/*
 * Host-based access check for auth_remote_module.
 *
 * Looks up the per-directory configuration and evaluates its allow and deny
 * lists for the request's method according to the configured ordering:
 *
 *   ALLOW_THEN_DENY  - denied unless an allow entry matches; a matching deny
 *                      entry then overrides the allow.
 *   DENY_THEN_ALLOW  - allowed unless a deny entry matches; a matching allow
 *                      entry then overrides the deny.
 *   any other value  - allowed only when an allow entry matches and no deny
 *                      entry does.
 *
 * Returns OK or HTTP_FORBIDDEN.
 */
static int check_dir_access(request_rec *r)
{
    const int m = r->method_number;
    auth_remote_dir_conf *conf = (auth_remote_dir_conf *)
        ap_get_module_config(r->per_dir_config, &auth_remote_module);
    int status;

    /* NOTE(review): order[] is indexed by the request's method number; the
     * array's size is declared outside this view. */
    switch (conf->order[m]) {
    case ALLOW_THEN_DENY:
        /* Both lists are always consulted, allows first; deny has the last word. */
        status = find_allowdeny(r, conf->allows, m, conf->expire_time)
                     ? OK : HTTP_FORBIDDEN;
        if (find_allowdeny(r, conf->denys, m, conf->expire_time)) {
            status = HTTP_FORBIDDEN;
        }
        break;

    case DENY_THEN_ALLOW:
        /* Both lists are always consulted, denys first; allow has the last word. */
        status = find_allowdeny(r, conf->denys, m, conf->expire_time)
                     ? HTTP_FORBIDDEN : OK;
        if (find_allowdeny(r, conf->allows, m, conf->expire_time)) {
            status = OK;
        }
        break;

    default:
        /* The deny list is only consulted when an allow entry matched. */
        status = (find_allowdeny(r, conf->allows, m, conf->expire_time)
                  && !find_allowdeny(r, conf->denys, m, conf->expire_time))
                     ? OK : HTTP_FORBIDDEN;
        break;
    }

    if (status != HTTP_FORBIDDEN) {
        return status;
    }

    /* The denial is not logged when "Satisfy Any" is in effect and some
     * authentication is required - presumably because a later phase may
     * still admit the client. */
    if (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r)) {
        /* Fall back to the URI when no filename has been mapped. */
        const char *prefix = r->filename ? "" : "uri ";
        const char *target = r->filename ? r->filename : r->uri;

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "client denied by auth_remote_module: %s%s",
                      prefix, target);
    }

    return status;
}
/*
 * Host-based access check for access_module.
 *
 * Evaluates the per-directory allow and deny lists for the request's method
 * in the configured order:
 *
 *   ALLOW_THEN_DENY  - default deny; an allow match admits, a deny match
 *                      then overrides it.
 *   DENY_THEN_ALLOW  - default allow; a deny match refuses, an allow match
 *                      then overrides it.
 *   any other value  - admitted only when an allow entry matches and no deny
 *                      entry does.
 *
 * Returns OK or FORBIDDEN.
 */
static int check_dir_access(request_rec *r)
{
    int m = r->method_number;
    access_dir_conf *conf = (access_dir_conf *)
        ap_get_module_config(r->per_dir_config, &access_module);
    int verdict = OK;

    /* NOTE(review): order[] is indexed by the request's method number; the
     * array's size is declared outside this view. */
    switch (conf->order[m]) {
    case ALLOW_THEN_DENY:
        verdict = FORBIDDEN;
        if (find_allowdeny(r, conf->allows, m)) {
            verdict = OK;
        }
        /* Checked second so that a deny match wins. */
        if (find_allowdeny(r, conf->denys, m)) {
            verdict = FORBIDDEN;
        }
        break;

    case DENY_THEN_ALLOW:
        if (find_allowdeny(r, conf->denys, m)) {
            verdict = FORBIDDEN;
        }
        /* Checked second so that an allow match wins. */
        if (find_allowdeny(r, conf->allows, m)) {
            verdict = OK;
        }
        break;

    default:
        /* The deny list is only consulted when an allow entry matched. */
        verdict = (find_allowdeny(r, conf->allows, m)
                   && !find_allowdeny(r, conf->denys, m))
                      ? OK : FORBIDDEN;
        break;
    }

    if (verdict != FORBIDDEN) {
        return verdict;
    }

    /* The denial is not logged when "Satisfy Any" is in effect and some
     * authentication is required - presumably because a later phase may
     * still admit the client. */
    if (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r)) {
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                      "client denied by server configuration: %s",
                      r->filename);
    }

    return verdict;
}
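/*
 * Access-checker hook implementing the DoS "evasive maneuvers" logic.
 *
 * Only top-level requests are examined (no internal redirect, no subrequest)
 * and only when the hit table exists.  For such a request the client address
 * is checked against the whitelist, then against its own "hold" entry, then
 * against a per-address+URI counter and a per-address site-wide counter.
 * Exceeding either counter puts the address on hold and the request is
 * answered with HTTP_FORBIDDEN.
 *
 * The first time an address is refused (no marker file for it yet) a marker
 * file is written and the optional mail and system-command notifications are
 * run.  A notification command that does not fit its buffer is logged and
 * skipped rather than executed in truncated form.
 *
 * Returns OK or HTTP_FORBIDDEN.
 */
static int access_checker(request_rec *r)
{
    int ret = OK;

    /* BEGIN DoS Evasive Maneuvers Code */

    if (r->prev == NULL && r->main == NULL && hit_list != NULL) {
        char hash_key[2048];
        struct ntt_node *n;
        time_t t = time(NULL);

        /* Check whitelist */
        if (is_whitelisted(r->useragent_ip)) {
            return OK;
        }

        /* First see if the IP itself is on "hold" */
        n = ntt_find(hit_list, r->useragent_ip);

        if (n != NULL && t-n->timestamp<blocking_period) {

            /* If the IP is on "hold", make it wait longer in 403 land */
            ret = HTTP_FORBIDDEN;
            n->timestamp = time(NULL);

        /* Not on hold, check hit stats */
        } else {

            /* Has URI been hit too much?
             * The key is bounded by the buffer, so URIs that only differ
             * beyond that length share one counter. */
            snprintf(hash_key, sizeof(hash_key), "%s_%s", r->useragent_ip, r->uri);
            n = ntt_find(hit_list, hash_key);
            if (n != NULL) {

                /* If URI is being hit too much, add to "hold" list and 403 */
                if (t-n->timestamp<page_interval && n->count>=page_count) {
                    ret = HTTP_FORBIDDEN;
                    ntt_insert(hit_list, r->useragent_ip, time(NULL));
                } else {

                    /* Reset our hit count list as necessary */
                    if (t-n->timestamp>=page_interval) {
                        n->count=0;
                    }
                }
                n->timestamp = t;
                n->count++;
            } else {
                ntt_insert(hit_list, hash_key, t);
            }

            /* Has site been hit too much? */
            snprintf(hash_key, sizeof(hash_key), "%s_SITE", r->useragent_ip);
            n = ntt_find(hit_list, hash_key);
            if (n != NULL) {

                /* If site is being hit too much, add to "hold" list and 403 */
                if (t-n->timestamp<site_interval && n->count>=site_count) {
                    ret = HTTP_FORBIDDEN;
                    ntt_insert(hit_list, r->useragent_ip, time(NULL));
                } else {

                    /* Reset our hit count list as necessary */
                    if (t-n->timestamp>=site_interval) {
                        n->count=0;
                    }
                }
                n->timestamp = t;
                n->count++;
            } else {
                ntt_insert(hit_list, hash_key, t);
            }
        }

        /* Perform email notification and system functions */
        if (ret == HTTP_FORBIDDEN) {
            char filename[1024];
            struct stat s;
            FILE *file;

            /* Marker file "<log_dir>/dos-<address>"; its presence suppresses
             * repeated notifications for the same address.
             *
             * NOTE(review): stat() followed by fopen(..., "w") is a
             * check-then-create sequence on a predictable name, and fopen()
             * follows symbolic links.  log_dir should be a directory that
             * only the server user can write to; DEFAULT_LOG_DIR is defined
             * outside this view - confirm it is not a shared temporary
             * directory.  An exclusive, no-follow create would close the gap. */
            snprintf(filename, sizeof(filename), "%s/dos-%s", log_dir != NULL ? log_dir : DEFAULT_LOG_DIR, r->useragent_ip);
            if (stat(filename, &s)) {
                file = fopen(filename, "w");
                if (file != NULL) {
                    fprintf(file, "%d\n", getpid());
                    fclose(file);

                    LOG(LOG_ALERT, "Blacklisting address %s: possible DoS attack.", r->useragent_ip);
                    if (email_notify != NULL) {
                        /* NOTE(review): MAILER and email_notify become a shell
                         * command line via popen(); both are defined outside
                         * this view and presumably come from build-time or
                         * administrator configuration - confirm neither can
                         * be influenced by request data. */
                        int len = snprintf(filename, sizeof(filename), MAILER, email_notify);

                        /* Never hand a truncated command line to the shell. */
                        if (len < 0 || (size_t)len >= sizeof(filename)) {
                            LOG(LOG_ALERT, "Mail command for %s is too long; notification skipped.", email_notify);
                        } else {
                            file = popen(filename, "w");
                            if (file != NULL) {
                                fprintf(file, "To: %s\n", email_notify);
                                fprintf(file, "Subject: HTTP BLACKLIST %s\n\n", r->useragent_ip);
                                fprintf(file, "mod_evasive HTTP Blacklisted %s\n", r->useragent_ip);
                                pclose(file);
                            }
                        }
                    }

                    if (system_command != NULL) {
                        /* NOTE(review): system_command is used as a printf
                         * format and the result is run by the shell.  It is
                         * expected to contain at most one %s conversion (TODO
                         * confirm it is validated where it is configured).
                         * r->useragent_ip is presumably a server-generated
                         * numeric address - confirm before relying on it
                         * being free of shell metacharacters. */
                        int len = snprintf(filename, sizeof(filename), system_command, r->useragent_ip);

                        /* Never hand a truncated command line to the shell. */
                        if (len < 0 || (size_t)len >= sizeof(filename)) {
                            LOG(LOG_ALERT, "System command for %s is too long; not executed.", r->useragent_ip);
                        } else {
                            system(filename);
                        }
                    }

                } else {
                    LOG(LOG_ALERT, "Couldn't open logfile %s: %s",filename, strerror(errno));
                }

            } /* if (temp file does not exist) */

        } /* if (ret == HTTP_FORBIDDEN) */

    } /* if (r->prev == NULL && r->main == NULL && hit_list != NULL) */

    /* END DoS Evasive Maneuvers Code */

    /* The denial is not logged when "Satisfy Any" is in effect and some
     * authentication is required - presumably because a later phase may
     * still admit the client. */
    if (ret == HTTP_FORBIDDEN
        && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "client denied by server configuration: %s",
                      r->filename);
    }

    return ret;
}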