static int check_dir_access(request_rec *r)
{
    /*
     * Per-directory Allow/Deny decision for the current request method.
     *
     * The method's configured evaluation order selects how the allow and
     * deny lists combine; the result is OK or HTTP_FORBIDDEN.  For
     * ALLOW_THEN_DENY and DENY_THEN_ALLOW both lists are consulted
     * unconditionally (same call sequence as before: two find_allowdeny
     * calls per request).  Any other order grants access only when the
     * allow list matches and the deny list does not.
     *
     * A denial is logged except in the one case where ap_satisfies(r) is
     * SATISFY_ANY and ap_some_auth_required(r) is true, i.e. when an
     * authentication checker may still admit the request.
     */
    int method = r->method_number;
    auth_remote_dir_conf *conf = (auth_remote_dir_conf *)
        ap_get_module_config(r->per_dir_config, &auth_remote_module);
    int ret;

    if (conf->order[method] == ALLOW_THEN_DENY) {
        int allowed = find_allowdeny(r, conf->allows, method, conf->expire_time);
        int denied = find_allowdeny(r, conf->denys, method, conf->expire_time);
        /* deny wins when both lists match; default is forbidden */
        ret = (allowed && !denied) ? OK : HTTP_FORBIDDEN;
    }
    else if (conf->order[method] == DENY_THEN_ALLOW) {
        int denied = find_allowdeny(r, conf->denys, method, conf->expire_time);
        int allowed = find_allowdeny(r, conf->allows, method, conf->expire_time);
        /* allow wins when both lists match; default is permitted */
        ret = (denied && !allowed) ? HTTP_FORBIDDEN : OK;
    }
    else {
        /* mutual-failure: must be allowed and not denied; deny lookup is
         * skipped when the allow lookup already failed */
        ret = HTTP_FORBIDDEN;
        if (find_allowdeny(r, conf->allows, method, conf->expire_time)
            && !find_allowdeny(r, conf->denys, method, conf->expire_time)) {
            ret = OK;
        }
    }

    if (ret == HTTP_FORBIDDEN
        && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
        /* fall back to the URI when no filename has been resolved yet */
        const char *what = r->filename ? r->filename : r->uri;
        const char *prefix = r->filename ? "" : "uri ";
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "client denied by auth_remote_module: %s%s",
                      prefix, what);
    }

    return ret;
}
static int check_dir_access(request_rec *r)
{
    /*
     * Per-directory Allow/Deny check for the request's method.
     *
     * Dispatches on the method's configured evaluation order and returns
     * OK or FORBIDDEN.  ALLOW_THEN_DENY and DENY_THEN_ALLOW always consult
     * both lists (two find_allowdeny calls, in that order); any other
     * order grants access only on an allow match with no deny match.
     *
     * A denial is logged unless ap_satisfies(r) is SATISFY_ANY and
     * ap_some_auth_required(r) is true, in which case an authentication
     * checker may still grant access.
     */
    int method = r->method_number;
    access_dir_conf *conf = (access_dir_conf *)
        ap_get_module_config(r->per_dir_config, &access_module);
    int ret;

    switch (conf->order[method]) {
    case ALLOW_THEN_DENY: {
        int allowed = find_allowdeny(r, conf->allows, method);
        int denied = find_allowdeny(r, conf->denys, method);
        /* deny wins when both match; default is forbidden */
        ret = (allowed && !denied) ? OK : FORBIDDEN;
        break;
    }
    case DENY_THEN_ALLOW: {
        int denied = find_allowdeny(r, conf->denys, method);
        int allowed = find_allowdeny(r, conf->allows, method);
        /* allow wins when both match; default is permitted */
        ret = (denied && !allowed) ? FORBIDDEN : OK;
        break;
    }
    default:
        /* mutual-failure: allowed and not denied; the deny lookup is
         * short-circuited when the allow lookup fails */
        ret = (find_allowdeny(r, conf->allows, method)
               && !find_allowdeny(r, conf->denys, method))
            ? OK : FORBIDDEN;
        break;
    }

    if (ret == FORBIDDEN
        && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
        /* NOTE(review): r->filename is passed straight to %s; confirm it
         * cannot be NULL at this hook, since a NULL %s argument is
         * undefined behavior. */
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                      "client denied by server configuration: %s",
                      r->filename);
    }

    return ret;
}
/*
 * access_checker: Apache access-check hook implementing mod_evasive's
 * request-rate limiting.
 *
 * Only main requests are evaluated (r->prev == NULL && r->main == NULL);
 * subrequests and internal redirects are not counted.  Hit state lives in
 * the file-scope hash table hit_list, keyed by "<ip>_<uri>" (per-page
 * rate), "<ip>_SITE" (per-site rate) and a bare "<ip>" entry marking a
 * client that is currently on hold.  The thresholds blocking_period,
 * page_interval, page_count, site_interval, site_count and the
 * notification settings log_dir, email_notify, system_command are
 * file-scope values defined elsewhere in this file.
 *
 * Returns OK to let the request proceed, or HTTP_FORBIDDEN to block it.
 */
static int access_checker(request_rec *r) 
{
    int ret = OK;

    /* BEGIN DoS Evasive Maneuvers Code */

    if (r->prev == NULL && r->main == NULL && hit_list != NULL) {
      char hash_key[2048];
      struct ntt_node *n;
      time_t t = time(NULL);

      /* Check whitelist */
      /* Whitelisted clients bypass all tracking below and are never counted. */
      if (is_whitelisted(r->useragent_ip))
        return OK;

      /* First see if the IP itself is on "hold" */
      /* NOTE(review): hit_list is read and mutated throughout this block
       * with no visible locking; if this module can run under a threaded
       * MPM, confirm synchronization is provided elsewhere. */
      n = ntt_find(hit_list, r->useragent_ip);

      if (n != NULL && t-n->timestamp<blocking_period) {
 
        /* If the IP is on "hold", make it wait longer in 403 land */
        /* Each blocked hit refreshes the hold timestamp, so the block lasts
         * blocking_period seconds after the client's last attempt, not
         * after the first one. */
        ret = HTTP_FORBIDDEN;
        n->timestamp = time(NULL);

      /* Not on hold, check hit stats */
      } else {

        /* Has URI been hit too much? */
        /* r->uri is client-controlled; snprintf bounds the key to 2048
         * bytes, so over-long URIs are truncated and distinct URIs with the
         * same leading bytes collapse into one key. */
        snprintf(hash_key, 2048, "%s_%s", r->useragent_ip, r->uri);
        n = ntt_find(hit_list, hash_key);
        if (n != NULL) {

          /* If URI is being hit too much, add to "hold" list and 403 */
          /* Threshold: page_count hits within page_interval seconds.  The
           * bare-IP entry created here is what the "hold" lookup above
           * matches on subsequent requests. */
          if (t-n->timestamp<page_interval && n->count>=page_count) {
            ret = HTTP_FORBIDDEN;
            ntt_insert(hit_list, r->useragent_ip, time(NULL));
          } else {

            /* Reset our hit count list as necessary */
            if (t-n->timestamp>=page_interval) {
              n->count=0;
            }
          }
          /* The current hit is counted even when it was just blocked. */
          n->timestamp = t;
          n->count++;
        } else {
          ntt_insert(hit_list, hash_key, t);
        }

        /* Has site been hit too much? */
        /* Same scheme as above, aggregated over all URIs for this IP. */
        snprintf(hash_key, 2048, "%s_SITE", r->useragent_ip);
        n = ntt_find(hit_list, hash_key);
        if (n != NULL) {

          /* If site is being hit too much, add to "hold" list and 403 */
          if (t-n->timestamp<site_interval && n->count>=site_count) {
            ret = HTTP_FORBIDDEN;
            ntt_insert(hit_list, r->useragent_ip, time(NULL));
          } else {

            /* Reset our hit count list as necessary */
            if (t-n->timestamp>=site_interval) {
              n->count=0;
            }
          }
          n->timestamp = t;
          n->count++;
        } else {
          ntt_insert(hit_list, hash_key, t);
        }
      }

      /* Perform email notification and system functions */
      /* Notification fires at most once per blocked IP: a marker file
       * "dos-<ip>" in log_dir (or DEFAULT_LOG_DIR) records that it already
       * happened.  stat() followed by fopen() is a check-then-act sequence,
       * so two server processes blocking the same IP at the same moment
       * may both pass the stat() and both notify. */
      if (ret == HTTP_FORBIDDEN) {
        char filename[1024];
        struct stat s;
        FILE *file;

        snprintf(filename, sizeof(filename), "%s/dos-%s", log_dir != NULL ? log_dir : DEFAULT_LOG_DIR, r->useragent_ip);
        if (stat(filename, &s)) {
          file = fopen(filename, "w");
          if (file != NULL) {
            /* Marker contents: pid of the writing process (pid_t via %d). */
            fprintf(file, "%d\n", getpid());
            fclose(file);

            LOG(LOG_ALERT, "Blacklisting address %s: possible DoS attack.", r->useragent_ip);
            if (email_notify != NULL) {
              /* MAILER (presumably defined earlier in the file) is a printf
               * format expanded with the configured address and executed
               * through a shell by popen(); email_notify must therefore be
               * trusted configuration, never request-derived. */
              snprintf(filename, sizeof(filename), MAILER, email_notify);
              file = popen(filename, "w");
              if (file != NULL) {
                fprintf(file, "To: %s\n", email_notify);
                fprintf(file, "Subject: HTTP BLACKLIST %s\n\n", r->useragent_ip);
                fprintf(file, "mod_evasive HTTP Blacklisted %s\n", r->useragent_ip);
                pclose(file);
              }
            }

            if (system_command != NULL) {
              /* system_command is used directly as a printf format string
               * with the client IP as its only argument and then run via
               * system() (a shell).  The 1024-byte filename buffer is
               * reused for the command, so longer commands are truncated.
               * This string must only ever come from trusted configuration. */
              snprintf(filename, sizeof(filename), system_command, r->useragent_ip);
              system(filename);
            }
 
          } else {
            /* errno is still that of the failed fopen() here. */
            LOG(LOG_ALERT, "Couldn't open logfile %s: %s",filename, strerror(errno));
	  }

        } /* if (temp file does not exist) */

      } /* if (ret == HTTP_FORBIDDEN) */

    } /* if (r->prev == NULL && r->main == NULL && hit_list != NULL) */

    /* END DoS Evasive Maneuvers Code */

    /* Log the denial unless ap_satisfies(r) is SATISFY_ANY and some
     * authentication is required, in which case another checker may still
     * admit the request. */
    if (ret == HTTP_FORBIDDEN
	&& (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
            "client denied by server configuration: %s",
            r->filename);
    }

    return ret;
}