From 0e69854ed4ab87b5be850f9478b7ea4f218bc90b Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 16 Sep 2011 08:32:32 +0200
Subject: MINOR: acl: add new matches for header/path/url length

This patch introduces hdr_len, path_len and url_len for matching these respective parts lengths against integers. This can be used to detect abuse or empty headers.
---
 doc/configuration.txt | 15 +++++++++++++++
 include/proto/acl.h | 5 ++++-
 src/acl.c | 11 ++++++++++-
 src/proto_http.c | 4 ++++
 4 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index c6785c2..9bcc16e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7717,6 +7717,13 @@ hdr_ip(
) X-Client-IP. See "hdr" for more information on header matching. Use the shdr_ip() variant for response headers sent by the server.
+hdr_len
+hdr_len(
)
+ Returns true when at least one of the headers has a length which matches the
+ values or ranges specified. This may be used to detect empty or too large
+ headers. See "hdr" for more information on header matching. Use the
+ shdr_len() variant for response headers sent by the server.
+
 hdr_reg
 hdr_reg(
)
 Returns true when one of the headers matches of the regular expressions. It
@@ -7781,6 +7788,10 @@ path_end
 Returns true when the path ends with one of the strings. This may be used to control file name extension.
+path_len
+ Returns true when the path length matches the values or ranges specified.
+ This may be used to detect abusive requests for instance.
+
 path_reg
 Returns true when the path matches one of the regular expressions. It can be used any time, but it is important to remember that regex matching is slower
@@ -7828,6 +7839,10 @@ url_ip
 It can be used to prevent access to certain resources such as local network. It is useful with option "http_proxy".
+url_len
+ Returns true when the url length matches the values or ranges specified. This
+ may be used to detect abusive requests for instance.
+
 url_port
 Applies to the port specified in the absolute URI in an HTTP request. It can be used to prevent access to certain resources. It is useful with option
diff --git a/include/proto/acl.h b/include/proto/acl.h
index c35cee9..b3ae181 100644
--- a/include/proto/acl.h
+++ b/include/proto/acl.h
@@ -2,7 +2,7 @@
 * include/proto/acl.h
 * This file provides interface definitions for ACL manipulation.
 *
- * Copyright (C) 2000-2010 Willy Tarreau - w@1wt.eu
+ * Copyright (C) 2000-2011 Willy Tarreau - w@1wt.eu
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
@@ -136,6 +136,9 @@ int acl_parse_nothing(const char **text, struct acl_pattern *pattern, int *opaqu
 /* NB: For two strings to be identical, it is required that their lengths match */
 int acl_match_str(struct acl_test *test, struct acl_pattern *pattern);
+/* Checks that the length of the pattern in is included between min and max */
+int acl_match_len(struct acl_test *test, struct acl_pattern *pattern);
+
 /* Checks that the integer in is included between min and max */
 int acl_match_int(struct acl_test *test, struct acl_pattern *pattern);
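Review bot: The comment added above the acl_match_len prototype in include/proto/acl.h says it checks "the length of the pattern", but the function body (src/acl.c hunk) compares test->len, the length of the fetched sample, against the pattern's min/max bounds, so the comment names the wrong side; the same wording is repeated above the definition in src/acl.c. Suggest `/* Checks that the length of the fetched sample (test->len) lies within the pattern's min..max range, both bounds inclusive */` in both places. The inclusive bounds are visible from the `<=` comparisons in the src/acl.c hunk and are worth stating, since "between" alone leaves them ambiguous.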
diff --git a/src/acl.c b/src/acl.c
index 33f00ed..3546ef7 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -1,7 +1,7 @@
 /*
 * ACL management functions.
 *
- * Copyright 2000-2010 Willy Tarreau
+ * Copyright 2000-2011 Willy Tarreau
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
@@ -650,6 +650,15 @@ int acl_match_int(struct acl_test *test, struct acl_pattern *pattern)
 return ACL_PAT_FAIL;
 }
+/* Checks that the length of the pattern in is included between min and max */
+int acl_match_len(struct acl_test *test, struct acl_pattern *pattern)
+{
+ if ((!pattern->val.range.min_set || pattern->val.range.min <= test->len) &&
+ (!pattern->val.range.max_set || test->len <= pattern->val.range.max))
+ return ACL_PAT_PASS;
+ return ACL_PAT_FAIL;
+}
+
 int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern)
 {
 struct in_addr *s;
diff --git a/src/proto_http.c b/src/proto_http.c
index 2cd58d2..c39fb94 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8371,6 +8371,7 @@ static struct acl_kw_list acl_kws = {{ },{
 { "url_dir", acl_parse_str, acl_fetch_url, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
 { "url_dom", acl_parse_str, acl_fetch_url, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
 { "url_reg", acl_parse_reg, acl_fetch_url, acl_match_reg, ACL_USE_L7REQ_VOLATILE },
+ { "url_len", acl_parse_int, acl_fetch_url, acl_match_len, ACL_USE_L7REQ_VOLATILE },
 { "url_ip", acl_parse_ip, acl_fetch_url_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
 { "url_port", acl_parse_int, acl_fetch_url_port, acl_match_int, ACL_USE_L7REQ_VOLATILE },
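Review bot: acl_match_len in the src/acl.c hunk appears to be a copy of the min_set/max_set range test in acl_match_int with test->len substituted for the integer value (acl_match_int's body sits above the hunk, so only its trailing `return ACL_PAT_FAIL;` is visible and this is inferred); a small static helper that takes the value to test and the pattern and returns ACL_PAT_PASS or ACL_PAT_FAIL, called by both matchers, would keep the two comparisons from drifting apart when the range semantics change. Separately, test->len and pattern->val.range.min/max are compared directly, and their declared types are not in this patch; if they differ in signedness the usual arithmetic conversions apply, so it is worth confirming both are signed so that a length is never promoted into an unsigned comparison. acl_match_len is wholly contained in the hunk.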
@@ -8383,6 +8384,7 @@ static struct acl_kw_list acl_kws = {{ },{
 { "hdr_dir", acl_parse_str, acl_fetch_chdr, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
 { "hdr_dom", acl_parse_str, acl_fetch_chdr, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
 { "hdr_cnt", acl_parse_int, acl_fetch_chdr_cnt,acl_match_int, ACL_USE_L7REQ_VOLATILE },
+ { "hdr_len", acl_parse_int, acl_fetch_chdr, acl_match_len, ACL_USE_L7REQ_VOLATILE },
 { "hdr_val", acl_parse_int, acl_fetch_chdr_val,acl_match_int, ACL_USE_L7REQ_VOLATILE },
 { "hdr_ip", acl_parse_ip, acl_fetch_chdr_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
@@ -8394,6 +8396,7 @@ static struct acl_kw_list acl_kws = {{ },{
 { "shdr_dir", acl_parse_str, acl_fetch_shdr, acl_match_dir, ACL_USE_L7RTR_VOLATILE },
 { "shdr_dom", acl_parse_str, acl_fetch_shdr, acl_match_dom, ACL_USE_L7RTR_VOLATILE },
 { "shdr_cnt", acl_parse_int, acl_fetch_shdr_cnt,acl_match_int, ACL_USE_L7RTR_VOLATILE },
+ { "shdr_len", acl_parse_int, acl_fetch_shdr, acl_match_len, ACL_USE_L7RTR_VOLATILE },
 { "shdr_val", acl_parse_int, acl_fetch_shdr_val,acl_match_int, ACL_USE_L7RTR_VOLATILE },
 { "shdr_ip", acl_parse_ip, acl_fetch_shdr_ip, acl_match_ip, ACL_USE_L7RTR_VOLATILE|ACL_MAY_LOOKUP },
@@ -8404,6 +8407,7 @@ static struct acl_kw_list acl_kws = {{ },{
 { "path_sub", acl_parse_str, acl_fetch_path, acl_match_sub, ACL_USE_L7REQ_VOLATILE },
 { "path_dir", acl_parse_str, acl_fetch_path, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
 { "path_dom", acl_parse_str, acl_fetch_path, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
+ { "path_len", acl_parse_int, acl_fetch_path, acl_match_len, ACL_USE_L7REQ_VOLATILE },
 #if 0
 { "line", acl_parse_str, acl_fetch_line, acl_match_str },
--
1.7.2.3