mod_noloris.c revision 40965c37b2fd320093215de6c3fbd516382077ea
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* The use of the scoreboard in this module is based on a similar
* but simpler module, mod_antiloris by Kees Monshouwer, from
* ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/
* Note the FIXME that affects both modules.
*
* The major difference is that mod_antiloris checks the scoreboard
* on every request. This implies a per-request overhead that grows
* with the scoreboard, and gets very expensive on a big server.
* On the other hand, this module (mod_noloris) may be slower to
* react to a DoS attack, and in the case of a very small server
* it might be too late.
*
* Author's untested instinct: mod_antiloris will suit servers with
* Prefork MPM and low traffic. A server with a threaded MPM
* (or possibly a big prefork server with lots of memory) should
* raise MaxClients and use mod_noloris.
*/
#include "httpd.h"
#include "http_config.h"
#include "http_connection.h"
#include "http_log.h"
#include "mpm_common.h"
#include "ap_mpm.h"
#include "apr_hash.h"
#include "scoreboard.h"
module AP_MODULE_DECLARE_DATA noloris_module;
module AP_MODULE_DECLARE_DATA core_module;
#define ADDR_MAX_SIZE 48
static unsigned int default_max_connections;
static apr_hash_t *trusted;
static apr_interval_time_t recheck_time;
static apr_shm_t *shm;
static apr_size_t shm_size;
static int server_limit;
static int thread_limit;
static int noloris_conn(conn_rec *conn)
{
/*** FIXME
* This is evil: we're assuming info that's private to the scoreboard
* We need to do that because there's no API to update the scoreboard
* on a connection, only with a request (or NULL to say not processing
* any request). We need a version of ap_update_child_status that
* accepts a conn_rec.
*/
struct { int child_num; int thread_num; } *sbh = conn->sbh;
char *shm_rec;
worker_score *ws;
if (shm == NULL) {
return DECLINED; /* we're disabled */
}
/* check the IP is not banned */
shm_rec = apr_shm_baseaddr_get(shm);
while (shm_rec[0] != '\0') {
if (!strcmp(shm_rec, conn->remote_ip)) {
apr_socket_t *csd = ap_get_module_config(conn->conn_config, &core_module);
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
"Dropping connection from banned IP %s",
conn->remote_ip);
apr_socket_close(csd);
return DONE;
}
shm_rec += ADDR_MAX_SIZE;
}
/* store this client IP for the monitor to pick up */
/* under traditional scoreboard, none of this happens until
* there's a request_rec. This is where we use the illegally-
* obtained private info from the scoreboard.
*/
ws = &ap_scoreboard_image->servers[sbh->child_num][sbh->thread_num];
strcpy(ws->client, conn->remote_ip);
return DECLINED;
}
static int noloris_monitor(apr_pool_t *pool, server_rec *s)
{
static apr_hash_t *connections = NULL;
static apr_time_t last_check = 0;
static int *totals;
int i, j;
int *n;
int index = 0;
apr_hash_index_t *hi;
char *ip;
apr_time_t time_now;
char *shm_rec;
worker_score *ws;
/* do nothing if disabled */
if (shm == NULL) {
return 0;
}
/* skip check if it's not due yet */
time_now = apr_time_now();
if (time_now - last_check < recheck_time) {
return 0;
}
last_check = time_now;
/* alloc lots of stuff at start, so we don't leak memory per-call */
if (connections == NULL) {
connections = apr_hash_make(pool);
totals = apr_palloc(pool, server_limit*thread_limit);
ip = apr_palloc(pool, ADDR_MAX_SIZE);
}
/* Get a per-client count of connections in READ state */
for (i = 0; i < server_limit; ++i) {
for (j = 0; j < thread_limit; ++j) {
ws = ap_get_scoreboard_worker_from_indexes(i, j);
if (ws->status == SERVER_BUSY_READ) {
n = apr_hash_get(connections, ws->client, APR_HASH_KEY_STRING);
if (n == NULL) {
n = totals + index++ ;
*n = 0;
}
++*n;
apr_hash_set(connections, ws->client, APR_HASH_KEY_STRING, n);
}
}
}
/* reset shm before writing to it.
* We're only dealing with approx. counts, so we ignore the race condition
* with our prospective readers
*/
shm_rec = apr_shm_baseaddr_get(shm);
memset(shm_rec, 0, shm_size);
/* Now check the hash for clients with too many connections in READ state */
for (hi = apr_hash_first(NULL, connections); hi; hi = apr_hash_next(hi)) {
apr_hash_this(hi, (const void**) &ip, NULL, (void**)&n);
if (*n >= default_max_connections) {
/* if this isn't a trusted proxy, we mark it as bad */
if (!apr_hash_get(trusted, ip, APR_HASH_KEY_STRING)) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, 0,
"noloris: banning %s with %d connections in READ state",
ip, *n);
strcpy(shm_rec, ip);
shm_rec += ADDR_MAX_SIZE;
}
}
}
apr_hash_clear(connections);
return 0;
}
static int noloris_post(apr_pool_t *pconf, apr_pool_t *ptmp, apr_pool_t *plog,
server_rec *s)
{
apr_status_t rv;
int max_bans = thread_limit * server_limit / default_max_connections;
shm_size = ADDR_MAX_SIZE * max_bans;
rv = apr_shm_create(&shm, shm_size, NULL, pconf);
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
"Failed to create shm segment; mod_noloris disabled");
apr_hash_clear(trusted);
shm = NULL;
}
return 0;
}
static int noloris_pre(apr_pool_t *pconf, apr_pool_t *ptmp, apr_pool_t *plog)
{
ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit);
/* set up default config stuff here */
trusted = apr_hash_make(pconf);
default_max_connections = 50;
recheck_time = apr_time_from_sec(10);
return 0;
}
static void noloris_hooks(apr_pool_t *p)
{
ap_hook_process_connection(noloris_conn, NULL, NULL, APR_HOOK_FIRST);
ap_hook_pre_config(noloris_pre, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(noloris_post, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_monitor(noloris_monitor, NULL, NULL, APR_HOOK_MIDDLE);
}
static const char *noloris_trusted(cmd_parms *cmd, void *cfg, const char *val)
{
const char* err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (!err) {
apr_hash_set(trusted, val, APR_HASH_KEY_STRING, &noloris_module);
}
return err;
}
static const char *noloris_recheck(cmd_parms *cmd, void *cfg, const char *val)
{
const char* err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (!err) {
recheck_time = apr_time_from_sec(atoi(val));
}
return err;
}
static const char *noloris_max_conn(cmd_parms *cmd, void *cfg, const char *val)
{
const char* err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (!err) {
default_max_connections = atoi(val);
}
return err;
}
static const command_rec noloris_cmds[] = {
AP_INIT_ITERATE("TrustedProxy", noloris_trusted, NULL, RSRC_CONF,
"IP addresses from which to allow unlimited connections"),
AP_INIT_TAKE1("ClientRecheckTime", noloris_recheck, NULL, RSRC_CONF,
"Time interval for rechecking client connection tables"),
AP_INIT_TAKE1("MaxClientConnections", noloris_max_conn, NULL, RSRC_CONF,
"Max connections in READ state to permit from an untrusted client"),
{NULL}
};
module AP_MODULE_DECLARE_DATA noloris_module = {
STANDARD20_MODULE_STUFF,
NULL,
NULL,
NULL,
NULL,
noloris_cmds,
noloris_hooks
};