Index: libapache-mod-dosevasive/README =================================================================== --- libapache-mod-dosevasive.orig/README 2019-07-08 18:06:20.466325459 +0200 +++ libapache-mod-dosevasive/README 2019-07-08 18:06:20.462325412 +0200 @@ -179,6 +179,7 @@ DOSEmailNotify you@yourdomain.com DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" DOSLogDir "/var/lock/mod_evasive" + DOSHTTPResponseCode 429 You will also need to add this line if you are building with dynamic support: @@ -316,6 +317,14 @@ directory writable only to the user Apache is running as (usually root), then set this in your httpd.conf. +DOSHTTPResponseCode +--------- + +Choose an alternative HTTP response code to be returned when an IP is blocked. + +By default 403 HTTP_FORBIDDEN will be returned. + + WHITELISTING IP ADDRESSES IP addresses of trusted clients can be whitelisted to insure they are never Index: libapache-mod-dosevasive/mod_evasive20.c =================================================================== --- libapache-mod-dosevasive.orig/mod_evasive20.c 2019-07-08 18:06:20.466325459 +0200 +++ libapache-mod-dosevasive/mod_evasive20.c 2019-07-08 18:15:53.676497555 +0200 @@ -63,6 +63,7 @@ #define DEFAULT_SITE_INTERVAL 1 // Default 1 Second site interval #define DEFAULT_BLOCKING_PERIOD 10 // Default for Detected IPs; blocked for 10 seconds #define DEFAULT_LOG_DIR "/tmp" // Default temp directory +#define DEFAULT_HTTP_RESPONSE_CODE HTTP_FORBIDDEN /* END DoS Evasive Maneuvers Definitions */ @@ -117,8 +118,8 @@ static char *log_dir = NULL; static char *system_command = NULL; static const char *whitelist(cmd_parms *cmd, void *dconfig, const char *ip); +static int http_response_code = DEFAULT_HTTP_RESPONSE_CODE; int is_whitelisted(const char *ip); - /* END DoS Evasive Maneuvers Globals */ static void * create_hit_list(apr_pool_t *p, server_rec *s) @@ -158,8 +159,8 @@ if (n != NULL && t-n->timestamptimestamp = time(NULL); /* Not on hold, check hit stats */ @@ -170,9 +171,9 @@ n = ntt_find(hit_list, hash_key); if (n != NULL) { - /* If URI is being hit too much, add to "hold" list and 403 */ + /* If URI is being hit too much, add to "hold" list */ if (t-n->timestampcount>=page_count) { - ret = HTTP_FORBIDDEN; + ret = http_response_code; ntt_insert(hit_list, CLIENT_IP(r->connection), time(NULL)); } else { @@ -192,9 +193,9 @@ n = ntt_find(hit_list, hash_key); if (n != NULL) { - /* If site is being hit too much, add to "hold" list and 403 */ + /* If site is being hit too much, add to "hold" list */ if (t-n->timestampcount>=site_count) { - ret = HTTP_FORBIDDEN; + ret = http_response_code; ntt_insert(hit_list, CLIENT_IP(r->connection), time(NULL)); } else { @@ -211,7 +212,7 @@ } /* Perform email notification and system functions */ - if (ret == HTTP_FORBIDDEN) { + if (ret == http_response_code) { char filename[1024]; struct stat s; FILE *file; @@ -246,13 +247,13 @@ } /* if (temp file does not exist) */ - } /* if (ret == HTTP_FORBIDDEN) */ + } /* if (ret == http_response_code) */ } /* if (r->prev == NULL && r->main == NULL && hit_list != NULL) */ /* END DoS Evasive Maneuvers Code */ - if (ret == HTTP_FORBIDDEN + if (ret == http_response_code && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "client denied by server configuration: %s", @@ -653,7 +654,21 @@ } return NULL; -} +} + +static const char * +get_http_response_code(cmd_parms *cmd, void *dconfig, const char *value) { + int n = strtol(value, NULL, 0); + // Allow HTTP response codes between 100 and 599 as per RFC 7231 + if (n>=100 && n<600) { + http_response_code = n; + } else { + http_response_code = DEFAULT_HTTP_RESPONSE_CODE; + } + + return NULL; +} + /* END Configuration Functions */ @@ -689,6 +704,9 @@ AP_INIT_ITERATE("DOSWhitelist", whitelist, NULL, RSRC_CONF, "IP-addresses wildcards to whitelist"), + AP_INIT_TAKE1("DOSHTTPResponseCode", get_http_response_code, NULL, RSRC_CONF, + "Set HTTP response code returned when IP is blocked"), + { NULL } };