File: configurable_http_response_code.patch

libapache-mod-evasive 1.10.1-5
  • area: main
  • in suites: bookworm
  • size: 292 kB
  • sloc: ansic: 2,976; makefile: 39; perl: 12
Index: libapache-mod-dosevasive/README
===================================================================
--- libapache-mod-dosevasive.orig/README	2019-07-08 18:06:20.466325459 +0200
+++ libapache-mod-dosevasive/README	2019-07-08 18:06:20.462325412 +0200
@@ -179,6 +179,7 @@
     DOSEmailNotify	you@yourdomain.com
     DOSSystemCommand	"su - someuser -c '/sbin/... %s ...'"
     DOSLogDir		"/var/lock/mod_evasive"
+    DOSHTTPResponseCode 429
 
 You will also need to add this line if you are building with dynamic support:
 
@@ -316,6 +317,14 @@
 directory writable only to the user Apache is running as (usually root),
 then set this in your httpd.conf.
 
+DOSHTTPResponseCode
+---------
+
+Choose an alternative HTTP response code to be returned when an IP is blocked.
+
+By default 403 HTTP_FORBIDDEN will be returned.
+
+
 WHITELISTING IP ADDRESSES
 
 IP addresses of trusted clients can be whitelisted to insure they are never 
Index: libapache-mod-dosevasive/mod_evasive20.c
===================================================================
--- libapache-mod-dosevasive.orig/mod_evasive20.c	2019-07-08 18:06:20.466325459 +0200
+++ libapache-mod-dosevasive/mod_evasive20.c	2019-07-08 18:15:53.676497555 +0200
@@ -63,6 +63,7 @@
 #define DEFAULT_SITE_INTERVAL   1       // Default 1 Second site interval
 #define DEFAULT_BLOCKING_PERIOD 10      // Default for Detected IPs; blocked for 10 seconds
 #define DEFAULT_LOG_DIR		"/tmp"  // Default temp directory
+#define DEFAULT_HTTP_RESPONSE_CODE HTTP_FORBIDDEN
 
 /* END DoS Evasive Maneuvers Definitions */
 
@@ -117,8 +118,8 @@
 static char *log_dir = NULL;
 static char *system_command = NULL;
 static const char *whitelist(cmd_parms *cmd, void *dconfig, const char *ip);
+static int http_response_code = DEFAULT_HTTP_RESPONSE_CODE;
 int is_whitelisted(const char *ip);
-
 /* END DoS Evasive Maneuvers Globals */
 
 static void * create_hit_list(apr_pool_t *p, server_rec *s) 
@@ -158,8 +159,8 @@
 
       if (n != NULL && t-n->timestamp<blocking_period) {
  
-        /* If the IP is on "hold", make it wait longer in 403 land */
-        ret = HTTP_FORBIDDEN;
+        /* If the IP is on "hold", make it wait longer on blacklist */
+        ret = http_response_code;
         n->timestamp = time(NULL);
 
       /* Not on hold, check hit stats */
@@ -170,9 +171,9 @@
         n = ntt_find(hit_list, hash_key);
         if (n != NULL) {
 
-          /* If URI is being hit too much, add to "hold" list and 403 */
+          /* If URI is being hit too much, add to "hold" list */
           if (t-n->timestamp<page_interval && n->count>=page_count) {
-            ret = HTTP_FORBIDDEN;
+            ret = http_response_code;
             ntt_insert(hit_list, CLIENT_IP(r->connection), time(NULL));
           } else {
 
@@ -192,9 +193,9 @@
         n = ntt_find(hit_list, hash_key);
         if (n != NULL) {
 
-          /* If site is being hit too much, add to "hold" list and 403 */
+          /* If site is being hit too much, add to "hold" list */
           if (t-n->timestamp<site_interval && n->count>=site_count) {
-            ret = HTTP_FORBIDDEN;
+            ret = http_response_code;
             ntt_insert(hit_list, CLIENT_IP(r->connection), time(NULL));
           } else {
 
@@ -211,7 +212,7 @@
       }
 
       /* Perform email notification and system functions */
-      if (ret == HTTP_FORBIDDEN) {
+      if (ret == http_response_code) {
         char filename[1024];
         struct stat s;
         FILE *file;
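Review bot: The `ret == http_response_code` test uses the administrator-chosen status value as the marker for "this request was just blocked", and the same comparison guards the `client denied by server configuration` log call in the next hunk. That ties the e-mail/system-command notification and the deny log to a configurable number rather than to the decision itself, so any other path that leaves `ret` equal to the configured code would also trigger them; whether such a path exists is not visible in these hunks. A dedicated local such as `int blocked = 0;`, set to 1 beside each of the three `ret = http_response_code;` assignments and tested with `if (blocked) {`, would keep the two concerns apart. The enclosing function starts and ends outside the hunk.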
@@ -246,13 +247,13 @@
 
         } /* if (temp file does not exist) */
 
-      } /* if (ret == HTTP_FORBIDDEN) */
+      } /* if (ret == http_response_code) */
 
     } /* if (r->prev == NULL && r->main == NULL && hit_list != NULL) */
 
     /* END DoS Evasive Maneuvers Code */
 
-    if (ret == HTTP_FORBIDDEN
+    if (ret == http_response_code
 	&& (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
             "client denied by server configuration: %s",
@@ -653,7 +654,21 @@
   }
  
   return NULL;
-} 
+}
+
+static const char *
+get_http_response_code(cmd_parms *cmd, void *dconfig, const char *value) {
+    int n = strtol(value, NULL, 0);
+    // Allow HTTP response codes between 100 and 599 as per RFC 7231
+    if (n>=100 && n<600) {
+        http_response_code = n;
+    } else {
+        http_response_code = DEFAULT_HTTP_RESPONSE_CODE;
+    }
+
+    return NULL;
+}
+
 
 /* END Configuration Functions */
 
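Review bot: `get_http_response_code` silently falls back to the default when the value is unusable, and because `strtol` is called with a NULL end pointer it cannot tell `429abc` from `429`; an administrator who mistypes the directive keeps getting 403 with no diagnostic at startup. Base 0 additionally makes a leading zero switch to octal, and the `long` result is narrowed to `int` before the range check runs. Returning an error string from the directive handler makes Apache reject the configuration at load time, as sketched below with the range check done on the `long`. The 100–599 range also admits 1xx, 2xx and 3xx values, which are not denial responses; restricting the directive to 4xx/5xx is worth considering, since how the request is finished for those codes is not visible here.

```c
static const char *
get_http_response_code(cmd_parms *cmd, void *dconfig, const char *value) {
    char *end = NULL;
    long n = strtol(value, &end, 10);

    /* Reject empty input, trailing characters and out-of-range values
     * instead of silently reverting to the default. */
    if (end == value || *end != '\0' || n < 100 || n > 599) {
        return "DOSHTTPResponseCode must be a decimal HTTP status code "
               "between 100 and 599";
    }
    http_response_code = (int)n;

    return NULL;
}
```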
@@ -689,6 +704,9 @@
         AP_INIT_ITERATE("DOSWhitelist", whitelist, NULL, RSRC_CONF,
                 "IP-addresses wildcards to whitelist"),
 
+    AP_INIT_TAKE1("DOSHTTPResponseCode", get_http_response_code, NULL, RSRC_CONF,
+                  "Set HTTP response code returned when IP is blocked"),
+
 	{ NULL }
 };