MINOR: acl: add new matches for header/path/url length

This patch introduces hdr_len, path_len and url_len for matching the lengths
of these respective parts against integers. This can be used to detect
abuse or empty headers.
Willy Tarreau 2011-09-16 08:32:32 +02:00
parent 275600b6c7
commit 0e69854ed4
4 changed files with 33 additions and 2 deletions


@ -7717,6 +7717,13 @@ hdr_ip(<header>) <ip_address>
X-Client-IP. See "hdr" for more information on header matching. Use the X-Client-IP. See "hdr" for more information on header matching. Use the
shdr_ip() variant for response headers sent by the server. shdr_ip() variant for response headers sent by the server.
hdr_len <integer>
hdr_len(<header>) <integer>
Returns true when at least one of the headers has a length which matches the
values or ranges specified. This may be used to detect empty or too large
headers. See "hdr" for more information on header matching. Use the
shdr_len() variant for response headers sent by the server.
hdr_reg <regex> hdr_reg <regex>
hdr_reg(<header>) <regex> hdr_reg(<header>) <regex>
Returns true when one of the headers matches of the regular expressions. It Returns true when one of the headers matches of the regular expressions. It
@ -7781,6 +7788,10 @@ path_end <string>
Returns true when the path ends with one of the strings. This may be used to Returns true when the path ends with one of the strings. This may be used to
control file name extension. control file name extension.
path_len <integer>
Returns true when the path length matches the values or ranges specified.
This may be used to detect abusive requests for instance.
path_reg <regex> path_reg <regex>
Returns true when the path matches one of the regular expressions. It can be Returns true when the path matches one of the regular expressions. It can be
used any time, but it is important to remember that regex matching is slower used any time, but it is important to remember that regex matching is slower
@ -7828,6 +7839,10 @@ url_ip <ip_address>
It can be used to prevent access to certain resources such as local network. It can be used to prevent access to certain resources such as local network.
It is useful with option "http_proxy". It is useful with option "http_proxy".
url_len <integer>
Returns true when the url length matches the values or ranges specified. This
may be used to detect abusive requests for instance.
url_port <integer> url_port <integer>
Applies to the port specified in the absolute URI in an HTTP request. It can Applies to the port specified in the absolute URI in an HTTP request. It can
be used to prevent access to certain resources. It is useful with option be used to prevent access to certain resources. It is useful with option


@ -2,7 +2,7 @@
* include/proto/acl.h * include/proto/acl.h
* This file provides interface definitions for ACL manipulation. * This file provides interface definitions for ACL manipulation.
* *
* Copyright (C) 2000-2010 Willy Tarreau - w@1wt.eu * Copyright (C) 2000-2011 Willy Tarreau - w@1wt.eu
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public * modify it under the terms of the GNU Lesser General Public
@ -136,6 +136,9 @@ int acl_parse_nothing(const char **text, struct acl_pattern *pattern, int *opaqu
/* NB: For two strings to be identical, it is required that their lengths match */ /* NB: For two strings to be identical, it is required that their lengths match */
int acl_match_str(struct acl_test *test, struct acl_pattern *pattern); int acl_match_str(struct acl_test *test, struct acl_pattern *pattern);
/* Checks that the length of the pattern in <test> is included between min and max */
int acl_match_len(struct acl_test *test, struct acl_pattern *pattern);
/* Checks that the integer in <test> is included between min and max */ /* Checks that the integer in <test> is included between min and max */
int acl_match_int(struct acl_test *test, struct acl_pattern *pattern); int acl_match_int(struct acl_test *test, struct acl_pattern *pattern);
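Review bot: The comment added above the new `acl_match_len` prototype describes the wrong operand: judging from the definition in the src/acl.c section below, `<test>` carries the fetched sample whose `len` is compared and `<pattern>` carries the `val.range.min`/`val.range.max` bounds, so "the length of the pattern in <test>" reads backwards and could mislead anyone adding a new length-based keyword. Suggest `/* Checks that the length of the sample in <test> is included between the min and max of <pattern> */`. The same wording is repeated above the definition in src/acl.c; both copies should be corrected together so the header and implementation stay in sync.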


@ -1,7 +1,7 @@
/* /*
* ACL management functions. * ACL management functions.
* *
* Copyright 2000-2010 Willy Tarreau <w@1wt.eu> * Copyright 2000-2011 Willy Tarreau <w@1wt.eu>
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License * modify it under the terms of the GNU General Public License
@ -650,6 +650,15 @@ int acl_match_int(struct acl_test *test, struct acl_pattern *pattern)
return ACL_PAT_FAIL; return ACL_PAT_FAIL;
} }
/* Checks that the length of the pattern in <test> is included between min and max */
int acl_match_len(struct acl_test *test, struct acl_pattern *pattern)
{
if ((!pattern->val.range.min_set || pattern->val.range.min <= test->len) &&
(!pattern->val.range.max_set || test->len <= pattern->val.range.max))
return ACL_PAT_PASS;
return ACL_PAT_FAIL;
}
int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern) int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern)
{ {
struct in_addr *s; struct in_addr *s;


@ -8371,6 +8371,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "url_dir", acl_parse_str, acl_fetch_url, acl_match_dir, ACL_USE_L7REQ_VOLATILE }, { "url_dir", acl_parse_str, acl_fetch_url, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "url_dom", acl_parse_str, acl_fetch_url, acl_match_dom, ACL_USE_L7REQ_VOLATILE }, { "url_dom", acl_parse_str, acl_fetch_url, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
{ "url_reg", acl_parse_reg, acl_fetch_url, acl_match_reg, ACL_USE_L7REQ_VOLATILE }, { "url_reg", acl_parse_reg, acl_fetch_url, acl_match_reg, ACL_USE_L7REQ_VOLATILE },
{ "url_len", acl_parse_int, acl_fetch_url, acl_match_len, ACL_USE_L7REQ_VOLATILE },
{ "url_ip", acl_parse_ip, acl_fetch_url_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP }, { "url_ip", acl_parse_ip, acl_fetch_url_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
{ "url_port", acl_parse_int, acl_fetch_url_port, acl_match_int, ACL_USE_L7REQ_VOLATILE }, { "url_port", acl_parse_int, acl_fetch_url_port, acl_match_int, ACL_USE_L7REQ_VOLATILE },
@ -8383,6 +8384,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "hdr_dir", acl_parse_str, acl_fetch_chdr, acl_match_dir, ACL_USE_L7REQ_VOLATILE }, { "hdr_dir", acl_parse_str, acl_fetch_chdr, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "hdr_dom", acl_parse_str, acl_fetch_chdr, acl_match_dom, ACL_USE_L7REQ_VOLATILE }, { "hdr_dom", acl_parse_str, acl_fetch_chdr, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
{ "hdr_cnt", acl_parse_int, acl_fetch_chdr_cnt,acl_match_int, ACL_USE_L7REQ_VOLATILE }, { "hdr_cnt", acl_parse_int, acl_fetch_chdr_cnt,acl_match_int, ACL_USE_L7REQ_VOLATILE },
{ "hdr_len", acl_parse_int, acl_fetch_chdr, acl_match_len, ACL_USE_L7REQ_VOLATILE },
{ "hdr_val", acl_parse_int, acl_fetch_chdr_val,acl_match_int, ACL_USE_L7REQ_VOLATILE }, { "hdr_val", acl_parse_int, acl_fetch_chdr_val,acl_match_int, ACL_USE_L7REQ_VOLATILE },
{ "hdr_ip", acl_parse_ip, acl_fetch_chdr_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP }, { "hdr_ip", acl_parse_ip, acl_fetch_chdr_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
@ -8394,6 +8396,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "shdr_dir", acl_parse_str, acl_fetch_shdr, acl_match_dir, ACL_USE_L7RTR_VOLATILE }, { "shdr_dir", acl_parse_str, acl_fetch_shdr, acl_match_dir, ACL_USE_L7RTR_VOLATILE },
{ "shdr_dom", acl_parse_str, acl_fetch_shdr, acl_match_dom, ACL_USE_L7RTR_VOLATILE }, { "shdr_dom", acl_parse_str, acl_fetch_shdr, acl_match_dom, ACL_USE_L7RTR_VOLATILE },
{ "shdr_cnt", acl_parse_int, acl_fetch_shdr_cnt,acl_match_int, ACL_USE_L7RTR_VOLATILE }, { "shdr_cnt", acl_parse_int, acl_fetch_shdr_cnt,acl_match_int, ACL_USE_L7RTR_VOLATILE },
{ "shdr_len", acl_parse_int, acl_fetch_shdr, acl_match_len, ACL_USE_L7RTR_VOLATILE },
{ "shdr_val", acl_parse_int, acl_fetch_shdr_val,acl_match_int, ACL_USE_L7RTR_VOLATILE }, { "shdr_val", acl_parse_int, acl_fetch_shdr_val,acl_match_int, ACL_USE_L7RTR_VOLATILE },
{ "shdr_ip", acl_parse_ip, acl_fetch_shdr_ip, acl_match_ip, ACL_USE_L7RTR_VOLATILE|ACL_MAY_LOOKUP }, { "shdr_ip", acl_parse_ip, acl_fetch_shdr_ip, acl_match_ip, ACL_USE_L7RTR_VOLATILE|ACL_MAY_LOOKUP },
@ -8404,6 +8407,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "path_sub", acl_parse_str, acl_fetch_path, acl_match_sub, ACL_USE_L7REQ_VOLATILE }, { "path_sub", acl_parse_str, acl_fetch_path, acl_match_sub, ACL_USE_L7REQ_VOLATILE },
{ "path_dir", acl_parse_str, acl_fetch_path, acl_match_dir, ACL_USE_L7REQ_VOLATILE }, { "path_dir", acl_parse_str, acl_fetch_path, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "path_dom", acl_parse_str, acl_fetch_path, acl_match_dom, ACL_USE_L7REQ_VOLATILE }, { "path_dom", acl_parse_str, acl_fetch_path, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
{ "path_len", acl_parse_int, acl_fetch_path, acl_match_len, ACL_USE_L7REQ_VOLATILE },
#if 0 #if 0
{ "line", acl_parse_str, acl_fetch_line, acl_match_str }, { "line", acl_parse_str, acl_fetch_line, acl_match_str },