Adds SecRemoteRules as an build option

SecRemoteRules adds a new dependency to libcurl. Before only mlogc was depending on libcurl. SecRemoteRules also depends on the apr-tools with crypto support, which (as reported by our buildbots) is not default in some environments such as: MacOS X. This commit disable SecRemoteRules support if apr-tools was not compiled with crypto support.
2025-08-14 05:45:59 +03:00 · 2014-11-12 11:44:45 -03:00 · 2014-11-12 11:44:45 -03:00 · c54bb746c6
commit c54bb746c6
parent 38b9924705
5 changed files with 41 additions and 15 deletions
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -2217,7 +2217,7 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
 {
    directory_config *dcfg = (directory_config *)_dcfg;
    if (dcfg == NULL) return NULL;
-
+#ifdef WITH_REMOTE_RULES_SUPPORT
    if (strncasecmp(p1, "warn", 4) == 0)
    {
        remote_rules_fail_action = REMOTE_RULES_WARN_ON_FAIL;
@ -2231,6 +2231,10 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
                "SecRemoteRulesFailAction, expected: Abort or Warn.");
    }
+#else
+    return apr_psprintf(cmd->pool, "ModSecurity: " \
+        "SecRemoteRules: ModSecurity was not compiled with such functionality.");
+#endif

    return NULL;
 }
@ -2242,6 +2246,7 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
    directory_config *dcfg = (directory_config *)_dcfg;
    if (dcfg == NULL) return NULL;

+#ifdef WITH_REMOTE_RULES_SUPPORT
    // FIXME: make it https only.
    // if (strncasecmp(p1, "https", 5) != 0) {
    if (strncasecmp(p2, "http", 4) != 0) {
@ -2274,6 +2279,10 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
    {
        return error_msg;
    }
+#else
+    return apr_psprintf(cmd->pool, "ModSecurity:  " \
+        "SecRemoteRules: ModSecurity was not compiled with such functionality.");
+#endif

    return NULL;
 }
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@ -68,8 +68,10 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;

 unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;

+#ifdef WITH_REMOTE_RULES_SUPPORT
 msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
 int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+#endif

 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;

@ -759,6 +761,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
        }
 #endif

+#ifdef WITH_REMOTE_RULES_SUPPORT
        if (remote_rules_server != NULL)
        {
            if (remote_rules_server->amount_of_rules == 1)
@ -776,6 +779,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
                    remote_rules_server->uri);
            }
        }
+#endif
    }

    srand((unsigned int)(time(NULL) * getpid()));
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@ -33,7 +33,6 @@ typedef struct msc_arg msc_arg;
 typedef struct msc_string msc_string;
 typedef struct msc_parm msc_parm;

-#include "msc_remote_rules.h"
 #include "msc_release.h"
 #include "msc_logging.h"
 #include "msc_multipart.h"
@ -47,11 +46,13 @@ typedef struct msc_parm msc_parm;
 #include "msc_unicode.h"
 #include "re.h"
 #include "msc_crypt.h"
+#include "msc_remote_rules.h"

 #include "ap_config.h"
 #include "apr_md5.h"
 #include "apr_strings.h"
 #include "apr_hash.h"
+#include "apr_crypto.h"
 #include "httpd.h"
 #include "http_config.h"
 #include "http_log.h"
@ -145,8 +146,10 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;

 extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;

+#ifdef WITH_REMOTE_RULES_SUPPORT
 extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
 extern DSOLOCAL int remote_rules_fail_action;
+#endif

 extern DSOLOCAL int status_engine_state;

--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@ -26,9 +26,7 @@
 #define AP_MAX_ARGC 64
 #endif

-#ifndef APU_HAVE_CRYPTO
-#error Missing apu crypto module
-#endif
+#ifdef WITH_REMOTE_RULES_SUPPORT

 /**
 * @brief Insert a new SecRule to be processed by ModSecurity
@ -716,3 +714,4 @@ end:
    return 0;
 }

+#endif
--- a/apache2/msc_remote_rules.h
+++ b/apache2/msc_remote_rules.h
@ -12,23 +12,33 @@
 * directly using the email address security@modsecurity.org.
 */

+#if APU_HAVE_CRYPTO
+#define WITH_REMOTE_RULES_SUPPORT
+#endif
+
+#ifdef WITH_REMOTE_RULES_SUPPORT
+
 #ifndef MSC_REMOTE_RULES_H
 #define MSC_REMOTE_RULES_H

-#include <apr_general.h>
-#include <apr_optional.h>
-#include <apr_thread_pool.h>
-#include <curl/curl.h>
-
-#include <apr_sha1.h>
-#include <apr_crypto.h>
-#include "http_core.h"
-
+/* forward declarations */
 typedef struct msc_remote_rules_server msc_remote_rules_server;
 struct msc_curl_memory_buffer_t;

 #include "modsecurity.h"

+#include <apr_general.h>
+#include <apr_optional.h>
+#include <apr_thread_pool.h>
+#include <apr_sha1.h>
+
+#include "http_core.h"
+#include "http_config.h"
+
+#include <curl/curl.h>
+
+#include <apr_crypto.h>
+
 struct msc_remote_rules_server {
        directory_config *context;
        const char *context_label;
@ -38,7 +48,7 @@ struct msc_remote_rules_server {
 };

 const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
-                              void *mconfig, const char *args);
+                             void *mconfig, const char *args);

 int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
    struct msc_curl_memory_buffer_t *chunk, char **error_msg);
@ -64,4 +74,5 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
 int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk);

 #endif
+#endif