Merge pull request #18 from chaizhenhua/remotes/trunk

Added drop action for nginx
2025-08-14 13:56:01 +03:00 · 2012-12-21 04:42:10 -08:00 · 2012-12-21 04:42:10 -08:00 · cc6e8532ff
commit cc6e8532ff
parent f920303e8b 6815d17690
4 changed files with 45 additions and 7 deletions
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@ -64,6 +64,9 @@ unsigned long int DSOLOCAL conn_read_state_limit = 0;

 unsigned long int DSOLOCAL conn_write_state_limit = 0;

+#if defined(WIN32) || defined(VERSION_NGINX)
+int (*modsecDropAction)(request_rec *r) = NULL;
+#endif
 static int server_limit, thread_limit;

 typedef struct {
@ -250,11 +253,25 @@ int perform_interception(modsec_rec *msr) {
                }
            }
            #else
-            log_level = 1;
-            status = HTTP_INTERNAL_SERVER_ERROR;
-            message = apr_psprintf(msr->mp, "Access denied with code 500%s "
-                "(Error: Connection drop not implemented on this platform).",
-                phase_text);
+            {
+                if (modsecDropAction == NULL) {
+                    log_level = 1;
+                    status = HTTP_INTERNAL_SERVER_ERROR;
+                    message = apr_psprintf(msr->mp, "Access denied with code 500%s "
+                        "(Error: Connection drop not implemented on this platform.",
+                        phase_text);
+                } else if (modsecDropAction(msr->r) == 0) {
+                    status = HTTP_FORBIDDEN;
+                    message = apr_psprintf(msr->mp, "Access denied with connection close%s.",
+                        phase_text);
+                } else {
+                    log_level = 1;
+                    status = HTTP_INTERNAL_SERVER_ERROR;
+                    message = apr_psprintf(msr->mp, "Access denied with code 500%s "
+                        "(Error: Connection drop request failed.",
+                        phase_text);
+                }
+            }
            #endif
            break;

--- a/nginx/modsecurity/ngx_http_modsecurity.c
+++ b/nginx/modsecurity/ngx_http_modsecurity.c
@ -81,6 +81,8 @@ static char *ngx_http_modsecurity_add_handler(ngx_conf_t *cf, ngx_command_t *cmd
 static char *ngx_http_modsecurity_pass(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
 static ngx_int_t ngx_http_modsecurity_pass_to_backend(ngx_http_request_t *r);

+static int ngx_http_modsecurity_drop_action(request_rec *r);
+
 /* command handled by the module */
 static ngx_command_t  ngx_http_modsecurity_commands[] =  {
  { ngx_string("ModSecurityConfig"),
@ -223,6 +225,8 @@ ngx_http_modsecurity_init_process(ngx_cycle_t *cycle)

    modsecSetLogHook(cycle->log, modsecLog);

+    modsecSetDropAction(ngx_http_modsecurity_drop_action);
+
    modsecInit();
    /* config was already parsed in master process */
 //    modsecStartConfig();
@ -1094,3 +1098,16 @@ ngx_http_modsecurity_pass(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)

    return NGX_CONF_OK;
 }
+
+static int
+ngx_http_modsecurity_drop_action(request_rec *r)
+{
+    ngx_http_modsecurity_ctx_t     *ctx;
+    ctx = (ngx_http_modsecurity_ctx_t *) apr_table_get(r->notes, NOTE_NGINX_REQUEST_CTX);
+
+    if (ctx == NULL) {
+        return -1;
+    }
+    ctx->r->connection->error = 1;
+    return 0;
+}
--- a/standalone/api.c
+++ b/standalone/api.c
@ -41,7 +41,7 @@

 extern void *modsecLogObj;
 extern void (*modsecLogHook)(void *obj, int level, char *str);
-
+extern int (*modsecDropAction)(request_rec *r);
 apr_status_t (*modsecReadBody)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos);
 apr_status_t (*modsecReadResponse)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos);
 apr_status_t (*modsecWriteBody)(request_rec *r, char *buf, unsigned int length);
@ -528,3 +528,7 @@ void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned
 void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length))   {
    modsecWriteResponse = func;
 }
+
+void modsecSetDropAction(int (*func)(request_rec *r)) {
+    modsecDropAction = func;
+}
--- a/standalone/api.h
+++ b/standalone/api.h
@ -70,7 +70,7 @@ void modsecSetReadBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned
 void modsecSetReadResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos));
 void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length));
 void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length));
-
+void modsecSetDropAction(int (*func)(request_rec *r));
 int modsecIsResponseBodyAccessEnabled(request_rec *r);

 #ifdef __cplusplus