Adds SecStatusEngine On/Off switch

Add the possibility to turn the Status Engine On or Off using the directive SecStatusEngine [On/Off]. By default it is On.
2025-08-14 05:45:59 +03:00 · 2013-12-02 13:22:39 -08:00 · 2013-12-02 13:22:39 -08:00 · f86a71f7a7
commit f86a71f7a7
parent 0c6a661c69
4 changed files with 41 additions and 2 deletions
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -2083,6 +2083,23 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
    return NULL;
 }

+static const char *cmd_STATUS_ENGINE(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+    if (strcasecmp(p1, "on") == 0) {
+        status_engine_state = STATUS_ENGINE_ENABLED;
+    }
+    else if (strcasecmp(p1, "off") == 0) {
+        status_engine_state = STATUS_ENGINE_DISABLED;
+    }
+    else {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+                "SecStatusEngine: %s", p1);
+    }
+
+    return NULL;
+}
+
+
 static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag)
 {
    directory_config *dcfg = (directory_config *)_dcfg;
@ -3297,6 +3314,14 @@ const command_rec module_directives[] = {
        "On or Off"
    ),

+    AP_INIT_TAKE1 (
+        "SecStatusEngine",
+        cmd_status_engine,
+        NULL,
+        CMD_SCOPE_ANY,
+        "On or Off"
+    ),
+
    AP_INIT_TAKE1 (
        "SecXmlExternalEntity",
        cmd_xml_external_entity,
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@ -61,6 +61,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;

 unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;

+int DSOLOCAL status_engine_state = STATUS_ENGINE_ENABLED;
+
 unsigned long int DSOLOCAL conn_read_state_limit = 0;

 unsigned long int DSOLOCAL conn_write_state_limit = 0;
@ -724,7 +726,14 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
                    "Original server signature: %s", real_server_signature);
        }

-        msc_status_engine_call();
+        if (status_engine_state != STATUS_ENGINE_DISABLED) {
+            msc_status_engine_call();
+        }
+        else {
+            ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                    "Status engine is currently disabled, enable it by set " \
+                    "SecStatusEngine to On.");
+        }
    }

    srand((unsigned int)(time(NULL) * getpid()));
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@ -142,6 +142,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;

 extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;

+extern DSOLOCAL int status_engine_state;
+
 extern DSOLOCAL unsigned long int conn_read_state_limit;

 extern DSOLOCAL unsigned long int conn_write_state_limit;
@ -182,6 +184,9 @@ extern DSOLOCAL int *unicode_map_table;
 #define MODSEC_DETECTION_ONLY           1
 #define MODSEC_ENABLED                  2

+#define STATUS_ENGINE_ENABLED           1
+#define STATUS_ENGINE_DISABLED          0
+
 #define HASH_DISABLED             0
 #define HASH_ENABLED              1

--- a/apache2/msc_status_engine.h
+++ b/apache2/msc_status_engine.h
@ -21,7 +21,7 @@
 #include "apr_optional.h"
 #include "msc_pcre.h"

-#define STATUS_ENGINE_DNS_IN_BETWEEN_DOTS 13
+#define STATUS_ENGINE_DNS_IN_BETWEEN_DOTS 32

 #define STATUS_ENGINE_DNS_SUFFIX "status.modsecurity.org"