summaryrefslogtreecommitdiffstats
path: root/apache2
diff options
context:
space:
mode:
Diffstat (limited to 'apache2')
-rw-r--r--apache2/Makefile.in10
-rw-r--r--apache2/config.m46
-rw-r--r--apache2/mod_qos.c14830
-rw-r--r--apache2/mod_qos.h79
4 files changed, 14925 insertions, 0 deletions
diff --git a/apache2/Makefile.in b/apache2/Makefile.in
new file mode 100644
index 0000000..d4733b2
--- /dev/null
+++ b/apache2/Makefile.in
@@ -0,0 +1,10 @@
+
+include $(top_srcdir)/build/special.mk
+
+# use the -lcrypto option when loading mod_qos as a DSO into
+# an Apache with dynamically loaded OpenSSL library (e.g. when not
+# using mod_ssl)
+SH_LDFLAGS += -lcrypto
+SH_LDFLAGS += -lpcre
+LDFLAGS += -lcrypto
+LDFLAGS += -lpcre \ No newline at end of file
diff --git a/apache2/config.m4 b/apache2/config.m4
new file mode 100644
index 0000000..a069da4
--- /dev/null
+++ b/apache2/config.m4
@@ -0,0 +1,6 @@
+
+APACHE_MODPATH_INIT(qos)
+
+APACHE_MODULE(qos, quality of service module, , , shared)
+
+APACHE_MODPATH_FINISH
diff --git a/apache2/mod_qos.c b/apache2/mod_qos.c
new file mode 100644
index 0000000..cef1cf9
--- /dev/null
+++ b/apache2/mod_qos.c
@@ -0,0 +1,14830 @@
+/* -*-mode: c; indent-tabs-mode: nil; c-basic-offset: 2; -*-
+ */
+
+/**
+ * mod_qos.c: Quality of service module for Apache Web Server.
+ *
+ * The Apache Web Servers requires threads and processes to serve
+ * requests. Each TCP connection to the web server occupies one
+ * thread or process. Sometimes, a server gets too busy to serve
+ * every request due the lack of free processes or threads.
+ *
+ * This module implements control mechanisms that can provide
+ * different priority to different requests.
+ *
+ * mod_qos requires OpenSSL, PCRE, threading and shared memory
+ * support. It has been designed, developed and fully
+ * tested for Apache httpd MPM worker binaries and it is optimized
+ * to be used in a reverse proxy.
+ *
+ * See http://mod-qos.sourceforge.net/ for further
+ * details and to obtain the latest version of this module.
+ *
+ * Copyright (C) 2023 Pascal Buchbinder
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+/************************************************************************
+ * Version
+ ***********************************************************************/
+static const char revision[] = "$Id: mod_qos.c 2706 2023-05-16 19:52:59Z pbuchbinder $";
+static const char g_revision[] = "11.74";
+
+/************************************************************************
+ * Includes
+ ***********************************************************************/
+/* std */
+#include <ctype.h>
+#include <time.h>
+
+#ifndef WIN32
+# include <arpa/inet.h>
+# include <unistd.h>
+#else
+# include <ws2tcpip.h>
+# include <windows.h>
+# include <direct.h>
+#endif
+
+#include <stdlib.h>
+
+// for socket options
+#ifdef __unix__
+#include <sys/types.h>
+#include <sys/socket.h>
+#endif
+
+/* apache */
+#include <httpd.h>
+#include <http_core.h>
+#include <http_main.h>
+#include <http_protocol.h>
+#include <http_request.h>
+#include <http_connection.h>
+#define CORE_PRIVATE
+#include <http_config.h>
+#include <http_log.h>
+#include <util_filter.h>
+#include <ap_mpm.h>
+#include <scoreboard.h>
+#include <ap_config.h>
+#include <ap_regex.h>
+#include <mpm_common.h>
+#include <util_md5.h>
+
+/* apr / scrlib */
+#include <apr_strings.h>
+#include <apr_file_info.h>
+#include <apr_base64.h>
+#include <apr_hooks.h>
+#include <apr_lib.h>
+#ifdef AP_NEED_SET_MUTEX_PERMS
+#include <unixd.h>
+#endif
+
+/* mod_qos requires OpenSSL */
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+/* additional modules */
+#include "mod_status.h"
+
+/* Preprocessor Definitions
+ * this (optional header file allowing other modules to register to our hoos: */
+#ifdef QS_MOD_EXT_HOOKS
+#include "mod_qos.h"
+#endif
+
+/************************************************************************
+ * defines
+ ***********************************************************************/
+#define QOS_LOG_PFX(id) "mod_qos("#id"): "
+#define QOS_LOGD_PFX "mod_qos(): "
+#define QOS_LOG_MSGCT 200
+#define QOS_HASH_LEN 16
+#define QOS_MAX_AGE "3600"
+#define QOS_COOKIE_NAME "MODQOS"
+#define QOS_USER_TRACKING "mod_qos_user_id"
+#define QOS_USER_TRACKING_NEW "QOS_USER_ID_NEW"
+#define QOS_USER_TRACKING_RENEW "QOS_USER_ID_RENEW"
+#define QOS_DISABLE_UTC_ENFORCEMENT "DISABLE_UTC_ENFORCEMENT"
+#define QOS_MILESTONE "mod_qos_milestone"
+#define QOS_MILESTONE_TIMEOUT 3600
+#define QOS_MILESTONE_COOKIE "QSSCD"
+#define QS_SIM_IP_LEN 100
+#define QS_USR_SPE "mod_qos::user"
+#define QS_REC_COOKIE "mod_qos::gc"
+#define QS_R010_ALREADY_BLOCKED "R010B"
+#define QS_R012_ALREADY_BLOCKED "R012B"
+#define QS_R013_ALREADY_BLOCKED "R013B"
+#define QS_PKT_RATE_TH 3
+#define QS_BW_SAMPLING_RATE 10
+// split linear QS_SrvMaxConnPerIP* entry (conn->conn_ip) search:
+#ifndef QS_MEM_SEG
+#define QS_MEM_SEG 4
+#endif
+// buffer if srv opens new connections faster than it closes existing ones
+#define QS_DOUBLE_CONN_H 128
+#define QS_DOUBLE_CONN 32
+
+#define QS_CONN_ABORT "mod_qos_connection_aborted"
+
+/* Preprocessor Definitions
+ * QSLOG_CLID, QSLOG_EVENT, QSLOG_AVERAGE define parameters for QSLog: */
+#ifndef QSLOG_CLID
+#define QSLOG_CLID "mod_qos_user_id"
+#endif
+#ifndef QSLOG_EVENT
+#define QSLOG_EVENT "Event"
+#endif
+#ifndef QSLOG_AVERAGE
+#define QSLOG_AVERAGE "QS_AllConn"
+#endif
+
+/* Preprocessor Definitions
+ * logs repeating messages only once: */
+#ifndef QS_LOG_REPEAT
+#define QS_LOG_REPEAT 20
+#endif
+
+#define QS_IP4IN6 "::ffff:"
+
+#define QS_PARP_Q "qos-parp-query"
+#define QS_PARP_QUERY "qos-query"
+#define QS_PARP_PATH "qos-path"
+#define QS_PARP_LOC "qos-loc"
+
+#define QSLOGFORMAT "ISBiDUkEQaC"
+
+#define QS_SET_DSCP "QS_Set_DSCP"
+
+#define QS_RESDELYATIME "QS_ResponseDelayTime"
+#define QS_CONNID "QS_ConnectionId"
+#define QS_COUNTRY "QS_Country"
+#define QS_SERIALIZE "QS_Serialize"
+#define QS_SRVSERIALIZE "QS_SrvSerialize"
+#define QS_ErrorNotes "QS_ErrorNotes"
+#define QS_BLOCK "QS_Block"
+#define QS_BLOCK_SEEN "QS_Block_seen"
+#define QS_BLOCK_DEC "QS_Block_Decrement"
+#define QS_LIMIT_NAME_PFX "QS_Limit_VAR_NAME_IDX"
+#define QS_LIMIT_DEFAULT "QS_Limit"
+#define QS_LIMIT_SEEN "QS_Limit_seen"
+#define QS_COUNTER_SUFFIX "_Counter"
+#define QS_LIMIT_CLEAR "_Clear"
+#define QS_LIMIT_DEC "_Decrement"
+#define QS_LIMIT_REMAINING "_Remaining"
+#define QS_EVENT "QS_Event"
+#define QS_COND "QS_Cond"
+#define QS_ISVIPREQ "QS_IsVipRequest"
+#define QS_VipRequest "QS_VipRequest"
+#define QS_KEEPALIVE "QS_KeepAliveTimeout"
+#define QS_MAXKEEPALIVEREQ "QS_MaxKeepAliveRequests"
+#define QS_TIMEOUT "QS_Timeout"
+#define QS_CLOSE "QS_SrvMinDataRate"
+#define QS_MAXIP "QS_SrvMaxConnPerIP"
+#define QS_EMPTY_CON "NullConnection"
+#define QS_BROKEN_CON "BrokenConnection"
+#define QS_RuleId "QS_RuleId"
+
+// enable connection counter if one of the following feature is used
+#define QS_COUNT_CONNECTIONS(sconf) (sconf->max_conn != -1) || \
+ (sconf->min_rate_max != -1) || \
+ (sconf->max_conn_close != -1) || \
+ (sconf->max_conn_per_ip_connections != 1) || \
+ sconf->geodb
+
+
+// "3758096128","3758096383","AU"
+#define QS_GEO_PATTERN "\"([0-9]+)\",\"([0-9]+)\",\"([A-Z0-9]{2}|-)\""
+
+static const char *m_env_variables[] = {
+ QS_ErrorNotes,
+ QS_SERIALIZE,
+ QS_SRVSERIALIZE,
+ QS_BLOCK,
+ QS_BLOCK_SEEN,
+ QS_BLOCK_DEC,
+ QS_LIMIT_DEFAULT,
+ QS_LIMIT_SEEN,
+ QS_EVENT,
+ QS_COND,
+ QS_ISVIPREQ,
+ QS_VipRequest,
+ QS_KEEPALIVE,
+ QS_MAXKEEPALIVEREQ,
+ QS_CLOSE,
+ QS_EMPTY_CON,
+ QS_BROKEN_CON,
+ QS_RuleId,
+ NULL
+};
+
+static const char *m_note_variables[] = {
+ QS_PARP_PATH,
+ QS_PARP_QUERY,
+ NULL
+};
+
+#define QS_INCTX_ID inctx->id
+
+/* Preprocessor Definitions
+ This is the measure rate for QS_SrvRequestRate/QS_SrvMinDataRate which may
+ be increased to 10 or 30 seconds in order to compensate bandwidth variations.
+ You may also use the QS_SrvSampleRate directive to override this default.
+ Set it greater than the Apache Timeout directive to prevent from closing
+ unused speculative TCP pre-connections. */
+#ifndef QS_REQ_RATE_TM
+#define QS_REQ_RATE_TM 5
+#endif
+
+#define QS_MAX_DELAY 5000000
+
+#define QOS_DEC_MODE_FLAGS_URL 0x00
+#define QOS_DEC_MODE_FLAGS_HTML 0x01
+#define QOS_DEC_MODE_FLAGS_UNI 0x02
+#define QOS_DEC_MODE_FLAGS_ANSI 0x04
+
+#define QOS_LOW_FLAG_PKGRATE 0x01
+#define QOS_LOW_FLAG_BEHAVIOR_OK 0x02
+#define QOS_LOW_FLAG_BEHAVIOR_BAD 0x04
+#define QOS_LOW_FLAG_EVENTBLOCK 0x08
+#define QOS_LOW_FLAG_EVENTLIMIT 0x10
+#define QOS_LOW_FLAG_TIMEOUT 0x20
+#define QOS_LOW_TIMEOUT 86400
+
+#define QOS_CC_BEHAVIOR_THR 50000
+#define QOS_CC_BEHAVIOR_THR_SINGLE 50
+#ifdef QS_INTERNAL_TEST
+#undef QOS_CC_BEHAVIOR_THR
+#undef QOS_CC_BEHAVIOR_THR_SINGLE
+#define QOS_CC_BEHAVIOR_THR 50
+#define QOS_CC_BEHAVIOR_THR_SINGLE 20
+#endif
+#define QOS_CC_BEHAVIOR_TOLERANCE_STR "20"
+
+/* Apache 2.2 testing needs patch in util_pcre.c line 134 as it does not know AP_REG_DOTALL
+ * Add:
+ * if ((cflags & 0x40) != 0) options |= 0x04; */
+#ifndef AP_REG_DOTALL
+#define AP_REG_DOTALL 0x40
+#endif
+
+#define QS_ERR_TIME_FORMAT "%a %b %d %H:%M:%S %Y"
+
+#define QSMOD 4
+#define QOS_DELIM ";"
+
+// Apache 2.4 compat
+#if (AP_SERVER_MINORVERSION_NUMBER == 4)
+#define QS_APACHE_24 1
+#if (AP_SERVER_PATCHLEVEL_NUMBER > 17)
+#define QS_CONN_REMOTEIP(c) c->master ? c->master->client_ip : c->client_ip
+#define QS_CONN_REMOTEADDR(c) c->master ? c->master->client_addr : c->client_addr
+#define QS_CONN_MASTER(c) (c->master ? c->master : c)
+#else
+#define QS_CONN_REMOTEIP(c) c->client_ip
+#define QS_CONN_REMOTEADDR(c) c->client_addr
+#define QS_CONN_MASTER(c) (c)
+#endif
+#define QOS_MY_GENERATION(g) ap_mpm_query(AP_MPMQ_GENERATION, &g)
+#define qos_unixd_set_global_mutex_perms ap_unixd_set_global_mutex_perms
+#define QS_ISDEBUG(s) APLOG_IS_LEVEL(s, APLOG_DEBUG)
+#else
+#define QS_CONN_REMOTEIP(c) c->remote_ip
+#define QS_CONN_REMOTEADDR(c) c->remote_addr
+#define QS_CONN_MASTER(c) (c)
+#define QOS_MY_GENERATION(g) g = ap_my_generation
+#define qos_unixd_set_global_mutex_perms unixd_set_global_mutex_perms
+#define QS_ISDEBUG(s) s->loglevel >= APLOG_DEBUG
+#endif
+
+#ifdef QS_MOD_EXT_HOOKS
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(qos, QOS, apr_status_t, path_decode_hook,
+ (request_rec *r, char **path, int *len),
+ (r, path, len),
+ OK, DECLINED)
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(qos, QOS, apr_status_t, query_decode_hook,
+ (request_rec *r, char **query, int *len),
+ (r, query, len),
+ OK, DECLINED)
+#endif
+
+/************************************************************************
+ * structures
+ ***********************************************************************/
+typedef struct {
+ const char *name; /* variable name */
+ ap_regex_t *preg;
+ const char *url; /* redirect url */
+ int code;
+} qos_redirectif_entry_t;
+
+typedef struct {
+ unsigned long start;
+ unsigned long end;
+ char country[3];
+} qos_geo_entry_t;
+
+typedef struct {
+ qos_geo_entry_t *data; // fist element
+ int size; // number of elements
+ const char *path;
+} qos_geo_t;
+
+typedef struct {
+ const char *url;
+ const char *path;
+} qos_errelt_t;
+
+static const qos_errelt_t m_error_pages[] = {
+ { "/errorpages/server_error.html", "work/errorpages/server_error.html" },
+ { "/errorpages/forbidden.html", "work/errorpages/forbidden.html" },
+ { "/errorpages/500.html", "work/errorpages/500.html" },
+ { "/errorpages/error.html", "work/errorpages/error.html" },
+ { "/errorpages/error500.html", "work/errorpages/error500.html" },
+ { "/errorpages/gateway_error.html", "work/errorpages/gateway_error.html" },
+ { NULL, NULL }
+};
+
+typedef struct {
+ int id;
+ const char *name;
+} qos_dscp_t;
+
+static const qos_dscp_t m_dscp_desc[] = {
+ { 0, "none" },
+ { 8, "class selector 1" },
+ { 10, "assured forwarding 11" },
+ { 12, "assured forwarding 12" },
+ { 14, "assured forwarding 13" },
+ { 16, "class selector 2" },
+ { 18, "assured forwarding 21" },
+ { 20, "assured forwarding 22" },
+ { 22, "assured forwarding 23" },
+ { 24, "class selector 3" },
+ { 26, "assured forwarding 31" },
+ { 28, "assured forwarding 32" },
+ { 30, "assured forwarding 33" },
+ { 32, "class selector 4" },
+ { 34, "assured forwarding 41" },
+ { 36, "assured forwarding 42" },
+ { 38, "assured forwarding 43" },
+ { 40, "class selector 5" },
+ { 44, "voice admit" },
+ { 46, "expedited forwarding" },
+ { 48, "class selector 6" },
+ { 56, "class selector 7" },
+ { -1, "unknown" }
+};
+
+typedef struct {
+ unsigned short int limit;
+ time_t limitTime;
+} qos_s_entry_limit_t;
+
+typedef struct {
+ unsigned short int limit;
+ time_t limitTime;
+ const char *eventClearStr; // name of the var clearing the counter
+ const char *eventDecStr; // name of the var decrementing the counter
+ const char *condStr;
+ ap_regex_t *preg;
+} qos_s_entry_limit_conf_t;
+
+typedef struct {
+ apr_uint64_t ip6[2];
+ time_t lowrate;
+ unsigned int lowratestatus;
+ /* behavior */
+ unsigned int html;
+ unsigned int cssjs;
+ unsigned int img;
+ unsigned int other;
+ unsigned int notmodified;
+ unsigned int events;
+ /* serialization flag */
+ unsigned int serialize;
+ apr_time_t serializeQueue;
+ /* prefer */
+ short int vip;
+ /* ev block */
+ unsigned short int block;
+ short int blockMsg;
+ time_t time;
+ time_t blockTime;
+ qos_s_entry_limit_t *limit;
+ /* ev/sec */
+ time_t interval;
+ long req;
+ long req_per_sec;
+ int req_per_sec_block_rate;
+ int event_req;
+} qos_s_entry_t;
+
+typedef struct {
+ time_t t;
+ /* index */
+ qos_s_entry_t **ipd;
+ qos_s_entry_t **timed;
+ /* shm */
+ apr_shm_t *m;
+ char *lock_file;
+ apr_global_mutex_t *lock;
+ /* size */
+ int num;
+ int max;
+ int msize;
+ /* limit table settings */
+ apr_table_t *limitTable;
+ /* av. behavior */
+ unsigned long long html;
+ unsigned long long cssjs;
+ unsigned long long img;
+ unsigned long long other;
+ unsigned long long notmodified;
+ /* data */
+ int connections;
+ /* remember for which clients this rec has created (shared mem) */
+ int generation_locked; // indicates the the counters have been cleared for this generation
+ /* log counter */
+ unsigned long long eventTotal[QOS_LOG_MSGCT]; // total number of events since initial start
+ unsigned long long eventLast[QOS_LOG_MSGCT]; // number of events since last read
+} qos_s_t;
+
+typedef enum {
+ QS_IP_V6_DEFAULT = 0,
+ QS_IP_V6,
+ QS_IP_V4
+} qs_ip_type_e;
+
+typedef enum {
+ QS_CONN_STATE_NEW = 0,
+ QS_CONN_STATE_HEAD,
+ QS_CONN_STATE_BODY,
+ QS_CONN_STATE_CHUNKED,
+ QS_CONN_STATE_KEEP,
+ QS_CONN_STATE_RESPONSE,
+ QS_CONN_STATE_END,
+ QS_CONN_STATE_DESTROY
+} qs_conn_state_e;
+
+typedef enum {
+ QS_HEADERFILTER_OFF_DEFAULT = 0,
+ QS_HEADERFILTER_OFF,
+ QS_HEADERFILTER_ON,
+ QS_HEADERFILTER_SIZE_ONLY,
+ QS_HEADERFILTER_SILENT
+} qs_headerfilter_mode_e;
+
+typedef enum {
+ QS_FLT_ACTION_DROP,
+ QS_FLT_ACTION_DENY
+} qs_flt_action_e;
+
+typedef enum {
+ QS_EVENT_ACTION_DENY = 0
+} qs_event_action_e;
+
+typedef enum {
+ QS_DENY_REQUEST_LINE,
+ QS_DENY_PATH,
+ QS_DENY_QUERY,
+ QS_DENY_EVENT,
+ QS_PERMIT_URI
+} qs_rfilter_type_e;
+
+typedef enum {
+ QS_LOG = 0,
+ QS_DENY,
+ QS_OFF_DEFAULT,
+ QS_OFF
+} qs_rfilter_action_e;
+
+enum qos_cmp {
+ QS_CMP_EQ,
+ QS_CMP_NE,
+ QS_CMP_GT,
+ QS_CMP_LT
+};
+
+typedef struct {
+ enum qos_cmp cmp;
+ const char *left;
+ const char *right;
+ const char *variable;
+ const char *value;
+} qos_cmp_entry_t;
+
+typedef struct {
+ char *variable1;
+ char *variable2;
+ ap_regex_t *preg;
+ char *name;
+ char *value;
+} qos_setenvif_t;
+
+typedef struct {
+ ap_regex_t *preg;
+ char *name;
+ char *value;
+} qos_setenvifquery_t;
+
+typedef struct {
+ ap_regex_t *pregx;
+ char *name;
+ char *value;
+} qos_setenvifparpbody_t;
+
+/**
+ * generic request filter
+ */
+typedef struct {
+ ap_regex_t *preg;
+ char *text;
+ char *id;
+ qs_rfilter_type_e type;
+ qs_rfilter_action_e action;
+} qos_rfilter_t;
+
+/**
+ * list of in_filter ctx
+ */
+typedef struct {
+ apr_table_t *table;
+#if APR_HAS_THREADS
+ apr_thread_mutex_t *lock;
+ apr_thread_t *thread;
+#endif
+ int exit;
+} qos_ifctx_list_t;
+
+/**
+ * ip entry
+ */
+typedef struct qs_ip_entry_st {
+ apr_uint64_t ip6[2];
+ int counter;
+ int error;
+} qs_ip_entry_t;
+
+typedef struct {
+ qs_ip_entry_t *conn_ip;
+ int conn_ip_len;
+ int connections;
+ int max_client;
+} qs_conn_t;
+
+typedef struct {
+ apr_time_t q1; // first request in queue
+ apr_time_t q2; // second request in queue
+ int locked;
+} qs_serial_t;
+
+/**
+ * session cookie
+ */
+typedef struct {
+ time_t time;
+} qos_session_t;
+
+/**
+ * cfg/act entry for event limitation
+ */
+typedef struct {
+ const char *env_var;// configured environment variable name
+ const char *eventDecStr;
+ int max; // configured max. num
+ int seconds; // configured duration
+ int limit; // event counter
+ time_t limitTime; // timer
+ qs_event_action_e action;
+ const char *condStr;
+ ap_regex_t *preg;
+} qos_event_limit_entry_t;
+
+/**
+ * access control table entry
+ */
+typedef struct qs_acentry_st {
+ int id;
+ /** pointer to lock of the actable */
+ apr_global_mutex_t *lock;
+ /** location rules */
+ char *url;
+ int url_len;
+ char *event;
+ ap_regex_t *regex;
+ ap_regex_t *regex_var;
+ ap_regex_t *condition;
+ int counter;
+ int limit;
+ /* measurement */
+ apr_time_t interval;
+ long req;
+ long req_per_sec;
+ long req_per_sec_limit;
+ int req_per_sec_block_rate;
+ long bytes; // transferred bytes
+ apr_time_t kbytes_interval_us; // elapsed time
+ apr_off_t kbytes_per_sec; // actual kbytes/sec (measured)
+ apr_off_t kbytes_per_sec_limit; // configured limitation
+ apr_off_t kbytes_per_sec_block_rate; // current wait time
+ struct qs_acentry_st *next;
+} qs_acentry_t;
+
+/**
+ * access control table (act)
+ */
+typedef struct qs_actable_st {
+ apr_size_t size;
+ apr_shm_t *m;
+ apr_pool_t *pool;
+ /** process pool is used to create user space data */
+ apr_pool_t *ppool;
+ /** rule entry list */
+ qs_acentry_t *entry; /* shm pointer */
+ int has_events;
+ /** event limit list */
+ qos_event_limit_entry_t *event_entry;
+ /** mutex */
+ char *lock_file;
+ apr_global_mutex_t *lock;
+ /** ip/conn data */
+ qs_conn_t *conn; /* shm pointer */
+ unsigned int timeout;
+ /* settings */
+ int child_init;
+ /* serialize */
+ qs_serial_t *serialize; /* shm pointer */
+ time_t *qsstatustimer; /* shm pointer */
+} qs_actable_t;
+
+/**
+ * network table (total connections, vip connections, first update, last update)
+ */
+typedef struct qs_netstat_st {
+ // int counter;
+ int vip;
+ // time_t first;
+ // time_t last;
+} qs_netstat_t;
+
+/**
+ * user space
+ */
+typedef struct {
+ int server_start;
+ apr_table_t *act_table;
+ /* client control */
+ qos_s_t *qos_cc;
+} qos_user_t;
+
+/**
+ * directory config
+ */
+typedef struct {
+ char *path;
+ apr_table_t *rfilter_table;
+ int inheritoff;
+ qs_headerfilter_mode_e headerfilter;
+ qs_headerfilter_mode_e resheaderfilter;
+ int bodyfilter_d;
+ int bodyfilter_p;
+ int dec_mode;
+ apr_off_t maxpost;
+ qs_rfilter_action_e urldecoding;
+ const char *response_pattern;
+ int response_pattern_len;
+ const char *response_pattern_var;
+ apr_array_header_t *redirectif;
+ int decodings;
+ apr_table_t *disable_reqrate_events;
+ apr_table_t *setenvstatus_t;
+ apr_array_header_t *setenvif_t;
+ apr_table_t *setenvifquery_t;
+ apr_array_header_t* setenvcmp;
+} qos_dir_config;
+
+/**
+ * server configuration
+ */
+typedef struct {
+ apr_pool_t *pool;
+ int is_virtual;
+ server_rec *base_server;
+ char *mfile;
+ qs_actable_t *act;
+ const char *error_page;
+ apr_table_t *location_t;
+ apr_table_t *setenv_t;
+ apr_table_t *setreqheader_t;
+ apr_table_t *setreqheaderlate_t;
+ apr_table_t *unsetresheader_t;
+ apr_table_t *unsetreqheader_t;
+ apr_array_header_t *setenvif_t;
+ apr_table_t *setenvifquery_t;
+ apr_table_t *setenvifparp_t;
+ apr_table_t *setenvifparpbody_t;
+ apr_table_t *setenvstatus_t;
+ apr_table_t *setenvresheader_t;
+ apr_table_t *setenvresheadermatch_t;
+ apr_table_t *setenvres_t;
+ qs_headerfilter_mode_e headerfilter;
+ qs_headerfilter_mode_e resheaderfilter;
+ apr_array_header_t *redirectif;
+ char *cookie_name;
+ char *cookie_path;
+ char *user_tracking_cookie;
+ char *user_tracking_cookie_force;
+ int user_tracking_cookie_session;
+ int user_tracking_cookie_jsredirect;
+ char *user_tracking_cookie_domain;
+ int max_age;
+ unsigned char key[EVP_MAX_KEY_LENGTH];
+ const unsigned char *rawKey;
+ int rawKeyLen;
+ int keyset;
+ char *header_name;
+ int header_name_drop;
+ ap_regex_t *header_name_regex;
+ apr_table_t *disable_reqrate_events;
+ char *ip_header_name;
+ int ip_header_name_drop;
+ ap_regex_t *ip_header_name_regex;
+ int vip_user;
+ int vip_ip_user;
+
+ int has_conn_counter;
+ int max_conn;
+ int max_conn_close;
+ int max_conn_close_percent;
+ int max_conn_per_ip;
+ int max_conn_per_ip_connections;
+ int max_conn_per_ip_ignore_vip;
+
+ int serialize;
+ int serializeTMO;
+ apr_table_t *exclude_ip;
+ qos_ifctx_list_t *inctx_t;
+ apr_table_t *hfilter_table; /* GLOBAL ONLY */
+ apr_table_t *reshfilter_table; /* GLOBAL ONLY */
+ /* event rule (enables rule validation) */
+ int has_event_filter;
+ int has_event_limit;
+ apr_array_header_t *event_limit_a;
+ /* min data rate */
+ int req_rate; /* GLOBAL ONLY */
+ int req_rate_start; /* GLOBAL ONLY */
+ int min_rate; /* GLOBAL ONLY */
+ int min_rate_max; /* GLOBAL ONLY */
+ int min_rate_off;
+ int req_ignore_vip_rate; /* GLOBAL ONLY */
+ int max_clients;
+ int max_clients_conf;
+#ifdef QS_INTERNAL_TEST
+ apr_table_t *testip;
+ int enable_testip;
+#endif
+ int disable_handler;
+ int log_only; /* GLOBAL ONLY */
+ int log_env;
+ /* client control */
+ int has_qos_cc; /* GLOBAL ONLY */
+ int qos_cc_size; /* GLOBAL ONLY */
+ int qos_cc_prefer; /* GLOBAL ONLY */
+ apr_table_t *cc_exclude_ip; /* GLOBAL ONLY */
+ int qos_cc_prefer_limit;
+ int qos_cc_event; /* GLOBAL ONLY */
+ int qos_cc_event_req; /* GLOBAL ONLY */
+ int qos_cc_block; /* GLOBAL ONLY */
+ int qos_cc_blockTime; /* GLOBAL ONLY */
+ apr_table_t *qos_cc_limitTable; /* GLOBAL ONLY */
+ char *qos_cc_forwardedfor; /* GLOBAL ONLY */
+ int qos_cc_serialize; /* GLOBAL ONLY */
+ apr_off_t maxpost;
+ int cc_tolerance; /* GLOBAL ONLY */
+ int cc_tolerance_max; /* GLOBAL ONLY */
+ int cc_tolerance_min; /* GLOBAL ONLY */
+ int qs_req_rate_tm; /* GLOBAL ONLY */
+ qos_geo_t *geodb; /* GLOBAL ONLY */
+ int geo_limit; /* GLOBAL ONLY */
+ apr_table_t *geo_priv; /* GLOBAL ONLY */
+ int geo_excludeUnknown; /* GLOBAL ONLY */
+ qs_ip_type_e ip_type; /* GLOBAL ONLY */
+ int qsstatus; /* GLOBAL ONLY */
+ int qsevents; /* GLOBAL ONLY */
+ apr_array_header_t *milestones;
+ time_t milestoneTimeout;
+ /* predefined client behavior */
+ int static_on;
+ unsigned long long static_html;
+ unsigned long long static_cssjs;
+ unsigned long long static_img;
+ unsigned long long static_other;
+ unsigned long long static_notmodified;
+ apr_file_t *qslog_p; /* GLOBAL ONLY */
+ const char *qslog_str; /* GLOBAL ONLY */
+} qos_srv_config;
+
+#if APR_HAS_THREADS
+typedef struct {
+ apr_thread_t *thread;
+ int exit;
+ int maxclients;
+ time_t *qsstatustimer; /* shm in act */
+ apr_global_mutex_t *lock; /* lock of act */
+ apr_pool_t *pool;
+ qos_srv_config *sconf;
+} qsstatus_t;
+#endif
+
+/**
+ * in_filter ctx
+ */
+typedef struct {
+ apr_socket_t *clientSocket;
+ qs_conn_state_e status;
+ apr_off_t cl_val;
+ conn_rec *c;
+ request_rec *r;
+ /* upload bandwidth (received bytes and start time) */
+ time_t time;
+ apr_size_t nbytes; // measuring the bytes/sec
+ int hasBytes;
+ int shutdown;
+ int errors;
+ int disabled;
+ int lowrate;
+ char *id;
+ qos_srv_config *sconf;
+} qos_ifctx_t;
+
+/**
+ * connection configuration
+ */
+typedef struct {
+ apr_uint64_t ip6[2];
+ conn_rec *mc; // master (real) connection
+ char *evmsg;
+ qos_srv_config *sconf;
+ int is_vip; /* is vip, either by request or by session or by ip */
+ int set_vip_by_header; /* received vip header from application/or auth. user (propagate to IP store)*/
+ int has_lowrate;
+ qs_conn_t *conn;
+} qs_conn_ctx;
+
+typedef struct {
+ qs_conn_ctx *cconf;
+ conn_rec *c;
+ qos_srv_config *sconf;
+ int requests; // number of requests processed (received) by this connection
+ apr_socket_t *clientSocket;
+} qs_conn_base_ctx;
+
+/**
+ * request configuration
+ */
+typedef struct {
+ qs_acentry_t *entry;
+ qs_acentry_t *entry_cond;
+ apr_table_t *event_entries;
+ char *evmsg;
+ int is_vip;
+ apr_off_t maxpostcount;
+ int cc_event_req_set;
+ apr_uint64_t cc_event_ip[2];
+ int cc_serialize_set;
+ apr_uint64_t cc_serialize_ip[2];
+ int srv_serialize_set;
+ char *body_window;
+ apr_off_t response_delayed; // indicates, if the response has been delayed (T)
+} qs_req_ctx;
+
+
+/**
+ * Delay filter context
+ */
+typedef struct {
+ qs_acentry_t *entry;
+ qs_req_ctx *rctx;
+} qos_delay_ctx_t;
+
+/**
+ * rule set
+ */
+typedef struct {
+ char *url;
+ char *event;
+ int limit;
+ ap_regex_t *regex;
+ ap_regex_t *regex_var;
+ ap_regex_t *condition;
+ long req_per_sec_limit;
+ apr_off_t kbytes_per_sec_limit;
+} qs_rule_ctx_t;
+
+typedef struct {
+ const char* name;
+ const char* pattern;
+ qs_flt_action_e action;
+ int size;
+} qos_her_t;
+
+typedef struct {
+ ap_regex_t *preg;
+ char *name;
+ char *value;
+} qos_pregval_t;
+
+typedef struct {
+ int num;
+ int thinktime;
+ const char* pattern;
+ ap_regex_t *preg;
+ qs_rfilter_action_e action;
+} qos_milestone_t;
+
+typedef struct {
+ char *text;
+ ap_regex_t *preg;
+ qs_flt_action_e action;
+ int size;
+} qos_fhlt_r_t;
+
+typedef struct {
+ apr_time_t request_time;
+ unsigned int in_addr;
+ unsigned int conn;
+#if APR_HAS_THREADS
+ apr_os_thread_t tid;
+#endif
+ unsigned int unique_id_counter;
+} qos_unique_id_t;
+
+/************************************************************************
+ * Globals
+ ***********************************************************************/
+
+module AP_MODULE_DECLARE_DATA qos_module;
+static int m_forced_close = 1;
+static int m_retcode = HTTP_INTERNAL_SERVER_ERROR;
+static int m_threaded_mpm = 1; // note: mod_qos is fully tested for Apache 2.2 worker MPM only
+static int m_event_mpm = 0;
+static double m_event_mpm_worker_factor = 2;
+static unsigned int m_hostcode = 0;
+static int m_generation = 0; // parent process (restart generation)
+static int m_qos_cc_partition = QSMOD;
+static qos_unique_id_t m_unique_id;
+static const char qos_basis_64[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
+
+#ifdef QS_INTERNAL_TEST
+static int m_qs_sim_ip_len = QS_SIM_IP_LEN;
+#endif
+
+#ifdef QS_APACHE_24
+APLOG_USE_MODULE(qos);
+#endif
+
+/* mod_parp, forward and optional function */
+static apr_status_t qos_cleanup_conn(void *p);
+static apr_status_t qos_base_cleanup_conn(void *p);
+
+static qs_ip_type_e m_ip_type = QS_IP_V6_DEFAULT;
+
+APR_DECLARE_OPTIONAL_FN(apr_table_t *, parp_hp_table, (request_rec *));
+APR_DECLARE_OPTIONAL_FN(char *, parp_body_data, (request_rec *, apr_size_t *));
+static APR_OPTIONAL_FN_TYPE(parp_hp_table) *qos_parp_hp_table_fn = NULL;
+static APR_OPTIONAL_FN_TYPE(parp_body_data) *qos_parp_body_data_fn = NULL;
+static int m_requires_parp = 0;
+static int m_enable_audit = 0;
+/* mod_ssl, forward and optional function */
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *qos_is_https = NULL;
+APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, (apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *));
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *qos_ssl_var = NULL;
+
+static void qs_inc_eventcounter(apr_pool_t *ppool, int event, int locked);
+#define QS_INC_EVENT(sconf, event) if(sconf->qsevents) qs_inc_eventcounter(sconf->act->ppool, event, 0)
+#define QS_INC_EVENT_LOCKED(sconf, event) if(sconf->qsevents) qs_inc_eventcounter(sconf->act->ppool, event, 1)
+static int m_knownEvents[] = { 10, 11, 12, 13, 21, 23, 25, 30, 31, 34, 35, 36, 37, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 60, 61, 62, 65, 66, 67, 68, 69, 101, 147, 0 };
+
+/* simple header rules allowing "the usual" header formats only (even drop requests using
+ extensions which are used rarely) */
+/* reserved (to be escaped): {}[]()^$.|*+?\ */
+static const qos_her_t qs_header_rules[] = {
+#define QS_URL_UNRESERVED "a-zA-Z0-9._~% -"
+#define QS_URL_GEN ":/?#\\[\\]@"
+#define QS_URL_SUB "!$&'()*+,;="
+#define QS_URL "["QS_URL_GEN""QS_URL_SUB""QS_URL_UNRESERVED"]"
+#define QS_2616TOKEN "[\\x21\\x23-\\x27\\x2a-\\x2e0-9A-Z\\x5-\\x60a-z\\x7e]+"
+#define QS_B64_SP "[a-zA-Z0-9 +/$=:]"
+#define QS_PIPE "\\|"
+#define QS_WEAK "(W/)?"
+#define QS_H_ACCEPT "[a-zA-Z0-9_*+-]+/[a-zA-Z0-9_*+.-]+(;[ ]?[a-zA-Z0-9]+=[0-9]+)?[ ]?(;[ ]?[qv]=[a-z0-9.]+)?"
+#define QS_H_ACCEPT_C "[a-zA-Z0-9*-]+(;[ ]?q=[0-9.]+)?"
+#define QS_H_ACCEPT_E "[a-zA-Z0-9*-]+(;[ ]?q=[0-9.]+)?"
+#define QS_H_ACCEPT_L "[a-zA-Z*-]+[0-9]{0,3}(;[ ]?q=[0-9.]+)?"
+#define QS_H_CACHE "no-cache|no-store|max-age=[0-9]+|max-stale(=[0-9]+)?|min-fresh=[0-9]+|no-transform|only-if-chached"
+#define QS_H_CONTENT "[\"a-zA-Z0-9*/; =-]+"
+#define QS_H_COOKIE "["QS_URL_GEN""QS_URL_SUB"\""QS_URL_UNRESERVED"]"
+#define QS_H_EXPECT "[a-zA-Z0-9= ;.,-]"
+#define QS_H_PRAGMA "[a-zA-Z0-9= ;.,-]"
+#define QS_H_FROM "[a-zA-Z0-9=@;.,()-]"
+#define QS_H_HOST "[a-zA-Z0-9.-]+(:[0-9]+)?"
+#define QS_H_IFMATCH "[a-zA-Z0-9=@;.,*\"-]"
+#define QS_H_DATE "[a-zA-Z0-9 :,]"
+#define QS_H_TE "[a-zA-Z0-9*-]+(;[ ]?q=[0-9.]+)?"
+ { "Accept", "^("QS_H_ACCEPT"){1}([ ]?,[ ]?("QS_H_ACCEPT"))*$", QS_FLT_ACTION_DROP, 300 },
+ { "Accept-Charset", "^("QS_H_ACCEPT_C"){1}([ ]?,[ ]?("QS_H_ACCEPT_C"))*$", QS_FLT_ACTION_DROP, 300 },
+ { "Accept-Encoding", "^("QS_H_ACCEPT_E"){1}([ ]?,[ ]?("QS_H_ACCEPT_E"))*$", QS_FLT_ACTION_DROP, 500 },
+ { "Accept-Language", "^("QS_H_ACCEPT_L"){1}([ ]?,[ ]?("QS_H_ACCEPT_L"))*$", QS_FLT_ACTION_DROP, 200 },
+ { "Access-Control-Request-Method", "^[a-zA-Z]+$", QS_FLT_ACTION_DROP, 10 },
+ { "Access-Control-Request-Headers", "^([a-zA-Z0-9-]+){1}([ ]?,[ ]?([a-zA-Z0-9-]+))*$", QS_FLT_ACTION_DROP, 500 },
+ { "Authorization", "^"QS_B64_SP"+$", QS_FLT_ACTION_DROP, 4000 },
+ { "Cache-Control", "^("QS_H_CACHE"){1}([ ]?,[ ]?("QS_H_CACHE"))*$", QS_FLT_ACTION_DROP, 100 },
+ { "Connection", "^([teTE]+,[ ]?)?([a-zA-Z0-9-]+){1}([ ]?,[ ]?([teTE]+))?$", QS_FLT_ACTION_DROP, 100 },
+ { "Content-Encoding", "^[a-zA-Z0-9-]+(,[ ]*[a-zA-Z0-9-]+)*$", QS_FLT_ACTION_DENY, 100 },
+ { "Content-Language", "^([0-9a-zA-Z]{0,8}(-[0-9a-zA-Z]{0,8})*)(,[ ]*([0-9a-zA-Z]{0,8}(-[0-9a-zA-Z]{0,8})*))*$", QS_FLT_ACTION_DROP, 100 },
+ { "Content-Length", "^[0-9]+$", QS_FLT_ACTION_DENY, 10 },
+ { "Content-Location", "^"QS_URL"+$", QS_FLT_ACTION_DENY, 200 },
+ { "Content-md5", "^"QS_B64_SP"+$", QS_FLT_ACTION_DENY, 50 },
+ { "Content-Range", "^(bytes[ ]+([0-9]+-[0-9]+)/([0-9]+|\\*))$", QS_FLT_ACTION_DENY, 50 },
+ { "Content-Type", "^("QS_H_CONTENT"){1}([ ]?,[ ]?("QS_H_CONTENT"))*$", QS_FLT_ACTION_DENY, 200 },
+ { "Cookie", "^"QS_H_COOKIE"+$", QS_FLT_ACTION_DROP, 3000 },
+ { "Cookie2", "^"QS_H_COOKIE"+$", QS_FLT_ACTION_DROP, 3000 },
+ { "DNT", "^[0-9]+$", QS_FLT_ACTION_DROP, 3 },
+ { "Expect", "^"QS_H_EXPECT"+$", QS_FLT_ACTION_DROP, 200 },
+ { "From", "^"QS_H_FROM"+$", QS_FLT_ACTION_DROP, 100 },
+ { "Host", "^"QS_H_HOST"$", QS_FLT_ACTION_DROP, 100 },
+ { "If-Invalid", "^[a-zA-Z0-9_.:;() /+!-]+$", QS_FLT_ACTION_DROP, 500 },
+ { "If-Match", "^"QS_WEAK""QS_H_IFMATCH"+$", QS_FLT_ACTION_DROP, 100 },
+ { "If-Modified-Since", "^"QS_H_DATE"+$", QS_FLT_ACTION_DROP, 100 },
+ { "If-None-Match", "^"QS_WEAK""QS_H_IFMATCH"+$", QS_FLT_ACTION_DROP, 100 },
+ { "If-Range", "^"QS_H_IFMATCH"+$", QS_FLT_ACTION_DROP, 100 },
+ { "If-Unmodified-Since", "^"QS_H_DATE"+$", QS_FLT_ACTION_DROP, 100 },
+ { "If-Valid", "^[a-zA-Z0-9_.:;() /+!-]+$", QS_FLT_ACTION_DROP, 500 },
+ { "Keep-Alive", "^[0-9]+$", QS_FLT_ACTION_DROP, 20 },
+ { "Max-Forwards", "^[0-9]+$", QS_FLT_ACTION_DROP, 20 },
+ { "Origin", "^"QS_URL"+$", QS_FLT_ACTION_DROP, 2000 },
+ { "Proxy-Authorization", "^"QS_B64_SP"+$", QS_FLT_ACTION_DROP, 400 },
+ { "Pragma", "^"QS_H_PRAGMA"+$", QS_FLT_ACTION_DROP, 200 },
+ { "Range", "^[a-zA-Z0-9=_.:;() /+!-]+$", QS_FLT_ACTION_DROP, 200 },
+ { "Referer", "^"QS_URL"+$", QS_FLT_ACTION_DROP, 2000 },
+ { "TE", "^("QS_H_TE"){1}([ ]?,[ ]?("QS_H_TE"))*$", QS_FLT_ACTION_DROP, 100 },
+ { "Transfer-Encoding", "^(chunked|Chunked|compress|Compress|deflate|Deflate|gzip|Gzip|identity|Identity)([ ]?,[ ]?(chunked|Chunked|compress|Compress|deflate|Deflate|gzip|Gzip|identity|Identity))*$", QS_FLT_ACTION_DENY, 100 },
+ { "Unless-Modified-Since", "^"QS_H_DATE"+$", QS_FLT_ACTION_DROP, 100 },
+ { "User-Agent", "^[a-zA-Z0-9]+[a-zA-Z0-9_.:;()\\[\\]@ /+!=,-]+$", QS_FLT_ACTION_DROP, 300 },
+ { "Upgrade-Insecure-Requests", "^1$", QS_FLT_ACTION_DROP, 1 },
+ { "Via", "^[a-zA-Z0-9_.:;() /+!-]+$", QS_FLT_ACTION_DROP, 100 },
+ { "X-Forwarded-For", "^[a-zA-Z0-9_.:-]+(, [a-zA-Z0-9_.:-]+)*$", QS_FLT_ACTION_DROP, 100 },
+ { "X-Forwarded-Host", "^[a-zA-Z0-9_.:-]+$", QS_FLT_ACTION_DROP, 100 },
+ { "X-Forwarded-Server", "^[a-zA-Z0-9_.:-]+$", QS_FLT_ACTION_DROP, 100 },
+ { "X-lori-time-1", "^[0-9]+$", QS_FLT_ACTION_DROP, 20 },
+ { "X-Do-Not-Track", "^[0-9]+$", QS_FLT_ACTION_DROP, 20 },
+ { NULL, NULL, 0, 0 }
+};
+
+/* list of allowed standard response headers */
+static const qos_her_t qs_res_header_rules[] = {
+ { "Age", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Accept-Ranges", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Access-Control-Allow-Origin", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Access-Control-Allow-Methods", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Access-Control-Allow-Headers", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Access-Control-Max-Age", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Access-Control-Allow-Credentials", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Access-Control-Expose-Headers", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Allow", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Cache-Control", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Content-Disposition", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Content-Encoding", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Content-Language", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Content-Length", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Content-Location", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Content-MD5", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Content-Range", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Content-Security-Policy", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 8000 },
+ { "Content-Type", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Connection", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Date", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "ETag", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Expect", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Expires", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Keep-Alive", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Last-Modified", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Location", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Proxy-Authenticate", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Public-Key-Pins", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Public-Key-Pins-Report-Only", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Retry-After", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Pragma", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Server", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Set-Cookie", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Set-Cookie2", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Strict-Transport-Security", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "Vary", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "WWW-Authenticate", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "X-Content-Security-Policy", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 8000 },
+ { "X-Content-Type-Options", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "X-Frame-Options", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { "X-XSS-Protection", "^[\\x20-\\xFF]*$", QS_FLT_ACTION_DROP, 4000 },
+ { NULL, NULL, 0, 0 }
+};
+
+/************************************************************************
+ * private functions
+ ***********************************************************************/
+
+static int qos_regexec_len(apr_pool_t *pool, const ap_regex_t *preg,
+ const char *buff, apr_size_t len) {
+#if (AP_SERVER_MINORVERSION_NUMBER < 4) && defined QS_INTERNAL_TEST
+ // Apache 2.2 is no longer supported (test only)
+ char *data = apr_palloc(pool, len + 1);
+ memcpy(data, buff, len);
+ data[len] = '\0';
+ return ap_regexec(preg, data, 0, NULL, 0); // won't work for null chars!
+#else
+ return ap_regexec_len(preg, buff, len, 0, NULL, 0);
+#endif
+}
+
+/**
+ * Converts an ip long array back to a string representation
+ *
+ * @param pool
+ * @param src Array of two unsigned long
+ * @return String or null for an invalid address
+ */
+static char *qos_ip_long2str(apr_pool_t *pool, const void *src) {
+ char *dst = apr_pcalloc(pool, INET6_ADDRSTRLEN);
+ char *ret = (char *)inet_ntop(AF_INET6, src, dst, INET6_ADDRSTRLEN);
+ if(ret) {
+ if((strncmp(ret, QS_IP4IN6, 7) == 0) &&
+ strchr(ret, '.')) {
+ ret = &ret[7];
+ }
+ }
+ return ret;
+}
+
+/**
+ * Converts an ip string to long array (128 bit) representation
+ *
+ * @param src String representation, e.g. 139.12.33.1 or 1::8
+ * @param dst Pointer to array of unsigned long (2) (contains "{ 0, 0 }" on error)
+ * @return 1 on success, 0 on error
+ */
+static int qos_ip_str2long(const char *src, apr_uint64_t *dst) {
+ char str[INET6_ADDRSTRLEN];
+ const char *convert = src;
+ apr_uint64_t *n = dst;
+ n[0] = 0;
+ n[1] = 0;
+ if(convert == NULL) {
+ return 0;
+ }
+ if((strchr(convert, ':') == NULL) &&
+ (strlen(convert) <= 15)) {
+ // looks like an IPv4 address
+ sprintf(str, QS_IP4IN6"%s", src);
+ convert = str;
+ }
+ return inet_pton(AF_INET6, convert, dst);
+}
+
+static int qos_encode64_binary(char *encoded, const char *string, int len) {
+ int i;
+ char *p;
+
+ p = encoded;
+ for (i = 0; i < len - 2; i += 3) {
+ *p++ = qos_basis_64[(string[i] >> 2) & 0x3F];
+ *p++ = qos_basis_64[((string[i] & 0x3) << 4) |
+ ((int) (string[i + 1] & 0xF0) >> 4)];
+ *p++ = qos_basis_64[((string[i + 1] & 0xF) << 2) |
+ ((int) (string[i + 2] & 0xC0) >> 6)];
+ *p++ = qos_basis_64[string[i + 2] & 0x3F];
+ }
+ if (i < len) {
+ *p++ = qos_basis_64[(string[i] >> 2) & 0x3F];
+ if (i == (len - 1)) {
+ *p++ = qos_basis_64[((string[i] & 0x3) << 4)];
+ *p++ = '=';
+ }
+ else {
+ *p++ = qos_basis_64[((string[i] & 0x3) << 4) |
+ ((int) (string[i + 1] & 0xF0) >> 4)];
+ *p++ = qos_basis_64[((string[i + 1] & 0xF) << 2)];
+ }
+ *p++ = '=';
+ }
+
+ *p++ = '\0';
+ return (int)(p - encoded);
+}
+
+/**
+ * loads the default header rules into the server configuration (see rules
+ * above).
+ * @param pool To allocate memory
+ * @param outHdrFltTable Table to add rules to
+ * @param hdrFltRuleDefArray built-in header rules
+ * @return error message (NULL on success)
+ */
+static char *qos_load_headerfilter(apr_pool_t *pool, apr_table_t *outHdrFltTable,
+ const qos_her_t *hdrFltRuleDefArray) {
+ const qos_her_t* hdrFltRuleDefEntry;
+ for(hdrFltRuleDefEntry = hdrFltRuleDefArray; hdrFltRuleDefEntry->name != NULL ; ++hdrFltRuleDefEntry) {
+ qos_fhlt_r_t *hdrFltElement = apr_pcalloc(pool, sizeof(qos_fhlt_r_t));
+ hdrFltElement->text = apr_pstrdup(pool, hdrFltRuleDefEntry->pattern);
+ hdrFltElement->preg = ap_pregcomp(pool, hdrFltRuleDefEntry->pattern, AP_REG_DOTALL);
+ hdrFltElement->action = hdrFltRuleDefEntry->action;
+ hdrFltElement->size = hdrFltRuleDefEntry->size;
+ if(hdrFltElement->preg == NULL) {
+ return apr_psprintf(pool, "could not compile regular expression '%s' for %s header",
+ hdrFltElement->text, hdrFltRuleDefEntry->name);
+ }
+ apr_table_setn(outHdrFltTable, hdrFltRuleDefEntry->name, (char *)hdrFltElement);
+ }
+ return NULL;
+}
+
+/**
+ * Returns string representation of filter type (for logging purposes)
+ * @param pool To allocate string
+ * @param type Rule type
+ * @return Name of the directive used to configure the rule
+ */
+static char *qos_rfilter_type2text(apr_pool_t *pool, qs_rfilter_type_e type) {
+ if(type == QS_DENY_REQUEST_LINE) return apr_pstrdup(pool, "QS_DenyRequestLine");
+ if(type == QS_DENY_PATH) return apr_pstrdup(pool, "QS_DenyPath");
+ if(type == QS_DENY_QUERY) return apr_pstrdup(pool, "QS_DenyQuery");
+ if(type == QS_DENY_EVENT) return apr_pstrdup(pool, "QS_DenyEvent");
+ if(type == QS_PERMIT_URI) return apr_pstrdup(pool, "QS_PermitUri");
+ return apr_pstrdup(pool, "UNKNOWN");
+}
+
+/**
+ * Sets unique apache instance id (hopefully) to the global m_hostcore variable
+ * @param ptemp Pool to allocate memory from
+ * @param s Base server record
+ */
+static void qos_hostcode(apr_pool_t *ptemp, server_rec *s) {
+ char *key = apr_psprintf(ptemp, "%s%s%s%d%s"
+#ifdef ap_http_scheme
+/* Apache 2.2 */
+ "%s"
+#endif
+ "%s",
+ s->defn_name ? s->defn_name : "",
+ s->server_admin ? s->server_admin : "",
+ s->server_hostname ? s->server_hostname : "",
+ s->addrs ? s->addrs->host_port : 0,
+ s->path ? s->path : "",
+ s->error_fname ? s->error_fname : ""
+#ifdef ap_http_scheme
+/* Apache 2.2 */
+ ,s->server_scheme ? s->server_scheme : ""
+#endif
+ );
+ int len = strlen(key);
+ int i;
+ char *p;
+ for(p = key, i = len; i; i--, p++) {
+ m_hostcode = m_hostcode * 33 + *p;
+ }
+}
+
+/**
+ * temp file name for the main/virtual serve
+ * @param pool Pool to allocate the file name from
+ * @param s Server record
+ * @return absolute file name
+ */
+static char *qos_tmpnam(apr_pool_t *pool, server_rec *s) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(s->module_config,
+ &qos_module);
+ const char *path = NULL;
+ char *ret;
+ char *file;
+ if(apr_temp_dir_get(&path, pool) != APR_SUCCESS) {
+ path = apr_pstrdup(pool, "/var/tmp");
+ }
+ if(sconf && sconf->mfile) {
+ path = sconf->mfile;
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ QOS_LOGD_PFX"temporary directory for semaphores/shared memory: %s"
+ " (use QS_SemMemFile to override it).", path);
+ if(s) {
+ unsigned int scode = 0;
+ char *key = apr_psprintf(pool, "%u%s.%s.%d",
+ m_hostcode,
+ s->is_virtual ? "v" : "b",
+ s->server_hostname == NULL ? "-" : s->server_hostname,
+ s->addrs == NULL ? 0 : s->addrs->host_port);
+ int len = strlen(key);
+ int i;
+ char *p;
+ for(p = key, i = len; i; i--, p++) {
+ scode = scode * 33 + *p;
+ }
+ file = apr_psprintf(pool, "%u", scode);
+ } else {
+ file = apr_psprintf(pool, "%u", m_hostcode);
+ }
+ file[0] += 25; /* non numeric */
+ apr_filepath_merge(&ret, path, file, APR_FILEPATH_NATIVE, pool);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ QOS_LOGD_PFX"temporary file: %s", ret);
+ return ret;
+}
+
+/**
+ * QS_LimitRequestBody settings. Environment variable (dynamic) has higher prio than
+ * configuration (static) value.
+ * @param r
+ * @param sconf
+ * @param dconf
+ */
+static apr_off_t qos_maxpost(request_rec *r, qos_srv_config *sconf,
+ qos_dir_config *dconf) {
+ if(r->subprocess_env) {
+ const char *bytes = apr_table_get(r->subprocess_env, "QS_LimitRequestBody");
+ if(bytes) {
+ apr_off_t s;
+#ifdef ap_http_scheme
+ /* Apache 2.2 */
+ char *errp = NULL;
+ if(APR_SUCCESS == apr_strtoff(&s, bytes, &errp, 10)) {
+ return s;
+ }
+#else
+ if((s = apr_atoi64(bytes)) >= 0) {
+ return s;
+ }
+#endif
+ }
+ }
+ if(dconf->maxpost != -1) {
+ return dconf->maxpost;
+ }
+ return sconf->maxpost;
+}
+
+
+/**
+ * Similar to strstr but restricting the length of s1 (supports strings which
+ * are not NULL terminated).
+ *
+ * @param s1 String to search in
+ * @param s2 Pattern to ind
+ * @param len Length of s1
+ * @return pointer to the beginning of the substring s2 within s1, or NULL
+ * if the substring is not found
+ */
+static char *qos_strnstr(const char *s1, const char *s2, int len) {
+ const char *e1 = &s1[len-1];
+ char *p1, *p2;
+ if (*s2 == '\0') {
+ /* an empty s2 */
+ return((char *)s1);
+ }
+ while(1) {
+ for ( ; (*s1 != '\0') && (s1 <= e1) && (apr_tolower(*s1) != apr_tolower(*s2)); s1++);
+ if (*s1 == '\0' || s1 > e1) {
+ return(NULL);
+ }
+ /* found first character of s2, see if the rest matches */
+ p1 = (char *)s1;
+ p2 = (char *)s2;
+ for (++p1, ++p2; (apr_tolower(*p1) == apr_tolower(*p2)) && (p1 <= e1); ++p1, ++p2) {
+ if((p1 > e1) && (*p2 != '\0')) {
+ // reached the end without match
+ return NULL;
+ }
+ if (*p2 == '\0') {
+ /* both strings ended together */
+ return((char *)s1);
+ }
+ }
+ if (*p2 == '\0') {
+ /* second string ended, a match */
+ break;
+ }
+ /* didn't find a match here, try starting at next character in s1 */
+ s1++;
+ }
+ return((char *)s1);
+}
+
+/**
+ * Determines, if the client IP shall be excluded from rule enforcement
+ *
+ * @param connection Connection to get the IP
+ * @param exclude_ip Table containing the rules
+ * @return 1 on match otherwise 0
+ */
+static int qos_is_excluded_ip(conn_rec *connection, apr_table_t *exclude_ip) {
+ conn_rec *c = connection;
+ if(apr_table_elts(exclude_ip)->nelts > 0) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(exclude_ip)->elts;
+ for(i = 0; i < apr_table_elts(exclude_ip)->nelts; i++) {
+ if(entry[i].val[0] == 'r') {
+ if(strncmp(entry[i].key, QS_CONN_REMOTEIP(c), strlen(entry[i].key)) == 0) {
+ return 1;
+ }
+ } else {
+ if(strcmp(entry[i].key, QS_CONN_REMOTEIP(c)) == 0) {
+ return 1;
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+/**
+ * Comperator (ip search) for the client ip store qos_cc_*()
+ * functions (used by bsearch/qsort)
+ */
+static int qos_cc_comp(const void *_pA, const void *_pB) {
+ qos_s_entry_t *pA=*(( qos_s_entry_t **)_pA);
+ qos_s_entry_t *pB=*(( qos_s_entry_t **)_pB);
+ if(pA->ip6[0] > pB->ip6[0]) return 2;
+ if(pA->ip6[0] < pB->ip6[0]) return -2;
+ if(pA->ip6[1] > pB->ip6[1]) return 1;
+ if(pA->ip6[1] < pB->ip6[1]) return -1;
+ return 0;
+}
+
+static int qos_cc_compv4(const void *_pA, const void *_pB) {
+ qos_s_entry_t *pA=*(( qos_s_entry_t **)_pA);
+ qos_s_entry_t *pB=*(( qos_s_entry_t **)_pB);
+ if(pA->ip6[1] > pB->ip6[1]) return 1;
+ if(pA->ip6[1] < pB->ip6[1]) return -1;
+ return 0;
+}
+
+/**
+ * Comperator (time search) for the client ip store qos_cc_*()
+ * functions (used by bsearch/qsort)
+ */
+static int qos_cc_comp_time(const void *_pA, const void *_pB) {
+ qos_s_entry_t *pA=*(( qos_s_entry_t **)_pA);
+ qos_s_entry_t *pB=*(( qos_s_entry_t **)_pB);
+ if(pA->time > pB->time) return 1;
+ if(pA->time < pB->time) return -1;
+ return 0;
+}
+
+/**
+ * creates new per client store
+ * @param pool Persistent process pool
+ * @param srec Server rec for sem/mutex
+ * @param size Number of entries
+ * @param limitTable Table of "QS_Limit" events
+ * @return pointer to the per client data array
+ */
+static qos_s_t *qos_cc_new(apr_pool_t *pool, server_rec *srec, int size,
+ apr_table_t *limitTable) {
+ char *file = "-";
+ apr_shm_t *clientMem; // per client memory table
+ apr_shm_t *limitMem; // "limit" memory table
+ apr_status_t res;
+ int limitTableSize = apr_table_elts(limitTable)->nelts;
+ int limitMemSize = 0;
+ int clientMemSize = APR_ALIGN_DEFAULT(sizeof(qos_s_t)) +
+ (APR_ALIGN_DEFAULT(sizeof(qos_s_entry_t)) * size) +
+ (2 * APR_ALIGN_DEFAULT(sizeof(qos_s_entry_t *)) * size);
+ int i;
+ qos_s_t *clientDataArray;
+ qos_s_entry_t *clientDataEntry;
+ qos_s_entry_limit_t *limitTableEntry = NULL;
+ clientMemSize = clientMemSize + 1024;
+ if(limitTableSize > 0) {
+ limitMemSize = APR_ALIGN_DEFAULT(sizeof(qos_s_entry_limit_t)) * limitTableSize * size;
+ limitMemSize = limitMemSize + 1024;
+ }
+ /* use anonymous shm by default */
+ if(limitTableSize > 0) {
+ apr_shm_create(&limitMem, limitMemSize, NULL, pool);
+ }
+ res = apr_shm_create(&clientMem, clientMemSize, NULL, pool);
+ if(APR_STATUS_IS_ENOTIMPL(res)) {
+ char *lfile = apr_psprintf(pool, "%s_cc_ml.mod_qos",
+ qos_tmpnam(pool, srec));
+ file = apr_psprintf(pool, "%s_cc_m.mod_qos",
+ qos_tmpnam(pool, srec));
+#ifdef ap_http_scheme
+ /* Apache 2.2 */
+ if(limitTableSize > 0) {
+ apr_shm_remove(lfile, pool);
+ }
+ apr_shm_remove(file, pool);
+#endif
+ if(limitTableSize > 0) {
+ apr_shm_create(&limitMem, limitMemSize, lfile, pool);
+ }
+ res = apr_shm_create(&clientMem, clientMemSize, file, pool);
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, srec,
+ QOS_LOGD_PFX"create shared memory (client control)(%s): %d bytes",
+ file, clientMemSize + limitMemSize);
+ if(res != APR_SUCCESS) {
+ char buf[MAX_STRING_LEN];
+ apr_strerror(res, buf, sizeof(buf));
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, srec,
+ QOS_LOG_PFX(002)"failed to create shared memory (client control)(%s): "
+ "%s (%d bytes)",
+ file, buf, clientMemSize);
+ return NULL;
+ }
+ clientDataArray = apr_shm_baseaddr_get(clientMem);
+ clientDataArray->m = clientMem;
+ clientDataArray->generation_locked = -1;
+ if(limitTableSize > 0) {
+ apr_table_entry_t *te = (apr_table_entry_t *)apr_table_elts(limitTable)->elts;
+ limitTableEntry = apr_shm_baseaddr_get(limitMem);
+ clientDataArray->limitTable = apr_table_make(pool, limitTableSize+10);
+ for(i = 0; i < limitTableSize; i++) {
+ char *eventName = apr_pstrdup(pool, te[i].key);
+ qos_s_entry_limit_conf_t *eventLimitConf = apr_pcalloc(pool, sizeof(qos_s_entry_limit_conf_t));
+ qos_s_entry_limit_conf_t *src = (qos_s_entry_limit_conf_t*)te[i].val;
+ eventLimitConf->limit = src->limit;
+ eventLimitConf->limitTime = src->limitTime;
+ eventLimitConf->eventClearStr = apr_pstrcat(pool, eventName, QS_LIMIT_CLEAR, NULL);
+ eventLimitConf->eventDecStr = apr_pstrcat(pool, eventName, QS_LIMIT_DEC, NULL);
+ eventLimitConf->condStr = NULL;
+ eventLimitConf->preg = NULL;
+ if(src->condStr) {
+ eventLimitConf->condStr = apr_pstrdup(pool, src->condStr);
+ eventLimitConf->preg = ap_pregcomp(pool, src->condStr, AP_REG_EXTENDED);
+ }
+ apr_table_addn(clientDataArray->limitTable, eventName, (char *)eventLimitConf);
+ }
+ } else {
+ clientDataArray->limitTable = NULL;
+ }
+ clientDataArray->lock_file = apr_psprintf(pool, "%s_ccl.mod_qos",
+ qos_tmpnam(pool, srec));
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, srec,
+ QOS_LOGD_PFX"create mutex (client control)(%s)",
+ clientDataArray->lock_file);
+ res = apr_global_mutex_create(&clientDataArray->lock, clientDataArray->lock_file, APR_LOCK_DEFAULT, pool);
+ if(res != APR_SUCCESS) {
+ char buf[MAX_STRING_LEN];
+ apr_strerror(res, buf, sizeof(buf));
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, srec,
+ QOS_LOG_PFX(004)"failed to create mutex (client control)(%s): %s",
+ clientDataArray->lock_file, buf);
+ apr_shm_destroy(clientDataArray->m);
+ return NULL;
+ }
+#ifdef AP_NEED_SET_MUTEX_PERMS
+ qos_unixd_set_global_mutex_perms(clientDataArray->lock);
+#endif
+ clientDataEntry = (qos_s_entry_t *)&clientDataArray[1];
+ clientDataArray->ipd = (qos_s_entry_t **)&clientDataEntry[size];
+ clientDataArray->timed = (qos_s_entry_t **)&clientDataArray->ipd[size];
+ clientDataArray->num = 0;
+ clientDataArray->max = size;
+ clientDataArray->msize = clientMemSize;
+ clientDataArray->connections = 0;
+ clientDataArray->html = 0;
+ clientDataArray->cssjs = 0;
+ clientDataArray->img = 0;
+ clientDataArray->other = 0;
+ clientDataArray->notmodified = 0;
+ for(i = 0; i < size; i++) {
+ clientDataArray->ipd[i] = clientDataEntry;
+ clientDataArray->timed[i] = clientDataEntry;
+ if(limitTableSize > 0) {
+ clientDataEntry->limit = limitTableEntry;
+ limitTableEntry += limitTableSize;
+ } else {
+ clientDataEntry->limit = NULL;
+ }
+ clientDataEntry++;
+ }
+ clientDataArray->t = time(NULL);
+ for(i = 0; i < QOS_LOG_MSGCT; i++) {
+ clientDataArray->eventTotal[i] = 0;
+ clientDataArray->eventLast[i] = 0;
+ }
+ return clientDataArray;
+}
+
+/**
+ * Destroys the client data store
+ */
+static void qos_cc_free(qos_s_t *s) {
+ /*
+ We don't need to destroy locks or shared memory
+ manually as apr_global_mutex_create() and
+ apr_shm_create() register the cleanup methods
+ themself to the pool we used when allocating the
+ locks/memory.
+ if(s->lock) {
+ apr_global_mutex_destroy(s->lock);
+ }
+ if(s->m) {
+ apr_shm_destroy(s->m);
+ }
+ if(s->lm) {
+ apr_shm_destroy(s->lm);
+ }
+ */
+}
+
+/**
+ * searches an entry
+ * @param s Client store (locked)
+ * @param pA IP to search
+ * @param now Current time (update access to the entry)
+ * @return client entry or NULL if not available
+ */
+static qos_s_entry_t **qos_cc_get0(qos_s_t *s, qos_s_entry_t *pA, time_t now) {
+ qos_s_entry_t **pB;
+ unsigned char *b = (void *)&pA->ip6[1];
+ int mod = b[7] % m_qos_cc_partition;
+ int max = (s->max / m_qos_cc_partition);
+ int start = mod * max;
+ if(m_ip_type == QS_IP_V4) {
+ pB = bsearch((const void *)&pA, (const void *)&s->ipd[start],
+ max, sizeof(qos_s_entry_t *), qos_cc_compv4);
+ } else {
+ pB = bsearch((const void *)&pA, (const void *)&s->ipd[start],
+ max, sizeof(qos_s_entry_t *), qos_cc_comp);
+ }
+ if(pB) {
+ if(now != 0) {
+ s->t = now;
+ }
+ (*pB)->time = s->t;
+ }
+ return pB;
+}
+
+/**
+ * inserts a new entry to the client data store
+ * @param s Client store (locked)
+ * @param pA IP to insert
+ * @param now Current time (last access)
+ * @return inserted entry
+ */
+static qos_s_entry_t **qos_cc_set(qos_s_t *s, qos_s_entry_t *pA, time_t now) {
+ qos_s_entry_t **pB;
+ unsigned char *b = (void *)&pA->ip6[1];
+ int mod = b[7] % m_qos_cc_partition;
+ int max = (s->max / m_qos_cc_partition);
+ int start = mod * max;
+ s->t = now;
+ qsort(&s->timed[start], max, sizeof(qos_s_entry_t *), qos_cc_comp_time);
+ if(s->num < s->max) {
+ s->num++;
+ }
+ pB = &s->timed[start];
+ (*pB)->ip6[0] = pA->ip6[0];
+ (*pB)->ip6[1] = pA->ip6[1];
+ (*pB)->time = now;
+ if(m_ip_type == QS_IP_V4) {
+ qsort(&s->ipd[start], max, sizeof(qos_s_entry_t *), qos_cc_compv4);
+ } else {
+ qsort(&s->ipd[start], max, sizeof(qos_s_entry_t *), qos_cc_comp);
+ }
+
+ (*pB)->vip = 0;
+ (*pB)->lowrate = 0;
+ (*pB)->lowratestatus = 0;
+ (*pB)->block = 0;
+ (*pB)->blockMsg = 0;
+ (*pB)->blockTime = 0;
+ if(s->limitTable) {
+ int i;
+ for(i = 0; i < apr_table_elts(s->limitTable)->nelts; i++) {
+ (*pB)->limit[i].limit = 0;
+ (*pB)->limit[i].limitTime = 0;
+ }
+ }
+ (*pB)->interval = now;
+ (*pB)->req = 0;
+ (*pB)->req_per_sec = 0;
+ (*pB)->req_per_sec_block_rate = 0;
+ (*pB)->event_req = 0;
+ (*pB)->serialize = 0;
+ (*pB)->serializeQueue = 0;
+ (*pB)->html = 1;
+ (*pB)->cssjs = 1;
+ (*pB)->img = 1;
+ (*pB)->other = 1;
+ (*pB)->notmodified = 1;
+ (*pB)->events = 0;
+ return pB;
+}
+
+/**
+ * searches or inserts (if not available) an entry from/to the client data store
+ * @param s Client store (locked)
+ * @param pA IP to insert
+ * @param now Current time (last access)
+ * @return inserted entry
+ */
+static qos_s_entry_t **qos_cc_getOrSet(qos_s_t *s, qos_s_entry_t *pA, time_t now) {
+ qos_s_entry_t **clientEntry = clientEntry = qos_cc_get0(s, pA, now);
+ if(!clientEntry) {
+ clientEntry = qos_cc_set(s, pA, now != 0 ? now : time(NULL));
+ }
+ return clientEntry;
+}
+
+static int qos_isnum(const char *x) {
+ const char *p = x;
+ if(x == NULL || x[0] == 0) {
+ return 0;
+ }
+ while(p && p[0]) {
+ if(!apr_isdigit(p[0])) {
+ return 0;
+ }
+ p++;
+ }
+ return 1;
+}
+
+/* 000-255 */
+int qos_dec32c(const char *x) {
+ char buf[4];
+ strncpy(buf, x, 3);
+ buf[3] = '\0';
+ return atoi(buf);
+}
+
+int qos_dec22c(const char *x) {
+ char buf[4];
+ strncpy(buf, x, 2);
+ buf[2] = '\0';
+ return atoi(buf);
+}
+
+/**
+ * hex value for the char
+ * @param x
+ * @return hex value
+ */
+int qos_hex2c(const char *x) {
+ int i, ch;
+ ch = x[0];
+ if (isdigit(ch)) {
+ i = ch - '0';
+ }else if (isupper(ch)) {
+ i = ch - ('A' - 10);
+ } else {
+ i = ch - ('a' - 10);
+ }
+ i <<= 4;
+
+ ch = x[1];
+ if (isdigit(ch)) {
+ i += ch - '0';
+ } else if (isupper(ch)) {
+ i += ch - ('A' - 10);
+ } else {
+ i += ch - ('a' - 10);
+ }
+ return i;
+}
+
+#define QOS_ISHEX(x) (((x >= '0') && (x <= '9')) || \
+ ((x >= 'a') && (x <= 'f')) || \
+ ((x >= 'A') && (x <= 'F')))
+
+
+/**
+ * url unescaping (%xx, \xHH, '+')
+ * optional decoding:
+ * - uni: MS IIS unicode %uXXXX
+ * - ansi: ansi c esc (\n, \r, ...), not implemented
+ * - char: charset conv, not implemented
+ * - html: (amp/angelbr, &#xHH;, &#DDD;, &#DD;), not implemented ('&' is delimiter)
+ */
+static int qos_unescaping(char *x, int mode, int *error) {
+ /* start with standard url decoding*/
+ int i, j, ch;
+ if(x == 0) {
+ return 0;
+ }
+ if(x[0] == '\0') {
+ return 0;
+ }
+ for(i = 0, j = 0; x[i] != '\0'; i++, j++) {
+ ch = x[i];
+ if(ch == '%') {
+ if(QOS_ISHEX(x[i + 1]) && QOS_ISHEX(x[i + 2])) {
+ /* url %xx */
+ ch = qos_hex2c(&x[i + 1]);
+ i += 2;
+ } else if((mode & QOS_DEC_MODE_FLAGS_UNI) &&
+ ((x[i + 1] == 'u') || (x[i + 1] == 'U')) &&
+ QOS_ISHEX(x[i + 2]) &&
+ QOS_ISHEX(x[i + 3]) &&
+ QOS_ISHEX(x[i + 4]) &&
+ QOS_ISHEX(x[i + 5])) {
+ /* unicode %uXXXX */
+ ch = qos_hex2c(&x[i + 4]);
+ if((ch > 0x00) && (ch < 0x5f) &&
+ ((x[i + 2] == 'f') || (x[i + 2] == 'F')) &&
+ ((x[i + 3] == 'f') || (x[i + 3] == 'F'))) {
+ ch += 0x20;
+ }
+ i += 5;
+ } else {
+ (*error)++;
+ }
+ } else if((ch == '\\') &&
+ (mode & QOS_DEC_MODE_FLAGS_UNI) &&
+ ((x[i + 1] == 'u') || (x[i + 1] == 'U'))) {
+ if(QOS_ISHEX(x[i + 2]) &&
+ QOS_ISHEX(x[i + 3]) &&
+ QOS_ISHEX(x[i + 4]) &&
+ QOS_ISHEX(x[i + 5])) {
+ /* unicode \uXXXX */
+ ch = qos_hex2c(&x[i + 4]);
+ if((ch > 0x00) && (ch < 0x5f) &&
+ ((x[i + 2] == 'f') || (x[i + 2] == 'F')) &&
+ ((x[i + 3] == 'f') || (x[i + 3] == 'F'))) {
+ ch += 0x20;
+ }
+ i += 5;
+ } else {
+ (*error)++;
+ }
+ } else if(ch == '\\' && (x[i + 1] == 'x')) {
+ if(QOS_ISHEX(x[i + 2]) && QOS_ISHEX(x[i + 3])) {
+ /* url \xHH */
+ ch = qos_hex2c(&x[i + 2]);
+ i += 3;
+ } else {
+ (*error)++;
+ }
+ } else if(ch == '+') {
+ ch = ' ';
+ }
+ x[j] = ch;
+ }
+ x[j] = '\0';
+ return j;
+}
+
+/**
+ * returns the request id from mod_unique_id (if available)
+ */
+static const char *qos_unique_id(request_rec *r, const char *eid) {
+ const char *uid = apr_table_get(r->subprocess_env, "UNIQUE_ID");
+ if(eid) {
+ apr_table_set(r->notes, "error-notes", eid);
+ apr_table_set(r->subprocess_env, QS_ErrorNotes, eid);
+ }
+ if(uid == NULL) {
+ /* generate simple id if mod_unique_id has not been not loaded */
+ qos_unique_id_t id;
+ char *uidstr;
+ int len;
+
+ m_unique_id.unique_id_counter++;
+ id.request_time = r->request_time;
+ id.in_addr = m_unique_id.in_addr;
+#if APR_HAS_THREADS
+ id.tid = apr_os_thread_current();
+#endif
+ id.conn = r->connection->id;
+ id.unique_id_counter = m_unique_id.unique_id_counter;
+ uidstr = (char *)apr_pcalloc(r->pool, apr_base64_encode_len(sizeof(qos_unique_id_t)));
+ len = qos_encode64_binary(uidstr, (const char *)&id, sizeof(qos_unique_id_t));
+ uidstr[len-2] = (id.unique_id_counter%8)+50;
+ uid = uidstr;
+ apr_table_set(r->subprocess_env, "UNIQUE_ID", uid);
+ }
+ return uid;
+}
+
+static void qos_log_env(request_rec *r, const char *handler) {
+ char *msg = "";
+ int i;
+ apr_table_entry_t *e = (apr_table_entry_t *) apr_table_elts(r->subprocess_env)->elts;
+ for (i = 0; i < apr_table_elts(r->subprocess_env)->nelts; ++i) {
+ msg = apr_psprintf(r->pool, "%s=%s;%s", e[i].key, e[i].val, msg);
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, 0, r,
+ QOS_LOG_PFX(210)"ENV %s %s %s", handler, msg, qos_unique_id(r, NULL));
+ return;
+}
+
+static char *qos_ipv6_hash(request_rec *r, const char *var) {
+ char *md = ap_md5_binary(r->pool, (unsigned char *)var, strlen(var));
+ char *hash = apr_pcalloc(r->pool, 64);
+ char *d = hash;
+ int c = 0;
+ while(md[0]) {
+ d[0] = md[0];
+ d++;
+ c++;
+ md++;
+ if(c == 4 && md[0]) {
+ c=0;
+ d[0] = ':';
+ d++;
+ }
+ }
+ d[0] = '\0';
+ return hash;
+}
+
+static const char *qos_forwardedfor_fromHeader(request_rec *r, const char *header) {
+ const char *forwardedfor = apr_table_get(r->headers_in, header);
+ if(forwardedfor == NULL && r->prev) {
+ // internal redirect?
+ forwardedfor = apr_table_get(r->prev->headers_in, header);
+ }
+ if(forwardedfor == NULL && r->main) {
+ // internal redirect?
+ forwardedfor = apr_table_get(r->main->headers_in, header);
+ }
+ return forwardedfor;
+}
+
+static const char *qos_forwardedfor_fromSSL(request_rec *r) {
+ if(qos_ssl_var) {
+ const char *dn = qos_ssl_var(r->pool, r->server, r->connection, r, "SSL_CLIENT_S_DN");
+ const char *issuer = qos_ssl_var(r->pool, r->server, r->connection, r, "SSL_CLIENT_I_DN");
+ char *header = apr_pstrcat(r->pool, dn, issuer, NULL);
+ if(header && header[0]) {
+ return header;
+ }
+ }
+ return NULL;
+}
+
+static const char *qos_pseudoip(request_rec *r, const char *header) {
+ const char *forwardedfor = NULL;
+ if(strcmp("SSL_CLIENT_S_DN", header) == 0) {
+ forwardedfor = qos_forwardedfor_fromSSL(r);
+ } else {
+ forwardedfor = qos_forwardedfor_fromHeader(r, header);
+ }
+ if(forwardedfor && forwardedfor[0]) {
+ return qos_ipv6_hash(r, forwardedfor);
+ }
+ return NULL;
+}
+
+static const char *qos_forwardedfor(request_rec *r, const char *header) {
+ const char *forwardedfor = NULL;
+ if(header[0] == '#') {
+ forwardedfor = qos_pseudoip(r, &header[1]);
+ } else {
+ forwardedfor = qos_forwardedfor_fromHeader(r, header);
+ }
+ return forwardedfor;
+}
+
+/**
+ * Returns the client IP, either from the connection
+ * of from the forwarded-for header if configured
+ *
+ * @param r Request to get the IP from the header
+ * @param sconf
+ * @param cconf (if available) to get the real IP from
+ * @param caller Which caller of the method
+ * @param ip6 The client's IP address to be used (pointer to array of unsigned long (2))
+ * @return The client's IP address as a string (for logging)
+ */
+static const char *qos_get_clientIP(request_rec *r, qos_srv_config *sconf,
+ qs_conn_ctx *cconf, const char *caller,
+ apr_uint64_t *ip6) {
+ const char *forwardedForLogIP;
+ if(sconf->qos_cc_forwardedfor) {
+ const char *forwardedfor = qos_forwardedfor(r, sconf->qos_cc_forwardedfor);
+ if(forwardedfor) {
+ if(qos_ip_str2long(forwardedfor, ip6) == 0) {
+ if(apr_table_get(r->notes, "QOS_LOG_PFX069") == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(069)"no valid IP header found (@%s):"
+ " invalid header value '%s',"
+ " fallback to connection's IP %s, id=%s",
+ caller,
+ forwardedfor,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" :
+ QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "069"));
+ apr_table_set(r->notes, "QOS_LOG_PFX069", "log once");
+ QS_INC_EVENT(sconf, 69);
+ }
+ } else {
+ // done
+ return forwardedfor;
+ }
+ } else {
+ if(apr_table_get(r->notes, "QOS_LOG_PFX069") == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(069)"no valid IP header found (@%s):"
+ " header '%s' not available,"
+ " fallback to connection's IP %s, id=%s",
+ caller,
+ sconf->qos_cc_forwardedfor,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "069"));
+ apr_table_set(r->notes, "QOS_LOG_PFX069", "log once");
+ QS_INC_EVENT(sconf, 69);
+ }
+ }
+ }
+ // use the real IP
+ if(cconf) {
+ forwardedForLogIP = QS_CONN_REMOTEIP(cconf->mc);
+ // works for real connections only (no HTTP/2)
+ ip6[0] = cconf->ip6[0];
+ ip6[1] = cconf->ip6[1];
+ } else {
+ // HTTP/2
+ forwardedForLogIP = QS_CONN_REMOTEIP(r->connection);
+ qos_ip_str2long(forwardedForLogIP, ip6);
+ }
+ return forwardedForLogIP;
+}
+
+/**
+ * returns the version number of mod_qos
+ * @param p Pool to alloc version string from
+ * @return Version string
+ */
+static char *qos_revision(apr_pool_t *p) {
+ return apr_pstrdup(p, g_revision);
+}
+
+/**
+ * returns the request context
+ */
+static qs_req_ctx *qos_rctx_config_get(request_rec *r) {
+ qs_req_ctx *rctx = ap_get_module_config(r->request_config, &qos_module);
+ if(rctx == NULL) {
+ rctx = apr_pcalloc(r->pool, sizeof(qs_req_ctx));
+ rctx->entry = NULL;
+ rctx->entry_cond = NULL;
+ rctx->evmsg = NULL;
+ rctx->is_vip = 0;
+ rctx->event_entries = apr_table_make(r->pool, 1);
+ rctx->maxpostcount = 0;
+ rctx->cc_event_req_set = 0;
+ rctx->cc_event_ip[0] = 0;
+ rctx->cc_event_ip[1] = 0;
+ rctx->cc_serialize_set = 0;
+ rctx->cc_serialize_ip[0] = 0;
+ rctx->cc_serialize_ip[1] = 0;
+ rctx->srv_serialize_set = 0;
+ rctx->body_window = NULL;
+ rctx->response_delayed = 0;
+ ap_set_module_config(r->request_config, &qos_module, rctx);
+ }
+ return rctx;
+}
+
+/**
+ * Adds the defined mod_qos_ev id to the request context (creates
+ * the req ctx if necessary).
+ *
+ * @param r
+ * @param id ID to set, e.g. "L;" or "D;"
+ */
+static void qs_set_evmsg(request_rec *r, const char *id) {
+ qs_req_ctx *rctx = qos_rctx_config_get(r);
+ if(rctx->evmsg == NULL || (strstr(rctx->evmsg, id) == NULL)) {
+ rctx->evmsg = apr_pstrcat(r->pool, id, rctx->evmsg, NULL);
+ }
+}
+
+/**
+ * Encrypts and base64 encodes the provided buffer
+ * @param r
+ * @param sconf Secret to use (sconf->key)
+ * @param b Buffer to encrypt
+ * @param l Length of the buffer
+ * @return Encrypted string (or NULL on error)
+ */
+static char *qos_encrypt(request_rec *r, qos_srv_config *sconf,
+ const unsigned char *b, int l) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX cipher_ctx;
+ EVP_CIPHER_CTX *cipher_ctx_p = &cipher_ctx;
+ HMAC_CTX hmac;
+ HMAC_CTX *hmac_p = &hmac;
+#else
+ EVP_CIPHER_CTX *cipher_ctx_p;
+ HMAC_CTX *hmac_p;
+#endif
+ unsigned char hash[HMAC_MAX_MD_CBLOCK];
+ unsigned int hashLen = HMAC_MAX_MD_CBLOCK;
+ int buf_len = 0;
+ int len = 0;
+ unsigned char *buf = apr_pcalloc(r->pool, +
+ EVP_MAX_IV_LENGTH +
+ QOS_HASH_LEN +
+ l +
+ EVP_CIPHER_block_size(EVP_des_ede3_cbc()));
+
+#if APR_HAS_RANDOM
+ if(apr_generate_random_bytes(buf, EVP_MAX_IV_LENGTH) != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ QOS_LOG_PFX(080)"Can't generate random data, id=%s",
+ qos_unique_id(r, NULL));
+ }
+#else
+ if(!RAND_bytes(buf, EVP_MAX_IV_LENGTH)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ QOS_LOG_PFX(080)"Can't generate random data, id=%s",
+ qos_unique_id(r, NULL));
+ }
+#endif
+
+ /* checksum */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX_init(hmac_p);
+#else
+ hmac_p = HMAC_CTX_new();
+#endif
+#ifndef OPENSSL_NO_MD5
+ HMAC_Init_ex(hmac_p, sconf->rawKey, sconf->rawKeyLen, EVP_md5(), NULL);
+#else
+ HMAC_Init_ex(hmac_p, sconf->rawKey, sconf->rawKeyLen, EVP_sha256(), NULL);
+#endif
+ HMAC_Update(hmac_p, b, l);
+ HMAC_Final(hmac_p, hash, &hashLen);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX_cleanup(hmac_p);
+#else
+ HMAC_CTX_free(hmac_p);
+#endif
+
+ /* sym enc */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX_init(cipher_ctx_p);
+#else
+ cipher_ctx_p = EVP_CIPHER_CTX_new();
+#endif
+ EVP_EncryptInit(cipher_ctx_p, EVP_des_ede3_cbc(), sconf->key, (unsigned char *)buf);
+
+ // skip iv, enc(hash + data)
+ buf_len = EVP_MAX_IV_LENGTH;
+ if(!EVP_EncryptUpdate(cipher_ctx_p, &buf[buf_len], &len, hash, QOS_HASH_LEN)) {
+ goto failed;
+ }
+ buf_len+=len;
+ if(!EVP_EncryptUpdate(cipher_ctx_p, &buf[buf_len], &len, b, l)) {
+ goto failed;
+ }
+ buf_len+=len;
+ if(!EVP_EncryptFinal(cipher_ctx_p, &buf[buf_len], &len)) {
+ goto failed;
+ }
+ buf_len+=len;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX_cleanup(cipher_ctx_p);
+#else
+ EVP_CIPHER_CTX_free(cipher_ctx_p);
+#endif
+
+ /* b64 encode */
+ {
+ char *data = (char *)apr_pcalloc(r->pool, 1 + apr_base64_encode_len(buf_len));
+ len = apr_base64_encode(data, (const char *)buf, buf_len);
+ data[len] = '\0';
+ return data;
+ }
+
+ failed:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX_cleanup(cipher_ctx_p);
+#else
+ EVP_CIPHER_CTX_free(cipher_ctx_p);
+#endif
+ if(QS_ISDEBUG(r->server)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ QOS_LOGD_PFX"qos_encrypt() encryption operation failed, id=%s",
+ qos_unique_id(r, NULL));
+ }
+ return NULL;
+}
+
+/**
+ * Decryptes the base64 encoded string (see qos_encrypt()).
+ * @param r
+ * @param sconf To access the secret
+ * @param ret_buf Pointer to the decypted data (result), NULL if decyption fails
+ * @param value Base64 encded string to decrypt
+ * @return Length of the decypted data (0 if decyption failed)
+ */
+static int qos_decrypt(request_rec *r, qos_srv_config* sconf,
+ unsigned char **ret_buf, const char *value) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX cipher_ctx;
+ EVP_CIPHER_CTX *cipher_ctx_p = &cipher_ctx;
+#else
+ EVP_CIPHER_CTX *cipher_ctx_p;
+#endif
+
+ /* decode */
+ char *dec = (char *)apr_pcalloc(r->pool, 1 + apr_base64_decode_len(value));
+ int dec_len = apr_base64_decode(dec, value);
+ *ret_buf = NULL;
+
+ if(dec_len < (EVP_MAX_IV_LENGTH + QOS_HASH_LEN)) {
+ if(QS_ISDEBUG(r->server)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ QOS_LOGD_PFX"qos_decrypt() base64 decoding failed, id=%s",
+ qos_unique_id(r, NULL));
+ }
+ return 0;
+ } else {
+ /* decrypt */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX hmac;
+ HMAC_CTX *hmac_p = &hmac;
+#else
+ HMAC_CTX *hmac_p;
+#endif
+ unsigned char hash[HMAC_MAX_MD_CBLOCK];
+ unsigned int hashLen = HMAC_MAX_MD_CBLOCK;
+ int len = 0;
+ int buf_len = 0;
+ unsigned char *buf;
+ dec_len -= EVP_MAX_IV_LENGTH;
+ buf = apr_pcalloc(r->pool, dec_len);
+
+ /* sym dec */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX_init(cipher_ctx_p);
+#else
+ cipher_ctx_p = EVP_CIPHER_CTX_new();
+#endif
+ EVP_DecryptInit(cipher_ctx_p, EVP_des_ede3_cbc(), sconf->key, (unsigned char *)dec);
+ if(!EVP_DecryptUpdate(cipher_ctx_p, (unsigned char *)&buf[buf_len], &len,
+ (const unsigned char *)&dec[EVP_MAX_IV_LENGTH], dec_len)) {
+ goto failed;
+ }
+ buf_len+=len;
+ if(!EVP_DecryptFinal(cipher_ctx_p, (unsigned char *)&buf[buf_len], &len)) {
+ goto failed;
+ }
+ buf_len+=len;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX_cleanup(cipher_ctx_p);
+#else
+ EVP_CIPHER_CTX_free(cipher_ctx_p);
+#endif
+
+ // hash + data
+ if(buf_len < (QOS_HASH_LEN + 1)) {
+ if(QS_ISDEBUG(r->server)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ QOS_LOGD_PFX"qos_decrypt() misshing hash, id=%s",
+ qos_unique_id(r, NULL));
+ }
+ return 0;
+ }
+
+ /* checksum */
+ buf_len -= QOS_HASH_LEN;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX_init(hmac_p);
+#else
+ hmac_p = HMAC_CTX_new();
+#endif
+#ifndef OPENSSL_NO_MD5
+ HMAC_Init_ex(hmac_p, sconf->rawKey, sconf->rawKeyLen, EVP_md5(), NULL);
+#else
+ HMAC_Init_ex(hmac_p, sconf->rawKey, sconf->rawKeyLen, EVP_sha256(), NULL);
+#endif
+ HMAC_Update(hmac_p, &buf[QOS_HASH_LEN], buf_len);
+ HMAC_Final(hmac_p, hash, &hashLen);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX_cleanup(hmac_p);
+#else
+ HMAC_CTX_free(hmac_p);
+#endif
+ if(hashLen > QOS_HASH_LEN) {
+ // we don't keep more than 16 bytes
+ hashLen = QOS_HASH_LEN;
+ }
+ if(memcmp(hash, buf, hashLen) != 0) {
+ if(QS_ISDEBUG(r->server)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ QOS_LOGD_PFX"qos_decrypt() invalid hash, id=%s",
+ qos_unique_id(r, NULL));
+ }
+ return 0;
+ }
+
+ /* decrypted and valid */
+ *ret_buf = &buf[QOS_HASH_LEN];
+ return buf_len;
+ }
+
+ failed:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_CIPHER_CTX_cleanup(cipher_ctx_p);
+#else
+ EVP_CIPHER_CTX_free(cipher_ctx_p);
+#endif
+ if(QS_ISDEBUG(r->server)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ QOS_LOGD_PFX"qos_decrypt() decryption operation failed, id=%s",
+ qos_unique_id(r, NULL));
+ }
+ return 0;
+}
+
+/**
+ * Adds the user tracking cookie to r->headers_out if QOS_USER_TRACKING_NEW env variable
+ * has been set.
+ * @param r
+ * @param sconf
+ * @param status (302 or other)
+ */
+static void qos_send_user_tracking_cookie(request_rec *r, qos_srv_config* sconf,
+ int status) {
+ const char *new_user = apr_table_get(r->subprocess_env, QOS_USER_TRACKING_NEW);
+ if(new_user) {
+ char *setCookieVal;
+ apr_size_t retcode;
+ char timeString[MAX_STRING_LEN];
+ apr_time_exp_t timeEx;
+ int new_user_len = strlen(new_user);
+ int len = 2 + new_user_len;
+ unsigned char *value = apr_pcalloc(r->pool, len + 1);
+ char *encryptedVal;
+ char *domain = NULL;
+ apr_time_exp_gmt(&timeEx, r->request_time);
+ apr_strftime(timeString, &retcode, sizeof(timeString), "%m", &timeEx);
+#ifdef QS_INTERNAL_TEST
+ {
+ const char *m = apr_table_get(r->headers_in, "X-TEST-USER-TRACK-MONTH");
+ if(m) {
+ strcpy(timeString, m);
+ }
+ }
+#endif
+ memcpy(value, timeString, 2);
+ memcpy(&value[2], new_user, new_user_len);
+ value[len] = '\0';
+ encryptedVal = qos_encrypt(r, sconf, value, len + 1);
+ if(sconf->user_tracking_cookie_domain != NULL) {
+ domain = apr_pstrcat(r->pool, "; Domain=", sconf->user_tracking_cookie_domain, NULL);
+ }
+ /* set cookie valid for 300 days or for this session only */
+ setCookieVal = apr_psprintf(r->pool, "%s=%s; Path=/%s%s",
+ sconf->user_tracking_cookie, encryptedVal,
+ sconf->user_tracking_cookie_session < 1 ? "; Max-Age=25920000" : "",
+ domain != NULL ? domain : "");
+ if(status != HTTP_MOVED_TEMPORARILY) {
+ apr_table_add(r->headers_out, "Set-Cookie", setCookieVal);
+ } else {
+ apr_table_add(r->err_headers_out, "Set-Cookie", setCookieVal);
+ }
+ }
+ return;
+}
+
+/**
+ * Verifies and sets the user tracking cookie
+ * - QOS_USER_TRACKING if the cookie was available
+ * - QOS_USER_TRACKING_NEW if a new cookie needs to be set
+ * - QOS_USER_TRACKING_RENEW if the cookie shall be renewed
+ *
+ * syntax: b64(enc(<month><UNIQUE_ID>))
+ *
+ * shall be called after(!) mod_unique_id has created an id
+ *
+ * @param r
+ * @param sconf
+ * @param value Cookie received from the client, possibly null (see qos_get_remove_cookie())
+ */
+static void qos_get_create_user_tracking(request_rec *r, qos_srv_config* sconf,
+ const char *value) {
+ const char *uid = qos_unique_id(r, NULL);
+ const char *verified = NULL;
+ const char *newUID = NULL;
+ if(value != NULL) {
+ int buf_len = 0;
+ unsigned char *buf;
+ buf_len = qos_decrypt(r, sconf, &buf, value);
+ if(buf_len > 0) {
+ verified = (char *)buf;
+ }
+ }
+ if(verified == NULL) {
+ newUID = uid;
+ apr_table_set(r->subprocess_env, QOS_USER_TRACKING_NEW, newUID);
+ qs_set_evmsg(r, "u;");
+ } else if(strlen(verified) > 2) {
+ apr_size_t retcode;
+ char timeString[MAX_STRING_LEN];
+ apr_time_exp_t timeEx;
+ apr_time_exp_gmt(&timeEx, r->request_time);
+ apr_strftime(timeString, &retcode, sizeof(timeString), "%m", &timeEx);
+ if(strncmp(timeString, verified, 2) != 0) {
+ /* renew, if not from this month */
+ apr_table_set(r->subprocess_env, QOS_USER_TRACKING_NEW, &verified[2]);
+ apr_table_set(r->subprocess_env, QOS_USER_TRACKING_RENEW, "1");
+ }
+ newUID = &verified[2];
+ } else {
+ newUID = uid;
+ apr_table_set(r->subprocess_env, QOS_USER_TRACKING_NEW, newUID);
+ }
+ apr_table_set(r->subprocess_env, QOS_USER_TRACKING, newUID);
+ return;
+}
+
+/**
+ * Adds new milestone cookie to the response headers if QOS_MILESTONE_COOKIE
+ * has been set.
+ * See qos_verify_milestone() about the syntax.
+ */
+static void qos_update_milestone(request_rec *r, qos_srv_config* sconf) {
+ const char *new_ms = apr_table_get(r->subprocess_env, QOS_MILESTONE_COOKIE);
+ if(new_ms) {
+ apr_time_t now = apr_time_sec(r->request_time);
+ int new_ms_len = strlen(new_ms);
+ int len = sizeof(apr_time_t) + new_ms_len;
+ unsigned char *value = apr_pcalloc(r->pool, len + 1);
+ char *encryptedVal;
+
+ apr_table_unset(r->subprocess_env, QOS_MILESTONE_COOKIE);
+ memcpy(value, &now, sizeof(apr_time_t));
+ memcpy(&value[sizeof(apr_time_t)], new_ms, new_ms_len);
+ value[len] = '\0';
+ encryptedVal = qos_encrypt(r, sconf, value, len);
+ apr_table_add(r->headers_out, "Set-Cookie",
+ apr_psprintf(r->pool, "%s=%s; Path=/;",
+ QOS_MILESTONE_COOKIE, encryptedVal));
+ }
+ return;
+}
+
+/**
+ * Verifies the milestone. Evaluates rule and enforces it. Does also set the
+ * QOS_MILESTONE_COOKIE variable if a new milestone has been reached.
+ *
+ * milestone cookie syntax: b64(enc(<time><milestone>))
+ *
+ * @param r
+ * @param sconf
+ * @param value Cookie received from the client (contains the already reached milestones)
+ * @return APR_SUCCESS if request is allowed, otherwise HTTP_FORBIDDEN
+ */
+
+static int qos_verify_milestone(request_rec *r, qos_srv_config* sconf, const char *value) {
+ char *the_request;
+ int the_request_len;
+ int escerr = 0;
+ qos_milestone_t *milestone = NULL;
+ qos_milestone_t *entries;
+ int i;
+ int ms = -1; // milestone the user has reached
+ int required = -1; // required for this request
+ apr_time_t age = 0; // milestone's age
+
+ if(value != NULL) {
+ int buf_len = 0;
+ unsigned char *buf;
+ buf_len = qos_decrypt(r, sconf, &buf, value);
+ if(buf_len >= (sizeof(apr_time_t) + 1)) {
+ apr_time_t *t = (apr_time_t *)buf;
+ apr_time_t now = apr_time_sec(r->request_time);
+ age = now - *t;
+ if(now <= (*t + sconf->milestoneTimeout)) {
+ ms = atoi((char *)&buf[sizeof(apr_time_t)]);
+ }
+ }
+ }
+ the_request = apr_pstrdup(r->pool, r->the_request);
+ the_request_len = qos_unescaping(the_request, QOS_DEC_MODE_FLAGS_URL, &escerr);
+ entries = (qos_milestone_t *)sconf->milestones->elts;
+ for(i = 0; i < sconf->milestones->nelts; ++i) {
+ milestone = &entries[i];
+ if(qos_regexec_len(r->pool, milestone->preg, the_request, the_request_len) == 0) {
+ required = milestone->num;
+ break;
+ }
+ }
+ if(milestone && (required >= 0)) {
+ int severity = milestone->action == QS_DENY ? APLOG_ERR : APLOG_WARNING;
+ if(ms < (required - 1)) {
+ /* not allowed */
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|severity, 0, r,
+ QOS_LOG_PFX(047)"access denied, reached milestone '%d' (%s),"
+ " user has already passed '%s',"
+ " action=%s, c=%s, id=%s",
+ required, milestone->pattern,
+ ms == -1 ? "none" : apr_psprintf(r->pool, "%d", ms),
+ !sconf->log_only && milestone->action == QS_DENY ?
+ "deny" : "log only (pass milestone)",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "047"));
+ QS_INC_EVENT(sconf, 47);
+ if(milestone->action == QS_DENY) {
+ return HTTP_FORBIDDEN;
+ }
+ }
+ if(milestone->thinktime > 0) {
+ if(age < milestone->thinktime) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|severity, 0, r,
+ QOS_LOG_PFX(147)"access denied, reached milestone '%d' (%s),"
+ " earlier than expected (right after %"APR_TIME_T_FMT" instead of %d seconds),"
+ " action=%s, c=%s, id=%s",
+ required, milestone->pattern,
+ age, milestone->thinktime,
+ !sconf->log_only && milestone->action == QS_DENY ?
+ "deny" : "log only (pass milestone)",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "147"));
+ QS_INC_EVENT(sconf, 147);
+ if(milestone->action == QS_DENY) {
+ return HTTP_FORBIDDEN;
+ }
+ }
+ }
+ if(required > ms) {
+ /* update milestone */
+ apr_table_set(r->subprocess_env, QOS_MILESTONE_COOKIE, apr_psprintf(r->pool, "%d", required));
+ }
+ }
+ return APR_SUCCESS;
+}
+
+
+/**
+ * Extracts the cookie from the request.
+ * @param r
+ * @param cookieName Name of the cookie to remove from the request headers
+ * @param Cookie if available of NULL if not
+ */
+static char *qos_get_remove_cookie(request_rec *r, const char *cookieName) {
+ const char *cookieHdr = apr_table_get(r->headers_in, "cookie");
+ if(cookieHdr) {
+ char *cn = apr_pstrcat(r->pool, cookieName, "=", NULL);
+ char *pt = ap_strcasestr(cookieHdr, cn);
+ char *p = NULL;
+ while(pt && !p) {
+ // ensure we found the real cookie (and not an ending b64 str)
+ if(pt == cookieHdr) {
+ // @beginning of the header
+ p = pt;
+ pt = NULL;
+ } else {
+ char pre = pt[-1];
+ if(pre == ' ' ||
+ pre == ';') {
+ // @beginning of a cookie
+ p = pt;
+ pt = NULL;
+ } else {
+ // found patter somewhere else
+ pt++;
+ pt = ap_strcasestr(pt, cn);
+ }
+ }
+ }
+ if(p) {
+ char *sp = p;
+ char *value = NULL;
+ p[0] = '\0'; /* terminates the beginning of the cookie header */
+ sp--; /* deletes spaces "in front" of the qos cookie */
+ while((sp > cookieHdr) && (sp[0] == ' ')) {
+ sp[0] = '\0';
+ sp--;
+ }
+ p = &p[strlen(cn)];
+ value = ap_getword(r->pool, (const char **)&p, ';');
+ while(p && (p[0] == ' ')) p++;
+ /* skip a path, if there is any */
+ if(p && (strncasecmp(p, "$path=", strlen("$path=")) == 0)) {
+ ap_getword(r->pool, (const char **)&p, ';');
+ }
+ /* restore cookie header appending the part left*/
+ if(p && p[0]) {
+ if(cookieHdr[0]) {
+ if(p[0] == ' ') {
+ cookieHdr = apr_pstrcat(r->pool, cookieHdr, p, NULL);
+ } else {
+ cookieHdr = apr_pstrcat(r->pool, cookieHdr, " ", p, NULL);
+ }
+ } else {
+ cookieHdr = apr_pstrcat(r->pool, p, NULL);
+ }
+ }
+ if(strlen(cookieHdr) == 0) {
+ apr_table_unset(r->headers_in, "cookie");
+ } else {
+ if((strncasecmp(cookieHdr, "$Version=", strlen("$Version=")) == 0) &&
+ (strlen(cookieHdr) <= strlen("$Version=X; "))) {
+ /* nothing left */
+ apr_table_unset(r->headers_in, "cookie");
+ } else {
+ apr_table_set(r->headers_in, "cookie", cookieHdr);
+ }
+ }
+ return value;
+ }
+ }
+ return NULL;
+}
+
+/**
+ * verifies the session cookie 0=failed, 1=succeeded
+ */
+static int qos_verify_session(request_rec *r, qos_srv_config* sconf) {
+ int buf_len = 0;
+ unsigned char *buf;
+ char *value = qos_get_remove_cookie(r, sconf->cookie_name);
+ if(value == NULL) {
+ return 0;
+ }
+ buf_len = qos_decrypt(r, sconf, &buf, value);
+ if(buf_len != sizeof(qos_session_t)) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, r,
+ QOS_LOG_PFX(021)"session cookie verification failed, "
+ "decoding failed, id=%s", qos_unique_id(r, "021"));
+ QS_INC_EVENT(sconf, 21);
+ return 0;
+ } else {
+ qos_session_t *s = (qos_session_t *)buf;
+ if(s->time < (apr_time_sec(r->request_time) - sconf->max_age)) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, r,
+ QOS_LOG_PFX(023)"session cookie verification failed, "
+ "expired, id=%s", qos_unique_id(r, "023"));
+ QS_INC_EVENT(sconf, 23);
+ return 0;
+ }
+ }
+ /* success */
+ apr_table_set(r->notes, QS_REC_COOKIE, "");
+ return 1;
+}
+
+/**
+ * set/update the session cookie
+ */
+static void qos_set_session(request_rec *r, qos_srv_config *sconf) {
+ qos_session_t *s = (qos_session_t *)apr_pcalloc(r->pool, sizeof(qos_session_t));
+ char *cookie;
+ char *session;
+ qs_set_evmsg(r, "V;"); // log VIP session creation
+ /* payload */
+ s->time = time(NULL);
+ session = qos_encrypt(r, sconf, (const unsigned char *)s, sizeof(qos_session_t));
+ if(session == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, r,
+ QOS_LOG_PFX(025)"failed to create session cookie, id=%s",
+ qos_unique_id(r, "025"));
+ QS_INC_EVENT(sconf, 25);
+ return;
+ }
+ cookie = apr_psprintf(r->pool, "%s=%s; Path=%s; Max-Age=%d",
+ sconf->cookie_name, session,
+ sconf->cookie_path, sconf->max_age);
+ apr_table_add(r->headers_out,"Set-Cookie", cookie);
+ return;
+}
+
+/**
+ * destroy shared memory and mutexes
+ */
+static void qos_destroy_act(qs_actable_t *act) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+ QOS_LOGD_PFX"cleanup shared memory: %"APR_SIZE_T_FMT" bytes",
+ act->size);
+ act->child_init = 0;
+ if(act->lock_file && act->lock_file[0]) {
+ /*
+ We don't need to destroy locks manually as
+ apr_global_mutex_create() registers the cleanup
+ method itself to the pool we used when allocating the
+ lock.
+ if(act->lock) {
+ apr_global_mutex_destroy(act->lock);
+ }
+ */
+ act->lock_file[0] = '\0';
+ act->lock_file = NULL;
+ }
+ /*
+ We don't need to destroy shared memory
+ manually as apr_shm_create() registers the
+ cleanup method to the pool we used when
+ allocating the memory.
+ if(act->m) {
+ apr_shm_destroy(act->m);
+ }
+ */
+ apr_pool_destroy(act->pool);
+}
+
+/**
+ * returns the persistent configuration (restarts)
+ */
+static qos_user_t *qos_get_user_conf(apr_pool_t *ppool) {
+ void *v;
+ qos_user_t *u;
+ apr_pool_userdata_get(&v, QS_USR_SPE, ppool);
+ u = v;
+ if(v) {
+ return v;
+ }
+ u = (qos_user_t *)apr_pcalloc(ppool, sizeof(qos_user_t));
+ u->server_start = 0;
+ u->act_table = apr_table_make(ppool, 2);
+ apr_pool_userdata_set(u, QS_USR_SPE, apr_pool_cleanup_null, ppool);
+ u->qos_cc = NULL;
+ return u;
+}
+
+/**
+ * increments the event counters for the specified event
+ * @param ppool Process pool to fetch user ctx from
+ * @param event Event number
+ * @param locked Set this to 1 if user ctx is already locked
+ */
+static void qs_inc_eventcounter(apr_pool_t *ppool, int event, int locked) {
+ qos_user_t *u = qos_get_user_conf(ppool);
+ if(u->qos_cc == NULL) {
+ return;
+ }
+ if(!locked) {
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT49 */
+ }
+ u->qos_cc->eventTotal[event]++;
+ u->qos_cc->eventLast[event]++;
+ if(!locked) {
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT49 */
+ }
+}
+
+static int qs_calc_maxClients(server_rec *bs, qos_srv_config *bsconf) {
+ int maxThreads = 0;
+ int maxDaemons = 0;
+ int maxClientsCalc = 0;
+ int maxClients = 0;
+
+ ap_mpm_query(AP_MPMQ_MAX_DAEMONS, &maxDaemons);
+ ap_mpm_query(AP_MPMQ_MAX_THREADS, &maxThreads);
+ maxClientsCalc = (maxThreads == 0 ? 1 : maxThreads) * (maxDaemons == 0 ? 1 : maxDaemons);
+ if(m_event_mpm) {
+ /* QS_MaxClients = (AsyncRequestWorkerFactor + 1) * MaxRequestWorkers */
+ maxClientsCalc = (m_event_mpm_worker_factor + 1) * maxClientsCalc;
+ }
+ if(bsconf->max_clients_conf > 0) {
+ maxClients = bsconf->max_clients_conf;
+ } else {
+ maxClients = maxClientsCalc;
+ }
+ if(maxClients != maxClientsCalc) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, bs,
+ QOS_LOG_PFX(007)"calculated MaxClients/MaxRequestWorkers (max connections): %d,"
+ " applied limit: %d (QS_MaxClients)",
+ maxClientsCalc, maxClients);
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, bs,
+ QOS_LOGD_PFX"calculated MaxClients/MaxRequestWorkers (max connections): %d",
+ maxClients);
+ }
+ return maxClients;
+}
+
+#ifdef QS_APACHE_24
+/**
+ * tells if server is terminating immediately or not
+ */
+static int qos_is_graceful() {
+ if(ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_EXITING) {
+ return 0;
+ }
+ if(ap_state_query(AP_SQ_CONFIG_GEN) == 0) {
+ return 0;
+ }
+ return 1;
+}
+#else
+/**
+ * tells if server is terminating immediately or not
+ */
+static int qos_is_graceful() {
+ int mpm_gen = 0;
+ QOS_MY_GENERATION(mpm_gen);
+ if(mpm_gen != m_generation) return 1;
+ return 0;
+}
+#endif
+
+/* clear all counters of the per client data store at graceful restart
+ used to prevent counter grow due blocked/crashed client processes*/
+static void qos_clear_cc(qos_user_t *u) {
+ if(u->qos_cc) {
+ qos_s_entry_t **entry;
+ int i;
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT37 */
+ u->qos_cc->connections = 0;
+ if(m_generation > 0) {
+ // this process generation must not update the connections counter anymore
+ u->qos_cc->generation_locked = m_generation;
+ }
+ entry = u->qos_cc->ipd;
+ for(i = 0; i < u->qos_cc->max; i++) {
+ (*entry)->event_req = 0;
+ (*entry)->serialize = 0;
+ entry++;
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT37 */
+ }
+}
+
+/**
+ * destroys the act
+ * shared memory must not be destroyed before graceful restart has
+ * been finished due running requests still need the shared memory
+ * till they have finished.
+ * keep the memory leak as little as possible ...
+ */
+static apr_status_t qos_cleanup_shm(void *p) {
+ qs_actable_t *act = p;
+ qos_user_t *u = qos_get_user_conf(act->ppool);
+ char *this_generation;
+ char *last_generation;
+ int i;
+ apr_table_entry_t *entry;
+
+ this_generation = apr_psprintf(act->ppool, "%d", m_generation);
+ last_generation = apr_psprintf(act->pool, "%d", m_generation-1);
+ qos_clear_cc(u);
+
+ /* delete acts from the last graceful restart */
+ entry = (apr_table_entry_t *)apr_table_elts(u->act_table)->elts;
+ for(i = 0; i < apr_table_elts(u->act_table)->nelts; i++) {
+ if(strcmp(entry[i].key, last_generation) == 0) {
+ qs_actable_t *a = (qs_actable_t *)entry[i].val;
+#ifdef QS_INTERNAL_TEST
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ QOS_LOGD_PFX"clear ACT generation '%s' at '%d'", last_generation, m_generation);
+#endif
+ qos_destroy_act(a);
+ }
+ }
+ apr_table_unset(u->act_table, last_generation);
+
+ if(qos_is_graceful()) {
+ /* don't delete this act now, but at next server restart ... */
+ apr_table_addn(u->act_table, this_generation, (char *)act);
+ } else {
+ if(u->qos_cc) {
+ qos_cc_free(u->qos_cc);
+ u->qos_cc = NULL;
+ }
+#ifdef QS_INTERNAL_TEST
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ QOS_LOGD_PFX"clear ACT generation 'current' at '%d'", m_generation);
+#endif
+ qos_destroy_act(act);
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * init the shared memory of the act
+ * act->serialize <- start
+ act->qsstatustimer <- start + sizeof(serialize)
+ * act->conn <- start + sizeof(serialize) + sizeof(time_t)
+ * act->conn->conn_ip <- start + sizeof(serialize) + sizeof(time_t) + sizeof(conn) * QS_MEM_SEG
+ * + [max_ip]
+ * act->entry <-
+ * + [rule_entries]
+ * act->event_limit <-
+ * + [event_limit_entries]
+ */
+static apr_status_t qos_init_shm(server_rec *s, qos_srv_config *sconf, qs_actable_t *act,
+ apr_table_t *locRuleCfgTable, int maxClients) {
+ char *file = "-";
+ apr_status_t res;
+ int i;
+ int ruleEntries = apr_table_elts(locRuleCfgTable)->nelts;
+ apr_table_entry_t *locRuleEntry = (apr_table_entry_t *)apr_table_elts(locRuleCfgTable)->elts;
+ int event_limit_entries = sconf->event_limit_a->nelts;
+ qs_acentry_t *actEntry = NULL;
+ int max_ip = maxClients;
+
+ act->size = ((max_ip+QS_DOUBLE_CONN) * QS_MEM_SEG * APR_ALIGN_DEFAULT(sizeof(qs_ip_entry_t))) +
+ (ruleEntries * APR_ALIGN_DEFAULT(sizeof(qs_acentry_t))) +
+ (event_limit_entries * APR_ALIGN_DEFAULT(sizeof(qos_event_limit_entry_t))) +
+ APR_ALIGN_DEFAULT(sizeof(qs_conn_t)) +
+ APR_ALIGN_DEFAULT(sizeof(qs_serial_t)) +
+ APR_ALIGN_DEFAULT(sizeof(time_t)) +
+ 2048;
+ /* use anonymous shm by default */
+ res = apr_shm_create(&act->m, act->size, NULL, act->pool);
+ if(APR_STATUS_IS_ENOTIMPL(res)) {
+ file = apr_psprintf(act->pool, "%s_m.mod_qos",
+ qos_tmpnam(act->pool, s));
+#ifdef ap_http_scheme
+ /* Apache 2.2 */
+ apr_shm_remove(file, act->pool);
+#endif
+ res = apr_shm_create(&act->m, act->size, file, act->pool);
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ QOS_LOGD_PFX"%s(%s), create shared memory (ACT)(%s): %"APR_SIZE_T_FMT" bytes"
+ " (r=%d,ip=%d)",
+ s->server_hostname == NULL ? "-" : s->server_hostname,
+ s->is_virtual ? "v" : "b",
+ file,
+ act->size,
+ ruleEntries, max_ip);
+ if(res != APR_SUCCESS) {
+ char buf[MAX_STRING_LEN];
+ apr_strerror(res, buf, sizeof(buf));
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+ QOS_LOG_PFX(002)"failed to create shared memory (ACT)(%s): %s"
+ " (%"APR_SIZE_T_FMT" bytes)",
+ file, buf, act->size);
+ return res;
+ } else {
+ qs_serial_t *sp = apr_shm_baseaddr_get(act->m);
+ time_t *qsstatustimer = (time_t *)&sp[1];
+ qs_conn_t *connEntryP = (qs_conn_t *)&qsstatustimer[1];
+ qs_ip_entry_t *conn_ip = (qs_ip_entry_t *)&connEntryP[1];
+ apr_time_t now = apr_time_now();
+ act->serialize = sp;
+ act->serialize->q1 = 0;
+ act->serialize->q2 = 0;
+ act->serialize->locked = 0;
+ act->qsstatustimer = qsstatustimer;
+ *act->qsstatustimer = 0;
+ act->conn = connEntryP;
+ act->conn->conn_ip_len = (max_ip + QS_DOUBLE_CONN) * QS_MEM_SEG;
+ act->conn->conn_ip = conn_ip;
+ act->conn->max_client = max_ip;
+ act->conn->connections = 0;
+ for(i = 0; i < act->conn->conn_ip_len; i++) {
+ conn_ip->ip6[0] = 0;
+ conn_ip->ip6[1] = 0;
+ conn_ip->counter = 0;
+ conn_ip->error = 0;
+ conn_ip++;
+ }
+ if(ruleEntries) {
+ act->entry = (qs_acentry_t *)conn_ip;
+ actEntry = act->entry;
+ } else {
+ act->entry = NULL;
+ }
+ /* init rule entries (link data, init mutex) */
+ for(i = 0; i < ruleEntries; i++) {
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)locRuleEntry[i].val;
+ actEntry->next = &actEntry[1];
+ actEntry->id = i;
+ actEntry->url = rule->url;
+ actEntry->url_len = strlen(actEntry->url);
+ actEntry->event = rule->event;
+ if(actEntry->event) {
+ act->has_events++;
+ }
+ actEntry->regex = rule->regex;
+ actEntry->condition = rule->condition;
+ actEntry->regex_var = rule->regex_var;
+ actEntry->limit = rule->limit;
+ if(actEntry->limit == 0 ) {
+ if((actEntry->condition == NULL) && (actEntry->event == NULL)) {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, s,
+ QOS_LOG_PFX(003)"request level rule %s has no "
+ "concurrent request limitations",
+ actEntry->url);
+ }
+ }
+ actEntry->kbytes_interval_us = now;
+ actEntry->interval = apr_time_sec(now);
+ actEntry->bytes = 0;
+ actEntry->req_per_sec_limit = rule->req_per_sec_limit;
+ actEntry->kbytes_per_sec_limit = rule->kbytes_per_sec_limit;
+ actEntry->kbytes_per_sec = 0;
+ actEntry->counter = 0;
+ actEntry->lock = act->lock;
+ if(i < ruleEntries - 1) {
+ actEntry = actEntry->next;
+ } else {
+ actEntry->next = NULL;
+ }
+ }
+ if(event_limit_entries == 0) {
+ act->event_entry = NULL;
+ } else {
+ // source (config) event limit array
+ qos_event_limit_entry_t *eventEntrySrc = (qos_event_limit_entry_t *)sconf->event_limit_a->elts;
+ // target (act) event limit array
+ qos_event_limit_entry_t *eventEntryDst;
+ if(actEntry) {
+ // end of the last act rule entry
+ act->event_entry = (qos_event_limit_entry_t *)&actEntry[1];
+ } else {
+ // end of the last connection entry
+ act->event_entry = (qos_event_limit_entry_t *)conn_ip;
+ }
+ eventEntryDst = act->event_entry;
+ // set config
+ for(i = 0; i < event_limit_entries; i++) {
+ eventEntryDst->env_var = eventEntrySrc->env_var;
+ eventEntryDst->eventDecStr = eventEntrySrc->eventDecStr;
+ eventEntryDst->max = eventEntrySrc->max;
+ eventEntryDst->seconds = eventEntrySrc->seconds;
+ eventEntryDst->limit = 0;
+ eventEntryDst->limitTime = 0;
+ eventEntryDst->action = eventEntrySrc->action;
+ eventEntryDst->condStr = eventEntrySrc->condStr;
+ eventEntryDst->preg = eventEntrySrc->preg;
+ eventEntryDst++;
+ eventEntrySrc++;
+ }
+ }
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * Loads the geo database. See QS_GEO_PATTERN about the file format.
+ * @param pool To allocate memory from
+ * @param geodb Data structore to initialize
+ * @param msg Error message if something went wrong while loading the db
+ * @param errors Number of errors
+ * @return APR_SUCCESS if data could be loaded resp. lines have been counted
+ */
+static apr_status_t qos_loadgeo(apr_pool_t *pool, qos_geo_t *geodb,
+ char **msg, int *errors) {
+ ap_regmatch_t ma[AP_MAX_REG_MATCH];
+ ap_regex_t *preg;
+ qos_geo_entry_t *entry = NULL;
+ qos_geo_entry_t *last = NULL;
+
+ int lines = 0;
+ char line[HUGE_STRING_LEN];
+ FILE *file;
+
+ preg = ap_pregcomp(pool, QS_GEO_PATTERN, AP_REG_EXTENDED);
+ if(preg == NULL) {
+ // internal error
+ *msg = apr_pstrdup(pool, "failed to compile regular"
+ " expression "QS_GEO_PATTERN);
+ (*errors)++;
+ return APR_INCOMPLETE;
+ }
+
+ file = fopen(geodb->path, "r");
+ if(!file) {
+ *msg = apr_psprintf(pool, "could not open file %s (%s)",
+ geodb->path, strerror(errno));
+ (*errors)++;
+ return APR_INCOMPLETE;
+ }
+
+ // check syntax and determine required memory size
+ while(fgets(line, sizeof(line), file) != NULL) {
+ if(strlen(line) > 0) {
+ if(ap_regexec(preg, line, 0, NULL, 0) == 0) {
+ lines++;
+ } else {
+ *msg = apr_psprintf(pool, "invalid entry in database: '%s'", line);
+ (*errors)++;
+ }
+ }
+ }
+ if(*errors != 0) {
+ return APR_INCOMPLETE;
+ }
+
+ geodb->size = lines;
+ geodb->data = apr_pcalloc(pool, APR_ALIGN_DEFAULT(sizeof(qos_geo_entry_t)) * geodb->size);
+
+ // load the file into the memory
+ entry = geodb->data;
+ fseek(file, 0, SEEK_SET);
+ lines = 0;
+ while(fgets(line, sizeof(line), file) != NULL) {
+ lines++;
+ if(strlen(line) > 0) {
+ if(ap_regexec(preg, line, AP_MAX_REG_MATCH, ma, 0) == 0) {
+ line[ma[1].rm_eo] = '\0';
+ line[ma[2].rm_eo] = '\0';
+ line[ma[3].rm_eo] = '\0';
+ entry->start = atoll(&line[ma[1].rm_so]);
+ entry->end = atoll(&line[ma[2].rm_so]);
+ strncpy(entry->country, &line[ma[3].rm_so], 2);
+ if(last) {
+ if(entry->start < last->start) {
+ *msg = apr_psprintf(pool, "wrong order/lines not sorted (line %d)",
+ lines);
+ (*errors)++;
+ }
+ }
+ last = entry;
+ entry++;
+ }
+ }
+ }
+
+ fclose(file);
+ if(*errors == 0) {
+ return APR_SUCCESS;
+ } else {
+ return APR_INCOMPLETE;
+ }
+}
+
+/**
+ * Verifies if the string is a number
+ * @param num Number to test
+ * @param 1 if numeric (0 if not)
+ */
+static int qos_is_num(const char *num) {
+ int i = 0;
+ while(num[i]) {
+ if(!isdigit(num[i])) {
+ return 0;
+ }
+ i++;
+ }
+ return 1;
+}
+
+/**
+ * Helper for the status viewer (unsigned long to char).
+ */
+static void qos_collect_ip(request_rec *r, qos_srv_config *sconf,
+ apr_table_t *entries, int limit,
+ int html) {
+ int i = sconf->act->conn->conn_ip_len;
+ qs_ip_entry_t *conn_ip = sconf->act->conn->conn_ip;
+ apr_global_mutex_lock(sconf->act->lock); /* @CRT8 */
+ while(i) {
+ if(conn_ip->ip6[0] || conn_ip->ip6[1]) {
+ char *red = "style=\"background-color: rgb(240,153,155);\"";
+ if(html) {
+ apr_table_addn(entries, apr_psprintf(r->pool, "%s</td><td %s colspan=\"3\">%d",
+ qos_ip_long2str(r->pool, conn_ip->ip6),
+ ((limit != -1) && conn_ip->counter >= limit) ? red : "",
+ conn_ip->counter), "");
+ } else {
+ apr_table_addn(entries, qos_ip_long2str(r->pool, conn_ip->ip6), apr_psprintf(r->pool, "%d", conn_ip->counter));
+ }
+ }
+ conn_ip++;
+ i--;
+ }
+ apr_global_mutex_unlock(sconf->act->lock); /* @CRT8 */
+}
+
+
+/**
+ * Count's the number of free ip entries (for the status viewer only)
+ */
+static int qos_count_free_ip(qos_srv_config *sconf) {
+ int c = sconf->act->conn->max_client;
+ int i = sconf->act->conn->conn_ip_len;
+ qs_ip_entry_t *conn_ip = sconf->act->conn->conn_ip;
+ apr_global_mutex_lock(sconf->act->lock); /* @CRT7 */
+ while(i) {
+ if((conn_ip->ip6[0] != 0) ||
+ (conn_ip->ip6[1] != 0)) {
+ c--;
+ }
+ conn_ip++;
+ i--;
+ }
+ apr_global_mutex_unlock(sconf->act->lock); /* @CRT7 */
+ return c > 0 ? c : 0;
+}
+
+/**
+ * Checks the subprocess_env table for
+ * event variable and returns its numeric value.
+ *
+ * @param r
+ * @param variable Name of the variable to lookup
+ * @return Number within the variable or 0 if not set
+ */
+static int get_qs_event(request_rec *r, const char *variable) {
+ const char *eventStr = apr_table_get(r->subprocess_env, variable);
+ if(eventStr == NULL) {
+ return 0;
+ }
+ if(qos_is_num(eventStr) && (strlen(eventStr) > 0)) {
+ int num = atoi(eventStr);
+ if(num <= 0) {
+ num = 1;
+ }
+ return num;
+ }
+ return 1;
+}
+
+/**
+ * adds an ip entry (insert or increment)
+ *
+ * @param sconf
+ * @param cconf Configuration record containing the ip table(s)
+ * @param e Pointer to the IP entry
+ * NOTE: we can't sort the list since the address of this pointer
+ * must not be change (we don't keep the lock)
+ * @return The number of connections open by this IP
+ */
+static int qos_inc_ip(qos_srv_config *sconf,
+ qs_conn_ctx *cconf, qs_ip_entry_t **e) {
+ int num = -1;
+ qs_ip_entry_t *free = NULL;
+ int i = cconf->sconf->act->conn->conn_ip_len / QS_MEM_SEG; // size of the array
+ int seqnum = (cconf->ip6[1] % QS_MEM_SEG) * i; // array offset
+ qs_ip_entry_t *conn_ip = cconf->sconf->act->conn->conn_ip;
+ conn_ip = &conn_ip[seqnum]; // address of the first entry
+
+ apr_global_mutex_lock(cconf->sconf->act->lock); /* @CRT1 */
+
+ // search the whole list (until we find an exiting entry for this ip)
+ while(i) {
+ if((conn_ip->ip6[0] == 0) &&
+ (conn_ip->ip6[1] == 0) &&
+ (free == NULL)) {
+ // first free entry
+ free = conn_ip;
+ }
+ if((conn_ip->ip6[0] == cconf->ip6[0]) &&
+ (conn_ip->ip6[1] == cconf->ip6[1])) {
+ // found an existing entry
+ conn_ip->counter++;
+ num = conn_ip->counter;
+ *e = conn_ip;
+ break;
+ }
+ conn_ip++;
+ i--;
+ }
+ if(num == -1) {
+ // no entry found, use the first free entry
+ if(free) {
+ free->ip6[0] = cconf->ip6[0];
+ free->ip6[1] = cconf->ip6[1];
+ free->counter++;
+ num = free->counter;
+ *e = free;
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, 0, sconf->base_server,
+ QOS_LOG_PFX(035)"QS_SrvMaxConn: no free IP slot available!"
+ " Check log for unclean child exit and consider"
+ " to do a graceful server restart if this condition persists."
+ " You might also increase the number of supported connections"
+ " using the 'QS_MaxClients' directive.");
+ QS_INC_EVENT_LOCKED(sconf, 35);
+ }
+ }
+
+ apr_global_mutex_unlock(cconf->sconf->act->lock); /* @CRT1 */
+ return num;
+}
+
+/**
+ * removes an ip entry (deletes/decrements)
+ */
+static void qos_dec_ip(qs_conn_ctx *cconf) {
+ int i = cconf->sconf->act->conn->conn_ip_len / QS_MEM_SEG;
+ int seqnum = (cconf->ip6[1] % QS_MEM_SEG) * i;
+ qs_ip_entry_t *conn_ip = cconf->sconf->act->conn->conn_ip;
+ conn_ip = &conn_ip[seqnum];
+ apr_global_mutex_lock(cconf->sconf->act->lock); /* @CRT2 */
+ while(i) {
+ if((conn_ip->ip6[0] == cconf->ip6[0]) &&
+ (conn_ip->ip6[1] == cconf->ip6[1])) {
+ // entry found, decrement and exit
+ conn_ip->counter--;
+ if(conn_ip->counter == 0) {
+ // entry is no longer used by this ip
+ conn_ip->ip6[0] = 0;
+ conn_ip->ip6[1] = 0;
+ conn_ip->error = 0;
+ }
+ break;
+ }
+ conn_ip++;
+ i--;
+ }
+ apr_global_mutex_unlock(cconf->sconf->act->lock); /* @CRT2 */
+}
+
+static apr_status_t qos_cleanup_inctx(void *p) {
+ qos_ifctx_t *inctx = p;
+ qos_srv_config *sconf = inctx->sconf;
+#if APR_HAS_THREADS
+ if(sconf && sconf->inctx_t && !sconf->inctx_t->exit) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT25 */
+ inctx->status = QS_CONN_STATE_DESTROY;
+ apr_table_unset(sconf->inctx_t->table,
+ QS_INCTX_ID);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT25 */
+ }
+#endif
+ return APR_SUCCESS;
+}
+
+/**
+ * creates a new connection ctx (remember to set the socket, connection and timeout)
+ */
+static qos_ifctx_t *qos_create_ifctx(conn_rec *connection, qos_srv_config *sconf) {
+ conn_rec *c = connection;
+ char buf[128];
+ qos_ifctx_t *inctx = apr_pcalloc(c->pool, sizeof(qos_ifctx_t));
+ inctx->clientSocket = NULL;
+ inctx->status = QS_CONN_STATE_NEW;
+ inctx->cl_val = 0;
+ inctx->c = c;
+ inctx->r = NULL;
+ inctx->clientSocket = NULL;
+ inctx->time = 0;
+ inctx->nbytes = 0;
+ inctx->hasBytes = 0;
+ inctx->shutdown = 0;
+ inctx->disabled = 0;
+ inctx->lowrate = -1;
+ sprintf(buf, "%p", inctx);
+ inctx->id = apr_psprintf(c->pool, "%s%.16lx", buf, c->id);
+ inctx->sconf = sconf;
+ apr_pool_pre_cleanup_register(c->pool, inctx, qos_cleanup_inctx);
+ return inctx;
+}
+
+/**
+ * returns the context from the r->connection->input_filters
+ */
+static qos_ifctx_t *qos_get_ifctx(ap_filter_t *f) {
+ qos_ifctx_t *inctx = NULL;
+ while(f) {
+ if(strcmp(f->frec->name, "qos-in-filter") == 0) {
+ inctx = f->ctx;
+ break;
+ }
+ f = f->next;
+ }
+ return inctx;
+}
+
+static qs_conn_base_ctx *qos_create_conn_base_ctx(conn_rec *connection, qos_srv_config *sconf) {
+ conn_rec *c = connection;
+ qs_conn_base_ctx *base = apr_pcalloc(c->pool, sizeof(qs_conn_base_ctx));
+ base->cconf = NULL;
+ base->requests = 0;
+ base->c = c;
+ base->sconf = sconf;
+ base->clientSocket = NULL;
+ ap_set_module_config(c->conn_config, &qos_module, base);
+ apr_pool_pre_cleanup_register(c->pool, base, qos_base_cleanup_conn);
+ return base;
+}
+
+static qs_conn_base_ctx *qos_get_conn_base_ctx(conn_rec *connection) {
+ conn_rec *c = connection;
+ qs_conn_base_ctx *base = (qs_conn_base_ctx*)ap_get_module_config(c->conn_config, &qos_module);
+ return base;
+}
+
+/**
+ * send server error, used for connection errors
+ */
+static int qos_return_error_andclose(conn_rec *connection, apr_socket_t *socket) {
+ conn_rec *c = connection;
+ char *line = apr_pstrcat(c->pool, AP_SERVER_PROTOCOL, " ",
+ ap_get_status_line(500), CRLF CRLF, NULL);
+ apr_bucket *e = apr_bucket_pool_create(line, strlen(line), c->pool, c->bucket_alloc);
+ apr_bucket_brigade *bb = apr_brigade_create(c->pool, c->bucket_alloc);
+
+ c->keepalive = AP_CONN_CLOSE;
+ c->aborted = 1;
+ if(c->cs) {
+ c->cs->state = CONN_STATE_LINGER;
+ }
+ apr_table_set(c->notes, QS_CONN_ABORT, QS_CONN_ABORT);
+ if (m_forced_close == 0) {
+ return DECLINED;
+ }
+
+ //apr_brigade_cleanup(bb);
+ APR_BRIGADE_INSERT_HEAD(bb, e);
+ e = apr_bucket_flush_create(c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, e);
+ ap_pass_brigade(c->output_filters, bb);
+
+// if(socket) {
+// // speed up connection termination
+// qos_ifctx_t *inctx = qos_get_ifctx(c->input_filters);
+//#ifdef QS_INTERNAL_TEST
+// struct timespec delay;
+// delay.tv_sec = 0;
+// delay.tv_nsec = 1000000; // 1ms to allow testing
+// nanosleep(&delay, NULL);
+//#endif
+// apr_socket_shutdown(socket, APR_SHUTDOWN_READ);
+// if(inctx) {
+// qos_cleanup_inctx(inctx);
+// }
+// }
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+}
+
+/**
+ * returns custom error page
+ */
+static int qos_error_response(request_rec *r, const char *error_page) {
+ if(r->subprocess_env) {
+ const char *v = apr_table_get(r->subprocess_env, "QS_ErrorPage");
+ if(v) {
+ error_page = v;
+ }
+ }
+
+ if(error_page) {
+ /* do (almost) the same as ap_die() does */
+ const char *error_notes;
+ r->status = m_retcode;
+ r->connection->keepalive = AP_CONN_CLOSE;
+ r->no_local_copy = 1;
+ apr_table_setn(r->subprocess_env, "REQUEST_METHOD", r->method);
+ if ((error_notes = apr_table_get(r->notes,
+ "error-notes")) != NULL) {
+ apr_table_setn(r->subprocess_env, "ERROR_NOTES", error_notes);
+ }
+ /* external or internal redirect */
+ if(strncasecmp(error_page, "http", 4) == 0) {
+ apr_table_set(r->headers_out, "Location", error_page);
+ return HTTP_MOVED_TEMPORARILY;
+ } else {
+ r->method = apr_pstrdup(r->pool, "GET");
+ r->method_number = M_GET;
+ ap_internal_redirect(error_page, r);
+ return DONE;
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * returns the matching regex with the lowest limitation
+ */
+static qs_acentry_t *qos_getrule_byregex(request_rec *r, qos_srv_config *sconf) {
+ qs_acentry_t *ret = NULL;
+ qs_actable_t *act = sconf->act;
+ qs_acentry_t *actEntry = act->entry;
+ int limit = -1;
+ while(actEntry) {
+ if((actEntry->event == NULL) && (actEntry->regex != NULL) && (actEntry->condition == NULL)) {
+ if((limit == -1) || (actEntry->limit < limit)) {
+ if(ap_regexec(actEntry->regex, r->unparsed_uri, 0, NULL, 0) == 0) {
+ if(limit == -1) {
+ ret = actEntry;
+ limit = actEntry->limit;
+ } else if(actEntry->limit < limit) {
+ ret = actEntry;
+ limit = actEntry->limit;
+ }
+ }
+ }
+ }
+ actEntry = actEntry->next;
+ }
+ return ret;
+}
+
+/**
+ * returns the matching conditional regex with the lowest limitation
+ */
+static qs_acentry_t *qos_getcondrule_byregex(request_rec *r, qos_srv_config *sconf) {
+ qs_acentry_t *ret = NULL;
+ qs_actable_t *act = sconf->act;
+ qs_acentry_t *actEntry = act->entry;
+ int limit = -1;
+ while(actEntry) {
+ if((actEntry->event == NULL) && (actEntry->regex != NULL) && (actEntry->condition != NULL)) {
+ if((limit == -1) || (actEntry->limit < limit)) {
+ if(ap_regexec(actEntry->regex, r->unparsed_uri, 0, NULL, 0) == 0) {
+ if(limit == -1) {
+ ret = actEntry;
+ limit = actEntry->limit;
+ } else if(actEntry->limit < limit) {
+ ret = actEntry;
+ limit = actEntry->limit;
+ }
+ }
+ }
+ }
+ actEntry = actEntry->next;
+ }
+ return ret;
+}
+
+/**
+ * returns the best matching location entry
+ */
+static qs_acentry_t *qos_getrule_bylocation(request_rec * r, qos_srv_config *sconf) {
+ qs_acentry_t *ret = NULL;
+ qs_actable_t *act = sconf->act;
+ qs_acentry_t *actEntry = act->entry;
+ int match_len = 0;
+ while(actEntry) {
+ if((actEntry->event == NULL) && (actEntry->regex == NULL)) {
+ /* per location limitation */
+ if(actEntry->url && (strncmp(actEntry->url, r->parsed_uri.path, actEntry->url_len) == 0)) {
+ /* best match */
+ if(actEntry->url_len > match_len) {
+ match_len = actEntry->url_len;
+ ret = actEntry;
+ }
+ }
+ }
+ actEntry = actEntry->next;
+ }
+ return ret;
+}
+
+/**
+ * checks for VIP user (may pass restrictions)
+ */
+static int qos_is_vip(request_rec *r, qos_srv_config *sconf) {
+ if(qos_verify_session(r, sconf)) {
+ apr_table_set(r->subprocess_env, QS_VipRequest, "yes");
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, "yes");
+ return 1;
+ }
+ if(r->subprocess_env) {
+ const char *v = apr_table_get(r->subprocess_env, QS_VipRequest);
+ if(v && (strcasecmp(v, "yes") == 0)) {
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, "yes");
+ return 1;
+ }
+ }
+ return 0;
+}
+
+/**
+ * writes the parp table to a single query line
+ */
+static const char *qos_parp_query(request_rec *r, apr_table_t *tl, const char *add) {
+ int add_len = 0;
+ char *query = NULL;
+ int len = 0;
+ char *p;
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(tl)->elts;
+ for(i = 0; i < apr_table_elts(tl)->nelts; i++) {
+ len = len +
+ (entry[i].key == NULL ? 0 : strlen(entry[i].key)) +
+ (entry[i].val == NULL ? 0 : strlen(entry[i].val)) +
+ 2;
+ }
+ if(add && add[0]) {
+ add_len = strlen(add);
+ len = len + add_len + 1;
+ }
+ query = apr_pcalloc(r->pool, len + 2);
+ query[0] = '?';
+ if(add_len) {
+ memcpy(&query[1], add, add_len);
+ p = &query[add_len];
+ } else {
+ p = &query[1];
+ }
+ p[0] = '\0';
+ for(i = 0; i < apr_table_elts(tl)->nelts; i++) {
+ int l = strlen(entry[i].key);
+ if(p != &query[1]) {
+ p[0] = '&';
+ p++;
+ p[0] = '\0';
+ }
+ memcpy(p, entry[i].key, l);
+ p += l;
+ p[0] = '=';
+ p++;
+ l = strlen(entry[i].val);
+ memcpy(p, entry[i].val, l);
+ p += l;
+ p[0] = '\0';
+ }
+ apr_table_setn(r->notes, apr_pstrdup(r->pool, QS_PARP_QUERY), query);
+ return &query[1];
+}
+
+/* filter events */
+static int qos_per_dir_event_rules(request_rec *r, qos_srv_config *sconf,
+ qos_dir_config *dconf) {
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(dconf->rfilter_table)->elts;
+ int i;
+ for(i = 0; i < apr_table_elts(dconf->rfilter_table)->nelts; i++) {
+ if(entry[i].key[0] == '+') {
+ int deny_rule = 0;
+ int ex = -1;
+ qos_rfilter_t *rfilter = (qos_rfilter_t *)entry[i].val;
+ if(rfilter->type == QS_DENY_EVENT) {
+ deny_rule = 1;
+ if(rfilter->text[0] == '!') {
+ if(apr_table_get(r->subprocess_env, &rfilter->text[1]) == NULL) {
+ ex = 0;
+ }
+ } else {
+ if(apr_table_get(r->subprocess_env, rfilter->text) != NULL) {
+ ex = 0;
+ }
+ }
+ }
+ if(deny_rule && (ex == 0)) {
+ int severity = rfilter->action == QS_DENY ? APLOG_ERR : APLOG_WARNING;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|severity, 0, r,
+ QOS_LOG_PFX(040)"access denied, %s rule id: %s (%s),"
+ " action=%s, c=%s, id=%s",
+ qos_rfilter_type2text(r->pool, rfilter->type),
+ rfilter->id,
+ rfilter->text,
+ (!sconf->log_only) && (rfilter->action == QS_DENY) ? "deny" : "log only",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "040"));
+ QS_INC_EVENT(sconf, 40);
+ if(rfilter->action == QS_DENY) {
+ return HTTP_FORBIDDEN;
+ }
+ }
+ }
+ }
+ return APR_SUCCESS;
+}
+
+/* json parser start ------------------------------------------------------- */
+#define QOS_J_ERROR "HTTP_BAD_REQUEST QOS JSON PARSER: FORMAT ERROR"
+#define QOS_j_RECURSION 80
+
+static int j_val(apr_pool_t *pool, char **val, apr_table_t *tl, char *name, int rec);
+
+static char *j_escape_url(apr_pool_t *pool, const char *c) {
+ char buf[4];
+ char special[] = " \t()<>@,;:\\/[]?={}\"'&%+";
+ char *r = apr_pcalloc(pool, 3 * strlen(c));
+ const char *p = c;
+ int i = 0;
+ while(p && p[0]) {
+ char c = p[0];
+ if(!apr_isprint(c) || strchr(special, c)) {
+ sprintf(buf, "%02x", p[0]);
+ r[i] = '%'; i++;
+ r[i] = buf[0]; i++;
+ r[i] = buf[1]; i++;
+ } else {
+ r[i] = c;
+ i++;
+ }
+ p++;
+ }
+ return r;
+}
+
+static char *j_strchr(char *data, char d) {
+ char *q = data;
+ if(!q) {
+ return NULL;
+ }
+ if(q[0] == d) {
+ return q;
+ }
+ while(q[0]) {
+ if((q[0] == d) && (q[-1] != '\\')) {
+ return q;
+ }
+ q++;
+ }
+ return NULL;
+}
+
+static char *j_skip(char *in) {
+ if(!in) return NULL;
+ while(in[0] && ((in[0] == ' ') ||
+ (in[0] == '\t') ||
+ (in[0] == '\r') ||
+ (in[0] == '\n') ||
+ (in[0] == '\f'))) {
+ in++;
+ }
+ return in;
+}
+
+static int j_string(apr_pool_t *pool, char **val, apr_table_t *tl, char *name, char **n) {
+ char *d = *val;
+ char *v = d;
+ char *end = j_strchr(d, '"');
+ if(!end) {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing string (no ending double quote)");
+ return HTTP_BAD_REQUEST;
+ }
+ end[0] = '\0';
+ end++;
+ *val = j_skip(end);
+ /* TODO, improve string format validation */
+ while(v[0]) {
+ if(v[0] < ' ') {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing string (invalid character)");
+ return HTTP_BAD_REQUEST;
+ }
+ v++;
+ }
+ *n = d;
+ return APR_SUCCESS;
+}
+
+static int j_num(apr_pool_t *pool, char **val, apr_table_t *tl, char *name, char **n) {
+ char *s = *val;
+ char *d = *val;
+ while(d && ((d[0] >= '0' && d[0] <= '9') ||
+ d[0] == '.' ||
+ d[0] == 'e' ||
+ d[0] == 'E' ||
+ d[0] == '+' ||
+ d[0] == '-')) {
+ d++;
+ }
+ *n = apr_pstrndup(pool, s, d-s);
+ *val = d;
+ return APR_SUCCESS;
+}
+
+static int j_obj(apr_pool_t *pool, char **val, apr_table_t *tl, char *name, int rec) {
+ char *d = j_skip(*val);
+ int rc;
+ while(d && d[0]) {
+ if(*d != '\"') {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing object (missing string)");
+ return HTTP_BAD_REQUEST;
+ } else {
+ /* list of string ":" value pairs (sepated by ',') */
+ char *v = NULL;
+ char *thisname;
+ d++;
+ rc = j_string(pool, &d, tl, name, &v);
+ if(rc != APR_SUCCESS) {
+ return rc;
+ }
+ thisname = apr_pstrcat(pool, name, "_" , v, NULL);
+ d = j_skip(d);
+ if(!d || d[0] != ':') {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing object (missing value/wrong delimiter)");
+ return HTTP_BAD_REQUEST;
+ }
+ d++;
+ rc = j_val(pool, &d, tl, thisname, rec);
+ if(rc != APR_SUCCESS) {
+ return rc;
+ }
+ d = j_skip(d);
+ if(!d) {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing object (unexpected end)");
+ return HTTP_BAD_REQUEST;
+ }
+ if(d[0] == '}') {
+ d++;
+ *val = d;
+ return APR_SUCCESS;
+ } else if(d[0] == ',') {
+ d = j_strchr(d, '"');
+ } else {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing object (unexpected end/wrong delimiter)");
+ return HTTP_BAD_REQUEST;
+ }
+ }
+ }
+ return APR_SUCCESS;
+}
+
+static int j_ar(apr_pool_t *pool, char **val, apr_table_t *tl, char *name, int rec) {
+ char *d = j_skip(*val);
+ int rc;
+ int index = 0;
+ while(d && d[0]) {
+ rc = j_val(pool, &d, tl, apr_psprintf(pool, "%s%d", name, index), rec);
+ if(rc != APR_SUCCESS) {
+ return rc;
+ }
+ d = j_skip(d);
+ if(!d) {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing array (unexpected end)");
+ return HTTP_BAD_REQUEST;
+ }
+ if(d[0] == ']') {
+ d++;
+ *val = d;
+ return APR_SUCCESS;
+ } else if(d[0] == ',') {
+ d++;
+ d = j_skip(d);
+ } else {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing array (unexpected end/wrong delimiter)");
+ return HTTP_BAD_REQUEST;
+ }
+ index++;
+ }
+ return APR_SUCCESS;
+}
+
+static int j_val(apr_pool_t *pool, char **val, apr_table_t *tl, char *name, int rec) {
+ char *d = j_skip(*val);
+ int rc = APR_SUCCESS;
+ rec++;
+ if(rec > QOS_j_RECURSION) {
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing string (reached recursion limit)");
+ return HTTP_BAD_REQUEST;
+ }
+ /* either object, array, string, number, "true", "false", or "null" */
+ if(d[0] == '{') {
+ d++;
+ rc = j_obj(pool, &d, tl, apr_pstrcat(pool, name, "_o", NULL), rec);
+ } else if(d[0] == '[') {
+ d++;
+ rc = j_ar(pool, &d, tl, apr_pstrcat(pool, name, "_a", NULL), rec);
+ } else if(strncmp(d,"null",4) == 0) {
+ d+=4;
+ apr_table_add(tl, apr_pstrcat(pool, j_escape_url(pool, name), "_b", NULL), "null");
+ } else if(strncmp(d,"true",4) == 0) {
+ apr_table_add(tl, apr_pstrcat(pool, j_escape_url(pool, name), "_b", NULL), "true");
+ d+=4;
+ } else if(strncmp(d,"false",5) == 0) {
+ apr_table_add(tl, apr_pstrcat(pool, j_escape_url(pool, name), "_b", NULL), "false");
+ d+=5;
+ } else if(*d == '-' || (*d >= '0' && *d <= '9')) {
+ char *n = apr_pstrcat(pool, name, "_n", NULL);
+ char *v = NULL;
+ rc = j_num(pool, &d, tl, n, &v);
+ if(rc == APR_SUCCESS) {
+ apr_table_addn(tl, j_escape_url(pool, n), j_escape_url(pool, v));
+ }
+ } else if(*d == '\"') {
+ char *n = apr_pstrcat(pool, name, "_v", NULL);
+ char *v = NULL;
+ d++;
+ rc = j_string(pool, &d, tl, n, &v);
+ if(rc == APR_SUCCESS) {
+ apr_table_addn(tl, j_escape_url(pool, n), j_escape_url(pool, v));
+ }
+ } else {
+ /* error */
+ apr_table_add(tl, QOS_J_ERROR, "error while parsing value (invalid type)");
+ return HTTP_BAD_REQUEST;
+ }
+ if(rc != APR_SUCCESS) {
+ return rc;
+ }
+ *val = d;
+ rec--;
+ return APR_SUCCESS;
+}
+/* json parser end --------------------------------------------------------- */
+
+/**
+ * Process json data retrieved from parp (request body)
+ * @param r
+ * @param dconf
+ * @param query Query to add data
+ * @param msg Error message if paring fails
+ * @return APR_SUCCESS if processed without errors.
+ */
+static int qos_json(request_rec *r, qos_dir_config *dconf, const char **query, const char **msg) {
+ const char *contenttype = apr_table_get(r->headers_in, "Content-Type");
+ if(contenttype && (strncasecmp(contenttype, "application/json", 16) == 0)) {
+ apr_size_t len = 0;
+ const char *data = NULL;
+ /* check if parp has body data to process (requires "PARP_BodyData application/json")
+ or if the json message is stored within the query */
+ if(qos_parp_body_data_fn) {
+ data = qos_parp_body_data_fn(r, &len);
+ }
+ if(data == NULL) {
+ data = *query;
+ if(data && (data[0] == '[' || data[0] == '{')) {
+ int escerr = 0;
+ char *copyq = apr_pstrdup(r->pool, data);
+ *query = NULL;
+ // the query needs to be unescaped before getting parsed
+ len = qos_unescaping(copyq, dconf->dec_mode, &escerr);
+#ifdef QS_MOD_EXT_HOOKS
+ qos_run_path_decode_hook(r, &copyq, &len);
+#endif
+ data = copyq;
+ if(strlen(data) != len) {
+ *msg = apr_pstrdup(r->pool, "null character within data structure in query");
+ return HTTP_BAD_REQUEST;
+ }
+ } else {
+ // does not look like a json structure (strict)
+ data = NULL;
+ }
+ }
+ if(data && (len > 0)) {
+ char *value = apr_pstrndup(r->pool, data, len);
+ apr_table_t *tl = apr_table_make(r->pool, 200);
+ int rc;
+ if(strlen(value) != len) {
+ *msg = apr_pstrdup(r->pool, "null character within data structure");
+ return HTTP_BAD_REQUEST;
+ }
+ rc = j_val(r->pool, &value, tl, "J", 0);
+ if(rc != APR_SUCCESS) {
+ *msg = apr_table_get(tl, QOS_J_ERROR);
+ apr_table_unset(tl, QOS_J_ERROR);
+ return rc;
+ }
+ if(value && value[0]) {
+ value = j_skip(value);
+ if(value && value[0]) {
+ /* error, there is still some data */
+ *msg = apr_pstrdup(r->pool, "more than one element");
+ }
+ }
+ *query = qos_parp_query(r, tl, *query);
+ if(*query) {
+ apr_table_setn(r->notes, apr_pstrdup(r->pool, QS_PARP_Q), *query);
+ }
+ }
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * processes the per location rules QS_Permit* and QS_Deny*
+ */
+static int qos_per_dir_rules(request_rec *r, qos_srv_config *sconf,
+ qos_dir_config *dconf) {
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(dconf->rfilter_table)->elts;
+ int i;
+ char *path = apr_pstrdup(r->pool, r->parsed_uri.path);
+ char *query = NULL;
+ char *fragment = NULL;
+ char *request_line = apr_pstrdup(r->pool, r->the_request);
+ char *uri = path;
+ int request_line_len;
+ int path_len;
+ int query_len = 0;
+ int fragment_len = 0;
+ int uri_len;
+ int permit_rule = 0;
+ int permit_rule_match = 0;
+ int permit_rule_action = QS_DENY;
+ int escerr = 0;
+ request_line_len = qos_unescaping(request_line, dconf->dec_mode, &escerr);
+ path_len = qos_unescaping(path, dconf->dec_mode, &escerr);
+#ifdef QS_MOD_EXT_HOOKS
+ qos_run_path_decode_hook(r, &path, &path_len);
+#endif
+ uri_len = path_len;
+ if(dconf->bodyfilter_p == 1 || dconf->bodyfilter_d == 1) {
+ const char *q = apr_table_get(r->notes, QS_PARP_Q);
+ if((q == NULL) && qos_parp_hp_table_fn) {
+ const char *msg = NULL;
+ apr_table_t *tl = qos_parp_hp_table_fn(r);
+ if(tl) {
+ if(apr_table_elts(tl)->nelts > 0) {
+ q = qos_parp_query(r, tl, NULL);
+ if(q) {
+ apr_table_setn(r->notes, apr_pstrdup(r->pool, QS_PARP_Q), q);
+ }
+ }
+ } else {
+ /* no table provided by mod_parp (unsupported content type?),
+ use query string if available */
+ if(r->parsed_uri.query) {
+ q = r->parsed_uri.query;
+ }
+ }
+ if(qos_json(r, dconf, &q, &msg) != APR_SUCCESS) {
+ /* parser error */
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(048)"access denied, invalid JSON syntax (%s),"
+ " action=%s, c=%s, id=%s",
+ msg ? msg : "-",
+ sconf->log_only ? "log only" : "deny",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "048"));
+ QS_INC_EVENT(sconf, 48);
+ return HTTP_FORBIDDEN;
+ }
+ }
+ if(q) {
+ /* prepare unescaped body query (parp) */
+ char *q1 = apr_pstrdup(r->pool, q);
+ int q1_len = 0;
+ q1 = apr_pstrdup(r->pool, q);
+ q1_len = qos_unescaping(q1, dconf->dec_mode, &escerr);
+#ifdef QS_MOD_EXT_HOOKS
+ qos_run_query_decode_hook(r, &q1, &q1_len);
+#endif
+ if(dconf->bodyfilter_d == 1) {
+ /* use body for query deny filter */
+ query = q1;
+ query_len = q1_len;
+ } else {
+ /* don't use body for query deny filter */
+ if(r->parsed_uri.query) {
+ query = apr_pstrdup(r->pool, r->parsed_uri.query);
+ query_len = qos_unescaping(query, dconf->dec_mode, &escerr);
+#ifdef QS_MOD_EXT_HOOKS
+ qos_run_query_decode_hook(r, &query, &query_len);
+#endif
+ }
+ }
+ if(dconf->bodyfilter_p != 1) {
+ /* don' use body for permit filter */
+ if(r->parsed_uri.query) {
+ q1 = apr_pstrdup(r->pool, r->parsed_uri.query);
+ q1_len = qos_unescaping(q1, dconf->dec_mode, &escerr);
+#ifdef QS_MOD_EXT_HOOKS
+ qos_run_query_decode_hook(r, &q1, &q1_len);
+#endif
+ } else {
+ q1 = NULL;
+ q1_len = 0;
+ }
+ }
+ if(q1) {
+ uri = apr_pcalloc(r->pool, path_len + 1 + q1_len + 1);
+ memcpy(uri, path, path_len);
+ uri[path_len] = '?';
+ memcpy(&uri[path_len+1], q1, q1_len);
+ uri[path_len+1+q1_len] = '\0';
+ uri_len = path_len + 1 + q1_len;
+ }
+ }
+ } else {
+ if(r->parsed_uri.query) {
+ query = apr_pstrdup(r->pool, r->parsed_uri.query);
+ query_len = qos_unescaping(query, dconf->dec_mode, &escerr);
+#ifdef QS_MOD_EXT_HOOKS
+ qos_run_query_decode_hook(r, &query, &query_len);
+#endif
+ uri = apr_pcalloc(r->pool, path_len + 1 + query_len + 1);
+ memcpy(uri, path, path_len);
+ uri[path_len] = '?';
+ memcpy(&uri[path_len+1], query, query_len);
+ uri[path_len+1+query_len] = '\0';
+ uri_len = path_len + 1 + query_len;
+ }
+ }
+ if(r->parsed_uri.fragment) {
+ fragment = apr_pstrdup(r->pool, r->parsed_uri.fragment);
+ fragment_len = qos_unescaping(fragment, dconf->dec_mode, &escerr);
+ uri = apr_pcalloc(r->pool, path_len + 1 + fragment_len + 1);
+ memcpy(uri, path, path_len);
+ uri[path_len] = '?';
+ memcpy(&uri[path_len+1], fragment, fragment_len);
+ uri[path_len+1+fragment_len] = '\0';
+ uri_len = path_len + 1 + fragment_len;
+ }
+ if(escerr > 0 && (dconf->urldecoding < QS_OFF_DEFAULT)) {
+ int severity = dconf->urldecoding == QS_DENY ? APLOG_ERR : APLOG_WARNING;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|severity, 0, r,
+ QOS_LOG_PFX(046)"access denied, invalid url encoding, action=%s, c=%s, id=%s",
+ (!sconf->log_only) && (dconf->urldecoding == QS_DENY) ? "deny" : "log only",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "046"));
+ QS_INC_EVENT(sconf, 46);
+ if(dconf->urldecoding == QS_DENY) {
+ return HTTP_FORBIDDEN;
+ }
+ }
+ /* process deny- and allow- list rules in one loop */
+ for(i = 0; i < apr_table_elts(dconf->rfilter_table)->nelts; i++) {
+ if(entry[i].key[0] == '+') {
+ int deny_rule = 0;
+ int ex = -1;
+ qos_rfilter_t *rfilter = (qos_rfilter_t *)entry[i].val;
+ if(rfilter->type == QS_DENY_REQUEST_LINE) {
+ deny_rule = 1;
+ ex = qos_regexec_len(r->pool, rfilter->preg, request_line, request_line_len);
+ } else if(rfilter->type == QS_DENY_PATH) {
+ deny_rule = 1;
+ ex = qos_regexec_len(r->pool, rfilter->preg, path, path_len);
+ } else if(rfilter->type == QS_DENY_QUERY) {
+ deny_rule = 1;
+ ex = qos_regexec_len(r->pool, rfilter->preg, query, query_len);
+ } else if(rfilter->type == QS_DENY_EVENT) {
+ /* event rules are processed separately */
+ } else {
+ permit_rule = 1;
+ ex = qos_regexec_len(r->pool, rfilter->preg, uri, uri_len);
+ permit_rule_action = rfilter->action;
+ if(ex == 0) {
+ permit_rule_match = 1;
+ }
+ }
+ if(deny_rule && (ex == 0)) {
+ int severity = rfilter->action == QS_DENY ? APLOG_ERR : APLOG_WARNING;
+ apr_table_set(r->subprocess_env, QS_RuleId, rfilter->id);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|severity, 0, r,
+ QOS_LOG_PFX(040)"access denied, %s rule id: %s (%s),"
+ " action=%s, c=%s, id=%s",
+ qos_rfilter_type2text(r->pool, rfilter->type),
+ rfilter->id,
+ rfilter->text,
+ (!sconf->log_only) && (rfilter->action == QS_DENY) ? "deny" : "log only",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "040"));
+ QS_INC_EVENT(sconf, 40);
+ if(rfilter->action == QS_DENY) {
+ return HTTP_FORBIDDEN;
+ }
+ }
+ }
+ }
+ if(permit_rule && !permit_rule_match) {
+ int severity = permit_rule_action == QS_DENY ? APLOG_ERR : APLOG_WARNING;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|severity, 0, r,
+ QOS_LOG_PFX(041)"access denied, no permit rule match, action=%s, c=%s, id=%s",
+ (!sconf->log_only) && (permit_rule_action == QS_DENY) ? "deny" : "log only",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "041"));
+ QS_INC_EVENT(sconf, 41);
+ if(permit_rule_action == QS_DENY) {
+ return HTTP_FORBIDDEN;
+ }
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * request/response header filter, drops headers which are not allowed
+ */
+static int qos_header_filter(request_rec *r, qos_srv_config *sconf,
+ apr_table_t *headers, const char *type,
+ apr_table_t *hfilter_table,
+ qs_headerfilter_mode_e mode) {
+ apr_table_t *delete = apr_table_make(r->pool, 1);
+ apr_table_t *reason = NULL;
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(headers)->elts;
+ for(i = 0; i < apr_table_elts(headers)->nelts; i++) {
+ qos_fhlt_r_t *he = (qos_fhlt_r_t *)apr_table_get(hfilter_table, entry[i].key);
+ int denied = 0;
+ if(he) {
+ if(mode != QS_HEADERFILTER_SIZE_ONLY) {
+ if(ap_regexec(he->preg, entry[i].val, 0, NULL, 0) != 0) {
+ denied = 1;
+ }
+ }
+ if(strlen(entry[i].val) > he->size) {
+ denied += 2;
+ }
+ if(denied) {
+ char *pattern = apr_psprintf(r->pool, "(pattern=%s, max. length=%d)",
+ he->text, he->size);
+ if(he->action == QS_FLT_ACTION_DENY) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(043)"access denied%s, %s header: \'%s: %s\', %s, c=%s, id=%s",
+ sconf->log_only ? " (log only)" : "",
+ type,
+ entry[i].key, entry[i].val,
+ pattern,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "043"));
+ QS_INC_EVENT(sconf, 43);
+ return HTTP_FORBIDDEN;
+ }
+ if(reason == NULL) {
+ reason = apr_table_make(r->pool, 1);
+ }
+ apr_table_add(delete, entry[i].key, entry[i].val);
+ apr_table_add(reason, entry[i].key, pattern);
+ }
+ } else {
+ if(reason == NULL) {
+ reason = apr_table_make(r->pool, 1);
+ }
+ apr_table_add(delete, entry[i].key, entry[i].val);
+ apr_table_add(reason, entry[i].key, "(no rule available)");
+ }
+ }
+ entry = (apr_table_entry_t *)apr_table_elts(delete)->elts;
+ for(i = 0; i < apr_table_elts(delete)->nelts; i++) {
+ if(mode != QS_HEADERFILTER_SILENT) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, r,
+ QOS_LOG_PFX(042)"drop %s header%s: \'%s: %s\', %s, c=%s, id=%s",
+ type,
+ sconf->log_only ? " (log only)" : "",
+ entry[i].key, entry[i].val,
+ apr_table_get(reason, entry[i].key),
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "042"));
+ QS_INC_EVENT(sconf, 42);
+ }
+ if(!sconf->log_only) {
+ apr_table_unset(headers, entry[i].key);
+ }
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * returns list of all query name=value pairs
+ */
+static apr_table_t *qos_get_query_table(request_rec *r) {
+ apr_table_t *av = apr_table_make(r->pool, 2);
+ if(r->parsed_uri.query) {
+ const char *q = apr_pstrdup(r->pool, r->parsed_uri.query);
+ while(q && q[0]) {
+ const char *t = ap_getword(r->pool, &q, '&');
+ const char *name = ap_getword(r->pool, &t, '=');
+ const char *value = t;
+ if(name && (strlen(name) > 0)) {
+ if(value && (strlen(value) > 0)) {
+ apr_table_add(av, name, value);
+ } else if((strlen(name) > 0)) {
+ apr_table_add(av, name, "");
+ }
+ }
+ }
+ }
+ return av;
+}
+
+/** add "\n" */
+#define QOS_ALERT_LINE_LEN 65
+static char *qos_crline(request_rec *r, const char *line) {
+ char *string = "";
+ const char *pos = line;
+ while(pos && pos[0]) {
+ int len = strlen(pos);
+ if(len > QOS_ALERT_LINE_LEN) {
+ string = apr_pstrcat(r->pool, string,
+ apr_psprintf(r->pool, "%.*s", QOS_ALERT_LINE_LEN, pos), "\n", NULL);
+ pos = &pos[QOS_ALERT_LINE_LEN];
+ } else {
+ string = apr_pstrcat(r->pool, string, pos, NULL);
+ pos = NULL;
+ }
+ }
+ return string;
+}
+
+/**
+ * calculates the rec/sec block rate
+ */
+static void qos_cal_req_sec(qos_srv_config *sconf, request_rec *r, qs_acentry_t *e) {
+ if(e->req_per_sec > e->req_per_sec_limit) {
+ int factor = ((e->req_per_sec * 100) / e->req_per_sec_limit) - 100;
+ e->req_per_sec_block_rate = e->req_per_sec_block_rate + factor;
+ if(e->req_per_sec_block_rate > QS_MAX_DELAY/1000) {
+ e->req_per_sec_block_rate = QS_MAX_DELAY/1000;
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, r,
+ QOS_LOG_PFX(050)"request rate limit, rule: %s(%ld), req/sec=%ld,"
+ " delay=%dms%s",
+ e->url, e->req_per_sec_limit,
+ e->req_per_sec, e->req_per_sec_block_rate,
+ e->req_per_sec_block_rate == QS_MAX_DELAY/1000 ? " (max)" : "");
+ QS_INC_EVENT(sconf, 50);
+ } else if(e->req_per_sec_block_rate > 0) {
+ if(e->req_per_sec_block_rate < 50) {
+ e->req_per_sec_block_rate = 0;
+ } else {
+ int factor = e->req_per_sec_block_rate / 4;
+ e->req_per_sec_block_rate = e->req_per_sec_block_rate - factor;
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, 0, r,
+ QOS_LOG_PFX(051)"request rate limit, rule: %s(%ld), req/sec=%ld,"
+ " delay=%dms",
+ e->url, e->req_per_sec_limit,
+ e->req_per_sec, e->req_per_sec_block_rate);
+ QS_INC_EVENT(sconf, 51);
+ }
+}
+
+/**
+ * QS_DenyEvent enforcement at header parser
+ * @param r
+ * @param sconf
+ * @param dconf
+ # returns DECLINED if no events has been detected
+ */
+static int qos_hp_event_deny_filter(request_rec *r, qos_srv_config *sconf, qos_dir_config *dconf) {
+ apr_status_t rv = qos_per_dir_event_rules(r, sconf, dconf);
+ if(rv != APR_SUCCESS) {
+ int rc;
+ const char *error_page = sconf->error_page;
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return rv;
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * QS_Permit* / QS_Deny* enforcement at header parser
+ * @param r
+ * @param sconf
+ * @param dconf
+ * @return
+ */
+static int qos_hp_filter(request_rec *r, qos_srv_config *sconf, qos_dir_config *dconf) {
+ apr_status_t rv = APR_SUCCESS;
+ if(sconf->milestones) {
+ char *value = qos_get_remove_cookie(r, QOS_MILESTONE_COOKIE);
+ rv = qos_verify_milestone(r, sconf, value);
+ }
+
+ if((rv == APR_SUCCESS) && (apr_table_elts(dconf->rfilter_table)->nelts > 0)) {
+ rv = qos_per_dir_rules(r, sconf, dconf);
+ }
+
+ if(rv != APR_SUCCESS) {
+ int rc;
+ const char *error_page = sconf->error_page;
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return rv;
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * QS_SetEnvRes (outfilter)
+ * Detects events at response time.
+ */
+static void qos_setenvres(request_rec *r, qos_srv_config *sconf) {
+ ap_regmatch_t regm[AP_MAX_REG_MATCH];
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(sconf->setenvres_t)->elts;
+ for(i = 0; i < apr_table_elts(sconf->setenvres_t)->nelts; i++) {
+ const char *val = apr_table_get(r->subprocess_env, entry[i].key);
+ if(val) {
+ qos_pregval_t *pregval = (qos_pregval_t *)entry[i].val;
+ if(ap_regexec(pregval->preg, val, AP_MAX_REG_MATCH, regm, 0) == 0) {
+ if(pregval->value) {
+ char *replaced = ap_pregsub(r->pool, pregval->value, val, AP_MAX_REG_MATCH, regm);
+ apr_table_set(r->subprocess_env, pregval->name, replaced);
+ } else {
+ apr_table_set(r->subprocess_env, pregval->name, "1");
+ }
+ }
+ }
+ }
+}
+
+/**
+ * QS_SetEnvResHeader(Match) (outfilter)
+ * Matches response headers and sets an event on match.
+ * @param r
+ * @param sconf
+ */
+static void qos_setenvresheader(request_rec *r, qos_srv_config *sconf) {
+ apr_table_t *headers = r->headers_out;
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(sconf->setenvresheader_t)->elts;
+ apr_table_entry_t *entryMatch = (apr_table_entry_t *)apr_table_elts(sconf->setenvresheadermatch_t)->elts;
+ while(headers) {
+ for(i = 0; i < apr_table_elts(sconf->setenvresheadermatch_t)->nelts; i++) {
+ const char *val = apr_table_get(headers, entryMatch[i].key);
+ if(val) {
+ ap_regex_t *preg = (ap_regex_t *)entryMatch[i].val;
+ if(ap_regexec(preg, val, 0, NULL, 0) == 0) {
+ apr_table_set(r->subprocess_env, entryMatch[i].key, val);
+ }
+ }
+ }
+ for(i = 0; i < apr_table_elts(sconf->setenvresheader_t)->nelts; i++) {
+ const char *val = apr_table_get(headers, entry[i].key);
+ if(val) {
+ apr_table_set(r->subprocess_env, entry[i].key, val);
+ if(strcasecmp(entry[i].val, "drop") == 0) {
+ apr_table_unset(headers, entry[i].key);
+ }
+ }
+ }
+ if(headers == r->headers_out) {
+ headers = r->err_headers_out;
+ } else {
+ headers = NULL;
+ }
+ }
+}
+
+/**
+ * QS_SetEnvIfStatus
+ * Match response status code
+ *
+ * @param r
+ * @param sconf
+ * @param dconf
+ */
+static void qos_setenvstatus(request_rec *r, qos_srv_config *sconf, qos_dir_config *dconf) {
+ char *code = apr_psprintf(r->pool, "%d", r->status);
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(sconf->setenvstatus_t)->elts;
+ for(i = 0; i < apr_table_elts(sconf->setenvstatus_t)->nelts; i++) {
+ if(strcmp(entry[i].key, code) == 0) {
+ char *var = apr_pstrdup(r->pool, entry[i].val);
+ char *value = strchr(var, '=');
+ if(value) {
+ // a value has been defined
+ value[0] = '\0';
+ value++;
+ } else {
+ if(strcmp(var, QS_BLOCK) == 0) {
+ // QS_Block optionally defines the weight for error codes
+ value = apr_pstrdup(r->pool, "1");
+ } else {
+ // by default, the value becomes the status code
+ value = code;
+ }
+ }
+ apr_table_set(r->subprocess_env, var, value);
+ }
+ }
+ if(dconf) {
+ entry = (apr_table_entry_t *)apr_table_elts(dconf->setenvstatus_t)->elts;
+ for(i = 0; i < apr_table_elts(dconf->setenvstatus_t)->nelts; i++) {
+ if(strcmp(entry[i].key, code) == 0) {
+ char *var = apr_pstrdup(r->pool, entry[i].val);
+ char *value = strchr(var, '=');
+ if(value) {
+ value[0] = '\0';
+ value++;
+ } else {
+ value = code;
+ }
+ apr_table_set(r->subprocess_env, var, value);
+ }
+ }
+ }
+}
+
+/**
+ * Returns the best matching server name (the configured ServerName,
+ * supporting ServerAlias directive or the value provided by the
+ * caller (usually the Host header)).
+ *
+ * @param r
+ * @param server_hostname Host name the client expects (Host header) <host>[:<port>]
+ * @param match Indicates if the provide name matches the ServerName/ServerAlias
+ * @return hostname
+ */
+static char *qos_server_alias(request_rec *r, const char *server_hostname, int *match) {
+ char *server = apr_pstrdup(r->pool, r->server->server_hostname); // default (hostname, no port)
+ *match = 0;
+ if(server_hostname) {
+ const char *search = server_hostname;
+ char *port = strchr(search, ':');
+ if(port) {
+ // without the port
+ search = apr_pstrndup(r->pool, search, port - search);
+ }
+ if(strcasecmp(search, r->server->server_hostname) == 0) {
+ /* match ServerName */
+ // we already did: server = apr_pstrdup(r->pool, r->server->server_hostname);
+ *match = 1;
+ } else if(r->server->names) {
+ int i;
+ apr_array_header_t *names = r->server->names;
+ char **name = (char **)names->elts;
+ for(i = 0; i < names->nelts; ++i) {
+ if(!name[i]) continue;
+ if(strcasecmp(search, name[i]) == 0) {
+ /* match ServerAlias */
+ server = apr_pstrdup(r->pool, name[i]);
+ *match = 1;
+ }
+ }
+ } else if(r->server->wild_names) {
+ int i;
+ apr_array_header_t *names = r->server->wild_names;
+ char **name = (char **)names->elts;
+ for(i = 0; i < names->nelts; ++i) {
+ if(!name[i]) continue;
+ if(!ap_strcasecmp_match(search, name[i])) {
+ /* match ServerAlias using wildcards */
+ server = apr_pstrdup(r->pool, search);
+ *match = 1;
+ }
+ }
+ }
+ }
+ return server;
+}
+
+/**
+ * Returns the url to this server, e.g. https://server1 or http://server1:8080
+ * used for redirects.
+ *
+ * @param r
+ * @return schema/hostname
+ */
+static char *qos_this_host(request_rec *r) {
+ const char *hostport = apr_table_get(r->headers_in, "Host");
+ int port = 0;
+ int ssl = 0;
+ int default_port;
+ const char *server_hostname = r->server->server_hostname;
+ if(qos_is_https) {
+ ssl = qos_is_https(r->connection);
+ }
+ if(hostport) {
+ char *p;
+ int match;
+ hostport = apr_pstrdup(r->pool, hostport);
+ if((p = strchr(hostport, ':')) != NULL) {
+ p[0] = '\0';
+ p++;
+ port = atoi(p);
+ }
+ server_hostname = qos_server_alias(r, hostport, &match);
+ }
+ if(port == 0) {
+ // pref. vhost
+ port = r->server->addrs->host_port;
+ }
+ if(port == 0) {
+ // main srv
+ port = r->server->port;
+ }
+ default_port = ssl ? 443 : 80;
+ if(port == default_port) {
+ return apr_psprintf(r->pool, "%s%s",
+ ssl ? "https://" : "http://",
+ server_hostname);
+ }
+ return apr_psprintf(r->pool, "%s%s:%d",
+ ssl ? "https://" : "http://",
+ server_hostname,
+ port);
+}
+
+/**
+ * Enables mod_parp if mod_qos requires access to the request body.
+ * @param r
+ */
+static void qos_enable_parp(request_rec *r) {
+ const char *ct = apr_table_get(r->headers_in, "Content-Type");
+ if(ct) {
+ if(ap_strcasestr(ct, "application/x-www-form-urlencoded") ||
+ ap_strcasestr(ct, "multipart/form-data") ||
+ ap_strcasestr(ct, "multipart/mixed") ||
+ ap_strcasestr(ct, "application/json")) {
+ apr_table_set(r->subprocess_env, "parp", "mod_qos");
+ }
+ }
+}
+
+/**
+ * Generic request validation / sanity check:
+ * We ensure to have at least a valid, decoded request uri received.
+ * (no further uri validation required in your code)
+ * @param r
+ * @param sconf
+ * @return HTTP_BAD_REQUEST for requests which may not be processed by mod_qos, otherwise
+ * APR_SUCCESS
+ */
+static apr_status_t qos_request_check(request_rec *r, qos_srv_config *sconf) {
+ if((r->unparsed_uri == NULL) || (r->parsed_uri.path == NULL)) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(045)"access denied, invalid request line:"
+ " can't parse uri, c=%s, id=%s",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "045"));
+ QS_INC_EVENT(sconf, 45);
+ return HTTP_BAD_REQUEST;
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * QS_SetEnvIfParp (prr), enable parp
+ */
+static apr_status_t qos_parp_prr(request_rec *r, qos_srv_config *sconf) {
+ if(apr_table_elts(sconf->setenvifparp_t)->nelts > 0) {
+ qos_enable_parp(r);
+ }
+ return DECLINED;
+}
+
+/**
+ * QS_SetEnvIfQuery/QS_SetEnvIfParp
+ */
+static void qos_setenvif_ex(request_rec *r, const char *query, apr_table_t *table_setenvif) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(table_setenvif)->elts;
+ for(i = 0; i < apr_table_elts(table_setenvif)->nelts; i++) {
+ qos_setenvifquery_t *setenvif = (qos_setenvifquery_t *)entry[i].val;
+ char *name = setenvif->name;
+ ap_regmatch_t regm[AP_MAX_REG_MATCH];
+ if(ap_regexec(setenvif->preg, query, AP_MAX_REG_MATCH, regm, 0) == 0) {
+ if(name[0] == '!') {
+ apr_table_unset(r->subprocess_env, &name[1]);
+ } else {
+ char *replaced = "";
+ if(setenvif->value) {
+ replaced = ap_pregsub(r->pool, setenvif->value, query, AP_MAX_REG_MATCH, regm);
+ }
+ apr_table_set(r->subprocess_env, name, replaced);
+ }
+ }
+ }
+}
+
+/**
+ * Process body events (QS_SetEnvIfBody) and sets the r->subprocess_env variables
+ * @param r
+ * @param sconf
+ */
+static void qos_parp_hp_body(request_rec *r, qos_srv_config *sconf) {
+ apr_size_t len;
+ const char *data = qos_parp_body_data_fn(r, &len);
+ if(data && (len > 0)) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(sconf->setenvifparpbody_t)->elts;
+#if (AP_SERVER_MINORVERSION_NUMBER < 4) && defined QS_INTERNAL_TEST
+ // Apache 2.2 is no longer supported (test only)
+ char *tmpData = apr_palloc(r->pool, len + 1);
+ memcpy(tmpData, data, len);
+ tmpData[len] = '\0';
+ data = (const char *)tmpData;
+#endif
+ for(i = 0; i < apr_table_elts(sconf->setenvifparpbody_t)->nelts; i++) {
+ qos_setenvifparpbody_t *setenvif = (qos_setenvifparpbody_t *)entry[i].val;
+ ap_regmatch_t regm[AP_MAX_REG_MATCH];
+#if (AP_SERVER_MINORVERSION_NUMBER < 4) && defined QS_INTERNAL_TEST
+ if(ap_regexec(setenvif->pregx, data, AP_MAX_REG_MATCH, regm, 0) == 0) { // won't work for null chars!
+#else
+ if(ap_regexec_len(setenvif->pregx, data, len, AP_MAX_REG_MATCH, regm, 0) == 0) {
+#endif
+ char *name = setenvif->name;
+ if(name[0] == '!') {
+ apr_table_unset(r->subprocess_env, &name[1]);
+ } else {
+ char *value = apr_pstrdup(r->pool, setenvif->value);
+ char *p = strstr(value, "$1");
+ if(p) {
+ char *c = apr_pstrndup(r->pool, &data[regm[0].rm_so], regm[0].rm_eo - regm[0].rm_so);
+ if(ap_regexec(setenvif->pregx, c, AP_MAX_REG_MATCH, regm, 0) == 0) {
+ value = ap_pregsub(r->pool, value, c, AP_MAX_REG_MATCH, regm);
+ }
+ }
+ apr_table_set(r->subprocess_env, name, value != NULL ? value : "");
+ }
+ }
+ }
+ }
+}
+
+/**
+ * Setting events based on request payload (query), QS_SetEnvIfParp (hp)
+ * @param r
+ * @param sconf
+ */
+static void qos_parp_hp(request_rec *r, qos_srv_config *sconf) {
+ const char *query = apr_table_get(r->notes, QS_PARP_Q);
+ if((query == NULL) && qos_parp_hp_table_fn) {
+ apr_table_t *tl = qos_parp_hp_table_fn(r);
+ if(tl) {
+ if(apr_table_elts(tl)->nelts > 0) {
+ query = qos_parp_query(r, tl, NULL);
+ if(query) {
+ apr_table_setn(r->notes, apr_pstrdup(r->pool, QS_PARP_Q), query);
+ }
+ }
+ } else {
+ /* no table provided by mod_parp (unsupported content type?),
+ use query string if available */
+ if(r->parsed_uri.query) {
+ query = r->parsed_uri.query;
+ }
+ }
+ }
+ if(query) {
+ qos_setenvif_ex(r, query, sconf->setenvifparp_t);
+ }
+}
+
+/**
+ * Replaces ${var} by the value in var
+ * @param p Pool for memory allocation
+ * @param vars Available variables to lookup
+ * @param string String to replace variables
+ * @return 1 on success or 0 if string still contains "${"
+ */
+static int qos_reslove_variable(apr_pool_t *p, apr_table_t *vars, char **string) {
+ int i;
+ int start;
+ int line_end;
+ char *var_name;
+ char *new_line = *string;
+ char *line = *string;
+ const char *val;
+
+ once_again:
+ i = 0;
+ while(line[i] != 0) {
+ if((line[i] == '$') && (line[i+1] == '{')) {
+ line_end = i;
+ i=i+2;
+ start = i;
+ while((line[i] != 0) && (line[i] != '}')) {
+ i++;
+ }
+ if(line[i] != '}') {
+ /* no end found */
+ break;
+ } else {
+ var_name = apr_pstrndup(p, &line[start], i - start);
+ val = apr_table_get(vars, var_name);
+ if(val) {
+ line[line_end] = 0;
+ i++;
+ new_line = apr_pstrcat(p, line, val, &line[i], NULL);
+ line = new_line;
+ goto once_again;
+ }
+ }
+ }
+ i++;
+ }
+ if(!new_line[0] || strstr(new_line, "${")) {
+ return 0;
+ }
+ *string = new_line;
+ return 1;
+}
+
+/**
+ * QS_SetEnvIfQuery (hp)
+ * @param r
+ * @param sconf
+ * @param dconf
+ */
+static void qos_setenvifquery(request_rec *r, qos_srv_config *sconf, qos_dir_config *dconf) {
+ qos_setenvif_ex(r, r->parsed_uri.query, sconf->setenvifquery_t);
+ qos_setenvif_ex(r, r->parsed_uri.query, dconf->setenvifquery_t);
+}
+
+/**
+ * QS_SetEnv
+ * @param r
+ * @param sconf
+ */
+static void qos_setenv(request_rec *r, qos_srv_config *sconf) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(sconf->setenv_t)->elts;
+ for(i = 0; i < apr_table_elts(sconf->setenv_t)->nelts; i++) {
+ char *variable = entry[i].val;
+ char *value = apr_pstrdup(r->pool, strchr(entry[i].key, '='));
+ value++;
+ if(qos_reslove_variable(r->pool, r->subprocess_env, &value)) {
+ apr_table_set(r->subprocess_env, variable, value);
+ }
+ }
+}
+
+/**
+ * QS_SetReqHeader
+ * @param r
+ * @param header_t
+ */
+static void qos_setreqheader(request_rec *r, apr_table_t *header_t) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(header_t)->elts;
+ for(i = 0; i < apr_table_elts(header_t)->nelts; i++) {
+ char *header = entry[i].val;
+ char *variable = apr_pstrdup(r->pool, strchr(entry[i].key, '='));
+ const char *val;
+ variable++;
+ val = apr_table_get(r->subprocess_env, variable);
+ if(val) {
+ if(header[0] == '!') {
+ apr_table_unset(r->headers_in, &header[1]);
+ } else {
+ apr_table_set(r->headers_in, header, val);
+ }
+ }
+ }
+}
+
+/**
+ * QS_SetEnvIf (hp and logger)
+ * @param r
+ * @param setenvif_t
+ */
+static void qos_setenvif(request_rec *r, apr_array_header_t *setenvif_t) {
+ int i;
+ qos_setenvif_t *entries = (qos_setenvif_t *)setenvif_t->elts;
+ for(i = 0; i < setenvif_t->nelts; i++) {
+ qos_setenvif_t *setenvif = &entries[i];
+ if(setenvif->preg == NULL) {
+ // mode 1 (boolean AND operator)
+ if((setenvif->variable1[0] == '!') && (setenvif->variable2[0] == '!')) {
+ if(!apr_table_get(r->subprocess_env, &setenvif->variable1[1]) &&
+ !apr_table_get(r->subprocess_env, &setenvif->variable2[1])) {
+ if(setenvif->name[0] == '!') {
+ apr_table_unset(r->subprocess_env, &setenvif->name[1]);
+ } else {
+ apr_table_set(r->subprocess_env, setenvif->name, setenvif->value);
+ }
+ }
+ } else if(setenvif->variable1[0] == '!') {
+ if(!apr_table_get(r->subprocess_env, &setenvif->variable1[1]) &&
+ apr_table_get(r->subprocess_env, setenvif->variable2)) {
+ if(setenvif->name[0] == '!') {
+ apr_table_unset(r->subprocess_env, &setenvif->name[1]);
+ } else {
+ apr_table_set(r->subprocess_env, setenvif->name, setenvif->value);
+ }
+ }
+ } else if(setenvif->variable2[0] == '!') {
+ if(apr_table_get(r->subprocess_env, setenvif->variable1) &&
+ !apr_table_get(r->subprocess_env, &setenvif->variable2[1])) {
+ if(setenvif->name[0] == '!') {
+ apr_table_unset(r->subprocess_env, &setenvif->name[1]);
+ } else {
+ apr_table_set(r->subprocess_env, setenvif->name, setenvif->value);
+ }
+ }
+ } else {
+ if(apr_table_get(r->subprocess_env, setenvif->variable1) &&
+ apr_table_get(r->subprocess_env, setenvif->variable2)) {
+ if(setenvif->name[0] == '!') {
+ apr_table_unset(r->subprocess_env, &setenvif->name[1]);
+ } else {
+ apr_table_set(r->subprocess_env, setenvif->name, setenvif->value);
+ }
+ }
+ }
+ } else {
+ // mode 2 (pattern match)
+ const char *value = apr_table_get(r->subprocess_env, setenvif->variable1);
+ if(value) {
+ ap_regmatch_t regm[AP_MAX_REG_MATCH];
+ if(ap_regexec(setenvif->preg, value, AP_MAX_REG_MATCH, regm, 0) == 0) {
+ if(setenvif->name[0] == '!') {
+ apr_table_unset(r->subprocess_env, &setenvif->name[1]);
+ } else {
+ char *replaced = ap_pregsub(r->pool, setenvif->value, value, AP_MAX_REG_MATCH, regm);
+ apr_table_set(r->subprocess_env, setenvif->name, replaced);
+ }
+ }
+ }
+ }
+ }
+}
+
+/**
+ * QS_RequestHeaderFilter enforcement
+ * @param r
+ * @param sconf
+ * @parm dconf
+ * @return
+ */
+static int qos_hp_header_filter(request_rec *r, qos_srv_config *sconf, qos_dir_config *dconf) {
+ qs_headerfilter_mode_e mode = sconf->headerfilter;
+ if(dconf->headerfilter > QS_HEADERFILTER_OFF_DEFAULT) {
+ // overrides server configuration
+ mode = dconf->headerfilter;
+ }
+ if(mode > QS_HEADERFILTER_OFF) {
+ apr_status_t rv = qos_header_filter(r, sconf, r->headers_in, "request",
+ sconf->hfilter_table, mode);
+ if(rv != APR_SUCCESS) {
+ int rc;
+ const char *error_page = sconf->error_page;
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return rv;
+ }
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * Dynamic keep alive.
+ * Creates a copy of the server_rec and adjusts the keep-aliva settings
+ * for this request.
+ *
+ * @param r
+ * @param sconf
+ */
+static void qos_keepalive(request_rec *r, qos_srv_config *sconf) {
+ if(r->subprocess_env) {
+ const char *vtmo = apr_table_get(r->subprocess_env, QS_KEEPALIVE);
+ const char *vmax = apr_table_get(r->subprocess_env, QS_MAXKEEPALIVEREQ);
+ int ka = -1; // keep alive timeout
+ int km = -1; // max keep alive requests
+ if(vtmo) {
+ ka = atoi(vtmo);
+ if(ka == 0 && vtmo[0] != '0') {
+ ka = -1;
+ }
+ }
+ if(vmax) {
+ km = atoi(vmax);
+ if(km == 0 && vmax[0] != '0') {
+ km = -1;
+ }
+ }
+ if(ka >= 0 || km >= 0) {
+ qs_req_ctx *rctx = qos_rctx_config_get(r);
+ if(m_event_mpm) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+ QOS_LOG_PFX(037)"loaded MPM is 'event'"
+ " and the QS_KeepAliveTimeout/QS_MaxKeepAliveRequests"
+ " directives can't be used.");
+ QS_INC_EVENT(sconf, 37);
+ return;
+ }
+ if(QS_ISDEBUG(r->server)) {
+ int kaorig = apr_time_sec(r->server->keep_alive_timeout);
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ QOS_LOGD_PFX"set keepalive timeout to %d seconds and max"
+ " keepalive requests to %d%s, id=%s",
+ ka >= 0 ? ka : kaorig,
+ km >= 0 ? km : r->server->keep_alive_max,
+ sconf->log_only ? " (log only)" : "",
+ qos_unique_id(r, NULL));
+ }
+ /* copy the server record (I know......., but this works) */
+ if(!rctx->evmsg || !strstr(rctx->evmsg, "T;")) {
+ /* copy it only once (@hp or @out-filter) */
+ if(!sconf->log_only) {
+ server_rec *sr = apr_pcalloc(r->connection->pool, sizeof(server_rec));
+ server_rec *sc = apr_pcalloc(r->connection->pool, sizeof(server_rec));
+ memcpy(sr, r->server, sizeof(server_rec));
+ memcpy(sc, r->connection->base_server, sizeof(server_rec));
+ r->server = sr;
+ r->connection->base_server = sc;
+ }
+ qs_set_evmsg(r, "T;");
+ }
+ if(!sconf->log_only) {
+ if(ka >= 0) {
+ apr_interval_time_t kat = apr_time_from_sec(ka);
+ r->server->keep_alive_timeout = kat;
+ r->connection->base_server->keep_alive_timeout = kat;
+ }
+ if(km >= 0) {
+ r->server->keep_alive_max = km;
+ r->connection->base_server->keep_alive_max = km;
+ }
+ }
+ }
+ }
+}
+
+/**
+ * QS_EventPerSecLimit
+ */
+static void qos_lg_event_update(request_rec *r, apr_time_t *t) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ qs_actable_t *act = sconf->act;
+ if(act->has_events && (apr_table_get(r->notes, QS_R012_ALREADY_BLOCKED) == NULL)) {
+ apr_time_t now = apr_time_sec(r->request_time);
+ qs_acentry_t *actEntry = act->entry;
+ *t = now;
+ if(actEntry) {
+ apr_global_mutex_lock(act->lock); /* @CRT13 */
+ while(actEntry) {
+ if(actEntry->event) {
+ if(((actEntry->event[0] != '!') && apr_table_get(r->subprocess_env, actEntry->event)) ||
+ ((actEntry->event[0] == '!') && !apr_table_get(r->subprocess_env, &actEntry->event[1]))) {
+ if(actEntry->req < LONG_MAX) {
+ actEntry->req++;
+ }
+ if(now > (actEntry->interval + QS_BW_SAMPLING_RATE)) {
+ if(actEntry->req_per_sec_limit) {
+ /* QS_EventPerSecLimit */
+ actEntry->req_per_sec = actEntry->req / (now - actEntry->interval);
+ actEntry->req = 0;
+ actEntry->interval = now;
+ qos_cal_req_sec(sconf, r, actEntry);
+ }
+ }
+ }
+ }
+ actEntry = actEntry->next;
+ }
+ apr_global_mutex_unlock(act->lock); /* @CRT13 */
+ }
+ }
+}
+
+/**
+ * QS_EventLimitCount, propagte variable
+ */
+static void qos_pr_event_limit(request_rec *r, qos_srv_config *sconf) {
+ qs_actable_t *act = sconf->act;
+ if(act->event_entry && (sconf->event_limit_a->nelts > 0)) {
+ int i;
+ qos_event_limit_entry_t *entry = act->event_entry;
+ apr_time_t now = apr_time_sec(r->request_time);
+ apr_global_mutex_lock(act->lock); /* @CRT46 */
+ for(i = 0; i < sconf->event_limit_a->nelts; i++) {
+ if(entry->action == QS_EVENT_ACTION_DENY) {
+ // propagte to environment (previous value)
+ if(entry->limitTime + entry->seconds >= now) {
+ apr_table_set(r->subprocess_env,
+ apr_pstrcat(r->pool, entry->env_var, QS_COUNTER_SUFFIX, NULL),
+ apr_psprintf(r->pool, "%d", entry->limit));
+ }
+ }
+ // next rule
+ entry++;
+ }
+ apr_global_mutex_unlock(act->lock); /* @CRT46 */
+ }
+}
+
+/**
+ * QS_EventLimitCount, detect and enforce
+ */
+static int qos_hp_event_limit(request_rec *r, qos_srv_config *sconf) {
+ apr_status_t rv = DECLINED;
+ qs_actable_t *act = sconf->act;
+ if(act->event_entry) {
+ apr_time_t now = apr_time_sec(r->request_time);
+ int i;
+ qos_event_limit_entry_t *entry = act->event_entry;
+ apr_global_mutex_lock(act->lock); /* @CRT41 */
+ for(i = 0; i < sconf->event_limit_a->nelts; i++) {
+ if(entry->action == QS_EVENT_ACTION_DENY) {
+ if(apr_table_get(r->subprocess_env, entry->env_var) != NULL) {
+ char *eventLimitId = apr_pstrcat(r->pool, QS_R013_ALREADY_BLOCKED, entry->env_var, NULL);
+ apr_table_set(r->notes, eventLimitId, "");
+ // reset required (expired)?
+ if(entry->limitTime + entry->seconds < now) {
+ entry->limit = 0;
+ entry->limitTime = 0;
+ }
+ /* increment limit event */
+ if(entry->limit < INT_MAX) {
+ entry->limit++;
+ }
+ if(entry->limit == 1) {
+ /* ... and start timer */
+ entry->limitTime = now;
+ }
+ // check limit
+ if(entry->limit > entry->max) {
+ int block = 1;
+ char *conditional = "";
+ if(entry->condStr != NULL) {
+ // conditional enforcement...
+ const char *condition = apr_table_get(r->subprocess_env, QS_COND);
+ conditional = apr_pstrdup(r->pool, "Cond");
+ if(condition == NULL) {
+ block = 0; // variable not set
+ } else {
+ if(ap_regexec(entry->preg, condition, 0, NULL, 0) != 0) {
+ block = 0; // pattern does not match
+ }
+ }
+ }
+ if(block) {
+ rv = m_retcode;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(013)"access denied%s,"
+ " QS_%sEventLimitCount rule: %s,"
+ " max=%d, current=%d,"
+ " c=%s, id=%s",
+ sconf->log_only ? " (log only)" : "",
+ conditional,
+ entry->env_var, entry->max, entry->limit,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "013"));
+ QS_INC_EVENT_LOCKED(sconf, 13);
+ }
+ }
+ }
+ // propagte to environment (current)
+ apr_table_set(r->subprocess_env,
+ apr_pstrcat(r->pool, entry->env_var, QS_COUNTER_SUFFIX, NULL),
+ apr_psprintf(r->pool, "%d", entry->limit));
+ }
+ // next rule
+ entry++;
+ }
+ apr_global_mutex_unlock(act->lock); /* @CRT41 */
+ }
+ if(rv != DECLINED) {
+ int rc;
+ const char *error_page = sconf->error_page;
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ rv = rc;
+ }
+ } else {
+ return DECLINED;
+ }
+ }
+ return rv;
+}
+
+/**
+ * QS_EventRequestLimit
+ */
+static int qos_hp_event_filter(request_rec *r, qos_srv_config *sconf) {
+ apr_status_t rv = DECLINED;
+ qs_req_ctx *rctx = qos_rctx_config_get(r);
+ qs_actable_t *act = sconf->act;
+ if(act->has_events) {
+ qs_acentry_t *actEntry = act->entry;
+ if(actEntry) {
+ apr_global_mutex_lock(act->lock); /* @CRT31 */
+ while(actEntry) {
+ if(actEntry->event && (actEntry->limit != -1)) {
+ const char *var = apr_table_get(r->subprocess_env, actEntry->event);
+ if(var) {
+ int match = 1;
+ if(actEntry->regex_var) {
+ if(ap_regexec(actEntry->regex_var, var, 0, NULL, 0) != 0) {
+ match = 0;
+ }
+ }
+ if(match) {
+ apr_table_addn(rctx->event_entries, actEntry->url, (char *)actEntry);
+ if(actEntry->counter < INT_MAX) {
+ actEntry->counter++;
+ }
+ if(actEntry->counter > actEntry->limit) {
+ rv = m_retcode;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(012)"access denied%s,"
+ " QS_EventRequestLimit rule: %s(%d),"
+ " concurrent requests=%d,"
+ " c=%s, id=%s",
+ sconf->log_only ? " (log only)" : "",
+ actEntry->url, actEntry->limit, actEntry->counter,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "012"));
+ apr_table_set(r->notes, QS_R012_ALREADY_BLOCKED, "");
+ QS_INC_EVENT_LOCKED(sconf, 12);
+ }
+ apr_table_add(r->subprocess_env,
+ apr_psprintf(r->pool, "QS_EventRequestLimit_%s_Counter", actEntry->event),
+ apr_psprintf(r->pool, "%d", actEntry->counter));
+ }
+ }
+ }
+ actEntry = actEntry->next;
+ }
+ apr_global_mutex_unlock(act->lock); /* @CRT31 */
+ }
+ }
+ if(rv != DECLINED) {
+ int rc;
+ const char *error_page = sconf->error_page;
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ rv = rc;
+ }
+ } else {
+ return DECLINED;
+ }
+ }
+ return rv;
+}
+
+static qs_conn_ctx *qos_get_cconf(conn_rec *connection) {
+ conn_rec *c = QS_CONN_MASTER(connection);
+ qs_conn_ctx *cconf = NULL;
+ qs_conn_base_ctx *base = qos_get_conn_base_ctx(c);
+ if(base) {
+ cconf = base->cconf;
+ }
+ return cconf;
+}
+
+static qs_conn_ctx *qos_create_cconf(conn_rec *connection, qos_srv_config *sconf) {
+ conn_rec *c = QS_CONN_MASTER(connection);
+ qs_conn_base_ctx *base = qos_get_conn_base_ctx(c);
+ qs_conn_ctx *cconf = apr_pcalloc(c->pool, sizeof(qs_conn_ctx));
+ cconf->mc = c;
+ cconf->ip6[0] = 0;
+ cconf->ip6[1] = 0;
+ cconf->evmsg = NULL;
+ cconf->sconf = sconf;
+ cconf->is_vip = 0;
+ cconf->set_vip_by_header = 0;
+ cconf->has_lowrate = 0;
+ apr_pool_pre_cleanup_register(c->pool, cconf, qos_cleanup_conn);
+ if(base == NULL) {
+ base = qos_create_conn_base_ctx(c, sconf);
+ }
+ base->cconf = cconf;
+ return cconf;
+}
+
+/*
+ * QS_SrvSerialize
+ */
+static void qos_hp_srv_serialize(request_rec *r, qos_srv_config *sconf,
+ qs_req_ctx * rctx) {
+ int loops = 0;
+ int locked = 0; // we got the lock for this request
+ if(!rctx) {
+ rctx = qos_rctx_config_get(r);
+ }
+ while(!locked) {
+ apr_global_mutex_lock(sconf->act->lock); /* @CRT44 */
+ if(sconf->act->serialize->locked == 0) {
+ // free!! check if we might get the lock for this request
+ if(sconf->act->serialize->q1 == 0) {
+ // yes: no other request waiting
+ locked = 1;
+ } else if(sconf->act->serialize->q1 == r->request_time) {
+ // yes: waiting for this request (we are the next in the queue)
+ locked = 1;
+ sconf->act->serialize->q1 = sconf->act->serialize->q2;
+ sconf->act->serialize->q2 = 0;
+ } else if(sconf->act->serialize->q1 > r->request_time) {
+ // yes: not yet in the queue but this request is waiting for a longer time
+ // keep the others in the queue
+ locked = 1;
+ } else if(sconf->act->serialize->q2 == 0 || sconf->act->serialize->q2 > r->request_time) {
+ // no: it's not yet our time... but take the second place in the queue
+ sconf->act->serialize->q2 = r->request_time;
+ }
+ } else {
+ // put this request into one of the queues if possible
+ if(sconf->act->serialize->q1 == 0) {
+ // no other request waiting
+ sconf->act->serialize->q1 = r->request_time;
+ } else if(sconf->act->serialize->q1 == r->request_time) {
+ // already next in the queue
+ } else if(sconf->act->serialize->q1 > r->request_time) {
+ // older request is waiting, take over
+ sconf->act->serialize->q2 = sconf->act->serialize->q1;
+ sconf->act->serialize->q1 = r->request_time;
+ } else if(sconf->act->serialize->q2 == 0) {
+ // no one in on the second place
+ sconf->act->serialize->q2 = r->request_time;
+ } else if(sconf->act->serialize->q2 == r->request_time) {
+ // already next in the queue
+ } else if(sconf->act->serialize->q2 > r->request_time) {
+ // older request is waiting in the second position, take over
+ sconf->act->serialize->q2 = r->request_time;
+ }
+ }
+ if(locked) {
+ sconf->act->serialize->locked = 1;
+ rctx->srv_serialize_set = 1;
+ }
+ apr_global_mutex_unlock(sconf->act->lock); /* @CRT44 */
+ if(!locked) {
+ /* sleep 50ms */
+ qs_set_evmsg(r, "s;");
+ if(sconf->log_only) {
+ return;
+ }
+ apr_sleep(50000);
+ }
+ if(loops >= sconf->serializeTMO) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, r,
+ QOS_LOG_PFX(068)"QS_SrvSerialize exceeds limit of %d seconds, "
+ "id=%s",
+ sconf->serializeTMO / 20,
+ qos_unique_id(r, "037"));
+ QS_INC_EVENT(sconf, 37);
+ /* remove this request from the queue resp. clear the queue
+ to avoid a deadlock */
+ apr_global_mutex_lock(sconf->act->lock); /* @CRT44.1 */
+ sconf->act->serialize->q2 = 0;
+ sconf->act->serialize->q1 = 0;
+ apr_global_mutex_unlock(sconf->act->lock); /* @CRT44.1 */
+ break;
+ }
+ loops++;
+ }
+}
+
+/*
+ * QS_ClientSerialize
+ */
+static void qos_hp_cc_serialize(request_rec *r, qos_srv_config *sconf, qs_req_ctx * rctx) {
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ if(!rctx) {
+ rctx = qos_rctx_config_get(r);
+ }
+ if(u && cconf) {
+ int loops = 0;
+ int locked = 0;
+ qos_s_entry_t searchE;
+ const char *forwardedForLogIP = qos_get_clientIP(r, sconf, cconf,
+ "hp", rctx->cc_serialize_ip);
+ searchE.ip6[0] = rctx->cc_serialize_ip[0];
+ searchE.ip6[1] = rctx->cc_serialize_ip[1];
+
+ /* wait until we get a lock */
+ while(!locked) {
+ qos_s_entry_t **clientEntry = NULL;
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT36 */
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, apr_time_sec(r->request_time));
+ if((*clientEntry)->serialize == 0) {
+ // free! check if this request is the next in the queue */
+ if(((*clientEntry)->serializeQueue == 0) || (r->request_time <= (*clientEntry)->serializeQueue)) {
+ (*clientEntry)->serialize = 1;
+ (*clientEntry)->serializeQueue = 0;
+ rctx->cc_serialize_set = 1;
+ locked = 1;
+ }
+ } else {
+ // put the request into the queue
+ if((*clientEntry)->serializeQueue == 0) {
+ // the only waiting req
+ (*clientEntry)->serializeQueue = r->request_time;
+ } else {
+ if((*clientEntry)->serializeQueue > r->request_time) {
+ // this request is waiting for a longer time
+ (*clientEntry)->serializeQueue = r->request_time;
+ }
+ }
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT36 */
+ if(!locked) {
+ /* sleep 100ms */
+ qs_set_evmsg(r, "s;");
+ if(sconf->log_only) {
+ return;
+ }
+ apr_sleep(100000);
+ }
+ // max wait time: 5 minutes
+ if(loops >= 3000) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, r,
+ QOS_LOG_PFX(068)"QS_ClientSerialize exceeds limit of 5 minutes, "
+ "c=%s, id=%s",
+ forwardedForLogIP == NULL ? "-" : forwardedForLogIP,
+ qos_unique_id(r, "068"));
+ QS_INC_EVENT(sconf, 68);
+ /* remove this request from the queue resp. clear the queue
+ to avoid a deadlock */
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT36.1 */
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, apr_time_sec(r->request_time));
+ (*clientEntry)->serializeQueue = 0;
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT36.1 */
+ break;
+ }
+ loops++;
+ }
+ }
+}
+
+/*
+ * QS_ClientEventRequestLimit
+ */
+static int qos_hp_cc_event_count(request_rec *r, qos_srv_config *sconf,
+ qs_req_ctx * rctx) {
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ if(!rctx) {
+ rctx = qos_rctx_config_get(r);
+ }
+ if(u && cconf &&
+ r->subprocess_env && apr_table_get(r->subprocess_env, "QS_EventRequest")) {
+ int vip = 0;
+ int count = 0;
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ const char *forwardedForLogIP = qos_get_clientIP(r, sconf, cconf,
+ "hp", rctx->cc_event_ip);
+
+ rctx->cc_event_req_set = 1;
+ searchE.ip6[0] = rctx->cc_event_ip[0];
+ searchE.ip6[1] = rctx->cc_event_ip[1];
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT33 */
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, apr_time_sec(r->request_time));
+ if((*clientEntry)->event_req < INT_MAX) {
+ (*clientEntry)->event_req++;
+ }
+ count = (*clientEntry)->event_req;
+ if((*clientEntry)->vip || rctx->is_vip) {
+ vip = 1;
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT33 */
+ if(vip) {
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, "yes");
+ }
+ if(count > sconf->qos_cc_event_req) {
+ if(vip) {
+ qs_set_evmsg(r, "S;");
+ } else {
+ int rc;
+ const char *error_page = sconf->error_page;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(065)"access denied%s,"
+ " QS_ClientEventRequestLimit rule:"
+ " max=%d, current=%d, c=%s, id=%s",
+ sconf->log_only ? " (log only)" : "",
+ sconf->qos_cc_event_req,
+ count,
+ forwardedForLogIP == NULL ? "-" :
+ forwardedForLogIP,
+ qos_unique_id(r, "065"));
+ QS_INC_EVENT(sconf, 65);
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return m_retcode;
+ }
+ }
+ }
+ }
+ return DECLINED;
+}
+
+/* QS_SetEnvIfCmp */
+static void qos_setenvifcmp(request_rec *r, apr_array_header_t *cmps) {
+ int i;
+ qos_cmp_entry_t *entries = (qos_cmp_entry_t *)cmps->elts;
+ for(i = 0; i < cmps->nelts; ++i) {
+ qos_cmp_entry_t *b = &entries[i];
+ const char *leftStr = apr_table_get(r->subprocess_env, b->left);
+ const char *rightStr = apr_table_get(r->subprocess_env, b->right);
+ if(leftStr != NULL && rightStr != NULL) {
+ int set = 0;
+ if(qos_isnum(leftStr) && qos_isnum(rightStr)) {
+ int left = atoi(leftStr);
+ int right = atoi(rightStr);
+ switch (b->cmp) {
+ case QS_CMP_EQ:
+ if(left == right) {
+ set = 1;
+ }
+ break;
+ case QS_CMP_NE:
+ if(left != right) {
+ set = 1;
+ }
+ break;
+ case QS_CMP_GT:
+ if(left > right) {
+ set = 1;
+ }
+ break;
+ case QS_CMP_LT:
+ if(left < right) {
+ set = 1;
+ }
+ break;
+ }
+ } else {
+ int c = strcasecmp(leftStr, rightStr);
+ switch (b->cmp) {
+ case QS_CMP_EQ:
+ if(c == 0) {
+ set = 1;
+ }
+ break;
+ case QS_CMP_NE:
+ if(c != 0) {
+ set = 1;
+ }
+ break;
+ case QS_CMP_GT:
+ if(c < 0) {
+ set = 1;
+ }
+ break;
+ case QS_CMP_LT:
+ if(c > 0) {
+ set = 1;
+ }
+ break;
+ }
+ }
+ if(set) {
+ if(b->variable[0] == '!') {
+ apr_table_unset(r->subprocess_env, &b->variable[1]);
+ } else {
+ apr_table_set(r->subprocess_env, b->variable, b->value);
+ }
+ }
+ }
+ }
+ return;
+}
+
+/*
+ * QS_EventPerSecLimit/QS_EventKBytesPerSecLimit
+ * returns the max req_per_sec_block_rate/kbytes_per_sec_limit and the event
+ * with the lowest kbytes_per_sec_limit.
+ */
+static qs_acentry_t *qos_hp_event_count(request_rec *r,
+ int *req_per_sec_block,
+ apr_off_t *kbytes_per_sec_limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ qs_actable_t *act = sconf->act;
+ qs_acentry_t *event_kbytes_limit = NULL;
+ *req_per_sec_block = 0;
+ *kbytes_per_sec_limit = 0;
+ if(act->has_events) {
+ qs_acentry_t *actEntry = act->entry;
+ if(actEntry) {
+ apr_global_mutex_lock(act->lock); /* @CRT12 */
+ while(actEntry) {
+ if(actEntry->event && (actEntry->limit == -1)) {
+ if(((actEntry->event[0] != '!') && apr_table_get(r->subprocess_env, actEntry->event)) ||
+ ((actEntry->event[0] == '!') && !apr_table_get(r->subprocess_env, &actEntry->event[1]))) {
+ if(actEntry->req_per_sec_limit) {
+ /* QS_EventPerSecLimit */
+ if(actEntry->req_per_sec_block_rate > *req_per_sec_block) {
+ *req_per_sec_block = actEntry->req_per_sec_block_rate;
+ }
+ } else {
+ /* QS_EventKBytesPerSecLimit */
+ if(actEntry->kbytes_per_sec_limit) {
+ if((*kbytes_per_sec_limit == 0) ||
+ (actEntry->kbytes_per_sec_limit < *kbytes_per_sec_limit)) {
+ *kbytes_per_sec_limit = actEntry->kbytes_per_sec_limit;
+ event_kbytes_limit = actEntry;
+ }
+ }
+ }
+ }
+ }
+ actEntry = actEntry->next;
+ }
+ apr_global_mutex_unlock(act->lock); /* @CRT12 */
+ }
+ }
+ return event_kbytes_limit;
+}
+
+static apr_size_t qos_packet_rate(qos_ifctx_t *inctx, apr_bucket_brigade *bb) {
+ apr_bucket *b;
+ apr_size_t total = 0;
+ for(b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb); b = APR_BUCKET_NEXT(b)) {
+ if(b->length) {
+ total = total + b->length;
+ }
+ }
+ return total;
+}
+
+/**
+ * start packet rate measure (if filter has not already been inserted)
+ */
+static void qos_pktrate_pc(conn_rec *connection, qos_srv_config *sconf) {
+ conn_rec *c = connection;
+ qos_ifctx_t *inctx = qos_get_ifctx(c->input_filters);
+ if(inctx == NULL) {
+ inctx = qos_create_ifctx(c, sconf);
+ ap_add_input_filter("qos-in-filter", inctx, NULL, c);
+ }
+ inctx->lowrate = 0;
+}
+
+/**
+ * timeout control at process connection handler
+ */
+static void qos_timeout_pc(conn_rec *connection, qos_srv_config *sconf) {
+ conn_rec *c = connection;
+ qos_ifctx_t *inctx = qos_get_ifctx(c->input_filters);
+ if(inctx) {
+ inctx->status = QS_CONN_STATE_HEAD;
+ inctx->time = time(NULL);
+ inctx->nbytes = 0;
+#if APR_HAS_THREADS
+ if(sconf->inctx_t && !sconf->inctx_t->exit && sconf->min_rate_off == 0) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT22 */
+ apr_table_setn(sconf->inctx_t->table,
+ QS_INCTX_ID,
+ (char *)inctx);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT22 */
+ }
+#endif
+ }
+}
+
+/**
+ * determines client behavior based on accessed content types
+ *
+ * @return 0=normal, -1=unknown (not enough data), >=1 abnormal
+ */
+static int qos_content_type(request_rec *r, qos_srv_config *sconf,
+ qos_s_t *s, qos_s_entry_t *e, int limit) {
+ int penalty = -1;
+ const char *ct = apr_table_get(r->headers_out, "Content-Type");
+ e->events++; // events counts requests and connections
+ if(r->status == 304) {
+ e->notmodified ++;
+ s->notmodified ++;
+ }
+ if(ct) {
+ if(ap_strcasestr(ct, "html")) {
+ e->events++; // learn faster if user requests HTML content (main pages)
+ e->html++;
+ s->html++;
+ goto end;
+ } else if(ap_strcasestr(ct, "image")) {
+ e->img++;
+ s->img++;
+ goto end;
+ } else if(ap_strcasestr(ct, "css")) {
+ e->cssjs++;
+ s->cssjs++;
+ goto end;
+ } else if(ap_strcasestr(ct, "javascript")) {
+ e->cssjs++;
+ s->cssjs++;
+ goto end;
+ }
+ }
+ e->other++;
+ s->other++;
+
+ end:
+ /* compare this client with other clients */
+ if(e->events > QOS_CC_BEHAVIOR_THR_SINGLE) {
+ penalty = 0;
+ if(limit &&
+ ((sconf->static_on == 1) ||
+ (s->html > QOS_CC_BEHAVIOR_THR && s->html && s->img && s->cssjs && s->other && s->notmodified))) {
+ int i;
+ unsigned int server[5];
+ unsigned int client[5];
+ // note: all e->* variables are initialized by "1" to avoid FPE
+ if(sconf->static_on == 1) {
+ /* use predefined value */
+ unsigned long e_all = e->html + e->img + e->cssjs + e->other + e->notmodified;
+ server[0] = sconf->static_html;
+ server[1] = sconf->static_cssjs;
+ server[2] = sconf->static_img;
+ server[3] = sconf->static_other;
+ server[4] = sconf->static_notmodified;
+ client[0] = 100 * e->html / e_all;
+ client[1] = 100 * e->cssjs / e_all;
+ client[2] = 100 * e->img / e_all;
+ client[3] = 100 * e->other / e_all;
+ client[4] = 100 * e->notmodified / e_all;
+ } else {
+ /* learn average */
+ unsigned long long s_all = s->html + s->img + s->cssjs + s->other + s->notmodified;
+ unsigned long e_all = e->html + e->img + e->cssjs + e->other + e->notmodified;
+ server[0] = 100 * s->html / s_all;
+ server[1] = 100 * s->cssjs / s_all;
+ server[2] = 100 * s->img / s_all;
+ server[3] = 100 * s->other / s_all;
+ server[4] = 100 * s->notmodified / s_all;
+ client[0] = 100 * e->html / e_all;
+ client[1] = 100 * e->cssjs / e_all;
+ client[2] = 100 * e->img / e_all;
+ client[3] = 100 * e->other / e_all;
+ client[4] = 100 * e->notmodified / e_all;
+ }
+ for(i = 0; i < 5; i++) {
+ if(client[i] > (server[i] + sconf->cc_tolerance)) {
+ penalty++;
+ } else {
+ if((server[i] > sconf->cc_tolerance) &&
+ (client[i] < (server[i] - sconf->cc_tolerance))) {
+ penalty++;
+ }
+ }
+ }
+ }
+ }
+ return penalty;
+}
+
+//static void qos_error_log(const char *file, int line, int level,
+// apr_status_t status, const server_rec *s,
+// const request_rec *r, apr_pool_t *pool,
+// const char *errstr) {
+// return;
+//}
+
+/**
+ * QS_EventLimitCount, detect/update only
+ */
+static void qos_logger_event_limit(request_rec *r, qos_srv_config *sconf) {
+ qs_actable_t *act = sconf->act;
+ if(act->event_entry && (sconf->event_limit_a->nelts > 0)) {
+ apr_time_t now = apr_time_sec(r->request_time);
+ int i;
+ qos_event_limit_entry_t *actEntry = act->event_entry;
+ apr_global_mutex_lock(act->lock); /* @CRT42 */
+ for(i = 0; i < sconf->event_limit_a->nelts; i++) {
+ if(actEntry->action == QS_EVENT_ACTION_DENY) {
+ int decEvent = get_qs_event(r, actEntry->eventDecStr);
+ if(decEvent > 0) {
+ if(decEvent >= actEntry->limit) {
+ actEntry->limit = 0;
+ actEntry->limitTime = 0;
+ } else {
+ actEntry->limit = actEntry->limit - decEvent;
+ }
+ }
+ if(apr_table_get(r->subprocess_env, actEntry->env_var) != NULL) {
+ // increment only once
+ char *eventLimitId = apr_pstrcat(r->pool, QS_R013_ALREADY_BLOCKED, actEntry->env_var, NULL);
+ if(apr_table_get(r->notes, eventLimitId) == NULL) {
+ // reset required (expired)?
+ if(actEntry->limitTime + actEntry->seconds < now) {
+ actEntry->limit = 0;
+ actEntry->limitTime = 0;
+ }
+ /* increment limit event */
+ if(actEntry->limit < INT_MAX) {
+ actEntry->limit++;
+ }
+ if(actEntry->limit == 1) {
+ /* ... and start timer */
+ actEntry->limitTime = now;
+ }
+ }
+ }
+ }
+ // next rule
+ actEntry++;
+ }
+ apr_global_mutex_unlock(act->lock); /* @CRT42 */
+ }
+}
+
+/**
+ * client control rules at log transaction
+ */
+static void qos_logger_cc(request_rec *r, qos_srv_config *sconf, qs_req_ctx *rctx) {
+ int lowrate = 0;
+ int unusual_behavior = -1;
+ int block_event = get_qs_event(r, QS_BLOCK);
+ const char *block_seen = apr_table_get(r->subprocess_env, QS_BLOCK_SEEN);
+ int block_dec = get_qs_event(r, QS_BLOCK_DEC);
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ apr_time_t now = apr_time_sec(r->request_time);
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t **clientEntryFromHdr = NULL; // client ip entry from header
+ qos_s_entry_t searchE;
+ qos_s_entry_t searchEFromHdr;
+
+ if(block_seen != NULL) {
+ block_event = 0;
+ }
+
+ if(sconf->qos_cc_prefer_limit || (sconf->req_rate != -1)) {
+ qos_ifctx_t *inctx = qos_get_ifctx(r->connection->input_filters);
+ if(inctx) {
+ if(inctx->lowrate > QS_PKT_RATE_TH) {
+ lowrate = inctx->lowrate;
+ }
+ if(inctx->lowrate != -1) {
+ inctx->lowrate = 0;
+ }
+ if(inctx->status > QS_CONN_STATE_NEW) {
+ inctx->r = NULL;
+ inctx->status = QS_CONN_STATE_KEEP;
+ }
+ if(inctx->shutdown) {
+ lowrate++;
+ inctx->shutdown = 0;
+ }
+ }
+ }
+
+ if(cconf) {
+ // works for real connections only (no HTTP/2)
+ searchE.ip6[0] = cconf->ip6[0];
+ searchE.ip6[1] = cconf->ip6[1];
+ } else {
+ // HTTP/2
+ apr_uint64_t ci6[2];
+ qos_ip_str2long(QS_CONN_REMOTEIP(r->connection), ci6);
+ searchE.ip6[0] = ci6[0];
+ searchE.ip6[1] = ci6[1];
+ }
+ qos_get_clientIP(r, sconf, cconf, "logger", searchEFromHdr.ip6);
+
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT19 */
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, apr_time_sec(r->request_time));
+ if(searchEFromHdr.ip6[0] == searchE.ip6[0] && searchEFromHdr.ip6[1] == searchE.ip6[1]) {
+ clientEntryFromHdr = clientEntry; // same as connection
+ } else {
+ clientEntryFromHdr = qos_cc_getOrSet(u->qos_cc, &searchEFromHdr, apr_time_sec(r->request_time));
+ }
+
+ if(rctx->cc_event_req_set) {
+ /* QS_ClientEventRequestLimit */
+ qos_s_entry_t **eEvent = NULL;
+ rctx->cc_event_req_set = 0;
+ if(rctx->cc_event_ip[0] == searchE.ip6[0] &&
+ rctx->cc_event_ip[1] == searchE.ip6[1]) {
+ // connection ip
+ eEvent = clientEntry;
+ } else if(rctx->cc_event_ip[0] == searchEFromHdr.ip6[0] &&
+ rctx->cc_event_ip[1] == searchEFromHdr.ip6[1]) {
+ // from header
+ eEvent = clientEntryFromHdr;
+ } else {
+ // looks like the header has changed or is no longer available
+ qos_s_entry_t searchEvent;
+ searchEvent.ip6[0] = rctx->cc_event_ip[0];
+ searchEvent.ip6[1] = rctx->cc_event_ip[1];
+ eEvent = qos_cc_get0(u->qos_cc, &searchEvent, apr_time_sec(r->request_time));
+ }
+ if(eEvent) {
+ if((*eEvent)->event_req > 0) {
+ (*eEvent)->event_req--;
+ }
+ }
+ }
+
+ if(rctx->cc_serialize_set) {
+ /* QS_ClientSerialize */
+ qos_s_entry_t **eSerialize = NULL;
+ rctx->cc_serialize_set = 0;
+ if(rctx->cc_serialize_ip[0] == searchE.ip6[0] &&
+ rctx->cc_serialize_ip[1] == searchE.ip6[1]) {
+ // connection ip
+ eSerialize = clientEntry;
+ } else if(rctx->cc_serialize_ip[0] == searchEFromHdr.ip6[0] &&
+ rctx->cc_serialize_ip[1] == searchEFromHdr.ip6[1]) {
+ // from header
+ eSerialize = clientEntryFromHdr;
+ } else {
+ // looks like the header has changed or is no longer available
+ qos_s_entry_t searchSerialize;
+ searchSerialize.ip6[0] = rctx->cc_serialize_ip[0];
+ searchSerialize.ip6[1] = rctx->cc_serialize_ip[1];
+ eSerialize = qos_cc_get0(u->qos_cc, &searchSerialize, apr_time_sec(r->request_time));
+ }
+ if(eSerialize) {
+ (*eSerialize)->serialize = 0;
+ }
+ }
+
+ if(sconf->qos_cc_prefer) {
+ // QS_ClientPrefer is not enabled
+ unusual_behavior = qos_content_type(r, sconf, u->qos_cc, *clientEntry, sconf->qos_cc_prefer_limit);
+ if(unusual_behavior == 0) {
+ // normal behavior
+ (*clientEntry)->lowratestatus |= QOS_LOW_FLAG_BEHAVIOR_OK;
+ (*clientEntry)->lowratestatus &= ~QOS_LOW_FLAG_BEHAVIOR_BAD;
+ } else {
+ // unknown or bad behavior
+ (*clientEntry)->lowratestatus &= ~QOS_LOW_FLAG_BEHAVIOR_OK;
+ }
+ }
+
+ if(block_event || block_dec || lowrate || (unusual_behavior > 0)) {
+ if(((*clientEntry)->blockTime + sconf->qos_cc_blockTime) < now) {
+ /* reset expired events */
+ if((*clientEntry)->blockMsg > QS_LOG_REPEAT) {
+ // write remaining log lines
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r->connection->base_server,
+ QOS_LOG_PFX(060)"access denied (previously), "
+ "QS_ClientEventBlockCount rule: "
+ "max=%d, current=%hu, "
+ "message repeated %d times, "
+ "c=%s",
+ sconf->qos_cc_block,
+ (*clientEntry)->block,
+ (*clientEntry)->blockMsg % QS_LOG_REPEAT,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" :
+ QS_CONN_REMOTEIP(r->connection)/*no id here, this r is okay*/);
+ QS_INC_EVENT_LOCKED(sconf, 60);
+ (*clientEntry)->blockMsg = 0;
+ }
+ (*clientEntry)->block = 0;
+ (*clientEntry)->blockTime = 0;
+ }
+ /* mark lowpkt client */
+ if(lowrate || (unusual_behavior > 0)) {
+ (*clientEntry)->lowrate = apr_time_sec(r->request_time);
+ if(lowrate) {
+ (*clientEntry)->lowratestatus |= QOS_LOW_FLAG_PKGRATE;
+ }
+ if(unusual_behavior > 1) {
+ (*clientEntry)->lowratestatus |= QOS_LOW_FLAG_BEHAVIOR_BAD;
+ (*clientEntry)->lowratestatus &= ~QOS_LOW_FLAG_BEHAVIOR_OK;
+ }
+ qs_set_evmsg(r, "r;");
+ }
+ if(block_dec > 0) {
+ if(block_dec >= (*clientEntry)->block) {
+ (*clientEntry)->block = 0;
+ (*clientEntry)->blockTime = 0;
+ } else {
+ (*clientEntry)->block = (*clientEntry)->block - block_dec;
+ }
+ }
+ if(block_event) {
+ int newValue = (*clientEntry)->block + block_event;
+ if((*clientEntry)->block == 0) {
+ /* start timer */
+ (*clientEntry)->blockTime = now;
+ }
+ /* ...and increment/increase block event counter */
+ (*clientEntry)->block = newValue > USHRT_MAX ? USHRT_MAX : newValue;
+ }
+ } else if((*clientEntry)->lowrate) {
+ /* reset low prio client after 24h (resp. QOS_LOW_TIMEOUT seconds) */
+ if(((*clientEntry)->lowrate + QOS_LOW_TIMEOUT) < now) {
+ (*clientEntry)->lowrate = 0;
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_BEHAVIOR_OK) {
+ (*clientEntry)->lowratestatus = QOS_LOW_FLAG_BEHAVIOR_OK;
+ } else {
+ (*clientEntry)->lowratestatus = 0;
+ }
+ }
+ }
+
+ /* QS_Limit* */
+ if(u->qos_cc->limitTable) {
+ int limitTableIndex;
+ apr_table_entry_t *limitTableEntry = (apr_table_entry_t *)apr_table_elts(u->qos_cc->limitTable)->elts;
+ for(limitTableIndex = 0;
+ limitTableIndex < apr_table_elts(u->qos_cc->limitTable)->nelts;
+ limitTableIndex++) {
+ int eventSet = 0;
+ const char *eventName = limitTableEntry[limitTableIndex].key;
+ qos_s_entry_limit_conf_t *eventLimitConf = (qos_s_entry_limit_conf_t *)limitTableEntry[limitTableIndex].val;
+ const char *clearEvent = apr_table_get(r->subprocess_env, eventLimitConf->eventClearStr);
+ int decEvent = get_qs_event(r, eventLimitConf->eventDecStr);
+
+ /*
+ * reset expired events, clear event counter, decrement event counter
+ */
+ if(clearEvent ||
+ (((*clientEntryFromHdr)->limit[limitTableIndex].limitTime + eventLimitConf->limitTime) < now)) {
+ (*clientEntryFromHdr)->limit[limitTableIndex].limit = 0;
+ (*clientEntryFromHdr)->limit[limitTableIndex].limitTime = 0;
+ }
+ if(decEvent > 0) {
+ if(decEvent >= (*clientEntryFromHdr)->limit[limitTableIndex].limit) {
+ (*clientEntryFromHdr)->limit[limitTableIndex].limit = 0;
+ (*clientEntryFromHdr)->limit[limitTableIndex].limitTime = 0;
+ } else {
+ (*clientEntryFromHdr)->limit[limitTableIndex].limit = (*clientEntryFromHdr)->limit[limitTableIndex].limit - decEvent;
+ }
+ }
+
+ /*
+ * check for new events
+ */
+ eventSet = get_qs_event(r, eventName);
+ if(eventSet) {
+ char *seenEvent;
+ if(strcasecmp(eventName, QS_LIMIT_DEFAULT) == 0) {
+ // backward compat/event forwarding
+ seenEvent = apr_pstrcat(r->pool, QS_LIMIT_SEEN, NULL);
+ } else {
+ seenEvent = apr_pstrcat(r->pool, QS_LIMIT_SEEN, eventName, NULL);
+ }
+ if(apr_table_get(r->subprocess_env, seenEvent) == NULL) {
+ int newValue = (*clientEntryFromHdr)->limit[limitTableIndex].limit + eventSet;
+ /* only once per request */
+ apr_table_set(r->subprocess_env, seenEvent, "");
+ if((*clientEntryFromHdr)->limit[limitTableIndex].limit == 0) {
+ /* start timer... */
+ (*clientEntryFromHdr)->limit[limitTableIndex].limitTime = now;
+ }
+ /* ... and increase limit event */
+ (*clientEntryFromHdr)->limit[limitTableIndex].limit = newValue > USHRT_MAX ? USHRT_MAX : newValue;
+ }
+ }
+ }
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT19 */
+ if(block_event) {
+ /* only once per request */
+ apr_table_set(r->subprocess_env, QS_BLOCK_SEEN, "");
+ apr_table_set(r->connection->notes, QS_BLOCK_SEEN, "");
+ }
+}
+
+/**
+ * client control rules at header parser
+ */
+static int qos_hp_cc(request_rec *r, qos_srv_config *sconf, char **msg, char **uid) {
+ int ret = DECLINED;
+ if(sconf->has_qos_cc) {
+ int req_per_sec_block_rate = 0;
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t **clientEntryFromHdr = NULL;
+ qos_s_entry_t searchE;
+ qos_s_entry_t searchEFromHdr;
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ const char *forwardedForLogIP = QS_CONN_REMOTEIP(r->connection);
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ int excludeFromBlock = qos_is_excluded_ip(r->connection, sconf->cc_exclude_ip);
+ if(cconf) {
+ searchE.ip6[0] = cconf->ip6[0];
+ searchE.ip6[1] = cconf->ip6[1];
+ } else {
+ // HTTP/2
+ apr_uint64_t ci6[2];
+ qos_ip_str2long(QS_CONN_REMOTEIP(r->connection), ci6);
+ searchE.ip6[0] = ci6[0];
+ searchE.ip6[1] = ci6[1];
+ }
+
+ forwardedForLogIP = qos_get_clientIP(r, sconf, cconf, "hp",
+ searchEFromHdr.ip6);
+
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT17 */
+ clientEntry = qos_cc_get0(u->qos_cc, &searchE, apr_time_sec(r->request_time));
+ if(!clientEntry) {
+ clientEntry = qos_cc_set(u->qos_cc, &searchE, apr_time_sec(r->request_time));
+ } else {
+ /* update time */
+ (*clientEntry)->time = apr_time_sec(r->request_time);
+ }
+ if(searchEFromHdr.ip6[0] == searchE.ip6[0] && searchEFromHdr.ip6[1] == searchE.ip6[1]) {
+ clientEntryFromHdr = clientEntry; // same as connection
+ } else {
+ clientEntryFromHdr = qos_cc_get0(u->qos_cc, &searchEFromHdr, apr_time_sec(r->request_time));
+ if(!clientEntryFromHdr) {
+ clientEntryFromHdr = qos_cc_set(u->qos_cc, &searchEFromHdr, apr_time_sec(r->request_time));
+ } else {
+ /* update time */
+ (*clientEntryFromHdr)->time = apr_time_sec(r->request_time);
+ }
+ }
+ if(sconf->qos_cc_event) {
+ apr_time_t now = apr_time_sec(r->request_time);
+ const char *v = apr_table_get(r->subprocess_env, QS_EVENT);
+ if(v) {
+ if((*clientEntry)->req < LONG_MAX) {
+ (*clientEntry)->req++;
+ }
+ if(now > (*clientEntry)->interval + QS_BW_SAMPLING_RATE) {
+ /* calc req/sec */
+ (*clientEntry)->req_per_sec = (*clientEntry)->req / (now - (*clientEntry)->interval);
+ (*clientEntry)->req = 0;
+ (*clientEntry)->interval = now;
+ /* calc block rate */
+ if((*clientEntry)->req_per_sec > sconf->qos_cc_event) {
+ int factor = (((*clientEntry)->req_per_sec * 100) / sconf->qos_cc_event) - 100;
+ (*clientEntry)->req_per_sec_block_rate = (*clientEntry)->req_per_sec_block_rate + factor;
+ if((*clientEntry)->req_per_sec_block_rate > QS_MAX_DELAY/1000) {
+ (*clientEntry)->req_per_sec_block_rate = QS_MAX_DELAY/1000;
+ }
+ /* QS_ClientEventPerSecLimit */
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, r,
+ QOS_LOG_PFX(061)"request rate limit,"
+ " rule: "QS_EVENT"(%d), req/sec=%ld,"
+ " delay=%dms%s",
+ sconf->qos_cc_event,
+ (*clientEntry)->req_per_sec, (*clientEntry)->req_per_sec_block_rate,
+ (*clientEntry)->req_per_sec_block_rate == QS_MAX_DELAY/1000 ? " (max)" : "");
+ QS_INC_EVENT_LOCKED(sconf, 61);
+ } else if((*clientEntry)->req_per_sec_block_rate > 0) {
+ if((*clientEntry)->req_per_sec_block_rate < 50) {
+ (*clientEntry)->req_per_sec_block_rate = 0;
+ } else {
+ int factor = (*clientEntry)->req_per_sec_block_rate / 4;
+ (*clientEntry)->req_per_sec_block_rate = (*clientEntry)->req_per_sec_block_rate - factor;
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, 0, r,
+ QOS_LOG_PFX(062)"request rate limit,"
+ " rule: "QS_EVENT"(%d), req/sec=%ld,"
+ " delay=%dms",
+ sconf->qos_cc_event,
+ (*clientEntry)->req_per_sec, (*clientEntry)->req_per_sec_block_rate);
+ QS_INC_EVENT_LOCKED(sconf, 62);
+ }
+ }
+ req_per_sec_block_rate = (*clientEntry)->req_per_sec_block_rate;
+ }
+ }
+ if(sconf->qos_cc_block && !excludeFromBlock) {
+ apr_time_t now = apr_time_sec(r->request_time);
+ int block_event = get_qs_event(r, QS_BLOCK);
+ if(((*clientEntry)->blockTime + sconf->qos_cc_blockTime) < now) {
+ /* reset expired events */
+ if((*clientEntry)->blockMsg > QS_LOG_REPEAT) {
+ // write remaining log lines
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r->connection->base_server,
+ QOS_LOG_PFX(060)"access denied (previously), "
+ "QS_ClientEventBlockCount rule: "
+ "max=%d, current=%hu, "
+ "message repeated %d times, "
+ "c=%s",
+ sconf->qos_cc_block,
+ (*clientEntry)->block,
+ (*clientEntry)->blockMsg % QS_LOG_REPEAT,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" :
+ QS_CONN_REMOTEIP(r->connection)/*no id here, this r is okay*/);
+ QS_INC_EVENT_LOCKED(sconf, 60);
+ (*clientEntry)->blockMsg = 0;
+ }
+ (*clientEntry)->block = 0;
+ (*clientEntry)->blockTime = 0;
+ }
+ if(block_event) {
+ if((*clientEntry)->block == 0) {
+ /* start timer */
+ (*clientEntry)->blockTime = now;
+ }
+ /* ... and increment block event */
+ (*clientEntry)->block += block_event;
+ /* only once per request */
+ apr_table_set(r->subprocess_env, QS_BLOCK_SEEN, "");
+ apr_table_set(r->connection->notes, QS_BLOCK_SEEN, "");
+ }
+ if((*clientEntry)->block >= sconf->qos_cc_block) {
+ *uid = apr_pstrdup(r->connection->pool, "060");
+ *msg = apr_psprintf(r->connection->pool,
+ QOS_LOG_PFX(060)"access denied%s, "
+ "QS_ClientEventBlockCount rule: "
+ "max=%d, current=%hu, age=%"APR_TIME_T_FMT", c=%s",
+ sconf->log_only ? " (log only)" : "",
+ sconf->qos_cc_block,
+ (*clientEntry)->block,
+ now - (*clientEntry)->blockTime,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" :
+ QS_CONN_REMOTEIP(r->connection));
+ QS_INC_EVENT_LOCKED(sconf, 60);
+ ret = m_retcode;
+ (*clientEntry)->lowrate = apr_time_sec(r->request_time);
+ (*clientEntry)->lowratestatus |= QOS_LOW_FLAG_EVENTBLOCK;
+ qs_set_evmsg(r, "r;");
+ }
+ }
+ if(u->qos_cc->limitTable) {
+ apr_time_t now = apr_time_sec(r->request_time);
+ int limitTableIndex;
+ apr_table_entry_t *limitTableEntry = (apr_table_entry_t *)apr_table_elts(u->qos_cc->limitTable)->elts;
+ for(limitTableIndex = 0;
+ limitTableIndex < apr_table_elts(u->qos_cc->limitTable)->nelts;
+ limitTableIndex++) {
+ time_t remaining = 0;
+ int eventSet = 0;
+ const char *eventName = limitTableEntry[limitTableIndex].key;
+ qos_s_entry_limit_conf_t *eventLimitConf = (qos_s_entry_limit_conf_t *)limitTableEntry[limitTableIndex].val;
+ const char *clearEvent = apr_table_get(r->subprocess_env, eventLimitConf->eventClearStr);
+
+ /*
+ * reset expired events or clear event counter
+ */
+ if(clearEvent ||
+ (((*clientEntryFromHdr)->limit[limitTableIndex].limitTime + eventLimitConf->limitTime) < now)) {
+ (*clientEntryFromHdr)->limit[limitTableIndex].limit = 0;
+ (*clientEntryFromHdr)->limit[limitTableIndex].limitTime = 0;
+ }
+
+ /*
+ * check for new events
+ */
+ eventSet = get_qs_event(r, eventName);
+ if(eventSet) {
+ char *seenEvent;
+ if(strcasecmp(eventName, QS_LIMIT_DEFAULT) == 0) {
+ // backward compat/event forwarding
+ seenEvent = apr_pstrcat(r->pool, QS_LIMIT_SEEN, NULL);
+ } else {
+ seenEvent = apr_pstrcat(r->pool, QS_LIMIT_SEEN, eventName, NULL);
+ }
+ if(apr_table_get(r->subprocess_env, seenEvent) == NULL) {
+ int newValue = (*clientEntryFromHdr)->limit[limitTableIndex].limit + eventSet;
+ // first occurrence
+ apr_table_set(r->subprocess_env, seenEvent, "");
+ if((*clientEntryFromHdr)->limit[limitTableIndex].limit == 0) {
+ /* .start timer */
+ (*clientEntryFromHdr)->limit[limitTableIndex].limitTime = now;
+ }
+ /* increment limit event */
+ (*clientEntryFromHdr)->limit[limitTableIndex].limit = newValue > USHRT_MAX ? USHRT_MAX : newValue;
+ }
+ }
+
+ /*
+ * propagate to env
+ */
+ apr_table_set(r->subprocess_env,
+ apr_pstrcat(r->pool, QS_LIMIT_NAME_PFX, eventName, NULL),
+ eventName);
+ apr_table_set(r->subprocess_env,
+ apr_pstrcat(r->pool, eventName, QS_COUNTER_SUFFIX, NULL),
+ apr_psprintf(r->pool, "%d", (*clientEntryFromHdr)->limit[limitTableIndex].limit));
+
+ remaining = ((*clientEntryFromHdr)->limit[limitTableIndex].limitTime + eventLimitConf->limitTime) - now;
+ apr_table_set(r->subprocess_env,
+ apr_pstrcat(r->pool, eventName, QS_LIMIT_REMAINING, NULL),
+ apr_psprintf(r->pool, "%"APR_TIME_T_FMT, remaining > 0 ? remaining : 0));
+
+ /*
+ * enforce limit
+ */
+ if((*clientEntryFromHdr)->limit[limitTableIndex].limit >= eventLimitConf->limit) {
+ int block = 1;
+ char *conditional = "";
+ if(eventLimitConf->condStr != NULL) {
+ // conditional enforcement...
+ const char *condition = apr_table_get(r->subprocess_env, QS_COND);
+ conditional = apr_pstrdup(r->pool, "Cond");
+ if(condition == NULL) {
+ block = 0; // variable not set
+ } else {
+ if(ap_regexec(eventLimitConf->preg, condition, 0, NULL, 0) != 0) {
+ block = 0; // pattern does not match
+ }
+ }
+ }
+ if(block) {
+ if(ret == DECLINED || clientEntryFromHdr != clientEntry) {
+ /* log only one error (either block or limit) */
+ *uid = apr_pstrdup(r->connection->pool, "067");
+ *msg = apr_psprintf(r->connection->pool,
+ QOS_LOG_PFX(067)"access denied%s, "
+ "QS_%sClientEventLimitCount rule: "
+ "event=%s, "
+ "max=%hu, current=%hu, age=%"APR_TIME_T_FMT", c=%s",
+ sconf->log_only ? " (log only)" : "",
+ conditional,
+ eventName,
+ eventLimitConf->limit,
+ (*clientEntryFromHdr)->limit[limitTableIndex].limit,
+ now - (*clientEntryFromHdr)->limit[limitTableIndex].limitTime,
+ forwardedForLogIP == NULL ? "-" : forwardedForLogIP);
+ QS_INC_EVENT_LOCKED(sconf, 67);
+ ret = m_retcode;
+ }
+ }
+ if(clientEntryFromHdr == clientEntry) {
+ (*clientEntry)->lowrate = apr_time_sec(r->request_time);
+ (*clientEntry)->lowratestatus |= QOS_LOW_FLAG_EVENTLIMIT;
+ qs_set_evmsg(r, "r;");
+ }
+ }
+ }
+ }
+
+ /* reset low prio client after 24h */
+ if(clientEntry && sconf->qos_cc_prefer) {
+ apr_time_t now = apr_time_sec(r->request_time);
+ if(((*clientEntry)->lowrate + QOS_LOW_TIMEOUT) < now) {
+ (*clientEntry)->lowrate = 0;
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_BEHAVIOR_OK) {
+ (*clientEntry)->lowratestatus = QOS_LOW_FLAG_BEHAVIOR_OK;
+ } else {
+ (*clientEntry)->lowratestatus = 0;
+ }
+ }
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT17 */
+
+ if(req_per_sec_block_rate) {
+ qs_set_evmsg(r, "L;");
+ if(!sconf->log_only) {
+ apr_sleep(req_per_sec_block_rate*1000);
+ }
+ }
+ }
+ return ret;
+}
+
+#if APR_HAS_THREADS
+static apr_status_t qos_cleanup_status_thread(void *selfv) {
+ qsstatus_t *s = selfv;
+ s->exit = 1;
+ /* may long up to 100ms */
+ if(m_threaded_mpm) {
+ apr_status_t status;
+ apr_thread_join(&status, s->thread);
+ //apr_pool_destroy(s->pool);
+ }
+ return APR_SUCCESS;
+}
+
+// checks if connection counting is enabled (any host)
+static int qos_count_connections(qos_srv_config *sconf) {
+ server_rec *s = sconf->base_server;
+ qos_srv_config *bsconf = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+ if(QS_COUNT_CONNECTIONS(bsconf)) {
+ return 1;
+ }
+ s = s->next;
+ while(s) {
+ qos_srv_config *sc = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+ if(QS_COUNT_CONNECTIONS(sc)) {
+ return 1;
+ }
+ s = s->next;
+ }
+ return 0;
+}
+
+// total (server/all hosts) connections
+static int qos_server_connections(qos_srv_config *sconf) {
+ server_rec *s = sconf->base_server;
+ qos_srv_config *bsconf = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+ int connections = bsconf->act->conn->connections;
+ s = s->next;
+ while(s) {
+ qos_srv_config *sc = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+ if(sc->act->conn != bsconf->act->conn) {
+ // server has either his own counter or the base server's counter
+ connections += sc->act->conn->connections;
+ }
+ s = s->next;
+ }
+ return connections;
+ /*
+ int i, j;
+ worker_score *ws_record;
+ process_score *ps_record;
+ for(i = 0; i < sconf->server_limit; ++i) {
+ ps_record = ap_get_scoreboard_process(i);
+ for(j = 0; j < sconf->thread_limit; ++j) {
+ ws_record = ap_get_scoreboard_worker(i, j);
+ if(!ps_record->quiescing && ps_record->pid) {
+ if(ws_record->status == SERVER_READY && ps_record->generation == qos_my_generation) {
+ ready++;
+ }
+ }
+ }
+ }
+ */
+}
+
+/**
+ * Status logger thread
+ *
+ * @param thread
+ * @param selfv Base server_rec
+ */
+static void *APR_THREAD_FUNC qos_status_thread(apr_thread_t *thread, void *selfv) {
+ qsstatus_t *s = selfv;
+ int server_limit, thread_limit;
+ ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
+ ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit);
+ while(!s->exit) {
+ char clientContentTypes[8192];
+ char allConn[64];
+ int s_busy = 0;
+ int s_open = 0;
+ int s_ready = 0;
+ int s_read = 0;
+ int s_write = 0;
+ int s_keep = 0;
+ int s_start = 0;
+ int s_log = 0;
+ int s_dns = 0;
+ int s_closing = 0;
+ int s_usr1 = 0;
+ int s_kill = 0;
+ worker_score ws_record;
+ int c, i, e;
+ time_t now = time(NULL);
+ int run = 0;
+ e = 60 - (now % 60);
+ e = e * 10;
+ for(c = 0; c < e; c++) {
+ apr_sleep(100000);
+ if(s->exit) {
+ run = 0;
+ break;
+ }
+ }
+ if(!s->exit) {
+ apr_global_mutex_lock(s->lock); /* @CRT47 */
+ now = time(NULL);
+ if(*s->qsstatustimer <= now) {
+ // set next and fetch the data
+ *s->qsstatustimer = (now/60*60 + 60);
+ run = 1;
+ } else {
+ // another child already did the job
+ run = 0;
+ }
+ apr_global_mutex_unlock(s->lock); /* @CRT47 */
+ }
+ if(!s->exit && run) {
+ for(i = 0; i < server_limit; ++i) {
+ int j;
+ for(j = 0; j < thread_limit; ++j) {
+ int res;
+ ap_copy_scoreboard_worker(&ws_record, i, j);
+ res = ws_record.status;
+ if(res == SERVER_DEAD) {
+ s_open++;
+ } else if(res == SERVER_READY) {
+ s_ready++;
+ } else if(res == SERVER_BUSY_READ) {
+ s_read++;
+ s_busy++;
+ } else if(res == SERVER_BUSY_WRITE) {
+ s_write++;
+ s_busy++;
+ } else if(res == SERVER_BUSY_KEEPALIVE) {
+ s_keep++;
+ s_busy++;
+ } else if(res == SERVER_STARTING) {
+ s_start++;
+ } else if(res == SERVER_BUSY_LOG) {
+ s_log++;
+ s_busy++;
+ } else if(res == SERVER_BUSY_DNS) {
+ s_dns++;
+ s_busy++;
+ } else if(res == SERVER_CLOSING) {
+ s_closing++;
+ } else if(res == SERVER_GRACEFUL) {
+ s_usr1++;
+ } else if(res == SERVER_IDLE_KILL) {
+ s_kill++;
+ }
+ }
+ }
+ clientContentTypes[0] = '\0';
+ if(s->sconf->qos_cc_prefer) {
+ qos_user_t *u = qos_get_user_conf(s->sconf->act->ppool);
+ if(u) {
+ unsigned long long html;
+ unsigned long long cssjs;
+ unsigned long long img;
+ unsigned long long other;
+ unsigned long long notmodified;
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT48 */
+ html = u->qos_cc->html;
+ cssjs = u->qos_cc->cssjs;
+ img = u->qos_cc->img;
+ other = u->qos_cc->other;
+ notmodified = u->qos_cc->notmodified;
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT48 */
+ snprintf(clientContentTypes, 8191, ", \"clientContentTypes\": { "
+ "\"html\": %llu, \"css/js\": %llu,"
+ " \"images\": %llu, \"other\": %llu, \"304\": %llu }",
+ html, cssjs,
+ img, other, notmodified
+ );
+ }
+ }
+ allConn[0] = '\0';
+ if(qos_count_connections(s->sconf)) {
+ apr_global_mutex_lock(s->lock); /* @CRT52 */
+ int all_connections = qos_server_connections(s->sconf);
+ snprintf(allConn, 64, ", \"QS_AllConn\": %d",
+ all_connections
+ );
+ apr_global_mutex_unlock(s->lock); /* @CRT52 */
+ }
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s->sconf->base_server,
+ QOS_LOG_PFX(200)"{ \"scoreboard\": { "
+ "\"open\": %d, \"waiting\": %d, \"read\": %d, "
+ "\"write\": %d, \"keepalive\": %d, "
+ "\"start\": %d, \"log\": %d, "
+ "\"dns\": %d, \"closing\": %d, "
+ "\"finishing\": %d, \"idle\": %d }, "
+ "\"maxclients\": { "
+ "\"max\": %d, \"busy\": %d"
+ "%s }"
+ "%s }",
+ s_open, s_ready, s_read,
+ s_write, s_keep,
+ s_start, s_log,
+ s_dns, s_closing,
+ s_usr1, s_kill,
+ s->maxclients, s_busy,
+ allConn,
+ clientContentTypes);
+ }
+ }
+ if(m_threaded_mpm) {
+ apr_thread_exit(thread, APR_SUCCESS);
+ }
+ return NULL;
+}
+
+/**
+ * Starts the stats logger thread
+ */
+static void qos_init_status_thread(apr_pool_t *p, qos_srv_config *sconf, int maxclients) {
+ qs_actable_t *act = sconf->act;
+ apr_pool_t *pool;
+ apr_threadattr_t *tattr;
+ qsstatus_t *s;
+ apr_pool_create(&pool, NULL);
+ s = apr_pcalloc(pool, sizeof(qsstatus_t));
+ s->exit = 0;
+ s->pool = pool;
+ s->maxclients = maxclients;
+ s->qsstatustimer = act->qsstatustimer;
+ s->lock = act->lock;
+ s->sconf = sconf;
+ if(apr_threadattr_create(&tattr, pool) == APR_SUCCESS) {
+ if(apr_thread_create(&s->thread, tattr, qos_status_thread, s, pool) == APR_SUCCESS) {
+ apr_pool_pre_cleanup_register(p, s, qos_cleanup_status_thread);
+ }
+ }
+}
+#endif
+
+/**
+ * client control rules at process connection handler
+ */
+static int qos_cc_pc_filter(conn_rec *connection, qs_conn_ctx *cconf, qos_user_t *u, char **msg) {
+ conn_rec *c = connection;
+ int ret = DECLINED;
+ if(cconf && cconf->sconf->has_qos_cc) {
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ searchE.ip6[0] = cconf->ip6[0];
+ searchE.ip6[1] = cconf->ip6[1];
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT14 */
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, 0);
+
+ /* early vip detection */
+ if((*clientEntry)->vip) {
+ cconf->is_vip = 1;
+ apr_table_set(c->notes, QS_ISVIPREQ, "yes");
+ }
+
+ /* max connections */
+ if(cconf->sconf->has_qos_cc && cconf->sconf->qos_cc_prefer) {
+ if(m_generation != u->qos_cc->generation_locked) {
+ u->qos_cc->connections++;
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, c->base_server,
+ QOS_LOG_PFX(166)"unexpected connection dispatching, skipping"
+ " connection counter update for QS_ClientPrefer rule, c=%s",
+ QS_CONN_REMOTEIP(cconf->mc) == NULL ? "-" :
+ QS_CONN_REMOTEIP(cconf->mc));
+ }
+ if((*clientEntry)->lowrate) {
+ if(c->notes) {
+ char *flags = apr_psprintf(c->pool, "0x%02x", (*clientEntry)->lowratestatus);
+ apr_table_set(c->notes, "QS_ClientLowPrio", flags);
+ }
+ }
+ /* non vip (allow all vip addresses - no restrictions) */
+ if(!(*clientEntry)->vip) {
+ if(u->qos_cc->connections > cconf->sconf->qos_cc_prefer_limit) {
+ int penalty = 4; // 2 to 12 points
+ int reqSpare = 0;
+ if((*clientEntry)->lowrate) {
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_PKGRATE) {
+ penalty++;
+ }
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_BEHAVIOR_BAD) {
+ penalty+=2;
+ }
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_EVENTBLOCK) {
+ penalty+=2;
+ }
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_EVENTLIMIT) {
+ penalty+=2;
+ }
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_TIMEOUT) {
+ penalty++;
+ }
+ }
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_BEHAVIOR_OK) {
+ // normal behavior
+ penalty-=2;
+ }
+ // calculate the min. required free connections allowing us to serve request by this IP
+ reqSpare = (cconf->sconf->max_clients - cconf->sconf->qos_cc_prefer_limit) * penalty / 12;
+ if((cconf->sconf->max_clients - u->qos_cc->connections) < reqSpare) {
+ /* not enough free connections */
+ if(u->qos_cc->connections > cconf->sconf->qos_cc_prefer_limit) {
+ *msg = apr_psprintf(cconf->mc->pool,
+ QOS_LOG_PFX(066)"access denied%s, "
+ "QS_ClientPrefer rule (penalty=%d 0x%02x): "
+ "max=%d, concurrent connections=%d, c=%s",
+ cconf->sconf->log_only ? " (log only)" : "",
+ penalty, (*clientEntry)->lowratestatus,
+ cconf->sconf->qos_cc_prefer_limit, u->qos_cc->connections,
+ QS_CONN_REMOTEIP(cconf->mc) == NULL ? "-" :
+ QS_CONN_REMOTEIP(cconf->mc));
+ QS_INC_EVENT_LOCKED(cconf->sconf, 66);
+ ret = m_retcode;
+ }
+ }
+ }
+ }
+ }
+
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT14 */
+ }
+ return ret;
+}
+
+/**
+ * calculates the current minimal up/download bandwidth
+ */
+static int qos_req_rate_calc(qos_srv_config *sconf, int *current) {
+ int req_rate = sconf->req_rate;
+ if(sconf->min_rate_max != -1) {
+ int connections = qos_server_connections(sconf);
+ if(connections > sconf->req_rate_start) {
+ /* keep the minimal rate until reaching the min connections */
+ req_rate = req_rate + (sconf->min_rate_max * connections / sconf->max_clients);
+ if(connections > sconf->max_clients) {
+ // limit the max rate to its max if we have more connections then expected
+ if(connections > (sconf->max_clients + QS_DOUBLE_CONN_H)) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, 0, sconf->base_server,
+ QOS_LOG_PFX(036)"QS_SrvMinDataRate: unexpected connection status!"
+ " connections=%d,"
+ " cal. request rate=%d,"
+ " max. limit=%d."
+ " Check log for unclean child exit and consider"
+ " to do a graceful server restart if this condition persists."
+ " You might also increase the number of supported connections"
+ " using the 'QS_MaxClients' directive.",
+ connections, req_rate, sconf->min_rate_max);
+ }
+ QS_INC_EVENT(sconf, 36);
+ req_rate = sconf->min_rate_max;
+ }
+ }
+ *current = connections;
+ }
+ return req_rate;
+}
+
+qos_s_entry_limit_conf_t *qos_getQSLimitEvent(qos_user_t *u, const char *event,
+ int *limitTableIndex) {
+ int i = 0;
+ apr_table_entry_t *limitTableEntry = (apr_table_entry_t *)apr_table_elts(u->qos_cc->limitTable)->elts;
+ for(i = 0; i < apr_table_elts(u->qos_cc->limitTable)->nelts; i++) {
+ const char *eventName = limitTableEntry[i].key;
+ if(strcasecmp(eventName, event) == 0) {
+ *limitTableIndex = i;
+ return (qos_s_entry_limit_conf_t *)limitTableEntry[i].val;
+ }
+ }
+ return NULL;
+}
+
+/************************************************************************
+ * "public"
+ ***********************************************************************/
+
+/**
+ * short status viewer
+ */
+static void qos_ext_status_short(request_rec *r, apr_table_t *qt) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ server_rec *s = sconf->base_server;
+ qos_srv_config *bsconf = (qos_srv_config*)ap_get_module_config(s->module_config,
+ &qos_module);
+ const char *option = apr_table_get(qt, "option");
+ const char *all_connections = apr_table_get(r->subprocess_env, "QS_AllConn");
+ apr_time_t now = apr_time_sec(r->request_time);
+ double av[1];
+
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+
+#if (!defined(WIN32) && !defined(__MINGW32__) && !defined(_WIN64) && !defined(CYGWIN))
+ getloadavg(av, 1);
+ ap_rprintf(r, "b"QOS_DELIM"system.load: %.2f\n", av[0]);
+#endif
+
+ if(u->qos_cc && sconf->qos_cc_prefer) {
+ unsigned long long html;
+ unsigned long long cssjs;
+ unsigned long long img;
+ unsigned long long other;
+ unsigned long long notmodified;
+ char clientContentTypes[8192];
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT51 */
+ html = u->qos_cc->html;
+ cssjs = u->qos_cc->cssjs;
+ img = u->qos_cc->img;
+ other = u->qos_cc->other;
+ notmodified = u->qos_cc->notmodified;
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT51 */
+ snprintf(clientContentTypes, 8191,
+ "b;clientContentTypes(html,css/js,images,other,304): "
+ "%llu %llu %llu %llu %llu",
+ html, cssjs, img, other, notmodified
+ );
+ ap_rprintf(r, "%s\n", clientContentTypes);
+ }
+ while(s) {
+ char *sn = apr_psprintf(r->pool, "%s"QOS_DELIM"%s"QOS_DELIM"%d",
+ s->is_virtual ? "v" : "b",
+ s->server_hostname == NULL ? "-" :
+ ap_escape_html(r->pool, s->server_hostname),
+ s->addrs->host_port);
+ sconf = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+ if(all_connections && !s->is_virtual) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_AllConn: %s\n", sn, all_connections);
+ }
+ if((s->is_virtual && (sconf != bsconf)) || !s->is_virtual) {
+ qs_acentry_t *actEntry;
+ if(!s->is_virtual && sconf->has_qos_cc && sconf->qos_cc_prefer_limit) {
+ int hc = u->qos_cc->connections; /* not synchronized ... */
+ ap_rprintf(r, "%s"QOS_DELIM"QS_ClientPrefer"QOS_DELIM"%d[]: %d\n", sn,
+ sconf->qos_cc_prefer_limit, hc);
+ }
+ /* request level */
+ actEntry = sconf->act->entry;
+ while(actEntry) {
+ if((actEntry->limit > 0) && !actEntry->condition && !actEntry->event) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_LocRequestLimit%s"QOS_DELIM"%d[%s]: %d\n", sn,
+ actEntry->regex == NULL ? "" : "Match",
+ actEntry->limit,
+ actEntry->url,
+ actEntry->counter);
+ }
+ if((actEntry->req_per_sec_limit > 0) && !actEntry->event) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_LocRequestPerSecLimit%s"QOS_DELIM"%ld[%s]: %ld\n", sn,
+ actEntry->regex == NULL ? "" : "Match",
+ actEntry->req_per_sec_limit,
+ actEntry->url,
+ actEntry->req_per_sec);
+ }
+ if((actEntry->kbytes_per_sec_limit > 0) && !actEntry->event) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_LocKBytesPerSecLimit%s"QOS_DELIM"%"APR_OFF_T_FMT"[%s]: %"APR_OFF_T_FMT"\n", sn,
+ actEntry->regex == NULL ? "" : "Match",
+ actEntry->kbytes_per_sec_limit,
+ actEntry->url,
+ actEntry->kbytes_per_sec);
+ }
+ if(actEntry->condition && !actEntry->event) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_CondLocRequestLimitMatch"QOS_DELIM"%d[%s]: %d\n", sn,
+ actEntry->limit,
+ actEntry->url,
+ actEntry->counter);
+ }
+ if(actEntry->event && (actEntry->limit != -1)) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_EventRequestLimit"QOS_DELIM"%d[%s]: %d\n", sn,
+ actEntry->limit,
+ actEntry->url,
+ actEntry->counter);
+ }
+ if(actEntry->event && (actEntry->kbytes_per_sec_limit != 0)) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_EventKBytesPerSecLimit"QOS_DELIM"%"APR_OFF_T_FMT"[%s]: %"APR_OFF_T_FMT"\n", sn,
+ actEntry->kbytes_per_sec_limit,
+ actEntry->url,
+ now > (apr_time_sec(actEntry->kbytes_interval_us) + (QS_BW_SAMPLING_RATE*10)) ? 0 : actEntry->kbytes_per_sec);
+ }
+ if(actEntry->event && (actEntry->req_per_sec_limit > 0)) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_EventPerSecLimit"QOS_DELIM"%ld[%s]: %ld\n", sn,
+ actEntry->req_per_sec_limit,
+ actEntry->url,
+ now > (actEntry->interval + (QS_BW_SAMPLING_RATE*3)) ? 0 : actEntry->req_per_sec);
+ }
+ actEntry = actEntry->next;
+ }
+ /* event limit */
+ if(sconf->event_limit_a->nelts > 0) {
+ int ie = 0;
+ qos_event_limit_entry_t *event_limit = sconf->act->event_entry;
+ for(ie = 0; ie < sconf->event_limit_a->nelts; ie++) {
+ int elimit = event_limit->limit;
+ if(event_limit->limitTime + event_limit->seconds <= now) {
+ elimit = 0;
+ }
+ if(event_limit->action == QS_EVENT_ACTION_DENY) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_%sEventLimitCount"QOS_DELIM"%d/%d[%s]: %d\n",
+ sn,
+ event_limit->condStr == NULL ? "" : "Cond",
+ event_limit->max,
+ event_limit->seconds,
+ event_limit->env_var,
+ elimit);
+ }
+ event_limit++;
+ }
+ }
+ if(!s->is_virtual || sconf->act->conn != bsconf->act->conn) {
+ if(sconf->max_conn != -1) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_SrvMaxConn"QOS_DELIM"%d[]: %d\n", sn,
+ sconf->max_conn,
+ sconf->act->conn->connections);
+ }
+ if(sconf->max_conn_close != -1) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_SrvMaxConnClose"QOS_DELIM"%d[]: %d\n", sn,
+ sconf->max_conn_close,
+ sconf->act->conn->connections);
+ }
+ if(option && strstr(option, "ip")) {
+ if(sconf->act->conn->connections) {
+ apr_table_t *entries = apr_table_make(r->pool, 100);
+ int j;
+ apr_table_entry_t *entry;
+ qos_collect_ip(r, sconf, entries, sconf->max_conn_per_ip, 0);
+ entry = (apr_table_entry_t *)apr_table_elts(entries)->elts;
+ for(j = 0; j < apr_table_elts(entries)->nelts; j++) {
+ ap_rprintf(r, "%s"QOS_DELIM"QS_SrvMaxConnPerIP"QOS_DELIM"%s: %s\n",
+ sn,
+ entry[j].key, entry[j].val);
+ }
+ }
+ }
+ }
+ }
+ s = s->next;
+ }
+ if(u->qos_cc && sconf->qsevents) {
+ int i = 0;
+ apr_table_t *eTable = apr_table_make(r->pool, QOS_LOG_MSGCT);
+ apr_table_entry_t *entry;
+ char buf1[1024];
+ char buf2[1024];
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT50 */
+ while(m_knownEvents[i] > 0) {
+ snprintf(buf1, 1023, "e;mod_qos(%03d);new: %llu",
+ m_knownEvents[i], u->qos_cc->eventLast[m_knownEvents[i]]);
+ snprintf(buf2, 1023, "e;mod_qos(%03d);total: %llu",
+ m_knownEvents[i], u->qos_cc->eventTotal[m_knownEvents[i]]);
+ apr_table_add(eTable, buf1, buf2);
+ u->qos_cc->eventLast[m_knownEvents[i]] = 0;
+ i++;
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT50 */
+ entry = (apr_table_entry_t *)apr_table_elts(eTable)->elts;
+ for(i = 0; i < apr_table_elts(eTable)->nelts; ++i) {
+ ap_rprintf(r, "%s\n%s\n", entry[i].key, entry[i].val);
+ }
+ }
+}
+
+/**
+ * Comperator for bsearch function
+ */
+static int qos_geo_comp(const void *_pA, const void *_pB) {
+ unsigned long *pA = (unsigned long *)_pA;
+ qos_geo_entry_t *pB = (qos_geo_entry_t *)_pB;
+ unsigned long search = *pA;
+ if((search >= pB->start) && (search <= pB->end)) return 0;
+ if(search > pB->start) return 1;
+ if(search < pB->start) return -1;
+ return -1; // error
+}
+
+/**
+ * Translates an IP address (from geo csv) to a numeric value.
+ *
+ * @param pool To dup the string while parsing.
+ * @param ip
+ * @return
+ */
+static unsigned long qos_geo_str2long(apr_pool_t *pool, const char *ip) {
+ char *p;
+ char *i = apr_pstrdup(pool, ip);
+ unsigned long addr = 0;
+
+ p = strchr(i, '.');
+ if(!p) return 0;
+ p[0] = '\0';
+ if(!qos_is_num(i)) return 0;
+ addr += (atol(i) * 16777216);
+ i = p;
+ i++;
+
+ p = strchr(i, '.');
+ if(!p) return 0;
+ p[0] = '\0';
+ if(!qos_is_num(i)) return 0;
+ addr += (atol(i) * 65536);
+ i = p;
+ i++;
+
+ p = strchr(i, '.');
+ if(!p) return 0;
+ p[0] = '\0';
+ if(!qos_is_num(i)) return 0;
+ addr += (atol(i) * 256);
+ i = p;
+ i++;
+
+ if(!qos_is_num(i)) return 0;
+ addr += (atol(i));
+
+ return addr;
+}
+
+/**
+ * Viewer settings about ip address information.
+ */
+static void qos_show_ip(request_rec *r, qos_srv_config *sconf, apr_table_t *qt) {
+ int max_conn_per_ip = 0;
+ server_rec *s = sconf->base_server;
+ apr_time_t now = apr_time_sec(r->request_time);
+ while(s) {
+ // enable per client connection search if any server has enabled QS_SrvMaxConnPerIP
+ qos_srv_config *conf = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+ if(conf->max_conn_per_ip != -1) {
+ max_conn_per_ip = 1;
+ break;
+ }
+ s = s->next;
+ }
+ if(sconf->has_qos_cc || max_conn_per_ip) {
+ const char *option = apr_table_get(qt, "option");
+ const char *refresh = apr_table_get(qt, "refresh");
+ const char *address = apr_table_get(qt, "address");
+ if(address) {
+ int escerr = 0;
+ char *ta = apr_pstrdup(r->pool, address);
+ qos_unescaping(ta, QOS_DEC_MODE_FLAGS_URL, &escerr);
+ address = ta;
+ }
+ if(strcmp(r->handler, "qos-viewer") == 0) {
+ ap_rputs("<table class=\"btable\"><tbody>\n", r);
+ ap_rputs(" <tr class=\"row\"><td>\n", r);
+ } else {
+ ap_rputs("<table border=\"1\"><tbody>\n", r);
+ ap_rputs(" <tr><td>\n", r);
+ }
+ if(strcmp(r->handler, "qos-viewer") == 0) {
+ ap_rputs(" <table border=\"0\" cellpadding=\"2\" "
+ "cellspacing=\"2\" style=\"width: 100%\"><tbody>\n",r);
+ } else {
+ ap_rputs(" <table border=\"1\" cellpadding=\"2\" "
+ "cellspacing=\"2\" style=\"width: 100%\"><tbody>\n",r);
+ }
+ ap_rputs(" <tr class=\"rowe\">\n", r);
+ ap_rputs(" <td colspan=\"9\">viewer settings</td>\n", r);
+ ap_rputs(" </tr>\n", r);
+ /* auto refresh */
+ ap_rputs(" <tr class=\"rows\">\n"
+ " <td colspan=\"1\">auto refresh</td>\n", r);
+ ap_rputs(" <td colspan=\"8\">\n", r);
+ ap_rprintf(r, " <form action=\"%s\" method=\"get\">\n",
+ ap_escape_html(r->pool, r->parsed_uri.path));
+ if(option && strstr(option, "ip")) {
+ ap_rprintf(r, " <input name=\"option\" value=\"ip\" type=\"hidden\">\n");
+ }
+ if(address) {
+ ap_rprintf(r, " <input name=\"address\" value=\"%s\" type=\"hidden\">\n",
+ ap_escape_html(r->pool, address));
+ }
+ if(refresh) {
+ ap_rprintf(r, " <input name=\"action\" value=\"disable\" type=\"submit\">\n");
+ } else {
+ ap_rprintf(r, " <input name=\"action\" value=\"enable\" type=\"submit\">\n");
+ ap_rprintf(r, " <input name=\"refresh\" value=\"\" type=\"hidden\">\n");
+ }
+ ap_rputs(" </form>\n", r);
+ ap_rputs(" </td>\n", r);
+ ap_rputs(" </tr>\n", r);
+ /* show ip addresses and their connections */
+ ap_rputs(" <tr class=\"rows\">\n"
+ " <td colspan=\"1\">client ip connections</td>\n", r);
+ ap_rputs(" <td colspan=\"8\">\n", r);
+ ap_rprintf(r, " <form action=\"%s\" method=\"get\">\n",
+ ap_escape_html(r->pool, r->parsed_uri.path));
+ if(!option || (option && !strstr(option, "ip")) ) {
+ ap_rprintf(r, " <input name=\"option\" value=\"ip\" type=\"hidden\">\n");
+ ap_rprintf(r, " <input name=\"action\" value=\"enable\" type=\"submit\">\n");
+ } else {
+ ap_rprintf(r, " <input name=\"option\" value=\"no\" type=\"hidden\">\n");
+ ap_rprintf(r, " <input name=\"action\" value=\"disable\" type=\"submit\">\n");
+ }
+ if(address) {
+ ap_rprintf(r, " <input name=\"address\" value=\"%s\" type=\"hidden\">\n",
+ ap_escape_html(r->pool, address));
+ }
+ if(refresh) {
+ ap_rprintf(r, " <input name=\"refresh\" value=\"\" type=\"hidden\">\n");
+ }
+ ap_rputs(" </form>\n", r);
+ ap_rputs(" </td>\n", r);
+ ap_rputs(" </tr>\n", r);
+
+ if(sconf->has_qos_cc) {
+ ap_rputs(" <tr class=\"rows\">\n"
+ " <td colspan=\"1\">search a client ip entry</td>\n", r);
+ ap_rputs(" <td colspan=\"8\">\n", r);
+ ap_rprintf(r, " <form action=\"%s\" method=\"get\">\n",
+ ap_escape_html(r->pool, r->parsed_uri.path));
+ if(option && strstr(option, "ip")) {
+ ap_rprintf(r, " <input name=\"option\" value=\"ip\" type=\"hidden\">\n");
+ }
+ if(refresh) {
+ ap_rprintf(r, " <input name=\"refresh\" value=\"\" type=\"hidden\">\n");
+ }
+ ap_rprintf(r, " <input name=\"address\" value=\"%s\" type=\"text\">\n",
+ address ? ap_escape_html(r->pool, address) : "0.0.0.0");
+ ap_rprintf(r, " <input name=\"action\" value=\"search\" type=\"submit\">\n");
+ ap_rputs(" </form>\n", r);
+ ap_rputs(" </td>\n", r);
+ ap_rputs(" </tr>\n", r);
+ if(address) {
+ apr_uint64_t ip[2];
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ if(qos_ip_str2long(address, ip)) {
+ unsigned long html;
+ unsigned long cssjs;
+ unsigned long img;
+ unsigned long other;
+ unsigned long notmodified;
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ int found = 0;
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT20 */
+ html = u->qos_cc->html;
+ cssjs = u->qos_cc->cssjs;
+ img = u->qos_cc->img;
+ other = u->qos_cc->other;
+ notmodified = u->qos_cc->notmodified;
+ searchE.ip6[0] = ip[0];
+ searchE.ip6[1] = ip[1];
+ clientEntry = qos_cc_get0(u->qos_cc, &searchE, 0);
+ if(clientEntry) {
+ found = 1;
+ searchE.vip = (*clientEntry)->vip;
+ searchE.lowrate = (*clientEntry)->lowrate;
+ searchE.lowratestatus = (*clientEntry)->lowratestatus;
+ searchE.time = (*clientEntry)->time;
+ searchE.block = (*clientEntry)->block;
+ searchE.blockTime = (*clientEntry)->blockTime;
+ searchE.limit = (*clientEntry)->limit;
+ searchE.req_per_sec = (*clientEntry)->req_per_sec;
+ searchE.req_per_sec_block_rate = (*clientEntry)->req_per_sec_block_rate;
+ searchE.other = (*clientEntry)->other - 1;
+ searchE.html = (*clientEntry)->html - 1;
+ searchE.cssjs = (*clientEntry)->cssjs - 1;
+ searchE.img = (*clientEntry)->img - 1;
+ searchE.notmodified = (*clientEntry)->notmodified - 1;
+ searchE.event_req = (*clientEntry)->event_req;
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT20 */
+ ap_rputs(" <tr class=\"rowt\">\n", r);
+ ap_rputs(" <td colspan=\"1\">IP</td>\n", r);
+ ap_rputs(" <td colspan=\"2\">last request</td>\n", r);
+ ap_rputs(" <td colspan=\"1\">"
+ "<div title=\"QS_VipHeaderName|QS_VipIPHeaderName\">vip</div></td>\n", r);
+ ap_rputs(" <td colspan=\"1\">"
+ "<div title=\"QS_ClientEventBlockCount\">blocked</div></td>\n", r);
+ ap_rputs(" <td colspan=\"1\">"
+ "<div title=\"QS_ClientEventLimitCount (QS_Limit)\">limited</div></td>\n", r);
+ ap_rputs(" <td colspan=\"2\">"
+ "<div title=\"QS_ClientEventPerSecLimit\">events/sec</div></td>\n", r);
+ ap_rputs(" <td colspan=\"1\">"
+ "<div title=\"QS_ClientPrefer&#013;0x01 bad pkg rate&#013;0x02 normal behavior&#013;0x04 bad behavior&#013;0x08 blocked&#013;0x10 limited&#013;0x20 timeout\">low prio</div></td>\n", r);
+ ap_rputs(" </tr>\n", r);
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"1\">%s</td>", ap_escape_html(r->pool, address));
+ if(!found) {
+ ap_rputs("<td colspan=\"8\"><i>not found</i></td>\n", r);
+ } else {
+ char buf[1024];
+ struct tm *ptr = localtime(&searchE.time);
+ strftime(buf, sizeof(buf), "%d.%m.%Y %H:%M:%S", ptr);
+ ap_rprintf(r, "<td colspan=\"2\">%s</td>", buf);
+ ap_rprintf(r, "<td colspan=\"1\">%s</td>", searchE.vip ? "yes" : "no");
+ if(sconf->qos_cc_blockTime > (time(NULL) - searchE.blockTime)) {
+ ap_rprintf(r, "<td colspan=\"1\">%d, %ld&nbsp;sec</td>",
+ searchE.block, time(NULL) - searchE.blockTime);
+ } else {
+ ap_rprintf(r, "<td colspan=\"1\">no</td>");
+ }
+
+ if(u->qos_cc->limitTable) {
+ int limitTableIndex;
+ qos_s_entry_limit_conf_t *eventLimitConf = qos_getQSLimitEvent(u, QS_LIMIT_DEFAULT, &limitTableIndex);
+ if(eventLimitConf) {
+ if(eventLimitConf->limitTime > (time(NULL) - searchE.limit[limitTableIndex].limitTime)) {
+ ap_rprintf(r, "<td colspan=\"1\">%hu, %ld&nbsp;sec</td>",
+ searchE.limit[limitTableIndex].limit, time(NULL) - searchE.limit[limitTableIndex].limitTime);
+ } else {
+ ap_rprintf(r, "<td colspan=\"1\">no</td>");
+ }
+ } else {
+ ap_rprintf(r, "<td colspan=\"1\">off</td>");
+ }
+ } else {
+ ap_rprintf(r, "<td colspan=\"1\">off</td>");
+ }
+ ap_rprintf(r, "<td colspan=\"1\">%ld</td>", searchE.req_per_sec);
+ ap_rprintf(r, "<td colspan=\"1\">%d&nbsp;ms</td>", searchE.req_per_sec_block_rate);
+ ap_rprintf(r, "<td colspan=\"1\">%s (0x%02x)</td>\n",
+ (searchE.lowrate + QOS_LOW_TIMEOUT) > now ? "yes" : "no",
+ searchE.lowratestatus);
+ ap_rputs("</tr>\n", r);
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"6\">&nbsp;</td>"
+ "<td>"
+ "<div title=\"QS_ClientEventRequestLimit\">events:</div></td>"
+ "<td style=\"width:9%%\">%s</td>"
+ "<td colspan=\"1\"></td>"
+ "</tr>\n", (sconf->qos_cc_event_req == -1 ? "off" : apr_psprintf(r->pool, "%d", searchE.event_req)));
+ }
+ if(sconf->qos_cc_prefer) {
+ ap_rprintf(r, " <tr class=\"rowt\">"
+ "<td colspan=\"4\"></td>"
+ "<td style=\"width:9%%\">html</td>"
+ "<td style=\"width:9%%\">css/js</td>"
+ "<td style=\"width:9%%\">images</td>"
+ "<td style=\"width:9%%\">other</td>"
+ "<td style=\"width:9%%\">304</td>"
+ "</tr>\n");
+ if(found) {
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"4\"></td>"
+ "<td style=\"width:9%%\">%u</td>"
+ "<td style=\"width:9%%\">%u</td>"
+ "<td style=\"width:9%%\">%u</td>"
+ "<td style=\"width:9%%\">%u</td>"
+ "<td style=\"width:9%%\">%u</td>"
+ "</tr>\n", searchE.html,
+ searchE.cssjs,
+ searchE.img,
+ searchE.other,
+ searchE.notmodified);
+ }
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"3\"></td>"
+ "<td style=\"width:9%%\"><div title=\"QS_ClientContentTypes\">all clients</div></td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "</tr>\n", html, cssjs, img, other, notmodified);
+ if(sconf->static_on == 1) {
+ unsigned long shtml = sconf->static_html;
+ unsigned long scssjs = sconf->static_cssjs;
+ unsigned long simg = sconf->static_img;
+ unsigned long sother = sconf->static_other;
+ unsigned long snotmodified = sconf->static_notmodified;
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"3\"></td>"
+ "<td style=\"width:9%%\"><div title=\"QS_ClientContentTypes\">configured (global)</div></td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "<td style=\"width:9%%\">%lu</td>"
+ "</tr>\n", shtml, scssjs,
+ simg, sother, snotmodified);
+ }
+ }
+ }
+ }
+ }
+ ap_rprintf(r, " <tr class=\"row\">"
+ "<td style=\"width:28%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "</tr>\n");
+ ap_rputs(" </tbody></table>\n", r);
+ ap_rputs(" </tr></td>\n", r);
+ ap_rputs("</tbody></table>\n", r);
+ }
+}
+
+/**
+ * Daws the load/connection bars at the top of the status page
+ *
+ * @param r
+ * @param bs
+ */
+static void qos_bars(request_rec *r, server_rec *bs) {
+ server_rec *s = bs;
+ qos_srv_config *bsconf = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+ if(bsconf->act && bsconf->act->conn) {
+ int connections = -1;
+ double av[1];
+ int load = 0;
+#if (!defined(WIN32) && !defined(__MINGW32__) && !defined(_WIN64) && !defined(CYGWIN))
+ getloadavg(av, 1);
+ load = av[0];
+ if(load > 0) {
+ load = 100*load/(10+load);
+ }
+#endif
+
+ ap_rputs("<table class=\"btable\"><tbody>\n", r);
+ ap_rputs(" <tr class=\"row\"><td>\n", r);
+
+ ap_rputs("<table border=\"0\" cellpadding=\"2\" "
+ "cellspacing=\"2\" style=\"width: 100%\"><tbody>\n",r);
+ ap_rputs("<tr class=\"rowe\">\n", r);
+ ap_rputs("<td colspan=\"2\">overview</td>", r);
+ ap_rputs("</tr>\n", r);
+
+ if(bsconf->log_only) {
+ ap_rputs("<tr class=\"rowt\">\n", r);
+ ap_rputs("<td colspan=\"2\">running in 'log only' mode - rules are NOT enforced</td>", r);
+ ap_rputs("</tr>\n", r);
+ }
+ if(qos_count_connections(bsconf)) {
+ connections = qos_server_connections(bsconf);
+ }
+ if(connections != -1) {
+#if (!defined(WIN32) && !defined(__MINGW32__) && !defined(_WIN64))
+ ap_rprintf(r, "<tr class=\"rowt\">"
+ "<td colspan=\"1\">connections: %d</td>"
+ "<td colspan=\"1\">load: %.2f</td>"
+ "</tr>\n", connections, av[0]);
+#else
+ ap_rprintf(r, "<tr class=\"rowt\">"
+ "<td colspan=\"1\">connections: %d</td>"
+ "<td colspan=\"1\">load: n/a</td>"
+ "</tr>\n", connections);
+#endif
+ } else {
+#if (!defined(WIN32) && !defined(__MINGW32__) && !defined(_WIN64))
+ ap_rprintf(r, "<tr class=\"rowt\">"
+ "<td colspan=\"1\">connections: n/a</td>"
+ "<td colspan=\"1\">load: %.2f</td>"
+ "</tr>\n", av[0]);
+#else
+ ap_rprintf(r, "<tr class=\"rowt\">"
+ "<td colspan=\"1\">connections: n/a</td>"
+ "<td colspan=\"1\">load: n/a</td>"
+ "</tr>\n");
+#endif
+ }
+ ap_rprintf(r, "<tr class=\"rows\">");
+ ap_rprintf(r, "<td>");
+ if(connections != -1) {
+ int percentage = 100 * connections / bsconf->max_clients;
+ if(percentage > 100) percentage = 100;
+ ap_rprintf(r, "<div class=\"prog-border\">"
+ "<div class=\"%s\" style=\"width: %d%%;\"></div></div>",
+ percentage < 90 ? "prog-bar" : "prog-bar-limit",
+ percentage);
+ ap_rprintf(r, "</td>");
+ } else {
+ ap_rprintf(r, "&nbsp;");
+ }
+ ap_rprintf(r, "<td>");
+ ap_rprintf(r, "<div class=\"prog-border\">"
+ "<div class=\"prog-bar\" style=\"width: %d%%;\"></div></div>",
+ load);
+ ap_rprintf(r, "</td>");
+ ap_rprintf(r, "</tr>\n");
+
+ ap_rputs("</tbody></table>\n", r);
+
+ ap_rputs(" </tr></td>\n", r);
+ ap_rputs("</tbody></table>\n", r);
+ }
+}
+
+/**
+ * (Extendet-)Status viewer, used by internal and mod_status handler.
+ */
+static int qos_ext_status_hook(request_rec *r, int flags) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ server_rec *s = sconf->base_server;
+ int i = 0;
+ apr_time_t now = apr_time_sec(r->request_time);
+ qos_srv_config *bsconf = (qos_srv_config*)ap_get_module_config(s->module_config,
+ &qos_module);
+ apr_table_t *qt = qos_get_query_table(r);
+ const char *option = apr_table_get(qt, "option");
+ if(sconf->disable_handler == 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(072)"handler has been disabled for this host, id=%s",
+ qos_unique_id(r, "072"));
+ return OK;
+ }
+ if (flags & AP_STATUS_SHORT) {
+ qos_ext_status_short(r, qt);
+ return OK;
+ }
+ if(qt && (apr_table_get(qt, "auto") != NULL)) {
+ qos_ext_status_short(r, qt);
+ return OK;
+ }
+ if(strcmp(r->handler, "qos-viewer") != 0) {
+ ap_rputs("<hr>\n", r);
+ ap_rputs("<table style=\"width:400px\" cellspacing=0 cellpadding=0>\n", r);
+ ap_rputs(" <tr><td bgcolor=\"#000000\">\n", r);
+ ap_rputs(" <b><font color=\"#ffffff\" face=\"Arial,Helvetica\">", r);
+ ap_rprintf(r, "mod_qos&nbsp;%s", ap_escape_html(r->pool, qos_revision(r->pool)));
+ ap_rputs(" </font></b>\r", r);
+ ap_rputs(" </td></tr>\n", r);
+ ap_rputs("</table>\n", r);
+ if(sconf->log_only) {
+ ap_rputs("<p>running in 'log only' mode - rules are NOT enforced</p>\n", r);
+ }
+ }
+#ifdef QS_INTERNAL_TEST
+ {
+ apr_uint64_t remoteip[2];
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ qos_ip_str2long(QS_CONN_REMOTEIP(r->connection), remoteip);
+ if(cconf) {
+ remoteip[0] = cconf->ip6[0];
+ remoteip[1] = cconf->ip6[1];
+ }
+ ap_rputs("<p>TEST BINARY, NOT FOR PRODUCTIVE USE<br>\n", r);
+ ap_rprintf(r, "client ip=%s</p>\n", qos_ip_long2str(r->pool, remoteip));
+ }
+#endif
+ if(strcmp(r->handler, "qos-viewer") == 0) {
+ qos_bars(r, s);
+ }
+ qos_show_ip(r, bsconf, qt);
+ if(strcmp(r->handler, "qos-viewer") == 0) {
+ ap_rputs("<table class=\"btable\"><tbody>\n", r);
+ ap_rputs(" <tr class=\"row\"><td>\n", r);
+ } else {
+ ap_rputs("<table border=\"1\"><tbody>\n", r);
+ ap_rputs(" <tr><td>\n", r);
+ }
+ while(s) {
+ qs_acentry_t *actEntry;
+ if(strcmp(r->handler, "qos-viewer") == 0) {
+ ap_rputs(" <table border=\"0\" cellpadding=\"2\" "
+ "cellspacing=\"2\" style=\"width: 100%\"><tbody>\n",r);
+ } else {
+ ap_rputs(" <table border=\"1\" cellpadding=\"2\" "
+ "cellspacing=\"2\" style=\"width: 100%\"><tbody>\n",r);
+ }
+ ap_rputs(" <tr class=\"rowe\">\n", r);
+ ap_rprintf(r, " <td colspan=\"9\">%s:%d (%s)</td>\n",
+ s->server_hostname == NULL ? "-" : ap_escape_html(r->pool, s->server_hostname),
+ s->addrs->host_port,
+ s->is_virtual ? "virtual" : "base");
+ ap_rputs(" </tr>\n", r);
+ sconf = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+
+ if((sconf == bsconf) && s->is_virtual) {
+ ap_rputs(" <tr class=\"rows\">\n"
+ " <td colspan=\"9\"><i>uses base server settings and counters</i></td>\n </tr>\n", r);
+ } else {
+ if(!s->is_virtual && sconf->has_qos_cc) {
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ int num = 0;
+ int max = 0;
+ int hc = -1;
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT16 */
+ hc = u->qos_cc->connections;
+ num = u->qos_cc->num;
+ max = u->qos_cc->max;
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT16 */
+ ap_rputs("<tr class=\"rowt\">"
+ "<td colspan=\"6\">client control</td>"
+ "<td >max</td>"
+ "<td >limit&nbsp;</td>"
+ "<td >current&nbsp;</td>", r);
+ ap_rputs("</tr>\n", r);
+ ap_rprintf(r, "<tr class=\"rows\">");
+ ap_rprintf(r, "<td colspan=\"6\"><div title=\"QS_ClientEntries\">clients in memory</div></td>");
+ ap_rprintf(r, "<td >%d</td>", max);
+ ap_rprintf(r, "<td >-</td>");
+ ap_rprintf(r, "<td >%d</td>", num);
+ ap_rputs("</tr>\n", r);
+ if(sconf->qos_cc_prefer) {
+ ap_rprintf(r, "<tr class=\"rows\">");
+ ap_rprintf(r, "<td colspan=\"6\"><div title=\"QS_ClientPrefer\">connections</div></td>");
+ ap_rprintf(r, "<td >%d</td>", sconf->qos_cc_prefer);
+ ap_rprintf(r, "<td >%d</td>", sconf->qos_cc_prefer_limit);
+ ap_rprintf(r, "<td >%d</td>", hc);
+ ap_rputs("</tr>\n", r);
+ }
+ /*
+ if(sconf->qos_cc_block) {
+ ap_rprintf(r, "<tr class=\"rows\">");
+ ap_rprintf(r, "<td colspan=\"6\">block event</td>");
+ ap_rprintf(r, "<td >%d</td>", sconf->qos_cc_block);
+ ap_rprintf(r, "<td >&nbsp</td>");
+ ap_rprintf(r, "<td >%d</td>", blocked);
+ ap_rputs("</tr>\n", r);
+ }
+ */
+ }
+ /* request level */
+ actEntry = sconf->act->entry;
+ if(actEntry) {
+ ap_rputs(" <tr class=\"rowt\">"
+ "<td colspan=\"1\">rule</td>"
+ "<td colspan=\"2\">"
+ "<div title=\"QS_LocRequestLimitMatch|QS_LocRequestLimit"
+ "|QS_CondLocRequestLimitMatch|QS_EventRequestLimit\">"
+ "concurrent requests</div></td>"
+ "<td colspan=\"3\">"
+ "<div title=\"QS_LocRequestPerSecLimitMatch|"
+ "QS_LocRequestPerSecLimit|QS_EventPerSecLimit\">"
+ "requests/second</div></td>"
+ "<td colspan=\"3\">"
+ "<div title=\"QS_LocKBytesPerSecLimitMatch|QS_LocKBytesPerSecLimit\">"
+ "kbytes/second</div></td>", r);
+ ap_rputs("</tr>\n", r);
+ ap_rputs(" <tr class=\"rowt\">"
+ "<td >&nbsp;</td>"
+ "<td >limit</td>"
+ "<td >current</td>"
+ "<td >wait rate</td>"
+ "<td >limit</td>"
+ "<td >current</td>"
+ "<td >wait rate</td>"
+ "<td >limit</td>"
+ "<td >current</td>", r);
+ ap_rputs("</tr>\n", r);
+ }
+ while(actEntry) {
+ char *red = "style=\"background-color: rgb(240,153,155);\"";
+ ap_rputs(" <tr class=\"rows\">", r);
+ ap_rprintf(r, "<!--%d--><td>%s%s</a></td>", i,
+ ap_escape_html(r->pool, qos_crline(r, actEntry->url)),
+ actEntry->condition == NULL ? "" : " <small>(conditional)</small>");
+ if((actEntry->limit == 0) || (actEntry->limit == -1)) {
+ ap_rprintf(r, "<td>-</td>");
+ ap_rprintf(r, "<td>-</td>");
+ } else {
+ ap_rprintf(r, "<td>%d</td>", actEntry->limit);
+ ap_rprintf(r, "<td %s>%d</td>",
+ ((actEntry->counter * 100) / actEntry->limit) > 90 ? red : "",
+ actEntry->counter);
+ }
+ if(actEntry->req_per_sec_limit == 0) {
+ ap_rprintf(r, "<td>-</td>");
+ ap_rprintf(r, "<td>-</td>");
+ ap_rprintf(r, "<td>-</td>");
+ } else {
+ ap_rprintf(r, "<td %s>%d&nbsp;ms</td>",
+ actEntry->req_per_sec_block_rate ? red : "",
+ actEntry->req_per_sec_block_rate);
+ ap_rprintf(r, "<td>%ld</td>", actEntry->req_per_sec_limit);
+ ap_rprintf(r, "<td %s>%ld</td>",
+ ((actEntry->req_per_sec * 100) / actEntry->req_per_sec_limit) > 90 ? red : "",
+ now > (actEntry->interval + (QS_BW_SAMPLING_RATE*3)) ? 0 : actEntry->req_per_sec);
+ }
+ if(actEntry->kbytes_per_sec_limit == 0) {
+ ap_rprintf(r, "<td>-</td>");
+ ap_rprintf(r, "<td>-</td>");
+ ap_rprintf(r, "<td>-</td>");
+ } else {
+ int hasActualData = now > (apr_time_sec(actEntry->kbytes_interval_us) + QS_BW_SAMPLING_RATE) ? 0 : 1;
+ ap_rprintf(r, "<td %s>%"APR_OFF_T_FMT"&nbsp;ms</td>",
+ hasActualData && (actEntry->kbytes_per_sec_block_rate >= 1000) ? red : "",
+ actEntry->kbytes_per_sec_block_rate / 1000);
+ ap_rprintf(r, "<td>%"APR_OFF_T_FMT"</td>", actEntry->kbytes_per_sec_limit);
+ ap_rprintf(r, "<td %s>%"APR_OFF_T_FMT"</td>",
+ hasActualData && (((actEntry->kbytes_per_sec * 100) / actEntry->kbytes_per_sec_limit) > 90) ? red : "",
+ hasActualData ? actEntry->kbytes_per_sec : 0);
+ }
+ ap_rputs("</tr>\n", r);
+ actEntry = actEntry->next;
+ }
+ /* event limit */
+ if(sconf->event_limit_a->nelts > 0) {
+ char *red = "style=\"background-color: rgb(240,153,155);\"";
+ int ie = 0;
+ qos_event_limit_entry_t *event_limit = sconf->act->event_entry;
+ ap_rputs(" <tr class=\"rowt\">"
+ "<td colspan=\"5\"><div title=\"QS_EventLimitCount\">events</div></td>"
+ "<td colspan=\"1\">limit</td>"
+ "<td colspan=\"1\">seconds</td>"
+ "<td colspan=\"2\">current</td>", r);
+ ap_rputs("</tr>\n", r);
+ for(ie = 0; ie < sconf->event_limit_a->nelts; ie++) {
+ int edelta = event_limit->limitTime + event_limit->seconds - now;
+ int elimit = event_limit->limit;
+ if(event_limit->limitTime + event_limit->seconds <= now) {
+ elimit = 0;
+ edelta = 0;
+ }
+ if(event_limit->action == QS_EVENT_ACTION_DENY) {
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"5\">%s%s</td>"
+ "<td>%d</td><td>%ds</td><td %s>%d</td><td>%ds</td>"
+ "</tr>\n",
+ event_limit->env_var,
+ event_limit->condStr == NULL ? "" : " <small>(conditional)</small>",
+ event_limit->max,
+ event_limit->seconds,
+ elimit >= event_limit->max ? red : "",
+ elimit,
+ edelta);
+ }
+ event_limit++;
+ }
+ }
+ /* connection level */
+ if(sconf->has_conn_counter == 1 || !s->is_virtual) {
+ char *red = "style=\"background-color: rgb(240,153,155);\"";
+ int c = qos_count_free_ip(sconf);
+ ap_rputs(" <tr class=\"rowt\">"
+ "<td colspan=\"9\">connections</td>", r);
+ ap_rputs("</tr>\n", r);
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<!--%d--><td colspan=\"6\">"
+ "<div title=\"QS_SrvMaxConnPerIP\">free ip entries</div></td>"
+ "<td colspan=\"3\">%d</td></tr>\n", i, c);
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<!--%d--><td colspan=\"6\">"
+ "<div title=\"QS_SrvMaxConn|QS_SrvMaxConnClose\">current connections</div></td>"
+ "<td %s colspan=\"3\">%d</td></tr>\n", i,
+ ( ( (sconf->max_conn_close != -1) &&
+ (sconf->act->conn->connections >= sconf->max_conn_close) ) ||
+ ( (sconf->max_conn != -1) &&
+ (sconf->act->conn->connections >= sconf->max_conn) ) ) ? red : "",
+ sconf->act->conn->connections);
+
+ if(!s->is_virtual) {
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<!--base--><td colspan=\"6\">"
+ "<div>total connections</div></td>"
+ "<td colspan=\"3\">%d</td></tr>\n",
+ qos_server_connections(sconf));
+ }
+
+ if(option && strstr(option, "ip")) {
+ apr_table_t *entries = apr_table_make(r->pool, 100);
+ int j;
+ apr_table_entry_t *entry;
+ ap_rputs(" <tr class=\"rowt\">"
+ "<td colspan=\"6\">"
+ "<div title=\"QS_SrvMaxConnPerIP\">client ip connections</div></td>"
+ "<td colspan=\"3\">current&nbsp;</td>", r);
+ ap_rputs("</tr>\n", r);
+ qos_collect_ip(r, sconf, entries, sconf->max_conn_per_ip, 1);
+ entry = (apr_table_entry_t *)apr_table_elts(entries)->elts;
+ for(j = 0; j < apr_table_elts(entries)->nelts; j++) {
+ ap_rputs(" <tr class=\"rows\">", r);
+ ap_rputs("<td colspan=\"6\">", r);
+ ap_rprintf(r, "%s</td></tr>\n", entry[j].key);
+ }
+ }
+
+ ap_rputs(" <tr class=\"rowt\">"
+ "<td colspan=\"9\">connection settings</td>", r);
+ ap_rputs("</tr>\n", r);
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"6\">"
+ "<div title=\"QS_SrvMaxConn\">max connections</div></td>");
+ if(sconf->max_conn == -1) {
+ ap_rprintf(r, "<td colspan=\"3\">-</td></tr>\n");
+ } else {
+ ap_rprintf(r, "<td colspan=\"3\">%d</td></tr>\n", sconf->max_conn);
+ }
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"6\">"
+ "<div title=\"QS_SrvMaxConnClose\">max connections with keep-alive</div></td>");
+ if(sconf->max_conn_close == -1) {
+ ap_rprintf(r, "<td colspan=\"3\">-</td></tr>\n");
+ } else {
+ ap_rprintf(r, "<td colspan=\"3\">%d</td></tr>\n", sconf->max_conn_close);
+ }
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"6\">"
+ "<div title=\"QS_SrvMaxConnPerIP\">max connections per client ip</div></td>");
+ if(sconf->max_conn_per_ip == -1) {
+ ap_rprintf(r, "<td colspan=\"3\">-</td></tr>\n");
+ } else {
+ ap_rprintf(r, "<td colspan=\"3\">%d</td></tr>\n", sconf->max_conn_per_ip);
+ }
+ ap_rprintf(r, " <tr class=\"rows\">"
+ "<td colspan=\"6\">"
+ "<div title=\"QS_SrvMinDataRate|QS_SrvRequestRate\">"
+ "min. data rate (bytes/sec) (min/max/current)</div></td>");
+ if(sconf->req_rate == -1) {
+ ap_rprintf(r, "<td colspan=\"3\">-</td></tr>\n");
+ } else {
+ int connections;
+ int rt = qos_req_rate_calc(sconf, &connections);
+ ap_rprintf(r, "<td colspan=\"3\">%d/%d/%d</td></tr>\n",
+ sconf->req_rate,
+ sconf->min_rate_max == -1 ? sconf->req_rate : sconf->min_rate_max,
+ rt);
+ }
+ } else {
+ ap_rputs(" <tr class=\"rowt\">"
+ "<td colspan=\"9\">connections</td>", r);
+ ap_rputs("</tr>\n", r);
+ ap_rputs(" <tr class=\"rows\">\n"
+ " <td colspan=\"9\"><i>uses base server settings and counters</i></td>\n </tr>\n", r);
+ }
+ }
+ ap_rprintf(r, " <tr class=\"row\">"
+ "<td style=\"width:28%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "<td style=\"width:9%%\"></td>"
+ "</tr>");
+ i++;
+ s = s->next;
+ ap_rputs("</tbody></table>\n", r);
+ }
+ ap_rputs(" </td></tr>\n", r);
+ ap_rputs("</tbody></table>\n", r);
+ return OK;
+}
+
+/**
+ * Disables request rate enforcements for all child processes (at start/fork) if
+ * init has failed.
+ *
+ * @param bs Base server_rec to iterate through all client configurations
+ * @param msg Error message to log (reason what has failed @init).
+ */
+static void qos_disable_req_rate(server_rec *bs, const char *msg) {
+ server_rec *s = bs->next;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(bs->module_config, &qos_module);
+ ap_log_error(APLOG_MARK, APLOG_CRIT, 0, bs,
+ QOS_LOG_PFX(008)"could not create supervisor thread (%s),"
+ " disable request rate enforcement", msg);
+ sconf->req_rate = -1;
+ while(s) {
+ sconf = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+ sconf->req_rate = -1;
+ s = s->next;
+ }
+}
+
+/**
+ * stores the IP of the connection into the array and
+ * increments the array pointer (for QS_Block for connection errors)
+ */
+static apr_uint64_t *qos_inc_block(conn_rec *connection, qos_srv_config *sconf,
+ qs_conn_ctx *cconf, apr_uint64_t *ip) {
+ conn_rec *c = connection;
+ if(sconf->qos_cc_block &&
+ apr_table_get(sconf->setenvstatus_t, QS_CLOSE) &&
+ !apr_table_get(c->notes, QS_BLOCK_SEEN)) {
+ apr_table_set(c->notes, QS_BLOCK_SEEN, "");
+ *ip = cconf->ip6[0];
+ ip++;
+ *ip = cconf->ip6[1];
+ ip++;
+ }
+ return ip;
+}
+
+#if APR_HAS_THREADS
+/**
+ * Supervisior thread monitoring the bandith of registered connections.
+ *
+ * Connections are closed by a apr_socket_close/shutdown which must be
+ * detected by the thread processing the connection in order to
+ * de-register the connection and to terminate the pending request in
+ * order to free resources (thread).
+ *
+ * @param thread
+ * @param selfv Base server_rec
+ */
+static void *APR_THREAD_FUNC qos_req_rate_thread(apr_thread_t *thread, void *selfv) {
+ server_rec *bs = selfv;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(bs->module_config, &qos_module);
+ // list of ip addr. for whose we shall inc. block count
+ apr_uint64_t *ips = calloc(sconf->max_clients * 2, APR_ALIGN_DEFAULT(sizeof(apr_uint64_t)));
+ while(!sconf->inctx_t->exit) {
+ apr_uint64_t *ip = ips;
+ int current_con = 0;
+ int req_rate = qos_req_rate_calc(sconf, &current_con);
+ apr_time_t now = apr_time_sec(apr_time_now());
+ apr_time_t interval = now - sconf->qs_req_rate_tm;
+ int i;
+ apr_table_entry_t *entry;
+ // every second
+ apr_sleep(APR_USEC_PER_SEC);
+ if(sconf->inctx_t->exit) {
+ break;
+ }
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT21 */
+ entry = (apr_table_entry_t *)apr_table_elts(sconf->inctx_t->table)->elts;
+ for(i = 0; i < apr_table_elts(sconf->inctx_t->table)->nelts; i++) {
+ qos_ifctx_t *inctx = (qos_ifctx_t *)entry[i].val;
+ if(inctx->status == QS_CONN_STATE_KEEP) {
+ /* enforce keep alive */
+ apr_interval_time_t current_timeout = 0;
+ apr_socket_timeout_get(inctx->clientSocket, &current_timeout);
+ /* add 5sec tolerance to receive the request line
+ or let Apache close the connection */
+ /* ignored by event MPM ! */
+ if(!m_event_mpm &&
+ (now > (apr_time_sec(current_timeout) + 5 + inctx->time))) {
+ qs_conn_ctx *cconf = qos_get_cconf(inctx->c);
+ int level = APLOG_ERR;
+ if(cconf) {
+ /* disabled by vip priv */
+ if(cconf->is_vip && sconf->req_ignore_vip_rate != 1) {
+ level = APLOG_DEBUG;
+ cconf->has_lowrate = 1; /* mark connection low rate */
+ }
+ /* disabled for this request/connection */
+ if(inctx->disabled) {
+ level = APLOG_DEBUG;
+ cconf->has_lowrate = 1; /* mark connection low rate */
+ }
+ /* enable only if min. num of connection reached */
+ if(current_con < sconf->req_rate_start) {
+ level = APLOG_DEBUG;
+ cconf->has_lowrate = 1; /* mark connection low rate */
+ }
+ ip = qos_inc_block(inctx->c, sconf, cconf, ip);
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|level, 0, inctx->c->base_server,
+ QOS_LOG_PFX(034)"%s,"
+ " QS_SrvMinDataRate rule (enforce keep-alive),"
+ " c=%s",
+ (level == APLOG_DEBUG) || sconf->log_only ?
+ "log only (allowed)"
+ : "access denied",
+ QS_CONN_REMOTEIP(inctx->c) == NULL ? "-" : QS_CONN_REMOTEIP(inctx->c));
+ QS_INC_EVENT_LOCKED(sconf, 34);
+ inctx->time = now;
+ inctx->nbytes = 0;
+ if((level == APLOG_ERR) &&
+ !sconf->log_only) {
+ apr_socket_shutdown(inctx->clientSocket, APR_SHUTDOWN_READ);
+ }
+ /* mark slow clients (QS_ClientPrefer) even they are VIP */
+ inctx->shutdown = 1;
+ }
+ //else {
+ // // HTTP/2
+ //}
+ }
+ } else {
+ if(interval > inctx->time) {
+ int rate = inctx->nbytes / sconf->qs_req_rate_tm;
+ if(rate < req_rate) {
+ if(inctx->clientSocket) {
+ qs_conn_ctx *cconf = qos_get_cconf(inctx->c);
+ int level = APLOG_ERR;
+ int notUsed = 0;
+ if(cconf) {
+ /* disabled by vip priv */
+ if(cconf->is_vip && sconf->req_ignore_vip_rate != 1) {
+ level = APLOG_DEBUG;
+ cconf->has_lowrate = 1; /* mark connection low rate */
+ }
+ /* disabled for this request/connection */
+ if(inctx->disabled) {
+ level = APLOG_DEBUG;
+ cconf->has_lowrate = 1; /* mark connection low rate */
+ }
+ /* enable only if min. num of connection reached */
+ if(current_con < sconf->req_rate_start) {
+ level = APLOG_DEBUG;
+ cconf->has_lowrate = 1; /* mark connection low rate */
+ }
+ ip = qos_inc_block(inctx->c, sconf, cconf, ip);
+ if((inctx->hasBytes == 0) &&
+ (inctx->c->keepalives == 0) &&
+ (inctx->status == QS_CONN_STATE_HEAD)) {
+ // not even received the request line
+ notUsed = 1;
+ }
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|level, 0, inctx->c->base_server,
+ QOS_LOG_PFX(034)"%s, QS_SrvMinDataRate rule (%s%s): min=%d,"
+ " this connection=%d,"
+ " c=%s",
+ (level == APLOG_DEBUG) || sconf->log_only ?
+ "log only (allowed)"
+ : "access denied",
+ inctx->status == QS_CONN_STATE_RESPONSE ? "out" : "in",
+ notUsed ? ":0" : "",
+ req_rate,
+ rate,
+ QS_CONN_REMOTEIP(inctx->c) == NULL ? "-" : QS_CONN_REMOTEIP(inctx->c));
+ QS_INC_EVENT_LOCKED(sconf, 34);
+ inctx->time = interval + sconf->qs_req_rate_tm;
+ inctx->nbytes = 0;
+ if((level == APLOG_ERR) && !sconf->log_only) {
+ if(inctx->status == QS_CONN_STATE_RESPONSE) {
+ apr_socket_shutdown(inctx->clientSocket, APR_SHUTDOWN_WRITE);
+ /* close out socket (the hard way) */
+ apr_socket_close(inctx->clientSocket);
+ } else {
+ apr_socket_shutdown(inctx->clientSocket, APR_SHUTDOWN_READ);
+ }
+ }
+ /* mark slow clients (QS_ClientPrefer) even they are VIP */
+ inctx->shutdown = 1;
+ }
+ }
+ //else {
+ // // HTTP/2
+ //}
+ } else {
+ inctx->time = interval + sconf->qs_req_rate_tm;
+ inctx->nbytes = 0;
+ }
+ }
+ }
+ }
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT21 */
+ /* QS_Block for connection errors */
+ while(ip != ips) {
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT38 */
+ ip--;
+ searchE.ip6[1] = *ip;
+ ip--;
+ searchE.ip6[0] = *ip;
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, 0);
+
+ /* increment block event */
+ if((*clientEntry)->block < USHRT_MAX) {
+ (*clientEntry)->block++;
+ }
+ if((*clientEntry)->block == 1) {
+ /* ... and start timer */
+ (*clientEntry)->blockTime = apr_time_sec(apr_time_now());
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT38 */
+ }
+ }
+ // apr_thread_mutex_lock(sconf->inctx_t->lock);
+ // apr_thread_mutex_unlock(sconf->inctx_t->lock);
+ // called via apr_pool_cleanup_register():
+ // apr_thread_mutex_destroy(sconf->inctx_t->lock);
+ free(ips);
+ if(m_threaded_mpm) {
+ apr_thread_exit(thread, APR_SUCCESS);
+ }
+ return NULL;
+}
+
+/**
+ * Terminates the connection supervisor thread.
+ * (works for mpm_worker only)
+ *
+ * @param selfv The base server_rec
+ * @return APR_SUCCESS
+ */
+static apr_status_t qos_cleanup_req_rate_thread(void *selfv) {
+ server_rec *bs = selfv;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(bs->module_config, &qos_module);
+ sconf->inctx_t->exit = 1;
+ /* may long up to one second */
+ if(m_threaded_mpm) {
+ apr_status_t status;
+ apr_thread_join(&status, sconf->inctx_t->thread);
+ }
+ return APR_SUCCESS;
+}
+#endif
+
+/**
+ * Writes the query/body to the env variables which may be used
+ * for the qsfilter* audit log.
+ *
+ * @param r
+ * @param dconf
+ */
+static void qos_audit(request_rec *r, qos_dir_config *dconf) {
+ const char *q = NULL;
+ const char *u = apr_table_get(r->notes, QS_PARP_PATH);
+ if(dconf->bodyfilter_p == 1 || dconf->bodyfilter_d == 1) {
+ q = apr_table_get(r->notes, QS_PARP_QUERY);
+ }
+ if(u == NULL) {
+ if(r->parsed_uri.path) {
+ u = apr_pstrdup(r->pool, r->parsed_uri.path);
+ } else {
+ u = apr_pstrdup(r->pool, "");
+ }
+ apr_table_setn(r->notes, apr_pstrdup(r->pool, QS_PARP_PATH), u);
+ }
+ if(q == NULL) {
+ if(r->parsed_uri.query) {
+ q = apr_pstrcat(r->pool, "?", r->parsed_uri.query, NULL);
+ } else {
+ q = apr_pstrdup(r->pool, "");
+ }
+ apr_table_setn(r->notes, apr_pstrdup(r->pool, QS_PARP_QUERY), q);
+ }
+ apr_table_setn(r->notes, apr_pstrdup(r->pool, QS_PARP_LOC), dconf->path);
+ if(r->next) {
+ apr_table_setn(r->next->notes, apr_pstrdup(r->pool, QS_PARP_PATH), u);
+ apr_table_setn(r->next->notes, apr_pstrdup(r->pool, QS_PARP_QUERY), q);
+ apr_table_setn(r->next->notes, apr_pstrdup(r->pool, QS_PARP_LOC), dconf->path);
+ }
+}
+
+/**
+ * Adds the configured (QS_Delay env var) delay to the request
+ *
+ * @param r
+ * @param sconf Do set log-only mode
+ */
+static void qos_delay(request_rec *r, qos_srv_config *sconf) {
+ const char *d = apr_table_get(r->subprocess_env, "QS_Delay");
+ if(d) {
+ apr_off_t s;
+#ifdef ap_http_scheme
+ /* Apache 2.2 */
+ char *errp = NULL;
+ if((APR_SUCCESS == apr_strtoff(&s, d, &errp, 10)) && s > 0)
+#else
+ if((s = apr_atoi64(d)) > 0)
+#endif
+ {
+ qs_set_evmsg(r, "L;");
+ if(!sconf->log_only) {
+ apr_sleep(s*1000);
+ }
+ }
+ }
+}
+
+/**
+ * Enables mod_deflate
+ * QS_DeflateReqBody (if parp has been enabled)
+ *
+ * @param r
+ */
+static void qos_deflate(request_rec *r) {
+ if(apr_table_get(r->subprocess_env, "QS_DeflateReqBody") &&
+ apr_table_get(r->subprocess_env, "parp")) {
+ ap_add_input_filter("DEFLATE", NULL, r, r->connection);
+ }
+}
+
+/**
+ * Adjusts the content-length header
+ *
+ * @param r
+ */
+static void qos_deflate_contentlength(request_rec *r) {
+ if(apr_table_get(r->subprocess_env, "QS_DeflateReqBody") &&
+ apr_table_get(r->subprocess_env, "parp")) {
+ const char *PARPContentLength = apr_table_get(r->subprocess_env, "PARPContentLength");
+ const char *contentLength = apr_table_get(r->headers_in, "Content-Length");
+ if(PARPContentLength && contentLength) {
+ apr_table_set(r->headers_in, "Content-Length", PARPContentLength);
+ }
+ }
+}
+
+/**
+ * Verifies Apache and MPM version and writes error message (notice)
+ * for incompatibel version/type.
+ *
+ * Apache MPM worker binaries is the only configuration which
+ * has been fully tested (as mentioned in the documentation, see index.html).
+ *
+ * - old (2.0.x, 2.2.x) MPM Apache prefork versions do not unload the
+ * DSO properly or child exit may cause a segfault (pool cleanup)
+ * - regular expression are only fully supported with Apach 2.4
+ * - Apache 2.4 should work (but is not fully tested)
+ * (see CHANGES.txt for more information)
+ * - Apache 2.0 does not support all directives (e.g. QS_ClientPrefer) and
+ * we do no longer test against this version (the module does probably
+ * not even compile with version 2.0)
+ *
+ */
+static void qos_version_check(server_rec *bs) {
+ ap_version_t version;
+
+ if(strcasecmp(ap_show_mpm(), "event") == 0) {
+ ap_directive_t *pdir;
+ m_event_mpm = 1; // disable features like keep-alive control
+ for(pdir = ap_conftree; pdir != NULL; pdir = pdir->next) {
+ if(strcasecmp(pdir->directive, "AsyncRequestWorkerFactor") == 0) {
+ double val = 0;
+ char *endptr;
+ const char *arg = pdir->args;
+ if(arg == NULL) {
+ continue;
+ }
+ val = strtod(arg, &endptr);
+ if(*endptr) {
+ continue;
+ }
+ if(val < 0) {
+ continue;
+ }
+ m_event_mpm_worker_factor = val;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, bs,
+ QOS_LOGD_PFX"found AsyncRequestWorkerFactor directive '%f'",
+ m_event_mpm_worker_factor);
+ }
+ }
+ } else if(strcasecmp(ap_show_mpm(), "worker") != 0) {
+ // mod_qos is fully tested for MPM worker (and "works" with event)
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, bs,
+ QOS_LOG_PFX(009)"loaded MPM is '%s'"
+ " but mod_qos should be used with MPM 'Worker' or 'Event' only.",
+ ap_show_mpm());
+ }
+
+ if(strcasecmp(ap_show_mpm(), "prefork") == 0) {
+ m_threaded_mpm = 0; // disable child cleanup (if neither worker nor event MPM)
+ }
+
+ ap_get_server_revision(&version);
+ if(version.major == 2 && version.minor == 4 && version.patch == 49) {
+ // 2.4.49 compat: prevents Apache segfault on connection close
+ m_forced_close = 0;
+ }
+
+ if(version.major != 2 || version.minor != 4) {
+ // 2.4 should work fine / older or newer versions are not tested
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, bs,
+ QOS_LOG_PFX(009)"server version is %d.%d"
+ " but mod_qos should be used with Apache 2.4 only.",
+ version.major, version.minor);
+ }
+}
+
+/**
+ * enforces the QS_RedirectIf variable
+ * @param r
+ * @param sconf
+ * @param rules Rules array
+ * @return HTTP_MOVED_TEMPORARILY/HTTP_TEMPORARY_REDIRECT or DECLINED
+ */
+static int qos_redirectif(request_rec *r, qos_srv_config *sconf,
+ apr_array_header_t *rules) {
+ ap_regmatch_t regm[AP_MAX_REG_MATCH];
+ int i;
+ qos_redirectif_entry_t *entries = (qos_redirectif_entry_t *)rules->elts;
+ for(i = 0; i < rules->nelts; ++i) {
+ qos_redirectif_entry_t *entry = &entries[i];
+ const char *val = apr_table_get(r->subprocess_env, entry->name);
+ if(val) {
+ if(ap_regexec(entry->preg, val, AP_MAX_REG_MATCH, regm, 0) == 0) {
+ int severity = sconf->log_only ? APLOG_WARNING : APLOG_ERR;
+ char *replaced = ap_pregsub(r->pool, entry->url, val, AP_MAX_REG_MATCH, regm);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|severity, 0, r,
+ QOS_LOG_PFX(049)"redirect to %s,"
+ " var=%s,"
+ " action=%s, c=%s, id=%s",
+ replaced,
+ entry->name,
+ sconf->log_only ? "log only" : "redirect",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" :
+ QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "049"));
+ QS_INC_EVENT(sconf, 49);
+ if(!sconf->log_only) {
+ apr_table_set(r->headers_out, "Location", replaced);
+ return entry->code;
+ }
+ }
+ }
+ }
+ return DECLINED;
+}
+
+static void qos_init_unique_id(apr_pool_t *p, server_rec *bs) {
+ char str[APRMAXHOSTLEN + 1];
+ apr_sockaddr_t *sockaddr;
+ str[APRMAXHOSTLEN] = '\0';
+ unsigned int in_addr = 0;
+ if(apr_gethostname(str, sizeof(str) - 1, p) == APR_SUCCESS) {
+ if(apr_sockaddr_info_get(&sockaddr, str, AF_INET, 0, 0, p) == APR_SUCCESS) {
+ in_addr = sockaddr->sa.sin.sin_addr.s_addr;
+ }
+ }
+ pid_t pid = getpid();
+ m_unique_id.in_addr = pid^in_addr;
+ m_unique_id.unique_id_counter = time(NULL);
+}
+
+/**
+ * propagates environment variables to sub-requests (for logging)
+ */
+static void qos_propagate_events(request_rec *r) {
+ request_rec *mr = NULL;
+ const char **var;
+ if(r->prev) {
+ mr = r->prev;
+ } else if(r->main) {
+ mr = r->main;
+ } else if(r->next) {
+ mr = r->next;
+ }
+ var = m_env_variables;
+ while(*var) {
+ int propagated = 0;
+ if(mr) {
+ const char *p = apr_table_get(mr->subprocess_env, *var);
+ if(p) {
+ propagated = 1;
+ apr_table_set(r->subprocess_env, *var, p);
+ }
+ if(!propagated) {
+ p = apr_table_get(r->subprocess_env, *var);
+ if(p) {
+ propagated = 1;
+ apr_table_set(mr->subprocess_env, *var, p);
+ }
+ }
+ }
+ var++;
+ }
+ if(r->prev) {
+ // internal redirect (e.g. error page)
+ int i;
+ int len = strlen(QS_LIMIT_NAME_PFX);
+ request_rec *mp = r->prev;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(mp->subprocess_env)->elts;
+ for(i = 0; i < apr_table_elts(mp->subprocess_env)->nelts; ++i) {
+ if(strncmp(entry[i].key, QS_LIMIT_NAME_PFX, len) == 0) {
+ const char *eventName = entry[i].val;
+ const char *name = apr_pstrcat(r->pool, eventName, QS_COUNTER_SUFFIX, NULL);
+ const char *value = apr_table_get(mp->subprocess_env, name);
+ if(value) {
+ apr_table_set(r->subprocess_env, name, value);
+ }
+ name = eventName;
+ value = apr_table_get(mp->subprocess_env, name);
+ if(value) {
+ apr_table_set(r->subprocess_env, name, value);
+ }
+ name = apr_pstrcat(r->pool, eventName, QS_LIMIT_REMAINING, NULL);
+ value = apr_table_get(mp->subprocess_env, name);
+ if(value) {
+ apr_table_set(r->subprocess_env, name, value);
+ }
+ name = apr_pstrcat(r->pool, eventName, QS_LIMIT_SEEN, NULL);
+ value = apr_table_get(mp->subprocess_env, name);
+ if(value) {
+ apr_table_set(r->subprocess_env, name, value);
+ }
+ }
+ }
+ }
+}
+
+/**
+ * ensure that every request record has the error notes to log
+ */
+static void qos_propagate_notes(request_rec *r) {
+ request_rec *mr = NULL;
+ const char **var;
+ if(r->prev) {
+ mr = r->prev;
+ } else if(r->main) {
+ mr = r->main;
+ } else if(r->next) {
+ mr = r->next;
+ }
+ var = m_note_variables;
+ while(*var) {
+ int propagated = 0;
+ if(mr) {
+ const char *p = apr_table_get(mr->notes, *var);
+ if(p) {
+ propagated = 1;
+ apr_table_setn(r->notes, *var, p);
+ }
+ if(!propagated) {
+ p = apr_table_get(r->notes, *var);
+ if(p) {
+ propagated = 1;
+ apr_table_setn(mr->notes, *var, p);
+ }
+ }
+ }
+ var++;
+ }
+}
+
+
+/* QS_UnsetReqHeader */
+static void qos_unset_reqheader(request_rec *r, qos_srv_config *sconf) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(sconf->unsetreqheader_t)->elts;
+ for(i = 0; i < apr_table_elts(sconf->unsetreqheader_t)->nelts; i++) {
+ apr_table_unset(r->headers_in, entry[i].key);
+ }
+ return;
+}
+
+/* QS_UnsetResHeader */
+static void qos_unset_resheader(request_rec *r, qos_srv_config *sconf) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(sconf->unsetresheader_t)->elts;
+ for(i = 0; i < apr_table_elts(sconf->unsetresheader_t)->nelts; i++) {
+ apr_table_unset(r->headers_out, entry[i].key);
+ apr_table_unset(r->err_headers_out, entry[i].key);
+ }
+ return;
+}
+
+/************************************************************************
+ * handlers
+ ***********************************************************************/
+
+/**
+ * Destructor to handle connections which do not have been established
+ * successfully resp. have been closed unexpectedly.
+ *
+ * Increments block counter.
+ *
+ * @param p Connection base context
+ * @return APR_SUCCESS
+ */
+static apr_status_t qos_base_cleanup_conn(void *p) {
+ qs_conn_base_ctx *base = p;
+ if(base->sconf->has_qos_cc || base->sconf->qos_cc_prefer) {
+ int connRuleViolation = 0;
+ const char *type = QS_EMPTY_CON;
+ if(base->requests == 0 &&
+ apr_table_get(base->sconf->setenvstatus_t, QS_EMPTY_CON) &&
+ !apr_table_get(base->c->notes, QS_BLOCK_SEEN)) {
+ connRuleViolation = 1;
+ apr_table_set(base->c->notes, QS_BLOCK_SEEN, "");
+ }
+ if(apr_table_get(base->c->notes, QS_BROKEN_CON)) {
+ connRuleViolation = 1;
+ type = QS_BROKEN_CON;
+ }
+ if(apr_table_get(base->c->notes, QS_MAXIP)) {
+ connRuleViolation = 1;
+ type = QS_MAXIP;
+ }
+ if(connRuleViolation) {
+ qos_user_t *u = qos_get_user_conf(base->sconf->act->ppool);
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ qos_ip_str2long(QS_CONN_REMOTEIP(base->c), searchE.ip6); // no ip simulation here
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT40 */
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, 0);
+
+ /* increment block event */
+ if((*clientEntry)->block < USHRT_MAX) {
+ (*clientEntry)->block++;
+ }
+ if((*clientEntry)->block == 1) {
+ /* ... and start timer */
+ (*clientEntry)->blockTime = apr_time_sec(apr_time_now());
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT40 */
+ if(QS_ISDEBUG(base->c->base_server)) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base->c->base_server,
+ QOS_LOGD_PFX"QS_ClientEventBlockCount rule: "
+ "%s event detected "
+ "c=%s",
+ type,
+ QS_CONN_REMOTEIP(base->c) == NULL ? "-" : QS_CONN_REMOTEIP(base->c));
+ }
+ }
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * Connection destructor.
+ *
+ * Updates per IP events and connection counter.
+ *
+ * @param p Connection context
+ * @return APR_SUCCESS
+ */
+static apr_status_t qos_cleanup_conn(void *p) {
+ qs_conn_ctx *cconf = p;
+ if(cconf->sconf->has_qos_cc || cconf->sconf->qos_cc_prefer) {
+ qos_user_t *u = qos_get_user_conf(cconf->sconf->act->ppool);
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ searchE.ip6[0] = cconf->ip6[0];
+ searchE.ip6[1] = cconf->ip6[1];
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT15 */
+ // generation: check if it has been cleard for this process generation
+ if((m_generation != u->qos_cc->generation_locked) && u->qos_cc->connections > 0) {
+ u->qos_cc->connections--;
+ }
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, 0);
+ if((*clientEntry)->events < UINT_MAX) {
+ (*clientEntry)->events++; // update event activity even there is no valid request (logger)
+ }
+ if(cconf->set_vip_by_header) {
+ (*clientEntry)->vip = 1;
+ }
+ if(cconf->has_lowrate) {
+ (*clientEntry)->lowrate = time(NULL);
+ (*clientEntry)->lowratestatus |= QOS_LOW_FLAG_PKGRATE;
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT15 */
+ }
+ /* QS_SrvMaxConn or Geo */
+ if(qos_count_connections(cconf->sconf)) {
+ apr_global_mutex_lock(cconf->sconf->act->lock); /* @CRT3 */
+ if(cconf->sconf->act->conn && cconf->sconf->act->conn->connections > 0) {
+ cconf->sconf->act->conn->connections--;
+ }
+ apr_global_mutex_unlock(cconf->sconf->act->lock); /* @CRT3 */
+ }
+ if(cconf->sconf->max_conn_per_ip != -1) {
+ qos_dec_ip(cconf);
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * handler to close the connection in the case the abort
+ * by the pre-connect hook was ignored (Apache 2.4.28 Event MPM)
+ */
+static int qos_process_connection(conn_rec *connection) {
+#if (AP_SERVER_MINORVERSION_NUMBER == 4)
+#if (AP_SERVER_PATCHLEVEL_NUMBER > 17)
+ if(connection->master) {
+ // skip slave connections / process "real" connections only
+ return DECLINED;
+ }
+#endif
+#endif
+ if(connection->aborted == 1 && apr_table_get(connection->notes, QS_CONN_ABORT)) {
+ if(connection->cs) {
+ connection->cs->state = CONN_STATE_LINGER;
+ }
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, connection->base_server,
+ QOS_LOG_PFX(167)"closing connection at process connection hook, c=%s",
+ QS_CONN_REMOTEIP(connection) == NULL ? "-" :
+ QS_CONN_REMOTEIP(connection));
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ return DECLINED;
+}
+
+/**
+ * Connection constructor. Rules that are applied to established connections.
+ *
+ * @param c
+ * @return
+ */
+static int qos_pre_process_connection(conn_rec *connection, void *skt) {
+ conn_rec *c = connection;
+ qs_conn_ctx *cconf;
+ int vip = 0;
+ apr_socket_t *socket = skt;
+
+ if(c->sbh == NULL) {
+ // proxy connections do NOT have any relation to the score board, don't handle them
+ return DECLINED;
+ }
+
+#if (AP_SERVER_MINORVERSION_NUMBER == 4)
+#if (AP_SERVER_PATCHLEVEL_NUMBER > 17)
+ if(connection->master) {
+ // skip slave connections / process "real" connections only
+ return DECLINED;
+ }
+#endif
+#endif
+
+ cconf = qos_get_cconf(c);
+ if(cconf == NULL) {
+ int client_control = DECLINED;
+ int connections = 0;
+ int all_connections = 0;
+ int current = 0;
+ qs_ip_entry_t *conn_ip = NULL;
+ char *msg = NULL;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(c->base_server->module_config,
+ &qos_module);
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ cconf = qos_create_cconf(c, sconf);
+
+ /* control timeout */
+ if(sconf->req_rate != -1) {
+ qos_timeout_pc(c, sconf);
+ }
+
+ /* packet rate */
+ if(sconf->qos_cc_prefer_limit) {
+ qos_pktrate_pc(c, sconf);
+ }
+
+ /* evaluates client ip */
+ qos_ip_str2long(QS_CONN_REMOTEIP(c), cconf->ip6);
+#ifdef QS_INTERNAL_TEST
+ /* use one of the predefined ip addresses */
+ if(cconf->sconf->enable_testip) {
+ char *testid = apr_psprintf(c->pool, "%d", rand()%(m_qs_sim_ip_len-1));
+ const char *testip = apr_table_get(cconf->sconf->testip, testid);
+ qos_ip_str2long(testip, cconf->ip6);
+ }
+#endif
+
+ /* ------------------------------------------------------------
+ * update data
+ */
+ /* client control */
+ client_control = qos_cc_pc_filter(c, cconf, u, &msg);
+ /* QS_SrvMaxConn: vhost connections or Geo */
+ if(qos_count_connections(sconf)) {
+ apr_global_mutex_lock(cconf->sconf->act->lock); /* @CRT4 */
+ if(cconf->sconf->act->conn) {
+ cconf->sconf->act->conn->connections++;
+ all_connections = qos_server_connections(sconf);
+ connections = cconf->sconf->act->conn->connections;
+ apr_table_set(c->notes, "QS_SrvConn", apr_psprintf(c->pool, "%d", connections));
+ apr_table_set(c->notes, "QS_AllConn", apr_psprintf(c->pool, "%d", all_connections));
+ }
+ apr_global_mutex_unlock(cconf->sconf->act->lock); /* @CRT4 */
+ }
+
+ /* single source ip */
+ if(sconf->max_conn_per_ip != -1) {
+ current = qos_inc_ip(sconf, cconf, &conn_ip);
+ apr_table_set(c->notes, "QS_IPConn", apr_psprintf(c->pool, "%d", current));
+ }
+ /* Check for vip (by ip) */
+ vip = qos_is_excluded_ip(cconf->mc, sconf->exclude_ip);
+ if(vip == 0) {
+ // check if qos_cc_pc_filter() got vip status form the cc store
+ vip = cconf->is_vip;
+ }
+ if(vip) {
+ /* propagate vip to connection */
+ cconf->is_vip = vip;
+ if(!cconf->evmsg || !strstr(cconf->evmsg, "S;")) {
+ cconf->evmsg = apr_pstrcat(c->pool, "S;", cconf->evmsg, NULL);
+ }
+ }
+
+ /* ------------------------------------------------------------
+ * enforce rules
+ */
+ /* client control */
+ if((client_control != DECLINED) && !vip) {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ "%s",
+ msg == NULL ? "-" : msg);
+ if(!sconf->log_only) {
+ return qos_return_error_andclose(c, socket);
+ }
+ }
+ /* Geo */
+ if(sconf->geodb) {
+ unsigned long ip = qos_geo_str2long(c->pool, QS_CONN_REMOTEIP(c));
+ qos_geo_entry_t *pB = bsearch(&ip,
+ sconf->geodb->data,
+ sconf->geodb->size,
+ sizeof(qos_geo_entry_t),
+ qos_geo_comp);
+ if(pB) {
+ apr_table_set(c->notes, QS_COUNTRY, pB->country);
+ }
+ if(sconf->geo_limit != -1) {
+ if(all_connections >= sconf->geo_limit) {
+ if(sconf->geo_excludeUnknown == 1 && (pB == NULL || pB->country[0] == '\0')) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
+ QOS_LOGD_PFX"skip QS_ClientGeoCountryPriv enforcement"
+ " for client address %s which could not be mapped to country code",
+ QS_CONN_REMOTEIP(c) ? QS_CONN_REMOTEIP(c) : "UNKNOWN");
+ } else if(pB == NULL || apr_table_get(sconf->geo_priv, pB->country) == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ QOS_LOG_PFX(101)"access denied%s,"
+ " QS_ClientGeoCountryPriv rule: max=%d,"
+ " concurrent connections=%d,"
+ " c=%s"
+ " country=%s",
+ sconf->log_only ? " (log only)" : "",
+ sconf->geo_limit,
+ all_connections,
+ QS_CONN_REMOTEIP(c) == NULL ? "-" : QS_CONN_REMOTEIP(c),
+ pB != NULL ? pB->country : "--");
+ QS_INC_EVENT(sconf, 101);
+ if(!sconf->log_only) {
+ return qos_return_error_andclose(c, socket);
+ }
+ }
+ }
+ }
+ }
+ /* QS_SrvMaxConn: vhost connections */
+ if((sconf->max_conn != -1) && !vip) {
+ if(connections > sconf->max_conn) {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ QOS_LOG_PFX(030)"access denied%s, QS_SrvMaxConn rule: max=%d,"
+ " concurrent connections=%d,"
+ " c=%s",
+ sconf->log_only ? " (log only)" : "",
+ sconf->max_conn, connections,
+ QS_CONN_REMOTEIP(c) == NULL ? "-" : QS_CONN_REMOTEIP(c));
+ QS_INC_EVENT(sconf, 30);
+ if(!sconf->log_only) {
+ return qos_return_error_andclose(c, socket);
+ }
+ }
+ }
+ /* single source ip */
+ if((sconf->max_conn_per_ip != -1) && (!vip || sconf->max_conn_per_ip_ignore_vip == 1)) {
+ if((current > sconf->max_conn_per_ip) &&
+ (all_connections >= sconf->max_conn_per_ip_connections)) {
+ conn_ip->error++;
+ if(apr_table_get(sconf->setenvstatus_t, QS_MAXIP)) {
+ apr_table_set(c->notes, QS_MAXIP, "1");
+ }
+ /* only print the first 20 messages for this client */
+ QS_INC_EVENT(sconf, 31);
+ if(conn_ip->error <= QS_LOG_REPEAT) {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ QOS_LOG_PFX(031)"access denied%s,"
+ " QS_SrvMaxConnPerIP rule: max=%d,"
+ " concurrent connections=%d,"
+ " c=%s",
+ sconf->log_only ? " (log only)" : "",
+ sconf->max_conn_per_ip, current,
+ QS_CONN_REMOTEIP(c) == NULL ? "-" : QS_CONN_REMOTEIP(c));
+ } else {
+ if((conn_ip->error % QS_LOG_REPEAT) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ QOS_LOG_PFX(031)"access denied%s,"
+ " QS_SrvMaxConnPerIP rule: max=%d,"
+ " concurrent connections=%d,"
+ " message repeated %d times,"
+ " c=%s",
+ sconf->log_only ? " (log only)" : "",
+ sconf->max_conn_per_ip, current,
+ QS_LOG_REPEAT,
+ QS_CONN_REMOTEIP(c) == NULL ? "-" : QS_CONN_REMOTEIP(c));
+ }
+ }
+ if(!sconf->log_only) {
+ return qos_return_error_andclose(c, socket);
+ }
+ } else {
+ if(conn_ip) {
+ if(conn_ip->error > QS_LOG_REPEAT) {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ QOS_LOG_PFX(031)"access denied (previously),"
+ " QS_SrvMaxConnPerIP rule: max=%d,"
+ " concurrent connections=%d,"
+ " message repeated %d times,"
+ " c=%s",
+ sconf->max_conn_per_ip, current,
+ conn_ip->error % QS_LOG_REPEAT,
+ QS_CONN_REMOTEIP(c) == NULL ? "-" : QS_CONN_REMOTEIP(c));
+ }
+ conn_ip->error = 0;
+ }
+ }
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * Pre connection
+ * - constructs the connection ctx (stores socket ref)
+ * - enforces block counter (as early as possible)
+ */
+static int qos_pre_connection(conn_rec *connection, void *skt) {
+ conn_rec *c = connection;
+ int ret = DECLINED;
+ qos_srv_config *sconf;
+ qs_conn_base_ctx *base;
+ int excludeFromBlock;
+
+ if(c->sbh == NULL) {
+ // proxy connections do NOT have any relation to the score board, don't handle them
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
+ QOS_LOGD_PFX"skip processing of outgoing/virtual connection %s<->%s",
+ QS_CONN_REMOTEIP(c) ? QS_CONN_REMOTEIP(c) : "UNKNOWN",
+ c->local_ip ? c->local_ip : "UNKNOWN");
+ return ret;
+ }
+
+#if (AP_SERVER_MINORVERSION_NUMBER == 4)
+#if (AP_SERVER_PATCHLEVEL_NUMBER > 17)
+ if(connection->master) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
+ QOS_LOGD_PFX"skip slave connection %s",
+ QS_CONN_REMOTEIP(c) ? QS_CONN_REMOTEIP(c) : "UNKNOWN");
+ return ret;
+ }
+#endif
+#endif
+
+ sconf = (qos_srv_config*)ap_get_module_config(c->base_server->module_config, &qos_module);
+ excludeFromBlock = qos_is_excluded_ip(c, sconf->cc_exclude_ip);
+ base = qos_get_conn_base_ctx(c);
+ if(base == NULL) {
+ base = qos_create_conn_base_ctx(c, sconf);
+ base->clientSocket = skt;
+ }
+
+ if(sconf && (sconf->req_rate != -1)) {
+ qos_ifctx_t *inctx = qos_create_ifctx(c, sconf);
+ inctx->clientSocket = skt;
+ ap_add_input_filter("qos-in-filter", inctx, NULL, c);
+ }
+
+ /* blocked by event (block only, no limit) - very aggressive */
+ if(sconf->qos_cc_block && !excludeFromBlock) {
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ qos_ip_str2long(QS_CONN_REMOTEIP(c), searchE.ip6); // no ip simulation here
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT39 */
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, 0);
+ if((*clientEntry)->block >= sconf->qos_cc_block) {
+ apr_time_t now = time(NULL);
+ if(((*clientEntry)->blockTime + sconf->qos_cc_blockTime) > now) {
+ (*clientEntry)->blockMsg++;;
+ // stop logging every event if we have logged it many times
+ QS_INC_EVENT_LOCKED(sconf, 60);
+ if((*clientEntry)->blockMsg > QS_LOG_REPEAT) {
+ if(((*clientEntry)->blockMsg % QS_LOG_REPEAT) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ QOS_LOG_PFX(060)"access denied, "
+ "QS_ClientEventBlockCount rule: "
+ "max=%d, current=%hu, "
+ "message repeated %d times, "
+ "c=%s",
+ sconf->qos_cc_block,
+ (*clientEntry)->block,
+ QS_LOG_REPEAT,
+ QS_CONN_REMOTEIP(c) == NULL ? "-" : QS_CONN_REMOTEIP(c));
+ }
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ QOS_LOG_PFX(060)"access denied, QS_ClientEventBlockCount rule: "
+ "max=%d, current=%hu, age=%"APR_TIME_T_FMT", c=%s",
+ sconf->qos_cc_block,
+ (*clientEntry)->block,
+ now - (*clientEntry)->blockTime,
+ QS_CONN_REMOTEIP(c) == NULL ? "-" : QS_CONN_REMOTEIP(c));
+ }
+ if(!sconf->log_only) {
+ apr_table_set(c->notes, QS_BLOCK_SEEN, ""); // suppress NullConnection messages
+ c->keepalive = AP_CONN_CLOSE;
+ c->aborted = 1;
+ if(c->cs) {
+ c->cs->state = CONN_STATE_LINGER;
+ }
+ apr_table_set(c->notes, QS_CONN_ABORT, QS_CONN_ABORT);
+ if (m_forced_close == 0) {
+ ret = DECLINED;
+ } else {
+ ret = m_retcode;
+ }
+ }
+ } else {
+ /* release */
+ if((*clientEntry)->blockMsg > QS_LOG_REPEAT) {
+ // write remaining log lines
+ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, c->base_server,
+ QOS_LOG_PFX(060)"access denied (previously), QS_ClientEventBlockCount rule: "
+ "max=%d, current=%hu, "
+ "message repeated %d times, "
+ "c=%s",
+ sconf->qos_cc_block,
+ (*clientEntry)->block,
+ (*clientEntry)->blockMsg % QS_LOG_REPEAT,
+ QS_CONN_REMOTEIP(c) == NULL ? "-" : QS_CONN_REMOTEIP(c));
+ (*clientEntry)->blockMsg = 0;
+ }
+ (*clientEntry)->block = 0;
+ (*clientEntry)->blockTime = 0;
+ }
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT39 */
+ }
+
+ return ret;
+}
+
+/**
+ * Process user tracking cookie (QS_UserTrackingCookieName)
+ *
+ * @param r
+ * @return DECLINED or 302
+ */
+static int qos_post_read_request_later(request_rec *r) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ char *value;
+ const char *ignore;
+
+ if(sconf->log_env == 1) {
+ qos_log_env(r, ">PR_2");
+ }
+
+ if(!ap_is_initial_req(r) || !sconf->user_tracking_cookie) {
+ return DECLINED;
+ }
+
+ value = qos_get_remove_cookie(r, sconf->user_tracking_cookie);
+ qos_get_create_user_tracking(r, sconf, value);
+
+ if(!sconf->user_tracking_cookie_force) {
+ return DECLINED;
+ }
+
+ if(qos_request_check(r, sconf) != APR_SUCCESS) {
+ return HTTP_BAD_REQUEST;
+ }
+
+ if(strcmp("/favicon.ico", r->parsed_uri.path) == 0) {
+ return DECLINED;
+ }
+
+ ignore = apr_table_get(r->subprocess_env, QOS_DISABLE_UTC_ENFORCEMENT);
+ if(ignore) {
+ return DECLINED;
+ }
+ if(strcmp(sconf->user_tracking_cookie_force, r->parsed_uri.path) == 0) {
+ /* access to check url */
+ if(sconf->user_tracking_cookie_jsredirect == 1) {
+ apr_table_set(r->subprocess_env, "QS_UT_NAME", sconf->user_tracking_cookie);
+ apr_table_set(r->subprocess_env, "QS_UT_INITIAL_URI", "/");
+ apr_table_set(r->subprocess_env, "QS_UT_QUERY", "qs=init");
+ if(r->parsed_uri.query && strcmp(r->parsed_uri.query, "qs=init") == 0) {
+ apr_table_add(r->headers_out, "Cache-Control", "no-cache, no-store");
+ qos_send_user_tracking_cookie(r, sconf, HTTP_OK);
+ return DECLINED;
+ }
+ if(r->parsed_uri.query && (strncmp(r->parsed_uri.query, "r=", 2) == 0)) {
+ char *redirect_page;
+ int buf_len = 0;
+ unsigned char *buf;
+ char *q = r->parsed_uri.query;
+ buf_len = qos_decrypt(r, sconf, &buf, &q[2]);
+ if(buf_len > 0) {
+ redirect_page = apr_psprintf(r->pool, "%.*s",
+ buf_len, buf);
+ apr_table_set(r->subprocess_env, "QS_UT_INITIAL_URI", redirect_page);
+ }
+ }
+ }
+ if(apr_table_get(r->subprocess_env, QOS_USER_TRACKING_NEW) == NULL) {
+ if(r->parsed_uri.query && (strncmp(r->parsed_uri.query, "r=", 2) == 0)) {
+ /* client has send a cookie, redirect to original url */
+ int buf_len = 0;
+ unsigned char *buf;
+ char *q = r->parsed_uri.query;
+ buf_len = qos_decrypt(r, sconf, &buf, &q[2]);
+ if(buf_len > 0) {
+ char *redirect_page = apr_psprintf(r->pool, "%s%.*s",
+ qos_this_host(r),
+ buf_len, buf);
+ apr_table_set(r->headers_out, "Location", redirect_page);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ }
+ } /* else, "grant access" to the error page */
+ /* but prevent page caching (the browser shall always access the
+ server when redireced to this url */
+ apr_table_add(r->headers_out, "Cache-Control", "no-cache, no-store");
+ } else if(apr_table_get(r->subprocess_env, QOS_USER_TRACKING_NEW) != NULL) {
+ if((r->method_number == M_GET || sconf->user_tracking_cookie_jsredirect == 1) &&
+ (apr_table_get(r->subprocess_env, QOS_USER_TRACKING_RENEW) == NULL)) {
+ /* no valid cookie in request, redirect to check page */
+ char *redirect_page = apr_pstrcat(r->pool, qos_this_host(r),
+ sconf->user_tracking_cookie_force,
+ "?r=",
+ qos_encrypt(r, sconf,
+ (unsigned char *)r->unparsed_uri,
+ strlen(r->unparsed_uri)),
+ NULL);
+ apr_table_set(r->headers_out, "Location", redirect_page);
+ if(sconf->user_tracking_cookie_jsredirect < 1) {
+ qos_send_user_tracking_cookie(r, sconf, HTTP_MOVED_TEMPORARILY);
+ }
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * All headers has been read. End/updates connection level filters and propagtes
+ * per connection events to the request_rec.
+ *
+ * @param r
+ * @return DECLINED
+ */
+static int qos_post_read_request(request_rec *r) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ qos_ifctx_t *inctx = NULL;
+
+ /* propagate connection env vars to req, geo data and QS_SrvMaxConn */
+ const char *country = apr_table_get(r->connection->notes, QS_COUNTRY);
+ const char *connections = apr_table_get(r->connection->notes, "QS_SrvConn");
+ const char *all_connections = apr_table_get(r->connection->notes, "QS_AllConn");
+ const char *fromCurrentIp = apr_table_get(r->connection->notes, "QS_IPConn");
+ const char *connectionid = apr_table_get(r->connection->notes, QS_CONNID);
+ const char *lowPrioFlags = apr_table_get(r->connection->notes, "QS_ClientLowPrio");
+ const char *isVipIP = apr_table_get(r->connection->notes, QS_ISVIPREQ);
+
+ /* QS_UnsetReqHeader */
+ qos_unset_reqheader(r, sconf);
+
+ if(sconf->geodb) {
+ if(sconf->qos_cc_forwardedfor) {
+ // override country determined on a per connection basis
+ const char *forwardedfor = qos_forwardedfor_fromHeader(r, sconf->qos_cc_forwardedfor);
+ if(forwardedfor) {
+ unsigned long ip = qos_geo_str2long(r->pool, forwardedfor);
+ if(ip) {
+ qos_geo_entry_t *pB = bsearch(&ip,
+ sconf->geodb->data,
+ sconf->geodb->size,
+ sizeof(qos_geo_entry_t),
+ qos_geo_comp);
+ if(pB) {
+ country = apr_pstrdup(r->pool, pB->country);
+ }
+ } else {
+ if(apr_table_get(r->notes, "QOS_LOG_PFX069") == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(069)"no valid IP header found (@prr):"
+ " invalid header value '%s', fallback to connection's IP %s, id=%s",
+ forwardedfor,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "069"));
+ apr_table_set(r->notes, "QOS_LOG_PFX069", "log once");
+ QS_INC_EVENT(sconf, 69);
+ }
+ }
+ } else {
+ if(apr_table_get(r->notes, "QOS_LOG_PFX069") == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(069)"no valid IP header found (@prr):"
+ " header '%s' not available, fallback to connection's IP %s, id=%s",
+ sconf->qos_cc_forwardedfor,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "069"));
+ apr_table_set(r->notes, "QOS_LOG_PFX069", "log once");
+ QS_INC_EVENT(sconf, 69);
+ }
+ }
+ }
+ }
+ if(country) {
+ apr_table_set(r->subprocess_env, QS_COUNTRY, country);
+ }
+ if(connections) {
+ apr_table_set(r->subprocess_env, "QS_SrvConn", connections);
+ }
+ if(fromCurrentIp) {
+ apr_table_set(r->subprocess_env, "QS_IPConn", fromCurrentIp);
+ }
+ if(all_connections) {
+ apr_table_set(r->subprocess_env, "QS_AllConn", all_connections);
+ }
+ if(connectionid == NULL) {
+ connectionid = apr_psprintf(r->pool, "%"APR_TIME_T_FMT"%.2ld%.5"APR_PID_T_FMT,
+ r->request_time,
+ r->connection->id % 100,
+ getpid());
+ apr_table_set(r->connection->notes, QS_CONNID, connectionid);
+ }
+ apr_table_set(r->subprocess_env, QS_CONNID, connectionid);
+
+ if(!ap_is_initial_req(r)) {
+ // sub-request
+ qos_propagate_events(r);
+ } else {
+ qos_pr_event_limit(r, sconf);
+ }
+
+ /* QS_ClientPrefer: propagate connection env vars to req */
+ if(lowPrioFlags) {
+ apr_table_set(r->subprocess_env, "QS_ClientLowPrio", lowPrioFlags);
+ }
+ /* QS_IsVipRequest is set due VIP IP */
+ if(isVipIP) {
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, isVipIP);
+ }
+
+ if(sconf->log_env == 1) {
+ qos_log_env(r, ">PR_1");
+ }
+
+ if(qos_request_check(r, sconf) != APR_SUCCESS) {
+ return HTTP_BAD_REQUEST;
+ }
+
+ if(!ap_is_initial_req(r)) {
+ // we are done for this request (e.g. error page)
+ return DECLINED;
+ }
+
+ qos_parp_prr(r, sconf);
+ if(sconf && (sconf->req_rate != -1)) {
+ inctx = qos_get_ifctx(r->connection->input_filters);
+ if(inctx) {
+ const char *te = apr_table_get(r->headers_in, "Transfer-Encoding");
+ inctx->r = r;
+ if(r->read_chunked || (te && (strcasecmp(te, "chunked") == 0))) {
+ ap_add_input_filter("qos-in-filter2", inctx, r, r->connection);
+ inctx->status = QS_CONN_STATE_CHUNKED;
+ } else {
+ const char *cl = apr_table_get(r->headers_in, "Content-Length");
+ if(cl == NULL) {
+ inctx->status = QS_CONN_STATE_END;
+#if APR_HAS_THREADS
+ if(!sconf->inctx_t->exit) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT26 */
+ apr_table_unset(sconf->inctx_t->table,
+ QS_INCTX_ID);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT26 */
+ }
+#endif
+ } else {
+#ifdef ap_http_scheme
+ /* Apache 2.2 */
+ if(APR_SUCCESS == apr_strtoff(&inctx->cl_val, cl, NULL, 0))
+#else
+ if((inctx->cl_val = apr_atoi64(cl)) >= 0)
+#endif
+ {
+ ap_add_input_filter("qos-in-filter2", inctx, r, r->connection);
+ inctx->status = QS_CONN_STATE_BODY;
+ } else {
+ /* header filter should block this request */
+ }
+ }
+ }
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * QS_LimitRequestBody, if content-length header is available.
+ *
+ * @param r
+ * @param sconf Either server or dir config is used (or env var)
+ * @param dconf Either server or dir config is used (or env var)
+ * @return HTTP_REQUEST_ENTITY_TOO_LARGE if not allowed
+ */
+static apr_status_t qos_limitrequestbody_ctl(request_rec *r, qos_srv_config *sconf,
+ qos_dir_config *dconf) {
+ apr_off_t maxpost = qos_maxpost(r, sconf, dconf);
+ if(maxpost != -1) {
+ const char *l = apr_table_get(r->headers_in, "Content-Length");
+ if(l != NULL) {
+ apr_off_t s;
+#ifdef ap_http_scheme
+ /* Apache 2.2 */
+ char *errp = NULL;
+ if((APR_SUCCESS != apr_strtoff(&s, l, &errp, 10)) || (s < 0))
+#else
+ if(((s = apr_atoi64(l)) < 0) || (s < 0))
+#endif
+ {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(044)"access denied%s, QS_LimitRequestBody:"
+ " invalid content-length header, c=%s, id=%s",
+ sconf->log_only ? " (log only)" : "",
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "044"));
+ QS_INC_EVENT(sconf, 44);
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ if(s > maxpost) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(044)"access denied%s, QS_LimitRequestBody:"
+ " max=%"APR_OFF_T_FMT" this=%"APR_OFF_T_FMT", c=%s, id=%s",
+ sconf->log_only ? " (log only)" : "",
+ maxpost, s,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "044"));
+ QS_INC_EVENT(sconf, 44);
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ } else {
+ int read_chunked = 0;
+ if(r->read_chunked) {
+ read_chunked = 1;
+ } else {
+ // Apache 2.4
+ const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
+ if(tenc && strcasecmp(tenc, "chunked") == 0) {
+ read_chunked = 1;
+ }
+ }
+ if(ap_is_initial_req(r) && read_chunked) {
+ ap_add_input_filter("qos-in-filter3", NULL, r, r->connection);
+ }
+ }
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * Header parser (executed after mod_setenvif but before mod_parp).
+ * Implements content-length based request body size limit and activates
+ * content-length adijustmen for compressed request body.
+ *
+ * @param r
+ * @return
+ */
+static int qos_header_parser1(request_rec * r) {
+ if(ap_is_initial_req(r)) {
+ apr_status_t rv;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ qos_dir_config *dconf = (qos_dir_config*)ap_get_module_config(r->per_dir_config,
+ &qos_module);
+
+ if(sconf->log_env == 1) {
+ qos_log_env(r, ">HP_2");
+ }
+
+ qos_deflate(r);
+
+ /** QS_LimitRequestBody */
+ rv = qos_limitrequestbody_ctl(r, sconf, dconf);
+ if(rv != APR_SUCCESS) {
+ int rc;
+ const char *error_page = sconf->error_page;
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return rv;
+ }
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * Header parser (executed before mod_setenvif or mod_parp).
+ * Enables mod_parp if request body processing (filter) has been enabled
+ * and implements the request header filter.
+ *
+ * @param r
+ * @return
+ */
+static int qos_header_parser0(request_rec * r) {
+ if(ap_is_initial_req(r)) {
+ int rc = DECLINED;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ qos_dir_config *dconf = (qos_dir_config*)ap_get_module_config(r->per_dir_config,
+ &qos_module);
+
+ if(sconf->log_env == 1) {
+ qos_log_env(r, ">HP_1");
+ }
+
+ /*
+ * QS_DenyBody requires mod_parp
+ */
+ if(dconf && (dconf->bodyfilter_p == 1 || dconf->bodyfilter_d == 1)) {
+ qos_enable_parp(r);
+ }
+
+ /*
+ * QS_RequestHeaderFilter enforcement
+ */
+ rc = qos_hp_header_filter(r, sconf, dconf);
+ if(rc != DECLINED) {
+ return rc;
+ }
+
+ }
+ return DECLINED;
+}
+
+/**
+ * Header parser implements restrictions on a per location (url) basis.
+ *
+ * @param r
+ * @return
+ */
+static int qos_header_parser(request_rec * r) {
+ /* apply rules only to main request (avoid filtering of error documents) */
+ if(ap_is_initial_req(r)) {
+ char *msg = NULL;
+ char *uid = NULL;
+ int req_per_sec_block = 0;
+ apr_off_t kbytes_per_sec_limit = 0;
+ qs_acentry_t *event_kbytes_per_sec = NULL;
+ int status;
+ const char *tmostr = NULL;
+ qs_acentry_t *actEntry = NULL;
+ qs_acentry_t *actEntryCond = NULL;
+ qs_acentry_t *actEntryMain = NULL; // either e or e_cond (used for locking)
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ qos_dir_config *dconf = (qos_dir_config*)ap_get_module_config(r->per_dir_config,
+ &qos_module);
+ qs_req_ctx *rctx = NULL;
+ const char *error_page = sconf->error_page;
+
+ if(sconf->log_env == 1) {
+ qos_log_env(r, ">HP_3");
+ }
+
+ qos_deflate_contentlength(r);
+
+ /* QS_SetEnvIfResBody */
+ if(dconf && dconf->response_pattern) {
+ ap_add_output_filter("qos-out-filter-body", NULL, r, r->connection);
+ }
+
+ /* enable broken connection detection (connection abort by client) */
+ if(apr_table_get(sconf->setenvstatus_t, QS_BROKEN_CON)) {
+ ap_add_output_filter("qos-out-filter-brokencon", NULL, r, r->connection);
+ }
+
+ /*
+ * QS_Permit* / QS_Deny* enforcement (but not QS_DenyEvent)
+ */
+ status = qos_hp_filter(r, sconf, dconf);
+ /* prepare audit log */
+ if(m_enable_audit && dconf) {
+ qos_audit(r, dconf);
+ }
+ if(status != DECLINED) {
+ return status;
+ }
+
+ /*
+ * Dynamic keep alive
+ */
+ if(!sconf->log_only) {
+ qos_keepalive(r, sconf);
+ }
+
+ /*
+ * VIP control
+ */
+ if(sconf->header_name || sconf->vip_user) {
+ rctx = qos_rctx_config_get(r);
+ rctx->is_vip = qos_is_vip(r, sconf);
+ if(rctx->is_vip) {
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ if(cconf) {
+ cconf->is_vip = 1;
+ }
+ }
+ }
+
+ /*
+ * additional variables
+ */
+ if(apr_table_elts(sconf->setenvifparp_t)->nelts > 0) {
+ qos_parp_hp(r, sconf);
+ }
+ if((apr_table_elts(sconf->setenvifparpbody_t)->nelts > 0) && qos_parp_body_data_fn) {
+ qos_parp_hp_body(r, sconf);
+ }
+ if(r->parsed_uri.query) {
+ qos_setenvifquery(r, sconf, dconf);
+ }
+ if(sconf->setenvif_t->nelts > 0) {
+ qos_setenvif(r, sconf->setenvif_t);
+ }
+ if(dconf->setenvif_t->nelts > 0) {
+ qos_setenvif(r, dconf->setenvif_t);
+ }
+ if(apr_table_elts(sconf->setenv_t)->nelts > 0) {
+ qos_setenv(r, sconf);
+ }
+ if(apr_table_elts(sconf->setreqheader_t)->nelts > 0) {
+ qos_setreqheader(r, sconf->setreqheader_t);
+ }
+ tmostr = apr_table_get(r->subprocess_env, QS_TIMEOUT);
+ if(tmostr) {
+ apr_interval_time_t timeout = apr_time_from_sec(atoi(tmostr));
+ if(timeout > 0) {
+ qs_conn_base_ctx *bctx = qos_get_conn_base_ctx(r->connection);
+ if(bctx && bctx->clientSocket) {
+ if(QS_ISDEBUG(r->server)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ QOS_LOGD_PFX"set connection timeout to %s seconds, id=%s",
+ tmostr, qos_unique_id(r, NULL));
+ }
+ apr_socket_timeout_set(bctx->clientSocket, timeout);
+ }
+ }
+ }
+
+ /*
+ * QS_DenyEvent
+ */
+ if(apr_table_elts(dconf->rfilter_table)->nelts > 0) {
+ status = qos_hp_event_deny_filter(r, sconf, dconf);
+ if(status != DECLINED) {
+ return status;
+ }
+ }
+
+ /*
+ * QS_EventLimitCount
+ */
+ if(sconf->event_limit_a->nelts > 0) {
+ status = qos_hp_event_limit(r, sconf);
+ if(status != DECLINED) {
+ return status;
+ }
+ }
+
+ /*
+ * QS_EventRequestLimit
+ */
+ if(sconf->has_event_filter) {
+ status = qos_hp_event_filter(r, sconf);
+ if(status != DECLINED) {
+ return status;
+ }
+ }
+
+ /*
+ * QS_EventPerSecLimit/QS_EventKBytesPerSecLimit
+ */
+ if(sconf->has_event_limit) {
+ event_kbytes_per_sec = qos_hp_event_count(r, &req_per_sec_block, &kbytes_per_sec_limit);
+ }
+
+ /*
+ * QS_SetEnvIfCmp
+ */
+ qos_setenvifcmp(r, dconf->setenvcmp);
+
+ /*
+ * QS_ClientEventRequestLimit
+ */
+ if(sconf->qos_cc_event_req >= 0) {
+ status = qos_hp_cc_event_count(r, sconf, rctx);
+ if(status != DECLINED) {
+ return status;
+ }
+ }
+
+ /*
+ * QS_ClientSerialize
+ */
+ if(sconf->qos_cc_serialize && apr_table_get(r->subprocess_env, QS_SERIALIZE)) {
+ qos_hp_cc_serialize(r, sconf, rctx);
+ }
+
+ /*
+ * QS_SrvSerialize
+ */
+ if((sconf->serialize == 1) && apr_table_get(r->subprocess_env, QS_SRVSERIALIZE)) {
+ qos_hp_srv_serialize(r, sconf, rctx);
+ }
+
+ /*
+ * client control
+ */
+ if(qos_hp_cc(r, sconf, &msg, &uid) != DECLINED) {
+ int rc;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ "%s, id=%s", msg == NULL ? "-" : msg,
+ qos_unique_id(r, uid));
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return m_retcode;
+ }
+ }
+
+ /*
+ * Request level control
+ * get rule with conditional enforcement
+ */
+ actEntryCond = qos_getcondrule_byregex(r, sconf);
+ /* 1st prio has "Match" rule */
+ actEntry = qos_getrule_byregex(r, sconf);
+ /* 2th prio has "URL" rule */
+ if(!actEntry) actEntry = qos_getrule_bylocation(r, sconf);
+ if(actEntry) {
+ actEntryMain = actEntry;
+ } else if(actEntryCond) {
+ actEntryMain = actEntryCond;
+ }
+
+ if(!rctx) {
+ rctx = qos_rctx_config_get(r);
+ }
+ // optimistic locking (write only)
+ if(actEntryMain) {
+ rctx->entry_cond = actEntryCond;
+ rctx->entry = actEntry;
+
+ apr_global_mutex_lock(actEntryMain->lock); /* @CRT5 */
+
+ if(actEntryCond) {
+ actEntryCond->counter++;
+ }
+
+ if(actEntry) {
+ actEntry->counter++;
+ if(actEntry->req_per_sec_block_rate > req_per_sec_block) {
+ /* update req_per_sec_block if event restriction has returned worse block rate */
+ req_per_sec_block = actEntry->req_per_sec_block_rate;
+ }
+ }
+
+ apr_global_mutex_unlock(actEntryMain->lock); /* @CRT5 */
+
+ }
+
+ if(actEntry) {
+ /*
+ * QS_LocRequestLimitMatch/QS_LocRequestLimit/QS_LocRequestLimitDefault enforcement
+ */
+ if(actEntry->limit && (actEntry->counter > actEntry->limit)) {
+ /* vip session has no limitation */
+ if(rctx->is_vip) {
+ qs_set_evmsg(r, "S;");
+ } else {
+ /* std user */
+ int rc;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(010)"access denied%s, QS_LocRequestLimit* rule: %s(%d),"
+ " concurrent requests=%d,"
+ " c=%s, id=%s",
+ sconf->log_only ? " (log only)" : "",
+ actEntry->url, actEntry->limit, actEntry->counter,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "010"));
+ QS_INC_EVENT(sconf, 10);
+ qs_set_evmsg(r, "D;");
+ // request has already been blocked, don't cont this request for req/sec violations!
+ apr_table_set(r->notes, QS_R010_ALREADY_BLOCKED, "");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return m_retcode;
+ }
+ }
+ }
+ /*
+ * QS_LocRequestPerSecLimit/QS_EventPerSecLimit enforcement
+ */
+ if(req_per_sec_block) {
+ if(rctx->is_vip) {
+ qs_set_evmsg(r, "S;");
+ } else {
+ qs_set_evmsg(r, "L;");
+ if(!sconf->log_only) {
+ apr_sleep(req_per_sec_block*1000);
+ }
+ /* don't wait more than once */
+ req_per_sec_block = 0;
+ }
+ }
+
+ /*
+ * QS_LocKBytesPerSecLimit selection
+ */
+ if(actEntry->kbytes_per_sec_limit) {
+ if(kbytes_per_sec_limit) {
+ if(actEntry->kbytes_per_sec_limit < kbytes_per_sec_limit) {
+ // this is lower than the event limitation
+ kbytes_per_sec_limit = actEntry->kbytes_per_sec_limit;
+ event_kbytes_per_sec = actEntry;
+ }
+ } else {
+ kbytes_per_sec_limit = actEntry->kbytes_per_sec_limit;
+ event_kbytes_per_sec = actEntry;
+ }
+ }
+ }
+
+ /*
+ * QS_EventKBytesPerSecLimit or QS_LocKBytesPerSecLimit enforcement
+ */
+ if(kbytes_per_sec_limit) {
+ if(rctx->is_vip) {
+ qs_set_evmsg(r, "S;");
+ } else {
+ qos_delay_ctx_t *dctx = apr_pcalloc(r->pool, sizeof(qos_delay_ctx_t));
+ dctx->rctx = rctx;
+ dctx->entry = event_kbytes_per_sec;
+ if(!sconf->log_only) {
+ ap_add_output_filter("qos-out-filter-delay", dctx, r, r->connection);
+ }
+ }
+ }
+
+ if(actEntryCond) {
+ /*
+ * QS_CondLocRequestLimitMatch
+ */
+ if(actEntryCond->limit && (actEntryCond->counter > actEntryCond->limit)) {
+ /* check condition */
+ const char *condition = apr_table_get(r->subprocess_env, QS_COND);
+ if(condition) {
+ if(ap_regexec(actEntryCond->condition, condition, 0, NULL, 0) == 0) {
+ /* vip session has no limitation */
+ if(rctx->is_vip) {
+ qs_set_evmsg(r, "S;");
+ } else {
+ /* std user */
+ int rc;
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(011)"access denied, QS_CondLocRequestLimitMatch"
+ " rule: %s(%d),"
+ " concurrent requests=%d,"
+ " c=%s, id=%s",
+ actEntryCond->url, actEntryCond->limit, actEntryCond->counter,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "011"));
+ QS_INC_EVENT(sconf, 11);
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return m_retcode;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ /*
+ * QS_EventPerSecLimit
+ */
+ if(req_per_sec_block) {
+ qs_set_evmsg(r, "L;");
+ if(!sconf->log_only) {
+ apr_sleep(req_per_sec_block*1000);
+ }
+ }
+
+ /*
+ * QS_Delay
+ */
+ qos_delay(r, sconf);
+
+ }
+ return DECLINED;
+}
+
+/**
+ * QS_LimitRequestBody
+ * Input filter limiting request body size for chunked encoded requests.
+ *
+ * @param f
+ * @param bb
+ * @param mode
+ * @param block
+ * @param nbytes
+ * @return
+ */
+static apr_status_t qos_in_filter3(ap_filter_t *f, apr_bucket_brigade *bb,
+ ap_input_mode_t mode, apr_read_type_e block,
+ apr_off_t nbytes) {
+ apr_status_t rv = ap_get_brigade(f->next, bb, mode, block, nbytes);
+ request_rec *r = f->r;
+
+ qos_srv_config *sconf = ap_get_module_config(r->server->module_config, &qos_module);
+ qos_dir_config *dconf = ap_get_module_config(r->per_dir_config, &qos_module);
+ apr_off_t maxpost = qos_maxpost(r, sconf, dconf);
+
+ if(rv != APR_SUCCESS) {
+ return rv;
+ }
+
+ if(maxpost != -1) {
+ apr_size_t bytes = 0;
+ apr_bucket *b;
+ qs_req_ctx *rctx = qos_rctx_config_get(r);
+ for(b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb); b = APR_BUCKET_NEXT(b)) {
+ bytes = bytes + b->length;
+ }
+ rctx->maxpostcount += bytes;
+ if(rctx->maxpostcount > maxpost) {
+ int rc;
+ const char *error_page = sconf->error_page;
+ qs_req_ctx *rctx = qos_rctx_config_get(r);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(044)"access denied%s, QS_LimitRequestBody:"
+ " max=%"APR_OFF_T_FMT" this=%"APR_OFF_T_FMT", c=%s, id=%s",
+ sconf->log_only ? " (log only)" : "",
+ maxpost, rctx->maxpostcount,
+ QS_CONN_REMOTEIP(r->connection) == NULL ? "-" : QS_CONN_REMOTEIP(r->connection),
+ qos_unique_id(r, "044"));
+ QS_INC_EVENT(sconf, 44);
+ qs_set_evmsg(r, "D;");
+ if(!sconf->log_only) {
+ rc = qos_error_response(r, error_page);
+ if((rc == DONE) || (rc == HTTP_MOVED_TEMPORARILY)) {
+ return rc;
+ }
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ }
+ }
+ return APR_SUCCESS;
+}
+
+/**
+ * Input filter removes connection from sconf->inctx_t->table
+ * when reading EOS.
+ *
+ * @param f
+ * @param bb
+ * @param mode
+ * @param block
+ * @param nbytes
+ * @return
+ */
+static apr_status_t qos_in_filter2(ap_filter_t *f, apr_bucket_brigade *bb,
+ ap_input_mode_t mode, apr_read_type_e block,
+ apr_off_t nbytes) {
+ qos_ifctx_t *inctx = f->ctx;
+ apr_status_t rv = ap_get_brigade(f->next, bb, mode, block, nbytes);
+ if((rv == APR_SUCCESS) && APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(inctx->c->base_server->module_config,
+ &qos_module);
+ ap_remove_input_filter(f);
+#if APR_HAS_THREADS
+ if(!sconf->inctx_t->exit) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT28 */
+ apr_table_unset(sconf->inctx_t->table,
+ QS_INCTX_ID);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT28 */
+ }
+#endif
+ }
+ return rv;
+}
+
+/**
+ * Input filter, used to log timeout event, mark slow clients,
+ * and to calculate packet rate.
+ *
+ * Adds/removes the connection from the sconf->inctx_t->table
+ * dapending of the request state (read head/body, keepalive, ...).
+ *
+ * @param f
+ * @param bb
+ * @param mode
+ * @param block
+ * @param nbytes
+ * @return
+ */
+static apr_status_t qos_in_filter(ap_filter_t *f, apr_bucket_brigade *bb,
+ ap_input_mode_t mode, apr_read_type_e block,
+ apr_off_t nbytes) {
+ apr_status_t rv;
+ qos_ifctx_t *inctx = f->ctx;
+ apr_size_t bytes = 0;
+ int crs = inctx->status;
+ rv = ap_get_brigade(f->next, bb, mode, block, nbytes);
+ if(rv == APR_SUCCESS) {
+ if(inctx->lowrate != -1) {
+ bytes = qos_packet_rate(inctx, bb);
+ }
+ }
+ if(inctx->status == QS_CONN_STATE_KEEP) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(inctx->c->base_server->module_config,
+ &qos_module);
+ inctx->time = time(NULL);
+ inctx->nbytes = 0;
+ inctx->status = QS_CONN_STATE_HEAD;
+#if APR_HAS_THREADS
+ if(sconf->inctx_t && !sconf->inctx_t->exit && sconf->min_rate_off == 0) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT23 */
+ apr_table_setn(sconf->inctx_t->table,
+ QS_INCTX_ID,
+ (char *)inctx);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT23 */
+ }
+#endif
+ }
+ if(rv != APR_SUCCESS) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(inctx->c->base_server->module_config,
+ &qos_module);
+ inctx->status = QS_CONN_STATE_END;
+ inctx->time = 0;
+ inctx->nbytes = 0;
+#if APR_HAS_THREADS
+ if(sconf->inctx_t && !sconf->inctx_t->exit) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT24 */
+ apr_table_unset(sconf->inctx_t->table,
+ QS_INCTX_ID);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT24 */
+ }
+#endif
+ }
+ if(inctx->status > QS_CONN_STATE_NEW) {
+ if(rv == APR_SUCCESS) {
+ if(bytes == 0) {
+ apr_bucket *b;
+ for(b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb); b = APR_BUCKET_NEXT(b)) {
+ bytes = bytes + b->length;
+ }
+ }
+ inctx->nbytes = inctx->nbytes + bytes;
+ inctx->hasBytes = inctx->nbytes;
+ if(inctx->status == QS_CONN_STATE_BODY) {
+ if(inctx->cl_val >= bytes) {
+ inctx->cl_val = inctx->cl_val - bytes;
+ }
+ if(inctx->cl_val == 0) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(inctx->c->base_server->module_config,
+ &qos_module);
+#if APR_HAS_THREADS
+ if(!sconf->inctx_t->exit) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT27 */
+ apr_table_unset(sconf->inctx_t->table,
+ QS_INCTX_ID);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT27 */
+ }
+#endif
+ }
+ }
+ }
+ if((rv == APR_TIMEUP) &&
+ (crs != QS_CONN_STATE_END) &&
+ (crs != QS_CONN_STATE_KEEP)) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(inctx->c->base_server->module_config,
+ &qos_module);
+ /* mark clients causing a timeout */
+ if(sconf && sconf->has_qos_cc) {
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ request_rec *r = f->r;
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT18 */
+ qos_ip_str2long(QS_CONN_REMOTEIP(inctx->c), searchE.ip6);
+ clientEntry = qos_cc_getOrSet(u->qos_cc, &searchE, 0);
+ (*clientEntry)->lowrate = time(NULL);
+ (*clientEntry)->lowratestatus |= QOS_LOW_FLAG_TIMEOUT;
+ if(r) {
+ qs_set_evmsg(r, "r;");
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT18 */
+ }
+ inctx->lowrate = QS_PKT_RATE_TH + 1;
+ }
+ }
+ return rv;
+}
+
+/**
+ * BrokenConnection
+ */
+static apr_status_t qos_out_filter_brokencon(ap_filter_t *f, apr_bucket_brigade *bb) {
+ apr_status_t rc = ap_pass_brigade(f->next, bb);
+ if(rc == APR_ECONNABORTED || rc == APR_EPIPE) {
+ // client closed the connection (abort or broken pipe)
+ request_rec *r = f->r;
+ qs_set_evmsg(r, "A;");
+ apr_table_set(r->connection->notes, QS_BROKEN_CON, "");
+ }
+ return rc;
+}
+
+/**
+ * QS_SetEnvIfResBody
+ *
+ * Searches the response body for the pattern defined by the QS_SetEnvIfResBody
+ * directive (supports only one search pattern (literal string)).
+ *
+ * @param f
+ * @param bb
+ * @return
+ */
+static apr_status_t qos_out_filter_body(ap_filter_t *f, apr_bucket_brigade *bb) {
+ request_rec *r = f->r;
+ qos_dir_config *dconf = ap_get_module_config(r->per_dir_config, &qos_module);
+ qs_req_ctx *rctx;
+ int len;
+ apr_bucket *b;
+
+ if((dconf == NULL) || (dconf->response_pattern == NULL)) {
+ // not used
+ ap_remove_output_filter(f);
+ return ap_pass_brigade(f->next, bb);
+ }
+
+ rctx = qos_rctx_config_get(r);
+ len = dconf->response_pattern_len;
+
+ if((apr_table_get(r->subprocess_env, "QS_SetEnvIfResBodyIgnore") != NULL) &&
+ rctx->body_window == NULL) {
+ // skip this response (disabled and nothing processed yet)
+ ap_remove_output_filter(f);
+ return ap_pass_brigade(f->next, bb);
+ }
+
+ for(b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb); b = APR_BUCKET_NEXT(b)) {
+ if(APR_BUCKET_IS_EOS(b)) {
+ /* If we ever see an EOS, make sure to FLUSH. */
+ apr_bucket *flush = apr_bucket_flush_create(f->c->bucket_alloc);
+ APR_BUCKET_INSERT_BEFORE(b, flush);
+ }
+ if(!(APR_BUCKET_IS_METADATA(b))) {
+ const char *buf;
+ apr_size_t nbytes;
+ if(apr_bucket_read(b, &buf, &nbytes, APR_BLOCK_READ) == APR_SUCCESS) {
+ if(nbytes > 0) {
+ int blen = nbytes > len ? len : nbytes - 1;
+ /* 1. overlap: this buffer avoids that we miss a string if it is cut apart
+ within two buckets
+ e.g., [Logi][n Page] instead of [Login Page] when searching for "Login Page" */
+ if(rctx->body_window == NULL) {
+ // first call, create a window buffer
+ rctx->body_window = apr_pcalloc(r->pool, (len*2)+1);
+ rctx->body_window[0] = '\0';
+ } else {
+ // subsequent call, searches within the window too
+ int wlen = strlen(rctx->body_window);
+ strncpy(&rctx->body_window[wlen], buf, blen);
+ rctx->body_window[wlen+blen+1] = '\0';
+ if(strstr(rctx->body_window, dconf->response_pattern)) {
+ /* found pattern */
+ if(dconf->response_pattern_var[0] == '!') {
+ apr_table_unset(r->subprocess_env, &dconf->response_pattern_var[1]);
+ } else {
+ apr_table_set(r->subprocess_env, dconf->response_pattern_var, dconf->response_pattern);
+ }
+ ap_remove_output_filter(f);
+ }
+ }
+ /* 2. new buffer (don't want to copy the data) */
+ if(qos_strnstr(buf, dconf->response_pattern, nbytes)) {
+ /* found pattern */
+ if(dconf->response_pattern_var[0] == '!') {
+ apr_table_unset(r->subprocess_env, &dconf->response_pattern_var[1]);
+ } else {
+ apr_table_set(r->subprocess_env, dconf->response_pattern_var, dconf->response_pattern);
+ }
+ ap_remove_output_filter(f);
+ }
+ /* 3. store the end (for next loop) */
+ strncpy(rctx->body_window, &buf[nbytes - blen], blen);
+ rctx->body_window[blen] = '\0';
+ }
+ }
+ }
+ }
+ return ap_pass_brigade(f->next, bb);
+}
+
+/**
+ * Helper used by qos_out_filter_delay() to calculate/update
+ * the delay rate. Shall be called for every bucket we are
+ * sending to the client.
+ * @param request_time Time this request has started
+ * @param entry Rule entry to update / measure
+ * @param length Bytes we are going to transfer
+ * @return Wait time in microsseconds
+ */
+static apr_off_t qos_calc_kbytes_per_sec_wait_time(apr_time_t request_time,
+ qs_acentry_t *entry,
+ apr_off_t length) {
+ apr_off_t kbps_wait_time;
+ apr_global_mutex_lock(entry->lock); /* @CRT43 */
+ kbps_wait_time = entry->kbytes_per_sec_block_rate;
+ if(((entry->bytes / 1024) > entry->kbytes_per_sec_limit) ||
+ (request_time > (entry->kbytes_interval_us + APR_USEC_PER_SEC))) {
+ /* transferred more than the limit/sec OR
+ it's long time ago since we last updated the rate
+ => check within which time we did */
+ apr_time_t now = apr_time_now();
+ apr_time_t duration = now - entry->kbytes_interval_us;
+ apr_off_t kbs;
+ if(duration == 0) {
+ duration = 1;
+ }
+ kbs = entry->bytes * 1000 / duration;
+ entry->kbytes_per_sec = (entry->kbytes_per_sec + kbs) / 2;
+ if(duration > APR_USEC_PER_SEC) {
+ // lower than the defined kbytes/sec rate
+ if(kbps_wait_time > 0) {
+ // reduce wait time
+ apr_off_t newtime = kbps_wait_time * kbs / entry->kbytes_per_sec_limit;
+ // PI like closed-loop control
+ kbps_wait_time = (kbps_wait_time + newtime) / 2;
+ }
+ } else {
+ // higher than the defined kbytes/sec rate
+ if(kbps_wait_time == 0) {
+ kbps_wait_time = 1000; // start with 1 ms
+ } else {
+ // increase wait time
+ apr_off_t newtime = kbps_wait_time * kbs / entry->kbytes_per_sec_limit;
+ // PI like closed-loop control
+ kbps_wait_time = (kbps_wait_time + newtime) / 2;
+ }
+ }
+ if(kbps_wait_time > QS_MAX_DELAY) {
+ kbps_wait_time = QS_MAX_DELAY;
+ }
+ entry->kbytes_interval_us = now;
+ entry->bytes = 0;
+ }
+ entry->bytes = entry->bytes + length;
+ entry->kbytes_per_sec_block_rate = kbps_wait_time;
+ apr_global_mutex_unlock(entry->lock); /* @CRT43 */
+ return kbps_wait_time;
+}
+
+/**
+ * Output filter adds response delay.
+ *
+ * @param f
+ * @param bb
+ * @return
+ */
+static apr_status_t qos_out_filter_delay(ap_filter_t *f, apr_bucket_brigade *bb) {
+ qos_delay_ctx_t *dctx = f->ctx;
+ qs_acentry_t *entry = dctx->entry;
+ request_rec *r = f->r;
+ if(entry) {
+ apr_off_t length;
+ if(apr_brigade_length(bb, 1, &length) == APR_SUCCESS) {
+ if(length > 0) {
+ if(length > APR_BUCKET_BUFF_SIZE) {
+ // split (no proxy)
+ while(!APR_BRIGADE_EMPTY(bb)) {
+ apr_bucket *b, *first, *next;
+ apr_bucket_brigade *tmp_bb;
+ apr_status_t rv;
+ apr_off_t kbps_wait_time;
+ rv = apr_brigade_partition(bb, APR_BUCKET_BUFF_SIZE, &next);
+ if(rv != APR_SUCCESS && rv != APR_INCOMPLETE) {
+ return rv;
+ }
+ if(rv == APR_INCOMPLETE) { /* no split needed */
+ break;
+ }
+ first = APR_BRIGADE_FIRST(bb);
+ APR_BUCKET_REMOVE(first);
+ kbps_wait_time = qos_calc_kbytes_per_sec_wait_time(r->request_time,
+ entry, first->length);
+ if(kbps_wait_time > 0) {
+ dctx->rctx->response_delayed = (1 + dctx->rctx->response_delayed + kbps_wait_time) / 2;
+ apr_sleep(kbps_wait_time);
+ }
+ tmp_bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(tmp_bb, first);
+ b = apr_bucket_flush_create(f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(tmp_bb, b);
+ rv = ap_pass_brigade(f->next, tmp_bb);
+ if(rv != APR_SUCCESS) {
+ return rv;
+ }
+ }
+ } else {
+ // sleep once every 8k
+ apr_off_t kbps_wait_time = qos_calc_kbytes_per_sec_wait_time(r->request_time,
+ entry, length);
+ if(length < APR_BUCKET_BUFF_SIZE) {
+ // be fair with very small responses
+ kbps_wait_time = kbps_wait_time * length / APR_BUCKET_BUFF_SIZE;
+ }
+ if(kbps_wait_time > 0) {
+ dctx->rctx->response_delayed = (1 + dctx->rctx->response_delayed + kbps_wait_time) / 2;
+ apr_sleep(kbps_wait_time);
+ }
+ }
+ }
+ }
+ }
+ return ap_pass_brigade(f->next, bb);
+}
+
+/**
+ * Out filter measuring the minimal download bandwidth.
+ *
+ * @param f
+ * @param bb
+ * @return
+ */
+static apr_status_t qos_out_filter_min(ap_filter_t *f, apr_bucket_brigade *bb) {
+ request_rec *r = f->r;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config, &qos_module);
+ qos_ifctx_t *inctx = qos_get_ifctx(r->connection->input_filters);
+ if(APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) {
+#if APR_HAS_THREADS
+ if(!sconf->inctx_t->exit) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT30 */
+ apr_table_unset(sconf->inctx_t->table,
+ QS_INCTX_ID);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT30 */
+ }
+#endif
+ inctx->status = QS_CONN_STATE_END;
+ ap_remove_output_filter(f);
+ } else {
+ apr_size_t total = 0;
+ apr_bucket *b;
+ for(b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb); b = APR_BUCKET_NEXT(b)) {
+ total = total + b->length;
+ }
+ inctx->nbytes = inctx->nbytes + total;
+ }
+ return ap_pass_brigade(f->next, bb);
+}
+
+/**
+ * Merges two rule tables. Entries whose key/name begin with a "+" are added
+ * while those with a "-" prefix are removed.
+ *
+ * @param p Pool to allocate new table from.
+ * @param b_rfilter_table Base rule table (parent)
+ * @param o_rfilter_table Over rule table (child)
+ * @return Merged table
+ */
+apr_table_t *qos_table_merge_create(apr_pool_t *p, apr_table_t *b_rfilter_table,
+ apr_table_t *o_rfilter_table) {
+ int i;
+ apr_table_t *rfilter_table = apr_table_make(p, apr_table_elts(b_rfilter_table)->nelts +
+ apr_table_elts(o_rfilter_table)->nelts);
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(b_rfilter_table)->elts;
+ // add additional (+) entries from the base/parent table
+ for(i = 0; i < apr_table_elts(b_rfilter_table)->nelts; ++i) {
+ if(entry[i].key[0] == '+') {
+ apr_table_setn(rfilter_table, entry[i].key, entry[i].val);
+ }
+ }
+ // add additional (+) entries from the over/child table
+ entry = (apr_table_entry_t *)apr_table_elts(o_rfilter_table)->elts;
+ for(i = 0; i < apr_table_elts(o_rfilter_table)->nelts; ++i) {
+ if(entry[i].key[0] == '+') {
+ apr_table_setn(rfilter_table, entry[i].key, entry[i].val);
+ }
+ }
+ // remove the "-" entries
+ for(i = 0; i < apr_table_elts(o_rfilter_table)->nelts; ++i) {
+ if(entry[i].key[0] == '-') {
+ char *id = apr_psprintf(p, "+%s", &entry[i].key[1]);
+ apr_table_unset(rfilter_table, id);
+ }
+ }
+ return rfilter_table;
+}
+
+/* QS_SrvMinDataRateOffEvent */
+#if APR_HAS_THREADS
+static void qos_disable_rate(request_rec *r, qos_srv_config *sconf,
+ qos_dir_config *dconf) {
+ if(dconf && sconf && (sconf->req_rate != -1) && (sconf->min_rate != -1)) {
+ apr_table_t *disable_reqrate_events = dconf->disable_reqrate_events;
+ if(apr_table_elts(sconf->disable_reqrate_events)->nelts > 0) {
+ disable_reqrate_events = qos_table_merge_create(r->pool, sconf->disable_reqrate_events,
+ dconf->disable_reqrate_events);
+ }
+ if(apr_table_elts(disable_reqrate_events)->nelts > 0) {
+ qos_ifctx_t *inctx = qos_get_ifctx(r->connection->input_filters);
+ if(inctx) {
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(disable_reqrate_events)->elts;
+ int i;
+ for(i = 0; i < apr_table_elts(disable_reqrate_events)->nelts; i++) {
+ char *v = entry[i].key;
+ if(apr_table_get(r->subprocess_env, &v[1])) {
+ inctx->disabled = 1;
+ break;
+ }
+ }
+ }
+ }
+ }
+}
+#endif
+
+static void qos_start_res_rate(request_rec *r, qos_srv_config *sconf) {
+ if(sconf && (sconf->req_rate != -1) && (sconf->min_rate != -1)) {
+ qos_ifctx_t *inctx = qos_get_ifctx(r->connection->input_filters);
+ if(inctx) {
+ inctx->status = QS_CONN_STATE_RESPONSE;
+ inctx->time = time(NULL);
+ inctx->nbytes = 0;
+#if APR_HAS_THREADS
+ if(sconf->inctx_t && !sconf->inctx_t->exit && sconf->min_rate_off == 0) {
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT29 */
+ apr_table_setn(sconf->inctx_t->table,
+ QS_INCTX_ID,
+ (char *)inctx);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT29 */
+ }
+ ap_add_output_filter("qos-out-filter-min", NULL, r, r->connection);
+#endif
+ }
+ }
+}
+
+/* QS_SET_DSCP */
+static void qos_set_dscp(request_rec *r) {
+ const char *dscpStr = apr_table_get(r->subprocess_env, QS_SET_DSCP);
+ if(dscpStr) {
+#ifdef __unix__
+ qs_conn_base_ctx *base = qos_get_conn_base_ctx(r->connection);
+ int rc = -2;
+ int hasSocket = 0;
+ if(base!=NULL && base->clientSocket!=NULL) {
+ apr_socket_t *sock = base->clientSocket;
+ int fd;
+ int dscp = atoi(dscpStr);
+ hasSocket = 1;
+ apr_os_sock_get(&fd, sock);
+ if(dscp >= 0 && dscp < 64) {
+ int tos = dscp << 2;
+ if(QS_ISDEBUG(r->server)) {
+ int n = 0;
+ const char *d = "unknown";
+ while(m_dscp_desc[n].id >= 0) {
+ if(m_dscp_desc[n].id == dscp) {
+ d = m_dscp_desc[n].name;
+ }
+ n++;
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ QOS_LOGD_PFX"%s=%s, tos=0x%02x, dscp=0x%02x (%s), id=%s",
+ QS_SET_DSCP, dscpStr, tos, dscp, d, qos_unique_id(r, NULL));
+ }
+ rc = setsockopt(fd,
+ IPPROTO_IP, IP_TOS,
+ &tos, sizeof(tos));
+ }
+ }
+ if(rc != 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+ QOS_LOG_PFX(038)"DSCP, failed to set socket options, "
+ QS_SET_DSCP"=%s, socket=%s, rc=%d, id=%s",
+ dscpStr,
+ hasSocket ? "yes" : "no",
+ rc,
+ qos_unique_id(r, "038"));
+ }
+#else
+ ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+ QOS_LOG_PFX(038)QS_SET_DSCP" is not available for this platform");
+#endif
+ }
+}
+
+static void qos_end_res_rate(request_rec *r, qos_srv_config *sconf) {
+ if((sconf->req_rate != -1) && (sconf->min_rate != -1)) {
+ qos_ifctx_t *inctx = qos_get_ifctx(r->connection->input_filters);
+ if(inctx) {
+ inctx->time = time(NULL);
+ inctx->nbytes = 0;
+ if(r->connection->keepalive == AP_CONN_CLOSE) {
+ if(!sconf->inctx_t->exit) {
+#if APR_HAS_THREADS
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT30 */
+#endif
+ inctx->status = QS_CONN_STATE_END;
+#if APR_HAS_THREADS
+ apr_table_unset(sconf->inctx_t->table,
+ QS_INCTX_ID);
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT30 */
+#endif
+ }
+ } else {
+ if(!sconf->inctx_t->exit) {
+#if APR_HAS_THREADS
+ apr_thread_mutex_lock(sconf->inctx_t->lock); /* @CRT30 */
+#endif
+ if(inctx->status != QS_CONN_STATE_DESTROY) {
+ inctx->status = QS_CONN_STATE_KEEP;
+#if APR_HAS_THREADS
+ apr_table_setn(sconf->inctx_t->table,
+ QS_INCTX_ID, (char *)inctx);
+#endif
+ }
+#if APR_HAS_THREADS
+ apr_thread_mutex_unlock(sconf->inctx_t->lock); /* @CRT30 */
+#endif
+ }
+ }
+ }
+ }
+}
+
+/**
+ * process response:
+ * - start min data measure
+ * - setenvif header
+ * - detects vip header and create session
+ * - header filter
+ */
+static apr_status_t qos_out_filter(ap_filter_t *f, apr_bucket_brigade *bb) {
+ request_rec *r = f->r;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config, &qos_module);
+ qos_dir_config *dconf = ap_get_module_config(r->per_dir_config, &qos_module);
+ qs_headerfilter_mode_e mode;
+
+ qos_start_res_rate(r, sconf);
+ qos_setenvstatus(r, sconf, dconf);
+ qos_setenvresheader(r, sconf);
+ qos_setenvres(r, sconf);
+ if(sconf->user_tracking_cookie) {
+ if((sconf->user_tracking_cookie_jsredirect < 1) ||
+ (apr_table_get(r->subprocess_env, QOS_USER_TRACKING_RENEW) != NULL)) {
+ qos_send_user_tracking_cookie(r, sconf, r->status);
+ }
+ }
+ if(sconf->milestones) {
+ qos_update_milestone(r, sconf);
+ }
+ if(sconf->ip_header_name) {
+ const char *ctrl_h = apr_table_get(r->headers_out, sconf->ip_header_name);
+ if(ctrl_h) {
+ int match = 1;
+ if(sconf->ip_header_name_regex) {
+ if(ap_regexec(sconf->ip_header_name_regex, ctrl_h, 0, NULL, 0) != 0) {
+ match = 0;
+ }
+ }
+ if(match) {
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ if(cconf) {
+ qs_set_evmsg(r, "v;");
+ cconf->is_vip = 1;
+ cconf->set_vip_by_header = 1;
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, "yes");
+ }
+ }
+ if(sconf->ip_header_name_drop) {
+ apr_table_unset(r->headers_out, sconf->ip_header_name);
+ }
+ }
+ }
+ if(sconf->header_name) {
+ /* got a vip header: create new session (if non exists) */
+ const char *ctrl_h = apr_table_get(r->headers_out, sconf->header_name);
+ if(ctrl_h && !apr_table_get(r->notes, QS_REC_COOKIE)) {
+ int match = 1;
+ if(sconf->header_name_regex) {
+ if(ap_regexec(sconf->header_name_regex, ctrl_h, 0, NULL, 0) != 0) {
+ match = 0;
+ }
+ }
+ if(match) {
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ qos_set_session(r, sconf);
+ if(cconf) {
+ qs_set_evmsg(r, "v;");
+ cconf->is_vip = 1;
+ cconf->set_vip_by_header = 1;
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, "yes");
+ }
+ apr_table_set(r->notes, QS_REC_COOKIE, "");
+ }
+ if(sconf->header_name_drop) {
+ apr_table_unset(r->headers_out, sconf->header_name);
+ }
+ }
+ }
+ if(sconf->vip_user && r->user) {
+ if(!apr_table_get(r->notes, QS_REC_COOKIE)) {
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ qos_set_session(r, sconf);
+ if(cconf) {
+ qs_set_evmsg(r, "v;");
+ cconf->is_vip = 1;
+ cconf->set_vip_by_header = 1;
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, "yes");
+ }
+ apr_table_set(r->notes, QS_REC_COOKIE, "");
+ }
+ }
+ if(sconf->vip_ip_user && r->user) {
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ if(cconf) {
+ qs_set_evmsg(r, "v;");
+ cconf->is_vip = 1;
+ cconf->set_vip_by_header = 1;
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, "yes");
+ }
+ }
+ qos_unset_resheader(r, sconf);
+ /* don't handle response status since response header filter use "drop" action only */
+ mode = sconf->resheaderfilter;
+ if(dconf->resheaderfilter > QS_HEADERFILTER_OFF_DEFAULT) {
+ // override server configuration
+ mode = dconf->resheaderfilter;
+ }
+ if(mode > QS_HEADERFILTER_OFF) {
+ qos_header_filter(r, sconf, r->headers_out, "response",
+ sconf->reshfilter_table, mode);
+ }
+ qos_set_dscp(r);
+ qos_keepalive(r, sconf);
+ if(sconf->max_conn_close != -1) {
+ if(sconf->act->conn->connections > sconf->max_conn_close) {
+ qs_set_evmsg(r, "K;");
+ r->connection->keepalive = AP_CONN_CLOSE;
+ }
+ }
+ /* disable request rate for certain connections */
+#if APR_HAS_THREADS
+ qos_disable_rate(r, sconf, dconf);
+#endif
+ ap_remove_output_filter(f);
+ return ap_pass_brigade(f->next, bb);
+}
+
+static apr_status_t qos_out_err_filter(ap_filter_t *f, apr_bucket_brigade *bb) {
+ request_rec *r = f->r;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config, &qos_module);
+
+ if(sconf) {
+ qos_dir_config *dconf = ap_get_module_config(r->per_dir_config, &qos_module);
+ qos_setenvstatus(r, sconf, dconf);
+ qos_setenvresheader(r, sconf);
+ qos_setenvres(r, sconf);
+ if(sconf->milestones) {
+ qos_update_milestone(r, sconf);
+ }
+ }
+
+ ap_remove_output_filter(f);
+ return ap_pass_brigade(f->next, bb);
+}
+
+/**
+ * QS_SrvSerialize
+ */
+static void qos_logger_serialize(qos_srv_config *sconf, qs_req_ctx *rctx) {
+ if(rctx->srv_serialize_set) {
+ apr_global_mutex_lock(sconf->act->lock); /* @CRT45 */
+ sconf->act->serialize->locked = 0;
+ apr_global_mutex_unlock(sconf->act->lock); /* @CRT45 */
+ }
+}
+
+/**
+ * QS_EventRequestLimit
+ * reset event counter
+ */
+static void qos_event_reset(qos_srv_config *sconf, qs_req_ctx *rctx) {
+ int i;
+ apr_table_entry_t *entry;
+ apr_global_mutex_lock(sconf->act->lock); /* @CRT32 */
+ entry = (apr_table_entry_t *)apr_table_elts(rctx->event_entries)->elts;
+ for(i = 0; i < apr_table_elts(rctx->event_entries)->nelts; i++) {
+ qs_acentry_t *e = (qs_acentry_t *)entry[i].val;
+ if(e->counter > 0) {
+ e->counter--;
+ }
+ }
+ apr_global_mutex_unlock(sconf->act->lock); /* @CRT32 */
+}
+
+static int qos_fixup(request_rec * r) {
+ int rc = 0;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ qos_dir_config *dconf = (qos_dir_config*)ap_get_module_config(r->per_dir_config,
+ &qos_module);
+ /* QS_VipUser/QS_VipIpUser */
+ if(sconf && (sconf->vip_user || sconf->vip_ip_user) && r->user) {
+ /* check r->user early (final status is update is implemented in output-filter) */
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ if(cconf) {
+ qs_set_evmsg(r, "v;");
+ cconf->is_vip = 1;
+ cconf->set_vip_by_header = 1;
+ apr_table_set(r->subprocess_env, QS_ISVIPREQ, "yes");
+ }
+ }
+
+ if(sconf->log_env == 1) {
+ qos_log_env(r, ">FX_1");
+ }
+
+#if APR_HAS_THREADS
+ qos_disable_rate(r, sconf, dconf);
+#endif
+
+ if(apr_table_elts(sconf->setreqheaderlate_t)->nelts > 0) {
+ qos_setreqheader(r, sconf->setreqheaderlate_t);
+ }
+
+ rc = qos_redirectif(r, sconf, sconf->redirectif);
+ if(rc != DECLINED) {
+ return rc;
+ }
+ rc = qos_redirectif(r, sconf, dconf->redirectif);
+ if(rc != DECLINED) {
+ return rc;
+ }
+
+ return DECLINED;
+}
+
+/**
+ * "free resources" and update stats
+ */
+static int qos_logger(request_rec *r) {
+ qs_req_ctx *rctx = qos_rctx_config_get(r);
+ qs_acentry_t *actEntry = rctx->entry;
+ qs_acentry_t *actEntryCond = rctx->entry_cond;
+ qs_acentry_t *actEntryMain = actEntry;
+ qs_conn_base_ctx *base = qos_get_conn_base_ctx(r->connection);
+ qs_conn_ctx *cconf = qos_get_cconf(r->connection);
+ apr_time_t now = 0;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config, &qos_module);
+ qos_dir_config *dconf = ap_get_module_config(r->per_dir_config, &qos_module);
+ if(actEntryMain == NULL) {
+ actEntryMain = actEntryCond;
+ }
+ if(rctx->response_delayed) {
+ qs_set_evmsg(r, "L;");
+ apr_table_set(r->subprocess_env, QS_RESDELYATIME,
+ apr_psprintf(r->pool, "%"APR_OFF_T_FMT, rctx->response_delayed));
+ }
+ qos_propagate_notes(r);
+ qos_propagate_events(r);
+ if(sconf->log_env == 1) {
+ qos_log_env(r, "<LG_1");
+ }
+ qos_end_res_rate(r, sconf);
+ if(sconf->setenvif_t->nelts > 0) {
+ qos_setenvif(r, sconf->setenvif_t);
+ }
+ if(dconf->setenvif_t->nelts > 0) {
+ qos_setenvif(r, dconf->setenvif_t);
+ }
+ if(sconf->has_qos_cc) {
+ qos_logger_cc(r, sconf, rctx);
+ }
+ qos_logger_event_limit(r, sconf);
+ if(base) {
+ base->requests++;
+ }
+ if(cconf) {
+ if(cconf->evmsg) {
+ rctx->evmsg = apr_pstrcat(r->pool, cconf->evmsg, rctx->evmsg, NULL);
+ }
+ }
+ if(sconf->has_event_filter) {
+ qos_event_reset(sconf, rctx);
+ }
+ if(sconf->serialize == 1) {
+ qos_logger_serialize(sconf, rctx);
+ }
+ if(sconf->has_event_limit) {
+ qos_lg_event_update(r, &now);
+ }
+ if(actEntryMain) {
+ char *h;
+ if(!now) {
+ now = apr_time_sec(r->request_time);
+ }
+ apr_global_mutex_lock(actEntryMain->lock); /* @CRT6 */
+ h = apr_psprintf(r->pool, "%d", actEntryMain->counter);
+ if(actEntryCond) {
+ if(actEntryCond->counter > 0) {
+ actEntryCond->counter--;
+ }
+ }
+ if(actEntry) {
+ if(actEntry->counter > 0) {
+ actEntry->counter--;
+ }
+ if(apr_table_get(r->notes, QS_R010_ALREADY_BLOCKED) == NULL) {
+ if(actEntry->req < LONG_MAX) {
+ actEntry->req++;
+ }
+ if(now > (actEntry->interval + QS_BW_SAMPLING_RATE)) {
+ actEntry->req_per_sec = actEntry->req / (now - actEntry->interval);
+ actEntry->req = 0;
+ actEntry->interval = now;
+ if(actEntry->req_per_sec_limit) {
+ qos_cal_req_sec(sconf, r, actEntry);
+ }
+ }
+ }
+ }
+ apr_global_mutex_unlock(actEntryMain->lock); /* @CRT6 */
+ /* allow logging of the current location usage */
+ apr_table_set(r->subprocess_env, "mod_qos_cr", h);
+ if(r->next) {
+ apr_table_set(r->next->subprocess_env, "mod_qos_cr", h);
+ }
+ /* decrement only once */
+ ap_set_module_config(r->request_config, &qos_module, NULL);
+ }
+ if(cconf && (cconf->sconf->max_conn != -1)) {
+ char *cc = apr_psprintf(r->pool, "%d", cconf->sconf->act->conn->connections);
+ apr_table_set(r->subprocess_env, "mod_qos_con", cc);
+ if(r->next) {
+ apr_table_set(r->next->subprocess_env, "mod_qos_con", cc);
+ }
+ }
+ if(rctx->evmsg) {
+ apr_table_set(r->subprocess_env, "mod_qos_ev", rctx->evmsg);
+ if(r->next) {
+ apr_table_set(r->next->subprocess_env, "mod_qos_ev", rctx->evmsg);
+ }
+ }
+#if APR_HAS_THREADS
+ qos_disable_rate(r, sconf, dconf);
+#endif
+
+ if(sconf->qslog_p) {
+ // ISBiDUkEQaC equiv %h %>s %B %{Content-Length}i %D %{mod_qos_user_id}e %k %{Event}e %{mod_qos_ev}e %{QS_AllConn}e '%v:%U'
+ apr_size_t nbytes;
+ const char *clID = apr_table_get(r->subprocess_env, QSLOG_CLID); // client identifier (individual users)
+ const char *event = apr_table_get(r->subprocess_env, QSLOG_EVENT); // generic event variable
+ const char *mod_qos_ev = apr_table_get(r->subprocess_env, "mod_qos_ev"); // qos events
+ const char *averageConn = apr_table_get(r->subprocess_env, QSLOG_AVERAGE); // average counter, e.g. connections
+ // TODO: measure the real traffic instead of using the (optional) content-length header
+ const char *contentLength = apr_table_get(r->headers_in, "Content-Length");
+ char *qslogstr = apr_psprintf(r->pool, "%s %s %s %s %s %s %d %s %s %s '%s:%s'\n",
+ QS_CONN_REMOTEIP(r->connection), /* %h */
+ (r->status <= 0) ? "-" : apr_itoa(r->pool, r->status), /* %s */
+ (!r->sent_bodyct || !r->bytes_sent) ? "0" : apr_off_t_toa(r->pool, r->bytes_sent), /* %B */
+ contentLength == NULL ? "-" : contentLength, /* %{content-length} */
+ apr_psprintf(r->pool, "%" APR_TIME_T_FMT, (apr_time_now() - r->request_time)), /* %D */
+ clID == NULL ? "-" : clID, /* %{mod_qos_user_id}e */
+ r->connection->keepalives ? r->connection->keepalives - 1 : 0, /* %k */
+ event == NULL ? "-" : event, /* %{Event}e */
+ mod_qos_ev == NULL ? "-" : mod_qos_ev, /* %{mod_qos_ev}e */
+ averageConn == NULL ? "- " : averageConn, /* %{QS_AllConn}e */
+ ap_escape_logitem(r->pool, ap_get_server_name(r)), /* %v */
+ ap_escape_logitem(r->pool, r->uri) /* %U */
+ );
+ nbytes = strlen(qslogstr);
+ apr_file_write(sconf->qslog_p, qslogstr, &nbytes);
+ }
+
+ return DECLINED;
+}
+
+static void qos_audit_check(ap_directive_t * node) {
+ ap_directive_t *pdir;
+ for(pdir = node; pdir != NULL; pdir = pdir->next) {
+ if(pdir->args &&
+ strstr(pdir->args, "%{"QS_PARP_PATH"}n") &&
+ strstr(pdir->args, "%{"QS_PARP_QUERY"}n")) {
+ m_enable_audit = 1;
+ }
+ if(pdir->first_child != NULL) {
+ qos_audit_check(pdir->first_child);
+ }
+ }
+}
+
+static int qos_module_check(const char *m) {
+ module *modp = NULL;
+ for(modp = ap_top_module; modp; modp = modp->next) {
+ if(strcmp(modp->name, m) == 0) {
+ return APR_SUCCESS;
+ }
+ }
+ return DECLINED;
+}
+
+/**
+ * inits each child
+ */
+static void qos_child_init(apr_pool_t *p, server_rec *bs) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(bs->module_config, &qos_module);
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ qos_ifctx_list_t *inctx_t = NULL;
+#ifdef QS_INTERNAL_TEST
+#ifdef PREFORK_MPM
+ int seed = getpid() + time(NULL);
+#if APR_HAS_THREADS
+ seed += apr_os_thread_current();
+#endif
+ srand(seed);
+#endif
+#endif
+ qos_init_unique_id(p, bs);
+#if APR_HAS_THREADS
+ if(sconf->req_rate != -1) {
+ inctx_t = apr_pcalloc(p, sizeof(qos_ifctx_list_t));
+ inctx_t->exit = 0;
+ inctx_t->table = apr_table_make(p, 64);
+ sconf->inctx_t = inctx_t;
+ if(apr_thread_mutex_create(&sconf->inctx_t->lock, APR_THREAD_MUTEX_DEFAULT, p) != APR_SUCCESS) {
+ qos_disable_req_rate(bs, "create mutex");
+ } else {
+ apr_threadattr_t *tattr;
+ if(apr_threadattr_create(&tattr, p) != APR_SUCCESS) {
+ qos_disable_req_rate(bs, "create thread attr");
+ } else {
+ if(apr_thread_create(&sconf->inctx_t->thread, tattr,
+ qos_req_rate_thread, bs, p) != APR_SUCCESS) {
+ qos_disable_req_rate(bs, "create thread");
+ } else {
+ server_rec *sn = bs->next;
+ apr_pool_pre_cleanup_register(p, bs, qos_cleanup_req_rate_thread);
+ while(sn) {
+ qos_srv_config *sc = (qos_srv_config*)ap_get_module_config(sn->module_config, &qos_module);
+ sc->inctx_t = inctx_t;
+ sn = sn->next;
+ }
+ }
+ }
+ }
+ }
+#endif
+ if(sconf->has_qos_cc) {
+ apr_global_mutex_child_init(&u->qos_cc->lock, u->qos_cc->lock_file, p);
+ }
+ if(!sconf->act->child_init) {
+ sconf->act->child_init = 1;
+ /* propagate mutex to child process (required by some platforms) */
+ apr_global_mutex_child_init(&sconf->act->lock, sconf->act->lock_file, p);
+ }
+#if APR_HAS_THREADS
+ if(sconf->qsstatus) {
+ qos_init_status_thread(p, sconf, sconf->max_clients);
+ }
+#endif
+}
+
+/*
+static const char *qos_search_docroot(apr_pool_t *pconf, server_rec *bs,
+ ap_directive_t *node) {
+ ap_directive_t *pdir;
+ for(pdir = node; pdir != NULL; pdir = pdir->next) {
+ if(strcasecmp(pdir->directive, "DocumentRoot") == 0) {
+ return pdir->args;
+ }
+ if(pdir->first_child != NULL) {
+ const char *docroot = qos_search_docroot(pconf, bs, pdir->first_child);
+ if(docroot != NULL) {
+ return docroot;
+ }
+ }
+ }
+ return NULL;
+}
+*/
+
+static const char *detectErrorPage(apr_pool_t *ptemp, server_rec *bs, ap_directive_t *pdir) {
+ const qos_errelt_t *e = m_error_pages;
+ apr_finfo_t finfo;
+ /*
+ const char *docroot = qos_search_docroot(ptemp, bs, pdir);
+ if(docroot) {
+ docroot = ap_server_root_relative(ptemp, docroot);
+ }
+ */
+ while(e->path != NULL) {
+ char *path = ap_server_root_relative(ptemp, e->path);
+ if(apr_stat(&finfo, path, APR_FINFO_TYPE, ptemp) == APR_SUCCESS) {
+ return e->url;
+ }
+ /*
+ if(docroot) {
+ path = apr_pstrcat(ptemp, docroot, "/", e->path, NULL);
+ if(apr_stat(&finfo, path, APR_FINFO_TYPE, ptemp) == APR_SUCCESS) {
+ return e->url;
+ }
+ }
+ */
+ e++;
+ }
+ return NULL;
+}
+
+/**
+ * inits the server configuration
+ */
+static int qos_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *bs) {
+ qos_srv_config *bsconf = (qos_srv_config*)ap_get_module_config(bs->module_config, &qos_module);
+ char *rev = qos_revision(ptemp);
+ qos_user_t *u;
+ int maxClients;
+ int cc_net_prefer_limit = 0;
+ apr_status_t rv;
+ ap_directive_t *pdir = ap_conftree;
+ const char *error_page = detectErrorPage(ptemp, bs, pdir);
+ int auto_error_page = 0;
+
+ /* verify if this Apache version is supported/mod_qos has been tested for
+ and enable/disable features */
+ qos_version_check(bs);
+
+ maxClients = qs_calc_maxClients(bs, bsconf);
+ QOS_MY_GENERATION(m_generation);
+ bsconf->max_clients = maxClients;
+
+ if(bsconf->ip_type == QS_IP_V4) {
+ m_ip_type = QS_IP_V4;
+ } else {
+ m_ip_type = QS_IP_V6;
+ }
+
+ qos_hostcode(ptemp, bs);
+
+ if(bsconf->log_only) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, bs,
+ QOS_LOG_PFX(009)"running in 'log only' mode - rules are NOT enforced!");
+ }
+ if(bsconf->geo_limit != -1 && !bsconf->geodb) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, 0, bs,
+ QOS_LOG_PFX(100)"QS_ClientGeoCountryDB has not been configured");
+ }
+
+ if(bsconf->max_conn_close_percent) {
+ bsconf->max_conn_close = maxClients * bsconf->max_conn_close_percent / 100;
+ }
+ cc_net_prefer_limit = maxClients * bsconf->qos_cc_prefer / 100;
+ if(bsconf->qos_cc_prefer) {
+ bsconf->qos_cc_prefer = maxClients;
+ bsconf->qos_cc_prefer_limit = cc_net_prefer_limit;
+ } else {
+ bsconf->qos_cc_prefer = 0;
+ bsconf->qos_cc_prefer_limit = 0;
+ }
+ u = qos_get_user_conf(bs->process->pool);
+ if(u == NULL) return !OK;
+ u->server_start++;
+ /* mutex init */
+ if(bsconf->act->lock_file == NULL) {
+ bsconf->act->lock_file = apr_psprintf(bsconf->act->pool, "%s.mod_qos",
+ qos_tmpnam(bsconf->act->pool, bs));
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, bs,
+ QOS_LOGD_PFX"create mutex (ACT)(%s)",
+ bsconf->act->lock_file);
+ rv = apr_global_mutex_create(&bsconf->act->lock, bsconf->act->lock_file,
+ APR_LOCK_DEFAULT, bsconf->act->pool);
+ if (rv != APR_SUCCESS) {
+ char buf[MAX_STRING_LEN];
+ apr_strerror(rv, buf, sizeof(buf));
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, bs,
+ QOS_LOG_PFX(004)"failed to create mutex (ACT)(%s): %s",
+ bsconf->act->lock_file, buf);
+ exit(1);
+ }
+#ifdef AP_NEED_SET_MUTEX_PERMS
+ qos_unixd_set_global_mutex_perms(bsconf->act->lock);
+#endif
+ }
+ bsconf->base_server = bs;
+ bsconf->act->timeout = apr_time_sec(bs->timeout);
+ if(bsconf->act->timeout == 0) bsconf->act->timeout = 300;
+ if(qos_init_shm(bs, bsconf, bsconf->act, bsconf->location_t, maxClients) != APR_SUCCESS) {
+ return !OK;
+ }
+ apr_pool_pre_cleanup_register(bsconf->pool, bsconf->act, qos_cleanup_shm);
+
+ if((qos_module_check("mod_unique_id.c") != APR_SUCCESS) &&
+ (qos_module_check("mod_navajo.cpp") != APR_SUCCESS)) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, bs,
+ QOS_LOG_PFX(009)"mod_unique_id not available"
+ " (mod_qos generates simple request id if required)");
+ }
+ qos_audit_check(ap_conftree);
+ qos_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+ qos_ssl_var = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+ if(qos_is_https == NULL || qos_ssl_var == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, bs,
+ QOS_LOG_PFX(009)"could not retrieve mod_ssl functions");
+ }
+ if(m_requires_parp) {
+ if(qos_module_check("mod_parp.c") != APR_SUCCESS) {
+ qos_parp_hp_table_fn = NULL;
+ ap_log_error(APLOG_MARK, APLOG_CRIT, 0, bs,
+ QOS_LOG_PFX(009)"mod_parp not available"
+ " (required by some directives)");
+ } else {
+ qos_parp_hp_table_fn = APR_RETRIEVE_OPTIONAL_FN(parp_hp_table);
+ qos_parp_body_data_fn = APR_RETRIEVE_OPTIONAL_FN(parp_body_data);
+ }
+ }
+ if(u->server_start == 2) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(bsconf->hfilter_table)->elts;
+ for(i = 0; i < apr_table_elts(bsconf->hfilter_table)->nelts; i++) {
+ qos_fhlt_r_t *he = (qos_fhlt_r_t *)entry[i].val;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, bs,
+ QOS_LOGD_PFX"request header filter rule (%s) %s: %s max=%d",
+ he->action == QS_FLT_ACTION_DROP ? "drop" : "deny", entry[i].key,
+ he->text, he->size);
+ }
+ entry = (apr_table_entry_t *)apr_table_elts(bsconf->reshfilter_table)->elts;
+ for(i = 0; i < apr_table_elts(bsconf->reshfilter_table)->nelts; i++) {
+ qos_fhlt_r_t *he = (qos_fhlt_r_t *)entry[i].val;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, bs,
+ QOS_LOGD_PFX"response header filter rule (%s) %s: %s max=%d",
+ he->action == QS_FLT_ACTION_DROP ? "drop" : "deny", entry[i].key,
+ he->text, he->size);
+ }
+ }
+ if(bsconf->has_qos_cc) {
+ if(!u->qos_cc) {
+ u->qos_cc = qos_cc_new(bs->process->pool, bs, bsconf->qos_cc_size, bsconf->qos_cc_limitTable);
+ if(u->qos_cc == NULL) {
+ return !OK;
+ }
+ } else {
+ int configOk = 1;
+ int limitTableSize = apr_table_elts(bsconf->qos_cc_limitTable)->nelts;
+ if(u->qos_cc->limitTable) {
+ int i;
+ apr_table_entry_t *te = (apr_table_entry_t *)apr_table_elts(bsconf->qos_cc_limitTable)->elts;
+ for(i = 0; i < limitTableSize; i++) {
+ const char *name = te[i].key;
+ qos_s_entry_limit_conf_t *newentry = (qos_s_entry_limit_conf_t *)te[i].val;
+ qos_s_entry_limit_conf_t *entryConf = (qos_s_entry_limit_conf_t *)apr_table_get(u->qos_cc->limitTable, name);
+ if(entryConf) {
+ entryConf->limit = newentry->limit;
+ entryConf->limitTime = newentry->limitTime;
+ entryConf->condStr = NULL;
+ entryConf->preg = NULL;
+ if(newentry->condStr) {
+ entryConf->condStr = apr_pstrdup(bs->process->pool, newentry->condStr);
+ entryConf->preg = ap_pregcomp(bs->process->pool, newentry->condStr, AP_REG_EXTENDED);
+ }
+ } else {
+ // new variable
+ configOk = 0;
+ }
+ if(apr_table_elts(u->qos_cc->limitTable)->nelts != limitTableSize) {
+ // removed variable
+ configOk = 0;
+ }
+ }
+ } else {
+ if(limitTableSize > 0) {
+ // enabled after graceful restart
+ configOk = 0;
+ }
+ }
+ if(!configOk) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, bs,
+ QOS_LOG_PFX(001)"QS_ClientEventLimitCount directives"
+ " can't be added/removed by graceful restart. A server"
+ " restart is required to apply the new configuration!");
+ }
+ }
+ }
+ if(bsconf->error_page == NULL && error_page != NULL) {
+ bsconf->error_page = error_page;
+ auto_error_page = 1;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, bs,
+ QOS_LOGD_PFX"QS_ErrorPage: use %s for server %s:%d (global)",
+ error_page,
+ bs->server_hostname == NULL ? "-" : bs->server_hostname,
+ bs->addrs->host_port);
+ }
+
+ if(bsconf->qslog_str) {
+ char *qslogarg = apr_psprintf(pconf, "%s -f %s", bsconf->qslog_str, QSLOGFORMAT);
+ piped_log *pl = ap_open_piped_log(pconf, qslogarg);
+ if(pl == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, bs,
+ QOS_LOG_PFX(009)"failed to initialize the qslog facility '%s'", qslogarg);
+ }
+ bsconf->qslog_p = ap_piped_log_write_fd(pl);
+ }
+
+ {
+ server_rec *s = bs->next;
+ while(s) {
+ qos_srv_config *ssconf = (qos_srv_config*)ap_get_module_config(s->module_config, &qos_module);
+
+ /* mutex init */
+ if(ssconf->act->lock == NULL) {
+ ssconf->act->lock_file = bsconf->act->lock_file;
+ ssconf->act->lock = bsconf->act->lock;
+ }
+ ssconf->base_server = bs;
+ ssconf->act->timeout = apr_time_sec(s->timeout);
+ ssconf->qos_cc_prefer = bsconf->qos_cc_prefer;
+ ssconf->qos_cc_prefer_limit = bsconf->qos_cc_prefer_limit;
+ ssconf->max_clients = bsconf->max_clients;
+ ssconf->max_clients_conf = bsconf->max_clients_conf;
+ if(ssconf->max_conn_close_percent) {
+ ssconf->max_conn_close = maxClients * ssconf->max_conn_close_percent / 100;
+ }
+ if(ssconf->act->timeout == 0) {
+ ssconf->act->timeout = 300;
+ }
+ ssconf->qslog_p = bsconf->qslog_p;
+ if(ssconf->is_virtual) {
+ if(qos_init_shm(s, ssconf, ssconf->act, ssconf->location_t, maxClients) != APR_SUCCESS) {
+ return !OK;
+ }
+ apr_pool_pre_cleanup_register(ssconf->pool, ssconf->act,
+ qos_cleanup_shm);
+ if(ssconf->has_conn_counter == 0 && bsconf->has_conn_counter == 1) {
+ // shall use global counter because vhost has not QS_SrvMaxConn* directive
+ ssconf->act->conn = bsconf->act->conn;
+ }
+ }
+ if(ssconf->error_page == NULL && error_page != NULL) {
+ ssconf->error_page = error_page;
+ auto_error_page |= 2;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, bs,
+ QOS_LOGD_PFX"QS_ErrorPage: use %s for server %s:%d",
+ error_page,
+ s->server_hostname == NULL ? "-" : s->server_hostname,
+ s->addrs->host_port);
+ }
+ s = s->next;
+ }
+ }
+ if(auto_error_page) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, bs,
+ QOS_LOG_PFX(009)"found default error document '%s'. Use the QS_ErrorPage"
+ " directive to override this default page.",
+ error_page);
+ }
+ ap_add_version_component(pconf, apr_psprintf(pconf, "mod_qos/%s", rev));
+
+#ifdef QS_INTERNAL_TEST
+ fprintf(stdout, "\033[1mmod_qos TEST BINARY, NOT FOR PRODUCTIVE USE\033[0m\n");
+ fflush(stdout);
+#endif
+#ifndef QS_NO_STATUS_HOOK
+ APR_OPTIONAL_HOOK(ap, status_hook, qos_ext_status_hook, NULL, NULL, APR_HOOK_MIDDLE);
+#endif
+
+ return DECLINED;
+}
+
+/**
+ * mod_qos
+ */
+static int qos_favicon(request_rec *r) {
+ int i;
+ unsigned const char ico[] = {
+ 0x00,0x00,0x01,0x00,0x01,0x00,0x10,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x68,0x05,
+ 0x00,0x00,0x16,0x00,0x00,0x00,0x28,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0x00,0x01,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x0f,0x29,0x21,0x00,0x11,0x29,0x21,0x00,0x9c,0x9d,0x9c,0x00,0x8d,0x8e,
+ 0x8d,0x00,0x65,0x65,0x65,0x00,0x73,0xaf,0x9d,0x00,0xf1,0xf3,0xf2,0x00,0x04,0x0e,
+ 0x0b,0x00,0x05,0x0e,0x0b,0x00,0x1b,0x3b,0x31,0x00,0x26,0x60,0x4d,0x00,0x45,0x45,
+ 0x45,0x00,0x9c,0xc8,0xb9,0x00,0x38,0x89,0x6e,0x00,0x35,0x7d,0x67,0x00,0x7d,0x7d,
+ 0x7d,0x00,0x6f,0x27,0x80,0x00,0x3d,0x28,0x3d,0x00,0x0c,0x10,0x0f,0x00,0x04,0x05,
+ 0x05,0x00,0x5f,0x64,0x62,0x00,0x20,0x50,0x42,0x00,0x85,0xca,0xb6,0x00,0x61,0x22,
+ 0x98,0x00,0x76,0xb4,0xa2,0x00,0x69,0x6a,0x6a,0x00,0x02,0x03,0x03,0x00,0xaa,0xda,
+ 0xca,0x00,0x25,0x5c,0x4a,0x00,0xfc,0xfc,0xfc,0x00,0x87,0xae,0xa2,0x00,0xaa,0xcc,
+ 0xc0,0x00,0x01,0x01,0x01,0x00,0x6a,0xa0,0x91,0x00,0x31,0x75,0x5f,0x00,0x44,0xa5,
+ 0x85,0x00,0xe6,0xe5,0xec,0x00,0x31,0x7a,0x62,0x00,0x0b,0x1d,0x16,0x00,0xc2,0xcb,
+ 0xdc,0x00,0x2e,0x6c,0x58,0x00,0x22,0x53,0x44,0x00,0xa5,0xd4,0xc4,0x00,0x3e,0x42,
+ 0x41,0x00,0x68,0x85,0x7b,0x00,0x31,0x5a,0x51,0x00,0x55,0x4e,0xd5,0x00,0x8b,0x8b,
+ 0x8a,0x00,0x02,0x06,0x05,0x00,0x04,0x06,0x05,0x00,0x48,0x62,0x5b,0x00,0x0c,0x1d,
+ 0x17,0x00,0x01,0x04,0x03,0x00,0x03,0x04,0x03,0x00,0x2f,0x3d,0x38,0x00,0x65,0x81,
+ 0x77,0x00,0xef,0xf1,0xf5,0x00,0x57,0x25,0x51,0x00,0xc1,0xbd,0xc3,0x00,0x34,0x81,
+ 0x69,0x00,0x39,0x5d,0x52,0x00,0xff,0xff,0xff,0x00,0x2f,0x31,0x31,0x00,0x79,0x7d,
+ 0xd5,0x00,0x1b,0x46,0x39,0x00,0x4d,0x46,0xdd,0x00,0x13,0x13,0x13,0x00,0x5a,0x40,
+ 0x71,0x00,0xb4,0xb4,0xb4,0x00,0x71,0x74,0x73,0x00,0x4c,0x59,0x55,0x00,0x02,0x02,
+ 0x02,0x00,0xec,0xec,0xec,0x00,0x6f,0x72,0x71,0x00,0x67,0x67,0x67,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x3e,0x3e,
+ 0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,
+ 0x3e,0x3e,0x3e,0x4a,0x26,0x26,0x15,0x3e,0x3e,0x3e,0x3e,0x1e,0x28,0x39,0x3e,0x3f,
+ 0x3e,0x24,0x24,0x24,0x24,0x24,0x24,0x24,0x20,0x2f,0x11,0x18,0x25,0x3e,0x3e,0x3e,
+ 0x00,0x24,0x08,0x00,0x05,0x4b,0x21,0x42,0x3a,0x0f,0x40,0x3e,0x3e,0x3e,0x3e,0x17,
+ 0x2e,0x00,0x0c,0x45,0x00,0x00,0x44,0x12,0x24,0x09,0x3c,0x3e,0x3e,0x3e,0x3c,0x3c,
+ 0x00,0x3c,0x00,0x00,0x0d,0x2b,0x24,0x24,0x00,0x00,0x3c,0x46,0x3e,0x3e,0x3c,0x3c,
+ 0x30,0x43,0x24,0x31,0x1c,0x1c,0x0e,0x00,0x48,0x3b,0x3c,0x3c,0x3e,0x3e,0x3c,0x06,
+ 0x3e,0x00,0x23,0x1c,0x1c,0x1c,0x1c,0x00,0x36,0x3e,0x16,0x3c,0x3e,0x3e,0x3c,0x22,
+ 0x3e,0x00,0x33,0x1c,0x37,0x1f,0x1c,0x3d,0x14,0x3e,0x41,0x3c,0x3e,0x3e,0x3c,0x3c,
+ 0x49,0x00,0x00,0x32,0x1c,0x1c,0x2a,0x24,0x00,0x3e,0x3c,0x3c,0x3e,0x3e,0x47,0x3c,
+ 0x00,0x00,0x27,0x24,0x29,0x13,0x00,0x02,0x24,0x00,0x3c,0x0a,0x3e,0x3e,0x3e,0x3c,
+ 0x19,0x34,0x24,0x21,0x48,0x1b,0x00,0x00,0x01,0x0b,0x3c,0x3e,0x3e,0x3e,0x3e,0x3e,
+ 0x1d,0x3c,0x00,0x1a,0x3e,0x3e,0x10,0x00,0x3c,0x35,0x3e,0x3e,0x3e,0x3e,0x3e,0x2c,
+ 0x3e,0x3c,0x3c,0x3c,0x2d,0x38,0x3c,0x3c,0x3c,0x07,0x3f,0x3e,0x3e,0x3e,0x3e,0x3e,
+ 0x3e,0x3e,0x03,0x3c,0x3c,0x3c,0x3c,0x04,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,
+ 0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
+ ap_set_content_type(r, "image/x-icon");
+ for(i=0; i < sizeof(ico); i++) {
+ ap_rputc(ico[i], r);
+ }
+ return OK;
+}
+
+static int qos_console_dump(request_rec * r, const char *event) {
+ qos_srv_config *sconf = sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config,
+ &qos_module);
+ if(sconf && sconf->has_qos_cc) {
+ int i = 0;
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ qos_s_entry_t **clientEntry = NULL;
+ /* table requires heap (100'000 ~ 4MB) but we avoid io with drawn lock */
+ apr_table_t *iptable = apr_table_make(r->pool, u->qos_cc->max);
+ apr_table_entry_t *entry;
+ apr_time_t now = apr_time_sec(r->request_time);
+ ap_set_content_type(r, "text/plain");
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT35 */
+ clientEntry = u->qos_cc->ipd;
+ for(i = 0; i < u->qos_cc->max; i++) {
+ if((clientEntry[i]->ip6[0] != 0) ||
+ (clientEntry[i]->ip6[1] != 0)) {
+ char *k;
+ int limit = 0;
+ time_t limitTime = 0;
+ if(u->qos_cc->limitTable) {
+ int limitTableIndex;
+ qos_s_entry_limit_conf_t *eventLimitConf = qos_getQSLimitEvent(u, event, &limitTableIndex);
+ if(eventLimitConf) {
+ limit = clientEntry[i]->limit[limitTableIndex].limit;
+ limitTime = (eventLimitConf->limitTime >= (time(NULL) - clientEntry[i]->limit[limitTableIndex].limitTime)) ?
+ (eventLimitConf->limitTime - (time(NULL) - clientEntry[i]->limit[limitTableIndex].limitTime)) : 0;
+ }
+ }
+ k = apr_psprintf(r->pool,
+ "%010d %s vip=%s lowprio=%s block=%hu/%ld limit=%d/%ld %ld",
+ i,
+ qos_ip_long2str(r->pool, clientEntry[i]->ip6),
+ clientEntry[i]->vip ? "yes" : "no",
+ (clientEntry[i]->lowrate + QOS_LOW_TIMEOUT) > now ? "yes" : "no",
+ clientEntry[i]->block,
+ (sconf->qos_cc_blockTime >= (time(NULL) - clientEntry[i]->blockTime)) ?
+ (sconf->qos_cc_blockTime - (time(NULL) - clientEntry[i]->blockTime)) : 0,
+ limit,
+ limitTime,
+ clientEntry[i]->time);
+ apr_table_addn(iptable, k, NULL);
+ }
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT35 */
+ entry = (apr_table_entry_t *)apr_table_elts(iptable)->elts;
+ for(i = 0; i < apr_table_elts(iptable)->nelts; ++i) {
+ ap_rprintf(r, "%s\n", entry[i].key);
+ }
+ return OK;
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(070)"console, not acceptable, "
+ "qos client control has not been activated, id=%s",
+ qos_unique_id(r, "070"));
+ return HTTP_NOT_ACCEPTABLE;
+}
+
+#ifdef QS_INTERNAL_TEST
+static int qos_handler_headerfilter(request_rec * r) {
+ int i;
+ apr_table_entry_t *entry;
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config, &qos_module);
+ if(strcmp(r->handler, "qos-headerfilter") != 0) {
+ return DECLINED;
+ }
+ ap_set_content_type(r, "text/plain");
+
+ ap_rprintf(r, "\nQS_RequestHeaderFilter rules:\n\n");
+ entry = (apr_table_entry_t *)apr_table_elts(sconf->hfilter_table)->elts;
+ for(i = 0; i < apr_table_elts(sconf->hfilter_table)->nelts; i++) {
+ qos_fhlt_r_t *he = (qos_fhlt_r_t *)entry[i].val;
+ ap_rprintf(r, " name=%s, action=%s, size=%d, pattern=%s\n",
+ entry[i].key,
+ he->action == QS_FLT_ACTION_DROP ? "drop" : "deny",
+ he->size, he->text);
+ }
+ ap_rprintf(r, "\nQS_ResponseHeaderFilter rules:\n\n");
+ entry = (apr_table_entry_t *)apr_table_elts(sconf->reshfilter_table)->elts;
+ for(i = 0; i < apr_table_elts(sconf->reshfilter_table)->nelts; i++) {
+ qos_fhlt_r_t *he = (qos_fhlt_r_t *)entry[i].val;
+ ap_rprintf(r, " name=%s, action=%s, size=%d, pattern=%s\n",
+ entry[i].key,
+ he->action == QS_FLT_ACTION_DROP ? "drop" : "deny",
+ he->size, he->text);
+ }
+
+ ap_rprintf(r, "\nmod_qos %s\n", g_revision);
+
+ return OK;
+}
+
+static int qos_handler_man1(request_rec * r) {
+ module *modp = NULL;
+ if(strcmp(r->handler, "qos-man1") != 0) {
+ return DECLINED;
+ }
+ ap_set_content_type(r, "text/plain");
+ for(modp = ap_top_module; modp; modp = modp->next) {
+ if(strcmp(modp->name, "mod_qos.c") == 0) {
+ const command_rec *cmd = modp->cmds;
+ char time_string[64];
+ time_t tm = time(NULL);
+ struct tm *ptr = localtime(&tm);
+ strftime(time_string, sizeof(time_string), "%B %Y", ptr);
+ ap_rprintf(r, ".TH MOD_QOS 1 \"%s\" \"mod_qos Apache Module\" \"mod_qos\"\n", time_string);
+ ap_rprintf(r, ".SH NAME\n");
+ ap_rprintf(r, "mod_qos - quality of service module for the Apache Web server\n");
+ ap_rprintf(r, ".SH DESCRIPTION\n");
+ ap_rprintf(r, "mod_qos is a quality of service module for the Apache web server implementing control mechanisms that can provide different levels of priority to different HTTP requests.\n");
+ ap_rprintf(r, ".SH OPTIONS\n");
+ while(cmd) {
+ if(cmd->name) {
+ if(cmd->errmsg && cmd->errmsg[0] &&
+ ((strstr(cmd->errmsg, "QS_") != NULL) || (strstr(cmd->errmsg, "QSLog") != NULL))) {
+ ap_rprintf(r, ".TP\n");
+ ap_rprintf(r, "%s\n", cmd->errmsg);
+ }
+ cmd++;
+ } else {
+ break;
+ }
+ }
+ ap_rprintf(r, ".SH AUTHOR\n");
+ ap_rprintf(r, "Pascal Buchbinder, http://mod-qos.sourceforge.net/\n");
+ }
+ }
+ return OK;
+}
+#endif
+
+static int qos_handler_console(request_rec * r) {
+ apr_table_t *qt;
+ const char *ip;
+ const char *cmd;
+ const char *event;
+ apr_uint64_t addr[2];
+ qos_srv_config *sconf;
+ int status = HTTP_NOT_ACCEPTABLE;;
+ if (strcmp(r->handler, "qos-console") != 0) {
+ return DECLINED;
+ }
+ sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config, &qos_module);
+ if(sconf->disable_handler == 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(072)"handler has been disabled for this host, id=%s",
+ qos_unique_id(r, "072"));
+ return DECLINED;
+ }
+ apr_table_add(r->err_headers_out, "Cache-Control", "no-cache");
+ qt = qos_get_query_table(r);
+ ip = apr_table_get(qt, "address");
+ cmd = apr_table_get(qt, "action");
+ event = apr_table_get(qt, "event");
+ if(event == NULL) {
+ event = apr_pstrdup(r->pool, QS_LIMIT_DEFAULT);
+ }
+ if(!cmd || !ip) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(070)"console, not acceptable,"
+ " missing request query (action/address), id=%s",
+ qos_unique_id(r, "070"));
+ return HTTP_NOT_ACCEPTABLE;
+ }
+ if(ip) {
+ int escerr = 0;
+ char *ta = apr_pstrdup(r->pool, ip);
+ qos_unescaping(ta, QOS_DEC_MODE_FLAGS_URL, &escerr);
+ ip = ta;
+ }
+ if(!sconf->has_qos_cc) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(070)"console, not acceptable,"
+ " client data store has not been enabled, id=%s",
+ qos_unique_id(r, "070"));
+ return HTTP_NOT_ACCEPTABLE;
+ }
+ if((strcasecmp(cmd, "search") == 0) && (strcmp(ip, "*") == 0)) {
+ return qos_console_dump(r, event);
+ }
+ if(qos_ip_str2long(ip, addr) == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(070)"console, not acceptable,"
+ " invalid ip/wrong format, id=%s",
+ qos_unique_id(r, "070"));
+ return HTTP_NOT_ACCEPTABLE;
+ }
+ if(sconf->has_qos_cc) {
+ char *msg = "not available";
+ qos_user_t *u = qos_get_user_conf(sconf->act->ppool);
+ qos_s_entry_t **clientEntry = NULL;
+ qos_s_entry_t searchE;
+ int limitTableIndex = 0;
+ qos_s_entry_limit_conf_t *eventLimitConf = NULL;
+ int limit = 0;
+ time_t limitTime = 0;
+ apr_time_t now = apr_time_sec(r->request_time);
+ apr_global_mutex_lock(u->qos_cc->lock); /* @CRT34 */
+ searchE.ip6[0] = addr[0];
+ searchE.ip6[1] = addr[1];
+ clientEntry = qos_cc_get0(u->qos_cc, &searchE, apr_time_sec(r->request_time));
+ if(!clientEntry) {
+ if(strcasecmp(cmd, "search") != 0) {
+ clientEntry = qos_cc_set(u->qos_cc, &searchE, time(NULL));
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, 0, r,
+ QOS_LOG_PFX(071)"console, add new client ip entry '%s', is=%s",
+ ip, qos_unique_id(r, "071"));
+ }
+ }
+ status = OK;
+ if(u->qos_cc->limitTable) {
+ eventLimitConf = qos_getQSLimitEvent(u, event, &limitTableIndex);
+ }
+ if(strcasecmp(cmd, "setvip") == 0) {
+ (*clientEntry)->vip = 1;
+ } else if(strcasecmp(cmd, "unsetvip") == 0) {
+ (*clientEntry)->vip = 0;
+ } else if(strcasecmp(cmd, "setlowprio") == 0) {
+ (*clientEntry)->lowrate = time(NULL);
+ (*clientEntry)->lowratestatus = 0xff;
+ (*clientEntry)->lowratestatus &= ~QOS_LOW_FLAG_BEHAVIOR_OK;
+ } else if(strcasecmp(cmd, "unsetlowprio") == 0) {
+ (*clientEntry)->lowrate = 0;
+ if((*clientEntry)->lowratestatus & QOS_LOW_FLAG_BEHAVIOR_OK) {
+ (*clientEntry)->lowratestatus = QOS_LOW_FLAG_BEHAVIOR_OK;
+ } else {
+ (*clientEntry)->lowratestatus = 0;
+ }
+ } else if(strcasecmp(cmd, "unblock") == 0) {
+ (*clientEntry)->blockTime = 0;
+ (*clientEntry)->block = 0;
+ } else if(strcasecmp(cmd, "block") == 0) {
+ (*clientEntry)->blockTime = time(NULL);
+ (*clientEntry)->block = sconf->qos_cc_block + 1000;
+ } else if(strcasecmp(cmd, "unlimit") == 0) {
+ if(eventLimitConf) {
+ (*clientEntry)->limit[limitTableIndex].limitTime = 0;
+ (*clientEntry)->limit[limitTableIndex].limit = 0;
+ }
+ } else if(strcasecmp(cmd, "limit") == 0) {
+ if(eventLimitConf) {
+ (*clientEntry)->limit[limitTableIndex].limitTime = time(NULL);
+ (*clientEntry)->limit[limitTableIndex].limit = eventLimitConf->limit + 1000;
+ }
+ } else if(strcasecmp(cmd, "inclimit") == 0) {
+ if(eventLimitConf) {
+ if(((*clientEntry)->limit[limitTableIndex].limitTime + eventLimitConf->limitTime) < now) {
+ // expired
+ (*clientEntry)->limit[limitTableIndex].limit = 0;
+ (*clientEntry)->limit[limitTableIndex].limitTime = 0;
+ }
+ // increment limit event
+ if((*clientEntry)->limit[limitTableIndex].limit < USHRT_MAX) {
+ (*clientEntry)->limit[limitTableIndex].limit++;
+ }
+ if((*clientEntry)->limit[limitTableIndex].limit == 1) {
+ // first, start timer
+ (*clientEntry)->limit[limitTableIndex].limitTime = now;
+ }
+ }
+ } else if(strcasecmp(cmd, "search") == 0) {
+ /* nothing to do here */
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(070)"console, not acceptable, unknown action '%s', id=%s",
+ cmd, qos_unique_id(r, "070"));
+ status = HTTP_NOT_ACCEPTABLE;
+ }
+ if(clientEntry) {
+ if(eventLimitConf) {
+ limit = (*clientEntry)->limit[limitTableIndex].limit;
+ limitTime = (eventLimitConf->limitTime >= (time(NULL) - (*clientEntry)->limit[limitTableIndex].limitTime)) ?
+ (eventLimitConf->limitTime - (time(NULL) - (*clientEntry)->limit[limitTableIndex].limitTime)) : 0;
+ }
+ msg = apr_psprintf(r->pool, "%s vip=%s lowprio=%s block=%hu/%ld limit=%d/%ld", ip,
+ (*clientEntry)->vip ? "yes" : "no",
+ ((*clientEntry)->lowrate + QOS_LOW_TIMEOUT) > now ? "yes" : "no",
+ (*clientEntry)->block,
+ (sconf->qos_cc_blockTime >= (time(NULL) - (*clientEntry)->blockTime)) ?
+ (sconf->qos_cc_blockTime - (time(NULL) - (*clientEntry)->blockTime)) : 0,
+ limit,
+ limitTime);
+ }
+ apr_global_mutex_unlock(u->qos_cc->lock); /* @CRT34 */
+ if(status == OK) {
+ ap_set_content_type(r, "text/plain");
+ ap_rprintf(r, "%s\n", msg);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, 0, r,
+ QOS_LOG_PFX(071)"console, action '%s' applied to client ip entry '%s', id=%s",
+ cmd, ip, qos_unique_id(r, "071"));
+ }
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(070)"console, not acceptable,"
+ " qos client control has not been activated, id=%s",
+ qos_unique_id(r, "070"));
+ status = HTTP_NOT_ACCEPTABLE;
+ }
+ return status;
+}
+
+/**
+ * viewer which may be used as an alternative to mod_status
+ */
+static int qos_handler_view(request_rec * r) {
+ qos_srv_config *sconf;
+ apr_table_t *qt;
+ if (strcmp(r->handler, "qos-viewer") != 0) {
+ return DECLINED;
+ }
+ sconf = (qos_srv_config*)ap_get_module_config(r->server->module_config, &qos_module);
+ if(sconf->disable_handler == 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ QOS_LOG_PFX(072)"handler has been disabled for this host, id=%s",
+ qos_unique_id(r, "072"));
+ return DECLINED;
+ }
+ if(strstr(r->parsed_uri.path, "favicon.ico") != NULL) {
+ apr_table_add(r->err_headers_out, "Cache-Control", "public, max-age=2592000");
+ return qos_favicon(r);
+ }
+ apr_table_add(r->err_headers_out, "Cache-Control", "no-cache");
+ qt = qos_get_query_table(r);
+ if(qt && (apr_table_get(qt, "refresh") != NULL)) {
+ apr_table_add(r->err_headers_out, "Refresh", "10");
+ }
+ if(qt && (apr_table_get(qt, "auto") != NULL)) {
+ ap_set_content_type(r, "text/plain");
+ qos_ext_status_short(r, qt);
+ return OK;
+ }
+ ap_set_content_type(r, "text/html");
+ if(!r->header_only) {
+ int hasSlash = 1;
+ if(strlen(r->parsed_uri.path) > 0) {
+ if(r->parsed_uri.path[strlen(r->parsed_uri.path)-1] != '/') {
+ hasSlash = 0;
+ }
+ }
+ ap_rputs("<html><head><title>mod_qos</title>\n", r);
+ ap_rprintf(r,"<link rel=\"shortcut icon\" href=\"%s%sfavicon.ico\"/>\n",
+ ap_escape_html(r->pool, r->parsed_uri.path),
+ hasSlash ? "" : "/");
+ ap_rputs("<meta http-equiv=\"content-type\" content=\"text/html; charset=ISO-8859-1\">\n", r);
+ ap_rputs("<meta name=\"author\" content=\"Pascal Buchbinder\">\n", r);
+ ap_rputs("<meta http-equiv=\"Pragma\" content=\"no-cache\">\n", r);
+ ap_rputs("<style TYPE=\"text/css\">\n", r);
+ ap_rputs("<!--", r);
+ ap_rputs(" body {\n\
+ background-color: rgb(248,250,246);\n\
+ color: black;\n\
+ font-family: arial, helvetica, verdana, sans-serif;\n\
+ }\n\
+ .btable{\n\
+ background-color: white;\n\
+ border: 1px solid; padding: 0px;\n\
+ margin: 6px; width: 920px;\n\
+ font-weight: normal;\n\
+ border-collapse: collapse;\n\
+ }\n\
+ .rowts {\n\
+ background-color: rgb(150,165,158);\n\
+ vertical-align: top;\n\
+ border: 1px solid;\n\
+ border-color: black;\n\
+ font-weight: normal;\n\
+ padding: 0px;\n\
+ margin: 0px;\n\
+ }\n\
+ .rowt {\n\
+ background-color: rgb(210,220,215);\n\
+ vertical-align: top;\n\
+ border: 1px solid;\n\
+ border-color: black;\n\
+ font-weight: normal;\n\
+ padding: 0px;\n\
+ margin: 0px;\n\
+ }\n\
+ .rows {\n\
+ background-color: rgb(228,235,230);\n\
+ vertical-align: top;\n\
+ border: 1px solid;\n\
+ border-color: black;\n\
+ font-weight: normal;\n\
+ padding: 0px;\n\
+ margin: 0px;\n\
+ }\n\
+ .row {\n\
+ background-color: white;\n\
+ vertical-align: top;\n\
+ border: 1px solid;\n\
+ border-color: black;\n\
+ font-weight: normal;\n\
+ padding: 0px;\n\
+ margin: 0px;\n\
+ }\n\
+ .rowe {\n\
+ background-color: rgb(186,200,190);\n\
+ vertical-align: top;\n\
+ border: 1px solid;\n\
+ border-color: black;\n\
+ font-weight: normal;\n\
+ padding: 0px;\n\
+ margin: 0px;\n\
+ }\n\
+ .small {\n\
+ font-size: 0.75em;\n\
+ font-family: courier;\n\
+ }\n\
+ .prog-border {\n\
+ height: 10px;\n\
+ width: 150px;\n\
+ background: #eee;\n\
+ border: 1px solid #000;\n\
+ padding: 2px;\n\
+ font-family: arial, helvetica, verdana, sans-serif; font-size: 10px; color: #000;\n\
+ }\n\
+ .prog-bar {\n\
+ height: 10px;\n\
+ padding: 0;\n\
+ background: #339900;\n\
+ font-family: arial, helvetica, verdana, sans-serif; font-size: 10px; color: #000;\n\
+ }\n\
+ .prog-bar-limit {\n\
+ height: 10px;\n\
+ padding: 0;\n\
+ background: #993300;\n\
+ font-family: arial, helvetica, verdana, sans-serif; font-size: 10px; color: #000;\n\
+ }\n\
+ form { display: inline; }\n", r);
+ ap_rputs("-->\n", r);
+ ap_rputs("</style>\n", r);
+ ap_rputs("</head><body>\n", r);
+ qos_ext_status_hook(r, 0);
+ {
+ apr_time_t nowtime = apr_time_now();
+ ap_rvputs(r, "<div class=\"small\">",
+ ap_ht_time(r->pool, nowtime, QS_ERR_TIME_FORMAT, 0), NULL);
+ ap_rprintf(r, ", mod_qos %s\n", ap_escape_html(r->pool, qos_revision(r->pool)));
+ }
+ ap_rputs("</body></html>", r);
+ }
+ return OK;
+}
+
+static int qos_handler(request_rec * r) {
+ int status = qos_handler_view(r);
+ if(status != DECLINED) {
+ return status;
+ }
+ status = qos_handler_console(r);
+ if(status != DECLINED) {
+ return status;
+ }
+#ifdef QS_INTERNAL_TEST
+ status = qos_handler_man1(r);
+ if(status != DECLINED) {
+ return status;
+ }
+ status = qos_handler_headerfilter(r);
+ if(status != DECLINED) {
+ return status;
+ }
+#endif
+ return DECLINED;
+}
+
+/**
+ * insert response filter
+ */
+static void qos_insert_filter(request_rec *r) {
+ ap_add_output_filter("qos-out-filter", NULL, r, r->connection);
+}
+static void qos_insert_err_filter(request_rec *r) {
+ ap_add_output_filter("qos-out-err-filter", NULL, r, r->connection);
+}
+
+/************************************************************************
+ * directiv handlers
+ ***********************************************************************/
+static void qos_table_merge(apr_table_t *o, apr_table_t *b) {
+ int i;
+ apr_table_entry_t *entry = (apr_table_entry_t *)apr_table_elts(b)->elts;
+ for(i = 0; i < apr_table_elts(b)->nelts; ++i) {
+ if(apr_table_get(o, entry[i].key) == NULL) {
+ // copy the pointer only!!!
+ apr_table_setn(o, entry[i].key, entry[i].val);
+ }
+ }
+}
+
+static void *qos_dir_config_create(apr_pool_t *p, char *d) {
+ qos_dir_config *dconf = apr_pcalloc(p, sizeof(qos_dir_config));
+ dconf->path = d;
+ dconf->rfilter_table = apr_table_make(p, 1);
+ dconf->inheritoff = 0;
+ dconf->headerfilter = QS_HEADERFILTER_OFF_DEFAULT;
+ dconf->resheaderfilter = QS_HEADERFILTER_OFF_DEFAULT;
+ dconf->bodyfilter_p = -1;
+ dconf->bodyfilter_d = -1;
+ dconf->dec_mode = QOS_DEC_MODE_FLAGS_URL;
+ dconf->maxpost = -1;
+ dconf->urldecoding = QS_OFF_DEFAULT;
+ dconf->response_pattern = NULL;
+ dconf->response_pattern_var = NULL;
+ dconf->redirectif = apr_array_make(p, 20, sizeof(qos_redirectif_entry_t));
+ dconf->disable_reqrate_events = apr_table_make(p, 1);
+ dconf->setenvstatus_t = apr_table_make(p, 5);
+ dconf->setenvif_t = apr_array_make(p, 20, sizeof(qos_setenvif_t));
+ dconf->setenvifquery_t = apr_table_make(p, 1);
+ dconf->setenvcmp = apr_array_make(p, 2, sizeof(qos_cmp_entry_t));
+ return dconf;
+}
+
+/**
+ * merges dir config, inheritoff disables merge of rfilter_table.
+ */
+static void *qos_dir_config_merge(apr_pool_t *p, void *basev, void *addv) {
+ qos_dir_config *b = (qos_dir_config *)basev;
+ qos_dir_config *o = (qos_dir_config *)addv;
+ qos_dir_config *dconf = apr_pcalloc(p, sizeof(qos_dir_config));
+ dconf->path = o->path;
+ if(o->headerfilter != QS_HEADERFILTER_OFF_DEFAULT) {
+ dconf->headerfilter = o->headerfilter;
+ } else {
+ dconf->headerfilter = b->headerfilter;
+ }
+ if(o->resheaderfilter != QS_HEADERFILTER_OFF_DEFAULT) {
+ dconf->resheaderfilter = o->resheaderfilter;
+ } else {
+ dconf->resheaderfilter = b->resheaderfilter;
+ }
+ if(o->bodyfilter_p != -1) {
+ dconf->bodyfilter_p = o->bodyfilter_p;
+ } else {
+ dconf->bodyfilter_p = b->bodyfilter_p;
+ }
+ if(o->bodyfilter_d != -1) {
+ dconf->bodyfilter_d = o->bodyfilter_d;
+ } else {
+ dconf->bodyfilter_d = b->bodyfilter_d;
+ }
+ if((o->dec_mode != QOS_DEC_MODE_FLAGS_URL) ||
+ (o->inheritoff)) {
+ dconf->dec_mode = o->dec_mode;
+ } else {
+ dconf->dec_mode = b->dec_mode;
+ }
+ if(o->inheritoff) {
+ dconf->rfilter_table = o->rfilter_table;
+ } else {
+ dconf->rfilter_table = qos_table_merge_create(p, b->rfilter_table, o->rfilter_table);
+ }
+ if(o->maxpost != -1) {
+ dconf->maxpost = o->maxpost;
+ } else {
+ dconf->maxpost = b->maxpost;
+ }
+ if(o->urldecoding == QS_OFF_DEFAULT) {
+ dconf->urldecoding = b->urldecoding;
+ } else {
+ dconf->urldecoding = o->urldecoding;
+ }
+ if(o->response_pattern) {
+ dconf->response_pattern = o->response_pattern;
+ dconf->response_pattern_len = o->response_pattern_len;
+ dconf->response_pattern_var = o->response_pattern_var;
+ } else {
+ dconf->response_pattern = b->response_pattern;
+ dconf->response_pattern_len = b->response_pattern_len;
+ dconf->response_pattern_var = b->response_pattern_var;
+ }
+ dconf->disable_reqrate_events = qos_table_merge_create(p, b->disable_reqrate_events,
+ o->disable_reqrate_events);
+ dconf->redirectif = apr_array_append(p, b->redirectif, o->redirectif);
+
+ dconf->setenvstatus_t = apr_table_copy(p, b->setenvstatus_t);
+ qos_table_merge(dconf->setenvstatus_t, o->setenvstatus_t);
+
+ dconf->setenvif_t = apr_array_append(p, b->setenvif_t, o->setenvif_t);
+
+ dconf->setenvifquery_t = apr_table_copy(p, b->setenvifquery_t);
+ qos_table_merge(dconf->setenvifquery_t, o->setenvifquery_t);
+
+ dconf->setenvcmp = apr_array_append(p, b->setenvcmp, o->setenvcmp);
+
+ return dconf;
+}
+
+static void *qos_srv_config_create(apr_pool_t *p, server_rec *s) {
+ qos_srv_config *sconf;
+ apr_pool_t *act_pool;
+ apr_pool_create(&act_pool, NULL);
+ sconf =(qos_srv_config *)apr_pcalloc(p, sizeof(qos_srv_config));
+ sconf->pool = p;
+ sconf->location_t = apr_table_make(sconf->pool, 2);
+ sconf->setenvif_t = apr_array_make(sconf->pool, 20, sizeof(qos_setenvif_t));
+ sconf->setenv_t = apr_table_make(sconf->pool, 1);
+ sconf->setreqheader_t = apr_table_make(sconf->pool, 5);
+ sconf->setreqheaderlate_t = apr_table_make(sconf->pool, 5);
+ sconf->unsetreqheader_t = apr_table_make(sconf->pool, 5);
+ sconf->unsetresheader_t = apr_table_make(sconf->pool, 5);
+ sconf->setenvifquery_t = apr_table_make(sconf->pool, 1);
+ sconf->setenvifparp_t = apr_table_make(sconf->pool, 1);
+ sconf->setenvifparpbody_t = apr_table_make(sconf->pool, 1);
+ sconf->setenvstatus_t = apr_table_make(sconf->pool, 5);
+ sconf->setenvresheader_t = apr_table_make(sconf->pool, 1);
+ sconf->setenvresheadermatch_t = apr_table_make(sconf->pool, 1);
+ sconf->setenvres_t = apr_table_make(sconf->pool, 1);
+ sconf->headerfilter = QS_HEADERFILTER_OFF_DEFAULT;
+ sconf->resheaderfilter = QS_HEADERFILTER_OFF_DEFAULT;
+ sconf->redirectif = apr_array_make(p, 20, sizeof(qos_redirectif_entry_t));
+ sconf->error_page = NULL;
+ sconf->req_rate = -1;
+ sconf->req_rate_start = 0;
+ sconf->min_rate = -1;
+ sconf->min_rate_max = -1;
+ sconf->min_rate_off = 0;
+ sconf->req_ignore_vip_rate = -1;
+ sconf->max_clients = 1024;
+ sconf->max_clients_conf = -1;
+ sconf->has_event_filter = 0;
+ sconf->has_event_limit = 0;
+ sconf->event_limit_a = apr_array_make(p, 2, sizeof(qos_event_limit_entry_t));
+ sconf->mfile = NULL;
+ sconf->act = (qs_actable_t *)apr_pcalloc(act_pool, sizeof(qs_actable_t));
+ sconf->act->pool = act_pool;
+ sconf->act->ppool = s->process->pool;
+ sconf->act->child_init = 0;
+ sconf->act->timeout = apr_time_sec(s->timeout);
+ sconf->act->has_events = 0;
+ sconf->act->lock_file = NULL;
+ sconf->act->lock = NULL;
+ sconf->is_virtual = s->is_virtual;
+ sconf->cookie_name = apr_pstrdup(sconf->pool, QOS_COOKIE_NAME);
+ sconf->cookie_path = apr_pstrdup(sconf->pool, "/");
+ sconf->user_tracking_cookie = NULL;
+ sconf->user_tracking_cookie_force = NULL;
+ sconf->user_tracking_cookie_session = -1;
+ sconf->user_tracking_cookie_jsredirect = -1;
+ sconf->user_tracking_cookie_domain = NULL;
+ sconf->max_age = atoi(QOS_MAX_AGE);
+ sconf->header_name = NULL;
+ sconf->header_name_drop = 0;
+ sconf->header_name_regex = NULL;
+ sconf->ip_header_name = NULL;
+ sconf->ip_header_name_drop = 0;
+ sconf->ip_header_name_regex = NULL;
+ sconf->vip_user = 0;
+ sconf->vip_ip_user = 0;
+
+ sconf->has_conn_counter = 0;
+ sconf->max_conn = -1;
+ sconf->max_conn_close = -1;
+ sconf->max_conn_per_ip = -1;
+ sconf->max_conn_per_ip_connections = -1;
+ sconf->max_conn_per_ip_ignore_vip = -1;
+
+ sconf->serialize = -1;
+ sconf->exclude_ip = apr_table_make(sconf->pool, 2);
+ sconf->hfilter_table = apr_table_make(p, 5);
+ sconf->reshfilter_table = apr_table_make(p, 5);
+ sconf->disable_reqrate_events = apr_table_make(p, 1);
+ sconf->log_only = 0;
+ sconf->log_env = -1;
+ sconf->has_qos_cc = 0;
+ sconf->cc_exclude_ip = apr_table_make(sconf->pool, 2);
+ sconf->qos_cc_size = 50000;
+ sconf->qos_cc_prefer = 0;
+ sconf->qos_cc_prefer_limit = 0;
+ sconf->qos_cc_event = 0;
+ sconf->qos_cc_event_req = -1;
+ sconf->qos_cc_block = 0;
+ sconf->qos_cc_serialize = 0;
+ sconf->serializeTMO = 6000; // 6000 * 50ms = 5 minutes
+ sconf->cc_tolerance = atoi(QOS_CC_BEHAVIOR_TOLERANCE_STR);
+ sconf->qs_req_rate_tm = QS_REQ_RATE_TM;
+ sconf->geodb = NULL;
+ sconf->geo_limit = -1;
+ sconf->geo_priv = apr_table_make(p, 20);
+ sconf->geo_excludeUnknown = -1;
+ sconf->qslog_p = NULL;
+ sconf->qsstatus = 0;
+ sconf->qsevents = 0;
+ sconf->qslog_str = NULL;
+ sconf->ip_type = QS_IP_V6_DEFAULT;
+ sconf->qos_cc_blockTime = 600;
+ sconf->qos_cc_limitTable = apr_table_make(p, 5);
+ sconf->qos_cc_forwardedfor = NULL;
+ sconf->disable_handler = -1;
+ sconf->maxpost = -1;
+ sconf->milestones = NULL;
+ sconf->milestoneTimeout = QOS_MILESTONE_TIMEOUT;
+ sconf->static_on = -1;
+ sconf->static_html = 0;
+ sconf->static_cssjs = 0;
+ sconf->static_img = 0;
+ sconf->static_other = 0;
+ sconf->static_notmodified = 0;
+ if(!s->is_virtual) {
+ char *msg = qos_load_headerfilter(p, sconf->hfilter_table, qs_header_rules);
+ if(msg) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+ QOS_LOG_PFX(006)"could not compile request header filter rules: %s", msg);
+ exit(1);
+ }
+ msg = qos_load_headerfilter(p, sconf->reshfilter_table, qs_res_header_rules);
+ if(msg) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+ QOS_LOG_PFX(006)"could not compile response header filter rules: %s", msg);
+ exit(1);
+ }
+ }
+
+ {
+ int len = EVP_MAX_KEY_LENGTH;
+ unsigned char *rand = apr_pcalloc(p, len);
+#if APR_HAS_RANDOM
+ if(apr_generate_random_bytes(rand, len) != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ QOS_LOG_PFX(083)"Can't generate random data.");
+ }
+#else
+ if(!RAND_bytes(rand, len)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ QOS_LOG_PFX(083)"Can't generate random data.");
+ }
+#endif
+ EVP_BytesToKey(EVP_des_ede3_cbc(), EVP_sha1(), NULL, rand, len, 1, sconf->key, NULL);
+ sconf->rawKey = rand;
+ sconf->rawKeyLen = len;
+ sconf->keyset = 0;
+ }
+#ifdef QS_INTERNAL_TEST
+ {
+ int i;
+ sconf->testip = apr_table_make(sconf->pool, m_qs_sim_ip_len);
+ sconf->enable_testip = 1;
+ for(i = 0; i < (m_qs_sim_ip_len*3/4); i++) {
+ char *qsmi = apr_psprintf(p, "%d.%d.%d.%d", rand()%255, rand()%255, rand()%255, rand()%255);
+ apr_table_add(sconf->testip, apr_psprintf(p, "%d", i), qsmi);
+ }
+ for(i = m_qs_sim_ip_len*3/4; i < m_qs_sim_ip_len; i++) {
+ char *qsmi = apr_psprintf(p, "fe%d::%d:%d:%d", rand()%100, rand()%4000, rand()%4000, rand()%400);
+ apr_table_add(sconf->testip, apr_psprintf(p, "%d", i), qsmi);
+ }
+ }
+#endif
+ return sconf;
+}
+
+/**
+ * "merges" server configuration: virtual host overwrites global settings (if
+ * any rule has been specified)
+ * but: global settings such as header filter table and connection timeouts
+ * are always used from the base server
+ */
+static void *qos_srv_config_merge(apr_pool_t *p, void *basev, void *addv) {
+ qos_srv_config *b = (qos_srv_config *)basev;
+ qos_srv_config *o = (qos_srv_config *)addv;
+ /* GLOBAL ONLY directives: */
+ o->hfilter_table = b->hfilter_table;
+ o->reshfilter_table = b->reshfilter_table;
+ o->log_only = b->log_only;
+ if(o->log_env == -1) {
+ o->log_env = b->log_env;
+ }
+ o->has_qos_cc = b->has_qos_cc;
+ o->cc_exclude_ip = b->cc_exclude_ip;
+ o->qos_cc_size = b->qos_cc_size;
+ o->qos_cc_prefer = b->qos_cc_prefer;
+ o->qos_cc_prefer_limit = b->qos_cc_prefer_limit;
+ o->qos_cc_event = b->qos_cc_event;
+ o->qos_cc_event_req = b->qos_cc_event_req;
+ o->qos_cc_block = b->qos_cc_block;
+ o->qos_cc_blockTime = b->qos_cc_blockTime;
+ o->qos_cc_limitTable = b->qos_cc_limitTable;
+ o->qos_cc_forwardedfor = b->qos_cc_forwardedfor;
+ o->qos_cc_serialize = b->qos_cc_serialize;
+ o->cc_tolerance = b->cc_tolerance;
+ o->qs_req_rate_tm = b->qs_req_rate_tm;
+ o->geodb = b->geodb;
+ o->geo_limit = b->geo_limit;
+ o->geo_priv = b->geo_priv;
+ o->geo_excludeUnknown = b->geo_excludeUnknown;
+ o->qslog_p = b->qslog_p;
+ o->qsstatus = b->qsstatus;
+ o->qsevents = b->qsevents;
+ o->qslog_str = b->qslog_str;
+ o->ip_type = b->ip_type;
+ o->req_rate = b->req_rate;
+ o->req_rate_start = b->req_rate_start;
+ o->min_rate = b->min_rate;
+ o->min_rate_max = b->min_rate_max;
+ o->req_ignore_vip_rate = b->req_ignore_vip_rate;
+ o->event_limit_a = apr_array_append(p, b->event_limit_a, o->event_limit_a);
+ /* end GLOBAL ONLY directives */
+ if(o->disable_handler == -1) {
+ o->disable_handler = b->disable_handler;
+ }
+#ifdef QS_INTERNAL_TEST
+ o->enable_testip = b->enable_testip;
+#endif
+ if(o->error_page == NULL) {
+ o->error_page = b->error_page;
+ }
+ qos_table_merge(o->location_t, b->location_t);
+ o->setenvif_t = apr_array_append(p, b->setenvif_t, o->setenvif_t);
+ qos_table_merge(o->setenv_t, b->setenv_t);
+ qos_table_merge(o->setreqheader_t, b->setreqheader_t);
+ qos_table_merge(o->setreqheaderlate_t, b->setreqheaderlate_t);
+ qos_table_merge(o->unsetreqheader_t, b->unsetreqheader_t);
+ qos_table_merge(o->unsetresheader_t, b->unsetresheader_t);
+ qos_table_merge(o->setenvifquery_t, b->setenvifquery_t);
+ qos_table_merge(o->setenvifparp_t, b->setenvifparp_t);
+ qos_table_merge(o->setenvifparpbody_t, b->setenvifparpbody_t);
+ qos_table_merge(o->setenvstatus_t, b->setenvstatus_t);
+ qos_table_merge(o->setenvresheader_t, b->setenvresheader_t);
+ qos_table_merge(o->setenvresheadermatch_t, b->setenvresheadermatch_t);
+ qos_table_merge(o->setenvres_t, b->setenvres_t);
+ qos_table_merge(o->exclude_ip, b->exclude_ip);
+ o->disable_reqrate_events = qos_table_merge_create(p, b->disable_reqrate_events,
+ o->disable_reqrate_events);
+ if(o->headerfilter == QS_HEADERFILTER_OFF_DEFAULT) {
+ o->headerfilter = b->headerfilter;
+ }
+ if(o->resheaderfilter == QS_HEADERFILTER_OFF_DEFAULT) {
+ o->resheaderfilter = b->resheaderfilter;
+ }
+ o->redirectif = apr_array_append(p, b->redirectif, o->redirectif);
+ if(o->mfile == NULL) {
+ o->mfile = b->mfile;
+ }
+ if(strcmp(o->cookie_name, QOS_COOKIE_NAME) == 0) {
+ o->cookie_name = b->cookie_name;
+ }
+ if(strcmp(o->cookie_path, "/") == 0) {
+ o->cookie_path = b->cookie_path;
+ }
+ if(o->max_age == atoi(QOS_MAX_AGE)) {
+ o->max_age = b->max_age;
+ }
+ if(o->user_tracking_cookie == NULL) {
+ o->user_tracking_cookie = b->user_tracking_cookie;
+ o->user_tracking_cookie_force = b->user_tracking_cookie_force;
+ o->user_tracking_cookie_session = b->user_tracking_cookie_session;
+ o->user_tracking_cookie_jsredirect = b->user_tracking_cookie_jsredirect;
+ o->user_tracking_cookie_domain = b->user_tracking_cookie_domain;
+ }
+ if(o->keyset == 0) {
+ memcpy(o->key, b->key, sizeof(o->key));
+ o->rawKey = b->rawKey;
+ o->rawKeyLen = b->rawKeyLen;
+ }
+ if(o->header_name == NULL) {
+ o->header_name = b->header_name;
+ o->header_name_drop = b->header_name_drop;
+ o->header_name_regex = b->header_name_regex;
+ }
+ if(o->ip_header_name == NULL) {
+ o->ip_header_name = b->ip_header_name;
+ o->ip_header_name_drop = b->ip_header_name_drop;
+ o->ip_header_name_regex = b->ip_header_name_regex;
+ }
+ if(o->vip_user == 0) {
+ o->vip_user = b->vip_user;
+ }
+ if(o->vip_ip_user == 0) {
+ o->vip_ip_user = b->vip_ip_user;
+ }
+ if(o->max_conn == -1) {
+ o->max_conn = b->max_conn;
+ }
+ if(o->max_conn_close == -1) {
+ o->max_conn_close = b->max_conn_close;
+ o->max_conn_close_percent = b->max_conn_close_percent;
+ }
+ if(o->max_conn_per_ip == -1) {
+ o->max_conn_per_ip = b->max_conn_per_ip;
+ }
+ if(o->max_conn_per_ip_ignore_vip == -1) {
+ o->max_conn_per_ip_ignore_vip = b->max_conn_per_ip_ignore_vip;
+ }
+ if(o->max_conn_per_ip_connections == -1) {
+ o->max_conn_per_ip_connections = b->max_conn_per_ip_connections;
+ }
+ if(o->serialize == -1) {
+ o->serialize = b->serialize;
+ o->serializeTMO = b->serializeTMO;
+ }
+ if(o->has_event_filter == 0) {
+ o->has_event_filter = b->has_event_filter;
+ }
+ if(o->has_event_limit == 0) {
+ o->has_event_limit = b->has_event_limit;
+ }
+ if(o->maxpost == -1) {
+ o->maxpost = b->maxpost;
+ }
+ if(o->milestones == NULL) {
+ o->milestones = b->milestones;
+ o->milestoneTimeout = b->milestoneTimeout;
+ }
+ if(o->static_on == -1) {
+ /* use base settings if not configured per vhost */
+ o->static_on = b->static_on;
+ o->static_html = b->static_html;
+ o->static_cssjs = b->static_cssjs;
+ o->static_img = b->static_img;
+ o->static_other = b->static_other;
+ o->static_notmodified = b->static_notmodified;
+ }
+ return o;
+}
+
+const char *qos_logonly_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->log_only = flag;
+ return NULL;
+}
+
+const char *qos_logenv_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->log_env = flag;
+ return NULL;
+}
+
+/**
+ * QS_MaxClients
+ */
+const char *qos_maxclients_cmd(cmd_parms *cmd, void *dcfg, const char *arg1) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->max_clients_conf = atoi(arg1);
+ if(sconf->max_clients_conf <= 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_mfile_cmd(cmd_parms *cmd, void *dcfg, const char *path) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ apr_finfo_t finfo;
+ apr_status_t rc;
+ if(!path[0]) {
+ return apr_psprintf(cmd->pool, "%s: invalid path",
+ cmd->directive->directive);
+ }
+ if((rc = apr_stat(&finfo, path, APR_FINFO_TYPE, cmd->pool)) != APR_SUCCESS) {
+ char *p = apr_pstrdup(cmd->pool, path);
+ /* file? */
+ if(p[strlen(p)-1] == '/') {
+ return apr_psprintf(cmd->pool, "%s: path does not exist",
+ cmd->directive->directive);
+ } else {
+ char *e = strrchr(p, '/');
+ if(e) {
+ e[0] = '\0';
+ }
+ if(((rc = apr_stat(&finfo, p, APR_FINFO_TYPE, cmd->pool)) != APR_SUCCESS) ||
+ (finfo.filetype != APR_DIR)){
+ return apr_psprintf(cmd->pool, "%s: path does not exist",
+ cmd->directive->directive);
+ }
+ }
+ }
+ sconf->mfile = apr_pstrdup(cmd->pool, path);
+ return NULL;
+}
+
+/**
+ * command to define the concurrent request limitation for a location
+ */
+const char *qos_loc_con_cmd(cmd_parms *cmd, void *dcfg, const char *loc, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_table_get(sconf->location_t, loc);
+ if(rule == NULL) {
+ rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrdup(cmd->pool, loc);
+ }
+ rule->limit = atoi(limit);
+ if((rule->limit < 0) || ((rule->limit == 0) && limit && (strcmp(limit, "0") != 0))) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0",
+ cmd->directive->directive);
+ }
+ rule->event = NULL;
+ rule->regex = NULL;
+ rule->condition = NULL;
+ apr_table_setn(sconf->location_t, apr_pstrdup(cmd->pool, loc), (char *)rule);
+ return NULL;
+}
+
+/**
+ * QS_LocRequestPerSecLimit: command to define the req/sec limitation for a location
+ */
+const char *qos_loc_rs_cmd(cmd_parms *cmd, void *dcfg, const char *loc, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_table_get(sconf->location_t, loc);
+ if(rule == NULL) {
+ rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrdup(cmd->pool, loc);
+ }
+ rule->req_per_sec_limit = atol(limit);
+ if(rule->req_per_sec_limit == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ rule->event = NULL;
+ rule->regex = NULL;
+ rule->condition = NULL;
+ apr_table_setn(sconf->location_t, apr_pstrdup(cmd->pool, loc), (char *)rule);
+ return NULL;
+}
+
+/**
+ * QS_LocKBytesPerSecLimit: command to define the kbytes/sec limitation for a location
+ */
+const char *qos_loc_bs_cmd(cmd_parms *cmd, void *dcfg, const char *loc, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_table_get(sconf->location_t, loc);
+ if(rule == NULL) {
+ rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrdup(cmd->pool, loc);
+ }
+ rule->kbytes_per_sec_limit = atol(limit);
+ if(rule->kbytes_per_sec_limit == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ rule->event = NULL;
+ rule->regex = NULL;
+ rule->condition = NULL;
+ apr_table_setn(sconf->location_t, apr_pstrdup(cmd->pool, loc), (char *)rule);
+ return NULL;
+}
+
+/**
+ * QS_LocRequestLimitMatch: defines the maximum of concurrent requests matching the specified
+ * request line pattern
+ */
+const char *qos_match_con_cmd(cmd_parms *cmd, void *dcfg, const char *match, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_table_get(sconf->location_t, match);
+ if(rule == NULL) {
+ rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrdup(cmd->pool, match);
+ }
+ rule->limit = atoi(limit);
+ if((rule->limit < 0) || ((rule->limit == 0) && limit && (strcmp(limit, "0") != 0))) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0",
+ cmd->directive->directive);
+ }
+ rule->regex = ap_pregcomp(cmd->pool, match, AP_REG_EXTENDED);
+ if(rule->regex == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regular expression (%s)",
+ cmd->directive->directive, match);
+ }
+ rule->event = NULL;
+ rule->condition = NULL;
+ apr_table_setn(sconf->location_t, apr_pstrdup(cmd->pool, match), (char *)rule);
+ return NULL;
+}
+
+/**
+ * QS_CondLocRequestLimitMatch: defines the maximum of concurrent requests
+ * matching the specified request line pattern
+ */
+const char *qos_cond_match_con_cmd(cmd_parms *cmd, void *dcfg, const char *match,
+ const char *limit, const char *pattern) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrdup(cmd->pool, match);
+ rule->limit = atoi(limit);
+ if((rule->limit < 0) || ((rule->limit == 0) && limit && (strcmp(limit, "0") != 0))) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0",
+ cmd->directive->directive);
+ }
+ rule->regex = ap_pregcomp(cmd->pool, match, AP_REG_EXTENDED);
+ rule->condition = ap_pregcomp(cmd->pool, pattern, AP_REG_EXTENDED);
+ if(rule->regex == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regular expression (%s)",
+ cmd->directive->directive, match);
+ }
+ if(rule->condition == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regular expression (%s)",
+ cmd->directive->directive, pattern);
+ }
+ rule->event = NULL;
+ apr_table_setn(sconf->location_t, apr_pstrcat(cmd->pool, match, "##conditional##", NULL), (char *)rule);
+ return NULL;
+}
+
+/**
+ * QS_LocRequestPerSecLimitMatch: defines the maximum requests/sec for
+ * the matching request line pattern
+ */
+const char *qos_match_rs_cmd(cmd_parms *cmd, void *dcfg, const char *match, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_table_get(sconf->location_t, match);
+ if(rule == NULL) {
+ rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrdup(cmd->pool, match);
+ }
+ rule->req_per_sec_limit = atol(limit);
+ if(rule->req_per_sec_limit == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ rule->regex = ap_pregcomp(cmd->pool, match, AP_REG_EXTENDED);
+ if(rule->regex == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regular expression (%s)",
+ cmd->directive->directive, match);
+ }
+ rule->event = NULL;
+ rule->condition = NULL;
+ apr_table_setn(sconf->location_t, apr_pstrdup(cmd->pool, match), (char *)rule);
+ return NULL;
+}
+
+/**
+ * QS_LocKBytesPerSecLimitMatch: defines the maximum kbytes/sec for
+ * the matching request line pattern
+ */
+const char *qos_match_bs_cmd(cmd_parms *cmd, void *dcfg, const char *match, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_table_get(sconf->location_t, match);
+ if(rule == NULL) {
+ rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrdup(cmd->pool, match);
+ }
+ rule->kbytes_per_sec_limit = atol(limit);
+ if(rule->kbytes_per_sec_limit == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ rule->regex = ap_pregcomp(cmd->pool, match, AP_REG_EXTENDED);
+ if(rule->regex == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regular expression (%s)",
+ cmd->directive->directive, match);
+ }
+ rule->event = NULL;
+ rule->condition = NULL;
+ apr_table_setn(sconf->location_t, apr_pstrdup(cmd->pool, match), (char *)rule);
+ return NULL;
+}
+
+/**
+ * sets the default limitation of cuncurrent requests
+ */
+const char *qos_loc_con_def_cmd(cmd_parms *cmd, void *dcfg, const char *limit) {
+ return qos_loc_con_cmd(cmd, dcfg, "/", limit);
+}
+
+/**
+ * QS_EventRequestLimit: defines the number of concurrent events
+ */
+const char *qos_event_req_cmd(cmd_parms *cmd, void *dcfg, const char *event, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ char *p = strchr(event, '=');
+ rule->url = apr_pstrcat(cmd->pool, "var=(", event, ")", NULL);
+ rule->limit = atoi(limit);
+ rule->req_per_sec_limit = 0;
+ rule->req_per_sec_limit = 0;
+ if((rule->limit < 0) || ((rule->limit == 0) && limit && (strcmp(limit, "0") != 0))) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0",
+ cmd->directive->directive);
+ }
+ sconf->has_event_filter = 1;
+ if(p) {
+ p++;
+ rule->regex_var = ap_pregcomp(cmd->pool, p, AP_REG_EXTENDED);
+ if(rule->regex_var == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, p);
+ }
+ rule->event = apr_pstrndup(cmd->pool, event, p - event - 1);
+ } else {
+ rule->regex_var = NULL;
+ rule->event = apr_pstrdup(cmd->pool, event);
+ }
+ rule->regex = NULL;
+ rule->condition = NULL;
+ apr_table_setn(sconf->location_t, rule->url, (char *)rule);
+ return NULL;
+}
+
+/**
+ * QS_EventPerSecLimit: defines the maximum requests/sec for the matching variable.
+ */
+const char *qos_event_rs_cmd(cmd_parms *cmd, void *dcfg, const char *event, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrcat(cmd->pool, "var=[", event, "]", NULL);
+ rule->req_per_sec_limit = atol(limit);
+ rule->kbytes_per_sec_limit = 0;
+ if(rule->req_per_sec_limit == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ sconf->has_event_limit = 1;
+ rule->event = apr_pstrdup(cmd->pool, event);
+ rule->regex = NULL;
+ rule->condition = NULL;
+ rule->limit = -1;
+ apr_table_setn(sconf->location_t, rule->url, (char *)rule);
+ return NULL;
+}
+
+/**
+ * QS_EventKBytesPerSecLimit: maximum download per event
+ */
+const char *qos_event_bps_cmd(cmd_parms *cmd, void *dcfg, const char *event, const char *limit) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qs_rule_ctx_t *rule = (qs_rule_ctx_t *)apr_pcalloc(cmd->pool, sizeof(qs_rule_ctx_t));
+ rule->url = apr_pstrcat(cmd->pool, "var={", event, "}", NULL);
+ rule->kbytes_per_sec_limit = atol(limit);
+ rule->req_per_sec_limit = 0;
+ if(rule->kbytes_per_sec_limit == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ sconf->has_event_limit = 1;
+ rule->event = apr_pstrdup(cmd->pool, event);
+ rule->regex = NULL;
+ rule->condition = NULL;
+ rule->limit = -1;
+ apr_table_setn(sconf->location_t, rule->url, (char *)rule);
+ return NULL;
+}
+
+// QS_CondEventLimitCount
+const char *qos_cond_event_limit_cmd(cmd_parms *cmd, void *dcfg, int argc, char *const argv[]) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_event_limit_entry_t *new = apr_array_push(sconf->event_limit_a);
+ if(argc < 4) {
+ return apr_psprintf(cmd->pool, "%s: takes 3 arguments",
+ cmd->directive->directive);
+ }
+ new->env_var = apr_pstrdup(cmd->pool, argv[0]);
+ new->eventDecStr = apr_pstrcat(cmd->pool, argv[0], QS_LIMIT_DEC, NULL);
+ new->max = atoi(argv[1]);
+ new->seconds = atoi(argv[2]);
+ new->action = QS_EVENT_ACTION_DENY;
+ if(new->max == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ if(new->seconds == 0) {
+ return apr_psprintf(cmd->pool, "%s: seconds must be numeric value >0",
+ cmd->directive->directive);
+ }
+ new->condStr = apr_pstrdup(cmd->pool, argv[3]);
+ new->preg = ap_pregcomp(cmd->pool, new->condStr, AP_REG_EXTENDED);
+ if(new->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, new->condStr);
+ }
+ return NULL;
+}
+
+// QS_EventLimitCount
+const char *qos_event_limit_cmd(cmd_parms *cmd, void *dcfg, const char *event,
+ const char *number, const char *seconds) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_event_limit_entry_t *new = apr_array_push(sconf->event_limit_a);
+ new->env_var = apr_pstrdup(cmd->pool, event);
+ new->max = atoi(number);
+ new->seconds = atoi(seconds);
+ new->action = QS_EVENT_ACTION_DENY;
+ new->condStr = NULL;
+ if(new->max == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ if(new->seconds == 0) {
+ return apr_psprintf(cmd->pool, "%s: seconds must be numeric value >0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_event_setenvifstatus_cmd(cmd_parms *cmd, void *dcfg, const char *rc, const char *var) {
+ apr_table_t *setenvstatus_t;
+ if(cmd->path) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ setenvstatus_t = dconf->setenvstatus_t;
+ } else {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ setenvstatus_t = sconf->setenvstatus_t;
+ }
+
+ if(strcasecmp(rc, QS_CLOSE) == 0) {
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if(err != NULL) {
+ return apr_psprintf(cmd->pool, "%s: "QS_CLOSE" may only be defined globally",
+ cmd->directive->directive);
+ }
+ if(strcasecmp(var, QS_BLOCK) != 0) {
+ return apr_psprintf(cmd->pool, "%s: "QS_CLOSE" may only be defined for the event "QS_BLOCK,
+ cmd->directive->directive);
+ }
+ } else if(strcasecmp(rc, QS_MAXIP) == 0) {
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if(err != NULL) {
+ return apr_psprintf(cmd->pool, "%s: "QS_MAXIP" may only be defined globally",
+ cmd->directive->directive);
+ }
+ if(strcasecmp(var, QS_BLOCK) != 0) {
+ return apr_psprintf(cmd->pool, "%s: "QS_MAXIP" may only be defined for the event "QS_BLOCK,
+ cmd->directive->directive);
+ }
+ } else if(strcasecmp(rc, QS_EMPTY_CON) == 0) {
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if(err != NULL) {
+ return apr_psprintf(cmd->pool, "%s: "QS_EMPTY_CON" may only be defined globally",
+ cmd->directive->directive);
+ }
+ if(strcasecmp(var, QS_BLOCK) != 0) {
+ return apr_psprintf(cmd->pool, "%s: "QS_EMPTY_CON" may only be defined for the event "QS_BLOCK,
+ cmd->directive->directive);
+ }
+ } else if(strcasecmp(rc, QS_BROKEN_CON) == 0) {
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if(err != NULL) {
+ return apr_psprintf(cmd->pool, "%s: "QS_BROKEN_CON" may only be defined globally",
+ cmd->directive->directive);
+ }
+ if(strcasecmp(var, QS_BLOCK) != 0) {
+ return apr_psprintf(cmd->pool, "%s: "QS_BROKEN_CON" may only be defined for the event "QS_BLOCK,
+ cmd->directive->directive);
+ }
+ } else {
+ int code = atoi(rc);
+ if(code <= 0) {
+ return apr_psprintf(cmd->pool, "%s: invalid HTTP status code",
+ cmd->directive->directive);
+ }
+ }
+ apr_table_set(setenvstatus_t, rc, var);
+ return NULL;
+}
+
+/** QS_SetEnvIfResBody */
+const char *qos_event_setenvifresbody_cmd(cmd_parms *cmd, void *dcfg, const char *pattern,
+ const char *var) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ if(dconf->response_pattern) {
+ return apr_psprintf(cmd->pool, "%s: only one pattern must be configured for a location",
+ cmd->directive->directive);
+ }
+ dconf->response_pattern = apr_pstrdup(cmd->pool, pattern);
+ dconf->response_pattern_len = strlen(dconf->response_pattern);
+ dconf->response_pattern_var = apr_pstrdup(cmd->pool, var);
+ if(var[0] == '!' && !var[1]) {
+ return apr_psprintf(cmd->pool, "%s: variable name is too short",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+/* QS_SetEnv */
+const char *qos_setenv_cmd(cmd_parms *cmd, void *dcfg, const char *variable,
+ const char *value) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ if(!variable[0] || !value[0]) {
+ return apr_psprintf(cmd->pool, "%s: invalid parameter",
+ cmd->directive->directive);
+ }
+ if(strchr(variable, '=')) {
+ return apr_psprintf(cmd->pool, "%s: variable must not contain a '='",
+ cmd->directive->directive);
+ }
+ apr_table_set(sconf->setenv_t, apr_pstrcat(cmd->pool, variable, "=", value, NULL), variable);
+ return NULL;
+}
+
+/* QS_SetReqHeader */
+const char *qos_setreqheader_cmd(cmd_parms *cmd, void *dcfg, const char *header,
+ const char *variable, const char *late) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+
+ if(!variable[0] || !header[0]) {
+ return apr_psprintf(cmd->pool, "%s: invalid parameter",
+ cmd->directive->directive);
+ }
+ if(header[0] == '!' && !header[1]) {
+ return apr_psprintf(cmd->pool, "%s: header name is too short",
+ cmd->directive->directive);
+ }
+ if(strchr(header, '=')) {
+ return apr_psprintf(cmd->pool, "%s: header name must not contain a '='",
+ cmd->directive->directive);
+ }
+ if(late != NULL) {
+ if(strcasecmp(late, "late") != 0) {
+ return apr_psprintf(cmd->pool, "%s: third parameter can only be 'late'",
+ cmd->directive->directive);
+ }
+ apr_table_set(sconf->setreqheaderlate_t,
+ apr_pstrcat(cmd->pool, header, "=", variable, NULL), header);
+ } else {
+ apr_table_set(sconf->setreqheader_t,
+ apr_pstrcat(cmd->pool, header, "=", variable, NULL), header);
+ }
+ return NULL;
+}
+
+/* QS_UnsetReqHeader */
+const char *qos_unsetreqheader_cmd(cmd_parms *cmd, void *dcfg, const char *header) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ apr_table_set(sconf->unsetreqheader_t, header, "");
+ return NULL;
+}
+
+/* QS_UnsetResHeader */
+const char *qos_unsetresheader_cmd(cmd_parms *cmd, void *dcfg, const char *header) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ apr_table_set(sconf->unsetresheader_t, header, "");
+ return NULL;
+}
+
+const char *qos_event_setenvresheader_cmd(cmd_parms *cmd, void *dcfg, const char *hdr,
+ const char *action) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ apr_table_set(sconf->setenvresheader_t, hdr, action == NULL ? "" : action);
+ return NULL;
+}
+
+const char *qos_event_setenvresheadermatch_cmd(cmd_parms *cmd, void *dcfg, const char *hdr,
+ const char *pcres) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ ap_regex_t *preg = ap_pregcomp(cmd->pool, pcres, AP_REG_DOTALL | AP_REG_ICASE);
+ if(preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: could not compile regular expression '%s'",
+ cmd->directive->directive, pcres);
+ }
+ apr_table_setn(sconf->setenvresheadermatch_t, apr_pstrdup(cmd->pool, hdr), (char *)preg);
+ return NULL;
+}
+
+const char *qos_redirectif_cmd(cmd_parms *cmd, void *dcfg, const char *var,
+ const char *pattern, const char *url) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ qos_redirectif_entry_t *new;
+ if(cmd->path) {
+ new = apr_array_push(dconf->redirectif);
+ } else {
+ new = apr_array_push(sconf->redirectif);
+ }
+ new->name = apr_pstrdup(cmd->pool, var);
+ new->preg = ap_pregcomp(cmd->pool, pattern, (AP_REG_EXTENDED | AP_REG_ICASE));
+ if(new->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: could not compile regular expression %s",
+ cmd->directive->directive, pattern);
+ }
+ if(strncasecmp(url, "307:", 4) == 0) {
+ new->code = HTTP_TEMPORARY_REDIRECT;
+ new->url = apr_pstrdup(cmd->pool, &url[4]);
+ } else if(strncasecmp(url, "301:", 4) == 0) {
+ new->code = HTTP_MOVED_PERMANENTLY;
+ new->url = apr_pstrdup(cmd->pool, &url[4]);
+ } else if(strncasecmp(url, "302:", 4) == 0) {
+ new->code = HTTP_MOVED_TEMPORARILY;
+ new->url = apr_pstrdup(cmd->pool, &url[4]);
+ } else {
+ new->code = HTTP_MOVED_TEMPORARILY;
+ new->url = apr_pstrdup(cmd->pool, url);
+ }
+ return NULL;
+}
+
+const char *qos_setenvres_cmd(cmd_parms *cmd, void *dcfg, const char *var,
+ const char *pattern, const char *var2) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_pregval_t *pregval = apr_pcalloc(cmd->pool, sizeof(qos_pregval_t));
+ pregval->name = apr_pstrdup(cmd->pool, var2);
+ pregval->value = strchr(pregval->name, '=');
+ if(pregval->value) {
+ pregval->value[0] = '\0';
+ pregval->value++;
+ }
+ pregval->preg = ap_pregcomp(cmd->pool, pattern, AP_REG_EXTENDED);
+ if(pregval->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: could not compile regular expression '%s'",
+ cmd->directive->directive, pattern);
+ }
+ apr_table_addn(sconf->setenvres_t, apr_pstrdup(cmd->pool, var), (char *)pregval);
+ return NULL;
+}
+
+/** QS_SetEnvIf */
+const char *qos_event_setenvif_cmd(cmd_parms *cmd, void *dcfg, const char *v1, const char *v2,
+ const char *a3) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_setenvif_t *setenvif;
+ if(cmd->path) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ setenvif = apr_array_push(dconf->setenvif_t);
+ } else {
+ setenvif = apr_array_push(sconf->setenvif_t);
+ }
+
+ if(a3) {
+ // mode 1 (boolean AND operator)
+ setenvif->variable1 = apr_pstrdup(cmd->pool, v1);
+ setenvif->variable2 = apr_pstrdup(cmd->pool, v2);
+ setenvif->preg = NULL;
+ setenvif->name = apr_pstrdup(cmd->pool, a3);
+ setenvif->value = strchr(setenvif->name, '=');
+ if(setenvif->value == NULL) {
+ if(setenvif->name[0] == '!') {
+ setenvif->value = apr_pstrdup(cmd->pool, "");
+ } else {
+ return apr_psprintf(cmd->pool, "%s: new variable must have the format <name>=<value>",
+ cmd->directive->directive);
+ }
+ } else {
+ setenvif->value[0] = '\0';
+ setenvif->value++;
+ }
+ } else {
+ // mode 2 (pattern match)
+ char *pattern;
+ setenvif->variable1 = apr_pstrdup(cmd->pool, v1);
+ pattern = strchr(setenvif->variable1, '=');
+ if(pattern == NULL) {
+ return apr_psprintf(cmd->pool, "%s: missing pattern for variable1",
+ cmd->directive->directive);
+ }
+ pattern[0] = '\0';
+ pattern++;
+ setenvif->variable2 = NULL;
+ setenvif->preg = ap_pregcomp(cmd->pool, pattern, AP_REG_EXTENDED);
+ if(setenvif->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, pattern);
+ }
+ setenvif->name = apr_pstrdup(cmd->pool, v2);
+ setenvif->value = strchr(setenvif->name, '=');
+ if(setenvif->value == NULL) {
+ if(setenvif->name[0] == '!') {
+ setenvif->value = apr_pstrdup(cmd->pool, "");
+ } else {
+ return apr_psprintf(cmd->pool, "%s: new variable must have the format <name>=<value>",
+ cmd->directive->directive);
+ }
+ } else {
+ setenvif->value[0] = '\0';
+ setenvif->value++;
+ }
+ }
+ return NULL;
+}
+
+/** QS_SetEnvIfCmp */
+const char *qos_cmp_cmd(cmd_parms *cmd, void *dcfg, int argc, char *const argv[]) {
+ qos_cmp_entry_t *new;
+ qos_dir_config *conf = dcfg;
+ char *del;
+ if(argc != 4) {
+ return apr_psprintf(cmd->pool, "%s: requires 4 arguments",
+ cmd->directive->directive);
+ }
+ new = apr_array_push(conf->setenvcmp);
+ new->left = apr_pstrdup(cmd->pool, argv[0]);
+ if(strcasecmp(argv[1], "eq") == 0) {
+ new->cmp = QS_CMP_EQ;
+ } else if(strcasecmp(argv[1], "ne") == 0) {
+ new->cmp = QS_CMP_NE;
+ } else if(strcasecmp(argv[1], "lt") == 0) {
+ new->cmp = QS_CMP_LT;
+ } else if(strcasecmp(argv[1], "gt") == 0) {
+ new->cmp = QS_CMP_GT;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: invalid operator '%s",
+ cmd->directive->directive, argv[1]);
+ }
+ new->right = apr_pstrdup(cmd->pool, argv[2]);
+ new->variable = apr_pstrdup(cmd->pool, argv[3]);
+ del = strchr(new->variable, '=');
+ if(del) {
+ new->value = &del[1];
+ del[0] = '\0';
+ } else {
+ new->value = apr_pstrdup(cmd->pool, "");
+ }
+ return NULL;
+}
+
+/** QS_SetEnvIfQuery */
+const char *qos_event_setenvifquery_cmd(cmd_parms *cmd, void *dcfg, const char *rx, const char *v) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_setenvifquery_t *setenvif = apr_pcalloc(cmd->pool, sizeof(qos_setenvifquery_t));
+ char *p;
+ setenvif->preg = ap_pregcomp(cmd->pool, rx, AP_REG_EXTENDED);
+ if(setenvif->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, rx);
+ }
+ if(strlen(v) < 2) {
+ return apr_psprintf(cmd->pool, "%s: variable name is too short (%s)",
+ cmd->directive->directive, v);
+ }
+ setenvif->name = apr_pstrdup(cmd->pool, v);
+ p = strchr(setenvif->name, '=');
+ if(p == NULL) {
+ setenvif->value = apr_pstrdup(cmd->pool, "");
+ } else {
+ p[0] = '\0';
+ p++;
+ setenvif->value = p;
+ }
+ if(cmd->path) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ apr_table_setn(dconf->setenvifquery_t, apr_pstrdup(cmd->pool, rx), (char *)setenvif);
+ } else {
+ apr_table_setn(sconf->setenvifquery_t, apr_pstrdup(cmd->pool, rx), (char *)setenvif);
+ }
+ return NULL;
+}
+
+const char *qos_event_setenvifparpbody_cmd(cmd_parms *cmd, void *dcfg,
+ const char *rx, const char *v) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_setenvifparpbody_t *setenvif = apr_pcalloc(cmd->pool, sizeof(qos_setenvifparpbody_t));
+ char *p;
+ setenvif->pregx = ap_pregcomp(cmd->pool, rx, AP_REG_DOTALL | AP_REG_EXTENDED | AP_REG_ICASE);
+ if(setenvif->pregx == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, rx);
+ }
+ setenvif->name = apr_pstrdup(cmd->pool, v);
+ p = strchr(setenvif->name, '=');
+ if(p == NULL) {
+ setenvif->value = apr_pstrdup(cmd->pool, "");
+ } else {
+ p[0] = '\0';
+ p++;
+ setenvif->value = p;
+ }
+ m_requires_parp = 1;
+ apr_table_setn(sconf->setenvifparpbody_t, apr_pstrdup(cmd->pool, rx), (char *)setenvif);
+ return NULL;
+}
+
+const char *qos_event_setenvifparp_cmd(cmd_parms *cmd, void *dcfg, const char *rx, const char *v) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_setenvifquery_t *setenvif = apr_pcalloc(cmd->pool, sizeof(qos_setenvifquery_t));
+ char *p;
+ setenvif->preg = ap_pregcomp(cmd->pool, rx, AP_REG_EXTENDED);
+ if(setenvif->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, rx);
+ }
+ if(strlen(v) < 2) {
+ return apr_psprintf(cmd->pool, "%s: variable name is too short (%s)",
+ cmd->directive->directive, v);
+ }
+ setenvif->name = apr_pstrdup(cmd->pool, v);
+ p = strchr(setenvif->name, '=');
+ if(p == NULL) {
+ setenvif->value = apr_pstrdup(cmd->pool, "");
+ } else {
+ p[0] = '\0';
+ p++;
+ setenvif->value = p;
+ }
+ m_requires_parp = 1;
+ apr_table_setn(sconf->setenvifparp_t, apr_pstrdup(cmd->pool, rx), (char *)setenvif);
+ return NULL;
+}
+
+/**
+ * defines custom error page
+ */
+const char *qos_error_page_cmd(cmd_parms *cmd, void *dcfg, const char *path) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->error_page = apr_pstrdup(cmd->pool, path);
+ if((sconf->error_page[0] != '/') &&
+ (strncmp(sconf->error_page, "http", 4) != 0)) {
+ return apr_psprintf(cmd->pool, "%s: requires absolute path (%s)",
+ cmd->directive->directive, sconf->error_page);
+ }
+ return NULL;
+}
+
+#if APR_HAS_THREADS
+/**
+ * QS_Status
+ */
+const char *qos_qsstatus_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->qsstatus = flag;
+ return NULL;
+}
+#endif
+
+/**
+ * QS_EventCount
+ */
+const char *qos_qsevents_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->qsevents = flag;
+ return NULL;
+}
+
+/**
+ * pipe to global qslog tool (per Apache instance stat)
+ */
+const char *qos_qlog_cmd(cmd_parms *cmd, void *dcfg, const char *arg) {
+ qos_srv_config *sconf = ap_get_module_config(cmd->server->module_config, &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->qslog_str = apr_pstrdup(cmd->pool, arg);
+ return NULL;
+}
+
+/**
+ * global error code setting
+ */
+const char *qos_error_code_cmd(cmd_parms *cmd, void *dcfg, const char *arg) {
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ int idx500 = ap_index_of_response(HTTP_INTERNAL_SERVER_ERROR);
+ if (err != NULL) {
+ return err;
+ }
+ m_retcode = atoi(arg);
+ if((m_retcode < 400) || (m_retcode > 599)) {
+ return apr_psprintf(cmd->pool, "%s: HTTP response code code must be a"
+ " numeric value between 400 and 599",
+ cmd->directive->directive);
+ }
+ if(m_retcode != 500) {
+ if(ap_index_of_response(m_retcode) == idx500) {
+ return apr_psprintf(cmd->pool, "%s: unsupported HTTP response code",
+ cmd->directive->directive);
+ }
+ }
+ return NULL;
+}
+
+/**
+ * global connection close behavior
+ */
+const char *qos_forced_close_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ m_forced_close = flag;
+ return NULL;
+}
+
+/** QS_UserTrackingCookieName */
+
+#ifdef AP_TAKE_ARGV
+const char *qos_user_tracking_cookie_cmd(cmd_parms *cmd, void *dcfg,
+ int argc, char *const argv[]) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ int pos = 1;
+ if(argc == 0) {
+ return apr_psprintf(cmd->pool, "%s: takes 1 to 4 arguments",
+ cmd->directive->directive);
+ }
+ sconf->user_tracking_cookie = apr_pstrdup(cmd->pool, argv[0]);
+ while(pos < argc) {
+ const char *value = argv[pos];
+ if(value[0] == '/') {
+ sconf->user_tracking_cookie_force = apr_pstrdup(cmd->pool, value);
+ } else if(strcasecmp(value, "session") == 0) {
+ sconf->user_tracking_cookie_session = 1;
+ } else if(strcasecmp(value, "jsredirect") == 0) {
+ sconf->user_tracking_cookie_jsredirect = 1;
+ } else {
+ if(sconf->user_tracking_cookie_domain != NULL) {
+ return apr_psprintf(cmd->pool, "%s: invalid attribute"
+ " (expects <name>, <path>, 'session', or <domain>",
+ cmd->directive->directive);
+ }
+ sconf->user_tracking_cookie_domain = apr_pstrdup(cmd->pool, value);
+ }
+ pos++;
+ }
+ return NULL;
+}
+#else
+const char *qos_user_tracking_cookie_cmd(cmd_parms *cmd, void *dcfg,
+ const char *name,
+ const char *option1,
+ const char *option2) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *force = NULL;
+ sconf->user_tracking_cookie = apr_pstrdup(cmd->pool, name);
+ if(option1) {
+ if((strcasecmp(option1, "session") == 0) ||
+ (strcasecmp(option1, "'session'") == 0)) {
+ sconf->user_tracking_cookie_session = 1;
+ } else {
+ force = option1;
+ }
+ }
+ if(option2) {
+ if((strcasecmp(option2, "session") == 0) ||
+ (strcasecmp(option2, "'session'") == 0)) {
+ sconf->user_tracking_cookie_session = 1;
+ } else {
+ if(force == NULL) {
+ force = option2;
+ }
+ }
+ }
+ if(force) {
+ if(force[0] != '/') {
+ return apr_psprintf(cmd->pool, "%s: invalid path '%s'",
+ cmd->directive->directive, force);
+ }
+ sconf->user_tracking_cookie_force = apr_pstrdup(cmd->pool, force);
+ }
+ return NULL;
+}
+#endif
+
+/**
+ * session definitions: cookie name and path, expiration/max-age
+ */
+const char *qos_cookie_name_cmd(cmd_parms *cmd, void *dcfg, const char *name) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->cookie_name = apr_pstrdup(cmd->pool, name);
+ return NULL;
+}
+
+const char *qos_cookie_path_cmd(cmd_parms *cmd, void *dcfg, const char *path) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->cookie_path = apr_pstrdup(cmd->pool, path);
+ return NULL;
+}
+
+const char *qos_timeout_cmd(cmd_parms *cmd, void *dcfg, const char *sec) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->max_age = atoi(sec);
+ if(sconf->max_age == 0) {
+ return apr_psprintf(cmd->pool, "%s: timeout must be numeric value >0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_key_cmd(cmd_parms *cmd, void *dcfg, const char *seed) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->rawKey = (unsigned char *)apr_pstrdup(cmd->pool, seed);
+ sconf->rawKeyLen = strlen(seed);
+ EVP_BytesToKey(EVP_des_ede3_cbc(), EVP_sha1(), NULL,
+ sconf->rawKey, sconf->rawKeyLen, 1, sconf->key, NULL);
+ sconf->keyset = 1;
+ return NULL;
+}
+
+/**
+ * name of the http header to mark a vip
+ */
+const char *qos_header_name_cmd(cmd_parms *cmd, void *dcfg, const char *n, const char *drop) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ char *name = apr_pstrdup(cmd->pool, n);
+ char *p = strchr(name, '=');
+ if(p) {
+ p[0] = '\0';
+ p++;
+ sconf->header_name_regex = ap_pregcomp(cmd->pool, p, AP_REG_EXTENDED);
+ if(sconf->header_name_regex == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, p);
+ }
+ } else {
+ sconf->header_name_regex = NULL;
+ }
+ if(drop && (strcasecmp(drop, "drop") == 0)) {
+ sconf->header_name_drop = 1;
+ } else {
+ sconf->header_name_drop = 0;
+ }
+ sconf->header_name = name;
+ return NULL;
+}
+
+const char *qos_ip_header_name_cmd(cmd_parms *cmd, void *dcfg, const char *n, const char *drop) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ char *name = apr_pstrdup(cmd->pool, n);
+ char *p = strchr(name, '=');
+ if(p) {
+ p[0] = '\0';
+ p++;
+ sconf->ip_header_name_regex = ap_pregcomp(cmd->pool, p, AP_REG_EXTENDED);
+ if(sconf->ip_header_name_regex == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, p);
+ }
+ } else {
+ sconf->ip_header_name_regex = NULL;
+ }
+ if(drop && (strcasecmp(drop, "drop") == 0)) {
+ sconf->ip_header_name_drop = 1;
+ } else {
+ sconf->ip_header_name_drop = 0;
+ }
+ sconf->has_qos_cc = 1;
+ sconf->ip_header_name = name;
+ return NULL;
+}
+
+const char *qos_vip_u_cmd(cmd_parms *cmd, void *dcfg) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->vip_user = 1;
+ return NULL;
+}
+
+const char *qos_vip_ip_u_cmd(cmd_parms *cmd, void *dcfg) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->vip_ip_user = 1;
+ return NULL;
+}
+
+/**
+ * max concurrent connections per server
+ */
+const char *qos_max_conn_cmd(cmd_parms *cmd, void *dcfg, const char *number) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->has_conn_counter = 1;
+ sconf->max_conn = atoi(number);
+ if(sconf->max_conn == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+/**
+ * QS_SrvMaxConnClose, disable keep-alive
+ */
+const char *qos_max_conn_close_cmd(cmd_parms *cmd, void *dcfg, const char *number) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ char *n = apr_pstrdup(cmd->temp_pool, number);
+ sconf->has_conn_counter = 1;
+ if((strlen(n) > 1) &&
+ (n[strlen(n)-1] == '%')) {
+ n[strlen(n)-1] = '\0';
+ sconf->max_conn_close = atoi(n);
+ sconf->max_conn_close_percent = sconf->max_conn_close;
+ if(sconf->max_conn_close > 99) {
+ return apr_psprintf(cmd->pool, "%s: number must be a percentage <100",
+ cmd->directive->directive);
+ }
+ } else {
+ sconf->max_conn_close = atoi(n);
+ sconf->max_conn_close_percent = 0;
+ }
+ if(sconf->max_conn_close == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be >0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+/**
+ * max concurrent connections per client ip
+ */
+const char *qos_max_conn_ip_cmd(cmd_parms *cmd, void *dcfg, const char *number,
+ const char *connections) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->has_conn_counter = 1;
+ sconf->max_conn_per_ip = atoi(number);
+ if(sconf->max_conn_per_ip == 0) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ if(connections) {
+ sconf->max_conn_per_ip_connections = atoi(connections);
+ if((sconf->max_conn_per_ip_connections == 0) &&
+ (strcmp(connections, "0") != 0)) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >0",
+ cmd->directive->directive);
+ }
+ }
+ return NULL;
+}
+
+/* QS_SrvMaxConnPerIPIgnoreVIP */
+const char *qos_max_conn_ip_vip_off_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->max_conn_per_ip_ignore_vip = flag;
+ return NULL;
+}
+
+/**
+ * QS_SrvSerialize
+ */
+const char *qos_serialize_cmd(cmd_parms *cmd, void *dcfg, const char * flag,
+ const char *seconds) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ if(strcasecmp(flag, "on") == 0) {
+ sconf->serialize = 1;
+ } else if(strcasecmp(flag, "off") == 0) {
+ sconf->serialize = 0;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: flag needs to be either 'on' or 'off'",
+ cmd->directive->directive);
+ }
+ if(seconds) {
+ sconf->serializeTMO = atoi(seconds);
+ if(sconf->serializeTMO <= 0) {
+ return apr_psprintf(cmd->pool, "%s: timeout (seconds) must be a numeric value >0",
+ cmd->directive->directive);
+ }
+ // n * 50 milliseconds
+ sconf->serializeTMO = sconf->serializeTMO * 20;
+ }
+ return NULL;
+}
+
+/**
+ * ip address without any limitation
+ */
+const char *qos_max_conn_ex_cmd(cmd_parms *cmd, void *dcfg, const char *addr) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ if(addr[strlen(addr)-1] == '.') {
+ /* address range */
+ apr_table_add(sconf->exclude_ip, addr, "r");
+ } else if(addr[strlen(addr)-1] == ':') {
+ /* address range */
+ apr_table_add(sconf->exclude_ip, addr, "r");
+ } else {
+ /* single ip */
+ apr_table_add(sconf->exclude_ip, addr, "s");
+ }
+ return NULL;
+}
+
+const char *qos_req_rate_off_cmd(cmd_parms *cmd, void *dcfg) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->min_rate_off = 1;
+ return NULL;
+}
+
+/** verify, that the platform supports "%p" in sprintf */
+static int qos_sprintfcheck() {
+ char buf[128];
+ char buf2[128];
+ sprintf(buf, "%p", buf);
+ sprintf(buf2, "%p", buf2);
+ if((strcmp(buf, buf2) == 0) || (strlen(buf) < 4)) {
+ /* not okay */
+ return 0;
+ }
+ return 1;
+}
+
+const char *qos_req_rate_cmd(cmd_parms *cmd, void *dcfg, const char *sec, const char *secmax) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ if(!qos_sprintfcheck()) {
+ return apr_psprintf(cmd->pool, "%s: directive can't be used on this platform",
+ cmd->directive->directive);
+ }
+ if(sconf->req_rate != -1) {
+ return apr_psprintf(cmd->pool, "%s: directive can't be used together with QS_SrvMinDataRate",
+ cmd->directive->directive);
+ }
+ sconf->req_rate = atoi(sec);
+ if(sconf->req_rate <= 0) {
+ return apr_psprintf(cmd->pool, "%s: request rate must be a numeric value >0",
+ cmd->directive->directive);
+ }
+ if(secmax) {
+ sconf->min_rate_max = atoi(secmax);
+ if(sconf->min_rate_max <= sconf->min_rate) {
+ return apr_psprintf(cmd->pool, "%s: max. data rate must be a greater than min. value",
+ cmd->directive->directive);
+ }
+ }
+ return NULL;
+}
+
+/* QS_SrvMinDataRateOffEvent */
+const char *qos_min_rate_off_cmd(cmd_parms *cmd, void *dcfg, const char *var) {
+ apr_table_t *disable_reqrate_events;
+ if(cmd->path) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ disable_reqrate_events = dconf->disable_reqrate_events;
+ } else {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ disable_reqrate_events = sconf->disable_reqrate_events;
+ }
+ if(((var[0] != '+') && (var[0] != '-')) || (strlen(var) < 2)) {
+ return apr_psprintf(cmd->pool, "%s: invalid variable (requires +/- prefix)",
+ cmd->directive->directive);
+ }
+ apr_table_set(disable_reqrate_events, var, "");
+ return NULL;
+}
+
+#ifdef AP_TAKE_ARGV
+const char *qos_min_rate_cmd(cmd_parms *cmd, void *dcfg, int argc, char *const argv[])
+#else
+const char *qos_min_rate_cmd(cmd_parms *cmd, void *dcfg, const char *_sec, const char *_secmax)
+#endif
+{
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *sec = NULL;
+ const char *secmax = NULL;
+ const char *connections = NULL;
+#ifdef AP_TAKE_ARGV
+ if(argc == 0) {
+ return apr_psprintf(cmd->pool, "%s: takes 1 to 3 arguments",
+ cmd->directive->directive);
+ }
+ sec = argv[0];
+ if(argc > 1) {
+ secmax = argv[1];
+ }
+ if(argc > 2) {
+ connections = argv[2];
+ }
+#else
+ sec = _sec;
+ secmax = _secmax;
+#endif
+ if (err != NULL) {
+ return err;
+ }
+ if(!qos_sprintfcheck()) {
+ return apr_psprintf(cmd->pool, "%s: directive can't be used on this platform",
+ cmd->directive->directive);
+ }
+ if(sconf->req_rate != -1) {
+ return apr_psprintf(cmd->pool, "%s: directive can't be used together with QS_SrvRequestRate",
+ cmd->directive->directive);
+ }
+ sconf->req_rate = atoi(sec);
+ sconf->min_rate = sconf->req_rate;
+ if(connections) {
+ sconf->req_rate_start = atoi(connections);
+ if(sconf->req_rate_start <= 0) {
+ return apr_psprintf(cmd->pool, "%s: number of connections must be a numeric value >0",
+ cmd->directive->directive);
+ }
+ }
+ if(sconf->req_rate <= 0) {
+ return apr_psprintf(cmd->pool, "%s: minimal data rate must be a numeric value >0",
+ cmd->directive->directive);
+ }
+ if(secmax) {
+ sconf->min_rate_max = atoi(secmax);
+ if(sconf->min_rate_max <= sconf->min_rate) {
+ return apr_psprintf(cmd->pool, "%s: max. data rate must be a greater than min. value",
+ cmd->directive->directive);
+ }
+ }
+ return NULL;
+}
+
+/* QS_SrvMinDataRateIgnoreVIP */
+const char *qos_min_rate_vip_off_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->req_ignore_vip_rate = flag;
+ return NULL;
+}
+
+/**
+ * generic filter command
+ */
+const char *qos_deny_cmd(cmd_parms *cmd, void *dcfg,
+ const char *id, const char *action, const char *pcres,
+ qs_rfilter_type_e type, int options) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ qos_rfilter_t *flt = apr_pcalloc(cmd->pool, sizeof(qos_rfilter_t));
+ flt->type = type;
+ if(((id[0] != '+') && (id[0] != '-')) || (strlen(id) < 2)) {
+ return apr_psprintf(cmd->pool, "%s: invalid rule id",
+ cmd->directive->directive);
+ }
+ flt->id = apr_pstrdup(cmd->pool, &id[1]);
+ if(strcasecmp(action, "log") == 0) {
+ flt->action = QS_LOG;
+ } else if(strcasecmp(action, "deny") == 0) {
+ flt->action = QS_DENY;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: invalid action",
+ cmd->directive->directive);
+ }
+ if(flt->type != QS_DENY_EVENT) {
+ flt->preg = ap_pregcomp(cmd->pool, pcres, AP_REG_DOTALL | options);
+ if(flt->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: could not compile regular expression '%s'",
+ cmd->directive->directive,
+ pcres);
+ }
+ }
+ flt->text = apr_pstrdup(cmd->pool, pcres);
+ apr_table_setn(dconf->rfilter_table, apr_pstrdup(cmd->pool, id), (char *)flt);
+ return NULL;
+}
+const char *qos_deny_rql_cmd(cmd_parms *cmd, void *dcfg,
+ const char *id, const char *action, const char *pcres) {
+ return qos_deny_cmd(cmd, dcfg, id, action, pcres, QS_DENY_REQUEST_LINE, AP_REG_ICASE);
+}
+const char *qos_deny_path_cmd(cmd_parms *cmd, void *dcfg,
+ const char *id, const char *action, const char *pcres) {
+ return qos_deny_cmd(cmd, dcfg, id, action, pcres, QS_DENY_PATH, AP_REG_ICASE);
+}
+const char *qos_deny_query_cmd(cmd_parms *cmd, void *dcfg,
+ const char *id, const char *action, const char *pcres) {
+ return qos_deny_cmd(cmd, dcfg, id, action, pcres, QS_DENY_QUERY, AP_REG_ICASE);
+}
+const char *qos_deny_event_cmd(cmd_parms *cmd, void *dcfg,
+ const char *id, const char *action, const char *event) {
+ return qos_deny_cmd(cmd, dcfg, id, action, event, QS_DENY_EVENT, 0);
+}
+const char *qos_permit_uri_cmd(cmd_parms *cmd, void *dcfg,
+ const char *id, const char *action, const char *pcres) {
+ return qos_deny_cmd(cmd, dcfg, id, action, pcres, QS_PERMIT_URI, 0);
+}
+const char *qos_deny_urlenc_cmd(cmd_parms *cmd, void *dcfg, const char *mode) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ if(strcasecmp(mode, "log") == 0) {
+ dconf->urldecoding = QS_LOG;
+ } else if(strcasecmp(mode, "deny") == 0) {
+ dconf->urldecoding = QS_DENY;
+ } else if(strcasecmp(mode, "off") == 0) {
+ dconf->urldecoding = QS_OFF;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: invalid action",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_milestone_tmo_cmd(cmd_parms *cmd, void *dcfg, const char *sec) {
+ qos_srv_config *sconf = ap_get_module_config(cmd->server->module_config, &qos_module);
+ sconf->milestoneTimeout = atoi(sec);
+ if(sconf->milestoneTimeout <= 0) {
+ return apr_psprintf(cmd->pool, "%s: timeout must be numeric value >0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_milestone_cmd(cmd_parms *cmd, void *dcfg, const char *action,
+ const char *pattern, const char *thinktimestr) {
+ qos_srv_config *sconf = ap_get_module_config(cmd->server->module_config, &qos_module);
+ qos_milestone_t *ms;
+ if(sconf->milestones == NULL) {
+ sconf->milestones = apr_array_make(cmd->pool, 100, sizeof(qos_milestone_t));
+ }
+ ms = apr_array_push(sconf->milestones);
+ ms->num = sconf->milestones->nelts - 1;
+ if(thinktimestr != NULL) {
+ ms->thinktime = atoi(thinktimestr);
+ if(ms->thinktime <= 0) {
+ return apr_psprintf(cmd->pool, "%s: invalid 'think time' (must be numeric value >0)",
+ cmd->directive->directive);
+ }
+ } else {
+ ms->thinktime = 0;
+ }
+ ms->preg = ap_pregcomp(cmd->pool, pattern, AP_REG_DOTALL);
+ if(ms->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: could not compile regular expression '%s'",
+ cmd->directive->directive, pattern);
+ }
+ ms->pattern = apr_pstrdup(cmd->pool, pattern);
+ if(strcasecmp(action, "deny") == 0) {
+ ms->action = QS_DENY;
+ } else if(strcasecmp(action, "log") == 0) {
+ ms->action = QS_LOG;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: invalid action %s",
+ cmd->directive->directive, action);
+ }
+ return NULL;
+}
+
+const char *qos_maxpost_cmd(cmd_parms *cmd, void *dcfg, const char *bytes) {
+ apr_off_t s;
+ char *errp = NULL;
+#ifdef ap_http_scheme
+ /* Apache 2.2 */
+ if(APR_SUCCESS != apr_strtoff(&s, bytes, &errp, 10))
+#else
+ if((s = apr_atoi64(bytes)) < 0)
+#endif
+ {
+ return "QS_LimitRequestBody argument is not parsable";
+ }
+ if(s < 0) {
+ return "QS_LimitRequestBody requires a non-negative integer";
+ }
+ if(cmd->path == NULL) {
+ /* server */
+ qos_srv_config *sconf = ap_get_module_config(cmd->server->module_config, &qos_module);
+ sconf->maxpost = s;
+ } else {
+ /* location */
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ dconf->maxpost = s;
+ }
+ return NULL;
+}
+
+/* QS_Decoding */
+const char *qos_dec_cmd(cmd_parms *cmd, void *dcfg, const char *arg) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+// if(strcasecmp(arg, "html") == 0) {
+// dconf->dec_mode |= QOS_DEC_MODE_FLAGS_HTML;
+// } else
+ if(strcasecmp(arg, "uni") == 0) {
+ dconf->dec_mode |= QOS_DEC_MODE_FLAGS_UNI;
+// } if(strcasecmp(arg, "ansi") == 0) {
+// dconf->dec_mode |= QOS_DEC_MODE_FLAGS_ANSI;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: unknown decoding '%s'",
+ cmd->directive->directive, arg);
+ }
+ return NULL;
+}
+
+const char *qos_denyinheritoff_cmd(cmd_parms *cmd, void *dcfg) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ dconf->inheritoff = 1;
+ return NULL;
+}
+
+const char *qos_denybody_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ dconf->bodyfilter_p = flag;
+ dconf->bodyfilter_d = flag;
+ if(flag) {
+ m_requires_parp = 1;
+ }
+ return NULL;
+}
+
+const char *qos_denybody_d_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ dconf->bodyfilter_d = flag;
+ if(flag) {
+ m_requires_parp = 1;
+ }
+ return NULL;
+}
+
+const char *qos_denybody_p_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ dconf->bodyfilter_p = flag;
+ if(flag) {
+ m_requires_parp = 1;
+ }
+ return NULL;
+}
+
+/* QS_RequestHeaderFilter enables/disables header filter */
+const char *qos_headerfilter_cmd(cmd_parms *cmd, void *dcfg, const char *flag) {
+ qs_headerfilter_mode_e headerfilter;
+ if(strcasecmp(flag, "on") == 0) {
+ headerfilter = QS_HEADERFILTER_ON;
+ } else if(strcasecmp(flag, "off") == 0) {
+ headerfilter = QS_HEADERFILTER_OFF;
+ } else if(strcasecmp(flag, "size") == 0) {
+ headerfilter = QS_HEADERFILTER_SIZE_ONLY;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: invalid argument",
+ cmd->directive->directive);
+ }
+ if(cmd->path) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ dconf->headerfilter = headerfilter;
+ } else {
+ qos_srv_config *sconf = ap_get_module_config(cmd->server->module_config, &qos_module);
+ sconf->headerfilter = headerfilter;
+ }
+ return NULL;
+}
+
+/* QS_ResponseHeaderFilter */
+const char *qos_resheaderfilter_cmd(cmd_parms *cmd, void *dcfg, const char *flag) {
+ qos_dir_config *dconf = (qos_dir_config*)dcfg;
+ if(strcasecmp(flag, "on") == 0) {
+ dconf->resheaderfilter = QS_HEADERFILTER_ON;
+ } else if(strcasecmp(flag, "off") == 0) {
+ dconf->resheaderfilter = QS_HEADERFILTER_OFF;
+ } else if(strcasecmp(flag, "silent") == 0) {
+ dconf->resheaderfilter = QS_HEADERFILTER_SILENT;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: invalid argument",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+/* QS_RequestHeaderFilterRule: set custom header rules (global only)
+ name, action, pcre, size */
+#ifdef AP_TAKE_ARGV
+const char *qos_headerfilter_rule_cmd(cmd_parms *cmd, void *dcfg, int argc, char *const argv[])
+#else
+const char *qos_headerfilter_rule_cmd(cmd_parms *cmd, void *dcfg,
+ const char *header, const char *action,
+ const char *rule)
+#endif
+ {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_fhlt_r_t *he;
+#ifdef AP_TAKE_ARGV
+ const char *header;
+ const char *rule;
+ const char *action;
+#endif
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+#ifdef AP_TAKE_ARGV
+ if(argc != 4) {
+ return apr_psprintf(cmd->pool, "%s: takes 4 arguments",
+ cmd->directive->directive);
+ }
+#endif
+ he = apr_pcalloc(cmd->pool, sizeof(qos_fhlt_r_t));
+#ifdef AP_TAKE_ARGV
+ header = argv[0];
+ action = argv[1];
+ rule = argv[2];
+ he->size = atoi(argv[3]);
+#else
+ he->size = 9000;
+#endif
+ he->text = apr_pstrdup(cmd->pool, rule);
+ he->preg = ap_pregcomp(cmd->pool, rule, AP_REG_DOTALL);
+ if(strcasecmp(action, "deny") == 0) {
+ he->action = QS_FLT_ACTION_DENY;
+ } else if(strcasecmp(action, "drop") == 0) {
+ he->action = QS_FLT_ACTION_DROP;
+ } else {
+ return apr_psprintf(cmd->pool, "%s: invalid action %s",
+ cmd->directive->directive, action);
+ }
+ if(he->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: could not compile regular expression '%s'",
+ cmd->directive->directive, rule);
+ }
+ if(he->size <= 0) {
+ return apr_psprintf(cmd->pool, "%s: size must be numeric value >0",
+ cmd->directive->directive);
+ }
+ apr_table_setn(sconf->hfilter_table, apr_pstrdup(cmd->pool, header), (char *)he);
+ return NULL;
+}
+
+const char *qos_resheaderfilter_rule_cmd(cmd_parms *cmd, void *dcfg,
+ const char *header,
+ const char *rule, const char *size) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ qos_fhlt_r_t *he;
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ he = apr_pcalloc(cmd->pool, sizeof(qos_fhlt_r_t));
+ he->size = atoi(size);
+ he->text = apr_pstrdup(cmd->pool, rule);
+ he->preg = ap_pregcomp(cmd->pool, rule, AP_REG_DOTALL);
+ he->action = QS_FLT_ACTION_DROP;
+ if(he->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: could not compile regular expression '%s'",
+ cmd->directive->directive, rule);
+ }
+ if(he->size <= 0) {
+ return apr_psprintf(cmd->pool, "%s: size must be numeric value >0",
+ cmd->directive->directive);
+ }
+ apr_table_setn(sconf->reshfilter_table, apr_pstrdup(cmd->pool, header), (char *)he);
+ return NULL;
+}
+
+const char *qos_geodb_cmd(cmd_parms *cmd, void *dcfg, const char *arg1) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ char *msg = NULL;
+ int errors = 0;
+ qos_geo_t *geodb = apr_pcalloc(cmd->pool, sizeof(qos_geo_t));
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+
+ sconf->geodb = geodb;
+ sconf->geodb->data = NULL;
+ sconf->geodb->path = ap_server_root_relative(cmd->pool, arg1);
+ sconf->geodb->size = 0;
+
+ if(qos_loadgeo(cmd->pool, sconf->geodb, &msg, &errors) != APR_SUCCESS) {
+ return apr_psprintf(cmd->pool, "%s: failed to load the database: %s"
+ " (total %d errors)",
+ cmd->directive->directive,
+ msg ? msg : "-",
+ errors);
+ }
+
+ return NULL;
+}
+
+const char *qos_geopriv_cmd(cmd_parms *cmd, void *dcfg, const char *list, const char *con,
+ const char *excludeUnknown) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ char *next = apr_pstrdup(cmd->pool, list);
+ int geo_limit;
+ char *name;
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ name = apr_strtok(next, ",", &next);
+ if(name == NULL) {
+ return apr_psprintf(cmd->pool, "%s: empty list",
+ cmd->directive->directive);
+ }
+ while(name) {
+ apr_table_set(sconf->geo_priv, name, "");
+ name = apr_strtok(NULL, ",", &next);
+ }
+ geo_limit = atoi(con);
+ if(geo_limit <= 0 && con[0] != '0' && con[1] != '\0') {
+ return apr_psprintf(cmd->pool, "%s: invalid connection number",
+ cmd->directive->directive);
+ }
+ if(sconf->geo_limit != -1 && sconf->geo_limit != geo_limit) {
+ return apr_psprintf(cmd->pool, "%s: already configured with a different limitation",
+ cmd->directive->directive);
+ }
+ if(excludeUnknown != NULL) {
+ if(strcasecmp(excludeUnknown, excludeUnknown) != 0) {
+ return apr_psprintf(cmd->pool, "%s: invalid argument %s",
+ cmd->directive->directive, excludeUnknown);
+ }
+ sconf->geo_excludeUnknown = 1;
+ }
+ sconf->geo_limit = geo_limit;
+ return NULL;
+}
+
+const char *qos_enable_ipv6_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ if(flag) {
+ sconf->ip_type = QS_IP_V6;
+ } else {
+ sconf->ip_type = QS_IP_V4;
+ }
+ return NULL;
+}
+
+const char *qos_client_ex_cmd(cmd_parms *cmd, void *dcfg, const char *addr) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ if(strlen(addr) == 0) {
+ return apr_psprintf(cmd->pool, "%s: invalid address",
+ cmd->directive->directive);
+ }
+ if(addr[strlen(addr)-1] == '.') {
+ /* address range */
+ apr_table_add(sconf->cc_exclude_ip, addr, "r");
+ } else if(addr[strlen(addr)-1] == ':') {
+ /* address range */
+ apr_table_add(sconf->cc_exclude_ip, addr, "r");
+ } else {
+ /* single ip */
+ apr_table_add(sconf->cc_exclude_ip, addr, "s");
+ }
+ return NULL;
+}
+
+const char *qos_client_cmd(cmd_parms *cmd, void *dcfg, const char *arg1) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->qos_cc_size = atoi(arg1);
+#ifdef QS_INTERNAL_TEST
+ sconf->qos_cc_size = sconf->qos_cc_size / 100 * 100 ;
+#else
+ sconf->qos_cc_size = sconf->qos_cc_size / 640 * 640 ;
+#endif
+ if(sconf->qos_cc_size < 50000) {
+ m_qos_cc_partition = 2;
+ }
+ if(sconf->qos_cc_size >= 100000) {
+ m_qos_cc_partition = 8;
+ }
+ if(sconf->qos_cc_size >= 500000) {
+ m_qos_cc_partition = 16;
+ }
+ if(sconf->qos_cc_size >= 1000000) {
+ m_qos_cc_partition = 32;
+ }
+ if(sconf->qos_cc_size >= 4000000) {
+ m_qos_cc_partition = 64;
+ }
+ if(sconf->qos_cc_size <= 0 || sconf->qos_cc_size > 10000000) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value gearter than 640"
+ " and less than 10000000",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+#ifdef AP_TAKE_ARGV
+const char *qos_client_pref_cmd(cmd_parms *cmd, void *dcfg, int argc, char *const argv[])
+#else
+const char *qos_client_pref_cmd(cmd_parms *cmd, void *dcfg)
+#endif
+ {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->has_qos_cc = 1;
+ sconf->qos_cc_prefer = 80;
+#ifdef AP_TAKE_ARGV
+ if(argc) {
+ char *copy = apr_pstrdup(cmd->pool, argv[0]);
+ char *p = strchr(copy, '%');
+ if(p) {
+ p[0] = '\0';
+ }
+ sconf->qos_cc_prefer = atoi(copy);
+ }
+#endif
+ if((sconf->qos_cc_prefer < 1) || (sconf->qos_cc_prefer > 99)) {
+ return apr_psprintf(cmd->pool, "%s: percentage must be a numeric value"
+ " between 1 and 99",
+ cmd->directive->directive);
+ }
+#ifdef AP_TAKE_ARGV
+ if(argc > 1) {
+ return apr_psprintf(cmd->pool, "%s: command takes not more than one argument",
+ cmd->directive->directive);
+ }
+#endif
+ return NULL;
+}
+
+const char *qos_client_block_cmd(cmd_parms *cmd, void *dcfg, const char *arg1,
+ const char *arg2) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->has_qos_cc = 1;
+ sconf->qos_cc_block = atoi(arg1);
+ if((sconf->qos_cc_block < 0) || sconf->qos_cc_block >= (USHRT_MAX-1) || ((sconf->qos_cc_block == 0) && (strcmp(arg1, "0") != 0))) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0 and <%d.",
+ cmd->directive->directive, USHRT_MAX-1);
+ }
+ if(arg2) {
+ sconf->qos_cc_blockTime = atoi(arg2);
+ }
+ if(sconf->qos_cc_blockTime == 0) {
+ return apr_psprintf(cmd->pool, "%s: time must be numeric value >0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_client_limit_int_cmd(cmd_parms *cmd, void *dcfg, const char *arg_number,
+ const char *arg_sec, const char *arg_varname,
+ const char *arg_condition) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ char *limit_name = QS_LIMIT_DEFAULT;
+ int limit;
+ time_t limitTime = 600;
+ qos_s_entry_limit_conf_t *entry = apr_pcalloc(cmd->pool, sizeof(qos_s_entry_limit_conf_t));
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->has_qos_cc = 1;
+ limit = atoi(arg_number);
+ if((limit < 0) || limit >= (USHRT_MAX-1) || ((limit == 0) && (strcmp(arg_number, "0") != 0))) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0 and <%d.",
+ cmd->directive->directive, USHRT_MAX-1);
+ }
+ if(arg_sec) {
+ limitTime = atoi(arg_sec);
+ }
+ if(limitTime == 0) {
+ return apr_psprintf(cmd->pool, "%s: time must be numeric value >0",
+ cmd->directive->directive);
+ }
+ if(arg_varname) {
+ limit_name = apr_pstrdup(cmd->pool, arg_varname);
+ }
+ entry->limit = limit;
+ entry->limitTime = limitTime;
+ entry->condStr = NULL;
+ entry->preg = NULL;
+ if(arg_condition) {
+ entry->condStr = apr_pstrdup(cmd->pool, arg_condition);
+ entry->preg = ap_pregcomp(cmd->pool, entry->condStr, AP_REG_EXTENDED);
+ if(entry->preg == NULL) {
+ return apr_psprintf(cmd->pool, "%s: failed to compile regex (%s)",
+ cmd->directive->directive, entry->condStr);
+ }
+ }
+ if(apr_table_get(sconf->qos_cc_limitTable, limit_name) != NULL) {
+ return apr_psprintf(cmd->pool, "%s: variable %s has already been used by"
+ " another QS_[Cond]ClientEventLimitCount directive",
+ cmd->directive->directive, limit_name);
+ }
+ apr_table_setn(sconf->qos_cc_limitTable, limit_name, (char *)entry);
+ return NULL;
+}
+
+/* QS_ClientEventLimitCount <number> <seconds> <variable> */
+const char *qos_client_limit_cmd(cmd_parms *cmd, void *dcfg, const char *arg_number,
+ const char *arg_sec, const char *arg_varname) {
+ return qos_client_limit_int_cmd(cmd, dcfg, arg_number, arg_sec, arg_varname, NULL);
+}
+
+#ifdef AP_TAKE_ARGV
+/* QS_CondClientEventLimitCount <number> <seconds> <variable> <pattern> */
+const char *qos_cond_client_limit_cmd(cmd_parms *cmd, void *dcfg, int argc, char *const argv[]) {
+ if(argc != 4) {
+ return apr_psprintf(cmd->pool, "%s: takes 4 arguments",
+ cmd->directive->directive);
+ }
+ return qos_client_limit_int_cmd(cmd, dcfg, argv[0], argv[1], argv[2], argv[3]);
+}
+#endif
+
+const char *qos_client_forwardedfor_cmd(cmd_parms *cmd, void *dcfg, const char *header) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->qos_cc_forwardedfor = apr_pstrdup(cmd->pool, header);
+ return NULL;
+}
+
+const char *qos_client_serial_cmd(cmd_parms *cmd, void *dcfg) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->has_qos_cc = 1;
+ sconf->qos_cc_serialize = 1;
+ return NULL;
+}
+
+const char *qos_req_rate_tm_cmd(cmd_parms *cmd, void *dcfg, const char *arg1) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->qs_req_rate_tm= atoi(arg1);
+ if(sconf->qs_req_rate_tm < 2) {
+ return apr_psprintf(cmd->pool, "%s: must be numeric value between >1",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_client_tolerance_cmd(cmd_parms *cmd, void *dcfg, const char *arg1) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ char *value = apr_pstrdup(cmd->pool, arg1);
+ char *p = strchr(value, '%');
+ if(p) {
+ p[0] = '\0';
+ }
+ if (err != NULL) {
+ return err;
+ }
+ sconf->cc_tolerance = atoi(value);
+ if(sconf->cc_tolerance < 5 || sconf->cc_tolerance > 80) {
+ return apr_psprintf(cmd->pool, "%s: must be numeric value between 5 and 80",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+#ifdef AP_TAKE_ARGV
+const char *qos_client_contenttype(cmd_parms *cmd, void *dcfg, int argc, char *const argv[]) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ if(argc != 5) {
+ return apr_psprintf(cmd->pool, "%s: requires five arguments",
+ cmd->directive->directive);
+ }
+ sconf->static_on = 1;
+ sconf->static_html = atol(argv[0]);
+ sconf->static_cssjs = atol(argv[1]);
+ sconf->static_img = atol(argv[2]);
+ sconf->static_other = atol(argv[3]);
+ sconf->static_notmodified = atol(argv[4]);
+ if(sconf->static_html == 0 ||
+ sconf->static_cssjs == 0 ||
+ sconf->static_img == 0 ||
+ sconf->static_other == 0 ||
+ sconf->static_notmodified == 0) {
+ return apr_psprintf(cmd->pool, "%s: requires numeric values greater than 0",
+ cmd->directive->directive);
+ } else {
+ unsigned long long s_all = sconf->static_html + sconf->static_img + sconf->static_cssjs +
+ sconf->static_other + sconf->static_notmodified;
+ unsigned long long s_2html = 100 * sconf->static_html / s_all;
+ unsigned long long s_2cssjs = 100 * sconf->static_cssjs / s_all;
+ unsigned long long s_2img = 100 * sconf->static_img / s_all;
+ unsigned long long s_2other = 100 * sconf->static_other / s_all;
+ unsigned long long s_2notmodified = 100 * sconf->static_notmodified / s_all;
+ sconf->static_html = s_2html;
+ sconf->static_cssjs = s_2cssjs;
+ sconf->static_img = s_2img;
+ sconf->static_other = s_2other;
+ sconf->static_notmodified = s_2notmodified;
+ }
+ return NULL;
+}
+#endif
+
+const char *qos_client_event_cmd(cmd_parms *cmd, void *dcfg, const char *arg1) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->has_qos_cc = 1;
+ sconf->qos_cc_event = atoi(arg1);
+ if((sconf->qos_cc_event < 0) || ((sconf->qos_cc_event == 0) && (strcmp(arg1, "0") != 0))) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_client_event_req_cmd(cmd_parms *cmd, void *dcfg, const char *arg1) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ sconf->has_qos_cc = 1;
+ sconf->qos_cc_event_req = atoi(arg1);
+ if((sconf->qos_cc_event_req < 0) || ((sconf->qos_cc_event_req == 0) && (strcmp(arg1, "0") != 0))) {
+ return apr_psprintf(cmd->pool, "%s: number must be numeric value >=0",
+ cmd->directive->directive);
+ }
+ return NULL;
+}
+
+const char *qos_disable_handler_cmd(cmd_parms *cmd, void *dcfg, int flag) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ sconf->disable_handler = flag;
+ return NULL;
+}
+
+#ifdef QS_INTERNAL_TEST
+const char *qos_disable_int_ip_cmd(cmd_parms *cmd, void *dcfg, const char *arg) {
+ qos_srv_config *sconf = (qos_srv_config*)ap_get_module_config(cmd->server->module_config,
+ &qos_module);
+ if(strcasecmp(arg, "off") == 0 ) {
+ sconf->enable_testip = 0;
+ } else if(strcasecmp(arg, "on") == 0 ) {
+ sconf->enable_testip = 1;
+ } else {
+ sconf->enable_testip = 1;
+ m_qs_sim_ip_len = atoi(arg);
+ if(m_qs_sim_ip_len == 0) {
+ return apr_psprintf(cmd->pool, "%s: must be on/off or the number of IPs",
+ cmd->directive->directive);
+ }
+ }
+ return NULL;
+}
+#endif
+
+static const command_rec qos_config_cmds[] = {
+ /* request limitation per location */
+ AP_INIT_TAKE1("QS_LocRequestLimitDefault", qos_loc_con_def_cmd, NULL,
+ RSRC_CONF,
+ "QS_LocRequestLimitDefault <number>, defines the default for the"
+ " QS_LocRequestLimit and QS_LocRequestLimitMatch directive."),
+
+ AP_INIT_TAKE2("QS_LocRequestLimit", qos_loc_con_cmd, NULL,
+ RSRC_CONF,
+ "QS_LocRequestLimit <location> <number>, defines the maximum number of"
+ " concurrent requests allowed to access the specified location. Default is defined by the"
+ " QS_LocRequestLimitDefault directive."),
+
+ AP_INIT_TAKE2("QS_LocRequestPerSecLimit", qos_loc_rs_cmd, NULL,
+ RSRC_CONF,
+ "QS_LocRequestPerSecLimit <location> <number>, defines the allowed"
+ " number of requests per second to a location. Requests are limited"
+ " by adding a delay to each requests. This directive should be used"
+ " in conjunction with QS_LocRequestLimit only."),
+
+ AP_INIT_TAKE2("QS_LocKBytesPerSecLimit", qos_loc_bs_cmd, NULL,
+ RSRC_CONF,
+ "QS_LocKBytesPerSecLimit <location> <kbytes>, defines the allowed"
+ " download bandwidth to the defined kbytes per second. Responses are"
+ "slowed by adding a delay to each response (non-linear, bigger files"
+ " get longer delay than smaller ones). This directive should be used"
+ " in conjunction with QS_LocRequestLimit only."),
+
+ AP_INIT_TAKE2("QS_LocRequestLimitMatch", qos_match_con_cmd, NULL,
+ RSRC_CONF,
+ "QS_LocRequestLimitMatch <regex> <number>, defines the number of"
+ " concurrent requests to the uri (path and query) pattern."
+ " Default is defined by the QS_LocRequestLimitDefault directive."),
+
+ AP_INIT_TAKE2("QS_LocRequestPerSecLimitMatch", qos_match_rs_cmd, NULL,
+ RSRC_CONF,
+ "QS_LocRequestPerSecLimitMatch <regex> <number>, defines the allowed"
+ " number of requests per second to the uri (path and query) pattern."
+ " Requests are limited by adding a delay to each requests."
+ " This directive should be used in conjunction with"
+ " QS_LocRequestLimitMatch only."),
+
+ AP_INIT_TAKE2("QS_LocKBytesPerSecLimitMatch", qos_match_bs_cmd, NULL,
+ RSRC_CONF,
+ "QS_LocKBytesPerSecLimitMatch <regex> <kbytes>, defines the allowed"
+ " download bandwidth to the location matching the defined URL (path"
+ " and query) pattern. Responses are slowed down"
+ " by adding a delay to each response (non-linear, bigger files"
+ " get longer delay than smaller ones). This directive should be used"
+ " in conjunction with QS_LocRequestLimitMatch only."),
+
+ /* conditional per location */
+ AP_INIT_TAKE3("QS_CondLocRequestLimitMatch", qos_cond_match_con_cmd, NULL,
+ RSRC_CONF,
+ "QS_CondLocRequestLimitMatch <regex> <number> <pattern>, defines the number of"
+ " concurrent requests to the uri (path and query) regex."
+ " Rule is only enforced if the "QS_COND" variable matches the specified"
+ " pattern (regex)."),
+
+ /* event based rules */
+ AP_INIT_TAKE2("QS_EventRequestLimit", qos_event_req_cmd, NULL,
+ RSRC_CONF,
+ "QS_EventRequestLimit <variable>[=<regex>] <number>, defines the"
+ " number of concurrent events. Directive works similar to"
+ " QS_LocRequestLimit, but counts the requests having the same"
+ " environment variable (and optionally matching its value, too)"
+ " rather than those that have the same URL pattern."),
+
+ AP_INIT_TAKE2("QS_EventPerSecLimit", qos_event_rs_cmd, NULL,
+ RSRC_CONF,
+ "QS_EventPerSecLimit [!]<variable> <number>, defines how"
+ " often requests may have the defined environment variable"
+ " (literal string) set. It measures the occurrences of the defined"
+ " environment variable on a request per seconds level and tries to"
+ " limit this occurrence to the defined number. It works similar to"
+ " as QS_LocRequestPerSecLimit, but counts only the requests with the"
+ " specified variable (or without it if the variable name is"
+ " prefixed by a '!'). If a request matches multiple events, the"
+ " rule with the lowest bandwidth is applied. Events are limited"
+ " by adding a delay to each request causing an event."),
+ AP_INIT_TAKE2("QS_EventKBytesPerSecLimit", qos_event_bps_cmd, NULL,
+ RSRC_CONF,
+ "QS_EventKBytesPerSecLimit [!]<variable> <kbytes>, throttles the"
+ " download bandwidth of all requests having the defined"
+ " variable set to the defined kbytes per second. Responses are slowed"
+ " by adding a delay to each response (non-linear, bigger files get"
+ " longer delay than smaller ones). By default, no limitation is active."
+ " This directive should be used in conjunction with QS_EventRequestLimit"
+ " only (you must use the same variable name for both directives)."),
+ AP_INIT_TAKE3("QS_EventLimitCount", qos_event_limit_cmd, NULL,
+ RSRC_CONF,
+ "QS_EventLimitCount <env-variable> <number> <seconds>,"
+ " defines the maximum number of events allowed within the defined"
+ " time. Requests are denied when reaching this limitation for the"
+ " specified time (blocked at request level)."),
+#ifdef AP_TAKE_ARGV
+ AP_INIT_TAKE_ARGV("QS_CondEventLimitCount", qos_cond_event_limit_cmd, NULL,
+ RSRC_CONF,
+ "QS_CondEventLimitCount <env-variable> <number> <seconds> <pattern>,"
+ " same as QS_EventLimitCount but blocks requests only if the "QS_COND
+ " variable matches the specified pattern (regex)."),
+#endif
+
+ /* server / connection limitation */
+ AP_INIT_TAKE1("QS_SrvMaxConn", qos_max_conn_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvMaxConn <number>, defines the maximum number of concurrent"
+ " TCP connections for this server (virtual host)."),
+
+ AP_INIT_TAKE1("QS_SrvMaxConnClose", qos_max_conn_close_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvMaxConnClose <number>[%], defines the maximum number of"
+ " concurrent TCP connections until the server disables"
+ " keep-alive for this server (closes the connection after"
+ " each requests. You may specify the number of connections"
+ " as a percentage of MaxClients if adding the suffix '%'"
+ " to the specified value."),
+
+ AP_INIT_TAKE12("QS_SrvMaxConnPerIP", qos_max_conn_ip_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvMaxConnPerIP <number> [<connections>], defines the maximum number"
+ " of connections per source IP address for this server (virtual host)."
+ " 'connections' defines the number of busy connections of the server"
+ " (all virtual hosts) to enable this limitation, default is 0."),
+
+ AP_INIT_TAKE1("QS_SrvMaxConnExcludeIP", qos_max_conn_ex_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvMaxConnExcludeIP <addr>, excludes an IP address or"
+ " address range from being limited."),
+
+ AP_INIT_FLAG("QS_SrvMaxConnPerIPIgnoreVIP", qos_max_conn_ip_vip_off_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvMinDataRateIgnoreVIP tells the QS_SrvMaxConnPerIP"
+ " directive to ignore (if set to \"on\") the VIP status"
+ " of clients. Default is \"off\", which means that"
+ " QS_SrvMaxConnPerIP is disabled for VIPs."),
+
+ AP_INIT_TAKE12("QS_SrvSerialize", qos_serialize_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvSerialize 'on'|'off' [<seconds>], ensures that not more than one request"
+ " having the "QS_SRVSERIALIZE" variable set is processed"
+ " at the same time by serializing them (process one after"
+ " each other)."),
+
+#if APR_HAS_THREADS
+ AP_INIT_NO_ARGS("QS_SrvDataRateOff", qos_req_rate_off_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvDataRateOff,"
+ " disables the QS_SrvRequestRate and QS_SrvMinDataRate enforcement for"
+ " a virtual host (only port/address based but not for name based"
+ " virtual hosts)."),
+
+ AP_INIT_TAKE12("QS_SrvRequestRate", qos_req_rate_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvRequestRate <bytes per seconds> [<max bytes per second>],"
+ " defines the minimum upload"
+ " throughput a client must generate. See also QS_SrvMinDataRate."),
+
+#ifdef AP_TAKE_ARGV
+ AP_INIT_TAKE_ARGV("QS_SrvMinDataRate", qos_min_rate_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvMinDataRate <bytes per seconds> [<max bytes per second> [<connections>]],"
+ " defines the minimum upload/download"
+ " throughput a client must generate (the bytes send/received by the client"
+ " per seconds). This bandwidth is measured while transmitting the data"
+ " (request line, header fields, request body, or response data). The"
+ " client connection get closed if the client does not fulfill the"
+ " required data rate and the IP address of the causing client get marked"
+ " in order to be handled with low priority (see the QS_ClientPrefer"
+ " directive)."
+ " The \"max bytes per second\" activates dynamic"
+ " minimum throughput control: The required minimal throughput"
+ " is increased in parallel to the number of concurrent clients"
+ " sending/receiving data. The \"max bytes per second\""
+ " setting is reached when the number of sending/receiving"
+ " clients is equal to the MaxClients setting."
+ " The \"connections\" argument is used to specify the"
+ " number of busy TCP connections a server must have to"
+ " enable this feature (0 by default)."
+ " No limitation is set by default."),
+#else
+ AP_INIT_TAKE12("QS_SrvMinDataRate", qos_min_rate_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvMinDataRate <bytes per seconds> [<max bytes per second>],"
+ " defines the minimum upload/download throughput"
+ " a client must generate (the bytes send/received by the client"
+ " per seconds). This bandwidth is measured while transmitting the data"
+ " (request line, header fields, request body, or response data). The"
+ " client connection get closed if the client does not fulfill the"
+ " required data rate and the IP address of the causing client get marked"
+ " in order to be handled with low priority (see the QS_ClientPrefer"
+ " directive)."
+ " The \"max bytes per second\" activates dynamic"
+ " minimum throughput control: The required minimal throughput"
+ " is increased in parallel to the number of concurrent clients"
+ " sending/receiving data. The \"max bytes per second\""
+ " setting is reached when the number of sending/receiving"
+ " clients is equal to the MaxClients setting."
+ " No limitation is set by default."),
+#endif // ARGV
+ AP_INIT_TAKE1("QS_SrvMinDataRateOffEvent", qos_min_rate_off_cmd, NULL,
+ RSRC_CONF|ACCESS_CONF,
+ "QS_SrvMinDataRateOffEvent '+'|'-'<env-variable>,"
+ " disables the minimal data rate enfocement (QS_SrvMinDataRate)"
+ " for a certain connection if the defined environment variable"
+ " has been set. The '+' prefix is used to add a variable"
+ " to the configuration while the '-' prefix is used"
+ " to remove a variable."),
+
+ AP_INIT_FLAG("QS_SrvMinDataRateIgnoreVIP", qos_min_rate_vip_off_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvMinDataRateIgnoreVIP tells the QS_SrvMinDataRate"
+ " directive to ignore (if set to \"on\") the VIP status"
+ " of clients. Default is \"off\", which means that"
+ " QS_SrvMinDataRate is disabled for VIPs."),
+
+#endif // has threads
+
+ AP_INIT_TAKE1("QS_SrvSampleRate", qos_req_rate_tm_cmd, NULL,
+ RSRC_CONF,
+ "QS_SrvSampleRate <seconds>, defines the sampling rate used"
+ " by the QS_SrvMinDataRate directive to measure the"
+ " throughput of a connection."),
+
+ /* generic request filter */
+ AP_INIT_TAKE3("QS_DenyRequestLine", qos_deny_rql_cmd, NULL,
+ ACCESS_CONF,
+ "QS_DenyRequestLine '+'|'-'<id> 'log'|'deny' <regular expression>, generic"
+ " request line (method, path, query and protocol) filter used"
+ " to deny access for requests matching the defined regular expression."
+ " '+' adds a new rule while '-' removes a rule for a location."
+ " The action is either 'log' (access is granted but rule"
+ " match is logged) or 'deny' (access is denied)."),
+
+ AP_INIT_TAKE3("QS_DenyPath", qos_deny_path_cmd, NULL,
+ ACCESS_CONF,
+ "QS_DenyPath, same as QS_DenyRequestLine but applied to the"
+ " path only."),
+
+ AP_INIT_TAKE3("QS_DenyQuery", qos_deny_query_cmd, NULL,
+ ACCESS_CONF,
+ "QS_DenyQuery, same as QS_DenyRequestLine but applied to the"
+ " query only."),
+
+ AP_INIT_TAKE3("QS_DenyEvent", qos_deny_event_cmd, NULL,
+ ACCESS_CONF,
+ "QS_DenyEvent '+'|'-'<id> 'log'|'deny' [!]<variable>, matches"
+ " requests having the defined process"
+ " environment variable set (or NOT set if prefixed by a '!')."
+ " The action taken for matching rules"
+ " is either 'log' (access is granted but the rule match is"
+ " logged) or 'deny' (access is denied)."),
+
+ AP_INIT_TAKE3("QS_PermitUri", qos_permit_uri_cmd, NULL,
+ ACCESS_CONF,
+ "QS_PermitUri, '+'|'-'<id> 'log'|'deny' <regular expression>, generic"
+ " request filter applied to the request uri (path and query)."
+ " Only requests matching at least one QS_PermitUri pattern are"
+ " allowed. If a QS_PermitUri pattern has been defined an the"
+ " request does not match any rule, the request is denied albeit of"
+ " any server resource availability (allow list). All rules"
+ " must define the same action. Regular expression is case sensitive."),
+
+ AP_INIT_FLAG("QS_DenyBody", qos_denybody_cmd, NULL,
+ ACCESS_CONF,
+ "QS_DenyBody 'on'|'off', enabled body data filter (obsolete)."),
+
+ AP_INIT_FLAG("QS_DenyQueryBody", qos_denybody_d_cmd, NULL,
+ ACCESS_CONF,
+ "QS_DenyQueryBody 'on'|'off', enabled body data filter for QS_DenyQuery."),
+
+ AP_INIT_FLAG("QS_PermitUriBody", qos_denybody_p_cmd, NULL,
+ ACCESS_CONF,
+ "QS_PermitUriBody 'on'|'off', enabled body data filter for QS_PermitUriBody."),
+
+ AP_INIT_TAKE1("QS_InvalidUrlEncoding", qos_deny_urlenc_cmd, NULL,
+ ACCESS_CONF,
+ "QS_InvalidUrlEncoding 'log'|'deny'|'off',"
+ " enforces correct URL decoding in conjunction with the"
+ " QS_DenyRequestLine, QS_DenyPath, and QS_DenyQuery"
+ " directives. Default is \"off\"."),
+
+ AP_INIT_TAKE1("QS_LimitRequestBody", qos_maxpost_cmd, NULL,
+ ACCESS_CONF|RSRC_CONF,
+ "QS_LimitRequestBody <bytes>, limits the allowed size"
+ " of an HTTP request message body."),
+
+ AP_INIT_ITERATE("QS_Decoding", qos_dec_cmd, NULL,
+ ACCESS_CONF,
+ "QS_DenyDecoding 'uni', enabled additional string decoding"
+ " functions which are applied before"
+ " matching QS_Deny* and QS_Permit* directives."
+ " Default is URL decoding (%xx, \\xHH, '+')."),
+
+ AP_INIT_NO_ARGS("QS_DenyInheritanceOff", qos_denyinheritoff_cmd, NULL,
+ ACCESS_CONF,
+ "QS_DenyInheritanceOff, disable inheritance of QS_Deny* and QS_Permit*"
+ " directives to a location."),
+
+ AP_INIT_TAKE1("QS_RequestHeaderFilter", qos_headerfilter_cmd, NULL,
+ RSRC_CONF|ACCESS_CONF,
+ "QS_RequestHeaderFilter 'on'|'off'|'size', filters request headers by allowing"
+ " only these headers which match the request header rules defined by"
+ " mod_qos. Request headers which do not conform these definitions"
+ " are either dropped or the whole request is denied. Custom"
+ " request headers may be added by the QS_RequestHeaderFilterRule"
+ " directive. Using the 'size' option, the header field max. size"
+ " is verified only (similar to LimitRequestFieldsize but using"
+ " individual values for each header type) while the pattern is ignored."),
+
+ AP_INIT_TAKE1("QS_ResponseHeaderFilter", qos_resheaderfilter_cmd, NULL,
+ ACCESS_CONF,
+ "QS_ResponseHeaderFilter 'on'|'off', filters response headers by allowing"
+ " only these headers which match the response header rules defined by"
+ " mod_qos. Response headers which do not conform these definitions"
+ " are dropped."),
+
+#ifdef AP_TAKE_ARGV
+ AP_INIT_TAKE_ARGV("QS_RequestHeaderFilterRule", qos_headerfilter_rule_cmd, NULL,
+ RSRC_CONF,
+ "QS_RequestHeaderFilterRule <header name> 'drop'|'deny' <regular expression> <size>, used"
+ " to add custom request header filter rules which override the internal"
+ " filter rules of mod_qos."
+ " Directive is allowed in global server context only."),
+#else
+ AP_INIT_TAKE3("QS_RequestHeaderFilterRule", qos_headerfilter_rule_cmd, NULL,
+ RSRC_CONF,
+ "QS_RequestHeaderFilterRule <header name> 'drop'|'deny' <regular expression>, used"
+ " to add custom request header filter rules which override the internal"
+ " filter rules of mod_qos."
+ " Directive is allowed in global server context only."),
+#endif
+
+ AP_INIT_TAKE3("QS_ResponseHeaderFilterRule", qos_resheaderfilter_rule_cmd, NULL,
+ RSRC_CONF,
+ "QS_ResponseHeaderFilterRule <header name> <regular expression> <size>, used"
+ " to add custom response header filter rules which override the internal"
+ " filter rules of mod_qos."
+ " Directive is allowed in global server context only."),
+
+ /* milestones */
+ AP_INIT_TAKE23("QS_MileStone", qos_milestone_cmd, NULL,
+ RSRC_CONF,
+ "QS_MileStone 'log'|'deny' <pattern> [<thinktime>], defines request line patterns"
+ " a client must access in the defined order as they are defined in the"
+ " configuration file."),
+
+ AP_INIT_TAKE1("QS_MileStoneTimeout", qos_milestone_tmo_cmd, NULL,
+ RSRC_CONF,
+ "QS_MileStoneTimeout <seconds>, defines the time in seconds"
+ " within a client must reach the next milestone."
+ " Default are 3600 seconds."),
+
+ /* session / vip */
+ AP_INIT_TAKE1("QS_SessionCookieName", qos_cookie_name_cmd, NULL,
+ RSRC_CONF,
+ "QS_SessionCookieName <name>, defines a custom session cookie name,"
+ " default is "QOS_COOKIE_NAME"."),
+
+ AP_INIT_TAKE1("QS_SessionCookiePath", qos_cookie_path_cmd, NULL,
+ RSRC_CONF,
+ "QS_SessionCookiePath <path>, defines the cookie path, default is \"/\"."),
+
+ AP_INIT_TAKE1("QS_SessionTimeout", qos_timeout_cmd, NULL,
+ RSRC_CONF,
+ "QS_SessionTimeout <seconds>, defines the session life time for a VIP."
+ " It is only used for session based (cookie) VIP identification (not"
+ " for IP based). Default is "QOS_MAX_AGE" seconds."),
+
+ AP_INIT_TAKE1("QS_SessionKey", qos_key_cmd, NULL,
+ RSRC_CONF,
+ "QS_SessionKey <string>, secret key used for cookie encryption."
+ " Used when using the same session cookie for multiple web servers"
+ " (load balancing) or sessions should survive a server restart."
+ " By default, a random key is used which changes every server restart."),
+
+ AP_INIT_TAKE12("QS_VipHeaderName", qos_header_name_cmd, NULL,
+ RSRC_CONF,
+ "QS_VipHeaderName <name>[=<regex>] [drop], defines an HTTP"
+ " response header which marks a user as a VIP. mod_qos"
+ " creates a session for this user by setting a cookie,"
+ " e.g., after successful user authentication. Tests"
+ " optionally its value against the provided regular"
+ " expression. Specify the action 'drop' if you want mod_qos"
+ " to remove this control header from the HTTP response."),
+
+ AP_INIT_TAKE12("QS_VipIPHeaderName", qos_ip_header_name_cmd, NULL,
+ RSRC_CONF,
+ "QS_VipIPHeaderName <name>[=<regex>] [drop], defines an HTTP"
+ " response header which marks a client source IP address as"
+ " a VIP. Tests optionally its value against the provided"
+ " regular expression."
+ " Specify the action 'drop' if you want mod_qos to remove"
+ " this control header from the HTTP response."),
+
+ AP_INIT_NO_ARGS("QS_VipUser", qos_vip_u_cmd, NULL,
+ RSRC_CONF,
+ "QS_VipUser, creates a VIP session for users which have been"
+ " authenticated by the Apache server, e.g., by the standard"
+ " mod_auth* modules. It works similar to the"
+ " QS_VipHeaderName directive."),
+
+ AP_INIT_NO_ARGS("QS_VipIpUser", qos_vip_ip_u_cmd, NULL,
+ RSRC_CONF,
+ "QS_VipIpUser, marks a source IP address as a VIP if the"
+ " user has been authenticated by the Apache server, e.g."
+ " by the standard mod_auth* modules. It works similar to"
+ " the QS_VipIPHeaderName directive."),
+
+ /* user tracking */
+#ifdef AP_TAKE_ARGV
+ AP_INIT_TAKE_ARGV("QS_UserTrackingCookieName", qos_user_tracking_cookie_cmd, NULL,
+ RSRC_CONF,
+ "QS_UserTrackingCookieName <name> [<path>] [<domain>] ['session'] ['jsredirect'],"
+ " enables the user tracking cookie by defining a cookie"
+ " name. The \"path\" parameter is an option cookie"
+ " check page which is used to ensure the client accepts"
+ " cookies. The \"domain\" option defines the Domain attriibute"
+ " for the Set-Cookie header. The option \"session\" indicates"
+ " that the cookie shall be a session cookie expiring when the"
+ " user closes it's browser."
+ " User tracking requires mod_unique_id."
+ " This feature is disabled by default."
+ " Ignores QS_LogOnly."),
+#else
+ AP_INIT_TAKE123("QS_UserTrackingCookieName", qos_user_tracking_cookie_cmd, NULL,
+ RSRC_CONF,
+ "QS_UserTrackingCookieName <name> [<path>] ['session'],"
+ " enables the user tracking cookie by defining a cookie"
+ " name. The \"path\" parameter is an option cookie"
+ " check page which is used to ensure the client accepts"
+ " cookies. The option \"session\" indicates that the"
+ " cookie shall be a session cookie expiring when the"
+ " user closes it's browser."
+ " User tracking requires mod_unique_id."
+ " This feature is disabled by default."
+ " Ignores QS_LogOnly."),
+#endif
+
+ /* env vars */
+ AP_INIT_TAKE23("QS_SetEnvIf", qos_event_setenvif_cmd, NULL,
+ RSRC_CONF|ACCESS_CONF,
+ "QS_SetEnvIf [!]<variable1>[=<regex>] [[!]<variable2>] [!]<variable=value>,"
+ " sets (or unsets) the 'variable=value' (literal string) if"
+ " variable1 (literal string) AND variable2 (literal string)"
+ " are set in the request environment variable list (not case"
+ " sensitive). This is used to combine multiple variables"
+ " to a new event type. Alternatively, a regular expression"
+ " can be specified for variable1's value and variable2 must be"
+ " omitted in order to simply set a new variable if"
+ " the regular expression matches."),
+
+ AP_INIT_TAKE_ARGV("QS_SetEnvIfCmp", qos_cmp_cmd, NULL,
+ ACCESS_CONF,
+ "QS_SetEnvIfCmpP <env-variable1> eq|ne|gt|lt <env-variable2> [!]<env-variable>[=<value>],"
+ " sets the specified environment variable if the specified env-variables"
+ " are alphabetically or numerical equal (eq), not equal (ne),"
+ " greater (gt), less (lt)."),
+
+ AP_INIT_TAKE2("QS_SetEnvIfQuery", qos_event_setenvifquery_cmd, NULL,
+ RSRC_CONF|ACCESS_CONF,
+ "QS_SetEnvIfQuery <regex> [!]<variable>[=value],"
+ " directive works quite similar to the SetEnvIf directive"
+ " of the Apache module mod_setenvif, but the specified regex"
+ " is applied against the query string portion of the request"
+ " line. The directive recognizes the occurrences of $1..$9"
+ " within value and replaces them by the sub-expressions of"
+ " the defined regex pattern."),
+
+ AP_INIT_TAKE2("QS_SetEnvIfParp", qos_event_setenvifparp_cmd, NULL,
+ RSRC_CONF,
+ "QS_SetEnvIfParp <regex> [!]<variable>[=value],"
+ " directive parsing the request payload using the Apache module"
+ " mod_parp. It matches the request URL query and the HTTP"
+ " request message body data as well ('application/x-www-form-urlencoded',"
+ " 'multipart/form-data', and 'multipart/mixed') and sets the defined"
+ " process variable (quite similar to the QS_SetEnvIfQuery directive)."
+ " The directive recognizes the occurrences of $1..$9 within value"
+ " and replaces them by the sub-expressions of the defined regex"
+ " pattern. This directive activates mod_parp for every request to"
+ " the virtual host. You may deactivate mod_parp for selected requests"
+ " using the SetEnvIf directive: unset the variable 'parp' to do so."
+ " Important: request message body processing requires that the server"
+ " loads the whole request into its memory (at least twice the length"
+ " of the message). You should limit the allowed size of the HTTP"
+ " request message body using the QS_LimitRequestBody directive"
+ " when using QS_SetEnvIfParp!"),
+
+ AP_INIT_TAKE2("QS_SetEnvIfBody", qos_event_setenvifparpbody_cmd, NULL,
+ RSRC_CONF,
+ "QS_SetEnvIfBody <regex> [!]<variable>[=value],"
+ " parses the request body using the Apache module mod_parp."
+ " Specify the content types to process using the mod_parp"
+ " directive PARP_BodyData and ensure that mod_parp is enabled"
+ " using the SetEnvIf directive of the Apache module mod_setenvif."
+ " You should limit the allowed size of HTTP requests message body"
+ " using the QS_LimitRequestBody directive when using mod_parp."
+ " The directive recognizes the occurrence of $1 within the variable"
+ " value and replaces it by the sub-expressions of the defined regex"
+ " pattern."),
+
+ AP_INIT_TAKE2("QS_SetEnvStatus", qos_event_setenvifstatus_cmd, NULL,
+ RSRC_CONF|ACCESS_CONF,
+ "QS_SetEnvStatus (deprecated, use QS_SetEnvIfStatus)"),
+
+ AP_INIT_TAKE2("QS_SetEnvIfStatus", qos_event_setenvifstatus_cmd, NULL,
+ RSRC_CONF|ACCESS_CONF,
+ "QS_SetEnvIfStatus <status code> <variable>, adds the defined"
+ " request environment variable if the HTTP status code matches the"
+ " defined value. The value '"QS_CLOSE"' may be used as a special"
+ " status code to set a "QS_BLOCK" event in order to handle"
+ " connection close events caused by "QS_CLOSE" rules while"
+ " the status '"QS_EMPTY_CON"' may be used to mark connections"
+ " which are closed before any HTTP request has ever been received."
+ " The '"QS_MAXIP"' value may be used to count "QS_BLOCK" events for"
+ " connections closed by the "QS_MAXIP" directive."
+ " The '"QS_BROKEN_CON"' value may be used to mark clients not"
+ " reading the full HTTP response."),
+
+ AP_INIT_TAKE2("QS_SetEnvResBody", qos_event_setenvifresbody_cmd, NULL,
+ ACCESS_CONF,
+ "QS_SetEnvResBody (deprecated, use QS_SetEnvIfResBody)"),
+
+ AP_INIT_TAKE2("QS_SetEnvIfResBody", qos_event_setenvifresbody_cmd, NULL,
+ ACCESS_CONF,
+ "QS_SetEnvIfResBody <string> [!]<variable>, adds the defined"
+ " request environment variable (e.g. "QS_BLOCK") if the HTTP"
+ " response body contains the defined literal string."
+ " Supports only one pattern per location."),
+
+ AP_INIT_TAKE2("QS_SetEnv", qos_setenv_cmd, NULL,
+ RSRC_CONF,
+ "QS_SetEnv <variable> <value>, sets the defined variable"
+ " with the value where the value string may contain"
+ " other environment variables surrounded by \"${\" and \"}\"."
+ " The variable is only set if all defined variables within"
+ " the value can be resolved."),
+
+ AP_INIT_TAKE23("QS_SetReqHeader", qos_setreqheader_cmd, NULL,
+ RSRC_CONF,
+ "QS_SetReqHeader [!]<header name> <variable> ['late'], sets the defined"
+ " HTTP request header to the request if the specified"
+ " environment variable is set."),
+
+ AP_INIT_TAKE1("QS_UnsetReqHeader", qos_unsetreqheader_cmd, NULL,
+ RSRC_CONF,
+ "QS_UnsetReqHeader <header name>, Removes the specified header from the request."),
+
+ AP_INIT_TAKE1("QS_UnsetResHeader", qos_unsetresheader_cmd, NULL,
+ RSRC_CONF,
+ "QS_UnsetResHeader <header name>, Removes the specified header from the response."),
+
+ AP_INIT_TAKE12("QS_SetEnvResHeader", qos_event_setenvresheader_cmd, NULL,
+ RSRC_CONF,
+ "QS_SetEnvResHeader <header name> [drop], sets the defined"
+ " HTTP response header (name and value) to the request environment variables"
+ " Deletes the header if the action 'drop' has been specified."),
+
+ AP_INIT_TAKE2("QS_SetEnvResHeaderMatch", qos_event_setenvresheadermatch_cmd, NULL,
+ RSRC_CONF,
+ "QS_SetEnvResHeaderMatch <header name> <regex>, sets the defined"
+ " HTTP response header (name and value) to the request environment variables"
+ " if the specified regular expression matches the header value."),
+
+ AP_INIT_TAKE3("QS_SetEnvRes", qos_setenvres_cmd, NULL,
+ RSRC_CONF,
+ "QS_SetEnvRes <variable> <regex> <variable2>[=<value>], sets the environment"
+ " variable2 if the regular expression matches against the value of"
+ " the environment variable. Occurrences of $1..$9 within the value"
+ " and replace them by parenthesized subexpressions of the regular expression."),
+
+ AP_INIT_TAKE3("QS_RedirectIf", qos_redirectif_cmd, NULL,
+ RSRC_CONF|ACCESS_CONF,
+ "QS_RedirectIf <variable> <regex> [<code>:]<url>,"
+ " redirects the client to the configured url"
+ " if the regular expression matches"
+ " the value of the the environment variable."),
+
+ /* client control */
+ AP_INIT_TAKE1("QS_ClientEntries", qos_client_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientEntries <number>, defines the number of individual"
+ " clients managed by mod_qos. Default is 50000."
+ " Directive is allowed in global server context only."),
+
+#ifdef AP_TAKE_ARGV
+ AP_INIT_TAKE_ARGV("QS_ClientPrefer", qos_client_pref_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientPrefer [<percent>], prefers known VIP clients"
+ " when server has less than 80% (or the configured value)"
+ " of free TCP connections. Preferred clients"
+ " are VIP clients (or those without any negative penalties),"
+ " see QS_VipHeaderName directive."
+ " Directive is allowed in global server context only."),
+#else
+ AP_INIT_NO_ARGS("QS_ClientPrefer", qos_client_pref_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientPrefer, prefers known VIP clients"
+ " when server has less than 80% of free TCP connections."
+ " Preferred clients are VIP clients only,"
+ " see QS_VipHeaderName directive."
+ " Directive is allowed in global server context only."),
+#endif
+
+ AP_INIT_TAKE1("QS_ClientTolerance", qos_client_tolerance_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientTolerance <percent>, defines the allowed tolerance (variation)"
+ " from a \"normal\" client (average) in percent."
+ " Default is "QOS_CC_BEHAVIOR_TOLERANCE_STR"%."
+ " Directive is allowed in global server context only."),
+
+#ifdef AP_TAKE_ARGV
+ AP_INIT_TAKE_ARGV("QS_ClientContentTypes", qos_client_contenttype, NULL,
+ RSRC_CONF,
+ "QS_ClientContentTypes <html> <css/js> <images> <other> <304>,"
+ " defines the distribution of HTTP response content types a client normally"
+ " receives when accessing the server. mod_qos normally learns the average"
+ " behavior automatically by default but you may specify a static configuration"
+ " in order to avoid influences by a high number of abnormal clients."),
+#endif
+
+ AP_INIT_TAKE12("QS_ClientEventBlockCount", qos_client_block_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientEventBlockCount <number> [<seconds>], defines the maximum number"
+ " of "QS_BLOCK" allowed within the defined time (default are 10 minutes)."
+ " Directive is allowed in global server context only."),
+
+ AP_INIT_TAKE1("QS_ClientEventBlockExcludeIP", qos_client_ex_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientEventBlockExcludeIP <addr>, excludes an IP address or"
+ " address range from being limited by QS_ClientEventBlockCount."),
+
+ AP_INIT_TAKE123("QS_ClientEventLimitCount", qos_client_limit_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientEventLimitCount <number> [<seconds> [<variable>]],"
+ " defines the maximum number"
+ " of the specified environment variable ("QS_LIMIT_DEFAULT" by default)"
+ " allowed within the defined time (default are 10 minutes)."
+ " Directive is allowed in global server context only."),
+
+#ifdef AP_TAKE_ARGV
+ AP_INIT_TAKE_ARGV("QS_CondClientEventLimitCount", qos_cond_client_limit_cmd, NULL,
+ RSRC_CONF,
+ "QS_CondClientEventLimitCount <number> <seconds> <variable> <pattern>,"
+ " defines the maximum number"
+ " of the specified environment variable"
+ " allowed within the defined time."
+ " Directive works similar as QS_ClientEventLimitCount but"
+ " requests are only blocked if the "QS_COND" variable matches"
+ " the defined pattern (regex)."
+ " Directive is allowed in global server context only."),
+#endif
+
+ AP_INIT_TAKE1("QS_ClientEventPerSecLimit", qos_client_event_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientEventPerSecLimit <number>, defines the number"
+ " events pro seconds on a per client (source IP) basis."
+ " Events are identified by requests having the"
+ " "QS_EVENT" variable set."
+ " Directive is allowed in global server context only."),
+
+ AP_INIT_TAKE1("QS_ClientEventRequestLimit", qos_client_event_req_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientEventRequestLimit <number>, defines the allowed"
+ " number of concurrent requests coming from the same client"
+ " source IP address"
+ " having the QS_EventRequest variable set."
+ " Directive is allowed in global server context only."),
+
+ AP_INIT_NO_ARGS("QS_ClientSerialize", qos_client_serial_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientSerialize, serializes requests having the "QS_SERIALIZE" variable"
+ " set if they are coming from the same IP address."),
+
+ AP_INIT_TAKE1("QS_ClientIpFromHeader", qos_client_forwardedfor_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientIpFromHeader <header>, defines a HTTP request header to read"
+ " the client's source IP address from (instead of taking the IP address"
+ " of the client opening the TCP connection). This may be used for the"
+ " QS_ClientEventLimitCount directive and QS_Country variable."),
+
+ /* geo ip */
+ AP_INIT_TAKE1("QS_ClientGeoCountryDB", qos_geodb_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientGeoCountryDB <path>, path to the geograpical database file."),
+
+ AP_INIT_TAKE23("QS_ClientGeoCountryPriv", qos_geopriv_cmd, NULL,
+ RSRC_CONF,
+ "QS_ClientGeoCountryPriv <list> <connections> ['excludeUnknown'],"
+ " defines a comma separated list of country codes"
+ " for origin client IP address which are allowed to"
+ " access the server if the number of busy TCP connections reaches"
+ " the defined number of connections while others are denied access."
+ " Clients whose IP can't be mapped to a country code can be excluded"
+ " from the limitation by configuring the 'excludeUnknown' argument."),
+
+ /* error documents */
+ AP_INIT_TAKE1("QS_ErrorPage", qos_error_page_cmd, NULL,
+ RSRC_CONF,
+ "QS_ErrorPage <url>, defines a custom error page."),
+
+ AP_INIT_TAKE1("QS_ErrorResponseCode", qos_error_code_cmd, NULL,
+ RSRC_CONF,
+ "QS_ErrorResponseCode <code>, defines the HTTP response code which"
+ " is used when a request is denied, default is 500."),
+
+ AP_INIT_FLAG("QS_ForcedClose", qos_forced_close_cmd, NULL,
+ RSRC_CONF,
+ "QS_ForcedClose 'on'|'off', defines if mod_qos connection handler shall"
+ " exit with an error code (on) or not. Default is on (except for"
+ " Apache 2.4.49)."),
+
+ /* module settings / various stuff */
+ AP_INIT_FLAG("QS_LogOnly", qos_logonly_cmd, NULL,
+ RSRC_CONF,
+ "QS_LogOnly 'on'|'off', enables the log only mode of the module"
+ " where no limitations are enforced. Default is off."
+ " Directive is allowed in global server context only."),
+
+ AP_INIT_FLAG("QS_LogEnv", qos_logenv_cmd, NULL,
+ RSRC_CONF,
+ "QS_LogEnv 'on'|'off', enables logging of environment"
+ " variables."),
+
+ AP_INIT_FLAG("QS_SupportIPv6", qos_enable_ipv6_cmd, NULL,
+ RSRC_CONF,
+ "QS_SupportIPv6 'on'|'off', enables IPv6 address support."
+ " Default is on."),
+
+ AP_INIT_TAKE1("QS_SemMemFile", qos_mfile_cmd, NULL,
+ RSRC_CONF,
+ "QS_SemMemFile <path>, optional path to a directory or file"
+ " which shall be used for file based semaphores/shared memory"
+ " usage, e.g. /var/tmp."),
+
+ AP_INIT_TAKE1("QS_MaxClients", qos_maxclients_cmd, NULL,
+ RSRC_CONF,
+ "QS_MaxClients <number>, optional override for mod_qos's"
+ " MaxClients/MaxRequestWorkers calculation which defines"
+ " the maximum number of TCP connections the server can handle."),
+
+ AP_INIT_FLAG("QS_DisableHandler", qos_disable_handler_cmd, NULL,
+ RSRC_CONF,
+ "QS_DisableHandler 'on'|'off', disables the qos-viewer"
+ " and qos-console for a virtual host"),
+
+#if APR_HAS_THREADS
+ AP_INIT_FLAG("QS_Status", qos_qsstatus_cmd, NULL,
+ RSRC_CONF,
+ "QS_Status 'on'|'off', writes a log message containing server"
+ " statistics once every minute. Default is off."),
+#endif
+
+ AP_INIT_FLAG("QS_EventCount", qos_qsevents_cmd, NULL,
+ RSRC_CONF,
+ "QS_EventCount 'on'|'off', enables error event counting"
+ " (counters are shown in the machine-readable version"
+ " of the status viewer). Default is off."),
+
+ AP_INIT_TAKE1("QSLog", qos_qlog_cmd, NULL,
+ RSRC_CONF,
+ "QSLog <arg>, used to configure a global (per Apache"
+ " instance) 'qslog' logger."),
+
+#ifdef QS_INTERNAL_TEST
+ AP_INIT_TAKE1("QS_EnableInternalIPSimulation", qos_disable_int_ip_cmd, NULL,
+ RSRC_CONF,
+ ""),
+#endif
+
+ { NULL }
+};
+
+
+/************************************************************************
+ * apache register
+ ***********************************************************************/
+static void qos_register_hooks(apr_pool_t * p) {
+ static const char *pre[] = { "mod_setenvif.c", "mod_setenvifplus.c", "mod_parp.c", NULL };
+ static const char *preuid[] = { "mod_setenvif.c", "mod_setenvifplus.c", "mod_parp.c", "mod_unique_id.c", NULL };
+ static const char *pressl[] = { "mod_ssl.c", NULL };
+ static const char *preconf[] = { "mod_setenvif.c", "mod_setenvifplus.c", "mod_parp.c", "mod_ssl.c", NULL };
+ static const char *post[] = { "mod_setenvif.c", "mod_setenvifplus.c", NULL };
+ static const char *postlog[] = { "mod_logio.c", NULL };
+ static const char *parp[] = { "mod_parp.c", NULL };
+ static const char *prelast[] = { "mod_setenvif.c", "mod_setenvifplus.c", "mod_ssl.c", NULL };
+ static const char *preFix[] = { "mod_ssl.c", "mod_setenvifplus.c", NULL };
+
+ ap_hook_post_config(qos_post_config, preconf, NULL, APR_HOOK_MIDDLE);
+
+ ap_hook_child_init(qos_child_init, NULL, NULL, APR_HOOK_MIDDLE);
+
+ // before ssl_hook_pre_connection@APR_HOOK_MIDDLE but after logio_pre_conn@APR_HOOK_MIDDLE
+ ap_hook_pre_connection(qos_pre_connection, postlog, pressl, APR_HOOK_MIDDLE);
+ // after ssl_hook_pre_connection@APR_HOOK_MIDDLE (and a many others)
+ ap_hook_pre_connection(qos_pre_process_connection, prelast, NULL, APR_HOOK_LAST);
+
+ ap_hook_process_connection(qos_process_connection, NULL, NULL, APR_HOOK_MIDDLE);
+
+ // be before sp_post_read_request@APR_HOOK_MIDDLE
+ ap_hook_post_read_request(qos_post_read_request, NULL, post, APR_HOOK_MIDDLE);
+ ap_hook_post_read_request(qos_post_read_request_later, preuid, NULL, APR_HOOK_MIDDLE);
+
+ ap_hook_header_parser(qos_header_parser0, NULL, post, APR_HOOK_FIRST);
+ ap_hook_header_parser(qos_header_parser1, post, parp, APR_HOOK_FIRST);
+ ap_hook_header_parser(qos_header_parser, pre, NULL, APR_HOOK_MIDDLE);
+
+ ap_hook_fixups(qos_fixup, preFix, NULL, APR_HOOK_MIDDLE);
+
+ ap_hook_handler(qos_handler, NULL, NULL, APR_HOOK_MIDDLE);
+
+ ap_hook_log_transaction(qos_logger, NULL, NULL, APR_HOOK_FIRST);
+ //ap_hook_error_log(qos_error_log, NULL, NULL, APR_HOOK_LAST);
+
+ ap_register_input_filter("qos-in-filter", qos_in_filter, NULL, AP_FTYPE_CONNECTION);
+ ap_register_input_filter("qos-in-filter2", qos_in_filter2, NULL, AP_FTYPE_RESOURCE);
+ ap_register_input_filter("qos-in-filter3", qos_in_filter3, NULL, AP_FTYPE_CONTENT_SET);
+ /* AP_FTYPE_RESOURCE+1 ensures the filter is executed after mod_setenvifplus
+ * AP_FTYPE_PROTOCOL+3 ensures the filter is executed after mod_deflate */
+ ap_register_output_filter("qos-out-filter", qos_out_filter, NULL, AP_FTYPE_RESOURCE+1);
+ ap_register_output_filter("qos-out-filter-min", qos_out_filter_min, NULL, AP_FTYPE_RESOURCE+1);
+ ap_register_output_filter("qos-out-filter-delay", qos_out_filter_delay, NULL, AP_FTYPE_PROTOCOL+3);
+ ap_register_output_filter("qos-out-filter-body", qos_out_filter_body, NULL, AP_FTYPE_RESOURCE+1);
+ ap_register_output_filter("qos-out-filter-brokencon", qos_out_filter_brokencon, NULL, AP_FTYPE_PROTOCOL+3);
+ ap_register_output_filter("qos-out-err-filter", qos_out_err_filter, NULL, AP_FTYPE_RESOURCE+1);
+
+ ap_hook_insert_filter(qos_insert_filter, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_insert_error_filter(qos_insert_err_filter, NULL, NULL, APR_HOOK_MIDDLE);
+
+}
+
+/************************************************************************
+ * apache module definition
+ ***********************************************************************/
+module AP_MODULE_DECLARE_DATA qos_module ={
+ STANDARD20_MODULE_STUFF,
+ qos_dir_config_create, /**< dir config creator */
+ qos_dir_config_merge, /**< dir merger */
+ qos_srv_config_create, /**< server config */
+ qos_srv_config_merge, /**< server merger */
+ qos_config_cmds, /**< command table */
+ qos_register_hooks, /**< hook registration */
+};
diff --git a/apache2/mod_qos.h b/apache2/mod_qos.h
new file mode 100644
index 0000000..3372abe
--- /dev/null
+++ b/apache2/mod_qos.h
@@ -0,0 +1,79 @@
+/* -*-mode: c; indent-tabs-mode: nil; c-basic-offset: 2; -*-
+ */
+
+/**
+ * mod_qos.h: Quality of service module for Apache Web Server.
+ *
+ * The Apache Web Servers requires threads and processes to serve
+ * requests. Each TCP connection to the web server occupies one
+ * thread or process. Sometimes, a server gets too busy to serve
+ * every request due the lack of free processes or threads.
+ *
+ * This module implements control mechanisms that can provide
+ * different priority to different requests.
+ *
+ * See http://mod-qos.sourceforge.net/ for further
+ * details.
+ *
+ * Copyright (C) 2023 Pascal Buchbinder
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef __MOD_QOS_H__
+#define __MOD_QOS_H__
+
+/**************************************************************************
+ * Hooks
+ **************************************************************************/
+#if !defined(WIN32)
+#define QOS_DECLARE(type) type
+#define QOS_DECLARE_NONSTD(type) type
+#define QOS_DECLARE_DATA
+#elif defined(QOS_DECLARE_STATIC)
+#define QOS_DECLARE(type) type __stdcall
+#define QOS_DECLARE_NONSTD(type) type
+#define QOS_DECLARE_DATA
+#elif defined(QOS_DECLARE_EXPORT)
+#define QOS_DECLARE(type) __declspec(dllexport) type __stdcall
+#define QOS_DECLARE_NONSTD(type) __declspec(dllexport) type
+#define QOS_DECLARE_DATA __declspec(dllexport)
+#else
+#define QOS_DECLARE(type) __declspec(dllimport) type __stdcall
+#define QOS_DECLARE_NONSTD(type) __declspec(dllimport) type
+#define QOS_DECLARE_DATA __declspec(dllimport)
+#endif
+
+#define QOS_OPTIONAL_HOOK(name,fn,pre,succ,order) \
+ APR_OPTIONAL_HOOK(qos,name,fn,pre,succ,order)
+
+/**
+ * mod_qos.h header file defining hooks for path/query
+ * decoding (used by QS_Deny* and QS_Permit* rules).
+ *
+ * Define QS_MOD_EXT_HOOKS in order to enable these hooks
+ * within mod_qos.c.
+ */
+
+/* hook to decode/unescape the path portion of the request uri */
+APR_DECLARE_EXTERNAL_HOOK(qos, QOS, apr_status_t, path_decode_hook,
+ (request_rec *r, char **path, int *len))
+/* hook to decode/unescape the query portion of the request uri */
+APR_DECLARE_EXTERNAL_HOOK(qos, QOS, apr_status_t, query_decode_hook,
+ (request_rec *r, char **query, int *len))
+
+#endif /* __MOD_QOS_H__ */