[src/trunk]: src/libexec/httpd Add blocklistd(8) support.
details: https://anonhg.NetBSD.org/src/rev/d02f14817d84
branches: trunk
changeset: 935858:d02f14817d84
user: jruoho <jruoho%NetBSD.org@localhost>
date: Sat Jul 11 08:10:52 2020 +0000
description:
Add blocklistd(8) support.
diffstat:
libexec/httpd/Makefile | 7 ++++---
libexec/httpd/auth-bozo.c | 7 ++++++-
libexec/httpd/bozohttpd.8 | 43 +++++++++++++++++++++++++++++++++++++++++--
libexec/httpd/bozohttpd.c | 34 +++++++++++++++++++++++++++++++++-
libexec/httpd/bozohttpd.h | 9 +++++++--
5 files changed, 91 insertions(+), 9 deletions(-)
diffs (205 lines):
diff -r f5d138b652e8 -r d02f14817d84 libexec/httpd/Makefile
--- a/libexec/httpd/Makefile Sat Jul 11 07:14:53 2020 +0000
+++ b/libexec/httpd/Makefile Sat Jul 11 08:10:52 2020 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.28 2019/01/17 07:39:00 mrg Exp $
+# $NetBSD: Makefile,v 1.29 2020/07/11 08:10:52 jruoho Exp $
#
# $eterna: Makefile,v 1.30 2010/07/11 00:34:27 mrg Exp $
#
@@ -14,6 +14,7 @@
# NO_SSL_SUPPORT /* don't support ssl (https) */
# DO_HTPASSWD /* support .htpasswd files */
# NO_LUA_SUPPORT /* don't support Lua for dynamic content */
+# NO_BLOCKLIST_SUPPORT /* don't support blocklist */
#
# other system specific defines:
# HAVE_NBUTIL_H /* netbsd compat is in <nbutil.h>
@@ -32,8 +33,8 @@
tilde-luzah-bozo.c dir-index-bozo.c content-bozo.c lua-bozo.c
SRCS+= main.c
-LDADD= -lcrypt -llua -lm
-DPADD= ${LIBCRYPT} ${LIBLUA} ${LIBM}
+LDADD= -lblocklist -lcrypt -llua -lm
+DPADD= ${LIBBLOCKLIST} ${LIBCRYPT} ${LIBLUA} ${LIBM}
WARNS?= 4
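Review bot: `-lblocklist` and `${LIBBLOCKLIST}` are added to `LDADD`/`DPADD` unconditionally, although the comment block above now lists `NO_BLOCKLIST_SUPPORT` as a supported build option. A build with `-DNO_BLOCKLIST_SUPPORT` would still link the library, and would presumably fail to link on a system that does not ship it. A short comment next to `LDADD` saying that `-lblocklist` must be dropped together with that define would keep the two in step.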
diff -r f5d138b652e8 -r d02f14817d84 libexec/httpd/auth-bozo.c
--- a/libexec/httpd/auth-bozo.c Sat Jul 11 07:14:53 2020 +0000
+++ b/libexec/httpd/auth-bozo.c Sat Jul 11 08:10:52 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: auth-bozo.c,v 1.24 2019/02/28 08:28:21 mrg Exp $ */
+/* $NetBSD: auth-bozo.c,v 1.25 2020/07/11 08:10:52 jruoho Exp $ */
/* $eterna: auth-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $ */
@@ -105,6 +105,11 @@
pass) != 0)
break;
fclose(fp);
+
+#ifndef NO_BLOCKLIST_SUPPORT
+ pfilter_notify(BLOCKLIST_AUTH_OK, 200);
+#endif /* !NO_BLOCKLIST_SUPPORT */
+
return 0;
}
}
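Review bot: The `BLOCKLIST_AUTH_OK` report added after the password match lowers the failure count for the client's address, as the man page text in this commit describes, so a client holding one valid credential can offset failures recorded against the same address. That weakens the counter as a bound on password guessing. The offset appears to exist only because the initial 401 challenge is itself counted as a failure, so not reporting that first unauthenticated 401 would remove the need for it. If the offset stays, document the trade-off at the call, for example `/* offsets the 401 challenge counted before every successful login */`. The enclosing function starts outside the hunk.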
diff -r f5d138b652e8 -r d02f14817d84 libexec/httpd/bozohttpd.8
--- a/libexec/httpd/bozohttpd.8 Sat Jul 11 07:14:53 2020 +0000
+++ b/libexec/httpd/bozohttpd.8 Sat Jul 11 08:10:52 2020 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: bozohttpd.8,v 1.80 2020/07/06 23:31:36 jmcneill Exp $
+.\" $NetBSD: bozohttpd.8,v 1.81 2020/07/11 08:10:52 jruoho Exp $
.\"
.\" $eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
.\"
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd July 6, 2020
+.Dd July 11, 2020
.Dt BOZOHTTPD 8
.Os
.Sh NAME
@@ -454,6 +454,45 @@
on the compiler command line to enable this support.
It may require linking with the crypt library, using
.Dq -lcrypt .
+.Ss BLOCKLIST SUPPORT
+On NetBSD,
+.Nm
+supports
+.Xr blocklistd 8
+by default.
+The support can be disabled with the
+.Dq -DNO_BLOCKLIST_SUPPORT
+compilation option.
+.Pp
+Upon occurrence,
+.Nm
+reports three HTTP status codes to
+.Xr blocklistd 8
+as failures:
+.Em 401
+(``Unauthorized'') ,
+.Em 403
+(``Forbidden'') ,
+and
+.Em 500
+(``Internal Server Error'') .
+Of these,
+.Em 401
+is the one received upon authorization failure with the
+HTTP Basic Authorization mechanism.
+A successful authorization decreases the counter kept by
+.Xr blocklistd 8 .
+.Pp
+Note that the implementation of the HTTP Basic Authorization mechanism
+uses a redirection; a status code
+.Em 401
+is always initially received.
+Therefore, a single authorization failure of
+.Pa .htpasswd
+is reported as two failures to
+.Xr blocklistd 8 ,
+but no failures are recorded upon successful authorization
+due to the decrease of the failure counter.
.Ss SSL SUPPORT
.Nm
has support for TLSv1.1 and TLSv1.2 protocols that are included by
diff -r f5d138b652e8 -r d02f14817d84 libexec/httpd/bozohttpd.c
--- a/libexec/httpd/bozohttpd.c Sat Jul 11 07:14:53 2020 +0000
+++ b/libexec/httpd/bozohttpd.c Sat Jul 11 08:10:52 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bozohttpd.c,v 1.115 2020/07/06 23:31:36 jmcneill Exp $ */
+/* $NetBSD: bozohttpd.c,v 1.116 2020/07/11 08:10:52 jruoho Exp $ */
/* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */
@@ -2133,6 +2133,7 @@
const char *shortmsg; /* short version of message */
const char *longmsg; /* long version of message */
} errors_map[] = {
+ { 200, "200 OK", "The request was valid", },
{ 400, "400 Bad Request", "The request was not valid", },
{ 401, "401 Unauthorized", "No authorization", },
{ 403, "403 Forbidden", "Access to this item has been denied",},
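Review bot: The new `{ 200, "200 OK", ... }` row puts a success code into `errors_map`, apparently only so that `http_errors_short(200)` yields a label for the `BLOCKLIST_AUTH_OK` report. Nothing in the table says so, and a later reader could take it for an error that can be sent to a client. A comment on the row, such as `/* not an error: label for blocklist success reports only */`, would make the intent clear. The table's declaration starts outside the hunk.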
@@ -2170,6 +2171,23 @@
return (help);
}
+#ifndef NO_BLOCKLIST_SUPPORT
+static struct blocklist *blstate;
+
+void
+pfilter_notify(const int what, const int code)
+{
+
+ if (blstate == NULL)
+ blstate = blocklist_open();
+
+ if (blstate == NULL)
+ return;
+
+ (void)blocklist_r(blstate, what, 0, http_errors_short(code));
+}
+#endif /* !NO_BLOCKLIST_SUPPORT */
+
/* the follow functions and variables are used in handling HTTP errors */
/* ARGSUSED */
int
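Review bot: `pfilter_notify` opens the blocklistd handle lazily on the first report and loses every failure silently, because a NULL from `blocklist_open()` simply returns and the result of `blocklist_r()` is cast to void. If the first report comes after the server has chrooted or dropped privileges (that code is not in this hunk), the open may be unable to reach blocklistd and the operator gets no sign that reports are being dropped. Opening the handle once during startup, and logging a failed open or a failed report at debug level, would make this visible. The literal `0` also needs a comment such as `/* fd 0 is expected to be the client socket; the peer address is taken from it */`, since the call is only correct while that holds.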
@@ -2272,6 +2290,20 @@
bozo_printf(httpd, "%s", httpd->errorbuf);
bozo_flush(httpd, stdout);
+#ifndef NO_BLOCKLIST_SUPPORT
+ switch(code) {
+
+ case 401:
+ pfilter_notify(BLOCKLIST_AUTH_FAIL, code);
+ break;
+
+ case 403: /* FALLTHROUGH */
+ case 500:
+ pfilter_notify(BLOCKLIST_ABUSIVE_BEHAVIOR, code);
+ break;
+ }
+#endif /* !NO_BLOCKLIST_SUPPORT */
+
return code;
}
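Review bot: `case 500:` reports a server-side failure as `BLOCKLIST_ABUSIVE_BEHAVIOR` against the client, so a broken CGI script or a misconfiguration can get well-behaved clients blocked. As I read libblocklist(3), that action asks for the address to be blocked as soon as possible rather than counted. 403 carries a similar risk wherever it is returned for ordinary requests, and addresses shared behind a NAT or proxy widen the impact. I would report only 401 by default and drop `case 500:`, leaving `case 403: pfilter_notify(BLOCKLIST_ABUSIVE_BEHAVIOR, code); break;` at most behind a build or run-time option, and add `default: break;` so the unhandled codes are explicit. The enclosing function starts outside the hunk.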
diff -r f5d138b652e8 -r d02f14817d84 libexec/httpd/bozohttpd.h
--- a/libexec/httpd/bozohttpd.h Sat Jul 11 07:14:53 2020 +0000
+++ b/libexec/httpd/bozohttpd.h Sat Jul 11 08:10:52 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bozohttpd.h,v 1.61 2020/07/06 23:31:36 jmcneill Exp $ */
+/* $NetBSD: bozohttpd.h,v 1.62 2020/07/11 08:10:52 jruoho Exp $ */
/* $eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $ */
@@ -35,6 +35,7 @@
#include "netbsd_queue.h"
#include <stdbool.h>
+#include <stdio.h>
#include <signal.h>
#include <sys/stat.h>
@@ -42,7 +43,11 @@
#ifndef NO_LUA_SUPPORT
#include <lua.h>
#endif
-#include <stdio.h>
+
+#ifndef NO_BLOCKLIST_SUPPORT
+#include <blocklist.h>
+void pfilter_notify(const int, const int);
+#endif
/* QNX provides a lot of NetBSD things in nbutil.h */
#ifdef HAVE_NBUTIL_H
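Review bot: The prototype `void pfilter_notify(const int, const int);` omits parameter names, and its `const` qualifiers on by-value parameters have no effect in a declaration. Since the two ints are easy to swap at a call site, `void pfilter_notify(int what, int code);` reads better. A one-line comment that `what` is a `BLOCKLIST_*` action and `code` an HTTP status would document the contract in the header.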