Bug 1393888 - Write httpd access handler to block by ip address stored in memcached

1 files changed, 65 insertions, 0 deletions

diff --git a/Bugzilla/ModPerl/BlockIP.pm b/Bugzilla/ModPerl/BlockIP.pm
new file mode 100644
index 000000000..4e9a4be5c
--- /dev/null
+++ b/Bugzilla/ModPerl/BlockIP.pm
@@ -0,0 +1,65 @@
+package Bugzilla::ModPerl::BlockIP;
+use 5.10.1;
+use strict;
+use warnings;
+
+use Apache2::RequestRec ();
+use Apache2::Connection ();
+
+use Apache2::Const -compile => qw(OK);
+use Cache::Memcached::Fast;
+
+use constant BLOCK_TIMEOUT => 60*60;
+
+my $MEMCACHED = Bugzilla::Memcached->_new()->{memcached};
+my $STATIC_URI = qr{
+    ^/
+     (?: extensions/[^/]+/web
+       | robots\.txt
+       | __heartbeat__
+       | __lbheartbeat__
+       | __version__
+       | images
+       | skins
+       | js
+       | errors
+     )
+}xms;
+
+sub block_ip {
+    my ($class, $ip) = @_;
+    $MEMCACHED->set("block_ip:$ip" => 1, BLOCK_TIMEOUT) if $MEMCACHED;
+}
+
+sub unblock_ip {
+    my ($class, $ip) = @_;
+    $MEMCACHED->delete("block_ip:$ip") if $MEMCACHED;
+}
+
+sub handler {
+    my $r = shift;
+    return Apache2::Const::OK if $r->uri =~ $STATIC_URI;
+
+    my $ip = $r->headers_in->{'X-Forwarded-For'};
+    if ($ip) {
+        $ip = (split(/\s*,\s*/ms, $ip))[-1];
+    }
+    else {
+        $ip = $r->connection->remote_ip;
+    }
+
+    if ($MEMCACHED && $MEMCACHED->get("block_ip:$ip")) {
+        __PACKAGE__->block_ip($ip);
+        $r->status_line("429 Too Many Requests");
+        # 500 is used here because apache 2.2 doesn't understand 429.
+        # the above line and the return value together mean we produce 429.
+        # Any other variation doesn't work.
+        $r->custom_response(500, "Too Many Requests");
+        return 429;
+    }
+    else {
+        return Apache2::Const::OK;
+    }
+}
+
+1;