diff options
author | Dylan William Hardison <dylan@hardison.net> | 2017-09-11 18:59:58 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-11 18:59:58 +0200 |
commit | ce38f8be741a8b618dfac9d2f6f166a6e3954e45 (patch) | |
tree | 67c2d67bc1c180bb2be80e12b6d07bf9ef42446f /Bugzilla | |
parent | d3cf76c62299d9ff9e3589a3c159571711d8d186 (diff) | |
download | bugzilla-ce38f8be741a8b618dfac9d2f6f166a6e3954e45.tar.gz bugzilla-ce38f8be741a8b618dfac9d2f6f166a6e3954e45.tar.xz |
Bug 1393888 - Write httpd access handler to block by ip address stored in memcached
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/ModPerl.pm | 3 | ||||
-rw-r--r-- | Bugzilla/ModPerl/BlockIP.pm | 65 |
2 files changed, 68 insertions, 0 deletions
diff --git a/Bugzilla/ModPerl.pm b/Bugzilla/ModPerl.pm index 7c367ed2e..142df63d4 100644 --- a/Bugzilla/ModPerl.pm +++ b/Bugzilla/ModPerl.pm @@ -19,6 +19,8 @@ use Carp (); # (and there might be side-effects, since this code is loaded very early in the httpd startup) use Template (); +use Bugzilla::ModPerl::BlockIP; + sub apache_config { my ($class, $cgi_path) = @_; @@ -72,6 +74,7 @@ __DATA__ # the built-in rand(), even though we never use it in Bugzilla itself, # so we need to srand() both of them.) PerlChildInitHandler "sub { Bugzilla::RNG::srand(); srand(); }" +PerlAccessHandler Bugzilla::ModPerl::BlockIP # It is important to specify ErrorDocuments outside of all directories. # These used to be in .htaccess, but then things like "AllowEncodedSlashes no" diff --git a/Bugzilla/ModPerl/BlockIP.pm b/Bugzilla/ModPerl/BlockIP.pm new file mode 100644 index 000000000..4e9a4be5c --- /dev/null +++ b/Bugzilla/ModPerl/BlockIP.pm @@ -0,0 +1,65 @@ +package Bugzilla::ModPerl::BlockIP; +use 5.10.1; +use strict; +use warnings; + +use Apache2::RequestRec (); +use Apache2::Connection (); + +use Apache2::Const -compile => qw(OK); +use Cache::Memcached::Fast; + +use constant BLOCK_TIMEOUT => 60*60; + +my $MEMCACHED = Bugzilla::Memcached->_new()->{memcached}; +my $STATIC_URI = qr{ + ^/ + (?: extensions/[^/]+/web + | robots\.txt + | __heartbeat__ + | __lbheartbeat__ + | __version__ + | images + | skins + | js + | errors + ) +}xms; + +sub block_ip { + my ($class, $ip) = @_; + $MEMCACHED->set("block_ip:$ip" => 1, BLOCK_TIMEOUT) if $MEMCACHED; +} + +sub unblock_ip { + my ($class, $ip) = @_; + $MEMCACHED->delete("block_ip:$ip") if $MEMCACHED; +} + +sub handler { + my $r = shift; + return Apache2::Const::OK if $r->uri =~ $STATIC_URI; + + my $ip = $r->headers_in->{'X-Forwarded-For'}; + if ($ip) { + $ip = (split(/\s*,\s*/ms, $ip))[-1]; + } + else { + $ip = $r->connection->remote_ip; + } + + if ($MEMCACHED && $MEMCACHED->get("block_ip:$ip")) { + __PACKAGE__->block_ip($ip); + $r->status_line("429 Too Many Requests"); + # 500 is used here because apache 2.2 doesn't understand 429. + # the above line and the return value together mean we produce 429. + # Any other variation doesn't work. + $r->custom_response(500, "Too Many Requests"); + return 429; + } + else { + return Apache2::Const::OK; + } +} + +1; |