/* * mod_access - restrict access to the webserver for certain clients * * Description: * mod_access lets you filter clients by IP address. * * Setups: * access.load "file"; * - Loads access rules from a file. One rule per line in the format . * Example file (\n is newline): allow 127.0.0.1\ndeny 10.0.0.0/8\nallow 192.168.0.0/24 * Options: * access.redirect_url = "url"; * - if set, clients are redirected to this url if access is refused * Actions: * access.deny; * - Denies access by returning a 403 status code * access.check ("allow" => iplist, "deny" => iplist); * - "allow" and "deny" are optional. If left out, they default to "all" * - iplists are lists of strings representing IP addresses with optional CIDR suffix * - To represent all IPs, you can either use "x.x.x.x/0" or "all" * * Example config: * access.redirect_url = "http://www.example.tld/denied.html"; * access.check ( * "allow" => ("127.0.0.0/24", "192.168.0.0/16", "::1"), * "deny" => ( "all" ) * ); * if req.path =$ ".inc" { access.deny; } * * This config snippet will grant access only to clients from the local network (127.0.0.* or 192.168.*.*). * Additionally it will deny access to any file ending with ".inc", no matter what client. * Clients that are denied access, will be redirected to http://www.example.tld/denied.html * * Tip: * none * * Todo: * - access.redirect_url * * Author: * Copyright (c) 2009 Thomas Porzelt * License: * MIT, see COPYING file in the lighttpd 2 tree */ #include #include LI_API gboolean mod_access_init(liModules *mods, liModule *mod); LI_API gboolean mod_access_free(liModules *mods, liModule *mod); struct access_check_data { liPlugin *p; liRadixTree *ipv4, *ipv6; }; typedef struct access_check_data access_check_data; enum { ACCESS_DENY = 1, ACCESS_ALLOW = 2 }; enum { OPTION_LOG_BLOCKED = 0 }; enum { OPTION_REDIRECT_URL = 0 }; static liHandlerResult access_check(liVRequest *vr, gpointer param, gpointer *context) { access_check_data *acd = param; liSockAddr *addr = vr->coninfo->remote_addr.addr; gboolean log_blocked = _OPTION(vr, acd->p, OPTION_LOG_BLOCKED).boolean; GString *redirect_url = _OPTIONPTR(vr, acd->p, OPTION_REDIRECT_URL).string; UNUSED(context); UNUSED(redirect_url); if (addr->plain.sa_family == AF_INET) { if (GINT_TO_POINTER(ACCESS_DENY) == li_radixtree_lookup(acd->ipv4, &addr->ipv4.sin_addr.s_addr, 32)) { if (!li_vrequest_handle_direct(vr)) return LI_HANDLER_GO_ON; vr->response.http_status = 403; if (log_blocked) VR_INFO(vr, "access.check: blocked %s", vr->coninfo->remote_addr_str->str); } #ifdef HAVE_IPV6 } else if (addr->plain.sa_family == AF_INET6) { if (GINT_TO_POINTER(ACCESS_DENY) == li_radixtree_lookup(acd->ipv6, &addr->ipv6.sin6_addr.s6_addr, 128)) { if (!li_vrequest_handle_direct(vr)) return LI_HANDLER_GO_ON; vr->response.http_status = 403; if (log_blocked) VR_INFO(vr, "access.check: blocked %s", vr->coninfo->remote_addr_str->str); } #endif } else { VR_ERROR(vr, "%s", "access.check only supports ipv4 or ipv6 clients"); return LI_HANDLER_ERROR; } return LI_HANDLER_GO_ON; } static void access_check_free(liServer *srv, gpointer param) { access_check_data *acd = param; UNUSED(srv); li_radixtree_free(acd->ipv4, NULL, NULL); li_radixtree_free(acd->ipv6, NULL, NULL); g_slice_free(access_check_data, acd); } static liAction* access_check_create(liServer *srv, liWorker *wrk, liPlugin* p, liValue *val, gpointer userdata) { GArray *arr; liValue *v, *ip; guint i, j; guint32 ipv4, netmaskv4; gboolean deny = FALSE; access_check_data *acd = NULL; UNUSED(srv); UNUSED(wrk); UNUSED(userdata); if (!val || val->type != LI_VALUE_LIST || (val->data.list->len != 1 && val->data.list->len != 2)) { ERROR(srv, "%s", "access_check expects a list of one or two string,list tuples as parameter"); return NULL; } arr = val->data.list; acd = g_slice_new0(access_check_data); acd->p = p; acd->ipv4 = li_radixtree_new(); acd->ipv6 = li_radixtree_new(); li_radixtree_insert(acd->ipv4, NULL, 0, GINT_TO_POINTER(ACCESS_DENY)); li_radixtree_insert(acd->ipv6, NULL, 0, GINT_TO_POINTER(ACCESS_DENY)); for (i = 0; i < arr->len; i++) { v = g_array_index(arr, liValue*, i); if (v->type != LI_VALUE_LIST || v->data.list->len != 2) { ERROR(srv, "%s", "access_check expects a list of one or two string,list tuples as parameter"); goto failed_free_acd; } v = g_array_index(v->data.list, liValue*, 0); if (v->type != LI_VALUE_STRING) { ERROR(srv, "%s", "access_check expects a list of one or two string,list tuples as parameter"); goto failed_free_acd; } if (g_str_equal(v->data.string->str, "allow")) { deny = FALSE; } else if (g_str_equal(v->data.string->str, "deny")) { deny = TRUE; } else { ERROR(srv, "access_check: invalid option \"%s\"", v->data.string->str); goto failed_free_acd; } v = g_array_index(g_array_index(arr, liValue*, i)->data.list, liValue*, 1); if (v->type != LI_VALUE_LIST) { ERROR(srv, "%s", "access_check expects a list of one or two string,list tuples as parameter"); goto failed_free_acd; } for (j = 0; j < v->data.list->len; j++) { guint8 ipv6_addr[16]; guint ipv6_network; ip = g_array_index(v->data.list, liValue*, j); if (ip->type != LI_VALUE_STRING) { ERROR(srv, "%s", "access_check expects a list of one or two string,list tuples as parameter"); goto failed_free_acd; } if (g_str_equal(ip->data.string->str, "all")) { li_radixtree_insert(acd->ipv4, NULL, 0, GINT_TO_POINTER(deny ? ACCESS_DENY : ACCESS_ALLOW)); li_radixtree_insert(acd->ipv6, NULL, 0, GINT_TO_POINTER(deny ? ACCESS_DENY : ACCESS_ALLOW)); } else if (li_parse_ipv4(ip->data.string->str, &ipv4, &netmaskv4, NULL)) { gint prefixlen; netmaskv4 = ntohl(netmaskv4); prefixlen = 32 - g_bit_nth_lsf(netmaskv4, -1); if (prefixlen < 0 || prefixlen > 32) prefixlen = 0; li_radixtree_insert(acd->ipv4, &ipv4, prefixlen, GINT_TO_POINTER(deny ? ACCESS_DENY : ACCESS_ALLOW)); } else if (li_parse_ipv6(ip->data.string->str, ipv6_addr, &ipv6_network, NULL)) { li_radixtree_insert(acd->ipv6, ipv6_addr, ipv6_network, GINT_TO_POINTER(deny ? ACCESS_DENY : ACCESS_ALLOW)); } else { ERROR(srv, "access_check: error parsing ip: %s", ip->data.string->str); goto failed_free_acd; } } } return li_action_new_function(access_check, NULL, access_check_free, acd); failed_free_acd: li_radixtree_free(acd->ipv4, NULL, NULL); li_radixtree_free(acd->ipv6, NULL, NULL); g_slice_free(access_check_data, acd); return NULL; } static liHandlerResult access_deny(liVRequest *vr, gpointer param, gpointer *context) { gboolean log_blocked = _OPTION(vr, ((liPlugin*)param), OPTION_LOG_BLOCKED).boolean; GString *redirect_url = _OPTIONPTR(vr, ((liPlugin*)param), OPTION_REDIRECT_URL).string; UNUSED(context); UNUSED(redirect_url); if (!li_vrequest_handle_direct(vr)) return LI_HANDLER_GO_ON; vr->response.http_status = 403; if (log_blocked) { VR_INFO(vr, "access.deny: blocked %s", vr->coninfo->remote_addr_str->str); } return LI_HANDLER_GO_ON; } static liAction* access_deny_create(liServer *srv, liWorker *wrk, liPlugin* p, liValue *val, gpointer userdata) { UNUSED(srv); UNUSED(wrk); UNUSED(userdata); if (val) { ERROR(srv, "%s", "access.deny doesn't expect any parameters"); return NULL; } return li_action_new_function(access_deny, NULL, NULL, p); } static const liPluginOption options[] = { { "access.log_blocked", LI_VALUE_BOOLEAN, 0, NULL }, { NULL, 0, 0, NULL } }; static const liPluginOptionPtr optionptrs[] = { { "access.redirect_url", LI_VALUE_STRING, NULL, NULL, NULL }, { NULL, 0, NULL, NULL, NULL } }; static const liPluginAction actions[] = { { "access.check", access_check_create, NULL }, { "access.deny", access_deny_create, NULL }, { NULL, NULL, NULL } }; static const liPluginSetup setups[] = { { NULL, NULL, NULL } }; static void plugin_access_init(liServer *srv, liPlugin *p, gpointer userdata) { UNUSED(srv); UNUSED(userdata); p->options = options; p->optionptrs = optionptrs; p->actions = actions; p->setups = setups; } gboolean mod_access_init(liModules *mods, liModule *mod) { UNUSED(mod); MODULE_VERSION_CHECK(mods); mod->config = li_plugin_register(mods->main, "mod_access", plugin_access_init, NULL); return mod->config != NULL; } gboolean mod_access_free(liModules *mods, liModule *mod) { if (mod->config) li_plugin_free(mods->main, mod->config); return TRUE; }