This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit d1037fcff18806bdbdc80d5fad3e53facb6da01e Author: Evan Zelkowitz <[email protected]> AuthorDate: Tue Sep 3 20:22:26 2024 -0600 Add geoguard specific fields to maxmind anonymous blocking (#11747) (cherry picked from commit eeb7ebaf5cfd11950147f509c09e7e730991954b) --- doc/admin-guide/plugins/maxmind_acl.en.rst | 6 +++ plugins/experimental/maxmind_acl/mmdb.cc | 75 ++++++++++++++++++++++++++++++ plugins/experimental/maxmind_acl/mmdb.h | 6 +++ 3 files changed, 87 insertions(+) diff --git a/doc/admin-guide/plugins/maxmind_acl.en.rst b/doc/admin-guide/plugins/maxmind_acl.en.rst index ab1d9d8671..d0a4aacb97 100644 --- a/doc/admin-guide/plugins/maxmind_acl.en.rst +++ b/doc/admin-guide/plugins/maxmind_acl.en.rst @@ -108,3 +108,9 @@ For example in the above if an IP had both vpn and hosting true in the database The allow IP and deny IP fields also will work while using the anonymous blocking if you wish to allow specific known IPs or block specific IPs. Keep in mind that the same rule about reversing the logic applies, so that even if you are only doing anonymous IP blocking, and then set allowable IPs to allow certain anonymous IP through (if desired), this will reverse the logic and default to blocking all IPs unless they fall into a range in the allow list. + +The plugin also supports optional fields from GeoGuard databases which includes: +``vpn_datacenter`` +``relay_proxy`` +``proxy_over_vpn`` +``smart_dns_proxy`` \ No newline at end of file diff --git a/plugins/experimental/maxmind_acl/mmdb.cc b/plugins/experimental/maxmind_acl/mmdb.cc index e48f0f9d19..bd213c9481 100644 --- a/plugins/experimental/maxmind_acl/mmdb.cc +++ b/plugins/experimental/maxmind_acl/mmdb.cc @@ -112,6 +112,11 @@ Acl::init(char const *filename) _residential_proxy = false; _public_proxy = false; + _vpn_datacenter = false; + _relay_proxy = false; + _proxy_over_vpn = false; + _smart_dns_proxy = false; + if (loadallow(maxmind["allow"])) { Dbg(dbg_ctl, "Loaded Allow ruleset"); status = true; 
@@ -192,6 +197,27 @@ Acl::loadanonymous(const YAML::Node &anonNode) _residential_proxy = true; } + // GeoGuard specific fields + if (anonNode["vpn_datacenter"].as<bool>(false)) { + Dbg(dbg_ctl, "saw vpn datacenter true"); + _vpn_datacenter = true; + } + + if (anonNode["relay_proxy"].as<bool>(false)) { + Dbg(dbg_ctl, "saw relay proxy true"); + _relay_proxy = true; + } + + if (anonNode["proxy_over_vpn"].as<bool>(false)) { + Dbg(dbg_ctl, "saw proxy over vpn true"); + _proxy_over_vpn = true; + } + + if (anonNode["smart_dns_proxy"].as<bool>(false)) { + Dbg(dbg_ctl, "saw smart dns proxy true"); + _smart_dns_proxy = true; + } + } catch (const YAML::Exception &e) { Dbg(dbg_ctl, "YAML::Exception %s when parsing YAML config file anonymous list", e.what()); return false; 
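Review bot: `anonNode["vpn_datacenter"].as<bool>(false)` and its three siblings return the fallback on any conversion failure, not just on an absent key, so a malformed value such as `vpn_datacenter: tru` or a quoted string is silently read as "not enabled" and the ruleset loads successfully while blocking less than the operator configured. The `catch (const YAML::Exception &e)` at the end of this hunk already turns a parse problem into a load failure, so I would reserve the fallback for a missing key and let a present-but-malformed value throw: `if (const YAML::Node n = anonNode["vpn_datacenter"]; n.IsDefined() && n.as<bool>()) {` for each of the four fields. A key written with no value (`vpn_datacenter:`) would then also be rejected rather than defaulted, which for an ACL is the safer direction. The pre-existing fields above the hunk appear to use the same `.as<bool>(false)` form, so this is an inherited pattern rather than something the commit introduced; loadanonymous starts and ends outside the hunk.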
@@ -682,6 +708,55 @@ Acl::eval_anonymous(MMDB_entry_s *entry) } } + // GeoGuard specific fields + if (_vpn_datacenter) { + status = MMDB_get_value(entry, &entry_data, "is_vpn_datacenter", NULL); + if ((MMDB_SUCCESS == status) && (entry_data.has_data)) { + if (entry_data.type == MMDB_DATA_TYPE_BOOLEAN) { + if (entry_data.boolean == true) { + Dbg(dbg_ctl, "saw is_vpn_datacenter set to true bool"); + return false; + } + } + } + } + + if (_relay_proxy) { + status = MMDB_get_value(entry, &entry_data, "is_relay_proxy", NULL); + if ((MMDB_SUCCESS == status) && (entry_data.has_data)) { + if (entry_data.type == MMDB_DATA_TYPE_BOOLEAN) { + if (entry_data.boolean == true) { + Dbg(dbg_ctl, "saw is_relay_proxy set to true bool"); + return false; + } + } + } + } + + if (_proxy_over_vpn) { + status = MMDB_get_value(entry, &entry_data, "is_proxy_over_vpn", NULL); + if ((MMDB_SUCCESS == status) && (entry_data.has_data)) { + if (entry_data.type == MMDB_DATA_TYPE_BOOLEAN) { + if (entry_data.boolean == true) { + Dbg(dbg_ctl, "saw is_proxy_over_vpn set to true bool"); + return false; + } + } + } + } + + if (_smart_dns_proxy) { + status = MMDB_get_value(entry, &entry_data, "is_smart_dns_proxy", NULL); + if ((MMDB_SUCCESS == status) && (entry_data.has_data)) { + if (entry_data.type == MMDB_DATA_TYPE_BOOLEAN) { + if (entry_data.boolean == true) { + Dbg(dbg_ctl, "saw is_smart_dns_proxy set to true bool"); + return false; + } + } + } + } + return true; } diff --git a/plugins/experimental/maxmind_acl/mmdb.h b/plugins/experimental/maxmind_acl/mmdb.h index 258f433655..c466353c2f 100644 --- a/plugins/experimental/maxmind_acl/mmdb.h +++ b/plugins/experimental/maxmind_acl/mmdb.h 
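Review bot: Each of the four new lookups treats a non-success return from `MMDB_get_value` exactly like a `false` flag, so when the loaded database is not a GeoGuard build (the `is_*` keys are absent) or the record cannot be read, an enabled rule silently becomes a no-op and the client is allowed through with nothing logged, which for an ACL is a fail-open path the operator cannot see. I would at least emit a Dbg on the error path (libmaxminddb reports a lookup path that does not exist as its own error code, distinct from a present-but-false value, as far as I recall; a one-time warning at load time when the database lacks the field would be better still, but the metadata is not visible in this hunk). Since the four blocks are identical apart from the key string, a small table plus one loop keeps that handling in one place instead of four; the pre-existing anonymous fields above the hunk look like they follow the same shape and could join the table. eval_anonymous's opening, including the `status` and `entry_data` declarations the loop reuses, is outside the hunk.
```cpp
  // GeoGuard specific fields: one table-driven pass instead of four identical blocks.
  struct FlagLookup {
    bool        enabled;
    const char *key;
  };
  const FlagLookup geoguard_flags[] = {
    {_vpn_datacenter, "is_vpn_datacenter"},
    {_relay_proxy,    "is_relay_proxy"   },
    {_proxy_over_vpn, "is_proxy_over_vpn"},
    {_smart_dns_proxy, "is_smart_dns_proxy"},
  };
  for (const auto &[enabled, key] : geoguard_flags) {
    if (!enabled) {
      continue;
    }
    status = MMDB_get_value(entry, &entry_data, key, NULL);
    if (MMDB_SUCCESS != status) {
      // A rule that could not be evaluated must not look like "false"; make it visible.
      Dbg(dbg_ctl, "lookup of %s failed: %s", key, MMDB_strerror(status));
      continue;
    }
    if (entry_data.has_data && entry_data.type == MMDB_DATA_TYPE_BOOLEAN && entry_data.boolean) {
      Dbg(dbg_ctl, "saw %s set to true bool", key);
      return false;
    }
  }
  // … unchanged: return true …
```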
@@ -108,6 +108,12 @@ protected: bool _tor_exit_node = false; bool _residential_proxy = false; + // GeoGuard specific fields + bool _vpn_datacenter = false; + bool _relay_proxy = false; + bool _proxy_over_vpn = false; + bool _smart_dns_proxy = false; + bool _anonymous_blocking = false; // Do we want to allow by default or not? Useful
