diff -Nru pound-2.5/config.c pound-2.5-new/config.c
--- pound-2.5/config.c	2011-04-19 12:07:53.000000000 +0200
+++ pound-2.5-new/config.c	2011-04-19 12:22:47.000000000 +0200
@@ -8,15 +8,15 @@
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 3 of the License, or
  * (at your option) any later version.
- * 
+ *
  * Pound is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- * 
+ *
  * Contact information:
  * Apsis GmbH
  * P.O.Box
@@ -78,6 +78,9 @@
 static regex_t  Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
 static regex_t  ClientCert, AddHeader, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
 static regex_t  Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert;
+/* New policy "Deny" to deny access to a service with an IP filter */
+static regex_t  Deny;
+static regex_t  Err403;
 
 static regmatch_t   matches[5];
 
@@ -452,6 +455,9 @@
     MATCHER     *m;
     int         ign_case;
 
+    regex_t ip;
+    int flag_pat=0;
+
     if((res = (SERVICE *)malloc(sizeof(SERVICE))) == NULL)
         conf_err("Service config: out of memory - aborted");
     memset(res, 0, sizeof(SERVICE));
@@ -586,6 +592,64 @@
             res->dynscale = atoi(lin + matches[1].rm_so);
         } else if(!regexec(&IgnoreCase, lin, 4, matches, 0)) {
             ign_case = atoi(lin + matches[1].rm_so);
+        } else if(!regexec(&Deny, lin, 4, matches, 0)) {
+            if(res->acl) {
+                for(m = res->acl; m->next; m = m->next)
+                    ;
+                if((m->next = (MATCHER *)malloc(sizeof(MATCHER))) == NULL) {
+                    conf_err("Deny config: out of memory - aborted");
+                    exit(1);
+                }
+                m = m->next;
+            } else {
+                if((res->acl = (MATCHER *)malloc(sizeof(MATCHER))) == NULL) {
+                    conf_err("Deny config: out of memory - aborted");
+                    exit(1);
+                }
+                m = res->acl;
+            }
+
+            memset(m, 0, sizeof(MATCHER));
+            lin[matches[1].rm_eo] = '\0';
+
+            // Pointing start of denied ips list
+
+            char *ipstr=(char *)malloc(16*sizeof(char));
+            char *regip=(char *)malloc(18*sizeof(char));
+            char *iplist;
+
+            iplist = lin + matches[1].rm_so;
+
+            if(!regcomp(&ip,"(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9]).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9]))",REG_ICASE | REG_NEWLINE | REG_EXTENDED))
+            {
+                for(flag_pat=0,ipstr=strtok(iplist," "); ipstr!=NULL; ipstr=strtok(NULL," "),flag_pat=1)
+                {
+                    // Matching IPV4 ip
+                    if(!regexec(&ip,ipstr,0,NULL,0))
+                    {
+                        if(flag_pat)
+                        {
+                            m->next = (MATCHER *)malloc(sizeof(MATCHER));
+                            m = m->next;
+                            memset(m,0,sizeof(MATCHER));
+                        }
+                        sprintf(regip,"^%s$",ipstr);
+                        regcomp(&m->pat, regip, REG_ICASE | REG_NEWLINE | REG_EXTENDED);
+                    }
+                    else
+                    {
+                        conf_err("Bad IP address - aborted");
+                        exit(1);
+                    }
+                }
+            }
+            else {
+                conf_err("IP bad pattern - aborted");
+                exit(1);
+            }
+
+            free(ipstr);
+            free(regip);
         } else {
             conf_err("unknown directive");
         }
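Review bot: `sprintf(regip,"^%s$",ipstr)` can write past the 18-byte `regip` allocation, because the validating pattern compiled just above it is unanchored and its `.` is unescaped, so any token that merely contains something shaped like a dotted quad is accepted whatever its length. The same block leaks the 16-byte `ipstr` allocation (strtok overwrites the pointer), never calls regfree on `ip`, and does not check the malloc for the second and later entries or the regcomp of `m->pat`. It also leaves a zeroed, never-compiled MATCHER on `res->acl` when the quoted list holds only spaces, which check_acl() would then pass to regexec. The version below anchors the validation, formats into a fixed stack buffer with snprintf, checks each call and rejects an empty list; it assumes conf_err() does not return, as the unguarded callers elsewhere in this file suggest. The enclosing function starts and ends outside the hunk.

```c
            /* … unchanged: append a zeroed MATCHER to res->acl, terminate the quoted list … */
            char regip[18];     /* "^" + at most 15 chars of dotted quad + "$" + NUL */
            char *iplist = lin + matches[1].rm_so;
            char *ipstr;
            int n_ips = 0;

            /* anchored, dots escaped: a token must be exactly one IPv4 address */
            if(regcomp(&ip, "^((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])$", REG_ICASE | REG_NEWLINE | REG_EXTENDED))
                conf_err("IP bad pattern - aborted");
            for(ipstr = strtok(iplist, " "); ipstr != NULL; ipstr = strtok(NULL, " ")) {
                if(regexec(&ip, ipstr, 0, NULL, 0))
                    conf_err("Bad IP address - aborted");
                if(n_ips++) {
                    /* second and later addresses each get their own list node */
                    if((m->next = (MATCHER *)malloc(sizeof(MATCHER))) == NULL)
                        conf_err("Deny config: out of memory - aborted");
                    m = m->next;
                    memset(m, 0, sizeof(MATCHER));
                }
                snprintf(regip, sizeof(regip), "^%s$", ipstr);
                if(regcomp(&m->pat, regip, REG_ICASE | REG_NEWLINE | REG_EXTENDED))
                    conf_err("Deny bad pattern - aborted");
            }
            if(n_ips == 0)
                conf_err("Deny: empty address list - aborted");
            regfree(&ip);
```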
@@ -637,6 +701,9 @@
     memset(res, 0, sizeof(LISTENER));
     res->to = clnt_to;
     res->rewr_loc = 1;
+
+
+    res->err403 = "You don't have permission to access on this service";
     res->err414 = "Request URI is too long";
     res->err500 = "An internal server error occurred. Please try again later.";
     res->err501 = "This method may not be used.";
@@ -687,6 +754,9 @@
             if(regcomp(&res->url_pat, lin + matches[1].rm_so, REG_NEWLINE | REG_EXTENDED))
                 conf_err("CheckURL bad pattern - aborted");
             res->has_pat = 1;
+        } else if(!regexec(&Err403, lin, 4, matches, 0)) {
+            lin[matches[1].rm_eo] = '\0';
+            res->err403 = file2str(lin + matches[1].rm_so);
         } else if(!regexec(&Err414, lin, 4, matches, 0)) {
             lin[matches[1].rm_eo] = '\0';
             res->err414 = file2str(lin + matches[1].rm_so);
@@ -788,6 +858,7 @@
 
     res->to = clnt_to;
     res->rewr_loc = 1;
+    res->err403 = "You don't have permission to access on this service";
     res->err414 = "Request URI is too long";
     res->err500 = "An internal server error occurred. Please try again later.";
     res->err501 = "This method may not be used.";
@@ -833,6 +904,9 @@
             if(regcomp(&res->url_pat, lin + matches[1].rm_so, REG_NEWLINE | REG_EXTENDED))
                 conf_err("CheckURL bad pattern - aborted");
             res->has_pat = 1;
+        } else if(!regexec(&Err403, lin, 4, matches, 0)) {
+            lin[matches[1].rm_eo] = '\0';
+            res->err403 = file2str(lin + matches[1].rm_so);
         } else if(!regexec(&Err414, lin, 4, matches, 0)) {
             lin[matches[1].rm_eo] = '\0';
             res->err414 = file2str(lin + matches[1].rm_so);
@@ -1125,6 +1199,7 @@
     || regcomp(&xHTTP, "^[ \t]*xHTTP[ \t]+([01234])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&Client, "^[ \t]*Client[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&CheckURL, "^[ \t]*CheckURL[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+    || regcomp(&Err403, "^[ \t]*Err403[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&Err414, "^[ \t]*Err414[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&Err500, "^[ \t]*Err500[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&Err501, "^[ \t]*Err501[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
@@ -1163,6 +1238,7 @@
     || regcomp(&IgnoreCase, "^[ \t]*IgnoreCase[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&HTTPS, "^[ \t]*HTTPS[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     || regcomp(&HTTPSCert, "^[ \t]*HTTPS[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+    || regcomp(&Deny,"^[ \t]*Deny[ \t]+\"(.+)\"[ ]*$",REG_ICASE | REG_NEWLINE | REG_EXTENDED)
     ) {
         logmsg(LOG_ERR, "bad config Regex - aborted");
         exit(1);
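Review bot: The Deny pattern ends in `[ ]*$` and is written without a space after the commas, while every sibling directive in this chain ends in `[ \t]*$`; a Deny line with a trailing tab therefore will not match and presumably ends up in the "unknown directive" branch. For consistency use `|| regcomp(&Deny, "^[ \t]*Deny[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)`. The directive's syntax (a quoted, space-separated list of IPv4 addresses) is not described anywhere in the patch and deserves a comment here or at the declaration of `Deny`. The regcomp chain starts outside the hunk.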
@@ -1317,6 +1393,8 @@
     regfree(&IgnoreCase);
     regfree(&HTTPS);
     regfree(&HTTPSCert);
+    regfree(&Deny);
+    regfree(&Err403);
 
     /* set the facility only here to ensure the syslog gets opened if necessary */
     log_facility = def_facility;
diff -Nru pound-2.5/http.c pound-2.5-new/http.c
--- pound-2.5/http.c	2011-04-19 12:07:53.000000000 +0200
+++ pound-2.5-new/http.c	2011-04-19 12:22:47.000000000 +0200
@@ -8,12 +8,12 @@
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 3 of the License, or
  * (at your option) any later version.
- * 
+ *
  * Pound is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  *
@@ -31,8 +31,10 @@
 static char *h500 = "500 Internal Server Error",
             *h501 = "501 Not Implemented",
             *h503 = "503 Service Unavailable",
+            *h403 = "403 Forbidden",
             *h414 = "414 Request URI too long";
 
+
 static char *err_response = "HTTP/1.0 %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\nExpires: now\r\nPragma: no-cache\r\nCache-control: no-cache,no-store\r\n\r\n%s";
 
 /*
@@ -740,6 +742,17 @@
             clean_all();
             pthread_exit(NULL);
         }
+
+        /*  Checking acl for a service */
+        if(!check_acl(svc,&from_host)) {
+            addr2str(caddr, MAXBUF - 1, &from_host,1);
+            logmsg(LOG_NOTICE, "(%lx) denied access to service %s from IP \"%s\" ", pthread_self(), svc->name, caddr);
+            err_reply(cl, h403, lstn->err403);
+            free_headers(headers);
+            clean_all();
+            pthread_exit(NULL);
+        }
+
         if((backend = get_backend(svc, &from_host, url, &headers[1])) == NULL) {
             addr2str(caddr, MAXBUF - 1, &from_host, 1);
             logmsg(LOG_NOTICE, "(%lx) e503 no back-end \"%s\" from %s", pthread_self(), request, caddr);
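Review bot: The denial log line omits the request line that the neighbouring 503 message records and uses a different layout, which makes blocked requests harder to correlate and to parse from the log. If `request` is already populated at this point, as its use a few lines below suggests, consider `logmsg(LOG_NOTICE, "(%lx) e403 service %s denied \"%s\" from %s", pthread_self(), svc->name, request, caddr);`. check_acl() already renders the peer address to text once, so the deny path converts it a second time; that is harmless but worth a short comment. The enclosing function starts and ends outside the hunk.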
@@ -1144,7 +1157,7 @@
             memset(buf, 0, sizeof(buf));
             if(!cur_backend->redir_req)
                 snprintf(buf, sizeof(buf) - 1, "%s%s", cur_backend->url, url);
-            else 
+            else
                 strncpy(buf, cur_backend->url, sizeof(buf) - 1);
             redirect_reply(cl, buf, cur_backend->be_type);
             addr2str(caddr, MAXBUF - 1, &from_host, 1);
diff -Nru pound-2.5/pound.h pound-2.5-new/pound.h
--- pound-2.5/pound.h	2011-04-19 12:07:53.000000000 +0200
+++ pound-2.5-new/pound.h	2011-04-19 12:22:47.000000000 +0200
@@ -8,12 +8,12 @@
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 3 of the License, or
  * (at your option) any later version.
- * 
+ *
  * Pound is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  *
@@ -327,7 +327,8 @@
     char                name[KEY_SIZE + 1]; /* symbolic name */
     MATCHER             *url,       /* request matcher */
                         *req_head,  /* required headers */
-                        *deny_head; /* forbidden headers */
+                        *deny_head, /* forbidden headers */
+                        *acl;       /* Access Control List by IPs */
     BACKEND             *backends;
     BACKEND             *emergency;
     int                 abs_pri;    /* abs total priority for all back-ends */
@@ -359,7 +360,8 @@
     int                 to;         /* client time-out */
     int                 has_pat;    /* was a URL pattern defined? */
     regex_t             url_pat;    /* pattern to match the request URL against */
-    char                *err414,    /* error messages */
+    char                *err403,    /* error messages */
+                        *err414,
                         *err500,
                         *err501,
                         *err503;
diff -Nru pound-2.5/svc.c pound-2.5-new/svc.c
--- pound-2.5/svc.c	2011-04-19 12:07:53.000000000 +0200
+++ pound-2.5-new/svc.c	2011-04-19 12:22:47.000000000 +0200
@@ -8,12 +8,12 @@
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 3 of the License, or
  * (at your option) any later version.
- * 
+ *
  * Pound is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  *
@@ -334,6 +334,28 @@
     return 1;
 }
 
+/* check acl for a service */
+int
+check_acl(const SERVICE *svc, const struct addrinfo *from_host) {
+    MATCHER *m;
+    int found = 0;
+    char ip[MAXBUF];
+
+    addr2str(ip,MAXBUF-1,from_host,1);
+
+    if(svc->acl)
+    {
+        for(m = svc->acl; m; m = m->next) {
+            if(!regexec(&m->pat,ip,0,NULL,0))
+                found = 1;
+            if(found)
+                return 0;
+        }
+    }
+
+    return 1;
+}
+
 /*
  * Find the right service for a request
  */
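Review bot: check_acl() is called from http.c, but none of the pound.h hunks in this patch adds a prototype, so unless one exists elsewhere the call is an implicit declaration and its argument types go unchecked; add `extern int check_acl(const SERVICE *, const struct addrinfo *);` to pound.h. The header comment should state the return convention (0 when the peer matches the Deny list, 1 when it is allowed), since the name alone does not tell the caller which way it reads. The `found` flag and the `if(svc->acl)` guard are redundant: `for(m = svc->acl; m; m = m->next) if(!regexec(&m->pat, ip, 0, NULL, 0)) return 0;` behaves the same. Matching is done on the text produced by addr2str(), and the Deny parser accepts only dotted-quad IPv4, so a client arriving over IPv6 would presumably never match; that limitation deserves a comment.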
@@ -431,7 +453,7 @@
 /*
  * return a back-end based on a fixed hash value
  * this is used for session_ttl < 0
- * 
+ *
  * WARNING: the function may return different back-ends
  * if the target back-end is disabled or not alive
  */
@@ -1088,7 +1110,7 @@
                 logmsg(LOG_WARNING, "do_resurect() unlock: %s", strerror(ret_val));
         }
     }
-    
+
     return;
 }
 
