From: Jim Jagielski Date: Wed, 21 Apr 2010 18:19:06 +0000 (+0000) Subject: Add in BalancerNonce directive... useful for shared-secrets. X-Git-Tag: 2.3.6~189 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d9fcb8daf1fcdea41112daed795145982b3d3f44;p=apache Add in BalancerNonce directive... useful for shared-secrets. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@936407 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 008a038c66..e388bbfa77 100644 --- a/CHANGES +++ b/CHANGES @@ -28,6 +28,10 @@ Changes with Apache 2.3.7 processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni , Jeff Trawick] + *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin + to control/set the nonce used in the balancer-manager application. + [Jim Jagielski] + *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673. [Stefan Fritsch] diff --git a/docs/manual/mod/mod_proxy_balancer.xml b/docs/manual/mod/mod_proxy_balancer.xml index dcc32a5799..6649d6b6c3 100644 --- a/docs/manual/mod/mod_proxy_balancer.xml +++ b/docs/manual/mod/mod_proxy_balancer.xml @@ -183,4 +183,34 @@ http://your.server.name/balancer-manager

+ +BalancerNonce +Set the nonce used in the balancer-manager application +BalancerNonce Default|None|Set "value" +ProxyStatus Default +server config +virtual host + +Available in version 2.4 and later + + +

This directive specifies the protective nonce used in the + balancer-manager application page.

+

The default is to use an automatically determined UUID-based + nonce, to provide for further protection for the page. If set + to Set, then the next argument sets the nonce to that + value. A setting of None disables all nonce checking.

+ + + BalancerNonce Set "RealGudSharedSecret" + + + Note +

In addition to the nonce, the balancer-manager page + should be protected via an ACL.

+
+ +
+
+
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index ff25ed0fa5..ab4eae5296 100644
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -659,23 +659,12 @@ static void recalc_factors(proxy_balancer *balancer)
 }
 }
-/* post_config hook: */
-static int balancer_init(apr_pool_t *p, apr_pool_t *plog,
- apr_pool_t *ptemp, server_rec *s)
+/* pre_config hook: */
+static int balancer_init(apr_pool_t *pconf, apr_pool_t *plog,
+ apr_pool_t *ptemp)
 {
- void *data;
- const char *userdata_key = "mod_proxy_balancer_init";
 apr_uuid_t uuid;
- /* balancer_init() will be called twice during startup. So, only
- * set up the static data the second time through. */
- apr_pool_userdata_get(&data, userdata_key, s->process->pool);
- if (!data) {
- apr_pool_userdata_set((const void *)1, userdata_key,
- apr_pool_cleanup_null, s->process->pool);
- return OK;
- }
-
 /* Retrieve a UUID and store the nonce for the lifetime of
 * the process. */
 apr_uuid_get(&uuid);
@@ -730,8 +719,9 @@ static int balancer_handler(request_rec *r)
 /* Check that the supplied nonce matches this server's nonce;
 * otherwise ignore all parameters, to prevent a CSRF attack. */
- if ((name = apr_table_get(params, "nonce")) == NULL
- || strcmp(balancer_nonce, name) != 0) {
+ if (*balancer_nonce &&
+ ((name = apr_table_get(params, "nonce")) == NULL
+ || strcmp(balancer_nonce, name) != 0)) {
 apr_table_clear(params);
 }
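Review bot: The new `/* pre_config hook: */` comment on balancer_init gives no reason for the move, and the removed block took the only explanation of the hook's calling pattern with it. From the rest of the commit the reason appears to be that the UUID default must exist before BalancerNonce is parsed, so I would say so: `/* pre_config hook: generate the default nonce before directives are parsed, so BalancerNonce can override or clear it */`. The retained comment still says the nonce is stored "for the lifetime of the process"; pre_config presumably runs on every configuration pass, so that wording is worth re-checking. The function body continues past the end of the hunk.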
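Review bot: The comment above the nonce check in balancer_handler still says a mismatch always discards the parameters, but with the added `*balancer_nonce &&` guard an empty buffer skips the check and every request parameter is honoured. I would update it, for example `/* An empty nonce (BalancerNonce None) disables this check; otherwise ignore all parameters on a mismatch, to prevent a CSRF attack. */`, so the next reader sees that the empty string is the "protection off" sentinel. Because the nonce can now be a long-lived, admin-chosen shared secret rather than a per-start UUID, replacing `strcmp` with a constant-time comparison is also worth considering. The body of balancer_handler starts and ends outside the hunk.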
@@ -972,6 +962,35 @@ static void child_init(apr_pool_t *p, server_rec *s)
 }
+static const char *set_balancer_nonce (cmd_parms *cmd, void *dummy, const char *arg,
+ const char *val)
+{
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+
+ if (!strcasecmp(arg, "None")) {
+ *balancer_nonce = '\0';
+ } else if (!strcasecmp(arg, "Set")) {
+ if (val) {
+ apr_cpystrn(balancer_nonce, val, sizeof(balancer_nonce));
+ } else {
+ return "BalancerNonce Set requires an argument";
+ }
+ } else if (strcasecmp(arg, "Default")) {
+ return "Bad argument for BalancerNonce: Must be 'Set', 'None' or 'Default'";
+ }
+ return NULL;
+}
+
+static const command_rec balancer_cmds[] =
+{
+ AP_INIT_TAKE12("BalancerNonce", set_balancer_nonce, NULL,
+ RSRC_CONF, "Set value for balancer-manager nonce"),
+ {NULL}
+};
+
 static void ap_proxy_balancer_register_hook(apr_pool_t *p)
 {
 /* Only the mpm_winnt has child init hook handler.
@@ -980,7 +999,7 @@ static void ap_proxy_balancer_register_hook(apr_pool_t *p)
 */
 static const char *const aszPred[] = { "mpm_winnt.c", NULL};
 /* manager handler */
- ap_hook_post_config(balancer_init, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_pre_config(balancer_init, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_handler(balancer_handler, NULL, NULL, APR_HOOK_FIRST);
 ap_hook_child_init(child_init, aszPred, NULL, APR_HOOK_MIDDLE);
 proxy_hook_pre_request(proxy_balancer_pre_request, NULL, NULL, APR_HOOK_FIRST);
@@ -994,6 +1013,6 @@ module AP_MODULE_DECLARE_DATA proxy_balancer_module = {
 NULL, /* merge per-directory config structures */
 NULL, /* create per-server config structure */
 NULL, /* merge per-server config structures */
- NULL, /* command apr_table_t */
+ balancer_cmds, /* command apr_table_t */
 ap_proxy_balancer_register_hook /* register hooks */
 };
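Review bot: `BalancerNonce Set ""` would, as far as I can tell, pass the `if (val)` test in set_balancer_nonce and leave balancer_nonce empty, which the handler treats exactly like `None`, so a configuration slip silently turns the CSRF check off. Testing `if (val && *val)` routes the empty value to the existing "requires an argument" error. `apr_cpystrn` also truncates a value longer than the buffer without any signal, so the effective secret can differ from the configured one; a guard such as `if (strlen(val) >= sizeof(balancer_nonce)) return "BalancerNonce value is too long";` before the copy would make that visible. Separately, `ap_check_cmd_context(cmd, GLOBAL_ONLY)` appears to contradict the documentation hunk, which lists virtual host as a valid context.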