From 13a3672f586e5f969cc8f59ba76eeda9ad30a360 Mon Sep 17 00:00:00 2001
From: Rainer Jung
Date: Sat, 12 Nov 2011 02:10:43 +0000
Subject: [PATCH] Pre GA removal ob components that will not be included: Part 1: mod_noloris was superseded by mod_reqtimeout.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1201164 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 6 +-
 STATUS | 1 -
 modules/experimental/NWGNUnoloris | 256 -----------------------------
 modules/experimental/mod_noloris.c | 237 --------------------------
 4 files changed, 5 insertions(+), 495 deletions(-)
 delete mode 100644 modules/experimental/NWGNUnoloris
 delete mode 100644 modules/experimental/mod_noloris.c
diff --git a/CHANGES b/CHANGES
index 2f95c0a1a6..1754568f9c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
 -*- coding: utf-8 -*-
-Changes with Apache 2.3.16
+Changes with Apache 2.4.0
+
+ *) Pre GA removal ob components that will not be included:
+ - mod_noloris was superseded by mod_reqtimeout.
+ [Rainer Jung]
 *) core: Set MaxMemFree 2048 by default.
 [Stefan Fritsch]
diff --git a/STATUS b/STATUS
index 62476842d0..aaec13adfe 100644
--- a/STATUS
+++ b/STATUS
@@ -82,7 +82,6 @@ RELEASE SHOWSTOPPERS:
 - MPM simple (unfinished; buggy)
 - mod_serf (which is optimal for async httpd anyways; didn't work with MPM event last time sf tested it)
- - mod_noloris (in experimental; obsoleted by mod_reqtimeout)
 See https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/STATUS under 'modules docs' for a more comprehensive list of undocumented modules.
diff --git a/modules/experimental/NWGNUnoloris b/modules/experimental/NWGNUnoloris
deleted file mode 100644
index d1a9a96c04..0000000000
--- a/modules/experimental/NWGNUnoloris
+++ /dev/null
@@ -1,256 +0,0 @@ -# -# Declare the sub-directories to be built here -# - -SUBDIRS = \ - $(EOLIST) - -# -# Get the 'head' of the build environment. This includes default targets and -# paths to tools -# - -include $(AP_WORK)/build/NWGNUhead.inc - -# -# build this level's files - -# -# Make sure all needed macro's are defined -# - -# -# These directories will be at the beginning of the include list, followed by -# INCDIRS -# -XINCDIRS += \ - $(APR)/include \ - $(APRUTIL)/include \ - $(AP_WORK)/include \ - $(NWOS) \ - $(EOLIST) - -# -# These flags will come after CFLAGS -# -XCFLAGS += \ - $(EOLIST) - -# -# These defines will come after DEFINES -# -XDEFINES += \ - $(EOLIST) - -# -# These flags will be added to the link.opt file -# -XLFLAGS += \ - $(EOLIST) - -# -# These values will be appended to the correct variables based on the value of -# RELEASE -# -ifeq "$(RELEASE)" "debug" -XINCDIRS += \ - $(EOLIST) - -XCFLAGS += \ - $(EOLIST) - -XDEFINES += \ - $(EOLIST) - -XLFLAGS += \ - $(EOLIST) -endif - -ifeq "$(RELEASE)" "noopt" -XINCDIRS += \ - $(EOLIST) - -XCFLAGS += \ - $(EOLIST) - -XDEFINES += \ - $(EOLIST) - -XLFLAGS += \ - $(EOLIST) -endif - -ifeq "$(RELEASE)" "release" -XINCDIRS += \ - $(EOLIST) - -XCFLAGS += \ - $(EOLIST) - -XDEFINES += \ - $(EOLIST) - -XLFLAGS += \ - $(EOLIST) -endif - -# -# These are used by the link target if an NLM is being generated -# This is used by the link 'name' directive to name the nlm. If left blank -# TARGET_nlm (see below) will be used. -# -NLM_NAME = noloris - -# -# This is used by the link '-desc ' directive. -# If left blank, NLM_NAME will be used. -# -NLM_DESCRIPTION = Apache $(VERSION_STR) No-Slowloris Module - -# -# This is used by the '-threadname' directive. If left blank, -# NLM_NAME Thread will be used. 
-# -NLM_THREAD_NAME = $(NLM_NAME) Module - -# -# If this is specified, it will override VERSION value in -# $(AP_WORK)/build/NWGNUenvironment.inc -# -NLM_VERSION = - -# -# If this is specified, it will override the default of 64K -# -NLM_STACK_SIZE = 8192 - - -# -# If this is specified it will be used by the link '-entry' directive -# -NLM_ENTRY_SYM = - -# -# If this is specified it will be used by the link '-exit' directive -# -NLM_EXIT_SYM = - -# -# If this is specified it will be used by the link '-check' directive -# -NLM_CHECK_SYM = - -# -# If these are specified it will be used by the link '-flags' directive -# -NLM_FLAGS = - -# -# If this is specified it will be linked in with the XDCData option in the def -# file instead of the default of $(NWOS)/apache.xdc. XDCData can be disabled -# by setting APACHE_UNIPROC in the environment -# -XDCDATA = - -# -# If there is an NLM target, put it here -# -TARGET_nlm = \ - $(OBJDIR)/$(NLM_NAME).nlm \ - $(EOLIST) - -# -# If there is an LIB target, put it here -# -TARGET_lib = \ - $(EOLIST) - -# -# These are the OBJ files needed to create the NLM target above. -# Paths must all use the '/' character -# -FILES_nlm_objs = \ - $(OBJDIR)/mod_noloris.o \ - $(EOLIST) - -# -# These are the LIB files needed to create the NLM target above. -# These will be added as a library command in the link.opt file. -# -FILES_nlm_libs = \ - $(PRELUDE) \ - $(EOLIST) - -# -# These are the modules that the above NLM target depends on to load. -# These will be added as a module command in the link.opt file. -# -FILES_nlm_modules = \ - aprlib \ - libc \ - $(EOLIST) - -# -# If the nlm has a msg file, put it's path here -# -FILE_nlm_msg = - -# -# If the nlm has a hlp file put it's path here -# -FILE_nlm_hlp = - -# -# If this is specified, it will override $(NWOS)\copyright.txt. 
-# -FILE_nlm_copyright = - -# -# Any additional imports go here -# -FILES_nlm_Ximports = \ - @aprlib.imp \ - @httpd.imp \ - @libc.imp \ - $(EOLIST) - -# -# Any symbols exported to here -# -FILES_nlm_exports = \ - noloris_module \ - $(EOLIST) - -# -# These are the OBJ files needed to create the LIB target above. -# Paths must all use the '/' character -# -FILES_lib_objs = \ - $(EOLIST) - -# -# implement targets and dependancies (leave this section alone) -# - -libs :: $(OBJDIR) $(TARGET_lib) - -nlms :: libs $(TARGET_nlm) - -# -# Updated this target to create necessary directories and copy files to the -# correct place. (See $(AP_WORK)/build/NWGNUhead.inc for examples) -# -install :: nlms FORCE - -# -# Any specialized rules here -# - -# -# Include the 'tail' makefile that has targets that depend on variables defined -# in this makefile -# - -include $(APBUILD)/NWGNUtail.inc - - diff --git a/modules/experimental/mod_noloris.c b/modules/experimental/mod_noloris.c deleted file mode 100644 index d541e6a3a3..0000000000 --- a/modules/experimental/mod_noloris.c +++ /dev/null 
@@ -1,237 +0,0 @@ -/* Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -/* The use of the scoreboard in this module is based on a similar - * but simpler module, mod_antiloris by Kees Monshouwer, from - * ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/ - * Note the FIXME that affects both modules. - * - * The major difference is that mod_antiloris checks the scoreboard - * on every request. This implies a per-request overhead that grows - * with the scoreboard, and gets very expensive on a big server. - * On the other hand, this module (mod_noloris) may be slower to - * react to a DoS attack, and in the case of a very small server - * it might be too late. - * - * Author's untested instinct: mod_antiloris will suit servers with - * Prefork MPM and low traffic. A server with a threaded MPM - * (or possibly a big prefork server with lots of memory) should - * raise MaxClients and use mod_noloris. 
- */ - -#include "httpd.h" -#include "http_config.h" -#include "http_core.h" -#include "http_connection.h" -#include "http_log.h" -#include "mpm_common.h" -#include "ap_mpm.h" -#include "apr_hash.h" -#include "scoreboard.h" - -module AP_MODULE_DECLARE_DATA noloris_module; - -#define ADDR_MAX_SIZE 48 - -static unsigned int default_max_connections; -static apr_hash_t *trusted; -static apr_interval_time_t recheck_time; -static apr_shm_t *shm; -static apr_size_t shm_size; -static int server_limit; -static int thread_limit; - -static int noloris_conn(conn_rec *conn) -{ - struct { int child_num; int thread_num; } *sbh = conn->sbh; - - char *shm_rec; - if (shm == NULL) { - return DECLINED; /* we're disabled */ - } - - /* check the IP is not banned */ - shm_rec = apr_shm_baseaddr_get(shm); - while (shm_rec[0] != '\0') { - if (!strcmp(shm_rec, conn->remote_ip)) { - apr_socket_t *csd = ap_get_conn_socket(conn); - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, - "Dropping connection from banned IP %s", - conn->remote_ip); - apr_socket_close(csd); - - return DONE; - } - shm_rec += ADDR_MAX_SIZE; - } - - /* store this client IP for the monitor to pick up */ - - ap_update_child_status_from_conn(conn->sbh, SERVER_READY, conn); - - return DECLINED; -} -static int noloris_monitor(apr_pool_t *pool, server_rec *s) -{ - static apr_hash_t *connections = NULL; - static apr_time_t last_check = 0; - static int *totals; - - int i, j; - int *n; - int index = 0; - apr_hash_index_t *hi; - char *ip; - apr_time_t time_now; - char *shm_rec; - worker_score *ws; - - /* do nothing if disabled */ - if (shm == NULL) { - return 0; - } - - /* skip check if it's not due yet */ - time_now = apr_time_now(); - if (time_now - last_check < recheck_time) { - return 0; - } - last_check = time_now; - - /* alloc lots of stuff at start, so we don't leak memory per-call */ - if (connections == NULL) { - connections = apr_hash_make(pool); - totals = apr_palloc(pool, server_limit*thread_limit); - ip = 
apr_palloc(pool, ADDR_MAX_SIZE); - } - - /* Get a per-client count of connections in READ state */ - for (i = 0; i < server_limit; ++i) { - for (j = 0; j < thread_limit; ++j) { - ws = ap_get_scoreboard_worker_from_indexes(i, j); - if (ws->status == SERVER_BUSY_READ) { - n = apr_hash_get(connections, ws->client, APR_HASH_KEY_STRING); - if (n == NULL) { - n = totals + index++ ; - *n = 0; - } - ++*n; - apr_hash_set(connections, ws->client, APR_HASH_KEY_STRING, n); - } - } - } - - /* reset shm before writing to it. - * We're only dealing with approx. counts, so we ignore the race condition - * with our prospective readers - */ - shm_rec = apr_shm_baseaddr_get(shm); - memset(shm_rec, 0, shm_size); - - /* Now check the hash for clients with too many connections in READ state */ - for (hi = apr_hash_first(NULL, connections); hi; hi = apr_hash_next(hi)) { - apr_hash_this(hi, (const void**) &ip, NULL, (void**)&n); - if (*n >= default_max_connections) { - /* if this isn't a trusted proxy, we mark it as bad */ - if (!apr_hash_get(trusted, ip, APR_HASH_KEY_STRING)) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "noloris: banning %s with %d connections in READ state", - ip, *n); - strcpy(shm_rec, ip); - shm_rec += ADDR_MAX_SIZE; - } - } - } - apr_hash_clear(connections); - return 0; -} -static int noloris_post(apr_pool_t *pconf, apr_pool_t *ptmp, apr_pool_t *plog, - server_rec *s) -{ - apr_status_t rv; - int max_bans = thread_limit * server_limit / default_max_connections; - shm_size = ADDR_MAX_SIZE * max_bans; - - rv = apr_shm_create(&shm, shm_size, NULL, pconf); - if (rv != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, - "Failed to create shm segment; mod_noloris disabled"); - apr_hash_clear(trusted); - shm = NULL; - } - return 0; -} -static int noloris_pre(apr_pool_t *pconf, apr_pool_t *ptmp, apr_pool_t *plog) -{ - ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit); - ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit); - - /* set up default 
config stuff here */ - trusted = apr_hash_make(pconf); - default_max_connections = 50; - recheck_time = apr_time_from_sec(10); - return 0; -} -static void noloris_hooks(apr_pool_t *p) -{ - ap_hook_process_connection(noloris_conn, NULL, NULL, APR_HOOK_FIRST); - ap_hook_pre_config(noloris_pre, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_post_config(noloris_post, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_monitor(noloris_monitor, NULL, NULL, APR_HOOK_MIDDLE); -} -static const char *noloris_trusted(cmd_parms *cmd, void *cfg, const char *val) -{ - const char* err = ap_check_cmd_context(cmd, GLOBAL_ONLY); - if (!err) { - apr_hash_set(trusted, val, APR_HASH_KEY_STRING, &noloris_module); - } - return err; -} -static const char *noloris_recheck(cmd_parms *cmd, void *cfg, const char *val) -{ - const char* err = ap_check_cmd_context(cmd, GLOBAL_ONLY); - if (!err) { - recheck_time = apr_time_from_sec(atoi(val)); - } - return err; -} -static const char *noloris_max_conn(cmd_parms *cmd, void *cfg, const char *val) -{ - const char* err = ap_check_cmd_context(cmd, GLOBAL_ONLY); - if (!err) { - default_max_connections = atoi(val); - } - return err; -} -static const command_rec noloris_cmds[] = { - AP_INIT_ITERATE("TrustedProxy", noloris_trusted, NULL, RSRC_CONF, - "IP addresses from which to allow unlimited connections"), - AP_INIT_TAKE1("ClientRecheckTime", noloris_recheck, NULL, RSRC_CONF, - "Time interval for rechecking client connection tables"), - AP_INIT_TAKE1("MaxClientConnections", noloris_max_conn, NULL, RSRC_CONF, - "Max connections in READ state to permit from an untrusted client"), - {NULL} -}; -AP_DECLARE_MODULE(noloris) = { - STANDARD20_MODULE_STUFF, - NULL, - NULL, - NULL, - NULL, - noloris_cmds, - noloris_hooks -}; -- 2.40.0