
Commit 48d85c7

author
Felipe Zimmerle
committed
Places connection filter engine in a separated configuration
Unlike rules and other options, connection filters are applied to the entire server, not to a single vhost or similar scope. To make this clear to the user, this patch adds "SecConnectionEngine", which works in the same way as SecRuleEngine.
1 parent a15f881 commit 48d85c7


2 files changed

+37
-3
lines changed


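--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2141,6 +2141,34 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
 return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_NORMAL, p1, p2, p3);
 }
 
+static const char *cmd_sever_conn_filters_engine(cmd_parms *cmd, void *_dcfg,
+const char *p1)
+{
+directory_config *dcfg = (directory_config *)_dcfg;
+
+if (dcfg == NULL) return NULL;
+
+if (strcasecmp(p1, "on") == 0)
+{
+conn_limits_filter_state = MODSEC_ENABLED;
+}
+else if (strcasecmp(p1, "off") == 0)
+{
+conn_limits_filter_state = MODSEC_DISABLED;
+}
+else if (strcasecmp(p1, "detectiononly") == 0)
+{
+conn_limits_filter_state = MODSEC_DETECTION_ONLY;
+}
+else
+{
+return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+"SecConnectionEngine: %s", p1);
+}
+
+return NULL;
+}
+
 static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 {
 directory_config *dcfg = (directory_config *)_dcfg;
@@ -2167,8 +2195,6 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 "SecRuleEngine: %s", p1);
 }
 
-conn_limits_filter_state = dcfg->is_enabled;
-
 return NULL;
 }
 
@@ -3411,6 +3437,14 @@ const command_rec module_directives[] = {
 "On or Off"
 ),
 
+AP_INIT_TAKE1 (
+"SecConnectionEngine",
+cmd_sever_conn_filters_engine,
+NULL,
+CMD_SCOPE_ANY,
+"On or Off"
+),
+
 AP_INIT_TAKE1 (
 "SecXmlExternalEntity",
 cmd_xml_external_entity,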
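Review bot: `cmd_sever_conn_filters_engine` writes the process-wide `conn_limits_filter_state` but is registered with `CMD_SCOPE_ANY`, so wherever that scope permits the directive (its definition is not in this section; presumably virtual-host or directory blocks) a narrower context can switch the server-wide connection filter, and the last occurrence parsed wins. Since the commit message says the setting applies to the entire server, the handler should reject non-global use at its top, e.g. `const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); if (err != NULL) return err;`. The `if (dcfg == NULL) return NULL;` early return also skips validation of `p1`, although `dcfg` is not used for anything else in the function. The help string `"On or Off"` omits the `DetectionOnly` value the handler accepts, and the handler name looks like a typo for `cmd_server_conn_filters_engine`.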

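--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -63,7 +63,7 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 
-int DSOLOCAL conn_limits_filter_state = 0;
+int DSOLOCAL conn_limits_filter_state = MODSEC_DISABLED;
 
 unsigned long int DSOLOCAL conn_read_state_limit = 0;
 TreeRoot DSOLOCAL *conn_read_state_whitelist = 0;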
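Review bot: The definition of `conn_limits_filter_state` deserves a comment stating that it is server-wide and now set only by `SecConnectionEngine`, because with the `conn_limits_filter_state = dcfg->is_enabled;` assignment removed from `cmd_rule_engine` in apache2/apache2_config.c it stays at `MODSEC_DISABLED` unless that directive appears. Configurations that relied on `SecRuleEngine On` to activate the connection limits would then presumably run without them after upgrading, which should be called out in the changelog or directive documentation. Suggested comment: `/* Server-wide connection filter state; set only by SecConnectionEngine, disabled by default. */`.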
