commit: ua-filtering

2017-11-25 14:29:33 +00:00 · 2017-11-25 14:29:33 +00:00 · ebffccf412
commit ebffccf412
--- a/lib.d/do-configure.pl
+++ b/lib.d/do-configure.pl
@ -407,6 +407,9 @@ sub DoProject {
 &SetEnv("block_location", "");
 &SetEnv("block_location_re", "");

+&SetEnv("user_agent_whitelist_re", "");
+&SetEnv("user_agent_blacklist_re", "");
+
 &SetEnv("no_cache_content_type", "");
 &SetEnv("no_cache_host", "");

--- a/lib.d/lint.pl
+++ b/lib.d/lint.pl
@ -9,6 +9,10 @@ my %known =
     'SSL_TOOL' => 1,
     'TEMPLATE_TOOL' => 1,

+     # user-agent stuff
+     'USER_AGENT_BLACKLIST_RE' => 1,
+     'USER_AGENT_WHITELIST_RE' => 1,
+
     # expect to de-onionify onions in request paths
     'PATHS_CONTAIN_ONIONS' => 1,

--- a/templates.d/nginx-hard.conf.txt
+++ b/templates.d/nginx-hard.conf.txt
@ -553,12 +553,40 @@ http {
    # paths are assumed not to contain onion addresses
    %%ENDIF

+    %%IF USER_AGENT_BLACKLIST_RE
+    # check user_agent_blacklist_re
+    if ( $http_user_agent ~* "%USER_AGENT_BLACKLIST_RE%" ) {
+      return 500; # let's be vague
+    }
+    %%ELSE
+    # no user_agent_blacklist_re
+    %%ENDIF
+
+    %%IF USER_AGENT_WHITELIST_RE
+    # check user_agent_whitelist_re
+    set $ua_is_bad 1;
+    if ( $http_user_agent ~* "%USER_AGENT_WHITELIST_RE%" ) {
+      set $ua_is_bad 0;
+    }
+    %%ELSE
+    # no user_agent_whitelist_re
+    %%ENDIF
+
    # for traffic
    location / {
+      %%IF USER_AGENT_WHITELIST_RE
+      # check success of user_agent_whitelist_re
+      if ( $ua_is_bad ) {
+	return 500; # let's be vague
+      }
+      %%ELSE
+      # no check for success of user_agent_whitelist_re
+      %%ENDIF
+
      %%IF %COOKIE_LOCK%
      # check for cookie-lock
      if ( $cookie_eotk_lock != "%COOKIE_LOCK%" ) {
-	return 500 "Error 500"; # let's be vague
+	return 500; # let's be vague
      }
      %%ELSE
      # no cookie lock checks
--- a/templates.d/nginx.conf.txt
+++ b/templates.d/nginx.conf.txt
@ -605,12 +605,40 @@ http {
    # paths are assumed not to contain onion addresses
    %%ENDIF

+    %%IF USER_AGENT_BLACKLIST_RE
+    # check user_agent_blacklist_re
+    if ( $http_user_agent ~* "%USER_AGENT_BLACKLIST_RE%" ) {
+      return 500; # let's be vague
+    }
+    %%ELSE
+    # no user_agent_blacklist_re
+    %%ENDIF
+
+    %%IF USER_AGENT_WHITELIST_RE
+    # check user_agent_whitelist_re
+    set $ua_is_bad 1;
+    if ( $http_user_agent ~* "%USER_AGENT_WHITELIST_RE%" ) {
+      set $ua_is_bad 0;
+    }
+    %%ELSE
+    # no user_agent_whitelist_re
+    %%ENDIF
+
    # for traffic
    location / {
+      %%IF USER_AGENT_WHITELIST_RE
+      # check success of user_agent_whitelist_re
+      if ( $ua_is_bad ) {
+	return 500; # let's be vague
+      }
+      %%ELSE
+      # no check for success of user_agent_whitelist_re
+      %%ENDIF
+
      %%IF %COOKIE_LOCK%
      # check for cookie-lock
      if ( $cookie_eotk_lock != "%COOKIE_LOCK%" ) {
-	return 500 "Error 500"; # let's be vague
+	return 500; # let's be vague
      }
      %%ELSE
      # no cookie lock checks