mod_policy: Add a new testing module to help server administrators

enforce a configurable level of protocol compliance on their
servers and application servers behind theirs.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1221668 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_policy: Add a new testing module to help server administrators
+     enforce a configurable level of protocol compliance on their
+     servers and application servers behind theirs. [Graham Leggett]
+
   *) mod_firehose: Add a new debugging module able to record traffic
      passing through the server in such a way that connections and/or
      requests be reconstructed and replayed. [Graham Leggett]

NWGNUmakefile

@@ -426,6 +426,7 @@ install :: nlms instscripts FORCE
 	$(call MKCNF,docs/conf/extra/httpd-multilang-errordoc.conf.in, $(INSTALLBASE)/conf/extra/httpd-multilang-errordoc.conf)
 	$(call MKCNF,docs/conf/extra/httpd-userdir.conf.in,            $(INSTALLBASE)/conf/extra/httpd-userdir.conf)
 	$(call MKCNF,docs/conf/extra/httpd-vhosts.conf.in,             $(INSTALLBASE)/conf/extra/httpd-vhosts.conf)
+	$(call MKCNF,docs/conf/extra/httpd-policy.conf.in,             $(INSTALLBASE)/conf/extra/httpd-policy.conf)
 	$(call MKCNF,docs/conf/extra/httpd-ssl.conf.in,                $(INSTALLBASE)/conf/extra/httpd-ssl.conf)
 	$(call MKCNF,docs/conf/extra/proxy-html.conf.in,               $(INSTALLBASE)/conf/extra/proxy-html.conf)
 	$(call COPYR,docs/docroot,                                     $(INSTALLBASE)/htdocs)

build/installwinconf.awk

@@ -63,6 +63,7 @@ BEGIN {
     filelist["httpd-manual.conf"] = "httpd-manual.conf.in";
     filelist["httpd-mpm.conf"] = "httpd-mpm.conf.in";
     filelist["httpd-multilang-errordoc.conf"] = "httpd-multilang-errordoc.conf.in";
+    filelist["httpd-policy.conf"] = "httpd-policy.conf.in";
     filelist["httpd-ssl.conf"] = "httpd-ssl.conf.in";
     filelist["httpd-userdir.conf"] = "httpd-userdir.conf.in";
     filelist["httpd-vhosts.conf"] = "httpd-vhosts.conf.in";

configure.in

@@ -810,6 +810,6 @@ dnl Ensure that the httpd version is included
 HTTPD_VERSION=`$abs_srcdir/build/get-version.sh all $abs_srcdir/include/ap_release.h AP_SERVER`
 AC_SUBST(HTTPD_VERSION)
 
-AC_OUTPUT($APACHE_OUTPUT_FILES docs/conf/httpd.conf docs/conf/extra/httpd-autoindex.conf docs/conf/extra/httpd-dav.conf docs/conf/extra/httpd-default.conf docs/conf/extra/httpd-info.conf docs/conf/extra/httpd-languages.conf docs/conf/extra/httpd-manual.conf docs/conf/extra/httpd-mpm.conf docs/conf/extra/httpd-multilang-errordoc.conf docs/conf/extra/httpd-ssl.conf docs/conf/extra/httpd-userdir.conf docs/conf/extra/httpd-vhosts.conf docs/conf/extra/proxy-html.conf include/ap_config_layout.h support/apxs support/apachectl support/dbmmanage support/envvars-std support/log_server_status support/logresolve.pl support/phf_abuse_log.cgi support/split-logfile build/rules.mk build/pkg/pkginfo build/config_vars.sh,[true],[
+AC_OUTPUT($APACHE_OUTPUT_FILES docs/conf/httpd.conf docs/conf/extra/httpd-autoindex.conf docs/conf/extra/httpd-dav.conf docs/conf/extra/httpd-default.conf docs/conf/extra/httpd-info.conf docs/conf/extra/httpd-languages.conf docs/conf/extra/httpd-manual.conf docs/conf/extra/httpd-mpm.conf docs/conf/extra/httpd-multilang-errordoc.conf docs/conf/extra/httpd-policy.conf docs/conf/extra/httpd-ssl.conf docs/conf/extra/httpd-userdir.conf docs/conf/extra/httpd-vhosts.conf docs/conf/extra/proxy-html.conf include/ap_config_layout.h support/apxs support/apachectl support/dbmmanage support/envvars-std support/log_server_status support/logresolve.pl support/phf_abuse_log.cgi support/split-logfile build/rules.mk build/pkg/pkginfo build/config_vars.sh,[true],[
   APACHE_GEN_MAKEFILES
 ])

docs/conf/extra/httpd-policy.conf.in

@@ -0,0 +1,61 @@
+
+#
+# Load the module if not already present
+<IfModule !mod_policy.c>
+  LoadModule policy_module modules/mod_policy.so
+</IfModule>
+
+#
+# Typical policy for static content.
+# Swap "enforce" for "log" to complain about violations rather
+# than failing.
+<Location />
+  SetOutputFilter POLICY_TYPE;POLICY_LENGTH;POLICY_KEEPALIVE;POLICY_VARY;POLICY_VALIDATION;POLICY_CONDITIONAL;POLICY_NOCACHE;POLICY_MAXAGE
+
+  # content type must be present and valid, but can be anything<br />
+  PolicyType enforce */*<br />
+
+  # reject if no explicitly declared content length<br />
+  PolicyLength enforce<br />
+
+  # covered by the policy length filter<br />
+  PolicyKeepalive ignore<br />
+
+  # reject if User-Agent appears within Vary headers<br />
+  PolicyVary enforce User-Agent<br />
+
+  # we want to enforce validation<br />
+  PolicyValidation enforce<br />
+
+  # non-functional conditional responses should be rejected<br />
+  PolicyConditional enforce<br />
+
+  # no-cache responses should be rejected<br />
+  PolicyNocache enforce<br />
+
+  # maxage must be at least a day<br />
+  PolicyMaxage enforce 86400<br />
+
+  # request version can be anything<br />
+  PolicyVersion ignore HTTP/1.1<br />
+
+  # define documentation links
+  PolicyConditionalURL http://httpd.apache.org/docs/trunk/compliance.html#policyconditional
+  PolicyLengthURL http://httpd.apache.org/docs/trunk/compliance.html#policylength
+  PolicyTypeURL http://httpd.apache.org/docs/trunk/compliance.html#policytype
+  PolicyKeepaliveURL http://httpd.apache.org/docs/trunk/compliance.html#policykeepalive
+  PolicyMaxageURL http://httpd.apache.org/docs/trunk/compliance.html#policymaxage
+  PolicyNocacheURL http://httpd.apache.org/docs/trunk/compliance.html#policynocache
+  PolicyValidationURL http://httpd.apache.org/docs/trunk/compliance.html#policyvalidation
+  PolicyVaryURL http://httpd.apache.org/docs/trunk/compliance.html#policyvary
+  PolicyVersionURL http://httpd.apache.org/docs/trunk/compliance.html#policyversion
+
+</Location>
+
+#
+# Server status can be bypassed
+<Location /server-status>
+  PolicyFilter off
+</Location>
+
+

docs/conf/httpd.conf.in

@@ -389,6 +389,9 @@ LogLevel warn
 # Various default settings
 #Include @rel_sysconfdir@/extra/httpd-default.conf
 
+# Policy enforcement
+#Include @rel_sysconfdir@/extra/httpd-policy.conf
+
 # Configure mod_proxy_html to understand HTML4/XHTML1
 <IfModule proxy_html_module>
 Include @rel_sysconfdir@/extra/proxy-html.conf

modules/test/config.m4

@@ -8,6 +8,8 @@ APACHE_MODULE(optional_fn_export, example optional function exporter, , , no)
 
 APACHE_MODULE(dialup, rate limits static files to dialup modem speeds, , , )
 
+APACHE_MODULE(policy, HTTP protocol compliance filters, , , no)
+
 APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
 
 APACHE_MODPATH_FINISH