mod_policy: Add a new testing module to help server administrators

enforce a configurable level of protocol compliance on their servers and application servers behind theirs. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1221668 13f79535-47bb-0310-9956-ffa450edef68
2025-08-16 16:17:23 +00:00 · 2011-12-21 10:42:34 +00:00
parent 7ddddd900f
commit a03bcce31d
8 changed files with 1407 additions and 1 deletions
--- a/4
+++ b/4
@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.5.0

+  *) mod_policy: Add a new testing module to help server administrators
+     enforce a configurable level of protocol compliance on their
+     servers and application servers behind theirs. [Graham Leggett]
+
  *) mod_firehose: Add a new debugging module able to record traffic
     passing through the server in such a way that connections and/or
     requests be reconstructed and replayed. [Graham Leggett]
--- a/1
+++ b/1
@ -426,6 +426,7 @@ install :: nlms instscripts FORCE
 	$(call MKCNF,docs/conf/extra/httpd-multilang-errordoc.conf.in, $(INSTALLBASE)/conf/extra/httpd-multilang-errordoc.conf)
 	$(call MKCNF,docs/conf/extra/httpd-userdir.conf.in,            $(INSTALLBASE)/conf/extra/httpd-userdir.conf)
 	$(call MKCNF,docs/conf/extra/httpd-vhosts.conf.in,             $(INSTALLBASE)/conf/extra/httpd-vhosts.conf)
+	$(call MKCNF,docs/conf/extra/httpd-policy.conf.in,             $(INSTALLBASE)/conf/extra/httpd-policy.conf)
 	$(call MKCNF,docs/conf/extra/httpd-ssl.conf.in,                $(INSTALLBASE)/conf/extra/httpd-ssl.conf)
 	$(call MKCNF,docs/conf/extra/proxy-html.conf.in,               $(INSTALLBASE)/conf/extra/proxy-html.conf)
 	$(call COPYR,docs/docroot,                                     $(INSTALLBASE)/htdocs)
--- a/build/installwinconf.awk
+++ b/build/installwinconf.awk
@ -63,6 +63,7 @@ BEGIN {
    filelist["httpd-manual.conf"] = "httpd-manual.conf.in";
    filelist["httpd-mpm.conf"] = "httpd-mpm.conf.in";
    filelist["httpd-multilang-errordoc.conf"] = "httpd-multilang-errordoc.conf.in";
+    filelist["httpd-policy.conf"] = "httpd-policy.conf.in";
    filelist["httpd-ssl.conf"] = "httpd-ssl.conf.in";
    filelist["httpd-userdir.conf"] = "httpd-userdir.conf.in";
    filelist["httpd-vhosts.conf"] = "httpd-vhosts.conf.in";
--- a/configure.in
+++ b/configure.in
@ -810,6 +810,6 @@ dnl Ensure that the httpd version is included
 HTTPD_VERSION=`$abs_srcdir/build/get-version.sh all $abs_srcdir/include/ap_release.h AP_SERVER`
 AC_SUBST(HTTPD_VERSION)

-AC_OUTPUT($APACHE_OUTPUT_FILES docs/conf/httpd.conf docs/conf/extra/httpd-autoindex.conf docs/conf/extra/httpd-dav.conf docs/conf/extra/httpd-default.conf docs/conf/extra/httpd-info.conf docs/conf/extra/httpd-languages.conf docs/conf/extra/httpd-manual.conf docs/conf/extra/httpd-mpm.conf docs/conf/extra/httpd-multilang-errordoc.conf docs/conf/extra/httpd-ssl.conf docs/conf/extra/httpd-userdir.conf docs/conf/extra/httpd-vhosts.conf docs/conf/extra/proxy-html.conf include/ap_config_layout.h support/apxs support/apachectl support/dbmmanage support/envvars-std support/log_server_status support/logresolve.pl support/phf_abuse_log.cgi support/split-logfile build/rules.mk build/pkg/pkginfo build/config_vars.sh,[true],[
+AC_OUTPUT($APACHE_OUTPUT_FILES docs/conf/httpd.conf docs/conf/extra/httpd-autoindex.conf docs/conf/extra/httpd-dav.conf docs/conf/extra/httpd-default.conf docs/conf/extra/httpd-info.conf docs/conf/extra/httpd-languages.conf docs/conf/extra/httpd-manual.conf docs/conf/extra/httpd-mpm.conf docs/conf/extra/httpd-multilang-errordoc.conf docs/conf/extra/httpd-policy.conf docs/conf/extra/httpd-ssl.conf docs/conf/extra/httpd-userdir.conf docs/conf/extra/httpd-vhosts.conf docs/conf/extra/proxy-html.conf include/ap_config_layout.h support/apxs support/apachectl support/dbmmanage support/envvars-std support/log_server_status support/logresolve.pl support/phf_abuse_log.cgi support/split-logfile build/rules.mk build/pkg/pkginfo build/config_vars.sh,[true],[
  APACHE_GEN_MAKEFILES
 ])
--- a/docs/conf/extra/httpd-policy.conf.in
+++ b/docs/conf/extra/httpd-policy.conf.in
@ -0,0 +1,61 @@
+
+#
+# Load the module if not already present
+<IfModule !mod_policy.c>
+  LoadModule policy_module modules/mod_policy.so
+</IfModule>
+
+#
+# Typical policy for static content.
+# Swap "enforce" for "log" to complain about violations rather
+# than failing.
+<Location />
+  SetOutputFilter POLICY_TYPE;POLICY_LENGTH;POLICY_KEEPALIVE;POLICY_VARY;POLICY_VALIDATION;POLICY_CONDITIONAL;POLICY_NOCACHE;POLICY_MAXAGE
+
+  # content type must be present and valid, but can be anything<br />
+  PolicyType enforce */*<br />
+
+  # reject if no explicitly declared content length<br />
+  PolicyLength enforce<br />
+
+  # covered by the policy length filter<br />
+  PolicyKeepalive ignore<br />
+
+  # reject if User-Agent appears within Vary headers<br />
+  PolicyVary enforce User-Agent<br />
+
+  # we want to enforce validation<br />
+  PolicyValidation enforce<br />
+
+  # non-functional conditional responses should be rejected<br />
+  PolicyConditional enforce<br />
+
+  # no-cache responses should be rejected<br />
+  PolicyNocache enforce<br />
+
+  # maxage must be at least a day<br />
+  PolicyMaxage enforce 86400<br />
+
+  # request version can be anything<br />
+  PolicyVersion ignore HTTP/1.1<br />
+
+  # define documentation links
+  PolicyConditionalURL http://httpd.apache.org/docs/trunk/compliance.html#policyconditional
+  PolicyLengthURL http://httpd.apache.org/docs/trunk/compliance.html#policylength
+  PolicyTypeURL http://httpd.apache.org/docs/trunk/compliance.html#policytype
+  PolicyKeepaliveURL http://httpd.apache.org/docs/trunk/compliance.html#policykeepalive
+  PolicyMaxageURL http://httpd.apache.org/docs/trunk/compliance.html#policymaxage
+  PolicyNocacheURL http://httpd.apache.org/docs/trunk/compliance.html#policynocache
+  PolicyValidationURL http://httpd.apache.org/docs/trunk/compliance.html#policyvalidation
+  PolicyVaryURL http://httpd.apache.org/docs/trunk/compliance.html#policyvary
+  PolicyVersionURL http://httpd.apache.org/docs/trunk/compliance.html#policyversion
+
+</Location>
+
+#
+# Server status can be bypassed
+<Location /server-status>
+  PolicyFilter off
+</Location>
+
+
--- a/docs/conf/httpd.conf.in
+++ b/docs/conf/httpd.conf.in
@ -389,6 +389,9 @@ LogLevel warn
 # Various default settings
 #Include @rel_sysconfdir@/extra/httpd-default.conf

+# Policy enforcement
+#Include @rel_sysconfdir@/extra/httpd-policy.conf
+
 # Configure mod_proxy_html to understand HTML4/XHTML1
 <IfModule proxy_html_module>
 Include @rel_sysconfdir@/extra/proxy-html.conf
--- a/modules/test/config.m4
+++ b/modules/test/config.m4
@ -8,6 +8,8 @@ APACHE_MODULE(optional_fn_export, example optional function exporter, , , no)

 APACHE_MODULE(dialup, rate limits static files to dialup modem speeds, , , )

+APACHE_MODULE(policy, HTTP protocol compliance filters, , , no)
+
 APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])

 APACHE_MODPATH_FINISH
--- a/modules/test/mod_policy.c
+++ b/modules/test/mod_policy.c