Added drop action for nginx

apache2/mod_security2.c

@@ -64,6 +64,9 @@ unsigned long int DSOLOCAL conn_read_state_limit = 0;
 
 unsigned long int DSOLOCAL conn_write_state_limit = 0;
 
+#if defined(WIN32) || defined(VERSION_NGINX)
+int (*modsecDropAction)(request_rec *r) = NULL;
+#endif
 static int server_limit, thread_limit;
 
 typedef struct {
@@ -250,11 +253,25 @@ int perform_interception(modsec_rec *msr) {
                 }
             }
             #else
+            {
+                if (modsecDropAction == NULL) {
+                    log_level = 1;
+                    status = HTTP_INTERNAL_SERVER_ERROR;
+                    message = apr_psprintf(msr->mp, "Access denied with code 500%s "
+                        "(Error: Connection drop not implemented on this platform.",
+                        phase_text);
+                } else if (modsecDropAction(msr->r) == 0) {
+                    status = HTTP_FORBIDDEN;
+                    message = apr_psprintf(msr->mp, "Access denied with connection close%s.",
+                        phase_text);
+                } else {
             log_level = 1;
             status = HTTP_INTERNAL_SERVER_ERROR;
             message = apr_psprintf(msr->mp, "Access denied with code 500%s "
-                "(Error: Connection drop not implemented on this platform).",
+                        "(Error: Connection drop request failed.",
                 phase_text);
+                }
+            }
             #endif
             break;
 

nginx/modsecurity/ngx_http_modsecurity.c

@@ -81,6 +81,8 @@ static char *ngx_http_modsecurity_add_handler(ngx_conf_t *cf, ngx_command_t *cmd
 static char *ngx_http_modsecurity_pass(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
 static ngx_int_t ngx_http_modsecurity_pass_to_backend(ngx_http_request_t *r);
 
+static int ngx_http_modsecurity_drop_action(request_rec *r);
+
 /* command handled by the module */
 static ngx_command_t  ngx_http_modsecurity_commands[] =  {
   { ngx_string("ModSecurityConfig"),
@@ -223,6 +225,8 @@ ngx_http_modsecurity_init_process(ngx_cycle_t *cycle)
 
     modsecSetLogHook(cycle->log, modsecLog);
 
+    modsecSetDropAction(ngx_http_modsecurity_drop_action);
+
     modsecInit();
     /* config was already parsed in master process */
 //    modsecStartConfig();
@@ -1094,3 +1098,16 @@ ngx_http_modsecurity_pass(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 
     return NGX_CONF_OK;
 }
+
+static int
+ngx_http_modsecurity_drop_action(request_rec *r)
+{
+    ngx_http_modsecurity_ctx_t     *ctx;
+    ctx = (ngx_http_modsecurity_ctx_t *) apr_table_get(r->notes, NOTE_NGINX_REQUEST_CTX);
+
+    if (ctx == NULL) {
+        return -1;
+    }
+    ctx->r->connection->error = 1;
+    return 0;
+}

standalone/api.c

@@ -41,7 +41,7 @@
 
 extern void *modsecLogObj;
 extern void (*modsecLogHook)(void *obj, int level, char *str);
-
+extern int (*modsecDropAction)(request_rec *r);
 apr_status_t (*modsecReadBody)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos);
 apr_status_t (*modsecReadResponse)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos);
 apr_status_t (*modsecWriteBody)(request_rec *r, char *buf, unsigned int length);
@@ -528,3 +528,7 @@ void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned
 void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length))   {
     modsecWriteResponse = func;
 }
+
+void modsecSetDropAction(int (*func)(request_rec *r)) {
+    modsecDropAction = func;
+}

standalone/api.h

@@ -1,78 +1,78 @@
-/*
-* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
-*
-* You may not use this file except in compliance with
-* the License.  You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* If any of the files related to licensing are missing or if you have any
-* other questions related to licensing please contact Trustwave Holdings, Inc.
-* directly using the email address security@modsecurity.org.
-*/
-
-
-#pragma once
-
-#include <limits.h>
-
-#include "http_core.h"
-#include "http_request.h"
-
-#include "modsecurity.h"
-#include "apache2.h"
-#include "http_main.h"
-#include "http_connection.h"
-
-#include "apr_optional.h"
-#include "mod_log_config.h"
-
-#include "msc_logging.h"
-#include "msc_util.h"
-
-#include "ap_mpm.h"
-#include "scoreboard.h"
-
-#include "apr_version.h"
-
-#include "apr_lib.h"
-#include "ap_config.h"
-#include "http_config.h"
-
-
-#ifdef	__cplusplus
-extern "C"
-{
-#endif
-
-server_rec *modsecInit();
-void modsecTerminate();
-
-void modsecStartConfig();
-directory_config *modsecGetDefaultConfig();
-const char *modsecProcessConfig(directory_config *config, const char *dir);
-void modsecFinalizeConfig();
-
-void modsecInitProcess();
-
-conn_rec *modsecNewConnection();
-void modsecProcessConnection(conn_rec *c);
-
-request_rec *modsecNewRequest(conn_rec *connection, directory_config *config);
-int modsecProcessRequest(request_rec *r);
-int modsecProcessResponse(request_rec *r);
-int modsecFinishRequest(request_rec *r);
-
-void modsecSetLogHook(void *obj, void (*hook)(void *obj, int level, char *str));
-
-void modsecSetReadBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos));
-void modsecSetReadResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos));
-void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length));
-void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length));
-
-int modsecIsResponseBodyAccessEnabled(request_rec *r);
-
-#ifdef __cplusplus
-}
-#endif
+/*
+* ModSecurity for Apache 2.x, http://www.modsecurity.org/
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+*
+* You may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* If any of the files related to licensing are missing or if you have any
+* other questions related to licensing please contact Trustwave Holdings, Inc.
+* directly using the email address security@modsecurity.org.
+*/
+
+
+#pragma once
+
+#include <limits.h>
+
+#include "http_core.h"
+#include "http_request.h"
+
+#include "modsecurity.h"
+#include "apache2.h"
+#include "http_main.h"
+#include "http_connection.h"
+
+#include "apr_optional.h"
+#include "mod_log_config.h"
+
+#include "msc_logging.h"
+#include "msc_util.h"
+
+#include "ap_mpm.h"
+#include "scoreboard.h"
+
+#include "apr_version.h"
+
+#include "apr_lib.h"
+#include "ap_config.h"
+#include "http_config.h"
+
+
+#ifdef	__cplusplus
+extern "C"
+{
+#endif
+
+server_rec *modsecInit();
+void modsecTerminate();
+
+void modsecStartConfig();
+directory_config *modsecGetDefaultConfig();
+const char *modsecProcessConfig(directory_config *config, const char *dir);
+void modsecFinalizeConfig();
+
+void modsecInitProcess();
+
+conn_rec *modsecNewConnection();
+void modsecProcessConnection(conn_rec *c);
+
+request_rec *modsecNewRequest(conn_rec *connection, directory_config *config);
+int modsecProcessRequest(request_rec *r);
+int modsecProcessResponse(request_rec *r);
+int modsecFinishRequest(request_rec *r);
+
+void modsecSetLogHook(void *obj, void (*hook)(void *obj, int level, char *str));
+
+void modsecSetReadBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos));
+void modsecSetReadResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos));
+void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length));
+void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length));
+void modsecSetDropAction(int (*func)(request_rec *r));
+int modsecIsResponseBodyAccessEnabled(request_rec *r);
+
+#ifdef __cplusplus
+}
+#endif