Put the ModSecurity interception logic onto separated threads #289

Open
wants to merge 4 commits into
base: master
10 changes: 5 additions & 5 deletions src/ngx_http_modsecurity_body_filter.c
Expand Up @@ -50,7 +50,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);

dd("body filter, recovering ctx: %p", ctx);
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "body filter, recovering ctx: %p", ctx);

if (ctx == NULL) {
return ngx_http_next_body_filter(r, in);
Expand Down Expand Up @@ -155,11 +155,11 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
is_request_processed = chain->buf->last_buf;

if (is_request_processed) {
ngx_pool_t *old_pool;
// ngx_pool_t *old_pool;

old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
// old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
msc_process_response_body(ctx->modsec_transaction);
ngx_http_modsecurity_pcre_malloc_done(old_pool);
// ngx_http_modsecurity_pcre_malloc_done(old_pool);

/* XXX: I don't get how body from modsec being transferred to nginx's buffer. If so - after adjusting of nginx's
XXX: body we can proceed to adjust body size (content-length). see xslt_body_filter() for example */
Expand All @@ -176,7 +176,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
}
if (!is_request_processed)
{
dd("buffer was not fully loaded! ctx: %p", ctx);
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "buffer was not fully loaded! ctx: %p", ctx);
}

/* XXX: xflt_filter() -- return NGX_OK here */
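Review bot: The calls to ngx_http_modsecurity_pcre_malloc_init()/ngx_http_modsecurity_pcre_malloc_done() around msc_process_response_body() are commented out rather than removed, and nothing in the hunk says why the PCRE allocator is no longer redirected to r->pool; the same pattern appears in ngx_http_modsecurity_header_filter.c around msc_process_response_headers(). If the reason is that the PCRE malloc hooks are process-global and r->pool must not be used from a thread-pool worker, that is exactly the invariant the next maintainer needs to see — delete the dead lines together with the `old_pool` declaration and replace them with a comment along the lines of `/* PCRE allocation deliberately stays on the default allocator here: the pcre_malloc hook is process-wide and r->pool is not safe to touch from a worker thread */`, adjusted to the real reason. Note that ngx_http_modsecurity_log.c still wraps msc_process_logging() in the same init/done pair, so the three call sites should be made consistent whichever way is decided. The enclosing function starts and ends outside the hunk.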
4 changes: 4 additions & 0 deletions src/ngx_http_modsecurity_common.h
Expand Up @@ -21,6 +21,7 @@
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
#include <ngx_thread_pool.h>

#include <modsecurity/modsecurity.h>
#include <modsecurity/transaction.h>
Expand Down Expand Up @@ -117,6 +118,9 @@ typedef struct {
void *rules_set;

ngx_flag_t enable;

ngx_str_t thread_pool_name;
ngx_thread_pool_t *thread_pool;
#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
ngx_flag_t sanity_checks_enabled;
#endif
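Review bot: The new `thread_pool_name` and `thread_pool` members of the configuration struct are undocumented; a comment saying which directive fills `thread_pool_name`, where `thread_pool` is resolved from it, and which phases hand work to the pool would help, e.g. `/* name of the nginx thread pool (set by the directive this PR adds) that ModSecurity processing is dispatched to; thread_pool is looked up from thread_pool_name at configuration time */`, adjusted to the actual directive name. Separately, as far as I know the nginx thread-pool API is only compiled in when nginx is configured with --with-threads; unless the module's config script already requires that, the `#include <ngx_thread_pool.h>` and both fields should sit under `#if (NGX_THREADS)` so an unsupported build fails at configure time with a clear message rather than at link time. The enclosing typedef struct starts and ends outside the hunk.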
24 changes: 12 additions & 12 deletions src/ngx_http_modsecurity_header_filter.c
Expand Up @@ -415,18 +415,18 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
int ret = 0;
ngx_uint_t status;
char *http_response_ver;
ngx_pool_t *old_pool;
// ngx_pool_t *old_pool;


/* XXX: if NOT_MODIFIED, do we need to process it at all? see xslt_header_filter() */

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);

dd("header filter, recovering ctx: %p", ctx);
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "header filter, recovering ctx: %p", ctx);

if (ctx == NULL)
{
dd("something really bad happened or ModSecurity is disabled. going to the next filter.");
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "something really bad happened or ModSecurity is disabled. going to the next filter.");
return ngx_http_next_header_filter(r);
}

Expand All @@ -442,7 +442,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
/*
* FIXME: verify if this request is already processed.
*/
dd("Already processed... going to the next header...");
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "Already processed... going to the next header...");
return ngx_http_next_header_filter(r);
}

Expand All @@ -469,13 +469,13 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
*/
for (i = 0; ngx_http_modsecurity_headers_out[i].name.len; i++)
{
dd(" Sending header to ModSecurity - header: `%.*s'.",
(int) ngx_http_modsecurity_headers_out[i].name.len,
ngx_http_modsecurity_headers_out[i].name.data);
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, " Sending header to ModSecurity - header: `%.*s'.",
(int)ngx_http_modsecurity_headers_out[i].name.len,
ngx_http_modsecurity_headers_out[i].name.data);

ngx_http_modsecurity_headers_out[i].resolver(r,
ngx_http_modsecurity_headers_out[i].name,
ngx_http_modsecurity_headers_out[i].offset);
ngx_http_modsecurity_headers_out[i].resolver(r,
ngx_http_modsecurity_headers_out[i].name,
ngx_http_modsecurity_headers_out[i].offset);
}

for (i = 0 ;; i++)
Expand Down Expand Up @@ -523,9 +523,9 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
}
#endif

old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
// old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
msc_process_response_headers(ctx->modsec_transaction, status, http_response_ver);
ngx_http_modsecurity_pcre_malloc_done(old_pool);
// ngx_http_modsecurity_pcre_malloc_done(old_pool);
ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
if (r->error_page) {
return ngx_http_next_header_filter(r);
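Review bot: The dd() traces are replaced with ngx_log_error(NGX_LOG_DEBUG, ...) at lines such as `ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "header filter, recovering ctx: %p", ctx);`, which is not the nginx idiom for debug output; the same replacement is made in ngx_http_modsecurity_body_filter.c and ngx_http_modsecurity_log.c. nginx's own modules use the ngx_log_debugN macros with a debug-module mask, e.g. `ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "header filter, recovering ctx: %p", ctx);`, which expand to nothing unless nginx is built with --with-debug, so the formatting work and argument evaluation disappear from production builds and the message is gated on the http debug mask rather than a run-time level comparison. The re-indentation of the resolver() continuation lines at the end of the headers_out loop is a whitespace-only change that would be easier to review as a separate commit. The enclosing function extends beyond the hunk on both sides.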
14 changes: 7 additions & 7 deletions src/ngx_http_modsecurity_log.c
Expand Up @@ -41,13 +41,13 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
ngx_http_modsecurity_ctx_t *ctx;
ngx_http_modsecurity_conf_t *mcf;

dd("catching a new _log_ phase handler");
ngx_log_error(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "catching a new _log_ phase handler");

mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
if (mcf == NULL || mcf->enable != 1)
{
dd("ModSecurity not enabled... returning");
return NGX_OK;
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "ModSecurity not enabled... returning");
return NGX_DECLINED;
}

/*
Expand All @@ -63,19 +63,19 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
dd("recovering ctx: %p", ctx);

if (ctx == NULL) {
dd("something really bad happened here. returning NGX_ERROR");
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "something really bad happened here. returning NGX_ERROR");
return NGX_ERROR;
}

if (ctx->logged) {
dd("already logged earlier");
return NGX_OK;
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "already logged earlier");
return NGX_DECLINED;
}

dd("calling msc_process_logging for %p", ctx);
old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
msc_process_logging(ctx->modsec_transaction);
ngx_http_modsecurity_pcre_malloc_done(old_pool);

return NGX_OK;
return NGX_DECLINED;
}
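Review bot: The replacement at the top of the handler, `ngx_log_error(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "catching a new _log_ phase handler");`, passes a debug-module mask where ngx_log_error expects a severity level; NGX_LOG_DEBUG_HTTP is meant for the ngx_log_debugN macros, and as far as I recall ngx_log_error_core uses the level to index its level-name table, so a value far above NGX_LOG_DEBUG reads past it. Every other converted trace in this file uses NGX_LOG_DEBUG, so make this one match with `ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "catching a new _log_ phase handler");` or, better, `ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "catching a new _log_ phase handler");`. The switch from NGX_OK to NGX_DECLINED on all three return paths is not explained; as far as I know nginx invokes every log-phase handler without looking at the return value, so it is harmless, but a one-line comment on the first return giving the reason would help. The `dd("recovering ctx: %p", ctx);` and `dd("calling msc_process_logging for %p", ctx);` traces are left unconverted while the rest of the function is, which looks like an oversight.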