Sample Source Code¶
denylist_1.cc¶
The sample denylisting plugin included in the Traffic Server SDK is
denylist_1.cc
. This plugin checks every incoming HTTP client request
against a list of web sites. If the client requests a
listed site, then the plugin returns an Access forbidden
message to the client.
This plugin illustrates:
An HTTP transaction extension
How to examine HTTP request headers
How to use the logging interface
How to use the plugin configuration management interface
/** @file
An example plugin that denies client access to specified sites (denylist.txt).
@section license License
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include <cstdio>
#include <cstring>
#include "ts/ts.h"
#include "tscore/ink_defs.h"
#define PLUGIN_NAME "denylist_1"
#define MAX_NSITES 500
#define RETRY_TIME 10
static DbgCtl dbg_ctl{PLUGIN_NAME};
static char *sites[MAX_NSITES];
static int nsites;
static TSMutex sites_mutex;
static TSTextLogObject ts_log;
static TSCont global_contp;
static void handle_txn_start(TSCont contp, TSHttpTxn txnp);
enum calling_func {
HANDLE_DNS,
HANDLE_RESPONSE,
READ_BLOCKLIST,
};
struct cdata {
calling_func cf;
TSHttpTxn txnp;
};
static void
destroy_continuation(TSHttpTxn txnp, TSCont contp)
{
cdata *cd = nullptr;
cd = static_cast<cdata *>(TSContDataGet(contp));
if (cd != nullptr) {
TSfree(cd);
}
TSContDestroy(contp);
TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
return;
}
static void
handle_dns(TSHttpTxn txnp, TSCont contp)
{
TSMBuffer bufp;
TSMLoc hdr_loc;
TSMLoc url_loc;
const char *host;
int i;
int host_length;
if (TSHttpTxnClientReqGet(txnp, &bufp, &hdr_loc) != TS_SUCCESS) {
TSError("[%s] Couldn't retrieve client request header", PLUGIN_NAME);
goto done;
}
if (TSHttpHdrUrlGet(bufp, hdr_loc, &url_loc) != TS_SUCCESS) {
TSError("[%s] Couldn't retrieve request url", PLUGIN_NAME);
TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
goto done;
}
host = TSUrlHostGet(bufp, url_loc, &host_length);
if (!host) {
TSError("[%s] Couldn't retrieve request hostname", PLUGIN_NAME);
TSHandleMLocRelease(bufp, hdr_loc, url_loc);
TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
goto done;
}
/* We need to lock the sites_mutex as that is the mutex that is
protecting the global list of all denylisted sites. */
if (TSMutexLockTry(sites_mutex) != TS_SUCCESS) {
Dbg(dbg_ctl, "Unable to get lock. Will retry after some time");
TSHandleMLocRelease(bufp, hdr_loc, url_loc);
TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
TSContScheduleOnPool(contp, RETRY_TIME, TS_THREAD_POOL_NET);
return;
}
for (i = 0; i < nsites; i++) {
if (strncmp(host, sites[i], host_length) == 0) {
if (ts_log) {
TSTextLogObjectWrite(ts_log, "denylisting site: %s", sites[i]);
} else {
Dbg(dbg_ctl, "denylisting site: %s", sites[i]);
}
TSHttpTxnHookAdd(txnp, TS_HTTP_SEND_RESPONSE_HDR_HOOK, contp);
TSHandleMLocRelease(bufp, hdr_loc, url_loc);
TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
TSHttpTxnReenable(txnp, TS_EVENT_HTTP_ERROR);
TSMutexUnlock(sites_mutex);
return;
}
}
TSMutexUnlock(sites_mutex);
TSHandleMLocRelease(bufp, hdr_loc, url_loc);
TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
done:
TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
}
static void
handle_response(TSHttpTxn txnp, TSCont contp ATS_UNUSED)
{
TSMBuffer bufp;
TSMLoc hdr_loc;
TSMLoc url_loc;
char *url_str;
char *buf;
int url_length;
if (TSHttpTxnClientRespGet(txnp, &bufp, &hdr_loc) != TS_SUCCESS) {
TSError("[%s] Couldn't retrieve client response header", PLUGIN_NAME);
goto done;
}
TSHttpHdrStatusSet(bufp, hdr_loc, TS_HTTP_STATUS_FORBIDDEN);
TSHttpHdrReasonSet(bufp, hdr_loc, TSHttpHdrReasonLookup(TS_HTTP_STATUS_FORBIDDEN),
strlen(TSHttpHdrReasonLookup(TS_HTTP_STATUS_FORBIDDEN)));
if (TSHttpTxnClientReqGet(txnp, &bufp, &hdr_loc) != TS_SUCCESS) {
TSError("[%s] Couldn't retrieve client request header", PLUGIN_NAME);
TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
goto done;
}
if (TSHttpHdrUrlGet(bufp, hdr_loc, &url_loc) != TS_SUCCESS) {
TSError("[%s] Couldn't retrieve request url", PLUGIN_NAME);
TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
goto done;
}
buf = static_cast<char *>(TSmalloc(4096));
url_str = TSUrlStringGet(bufp, url_loc, &url_length);
snprintf(buf, 4096, "You are forbidden from accessing \"%s\"\n", url_str);
TSfree(url_str);
TSHandleMLocRelease(bufp, hdr_loc, url_loc);
TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
TSHttpTxnErrorBodySet(txnp, buf, strlen(buf), nullptr);
done:
TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
}
static void
read_denylist(TSCont contp)
{
char denylist_file[1024];
TSFile file;
snprintf(denylist_file, sizeof(denylist_file), "%s/denylist.txt", TSPluginDirGet());
file = TSfopen(denylist_file, "r");
nsites = 0;
/* If the Mutex lock is not successful try again in RETRY_TIME */
if (TSMutexLockTry(sites_mutex) != TS_SUCCESS) {
if (file != nullptr) {
TSfclose(file);
}
TSContScheduleOnPool(contp, RETRY_TIME, TS_THREAD_POOL_NET);
return;
}
if (file != nullptr) {
char buffer[1024];
while (TSfgets(file, buffer, sizeof(buffer) - 1) != nullptr && nsites < MAX_NSITES) {
char *eol;
if ((eol = strstr(buffer, "\r\n")) != nullptr) {
/* To handle newlines on Windows */
*eol = '\0';
} else if ((eol = strchr(buffer, '\n')) != nullptr) {
*eol = '\0';
} else {
/* Not a valid line, skip it */
continue;
}
if (sites[nsites] != nullptr) {
TSfree(sites[nsites]);
}
sites[nsites] = TSstrdup(buffer);
nsites++;
}
TSfclose(file);
} else {
TSError("[%s] Unable to open %s", PLUGIN_NAME, denylist_file);
TSError("[%s] All sites will be allowed", PLUGIN_NAME);
}
TSMutexUnlock(sites_mutex);
}
static int
denylist_plugin(TSCont contp, TSEvent event, void *edata)
{
TSHttpTxn txnp;
cdata *cd;
switch (event) {
case TS_EVENT_HTTP_TXN_START:
txnp = static_cast<TSHttpTxn>(edata);
handle_txn_start(contp, txnp);
return 0;
case TS_EVENT_HTTP_OS_DNS:
if (contp != global_contp) {
cd = static_cast<cdata *>(TSContDataGet(contp));
cd->cf = HANDLE_DNS;
handle_dns(cd->txnp, contp);
return 0;
} else {
break;
}
case TS_EVENT_HTTP_TXN_CLOSE:
txnp = static_cast<TSHttpTxn>(edata);
if (contp != global_contp) {
destroy_continuation(txnp, contp);
}
break;
case TS_EVENT_HTTP_SEND_RESPONSE_HDR:
if (contp != global_contp) {
cd = static_cast<cdata *>(TSContDataGet(contp));
cd->cf = HANDLE_RESPONSE;
handle_response(cd->txnp, contp);
return 0;
} else {
break;
}
case TS_EVENT_TIMEOUT:
/* when mutex lock is not acquired and continuation is rescheduled,
the plugin is called back with TS_EVENT_TIMEOUT with a null
edata. We need to decide, in which function did the MutexLock
failed and call that function again */
if (contp != global_contp) {
cd = static_cast<cdata *>(TSContDataGet(contp));
switch (cd->cf) {
case HANDLE_DNS:
handle_dns(cd->txnp, contp);
return 0;
case HANDLE_RESPONSE:
handle_response(cd->txnp, contp);
return 0;
default:
Dbg(dbg_ctl, "This event was unexpected: %d", event);
break;
}
} else {
read_denylist(contp);
return 0;
}
default:
break;
}
return 0;
}
static void
handle_txn_start(TSCont contp ATS_UNUSED, TSHttpTxn txnp)
{
TSCont txn_contp;
cdata *cd;
txn_contp = TSContCreate(static_cast<TSEventFunc>(denylist_plugin), TSMutexCreate());
/* create the data that'll be associated with the continuation */
cd = static_cast<cdata *>(TSmalloc(sizeof(cdata)));
TSContDataSet(txn_contp, cd);
cd->txnp = txnp;
TSHttpTxnHookAdd(txnp, TS_HTTP_OS_DNS_HOOK, txn_contp);
TSHttpTxnHookAdd(txnp, TS_HTTP_TXN_CLOSE_HOOK, txn_contp);
TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
}
void
TSPluginInit(int argc ATS_UNUSED, const char *argv[] ATS_UNUSED)
{
int i;
TSPluginRegistrationInfo info;
TSReturnCode error;
info.plugin_name = PLUGIN_NAME;
info.vendor_name = "Apache Software Foundation";
info.support_email = "dev@trafficserver.apache.org";
if (TSPluginRegister(&info) != TS_SUCCESS) {
TSError("[%s] Plugin registration failed", PLUGIN_NAME);
}
/* create an TSTextLogObject to log denied requests to */
error = TSTextLogObjectCreate("denylist", TS_LOG_MODE_ADD_TIMESTAMP, &ts_log);
if (!ts_log || error == TS_ERROR) {
Dbg(dbg_ctl, "error while creating log");
}
sites_mutex = TSMutexCreate();
nsites = 0;
for (i = 0; i < MAX_NSITES; i++) {
sites[i] = nullptr;
}
global_contp = TSContCreate(denylist_plugin, sites_mutex);
read_denylist(global_contp);
/*TSHttpHookAdd (TS_HTTP_OS_DNS_HOOK, contp); */
TSHttpHookAdd(TS_HTTP_TXN_START_HOOK, global_contp);
}