Where can I find the equivalent of http_auth.c (from lighttpd 1.4.35) in lighttpd 1.4.64?
I want to add a patch we had earlier in lighttpd 1.4.35 and 1.4.40. The purpose of the patch was to help with "anti-automation". For example, if a user tried to enter an incorrect password 5 times in a row, he would be locked out for a minute.
We have now moved over to the latest lighttpd 1.4.64 and I am trying to find out where the functionality under lighttpd-1.4.35/src/http_auth.c may be now found.
I can see that there are many files now -
mod_auth.c
mod_authn_file.c
mod_authn_gssapi.c
mod_authn_ldap.c
mod_authn_pam.c
mod_authn_sasl.c
mod_auth_api.c
I have attached a MSVP of what I want to achieve. As you can see 99 % of it is self-contained code. Just need to know where to plumb -
a) The HTTP authentication path
b) The HTTPS authentication path
The original patch in lighttpd 1.4.35 was in the function
http_auth_basic_check and
http_auth_digest_check
As the name suggests,
sinBin_Add would add a bad attempt into the "bin". If the number of attempts exceed, the user is "sidelined".
For http_auth_basic_check,
    /* anti automation check */
    if ( sinBin_Sidelined( &sinBin, username->ptr, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) ) )
    {
        buffer_free(username);
        buffer_free(password);
        log_error_write(srv, __FILE__, __LINE__, "s", "basic: anti automation precaution" );
        return 0;
    }
    /* password doesn't match */
    if (http_auth_basic_password_compare(srv, p, req, username, realm->value, password, pw))
    {
        log_error_write(srv, __FILE__, __LINE__, "sbsBss", "password doesn't match for", con->uri.path, "username:", username, ", IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
        sinBin_Add( &sinBin, username->ptr, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) );
        buffer_free(username);
        buffer_free(password);
Likewise for the http digest bit, we had
For http_auth_digest_check -
    /* anti automation check */
    if ( sinBin_Sidelined( &sinBin, username, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) ) )
    {
        buffer_free(b);
        log_error_write(srv, __FILE__, __LINE__, "s", "digest: anti automation precaution");
        return 0;
    }
    if (0 != strcmp(a2, respons)) {
        /* digest not ok */
        sinBin_Add( &sinBin, username, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) );
        if (p->conf.auth_debug) {
            log_error_write(srv, __FILE__, __LINE__, "sss",
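As an added illustration (this is not code from the post above or from lighttpd itself), here is a self-contained version of the "sin bin" the post describes: the key is username plus client IP, five consecutive failures sideline that pair for sixty seconds, a fixed-size table keeps memory bounded under a credential spray, and a successful login clears the counter. The names sinbin_*, check_login and demo_bin, the slot count and the "user@ip" key format are assumptions of this example; the plain strcmp() is a stand-in for lighttpd's http_auth_basic_password_compare(), and the clock is passed in so the behaviour can be checked without waiting a minute.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Policy from the post: 5 consecutive failures => sidelined for 60 s.
 * SINBIN_SLOTS and SINBIN_KEY_LEN are assumptions of this example. */
#define SINBIN_MAX_ATTEMPTS 5
#define SINBIN_LOCKOUT_SECS 60
#define SINBIN_SLOTS        64   /* fixed bound: an attacker cannot grow the table */
#define SINBIN_KEY_LEN      128  /* "user@ip"; longer keys are truncated */

struct sinbin_entry {
    char   key[SINBIN_KEY_LEN];  /* empty string = free slot */
    int    failures;             /* consecutive failures since the last reset */
    time_t last_fail;            /* time of the most recent failure */
    time_t locked_until;         /* non-zero while sidelined */
};

struct sinbin {
    struct sinbin_entry slots[SINBIN_SLOTS];
};

static void sinbin_key(char *out, size_t outlen, const char *user, const char *ip)
{
    snprintf(out, outlen, "%s@%s", user, ip);   /* keyed on username AND client IP */
}

static struct sinbin_entry *sinbin_find(struct sinbin *sb, const char *key)
{
    for (int i = 0; i < SINBIN_SLOTS; i++)
        if (sb->slots[i].key[0] != '\0' && strcmp(sb->slots[i].key, key) == 0)
            return &sb->slots[i];
    return NULL;
}

/* Claim a slot for a new key: a free one if any, else evict the oldest failure. */
static struct sinbin_entry *sinbin_alloc(struct sinbin *sb, const char *key)
{
    struct sinbin_entry *victim = &sb->slots[0];
    for (int i = 0; i < SINBIN_SLOTS; i++) {
        if (sb->slots[i].key[0] == '\0') { victim = &sb->slots[i]; break; }
        if (sb->slots[i].last_fail < victim->last_fail) victim = &sb->slots[i];
    }
    memset(victim, 0, sizeof *victim);
    snprintf(victim->key, sizeof victim->key, "%s", key);
    return victim;
}

/* 1 if (user, ip) is sidelined at time `now`; an expired lockout frees the entry. */
int sinbin_sidelined(struct sinbin *sb, const char *user, const char *ip, time_t now)
{
    char key[SINBIN_KEY_LEN];
    sinbin_key(key, sizeof key, user, ip);
    struct sinbin_entry *e = sinbin_find(sb, key);
    if (e == NULL || e->locked_until == 0) return 0;
    if (now < e->locked_until) return 1;
    memset(e, 0, sizeof *e);   /* lockout over: start again with a clean count */
    return 0;
}

/* Record one failed attempt; returns 1 if this failure started a lockout. */
int sinbin_add(struct sinbin *sb, const char *user, const char *ip, time_t now)
{
    char key[SINBIN_KEY_LEN];
    sinbin_key(key, sizeof key, user, ip);
    struct sinbin_entry *e = sinbin_find(sb, key);
    if (e == NULL) e = sinbin_alloc(sb, key);
    e->failures++;
    e->last_fail = now;
    if (e->failures < SINBIN_MAX_ATTEMPTS) return 0;
    e->locked_until = now + SINBIN_LOCKOUT_SECS;
    return 1;
}

/* A successful login wipes the counter, so old failures never accumulate. */
void sinbin_clear(struct sinbin *sb, const char *user, const char *ip)
{
    char key[SINBIN_KEY_LEN];
    sinbin_key(key, sizeof key, user, ip);
    struct sinbin_entry *e = sinbin_find(sb, key);
    if (e != NULL) memset(e, 0, sizeof *e);
}

/* Stand-in for the auth-check function the post hooks: refuse sidelined callers
 * before any password work, then feed the outcome back into the bin. */
int check_login(struct sinbin *sb, const char *user, const char *ip,
                const char *password, const char *expected, time_t now)
{
    if (sinbin_sidelined(sb, user, ip, now)) return 0;  /* "anti automation precaution" */
    if (strcmp(password, expected) != 0) {               /* demo stand-in, not constant-time */
        sinbin_add(sb, user, ip, now);                   /* "password doesn't match" */
        return 0;
    }
    sinbin_clear(sb, user, ip);
    return 1;
}

struct sinbin demo_bin;   /* constructed, zero-initialised table for trying it out */
```

In a server you would call check_login (or the two sinbin_* calls around the real password comparison) with the request's username, the client address and time(NULL). Two caveats before porting something like this: keyed on the username alone it becomes a denial-of-service lever, since anyone can lock a real user out with five bad guesses, which is why the post keys on username plus IP; and the table is in-process state, so with server.max-worker above 1 each lighttpd worker keeps its own counts, whereas the fail2ban route mentioned in the answer keeps that state outside the server.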
Existing discussions on lighttpd boards already point you to multiple answers
You should look at the places in lighttpd
src/mod_auth.c
which set r->keep_alive = -1;
Aside: If you're still running lighttpd 1.4.35 (over 8 years old!) or lighttpd 1.4.40 (almost 6 years old!), you should consider that your ability to keep your systems up-to-date is lacking. Your custom patch is possibly doing more harm than good if it prevents you from running a current version of lighttpd. See the above links and consider using fail2ban, or an authentication backend which implements your password policy for you, or a custom mod_fastcgi authorizer.