Forum OpenACS Development: generalize rp_filter feature

Collapse
1: generalize rp_filter feature
Posted by Torben Brosten on 07/16/10 11:58 PM
Hi,

rp_filter currently blocks specific "NASTY" user-agents.

It would be really handy if filtering included Host requests.

Both filters would be generalized by using a parameter for each (so the APM wouldn't need to Watch acs-tcl/tcl/request-processor-procs.tcl when making changes etc).

Any objection to this in theory?

It seems especially relevant for ecommerce and sites regularly under attack.

I'm working on code for it now

Collapse
2: Re: generalize rp_filter feature (response to 1)
Posted by Torben Brosten on 07/17/10 12:11 AM
Let's make that 3 filters, also peer address.
Collapse
3: Re: generalize rp_filter feature (response to 1)
Posted by Dave Bauer on 07/20/10 02:18 PM
This seems like a great idea.

I wonder how watching the request processor procs affects the filters since they are the procs that would reload themselves!

Collapse
4: Re: generalize rp_filter feature (response to 1)
Posted by Torben Brosten on 07/26/10 10:22 PM
Currently, ad_script_abort is used after redirects in rp_filter, which leaves a short error message in the log, but appears to function as expected.

It would be nice to know if there is a cleaner way of handling this.

Collapse
5: Re: generalize rp_filter feature (response to 1)
Posted by Torben Brosten on 09/06/10 01:10 PM
I think I've found a cleaner way.. by using:
return filter_return

Just need to redirect to a global/blocked.adp page

..still field testing..