Where to find equivalent functionality of http_auth.c (from lighttpd 1.4.35) in lighttpd 1.4.64?
I want to add back the patch we previously had in lighttpd 1.4.35 and 1.4.40.
The purpose of that patch is to help with "anti-automation". For example, if a user enters the wrong password 5 times in a row, he is locked out for one minute.
We have now moved over to the latest lighttpd 1.4.64 and I am trying to find out where the functionality under lighttpd-1.4.35/src/http_auth.c may be now found.
I can see that there are many files now -
mod_auth.c
mod_authn_file.c
mod_authn_gssapi.c
mod_authn_ldap.c
mod_authn_pam.c
mod_authn_sasl.c
mod_auth_api.c
I have attached a MSVP of what I want to achieve. As you can see, 99% of it is self-contained code. I just need to know where to plumb in:
a) The HTTP authentication path
b) The HTTPS authentication path
The original patch in lighttpd 1.4.35 was in the functions http_auth_basic_check and http_auth_digest_check.
As the name suggests, sinBin_Add would add a bad attempt into the "bin". If the number of attempts is exceeded, the user is "sidelined".
For http_auth_basic_check:

    /* anti automation check: refuse before touching the password at all */
    if ( sinBin_Sidelined( &sinBin, username->ptr, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) ) )
    {
        buffer_free(username);
        buffer_free(password);
        log_error_write(srv, __FILE__, __LINE__, "s", "basic: anti automation precaution" );
        return 0;
    }

    /* password doesn't match: record the failure against username + client IP */
    if (http_auth_basic_password_compare(srv, p, req, username, realm->value, password, pw))
    {
        log_error_write(srv, __FILE__, __LINE__, "sbsBss", "password doesn't match for", con->uri.path, "username:", username, ", IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
        sinBin_Add( &sinBin, username->ptr, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) );
        buffer_free(username);
        buffer_free(password);
Similarly for the HTTP Digest side, in http_auth_digest_check we have:

    /* anti automation check */
    if ( sinBin_Sidelined( &sinBin, username, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) ) )
    {
        buffer_free(b);
        log_error_write(srv, __FILE__, __LINE__, "s", "digest: anti automation precaution");
        return 0;
    }

    if (0 != strcmp(a2, respons)) {
        /* digest not ok: record the failure */
        sinBin_Add( &sinBin, username, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) );
        if (p->conf.auth_debug) {
            log_error_write(srv, __FILE__, __LINE__, "sss",
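As an added illustration (this is not lighttpd code and not the questioner's attached patch), here is a self-contained C version of the "sin bin" that the two snippets above call into: a fixed-size table keyed on username and client IP, with the 5-consecutive-failures / one-minute-lockout policy from the question. The sinbin_* names, the table size, the eviction rule and the explicit `now` argument are assumptions made for this example; a real hook would pass time(NULL), call sinbin_sidelined before the password or digest comparison and sinbin_add after a failed one, at the same points the original basic and digest checks did.

```c
/* Added example of the "sin bin" lockout described in the question.
 * Not lighttpd code. The 5-attempt / 60-second policy and the username+IP
 * key come from the question; everything else is assumed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SINBIN_SLOTS        64   /* fixed table: bounded memory, no malloc */
#define SINBIN_MAX_ATTEMPTS 5    /* consecutive failures before lockout */
#define SINBIN_LOCKOUT_SECS 60   /* lockout length, also the "consecutive" window */
#define SINBIN_KEY_MAX      128  /* "user@ip"; longer keys are truncated */

typedef struct {
    char     key[SINBIN_KEY_MAX]; /* empty string marks a free slot */
    unsigned attempts;            /* failures inside the current window */
    time_t   last_failure;        /* time of the most recent failure */
    time_t   sidelined_until;     /* 0 when not locked out */
} sinbin_entry;

typedef struct { sinbin_entry slots[SINBIN_SLOTS]; } sinbin;

static void sinbin_init(sinbin *bin) { memset(bin, 0, sizeof *bin); }

/* The bin is keyed on username AND client IP, as in the question's patch. */
static void sinbin_key(char *out, size_t outlen, const char *user, const char *ip) {
    snprintf(out, outlen, "%s@%s", user, ip);
}

static sinbin_entry *sinbin_find(sinbin *bin, const char *key) {
    for (size_t i = 0; i < SINBIN_SLOTS; ++i)
        if (bin->slots[i].key[0] != '\0' && strcmp(bin->slots[i].key, key) == 0)
            return &bin->slots[i];
    return NULL;
}

/* Find the entry for key, or recycle the stalest slot when the table is full. */
static sinbin_entry *sinbin_get(sinbin *bin, const char *key) {
    sinbin_entry *e = sinbin_find(bin, key);
    if (e) return e;
    sinbin_entry *victim = &bin->slots[0];
    for (size_t i = 0; i < SINBIN_SLOTS; ++i) {
        if (bin->slots[i].key[0] == '\0') { victim = &bin->slots[i]; break; }
        if (bin->slots[i].last_failure < victim->last_failure) victim = &bin->slots[i];
    }
    memset(victim, 0, sizeof *victim);
    snprintf(victim->key, sizeof victim->key, "%s", key);
    return victim;
}

/* sinBin_Sidelined equivalent: true while (user, ip) is locked out. Call this
 * BEFORE the password comparison so a locked-out client never reaches it. */
bool sinbin_sidelined(sinbin *bin, const char *user, const char *ip, time_t now) {
    char key[SINBIN_KEY_MAX];
    sinbin_key(key, sizeof key, user, ip);
    sinbin_entry *e = sinbin_find(bin, key);
    if (!e || e->sidelined_until == 0) return false;
    if (now < e->sidelined_until) return true;
    /* lockout expired: the next failures count from zero again */
    e->sidelined_until = 0;
    e->attempts = 0;
    return false;
}

/* sinBin_Add equivalent: record one failed attempt after a bad password or
 * digest. Returns true when this failure is the one that starts a lockout. */
bool sinbin_add(sinbin *bin, const char *user, const char *ip, time_t now) {
    char key[SINBIN_KEY_MAX];
    sinbin_key(key, sizeof key, user, ip);
    sinbin_entry *e = sinbin_get(bin, key);
    /* a failure older than the window breaks the "consecutive" streak */
    if (e->attempts > 0 && now - e->last_failure > SINBIN_LOCKOUT_SECS) e->attempts = 0;
    e->attempts++;
    e->last_failure = now;
    if (e->attempts >= SINBIN_MAX_ATTEMPTS) {
        e->sidelined_until = now + SINBIN_LOCKOUT_SECS;
        return true;
    }
    return false;
}

/* Call on a successful login so a legitimate user's earlier typos are forgotten. */
void sinbin_clear(sinbin *bin, const char *user, const char *ip) {
    char key[SINBIN_KEY_MAX];
    sinbin_key(key, sizeof key, user, ip);
    sinbin_entry *e = sinbin_find(bin, key);
    if (e) memset(e, 0, sizeof *e);
}

int main(void) {
    sinbin bin;
    sinbin_init(&bin);
    time_t t = 1000; /* constructed clock; a real hook would use time(NULL) */
    for (int i = 1; i <= 6; ++i) {
        if (sinbin_sidelined(&bin, "alice", "192.0.2.10", t + i)) {
            printf("attempt %d: sidelined, password not checked\n", i);
            continue;
        }
        bool locked = sinbin_add(&bin, "alice", "192.0.2.10", t + i);
        printf("attempt %d: bad password recorded%s\n", i, locked ? ", lockout starts" : "");
    }
    return 0;
}
```

Two properties are worth checking before plumbing anything like this into mod_auth.c. First, the early return for a sidelined client must produce exactly the same response as a wrong password, otherwise the lockout becomes an oracle for which usernames exist. Second, because the key includes the client IP, an attacker rotating source addresses is not slowed at all, while a legitimate user behind a busy NAT can be locked out by a neighbour's failures; a per-process table like this one is also duplicated per worker if lighttpd is run with multiple worker processes, so each worker sees only a fraction of the attempts.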
Existing discussions on the lighttpd forums already point you to several answers:
- https://redmine.lighttpd.net/boards/2/topics/6699
- https://redmine.lighttpd.net/boards/2/topics/9574
- https://redmine.lighttpd.net/boards/3/topics/8885
You should look at the place in lighttpd src/mod_auth.c where it sets r->keep_alive = -1;
Aside: if you are still running lighttpd 1.4.35 (over 8 years old!) or lighttpd 1.4.40 (almost 6 years old!), you should consider that your ability to keep systems up-to-date is lacking. If your custom patch is what prevents you from running the current version of lighttpd, then it may be doing more harm than good. See the links above and consider using fail2ban, or an authentication backend that enforces a password policy for you, or a custom mod_fastcgi authorizer.