Initial support to load rules from a remote server

New directive `SecRemoteRules' was added. It allows the user to load a
set of rules from a given HTTP server.

Author: Felipe Zimmerle

apache2/Makefile.am

@@ -21,6 +21,7 @@ mod_security2_la_SOURCES = acmp.c \
     msc_parsers.c \
     msc_pcre.c \
     msc_release.c \
+    msc_remote_rules.c \
     msc_reqbody.c \
     msc_tree.c \
     msc_unicode.c \

apache2/Makefile.win

@@ -58,6 +58,7 @@ OBJS = mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj \
        msc_reqbody.obj msc_geo.obj msc_gsb.obj msc_crypt.obj msc_tree.obj msc_unicode.obj acmp.obj msc_lua.obj \
        msc_release.obj \
        msc_status_engine.obj \
+       msc_remote_rules.obj \
        msc_json.obj \
        libinjection/libinjection_html5.obj \
        libinjection/libinjection_sqli.obj \

apache2/apache2_config.c

@@ -2213,6 +2213,50 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
     return NULL;
 }
 
+static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+        const char *p2)
+{
+    char *error_msg = NULL;
+    directory_config *dcfg = (directory_config *)_dcfg;
+    if (dcfg == NULL) return NULL;
+
+    // FIXME: make it https only.
+    // if (strncasecmp(p1, "https", 5) != 0) {
+    if (strncasecmp(p2, "http", 4) != 0) {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+                " %s, expected an HTTPS address.", p2);
+    }
+
+    // FIXME: Should we handle more then one server at once?
+    if (remote_rules_server != NULL)
+    {
+        return apr_psprintf(cmd->pool, "ModSecurity:  " \
+                "SecRemoteRules cannot be used more than once.");
+    }
+
+    remote_rules_server = apr_pcalloc(cmd->pool, sizeof(msc_remote_rules_server));
+    if (remote_rules_server == NULL)
+    {
+        return apr_psprintf(cmd->pool, "ModSecurity:  " \
+                "SecRemoteRules: Internal failure. Not enougth memory.");
+    }
+
+    remote_rules_server->context = dcfg;
+    remote_rules_server->context_label = apr_pstrdup(cmd->pool, "Unkwon context");
+    remote_rules_server->key = p1;
+    remote_rules_server->uri = p2;
+    remote_rules_server->amount_of_rules = 0;
+
+    msc_remote_add_rules_from_uri(cmd, remote_rules_server, &error_msg);
+    if (error_msg != NULL)
+    {
+        return error_msg;
+    }
+
+    return NULL;
+}
+
+
 static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 {
     if (strcasecmp(p1, "on") == 0) {
@@ -3500,6 +3544,14 @@ const command_rec module_directives[] = {
         "On or Off"
     ),
 
+    AP_INIT_TAKE2 (
+        "SecRemoteRules",
+        cmd_remote_rules,
+        NULL,
+        CMD_SCOPE_ANY,
+        "key and URI to the remote rules"
+    ),
+
     AP_INIT_TAKE1 (
         "SecXmlExternalEntity",
         cmd_xml_external_entity,

apache2/mod_security2.c

@@ -33,6 +33,8 @@
 
 #include "apr_version.h"
 
+#include "msc_remote_rules.h"
+
 #if defined(WITH_LUA)
 #include "msc_lua.h"
 #endif
@@ -66,6 +68,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
 
 unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
+msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 
 int DSOLOCAL conn_limits_filter_state = MODSEC_DISABLED;
@@ -752,6 +756,24 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
                     "SecStatusEngine to On.");
         }
 #endif
+
+        if (remote_rules_server != NULL)
+        {
+            if (remote_rules_server->amount_of_rules == 1)
+            {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                    "ModSecurity: Loaded %d rule from: '%s'.",
+                    remote_rules_server->amount_of_rules,
+                    remote_rules_server->uri);
+            }
+            else
+            {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                    "ModSecurity: Loaded %d rule from: '%s'.",
+                    remote_rules_server->amount_of_rules,
+                    remote_rules_server->uri);
+            }
+        }
     }
 
     srand((unsigned int)(time(NULL) * getpid()));

apache2/modsecurity.c

@@ -536,7 +536,7 @@ static apr_status_t modsecurity_process_phase_request_body(modsec_rec *msr) {
     apr_time_t time_before;
     apr_status_t rc = 0;
 
-    
+
     if ((msr->allow_scope == ACTION_ALLOW_REQUEST)||(msr->allow_scope == ACTION_ALLOW)) {
         if (msr->txcfg->debuglog_level >= 4) {
             msr_log(msr, 4, "Skipping phase REQUEST_BODY (allow used).");
@@ -626,7 +626,7 @@ static apr_status_t modsecurity_process_phase_response_body(modsec_rec *msr) {
  */
 static apr_status_t modsecurity_process_phase_logging(modsec_rec *msr) {
     apr_time_t time_before, time_after;
-    
+
     if (msr->txcfg->debuglog_level >= 4) {
         msr_log(msr, 4, "Starting phase LOGGING.");
     }

apache2/modsecurity.h

@@ -33,6 +33,7 @@ typedef struct msc_arg msc_arg;
 typedef struct msc_string msc_string;
 typedef struct msc_parm msc_parm;
 
+#include "msc_remote_rules.h"
 #include "msc_release.h"
 #include "msc_logging.h"
 #include "msc_multipart.h"
@@ -144,6 +145,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;
 
 extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
 
+extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+
 extern DSOLOCAL int status_engine_state;
 
 extern DSOLOCAL int conn_limits_filter_state;
@@ -619,6 +622,14 @@ struct directory_config {
 
     /* xml */
     int                 xml_external_entity;
+
+    /* This will be used whenever ModSecurity will be ready
+     * to ask the server for newer rules.
+     */
+#if 0
+    msc_remote_rules_server *remote_rules;
+    int remote_timeout;
+#endif
 };
 
 struct error_message_t {