diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 966593e4d..202a8f3bc 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -21,6 +21,7 @@ use strict; use Apache::Htpasswd; +use Scalar::Util qw(looks_like_number); # enable only the following on debugging purpose #use warnings; @@ -229,6 +230,9 @@ $proxysettings{'THROTTLING_GREEN_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited'; +$proxysettings{'ASNBL_FASTFLUX_DETECTION'} = 'off'; +$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} = '5'; +$proxysettings{'ASNBL_SELECANN_DETECTION'} = 'off'; $proxysettings{'ENABLE_MIME_FILTER'} = 'off'; $proxysettings{'AUTH_METHOD'} = 'none'; $proxysettings{'AUTH_REALM'} = ''; @@ -418,6 +422,21 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} $errormessage = $Lang::tr{'invalid maximum incoming size'}; goto ERROR; } + if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) + { + if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) { + $errormessage = $Lang::tr{'advproxy fastflux no threshold given'}; + goto ERROR; + } + if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) { + $errormessage = $Lang::tr{'advproxy fastflux threshold invalid'}; + goto ERROR; + } + if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} > 10)) { + $errormessage = $Lang::tr{'advproxy fastflux threshold out of bounds'}; + goto ERROR; + } + } if (!($proxysettings{'AUTH_METHOD'} eq 'none')) { unless (($proxysettings{'AUTH_METHOD'} eq 'ident') && @@ -801,6 +820,14 @@ $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'THROTTLING_GREEN_HOST'}} = "s $selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}} = "selected='selected'"; $selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = "selected='selected'"; +$checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} = ''; +$checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} = ''; +$checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETECTION'}} = "checked='checked'"; + +$checked{'ASNBL_SELECANN_DETECTION'}{'off'} = ''; +$checked{'ASNBL_SELECANN_DETECTION'}{'on'} = ''; +$checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETECTION'}} = "checked='checked'"; + $checked{'ENABLE_MIME_FILTER'}{'off'} = ''; $checked{'ENABLE_MIME_FILTER'}{'on'} = ''; $checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} = "checked='checked'"; @@ -1633,6 +1660,24 @@ END print < + + + + + $Lang::tr{'advproxy asbased anomaly detection'} + + + $Lang::tr{'advproxy fastflux detection'}: + + $Lang::tr{'advproxy fastflux detection threshold'}: + + + + $Lang::tr{'advproxy selectively announcements detection'}: + + + + END ; @@ -3525,6 +3570,59 @@ if (@ssl_ports) { print FILE "http_access deny CONNECT !SSL_ports\n"; } + if ((($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') && (!-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) { + print FILE "external_acl_type asnblhelper children-max=10 children-startup=2 ttl=86400 %DST /usr/bin/asnbl-helper.py ${General::swroot}/proxy/asnbl-helper.conf\n"; + print FILE "acl asnbl external asnblhelper\n"; + + # Use the user-defined URL filter whitelist (if present and populated) for the ASNBL helper as well + # Necessary for destinations such as fedoraproject.org, but we do not want to maintain a dedicated + # or hardcoded list for such FQDNs. + if ((-e "${General::swroot}/urlfilter/blacklists/custom/allowed/domains") && (!-z "${General::swroot}/urlfilter/blacklists/custom/allowed/domains")) { + print FILE "acl asnbl_whitelisted_destinations dstdomain \"${General::swroot}/urlfilter/blacklists/custom/allowed/domains\"\n"; + print FILE "http_access deny asnbl !asnbl_whitelisted_destinations\n\n"; + } else { + print FILE "http_access deny asnbl\n\n"; + } + + # Write ASNBL helper configuration file... + open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf"); + flock(ASNBLFILE, 2); + + print ASNBLFILE<