Sample Source Code

blacklist-1.c

The sample blacklisting plugin included in the Traffic Server SDK is blacklist-1.c. This plugin checks every incoming HTTP client request against a list of blacklisted web sites. If the client requests a blacklisted site, then the plugin returns an Access forbidden message to the client.

This plugin illustrates:

  • An HTTP transaction extension
  • How to examine HTTP request headers
  • How to use the logging interface
  • How to use the plugin configuration management interface
  1. /** @file
  2. An example plugin that denies client access to blacklisted sites (blacklist.txt).
  3. @section license License
  4. Licensed to the Apache Software Foundation (ASF) under one
  5. or more contributor license agreements. See the NOTICE file
  6. distributed with this work for additional information
  7. regarding copyright ownership. The ASF licenses this file
  8. to you under the Apache License, Version 2.0 (the
  9. "License"); you may not use this file except in compliance
  10. with the License. You may obtain a copy of the License at
  11. http://www.apache.org/licenses/LICENSE-2.0
  12. Unless required by applicable law or agreed to in writing, software
  13. distributed under the License is distributed on an "AS IS" BASIS,
  14. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15. See the License for the specific language governing permissions and
  16. limitations under the License.
  17. */
  18. #include <stdio.h>
  19. #include <string.h>
  20. #include "ts/ts.h"
  21. #include "ts/ink_defs.h"
  22. #define MAX_NSITES 500
  23. #define RETRY_TIME 10
  24. static char *sites[MAX_NSITES];
  25. static int nsites;
  26. static TSMutex sites_mutex;
  27. static TSTextLogObject log;
  28. static TSCont global_contp;
  29. static void handle_txn_start(TSCont contp, TSHttpTxn txnp);
  30. typedef struct contp_data {
  31. enum calling_func {
  32. HANDLE_DNS,
  33. HANDLE_RESPONSE,
  34. READ_BLACKLIST,
  35. } cf;
  36. TSHttpTxn txnp;
  37. } cdata;
  38. static void
  39. destroy_continuation(TSHttpTxn txnp, TSCont contp)
  40. {
  41. cdata *cd = NULL;
  42. cd = (cdata *)TSContDataGet(contp);
  43. if (cd != NULL) {
  44. TSfree(cd);
  45. }
  46. TSContDestroy(contp);
  47. TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
  48. return;
  49. }
  50. static void
  51. handle_dns(TSHttpTxn txnp, TSCont contp)
  52. {
  53. TSMBuffer bufp;
  54. TSMLoc hdr_loc;
  55. TSMLoc url_loc;
  56. const char *host;
  57. int i;
  58. int host_length;
  59. if (TSHttpTxnClientReqGet(txnp, &bufp, &hdr_loc) != TS_SUCCESS) {
  60. TSError("[blacklist-1] Couldn't retrieve client request header");
  61. goto done;
  62. }
  63. if (TSHttpHdrUrlGet(bufp, hdr_loc, &url_loc) != TS_SUCCESS) {
  64. TSError("[blacklist-1] Couldn't retrieve request url");
  65. TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
  66. goto done;
  67. }
  68. host = TSUrlHostGet(bufp, url_loc, &host_length);
  69. if (!host) {
  70. TSError("[blacklist-1] Couldn't retrieve request hostname");
  71. TSHandleMLocRelease(bufp, hdr_loc, url_loc);
  72. TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
  73. goto done;
  74. }
  75. /* We need to lock the sites_mutex as that is the mutex that is
  76. protecting the global list of all blacklisted sites. */
  77. if (TSMutexLockTry(sites_mutex) != TS_SUCCESS) {
  78. TSDebug("blacklist-1", "Unable to get lock. Will retry after some time");
  79. TSHandleMLocRelease(bufp, hdr_loc, url_loc);
  80. TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
  81. TSContSchedule(contp, RETRY_TIME, TS_THREAD_POOL_DEFAULT);
  82. return;
  83. }
  84. for (i = 0; i < nsites; i++) {
  85. if (strncmp(host, sites[i], host_length) == 0) {
  86. if (log) {
  87. TSTextLogObjectWrite(log, "blacklisting site: %s", sites[i]);
  88. } else {
  89. TSDebug("blacklist-1", "blacklisting site: %s", sites[i]);
  90. }
  91. TSHttpTxnHookAdd(txnp, TS_HTTP_SEND_RESPONSE_HDR_HOOK, contp);
  92. TSHandleMLocRelease(bufp, hdr_loc, url_loc);
  93. TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
  94. TSHttpTxnReenable(txnp, TS_EVENT_HTTP_ERROR);
  95. TSMutexUnlock(sites_mutex);
  96. return;
  97. }
  98. }
  99. TSMutexUnlock(sites_mutex);
  100. TSHandleMLocRelease(bufp, hdr_loc, url_loc);
  101. TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
  102. done:
  103. TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
  104. }
  105. static void
  106. handle_response(TSHttpTxn txnp, TSCont contp ATS_UNUSED)
  107. {
  108. TSMBuffer bufp;
  109. TSMLoc hdr_loc;
  110. TSMLoc url_loc;
  111. char *url_str;
  112. char *buf;
  113. int url_length;
  114. if (TSHttpTxnClientRespGet(txnp, &bufp, &hdr_loc) != TS_SUCCESS) {
  115. TSError("[blacklist-1] Couldn't retrieve client response header");
  116. goto done;
  117. }
  118. TSHttpHdrStatusSet(bufp, hdr_loc, TS_HTTP_STATUS_FORBIDDEN);
  119. TSHttpHdrReasonSet(bufp, hdr_loc, TSHttpHdrReasonLookup(TS_HTTP_STATUS_FORBIDDEN),
  120. strlen(TSHttpHdrReasonLookup(TS_HTTP_STATUS_FORBIDDEN)));
  121. if (TSHttpTxnClientReqGet(txnp, &bufp, &hdr_loc) != TS_SUCCESS) {
  122. TSError("[blacklist-1] Couldn't retrieve client request header");
  123. TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
  124. goto done;
  125. }
  126. if (TSHttpHdrUrlGet(bufp, hdr_loc, &url_loc) != TS_SUCCESS) {
  127. TSError("[blacklist-1] Couldn't retrieve request url");
  128. TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
  129. goto done;
  130. }
  131. buf = (char *)TSmalloc(4096);
  132. url_str = TSUrlStringGet(bufp, url_loc, &url_length);
  133. sprintf(buf, "You are forbidden from accessing \"%s\"\n", url_str);
  134. TSfree(url_str);
  135. TSHandleMLocRelease(bufp, hdr_loc, url_loc);
  136. TSHandleMLocRelease(bufp, TS_NULL_MLOC, hdr_loc);
  137. TSHttpTxnErrorBodySet(txnp, buf, strlen(buf), NULL);
  138. done:
  139. TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
  140. }
  141. static void
  142. read_blacklist(TSCont contp)
  143. {
  144. char blacklist_file[1024];
  145. TSFile file;
  146. sprintf(blacklist_file, "%s/blacklist.txt", TSPluginDirGet());
  147. file = TSfopen(blacklist_file, "r");
  148. nsites = 0;
  149. /* If the Mutext lock is not successful try again in RETRY_TIME */
  150. if (TSMutexLockTry(sites_mutex) != TS_SUCCESS) {
  151. if (file != NULL) {
  152. TSfclose(file);
  153. }
  154. TSContSchedule(contp, RETRY_TIME, TS_THREAD_POOL_DEFAULT);
  155. return;
  156. }
  157. if (file != NULL) {
  158. char buffer[1024];
  159. while (TSfgets(file, buffer, sizeof(buffer) - 1) != NULL && nsites < MAX_NSITES) {
  160. char *eol;
  161. if ((eol = strstr(buffer, "\r\n")) != NULL) {
  162. /* To handle newlines on Windows */
  163. *eol = '\0';
  164. } else if ((eol = strchr(buffer, '\n')) != NULL) {
  165. *eol = '\0';
  166. } else {
  167. /* Not a valid line, skip it */
  168. continue;
  169. }
  170. if (sites[nsites] != NULL) {
  171. TSfree(sites[nsites]);
  172. }
  173. sites[nsites] = TSstrdup(buffer);
  174. nsites++;
  175. }
  176. TSfclose(file);
  177. } else {
  178. TSError("[blacklist-1] Unable to open %s", blacklist_file);
  179. TSError("[blacklist-1] All sites will be allowed");
  180. }
  181. TSMutexUnlock(sites_mutex);
  182. }
  183. static int
  184. blacklist_plugin(TSCont contp, TSEvent event, void *edata)
  185. {
  186. TSHttpTxn txnp;
  187. cdata *cd;
  188. switch (event) {
  189. case TS_EVENT_HTTP_TXN_START:
  190. txnp = (TSHttpTxn)edata;
  191. handle_txn_start(contp, txnp);
  192. return 0;
  193. case TS_EVENT_HTTP_OS_DNS:
  194. if (contp != global_contp) {
  195. cd = (cdata *)TSContDataGet(contp);
  196. cd->cf = HANDLE_DNS;
  197. handle_dns(cd->txnp, contp);
  198. return 0;
  199. } else {
  200. break;
  201. }
  202. case TS_EVENT_HTTP_TXN_CLOSE:
  203. txnp = (TSHttpTxn)edata;
  204. if (contp != global_contp) {
  205. destroy_continuation(txnp, contp);
  206. }
  207. break;
  208. case TS_EVENT_HTTP_SEND_RESPONSE_HDR:
  209. if (contp != global_contp) {
  210. cd = (cdata *)TSContDataGet(contp);
  211. cd->cf = HANDLE_RESPONSE;
  212. handle_response(cd->txnp, contp);
  213. return 0;
  214. } else {
  215. break;
  216. }
  217. case TS_EVENT_TIMEOUT:
  218. /* when mutex lock is not acquired and continuation is rescheduled,
  219. the plugin is called back with TS_EVENT_TIMEOUT with a NULL
  220. edata. We need to decide, in which function did the MutexLock
  221. failed and call that function again */
  222. if (contp != global_contp) {
  223. cd = (cdata *)TSContDataGet(contp);
  224. switch (cd->cf) {
  225. case HANDLE_DNS:
  226. handle_dns(cd->txnp, contp);
  227. return 0;
  228. case HANDLE_RESPONSE:
  229. handle_response(cd->txnp, contp);
  230. return 0;
  231. default:
  232. TSDebug("blacklist_plugin", "This event was unexpected: %d", event);
  233. break;
  234. }
  235. } else {
  236. read_blacklist(contp);
  237. return 0;
  238. }
  239. default:
  240. break;
  241. }
  242. return 0;
  243. }
  244. static void
  245. handle_txn_start(TSCont contp ATS_UNUSED, TSHttpTxn txnp)
  246. {
  247. TSCont txn_contp;
  248. cdata *cd;
  249. txn_contp = TSContCreate((TSEventFunc)blacklist_plugin, TSMutexCreate());
  250. /* create the data that'll be associated with the continuation */
  251. cd = (cdata *)TSmalloc(sizeof(cdata));
  252. TSContDataSet(txn_contp, cd);
  253. cd->txnp = txnp;
  254. TSHttpTxnHookAdd(txnp, TS_HTTP_OS_DNS_HOOK, txn_contp);
  255. TSHttpTxnHookAdd(txnp, TS_HTTP_TXN_CLOSE_HOOK, txn_contp);
  256. TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
  257. }
  258. void
  259. TSPluginInit(int argc ATS_UNUSED, const char *argv[] ATS_UNUSED)
  260. {
  261. int i;
  262. TSPluginRegistrationInfo info;
  263. TSReturnCode error;
  264. info.plugin_name = "blacklist-1";
  265. info.vendor_name = "MyCompany";
  266. info.support_email = "ts-api-support@MyCompany.com";
  267. if (TSPluginRegister(&info) != TS_SUCCESS) {
  268. TSError("[blacklist-1] Plugin registration failed.");
  269. }
  270. /* create an TSTextLogObject to log blacklisted requests to */
  271. error = TSTextLogObjectCreate("blacklist", TS_LOG_MODE_ADD_TIMESTAMP, &log);
  272. if (!log || error == TS_ERROR) {
  273. TSDebug("blacklist-1", "error while creating log");
  274. }
  275. sites_mutex = TSMutexCreate();
  276. nsites = 0;
  277. for (i = 0; i < MAX_NSITES; i++) {
  278. sites[i] = NULL;
  279. }
  280. global_contp = TSContCreate(blacklist_plugin, sites_mutex);
  281. read_blacklist(global_contp);
  282. /*TSHttpHookAdd (TS_HTTP_OS_DNS_HOOK, contp); */
  283. TSHttpHookAdd(TS_HTTP_TXN_START_HOOK, global_contp);
  284. }