From: Amos Jeffries
Date: Sat, 16 Jan 2010 04:44:46 +0000 (+1300)
Subject: Add client_ip_max_connections
X-Git-Tag: SQUID_3_0_STABLE22~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b661bac47e2dcc2bbff207eb087fe5bf3282da17;p=thirdparty%2Fsquid.git

Add client_ip_max_connections

Given some incentive after deep consideration of the slowloris claims. While I still do not believe Squid is vulnerable per se, and some people have tested and found no such failures as claimed for the DoS attack, we found we could provide better administrative controls. This is one such that has been asked about many times and still did not exist.

It operates essentially the same as the maxconn ACL, but does not require HTTP headers and other request data to fully exist like ACLs do. It is tested immediately after accept() and is request type agnostic, right down to DNS TCP requests. So care is warranted in hierarchy situations or where clients may be behind NAT.

Utilizes the client DB to monitor accepted TCP links. Operates prior to everything so as to eliminate resource usage on the blocking case and close the windows of opportunity for dribble-attacks etc.

Default (-1) is to keep the status quo of no limits.
---
diff --git a/src/cf.data.pre b/src/cf.data.pre index 56b3cfc196..03017a5ea2 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre
@@ -4735,6 +4735,24 @@ accept_filter httpready accept_filter data DOC_END +NAME: client_ip_max_connections +TYPE: int +LOC: Config.client_ip_max_connections +DEFAULT: -1 +DOC_START + Set an absolute limit on the number of connections a single + client IP can use. Any more than this and Squid will begin to drop + new connections from the client until it closes some links. + + Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP + connections from the client. For finer control use the ACL access controls. + + Requires client_db to be enabled (the default). + + WARNING: This may noticably slow down traffic received via external proxies + or NAT devices and cause them to rebound error messages back to their clients. +DOC_END + NAME: tcp_recv_bufsize COMMENT: (bytes) TYPE: b_size_t diff --git a/src/comm.cc b/src/comm.cc index 707b53d611..90ed281eb5 100644 --- a/src/comm.cc +++ b/src/comm.cc @@ -45,6 +45,7 @@ #include "MemBuf.h" #include "pconn.h" #include "SquidTime.h" +#include "protos.h" #if defined(_SQUID_CYGWIN_) #include @@ -1355,6 +1356,13 @@ comm_old_accept(int fd, ConnectionDetail &details) Slen = sizeof(details.me); memset(&details.me, '\0', Slen); + if ( Config.client_ip_max_connections >= 0) { + if (clientdbEstablished(details.peer, 0) > Config.client_ip_max_connections) { + debugs(50, DBG_IMPORTANT, "WARNING: " << inet_ntoa(details.peer.sin_addr) << " attempting more than " << Config.client_ip_max_connections << " connections."); + return COMM_ERROR; + } + } + getsockname(sock, (struct sockaddr *) &details.me, &Slen); commSetCloseOnExec(sock); /* fdstat update */ diff --git a/src/structs.h b/src/structs.h index 5ade3dce5e..0a5104f76d 100644 --- a/src/structs.h +++ b/src/structs.h @@ -743,6 +743,7 @@ struct _SquidConfig char *accept_filter; int umask; + int client_ip_max_connections; }; struct _SquidConfig2
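Review bot: The cf.data.pre DOC_START text for client_ip_max_connections has a spelling error ("noticably" should be "noticeably") and does not say what the directive does when client_db is off, even though it states "Requires client_db to be enabled (the default)": the comm.cc check calls clientdbEstablished() unconditionally, so either the doc should state the behaviour with client_db disabled, or the check should be guarded so the limit is not silently ineffective. It would also help operators if the doc stated that a value of 0 is accepted by the `>= 0` guard in comm.cc and what it means in practice, since 0 and -1 currently behave very differently.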
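Review bot: The comm_old_accept() hunk in comm.cc has an off-by-one between the code and the documentation: clientdbEstablished(details.peer, 0) returns the number of connections already established for this client before the new one is counted, and the new connection is rejected only when that count is strictly greater than Config.client_ip_max_connections, so a client can hold max+1 connections, while the DOC text says "Any more than this" are dropped. Either use `>=` here or document the actual limit. Two further points on the same lines: the rejected descriptor `sock` is not closed before `return COMM_ERROR` anywhere visible in this hunk, so unless the caller closes it on COMM_ERROR each rejected connection leaks an fd, which would defeat the resource-protection purpose of the limit; and the debugs() call at DBG_IMPORTANT fires once per rejected accept, so a single busy or misbehaving client can flood cache.log, which argues for a lower debug level or some rate limiting of the message.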