| -rw-r--r-- | modules/apache/templates/vhost_fcgid.conf | 9 | ||||
| -rw-r--r-- | modules/viewvc/files/setcookieredirect.html | 27 | ||||
| -rw-r--r-- | modules/viewvc/manifests/init.pp | 9 |
3 files changed, 45 insertions, 0 deletions
diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf
index 75ac9300..3aed1ea2 100644
--- a/modules/apache/templates/vhost_fcgid.conf
+++ b/modules/apache/templates/vhost_fcgid.conf
@@ -23,6 +23,15 @@ RewriteCond %{QUERY_STRING} pathrev=|r1=
 RewriteCond %{HTTP_USER_AGENT} "Googlebot|GoogleOther|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto"
 RewriteRule . - [R=403,L]
 
+# Only let expensive operations through when a cookie is set. If no cookie is
+# set, redirect to a page where it will be set using JavaScript and redirect
+# back. This will block requests from user agents that do not support
+# JavaScript, which includes many robots.
+RewriteCond %{QUERY_STRING} pathrev=|r1=
+RewriteCond %{REQUEST_URI} !/_check
+RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary]
+RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?%{QUERY_STRING} [R=302,L]
+
 # Block abusive spiders by IP address who don't identify themselves in the
 # User-Agent: string
 RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16' || -R '188.239.0.0/18' || -R '166.108.192.0/18' || -R '124.243.160.0/19' || -R '101.46.0.0/20'"
diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html
new file mode 100644
index 00000000..d1b7ada4
--- /dev/null
+++ b/modules/viewvc/files/setcookieredirect.html
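Review bot: The `to=` value in the added RewriteRule is built from the raw `%{REQUEST_URI}?%{QUERY_STRING}` without escaping, so any `&` in the original query string is parsed by the landing page as a separate parameter and the redirect back drops everything after the first `&` (a request with `pathrev=...&r1=...` comes back with only `pathrev`). mod_rewrite's internal escape map handles this: declare `RewriteMap escape int:escape` once in the vhost and use `to=${escape:%{REQUEST_URI}?%{QUERY_STRING}}` in the rule. The `RewriteCond %{REQUEST_URI} !/_check` is an unanchored substring match, so any request path that happens to contain `/_check` skips the cookie gate; `RewriteCond %{REQUEST_URI} !^/_check` limits the exemption to the landing page itself. The condition also only tests that some `session=` cookie is present, not that its value was issued by the server, so the comment should say this is a JavaScript-capability gate rather than an access control.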
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>User check</title>
+ <script type="text/javascript" defer>
+ const randomValue = Math.random().toString(36).substring(2);
+ document.cookie = `session=${randomValue}; path=/; expires=${new Date(Date.now() + 24*3600*1000).toUTCString()}`;
+ const params = new Proxy(new URLSearchParams(window.location.search), {
+ get: (searchParams, prop) => searchParams.get(prop),
+ });
+ let url = params.to;
+ // Sanitize redirect path to avoid malicious arbitrary redirects
+ if (/^\/[-_a-zA-Z0-9~.?&=/]*$/.test(url)) {
+ window.location.href = url;
+ } else {
+ window.onload = function() {
+ document.getElementById('error').innerHTML = 'Error! Bad redirect location!';
+ }
+ }
+ </script>
+ </head>
+ <body>
+ Redirecting back...
+ <br>
+ <p id="error"><!-- space for error message --></p>
+ </body>
+</html>
diff --git a/modules/viewvc/manifests/init.pp b/modules/viewvc/manifests/init.pp
index 99acec90..e1d336c9 100644
--- a/modules/viewvc/manifests/init.pp
+++ b/modules/viewvc/manifests/init.pp
@@ -40,9 +40,18 @@ class viewvc {
 source => 'puppet:///modules/viewvc/robots.txt',
 }
 
+ file { "$viewvc_docroot/setcookieredirect.html":
+ ensure => present,
+ mode => '0644',
+ owner => root,
+ group => root,
+ source => 'puppet:///modules/viewvc/setcookieredirect.html',
+ }
+
 $vhost_aliases = {
 '/viewvc' => $viewvc_docroot,
 '/robots.txt' => $robotsfile,
+ '/_check' => "$viewvc_docroot/setcookieredirect.html",
 }
 
 $script_aliases = {
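Review bot: The path check `/^\/[-_a-zA-Z0-9~.?&=/]*$/` allows `/` to repeat after the leading one, so a `to` value of the form `//other.example/...` passes and `window.location.href` treats it as a protocol-relative URL to another host, which is the arbitrary redirect the comment above it says it prevents. Require a non-slash second character: `if (/^\/(?!\/)[-_a-zA-Z0-9~.?&=/]*$/.test(url)) {`. Since the error text is a constant, `textContent` is the safer habit than `innerHTML`, and the cookie could carry `SameSite=Lax` so it is not sent on cross-site navigations. `defer` has no effect on an inline script, which is presumably why the error message is written from `window.onload`; a short comment saying so would save the next reader the question.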
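Review bot: The two new interpolations `"$viewvc_docroot/setcookieredirect.html"` use the bare `$var` form inside a double-quoted string; Puppet's style guide asks for braces around interpolated variables and puppet-lint's variables_not_enclosed check flags the bare form. Write `file { "${viewvc_docroot}/setcookieredirect.html":` and `'/_check' => "${viewvc_docroot}/setcookieredirect.html",`. A one-line comment above the `file` resource naming the vhost rewrite rule that sends cookie-less requests to `/_check` would tie the two halves of this change together for the next reader.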
