Kindly bumping this during the summer vacation time for potentially new 
recipients :)


> On 21. Aug. 2017, at 21:14, Daniel Schneller 
> <daniel.schnel...@centerdevice.com> wrote:
> 
> Hi!
> 
> According to the documentation
> 
>  req.cook_cnt([<name>]) : integer
>  Returns an integer value representing the number of occurrences of the cookie
>  <name> in the request, or all cookies if <name> is not specified.
> 
> it should be possible to do something like this to reject a request if it 
> contains more than <n> cookies total. I do not know the cookie names in 
> advance. I am trying to reject malicious requests with hundreds or thousands 
> of cookies, trying to exhaust memory in my backend servers. Tomcat has a 
> maximum number of cookies per request setting, but I’d like to reject these 
> before they even get to the backends.
> 
> I thought this would work (for n=2):
> 
>       frontend fe-test
>               bind 0.0.0.0:8070
>               http-request deny deny_status 400 if { req.cook_cnt() gt 2 }
>               http-request auth realm tomcat
>               default_backend be-test
> 
> 
> However, it does not work. The count is always 0, hence the ACL always passes 
> and I get a 401 response from the next ACL in line.
> 
> root@tomcat:~# curl -v -b 'C1=v1; C1=v2; C1=v3' tomcat:8070
> * Rebuilt URL to: tomcat:8070/
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.1.1...
> * Connected to tomcat (127.0.1.1) port 8070 (#0)
>> GET / HTTP/1.1
>> User-Agent: curl/7.35.0
>> Host: tomcat:8070
>> Accept: */*
>> Cookie: C1=v1; C1=v2; C1=v3
>> 
> * HTTP 1.0, assume close after body
> < HTTP/1.0 401 Unauthorized
> < Cache-Control: no-cache
> < Connection: close
> < Content-Type: text/html
> < WWW-Authenticate: Basic realm="tomcat"
> <
> <html><body><h1>401 Unauthorized</h1>
> You need a valid user and password to access this content.
> </body></html>
> * Closing connection 0
> 
> 
> When I change the ACL to include a cookie name, it works:
> 
>        http-request deny deny_status 400 if { req.cook_cnt("C1") gt 2 }
> 
> root@tomcat:~# curl -v -b 'C1=v1; C1=v2; C1=v3' tomcat:8070
> * Rebuilt URL to: tomcat:8070/
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.1.1...
> * Connected to tomcat (127.0.1.1) port 8070 (#0)
>> GET / HTTP/1.1
>> User-Agent: curl/7.35.0
>> Host: tomcat:8070
>> Accept: */*
>> Cookie: C1=v1; C1=v2; C1=v3
>> 
> * HTTP 1.0, assume close after body
> < HTTP/1.0 400 Bad request
> < Cache-Control: no-cache
> < Connection: close
> < Content-Type: text/html
> <
> <html><body><h1>400 Bad request</h1>
> Your browser sent an invalid request.
> </body></html>
> * Closing connection 0
> 
> 
> 
> I tried to figure out what the code does, to see if I am doing something 
> wrong and found this in proto_http.c:
> 
> ------------------------------------------------------------------------------
> /* Iterate over all cookies present in a request to count how many occurrences
> * match the name in args and args->data.str.len. If <multi> is non-null, then
> * multiple cookies may be parsed on the same line. The returned sample is of
> * type UINT. Accepts exactly 1 argument of type string.
> */
> static int
> smp_fetch_cookie_cnt(const struct arg *args, struct sample *smp, const char 
> *kw, void *private)
> {
>       struct http_txn *txn;
>       struct hdr_idx *idx;
>       struct hdr_ctx ctx;
>       const struct http_msg *msg;
>       const char *hdr_name;
>       int hdr_name_len;
>       int cnt;
>       char *val_beg, *val_end;
>       char *sol;
> 
>       if (!args || args->type != ARGT_STR)
>               return 0;
> ------------------------------------------------------------------------------
> 
> So without being very C-savvy, this appears to exit early when there is no 
> parameter of type string passed in.
> 
> I hope someone can shed some light on this. :)
> 
> Thanks in advance,
> Daniel
> 
> 
> -- 
> Daniel Schneller
> Principal Cloud Engineer
> 
> CenterDevice GmbH                  | Hochstraße 11
>                                   | 42697 Solingen
> tel: +49 1754155711                | Deutschland
> daniel.schnel...@centerdevice.de   | www.centerdevice.de
> 
> Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
> Michael Rosbach, Handelsregister-Nr.: HRB 18655,
> HR-Gericht: Bonn, USt-IdNr.: DE-815299431
> 
> 


Reply via email to