Hi,
We discussed this patch a while ago and it seemed fine for inclusion; however, I could not find it anywhere in git. Resending it below.
Richard
--- polipo-20080907/tunnel.c.rzt 2008-09-07 23:21:20.000000000 +0200
+++ polipo-20080907/tunnel.c 2008-12-28 11:58:44.000000000 +0100
@@ -75,6 +75,13 @@
return buf->head == buf->tail;
}
+static void
+logTunnel(TunnelPtr tunnel, int blocked)
+{
+ do_log(L_TUNNEL,"tunnel %s:%d %s\n", tunnel->hostname->string,
tunnel->port,
+ blocked ? "blocked" : "allowed");
+}
+
static TunnelPtr
makeTunnel(int fd, char *buf, int offset, int len)
{
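Review bot: logTunnel writes `tunnel->hostname->string` straight into the log, and that string is the client-supplied CONNECT target; whether it can carry control characters or log-separator bytes depends on the request parser, which is outside this patch, so it is worth confirming or escaping non-printables before logging. The helper also has no comment; suggest `/* Log a CONNECT decision under L_TUNNEL as "tunnel host:port blocked|allowed". */` above it. Note that L13–L14 is one source line wrapped by the mailer, not two statements.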
@@ -156,6 +163,16 @@
}
tunnel->port = port;
+ if (tunnelIsMatched(url->string, url->length,
+ tunnel->hostname->string, tunnel->hostname->length)) {
+ releaseAtom(url);
+ tunnelError(tunnel, 404, internAtom("Forbidden tunnel"));
+ logTunnel(tunnel,1);
+ return;
+ }
+
+ logTunnel(tunnel,0);
+
releaseAtom(url);
if(socksParentProxy)
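Review bot: `logTunnel(tunnel,1)` runs after `tunnelError()`, which is defined outside this hunk; if any of its paths tears the tunnel down synchronously (for example a failure path that closes both descriptors and dispatches), the log call then reads `tunnel->hostname` from freed memory. Log before reporting the error, and use 403 rather than 404 for a policy refusal, since the reason phrase already says "Forbidden": `logTunnel(tunnel, 1);` followed by `tunnelError(tunnel, 403, internAtom("Forbidden tunnel"));`. The match is also applied to the raw CONNECT target, so hostname case and a trailing dot are under the client's control — see the note on tunnelIsMatched. do_tunnel starts and ends outside this hunk.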
--- polipo-20080907/forbidden.c.rzt 2008-09-07 23:21:20.000000000 +0200
+++ polipo-20080907/forbidden.c 2008-12-28 11:58:44.000000000 +0100
@@ -45,6 +45,11 @@
DomainPtr *uncachableDomains = NULL;
regex_t *uncachableRegex = NULL;
+AtomPtr forbiddenTunnelsFile = NULL;
+DomainPtr *forbiddenTunnelsDomains = NULL;
+regex_t *forbiddenTunnelsRegex = NULL;
+
+
/* these three are only used internally by {parse,read}DomainFile */
/* to avoid having to pass it all as parameters */
static DomainPtr *domains;
@@ -82,6 +87,9 @@
#endif
CONFIG_VARIABLE_SETTABLE(uncachableFile, CONFIG_ATOM, atomSetterForbidden,
"File specifying uncachable URLs.");
+
+ CONFIG_VARIABLE_SETTABLE(forbiddenTunnelsFile, CONFIG_ATOM,
atomSetterForbidden,
+ "File specifying forbidden tunnels.");
}
static int
@@ -331,10 +339,54 @@
parseDomainFile(uncachableFile, &uncachableDomains, &uncachableRegex);
+ if(forbiddenTunnelsFile)
+ forbiddenTunnelsFile = expandTilde(forbiddenTunnelsFile);
+
+ if(forbiddenTunnelsFile == NULL) {
+ forbiddenTunnelsFile =
expandTilde(internAtom("~/.polipo-forbiddenTunnels"));
+ if(forbiddenTunnelsFile) {
+ if(access(forbiddenTunnelsFile->string, F_OK) < 0) {
+ releaseAtom(forbiddenTunnelsFile);
+ forbiddenTunnelsFile = NULL;
+ }
+ }
+ }
+
+ if(forbiddenTunnelsFile == NULL) {
+ if(access("/etc/polipo/forbiddenTunnels", F_OK) >= 0)
+ forbiddenTunnelsFile = internAtom("/etc/polipo/forbiddenTunnels");
+ }
+
+ parseDomainFile(forbiddenTunnelsFile, &forbiddenTunnelsDomains,
&forbiddenTunnelsRegex);
+ //
+
return;
}
int
+tunnelIsMatched(char *url, int lurl, char *hostname, int lhost)
+{
+ DomainPtr *domain, *domains;
+
+ domains=forbiddenTunnelsDomains;
+ if (domains) {
+ domain = domains;
+ while(*domain) {
+ if (lhost == (*domain)->length &&
+ memcmp(hostname, (*domain)->domain, lhost)==0)
+ return 1;
+ domain++;
+ }
+ }
+
+ if(forbiddenTunnelsRegex) {
+ if(!regexec(forbiddenTunnelsRegex, url, 0, NULL, 0))
+ return 1;
+ }
+ return 0;
+}
+
+int
urlIsMatched(char *url, int length, DomainPtr *domains, regex_t *regex)
{
if(length < 8)
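Review bot: The domain loop in tunnelIsMatched compares the hostname with memcmp on exact length, i.e. a case-sensitive exact match, so `CONNECT WWW.MASSFUEL.COM:443` is not blocked by a `www.massfuel.com` entry and a `massfuel.com` entry does not cover `www.massfuel.com`; since this list is a security filter, the comparison should be case-insensitive and should match on a label boundary, which is presumably what urlIsMatched (whose body starts just below this hunk) does for the forbidden-URL list. The rewrite below does that with strncasecmp (or polipo's own case-insensitive compare, if forbidden.c already has one in scope); the regex branch is unchanged. A trailing dot (`example.com.`) still bypasses both forms and should be stripped by the caller before matching. `lurl` is unused and can be dropped or documented as reserved, and the stray `//` line after the parseDomainFile call should go.
```c
int
tunnelIsMatched(char *url, int lurl, char *hostname, int lhost)
{
    DomainPtr *domain = forbiddenTunnelsDomains;

    /* Case-insensitive suffix match on a label boundary:
       "example.com" blocks example.com and www.example.com, not badexample.com. */
    if(domain) {
        while(*domain) {
            int dl = (*domain)->length;
            if(dl <= lhost &&
               strncasecmp(hostname + lhost - dl, (*domain)->domain, dl) == 0 &&
               (lhost == dl || hostname[lhost - 1 - dl] == '.'))
                return 1;
            domain++;
        }
    }

    /* … unchanged: regex branch on url and return 0 … */
}
```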
--- polipo-20080907/forbidden.h.rzt 2008-09-07 23:21:20.000000000 +0200
+++ polipo-20080907/forbidden.h 2008-12-28 11:58:44.000000000 +0100
@@ -46,3 +46,5 @@
void redirectorTrigger(void);
int
runRedirector(pid_t *pid_return, int *read_fd_return, int *write_fd_return);
+
+int tunnelIsMatched(char *url, int lurl, char *hostname, int lhost);
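Review bot: The new prototype does not say what `url` and `hostname` are or how they differ, which matters because the domain list is matched against one and the regex against the other; suggest `/* Returns 1 if the CONNECT target ("host:port" in url, bare host in hostname) is on the forbidden-tunnels list; lurl is currently unused. */` above it. Neither pointer is written through, so both could be `const char *` once the definition in forbidden.c is changed to match.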
--- polipo-20080907/tunnel.h.rzt 2008-09-07 23:21:20.000000000 +0200
+++ polipo-20080907/tunnel.h 2008-12-28 11:58:44.000000000 +0100
@@ -47,4 +47,4 @@
void do_tunnel(int fd, char *buf, int offset, int len, AtomPtr url);
-
+void listTunnels(FILE *out);
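Review bot: `void listTunnels(FILE *out);` declares a function that nothing in this patch defines, and it is unrelated to the forbidden-tunnels feature; unless a definition already exists in tree, this is a leftover and should be dropped (the hunk also removes the header's trailing blank line). If it is meant to stay, it needs its definition in tunnel.c and a one-line comment saying what it lists.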
--- polipo-20080907/log.h.rzt 2008-09-07 23:21:20.000000000 +0200
+++ polipo-20080907/log.h 2008-12-28 11:58:44.000000000 +0100
@@ -27,6 +27,7 @@
#define L_UNCACHEABLE 0x10
#define L_SUPERSEDED 0x20
#define L_VARY 0x40
+#define L_TUNNEL 0x80
#define D_SERVER_CONN 0x100
#define D_SERVER_REQ 0x200
--- polipo-20080907/log.c.rzt 2008-09-07 23:21:20.000000000 +0200
+++ polipo-20080907/log.c 2008-12-28 11:58:44.000000000 +0100
@@ -253,6 +253,7 @@
{ L_UNCACHEABLE, LOG_DEBUG },
{ L_SUPERSEDED, LOG_DEBUG },
{ L_VARY, LOG_DEBUG },
+ { L_TUNNEL, LOG_NOTICE },
{ 0, 0 }};
PrioritiesRec *current;
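Review bot: L_TUNNEL is mapped to LOG_NOTICE here, and tunnel.c logs allowed tunnels under the same flag as blocked ones, so once bit 0x80 is set in logLevel every CONNECT destination is written to the log at notice priority. That is a record of users' browsing destinations and it grows with traffic; since the priority table is per flag, the two cases cannot be separated here, so either the "allowed" log call should move to a debug flag or the texinfo entry for 0x80 should state plainly that it logs all tunnel destinations, not only blocked ones.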
--- polipo-20080907/polipo.texi.rz-doc 2008-12-28 11:18:21.000000000 +0100
+++ polipo-20080907/polipo.texi 2008-12-28 11:25:44.000000000 +0100
@@ -1152,9 +1152,17 @@
browser, either by returning a @emph{forbidden} error message to the
user, or by @emph{redirecting} such URLs to some other URL.
+Some content providers attempt to subvert content filtering as well as
+malware scans by tunnelling their questionable content as https or other
+encrypted protocols. Other content providers are so clueless as to inject
+content from external providers into supposedly safe webpages.
+Polipo has therefore the ability to selectively block tunneled connections
+based on hostname and port information.
+
@menu
* Internal forbidden list:: Specifying forbidden URLs.
* External redirectors:: Using an external redirector.
+* Forbidden Tunnels::
@end menu
@node Internal forbidden list, External redirectors, Forbidden, Forbidden
@@ -1186,7 +1194,7 @@
default) the redirection will be marked as temporary, if 301 it will
be a permanent one.
-...@node External redirectors, , Internal forbidden list, Forbidden
+...@node External redirectors, Forbidden Tunnels, Internal forbidden list,
Forbidden
@subsection External redirectors
@cindex forbidden
@cindex redirect
@@ -1208,6 +1216,67 @@
redirector = /usr/bin/adzapper
@end example
+...@node Forbidden Tunnels, , External redirectors, Forbidden
+...@subsection Forbidden Tunnels
+
+Polipo does by default allow tunnelled connections
+(@pxref{ Tunnelling connections}), however sometimes it is desirable to
+block connections selectively.
+
+Because polipo does only pass through tunnelled connections filtering is
+possible based on hostname and port information only. Filtering based on
+protocol specific types of information like pathname is not possible.
+
+Obviously the web browser (and other software) must be configured to use
+polipo as tunneling proxy for this to work. The tunnelled traffic is neither
+touched nor inspected in any way by polipo, thus encryption, certification
+and all other security and integrity guarantees implemented in the browser
+are not in any way affected.
+
+The file pointed at by the variable @code{forbiddenTunnelsFile} (defaults to
+...@file{~/.polipo-forbiddenTunnels} or @file{/etc/polipo/forbiddenTunnels},
+whichever exists) specifies the set of tunnel specifications that should
+be blocked.
+
+Every line in a file listing forbidden Tunnels can either be a domain
+name --- a string that doesn't contain any of @samp{/}, @samp{*} or
+...@samp{\} ---, or a POSIX extended regular expression. Blank lines are
+ignored, as are those that start with a hash sign @samp{#}.
+
+Entries in the form of regular expressions will be matched against
+tunnel reqeusts of the form @code{hostname:portnumber}.
+
+Tunnelled and blocked connections will be logged if the configuration variable
+...@code{loglevel} is set to a value such that @code{((logLevel & 0x80) !=0)}
+
+Example @code{forbiddenTunnelsFile} :
+...@example
+# simple case, exact match of hostnames
+www.massfuel.com
+
+# match hostname against regexp
+\.hitbox\.
+
+# match hostname and port against regexp
+# this will block tunnels to example.com but also www.example.com
+# for ports in the range 600-999
+# Also watch for effects of 'tunnelAllowedPorts'
+example.com\:[6-9][0-9][0-9]
+
+# random examples
+\.liveperson\.
+\.atdmt\.com
+.*doubleclick\.net
+.*webtrekk\.de
+^count\..*
+.*\.offerstrategy\.com
+.*\.ivwbox\.de
+.*adwords.*
+.*\.sitestat\.com
+\.xiti\.com
+webtrekk\..*
+...@end example
+
@node DNS, Parent proxies, Forbidden, Network
@section The domain name service
@cindex DNS
@@ -1444,6 +1513,9 @@
Polipo will accept to tunnel traffic to. It defaults to allowing ssh,
HTTP, https, rsync, IMAP, imaps, POP, pops, Jabber, CVS and Git traffic.
+It is possible to selectively block tunneled connections,
+...@pxref{forbidden Tunnels}
+
@node Caching, Memory usage, Network, Top
@chapter Caching