commit: basic parameter blocking

demo.d/wikipedia.tconf

@@ -27,10 +27,13 @@ set paths_contain_onions 1
 set suppress_methods_except_get 1
 
 # proof-of-concept: block logins by blocking access to login.*
-set block_host_re ^login\\.
+#set block_host_re ^login\\.
 
 # proof-of-concept: block logins by blocking access to login.*
-set block_location_re ^/login/
+#set block_location_re ^/login/
+
+# proof-of-concept: block logins by "parameter,value"
+set block_param_re title,^Special:UserLogin$
 
 # blocking access to query parameter lists is more complex, but given
 # this is a read-only proof of concept with POST blocked, ignore that

lib.d/do-configure.pl

@@ -430,6 +430,11 @@ sub DoProject {
 &SetEnv("host_whitelist_re", "");
 &SetEnv("host_blacklist_re", "");
 
+&SetEnv("block_param", "");
+&SetEnv("block_param_re", "");
+&SetEnv("param_whitelist_re", "");
+&SetEnv("param_blacklist_re", "");
+
 &SetEnv("no_cache_content_type", "");
 &SetEnv("no_cache_host", "");
 

lib.d/generate-bw-code.pl

@@ -139,6 +139,9 @@ block block_path_re if ( $uri ~* "%0%" )
 # legacy
 block block_location location %0%
 block block_location_re location ~* "%0%"
+# query parameters
+block block_param if ( $arg_%1% = "%2%" )
+block block_param_re if ( $arg_%1% ~* "%2%" )
 
 # redirects
 redirect redirect_host_csv if ( $host ~* "%1%" )
@@ -152,3 +155,4 @@ bwlist user_agent if ( $http_user_agent ~* "%0%" )
 bwlist referer if ( $http_referer ~* "%0%" )
 bwlist host if ( $http_host ~* "%0%" )
 bwlist path if ( $uri ~* "%0%" )
+bwlist param if ( $arg_%1% ~* "%2%" )

templates.d/nginx-generated-blocks.conf

@@ -65,6 +65,24 @@
     # no polite block for block_location_re (generated)
     %%ENDIF
 
+    %%IF %BLOCK_PARAM%
+    # polite block for block_param (generated)
+    %%CSV %BLOCK_PARAM%
+    if ( $arg_%1% = "%2%" ) { return 403 "%BLOCK_ERR%"; }
+    %%ENDCSV
+    %%ELSE
+    # no polite block for block_param (generated)
+    %%ENDIF
+
+    %%IF %BLOCK_PARAM_RE%
+    # polite block for block_param_re (generated)
+    %%CSV %BLOCK_PARAM_RE%
+    if ( $arg_%1% ~* "%2%" ) { return 403 "%BLOCK_ERR%"; }
+    %%ENDCSV
+    %%ELSE
+    # no polite block for block_param_re (generated)
+    %%ENDIF
+
 
     # blacklists (generated)
 
@@ -104,6 +122,15 @@
     # no path_blacklist_re (generated)
     %%ENDIF
 
+    %%IF %PARAM_BLACKLIST_RE%
+    # check param_blacklist_re (generated)
+    %%CSV %PARAM_BLACKLIST_RE%
+    if ( $arg_%1% ~* "%2%" ) { %NGINX_ACTION_ABORT%; }
+    %%ENDCSV
+    %%ELSE
+    # no param_blacklist_re (generated)
+    %%ENDIF
+
 
     # redirects (generated)
 
@@ -177,5 +204,15 @@
     # no path_whitelist_re (generated)
     %%ENDIF
 
+    %%IF %PARAM_WHITELIST_RE%
+    # check param_whitelist_re (generated)
+    set $non_whitelist_param 1;
+    %%CSV %PARAM_WHITELIST_RE%
+    if ( $arg_%1% ~* "%2%" ) { set $non_whitelist_param 0; }
+    %%ENDCSV
+    %%ELSE
+    # no param_whitelist_re (generated)
+    %%ENDIF
+
 
     # ---- END GENERATED CODE ----

templates.d/nginx-generated-checks.conf

@@ -30,5 +30,12 @@
       # no check for success of path_whitelist_re (generated)
       %%ENDIF
 
+      %%IF %PARAM_WHITELIST_RE%
+      # check success of param_whitelist_re (generated)
+      if ( $non_whitelist_param ) { %NGINX_ACTION_ABORT%; }
+      %%ELSE
+      # no check for success of param_whitelist_re (generated)
+      %%ENDIF
+
 
       # ---- END GENERATED CODE ----