######################################################################################################
# Capri 1.30
# Idea & concept : thomas.loo, saltstorm.techlabs
# Date : 18:41 2002-04-14
# License : GNU GPL
#
# -----------------------------------------------------------------
# Snap-in configuration for Apache 1.3.20+
# the capri-protocol definition ruleset.
#
# -----------------------------------------------------------------
# Copyright 2001-2002, thomas@saltstorm.net | http://www.saltstorm.net/
######################################################################################################

RewriteEngine On

### At Apache start-up, assign & load the maps we'll use. ########################################
# Map files are cached in-core and will only be reloaded on a mtime change.
RewriteMap lowercase int:tolower
RewriteMap escaped int:escape

# ! MODIFY these to match the path to the capri-directory. Target files MUST exist and be
# readable by the apache user/group (eg. nobody/nobody)
RewriteMap capri-conf txt:capri/capri.conf
RewriteMap capri-ip-cache txt:capri/capri.ip-cache
##################################################################################################

### [optional] Blocking unsolicited proxy access #################################################
# Uncomment this if you experience anonymous proxy attempts to your server, will effectively block
# anything being proxied through your server. Beware collisions with your own proxy setup though.
# RewriteCond %{THE_REQUEST} ^(HEAD|CONNECT|GET|POST|PUT)\ https?:.+ [NC]
# RewriteRule ^.+ - [F,E=LOG_BLOCK:1]

### [optional] Debugging capri/mod_rewrite. ######################################################
# Do not use rewrite logging on a production server, it'll eat up yer HDD space and go tough on
# the CPU. Uncomment if you are experiencing misbehavior with capri and you are willing to try
# track down the problem.
# RewriteLog logs/rewrite.log
# RewriteLogLevel 9
##################################################################################################

### LOG_BLOCK fix, partially working on Apache 1.3.20- ###########################################
# For some reason (nods to bug ;)) Apache interrupts the internal handler-chain under certain
# conditions whereby the request never gets to mod_rewrite (or other modules farther down the
# handler chain). These are :
# * A request-uri containing a %% sequence, causing a 400 status
# * A request-uri containing the %2f character. (hex for '/') gives a 404
# However, using mod_setenvif you can catch the 400's, and if you are on 1.3.21+
# the following directive will even catch the %2f requests.
# So, keeping them hard ones in the Nimda and CodeRed attacks away from getting logged we do:
SetEnvIf Request_URI ^/scripts/\.\.%% LOG_BLOCK
SetEnvIf Request_URI ^/scripts/\.\.%c0%2f LOG_BLOCK
SetEnvIf Request_URI ^/default\.ida LOG_BLOCK
SetEnvIf Request_URI ^/_vti_bin/\.\.%% LOG_BLOCK
##################################################################################################

### [example] Creating custom capri-handlers #####################################################
# Force explicit mapping of URL /whats-cool-today/ to key "wday-redir" defined in capri.conf.
# RewriteRule ^/whats-cool-today/? - [E=CAPRIFY:wday-redir:%{TIME_WDAY}]
##################################################################################################

### CAPRI protocol scheme. [Do not touch anything beyond this point!] ############################
# [0] Init. Lookup request and the CAPRIFY environment label for a corresponding capri interceptor
# defined in capri.conf, if match apply rule at [1], else skip for [2].
RewriteCond ${capri-conf:${escaped:%{REQUEST_URI}}|%{ENV:CAPRIFY}} ^(capri(-x)?:[a-z-]+=?)(.*)$ [NC]
# [1] yes, there was an interceptor available, substitute URL and skip to [3].
RewriteRule ^/.+ ${lowercase:%1}%3 [S=1]
# [2] No matching directive found in capri.conf, in case of a capri-directive already set by an earlier
# rule, continue as normal with [3]. Else skip ALL further capri rules and jump straight to [16]
RewriteRule ^.+ - [S=11]

### Logging, defined in capri.conf globally, or by capri-x ######################################
# [3] Should we disable logging for this request, as indicated globally in capri.conf ?
RewriteCond ${capri-conf:LOG_BLOCK|1} 1
# [4] ...ok. then set env variable LOG_BLOCK for use by the CustomLog "env" directive.
RewriteRule .+ - [E=LOG_BLOCK:1]
# [5] ...or if the capri-x protocol is used, set LOG_BLOCK and switch to the capri: protocol.
RewriteRule ^(capri)-x:(.+) $1:$2 [E=LOG_BLOCK:1]

### CAPRI:IPC|IP-CONDPASS=... ###################################################################
# [6] Unless an ip-condpass interceptor, perform no ip-cache lookup and skip to [10].
RewriteRule !^capri:ip(c|-condpass)? - [S=2]
# [7] ...else, lookup client ip from the cache
RewriteCond ${capri-ip-cache:%{REMOTE_ADDR}|NEW} NEW
# [8] IP wasn't in cache, perform the primary action and pass on to next API handler.
RewriteRule ^capri:ip(c|-condpass)=([^\|]+) $2 [PT,E=CAPRI:${capri-conf:VERSION|X}]
# [9] IP was found in cache, fallback on the secondary action and continue with [10]
RewriteRule ^capri:ip(c|-condpass)=.+\|([a-z-]+)(=?.*) capri:${lowercase:$2}$3 [NC]

### CAPRI:F|FORBIDDEN ###########################################################################
# [10] Should we respond with a 403 forbidden ? If so, break here and leave for the next API handler.
RewriteRule ^capri:f(orbidden)? - [F]

### CAPRI:PT|PASSTHROUGH=... #####################################################################
# [11] Should we rewrite URL and pass it through ? if so, set env variable and pass on to next API handler.
RewriteRule ^capri:(pt|passthrough)=(.+) $2 [PT,E=CAPRI:${capri-conf:VERSION|X}]

### CAPRI:G|GONE ################################################################################
# [12] Should we respond with a 410 Gone ? If so, break outta here.
RewriteRule ^capri:g(one)? - [G]

### CAPRI:R|REDIRECT=... ########################################################################
# [13] Should we redirect the client somewhere else. if so, let this be the last rule applied.
RewriteRule ^capri:r(edirect)?=(.+) $2 [L,R]

### CAPRI:P|PROXY=http://... (via mod_proxy) ####################################################
# [14] Should we proxy this request to some other host ? if so, break here.
# (you probably need an additional ProxyPassReverse directive for this to work.)
RewriteRule ^capri:p(roxy)?=(.+) $2 [P]

### ERROR Fallback ##############################################################################
# [15] Oups! Unknown or malformed capri-directive. Re-write url back to its initial state to
# prevent a 400 error and pass it on to any additional RewriteRules/next API handler.
RewriteRule .+ %{REQUEST_URI}

# [16] End. Proceed with any user defined rewrite directives... #################################
# ...
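
An offline model of the dispatch chain [0]-[15] above, useful for auditing which action a capri.conf value resolves to before it is deployed. This is an added example, not part of Capri: the function name `resolve`, the action labels it returns, the use of a Python set for the ip-cache and the sample inputs are all assumptions, and it mirrors only the regular expressions and rule order shown in this file.

```python
import re

def resolve(directive, client_ip, ip_cache, log_block_global=True):
    """Return (action, target, log_block) for one capri.conf value.

    Simplified model of steps [0]-[15]; mod_rewrite itself is not involved.
    log_block_global stands for the LOG_BLOCK key in capri.conf, which the
    ruleset treats as 1 when the key is absent.
    """
    m = re.match(r'^(capri(-x)?:[a-z-]+=?)(.*)$', directive or '', re.I)
    if not m:                                   # [2] no interceptor: skip to [16]
        return ('none', None, False)
    url = m.group(1).lower() + m.group(3)       # [1] only the directive name is lowercased
    log_block = log_block_global                # [3]/[4] global logging switch
    if url.startswith('capri-x:'):              # [5] capri-x always sets LOG_BLOCK
        url, log_block = 'capri:' + url[len('capri-x:'):], True
    if re.match(r'^capri:ip(c|-condpass)?', url):            # [6]
        p = re.match(r'^capri:ip(c|-condpass)=([^|]+)', url)
        if client_ip not in ip_cache and p:                  # [7]+[8] primary action
            return ('passthrough', p.group(2), log_block)
        s = re.match(r'^capri:ip(c|-condpass)=.+\|([a-z-]+)(=?.*)', url, re.I)
        if s:                                                # [9] secondary action
            url = 'capri:' + s.group(2).lower() + s.group(3)
    rules = [                                                # [10]-[14], in file order
        (r'^capri:f(orbidden)?', 'forbidden'),
        (r'^capri:(pt|passthrough)=(.+)', 'passthrough'),
        (r'^capri:g(one)?', 'gone'),
        (r'^capri:r(edirect)?=(.+)', 'redirect'),
        (r'^capri:p(roxy)?=(.+)', 'proxy'),
    ]
    for pattern, action in rules:
        hit = re.match(pattern, url)
        if hit:
            target = hit.group(2) if hit.re.groups == 2 else None
            return (action, target, log_block)
    return ('fallback', None, log_block)                     # [15] restore REQUEST_URI

if __name__ == '__main__':
    # Constructed sample values; 203.0.113.7 is a documentation address.
    seen = {'203.0.113.7'}
    for value, ip in [('capri:ipc=/welcome.html|f', '198.51.100.9'),
                      ('capri:ipc=/welcome.html|f', '203.0.113.7'),
                      ('CAPRI-X:R=http://example.org/', '203.0.113.7'),
                      ('capri:bogus=1', '203.0.113.7')]:
        print(value, ip, resolve(value, ip, seen, log_block_global=False))
```

Running every value in capri.conf through such a model shows which entries end in `proxy` or `redirect`, the two actions that send a request to a target named in the map file.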