
Added:

- Whitelist per URI
- Whitelist per UA now supports PCRE
- Custom charset support (defaults to UTF-8)
- Support session-cookie validity_window (when set to 0)

Fixed:
- POSTs with multipart/form-data now get cleanly challenged (no
  resubmission support for now)
- Form name/value quote handling
- Incorrect whitespace handling
- Custom challenge_hash_input values now work
yuri-gushin committed Jun 29, 2011
1 parent bcb7d80 commit 2e067f52b4ac4d78eae1d975e1116bea27bd58e1
@@ -36,41 +36,47 @@ Configuration
The following parameters may be configured to control the module:
Roboo_challenge_modes - "SWF,gzip":
- - "JS" or "SWF" for pure Javascript-based challenge or flash + javascript challenge. If Roboo is used behind a site
- with flash content - it is advised on using this verification type for maximum security.
+ - "JS" or "SWF" for pure Javascript-based challenge or flash + javascript challenge. If Roboo is used behind a
+ site with flash content - it is advised on using this verification type for maximum security.
- ",gzip" to enable gzip compression of the chosen challenge type
Roboo_cookie_name - "Anti-Robot"
- The name of the HTTP cookie to contain the challenge/response key
Roboo_validity_window - 600
- Validity window in seconds for the challenge/response key - when expired, client will be re-challenged
+ - When set to zero - the validity per authenticated host will persist until Roboo is restarted
- Roboo_whitelist - "UA('Googlebot'),IP(127.0.0.0/8)"
- - UA('string') syntax whitelists a user-agent string
+ Roboo_whitelist - "UA('Googlebot'),IP(127.0.0.0/8),URI('^/ajax/')"
+ - UA('pcre_string') and URI('pcre_string') syntax whitelists a user-agent or URI string using PCRE
- IP(0.0.0.0/0) syntax whitelists a CIDR network
+ Roboo_charset - "UTF-8"
+ - The character set to use during the challenge - so POST challenges that resubmit data use the correct encoding
+
(Advanced) Roboo_challenge_hash_input - $remote_addr (client IP address)
- - Sets the input to the challenge hash function producing the key - the default should be fine for most environments,
- if deeper verification resolution is desired more variables can be added. For example, changing it to
- "$remote_addr$http_user_agent" ensures a different challenge key is generated for every IP address + User-Agent,
- meaning different clients behind a NAT will be challenged and verified with different keys.
+ - Sets the input to the challenge hash function producing the key - the default should be fine for most
+ environments, if deeper verification resolution is desired more variables can be added. For example, changing
+ it to "$remote_addr$http_user_agent" ensures a different challenge key is generated for every IP address +
+ User-Agent, meaning different clients behind a NAT will be challenged and verified with different keys.
(Advanced) Roboo_secret - "<RANDOM STRING>"
- - The secret is used for the challenge key computation and is by default regenerated on every Roboo (Nginx) invocation.
- - It is possible to specify the secret as part of the configuration - use only when required, as setting this value
- statically reduces the strength of the challenge key.
- - Use case - when multiple Roboo servers are being used behind a load-balancer without persistence set up - since each
- server produces a unique challenge key - the host will need to reauthenticate every time it reaches a different server.
- Setting this value identically across an array of such Roboo servers will result in the generation of identical keys and
- eliminate the key mismatch problems.
- In order for multiple Roboo servers to produce the same challenge key, the following conditions must be met across all
- servers:
+ - The secret is used for the challenge key computation and is by default regenerated on every Roboo (Nginx)
+ invocation.
+ - It is possible to specify the secret as part of the configuration - use only when required, as setting this
+ value statically reduces the strength of the challenge key.
+ - Use case - when multiple Roboo servers are being used behind a load-balancer without persistence set up -
+ since each server produces a unique challenge key - the host will need to reauthenticate every time it reaches a
+ different server.
+ Setting this value identically across an array of such Roboo servers will result in the generation of identical
+ keys and eliminate the key mismatch problems.
+ In order for multiple Roboo servers to produce the same challenge key, the following conditions must be met
+ across all servers:
- Roboo secret value - use the same long random string as input
* Change & synchronize the secret periodically (e.g. with cronjob)
- System time & validity window - ensure time is synchronized and the same Roboo_validity_window is configured
- Perl environment - ensure the same RANDBITS value was compiled into perl
- * Verify by running: perl -MConfig -e 'print "$Config{randbits}\n";')
+ * Verify by running: perl -MConfig -e 'print "$Config{randbits}\n";'
Installation
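Review bot: the new whitelist text at `UA('pcre_string') and URI('pcre_string')` should say whether patterns are anchored; the examples are inconsistent on this point (`URI('^/ajax/')` is anchored, `UA('Googlebot')` is not), and an unanchored URI pattern matches anywhere in the path. The README should also state that a UA entry trusts a client-supplied header, so `UA('Googlebot')` on its own exempts any client that sends that string; recommend documenting that UA entries be paired with an `IP(...)` entry where the crawler's ranges are known.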
114 Roboo.pm

@@ -5,9 +5,9 @@
<movie disabled="False" />
<movie input="" />
<movie path="bin\cookie.swf" />
- <movie fps="30" />
- <movie width="100" />
- <movie height="100" />
+ <movie fps="1" />
+ <movie width="1" />
+ <movie height="1" />
<movie version="10" />
<movie background="#FFFFFF" />
</output>
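Review bot: shrinking the movie to 1x1 at 1 fps is sensible for a helper SWF whose only job is to set a cookie, but neither the commit message nor the project file records why; add a short comment beside `<movie fps="1" />` (or a line in the README's SWF challenge section) so the values are not "fixed" back to 100x100 at 30 fps by the next editor.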
@@ -66,7 +66,7 @@
</library>
<!-- Class files to compile (other referenced classes will automatically be included) -->
<compileTargets>
- <compile path="src\GET.as" />
+ <compile path="src\POST.as" />
</compileTargets>
<!-- Paths to exclude from the Project Explorer tree -->
<hiddenPaths>
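Review bot: the compile target switches from `src\GET.as` to `src\POST.as`, which is a behaviour change for the SWF helper, yet the commit message only says multipart POSTs are "cleanly challenged (no resubmission support for now)"; the message or README should state that the helper now resubmits via POST and whether `GET.as` is removed or still shipped, since its fate is not visible in this hunk.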
@@ -1,9 +0,0 @@
-movie 'Z:\SharedSpace\Projects\Web cookies\SWFCookie\bin\cookie.swf' {
-// flash 10, total frames: 1, frame rate: 30 fps, 100x100 px, compressed
-
- metadata <rdf:RDF xmlns:rdf=\'http://www.w3.org/1999/02/22-rdf-syntax-ns#\'><rdf:Description rdf:about=\'\' xmlns:dc=\'http://purl.org/dc/elements/1.1\'><dc:format>application/x-shockwave-flash</dc:format><dc:title>Adobe Flex 4 Application</dc:title><dc:description>http://www.adobe.com/products/flex</dc:description><dc:publisher>unknown</dc:publisher><dc:creator>unknown</dc:creator><dc:language>EN</dc:language><dc:date>Feb 10, 2011</dc:date></rdf:Description></rdf:RDF>
-
- // unknown tag 82 length 1305
-
- // unknown tag 76 length 9
-}
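Review bot: removing this decompiler dump is right; note that it embedded a workstation path (`Z:\SharedSpace\Projects\Web cookies\SWFCookie\bin\cookie.swf`) and build metadata, so check that no other committed artifact carries the same, and consider ignoring decompiler output so it does not return in a later commit.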
Binary file not shown.
Binary file not shown.
@@ -1,33 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--This Adobe Flex compiler configuration file was generated by a tool.-->
-<!--Any modifications you make may be lost.-->
-<flex-config>
- <target-player>10.0.0</target-player>
- <compiler>
- <define>
- <name>CONFIG::debug</name>
- <value>false</value>
- </define>
- <define>
- <name>CONFIG::release</name>
- <value>true</value>
- </define>
- <define>
- <name>CONFIG::timeStamp</name>
- <value>'12/2/2011 8:11 PM'</value>
- </define>
- <source-path append="true">
- <path-element>Z:\SharedSpace\Projects\Web cookies\SWFCookie\src</path-element>
- <path-element>C:\Program Files\FlashDevelop\Library\AS3\classes</path-element>
- </source-path>
- </compiler>
- <file-specs>
- <path-element>Z:\SharedSpace\Projects\Web cookies\SWFCookie\src\GET.as</path-element>
- </file-specs>
- <default-background-color>#FFFFFF</default-background-color>
- <default-frame-rate>30</default-frame-rate>
- <default-size>
- <width>100</width>
- <height>100</height>
- </default-size>
-</flex-config>
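Review bot: good to drop this file, which its own header marks as generated ("generated by a tool", "Any modifications you make may be lost") and which pins absolute paths under `Z:\SharedSpace\...` and `C:\Program Files\FlashDevelop\...`; the sibling generated configuration kept in this commit has the same properties, so the generated compiler configuration should be excluded from the repository as a whole rather than deleted file by file.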
@@ -14,20 +14,20 @@
</define>
<define>
<name>CONFIG::timeStamp</name>
- <value>'12/2/2011 8:17 PM'</value>
+ <value>'29/6/2011 12:59 PM'</value>
</define>
<source-path append="true">
- <path-element>Z:\SharedSpace\Projects\Web cookies\SWFCookie\src</path-element>
+ <path-element>Z:\SharedSpace\Projects\Roboo\Roboo\helper-tools\SWFCookie\src</path-element>
<path-element>C:\Program Files\FlashDevelop\Library\AS3\classes</path-element>
</source-path>
</compiler>
<file-specs>
- <path-element>Z:\SharedSpace\Projects\Web cookies\SWFCookie\src\GET.as</path-element>
+ <path-element>Z:\SharedSpace\Projects\Roboo\Roboo\helper-tools\SWFCookie\src\POST.as</path-element>
</file-specs>
<default-background-color>#FFFFFF</default-background-color>
- <default-frame-rate>30</default-frame-rate>
+ <default-frame-rate>1</default-frame-rate>
<default-size>
- <width>100</width>
- <height>100</height>
+ <width>1</width>
+ <height>1</height>
</default-size>
</flex-config>
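Review bot: this generated file remains committed and now hard-codes `Z:\SharedSpace\Projects\Roboo\Roboo\helper-tools\SWFCookie\src` plus a build timestamp (`<value>'29/6/2011 12:59 PM'</value>`); every rebuild on another machine will produce a spurious diff and the timestamp will churn on each build. Exclude it and keep the FlashDevelop project file edited earlier in this commit as the source of truth for the compile target and movie settings.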
@@ -28,8 +28,8 @@
<![CDATA[
function (cookie_name, cookie_value, cookie_validity) {
document.cookie=cookie_name + '=' + cookie_value + '; max-age=' + cookie_validity + '; path=/';
- document.response.action=window.location.pathname+window.location.search
- document.response.submit();
+ document.response.action = window.location.pathname + window.location.search;
+ document.forms[0].submit();
}
]]>
</script>
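Review bot: the two new statements target different objects: the action is set on `document.response` but the submit is issued on `document.forms[0]`, which is the same form only when the form named `response` happens to be the first form in the page. Either keep `document.response.submit();` as the removed line did, or set the action on `document.forms[0]` as well, so the resubmission cannot go to the wrong form.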
@@ -54,14 +54,15 @@ http {
location / {
perl Roboo::handler;
- set $Roboo_challenge_modes "SWF,gzip"; # SWF or JS, optionally gzip for encoding ("JS,gzip" or "SWF,gzip")
+ set $Roboo_challenge_modes "SWF,gzip"; # SWF or JS, optionally gzip for encoding ("JS,gzip" or "SWF,gzip")
# Defaults
- #set $Roboo_cookie_name "Anti-Robot"; # Cookie name used for challenge/response
- #set $Roboo_validity_window 600; # Authentication validity time window
- #set $Roboo_whitelist "IP(),UA('')"; # Whitelist - IP addresses or user-agents ("IP(123.123.123.0/24),UA('Googlebot'),IP(..),UA('..')")
- #set $Roboo_challenge_hash_input $remote_addr; # Advanced - challenge hash basis, can add $server_name$server_port$http_host$http_user_agent
-
+ #set $Roboo_cookie_name "Anti-Robot"; # Cookie name used for challenge/response
+ #set $Roboo_validity_window 600; # Authentication validity time window
+ #set $Roboo_whitelist "IP(),UA(''),URI('')"; # Whitelist - IP addresses (CIDR), user-agents or URIs (PCRE)
+ #set $Roboo_charset "UTF-8"; # Charset used during challenge (for proper POST resubmissions)
+ #set $Roboo_challenge_hash_input $remote_addr; # Advanced - challenge hash basis, can add $server_name$server_port$http_host$http_user_agent
+
error_page 555 = @proxy;
expires epoch;
add_header Last-Modified "";
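Review bot: the commented-out default `#set $Roboo_whitelist "IP(),UA(''),URI('')";` now presents empty PCRE entries for UA and URI; verify that the module treats an empty pattern as "no entry" rather than compiling it (in Perl an empty pattern reuses the last successfully matched regex), and either drop the empty placeholders from the sample or say so in the comment. The comment should also mention anchoring URI patterns, as the README example `URI('^/ajax/')` does, since an unanchored pattern whitelists any path containing the string.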
