Add foswiki.apache.blocked_agents to configure blocked user agents

ce47026f · André Kerkhoff · 548f3081 · ce47026f · ce47026f · ce47026f
Commit ce47026f authored Jun 11, 2021 by André Kerkhoff
--- a/attributes/apache.rb
+++ b/attributes/apache.rb
 # Apache configuration for the default Foswiki installation
 default['foswiki']['apache']['access_control'] = 'System/ResetPassword'
+default['foswiki']['apache']['blocked_agents'] = %w(^$ ^Accoona ^ActiveAgent ^Attache BecomeBot ^bot Charlotte/ ^ConveraCrawler ^CrownPeak-HttpAgent ^EmailCollector ^EmailSiphon ^e-SocietyRobot ^Exabot ^FAST ^FDM ^GetRight/6.0a ^GetWebPics ^Gigabot ^gonzo1 ^Google\sSpider ^ichiro ^ie_crawler ^iGetter ^IRLbot Jakarta ^Java ^KrakSpider ^larbin ^LeechGet ^LinkWalker ^Lsearch ^Microsoft MJ12bot MSIECrawler ^MSRBOT ^noxtrumbot ^NutchCVS ^RealDownload ^Rome ^Roverbot ^schibstedsokbot SemrushBot ^Seekbot ^SiteSnagger ^SiteSucker ^Snapbot ^sogou ^SpiderKU ^SpiderMan ^Squid ^Teleport ^User-Agent\: VoilaBot ^voyager ^w3search ^Web\sDownloader ^WebCopier ^WebDevil ^WebSec ^WebVac ^Webwhacker ^Webzip ^Wells ^WhoWhere www\.netforex\.org ^WX_mail ^yacybot ^ZIBB)
 default['foswiki']['apache']['blocked_ips'] = [] # regexes for full IPs
 default['foswiki']['apache']['cert_chain_file'] = nil
 default['foswiki']['apache']['cert_file'] = nil

--- a/metadata.rb
+++ b/metadata.rb
@@ -3,7 +3,7 @@ maintainer       'HPC'
 maintainer_email 'hpc@gsi.de'
 license          'All rights reserved'
 description      'Installs/Configures Foswiki'
-version          '2.10.0'
+version          '2.11.0'
 depends          'apache2', '< 6.0'
 supports         'debian'
 supports         'ubuntu'
--- a/recipes/apache.rb
+++ b/recipes/apache.rb
@@ -61,6 +61,7 @@ script_url_path_view = node['foswiki']['config']['ScriptUrlPaths']['view']

 web_app apache_conf['server_name'] do
  access_control apache_conf['access_control']
+  blocked_agents apache_conf['blocked_agents']
  blocked_ips apache_conf['blocked_ips']
  cert_name apache_conf['cert_name']
  cert_chain_file apache_conf['cert_chain_file']

--- a/templates/web_app.conf.erb
+++ b/templates/web_app.conf.erb
@@ -278,81 +278,10 @@
    # including its own topics as URLs and also prevents other Foswikis from
    # doing the same. This is important to prevent the most obvious
    # Denial of Service attacks.
-    #
-    # You can expand this by adding more BrowserMatchNoCase statements to
-    # block evil browser agents trying to crawl your Foswiki
-    #
-    # Example:
-    # BrowserMatchNoCase ^SiteSucker blockAccess
-    # BrowserMatchNoCase ^$ blockAccess
-
-    BrowserMatchNoCase ^Accoona blockAccess
-    BrowserMatchNoCase ^ActiveAgent blockAccess
-    BrowserMatchNoCase ^Attache blockAccess
-    BrowserMatchNoCase BecomeBot blockAccess
-    BrowserMatchNoCase ^bot blockAccess
-    BrowserMatchNoCase Charlotte/ blockAccess
-    BrowserMatchNoCase ^ConveraCrawler blockAccess
-    BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
-    BrowserMatchNoCase ^EmailCollector blockAccess
-    BrowserMatchNoCase ^EmailSiphon blockAccess
-    BrowserMatchNoCase ^e-SocietyRobot blockAccess
-    BrowserMatchNoCase ^Exabot blockAccess
-    BrowserMatchNoCase ^FAST blockAccess
-    BrowserMatchNoCase ^FDM blockAccess
-    BrowserMatchNoCase ^GetRight/6.0a blockAccess
-    BrowserMatchNoCase ^GetWebPics blockAccess
-    BrowserMatchNoCase ^Gigabot blockAccess
-    BrowserMatchNoCase ^gonzo1 blockAccess
-    BrowserMatchNoCase ^Google\sSpider blockAccess
-    BrowserMatchNoCase ^ichiro blockAccess
-    BrowserMatchNoCase ^ie_crawler blockAccess
-    BrowserMatchNoCase ^iGetter blockAccess
-    BrowserMatchNoCase ^IRLbot blockAccess
-    BrowserMatchNoCase Jakarta blockAccess
-    BrowserMatchNoCase ^Java blockAccess
-    BrowserMatchNoCase ^KrakSpider blockAccess
-    BrowserMatchNoCase ^larbin blockAccess
-    BrowserMatchNoCase ^LeechGet blockAccess
-    BrowserMatchNoCase ^LinkWalker blockAccess
-    BrowserMatchNoCase ^Lsearch blockAccess
-    BrowserMatchNoCase ^Microsoft blockAccess
-    BrowserMatchNoCase MJ12bot blockAccess
-    BrowserMatchNoCase MSIECrawler blockAccess
-    BrowserMatchNoCase ^MSRBOT blockAccess
-    BrowserMatchNoCase ^noxtrumbot blockAccess
-    BrowserMatchNoCase ^NutchCVS blockAccess
-    BrowserMatchNoCase ^RealDownload blockAccess
-    BrowserMatchNoCase ^Rome blockAccess
-    BrowserMatchNoCase ^Roverbot blockAccess
-    BrowserMatchNoCase ^schibstedsokbot blockAccess
-    BrowserMatchNoCase SemrushBot blockAccess
-    BrowserMatchNoCase ^Seekbot blockAccess
-    BrowserMatchNoCase ^SiteSnagger blockAccess
-    BrowserMatchNoCase ^SiteSucker blockAccess
-    BrowserMatchNoCase ^Snapbot blockAccess
-    BrowserMatchNoCase ^sogou blockAccess
-    BrowserMatchNoCase ^SpiderKU blockAccess
-    BrowserMatchNoCase ^SpiderMan blockAccess
-    BrowserMatchNoCase ^Squid blockAccess
-    BrowserMatchNoCase ^Teleport blockAccess
-    BrowserMatchNoCase ^User-Agent\: blockAccess
-    BrowserMatchNoCase VoilaBot blockAccess
-    BrowserMatchNoCase ^voyager blockAccess
-    BrowserMatchNoCase ^w3search blockAccess
-    BrowserMatchNoCase ^Web\sDownloader blockAccess
-    BrowserMatchNoCase ^WebCopier blockAccess
-    BrowserMatchNoCase ^WebDevil blockAccess
-    BrowserMatchNoCase ^WebSec blockAccess
-    BrowserMatchNoCase ^WebVac blockAccess
-    BrowserMatchNoCase ^Webwhacker blockAccess
-    BrowserMatchNoCase ^Webzip blockAccess
-    BrowserMatchNoCase ^Wells blockAccess
-    BrowserMatchNoCase ^WhoWhere blockAccess
-    BrowserMatchNoCase www\.netforex\.org blockAccess
-    BrowserMatchNoCase ^WX_mail blockAccess
-    BrowserMatchNoCase ^yacybot blockAccess
-    BrowserMatchNoCase ^ZIBB blockAccess
+
+<% (@params[:blocked_agents] || []).each do |agent| -%>
+    BrowserMatchNoCase "<%= agent %>" blockAccess
+<% end -%>
 <% (@params[:blocked_ips] || []).each do |ip| -%>
    SetEnvIf Remote_Addr "^<%= ip %>$" blockAccess
 <% end -%>