Forward http message as is

rzo rzo at gmx.de
Fri Jan 8 18:25:29 EST 2010 

Hello,

I tried a few times to create an entry on the jboss wiki.
But it hangs every time I click the create new entry.

I am therefore including it here:


      Netty Example: implementing a simple WAF (Web Application Firewall)


This example shows how to implement a simple WAF (Web Application 
Firewall <http://de.wikipedia.org/wiki/Web_Application_Firewall>) using 
netty.
For this we create a proxy server which receives the http requests. If 
  the request is ok, the "bytes"
received are forwarded to the web server.

As starting point we use the HexDumpProxy example which comes with the 
netty distribution.
We adapt the PipelineFactory from the example by adding the 
InterceptStart, HttpDecoder and InterceptStop handlers.

public class WafPipelineFactory implements ChannelPipelineFactory {

     private final ClientSocketChannelFactory cf;

     private final String remoteHost;

     private final int remotePort;


     public WafPipelineFactory(ClientSocketChannelFactory cf, String 
remoteHost, int remotePort) {

         this.cf = cf;

         this.remoteHost = remoteHost;

         this.remotePort = remotePort;

     }

         public ChannelPipeline getPipeline() throws Exception {

             ChannelPipeline pipeline = pipeline();

* pipeline.addLast("interceptStart", new InterceptStart());*

* pipeline.addLast("decoder", new HttpRequestDecoder());*

*             pipeline.addLast("aggregator", new 
HttpChunkAggregator(1048576));*

*              pipeline.addLast("interceptStop", new InterceptStop());*

             pipeline.addLast("handler", new 
HexDumpProxyInboundHandler(cf, remoteHost, remotePort));


             return pipeline;

         }

}


InterceptStart intercepts all incoming messages and makes a copy into a 
local buffer

public class InterceptStart extends SimpleChannelUpstreamHandler {


     ChannelBuffer buf = null;

     @Override

      public void messageReceived(ChannelHandlerContext ctx, 
MessageEvent evt) throws Exception

      {

          ChannelBuffer m = (ChannelBuffer) evt.getMessage();

          ChannelBuffer buf = (ChannelBuffer) ctx.getAttachment();

          if (buf == null)

          {

              // if this is a new connection create a new buffer and 
attach it to the context

              buf = dynamicBuffer();

              ctx.setAttachment(buf);

          }

          // copy the incoming bytes to the buffer

          m.markReaderIndex();

          buf.writeBytes(m);

          m.resetReaderIndex();

          // send the buffer further upstream to the HttpDecoder

          super.messageReceived(ctx, evt);

         }

}


InterceptStop receives the http request, analyzes it, and if ok gets the 
copy buffer from InterceptStart and forwards it to the http proxy

public class InterceptStop extends SimpleChannelUpstreamHandler {


             @Override

              public void messageReceived(ChannelHandlerContext ctx, 
MessageEvent evt) {

                  if (evt.getMessage() != null)

                  {

                      HttpRequest request = (HttpRequest) evt.getMessage();

                      // make sure that the http request is complete
                     // this may not be necessary ??

                     if (request.getContentLength() == 0 || 
request.getContentLength() == request.getContent().writerIndex())

                      {

                      ChannelBuffer buf = (ChannelBuffer) 
ctx.getPipeline().getContext("interceptStart").getAttachment();

                     if (buf == null)

                      {

                          System.out.println("this should not happen");

                      }

                      else if (buf.writerIndex() != 0)

                      {

                            // check the request

                           if ( ! wafCheck(request))

                           {

                                     // bad request -> close the channel

                                    cts.getChannel.close();

                                    return;

                             }

                            // request is ok, remove the copy the 
interceptor

                          
  ctx.getPipeline().getContext("interceptStart").setAttachment(null);

                           // forward the buffer to the proxy

                           ctx.sendUpstream(new 
UpstreamMessageEvent(evt.getChannel(), buf, evt.getRemoteAddress()));

                      }

                      }


                  }

                 }

}


To check the http request one may use the OWASP Stinger Project 
<http://www.owasp.org/index.php/Category:OWASP_Stinger_Project> or a 
similar framework.
Since these frameworks generally analyze a HttpServletRequest 
<http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletRequest.html> 
we need an adapter <http://en.wikipedia.org/wiki/Adapter_pattern> to 
adapt to the netty HttpRequest.
Implementing the adapter is straight forward.




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/netty-users/attachments/20100109/50995231/attachment-0001.html

More information about the netty-users mailing list