Add variables to hold processing times for modsecurity phases

awmackowiak · awmackowiak · commit e6954925e357 · 2022-03-24T13:36:43.000+01:00
diff --git a/src/ngx_http_modsecurity_body_filter.c b/src/ngx_http_modsecurity_body_filter.c
@@ -156,6 +156,8 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
         if (is_request_processed) {
             ngx_pool_t *old_pool;
+            struct timeval start_tv;
+            ngx_gettimeofday(&start_tv);
 
             old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
             msc_process_response_body(ctx->modsec_transaction);
@@ -164,6 +166,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
 /* XXX: I don't get how body from modsec being transferred to nginx's buffer.  If so - after adjusting of nginx's
    XXX: body we can proceed to adjust body size (content-length).  see xslt_body_filter() for example */
             ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
+            ctx->resp_body_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);
             if (ret > 0) {
                 return ret;
             }
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
@@ -99,6 +99,10 @@ typedef struct {
     unsigned processed:1;
     unsigned logged:1;
     unsigned intervention_triggered:1;
+    ngx_msec_int_t req_headers_phase_time;
+    ngx_msec_int_t req_body_phase_time;
+    ngx_msec_int_t resp_headers_phase_time;
+    ngx_msec_int_t resp_body_phase_time;
 } ngx_http_modsecurity_ctx_t;
 
 
@@ -164,5 +168,6 @@ ngx_int_t ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r);
 /* ngx_http_modsecurity_rewrite.c */
 ngx_int_t ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r);
 
+ngx_msec_int_t ngx_http_modsecurity_compute_processing_time(struct timeval tv);
 
 #endif /* _NGX_HTTP_MODSECURITY_COMMON_H_INCLUDED_ */
diff --git a/src/ngx_http_modsecurity_header_filter.c b/src/ngx_http_modsecurity_header_filter.c
@@ -446,6 +446,9 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
         return ngx_http_next_header_filter(r);
     }
 
+    struct timeval start_tv;
+    ngx_gettimeofday(&start_tv);
+
     /*
      * Lets ask nginx to keep the response body in memory
      *
@@ -524,9 +527,12 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
 #endif
 
     old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
-    msc_process_response_headers(ctx->modsec_transaction, status, http_response_ver);
+    msc_process_response_headers(ctx->modsec_transaction, status, http_response_ver);    
     ngx_http_modsecurity_pcre_malloc_done(old_pool);
     ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
+    
+    ctx->resp_headers_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);
+
     if (r->error_page) {
         return ngx_http_next_header_filter(r);
     }
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
@@ -25,13 +25,24 @@
 #include <ngx_http.h>
 
 static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf);
+static ngx_int_t ngx_http_modsecurity_add_variables(ngx_conf_t *cf);
 static void *ngx_http_modsecurity_create_main_conf(ngx_conf_t *cf);
 static char *ngx_http_modsecurity_init_main_conf(ngx_conf_t *cf, void *conf);
 static void *ngx_http_modsecurity_create_conf(ngx_conf_t *cf);
 static char *ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child);
 static void ngx_http_modsecurity_cleanup_instance(void *data);
 static void ngx_http_modsecurity_cleanup_rules(void *data);
 
+static ngx_int_t ngx_http_modsecurity_req_headers_phase_time(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_modsecurity_req_body_phase_time(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_modsecurity_resp_headers_phase_time(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_modsecurity_resp_body_phase_time(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_modsecurity_time_variable(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data, ngx_msec_int_t usec);
 
 /*
  * PCRE malloc/free workaround, based on
@@ -268,6 +279,11 @@ ngx_http_modsecurity_create_ctx(ngx_http_request_t *r)
         return NULL;
     }
 
+    ctx->req_headers_phase_time = -1;
+    ctx->req_body_phase_time = -1;
+    ctx->resp_headers_phase_time = -1;
+    ctx->resp_body_phase_time = -1;
+
     mmcf = ngx_http_get_module_main_conf(r, ngx_http_modsecurity_module);
     mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
 
@@ -490,7 +506,7 @@ static ngx_command_t ngx_http_modsecurity_commands[] =  {
 
 
 static ngx_http_module_t ngx_http_modsecurity_ctx = {
-    NULL,                                  /* preconfiguration */
+    ngx_http_modsecurity_add_variables,    /* preconfiguration */
     ngx_http_modsecurity_init,             /* postconfiguration */
 
     ngx_http_modsecurity_create_main_conf, /* create main configuration */
@@ -520,6 +536,27 @@ ngx_module_t ngx_http_modsecurity_module = {
 };
 
 
+static ngx_http_variable_t  ngx_http_modsecurity_vars[] = {
+    { ngx_string("modsecurity_req_headers_phase_time"), NULL,
+      ngx_http_modsecurity_req_headers_phase_time, 0,
+      NGX_HTTP_VAR_NOCACHEABLE, 0 },
+
+    { ngx_string("modsecurity_req_body_phase_time"), NULL,
+      ngx_http_modsecurity_req_body_phase_time, 0,
+      NGX_HTTP_VAR_NOCACHEABLE, 0 },
+
+    { ngx_string("modsecurity_resp_headers_phase_time"), NULL,
+      ngx_http_modsecurity_resp_headers_phase_time, 0,
+      NGX_HTTP_VAR_NOCACHEABLE, 0 },
+    
+    { ngx_string("modsecurity_resp_body_phase_time"), NULL,
+      ngx_http_modsecurity_resp_body_phase_time, 0,
+      NGX_HTTP_VAR_NOCACHEABLE, 0 },
+
+      ngx_http_null_variable
+};
+
+
 static ngx_int_t
 ngx_http_modsecurity_init(ngx_conf_t *cf)
 {
@@ -596,6 +633,23 @@ ngx_http_modsecurity_init(ngx_conf_t *cf)
     return NGX_OK;
 }
 
+static ngx_int_t
+ngx_http_modsecurity_add_variables(ngx_conf_t *cf) {
+    ngx_http_variable_t  *var, *v;
+
+    for (v = ngx_http_modsecurity_vars; v->name.len; v++) {
+        var = ngx_http_add_variable(cf, &v->name, v->flags);
+        if (var == NULL) {
+            return NGX_ERROR;
+        }
+
+        var->get_handler = v->get_handler;
+        var->data = v->data;
+    }
+
+    return NGX_OK;
+};
+
 
 static void *
 ngx_http_modsecurity_create_main_conf(ngx_conf_t *cf)
@@ -788,4 +842,92 @@ ngx_http_modsecurity_cleanup_rules(void *data)
 }
 
 
+static ngx_int_t
+ngx_http_modsecurity_req_headers_phase_time(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data)
+{
+    ngx_http_modsecurity_ctx_t *ctx;
+
+    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+    return ngx_http_modsecurity_time_variable(r, v, data, ctx->req_headers_phase_time);
+}
+
+
+static ngx_int_t
+ngx_http_modsecurity_req_body_phase_time(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data)
+{
+    ngx_http_modsecurity_ctx_t *ctx;
+
+    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+    return ngx_http_modsecurity_time_variable(r, v, data, ctx->req_body_phase_time);
+}
+
+
+static ngx_int_t
+ngx_http_modsecurity_resp_headers_phase_time(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data)
+{
+    ngx_http_modsecurity_ctx_t *ctx;
+
+    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+    return ngx_http_modsecurity_time_variable(r, v, data, ctx->resp_headers_phase_time);
+}
+
+
+static ngx_int_t
+ngx_http_modsecurity_resp_body_phase_time(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data)
+{
+    ngx_http_modsecurity_ctx_t *ctx;
+
+    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+    return ngx_http_modsecurity_time_variable(r, v, data, ctx->resp_body_phase_time);
+}
+
+static ngx_int_t
+ngx_http_modsecurity_time_variable(ngx_http_request_t *r,
+    ngx_http_variable_value_t *v, uintptr_t data, ngx_msec_int_t usec)
+{
+    u_char  *p;
+
+    p = ngx_pnalloc(r->pool, NGX_TIME_T_LEN + 7);
+    if (p == NULL) {
+        return NGX_ERROR;
+    }
+
+    if(usec == -1) {
+        v->len = ngx_sprintf(p, "-") - p;
+    } else  {
+        v->len = ngx_sprintf(p, "%T.%06M", (time_t) usec / 1000000, usec % 1000000) - p;
+    }
+
+    v->valid = 1;
+    v->no_cacheable = 0;
+    v->not_found = 0;
+    v->data = p;
+
+    return NGX_OK;
+}
+
+
+ngx_msec_int_t
+ngx_http_modsecurity_compute_processing_time(struct timeval tv) {
+    struct timeval current_tv;
+    ngx_gettimeofday(&current_tv);
+    return (ngx_msec_int_t) ((current_tv.tv_sec - tv.tv_sec) * 1000000 + (current_tv.tv_usec - tv.tv_usec));
+};
+
 /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
diff --git a/src/ngx_http_modsecurity_pre_access.c b/src/ngx_http_modsecurity_pre_access.c
@@ -140,6 +140,9 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
         int ret = 0;
         int already_inspected = 0;
 
+        struct timeval start_tv;
+        ngx_gettimeofday(&start_tv);
+
         dd("request body is ready to be processed");
 
         r->write_event_handler = ngx_http_core_run_phases;
@@ -209,7 +212,11 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
 /* XXX: once more -- is body can be modified ?  content-length need to be adjusted ? */
 
         old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
+
         msc_process_request_body(ctx->modsec_transaction);
+
+        ctx->req_body_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);
+
         ngx_http_modsecurity_pcre_malloc_done(old_pool);
 
         ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
diff --git a/src/ngx_http_modsecurity_rewrite.c b/src/ngx_http_modsecurity_rewrite.c
@@ -51,6 +51,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
     if (ctx == NULL)
     {
         int ret = 0;
+        struct timeval start_tv;
+
+        ngx_gettimeofday(&start_tv);
 
         ngx_connection_t *connection = r->connection;
         /**
@@ -206,6 +209,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
         ngx_http_modsecurity_pcre_malloc_done(old_pool);
         dd("Processing intervention with the request headers information filled in");
         ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 1);
+
+        ctx->req_headers_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);
+        
         if (r->error_page) {
             return NGX_DECLINED;
             }
@@ -215,6 +221,5 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
         }
     }
 
-
     return NGX_DECLINED;
 }

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`51`	`51`	`if (ctx == NULL)`
`52`	`52`	`{`
`53`	`53`	`int ret = 0;`
	`54`	`+ struct timeval start_tv;`
	`55`	`+`
	`56`	`+ ngx_gettimeofday(&start_tv);`
`54`	`57`
`55`	`58`	`ngx_connection_t *connection = r->connection;`
`56`	`59`	`/**`
`@@ -206,6 +209,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`206`	`209`	`ngx_http_modsecurity_pcre_malloc_done(old_pool);`
`207`	`210`	`dd("Processing intervention with the request headers information filled in");`
`208`	`211`	`ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 1);`
	`212`	`+`
	`213`	`+ ctx->req_headers_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);`
	`214`	`+`
`209`	`215`	`if (r->error_page) {`
`210`	`216`	`return NGX_DECLINED;`
`211`	`217`	`}`
`@@ -215,6 +221,5 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)`
`215`	`221`	`}`
`216`	`222`	`}`
`217`	`223`
`218`		`-`
`219`	`224`	`return NGX_DECLINED;`
`220`	`225`	`}`