ucphhpc · jonasbardino · Nov 10, 2025
diff --git a/mig/install/apache-MiG-template.conf b/mig/install/apache-MiG-template.conf
@@ -181,6 +181,21 @@ Alias /status-events.json "__MIG_STATE__/wwwpublic/status-events.json"
     </FilesMatch>
 </IfModule>
 
+# Optional DDoS protection with conservative request limits
+<IfModule mod_evasive20.c>
+    DOSPageCount 5
+    DOSSiteCount 50
+    DOSPageInterval 1
+    DOSSiteInterval 1
+    DOSHashTableSize 32768
+    DOSBlockingPeriod 300
+    DOSEmailNotify __EVASIVE_DOSEMAILNOTIFY__
+
+    # Never block localhost and optionally any registered security scanners
+    DOSWhitelist 127.0.0.1/8
+    __EVASIVE_ALLOW_SECSCAN_COMMENTED__ DOSWhitelist __SECSCAN_ADDR__
+</IfModule>
+
 <IfModule mod_mime.c>
     # NOTE: workaround for broken double gzip decompression e.g. in Firefox.
     #       The bam files are in fact already gzip files and require care:

diff --git a/mig/install/apache-mimic-deb-template.conf b/mig/install/apache-mimic-deb-template.conf
@@ -80,6 +80,9 @@ __JUPYTER_COMMENTED__ LoadModule lbmethod_byrequests_module modules/mod_lbmethod
 # Optional Header mangling if requested (for HSTS)
 __HSTS_COMMENTED__ LoadModule headers_module modules/mod_headers.so
 
+# Optional DDoS protection if requested (for mod evasive)
+__EVASIVE_COMMENTED__ LoadModule evasive20_module modules/mod_evasive20.so
+
 # Apparently we need this mime setup on Redhat to just run apache
 TypesConfig /etc/mime.types
 MIMEMagicFile conf/magic

diff --git a/mig/install/generateconfs.py b/mig/install/generateconfs.py
@@ -1,3 +1,3 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
@@ -20,7 +20,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 #
 # -- END_HEADER ---
 #
@@ -47,7 +47,7 @@

 # NOTE: moved mig imports into try/except to avoid autopep8 moving to top!
 try:
    from mig.shared.defaults import MIG_BASE, MIG_ENV
    from mig.shared.install import generate_confs
 except ImportError:
    print("ERROR: the migrid modules must be in PYTHONPATH")
@@ -280,6 +280,7 @@
         'enable_cloud',
         'enable_gdp',
         'enable_hsts',
+        'enable_evasive',
         'enable_vhost_certs',
         'enable_verify_certs',
         'enable_seafile',
@@ -306,7 +307,7 @@
        'gdp_email_notify',
    ]
    names = str_names + int_names + bool_names
    settings, options, result = {}, {}, {}
    default_val = 'DEFAULT'
    # Force values to expected type
    for key in names:
@@ -382,7 +383,7 @@
        if val == 'DEFAULT':
            del settings[key]

    (options, result) = _generate_confs(output_path, **settings)

    # TODO: avoid reconstructing this path (also done inside generate_confs)
    instructions_path = os.path.join(options['destination_dir'],

diff --git a/mig/shared/install.py b/mig/shared/install.py
@@ -1,3 +1,3 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 #
@@ -20,7 +20,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 #
 # -- END_HEADER ---
 #
@@ -49,7 +49,7 @@
 import subprocess
 import sys

 from mig.shared.base import force_native_str, force_utf8
 from mig.shared.defaults import default_http_port, default_https_port, \
    auth_openid_mig_db, auth_openid_ext_db, MIG_BASE, STRONG_TLS_CIPHERS, \
    STRONG_TLS_CURVES, STRONG_SSH_HOSTKEYALGOS, STRONG_SSH_KEXALGOS, \
@@ -62,11 +62,11 @@
 from mig.shared.fileio import read_file, read_file_lines, write_file, \
    write_file_lines
 from mig.shared.htmlgen import menu_items
 from mig.shared.jupyter import gen_balancer_proxy_template, gen_openid_template, \
    gen_rewrite_template
 from mig.shared.pwcrypto import password_requirements, make_simple_hash, \
    make_safe_hash
 from mig.shared.safeeval import subprocess_call, subprocess_popen, subprocess_pipe
 from mig.shared.safeinput import valid_alphanumeric, InputException
 from mig.shared.url import urlparse

@@ -88,9 +88,9 @@
 def transform_str_to_dict(input_str):
    """
    Transforms a string input into a Python literal or container.
    The function will only return the transformed object if it becomes a dictionary.
    input_str: The input string that is expected to be
     structured as a dictionary. A valid input_str for example could be '{'hello': 'world'}'.
    """
    try:
        output_dict = ast.literal_eval(input_str)
@@ -102,10 +102,10 @@
    return output_dict


 def determine_timezone(_environ=os.environ, _path_exists=os.path.exists, _print=print):
    """Attempt to detect the timezone in various known portable ways."""

    sys_timezone = None

    timezone_link = '/etc/localtime'
    timezone_cmd = ["/usr/bin/timedatectl", "status"]
@@ -167,7 +167,7 @@


 def fill_template(template_file, output_file, settings, eat_trailing_space=[],
                  additional=None):
    """Fill a configuration template using provided settings dictionary"""
    contents = read_file(template_file, None)
    if contents is None:
@@ -179,7 +179,7 @@
    for (variable, value) in settings.items():
        suffix = ''
        if variable in eat_trailing_space:
            suffix = '\s{0,1}'
        try:
            contents = re.sub(variable + suffix, value, contents)
        except Exception as exc:
@@ -199,8 +199,8 @@
    """ Insert into a configuration template using provided settings dictionary
    :param template_file: path to the template configuration file that should be
    modified with inserts
    :param insert_identifiers: dictionary, where the keys are used as search strings
    to find the index where the insert should take place. The values can either be a list
    of a single string
    :param unique: Whether the function should check whether the supplied value is
    already present in the template_file, if so it won't insert it
@@ -382,6 +382,7 @@
     enable_jupyter=False,
     enable_cloud=False,
     enable_hsts=True,
+    enable_evasive=False,
     enable_vhost_certs=False,
     enable_verify_certs=False,
     enable_seafile=False,
@@ -708,6 +709,7 @@
     enable_jupyter,
     enable_cloud,
     enable_hsts,
+    enable_evasive,
     enable_vhost_certs,
     enable_verify_certs,
     enable_seafile,
@@ -964,6 +966,8 @@
     user_dict['__ENABLE_JUPYTER__'] = "%s" % enable_jupyter
     user_dict['__ENABLE_CLOUD__'] = "%s" % enable_cloud
     user_dict['__ENABLE_HSTS__'] = "%s" % enable_hsts
+    user_dict['__ENABLE_EVASIVE__'] = "%s" % enable_evasive
+    user_dict['__EVASIVE_DOSEMAILNOTIFY__'] = keyword_auto
     user_dict['__ENABLE_VHOST_CERTS__'] = "%s" % enable_vhost_certs
     user_dict['__ENABLE_VERIFY_CERTS__'] = "%s" % enable_verify_certs
     user_dict['__ENABLE_SEAFILE__'] = "%s" % enable_seafile
@@ -1356,6 +1360,18 @@
     else:
         user_dict['__HSTS_COMMENTED__'] = '#'
 
+    # Enable DDoS protection with mod_evasive only if explicitly requested
+    user_dict['__EVASIVE_ALLOW_SECSCAN_COMMENTED__'] = '#'
+    if user_dict['__ENABLE_EVASIVE__'].lower() == 'true':
+        user_dict['__EVASIVE_COMMENTED__'] = ''
+        if user_dict['__SECSCAN_ADDR__']:
+            user_dict['__EVASIVE_ALLOW_SECSCAN_COMMENTED__'] = ''
+    else:
+        user_dict['__EVASIVE_COMMENTED__'] = '#'
+
+    if user_dict['__EVASIVE_DOSEMAILNOTIFY__'] == keyword_auto:
+        user_dict['__EVASIVE_DOSEMAILNOTIFY__'] = admin_email
+
     # Enable vhost-specific certificates only if explicitly requested
     if user_dict['__ENABLE_VHOST_CERTS__'].lower() == 'true':
         user_dict['__VHOSTCERTS_COMMENTED__'] = ''
@@ -1510,7 +1526,7 @@

    if user_dict['__ENABLE_JUPYTER__'].lower() == 'true':
        try:
            import requests
        except ImportError:
            print("ERROR: jupyter use requested but requests is not installed!")
            sys.exit(1)

diff --git a/tests/fixture/confs-stdlocal/MiG.conf b/tests/fixture/confs-stdlocal/MiG.conf
@@ -181,6 +181,21 @@ Alias /status-events.json "/home/mig/state/wwwpublic/status-events.json"
     </FilesMatch>
 </IfModule>
 
+# Optional DDoS protection with conservative request limits
+<IfModule mod_evasive20.c>
+    DOSPageCount 5
+    DOSSiteCount 50
+    DOSPageInterval 1
+    DOSSiteInterval 1
+    DOSHashTableSize 32768
+    DOSBlockingPeriod 300
+    DOSEmailNotify mig
+
+    # Never block localhost and optionally any registered security scanners
+    DOSWhitelist 127.0.0.1/8
+    #DOSWhitelist UNSET
+</IfModule>
+
 <IfModule mod_mime.c>
     # NOTE: workaround for broken double gzip decompression e.g. in Firefox.
     #       The bam files are in fact already gzip files and require care:

diff --git a/tests/fixture/confs-stdlocal/mimic-deb.conf b/tests/fixture/confs-stdlocal/mimic-deb.conf
@@ -80,6 +80,9 @@ LoadModule wsgi_module modules/mod_wsgi.so
 # Optional Header mangling if requested (for HSTS)
 LoadModule headers_module modules/mod_headers.so
 
+# Optional DDoS protection if requested (for mod evasive)
+#LoadModule evasive20_module modules/mod_evasive20.so
+
 # Apparently we need this mime setup on Redhat to just run apache
 TypesConfig /etc/mime.types
 MIMEMagicFile conf/magic