Fetch Central Spamfilter rules with the API Key via alternate URL.

* The [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter), which provides spamfilter { } blocks that are centrally managed, is now fetched from a different URL if you have an Central API key set. This way, we can later provide spamfilter { } blocks that build on central blocklist scoring functionality, and also don't have to reveal the central spamfilter blocks to 100% of the world.
2026-06-12 19:14:46 +02:00 · 2023-11-27 14:33:00 +01:00
parent 3803759bf2
commit cd1b79d3f7
3 changed files with 37 additions and 6 deletions
@@ -6,7 +6,7 @@ in progress and may not always be a stable version.

 ### Enhancements:
 * Central anti-spam services:
-  * The two services from below require a central-api key, which
+  * The services from below require a central-api key, which
    you can [request here](https://www.unrealircd.org/central-api/).
  * [Central Blocklist](https://www.unrealircd.org/docs/Central_Blocklist)
    is an attempt to detect and block spammers. It works similar to DNS
@@ -18,7 +18,12 @@ in progress and may not always be a stable version.
    the `SPAMREPORT` command. This information may then be used to improve
    [Central Blocklist](https://www.unrealircd.org/docs/Central_Blocklist)
    and/or [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter).
-* TODO: Mention Central API, central blocklist, central spamreport...
+  * The [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter),
+    which provides spamfilter { } blocks that are centrally managed, is
+    now fetched from a different URL if you have an Central API key set.
+    This way, we can later provide spamfilter { } blocks that build on
+    central blocklist scoring functionality, and also don't have to reveal
+    the central spamfilter blocks to 100% of the world.
 * Make [Deny channel](https://www.unrealircd.org/docs/Deny_channel_block)
  support escaped sequences like `channel "#xyz\*";` so you can match
  a literal `*` or `?` via `\*` and `\?`.
@@ -299,6 +299,11 @@
 #define UNREALIRCD_DEFAULT_ECDH_CURVES "secp521r1:secp384r1:prime256v1"
 #endif

+/* These can be changed via set::central-spamfilter::url and ::feed */
+#define DEFAULT_CENTRAL_SPAMFILTER_URL_OPEN_ACCESS "https://spamfilter.unrealircd.org/spamfilter/v6/$feed/central_spamfilter.conf"
+#define DEFAULT_CENTRAL_SPAMFILTER_URL_RESTRICTED_ACCESS "https://spamfilter.unrealircd-api.org/spamfilter/v6/$feed/central_spamfilter.conf"
+#define DEFAULT_CENTRAL_SPAMFILTER_FEED "standard"
+
 /* These are just defaults, which you can override via set::dns */
 #define DNS_DEFAULT_CLIENT_TIMEOUT 1500
 #define DNS_DEFAULT_CLIENT_RETRIES 2
@@ -1821,8 +1821,8 @@ void config_setdefaultsettings(Configuration *i)
 	i->who_limit = 100;
 	i->named_extended_bans = 1;
 	i->high_connection_rate = 1000;
-	safe_strdup(i->central_spamfilter_url, "https://spamfilter.unrealircd.org/spamfilter/v6/$feed/central_spamfilter.conf");
-	safe_strdup(i->central_spamfilter_feed, "standard");
+	safe_strdup(i->central_spamfilter_url, DEFAULT_CENTRAL_SPAMFILTER_URL_OPEN_ACCESS);
+	safe_strdup(i->central_spamfilter_feed, DEFAULT_CENTRAL_SPAMFILTER_FEED);
 	i->central_spamfilter_refresh_time = 3600;
 	i->central_spamfilter_enabled = 0;
 	i->central_spamfilter_except = safe_alloc(sizeof(SecurityGroup));
@@ -11955,6 +11955,8 @@ void central_spamfilter_start_download(void)
 {
 	char url[512];
 	NameValuePrioList *nvp = NULL;
+	const char *apikey;
+	OutgoingWebRequest *request;

 	if (central_spamfilter_downloading)
 		return;
@@ -11967,13 +11969,32 @@ void central_spamfilter_start_download(void)

 	central_spamfilter_downloading = 1;

+	/* Prepare the request */
+	request = safe_alloc(sizeof(OutgoingWebRequest));
+	request->http_method = HTTP_METHOD_GET;
+	request->cachetime = CENTRAL_SPAMFILTER_CACHE_TIME;
+	request->callback = central_spamfilter_download_complete;
+	request->callback_data = NULL;
+	request->max_redirects = DOWNLOAD_MAX_REDIRECTS;
+	request->store_in_file = 1;
+
 	/* Build the URL */
 	add_nvplist(&nvp, 0, "feed", iConf.central_spamfilter_feed);
-	buildvarstring_nvp(iConf.central_spamfilter_url, url, sizeof(url), nvp, 0);
+	apikey = get_central_api_key();
+	if (apikey && !strcmp(iConf.central_spamfilter_url, DEFAULT_CENTRAL_SPAMFILTER_URL_OPEN_ACCESS))
+	{
+		/* Use the restricted URL */
+		buildvarstring_nvp(DEFAULT_CENTRAL_SPAMFILTER_URL_RESTRICTED_ACCESS, url, sizeof(url), nvp, 0);
+		add_nvplist(&request->headers, 0, "X-API-Key", apikey);
+	} else {
+		/* Use the open access URL */
+		buildvarstring_nvp(iConf.central_spamfilter_url, url, sizeof(url), nvp, 0);
+	}
 	safe_free_nvplist(nvp);

 	/* Start HTTPS request */
-	download_file_async(url, CENTRAL_SPAMFILTER_CACHE_TIME, central_spamfilter_download_complete, NULL, DOWNLOAD_MAX_REDIRECTS);
+	safe_strdup(request->url, url);
+	url_start_async(request);
 }

 EVENT(central_spamfilter_download_evt)