Where to find equivalent functionality of http_auth.c (from lighttpd 1.4.35) in lighttpd 1.4.64?

I want to add a patch we had earlier in lighttpd 1.4.35 and 1.4.40. The purpose of the patch was to help with "anti-automation". For example, if a user tried to enter an incorrect password 5 times in a row, he would be locked out for a minute.

We have now moved over to the latest lighttpd 1.4.64 and I am trying to find out where the functionality under lighttpd-1.4.35/src/http_auth.c may be now found.
I can see that there are many files now - 
mod_auth.c
mod_authn_file.c
mod_authn_gssapi.c
mod_authn_ldap.c
mod_authn_pam.c
mod_authn_sasl.c
mod_auth_api.c

I have attached a MSVP of what I want to achieve. As you can see 99 % of it is self-contained code. Just need to know where to plumb -
a) The HTTP authentication path
b) The HTTPS authentication path

The original patch in lighttpd 1.4.35 was in the function
http_auth_basic_check and
http_auth_digest_check

As the name suggests,
sinBin_Add would add a bad attempt into the "bin". If the number of attempts is exceeded, the user is "sidelined".

For http_auth_basic_check,

/* anti automation check */
if ( sinBin_Sidelined( &sinBin, username->ptr, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) ) )
{
    buffer_free(username);
    buffer_free(password);
    log_error_write(srv, __FILE__, __LINE__, "s", "basic: anti automation precaution" );
    return 0;
}

/* password doesn't match */
if (http_auth_basic_password_compare(srv, p, req, username, realm->value, password, pw)) 
{
    log_error_write(srv, __FILE__, __LINE__, "sbsBss", "password doesn't match for", con->uri.path, "username:", username, ", IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));

    sinBin_Add( &sinBin, username->ptr, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) );

    buffer_free(username);
    buffer_free(password);

Likewise for the HTTP digest bit, we had, for http_auth_digest_check -

/* anti automation check */
if ( sinBin_Sidelined( &sinBin, username, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) ) )
{
    buffer_free(b);
    log_error_write(srv, __FILE__, __LINE__, "s", "digest: anti automation precaution");
    return 0;
}

if (0 != strcmp(a2, respons)) {
    /* digest not ok */
    sinBin_Add( &sinBin, username, inet_ntop_cache_get_ip(srv, &(con->dst_addr)) );

    if (p->conf.auth_debug) {
        log_error_write(srv, __FILE__, __LINE__, "sss",


Solution 1:[1]

Existing discussions on lighttpd boards already point you to multiple answers.

You should look at the places in lighttpd src/mod_auth.c which set r->keep_alive = -1;

Aside: If you're still running lighttpd 1.4.35 (over 8 years old!) or lighttpd 1.4.40 (almost 6 years old!), you should consider that your ability to keep your systems up-to-date is lacking. Your custom patch is possibly doing more harm than good if it prevents you from running a current version of lighttpd. See the above links and consider using fail2ban, or an authentication backend which implements your password policy for you, or a custom mod_fastcgi authorizer.
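
The policy described in the question (five bad passwords in a row, then a one-minute lockout per username and client IP), as an added example that is neither the poster's patch nor lighttpd code. The lockout_* names, the table size and the key layout are assumptions, and the clock is passed in so the logic can be checked without waiting.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MAX_FAILS 5   /* bad passwords in a row before lockout (from the question) */
#define LOCK_SECS 60  /* lockout length: one minute (from the question) */
#define SLOTS     64  /* assumed fixed table size; keeps memory bounded */
static struct entry { char user[64]; char ip[46]; int fails; time_t last; } table[SLOTS];

/* Hypothetical helper, not a lighttpd API: find the (user, ip) slot; a new key reuses the oldest slot. */
static struct entry *lookup(const char *user, const char *ip, int create) {
    struct entry *oldest = &table[0];
    for (int i = 0; i < SLOTS; i++) {
        struct entry *e = &table[i];
        if (e->fails && !strncmp(e->user, user, sizeof e->user - 1)
                     && !strncmp(e->ip, ip, sizeof e->ip - 1)) return e;
        if (e->last < oldest->last) oldest = e;
    }
    if (!create) return NULL;
    memset(oldest, 0, sizeof *oldest);
    snprintf(oldest->user, sizeof oldest->user, "%s", user);
    snprintf(oldest->ip, sizeof oldest->ip, "%s", ip);
    return oldest;
}

/* Returns 1 while (user, ip) is locked out; clears the entry once the lock expires. */
int lockout_blocked(const char *user, const char *ip, time_t now) {
    struct entry *e = lookup(user, ip, 0);
    if (!e || e->fails < MAX_FAILS) return 0;
    if (now - e->last >= LOCK_SECS) { e->fails = 0; return 0; }
    return 1;
}

/* Record one failed password check; call only after lockout_blocked() returned 0. */
void lockout_fail(const char *user, const char *ip, time_t now) {
    struct entry *e = lookup(user, ip, 1);
    e->fails++; e->last = now;
}

/* A successful login ends the run of consecutive failures. */
void lockout_success(const char *user, const char *ip) {
    struct entry *e = lookup(user, ip, 0);
    if (e) e->fails = 0;
}

int main(void) {  /* constructed input: five failures, then a check inside the minute */
    for (int i = 0; i < MAX_FAILS; i++) lockout_fail("alice", "203.0.113.7", 1000 + i);
    printf("locked=%d\n", lockout_blocked("alice", "203.0.113.7", 1010));
    return 0;
}
```

The fixed table reuses its least recently used slot, so SLOTS should be sized for the expected number of clients failing at the same time.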

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: gstrauss