Re: ATS plugin to sign HTTP header and content

[Alan Carroll <so...@verizonmedia.com>]

Sorry for the late reply, I've been thinking about this a bit. It would be
challenging.

1) Easy.
2) Trivial.
3) Not sure what you mean here - this would be in the chunk header itself?
Unfortunately I think transform plugins don't get to see the chunking.
4) This could be done with a transform plugin.
5) Challenging.

I think overall you would want to make a transform plugin that tells ATS
it's not chunked encoded so that ATS stores the chunked content literally,
rather than dechunking. Then it would be able to modify the cached content.
You can ping me on the ASF slack if you want.


On Tue, Apr 28, 2020 at 5:36 AM peter <pe...@equalit.ie> wrote:

> Hello, we are developing a software that lets users share HTTP resources
> in a way akin to BitTorrent.
> For this purpose, we have built a proxy which acts as a signatory of these
> resources, so that
> when it is shared among peers, its integrity can be verified.
>
> All the signatory does ATM is, whenever it receives a response from the
> origin, it signs
> the HTTP header fields, it forces HTTP chunk encoding and signs each chunk
> in a chunk
> extension.
>
> We've been using ATS for about 9 years now in another project (
> https://deflect.ca) and are
> now thinking whether it would be possible to write an ATS plugin to sign
> the content from
> there. The hope is that this would allow us to cache already signed
> resources to avoid
> re-signing the content each it it's requested. Another benefit would be
> that we could
> reuse our existing deflect infrastructure.
>
> That is, whenever ATS receives a response from the origin, we need to:
>
> 1. Add HTTP header fields containing signature of the original fields
> 2. Force chunked encoding (we also need to return chunks of particular
> sizes)
> 3. Add chunk extensions containing chunk signatures
> 4. Add HTTP trailer
> 5. Ideally, also have ATS store the response together with all the
> signatures (from header,
>    chunk extensions and the trailer) so that ATS can serve those on the
> next request.
>
> I have last looked into writing ATS plugins more than a year ago, but IIRC
> #1 is not a problem.
> However we've so far failed to find an ATS plugin API to do #2,3 and 4 and
> thus would greatly
> appreciate any pointers.
>
> We have also found [1], which seems to suggest that chunk headers and
> extensions are not
> stored in the cache. But maybe there is a workaround? Or the situation has
> changes since 2016?
>
> Thanks,
> Peter
>
> [1]
> http://apache-traffic-server.24303.n7.nabble.com/Chunked-Transfer-Encodings-in-Traffic-Server-td2782.html
>