Posted to commits@trafficserver.apache.org by sh...@apache.org on 2020/12/02 17:30:19 UTC
[trafficserver] branch master updated: Fix sni ip_allow and host_sni_policy (#7349)
This is an automated email from the ASF dual-hosted git repository.
shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 1fc1406 Fix sni ip_allow and host_sni_policy (#7349)
1fc1406 is described below
commit 1fc140640ed004b6d5c1641648196f58ab8a8dea
Author: Susan Hinrichs <sh...@yahoo-inc.com>
AuthorDate: Wed Dec 2 11:30:07 2020 -0600
Fix sni ip_allow and host_sni_policy (#7349)
---
doc/admin-guide/files/records.config.en.rst | 2 +-
iocore/net/P_SNIActionPerformer.h | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index d9d0025..8ec7b22 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -1894,7 +1894,7 @@ Security
You can override this global setting on a per domain basis in the :file:`sni.yaml` file using the :ref:`host_sni_policy attribute<override-host-sni-policy>` action.
- Currently, only the verify_client policy is checked for host name and SNI matching.
+ Currently, only the verify_client and ip_allow policies are checked for host name and SNI matching.
Cache Control
=============
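Review bot: The rewritten sentence on the `+` line names ip_allow as a checked policy but, unlike the host_sni_policy reference on the context line above it, gives no pointer to where ip_allow is set. Consider linking the ip_allow action in sni.yaml with a :ref: and adding a few words on what the check compares for it, since "checked for host name and SNI matching" was written for verify_client and reads less obviously for an address list.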
diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h
index c94a74d..89067ae 100644
--- a/iocore/net/P_SNIActionPerformer.h
+++ b/iocore/net/P_SNIActionPerformer.h
@@ -325,8 +325,9 @@ public:
TestClientSNIAction(const char *servrername, const IpEndpoint &ep, int &policy) const override
{
bool retval = false;
- if (ip_map.contains(ep)) {
- retval = true;
+ if (ip_map.count() > 0) {
+ // Only triggers if the map didn't contain the address
+ retval = !ip_map.contains(ep);
}
return retval;
}
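Review bot: The meaning of the return value of TestClientSNIAction is inverted by the `+` lines (true is now returned when `ip_map` does not contain `ep`, where the removed lines returned true when it did), and the only record of that is the inline comment inside the `if`. A comment on the function stating what a true return means to the caller would make the contract explicit. The `ip_map.count() > 0` guard also means an empty map always returns false, so the check never triggers; if that is the intended "no ip_allow configured, no restriction" behaviour, it is worth saying so next to the guard. In the visible body `policy` is never assigned and the `servrername` parameter is unused and misspelled; if callers read `policy` after a true return, it should be set here or the reason it is left alone noted.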