Posted to commits@trafficserver.apache.org by bc...@apache.org on 2018/01/22 00:23:57 UTC
[trafficserver] branch master updated: Do not send HSTS header when
remap has failed
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 129f59d Do not send HSTS header when remap has failed
129f59d is described below
commit 129f59db0267db428631e3992f8e00c9fad30f78
Author: Bryan Call <bc...@apache.org>
AuthorDate: Fri Jan 19 10:40:03 2018 -0800
Do not send HSTS header when remap has failed
---
proxy/http/HttpTransact.cc | 4 +-
tests/gold_tests/headers/hsts.200.gold | 7 +++
tests/gold_tests/headers/hsts.404.gold | 24 ++++++++++
tests/gold_tests/headers/hsts.test.py | 85 ++++++++++++++++++++++++++++++++++
4 files changed, 119 insertions(+), 1 deletion(-)
diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index ca93ea2..6d57d27 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -7705,7 +7705,9 @@ HttpTransact::build_response(State *s, HTTPHdr *base_response, HTTPHdr *outgoing
}
// Add HSTS header (Strict-Transport-Security) if max-age is set and the request was https
- if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0) {
+ // and the incoming request was remapped correctly
+ if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0 &&
+ s->url_remap_success == true) {
TxnDebug("http_hdrs", "hsts max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age);
HttpTransactHeaders::insert_hsts_header_in_response(s, outgoing_response);
}
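Review bot: The new third clause compares a boolean field with `== true`, which is unidiomatic and reads differently from the two clauses it joins; `s->url_remap_success` alone expresses the same test: `if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0 && s->url_remap_success) {`. The comment says what is checked but not why; since RFC 6797 recommends sending Strict-Transport-Security on every response over secure transport, the deliberate exception for proxy-generated error responses to unmapped hosts deserves a sentence, e.g. `// Skip HSTS when remap failed: the response is generated by the proxy for a host it does not serve, so no policy should be asserted for it`. As far as the hunk shows, the header is also omitted from the 404 that the proxy itself returns over TLS for such hosts, which is presumably the intent; if the gold tests are the only place that records this, the comment is the right place to state it. build_response starts and ends outside the hunk.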
diff --git a/tests/gold_tests/headers/hsts.200.gold b/tests/gold_tests/headers/hsts.200.gold
new file mode 100644
index 0000000..306f1bb
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.200.gold
@@ -0,0 +1,7 @@
+HTTP/1.1 200 OK
+Date:``
+Age: 0
+Transfer-Encoding: chunked
+Connection: keep-alive
+Strict-Transport-Security: max-age=300
+Server:``
diff --git a/tests/gold_tests/headers/hsts.404.gold b/tests/gold_tests/headers/hsts.404.gold
new file mode 100644
index 0000000..5323c84
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.404.gold
@@ -0,0 +1,24 @@
+HTTP/1.1 404 Not Found on Accelerator
+Date:``
+Connection: keep-alive
+Server:``
+Cache-Control: no-store
+Content-Type: text/html``
+Content-Language: en
+Content-Length:``
+
+<HTML>
+<HEAD>
+<TITLE>Not Found on Accelerator</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="white" FGCOLOR="black">
+<H1>Not Found on Accelerator</H1>
+<HR>
+
+<FONT FACE="Helvetica,Arial"><B>
+Description: Your request on the specified host was not found.
+Check the location and try again.
+</B></FONT>
+<HR>
+</BODY>
diff --git a/tests/gold_tests/headers/hsts.test.py b/tests/gold_tests/headers/hsts.test.py
new file mode 100644
index 0000000..7ae60e2
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.test.py
@@ -0,0 +1,85 @@
+'''
+Test the hsts reponse header.
+'''
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+Test.Summary = '''
+heck hsts header is set correctly
+'''
+
+# Needs Curl
+Test.SkipUnless(
+ Condition.HasProgram("curl", "Curl need to be installed on system for this test to work")
+)
+Test.ContinueOnFail = True
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=False)
+server = Test.MakeOriginServer("server")
+
+#**testname is required**
+testName = ""
+request_header = {"headers": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+# ATS Configuration
+ts.addSSLfile("../remap/ssl/server.pem")
+ts.addSSLfile("../remap/ssl/server.key")
+
+ts.Variables.ssl_port = 4443
+ts.Disk.records_config.update({
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl',
+ 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+ 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+ 'proxy.config.http.server_ports': '{0} {1}:ssl'.format(ts.Variables.port, ts.Variables.ssl_port),
+ 'proxy.config.ssl.hsts_max_age': 300,
+})
+
+ts.Disk.remap_config.AddLine(
+ 'map https://www.example.com http://127.0.0.1:{0}'.format(server.Variables.Port)
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+# Test 1 - 200 Response
+tr = Test.AddTestRun()
+tr.Processes.Default.StartBefore(server)
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.ssl_port))
+tr.Processes.Default.Command = (
+ 'curl -s -D - --verbose --ipv4 --http1.1 --insecure --header "Host: {0}" https://localhost:{1}'
+ .format('www.example.com', ts.Variables.ssl_port)
+)
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = "hsts.200.gold"
+tr.StillRunningAfter = ts
+
+# Test 2 - 404 Not Found on Accelerator
+tr = Test.AddTestRun()
+tr.Processes.Default.Command = (
+ 'curl -s -D - --verbose --ipv4 --http1.1 --insecure --header "Host: {0}" https://localhost:{1}'
+ .format('bad_host', ts.Variables.ssl_port)
+)
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = "hsts.404.gold"
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
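Review bot: Test 1 registers `Test.Processes.ts` with StartBefore twice in a row, once without a readiness condition and once with `ready=When.PortOpen(ts.Variables.ssl_port)`; only the second is meaningful, and the first can start the process before the TLS port is open or cause a double start, so the line `tr.Processes.Default.StartBefore(Test.Processes.ts)` should be dropped. The summary text is also missing its first letter and the module docstring misspells "response": `heck hsts header is set correctly` should read `Check hsts header is set correctly`, and `Test the hsts reponse header.` should read `Test the hsts response header.`. `import os` is unused in the file and can be removed. The debug tag `ssl` will not show the `http_hdrs` TxnDebug line that reports the chosen max-age; adding `http_hdrs` to `proxy.config.diags.debug.tags` would make the negative 404 case diagnosable from the ATS log when the gold comparison fails.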
--