Posted to commits@trafficserver.apache.org by bc...@apache.org on 2018/01/22 00:23:57 UTC

[trafficserver] branch master updated: Do not send HSTS header when remap has failed

This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 129f59d  Do not send HSTS header when remap has failed
129f59d is described below

commit 129f59db0267db428631e3992f8e00c9fad30f78
Author: Bryan Call <bc...@apache.org>
AuthorDate: Fri Jan 19 10:40:03 2018 -0800

    Do not send HSTS header when remap has failed
---
 proxy/http/HttpTransact.cc             |  4 +-
 tests/gold_tests/headers/hsts.200.gold |  7 +++
 tests/gold_tests/headers/hsts.404.gold | 24 ++++++++++
 tests/gold_tests/headers/hsts.test.py  | 85 ++++++++++++++++++++++++++++++++++
 4 files changed, 119 insertions(+), 1 deletion(-)

diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index ca93ea2..6d57d27 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -7705,7 +7705,9 @@ HttpTransact::build_response(State *s, HTTPHdr *base_response, HTTPHdr *outgoing
   }
 
   // Add HSTS header (Strict-Transport-Security) if max-age is set and the request was https
-  if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0) {
+  // and the incoming request was remapped correctly
+  if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0 &&
+      s->url_remap_success == true) {
     TxnDebug("http_hdrs", "hsts max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age);
     HttpTransactHeaders::insert_hsts_header_in_response(s, outgoing_response);
   }
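Review bot: The new condition line compares a boolean against a literal, `s->url_remap_success == true`; the conventional form is `s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0 && s->url_remap_success`. The added comment only restates the check; since the new gold test shows that a failed remap yields an ATS-generated "Not Found on Accelerator" response rather than anything from an origin, the comment would be more useful as `// ... and the request was remapped successfully: a synthesized remap-failure response must not carry an HSTS policy for a host this proxy does not serve` (the rationale is inferred from the test, so confirm it matches the intent). build_response begins and ends outside this hunk.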
diff --git a/tests/gold_tests/headers/hsts.200.gold b/tests/gold_tests/headers/hsts.200.gold
new file mode 100644
index 0000000..306f1bb
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.200.gold
@@ -0,0 +1,7 @@
+HTTP/1.1 200 OK
+Date:``
+Age: 0
+Transfer-Encoding: chunked
+Connection: keep-alive
+Strict-Transport-Security: max-age=300
+Server:``
diff --git a/tests/gold_tests/headers/hsts.404.gold b/tests/gold_tests/headers/hsts.404.gold
new file mode 100644
index 0000000..5323c84
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.404.gold
@@ -0,0 +1,24 @@
+HTTP/1.1 404 Not Found on Accelerator
+Date:``
+Connection: keep-alive
+Server:``
+Cache-Control: no-store
+Content-Type: text/html``
+Content-Language: en
+Content-Length:``
+
+<HTML>
+<HEAD>
+<TITLE>Not Found on Accelerator</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="white" FGCOLOR="black">
+<H1>Not Found on Accelerator</H1>
+<HR>
+
+<FONT FACE="Helvetica,Arial"><B>
+Description: Your request on the specified host was not found.
+Check the location and try again.
+</B></FONT>
+<HR>
+</BODY>
diff --git a/tests/gold_tests/headers/hsts.test.py b/tests/gold_tests/headers/hsts.test.py
new file mode 100644
index 0000000..7ae60e2
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.test.py
@@ -0,0 +1,85 @@
+'''
+Test the hsts reponse header.
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import os
+Test.Summary = '''
+heck hsts header is set correctly
+'''
+
+# Needs Curl
+Test.SkipUnless(
+    Condition.HasProgram("curl", "Curl need to be installed on system for this test to work")
+)
+Test.ContinueOnFail = True
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=False)
+server = Test.MakeOriginServer("server")
+
+#**testname is required**
+testName = ""
+request_header = {"headers": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+# ATS Configuration
+ts.addSSLfile("../remap/ssl/server.pem")
+ts.addSSLfile("../remap/ssl/server.key")
+
+ts.Variables.ssl_port = 4443
+ts.Disk.records_config.update({
+    'proxy.config.diags.debug.enabled': 1,
+    'proxy.config.diags.debug.tags': 'ssl',
+    'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.http.server_ports': '{0} {1}:ssl'.format(ts.Variables.port, ts.Variables.ssl_port),
+    'proxy.config.ssl.hsts_max_age': 300,
+})
+
+ts.Disk.remap_config.AddLine(
+    'map https://www.example.com http://127.0.0.1:{0}'.format(server.Variables.Port)
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+    'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+# Test 1 - 200 Response
+tr = Test.AddTestRun()
+tr.Processes.Default.StartBefore(server)
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.ssl_port))
+tr.Processes.Default.Command = (
+    'curl -s -D - --verbose --ipv4 --http1.1 --insecure --header "Host: {0}" https://localhost:{1}'
+    .format('www.example.com', ts.Variables.ssl_port)
+)
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = "hsts.200.gold"
+tr.StillRunningAfter = ts
+
+# Test 2 - 404 Not Found on Accelerator
+tr = Test.AddTestRun()
+tr.Processes.Default.Command = (
+    'curl -s -D - --verbose --ipv4 --http1.1 --insecure --header "Host: {0}" https://localhost:{1}'
+    .format('bad_host', ts.Variables.ssl_port)
+)
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = "hsts.404.gold"
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
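Review bot: Test 1 starts the `ts` process twice — `tr.Processes.Default.StartBefore(Test.Processes.ts)` is immediately followed by the same call with `ready=When.PortOpen(ts.Variables.ssl_port)`; keep only the second so the first curl waits for the TLS port instead of racing it. The module docstring and summary carry typos: `Test the hsts response header.` and `Check hsts header is set correctly`. `import os` is never used and can be dropped. The debug tag is `'ssl'` while the HSTS insertion in HttpTransact.cc logs under `http_hdrs`, so `'proxy.config.diags.debug.tags': 'http_hdrs|ssl'` would make the max-age decision visible in the log when a gold comparison fails.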
