Posted to commits@trafficserver.apache.org by zw...@apache.org on 2018/01/22 05:19:52 UTC

[trafficserver] branch 7.1.x updated (f5b6194 -> 651d917)

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a change to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.


    from f5b6194  Modify regex_revalidate so that traffic_ctl may be used to trigger config file updates and add a config parameter to disable timed updates if desired.
     new bdcfc7a  Do not send HSTS header when remap has failed
     new 651d917  clang-format

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 proxy/http/HttpTransact.cc                         |  3 +-
 tests/gold_tests/headers/hsts.200.gold             |  7 +++
 .../{passthrough_get.gold => hsts.404.gold}        |  8 ++-
 .../tls_hooks2.test.py => headers/hsts.test.py}    | 72 ++++++++++++----------
 4 files changed, 54 insertions(+), 36 deletions(-)
 create mode 100644 tests/gold_tests/headers/hsts.200.gold
 copy tests/gold_tests/headers/{passthrough_get.gold => hsts.404.gold} (78%)
 copy tests/gold_tests/{tls_hooks/tls_hooks2.test.py => headers/hsts.test.py} (54%)


[trafficserver] 01/02: Do not send HSTS header when remap has failed

Posted by zw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit bdcfc7afe032f3160a0a51255b6d284c3e48ac3f
Author: Bryan Call <bc...@apache.org>
AuthorDate: Fri Jan 19 10:40:03 2018 -0800

    Do not send HSTS header when remap has failed
    
    (cherry picked from commit 129f59db0267db428631e3992f8e00c9fad30f78)
    
     Conflicts:
    	proxy/http/HttpTransact.cc
---
 proxy/http/HttpTransact.cc             |  4 +-
 tests/gold_tests/headers/hsts.200.gold |  7 +++
 tests/gold_tests/headers/hsts.404.gold | 24 ++++++++++
 tests/gold_tests/headers/hsts.test.py  | 85 ++++++++++++++++++++++++++++++++++
 4 files changed, 119 insertions(+), 1 deletion(-)

diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index f877a88..68e7501 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -8095,7 +8095,9 @@ HttpTransact::build_response(State *s, HTTPHdr *base_response, HTTPHdr *outgoing
   }
 
   // Add HSTS header (Strict-Transport-Security) if max-age is set and the request was https
-  if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0) {
+  // and the incoming request was remapped correctly
+  if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0 &&
+      s->url_remap_success == true) {
     DebugTxn("http_hdrs", "hsts max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age);
     HttpTransactHeaders::insert_hsts_header_in_response(s, outgoing_response);
   }
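Review bot: The added `s->url_remap_success == true` condition is explained only by what it checks, not why, and the comparison against `true` is redundant if the field is a boolean. I would write it as `s->url_remap_success` and extend the comment with the rationale, if this is the intent: `// Skip HSTS when remap failed: this proxy does not serve that host, so it must not assert an HTTPS-only policy for it`. It is also worth confirming the behaviour when `proxy.config.url_remap.remap_required` is disabled. If `url_remap_success` stays false for requests that are proxied without a matching rule, those HTTPS responses would silently lose the header. build_response starts and ends outside this hunk, so whether the flag is set on every path cannot be checked from here.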
diff --git a/tests/gold_tests/headers/hsts.200.gold b/tests/gold_tests/headers/hsts.200.gold
new file mode 100644
index 0000000..306f1bb
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.200.gold
@@ -0,0 +1,7 @@
+HTTP/1.1 200 OK
+Date:``
+Age: 0
+Transfer-Encoding: chunked
+Connection: keep-alive
+Strict-Transport-Security: max-age=300
+Server:``
diff --git a/tests/gold_tests/headers/hsts.404.gold b/tests/gold_tests/headers/hsts.404.gold
new file mode 100644
index 0000000..5323c84
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.404.gold
@@ -0,0 +1,24 @@
+HTTP/1.1 404 Not Found on Accelerator
+Date:``
+Connection: keep-alive
+Server:``
+Cache-Control: no-store
+Content-Type: text/html``
+Content-Language: en
+Content-Length:``
+
+<HTML>
+<HEAD>
+<TITLE>Not Found on Accelerator</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="white" FGCOLOR="black">
+<H1>Not Found on Accelerator</H1>
+<HR>
+
+<FONT FACE="Helvetica,Arial"><B>
+Description: Your request on the specified host was not found.
+Check the location and try again.
+</B></FONT>
+<HR>
+</BODY>
diff --git a/tests/gold_tests/headers/hsts.test.py b/tests/gold_tests/headers/hsts.test.py
new file mode 100644
index 0000000..7ae60e2
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.test.py
@@ -0,0 +1,85 @@
+'''
+Test the hsts reponse header.
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import os
+Test.Summary = '''
+heck hsts header is set correctly
+'''
+
+# Needs Curl
+Test.SkipUnless(
+    Condition.HasProgram("curl", "Curl need to be installed on system for this test to work")
+)
+Test.ContinueOnFail = True
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=False)
+server = Test.MakeOriginServer("server")
+
+#**testname is required**
+testName = ""
+request_header = {"headers": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+# ATS Configuration
+ts.addSSLfile("../remap/ssl/server.pem")
+ts.addSSLfile("../remap/ssl/server.key")
+
+ts.Variables.ssl_port = 4443
+ts.Disk.records_config.update({
+    'proxy.config.diags.debug.enabled': 1,
+    'proxy.config.diags.debug.tags': 'ssl',
+    'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.http.server_ports': '{0} {1}:ssl'.format(ts.Variables.port, ts.Variables.ssl_port),
+    'proxy.config.ssl.hsts_max_age': 300,
+})
+
+ts.Disk.remap_config.AddLine(
+    'map https://www.example.com http://127.0.0.1:{0}'.format(server.Variables.Port)
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+    'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+# Test 1 - 200 Response
+tr = Test.AddTestRun()
+tr.Processes.Default.StartBefore(server)
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.ssl_port))
+tr.Processes.Default.Command = (
+    'curl -s -D - --verbose --ipv4 --http1.1 --insecure --header "Host: {0}" https://localhost:{1}'
+    .format('www.example.com', ts.Variables.ssl_port)
+)
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = "hsts.200.gold"
+tr.StillRunningAfter = ts
+
+# Test 2 - 404 Not Found on Accelerator
+tr = Test.AddTestRun()
+tr.Processes.Default.Command = (
+    'curl -s -D - --verbose --ipv4 --http1.1 --insecure --header "Host: {0}" https://localhost:{1}'
+    .format('bad_host', ts.Variables.ssl_port)
+)
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = "hsts.404.gold"
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
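Review bot: Test 2 proves the header is absent only indirectly, through a full match of `hsts.404.gold`, which also pins the entire HTML error body. An explicit negative assertion would state the intent and survive unrelated changes to the error page, for example `tr.Processes.Default.Streams.All = Testers.ExcludesExpression("Strict-Transport-Security", "no HSTS header when remap fails")`, assuming the framework's `Testers` helpers are available in this test. Separately, Test 1 calls `StartBefore(Test.Processes.ts)` twice and the first call, without `ready=`, looks redundant. In Test 2, `tr.StillRunningAfter = server` is overwritten by the assignment on the next line. The docstring and `Test.Summary` also contain typos (`reponse`, `heck`).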


[trafficserver] 02/02: clang-format

Posted by zw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 651d917fe61ba52abab5625886d278cd380884b2
Author: Bryan Call <bc...@apache.org>
AuthorDate: Sun Jan 21 16:52:08 2018 -0800

    clang-format
    
    (cherry picked from commit 3b3d1f20fe6628042ea51c65edda54ede972c948)
    
     Conflicts:
    	proxy/http/HttpTransact.cc
---
 proxy/http/HttpTransact.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index 68e7501..64cdea3 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -8096,8 +8096,7 @@ HttpTransact::build_response(State *s, HTTPHdr *base_response, HTTPHdr *outgoing
 
   // Add HSTS header (Strict-Transport-Security) if max-age is set and the request was https
   // and the incoming request was remapped correctly
-  if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0 &&
-      s->url_remap_success == true) {
+  if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0 && s->url_remap_success == true) {
     DebugTxn("http_hdrs", "hsts max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age);
     HttpTransactHeaders::insert_hsts_header_in_response(s, outgoing_response);
   }
