Posted to commits@trafficserver.apache.org by zw...@apache.org on 2020/06/29 23:12:45 UTC
[trafficserver] branch 9.0.x updated: Move to blocklists and
allowlists (#6941)
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new c333a55 Move to blocklists and allowlists (#6941)
c333a55 is described below
commit c333a55e7e2ea6304927e7d4473117daf3598a8f
Author: Randall Meyer <rr...@apache.org>
AuthorDate: Wed Jun 24 08:49:02 2020 -0700
Move to blocklists and allowlists (#6941)
NOTE: This change breaks backwards compatibility.
proxy.config.http.proxy_protocol_whitelist renamed to proxy.config.http.proxy_protocol_allowlist
(cherry picked from commit 32cb4fe281fe1ac3e350413c91b0fdf7ed926a2b)
---
doc/admin-guide/configuration/proxy-protocol.en.rst | 2 +-
doc/admin-guide/files/records.config.en.rst | 4 ++--
iocore/net/SSLNetVConnection.cc | 8 ++++----
mgmt/RecordsConfig.cc | 2 +-
proxy/ProtocolProbeSessionAccept.cc | 10 +++++-----
proxy/http/HttpConfig.cc | 2 +-
tests/gold_tests/ip_allow/ip_allow.test.py | 6 +++---
7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/doc/admin-guide/configuration/proxy-protocol.en.rst b/doc/admin-guide/configuration/proxy-protocol.en.rst
index 64a0bc2..cc92406 100644
--- a/doc/admin-guide/configuration/proxy-protocol.en.rst
+++ b/doc/admin-guide/configuration/proxy-protocol.en.rst
@@ -45,7 +45,7 @@ with the PROXY v1 header. Any request not preface by this header will be
dropped.
As a security measure, an optional whitelist of trusted IP addresses may be
-configured with :ts:cv:`proxy.config.http.proxy_protocol_whitelist`.
+configured with :ts:cv:`proxy.config.http.proxy_protocol_allowlist`.
.. important::
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 5d33652..a9db974 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -1754,9 +1754,9 @@ Proxy User Variables
is prohibited by RFC 7239. Currently, for the ``host`` parameter to provide the original host from the
incoming client request, `proxy.config.url_remap.pristine_host_hdr`_ must be enabled.
-.. ts:cv:: CONFIG proxy.config.http.proxy_protocol_whitelist STRING ```<ip list>```
+.. ts:cv:: CONFIG proxy.config.http.proxy_protocol_allowlist STRING ```<ip list>```
- This defines a whitelist of server IPs that are trusted to provide
+ This defines a allowlist of server IPs that are trusted to provide
connections with Proxy Protocol information. This is a comma delimited list
of IP addresses. Addressed may be listed individually, in a range separated
by a dash or by using CIDR notation.
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 5209a93..8e8976c 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -410,7 +410,7 @@ SSLNetVConnection::read_raw_data()
if (this->get_is_proxy_protocol()) {
Debug("proxyprotocol", "proxy protocol is enabled on this port");
if (pp_ipmap->count() > 0) {
- Debug("proxyprotocol", "proxy protocol has a configured whitelist of trusted IPs - checking");
+ Debug("proxyprotocol", "proxy protocol has a configured allowlist of trusted IPs - checking");
// At this point, using get_remote_addr() will return the ip of the
// proxy source IP, not the Proxy Protocol client ip. Since we are
@@ -418,17 +418,17 @@ SSLNetVConnection::read_raw_data()
// what we want now.
void *payload = nullptr;
if (!pp_ipmap->contains(get_remote_addr(), &payload)) {
- Debug("proxyprotocol", "proxy protocol src IP is NOT in the configured whitelist of trusted IPs - "
+ Debug("proxyprotocol", "proxy protocol src IP is NOT in the configured allowlist of trusted IPs - "
"closing connection");
r = -ENOTCONN; // Need a quick close/exit here to refuse the connection!!!!!!!!!
goto proxy_protocol_bypass;
} else {
char new_host[INET6_ADDRSTRLEN];
- Debug("proxyprotocol", "Source IP [%s] is in the trusted whitelist for proxy protocol",
+ Debug("proxyprotocol", "Source IP [%s] is in the trusted allowlist for proxy protocol",
ats_ip_ntop(this->get_remote_addr(), new_host, sizeof(new_host)));
}
} else {
- Debug("proxyprotocol", "proxy protocol DOES NOT have a configured whitelist of trusted IPs but "
+ Debug("proxyprotocol", "proxy protocol DOES NOT have a configured allowlist of trusted IPs but "
"proxy protocol is enabled on this port - processing all connections");
}
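Review bot: The "closing connection" message rewritten in the `!pp_ipmap->contains(get_remote_addr(), &payload)` branch still omits the peer address, while the accept branch directly below prints it via ats_ip_ntop; for triage the rejected source is the more useful of the two to have in the log. Reuse the same pattern, e.g. `char src[INET6_ADDRSTRLEN];` and `Debug("proxyprotocol", "proxy protocol src IP [%s] is NOT in the configured allowlist of trusted IPs - closing connection", ats_ip_ntop(this->get_remote_addr(), src, sizeof(src)));`. The corresponding refusal message in proxy/ProtocolProbeSessionAccept.cc (the `goto done` branch) has the same gap. read_raw_data() starts and ends outside this hunk.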
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index cfc2464..c2f4a87 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -527,7 +527,7 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.http.insert_forwarded", RECD_STRING, "none", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.http.proxy_protocol_whitelist", RECD_STRING, "none", RECU_NULL, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+ {RECT_CONFIG, "proxy.config.http.proxy_protocol_allowlist", RECD_STRING, "none", RECU_NULL, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
{RECT_CONFIG, "proxy.config.http.insert_age_in_response", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
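Review bot: The record for proxy.config.http.proxy_protocol_whitelist is removed outright rather than kept as a deprecated alias, and nothing in this commit warns when the old name is still present in records.config. That matters because an empty map is not a safe default here: both iocore/net/SSLNetVConnection.cc and proxy/ProtocolProbeSessionAccept.cc treat `pp_ipmap->count() == 0` as "processing all connections", so an operator who upgrades with the old key set would silently go from a restricted trust list to accepting PROXY headers from any source. Keep the old entry in this table (marked deprecated) and, in HttpConfig::startup() in proxy/http/HttpConfig.cc, fall back to loading it with a deprecation warning when the new key yields an empty map — or refuse to start if the old key is set — assuming RecHttpLoadIpMap leaves the map empty for an unset record. The commit message flags the break, but a release note is not a runtime check.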
diff --git a/proxy/ProtocolProbeSessionAccept.cc b/proxy/ProtocolProbeSessionAccept.cc
index ed23291..31c7f25 100644
--- a/proxy/ProtocolProbeSessionAccept.cc
+++ b/proxy/ProtocolProbeSessionAccept.cc
@@ -93,7 +93,7 @@ struct ProtocolProbeTrampoline : public Continuation, public ProtocolProbeSessio
}
// if proxy_protocol is enabled via port descriptor AND the src IP is in
- // the trusted whitelist for proxy protocol, then check to see if it is
+ // the trusted allowlist for proxy protocol, then check to see if it is
// present
IpMap *pp_ipmap;
@@ -102,20 +102,20 @@ struct ProtocolProbeTrampoline : public Continuation, public ProtocolProbeSessio
if (netvc->get_is_proxy_protocol()) {
Debug("proxyprotocol", "ioCompletionEvent: proxy protocol is enabled on this port");
if (pp_ipmap->count() > 0) {
- Debug("proxyprotocol", "ioCompletionEvent: proxy protocol has a configured whitelist of trusted IPs - checking");
+ Debug("proxyprotocol", "ioCompletionEvent: proxy protocol has a configured allowlist of trusted IPs - checking");
void *payload = nullptr;
if (!pp_ipmap->contains(netvc->get_remote_addr(), &payload)) {
Debug("proxyprotocol",
- "ioCompletionEvent: proxy protocol src IP is NOT in the configured whitelist of trusted IPs - closing connection");
+ "ioCompletionEvent: proxy protocol src IP is NOT in the configured allowlist of trusted IPs - closing connection");
goto done;
} else {
char new_host[INET6_ADDRSTRLEN];
- Debug("proxyprotocol", "ioCompletionEvent: Source IP [%s] is trusted in the whitelist for proxy protocol",
+ Debug("proxyprotocol", "ioCompletionEvent: Source IP [%s] is trusted in the allowlist for proxy protocol",
ats_ip_ntop(netvc->get_remote_addr(), new_host, sizeof(new_host)));
}
} else {
Debug("proxyprotocol",
- "ioCompletionEvent: proxy protocol DOES NOT have a configured whitelist of trusted IPs but proxy protocol is "
+ "ioCompletionEvent: proxy protocol DOES NOT have a configured allowlist of trusted IPs but proxy protocol is "
"ernabled on this port - processing all connections");
}
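Review bot: The `else` branch's Debug literal is being rewritten here but its continuation on the following line still reads `"ernabled on this port - processing all connections"`; the two adjacent string literals form one message, so the typo belongs in this change: `"enabled on this port - processing all connections");`. The counterpart message in iocore/net/SSLNetVConnection.cc spells it correctly, so the two should agree. The enclosing function (apparently ioCompletionEvent, judging by the message prefixes) starts and ends outside this hunk, and the `done:` label is not visible.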
diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
index d3cc7b6..a7e83ff 100644
--- a/proxy/http/HttpConfig.cc
+++ b/proxy/http/HttpConfig.cc
@@ -1105,7 +1105,7 @@ HttpConfig::startup()
RecHttpLoadIp("proxy.local.incoming_ip_to_bind", c.inbound_ip4, c.inbound_ip6);
RecHttpLoadIp("proxy.local.outgoing_ip_to_bind", c.outbound_ip4, c.outbound_ip6);
- RecHttpLoadIpMap("proxy.config.http.proxy_protocol_whitelist", c.config_proxy_protocol_ipmap);
+ RecHttpLoadIpMap("proxy.config.http.proxy_protocol_allowlist", c.config_proxy_protocol_ipmap);
SSLConfigInit(&c.config_proxy_protocol_ipmap);
HttpEstablishStaticConfigLongLong(c.server_max_connections, "proxy.config.http.server_max_connections");
diff --git a/tests/gold_tests/ip_allow/ip_allow.test.py b/tests/gold_tests/ip_allow/ip_allow.test.py
index 5e4b5d6..59c3daf 100644
--- a/tests/gold_tests/ip_allow/ip_allow.test.py
+++ b/tests/gold_tests/ip_allow/ip_allow.test.py
@@ -141,7 +141,7 @@ ts.Streams.stderr += Testers.ContainsExpression(
"The PUSH request should be denied by ip_allow")
#
-# TEST 1: Perform a GET request. Should be allowed because GET is in the whitelist.
+# TEST 1: Perform a GET request. Should be allowed because GET is in the allowlist.
#
tr = Test.AddTestRun()
tr.Processes.Default.StartBefore(server, ready=When.PortOpen(server.Variables.SSL_Port))
@@ -156,7 +156,7 @@ tr.StillRunningAfter = server
#
# TEST 2: Perform a CONNECT request. Should not be allowed because CONNECT is
-# not in the whitelist.
+# not in the allowlist.
#
tr = Test.AddTestRun()
tr.Processes.Default.Command = ('curl --verbose -X CONNECT -H "Host: localhost" http://localhost:{ts_port}/connect'.
@@ -168,7 +168,7 @@ tr.StillRunningAfter = server
#
# TEST 3: Perform a PUSH request over HTTP/2. Should not be allowed because
-# PUSH is not in the whitelist.
+# PUSH is not in the allowlist.
#
tr = Test.AddTestRun()
tr.Processes.Default.Command = ('curl --http2 --verbose -k -X PUSH -H "Host: localhost" https://localhost:{ts_port}/h2_push'.