Posted to commits@trafficserver.apache.org by zw...@apache.org on 2014/01/21 00:08:11 UTC
[32/50] git commit: TS-1668: Added HSTS configuration options to ATS
TS-1668: Added HSTS configuration options to ATS
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/4cf9975e
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/4cf9975e
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/4cf9975e
Branch: refs/heads/5.0.x
Commit: 4cf9975e9b8ff0cc5510707443da0adafbb962cb
Parents: f057cdc
Author: Bryan Call <bc...@apache.org>
Authored: Wed Jan 15 13:38:07 2014 -0800
Committer: Bryan Call <bc...@apache.org>
Committed: Wed Jan 15 13:38:07 2014 -0800
----------------------------------------------------------------------
CHANGES | 2 ++
.../configuration/records.config.en.rst | 15 +++++++++++++++
mgmt/RecordsConfig.cc | 5 +++++
proxy/InkAPI.cc | 19 +++++++++++++++++++
proxy/InkAPITest.cc | 4 +++-
proxy/api/ts/ts.h.in | 4 ++++
proxy/hdrs/HdrToken.cc | 3 +++
proxy/hdrs/MIME.cc | 6 ++++++
proxy/hdrs/MIME.h | 3 +++
proxy/http/HttpConfig.cc | 4 ++++
proxy/http/HttpConfig.h | 5 ++++-
proxy/http/HttpTransact.cc | 6 ++++++
proxy/http/HttpTransactHeaders.cc | 19 +++++++++++++++++++
proxy/http/HttpTransactHeaders.h | 1 +
14 files changed, 94 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 2c56ffd..a688aea 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 4.2.0
+ *) [TS-1668] Added HSTS configuration options to ATS
+
*) [TS-2495] Reduce the size of HttpVCTableEntry.
*) [TS-2491] stop other esi plugin unit test programs after error.
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/doc/reference/configuration/records.config.en.rst
----------------------------------------------------------------------
diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst
index f0d7f8a..c3aac2e 100644
--- a/doc/reference/configuration/records.config.en.rst
+++ b/doc/reference/configuration/records.config.en.rst
@@ -2046,6 +2046,21 @@ SSL Termination
entries in seconds. If it is ``0``, then the SSL library will use
a default value, typically 300 seconds.
+.. ts:cv:: CONFIG proxy.config.ssl.hsts_max_age INT -1
+
+ This configuration specifies the max-age value that will be used
+ when adding the Strict-Transport-Security header. The value is in seconds.
+ A value of 0 will set the max-age value to 0 and should remove the
+ hsts entry from the cleint. A value of -1 will disable this feature and
+ not set the header. This option is only used for HTTPS request and the
+ header will not be set on HTTP requests.
+
+.. ts:cv:: CONFIG proxy.config.ssl.hsts_include_subdomains INT 0
+
+ Enables (``1``) or disables (``0``) to add the includeSubdomain value
+ to the Strict-Transport-Security header. proxy.config.ssl.hsts_max_age
+ will need to be set to a non -1 value for this value to be added.
+
Client-Related Configuration
----------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 3e3fe5c..abae558 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1275,6 +1275,11 @@ RecordElement RecordsConfig[] = {
,
{RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[-1-2147483648]", RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.hsts_include_subdomains", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+
//##############################################################################
//# ICP Configuration
//##############################################################################
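Review bot: The RECC_INT range for `proxy.config.ssl.hsts_max_age` is given as `"[-1-2147483648]"`, and the upper bound 2147483648 is one past INT32_MAX. If the range validator parses its bounds into a 32-bit int (I cannot see its implementation from this hunk — please confirm), that bound wraps negative and the check could reject or mis-validate every value; the RFC 6797 `max-age` directive has no protocol-level maximum, so the bound is only a sanity limit anyway. Unless the validator is known to be 64-bit, the safer line is `{RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[-1-2147483647]", RECA_NULL}`. It would also help to state in the table or the docs that -1 disables header insertion rather than meaning "unlimited", since the other `-1` entries nearby do not share that meaning.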
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/InkAPI.cc
----------------------------------------------------------------------
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index 3c40ce5..2be442d 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -198,6 +198,7 @@ tsapi const char *TS_MIME_FIELD_RETRY_AFTER;
tsapi const char *TS_MIME_FIELD_SENDER;
tsapi const char *TS_MIME_FIELD_SERVER;
tsapi const char *TS_MIME_FIELD_SET_COOKIE;
+tsapi const char *TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY;
tsapi const char *TS_MIME_FIELD_SUBJECT;
tsapi const char *TS_MIME_FIELD_SUMMARY;
tsapi const char *TS_MIME_FIELD_TE;
@@ -271,6 +272,7 @@ tsapi int TS_MIME_LEN_RETRY_AFTER;
tsapi int TS_MIME_LEN_SENDER;
tsapi int TS_MIME_LEN_SERVER;
tsapi int TS_MIME_LEN_SET_COOKIE;
+tsapi int TS_MIME_LEN_STRICT_TRANSPORT_SECURITY;
tsapi int TS_MIME_LEN_SUBJECT;
tsapi int TS_MIME_LEN_SUMMARY;
tsapi int TS_MIME_LEN_TE;
@@ -1425,6 +1427,7 @@ api_init()
TS_MIME_FIELD_SENDER = MIME_FIELD_SENDER;
TS_MIME_FIELD_SERVER = MIME_FIELD_SERVER;
TS_MIME_FIELD_SET_COOKIE = MIME_FIELD_SET_COOKIE;
+ TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY = MIME_FIELD_STRICT_TRANSPORT_SECURITY;
TS_MIME_FIELD_SUBJECT = MIME_FIELD_SUBJECT;
TS_MIME_FIELD_SUMMARY = MIME_FIELD_SUMMARY;
TS_MIME_FIELD_TE = MIME_FIELD_TE;
@@ -1498,6 +1501,7 @@ api_init()
TS_MIME_LEN_SENDER = MIME_LEN_SENDER;
TS_MIME_LEN_SERVER = MIME_LEN_SERVER;
TS_MIME_LEN_SET_COOKIE = MIME_LEN_SET_COOKIE;
+ TS_MIME_LEN_STRICT_TRANSPORT_SECURITY = MIME_LEN_STRICT_TRANSPORT_SECURITY;
TS_MIME_LEN_SUBJECT = MIME_LEN_SUBJECT;
TS_MIME_LEN_SUMMARY = MIME_LEN_SUMMARY;
TS_MIME_LEN_TE = MIME_LEN_TE;
@@ -7591,6 +7595,14 @@ _conf_to_memberp(TSOverridableConfigKey conf, HttpSM* sm, OverridableDataType *t
case TS_CONFIG_HTTP_ACCEPT_ENCODING_FILTER_ENABLED:
ret = &sm->t_state.txn_conf->accept_encoding_filter_enabled;
break;
+ case TS_CONFIG_SSL_HSTS_MAX_AGE:
+ typ = OVERRIDABLE_TYPE_INT;
+ ret = &sm->t_state.txn_conf->proxy_response_hsts_max_age;
+ break;
+ case TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS:
+ typ = OVERRIDABLE_TYPE_BYTE;
+ ret = &sm->t_state.txn_conf->proxy_response_hsts_include_subdomains;
+ break;
// This helps avoiding compiler warnings, yet detect unhandled enum members.
case TS_CONFIG_NULL:
@@ -7775,6 +7787,11 @@ TSHttpTxnConfigFind(const char* name, int length, TSOverridableConfigKey *conf,
cnf = TS_CONFIG_HTTP_CACHE_HTTP;
break;
+ case 29:
+ if (!strncmp(name, "proxy.config.ssl.hsts_max_age", length))
+ cnf = TS_CONFIG_SSL_HSTS_MAX_AGE;
+ break;
+
case 31:
if (!strncmp(name, "proxy.config.http.chunking.size", length))
cnf = TS_CONFIG_HTTP_CHUNKING_SIZE;
@@ -7891,6 +7908,8 @@ TSHttpTxnConfigFind(const char* name, int length, TSOverridableConfigKey *conf,
cnf = TS_CONFIG_HTTP_ORIGIN_MAX_CONNECTIONS;
else if (!strncmp(name, "proxy.config.http.cache.required_headers", length))
cnf = TS_CONFIG_HTTP_CACHE_REQUIRED_HEADERS;
+ else if (!strncmp(name, "proxy.config.ssl.hsts_include_subdomains", length))
+ cnf = TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS;
break;
case 't':
if (!strncmp(name, "proxy.config.http.keep_alive_enabled_out", length))
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/InkAPITest.cc
----------------------------------------------------------------------
diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc
index 8f97a88..b9945a1 100644
--- a/proxy/InkAPITest.cc
+++ b/proxy/InkAPITest.cc
@@ -7412,7 +7412,9 @@ const char *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY] = {
"proxy.config.http.response_header_max_size",
"proxy.config.http.negative_revalidating_enabled",
"proxy.config.http.negative_revalidating_lifetime",
- "proxy.config.http.accept_encoding_filter_enabled"
+ "proxy.config.http.accept_encoding_filter_enabled",
+ "proxy.config.ssl.hsts_max_age",
+ "proxy.config.ssl.hsts_include_subdomains"
};
REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS) (RegressionTest * test, int /* atype ATS_UNUSED */, int *pstatus)
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/api/ts/ts.h.in
----------------------------------------------------------------------
diff --git a/proxy/api/ts/ts.h.in b/proxy/api/ts/ts.h.in
index a184939..e568b1f 100644
--- a/proxy/api/ts/ts.h.in
+++ b/proxy/api/ts/ts.h.in
@@ -680,6 +680,8 @@ extern "C"
TS_CONFIG_HTTP_NEGATIVE_REVALIDATING_ENABLED,
TS_CONFIG_HTTP_NEGATIVE_REVALIDATING_LIFETIME,
TS_CONFIG_HTTP_ACCEPT_ENCODING_FILTER_ENABLED,
+ TS_CONFIG_SSL_HSTS_MAX_AGE,
+ TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS,
TS_CONFIG_LAST_ENTRY
} TSOverridableConfigKey;
@@ -903,6 +905,7 @@ extern "C"
extern tsapi const char* TS_MIME_FIELD_SENDER;
extern tsapi const char* TS_MIME_FIELD_SERVER;
extern tsapi const char* TS_MIME_FIELD_SET_COOKIE;
+ extern tsapi const char* TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY;
extern tsapi const char* TS_MIME_FIELD_SUBJECT;
extern tsapi const char* TS_MIME_FIELD_SUMMARY;
extern tsapi const char* TS_MIME_FIELD_TE;
@@ -977,6 +980,7 @@ extern "C"
extern tsapi int TS_MIME_LEN_SENDER;
extern tsapi int TS_MIME_LEN_SERVER;
extern tsapi int TS_MIME_LEN_SET_COOKIE;
+ extern tsapi int TS_MIME_LEN_STRICT_TRANSPORT_SECURITY;
extern tsapi int TS_MIME_LEN_SUBJECT;
extern tsapi int TS_MIME_LEN_SUMMARY;
extern tsapi int TS_MIME_LEN_TE;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/HdrToken.cc
----------------------------------------------------------------------
diff --git a/proxy/hdrs/HdrToken.cc b/proxy/hdrs/HdrToken.cc
index 4374d85..72bbbe1 100644
--- a/proxy/hdrs/HdrToken.cc
+++ b/proxy/hdrs/HdrToken.cc
@@ -107,6 +107,7 @@ static const char *_hdrtoken_strs[] = {
"Sender", // NNTP
"Server",
"Set-Cookie",
+ "Strict-Transport-Security",
"Subject", // NNTP
"Summary", // NNTP
"Transfer-Encoding",
@@ -293,6 +294,7 @@ static HdrTokenFieldInfo _hdrtoken_strs_field_initializers[] = {
{"Sender", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, HTIF_NONE},
{"Server", MIME_SLOTID_NONE, MIME_PRESENCE_SERVER, HTIF_NONE},
{"Set-Cookie", MIME_SLOTID_SET_COOKIE, MIME_PRESENCE_SET_COOKIE, (HTIF_MULTVALS)},
+ {"Strict-Transport-Security", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, (HTIF_MULTVALS)},
{"Subject", MIME_SLOTID_NONE, MIME_PRESENCE_SUBJECT, HTIF_NONE},
{"Summary", MIME_SLOTID_NONE, MIME_PRESENCE_SUMMARY, HTIF_NONE},
{"TE", MIME_SLOTID_TE, MIME_PRESENCE_TE, (HTIF_COMMAS | HTIF_MULTVALS | HTIF_HOPBYHOP)},
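Review bot: `Strict-Transport-Security` is registered with `HTIF_MULTVALS`, mirroring `Set-Cookie`, but RFC 6797 §6.1 has user agents process only the first STS header field in a response, and its directives are `;`-separated, not comma-separated list items. If `HTIF_MULTVALS` allows the MIME layer to merge repeated instances into one comma-joined value (I cannot confirm the flag's exact semantics from this hunk), the merged value would not parse as STS directives and the policy would be silently dropped by clients. Unless the flag is needed only to keep duplicate instances as separate fields, `{"Strict-Transport-Security", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, HTIF_NONE},` is the safer registration; either way a short comment on the line stating why the flag was chosen would save the next reader the same question.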
@@ -433,6 +435,7 @@ static const char *_hdrtoken_commonly_tokenized_strs[] = {
"Sender", // NNTP
"Server",
"Set-Cookie",
+ "Strict-Transport-Security",
"Subject", // NNTP
"Summary", // NNTP
"Transfer-Encoding",
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/MIME.cc
----------------------------------------------------------------------
diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc
index b779589..0313314 100644
--- a/proxy/hdrs/MIME.cc
+++ b/proxy/hdrs/MIME.cc
@@ -141,6 +141,7 @@ const char *MIME_FIELD_RETRY_AFTER;
const char *MIME_FIELD_SENDER;
const char *MIME_FIELD_SERVER;
const char *MIME_FIELD_SET_COOKIE;
+const char *MIME_FIELD_STRICT_TRANSPORT_SECURITY;
const char *MIME_FIELD_SUBJECT;
const char *MIME_FIELD_SUMMARY;
const char *MIME_FIELD_TE;
@@ -249,6 +250,7 @@ int MIME_LEN_RETRY_AFTER;
int MIME_LEN_SENDER;
int MIME_LEN_SERVER;
int MIME_LEN_SET_COOKIE;
+int MIME_LEN_STRICT_TRANSPORT_SECURITY;
int MIME_LEN_SUBJECT;
int MIME_LEN_SUMMARY;
int MIME_LEN_TE;
@@ -323,6 +325,7 @@ int MIME_WKSIDX_RETRY_AFTER;
int MIME_WKSIDX_SENDER;
int MIME_WKSIDX_SERVER;
int MIME_WKSIDX_SET_COOKIE;
+int MIME_WKSIDX_STRICT_TRANSPORT_SECURITY;
int MIME_WKSIDX_SUBJECT;
int MIME_WKSIDX_SUMMARY;
int MIME_WKSIDX_TE;
@@ -665,6 +668,7 @@ mime_init()
MIME_FIELD_SENDER = hdrtoken_string_to_wks("Sender");
MIME_FIELD_SERVER = hdrtoken_string_to_wks("Server");
MIME_FIELD_SET_COOKIE = hdrtoken_string_to_wks("Set-Cookie");
+ MIME_FIELD_STRICT_TRANSPORT_SECURITY = hdrtoken_string_to_wks("Strict-Transport-Security");
MIME_FIELD_SUBJECT = hdrtoken_string_to_wks("Subject");
MIME_FIELD_SUMMARY = hdrtoken_string_to_wks("Summary");
MIME_FIELD_TE = hdrtoken_string_to_wks("TE");
@@ -740,6 +744,7 @@ mime_init()
MIME_LEN_SENDER = hdrtoken_wks_to_length(MIME_FIELD_SENDER);
MIME_LEN_SERVER = hdrtoken_wks_to_length(MIME_FIELD_SERVER);
MIME_LEN_SET_COOKIE = hdrtoken_wks_to_length(MIME_FIELD_SET_COOKIE);
+ MIME_LEN_STRICT_TRANSPORT_SECURITY = hdrtoken_wks_to_length(MIME_FIELD_STRICT_TRANSPORT_SECURITY);
MIME_LEN_SUBJECT = hdrtoken_wks_to_length(MIME_FIELD_SUBJECT);
MIME_LEN_SUMMARY = hdrtoken_wks_to_length(MIME_FIELD_SUMMARY);
MIME_LEN_TE = hdrtoken_wks_to_length(MIME_FIELD_TE);
@@ -814,6 +819,7 @@ mime_init()
MIME_WKSIDX_SENDER = hdrtoken_wks_to_index(MIME_FIELD_SENDER);
MIME_WKSIDX_SERVER = hdrtoken_wks_to_index(MIME_FIELD_SERVER);
MIME_WKSIDX_SET_COOKIE = hdrtoken_wks_to_index(MIME_FIELD_SET_COOKIE);
+ MIME_WKSIDX_STRICT_TRANSPORT_SECURITY = hdrtoken_wks_to_index(MIME_FIELD_STRICT_TRANSPORT_SECURITY);
MIME_WKSIDX_SUBJECT = hdrtoken_wks_to_index(MIME_FIELD_SUBJECT);
MIME_WKSIDX_SUMMARY = hdrtoken_wks_to_index(MIME_FIELD_SUMMARY);
MIME_WKSIDX_TE = hdrtoken_wks_to_index(MIME_FIELD_TE);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/MIME.h
----------------------------------------------------------------------
diff --git a/proxy/hdrs/MIME.h b/proxy/hdrs/MIME.h
index 264847c..a75e56a 100644
--- a/proxy/hdrs/MIME.h
+++ b/proxy/hdrs/MIME.h
@@ -352,6 +352,7 @@ extern const char *MIME_FIELD_RETRY_AFTER;
extern const char *MIME_FIELD_SENDER;
extern const char *MIME_FIELD_SERVER;
extern const char *MIME_FIELD_SET_COOKIE;
+extern const char *MIME_FIELD_STRICT_TRANSPORT_SECURITY;
extern const char *MIME_FIELD_SUBJECT;
extern const char *MIME_FIELD_SUMMARY;
extern const char *MIME_FIELD_TE;
@@ -449,6 +450,7 @@ extern int MIME_LEN_RETRY_AFTER;
extern int MIME_LEN_SENDER;
extern int MIME_LEN_SERVER;
extern int MIME_LEN_SET_COOKIE;
+extern int MIME_LEN_STRICT_TRANSPORT_SECURITY;
extern int MIME_LEN_SUBJECT;
extern int MIME_LEN_SUMMARY;
extern int MIME_LEN_TE;
@@ -546,6 +548,7 @@ extern int MIME_WKSIDX_RETRY_AFTER;
extern int MIME_WKSIDX_SENDER;
extern int MIME_WKSIDX_SERVER;
extern int MIME_WKSIDX_SET_COOKIE;
+extern int MIME_WKSIDX_STRICT_TRANSPORT_SECURITY;
extern int MIME_WKSIDX_SUBJECT;
extern int MIME_WKSIDX_SUMMARY;
extern int MIME_WKSIDX_TE;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpConfig.cc
----------------------------------------------------------------------
diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
index 26fa002..be6f0d8 100644
--- a/proxy/http/HttpConfig.cc
+++ b/proxy/http/HttpConfig.cc
@@ -1164,6 +1164,8 @@ HttpConfig::startup()
HttpEstablishStaticConfigByte(c.oride.insert_request_via_string, "proxy.config.http.insert_request_via_str");
HttpEstablishStaticConfigByte(c.oride.insert_response_via_string, "proxy.config.http.insert_response_via_str");
+ HttpEstablishStaticConfigLongLong(c.oride.proxy_response_hsts_max_age, "proxy.config.ssl.hsts_max_age");
+ HttpEstablishStaticConfigByte(c.oride.proxy_response_hsts_include_subdomains, "proxy.config.ssl.hsts_include_subdomains");
HttpEstablishStaticConfigStringAlloc(c.proxy_request_via_string, "proxy.config.http.request_via_str");
c.proxy_request_via_string_len = -1;
@@ -1406,6 +1408,8 @@ HttpConfig::reconfigure()
params->proxy_request_via_string_len = (params->proxy_request_via_string) ? strlen(params->proxy_request_via_string) : 0;
params->proxy_response_via_string = ats_strdup(m_master.proxy_response_via_string);
params->proxy_response_via_string_len = (params->proxy_response_via_string) ? strlen(params->proxy_response_via_string) : 0;
+ params->oride.proxy_response_hsts_max_age = m_master.oride.proxy_response_hsts_max_age;
+ params->oride.proxy_response_hsts_include_subdomains = m_master.oride.proxy_response_hsts_include_subdomains;
params->url_expansions_string = ats_strdup(m_master.url_expansions_string);
params->url_expansions = parse_url_expansions(params->url_expansions_string, ¶ms->num_url_expansions);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpConfig.h
----------------------------------------------------------------------
diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h
index b3b9e40..e4790a9 100644
--- a/proxy/http/HttpConfig.h
+++ b/proxy/http/HttpConfig.h
@@ -406,7 +406,8 @@ struct OverridableHttpConfigParams {
share_server_sessions(2), fwd_proxy_auth_to_parent(0), insert_age_in_response(1),
anonymize_remove_from(0), anonymize_remove_referer(0), anonymize_remove_user_agent(0),
anonymize_remove_cookie(0), anonymize_remove_client_ip(0), anonymize_insert_client_ip(1),
- proxy_response_server_enabled(1), insert_squid_x_forwarded_for(1), send_http11_requests(1),
+ proxy_response_server_enabled(1), proxy_response_hsts_max_age(-1), proxy_response_hsts_include_subdomains(0),
+ insert_squid_x_forwarded_for(1), send_http11_requests(1),
cache_http(1), cache_cluster_cache_local(0), cache_ignore_client_no_cache(1), cache_ignore_client_cc_max_age(0),
cache_ims_on_client_no_cache(1), cache_ignore_server_no_cache(0), cache_responses_to_cookies(1),
cache_ignore_auth(0), cache_urls_that_look_dynamic(1), cache_required_headers(2), cache_range_lookup(1),
@@ -471,6 +472,8 @@ struct OverridableHttpConfigParams {
MgmtByte anonymize_insert_client_ip;
MgmtByte proxy_response_server_enabled;
+ MgmtInt proxy_response_hsts_max_age;
+ MgmtByte proxy_response_hsts_include_subdomains;
/////////////////////
// X-Forwarded-For //
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransact.cc
----------------------------------------------------------------------
diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index 14207f0..ff043b2 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -7745,6 +7745,12 @@ HttpTransact::build_response(State* s, HTTPHdr* base_response, HTTPHdr* outgoing
if (s->next_hop_scheme < 0)
s->next_hop_scheme = URL_WKSIDX_HTTP;
+ // Add HSTS header (Strict-Transport-Security) if max-age is set and the request was https
+ if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0) {
+ Debug("http_hdrs", "hsts max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age);
+ HttpTransactHeaders::insert_hsts_header_in_response(s, outgoing_response);
+ }
+
if (s->txn_conf->insert_response_via_string)
HttpTransactHeaders::insert_via_header_in_response(s, outgoing_response);
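Review bot: The new block inserts the STS header via `insert_hsts_header_in_response`, which (per the companion change in HttpTransactHeaders.cc) calls `value_set` and therefore replaces any Strict-Transport-Security header the origin itself sent, even one with a longer `max-age` or additional directives; if that precedence is intended it should be stated, and if not the insertion should be skipped when the field is already present. The guard also relies on `s->orig_scheme` reflecting the client-facing connection scheme rather than the scheme used toward the origin — that matches the docs' "HTTPS requests only" wording, but I cannot verify it from this hunk. A comment such as `// Proxy policy overrides any origin-supplied Strict-Transport-Security header; -1 disables insertion, 0 instructs clients to drop the host's HSTS entry` on the new `if` would capture both points. `build_response` continues outside the hunk.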
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransactHeaders.cc
----------------------------------------------------------------------
diff --git a/proxy/http/HttpTransactHeaders.cc b/proxy/http/HttpTransactHeaders.cc
index 7c9a3e6..b5ab0fe 100644
--- a/proxy/http/HttpTransactHeaders.cc
+++ b/proxy/http/HttpTransactHeaders.cc
@@ -879,6 +879,25 @@ HttpTransactHeaders::insert_via_header_in_request(HttpTransact::State *s, HTTPHd
header->value_append(MIME_FIELD_VIA, MIME_LEN_VIA, new_via_string, via_string - new_via_string, true);
}
+void
+HttpTransactHeaders::insert_hsts_header_in_response(HttpTransact::State *s, HTTPHdr *header)
+{
+ char new_hsts_string[64];
+ char *hsts_string = new_hsts_string;
+ const char include_subdomains[] = "; includeSubDomains";
+
+ // add max-age
+ int length = snprintf(new_hsts_string, sizeof(new_hsts_string), "max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age);
+
+ // add include subdomain if set
+ if (s->txn_conf->proxy_response_hsts_include_subdomains) {
+ hsts_string += length;
+ memcpy(hsts_string, include_subdomains, sizeof(include_subdomains));
+ length += sizeof(include_subdomains);
+ }
+
+ header->value_set(MIME_FIELD_STRICT_TRANSPORT_SECURITY, MIME_LEN_STRICT_TRANSPORT_SECURITY, new_hsts_string, length);
+}
void
HttpTransactHeaders::insert_via_header_in_response(HttpTransact::State *s, HTTPHdr *header)
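Review bot: In `insert_hsts_header_in_response`, `length += sizeof(include_subdomains);` counts the array's NUL terminator, so when `hsts_include_subdomains` is set the value handed to `value_set` is one byte too long and ends in a 0x00 byte that goes out on the wire; a client that rejects the malformed directive list will silently not enforce HSTS, which defeats the purpose of the option. The fix is `length += sizeof(include_subdomains) - 1;` (the `memcpy` may keep copying the full array since the buffer has room). The `snprintf` return is also used unchecked as an offset; with the configured range for `hsts_max_age` the 64-byte buffer is large enough, but a guard such as `if (length < 0 || length >= (int) sizeof(new_hsts_string)) return;` before the append would keep the function safe if that range is ever widened. A short Doxygen comment above the function stating that it unconditionally overwrites an existing Strict-Transport-Security field and expects `hsts_max_age >= 0` (the caller's check) would also help.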
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransactHeaders.h
----------------------------------------------------------------------
diff --git a/proxy/http/HttpTransactHeaders.h b/proxy/http/HttpTransactHeaders.h
index 8dbbdab..0fa3a03 100644
--- a/proxy/http/HttpTransactHeaders.h
+++ b/proxy/http/HttpTransactHeaders.h
@@ -72,6 +72,7 @@ public:
static void insert_server_header_in_response(const char *server_tag, int server_tag_size, HTTPHdr * header);
static void insert_via_header_in_request(HttpTransact::State *s, HTTPHdr *header);
static void insert_via_header_in_response(HttpTransact::State *s, HTTPHdr *header);
+ static void insert_hsts_header_in_response(HttpTransact::State *s, HTTPHdr *header);
static bool is_request_proxy_authorized(HTTPHdr * incoming_hdr);