This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 605e17151 [rpc] detect HTTP client on RPC port
605e17151 is described below
commit 605e171515ec251d9741e09de0a5a08814705e5b
Author: Alexey Serbin <[email protected]>
AuthorDate: Tue Sep 19 11:58:55 2023 -0700
[rpc] detect HTTP client on RPC port
Widen the list of HTTP requests [1] to report in the log when an HTTP
client tries to connect to the RPC port. Also, output the first four
bytes from the connection negotiation data if they don't match the
expected "hrpc" magic.
I also did a few other minor updates.
This is a follow-up to 45a970a490b72b12af7fa0596bac9b0d80604b5b.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
Change-Id: I8dd040eb78dbe38ab258449302fb48ce5432379f
Reviewed-on: http://gerrit.cloudera.org:8080/20493
Tested-by: Kudu Jenkins
Reviewed-by: Yingchun Lai <[email protected]>
---
src/kudu/rpc/serialization.cc | 36 ++++++++++++++++++++++++++----------
1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/src/kudu/rpc/serialization.cc b/src/kudu/rpc/serialization.cc
index b8454070d..40d823ba0 100644
--- a/src/kudu/rpc/serialization.cc
+++ b/src/kudu/rpc/serialization.cc
@@ -190,27 +190,43 @@ Status ValidateConnHeader(const Slice& slice) {
<< "Invalid RPC header length";
// validate actual magic
- if (!slice.starts_with(kMagicNumber)) {
- if (slice.starts_with("GET ") ||
+ if (PREDICT_FALSE(!slice.starts_with(kMagicNumber))) {
+ // Check if that's an HTTP request sent by mistake (misconfiguration, etc.)
+ // to the RPC port. There might be network monitoring tools that might send
+ // HTTP requests as well to TCP ports they detect or otherwise know about.
+ //
+ // The list of possible HTTP requests [1] is ordered
+ // by the empirical and perceived likelihood of receiving one vs another.
+ //
+ // [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
+ if (slice.starts_with("GET") ||
+ slice.starts_with("HEAD") ||
+ slice.starts_with("OPTIONS") ||
slice.starts_with("POST") ||
- slice.starts_with("HEAD")) {
- return Status::InvalidArgument("invalid negotation, appears to be an
HTTP client on "
- "the RPC port");
+ slice.starts_with("CONNECT") ||
+ slice.starts_with("DELETE") ||
+ slice.starts_with("PUT") ||
+ slice.starts_with("PATCH") ||
+ slice.starts_with("TRACE")) {
+ return Status::InvalidArgument(
+ "invalid negotiation, appears to be an HTTP client on the RPC port");
}
- return Status::InvalidArgument("connection must begin with magic number",
kMagicNumber);
+ return Status::InvalidArgument(Substitute(
+ "connection must begin with magic number '$0' not with '$1'",
+ kMagicNumber, slice.ToDebugString(kMagicNumberLength)));
}
- const uint8_t *data = slice.data();
+ const uint8_t* data = slice.data();
data += kMagicNumberLength;
// validate version
- if (data[kHeaderPosVersion] != kCurrentRpcVersion) {
- return Status::InvalidArgument("Unsupported RPC version",
+ if (PREDICT_FALSE(data[kHeaderPosVersion] != kCurrentRpcVersion)) {
+ return Status::InvalidArgument("unsupported RPC version",
StringPrintf("Received: %d, Supported: %d",
data[kHeaderPosVersion], kCurrentRpcVersion));
}
- // TODO: validate additional header flags:
+ // TODO(mpercy): validate additional header flags:
// RPC_SERVICE_CLASS
// RPC_AUTH_PROTOCOL
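Review bot: The HTTP branch starting at `slice.starts_with("GET") ||` now matches bare method prefixes (the old test was `"GET "` with a trailing space), but its message drops the bytes that were actually received. A non-HTTP peer whose data merely begins with `GET` or `PUT` is therefore reported as an HTTP client, with nothing left in the log for triage. Passing the observed prefix in the two-argument form already used for the version check keeps both cases diagnosable: `return Status::InvalidArgument("invalid negotiation, appears to be an HTTP client on the RPC port", slice.ToDebugString(kMagicNumberLength));`. These bytes come from a peer that has not yet been authenticated, so it is worth confirming that `ToDebugString` escapes non-printable characters before they reach the log; its implementation is not visible here. `ValidateConnHeader` starts above the hunk and continues past its last line.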