This is an automated email from the ASF dual-hosted git repository.

zrhoffman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 3a25717  Add ability for TR to strip its special query params from 
responses (#6019)
3a25717 is described below

commit 3a25717ac1290daf33e869299e74394f6defae4e
Author: Rawlin Peters <[email protected]>
AuthorDate: Fri Jul 16 14:54:32 2021 -0600

    Add ability for TR to strip its special query params from responses (#6019)
    
    If enabled, strip the 'trred' and 'fakeClientIpAddress' query parameters
    from the response URL(s) returned in TR's response.
---
 CHANGELOG.md                                       |  1 +
 docs/source/admin/traffic_router.rst               |  3 +++
 .../traffic_router/core/router/TrafficRouter.java  | 28 ++++++++++++++++++++--
 .../core/router/TrafficRouterTest.java             | 15 ++++++++++++
 4 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8c9b93..a1af1b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ The format is based on [Keep a 
Changelog](http://keepachangelog.com/en/1.0.0/).
 - Traffic Portal: Adds the ability for operations/admin users to create a 
CDN-level notification.
 - Traffic Portal: upgraded delivery service UI tables to use more 
powerful/performant ag-grid component
 - Traffic Router: added new 'dnssec.rrsig.cache.enabled' profile parameter to 
enable new DNSSEC RRSIG caching functionality. Enabling this greatly reduces 
CPU usage during the DNSSEC signing process.
+- Traffic Router: added new 'strip.special.query.params' profile parameter to 
enable stripping the 'trred' and 'fakeClientIpAddress' query parameters from 
responses: [#1065](https://github.com/apache/trafficcontrol/issues/1065)
 - [#5316](https://github.com/apache/trafficcontrol/issues/5316) - Add router 
host names and ports on a per interface basis, rather than a per server basis.
 - Traffic Ops: Adds API endpoints to fetch (GET), create (POST) or delete 
(DELETE) a cdn notification. Create and delete are limited to users with 
operations or admin role.
 - Added ACME certificate renewals and ACME account registration using external 
account binding
diff --git a/docs/source/admin/traffic_router.rst 
b/docs/source/admin/traffic_router.rst
index 299989e..8b30389 100644
--- a/docs/source/admin/traffic_router.rst
+++ b/docs/source/admin/traffic_router.rst
@@ -217,6 +217,9 @@ Much of a Traffic Router's configuration can be obtained 
through the :term:`Para
        | client.steering.forced.diversity        | CRConfig.json               
 | When this :term:`Parameter` exists and is exactly "true", it enables the 
"Client Steering Forced Diversity" feature to diversify      |
        |                                         |                             
 | CLIENT_STEERING results by including more unique :term:`Edge-tier cache 
servers` in the response to the client's request.             |
        
+-----------------------------------------+------------------------------+---------------------------------------------------------------------------------------------------------------------------------------+
+       | strip.special.query.params              | CRConfig.json               
 | If "true", Traffic Router will strip its special query parameters (namely 
"trred" and "fakeClientIpAddress") from its responses.      |
+       |                                         |                             
 | Note: the special query parameter "format" is not stripped due to its 
generality.                                                     |
+       
+-----------------------------------------+------------------------------+---------------------------------------------------------------------------------------------------------------------------------------+
        | tld.soa.expire                          | CRConfig.json               
 | The value for the "expire" field the Traffic Router DNS Server will respond 
with on :abbr:`SOA (Start of Authority)` records.         |
        
+-----------------------------------------+------------------------------+---------------------------------------------------------------------------------------------------------------------------------------+
        | tld.soa.minimum                         | CRConfig.json               
 | The value for the minimum field the Traffic Router DNS Server will respond 
with on :abbr:`SOA (Start of Authority)` records.          |
diff --git 
a/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouter.java
 
b/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouter.java
index 3c60cc7..4c71308 100644
--- 
a/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouter.java
+++ 
b/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouter.java
@@ -34,6 +34,7 @@ import 
org.apache.traffic_control.traffic_router.core.edge.Node;
 import org.apache.traffic_control.traffic_router.core.edge.Node.IPVersions;
 import 
org.apache.traffic_control.traffic_router.core.edge.TrafficRouterLocation;
 import org.apache.traffic_control.traffic_router.core.hash.ConsistentHasher;
+import org.apache.traffic_control.traffic_router.core.http.RouterFilter;
 import org.apache.traffic_control.traffic_router.core.loc.AnonymousIp;
 import 
org.apache.traffic_control.traffic_router.core.loc.AnonymousIpDatabaseService;
 import org.apache.traffic_control.traffic_router.core.loc.FederationRegistry;
@@ -58,6 +59,7 @@ import com.fasterxml.jackson.databind.JsonNode;
 import org.apache.log4j.Logger;
 import org.springframework.beans.BeansException;
 import org.springframework.context.ApplicationContext;
+import org.springframework.web.util.UriComponentsBuilder;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.Type;
 import org.xbill.DNS.Zone;
@@ -105,6 +107,7 @@ public class TrafficRouter {
        public static final String DNSSEC_ENABLED = "dnssec.enabled";
        public static final String DNSSEC_ZONE_DIFFING = 
"dnssec.zone.diffing.enabled";
        public static final String DNSSEC_RRSIG_CACHE_ENABLED = 
"dnssec.rrsig.cache.enabled";
+       public static final String STRIP_SPECIAL_QUERY_PARAMS = 
"strip.special.query.params";
        private static final long DEFAULT_EDGE_NS_TTL = 3600;
        private static final int DEFAULT_EDGE_TR_LIMIT = 4;
 
@@ -117,6 +120,7 @@ public class TrafficRouter {
        private final boolean consistentDNSRouting;
        private final boolean clientSteeringDiversityEnabled;
        private final boolean dnssecZoneDiffingEnabled;
+       private final boolean stripSpecialQueryParamsEnabled;
        private final boolean edgeDNSRouting;
        private final boolean edgeHTTPRouting;
        private final long edgeNSttl; // 1 hour default
@@ -152,6 +156,7 @@ public class TrafficRouter {
                this.anonymousIpService = anonymousIpService;
                this.federationRegistry = federationRegistry;
                this.clientSteeringDiversityEnabled = 
JsonUtils.optBoolean(cr.getConfig(), CLIENT_STEERING_DIVERSITY);
+               this.stripSpecialQueryParamsEnabled = 
JsonUtils.optBoolean(cr.getConfig(), STRIP_SPECIAL_QUERY_PARAMS);
                this.dnssecZoneDiffingEnabled = 
JsonUtils.optBoolean(cr.getConfig(), DNSSEC_ENABLED) && 
JsonUtils.optBoolean(cr.getConfig(), DNSSEC_ZONE_DIFFING);
                this.consistentDNSRouting = 
JsonUtils.optBoolean(cr.getConfig(), "consistent.dns.routing"); // 
previous/default behavior
                this.edgeDNSRouting =  JsonUtils.optBoolean(cr.getConfig(), 
"edge.dns.routing") && cr.hasEdgeTrafficRouters();
@@ -1164,10 +1169,29 @@ public class TrafficRouter {
        public HTTPRouteResult route(final HTTPRequest request, final Track 
track) throws MalformedURLException, GeolocationException {
                track.setRouteType(RouteType.HTTP, request.getHostname());
 
+               final HTTPRouteResult result;
                if (isMultiRouteRequest(request)) {
-                       return multiRoute(request, track);
+                       result = multiRoute(request, track);
                } else {
-                       return singleRoute(request, track);
+                       result = singleRoute(request, track);
+               }
+               if (stripSpecialQueryParamsEnabled) {
+                   stripSpecialQueryParams(result);
+               }
+               return result;
+       }
+
+       public void stripSpecialQueryParams(final HTTPRouteResult result) 
throws MalformedURLException {
+               if (result != null && result.getUrls() != null) {
+                       for (int i = 0; i < result.getUrls().size(); i++) {
+                               final URL url = result.getUrls().get(i);
+                               if (url != null) {
+                                       result.getUrls().set(i, 
UriComponentsBuilder.fromHttpUrl(url.toString())
+                                                       
.replaceQueryParam(HTTPRequest.FAKE_IP)
+                                                       
.replaceQueryParam(RouterFilter.REDIRECT_QUERY_PARAM)
+                                                       
.build().toUri().toURL());
+                               }
+                       }
                }
        }
 
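Review bot: In `stripSpecialQueryParams`, `.build().toUri()` treats the parsed components as not yet encoded, so a redirect URL whose remaining query values already carry percent-escapes (a signed-URL token, for instance) will most likely come back double-encoded, with `%2F` turning into `%252F`, once `strip.special.query.params` is on. If the URLs returned by `singleRoute`/`multiRoute` are already encoded, `.build(true).toUri().toURL()` should leave everything except the two removed parameters untouched; this is worth confirming against the Spring version in use. Both `fromHttpUrl` and `build(true)` reject input they cannot parse with an unchecked `IllegalArgumentException`, while `route` declares only `MalformedURLException`, so decide whether such a URL should be passed through unmodified or fail the request. The new public method also lacks a Javadoc; one sentence saying that it rewrites `result.getUrls()` in place and which parameters it drops would be enough.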
diff --git 
a/traffic_router/core/src/test/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouterTest.java
 
b/traffic_router/core/src/test/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouterTest.java
index 990b2a4..b5488fb 100644
--- 
a/traffic_router/core/src/test/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouterTest.java
+++ 
b/traffic_router/core/src/test/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouterTest.java
@@ -36,6 +36,8 @@ import org.junit.Test;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.Type;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashSet;
@@ -98,6 +100,7 @@ public class TrafficRouterTest {
         when(trafficRouter.singleRoute(any(HTTPRequest.class), 
any(Track.class))).thenCallRealMethod();
         
when(trafficRouter.selectDeliveryService(any(Request.class))).thenReturn(deliveryService);
         
when(trafficRouter.consistentHashDeliveryService(any(DeliveryService.class), 
any(HTTPRequest.class), any())).thenCallRealMethod();
+        
doCallRealMethod().when(trafficRouter).stripSpecialQueryParams(any(HTTPRouteResult.class));
     }
 
     @Test
@@ -324,4 +327,16 @@ public class TrafficRouterTest {
 
         assertThat(deliveryService.createURIString(httpRequest, cache), 
equalTo(dest.toString()));
     }
+
+    @Test
+    public void itStripsSpecialQueryParameters() throws MalformedURLException {
+        HTTPRouteResult result = new HTTPRouteResult(false);
+        result.setUrl(new 
URL("http://example.org/foo?trred=false&fakeClientIpAddress=192.168.0.2";));
+        trafficRouter.stripSpecialQueryParams(result);
+        assertThat(result.getUrl().toString(), 
equalTo("http://example.org/foo";));
+
+        result.setUrl(new 
URL("http://example.org/foo?b=1&trred=false&a=2&asdf=foo&fakeClientIpAddress=192.168.0.2&c=3";));
+        trafficRouter.stripSpecialQueryParams(result);
+        assertThat(result.getUrl().toString(), 
equalTo("http://example.org/foo?b=1&a=2&asdf=foo&c=3";));
+    }
 }
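Review bot: `itStripsSpecialQueryParameters` only passes plain ASCII query strings through a single-URL result, so it would not notice if stripping altered the encoding of the parameters that are kept. Add a case where a kept parameter contains a percent-escape, e.g. input `http://example.org/foo?sig=a%2Fb&trred=false` (constructed sample) with expected output `http://example.org/foo?sig=a%2Fb`. A second case with several entries in `getUrls()`, one of them `null`, would cover the loop and the null guard that `stripSpecialQueryParams` adds for multi-route results.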
