Thanks for the comments on the documentation. I will make those changes. Yeah, NNTP is still around in the code. I added a comment on the Jira ticket about cleaning up the headers, and we should remove NNTP headers if they are not being used in HTTP.
-Bryan

On Jan 16, 2014, at 5:34 AM, Igor Galić <i.ga...@brainsware.org> wrote:

> > > ----- Original Message ----- >> Updated Branches: >> refs/heads/master f057cdcca -> 4cf9975e9 >> >> >> TS-1668: Added HSTS configuration options to ATS >> >> >> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo >> Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/4cf9975e >> Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/4cf9975e >> Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/4cf9975e >> >> Branch: refs/heads/master >> Commit: 4cf9975e9b8ff0cc5510707443da0adafbb962cb >> Parents: f057cdc >> Author: Bryan Call <bc...@apache.org> >> Authored: Wed Jan 15 13:38:07 2014 -0800 >> Committer: Bryan Call <bc...@apache.org> >> Committed: Wed Jan 15 13:38:07 2014 -0800 >> >> ---------------------------------------------------------------------- >> CHANGES | 2 ++ >> .../configuration/records.config.en.rst | 15 +++++++++++++++ >> mgmt/RecordsConfig.cc | 5 +++++ >> proxy/InkAPI.cc | 19 +++++++++++++++++++ >> proxy/InkAPITest.cc | 4 +++- >> proxy/api/ts/ts.h.in | 4 ++++ >> proxy/hdrs/HdrToken.cc | 3 +++ >> proxy/hdrs/MIME.cc | 6 ++++++ >> proxy/hdrs/MIME.h | 3 +++ >> proxy/http/HttpConfig.cc | 4 ++++ >> proxy/http/HttpConfig.h | 5 ++++- >> proxy/http/HttpTransact.cc | 6 ++++++ >> proxy/http/HttpTransactHeaders.cc | 19 +++++++++++++++++++ >> proxy/http/HttpTransactHeaders.h | 1 + >> 14 files changed, 94 insertions(+), 2 deletions(-) >> ---------------------------------------------------------------------- >> >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/CHANGES >> ---------------------------------------------------------------------- >> diff --git a/CHANGES b/CHANGES >> index 2c56ffd..a688aea 100644 >> --- a/CHANGES >> +++ b/CHANGES 
>> @@ -1,6 +1,8 @@ >> -*- coding: utf-8 >> -*- >> Changes with Apache Traffic Server 4.2.0 >> >> + *) [TS-1668] Added HSTS configuration options to ATS >> + >> *) [TS-2495] Reduce the size of HttpVCTableEntry. >> >> *) [TS-2491] stop other esi plugin unit test programs after error. >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/doc/reference/configuration/records.config.en.rst >> ---------------------------------------------------------------------- >> diff --git a/doc/reference/configuration/records.config.en.rst >> b/doc/reference/configuration/records.config.en.rst >> index f0d7f8a..c3aac2e 100644 >> --- a/doc/reference/configuration/records.config.en.rst >> +++ b/doc/reference/configuration/records.config.en.rst 
>> @@ -2046,6 +2046,21 @@ SSL Termination >> entries in seconds. If it is ``0``, then the SSL library will use >> a default value, typically 300 seconds. >> >> +.. ts:cv:: CONFIG proxy.config.ssl.hsts_max_age INT -1 >> + >> + This configuration specifies the max-age value that will be used >> + when adding the Strict-Transport-Security header. The value is in >> seconds. >> + A value of 0 will set the max-age value to 0 and should remove the >> + hsts entry from the cleint. A value of -1 will disable this feature and > > should be: HSTS entry from the client > > I'd also put max-age and numbers in ``, e.g.: > > A value of ``0`` will set the ``max-age`` value to ... > >> + not set the header. This option is only used for HTTPS request and the >> + header will not be set on HTTP requests. >> + >> +.. ts:cv:: CONFIG proxy.config.ssl.hsts_include_subdomains INT 0 >> + >> + Enables (``1``) or disables (``0``) to add the includeSubdomain value >> + to the Strict-Transport-Security header. proxy.config.ssl.hsts_max_age >> + will need to be set to a non -1 value for this value to be added. >> + >> Client-Related Configuration >> ---------------------------- >> >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/mgmt/RecordsConfig.cc >> ---------------------------------------------------------------------- >> diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc >> index 3e3fe5c..abae558 100644 >> --- a/mgmt/RecordsConfig.cc >> +++ b/mgmt/RecordsConfig.cc 
>> @@ -1275,6 +1275,11 @@ RecordElement RecordsConfig[] = { >> , >> {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", >> RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL} >> , >> + {RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", >> RECU_DYNAMIC, RR_NULL, RECC_INT, "[-1-2147483648]", RECA_NULL} >> + , >> + {RECT_CONFIG, "proxy.config.ssl.hsts_include_subdomains", RECD_INT, "0", >> RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} >> + , >> + >> >> //############################################################################## >> //# ICP Configuration >> >> //############################################################################## >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/InkAPI.cc >> ---------------------------------------------------------------------- >> diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc >> index 3c40ce5..2be442d 100644 >> --- a/proxy/InkAPI.cc >> +++ b/proxy/InkAPI.cc >> @@ -198,6 +198,7 @@ tsapi const char *TS_MIME_FIELD_RETRY_AFTER; >> tsapi const char *TS_MIME_FIELD_SENDER; >> tsapi const char *TS_MIME_FIELD_SERVER; >> tsapi const char *TS_MIME_FIELD_SET_COOKIE; >> +tsapi const char *TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY; >> tsapi const char *TS_MIME_FIELD_SUBJECT; >> tsapi const char *TS_MIME_FIELD_SUMMARY; >> tsapi const char *TS_MIME_FIELD_TE; >> @@ -271,6 +272,7 @@ tsapi int TS_MIME_LEN_RETRY_AFTER; >> tsapi int TS_MIME_LEN_SENDER; >> tsapi int TS_MIME_LEN_SERVER; >> tsapi int TS_MIME_LEN_SET_COOKIE; >> +tsapi int TS_MIME_LEN_STRICT_TRANSPORT_SECURITY; >> tsapi int TS_MIME_LEN_SUBJECT; >> tsapi int TS_MIME_LEN_SUMMARY; >> tsapi int TS_MIME_LEN_TE; 
>> @@ -1425,6 +1427,7 @@ api_init() >> TS_MIME_FIELD_SENDER = MIME_FIELD_SENDER; >> TS_MIME_FIELD_SERVER = MIME_FIELD_SERVER; >> TS_MIME_FIELD_SET_COOKIE = MIME_FIELD_SET_COOKIE; >> + TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY = >> MIME_FIELD_STRICT_TRANSPORT_SECURITY; >> TS_MIME_FIELD_SUBJECT = MIME_FIELD_SUBJECT; >> TS_MIME_FIELD_SUMMARY = MIME_FIELD_SUMMARY; >> TS_MIME_FIELD_TE = MIME_FIELD_TE; >> @@ -1498,6 +1501,7 @@ api_init() >> TS_MIME_LEN_SENDER = MIME_LEN_SENDER; >> TS_MIME_LEN_SERVER = MIME_LEN_SERVER; >> TS_MIME_LEN_SET_COOKIE = MIME_LEN_SET_COOKIE; >> + TS_MIME_LEN_STRICT_TRANSPORT_SECURITY = >> MIME_LEN_STRICT_TRANSPORT_SECURITY; >> TS_MIME_LEN_SUBJECT = MIME_LEN_SUBJECT; >> TS_MIME_LEN_SUMMARY = MIME_LEN_SUMMARY; >> TS_MIME_LEN_TE = MIME_LEN_TE; >> @@ -7591,6 +7595,14 @@ _conf_to_memberp(TSOverridableConfigKey conf, HttpSM* >> sm, OverridableDataType *t >> case TS_CONFIG_HTTP_ACCEPT_ENCODING_FILTER_ENABLED: >> ret = &sm->t_state.txn_conf->accept_encoding_filter_enabled; >> break; >> + case TS_CONFIG_SSL_HSTS_MAX_AGE: >> + typ = OVERRIDABLE_TYPE_INT; >> + ret = &sm->t_state.txn_conf->proxy_response_hsts_max_age; >> + break; >> + case TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS: >> + typ = OVERRIDABLE_TYPE_BYTE; >> + ret = &sm->t_state.txn_conf->proxy_response_hsts_include_subdomains; >> + break; >> >> // This helps avoiding compiler warnings, yet detect unhandled enum >> members. >> case TS_CONFIG_NULL: >> @@ -7775,6 +7787,11 @@ TSHttpTxnConfigFind(const char* name, int length, >> TSOverridableConfigKey *conf, >> cnf = TS_CONFIG_HTTP_CACHE_HTTP; >> break; >> >> + case 29: > > wow. Such expressiveness. I mean.. what's case 29? > >> + if (!strncmp(name, "proxy.config.ssl.hsts_max_age", length)) >> + cnf = TS_CONFIG_SSL_HSTS_MAX_AGE; >> + break; >> + >> case 31: >> if (!strncmp(name, "proxy.config.http.chunking.size", length)) >> cnf = TS_CONFIG_HTTP_CHUNKING_SIZE; 
>> @@ -7891,6 +7908,8 @@ TSHttpTxnConfigFind(const char* name, int length, >> TSOverridableConfigKey *conf, >> cnf = TS_CONFIG_HTTP_ORIGIN_MAX_CONNECTIONS; >> else if (!strncmp(name, "proxy.config.http.cache.required_headers", >> length)) >> cnf = TS_CONFIG_HTTP_CACHE_REQUIRED_HEADERS; >> + else if (!strncmp(name, "proxy.config.ssl.hsts_include_subdomains", >> length)) >> + cnf = TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS; >> break; >> case 't': >> if (!strncmp(name, "proxy.config.http.keep_alive_enabled_out", >> length)) >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/InkAPITest.cc >> ---------------------------------------------------------------------- >> diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc >> index 8f97a88..b9945a1 100644 >> --- a/proxy/InkAPITest.cc >> +++ b/proxy/InkAPITest.cc >> @@ -7412,7 +7412,9 @@ const char >> *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY] = { >> "proxy.config.http.response_header_max_size", >> "proxy.config.http.negative_revalidating_enabled", >> "proxy.config.http.negative_revalidating_lifetime", >> - "proxy.config.http.accept_encoding_filter_enabled" >> + "proxy.config.http.accept_encoding_filter_enabled", >> + "proxy.config.ssl.hsts_max_age", >> + "proxy.config.ssl.hsts_include_subdomains" >> }; >> >> REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS) (RegressionTest * test, int /* >> atype ATS_UNUSED */, int *pstatus) >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/api/ts/ts.h.in >> ---------------------------------------------------------------------- >> diff --git a/proxy/api/ts/ts.h.in b/proxy/api/ts/ts.h.in >> index a184939..e568b1f 100644 >> --- a/proxy/api/ts/ts.h.in >> +++ b/proxy/api/ts/ts.h.in 
>> @@ -680,6 +680,8 @@ extern "C" >> TS_CONFIG_HTTP_NEGATIVE_REVALIDATING_ENABLED, >> TS_CONFIG_HTTP_NEGATIVE_REVALIDATING_LIFETIME, >> TS_CONFIG_HTTP_ACCEPT_ENCODING_FILTER_ENABLED, >> + TS_CONFIG_SSL_HSTS_MAX_AGE, >> + TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS, >> TS_CONFIG_LAST_ENTRY >> } TSOverridableConfigKey; >> >> @@ -903,6 +905,7 @@ extern "C" >> extern tsapi const char* TS_MIME_FIELD_SENDER; >> extern tsapi const char* TS_MIME_FIELD_SERVER; >> extern tsapi const char* TS_MIME_FIELD_SET_COOKIE; >> + extern tsapi const char* TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY; >> extern tsapi const char* TS_MIME_FIELD_SUBJECT; >> extern tsapi const char* TS_MIME_FIELD_SUMMARY; >> extern tsapi const char* TS_MIME_FIELD_TE; >> @@ -977,6 +980,7 @@ extern "C" >> extern tsapi int TS_MIME_LEN_SENDER; >> extern tsapi int TS_MIME_LEN_SERVER; >> extern tsapi int TS_MIME_LEN_SET_COOKIE; >> + extern tsapi int TS_MIME_LEN_STRICT_TRANSPORT_SECURITY; >> extern tsapi int TS_MIME_LEN_SUBJECT; >> extern tsapi int TS_MIME_LEN_SUMMARY; >> extern tsapi int TS_MIME_LEN_TE; >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/HdrToken.cc >> ---------------------------------------------------------------------- >> diff --git a/proxy/hdrs/HdrToken.cc b/proxy/hdrs/HdrToken.cc >> index 4374d85..72bbbe1 100644 >> --- a/proxy/hdrs/HdrToken.cc >> +++ b/proxy/hdrs/HdrToken.cc >> @@ -107,6 +107,7 @@ static const char *_hdrtoken_strs[] = { >> "Sender", // NNTP > > NNTP? Really? I thought we only support HTTP... > >> "Server", >> "Set-Cookie", >> + "Strict-Transport-Security", >> "Subject", // NNTP >> "Summary", // NNTP >> "Transfer-Encoding", 
>> @@ -293,6 +294,7 @@ static HdrTokenFieldInfo >> _hdrtoken_strs_field_initializers[] = { >> {"Sender", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, HTIF_NONE}, >> {"Server", MIME_SLOTID_NONE, MIME_PRESENCE_SERVER, HTIF_NONE}, >> {"Set-Cookie", MIME_SLOTID_SET_COOKIE, MIME_PRESENCE_SET_COOKIE, >> (HTIF_MULTVALS)}, >> + {"Strict-Transport-Security", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, >> (HTIF_MULTVALS)}, >> {"Subject", MIME_SLOTID_NONE, MIME_PRESENCE_SUBJECT, HTIF_NONE}, >> {"Summary", MIME_SLOTID_NONE, MIME_PRESENCE_SUMMARY, HTIF_NONE}, >> {"TE", MIME_SLOTID_TE, MIME_PRESENCE_TE, (HTIF_COMMAS | HTIF_MULTVALS | >> HTIF_HOPBYHOP)}, >> @@ -433,6 +435,7 @@ static const char *_hdrtoken_commonly_tokenized_strs[] = >> { >> "Sender", // NNTP >> "Server", >> "Set-Cookie", >> + "Strict-Transport-Security", >> "Subject", // NNTP >> "Summary", // NNTP >> "Transfer-Encoding", >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/MIME.cc >> ---------------------------------------------------------------------- >> diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc >> index b779589..0313314 100644 >> --- a/proxy/hdrs/MIME.cc >> +++ b/proxy/hdrs/MIME.cc >> @@ -141,6 +141,7 @@ const char *MIME_FIELD_RETRY_AFTER; >> const char *MIME_FIELD_SENDER; >> const char *MIME_FIELD_SERVER; >> const char *MIME_FIELD_SET_COOKIE; >> +const char *MIME_FIELD_STRICT_TRANSPORT_SECURITY; >> const char *MIME_FIELD_SUBJECT; >> const char *MIME_FIELD_SUMMARY; >> const char *MIME_FIELD_TE; >> @@ -249,6 +250,7 @@ int MIME_LEN_RETRY_AFTER; >> int MIME_LEN_SENDER; >> int MIME_LEN_SERVER; >> int MIME_LEN_SET_COOKIE; >> +int MIME_LEN_STRICT_TRANSPORT_SECURITY; >> int MIME_LEN_SUBJECT; >> int MIME_LEN_SUMMARY; >> int MIME_LEN_TE; 
>> @@ -323,6 +325,7 @@ int MIME_WKSIDX_RETRY_AFTER; >> int MIME_WKSIDX_SENDER; >> int MIME_WKSIDX_SERVER; >> int MIME_WKSIDX_SET_COOKIE; >> +int MIME_WKSIDX_STRICT_TRANSPORT_SECURITY; >> int MIME_WKSIDX_SUBJECT; >> int MIME_WKSIDX_SUMMARY; >> int MIME_WKSIDX_TE; >> @@ -665,6 +668,7 @@ mime_init() >> MIME_FIELD_SENDER = hdrtoken_string_to_wks("Sender"); >> MIME_FIELD_SERVER = hdrtoken_string_to_wks("Server"); >> MIME_FIELD_SET_COOKIE = hdrtoken_string_to_wks("Set-Cookie"); >> + MIME_FIELD_STRICT_TRANSPORT_SECURITY = >> hdrtoken_string_to_wks("Strict-Transport-Security"); >> MIME_FIELD_SUBJECT = hdrtoken_string_to_wks("Subject"); >> MIME_FIELD_SUMMARY = hdrtoken_string_to_wks("Summary"); >> MIME_FIELD_TE = hdrtoken_string_to_wks("TE"); >> @@ -740,6 +744,7 @@ mime_init() >> MIME_LEN_SENDER = hdrtoken_wks_to_length(MIME_FIELD_SENDER); >> MIME_LEN_SERVER = hdrtoken_wks_to_length(MIME_FIELD_SERVER); >> MIME_LEN_SET_COOKIE = hdrtoken_wks_to_length(MIME_FIELD_SET_COOKIE); >> + MIME_LEN_STRICT_TRANSPORT_SECURITY = >> hdrtoken_wks_to_length(MIME_FIELD_STRICT_TRANSPORT_SECURITY); >> MIME_LEN_SUBJECT = hdrtoken_wks_to_length(MIME_FIELD_SUBJECT); >> MIME_LEN_SUMMARY = hdrtoken_wks_to_length(MIME_FIELD_SUMMARY); >> MIME_LEN_TE = hdrtoken_wks_to_length(MIME_FIELD_TE); >> @@ -814,6 +819,7 @@ mime_init() >> MIME_WKSIDX_SENDER = hdrtoken_wks_to_index(MIME_FIELD_SENDER); >> MIME_WKSIDX_SERVER = hdrtoken_wks_to_index(MIME_FIELD_SERVER); >> MIME_WKSIDX_SET_COOKIE = hdrtoken_wks_to_index(MIME_FIELD_SET_COOKIE); >> + MIME_WKSIDX_STRICT_TRANSPORT_SECURITY = >> hdrtoken_wks_to_index(MIME_FIELD_STRICT_TRANSPORT_SECURITY); >> MIME_WKSIDX_SUBJECT = hdrtoken_wks_to_index(MIME_FIELD_SUBJECT); >> MIME_WKSIDX_SUMMARY = hdrtoken_wks_to_index(MIME_FIELD_SUMMARY); >> MIME_WKSIDX_TE = hdrtoken_wks_to_index(MIME_FIELD_TE); >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/MIME.h >> ---------------------------------------------------------------------- 
>> diff --git a/proxy/hdrs/MIME.h b/proxy/hdrs/MIME.h >> index 264847c..a75e56a 100644 >> --- a/proxy/hdrs/MIME.h >> +++ b/proxy/hdrs/MIME.h >> @@ -352,6 +352,7 @@ extern const char *MIME_FIELD_RETRY_AFTER; >> extern const char *MIME_FIELD_SENDER; >> extern const char *MIME_FIELD_SERVER; >> extern const char *MIME_FIELD_SET_COOKIE; >> +extern const char *MIME_FIELD_STRICT_TRANSPORT_SECURITY; >> extern const char *MIME_FIELD_SUBJECT; >> extern const char *MIME_FIELD_SUMMARY; >> extern const char *MIME_FIELD_TE; >> @@ -449,6 +450,7 @@ extern int MIME_LEN_RETRY_AFTER; >> extern int MIME_LEN_SENDER; >> extern int MIME_LEN_SERVER; >> extern int MIME_LEN_SET_COOKIE; >> +extern int MIME_LEN_STRICT_TRANSPORT_SECURITY; >> extern int MIME_LEN_SUBJECT; >> extern int MIME_LEN_SUMMARY; >> extern int MIME_LEN_TE; >> @@ -546,6 +548,7 @@ extern int MIME_WKSIDX_RETRY_AFTER; >> extern int MIME_WKSIDX_SENDER; >> extern int MIME_WKSIDX_SERVER; >> extern int MIME_WKSIDX_SET_COOKIE; >> +extern int MIME_WKSIDX_STRICT_TRANSPORT_SECURITY; >> extern int MIME_WKSIDX_SUBJECT; >> extern int MIME_WKSIDX_SUMMARY; >> extern int MIME_WKSIDX_TE; >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpConfig.cc >> ---------------------------------------------------------------------- >> diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc >> index 26fa002..be6f0d8 100644 >> --- a/proxy/http/HttpConfig.cc >> +++ b/proxy/http/HttpConfig.cc 
>> @@ -1164,6 +1164,8 @@ HttpConfig::startup() >> >> HttpEstablishStaticConfigByte(c.oride.insert_request_via_string, >> "proxy.config.http.insert_request_via_str"); >> HttpEstablishStaticConfigByte(c.oride.insert_response_via_string, >> "proxy.config.http.insert_response_via_str"); >> + HttpEstablishStaticConfigLongLong(c.oride.proxy_response_hsts_max_age, >> "proxy.config.ssl.hsts_max_age"); >> + >> HttpEstablishStaticConfigByte(c.oride.proxy_response_hsts_include_subdomains, >> "proxy.config.ssl.hsts_include_subdomains"); >> >> HttpEstablishStaticConfigStringAlloc(c.proxy_request_via_string, >> "proxy.config.http.request_via_str"); >> c.proxy_request_via_string_len = -1; >> @@ -1406,6 +1408,8 @@ HttpConfig::reconfigure() >> params->proxy_request_via_string_len = (params->proxy_request_via_string) >> ? strlen(params->proxy_request_via_string) : 0; >> params->proxy_response_via_string = >> ats_strdup(m_master.proxy_response_via_string); >> params->proxy_response_via_string_len = >> (params->proxy_response_via_string) ? >> strlen(params->proxy_response_via_string) : 0; >> + params->oride.proxy_response_hsts_max_age = >> m_master.oride.proxy_response_hsts_max_age; >> + params->oride.proxy_response_hsts_include_subdomains = >> m_master.oride.proxy_response_hsts_include_subdomains; >> >> params->url_expansions_string = >> ats_strdup(m_master.url_expansions_string); >> params->url_expansions = >> parse_url_expansions(params->url_expansions_string, >> ¶ms->num_url_expansions); >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpConfig.h >> ---------------------------------------------------------------------- >> diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h >> index b3b9e40..e4790a9 100644 >> --- a/proxy/http/HttpConfig.h >> +++ b/proxy/http/HttpConfig.h 
>> @@ -406,7 +406,8 @@ struct OverridableHttpConfigParams { >> share_server_sessions(2), fwd_proxy_auth_to_parent(0), >> insert_age_in_response(1), >> anonymize_remove_from(0), anonymize_remove_referer(0), >> anonymize_remove_user_agent(0), >> anonymize_remove_cookie(0), anonymize_remove_client_ip(0), >> anonymize_insert_client_ip(1), >> - proxy_response_server_enabled(1), insert_squid_x_forwarded_for(1), >> send_http11_requests(1), >> + proxy_response_server_enabled(1), proxy_response_hsts_max_age(-1), >> proxy_response_hsts_include_subdomains(0), >> + insert_squid_x_forwarded_for(1), send_http11_requests(1), >> cache_http(1), cache_cluster_cache_local(0), >> cache_ignore_client_no_cache(1), cache_ignore_client_cc_max_age(0), >> cache_ims_on_client_no_cache(1), cache_ignore_server_no_cache(0), >> cache_responses_to_cookies(1), >> cache_ignore_auth(0), cache_urls_that_look_dynamic(1), >> cache_required_headers(2), cache_range_lookup(1), >> @@ -471,6 +472,8 @@ struct OverridableHttpConfigParams { >> MgmtByte anonymize_insert_client_ip; >> >> MgmtByte proxy_response_server_enabled; >> + MgmtInt proxy_response_hsts_max_age; >> + MgmtByte proxy_response_hsts_include_subdomains; >> >> ///////////////////// >> // X-Forwarded-For // >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransact.cc >> ---------------------------------------------------------------------- >> diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc >> index 14207f0..ff043b2 100644 >> --- a/proxy/http/HttpTransact.cc >> +++ b/proxy/http/HttpTransact.cc 
>> @@ -7745,6 +7745,12 @@ HttpTransact::build_response(State* s, HTTPHdr* >> base_response, HTTPHdr* outgoing >> if (s->next_hop_scheme < 0) >> s->next_hop_scheme = URL_WKSIDX_HTTP; >> >> + // Add HSTS header (Strict-Transport-Security) if max-age is set and the >> request was https >> + if (s->orig_scheme == URL_WKSIDX_HTTPS && >> s->txn_conf->proxy_response_hsts_max_age >= 0) { >> + Debug("http_hdrs", "hsts max-age=%" PRId64, >> s->txn_conf->proxy_response_hsts_max_age); >> + HttpTransactHeaders::insert_hsts_header_in_response(s, >> outgoing_response); >> + } >> + >> if (s->txn_conf->insert_response_via_string) >> HttpTransactHeaders::insert_via_header_in_response(s, >> outgoing_response); >> >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransactHeaders.cc >> ---------------------------------------------------------------------- >> diff --git a/proxy/http/HttpTransactHeaders.cc >> b/proxy/http/HttpTransactHeaders.cc >> index 7c9a3e6..b5ab0fe 100644 >> --- a/proxy/http/HttpTransactHeaders.cc >> +++ b/proxy/http/HttpTransactHeaders.cc 
>> @@ -879,6 +879,25 @@ >> HttpTransactHeaders::insert_via_header_in_request(HttpTransact::State *s, >> HTTPHd >> header->value_append(MIME_FIELD_VIA, MIME_LEN_VIA, new_via_string, >> via_string - new_via_string, true); >> } >> >> +void >> +HttpTransactHeaders::insert_hsts_header_in_response(HttpTransact::State *s, >> HTTPHdr *header) >> +{ >> + char new_hsts_string[64]; >> + char *hsts_string = new_hsts_string; >> + const char include_subdomains[] = "; includeSubDomains"; >> + >> + // add max-age >> + int length = snprintf(new_hsts_string, sizeof(new_hsts_string), >> "max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age); >> + >> + // add include subdomain if set >> + if (s->txn_conf->proxy_response_hsts_include_subdomains) { >> + hsts_string += length; >> + memcpy(hsts_string, include_subdomains, sizeof(include_subdomains)); >> + length += sizeof(include_subdomains); >> + } >> + >> + header->value_set(MIME_FIELD_STRICT_TRANSPORT_SECURITY, >> MIME_LEN_STRICT_TRANSPORT_SECURITY, new_hsts_string, length); >> +} >> >> void >> HttpTransactHeaders::insert_via_header_in_response(HttpTransact::State *s, >> HTTPHdr *header) >> >> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransactHeaders.h >> ---------------------------------------------------------------------- >> diff --git a/proxy/http/HttpTransactHeaders.h >> b/proxy/http/HttpTransactHeaders.h >> index 8dbbdab..0fa3a03 100644 >> --- a/proxy/http/HttpTransactHeaders.h >> +++ b/proxy/http/HttpTransactHeaders.h 
>> @@ -72,6 +72,7 @@ public: >> static void insert_server_header_in_response(const char *server_tag, int >> server_tag_size, HTTPHdr * header); >> static void insert_via_header_in_request(HttpTransact::State *s, HTTPHdr >> *header); >> static void insert_via_header_in_response(HttpTransact::State *s, HTTPHdr >> *header); >> + static void insert_hsts_header_in_response(HttpTransact::State *s, HTTPHdr >> *header); >> >> static bool is_request_proxy_authorized(HTTPHdr * incoming_hdr); >> >> >>
> 
> -- 
> Igor Galić
> 
> Tel: +43 (0) 664 886 22 883
> Mail: i.ga...@brainsware.org
> URL: http://brainsware.org/
> GPG: 8716 7A9F 989B ABD5 100F 4008 F266 55D6 2998 1641
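Review bot: in the records.config.en.rst hunk, the `hsts_include_subdomains` description names the directive `includeSubdomain`, but `insert_hsts_header_in_response` appends the literal `"; includeSubDomains"`; the docs should use the spelling the code actually emits (`includeSubDomains`, which is also the RFC 6797 directive name), and "only used for HTTPS request" should read "HTTPS requests".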
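Review bot: in the RecordsConfig.cc hunk, the range string `"[-1-2147483648]"` for `proxy.config.ssl.hsts_max_age` is hard to read with a negative lower bound, and its upper bound is 2^31, one past the largest 32-bit signed value; if the intent is "any non-negative max-age, or -1 to disable", say so in a comment and choose the bound deliberately so it does not look like an off-by-one. The empty `+` line after the second entry's `+ ,` is stray whitespace and should go.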
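Review bot: in the `TSHttpTxnConfigFind` hunk, `case 29:` is the byte length of `"proxy.config.ssl.hsts_max_age"`, which answers the question above: this function dispatches on `length` first and only then does `strncmp`, so the magic number is the idiom of the surrounding switch rather than something new. A trailing comment such as `case 29: // strlen("proxy.config.ssl.hsts_max_age")` would make the new arm self-documenting, and the same applies to the `hsts_include_subdomains` arm added next to `cache.required_headers`.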
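Review bot: in the `_hdrtoken_strs_field_initializers` hunk, is `HTIF_MULTVALS` intended for `Strict-Transport-Security`? Its directives are `;`-separated inside a single field value, and RFC 6797 has a user agent act only on the first STS field it receives, so unlike `Set-Cookie` there is no multi-instance semantics to preserve; `HTIF_NONE`, as used for the neighbouring `Server` entry, looks like the closer match unless the flag is needed to keep a duplicate from being comma-merged.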
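Review bot: in `insert_hsts_header_in_response`, `length += sizeof(include_subdomains)` counts the NUL terminator of the `"; includeSubDomains"` array, so the length passed to `value_set` is one byte too long and the field value carries a trailing `\0` whenever `hsts_include_subdomains` is on; use `sizeof(include_subdomains) - 1` for the length (the `memcpy` of the full array is fine, it just keeps the buffer NUL-terminated). The 64-byte buffer is large enough for `max-age=` plus a 19-digit non-negative int64 plus the 19-byte suffix, but `snprintf` returns the would-be length on truncation, so checking `length` against `sizeof(new_hsts_string)` before using it as an offset keeps the function safe if the buffer is ever shrunk. Also, `value_set` replaces any `Strict-Transport-Security` the origin already sent, so the proxy's configured policy overrides the origin's; if that is intended, the records.config docs should say so, otherwise test for the field first.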