This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 7.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit bdcfc7afe032f3160a0a51255b6d284c3e48ac3f
Author: Bryan Call <bc...@apache.org>
AuthorDate: Fri Jan 19 10:40:03 2018 -0800

    Do not send HSTS header when remap has failed

    (cherry picked from commit 129f59db0267db428631e3992f8e00c9fad30f78)

    Conflicts:
        proxy/http/HttpTransact.cc
---
 proxy/http/HttpTransact.cc             |  4 +-
 tests/gold_tests/headers/hsts.200.gold |  7 +++
 tests/gold_tests/headers/hsts.404.gold | 24 ++++++++++
 tests/gold_tests/headers/hsts.test.py  | 85 ++++++++++++++++++++++++++++++++++
 4 files changed, 119 insertions(+), 1 deletion(-)
diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index f877a88..68e7501 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -8095,7 +8095,9 @@ HttpTransact::build_response(State *s, HTTPHdr *base_response, HTTPHdr *outgoing
   }
   // Add HSTS header (Strict-Transport-Security) if max-age is set and the request was https
-  if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0) {
+  // and the incoming request was remapped correctly
+  if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0 &&
+      s->url_remap_success == true) {
     DebugTxn("http_hdrs", "hsts max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age);
     HttpTransactHeaders::insert_hsts_header_in_response(s, outgoing_response);
   }
diff --git a/tests/gold_tests/headers/hsts.200.gold b/tests/gold_tests/headers/hsts.200.gold
new file mode 100644
index 0000000..306f1bb
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.200.gold
@@ -0,0 +1,7 @@
+HTTP/1.1 200 OK
+Date:``
+Age: 0
+Transfer-Encoding: chunked
+Connection: keep-alive
+Strict-Transport-Security: max-age=300
+Server:``
diff --git a/tests/gold_tests/headers/hsts.404.gold b/tests/gold_tests/headers/hsts.404.gold
new file mode 100644
index 0000000..5323c84
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.404.gold
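Review bot: The new `s->url_remap_success == true` condition in build_response stops the HSTS header on any request that did not remap, but the added comment only restates the condition and the explicit compare against `true` is non-idiomatic; I would write the line as `s->url_remap_success) {` and extend the comment to `// and the incoming request was remapped correctly: for a host with no remap rule ATS serves only its own error page and is not the authority that should assert an HSTS policy for that host`. Whether url_remap_success is also false for requests that are passed through because remapping is not required (proxy.config.url_remap.remap_required set to 0) is not visible in this hunk; if it is, HSTS would silently stop for those transactions, so that configuration deserves a run alongside hsts.test.py. build_response starts and ends outside the hunk.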
@@ -0,0 +1,24 @@
+HTTP/1.1 404 Not Found on Accelerator
+Date:``
+Connection: keep-alive
+Server:``
+Cache-Control: no-store
+Content-Type: text/html``
+Content-Language: en
+Content-Length:``
+
+<HTML>
+<HEAD>
+<TITLE>Not Found on Accelerator</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="white" FGCOLOR="black">
+<H1>Not Found on Accelerator</H1>
+<HR>
+
+<FONT FACE="Helvetica,Arial"><B>
+Description: Your request on the specified host was not found.
+Check the location and try again.
+</B></FONT>
+<HR>
+</BODY>
diff --git a/tests/gold_tests/headers/hsts.test.py b/tests/gold_tests/headers/hsts.test.py
new file mode 100644
index 0000000..7ae60e2
--- /dev/null
+++ b/tests/gold_tests/headers/hsts.test.py
@@ -0,0 +1,85 @@
+'''
+Test the hsts reponse header.
+'''
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+Test.Summary = '''
+heck hsts header is set correctly
+'''
+
+# Needs Curl
+Test.SkipUnless(
+    Condition.HasProgram("curl", "Curl need to be installed on system for this test to work")
+)
+Test.ContinueOnFail = True
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=False)
+server = Test.MakeOriginServer("server")
+
+#**testname is required**
+testName = ""
+request_header = {"headers": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+# ATS Configuration
+ts.addSSLfile("../remap/ssl/server.pem")
+ts.addSSLfile("../remap/ssl/server.key")
+
+ts.Variables.ssl_port = 4443
+ts.Disk.records_config.update({
+    'proxy.config.diags.debug.enabled': 1,
+    'proxy.config.diags.debug.tags': 'ssl',
+    'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.http.server_ports': '{0} {1}:ssl'.format(ts.Variables.port, ts.Variables.ssl_port),
+    'proxy.config.ssl.hsts_max_age': 300,
+})
+
+ts.Disk.remap_config.AddLine(
+    'map https://www.example.com http://127.0.0.1:{0}'.format(server.Variables.Port)
+)
+
+ts.Disk.ssl_multicert_config.AddLine(
+    'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+# Test 1 - 200 Response
+tr = Test.AddTestRun()
+tr.Processes.Default.StartBefore(server)
+tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.ssl_port))
+tr.Processes.Default.Command = (
+    'curl -s -D - --verbose --ipv4 --http1.1 --insecure --header "Host: {0}" https://localhost:{1}'
+    .format('www.example.com', ts.Variables.ssl_port)
+)
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = "hsts.200.gold"
+tr.StillRunningAfter = ts
+
+# Test 2 - 404 Not Found on Accelerator
+tr = Test.AddTestRun()
+tr.Processes.Default.Command = (
+    'curl -s -D - --verbose --ipv4 --http1.1 --insecure --header "Host: {0}" https://localhost:{1}'
+    .format('bad_host', ts.Variables.ssl_port)
+)
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stdout = "hsts.404.gold"
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
--
To stop receiving notification emails like this one, please contact zw...@apache.org.
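Review bot: Test 1 registers the ATS process twice — `tr.Processes.Default.StartBefore(Test.Processes.ts)` is immediately followed by the same call with `ready=When.PortOpen(ts.Variables.ssl_port)`; the first has no readiness condition and should be dropped so the curl run cannot race the SSL port coming up. `import os` and `testName = ""` are never used and can go. The module docstring and Test.Summary read `reponse` and `heck hsts header is set correctly`; they should read `response` and `Check hsts header is set correctly`. The second run is the one that actually exercises the fix (no Strict-Transport-Security line in hsts.404.gold), so a one-line comment there such as `# Unremapped host: ATS must answer with its own 404 and no HSTS header` would make the intent clear to the next reader.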