mirror of
https://github.com/yacy/yacy_search_server.git
synced 2024-09-19 00:01:41 +02:00
Improved absolute URLs rendering in OpenSearch desc and RSS feeds.
When the peer is behind a reverse proxy providing SSL/TLS encryption, the rendered absolute URLs should start with https when the user browser requested https : added limited support to the X-Forwarded-Proto HTTP header notably provided on Heroku platform. Also added some unit tests.
This commit is contained in:
parent
75802dcf00
commit
731684105a
|
@ -98,6 +98,7 @@ import org.eclipse.jetty.util.MultiPartOutputStream;
|
||||||
import org.eclipse.jetty.util.URIUtil;
|
import org.eclipse.jetty.util.URIUtil;
|
||||||
import org.eclipse.jetty.util.resource.Resource;
|
import org.eclipse.jetty.util.resource.Resource;
|
||||||
|
|
||||||
|
import com.google.common.net.HttpHeaders;
|
||||||
import com.google.common.util.concurrent.SimpleTimeLimiter;
|
import com.google.common.util.concurrent.SimpleTimeLimiter;
|
||||||
import com.google.common.util.concurrent.TimeLimiter;
|
import com.google.common.util.concurrent.TimeLimiter;
|
||||||
import com.google.common.util.concurrent.UncheckedTimeoutException;
|
import com.google.common.util.concurrent.UncheckedTimeoutException;
|
||||||
|
@ -695,41 +696,69 @@ public class YaCyDefaultServlet extends HttpServlet {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the URL base for this peer, determined from request header when present. Use this when absolute URL rendering is required,
|
* Returns the URL base for this peer, determined from request HTTP header "Host" when present. Use this when absolute URL rendering is required,
|
||||||
* otherwise relative URLs should be preferred.
|
* otherwise relative URLs should be preferred.<br/>
|
||||||
|
* Note : this implementation lets the responsibility to any eventual Reverse Proxy to eventually rewrite the rendered absolute URL. Example Apache directive :
|
||||||
|
* <code>Substitute "s|http://internal.yacypeer.com:8090/|http://www.example.com/yacy/|in"</code>.
|
||||||
|
* From a security point of view this is preferable than eventually relying blindly here on a X-Forwarded-Host HTTP header that can be forged by an attacker.
|
||||||
* @param header request header.
|
* @param header request header.
|
||||||
* @param sb Switchboard instance.
|
* @param sb Switchboard instance.
|
||||||
* @return the application context (URL request base) from request header or default configuration. This is
|
* @return the application context (URL request base) from request header or default configuration. This is
|
||||||
* either http://hostname:port or https://hostname:sslport
|
* either http://hostname:port or https://hostname:sslport
|
||||||
*/
|
*/
|
||||||
public static String getContext(final RequestHeader header, final Switchboard sb) {
|
public static String getContext(final RequestHeader header, final Switchboard sb) {
|
||||||
|
String protocol = "http";
|
||||||
String hostAndPort = null;
|
String hostAndPort = null;
|
||||||
if(header != null) {
|
if(header != null) {
|
||||||
hostAndPort = header.get(HeaderFramework.HOST);
|
if(hostAndPort == null){
|
||||||
|
hostAndPort = header.get(HeaderFramework.HOST);
|
||||||
|
|
||||||
|
/* We can try here to figure out if we are using http or https, relying on the port used.
|
||||||
|
* This only works port is not standard (80 or 443) : if so HeaderFramework.X_YACY_REQUEST_SCHEME will be more reliable */
|
||||||
|
final String sslport;
|
||||||
|
if(sb != null) {
|
||||||
|
sslport = ":" + sb.getConfigInt("port.ssl", 8443);
|
||||||
|
} else {
|
||||||
|
sslport = ":8443";
|
||||||
|
}
|
||||||
|
if (hostAndPort != null && hostAndPort.endsWith(sslport)) { // connection on ssl port, use https protocol
|
||||||
|
protocol = "https";
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
String protocol = "http";
|
/* Host and port still null : let's use the default local ones */
|
||||||
if (hostAndPort == null) {
|
if (hostAndPort == null) {
|
||||||
if(sb != null) {
|
if(sb != null) {
|
||||||
hostAndPort = Domains.LOCALHOST + ":" + sb.getConfigInt("port", 8090);
|
hostAndPort = Domains.LOCALHOST + ":" + sb.getConfigInt("port", 8090);
|
||||||
} else {
|
} else {
|
||||||
hostAndPort = Domains.LOCALHOST + ":8090";
|
hostAndPort = Domains.LOCALHOST + ":8090";
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
final String sslport;
|
|
||||||
if(sb != null) {
|
|
||||||
sslport = ":" + sb.getConfigInt("port.ssl", 8443);
|
|
||||||
} else {
|
|
||||||
sslport = ":8443";
|
|
||||||
}
|
|
||||||
if (hostAndPort.endsWith(sslport)) { // connection on ssl port, use https protocol
|
|
||||||
protocol = "https";
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
/* YaCyDefaultServelt should have filled this custom header, making sure we know here whether original request is http or https
|
|
||||||
* (when default ports (80 and 443) are used, there is no way to distinguish the two schemes relying only on the Host header) */
|
|
||||||
protocol = header.get(HeaderFramework.X_YACY_REQUEST_SCHEME, protocol);
|
|
||||||
|
|
||||||
/* Note : this implementation lets the responsibility to any eventual Reverse Proxy to eventually rewrite the rendered absolute URL */
|
if(header != null) {
|
||||||
|
/* YaCyDefaultServelt should have filled this custom header, making sure we know here whether original request is http or https
|
||||||
|
* (when default ports (80 and 443) are used, there is no way to distinguish the two schemes relying only on the Host header) */
|
||||||
|
String protocolHeader = header.get(HeaderFramework.X_YACY_REQUEST_SCHEME, "").toLowerCase();
|
||||||
|
|
||||||
|
/* Let's check this custom header has a valid value */
|
||||||
|
if("http".equals(protocolHeader) || "https".equals(protocolHeader)) {
|
||||||
|
protocol = protocolHeader.toLowerCase();
|
||||||
|
} else if(!protocolHeader.isEmpty()) {
|
||||||
|
ConcurrentLog.warn("FILEHANDLER","YaCyDefaultServlet: illegal " + HeaderFramework.X_YACY_REQUEST_SCHEME + " header value : " + protocolHeader);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* This peer can also be behind a reverse proxy requested using https, even if the request coming to this YaCy peer is http only
|
||||||
|
* Possible scenario (happens for example when YaCy is deployed on Heroku Platform) : User browser -> https://reverseProxy/yacyURL -> http://yacypeer/yacyURL
|
||||||
|
* In that case, absolute URLs rendered by this peer (in rss feeds for example) must effectively start with the https scheme */
|
||||||
|
protocolHeader = header.get(HttpHeaders.X_FORWARDED_PROTO.toString(), "").toLowerCase();
|
||||||
|
|
||||||
|
/* Here we only allow an upgrade from HTTP to HTTPS, not the reverse (we don't want a forged HTTP header by an eventual attacker to force fallback to HTTP) */
|
||||||
|
if("https".equals(protocolHeader)) {
|
||||||
|
protocol = protocolHeader;
|
||||||
|
} else if(!protocolHeader.isEmpty()) {
|
||||||
|
ConcurrentLog.warn("FILEHANDLER","YaCyDefaultServlet: illegal " + HttpHeaders.X_FORWARDED_PROTO.toString() + " header value : " + protocolHeader);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return protocol + "://" + hostAndPort;
|
return protocol + "://" + hostAndPort;
|
||||||
}
|
}
|
||||||
|
|
120
test/java/net/yacy/http/servlets/YaCyDefaultServletTest.java
Normal file
120
test/java/net/yacy/http/servlets/YaCyDefaultServletTest.java
Normal file
|
@ -0,0 +1,120 @@
|
||||||
|
// YaCyDefaultServletTest.java
|
||||||
|
// Copyright 2016 by luccioman; https://github.com/luccioman
|
||||||
|
//
|
||||||
|
// This is a part of YaCy, a peer-to-peer based web search engine
|
||||||
|
//
|
||||||
|
// LICENSE
|
||||||
|
//
|
||||||
|
// This program is free software; you can redistribute it and/or modify
|
||||||
|
// it under the terms of the GNU General Public License as published by
|
||||||
|
// the Free Software Foundation; either version 2 of the License, or
|
||||||
|
// (at your option) any later version.
|
||||||
|
//
|
||||||
|
// This program is distributed in the hope that it will be useful,
|
||||||
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
// GNU General Public License for more details.
|
||||||
|
//
|
||||||
|
// You should have received a copy of the GNU General Public License
|
||||||
|
// along with this program; if not, write to the Free Software
|
||||||
|
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||||
|
|
||||||
|
package net.yacy.http.servlets;
|
||||||
|
|
||||||
|
import static org.junit.Assert.*;
|
||||||
|
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
import com.google.common.net.HttpHeaders;
|
||||||
|
|
||||||
|
import net.yacy.cora.protocol.HeaderFramework;
|
||||||
|
import net.yacy.cora.protocol.RequestHeader;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Unit tests for {@link YaCyDefaultServlet} class.
|
||||||
|
* @author luccioman
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public class YaCyDefaultServletTest {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* getContext() should be able fallback to default value with null or empty parameters.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testGetContextEmptyParams() {
|
||||||
|
assertEquals("http://localhost:8090", YaCyDefaultServlet.getContext(null, null));
|
||||||
|
|
||||||
|
RequestHeader header = new RequestHeader();
|
||||||
|
assertEquals("http://localhost:8090", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* getContext() : standard "Host" HTTP header is filled with host and port
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testGetContextHostHeader() {
|
||||||
|
RequestHeader header = new RequestHeader();
|
||||||
|
header.put(HeaderFramework.HOST, "localhost:8090");
|
||||||
|
assertEquals("http://localhost:8090", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
|
||||||
|
header = new RequestHeader();
|
||||||
|
header.put(HeaderFramework.HOST, "myhost.com:8090");
|
||||||
|
assertEquals("http://myhost.com:8090", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* getContext() : standard "Host" header is filled with hostname and port,
|
||||||
|
* custom "X-YaCy-Request-Scheme" header indicates the protocol
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testGetContextCustomProtocolHeader() {
|
||||||
|
RequestHeader header = new RequestHeader();
|
||||||
|
header.put(HeaderFramework.HOST, "myhost.com:8443");
|
||||||
|
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "https");
|
||||||
|
assertEquals("https://myhost.com:8443", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
|
||||||
|
header = new RequestHeader();
|
||||||
|
header.put(HeaderFramework.HOST, "myhost.com:8090");
|
||||||
|
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "http");
|
||||||
|
assertEquals("http://myhost.com:8090", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* getContext() : standard "Host" header is filled only with hostname (default standard port),
|
||||||
|
* custom "X-YaCy-Request-Scheme" indicates the protocol
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testGetContextDefaultPortCustomProtocolHeader() {
|
||||||
|
RequestHeader header = new RequestHeader();
|
||||||
|
header.put(HeaderFramework.HOST, "myhost.com");
|
||||||
|
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "http");
|
||||||
|
assertEquals("http://myhost.com", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
|
||||||
|
header = new RequestHeader();
|
||||||
|
header.put(HeaderFramework.HOST, "myhost.com");
|
||||||
|
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "https");
|
||||||
|
assertEquals("https://myhost.com", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* getContext() : reverse proxy serving HTTPS, YaCy serving HTTP
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testGetContextReverseProxy() {
|
||||||
|
/* Different protocols : HTTPS on proxy, HTTP on peer */
|
||||||
|
RequestHeader header = new RequestHeader();
|
||||||
|
header.put(HeaderFramework.HOST, "myhost.com");
|
||||||
|
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "http");
|
||||||
|
header.put(HttpHeaders.X_FORWARDED_PROTO.toString(), "https");
|
||||||
|
assertEquals("https://myhost.com", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
|
||||||
|
/* Illegal X-Forwarded-Proto header value */
|
||||||
|
header = new RequestHeader();
|
||||||
|
header.put(HeaderFramework.HOST, "myhost.com:8090");
|
||||||
|
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "http");
|
||||||
|
header.put(HttpHeaders.X_FORWARDED_PROTO.toString(), "http://attacker.com?query=");
|
||||||
|
assertEquals("http://myhost.com:8090", YaCyDefaultServlet.getContext(header, null));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user