Marown/yacy_search_server
1
0
Fork 0
mirror of https://github.com/yacy/yacy_search_server.git synced 2024-09-19 00:01:41 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Improved absolute URLs rendering in OpenSearch desc and RSS feeds.

Browse Source 
When the peer is behind a reverse proxy providing SSL/TLS encryption,
the rendered absolute URLs should start with https when the user browser
requested https : added limited support to the X-Forwarded-Proto HTTP
header notably provided on Heroku platform.
Also added some unit tests.
This commit is contained in:
luccioman 2016-11-08 02:39:45 +01:00
parent 75802dcf00
commit 731684105a
2 changed files with 167 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
source/net/yacy/http/servlets/YaCyDefaultServlet.java
View File

@ -98,6 +98,7 @@ import org.eclipse.jetty.util.MultiPartOutputStream;
import org.eclipse.jetty.util.URIUtil; import org.eclipse.jetty.util.URIUtil;
import org.eclipse.jetty.util.resource.Resource; import org.eclipse.jetty.util.resource.Resource;
import com.google.common.net.HttpHeaders;
import com.google.common.util.concurrent.SimpleTimeLimiter; import com.google.common.util.concurrent.SimpleTimeLimiter;
import com.google.common.util.concurrent.TimeLimiter; import com.google.common.util.concurrent.TimeLimiter;
import com.google.common.util.concurrent.UncheckedTimeoutException; import com.google.common.util.concurrent.UncheckedTimeoutException;
@ -695,41 +696,69 @@ public class YaCyDefaultServlet extends HttpServlet {
} }
/** /**
* Returns the URL base for this peer, determined from request header when present. Use this when absolute URL rendering is required, * Returns the URL base for this peer, determined from request HTTP header "Host" when present. Use this when absolute URL rendering is required,
* otherwise relative URLs should be preferred. * otherwise relative URLs should be preferred.<br/>
* Note : this implementation lets the responsibility to any eventual Reverse Proxy to eventually rewrite the rendered absolute URL. Example Apache directive :
* <code>Substitute "s|http://internal.yacypeer.com:8090/|http://www.example.com/yacy/|in"</code>.
* From a security point of view this is preferable than eventually relying blindly here on a X-Forwarded-Host HTTP header that can be forged by an attacker.
* @param header request header. * @param header request header.
* @param sb Switchboard instance. * @param sb Switchboard instance.
* @return the application context (URL request base) from request header or default configuration. This is * @return the application context (URL request base) from request header or default configuration. This is
* either http://hostname:port or https://hostname:sslport * either http://hostname:port or https://hostname:sslport
*/ */
public static String getContext(final RequestHeader header, final Switchboard sb) { public static String getContext(final RequestHeader header, final Switchboard sb) {
String protocol = "http";
String hostAndPort = null; String hostAndPort = null;
if(header != null) { if(header != null) {
hostAndPort = header.get(HeaderFramework.HOST); if(hostAndPort == null){
hostAndPort = header.get(HeaderFramework.HOST);
/* We can try here to figure out if we are using http or https, relying on the port used.
* This only works port is not standard (80 or 443) : if so HeaderFramework.X_YACY_REQUEST_SCHEME will be more reliable */
final String sslport;
if(sb != null) {
sslport = ":" + sb.getConfigInt("port.ssl", 8443);
} else {
sslport = ":8443";
}
if (hostAndPort != null && hostAndPort.endsWith(sslport)) { // connection on ssl port, use https protocol
protocol = "https";
}
}
} }
String protocol = "http"; /* Host and port still null : let's use the default local ones */
if (hostAndPort == null) { if (hostAndPort == null) {
if(sb != null) { if(sb != null) {
hostAndPort = Domains.LOCALHOST + ":" + sb.getConfigInt("port", 8090); hostAndPort = Domains.LOCALHOST + ":" + sb.getConfigInt("port", 8090);
} else { } else {
hostAndPort = Domains.LOCALHOST + ":8090"; hostAndPort = Domains.LOCALHOST + ":8090";
} }
} else {
final String sslport;
if(sb != null) {
sslport = ":" + sb.getConfigInt("port.ssl", 8443);
} else {
sslport = ":8443";
}
if (hostAndPort.endsWith(sslport)) { // connection on ssl port, use https protocol
protocol = "https";
}
} }
/* YaCyDefaultServelt should have filled this custom header, making sure we know here whether original request is http or https
* (when default ports (80 and 443) are used, there is no way to distinguish the two schemes relying only on the Host header) */
protocol = header.get(HeaderFramework.X_YACY_REQUEST_SCHEME, protocol);
/* Note : this implementation lets the responsibility to any eventual Reverse Proxy to eventually rewrite the rendered absolute URL */ if(header != null) {
/* YaCyDefaultServelt should have filled this custom header, making sure we know here whether original request is http or https
* (when default ports (80 and 443) are used, there is no way to distinguish the two schemes relying only on the Host header) */
String protocolHeader = header.get(HeaderFramework.X_YACY_REQUEST_SCHEME, "").toLowerCase();
/* Let's check this custom header has a valid value */
if("http".equals(protocolHeader) || "https".equals(protocolHeader)) {
protocol = protocolHeader.toLowerCase();
} else if(!protocolHeader.isEmpty()) {
ConcurrentLog.warn("FILEHANDLER","YaCyDefaultServlet: illegal " + HeaderFramework.X_YACY_REQUEST_SCHEME + " header value : " + protocolHeader);
}
/* This peer can also be behind a reverse proxy requested using https, even if the request coming to this YaCy peer is http only
* Possible scenario (happens for example when YaCy is deployed on Heroku Platform) : User browser -> https://reverseProxy/yacyURL -> http://yacypeer/yacyURL
* In that case, absolute URLs rendered by this peer (in rss feeds for example) must effectively start with the https scheme */
protocolHeader = header.get(HttpHeaders.X_FORWARDED_PROTO.toString(), "").toLowerCase();
/* Here we only allow an upgrade from HTTP to HTTPS, not the reverse (we don't want a forged HTTP header by an eventual attacker to force fallback to HTTP) */
if("https".equals(protocolHeader)) {
protocol = protocolHeader;
} else if(!protocolHeader.isEmpty()) {
ConcurrentLog.warn("FILEHANDLER","YaCyDefaultServlet: illegal " + HttpHeaders.X_FORWARDED_PROTO.toString() + " header value : " + protocolHeader);
}
}
return protocol + "://" + hostAndPort; return protocol + "://" + hostAndPort;
} }

120
test/java/net/yacy/http/servlets/YaCyDefaultServletTest.java Normal file
View File

@ -0,0 +1,120 @@
// YaCyDefaultServletTest.java
// Copyright 2016 by luccioman; https://github.com/luccioman
//
// This is a part of YaCy, a peer-to-peer based web search engine
//
// LICENSE
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
package net.yacy.http.servlets;
import static org.junit.Assert.*;
import org.junit.Test;
import com.google.common.net.HttpHeaders;
import net.yacy.cora.protocol.HeaderFramework;
import net.yacy.cora.protocol.RequestHeader;
/**
* Unit tests for {@link YaCyDefaultServlet} class.
* @author luccioman
*
*/
public class YaCyDefaultServletTest {
/**
* getContext() should be able fallback to default value with null or empty parameters.
*/
@Test
public void testGetContextEmptyParams() {
assertEquals("http://localhost:8090", YaCyDefaultServlet.getContext(null, null));
RequestHeader header = new RequestHeader();
assertEquals("http://localhost:8090", YaCyDefaultServlet.getContext(header, null));
}
/**
* getContext() : standard "Host" HTTP header is filled with host and port
*/
@Test
public void testGetContextHostHeader() {
RequestHeader header = new RequestHeader();
header.put(HeaderFramework.HOST, "localhost:8090");
assertEquals("http://localhost:8090", YaCyDefaultServlet.getContext(header, null));
header = new RequestHeader();
header.put(HeaderFramework.HOST, "myhost.com:8090");
assertEquals("http://myhost.com:8090", YaCyDefaultServlet.getContext(header, null));
}
/**
* getContext() : standard "Host" header is filled with hostname and port,
* custom "X-YaCy-Request-Scheme" header indicates the protocol
*/
@Test
public void testGetContextCustomProtocolHeader() {
RequestHeader header = new RequestHeader();
header.put(HeaderFramework.HOST, "myhost.com:8443");
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "https");
assertEquals("https://myhost.com:8443", YaCyDefaultServlet.getContext(header, null));
header = new RequestHeader();
header.put(HeaderFramework.HOST, "myhost.com:8090");
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "http");
assertEquals("http://myhost.com:8090", YaCyDefaultServlet.getContext(header, null));
}
/**
* getContext() : standard "Host" header is filled only with hostname (default standard port),
* custom "X-YaCy-Request-Scheme" indicates the protocol
*/
@Test
public void testGetContextDefaultPortCustomProtocolHeader() {
RequestHeader header = new RequestHeader();
header.put(HeaderFramework.HOST, "myhost.com");
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "http");
assertEquals("http://myhost.com", YaCyDefaultServlet.getContext(header, null));
header = new RequestHeader();
header.put(HeaderFramework.HOST, "myhost.com");
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "https");
assertEquals("https://myhost.com", YaCyDefaultServlet.getContext(header, null));
}
/**
* getContext() : reverse proxy serving HTTPS, YaCy serving HTTP
*/
@Test
public void testGetContextReverseProxy() {
/* Different protocols : HTTPS on proxy, HTTP on peer */
RequestHeader header = new RequestHeader();
header.put(HeaderFramework.HOST, "myhost.com");
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "http");
header.put(HttpHeaders.X_FORWARDED_PROTO.toString(), "https");
assertEquals("https://myhost.com", YaCyDefaultServlet.getContext(header, null));
/* Illegal X-Forwarded-Proto header value */
header = new RequestHeader();
header.put(HeaderFramework.HOST, "myhost.com:8090");
header.put(HeaderFramework.X_YACY_REQUEST_SCHEME, "http");
header.put(HttpHeaders.X_FORWARDED_PROTO.toString(), "http://attacker.com?query=");
assertEquals("http://myhost.com:8090", YaCyDefaultServlet.getContext(header, null));
}
}