Skip to content

TS-3485: Support ip_allow config for HTTP2 #614

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
shinrich wants to merge 2 commits into from
Closed

TS-3485: Support ip_allow config for HTTP2 #614

shinrich wants to merge 2 commits into from

Conversation

@shinrich
Copy link
Member

@shinrich shinrich commented May 4, 2016

Actually enforce the ip-level ACL checks for HTTP2 and move to the accept logic to make the decision before creating the session object.

jpeach
jpeach reviewed May 4, 2016
View reviewed changes
proxy/http2/Http2SessionAccept.cc Outdated
ats_ip_nptop(client_ip, ipb, sizeof(ipb)), netvc->attributes);
}

// XXX Allocate a Http2ClientSession
Copy link
Contributor

@jpeach jpeach May 4, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this "XXX" is done now?

@bryancall
Copy link
Contributor

bryancall commented May 4, 2016
edited
Loading

Where is the check on the method? Each individual stream would need to be verified. You can do a higher level check on the session if you check that all methods are being denied.

@shinrich
Copy link
Member Author

shinrich commented May 4, 2016

The method checks are done in HttpTransact. The acl_record is stored on the ProxyClientTransaction object for that later check.

@bryancall
Copy link
Contributor

bryancall commented May 4, 2016

Don't you need to check what is being denied at the higher level?

@shinrich
Copy link
Member Author

shinrich commented May 4, 2016

Just pushed another commit that moves the IP-based ip allow checking to the SessionAccept superclass. Verified for IP-based and method-based policies. The method-based denies will return an error header and body. The IP-based denies just closed the connection.

@bryancall I'm not following your question about checking what is denied at a higher level.

bryancall
bryancall reviewed May 4, 2016
View reviewed changes
proxy/http2/Http2SessionAccept.cc
Warning("HTTP/2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
netvc->do_io_close();
return;
}
Copy link
Contributor

@bryancall bryancall May 4, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an extra space at the end of this line.

@bryancall
Copy link
Contributor

bryancall commented May 4, 2016

Looks like it needs to be clang-formatted there are a few formatting issues.

@shinrich
Copy link
Member Author

shinrich commented May 4, 2016

Yes, planning on running clang-format and squashing before mergin.

@bryancall
Copy link
Contributor

bryancall commented May 4, 2016

Besides the formatting it looks good. I was meaning from above that you would have to check the allowed methods at the at the session level. I missed the isEmpty() before.

@asfgit asfgit closed this in 5ce103e May 4, 2016
PSUdaemon pushed a commit that referenced this pull request May 20, 2016
@shinrich @PSUdaemon
TS-3485: Support ip_allow config for HTTP2. This closes #614.
2a000a7 
(cherry picked from commit 5ce103e)
SolidWallOfCode pushed a commit to SolidWallOfCode/trafficserver that referenced this pull request Feb 1, 2017
@shinrich
TS-3485: Support ip_allow config for HTTP2. This closes apache#614.
1fc7fd9 
Conflicts:
	lib/luajit
	proxy/http2/Http2ClientSession.cc
	proxy/http2/Http2SessionAccept.cc
SolidWallOfCode pushed a commit to SolidWallOfCode/trafficserver that referenced this pull request Feb 1, 2017
Merge pull request apache#337 from Edge/ts-3485
ecbfaf1 
TS-3485: Support ip_allow config for HTTP2.  This closes apache#614.
shinrich added a commit to shinrich/trafficserver that referenced this pull request Jan 9, 2018
@shinrich
Merge pull request apache#614 from shinrich/fix-cherry-pick
6064d09 
Fix previous H2 cherry-pick which pulled in extra stuff
brbzull0 pushed a commit to brbzull0/trafficserver that referenced this pull request Jan 24, 2022
@brbzull0
Clean up the shared handler response data. This shared data is used t…
e260f45 
…o carry the plugin responses to jsonrpc messages. (apache#614)

This needs to be clear up after use otherwise the state may hold the old one which can end up giving the wrong response
to rpc requests.
brbzull0 pushed a commit to brbzull0/trafficserver that referenced this pull request Jan 24, 2022
@brbzull0
Clean up the shared handler response data. This shared data is used t…
b96e697 
…o carry the plugin responses to jsonrpc messages. (apache#614)

This needs to be clear up after use otherwise the state may hold the old one which can end up giving the wrong response
to rpc requests.
ywkaras pushed a commit to ywkaras/trafficserver that referenced this pull request Jul 7, 2022
Clean up the shared handler response data. This shared data is used t…
9565844 
…o carry the plugin responses to jsonrpc messages. (apache#614)

This needs to be clear up after use otherwise the state may hold the old one which can end up giving the wrong response
to rpc requests.
masaori335 pushed a commit to masaori335/trafficserver that referenced this pull request Sep 26, 2023
@cmcfarlen
use correct symbol for rpm (apache#614)
5c61373
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shinrich @bryancall @jpeach