Pull request 1985: 2998-hsts
Updates #2998. Updates #4941. Squashed commit of the following: commit ef6ed6acb89b10c4bf1b0c7ba34002f9d7f2e68c Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Aug 30 18:43:25 2023 +0300 all: imp chlog commit 0957a85d53edcd5eba591e42301191db42a258ad Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Aug 30 18:31:46 2023 +0300 home: add hsts when force_https is true
This commit is contained in:
parent
a2ca8b5b4a
commit
18d15be4e8
12
CHANGELOG.md
12
CHANGELOG.md
|
@ -25,9 +25,13 @@ NOTE: Add new changes BELOW THIS COMMENT.
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
|
- [`Strict-Transport-Security`][hsts] header in the HTTP API and DNS-over-HTTPS
|
||||||
|
responses when HTTPS is forced ([#2998]). See [RFC 6979][rfc6797].
|
||||||
|
- UI for the schedule of the service-blocking pause ([#951]).
|
||||||
- IPv6 hints are now filtered in case IPv6 addresses resolving is disabled
|
- IPv6 hints are now filtered in case IPv6 addresses resolving is disabled
|
||||||
([#6122]).
|
([#6122]).
|
||||||
- The ability to set fallback DNS servers in the configuration file ([#3701]).
|
- The ability to set fallback DNS servers in the configuration file and the UI
|
||||||
|
([#3701]).
|
||||||
- While adding or updating blocklists, the title can now be parsed from
|
- While adding or updating blocklists, the title can now be parsed from
|
||||||
`! Title:` definition of the blocklist's source ([#6020]).
|
`! Title:` definition of the blocklist's source ([#6020]).
|
||||||
- The ability to filter DNS HTTPS records including IPv4/v6 hints ([#6053]).
|
- The ability to filter DNS HTTPS records including IPv4/v6 hints ([#6053]).
|
||||||
|
@ -149,6 +153,7 @@ In this release, the schema version has changed from 24 to 26.
|
||||||
([#5948]).
|
([#5948]).
|
||||||
|
|
||||||
[#1453]: https://github.com/AdguardTeam/AdGuardHome/issues/1453
|
[#1453]: https://github.com/AdguardTeam/AdGuardHome/issues/1453
|
||||||
|
[#2998]: https://github.com/AdguardTeam/AdGuardHome/issues/2998
|
||||||
[#3701]: https://github.com/AdguardTeam/AdGuardHome/issues/3701
|
[#3701]: https://github.com/AdguardTeam/AdGuardHome/issues/3701
|
||||||
[#5948]: https://github.com/AdguardTeam/AdGuardHome/issues/5948
|
[#5948]: https://github.com/AdguardTeam/AdGuardHome/issues/5948
|
||||||
[#6020]: https://github.com/AdguardTeam/AdGuardHome/issues/6020
|
[#6020]: https://github.com/AdguardTeam/AdGuardHome/issues/6020
|
||||||
|
@ -159,6 +164,9 @@ In this release, the schema version has changed from 24 to 26.
|
||||||
[#6122]: https://github.com/AdguardTeam/AdGuardHome/issues/6122
|
[#6122]: https://github.com/AdguardTeam/AdGuardHome/issues/6122
|
||||||
[#6133]: https://github.com/AdguardTeam/AdGuardHome/issues/6133
|
[#6133]: https://github.com/AdguardTeam/AdGuardHome/issues/6133
|
||||||
|
|
||||||
|
[hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||||
|
[rfc6797]: https://datatracker.ietf.org/doc/html/rfc6797
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
NOTE: Add new changes ABOVE THIS COMMENT.
|
NOTE: Add new changes ABOVE THIS COMMENT.
|
||||||
-->
|
-->
|
||||||
|
@ -675,7 +683,7 @@ In this release, the schema version has changed from 17 to 20.
|
||||||
[#5701]: https://github.com/AdguardTeam/AdGuardHome/issues/5701
|
[#5701]: https://github.com/AdguardTeam/AdGuardHome/issues/5701
|
||||||
|
|
||||||
[ms-v0.107.28]: https://github.com/AdguardTeam/AdGuardHome/milestone/64?closed=1
|
[ms-v0.107.28]: https://github.com/AdguardTeam/AdGuardHome/milestone/64?closed=1
|
||||||
[rfc6761]: https://www.rfc-editor.org/rfc/rfc6761
|
[rfc6761]: https://datatracker.ietf.org/doc/html/rfc6761
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -5,5 +5,6 @@ package aghhttp
|
||||||
// HTTP header value constants.
|
// HTTP header value constants.
|
||||||
const (
|
const (
|
||||||
HdrValApplicationJSON = "application/json"
|
HdrValApplicationJSON = "application/json"
|
||||||
|
HdrValStrictTransportSecurity = "max-age=31536000; includeSubDomains"
|
||||||
HdrValTextPlain = "text/plain"
|
HdrValTextPlain = "text/plain"
|
||||||
)
|
)
|
||||||
|
|
|
@ -321,9 +321,10 @@ func preInstallHandler(handler http.Handler) http.Handler {
|
||||||
return &preInstallHandlerStruct{handler}
|
return &preInstallHandlerStruct{handler}
|
||||||
}
|
}
|
||||||
|
|
||||||
// handleHTTPSRedirect redirects the request to HTTPS, if needed. If ok is
|
// handleHTTPSRedirect redirects the request to HTTPS, if needed, and adds some
|
||||||
// true, the middleware must continue handling the request.
|
// HTTPS-related headers. If proceed is true, the middleware must continue
|
||||||
func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
|
// handling the request.
|
||||||
|
func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (proceed bool) {
|
||||||
web := Context.web
|
web := Context.web
|
||||||
if web.httpsServer.server == nil {
|
if web.httpsServer.server == nil {
|
||||||
return true
|
return true
|
||||||
|
@ -362,23 +363,19 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
|
||||||
respHdr.Set(httphdr.AltSvc, altSvc)
|
respHdr.Set(httphdr.AltSvc, altSvc)
|
||||||
}
|
}
|
||||||
|
|
||||||
if r.TLS == nil && forceHTTPS {
|
if forceHTTPS {
|
||||||
hostPort := host
|
if r.TLS == nil {
|
||||||
if portHTTPS != defaultPortHTTPS {
|
u := httpsURL(r.URL, host, portHTTPS)
|
||||||
hostPort = netutil.JoinHostPort(host, portHTTPS)
|
http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
|
||||||
}
|
|
||||||
|
|
||||||
httpsURL := &url.URL{
|
|
||||||
Scheme: aghhttp.SchemeHTTPS,
|
|
||||||
Host: hostPort,
|
|
||||||
Path: r.URL.Path,
|
|
||||||
RawQuery: r.URL.RawQuery,
|
|
||||||
}
|
|
||||||
http.Redirect(w, r, httpsURL.String(), http.StatusTemporaryRedirect)
|
|
||||||
|
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO(a.garipov): Consider adding a configurable max-age. Currently,
|
||||||
|
// the default is 365 days.
|
||||||
|
respHdr.Set(httphdr.StrictTransportSecurity, aghhttp.HdrValStrictTransportSecurity)
|
||||||
|
}
|
||||||
|
|
||||||
// Allow the frontend from the HTTP origin to send requests to the HTTPS
|
// Allow the frontend from the HTTP origin to send requests to the HTTPS
|
||||||
// server. This can happen when the user has just set up HTTPS with
|
// server. This can happen when the user has just set up HTTPS with
|
||||||
// redirects. Prevent cache-related errors by setting the Vary header.
|
// redirects. Prevent cache-related errors by setting the Vary header.
|
||||||
|
@ -395,6 +392,22 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// httpsURL returns a copy of u for redirection to the HTTPS version, taking the
|
||||||
|
// hostname and the HTTPS port into account.
|
||||||
|
func httpsURL(u *url.URL, host string, portHTTPS int) (redirectURL *url.URL) {
|
||||||
|
hostPort := host
|
||||||
|
if portHTTPS != defaultPortHTTPS {
|
||||||
|
hostPort = netutil.JoinHostPort(host, portHTTPS)
|
||||||
|
}
|
||||||
|
|
||||||
|
return &url.URL{
|
||||||
|
Scheme: aghhttp.SchemeHTTPS,
|
||||||
|
Host: hostPort,
|
||||||
|
Path: u.Path,
|
||||||
|
RawQuery: u.RawQuery,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// postInstall lets the handler to run only if firstRun is false. Otherwise, it
|
// postInstall lets the handler to run only if firstRun is false. Otherwise, it
|
||||||
// redirects to /install.html. It also enforces HTTPS if it is enabled and
|
// redirects to /install.html. It also enforces HTTPS if it is enabled and
|
||||||
// configured and sets appropriate access control headers.
|
// configured and sets appropriate access control headers.
|
||||||
|
@ -408,13 +421,12 @@ func postInstall(handler func(http.ResponseWriter, *http.Request)) func(http.Res
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !handleHTTPSRedirect(w, r) {
|
proceed := handleHTTPSRedirect(w, r)
|
||||||
return
|
if proceed {
|
||||||
}
|
|
||||||
|
|
||||||
handler(w, r)
|
handler(w, r)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
type postInstallHandlerStruct struct {
|
type postInstallHandlerStruct struct {
|
||||||
handler http.Handler
|
handler http.Handler
|
||||||
|
|
Loading…
Reference in New Issue