Pull request 1985: 2998-hsts
Updates #2998. Updates #4941. Squashed commit of the following: commit ef6ed6acb89b10c4bf1b0c7ba34002f9d7f2e68c Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Aug 30 18:43:25 2023 +0300 all: imp chlog commit 0957a85d53edcd5eba591e42301191db42a258ad Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Aug 30 18:31:46 2023 +0300 home: add hsts when force_https is true
This commit is contained in:
parent
a2ca8b5b4a
commit
18d15be4e8
12
CHANGELOG.md
12
CHANGELOG.md
|
@ -25,9 +25,13 @@ NOTE: Add new changes BELOW THIS COMMENT.
|
|||
|
||||
### Added
|
||||
|
||||
- [`Strict-Transport-Security`][hsts] header in the HTTP API and DNS-over-HTTPS
|
||||
responses when HTTPS is forced ([#2998]). See [RFC 6979][rfc6797].
|
||||
- UI for the schedule of the service-blocking pause ([#951]).
|
||||
- IPv6 hints are now filtered in case IPv6 addresses resolving is disabled
|
||||
([#6122]).
|
||||
- The ability to set fallback DNS servers in the configuration file ([#3701]).
|
||||
- The ability to set fallback DNS servers in the configuration file and the UI
|
||||
([#3701]).
|
||||
- While adding or updating blocklists, the title can now be parsed from
|
||||
`! Title:` definition of the blocklist's source ([#6020]).
|
||||
- The ability to filter DNS HTTPS records including IPv4/v6 hints ([#6053]).
|
||||
|
@ -149,6 +153,7 @@ In this release, the schema version has changed from 24 to 26.
|
|||
([#5948]).
|
||||
|
||||
[#1453]: https://github.com/AdguardTeam/AdGuardHome/issues/1453
|
||||
[#2998]: https://github.com/AdguardTeam/AdGuardHome/issues/2998
|
||||
[#3701]: https://github.com/AdguardTeam/AdGuardHome/issues/3701
|
||||
[#5948]: https://github.com/AdguardTeam/AdGuardHome/issues/5948
|
||||
[#6020]: https://github.com/AdguardTeam/AdGuardHome/issues/6020
|
||||
|
@ -159,6 +164,9 @@ In this release, the schema version has changed from 24 to 26.
|
|||
[#6122]: https://github.com/AdguardTeam/AdGuardHome/issues/6122
|
||||
[#6133]: https://github.com/AdguardTeam/AdGuardHome/issues/6133
|
||||
|
||||
[hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
[rfc6797]: https://datatracker.ietf.org/doc/html/rfc6797
|
||||
|
||||
<!--
|
||||
NOTE: Add new changes ABOVE THIS COMMENT.
|
||||
-->
|
||||
|
@ -675,7 +683,7 @@ In this release, the schema version has changed from 17 to 20.
|
|||
[#5701]: https://github.com/AdguardTeam/AdGuardHome/issues/5701
|
||||
|
||||
[ms-v0.107.28]: https://github.com/AdguardTeam/AdGuardHome/milestone/64?closed=1
|
||||
[rfc6761]: https://www.rfc-editor.org/rfc/rfc6761
|
||||
[rfc6761]: https://datatracker.ietf.org/doc/html/rfc6761
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -5,5 +5,6 @@ package aghhttp
|
|||
// HTTP header value constants.
|
||||
const (
|
||||
HdrValApplicationJSON = "application/json"
|
||||
HdrValStrictTransportSecurity = "max-age=31536000; includeSubDomains"
|
||||
HdrValTextPlain = "text/plain"
|
||||
)
|
||||
|
|
|
@ -321,9 +321,10 @@ func preInstallHandler(handler http.Handler) http.Handler {
|
|||
return &preInstallHandlerStruct{handler}
|
||||
}
|
||||
|
||||
// handleHTTPSRedirect redirects the request to HTTPS, if needed. If ok is
|
||||
// true, the middleware must continue handling the request.
|
||||
func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
|
||||
// handleHTTPSRedirect redirects the request to HTTPS, if needed, and adds some
|
||||
// HTTPS-related headers. If proceed is true, the middleware must continue
|
||||
// handling the request.
|
||||
func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (proceed bool) {
|
||||
web := Context.web
|
||||
if web.httpsServer.server == nil {
|
||||
return true
|
||||
|
@ -362,23 +363,19 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
|
|||
respHdr.Set(httphdr.AltSvc, altSvc)
|
||||
}
|
||||
|
||||
if r.TLS == nil && forceHTTPS {
|
||||
hostPort := host
|
||||
if portHTTPS != defaultPortHTTPS {
|
||||
hostPort = netutil.JoinHostPort(host, portHTTPS)
|
||||
}
|
||||
|
||||
httpsURL := &url.URL{
|
||||
Scheme: aghhttp.SchemeHTTPS,
|
||||
Host: hostPort,
|
||||
Path: r.URL.Path,
|
||||
RawQuery: r.URL.RawQuery,
|
||||
}
|
||||
http.Redirect(w, r, httpsURL.String(), http.StatusTemporaryRedirect)
|
||||
if forceHTTPS {
|
||||
if r.TLS == nil {
|
||||
u := httpsURL(r.URL, host, portHTTPS)
|
||||
http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// TODO(a.garipov): Consider adding a configurable max-age. Currently,
|
||||
// the default is 365 days.
|
||||
respHdr.Set(httphdr.StrictTransportSecurity, aghhttp.HdrValStrictTransportSecurity)
|
||||
}
|
||||
|
||||
// Allow the frontend from the HTTP origin to send requests to the HTTPS
|
||||
// server. This can happen when the user has just set up HTTPS with
|
||||
// redirects. Prevent cache-related errors by setting the Vary header.
|
||||
|
@ -395,6 +392,22 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
|
|||
return true
|
||||
}
|
||||
|
||||
// httpsURL returns a copy of u for redirection to the HTTPS version, taking the
|
||||
// hostname and the HTTPS port into account.
|
||||
func httpsURL(u *url.URL, host string, portHTTPS int) (redirectURL *url.URL) {
|
||||
hostPort := host
|
||||
if portHTTPS != defaultPortHTTPS {
|
||||
hostPort = netutil.JoinHostPort(host, portHTTPS)
|
||||
}
|
||||
|
||||
return &url.URL{
|
||||
Scheme: aghhttp.SchemeHTTPS,
|
||||
Host: hostPort,
|
||||
Path: u.Path,
|
||||
RawQuery: u.RawQuery,
|
||||
}
|
||||
}
|
||||
|
||||
// postInstall lets the handler to run only if firstRun is false. Otherwise, it
|
||||
// redirects to /install.html. It also enforces HTTPS if it is enabled and
|
||||
// configured and sets appropriate access control headers.
|
||||
|
@ -408,13 +421,12 @@ func postInstall(handler func(http.ResponseWriter, *http.Request)) func(http.Res
|
|||
return
|
||||
}
|
||||
|
||||
if !handleHTTPSRedirect(w, r) {
|
||||
return
|
||||
}
|
||||
|
||||
proceed := handleHTTPSRedirect(w, r)
|
||||
if proceed {
|
||||
handler(w, r)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
type postInstallHandlerStruct struct {
|
||||
handler http.Handler
|
||||
|
|
Loading…
Reference in New Issue