Pull request 1985: 2998-hsts

Updates #2998.
Updates #4941.

Squashed commit of the following:

commit ef6ed6acb89b10c4bf1b0c7ba34002f9d7f2e68c
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Aug 30 18:43:25 2023 +0300

    all: imp chlog

commit 0957a85d53edcd5eba591e42301191db42a258ad
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Aug 30 18:31:46 2023 +0300

    home: add hsts when force_https is true
This commit is contained in:
Ainar Garipov 2023-08-30 18:57:36 +03:00
parent a2ca8b5b4a
commit 18d15be4e8
3 changed files with 45 additions and 24 deletions

View File

@ -25,9 +25,13 @@ NOTE: Add new changes BELOW THIS COMMENT.
### Added
- [`Strict-Transport-Security`][hsts] header in the HTTP API and DNS-over-HTTPS
responses when HTTPS is forced ([#2998]). See [RFC 6979][rfc6797].
- UI for the schedule of the service-blocking pause ([#951]).
- IPv6 hints are now filtered in case IPv6 addresses resolving is disabled
([#6122]).
- The ability to set fallback DNS servers in the configuration file ([#3701]).
- The ability to set fallback DNS servers in the configuration file and the UI
([#3701]).
- While adding or updating blocklists, the title can now be parsed from
`! Title:` definition of the blocklist's source ([#6020]).
- The ability to filter DNS HTTPS records including IPv4/v6 hints ([#6053]).
@ -149,6 +153,7 @@ In this release, the schema version has changed from 24 to 26.
([#5948]).
[#1453]: https://github.com/AdguardTeam/AdGuardHome/issues/1453
[#2998]: https://github.com/AdguardTeam/AdGuardHome/issues/2998
[#3701]: https://github.com/AdguardTeam/AdGuardHome/issues/3701
[#5948]: https://github.com/AdguardTeam/AdGuardHome/issues/5948
[#6020]: https://github.com/AdguardTeam/AdGuardHome/issues/6020
@ -159,6 +164,9 @@ In this release, the schema version has changed from 24 to 26.
[#6122]: https://github.com/AdguardTeam/AdGuardHome/issues/6122
[#6133]: https://github.com/AdguardTeam/AdGuardHome/issues/6133
[hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
[rfc6797]: https://datatracker.ietf.org/doc/html/rfc6797
<!--
NOTE: Add new changes ABOVE THIS COMMENT.
-->
@ -675,7 +683,7 @@ In this release, the schema version has changed from 17 to 20.
[#5701]: https://github.com/AdguardTeam/AdGuardHome/issues/5701
[ms-v0.107.28]: https://github.com/AdguardTeam/AdGuardHome/milestone/64?closed=1
[rfc6761]: https://www.rfc-editor.org/rfc/rfc6761
[rfc6761]: https://datatracker.ietf.org/doc/html/rfc6761

View File

@ -5,5 +5,6 @@ package aghhttp
// HTTP header value constants.
const (
HdrValApplicationJSON = "application/json"
HdrValStrictTransportSecurity = "max-age=31536000; includeSubDomains"
HdrValTextPlain = "text/plain"
)

View File

@ -321,9 +321,10 @@ func preInstallHandler(handler http.Handler) http.Handler {
return &preInstallHandlerStruct{handler}
}
// handleHTTPSRedirect redirects the request to HTTPS, if needed. If ok is
// true, the middleware must continue handling the request.
func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
// handleHTTPSRedirect redirects the request to HTTPS, if needed, and adds some
// HTTPS-related headers. If proceed is true, the middleware must continue
// handling the request.
func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (proceed bool) {
web := Context.web
if web.httpsServer.server == nil {
return true
@ -362,23 +363,19 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
respHdr.Set(httphdr.AltSvc, altSvc)
}
if r.TLS == nil && forceHTTPS {
hostPort := host
if portHTTPS != defaultPortHTTPS {
hostPort = netutil.JoinHostPort(host, portHTTPS)
}
httpsURL := &url.URL{
Scheme: aghhttp.SchemeHTTPS,
Host: hostPort,
Path: r.URL.Path,
RawQuery: r.URL.RawQuery,
}
http.Redirect(w, r, httpsURL.String(), http.StatusTemporaryRedirect)
if forceHTTPS {
if r.TLS == nil {
u := httpsURL(r.URL, host, portHTTPS)
http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
return false
}
// TODO(a.garipov): Consider adding a configurable max-age. Currently,
// the default is 365 days.
respHdr.Set(httphdr.StrictTransportSecurity, aghhttp.HdrValStrictTransportSecurity)
}
// Allow the frontend from the HTTP origin to send requests to the HTTPS
// server. This can happen when the user has just set up HTTPS with
// redirects. Prevent cache-related errors by setting the Vary header.
@ -395,6 +392,22 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
return true
}
// httpsURL returns a copy of u for redirection to the HTTPS version, taking the
// hostname and the HTTPS port into account.
func httpsURL(u *url.URL, host string, portHTTPS int) (redirectURL *url.URL) {
hostPort := host
if portHTTPS != defaultPortHTTPS {
hostPort = netutil.JoinHostPort(host, portHTTPS)
}
return &url.URL{
Scheme: aghhttp.SchemeHTTPS,
Host: hostPort,
Path: u.Path,
RawQuery: u.RawQuery,
}
}
// postInstall lets the handler to run only if firstRun is false. Otherwise, it
// redirects to /install.html. It also enforces HTTPS if it is enabled and
// configured and sets appropriate access control headers.
@ -408,13 +421,12 @@ func postInstall(handler func(http.ResponseWriter, *http.Request)) func(http.Res
return
}
if !handleHTTPSRedirect(w, r) {
return
}
proceed := handleHTTPSRedirect(w, r)
if proceed {
handler(w, r)
}
}
}
type postInstallHandlerStruct struct {
handler http.Handler