----- Original Message ----- > Updated Branches: > refs/heads/master f057cdcca -> 4cf9975e9 > > > TS-1668: Added HSTS configuration options to ATS > > > Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo > Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/4cf9975e > Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/4cf9975e > Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/4cf9975e > > Branch: refs/heads/master > Commit: 4cf9975e9b8ff0cc5510707443da0adafbb962cb > Parents: f057cdc > Author: Bryan Call <bc...@apache.org> > Authored: Wed Jan 15 13:38:07 2014 -0800 > Committer: Bryan Call <bc...@apache.org> > Committed: Wed Jan 15 13:38:07 2014 -0800 > > ---------------------------------------------------------------------- > CHANGES | 2 ++ > .../configuration/records.config.en.rst | 15 +++++++++++++++ > mgmt/RecordsConfig.cc | 5 +++++ > proxy/InkAPI.cc | 19 +++++++++++++++++++ > proxy/InkAPITest.cc | 4 +++- > proxy/api/ts/ts.h.in | 4 ++++ > proxy/hdrs/HdrToken.cc | 3 +++ > proxy/hdrs/MIME.cc | 6 ++++++ > proxy/hdrs/MIME.h | 3 +++ > proxy/http/HttpConfig.cc | 4 ++++ > proxy/http/HttpConfig.h | 5 ++++- > proxy/http/HttpTransact.cc | 6 ++++++ > proxy/http/HttpTransactHeaders.cc | 19 +++++++++++++++++++ > proxy/http/HttpTransactHeaders.h | 1 + > 14 files changed, 94 insertions(+), 2 deletions(-) > ---------------------------------------------------------------------- > > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/CHANGES > ---------------------------------------------------------------------- > diff --git a/CHANGES b/CHANGES > index 2c56ffd..a688aea 100644 > --- a/CHANGES > +++ b/CHANGES 
> @@ -1,6 +1,8 @@ > -*- coding: utf-8 > -*- > Changes with Apache Traffic Server 4.2.0 > > + *) [TS-1668] Added HSTS configuration options to ATS > + > *) [TS-2495] Reduce the size of HttpVCTableEntry. > > *) [TS-2491] stop other esi plugin unit test programs after error. > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/doc/reference/configuration/records.config.en.rst > ---------------------------------------------------------------------- > diff --git a/doc/reference/configuration/records.config.en.rst > b/doc/reference/configuration/records.config.en.rst > index f0d7f8a..c3aac2e 100644 > --- a/doc/reference/configuration/records.config.en.rst > +++ b/doc/reference/configuration/records.config.en.rst > @@ -2046,6 +2046,21 @@ SSL Termination > entries in seconds. If it is ``0``, then the SSL library will use > a default value, typically 300 seconds. > > +.. ts:cv:: CONFIG proxy.config.ssl.hsts_max_age INT -1 > + > + This configuration specifies the max-age value that will be used > + when adding the Strict-Transport-Security header. The value is in > seconds. > + A value of 0 will set the max-age value to 0 and should remove the > + hsts entry from the cleint. A value of -1 will disable this feature and
should be: HSTS entry from the client I'd also put max-age and numbers in ``, e.g.: A value of ``0`` will set the ``max-age`` value to ... > + not set the header. This option is only used for HTTPS request and the > + header will not be set on HTTP requests. > + > +.. ts:cv:: CONFIG proxy.config.ssl.hsts_include_subdomains INT 0 > + > + Enables (``1``) or disables (``0``) to add the includeSubdomain value > + to the Strict-Transport-Security header. proxy.config.ssl.hsts_max_age > + will need to be set to a non -1 value for this value to be added. > + > Client-Related Configuration > ---------------------------- > > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/mgmt/RecordsConfig.cc > ---------------------------------------------------------------------- > diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc > index 3e3fe5c..abae558 100644 > --- a/mgmt/RecordsConfig.cc > +++ b/mgmt/RecordsConfig.cc > @@ -1275,6 +1275,11 @@ RecordElement RecordsConfig[] = { > , > {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", > RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL} > , > + {RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", > RECU_DYNAMIC, RR_NULL, RECC_INT, "[-1-2147483648]", RECA_NULL} > + , > + {RECT_CONFIG, "proxy.config.ssl.hsts_include_subdomains", RECD_INT, "0", > RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} > + , > + > > //############################################################################## > //# ICP Configuration > > //############################################################################## > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/InkAPI.cc > ---------------------------------------------------------------------- > diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc > index 3c40ce5..2be442d 100644 > --- a/proxy/InkAPI.cc > +++ b/proxy/InkAPI.cc 
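Review bot: The range check `"[-1-2147483648]"` on the new `proxy.config.ssl.hsts_max_age` record has an upper bound of 2^31, one past INT32_MAX, and the doc hunk above never states the accepted range; if the intent is to cap max-age at a signed 32-bit value it should read `"[-1-2147483647]"`, and the records.config text should mention the bound. The member it feeds, `proxy_response_hsts_max_age`, is declared `MgmtInt` and printed with `PRId64` in the HttpTransact.cc hunk of this commit, so this record range is the only cap applied to the value; the runtime check in `build_response` only tests `>= 0`, which is why any negative value behaves like -1.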
> @@ -198,6 +198,7 @@ tsapi const char *TS_MIME_FIELD_RETRY_AFTER; > tsapi const char *TS_MIME_FIELD_SENDER; > tsapi const char *TS_MIME_FIELD_SERVER; > tsapi const char *TS_MIME_FIELD_SET_COOKIE; > +tsapi const char *TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY; > tsapi const char *TS_MIME_FIELD_SUBJECT; > tsapi const char *TS_MIME_FIELD_SUMMARY; > tsapi const char *TS_MIME_FIELD_TE; > @@ -271,6 +272,7 @@ tsapi int TS_MIME_LEN_RETRY_AFTER; > tsapi int TS_MIME_LEN_SENDER; > tsapi int TS_MIME_LEN_SERVER; > tsapi int TS_MIME_LEN_SET_COOKIE; > +tsapi int TS_MIME_LEN_STRICT_TRANSPORT_SECURITY; > tsapi int TS_MIME_LEN_SUBJECT; > tsapi int TS_MIME_LEN_SUMMARY; > tsapi int TS_MIME_LEN_TE; > @@ -1425,6 +1427,7 @@ api_init() > TS_MIME_FIELD_SENDER = MIME_FIELD_SENDER; > TS_MIME_FIELD_SERVER = MIME_FIELD_SERVER; > TS_MIME_FIELD_SET_COOKIE = MIME_FIELD_SET_COOKIE; > + TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY = > MIME_FIELD_STRICT_TRANSPORT_SECURITY; > TS_MIME_FIELD_SUBJECT = MIME_FIELD_SUBJECT; > TS_MIME_FIELD_SUMMARY = MIME_FIELD_SUMMARY; > TS_MIME_FIELD_TE = MIME_FIELD_TE; > @@ -1498,6 +1501,7 @@ api_init() > TS_MIME_LEN_SENDER = MIME_LEN_SENDER; > TS_MIME_LEN_SERVER = MIME_LEN_SERVER; > TS_MIME_LEN_SET_COOKIE = MIME_LEN_SET_COOKIE; > + TS_MIME_LEN_STRICT_TRANSPORT_SECURITY = > MIME_LEN_STRICT_TRANSPORT_SECURITY; > TS_MIME_LEN_SUBJECT = MIME_LEN_SUBJECT; > TS_MIME_LEN_SUMMARY = MIME_LEN_SUMMARY; > TS_MIME_LEN_TE = MIME_LEN_TE; 
> @@ -7591,6 +7595,14 @@ _conf_to_memberp(TSOverridableConfigKey conf, HttpSM* > sm, OverridableDataType *t > case TS_CONFIG_HTTP_ACCEPT_ENCODING_FILTER_ENABLED: > ret = &sm->t_state.txn_conf->accept_encoding_filter_enabled; > break; > + case TS_CONFIG_SSL_HSTS_MAX_AGE: > + typ = OVERRIDABLE_TYPE_INT; > + ret = &sm->t_state.txn_conf->proxy_response_hsts_max_age; > + break; > + case TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS: > + typ = OVERRIDABLE_TYPE_BYTE; > + ret = &sm->t_state.txn_conf->proxy_response_hsts_include_subdomains; > + break; > > // This helps avoiding compiler warnings, yet detect unhandled enum > members. > case TS_CONFIG_NULL: > @@ -7775,6 +7787,11 @@ TSHttpTxnConfigFind(const char* name, int length, > TSOverridableConfigKey *conf, > cnf = TS_CONFIG_HTTP_CACHE_HTTP; > break; > > + case 29: wow. Such expressiveness. I mean.. what's case 29? > + if (!strncmp(name, "proxy.config.ssl.hsts_max_age", length)) > + cnf = TS_CONFIG_SSL_HSTS_MAX_AGE; > + break; > + > case 31: > if (!strncmp(name, "proxy.config.http.chunking.size", length)) > cnf = TS_CONFIG_HTTP_CHUNKING_SIZE; > @@ -7891,6 +7908,8 @@ TSHttpTxnConfigFind(const char* name, int length, > TSOverridableConfigKey *conf, > cnf = TS_CONFIG_HTTP_ORIGIN_MAX_CONNECTIONS; > else if (!strncmp(name, "proxy.config.http.cache.required_headers", > length)) > cnf = TS_CONFIG_HTTP_CACHE_REQUIRED_HEADERS; > + else if (!strncmp(name, "proxy.config.ssl.hsts_include_subdomains", > length)) > + cnf = TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS; > break; > case 't': > if (!strncmp(name, "proxy.config.http.keep_alive_enabled_out", > length)) > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/InkAPITest.cc > ---------------------------------------------------------------------- > diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc > index 8f97a88..b9945a1 100644 > --- a/proxy/InkAPITest.cc > +++ b/proxy/InkAPITest.cc 
> @@ -7412,7 +7412,9 @@ const char > *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY] = { > "proxy.config.http.response_header_max_size", > "proxy.config.http.negative_revalidating_enabled", > "proxy.config.http.negative_revalidating_lifetime", > - "proxy.config.http.accept_encoding_filter_enabled" > + "proxy.config.http.accept_encoding_filter_enabled", > + "proxy.config.ssl.hsts_max_age", > + "proxy.config.ssl.hsts_include_subdomains" > }; > > REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS) (RegressionTest * test, int /* > atype ATS_UNUSED */, int *pstatus) > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/api/ts/ts.h.in > ---------------------------------------------------------------------- > diff --git a/proxy/api/ts/ts.h.in b/proxy/api/ts/ts.h.in > index a184939..e568b1f 100644 > --- a/proxy/api/ts/ts.h.in > +++ b/proxy/api/ts/ts.h.in > @@ -680,6 +680,8 @@ extern "C" > TS_CONFIG_HTTP_NEGATIVE_REVALIDATING_ENABLED, > TS_CONFIG_HTTP_NEGATIVE_REVALIDATING_LIFETIME, > TS_CONFIG_HTTP_ACCEPT_ENCODING_FILTER_ENABLED, > + TS_CONFIG_SSL_HSTS_MAX_AGE, > + TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS, > TS_CONFIG_LAST_ENTRY > } TSOverridableConfigKey; > > @@ -903,6 +905,7 @@ extern "C" > extern tsapi const char* TS_MIME_FIELD_SENDER; > extern tsapi const char* TS_MIME_FIELD_SERVER; > extern tsapi const char* TS_MIME_FIELD_SET_COOKIE; > + extern tsapi const char* TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY; > extern tsapi const char* TS_MIME_FIELD_SUBJECT; > extern tsapi const char* TS_MIME_FIELD_SUMMARY; > extern tsapi const char* TS_MIME_FIELD_TE; 
> @@ -977,6 +980,7 @@ extern "C" > extern tsapi int TS_MIME_LEN_SENDER; > extern tsapi int TS_MIME_LEN_SERVER; > extern tsapi int TS_MIME_LEN_SET_COOKIE; > + extern tsapi int TS_MIME_LEN_STRICT_TRANSPORT_SECURITY; > extern tsapi int TS_MIME_LEN_SUBJECT; > extern tsapi int TS_MIME_LEN_SUMMARY; > extern tsapi int TS_MIME_LEN_TE; > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/HdrToken.cc > ---------------------------------------------------------------------- > diff --git a/proxy/hdrs/HdrToken.cc b/proxy/hdrs/HdrToken.cc > index 4374d85..72bbbe1 100644 > --- a/proxy/hdrs/HdrToken.cc > +++ b/proxy/hdrs/HdrToken.cc > @@ -107,6 +107,7 @@ static const char *_hdrtoken_strs[] = { > "Sender", // NNTP NNTP? Really? I thought we only support HTTP... > "Server", > "Set-Cookie", > + "Strict-Transport-Security", > "Subject", // NNTP > "Summary", // NNTP > "Transfer-Encoding", > @@ -293,6 +294,7 @@ static HdrTokenFieldInfo > _hdrtoken_strs_field_initializers[] = { > {"Sender", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, HTIF_NONE}, > {"Server", MIME_SLOTID_NONE, MIME_PRESENCE_SERVER, HTIF_NONE}, > {"Set-Cookie", MIME_SLOTID_SET_COOKIE, MIME_PRESENCE_SET_COOKIE, > (HTIF_MULTVALS)}, > + {"Strict-Transport-Security", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, > (HTIF_MULTVALS)}, > {"Subject", MIME_SLOTID_NONE, MIME_PRESENCE_SUBJECT, HTIF_NONE}, > {"Summary", MIME_SLOTID_NONE, MIME_PRESENCE_SUMMARY, HTIF_NONE}, > {"TE", MIME_SLOTID_TE, MIME_PRESENCE_TE, (HTIF_COMMAS | HTIF_MULTVALS | > HTIF_HOPBYHOP)}, > @@ -433,6 +435,7 @@ static const char *_hdrtoken_commonly_tokenized_strs[] = > { > "Sender", // NNTP > "Server", > "Set-Cookie", > + "Strict-Transport-Security", > "Subject", // NNTP > "Summary", // NNTP > "Transfer-Encoding", > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/MIME.cc > ---------------------------------------------------------------------- 
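Review bot: In the HdrToken.cc hunk, `{"Strict-Transport-Security", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, (HTIF_MULTVALS)}` marks the new field as multi-valued, unlike the `Server` entry next to it, yet RFC 6797 §8.1 has a UA process only the first Strict-Transport-Security field it receives, and its directives are `;`-separated rather than a comma list. If HTIF_MULTVALS means the field may be split or folded on commas (its semantics are not visible in this hunk), the flag should be `HTIF_NONE` here, which also matches the single `value_set` used to emit it in HttpTransactHeaders.cc.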
> diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc > index b779589..0313314 100644 > --- a/proxy/hdrs/MIME.cc > +++ b/proxy/hdrs/MIME.cc > @@ -141,6 +141,7 @@ const char *MIME_FIELD_RETRY_AFTER; > const char *MIME_FIELD_SENDER; > const char *MIME_FIELD_SERVER; > const char *MIME_FIELD_SET_COOKIE; > +const char *MIME_FIELD_STRICT_TRANSPORT_SECURITY; > const char *MIME_FIELD_SUBJECT; > const char *MIME_FIELD_SUMMARY; > const char *MIME_FIELD_TE; > @@ -249,6 +250,7 @@ int MIME_LEN_RETRY_AFTER; > int MIME_LEN_SENDER; > int MIME_LEN_SERVER; > int MIME_LEN_SET_COOKIE; > +int MIME_LEN_STRICT_TRANSPORT_SECURITY; > int MIME_LEN_SUBJECT; > int MIME_LEN_SUMMARY; > int MIME_LEN_TE; > @@ -323,6 +325,7 @@ int MIME_WKSIDX_RETRY_AFTER; > int MIME_WKSIDX_SENDER; > int MIME_WKSIDX_SERVER; > int MIME_WKSIDX_SET_COOKIE; > +int MIME_WKSIDX_STRICT_TRANSPORT_SECURITY; > int MIME_WKSIDX_SUBJECT; > int MIME_WKSIDX_SUMMARY; > int MIME_WKSIDX_TE; > @@ -665,6 +668,7 @@ mime_init() > MIME_FIELD_SENDER = hdrtoken_string_to_wks("Sender"); > MIME_FIELD_SERVER = hdrtoken_string_to_wks("Server"); > MIME_FIELD_SET_COOKIE = hdrtoken_string_to_wks("Set-Cookie"); > + MIME_FIELD_STRICT_TRANSPORT_SECURITY = > hdrtoken_string_to_wks("Strict-Transport-Security"); > MIME_FIELD_SUBJECT = hdrtoken_string_to_wks("Subject"); > MIME_FIELD_SUMMARY = hdrtoken_string_to_wks("Summary"); > MIME_FIELD_TE = hdrtoken_string_to_wks("TE"); > @@ -740,6 +744,7 @@ mime_init() > MIME_LEN_SENDER = hdrtoken_wks_to_length(MIME_FIELD_SENDER); > MIME_LEN_SERVER = hdrtoken_wks_to_length(MIME_FIELD_SERVER); > MIME_LEN_SET_COOKIE = hdrtoken_wks_to_length(MIME_FIELD_SET_COOKIE); > + MIME_LEN_STRICT_TRANSPORT_SECURITY = > hdrtoken_wks_to_length(MIME_FIELD_STRICT_TRANSPORT_SECURITY); > MIME_LEN_SUBJECT = hdrtoken_wks_to_length(MIME_FIELD_SUBJECT); > MIME_LEN_SUMMARY = hdrtoken_wks_to_length(MIME_FIELD_SUMMARY); > MIME_LEN_TE = hdrtoken_wks_to_length(MIME_FIELD_TE); 
> @@ -814,6 +819,7 @@ mime_init() > MIME_WKSIDX_SENDER = hdrtoken_wks_to_index(MIME_FIELD_SENDER); > MIME_WKSIDX_SERVER = hdrtoken_wks_to_index(MIME_FIELD_SERVER); > MIME_WKSIDX_SET_COOKIE = hdrtoken_wks_to_index(MIME_FIELD_SET_COOKIE); > + MIME_WKSIDX_STRICT_TRANSPORT_SECURITY = > hdrtoken_wks_to_index(MIME_FIELD_STRICT_TRANSPORT_SECURITY); > MIME_WKSIDX_SUBJECT = hdrtoken_wks_to_index(MIME_FIELD_SUBJECT); > MIME_WKSIDX_SUMMARY = hdrtoken_wks_to_index(MIME_FIELD_SUMMARY); > MIME_WKSIDX_TE = hdrtoken_wks_to_index(MIME_FIELD_TE); > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/MIME.h > ---------------------------------------------------------------------- > diff --git a/proxy/hdrs/MIME.h b/proxy/hdrs/MIME.h > index 264847c..a75e56a 100644 > --- a/proxy/hdrs/MIME.h > +++ b/proxy/hdrs/MIME.h > @@ -352,6 +352,7 @@ extern const char *MIME_FIELD_RETRY_AFTER; > extern const char *MIME_FIELD_SENDER; > extern const char *MIME_FIELD_SERVER; > extern const char *MIME_FIELD_SET_COOKIE; > +extern const char *MIME_FIELD_STRICT_TRANSPORT_SECURITY; > extern const char *MIME_FIELD_SUBJECT; > extern const char *MIME_FIELD_SUMMARY; > extern const char *MIME_FIELD_TE; > @@ -449,6 +450,7 @@ extern int MIME_LEN_RETRY_AFTER; > extern int MIME_LEN_SENDER; > extern int MIME_LEN_SERVER; > extern int MIME_LEN_SET_COOKIE; > +extern int MIME_LEN_STRICT_TRANSPORT_SECURITY; > extern int MIME_LEN_SUBJECT; > extern int MIME_LEN_SUMMARY; > extern int MIME_LEN_TE; > @@ -546,6 +548,7 @@ extern int MIME_WKSIDX_RETRY_AFTER; > extern int MIME_WKSIDX_SENDER; > extern int MIME_WKSIDX_SERVER; > extern int MIME_WKSIDX_SET_COOKIE; > +extern int MIME_WKSIDX_STRICT_TRANSPORT_SECURITY; > extern int MIME_WKSIDX_SUBJECT; > extern int MIME_WKSIDX_SUMMARY; > extern int MIME_WKSIDX_TE; > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpConfig.cc > ---------------------------------------------------------------------- 
> diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc > index 26fa002..be6f0d8 100644 > --- a/proxy/http/HttpConfig.cc > +++ b/proxy/http/HttpConfig.cc > @@ -1164,6 +1164,8 @@ HttpConfig::startup() > > HttpEstablishStaticConfigByte(c.oride.insert_request_via_string, > "proxy.config.http.insert_request_via_str"); > HttpEstablishStaticConfigByte(c.oride.insert_response_via_string, > "proxy.config.http.insert_response_via_str"); > + HttpEstablishStaticConfigLongLong(c.oride.proxy_response_hsts_max_age, > "proxy.config.ssl.hsts_max_age"); > + > HttpEstablishStaticConfigByte(c.oride.proxy_response_hsts_include_subdomains, > "proxy.config.ssl.hsts_include_subdomains"); > > HttpEstablishStaticConfigStringAlloc(c.proxy_request_via_string, > "proxy.config.http.request_via_str"); > c.proxy_request_via_string_len = -1; > @@ -1406,6 +1408,8 @@ HttpConfig::reconfigure() > params->proxy_request_via_string_len = (params->proxy_request_via_string) > ? strlen(params->proxy_request_via_string) : 0; > params->proxy_response_via_string = > ats_strdup(m_master.proxy_response_via_string); > params->proxy_response_via_string_len = > (params->proxy_response_via_string) ? > strlen(params->proxy_response_via_string) : 0; > + params->oride.proxy_response_hsts_max_age = > m_master.oride.proxy_response_hsts_max_age; > + params->oride.proxy_response_hsts_include_subdomains = > m_master.oride.proxy_response_hsts_include_subdomains; > > params->url_expansions_string = > ats_strdup(m_master.url_expansions_string); > params->url_expansions = > parse_url_expansions(params->url_expansions_string, > ¶ms->num_url_expansions); > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpConfig.h > ---------------------------------------------------------------------- > diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h > index b3b9e40..e4790a9 100644 > --- a/proxy/http/HttpConfig.h > +++ b/proxy/http/HttpConfig.h 
> @@ -406,7 +406,8 @@ struct OverridableHttpConfigParams { > share_server_sessions(2), fwd_proxy_auth_to_parent(0), > insert_age_in_response(1), > anonymize_remove_from(0), anonymize_remove_referer(0), > anonymize_remove_user_agent(0), > anonymize_remove_cookie(0), anonymize_remove_client_ip(0), > anonymize_insert_client_ip(1), > - proxy_response_server_enabled(1), insert_squid_x_forwarded_for(1), > send_http11_requests(1), > + proxy_response_server_enabled(1), proxy_response_hsts_max_age(-1), > proxy_response_hsts_include_subdomains(0), > + insert_squid_x_forwarded_for(1), send_http11_requests(1), > cache_http(1), cache_cluster_cache_local(0), > cache_ignore_client_no_cache(1), cache_ignore_client_cc_max_age(0), > cache_ims_on_client_no_cache(1), cache_ignore_server_no_cache(0), > cache_responses_to_cookies(1), > cache_ignore_auth(0), cache_urls_that_look_dynamic(1), > cache_required_headers(2), cache_range_lookup(1), > @@ -471,6 +472,8 @@ struct OverridableHttpConfigParams { > MgmtByte anonymize_insert_client_ip; > > MgmtByte proxy_response_server_enabled; > + MgmtInt proxy_response_hsts_max_age; > + MgmtByte proxy_response_hsts_include_subdomains; > > ///////////////////// > // X-Forwarded-For // > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransact.cc > ---------------------------------------------------------------------- > diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc > index 14207f0..ff043b2 100644 > --- a/proxy/http/HttpTransact.cc > +++ b/proxy/http/HttpTransact.cc 
> @@ -7745,6 +7745,12 @@ HttpTransact::build_response(State* s, HTTPHdr* > base_response, HTTPHdr* outgoing > if (s->next_hop_scheme < 0) > s->next_hop_scheme = URL_WKSIDX_HTTP; > > + // Add HSTS header (Strict-Transport-Security) if max-age is set and the > request was https > + if (s->orig_scheme == URL_WKSIDX_HTTPS && > s->txn_conf->proxy_response_hsts_max_age >= 0) { > + Debug("http_hdrs", "hsts max-age=%" PRId64, > s->txn_conf->proxy_response_hsts_max_age); > + HttpTransactHeaders::insert_hsts_header_in_response(s, > outgoing_response); > + } > + > if (s->txn_conf->insert_response_via_string) > HttpTransactHeaders::insert_via_header_in_response(s, > outgoing_response); > > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransactHeaders.cc > ---------------------------------------------------------------------- > diff --git a/proxy/http/HttpTransactHeaders.cc > b/proxy/http/HttpTransactHeaders.cc > index 7c9a3e6..b5ab0fe 100644 > --- a/proxy/http/HttpTransactHeaders.cc > +++ b/proxy/http/HttpTransactHeaders.cc 
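Review bot: The new block in `build_response` calls `insert_hsts_header_in_response` on every HTTPS response once max-age is `>= 0`, and that helper stores the value with `value_set`, so an origin's own Strict-Transport-Security header (for example one with a larger max-age) is presumably replaced by the proxy's policy rather than preserved. If overriding the origin is intended, the records.config entry should say so; otherwise a presence check on `MIME_FIELD_STRICT_TRANSPORT_SECURITY` before the call, or `value_append` semantics like the Via insertion below it, would keep the origin's policy. The `s->orig_scheme == URL_WKSIDX_HTTPS` gate is correct: RFC 6797 §7.2 only lets the header be sent over a secure transport. `build_response` starts and ends outside the hunk.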
> @@ -879,6 +879,25 @@ > HttpTransactHeaders::insert_via_header_in_request(HttpTransact::State *s, > HTTPHd > header->value_append(MIME_FIELD_VIA, MIME_LEN_VIA, new_via_string, > via_string - new_via_string, true); > } > > +void > +HttpTransactHeaders::insert_hsts_header_in_response(HttpTransact::State *s, > HTTPHdr *header) > +{ > + char new_hsts_string[64]; > + char *hsts_string = new_hsts_string; > + const char include_subdomains[] = "; includeSubDomains"; > + > + // add max-age > + int length = snprintf(new_hsts_string, sizeof(new_hsts_string), > "max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age); > + > + // add include subdomain if set > + if (s->txn_conf->proxy_response_hsts_include_subdomains) { > + hsts_string += length; > + memcpy(hsts_string, include_subdomains, sizeof(include_subdomains)); > + length += sizeof(include_subdomains); > + } > + > + header->value_set(MIME_FIELD_STRICT_TRANSPORT_SECURITY, > MIME_LEN_STRICT_TRANSPORT_SECURITY, new_hsts_string, length); > +} > > void > HttpTransactHeaders::insert_via_header_in_response(HttpTransact::State *s, > HTTPHdr *header) > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransactHeaders.h > ---------------------------------------------------------------------- > diff --git a/proxy/http/HttpTransactHeaders.h > b/proxy/http/HttpTransactHeaders.h > index 8dbbdab..0fa3a03 100644 > --- a/proxy/http/HttpTransactHeaders.h > +++ b/proxy/http/HttpTransactHeaders.h 
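Review bot: `length += sizeof(include_subdomains)` in `insert_hsts_header_in_response` counts the string's NUL terminator, so with subdomains enabled the value handed to `value_set` is 20 bytes for a 19-character suffix and the emitted Strict-Transport-Security header carries a trailing `\0`; it should be `length += sizeof(include_subdomains) - 1;`. The 64-byte buffer cannot overflow with this input (`max-age=` plus a 20-digit int64 plus the suffix and NUL is under 50 bytes), but the snprintf return value is used as a write offset without being checked, so an `ink_assert(length + sizeof(include_subdomains) <= sizeof(new_hsts_string));` before the memcpy would make that invariant explicit. A one-line comment above the function noting that the caller guarantees `proxy_response_hsts_max_age >= 0` would also help, since a negative value would otherwise be formatted into the header as-is.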
> @@ -72,6 +72,7 @@ public: > static void insert_server_header_in_response(const char *server_tag, int > server_tag_size, HTTPHdr * header); > static void insert_via_header_in_request(HttpTransact::State *s, HTTPHdr > *header); > static void insert_via_header_in_response(HttpTransact::State *s, HTTPHdr > *header); > + static void insert_hsts_header_in_response(HttpTransact::State *s, HTTPHdr > *header); > > static bool is_request_proxy_authorized(HTTPHdr * incoming_hdr); > > > -- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/ GPG: 8716 7A9F 989B ABD5 100F 4008 F266 55D6 2998 1641