Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: support known tls placeholders replacing even for non tls request #5154

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

fix: support known tls placeholders replacing even for non tls request #5154

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
372f79b
fix: support known tls placeholders replacing even for non tls request
nikolaevn Oct 18, 2022
1dc7668
Merge remote-tracking branch 'upstream/master' into fix/tls_placehold…
nikolaevn Oct 20, 2022
c0b9e0b
refactoring if-else branches
nikolaevn Oct 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
67 changes: 60 additions & 7 deletions modules/caddyhttp/replacer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -311,20 +311,21 @@ func addHTTPVarsToReplacer(repl *caddy.Replacer, req *http.Request, w http.Respo
}

func getReqTLSReplacement(req *http.Request, key string) (any, bool) {
if req == nil || req.TLS == nil {
return nil, false
}

if len(key) < len(reqTLSReplPrefix) {
return nil, false
}

var isTLSReq bool = req != nil && req.TLS != nil

field := strings.ToLower(key[len(reqTLSReplPrefix):])

if strings.HasPrefix(field, "client.") {
cert := getTLSPeerCert(req.TLS)
if cert == nil {
return nil, false
var cert *x509.Certificate
if isTLSReq {
cert = getTLSPeerCert(req.TLS)
if cert == nil {
return nil, false
}
}

// subject alternate names (SANs)
Expand All @@ -334,15 +335,27 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {
var fieldValue any
switch {
case strings.HasPrefix(field, "dns_names"):
if !isTLSReq {
return nil, true
}
fieldName = "dns_names"
fieldValue = cert.DNSNames
case strings.HasPrefix(field, "emails"):
if !isTLSReq {
return nil, true
}
fieldName = "emails"
fieldValue = cert.EmailAddresses
case strings.HasPrefix(field, "ips"):
if !isTLSReq {
return nil, true
}
fieldName = "ips"
fieldValue = cert.IPAddresses
case strings.HasPrefix(field, "uris"):
if !isTLSReq {
return nil, true
}
fieldName = "uris"
fieldValue = cert.URIs
default:
Expand Down Expand Up @@ -387,8 +400,15 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {

switch field {
case "client.fingerprint":
if !isTLSReq {
return "", true
}
return fmt.Sprintf("%x", sha256.Sum256(cert.Raw)), true
case "client.public_key", "client.public_key_sha256":
if !isTLSReq {
return nil, true
}

if cert.PublicKey == nil {
return nil, true
}
Expand All @@ -401,15 +421,30 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {
}
return fmt.Sprintf("%x", pubKeyBytes), true
case "client.issuer":
if !isTLSReq {
return "", true
}
return cert.Issuer, true
case "client.serial":
if !isTLSReq {
return "", true
}
return cert.SerialNumber, true
case "client.subject":
if !isTLSReq {
return "", true
}
return cert.Subject, true
case "client.certificate_pem":
if !isTLSReq {
return "", true
}
block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
return pem.EncodeToMemory(&block), true
case "client.certificate_der_base64":
if !isTLSReq {
return "", true
}
return base64.StdEncoding.EncodeToString(cert.Raw), true
default:
return nil, false
Expand All @@ -418,17 +453,35 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {

switch field {
case "version":
if !isTLSReq {
return "", true
}
return caddytls.ProtocolName(req.TLS.Version), true
case "cipher_suite":
if !isTLSReq {
return "", true
}
return tls.CipherSuiteName(req.TLS.CipherSuite), true
case "resumed":
if !isTLSReq {
return false, true
}
return req.TLS.DidResume, true
case "proto":
if !isTLSReq {
return "", true
}
return req.TLS.NegotiatedProtocol, true
case "proto_mutual":
if !isTLSReq {
return false, true
}
// req.TLS.NegotiatedProtocolIsMutual is deprecated - it's always true.
return true, true
case "server_name":
if !isTLSReq {
return "", true
}
return req.TLS.ServerName, true
}
return nil, false
Expand Down
157 changes: 157 additions & 0 deletions modules/caddyhttp/replacer_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -215,3 +215,160 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
}
}
}

func TestHTTPVarReplacement_NonTLSRequest(t *testing.T) {
req, _ := http.NewRequest(http.MethodGet, "/foo/bar.tar.gz", nil)
repl := caddy.NewReplacer()
ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
req = req.WithContext(ctx)
req.Host = "example.com:80"
req.RemoteAddr = "192.168.159.32:1234"

res := httptest.NewRecorder()
addHTTPVarsToReplacer(repl, req, res)

for i, tc := range []struct {
get string
expect string
}{
{
get: "http.request.scheme",
expect: "http",
},
{
get: "http.request.method",
expect: http.MethodGet,
},
{
get: "http.request.host",
expect: "example.com",
},
{
get: "http.request.port",
expect: "80",
},
{
get: "http.request.hostport",
expect: "example.com:80",
},
{
get: "http.request.remote.host",
expect: "192.168.159.32",
},
{
get: "http.request.remote.host/24",
expect: "192.168.159.0/24",
},
{
get: "http.request.remote.host/24,32",
expect: "192.168.159.0/24",
},
{
get: "http.request.remote.host/999",
expect: "",
},
{
get: "http.request.remote.port",
expect: "1234",
},
{
get: "http.request.host.labels.0",
expect: "com",
},
{
get: "http.request.host.labels.1",
expect: "example",
},
{
get: "http.request.host.labels.2",
expect: "",
},
{
get: "http.request.uri.path.file",
expect: "bar.tar.gz",
},
{
get: "http.request.uri.path.file.base",
expect: "bar.tar",
},
{
// not ideal, but also most correct, given that files can have dots (example: index.<SHA>.html) TODO: maybe this isn't right..
get: "http.request.uri.path.file.ext",
expect: ".gz",
},

{
get: "http.request.tls.cipher_suite",
expect: "",
},
{
get: "http.request.tls.proto",
expect: "",
},
{
get: "http.request.tls.proto_mutual",
expect: "false",
},
{
get: "http.request.tls.resumed",
expect: "false",
},
{
get: "http.request.tls.server_name",
expect: "",
},
{
get: "http.request.tls.version",
expect: "",
},
{
get: "http.request.tls.client.fingerprint",
expect: "",
},
{
get: "http.request.tls.client.issuer",
expect: "",
},
{
get: "http.request.tls.client.serial",
expect: "",
},
{
get: "http.request.tls.client.subject",
expect: "",
},
{
get: "http.request.tls.client.san.dns_names",
expect: "",
},
{
get: "http.request.tls.client.san.dns_names.0",
expect: "",
},
{
get: "http.request.tls.client.san.dns_names.1",
expect: "",
},
{
get: "http.request.tls.client.san.ips",
expect: "",
},
{
get: "http.request.tls.client.san.ips.0",
expect: "",
},
{
get: "http.request.tls.client.certificate_pem",
expect: "",
},
} {
actual, got := repl.GetString(tc.get)
if !got {
t.Errorf("Test %d: Expected to recognize the placeholder name, but didn't", i)
}
if actual != tc.expect {
t.Errorf("Test %d: Expected %s to be '%s' but got '%s'",
i, tc.get, tc.expect, actual)
}
}
}