From 22871ed87119cd1d0b016070f33ca43734f8d518 Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Fri, 2 Apr 2021 17:54:46 -0500 Subject: [PATCH 01/12] Enable external file loading for sni.yaml. Cherry-picked from Yahoo's internal 9.1.x branch Conflicts: include/tscore/bwf_std_format.h iocore/net/P_SNIActionPerformer.h iocore/net/SSLSNIConfig.cc proxy/IPAllow.cc --- include/tscore/bwf_std_format.h | 2 + iocore/net/P_SNIActionPerformer.h | 61 ++++--------------------- iocore/net/SSLSNIConfig.cc | 76 +++++++++++++++++++++++++++++++ proxy/IPAllow.cc | 27 +++++++++++ src/tscore/BufferWriterFormat.cc | 1 - 5 files changed, 115 insertions(+), 52 deletions(-) diff --git a/include/tscore/bwf_std_format.h b/include/tscore/bwf_std_format.h index 20595631678..84579f81be9 100644 --- a/include/tscore/bwf_std_format.h +++ b/include/tscore/bwf_std_format.h @@ -149,4 +149,6 @@ namespace bwf BufferWriter &bwformat(BufferWriter &w, BWFSpec const &spec, bwf::Errno const &e); BufferWriter &bwformat(BufferWriter &w, BWFSpec const &spec, bwf::Date const &date); BufferWriter &bwformat(BufferWriter &w, BWFSpec const &spec, bwf::OptionalAffix const &opts); +BufferWriter &bwformat(BufferWriter &w, BWFSpec const &spec, std::error_code const &ec); + } // namespace ts diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h index 9d6d98480b8..ed7adda1c73 100644 --- a/iocore/net/P_SNIActionPerformer.h +++ b/iocore/net/P_SNIActionPerformer.h 
@@ -296,60 +296,19 @@ class SNI_IpAllow : public ActionItem IpMap ip_map; public: - SNI_IpAllow(std::string &ip_allow_list, const std::string &servername) - { - // the server identified by item.fqdn requires ATS to do IP filtering - if (ip_allow_list.length()) { - IpAddr addr1; - IpAddr addr2; - // check format first - // check if the input is a comma separated list of IPs - ts::TextView content(ip_allow_list); - while (!content.empty()) { - ts::TextView list{content.take_prefix_at(',')}; - if (0 != ats_ip_range_parse(list, addr1, addr2)) { - Debug("ssl_sni", "%.*s is not a valid format", static_cast(list.size()), list.data()); - break; - } else { - Debug("ssl_sni", "%.*s added to the ip_allow list %s", static_cast(list.size()), list.data(), servername.c_str()); - ip_map.fill(IpEndpoint().assign(addr1), IpEndpoint().assign(addr2), reinterpret_cast(1)); - } - } - } - } // end function SNI_IpAllow + SNI_IpAllow(std::string &ip_allow_list, const std::string &servername); // end function SNI_IpAllow - int - SNIAction(TLSSNISupport *snis, const Context &ctx) const override - { - // i.e, ip filtering is not required - if (ip_map.count() == 0) { - return SSL_TLSEXT_ERR_OK; - } + int SNIAction(TLSSNISupport *snis, const Context &ctx) const override; - auto ssl_vc = dynamic_cast(snis); - auto ip = ssl_vc->get_remote_endpoint(); - - // check the allowed ips - if (ip_map.contains(ip)) { - return SSL_TLSEXT_ERR_OK; - } else { - char buff[256]; - ats_ip_ntop(&ip.sa, buff, sizeof(buff)); - Debug("ssl_sni", "%s is not allowed. 
Denying connection", buff); - return SSL_TLSEXT_ERR_ALERT_FATAL; - } - } + bool TestClientSNIAction(const char *servrername, const IpEndpoint &ep, int &policy) const override; - bool - TestClientSNIAction(const char *servrername, const IpEndpoint &ep, int &policy) const override - { - bool retval = false; - if (ip_map.count() > 0) { - // Only triggers if the map didn't contain the address - retval = !ip_map.contains(ep); - } - return retval; - } +protected: + /** Load the map from @a text. + * + * @param content A list of IP addresses in text form, separated by commas or newlines. + * @param server_name Server named, used only for debugging messages. + */ + void load(ts::TextView content, ts::TextView server_name); }; /** diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc index 3ee810e5b33..412512c94b1 100644 --- a/iocore/net/SSLSNIConfig.cc +++ b/iocore/net/SSLSNIConfig.cc @@ -37,10 +37,14 @@ #include "tscore/Diags.h" #include "tscore/SimpleTokenizer.h" #include "tscore/ink_memory.h" +#include "tscpp/util/TextView.h" +#include "tscore/ts_file.h" #include "tscore/I_Layout.h" #include "tscpp/util/TextView.h" +#include "tscore/BufferWriter.h" +#include "tscore/bwf_std_format.h" #include #include #include 
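Review bot: The new `SNI_IpAllow(std::string &ip_allow_list, const std::string &servername);` declaration keeps the non-const reference without saying why, and the `TestClientSNIAction` declaration drops the only statement of its return contract (the removed body's `Only triggers if the map didn't contain the address`). I'd add `/// @param ip_allow_list Comma- or newline-separated IP list, or "@path" naming a file; when a file is given the string is replaced in place by its contents.` above the constructor, and a `/// @return` line on `TestClientSNIAction` saying whether true means the client address is allowed or denied, since the definition added in the SSLSNIConfig.cc hunk returns `ip_map.contains(ep)` while the removed one returned its negation. In the `load` doc comment, `Server named, used only for debugging messages` should read `Server name, used only for debug messages`. The enclosing `class SNI_IpAllow` opens before this hunk.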
@@ -93,6 +97,78 @@ NamedElement::set_regex_name(const std::string ®ex_name) //// // SNIConfigParams // +// ---- + +SNI_IpAllow::SNI_IpAllow(std::string &ip_allow_list, std::string const &servername) +{ + ts::TextView content{ip_allow_list}; + if (content && content[0] == '@') { + std::error_code ec; + ts::file::path path{content.remove_prefix(1)}; + ts::LocalBufferWriter<1024> w; + if (path.is_relative()) { + path = ts::file::path(Layout::get()->sysconfdir) / path; + } + ip_allow_list = ts::file::load(path, ec); + if (ec) { + w.print("SNIConfig unable to load file {} - {}", path.string(), ec); + Warning("%.*s", int(w.size()), w.data()); + } + } + this->load(ip_allow_list, servername); +} + +void +SNI_IpAllow::load(ts::TextView content, ts::TextView server_name) +{ + IpAddr addr1; + IpAddr addr2; + static constexpr ts::TextView delim{",\n"}; + static void *MARK{reinterpret_cast(1)}; + + while (!content.ltrim(delim).empty()) { + ts::TextView list{content.take_prefix_at(delim)}; + if (0 != ats_ip_range_parse(list, addr1, addr2)) { + Debug("ssl_sni", "%.*s is not a valid format", static_cast(list.size()), list.data()); + break; + } else { + Debug("ssl_sni", "%.*s added to the ip_allow list %.*s", static_cast(list.size()), list.data(), int(server_name.size()), + server_name.data()); + ip_map.fill(IpEndpoint().assign(addr1), IpEndpoint().assign(addr2), MARK); + } + } +} + +int +SNI_IpAllow::SNIAction(TLSSNISupport *snis, ActionItem::Context const &ctx) const +{ + // i.e, ip filtering is not required + if (ip_map.count() == 0) { + return SSL_TLSEXT_ERR_OK; + } + + auto ssl_vc = dynamic_cast(snis); + auto ip = ssl_vc->get_remote_endpoint(); + + // check the allowed ips + if (ip_map.contains(ip)) { + return SSL_TLSEXT_ERR_OK; + } else { + char buff[256]; + ats_ip_ntop(&ip.sa, buff, sizeof(buff)); + Debug("ssl_sni", "%s is not allowed. 
Denying connection", buff); + return SSL_TLSEXT_ERR_ALERT_FATAL; + } +} + +bool +SNI_IpAllow::TestClientSNIAction(char const *servrername, IpEndpoint const &ep, int &policy) const +{ + return ip_map.contains(ep); +} + +// ---- + const NextHopProperty * SNIConfigParams::get_property_config(const std::string &servername) const { diff --git a/proxy/IPAllow.cc b/proxy/IPAllow.cc index f0d3bd7e45f..cca7cc51657 100644 --- a/proxy/IPAllow.cc +++ b/proxy/IPAllow.cc @@ -27,6 +27,10 @@ #include #include "IPAllow.h" +#include "tscore/BufferWriter.h" +#include "tscore/bwf_std_format.h" +#include "tscore/ts_file.h" +#include "tscore/ink_memory.h" #include "tscore/Filenames.h" #include "tscpp/util/ts_errata.h" @@ -60,6 +64,29 @@ bwformat(BufferWriter &w, Spec const &spec, YAML::Mark const &mark) } // namespace swoc +namespace YAML +{ +template <> struct convert { + static Node + encode(ts::TextView const &tv) + { + Node zret; + zret = std::string(tv.data(), tv.size()); + return zret; + } + static bool + decode(const Node &node, ts::TextView &tv) + { + if (!node.IsScalar()) { + return false; + } + tv.assign(node.Scalar()); + return true; + } +}; + +} // namespace YAML + enum AclOp { ACL_OP_ALLOW, ///< Allow access. ACL_OP_DENY, ///< Deny access. diff --git a/src/tscore/BufferWriterFormat.cc b/src/tscore/BufferWriterFormat.cc index 1e97ce5fc5b..ea9341663e9 100644 --- a/src/tscore/BufferWriterFormat.cc +++ b/src/tscore/BufferWriterFormat.cc @@ -11,7 +11,6 @@ to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software From d7c28aa7982d39f18de54cdb74826d7d32b37122 Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Mon, 6 Mar 2023 22:33:48 +0000 Subject: [PATCH 02/12] add back the blank line --- src/tscore/BufferWriterFormat.cc | 1 + 1 file changed, 1 insertion(+) 
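Review bot: A missing or unreadable `@path` allow-list fails open: when `ts::file::load` sets `ec`, the constructor only emits a `Warning`, still assigns the (presumably empty) result to `ip_allow_list`, `this->load()` installs nothing, and `SNIAction` then returns `SSL_TLSEXT_ERR_OK` to every client because `ip_map.count() == 0` is read as "filtering not required". An `ip_allow` the operator explicitly configured should not silently turn into allow-all over a path typo or a permission error; this deserves `Error(...)` at least, and preferably a deny-until-loaded state, e.g. `if (ec) { Error("..."); ip_allow_list.clear(); _load_failed = true; }` with `if (_load_failed) return SSL_TLSEXT_ERR_ALERT_FATAL;` ahead of the `count() == 0` check (the flag would need a declaration in the header). In `SNI_IpAllow::load`, a malformed entry is reported only via `Debug("ssl_sni", ...)` and the `break` discards every entry after it, so with a multi-line file part of the intended list is never installed and nothing visible is logged; `Warning` there would surface it. Nothing trims surrounding whitespace either, so a trailing `\r` from a CRLF file or a space after a comma reaches `ats_ip_range_parse` and, unless that function tolerates it, triggers exactly that truncation — trimming `" \t\r"` from `list` (or the TextView equivalent) before parsing would avoid it.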
diff --git a/src/tscore/BufferWriterFormat.cc b/src/tscore/BufferWriterFormat.cc index ea9341663e9..1e97ce5fc5b 100644 --- a/src/tscore/BufferWriterFormat.cc +++ b/src/tscore/BufferWriterFormat.cc @@ -11,6 +11,7 @@ to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software From aecea1d2dd29e4c4905046122b09149b4894f7b7 Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Mon, 6 Mar 2023 22:36:52 +0000 Subject: [PATCH 03/12] remove the duplicated signature --- include/tscore/bwf_std_format.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/tscore/bwf_std_format.h b/include/tscore/bwf_std_format.h index 84579f81be9..20595631678 100644 --- a/include/tscore/bwf_std_format.h +++ b/include/tscore/bwf_std_format.h @@ -149,6 +149,4 @@ namespace bwf BufferWriter &bwformat(BufferWriter &w, BWFSpec const &spec, bwf::Errno const &e); BufferWriter &bwformat(BufferWriter &w, BWFSpec const &spec, bwf::Date const &date); BufferWriter &bwformat(BufferWriter &w, BWFSpec const &spec, bwf::OptionalAffix const &opts); -BufferWriter &bwformat(BufferWriter &w, BWFSpec const &spec, std::error_code const &ec); - } // namespace ts From 453a73d69986f34eebfdd0f54bf295c870d6b3dd Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Mon, 6 Mar 2023 22:54:25 +0000 Subject: [PATCH 04/12] remove the duplicated include for TextView.h --- iocore/net/SSLSNIConfig.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc index 412512c94b1..e290e3d6d55 100644 --- a/iocore/net/SSLSNIConfig.cc +++ b/iocore/net/SSLSNIConfig.cc @@ -37,7 +37,6 @@ #include "tscore/Diags.h" #include "tscore/SimpleTokenizer.h" #include "tscore/ink_memory.h" -#include "tscpp/util/TextView.h" #include "tscore/ts_file.h" #include "tscore/I_Layout.h" 
From 39f76d96df6c922f63f8fe6aff24cecd03fc30f9 Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Tue, 7 Mar 2023 16:58:28 +0000 Subject: [PATCH 05/12] Updated doc for the external loading functionality --- doc/admin-guide/files/sni.yaml.en.rst | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/admin-guide/files/sni.yaml.en.rst b/doc/admin-guide/files/sni.yaml.en.rst index cf15490ff73..9c4915b674f 100644 --- a/doc/admin-guide/files/sni.yaml.en.rst +++ b/doc/admin-guide/files/sni.yaml.en.rst @@ -61,6 +61,12 @@ ip_allow Inbound Specify a list of client IP address, subnets the connection. This list is comma separated. IPv4 and IPv6 addresses can be specified. Here is an example list: 192.168.1.0/24,192.168.10.1-4. This would allow connections from clients in the 19.168.1.0 network or in the range from 192.168.10.1 to 192.168.1.4. + Alternatively, the path to a file containing + the list of comma-separated IP addresses can + be specified in the form of + ``@path_to_file``. If a given file path does + not begin with ``/``, it must be relative to + the Traffic Server configuration directory. verify_server_policy Outbound One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`. @@ -86,7 +92,7 @@ verify_client_ca_certs Both Specifies an alternate set of certificate au CA certs. Otherwise, there should be up to two nested pairs. The possible keys are ``file`` and ``dir``. The value for ``file`` must be a file path for a file containing CA certs. The value for ``dir`` must be a file path for an OpenSSL - X509 hashed directory containing CA certs. If a given file path does not being + X509 hashed directory containing CA certs. If a given file path does not begin with ``/`` , it must be relative to the |TS| configuration directory. ``verify_client_ca_certs`` can only be used with capbilities provided by OpenSSL 1.0.2 or later. From ff8d4c0e7bc9fc4bef164b7d14c52ec84ff113b7 Mon Sep 17 00:00:00 2001 
From: Zhengxi Li Date: Tue, 7 Mar 2023 18:53:01 +0000 Subject: [PATCH 06/12] put the implementation of SNI_IpAllow into a separate file --- iocore/net/CMakeLists.txt | 1 + iocore/net/Makefile.am | 3 +- iocore/net/SNIActionPerformer.cc | 96 ++++++++++++++++++++++++++++++++ iocore/net/SSLSNIConfig.cc | 72 ------------------------ 4 files changed, 99 insertions(+), 73 deletions(-) create mode 100644 iocore/net/SNIActionPerformer.cc diff --git a/iocore/net/CMakeLists.txt b/iocore/net/CMakeLists.txt index d046c7c0003..16c0bf66737 100644 --- a/iocore/net/CMakeLists.txt +++ b/iocore/net/CMakeLists.txt @@ -61,6 +61,7 @@ add_library(inknet STATIC UnixUDPConnection.cc UnixUDPNet.cc SSLDynlock.cc + SNIActionPerformer.cc ) target_link_libraries(inknet inkevent records_p) target_compile_options(inknet PUBLIC -Wno-deprecated-declarations) diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am index eb2e19de635..fac842765cc 100644 --- a/iocore/net/Makefile.am +++ b/iocore/net/Makefile.am @@ -209,7 +209,8 @@ libinknet_a_SOURCES = \ UnixNetVConnection.cc \ UnixUDPConnection.cc \ UnixUDPNet.cc \ - SSLDynlock.cc + SSLDynlock.cc \ + SNIActionPerformer.cc if ENABLE_QUIC if USE_QUICHE diff --git a/iocore/net/SNIActionPerformer.cc b/iocore/net/SNIActionPerformer.cc new file mode 100644 index 00000000000..6e7dafe1b57 --- /dev/null +++ b/iocore/net/SNIActionPerformer.cc 
@@ -0,0 +1,96 @@ +/** @file + + Implementation of SNIActionPerformer + + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */ + +#include "P_SNIActionPerformer.h" +#include "tscore/ts_file.h" +#include "tscpp/util/TextView.h" +#include "tscore/BufferWriter.h" +#include "tscore/bwf_std_format.h" + +SNI_IpAllow::SNI_IpAllow(std::string &ip_allow_list, std::string const &servername) +{ + ts::TextView content{ip_allow_list}; + if (content && content[0] == '@') { + std::error_code ec; + ts::file::path path{content.remove_prefix(1)}; + ts::LocalBufferWriter<1024> w; + if (path.is_relative()) { + path = ts::file::path(Layout::get()->sysconfdir) / path; + } + ip_allow_list = ts::file::load(path, ec); + if (ec) { + w.print("SNIConfig unable to load file {} - {}", path.string(), ec); + Warning("%.*s", int(w.size()), w.data()); + } + } + this->load(ip_allow_list, servername); +} + +void +SNI_IpAllow::load(ts::TextView content, ts::TextView server_name) +{ + IpAddr addr1; + IpAddr addr2; + static constexpr ts::TextView delim{",\n"}; + static void *MARK{reinterpret_cast(1)}; + + while (!content.ltrim(delim).empty()) { + ts::TextView list{content.take_prefix_at(delim)}; + if (0 != ats_ip_range_parse(list, addr1, addr2)) { + 
Debug("ssl_sni", "%.*s is not a valid format", static_cast(list.size()), list.data()); + break; + } else { + Debug("ssl_sni", "%.*s added to the ip_allow list %.*s", static_cast(list.size()), list.data(), int(server_name.size()), + server_name.data()); + ip_map.fill(IpEndpoint().assign(addr1), IpEndpoint().assign(addr2), MARK); + } + } +} + +int +SNI_IpAllow::SNIAction(TLSSNISupport *snis, ActionItem::Context const &ctx) const +{ + // i.e, ip filtering is not required + if (ip_map.count() == 0) { + return SSL_TLSEXT_ERR_OK; + } + + auto ssl_vc = dynamic_cast(snis); + auto ip = ssl_vc->get_remote_endpoint(); + + // check the allowed ips + if (ip_map.contains(ip)) { + return SSL_TLSEXT_ERR_OK; + } else { + char buff[256]; + ats_ip_ntop(&ip.sa, buff, sizeof(buff)); + Debug("ssl_sni", "%s is not allowed. Denying connection", buff); + return SSL_TLSEXT_ERR_ALERT_FATAL; + } +} + +bool +SNI_IpAllow::TestClientSNIAction(char const *servrername, IpEndpoint const &ep, int &policy) const +{ + return ip_map.contains(ep); +} diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc index e290e3d6d55..46c993dbc0b 100644 --- a/iocore/net/SSLSNIConfig.cc +++ b/iocore/net/SSLSNIConfig.cc 
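Review bot: `SNI_IpAllow::TestClientSNIAction` returns `ip_map.contains(ep)` here, whereas the implementation patch 01 removed from P_SNIActionPerformer.h returned `!ip_map.contains(ep)` behind the comment `Only triggers if the map didn't contain the address`, so for a populated map the answer is inverted (the empty-map case still yields false) and neither that commit message nor this one mentions the change. If the caller treats true as "this action fires for the client", allowed addresses now fire and disallowed ones do not; either justify the inversion in the commit message or restore `return ip_map.count() > 0 && !ip_map.contains(ep);`, and pin it with a `/// @return` comment so the next move cannot flip it silently. In `SNIAction`, the pointer obtained from the `dynamic_cast` on `snis` is dereferenced with no null check before `get_remote_endpoint()`; that is pre-existing, but `if (ssl_vc == nullptr) { return SSL_TLSEXT_ERR_ALERT_FATAL; }` is cheap and fails closed now that the code has its own translation unit. The constructor also uses `Layout::get()` and `Warning` without including their headers in this file, relying on whatever P_SNIActionPerformer.h pulls in transitively — worth adding the direct includes.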
@@ -96,78 +96,6 @@ NamedElement::set_regex_name(const std::string ®ex_name) //// // SNIConfigParams // -// ---- - -SNI_IpAllow::SNI_IpAllow(std::string &ip_allow_list, std::string const &servername) -{ - ts::TextView content{ip_allow_list}; - if (content && content[0] == '@') { - std::error_code ec; - ts::file::path path{content.remove_prefix(1)}; - ts::LocalBufferWriter<1024> w; - if (path.is_relative()) { - path = ts::file::path(Layout::get()->sysconfdir) / path; - } - ip_allow_list = ts::file::load(path, ec); - if (ec) { - w.print("SNIConfig unable to load file {} - {}", path.string(), ec); - Warning("%.*s", int(w.size()), w.data()); - } - } - this->load(ip_allow_list, servername); -} - -void -SNI_IpAllow::load(ts::TextView content, ts::TextView server_name) -{ - IpAddr addr1; - IpAddr addr2; - static constexpr ts::TextView delim{",\n"}; - static void *MARK{reinterpret_cast(1)}; - - while (!content.ltrim(delim).empty()) { - ts::TextView list{content.take_prefix_at(delim)}; - if (0 != ats_ip_range_parse(list, addr1, addr2)) { - Debug("ssl_sni", "%.*s is not a valid format", static_cast(list.size()), list.data()); - break; - } else { - Debug("ssl_sni", "%.*s added to the ip_allow list %.*s", static_cast(list.size()), list.data(), int(server_name.size()), - server_name.data()); - ip_map.fill(IpEndpoint().assign(addr1), IpEndpoint().assign(addr2), MARK); - } - } -} - -int -SNI_IpAllow::SNIAction(TLSSNISupport *snis, ActionItem::Context const &ctx) const -{ - // i.e, ip filtering is not required - if (ip_map.count() == 0) { - return SSL_TLSEXT_ERR_OK; - } - - auto ssl_vc = dynamic_cast(snis); - auto ip = ssl_vc->get_remote_endpoint(); - - // check the allowed ips - if (ip_map.contains(ip)) { - return SSL_TLSEXT_ERR_OK; - } else { - char buff[256]; - ats_ip_ntop(&ip.sa, buff, sizeof(buff)); - Debug("ssl_sni", "%s is not allowed. 
Denying connection", buff); - return SSL_TLSEXT_ERR_ALERT_FATAL; - } -} - -bool -SNI_IpAllow::TestClientSNIAction(char const *servrername, IpEndpoint const &ep, int &policy) const -{ - return ip_map.contains(ep); -} - -// ---- - const NextHopProperty * SNIConfigParams::get_property_config(const std::string &servername) const { From de070631e4afaf5cba550adb0786eee6be21defb Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Tue, 7 Mar 2023 19:02:52 +0000 Subject: [PATCH 07/12] removed unused includes --- iocore/net/SSLSNIConfig.cc | 3 --- 1 file changed, 3 deletions(-) diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc index 46c993dbc0b..3ee810e5b33 100644 --- a/iocore/net/SSLSNIConfig.cc +++ b/iocore/net/SSLSNIConfig.cc @@ -37,13 +37,10 @@ #include "tscore/Diags.h" #include "tscore/SimpleTokenizer.h" #include "tscore/ink_memory.h" -#include "tscore/ts_file.h" #include "tscore/I_Layout.h" #include "tscpp/util/TextView.h" -#include "tscore/BufferWriter.h" -#include "tscore/bwf_std_format.h" #include #include #include From 6af0a2eaec56fe3f6aa1ce21348a9bc846ad057b Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Wed, 8 Mar 2023 19:26:36 +0000 Subject: [PATCH 08/12] removed encode and decode --- proxy/IPAllow.cc | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/proxy/IPAllow.cc b/proxy/IPAllow.cc index cca7cc51657..f0d3bd7e45f 100644 --- a/proxy/IPAllow.cc +++ b/proxy/IPAllow.cc @@ -27,10 +27,6 @@ #include #include "IPAllow.h" -#include "tscore/BufferWriter.h" -#include "tscore/bwf_std_format.h" -#include "tscore/ts_file.h" -#include "tscore/ink_memory.h" #include "tscore/Filenames.h" #include "tscpp/util/ts_errata.h" 
@@ -64,29 +60,6 @@ bwformat(BufferWriter &w, Spec const &spec, YAML::Mark const &mark) } // namespace swoc -namespace YAML -{ -template <> struct convert { - static Node - encode(ts::TextView const &tv) - { - Node zret; - zret = std::string(tv.data(), tv.size()); - return zret; - } - static bool - decode(const Node &node, ts::TextView &tv) - { - if (!node.IsScalar()) { - return false; - } - tv.assign(node.Scalar()); - return true; - } -}; - -} // namespace YAML - enum AclOp { ACL_OP_ALLOW, ///< Allow access. ACL_OP_DENY, ///< Deny access. From b73f1042fc35ee44f121d34dde5550fabc45c4b1 Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Wed, 8 Mar 2023 20:13:37 +0000 Subject: [PATCH 09/12] removed unnecessary comment --- iocore/net/P_SNIActionPerformer.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h index ed7adda1c73..ef5953fe88b 100644 --- a/iocore/net/P_SNIActionPerformer.h +++ b/iocore/net/P_SNIActionPerformer.h @@ -296,7 +296,7 @@ class SNI_IpAllow : public ActionItem IpMap ip_map; public: - SNI_IpAllow(std::string &ip_allow_list, const std::string &servername); // end function SNI_IpAllow + SNI_IpAllow(std::string &ip_allow_list, const std::string &servername); int SNIAction(TLSSNISupport *snis, const Context &ctx) const override; From 69b17ee5b01cb2c1006887d04031f0c6153de793 Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Wed, 8 Mar 2023 21:26:26 +0000 Subject: [PATCH 10/12] replace a few types with the swoc versions --- iocore/net/P_SNIActionPerformer.h | 3 ++- iocore/net/SNIActionPerformer.cc | 23 +++++++++++------------ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h index ef5953fe88b..9b53c53fb3a 100644 --- a/iocore/net/P_SNIActionPerformer.h +++ b/iocore/net/P_SNIActionPerformer.h 
@@ -35,6 +35,7 @@ #include "P_SSLNetVConnection.h" #include "SNIActionPerformer.h" #include "SSLTypes.h" +#include "swoc/TextView.h" #include "tscore/ink_inet.h" @@ -308,7 +309,7 @@ class SNI_IpAllow : public ActionItem * @param content A list of IP addresses in text form, separated by commas or newlines. * @param server_name Server named, used only for debugging messages. */ - void load(ts::TextView content, ts::TextView server_name); + void load(swoc::TextView content, swoc::TextView server_name); }; /** diff --git a/iocore/net/SNIActionPerformer.cc b/iocore/net/SNIActionPerformer.cc index 6e7dafe1b57..3d9fec0280b 100644 --- a/iocore/net/SNIActionPerformer.cc +++ b/iocore/net/SNIActionPerformer.cc @@ -22,23 +22,22 @@ */ #include "P_SNIActionPerformer.h" -#include "tscore/ts_file.h" -#include "tscpp/util/TextView.h" -#include "tscore/BufferWriter.h" -#include "tscore/bwf_std_format.h" +#include "swoc/swoc_file.h" +#include "swoc/BufferWriter.h" +#include "swoc/bwf_std.h" SNI_IpAllow::SNI_IpAllow(std::string &ip_allow_list, std::string const &servername) { - ts::TextView content{ip_allow_list}; + swoc::TextView content{ip_allow_list}; if (content && content[0] == '@') { std::error_code ec; - ts::file::path path{content.remove_prefix(1)}; - ts::LocalBufferWriter<1024> w; + swoc::file::path path{content.remove_prefix(1)}; if (path.is_relative()) { - path = ts::file::path(Layout::get()->sysconfdir) / path; + path = swoc::file::path(Layout::get()->sysconfdir) / path; } - ip_allow_list = ts::file::load(path, ec); + ip_allow_list = swoc::file::load(path, ec); if (ec) { + swoc::LocalBufferWriter<1024> w; w.print("SNIConfig unable to load file {} - {}", path.string(), ec); Warning("%.*s", int(w.size()), w.data()); } 
@@ -47,15 +46,15 @@ SNI_IpAllow::SNI_IpAllow(std::string &ip_allow_list, std::string const &serverna } void -SNI_IpAllow::load(ts::TextView content, ts::TextView server_name) +SNI_IpAllow::load(swoc::TextView content, swoc::TextView server_name) { IpAddr addr1; IpAddr addr2; - static constexpr ts::TextView delim{",\n"}; + static constexpr swoc::TextView delim{",\n"}; static void *MARK{reinterpret_cast(1)}; while (!content.ltrim(delim).empty()) { - ts::TextView list{content.take_prefix_at(delim)}; + swoc::TextView list{content.take_prefix_at(delim)}; if (0 != ats_ip_range_parse(list, addr1, addr2)) { Debug("ssl_sni", "%.*s is not a valid format", static_cast(list.size()), list.data()); break; From da18e3d2515a903fad3f3d210853ca593476017f Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Wed, 8 Mar 2023 22:22:21 +0000 Subject: [PATCH 11/12] enhanced documentation --- doc/admin-guide/files/sni.yaml.en.rst | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/doc/admin-guide/files/sni.yaml.en.rst b/doc/admin-guide/files/sni.yaml.en.rst index 9c4915b674f..c5ae8b65e84 100644 --- a/doc/admin-guide/files/sni.yaml.en.rst +++ b/doc/admin-guide/files/sni.yaml.en.rst 
@@ -61,12 +61,17 @@ ip_allow Inbound Specify a list of client IP address, subnets the connection. This list is comma separated. IPv4 and IPv6 addresses can be specified. Here is an example list: 192.168.1.0/24,192.168.10.1-4. This would allow connections from clients in the 19.168.1.0 network or in the range from 192.168.10.1 to 192.168.1.4. + Alternatively, the path to a file containing - the list of comma-separated IP addresses can - be specified in the form of - ``@path_to_file``. If a given file path does - not begin with ``/``, it must be relative to - the Traffic Server configuration directory. + the list of IP addresses can be specified in + the form of ``"@path_to_file"``. The IP + addresses in the file can be either + comma-separated or line-separated. If a + given file path does not begin with ``/``, + it must be relative to the Traffic Server + configuration directory. Here is an example + showing this form of the configuration: + ``ip_allow: "@ip_dir/example.com.ip.txt"`` verify_server_policy Outbound One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`. From 4fc662b4e168288abf81396f2d4299d058631735 Mon Sep 17 00:00:00 2001 From: Zhengxi Li Date: Wed, 8 Mar 2023 22:32:21 +0000 Subject: [PATCH 12/12] make the documentation visually better by adding a line-break --- doc/admin-guide/files/sni.yaml.en.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/admin-guide/files/sni.yaml.en.rst b/doc/admin-guide/files/sni.yaml.en.rst index c5ae8b65e84..36563d62023 100644 --- a/doc/admin-guide/files/sni.yaml.en.rst +++ b/doc/admin-guide/files/sni.yaml.en.rst @@ -71,6 +71,7 @@ ip_allow Inbound Specify a list of client IP address, subnets it must be relative to the Traffic Server configuration directory. Here is an example showing this form of the configuration: + ``ip_allow: "@ip_dir/example.com.ip.txt"`` verify_server_policy Outbound One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`.