diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index 42370b7d023..6d7160b4805 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -906,6 +906,13 @@ HttpSM::state_read_client_request_header(int event, void *data) } } + if (t_state.hdr_info.client_request.method_get_wksidx() == HTTP_WKSIDX_PUSH && + t_state.http_config_param->push_method_enabled == 0) { + SMDebug("http", "Rejecting PUSH request because push_method_enabled is 0."); + call_transact_and_set_next_state(HttpTransact::Forbidden); + return 0; + } + // Call to ensure the content-length and transfer_encoding elements in client_request are filled in HttpTransact::set_client_request_state(&t_state, &t_state.hdr_info.client_request); diff --git a/tests/gold_tests/bigobj/bigobj.test.py b/tests/gold_tests/bigobj/bigobj.test.py index cb7971392c4..b46f4178785 100644 --- a/tests/gold_tests/bigobj/bigobj.test.py +++ b/tests/gold_tests/bigobj/bigobj.test.py @@ -33,7 +33,7 @@ Test.Setup.Copy(os.path.join(Test.Variables.AtsBuildGoldTestsDir, 'bigobj', 'push_request')) Test.Setup.Copy(os.path.join(Test.Variables.AtsBuildGoldTestsDir, 'bigobj', 'check_ramp')) -ts = Test.MakeATSProcess("ts", enable_tls=True) +ts = Test.MakeATSProcess("ts1", enable_tls=True) ts.addDefaultSSLFiles() ts.Disk.records_config.update({ @@ -42,8 +42,8 @@ 'proxy.config.http.cache.required_headers': 0, # No required headers for caching 'proxy.config.http.push_method_enabled': 1, 'proxy.config.proxy_name': 'Poxy_Proxy', # This will be the server name. - 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir), - 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), + 'proxy.config.ssl.server.cert.path': ts.Variables.SSLDir, + 'proxy.config.ssl.server.private_key.path': ts.Variables.SSLDir, 'proxy.config.url_remap.remap_required': 0 }) 
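Review bot: The PUSH guard added to `HttpSM::state_read_client_request_header` reports the rejection only through `SMDebug("http", ...)`, so with debug tags off this code path leaves no trace of an attempted PUSH; whether the resulting 403 reaches the access log is not visible in this hunk. The tests in this commit use PUSH to place a client-supplied object in the cache, so consider recording the rejection at a level that does not depend on debug tags. The block also has no comment explaining its placement ahead of `HttpTransact::set_client_request_state`; something like `// PUSH stores a client-supplied object in the cache; refuse it here, before content-length/transfer-encoding state is filled in, when the method is disabled.` would record the intent. The function starts and ends outside the hunk, so whether an earlier return path can bypass the guard cannot be checked from here.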
@@ -66,56 +66,82 @@ # obj_kilobytes = 10 * 1024 -tr = Test.AddTestRun() +tr = Test.AddTestRun("PUSH an object to the cache") # Delay on readiness of TS IPv4 ssl port -tr.Processes.Default.StartBefore(Test.Processes.ts) +tr.Processes.Default.StartBefore(ts) # # Put object with URL http://localhost/bigobj in cache using PUSH request. tr.Processes.Default.Command = ( - './push_request {} | nc localhost {}'.format(obj_kilobytes, ts.Variables.port) + f'./push_request {obj_kilobytes} | nc localhost {ts.Variables.port}' ) tr.Processes.Default.ReturnCode = 0 -# GET bigobj -- cleartext, HTTP 1.1, IPv4 -# -tr = Test.AddTestRun() +tr = Test.AddTestRun("GET bigobj: cleartext, HTTP/1.1, IPv4") tr.Processes.Default.Command = ( - 'curl --verbose --ipv4 --http1.1 --header "Host: localhost"' + - ' http://localhost:{}/bigobj 2>> log.txt | ./check_ramp {}' - .format(ts.Variables.port, obj_kilobytes) + 'curl --verbose --ipv4 --http1.1 --header "Host: localhost"' + f' http://localhost:{ts.Variables.port}/bigobj 2>> log.txt |' + f' ./check_ramp {obj_kilobytes}' ) tr.Processes.Default.ReturnCode = 0 -# GET bigobj -- TLS, HTTP 1.1, IPv4 -# -tr = Test.AddTestRun() +tr = Test.AddTestRun("GET bigobj: TLS, HTTP/1.1, IPv4") tr.Processes.Default.Command = ( - 'curl --verbose --ipv4 --http1.1 --insecure --header "Host: localhost"' + - ' https://localhost:{}/bigobj 2>> log.txt | ./check_ramp {}' - .format(ts.Variables.ssl_port, obj_kilobytes) + 'curl --verbose --ipv4 --http1.1 --insecure --header "Host: localhost"' + f' https://localhost:{ts.Variables.ssl_port}/bigobj 2>> log.txt |' + f' ./check_ramp {obj_kilobytes}' ) tr.Processes.Default.ReturnCode = 0 -# GET bigobj -- TLS, HTTP 2, IPv4 -# -tr = Test.AddTestRun() +tr = Test.AddTestRun("GET bigobj: TLS, HTTP/2, IPv4") tr.Processes.Default.Command = ( - 'curl --verbose --ipv4 --http2 --insecure --header "Host: localhost"' + - ' https://localhost:{}/bigobj 2>> log.txt | ./check_ramp {}' - .format(ts.Variables.ssl_port, obj_kilobytes) + 'curl 
--verbose --ipv4 --http2 --insecure --header "Host: localhost"' + f' https://localhost:{ts.Variables.ssl_port}/bigobj 2>> log.txt |' + f' ./check_ramp {obj_kilobytes}' ) tr.Processes.Default.ReturnCode = 0 -# GET bigobj -- TLS, HTTP 2, IPv6 -# -tr = Test.AddTestRun() +tr = Test.AddTestRun("GET bigobj: TLS, HTTP/2, IPv6") tr.Processes.Default.Command = ( - 'curl --verbose --ipv6 --http2 --insecure --header "Host: localhost"' + - ' https://localhost:{}/bigobj 2>> log.txt | ./check_ramp {}' - .format(ts.Variables.ssl_portv6, obj_kilobytes) + 'curl --verbose --ipv6 --http2 --insecure --header "Host: localhost"' + f' https://localhost:{ts.Variables.ssl_portv6}/bigobj 2>> log.txt |' + f' ./check_ramp {obj_kilobytes}' ) tr.Processes.Default.ReturnCode = 0 tr = Test.AddTestRun() tr.Processes.Default.Command = "sed 's/0 log2.txt" tr.Processes.Default.ReturnCode = 0 + +# Verify that PUSH requests are rejected when push_method_enabled is 0 (the +# default configuration). +ts = Test.MakeATSProcess("ts2", enable_tls=True) +ts.addDefaultSSLFiles() + +ts.Disk.records_config.update({ + 'proxy.config.diags.debug.enabled': 1, + 'proxy.config.diags.debug.tags': 'http|dns|cache', + 'proxy.config.http.cache.required_headers': 0, # No required headers for caching + 'proxy.config.proxy_name': 'Poxy_Proxy', # This will be the server name. 
+ 'proxy.config.ssl.server.cert.path': ts.Variables.SSLDir, + 'proxy.config.ssl.server.private_key.path': ts.Variables.SSLDir, + 'proxy.config.url_remap.remap_required': 0 +}) + +ts.Disk.ssl_multicert_config.AddLine( + 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key' +) + +ts.Disk.remap_config.AddLine( + 'map https://localhost http://localhost' +) + +tr = Test.AddTestRun("PUSH request is rejected when push_method_enabled is 0") +tr.Processes.Default.StartBefore(ts) +tr.Processes.Default.Command = ( + f'./push_request {obj_kilobytes} | nc localhost {ts.Variables.port}' +) +tr.Processes.Default.ReturnCode = 1 +tr.Processes.Default.Streams.stdout = Testers.ContainsExpression( + "403 Access Denied", + "The PUSH request should have received a 403 response." +) diff --git a/tests/gold_tests/ip_allow/ip_allow.test.py b/tests/gold_tests/ip_allow/ip_allow.test.py index 95dfaaec163..cdd0657992d 100644 --- a/tests/gold_tests/ip_allow/ip_allow.test.py +++ b/tests/gold_tests/ip_allow/ip_allow.test.py @@ -86,6 +86,7 @@ ts.Disk.records_config.update({ 'proxy.config.diags.debug.enabled': 1, 'proxy.config.diags.debug.tags': 'ip-allow', + 'proxy.config.http.push_method_enabled': 1, 'proxy.config.http.connect_ports': '{0}'.format(server.Variables.SSL_Port), 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), diff --git a/tests/gold_tests/proxy_protocol/proxy_serve_stale.test.py b/tests/gold_tests/proxy_protocol/proxy_serve_stale.test.py index eabc31570ec..30cfcbb9535 100644 --- a/tests/gold_tests/proxy_protocol/proxy_serve_stale.test.py +++ b/tests/gold_tests/proxy_protocol/proxy_serve_stale.test.py 
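Review bot: The new ts2 test run in bigobj.test.py checks only the 403 status line and the pipeline's exit code; it does not confirm that nothing was stored in the cache, which is the property the rejection is meant to protect. A follow-up run that requests /bigobj from ts2 and expects it not to be served from cache would pin that down (the expected status depends on origin setup not shown here). `ReturnCode = 1` is the exit status of `nc` at the end of the pipe, which presumably differs between netcat implementations, so the `ContainsExpression("403 Access Denied", ...)` check is the dependable assertion. If the test should keep its meaning regardless of the shipped default, set the value explicitly with `'proxy.config.http.push_method_enabled': 0,` in the ts2 `records_config`.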
@@ -45,6 +45,7 @@ def _configure_ts(self): self.ts_child = Test.MakeATSProcess("ts_child") # Config child proxy to route to parent proxy self.ts_child.Disk.records_config.update({ + 'proxy.config.http.push_method_enabled': 1, 'proxy.config.http.parent_proxy.fail_threshold': 2, 'proxy.config.http.parent_proxy.total_connect_attempts': 1, 'proxy.config.http.cache.max_stale_age': 10, diff --git a/tests/gold_tests/proxy_protocol/proxy_serve_stale_dns_fail.test.py b/tests/gold_tests/proxy_protocol/proxy_serve_stale_dns_fail.test.py index 19e87df2203..c8cb60ad38c 100644 --- a/tests/gold_tests/proxy_protocol/proxy_serve_stale_dns_fail.test.py +++ b/tests/gold_tests/proxy_protocol/proxy_serve_stale_dns_fail.test.py @@ -28,6 +28,7 @@ # Config child proxy to route to parent proxy ts_child.Disk.records_config.update({ + 'proxy.config.http.push_method_enabled': 1, 'proxy.config.url_remap.pristine_host_hdr': 1, 'proxy.config.http.cache.max_stale_age': 10, 'proxy.config.http.parent_proxy.self_detect': 0, @@ -42,6 +43,7 @@ # Configure parent proxy ts_parent.Disk.records_config.update({ + 'proxy.config.http.push_method_enabled': 1, 'proxy.config.url_remap.pristine_host_hdr': 1, 'proxy.config.http.cache.max_stale_age': 10, 'proxy.config.dns.nameservers': f"127.0.0.1:{nameserver.Variables.Port}",