Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: show proper req.url in HTTPS mode #5968

Merged
merged 9 commits into from
Sep 6, 2023
Merged

fix: show proper req.url in HTTPS mode #5968

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
090d94c
fix: show proper `req.url` in HTTPS mode
Skn0tt Aug 28, 2023
58b40b3
fix: use x-nf-passthrough-proto
Skn0tt Sep 4, 2023
d528543
Merge branch 'main' into fix-5945
Skn0tt Sep 5, 2023
dfa73c9
refactor: use settings.https to detect https
Skn0tt Sep 5, 2023
18fe0a1
refactor: throw 500 error in test
Skn0tt Sep 5, 2023
3c9a98c
chore: remove unused import
Skn0tt Sep 5, 2023
bb5f238
fix: update bootstrap url
Skn0tt Sep 5, 2023
a60764c
fix: use .com
Skn0tt Sep 5, 2023
f57689e
Merge branch 'main' into fix-5945
Skn0tt Sep 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/lib/edge-functions/bootstrap.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import { env } from 'process'

const latestBootstrapURL = 'https://64c264287e9cbb0008621df3--edge.netlify.com/bootstrap/index-combined.ts'
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to merge the ef-bootstrap PR first, so we can update the URL here.

const latestBootstrapURL = 'https://deploy-preview-294--edge.netlify.app/bootstrap/index-combined.ts'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's not forget to change this before merging.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done in bb5f238


export const getBootstrapURL = () => env.NETLIFY_EDGE_BOOTSTRAP || latestBootstrapURL
1 change: 1 addition & 0 deletions src/lib/edge-functions/headers.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ export const headers = {
DeployID: 'x-nf-deploy-id',
FeatureFlags: 'x-nf-feature-flags',
ForwardedHost: 'x-forwarded-host',
ForwardedProtocol: 'x-forwarded-proto',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this one still needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're still using x-forwarded-proto in the code. x-forwarded-host could be removed, if we wanted - but I think it's also fine to leave it in, so it's easier to discover the headers that ef-bootstrap takes in the future 🀷

Functions: 'x-nf-edge-functions',
InvocationMetadata: 'x-nf-edge-functions-metadata',
Geo: 'x-nf-geo',
Expand Down
16 changes: 6 additions & 10 deletions src/lib/edge-functions/proxy.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,8 +94,8 @@ export const initializeProxy = async ({
inspectSettings,
mainPort,
offline,
passthroughPort,
projectDir,
settings,
siteInfo,
state,
}) => {
Expand All @@ -122,6 +122,7 @@ export const initializeProxy = async ({
internalFunctions,
port: isolatePort,
projectDir,
settings,
})
const hasEdgeFunctions = userFunctionsPath !== undefined || internalFunctionsPath

Expand Down Expand Up @@ -167,11 +168,11 @@ export const initializeProxy = async ({
}

const featureFlags = ['edge_functions_bootstrap_failure_mode']
const forwardedHost = `localhost:${passthroughPort}`

req[headersSymbol] = {
[headers.FeatureFlags]: getFeatureFlagsHeader(featureFlags),
[headers.ForwardedHost]: forwardedHost,
[headers.ForwardedHost]: req.headers.host,
[headers.ForwardedProtocol]: req.socket.encrypted ? 'https:' : 'http:',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make the caller method pass settings.https rather than using req.socket.encrypted here? That way we have a unified detection mechanism for whether we're running on HTTPS.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done in dfa73c9

[headers.Functions]: functionNames.join(','),
[headers.InvocationMetadata]: getInvocationMetadataHeader(invocationMetadata),
[headers.IP]: LOCAL_HOST,
Expand All @@ -182,13 +183,6 @@ export const initializeProxy = async ({
req[headersSymbol][headers.DebugLogging] = '1'
}

// If we're using a different port for passthrough requests, which is the
// case when the CLI is running on HTTPS, use it on the Host header so
// that the request URL inside the edge function is something accessible.
if (mainPort !== passthroughPort) {
req[headersSymbol].host = forwardedHost
}

return `http://${LOCAL_HOST}:${isolatePort}`
}
}
Expand All @@ -207,6 +201,7 @@ const prepareServer = async ({
internalFunctions,
port,
projectDir,
settings,
}) => {
// Merging internal with user-defined import maps.
const importMapPaths = [...importMaps, config.functions['*'].deno_import_map]
Expand All @@ -227,6 +222,7 @@ const prepareServer = async ({
importMapPaths,
inspectSettings,
port,
certificatePath: settings?.https?.certFilePath,
})
const registry = new EdgeFunctionsRegistry({
bundler,
Expand Down
17 changes: 1 addition & 16 deletions src/utils/proxy.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ import contentType from 'content-type'
import cookie from 'cookie'
import { getProperty } from 'dot-prop'
import generateETag from 'etag'
import getAvailablePort from 'get-port'
import httpProxy from 'http-proxy'
import { createProxyMiddleware } from 'http-proxy-middleware'
import jwtDecode from 'jwt-decode'
Expand Down Expand Up @@ -681,7 +680,6 @@ export const startProxy = async function ({
siteInfo,
state,
}) {
const secondaryServerPort = settings.https ? await getAvailablePort() : null
const functionsServer = settings.functionsPort ? `http://127.0.0.1:${settings.functionsPort}` : null
const edgeFunctionsProxy = await initializeEdgeFunctionsProxy({
config,
Expand All @@ -694,10 +692,10 @@ export const startProxy = async function ({
inspectSettings,
mainPort: settings.port,
offline,
passthroughPort: secondaryServerPort || settings.port,
projectDir,
siteInfo,
accountId,
settings,
state,
})
const proxy = await initializeProxy({
Expand Down Expand Up @@ -742,19 +740,6 @@ export const startProxy = async function ({

const eventQueue = [once(primaryServer, 'listening')]

// If we're running the main server on HTTPS, we need to start a secondary
// server on HTTP for receiving passthrough requests from edge functions.
// This lets us run the Deno server on HTTP and avoid the complications of
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this PR, we're passing the "potentially untrusted certificate" into Deno via the --certs flag.

This functionality was originally implemented in denoland/deno#3972, and it works by adding the cert as a trusted root certificate to the HTTP client:

https://github.com/denoland/deno/pull/3972/files#diff-5c6fb275a66a1b02f99597f6e9b36297274abd4b16926b9fb2d412f94ee0700eR52

From my perspective, this should be fine. Maybe Eduardo can elaborate on the complications they had in mind when they're back.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you seen the PR that introduced that functionality? #5409

// Deno talking to Node on HTTPS with potentially untrusted certificates.
if (secondaryServerPort) {
const secondaryServer = http.createServer(onRequestWithOptions)

secondaryServer.on('upgrade', onUpgrade)
secondaryServer.listen({ port: secondaryServerPort })

eventQueue.push(once(secondaryServer, 'listening'))
}

await Promise.all(eventQueue)

return getProxyUrl(settings)
Expand Down
10 changes: 10 additions & 0 deletions tests/integration/200.command.dev.test.cjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,6 +244,10 @@ export const handler = async function () {

return new Response(text.toUpperCase(), res)
}

if (req.url.includes('?ef=url')) {
return new Response(req.url)
}
},
name: 'hello',
})
Expand All @@ -255,6 +259,12 @@ export const handler = async function () {
])
await withDevServer({ cwd: builder.directory, args }, async ({ port }) => {
const options = { https: { rejectUnauthorized: false } }
t.is(
await got(`https://localhost:${port}/?ef=url`, {
...options,
}).text(),
`https://localhost:${port}/?ef=url`,
)
t.is(await got(`https://localhost:${port}`, options).text(), 'index')
t.is(await got(`https://localhost:${port}?ef=true`, options).text(), 'INDEX')
t.is(await got(`https://localhost:${port}?ef=fetch`, options).text(), 'ORIGIN')
Expand Down