| author | Haw Loeung <[email protected]> | 2024-05-10 10:25:01 +1000 |
|---|---|---|
| committer | Haw Loeung <[email protected]> | 2024-05-10 10:27:59 +1000 |
| commit | 638443bfad70b34556adc506a27193ca417b6f14 (patch) | |
| tree | 7fc0e3275e2902419005dba1c2cedbbaa041dc76 | |
| parent | 03ebc45b509f558053251acc38814b5a37da712e (diff) | |
Fix duplicate X-F-F headers when more than one location
12 files changed, 60 insertions, 1 deletions
diff --git a/reactive/content_cache.py b/reactive/content_cache.py index ebbb3ab..c110cd2 100644 --- a/reactive/content_cache.py +++ b/reactive/content_cache.py @@ -345,7 +345,11 @@ def configure_haproxy(): # NOQA: C901 LP#1825084 new_cached_loc_conf['backend-options'] = site_conf.get('haproxy-extra-configs', []) # Rather than enable haproxy's 'option forwardfor' we want to replace # the X-F-F header in case it's spoofed. - new_cached_loc_conf['backend-options'].insert(0, 'http-request set-header X-Forwarded-For %[src]') + if ( + len(new_cached_loc_conf['backend-options']) == 0 + or new_cached_loc_conf['backend-options'][0] != 'http-request set-header X-Forwarded-For %[src]' + ): + new_cached_loc_conf['backend-options'].insert(0, 'http-request set-header X-Forwarded-For %[src]') new_cached_loc_conf['rate-limit'] = loc_conf.get('rate-limit', '') diff --git a/tests/unit/files/config_test_config.txt b/tests/unit/files/config_test_config.txt index eab890b..c4f748b 100644 --- a/tests/unit/files/config_test_config.txt +++ b/tests/unit/files/config_test_config.txt @@ -30,14 +30,26 @@ site2.local: - 127.0.1.10:443 - 127.0.1.11:443 - 127.0.1.12:443 + backend-options: ['http-request set-header X-Forwarded-For %[src]'] /my-local-content/: extra-config: - root /var/www/html /my-local-content2/: extra-configs: - root /var/www/html + /.well-known/matrix/server: + extra-config: + - "return 200 '{\"m.server\": \"chat-server.ubuntu.com:443\"}'" + /.well-known/matrix/client: + extra-config: + - "return 200 '{\"m.homeserver\": {\"base_url\": \"https://chat-server.ubuntu.com\"}}'" # Test default site with only a single backend. default: True + haproxy-extra-configs: + - http-request set-var(txn.path) path + - acl p_matrix var(txn.path) -m beg /.well-known/matrix + - http-response set-header Content-Type application/json if p_matrix + - http-response set-header Access-Control-Allow-Origin * if p_matrix # Test 3: No port, just backends (HTTP), with custom cache-maxconn site3.local: 
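Review bot: The new guard in configure_haproxy() treats the symptom rather than the cause, because `site_conf.get('haproxy-extra-configs', [])` returns the site's own list and the `insert(0, ...)` still mutates `site_conf` in place, so every later location of that site starts from the already-modified list. Copying first, `new_cached_loc_conf['backend-options'] = list(site_conf.get('haproxy-extra-configs', []))`, would let the insert stay unconditional and give each backend exactly one X-Forwarded-For override at the top. As written, the check compares only element 0 against the exact string, so the same directive at any other index is not recognised. Since this line is the anti-spoofing control, the literal would be better named once as a module constant than repeated twice. The enclosing function and the loop over locations lie outside the hunk, so the aliasing is inferred from the visible assignment.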
diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt index c08bb5a..6d6cbed 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt @@ -209,12 +209,17 @@ backend backend-cached-site2-local http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] + http-request set-var(txn.path) path + acl p_matrix var(txn.path) -m beg /.well-known/matrix + http-response set-header Content-Type application/json if p_matrix + http-response set-header Access-Control-Allow-Origin * if p_matrix balance leastconn server server_1 127.0.0.1:6081 check inter 2s rise 2 fall 60 maxconn 3072 backend backend-site2-local option httpchk GET /check/ HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] option redispatch 1 balance leastconn server server_1 127.0.1.10:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt index bece830..56189ae 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt 
@@ -209,12 +209,17 @@ backend backend-cached-site2-local http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] + http-request set-var(txn.path) path + acl p_matrix var(txn.path) -m beg /.well-known/matrix + http-response set-header Content-Type application/json if p_matrix + http-response set-header Access-Control-Allow-Origin * if p_matrix balance leastconn server server_1 127.0.0.1:6081 check inter 2s rise 2 fall 60 maxconn 3072 backend backend-site2-local option httpchk GET /check/ HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] option redispatch 1 balance leastconn server server_1 127.0.1.10:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt index f05826e..032728a 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt 
@@ -209,12 +209,17 @@ backend backend-cached-site2-local http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] + http-request set-var(txn.path) path + acl p_matrix var(txn.path) -m beg /.well-known/matrix + http-response set-header Content-Type application/json if p_matrix + http-response set-header Access-Control-Allow-Origin * if p_matrix balance roundrobin server server_1 127.0.0.1:6081 check inter 2s rise 2 fall 60 maxconn 3072 backend backend-site2-local option httpchk GET /check/ HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] option redispatch 1 balance roundrobin server server_1 127.0.1.10:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt index ddbc8c6..c72b5ee 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt 
@@ -210,12 +210,17 @@ backend backend-cached-site2-local http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] + http-request set-var(txn.path) path + acl p_matrix var(txn.path) -m beg /.well-known/matrix + http-response set-header Content-Type application/json if p_matrix + http-response set-header Access-Control-Allow-Origin * if p_matrix balance leastconn server server_1 127.0.0.1:6081 check inter 2s rise 2 fall 60 maxconn 3072 backend backend-site2-local option httpchk GET /check/ HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] option redispatch 1 balance leastconn server server_1 127.0.1.10:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt index e48af71..c5251fa 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt @@ -213,6 +213,10 @@ backend backend-cached-site2-local http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] + http-request set-var(txn.path) path + acl p_matrix var(txn.path) -m beg /.well-known/matrix + http-response set-header Content-Type application/json if p_matrix + http-response set-header Access-Control-Allow-Origin * if p_matrix balance leastconn server server_1 127.0.0.1:6081 check inter 2s rise 2 fall 60 maxconn 3072 
@@ -220,6 +224,7 @@ backend backend-site2-local option httpchk GET /check/ HTTP/1.1 http-check send hdr Host site2.local hdr User-Agent haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] retry-on all-retryable-errors option redispatch 1 balance leastconn diff --git a/tests/unit/files/haproxy_config_rendered_backends_stanzas_test_output.txt b/tests/unit/files/haproxy_config_rendered_backends_stanzas_test_output.txt index 565c469..48984b1 100644 --- a/tests/unit/files/haproxy_config_rendered_backends_stanzas_test_output.txt +++ b/tests/unit/files/haproxy_config_rendered_backends_stanzas_test_output.txt @@ -10,6 +10,7 @@ backend backend-site1-local backend backend-site2-local option httpchk GET /check/ HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] balance leastconn server server_1 127.0.1.10:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt server server_2 127.0.1.11:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt diff --git a/tests/unit/files/haproxy_config_rendered_test_output.txt b/tests/unit/files/haproxy_config_rendered_test_output.txt index 4121b07..ba08267 100644 --- a/tests/unit/files/haproxy_config_rendered_test_output.txt +++ b/tests/unit/files/haproxy_config_rendered_test_output.txt 
@@ -126,6 +126,7 @@ backend backend-site1-local backend backend-site2-local option httpchk GET /check/ HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] balance leastconn server server_1 127.0.1.10:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt server server_2 127.0.1.11:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt diff --git a/tests/unit/files/haproxy_config_rendered_test_output2.txt b/tests/unit/files/haproxy_config_rendered_test_output2.txt index 22c56ab..a5b3d08 100644 --- a/tests/unit/files/haproxy_config_rendered_test_output2.txt +++ b/tests/unit/files/haproxy_config_rendered_test_output2.txt @@ -126,6 +126,7 @@ backend backend-site1-local backend backend-site2-local option httpchk GET /check/ HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] balance leastconn server server_1 127.0.1.10:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt server server_2 127.0.1.11:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt diff --git a/tests/unit/files/haproxy_config_rendered_test_output_with_extra_configs.txt b/tests/unit/files/haproxy_config_rendered_test_output_with_extra_configs.txt index 7166d28..0ec24fa 100644 --- a/tests/unit/files/haproxy_config_rendered_test_output_with_extra_configs.txt +++ b/tests/unit/files/haproxy_config_rendered_test_output_with_extra_configs.txt 
@@ -126,6 +126,7 @@ backend backend-site1-local backend backend-site2-local option httpchk GET /check/ HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header Host site2.local + http-request set-header X-Forwarded-For %[src] balance leastconn server server_1 127.0.1.10:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt server server_2 127.0.1.11:443 check inter 5s rise 2 fall 5 maxconn 1024 ssl sni str(site2.local) check-sni site2.local verify required ca-file ca-certificates.crt diff --git a/tests/unit/files/nginx_config_rendered_test_output-site2.local.txt b/tests/unit/files/nginx_config_rendered_test_output-site2.local.txt index 6264b6e..b3392bd 100644 --- a/tests/unit/files/nginx_config_rendered_test_output-site2.local.txt +++ b/tests/unit/files/nginx_config_rendered_test_output-site2.local.txt @@ -43,6 +43,20 @@ server { root /var/www/html; } + + location /.well-known/matrix/server { + proxy_cache 9813f9fe7826-cache; + add_header X-Cache-Status "$upstream_cache_status from mock-content-cache/0"; + return 200 '{"m.server": "chat-server.ubuntu.com:443"}'; + } + + + location /.well-known/matrix/client { + proxy_cache 9813f9fe7826-cache; + add_header X-Cache-Status "$upstream_cache_status from mock-content-cache/0"; + return 200 '{"m.homeserver": {"base_url": "https://chat-server.ubuntu.com"}}'; + } + location /_status/content-cache-check { stub_status; } |
