use AnyEvent::HTTP;
use AnyEvent::Handle;
-use AnyEvent::IO;
use AnyEvent::Socket;
# use AnyEvent::Strict; # only use this for debugging
use AnyEvent::TLS;
delete $reqstate->{request};
delete $reqstate->{proto};
delete $reqstate->{accept_gzip};
+ delete $reqstate->{accept_deflate};
delete $reqstate->{starttime};
if ($reqstate->{tmpfilename}) {
$reqstate->{hdl}->timeout($self->{timeout});
$nocomp = 1 if !$self->{compression};
- $nocomp = 1 if !$reqstate->{accept_gzip};
+ $nocomp = 1 if !$reqstate->{accept_gzip} && !$reqstate->{accept_deflate};
my $code = $resp->code;
my $msg = $resp->message || HTTP::Status::status_message($code);
$content_length = length($content);
if (!$nocomp && ($content_length > 1024)) {
- my $comp = Compress::Zlib::memGzip($content);
- $resp->header('Content-Encoding', 'gzip');
- $content = $comp;
- $content_length = length($content);
+ if ($reqstate->{accept_gzip}) {
+ my $comp = Compress::Zlib::memGzip($content);
+ $resp->header('Content-Encoding', 'gzip');
+ $content = $comp;
+ } elsif ($reqstate->{accept_deflate}) {
+ my $comp = Compress::Zlib::compress($content);
+ $resp->header('Content-Encoding', 'deflate');
+ $content = $comp;
+ }
}
+ $content_length = length($content);
$resp->header("Content-Length" => $content_length);
$reqstate->{log}->{content_length} = $content_length;
$proxyhdl->{block_disconnect} = 1 if length $proxyhdl->{wbuf};
$proxyhdl->push_shutdown();
- }
+ }
$hdl->push_shutdown();
} elsif ($opcode == 9) {
# ping received, schedule pong
if $auth->{api_token};
$headers->{'CSRFPreventionToken'} = $auth->{token}
if $auth->{token};
- $headers->{'Accept-Encoding'} = 'gzip' if ($reqstate->{accept_gzip} && $self->{compression});
+ if ($self->{compression}) {
+ if ($reqstate->{accept_deflate} && $reqstate->{accept_gzip}) {
+ $headers->{'Accept-Encoding'} = 'gzip, deflate';
+ } elsif ($reqstate->{accept_gzip}) {
+ $headers->{'Accept-Encoding'} = 'gzip';
+ } elsif ($reqstate->{accept_deflate}) {
+ $headers->{'Accept-Encoding'} = 'deflate';
+ }
+ }
if (defined(my $host = $reqstate->{request}->header('Host'))) {
$headers->{Host} = $host;
my $content;
if ($method eq 'POST' || $method eq 'PUT') {
- $headers->{'Content-Type'} = 'application/x-www-form-urlencoded';
- # use URI object to format application/x-www-form-urlencoded content.
- my $url = URI->new('http:');
- $url->query_form(%$params);
- $content = $url->query;
+ my $request_ct = $reqstate->{request}->header('Content-Type');
+ if (defined($request_ct) && $request_ct =~ 'application/json') {
+ $headers->{'Content-Type'} = 'application/json';
+ $content = encode_json($params);
+ } else {
+ $headers->{'Content-Type'} = 'application/x-www-form-urlencoded';
+ # use URI object to format application/x-www-form-urlencoded content.
+ my $url = URI->new('http:');
+ $url->query_form(%$params);
+ $content = $url->query;
+ }
if (defined($content)) {
$headers->{'Content-Length'} = length($content);
}
sslv2 => 0,
sslv3 => 0,
verify => 1,
+ ca_path => '/usr/lib/ssl/certs', # to avoid loading the combined CA cert file
verify_cb => sub {
my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
# we don't care about intermediate or root certificates
$v = Encode::decode('utf8', $v);
if (defined(my $old = $res->{$k})) {
- $v = "$old\0$v";
+ if (ref($old) eq 'ARRAY') {
+ push @$old, $v;
+ $v = $old;
+ } else {
+ $v = [$old, $v];
+ }
}
}
$res->{proxy_params}->{tmpfilename} = $reqstate->{tmpfilename} if $upload_state;
- $self->proxy_request($reqstate, $clientip, $host, $res->{proxynode}, $method,
- $r->uri, $auth, $res->{proxy_params});
+ $self->proxy_request(
+ $reqstate, $clientip, $host, $res->{proxynode}, $method, $r->uri, $auth, $res->{proxy_params});
return;
} elsif ($upgrade && ($method eq 'GET') && ($path =~ m|websocket$|)) {
my $download = $res->{download};
$download //= $res->{data}->{download}
- if defined($res->{data}) && ref($res->{data}) eq 'HASH';
+ if defined($res->{data}) && ref($res->{data}) eq 'HASH';
if (defined($download)) {
send_file_start($self, $reqstate, $download);
return;
my $clientip = $reqstate->{peer_host};
my $r = $reqstate->{request};
- my $remip;
+ my $remip;
- if ($node ne 'localhost' && PVE::INotify::nodename() !~ m/^$node$/i) {
- $remip = $self->remote_node_ip($node);
+ if ($node ne 'localhost' && PVE::INotify::nodename() !~ m/^$node$/i) {
+ $remip = $self->remote_node_ip($node);
$self->dprint("REMOTE CONNECT $vmid, $remip, $connect_str");
- } else {
+ } else {
$self->dprint("CONNECT $vmid, $node, $spiceport");
}
$reqstate->{hdl}->push_write($line);
$self->client_do_disconnect($reqstate);
}
- });
+ });
} else {
&$startproxy();
}
$extract_form_disposition->('checksum-algorithm');
$extract_form_disposition->('checksum');
- if ($hdl->{rbuf} =~ s/^${delim_re}Content-Disposition: (.*?); name="(.*?)"; filename="([^"]+)"${newline_re}//s) {
+ if ($hdl->{rbuf} =~ s/^${delim_re}Content-Disposition: (.*?); name="(.*?)"; filename="([^"]+)"//s) {
assert_form_disposition($1);
die "wrong field name '$2' for file upload, expected 'filename'" if $2 ne "filename";
$rstate->{phase} = 2;
if ($write_length > 0) {
syswrite($rstate->{outfh}, $data) == $write_length or die "write to temporary file failed - $!\n";
$rstate->{bytes} += $write_length;
- $rstate->{ctx}->add($data);
}
}
if ($rstate->{phase} == 100) { # Phase 100 - transfer finished
- $rstate->{md5sum} = $rstate->{ctx}->hexdigest;
my $elapsed = tv_interval($rstate->{starttime});
- syslog('info', "multipart upload complete (size: %dB time: %.3fs rate: %.2fMiB/s md5sum: %s)",
- $rstate->{bytes}, $elapsed, $rstate->{bytes} / ($elapsed * 1024 * 1024), $rstate->{md5sum}
+ syslog('info', "multipart upload complete (size: %dB time: %.3fs rate: %.2fMiB/s filename: %s)",
+ $rstate->{bytes}, $elapsed, $rstate->{bytes} / ($elapsed * 1024 * 1024),
+ $rstate->{params}->{filename}
);
$self->handle_api2_request($reqstate, $auth, $method, $path, $rstate);
}
$r->push_header($state->{key}, $state->{val})
if $state->{key};
- $self->process_header($reqstate) or return;
- # header processing complete - authenticate now
- $self->authenticate_and_handle_request($reqstate) or return;
+ return if !$self->process_header($reqstate);
+ return if !$self->ensure_tls_connection($reqstate);
+
+ $self->authenticate_and_handle_request($reqstate);
} elsif ($line =~ /^([^:\s]+)\s*:\s*(.*)/) {
$r->push_header($state->{key}, $state->{val}) if $state->{key};
});
};
+# sends an (error) response and returns 0 in case of errors
sub process_header {
my ($self, $reqstate) = @_;
if (!$known_methods->{$method}) {
my $resp = HTTP::Response->new(HTTP_NOT_IMPLEMENTED, "method '$method' not available");
$self->response($reqstate, $resp);
- return;
+ return 0;
}
my $conn = $request->header('Connection');
my $accept_enc = $request->header('Accept-Encoding');
$reqstate->{accept_gzip} = ($accept_enc && $accept_enc =~ m/gzip/) ? 1 : 0;
+ $reqstate->{accept_deflate} = ($accept_enc && $accept_enc =~ m/deflate/) ? 1 : 0;
if ($conn) {
$reqstate->{keep_alive} = 0 if $conn =~ m/close/oi;
if ($te && lc($te) eq 'chunked') {
# Handle chunked transfer encoding
$self->error($reqstate, 501, "chunked transfer encoding not supported");
- return;
+ return 0;
} elsif ($te) {
$self->error($reqstate, 501, "Unknown transfer encoding '$te'");
- return;
+ return 0;
}
my $pveclientip = $request->header('PVEClientIP');
return 1;
}
+# sends an (redirect) response, disconnects the client and returns 0 if
+# connection is not TLS-protected
+sub ensure_tls_connection {
+ my ($self, $reqstate) = @_;
+
+ # Skip if server doesn't use TLS
+ if (!$self->{tls_ctx}) {
+ return 1;
+ }
+
+ # TLS session exists, so the handshake has succeeded
+ if ($reqstate->{hdl}->{tls}) {
+ return 1;
+ }
+
+ my $request = $reqstate->{request};
+ my $method = $request->method();
+
+ my $h_host = $reqstate->{request}->header('Host');
+
+ die "Header field 'Host' not found in request\n"
+ if !$h_host;
+
+ my $secure_host = "https://" . ($h_host =~ s/^http(s)?:\/\///r);
+
+ my $header = HTTP::Headers->new('Location' => $secure_host . $request->uri());
+
+ if ($method eq 'GET' || $method eq 'HEAD') {
+ $self->error($reqstate, 301, 'Moved Permanently', $header);
+ } else {
+ $self->error($reqstate, 308, 'Permanent Redirect', $header);
+ }
+
+ # disconnect the client so they may immediately connect again via HTTPS
+ $self->client_do_disconnect($reqstate);
+
+ return 0;
+}
+
sub authenticate_and_handle_request {
my ($self, $reqstate) = @_;
my $state = {
size => $len,
boundary => $boundary,
- ctx => Digest::MD5->new,
boundlen => $boundlen,
maxheader => 2048 + $boundlen, # should be large enough
params => decode_urlencoded($request->url->query()),
starttime => [gettimeofday],
outfh => $outfh,
};
+
+ die "'tmpfilename' query parameter is not allowed for file uploads\n"
+ if exists $state->{params}->{tmpfilename};
+
$reqstate->{tmpfilename} = $tmpfilename;
$reqstate->{hdl}->on_read(sub {
$self->file_upload_multipart($reqstate, $auth, $method, $path, $state);
} else {
$self->handle_request($reqstate, $auth, $method, $path);
}
-
- return 1;
}
sub push_request_header {
$reqstate->{proto}->{min} = $min;
$reqstate->{proto}->{ver} = $maj*1000+$min;
$reqstate->{request} = HTTP::Request->new($method, $url);
- $reqstate->{starttime} = [gettimeofday],
+ $reqstate->{starttime} = [gettimeofday];
$self->unshift_read_header($reqstate);
} elsif ($line eq '') {
foreach my $t (@{$self->{allow_from}}) {
if ($t->overlaps($cip)) {
$match_allow = 1;
- $self->dprint("client IP allowed: ". $t->prefix());
+ $self->dprint("client IP allowed: ". $t->print());
last;
}
}
if ($self->{deny_from}) {
foreach my $t (@{$self->{deny_from}}) {
if ($t->overlaps($cip)) {
- $self->dprint("client IP denied: ". $t->prefix());
+ $self->dprint("client IP denied: ". $t->print());
$match_deny = 1;
last;
}
};
if (my $err = $@) { syslog('err', "$err"); }
},
- ($self->{tls_ctx} ? (tls => "accept", tls_ctx => $self->{tls_ctx}) : ()));
+ );
$handle_creation = 0;
$self->dprint("ACCEPT FH" . $clientfh->fileno() . " CONN$self->{conn_count}");
+ if ($self->{tls_ctx}) {
+ $self->dprint("Setting TLS to autostart");
+ $reqstate->{hdl}->unshift_read(tls_autostart => $self->{tls_ctx}, "accept");
+ }
+
$self->push_request_header($reqstate);
}
};
warn "Failed to set TLS 1.3 ciphersuites '$ciphersuites'\n"
if !Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites);
}
+
+ my $opts = Net::SSLeay::CTX_get_options($self->{tls_ctx}->{ctx});
+ my $min_version = Net::SSLeay::TLS1_1_VERSION();
+ my $max_version = Net::SSLeay::TLS1_3_VERSION();
+ if ($opts & &Net::SSLeay::OP_NO_TLSv1_1) {
+ $min_version = Net::SSLeay::TLS1_2_VERSION();
+ }
+ if ($opts & &Net::SSLeay::OP_NO_TLSv1_2) {
+ $min_version = Net::SSLeay::TLS1_3_VERSION();
+ }
+ if ($opts & &Net::SSLeay::OP_NO_TLSv1_3) {
+ die "misconfigured TLS settings - cannot disable all supported TLS versions!\n"
+ if $min_version && $min_version == Net::SSLeay::TLS1_3_VERSION();
+ $max_version = Net::SSLeay::TLS1_2_VERSION();
+ }
+ Net::SSLeay::CTX_set_min_proto_version($self->{tls_ctx}->{ctx}, $min_version) if $min_version;
+ Net::SSLeay::CTX_set_max_proto_version($self->{tls_ctx}->{ctx}, $max_version);
}
if ($self->{spiceproxy}) {
projects / pve-http-server.git / blobdiff