
Strict-Transport-Security is no longer tied to RedirectHTTPToHTTPS, and max-age is configurable, defaulting to 1 week.

git-svn-id: https://svn.calendarserver.org/repository/calendarserver/CalendarServer/trunk@10165 e27351fd-9f3e-4f54-a53b-843176b1656c
m0rgen committed Dec 13, 2012
1 parent bde1667 commit 04b0ed243a957605bcd50826f4fac53fccc4108a
@@ -874,6 +874,22 @@ def queueMasterAvailable(connectionFromMaster):
def requestFactory(*args, **kw):
return SSLRedirectRequest(site=underlyingSite, *args, **kw)

# Add the Strict-Transport-Security header to all secured requests
# if enabled.
if config.StrictTransportSecuritySeconds:
previousRequestFactory = requestFactory
def requestFactory(*args, **kw):
request = previousRequestFactory(*args, **kw)
def responseFilter(ignored, response):
ignored, secure = request.chanRequest.getHostInfo()
if secure:
response.headers.addRawHeader("Strict-Transport-Security",
"max-age={max_age:d}"
.format(max_age=config.StrictTransportSecuritySeconds))
return response
request.addResponseFilter(responseFilter)
return request

httpFactory = LimitingHTTPFactory(
requestFactory,
maxRequests=config.MaxRequests,
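Review bot: The filter formats `config.StrictTransportSecuritySeconds` with `{max_age:d}` on every secure response but never validates the value, so a non-integer loaded from the config file raises inside responseFilter at response time, and a negative value is emitted as an invalid `max-age=-N` header. I'd normalise it once where the factory is wrapped: `maxAge = int(config.StrictTransportSecuritySeconds)` just before `previousRequestFactory = requestFactory`, raise a ValueError there if `maxAge < 0`, and format with `.format(max_age=maxAge)` so the per-response closure only carries a checked int. The commit also removes the only test that exercised the header (test_http1_1_sts in the test_http hunk) without adding one for this config-driven filter, so such values would not be caught by the suite. The enclosing function continues outside the hunk.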
@@ -894,6 +910,9 @@ def updateFactory(configDict, reloading=False):
connectionService.setName(CalDAVService.connectionServiceName)
connectionService.setServiceParent(service)

# For calendarserver.tap.test.test_caldav.BaseServiceMakerTests.getSite():
connectionService.underlyingSite = underlyingSite

if config.InheritFDs or config.InheritSSLFDs:
# Inherit sockets to call accept() on them individually.

@@ -380,9 +380,10 @@ def getSite(self):
# NOTE: in a database 'single' configuration, PostgresService
# will prevent the HTTP services from actually getting added to
# the hierarchy until the hierarchy has started.
lambda x: hasattr(x, 'args')
# 'underlyingSite' assigned in caldav.py
lambda x: hasattr(x, 'underlyingSite')
):
return listeningService.args[1].protocolArgs['requestFactory']
return listeningService.underlyingSite
raise RuntimeError("No site found.")


@@ -76,26 +76,11 @@ def connectionMade(self):
self.transport.loseConnection()



class SSLRedirectRequest(Request):
"""
An L{SSLRedirectRequest} prevents processing if the request is over plain
HTTP; instead, it redirects to HTTPS.
If the request is already secured, it instead sets the
Strict-Transport-Security header as documented by the U{HTTP Strict
Transport Security specification
<http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02>}.
@ivar maxAge: the number of seconds that a client must wait after receiving
an HTTPS response, before they may attempt to make an HTTP request
again.
@type maxAge: C{int}
"""

maxAge = 600

def process(self):
ignored, secure = self.chanRequest.getHostInfo()
if not secure:
@@ -116,15 +101,6 @@ def process(self):
return super(SSLRedirectRequest, self).process()


def writeResponse(self, response):
"""
Response filter to add HSTS header.
"""
response.headers.addRawHeader("Strict-Transport-Security",
"max-age={max_age:d}"
.format(max_age=self.maxAge))
return super(SSLRedirectRequest, self).writeResponse(response)

# >%

PERSIST_NO_PIPELINE, PERSIST_PIPELINE = (1,2)
@@ -742,18 +742,6 @@ def testHTTP1_1_chunking(self, extraHeaders=""):
cxn.client.loseConnection()
self.assertDone(cxn)


def test_http1_1_sts(self):
"""
L{SSLRedirectRequest} uses strict transport security, and will set the
appropriate header.
"""
self.requestClass = TestSSLRedirectRequest
return self.testHTTP1_1_chunking(
"Strict-Transport-Security: max-age=600"
)


def testHTTP1_1_expect_continue(self):
cxn = self.connect()
cmds = [[]]
@@ -250,6 +250,8 @@
"RedirectHTTPToHTTPS" : False, # If True, all nonSSL requests redirected to an SSL Port
"SSLMethod" : "SSLv3_METHOD", # SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD
"SSLCiphers" : "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
"StrictTransportSecuritySeconds" : 7 * 24 * 60 * 60, # max-age value for
# Strict-Transport-Security header; set to 0 to disable header.

#
# Network address configuration information
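Review bot: The comment on StrictTransportSecuritySeconds does not say that the header is only added to responses served over TLS, nor that the value must be an integer (the caldav.py hunk formats it with a `:d` field), so an operator reading stdconfig alone cannot tell when the header appears or what values are valid. I'd replace the two comment fragments with one: `# max-age (integer seconds) for the Strict-Transport-Security header, sent on HTTPS responses only; 0 disables the header`.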
