[wip] Add HTTP Alternative Service header to source, journalist interfaces when both v2 and v3 onion services are enabled #4715
Conversation
(port seems to be required according to RFC7838)
Codecov Report

| Coverage Diff | develop | #4715 | +/- |
|---|---|---|---|
| Coverage | 82.38% | 82.67% | +0.28% |
| Files | 46 | 45 | -1 |
| Lines | 3162 | 3122 | -40 |
| Branches | 345 | 338 | -7 |
| Hits | 2605 | 2581 | -24 |
| Misses | 470 | 454 | -16 |
| Partials | 87 | 87 | |

Continue to review full report at Codecov.
Given how much other stuff needs to go in ahead of this yet for 1.0.0, I'm marking this wip until we can find a way to properly test.
The headers are indeed served on both Source & Journalist v2 interfaces, which is a good sign. Outstanding questions remain about whether the alternative service is actually working with establishing connections. Some guidance on next steps for more thorough review:
- `GET /.well-known/http-opportunistic HTTP/1.1` request in journalist-access.log
- Use of the `h2=` protocol id may require enabling HTTP/2 support in Apache
- Source error logs showing `AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error`

Given the difficulty of confirming the functional behavior of the alt-svc header, coupled with the remaining items on the 1.0 milestone still pending merge, let's backburner these changes to prioritize merging other PRs related to v3 functionality. (I'll rebase #4718, for example, to exclude the dependency on this PR.) We can return to this work in the future if we develop a workable test plan for verifying the behavior.
Yeah, I don't see the internal redirect error on develop in staging, so it is related to the changes here.

Closing this for now, see discussion in #4630.
Status
work in progress
Description of Changes
Fixes #4630
Changes proposed in this pull request:
- Add `Alt-Svc` header to send user traffic from v2 to v3
Testing
It's not possible as far as I can tell to determine that the Alt-Svc header is being used in Tor Browser (see my thoughts/explanation in #4630 for the full details) but I'll see if I can cook up something better on this for the 1.0.0 QA period.
For now, you can verify that the header is being set by provisioning staging and visiting the v2 onions. Enabling developer tools in Tor Browser you should see:
To convince yourself that this is correct, you can read the spec or you can check out this site, which nicely shows via the color of the background in the page that is visited when the Alt-Svc is being used. It uses an Alt-Svc from Cloudflare:
Bonus
I'm marking these as bonus because I think since the reviewer will be inspecting the diff doing this testing as part of 1.0.0 QA is OK:
Deployment
This will be run the next time an administrator runs the Ansible playbook. The
Checklist
If you made changes to the server application code:
- Linting (`make lint`) and tests (`make -C securedrop test`) pass in the development container
If you made changes to the system configuration:
If you made non-trivial code changes:
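An added example for the Testing section above, not code from the SecureDrop PR: a small Python checker that parses an `Alt-Svc` value per RFC 7838, enforces the mandatory port noted in the discussion, and flags an alternative whose host is not a v3 onion or that uses the `h2` protocol id (which needs HTTP/2 on the Apache side). The sample header value is constructed, with placeholder onion names.

```python
import re
from urllib.parse import unquote

# RFC 7838 s.3: Alt-Svc = clear / 1#alt-value; alt-value = protocol-id "=" quoted alt-authority *( ";" parameter )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
ALT_VALUE_RE = re.compile(rf'^({TOKEN})="([^"]*)"((?:\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"]*"))*)$')
PARAM_RE = re.compile(rf';\s*({TOKEN})=({TOKEN}|"[^"]*")')
# alt-authority is [uri-host] ":" port; the port is mandatory.
AUTHORITY_RE = re.compile(r"^(.*):(\d{1,5})$")
# v3 onion hostnames are 56 base32 characters followed by ".onion".
V3_ONION_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def parse_alt_svc(header):
    """Parse an Alt-Svc value into dicts; raise ValueError on syntax RFC 7838 forbids."""
    header = header.strip()
    if header == "clear":
        return []
    alts = []
    for piece in header.split(","):
        m = ALT_VALUE_RE.match(piece.strip())
        if not m:
            raise ValueError(f"malformed alt-value: {piece.strip()!r}")
        protocol, authority, raw_params = m.groups()
        auth = AUTHORITY_RE.match(authority)
        if not auth or not 1 <= int(auth.group(2)) <= 65535:
            raise ValueError(f"alt-authority needs a valid port: {authority!r}")
        params = {k: v.strip('"') for k, v in PARAM_RE.findall(raw_params)}
        alts.append({"protocol": unquote(protocol), "host": auth.group(1),
                     "port": int(auth.group(2)), "params": params})
    return alts


def check_v2_to_v3_alt_svc(header):
    """Findings for a header meant to steer Tor Browser from a v2 to a v3 onion."""
    try:
        alts = parse_alt_svc(header)
    except ValueError as exc:
        return [str(exc)]
    if not alts:
        return ["header clears alternatives instead of advertising a v3 onion"]
    findings = []
    for alt in alts:
        if not V3_ONION_RE.match(alt["host"]):
            findings.append(f"alternative host is not a v3 onion: {alt['host']!r}")
        if alt["protocol"] == "h2":
            findings.append("protocol id h2 requires HTTP/2 enabled on the origin")
    return findings


# Constructed sample value; the onion names are placeholders, not real services.
SAMPLE = 'h2="' + "a" * 56 + '.onion:443"; ma=86400, http%2F1.1="' + "b" * 56 + '.onion:80"'
```

Run `check_v2_to_v3_alt_svc` over the header value captured in Tor Browser's developer tools; an empty list means the value is well-formed and points at a v3 onion.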