Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Variables and conditions for custom HTTP headers #907

Open
krizhanovsky opened this issue Feb 10, 2018 · 0 comments
Open

Variables and conditions for custom HTTP headers #907

krizhanovsky opened this issue Feb 10, 2018 · 0 comments
Labels
enhancement
Milestone
backlog

Comments

@krizhanovsky
Copy link
Contributor

krizhanovsky commented Feb 10, 2018
edited
Loading

Further development of #511 (HTTP: transform custom HTTP headers). Depends on the new rule syntax introduced in #731 (HTTP tables) and #531 (Upgrade/downgrade HTTP messages).

A use case (for Wiki)

If several of the backend servers in the WAF acceleratiotn scenario have public IPs and allow HTTP/1.0, then, even announcing the public IPs as virtual IPs (VIPs) on Tempesta FW intefaces, the WAF, configured in reverse proxy mode, doesn't have an idea which backend to send an HTTP/1.0 requests to. The Internet adopts HTTP/3 nowadays, so there is no sense to care about HTTP/1.0.

Conditional HTTP upgrade

The first solution is to upgrade forwarded HTTP/1.0 request without Host header to HTTP/1.1 or HTTP/2 with correct setting of Host header. We can do this using a rule to translate the backend public IP to it's Host value (the condition construction is the subject got multi-pattern matching optimization in #732, so keep the further optimization in mind):

$dst_ip == 1.1.1.1 -> req_hdr_add Host "foo.com";
$dst_ip == 2.2.2.2 -> req_hdr_add Host "bar.com";

$dst_ip is the matching variable for skb destination IP address.

Setting X-Server-IP

Another solution is just to add an extension header with the backend public IP:

req_hdr_add X-Server-IP $dst_ip

and the the WAF to make the correct message forwarding based on the header.

The variables

Please research how the variables are implemented in Nginx, Varnish VCL, HAProxy.

Following variables must be implemented:

  1. $proto - a protocol (HTTP/1.0, HTTP/1.1 etc) used by a client in a request;
  2. $dst_addr - client skb destination address;
  3. $dst_port - client skb destination port;
  4. $src_addr - client skb source address;

Variables should be aggregated into tfw_http_req_t (most likely we'll have different sets of variables for requests and responses and there is no sense to spend extra memory) as an array of fixed size. The array items could be something like:

typedef struct {
    union {
        TfwStr   *str;
        long       i_val;
    };
} TfwVar;

References
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
backlog
Development

No branches or pull requests
1 participant
@krizhanovsky