History log of /openbsd/usr.sbin/relayd/relay_http.c (Results 1 – 25 of 87)
Revision Date Author Comments
# f5376943 01-Dec-2023 millert <millert@openbsd.org>

relay_read_http: strip out Content-Length if we strip the body too

We should not forward Content-Length if the body is not also forwarded.


# eefb3de5 29-Nov-2023 millert <millert@openbsd.org>

relay_read_http: defer header parsing until after line continuation

Wait until we have a complete line before parsing the Content-Length,
Transfer-Encoding and Host headers. This prevents potential request
smuggling attacks. Filtering already happens after header line
continuation has been performed. Reported by Ben Kallus.
OK claudio@


# 1c543edc 28-Nov-2023 millert <millert@openbsd.org>

relay_read_http: tighten up header parsing

1) reject headers with embedded NULs
2) reject headers with invalid characters in the name
3) reject Transfer-Encoding with values other than "chunked"
4) reject chunk values containing non-hex characters
5) reject Content-Length values of "+0" or "-0"
6) reject requests without a ' ' and headers without a ':'

Reported by Ben Kallus, OK bluhm@


# b2767518 28-Dec-2022 jmc <jmc@openbsd.org>

{en,de}queing -> {en,de}queuing; from paul tagliamonte


# 03c01c05 23-Oct-2021 benno <benno@openbsd.org>

do not duplicate "Connection: close" headers and only add it if it's
not a websockets response.
Reported by Marcus MERIGHI and Jonathon Fletcher, this fix is by Jonathon, Thanks!
ok claudio@


# e472afa5 25-Jul-2021 benno <benno@openbsd.org>

The output of server_root_strip() is a string. Use the correct format
"%s". Same for the output of relay_expand_http().
with and ok claudio@
Found by Cedric Tessier, thanks!


# 53e8df0d 24-Mar-2021 benno <benno@openbsd.org>

Responses to HEAD requests must not have a message body (even though they have
a Content-Length header). HTTP RFC 7231 section 4.3.2.
found by niklas@, claudio@ agrees.


# eeb1fea4 09-Jan-2021 denis <denis@openbsd.org>

Add 'strip' directive

Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa

OK benno@


# 44c7492e 04-Sep-2020 bket <bket@openbsd.org>

Replace TAILQ concatenation loop with TAILQ_CONCAT

OK millert@, florian@


# 053cc50e 13-Jul-2019 chrisz <chrisz@openbsd.org>

Don't "forward to <table>" when a "forward to destination" address is set.
This matches the documented behaviour.
On matching "forward to <table>" filter rules the "forward to destination"
address is unset, so that in that case the "forward to <table>" rule is still
used.

OK benno@, regression tests still passing.


# c4ec8a1c 05-Jul-2019 robert <robert@openbsd.org>

Add a new macro called $HOST that expands to the Host header's value or falls
back to the same value as $SERVER_ADDR in case the Host header is not available.

ok reyk@


# 2c58e087 13-May-2019 reyk <reyk@openbsd.org>

Add Connection: close when switching to "unlimited" reading mode.

Ask the server to close the connection after the request since we
don't read any further request headers. This fixes an issue with
OPTIONS and optional body, as well as similar cases.

Reported and tested by Rivo Nurges

OK benno@


# 65f47834 13-May-2019 reyk <reyk@openbsd.org>

Fix filter rules with "forward to" statement in persistent connections.

OK bentley@ mikeb@


# 860302f3 10-May-2019 reyk <reyk@openbsd.org>

Add support for from/to in relay filter rules.

For example,
pass from 10.0.0.0/8 path "/hello/*" forward to <b>

Ok benno@


# a168ef1a 08-May-2019 reyk <reyk@openbsd.org>

Fix and tweak websocket upgrade handling.

- Don't expect the Connection header to equal Upgrade, it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place

Reported and tested by Rivo Nurges

OK and input from benno@


# e7742cb1 04-Mar-2019 benno <benno@openbsd.org>

Support for rfc 6455 Websockets connection upgrade. Add a new protocol
option 'http { [no] websockets }' to allow such connections (default
is no). Original diff from Daniel Lamando (dan AT danopia DOT net),
option and header checks by me. suggestions and ok bluhm@ and earlier
diff claudio@


# 0be9d00a 06-Aug-2018 benno <benno@openbsd.org>

replace the current log options

log updates|all

with

log state changes
log host checks
log connection [errors]

The first two control the logging of host check results: either changes in host state only or
all checks.

The third option controls logging of connections in relay mode:
Either log all connections, or only errors.

Additionally, errors will be logged with LOG_WARN and good connections
will be logged with LOG_INFO, so they can be differentiated in syslog.

ok and feedback from claudio@


# feb6514b 27-Nov-2017 benno <benno@openbsd.org>

rfc 7230 mandates that a "204 No Content" http status must not come with a
Content-Length Header. Of course some servers still do it and send
Content-Length: 0. Adjust accordingly.
ok claudio@


# 954d713b 27-Nov-2017 claudio <claudio@openbsd.org>

Simplify relay_close_http(), make relay_httpdesc_free() accept and ignore
a NULL pointer argument (like free()). Also switch a !size to size == 0.
OK benno@


# 0ad20b85 15-Nov-2017 benno <benno@openbsd.org>

make the maximum size of http headers configurable in the protocol.
ok bluhm@, >8k makes sense claudio@


# 536becf6 23-Sep-2017 bluhm <bluhm@openbsd.org>

The relayd regression tests for chunked HTTP traffic were failing
sporadically. If the \r and \n were read in separate chunks, relayd
got out of sync with the protocol as they were interpreted as two
lines. Use evbuffer_readln() with EVBUFFER_EOL_CRLF instead of
evbuffer_readline().
OK benno@


# efc39811 28-May-2017 benno <benno@openbsd.org>

use __func__ in log messages. fix some whitespace while here.
From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks!
ok florian, claudio


# 85e5f500 27-May-2017 claudio <claudio@openbsd.org>

Migrate relayd to use libtls for TLS. Still does the TLS privsep via the
engine but at least we can use a sane API for new features.
Going in now so it is possible to work with this in tree.
General agreement at d2k17.


# d45e8c85 10-Mar-2017 reyk <reyk@openbsd.org>

DELETE can have a body.

Fix by Rivo Nurges, fixes a problem with Atlassian JIRA

OK benno@


# 2166201e 26-Sep-2016 reyk <reyk@openbsd.org>

spacing

