| author | thiagoftsm <thiagoftsm@gmail.com> | 2019-07-25 16:43:04 +0000 |
|---|---|---|
| committer | Chris Akritidis <43294513+cakrit@users.noreply.github.com> | 2019-07-25 18:43:04 +0200 |
| commit | 2f7962c9e154dcce1684f2275387c9b6ac4d0b4c (patch) | |
| tree | 10a3f5d7451d429a1bd8df91176b04cd82551abb /web/server | |
| parent | d95912af0834c45fa8a4aee2892b97fbd2e9b520 (diff) | |
Fix parsing SSL ACL along with others (#6468)
* sslstream: ACL parser
It was noticed in issue 6457 that some ACLs were not parsing
correctly when they were alongside the SSL ACL; this commit fixes this.
* sslstream: remove comments
This commit removes the comments that were present while I was testing the code
* sslstream: Tests
This commit adds ACL tests to check the Netdata response to them
* sslstream: Tests
Fix the extension to upload the files
* sslstream: more tests
In this commit I am bringing more tests, including the SSL tests.
* sslstream: leading space
Remove leading space from a variable that was creating a problem with shellcheck
* sslstream: glob
Remove special character from script
* sslstream: Makefile
The Makefile directives were pointing to the wrong files
* sslstream: Missing stream encrypt
This commit solves the problem of the stream not being encrypted, but
it is not the final solution, because the parser that was made is incomplete.
* sslstream: Finish encrypt channel
This commit brings the step that I was missing, the complete encryption
of the communication between Master and Slave
* sslstream: Fix argument in script
After the latest tests, it was verified that two arguments given to a function
inside the script were not correct; with this PR I am fixing this!
* sslstream: Fix argument in info
Instead of calling a function to deliver an integer, I was passing a size_t value.
Only CMake showed this, but not my CLion! :/
* sslstream: Fix redirect
When we had different SSL configurations, the system was not applying
the option for all of them
* sslstream: Update documentation
Our documentation was not clear about the rules according to our code,
so I am updating the text to explain them to the users
* sslstream: Adjust script
With this last commit, I am adjusting the tests to avoid false positives
* sslstream: Missing elif
The previous commit had a missing elif in the shell script
* sslstream: Split ports
Before this commit Netdata had SSL as a global option; now it has it as a real ACL.
* sslstream: reduce context
The stream variable will not be affected on the master side; it is only necessary
on the slave side, so I am reducing its context
* sslstream: Force SSL
When the user has a certificate and does not set any SSL flag, it is necessary
to append the SSL=force flag
* sslstream: Default flag
It is necessary to have a default flag when the SSL flags are not set
* sslstream: remove comments
Remove comments from the script
* sslstream: moving flag
It is better for the flag to be set inside the socket instead of every time there is a new connection
* sslstream: documentation
Fix a sentence in the web/server/README.md
Diffstat (limited to 'web/server')
-rw-r--r-- web/server/README.md | 14
-rw-r--r-- web/server/web_client.c | 8
2 files changed, 20 insertions, 2 deletions
diff --git a/web/server/README.md b/web/server/README.md index 0bab9f105f..173e895963 100644 --- a/web/server/README.md +++ b/web/server/README.md @@ -112,6 +112,20 @@ Example: For information how to configure the slaves to use TLS, check [securing the communication](../../streaming#securing-streaming-communications) in the streaming documentation. There you will find additional details on the expected behavior for client and server nodes, when their respective TLS options are enabled. +When we define the use of SSL in a Netdata agent for different ports, Netdata will apply the behavior specified on each port. For example, using the configuration line below: + +``` +[web] + bind to = *=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force *:20000=netdata.conf^SSL=optional *:20001=dashboard|registry +``` + +Netdata will: + +- Force all HTTP requests to the default port to be redirected to HTTPS (same port). +- Refuse unencrypted streaming connections from slaves on the default port. +- Allow both HTTP and HTTPS requests to port 20000 for netdata.conf +- Force HTTP requests to port 20001 to be redirected to HTTPS (same port). Only allow requests for the dashboard, the read API and the registry on port 20001. + #### TLS/SSL errors When you start using Netdata with TLS, you may find errors in the Netdata log, which is stored at `/var/log/netdata/error.log` by default. diff --git a/web/server/web_client.c b/web/server/web_client.c index e8566ce991..5d7d0708c2 100644 --- a/web/server/web_client.c +++ b/web/server/web_client.c @@ -835,7 +835,11 @@ static inline char *web_client_valid_method(struct web_client *w, char *s) { s = &s[7]; #ifdef ENABLE_HTTPS - if ( (w->ssl.flags) && (netdata_use_ssl_on_stream & NETDATA_SSL_FORCE)){ + if (w->ssl.flags && web_client_is_using_ssl_force(w)){ + w->header_parse_tries = 0; + w->header_parse_last_size = 0; + web_client_disable_wait_receive(w); + char hostname[256]; char *copyme = strstr(s,"hostname="); if ( copyme ){ 
@@ -1065,7 +1069,7 @@ static inline HTTP_VALIDATION http_request_validate(struct web_client *w) { } #ifdef ENABLE_HTTPS if ( (!web_client_check_unix(w)) && (netdata_srv_ctx) ) { - if ((w->ssl.conn) && ((w->ssl.flags & NETDATA_SSL_NO_HANDSHAKE) && (netdata_use_ssl_on_http & NETDATA_SSL_FORCE) && (w->mode != WEB_CLIENT_MODE_STREAM)) ) { + if ((w->ssl.conn) && ((w->ssl.flags & NETDATA_SSL_NO_HANDSHAKE) && (web_client_is_using_ssl_force(w) || web_client_is_using_ssl_default(w)) && (w->mode != WEB_CLIENT_MODE_STREAM)) ) { w->header_parse_tries = 0; w->header_parse_last_size = 0; web_client_disable_wait_receive(w); |
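Review bot: in the README.md hunk, the last bullet says HTTP requests to port 20001 are redirected to HTTPS, but the example line gives `*:20001=dashboard|registry` with no `^SSL=` flag, so the text depends on a rule the paragraph never states (the "Force SSL" and "Default flag" commits in this PR make an unset flag behave like `force` when a certificate is configured). Add that rule to the paragraph, for example "a port with no SSL flag behaves as SSL=force when a certificate is present", otherwise readers will expect port 20001 to accept plain HTTP. Two smaller points: the same bullet lists "the dashboard, the read API and the registry" while the config line only names `dashboard|registry`, so say explicitly that `dashboard` covers the API if that is the intent; and the third bullet is missing its full stop, and the new paragraph says "SSL" where the surrounding headings say "TLS/SSL".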
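Review bot: in the first web_client.c hunk (`@@ -835`), the STREAM branch now tests only `web_client_is_using_ssl_force(w)`, while the HTTP branch in the next hunk tests `web_client_is_using_ssl_force(w) || web_client_is_using_ssl_default(w)`. If a port with no explicit flag is meant to behave like `force` (as the README hunk's port 20001 bullet and the "Default flag" commit suggest), an unencrypted slave connecting to such a port gets past this check; either add the `default` case here as well or add a comment saying why streaming treats it differently. The three added lines `w->header_parse_tries = 0; w->header_parse_last_size = 0; web_client_disable_wait_receive(w);` are the same three that already appear in the next hunk, so a small static helper (e.g. `web_client_reset_parse_state(w)`, name hypothetical) would keep the two paths from drifting. The new `web_client_is_using_ssl_force` / `web_client_is_using_ssl_default` helpers are not in this diff (the diffstat is limited to web/server), so please point at where they are defined and how they map a port with no flag.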
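Review bot: in the second web_client.c hunk (`@@ -1065`), the `if` has grown to five clauses on one line; moving the policy part into a helper such as `web_client_ssl_redirect_required(w)` (hypothetical name) that returns `web_client_is_using_ssl_force(w) || web_client_is_using_ssl_default(w)` would make the intent readable and give the STREAM path the same policy to call. Including `web_client_is_using_ssl_default(w)` here means a port with no SSL flag redirects plain HTTP exactly like `SSL=force`; a one-line comment above the `if` stating that default equals force for the redirect decision documents that at the code site, since the README hunk only implies it. The `w->mode != WEB_CLIENT_MODE_STREAM` exclusion is correct, as the stream case is handled in `web_client_valid_method`.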