author: thiagoftsm <thiagoftsm@gmail.com> 2019-07-25 16:43:04 +0000
committer: Chris Akritidis <43294513+cakrit@users.noreply.github.com> 2019-07-25 18:43:04 +0200
commit: 2f7962c9e154dcce1684f2275387c9b6ac4d0b4c
tree: 10a3f5d7451d429a1bd8df91176b04cd82551abb /web/server
parent: d95912af0834c45fa8a4aee2892b97fbd2e9b520
Fix parsing SSL ACL along with others (#6468)
* sslstream: ACL parser
  It was noticed in issue 6457 that some ACLs were not parsing correctly when they were along the SSL ACL; this commit fixes this.
* sslstream: remove comments
  This commit removes the comments that were present while I was testing the code.
* sslstream: Tests
  This commit adds ACL tests to check the Netdata response to them.
* sslstream: Tests
  Fix the extension to upload the files.
* sslstream: more tests
  In this commit I am bringing more tests, including the SSL tests.
* sslstream: leading space
  Remove leading space from a variable that was creating a problem with shellcheck.
* sslstream: glob
  Remove special character from script.
* sslstream: Makefile
  The Makefile directives were pointed to the wrong files.
* sslstream: Missing stream encrypt
  This commit solves the problem of the stream not being encrypted, but it is not the final solution, because the parser made is incomplete.
* sslstream: Finish encrypt channel
  This commit brings the step that I was missing, the complete encryption in the communication between Master and Slave.
* sslstream: Fix argument in script
  After the latest tests, it was verified that two arguments given to a function inside the script were not correct; with this PR I am fixing this!
* sslstream: Fix argument in info
  Instead of calling a function to deliver an integer I was passing a size_t value. Only cmake showed this, but not my clion! :/
* sslstream: Fix redirect
  When we were having different SSL configurations, the system was not applying the option for all.
* sslstream: Update documentation
  Our documentation was not clear about the rules according to our code, so I am updating the text to explain it to the users.
* sslstream: Adjust script
  With this last commit, I am adjusting the tests to avoid false positives.
* sslstream: Missing elif
  The previous commit had a missing elif in the shell script.
* sslstream: Split ports
  Before this commit Netdata had SSL as a global option; now it has it as a real ACL.
* sslstream: reduce context
  The stream variable will not be affected on the master side; it is only necessary on the slave side, so I am reducing the context of it.
* sslstream: Force SSL
  When the user has a certificate and he does not set any SSL flag, it is necessary to append the SSL=force flag.
* sslstream: Default flag
  It is necessary to have a default flag when the SSL flags are not SET.
* sslstream: remove comments
  Remove comments from the script.
* sslstream: moving flag
  It is better for the flag to be set inside the socket instead of every time there is a new connection.
* sslstream: documentation
  Fix a sentence in the web/server/README.md.
Diffstat (limited to 'web/server')

-rw-r--r--  web/server/README.md     | 14
-rw-r--r--  web/server/web_client.c  |  8

2 files changed, 20 insertions, 2 deletions
diff --git a/web/server/README.md b/web/server/README.md
index 0bab9f105f..173e895963 100644
--- a/web/server/README.md
+++ b/web/server/README.md
@@ -112,6 +112,20 @@ Example:
For information how to configure the slaves to use TLS, check [securing the communication](../../streaming#securing-streaming-communications) in the streaming documentation. There you will find additional details on the expected behavior for client and server nodes, when their respective TLS options are enabled.
+When we define the use of SSL in a Netdata agent for different ports, Netdata will apply the behavior specified on each port. For example, using the configuration line below:
+
+```
+[web]
+ bind to = *=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force *:20000=netdata.conf^SSL=optional *:20001=dashboard|registry
+```
+
+Netdata will:
+
+- Force all HTTP requests to the default port to be redirected to HTTPS (same port).
+- Refuse unencrypted streaming connections from slaves on the default port.
+- Allow both HTTP and HTTPS requests to port 20000 for netdata.conf
+- Force HTTP requests to port 20001 to be redirected to HTTPS (same port). Only allow requests for the dashboard, the read API and the registry on port 20001.
+
#### TLS/SSL errors
When you start using Netdata with TLS, you may find errors in the Netdata log, which is stored at `/var/log/netdata/error.log` by default.
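Review bot: the last bullet of the added list says HTTP requests to port 20001 are redirected to HTTPS, but the example line gives `*:20001=dashboard|registry` with no `^SSL=` suffix, so the reader has to guess what a port without a flag does; add one sentence stating the default (the commit message says a default flag is applied, and that `SSL=force` is appended when a certificate is present and no flag is set). The same bullet also mentions "the read API", which does not appear in the `dashboard|registry` list for that port, so either extend the example or drop it from the sentence. Minor: the port 20000 bullet is missing its terminating period.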
diff --git a/web/server/web_client.c b/web/server/web_client.c
index e8566ce991..5d7d0708c2 100644
--- a/web/server/web_client.c
+++ b/web/server/web_client.c
@@ -835,7 +835,11 @@ static inline char *web_client_valid_method(struct web_client *w, char *s) {
s = &s[7];
#ifdef ENABLE_HTTPS
- if ( (w->ssl.flags) && (netdata_use_ssl_on_stream & NETDATA_SSL_FORCE)){
+ if (w->ssl.flags && web_client_is_using_ssl_force(w)){
+ w->header_parse_tries = 0;
+ w->header_parse_last_size = 0;
+ web_client_disable_wait_receive(w);
+
char hostname[256];
char *copyme = strstr(s,"hostname=");
if ( copyme ){
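Review bot: the stream branch now fires only for `web_client_is_using_ssl_force(w)`, while the equivalent check in `http_request_validate` in the next hunk also accepts `web_client_is_using_ssl_default(w)`; if a port with no explicit `^SSL=` flag is meant to be forced when a certificate exists (as the commit message says), streaming slaves on such a port will bypass this reset, so either add the default case here too or comment why stream mode is different. The three added lines `w->header_parse_tries = 0;`, `w->header_parse_last_size = 0;` and `web_client_disable_wait_receive(w);` are repeated verbatim in the next hunk; a small static helper would keep both paths in sync. Also, `web_client_is_using_ssl_force(w)` is not defined anywhere in this diff, so please confirm it is declared in a header this file includes and that it behaves sensibly for a client whose listening port carried no flag.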
@@ -1065,7 +1069,7 @@ static inline HTTP_VALIDATION http_request_validate(struct web_client *w) {
}
#ifdef ENABLE_HTTPS
if ( (!web_client_check_unix(w)) && (netdata_srv_ctx) ) {
- if ((w->ssl.conn) && ((w->ssl.flags & NETDATA_SSL_NO_HANDSHAKE) && (netdata_use_ssl_on_http & NETDATA_SSL_FORCE) && (w->mode != WEB_CLIENT_MODE_STREAM)) ) {
+ if ((w->ssl.conn) && ((w->ssl.flags & NETDATA_SSL_NO_HANDSHAKE) && (web_client_is_using_ssl_force(w) || web_client_is_using_ssl_default(w)) && (w->mode != WEB_CLIENT_MODE_STREAM)) ) {
w->header_parse_tries = 0;
w->header_parse_last_size = 0;
web_client_disable_wait_receive(w);
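Review bot: replacing the global `netdata_use_ssl_on_http & NETDATA_SSL_FORCE` with `(web_client_is_using_ssl_force(w) || web_client_is_using_ssl_default(w))` widens the forced-handshake path to every port that carries no explicit SSL flag, which is a behaviour change for existing configurations that relied on a plain-HTTP port without a flag; add a short comment above the condition explaining why default is treated like force here, and mention the change in the README hunk. Consider folding the two helper calls into one predicate so this line and the stream check in `web_client_valid_method` cannot drift apart again; the condition is already long enough that the `w->mode != WEB_CLIENT_MODE_STREAM` exclusion is easy to miss.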