commit 6292e6d: [Project] Drop HTTPS proxies as they are too intrusive to implement
Vsevolod Stakhov
vsevolod at highsecure.ru
Mon Mar 18 16:21:10 UTC 2019
Author: Vsevolod Stakhov
Date: 2019-03-18 16:17:16 +0000
URL: https://github.com/rspamd/rspamd/commit/6292e6da71860030d5336c0f751c335bfa5c14a7 (HEAD -> master)
[Project] Drop HTTPS proxies as they are too intrusive to implement
Issue: #572
---
src/libutil/http_connection.c | 71 +++++++++++++++----------------------------
src/libutil/http_context.c | 16 +++-------
src/libutil/http_context.h | 1 -
src/libutil/http_private.h | 1 -
4 files changed, 28 insertions(+), 61 deletions(-)
diff --git a/src/libutil/http_connection.c b/src/libutil/http_connection.c
index ea664f20d..72cc1d239 100644
--- a/src/libutil/http_connection.c
+++ b/src/libutil/http_connection.c
@@ -1165,58 +1165,29 @@ rspamd_http_connection_new_client (struct rspamd_http_context *ctx,
{
gint fd;
- if (opts & RSPAMD_HTTP_CLIENT_ENCRYPTED) {
- if (ctx->https_proxies) {
- struct upstream *up = rspamd_upstream_get (ctx->https_proxies,
- RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
+ if (ctx->http_proxies) {
+ struct upstream *up = rspamd_upstream_get (ctx->http_proxies,
+ RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
- if (up) {
- rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
+ if (up) {
+ rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
- fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
+ fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
- if (fd == -1) {
- msg_info ("cannot connect to https proxy %s: %s",
- rspamd_inet_address_to_string (proxy_addr),
- strerror (errno));
- rspamd_upstream_fail (up, TRUE);
-
- return NULL;
- }
+ if (fd == -1) {
+ msg_info ("cannot connect to http proxy %s: %s",
+ rspamd_inet_address_to_string (proxy_addr),
+ strerror (errno));
+ rspamd_upstream_fail (up, TRUE);
- return rspamd_http_connection_new_common (ctx, fd, body_handler,
- error_handler, finish_handler, opts,
- RSPAMD_HTTP_CLIENT,
- RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
- up);
+ return NULL;
}
- }
- }
- else {
- if (ctx->http_proxies) {
- struct upstream *up = rspamd_upstream_get (ctx->http_proxies,
- RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
-
- if (up) {
- rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
- fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
-
- if (fd == -1) {
- msg_info ("cannot connect to http proxy %s: %s",
- rspamd_inet_address_to_string (proxy_addr),
- strerror (errno));
- rspamd_upstream_fail (up, TRUE);
-
- return NULL;
- }
-
- return rspamd_http_connection_new_common (ctx, fd, body_handler,
- error_handler, finish_handler, opts,
- RSPAMD_HTTP_CLIENT,
- RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
- up);
- }
+ return rspamd_http_connection_new_common (ctx, fd, body_handler,
+ error_handler, finish_handler, opts,
+ RSPAMD_HTTP_CLIENT,
+ RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
+ up);
}
}
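Review bot: When `ctx->http_proxies` is configured but `rspamd_upstream_get` returns NULL, the `if (up)` block is skipped without any log line and control simply leaves the proxy branch. What follows is outside the hunk, but it looks as if the connection is then made without the proxy. Where the proxy is the intended egress path, that bypass should at least be visible to the operator, for example an `else` arm with `msg_info ("no http proxy upstream is available");`.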
@@ -1878,11 +1849,12 @@ rspamd_http_message_write_header (const gchar* mime_type, gboolean encrypted,
else {
if (conn->priv->flags & RSPAMD_HTTP_CONN_FLAG_PROXY) {
rspamd_printf_fstring (buf,
- "%s http://%s:%d/%V HTTP/1.1\r\n"
+ "%s %s://%s:%d/%V HTTP/1.1\r\n"
"Connection: %s\r\n"
"Host: %s\r\n"
"Content-Length: %z\r\n",
http_method_str (msg->method),
+ (msg->flags & RSPAMD_HTTP_FLAG_SSL) ? "https" : "http",
host,
msg->port,
msg->url,
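Review bot: The scheme in the proxied request line is taken from `msg->flags & RSPAMD_HTTP_FLAG_SSL`, yet the hunk in rspamd_http_connection_write_message_common clears exactly that flag for every connection carrying RSPAMD_HTTP_CONN_FLAG_PROXY. If the clearing runs before this header is formatted (the call order is not visible in these hunks), the `"https"` arm can never be selected and an HTTPS request is forwarded to the proxy as `http://host:port/...`. Deriving the scheme from a value that is not modified on the proxy path, such as a local captured before the flag is cleared or the connection's own options, would remove that dependency. The function body continues outside the hunk.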
@@ -2243,6 +2215,11 @@ rspamd_http_connection_write_message_common (struct rspamd_http_connection *conn
priv->flags &= ~RSPAMD_HTTP_CONN_FLAG_RESETED;
+ if (priv->flags & RSPAMD_HTTP_CONN_FLAG_PROXY) {
+ /* We need to disable SSL flag! */
+ msg->flags &=~ RSPAMD_HTTP_FLAG_SSL;
+ }
+
if (rspamd_event_pending (&priv->ev, EV_TIMEOUT|EV_WRITE|EV_READ)) {
event_del (&priv->ev);
}
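Review bot: Clearing RSPAMD_HTTP_FLAG_SSL here means a request the caller marked as HTTPS leaves this host unencrypted on the hop to the proxy, and rspamd no longer checks the origin's certificate itself; the comment `/* We need to disable SSL flag! */` says nothing about that. I would expand it to something like `/* Proxied requests go to the proxy in plaintext; TLS to the origin, if any, is left to the proxy, so it must be a trusted hop */`. The assignment also modifies the caller's `msg`, so if the same message were later written to a non-proxied connection the flag would stay lost; worth confirming no caller reuses messages that way. The function starts and ends outside the hunk.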
diff --git a/src/libutil/http_context.c b/src/libutil/http_context.c
index 18c89c6bc..b3a308891 100644
--- a/src/libutil/http_context.c
+++ b/src/libutil/http_context.c
@@ -203,11 +203,6 @@ rspamd_http_context_init (struct rspamd_http_context *ctx)
&ctx->http_proxies);
}
- if (ctx->config.https_proxy) {
- rspamd_http_context_parse_proxy (ctx, ctx->config.https_proxy,
- &ctx->https_proxies);
- }
-
default_ctx = ctx;
}
@@ -270,13 +265,6 @@ rspamd_http_context_create (struct rspamd_config *cfg,
if (http_proxy) {
ctx->config.http_proxy = ucl_object_tostring (http_proxy);
}
-
- const ucl_object_t *https_proxy;
- https_proxy = ucl_object_lookup (client_obj, "https_proxy");
-
- if (https_proxy) {
- ctx->config.https_proxy = ucl_object_tostring (https_proxy);
- }
}
server_obj = ucl_object_lookup (http_obj, "server");
@@ -340,6 +328,10 @@ rspamd_http_context_free (struct rspamd_http_context *ctx)
kh_destroy (rspamd_keep_alive_hash, ctx->keep_alive_hash);
+ if (ctx->http_proxies) {
+ rspamd_upstreams_destroy (ctx->http_proxies);
+ }
+
g_free (ctx);
}
diff --git a/src/libutil/http_context.h b/src/libutil/http_context.h
index 6abd66651..4cf07fb48 100644
--- a/src/libutil/http_context.h
+++ b/src/libutil/http_context.h
@@ -36,7 +36,6 @@ struct rspamd_http_context_cfg {
gdouble client_key_rotate_time;
const gchar *user_agent;
const gchar *http_proxy;
- const gchar *https_proxy;
};
/**
diff --git a/src/libutil/http_private.h b/src/libutil/http_private.h
index fbc4c17e3..368715891 100644
--- a/src/libutil/http_private.h
+++ b/src/libutil/http_private.h
@@ -98,7 +98,6 @@ struct rspamd_http_context {
struct rspamd_keypair_cache *server_kp_cache;
struct upstream_ctx *ups_ctx;
struct upstream_list *http_proxies;
- struct upstream_list *https_proxies;
gpointer ssl_ctx;
gpointer ssl_ctx_noverify;
struct event_base *ev_base;