Prohibit DELETE method in default configuration #2058

[biathlon3]

My first attempt, I am not sure that it is the best solution, but it seems to work.

[EvgeniiMekhanik]

Invalid tabulation.

[biathlon3]

Sorry, I have changed my editor's behavior.

[EvgeniiMekhanik]

I think we should also prohibit PUT method here

[EvgeniiMekhanik]

You should also fix tests, where DELETE method is used by adding appropriate DELETE method to frang config

[krizhanovsky]

Definitely need more work and it seems the issue isn't so straightforward as I thought, so we need a good discussion on this.

Also please make pull requests from our repo, not your own - this way we can just switch between branches during review instead of cloning repos of each developers.

Finally, please don't forget to update wiki about allowed methods by default. Probably it also makes sense to describe in the wiki how DELETE behaves with the cache.

[krizhanovsky]

LGTM with just a small coding style cleanup

[krizhanovsky]

Suggested change

	#define TFW_FRANG_HTTP_METHODS_MASK_DEFAULT ((1 << TFW_HTTP_METH_GET) | \
	(1 << TFW_HTTP_METH_HEAD) | \
	(1 << TFW_HTTP_METH_POST))
	#define TFW_FRANG_HTTP_METHODS_MASK_DEFAULT ((1 << TFW_HTTP_METH_GET) | \
	(1 << TFW_HTTP_METH_HEAD) | \
	(1 << TFW_HTTP_METH_POST))

We almost never use 2 empty lines in C/C++ code and we use alignments (tabs plus spaces)

[const-t]

I would like to suggest another solution. In TfwCfgSpec we can specify default values for each directive.
Example:

{
		.name = "http_methods",
		.deflt = "get post head",
		.handler = tfw_cfgop_frang_http_methods,
		.allow_reconfig = true,
	},

Field deflt it's just value, same as in config, that will be parsed and assigned to directive. Please, change TfwCfgSpec for each context.
Also, I believe, we don't need to remove already made changes, we will treat empty value, as defualt. Or we can remove these changes, and treat empty value of this directive as error - this looks more clear for me. Up to you.

[const-t]

Why do we set allow_none to false for frang_limits?

[biathlon3]

If we leave allow_none as true, the default configuration won't be read in spec_finish_handling(TfwCfgSpec specs[]).
It was the reason why I wrote my previous version.

[keshonok]

This seems wrong. Are you sure? There are plenty of places in the code with both .allow_none = true and .deflt set to some value.

[biathlon3]

Yes, guys, I was wrong.

[biathlon3]

I tested it more careful and found that with .allow_none = true, in this position, it stops using default configuration when vhost is configured in tempesta_fw.cfg.
Looks like I hastened to agree with you. And we need to use .allow_none = false or change behavior of spec_finish_handling(TfwCfgSpec specs[]) or change somthing else.

[const-t]

Looks like dead code and we never reach this place. If we have ce->dflt_value == false it means value was specified in config and now we know that this value is empty. Therefore, we will always return in if (!ce->dflt_value). Is there a case when ce->dflt_value == true but ce->val_n == false?

[biathlon3]

This situation is possible when we have " http_methods ;" in config

[const-t]

In my understanding when we have " http_methods ;" then we have ce->dflt_value == false and ce->val_n == false in other cases we will have ce->val_n > 0. For example: http_methods ""; or http_methods " "; will have ce->val_n > 0 and will disallowed in TFW_CFG_ENTRY_FOR_EACH_VAL. I can't find another value for http_methods where ce->val_n == 0 except " http_methods ;". Do you know such value for http_methods?

[biathlon3]

Yes, when we have
.name = "http_methods",
.deflt = "",
in the code

[const-t]

Now we doesn't, and I believe we must not maintain this. If you warring about this, it would be better to write a comment in appropriate place.

[const-t]

Please remove todo from http_limits.c, when you will rebase.
TODO: Remove when PR #2078 merged

[biathlon3]

I removed checking f_cfg->http_methods_mask because this checking breaks new logic.

[krizhanovsky]

Please implement a workaround for #2119 with a TODO comment

[biathlon3]

Please implement a workaround for #2119 with a TODO comment

I manage to do it in normal way.

[const-t]

A want to ask you to check following(and others similar conditions) part in tfw_http_req_process():

if (res.type == TFW_HTTP_RES_REDIR) {
tfw_http_req_redir(req, res.redir.resp_code, &res.redir);
return T_OK;
}

In this case we don't freed split skb as well. To check it just use redirects.

http_chain redirects {
    # Absolute path
    uri == "/company.html" -> 301 = https://tempesta-tech.com/company;

    # Use variables
    uri == "/blog/" -> 308 = https://$host/$request_uri/;

    # Relative path
    uri == "*/services.html" -> 303 = /services;

    # Temporal redirection for the default index page only to a temporal landing page.
    uri == "/" -> 307 = /c++-services;
}

[krizhanovsky]

Suggested change

	bool tfw_tls_get_allow_any_sni_reconfig(void)
	bool
	tfw_tls_get_allow_any_sni_reconfig(void)

[const-t]

In general looks good, but could you add a little bit description to the last commit.

Chenged frang inheritance for locatians in default vhost

Why it's changed, how it's changed. Also looks like you fixed live-reconfig logic for frang, describe it also in the commit message.

[const-t]

Seems we can remove this unnecessary condition if (skb) then just assign skb and return r instead of T_DROP.

[EvgeniiMekhanik]

We should not change return code here, because it is used to determine how Tempesta close connection.
We should also fix this memory leak in all other places in this function.

[biathlon3]

Code reworked. I tried to make it universal, but if you think it is not the best way, I will rework it for special cases only.

[EvgeniiMekhanik]

Change fixing memory leak

[EvgeniiMekhanik]

50 is default value for this setting. Please also check all other settings. concurrent_tcp_connections - 1000 is default settings

[biathlon3]

Fixed

[EvgeniiMekhanik]

We need to discuss this place. If I understand it correctly we have the same problem for http_body_len also and may be some other settings.

frang_limits {
    http_body_len 0;
}
frang_limits {
}

The second one frang_limits has default http_body_len == 1073741824, should we override previosly set http_body_len or not?

[biathlon3]

I returned the old behavior, only explicit parameters should be overridden.

[EvgeniiMekhanik]

You don't need to check !ce->dflt_value here, because if it is dflt_value vam_n is always 3 (get post head). This check is better to do before TFW_CFG_ENTRY_FOR_EACH_VAL loop

[EvgeniiMekhanik]

TFW_CFG_CHECK_VAL_N(>, 0, cs, ce);
TFW_CFG_CHECK_NO_ATTRS(cs, ce);

is right way. Tempesta interpret get=hhhsdsd as attribute and silently ignore such invalid configuration

[biathlon3]

Reworked.

[EvgeniiMekhanik]

It is incorrect to use tfw_cfgop_frang_glob_set_long here. If we have global frang limits like below:
frang_limits {
http_body_len 0;
}
frang_limits {
}

We should not override http_body_len 0; in the second config as i understand the idea in all other places.
I thinkn that using tfw_cfgop_frang_glob_set_int for tfw_frang_glob_reconfig.http_hdr_cnt is also incorrect. Same as for concurrent_tcp_connections

[biathlon3]

I returned the old behavior, only explicit parameters should be overridden.

[EvgeniiMekhanik]

We can't use tfw_cfgop_frang_glob_set_bool here because default value is true.
frang_limits {
http_strict_host_checking false;
}
frang_limits {
}

We have http_strict_host_checking true, but should have false

[EvgeniiMekhanik]

Please add tests for all this changes! We need to cover all this cases because I found a lot of mistakes here. you should check several frang_limits on one level and how it is work.

[EvgeniiMekhanik]

Please look at this function tfw_frang_cfg_inherit we have BUG in it.
if (!curr->http_ct_vals)
we only set r = -ENOMEM and do not return. Then we memcpy(curr->http_ct_vals, from->http_ct_vals, sz);

[biathlon3]

Add else to avoid using curr->http_ct_vals after error.

[EvgeniiMekhanik]

Why do you delete this check? Previously when tls_match_any_server_name is true, we return T_OK. Why this behavior is changed?

[const-t]

When tfw_tls_allow_any_sni is true, it means connection with empty sni or sni not listed in our vhost is "routed" to default vhost. In other words tfw_tls_allow_any_sni is the way to enable default vhost and it's not related to other vhosts. But when we have this check here and we want to check SNI vs authority for some vhosts and don't check for other we can't do this, because tfw_tls_allow_any_sni will override it.

Now I would prefer to introduce new knob only for domain fronting, that must be disabled by default. It will depends on tfw_tls_allow_any_sni also, but in the future we will remove default vhost and tfw_tls_allow_any_sni and will check SNI only when vhost is found by http tables.

[EvgeniiMekhanik]

Why we can't use tfw_cfgop_frang_rsp_code_block. The only difference that here we directly set FrangVhostCfg *cfg = &tfw_frang_vhost_reconfig; instead of FrangVhostCfg *cfg = tfw_cfgop_frang_get_cfg(); ?

[biathlon3]

It was attempt to solve strange location inheritance for default vhost. I returned it back now because my code had changed overriding.

[EvgeniiMekhanik]

Can you also check __tfw_cfgop_frang_rsp_code_block. I see that we return -EINVAL after memory allocation without
freeing previously allocated cb = kzalloc(sizeof(FrangHttpRespCodeBlock), GFP_KERNEL); Is there memory leak or we will free it later?

[biathlon3]

It assigns to conf->http_resp_code_block and will be freed by __tfw_frang_clean() in case of error.