Changeset f00bf7d


Timestamp:
Feb 20, 2018 8:19:34 PM (2 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
3159c51
Parents:
33ea4cf
Message:

Console: Redirect to HTTPS if available (ticket #2160)
Show console links as HTTPS if available
Extend blacklisted ports to cover HTTPS console and eepsite

Files:
6 edited

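--- a/apps/routerconsole/java/src/net/i2p/router/web/HostCheckHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/HostCheckHandler.java
@@ -12,4 +12,5 @@
 import net.i2p.data.DataHelper;
 import net.i2p.util.Log;
+import net.i2p.util.PortMapper;
 
 import org.apache.http.conn.util.InetAddressUtils;
@@ -30,5 +31,7 @@
 {
     private final I2PAppContext _context;
+    private final PortMapper _portMapper;
     private final Set<String> _listenHosts;
+    private static final String PROP_REDIRECT = "routerconsole.redirectToHTTPS";
 
     /**
@@ -38,4 +41,5 @@
         super();
         _context = ctx;
+        _portMapper = ctx.portMapper();
         _listenHosts = new HashSet<String>(8);
     }
@@ -54,5 +58,7 @@
 
     /**
-     *  Block by Host header, pass everything else to the delegate.
+     *  Block by Host header,
+     *  redirect HTTP to HTTPS,
+     *  pass everything else to the delegate.
      */
     public void handle(String pathInContext,
@@ -76,4 +82,20 @@
         }
 
+        // redirect HTTP to HTTPS if available, AND:
+        // either 1) PROP_REDIRECT is set to true;
+        // or 2) PROP_REDIRECT is unset and the Upgrade-Insecure-Requests request header is set
+        // https://w3c.github.io/webappsec-upgrade-insecure-requests/
+        if (!httpRequest.isSecure()) {
+            int httpsPort = _portMapper.getPort(PortMapper.SVC_HTTPS_CONSOLE);
+            if (httpsPort > 0 && httpRequest.getLocalPort() != httpsPort) {
+                String redir = _context.getProperty(PROP_REDIRECT);
+                if (Boolean.valueOf(redir) ||
+                    (redir == null && "1".equals(httpRequest.getHeader("Upgrade-Insecure-Requests")))) {
+                    sendRedirect(httpsPort, httpRequest, httpResponse);
+                    return;
+                }
+            }
+        }
+
         super.handle(pathInContext, baseRequest, httpRequest, httpResponse);
     }
@@ -92,5 +114,9 @@
         // common cases
         if (host.equals("127.0.0.1:7657") ||
-            host.equals("localhost:7657"))
+            host.equals("localhost:7657") ||
+            host.equals("[::1]:7657") ||
+            host.equals("127.0.0.1:7667") ||
+            host.equals("localhost:7667") ||
+            host.equals("[::1]:7667"))
             return true;
         // all allowed?
@@ -125,3 +151,31 @@
         return host;
     }
+
+    /**
+     *  Redirect to HTTPS
+     *
+     *  @since 0.9.34
+     */
+    private static void sendRedirect(int httpsPort, HttpServletRequest httpRequest,
+                                     HttpServletResponse httpResponse) throws IOException {
+        StringBuilder buf = new StringBuilder(64);
+        buf.append("https://");
+        String name = httpRequest.getServerName();
+        boolean ipv6 = name.indexOf(':') >= 0 && !name.startsWith("[");
+        if (ipv6)
+            buf.append('[');
+        buf.append(name);
+        if (ipv6)
+            buf.append(']');
+        buf.append(':').append(httpsPort)
+           .append(httpRequest.getRequestURI());
+        String q = httpRequest.getQueryString();
+        if (q != null)
+            buf.append('?').append(q);
+        httpResponse.setHeader("Location", buf.toString());
+        // https://w3c.github.io/webappsec-upgrade-insecure-requests/
+        httpResponse.setHeader("Vary", "Upgrade-Insecure-Requests");
+        httpResponse.setStatus(307);
+        httpResponse.flushBuffer();
+    }
 }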
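Review bot: The Location header built in sendRedirect() takes its host from `httpRequest.getServerName()`, i.e. the client-supplied Host header, so if the host check that runs earlier in handle() is configured to accept any Host (the `// all allowed?` branch visible in the common-cases hunk) the new redirect becomes an open redirect to an attacker-chosen https origin carrying the original path and query. A cheap mitigation is to redirect only to a name the router actually listens on, e.g. `String actual = _portMapper.getActualHost(PortMapper.SVC_HTTPS_CONSOLE, null);` and fall through to `super.handle(...)` when it is null or does not match the request's server name, or at least limit the redirect to the loopback names already hard-coded in the common-cases list. The javadoc on sendRedirect() should also say why 307 rather than 303 was chosen: ` *  Uses 307 so a POST is replayed against HTTPS with its method and body intact.` The start of handle() and the host check itself are outside this hunk, so whether the allow-all path is reachable here is inferred from the visible comment, not verified.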
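--- a/core/java/src/net/i2p/util/PortMapper.java
+++ b/core/java/src/net/i2p/util/PortMapper.java
@@ -20,4 +20,5 @@
 public class PortMapper {
     private final ConcurrentHashMap<String, InetSocketAddress> _dir;
+    public static final String PROP_PREFER_HTTPS = "routerconsole.preferHTTPS";
 
     public static final String SVC_CONSOLE = "console";
@@ -178,14 +179,37 @@
     }
 
-    /*
+    /**
+     *  If PROP_PREFER_HTTPS is true or unset,
+     *  return https URL unless console is http only. Default https://127.0.0.1:7667/
+     *  If PROP_PREFER_HTTPS is set to false,
+     *  return http URL unless console is https only. Default http://127.0.0.1:7657/
+     *
+     *  @since 0.9.33 consolidated from i2ptunnel and desktopgui
+     */
+    public String getConsoleURL() {
+        return getConsoleURL(I2PAppContext.getGlobalContext().getBooleanPropertyDefaultTrue(PROP_PREFER_HTTPS));
+    }
+
+    /**
+     *  If preferHTTPS is true,
+     *  return https URL unless console is http only. Default https://127.0.0.1:7667/
+     *  If preferHTTPS is false,
+     *  return http URL unless console is https only. Default http://127.0.0.1:7657/
+     *
+     *  @since 0.9.34
+     */
+    public String getConsoleURL(boolean preferHTTPS) {
+        return preferHTTPS ? getHTTPSConsoleURL() : getHTTPConsoleURL();
+    }
+
+    /**
      *  @return http URL unless console is https only. Default http://127.0.0.1:7657/
-     *  @since 0.9.33 consolidated from i2ptunnel and desktopgui
-     */
-    public String getConsoleURL() {
+     */
+    private String getHTTPConsoleURL() {
         String unset = "*unset*";
         String httpHost = getActualHost(SVC_CONSOLE, unset);
         String httpsHost = getActualHost(SVC_HTTPS_CONSOLE, unset);
         int httpPort = getPort(SVC_CONSOLE, 7657);
-        int httpsPort = getPort(SVC_HTTPS_CONSOLE, -1);
+        int httpsPort = getPort(SVC_HTTPS_CONSOLE);
         boolean httpsOnly = httpsPort > 0 && httpHost.equals(unset) && !httpsHost.equals(unset);
         if (httpsOnly)
@@ -194,4 +218,22 @@
             httpHost = "127.0.0.1";
         return "http://" + httpHost + ':' + httpPort + '/';
+    }
+
+    /**
+     *  @return https URL unless console is http only. Default https://127.0.0.1:7667/
+     *  @since 0.9.34
+     */
+    private String getHTTPSConsoleURL() {
+        String unset = "*unset*";
+        String httpHost = getActualHost(SVC_CONSOLE, unset);
+        String httpsHost = getActualHost(SVC_HTTPS_CONSOLE, unset);
+        int httpPort = getPort(SVC_CONSOLE);
+        int httpsPort = getPort(SVC_HTTPS_CONSOLE, 7667);
+        boolean httpOnly = httpPort > 0 && httpsHost.equals(unset) && !httpHost.equals(unset);
+        if (httpOnly)
+            return "http://" + httpHost + ':' + httpPort + '/';
+        if (httpsHost.equals(unset))
+            httpsHost = "127.0.0.1";
+        return "https://" + httpsHost + ':' + httpsPort + '/';
     }
 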
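Review bot: getHTTPSConsoleURL() still answers `https://127.0.0.1:7667/` when neither SVC_CONSOLE nor SVC_HTTPS_CONSOLE is registered, because httpOnly is only true when httpPort > 0; since getConsoleURL() now prefers HTTPS by default, a caller that asks before the console has registered, or on a router whose HTTPS listener is not running (assuming an unregistered service means a disabled listener), gets a link to a port that may not be open, where the old code fell back to the HTTP URL. Consider routing every no-HTTPS case through the existing HTTP helper: `if (httpOnly || httpsHost.equals(unset)) return getHTTPConsoleURL();`. Separately, the no-arg getConsoleURL() reads `I2PAppContext.getGlobalContext()` in a core utility that otherwise carries no context, so in a JVM hosting more than one router it will honour the wrong router's `routerconsole.preferHTTPS`; the javadoc should at least state that the property is read from the global context. The javadoc on the no-arg overload keeps `@since 0.9.33` but its default output changed from http to https here, which is worth a line for callers that parse the URL.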
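--- a/history.txt
+++ b/history.txt
@@ -1,2 +1,18 @@
+2018-02-20 zzz
+ * Console:
+   - Redirect to HTTPS if available (ticket #2160)
+   - Change all 302s to 303 or 307
+   - Change sendError() to setStatus() for 3xx responses
+ * Crypto: Backdate selfsigned cert to allow for clock skew
+ * Eepget: Handle 308
+
+2018-02-19 zzz
+ * Console:
+   - Change trac links (ticket #2014)
+   - Change selfsigned cert cname to localhost (ticket #2160)
+ * Crypto: Add IP addresses to selfsigned cert SAN (ticket #2160)
+ * Streaming: Don't exceed configured tag settings
+ * Time: More sanity checks on NTP responses
+
 2018-02-18 zzz
  * i2ptunnel: Retry accept after router soft restart (ticket #2003)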
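--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -19,5 +19,5 @@
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 7;
+    public final static long BUILD = 8;
 
     /** for example "-test" */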
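--- a/router/java/src/net/i2p/router/transport/TransportUtil.java
+++ b/router/java/src/net/i2p/router/transport/TransportUtil.java
@@ -240,5 +240,5 @@
                (!(port >= 6665 && port <= 6669)) && // IRC and alternates
                port != 6697 &&  // IRC+TLS
-               (!(port >= 7650 && port <= 7664)) && // standard I2P range
+               (!(port >= 7650 && port <= 7668)) && // standard I2P range
                port != 8998 &&  // mtn
                port != 9001 &&  // Tor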
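Review bot: The comment on the widened range still says only `// standard I2P range`, so the next reader cannot tell why the upper bound moved from 7664 to 7668 or which services the four new ports protect; the commit message names the HTTPS console and the eepsite, so the line should carry that, e.g. `(!(port >= 7650 && port <= 7668)) && // standard I2P range, incl. HTTPS console 7667`. The ports other than 7667 that the extension covers are not visible here, so list them only if the commit author can confirm them. isValidPort() starts and ends outside this hunk.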
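--- a/router/java/src/net/i2p/router/transport/udp/UDPEndpoint.java
+++ b/router/java/src/net/i2p/router/transport/udp/UDPEndpoint.java
@@ -118,5 +118,5 @@
             _log.error("Specified UDP port " + port + " is not valid, selecting a new port");
             // See isValidPort() for list
-            _log.error("Invalid ports are: 0-1023, 1900, 2049, 2827, 3659, 4045, 4444, 4445, 6000, 6665-6669, 6697, 7650-7664, 8998, 9001, 9030, 9050, 9100, 9150, 31000, 32000, 65536+");
+            _log.error("Invalid ports are: 0-1023, 1900, 2049, 2827, 3659, 4045, 4444, 4445, 6000, 6665-6669, 6697, 7650-7668, 8998, 9001, 9030, 9050, 9100, 9150, 31000, 32000, 65536+");
             port = -1;
         }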
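Review bot: The port list in this log message is a hand-copied duplicate of the conditions in TransportUtil.isValidPort(), as the preceding `// See isValidPort() for list` comment admits, and this commit had to touch both files to move one bound; the next change to isValidPort() that forgets this line leaves the operator-facing message wrong. Either hoist the list into a constant in TransportUtil that both the check and this message read, or shorten the message so it cannot drift: `_log.error("Invalid ports are listed in TransportUtil.isValidPort()");`. The enclosing method starts before this hunk.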