[Project] Drop HTTPS proxies as they are too intrusive to implement
authorVsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 18 Mar 2019 16:17:16 +0000 (16:17 +0000)
committerVsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 18 Mar 2019 16:17:16 +0000 (16:17 +0000)
Issue: #572

src/libutil/http_connection.c
src/libutil/http_context.c
src/libutil/http_context.h
src/libutil/http_private.h

index ea664f20da128f8c2c037175a54e48ee9c930dd8..72cc1d239fada1175e9505dd3e0c10ec8cc2fba6 100644 (file)
@@ -1165,58 +1165,29 @@ rspamd_http_connection_new_client (struct rspamd_http_context *ctx,
 {
        gint fd;
 
-       if (opts & RSPAMD_HTTP_CLIENT_ENCRYPTED) {
-               if (ctx->https_proxies) {
-                       struct upstream *up = rspamd_upstream_get (ctx->https_proxies,
-                                       RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
+       if (ctx->http_proxies) {
+               struct upstream *up = rspamd_upstream_get (ctx->http_proxies,
+                               RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
 
-                       if (up) {
-                               rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
+               if (up) {
+                       rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
 
-                               fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
+                       fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
 
-                               if (fd == -1) {
-                                       msg_info ("cannot connect to https proxy %s: %s",
-                                                       rspamd_inet_address_to_string (proxy_addr),
-                                                       strerror (errno));
-                                       rspamd_upstream_fail (up, TRUE);
-
-                                       return NULL;
-                               }
+                       if (fd == -1) {
+                               msg_info ("cannot connect to http proxy %s: %s",
+                                               rspamd_inet_address_to_string (proxy_addr),
+                                               strerror (errno));
+                               rspamd_upstream_fail (up, TRUE);
 
-                               return rspamd_http_connection_new_common (ctx, fd, body_handler,
-                                               error_handler, finish_handler, opts,
-                                               RSPAMD_HTTP_CLIENT,
-                                               RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
-                                               up);
+                               return NULL;
                        }
-               }
-       }
-       else {
-               if (ctx->http_proxies) {
-                       struct upstream *up = rspamd_upstream_get (ctx->http_proxies,
-                                       RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
-
-                       if (up) {
-                               rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
 
-                               fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
-
-                               if (fd == -1) {
-                                       msg_info ("cannot connect to http proxy %s: %s",
-                                                       rspamd_inet_address_to_string (proxy_addr),
-                                                       strerror (errno));
-                                       rspamd_upstream_fail (up, TRUE);
-
-                                       return NULL;
-                               }
-
-                               return rspamd_http_connection_new_common (ctx, fd, body_handler,
-                                               error_handler, finish_handler, opts,
-                                               RSPAMD_HTTP_CLIENT,
-                                               RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
-                                               up);
-                       }
+                       return rspamd_http_connection_new_common (ctx, fd, body_handler,
+                                       error_handler, finish_handler, opts,
+                                       RSPAMD_HTTP_CLIENT,
+                                       RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
+                                       up);
                }
        }
 
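Review bot: The proxy branch at `if (ctx->http_proxies)` no longer consults `opts`, so every client connection, including one created with `RSPAMD_HTTP_CLIENT_ENCRYPTED`, is dialled to the plain HTTP proxy whenever one is configured, and nothing in the new code says so. A comment above the branch would make that explicit, e.g. `/* A configured http proxy is used for all client connections; opts is not consulted here */`. The two failure modes also differ and deserve a line each: a NULL `up` falls through to the code after the hunk, while a failed connect returns NULL with no direct attempt. The function body continues past the end of the hunk, so the fall-through path is not visible here.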
@@ -1878,11 +1849,12 @@ rspamd_http_message_write_header (const gchar* mime_type, gboolean encrypted,
                        else {
                                if (conn->priv->flags & RSPAMD_HTTP_CONN_FLAG_PROXY) {
                                        rspamd_printf_fstring (buf,
-                                                       "%s http://%s:%d/%V HTTP/1.1\r\n"
+                                                       "%s %s://%s:%d/%V HTTP/1.1\r\n"
                                                        "Connection: %s\r\n"
                                                        "Host: %s\r\n"
                                                        "Content-Length: %z\r\n",
                                                        http_method_str (msg->method),
+                                                       (msg->flags & RSPAMD_HTTP_FLAG_SSL) ? "https" : "http",
                                                        host,
                                                        msg->port,
                                                        msg->url,
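Review bot: The scheme chosen by `(msg->flags & RSPAMD_HTTP_FLAG_SSL) ? "https" : "http"` depends on a flag that this same commit clears for proxied connections in rspamd_http_connection_write_message_common (`msg->flags &=~ RSPAMD_HTTP_FLAG_SSL;`). If the header is written after that clearing, which the hunks do not show, the `https` arm can never be taken on a proxy connection and an https target would be requested from the proxy as `http://host:port/...`. Recording the requested scheme before the flag is cleared, for instance in a connection-level flag, and testing that here would remove the dependency on call order. The rspamd_printf_fstring call and its enclosing function start and end outside the hunk.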
@@ -2243,6 +2215,11 @@ rspamd_http_connection_write_message_common (struct rspamd_http_connection *conn
 
        priv->flags &= ~RSPAMD_HTTP_CONN_FLAG_RESETED;
 
+       if (priv->flags & RSPAMD_HTTP_CONN_FLAG_PROXY) {
+               /* We need to disable SSL flag! */
+               msg->flags &=~ RSPAMD_HTTP_FLAG_SSL;
+       }
+
        if (rspamd_event_pending (&priv->ev, EV_TIMEOUT|EV_WRITE|EV_READ)) {
                event_del (&priv->ev);
        }
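Review bot: Clearing `RSPAMD_HTTP_FLAG_SSL` here edits the caller's message in place and downgrades the connection silently: a request for an https URL is written to the proxy socket without TLS, so its headers and body are readable by the proxy and on the network path to it. The existing comment does not explain this; I would replace it with `/* Proxy hop is plain HTTP: the proxy performs the https fetch, so no TLS is negotiated on this socket */` and emit a debug-level log line when the flag was actually set, so operators can see which requests lost TLS on the first hop. The statement is also easier to read as `msg->flags &= ~RSPAMD_HTTP_FLAG_SSL;`. The enclosing function starts and ends outside the hunk.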
index 18c89c6bcee9dfc8fe56bfb294db2aa8edb1ea39..b3a30889135add229a8d341acd639f3f70611d35 100644 (file)
@@ -203,11 +203,6 @@ rspamd_http_context_init (struct rspamd_http_context *ctx)
                                &ctx->http_proxies);
        }
 
-       if (ctx->config.https_proxy) {
-               rspamd_http_context_parse_proxy (ctx, ctx->config.https_proxy,
-                               &ctx->https_proxies);
-       }
-
        default_ctx = ctx;
 }
 
@@ -270,13 +265,6 @@ rspamd_http_context_create (struct rspamd_config *cfg,
                        if (http_proxy) {
                                ctx->config.http_proxy = ucl_object_tostring (http_proxy);
                        }
-
-                       const ucl_object_t *https_proxy;
-                       https_proxy = ucl_object_lookup (client_obj, "https_proxy");
-
-                       if (https_proxy) {
-                               ctx->config.https_proxy = ucl_object_tostring (https_proxy);
-                       }
                }
 
                server_obj = ucl_object_lookup (http_obj, "server");
@@ -340,6 +328,10 @@ rspamd_http_context_free (struct rspamd_http_context *ctx)
 
        kh_destroy (rspamd_keep_alive_hash, ctx->keep_alive_hash);
 
+       if (ctx->http_proxies) {
+               rspamd_upstreams_destroy (ctx->http_proxies);
+       }
+
        g_free (ctx);
 }
 
index 6abd666516ff735047e5cc711b42c05ebacacbde..4cf07fb48caa45d4c43da98479756cae009cc063 100644 (file)
@@ -36,7 +36,6 @@ struct rspamd_http_context_cfg {
        gdouble client_key_rotate_time;
        const gchar *user_agent;
        const gchar *http_proxy;
-       const gchar *https_proxy;
 };
 
 /**
index fbc4c17e38536a95bdecca4c4bb20f5af230d387..368715891b54af5d418c2f95e215a34b0d66ae26 100644 (file)
@@ -98,7 +98,6 @@ struct rspamd_http_context {
        struct rspamd_keypair_cache *server_kp_cache;
        struct upstream_ctx *ups_ctx;
        struct upstream_list *http_proxies;
-       struct upstream_list *https_proxies;
        gpointer ssl_ctx;
        gpointer ssl_ctx_noverify;
        struct event_base *ev_base;