[Project] Drop HTTPS proxies as they are too intrusive to implement

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Mon, 18 Mar 2019 16:17:16 +0000 (16:17 +0000)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Mon, 18 Mar 2019 16:17:16 +0000 (16:17 +0000)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 18 Mar 2019 16:17:16 +0000 (16:17 +0000)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 18 Mar 2019 16:17:16 +0000 (16:17 +0000)
diff --git a/src/libutil/http_connection.c b/src/libutil/http_connection.c

index ea664f20da128f8c2c037175a54e48ee9c930dd8..72cc1d239fada1175e9505dd3e0c10ec8cc2fba6 100644 (file)
--- a/src/libutil/http_connection.c
+++ b/src/libutil/http_connection.c
@@ -1165,58 +1165,29 @@ rspamd_http_connection_new_client (struct rspamd_http_context *ctx,
  {
         gint fd;
  
-       if (opts & RSPAMD_HTTP_CLIENT_ENCRYPTED) {
-               if (ctx->https_proxies) {
-                       struct upstream *up = rspamd_upstream_get (ctx->https_proxies,
-                                       RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
+       if (ctx->http_proxies) {
+               struct upstream *up = rspamd_upstream_get (ctx->http_proxies,
+                               RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
  
-                       if (up) {
-                               rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
+               if (up) {
+                       rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
  
-                               fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
+                       fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
  
-                               if (fd == -1) {
-                                       msg_info ("cannot connect to https proxy %s: %s",
-                                                       rspamd_inet_address_to_string (proxy_addr),
-                                                       strerror (errno));
-                                       rspamd_upstream_fail (up, TRUE);
-
-                                       return NULL;
-                               }
+                       if (fd == -1) {
+                               msg_info ("cannot connect to http proxy %s: %s",
+                                               rspamd_inet_address_to_string (proxy_addr),
+                                               strerror (errno));
+                               rspamd_upstream_fail (up, TRUE);
  
-                               return rspamd_http_connection_new_common (ctx, fd, body_handler,
-                                               error_handler, finish_handler, opts,
-                                               RSPAMD_HTTP_CLIENT,
-                                               RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
-                                               up);
+                               return NULL;
                         }
-               }
-       }
-       else {
-               if (ctx->http_proxies) {
-                       struct upstream *up = rspamd_upstream_get (ctx->http_proxies,
-                                       RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);
-
-                       if (up) {
-                               rspamd_inet_addr_t *proxy_addr = rspamd_upstream_addr_next (up);
  
-                               fd = rspamd_inet_address_connect (proxy_addr, SOCK_STREAM, TRUE);
-
-                               if (fd == -1) {
-                                       msg_info ("cannot connect to http proxy %s: %s",
-                                                       rspamd_inet_address_to_string (proxy_addr),
-                                                       strerror (errno));
-                                       rspamd_upstream_fail (up, TRUE);
-
-                                       return NULL;
-                               }
-
-                               return rspamd_http_connection_new_common (ctx, fd, body_handler,
-                                               error_handler, finish_handler, opts,
-                                               RSPAMD_HTTP_CLIENT,
-                                               RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
-                                               up);
-                       }
+                       return rspamd_http_connection_new_common (ctx, fd, body_handler,
+                                       error_handler, finish_handler, opts,
+                                       RSPAMD_HTTP_CLIENT,
+                                       RSPAMD_HTTP_CONN_OWN_SOCKET|RSPAMD_HTTP_CONN_FLAG_PROXY,
+                                       up);
                 }
         }
  
@@ -1878,11 +1849,12 @@ rspamd_http_message_write_header (const gchar* mime_type, gboolean encrypted,
                         else {
                                 if (conn->priv->flags & RSPAMD_HTTP_CONN_FLAG_PROXY) {
                                         rspamd_printf_fstring (buf,
-                                                       "%s http://%s:%d/%V HTTP/1.1\r\n"
+                                                       "%s %s://%s:%d/%V HTTP/1.1\r\n"
                                                         "Connection: %s\r\n"
                                                         "Host: %s\r\n"
                                                         "Content-Length: %z\r\n",
                                                         http_method_str (msg->method),
+                                                       (msg->flags & RSPAMD_HTTP_FLAG_SSL) ? "https" : "http",
                                                         host,
                                                         msg->port,
                                                         msg->url,
@@ -2243,6 +2215,11 @@ rspamd_http_connection_write_message_common (struct rspamd_http_connection *conn
  
         priv->flags &= ~RSPAMD_HTTP_CONN_FLAG_RESETED;
  
+       if (priv->flags & RSPAMD_HTTP_CONN_FLAG_PROXY) {
+               /* We need to disable SSL flag! */
+               msg->flags &=~ RSPAMD_HTTP_FLAG_SSL;
+       }
+
         if (rspamd_event_pending (&priv->ev, EV_TIMEOUT|EV_WRITE|EV_READ)) {
                 event_del (&priv->ev);
         }
diff --git a/src/libutil/http_context.c b/src/libutil/http_context.c

index 18c89c6bcee9dfc8fe56bfb294db2aa8edb1ea39..b3a30889135add229a8d341acd639f3f70611d35 100644 (file)
--- a/src/libutil/http_context.c
+++ b/src/libutil/http_context.c
@@ -203,11 +203,6 @@ rspamd_http_context_init (struct rspamd_http_context *ctx)
                                 &ctx->http_proxies);
         }
  
-       if (ctx->config.https_proxy) {
-               rspamd_http_context_parse_proxy (ctx, ctx->config.https_proxy,
-                               &ctx->https_proxies);
-       }
-
         default_ctx = ctx;
  }
  
@@ -270,13 +265,6 @@ rspamd_http_context_create (struct rspamd_config *cfg,
                         if (http_proxy) {
                                 ctx->config.http_proxy = ucl_object_tostring (http_proxy);
                         }
-
-                       const ucl_object_t *https_proxy;
-                       https_proxy = ucl_object_lookup (client_obj, "https_proxy");
-
-                       if (https_proxy) {
-                               ctx->config.https_proxy = ucl_object_tostring (https_proxy);
-                       }
                 }
  
                 server_obj = ucl_object_lookup (http_obj, "server");
@@ -340,6 +328,10 @@ rspamd_http_context_free (struct rspamd_http_context *ctx)
  
         kh_destroy (rspamd_keep_alive_hash, ctx->keep_alive_hash);
  
+       if (ctx->http_proxies) {
+               rspamd_upstreams_destroy (ctx->http_proxies);
+       }
+
         g_free (ctx);
  }
  
diff --git a/src/libutil/http_context.h b/src/libutil/http_context.h

index 6abd666516ff735047e5cc711b42c05ebacacbde..4cf07fb48caa45d4c43da98479756cae009cc063 100644 (file)
--- a/src/libutil/http_context.h
+++ b/src/libutil/http_context.h
@@ -36,7 +36,6 @@ struct rspamd_http_context_cfg {
         gdouble client_key_rotate_time;
         const gchar *user_agent;
         const gchar *http_proxy;
-       const gchar *https_proxy;
  };
  
  /**
diff --git a/src/libutil/http_private.h b/src/libutil/http_private.h

index fbc4c17e38536a95bdecca4c4bb20f5af230d387..368715891b54af5d418c2f95e215a34b0d66ae26 100644 (file)
--- a/src/libutil/http_private.h
+++ b/src/libutil/http_private.h
@@ -98,7 +98,6 @@ struct rspamd_http_context {
         struct rspamd_keypair_cache *server_kp_cache;
         struct upstream_ctx *ups_ctx;
         struct upstream_list *http_proxies;
-       struct upstream_list *https_proxies;
         gpointer ssl_ctx;
         gpointer ssl_ctx_noverify;
         struct event_base *ev_base;
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Mon, 18 Mar 2019 16:17:16 +0000 (16:17 +0000)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Mon, 18 Mar 2019 16:17:16 +0000 (16:17 +0000)
src/libutil/http_connection.c		patch \| blob \| history
src/libutil/http_context.c		patch \| blob \| history
src/libutil/http_context.h		patch \| blob \| history
src/libutil/http_private.h		patch \| blob \| history