echelon/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Console: Redirect to HTTPS if available (ticket #2160)

Browse Source 
Show console links as HTTPS if available
Extend blacklisted ports to cover HTTPS console and eepsite
This commit is contained in:
zzz
2018-02-20 20:19:34 +00:00
parent 33ea4cf571
commit f00bf7d2cb
6 changed files with 120 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
apps/routerconsole/java/src/net/i2p/router/web/HostCheckHandler.java
View File

@ -11,6 +11,7 @@ import javax.servlet.http.HttpServletResponse;
import net.i2p.I2PAppContext;
import net.i2p.data.DataHelper;
import net.i2p.util.Log;
import net.i2p.util.PortMapper;
import org.apache.http.conn.util.InetAddressUtils;
@ -29,7 +30,9 @@ import org.eclipse.jetty.server.handler.HandlerWrapper;
public class HostCheckHandler extends HandlerWrapper
{
private final I2PAppContext _context;
private final PortMapper _portMapper;
private final Set<String> _listenHosts;
private static final String PROP_REDIRECT = "routerconsole.redirectToHTTPS";
/**
* MUST call setListenHosts() afterwards.
@ -37,6 +40,7 @@ public class HostCheckHandler extends HandlerWrapper
public HostCheckHandler(I2PAppContext ctx) {
super();
_context = ctx;
_portMapper = ctx.portMapper();
_listenHosts = new HashSet<String>(8);
}
@ -53,7 +57,9 @@ public class HostCheckHandler extends HandlerWrapper
}
/**
* Block by Host header, pass everything else to the delegate.
* Block by Host header,
* redirect HTTP to HTTPS,
* pass everything else to the delegate.
*/
public void handle(String pathInContext,
Request baseRequest,
@ -75,6 +81,22 @@ public class HostCheckHandler extends HandlerWrapper
return;
}
// redirect HTTP to HTTPS if available, AND:
// either 1) PROP_REDIRECT is set to true;
// or 2) PROP_REDIRECT is unset and the Upgrade-Insecure-Requests request header is set
// https://w3c.github.io/webappsec-upgrade-insecure-requests/
if (!httpRequest.isSecure()) {
int httpsPort = _portMapper.getPort(PortMapper.SVC_HTTPS_CONSOLE);
if (httpsPort > 0 && httpRequest.getLocalPort() != httpsPort) {
String redir = _context.getProperty(PROP_REDIRECT);
if (Boolean.valueOf(redir) ||
(redir == null && "1".equals(httpRequest.getHeader("Upgrade-Insecure-Requests")))) {
sendRedirect(httpsPort, httpRequest, httpResponse);
return;
}
}
}
super.handle(pathInContext, baseRequest, httpRequest, httpResponse);
}
@ -91,7 +113,11 @@ public class HostCheckHandler extends HandlerWrapper
return true;
// common cases
if (host.equals("127.0.0.1:7657") ||
host.equals("localhost:7657"))
host.equals("localhost:7657") ||
host.equals("[::1]:7657") ||
host.equals("127.0.0.1:7667") ||
host.equals("localhost:7667") ||
host.equals("[::1]:7667"))
return true;
// all allowed?
if (_listenHosts.isEmpty())
@ -124,4 +150,32 @@ public class HostCheckHandler extends HandlerWrapper
}
return host;
}
/**
* Redirect to HTTPS
*
* @since 0.9.34
*/
private static void sendRedirect(int httpsPort, HttpServletRequest httpRequest,
HttpServletResponse httpResponse) throws IOException {
StringBuilder buf = new StringBuilder(64);
buf.append("https://");
String name = httpRequest.getServerName();
boolean ipv6 = name.indexOf(':') >= 0 && !name.startsWith("[");
if (ipv6)
buf.append('[');
buf.append(name);
if (ipv6)
buf.append(']');
buf.append(':').append(httpsPort)
.append(httpRequest.getRequestURI());
String q = httpRequest.getQueryString();
if (q != null)
buf.append('?').append(q);
httpResponse.setHeader("Location", buf.toString());
// https://w3c.github.io/webappsec-upgrade-insecure-requests/
httpResponse.setHeader("Vary", "Upgrade-Insecure-Requests");
httpResponse.setStatus(307);
httpResponse.flushBuffer();
}
}