From 80d9e7424cc7ede818e4f6c6b5edabc6aeee9343 Mon Sep 17 00:00:00 2001
From: Randall Meyer
Date: Tue, 23 Jun 2020 14:12:12 -0700
Subject: [PATCH] Move to blocklists and allowlists
NOTE: This is backwards compatibility breaking. proxy.config.http.proxy_protocol_whitelist renamed to proxy.config.http.proxy_protocol_allowlist
---
 doc/admin-guide/configuration/proxy-protocol.en.rst | 2 +-
 doc/admin-guide/files/records.config.en.rst | 4 ++--
 iocore/net/SSLNetVConnection.cc | 8 ++++----
 mgmt/RecordsConfig.cc | 2 +-
 proxy/ProtocolProbeSessionAccept.cc | 10 +++++-----
 proxy/http/HttpConfig.cc | 2 +-
 tests/gold_tests/ip_allow/ip_allow.test.py | 6 +++---
 7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/doc/admin-guide/configuration/proxy-protocol.en.rst b/doc/admin-guide/configuration/proxy-protocol.en.rst
index 64a0bc2fe2c..cc924062a31 100644
--- a/doc/admin-guide/configuration/proxy-protocol.en.rst
+++ b/doc/admin-guide/configuration/proxy-protocol.en.rst
@@ -45,7 +45,7 @@ with the PROXY v1 header. Any request not preface by this header will be
 dropped.
 As a security measure, an optional whitelist of trusted IP addresses may be
-configured with :ts:cv:`proxy.config.http.proxy_protocol_whitelist`.
+configured with :ts:cv:`proxy.config.http.proxy_protocol_allowlist`.
 .. important::
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index f24c359d51e..a32fc7c9ef8 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -1770,9 +1770,9 @@ Proxy User Variables is prohibited by RFC 7239. Currently, for the ``host`` parameter to provide the original host from the incoming client request, `proxy.config.url_remap.pristine_host_hdr`_ must be enabled.
-.. ts:cv:: CONFIG proxy.config.http.proxy_protocol_whitelist STRING ``````
+.. ts:cv:: CONFIG proxy.config.http.proxy_protocol_allowlist STRING ``````
- This defines a whitelist of server IPs that are trusted to provide
+ This defines a allowlist of server IPs that are trusted to provide
 connections with Proxy Protocol information. This is a comma delimited list of IP addresses. Addressed may be listed individually, in a range separated by a dash or by using CIDR notation.
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 5209a936f68..8e8976cb71a 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -410,7 +410,7 @@ SSLNetVConnection::read_raw_data()
 if (this->get_is_proxy_protocol()) {
 Debug("proxyprotocol", "proxy protocol is enabled on this port");
 if (pp_ipmap->count() > 0) {
- Debug("proxyprotocol", "proxy protocol has a configured whitelist of trusted IPs - checking");
+ Debug("proxyprotocol", "proxy protocol has a configured allowlist of trusted IPs - checking");
 // At this point, using get_remote_addr() will return the ip of the
 // proxy source IP, not the Proxy Protocol client ip. Since we are
@@ -418,17 +418,17 @@ SSLNetVConnection::read_raw_data()
 // what we want now.
 void *payload = nullptr;
 if (!pp_ipmap->contains(get_remote_addr(), &payload)) {
- Debug("proxyprotocol", "proxy protocol src IP is NOT in the configured whitelist of trusted IPs - "
+ Debug("proxyprotocol", "proxy protocol src IP is NOT in the configured allowlist of trusted IPs - "
 "closing connection");
 r = -ENOTCONN; // Need a quick close/exit here to refuse the connection!!!!!!!!!
 goto proxy_protocol_bypass;
 } else {
 char new_host[INET6_ADDRSTRLEN];
- Debug("proxyprotocol", "Source IP [%s] is in the trusted whitelist for proxy protocol",
+ Debug("proxyprotocol", "Source IP [%s] is in the trusted allowlist for proxy protocol",
 ats_ip_ntop(this->get_remote_addr(), new_host, sizeof(new_host)));
 }
 } else {
- Debug("proxyprotocol", "proxy protocol DOES NOT have a configured whitelist of trusted IPs but "
+ Debug("proxyprotocol", "proxy protocol DOES NOT have a configured allowlist of trusted IPs but "
 "proxy protocol is enabled on this port - processing all connections");
 }
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 23cb77491e8..1ab7c54e61b 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -527,7 +527,7 @@ static const RecordElement RecordsConfig[] =
 ,
 {RECT_CONFIG, "proxy.config.http.insert_forwarded", RECD_STRING, "none", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
 ,
- {RECT_CONFIG, "proxy.config.http.proxy_protocol_whitelist", RECD_STRING, "none", RECU_NULL, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+ {RECT_CONFIG, "proxy.config.http.proxy_protocol_allowlist", RECD_STRING, "none", RECU_NULL, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
 ,
 {RECT_CONFIG, "proxy.config.http.insert_age_in_response", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
diff --git a/proxy/ProtocolProbeSessionAccept.cc b/proxy/ProtocolProbeSessionAccept.cc
index d2fd1ca3304..ac210f0091f 100644
--- a/proxy/ProtocolProbeSessionAccept.cc
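Review bot: The refusal path on the `r = -ENOTCONN;` / `goto proxy_protocol_bypass;` lines is reported only through `Debug("proxyprotocol", ...)`, so a peer that is not in the allowlist yet sends a PROXY header is dropped without any trace unless that debug tag is turned on in production. A rejected PROXY header from an unlisted source is precisely the event an operator needs to see, so I would add a non-debug log line or a counter next to the edited debug message, carrying the source address that `ats_ip_ntop(this->get_remote_addr(), new_host, sizeof(new_host))` already formats in the else branch. The same applies to the `goto done;` branch of the ProtocolProbeTrampoline hunk in proxy/ProtocolProbeSessionAccept.cc. read_raw_data begins and ends outside the hunk.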
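Review bot: Replacing the `proxy.config.http.proxy_protocol_whitelist` record outright, with no alias, means a records.config carried across the upgrade is silently ignored: `c.config_proxy_protocol_ipmap` stays empty, and the `pp_ipmap->count() > 0` checks in SSLNetVConnection::read_raw_data and ProtocolProbeTrampoline then take the "DOES NOT have a configured allowlist ... processing all connections" path, so the source-IP restriction fails open instead of closed. The HttpConfig::startup hunk in proxy/http/HttpConfig.cc has the same gap. I would keep the old entry registered for a deprecation period (a second `{RECT_CONFIG, "proxy.config.http.proxy_protocol_whitelist", RECD_STRING, "none", RECU_NULL, RR_NULL, RECC_NULL, nullptr, RECA_NULL}` row beside the new one) and have startup fall back to it with a deprecation warning when the new key is unset, e.g. `if (c.config_proxy_protocol_ipmap.count() == 0) { RecHttpLoadIpMap("proxy.config.http.proxy_protocol_whitelist", c.config_proxy_protocol_ipmap); }` — assuming RecHttpLoadIpMap leaves the map untouched for an unset record, which I cannot confirm from the hunk.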
+++ b/proxy/ProtocolProbeSessionAccept.cc
@@ -94,7 +94,7 @@ struct ProtocolProbeTrampoline : public Continuation, public ProtocolProbeSessio
 }
 // if proxy_protocol is enabled via port descriptor AND the src IP is in
- // the trusted whitelist for proxy protocol, then check to see if it is
+ // the trusted allowlist for proxy protocol, then check to see if it is
 // present
 IpMap *pp_ipmap;
@@ -103,20 +103,20 @@ struct ProtocolProbeTrampoline : public Continuation, public ProtocolProbeSessio
 if (netvc->get_is_proxy_protocol()) {
 Debug("proxyprotocol", "ioCompletionEvent: proxy protocol is enabled on this port");
 if (pp_ipmap->count() > 0) {
- Debug("proxyprotocol", "ioCompletionEvent: proxy protocol has a configured whitelist of trusted IPs - checking");
+ Debug("proxyprotocol", "ioCompletionEvent: proxy protocol has a configured allowlist of trusted IPs - checking");
 void *payload = nullptr;
 if (!pp_ipmap->contains(netvc->get_remote_addr(), &payload)) {
 Debug("proxyprotocol",
- "ioCompletionEvent: proxy protocol src IP is NOT in the configured whitelist of trusted IPs - closing connection");
+ "ioCompletionEvent: proxy protocol src IP is NOT in the configured allowlist of trusted IPs - closing connection");
 goto done;
 } else {
 char new_host[INET6_ADDRSTRLEN];
- Debug("proxyprotocol", "ioCompletionEvent: Source IP [%s] is trusted in the whitelist for proxy protocol",
+ Debug("proxyprotocol", "ioCompletionEvent: Source IP [%s] is trusted in the allowlist for proxy protocol",
 ats_ip_ntop(netvc->get_remote_addr(), new_host, sizeof(new_host)));
 }
 } else {
 Debug("proxyprotocol",
- "ioCompletionEvent: proxy protocol DOES NOT have a configured whitelist of trusted IPs but proxy protocol is "
+ "ioCompletionEvent: proxy protocol DOES NOT have a configured allowlist of trusted IPs but proxy protocol is "
 "ernabled on this port - processing all connections");
 }
diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
index 0e6409acd80..97f7d23e513 100644
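Review bot: The continuation line `"ernabled on this port - processing all connections");` at the end of the last edited Debug call still misspells "enabled"; since the commit rewrites the preceding line of that same literal, it should be fixed in the same pass: `"enabled on this port - processing all connections");`. More broadly, this hunk and the SSLNetVConnection::read_raw_data hunk carry the same allowlist check with near-identical message text, edited in lockstep by this commit; pulling the check and its messages into one helper (for example on the NetVConnection that both paths already hold) would keep the two copies from drifting, as the typo shows they already have. ProtocolProbeTrampoline's ioCompletionEvent begins and ends outside the hunk.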
--- a/proxy/http/HttpConfig.cc
+++ b/proxy/http/HttpConfig.cc
@@ -1067,7 +1067,7 @@ HttpConfig::startup()
 RecHttpLoadIp("proxy.local.incoming_ip_to_bind", c.inbound_ip4, c.inbound_ip6);
 RecHttpLoadIp("proxy.local.outgoing_ip_to_bind", c.outbound_ip4, c.outbound_ip6);
- RecHttpLoadIpMap("proxy.config.http.proxy_protocol_whitelist", c.config_proxy_protocol_ipmap);
+ RecHttpLoadIpMap("proxy.config.http.proxy_protocol_allowlist", c.config_proxy_protocol_ipmap);
 SSLConfigInit(&c.config_proxy_protocol_ipmap);
 HttpEstablishStaticConfigLongLong(c.server_max_connections, "proxy.config.http.server_max_connections");
diff --git a/tests/gold_tests/ip_allow/ip_allow.test.py b/tests/gold_tests/ip_allow/ip_allow.test.py
index 5e4b5d69185..59c3daf4c7b 100644
--- a/tests/gold_tests/ip_allow/ip_allow.test.py
+++ b/tests/gold_tests/ip_allow/ip_allow.test.py
@@ -141,7 +141,7 @@
 "The PUSH request should be denied by ip_allow")
 #
-# TEST 1: Perform a GET request. Should be allowed because GET is in the whitelist.
+# TEST 1: Perform a GET request. Should be allowed because GET is in the allowlist.
 #
 tr = Test.AddTestRun()
 tr.Processes.Default.StartBefore(server, ready=When.PortOpen(server.Variables.SSL_Port))
@@ -156,7 +156,7 @@
 #
 # TEST 2: Perform a CONNECT request. Should not be allowed because CONNECT is
-# not in the whitelist.
+# not in the allowlist.
 #
 tr = Test.AddTestRun()
 tr.Processes.Default.Command = ('curl --verbose -X CONNECT -H "Host: localhost" http://localhost:{ts_port}/connect'.
@@ -168,7 +168,7 @@
 #
 # TEST 3: Perform a PUSH request over HTTP/2. Should not be allowed because
-# PUSH is not in the whitelist.
+# PUSH is not in the allowlist.
 #
 tr = Test.AddTestRun()
 tr.Processes.Default.Command = ('curl --http2 --verbose -k -X PUSH -H "Host: localhost" https://localhost:{ts_port}/h2_push'.