- Update CHANGELOG

- Add tests for the etags functionality

Signed-off-by: Valery Piashchynski <[email protected]>

9 files changed, 490 insertions, 236 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47e2a940..ca0758b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,24 @@
 CHANGELOG
 =========
 
+v2.2.0 (11.05.2021)
+-------------------
+
+## 👀 New:
+
+- ✏️ Reworked `static` plugin. Now, it does not affect the performance of the main route and persist on the separate
+  file server (within the `http` plugin). Looong awaited feature: `Etag` (+ weak Etags) as well with the `If-Mach`
+  , `If-None-Match`, `If-Range`, `Last-Modified`
+  and `If-Modified-Since` tags supported. Static plugin has a bunch of new options such as: `allow`, `calculate_etag`
+  , `weak` and `pattern`.
+  ### Option `always` was deleted from the plugin.
+
+- ✏️
+
+## 🩹 Fixes:
+
+- 🐛 Fix: issue with wrong ordered middlewares (reverse). Now the order is correct.
+
 v2.1.0 (27.04.2021)
 -------------------
 
diff --git a/pkg/worker_watcher/worker_watcher.go b/pkg/worker_watcher/worker_watcher.go
index a6dfe43e..5aec4ee6 100755
--- a/pkg/worker_watcher/worker_watcher.go
+++ b/pkg/worker_watcher/worker_watcher.go
@@ -153,7 +153,7 @@ func (ww *workerWatcher) Allocate() error {
 	return nil
 }
 
-// Remove
+// Remove worker
 func (ww *workerWatcher) Remove(wb worker.BaseProcess) {
 	ww.Lock()
 	defer ww.Unlock()
@@ -172,7 +172,7 @@ func (ww *workerWatcher) Remove(wb worker.BaseProcess) {
 	}
 }
 
-// O(1) operation
+// Push O(1) operation
 func (ww *workerWatcher) Push(w worker.BaseProcess) {
 	if w.State().Value() != worker.StateReady {
 		_ = w.Kill()
diff --git a/plugins/http/config/static.go b/plugins/http/config/static.go
index e9acc3e4..4b7b3a9b 100644
--- a/plugins/http/config/static.go
+++ b/plugins/http/config/static.go
@@ -17,6 +17,12 @@ type Static struct {
 	// Default - /static/
 	Pattern string
 
+	// CalculateEtag can be true/false and used to calculate etag for the static
+	CalculateEtag bool `mapstructure:"calculate_etag"`
+
+	// Weak etag `W/`
+	Weak bool
+
 	// forbid specifies list of file extensions which are forbidden for access.
 	// example: .php, .exe, .bat, .htaccess and etc.
 	Forbid []string
diff --git a/plugins/http/plugin.go b/plugins/http/plugin.go
index 33efaf37..58336c17 100644
--- a/plugins/http/plugin.go
+++ b/plugins/http/plugin.go
@@ -2,15 +2,11 @@ package http
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"net/http"
-	"net/http/fcgi"
-	"net/url"
-	"strings"
+	"os"
+	"path/filepath"
 	"sync"
 
 	"github.com/hashicorp/go-multierror"
@@ -27,10 +23,8 @@ import (
 	"github.com/spiral/roadrunner/v2/plugins/logger"
 	"github.com/spiral/roadrunner/v2/plugins/server"
 	"github.com/spiral/roadrunner/v2/plugins/status"
-	"github.com/spiral/roadrunner/v2/utils"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
-	"golang.org/x/sys/cpu"
 )
 
 const (
@@ -190,10 +184,22 @@ func (s *Plugin) serve(errCh chan error) { //nolint:gocognit
 				}
 			}
 
+			// calculate etag for the resource
+			if s.cfg.Static.CalculateEtag {
+				f, errS := os.Open(filepath.Join(s.cfg.Static.Dir, r.URL.Path))
+				if errS != nil {
+					s.log.Warn("error opening file to calculate the Etag", "provided path", r.URL.Path)
+				}
+
+				// Set etag value to the ResponseWriter
+				static.SetEtag(s.cfg.Static, f, w)
+			}
+
 			h.ServeHTTP(w, r)
 		})
 	}
 
+	// handle main route
 	mux.HandleFunc("/", s.ServeHTTP)
 
 	if s.cfg.EnableHTTP() {
@@ -241,78 +247,6 @@ func (s *Plugin) serve(errCh chan error) { //nolint:gocognit
 	}()
 }
 
-func (s *Plugin) serveHTTP(errCh chan error) {
-	if s.http == nil {
-		return
-	}
-	const op = errors.Op("http_plugin_serve_http")
-
-	if len(s.mdwr) > 0 {
-		applyMiddlewares(s.http, s.mdwr, s.cfg.Middleware, s.log)
-	}
-	l, err := utils.CreateListener(s.cfg.Address)
-	if err != nil {
-		errCh <- errors.E(op, err)
-		return
-	}
-
-	err = s.http.Serve(l)
-	if err != nil && err != http.ErrServerClosed {
-		errCh <- errors.E(op, err)
-		return
-	}
-}
-
-func (s *Plugin) serveHTTPS(errCh chan error) {
-	if s.https == nil {
-		return
-	}
-	const op = errors.Op("http_plugin_serve_https")
-	if len(s.mdwr) > 0 {
-		applyMiddlewares(s.https, s.mdwr, s.cfg.Middleware, s.log)
-	}
-	l, err := utils.CreateListener(s.cfg.SSLConfig.Address)
-	if err != nil {
-		errCh <- errors.E(op, err)
-		return
-	}
-
-	err = s.https.ServeTLS(
-		l,
-		s.cfg.SSLConfig.Cert,
-		s.cfg.SSLConfig.Key,
-	)
-
-	if err != nil && err != http.ErrServerClosed {
-		errCh <- errors.E(op, err)
-		return
-	}
-}
-
-// serveFCGI starts FastCGI server.
-func (s *Plugin) serveFCGI(errCh chan error) {
-	if s.fcgi == nil {
-		return
-	}
-	const op = errors.Op("http_plugin_serve_fcgi")
-
-	if len(s.mdwr) > 0 {
-		applyMiddlewares(s.https, s.mdwr, s.cfg.Middleware, s.log)
-	}
-
-	l, err := utils.CreateListener(s.cfg.FCGIConfig.Address)
-	if err != nil {
-		errCh <- errors.E(op, err)
-		return
-	}
-
-	err = fcgi.Serve(l, s.fcgi.Handler)
-	if err != nil && err != http.ErrServerClosed {
-		errCh <- errors.E(op, err)
-		return
-	}
-}
-
 // Stop stops the http.
 func (s *Plugin) Stop() error {
 	s.Lock()
@@ -498,155 +432,3 @@ func (s *Plugin) Ready() status.Status {
 		Code: http.StatusServiceUnavailable,
 	}
 }
-
-func (s *Plugin) redirect(w http.ResponseWriter, r *http.Request) {
-	target := &url.URL{
-		Scheme: HTTPSScheme,
-		// host or host:port
-		Host:     s.tlsAddr(r.Host, false),
-		Path:     r.URL.Path,
-		RawQuery: r.URL.RawQuery,
-	}
-
-	http.Redirect(w, r, target.String(), http.StatusPermanentRedirect)
-}
-
-// https://golang.org/pkg/net/http/#Hijacker
-//go:inline
-func headerContainsUpgrade(r *http.Request) bool {
-	if _, ok := r.Header["Upgrade"]; ok {
-		return true
-	}
-	return false
-}
-
-// append RootCA to the https server TLS config
-func (s *Plugin) appendRootCa() error {
-	const op = errors.Op("http_plugin_append_root_ca")
-	rootCAs, err := x509.SystemCertPool()
-	if err != nil {
-		return nil
-	}
-	if rootCAs == nil {
-		rootCAs = x509.NewCertPool()
-	}
-
-	CA, err := ioutil.ReadFile(s.cfg.SSLConfig.RootCA)
-	if err != nil {
-		return err
-	}
-
-	// should append our CA cert
-	ok := rootCAs.AppendCertsFromPEM(CA)
-	if !ok {
-		return errors.E(op, errors.Str("could not append Certs from PEM"))
-	}
-	// disable "G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)"
-	// #nosec G402
-	cfg := &tls.Config{
-		InsecureSkipVerify: false,
-		RootCAs:            rootCAs,
-	}
-	s.http.TLSConfig = cfg
-
-	return nil
-}
-
-// Init https server
-func (s *Plugin) initSSL() *http.Server {
-	var topCipherSuites []uint16
-	var defaultCipherSuitesTLS13 []uint16
-
-	hasGCMAsmAMD64 := cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
-	hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
-	// Keep in sync with crypto/aes/cipher_s390x.go.
-	hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
-
-	hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
-
-	if hasGCMAsm {
-		// If AES-GCM hardware is provided then priorities AES-GCM
-		// cipher suites.
-		topCipherSuites = []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		}
-		defaultCipherSuitesTLS13 = []uint16{
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-		}
-	} else {
-		// Without AES-GCM hardware, we put the ChaCha20-Poly1305
-		// cipher suites first.
-		topCipherSuites = []uint16{
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		}
-		defaultCipherSuitesTLS13 = []uint16{
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-		}
-	}
-
-	DefaultCipherSuites := make([]uint16, 0, 22)
-	DefaultCipherSuites = append(DefaultCipherSuites, topCipherSuites...)
-	DefaultCipherSuites = append(DefaultCipherSuites, defaultCipherSuitesTLS13...)
-
-	sslServer := &http.Server{
-		Addr:     s.tlsAddr(s.cfg.Address, true),
-		Handler:  s,
-		ErrorLog: s.stdLog,
-		TLSConfig: &tls.Config{
-			CurvePreferences: []tls.CurveID{
-				tls.CurveP256,
-				tls.CurveP384,
-				tls.CurveP521,
-				tls.X25519,
-			},
-			CipherSuites:             DefaultCipherSuites,
-			MinVersion:               tls.VersionTLS12,
-			PreferServerCipherSuites: true,
-		},
-	}
-
-	return sslServer
-}
-
-// init http/2 server
-func (s *Plugin) initHTTP2() error {
-	return http2.ConfigureServer(s.https, &http2.Server{
-		MaxConcurrentStreams: s.cfg.HTTP2Config.MaxConcurrentStreams,
-	})
-}
-
-// tlsAddr replaces listen or host port with port configured by SSLConfig config.
-func (s *Plugin) tlsAddr(host string, forcePort bool) string {
-	// remove current forcePort first
-	host = strings.Split(host, ":")[0]
-
-	if forcePort || s.cfg.SSLConfig.Port != 443 {
-		host = fmt.Sprintf("%s:%v", host, s.cfg.SSLConfig.Port)
-	}
-
-	return host
-}
-
-func applyMiddlewares(server *http.Server, middlewares map[string]Middleware, order []string, log logger.Logger) {
-	for i := len(order) - 1; i >= 0; i-- {
-		if mdwr, ok := middlewares[order[i]]; ok {
-			server.Handler = mdwr.Middleware(server.Handler)
-		} else {
-			log.Warn("requested middleware does not exist", "requested", order[i])
-		}
-	}
-}
diff --git a/plugins/http/serve.go b/plugins/http/serve.go
new file mode 100644
index 00000000..338d4339
--- /dev/null
+++ b/plugins/http/serve.go
@@ -0,0 +1,242 @@
+package http
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"net/http/fcgi"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/spiral/errors"
+	"github.com/spiral/roadrunner/v2/plugins/logger"
+	"github.com/spiral/roadrunner/v2/utils"
+	"golang.org/x/net/http2"
+	"golang.org/x/sys/cpu"
+)
+
+func (s *Plugin) serveHTTP(errCh chan error) {
+	if s.http == nil {
+		return
+	}
+	const op = errors.Op("http_plugin_serve_http")
+
+	if len(s.mdwr) > 0 {
+		applyMiddlewares(s.http, s.mdwr, s.cfg.Middleware, s.log)
+	}
+	l, err := utils.CreateListener(s.cfg.Address)
+	if err != nil {
+		errCh <- errors.E(op, err)
+		return
+	}
+
+	err = s.http.Serve(l)
+	if err != nil && err != http.ErrServerClosed {
+		errCh <- errors.E(op, err)
+		return
+	}
+}
+
+func (s *Plugin) serveHTTPS(errCh chan error) {
+	if s.https == nil {
+		return
+	}
+	const op = errors.Op("http_plugin_serve_https")
+	if len(s.mdwr) > 0 {
+		applyMiddlewares(s.https, s.mdwr, s.cfg.Middleware, s.log)
+	}
+	l, err := utils.CreateListener(s.cfg.SSLConfig.Address)
+	if err != nil {
+		errCh <- errors.E(op, err)
+		return
+	}
+
+	err = s.https.ServeTLS(
+		l,
+		s.cfg.SSLConfig.Cert,
+		s.cfg.SSLConfig.Key,
+	)
+
+	if err != nil && err != http.ErrServerClosed {
+		errCh <- errors.E(op, err)
+		return
+	}
+}
+
+// serveFCGI starts FastCGI server.
+func (s *Plugin) serveFCGI(errCh chan error) {
+	if s.fcgi == nil {
+		return
+	}
+	const op = errors.Op("http_plugin_serve_fcgi")
+
+	if len(s.mdwr) > 0 {
+		applyMiddlewares(s.https, s.mdwr, s.cfg.Middleware, s.log)
+	}
+
+	l, err := utils.CreateListener(s.cfg.FCGIConfig.Address)
+	if err != nil {
+		errCh <- errors.E(op, err)
+		return
+	}
+
+	err = fcgi.Serve(l, s.fcgi.Handler)
+	if err != nil && err != http.ErrServerClosed {
+		errCh <- errors.E(op, err)
+		return
+	}
+}
+
+func (s *Plugin) redirect(w http.ResponseWriter, r *http.Request) {
+	target := &url.URL{
+		Scheme: HTTPSScheme,
+		// host or host:port
+		Host:     s.tlsAddr(r.Host, false),
+		Path:     r.URL.Path,
+		RawQuery: r.URL.RawQuery,
+	}
+
+	http.Redirect(w, r, target.String(), http.StatusPermanentRedirect)
+}
+
+// https://golang.org/pkg/net/http/#Hijacker
+//go:inline
+func headerContainsUpgrade(r *http.Request) bool {
+	if _, ok := r.Header["Upgrade"]; ok {
+		return true
+	}
+	return false
+}
+
+// append RootCA to the https server TLS config
+func (s *Plugin) appendRootCa() error {
+	const op = errors.Op("http_plugin_append_root_ca")
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		return nil
+	}
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	CA, err := os.ReadFile(s.cfg.SSLConfig.RootCA)
+	if err != nil {
+		return err
+	}
+
+	// should append our CA cert
+	ok := rootCAs.AppendCertsFromPEM(CA)
+	if !ok {
+		return errors.E(op, errors.Str("could not append Certs from PEM"))
+	}
+	// disable "G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)"
+	// #nosec G402
+	cfg := &tls.Config{
+		InsecureSkipVerify: false,
+		RootCAs:            rootCAs,
+	}
+	s.http.TLSConfig = cfg
+
+	return nil
+}
+
+// Init https server
+func (s *Plugin) initSSL() *http.Server {
+	var topCipherSuites []uint16
+	var defaultCipherSuitesTLS13 []uint16
+
+	hasGCMAsmAMD64 := cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
+	hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
+	// Keep in sync with crypto/aes/cipher_s390x.go.
+	hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
+
+	hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
+
+	if hasGCMAsm {
+		// If AES-GCM hardware is provided then priorities AES-GCM
+		// cipher suites.
+		topCipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		}
+		defaultCipherSuitesTLS13 = []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+		}
+	} else {
+		// Without AES-GCM hardware, we put the ChaCha20-Poly1305
+		// cipher suites first.
+		topCipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		}
+		defaultCipherSuitesTLS13 = []uint16{
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+		}
+	}
+
+	DefaultCipherSuites := make([]uint16, 0, 22)
+	DefaultCipherSuites = append(DefaultCipherSuites, topCipherSuites...)
+	DefaultCipherSuites = append(DefaultCipherSuites, defaultCipherSuitesTLS13...)
+
+	sslServer := &http.Server{
+		Addr:     s.tlsAddr(s.cfg.Address, true),
+		Handler:  s,
+		ErrorLog: s.stdLog,
+		TLSConfig: &tls.Config{
+			CurvePreferences: []tls.CurveID{
+				tls.CurveP256,
+				tls.CurveP384,
+				tls.CurveP521,
+				tls.X25519,
+			},
+			CipherSuites:             DefaultCipherSuites,
+			MinVersion:               tls.VersionTLS12,
+			PreferServerCipherSuites: true,
+		},
+	}
+
+	return sslServer
+}
+
+// init http/2 server
+func (s *Plugin) initHTTP2() error {
+	return http2.ConfigureServer(s.https, &http2.Server{
+		MaxConcurrentStreams: s.cfg.HTTP2Config.MaxConcurrentStreams,
+	})
+}
+
+// tlsAddr replaces listen or host port with port configured by SSLConfig config.
+func (s *Plugin) tlsAddr(host string, forcePort bool) string {
+	// remove current forcePort first
+	host = strings.Split(host, ":")[0]
+
+	if forcePort || s.cfg.SSLConfig.Port != 443 {
+		host = fmt.Sprintf("%s:%v", host, s.cfg.SSLConfig.Port)
+	}
+
+	return host
+}
+
+func applyMiddlewares(server *http.Server, middlewares map[string]Middleware, order []string, log logger.Logger) {
+	for i := len(order) - 1; i >= 0; i-- {
+		if mdwr, ok := middlewares[order[i]]; ok {
+			server.Handler = mdwr.Middleware(server.Handler)
+		} else {
+			log.Warn("requested middleware does not exist", "requested", order[i])
+		}
+	}
+}
diff --git a/plugins/http/static/etag.go b/plugins/http/static/etag.go
new file mode 100644
index 00000000..5d41cc53
--- /dev/null
+++ b/plugins/http/static/etag.go
@@ -0,0 +1,71 @@
+package static
+
+import (
+	"hash/crc32"
+	"io"
+	"net/http"
+	"os"
+	"unsafe"
+
+	httpConfig "github.com/spiral/roadrunner/v2/plugins/http/config"
+)
+
+const etag string = "Etag"
+
+// weak Etag prefix
+var weakPrefix = []byte(`W/`)
+
+// CRC32 table
+var crc32q = crc32.MakeTable(0x48D90782)
+
+func SetEtag(cfg *httpConfig.Static, f *os.File, w http.ResponseWriter) {
+	// read the file content
+	body, err := io.ReadAll(f)
+	if err != nil {
+		return
+	}
+
+	// skip for 0 body
+	if len(body) == 0 {
+		return
+	}
+
+	// preallocate
+	calculatedEtag := make([]byte, 0, 64)
+
+	// write weak
+	if cfg.Weak {
+		calculatedEtag = append(calculatedEtag, weakPrefix...)
+	}
+
+	calculatedEtag = append(calculatedEtag, '"')
+	calculatedEtag = appendUint(calculatedEtag, uint32(len(body)))
+	calculatedEtag = append(calculatedEtag, '-')
+	calculatedEtag = appendUint(calculatedEtag, crc32.Checksum(body, crc32q))
+	calculatedEtag = append(calculatedEtag, '"')
+
+	w.Header().Set(etag, byteToSrt(calculatedEtag))
+}
+
+// appendUint appends n to dst and returns the extended dst.
+func appendUint(dst []byte, n uint32) []byte {
+	var b [20]byte
+	buf := b[:]
+	i := len(buf)
+	var q uint32
+	for n >= 10 {
+		i--
+		q = n / 10
+		buf[i] = '0' + byte(n-q*10)
+		n = q
+	}
+	i--
+	buf[i] = '0' + byte(n)
+
+	dst = append(dst, buf[i:]...)
+	return dst
+}
+
+func byteToSrt(b []byte) string {
+	return *(*string)(unsafe.Pointer(&b))
+}
diff --git a/tests/plugins/http/configs/.rr-http-static-etags.yaml b/tests/plugins/http/configs/.rr-http-static-etags.yaml
new file mode 100644
index 00000000..e18c50dd
--- /dev/null
+++ b/tests/plugins/http/configs/.rr-http-static-etags.yaml
@@ -0,0 +1,35 @@
+server:
+  command: "php ../../http/client.php pid pipes"
+  user: ""
+  group: ""
+  env:
+    "RR_HTTP": "true"
+  relay: "pipes"
+  relay_timeout: "20s"
+
+http:
+  address: 127.0.0.1:21603
+  max_request_size: 1024
+  middleware: [ "gzip" ]
+  trusted_subnets: [ "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10" ]
+  uploads:
+    forbid: [ ".php", ".exe", ".bat" ]
+  static:
+    dir: "../../../"
+    pattern: "/tests/"
+    forbid: [ "" ]
+    allow: [ ".txt", ".php" ]
+    calculate_etag: true
+    weak: true
+    request:
+      "input": "custom-header"
+    response:
+      "output": "output-header"
+  pool:
+    num_workers: 2
+    max_jobs: 0
+    allocate_timeout: 60s
+    destroy_timeout: 60s
+logs:
+  mode: development
+  level: error
diff --git a/tests/plugins/http/configs/.rr-http-static.yaml b/tests/plugins/http/configs/.rr-http-static.yaml
index 9351f020..bbec13f9 100644
--- a/tests/plugins/http/configs/.rr-http-static.yaml
+++ b/tests/plugins/http/configs/.rr-http-static.yaml
@@ -1,5 +1,5 @@
 server:
-  command: "php ../../psr-worker-bench.php"
+  command: "php ../../http/client.php pid pipes"
   user: ""
   group: ""
   env:
@@ -19,12 +19,14 @@ http:
     pattern: "/tests/"
     forbid: [ "" ]
     allow: [ ".txt", ".php" ]
+    calculate_etag: true
+    weak: false
     request:
       "input": "custom-header"
     response:
       "output": "output-header"
   pool:
-    num_workers: 12
+    num_workers: 2
     max_jobs: 0
     allocate_timeout: 60s
     destroy_timeout: 60s
diff --git a/tests/plugins/http/http_plugin_test.go b/tests/plugins/http/http_plugin_test.go
index 61486eef..f48194c9 100644
--- a/tests/plugins/http/http_plugin_test.go
+++ b/tests/plugins/http/http_plugin_test.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/rpc"
+	"net/url"
 	"os"
 	"os/signal"
 	"sync"
@@ -1562,6 +1563,103 @@ func bigEchoHTTP(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestStaticEtagPlugin(t *testing.T) {
+	cont, err := endure.NewContainer(nil, endure.SetLogLevel(endure.ErrorLevel))
+	assert.NoError(t, err)
+
+	cfg := &config.Viper{
+		Path:   "configs/.rr-http-static.yaml",
+		Prefix: "rr",
+	}
+
+	err = cont.RegisterAll(
+		cfg,
+		&logger.ZapLogger{},
+		&server.Plugin{},
+		&httpPlugin.Plugin{},
+		&gzip.Plugin{},
+	)
+	assert.NoError(t, err)
+
+	err = cont.Init()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ch, err := cont.Serve()
+	assert.NoError(t, err)
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+
+	stopCh := make(chan struct{}, 1)
+
+	go func() {
+		defer wg.Done()
+		for {
+			select {
+			case e := <-ch:
+				assert.Fail(t, "error", e.Error.Error())
+				err = cont.Stop()
+				if err != nil {
+					assert.FailNow(t, "error", err.Error())
+				}
+			case <-sig:
+				err = cont.Stop()
+				if err != nil {
+					assert.FailNow(t, "error", err.Error())
+				}
+				return
+			case <-stopCh:
+				// timeout
+				err = cont.Stop()
+				if err != nil {
+					assert.FailNow(t, "error", err.Error())
+				}
+				return
+			}
+		}
+	}()
+
+	time.Sleep(time.Second)
+	t.Run("ServeSampleEtag", serveStaticSampleEtag)
+
+	stopCh <- struct{}{}
+	wg.Wait()
+}
+
+func serveStaticSampleEtag(t *testing.T) {
+	// OK 200 response
+	b, r, err := get("http://localhost:21603/tests/static/sample.txt")
+	assert.NoError(t, err)
+	assert.Equal(t, "sample\n", b)
+	assert.Equal(t, r.StatusCode, http.StatusOK)
+	etag := r.Header.Get("Etag")
+
+	_ = r.Body.Close()
+
+	// Should be 304 response with same etag
+	c := http.Client{
+		Timeout: time.Second * 5,
+	}
+
+	parsedURL, _ := url.Parse("http://localhost:21603/tests/static/sample.txt")
+
+	req := &http.Request{
+		Method: http.MethodGet,
+		URL:    parsedURL,
+		Header: map[string][]string{"If-None-Match": {etag}},
+	}
+
+	resp, err := c.Do(req)
+	assert.Nil(t, err)
+	assert.Equal(t, http.StatusNotModified, resp.StatusCode)
+	_ = resp.Body.Close()
+}
+
 func TestStaticPlugin(t *testing.T) {
 	cont, err := endure.NewContainer(nil, endure.SetLogLevel(endure.ErrorLevel))
 	assert.NoError(t, err)