- Update CHANGELOG

- Add tests for the etags functionality Signed-off-by: Valery Piashchynski <[email protected]>
author: Valery Piashchynski <[email protected]> 2021-04-28 16:43:59 +0300
committer: Valery Piashchynski <[email protected]> 2021-04-28 16:43:59 +0300
commit: b789df7dcc9268f98f2bacfb40f753b10d521e4f (patch)
tree: 126b0fd8271f27e77f9107906bb0e6713a49d6ab /plugins
parent: 30c25f17fa7d6386e33a4894c812f7ca5db990ad (diff)
4 files changed, 333 insertions, 232 deletions
diff --git a/plugins/http/config/static.go b/plugins/http/config/static.go
index e9acc3e4..4b7b3a9b 100644
--- a/plugins/http/config/static.go
+++ b/plugins/http/config/static.go
@@ -17,6 +17,12 @@ type Static struct {
 	// Default - /static/
 	Pattern string
 
+	// CalculateEtag can be true/false and used to calculate etag for the static
+	CalculateEtag bool `mapstructure:"calculate_etag"`
+
+	// Weak etag `W/`
+	Weak bool
+
 	// forbid specifies list of file extensions which are forbidden for access.
 	// example: .php, .exe, .bat, .htaccess and etc.
 	Forbid []string
diff --git a/plugins/http/plugin.go b/plugins/http/plugin.go
index 33efaf37..58336c17 100644
--- a/plugins/http/plugin.go
+++ b/plugins/http/plugin.go
@@ -2,15 +2,11 @@ package http
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"net/http"
-	"net/http/fcgi"
-	"net/url"
-	"strings"
+	"os"
+	"path/filepath"
 	"sync"
 
 	"github.com/hashicorp/go-multierror"
@@ -27,10 +23,8 @@ import (
 	"github.com/spiral/roadrunner/v2/plugins/logger"
 	"github.com/spiral/roadrunner/v2/plugins/server"
 	"github.com/spiral/roadrunner/v2/plugins/status"
-	"github.com/spiral/roadrunner/v2/utils"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
-	"golang.org/x/sys/cpu"
 )
 
 const (
@@ -190,10 +184,22 @@ func (s *Plugin) serve(errCh chan error) { //nolint:gocognit
 				}
 			}
 
+			// calculate etag for the resource
+			if s.cfg.Static.CalculateEtag {
+				f, errS := os.Open(filepath.Join(s.cfg.Static.Dir, r.URL.Path))
+				if errS != nil {
+					s.log.Warn("error opening file to calculate the Etag", "provided path", r.URL.Path)
+				}
+
+				// Set etag value to the ResponseWriter
+				static.SetEtag(s.cfg.Static, f, w)
+			}
+
 			h.ServeHTTP(w, r)
 		})
 	}
 
+	// handle main route
 	mux.HandleFunc("/", s.ServeHTTP)
 
 	if s.cfg.EnableHTTP() {
@@ -241,78 +247,6 @@ func (s *Plugin) serve(errCh chan error) { //nolint:gocognit
 	}()
 }
 
-func (s *Plugin) serveHTTP(errCh chan error) {
-	if s.http == nil {
-		return
-	}
-	const op = errors.Op("http_plugin_serve_http")
-
-	if len(s.mdwr) > 0 {
-		applyMiddlewares(s.http, s.mdwr, s.cfg.Middleware, s.log)
-	}
-	l, err := utils.CreateListener(s.cfg.Address)
-	if err != nil {
-		errCh <- errors.E(op, err)
-		return
-	}
-
-	err = s.http.Serve(l)
-	if err != nil && err != http.ErrServerClosed {
-		errCh <- errors.E(op, err)
-		return
-	}
-}
-
-func (s *Plugin) serveHTTPS(errCh chan error) {
-	if s.https == nil {
-		return
-	}
-	const op = errors.Op("http_plugin_serve_https")
-	if len(s.mdwr) > 0 {
-		applyMiddlewares(s.https, s.mdwr, s.cfg.Middleware, s.log)
-	}
-	l, err := utils.CreateListener(s.cfg.SSLConfig.Address)
-	if err != nil {
-		errCh <- errors.E(op, err)
-		return
-	}
-
-	err = s.https.ServeTLS(
-		l,
-		s.cfg.SSLConfig.Cert,
-		s.cfg.SSLConfig.Key,
-	)
-
-	if err != nil && err != http.ErrServerClosed {
-		errCh <- errors.E(op, err)
-		return
-	}
-}
-
-// serveFCGI starts FastCGI server.
-func (s *Plugin) serveFCGI(errCh chan error) {
-	if s.fcgi == nil {
-		return
-	}
-	const op = errors.Op("http_plugin_serve_fcgi")
-
-	if len(s.mdwr) > 0 {
-		applyMiddlewares(s.https, s.mdwr, s.cfg.Middleware, s.log)
-	}
-
-	l, err := utils.CreateListener(s.cfg.FCGIConfig.Address)
-	if err != nil {
-		errCh <- errors.E(op, err)
-		return
-	}
-
-	err = fcgi.Serve(l, s.fcgi.Handler)
-	if err != nil && err != http.ErrServerClosed {
-		errCh <- errors.E(op, err)
-		return
-	}
-}
-
 // Stop stops the http.
 func (s *Plugin) Stop() error {
 	s.Lock()
@@ -498,155 +432,3 @@ func (s *Plugin) Ready() status.Status {
 		Code: http.StatusServiceUnavailable,
 	}
 }
-
-func (s *Plugin) redirect(w http.ResponseWriter, r *http.Request) {
-	target := &url.URL{
-		Scheme: HTTPSScheme,
-		// host or host:port
-		Host:     s.tlsAddr(r.Host, false),
-		Path:     r.URL.Path,
-		RawQuery: r.URL.RawQuery,
-	}
-
-	http.Redirect(w, r, target.String(), http.StatusPermanentRedirect)
-}
-
-// https://golang.org/pkg/net/http/#Hijacker
-//go:inline
-func headerContainsUpgrade(r *http.Request) bool {
-	if _, ok := r.Header["Upgrade"]; ok {
-		return true
-	}
-	return false
-}
-
-// append RootCA to the https server TLS config
-func (s *Plugin) appendRootCa() error {
-	const op = errors.Op("http_plugin_append_root_ca")
-	rootCAs, err := x509.SystemCertPool()
-	if err != nil {
-		return nil
-	}
-	if rootCAs == nil {
-		rootCAs = x509.NewCertPool()
-	}
-
-	CA, err := ioutil.ReadFile(s.cfg.SSLConfig.RootCA)
-	if err != nil {
-		return err
-	}
-
-	// should append our CA cert
-	ok := rootCAs.AppendCertsFromPEM(CA)
-	if !ok {
-		return errors.E(op, errors.Str("could not append Certs from PEM"))
-	}
-	// disable "G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)"
-	// #nosec G402
-	cfg := &tls.Config{
-		InsecureSkipVerify: false,
-		RootCAs:            rootCAs,
-	}
-	s.http.TLSConfig = cfg
-
-	return nil
-}
-
-// Init https server
-func (s *Plugin) initSSL() *http.Server {
-	var topCipherSuites []uint16
-	var defaultCipherSuitesTLS13 []uint16
-
-	hasGCMAsmAMD64 := cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
-	hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
-	// Keep in sync with crypto/aes/cipher_s390x.go.
-	hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
-
-	hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
-
-	if hasGCMAsm {
-		// If AES-GCM hardware is provided then priorities AES-GCM
-		// cipher suites.
-		topCipherSuites = []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		}
-		defaultCipherSuitesTLS13 = []uint16{
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-		}
-	} else {
-		// Without AES-GCM hardware, we put the ChaCha20-Poly1305
-		// cipher suites first.
-		topCipherSuites = []uint16{
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		}
-		defaultCipherSuitesTLS13 = []uint16{
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-		}
-	}
-
-	DefaultCipherSuites := make([]uint16, 0, 22)
-	DefaultCipherSuites = append(DefaultCipherSuites, topCipherSuites...)
-	DefaultCipherSuites = append(DefaultCipherSuites, defaultCipherSuitesTLS13...)
-
-	sslServer := &http.Server{
-		Addr:     s.tlsAddr(s.cfg.Address, true),
-		Handler:  s,
-		ErrorLog: s.stdLog,
-		TLSConfig: &tls.Config{
-			CurvePreferences: []tls.CurveID{
-				tls.CurveP256,
-				tls.CurveP384,
-				tls.CurveP521,
-				tls.X25519,
-			},
-			CipherSuites:             DefaultCipherSuites,
-			MinVersion:               tls.VersionTLS12,
-			PreferServerCipherSuites: true,
-		},
-	}
-
-	return sslServer
-}
-
-// init http/2 server
-func (s *Plugin) initHTTP2() error {
-	return http2.ConfigureServer(s.https, &http2.Server{
-		MaxConcurrentStreams: s.cfg.HTTP2Config.MaxConcurrentStreams,
-	})
-}
-
-// tlsAddr replaces listen or host port with port configured by SSLConfig config.
-func (s *Plugin) tlsAddr(host string, forcePort bool) string {
-	// remove current forcePort first
-	host = strings.Split(host, ":")[0]
-
-	if forcePort || s.cfg.SSLConfig.Port != 443 {
-		host = fmt.Sprintf("%s:%v", host, s.cfg.SSLConfig.Port)
-	}
-
-	return host
-}
-
-func applyMiddlewares(server *http.Server, middlewares map[string]Middleware, order []string, log logger.Logger) {
-	for i := len(order) - 1; i >= 0; i-- {
-		if mdwr, ok := middlewares[order[i]]; ok {
-			server.Handler = mdwr.Middleware(server.Handler)
-		} else {
-			log.Warn("requested middleware does not exist", "requested", order[i])
-		}
-	}
-}
diff --git a/plugins/http/serve.go b/plugins/http/serve.go
new file mode 100644
index 00000000..338d4339
--- /dev/null
+++ b/plugins/http/serve.go
@@ -0,0 +1,242 @@
+package http
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"net/http/fcgi"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/spiral/errors"
+	"github.com/spiral/roadrunner/v2/plugins/logger"
+	"github.com/spiral/roadrunner/v2/utils"
+	"golang.org/x/net/http2"
+	"golang.org/x/sys/cpu"
+)
+
+func (s *Plugin) serveHTTP(errCh chan error) {
+	if s.http == nil {
+		return
+	}
+	const op = errors.Op("http_plugin_serve_http")
+
+	if len(s.mdwr) > 0 {
+		applyMiddlewares(s.http, s.mdwr, s.cfg.Middleware, s.log)
+	}
+	l, err := utils.CreateListener(s.cfg.Address)
+	if err != nil {
+		errCh <- errors.E(op, err)
+		return
+	}
+
+	err = s.http.Serve(l)
+	if err != nil && err != http.ErrServerClosed {
+		errCh <- errors.E(op, err)
+		return
+	}
+}
+
+func (s *Plugin) serveHTTPS(errCh chan error) {
+	if s.https == nil {
+		return
+	}
+	const op = errors.Op("http_plugin_serve_https")
+	if len(s.mdwr) > 0 {
+		applyMiddlewares(s.https, s.mdwr, s.cfg.Middleware, s.log)
+	}
+	l, err := utils.CreateListener(s.cfg.SSLConfig.Address)
+	if err != nil {
+		errCh <- errors.E(op, err)
+		return
+	}
+
+	err = s.https.ServeTLS(
+		l,
+		s.cfg.SSLConfig.Cert,
+		s.cfg.SSLConfig.Key,
+	)
+
+	if err != nil && err != http.ErrServerClosed {
+		errCh <- errors.E(op, err)
+		return
+	}
+}
+
+// serveFCGI starts FastCGI server.
+func (s *Plugin) serveFCGI(errCh chan error) {
+	if s.fcgi == nil {
+		return
+	}
+	const op = errors.Op("http_plugin_serve_fcgi")
+
+	if len(s.mdwr) > 0 {
+		applyMiddlewares(s.https, s.mdwr, s.cfg.Middleware, s.log)
+	}
+
+	l, err := utils.CreateListener(s.cfg.FCGIConfig.Address)
+	if err != nil {
+		errCh <- errors.E(op, err)
+		return
+	}
+
+	err = fcgi.Serve(l, s.fcgi.Handler)
+	if err != nil && err != http.ErrServerClosed {
+		errCh <- errors.E(op, err)
+		return
+	}
+}
+
+func (s *Plugin) redirect(w http.ResponseWriter, r *http.Request) {
+	target := &url.URL{
+		Scheme: HTTPSScheme,
+		// host or host:port
+		Host:     s.tlsAddr(r.Host, false),
+		Path:     r.URL.Path,
+		RawQuery: r.URL.RawQuery,
+	}
+
+	http.Redirect(w, r, target.String(), http.StatusPermanentRedirect)
+}
+
+// https://golang.org/pkg/net/http/#Hijacker
+//go:inline
+func headerContainsUpgrade(r *http.Request) bool {
+	if _, ok := r.Header["Upgrade"]; ok {
+		return true
+	}
+	return false
+}
+
+// append RootCA to the https server TLS config
+func (s *Plugin) appendRootCa() error {
+	const op = errors.Op("http_plugin_append_root_ca")
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		return nil
+	}
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	CA, err := os.ReadFile(s.cfg.SSLConfig.RootCA)
+	if err != nil {
+		return err
+	}
+
+	// should append our CA cert
+	ok := rootCAs.AppendCertsFromPEM(CA)
+	if !ok {
+		return errors.E(op, errors.Str("could not append Certs from PEM"))
+	}
+	// disable "G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)"
+	// #nosec G402
+	cfg := &tls.Config{
+		InsecureSkipVerify: false,
+		RootCAs:            rootCAs,
+	}
+	s.http.TLSConfig = cfg
+
+	return nil
+}
+
+// Init https server
+func (s *Plugin) initSSL() *http.Server {
+	var topCipherSuites []uint16
+	var defaultCipherSuitesTLS13 []uint16
+
+	hasGCMAsmAMD64 := cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
+	hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
+	// Keep in sync with crypto/aes/cipher_s390x.go.
+	hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
+
+	hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
+
+	if hasGCMAsm {
+		// If AES-GCM hardware is provided then priorities AES-GCM
+		// cipher suites.
+		topCipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		}
+		defaultCipherSuitesTLS13 = []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+		}
+	} else {
+		// Without AES-GCM hardware, we put the ChaCha20-Poly1305
+		// cipher suites first.
+		topCipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		}
+		defaultCipherSuitesTLS13 = []uint16{
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+		}
+	}
+
+	DefaultCipherSuites := make([]uint16, 0, 22)
+	DefaultCipherSuites = append(DefaultCipherSuites, topCipherSuites...)
+	DefaultCipherSuites = append(DefaultCipherSuites, defaultCipherSuitesTLS13...)
+
+	sslServer := &http.Server{
+		Addr:     s.tlsAddr(s.cfg.Address, true),
+		Handler:  s,
+		ErrorLog: s.stdLog,
+		TLSConfig: &tls.Config{
+			CurvePreferences: []tls.CurveID{
+				tls.CurveP256,
+				tls.CurveP384,
+				tls.CurveP521,
+				tls.X25519,
+			},
+			CipherSuites:             DefaultCipherSuites,
+			MinVersion:               tls.VersionTLS12,
+			PreferServerCipherSuites: true,
+		},
+	}
+
+	return sslServer
+}
+
+// init http/2 server
+func (s *Plugin) initHTTP2() error {
+	return http2.ConfigureServer(s.https, &http2.Server{
+		MaxConcurrentStreams: s.cfg.HTTP2Config.MaxConcurrentStreams,
+	})
+}
+
+// tlsAddr replaces listen or host port with port configured by SSLConfig config.
+func (s *Plugin) tlsAddr(host string, forcePort bool) string {
+	// remove current forcePort first
+	host = strings.Split(host, ":")[0]
+
+	if forcePort || s.cfg.SSLConfig.Port != 443 {
+		host = fmt.Sprintf("%s:%v", host, s.cfg.SSLConfig.Port)
+	}
+
+	return host
+}
+
+func applyMiddlewares(server *http.Server, middlewares map[string]Middleware, order []string, log logger.Logger) {
+	for i := len(order) - 1; i >= 0; i-- {
+		if mdwr, ok := middlewares[order[i]]; ok {
+			server.Handler = mdwr.Middleware(server.Handler)
+		} else {
+			log.Warn("requested middleware does not exist", "requested", order[i])
+		}
+	}
+}
diff --git a/plugins/http/static/etag.go b/plugins/http/static/etag.go
new file mode 100644
index 00000000..5d41cc53
--- /dev/null
+++ b/plugins/http/static/etag.go
@@ -0,0 +1,71 @@
+package static
+
+import (
+	"hash/crc32"
+	"io"
+	"net/http"
+	"os"
+	"unsafe"
+
+	httpConfig "github.com/spiral/roadrunner/v2/plugins/http/config"
+)
+
+const etag string = "Etag"
+
+// weak Etag prefix
+var weakPrefix = []byte(`W/`)
+
+// CRC32 table
+var crc32q = crc32.MakeTable(0x48D90782)
+
+func SetEtag(cfg *httpConfig.Static, f *os.File, w http.ResponseWriter) {
+	// read the file content
+	body, err := io.ReadAll(f)
+	if err != nil {
+		return
+	}
+
+	// skip for 0 body
+	if len(body) == 0 {
+		return
+	}
+
+	// preallocate
+	calculatedEtag := make([]byte, 0, 64)
+
+	// write weak
+	if cfg.Weak {
+		calculatedEtag = append(calculatedEtag, weakPrefix...)
+	}
+
+	calculatedEtag = append(calculatedEtag, '"')
+	calculatedEtag = appendUint(calculatedEtag, uint32(len(body)))
+	calculatedEtag = append(calculatedEtag, '-')
+	calculatedEtag = appendUint(calculatedEtag, crc32.Checksum(body, crc32q))
+	calculatedEtag = append(calculatedEtag, '"')
+
+	w.Header().Set(etag, byteToSrt(calculatedEtag))
+}
+
+// appendUint appends n to dst and returns the extended dst.
+func appendUint(dst []byte, n uint32) []byte {
+	var b [20]byte
+	buf := b[:]
+	i := len(buf)
+	var q uint32
+	for n >= 10 {
+		i--
+		q = n / 10
+		buf[i] = '0' + byte(n-q*10)
+		n = q
+	}
+	i--
+	buf[i] = '0' + byte(n)
+
+	dst = append(dst, buf[i:]...)
+	return dst
+}
+
+func byteToSrt(b []byte) string {
+	return *(*string)(unsafe.Pointer(&b))
+}
author	Valery Piashchynski <[email protected]>	2021-04-28 16:43:59 +0300
committer	Valery Piashchynski <[email protected]>	2021-04-28 16:43:59 +0300
commit	b789df7dcc9268f98f2bacfb40f753b10d521e4f (patch)
tree	126b0fd8271f27e77f9107906bb0e6713a49d6ab /plugins
parent	30c25f17fa7d6386e33a4894c812f7ca5db990ad (diff)