Software / code / prosody
Annotate
plugins/mod_http_errors.lua @ 13801:a5d5fefb8b68 13.0
mod_tls: Enable Prosody's certificate checking for incoming s2s connections (fixes #1916) (thanks Damian, Zash)
Various options in Prosody allow control over the behaviour of the certificate
verification process For example, some deployments choose to allow falling
back to traditional "dialback" authentication (XEP-0220), while others verify
via DANE, hard-coded fingerprints, or other custom plugins.
Implementing this flexibility requires us to override OpenSSL's default
certificate verification, to allow Prosody to verify the certificate itself,
apply custom policies and make decisions based on the outcome.
To enable our custom logic, we have to suppress OpenSSL's default behaviour of
aborting the connection with a TLS alert message. With LuaSec, this can be
achieved by using the verifyext "lsec_continue" flag.
We also need to use the lsec_ignore_purpose flag, because XMPP s2s uses server
certificates as "client" certificates (for mutual TLS verification in outgoing
s2s connections).
Commit 99d2100d2918 moved these settings out of the defaults and into mod_s2s,
because we only really need these changes for s2s, and they should be opt-in,
rather than automatically applied to all TLS services we offer.
That commit was incomplete, because it only added the flags for incoming
direct TLS connections. StartTLS connections are handled by mod_tls, which was
not applying the lsec_* flags. It previously worked because they were already
in the defaults.
This resulted in incoming s2s connections with "invalid" certificates being
aborted early by OpenSSL, even if settings such as `s2s_secure_auth = false`
or DANE were present in the config.
Outgoing s2s connections inherit verify "none" from the defaults, which means
OpenSSL will receive the cert but will not terminate the connection when it is
deemed invalid. This means we don't need lsec_continue there, and we also
don't need lsec_ignore_purpose (because the remote peer is a "server").
Wondering why we can't just use verify "none" for incoming s2s? It's because
in that mode, OpenSSL won't request a certificate from the peer for incoming
connections. Setting verify "peer" is how you ask OpenSSL to request a
certificate from the client, but also what triggers its built-in verification.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 01 Apr 2025 17:26:56 +0100 |
| parent | 13393:f72ca74de456 |
| rev | line source |
|---|---|
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 module:set_global(); |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
11820
diff
changeset
|
3 local server = require "prosody.net.http.server"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
11820
diff
changeset
|
4 local codes = require "prosody.net.http.codes"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
11820
diff
changeset
|
5 local xml_escape = require "prosody.util.stanza".xml_escape; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
11820
diff
changeset
|
6 local render = require "prosody.util.interpolation".new("%b{}", xml_escape); |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 local show_private = module:get_option_boolean("http_errors_detailed", false); |
|
4737
7b9e2a8c4710
mod_http_errors: Add two new config options, http_errors_always_show (show even for unknown errors) and http_errors_default_message (message for unknown errors)
Matthew Wild <mwild1@gmail.com>
parents:
4711
diff
changeset
|
9 local always_serve = module:get_option_boolean("http_errors_always_show", true); |
|
7b9e2a8c4710
mod_http_errors: Add two new config options, http_errors_always_show (show even for unknown errors) and http_errors_default_message (message for unknown errors)
Matthew Wild <mwild1@gmail.com>
parents:
4711
diff
changeset
|
10 local default_message = { module:get_option_string("http_errors_default_message", "That's all I know.") }; |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local default_messages = { |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 [400] = { "What kind of request do you call that??" }; |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 [403] = { "You're not allowed to do that." }; |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 [404] = { "Whatever you were looking for is not here. %"; |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 "Where did you put it?", "It's behind you.", "Keep looking." }; |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 [500] = { "% Check your error log for more info."; |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 "Gremlins.", "It broke.", "Don't look at me." }; |
|
11403
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
18 ["/"] = { |
|
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
19 "A study in simplicity."; |
|
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
20 "Better catch it!"; |
|
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
21 "Don't just stand there, go after it!"; |
|
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
22 "Well, say something, before it runs too far!"; |
|
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
23 "Welcome to the world of XMPP!"; |
|
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
24 "You can do anything in XMPP!"; -- "The only limit is XML."; |
|
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
25 "You can do anything with Prosody!"; -- the only limit is memory? |
|
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
26 }; |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 }; |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 local messages = setmetatable(module:get_option("http_errors_messages", {}), { __index = default_messages }); |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 local html = [[ |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 <!DOCTYPE html> |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 <html> |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 <head> |
|
8364
f91ab40a3105
mod_http_errors: Use util.interpolation to render HTML template
Kim Alvefur <zash@zash.se>
parents:
8363
diff
changeset
|
35 <meta charset="utf-8"> |
|
f91ab40a3105
mod_http_errors: Use util.interpolation to render HTML template
Kim Alvefur <zash@zash.se>
parents:
8363
diff
changeset
|
36 <title>{title}</title> |
|
f91ab40a3105
mod_http_errors: Use util.interpolation to render HTML template
Kim Alvefur <zash@zash.se>
parents:
8363
diff
changeset
|
37 <style> |
|
13393
f72ca74de456
mod_http_errors: Simplify CSS via built-in dark mode
Kim Alvefur <zash@zash.se>
parents:
12977
diff
changeset
|
38 :root{color-scheme:light dark} |
|
f72ca74de456
mod_http_errors: Simplify CSS via built-in dark mode
Kim Alvefur <zash@zash.se>
parents:
12977
diff
changeset
|
39 body{margin-top:14%;text-align:center;font-family:sans-serif} |
| 11388 | 40 h1{font-size:xx-large} |
| 41 p{font-size:x-large} | |
| 11395 | 42 p.warning>span{font-size:large;background-color:yellow} |
| 11388 | 43 p.extra{font-size:large;font-family:courier} |
| 44 @media(prefers-color-scheme:dark){ | |
| 11395 | 45 p.warning>span{background-color:inherit;color:yellow} |
| 11154 | 46 } |
|
8364
f91ab40a3105
mod_http_errors: Use util.interpolation to render HTML template
Kim Alvefur <zash@zash.se>
parents:
8363
diff
changeset
|
47 </style> |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 </head> |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 <body> |
|
11662
a8798e04b5c8
mod_http_errors: Allow adding icons on error pages
Kim Alvefur <zash@zash.se>
parents:
11404
diff
changeset
|
50 <h1>{icon?{icon_raw!?}} {title}</h1> |
|
8364
f91ab40a3105
mod_http_errors: Use util.interpolation to render HTML template
Kim Alvefur <zash@zash.se>
parents:
8363
diff
changeset
|
51 <p>{message}</p> |
| 11395 | 52 {warning&<p class="warning"><span>⚠ {warning?} ⚠</span></p>} |
|
11155
8d692a8a8f48
mod_http_errors: Remove 'extra' element when empty
Kim Alvefur <zash@zash.se>
parents:
11154
diff
changeset
|
53 {extra&<p class="extra">{extra?}</p>} |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 </body> |
|
7492
9a749cf8c1ba
mod_http_errors: Add a newline after end of HTML
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
55 </html> |
|
9a749cf8c1ba
mod_http_errors: Add a newline after end of HTML
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
56 ]]; |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 local function get_page(code, extra) |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 local message = messages[code]; |
|
4737
7b9e2a8c4710
mod_http_errors: Add two new config options, http_errors_always_show (show even for unknown errors) and http_errors_default_message (message for unknown errors)
Matthew Wild <mwild1@gmail.com>
parents:
4711
diff
changeset
|
60 if always_serve or message then |
|
7b9e2a8c4710
mod_http_errors: Add two new config options, http_errors_always_show (show even for unknown errors) and http_errors_default_message (message for unknown errors)
Matthew Wild <mwild1@gmail.com>
parents:
4711
diff
changeset
|
61 message = message or default_message; |
|
8364
f91ab40a3105
mod_http_errors: Use util.interpolation to render HTML template
Kim Alvefur <zash@zash.se>
parents:
8363
diff
changeset
|
62 return render(html, { |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 title = rawget(codes, code) or ("Code "..tostring(code)); |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 message = message[1]:gsub("%%", function () |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 return message[math.random(2, math.max(#message,2))]; |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 end); |
|
8364
f91ab40a3105
mod_http_errors: Use util.interpolation to render HTML template
Kim Alvefur <zash@zash.se>
parents:
8363
diff
changeset
|
67 extra = extra; |
|
f91ab40a3105
mod_http_errors: Use util.interpolation to render HTML template
Kim Alvefur <zash@zash.se>
parents:
8363
diff
changeset
|
68 }); |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 end |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 end |
|
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 |
|
11404
f7704f987439
mod_http_errors: Add some comments
Kim Alvefur <zash@zash.se>
parents:
11403
diff
changeset
|
72 -- Main error page handler |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 module:hook_object_event(server, "http-error", function (event) |
|
8363
e2460edc2a2f
mod_http_errors: Set Content-Type header to HTML (fixes #1030)
Kim Alvefur <zash@zash.se>
parents:
7492
diff
changeset
|
74 if event.response then |
|
e2460edc2a2f
mod_http_errors: Set Content-Type header to HTML (fixes #1030)
Kim Alvefur <zash@zash.se>
parents:
7492
diff
changeset
|
75 event.response.headers.content_type = "text/html; charset=utf-8"; |
|
e2460edc2a2f
mod_http_errors: Set Content-Type header to HTML (fixes #1030)
Kim Alvefur <zash@zash.se>
parents:
7492
diff
changeset
|
76 end |
|
10574
f70c874b7936
mod_http_errors: Use text from util.errror object if included
Kim Alvefur <zash@zash.se>
parents:
10430
diff
changeset
|
77 return get_page(event.code, (show_private and event.private_message) or event.message or (event.error and event.error.text)); |
|
4711
4ddf3ba0c749
mod_http_errors: Module to handle HTTP errors with a HTML page
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 end); |
|
10430
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
79 |
|
11404
f7704f987439
mod_http_errors: Add some comments
Kim Alvefur <zash@zash.se>
parents:
11403
diff
changeset
|
80 -- Way to use the template for other things so to give a consistent appearance |
|
11389
29e7ed75ed3f
mod_http_errors: Add way to reuse the error page template
Kim Alvefur <zash@zash.se>
parents:
11388
diff
changeset
|
81 module:hook("http-message", function (event) |
|
29e7ed75ed3f
mod_http_errors: Add way to reuse the error page template
Kim Alvefur <zash@zash.se>
parents:
11388
diff
changeset
|
82 if event.response then |
|
29e7ed75ed3f
mod_http_errors: Add way to reuse the error page template
Kim Alvefur <zash@zash.se>
parents:
11388
diff
changeset
|
83 event.response.headers.content_type = "text/html; charset=utf-8"; |
|
29e7ed75ed3f
mod_http_errors: Add way to reuse the error page template
Kim Alvefur <zash@zash.se>
parents:
11388
diff
changeset
|
84 end |
|
29e7ed75ed3f
mod_http_errors: Add way to reuse the error page template
Kim Alvefur <zash@zash.se>
parents:
11388
diff
changeset
|
85 return render(html, event); |
|
11820
0375ef78ed64
mod_http_errors: Make it easier to override 'http-message' handler
Kim Alvefur <zash@zash.se>
parents:
11664
diff
changeset
|
86 end, -1); |
|
11389
29e7ed75ed3f
mod_http_errors: Add way to reuse the error page template
Kim Alvefur <zash@zash.se>
parents:
11388
diff
changeset
|
87 |
|
11663
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
88 local icon = [[ |
|
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
89 <svg xmlns="http://www.w3.org/2000/svg" height="0.7em" viewBox="0 0 480 480" width="0.7em"> |
|
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
90 <rect fill="#6197df" height="220" rx="60" ry="60" width="220" x="10" y="10"></rect> |
|
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
91 <rect fill="#f29b00" height="220" rx="60" ry="60" width="220" x="10" y="240"></rect> |
|
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
92 <rect fill="#f29b00" height="220" rx="60" ry="60" width="220" x="240" y="10"></rect> |
|
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
93 <rect fill="#6197df" height="220" rx="60" ry="60" width="220" x="240" y="240"></rect> |
|
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
94 </svg> |
|
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
95 ]]; |
|
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
96 |
|
11404
f7704f987439
mod_http_errors: Add some comments
Kim Alvefur <zash@zash.se>
parents:
11403
diff
changeset
|
97 -- Something nicer shown instead of 404 at the root path, if nothing else handles this path |
|
10430
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
98 module:hook_object_event(server, "http-error", function (event) |
|
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
99 local request, response = event.request, event.response; |
|
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
100 if request and response and request.path == "/" and response.status_code == 404 then |
|
11664
d83f8f44caea
mod_http_errors: Set status code 200 from root page
Kim Alvefur <zash@zash.se>
parents:
11663
diff
changeset
|
101 response.status_code = 200; |
|
10430
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
102 response.headers.content_type = "text/html; charset=utf-8"; |
|
11403
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
103 local message = messages["/"]; |
|
10430
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
104 return render(html, { |
|
11663
04fa947784bc
mod_http_errors: Add a Prosody logo to root page
Kim Alvefur <zash@zash.se>
parents:
11662
diff
changeset
|
105 icon_raw = icon, |
|
10430
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
106 title = "Prosody is running!"; |
|
11403
747e8245f180
mod_http_errors: Add some silly variations for the '/' page
Kim Alvefur <zash@zash.se>
parents:
11395
diff
changeset
|
107 message = message[math.random(#message)]; |
|
10430
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
108 }); |
|
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
109 end |
|
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
110 end, 1); |
|
46dd9df2db0c
mod_http_errors: Show a friendly page instead of 404 on top level
Kim Alvefur <zash@zash.se>
parents:
9760
diff
changeset
|
111 |
