Annotate

plugins/mod_http.lua @ 12444:b33558969b3e 0.12

mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731) The same-origin policy enforced by browsers is a security measure that should only be turned off when it is safe to do so. It is safe to do so in Prosody's default modules, but people may load third-party modules that are unsafe. Therefore we have flipped the default, so that modules must explicitly opt in to having CORS headers added on their requests.
author Matthew Wild <mwild1@gmail.com>
date Mon, 28 Mar 2022 14:53:24 +0100
parent 12443:17d87fb2312a
child 12790:24b55f0e2db9
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
1 -- Prosody IM
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
2 -- Copyright (C) 2008-2012 Matthew Wild
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
3 -- Copyright (C) 2008-2012 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5427
diff changeset
4 --
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
6 -- COPYING file in the source package for more information.
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
7 --
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
8
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
9 module:set_global();
10409
abfc05495d8b mod_http: Soften dependency on mod_http_errors
Kim Alvefur <zash@zash.se>
parents: 10315
diff changeset
10 pcall(function ()
abfc05495d8b mod_http: Soften dependency on mod_http_errors
Kim Alvefur <zash@zash.se>
parents: 10315
diff changeset
11 module:depends("http_errors");
abfc05495d8b mod_http: Soften dependency on mod_http_errors
Kim Alvefur <zash@zash.se>
parents: 10315
diff changeset
12 end);
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
13
5374
b62c6cbcb065 mod_http: Import portmanager
Kim Alvefur <zash@zash.se>
parents: 5332
diff changeset
14 local portmanager = require "core.portmanager";
4892
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
15 local moduleapi = require "core.moduleapi";
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
16 local url_parse = require "socket.url".parse;
5093
1ce9e8068dda mod_http: Rework how module:http_url() builds the url.
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
17 local url_build = require "socket.url".build;
9504
cfbea3064aa9 mod_http: Move normalize_path to util.http
Kim Alvefur <zash@zash.se>
parents: 9503
diff changeset
18 local normalize_path = require "util.http".normalize_path;
9797
071538a567d5 mod_http: Determine CORS methods to whitelist from actual methods used
Kim Alvefur <zash@zash.se>
parents: 9796
diff changeset
19 local set = require "util.set";
4892
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
20
10923
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
21 local ip_util = require "util.ip";
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
22 local new_ip = ip_util.new_ip;
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
23 local match_ip = ip_util.match;
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
24 local parse_cidr = ip_util.parse_cidr;
4892
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
25
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
26 local server = require "net.http.server";
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
27
4736
3514338c59c3 net.http.server, mod_http: Support http_default_host config option to specify where to direct requests for unknown HTTP vhosts
Matthew Wild <mwild1@gmail.com>
parents: 4724
diff changeset
28 server.set_default_host(module:get_option_string("http_default_host"));
3514338c59c3 net.http.server, mod_http: Support http_default_host config option to specify where to direct requests for unknown HTTP vhosts
Matthew Wild <mwild1@gmail.com>
parents: 4724
diff changeset
29
7580
588ed6451984 mod_http: Allow configuring http parser size limits
Kim Alvefur <zash@zash.se>
parents: 6598
diff changeset
30 server.set_option("body_size_limit", module:get_option_number("http_max_content_size"));
588ed6451984 mod_http: Allow configuring http parser size limits
Kim Alvefur <zash@zash.se>
parents: 6598
diff changeset
31 server.set_option("buffer_size_limit", module:get_option_number("http_max_buffer_size"));
588ed6451984 mod_http: Allow configuring http parser size limits
Kim Alvefur <zash@zash.se>
parents: 6598
diff changeset
32
11727
f3aee8a825cc Fix various spelling errors (thanks codespell)
Kim Alvefur <zash@zash.se>
parents: 11410
diff changeset
33 -- CORS settings
12443
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
34 local cors_overrides = module:get_option("http_cors_override", {});
9797
071538a567d5 mod_http: Determine CORS methods to whitelist from actual methods used
Kim Alvefur <zash@zash.se>
parents: 9796
diff changeset
35 local opt_methods = module:get_option_set("access_control_allow_methods", { "GET", "OPTIONS" });
9793
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
36 local opt_headers = module:get_option_set("access_control_allow_headers", { "Content-Type" });
12443
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
37 local opt_origins = module:get_option_set("access_control_allow_origins");
10258
4ff2f14f9ac7 mod_http: Add support for configuring CORS Access-Control-Allow-Credentials
Matthew Wild <mwild1@gmail.com>
parents: 9852
diff changeset
38 local opt_credentials = module:get_option_boolean("access_control_allow_credentials", false);
9793
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
39 local opt_max_age = module:get_option_number("access_control_max_age", 2 * 60 * 60);
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
40
4667
d0cfc49f3f2b mod_http: Support for default_path in apps
Matthew Wild <mwild1@gmail.com>
parents: 4664
diff changeset
41 local function get_http_event(host, app_path, key)
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
42 local method, path = key:match("^(%S+)%s+(.+)$");
4721
1c6c4c53f08a mod_http: Routes now require a method to be specified, but the path has become optional (defaults to the base path with no trailing '/'
Matthew Wild <mwild1@gmail.com>
parents: 4720
diff changeset
43 if not method then -- No path specified, default to "" (base path)
1c6c4c53f08a mod_http: Routes now require a method to be specified, but the path has become optional (defaults to the base path with no trailing '/'
Matthew Wild <mwild1@gmail.com>
parents: 4720
diff changeset
44 method, path = key, "";
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
45 end
4721
1c6c4c53f08a mod_http: Routes now require a method to be specified, but the path has become optional (defaults to the base path with no trailing '/'
Matthew Wild <mwild1@gmail.com>
parents: 4720
diff changeset
46 if method:sub(1,1) == "/" then
1c6c4c53f08a mod_http: Routes now require a method to be specified, but the path has become optional (defaults to the base path with no trailing '/'
Matthew Wild <mwild1@gmail.com>
parents: 4720
diff changeset
47 return nil;
1c6c4c53f08a mod_http: Routes now require a method to be specified, but the path has become optional (defaults to the base path with no trailing '/'
Matthew Wild <mwild1@gmail.com>
parents: 4720
diff changeset
48 end
5092
a89f8f2f2943 mod_http: Don't produce paths with double / if a module is set to serve /
Kim Alvefur <zash@zash.se>
parents: 4915
diff changeset
49 if app_path == "/" and path:sub(1,1) == "/" then
a89f8f2f2943 mod_http: Don't produce paths with double / if a module is set to serve /
Kim Alvefur <zash@zash.se>
parents: 4915
diff changeset
50 app_path = "";
a89f8f2f2943 mod_http: Don't produce paths with double / if a module is set to serve /
Kim Alvefur <zash@zash.se>
parents: 4915
diff changeset
51 end
9376
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
52 if host == "*" then
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
53 return method:upper().." "..app_path..path;
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
54 else
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
55 return method:upper().." "..host..app_path..path;
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
56 end
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
57 end
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
58
4702
5a85e541de1a mod_http: Switch to single option for specifying HTTP app bases, http_paths. Keys are app/module names, values are base paths.
Matthew Wild <mwild1@gmail.com>
parents: 4696
diff changeset
59 local function get_base_path(host_module, app_name, default_app_path)
5332
5b73ac268a9e mod_http: Expand $host in http_paths
Kim Alvefur <zash@zash.se>
parents: 5230
diff changeset
60 return (normalize_path(host_module:get_option("http_paths", {})[app_name] -- Host
4702
5a85e541de1a mod_http: Switch to single option for specifying HTTP app bases, http_paths. Keys are app/module names, values are base paths.
Matthew Wild <mwild1@gmail.com>
parents: 4696
diff changeset
61 or module:get_option("http_paths", {})[app_name] -- Global
5332
5b73ac268a9e mod_http: Expand $host in http_paths
Kim Alvefur <zash@zash.se>
parents: 5230
diff changeset
62 or default_app_path)) -- Default
6025
583e5c1365fe mod_http: Use hostname from the correct context (thanks gryffus)
Kim Alvefur <zash@zash.se>
parents: 5427
diff changeset
63 :gsub("%$(%w+)", { host = host_module.host });
4892
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
64 end
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
65
6504
e1659f32852e mod_http: For URLs that end with / or wildcard handlers, add a low-priority redirect from without to with slash
Kim Alvefur <zash@zash.se>
parents: 6086
diff changeset
66 local function redir_handler(event)
e1659f32852e mod_http: For URLs that end with / or wildcard handlers, add a low-priority redirect from without to with slash
Kim Alvefur <zash@zash.se>
parents: 6086
diff changeset
67 event.response.headers.location = event.request.path.."/";
7518
829ebe806e82 mod_http: Fix indentation in redir_handler
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 7359
diff changeset
68 if event.request.url.query then
829ebe806e82 mod_http: Fix indentation in redir_handler
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 7359
diff changeset
69 event.response.headers.location = event.response.headers.location .. "?" .. event.request.url.query
829ebe806e82 mod_http: Fix indentation in redir_handler
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 7359
diff changeset
70 end
6504
e1659f32852e mod_http: For URLs that end with / or wildcard handlers, add a low-priority redirect from without to with slash
Kim Alvefur <zash@zash.se>
parents: 6086
diff changeset
71 return 301;
e1659f32852e mod_http: For URLs that end with / or wildcard handlers, add a low-priority redirect from without to with slash
Kim Alvefur <zash@zash.se>
parents: 6086
diff changeset
72 end
e1659f32852e mod_http: For URLs that end with / or wildcard handlers, add a low-priority redirect from without to with slash
Kim Alvefur <zash@zash.se>
parents: 6086
diff changeset
73
5093
1ce9e8068dda mod_http: Rework how module:http_url() builds the url.
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
74 local ports_by_scheme = { http = 80, https = 443, };
1ce9e8068dda mod_http: Rework how module:http_url() builds the url.
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
75
4892
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
76 -- Helper to deduce a module's external URL
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
77 function moduleapi.http_url(module, app_name, default_path)
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
78 app_name = app_name or (module.name:gsub("^http_", ""));
12191
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
79
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
80 local external_url = url_parse(module:get_option_string("http_external_url"));
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
81 if external_url then
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
82 local url = {
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
83 scheme = external_url.scheme;
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
84 host = external_url.host;
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
85 port = tonumber(external_url.port) or ports_by_scheme[external_url.scheme];
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
86 path = normalize_path(external_url.path or "/", true)
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
87 .. (get_base_path(module, app_name, default_path or "/" .. app_name):sub(2));
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
88 }
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
89 if ports_by_scheme[url.scheme] == url.port then url.port = nil end
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
90 return url_build(url);
6026
8a8be471ec72 mod_http: Fix http_external_url setting without an explicit port
Kim Alvefur <zash@zash.se>
parents: 6025
diff changeset
91 end
12191
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
92
4892
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
93 local services = portmanager.get_active_services();
4915
3fbc01d1fc5a mod_http: Fix traceback when no HTTP services succeed in binding
Matthew Wild <mwild1@gmail.com>
parents: 4911
diff changeset
94 local http_services = services:get("https") or services:get("http") or {};
8969
48d0b908f8b6 mod_http: Silecence harmless warnings
Kim Alvefur <zash@zash.se>
parents: 8596
diff changeset
95 for interface, ports in pairs(http_services) do -- luacheck: ignore 213/interface
8970
75c3b1bd9d7b mod_http: Rename loop variable to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8969
diff changeset
96 for port, service in pairs(ports) do -- luacheck: ignore 512
5093
1ce9e8068dda mod_http: Rework how module:http_url() builds the url.
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
97 local url = {
12191
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
98 scheme = service[1].service.name;
12268
d41e8c7890b0 mod_http: Use http_default_host for URLs generated in global context
Kim Alvefur <zash@zash.se>
parents: 12192
diff changeset
99 host = module:get_option_string("http_host", module.global
12269
a19d435dee90 mod_http: Use interface name as default default global hostname
Kim Alvefur <zash@zash.se>
parents: 12268
diff changeset
100 and module:get_option_string("http_default_host", interface) or module.host);
12191
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
101 port = port;
8b57362f1176 mod_http: Skip querying portmanager when http_external_url when is set
Kim Alvefur <zash@zash.se>
parents: 12187
diff changeset
102 path = get_base_path(module, app_name, default_path or "/" .. app_name);
5093
1ce9e8068dda mod_http: Rework how module:http_url() builds the url.
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
103 }
1ce9e8068dda mod_http: Rework how module:http_url() builds the url.
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
104 if ports_by_scheme[url.scheme] == url.port then url.port = nil end
1ce9e8068dda mod_http: Rework how module:http_url() builds the url.
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
105 return url_build(url);
4892
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
106 end
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
107 end
11066
dc41c8dfd2b1 mod_http: Silence warnings when running under prosodyctl
Matthew Wild <mwild1@gmail.com>
parents: 11022
diff changeset
108 if prosody.process_type == "prosody" then
dc41c8dfd2b1 mod_http: Silence warnings when running under prosodyctl
Matthew Wild <mwild1@gmail.com>
parents: 11022
diff changeset
109 module:log("warn", "No http ports enabled, can't generate an external URL");
dc41c8dfd2b1 mod_http: Silence warnings when running under prosodyctl
Matthew Wild <mwild1@gmail.com>
parents: 11022
diff changeset
110 end
6598
4b4852c4f96a mod_http: Return a static string from module:http_url() when no ports are enabled and log a warning
Kim Alvefur <zash@zash.se>
parents: 6597
diff changeset
111 return "http://disabled.invalid/";
4702
5a85e541de1a mod_http: Switch to single option for specifying HTTP app bases, http_paths. Keys are app/module names, values are base paths.
Matthew Wild <mwild1@gmail.com>
parents: 4696
diff changeset
112 end
5a85e541de1a mod_http: Switch to single option for specifying HTTP app bases, http_paths. Keys are app/module names, values are base paths.
Matthew Wild <mwild1@gmail.com>
parents: 4696
diff changeset
113
12443
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
114 local function apply_cors_headers(response, methods, headers, max_age, allow_credentials, allowed_origins, origin)
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
115 if allowed_origins and not allowed_origins[origin] then
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
116 return;
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
117 end
9793
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
118 response.headers.access_control_allow_methods = tostring(methods);
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
119 response.headers.access_control_allow_headers = tostring(headers);
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
120 response.headers.access_control_max_age = tostring(max_age)
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
121 response.headers.access_control_allow_origin = origin or "*";
10258
4ff2f14f9ac7 mod_http: Add support for configuring CORS Access-Control-Allow-Credentials
Matthew Wild <mwild1@gmail.com>
parents: 9852
diff changeset
122 if allow_credentials then
4ff2f14f9ac7 mod_http: Add support for configuring CORS Access-Control-Allow-Credentials
Matthew Wild <mwild1@gmail.com>
parents: 9852
diff changeset
123 response.headers.access_control_allow_credentials = "true";
4ff2f14f9ac7 mod_http: Add support for configuring CORS Access-Control-Allow-Credentials
Matthew Wild <mwild1@gmail.com>
parents: 9852
diff changeset
124 end
9793
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
125 end
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
126
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
127 function module.add_host(module)
9376
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
128 local host = module.host;
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
129 if host ~= "*" then
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
130 host = module:get_option_string("http_host", host);
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
131 end
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
132 local apps = {};
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
133 module.environment.apps = apps;
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
134 local function http_app_added(event)
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
135 local app_name = event.item.name;
4667
d0cfc49f3f2b mod_http: Support for default_path in apps
Matthew Wild <mwild1@gmail.com>
parents: 4664
diff changeset
136 local default_app_path = event.item.default_path or "/"..app_name;
4892
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
137 local app_path = get_base_path(module, app_name, default_app_path);
6c8074f47ca4 mod_http: Add module:http_url([app_name,][default_path]) for a module to get a guess at its external URL
Matthew Wild <mwild1@gmail.com>
parents: 4774
diff changeset
138 if not app_name then
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
139 -- TODO: Link to docs
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
140 module:log("error", "HTTP app has no 'name', add one or use module:provides('http', app)");
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
141 return;
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
142 end
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
143 apps[app_name] = apps[app_name] or {};
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
144 local app_handlers = apps[app_name];
9793
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
145
9797
071538a567d5 mod_http: Determine CORS methods to whitelist from actual methods used
Kim Alvefur <zash@zash.se>
parents: 9796
diff changeset
146 local app_methods = opt_methods;
11397
27a22a1f141c mod_http: Allow modifying CORS header list via :provides API
Kim Alvefur <zash@zash.se>
parents: 11396
diff changeset
147 local app_headers = opt_headers;
11396
f6bb3b193277 mod_http: Allow setting the CORS credentials flag via :provides API
Kim Alvefur <zash@zash.se>
parents: 11387
diff changeset
148 local app_credentials = opt_credentials;
12443
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
149 local app_origins;
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
150 if opt_origins and not (opt_origins:empty() or opt_origins:contains("*")) then
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
151 opt_origins = opt_origins._items;
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
152 end
9797
071538a567d5 mod_http: Determine CORS methods to whitelist from actual methods used
Kim Alvefur <zash@zash.se>
parents: 9796
diff changeset
153
9793
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
154 local function cors_handler(event_data)
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
155 local request, response = event_data.request, event_data.response;
12443
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
156 apply_cors_headers(response, app_methods, app_headers, opt_max_age, app_credentials, app_origins, request.headers.origin);
9793
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
157 end
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
158
9796
adfb29f44412 mod_http: Set up to handle OPTIONS
Kim Alvefur <zash@zash.se>
parents: 9793
diff changeset
159 local function options_handler(event_data)
adfb29f44412 mod_http: Set up to handle OPTIONS
Kim Alvefur <zash@zash.se>
parents: 9793
diff changeset
160 cors_handler(event_data);
adfb29f44412 mod_http: Set up to handle OPTIONS
Kim Alvefur <zash@zash.se>
parents: 9793
diff changeset
161 return "";
adfb29f44412 mod_http: Set up to handle OPTIONS
Kim Alvefur <zash@zash.se>
parents: 9793
diff changeset
162 end
adfb29f44412 mod_http: Set up to handle OPTIONS
Kim Alvefur <zash@zash.se>
parents: 9793
diff changeset
163
12443
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
164 local cors = cors_overrides[app_name] or event.item.cors;
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
165 if cors then
12444
b33558969b3e mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731)
Matthew Wild <mwild1@gmail.com>
parents: 12443
diff changeset
166 if cors.enabled == true then
12443
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
167 if cors.credentials ~= nil then
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
168 app_credentials = cors.credentials;
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
169 end
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
170 if cors.headers then
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
171 for header, enable in pairs(cors.headers) do
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
172 if enable and not app_headers:contains(header) then
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
173 app_headers = app_headers + set.new { header };
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
174 elseif not enable and app_headers:contains(header) then
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
175 app_headers = app_headers - set.new { header };
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
176 end
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
177 end
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
178 end
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
179 if cors.origins then
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
180 if cors.origins == "*" or cors.origins[1] == "*" then
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
181 app_origins = nil;
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
182 else
17d87fb2312a mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730)
Matthew Wild <mwild1@gmail.com>
parents: 12269
diff changeset
183 app_origins = set.new(cors.origins)._items;
11397
27a22a1f141c mod_http: Allow modifying CORS header list via :provides API
Kim Alvefur <zash@zash.se>
parents: 11396
diff changeset
184 end
27a22a1f141c mod_http: Allow modifying CORS header list via :provides API
Kim Alvefur <zash@zash.se>
parents: 11396
diff changeset
185 end
27a22a1f141c mod_http: Allow modifying CORS header list via :provides API
Kim Alvefur <zash@zash.se>
parents: 11396
diff changeset
186 end
11396
f6bb3b193277 mod_http: Allow setting the CORS credentials flag via :provides API
Kim Alvefur <zash@zash.se>
parents: 11387
diff changeset
187 end
f6bb3b193277 mod_http: Allow setting the CORS credentials flag via :provides API
Kim Alvefur <zash@zash.se>
parents: 11387
diff changeset
188
11022
3e5bc34be734 mod_http: Add way to signal that a module supports streaming uploads
Kim Alvefur <zash@zash.se>
parents: 11021
diff changeset
189 local streaming = event.item.streaming_uploads;
3e5bc34be734 mod_http: Add way to signal that a module supports streaming uploads
Kim Alvefur <zash@zash.se>
parents: 11021
diff changeset
190
11399
d5d895313be2 mod_http: Warn if app is missing 'route'
Kim Alvefur <zash@zash.se>
parents: 11397
diff changeset
191 if not event.item.route then
d5d895313be2 mod_http: Warn if app is missing 'route'
Kim Alvefur <zash@zash.se>
parents: 11397
diff changeset
192 -- TODO: Link to docs
11400
19a59cb7311e mod_http: Improve message for missing 'route'
Kim Alvefur <zash@zash.se>
parents: 11399
diff changeset
193 module:log("error", "HTTP app %q provides no 'route', add one to handle HTTP requests", app_name);
11399
d5d895313be2 mod_http: Warn if app is missing 'route'
Kim Alvefur <zash@zash.se>
parents: 11397
diff changeset
194 return;
d5d895313be2 mod_http: Warn if app is missing 'route'
Kim Alvefur <zash@zash.se>
parents: 11397
diff changeset
195 end
d5d895313be2 mod_http: Warn if app is missing 'route'
Kim Alvefur <zash@zash.se>
parents: 11397
diff changeset
196
d5d895313be2 mod_http: Warn if app is missing 'route'
Kim Alvefur <zash@zash.se>
parents: 11397
diff changeset
197 for key, handler in pairs(event.item.route) do
4667
d0cfc49f3f2b mod_http: Support for default_path in apps
Matthew Wild <mwild1@gmail.com>
parents: 4664
diff changeset
198 local event_name = get_http_event(host, app_path, key);
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
199 if event_name then
9797
071538a567d5 mod_http: Determine CORS methods to whitelist from actual methods used
Kim Alvefur <zash@zash.se>
parents: 9796
diff changeset
200 local method = event_name:match("^%S+");
071538a567d5 mod_http: Determine CORS methods to whitelist from actual methods used
Kim Alvefur <zash@zash.se>
parents: 9796
diff changeset
201 if not app_methods:contains(method) then
071538a567d5 mod_http: Determine CORS methods to whitelist from actual methods used
Kim Alvefur <zash@zash.se>
parents: 9796
diff changeset
202 app_methods = app_methods + set.new{ method };
071538a567d5 mod_http: Determine CORS methods to whitelist from actual methods used
Kim Alvefur <zash@zash.se>
parents: 9796
diff changeset
203 end
9796
adfb29f44412 mod_http: Set up to handle OPTIONS
Kim Alvefur <zash@zash.se>
parents: 9793
diff changeset
204 local options_event_name = event_name:gsub("^%S+", "OPTIONS");
4724
a8c234332258 mod_http: Allow a route value to be static data rather than a handler function
Matthew Wild <mwild1@gmail.com>
parents: 4721
diff changeset
205 if type(handler) ~= "function" then
a8c234332258 mod_http: Allow a route value to be static data rather than a handler function
Matthew Wild <mwild1@gmail.com>
parents: 4721
diff changeset
206 local data = handler;
a8c234332258 mod_http: Allow a route value to be static data rather than a handler function
Matthew Wild <mwild1@gmail.com>
parents: 4721
diff changeset
207 handler = function () return data; end
a8c234332258 mod_http: Allow a route value to be static data rather than a handler function
Matthew Wild <mwild1@gmail.com>
parents: 4721
diff changeset
208 elseif event_name:sub(-2, -1) == "/*" then
5230
6f5640375358 mod_http: Fix path length pattern
Kim Alvefur <zash@zash.se>
parents: 5204
diff changeset
209 local base_path_len = #event_name:match("/.+$");
4669
0e0a72679f77 mod_http: Pass portion of path that matched wildcard to wildcard handlers, as a second parameter
Matthew Wild <mwild1@gmail.com>
parents: 4667
diff changeset
210 local _handler = handler;
8972
0b254439d451 mod_http: Rename argument to avoid name clash with outer scope [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8971
diff changeset
211 handler = function (_event)
0b254439d451 mod_http: Rename argument to avoid name clash with outer scope [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8971
diff changeset
212 local path = _event.request.path:sub(base_path_len);
0b254439d451 mod_http: Rename argument to avoid name clash with outer scope [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8971
diff changeset
213 return _handler(_event, path);
4669
0e0a72679f77 mod_http: Pass portion of path that matched wildcard to wildcard handlers, as a second parameter
Matthew Wild <mwild1@gmail.com>
parents: 4667
diff changeset
214 end;
6504
e1659f32852e mod_http: For URLs that end with / or wildcard handlers, add a low-priority redirect from without to with slash
Kim Alvefur <zash@zash.se>
parents: 6086
diff changeset
215 module:hook_object_event(server, event_name:sub(1, -3), redir_handler, -1);
e1659f32852e mod_http: For URLs that end with / or wildcard handlers, add a low-priority redirect from without to with slash
Kim Alvefur <zash@zash.se>
parents: 6086
diff changeset
216 elseif event_name:sub(-1, -1) == "/" then
e1659f32852e mod_http: For URLs that end with / or wildcard handlers, add a low-priority redirect from without to with slash
Kim Alvefur <zash@zash.se>
parents: 6086
diff changeset
217 module:hook_object_event(server, event_name:sub(1, -2), redir_handler, -1);
4669
0e0a72679f77 mod_http: Pass portion of path that matched wildcard to wildcard handlers, as a second parameter
Matthew Wild <mwild1@gmail.com>
parents: 4667
diff changeset
218 end
11022
3e5bc34be734 mod_http: Add way to signal that a module supports streaming uploads
Kim Alvefur <zash@zash.se>
parents: 11021
diff changeset
219 if not streaming then
11021
9673c95895fb net.http.parser: Allow specifying sink for large request bodies
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
220 -- COMPAT Modules not compatible with streaming uploads behave as before.
9673c95895fb net.http.parser: Allow specifying sink for large request bodies
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
221 local _handler = handler;
9673c95895fb net.http.parser: Allow specifying sink for large request bodies
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
222 function handler(event) -- luacheck: ignore 432/event
9673c95895fb net.http.parser: Allow specifying sink for large request bodies
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
223 if event.request.body ~= false then
9673c95895fb net.http.parser: Allow specifying sink for large request bodies
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
224 return _handler(event);
9673c95895fb net.http.parser: Allow specifying sink for large request bodies
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
225 end
9673c95895fb net.http.parser: Allow specifying sink for large request bodies
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
226 end
9673c95895fb net.http.parser: Allow specifying sink for large request bodies
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
227 end
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
228 if not app_handlers[event_name] then
10315
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
229 app_handlers[event_name] = {
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
230 main = handler;
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
231 cors = cors_handler;
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
232 options = options_handler;
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
233 };
4696
4700e318add1 mod_http: Use module:hook/unhook_event_object() so that handlers get unregistered if mod_http is unloaded
Matthew Wild <mwild1@gmail.com>
parents: 4678
diff changeset
234 module:hook_object_event(server, event_name, handler);
9793
9993fd021d19 mod_http: Solve CORS problems once and for all
Kim Alvefur <zash@zash.se>
parents: 9504
diff changeset
235 module:hook_object_event(server, event_name, cors_handler, 1);
9796
adfb29f44412 mod_http: Set up to handle OPTIONS
Kim Alvefur <zash@zash.se>
parents: 9793
diff changeset
236 module:hook_object_event(server, options_event_name, options_handler, -1);
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
237 else
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
238 module:log("warn", "App %s added handler twice for '%s', ignoring", app_name, event_name);
4636
41983ec223f0 mod_http: Include handlers of non-global modules.
Waqas Hussain <waqas20@gmail.com>
parents: 4635
diff changeset
239 end
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
240 else
7359
a5a080c12c96 Update every link to the documentation to use HTTPS
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 7247
diff changeset
241 module:log("error", "Invalid route in %s, %q. See https://prosody.im/doc/developers/http#routes", app_name, key);
4636
41983ec223f0 mod_http: Include handlers of non-global modules.
Waqas Hussain <waqas20@gmail.com>
parents: 4635
diff changeset
242 end
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
243 end
6597
321321f566fb mod_http: Log a debug message when adding new http apps and warn if no http ports are enabled
Kim Alvefur <zash@zash.se>
parents: 6596
diff changeset
244 local services = portmanager.get_active_services();
321321f566fb mod_http: Log a debug message when adding new http apps and warn if no http ports are enabled
Kim Alvefur <zash@zash.se>
parents: 6596
diff changeset
245 if services:get("https") or services:get("http") then
10460
5ce6cbb5ce6a mod_http: Log served URLs at 'info' level
Kim Alvefur <zash@zash.se>
parents: 10409
diff changeset
246 module:log("info", "Serving '%s' at %s", app_name, module:http_url(app_name, app_path));
11066
dc41c8dfd2b1 mod_http: Silence warnings when running under prosodyctl
Matthew Wild <mwild1@gmail.com>
parents: 11022
diff changeset
247 elseif prosody.process_type == "prosody" then
12192
6a772a0c0dfd mod_http: Increase severity of loading unreachable http modules
Kim Alvefur <zash@zash.se>
parents: 12191
diff changeset
248 module:log("error", "Not listening on any ports, '%s' will be unreachable", app_name);
6597
321321f566fb mod_http: Log a debug message when adding new http apps and warn if no http ports are enabled
Kim Alvefur <zash@zash.se>
parents: 6596
diff changeset
249 end
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
250 end
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5427
diff changeset
251
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
252 local function http_app_removed(event)
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
253 local app_handlers = apps[event.item.name];
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
254 apps[event.item.name] = nil;
10315
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
255 for event_name, handlers in pairs(app_handlers) do
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
256 module:unhook_object_event(server, event_name, handlers.main);
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
257 module:unhook_object_event(server, event_name, handlers.cors);
12113
86e6f0810956 mod_http: Clean up redirects handlers for wildcard on http module unload
Kim Alvefur <zash@zash.se>
parents: 11727
diff changeset
258
86e6f0810956 mod_http: Clean up redirects handlers for wildcard on http module unload
Kim Alvefur <zash@zash.se>
parents: 11727
diff changeset
259 if event_name:sub(-2, -1) == "/*" then
86e6f0810956 mod_http: Clean up redirects handlers for wildcard on http module unload
Kim Alvefur <zash@zash.se>
parents: 11727
diff changeset
260 module:unhook_object_event(server, event_name:sub(1, -3), redir_handler, -1);
86e6f0810956 mod_http: Clean up redirects handlers for wildcard on http module unload
Kim Alvefur <zash@zash.se>
parents: 11727
diff changeset
261 elseif event_name:sub(-1, -1) == "/" then
86e6f0810956 mod_http: Clean up redirects handlers for wildcard on http module unload
Kim Alvefur <zash@zash.se>
parents: 11727
diff changeset
262 module:unhook_object_event(server, event_name:sub(1, -2), redir_handler, -1);
86e6f0810956 mod_http: Clean up redirects handlers for wildcard on http module unload
Kim Alvefur <zash@zash.se>
parents: 11727
diff changeset
263 end
86e6f0810956 mod_http: Clean up redirects handlers for wildcard on http module unload
Kim Alvefur <zash@zash.se>
parents: 11727
diff changeset
264
10315
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
265 local options_event_name = event_name:gsub("^%S+", "OPTIONS");
d4c538a7d655 mod_http: Unhook CORS related event handlers
Kim Alvefur <zash@zash.se>
parents: 10258
diff changeset
266 module:unhook_object_event(server, options_event_name, handlers.options);
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
267 end
4636
41983ec223f0 mod_http: Include handlers of non-global modules.
Waqas Hussain <waqas20@gmail.com>
parents: 4635
diff changeset
268 end
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5427
diff changeset
269
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
270 module:handle_items("http-provider", http_app_added, http_app_removed);
4736
3514338c59c3 net.http.server, mod_http: Support http_default_host config option to specify where to direct requests for unknown HTTP vhosts
Matthew Wild <mwild1@gmail.com>
parents: 4724
diff changeset
271
9376
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
272 if host ~= "*" then
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
273 server.add_host(host);
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
274 function module.unload()
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
275 server.remove_host(host);
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
276 end
4736
3514338c59c3 net.http.server, mod_http: Support http_default_host config option to specify where to direct requests for unknown HTTP vhosts
Matthew Wild <mwild1@gmail.com>
parents: 4724
diff changeset
277 end
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
278 end
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
279
9376
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
280 module.add_host(module); -- set up handling on global context too
220468f7a103 mod_http: Support global HTTP modules
Kim Alvefur <zash@zash.se>
parents: 9338
diff changeset
281
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
282 local trusted_proxies = module:get_option_set("trusted_proxies", { "127.0.0.1", "::1" })._items;
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
283
10923
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
284 local function is_trusted_proxy(ip)
11385
c81b6b8c6b19 mod_http: Optimize proxy IP check
Kim Alvefur <zash@zash.se>
parents: 11383
diff changeset
285 if trusted_proxies[ip] then
c81b6b8c6b19 mod_http: Optimize proxy IP check
Kim Alvefur <zash@zash.se>
parents: 11383
diff changeset
286 return true;
c81b6b8c6b19 mod_http: Optimize proxy IP check
Kim Alvefur <zash@zash.se>
parents: 11383
diff changeset
287 end
10923
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
288 local parsed_ip = new_ip(ip)
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
289 for trusted_proxy in trusted_proxies do
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
290 if match_ip(parsed_ip, parse_cidr(trusted_proxy)) then
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
291 return true;
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
292 end
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
293 end
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
294 return false
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
295 end
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
296
11410
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
297 local function get_forwarded_connection_info(request) --> ip:string, secure:boolean
11409
d30c44a829c1 net.http.server: Set request.ip so mod_http doesn't have to
Kim Alvefur <zash@zash.se>
parents: 11408
diff changeset
298 local ip = request.ip;
11410
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
299 local secure = request.secure; -- set by net.http.server
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
300 local forwarded_for = request.headers.x_forwarded_for;
11410
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
301 if forwarded_for then
10841
22f783d80eec mod_http: Tell luacheck to ignore the long comment lines
Kim Alvefur <zash@zash.se>
parents: 10840
diff changeset
302 -- luacheck: ignore 631
10840
a83bfb266b15 mod_http: Add documentation to the non-obvious logic of get_ip_from_request
Jonas Schäfer <jonas@wielicki.name>
parents: 10465
diff changeset
303 -- This logic looks weird at first, but it makes sense.
a83bfb266b15 mod_http: Add documentation to the non-obvious logic of get_ip_from_request
Jonas Schäfer <jonas@wielicki.name>
parents: 10465
diff changeset
304 -- The for loop will take the last non-trusted-proxy IP from `forwarded_for`.
a83bfb266b15 mod_http: Add documentation to the non-obvious logic of get_ip_from_request
Jonas Schäfer <jonas@wielicki.name>
parents: 10465
diff changeset
305 -- We append the original request IP to the header. Then, since the last IP wins, there are two cases:
a83bfb266b15 mod_http: Add documentation to the non-obvious logic of get_ip_from_request
Jonas Schäfer <jonas@wielicki.name>
parents: 10465
diff changeset
306 -- Case a) The original request IP is *not* in trusted proxies, in which case the X-Forwarded-For header will, effectively, be ineffective; the original request IP will win because it overrides any other IP in the header.
a83bfb266b15 mod_http: Add documentation to the non-obvious logic of get_ip_from_request
Jonas Schäfer <jonas@wielicki.name>
parents: 10465
diff changeset
307 -- Case b) The original request IP is in trusted proxies. In that case, the if branch in the for loop will skip the last IP, causing it to be ignored. The second-to-last IP will be taken instead.
a83bfb266b15 mod_http: Add documentation to the non-obvious logic of get_ip_from_request
Jonas Schäfer <jonas@wielicki.name>
parents: 10465
diff changeset
308 -- Case c) If the second-to-last IP is also a trusted proxy, it will also be ignored, iteratively, up to the last IP which isn’t in trusted proxies.
a83bfb266b15 mod_http: Add documentation to the non-obvious logic of get_ip_from_request
Jonas Schäfer <jonas@wielicki.name>
parents: 10465
diff changeset
309 -- Case d) If all IPs are in trusted proxies, something went obviously wrong and the logic never overwrites `ip`, leaving it at the original request IP.
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
310 forwarded_for = forwarded_for..", "..ip;
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
311 for forwarded_ip in forwarded_for:gmatch("[^%s,]+") do
10923
dff1aebd0f2b mod_http: Support CIDR for trusted proxies.
Boris Grozev <boris@jitsi.org>
parents: 10841
diff changeset
312 if not is_trusted_proxy(forwarded_ip) then
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
313 ip = forwarded_ip;
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
314 end
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
315 end
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
316 end
11410
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
317
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
318 secure = secure or request.headers.x_forwarded_proto == "https";
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
319
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
320 return ip, secure;
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
321 end
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
322
8596
71da54c7f797 mod_http: Pass util.events object to API, fixes traceback
Kim Alvefur <zash@zash.se>
parents: 8594
diff changeset
323 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data)
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
324 local request = event_data.request;
11410
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
325 if request and is_trusted_proxy(request.ip) then
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
326 -- Not included in eg http-error events
11410
2ea70d291429 mod_http: Consolidate handling of proxied connection details
Kim Alvefur <zash@zash.se>
parents: 11409
diff changeset
327 request.ip, request.secure = get_forwarded_connection_info(request);
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
328 end
9338
9beb767295d4 Revert 2dc7490899ae::5d6b252bc36f: Unfinished and broken
Kim Alvefur <zash@zash.se>
parents: 9336
diff changeset
329 return handlers(event_name, event_data);
8594
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
330 end);
b4a0bc46c82d mod_http: Set request.ip on all HTTP requests (moves code out of mod_bosh) (fixes #540)
Kim Alvefur <zash@zash.se>
parents: 7868
diff changeset
331
5120
bcabea740c00 mod_{admin_telnet,c2s,component,http,net_multiplex,s2s}: Use module:provides() instead of module:add_item().
Waqas Hussain <waqas20@gmail.com>
parents: 5093
diff changeset
332 module:provides("net", {
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
333 name = "http";
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
334 listener = server.listener;
12187
94253e02d47d mod_http: Limit unencrypted http port (5280) to loopback by default
Kim Alvefur <zash@zash.se>
parents: 12113
diff changeset
335 private = true;
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
336 default_port = 5280;
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
337 multiplex = {
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
338 pattern = "^[A-Z]";
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
339 };
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
340 });
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
341
5120
bcabea740c00 mod_{admin_telnet,c2s,component,http,net_multiplex,s2s}: Use module:provides() instead of module:add_item().
Waqas Hussain <waqas20@gmail.com>
parents: 5093
diff changeset
342 module:provides("net", {
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
343 name = "https";
4664
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
344 listener = server.listener;
7438b3c68576 mod_http: Revamp module for new API and config
Matthew Wild <mwild1@gmail.com>
parents: 4636
diff changeset
345 default_port = 5281;
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
346 encryption = "ssl";
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
347 multiplex = {
10465
09697a673015 mod_net_multiplex: Add support for using ALPN
Kim Alvefur <zash@zash.se>
parents: 10460
diff changeset
348 protocol = "http/1.1";
4635
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
349 pattern = "^[A-Z]";
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
350 };
ea5215bd2783 mod_http: Provide HTTP service.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
351 });