annotate mod_strict_https/mod_strict_https.lua @ 5256:44f7edd4f845

mod_http_oauth2: Reject non-local hosts in more code paths We're not issuing tokens for users on remote hosts, we can't even authenticate them since they're remote. Thus the host is always the local module.host so no need to pass around the host in most cases or use it for anything but enforcing the same host.
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 17:52:10 +0100
parents efa9c1676d1f
children b3158647cb36
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
861
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- HTTP Strict Transport Security
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 -- https://tools.ietf.org/html/rfc6797
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 module:set_global();
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local http_server = require "net.http.server";
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7
863
efa9c1676d1f mod_strict_https: Correct underscore to hypen in max-age directive
Kim Alvefur <zash@zash.se>
parents: 861
diff changeset
8 local hsts_header = module:get_option_string("hsts_header", "max-age=31556952"); -- This means "Don't even try to access without HTTPS for a year"
861
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local _old_send_response;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local _old_fire_event;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local modules = {};
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 function module.load()
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 _old_send_response = http_server.send_response;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 function http_server.send_response(response, body)
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 response.headers.strict_transport_security = hsts_header;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 return _old_send_response(response, body);
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 end
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 _old_fire_event = http_server._events.fire_event;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 function http_server._events.fire_event(event, payload)
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 local request = payload.request;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 local host = event:match("^[A-Z]+ ([^/]+)");
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 local module = modules[host];
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 if module and not request.secure then
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 payload.response.headers.location = module:http_url(request.path);
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 return 301;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 end
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 return _old_fire_event(event, payload);
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 end
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 end
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 function module.unload()
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 http_server.send_response = _old_send_response;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 http_server._events.fire_event = _old_fire_event;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 end
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 function module.add_host(module)
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 local http_host = module:get_option_string("http_host", module.host);
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 modules[http_host] = module;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 function module.unload()
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 modules[http_host] = nil;
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 end
1b34c8e46ffb mod_strict_https: New module implementing HTTP Strict Transport Security
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 end