Fix a major memset() mistake leaking memory and possibly breaking CA
chains for proxyspecs and struct filtering rules.
Fix wrong memset size.
Fix redundant WUNRES attrib, MALLOC attrib has WUNRES already.
And fix param names.
Now we can specify multiple sites in one struct rule: SNI, CN, Host,
URI, and DstIp destination sites. We create a new rule for each
destination site type specified. Struct rules can be complicated and
long, so this is expected to help with rule reuse.
Error out unit tests if DEBUG_PROXY enabled, because we debug print
line_num if DEBUG_PROXY enabled. We cannot support line_num in expected
debug output, it would make things complicated with very little benefit.
But we don't support $macros within multi valued Log lines, i.e. cannot
mix log actions with $macros, use either log actions concat with spaces
or just a $macro, and no point trying to support it either.
Don't forget tot increment precedence if only Desc is used.
But do not increment precedence twice for both User and Desc.
Note that the ordering of User and Desc in the rule is not known.
The ReconnectSSL option allows rule developers to write struct filtering
rules using SNI and CN SSL specifications to override the SSL
configuration of a connection.
Otherwise, without this new option, filtering rules cannot change SSL
options using SSL filtering fields to match connections (the SSL config
in the rule would not have any effect on the server side of the matching
connection). Without ReconnectSSL, only DstIP and DstPort fields can be
used to override the SSL config of a connection.
If the ReconnectSSL option in a struct filtering rule is set, we
disconnect and free the server side of the matching SSL connection, and
reconnect it with the SSL options in the matching struct filtering rule.
This enforces the SSL config in the rule.
Do not use the ReconnectSSL option if server disconnect is not desirable
or acceptable in your case.
We have to apply the DstHost filter both (1) as early as in
pxy_conn_connect() and also (2) after user owner of the conn is
determined in srvdst connected callback functions for tcp and ssl.
Otherwise, we cannot override SSL options of conns if we don't apply it
before SSL establishment (1), and we cannot apply user auth filtering
rules if we don't apply after determining the user owner of conn (2).
This commit actually adds the same calls in the same places as they were
before the structured filtering rules were introduced.
So for example, now we have to apply filters 4x for an HTTPS conn: 2x
dsthost, 1x ssl, and 1x http.
So that we can replace the SSL/TLS configuration of the conn with the
one in the matching filtering rule. Otherwise, once the server conn is
established, we cannot change the SSL config, or would risk confusing
the SSL routines.
Now all connection oriented proxy options possible to specify
per-proxyspec or globally can be specified in structured filtering rules
to be selectively applied to connections too. One line filtering rules
can specify filter and log actions only.
For example, we can enable/disable user authentication, protocol
validation, server ssl verification, and many other options
per-connection, or configure SSL/TLS connection options per-connection.
So, now we replace the conn_opts struct of a connection's ctx with the
conn_opts struct of the matching structured filtering rule. (One line
filtering rules have a NULL conn_opts, so we first check if the
conn_opts is not NULL.)
Now, all of the 'to' site fields in filtering rules can specify a port,
not just the dstip sites.
Fix the precedence of sites in the same type of rules. For example, if
we find a match with an sni site, we should not stop searching for a
match in cn, because a matching cn site may have a higher precedence
than the matching sni site. We should apply the action of the cn site,
although sni rules have precedence over cn. The same applies to http
host and uri rules too.
Fix the precedence of dstip rules.
Improve and update unit and e2e tests accordingly.
Now, the filter uses B-trees for exact string matching and Aho-Corasick
machines for substring matching. B-trees and AC machines are exported to
linked lists for debug logging only.
Also,
- Separate all_sites and all_ports filters from substring filters. They
are not related with substring filters actually, and ACM keywords cannot
be empty strings anyway. So now they should be handled separately too.
- Improve debug logging of filtering rules.
- Update unit tests accordingly, and improve.
- Fix pxyconn_filter(), keep searching for a match in substring filters
if exact match does not have a matching site rule.
- Increase common names max len and tokens. weather.gov has 73 tokens.
- Rename keyword to desc.
- Update documentation.
- Clean up.
Actually, no need to check all_sites or all_ports, because strstr(3) on
OpenBSD reads that "If little is an empty string, big is returned", and
if all_sites or all_ports is set, site or port (little/needle) is empty.
But using all_sites and all_ports should improve performance by avoiding
the strstr() call.
Soner Tari