support upgrade-insecure-requests option

bench/bench.sh

@@ -1,29 +1,29 @@
 #!/bin/sh
 
-echo "----------------------------"
-echo "Benchmark on rpxy"
-ab -c 100 -n 10000 http://127.0.0.1:8080/index.html
-
-echo "----------------------------"
-echo "Benchmark on nginx"
-ab -c 100 -n 10000  http://127.0.0.1:8090/index.html
-
-echo "----------------------------"
-echo "Benchmark on caddy"
-ab -c 100 -n 10000  http://127.0.0.1:8100/index.html
-
-
 # echo "----------------------------"
 # echo "Benchmark on rpxy"
-# #wrk -t8 -c100 -d30s http://127.0.0.1:8080/index.html
-# rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8080 --pct
+# ab -c 100 -n 10000 http://127.0.0.1:8080/index.html
 
 # echo "----------------------------"
 # echo "Benchmark on nginx"
-# # wrk -t8 -c100 -d30s http://127.0.0.1:8090/index.html
-# rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8090 --pct
+# ab -c 100 -n 10000  http://127.0.0.1:8090/index.html
 
 # echo "----------------------------"
 # echo "Benchmark on caddy"
-# # wrk -t8 -c100 -d30s http://127.0.0.1:8100/index.html
-# rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8100 --pct
+# ab -c 100 -n 10000  http://127.0.0.1:8100/index.html
+
+
+echo "----------------------------"
+echo "Benchmark on rpxy"
+#wrk -t8 -c100 -d30s http://127.0.0.1:8080/index.html
+rewrk -c 256 -t 8 -d 15s -h http://localhost:8080 --pct
+
+echo "----------------------------"
+echo "Benchmark on nginx"
+# wrk -t8 -c100 -d30s http://127.0.0.1:8090/index.html
+rewrk -c 256 -t 8 -d 15s -h http://localhost:8090 --pct
+
+echo "----------------------------"
+echo "Benchmark on caddy"
+# wrk -t8 -c100 -d30s http://127.0.0.1:8100/index.html
+rewrk -c 256 -t 8 -d 15s -h http://localhost:8100 --pct

bench/docker-compose.yml

@@ -5,12 +5,12 @@ services:
     container_name: backend-nginx
     restart: unless-stopped
     environment:
-      - VIRTUAL_HOST="127.0.0.1"
+      - VIRTUAL_HOST=localhost
       - VIRTUAL_PORT=80
     expose:
       - 80
-    ports:
-      - 127.0.0.1:8888:80
+    # ports:
+      # - 127.0.0.1:8888:80
     logging:
       options:
         max-size: "10m"
@@ -45,6 +45,8 @@ services:
     tty: false
     privileged: true
     volumes:
+      - ./nginx_data/vhost:/etc/nginx/vhost.d
+      - ./nginx_data/conf:/etc/nginx/conf.d/
       - /var/run/docker.sock:/tmp/docker.sock:ro
     logging:
       options:

bench/nginx_data/conf/default.conf

@@ -0,0 +1,74 @@
+# nginx-proxy version : 1.0.1-6-gc4ad18f
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+# Default dhparam
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
+map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent" '
+                 '"$upstream_addr"';
+access_log off;
+		ssl_protocols TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+		ssl_prefer_server_ciphers off;
+error_log /dev/stderr;
+resolver 127.0.0.11;
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+proxy_set_header X-Original-URI $request_uri;
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	server_tokens off;
+	listen 80;
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+}
+	# localhost
+upstream localhost {
+        ## Can be connected with "bench-nw" network
+        # backend-nginx
+        server 192.168.100.100:80;
+}
+server {
+	server_name localhost;
+	listen 80 ;
+	access_log /var/log/nginx/access.log vhost;
+	location / {
+		proxy_pass http://localhost;
+}
+}

bench/rpxy.toml

@@ -1,6 +1,6 @@
 listen_port = 8080
 # listen_port_tls = 8443
-listen_ipv6 = false
+# listen_ipv6 = true
 
 max_concurrent_streams = 128
 max_clients = 512
@@ -14,11 +14,7 @@ server_name = 'localhost'
 reverse_proxy = [
   # default destination if path is not specified
   # Array for load balancing
-  { upstream = [
-    { location = 'backend-nginx', tls = false, upstream_options = [
-      # "override_host",
-    ] },
-  ] },
+  { upstream = [{ location = 'backend-nginx', tls = false }] },
   # { upstream = [{ location = '192.168.100.100', tls = false }] },
 ]
 

config-example.toml

@@ -45,6 +45,7 @@ reverse_proxy = [
     { location = 'www.bing.co.jp', tls = true },
   ], upstream_options = [
     "override_host",
+    "upgrade_insecure_requests",
   ] },
 ]
 # Optional: TLS setting. if https_port is specified and tls is true above, this must be given.

src/backend_opt.rs

@@ -3,6 +3,7 @@ use crate::error::*;
 #[derive(Debug, Clone, Hash, Eq, PartialEq)]
 pub enum UpstreamOption {
   OverrideHost,
+  UpgradeInsecureRequests,
   // TODO: Adds more options for heder override
 }
 impl TryFrom<&str> for UpstreamOption {
@@ -10,6 +11,7 @@ impl TryFrom<&str> for UpstreamOption {
   fn try_from(val: &str) -> Result<Self> {
     match val {
       "override_host" => Ok(Self::OverrideHost),
+      "upgrade_insecure_requests" => Ok(Self::UpgradeInsecureRequests),
       _ => Err(anyhow!("Unsupported header option")),
     }
   }

src/msg_handler/handler.rs

@@ -92,7 +92,7 @@ where
       return http_error(StatusCode::SERVICE_UNAVAILABLE);
     };
     // debug!("Request to be forwarded: {:?}", req_forwarded);
-    req_forwarded.log(&client_addr, Some("Forwarding"));
+    req_forwarded.log(&client_addr, Some("(Forwarding)"));
 
     // Forward request to
     let mut res_backend = match self.forwarder.request(req_forwarded).await {

src/msg_handler/utils_headers.rs

@@ -16,13 +16,21 @@ pub(super) fn apply_upstream_options_to_header(
   upstream: &Upstream,
 ) -> Result<()> {
   for opt in upstream.opts.iter() {
+    println!("{:?}", opt);
     match opt {
       UpstreamOption::OverrideHost => {
+        // overwrite HOST value with upstream hostname (like 192.168.xx.x seen from rpxy)
         let upstream_host = upstream_scheme_host.host().ok_or_else(|| anyhow!("none"))?;
         headers
           .insert(header::HOST, HeaderValue::from_str(upstream_host)?)
           .ok_or_else(|| anyhow!("none"))?;
       }
+      UpstreamOption::UpgradeInsecureRequests => {
+        // add upgrade-insecure-requests in request header if not exist
+        headers
+          .entry(header::UPGRADE_INSECURE_REQUESTS)
+          .or_insert(HeaderValue::from_bytes(&[b'1']).unwrap());
+      }
     }
   }