support upgrade-insecure-requests option
This commit is contained in:
		
					parent
					
						
							
								954a1993a9
							
						
					
				
			
			
				commit
				
					
						1a80e405b5
					
				
			
		
					 8 changed files with 112 additions and 29 deletions
				
			
		|  | @ -1,29 +1,29 @@ | |||
| #!/bin/sh | ||||
| 
 | ||||
| echo "----------------------------" | ||||
| echo "Benchmark on rpxy" | ||||
| ab -c 100 -n 10000 http://127.0.0.1:8080/index.html | ||||
| 
 | ||||
| echo "----------------------------" | ||||
| echo "Benchmark on nginx" | ||||
| ab -c 100 -n 10000  http://127.0.0.1:8090/index.html | ||||
| 
 | ||||
| echo "----------------------------" | ||||
| echo "Benchmark on caddy" | ||||
| ab -c 100 -n 10000  http://127.0.0.1:8100/index.html | ||||
| 
 | ||||
| 
 | ||||
| # echo "----------------------------" | ||||
| # echo "Benchmark on rpxy" | ||||
| # #wrk -t8 -c100 -d30s http://127.0.0.1:8080/index.html | ||||
| # rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8080 --pct | ||||
| # ab -c 100 -n 10000 http://127.0.0.1:8080/index.html | ||||
| 
 | ||||
| # echo "----------------------------" | ||||
| # echo "Benchmark on nginx" | ||||
| # # wrk -t8 -c100 -d30s http://127.0.0.1:8090/index.html | ||||
| # rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8090 --pct | ||||
| # ab -c 100 -n 10000  http://127.0.0.1:8090/index.html | ||||
| 
 | ||||
| # echo "----------------------------" | ||||
| # echo "Benchmark on caddy" | ||||
| # # wrk -t8 -c100 -d30s http://127.0.0.1:8100/index.html | ||||
| # rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8100 --pct | ||||
| # ab -c 100 -n 10000  http://127.0.0.1:8100/index.html | ||||
| 
 | ||||
| 
 | ||||
| echo "----------------------------" | ||||
| echo "Benchmark on rpxy" | ||||
| #wrk -t8 -c100 -d30s http://127.0.0.1:8080/index.html | ||||
| rewrk -c 256 -t 8 -d 15s -h http://localhost:8080 --pct | ||||
| 
 | ||||
| echo "----------------------------" | ||||
| echo "Benchmark on nginx" | ||||
| # wrk -t8 -c100 -d30s http://127.0.0.1:8090/index.html | ||||
| rewrk -c 256 -t 8 -d 15s -h http://localhost:8090 --pct | ||||
| 
 | ||||
| echo "----------------------------" | ||||
| echo "Benchmark on caddy" | ||||
| # wrk -t8 -c100 -d30s http://127.0.0.1:8100/index.html | ||||
| rewrk -c 256 -t 8 -d 15s -h http://localhost:8100 --pct | ||||
|  |  | |||
|  | @ -5,12 +5,12 @@ services: | |||
|     container_name: backend-nginx | ||||
|     restart: unless-stopped | ||||
|     environment: | ||||
|       - VIRTUAL_HOST="127.0.0.1" | ||||
|       - VIRTUAL_HOST=localhost | ||||
|       - VIRTUAL_PORT=80 | ||||
|     expose: | ||||
|       - 80 | ||||
|     ports: | ||||
|       - 127.0.0.1:8888:80 | ||||
|     # ports: | ||||
|       # - 127.0.0.1:8888:80 | ||||
|     logging: | ||||
|       options: | ||||
|         max-size: "10m" | ||||
|  | @ -45,6 +45,8 @@ services: | |||
|     tty: false | ||||
|     privileged: true | ||||
|     volumes: | ||||
|       - ./nginx_data/vhost:/etc/nginx/vhost.d | ||||
|       - ./nginx_data/conf:/etc/nginx/conf.d/ | ||||
|       - /var/run/docker.sock:/tmp/docker.sock:ro | ||||
|     logging: | ||||
|       options: | ||||
|  |  | |||
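--- /dev/null
+++ b/bench/nginx_data/conf/default.conf
@@ -0,0 +1,74 @@
+# nginx-proxy version : 1.0.1-6-gc4ad18f
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+# Default dhparam
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
+map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent" '
+                 '"$upstream_addr"';
+access_log off;
+		ssl_protocols TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+		ssl_prefer_server_ciphers off;
+error_log /dev/stderr;
+resolver 127.0.0.11;
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+proxy_set_header X-Original-URI $request_uri;
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	server_tokens off;
+	listen 80;
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+}
+	# localhost
+upstream localhost {
+        ## Can be connected with "bench-nw" network
+        # backend-nginx
+        server 192.168.100.100:80;
+}
+server {
+	server_name localhost;
+	listen 80 ;
+	access_log /var/log/nginx/access.log vhost;
+	location / {
+		proxy_pass http://localhost;
+}
+}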
|  | @ -1,6 +1,6 @@ | |||
| listen_port = 8080 | ||||
| # listen_port_tls = 8443 | ||||
| listen_ipv6 = false | ||||
| # listen_ipv6 = true | ||||
| 
 | ||||
| max_concurrent_streams = 128 | ||||
| max_clients = 512 | ||||
|  | @ -14,11 +14,7 @@ server_name = 'localhost' | |||
| reverse_proxy = [ | ||||
|   # default destination if path is not specified | ||||
|   # Array for load balancing | ||||
|   { upstream = [ | ||||
|     { location = 'backend-nginx', tls = false, upstream_options = [ | ||||
|       # "override_host", | ||||
|     ] }, | ||||
|   ] }, | ||||
|   { upstream = [{ location = 'backend-nginx', tls = false }] }, | ||||
|   # { upstream = [{ location = '192.168.100.100', tls = false }] }, | ||||
| ] | ||||
| 
 | ||||
|  |  | |||
|  | @ -45,6 +45,7 @@ reverse_proxy = [ | |||
|     { location = 'www.bing.co.jp', tls = true }, | ||||
|   ], upstream_options = [ | ||||
|     "override_host", | ||||
|     "upgrade_insecure_requests", | ||||
|   ] }, | ||||
| ] | ||||
| # Optional: TLS setting. if https_port is specified and tls is true above, this must be given. | ||||
|  |  | |||
|  | @ -3,6 +3,7 @@ use crate::error::*; | |||
| #[derive(Debug, Clone, Hash, Eq, PartialEq)] | ||||
| pub enum UpstreamOption { | ||||
|   OverrideHost, | ||||
|   UpgradeInsecureRequests, | ||||
|   // TODO: Adds more options for heder override
 | ||||
| } | ||||
| impl TryFrom<&str> for UpstreamOption { | ||||
|  | @ -10,6 +11,7 @@ impl TryFrom<&str> for UpstreamOption { | |||
|   fn try_from(val: &str) -> Result<Self> { | ||||
|     match val { | ||||
|       "override_host" => Ok(Self::OverrideHost), | ||||
|       "upgrade_insecure_requests" => Ok(Self::UpgradeInsecureRequests), | ||||
|       _ => Err(anyhow!("Unsupported header option")), | ||||
|     } | ||||
|   } | ||||
|  |  | |||
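Review bot: The new `UpgradeInsecureRequests` variant in the first hunk has no doc comment, and the enum's only comment is the `// TODO` placeholder, so a reader of this parser cannot tell what the option does to a forwarded request without locating `apply_upstream_options_to_header`. Suggest `/// Adds "Upgrade-Insecure-Requests: 1" to the forwarded request if the header is absent.` above the variant, and a one-line comment of the same content next to `"upgrade_insecure_requests",` in the config example earlier in this commit. The `"upgrade_insecure_requests"` arm in the second hunk is consistent with the existing `"override_host"` spelling; the `TryFrom` impl continues outside the hunk.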
|  | @ -92,7 +92,7 @@ where | |||
|       return http_error(StatusCode::SERVICE_UNAVAILABLE); | ||||
|     }; | ||||
|     // debug!("Request to be forwarded: {:?}", req_forwarded);
 | ||||
|     req_forwarded.log(&client_addr, Some("Forwarding")); | ||||
|     req_forwarded.log(&client_addr, Some("(Forwarding)")); | ||||
| 
 | ||||
|     // Forward request to
 | ||||
|     let mut res_backend = match self.forwarder.request(req_forwarded).await { | ||||
|  |  | |||
|  | @ -16,13 +16,21 @@ pub(super) fn apply_upstream_options_to_header( | |||
|   upstream: &Upstream, | ||||
| ) -> Result<()> { | ||||
|   for opt in upstream.opts.iter() { | ||||
|     println!("{:?}", opt); | ||||
|     match opt { | ||||
|       UpstreamOption::OverrideHost => { | ||||
|         // overwrite HOST value with upstream hostname (like 192.168.xx.x seen from rpxy)
 | ||||
|         let upstream_host = upstream_scheme_host.host().ok_or_else(|| anyhow!("none"))?; | ||||
|         headers | ||||
|           .insert(header::HOST, HeaderValue::from_str(upstream_host)?) | ||||
|           .ok_or_else(|| anyhow!("none"))?; | ||||
|       } | ||||
|       UpstreamOption::UpgradeInsecureRequests => { | ||||
|         // add upgrade-insecure-requests in request header if not exist
 | ||||
|         headers | ||||
|           .entry(header::UPGRADE_INSECURE_REQUESTS) | ||||
|           .or_insert(HeaderValue::from_bytes(&[b'1']).unwrap()); | ||||
|       } | ||||
|     } | ||||
|   } | ||||
| 
 | ||||
|  |  | |||
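Review bot: `println!("{:?}", opt);` at the top of the loop is a leftover debug print that now runs on every forwarded request for every configured option, writing to stdout and bypassing whatever logger the crate uses; remove it, or use a trace-level log macro if one is in scope here. In the new `UpgradeInsecureRequests` arm, `HeaderValue::from_bytes(&[b'1']).unwrap()` can be `HeaderValue::from_static("1")`, which is infallible and drops the `unwrap`. The `entry(...).or_insert(...)` keeps a client-supplied value untouched, which matches the "if not exist" comment, so the comment could say so explicitly. Not part of this change but visible in the hunk: `headers.insert(header::HOST, ...).ok_or_else(...)?` errors when no Host header was present before, since `HeaderMap::insert` returns the previous value, which looks like a separate bug. The signature of `apply_upstream_options_to_header` begins, and its return ends, outside the hunk.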
	 Jun Kurihara
				Jun Kurihara