tempesta-tech
diff --git a/‎fw/http.c‎
Lines changed: 39 additions & 27 deletions b/‎fw/http.c‎
Lines changed: 39 additions & 27 deletions
diff --git a/‎fw/http.h‎
Lines changed: 2 additions & 0 deletions b/‎fw/http.h‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎fw/http_match.c‎
Lines changed: 4 additions & 1 deletion b/‎fw/http_match.c‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎fw/http_match.h‎
Lines changed: 1 addition & 0 deletions b/‎fw/http_match.h‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎fw/http_sess.c‎
Lines changed: 53 additions & 26 deletions b/‎fw/http_sess.c‎
Lines changed: 53 additions & 26 deletions
@@ -150,6 +150,7 @@ static struct {
  * here, because it refers to HTTP layer.
  */
 unsigned int max_header_list_size = 0;
+bool is_jsch_global = true;
 
 #define S_CRLFCRLF		"\r\n\r\n"
 #define S_HTTP			"http://"
@@ -6034,6 +6035,15 @@ tfw_http_req_process(TfwConn *conn, TfwStream *stream, struct sk_buff *skb,
 				"request has been filtered out via http table",
 				HTTP2_ECODE_PROTO);
 	}
+	if (res.type == TFW_HTTP_RES_JSCH) {
+		req->need_jsch = true;
+		req->vhost = res.vhost;
+		pr_notice("req->need_jsch = true\n");
+	}
+	else {
+		req->need_jsch = is_jsch_global;
+		pr_notice("req->need_jsch = false\n");
+	}
 	if (res.type == TFW_HTTP_RES_VHOST) {
 		req->vhost = res.vhost;
 	}
@@ -6139,37 +6149,39 @@ tfw_http_req_process(TfwConn *conn, TfwStream *stream, struct sk_buff *skb,
 	 * to GET. We should send js challenge to the client because the real
 	 * method, expected by the client is GET.
 	 */
-	switch (tfw_http_sess_obtain(req)) {
-	case TFW_HTTP_SESS_SUCCESS:
-		break;
+	if (req->need_jsch) {
+		switch (tfw_http_sess_obtain(req)) {
+		case TFW_HTTP_SESS_SUCCESS:
+			break;
 
-	case TFW_HTTP_SESS_REDIRECT_NEED:
-		/* Response is built and stored in @req->resp. */
-		break;
+		case TFW_HTTP_SESS_REDIRECT_NEED:
+			/* Response is built and stored in @req->resp. */
+			break;
 
-	case TFW_HTTP_SESS_VIOLATE:
-		TFW_INC_STAT_BH(clnt.msgs_filtout);
-		return tfw_http_req_parse_block(req, 403, NULL,
-						HTTP2_ECODE_PROTO);
+		case TFW_HTTP_SESS_VIOLATE:
+			TFW_INC_STAT_BH(clnt.msgs_filtout);
+			return tfw_http_req_parse_block(req, 403, NULL,
+							HTTP2_ECODE_PROTO);
 
-	case TFW_HTTP_SESS_JS_NOT_SUPPORTED:
-		/*
-		 * Requested resource can't be challenged, try service it
-		 * from cache.
-		 */
-		T_DBG("Can't send JS challenge for request since a "
-		      "non-challengeable resource (e.g. image) was requested");
-		__set_bit(TFW_HTTP_B_JS_NOT_SUPPORTED, req->flags);
-		break;
+		case TFW_HTTP_SESS_JS_NOT_SUPPORTED:
+			/*
+			 * Requested resource can't be challenged, try service it
+			 * from cache.
+			 */
+			T_DBG("Can't send JS challenge for request since a "
+			      "non-challengeable resource (e.g. image) was requested");
+			__set_bit(TFW_HTTP_B_JS_NOT_SUPPORTED, req->flags);
+			break;
 
-	case TFW_HTTP_SESS_FAILURE:
-		TFW_INC_STAT_BH(clnt.msgs_otherr);
-		return tfw_http_req_parse_drop_with_fin(req, 500,
-				"request dropped: internal error"
-				" in Sticky module",
-				HTTP2_ECODE_PROTO);
-	default:
-		BUG();
+		case TFW_HTTP_SESS_FAILURE:
+			TFW_INC_STAT_BH(clnt.msgs_otherr);
+			return tfw_http_req_parse_drop_with_fin(req, 500,
+					"request dropped: internal error"
+					" in Sticky module",
+					HTTP2_ECODE_PROTO);
+		default:
+			BUG();
+		}
 	}
 
 	if (TFW_MSG_H2(req))
 
@@ -400,6 +400,7 @@ struct tfw_http_req_t {
 	unsigned char		method_override;
 	unsigned int		header_list_sz;
 	unsigned int		headers_cnt;
+	bool			need_jsch;
 };
 
 #define TFW_IDX_BITS		24
@@ -722,6 +723,7 @@ typedef void (*tfw_http_cache_cb_t)(TfwHttpMsg *);
 	(TFW_MSG_H2(hmmsg) ? HTTP2_EXTRA_HDR_OVERHEAD : 0)
 
 extern unsigned int max_header_list_size;
+extern bool is_jsch_global;
 
 /* External HTTP functions. */
 int tfw_http_msg_process(TfwConn *conn, struct sk_buff *skb,
 
@@ -483,6 +483,9 @@ do_eval(TfwHttpReq *req, const TfwHttpMatchRule *rule)
 	match_fn match_fn;
 	tfw_http_match_fld_t field;
 
+	pr_notice("rule: %p, field: %#x, op: %#x, arg:%d:%d'%.*s'\n",
+	       rule, rule->field, rule->op, rule->arg.type, rule->arg.len,
+	       rule->arg.len, rule->arg.str);
 	T_DBG2("rule: %p, field: %#x, op: %#x, arg:%d:%d'%.*s'\n",
 	       rule, rule->field, rule->op, rule->arg.type, rule->arg.len,
 	       rule->arg.len, rule->arg.str);
@@ -558,7 +561,7 @@ TfwHttpMatchRule *
 tfw_http_match_req(TfwHttpReq *req, struct list_head *mlst)
 {
 	TfwHttpMatchRule *rule;
-
+	pr_notice("Matching request: %p, list: %p\n", req, mlst);
 	T_DBG2("Matching request: %p, list: %p\n", req, mlst);
 
 	list_for_each_entry(rule, mlst, list) {
 
@@ -76,6 +76,7 @@ typedef enum {
 	TFW_HTTP_MATCH_ACT_BLOCK,
 	TFW_HTTP_MATCH_ACT_FLAG,
 	TFW_HTTP_MATCH_ACT_CACHE_TTL,
+	TFW_HTTP_MATCH_ACT_JSCH,
 	_TFW_HTTP_MATCH_ACT_COUNT
 } tfw_http_rule_act_t;
 
 
@@ -207,6 +207,7 @@ tfw_http_sticky_get_req(TfwHttpReq *req, TfwStr *cookie_val)
 	TfwStr *hdr, *end, *dup;
 	int r = 0;
 
+	pr_notice("tfw_http_sticky_get_req\n");
 	/*
 	 * Find a 'Cookie:' header field in the request. Then search for
 	 * Tempesta sticky cookie within the field. In HTTP/1.x requests
@@ -498,6 +499,7 @@ tfw_http_sticky_verify(TfwHttpReq *req, TfwStr *value, StickyVal *sv)
 	TfwStr *c, *end;
 	TfwStickyCookie *sticky = req->vhost->cookie;
 
+	pr_notice("tfw_http_sticky_verify\n");
 	T_DBG("Sticky cookie found: \"%.*s\" = \"%.*s\"%s\n",
 	      PR_TFW_STR(&sticky->name),
 	      TFW_STR_PLAIN(value) ?
@@ -508,8 +510,10 @@ tfw_http_sticky_verify(TfwHttpReq *req, TfwStr *value, StickyVal *sv)
 		      value->chunks->data,
 	      TFW_STR_PLAIN(value) ? "" : "<truncated>");
 
-	if (sticky->learn)
+	if (sticky->learn) {
+		pr_notice("sticky->learn\n");
 		return TFW_HTTP_SESS_SUCCESS;
+	}
 
 	if (value->len != sizeof(StickyVal) * 2) {
 		sess_warn("bad sticky cookie length", addr, " %lu(%lu)\n",
@@ -530,6 +534,11 @@ tfw_http_sticky_verify(TfwHttpReq *req, TfwStr *value, StickyVal *sv)
 		return r;
 
 	/* The cookie is valid but already expired, reject it. */
+	pr_notice("jiffies=%lu sv->ts=%lu sticky->sess_lifetime * HZ=%lu sticky->sess_lifetime=%i",
+		  jiffies,
+		  sv->ts,
+		  (unsigned long)sticky->sess_lifetime * HZ, sticky->sess_lifetime);
+
 	if (jiffies > sv->ts + (unsigned long)sticky->sess_lifetime * HZ) {
 		sess_warn("sticky cookie value expired", addr,
 			  " (issued=%lu lifetime=%lu now=%lu)\n", sv->ts,
@@ -539,6 +548,7 @@ tfw_http_sticky_verify(TfwHttpReq *req, TfwStr *value, StickyVal *sv)
 
 	/* Sticky cookie is found and verified, now we can set the flag. */
 	__set_bit(TFW_HTTP_B_HAS_STICKY, req->flags);
+	pr_notice("TFW_HTTP_B_HAS_STICKY\n");
 
 	return r;
 }
@@ -551,20 +561,25 @@ tfw_http_sticky_req_process(TfwHttpReq *req, StickyVal *sv, TfwStr *cookie_val)
 {
 	int r;
 
+	pr_notice("tfw_http_sticky_req_process\n");
 	/*
 	 * See if the Tempesta sticky cookie is present in the request,
 	 * and act depending on the result.
 	 */
 	r = tfw_http_sticky_get_req(req, cookie_val);
+
+	pr_notice("tfw_http_sticky_get_req result =%i\n", r);
 	if (r < 0)
 		return r;
 	if (r == 0) {
 		return !req->vhost->cookie->enforce ?
 			TFW_HTTP_SESS_SUCCESS : TFW_HTTP_SESS_COOKIE_NOT_FOUND;
 	}
 	if (r == 1) {
-		if ((r = tfw_http_sticky_verify(req, cookie_val, sv)))
+		if ((r = tfw_http_sticky_verify(req, cookie_val, sv))) {
+			pr_notice("tfw_http_sticky_verify result =%i\n", r);
 			return r;
+		}
 
 		return TFW_HTTP_SESS_SUCCESS;
 	}
@@ -590,17 +605,20 @@ tfw_http_sess_resp_process(TfwHttpResp *resp, bool cache,
 	{
 		return 0;
 	}
-	BUG_ON(!req->sess);
+	if (req->need_jsch) {
+		BUG_ON(!req->sess);
 
-	/*
-	 * RFC 6265 4.1.1 and 4.1.2 says that we should not set session cookie
-	 * if it's not necessary. Since client didn't send up the cookie and
-	 * it seems that we don't enforce them, we can just set the cookie in
-	 * each response forwarded to the client.
-	 */
-	if (test_bit(TFW_HTTP_B_HAS_STICKY, req->flags))
-		return 0;
-	return tfw_http_sticky_add(resp, cache, stream_id);
+		/*
+		 * RFC 6265 4.1.1 and 4.1.2 says that we should not set session cookie
+		 * if it's not necessary. Since client didn't send up the cookie and
+		 * it seems that we don't enforce them, we can just set the cookie in
+		 * each response forwarded to the client.
+		 */
+		if (test_bit(TFW_HTTP_B_HAS_STICKY, req->flags))
+			return 0;
+		return tfw_http_sticky_add(resp, cache, stream_id);
+	}
+	return 0;
 }
 
 /**
@@ -623,6 +641,7 @@ tfw_http_sess_unpin_srv(TfwHttpSess *sess)
 static inline void
 tfw_http_sess_set_expired(TfwHttpSess *sess)
 {
+	pr_notice("tfw_http_sess_set_expired\n");
 	atomic64_set(&sess->expires, 0);
 }
 
@@ -631,6 +650,7 @@ tfw_http_sess_prolong(TfwHttpSess *sess, TfwStickyCookie *sticky)
 {
 	if (!sticky->learn)
 		return;
+	pr_notice("tfw_http_sess_prolong\n");
 	atomic64_set(&sess->expires,
 		     jiffies + (unsigned long)sticky->sess_lifetime * HZ);
 }
@@ -668,6 +688,8 @@ tfw_http_sess_check_jsch(StickyVal *sv, TfwHttpReq* req)
 {
 	unsigned long min_time;
 	TfwCfgJsCh *js_ch = req->vhost->cookie->js_challenge;
+	if (!req->need_jsch)
+		return 0;
 
 	if (!js_ch)
 		return 0;
@@ -701,6 +723,7 @@ tfw_http_sess_eq(TdbRec *rec, void *data)
 	 * Expired  or invalid session is not usable, leave it for garbage
 	 * collector.
 	 */
+	pr_notice("tfw_http_sess_eq\n");
 	if (((unsigned long)atomic64_read(&sess->expires) < jiffies)
 	    || !sess->vhost)
 	{
@@ -793,6 +816,7 @@ tfw_sess_ent_init(TdbRec *rec, void *data)
 		sess->ts = ctx->sv.ts;
 	}
 
+	pr_notice("tfw_sess_ent_init\n");
 	atomic_set(&sess->users, 1);
 	atomic64_set(&sess->expires,
 		     sess->ts + (unsigned long)sticky->sess_lifetime * HZ);
@@ -825,6 +849,7 @@ tfw_http_sess_obtain(TfwHttpReq *req)
 	TdbRec *rec;
 	TdbGetAllocCtx tdb_ctx = { 0 };
 
+	pr_notice("tfw_http_sess_obtain\n");
 	/*
 	 * If vhost is not known, then request is to be dropped. Don't save the
 	 * session even if the client has passed a cookie challenge.
@@ -845,20 +870,22 @@ tfw_http_sess_obtain(TfwHttpReq *req)
 	 * We leave this for administrator decision or more progressive DDoS
 	 * mitigation techniques.
 	 */
-	r = tfw_http_sticky_req_process(req, sv, c_val);
-	switch (r) {
-	case TFW_HTTP_SESS_SUCCESS:
-		break;
-	case TFW_HTTP_SESS_FAILURE:
-		return r;
-	default:
-		/*
-		 * Any js challenge processing error: cookie not found
-		 * or invalid or request comes not in time. We increment
-		 * max_misses and restart js challenge.
-		 */
-		BUG_ON(r < __TFW_HTTP_SESS_PUB_CODE_MAX);
-		return tfw_http_sticky_challenge_start(req);
+	if (req->need_jsch) {
+		r = tfw_http_sticky_req_process(req, sv, c_val);
+		switch (r) {
+		case TFW_HTTP_SESS_SUCCESS:
+			break;
+		case TFW_HTTP_SESS_FAILURE:
+			return r;
+		default:
+			/*
+			 * Any js challenge processing error: cookie not found
+			 * or invalid or request comes not in time. We increment
+			 * max_misses and restart js challenge.
+			 */
+			BUG_ON(r < __TFW_HTTP_SESS_PUB_CODE_MAX);
+			return tfw_http_sticky_challenge_start(req);
+		}
 	}
 
 	if (req->vhost->cookie->learn) {