From: Casey Bodley
Date: Mon, 22 Oct 2018 18:13:21 +0000 (-0400)
Subject: rgw: add helper function rgw_transport_is_secure()
X-Git-Tag: 3.2-0~102^2~2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=73d355fc515799e73f38a307b394d02c85eb9670;p=ceph-ci.git

rgw: add helper function rgw_transport_is_secure()

Signed-off-by: Casey Bodley
---

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 4ce812f1397..466fa42c135 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1044,6 +1044,31 @@ string RGWHTTPArgs::sys_get(const string& name, bool * const exists) const
 return e ? iter->second : string();
 }
+bool rgw_transport_is_secure(CephContext *cct, const RGWEnv& env)
+{
+ const auto& m = env.get_map();
+ // frontend connected with ssl
+ if (m.count("SERVER_PORT_SECURE")) {
+ return true;
+ }
+ // ignore proxy headers unless explicitly enabled
+ if (!cct->_conf->rgw_trust_forwarded_https) {
+ return false;
+ }
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+ // Forwarded: by=; for=; host=; proto=
+ auto i = m.find("HTTP_FORWARDED");
+ if (i != m.end() && i->second.find("proto=https") != std::string::npos) {
+ return true;
+ }
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
+ i = m.find("HTTP_X_FORWARDED_PROTO");
+ if (i != m.end() && i->second == "https") {
+ return true;
+ }
+ return false;
+}
+
 namespace {
 Effect eval_or_pass(const boost::optional& policy,
 const rgw::IAM::Environment& env,
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 10c41370c92..0fcdca142c9 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -437,6 +437,10 @@ public:
 }
 };
+// return true if the connection is secure. this either means that the
+// connection arrived via ssl, or was forwarded as https by a trusted proxy
+bool rgw_transport_is_secure(CephContext *cct, const RGWEnv& env);
+
 enum http_op {
 OP_GET,
 OP_PUT,
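Review bot: The `Forwarded` check in `rgw_transport_is_secure()`, `i->second.find("proto=https") != std::string::npos`, is a case-sensitive substring search over the whole header value, so it also matches text inside another parameter or inside an element supplied by an earlier hop, and it misses the valid forms `Proto=HTTPS` and `proto="https"`. If the proxy appends to the header instead of replacing it, a request that reached the proxy over plain http can still be reported as secure, which matters if callers base transport-related access decisions on this result (the callers are not visible in this diff). I would look only at the last comma-separated element, the one the trusted proxy itself added, and compare the `proto` pair as a whole token, case-insensitively; the same last-element rule would suit `X-Forwarded-Proto`. The sketch below assumes the boost string algorithms are already available in this file and does not handle commas inside quoted values.

```cpp
// true if the last element of a Forwarded header (the one added by the
// nearest proxy) carries proto=https
static bool forwarded_proto_is_https(const std::string& value)
{
  const auto comma = value.rfind(',');
  const std::string elem =
      (comma == std::string::npos) ? value : value.substr(comma + 1);
  size_t pos = 0;
  while (pos < elem.size()) {
    auto end = elem.find(';', pos);
    if (end == std::string::npos) {
      end = elem.size();
    }
    std::string kv = elem.substr(pos, end - pos);
    boost::algorithm::erase_all(kv, "\"");  // accept proto="https"
    boost::algorithm::trim(kv);
    if (boost::algorithm::iequals(kv, "proto=https")) {
      return true;
    }
    pos = end + 1;
  }
  return false;
}

// … unchanged: SERVER_PORT_SECURE and rgw_trust_forwarded_https checks …
  auto i = m.find("HTTP_FORWARDED");
  if (i != m.end() && forwarded_proto_is_https(i->second)) {
    return true;
  }
// … unchanged: X-Forwarded-Proto check and final return …
```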
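Review bot: The comment above the `rgw_transport_is_secure()` declaration says "trusted proxy" without naming what establishes that trust. Going by the implementation hunk in rgw_common.cc, the forwarded headers are consulted only when `rgw_trust_forwarded_https` is set, and the function then accepts whatever `Forwarded` / `X-Forwarded-Proto` value reaches it. I would extend the comment with something like `// proxy headers are honoured only when rgw_trust_forwarded_https is enabled; the proxy must overwrite any client-supplied Forwarded / X-Forwarded-Proto`, so operators know the option is only safe behind a proxy that does this.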