update code and add document

2024-11-22 15:42:02 +00:00 · 2021-09-29 17:27:36 +08:00 · 2021-09-29 17:27:36 +08:00 · bd78af435d
commit bd78af435d
parent c298fba774
8 changed files with 50 additions and 13 deletions
--- a/docs/en/operations/server-configuration-parameters/settings.md
+++ b/docs/en/operations/server-configuration-parameters/settings.md
@ -365,6 +365,15 @@ Opens `https://tabix.io/` when accessing `http://localhost: http_port`.
 <http_server_default_response>
  <![CDATA[<html ng-app="SMI2"><head><base href="http://ui.tabix.io/"></head><body><div ui-view="" class="content-ui"></div><script src="http://loader.tabix.io/master.js"></script></body></html>]]>
 </http_server_default_response>
+```  
+## hsts_max_age  
+  
+Expired time for HSTS in seconds. The default value is 0 means clickhouse disabled HSTS. If you set a positive number, the HSTS will be enabled and the max-age is the number you set.  
+  
+**Example**  
+
+```xml
+<hsts_max_age>600000</hsts_max_age>
 ```

 ## include_from {#server_configuration_parameters-include_from}
--- a/src/Server/HTTP/HTTPServerRequest.cpp
+++ b/src/Server/HTTP/HTTPServerRequest.cpp
@ -26,6 +26,7 @@ HTTPServerRequest::HTTPServerRequest(ContextPtr context, HTTPServerResponse & re
    /// Now that we know socket is still connected, obtain addresses
    client_address = session.clientAddress();
    server_address = session.serverAddress();
+    secure = session.socket().secure();

    auto receive_timeout = context->getSettingsRef().http_receive_timeout;
    auto send_timeout = context->getSettingsRef().http_send_timeout;
--- a/src/Server/HTTP/HTTPServerRequest.h
+++ b/src/Server/HTTP/HTTPServerRequest.h
@ -30,6 +30,8 @@ public:

    bool checkPeerConnected() const;

+    bool isSecure() const { return secure; }
+
    /// Returns the client's address.
    const Poco::Net::SocketAddress & clientAddress() const { return client_address; }

@ -54,6 +56,8 @@ private:
    Poco::Net::SocketAddress client_address;
    Poco::Net::SocketAddress server_address;

+    bool secure;
+
    void readRequest(ReadBuffer & in);
 };

--- a/src/Server/HTTPHandler.cpp
+++ b/src/Server/HTTPHandler.cpp
@ -834,12 +834,20 @@ void HTTPHandler::trySendExceptionToClient(
 void HTTPHandler::handleRequest(HTTPServerRequest & request, HTTPServerResponse & response)
 {
    setThreadName("HTTPHandler");
+
+    if (request.isSecure())
+    {
+        size_t hsts_max_age = server.config().getUInt64("hsts_max_age", 0);
+
+        if (hsts_max_age > 0)
+            response.add("Strict-Transport-Security", "max-age=" + std::to_string(hsts_max_age));
+    }
+
    ThreadStatus thread_status;

    session = std::make_unique<Session>(server.context(), ClientInfo::Interface::HTTP);
    SCOPE_EXIT({ session.reset(); });
    std::optional<CurrentThread::QueryScope> query_scope;
-
    Output used_output;

    /// In case of exception, send stack trace to client.
--- a/src/Server/InterserverIOHTTPHandler.cpp
+++ b/src/Server/InterserverIOHTTPHandler.cpp
@ -81,6 +81,14 @@ void InterserverIOHTTPHandler::handleRequest(HTTPServerRequest & request, HTTPSe
 {
    setThreadName("IntersrvHandler");

+    if (request.isSecure())
+    {
+        size_t hsts_max_age = server.config().getUInt64("hsts_max_age", 0);
+
+        if (hsts_max_age > 0)
+            response.add("Strict-Transport-Security", "max-age=" + std::to_string(hsts_max_age));
+    }
+
    /// In order to work keep-alive.
    if (request.getVersion() == HTTPServerRequest::HTTP_1_1)
        response.setChunkedTransferEncoding(true);
--- a/src/Server/PrometheusRequestHandler.cpp
+++ b/src/Server/PrometheusRequestHandler.cpp
@ -20,6 +20,14 @@ void PrometheusRequestHandler::handleRequest(HTTPServerRequest & request, HTTPSe
        const auto & config = server.config();
        unsigned keep_alive_timeout = config.getUInt("keep_alive_timeout", 10);

+        if (request.isSecure())
+        {
+            size_t hsts_max_age = config.getUInt64("hsts_max_age", 0);
+
+            if (hsts_max_age > 0)
+                response.add("Strict-Transport-Security", "max-age=" + std::to_string(hsts_max_age));
+        }
+
        setResponseDefaultHeaders(response, keep_alive_timeout);

        response.setContentType("text/plain; version=0.0.4; charset=UTF-8");
--- a/src/Server/StaticRequestHandler.cpp
+++ b/src/Server/StaticRequestHandler.cpp
@ -101,17 +101,7 @@ static inline void trySendExceptionToClient(

 void StaticRequestHandler::handleRequest(HTTPServerRequest & request, HTTPServerResponse & response)
 {
-    const auto & config = server.config();
-    auto keep_alive_timeout = config.getUInt("keep_alive_timeout", 10);
-    size_t hsts_max_age = config.getUInt64("hsts_max_age", 0);
-
-    if (hsts_max_age > 0)
-    {
-        std::stringstream ss;
-        ss << "max-age=" << hsts_max_age;
-        response.add("Strict-Transport-Security", ss.str());
-    }
-
+    auto keep_alive_timeout = server.config().getUInt("keep_alive_timeout", 10);
    const auto & out = responseWriteBuffer(request, response, keep_alive_timeout);

    try
--- a/src/Server/WebUIRequestHandler.cpp
+++ b/src/Server/WebUIRequestHandler.cpp
@ -20,7 +20,16 @@ WebUIRequestHandler::WebUIRequestHandler(IServer & server_, std::string resource

 void WebUIRequestHandler::handleRequest(HTTPServerRequest & request, HTTPServerResponse & response)
 {
-    auto keep_alive_timeout = server.config().getUInt("keep_alive_timeout", 10);
+    auto & config = server.config();
+    auto keep_alive_timeout = config.getUInt("keep_alive_timeout", 10);
+
+    if (request.isSecure())
+    {
+        size_t hsts_max_age = server.config().getUInt64("hsts_max_age", 0);
+
+        if (hsts_max_age > 0)
+            response.add("Strict-Transport-Security", "max-age=" + std::to_string(hsts_max_age));
+    }

    response.setContentType("text/html; charset=UTF-8");