update code and add document

docs/en/operations/server-configuration-parameters/settings.md

@@ -365,6 +365,15 @@ Opens `https://tabix.io/` when accessing `http://localhost: http_port`.
 <http_server_default_response>
   <![CDATA[<html ng-app="SMI2"><head><base href="http://ui.tabix.io/"></head><body><div ui-view="" class="content-ui"></div><script src="http://loader.tabix.io/master.js"></script></body></html>]]>
 </http_server_default_response>
+```  
+## hsts_max_age  
+  
+Expired time for HSTS in seconds. The default value is 0 means clickhouse disabled HSTS. If you set a positive number, the HSTS will be enabled and the max-age is the number you set.  
+  
+**Example**  
+
+```xml
+<hsts_max_age>600000</hsts_max_age>
 ```
 
 ## include_from {#server_configuration_parameters-include_from}

src/Server/HTTP/HTTPServerRequest.cpp

@@ -26,6 +26,7 @@ HTTPServerRequest::HTTPServerRequest(ContextPtr context, HTTPServerResponse & re
     /// Now that we know socket is still connected, obtain addresses
     client_address = session.clientAddress();
     server_address = session.serverAddress();
+    secure = session.socket().secure();
 
     auto receive_timeout = context->getSettingsRef().http_receive_timeout;
     auto send_timeout = context->getSettingsRef().http_send_timeout;

src/Server/HTTP/HTTPServerRequest.h

@@ -30,6 +30,8 @@ public:
 
     bool checkPeerConnected() const;
 
+    bool isSecure() const { return secure; }
+
     /// Returns the client's address.
     const Poco::Net::SocketAddress & clientAddress() const { return client_address; }
 
@@ -54,6 +56,8 @@ private:
     Poco::Net::SocketAddress client_address;
     Poco::Net::SocketAddress server_address;
 
+    bool secure;
+
     void readRequest(ReadBuffer & in);
 };
 

src/Server/HTTPHandler.cpp

@@ -834,12 +834,20 @@ void HTTPHandler::trySendExceptionToClient(
 void HTTPHandler::handleRequest(HTTPServerRequest & request, HTTPServerResponse & response)
 {
     setThreadName("HTTPHandler");
+
+    if (request.isSecure())
+    {
+        size_t hsts_max_age = server.config().getUInt64("hsts_max_age", 0);
+
+        if (hsts_max_age > 0)
+            response.add("Strict-Transport-Security", "max-age=" + std::to_string(hsts_max_age));
+    }
+
     ThreadStatus thread_status;
 
     session = std::make_unique<Session>(server.context(), ClientInfo::Interface::HTTP);
     SCOPE_EXIT({ session.reset(); });
     std::optional<CurrentThread::QueryScope> query_scope;
-
     Output used_output;
 
     /// In case of exception, send stack trace to client.

src/Server/InterserverIOHTTPHandler.cpp

@@ -81,6 +81,14 @@ void InterserverIOHTTPHandler::handleRequest(HTTPServerRequest & request, HTTPSe
 {
     setThreadName("IntersrvHandler");
 
+    if (request.isSecure())
+    {
+        size_t hsts_max_age = server.config().getUInt64("hsts_max_age", 0);
+
+        if (hsts_max_age > 0)
+            response.add("Strict-Transport-Security", "max-age=" + std::to_string(hsts_max_age));
+    }
+
     /// In order to work keep-alive.
     if (request.getVersion() == HTTPServerRequest::HTTP_1_1)
         response.setChunkedTransferEncoding(true);

src/Server/PrometheusRequestHandler.cpp

@@ -20,6 +20,14 @@ void PrometheusRequestHandler::handleRequest(HTTPServerRequest & request, HTTPSe
         const auto & config = server.config();
         unsigned keep_alive_timeout = config.getUInt("keep_alive_timeout", 10);
 
+        if (request.isSecure())
+        {
+            size_t hsts_max_age = config.getUInt64("hsts_max_age", 0);
+
+            if (hsts_max_age > 0)
+                response.add("Strict-Transport-Security", "max-age=" + std::to_string(hsts_max_age));
+        }
+
         setResponseDefaultHeaders(response, keep_alive_timeout);
 
         response.setContentType("text/plain; version=0.0.4; charset=UTF-8");

src/Server/StaticRequestHandler.cpp

@@ -101,17 +101,7 @@ static inline void trySendExceptionToClient(
 
 void StaticRequestHandler::handleRequest(HTTPServerRequest & request, HTTPServerResponse & response)
 {
-    const auto & config = server.config();
+    auto keep_alive_timeout = server.config().getUInt("keep_alive_timeout", 10);
-    auto keep_alive_timeout = config.getUInt("keep_alive_timeout", 10);
-    size_t hsts_max_age = config.getUInt64("hsts_max_age", 0);
-
-    if (hsts_max_age > 0)
-    {
-        std::stringstream ss;
-        ss << "max-age=" << hsts_max_age;
-        response.add("Strict-Transport-Security", ss.str());
-    }
-
     const auto & out = responseWriteBuffer(request, response, keep_alive_timeout);
 
     try

src/Server/WebUIRequestHandler.cpp

@@ -20,7 +20,16 @@ WebUIRequestHandler::WebUIRequestHandler(IServer & server_, std::string resource
 
 void WebUIRequestHandler::handleRequest(HTTPServerRequest & request, HTTPServerResponse & response)
 {
-    auto keep_alive_timeout = server.config().getUInt("keep_alive_timeout", 10);
+    auto & config = server.config();
+    auto keep_alive_timeout = config.getUInt("keep_alive_timeout", 10);
+
+    if (request.isSecure())
+    {
+        size_t hsts_max_age = server.config().getUInt64("hsts_max_age", 0);
+
+        if (hsts_max_age > 0)
+            response.add("Strict-Transport-Security", "max-age=" + std::to_string(hsts_max_age));
+    }
 
     response.setContentType("text/html; charset=UTF-8");