Enable HTTP additional sockets
This commit attempts to add the concept of an SSL detector from beast,
and add the capability into bmcweb. This allows directing multiple
socket files to the bmcweb instance, and bmcweb will automatically sort
out whether or not they're SSL, and give the correct response. This
allows users to plug in erroneous urls like "https://mybmc:80" and they
will forward and work correctly.
Some key design points:
The HTTP side of bmcweb implements the exact same http headers as the
HTTPS side, with the exception of HSTS, which is explicitly disallowed.
This is for consistency and security.
The above allows bmcweb builds to "select" the appropriate security
posture (http, https, or both) for a given channel using the
FileDescriptorName field within a socket file. Items ending in:
both: Will support both HTTPS and HTTP redirect to HTTPS
https: Will support HTTPS only
http: will support HTTP only
Given the flexibility in bind statements, this allows administrators to
support essentially any security posture they like. The openbmc
defaults are:
HTTPS + Redirect on both ports 443 and port 80 if http-redirect is
enabled
And HTTPS only if http-redirect is disabled.
This commit adds the following meson options that each take an array of
strings, indexex on the port.
additional-ports
Adds additional ports that bmcweb should listen to. This is always
required when adding new ports.
additional-protocol
Specifies 'http', 'https', or 'both' for whether or not tls is enfoced
on this socket. 'both' allows bmcweb to detect whether a user has
specified tls or not on a given connection and give the correct
response.
additional-bind-to-device
Accepts values that fill the SO_BINDTODEVICE flag in systemd/linux,
and allows binding to a specific device
additional-auth
Accepts values of 'auth' or 'noauth' that determines whether this
socket should apply the normal authentication routines, or treat the
socket as unauthenticated.
Tested:
Previous commits ran the below tests.
Ran the server with options enabled. Tried:
```
curl -vvvv --insecure --user root:0penBmc http://192.168.7.2/redfish/v1/Managers/bmc
* Trying 192.168.7.2:80...
* Connected to 192.168.7.2 (192.168.7.2) port 80 (#0)
* Server auth using Basic with user 'root'
> GET /redfish/v1/Managers/bmc HTTP/1.1
> Host: 192.168.7.2
> Authorization: Basic cm9vdDowcGVuQm1j
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.7.2
< X-Frame-Options: DENY
< Pragma: no-cache
< Cache-Control: no-Store,no-Cache
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
< Date: Fri, 08 Jan 2021 01:43:49 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0
```
Observe above:
webserver returned 301 redirect.
webserver returned the appropriate security headers
webserver immediately closed the connection.
The same test above over https:// returns the values as expected
Loaded the webui to test static file hosting. Webui logs in and works
as expected.
Used the scripts/websocket_test.py to verify that websockets work.
Sensors report as expected.
Change-Id: Ib5733bbe5473fed6e0e27c56cdead0bffedf2993
Signed-off-by: Ed Tanous <ed@tanous.net>
diff --git a/meson.options b/meson.options
index ab69e08..551f4f2 100644
--- a/meson.options
+++ b/meson.options
@@ -351,16 +351,65 @@
)
-# BMCWEB_HTTPS_PORT
option(
'https_port',
type: 'integer',
- min: 1,
+ min: -1,
max: 65535,
value: 443,
- description: 'HTTPS Port number.',
+ description: '''HTTPS default port number. Set to -1 to disable and rely
+ only on additional_ports''',
)
+
+# Additional ports
+# This series of options below allows setting up non-trivial deployments of
+# bmcweb, binding specific ports, authentication profiles, and device binds to
+# multiple ports.
+# Setting these options incorrectly can have severe security consequences and
+# should be reserved for platform experts familiar with their particular
+# platforms security requirements.
+
+option(
+ 'additional-ports',
+ type: 'array',
+ value: [],
+ description: '''Additional ports to listen to. Allows bmcweb to listen to
+ multiple ports at a given protocol''',
+)
+
+option(
+ 'additional-protocol',
+ type: 'array',
+ value: [],
+ description: '''Allows specifying a specific protocol type for a given
+ additional-ports index. Allows setting http, https, or both
+ to each socket index. If not provided for a given
+ additional-ports index, assumes https.''',
+)
+
+option(
+ 'additional-bind-to-device',
+ type: 'array',
+ value: [],
+ description: '''Allows specifying an SO_BINDTODEVICE or BindToDevice systemd
+ directive for each additional socket file. If not provided
+ for a given additional-ports index, assumes bind to all
+ devices''',
+)
+
+option(
+ 'additional-auth',
+ type: 'array',
+ value: [],
+ description: '''Allows specifying an authentication profile for each socket
+ created with additional-ports. Allows auth or noauth, and
+ defaults to auth if not provided. If noauth is provided,
+ authentication will not be performed for a given socket/port
+ index.''',
+)
+# end additional ports
+
# BMCWEB_DNS_RESOLVER
option(
'dns-resolver',