Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 796ba93b48f7866630a3c031fd6b01c118202953^! / . / src
commit796ba93b48f7866630a3c031fd6b01c118202953[log] [tgz]
authorEd Tanous <ed@tanous.net>Sun Aug 02 04:29:21 2020 +0000
committerEd Tanous <etanous@nvidia.com>Mon Feb 10 20:56:13 2025 +0000
treedf562a27c0196ec0a8b6106181da95752d7758d4
parentcd7dbb308f3e867e70a4e6de7880f889e8556eb7 [diff]
Enable HTTP additional sockets

This commit attempts to add the concept of an SSL detector from beast,
and add the capability into bmcweb.  This allows directing multiple
socket files to the bmcweb instance, and bmcweb will automatically sort
out whether or not they're SSL, and give the correct response.  This
allows users to plug in erroneous urls like "https://mybmc:80" and they
will forward and work correctly.

Some key design points:
The HTTP side of bmcweb implements the exact same http headers as the
HTTPS side, with the exception of HSTS, which is explicitly disallowed.
This is for consistency and security.

The above allows bmcweb builds to "select" the appropriate security
posture (http, https, or both) for a given channel using the
FileDescriptorName field within a socket file.  Items ending in:
both: Will support both HTTPS and HTTP redirect to HTTPS
https: Will support HTTPS only
http: will support HTTP only

Given the flexibility in bind statements, this allows administrators to
support essentially any security posture they like.  The openbmc
defaults are:
HTTPS + Redirect on both ports 443 and port 80 if http-redirect is
enabled

And HTTPS only if http-redirect is disabled.

This commit adds the following meson options that each take an array of
strings, indexex on the port.
additional-ports
  Adds additional ports that bmcweb should listen to.  This is always
  required when adding new ports.

additional-protocol
  Specifies 'http', 'https', or 'both' for whether or not tls is enfoced
  on this socket.  'both' allows bmcweb to detect whether a user has
  specified tls or not on a given connection and give the correct
  response.

additional-bind-to-device
  Accepts values that fill the SO_BINDTODEVICE flag in systemd/linux,
  and allows binding to a specific device

additional-auth
  Accepts values of 'auth' or 'noauth' that determines whether this
  socket should apply the normal authentication routines, or treat the
  socket as unauthenticated.

Tested:
Previous commits ran the below tests.
Ran the server with options enabled.  Tried:
```
curl -vvvv --insecure --user root:0penBmc http://192.168.7.2/redfish/v1/Managers/bmc
*   Trying 192.168.7.2:80...
* Connected to 192.168.7.2 (192.168.7.2) port 80 (#0)
* Server auth using Basic with user 'root'
> GET /redfish/v1/Managers/bmc HTTP/1.1
> Host: 192.168.7.2
> Authorization: Basic cm9vdDowcGVuQm1j
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.7.2
< X-Frame-Options: DENY
< Pragma: no-cache
< Cache-Control: no-Store,no-Cache
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
< Date: Fri, 08 Jan 2021 01:43:49 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0
```

Observe above:
webserver returned 301 redirect.
webserver returned the appropriate security headers
webserver immediately closed the connection.

The same test above over https:// returns the values as expected

Loaded the webui to test static file hosting.  Webui logs in and works
as expected.

Used the scripts/websocket_test.py to verify that websockets work.
Sensors report as expected.

Change-Id: Ib5733bbe5473fed6e0e27c56cdead0bffedf2993
Signed-off-by: Ed Tanous <ed@tanous.net>

diff --git a/src/ssl_key_handler.cpp b/src/ssl_key_handler.cpp
index 1e92746..b2a78b8 100644
--- a/src/ssl_key_handler.cpp
+++ b/src/ssl_key_handler.cpp

@@ -9,15 +9,11 @@
 #include "sessions.hpp"
 
 #include <boost/asio/buffer.hpp>
+#include <boost/asio/ssl/context.hpp>
 #include <boost/asio/ssl/verify_mode.hpp>
 #include <boost/beast/core/file_base.hpp>
 #include <boost/beast/core/file_posix.hpp>
-
-#include <bit>
-#include <cstddef>
-#include <limits>
-#include <system_error>
-#include <utility>
+#include <boost/system/error_code.hpp>
 
 extern "C"
 {
@@ -37,14 +33,16 @@
 #include <openssl/x509v3.h>
 }
 
-#include <boost/asio/ssl/context.hpp>
-#include <boost/system/error_code.hpp>
-
+#include <bit>
+#include <cstddef>
 #include <filesystem>
+#include <limits>
 #include <memory>
 #include <optional>
 #include <random>
 #include <string>
+#include <system_error>
+#include <utility>
 
 namespace ensuressl
 {