[ https://issues.apache.org/jira/browse/TS-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270083#comment-15270083 ]

ASF GitHub Bot commented on TS-3485:
------------------------------------

Github user jpeach commented on a diff in the pull request:

    https://github.com/apache/trafficserver/pull/614#discussion_r61987839
  
    --- Diff: proxy/http2/Http2SessionAccept.cc ---
    @@ -38,9 +39,22 @@ Http2SessionAccept::~Http2SessionAccept()
     void
     Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, 
IOBufferReader *reader)
     {
    +  AclRecord *session_acl_record = NULL;
    +  sockaddr const *client_ip = netvc->get_remote_addr();
    +  IpAllow::scoped_config ipallow;
    +  if (ipallow && (((session_acl_record = ipallow->match(client_ip)) == 
NULL) || (session_acl_record->isEmpty()))) {
    +    ip_port_text_buffer ipb;
    +    Warning("http2 client '%s' prohibited by ip-allow policy", 
ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
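Review bot: In the `if (ipallow && (...))` condition, a false `ipallow` short-circuits the whole test, so when no ip-allow configuration is available the deny branch is skipped and `session_acl_record` is left NULL instead of the client being refused. The lines shown here do not say which outcome is intended, so handle that case explicitly (refuse the session, or allow it with a comment saying why) and make sure nothing after this block dereferences a NULL `session_acl_record`. Hoisting the assignment out of the condition, for example `session_acl_record = ipallow->match(client_ip);` on its own line before the test, would also make the NULL and `isEmpty()` cases easier to read.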
    --- End diff --
    
    Oh so this is fail-closed when there is no config? If that is the case, 
then HTTP/1 should do the same thing. We should have a single function that 
does this check for both protocols to avoid this kind of drift.


> We should honor ip_allow.config ACLs for HTTP/2 streams
> -------------------------------------------------------
>
>                 Key: TS-3485
>                 URL: https://issues.apache.org/jira/browse/TS-3485
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP/2
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>             Fix For: 7.0.0
>
>
> From the comments:
> {code}
> // XXX we need to refactor the ACL checks from HttpSessionAccept so that we 
> can invoke them here, and also in
> // the SPDY protocol layer ...
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
