Commit Graph

37 Commits

Author SHA1 Message Date
Pierre-Louis Bonicoli
a158774364
hackney adapter helper & reverse proxy client: enable TLSv1.3
The list of TLS versions was added by
8bd2b6eb13 when hackney version was
pinned to 1.15.2. Later hackney version was upgraded
(166455c884) but the list of TLS
versions wasn't removed. From the hackney point of view, this list has
been replaced by the OTP defaults since 0.16.0
(734694ea4e24f267864c459a2f050e943adc6694).

It looks like the same issue already occurred before:
0cb7b0ea84.

A way to test this issue (where example.com is an ActivityPub site
which uses TLSv1.3 only):

   $ PLEROMA_CONFIG_PATH=/path/to/config.exs pleroma start_iex
   Erlang/OTP 22 [erts-10.7.2.16] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]

   Erlang/OTP 22 [erts-10.7.2.16] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]

   Interactive Elixir (1.10.4) - press Ctrl+C to exit (type h() ENTER for help)
   iex(pleroma@127.0.0.1)2> Pleroma.Object.Fetcher.fetch_and_contain_remote_object_from_id("https://example.com/@/Nick/")
   {:error,
    {:tls_alert,
     {:protocol_version,
      'TLS client: In state hello received SERVER ALERT: Fatal - Protocol Version\n'}}}

With this patch, the output is the expected one:

   iex(pleroma@127.0.0.1)3> Pleroma.Object.Fetcher.fetch_and_contain_remote_object_from_id("https://example.com/@/Nick/")
   {:error,
   {:ok,
    %{
      "@context" => [
        "https://www.w3.org/ns/activitystreams",
        "https://w3id.org/security/v1",
        %{
          "Emoji" => "toot:Emoji",
          "Hashtag" => "as:Hashtag",
          "atomUri" => "ostatus:atomUri",
          "conversation" => "ostatus:conversation",
          "featured" => "toot:featured",
          "focalPoint" => %{"@container" => "@list", "@id" => "toot:focalPoint"},
          "inReplyToAtomUri" => "ostatus:inReplyToAtomUri",
          "manuallyApprovesFollowers" => "as:manuallyApprovesFollowers",
          "movedTo" => "as:movedTo",
          "ostatus" => "http://ostatus.org#",
          "sensitive" => "as:sensitive",
          "toot" => "http://joinmastodon.org/ns#"
        }
      ],
      "endpoints" => %{"sharedInbox" => "https://example.com/inbox"},
      "followers" => "https://example.com/@/Nick/followers",
      "following" => nil,
      "icon" => %{
        "type" => "Image",
        "url" => "https://example.com/static/media/[...].png"
      },
      "id" => "https://example.com/@/Nick/",
      "inbox" => "https://example.com/@/Nick/inbox",
      "liked" => nil,
      "name" => "Nick",
      "outbox" => "https://example.com/@/Nick/outbox",
      "preferredUsername" => "Nick",
      "publicKey" => %{
        "id" => "https://example.com/@/Nick/#main-key",
        "owner" => "https://example.com/@/Nick/",
        "publicKeyPem" => "[...]
      },
      "summary" => "",
      "type" => "Person",
      "url" => "https://example.com/@/Nick/"
    }}

A way to test the reverse proxy bits of this issue (where example.com allows TLSv1.3 only):

    iex(pleroma@127.0.0.1)1> Pleroma.ReverseProxy.Client.Hackney.request("GET", "https://example.com", [], [])
    {:error,
     {:tls_alert,
      {:protocol_version,
       'TLS client: In state hello received SERVER ALERT: Fatal - Protocol Version\n'}}}
2022-05-31 00:51:45 +02:00
Sean King
17aa3644be
Copyright bump for 2022 2022-02-25 23:11:42 -07:00
Mark Felder
5660bee2dc Dirty hack to make mediaproxy functional by relying on Hackney for that part 2021-12-16 11:36:58 -06:00
Alex Gleason
1c3fe43d23
ReverseProxy: create Client.Wrapper to call client from config
Speeds up recompilation by reducing compile-time cycles
2021-06-04 21:12:24 -05:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
Alexander Strizhakov
0374df1d12
other files consistency 2020-10-13 16:38:19 +03:00
Ivan Tashkinov
0bda85857e Merge remote-tracking branch 'remotes/origin/develop' into media-preview-proxy
# Conflicts:
#	lib/pleroma/instances/instance.ex
2020-09-11 17:19:58 +03:00
Alexander Strizhakov
e8bfb50fa3
pass options without adapter key 2020-09-10 20:09:44 +03:00
Mark Felder
4ee99dafcc Merge branch 'develop' into media-preview-proxy 2020-09-09 11:11:36 -05:00
Ivan Tashkinov
f170d47130 [#2497] Adjusted media proxy preview invalidation. Allowed client-side caching for media preview. Adjusted prewarmer to fetch only proxiable URIs.
Removed :preview pool in favor of existing :media one. Misc. refactoring.
2020-09-05 20:19:09 +03:00
Alexander Strizhakov
473458b0fb
fix for ReverseProxy 2020-09-04 14:45:30 +03:00
Ivan Tashkinov
1298a2ea2c Merge remote-tracking branch 'remotes/origin/develop' into 2168-media-preview-proxy
# Conflicts:
#	mix.lock
2020-08-07 09:38:05 +03:00
rinpatch
6bf8eee5f9 ReverseProxy tesla client: remove handling of old_conn
This is no longer relevant because we use a custom
FollowRedirects middleware now
2020-07-26 20:52:00 +03:00
rinpatch
d4fbec62a3 ReverseProxy: Fix a gun connection leak when there is an error with no
body

- Modify `close/1` function to do the same thing it does for hackney,
which is - close the client rather than the whole connection
- Release the connection when there is no body to chunk
2020-07-26 19:30:17 +03:00
Ivan Tashkinov
bdf57b8ef4 Merge remote-tracking branch 'remotes/origin/develop' into 2168-media-preview-proxy
# Conflicts:
#	config/config.exs
#	lib/pleroma/web/media_proxy/media_proxy.ex
#	mix.lock
#	test/web/media_proxy/media_proxy_test.exs
2020-07-19 20:05:37 +03:00
rinpatch
58a4f350a8 Refactor gun pooling and simplify adapter option insertion
This patch refactors gun pooling to use Elixir process registry and
simplifies adapter option insertion.

Having the pool use process registry instead of a GenServer has a number of advantages:
- Simpler code: the initial implementation adds about half the lines of code it deletes
- Concurrency: unlike a GenServer, ETS-based registry can handle multiple checkout/checkin
requests at the same time
- Precise and easy idle connection closure: current proposal for closing idle connections in
the GenServer-based pool needs to filter through all connections once a minute and compare their
last active time with closing time. With Elixir process registry this can be done
by just using `Process.send_after`/`Process.cancel_timer` in the worker process.
- Lower memory footprint: In my tests `gun-memory-leak` branch uses about 290mb on peak load (250 connections)
and 235mb on idle (5-10 connections). Registry-based pool uses 210mb on idle and 240mb on peak load
2020-07-15 15:17:27 +03:00
Mark Felder
72b3dbf4d1 Credo line length complaint 2020-07-10 11:04:19 -05:00
href
a1dace088c ReverseProxy: Streaming and disable encoding if Range
Fixes #1823
Fixes #1860
2020-07-10 17:23:11 +02:00
Ivan Tashkinov
1b23acf164 [#2497] Media preview proxy for images: fixes, tweaks, refactoring, tests adjustments. 2020-05-11 23:21:53 +03:00
Alexander Strizhakov
f0651730bd
Merge branch 'develop' into gun 2020-03-16 14:25:55 +03:00
Mark Felder
7321429a2e Lint 2020-03-13 12:42:06 -05:00
Mark Felder
c62195127d Update comment to reflect what the code is actually doing 2020-03-13 11:46:40 -05:00
Mark Felder
ad31d0726a Do not trust remote Cache-Control headers for mediaproxy 2020-03-13 11:30:27 -05:00
Alexander Strizhakov
98ed0d1c4b
more clean up 2020-03-13 09:37:57 +03:00
Mark Felder
d9c5ae7c09 Update Copyrights for gun related files 2020-03-03 17:16:24 -06:00
Mark Felder
4427161ca3 Merge branch 'develop' into gun 2020-03-03 17:15:49 -06:00
Mark Felder
05da5f5cca Update Copyrights 2020-03-03 16:44:49 -06:00
Alexander Strizhakov
d0e4d3ca3b
removing unnecessary with
comment in tesla client improvement
2020-03-03 14:56:49 +03:00
Alexander Strizhakov
151dc4e387 Apply suggestion to lib/pleroma/reverse_proxy/client/tesla.ex 2020-03-03 09:53:37 +00:00
Alexander Strizhakov
514c899275
adding gun adapter 2020-02-18 08:19:01 +03:00
rinpatch
9bdbf0811b Make MediaProxy failure tracking less brutal
The current failure tracking mechanism will never request anything that
didn't respond with a success, 403, 404, or 5xx codes. This is causing
issues when using in real fediverse because of weird status codes
some software has and timeouts being frequent. This patch changes
failure tracking mechanism to only never request the url again if it
responded with 400, 204, or the body is too large, otherwise it can be
re-requested in 60 seconds.
2019-10-11 22:52:38 +03:00
Sergey Suprunenko
c541b83bef Track failed proxy urls and don't request them again 2019-10-01 20:00:27 +00:00
Mark Felder
ef82f868d9 Formatting 2019-08-16 10:00:18 -05:00
Mark Felder
6a3b1a526e max_body_size -> max_body_length, as it should be 2019-08-15 15:34:41 -05:00
rinpatch
b001b8891a Merge the default options with custom ones in ReverseProxy and
Pleroma.HTTP
2019-07-12 23:52:26 +03:00
feld
93a0eeab16 Add license/copyright to all project files 2019-07-10 05:13:23 +00:00
Alexander Strizhakov
4e6e5d8042 reverse proxy tests 2019-07-09 16:54:13 +00:00