test: Remove strict mode, use host header instead

Author: Krinkle

.github/workflows/CI.yaml

@@ -15,7 +15,7 @@ jobs:
       - name: Build the image
         run: docker build -t codeorigin ./
 
-      - name: Test the container in open mode
+      - name: Test the container
         run: |
           docker run --rm -p 4000:80/tcp --detach codeorigin
           # The first error is "Empty reply from server", which curl
@@ -24,14 +24,5 @@ jobs:
           # instead of hardcoded sleep. --krinkle 2021-08-21
           sleep 2
           curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://localhost:4000/jquery-3.0.0.js
-          php test/static-open.php
+          php test/CodeoriginTest.php
           docker kill $(docker ps -q -f ancestor=codeorigin)
-
-      - name: Test the container in strict mode
-        env:
-          CDN_ACCESS_KEY: aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccdddddddddddddddd
-        run: |
-          docker run --rm -p 4000:80/tcp -e "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" --detach codeorigin
-          sleep 2
-          curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://localhost:4000/jquery-3.0.0.js
-          php test/static-strict.php

.github/workflows/deploy.yaml

@@ -28,7 +28,7 @@ jobs:
           docker run --rm -p 4000:80/tcp --detach ${{ env.IMAGE_NAME }}
           sleep 2
           curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://127.0.0.1:4000/jquery-3.0.0.js
-          php test/static-open.php
+          php test/CodeoriginTest.php
 
       # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio
       - name: Login to Container Registry

Dockerfile

@@ -34,10 +34,6 @@ COPY cdn/ /var/www/cdn/
 #
 RUN find /var/www/cdn/ -type f -print0 | TZ=UTC xargs -0 -P 4 -n 50 touch --date='1991-10-18 12:00:00' {} +
 
-# Define the environment variable that will be used in the origin pull magic header
-# Set this via `docker run`
-ENV CDN_ACCESS_KEY=''
-
 # Copy in the necessary config files
 COPY cfg/vimrc /etc/vim/vimrc
 COPY cfg/default.conf /etc/nginx/templates/default.conf.template

README.md

@@ -23,7 +23,7 @@ Build the image, by running the following in a clone of this repo:
 docker build -t codeorigin ./
 ```
 
-**Test the container in open mode**:
+**Test the container**:
 
 1. Start a container, exposing port 80:
    ```
@@ -46,43 +46,14 @@ docker run --rm -p 4000:80/tcp -it --entrypoint /bin/sh codeorigin
 ...
 ```
 
-Inspect restricted mode:
-
-```
-docker run --rm -p 4000:80/tcp -e "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" -it --entrypoint /bin/sh codeorigin
-```
-
 **Debug nginx**:
 
 In `cfg/default.conf`, change `error_log … crit` to `error_log … debug` and then build+run as usual.
 
-**Test the container in restricted mode**:
-
-There is a restricted mode, which responds to unauthorized static file requests with a redirect instead of serving files.
-
-1. Run `export CDN_ACCESS_KEY="$(openssl rand -hex 32)"`
-1. Start a container, exposing port 80, and given the environment variable:
-   ```
-   docker run --rm -p 4000:80/tcp -e "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" codeorigin
-   ````
-1. The site is now running at <http://localhost:4000/jquery-3.0.0.js>.
-   To stop the container, press `ctrl+c`
-
-In the restricted mode:
-
-* Simple requests for static files redirect to `code.jquery.com/*`, e.g. `curl -i 'http://localhost/jquery-3.0.0.js'`.
-* Requests with the access key will respond by serving the file: `curl -i -H "x-cdn-access: $CDN_ACCESS_KEY" 'http://localhost/jquery-3.0.0.js'`
-* Requests with an invalid key will redirect the same as without: `curl -i -H "x-cdn-access: wrong" 'http://localhost/jquery-3.0.0.js'`
-
 ### Production deployment
 
-1. First, generate a CDN access key: `openssl rand -hex 32`.
-1. At a hosting platform of your choosing, build or pull the container, and pass the CDN access key as run environment variable.
-1. Finally, configure the CDN to use the container address as its origin, with special handling to augment origin pulls with a `Host: code.jquery.com` header, and a `x-cdn-access` header with the access key.
-
-### In case of emergency
-
-If you need to deploy a standalone codeorigin site immediately, or if there are origin pull failures and you're not sure why, then deploy the container without any `CDN_ACCESS_KEY` environment variable. The codeorigin container then default to its unrestricted mode (no offload redirects).
+1. At a hosting platform of your choosing, build or pull the container.
+1. Finally, configure the CDN to use the container address as its origin, with special handling to augment origin pulls with a `Host: code.jquery.com` header.
 
 -------
 

cfg/default.conf

@@ -1,40 +1,9 @@
 #
-# This file is responsible for the site which serves the main releases from codeorigin. By default,
-# it generates a site that operates in "break glass" emergency mode. All requests are served,
-# regardless of where they come from.
-#
-# In production, the CDN should add a private header to origin fetches. All requests which do not
-# include the correct header should be bounced via 301 redirect back to the CDN. This ensures that
-# even if a client attempts to link to codeorigin, it will still be served from the CDN. The end
-# result should be that codeorigin is only reachable for origin pulls from the CDN, decreasing its
-# load and reducing the attack surface for DDOSs.
+# This file is responsible for the site which serves the releases from codeorigin.
 #
 # Configuration information is in the README.md file.
 #
 
-# Increase map_hash_bucket_size to accommodate longer CDN tokens
-map_hash_bucket_size 128;
-
-# If the CDN_ACCESS_KEY environment variable is *not* set, operate in "break glass" mode where the
-# container openly serves files without restriction. Otherwise, it responds with redirects to requests
-# that don't carry a matching x-cdn-access request header.
-#
-# NOTE: We're using the "envsubst" feature that comes with docker-nginx because nginx does not
-# currently have a way to access environment variables without significant workarounds.
-# This is interpreted at run-time just before the server starts.
-#
-# This is preferred over substitution at build-time in Dockerfile as that would put the
-# credentials inside the image, making it unsuitable to push to a public container registry.
-map "${CDN_ACCESS_KEY}" $origin_mode {
-    ""                  open;
-    default             key;
-}
-map $origin_mode  $key_input { key $http_x_cdn_access; default none; }
-map $origin_mode  $key_expect {
-    key           "${CDN_ACCESS_KEY}";
-    default       none;
-}
-
 server {
   listen        80;
   listen        [::]:80;
@@ -64,9 +33,6 @@ server {
     # https://stackoverflow.com/a/6475493/319266
     gzip_types text/plain text/xml application/xml text/css text/javascript application/javascript application/x-javascript text/x-component application/json application/xhtml+xml application/rss+xml application/atom+xml application/vnd.ms-fontobject image/svg+xml application/x-font-ttf font/opentype;
 
-    # Proxies must not mix up differently keyed responses
-    add_header Vary "x-cdn-access";
-
     add_header Cache-Control "public";
     add_header Access-Control-Allow-Origin *;
     expires max;
@@ -76,9 +42,6 @@ server {
 
     # Applies to charset_types (mainly for JS and CSS)
     charset utf-8;
-
-    # Let rerouting responses be cached for a shorter time for faster recovery from mistakes
-    if ($key_expect != $key_input) { expires 5m; return 302 https://code.jquery.com$uri; }
   }
 
   # Legacy redirects for renamed files

test/static-open.php test/CodeoriginTest.phptest/static-open.php renamed to test/CodeoriginTest.php

@@ -2,9 +2,11 @@
 /**
  * Usage:
  *
- *     $ php test/static-open.php
+ *     $ php test/CodeoriginTest.php
  *
- *     $ php test/static-open.php "localhost:4000"
+ *     $ php test/CodeoriginTest.php "localhost:4000"
+ *
+ *     $ php test/CodeoriginTest.php "code.jquery.com"
  */
 
 require_once __DIR__ . '/Unit.php';
@@ -29,7 +31,7 @@
 	'content-length' => '263268',
 	'last-modified' => 'Fri, 18 Oct 1991 12:00:00 GMT',
 	'connection' => 'keep-alive',
-	'vary' => 'Accept-Encoding, x-cdn-access',
+	'vary' => 'Accept-Encoding',
 	'etag' => '"28feccc0-40464"',
 	'cache-control' => 'max-age=315360000, public',
 	'access-control-allow-origin' => '*',
@@ -43,7 +45,7 @@
 	'content-length' => '7456',
 	'last-modified' => 'Fri, 18 Oct 1991 12:00:00 GMT',
 	'connection' => 'keep-alive',
-	'vary' => 'Accept-Encoding, x-cdn-access',
+	'vary' => 'Accept-Encoding',
 	'etag' => '"28feccc0-1d20"',
 	'cache-control' => 'max-age=315360000, public',
 	'access-control-allow-origin' => '*',
@@ -76,7 +78,7 @@
 	'accept-ranges' => 'bytes',
 ] );
 
-// Static asset with a key when no key is required
+// Static asset
 
 Unit::testHttp( $server, '/jquery-3.0.0.js', [
 	"x-cdn-access: there-is-no-spoon"
@@ -87,7 +89,7 @@
 	'content-length' => '263268',
 	'last-modified' => 'Fri, 18 Oct 1991 12:00:00 GMT',
 	'connection' => 'keep-alive',
-	'vary' => 'Accept-Encoding, x-cdn-access',
+	'vary' => 'Accept-Encoding',
 	'etag' => '"28feccc0-40464"',
 	'cache-control' => 'max-age=315360000, public',
 	'access-control-allow-origin' => '*',

test/Unit.php

@@ -1,5 +1,12 @@
 <?php
 
+// Support: PHP < 8.0
+if ( !function_exists( 'str_starts_with' ) ) {
+	function str_starts_with( $haystack, $needle ) {
+		return strpos( $haystack, $needle ) === 0;
+	}
+}
+
 function jq_req( $url, array $reqHeaders = [] ) {
 	print "# $url\n";
 	$ch = curl_init( $url );
@@ -71,6 +78,17 @@ public static function testHttp( $server, $path, array $reqHeaders, array $expec
 		try {
 			$resp = jq_req( "http://{$server}{$path}", $reqHeaders );
 			foreach ( $expectHeaders as $key => $val ) {
+				// Tolerate E-Tag weakning (which Highwinds CDN does)
+				if ( $key == 'etag' ) {
+					$actualVal = @$resp['headers'][$key];
+					if ( $val !== $actualVal && $actualVal === "W/$val" ) {
+						$val = "W/$val";
+					}
+					if ( $val !== $actualVal && $val === "W/$actualVal" ) {
+						$actualVal = "W/$actualVal";
+					}
+				}
+
 				self::test( "GET $path > header $key", @$resp['headers'][$key], $val );
 			}
 		} catch ( Exception $e ) {