feat(nginx): enable tls 1.3 0-rtt for safe http methods

and add a new annotation earlyDataMethods to tweak the list or disable
early data completely. the early data feature also is also known as TLS
1.3 zero rount trip time (0-RTT) negotiation and allow the client to
send the HTTP request as part of the SSL negotiation, saving one round
trip compared to TLS 1.2 for non-resumed sessions. the feature is
enabled for the safe HTTP methods GET, HEAD and OPTIONS by default to
protect against replay attacks and the Early-Data header is forwarded to
origins to allow blocking early data even for safe methods by returning
the 425 (Too Early) status code. non-whitelisted HTTP methods will be
denied using 425 status by the router and the feature can be disabled
completely by setting tje list of methods to an empty string.

Author: felixbuenemann

README.md

@@ -270,6 +270,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="ssl-hsts-max-age"></a>deis-router | deployment | [router.deis.io/nginx.ssl.hsts.maxAge](#ssl-hsts-max-age) | `"10886400"` | Maximum number of seconds user agents should observe HSTS rewrites. |
 | <a name="ssl-hsts-include-sub-domains"></a>deis-router | deployment | [router.deis.io/nginx.ssl.hsts.includeSubDomains](#ssl-hsts-include-sub-domains) | `"false"` | Whether to enforce HSTS for subsequent requests to all subdomains of the original request. |
 | <a name="ssl-hsts-preload"></a>deis-router | deployment | [router.deis.io/nginx.ssl.hsts.preload](#ssl-hsts-preload) | `"false"` | Whether to allow the domain to be included in the HSTS preload list. |
+| <a name="ssl-early-data-methods"></a>deis-router | deployment | [router.deis.io/nginx.ssl.earlyDataMethods](#ssl-early-data-methods) | `"GET|HEAD|OPTIONS"` | enables nginx `ssl_early_data` (TLS 1.3 0-RTT) for the listes HTTP methods (set to `""` to disable, valid methods: `"GET|HEAD|POST|PUT|DELETE|PATCH|OPTIONS"`). Unsafe or non-idempotent methods should be avoided, to prevent replay attacks. The header `Early-Data: 1` is forwarded to apps, when Early Data is used and they can reply with HTTP status 425 to block it, causing the client to retry without Early-Data. Requires "TLSv1.3" in `"protocols"` to work.|
 | <a name="proxy-buffers-enabled"></a>deis-router | deployment | [router.deis.io/nginx.proxyBuffers.enabled](#proxy-buffers-enabled) | `"false"` | Whether to enabled proxy buffering for all applications (this can be overridden on an application basis). |
 | <a name="proxy-buffers-number"></a>deis-router | deployment | [router.deis.io/nginx.proxyBuffers.number](#proxy-buffers-number) | `"8"` | `number` argument to the nginx `proxy_buffers` directive for all applications (this can be overridden on an application basis). |
 | <a name="proxy-buffers-size"></a>deis-router | deployment | [router.deis.io/nginx.proxyBuffers.size](#proxy-buffers-size) | `"4k"` | `size` argument to the nginx `proxy_buffers` directive expressed in bytes (no suffix), kilobytes (suffixes `k` and `K`), or megabytes (suffixes `m` and `M`). This setting applies to all applications, but can be overridden on an application basis. |

model/model.go

@@ -218,6 +218,7 @@ type SSLConfig struct {
 	UseSessionTickets bool        `key:"useSessionTickets" constraint:"(?i)^(true|false)$"`
 	BufferSize        string      `key:"bufferSize" constraint:"^[1-9]\\d*[kKmM]?$"`
 	HSTSConfig        *HSTSConfig `key:"hsts"`
+	EarlyDataMethods  string      `key:"earlyDataMethods" constraint:"^((GET|HEAD|POST|PUT|DELETE|PATCH|OPTIONS)(\\|\\b|$))*$"`
 	DHParam           string
 }
 
@@ -238,6 +239,7 @@ func newSSLConfig() *SSLConfig {
 		UseSessionTickets: true,
 		BufferSize:        "4k",
 		HSTSConfig:        newHSTSConfig(),
+		EarlyDataMethods:  "GET|HEAD|OPTIONS",
 	}
 }
 

model/model_validation_test.go

@@ -375,6 +375,14 @@ func TestValidHSTSPreload(t *testing.T) {
 	testValidValues(t, newTestHSTSConfig, "Preload", "preload", []string{"true", "false", "TRUE", "FALSE"})
 }
 
+func TestInvalidEarlyDataMethods(t *testing.T) {
+	testInvalidValues(t, newTestSSLConfig, "EarlyDataMethods", "earlyDataMethods", []string{"0", "-1", "foobar", "GET||HEAD", "|GET", "GET|", "get|head"})
+}
+
+func TestValidEarlyDataMethods(t *testing.T) {
+	testValidValues(t, newTestSSLConfig, "EarlyDataMethods", "earlyDataMethods", []string{"", "GET", "GET|HEAD", "GET|HEAD|OPTIONS"})
+}
+
 func TestInvalidProxyBuffersEnabled(t *testing.T) {
 	testInvalidValues(t, newTestProxyBuffersConfig, "Enabled", "enabled", []string{"0", "-1", "foobar"})
 }

nginx/config.go

@@ -125,6 +125,13 @@ http {
 		'https' 'max-age={{ $hstsConfig.MaxAge }}{{ if $hstsConfig.IncludeSubDomains }}; includeSubDomains{{ end }}{{ if $hstsConfig.Preload }}; preload{{ end }}';
 	}
 	{{ end }}
+	{{ if ne $sslConfig.EarlyDataMethods "" }}
+	# Only allow early data (TLSv1.3 0-RTT) for select methods
+	map $request_method $ssl_block_early_data {
+		default $ssl_early_data;
+		"~^{{ $sslConfig.EarlyDataMethods }}$" 0;
+	}
+	{{ end }}
 
 	{{ if $routerConfig.RequestIDs }}
 		map $http_x_correlation_id $correlation_id {
@@ -168,6 +175,7 @@ http {
 			proxy_http_version 1.1;
 			proxy_set_header Upgrade $http_upgrade;
 			proxy_set_header Connection $connection_upgrade;
+			{{ if ne $sslConfig.EarlyDataMethods "" }}proxy_set_header Early-Data $ssl_early_data;{{ end }}
 			proxy_pass http://{{$routerConfig.DefaultServiceIP}}:80;
 		}
 	}
@@ -186,6 +194,7 @@ http {
 		ssl_protocols {{ $sslConfig.Protocols }};
 		{{ if ne $sslConfig.Ciphers "" }}ssl_ciphers {{ $sslConfig.Ciphers }};{{ end }}
 		ssl_prefer_server_ciphers on;
+		ssl_early_data {{ if ne $sslConfig.EarlyDataMethods "" }}on{{ else }}off{{ end }};
 		{{ if $routerConfig.PlatformCertificate }}
 		ssl_certificate /opt/router/ssl/platform.crt;
 		ssl_certificate_key /opt/router/ssl/platform.key;
@@ -261,6 +270,7 @@ http {
 		ssl_protocols {{ $sslConfig.Protocols }};
 		{{ if ne $sslConfig.Ciphers "" }}ssl_ciphers {{ $sslConfig.Ciphers }};{{ end }}
 		ssl_prefer_server_ciphers on;
+		ssl_early_data {{ if ne $sslConfig.EarlyDataMethods "" }}on{{ else }}off{{ end }};
 		ssl_certificate /opt/router/ssl/{{ $domain }}.crt;
 		ssl_certificate_key /opt/router/ssl/{{ $domain }}.key;
 		{{ if ne $sslConfig.SessionCache "" }}ssl_session_cache {{ $sslConfig.SessionCache }};
@@ -278,6 +288,10 @@ http {
 
 		vhost_traffic_status_filter_by_set_key {{ $appConfig.Name }} application::*;
 
+		if ($ssl_block_early_data) {
+			return 425;
+		}
+
 		{{range $location := $appConfig.Locations}}
 			location {{ $location.Path }} {
 				{{ if $routerConfig.RequestIDs }}
@@ -304,6 +318,7 @@ http {
 				proxy_http_version 1.1;
 				proxy_set_header Upgrade $http_upgrade;
 				proxy_set_header Connection $connection_upgrade;
+				{{ if ne $sslConfig.EarlyDataMethods "" }}proxy_set_header Early-Data $ssl_early_data;{{ end }}
 				{{ if $routerConfig.RequestIDs }}
 				proxy_set_header X-Request-Id $request_id;
 				proxy_set_header X-Correlation-Id $correlation_id;