Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fix: ACME directory URL redirects are not followed #77

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix: ACME directory URL redirects are not followed #77

wants to merge 1 commit into from

Conversation

@mdegel
Copy link
Contributor

@mdegel mdegel commented Nov 2, 2025
edited
Loading

Partial fix for #75

Technically this PR fixes the general redirect aspects for the GET call in acme.rs.
As of now the POST from acme.rs would still not be covered:
https://github.com/nginx/nginx-acme/blob/main/src/acme.rs#L181

Based on my testing this should only affect use-cases where URLs (relative, or absolute) are returned, that cause another redirect, which should be rarely the case (at least not in the environments I tested with). Reason being, that the URLs provided by https://acme.example.com/directory should normally be OK not requiring redirects.

Also I'm not completely sure how to best implement the requirements for RFC 8555 §6.2.
I can add those as well if needed, though it might be best to extract part of the redirect functionality to it's own (reusable) unit I assume.
Any opinions on this matter?

IMO this basic PR should already cover a few additional standard use cases, such as:

@bavshin-f5
Copy link
Member

bavshin-f5 commented Nov 5, 2025

Did not have time to take a good look at this; some general comments:

  • I would definitely avoid implementing redirects for anything other than GET. The behavior for redirects in POST/POST-as-GET requests is not defined in RFC8555, and too many things can be interpreted differently. For example, I would assume that 301-303 must fail, and 307-308 must obtain new nonce and update URL in the JWS header. Server implementers may have different opinion.
  • Implementation in the NgxHttpClient looks a bit too low-level.
  • I am planning to swap the HttpClient implementation with another one using subrequests on a fake request, as soon as we make it possible with the open-source nginx code. Maintaining redirect support in both implementations is undesirable.

Something I would want to see here is a simple loop in AcmeClient::get():

pub async fn get(&self, url: &Uri) -> Result<http::Response<Bytes>, RequestError> {
    let mut u = url.clone();

    for _ in 0..MAX_REDIRECTS {
        let req = ...;
        let res = self.http.request(req).await?;

        if res.status().is_redirection() {
            u = ...;
            continue;
        }

        return Ok(res);
    }

    Err(...)
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mdegel @bavshin-f5