Add redirect-chain rules per RFC 9110 §15.4

2026-04-27 10:09:21 +07:00 · 2026-04-27 10:09:21 +07:00 · 27a30638f4
commit 27a30638f4
parent 2250902a94
3 changed files with 416 additions and 1 deletions
--- a/checker/collect.go
+++ b/checker/collect.go
@ -221,10 +221,16 @@ func runProbe(ctx context.Context, host, ip, scheme string, port uint16, timeout
 		// and a separate http.Client.Timeout would race with it.
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			prev := via[len(via)-1]
+			// req.Response is the 3xx response that triggered this hop;
+			// it carries the redirecting status code (301/302/307/308…).
+			status := 0
+			if req.Response != nil {
+				status = req.Response.StatusCode
+			}
 			redirectChain = append(redirectChain, RedirectStep{
 				From:   prev.URL.String(),
 				To:     req.URL.String(),
-				Status: 0, // populated post-hoc below if available
+				Status: status,
 			})
 			// The transport's DialContext is pinned to the original
 			// (ip, port) and TLS ServerName is pinned to the original
--- a/checker/rules_redirect_chain.go
+++ b/checker/rules_redirect_chain.go
@ -0,0 +1,242 @@
+// This file is part of the happyDomain (R) project.
+// Copyright (c) 2020-2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+
+package checker
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"strings"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+func init() {
+	RegisterRule(&redirectChainRule{})
+	RegisterRule(&redirectPermanenceRule{})
+}
+
+// MaxRecommendedRedirectHops is the soft upper bound for a healthy redirect
+// chain. RFC 9110 §15.4 does not mandate a hard cap, but every additional
+// hop adds latency, defeats HSTS for the intermediate hop, and degrades
+// the user experience; popular guidance (Google, Mozilla, web.dev) treats
+// 3+ hops as a smell worth surfacing.
+const MaxRecommendedRedirectHops = 3
+
+// redirectChainRule inspects the redirect chain captured during probing
+// and flags the three classic anti-patterns called out by RFC 9110 §15.4
+// and operational guidance:
+//
+//   - a loop (the same URL appears twice in the chain);
+//   - excessive length (more hops than MaxRecommendedRedirectHops);
+//   - a scheme downgrade (HTTPS → HTTP at any hop), which strips transport
+//     security and silently invalidates HSTS expectations.
+//
+// Each probe contributes its own state so multi-IP deployments can show
+// per-backend divergence.
+type redirectChainRule struct{}
+
+func (r *redirectChainRule) Name() string { return "http.redirect_chain" }
+func (r *redirectChainRule) Description() string {
+	return "Inspects the redirect chain (RFC 9110 §15.4) for loops, excessive length, and scheme downgrades."
+}
+
+func (r *redirectChainRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	data, errSt := loadHTTPData(ctx, obs)
+	if errSt != nil {
+		return []sdk.CheckState{*errSt}
+	}
+	if len(data.Probes) == 0 {
+		return []sdk.CheckState{unknownState("http.redirect_chain.no_probes", "No probes were attempted.")}
+	}
+
+	var states []sdk.CheckState
+	anyChain := false
+	for _, p := range data.Probes {
+		if len(p.RedirectChain) == 0 {
+			continue
+		}
+		anyChain = true
+
+		if loopAt, found := redirectLoop(p.RedirectChain); found {
+			states = append(states, sdk.CheckState{
+				Status:  sdk.StatusWarn,
+				Code:    "http.redirect_chain.loop",
+				Subject: p.Address,
+				Message: fmt.Sprintf("Redirect loop detected: %s reappears in the chain.", loopAt),
+				Meta:    map[string]any{"chain": chainSummary(p.RedirectChain)},
+			})
+			continue
+		}
+
+		if downgradeAt, found := redirectDowngrade(p.RedirectChain); found {
+			states = append(states, sdk.CheckState{
+				Status:  sdk.StatusWarn,
+				Code:    "http.redirect_chain.downgrade",
+				Subject: p.Address,
+				Message: fmt.Sprintf("Redirect chain downgrades from HTTPS to HTTP at %q.", downgradeAt),
+				Meta: map[string]any{
+					"fix":   "Ensure no hop in the redirect chain switches from https:// back to http://.",
+					"chain": chainSummary(p.RedirectChain),
+				},
+			})
+			continue
+		}
+
+		if len(p.RedirectChain) > MaxRecommendedRedirectHops {
+			states = append(states, sdk.CheckState{
+				Status:  sdk.StatusWarn,
+				Code:    "http.redirect_chain.too_long",
+				Subject: p.Address,
+				Message: fmt.Sprintf("Redirect chain has %d hops (recommended ≤ %d).", len(p.RedirectChain), MaxRecommendedRedirectHops),
+				Meta: map[string]any{
+					"fix":   "Collapse intermediate redirects so a single hop reaches the canonical URL.",
+					"chain": chainSummary(p.RedirectChain),
+				},
+			})
+			continue
+		}
+
+		states = append(states, sdk.CheckState{
+			Status:  sdk.StatusOK,
+			Code:    "http.redirect_chain.ok",
+			Subject: p.Address,
+			Message: fmt.Sprintf("Redirect chain is %d hop(s), no loop, no downgrade.", len(p.RedirectChain)),
+		})
+	}
+
+	if !anyChain {
+		return []sdk.CheckState{passState("http.redirect_chain.none", "No redirects observed on any probe.")}
+	}
+	return states
+}
+
+// redirectLoop returns the first URL that appears as both source and
+// destination (or as destination twice) in the chain, signalling a cycle.
+func redirectLoop(chain []RedirectStep) (string, bool) {
+	seen := make(map[string]struct{}, len(chain)+1)
+	for _, step := range chain {
+		key := canonicalURL(step.From)
+		if _, ok := seen[key]; ok {
+			return step.From, true
+		}
+		seen[key] = struct{}{}
+	}
+	if len(chain) > 0 {
+		last := canonicalURL(chain[len(chain)-1].To)
+		if _, ok := seen[last]; ok {
+			return chain[len(chain)-1].To, true
+		}
+	}
+	return "", false
+}
+
+// redirectDowngrade returns the first hop whose source is HTTPS and
+// destination is HTTP. RFC 9110 does not forbid this, but it strips
+// transport security and is universally treated as a misconfiguration.
+func redirectDowngrade(chain []RedirectStep) (string, bool) {
+	for _, step := range chain {
+		from, errF := url.Parse(step.From)
+		to, errT := url.Parse(step.To)
+		if errF != nil || errT != nil {
+			continue
+		}
+		if strings.EqualFold(from.Scheme, "https") && strings.EqualFold(to.Scheme, "http") {
+			return step.From + " → " + step.To, true
+		}
+	}
+	return "", false
+}
+
+func canonicalURL(s string) string {
+	u, err := url.Parse(s)
+	if err != nil {
+		return strings.ToLower(strings.TrimSpace(s))
+	}
+	u.Scheme = strings.ToLower(u.Scheme)
+	u.Host = strings.ToLower(u.Host)
+	if u.Path == "" {
+		u.Path = "/"
+	}
+	u.Fragment = ""
+	return u.String()
+}
+
+func chainSummary(chain []RedirectStep) []string {
+	out := make([]string, 0, len(chain))
+	for _, s := range chain {
+		if s.Status != 0 {
+			out = append(out, fmt.Sprintf("%d %s → %s", s.Status, s.From, s.To))
+		} else {
+			out = append(out, fmt.Sprintf("%s → %s", s.From, s.To))
+		}
+	}
+	return out
+}
+
+// redirectPermanenceRule scrutinises the very first hop of any HTTP probe
+// that ends up on HTTPS: per RFC 9110 §15.4, 301 (Moved Permanently) and
+// 308 (Permanent Redirect) are cacheable and signal that user-agents may
+// rewrite future requests, which is exactly what an HTTP→HTTPS upgrade
+// wants. 302/303/307 are temporary and force the client to re-resolve
+// every time, defeating browser optimisations and HSTS preload eligibility
+// guidance from hstspreload.org.
+type redirectPermanenceRule struct{}
+
+func (r *redirectPermanenceRule) Name() string { return "http.redirect_permanence" }
+func (r *redirectPermanenceRule) Description() string {
+	return "HTTP→HTTPS upgrade should use 301 or 308 (permanent) rather than 302/307 (temporary)."
+}
+
+func (r *redirectPermanenceRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	data, errSt := loadHTTPData(ctx, obs)
+	if errSt != nil {
+		return []sdk.CheckState{*errSt}
+	}
+	const okMsg = "HTTP→HTTPS upgrade uses a permanent redirect (301/308) on every probe."
+	return EvalAggregateByScheme(data, "http", "http.redirect_permanence", okMsg, func(p HTTPProbe, emit func(sdk.CheckState)) {
+		if len(p.RedirectChain) == 0 {
+			return
+		}
+		first := p.RedirectChain[0]
+		from, errF := url.Parse(first.From)
+		to, errT := url.Parse(first.To)
+		if errF != nil || errT != nil {
+			return
+		}
+		// We only care about the HTTP→HTTPS upgrade hop; other shapes
+		// (HTTPS→HTTPS canonicalisation, locale redirects, …) belong to
+		// the chain rule.
+		if !strings.EqualFold(from.Scheme, "http") || !strings.EqualFold(to.Scheme, "https") {
+			return
+		}
+		switch first.Status {
+		case 301, 308:
+			// Good; aggregated to the single OK state below.
+		case 0:
+			emit(sdk.CheckState{
+				Status:  sdk.StatusInfo,
+				Code:    "http.redirect_permanence.unknown",
+				Subject: p.Address,
+				Message: "Could not determine the status code of the HTTP→HTTPS redirect.",
+			})
+		case 302, 303, 307:
+			emit(sdk.CheckState{
+				Status:  sdk.StatusWarn,
+				Code:    "http.redirect_permanence.temporary",
+				Subject: p.Address,
+				Message: fmt.Sprintf("HTTP→HTTPS upgrade returns %d (temporary). Prefer 301 or 308 so clients cache the upgrade.", first.Status),
+				Meta:    map[string]any{"fix": "Configure your web server to answer plain HTTP with `301 Moved Permanently` (or `308 Permanent Redirect`) pointing to the https:// URL."},
+			})
+		default:
+			emit(sdk.CheckState{
+				Status:  sdk.StatusInfo,
+				Code:    "http.redirect_permanence.unexpected",
+				Subject: p.Address,
+				Message: fmt.Sprintf("HTTP→HTTPS upgrade uses an unusual status code: %d.", first.Status),
+			})
+		}
+	})
+}
--- a/checker/rules_redirect_chain_test.go
+++ b/checker/rules_redirect_chain_test.go
@ -0,0 +1,167 @@
+// This file is part of the happyDomain (R) project.
+// Copyright (c) 2020-2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+
+package checker
+
+import (
+	"testing"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+func TestRedirectChainRule_NoProbes(t *testing.T) {
+	states := runRule(t, &redirectChainRule{}, &HTTPData{}, nil)
+	mustStatus(t, states, sdk.StatusUnknown)
+	if !hasCode(states, "http.redirect_chain.no_probes") {
+		t.Errorf("expected no_probes: %+v", states)
+	}
+}
+
+func TestRedirectChainRule_NoRedirects(t *testing.T) {
+	p := httpsProbe("a:443")
+	states := runRule(t, &redirectChainRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusOK)
+	if !hasCode(states, "http.redirect_chain.none") {
+		t.Errorf("expected redirect_chain.none: %+v", states)
+	}
+}
+
+func TestRedirectChainRule_OK(t *testing.T) {
+	p := httpProbe("a:80")
+	p.RedirectChain = []RedirectStep{
+		{From: "http://example.test/", To: "https://example.test/", Status: 301},
+	}
+	states := runRule(t, &redirectChainRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusOK)
+	if !hasCode(states, "http.redirect_chain.ok") {
+		t.Errorf("expected redirect_chain.ok: %+v", states)
+	}
+}
+
+func TestRedirectChainRule_Loop(t *testing.T) {
+	p := httpProbe("a:80")
+	p.RedirectChain = []RedirectStep{
+		{From: "http://example.test/a", To: "http://example.test/b", Status: 302},
+		{From: "http://example.test/b", To: "http://example.test/a", Status: 302},
+	}
+	states := runRule(t, &redirectChainRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusWarn)
+	if !hasCode(states, "http.redirect_chain.loop") {
+		t.Errorf("expected redirect_chain.loop: %+v", states)
+	}
+}
+
+func TestRedirectChainRule_Downgrade(t *testing.T) {
+	p := httpsProbe("a:443")
+	p.RedirectChain = []RedirectStep{
+		{From: "https://example.test/", To: "http://example.test/legacy", Status: 302},
+	}
+	states := runRule(t, &redirectChainRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusWarn)
+	if !hasCode(states, "http.redirect_chain.downgrade") {
+		t.Errorf("expected redirect_chain.downgrade: %+v", states)
+	}
+}
+
+func TestRedirectChainRule_TooLong(t *testing.T) {
+	p := httpProbe("a:80")
+	p.RedirectChain = []RedirectStep{
+		{From: "http://example.test/1", To: "http://example.test/2", Status: 301},
+		{From: "http://example.test/2", To: "http://example.test/3", Status: 301},
+		{From: "http://example.test/3", To: "http://example.test/4", Status: 301},
+		{From: "http://example.test/4", To: "https://example.test/5", Status: 301},
+	}
+	states := runRule(t, &redirectChainRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusWarn)
+	if !hasCode(states, "http.redirect_chain.too_long") {
+		t.Errorf("expected redirect_chain.too_long: %+v", states)
+	}
+}
+
+func TestRedirectChainRule_LoopTakesPrecedenceOverDowngrade(t *testing.T) {
+	// When both anomalies are present, the loop is reported first since
+	// it explains downstream weirdness.
+	p := httpsProbe("a:443")
+	p.RedirectChain = []RedirectStep{
+		{From: "https://example.test/x", To: "http://example.test/x", Status: 302},
+		{From: "http://example.test/x", To: "https://example.test/x", Status: 302},
+	}
+	states := runRule(t, &redirectChainRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusWarn)
+	if !hasCode(states, "http.redirect_chain.loop") {
+		t.Errorf("expected loop to take precedence: %+v", states)
+	}
+}
+
+func TestRedirectPermanenceRule_NoProbes(t *testing.T) {
+	states := runRule(t, &redirectPermanenceRule{}, &HTTPData{Probes: []HTTPProbe{httpsProbe("a:443")}}, nil)
+	mustStatus(t, states, sdk.StatusUnknown)
+}
+
+func TestRedirectPermanenceRule_NoRedirect(t *testing.T) {
+	p := httpProbe("a:80")
+	p.StatusCode = 200
+	states := runRule(t, &redirectPermanenceRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusOK)
+}
+
+func TestRedirectPermanenceRule_Permanent(t *testing.T) {
+	for _, code := range []int{301, 308} {
+		p := httpProbe("a:80")
+		p.RedirectChain = []RedirectStep{
+			{From: "http://example.test/", To: "https://example.test/", Status: code},
+		}
+		states := runRule(t, &redirectPermanenceRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+		mustStatus(t, states, sdk.StatusOK)
+		if !hasCode(states, "http.redirect_permanence.ok") {
+			t.Errorf("status %d: expected ok: %+v", code, states)
+		}
+	}
+}
+
+func TestRedirectPermanenceRule_Temporary(t *testing.T) {
+	for _, code := range []int{302, 303, 307} {
+		p := httpProbe("a:80")
+		p.RedirectChain = []RedirectStep{
+			{From: "http://example.test/", To: "https://example.test/", Status: code},
+		}
+		states := runRule(t, &redirectPermanenceRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+		mustStatus(t, states, sdk.StatusWarn)
+		if !hasCode(states, "http.redirect_permanence.temporary") {
+			t.Errorf("status %d: expected temporary: %+v", code, states)
+		}
+	}
+}
+
+func TestRedirectPermanenceRule_UnknownStatus(t *testing.T) {
+	p := httpProbe("a:80")
+	p.RedirectChain = []RedirectStep{
+		{From: "http://example.test/", To: "https://example.test/", Status: 0},
+	}
+	states := runRule(t, &redirectPermanenceRule{}, &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusInfo)
+	if !hasCode(states, "http.redirect_permanence.unknown") {
+		t.Errorf("expected redirect_permanence.unknown: %+v", states)
+	}
+}
+
+func TestRedirectPermanenceRule_IgnoresNonUpgradeChain(t *testing.T) {
+	// An HTTP probe whose first hop stays in HTTP (path canonicalisation,
+	// trailing-slash, www stripping before the TLS bump…) is not in scope
+	// for this rule, so a 302 there must not raise a warning. A second
+	// probe is included so the per-probe iteration has another candidate.
+	first := httpProbe("a:80")
+	first.RedirectChain = []RedirectStep{
+		{From: "http://example.test/", To: "http://www.example.test/", Status: 302},
+	}
+	second := httpProbe("b:80")
+	second.RedirectChain = []RedirectStep{
+		{From: "http://example.test/", To: "https://example.test/", Status: 301},
+	}
+	states := runRule(t, &redirectPermanenceRule{}, &HTTPData{Probes: []HTTPProbe{first, second}}, nil)
+	mustStatus(t, states, sdk.StatusOK)
+	if !hasCode(states, "http.redirect_permanence.ok") {
+		t.Errorf("HTTP-only first hop should not trigger a warning: %+v", states)
+	}
+}