Background
For security purposes, I am currently working on a project that covers various passive HTTP fingerprinting techniques. Some aspects of the request I plan to fingerprint are the client hello, header order, HTTP2 frame settings and HTTP2 pseudo-header order. So far I have implemented a solution that retrieves the cipher suites, compression methods and extensions from the client hello by extending Jetty's org.eclipse.jetty.util.ssl.SslContextFactory.Server class to wrap the SSLEngine instance. I can then access the client hello data in a Zuul filter as follows:
```java
// Jetty exposes the TLS session of the connection under this request attribute
private static final String SSL_SESSION_ATTRIBUTE = "org.eclipse.jetty.servlet.request.ssl_session";

@Override
public Object run() {
    RequestContext ctx = RequestContext.getCurrentContext();
    HttpServletRequest request = ctx.getRequest();
    SSLSession sslSession = (SSLSession) request.getAttribute(SSL_SESSION_ATTRIBUTE);
    // "client-hello" is the value the wrapped SSLEngine stored on the session during the handshake
    ClientHello clientHello = (ClientHello) sslSession.getValue("client-hello");
    return null;
}
```
For more information on HTTP2 fingerprinting:
Question
Despite the detailed documentation for Spring, Netflix and the Jetty server, I have been unable to find a way to implement a similar solution for retrieving the HTTP2 frame settings.
Posted on 2021-08-27 00:35:20
A minimal code example to elaborate on @sbordet's answer.
> You can extend HTTP2ServerConnectionFactory and override protected ServerSessionListener newSessionListener(Connector connector, EndPoint endPoint) to return a custom implementation (which may delegate to the original implementation).
MyServerSessionListener.java
```java
import java.util.Map;
import com.netflix.zuul.context.RequestContext;
import org.eclipse.jetty.http2.api.Session;
import org.eclipse.jetty.http2.api.server.ServerSessionListener;
import org.eclipse.jetty.http2.frames.SettingsFrame;

public class MyServerSessionListener implements ServerSessionListener {
    private final ServerSessionListener delegate;

    public MyServerSessionListener(ServerSessionListener delegate) {
        this.delegate = delegate;
    }

    // ... the other ServerSessionListener callbacks delegate in the same way

    @Override
    public void onSettings(Session session, SettingsFrame settingsFrame) {
        // identifier -> value map of the SETTINGS frame the client sent
        Map<Integer, Integer> settings = settingsFrame.getSettings();
        // RequestContext is thread-local; the filter sees this value only if it runs on the thread that handled the frame
        RequestContext context = RequestContext.getCurrentContext();
        context.set("http2-frame-settings", settings);
        delegate.onSettings(session, settingsFrame);
    }
}
```
MyHTTP2ServerConnectionFactory.java
```java
import org.eclipse.jetty.http2.api.server.ServerSessionListener;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;

public class MyHTTP2ServerConnectionFactory extends HTTP2ServerConnectionFactory {
    public MyHTTP2ServerConnectionFactory(HttpConfiguration httpConfiguration) {
        super(httpConfiguration);
    }

    public MyHTTP2ServerConnectionFactory(HttpConfiguration httpConfiguration, String... protocols) {
        super(httpConfiguration, protocols);
    }

    @Override
    protected ServerSessionListener newSessionListener(Connector connector, EndPoint endPoint) {
        // wrap Jetty's own listener so every frame callback still reaches it
        ServerSessionListener delegate = super.newSessionListener(connector, endPoint);
        return new MyServerSessionListener(delegate);
    }
}
```
MyFilter.java
```java
import java.util.Map;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

public class MyFilter extends ZuulFilter {
    // ... filterType(), filterOrder() and shouldFilter() as usual

    @Override
    @SuppressWarnings("unchecked")
    public Object run() {
        RequestContext context = RequestContext.getCurrentContext();
        // value stored by MyServerSessionListener.onSettings()
        Map<Integer, Integer> http2FrameSettings = (Map<Integer, Integer>) context.get("http2-frame-settings");
        return null;
    }
}
```
Posted on 2021-08-26 14:39:34
You can extend HTTP2ServerConnectionFactory and override protected ServerSessionListener newSessionListener(Connector connector, EndPoint endPoint) to return a custom implementation (which may delegate to the original implementation).
In this way you have access to the low-level HTTP/2 frames (as objects, not in byte format), which may allow you to fingerprint the client.
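The SETTINGS values that the listener above receives as a Map also have a fixed wire layout. As an added example (not from either answer and not Jetty code), the Python below parses a constructed SETTINGS frame, applies the validity checks RFC 7540 requires for that frame, and renders the entries in the order the client sent them as an "id:value" fingerprint string; SAMPLE_FRAME and its values are constructed, not captured.

```python
import struct

FRAME_TYPE_SETTINGS = 0x4           # RFC 7540 section 6.5
MAX_INITIAL_WINDOW_SIZE = 2**31 - 1
SETTINGS_NAMES = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
                  4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}

def parse_settings_frame(data: bytes) -> list:
    """Parse one SETTINGS frame (9-byte header + 6-byte entries) and return its
    (identifier, value) pairs in wire order; the order is part of the fingerprint."""
    if len(data) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(data[0:3], "big")
    frame_type, flags = data[3], data[4]
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
    if frame_type != FRAME_TYPE_SETTINGS:
        raise ValueError(f"not a SETTINGS frame: type 0x{frame_type:x}")
    if stream_id != 0:
        raise ValueError("SETTINGS must use stream 0")          # PROTOCOL_ERROR
    if flags & 0x1 and length != 0:
        raise ValueError("SETTINGS ACK must carry no payload")  # FRAME_SIZE_ERROR
    if length % 6 != 0 or len(data) < 9 + length:
        raise ValueError("bad SETTINGS payload length")         # FRAME_SIZE_ERROR
    entries = []
    for off in range(9, 9 + length, 6):
        ident, value = struct.unpack("!HI", data[off:off + 6])
        if ident == 4 and value > MAX_INITIAL_WINDOW_SIZE:
            raise ValueError("INITIAL_WINDOW_SIZE out of range")  # FLOW_CONTROL_ERROR
        entries.append((ident, value))
    return entries

def settings_fingerprint(entries) -> str:
    """Render ordered settings as 'id:value;id:value', the usual SETTINGS fingerprint form."""
    return ";".join(f"{i}:{v}" for i, v in entries)

# Constructed sample (not a capture): four settings as a client might send after the preface.
SAMPLE_FRAME = bytes.fromhex(
    "000018" "04" "00" "00000000"   # length 24, type SETTINGS, no flags, stream 0
    "0001" "00010000"               # HEADER_TABLE_SIZE = 65536
    "0003" "000003e8"               # MAX_CONCURRENT_STREAMS = 1000
    "0004" "00600000"               # INITIAL_WINDOW_SIZE = 6291456
    "0006" "00040000"               # MAX_HEADER_LIST_SIZE = 262144
)

if __name__ == "__main__":
    parsed = parse_settings_frame(SAMPLE_FRAME)
    for ident, value in parsed:
        print(SETTINGS_NAMES.get(ident, f"UNKNOWN_{ident}"), value)
    print(settings_fingerprint(parsed))  # 1:65536;3:1000;4:6291456;6:262144
```

Jetty's settingsFrame.getSettings() hands you the same identifier/value pairs already decoded, so the fingerprint string can be built directly from that Map in the listener.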
https://stackoverflow.com/questions/68924189