From dc09c49cad817ea3ef9616a7e40f920aff63b1a7 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 20 Nov 2018 16:59:41 +0000
Subject: [PATCH] [Feature] Allow to require encryption when accepting connections
---
 src/worker.c | 29 ++++++++---------------------
 src/worker_private.h | 8 ++------
 2 files changed, 10 insertions(+), 27 deletions(-)
diff --git a/src/worker.c b/src/worker.c
index 544f05cbd4..9778cee088 100644
--- a/src/worker.c
+++ b/src/worker.c
@@ -342,7 +342,7 @@ accept_socket (gint fd, short what, void *arg)
 struct rspamd_worker_ctx *ctx;
 struct rspamd_task *task;
 rspamd_inet_addr_t *addr;
- gint nfd;
+ gint nfd, http_opts = 0;
 ctx = worker->ctx;
@@ -386,10 +386,14 @@ accept_socket (gint fd, short what, void *arg)
 /* TODO: allow to disable autolearn in protocol */
 task->flags |= RSPAMD_TASK_FLAG_LEARN_AUTO;
+ if (ctx->encrypted_only && !rspamd_inet_address_is_local (addr, FALSE)) {
+ http_opts = RSPAMD_HTTP_REQUIRE_ENCRYPTION;
+ }
+
 task->http_conn = rspamd_http_connection_new (rspamd_worker_body_handler,
 rspamd_worker_error_handler,
 rspamd_worker_finish_handler,
- 0,
+ http_opts,
 RSPAMD_HTTP_SERVER,
 ctx->keys_cache,
 NULL);
@@ -547,30 +551,13 @@ init_worker (struct rspamd_config *cfg)
 rspamd_rcl_register_worker_option (cfg,
 type,
- "http",
+ "encrypted_only",
 rspamd_rcl_parse_struct_boolean,
 ctx,
- G_STRUCT_OFFSET (struct rspamd_worker_ctx, is_http),
+ G_STRUCT_OFFSET (struct rspamd_worker_ctx, encrypted_only),
 0,
 "Deprecated: always true now");
- rspamd_rcl_register_worker_option (cfg,
- type,
- "json",
- rspamd_rcl_parse_struct_boolean,
- ctx,
- G_STRUCT_OFFSET (struct rspamd_worker_ctx, is_json),
- 0,
- "Deprecated: always true now");
-
- rspamd_rcl_register_worker_option (cfg,
- type,
- "allow_learn",
- rspamd_rcl_parse_struct_boolean,
- ctx,
- G_STRUCT_OFFSET (struct rspamd_worker_ctx, allow_learn),
- 0,
- "Deprecated: disabled and forgotten");
 rspamd_rcl_register_worker_option (cfg,
 type,
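Review bot: The exemption in the added `if (ctx->encrypted_only && !rspamd_inet_address_is_local (addr, FALSE))` rests on the peer address alone, so where a reverse proxy or port forwarder on the same host fronts this worker, every remote client would presumably arrive as a local peer and `RSPAMD_HTTP_REQUIRE_ENCRYPTION` would never be set for it. That limit should be stated next to the check, for example `/* Local peers are exempt; a local proxy in front of the worker bypasses encrypted_only */`, and repeated in the option's documentation. The hunk does not show what happens to a plaintext request once the flag is set; if the refusal is not already logged with the peer address, it probably should be, so operators can see which clients were turned away. accept_socket's body starts and ends outside the hunk.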
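Review bot: The new `encrypted_only` option in init_worker is registered with the help string `"Deprecated: always true now"`, carried over from the `http` option it replaces, which tells an administrator that a newly added security setting is deprecated and already on. A string such as `"Allow only encrypted connections from non-local clients"` would describe what the check in accept_socket does. The same hunk drops the `http`, `json` and `allow_learn` registrations; whether configurations that still set those keys are now rejected depends on how unknown worker options are handled, which is not visible here, so that deserves a check or a changelog line. init_worker's body continues outside the hunk.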
diff --git a/src/worker_private.h b/src/worker_private.h
index fe4a6c4b39..f07a95b412 100644
--- a/src/worker_private.h
+++ b/src/worker_private.h
@@ -40,12 +40,8 @@ struct rspamd_worker_ctx {
 struct timeval io_tv;
 /* Detect whether this worker is mime worker */
 gboolean is_mime;
- /* HTTP worker */
- gboolean is_http;
- /* JSON output */
- gboolean is_json;
- /* Allow learning through worker */
- gboolean allow_learn;
+ /* Allow encrypted requests only using network */
+ gboolean encrypted_only;
 /* Limit of tasks */
 guint32 max_tasks;
 /* Maximum time for task processing */
-- 
2.47.3
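Review bot: The field comment `/* Allow encrypted requests only using network */` is ambiguous and does not say that local peers are exempt, which is what the check added to accept_socket in src/worker.c implements. Suggest `/* Require encryption for requests from non-local peers */`. The hunk also removes `is_http`, `is_json` and `allow_learn`; any remaining users of those fields outside the two files in this patch would no longer compile, which cannot be confirmed from here. struct rspamd_worker_ctx starts and ends outside the hunk.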