Add http_port range validation (0 or 1-65535)

Change http_port type from u16 to u32 to allow out-of-range values to be caught by validation. Add HttpPortInvalid error variant and validation check for http_port > 65535. Add test for http_port=65536 producing HttpPortInvalid. http_port=0 (disabled) remains valid per existing test.
2026-06-12 04:28:35 +00:00
parent 53ef5b32c3
commit d24148dae9
3 changed files with 33 additions and 9 deletions
--- a/src/config/static_config.rs
+++ b/src/config/static_config.rs
@@ -33,7 +33,7 @@ pub fn default_shutdown_timeout_secs() -> u64 {
 pub struct ListenerConfig {
    pub bind_addr: String,
    #[serde(default = "default_http_port")]
-    pub http_port: u16,
+    pub http_port: u32,
    #[serde(default = "default_https_port")]
    pub https_port: u16,
    pub tls: TlsConfig,
@@ -42,7 +42,7 @@ pub struct ListenerConfig {
 }

 #[allow(dead_code)]
-fn default_http_port() -> u16 {
+fn default_http_port() -> u32 {
    80
 }

--- a/src/config/validation.rs
+++ b/src/config/validation.rs
@@ -41,19 +41,19 @@ pub enum ValidationError {
    #[error("body.limit_bytes must be > 0, got {value}")]
    BodyLimitBytesZero { value: u64 },
    #[error("duplicate bind_addr:http_port combination: {bind_addr}:{http_port}")]
-    DuplicateHttpBind { bind_addr: String, http_port: u16 },
+    DuplicateHttpBind { bind_addr: String, http_port: u32 },
    #[error(
        "listener {bind_addr}: http_port ({http_port}) and https_port ({https_port}) must differ"
    )]
    HttpsAndHttpPortSame {
        bind_addr: String,
-        http_port: u16,
+        http_port: u32,
        https_port: u16,
    },
    #[error("listener {bind_addr}: https_port must be 1-65535, got {https_port}")]
    HttpsPortInvalid { bind_addr: String, https_port: u16 },
    #[error("listener {bind_addr}: http_port must be 0 (disabled) or 1-65535, got {http_port}")]
-    HttpPortInvalid { bind_addr: String, http_port: u16 },
+    HttpPortInvalid { bind_addr: String, http_port: u32 },
    #[error("health_check_port {health_check_port} conflicts with listener {bind_addr}:{port}")]
    HealthCheckPortConflict {
        health_check_port: u16,
@@ -120,7 +120,14 @@ pub fn validate(
            });
        }

-        if listener.http_port > 0 && listener.http_port == listener.https_port {
+        if listener.http_port > 65535 {
+            errors.push(ValidationError::HttpPortInvalid {
+                bind_addr: listener.bind_addr.clone(),
+                http_port: listener.http_port,
+            });
+        }
+
+        if listener.http_port > 0 && listener.http_port == listener.https_port as u32 {
            errors.push(ValidationError::HttpsAndHttpPortSame {
                bind_addr: listener.bind_addr.clone(),
                http_port: listener.http_port,
@@ -175,11 +182,14 @@ pub fn validate(
                    port: listener.https_port,
                });
            }
-            if listener.http_port > 0 && static_config.health_check_port == listener.http_port {
+            if listener.http_port > 0
+                && listener.http_port <= 65535
+                && static_config.health_check_port as u32 == listener.http_port
+            {
                errors.push(ValidationError::HealthCheckPortConflict {
                    health_check_port: static_config.health_check_port,
                    bind_addr: listener.bind_addr.clone(),
-                    port: listener.http_port,
+                    port: listener.http_port as u16,
                });
            }
        }
@@ -710,6 +720,20 @@ mod tests {
            .any(|e| matches!(e, ValidationError::HttpsPortInvalid { .. })));
    }

+    #[test]
+    fn rule13_http_port_invalid() {
+        let mut config = valid_static_config();
+        config.listeners[0].http_port = 65536;
+        config.listeners[0].tls = make_acme_tls();
+        let dynamic = valid_dynamic_config();
+        let result = validate(&config, &dynamic, false);
+        assert!(result.is_err());
+        let errors = result.unwrap_err();
+        assert!(errors
+            .iter()
+            .any(|e| matches!(e, ValidationError::HttpPortInvalid { .. })));
+    }
+
    #[test]
    fn rule13_http_port_disabled_valid() {
        let mut config = valid_static_config();
--- a/tests/integration_test.rs
+++ b/tests/integration_test.rs
@@ -259,7 +259,7 @@ async fn test_rate_limit_eviction_task() {

 fn make_redirect_listener_config(
    bind_addr: &str,
-    http_port: u16,
+    http_port: u32,
    https_port: u16,
 ) -> reverse_proxy::config::static_config::ListenerConfig {
    reverse_proxy::config::static_config::ListenerConfig {