blek
/
astraproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #4 from Snawoot/ciphers_options 

Ciphers options
This commit is contained in:
Snawoot 2021-02-26 09:39:03 +02:00 committed by GitHub
parent 6dd28baf6b e16ae281e3
commit 20f676d5cd
Failed to generate hash of commit
7 changed files with 551 additions and 498 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -155,8 +155,14 @@ $ ~/go/bin/dumbproxy -h
CA file to authenticate clients with certificates CA file to authenticate clients with certificates
-cert string -cert string
enable TLS and use certificate enable TLS and use certificate
-ciphers string
colon-separated list of enabled ciphers
-disable-http2
disable HTTP2
-key string -key string
key for TLS certificate key for TLS certificate
-list-ciphers
list ciphersuites
-timeout duration -timeout duration
timeout for network operations (default 10s) timeout for network operations (default 10s)
-verbosity int -verbosity int

15
auth.go
View File

@ -1,16 +1,16 @@
package main package main
import ( import (
"os" "bufio"
"crypto/subtle"
"encoding/base64"
"errors"
"golang.org/x/crypto/bcrypt"
"net/http" "net/http"
"net/url" "net/url"
"errors" "os"
"strings"
"strconv" "strconv"
"encoding/base64" "strings"
"crypto/subtle"
"golang.org/x/crypto/bcrypt"
"bufio"
) )
const AUTH_REQUIRED_MSG = "Proxy authentication required.\n" const AUTH_REQUIRED_MSG = "Proxy authentication required.\n"
@ -188,7 +188,6 @@ func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
return true return true
} }
type CertAuth struct{} type CertAuth struct{}
func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool { func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {

2
condlog.go
View File

@ -1,8 +1,8 @@
package main package main
import ( import (
"log"
"fmt" "fmt"
"log"
) )
const ( const (

6
handler.go
View File

@ -1,13 +1,13 @@
package main package main
import ( import (
"net" "context"
"fmt" "fmt"
"time" "net"
"net/http" "net/http"
"strings" "strings"
"context"
"sync" "sync"
"time"
) )
type ProxyHandler struct { type ProxyHandler struct {

2
logwriter.go
View File

@ -1,8 +1,8 @@
package main package main
import ( import (
"io"
"errors" "errors"
"io"
"time" "time"
) )

30
main.go
View File

@ -1,12 +1,13 @@
package main package main
import ( import (
"log" "crypto/tls"
"os"
"fmt"
"flag" "flag"
"time" "fmt"
"log"
"net/http" "net/http"
"os"
"time"
) )
func perror(msg string) { func perror(msg string) {
@ -27,8 +28,16 @@ type CLIArgs struct {
verbosity int verbosity int
timeout time.Duration timeout time.Duration
cert, key, cafile string cert, key, cafile string
list_ciphers bool
ciphers string
disableHTTP2 bool
} }
func list_ciphers() {
for _, cipher := range tls.CipherSuites() {
fmt.Println(cipher.Name)
}
}
func parse_args() CLIArgs { func parse_args() CLIArgs {
var args CLIArgs var args CLIArgs
@ -40,6 +49,9 @@ func parse_args() CLIArgs {
flag.StringVar(&args.cert, "cert", "", "enable TLS and use certificate") flag.StringVar(&args.cert, "cert", "", "enable TLS and use certificate")
flag.StringVar(&args.key, "key", "", "key for TLS certificate") flag.StringVar(&args.key, "key", "", "key for TLS certificate")
flag.StringVar(&args.cafile, "cafile", "", "CA file to authenticate clients with certificates") flag.StringVar(&args.cafile, "cafile", "", "CA file to authenticate clients with certificates")
flag.BoolVar(&args.list_ciphers, "list-ciphers", false, "list ciphersuites")
flag.StringVar(&args.ciphers, "ciphers", "", "colon-separated list of enabled ciphers")
flag.BoolVar(&args.disableHTTP2, "disable-http2", false, "disable HTTP2")
flag.Parse() flag.Parse()
return args return args
} }
@ -47,6 +59,11 @@ func parse_args() CLIArgs {
func run() int { func run() int {
args := parse_args() args := parse_args()
if args.list_ciphers {
list_ciphers()
return 0
}
logWriter := NewLogWriter(os.Stderr) logWriter := NewLogWriter(os.Stderr)
defer logWriter.Close() defer logWriter.Close()
@ -73,6 +90,10 @@ func run() int {
IdleTimeout: 0, IdleTimeout: 0,
} }
if args.disableHTTP2 {
server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
}
mainLogger.Info("Starting proxy server...") mainLogger.Info("Starting proxy server...")
if args.cert != "" { if args.cert != "" {
cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile) cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile)
@ -80,6 +101,7 @@ func run() int {
mainLogger.Critical("TLS config construction failed: %v", err) mainLogger.Critical("TLS config construction failed: %v", err)
return 3 return 3
} }
cfg.CipherSuites = makeCipherList(args.ciphers)
server.TLSConfig = cfg server.TLSConfig = cfg
err = server.ListenAndServeTLS("", "") err = server.ListenAndServeTLS("", "")
} else { } else {

40
utils.go
View File

@ -1,17 +1,19 @@
package main package main
import ( import (
"context"
"net"
"sync"
"io"
"time"
"errors"
"net/http"
"bufio" "bufio"
"context"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"errors"
"io"
"io/ioutil" "io/ioutil"
"log"
"net"
"net/http"
"strings"
"sync"
"time"
) )
const COPY_BUF = 128 * 1024 const COPY_BUF = 128 * 1024
@ -163,3 +165,27 @@ func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error)
} }
return &cfg, nil return &cfg, nil
} }
func makeCipherList(ciphers string) []uint16 {
if ciphers == "" {
return nil
}
cipherIDs := make(map[string]uint16)
for _, cipher := range tls.CipherSuites() {
cipherIDs[cipher.Name] = cipher.ID
}
cipherNameList := strings.Split(ciphers, ":")
cipherIDList := make([]uint16, 0, len(cipherNameList))
for _, name := range cipherNameList {
id, ok := cipherIDs[name]
if !ok {
log.Printf("WARNING: Unknown cipher \"%s\"", name)
}
cipherIDList = append(cipherIDList, id)
}
return cipherIDList
}