blek
/
astraproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #4 from Snawoot/ciphers_options 

Ciphers options
This commit is contained in:
Snawoot 2021-02-26 09:39:03 +02:00 committed by GitHub
parent 6dd28baf6b e16ae281e3
commit 20f676d5cd
Failed to generate hash of commit
7 changed files with 551 additions and 498 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -155,8 +155,14 @@ $ ~/go/bin/dumbproxy -h
CA file to authenticate clients with certificates CA file to authenticate clients with certificates
-cert string -cert string
enable TLS and use certificate enable TLS and use certificate
-ciphers string
colon-separated list of enabled ciphers
-disable-http2
disable HTTP2
-key string -key string
key for TLS certificate key for TLS certificate
-list-ciphers
list ciphersuites
-timeout duration -timeout duration
timeout for network operations (default 10s) timeout for network operations (default 10s)
-verbosity int -verbosity int

19
auth.go
View File

@ -1,16 +1,16 @@
package main package main
import ( import (
"os" "bufio"
"crypto/subtle"
"encoding/base64"
"errors"
"golang.org/x/crypto/bcrypt"
"net/http" "net/http"
"net/url" "net/url"
"errors" "os"
"strings"
"strconv" "strconv"
"encoding/base64" "strings"
"crypto/subtle"
"golang.org/x/crypto/bcrypt"
"bufio"
) )
const AUTH_REQUIRED_MSG = "Proxy authentication required.\n" const AUTH_REQUIRED_MSG = "Proxy authentication required.\n"
@ -182,14 +182,13 @@ func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
return false return false
} }
type NoAuth struct {} type NoAuth struct{}
func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool { func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
return true return true
} }
type CertAuth struct{}
type CertAuth struct {}
func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool { func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 { if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 {

12
condlog.go
View File

@ -1,8 +1,8 @@
package main package main
import ( import (
"log"
"fmt" "fmt"
"log"
) )
const ( const (
@ -34,23 +34,23 @@ func (cl *CondLogger) log(verb int, format string, v ...interface{}) error {
} }
func (cl *CondLogger) Critical(s string, v ...interface{}) error { func (cl *CondLogger) Critical(s string, v ...interface{}) error {
return cl.log(CRITICAL, "CRITICAL " + s, v...) return cl.log(CRITICAL, "CRITICAL "+s, v...)
} }
func (cl *CondLogger) Error(s string, v ...interface{}) error { func (cl *CondLogger) Error(s string, v ...interface{}) error {
return cl.log(ERROR, "ERROR " + s, v...) return cl.log(ERROR, "ERROR "+s, v...)
} }
func (cl *CondLogger) Warning(s string, v ...interface{}) error { func (cl *CondLogger) Warning(s string, v ...interface{}) error {
return cl.log(WARNING, "WARNING " + s, v...) return cl.log(WARNING, "WARNING "+s, v...)
} }
func (cl *CondLogger) Info(s string, v ...interface{}) error { func (cl *CondLogger) Info(s string, v ...interface{}) error {
return cl.log(INFO, "INFO " + s, v...) return cl.log(INFO, "INFO "+s, v...)
} }
func (cl *CondLogger) Debug(s string, v ...interface{}) error { func (cl *CondLogger) Debug(s string, v ...interface{}) error {
return cl.log(DEBUG, "DEBUG " + s, v...) return cl.log(DEBUG, "DEBUG "+s, v...)
} }
func NewCondLogger(logger *log.Logger, verbosity int) *CondLogger { func NewCondLogger(logger *log.Logger, verbosity int) *CondLogger {

10
handler.go
View File

@ -1,13 +1,13 @@
package main package main
import ( import (
"net" "context"
"fmt" "fmt"
"time" "net"
"net/http" "net/http"
"strings" "strings"
"context"
"sync" "sync"
"time"
) )
type ProxyHandler struct { type ProxyHandler struct {
@ -108,8 +108,8 @@ func (s *ProxyHandler) isLoopback(req *http.Request) (string, bool) {
func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) { func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
s.logger.Info("Request: %v %v %v %v", req.RemoteAddr, req.Proto, req.Method, req.URL) s.logger.Info("Request: %v %v %v %v", req.RemoteAddr, req.Proto, req.Method, req.URL)
if originator, isLoopback := s.isLoopback(req) ; isLoopback { if originator, isLoopback := s.isLoopback(req); isLoopback {
s.logger.Critical("Loopback tunnel detected: %s is an outbound " + s.logger.Critical("Loopback tunnel detected: %s is an outbound "+
"address for another request from %s", req.RemoteAddr, originator) "address for another request from %s", req.RemoteAddr, originator)
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest) http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
return return

2
logwriter.go
View File

@ -1,8 +1,8 @@
package main package main
import ( import (
"io"
"errors" "errors"
"io"
"time" "time"
) )

40
main.go
View File

@ -1,12 +1,13 @@
package main package main
import ( import (
"log" "crypto/tls"
"os"
"fmt"
"flag" "flag"
"time" "fmt"
"log"
"net/http" "net/http"
"os"
"time"
) )
func perror(msg string) { func perror(msg string) {
@ -27,19 +28,30 @@ type CLIArgs struct {
verbosity int verbosity int
timeout time.Duration timeout time.Duration
cert, key, cafile string cert, key, cafile string
list_ciphers bool
ciphers string
disableHTTP2 bool
} }
func list_ciphers() {
for _, cipher := range tls.CipherSuites() {
fmt.Println(cipher.Name)
}
}
func parse_args() CLIArgs { func parse_args() CLIArgs {
var args CLIArgs var args CLIArgs
flag.StringVar(&args.bind_address, "bind-address", ":8080", "HTTP proxy listen address") flag.StringVar(&args.bind_address, "bind-address", ":8080", "HTTP proxy listen address")
flag.StringVar(&args.auth, "auth", "none://", "auth parameters") flag.StringVar(&args.auth, "auth", "none://", "auth parameters")
flag.IntVar(&args.verbosity, "verbosity", 20, "logging verbosity " + flag.IntVar(&args.verbosity, "verbosity", 20, "logging verbosity "+
"(10 - debug, 20 - info, 30 - warning, 40 - error, 50 - critical)") "(10 - debug, 20 - info, 30 - warning, 40 - error, 50 - critical)")
flag.DurationVar(&args.timeout, "timeout", 10 * time.Second, "timeout for network operations") flag.DurationVar(&args.timeout, "timeout", 10*time.Second, "timeout for network operations")
flag.StringVar(&args.cert, "cert", "", "enable TLS and use certificate") flag.StringVar(&args.cert, "cert", "", "enable TLS and use certificate")
flag.StringVar(&args.key, "key", "", "key for TLS certificate") flag.StringVar(&args.key, "key", "", "key for TLS certificate")
flag.StringVar(&args.cafile, "cafile", "", "CA file to authenticate clients with certificates") flag.StringVar(&args.cafile, "cafile", "", "CA file to authenticate clients with certificates")
flag.BoolVar(&args.list_ciphers, "list-ciphers", false, "list ciphersuites")
flag.StringVar(&args.ciphers, "ciphers", "", "colon-separated list of enabled ciphers")
flag.BoolVar(&args.disableHTTP2, "disable-http2", false, "disable HTTP2")
flag.Parse() flag.Parse()
return args return args
} }
@ -47,14 +59,19 @@ func parse_args() CLIArgs {
func run() int { func run() int {
args := parse_args() args := parse_args()
if args.list_ciphers {
list_ciphers()
return 0
}
logWriter := NewLogWriter(os.Stderr) logWriter := NewLogWriter(os.Stderr)
defer logWriter.Close() defer logWriter.Close()
mainLogger := NewCondLogger(log.New(logWriter, "MAIN : ", mainLogger := NewCondLogger(log.New(logWriter, "MAIN : ",
log.LstdFlags | log.Lshortfile), log.LstdFlags|log.Lshortfile),
args.verbosity) args.verbosity)
proxyLogger := NewCondLogger(log.New(logWriter, "PROXY : ", proxyLogger := NewCondLogger(log.New(logWriter, "PROXY : ",
log.LstdFlags | log.Lshortfile), log.LstdFlags|log.Lshortfile),
args.verbosity) args.verbosity)
auth, err := NewAuth(args.auth) auth, err := NewAuth(args.auth)
@ -66,13 +83,17 @@ func run() int {
server := http.Server{ server := http.Server{
Addr: args.bind_address, Addr: args.bind_address,
Handler: NewProxyHandler(args.timeout, auth, proxyLogger), Handler: NewProxyHandler(args.timeout, auth, proxyLogger),
ErrorLog: log.New(logWriter, "HTTPSRV : ", log.LstdFlags | log.Lshortfile), ErrorLog: log.New(logWriter, "HTTPSRV : ", log.LstdFlags|log.Lshortfile),
ReadTimeout: 0, ReadTimeout: 0,
ReadHeaderTimeout: 0, ReadHeaderTimeout: 0,
WriteTimeout: 0, WriteTimeout: 0,
IdleTimeout: 0, IdleTimeout: 0,
} }
if args.disableHTTP2 {
server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
}
mainLogger.Info("Starting proxy server...") mainLogger.Info("Starting proxy server...")
if args.cert != "" { if args.cert != "" {
cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile) cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile)
@ -80,6 +101,7 @@ func run() int {
mainLogger.Critical("TLS config construction failed: %v", err) mainLogger.Critical("TLS config construction failed: %v", err)
return 3 return 3
} }
cfg.CipherSuites = makeCipherList(args.ciphers)
server.TLSConfig = cfg server.TLSConfig = cfg
err = server.ListenAndServeTLS("", "") err = server.ListenAndServeTLS("", "")
} else { } else {

50
utils.go
View File

@ -1,24 +1,26 @@
package main package main
import ( import (
"context"
"net"
"sync"
"io"
"time"
"errors"
"net/http"
"bufio" "bufio"
"context"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"errors"
"io"
"io/ioutil" "io/ioutil"
"log"
"net"
"net/http"
"strings"
"sync"
"time"
) )
const COPY_BUF = 128 * 1024 const COPY_BUF = 128 * 1024
func proxy(ctx context.Context, left, right net.Conn) { func proxy(ctx context.Context, left, right net.Conn) {
wg := sync.WaitGroup{} wg := sync.WaitGroup{}
cpy := func (dst, src net.Conn) { cpy := func(dst, src net.Conn) {
defer wg.Done() defer wg.Done()
io.Copy(dst, src) io.Copy(dst, src)
dst.Close() dst.Close()
@ -29,7 +31,7 @@ func proxy(ctx context.Context, left, right net.Conn) {
groupdone := make(chan struct{}, 1) groupdone := make(chan struct{}, 1)
go func() { go func() {
wg.Wait() wg.Wait()
groupdone <-struct{}{} groupdone <- struct{}{}
}() }()
select { select {
case <-ctx.Done(): case <-ctx.Done():
@ -44,12 +46,12 @@ func proxy(ctx context.Context, left, right net.Conn) {
func proxyh2(ctx context.Context, leftreader io.ReadCloser, leftwriter io.Writer, right net.Conn) { func proxyh2(ctx context.Context, leftreader io.ReadCloser, leftwriter io.Writer, right net.Conn) {
wg := sync.WaitGroup{} wg := sync.WaitGroup{}
ltr := func (dst net.Conn, src io.Reader) { ltr := func(dst net.Conn, src io.Reader) {
defer wg.Done() defer wg.Done()
io.Copy(dst, src) io.Copy(dst, src)
dst.Close() dst.Close()
} }
rtl := func (dst io.Writer, src io.Reader) { rtl := func(dst io.Writer, src io.Reader) {
defer wg.Done() defer wg.Done()
copyBody(dst, src) copyBody(dst, src)
} }
@ -59,7 +61,7 @@ func proxyh2(ctx context.Context, leftreader io.ReadCloser, leftwriter io.Writer
groupdone := make(chan struct{}, 1) groupdone := make(chan struct{}, 1)
go func() { go func() {
wg.Wait() wg.Wait()
groupdone <-struct{}{} groupdone <- struct{}{}
}() }()
select { select {
case <-ctx.Done(): case <-ctx.Done():
@ -163,3 +165,27 @@ func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error)
} }
return &cfg, nil return &cfg, nil
} }
func makeCipherList(ciphers string) []uint16 {
if ciphers == "" {
return nil
}
cipherIDs := make(map[string]uint16)
for _, cipher := range tls.CipherSuites() {
cipherIDs[cipher.Name] = cipher.ID
}
cipherNameList := strings.Split(ciphers, ":")
cipherIDList := make([]uint16, 0, len(cipherNameList))
for _, name := range cipherNameList {
id, ok := cipherIDs[name]
if !ok {
log.Printf("WARNING: Unknown cipher \"%s\"", name)
}
cipherIDList = append(cipherIDList, id)
}
return cipherIDList
}