add a patch to send index.html when visiting astra.blek.codes

TLS version options

Dockerfile

@@ -22,6 +22,7 @@ FROM alpine AS alpine
 COPY --from=build /go/src/github.com/SenseUnit/dumbproxy/dumbproxy /
 COPY --from=build /certs.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build --chown=9999:9999 /.dumbproxy /.dumbproxy
+RUN apk add --no-cache tzdata
 USER 9999:9999
 EXPOSE 8080/tcp
 ENTRYPOINT ["/dumbproxy", "-bind-address", ":8080"]

README.md

@@ -200,6 +200,10 @@ Usage of /home/user/go/bin/dumbproxy:
     	key for TLS certificate
   -list-ciphers
     	list ciphersuites
+  -max-tls-version value
+    	maximum TLS version accepted by server (default TLS13)
+  -min-tls-version value
+    	minimal TLS version accepted by server (default TLS12)
   -passwd string
     	update given htpasswd file and add/set password for username. Username and password can be passed as positional arguments or requested interactively
   -passwd-cost int

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/tg123/go-htpasswd v1.2.2
-	golang.org/x/crypto v0.17.0
-	golang.org/x/net v0.19.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/net v0.23.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )

go.sum

@@ -38,9 +38,10 @@ github.com/tg123/go-htpasswd v1.2.2/go.mod h1:FcIrK0J+6zptgVwK1JDlqyajW/1B4PtuJ/
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -48,8 +49,9 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -60,14 +62,18 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

handler.go

@@ -129,6 +129,10 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
 	isConnect := strings.ToUpper(req.Method) == "CONNECT"
 	if (req.URL.Host == "" || req.URL.Scheme == "" && !isConnect) && req.ProtoMajor < 2 ||
 		req.Host == "" && req.ProtoMajor == 2 {
+		if req.Host == "astra.blek.codes" && req.URL.Host == "astra.blek.codes" && req.URL.Path == "/" {
+			SendIndex(wr, req)
+			return
+		}
 		http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
 		return
 	}

index.html

@@ -0,0 +1 @@
+<!DOCTYPE html><html><head><link rel="icon" href="data:;base64,="><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/water.css@2/out/dark.css"><meta charset="utf8"><title>blek! Astra</title><style>html,body{font-family:monospace}</style></head><body><h1>blek! Astra</h1><p>hey there!</p><p>this is a proxy that is used to tunnel internal traffic between servers</p><h2>abuse</h2><p>contact <a href='mailto:me@blek.codes'>me@blek.codes</a></p></body></html>

main.go

@@ -52,6 +52,66 @@ func (a *CSVArg) String() string {
 	return strings.Join(*a, ",")
 }
 
+type TLSVersionArg uint16
+
+func (a *TLSVersionArg) Set(s string) error {
+	/*var ver uint16
+	switch strings.ToUpper(s) {
+	case "TLS10":
+		ver = tls.VersionTLS10
+	case "TLS11":
+		ver = tls.VersionTLS11
+	case "TLS12":
+		ver = tls.VersionTLS12
+	case "TLS13":
+		ver = tls.VersionTLS13
+	case "TLS1.0":
+		ver = tls.VersionTLS10
+	case "TLS1.1":
+		ver = tls.VersionTLS11
+	case "TLS1.2":
+		ver = tls.VersionTLS12
+	case "TLS1.3":
+		ver = tls.VersionTLS13
+	case "10":
+		ver = tls.VersionTLS10
+	case "11":
+		ver = tls.VersionTLS11
+	case "12":
+		ver = tls.VersionTLS12
+	case "13":
+		ver = tls.VersionTLS13
+	case "1.0":
+		ver = tls.VersionTLS10
+	case "1.1":
+		ver = tls.VersionTLS11
+	case "1.2":
+		ver = tls.VersionTLS12
+	case "1.3":
+		ver = tls.VersionTLS13
+	case "":
+	default:
+		return fmt.Errorf("unknown TLS version %q", s)
+	}*/
+	*a = TLSVersionArg(tls.VersionTLS13)
+	return nil
+}
+
+func (a *TLSVersionArg) String() string {
+	switch *a {
+	case tls.VersionTLS10:
+		return "TLS10"
+	case tls.VersionTLS11:
+		return "TLS11"
+	case tls.VersionTLS12:
+		return "TLS12"
+	case tls.VersionTLS13:
+		return "TLS13"
+	default:
+		return fmt.Sprintf("%#04x", *a)
+	}
+}
+
 type CLIArgs struct {
 	bind_address      string
 	auth              string
@@ -74,10 +134,15 @@ type CLIArgs struct {
 	proxy             []string
 	sourceIPHints     string
 	userIPHints       bool
+	minTLSVersion     TLSVersionArg
+	maxTLSVersion     TLSVersionArg
 }
 
 func parse_args() CLIArgs {
-	var args CLIArgs
+	args := CLIArgs{
+		minTLSVersion: TLSVersionArg(tls.VersionTLS12),
+		maxTLSVersion: TLSVersionArg(tls.VersionTLS13),
+	}
 	flag.StringVar(&args.bind_address, "bind-address", ":8080", "HTTP proxy listen address. Set empty value to use systemd socket activation.")
 	flag.StringVar(&args.auth, "auth", "none://", "auth parameters")
 	flag.IntVar(&args.verbosity, "verbosity", 20, "logging verbosity "+
@@ -105,6 +170,8 @@ func parse_args() CLIArgs {
 	})
 	flag.StringVar(&args.sourceIPHints, "ip-hints", "", "a comma-separated list of source addresses to use on dial attempts. \"$lAddr\" gets expanded to local address of connection. Example: \"10.0.0.1,fe80::2,$lAddr,0.0.0.0,::\"")
 	flag.BoolVar(&args.userIPHints, "user-ip-hints", false, "allow IP hints to be specified by user in X-Src-IP-Hints header")
+	flag.Var(&args.minTLSVersion, "min-tls-version", "minimal TLS version accepted by server")
+	flag.Var(&args.maxTLSVersion, "max-tls-version", "maximum TLS version accepted by server")
 	flag.Parse()
 	args.positionalArgs = flag.Args()
 	return args
@@ -203,7 +270,8 @@ func run() int {
 	}
 
 	if args.cert != "" {
-		cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile, args.ciphers, !args.disableHTTP2)
+		cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile,
+			args.ciphers, uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
 		if err1 != nil {
 			mainLogger.Critical("TLS config construction failed: %v", err1)
 			return 3
@@ -226,7 +294,8 @@ func run() int {
 			}()
 		}
 		cfg := m.TLSConfig()
-		cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers, !args.disableHTTP2)
+		cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers,
+			uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
 		if err != nil {
 			mainLogger.Critical("TLS config construction failed: %v", err)
 			return 3

pages.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"os"
+
+	_ "embed"
+)
+
+var index string = ""
+
+func SendIndex(wr http.ResponseWriter, req *http.Request) {
+	if index == "" {
+		bytes, err := os.ReadFile("index.html")
+		if err != nil {
+			http.Error(wr, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		index = string(bytes)
+	}
+
+	resp := http.Response{
+		Body:       io.NopCloser(bytes.NewBufferString(index)),
+		StatusCode: 200,
+	}
+	resp.Header = http.Header{}
+	resp.Header.Add("Content-Type", "text/html")
+	resp.Header.Add("Server", "astra")
+	req.Response = &resp
+	copyHeader(wr.Header(), resp.Header)
+	wr.WriteHeader(resp.StatusCode)
+	flush(wr)
+	copyBody(wr, resp.Body)
+}

snapcraft.yaml

@@ -1,6 +1,6 @@
 name: dumbproxy
-version: '1.11.2'
-summary: Dumbiest HTTP proxy ever.
+version: '1.12.0'
+summary: Dumbest HTTP proxy ever.
 description: >
   Dumbiest HTTP proxy ever. See documentation for details:
   https://github.com/SenseUnit/dumbproxy/blob/master/README.md

utils.go

@@ -151,8 +151,11 @@ func copyBody(wr io.Writer, body io.Reader) {
 	}
 }
 
-func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, h2 bool) (*tls.Config, error) {
-	var cfg tls.Config
+func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
+	cfg := tls.Config{
+		MinVersion: minVer,
+		MaxVersion: maxVer,
+	}
 	cert, err := tls.LoadX509KeyPair(certfile, keyfile)
 	if err != nil {
 		return nil, err
@@ -179,7 +182,7 @@ func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, h2 bool) (*t
 	return &cfg, nil
 }
 
-func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, h2 bool) (*tls.Config, error) {
+func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
 	if cafile != "" {
 		roots := x509.NewCertPool()
 		certs, err := ioutil.ReadFile(cafile)
@@ -198,6 +201,8 @@ func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, h2 bool) (*t
 	} else {
 		cfg.NextProtos = []string{"http/1.1", "acme-tls/1"}
 	}
+	cfg.MinVersion = minVer
+	cfg.MaxVersion = maxVer
 	return cfg, nil
 }