authelia attempt failed

.gitignore

@@ -1,6 +1,10 @@
 lz4
 rclone
 rcloner
+exec
+exec-*
+**/exec
+**/exec-*
 Go
 cloudly
 dockfile

Dockerfile

@@ -0,0 +1,16 @@
+
+FROM golang:1.13-alpine as certs
+RUN apk update && apk add --no-cache ca-certificates
+
+FROM busybox:glibc
+RUN mkdir -p /var/log
+WORKDIR /main
+COPY --from=certs /etc/ssl/certs /etc/ssl/certs
+
+COPY . .
+
+ENV GOPATH=""
+ENV MNT="/mnt/"
+ENTRYPOINT ["/main/exec-rproxy3"]
+CMD []
+

conf.yaml

@@ -1,11 +0,0 @@
-p: 54243
-r:
-- echo:http://localhost:49982
-- echo2:http://192.168.0.86:38090
-#crt: ./testdata/rproxy3server.crt
-#key: ./testdata/rproxy3server.key
-#user: bel
-#pass: bel
-rate: 1
-burst: 2
-timeout: 10

config/config.go

@@ -1,14 +1,15 @@
 package config
 
 import (
+	"encoding/json"
 	"fmt"
+	"log"
 	"strings"
 	"time"
 )
 
 type Proxy struct {
 	To string
-	BOAuthZ bool
 }
 
 func parseProxy(s string) (string, Proxy) {
@@ -21,12 +22,14 @@ func parseProxy(s string) (string, Proxy) {
 	if len(l) > 1 {
 		p.To = l[1]
 	}
-	if len(l) > 2 {
-		p.BOAuthZ = l[2] == "true"
-	}
 	return key, p
 }
 
+func GetAuthelia() (string, bool) {
+	authelia := conf.Get("authelia").GetString()
+	return authelia, authelia != ""
+}
+
 func GetBOAuthZ() (string, bool) {
 	boauthz := conf.Get("oauth").GetString()
 	return boauthz, boauthz != ""
@@ -43,9 +46,15 @@ func GetPort() string {
 	return ":" + fmt.Sprint(port)
 }
 
+func GetAltPort() string {
+	port := conf.Get("ap").GetInt()
+	return ":" + fmt.Sprint(port)
+}
+
 func GetRate() (int, int) {
 	rate := conf.Get("r").GetInt()
 	burst := conf.Get("b").GetInt()
+	log.Println("rate/burst:", rate, burst)
 	return rate, burst
 }
 
@@ -75,3 +84,27 @@ func GetTimeout() time.Duration {
 	timeout := conf.Get("timeout").GetDuration()
 	return timeout
 }
+
+func GetCORS(key string) bool {
+	cors := conf.GetString("cors")
+	var m map[string]bool
+	if err := json.Unmarshal([]byte(cors), &m); err != nil {
+		return false
+	}
+	_, ok := m[key]
+	return ok
+}
+
+func GetNoPath(key string) bool {
+	nopath := conf.GetString("nopath")
+	var m map[string]bool
+	if err := json.Unmarshal([]byte(nopath), &m); err != nil {
+		return false
+	}
+	_, ok := m[key]
+	return ok
+}
+
+func GetCompression() bool {
+	return conf.GetBool("compression")
+}

config/new.go

@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"local/args"
+	"local/logb"
 	"log"
 	"os"
 	"strings"
@@ -26,23 +27,34 @@ func Refresh() error {
 		return err
 	}
 	conf = as
+	logb.Set(logb.LevelFromString(as.GetString("level")))
 	return nil
 }
 
 func parseArgs() (*args.ArgSet, error) {
-	as := args.NewArgSet()
+	configFiles := []string{}
+	if v, ok := os.LookupEnv("CONFIG"); ok {
+		configFiles = strings.Split(v, ",")
+	}
+	as := args.NewArgSet(configFiles...)
 
 	as.Append(args.STRING, "user", "username for basic auth", "")
 	as.Append(args.STRING, "pass", "password for basic auth", "")
 	as.Append(args.INT, "p", "port for service", 51555)
+	as.Append(args.INT, "ap", "alt port for always http service", 51556)
 	as.Append(args.INT, "r", "rate per second for requests", 100)
 	as.Append(args.INT, "b", "burst requests", 100)
+	as.Append(args.BOOL, "compress", "enable compression", true)
 	as.Append(args.STRING, "crt", "path to crt for ssl", "")
 	as.Append(args.STRING, "key", "path to key for ssl", "")
 	as.Append(args.STRING, "tcp", "address for tcp only tunnel", "")
 	as.Append(args.DURATION, "timeout", "timeout for tunnel", time.Minute)
-	as.Append(args.STRING, "proxy", "double-comma separated from,scheme://to.tld:port,oauth,,", "")
+	as.Append(args.STRING, "proxy", "double-comma separated (+ if auth)from,scheme://to.tld:port,,", "")
 	as.Append(args.STRING, "oauth", "url for boauthz", "")
+	as.Append(args.STRING, "authelia", "url for authelia", "")
+	as.Append(args.STRING, "cors", "json dict key:true for keys to set CORS permissive headers, like {\"from\":true}", "{}")
+	as.Append(args.STRING, "nopath", "json dict key:true for keys to remove all path info from forwarded request, like -cors", "{}")
+	as.Append(args.STRING, "level", "log level", "info")
 
 	err := as.Parse()
 	return as, err

example_config.yaml

@@ -0,0 +1,11 @@
+user: ""
+pass: ""
+port: 51555
+r: 100
+b: 100
+crt: ""
+key: ""
+tcp: ""
+timeout: 1m
+proxy: a,http://localhost:41912,,+b,http://localhost:41912
+oauth: http://localhost:23456

server/new.go

@@ -9,10 +9,15 @@ import (
 
 func New() *Server {
 	port := config.GetPort()
+	altport := config.GetAltPort()
 	r, b := config.GetRate()
-	return &Server{
+	server := &Server{
 		db:      storage.NewMap(),
 		addr:    port,
+		altaddr: altport,
 		limiter: rate.NewLimiter(rate.Limit(r), b),
 	}
+	_, server.auth.BOAuthZ = config.GetBOAuthZ()
+	_, server.auth.Authelia = config.GetAuthelia()
+	return server
 }

server/proxy.go

@@ -37,7 +37,7 @@ func (s *Server) Proxy(w http.ResponseWriter, r *http.Request) {
 		log.Printf("unknown host lookup %q", r.Host)
 		return
 	}
-	r.Host = newURL.Host
+	//r.Host = newURL.Host
 	proxy := httputil.NewSingleHostReverseProxy(newURL)
 	proxy.Transport = transport
 	proxy.ServeHTTP(w, r)
@@ -49,10 +49,10 @@ func (s *Server) lookup(host string) (*url.URL, error) {
 	return v.URL(), err
 }
 
-func (s *Server) lookupBOAuthZ(host string) (bool, error) {
+func (s *Server) lookupAuth(host string) (bool, error) {
 	v := packable.NewString()
 	err := s.db.Get(nsBOAuthZ, host, v)
-	return v.String() != "", err
+	return v.String() == "true", err
 }
 
 func mapKey(host string) string {
@@ -69,6 +69,8 @@ func (rp *redirPurge) RoundTrip(r *http.Request) (*http.Response, error) {
 	if loc := resp.Header.Get("Location"); loc != "" {
 		resp.Header.Set("Location", strings.Replace(loc, rp.targetHost, rp.proxyHost, 1))
 	}
+	// google floc https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+	resp.Header.Set("Permissions-Policy", "interest-cohort=()")
 	return resp, err
 }
 

server/server.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"local/logb"
 	"local/oauth2/oauth2client"
 	"local/rproxy3/config"
 	"local/rproxy3/storage"
@@ -15,6 +16,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"path"
 	"strings"
 	"time"
 
@@ -47,36 +49,36 @@ func (ls listenerScheme) String() string {
 type Server struct {
 	db       storage.DB
 	addr     string
+	altaddr  string
 	username string
 	password string
 	limiter  *rate.Limiter
+	auth     struct {
+		BOAuthZ  bool
+		Authelia bool
+	}
 }
 
 func (s *Server) Route(src string, dst config.Proxy) error {
+	hasOAuth := strings.HasPrefix(src, "+")
+	src = strings.TrimPrefix(src, "+")
 	log.Printf("Adding route %q -> %v...\n", src, dst)
 	u, err := url.Parse(dst.To)
 	if err != nil {
 		return err
 	}
-	s.db.Set(nsBOAuthZ, src, packable.NewString(fmt.Sprint(dst.BOAuthZ)))
+	s.db.Set(nsBOAuthZ, src, packable.NewString(fmt.Sprint(hasOAuth)))
 	return s.db.Set(nsRouting, src, packable.NewURL(u))
 }
 
 func (s *Server) Run() error {
-	scheme := schemeHTTP
-	if _, _, ok := config.GetSSL(); ok {
-		scheme = schemeHTTPS
-	}
-	if _, ok := config.GetTCP(); ok {
-		scheme = schemeTCP
-	}
+	go s.alt()
+	scheme := getScheme()
 	log.Printf("Listening for %v on %v...\n", scheme, s.addr)
 	switch scheme {
 	case schemeHTTP:
-		log.Printf("Serve http")
 		return http.ListenAndServe(s.addr, s)
 	case schemeHTTPS:
-		log.Printf("Serve https")
 		c, k, _ := config.GetSSL()
 		httpsServer := &http.Server{
 			Addr:    s.addr,
@@ -96,15 +98,112 @@ func (s *Server) Run() error {
 		}
 		return httpsServer.ListenAndServeTLS(c, k)
 	case schemeTCP:
-		log.Printf("Serve tcp")
 		addr, _ := config.GetTCP()
 		return s.ServeTCP(addr)
 	}
 	return errors.New("did not load server")
 }
 
-func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
+func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		authelia, ok := config.GetAuthelia()
+		if !ok {
+			panic("howd i get here")
+		}
+		url, err := url.Parse(authelia)
+		if err != nil {
+			panic(fmt.Sprintf("bad config for authelia url: %v", err))
+		}
+		url.Path = "/api/verify"
+		logb.Verbosef("authelia @ %s", url.String())
+		req, err := http.NewRequest(http.MethodGet, url.String(), nil)
+		if err != nil {
+			panic(err.Error())
+		}
+		r2 := r.Clone(r.Context())
+		if r2.URL.Host == "" {
+			r2.URL.Host = r2.Host
+		}
+		if r2.URL.Scheme == "" {
+			r2.URL.Scheme = "https"
+		}
+		for _, httpreq := range []*http.Request{r, req} {
+			for k, v := range map[string]string{
+				"X-Original-Url":    r2.URL.String(),
+				"X-Forwarded-Proto": r2.URL.Scheme,
+				"X-Forwarded-Host":  r2.URL.Host,
+				"X-Forwarded-Uri":   r2.URL.String(),
+			} {
+				if _, ok := httpreq.Header[k]; !ok {
+					logb.Verbosef("authelia header setting %s:%s", k, v)
+					httpreq.Header.Set(k, v)
+				}
+			}
+		}
+		if cookie, err := r.Cookie("authelia_session"); err == nil {
+			logb.Verbosef("authelia session found in cookies; %+v", cookie)
+			req.AddCookie(cookie)
+		}
+		c := &http.Client{
+			Timeout: time.Minute,
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			},
+		}
+
+		autheliaKey := mapKey(req.Host)
+		logb.Verbosef("request to %s is authelia %s? %v", r.Host, autheliaKey, strings.HasPrefix(r.Host, autheliaKey))
+		if strings.HasPrefix(r.Host, autheliaKey) {
+			logb.Debugf("no authelia for %s because it has prefix %s", r.Host, autheliaKey)
+			foo(w, r)
+			return
+		}
+
+		resp, err := c.Do(req)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		logb.Debugf(
+			"authelia: %+v, %+v \n\t-> \n\t(%d) %+v, %+v",
+			req,
+			req.Cookies(),
+			resp.StatusCode,
+			resp.Header,
+			resp.Cookies(),
+		)
+		defer resp.Body.Close()
+		if resp.StatusCode == http.StatusOK {
+			for k := range resp.Header {
+				if strings.HasPrefix(k, "Remote-") {
+					cookie := &http.Cookie{
+						Name:     k,
+						Value:    resp.Header.Get(k),
+						Path:     "/",
+						SameSite: http.SameSiteLaxMode,
+						Expires:  time.Now().Add(24 * time.Hour * 30),
+					}
+					logb.Verbosef("setting authelia cookie in response: %+v", cookie)
+					http.SetCookie(w, cookie)
+					logb.Verbosef("setting authelia cookie in request: %+v", cookie)
+					r.AddCookie(cookie)
+				}
+			}
+			foo(w, r)
+			return
+		}
+		url.Path = ""
+		q := url.Query()
+		q.Set("rd", r2.URL.String())
+		url.RawQuery = q.Encode()
+		logb.Verbosef("authelia status %d, rd'ing %s", resp.StatusCode, url.String())
+		http.Redirect(w, r, url.String(), http.StatusFound)
+	}
+}
+
+func (s *Server) doBOAuthZ(foo http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		key := mapKey(r.Host)
 		rusr, rpwd, ok := config.GetAuth()
 		if ok {
 			usr, pwd, ok := r.BasicAuth()
@@ -114,17 +213,20 @@ func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
 				return
 			}
 		}
-		ok, err := s.lookupBOAuthZ(mapKey(r.Host))
+		ok, err := s.lookupAuth(key)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			return
 		}
-		if boauthz, useoauth := config.GetBOAuthZ(); ok && useoauth {
-			err := oauth2client.Authenticate(boauthz, w, r)
+		if url, exists := config.GetBOAuthZ(); ok && exists {
+			err := oauth2client.Authenticate(url, key, w, r)
 			if err != nil {
 				return
 			}
 		}
+		if config.GetNoPath(key) && path.Ext(r.URL.Path) == "" {
+			r.URL.Path = "/"
+		}
 		foo(w, r)
 	}
 }
@@ -161,13 +263,24 @@ func pipe(a, b net.Conn) {
 
 func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		ctx, can := context.WithTimeout(r.Context(), time.Second*time.Duration(config.GetTimeout()))
+		ctx, can := context.WithTimeout(r.Context(), time.Duration(config.GetTimeout()))
 		defer can()
 		if err := s.limiter.Wait(ctx); err != nil {
 			w.WriteHeader(http.StatusTooManyRequests)
 			return
 		}
-		s.doAuth(foo)(w, r)
+		if did := s.doCORS(w, r); did {
+			return
+		}
+		if s.auth.BOAuthZ {
+			logb.Verbosef("doing boauthz for request to %s", r.URL.String())
+			s.doBOAuthZ(foo)(w, r)
+		} else if s.auth.Authelia {
+			logb.Verbosef("doing authelia for request to %s", r.URL.String())
+			s.doAuthelia(foo)(w, r)
+		} else {
+			foo(w, r)
+		}
 	}
 }
 
@@ -175,6 +288,22 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.Pre(s.Proxy)(w, r)
 }
 
+func (s *Server) doCORS(w http.ResponseWriter, r *http.Request) bool {
+	key := mapKey(r.Host)
+	if !config.GetCORS(key) {
+		return false
+	}
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Allow-Headers", "X-Auth-Token, content-type, Content-Type")
+	if r.Method != "OPTIONS" {
+		return false
+	}
+	w.Header().Set("Content-Length", "0")
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS, TRACE, PATCH, HEAD, DELETE")
+	return true
+}
+
 func getProxyAuth(r *http.Request) (string, string) {
 	proxyAuthHeader := r.Header.Get("Proxy-Authorization")
 	proxyAuthB64 := strings.TrimPrefix(proxyAuthHeader, "Basic ")
@@ -186,3 +315,39 @@ func getProxyAuth(r *http.Request) (string, string) {
 	proxyAuthSplit := strings.Split(proxyAuth, ":")
 	return proxyAuthSplit[0], proxyAuthSplit[1]
 }
+
+func (s *Server) alt() {
+	switch getScheme() {
+	case schemeHTTP:
+	case schemeHTTPS:
+	default:
+		return
+	}
+	foo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		r.URL.Scheme = getScheme().String()
+		if hostname := r.URL.Hostname(); hostname != "" {
+			r.URL.Host = r.URL.Hostname() + s.addr
+		} else if hostname := r.URL.Host; hostname != "" {
+			r.URL.Host = r.URL.Host + s.addr
+		} else {
+			u := url.URL{Host: r.Host}
+			r.URL.Host = u.Hostname() + s.addr
+		}
+		http.Redirect(w, r, r.URL.String(), http.StatusSeeOther)
+	})
+	log.Println("redirecting from", s.altaddr)
+	if err := http.ListenAndServe(s.altaddr, foo); err != nil {
+		panic(err)
+	}
+}
+
+func getScheme() listenerScheme {
+	scheme := schemeHTTP
+	if _, _, ok := config.GetSSL(); ok {
+		scheme = schemeHTTPS
+	}
+	if _, ok := config.GetTCP(); ok {
+		scheme = schemeTCP
+	}
+	return scheme
+}

testdata/index.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="X-UA-Compatible" content="ie=edge" />
+    <title>Go WebSocket Tutorial</title>
+  </head>
+  <body>
+    <h2>Hello World</h2>
+
+    <script>
+        let socket = new WebSocket("ws://a.bel.test:51555/ws");
+         document.getElementsByTagName("body")[0].innerHTML += "<br>connecting";
+
+        socket.onopen = () => {
+            document.getElementsByTagName("body")[0].innerHTML += "<br>connected";
+            socket.send("Hi From the Client!")
+        };
+
+        socket.onclose = event => {
+            document.getElementsByTagName("body")[0].innerHTML += "<br>disconnected";
+            socket.send("Client Closed!")
+        };
+
+        socket.onerror = error => {
+            document.getElementsByTagName("body")[0].innerHTML += "<br>error:" + error;
+            console.log("Socket Error: ", error);
+        };
+        socket.onmessage = function(msgevent) {
+            document.getElementsByTagName("body")[0].innerHTML += "<br>got:" + msgevent.data;
+        };
+
+    </script>
+  </body>
+</html>

testdata/ws.go

@@ -0,0 +1,76 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"time"
+
+	"github.com/gorilla/websocket"
+)
+
+func homePage(w http.ResponseWriter, r *http.Request) {
+	b, _ := ioutil.ReadFile("./index.html")
+	fmt.Fprintf(w, "%s", b)
+}
+
+func setupRoutes() {
+	http.HandleFunc("/", homePage)
+	http.HandleFunc("/ws", wsEndpoint)
+}
+
+func main() {
+	fmt.Println("Hello World")
+	setupRoutes()
+	log.Fatal(http.ListenAndServe(":8080", nil))
+}
+
+var upgrader = websocket.Upgrader{
+	ReadBufferSize:  1024,
+	WriteBufferSize: 1024,
+}
+
+func reader(conn *websocket.Conn) {
+	for {
+		// read in a message
+		messageType, p, err := conn.ReadMessage()
+		if err != nil {
+			log.Println(err)
+			return
+		}
+		// print out that message for clarity
+		fmt.Println(string(p))
+
+		if err := conn.WriteMessage(messageType, p); err != nil {
+			log.Println(err)
+			return
+		}
+
+	}
+}
+func wsEndpoint(w http.ResponseWriter, r *http.Request) {
+	upgrader.CheckOrigin = func(r *http.Request) bool { return true }
+
+	// upgrade this connection to a WebSocket
+	// connection
+	ws, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		log.Println(err)
+	}
+
+	log.Println("Client Connected")
+	// listen indefinitely for new messages coming
+	// through on our WebSocket connection
+	go reader(ws)
+	for {
+		log.Println("writing...")
+		err = ws.WriteMessage(1, []byte("Hi Client!"))
+		log.Println("written")
+		if err != nil {
+			log.Println(err)
+			return
+		}
+		time.Sleep(time.Second)
+	}
+}