Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
af240639cb | ||
|
|
c623792c2f | ||
|
|
cebb518e05 | ||
|
|
177e0d88da | ||
|
|
9b0bccd9ca | ||
|
|
1af274dc1d | ||
|
|
ec1e0cdf2e | ||
|
|
61811e8e61 |
BIN
config/.config.go.un~
Normal file
BIN
config/.config.go.un~
Normal file
Binary file not shown.
BIN
config/.new.go.un~
Normal file
BIN
config/.new.go.un~
Normal file
Binary file not shown.
@@ -1,6 +1,7 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log"
|
||||
"strings"
|
||||
@@ -24,6 +25,11 @@ func parseProxy(s string) (string, Proxy) {
|
||||
return key, p
|
||||
}
|
||||
|
||||
func GetAuthelia() (string, bool) {
|
||||
authelia := conf.Get("authelia").GetString()
|
||||
return authelia, authelia != ""
|
||||
}
|
||||
|
||||
func GetBOAuthZ() (string, bool) {
|
||||
boauthz := conf.Get("oauth").GetString()
|
||||
return boauthz, boauthz != ""
|
||||
@@ -40,6 +46,11 @@ func GetPort() string {
|
||||
return ":" + fmt.Sprint(port)
|
||||
}
|
||||
|
||||
func GetAltPort() string {
|
||||
port := conf.Get("ap").GetInt()
|
||||
return ":" + fmt.Sprint(port)
|
||||
}
|
||||
|
||||
func GetRate() (int, int) {
|
||||
rate := conf.Get("r").GetInt()
|
||||
burst := conf.Get("b").GetInt()
|
||||
@@ -73,3 +84,27 @@ func GetTimeout() time.Duration {
|
||||
timeout := conf.Get("timeout").GetDuration()
|
||||
return timeout
|
||||
}
|
||||
|
||||
func GetCORS(key string) bool {
|
||||
cors := conf.GetString("cors")
|
||||
var m map[string]bool
|
||||
if err := json.Unmarshal([]byte(cors), &m); err != nil {
|
||||
return false
|
||||
}
|
||||
_, ok := m[key]
|
||||
return ok
|
||||
}
|
||||
|
||||
func GetNoPath(key string) bool {
|
||||
nopath := conf.GetString("nopath")
|
||||
var m map[string]bool
|
||||
if err := json.Unmarshal([]byte(nopath), &m); err != nil {
|
||||
return false
|
||||
}
|
||||
_, ok := m[key]
|
||||
return ok
|
||||
}
|
||||
|
||||
func GetCompression() bool {
|
||||
return conf.GetBool("compression")
|
||||
}
|
||||
|
||||
@@ -3,6 +3,7 @@ package config
|
||||
import (
|
||||
"fmt"
|
||||
"local/args"
|
||||
"local/logb"
|
||||
"log"
|
||||
"os"
|
||||
"strings"
|
||||
@@ -26,6 +27,7 @@ func Refresh() error {
|
||||
return err
|
||||
}
|
||||
conf = as
|
||||
logb.Set(logb.LevelFromString(as.GetString("level")))
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -39,14 +41,20 @@ func parseArgs() (*args.ArgSet, error) {
|
||||
as.Append(args.STRING, "user", "username for basic auth", "")
|
||||
as.Append(args.STRING, "pass", "password for basic auth", "")
|
||||
as.Append(args.INT, "p", "port for service", 51555)
|
||||
as.Append(args.INT, "ap", "alt port for always http service", 51556)
|
||||
as.Append(args.INT, "r", "rate per second for requests", 100)
|
||||
as.Append(args.INT, "b", "burst requests", 100)
|
||||
as.Append(args.BOOL, "compress", "enable compression", true)
|
||||
as.Append(args.STRING, "crt", "path to crt for ssl", "")
|
||||
as.Append(args.STRING, "key", "path to key for ssl", "")
|
||||
as.Append(args.STRING, "tcp", "address for tcp only tunnel", "")
|
||||
as.Append(args.DURATION, "timeout", "timeout for tunnel", time.Minute)
|
||||
as.Append(args.STRING, "proxy", "double-comma separated (+ if oauth)from,scheme://to.tld:port,oauth,,", "")
|
||||
as.Append(args.STRING, "proxy", "double-comma separated (+ if auth)from,scheme://to.tld:port,,", "")
|
||||
as.Append(args.STRING, "oauth", "url for boauthz", "")
|
||||
as.Append(args.STRING, "authelia", "url for authelia", "")
|
||||
as.Append(args.STRING, "cors", "json dict key:true for keys to set CORS permissive headers, like {\"from\":true}", "{}")
|
||||
as.Append(args.STRING, "nopath", "json dict key:true for keys to remove all path info from forwarded request, like -cors", "{}")
|
||||
as.Append(args.STRING, "level", "log level", "info")
|
||||
|
||||
err := as.Parse()
|
||||
return as, err
|
||||
|
||||
@@ -9,10 +9,15 @@ import (
|
||||
|
||||
func New() *Server {
|
||||
port := config.GetPort()
|
||||
altport := config.GetAltPort()
|
||||
r, b := config.GetRate()
|
||||
return &Server{
|
||||
server := &Server{
|
||||
db: storage.NewMap(),
|
||||
addr: port,
|
||||
altaddr: altport,
|
||||
limiter: rate.NewLimiter(rate.Limit(r), b),
|
||||
}
|
||||
_, server.auth.BOAuthZ = config.GetBOAuthZ()
|
||||
_, server.auth.Authelia = config.GetAuthelia()
|
||||
return server
|
||||
}
|
||||
|
||||
@@ -37,7 +37,7 @@ func (s *Server) Proxy(w http.ResponseWriter, r *http.Request) {
|
||||
log.Printf("unknown host lookup %q", r.Host)
|
||||
return
|
||||
}
|
||||
r.Host = newURL.Host
|
||||
//r.Host = newURL.Host
|
||||
proxy := httputil.NewSingleHostReverseProxy(newURL)
|
||||
proxy.Transport = transport
|
||||
proxy.ServeHTTP(w, r)
|
||||
@@ -49,7 +49,7 @@ func (s *Server) lookup(host string) (*url.URL, error) {
|
||||
return v.URL(), err
|
||||
}
|
||||
|
||||
func (s *Server) lookupBOAuthZ(host string) (bool, error) {
|
||||
func (s *Server) lookupAuth(host string) (bool, error) {
|
||||
v := packable.NewString()
|
||||
err := s.db.Get(nsBOAuthZ, host, v)
|
||||
return v.String() == "true", err
|
||||
|
||||
183
server/server.go
183
server/server.go
@@ -7,6 +7,7 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"local/logb"
|
||||
"local/oauth2/oauth2client"
|
||||
"local/rproxy3/config"
|
||||
"local/rproxy3/storage"
|
||||
@@ -15,6 +16,7 @@ import (
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"path"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@@ -47,9 +49,14 @@ func (ls listenerScheme) String() string {
|
||||
type Server struct {
|
||||
db storage.DB
|
||||
addr string
|
||||
altaddr string
|
||||
username string
|
||||
password string
|
||||
limiter *rate.Limiter
|
||||
auth struct {
|
||||
BOAuthZ bool
|
||||
Authelia bool
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) Route(src string, dst config.Proxy) error {
|
||||
@@ -65,20 +72,13 @@ func (s *Server) Route(src string, dst config.Proxy) error {
|
||||
}
|
||||
|
||||
func (s *Server) Run() error {
|
||||
scheme := schemeHTTP
|
||||
if _, _, ok := config.GetSSL(); ok {
|
||||
scheme = schemeHTTPS
|
||||
}
|
||||
if _, ok := config.GetTCP(); ok {
|
||||
scheme = schemeTCP
|
||||
}
|
||||
go s.alt()
|
||||
scheme := getScheme()
|
||||
log.Printf("Listening for %v on %v...\n", scheme, s.addr)
|
||||
switch scheme {
|
||||
case schemeHTTP:
|
||||
log.Printf("Serve http")
|
||||
return http.ListenAndServe(s.addr, s)
|
||||
case schemeHTTPS:
|
||||
log.Printf("Serve https")
|
||||
c, k, _ := config.GetSSL()
|
||||
httpsServer := &http.Server{
|
||||
Addr: s.addr,
|
||||
@@ -98,15 +98,107 @@ func (s *Server) Run() error {
|
||||
}
|
||||
return httpsServer.ListenAndServeTLS(c, k)
|
||||
case schemeTCP:
|
||||
log.Printf("Serve tcp")
|
||||
addr, _ := config.GetTCP()
|
||||
return s.ServeTCP(addr)
|
||||
}
|
||||
return errors.New("did not load server")
|
||||
}
|
||||
|
||||
func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
|
||||
func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
authelia, ok := config.GetAuthelia()
|
||||
if !ok {
|
||||
panic("howd i get here")
|
||||
}
|
||||
url, err := url.Parse(authelia)
|
||||
if err != nil {
|
||||
panic(fmt.Sprintf("bad config for authelia url: %v", err))
|
||||
}
|
||||
url.Path = "/api/verify"
|
||||
req, err := http.NewRequest(http.MethodGet, url.String(), nil)
|
||||
if err != nil {
|
||||
panic(err.Error())
|
||||
}
|
||||
r2 := r.Clone(r.Context())
|
||||
if r2.URL.Host == "" {
|
||||
r2.URL.Host = r2.Host
|
||||
}
|
||||
if r2.URL.Scheme == "" {
|
||||
r2.URL.Scheme = "https"
|
||||
}
|
||||
for _, httpreq := range []*http.Request{r, req} {
|
||||
for k, v := range map[string]string{
|
||||
"X-Original-Url": r2.URL.String(),
|
||||
"X-Forwarded-Proto": r2.URL.Scheme,
|
||||
"X-Forwarded-Host": r2.URL.Host,
|
||||
"X-Forwarded-Uri": r2.URL.String(),
|
||||
} {
|
||||
if _, ok := httpreq.Header[k]; !ok {
|
||||
httpreq.Header.Set(k, v)
|
||||
}
|
||||
}
|
||||
}
|
||||
if cookie, err := r.Cookie("authelia_session"); err == nil {
|
||||
req.AddCookie(cookie)
|
||||
}
|
||||
c := &http.Client{
|
||||
Timeout: time.Minute,
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
},
|
||||
}
|
||||
|
||||
autheliaKey := mapKey(req.Host)
|
||||
if strings.HasPrefix(r.Host, autheliaKey) {
|
||||
logb.Debugf("no authelia for %s because it has prefix %s", r.Host, autheliaKey)
|
||||
foo(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
resp, err := c.Do(req)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
logb.Debugf(
|
||||
"authelia: %+v, %+v \n\t-> \n\t(%d) %+v, %+v",
|
||||
req,
|
||||
req.Cookies(),
|
||||
resp.StatusCode,
|
||||
resp.Header,
|
||||
resp.Cookies(),
|
||||
)
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode == http.StatusOK {
|
||||
for k := range resp.Header {
|
||||
if strings.HasPrefix(k, "Remote-") {
|
||||
cookie := &http.Cookie{
|
||||
Name: k,
|
||||
Value: resp.Header.Get(k),
|
||||
Path: "/",
|
||||
Domain: r2.Host,
|
||||
SameSite: http.SameSiteLaxMode,
|
||||
Secure: true,
|
||||
HttpOnly: true,
|
||||
Expires: time.Now().Add(24 * time.Hour * 30),
|
||||
}
|
||||
http.SetCookie(w, cookie)
|
||||
}
|
||||
}
|
||||
foo(w, r)
|
||||
return
|
||||
}
|
||||
url.Path = ""
|
||||
q := url.Query()
|
||||
q.Set("rd", r2.URL.String())
|
||||
url.RawQuery = q.Encode()
|
||||
http.Redirect(w, r, url.String(), http.StatusFound)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) doBOAuthZ(foo http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
key := mapKey(r.Host)
|
||||
rusr, rpwd, ok := config.GetAuth()
|
||||
if ok {
|
||||
usr, pwd, ok := r.BasicAuth()
|
||||
@@ -116,8 +208,7 @@ func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
}
|
||||
key := mapKey(r.Host)
|
||||
ok, err := s.lookupBOAuthZ(key)
|
||||
ok, err := s.lookupAuth(key)
|
||||
if err != nil {
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
return
|
||||
@@ -128,6 +219,9 @@ func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
}
|
||||
if config.GetNoPath(key) && path.Ext(r.URL.Path) == "" {
|
||||
r.URL.Path = "/"
|
||||
}
|
||||
foo(w, r)
|
||||
}
|
||||
}
|
||||
@@ -170,7 +264,16 @@ func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
|
||||
w.WriteHeader(http.StatusTooManyRequests)
|
||||
return
|
||||
}
|
||||
s.doAuth(foo)(w, r)
|
||||
if did := s.doCORS(w, r); did {
|
||||
return
|
||||
}
|
||||
if s.auth.BOAuthZ {
|
||||
s.doBOAuthZ(foo)(w, r)
|
||||
} else if s.auth.Authelia {
|
||||
s.doAuthelia(foo)(w, r)
|
||||
} else {
|
||||
foo(w, r)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -178,6 +281,22 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
s.Pre(s.Proxy)(w, r)
|
||||
}
|
||||
|
||||
func (s *Server) doCORS(w http.ResponseWriter, r *http.Request) bool {
|
||||
key := mapKey(r.Host)
|
||||
if !config.GetCORS(key) {
|
||||
return false
|
||||
}
|
||||
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
w.Header().Set("Access-Control-Allow-Headers", "X-Auth-Token, content-type, Content-Type")
|
||||
if r.Method != "OPTIONS" {
|
||||
return false
|
||||
}
|
||||
w.Header().Set("Content-Length", "0")
|
||||
w.Header().Set("Content-Type", "text/plain")
|
||||
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS, TRACE, PATCH, HEAD, DELETE")
|
||||
return true
|
||||
}
|
||||
|
||||
func getProxyAuth(r *http.Request) (string, string) {
|
||||
proxyAuthHeader := r.Header.Get("Proxy-Authorization")
|
||||
proxyAuthB64 := strings.TrimPrefix(proxyAuthHeader, "Basic ")
|
||||
@@ -189,3 +308,39 @@ func getProxyAuth(r *http.Request) (string, string) {
|
||||
proxyAuthSplit := strings.Split(proxyAuth, ":")
|
||||
return proxyAuthSplit[0], proxyAuthSplit[1]
|
||||
}
|
||||
|
||||
func (s *Server) alt() {
|
||||
switch getScheme() {
|
||||
case schemeHTTP:
|
||||
case schemeHTTPS:
|
||||
default:
|
||||
return
|
||||
}
|
||||
foo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
r.URL.Scheme = getScheme().String()
|
||||
if hostname := r.URL.Hostname(); hostname != "" {
|
||||
r.URL.Host = r.URL.Hostname() + s.addr
|
||||
} else if hostname := r.URL.Host; hostname != "" {
|
||||
r.URL.Host = r.URL.Host + s.addr
|
||||
} else {
|
||||
u := url.URL{Host: r.Host}
|
||||
r.URL.Host = u.Hostname() + s.addr
|
||||
}
|
||||
http.Redirect(w, r, r.URL.String(), http.StatusSeeOther)
|
||||
})
|
||||
log.Println("redirecting from", s.altaddr)
|
||||
if err := http.ListenAndServe(s.altaddr, foo); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
|
||||
func getScheme() listenerScheme {
|
||||
scheme := schemeHTTP
|
||||
if _, _, ok := config.GetSSL(); ok {
|
||||
scheme = schemeHTTPS
|
||||
}
|
||||
if _, ok := config.GetTCP(); ok {
|
||||
scheme = schemeTCP
|
||||
}
|
||||
return scheme
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user