mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 67 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5292 Commits
20 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
oragono/irc/listeners.go

listeners.go 6.3KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223 
  1. // Copyright (c) 2020 Shivaram Lingamneni <slingamn@cs.stanford.edu>

  2. // released under the MIT license

  3. 

  4. package irc

  5. 

  6. import (

  7. 	"errors"

  8. 	"io/fs"

  9. 	"net"

  10. 	"net/http"

  11. 	"os"

  12. 	"strings"

  13. 	"time"

  14. 

  15. 	"github.com/gorilla/websocket"

  16. 

  17. 	"github.com/ergochat/ergo/irc/utils"

  18. )

  19. 

  20. var (

  21. 	errCantReloadListener = errors.New("can't switch a listener between stream and websocket")

  22. )

  23. 

  24. // IRCListener is an abstract wrapper for a listener (TCP port or unix domain socket).

  25. // Server tracks these by listen address and can reload or stop them during rehash.

  26. type IRCListener interface {

  27. 	Reload(config utils.ListenerConfig) error

  28. 	Stop() error

  29. }

  30. 

  31. // NewListener creates a new listener according to the specifications in the config file

  32. func NewListener(server *Server, addr string, config utils.ListenerConfig, bindMode os.FileMode) (result IRCListener, err error) {

  33. 	baseListener, err := createBaseListener(server, addr, bindMode)

  34. 	if err != nil {

  35. 		return

  36. 	}

  37. 

  38. 	wrappedListener := utils.NewReloadableListener(baseListener, config)

  39. 

  40. 	if config.WebSocket {

  41. 		return NewWSListener(server, addr, wrappedListener, config)

  42. 	} else {

  43. 		return NewNetListener(server, addr, wrappedListener, config)

  44. 	}

  45. }

  46. 

  47. func createBaseListener(server *Server, addr string, bindMode os.FileMode) (listener net.Listener, err error) {

  48. 	addr = strings.TrimPrefix(addr, "unix:")

  49. 	if strings.HasPrefix(addr, "/") {

  50. 		// https://stackoverflow.com/a/34881585

  51. 		removeErr := os.Remove(addr)

  52. 		if removeErr != nil && !errors.Is(removeErr, fs.ErrNotExist) {

  53. 			server.logger.Warning("listeners", "could not delete unix domain listener", addr, removeErr.Error())

  54. 		}

  55. 		listener, err = net.Listen("unix", addr)

  56. 		if err == nil && bindMode != 0 {

  57. 			os.Chmod(addr, bindMode)

  58. 		}

  59. 	} else {

  60. 		listener, err = net.Listen("tcp", addr)

  61. 	}

  62. 	return

  63. }

  64. 

  65. // NetListener is an IRCListener for a regular stream socket (TCP or unix domain)

  66. type NetListener struct {

  67. 	listener *utils.ReloadableListener

  68. 	server   *Server

  69. 	addr     string

  70. }

  71. 

  72. func NewNetListener(server *Server, addr string, listener *utils.ReloadableListener, config utils.ListenerConfig) (result *NetListener, err error) {

  73. 	nl := NetListener{

  74. 		server:   server,

  75. 		listener: listener,

  76. 		addr:     addr,

  77. 	}

  78. 	go nl.serve()

  79. 	return &nl, nil

  80. }

  81. 

  82. func (nl *NetListener) Reload(config utils.ListenerConfig) error {

  83. 	if config.WebSocket {

  84. 		return errCantReloadListener

  85. 	}

  86. 	nl.listener.Reload(config)

  87. 	return nil

  88. }

  89. 

  90. func (nl *NetListener) Stop() error {

  91. 	return nl.listener.Close()

  92. }

  93. 

  94. func (nl *NetListener) serve() {

  95. 	for {

  96. 		conn, err := nl.listener.Accept()

  97. 

  98. 		if err == nil {

  99. 			// hand off the connection

  100. 			wConn, ok := conn.(*utils.WrappedConn)

  101. 			if ok {

  102. 				confirmProxyData(wConn, "", "", "", nl.server.Config())

  103. 				go nl.server.RunClient(NewIRCStreamConn(wConn))

  104. 			} else {

  105. 				nl.server.logger.Error("internal", "invalid connection type", nl.addr)

  106. 			}

  107. 		} else if err == net.ErrClosed {

  108. 			return

  109. 		} else {

  110. 			nl.server.logger.Error("internal", "accept error", nl.addr, err.Error())

  111. 		}

  112. 	}

  113. }

  114. 

  115. // WSListener is a listener for IRC-over-websockets (initially HTTP, then upgraded to a

  116. // different application protocol that provides a message-based API, possibly with TLS)

  117. type WSListener struct {

  118. 	listener   *utils.ReloadableListener

  119. 	httpServer *http.Server

  120. 	server     *Server

  121. 	addr       string

  122. }

  123. 

  124. func NewWSListener(server *Server, addr string, listener *utils.ReloadableListener, config utils.ListenerConfig) (result *WSListener, err error) {

  125. 	result = &WSListener{

  126. 		listener: listener,

  127. 		server:   server,

  128. 		addr:     addr,

  129. 	}

  130. 	result.httpServer = &http.Server{

  131. 		Handler:      http.HandlerFunc(result.handle),

  132. 		ReadTimeout:  10 * time.Second,

  133. 		WriteTimeout: 10 * time.Second,

  134. 	}

  135. 	go result.httpServer.Serve(listener)

  136. 	return

  137. }

  138. 

  139. func (wl *WSListener) Reload(config utils.ListenerConfig) error {

  140. 	if !config.WebSocket {

  141. 		return errCantReloadListener

  142. 	}

  143. 	wl.listener.Reload(config)

  144. 	return nil

  145. }

  146. 

  147. func (wl *WSListener) Stop() error {

  148. 	return wl.httpServer.Close()

  149. }

  150. 

  151. func (wl *WSListener) handle(w http.ResponseWriter, r *http.Request) {

  152. 	config := wl.server.Config()

  153. 	remoteAddr := r.RemoteAddr

  154. 	xff := r.Header.Get("X-Forwarded-For")

  155. 	xfp := r.Header.Get("X-Forwarded-Proto")

  156. 

  157. 	wsUpgrader := websocket.Upgrader{

  158. 		CheckOrigin: func(r *http.Request) bool {

  159. 			if len(config.Server.WebSockets.allowedOriginRegexps) == 0 {

  160. 				return true

  161. 			}

  162. 			origin := strings.TrimSpace(r.Header.Get("Origin"))

  163. 			if len(origin) == 0 {

  164. 				return false

  165. 			}

  166. 			for _, re := range config.Server.WebSockets.allowedOriginRegexps {

  167. 				if re.MatchString(origin) {

  168. 					return true

  169. 				}

  170. 			}

  171. 			return false

  172. 		},

  173. 		Subprotocols: []string{"text.ircv3.net", "binary.ircv3.net"},

  174. 	}

  175. 

  176. 	conn, err := wsUpgrader.Upgrade(w, r, nil)

  177. 	if err != nil {

  178. 		wl.server.logger.Info("internal", "websocket upgrade error", wl.addr, err.Error())

  179. 		return

  180. 	}

  181. 

  182. 	wConn, ok := conn.UnderlyingConn().(*utils.WrappedConn)

  183. 	if !ok {

  184. 		wl.server.logger.Error("internal", "non-proxied connection on websocket", wl.addr)

  185. 		conn.Close()

  186. 		return

  187. 	}

  188. 

  189. 	confirmProxyData(wConn, remoteAddr, xff, xfp, config)

  190. 

  191. 	// avoid a DoS attack from buffering excessively large messages:

  192. 	conn.SetReadLimit(int64(maxReadQBytes()))

  193. 

  194. 	go wl.server.RunClient(NewIRCWSConn(conn))

  195. }

  196. 

  197. // validate conn.ProxiedIP and conn.Secure against config, HTTP headers, etc.

  198. func confirmProxyData(conn *utils.WrappedConn, remoteAddr, xForwardedFor, xForwardedProto string, config *Config) {

  199. 	if conn.ProxiedIP != nil {

  200. 		if !utils.IPInNets(utils.AddrToIP(conn.RemoteAddr()), config.Server.proxyAllowedFromNets) {

  201. 			conn.ProxiedIP = nil

  202. 		}

  203. 	} else if xForwardedFor != "" {

  204. 		proxiedIP := utils.HandleXForwardedFor(remoteAddr, xForwardedFor, config.Server.proxyAllowedFromNets)

  205. 		// don't set proxied IP if it is redundant with the actual IP

  206. 		if proxiedIP != nil && !proxiedIP.Equal(utils.AddrToIP(conn.RemoteAddr())) {

  207. 			conn.ProxiedIP = proxiedIP

  208. 		}

  209. 	}

  210. 

  211. 	if conn.TLS || conn.Tor {

  212. 		// we terminated our own encryption:

  213. 		conn.Secure = true

  214. 	} else if !conn.WebSocket {

  215. 		// plaintext normal connection: loopback and secureNets are secure

  216. 		realIP := utils.AddrToIP(conn.RemoteAddr())

  217. 		conn.Secure = realIP.IsLoopback() || utils.IPInNets(realIP, config.Server.secureNets)

  218. 	} else {

  219. 		// plaintext websocket: trust X-Forwarded-Proto from a trusted source

  220. 		conn.Secure = utils.IPInNets(utils.AddrToIP(conn.RemoteAddr()), config.Server.proxyAllowedFromNets) &&

  221. 			xForwardedProto == "https"

  222. 	}

  223. }