mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 67 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3097 Commits
20 Branches
Tree: c92192ef48
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c92192ef48'
${ noResults }
oragono/irc/utils/proxy.go

proxy.go 4.1KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174 
  1. // Copyright (c) 2020 Shivaram Lingamneni <slingamn@cs.stanford.edu>

  2. // released under the MIT license

  3. 

  4. package utils

  5. 

  6. import (

  7. 	"crypto/tls"

  8. 	"errors"

  9. 	"net"

  10. 	"strings"

  11. 	"sync"

  12. 	"time"

  13. )

  14. 

  15. // TODO: handle PROXY protocol v2 (the binary protocol)

  16. 

  17. const (

  18. 	// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

  19. 	// "a 108-byte buffer is always enough to store all the line and a trailing zero

  20. 	// for string processing."

  21. 	maxProxyLineLen = 107

  22. )

  23. 

  24. var (

  25. 	ErrBadProxyLine = errors.New("invalid PROXY line")

  26. 	// TODO(golang/go#4373): replace this with the stdlib ErrNetClosing

  27. 	ErrNetClosing = errors.New("use of closed network connection")

  28. )

  29. 

  30. // ListenerConfig is all the information about how to process

  31. // incoming IRC connections on a listener.

  32. type ListenerConfig struct {

  33. 	TLSConfig     *tls.Config

  34. 	ProxyDeadline time.Duration

  35. 	RequireProxy  bool

  36. 	// these are just metadata for easier tracking,

  37. 	// they are not used by ReloadableListener:

  38. 	Tor       bool

  39. 	STSOnly   bool

  40. 	WebSocket bool

  41. }

  42. 

  43. // read a PROXY line one byte at a time, to ensure we don't read anything beyond

  44. // that into a buffer, which would break the TLS handshake

  45. func readRawProxyLine(conn net.Conn, deadline time.Duration) (result string) {

  46. 	// normally this is covered by ping timeouts, but we're doing this outside

  47. 	// of the normal client goroutine:

  48. 	conn.SetDeadline(time.Now().Add(deadline))

  49. 	defer conn.SetDeadline(time.Time{})

  50. 

  51. 	var buf [maxProxyLineLen]byte

  52. 	oneByte := make([]byte, 1)

  53. 	i := 0

  54. 	for i < maxProxyLineLen {

  55. 		n, err := conn.Read(oneByte)

  56. 		if err != nil {

  57. 			return

  58. 		} else if n == 1 {

  59. 			buf[i] = oneByte[0]

  60. 			if buf[i] == '\n' {

  61. 				candidate := string(buf[0 : i+1])

  62. 				if strings.HasPrefix(candidate, "PROXY") {

  63. 					return candidate

  64. 				} else {

  65. 					return

  66. 				}

  67. 			}

  68. 			i += 1

  69. 		}

  70. 	}

  71. 

  72. 	// no \r\n, fail out

  73. 	return

  74. }

  75. 

  76. // ParseProxyLine parses a PROXY protocol (v1) line and returns the remote IP.

  77. func ParseProxyLine(line string) (ip net.IP, err error) {

  78. 	params := strings.Fields(line)

  79. 	if len(params) != 6 || params[0] != "PROXY" {

  80. 		return nil, ErrBadProxyLine

  81. 	}

  82. 	ip = net.ParseIP(params[2])

  83. 	if ip == nil {

  84. 		return nil, ErrBadProxyLine

  85. 	}

  86. 	return ip.To16(), nil

  87. }

  88. 

  89. /// WrappedConn is a net.Conn with some additional data stapled to it;

  90. // the proxied IP, if one was read via the PROXY protocol, and the listener

  91. // configuration.

  92. type WrappedConn struct {

  93. 	net.Conn

  94. 	ProxiedIP net.IP

  95. 	Config    ListenerConfig

  96. }

  97. 

  98. // ReloadableListener is a wrapper for net.Listener that allows reloading

  99. // of config data for postprocessing connections (TLS, PROXY protocol, etc.)

  100. type ReloadableListener struct {

  101. 	// TODO: make this lock-free

  102. 	sync.Mutex

  103. 	realListener net.Listener

  104. 	config       ListenerConfig

  105. 	isClosed     bool

  106. }

  107. 

  108. func NewReloadableListener(realListener net.Listener, config ListenerConfig) *ReloadableListener {

  109. 	return &ReloadableListener{

  110. 		realListener: realListener,

  111. 		config:       config,

  112. 	}

  113. }

  114. 

  115. func (rl *ReloadableListener) Reload(config ListenerConfig) {

  116. 	rl.Lock()

  117. 	rl.config = config

  118. 	rl.Unlock()

  119. }

  120. 

  121. func (rl *ReloadableListener) Accept() (conn net.Conn, err error) {

  122. 	conn, err = rl.realListener.Accept()

  123. 

  124. 	rl.Lock()

  125. 	config := rl.config

  126. 	isClosed := rl.isClosed

  127. 	rl.Unlock()

  128. 

  129. 	if isClosed {

  130. 		if err == nil {

  131. 			conn.Close()

  132. 		}

  133. 		err = ErrNetClosing

  134. 	}

  135. 	if err != nil {

  136. 		return nil, err

  137. 	}

  138. 

  139. 	var proxiedIP net.IP

  140. 	if config.RequireProxy {

  141. 		// this will occur synchronously on the goroutine calling Accept(),

  142. 		// but that's OK because this listener *requires* a PROXY line,

  143. 		// therefore it must be used with proxies that always send the line

  144. 		// and we won't get slowloris'ed waiting for the client response

  145. 		proxyLine := readRawProxyLine(conn, config.ProxyDeadline)

  146. 		proxiedIP, err = ParseProxyLine(proxyLine)

  147. 		if err != nil {

  148. 			conn.Close()

  149. 			return nil, err

  150. 		}

  151. 	}

  152. 

  153. 	if config.TLSConfig != nil {

  154. 		conn = tls.Server(conn, config.TLSConfig)

  155. 	}

  156. 

  157. 	return &WrappedConn{

  158. 		Conn:      conn,

  159. 		ProxiedIP: proxiedIP,

  160. 		Config:    config,

  161. 	}, nil

  162. }

  163. 

  164. func (rl *ReloadableListener) Close() error {

  165. 	rl.Lock()

  166. 	rl.isClosed = true

  167. 	rl.Unlock()

  168. 

  169. 	return rl.realListener.Close()

  170. }

  171. 

  172. func (rl *ReloadableListener) Addr() net.Addr {

  173. 	return rl.realListener.Addr()

  174. }