tlstunnel/server.go

259 lines
5.8 KiB
Go
Raw Normal View History

package tlstunnel
2020-09-08 15:13:39 +00:00
import (
2020-09-09 12:08:20 +00:00
"context"
2020-09-08 16:24:16 +00:00
"crypto/tls"
2020-09-08 15:13:39 +00:00
"fmt"
"io"
2020-09-08 16:24:16 +00:00
"log"
2020-09-08 15:13:39 +00:00
"net"
"strings"
2020-09-08 16:24:16 +00:00
"git.sr.ht/~emersion/go-scfg"
2020-09-08 16:24:16 +00:00
"github.com/caddyserver/certmagic"
2020-09-09 12:52:41 +00:00
"github.com/pires/go-proxyproto"
2020-10-09 12:45:55 +00:00
"github.com/pires/go-proxyproto/tlvparse"
2020-09-08 15:13:39 +00:00
)
type Server struct {
2020-10-19 15:27:29 +00:00
Listeners map[string]*Listener // indexed by listening address
Frontends []*Frontend
ManagedNames []string
UnmanagedCerts []tls.Certificate
ACMEManager *certmagic.ACMEManager
ACMEConfig *certmagic.Config
2020-09-08 16:24:16 +00:00
}
func NewServer() *Server {
cfg := certmagic.NewDefault()
2020-09-09 12:08:20 +00:00
mgr := certmagic.NewACMEManager(cfg, certmagic.DefaultACME)
mgr.Agreed = true
// We're a TLS server, we don't speak HTTP
2020-09-09 12:08:20 +00:00
mgr.DisableHTTPChallenge = true
2020-09-08 16:24:16 +00:00
cfg.Issuer = mgr
cfg.Revoker = mgr
return &Server{
2020-09-09 12:08:20 +00:00
Listeners: make(map[string]*Listener),
2020-09-10 12:37:59 +00:00
ACMEManager: mgr,
ACMEConfig: cfg,
}
2020-09-08 15:13:39 +00:00
}
func (srv *Server) Load(cfg scfg.Block) error {
return parseConfig(srv, cfg)
}
func (srv *Server) RegisterListener(addr string) *Listener {
// TODO: normalize addr with net.LookupPort
ln, ok := srv.Listeners[addr]
if !ok {
ln = newListener(srv, addr)
srv.Listeners[addr] = ln
}
return ln
}
func (srv *Server) Start() error {
2020-10-19 15:27:29 +00:00
for _, cert := range srv.UnmanagedCerts {
if err := srv.ACMEConfig.CacheUnmanagedTLSCertificate(cert, nil); err != nil {
return err
}
}
if err := srv.ACMEConfig.ManageAsync(context.Background(), srv.ManagedNames); err != nil {
2020-09-09 12:08:20 +00:00
return fmt.Errorf("failed to manage TLS certificates: %v", err)
}
for _, ln := range srv.Listeners {
if err := ln.Start(); err != nil {
return err
}
}
return nil
}
type Listener struct {
Address string
Server *Server
Frontends map[string]*Frontend // indexed by server name
2020-09-08 15:13:39 +00:00
}
func newListener(srv *Server, addr string) *Listener {
return &Listener{
Address: addr,
Server: srv,
Frontends: make(map[string]*Frontend),
}
}
func (ln *Listener) RegisterFrontend(name string, fe *Frontend) error {
if _, ok := ln.Frontends[name]; ok {
return fmt.Errorf("listener %q: duplicate frontends for server name %q", ln.Address, name)
}
ln.Frontends[name] = fe
return nil
}
func (ln *Listener) Start() error {
netLn, err := net.Listen("tcp", ln.Address)
if err != nil {
return err
}
log.Printf("listening on %q", ln.Address)
go func() {
if err := ln.serve(netLn); err != nil {
log.Fatalf("listener %q: %v", ln.Address, err)
}
}()
return nil
}
func (ln *Listener) serve(netLn net.Listener) error {
2020-09-08 15:13:39 +00:00
for {
conn, err := netLn.Accept()
2020-09-08 15:13:39 +00:00
if err != nil {
return fmt.Errorf("failed to accept connection: %v", err)
}
2020-09-08 16:24:16 +00:00
go func() {
if err := ln.handle(conn); err != nil {
log.Printf("listener %q: %v", ln.Address, err)
2020-09-08 16:24:16 +00:00
}
}()
2020-09-08 15:13:39 +00:00
}
}
func (ln *Listener) handle(conn net.Conn) error {
defer conn.Close()
// TODO: setup timeouts
tlsConn := tls.Server(conn, ln.Server.ACMEConfig.TLSConfig())
if err := tlsConn.Handshake(); err != nil {
return err
}
tlsState := tlsConn.ConnectionState()
fe, ok := ln.Frontends[tlsState.ServerName]
if !ok {
// match wildcard certificates, allowing only a single, non-partial wildcard, in the left-most label
i := strings.IndexByte(tlsState.ServerName, '.')
// don't allow wildcards with only a TLD (eg *.com)
if i >= 0 && strings.IndexByte(tlsState.ServerName[i+1:], '.') >= 0 {
fe, ok = ln.Frontends["*"+tlsState.ServerName[i:]]
}
}
if !ok {
fe, ok = ln.Frontends[""]
}
if !ok {
return fmt.Errorf("can't find frontend for server name %q", tlsState.ServerName)
}
return fe.handle(tlsConn, &tlsState)
}
type Frontend struct {
Server *Server
Backend Backend
}
func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) error {
2020-09-08 15:13:39 +00:00
defer downstream.Close()
be := &fe.Backend
upstream, err := net.Dial(be.Network, be.Address)
if err != nil {
return fmt.Errorf("failed to dial backend: %v", err)
}
defer upstream.Close()
2020-09-09 12:52:41 +00:00
if be.Proxy {
h := proxyproto.HeaderProxyFromAddrs(2, downstream.RemoteAddr(), downstream.LocalAddr())
var tlvs []proxyproto.TLV
if tlsState.ServerName != "" {
tlvs = append(tlvs, authorityTLV(tlsState.ServerName))
}
2020-10-09 12:45:55 +00:00
if tlv, err := sslTLV(tlsState); err != nil {
return fmt.Errorf("failed to set PROXY protocol header SSL TLV: %v", err)
} else {
tlvs = append(tlvs, tlv)
}
if err := h.SetTLVs(tlvs); err != nil {
return fmt.Errorf("failed to set PROXY protocol header TLVs: %v", err)
}
2020-09-09 12:52:41 +00:00
if _, err := h.WriteTo(upstream); err != nil {
return fmt.Errorf("failed to write PROXY protocol header: %v", err)
}
}
2020-09-08 15:13:39 +00:00
return duplexCopy(upstream, downstream)
}
type Backend struct {
Network string
Address string
2020-09-09 12:52:41 +00:00
Proxy bool
2020-09-08 15:13:39 +00:00
}
func duplexCopy(a, b io.ReadWriter) error {
done := make(chan error, 2)
go func() {
_, err := io.Copy(a, b)
done <- err
}()
go func() {
_, err := io.Copy(b, a)
done <- err
}()
return <-done
}
2020-10-09 12:45:55 +00:00
func newTLV(t proxyproto.PP2Type, v []byte) proxyproto.TLV {
return proxyproto.TLV{
2020-10-09 12:45:55 +00:00
Type: t,
Length: len(v),
Value: v,
}
}
2020-10-09 12:45:55 +00:00
func authorityTLV(name string) proxyproto.TLV {
return newTLV(proxyproto.PP2_TYPE_AUTHORITY, []byte(name))
}
func sslTLV(state *tls.ConnectionState) (proxyproto.TLV, error) {
pp2ssl := tlvparse.PP2SSL{
Client: tlvparse.PP2_BITFIELD_CLIENT_SSL, // all of our connections are TLS
Verify: 1, // we haven't checked the client cert
}
var version string
switch state.Version {
case tls.VersionTLS10:
version = "TLSv1.0"
case tls.VersionTLS11:
version = "TLSv1.1"
case tls.VersionTLS12:
version = "TLSv1.2"
case tls.VersionTLS13:
version = "TLSv1.3"
}
if version != "" {
versionTLV := newTLV(proxyproto.PP2_SUBTYPE_SSL_VERSION, []byte(version))
pp2ssl.TLV = append(pp2ssl.TLV, versionTLV)
}
// TODO: add PP2_SUBTYPE_SSL_CIPHER, PP2_SUBTYPE_SSL_SIG_ALG, PP2_SUBTYPE_SSL_KEY_ALG
// TODO: check client-provided cert, if any
return pp2ssl.Marshal()
}