2023-11-26 14:47:49 +00:00
|
|
|
use ahash::{HashMap, HashMapExt};
|
2023-12-29 17:03:43 +00:00
|
|
|
use anyhow::anyhow;
|
2024-01-14 18:18:57 +00:00
|
|
|
use bytes::Bytes;
|
2023-12-25 17:06:44 +00:00
|
|
|
use futures_util::{pin_mut, FutureExt, Stream, StreamExt};
|
2024-01-14 18:18:57 +00:00
|
|
|
use http_body_util::combinators::BoxBody;
|
|
|
|
|
use http_body_util::{BodyStream, Either, StreamBody};
|
2023-10-23 17:11:12 +00:00
|
|
|
use std::cmp::min;
|
2023-12-01 21:25:01 +00:00
|
|
|
use std::fmt::Debug;
|
2023-11-27 07:36:21 +00:00
|
|
|
use std::future::Future;
|
2024-01-11 08:19:32 +00:00
|
|
|
use std::net::{IpAddr, SocketAddr};
|
2023-10-23 17:11:12 +00:00
|
|
|
use std::ops::{Deref, Not};
|
|
|
|
|
use std::pin::Pin;
|
|
|
|
|
use std::sync::Arc;
|
2023-12-29 17:03:43 +00:00
|
|
|
use std::time::Duration;
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2024-01-07 17:37:50 +00:00
|
|
|
use super::{tunnel_to_jwt_token, JwtTunnelConfig, RemoteAddr, JWT_DECODE, JWT_HEADER_PREFIX};
|
2024-01-12 16:54:56 +00:00
|
|
|
use crate::{socks5, tcp, tls, udp, LocalProtocol, TlsServerConfig, WsServerConfig};
|
2024-01-14 18:18:57 +00:00
|
|
|
use hyper::body::{Frame, Incoming};
|
2023-12-26 20:16:34 +00:00
|
|
|
use hyper::header::{COOKIE, SEC_WEBSOCKET_PROTOCOL};
|
2023-12-01 21:25:01 +00:00
|
|
|
use hyper::http::HeaderValue;
|
2024-01-14 18:18:57 +00:00
|
|
|
use hyper::server::conn::{http1, http2};
|
2023-10-23 17:11:12 +00:00
|
|
|
use hyper::service::service_fn;
|
2024-01-16 23:20:54 +00:00
|
|
|
use hyper::{http, Request, Response, StatusCode, Version};
|
2024-01-14 18:18:57 +00:00
|
|
|
use hyper_util::rt::TokioExecutor;
|
2023-10-23 17:11:12 +00:00
|
|
|
use jsonwebtoken::TokenData;
|
2023-11-26 14:47:49 +00:00
|
|
|
use once_cell::sync::Lazy;
|
|
|
|
|
use parking_lot::Mutex;
|
2023-10-28 23:33:22 +00:00
|
|
|
|
2024-01-07 15:51:55 +00:00
|
|
|
use crate::socks5::Socks5Stream;
|
2023-12-29 17:03:43 +00:00
|
|
|
use crate::tunnel::tls_reloader::TlsReloader;
|
2024-01-14 18:18:57 +00:00
|
|
|
use crate::tunnel::transport::http2::{Http2TunnelRead, Http2TunnelWrite};
|
|
|
|
|
use crate::tunnel::transport::websocket::{WebsocketTunnelRead, WebsocketTunnelWrite};
|
2023-11-26 17:22:28 +00:00
|
|
|
use crate::udp::UdpStream;
|
2024-01-11 08:19:32 +00:00
|
|
|
use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
|
2024-01-12 16:54:56 +00:00
|
|
|
use tokio::net::{TcpListener, TcpStream};
|
2023-11-27 07:36:21 +00:00
|
|
|
use tokio::select;
|
|
|
|
|
use tokio::sync::{mpsc, oneshot};
|
2023-12-29 17:03:43 +00:00
|
|
|
use tokio_rustls::TlsAcceptor;
|
2024-01-14 18:18:57 +00:00
|
|
|
use tokio_stream::wrappers::ReceiverStream;
|
2023-10-28 16:18:48 +00:00
|
|
|
use tracing::{error, info, span, warn, Instrument, Level, Span};
|
2023-10-23 17:11:12 +00:00
|
|
|
use url::Host;
|
2024-01-07 17:37:50 +00:00
|
|
|
use uuid::Uuid;
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2023-12-25 17:06:44 +00:00
|
|
|
async fn run_tunnel(
|
2023-10-23 17:11:12 +00:00
|
|
|
server_config: &WsServerConfig,
|
2023-12-25 17:06:44 +00:00
|
|
|
jwt: TokenData<JwtTunnelConfig>,
|
2024-01-11 08:19:32 +00:00
|
|
|
client_address: SocketAddr,
|
2024-01-07 17:37:50 +00:00
|
|
|
) -> anyhow::Result<(RemoteAddr, Pin<Box<dyn AsyncRead + Send>>, Pin<Box<dyn AsyncWrite + Send>>)> {
|
2023-10-23 17:11:12 +00:00
|
|
|
match jwt.claims.p {
|
2023-10-31 07:32:52 +00:00
|
|
|
LocalProtocol::Udp { timeout, .. } => {
|
2024-01-11 08:19:32 +00:00
|
|
|
let remote = RemoteAddr::try_from(jwt.claims)?;
|
2023-12-19 21:41:11 +00:00
|
|
|
let cnx = udp::connect(
|
2024-01-11 08:19:32 +00:00
|
|
|
&remote.host,
|
|
|
|
|
remote.port,
|
2023-12-19 21:41:11 +00:00
|
|
|
timeout.unwrap_or(Duration::from_secs(10)),
|
|
|
|
|
&server_config.dns_resolver,
|
|
|
|
|
)
|
|
|
|
|
.await?;
|
2024-01-07 17:37:50 +00:00
|
|
|
|
|
|
|
|
Ok((remote, Box::pin(cnx.clone()), Box::pin(cnx)))
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
2024-01-11 08:19:32 +00:00
|
|
|
LocalProtocol::Tcp { proxy_protocol } => {
|
|
|
|
|
let remote = RemoteAddr::try_from(jwt.claims)?;
|
|
|
|
|
let mut socket = tcp::connect(
|
|
|
|
|
&remote.host,
|
|
|
|
|
remote.port,
|
2023-12-19 21:41:11 +00:00
|
|
|
server_config.socket_so_mark,
|
|
|
|
|
Duration::from_secs(10),
|
|
|
|
|
&server_config.dns_resolver,
|
|
|
|
|
)
|
2024-01-11 08:19:32 +00:00
|
|
|
.await?;
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2024-01-11 08:19:32 +00:00
|
|
|
if proxy_protocol {
|
|
|
|
|
let header = ppp::v2::Builder::with_addresses(
|
|
|
|
|
ppp::v2::Version::Two | ppp::v2::Command::Proxy,
|
|
|
|
|
ppp::v2::Protocol::Stream,
|
|
|
|
|
(client_address, socket.local_addr().unwrap()),
|
|
|
|
|
)
|
|
|
|
|
.build()
|
|
|
|
|
.unwrap();
|
|
|
|
|
let _ = socket.write_all(&header).await;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let (rx, tx) = socket.into_split();
|
2024-01-07 17:37:50 +00:00
|
|
|
Ok((remote, Box::pin(rx), Box::pin(tx)))
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
2023-11-26 14:47:49 +00:00
|
|
|
LocalProtocol::ReverseTcp => {
|
|
|
|
|
#[allow(clippy::type_complexity)]
|
2023-11-27 07:36:21 +00:00
|
|
|
static SERVERS: Lazy<Mutex<HashMap<(Host<String>, u16), mpsc::Receiver<TcpStream>>>> =
|
2023-11-26 14:47:49 +00:00
|
|
|
Lazy::new(|| Mutex::new(HashMap::with_capacity(0)));
|
|
|
|
|
|
|
|
|
|
let local_srv = (Host::parse(&jwt.claims.r)?, jwt.claims.rp);
|
2023-11-27 07:36:21 +00:00
|
|
|
let bind = format!("{}:{}", local_srv.0, local_srv.1);
|
2023-12-01 19:20:33 +00:00
|
|
|
let listening_server = tcp::run_server(bind.parse()?, false);
|
2023-11-27 07:36:21 +00:00
|
|
|
let tcp = run_listening_server(&local_srv, SERVERS.deref(), listening_server).await?;
|
|
|
|
|
let (local_rx, local_tx) = tcp.into_split();
|
2023-11-26 14:47:49 +00:00
|
|
|
|
2024-01-07 17:37:50 +00:00
|
|
|
let remote = RemoteAddr {
|
|
|
|
|
protocol: jwt.claims.p,
|
|
|
|
|
host: local_srv.0,
|
|
|
|
|
port: local_srv.1,
|
|
|
|
|
};
|
|
|
|
|
Ok((remote, Box::pin(local_rx), Box::pin(local_tx)))
|
2023-11-26 14:47:49 +00:00
|
|
|
}
|
2023-11-26 17:22:28 +00:00
|
|
|
LocalProtocol::ReverseUdp { timeout } => {
|
|
|
|
|
#[allow(clippy::type_complexity)]
|
2023-11-27 07:36:21 +00:00
|
|
|
static SERVERS: Lazy<Mutex<HashMap<(Host<String>, u16), mpsc::Receiver<UdpStream>>>> =
|
|
|
|
|
Lazy::new(|| Mutex::new(HashMap::with_capacity(0)));
|
2023-11-26 17:22:28 +00:00
|
|
|
|
|
|
|
|
let local_srv = (Host::parse(&jwt.claims.r)?, jwt.claims.rp);
|
2023-11-27 07:36:21 +00:00
|
|
|
let bind = format!("{}:{}", local_srv.0, local_srv.1);
|
2023-12-03 09:24:31 +00:00
|
|
|
let listening_server =
|
|
|
|
|
udp::run_server(bind.parse()?, timeout, |_| Ok(()), |send_socket| Ok(send_socket.clone()));
|
2023-11-27 07:36:21 +00:00
|
|
|
let udp = run_listening_server(&local_srv, SERVERS.deref(), listening_server).await?;
|
2023-11-26 17:22:28 +00:00
|
|
|
let (local_rx, local_tx) = tokio::io::split(udp);
|
|
|
|
|
|
2024-01-07 17:37:50 +00:00
|
|
|
let remote = RemoteAddr {
|
|
|
|
|
protocol: jwt.claims.p,
|
|
|
|
|
host: local_srv.0,
|
|
|
|
|
port: local_srv.1,
|
|
|
|
|
};
|
|
|
|
|
Ok((remote, Box::pin(local_rx), Box::pin(local_tx)))
|
2023-11-26 17:22:28 +00:00
|
|
|
}
|
2023-12-01 21:25:01 +00:00
|
|
|
LocalProtocol::ReverseSocks5 => {
|
|
|
|
|
#[allow(clippy::type_complexity)]
|
2024-01-07 15:51:55 +00:00
|
|
|
static SERVERS: Lazy<Mutex<HashMap<(Host<String>, u16), mpsc::Receiver<(Socks5Stream, (Host, u16))>>>> =
|
2023-12-01 21:25:01 +00:00
|
|
|
Lazy::new(|| Mutex::new(HashMap::with_capacity(0)));
|
|
|
|
|
|
|
|
|
|
let local_srv = (Host::parse(&jwt.claims.r)?, jwt.claims.rp);
|
|
|
|
|
let bind = format!("{}:{}", local_srv.0, local_srv.1);
|
2024-01-07 15:51:55 +00:00
|
|
|
let listening_server = socks5::run_server(bind.parse()?, None);
|
2024-01-07 16:03:42 +00:00
|
|
|
let (stream, local_srv) = run_listening_server(&local_srv, SERVERS.deref(), listening_server).await?;
|
2024-01-07 17:37:50 +00:00
|
|
|
let protocol = stream.local_protocol();
|
2024-01-07 16:03:42 +00:00
|
|
|
let (local_rx, local_tx) = tokio::io::split(stream);
|
2023-12-01 21:25:01 +00:00
|
|
|
|
2024-01-07 17:37:50 +00:00
|
|
|
let remote = RemoteAddr {
|
|
|
|
|
protocol,
|
|
|
|
|
host: local_srv.0,
|
|
|
|
|
port: local_srv.1,
|
|
|
|
|
};
|
|
|
|
|
Ok((remote, Box::pin(local_rx), Box::pin(local_tx)))
|
2023-12-01 21:25:01 +00:00
|
|
|
}
|
2024-01-12 18:31:00 +00:00
|
|
|
#[cfg(unix)]
|
|
|
|
|
LocalProtocol::ReverseUnix { ref path } => {
|
2024-01-12 16:54:56 +00:00
|
|
|
use crate::unix_socket;
|
|
|
|
|
use tokio::net::UnixStream;
|
|
|
|
|
|
2024-01-12 18:31:00 +00:00
|
|
|
#[allow(clippy::type_complexity)]
|
|
|
|
|
static SERVERS: Lazy<Mutex<HashMap<(Host<String>, u16), mpsc::Receiver<UnixStream>>>> =
|
|
|
|
|
Lazy::new(|| Mutex::new(HashMap::with_capacity(0)));
|
|
|
|
|
|
|
|
|
|
let local_srv = (Host::parse(&jwt.claims.r)?, jwt.claims.rp);
|
|
|
|
|
let listening_server = unix_socket::run_server(path);
|
|
|
|
|
let stream = run_listening_server(&local_srv, SERVERS.deref(), listening_server).await?;
|
|
|
|
|
let (local_rx, local_tx) = stream.into_split();
|
|
|
|
|
|
|
|
|
|
let remote = RemoteAddr {
|
|
|
|
|
protocol: jwt.claims.p.clone(),
|
|
|
|
|
host: local_srv.0,
|
|
|
|
|
port: local_srv.1,
|
|
|
|
|
};
|
|
|
|
|
Ok((remote, Box::pin(local_rx), Box::pin(local_tx)))
|
|
|
|
|
}
|
|
|
|
|
#[cfg(not(unix))]
|
|
|
|
|
LocalProtocol::ReverseUnix { ref path } => {
|
|
|
|
|
error!("Received an unsupported target protocol {:?}", jwt.claims);
|
|
|
|
|
Err(anyhow::anyhow!("Invalid upgrade request"))
|
|
|
|
|
}
|
|
|
|
|
LocalProtocol::Stdio
|
|
|
|
|
| LocalProtocol::Socks5 { .. }
|
|
|
|
|
| LocalProtocol::TProxyTcp
|
|
|
|
|
| LocalProtocol::TProxyUdp { .. }
|
|
|
|
|
| LocalProtocol::Unix { .. } => {
|
|
|
|
|
error!("Received an unsupported target protocol {:?}", jwt.claims);
|
|
|
|
|
Err(anyhow::anyhow!("Invalid upgrade request"))
|
|
|
|
|
}
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-27 07:36:21 +00:00
|
|
|
#[allow(clippy::type_complexity)]
|
2023-12-01 21:25:01 +00:00
|
|
|
async fn run_listening_server<T, Fut, FutOut, E>(
|
2023-11-27 07:36:21 +00:00
|
|
|
local_srv: &(Host, u16),
|
|
|
|
|
servers: &Mutex<HashMap<(Host<String>, u16), mpsc::Receiver<T>>>,
|
|
|
|
|
gen_listening_server: Fut,
|
|
|
|
|
) -> anyhow::Result<T>
|
|
|
|
|
where
|
|
|
|
|
Fut: Future<Output = anyhow::Result<FutOut>>,
|
2023-12-01 21:25:01 +00:00
|
|
|
FutOut: Stream<Item = Result<T, E>> + Send + 'static,
|
|
|
|
|
E: Debug + Send,
|
2023-11-27 07:36:21 +00:00
|
|
|
T: Send + 'static,
|
|
|
|
|
{
|
|
|
|
|
let listening_server = servers.lock().remove(local_srv);
|
|
|
|
|
let mut listening_server = if let Some(listening_server) = listening_server {
|
|
|
|
|
listening_server
|
|
|
|
|
} else {
|
|
|
|
|
let listening_server = gen_listening_server.await?;
|
|
|
|
|
let (tx, rx) = mpsc::channel::<T>(1);
|
|
|
|
|
let fut = async move {
|
|
|
|
|
pin_mut!(listening_server);
|
|
|
|
|
loop {
|
|
|
|
|
select! {
|
|
|
|
|
biased;
|
|
|
|
|
cnx = listening_server.next() => {
|
|
|
|
|
match cnx {
|
|
|
|
|
None => break,
|
|
|
|
|
Some(Err(err)) => {
|
|
|
|
|
warn!("Error while listening for incoming connections {err:?}");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
Some(Ok(cnx)) => {
|
|
|
|
|
if tx.send_timeout(cnx, Duration::from_secs(30)).await.is_err() {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
_ = tx.closed() => {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
info!("Stopping listening server");
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
tokio::spawn(fut.instrument(Span::current()));
|
|
|
|
|
rx
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let cnx = listening_server
|
|
|
|
|
.recv()
|
|
|
|
|
.await
|
|
|
|
|
.ok_or_else(|| anyhow!("listening server stopped"))?;
|
|
|
|
|
servers.lock().insert(local_srv.clone(), listening_server);
|
|
|
|
|
Ok(cnx)
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-25 17:06:44 +00:00
|
|
|
#[inline]
|
2024-01-11 08:19:32 +00:00
|
|
|
fn extract_x_forwarded_for(req: &Request<Incoming>) -> Result<Option<(IpAddr, &str)>, Response<String>> {
|
2023-12-25 17:06:44 +00:00
|
|
|
let Some(x_forward_for) = req.headers().get("X-Forwarded-For") else {
|
|
|
|
|
return Ok(None);
|
|
|
|
|
};
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2024-01-11 08:19:32 +00:00
|
|
|
// X-Forwarded-For: <client>, <proxy1>, <proxy2>
|
|
|
|
|
let x_forward_for = x_forward_for.to_str().unwrap_or_default();
|
|
|
|
|
let x_forward_for = x_forward_for.split_once(',').map(|x| x.0).unwrap_or(x_forward_for);
|
|
|
|
|
let ip: Option<IpAddr> = x_forward_for.parse().ok();
|
|
|
|
|
Ok(ip.map(|ip| (ip, x_forward_for)))
|
2023-12-25 17:06:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[inline]
|
|
|
|
|
fn validate_url(
|
|
|
|
|
req: &Request<Incoming>,
|
|
|
|
|
path_restriction_prefix: &Option<Vec<String>>,
|
|
|
|
|
) -> Result<(), Response<String>> {
|
2023-10-23 17:11:12 +00:00
|
|
|
if !req.uri().path().ends_with("/events") {
|
2023-10-30 07:13:38 +00:00
|
|
|
warn!("Rejecting connection with bad upgrade request: {}", req.uri());
|
2023-12-25 17:06:44 +00:00
|
|
|
return Err(http::Response::builder()
|
2023-10-23 17:11:12 +00:00
|
|
|
.status(StatusCode::BAD_REQUEST)
|
2023-12-15 08:47:06 +00:00
|
|
|
.body("Invalid upgrade request".into())
|
|
|
|
|
.unwrap());
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
|
|
|
|
|
2023-12-25 17:06:44 +00:00
|
|
|
if let Some(paths_prefix) = &path_restriction_prefix {
|
2023-10-23 17:11:12 +00:00
|
|
|
let path = req.uri().path();
|
|
|
|
|
let min_len = min(path.len(), 1);
|
2023-12-03 21:32:05 +00:00
|
|
|
let mut max_len = 0;
|
2023-10-23 17:11:12 +00:00
|
|
|
if &path[0..min_len] != "/"
|
2023-12-03 21:32:05 +00:00
|
|
|
|| !paths_prefix.iter().any(|p| {
|
|
|
|
|
max_len = min(path.len(), p.len() + 1);
|
|
|
|
|
p == &path[min_len..max_len]
|
|
|
|
|
})
|
2023-10-23 17:11:12 +00:00
|
|
|
|| !path[max_len..].starts_with('/')
|
|
|
|
|
{
|
2023-10-30 07:13:38 +00:00
|
|
|
warn!("Rejecting connection with bad path prefix in upgrade request: {}", req.uri());
|
2023-12-25 17:06:44 +00:00
|
|
|
return Err(http::Response::builder()
|
2023-10-23 17:11:12 +00:00
|
|
|
.status(StatusCode::BAD_REQUEST)
|
2023-12-15 08:47:06 +00:00
|
|
|
.body("Invalid upgrade request".to_string())
|
|
|
|
|
.unwrap());
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-25 17:06:44 +00:00
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[inline]
|
|
|
|
|
fn extract_tunnel_info(req: &Request<Incoming>) -> Result<TokenData<JwtTunnelConfig>, Response<String>> {
|
2023-12-26 20:16:34 +00:00
|
|
|
let jwt = req
|
|
|
|
|
.headers()
|
|
|
|
|
.get(SEC_WEBSOCKET_PROTOCOL)
|
|
|
|
|
.and_then(|header| header.to_str().ok())
|
|
|
|
|
.and_then(|header| header.split_once(JWT_HEADER_PREFIX))
|
|
|
|
|
.map(|(_prefix, jwt)| jwt)
|
2024-01-14 18:18:57 +00:00
|
|
|
.or_else(|| req.headers().get(COOKIE).and_then(|header| header.to_str().ok()))
|
2023-12-26 20:16:34 +00:00
|
|
|
.unwrap_or_default();
|
|
|
|
|
|
|
|
|
|
let (validation, decode_key) = JWT_DECODE.deref();
|
|
|
|
|
let jwt = match jsonwebtoken::decode(jwt, decode_key, validation) {
|
|
|
|
|
Ok(jwt) => jwt,
|
2023-12-25 17:06:44 +00:00
|
|
|
err => {
|
2023-12-26 20:16:34 +00:00
|
|
|
warn!(
|
|
|
|
|
"error while decoding jwt for tunnel info {:?} header {:?}",
|
|
|
|
|
err,
|
|
|
|
|
req.headers().get(SEC_WEBSOCKET_PROTOCOL)
|
|
|
|
|
);
|
2023-12-25 17:06:44 +00:00
|
|
|
return Err(http::Response::builder()
|
|
|
|
|
.status(StatusCode::BAD_REQUEST)
|
|
|
|
|
.body("Invalid upgrade request".to_string())
|
|
|
|
|
.unwrap());
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
Ok(jwt)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[inline]
|
|
|
|
|
fn validate_destination(
|
|
|
|
|
_req: &Request<Incoming>,
|
|
|
|
|
jwt: &TokenData<JwtTunnelConfig>,
|
|
|
|
|
destination_restriction: &Option<Vec<String>>,
|
|
|
|
|
) -> Result<(), Response<String>> {
|
|
|
|
|
let Some(allowed_dests) = &destination_restriction else {
|
|
|
|
|
return Ok(());
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let requested_dest = format!("{}:{}", jwt.claims.r, jwt.claims.rp);
|
|
|
|
|
if allowed_dests.iter().any(|dest| dest == &requested_dest).not() {
|
|
|
|
|
warn!("Rejecting connection with not allowed destination: {}", requested_dest);
|
|
|
|
|
return Err(http::Response::builder()
|
|
|
|
|
.status(StatusCode::BAD_REQUEST)
|
|
|
|
|
.body("Invalid upgrade request".to_string())
|
|
|
|
|
.unwrap());
|
|
|
|
|
}
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2023-12-25 17:06:44 +00:00
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-14 18:18:57 +00:00
|
|
|
async fn ws_server_upgrade(
|
2024-01-11 08:19:32 +00:00
|
|
|
server_config: Arc<WsServerConfig>,
|
|
|
|
|
mut client_addr: SocketAddr,
|
|
|
|
|
mut req: Request<Incoming>,
|
|
|
|
|
) -> Response<String> {
|
2023-12-25 17:06:44 +00:00
|
|
|
if !fastwebsockets::upgrade::is_upgrade_request(&req) {
|
|
|
|
|
warn!("Rejecting connection with bad upgrade request: {}", req.uri());
|
|
|
|
|
return http::Response::builder()
|
|
|
|
|
.status(StatusCode::BAD_REQUEST)
|
|
|
|
|
.body("Invalid upgrade request".to_string())
|
|
|
|
|
.unwrap();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
match extract_x_forwarded_for(&req) {
|
2024-01-11 08:19:32 +00:00
|
|
|
Ok(Some((x_forward_for, x_forward_for_str))) => {
|
2023-12-25 17:06:44 +00:00
|
|
|
info!("Request X-Forwarded-For: {:?}", x_forward_for);
|
2024-01-11 08:19:32 +00:00
|
|
|
Span::current().record("forwarded_for", x_forward_for_str);
|
|
|
|
|
client_addr.set_ip(x_forward_for);
|
2023-12-25 17:06:44 +00:00
|
|
|
}
|
|
|
|
|
Ok(_) => {}
|
|
|
|
|
Err(err) => return err,
|
2024-01-11 08:19:32 +00:00
|
|
|
};
|
2023-12-25 17:06:44 +00:00
|
|
|
|
|
|
|
|
if let Err(err) = validate_url(&req, &server_config.restrict_http_upgrade_path_prefix) {
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let jwt = match extract_tunnel_info(&req) {
|
|
|
|
|
Ok(jwt) => jwt,
|
|
|
|
|
Err(err) => return err,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
Span::current().record("id", &jwt.claims.id);
|
|
|
|
|
Span::current().record("remote", format!("{}:{}", jwt.claims.r, jwt.claims.rp));
|
|
|
|
|
|
|
|
|
|
if let Err(err) = validate_destination(&req, &jwt, &server_config.restrict_to) {
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-12 18:31:00 +00:00
|
|
|
let req_protocol = jwt.claims.p.clone();
|
2024-01-11 08:19:32 +00:00
|
|
|
let tunnel = match run_tunnel(&server_config, jwt, client_addr).await {
|
2023-12-25 17:06:44 +00:00
|
|
|
Ok(ret) => ret,
|
|
|
|
|
Err(err) => {
|
|
|
|
|
warn!("Rejecting connection with bad upgrade request: {} {}", err, req.uri());
|
|
|
|
|
return http::Response::builder()
|
|
|
|
|
.status(StatusCode::BAD_REQUEST)
|
|
|
|
|
.body("Invalid upgrade request".to_string())
|
|
|
|
|
.unwrap();
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2024-01-07 17:37:50 +00:00
|
|
|
let (remote_addr, local_rx, local_tx) = tunnel;
|
2024-01-07 20:47:29 +00:00
|
|
|
info!("connected to {:?} {}:{}", req_protocol, remote_addr.host, remote_addr.port);
|
2023-12-01 21:25:01 +00:00
|
|
|
let (mut response, fut) = match fastwebsockets::upgrade::upgrade(&mut req) {
|
2023-10-23 17:11:12 +00:00
|
|
|
Ok(ret) => ret,
|
|
|
|
|
Err(err) => {
|
2023-10-30 07:13:38 +00:00
|
|
|
warn!("Rejecting connection with bad upgrade request: {} {}", err, req.uri());
|
2023-12-25 17:06:44 +00:00
|
|
|
return http::Response::builder()
|
2023-10-23 17:11:12 +00:00
|
|
|
.status(StatusCode::BAD_REQUEST)
|
2023-12-15 08:47:06 +00:00
|
|
|
.body(format!("Invalid upgrade request: {:?}", err))
|
2023-12-25 17:06:44 +00:00
|
|
|
.unwrap();
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
tokio::spawn(
|
|
|
|
|
async move {
|
|
|
|
|
let (ws_rx, mut ws_tx) = match fut.await {
|
|
|
|
|
Ok(ws) => ws.split(tokio::io::split),
|
|
|
|
|
Err(err) => {
|
|
|
|
|
error!("Error during http upgrade request: {:?}", err);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
let (close_tx, close_rx) = oneshot::channel::<()>();
|
|
|
|
|
ws_tx.set_auto_apply_mask(server_config.websocket_mask_frame);
|
|
|
|
|
|
2024-01-13 20:06:57 +00:00
|
|
|
tokio::task::spawn(
|
2024-01-14 18:18:57 +00:00
|
|
|
super::transport::io::propagate_remote_to_local(local_tx, WebsocketTunnelRead::new(ws_rx), close_rx)
|
|
|
|
|
.instrument(Span::current()),
|
2024-01-13 20:06:57 +00:00
|
|
|
);
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2024-01-14 18:18:57 +00:00
|
|
|
let _ = super::transport::io::propagate_local_to_remote(
|
|
|
|
|
local_rx,
|
|
|
|
|
WebsocketTunnelWrite::new(ws_tx),
|
|
|
|
|
close_tx,
|
|
|
|
|
None,
|
|
|
|
|
)
|
|
|
|
|
.await;
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
|
|
|
|
.instrument(Span::current()),
|
|
|
|
|
);
|
|
|
|
|
|
2024-01-07 17:37:50 +00:00
|
|
|
if req_protocol == LocalProtocol::ReverseSocks5 {
|
|
|
|
|
let Ok(header_val) = HeaderValue::from_str(&tunnel_to_jwt_token(Uuid::from_u128(0), &remote_addr)) else {
|
|
|
|
|
error!("Bad headervalue for reverse socks5: {} {}", remote_addr.host, remote_addr.port);
|
2023-12-25 17:06:44 +00:00
|
|
|
return http::Response::builder()
|
|
|
|
|
.status(StatusCode::BAD_REQUEST)
|
|
|
|
|
.body("Invalid upgrade request".to_string())
|
|
|
|
|
.unwrap();
|
|
|
|
|
};
|
|
|
|
|
response.headers_mut().insert(COOKIE, header_val);
|
2023-12-04 07:50:47 +00:00
|
|
|
}
|
2023-12-26 20:16:34 +00:00
|
|
|
response
|
|
|
|
|
.headers_mut()
|
|
|
|
|
.insert(SEC_WEBSOCKET_PROTOCOL, HeaderValue::from_static("v1"));
|
2023-12-15 08:47:06 +00:00
|
|
|
|
2023-12-25 17:06:44 +00:00
|
|
|
Response::from_parts(response.into_parts().0, "".to_string())
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
|
|
|
|
|
2024-01-14 18:18:57 +00:00
|
|
|
async fn http_server_upgrade(
|
|
|
|
|
server_config: Arc<WsServerConfig>,
|
|
|
|
|
mut client_addr: SocketAddr,
|
|
|
|
|
req: Request<Incoming>,
|
|
|
|
|
) -> Response<Either<String, BoxBody<Bytes, anyhow::Error>>> {
|
|
|
|
|
match extract_x_forwarded_for(&req) {
|
|
|
|
|
Ok(Some((x_forward_for, x_forward_for_str))) => {
|
|
|
|
|
info!("Request X-Forwarded-For: {:?}", x_forward_for);
|
|
|
|
|
Span::current().record("forwarded_for", x_forward_for_str);
|
|
|
|
|
client_addr.set_ip(x_forward_for);
|
|
|
|
|
}
|
|
|
|
|
Ok(_) => {}
|
|
|
|
|
Err(err) => return err.map(Either::Left),
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if let Err(err) = validate_url(&req, &server_config.restrict_http_upgrade_path_prefix) {
|
|
|
|
|
return err.map(Either::Left);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let jwt = match extract_tunnel_info(&req) {
|
|
|
|
|
Ok(jwt) => jwt,
|
|
|
|
|
Err(err) => return err.map(Either::Left),
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
Span::current().record("id", &jwt.claims.id);
|
|
|
|
|
Span::current().record("remote", format!("{}:{}", jwt.claims.r, jwt.claims.rp));
|
|
|
|
|
|
|
|
|
|
if let Err(err) = validate_destination(&req, &jwt, &server_config.restrict_to) {
|
|
|
|
|
return err.map(Either::Left);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let req_protocol = jwt.claims.p.clone();
|
|
|
|
|
let tunnel = match run_tunnel(&server_config, jwt, client_addr).await {
|
|
|
|
|
Ok(ret) => ret,
|
|
|
|
|
Err(err) => {
|
|
|
|
|
warn!("Rejecting connection with bad upgrade request: {} {}", err, req.uri());
|
|
|
|
|
return http::Response::builder()
|
|
|
|
|
.status(StatusCode::BAD_REQUEST)
|
|
|
|
|
.body(Either::Left("Invalid upgrade request".to_string()))
|
|
|
|
|
.unwrap();
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let (remote_addr, local_rx, local_tx) = tunnel;
|
|
|
|
|
info!("connected to {:?} {}:{}", req_protocol, remote_addr.host, remote_addr.port);
|
|
|
|
|
|
|
|
|
|
let ws_rx = BodyStream::new(req.into_body());
|
|
|
|
|
let (ws_tx, rx) = mpsc::channel::<Bytes>(1024);
|
|
|
|
|
let body = BoxBody::new(StreamBody::new(
|
|
|
|
|
ReceiverStream::new(rx).map(|s| -> anyhow::Result<Frame<Bytes>> { Ok(Frame::data(s)) }),
|
|
|
|
|
));
|
|
|
|
|
|
|
|
|
|
let mut response = Response::builder()
|
|
|
|
|
.status(StatusCode::OK)
|
|
|
|
|
.body(Either::Right(body))
|
|
|
|
|
.expect("bug: failed to build response");
|
|
|
|
|
|
|
|
|
|
tokio::spawn(
|
|
|
|
|
async move {
|
|
|
|
|
let (close_tx, close_rx) = oneshot::channel::<()>();
|
|
|
|
|
tokio::task::spawn(
|
|
|
|
|
super::transport::io::propagate_remote_to_local(local_tx, Http2TunnelRead::new(ws_rx), close_rx)
|
|
|
|
|
.instrument(Span::current()),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let _ =
|
|
|
|
|
super::transport::io::propagate_local_to_remote(local_rx, Http2TunnelWrite::new(ws_tx), close_tx, None)
|
|
|
|
|
.await;
|
|
|
|
|
}
|
|
|
|
|
.instrument(Span::current()),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if req_protocol == LocalProtocol::ReverseSocks5 {
|
|
|
|
|
let Ok(header_val) = HeaderValue::from_str(&tunnel_to_jwt_token(Uuid::from_u128(0), &remote_addr)) else {
|
|
|
|
|
error!("Bad header value for reverse socks5: {} {}", remote_addr.host, remote_addr.port);
|
|
|
|
|
return http::Response::builder()
|
|
|
|
|
.status(StatusCode::BAD_REQUEST)
|
|
|
|
|
.body(Either::Left("Invalid upgrade request".to_string()))
|
|
|
|
|
.unwrap();
|
|
|
|
|
};
|
|
|
|
|
response.headers_mut().insert(COOKIE, header_val);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
response
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-29 17:03:43 +00:00
|
|
|
struct TlsContext<'a> {
|
|
|
|
|
tls_acceptor: Arc<TlsAcceptor>,
|
|
|
|
|
tls_reloader: TlsReloader,
|
|
|
|
|
tls_config: &'a TlsServerConfig,
|
|
|
|
|
}
|
|
|
|
|
impl TlsContext<'_> {
|
2023-12-30 22:38:05 +00:00
|
|
|
#[inline]
|
2023-12-29 17:03:43 +00:00
|
|
|
pub fn tls_acceptor(&mut self) -> &Arc<TlsAcceptor> {
|
2023-12-29 18:03:40 +00:00
|
|
|
if self.tls_reloader.should_reload_certificate() {
|
2024-01-13 22:31:54 +00:00
|
|
|
match tls::tls_acceptor(self.tls_config, Some(vec![b"h2".to_vec(), b"http/1.1".to_vec()])) {
|
2023-12-29 17:03:43 +00:00
|
|
|
Ok(acceptor) => self.tls_acceptor = Arc::new(acceptor),
|
|
|
|
|
Err(err) => error!("Cannot reload TLS certificate {:?}", err),
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
&self.tls_acceptor
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-23 17:11:12 +00:00
|
|
|
pub async fn run_server(server_config: Arc<WsServerConfig>) -> anyhow::Result<()> {
|
2023-10-30 07:13:38 +00:00
|
|
|
info!("Starting wstunnel server listening on {}", server_config.bind);
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2023-12-29 08:56:47 +00:00
|
|
|
// setup upgrade request handler
|
2024-01-14 18:18:57 +00:00
|
|
|
let mk_websocket_upgrade_fn = |server_config: Arc<WsServerConfig>, client_addr: SocketAddr| {
|
2024-01-11 08:19:32 +00:00
|
|
|
move |req: Request<Incoming>| {
|
2024-01-14 18:18:57 +00:00
|
|
|
ws_server_upgrade(server_config.clone(), client_addr, req).map::<anyhow::Result<_>, _>(Ok)
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let mk_http_upgrade_fn = |server_config: Arc<WsServerConfig>, client_addr: SocketAddr| {
|
|
|
|
|
move |req: Request<Incoming>| {
|
|
|
|
|
http_server_upgrade(server_config.clone(), client_addr, req).map::<anyhow::Result<_>, _>(Ok)
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let mk_auto_upgrade_fn = |server_config: Arc<WsServerConfig>, client_addr: SocketAddr| {
|
|
|
|
|
move |req: Request<Incoming>| {
|
|
|
|
|
let server_config = server_config.clone();
|
|
|
|
|
async move {
|
2024-01-16 23:20:54 +00:00
|
|
|
if fastwebsockets::upgrade::is_upgrade_request(&req) {
|
|
|
|
|
ws_server_upgrade(server_config.clone(), client_addr, req)
|
|
|
|
|
.map(|response| Ok::<_, anyhow::Error>(response.map(Either::Left)))
|
|
|
|
|
.await
|
|
|
|
|
} else if req.version() == Version::HTTP_2 {
|
2024-01-14 18:18:57 +00:00
|
|
|
http_server_upgrade(server_config.clone(), client_addr, req)
|
|
|
|
|
.map::<anyhow::Result<_>, _>(Ok)
|
|
|
|
|
.await
|
|
|
|
|
} else {
|
2024-01-16 23:20:54 +00:00
|
|
|
error!("Invalid protocol version request, got {:?} while expecting either websocket http1 upgrade or http2", req.version());
|
|
|
|
|
Ok(http::Response::builder()
|
|
|
|
|
.status(StatusCode::BAD_REQUEST)
|
|
|
|
|
.body(Either::Left("Invalid protocol request".to_string()))
|
|
|
|
|
.unwrap())
|
2024-01-14 18:18:57 +00:00
|
|
|
}
|
|
|
|
|
}
|
2024-01-11 08:19:32 +00:00
|
|
|
}
|
|
|
|
|
};
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2023-12-29 08:56:47 +00:00
|
|
|
// Init TLS if needed
|
2023-12-29 17:03:43 +00:00
|
|
|
let mut tls_context = if let Some(tls_config) = &server_config.tls {
|
|
|
|
|
let tls_context = TlsContext {
|
2024-01-13 22:31:54 +00:00
|
|
|
tls_acceptor: Arc::new(tls::tls_acceptor(tls_config, Some(vec![b"h2".to_vec(), b"http/1.1".to_vec()]))?),
|
2023-12-29 17:03:43 +00:00
|
|
|
tls_reloader: TlsReloader::new(server_config.clone())?,
|
|
|
|
|
tls_config,
|
|
|
|
|
};
|
|
|
|
|
Some(tls_context)
|
2023-10-23 17:11:12 +00:00
|
|
|
} else {
|
|
|
|
|
None
|
|
|
|
|
};
|
|
|
|
|
|
2023-12-29 08:56:47 +00:00
|
|
|
// Bind server and run forever to serve incoming connections.
|
|
|
|
|
let listener = TcpListener::bind(&server_config.bind).await?;
|
2023-10-23 17:11:12 +00:00
|
|
|
loop {
|
2023-12-29 08:56:47 +00:00
|
|
|
let (stream, peer_addr) = match listener.accept().await {
|
|
|
|
|
Ok(ret) => ret,
|
|
|
|
|
Err(err) => {
|
|
|
|
|
warn!("Error while accepting connection {:?}", err);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
};
|
2023-10-23 17:11:12 +00:00
|
|
|
let _ = stream.set_nodelay(true);
|
|
|
|
|
|
|
|
|
|
let span = span!(
|
|
|
|
|
Level::INFO,
|
|
|
|
|
"tunnel",
|
|
|
|
|
id = tracing::field::Empty,
|
|
|
|
|
remote = tracing::field::Empty,
|
|
|
|
|
peer = peer_addr.to_string(),
|
|
|
|
|
forwarded_for = tracing::field::Empty
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
info!("Accepting connection");
|
2024-01-14 18:18:57 +00:00
|
|
|
let server_config = server_config.clone();
|
|
|
|
|
|
|
|
|
|
// Check if we need to enable TLS or not
|
|
|
|
|
match tls_context.as_mut() {
|
|
|
|
|
Some(tls) => {
|
|
|
|
|
// Reload TLS certificate if needed
|
|
|
|
|
let tls_acceptor = tls.tls_acceptor().clone();
|
|
|
|
|
let fut = async move {
|
|
|
|
|
info!("Doing TLS handshake");
|
|
|
|
|
let tls_stream = match tls_acceptor.accept(stream).await {
|
|
|
|
|
Ok(tls_stream) => hyper_util::rt::TokioIo::new(tls_stream),
|
|
|
|
|
Err(err) => {
|
|
|
|
|
error!("error while accepting TLS connection {}", err);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
match tls_stream.inner().get_ref().1.alpn_protocol() {
|
|
|
|
|
// http2
|
|
|
|
|
Some(b"h2") => {
|
|
|
|
|
let mut conn_builder = http2::Builder::new(TokioExecutor::new());
|
|
|
|
|
if let Some(ping) = server_config.websocket_ping_frequency {
|
|
|
|
|
conn_builder.keep_alive_interval(ping);
|
|
|
|
|
}
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2024-01-14 18:18:57 +00:00
|
|
|
let http_upgrade_fn = mk_http_upgrade_fn(server_config, peer_addr);
|
|
|
|
|
let con_fut = conn_builder.serve_connection(tls_stream, service_fn(http_upgrade_fn));
|
|
|
|
|
if let Err(e) = con_fut.await {
|
|
|
|
|
error!("Error while upgrading cnx to http: {:?}", e);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// websocket
|
|
|
|
|
_ => {
|
|
|
|
|
let websocket_upgrade_fn = mk_websocket_upgrade_fn(server_config, peer_addr);
|
|
|
|
|
let conn_fut = http1::Builder::new()
|
|
|
|
|
.serve_connection(tls_stream, service_fn(websocket_upgrade_fn))
|
|
|
|
|
.with_upgrades();
|
|
|
|
|
|
|
|
|
|
if let Err(e) = conn_fut.await {
|
|
|
|
|
error!("Error while upgrading cnx: {:?}", e);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
};
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
2024-01-14 18:18:57 +00:00
|
|
|
.instrument(span);
|
|
|
|
|
|
|
|
|
|
tokio::spawn(fut);
|
|
|
|
|
// Normal
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
2024-01-14 18:18:57 +00:00
|
|
|
// HTTP without TLS
|
|
|
|
|
None => {
|
|
|
|
|
let fut = async move {
|
|
|
|
|
let stream = hyper_util::rt::TokioIo::new(stream);
|
|
|
|
|
let mut conn_fut = hyper_util::server::conn::auto::Builder::new(TokioExecutor::new());
|
|
|
|
|
if let Some(ping) = server_config.websocket_ping_frequency {
|
|
|
|
|
conn_fut.http2().keep_alive_interval(ping);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let websocket_upgrade_fn = mk_auto_upgrade_fn(server_config, peer_addr);
|
|
|
|
|
let upgradable = conn_fut.serve_connection_with_upgrades(stream, service_fn(websocket_upgrade_fn));
|
|
|
|
|
|
|
|
|
|
if let Err(e) = upgradable.await {
|
|
|
|
|
error!("Error while upgrading cnx to websocket: {:?}", e);
|
|
|
|
|
}
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
2024-01-14 18:18:57 +00:00
|
|
|
.instrument(span);
|
2023-10-23 17:11:12 +00:00
|
|
|
|
2024-01-14 18:18:57 +00:00
|
|
|
tokio::spawn(fut);
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-10-23 17:11:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
