Skip to content

Commit

Permalink
Clean up HTTP proxy
Browse files Browse the repository at this point in the history
  • Loading branch information
fortuna committed Oct 26, 2023
1 parent 9eb8507 commit e00414c
Show file tree
Hide file tree
Showing 5 changed files with 134 additions and 57 deletions.
2 changes: 1 addition & 1 deletion x/examples/http2transport/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ func main() {
defer listener.Close()
log.Printf("Proxy listening on %v", listener.Addr().String())

server := http.Server{Handler: httpproxy.NewConnectHandler(dialer)}
server := http.Server{Handler: httpproxy.NewProxyHandler(dialer)}
go func() {
if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
log.Fatalf("Error running web server: %v", err)
Expand Down
62 changes: 7 additions & 55 deletions x/httpproxy/connect_handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,68 +15,26 @@
package httpproxy

import (
"context"
"fmt"
"io"
"net"
"net/http"
"strings"

"github.com/Jigsaw-Code/outline-sdk/transport"
)

type handler struct {
type connectHandler struct {
dialer transport.StreamDialer
client http.Client
}

var _ http.Handler = (*handler)(nil)
var _ http.Handler = (*connectHandler)(nil)

// ServeHTTP implements [http.Handler].ServeHTTP for CONNECT requests, using the internal [transport.StreamDialer].
func (h *handler) ServeHTTP(proxyResp http.ResponseWriter, proxyReq *http.Request) {
// TODO(fortuna): For public services (not local), we need authentication and drain on failures to avoid fingerprinting.
if proxyReq.Method == http.MethodConnect {
h.handleConnect(proxyResp, proxyReq)
func (h *connectHandler) ServeHTTP(proxyResp http.ResponseWriter, proxyReq *http.Request) {
if proxyReq.Method != http.MethodConnect {
proxyResp.Header().Add("Allow", "CONNECT")
http.Error(proxyResp, fmt.Sprintf("Method %v is not supported", proxyReq.Method), http.StatusMethodNotAllowed)
return
}
if proxyReq.URL.Host != "" {
h.handleHTTPProxyRequest(proxyResp, proxyReq)
return
}
http.Error(proxyResp, "Not Found", http.StatusNotFound)
}

func (h *handler) handleHTTPProxyRequest(proxyResp http.ResponseWriter, proxyReq *http.Request) {
// We create a new request that uses a relative path + Host header, instead of the absolute URL in the proxy request.
targetReq, err := http.NewRequestWithContext(proxyReq.Context(), proxyReq.Method, proxyReq.URL.String(), proxyReq.Body)
if err != nil {
http.Error(proxyResp, "Error creating target request", http.StatusInternalServerError)
return
}
for key, values := range proxyReq.Header {
for _, value := range values {
targetReq.Header.Add(key, value)
}
}
targetResp, err := h.client.Do(targetReq)
if err != nil {
http.Error(proxyResp, "Failed to fetch destination", http.StatusServiceUnavailable)
return
}
defer targetResp.Body.Close()
for key, values := range targetResp.Header {
for _, value := range values {
proxyResp.Header().Add(key, value)
}
}
_, err = io.Copy(proxyResp, targetResp.Body)
if err != nil {
http.Error(proxyResp, "Failed write response", http.StatusServiceUnavailable)
return
}
}

func (h *handler) handleConnect(proxyResp http.ResponseWriter, proxyReq *http.Request) {
// Validate the target address.
_, portStr, err := net.SplitHostPort(proxyReq.Host)
if err != nil {
Expand Down Expand Up @@ -128,11 +86,5 @@ func (h *handler) handleConnect(proxyResp http.ResponseWriter, proxyReq *http.Re
// The resulting handler is currently vulnerable to probing attacks. It's ok as a localhost proxy
// but it may be vulnerable if used as a public proxy.
func NewConnectHandler(dialer transport.StreamDialer) http.Handler {
dialContext := func(ctx context.Context, network, addr string) (net.Conn, error) {
if !strings.HasPrefix(network, "tcp") {
return nil, fmt.Errorf("protocol not supported: %v", network)
}
return dialer.Dial(ctx, addr)
}
return &handler{dialer, http.Client{Transport: &http.Transport{DialContext: dialContext}}}
return &connectHandler{dialer}
}
77 changes: 77 additions & 0 deletions x/httpproxy/forward_handler.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
// Copyright 2023 Jigsaw Operations LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package httpproxy

import (
"context"
"fmt"
"io"
"net"
"net/http"
"strings"

"github.com/Jigsaw-Code/outline-sdk/transport"
)

type forwardHandler struct {
client http.Client
}

var _ http.Handler = (*forwardHandler)(nil)

func (h *forwardHandler) ServeHTTP(proxyResp http.ResponseWriter, proxyReq *http.Request) {
if proxyReq.URL.Host == "" {
http.Error(proxyResp, "Must specify an absolute request target", http.StatusNotFound)
return
}
// We create a new request that uses a relative path + Host header, instead of the absolute URL in the proxy request.
targetReq, err := http.NewRequestWithContext(proxyReq.Context(), proxyReq.Method, proxyReq.URL.String(), proxyReq.Body)
if err != nil {
http.Error(proxyResp, "Error creating target request", http.StatusInternalServerError)
return
}
for key, values := range proxyReq.Header {
for _, value := range values {
targetReq.Header.Add(key, value)
}
}
targetResp, err := h.client.Do(targetReq)
if err != nil {
http.Error(proxyResp, "Failed to fetch destination", http.StatusServiceUnavailable)
return
}
defer targetResp.Body.Close()
for key, values := range targetResp.Header {
for _, value := range values {
proxyResp.Header().Add(key, value)
}
}
_, err = io.Copy(proxyResp, targetResp.Body)
if err != nil {
http.Error(proxyResp, "Failed write response", http.StatusServiceUnavailable)
return
}
}

// NewForwardHandler creates a [http.Handler] that handles absolute HTTP requests using the given [http.Client].
func NewForwardHandler(dialer transport.StreamDialer) http.Handler {
dialContext := func(ctx context.Context, network, addr string) (net.Conn, error) {
if !strings.HasPrefix(network, "tcp") {
return nil, fmt.Errorf("protocol not supported: %v", network)
}
return dialer.Dial(ctx, addr)
}
return &forwardHandler{http.Client{Transport: &http.Transport{DialContext: dialContext}}}
}
48 changes: 48 additions & 0 deletions x/httpproxy/proxy_handler.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
// Copyright 2023 Jigsaw Operations LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package httpproxy

import (
"net/http"

"github.com/Jigsaw-Code/outline-sdk/transport"
)

type proxyHandler struct {
connectHandler http.Handler
forwardHandler http.Handler
}

// ServeHTTP implements [http.Handler].ServeHTTP for CONNECT and absolute URL requests, using the internal [transport.StreamDialer].
func (h *proxyHandler) ServeHTTP(proxyResp http.ResponseWriter, proxyReq *http.Request) {
// TODO(fortuna): For public services (not local), we need authentication and drain on failures to avoid fingerprinting.
if proxyReq.Method == http.MethodConnect {
h.connectHandler.ServeHTTP(proxyResp, proxyReq)
return
}
if proxyReq.URL.Host != "" {
h.forwardHandler.ServeHTTP(proxyResp, proxyReq)
return
}
http.Error(proxyResp, "Not Found", http.StatusNotFound)
}

// NewProxyHandler creates a [http.Handler] that works as a web proxy using the given dialer to deach the destination.
func NewProxyHandler(dialer transport.StreamDialer) http.Handler {
return &proxyHandler{
connectHandler: NewConnectHandler(dialer),
forwardHandler: NewForwardHandler(dialer),
}
}
2 changes: 1 addition & 1 deletion x/mobileproxy/mobileproxy.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ func RunProxy(localAddress string, transportConfig string) (*Proxy, error) {
return nil, fmt.Errorf("could not listen on address %v: %v", localAddress, err)
}

server := &http.Server{Handler: httpproxy.NewConnectHandler(dialer)}
server := &http.Server{Handler: httpproxy.NewProxyHandler(dialer)}
go server.Serve(listener)

host, portStr, err := net.SplitHostPort(listener.Addr().String())
Expand Down

0 comments on commit e00414c

Please sign in to comment.