cloudflared-mirror/websocket/websocket.go

package websocket

import (
	"crypto/sha1"
	"encoding/base64"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"

	"github.com/cloudflare/cloudflared/h2mux"

	"github.com/gorilla/websocket"
	"github.com/rs/zerolog"
)

var stripWebsocketHeaders = []string{
	"Upgrade",
	"Connection",
	"Sec-Websocket-Key",
	"Sec-Websocket-Version",
	"Sec-Websocket-Extensions",
}

// IsWebSocketUpgrade checks to see if the request is a WebSocket connection.
func IsWebSocketUpgrade(req *http.Request) bool {
	return websocket.IsWebSocketUpgrade(req)
}

// ClientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing
// the connection. The response body may not contain the entire response and does
// not need to be closed by the application.
func ClientConnect(req *http.Request, dialler *websocket.Dialer) (*websocket.Conn, *http.Response, error) {
	req.URL.Scheme = ChangeRequestScheme(req.URL)
	wsHeaders := websocketHeaders(req)
	if dialler == nil {
		dialler = &websocket.Dialer{
			Proxy: http.ProxyFromEnvironment,
		}
	}
	conn, response, err := dialler.Dial(req.URL.String(), wsHeaders)
	if err != nil {
		return nil, response, err
	}
	response.Header.Set("Sec-WebSocket-Accept", generateAcceptKey(req))
	return conn, response, nil
}

// StartProxyServer will start a websocket server that will decode
// the websocket data and write the resulting data to the provided
func StartProxyServer(
	log *zerolog.Logger,
	listener net.Listener,
	staticHost string,
	shutdownC <-chan struct{},
	streamHandler func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger),
) error {
	upgrader := websocket.Upgrader{
		ReadBufferSize:  1024,
		WriteBufferSize: 1024,
	}
	h := handler{
		upgrader:      upgrader,
		log:           log,
		staticHost:    staticHost,
		streamHandler: streamHandler,
	}

	httpServer := &http.Server{Addr: listener.Addr().String(), Handler: &h}
	go func() {
		<-shutdownC
		_ = httpServer.Close()
	}()

	return httpServer.Serve(listener)
}

// HTTP handler for the websocket proxy.
type handler struct {
	log           *zerolog.Logger
	staticHost    string
	upgrader      websocket.Upgrader
	streamHandler func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)
}

func (h *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// If remote is an empty string, get the destination from the client.
	finalDestination := h.staticHost
	if finalDestination == "" {
		if jumpDestination := r.Header.Get(h2mux.CFJumpDestinationHeader); jumpDestination == "" {
			h.log.Error().Msg("Did not receive final destination from client. The --destination flag is likely not set")
			return
		} else {
			finalDestination = jumpDestination
		}
	}

	stream, err := net.Dial("tcp", finalDestination)
	if err != nil {
		h.log.Err(err).Msg("Cannot connect to remote")
		return
	}
	defer stream.Close()

	if !websocket.IsWebSocketUpgrade(r) {
		_, _ = w.Write(nonWebSocketRequestPage())
		return
	}
	conn, err := h.upgrader.Upgrade(w, r, nil)
	if err != nil {
		h.log.Err(err).Msg("failed to upgrade")
		return
	}
	_ = conn.SetReadDeadline(time.Now().Add(pongWait))
	conn.SetPongHandler(func(string) error { _ = conn.SetReadDeadline(time.Now().Add(pongWait)); return nil })
	gorillaConn := &GorillaConn{Conn: conn, log: h.log}
	go gorillaConn.pinger(r.Context())
	defer conn.Close()

	h.streamHandler(gorillaConn, stream, h.log)
}

// NewResponseHeader returns headers needed to return to origin for completing handshake
func NewResponseHeader(req *http.Request) http.Header {
	header := http.Header{}
	header.Add("Connection", "Upgrade")
	header.Add("Sec-Websocket-Accept", generateAcceptKey(req))
	header.Add("Upgrade", "websocket")
	return header
}

// the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,
// Sec-WebSocket-Version and Sec-Websocket-Extensions headers.
// https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.
func websocketHeaders(req *http.Request) http.Header {
	wsHeaders := make(http.Header)
	for key, val := range req.Header {
		wsHeaders[key] = val
	}
	// Assume the header keys are in canonical format.
	for _, header := range stripWebsocketHeaders {
		wsHeaders.Del(header)
	}
	wsHeaders.Set("Host", req.Host) // See TUN-1097
	return wsHeaders
}

// sha1Base64 sha1 and then base64 encodes str.
func sha1Base64(str string) string {
	hasher := sha1.New()
	_, _ = io.WriteString(hasher, str)
	hash := hasher.Sum(nil)
	return base64.StdEncoding.EncodeToString(hash)
}

// generateAcceptKey returns the string needed for the Sec-WebSocket-Accept header.
// https://tools.ietf.org/html/rfc6455#section-1.3 describes this process in more detail.
func generateAcceptKey(req *http.Request) string {
	return sha1Base64(req.Header.Get("Sec-WebSocket-Key") + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11")
}

// ChangeRequestScheme is needed as the gorilla websocket library requires the ws scheme.
// (even though it changes it back to http/https, but ¯\_(ツ)_/¯.)
func ChangeRequestScheme(reqURL *url.URL) string {
	switch reqURL.Scheme {
	case "https":
		return "wss"
	case "http":
		return "ws"
	case "":
		return "ws"
	default:
		return reqURL.Scheme
	}
}
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`package websocket`

			`import (`
			`"crypto/sha1"`
			`"encoding/base64"`
			`"io"`
			`"net"`
			`"net/http"`
TUN-3506: OriginService needs to set request host and scheme for websocket requests 2020-11-05 13:52:46 +00:00			`"net/url"`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`"time"`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00
AUTH-2369: RDP Bastion prototype 2020-05-04 20:15:17 +00:00			`"github.com/cloudflare/cloudflared/h2mux"`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`"github.com/gorilla/websocket"`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`"github.com/rs/zerolog"`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`)`

AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`var stripWebsocketHeaders = []string{`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`"Upgrade",`
			`"Connection",`
			`"Sec-Websocket-Key",`
			`"Sec-Websocket-Version",`
			`"Sec-Websocket-Extensions",`
			`}`

			`// IsWebSocketUpgrade checks to see if the request is a WebSocket connection.`
			`func IsWebSocketUpgrade(req *http.Request) bool {`
			`return websocket.IsWebSocketUpgrade(req)`
			`}`

			`// ClientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing`
			`// the connection. The response body may not contain the entire response and does`
			`// not need to be closed by the application.`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`func ClientConnect(req http.Request, dialler websocket.Dialer) (websocket.Conn, http.Response, error) {`
TUN-3506: OriginService needs to set request host and scheme for websocket requests 2020-11-05 13:52:46 +00:00			`req.URL.Scheme = ChangeRequestScheme(req.URL)`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`wsHeaders := websocketHeaders(req)`
TUN-3492: Refactor OriginService, shrink its interface 2020-10-30 21:37:40 +00:00			`if dialler == nil {`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`dialler = &websocket.Dialer{`
			`Proxy: http.ProxyFromEnvironment,`
			`}`
TUN-3492: Refactor OriginService, shrink its interface 2020-10-30 21:37:40 +00:00			`}`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`conn, response, err := dialler.Dial(req.URL.String(), wsHeaders)`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`if err != nil {`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`return nil, response, err`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`}`
			`response.Header.Set("Sec-WebSocket-Accept", generateAcceptKey(req))`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`return conn, response, nil`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`}`

AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`// StartProxyServer will start a websocket server that will decode`
			`// the websocket data and write the resulting data to the provided`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`func StartProxyServer(`
			`log *zerolog.Logger,`
			`listener net.Listener,`
			`staticHost string,`
			`shutdownC <-chan struct{},`
TUN-3799: extended the Stream interface to take a logger and added debug logs for io.Copy errors 2021-02-04 15:07:18 +00:00			`streamHandler func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger),`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`) error {`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`upgrader := websocket.Upgrader{`
			`ReadBufferSize: 1024,`
			`WriteBufferSize: 1024,`
			`}`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`h := handler{`
			`upgrader: upgrader,`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`log: log,`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`staticHost: staticHost,`
			`streamHandler: streamHandler,`
			`}`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`httpServer := &http.Server{Addr: listener.Addr().String(), Handler: &h}`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`go func() {`
			`<-shutdownC`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`_ = httpServer.Close()`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}()`

TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`return httpServer.Serve(listener)`
			`}`
AUTH-2369: RDP Bastion prototype 2020-05-04 20:15:17 +00:00
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`// HTTP handler for the websocket proxy.`
			`type handler struct {`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`log *zerolog.Logger`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`staticHost string`
			`upgrader websocket.Upgrader`
TUN-3799: extended the Stream interface to take a logger and added debug logs for io.Copy errors 2021-02-04 15:07:18 +00:00			`streamHandler func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`}`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`func (h handler) ServeHTTP(w http.ResponseWriter, r http.Request) {`
			`// If remote is an empty string, get the destination from the client.`
			`finalDestination := h.staticHost`
			`if finalDestination == "" {`
			`if jumpDestination := r.Header.Get(h2mux.CFJumpDestinationHeader); jumpDestination == "" {`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`h.log.Error().Msg("Did not receive final destination from client. The --destination flag is likely not set")`
AUTH-1188: UX Review and Changes for CLI SSH Access 2018-10-19 20:44:35 +00:00			`return`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`} else {`
			`finalDestination = jumpDestination`
AUTH-1188: UX Review and Changes for CLI SSH Access 2018-10-19 20:44:35 +00:00			`}`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`}`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`stream, err := net.Dial("tcp", finalDestination)`
			`if err != nil {`
TUN-3471: Add structured log context to logs 2020-12-28 18:10:01 +00:00			`h.log.Err(err).Msg("Cannot connect to remote")`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`return`
			`}`
			`defer stream.Close()`

			`if !websocket.IsWebSocketUpgrade(r) {`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`_, _ = w.Write(nonWebSocketRequestPage())`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`return`
			`}`
			`conn, err := h.upgrader.Upgrade(w, r, nil)`
			`if err != nil {`
TUN-3471: Add structured log context to logs 2020-12-28 18:10:01 +00:00			`h.log.Err(err).Msg("failed to upgrade")`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00			`return`
			`}`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`_ = conn.SetReadDeadline(time.Now().Add(pongWait))`
			`conn.SetPongHandler(func(string) error { _ = conn.SetReadDeadline(time.Now().Add(pongWait)); return nil })`
Allow partial reads from a GorillaConn; add SetDeadline (from net.Conn) (#330) * Allow partial reads from a GorillaConn; add SetDeadline (from net.Conn) The current implementation of GorillaConn will drop data if the websocket frame isn't read 100%. For example, if a websocket frame is size=3, and Read() is called with a []byte of len=1, the 2 other bytes in the frame are lost forever. This is currently masked by the fact that this is used primarily in io.Copy to another socket (in ingress.Stream) - as long as the read buffer used by io.Copy is big enough (it is 321024, so in theory we could see this today?) then data is copied over to the other socket. The client then can do partial reads just fine as the kernel will take care of the buffer from here on out. I hit this by trying to create my own tunnel and avoiding ingress.Stream, but this could be a real bug today I think if a websocket frame bigger than 321024 was received, although it is also possible that we are lucky and the upstream size which I haven't checked uses a smaller buffer than that always. The test I added hangs before my change, succeeds after. Also add SetDeadline so that GorillaConn fully implements net.Conn * Comment formatting; fast path * Avoid intermediate buffer for first len(p) bytes; import order 2021-03-09 15:57:04 +00:00			`gorillaConn := &GorillaConn{Conn: conn, log: h.log}`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`go gorillaConn.pinger(r.Context())`
			`defer conn.Close()`

TUN-3799: extended the Stream interface to take a logger and added debug logs for io.Copy errors 2021-02-04 15:07:18 +00:00			`h.streamHandler(gorillaConn, stream, h.log)`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`
TUN-3549: Use a separate handler for each websocket proxy 2020-11-16 19:06:36 +00:00
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`// NewResponseHeader returns headers needed to return to origin for completing handshake`
			`func NewResponseHeader(req *http.Request) http.Header {`
			`header := http.Header{}`
			`header.Add("Connection", "Upgrade")`
			`header.Add("Sec-Websocket-Accept", generateAcceptKey(req))`
			`header.Add("Upgrade", "websocket")`
			`return header`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`}`

TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`// the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,`
			`// Sec-WebSocket-Version and Sec-Websocket-Extensions headers.`
			`// https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.`
			`func websocketHeaders(req *http.Request) http.Header {`
			`wsHeaders := make(http.Header)`
			`for key, val := range req.Header {`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`wsHeaders[key] = val`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`}`
			`// Assume the header keys are in canonical format.`
AUTH-1070: added SSH/protocol forwarding 2018-09-21 15:18:23 +00:00			`for _, header := range stripWebsocketHeaders {`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`wsHeaders.Del(header)`
			`}`
TUN-1097: Host missing from WebSocket request 2018-10-19 21:51:54 +00:00			`wsHeaders.Set("Host", req.Host) // See TUN-1097`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`return wsHeaders`
			`}`

			`// sha1Base64 sha1 and then base64 encodes str.`
			`func sha1Base64(str string) string {`
			`hasher := sha1.New()`
TUN-3470: Replace in-house logger calls with zerolog 2020-11-25 06:55:13 +00:00			`_, _ = io.WriteString(hasher, str)`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`hash := hasher.Sum(nil)`
			`return base64.StdEncoding.EncodeToString(hash)`
			`}`

			`// generateAcceptKey returns the string needed for the Sec-WebSocket-Accept header.`
			`// https://tools.ietf.org/html/rfc6455#section-1.3 describes this process in more detail.`
			`func generateAcceptKey(req *http.Request) string {`
			`return sha1Base64(req.Header.Get("Sec-WebSocket-Key") + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11")`
			`}`

TUN-3506: OriginService needs to set request host and scheme for websocket requests 2020-11-05 13:52:46 +00:00			`// ChangeRequestScheme is needed as the gorilla websocket library requires the ws scheme.`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`// (even though it changes it back to http/https, but ¯\_(ツ)_/¯.)`
TUN-3506: OriginService needs to set request host and scheme for websocket requests 2020-11-05 13:52:46 +00:00			`func ChangeRequestScheme(reqURL *url.URL) string {`
			`switch reqURL.Scheme {`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`case "https":`
			`return "wss"`
			`case "http":`
			`return "ws"`
TUN-3506: OriginService needs to set request host and scheme for websocket requests 2020-11-05 13:52:46 +00:00			`case "":`
			`return "ws"`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`default:`
TUN-3506: OriginService needs to set request host and scheme for websocket requests 2020-11-05 13:52:46 +00:00			`return reqURL.Scheme`
TUN-528: Move cloudflared into a separate repo 2018-05-01 23:45:06 +00:00			`}`
			`}`