2018-05-01 23:45:06 +00:00
|
|
|
package websocket
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bufio"
|
|
|
|
"crypto/sha1"
|
|
|
|
"crypto/tls"
|
|
|
|
"encoding/base64"
|
2019-10-02 20:56:28 +00:00
|
|
|
"encoding/binary"
|
2019-10-09 21:56:47 +00:00
|
|
|
"encoding/json"
|
2018-05-01 23:45:06 +00:00
|
|
|
"errors"
|
|
|
|
"io"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
2018-09-21 15:18:23 +00:00
|
|
|
"time"
|
2018-05-01 23:45:06 +00:00
|
|
|
|
2019-10-09 21:56:47 +00:00
|
|
|
"github.com/cloudflare/cloudflared/sshserver"
|
2018-05-01 23:45:06 +00:00
|
|
|
"github.com/gorilla/websocket"
|
2018-09-21 15:18:23 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2018-05-01 23:45:06 +00:00
|
|
|
)
|
|
|
|
|
2018-09-21 15:18:23 +00:00
|
|
|
const (
|
|
|
|
// Time allowed to write a message to the peer.
|
|
|
|
writeWait = 10 * time.Second
|
|
|
|
|
|
|
|
// Time allowed to read the next pong message from the peer.
|
|
|
|
pongWait = 60 * time.Second
|
|
|
|
|
|
|
|
// Send pings to peer with this period. Must be less than pongWait.
|
|
|
|
pingPeriod = (pongWait * 9) / 10
|
|
|
|
)
|
|
|
|
|
|
|
|
var stripWebsocketHeaders = []string{
|
2018-05-01 23:45:06 +00:00
|
|
|
"Upgrade",
|
|
|
|
"Connection",
|
|
|
|
"Sec-Websocket-Key",
|
|
|
|
"Sec-Websocket-Version",
|
|
|
|
"Sec-Websocket-Extensions",
|
|
|
|
}
|
|
|
|
|
2018-09-21 15:18:23 +00:00
|
|
|
// Conn is a wrapper around the standard gorilla websocket
|
|
|
|
// but implements a ReadWriter
|
|
|
|
type Conn struct {
|
|
|
|
*websocket.Conn
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read will read messages from the websocket connection
|
|
|
|
func (c *Conn) Read(p []byte) (int, error) {
|
|
|
|
_, message, err := c.Conn.ReadMessage()
|
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return copy(p, message), nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// Write will write messages to the websocket connection
|
|
|
|
func (c *Conn) Write(p []byte) (int, error) {
|
|
|
|
if err := c.Conn.WriteMessage(websocket.BinaryMessage, p); err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return len(p), nil
|
|
|
|
}
|
|
|
|
|
2018-05-01 23:45:06 +00:00
|
|
|
// IsWebSocketUpgrade checks to see if the request is a WebSocket connection.
|
|
|
|
func IsWebSocketUpgrade(req *http.Request) bool {
|
|
|
|
return websocket.IsWebSocketUpgrade(req)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ClientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing
|
|
|
|
// the connection. The response body may not contain the entire response and does
|
|
|
|
// not need to be closed by the application.
|
|
|
|
func ClientConnect(req *http.Request, tlsClientConfig *tls.Config) (*websocket.Conn, *http.Response, error) {
|
|
|
|
req.URL.Scheme = changeRequestScheme(req)
|
|
|
|
wsHeaders := websocketHeaders(req)
|
|
|
|
|
|
|
|
d := &websocket.Dialer{TLSClientConfig: tlsClientConfig}
|
|
|
|
conn, response, err := d.Dial(req.URL.String(), wsHeaders)
|
|
|
|
if err != nil {
|
2018-09-21 15:18:23 +00:00
|
|
|
return nil, response, err
|
2018-05-01 23:45:06 +00:00
|
|
|
}
|
|
|
|
response.Header.Set("Sec-WebSocket-Accept", generateAcceptKey(req))
|
|
|
|
return conn, response, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// HijackConnection takes over an HTTP connection. Caller is responsible for closing connection.
|
|
|
|
func HijackConnection(w http.ResponseWriter) (net.Conn, *bufio.ReadWriter, error) {
|
|
|
|
hj, ok := w.(http.Hijacker)
|
|
|
|
if !ok {
|
|
|
|
return nil, nil, errors.New("hijack error")
|
|
|
|
}
|
|
|
|
|
|
|
|
conn, brw, err := hj.Hijack()
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
return conn, brw, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Stream copies copy data to & from provided io.ReadWriters.
|
|
|
|
func Stream(conn, backendConn io.ReadWriter) {
|
|
|
|
proxyDone := make(chan struct{}, 2)
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
io.Copy(conn, backendConn)
|
|
|
|
proxyDone <- struct{}{}
|
|
|
|
}()
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
io.Copy(backendConn, conn)
|
|
|
|
proxyDone <- struct{}{}
|
|
|
|
}()
|
|
|
|
|
|
|
|
// If one side is done, we are done.
|
|
|
|
<-proxyDone
|
|
|
|
}
|
|
|
|
|
2020-03-31 14:56:22 +00:00
|
|
|
// DefaultStreamHandler is provided to the the standard websocket to origin stream
|
|
|
|
// This exist to allow SOCKS to deframe data before it gets to the origin
|
|
|
|
func DefaultStreamHandler(wsConn *Conn, remoteConn net.Conn) {
|
|
|
|
Stream(wsConn, remoteConn)
|
|
|
|
}
|
|
|
|
|
2018-09-21 15:18:23 +00:00
|
|
|
// StartProxyServer will start a websocket server that will decode
|
|
|
|
// the websocket data and write the resulting data to the provided
|
2020-03-31 14:56:22 +00:00
|
|
|
func StartProxyServer(logger *logrus.Logger, listener net.Listener, remote string, shutdownC <-chan struct{}, streamHandler func(wsConn *Conn, remoteConn net.Conn)) error {
|
2018-09-21 15:18:23 +00:00
|
|
|
upgrader := websocket.Upgrader{
|
|
|
|
ReadBufferSize: 1024,
|
|
|
|
WriteBufferSize: 1024,
|
|
|
|
}
|
|
|
|
|
|
|
|
httpServer := &http.Server{Addr: listener.Addr().String(), Handler: nil}
|
|
|
|
go func() {
|
|
|
|
<-shutdownC
|
|
|
|
httpServer.Close()
|
|
|
|
}()
|
|
|
|
|
|
|
|
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
stream, err := net.Dial("tcp", remote)
|
|
|
|
if err != nil {
|
|
|
|
logger.WithError(err).Error("Cannot connect to remote.")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
defer stream.Close()
|
|
|
|
|
2018-10-19 20:44:35 +00:00
|
|
|
if !websocket.IsWebSocketUpgrade(r) {
|
|
|
|
w.Write(nonWebSocketRequestPage())
|
|
|
|
return
|
|
|
|
}
|
2018-09-21 15:18:23 +00:00
|
|
|
conn, err := upgrader.Upgrade(w, r, nil)
|
|
|
|
if err != nil {
|
|
|
|
logger.WithError(err).Error("failed to upgrade")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
conn.SetReadDeadline(time.Now().Add(pongWait))
|
|
|
|
conn.SetPongHandler(func(string) error { conn.SetReadDeadline(time.Now().Add(pongWait)); return nil })
|
|
|
|
done := make(chan struct{})
|
|
|
|
go pinger(logger, conn, done)
|
|
|
|
defer func() {
|
2018-10-31 16:44:39 +00:00
|
|
|
done <- struct{}{}
|
2018-09-21 15:18:23 +00:00
|
|
|
conn.Close()
|
|
|
|
}()
|
2019-10-02 20:56:28 +00:00
|
|
|
|
2019-10-09 21:56:47 +00:00
|
|
|
token := r.Header.Get("cf-access-token")
|
2019-10-02 20:56:28 +00:00
|
|
|
if destination := r.Header.Get("CF-Access-SSH-Destination"); destination != "" {
|
2019-10-09 21:56:47 +00:00
|
|
|
if err := sendSSHPreamble(stream, destination, token); err != nil {
|
|
|
|
logger.WithError(err).Error("Failed to send SSH preamble")
|
|
|
|
return
|
2019-10-02 20:56:28 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-31 14:56:22 +00:00
|
|
|
streamHandler(&Conn{conn}, stream)
|
2018-09-21 15:18:23 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
return httpServer.Serve(listener)
|
|
|
|
}
|
|
|
|
|
2019-10-09 21:56:47 +00:00
|
|
|
// sendSSHPreamble sends the final SSH destination address to the cloudflared SSH proxy
|
2019-10-02 20:56:28 +00:00
|
|
|
// The destination is preceded by its length
|
2019-10-09 21:56:47 +00:00
|
|
|
func sendSSHPreamble(stream net.Conn, destination, token string) error {
|
|
|
|
preamble := &sshserver.SSHPreamble{Destination: destination, JWT: token}
|
|
|
|
payload, err := json.Marshal(preamble)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-10-16 15:53:46 +00:00
|
|
|
if uint16(len(payload)) > ^uint16(0) {
|
|
|
|
return errors.New("ssh preamble payload too large")
|
|
|
|
}
|
|
|
|
|
2019-10-09 21:56:47 +00:00
|
|
|
sizeBytes := make([]byte, sshserver.SSHPreambleLength)
|
2019-10-16 15:53:46 +00:00
|
|
|
binary.BigEndian.PutUint16(sizeBytes, uint16(len(payload)))
|
2019-10-02 20:56:28 +00:00
|
|
|
if _, err := stream.Write(sizeBytes); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-10-09 21:56:47 +00:00
|
|
|
if _, err := stream.Write(payload); err != nil {
|
2019-10-02 20:56:28 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-05-01 23:45:06 +00:00
|
|
|
// the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,
|
|
|
|
// Sec-WebSocket-Version and Sec-Websocket-Extensions headers.
|
|
|
|
// https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.
|
|
|
|
func websocketHeaders(req *http.Request) http.Header {
|
|
|
|
wsHeaders := make(http.Header)
|
|
|
|
for key, val := range req.Header {
|
2018-09-21 15:18:23 +00:00
|
|
|
wsHeaders[key] = val
|
2018-05-01 23:45:06 +00:00
|
|
|
}
|
|
|
|
// Assume the header keys are in canonical format.
|
2018-09-21 15:18:23 +00:00
|
|
|
for _, header := range stripWebsocketHeaders {
|
2018-05-01 23:45:06 +00:00
|
|
|
wsHeaders.Del(header)
|
|
|
|
}
|
2018-10-19 21:51:54 +00:00
|
|
|
wsHeaders.Set("Host", req.Host) // See TUN-1097
|
2018-05-01 23:45:06 +00:00
|
|
|
return wsHeaders
|
|
|
|
}
|
|
|
|
|
|
|
|
// sha1Base64 sha1 and then base64 encodes str.
|
|
|
|
func sha1Base64(str string) string {
|
|
|
|
hasher := sha1.New()
|
|
|
|
io.WriteString(hasher, str)
|
|
|
|
hash := hasher.Sum(nil)
|
|
|
|
return base64.StdEncoding.EncodeToString(hash)
|
|
|
|
}
|
|
|
|
|
|
|
|
// generateAcceptKey returns the string needed for the Sec-WebSocket-Accept header.
|
|
|
|
// https://tools.ietf.org/html/rfc6455#section-1.3 describes this process in more detail.
|
|
|
|
func generateAcceptKey(req *http.Request) string {
|
|
|
|
return sha1Base64(req.Header.Get("Sec-WebSocket-Key") + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11")
|
|
|
|
}
|
|
|
|
|
|
|
|
// changeRequestScheme is needed as the gorilla websocket library requires the ws scheme.
|
|
|
|
// (even though it changes it back to http/https, but ¯\_(ツ)_/¯.)
|
|
|
|
func changeRequestScheme(req *http.Request) string {
|
|
|
|
switch req.URL.Scheme {
|
|
|
|
case "https":
|
|
|
|
return "wss"
|
|
|
|
case "http":
|
|
|
|
return "ws"
|
|
|
|
default:
|
|
|
|
return req.URL.Scheme
|
|
|
|
}
|
|
|
|
}
|
2018-09-21 15:18:23 +00:00
|
|
|
|
|
|
|
// pinger simulates the websocket connection to keep it alive
|
|
|
|
func pinger(logger *logrus.Logger, ws *websocket.Conn, done chan struct{}) {
|
|
|
|
ticker := time.NewTicker(pingPeriod)
|
|
|
|
defer ticker.Stop()
|
|
|
|
for {
|
|
|
|
select {
|
|
|
|
case <-ticker.C:
|
|
|
|
if err := ws.WriteControl(websocket.PingMessage, []byte{}, time.Now().Add(writeWait)); err != nil {
|
|
|
|
logger.WithError(err).Debug("failed to send ping message")
|
|
|
|
}
|
|
|
|
case <-done:
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|