go-gost/gost
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

improve http handler

Browse Source
This commit is contained in:
ginuerzh 2021-10-30 21:01:10 +08:00
parent 57a4d116d4
commit 248f7e4318
2 changed files with 184 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

221
pkg/components/handler/http/handler.go
View File

@ -3,10 +3,17 @@ package http
import ( import (
"bufio" "bufio"
"context" "context"
"encoding/base64"
"encoding/binary"
"errors"
"hash/crc32"
"net" "net"
"net/http" "net/http"
"net/http/httputil" "net/http/httputil"
"os"
"strconv"
"strings" "strings"
"time"
"github.com/go-gost/gost/pkg/auth" "github.com/go-gost/gost/pkg/auth"
"github.com/go-gost/gost/pkg/chain" "github.com/go-gost/gost/pkg/chain"
@ -43,9 +50,9 @@ func (h *Handler) Init(md md.Metadata) error {
} }
func (h *Handler) parseMetadata(md md.Metadata) error { func (h *Handler) parseMetadata(md md.Metadata) error {
h.md.proxyAgent = md.GetString(proxyAgent) h.md.proxyAgent = md.GetString(proxyAgentKey)
if v, _ := md.Get(auths).([]interface{}); len(v) > 0 { if v, _ := md.Get(authsKey).([]interface{}); len(v) > 0 {
authenticator := auth.NewLocalAuthenticator(nil) authenticator := auth.NewLocalAuthenticator(nil)
for _, auth := range v { for _, auth := range v {
if s, _ := auth.(string); s != "" { if s, _ := auth.(string); s != "" {
@ -59,6 +66,17 @@ func (h *Handler) parseMetadata(md md.Metadata) error {
} }
h.md.authenticator = authenticator h.md.authenticator = authenticator
} }
if v := md.GetString(probeResistKey); v != "" {
if ss := strings.SplitN(v, ":", 2); len(ss) == 2 {
h.md.probeResist = &probeResist{
Type: ss[0],
Value: ss[1],
Knock: md.GetString(knockKey),
}
}
}
return nil return nil
} }
@ -66,8 +84,8 @@ func (h *Handler) Handle(ctx context.Context, conn net.Conn) {
defer conn.Close() defer conn.Close()
h.logger = h.logger.WithFields(map[string]interface{}{ h.logger = h.logger.WithFields(map[string]interface{}{
"src": conn.RemoteAddr(), "src": conn.RemoteAddr().String(),
"local": conn.LocalAddr(), "local": conn.LocalAddr().String(),
}) })
req, err := http.ReadRequest(bufio.NewReader(conn)) req, err := http.ReadRequest(bufio.NewReader(conn))
@ -85,43 +103,32 @@ func (h *Handler) handleRequest(ctx context.Context, conn net.Conn, req *http.Re
return return
} }
/* // try to get the actual host.
// try to get the actual host. if v := req.Header.Get("Gost-Target"); v != "" {
if v := req.Header.Get("Gost-Target"); v != "" { if h, err := h.decodeServerName(v); err == nil {
if h, err := decodeServerName(v); err == nil { req.Host = h
req.Host = h
}
} }
*/ }
req.Header.Del("Gost-Target")
host := req.Host host := req.Host
if _, port, _ := net.SplitHostPort(host); port == "" { if _, port, _ := net.SplitHostPort(host); port == "" {
host = net.JoinHostPort(host, "80") host = net.JoinHostPort(host, "80")
} }
h.logger = h.logger.WithFields(map[string]interface{}{ fields := map[string]interface{}{
"dst": host, "dst": host,
}) }
if u, _, _ := h.basicProxyAuth(req.Header.Get("Proxy-Authorization")); u != "" {
fields["user"] = u
}
h.logger = h.logger.WithFields(fields)
if h.logger.IsLevelEnabled(logger.DebugLevel) { if h.logger.IsLevelEnabled(logger.DebugLevel) {
dump, _ := httputil.DumpRequest(req, false) dump, _ := httputil.DumpRequest(req, false)
h.logger.Debug(string(dump)) h.logger.Debug(string(dump))
} }
/*
u, _, _ := basicProxyAuth(req.Header.Get("Proxy-Authorization"))
if u != "" {
u += "@"
}
log.Logf("[http] %s%s -> %s -> %s",
u, conn.RemoteAddr(), h.options.Node.String(), host)
if Debug {
dump, _ := httputil.DumpRequest(req, false)
log.Logf("[http] %s -> %s\n%s", conn.RemoteAddr(), conn.LocalAddr(), string(dump))
}
req.Header.Del("Gost-Target")
*/
resp := &http.Response{ resp := &http.Response{
ProtoMajor: 1, ProtoMajor: 1,
ProtoMinor: 1, ProtoMinor: 1,
@ -164,24 +171,20 @@ func (h *Handler) handleRequest(ctx context.Context, conn net.Conn, req *http.Re
} }
*/ */
/* if !h.authenticate(conn, req, resp) {
if !h.authenticate(conn, req, resp) { return
return }
}
*/
if req.Method == "PRI" || if req.Method == "PRI" ||
(req.Method != http.MethodConnect && req.URL.Scheme != "http") { (req.Method != http.MethodConnect && req.URL.Scheme != "http") {
resp.StatusCode = http.StatusBadRequest resp.StatusCode = http.StatusBadRequest
/*
if Debug {
dump, _ := httputil.DumpResponse(resp, false)
log.Logf("[http] %s <- %s\n%s",
conn.RemoteAddr(), conn.LocalAddr(), string(dump))
}
*/
resp.Write(conn) resp.Write(conn)
if h.logger.IsLevelEnabled(logger.DebugLevel) {
dump, _ := httputil.DumpResponse(resp, false)
h.logger.Debug(string(dump))
}
return return
} }
@ -190,14 +193,12 @@ func (h *Handler) handleRequest(ctx context.Context, conn net.Conn, req *http.Re
cc, err := h.dial(ctx, host) cc, err := h.dial(ctx, host)
if err != nil { if err != nil {
resp.StatusCode = http.StatusServiceUnavailable resp.StatusCode = http.StatusServiceUnavailable
/*
if Debug {
dump, _ := httputil.DumpResponse(resp, false)
log.Logf("[http] %s <- %s\n%s", conn.RemoteAddr(), conn.LocalAddr(), string(dump))
}
*/
resp.Write(conn) resp.Write(conn)
if h.logger.IsLevelEnabled(logger.DebugLevel) {
dump, _ := httputil.DumpResponse(resp, false)
h.logger.Debug(string(dump))
}
return return
} }
defer cc.Close() defer cc.Close()
@ -205,11 +206,19 @@ func (h *Handler) handleRequest(ctx context.Context, conn net.Conn, req *http.Re
if req.Method == http.MethodConnect { if req.Method == http.MethodConnect {
resp.StatusCode = http.StatusOK resp.StatusCode = http.StatusOK
resp.Status = "200 Connection established" resp.Status = "200 Connection established"
resp.Write(conn)
if h.logger.IsLevelEnabled(logger.DebugLevel) {
dump, _ := httputil.DumpResponse(resp, false)
h.logger.Debug(string(dump))
}
if err = resp.Write(conn); err != nil {
h.logger.Warn(err)
return
}
} else { } else {
req.Header.Del("Proxy-Connection") req.Header.Del("Proxy-Connection")
if err = req.Write(cc); err != nil { if err = req.Write(cc); err != nil {
h.logger.Warn(err)
return return
} }
} }
@ -252,9 +261,123 @@ func (h *Handler) dial(ctx context.Context, addr string) (conn net.Conn, err err
conn, err = route.Dial(ctx, "tcp", addr) conn, err = route.Dial(ctx, "tcp", addr)
if err != nil { if err != nil {
h.logger.Warn("retry:", err)
continue continue
} }
} }
return return
} }
func (h *Handler) decodeServerName(s string) (string, error) {
b, err := base64.RawURLEncoding.DecodeString(s)
if err != nil {
return "", err
}
if len(b) < 4 {
return "", errors.New("invalid name")
}
v, err := base64.RawURLEncoding.DecodeString(string(b[4:]))
if err != nil {
return "", err
}
if crc32.ChecksumIEEE(v) != binary.BigEndian.Uint32(b[:4]) {
return "", errors.New("invalid name")
}
return string(v), nil
}
func (h *Handler) basicProxyAuth(proxyAuth string) (username, password string, ok bool) {
if proxyAuth == "" {
return
}
if !strings.HasPrefix(proxyAuth, "Basic ") {
return
}
c, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(proxyAuth, "Basic "))
if err != nil {
return
}
cs := string(c)
s := strings.IndexByte(cs, ':')
if s < 0 {
return
}
return cs[:s], cs[s+1:], true
}
func (h *Handler) authenticate(conn net.Conn, req *http.Request, resp *http.Response) (ok bool) {
u, p, _ := h.basicProxyAuth(req.Header.Get("Proxy-Authorization"))
if h.md.authenticator == nil || h.md.authenticator.Authenticate(u, p) {
return true
}
pr := h.md.probeResist
// probing resistance is enabled, and knocking host is mismatch.
if pr != nil && (pr.Knock == "" || !strings.EqualFold(req.URL.Hostname(), pr.Knock)) {
resp.StatusCode = http.StatusServiceUnavailable // default status code
switch pr.Type {
case "code":
resp.StatusCode, _ = strconv.Atoi(pr.Value)
case "web":
url := pr.Value
if !strings.HasPrefix(url, "http") {
url = "http://" + url
}
if r, err := http.Get(url); err == nil {
resp = r
defer r.Body.Close()
}
case "host":
cc, err := net.Dial("tcp", pr.Value)
if err == nil {
defer cc.Close()
req.Write(cc)
handler.Transport(conn, cc)
return
}
case "file":
f, _ := os.Open(pr.Value)
if f != nil {
resp.StatusCode = http.StatusOK
if finfo, _ := f.Stat(); finfo != nil {
resp.ContentLength = finfo.Size()
}
resp.Header.Set("Content-Type", "text/html")
resp.Body = f
}
}
}
if resp.StatusCode == 0 {
resp.StatusCode = http.StatusProxyAuthRequired
resp.Header.Add("Proxy-Authenticate", "Basic realm=\"gost\"")
if strings.ToLower(req.Header.Get("Proxy-Connection")) == "keep-alive" {
// XXX libcurl will keep sending auth request in same conn
// which we don't supported yet.
resp.Header.Add("Connection", "close")
resp.Header.Add("Proxy-Connection", "close")
}
h.logger.Info("proxy authentication required")
} else {
resp.Header = http.Header{}
resp.Header.Set("Server", "nginx/1.20.1")
resp.Header.Set("Date", time.Now().Format(http.TimeFormat))
if resp.StatusCode == http.StatusOK {
resp.Header.Set("Connection", "keep-alive")
}
}
if h.logger.IsLevelEnabled(logger.DebugLevel) {
dump, _ := httputil.DumpResponse(resp, false)
h.logger.Debug(string(dump))
}
resp.Write(conn)
return
}

15
pkg/components/handler/http/metadata.go
View File

@ -3,9 +3,11 @@ package http
import "github.com/go-gost/gost/pkg/auth" import "github.com/go-gost/gost/pkg/auth"
const ( const (
addr = "addr" addrKey = "addr"
proxyAgent = "proxyAgent" proxyAgentKey = "proxyAgent"
auths = "auths" authsKey = "auths"
probeResistKey = "probeResist"
knockKey = "knock"
) )
type metadata struct { type metadata struct {
@ -13,4 +15,11 @@ type metadata struct {
authenticator auth.Authenticator authenticator auth.Authenticator
proxyAgent string proxyAgent string
retryCount int retryCount int
probeResist *probeResist
}
type probeResist struct {
Type string
Value string
Knock string
} }