mirror of
https://github.com/dstotijn/hetty.git
synced 2025-07-01 18:47:29 -04:00
140 lines
3.2 KiB
Go
140 lines
3.2 KiB
Go
package proxy
|
|
|
|
import (
|
|
"context"
|
|
"crypto"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
)
|
|
|
|
func errorHandler(w http.ResponseWriter, r *http.Request, err error) {
|
|
if err == context.Canceled {
|
|
return
|
|
}
|
|
log.Printf("[ERROR]: Proxy error: %v", err)
|
|
w.WriteHeader(http.StatusBadGateway)
|
|
}
|
|
|
|
// Proxy implements http.Handler and offers MITM behaviour for modifying
|
|
// HTTP requests and responses.
|
|
type Proxy struct {
|
|
certConfig *CertConfig
|
|
handler http.Handler
|
|
|
|
// TODO: Add mutex for modifier funcs.
|
|
reqModifier RequestModifyFunc
|
|
resModifier ResponseModifyFunc
|
|
}
|
|
|
|
// NewProxy returns a new Proxy.
|
|
func NewProxy(ca *x509.Certificate, key crypto.PrivateKey) (*Proxy, error) {
|
|
certConfig, err := NewCertConfig(ca, key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
p := &Proxy{
|
|
certConfig: certConfig,
|
|
reqModifier: nopReqModifier,
|
|
resModifier: nopResModifier,
|
|
}
|
|
|
|
p.handler = &httputil.ReverseProxy{
|
|
Director: p.modifyRequest,
|
|
ModifyResponse: p.modifyResponse,
|
|
ErrorHandler: errorHandler,
|
|
}
|
|
|
|
return p, nil
|
|
}
|
|
|
|
func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method == http.MethodConnect {
|
|
p.handleConnect(w, r)
|
|
return
|
|
}
|
|
|
|
p.handler.ServeHTTP(w, r)
|
|
}
|
|
|
|
func (p *Proxy) modifyRequest(r *http.Request) {
|
|
// Fix r.URL for HTTPS requests after CONNECT.
|
|
if r.URL.Scheme == "" {
|
|
r.URL.Host = r.Host
|
|
r.URL.Scheme = "https"
|
|
}
|
|
|
|
p.reqModifier(r)
|
|
}
|
|
|
|
func (p *Proxy) modifyResponse(res *http.Response) error {
|
|
return p.resModifier(res)
|
|
}
|
|
|
|
// handleConnect hijacks the incoming HTTP request and sets up an HTTP tunnel.
|
|
// During the TLS handshake with the client, we use the proxy's CA config to
|
|
// create a certificate on-the-fly.
|
|
func (p *Proxy) handleConnect(w http.ResponseWriter, r *http.Request) {
|
|
hj, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
log.Printf("[ERROR] handleConnect: ResponseWriter is not a http.Hijacker (type: %T)", w)
|
|
writeError(w, r, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
clientConn, _, err := hj.Hijack()
|
|
if err != nil {
|
|
log.Printf("[ERROR] Hijacking client connection failed: %v", err)
|
|
writeError(w, r, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
defer clientConn.Close()
|
|
|
|
// Secure connection to client.
|
|
clientConn, err = p.clientTLSConn(clientConn)
|
|
if err != nil {
|
|
log.Printf("[ERROR] Securing client connection failed: %v", err)
|
|
return
|
|
}
|
|
clientConnNotify := ConnNotify{clientConn, make(chan struct{})}
|
|
|
|
l := &OnceAcceptListener{clientConnNotify.Conn}
|
|
|
|
err = http.Serve(l, p.handler)
|
|
if err != nil && err != ErrAlreadyAccepted {
|
|
log.Printf("[ERROR] Serving HTTP request failed: %v", err)
|
|
}
|
|
<-clientConnNotify.closed
|
|
}
|
|
|
|
func (p *Proxy) clientTLSConn(conn net.Conn) (*tls.Conn, error) {
|
|
tlsConfig := p.certConfig.TLSConfig()
|
|
|
|
tlsConn := tls.Server(conn, tlsConfig)
|
|
if err := tlsConn.Handshake(); err != nil {
|
|
tlsConn.Close()
|
|
return nil, fmt.Errorf("handshake error: %v", err)
|
|
}
|
|
|
|
return tlsConn, nil
|
|
}
|
|
|
|
func (p *Proxy) UseRequestModifier(fn RequestModifyFunc) {
|
|
p.reqModifier = fn
|
|
}
|
|
|
|
func (p *Proxy) UseResponseModifier(fn ResponseModifyFunc) {
|
|
p.resModifier = fn
|
|
}
|
|
|
|
func writeError(w http.ResponseWriter, r *http.Request, code int) {
|
|
http.Error(w, http.StatusText(code), code)
|
|
}
|