]> Sergey Matveev's repositories - tofuproxy.git/blob - tls.go
Download link for 0.5.0 release
[tofuproxy.git] / tls.go
1 // tofuproxy -- flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU
2 //              manager, WARC/geminispace browser
3 // Copyright (C) 2021-2024 Sergey Matveev <stargrave@stargrave.org>
4 //
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, version 3 of the License.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 // GNU General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License
15 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
16
17 package tofuproxy
18
19 import (
20         "crypto"
21         "crypto/tls"
22         "crypto/x509"
23         "fmt"
24         "log"
25         "net/http"
26         "time"
27
28         ttls "go.stargrave.org/tofuproxy/tls"
29 )
30
31 var (
32         TLSNextProtoS = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
33         CACert        *x509.Certificate
34         CAPrv         crypto.PrivateKey
35 )
36
37 type Handler struct{}
38
39 func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
40         if req.Method != http.MethodConnect {
41                 roundTrip(w, req)
42                 return
43         }
44         hj, ok := w.(http.Hijacker)
45         if !ok {
46                 log.Fatalln("no hijacking")
47         }
48         conn, _, err := hj.Hijack()
49         if err != nil {
50                 log.Fatalln(err)
51         }
52         defer conn.Close()
53         fmt.Fprintf(
54                 conn, "%s %d %s\r\n\r\n",
55                 req.Proto, http.StatusOK, http.StatusText(http.StatusOK),
56         )
57         host, _, _ := ttls.SplitHostPort(req.Host)
58         hostCertsM.Lock()
59         keypair, ok := hostCerts[host]
60         if !ok || !keypair.cert.NotAfter.After(time.Now().Add(time.Hour)) {
61                 keypair = newX509Keypair(host, CACert, CAPrv)
62                 hostCerts[host] = keypair
63         }
64         hostCertsM.Unlock()
65         tlsConn := tls.Server(conn, &tls.Config{
66                 Certificates: []tls.Certificate{{
67                         Certificate: [][]byte{keypair.cert.Raw},
68                         PrivateKey:  keypair.prv,
69                 }},
70         })
71         if err = tlsConn.Handshake(); err != nil {
72                 log.Printf("TLS error %s: %+v\n", host, err)
73                 return
74         }
75         srv := http.Server{
76                 Handler:      &HTTPSHandler{host: req.Host},
77                 TLSNextProto: TLSNextProtoS,
78         }
79         err = srv.Serve(&SingleListener{conn: tlsConn})
80         if err != nil {
81                 if _, ok := err.(AlreadyAccepted); !ok {
82                         log.Printf("TLS serve error %s: %+v\n", host, err)
83                         return
84                 }
85         }
86 }
87
88 type HTTPSHandler struct {
89         host string
90 }
91
92 func (h *HTTPSHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
93         req.URL.Scheme = "https"
94         req.URL.Host = h.host
95         roundTrip(w, req)
96 }