]> Sergey Matveev's repositories - tofuproxy.git/blob - main.go
projects / tofuproxy.git / blob


a4b8a32d8516dccf757fb1f30a027893381f2f37
[tofuproxy.git] / main.go
1 /*
2 Copyright (C) 2021 Sergey Matveev <stargrave@stargrave.org>
3
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, version 3 of the License.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program.  If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 package main
18
19 import (
20         "context"
21         "crypto"
22         "crypto/tls"
23         "crypto/x509"
24         "flag"
25         "fmt"
26         "io"
27         "io/ioutil"
28         "log"
29         "net"
30         "net/http"
31         "os"
32         "os/exec"
33         "path/filepath"
34         "strings"
35         "time"
36
37         "github.com/dustin/go-humanize"
38         "go.cypherpunks.ru/ucspi"
39 )
40
41 var (
42         tlsNextProtoS = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
43         caCert        *x509.Certificate
44         caPrv         crypto.PrivateKey
45         transport     = http.Transport{
46                 DialTLSContext:    dialTLS,
47                 ForceAttemptHTTP2: true,
48         }
49         sessionCache = tls.NewLRUClientSessionCache(1024)
50
51         CmdDWebP = "dwebp"
52         CmdDJXL  = "djxl"
53
54         imageExts = map[string]struct{}{
55                 ".apng": {},
56                 ".avif": {},
57                 ".gif":  {},
58                 ".heic": {},
59                 ".jp2":  {},
60                 ".jpeg": {},
61                 ".jpg":  {},
62                 ".jxl":  {},
63                 ".mng":  {},
64                 ".png":  {},
65                 ".svg":  {},
66                 ".tif":  {},
67                 ".tiff": {},
68                 ".webp": {},
69         }
70 )
71
72 func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
73         host := strings.TrimSuffix(addr, ":443")
74         cfg := tls.Config{
75                 VerifyPeerCertificate: func(
76                         rawCerts [][]byte,
77                         verifiedChains [][]*x509.Certificate,
78                 ) error {
79                         return verifyCert(host, nil, rawCerts, verifiedChains)
80                 },
81                 ClientSessionCache: sessionCache,
82                 NextProtos:         []string{"h2", "http/1.1"},
83         }
84         conn, dialErr := tls.Dial(network, addr, &cfg)
85         if dialErr != nil {
86                 if _, ok := dialErr.(ErrRejected); ok {
87                         return nil, dialErr
88                 }
89                 cfg.InsecureSkipVerify = true
90                 cfg.VerifyPeerCertificate = func(
91                         rawCerts [][]byte,
92                         verifiedChains [][]*x509.Certificate,
93                 ) error {
94                         return verifyCert(host, dialErr, rawCerts, verifiedChains)
95                 }
96                 var err error
97                 conn, err = tls.Dial(network, addr, &cfg)
98                 if err != nil {
99                         sinkErr <- fmt.Sprintf("%s\t%s", addr, dialErr.Error())
100                         return nil, err
101                 }
102         }
103         connState := conn.ConnectionState()
104         if connState.DidResume {
105                 sinkTLS <- fmt.Sprintf(
106                         "%s\t%s %s\t%s\t%s",
107                         strings.TrimSuffix(addr, ":443"),
108                         ucspi.TLSVersion(connState.Version),
109                         tls.CipherSuiteName(connState.CipherSuite),
110                         spkiHash(connState.PeerCertificates[0]),
111                         connState.NegotiatedProtocol,
112                 )
113         }
114         return conn, nil
115 }
116
117 func roundTrip(w http.ResponseWriter, req *http.Request) {
118         if req.Method == http.MethodHead {
119                 http.Error(w, "go away", http.StatusMethodNotAllowed)
120                 return
121         }
122         sinkReq <- fmt.Sprintf("%s %s", req.Method, req.URL.String())
123         host := strings.TrimSuffix(req.URL.Host, ":443")
124
125         for _, spy := range SpyDomains {
126                 if strings.HasSuffix(host, spy) {
127                         http.NotFound(w, req)
128                         sinkOther <- fmt.Sprintf(
129                                 "%s %s\t%d\tspy one",
130                                 req.Method,
131                                 req.URL.String(),
132                                 http.StatusNotFound,
133                         )
134                         return
135                 }
136         }
137
138         if strings.HasPrefix(req.URL.Host, "www.reddit.com") {
139                 req.URL.Host = "old.reddit.com"
140                 http.Redirect(w, req, req.URL.String(), http.StatusMovedPermanently)
141                 return
142         }
143
144         resp, err := transport.RoundTrip(req)
145         if err != nil {
146                 sinkErr <- fmt.Sprintf("%s\t%s", req.URL.Host, err.Error())
147                 w.WriteHeader(http.StatusBadGateway)
148                 w.Write([]byte(err.Error()))
149                 return
150         }
151
152         for k, vs := range resp.Header {
153                 if k == "Location" || k == "Content-Type" || k == "Content-Length" {
154                         continue
155                 }
156                 for _, v := range vs {
157                         w.Header().Add(k, v)
158                 }
159         }
160
161         switch resp.Header.Get("Content-Type") {
162         case "application/font-woff", "application/font-sfnt":
163                 // Those are deprecated types
164                 fallthrough
165         case "font/otf", "font/ttf", "font/woff", "font/woff2":
166                 http.NotFound(w, req)
167                 sinkOther <- fmt.Sprintf(
168                         "%s %s\t%d\tfonts are not allowed",
169                         req.Method,
170                         req.URL.String(),
171                         http.StatusNotFound,
172                 )
173                 resp.Body.Close()
174                 return
175         case "image/webp":
176                 if strings.Contains(req.Header.Get("User-Agent"), "AppleWebKit/538.15") {
177                         // My Xombrero
178                         break
179                 }
180                 tmpFd, err := ioutil.TempFile("", "tofuproxy.*.webp")
181                 if err != nil {
182                         log.Fatalln(err)
183                 }
184                 defer tmpFd.Close()
185                 defer os.Remove(tmpFd.Name())
186                 defer resp.Body.Close()
187                 if _, err = io.Copy(tmpFd, resp.Body); err != nil {
188                         log.Printf("Error during %s: %+v\n", req.URL, err)
189                         http.Error(w, err.Error(), http.StatusBadGateway)
190                         return
191                 }
192                 tmpFd.Close()
193                 cmd := exec.Command(CmdDWebP, tmpFd.Name(), "-o", "-")
194                 data, err := cmd.Output()
195                 if err != nil {
196                         http.Error(w, err.Error(), http.StatusBadGateway)
197                         return
198                 }
199                 w.Header().Add("Content-Type", "image/png")
200                 w.WriteHeader(http.StatusOK)
201                 w.Write(data)
202                 sinkOther <- fmt.Sprintf(
203                         "%s %s\t%d\tWebP transcoded to PNG",
204                         req.Method,
205                         req.URL.String(),
206                         http.StatusOK,
207                 )
208                 return
209         case "image/jxl":
210                 tmpFd, err := ioutil.TempFile("", "tofuproxy.*.jxl")
211                 if err != nil {
212                         log.Fatalln(err)
213                 }
214                 defer tmpFd.Close()
215                 defer os.Remove(tmpFd.Name())
216                 defer resp.Body.Close()
217                 if _, err = io.Copy(tmpFd, resp.Body); err != nil {
218                         log.Printf("Error during %s: %+v\n", req.URL, err)
219                         http.Error(w, err.Error(), http.StatusBadGateway)
220                         return
221                 }
222                 tmpFd.Close()
223                 dstFn := tmpFd.Name() + ".png"
224                 cmd := exec.Command(CmdDJXL, tmpFd.Name(), dstFn)
225                 err = cmd.Run()
226                 defer os.Remove(dstFn)
227                 if err != nil {
228                         http.Error(w, err.Error(), http.StatusBadGateway)
229                         return
230                 }
231                 data, err := ioutil.ReadFile(dstFn)
232                 if err != nil {
233                         http.Error(w, err.Error(), http.StatusBadGateway)
234                         return
235                 }
236                 w.Header().Add("Content-Type", "image/png")
237                 w.WriteHeader(http.StatusOK)
238                 w.Write(data)
239                 sinkOther <- fmt.Sprintf(
240                         "%s %s\t%d\tJPEG XL transcoded to PNG",
241                         req.Method,
242                         req.URL.String(),
243                         http.StatusOK,
244                 )
245                 return
246         }
247
248         if req.Method == http.MethodGet {
249                 var redirType string
250                 switch resp.StatusCode {
251                 case http.StatusMovedPermanently, http.StatusPermanentRedirect:
252                         redirType = "permanent"
253                         goto Redir
254                 case http.StatusFound, http.StatusSeeOther, http.StatusTemporaryRedirect:
255                         if strings.Contains(req.Header.Get("User-Agent"), "newsboat/") {
256                                 goto NoRedir
257                         }
258                         if _, ok := imageExts[filepath.Ext(req.URL.Path)]; ok {
259                                 goto NoRedir
260                         }
261                         redirType = "temporary"
262                 default:
263                         goto NoRedir
264                 }
265         Redir:
266                 resp.Body.Close()
267                 w.Header().Add("Content-Type", "text/html")
268                 w.WriteHeader(http.StatusOK)
269                 location := resp.Header.Get("Location")
270                 w.Write([]byte(
271                         fmt.Sprintf(
272                                 `<html>
273 <head><title>%d %s: %s redirection</title></head>
274 <body>Redirection to <a href="%s">%s</a>
275 </body></html>`,
276                                 resp.StatusCode, http.StatusText(resp.StatusCode),
277                                 redirType, location, location,
278                         )))
279                 sinkRedir <- fmt.Sprintf(
280                         "%s %s\t%s\t%s", req.Method, resp.Status, req.URL.String(), location,
281                 )
282                 return
283         }
284
285 NoRedir:
286         for _, h := range []string{"Location", "Content-Type", "Content-Length"} {
287                 if v := resp.Header.Get(h); v != "" {
288                         w.Header().Add(h, v)
289                 }
290         }
291         w.WriteHeader(resp.StatusCode)
292         n, err := io.Copy(w, resp.Body)
293         if err != nil {
294                 log.Printf("Error during %s: %+v\n", req.URL, err)
295         }
296         resp.Body.Close()
297         msg := fmt.Sprintf(
298                 "%s %s\t%s\t%s\t%s",
299                 req.Method,
300                 req.URL.String(),
301                 resp.Status,
302                 resp.Header.Get("Content-Type"),
303                 humanize.IBytes(uint64(n)),
304         )
305         if resp.StatusCode == http.StatusOK {
306                 sinkOK <- msg
307         } else {
308                 sinkOther <- msg
309         }
310 }
311
312 type Handler struct{}
313
314 func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
315         if req.Method != http.MethodConnect {
316                 roundTrip(w, req)
317                 return
318         }
319         hj, ok := w.(http.Hijacker)
320         if !ok {
321                 log.Fatalln("no hijacking")
322         }
323         conn, _, err := hj.Hijack()
324         if err != nil {
325                 log.Fatalln(err)
326         }
327         defer conn.Close()
328         conn.Write([]byte(fmt.Sprintf(
329                 "%s %d %s\r\n\r\n",
330                 req.Proto,
331                 http.StatusOK, http.StatusText(http.StatusOK),
332         )))
333         host := strings.Split(req.Host, ":")[0]
334         hostCertsM.Lock()
335         keypair, ok := hostCerts[host]
336         if !ok || !keypair.cert.NotAfter.After(time.Now().Add(time.Hour)) {
337                 keypair = newKeypair(host, caCert, caPrv)
338                 hostCerts[host] = keypair
339         }
340         hostCertsM.Unlock()
341         tlsConn := tls.Server(conn, &tls.Config{
342                 Certificates: []tls.Certificate{{
343                         Certificate: [][]byte{keypair.cert.Raw},
344                         PrivateKey:  keypair.prv,
345                 }},
346         })
347         if err = tlsConn.Handshake(); err != nil {
348                 log.Printf("TLS error %s: %+v\n", host, err)
349                 return
350         }
351         srv := http.Server{
352                 Handler:      &HTTPSHandler{host: req.Host},
353                 TLSNextProto: tlsNextProtoS,
354         }
355         err = srv.Serve(&SingleListener{conn: tlsConn})
356         if err != nil {
357                 if _, ok := err.(AlreadyAccepted); !ok {
358                         log.Printf("TLS serve error %s: %+v\n", host, err)
359                         return
360                 }
361         }
362 }
363
364 type HTTPSHandler struct {
365         host string
366 }
367
368 func (h *HTTPSHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
369         req.URL.Scheme = "https"
370         req.URL.Host = h.host
371         roundTrip(w, req)
372 }
373
374 func main() {
375         crtPath := flag.String("cert", "cert.pem", "Path to server X.509 certificate")
376         prvPath := flag.String("key", "prv.pem", "Path to server PKCS#8 private key")
377         bind := flag.String("bind", "[::1]:8080", "Bind address")
378         certs = flag.String("certs", "certs", "Directory with pinned certificates")
379         dnsSrv = flag.String("dns", "[::1]:53", "DNS server")
380         fifos = flag.String("fifos", "fifos", "Directory with FIFOs")
381         notai = flag.Bool("notai", false, "Do not prepend TAI64N to logs")
382         flag.Parse()
383         log.SetFlags(log.Lshortfile)
384         fifoInit()
385
386         var err error
387         _, caCert, err = ucspi.CertificateFromFile(*crtPath)
388         if err != nil {
389                 log.Fatalln(err)
390         }
391         caPrv, err = ucspi.PrivateKeyFromFile(*prvPath)
392         if err != nil {
393                 log.Fatalln(err)
394         }
395
396         ln, err := net.Listen("tcp", *bind)
397         if err != nil {
398                 log.Fatalln(err)
399         }
400         srv := http.Server{
401                 Handler:      &Handler{},
402                 TLSNextProto: tlsNextProtoS,
403         }
404         log.Println("listening:", *bind)
405         if err := srv.Serve(ln); err != nil {
406                 log.Fatalln(err)
407         }
408 }
Flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU manager, WARC/geminispace browser