X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;ds=sidebyside;f=trip.go;h=4f3e1d6de56ac6e86bf174abe481caf9227d5ae1;hb=HEAD;hp=3ad6eb178f1dca2c24d738c883ae7481d5b3a65e;hpb=cb0d759766dd7183adc00f097760fc82ff2796d0;p=tofuproxy.git diff --git a/trip.go b/trip.go index 3ad6eb1..0e179a5 100644 --- a/trip.go +++ b/trip.go @@ -1,19 +1,18 @@ -/* -tofuproxy -- HTTP proxy with TLS certificates management -Copyright (C) 2021 Sergey Matveev - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU General Public License as published by -the Free Software Foundation, version 3 of the License. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU General Public License for more details. - -You should have received a copy of the GNU General Public License -along with this program. If not, see . -*/ +// tofuproxy -- flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU +// manager, WARC/geminispace browser +// Copyright (C) 2021-2024 Sergey Matveev +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, version 3 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see . package tofuproxy @@ -27,8 +26,10 @@ import ( "time" "github.com/dustin/go-humanize" + "go.stargrave.org/tofuproxy/caches" "go.stargrave.org/tofuproxy/fifos" "go.stargrave.org/tofuproxy/rounds" + ttls "go.stargrave.org/tofuproxy/tls" ) var ( @@ -40,7 +41,7 @@ var ( MaxIdleConns: http.DefaultTransport.(*http.Transport).MaxIdleConns, IdleConnTimeout: http.DefaultTransport.(*http.Transport).IdleConnTimeout * 2, TLSHandshakeTimeout: time.Minute, - DialTLSContext: dialTLS, + DialTLSContext: ttls.DialTLS, ForceAttemptHTTP2: true, } proxyHeaders = map[string]struct{}{ @@ -58,10 +59,12 @@ type Round func( ) (bool, error) func roundTrip(w http.ResponseWriter, req *http.Request) { - fifos.SinkReq <- fmt.Sprintf("%s %s", req.Method, req.URL.String()) + defer req.Body.Close() + fifos.LogReq <- fmt.Sprintf("%s %s", req.Method, req.URL) host := strings.TrimSuffix(req.URL.Host, ":443") for _, round := range []Round{ - rounds.RoundNoHead, + rounds.RoundGemini, + rounds.RoundWARC, rounds.RoundDenySpy, rounds.RoundRedditOld, rounds.RoundHabrImage, @@ -71,13 +74,56 @@ func roundTrip(w http.ResponseWriter, req *http.Request) { } } + reqFlags := []string{} + unauthorized := false + + caches.HTTPAuthCacheM.RLock() + if creds, ok := caches.HTTPAuthCache[req.URL.Host]; ok { + req.SetBasicAuth(creds[0], creds[1]) + unauthorized = true + } + caches.HTTPAuthCacheM.RUnlock() + +Retry: resp, err := transport.RoundTrip(req) if err != nil { - fifos.SinkErr <- fmt.Sprintf("%s\t%s", req.URL.Host, err.Error()) + fifos.LogErr <- fmt.Sprintf("%s\t%s", req.URL.Host, err.Error()) http.Error(w, err.Error(), http.StatusBadGateway) return } + if resp.StatusCode == http.StatusUnauthorized { + resp.Body.Close() + caches.HTTPAuthCacheM.Lock() + if unauthorized { + delete(caches.HTTPAuthCache, req.URL.Host) + } else { + unauthorized = true + } + fifos.LogVarious <- fmt.Sprintf( + "%s %s\tHTTP authorization required", req.Method, req.URL.Host, + ) + var user, pass string + user, pass, err = authDialog(host, resp.Header.Get("WWW-Authenticate")) + if err != nil { + caches.HTTPAuthCacheM.Unlock() + fifos.LogErr <- fmt.Sprintf("%s\t%s", req.URL.Host, err.Error()) + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + caches.HTTPAuthCache[req.URL.Host] = [2]string{user, pass} + caches.HTTPAuthCacheM.Unlock() + req.SetBasicAuth(user, pass) + fifos.LogHTTPAuth <- fmt.Sprintf("%s %s\t%s", req.Method, req.URL, user) + goto Retry + } + if unauthorized { + reqFlags = append(reqFlags, "auth") + } + if resp.TLS != nil && resp.TLS.NegotiatedProtocol != "" { + reqFlags = append(reqFlags, resp.TLS.NegotiatedProtocol) + } + for k, vs := range resp.Header { if _, ok := proxyHeaders[k]; ok { continue @@ -87,20 +133,23 @@ func roundTrip(w http.ResponseWriter, req *http.Request) { } } - for _, round := range []Round{ - rounds.RoundDenyFonts, - rounds.RoundTranscodeWebP, - rounds.RoundTranscodeJXL, - rounds.RoundTranscodeAVIF, - rounds.RoundRedirectHTML, - } { - cont, err := round(host, resp, w, req) - if err != nil { - http.Error(w, err.Error(), http.StatusBadGateway) - return - } - if !cont { - return + { + var cont bool + for _, round := range []Round{ + rounds.RoundDenyFonts, + rounds.RoundTranscodeWebP, + rounds.RoundTranscodeJXL, + rounds.RoundTranscodeAVIF, + rounds.RoundRedirectHTML, + } { + cont, err = round(host, resp, w, req) + if err != nil { + http.Error(w, err.Error(), http.StatusBadGateway) + return + } + if !cont { + return + } } } @@ -116,16 +165,16 @@ func roundTrip(w http.ResponseWriter, req *http.Request) { } resp.Body.Close() msg := fmt.Sprintf( - "%s %s\t%s\t%s\t%s", - req.Method, - req.URL.String(), + "%s %s\t%s\t%s\t%s\t%s", + req.Method, req.URL, resp.Status, resp.Header.Get("Content-Type"), humanize.IBytes(uint64(n)), + strings.Join(reqFlags, ","), ) if resp.StatusCode == http.StatusOK { - fifos.SinkOK <- msg + fifos.LogOK <- msg } else { - fifos.SinkOther <- msg + fifos.LogNonOK <- msg } }