Merge pull request #3 from go-httpproxy/develop

v1.2

Author: orkunkaraduman

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2018, go-httpproxy authors.
+Copyright (c) 2018, "httpproxy" authors.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -8,7 +8,7 @@ modification, are permitted provided that the following conditions are met:
     * Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
-    * Neither the name of the go-httpproxy authors nor the
+    * Neither the name of the "httpproxy" authors nor the
       names of its contributors may be used to endorse or promote products
       derived from this software without specific prior written permission.
 

README.md

@@ -1,23 +1,14 @@
-# A Go HTTP proxy library which has KISS principle
+# Go HTTP proxy library
 
-## Introduction
+[![GoDoc](https://godoc.org/github.com/go-httpproxy/httpproxy?status.svg)](https://godoc.org/github.com/go-httpproxy/httpproxy)
 
-`github.com/go-httpproxy/httpproxy` repository provides an HTTP proxy library
-for Go (golang).
-
-The library is regular HTTP proxy; supports HTTP, HTTPS through CONNECT. And
-also provides HTTPS connection using "Man in the Middle" style attack.
+Package httpproxy provides a customizable HTTP proxy; supports HTTP, HTTPS through
+CONNECT. And also provides HTTPS connection using "Man in the Middle" style
+attack.
 
 It's easy to use. `httpproxy.Proxy` implements `Handler` interface of `net/http`
 package to offer `http.ListenAndServe` function.
 
-### Keep it simple, stupid!
-
-> KISS is an acronym for "Keep it simple, stupid" as a design principle. The
-KISS principle states that most systems work best if they are kept simple rather
-than made complicated; therefore simplicity should be a key goal in design and
-unnecessary complexity should be avoided.  [Wikipedia]
-
 ## Usage
 
 Library has two significant structs: Proxy and Context.
@@ -27,7 +18,7 @@ Library has two significant structs: Proxy and Context.
 ```go
 // Proxy defines parameters for running an HTTP Proxy. It implements
 // http.Handler interface for ListenAndServe function. If you need, you must
-// fill Proxy struct before handling requests.
+// set Proxy struct before handling requests.
 type Proxy struct {
 	// Session number of last proxy request.
 	SessionNo int64
@@ -68,8 +59,12 @@ type Proxy struct {
 	OnResponse func(ctx *Context, req *http.Request, resp *http.Response)
 
 	// If ConnectAction is ConnectMitm, it sets chunked to Transfer-Encoding.
-	// By default, it is true.
+	// By default, true.
 	MitmChunked bool
+
+	// HTTP Authentication type. If it's not specified (""), uses "Basic".
+	// By default, "".
+	AuthType string
 }
 ```
 
@@ -176,11 +171,3 @@ func main() {
 	http.ListenAndServe(":8080", prx)
 }
 ```
-
-## GoDoc
-
-[https://godoc.org/github.com/go-httpproxy/httpproxy](https://godoc.org/github.com/go-httpproxy/httpproxy)
-
-## To-Do
-
-* GoDoc

ca.go

@@ -10,10 +10,11 @@ import (
 	mrand "math/rand"
 	"net"
 	"sort"
+	"sync"
 	"time"
 )
 
-// Default certificate.
+// DefaultCaCert provides default CA certificate.
 var DefaultCaCert = []byte(`-----BEGIN CERTIFICATE-----
 MIIFkzCCA3ugAwIBAgIJAKEbW2ujNjX9MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
 BAYTAlRSMREwDwYDVQQIDAhJc3RhbmJ1bDEVMBMGA1UECgwMZ28taHR0cHByb3h5
@@ -47,7 +48,7 @@ Ii9Vb07WDMQXou0ZZs7rnjAKo+sfFElTFewtS1wif4ZYBUJN1ln9G8qKaxbAiElm
 MgzNfZ7WlnaJf2rfHJbvK9VqJ9z6dLRYPjCHhakJBtzsMdxysEGJ
 -----END CERTIFICATE-----`)
 
-// Default key.
+// DefaultCaKey provides default CA key.
 var DefaultCaKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
 MIIJKQIBAAKCAgEA18cwaaZzhdDEpUXpR9pkYRqsSdT30WhynFhFtcaBOf4eYdpt
 AJWL2ipo3Ac6bh+YgWfywG4prrSfWOJl+dQ59w439vLek/waBcEeFx+wJ6PFu0ur
@@ -100,7 +101,82 @@ s39uFDUnxsMb2Nl3JcNJHYBTm9ubjAZSo/3NuB0z/Gm+ssOcExTD//vW7BxxSAcs
 /xlPPTPbY5qoMAT7kK71kd4Ypnqbcs3UPpAHtcPkjWpuWOlebK0J7UYToj4f
 -----END RSA PRIVATE KEY-----`)
 
-func signHosts(ca tls.Certificate, hosts []string) (cert tls.Certificate, error error) {
+// CaSigner is a certificate signer by CA certificate. It supports caching.
+type CaSigner struct {
+	// Ca specifies CA certificate. You must set before using.
+	Ca *tls.Certificate
+
+	mu        sync.RWMutex
+	certMap   map[string]*tls.Certificate
+	certList  []string
+	certIndex int
+	certMax   int
+}
+
+// NewCaSigner returns a new CaSigner without caching.
+func NewCaSigner() *CaSigner {
+	return NewCaSignerCache(0)
+}
+
+// NewCaSignerCache returns a new CaSigner with caching given max.
+func NewCaSignerCache(max int) *CaSigner {
+	if max < 0 {
+		max = 0
+	}
+	return &CaSigner{
+		certMap:   make(map[string]*tls.Certificate),
+		certList:  make([]string, max),
+		certIndex: 0,
+		certMax:   max,
+	}
+}
+
+// SignHost generates TLS certificate given single host, signed by CA certificate.
+func (c *CaSigner) SignHost(host string) (cert *tls.Certificate) {
+	if host == "" {
+		return
+	}
+	if c.certMax <= 0 {
+		crt, err := SignHosts(*c.Ca, []string{host})
+		if err != nil {
+			return nil
+		}
+		cert = crt
+		return
+	}
+	func() {
+		c.mu.RLock()
+		defer c.mu.RUnlock()
+		cert = c.certMap[host]
+	}()
+	if cert != nil {
+		return
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	cert = c.certMap[host]
+	if cert != nil {
+		return
+	}
+	crt, err := SignHosts(*c.Ca, []string{host})
+	if err != nil {
+		return nil
+	}
+	cert = crt
+	if len(c.certMap) >= c.certMax {
+		delete(c.certMap, c.certList[c.certIndex])
+	}
+	c.certMap[host] = cert
+	c.certList[c.certIndex] = host
+	c.certIndex++
+	if c.certIndex >= c.certMax {
+		c.certIndex = 0
+	}
+	return
+}
+
+// SignHosts generates TLS certificate given hosts, signed by CA certificate.
+func SignHosts(ca tls.Certificate, hosts []string) (cert *tls.Certificate, error error) {
 	var x509ca *x509.Certificate
 	if x509ca, error = x509.ParseCertificate(ca.Certificate[0]); error != nil {
 		return
@@ -136,7 +212,7 @@ func signHosts(ca tls.Certificate, hosts []string) (cert tls.Certificate, error
 	if derBytes, error = x509.CreateCertificate(rnd, &template, x509ca, &certPriv.PublicKey, ca.PrivateKey); error != nil {
 		return
 	}
-	return tls.Certificate{
+	return &tls.Certificate{
 		Certificate: [][]byte{derBytes, ca.Certificate[0]},
 		PrivateKey:  certPriv,
 	}, nil

connrespwr.go

@@ -8,6 +8,8 @@ import (
 	"sync"
 )
 
+// ConnResponseWriter implements http.ResponseWriter interface to use hijacked
+// HTTP connection.
 type ConnResponseWriter struct {
 	Conn        net.Conn
 	mu          sync.Mutex
@@ -16,14 +18,17 @@ type ConnResponseWriter struct {
 	headersSent bool
 }
 
+// NewConnResponseWriter returns a new ConnResponseWriter.
 func NewConnResponseWriter(conn net.Conn) *ConnResponseWriter {
 	return &ConnResponseWriter{Conn: conn, header: make(http.Header)}
 }
 
+// Header returns the header map that will be sent by WriteHeader.
 func (c *ConnResponseWriter) Header() http.Header {
 	return c.header
 }
 
+// Write writes the data to the connection as part of an HTTP reply.
 func (c *ConnResponseWriter) Write(body []byte) (int, error) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
@@ -46,10 +51,12 @@ func (c *ConnResponseWriter) Write(body []byte) (int, error) {
 	return c.Conn.Write(body)
 }
 
+// WriteHeader sends an HTTP response header with status code.
 func (c *ConnResponseWriter) WriteHeader(code int) {
 	c.code = code
 }
 
+// Close closes network connection.
 func (c *ConnResponseWriter) Close() error {
 	return c.Conn.Close()
 }

doing.go

@@ -36,24 +36,42 @@ func doAuth(ctx *Context, w http.ResponseWriter, r *http.Request) bool {
 	if ctx.Prx.OnAuth == nil {
 		return false
 	}
-	authparts := strings.SplitN(r.Header.Get("Proxy-Authorization"), " ", 2)
-	if len(authparts) >= 2 {
-		switch authparts[0] {
-		case "Basic":
-			userpassraw, err := base64.StdEncoding.DecodeString(authparts[1])
-			if err == nil {
-				userpass := strings.SplitN(string(userpassraw), ":", 2)
-				if len(userpass) >= 2 && ctx.Prx.OnAuth(ctx, userpass[0], userpass[1]) {
-					return false
+	prxAuthType := ctx.Prx.AuthType
+	if prxAuthType == "" {
+		prxAuthType = "Basic"
+	}
+	unauthorized := false
+	authParts := strings.SplitN(r.Header.Get("Proxy-Authorization"), " ", 2)
+	if len(authParts) >= 2 {
+		authType := authParts[0]
+		authData := authParts[1]
+		if prxAuthType == authType {
+			unauthorized = true
+			switch authType {
+			case "Basic":
+				userpassraw, err := base64.StdEncoding.DecodeString(authData)
+				if err == nil {
+					userpass := strings.SplitN(string(userpassraw), ":", 2)
+					if len(userpass) >= 2 && ctx.Prx.OnAuth(ctx, userpass[0], userpass[1]) {
+						return false
+					}
 				}
+			default:
+				unauthorized = false
 			}
 		}
 	}
 	if r.Close {
 		defer r.Body.Close()
 	}
-	err := ServeInMemory(w, 407, map[string][]string{"Proxy-Authenticate": {"Basic"}},
-		[]byte("Proxy Authentication Required"))
+	respCode := 407
+	respBody := "Proxy Authentication Required"
+	if unauthorized {
+		respCode = 401
+		respBody = "Unauthorized"
+	}
+	err := ServeInMemory(w, respCode, map[string][]string{"Proxy-Authenticate": {prxAuthType}},
+		[]byte(respBody))
 	if err != nil && !isConnectionClosed(err) {
 		doError(ctx, "Auth", ErrResponseWrite, err)
 	}
@@ -88,9 +106,6 @@ func doConnect(ctx *Context, w http.ResponseWriter, r *http.Request) (w2 http.Re
 	if ctx.Prx.OnConnect != nil {
 		var newHost string
 		ctx.ConnectAction, newHost = ctx.Prx.OnConnect(ctx, host)
-		if ctx.ConnectAction == ConnectNone {
-			ctx.ConnectAction = ConnectProxy
-		}
 		if newHost != "" {
 			host = newHost
 		}
@@ -138,13 +153,13 @@ func doConnect(ctx *Context, w http.ResponseWriter, r *http.Request) (w2 http.Re
 		remoteConn.Close()
 	case ConnectMitm:
 		tlsConfig := &tls.Config{}
-		cert, err := signHosts(ctx.Prx.Ca, []string{stripPort(host)})
-		if err != nil {
+		cert := ctx.Prx.signer.SignHost(stripPort(host))
+		if cert == nil {
 			hijConn.Close()
 			doError(ctx, "Connect", ErrTLSSignHost, err)
 			return
 		}
-		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+		tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
 		if _, err := hijConn.Write([]byte("HTTP/1.1 200 OK\r\n\r\n")); err != nil {
 			hijConn.Close()
 			if !isConnectionClosed(err) {
@@ -162,7 +177,8 @@ func doConnect(ctx *Context, w http.ResponseWriter, r *http.Request) (w2 http.Re
 		}
 		ctx.hijTLSReader = bufio.NewReader(ctx.hijTLSConn)
 		w2 = NewConnResponseWriter(ctx.hijTLSConn)
-		return
+	default:
+		hijConn.Close()
 	}
 	return
 }
@@ -219,7 +235,7 @@ func doRequest(ctx *Context, w http.ResponseWriter, r *http.Request) (bool, erro
 	return true, err
 }
 
-func doResponse(ctx *Context, w http.ResponseWriter, r *http.Request) (bool, error) {
+func doResponse(ctx *Context, w http.ResponseWriter, r *http.Request) error {
 	resp, err := ctx.Prx.Rt.RoundTrip(r)
 	if err != nil {
 		if r.Close {
@@ -228,7 +244,11 @@ func doResponse(ctx *Context, w http.ResponseWriter, r *http.Request) (bool, err
 		if err != context.Canceled && !isConnectionClosed(err) {
 			doError(ctx, "Response", ErrRoundTrip, err)
 		}
-		return false, err
+		err := ServeInMemory(w, 502, nil, []byte("Bad Gateway"))
+		if err != nil && !isConnectionClosed(err) {
+			doError(ctx, "Response", ErrResponseWrite, err)
+		}
+		return err
 	}
 	if ctx.Prx.OnResponse != nil {
 		ctx.Prx.OnResponse(ctx, r, resp)
@@ -241,5 +261,5 @@ func doResponse(ctx *Context, w http.ResponseWriter, r *http.Request) (bool, err
 	if err != nil && !isConnectionClosed(err) {
 		doError(ctx, "Response", ErrResponseWrite, err)
 	}
-	return true, err
+	return err
 }