root/sclient.js
2
1
Fork 0
mirror of https://git.coolaj86.com/coolaj86/sclient.js synced 2025-04-21 21:50:37 +00:00
Code Issues Releases Wiki Activity

Compare commits

base: root:master
Branches Tags
root:master
root:v1.4.3
root:v1.4.2
root:v1.4.1
root:v1.4.0
root:v1.3.0
root:v1.2.2
root:v1.2.1
root:v1.2.0
root:v1.0.4
root:v1.0.3
root:v1.0.2
root:v1.0.1
root:v1.0.0
..
compare: root:v1.0.3
Branches Tags
root:master
root:v1.4.3
root:v1.4.2
root:v1.4.1
root:v1.4.0
root:v1.3.0
root:v1.2.2
root:v1.2.1
root:v1.2.0
root:v1.0.4
root:v1.0.3
root:v1.0.2
root:v1.0.1
root:v1.0.0

No commits in common. "master" and "v1.0.3" have entirely different histories.
master ... v1.0.3

4 changed files with 63 additions and 360 deletions
Show Stats Expand all files Collapse all files

71
README.md
View File

@ -9,7 +9,7 @@ Unwrap a TLS connection:
```bash
$ sclient whatever.com:443 localhost:3000
> [listening] whatever.com:443 <= localhost:3000
> [listening] telebit.cloud:443 <= localhost:3000
```
Connect via Telnet
@ -24,30 +24,6 @@ Connect via netcat (nc)
$ nc localhost 3000
```
cURL
```bash
$ curl http://localhost:3000 -H 'Host: whatever.com'
```
Inverse SSH proxy (ssh over https):
```bash
$ sclient ssh user@example.com
```
(this is the same as a normal SSH Proxy, just easier to type):
```bash
$ ssh -o ProxyCommand="sclient %h" user@example.com
```
Inverse rsync proxy (rsync over https):
```bash
$ sclient rsync user@example.com:path/ path/
```
A poor man's (or Windows user's) makeshift replacement for `openssl s_client`, `stunnel`, or `socat`.
Install
@ -69,12 +45,9 @@ Usage
=====
```bash
sclient [flags] [ssh|rsync] <remote> [local]
sclient <remote> <local> [-k | --insecure]
```
* flags
* `-k, --insecure` ignore invalid TLS (SSL/HTTPS) certificates
* `--servername <string>` spoof SNI (to disable use IP as &lt;remote&gt; and do not use this option)
* remote
* must have servername (i.e. example.com)
* port is optional (default is 443)
@ -100,43 +73,5 @@ sclient telebit.cloud:443 localhost:3000
Ignore a bad TLS/SSL/HTTPS certificate and connect anyway.
```bash
sclient -k badtls.telebit.cloud:443 localhost:3000
```
### Reading from stdin
```bash
sclient telebit.cloud:443 -
```
```bash
sclient telebit.cloud:443 - </path/to/file
```
### ssh over https
```bash
sclient ssh user@telebit.cloud
```
### rsync over https
```bash
sclient rsync -av user@telebit.cloud:my-project/ ~/my-project/
```
### Piping
```bash
printf "GET / HTTP/1.1\r\nHost: telebit.cloud\r\n\r\n" | sclient telebit.cloud:443
```
Testing for security vulnerabilities on the remote:
```bash
sclient --servername "Robert'); DROP TABLE Students;" -k example.com localhost:3000
```
```bash
sclient --servername "../../../.hidden/private.txt" -k example.com localhost:3000
sclient badtls.telebit.cloud:443 localhost:3000 -k
```

277
bin/sclient.js
View File

@ -1,262 +1,57 @@
#!/usr/bin/env node
'use strict';
var pkg = require('../package.json');
var remote;
var local;
var isPiped = !process.stdin.isTTY;
var remote = (process.argv[2]||'').split(':');
var local = (process.argv[3]||'').split(':');
var localAddress;
var localPort;
var rejectUnauthorized;
function usage() {
console.info("");
console.info("sclient.js v" + pkg.version);
console.info("Usage: sclient [--servername <string>] [-k | --insecure] <servername:port> <port>");
console.info("Usage: sclient <servername:port> <port> [-k | --insecure]");
console.info(" ex: sclient whatever.com 3000");
console.info(" (whatever.com:443 localhost:3000)");
console.info(" ex: sclient whatever.com:4080 0.0.0.0:3000");
console.info("");
process.exit(0);
}
function parseFlags(argv) {
var args = argv.slice();
var flags = {};
args.some(function (arg, i) {
if (/^-k|--?insecure$/.test(arg)) {
flags.rejectUnauthorized = false;
args.splice(i, 1);
return true;
}
});
args.some(function (arg, i) {
if (/^--?servername$/.test(arg)) {
flags.servername = args[i + 1];
if (!flags.servername || /^-/.test(flags.servername)) {
usage();
process.exit(2);
}
args.splice(i, 2);
return true;
}
});
args.some(function (arg, i) {
if (/^--?p(ort)?$/.test(arg)) {
flags.port = args[i + 1];
if (!flags.port || /^-/.test(flags.port)) {
usage();
process.exit(201);
}
args.splice(i, 2);
return true;
}
});
args.some(function (arg, i) {
if (/^--?ssh$/.test(arg)) {
flags.wrapSsh = true;
args.splice(i, 1);
return true;
}
});
args.some(function (arg, i) {
if (/^--?socks5$/.test(arg)) {
flags.socks5 = args[i + 1];
if (!flags.socks5 || /^-/.test(flags.socks5)) {
usage();
process.exit(202);
}
args.splice(i, 2);
return true;
}
});
// This works for most (but not all)
// of the ssh and rsync flags - because they mostly don't have arguments
args.sort(function (a, b) {
if ('-' === a[0]) {
if ('-' === b[0]) {
return 0;
}
return 1;
}
if ('-' === b[0]) {
return -1;
}
return 0;
});
return {
flags: flags
, args: args
};
if (!remote[0]) {
usage();
return;
}
if (!remote[1]) {
remote[1] = 443;
}
var sclient = require('../');
function testRemote(opts) {
var emitter = new (require('events').EventEmitter)();
sclient._test(opts).then(function () {
// connected successfully (and closed)
sclient._listen(emitter, opts);
}).catch(function (err) {
// did not connect succesfully
sclient._listen(emitter, opts);
console.warn("[warn] '" + opts.remoteAddr + ":" + opts.remotePort
+ "' may not be accepting connections: ", err.toString(), '\n');
});
emitter.once('listening', function (opts) {
console.info('[listening] ' + opts.remoteAddr + ":" + opts.remotePort
+ " <= " + opts.localAddress + ":" + opts.localPort);
if (opts.command) {
var args = [
opts.remoteUser + 'localhost'
, '-p', opts.localPort
// we're _inverse_ proxying ssh, so we must alias the serveranem and ignore the IP
, '-o', 'HostKeyAlias=' + opts.remoteAddr
, '-o', 'CheckHostIP=no'
];
var spawn = require('child_process').spawn;
if ('rsync' === opts.command) {
var remote = args.shift() + ':' + opts.remotePath;
args = [ remote, '-e', 'ssh ' + args.join(' ') ];
}
if (opts.socks5) {
args.push('-D');
args.push('localhost:' + opts.socks5);
}
args = args.concat(opts.args);
var child = spawn(opts.command, args, { stdio: 'inherit' });
child.on('exit', function () {
console.info('closing...');
});
child.on('close', function () {
opts.server.close();
});
}
});
emitter.on('connect', function (sock) {
console.info('[connect] ' + sock.localAddress.replace('::1', 'localhost') + ":" + sock.localPort
+ " => " + opts.remoteAddr + ":" + opts.remotePort);
});
emitter.on('remote-error', function (err) {
console.error('[error] (remote) ' + err.toString());
});
emitter.on('local-error', function (err) {
console.error('[error] (local) ' + err.toString());
});
if (!local[0]) {
usage();
return;
}
if (local[0] === String(parseInt(local[0], 10))) {
localPort = parseInt(local[0], 10);
localAddress = 'localhost';
} else {
localAddress = local[0];
localPort = parseInt(local[1], 10);
}
function main() {
var cmd = parseFlags(process.argv);
var binParam;
var remoteUser;
// Re-arrange argument order for ssh
if (cmd.flags.wrapSsh) {
cmd.args.splice(3, 0, 'ssh');
} else if (-1 !== [ 'ssh', 'rsync', 'vpn' ].indexOf((cmd.args[2]||'').split(':')[0])) {
cmd.flags.wrapSsh = true;
binParam = cmd.args.splice(2, 1);
cmd.args.splice(3, 0, binParam[0]);
}
remoteUser = (cmd.args[2]||'').split('@');
if (remoteUser[1]) {
// has 'user@' in front
remote = (remoteUser[1]||'').split(':');
remoteUser = remoteUser[0] + '@';
} else {
// no 'user@' in front
remote = (remoteUser[0]||'').split(':');
remoteUser = '';
}
local = (cmd.args[3]||'').split(':');
if (-1 !== [ 'ssh', 'rsync', 'vpn' ].indexOf(local[0])) {
cmd.flags.wrapSsh = true;
}
if (cmd.flags.wrapSsh) {
process.argv = cmd.args;
} else if (4 !== cmd.args.length) {
// arg 0 is node
// arg 1 is sclient
// arg 2 is remote
// arg 3 is local (or ssh or rsync)
if (isPiped) {
local = ['|'];
} else {
usage();
process.exit(1);
}
}
// Check for the first argument (what to connect to)
if (!remote[0]) {
usage();
return;
}
if (!local[0]) {
usage();
return;
}
// check if it looks like a port number
if (local[0] === String(parseInt(local[0], 10))) {
localPort = parseInt(local[0], 10);
localAddress = 'localhost';
} else {
localAddress = local[0]; // potentially '-' or '|' or '$'
localPort = parseInt(local[1], 10);
}
var opts = {
remoteUser: remoteUser
, remoteAddr: remote[0]
, remotePort: remote[1] || 443
, localAddress: localAddress
, localPort: localPort
, rejectUnauthorized: cmd.flags.rejectUnauthorized
, servername: cmd.flags.servername
, stdin: null
, stdout: null
};
if ('-' === localAddress || '|' === localAddress) {
opts.stdin = process.stdin;
opts.stdout = process.stdout;
// no need for port
} else if (-1 !== [ 'ssh', 'rsync', 'vpn' ].indexOf(localAddress)) {
cmd.flags.wrapSsh = true;
opts.localAddress = 'localhost';
opts.localPort = local[1] || 0; // choose at random
opts.command = localAddress;
opts.args = cmd.args.slice(4); // node, sclient, ssh, addr
opts.socks5 = cmd.flags.socks5;
if ('rsync' === opts.command) {
opts.remotePath = opts.remotePort;
opts.remotePort = 0;
}
if ('vpn' === opts.command) {
opts.command = 'ssh';
if (!opts.socks5) {
usage();
return;
}
}
if (!opts.remotePort) {
opts.remotePort = cmd.flags.port || 443;
}
} else if (!localPort) {
usage();
return;
}
testRemote(opts);
if (!localPort) {
usage();
return;
}
main();
if (/^-k|--insecure$/.test(process.argv[4])) {
rejectUnauthorized = false;
}
var opts = {
remoteAddr: remote[0]
, remotePort: remote[1]
, localAddress: localAddress
, localPort: localPort
, rejectUnauthorized: rejectUnauthorized
};
require('../')(opts);

71
index.js
View File

@ -1,39 +1,26 @@
'use strict';
var PromiseA = global.Promise;
var net = require('net');
var tls = require('tls');
function listenForConns(emitter, opts) {
function pipeConn(c, out) {
function listenForConns(opts) {
var server = net.createServer(function (c) {
var sclient = tls.connect({
servername: opts.remoteAddr, host: opts.remoteAddr, port: opts.remotePort
, rejectUnauthorized: opts.rejectUnauthorized
}, function () {
emitter.emit('connect', sclient);
console.info('[connect] ' + sclient.localAddress.replace('::1', 'localhost') + ":" + sclient.localPort
+ " => " + opts.remoteAddr + ":" + opts.remotePort);
c.pipe(sclient);
sclient.pipe(out || c);
sclient.pipe(c);
});
sclient.on('error', function (err) {
emitter.emit('remote-error', err);
console.error('[error] (remote) ' + err.toString());
});
c.on('error', function (err) {
emitter.emit('local-error', err);
console.error('[error] (local) ' + err.toString());
});
if (out) {
out.on('error', function (err) {
emitter.emit('local-error', err);
});
}
}
if ('-' === opts.localAddress || '|' === opts.localAddress) {
pipeConn(opts.stdin, opts.stdout);
return;
}
var server = net.createServer(pipeConn);
});
server.on('error', function (err) {
console.error('[error] ' + err.toString());
});
@ -41,38 +28,24 @@ function listenForConns(emitter, opts) {
host: opts.localAddress
, port: opts.localPort
}, function () {
opts.localPort = this.address().port;
opts.server = this;
emitter.emit('listening', opts);
console.info('[listening] ' + opts.remoteAddr + ":" + opts.remotePort
+ " <= " + opts.localAddress + ":" + opts.localPort);
});
}
function testConn(opts) {
return new PromiseA(function (resolve, reject) {
// Test connection first
var tlsOpts = {
host: opts.remoteAddr, port: opts.remotePort
, rejectUnauthorized: opts.rejectUnauthorized
};
if (opts.servername) {
tlsOpts.servername = opts.servername;
} else if (/^[\w\.\-]+\.[a-z]{2,}$/i.test(opts.remoteAddr)) {
tlsOpts.servername = opts.remoteAddr.toLowerCase();
}
if (opts.alpn) {
tlsOpts.ALPNProtocols = [ 'http', 'h2' ];
}
var tlsSock = tls.connect(tlsOpts, function () {
tlsSock.end();
resolve();
});
tlsSock.on('error', function (err) {
reject(err);
});
// Test connection first
var tlsSock = tls.connect({
servername: opts.remoteAddr, host: opts.remoteAddr, port: opts.remotePort
, rejectUnauthorized: opts.rejectUnauthorized
}, function () {
tlsSock.end();
listenForConns(opts);
});
tlsSock.on('error', function (err) {
console.warn("[warn] '" + opts.remoteAddr + ":" + opts.remotePort + "' may not be accepting connections: ", err.toString(), '\n');
listenForConns(opts);
});
}
// no public exports yet
// the API is for the commandline only
module.exports._test = testConn;
module.exports._listen = listenForConns;
module.exports = testConn;

4
package.json
View File

@ -1,9 +1,9 @@
{
"name": "sclient",
"version": "1.4.3",
"version": "1.0.3",
"description": "Secure Client for exposing TLS (aka SSL) secured services as plain-text connections locally. Also ideal for multiplexing a single port with multiple protocols using SNI.",
"main": "index.js",
"homepage": "https://telebit.cloud/sclient/",
"homepage": "https://git.coolaj86.com/coolaj86/sclient.js",
"bin": {
"sclient": "bin/sclient.js"
},