heavier refactoring

This commit is contained in:
AJ ONeal 2020-04-30 04:43:36 -06:00
parent 09d296df2a
commit e740d2ca0f
14 changed files with 276 additions and 154 deletions

2
.gitignore vendored
View File

@ -1,3 +1,5 @@
.env
.env.*
certs certs
*.exe *.exe
/telebitd /telebitd

View File

@ -32,7 +32,12 @@ tmp $ serve-https -p 8080 -d /tmp --servername hfc.rootprojects.org --agree-tos
### Start Tunnel Client ### Start Tunnel Client
```bash ```bash
node-tunnel-client $ bin/stunnel.js --locals http://hfc.rootprojects.org:8080,http://test1.hfc.rootprojects.org:8080 --stunneld wss://localhost.rootprojects.org:8443 --secret abc123 # For .env
TELEBIT_SECRET=abcdef1234567890
```
```bash
node-tunnel-client $ bin/stunnel.js --locals http://hfc.rootprojects.org:8080,http://test1.hfc.rootprojects.org:8080 --stunneld wss://localhost.rootprojects.org:8443 --secret abcdef1234567890
``` ```
### Execute RVPN ### Execute RVPN

View File

@ -8,46 +8,49 @@ import (
"io" "io"
"io/ioutil" "io/ioutil"
"log" "log"
"net/http"
"os" "os"
"time"
telebit "git.coolaj86.com/coolaj86/go-telebitd"
"git.coolaj86.com/coolaj86/go-telebitd/relay"
"git.coolaj86.com/coolaj86/go-telebitd/server"
jwt "github.com/dgrijalva/jwt-go"
"github.com/spf13/viper" "github.com/spf13/viper"
lumberjack "gopkg.in/natefinch/lumberjack.v2" lumberjack "gopkg.in/natefinch/lumberjack.v2"
telebit "git.coolaj86.com/coolaj86/go-telebitd" _ "github.com/joho/godotenv/autoload"
"git.coolaj86.com/coolaj86/go-telebitd/server"
) )
var ( var (
logfile = "stdout" logfile = "stdout"
configPath = "./" configPath = "./"
configFile = "go-rvpn-server" configFile = "telebit-relay"
loginfo *log.Logger loginfo *log.Logger
logdebug *log.Logger logdebug *log.Logger
logFlags = log.Ldate | log.Lmicroseconds | log.Lshortfile logFlags = log.Ldate | log.Lmicroseconds | log.Lshortfile
argWssClientListener string argWssClientListener string
argGenericBinding int tcpPort int
argServerBinding string argServerBinding string
argServerAdminBinding string argServerAdminBinding string
argServerExternalBinding string argServerExternalBinding string
argDeadTime int argDeadTime int
connectionTable *server.Table connectionTable *server.Table
secretKey = "abc123" secretKey string
wssHostName = "localhost.rootprojects.org" wssHostName = "localhost.rootprojects.org"
adminHostName = telebit.InvalidAdminDomain adminHostName = telebit.InvalidAdminDomain
idle int idle int
dwell int dwell int
cancelcheck int cancelcheck int
lbDefaultMethod string lbDefaultMethod string
serverName string nickname string
) )
func init() { func init() {
flag.StringVar(&logfile, "log", logfile, "Log file (or stdout/stderr; empty for none)") flag.StringVar(&logfile, "log", logfile, "Log file (or stdout/stderr; empty for none)")
flag.StringVar(&configPath, "config-path", configPath, "Configuration File Path") flag.StringVar(&configPath, "config-path", configPath, "Configuration File Path")
flag.StringVar(&configFile, "config-file", configFile, "Configuration File Name") flag.StringVar(&secretKey, "secret", "", "a >= 16-character random string for JWT key signing")
} }
var logoutput io.Writer var logoutput io.Writer
@ -55,6 +58,15 @@ var logoutput io.Writer
//Main -- main entry point //Main -- main entry point
func main() { func main() {
flag.Parse() flag.Parse()
if "" == secretKey {
secretKey = os.Getenv("TELEBIT_SECRET")
}
if len(secretKey) < 16 {
fmt.Fprintf(os.Stderr, "Invalid secret: %q. See --help for details.\n", secretKey)
os.Exit(1)
}
switch logfile { switch logfile {
case "stdout": case "stdout":
logoutput = os.Stdout logoutput = os.Stdout
@ -89,54 +101,51 @@ func main() {
wssHostName = viper.Get("rvpn.wssdomain").(string) wssHostName = viper.Get("rvpn.wssdomain").(string)
adminHostName = viper.Get("rvpn.admindomain").(string) adminHostName = viper.Get("rvpn.admindomain").(string)
argGenericBinding = viper.GetInt("rvpn.genericlistener") tcpPort = viper.GetInt("rvpn.port")
deadtime := viper.Get("rvpn.deadtime").(map[string]interface{}) deadtime := viper.Get("rvpn.deadtime").(map[string]interface{})
idle = deadtime["idle"].(int) idle = deadtime["idle"].(int)
dwell = deadtime["dwell"].(int) dwell = deadtime["dwell"].(int)
cancelcheck = deadtime["cancelcheck"].(int) cancelcheck = deadtime["cancelcheck"].(int)
lbDefaultMethod = viper.Get("rvpn.loadbalancing.defaultmethod").(string) lbDefaultMethod = viper.Get("rvpn.loadbalancing.defaultmethod").(string)
serverName = viper.Get("rvpn.serverName").(string) nickname = viper.Get("rvpn.serverName").(string)
loginfo.Println("startup") loginfo.Println("startup")
certbundle, err := tls.LoadX509KeyPair("certs/fullchain.pem", "certs/privkey.pem")
if err != nil {
loginfo.Println(err)
return
}
ctx, cancelContext := context.WithCancel(context.Background()) ctx, cancelContext := context.WithCancel(context.Background())
defer cancelContext() defer cancelContext()
serverStatus := server.NewStatus(ctx) serverStatus := server.NewStatus(ctx)
serverStatus.AdminDomain = adminHostName serverStatus.AdminDomain = adminHostName
serverStatus.WssDomain = wssHostName serverStatus.WssDomain = wssHostName
serverStatus.Name = serverName serverStatus.Name = nickname
serverStatus.StartTime = time.Now()
serverStatus.DeadTime = server.NewStatusDeadTime(dwell, idle, cancelcheck) serverStatus.DeadTime = server.NewStatusDeadTime(dwell, idle, cancelcheck)
serverStatus.LoadbalanceDefaultMethod = lbDefaultMethod serverStatus.LoadbalanceDefaultMethod = lbDefaultMethod
// Setup for GenericListenServe. connectionTable := server.NewTable(dwell, idle, lbDefaultMethod)
// - establish context for the generic listener
// - startup listener
// - accept with peek buffer.
// - peek at the 1st 30 bytes.
// - check for tls
// - if tls, establish, protocol peek buffer, else decrypted
// - match protocol
connectionTracking := server.NewTracking() tlsConfig := &tls.Config{
serverStatus.ConnectionTracking = connectionTracking GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
go connectionTracking.Run(ctx) // TODO
// 1. call out to greenlock for validation
// 2. push challenges through http channel
// 3. receive certificates (or don't)
certbundle, err := tls.LoadX509KeyPair("certs/fullchain.pem", "certs/privkey.pem")
if err != nil {
return nil, err
}
return &certbundle, nil
},
}
connectionTable = server.NewTable(dwell, idle) authorizer := func(r *http.Request) (*server.Authz, error) {
serverStatus.ConnectionTable = connectionTable // do we have a valid wss_client?
go connectionTable.Run(ctx, lbDefaultMethod) tokenString := r.URL.Query().Get("access_token")
_, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
return []byte(secretKey), nil
})
return nil, err
}
genericListeners := server.NewGenerListeners(ctx, secretKey, certbundle, serverStatus) r := relay.New(ctx, tlsConfig, authorizer, serverStatus, connectionTable)
//serverStatus.GenericListeners = genericListeners r.ListenAndServe(tcpPort)
go genericListeners.Run(ctx, argGenericBinding)
select {}
} }

1
go.mod
View File

@ -6,6 +6,7 @@ require (
github.com/dgrijalva/jwt-go v3.2.0+incompatible github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/gorilla/mux v1.7.4 github.com/gorilla/mux v1.7.4
github.com/gorilla/websocket v1.4.2 github.com/gorilla/websocket v1.4.2
github.com/joho/godotenv v1.3.0
github.com/spf13/pflag v1.0.5 github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.6.3 github.com/spf13/viper v1.6.3
gopkg.in/natefinch/lumberjack.v2 v2.0.0 gopkg.in/natefinch/lumberjack.v2 v2.0.0

2
go.sum
View File

@ -49,6 +49,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=

52
relay/relay.go Normal file
View File

@ -0,0 +1,52 @@
package relay
import (
"context"
"crypto/tls"
"git.coolaj86.com/coolaj86/go-telebitd/server"
)
type Relay struct {
ctx context.Context
status *server.Status
mx *server.MPlexy
table *server.Table
}
func New(ctx context.Context, tlsConfig *tls.Config, authz server.Authorizer, status *server.Status, table *server.Table) *Relay {
return &Relay{
ctx: ctx,
status: status,
table: table,
mx: server.New(ctx, tlsConfig, authz, status),
}
}
func (r *Relay) ListenAndServe(port int) error {
serverStatus := r.status
// Setup for GenericListenServe.
// - establish context for the generic listener
// - startup listener
// - accept with peek buffer.
// - peek at the 1st 30 bytes.
// - check for tls
// - if tls, establish, protocol peek buffer, else decrypted
// - match protocol
connectionTracking := server.NewTracking()
serverStatus.ConnectionTracking = connectionTracking
go connectionTracking.Run(r.ctx)
serverStatus.ConnectionTable = r.table
go serverStatus.ConnectionTable.Run(r.ctx)
//serverStatus.GenericListeners = genericListeners
// blocks until it can listen, which it can't until started
go r.mx.MultiListenAndServe(port)
return r.mx.Run()
}

View File

@ -17,7 +17,7 @@ Docker version 17.03.0-ce, build 60ccb22
cd $GOPATH/src/git.coolaj86.com/coolaj86 cd $GOPATH/src/git.coolaj86.com/coolaj86
git clone git@git.coolaj86.com:coolaj86/go-telebitd.git git clone git@git.coolaj86.com:coolaj86/go-telebitd.git
cd go-rvpn-server cd telebit-relay
go get go get
``` ```
@ -36,7 +36,7 @@ Step 2/3 : LABEL maintainer "henry.f.camacho@gmail.com"
---> Running in 5cdffef8e33d ---> Running in 5cdffef8e33d
---> f7e09c097612 ---> f7e09c097612
Removing intermediate container 5cdffef8e33d Removing intermediate container 5cdffef8e33d
Step 3/3 : WORKDIR "/go-rvpn-server" Step 3/3 : WORKDIR "/telebit-relay"
---> 182aa9c814f2 ---> 182aa9c814f2
Removing intermediate container f136550d6d48 Removing intermediate container f136550d6d48
Successfully built 182aa9c814f2 Successfully built 182aa9c814f2

View File

@ -1,5 +1,5 @@
FROM golang:1.7.5 FROM golang:1.14
LABEL maintainer "henry.f.camacho@gmail.com" LABEL maintainer "aj@therootcompany.com"
WORKDIR "/go-rvpn-server" WORKDIR "/telebit-relay"

View File

@ -21,10 +21,11 @@ type Table struct {
domainRevoke chan *DomainMapping domainRevoke chan *DomainMapping
dwell int dwell int
idle int idle int
balanceMethod string
} }
//NewTable -- consructor //NewTable -- consructor
func NewTable(dwell, idle int) (p *Table) { func NewTable(dwell, idle int, balanceMethod string) (p *Table) {
p = new(Table) p = new(Table)
p.connections = make(map[*Connection][]string) p.connections = make(map[*Connection][]string)
p.domains = make(map[string]*DomainLoadBalance) p.domains = make(map[string]*DomainLoadBalance)
@ -34,6 +35,7 @@ func NewTable(dwell, idle int) (p *Table) {
p.domainRevoke = make(chan *DomainMapping) p.domainRevoke = make(chan *DomainMapping)
p.dwell = dwell p.dwell = dwell
p.idle = idle p.idle = idle
p.balanceMethod = balanceMethod
return return
} }
@ -88,7 +90,7 @@ func (c *Table) GetConnection(serverID int64) (*Connection, error) {
} }
//Run -- Execute //Run -- Execute
func (c *Table) Run(ctx context.Context, defaultMethod string) { func (c *Table) Run(ctx context.Context) {
loginfo.Println("ConnectionTable starting") loginfo.Println("ConnectionTable starting")
go c.reaper(c.dwell, c.idle) go c.reaper(c.dwell, c.idle)
@ -122,7 +124,7 @@ func (c *Table) Run(ctx context.Context, defaultMethod string) {
c.domains[newDomain].AddConnection(connection) c.domains[newDomain].AddConnection(connection)
} else { } else {
//if not, then add as the 1st to the list of connections //if not, then add as the 1st to the list of connections
c.domains[newDomain] = NewDomainLoadBalance(defaultMethod) c.domains[newDomain] = NewDomainLoadBalance(c.balanceMethod)
c.domains[newDomain].AddConnection(connection) c.domains[newDomain].AddConnection(connection)
} }

View File

@ -6,6 +6,7 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"encoding/hex" "encoding/hex"
"fmt"
"log" "log"
"net" "net"
"net/http" "net/http"
@ -31,7 +32,7 @@ const (
//ctxConnectionTable contextKey = "connectionTable" //ctxConnectionTable contextKey = "connectionTable"
ctxConfig contextKey = "config" ctxConfig contextKey = "tlsConfig"
ctxListenerRegistration contextKey = "listenerRegistration" ctxListenerRegistration contextKey = "listenerRegistration"
ctxConnectionTrack contextKey = "connectionTrack" ctxConnectionTrack contextKey = "connectionTrack"
ctxWssHostName contextKey = "wsshostname" ctxWssHostName contextKey = "wsshostname"
@ -40,21 +41,26 @@ const (
ctxLoadbalanceDefaultMethod contextKey = "lbdefaultmethod" ctxLoadbalanceDefaultMethod contextKey = "lbdefaultmethod"
) )
// TODO isn't this restriction in the TLS lib?
// or are we just pre-checking for remote hosts?
type tlsScheme int
const ( const (
encryptNone int = iota encryptNone tlsScheme = iota
encryptSSLV2 encryptSSLV2
encryptSSLV3 encryptSSLV3
encryptTLS10 encryptTLS10
encryptTLS11 encryptTLS11
encryptTLS12 encryptTLS12
encryptTLS13
) )
//GenericListenAndServe -- used to lisen for any https traffic on 443 (8443) // multiListenAndServe -- used to lisen for any https traffic on 443 (8443)
// - setup generic TCP listener, unencrypted TCP, with a Deadtime out // - setup generic TCP listener, unencrypted TCP, with a Deadtime out
// - leaverage the wedgeConn to peek into the buffer. // - leaverage the wedgeConn to peek into the buffer.
// - if TLS, consume connection with TLS certbundle, pass to request identifier // - if TLS, consume connection with TLS certbundle, pass to request identifier
// - else, just pass to the request identififer // - else, just pass to the request identififer
func GenericListenAndServe(ctx context.Context, listenerRegistration *ListenerRegistration) { func (mx *MPlexy) multiListenAndServe(ctx context.Context, listenerRegistration *ListenerRegistration) {
loginfo.Println(":" + string(listenerRegistration.port)) loginfo.Println(":" + string(listenerRegistration.port))
cancelCheck := ctx.Value(ctxCancelCheck).(int) cancelCheck := ctx.Value(ctxCancelCheck).(int)
@ -95,18 +101,24 @@ func GenericListenAndServe(ctx context.Context, listenerRegistration *ListenerRe
return return
} }
fmt.Println("New connection from %v on %v", conn.LocalAddr(), conn.RemoteAddr())
// TODO maybe put these into something like mx.newConnCh and have an mx.Accept()?
wedgeConn := NewWedgeConn(conn) wedgeConn := NewWedgeConn(conn)
go acceptTCPOrTLS(ctx, wedgeConn) go mx.accept(ctx, wedgeConn)
} }
} }
} }
//acceptTCPOrTLS - //accept -
// - accept a wedgeConnection along with all the other required attritvues // - accept a wedgeConnection along with all the other required attritvues
// - peek into the buffer, determine TLS or unencrypted // - peek into the buffer, determine TLS or unencrypted
// - if TSL, then terminate with a TLS endpoint, pass to handleStream // - if TSL, then terminate with a TLS endpoint, pass to handleStream
// - if clearText, pass to handleStream // - if clearText, pass to handleStream
func acceptTCPOrTLS(ctx context.Context, wConn *WedgeConn) { func (mx *MPlexy) accept(ctx context.Context, wConn *WedgeConn) {
// TODO shouldn't this responsibility fall elsewhere?
// (otherwise I think we're keeping this function in memory while something else fails to end)
// (i.e. something, somewhere is missing a `go doStuff()`
defer wConn.Close() defer wConn.Close()
peekCnt := 10 peekCnt := 10
@ -136,20 +148,24 @@ func acceptTCPOrTLS(ctx context.Context, wConn *WedgeConn) {
} else if bytes.Contains(peek[0:3], []byte{0x16, 0x03, 0x03}) { } else if bytes.Contains(peek[0:3], []byte{0x16, 0x03, 0x03}) {
encryptMode = encryptTLS12 encryptMode = encryptTLS12
} else if bytes.Contains(peek[0:3], []byte{0x16, 0x03, 0x04}) {
encryptMode = encryptTLS13
} }
oneConn := &oneConnListener{wConn} oneConn := &oneConnListener{wConn}
config := ctx.Value(ctxConfig).(*tls.Config) tlsConfig := ctx.Value(ctxConfig).(*tls.Config)
if encryptMode == encryptSSLV2 { if encryptMode == encryptSSLV2 {
loginfo.Println("SSLv2 is not accepted") loginfo.Println("<= SSLv2 is not accepted")
return return
} }
if encryptMode == encryptNone { if encryptMode == encryptNone {
loginfo.Println("Handle Unencrypted") loginfo.Println("Handle Unencrypted")
handleStream(ctx, wConn) mx.handleStream(ctx, wConn)
return return
} }
@ -177,9 +193,10 @@ func acceptTCPOrTLS(ctx context.Context, wConn *WedgeConn) {
loginfo.Println("sni:", sniHostName) loginfo.Println("sni:", sniHostName)
// This is where a target device connects to receive traffic
if sniHostName == wssHostName { if sniHostName == wssHostName {
//handle WSS Path //handle WSS Path
tlsListener := tls.NewListener(oneConn, config) tlsListener := tls.NewListener(oneConn, tlsConfig)
conn, err := tlsListener.Accept() conn, err := tlsListener.Accept()
if err != nil { if err != nil {
@ -188,12 +205,16 @@ func acceptTCPOrTLS(ctx context.Context, wConn *WedgeConn) {
} }
tlsWedgeConn := NewWedgeConn(conn) tlsWedgeConn := NewWedgeConn(conn)
handleStream(ctx, tlsWedgeConn) mx.handleStream(ctx, tlsWedgeConn)
return return
}
// This is where an admin of the relay manages it
if sniHostName == adminHostName {
// TODO mx.Admin.CheckRemoteIP(conn) here
} else if sniHostName == adminHostName {
// handle admin path // handle admin path
tlsListener := tls.NewListener(oneConn, config) tlsListener := tls.NewListener(oneConn, tlsConfig)
conn, err := tlsListener.Accept() conn, err := tlsListener.Accept()
if err != nil { if err != nil {
@ -202,16 +223,13 @@ func acceptTCPOrTLS(ctx context.Context, wConn *WedgeConn) {
} }
tlsWedgeConn := NewWedgeConn(conn) tlsWedgeConn := NewWedgeConn(conn)
handleStream(ctx, tlsWedgeConn) mx.handleStream(ctx, tlsWedgeConn)
return return
}
} else {
//traffic not terminating on the rvpn do not decrypt //traffic not terminating on the rvpn do not decrypt
loginfo.Println("processing non terminating traffic", wssHostName, sniHostName) loginfo.Println("processing non terminating traffic", wssHostName, sniHostName)
handleExternalHTTPRequest(ctx, wConn, sniHostName, "https") handleExternalHTTPRequest(ctx, wConn, sniHostName, "https")
}
return
} }
//handleStream -- //handleStream --
@ -222,7 +240,7 @@ func acceptTCPOrTLS(ctx context.Context, wConn *WedgeConn) {
// - attempt to identify as ADMIN/API session // - attempt to identify as ADMIN/API session
// - else handle as raw http // - else handle as raw http
// - handle other? // - handle other?
func handleStream(ctx context.Context, wConn *WedgeConn) { func (mx *MPlexy) handleStream(ctx context.Context, wConn *WedgeConn) {
loginfo.Println("handle Stream") loginfo.Println("handle Stream")
loginfo.Println("conn", wConn.LocalAddr().String(), wConn.RemoteAddr().String()) loginfo.Println("conn", wConn.LocalAddr().String(), wConn.RemoteAddr().String())
@ -234,6 +252,9 @@ func handleStream(ctx context.Context, wConn *WedgeConn) {
return return
} }
// TODO handle by TCP port as well
// (which needs a short read timeout since servers expect clients to say hello)
// HTTP Identifcation // CRLF // HTTP Identifcation // CRLF
if !bytes.Contains(peek[:], []byte{0x0d, 0x0a}) { if !bytes.Contains(peek[:], []byte{0x0d, 0x0a}) {
return return
@ -252,14 +273,11 @@ func handleStream(ctx context.Context, wConn *WedgeConn) {
return return
} }
// do we have a valid wss_client? // TODO add newtypes
secretKey := ctx.Value(ctxSecretKey).(string) // TODO check if this is a websocket
tokenString := r.URL.Query().Get("access_token") _, err = mx.authorize(r)
result, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
return []byte(secretKey), nil
})
if err == nil && result.Valid { if err == nil {
loginfo.Println("Valid WSS dected...sending to handler") loginfo.Println("Valid WSS dected...sending to handler")
oneConn := &oneConnListener{wConn} oneConn := &oneConnListener{wConn}
handleWssClient(ctx, oneConn) handleWssClient(ctx, oneConn)
@ -268,6 +286,7 @@ func handleStream(ctx context.Context, wConn *WedgeConn) {
//if yes, prep the oneConn and send it to the handler //if yes, prep the oneConn and send it to the handler
return return
} }
if strings.Contains(r.Host, telebit.InvalidAdminDomain) { if strings.Contains(r.Host, telebit.InvalidAdminDomain) {
loginfo.Println("admin") loginfo.Println("admin")
oneConn := &oneConnListener{wConn} oneConn := &oneConnListener{wConn}

View File

@ -4,11 +4,28 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"net" "net"
"net/http"
) )
//ListenerRegistrationStatus - post registration status //ListenerRegistrationStatus - post registration status
type ListenerRegistrationStatus int type ListenerRegistrationStatus int
// Authz represents grants or privileges of a client
// clientID
// domains that may be forwarded
// # of domains that may be forwarded
// ports that may be forwarded (i.e. allow special ports < 1024, exclude 443, 25, etc)
// # of ports that may be forwarded
// # of concurrent conections
// # bandwith rate (i.e. 5 mbps)
// # bandwith cap per time period (i.e. 100 MB / hour)
// # throttled rate (i.e. 0 (kill), or 1 mbps)
type Authz struct {
}
// Authorizer is called when a new client connects and we need to know something about it
type Authorizer func(*http.Request) (*Authz, error)
const ( const (
listenerAdded ListenerRegistrationStatus = iota listenerAdded ListenerRegistrationStatus = iota
listenerExists listenerExists
@ -40,79 +57,80 @@ func NewListenerRegistration(port int) (p *ListenerRegistration) {
p = new(ListenerRegistration) p = new(ListenerRegistration)
p.port = port p.port = port
p.commCh = make(chan *ListenerRegistration) p.commCh = make(chan *ListenerRegistration)
return return p
} }
// Servers - // MPlexy -
type Servers struct { type MPlexy struct {
listeners map[*net.Listener]int listeners map[*net.Listener]int
ctx context.Context ctx context.Context
connnectionTable *Table connnectionTable *Table
connectionTracking *Tracking connectionTracking *Tracking
secretKey string authorize Authorizer
certbundle tls.Certificate tlsConfig *tls.Config
register chan *ListenerRegistration register chan *ListenerRegistration
servers *Servers
wssHostName string wssHostName string
adminHostName string adminHostName string
cancelCheck int cancelCheck int
lbDefaultMethod string lbDefaultMethod string
serverStatus *Status serverStatus *Status
//xservers *MPlexy
} }
// NewGenerListeners creates tcp (and https and wss?) listeners // New creates tcp (and https and wss?) listeners
func NewGenerListeners(ctx context.Context, secretKey string, certbundle tls.Certificate, serverStatus *Status) (p *Servers) { func New(ctx context.Context, tlsConfig *tls.Config, authz Authorizer, serverStatus *Status) (mx *MPlexy) {
p = &Servers{} mx = &MPlexy{
p.listeners = make(map[*net.Listener]int) listeners: make(map[*net.Listener]int),
p.ctx = ctx ctx: ctx,
p.connnectionTable = serverStatus.ConnectionTable connnectionTable: serverStatus.ConnectionTable,
p.connectionTracking = serverStatus.ConnectionTracking connectionTracking: serverStatus.ConnectionTracking,
p.secretKey = secretKey authorize: authz,
p.certbundle = certbundle tlsConfig: tlsConfig,
p.register = make(chan *ListenerRegistration) register: make(chan *ListenerRegistration),
p.wssHostName = serverStatus.WssDomain wssHostName: serverStatus.WssDomain,
p.adminHostName = serverStatus.AdminDomain adminHostName: serverStatus.AdminDomain,
p.cancelCheck = serverStatus.DeadTime.cancelcheck cancelCheck: serverStatus.DeadTime.cancelcheck,
p.lbDefaultMethod = serverStatus.LoadbalanceDefaultMethod lbDefaultMethod: serverStatus.LoadbalanceDefaultMethod,
p.serverStatus = serverStatus serverStatus: serverStatus,
return }
return mx
} }
//Run -- Execute //Run -- Execute
// - execute the GenericLister // - execute the GenericLister
// - pass initial port, we'll announce that // - pass initial port, we'll announce that
func (gl *Servers) Run(ctx context.Context, initialPort int) { func (mx *MPlexy) Run() error {
loginfo.Println("ConnectionTable starting") loginfo.Println("ConnectionTable starting")
config := &tls.Config{Certificates: []tls.Certificate{gl.certbundle}} loginfo.Println(mx.connectionTracking)
ctx = context.WithValue(ctx, ctxSecretKey, gl.secretKey) ctx := mx.ctx
loginfo.Println(gl.connectionTracking) // For just this bit
ctx = context.WithValue(ctx, ctxConnectionTrack, mx.connectionTracking)
ctx = context.WithValue(ctx, ctxConnectionTrack, gl.connectionTracking) // For all Listeners
ctx = context.WithValue(ctx, ctxConfig, config) ctx = context.WithValue(ctx, ctxConfig, mx.tlsConfig)
ctx = context.WithValue(ctx, ctxListenerRegistration, gl.register) ctx = context.WithValue(ctx, ctxListenerRegistration, mx.register)
ctx = context.WithValue(ctx, ctxWssHostName, gl.wssHostName) ctx = context.WithValue(ctx, ctxWssHostName, mx.wssHostName)
ctx = context.WithValue(ctx, ctxAdminHostName, gl.adminHostName) ctx = context.WithValue(ctx, ctxAdminHostName, mx.adminHostName)
ctx = context.WithValue(ctx, ctxCancelCheck, gl.cancelCheck) ctx = context.WithValue(ctx, ctxCancelCheck, mx.cancelCheck)
ctx = context.WithValue(ctx, ctxLoadbalanceDefaultMethod, gl.lbDefaultMethod) ctx = context.WithValue(ctx, ctxLoadbalanceDefaultMethod, mx.lbDefaultMethod)
ctx = context.WithValue(ctx, ctxServerStatus, gl.serverStatus) ctx = context.WithValue(ctx, ctxServerStatus, mx.serverStatus)
go func(ctx context.Context) {
for { for {
select { select {
case <-ctx.Done(): case <-ctx.Done():
loginfo.Println("Cancel signal hit") loginfo.Println("Cancel signal hit")
return return nil
case registration := <-gl.register: case registration := <-mx.register:
loginfo.Println("register fired", registration.port) loginfo.Println("register fired", registration.port)
// check to see if port is already running // check to see if port is already running
for listener := range gl.listeners { for listener := range mx.listeners {
if gl.listeners[listener] == registration.port { if mx.listeners[listener] == registration.port {
loginfo.Println("listener already running", registration.port) loginfo.Println("listener already running", registration.port)
registration.status = listenerExists registration.status = listenerExists
registration.commCh <- registration registration.commCh <- registration
@ -120,19 +138,26 @@ func (gl *Servers) Run(ctx context.Context, initialPort int) {
} }
loginfo.Println("listener starting up ", registration.port) loginfo.Println("listener starting up ", registration.port)
loginfo.Println(ctx.Value(ctxConnectionTrack).(*Tracking)) loginfo.Println(ctx.Value(ctxConnectionTrack).(*Tracking))
go GenericListenAndServe(ctx, registration) go mx.multiListenAndServe(ctx, registration)
status := <-registration.commCh status := <-registration.commCh
if status.status == listenerAdded { if status.status == listenerAdded {
gl.listeners[status.listener] = status.port mx.listeners[status.listener] = status.port
} else if status.status == listenerFault { } else if status.status == listenerFault {
loginfo.Println("Unable to create a new listerer", registration.port) loginfo.Println("Unable to create a new listerer", registration.port)
} }
} }
} }
}(ctx) return nil
}
newListener := NewListenerRegistration(initialPort)
gl.register <- newListener func (mx *MPlexy) Start() {
go mx.Run()
}
// MultiListenAndServe starts another listener (to the same application) on a new port
func (mx *MPlexy) MultiListenAndServe(port int) {
// TODO how to associate a listening device with a given plain port
mx.register <- NewListenerRegistration(port)
} }

View File

@ -15,13 +15,13 @@ type Status struct {
DeadTime *StatusDeadTime DeadTime *StatusDeadTime
ConnectionTracking *Tracking ConnectionTracking *Tracking
ConnectionTable *Table ConnectionTable *Table
servers *Servers
LoadbalanceDefaultMethod string LoadbalanceDefaultMethod string
AdminStats *TrafficStats AdminStats *TrafficStats
AdminReqTyoe *AdminReqType AdminReqTyoe *AdminReqType
TrafficStats *TrafficStats TrafficStats *TrafficStats
ExtConnections *ConnectionStats ExtConnections *ConnectionStats
WSSConnections *ConnectionStats WSSConnections *ConnectionStats
//servers *MPlexy
} }
//NewStatus -- //NewStatus --
@ -32,7 +32,9 @@ func NewStatus(ctx context.Context) (p *Status) {
p.TrafficStats = new(TrafficStats) p.TrafficStats = new(TrafficStats)
p.ExtConnections = new(ConnectionStats) p.ExtConnections = new(ConnectionStats)
p.WSSConnections = new(ConnectionStats) p.WSSConnections = new(ConnectionStats)
return // TODO any reason not to set StartTime like this?
p.StartTime = time.Now()
return p
} }
// South Facing Functions // South Facing Functions

View File

@ -2,4 +2,7 @@ package telebit
// InvalidAdminDomain is a domain that can only be accessed by Domain Fronting // InvalidAdminDomain is a domain that can only be accessed by Domain Fronting
// (i.e. trixy clients sending fake headers), not browsers // (i.e. trixy clients sending fake headers), not browsers
var InvalidAdminDomain = "rvpn.rootprojects.invalid" var InvalidAdminDomain = "chilly-bobcat-15.telebit.io"
//var InvalidAdminDomain = "invalid.rootprojects.org"
//var InvalidAdminDomain = "rvpn.rootprojects.invalid"