code refactoring

addon-dailer
lqqyt2423 3 years ago
parent c3dc20feb5
commit 7f55903797

@ -277,7 +277,7 @@ func (ca *CA) GetCert(commonName string) (*tls.Certificate, error) {
ca.cacheMu.Lock()
if val, ok := ca.cache.Get(commonName); ok {
ca.cacheMu.Unlock()
log.WithField("commonName", commonName).Debug("GetCert")
log.Debugf("ca GetCert: %v", commonName)
return val.(*tls.Certificate), nil
}
ca.cacheMu.Unlock()
@ -301,7 +301,7 @@ func (ca *CA) GetCert(commonName string) (*tls.Certificate, error) {
// TODO: 是否应该支持多个 SubjectAltName
func (ca *CA) DummyCert(commonName string) (*tls.Certificate, error) {
log.WithField("commonName", commonName).Debug("DummyCert")
log.Debugf("ca DummyCert: %v", commonName)
template := &x509.Certificate{
SerialNumber: big.NewInt(time.Now().UnixNano() / 100000),
Subject: pkix.Name{

@ -104,7 +104,7 @@ func getTlsKeyLogWriter() io.Writer {
writer, err := os.OpenFile(logfile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0666)
if err != nil {
log.WithField("in", "getTlsKeyLogWriter").Debug(err)
log.Debugf("getTlsKeyLogWriter OpenFile error: %v", err)
return
}

@ -1,8 +1,15 @@
package proxy
import (
"bufio"
"context"
"crypto/tls"
"net"
"net/http"
"strings"
"github.com/lqqyt2423/go-mitmproxy/cert"
log "github.com/sirupsen/logrus"
)
// 拦截 https 流量通用接口
@ -23,3 +30,148 @@ func (i *forward) Start() error {
func (i *forward) Dial(req *http.Request) (net.Conn, error) {
return net.Dial("tcp", req.Host)
}
// 模拟了标准库中 server 运行,目的是仅通过当前进程内存转发 socket 数据,不需要经过 tcp 或 unix socket
type pipeAddr struct {
remoteAddr string
}
func (pipeAddr) Network() string { return "pipe" }
func (a *pipeAddr) String() string { return a.remoteAddr }
// add Peek method for conn
type pipeConn struct {
net.Conn
r *bufio.Reader
host string
remoteAddr string
connContext *ConnContext
}
func newPipeConn(c net.Conn, req *http.Request) *pipeConn {
return &pipeConn{
Conn: c,
r: bufio.NewReader(c),
host: req.Host,
remoteAddr: req.RemoteAddr,
connContext: req.Context().Value(connContextKey).(*ConnContext),
}
}
func (c *pipeConn) Peek(n int) ([]byte, error) {
return c.r.Peek(n)
}
func (c *pipeConn) Read(data []byte) (int, error) {
return c.r.Read(data)
}
func (c *pipeConn) RemoteAddr() net.Addr {
return &pipeAddr{remoteAddr: c.remoteAddr}
}
// 建立客户端和服务端通信的通道
func newPipes(req *http.Request) (net.Conn, *pipeConn) {
client, srv := net.Pipe()
server := newPipeConn(srv, req)
return client, server
}
// mock net.Listener
type middleListener struct {
connChan chan net.Conn
}
func (l *middleListener) Accept() (net.Conn, error) { return <-l.connChan, nil }
func (l *middleListener) Close() error { return nil }
func (l *middleListener) Addr() net.Addr { return nil }
// middle: man-in-the-middle server
type middle struct {
proxy *Proxy
ca *cert.CA
listener *middleListener
server *http.Server
}
func newMiddle(proxy *Proxy) (interceptor, error) {
ca, err := cert.NewCA(proxy.Opts.CaRootPath)
if err != nil {
return nil, err
}
m := &middle{
proxy: proxy,
ca: ca,
listener: &middleListener{
connChan: make(chan net.Conn),
},
}
server := &http.Server{
Handler: m,
ConnContext: func(ctx context.Context, c net.Conn) context.Context {
return context.WithValue(ctx, connContextKey, c.(*tls.Conn).NetConn().(*pipeConn).connContext)
},
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // disable http2
TLSConfig: &tls.Config{
GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
log.Debugf("middle GetCertificate ServerName: %v\n", chi.ServerName)
return ca.GetCert(chi.ServerName)
},
},
}
m.server = server
return m, nil
}
func (m *middle) Start() error {
return m.server.ServeTLS(m.listener, "", "")
}
// todo: should block until ServerConnected
func (m *middle) Dial(req *http.Request) (net.Conn, error) {
pipeClientConn, pipeServerConn := newPipes(req)
go m.intercept(pipeServerConn)
return pipeClientConn, nil
}
func (m *middle) ServeHTTP(res http.ResponseWriter, req *http.Request) {
if strings.EqualFold(req.Header.Get("Connection"), "Upgrade") && strings.EqualFold(req.Header.Get("Upgrade"), "websocket") {
// wss
defaultWebSocket.wss(res, req)
return
}
if req.URL.Scheme == "" {
req.URL.Scheme = "https"
}
if req.URL.Host == "" {
req.URL.Host = req.Host
}
m.proxy.ServeHTTP(res, req)
}
// 解析 connect 流量
// 如果是 tls 流量,则进入 listener.Accept => Middle.ServeHTTP
// 否则很可能是 ws 流量
func (m *middle) intercept(pipeServerConn *pipeConn) {
buf, err := pipeServerConn.Peek(3)
if err != nil {
log.Errorf("Peek error: %v\n", err)
pipeServerConn.Close()
return
}
// https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/net/tls.py is_tls_record_magic
if buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x03 {
// tls
pipeServerConn.connContext.ClientConn.Tls = true
pipeServerConn.connContext.initHttpsServerConn()
m.listener.connChan <- pipeServerConn
} else {
// ws
defaultWebSocket.ws(pipeServerConn, pipeServerConn.host)
}
}

@ -1,160 +0,0 @@
package proxy
import (
"bufio"
"context"
"crypto/tls"
"net"
"net/http"
"strings"
"github.com/lqqyt2423/go-mitmproxy/cert"
log "github.com/sirupsen/logrus"
)
// 模拟了标准库中 server 运行,目的是仅通过当前进程内存转发 socket 数据,不需要经过 tcp 或 unix socket
type pipeAddr struct {
remoteAddr string
}
func (pipeAddr) Network() string { return "pipe" }
func (a *pipeAddr) String() string { return a.remoteAddr }
// add Peek method for conn
type pipeConn struct {
net.Conn
r *bufio.Reader
host string
remoteAddr string
connContext *ConnContext
}
func newPipeConn(c net.Conn, req *http.Request) *pipeConn {
return &pipeConn{
Conn: c,
r: bufio.NewReader(c),
host: req.Host,
remoteAddr: req.RemoteAddr,
connContext: req.Context().Value(connContextKey).(*ConnContext),
}
}
func (c *pipeConn) Peek(n int) ([]byte, error) {
return c.r.Peek(n)
}
func (c *pipeConn) Read(data []byte) (int, error) {
return c.r.Read(data)
}
func (c *pipeConn) RemoteAddr() net.Addr {
return &pipeAddr{remoteAddr: c.remoteAddr}
}
// 建立客户端和服务端通信的通道
func newPipes(req *http.Request) (net.Conn, *pipeConn) {
client, srv := net.Pipe()
server := newPipeConn(srv, req)
return client, server
}
// mock net.Listener
type middleListener struct {
connChan chan net.Conn
}
func (l *middleListener) Accept() (net.Conn, error) { return <-l.connChan, nil }
func (l *middleListener) Close() error { return nil }
func (l *middleListener) Addr() net.Addr { return nil }
// middle: man-in-the-middle server
type middle struct {
proxy *Proxy
ca *cert.CA
listener *middleListener
server *http.Server
}
func newMiddle(proxy *Proxy) (interceptor, error) {
ca, err := cert.NewCA(proxy.Opts.CaRootPath)
if err != nil {
return nil, err
}
m := &middle{
proxy: proxy,
ca: ca,
listener: &middleListener{
connChan: make(chan net.Conn),
},
}
server := &http.Server{
Handler: m,
ConnContext: func(ctx context.Context, c net.Conn) context.Context {
return context.WithValue(ctx, connContextKey, c.(*tls.Conn).NetConn().(*pipeConn).connContext)
},
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // disable http2
TLSConfig: &tls.Config{
GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
log.Debugf("Middle GetCertificate ServerName: %v\n", chi.ServerName)
return ca.GetCert(chi.ServerName)
},
},
}
m.server = server
return m, nil
}
func (m *middle) Start() error {
return m.server.ServeTLS(m.listener, "", "")
}
// todo: should block until ServerConnected
func (m *middle) Dial(req *http.Request) (net.Conn, error) {
pipeClientConn, pipeServerConn := newPipes(req)
go m.intercept(pipeServerConn)
return pipeClientConn, nil
}
func (m *middle) ServeHTTP(res http.ResponseWriter, req *http.Request) {
if strings.EqualFold(req.Header.Get("Connection"), "Upgrade") && strings.EqualFold(req.Header.Get("Upgrade"), "websocket") {
// wss
defaultWebSocket.wss(res, req)
return
}
if req.URL.Scheme == "" {
req.URL.Scheme = "https"
}
if req.URL.Host == "" {
req.URL.Host = req.Host
}
m.proxy.ServeHTTP(res, req)
}
// 解析 connect 流量
// 如果是 tls 流量,则进入 listener.Accept => Middle.ServeHTTP
// 否则很可能是 ws 流量
func (m *middle) intercept(pipeServerConn *pipeConn) {
log := log.WithField("in", "middle.intercept").WithField("host", pipeServerConn.host)
buf, err := pipeServerConn.Peek(3)
if err != nil {
log.Errorf("Peek error: %v\n", err)
pipeServerConn.Close()
return
}
// https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/net/tls.py is_tls_record_magic
if buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x03 {
// tls
pipeServerConn.connContext.ClientConn.Tls = true
pipeServerConn.connContext.initHttpsServerConn()
m.listener.connChan <- pipeServerConn
} else {
// ws
defaultWebSocket.ws(pipeServerConn, pipeServerConn.host)
}
}

@ -107,8 +107,6 @@ func (proxy *Proxy) ServeHTTP(res http.ResponseWriter, req *http.Request) {
"method": req.Method,
})
log.Debug("receive request")
if !req.URL.IsAbs() || req.URL.Host == "" {
res.WriteHeader(400)
_, err := io.WriteString(res, "此为代理服务器,不能直接发起请求")
@ -259,8 +257,6 @@ func (proxy *Proxy) handleConnect(res http.ResponseWriter, req *http.Request) {
"host": req.Host,
})
log.Debug("receive connect")
conn, err := proxy.interceptor.Dial(req)
if err != nil {
log.Error(err)

Loading…
Cancel
Save