You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

160 lines
3.9 KiB
Go

package proxy
import (
"bufio"
"context"
"crypto/tls"
"net"
"net/http"
"strings"
"github.com/lqqyt2423/go-mitmproxy/cert"
)
// 模拟了标准库中 server 运行,目的是仅通过当前进程内存转发 socket 数据,不需要经过 tcp 或 unix socket
type pipeAddr struct {
remoteAddr string
}
func (pipeAddr) Network() string { return "pipe" }
func (a *pipeAddr) String() string { return a.remoteAddr }
// add Peek method for conn
type pipeConn struct {
net.Conn
r *bufio.Reader
host string
remoteAddr string
connContext *ConnContext
}
func newPipeConn(c net.Conn, req *http.Request) *pipeConn {
return &pipeConn{
Conn: c,
r: bufio.NewReader(c),
host: req.Host,
remoteAddr: req.RemoteAddr,
connContext: req.Context().Value(connContextKey).(*ConnContext),
}
}
func (c *pipeConn) Peek(n int) ([]byte, error) {
return c.r.Peek(n)
}
func (c *pipeConn) Read(data []byte) (int, error) {
return c.r.Read(data)
}
func (c *pipeConn) RemoteAddr() net.Addr {
return &pipeAddr{remoteAddr: c.remoteAddr}
}
// 建立客户端和服务端通信的通道
func newPipes(req *http.Request) (net.Conn, *pipeConn) {
client, srv := net.Pipe()
server := newPipeConn(srv, req)
return client, server
}
// mock net.Listener
type middleListener struct {
connChan chan net.Conn
}
func (l *middleListener) Accept() (net.Conn, error) { return <-l.connChan, nil }
func (l *middleListener) Close() error { return nil }
func (l *middleListener) Addr() net.Addr { return nil }
// middle: man-in-the-middle server
type middle struct {
proxy *Proxy
ca *cert.CA
listener *middleListener
server *http.Server
}
func newMiddle(proxy *Proxy) (interceptor, error) {
ca, err := cert.NewCA(proxy.Opts.CaRootPath)
if err != nil {
return nil, err
}
m := &middle{
proxy: proxy,
ca: ca,
listener: &middleListener{
connChan: make(chan net.Conn),
},
}
server := &http.Server{
Handler: m,
ConnContext: func(ctx context.Context, c net.Conn) context.Context {
return context.WithValue(ctx, connContextKey, c.(*tls.Conn).NetConn().(*pipeConn).connContext)
},
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // disable http2
TLSConfig: &tls.Config{
GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
log.Debugf("Middle GetCertificate ServerName: %v\n", chi.ServerName)
return ca.GetCert(chi.ServerName)
},
},
}
m.server = server
return m, nil
}
func (m *middle) Start() error {
return m.server.ServeTLS(m.listener, "", "")
}
// todo: should block until ServerConnected
func (m *middle) Dial(req *http.Request) (net.Conn, error) {
pipeClientConn, pipeServerConn := newPipes(req)
go m.intercept(pipeServerConn)
return pipeClientConn, nil
}
func (m *middle) ServeHTTP(res http.ResponseWriter, req *http.Request) {
if strings.EqualFold(req.Header.Get("Connection"), "Upgrade") && strings.EqualFold(req.Header.Get("Upgrade"), "websocket") {
// wss
defaultWebSocket.wss(res, req)
return
}
if req.URL.Scheme == "" {
req.URL.Scheme = "https"
}
if req.URL.Host == "" {
req.URL.Host = req.Host
}
m.proxy.ServeHTTP(res, req)
}
// 解析 connect 流量
// 如果是 tls 流量,则进入 listener.Accept => Middle.ServeHTTP
// 否则很可能是 ws 流量
func (m *middle) intercept(pipeServerConn *pipeConn) {
log := log.WithField("in", "middle.intercept").WithField("host", pipeServerConn.host)
buf, err := pipeServerConn.Peek(3)
if err != nil {
log.Errorf("Peek error: %v\n", err)
pipeServerConn.Close()
return
}
// https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/net/tls.py is_tls_record_magic
if buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x03 {
// tls
pipeServerConn.connContext.ClientConn.Tls = true
pipeServerConn.connContext.InitHttpsServerConn()
m.listener.connChan <- pipeServerConn
} else {
// ws
defaultWebSocket.ws(pipeServerConn, pipeServerConn.host)
}
}