// Whole module runs in strict mode: no implicit globals, silent failed assignments throw.
'use strict';
/**
 * Build the network front-end: TCP/TLS/HTTP demultiplexing, ACME certificate
 * handling and UDP DNS forwarding, wired to the listeners exported by ./servers.
 *
 * @param {object} deps - injected dependencies; `deps.net.createConnection` is
 *   used by the SNI proxy and the TCP forwarder below, and `deps.tunnel.net`
 *   is assigned here for connections arriving through the tunnel.
 * @param {object} config - parsed configuration; this file reads `config.tls`,
 *   `config.tcp`, `config.http`, `config.dns` and `config.debug`.
 * @returns {Promise} resolves once every listener requested by config is bound.
 */
module.exports.create = function (deps, config) {
  // NOTE(review): this prints the entire config object at startup; if config
  // can hold anything sensitive (account e-mail, upstream addresses, tokens)
  // it ends up in the logs — confirm what the config may contain.
  console.log('config', config);

  //var PromiseA = global.Promise;
  var PromiseA = require('bluebird');
  var greenlock = require('greenlock');
  var listeners = require('./servers').listeners;
  var parseSni = require('sni');
  // Lazily created protocol modules; only `modules.http` is used in this file.
  var modules = { };
  // Process-wide settings shared by the TLS terminator and the ACME client.
  var program = {
    tlsOptions: require('localhost.daplie.me-certificates').merge({})
    // , acmeDirectoryUrl: 'https://acme-v01.api.letsencrypt.org/directory'
    // NOTE: this is the Let's Encrypt *staging* directory, whose certificates
    // are not trusted by browsers. getAcme() below hard-codes the production
    // directory instead, so the two must be kept consistent.
  , acmeDirectoryUrl: 'https://acme-staging.api.letsencrypt.org/directory'
    // , challengeType: 'tls-sni-01' // won't work with a tunnel
  , challengeType: 'http-01'
  };
  // Cache of tls.SecureContext objects keyed by the SNI name that produced them.
  var secureContexts = {};
  // TLS options for the terminating server; filled from program.tlsOptions below.
  var tunnelAdminTlsOpts = {};
  var tls = require('tls');
  var domainMatches = require('./match-domain').match;
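// Reads a peer-address property off a socket: the public getter first, then the
// `_`-prefixed copy that the tunnel code sets, then node's internal handle chain
// (https://github.com/nodejs/node/issues/8854). Unlike the original inline
// chain it returns undefined instead of throwing when `_handle` (or any link
// below it) is missing, e.g. on a destroyed or non-native socket.
function peerProperty(socket, key) {
  var handle = socket._handle;
  var inner = handle && handle._parent && handle._parent.owner && handle._parent.owner.stream;
  return socket[key] || socket['_' + key] || (inner ? inner[key] : undefined);
}

// Tears a stream down without assuming a particular API (net.Socket has
// destroy(); older Duplex streams only offer end()).
function closeQuietly(stream) {
  if (typeof stream.destroy === 'function') {
    stream.destroy();
  } else if (typeof stream.end === 'function') {
    stream.end();
  }
}

// Routes a TLS ClientHello either to a backend untouched (SNI proxy) or into
// our own terminating TLS server, based on config.tls.modules.
var tlsRouter = {
  /**
   * SNI pass-through: open a plain TCP connection to the module's backend and
   * pipe the still-encrypted bytes both ways. Peer address details travel as
   * connection options so a tunnel-aware `deps.net` can preserve them.
   * @param {net.Socket|stream.Duplex} socket - client side
   * @param {object} opts - { servername, data, family, address, port, ... }
   * @param {{port: number, address: (string|undefined)}} mod - the matching 'proxy' module
   */
  proxy: function (socket, opts, mod) {
    var newConn = deps.net.createConnection({
      port: mod.port
    , host: mod.address || '127.0.0.1'
    , servername: opts.servername
    , data: opts.data
    , remoteFamily: opts.family || peerProperty(socket, 'remoteFamily')
    , remoteAddress: opts.address || peerProperty(socket, 'remoteAddress')
    , remotePort: opts.port || peerProperty(socket, 'remotePort')
    }, function () {
      // this will happen before 'data' is triggered
    });

    // pipe() does not forward errors, and an 'error' event without a listener
    // is thrown — previously a refused or reset backend connection would take
    // the whole process down. Log and close the opposite side instead.
    newConn.on('error', function (err) {
      console.error('[tlsRouter.proxy] backend connection error', err);
      closeQuietly(socket);
    });
    socket.on('error', function (err) {
      console.error('[tlsRouter.proxy] client connection error', err);
      closeQuietly(newConn);
    });

    newConn.pipe(socket);
    socket.pipe(newConn);
  }

  /**
   * Terminate TLS locally by handing the raw socket to program.tlsTunnelServer
   * (created further down in this file); that server decrypts and re-enters
   * netHandler with the plaintext stream.
   * @param {net.Socket|stream.Duplex} socket
   */
, terminate: function (socket) {
    // We terminate the TLS by emitting the connections of the TLS server and it should handle
    // everything we need to do for us.
    program.tlsTunnelServer.emit('connection', socket);
  }

  /**
   * Pick the first config.tls.modules entry whose `domains` patterns match
   * `opts.servername` (the client-supplied SNI, lower-cased by peek()) and
   * dispatch to proxy/terminate. Unknown module names are logged and skipped.
   * When nothing matches the connection is terminated locally.
   * @param {net.Socket|stream.Duplex} socket
   * @param {object} opts
   */
, handleModules: function (socket, opts) {
    // needs to wind up in one of 2 states:
    // 1. SNI-based Proxy / Tunnel (we don't even need to put it through the tlsSocket)
    // 2. Terminated (goes on to a particular module or route, including the admin interface)
    var handled = (config.tls.modules || []).some(function (mod) {
      // A module without a domains list can never match (the original threw here).
      var relevant = (mod.domains || []).some(function (pattern) {
        return domainMatches(pattern, opts.servername);
      });
      if (!relevant) {
        return false;
      }

      if (mod.name === 'proxy') {
        tlsRouter.proxy(socket, opts, mod);
      }
      else if (mod.name === 'terminate') {
        tlsRouter.terminate(socket);
      }
      else {
        console.error('saw unknown TLS module', mod);
        return false;
      }
      return true;
    });

    // We gotta do something, so when in doubt terminate the TLS since we don't really have
    // any good place to default to when proxying.
    if (!handled) {
      tlsRouter.terminate(socket);
    }
  }

  /**
   * Entry from peek() for a connection whose first chunk is a TLS handshake.
   * Tunnelled connections (opts.hyperPeek) are routed directly; native sockets
   * are wrapped in a tunnel-packer Duplex first (see the issue link below) and
   * the already-consumed first chunk is pushed back on the next tick.
   * @param {net.Socket|stream.Duplex} socket
   * @param {Buffer} firstChunk - the bytes peek() already read
   * @param {object} opts
   */
, processSocket: function (socket, firstChunk, opts) {
    if (opts.hyperPeek) {
      // See "PEEK COMMENT" for more info
      // This was already peeked at by the tunneler and this connection has been created
      // in a way that should work with node's TLS server, so we don't need to do any
      // of the myDuplex stuff that we need to do with non-tunnel connections.
      tlsRouter.handleModules(socket, opts);
      return;
    }

    // Why all this wacky-do with the myDuplex?
    // because https://github.com/nodejs/node/issues/8854, that's why
    // (because node's internal networking layer == 💩 sometimes)
    var myDuplex = require('tunnel-packer').Stream.create(socket);
    myDuplex.remoteAddress = opts.remoteAddress || myDuplex.remoteAddress;
    myDuplex.remotePort = opts.remotePort || myDuplex.remotePort;

    socket.on('data', function (chunk) {
      console.log('[' + Date.now() + '] tls socket data', chunk.byteLength);
      myDuplex.push(chunk);
    });
    socket.on('error', function (err) {
      console.error('[error] httpsTunnel (Admin) TODO close');
      console.error(err);
      // NOTE(review): if nothing downstream listens for 'error' on myDuplex this
      // emit throws from inside the socket's error handler — confirm the consumer
      // (terminating server or proxy) always attaches a listener.
      myDuplex.emit('error', err);
    });
    socket.on('close', function () {
      myDuplex.end();
    });

    var address = opts.localAddress || socket.localAddress;
    var port = opts.localPort || socket.localPort;
    console.log('[tlsRouter] ' + address + ':' + port + ' servername', opts.servername, myDuplex.remoteAddress);

    tlsRouter.handleModules(myDuplex, opts);
    process.nextTick(function () {
      // this must happen after the socket is emitted to the next in the chain,
      // but before any more data comes in via the network
      socket.unshift(firstChunk);
    });
  }
};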
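// opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
/**
 * Inspect the first chunk of a raw connection and hand it to the right handler:
 *   - first byte 0x16 (TLS handshake record): extract the SNI name and route via tlsRouter
 *   - printable ASCII containing "HTTP/": hand to the lazily created http module
 *   - anything else: log and drop the connection
 * `opts.servername` is overwritten with the client-supplied SNI (lower-cased,
 * 'localhost.invalid' when absent), so everything downstream must treat it as
 * untrusted input.
 * @param {net.Socket|stream.Duplex} conn
 * @param {Buffer} firstChunk
 * @param {object} opts
 */
function peek(conn, firstChunk, opts) {
  // TODO port/service-based routing can do here

  // TLS byte 1 is handshake and byte 6 is client hello
  if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
    opts.servername = (parseSni(firstChunk)||'').toLowerCase() || 'localhost.invalid';
    tlsRouter.processSocket(conn, firstChunk, opts);
    return;
  }

  // This doesn't work with TLS, but now that we know this isn't a TLS connection we can
  // unshift the first chunk back onto the connection for future use. The unshift should
  // happen after any listeners are attached to it but before any new data comes in.
  if (!opts.hyperPeek) {
    process.nextTick(function () {
      conn.unshift(firstChunk);
    });
  }

  // Connection is not TLS, check for HTTP next.
  if (firstChunk[0] > 32 && firstChunk[0] < 127) {
    var firstStr = firstChunk.toString();
    if (/HTTP\//i.test(firstStr)) {
      if (!modules.http) {
        modules.http = require('./modules/http.js').create(deps, config);
      }

      conn.__opts = opts;
      modules.http.emit('connection', conn);
      return;
    }
  }

  console.warn('failed to identify protocol from first chunk', firstChunk);
  // net.Socket has no close() method, so the original `conn.close()` threw a
  // TypeError from inside the 'data' listener for every unrecognised first
  // byte. Prefer destroy() (net.Socket, modern streams) and fall back to end().
  if (typeof conn.destroy === 'function') {
    conn.destroy();
  } else {
    conn.end();
  }
}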
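/**
 * Entry point for every accepted TCP connection: plain listeners, the
 * decrypted side of the terminating TLS server, and tunnelled sockets. Waits
 * for the first chunk — or uses the one the tunnel already peeked — and hands
 * it to peek() for protocol detection.
 * @param {net.Socket|stream.Duplex} conn
 * @param {object} [opts] - { hyperPeek, firstChunk, encrypted, servername, remote*, local* }
 */
function netHandler(conn, opts) {
  var options = opts || {};
  // The original logged `conn.localAddres` (typo), which is always undefined.
  console.log('[netHandler]', conn.localAddress, conn.localPort, options.encrypted);

  // An 'error' emitted before any data arrived had no listener and would be
  // thrown as an uncaught exception. Log it; node is expected to have
  // destroyed the socket by the time 'error' fires.
  conn.on('error', function (err) {
    console.error('[netHandler] connection error', err);
  });

  // XXX PEEK COMMENT XXX
  // TODO we can have our cake and eat it too
  // we can skip the need to wrap the TLS connection twice
  // because we've already peeked at the data,
  // but this needs to be handled better before we enable that
  // (because it creates new edge cases)
  if (options.hyperPeek) {
    console.log('hyperpeek');
    peek(conn, options.firstChunk, options);
    return;
  }

  conn.once('data', function (chunk) {
    peek(conn, chunk, options);
  });
}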
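/**
 * Forward one raw DNS datagram to the configured upstream resolver
 * (config.dns.proxy.address / .port, host defaulting to 127.0.0.1).
 *
 * Only `msg` is available here, so nothing relays the upstream's answer back
 * to the original client; any reply is dropped when the socket is closed.
 * @param {Buffer} msg - the datagram as received on the bound UDP port
 */
function dnsListener(msg) {
  var dgram = require('dgram');
  var socket = dgram.createSocket('udp4');
  var proxy = config.dns.proxy;
  var closed = false;

  // The original opened a new socket per datagram and never closed it, leaking
  // a file descriptor for every query received.
  function finish() {
    if (!closed) {
      closed = true;
      socket.close();
    }
  }

  socket.on('error', function (err) {
    console.error('[dnsListener] proxy socket error', err);
    finish();
  });
  socket.send(msg, proxy.port, proxy.address || '127.0.0.1', function (err) {
    if (err) {
      console.error('[dnsListener] failed to forward DNS message', err);
    }
    finish();
  });
}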
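/**
 * Build a connection handler that forwards raw TCP bytes to `mod.address`
 * ("host:port"; an empty host means 127.0.0.1). Used for config.tcp modules
 * named 'forward'.
 * @param {{address: string}} mod
 * @returns {function(net.Socket): void} handler for listeners.tcp.add
 */
function createTcpForwarder(mod) {
  var destination = mod.address.split(':');
  var host = destination[0] || '127.0.0.1';
  var port = destination[1];
  // NOTE(review): splitting on ':' cannot express a bare IPv6 literal and
  // yields an undefined port for an address without ':' — confirm config only
  // ever supplies "host:port" / ":port" forms.

  function closeQuietly(stream) {
    if (typeof stream.destroy === 'function') {
      stream.destroy();
    } else if (typeof stream.end === 'function') {
      stream.end();
    }
  }

  return function (conn) {
    var newConn = deps.net.createConnection({
      port: port
    , host: host
    , remoteFamily: conn.remoteFamily
    , remoteAddress: conn.remoteAddress
    , remotePort: conn.remotePort
    }, function () {
      // connected; the pipes below carry the bytes
    });

    // pipe() does not forward errors and an unhandled 'error' event is thrown,
    // so a refused backend used to crash the process. Close the other side.
    newConn.on('error', function (err) {
      console.error('[tcp forward] backend connection error', err);
      closeQuietly(conn);
    });
    conn.on('error', function (err) {
      console.error('[tcp forward] client connection error', err);
      closeQuietly(newConn);
    });

    newConn.pipe(conn);
    conn.pipe(newConn);
  };
}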
/**
 * greenlock `approveDomains` hook: decide whether a certificate may be
 * requested or renewed for `opts.domain` and fill in the ACME account options.
 * Precedence:
 *   1. renewal (`certs` given): reuse certs.altnames and approve immediately
 *   2. name listed in config.tls.servernames: approve with config.tls.email
 *   3. otherwise ask the http module (checkServername) whether it serves the name
 * NOTE(review): `opts.domain` presumably originates from the client's SNI, so
 * step 3 is the only gate for names not in config — confirm checkServername
 * is strict enough that arbitrary names cannot trigger ACME requests.
 * @param {object} opts - greenlock options for this name (mutated in place)
 * @param {object|null} certs - existing certificate on renewal, else falsy
 * @param {function(Error=, object=)} cb - node-style callback
 */
function approveDomains(opts, certs, cb) {
  // This is where you check your database and associated
  // email addresses with domains and agreements and such

  // The domains being approved for the first time are listed in opts.domains
  // Certs being renewed are listed in certs.altnames

  // Copies the account details onto opts and reports success. Only these four
  // fields are copied: `domain`, `domains` and `challenge` passed by the http
  // branch are not, and that branch passes no `agreeTos`, so opts.agreeTos is
  // left undefined there (kept as in the original).
  var approve = function (details) {
    opts.email = details.email;
    opts.agreeTos = details.agreeTos;
    opts.server = details.server;
    opts.challengeType = details.challengeType;

    cb(null, { options: opts, certs: certs });
  };

  // 1. renewal
  if (certs) {
    // TODO make sure the same options are used for renewal as for registration?
    opts.domains = certs.altnames;

    cb(null, { options: opts, certs: certs });
    return;
  }

  // 2. check config for domain name
  var isConfigured = config.tls.servernames.indexOf(opts.domain) !== -1;
  if (isConfigured) {
    // TODO how to handle SANs?
    // TODO fetch domain-specific email
    // TODO fetch domain-specific acmeDirectory
    // NOTE: you can also change other options such as `challengeType` and `challenge`
    // opts.challengeType = 'http-01';
    // opts.challenge = require('le-challenge-fs').create({}); // TODO this doesn't actually work yet
    approve({
      email: config.tls.email
    , agreeTos: true
    , server: program.acmeDirectoryUrl
    , challengeType: program.challengeType
    });
    return;
  }

  // 3. ask the http module
  // TODO ask http module about the default path (/srv/www/:hostname)
  // (if it exists, we can allow and add to config)
  modules.http = modules.http || require('./modules/http.js').create(deps, config);

  modules.http.checkServername(opts.domain).then(function (stuff) {
    if (!stuff || !stuff.domains) {
      // TODO once precheck is implemented we can just let it pass if it passes, yknow?
      cb(new Error('domain is not allowed'));
      return;
    }

    approve({
      domain: stuff.domain || stuff.domains[0]
    , domains: stuff.domains
    , email: stuff.email || program.email
    , server: stuff.acmeDirectoryUrl || program.acmeDirectoryUrl
    , challengeType: stuff.challengeType || program.challengeType
    , challenge: stuff.challenge
    });
  }, cb);
}
/**
 * Create the greenlock (ACME) client used by the SNI callback for names that
 * have no static certificate. Account details (email, agreeTos) are supplied
 * per name by approveDomains rather than being set here.
 *
 * Notes on the values below:
 *  - `server` is the production Let's Encrypt v01 directory, whereas
 *    program.acmeDirectoryUrl (used by approveDomains) is the staging one.
 *  - NOTE(review): the challenge webroot and store live under /tmp, which is
 *    normally world-writable on a shared host — confirm the directory is
 *    created with restrictive permissions or move it under a service-owned path.
 * @returns {object} greenlock instance
 */
function getAcme() {
  var debug = config.debug;

  var challenges = {
    // TODO dns-01
    'http-01': require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges', debug: debug })
  , 'tls-sni-01': require('le-challenge-sni').create({ debug: debug })
    //, 'dns-01': require('le-challenge-ddns').create()
  };

  var acmeOptions = {
    //server: 'staging'
    server: 'https://acme-v01.api.letsencrypt.org/directory'
  , challenges: challenges
  , store: require('le-store-certbot').create({ webrootPath: '/tmp/acme-challenges' })
    //, email: program.email
    //, agreeTos: program.agreeTos
  , approveDomains: approveDomains
    //, approvedDomains: program.servernames
  };

  return greenlock.create(acmeOptions);
}
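deps.tunnel = deps.tunnel || {};
/**
 * `net`-like factory for connections that arrive through the tunnel. The
 * tunnel hands us a connection description (`opts`) plus, usually, the first
 * chunk it already read (`opts.data`). A socket pair is created: the "writer"
 * is returned to the tunnel (it drives the bytes), the "reader" is fed into
 * netHandler as if a local listener had accepted it.
 */
deps.tunnel.net = {
  /**
   * @param {object} opts - { address, port, hostname, servername, tls, encrypted,
   *   data, localAddress, localPort, remoteAddress, remotePort, remoteFamily }
   * @param {function(): void} cb - invoked on the next tick once the reader is
   *   wired up; the tunnel then starts emitting data
   * @returns {stream.Duplex|net.Socket} the writer half of the pair
   */
  createConnection: function (opts, cb) {
    console.log('[gl.tunnel] creating connection');

    // here "reader" means the socket that looks like the connection being accepted
    // here "writer" means the remote-looking part of the socket that driving the connection
    var writer;
    var wrapOpts = {};
    // Raw TLS is either flagged explicitly or detected from the peeked bytes
    // (0x16 = handshake record, byte 6 0x01 = ClientHello). The original
    // indexed opts.data unconditionally and threw when no data had been peeked
    // (wrapOpts.hyperPeek below shows that case is expected).
    var firstChunk = opts.data;
    var rawTls = opts.tls || !!(firstChunk && 0x16 === firstChunk[0] && 0x01 === firstChunk[5]);

    function usePair(err, reader) {
      if (err) {
        process.nextTick(function () {
          writer.emit('error', err);
        });
        return;
      }

      // this has the normal net/tcp stuff plus our custom stuff
      // opts = { address, port,
      //   hostname, servername, tls, encrypted, data, localAddress, localPort, remoteAddress, remotePort, remoteFamily }
      // NOTE(review): every key of opts is copied wholesale onto wrapOpts and the
      // reader; if any of these keys can be chosen by the remote tunnel peer,
      // an explicit allow-list would be safer than copying arbitrary names.
      Object.keys(opts).forEach(function (key) {
        wrapOpts[key] = opts[key];
        try {
          reader[key] = opts[key];
        } catch(e) {
          // can't set real socket getters, like remoteAddr — best effort, ignored
        }
      });

      // A few more extra specialty options
      wrapOpts.localAddress = wrapOpts.localAddress || '127.0.0.2'; // TODO use the tunnel's external address
      wrapOpts.localPort = wrapOpts.localPort || 'tunnel-0';
      // Same best-effort copy for the `_`-prefixed fields that tlsRouter and the
      // terminating server fall back to when the public getters are missing.
      try {
        reader._remoteAddress = wrapOpts.remoteAddress;
        reader._remotePort = wrapOpts.remotePort;
        reader._remoteFamily = wrapOpts.remoteFamily;
        reader._localAddress = wrapOpts.localAddress;
        reader._localPort = wrapOpts.localPort;
        reader._localFamily = wrapOpts.localFamily;
      } catch(e) {
        // deliberately ignored, same reason as above
      }

      netHandler(reader, wrapOpts);

      process.nextTick(function () {
        //opts.data = wrapOpts.data;

        // this cb will cause the stream to emit its (actually) first data event
        // (even though it already gave a peek into that first data chunk)
        console.log('[tunnel] callback, data should begin to flow');
        cb();
      });
    }

    wrapOpts.firstChunk = opts.data;
    wrapOpts.hyperPeek = !!opts.data;
    // encrypted meaning is *terminated* TLS
    // tls meaning is *raw* TLS
    if (rawTls) {
      // TLS sockets must actually use a socket with a file descriptor
      // https://nodejs.org/api/net.html#net_class_net_socket
      writer = require('socket-pair').create(function (err, other) {
        usePair(err, other);
      });
    }
    else {
      // stream-pair can only be used by TCP sockets, not tls
      writer = require('stream-pair').create();
      usePair(null, writer.other);
    }

    return writer;
  }
};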
// Start from the static (localhost.daplie.me) TLS options, then override SNICallback.
Object.keys(program.tlsOptions).forEach(function (key) {
  tunnelAdminTlsOpts[key] = program.tlsOptions[key];
});

/**
 * Per-connection certificate selection for the terminating TLS server.
 * Names matching the static pattern get a cached SecureContext built from the
 * bundled localhost.daplie.me certificates; everything else is delegated to
 * greenlock (created lazily on first use).
 *
 * NOTE(review): `sni` is client-supplied. The pattern below is unanchored, so
 * it matches any name that merely contains "localhost" followed later by
 * ".daplie.me" — confirm whether it should be anchored. The cache is keyed by
 * the raw name, so it grows by one entry per distinct accepted name; whether
 * mergeTlsOptions bounds that depends on that package.
 * @param {string} sni - servername from the ClientHello
 * @param {function(Error=, tls.SecureContext=)} cb
 */
tunnelAdminTlsOpts.SNICallback = function (sni, cb) {
  console.log("[tlsOptions.SNICallback] SNI: '" + sni + "'");

  var staticPattern = /.*localhost.*\.daplie\.me/;

  // Static Certs
  if (staticPattern.test(sni.toLowerCase())) {
    // TODO implement
    var cached = secureContexts[sni];
    if (!cached) {
      var merged = require('localhost.daplie.me-certificates').mergeTlsOptions(sni, {});
      if (merged) {
        cached = tls.createSecureContext(merged);
        secureContexts[sni] = cached;
      }
    }
    if (cached) {
      console.log('Got static secure context:', sni, cached);
      cb(null, cached);
      return;
    }
  }

  // Everything else goes through greenlock.
  program.greenlock = program.greenlock || getAcme();
  var glOptions = program.greenlock.tlsOptions || program.greenlock.httpsOptions;
  glOptions.SNICallback(sni, cb);
};
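/**
 * Terminating TLS server. It is never bound to a port: tlsRouter.terminate
 * feeds sockets in with `emit('connection', socket)`. After the handshake the
 * decrypted stream re-enters netHandler flagged `encrypted: true`, so the
 * HTTP module sees plaintext.
 */
program.tlsTunnelServer = tls.createServer(tunnelAdminTlsOpts, function (tlsSocket) {
  // Peer-address lookup that does not throw when node's internal handle chain
  // (https://github.com/nodejs/node/issues/8854) is absent, e.g. on a tunnelled
  // or already-destroyed socket; the original inline chain did.
  function peerProp(key) {
    var handle = tlsSocket._handle;
    var inner = handle && handle._parent && handle._parent.owner && handle._parent.owner.stream;
    return tlsSocket[key] || tlsSocket['_' + key] || (inner ? inner[key] : undefined);
  }

  console.log('(pre-terminated) tls connection, addr:', tlsSocket.remoteAddress);

  // A post-handshake socket error with no listener would surface as an
  // uncaught exception; log it (node is expected to have destroyed the socket).
  tlsSocket.on('error', function (err) {
    console.error('[tlsTunnelServer] terminated socket error', err);
  });

  // things get a little messed up here
  //tlsSocket.on('data', function (chunk) {
  //  console.log('terminated data:', chunk.toString());
  //});
  //(program.httpTunnelServer || program.httpServer).emit('connection', tlsSocket);
  //tcpRouter.get(conn.localAddress, conn.localPort)(conn, firstChunk, { encrypted: false });
  netHandler(tlsSocket, {
    servername: tlsSocket.servername
  , encrypted: true
    // remoteAddress... ugh... https://github.com/nodejs/node/issues/8854
  , remoteAddress: peerProp('remoteAddress')
  , remotePort: peerProp('remotePort')
  , remoteFamily: peerProp('remoteFamily')
  });
});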
// Promises from every listeners.{tcp,udp}.add() call; resolved together at the end.
var listenPromises = [];
// Ports (as object keys) that still need the generic netHandler TCP listener.
var tcpPortMap = {};

/**
 * Mark one port, or each port of a list, as needing a TCP listener.
 * Falsy input (a missing config section) is ignored.
 * @param {number|string|Array<number|string>|undefined} bindList
 */
function addPorts(bindList) {
  if (!bindList) {
    return;
  }
  var ports = Array.isArray(bindList) ? bindList : [bindList];
  ports.forEach(function (port) {
    tcpPortMap[port] = true;
  });
}
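// Ports listed directly in config.tcp.bind get the generic netHandler unless a
// forwarder claims them below.
addPorts(config.tcp.bind);

// Raw TCP forwarders: each listed port is bound to the forwarder and removed
// from the generic pool.
(config.tcp.modules || []).forEach(function (mod) {
  if (mod.name !== 'forward') {
    console.warn('unknown TCP module specified', mod);
    return;
  }
  if (!Array.isArray(mod.ports)) {
    // Previously a missing list threw here; report it instead.
    console.warn('forward module has no ports list', mod);
    return;
  }

  var forwarder = createTcpForwarder(mod);
  mod.ports.forEach(function (port) {
    if (!tcpPortMap[port]) {
      console.log("forwarding port", port, "that wasn't specified in bind");
    } else {
      delete tcpPortMap[port];
    }
    listenPromises.push(listeners.tcp.add(port, forwarder));
  });
});

// Even though these ports were specified in different places we treat any TCP
// connections we haven't been told to just forward exactly as is equal so that
// we can potentially use the same ports for different protocols.
addPorts(config.tls.bind);
addPorts(config.http.bind);

Object.keys(tcpPortMap).forEach(function (port) {
  listenPromises.push(listeners.tcp.add(port, netHandler));
});

// UDP (DNS) listeners: config.dns.bind may be a single port or a list.
// (The original used .map() purely for its side effect.)
if (config.dns.bind) {
  var dnsPorts = Array.isArray(config.dns.bind) ? config.dns.bind : [config.dns.bind];
  dnsPorts.forEach(function (port) {
    listenPromises.push(listeners.udp.add(port, dnsListener));
  });
}

return PromiseA.all(listenPromises);
};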