Merge branch 'master' of git.daplie.com:Daplie/goldilocks.js
This commit is contained in:
commit
4b2e6b1600
|
@ -1,3 +1,8 @@
|
|||
v1.1.4 - Improved responsiveness to config updates
|
||||
* changed which TCP/UDP ports are bound to on config update
|
||||
* update tunnel server settings on config update
|
||||
* update socks5 setting on config update
|
||||
|
||||
v1.1.3 - Better late than never... here's some stuff we've got
|
||||
* fixed (probably) network settings not being readable
|
||||
* supports timeouts in loopback check
|
||||
|
|
|
@ -174,6 +174,14 @@ var mdnsSchema = {
|
|||
}
|
||||
};
|
||||
|
||||
var tunnelSvrSchema = {
|
||||
type: 'object'
|
||||
, properties: {
|
||||
servernames: { type: 'array', items: { type: 'string' }}
|
||||
, secret: { type: 'string' }
|
||||
}
|
||||
};
|
||||
|
||||
var ddnsSchema = {
|
||||
type: 'object'
|
||||
, properties: {
|
||||
|
@ -223,6 +231,7 @@ var mainSchema = {
|
|||
, ddns: ddnsSchema
|
||||
, socks5: socks5Schema
|
||||
, device: deviceSchema
|
||||
, tunnel_server: tunnelSvrSchema
|
||||
}
|
||||
, additionalProperties: false
|
||||
};
|
||||
|
|
|
@ -5,6 +5,7 @@ module.exports.create = function (deps, conf) {
|
|||
var network = deps.PromiseA.promisifyAll(deps.recase.camelCopy(require('network')));
|
||||
var loopback = require('./loopback').create(deps, conf);
|
||||
var dnsCtrl = require('./dns-ctrl').create(deps, conf);
|
||||
var tunnelClients = require('./tunnel-client-manager').create(deps, conf);
|
||||
var equal = require('deep-equal');
|
||||
|
||||
var loopbackDomain;
|
||||
|
@ -44,7 +45,7 @@ module.exports.create = function (deps, conf) {
|
|||
async function startTunnel(tunnelSession, mod, domainList) {
|
||||
try {
|
||||
var dnsSession = await getSession(mod.tokenId);
|
||||
var tunnelDomain = await deps.tunnelClients.start(tunnelSession || dnsSession, domainList);
|
||||
var tunnelDomain = await tunnelClients.start(tunnelSession || dnsSession, domainList);
|
||||
|
||||
var addrList;
|
||||
try {
|
||||
|
@ -82,12 +83,12 @@ module.exports.create = function (deps, conf) {
|
|||
tunnelActive = true;
|
||||
}
|
||||
async function disconnectTunnels() {
|
||||
deps.tunnelClients.disconnect();
|
||||
tunnelClients.disconnect();
|
||||
tunnelActive = false;
|
||||
await Promise.resolve();
|
||||
}
|
||||
async function checkTunnelTokens() {
|
||||
var oldTokens = deps.tunnelClients.current();
|
||||
var oldTokens = tunnelClients.current();
|
||||
|
||||
var newTokens = await iterateAllModules(function checkTokens(mod, domainList) {
|
||||
if (mod.type !== 'dns@oauth3.org') { return null; }
|
||||
|
@ -103,7 +104,7 @@ module.exports.create = function (deps, conf) {
|
|||
}
|
||||
});
|
||||
|
||||
await Promise.all(Object.values(oldTokens).map(deps.tunnelClients.remove));
|
||||
await Promise.all(Object.values(oldTokens).map(tunnelClients.remove));
|
||||
|
||||
if (!newTokens.length) { return; }
|
||||
|
||||
|
|
|
@ -6,6 +6,52 @@ module.exports.create = function (deps, config) {
|
|||
var activeTunnels = {};
|
||||
var activeDomains = {};
|
||||
|
||||
var customNet = {
|
||||
createConnection: function (opts, cb) {
|
||||
console.log('[gl.tunnel] creating connection');
|
||||
|
||||
// here "reader" means the socket that looks like the connection being accepted
|
||||
// here "writer" means the remote-looking part of the socket that driving the connection
|
||||
var writer;
|
||||
|
||||
function usePair(err, reader) {
|
||||
if (err) {
|
||||
process.nextTick(function () {
|
||||
writer.emit('error', err);
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
var wrapOpts = Object.assign({localAddress: '127.0.0.2', localPort: 'tunnel-0'}, opts);
|
||||
wrapOpts.firstChunk = opts.data;
|
||||
wrapOpts.hyperPeek = !!opts.data;
|
||||
|
||||
// Also override the remote and local address info. We use `defineProperty` because
|
||||
// otherwise we run into problems of setting properties with only getters defined.
|
||||
Object.defineProperty(reader, 'remoteAddress', { value: wrapOpts.remoteAddress });
|
||||
Object.defineProperty(reader, 'remotePort', { value: wrapOpts.remotePort });
|
||||
Object.defineProperty(reader, 'remoteFamiliy', { value: wrapOpts.remoteFamiliy });
|
||||
Object.defineProperty(reader, 'localAddress', { value: wrapOpts.localAddress });
|
||||
Object.defineProperty(reader, 'localPort', { value: wrapOpts.localPort });
|
||||
Object.defineProperty(reader, 'localFamiliy', { value: wrapOpts.localFamiliy });
|
||||
|
||||
deps.tcp.handler(reader, wrapOpts);
|
||||
process.nextTick(function () {
|
||||
// this cb will cause the stream to emit its (actually) first data event
|
||||
// (even though it already gave a peek into that first data chunk)
|
||||
console.log('[tunnel] callback, data should begin to flow');
|
||||
cb();
|
||||
});
|
||||
}
|
||||
|
||||
// We used to use `stream-pair` for non-tls connections, but there are places
|
||||
// that require properties/functions to be present on the socket that aren't
|
||||
// present on a JSStream so it caused problems.
|
||||
writer = require('socket-pair').create(usePair);
|
||||
return writer;
|
||||
}
|
||||
};
|
||||
|
||||
function fillData(data) {
|
||||
if (typeof data === 'string') {
|
||||
data = { jwt: data };
|
||||
|
@ -70,7 +116,7 @@ module.exports.create = function (deps, config) {
|
|||
// get the promise that should tell us more about if it worked or not.
|
||||
activeTunnels[data.tunnelUrl] = stunnel.connect({
|
||||
stunneld: data.tunnelUrl
|
||||
, net: deps.tunnel.net
|
||||
, net: customNet
|
||||
// NOTE: the ports here aren't that important since we are providing a custom
|
||||
// `net.createConnection` that doesn't actually use the port. What is important
|
||||
// is that any services we are interested in are listed in this object and have
|
|
@ -1,303 +0,0 @@
|
|||
'use strict';
|
||||
|
||||
module.exports.create = function (deps, config) {
|
||||
console.log('config', config);
|
||||
|
||||
//var PromiseA = global.Promise;
|
||||
var PromiseA = require('bluebird');
|
||||
var listeners = require('./servers').listeners;
|
||||
var domainUtils = require('./domain-utils');
|
||||
var modules;
|
||||
|
||||
var addrProperties = [
|
||||
'remoteAddress'
|
||||
, 'remotePort'
|
||||
, 'remoteFamily'
|
||||
, 'localAddress'
|
||||
, 'localPort'
|
||||
, 'localFamily'
|
||||
];
|
||||
|
||||
function nameMatchesDomains(name, domainList) {
|
||||
return domainList.some(function (pattern) {
|
||||
return domainUtils.match(pattern, name);
|
||||
});
|
||||
}
|
||||
|
||||
function loadModules() {
|
||||
modules = {};
|
||||
|
||||
modules.tls = require('./modules/tls').create(deps, config, tcpHandler);
|
||||
modules.http = require('./modules/http').create(deps, config, modules.tls.middleware);
|
||||
}
|
||||
|
||||
function checkTcpProxy(conn, opts) {
|
||||
var proxied = false;
|
||||
|
||||
// TCP Proxying (ie forwarding based on domain name not incoming port) only works for
|
||||
// TLS wrapped connections, so if the opts don't give us a servername or don't tell us
|
||||
// this is the decrypted side of a TLS connection we can't handle it here.
|
||||
if (!opts.servername || !opts.encrypted) { return proxied; }
|
||||
|
||||
function proxy(mod) {
|
||||
// First thing we need to add to the connection options is where to proxy the connection to
|
||||
var newConnOpts = domainUtils.separatePort(mod.address || '');
|
||||
newConnOpts.port = newConnOpts.port || mod.port;
|
||||
newConnOpts.host = newConnOpts.host || mod.host || 'localhost';
|
||||
|
||||
// Then we add all of the connection address information. We need to prefix all of the
|
||||
// properties with '_' so we can provide the information to any connection `createConnection`
|
||||
// implementation but not have the default implementation try to bind the same local port.
|
||||
addrProperties.forEach(function (name) {
|
||||
newConnOpts['_' + name] = opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
|
||||
});
|
||||
|
||||
deps.proxy(conn, newConnOpts);
|
||||
return true;
|
||||
}
|
||||
|
||||
proxied = config.domains.some(function (dom) {
|
||||
if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; }
|
||||
if (!nameMatchesDomains(opts.servername, dom.names)) { return false; }
|
||||
|
||||
return dom.modules.tcp.some(function (mod) {
|
||||
if (mod.type !== 'proxy') { return false; }
|
||||
|
||||
return proxy(mod);
|
||||
});
|
||||
});
|
||||
|
||||
proxied = proxied || config.tcp.modules.some(function (mod) {
|
||||
if (mod.type !== 'proxy') { return false; }
|
||||
if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; }
|
||||
|
||||
return proxy(mod);
|
||||
});
|
||||
|
||||
return proxied;
|
||||
}
|
||||
|
||||
// opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
|
||||
function peek(conn, firstChunk, opts) {
|
||||
if (!modules) {
|
||||
loadModules();
|
||||
}
|
||||
|
||||
opts.firstChunk = firstChunk;
|
||||
conn.__opts = opts;
|
||||
// TODO port/service-based routing can do here
|
||||
|
||||
// TLS byte 1 is handshake and byte 6 is client hello
|
||||
if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
|
||||
modules.tls.emit('connection', conn);
|
||||
return;
|
||||
}
|
||||
|
||||
// This doesn't work with TLS, but now that we know this isn't a TLS connection we can
|
||||
// unshift the first chunk back onto the connection for future use. The unshift should
|
||||
// happen after any listeners are attached to it but before any new data comes in.
|
||||
if (!opts.hyperPeek) {
|
||||
process.nextTick(function () {
|
||||
conn.unshift(firstChunk);
|
||||
});
|
||||
}
|
||||
|
||||
// Connection is not TLS, check for HTTP next.
|
||||
if (firstChunk[0] > 32 && firstChunk[0] < 127) {
|
||||
var firstStr = firstChunk.toString();
|
||||
if (/HTTP\//i.test(firstStr)) {
|
||||
modules.http.emit('connection', conn);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
console.warn('failed to identify protocol from first chunk', firstChunk);
|
||||
conn.destroy();
|
||||
}
|
||||
function tcpHandler(conn, opts) {
|
||||
function getProp(name) {
|
||||
return opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
|
||||
}
|
||||
opts = opts || {};
|
||||
var logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' +
|
||||
getProp('localAddress') + ':' + getProp('localPort');
|
||||
console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false));
|
||||
|
||||
var start = Date.now();
|
||||
conn.on('timeout', function () {
|
||||
console.log('[tcpHandler]', logName, 'connection timed out', (Date.now()-start)/1000);
|
||||
});
|
||||
conn.on('end', function () {
|
||||
console.log('[tcpHandler]', logName, 'connection ended', (Date.now()-start)/1000);
|
||||
});
|
||||
conn.on('close', function () {
|
||||
console.log('[tcpHandler]', logName, 'connection closed', (Date.now()-start)/1000);
|
||||
});
|
||||
|
||||
if (checkTcpProxy(conn, opts)) { return; }
|
||||
|
||||
// XXX PEEK COMMENT XXX
|
||||
// TODO we can have our cake and eat it too
|
||||
// we can skip the need to wrap the TLS connection twice
|
||||
// because we've already peeked at the data,
|
||||
// but this needs to be handled better before we enable that
|
||||
// (because it creates new edge cases)
|
||||
if (opts.hyperPeek) {
|
||||
console.log('hyperpeek');
|
||||
peek(conn, opts.firstChunk, opts);
|
||||
return;
|
||||
}
|
||||
|
||||
function onError(err) {
|
||||
console.error('[error] socket errored peeking -', err);
|
||||
conn.destroy();
|
||||
}
|
||||
conn.once('error', onError);
|
||||
conn.once('data', function (chunk) {
|
||||
conn.removeListener('error', onError);
|
||||
peek(conn, chunk, opts);
|
||||
});
|
||||
}
|
||||
|
||||
function udpHandler(port, msg) {
|
||||
if (!Array.isArray(config.udp.modules)) {
|
||||
return;
|
||||
}
|
||||
var socket = require('dgram').createSocket('udp4');
|
||||
config.udp.modules.forEach(function (mod) {
|
||||
if (mod.type !== 'forward') {
|
||||
console.warn('found bad DNS module', mod);
|
||||
return;
|
||||
}
|
||||
if (mod.ports.indexOf(port) < 0) {
|
||||
return;
|
||||
}
|
||||
|
||||
var dest = require('./domain-utils').separatePort(mod.address || '');
|
||||
dest.port = dest.port || mod.port;
|
||||
dest.host = dest.host || mod.host || 'localhost';
|
||||
socket.send(msg, dest.port, dest.host);
|
||||
});
|
||||
}
|
||||
|
||||
function createTcpForwarder(mod) {
|
||||
var dest = require('./domain-utils').separatePort(mod.address || '');
|
||||
dest.port = dest.port || mod.port;
|
||||
dest.host = dest.host || mod.host || 'localhost';
|
||||
|
||||
return function (conn) {
|
||||
var newConnOpts = {};
|
||||
addrProperties.forEach(function (name) {
|
||||
newConnOpts['_'+name] = conn[name];
|
||||
});
|
||||
|
||||
deps.proxy(conn, Object.assign(newConnOpts, dest));
|
||||
};
|
||||
}
|
||||
|
||||
deps.tunnel = deps.tunnel || {};
|
||||
deps.tunnel.net = {
|
||||
createConnection: function (opts, cb) {
|
||||
console.log('[gl.tunnel] creating connection');
|
||||
|
||||
// here "reader" means the socket that looks like the connection being accepted
|
||||
// here "writer" means the remote-looking part of the socket that driving the connection
|
||||
var writer;
|
||||
var wrapOpts = {};
|
||||
|
||||
function usePair(err, reader) {
|
||||
if (err) {
|
||||
process.nextTick(function () {
|
||||
writer.emit('error', err);
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
// this has the normal net/tcp stuff plus our custom stuff
|
||||
// opts = { address, port,
|
||||
// hostname, servername, tls, encrypted, data, localAddress, localPort, remoteAddress, remotePort, remoteFamily }
|
||||
Object.keys(opts).forEach(function (key) {
|
||||
wrapOpts[key] = opts[key];
|
||||
try {
|
||||
reader[key] = opts[key];
|
||||
} catch(e) {
|
||||
// can't set real socket getters, like remoteAddr
|
||||
}
|
||||
});
|
||||
|
||||
// A few more extra specialty options
|
||||
wrapOpts.localAddress = wrapOpts.localAddress || '127.0.0.2'; // TODO use the tunnel's external address
|
||||
wrapOpts.localPort = wrapOpts.localPort || 'tunnel-0';
|
||||
try {
|
||||
reader._remoteAddress = wrapOpts.remoteAddress;
|
||||
reader._remotePort = wrapOpts.remotePort;
|
||||
reader._remoteFamily = wrapOpts.remoteFamily;
|
||||
reader._localAddress = wrapOpts.localAddress;
|
||||
reader._localPort = wrapOpts.localPort;
|
||||
reader._localFamily = wrapOpts.localFamily;
|
||||
} catch(e) {
|
||||
}
|
||||
|
||||
tcpHandler(reader, wrapOpts);
|
||||
|
||||
process.nextTick(function () {
|
||||
// this cb will cause the stream to emit its (actually) first data event
|
||||
// (even though it already gave a peek into that first data chunk)
|
||||
console.log('[tunnel] callback, data should begin to flow');
|
||||
cb();
|
||||
});
|
||||
}
|
||||
|
||||
wrapOpts.firstChunk = opts.data;
|
||||
wrapOpts.hyperPeek = !!opts.data;
|
||||
|
||||
// We used to use `stream-pair` for non-tls connections, but there are places
|
||||
// that require properties/functions to be present on the socket that aren't
|
||||
// present on a JSStream so it caused problems.
|
||||
writer = require('socket-pair').create(usePair);
|
||||
return writer;
|
||||
}
|
||||
};
|
||||
deps.tunnelClients = require('./tunnel-client-manager').create(deps, config);
|
||||
deps.tunnelServer = require('./tunnel-server-manager').create(deps, config);
|
||||
|
||||
var listenPromises = [];
|
||||
var tcpPortMap = {};
|
||||
config.tcp.bind.filter(Number).forEach(function (port) {
|
||||
tcpPortMap[port] = true;
|
||||
});
|
||||
|
||||
(config.tcp.modules || []).forEach(function (mod) {
|
||||
if (mod.type === 'forward') {
|
||||
var forwarder = createTcpForwarder(mod);
|
||||
mod.ports.forEach(function (port) {
|
||||
if (!tcpPortMap[port]) {
|
||||
console.log("forwarding port", port, "that wasn't specified in bind");
|
||||
} else {
|
||||
delete tcpPortMap[port];
|
||||
}
|
||||
listenPromises.push(listeners.tcp.add(port, forwarder));
|
||||
});
|
||||
}
|
||||
else if (mod.type !== 'proxy') {
|
||||
console.warn('unknown TCP module specified', mod);
|
||||
}
|
||||
});
|
||||
|
||||
var portList = Object.keys(tcpPortMap).map(Number).sort();
|
||||
portList.forEach(function (port) {
|
||||
listenPromises.push(listeners.tcp.add(port, tcpHandler));
|
||||
});
|
||||
|
||||
if (config.udp.bind) {
|
||||
config.udp.bind.forEach(function (port) {
|
||||
listenPromises.push(listeners.udp.add(port, udpHandler.bind(port)));
|
||||
});
|
||||
}
|
||||
|
||||
if (!config.mdns.disabled) {
|
||||
require('./mdns').start(deps, config, portList[0]);
|
||||
}
|
||||
|
||||
return PromiseA.all(listenPromises);
|
||||
};
|
102
lib/mdns.js
102
lib/mdns.js
|
@ -2,6 +2,7 @@
|
|||
|
||||
var PromiseA = require('bluebird');
|
||||
var queryName = '_cloud._tcp.local';
|
||||
var dnsSuite = require('dns-suite');
|
||||
|
||||
function createResponse(name, ownerIds, packet, ttl, mainPort) {
|
||||
var rpacket = {
|
||||
|
@ -85,20 +86,19 @@ function createResponse(name, ownerIds, packet, ttl, mainPort) {
|
|||
});
|
||||
});
|
||||
|
||||
return require('dns-suite').DNSPacket.write(rpacket);
|
||||
return dnsSuite.DNSPacket.write(rpacket);
|
||||
}
|
||||
|
||||
module.exports.start = function (deps, config, mainPort) {
|
||||
var socket = require('dgram').createSocket({ type: 'udp4', reuseAddr: true });
|
||||
var dns = require('dns-suite');
|
||||
module.exports.create = function (deps, config) {
|
||||
var socket;
|
||||
var nextBroadcast = -1;
|
||||
|
||||
socket.on('message', function (message, rinfo) {
|
||||
function handlePacket(message, rinfo) {
|
||||
// console.log('Received %d bytes from %s:%d', message.length, rinfo.address, rinfo.port);
|
||||
|
||||
var packet;
|
||||
try {
|
||||
packet = dns.DNSPacket.parse(message);
|
||||
packet = dnsSuite.DNSPacket.parse(message);
|
||||
}
|
||||
catch (er) {
|
||||
// `dns-suite` actually errors on a lot of the packets floating around in our network,
|
||||
|
@ -108,16 +108,12 @@ module.exports.start = function (deps, config, mainPort) {
|
|||
}
|
||||
|
||||
// Only respond to queries.
|
||||
if (packet.header.qr !== 0) {
|
||||
return;
|
||||
}
|
||||
if (packet.header.qr !== 0) { return; }
|
||||
// Only respond if they were asking for cloud devices.
|
||||
if (packet.question.length !== 1 || packet.question[0].name !== queryName) {
|
||||
return;
|
||||
}
|
||||
if (packet.question[0].typeName !== 'PTR' || packet.question[0].className !== 'IN' ) {
|
||||
return;
|
||||
}
|
||||
if (packet.question.length !== 1) { return; }
|
||||
if (packet.question[0].name !== queryName) { return; }
|
||||
if (packet.question[0].typeName !== 'PTR') { return; }
|
||||
if (packet.question[0].className !== 'IN' ) { return; }
|
||||
|
||||
var proms = [
|
||||
deps.storage.mdnsId.get()
|
||||
|
@ -131,7 +127,7 @@ module.exports.start = function (deps, config, mainPort) {
|
|||
];
|
||||
|
||||
PromiseA.all(proms).then(function (results) {
|
||||
var resp = createResponse(results[0], results[1], packet, config.mdns.ttl, mainPort);
|
||||
var resp = createResponse(results[0], results[1], packet, config.mdns.ttl, deps.tcp.mainPort);
|
||||
var now = Date.now();
|
||||
if (now > nextBroadcast) {
|
||||
socket.send(resp, config.mdns.port, config.mdns.broadcast);
|
||||
|
@ -140,18 +136,68 @@ module.exports.start = function (deps, config, mainPort) {
|
|||
socket.send(resp, rinfo.port, rinfo.address);
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
socket.bind(config.mdns.port, function () {
|
||||
var addr = this.address();
|
||||
console.log('bound on UDP %s:%d for mDNS', addr.address, addr.port);
|
||||
function start() {
|
||||
socket = require('dgram').createSocket({ type: 'udp4', reuseAddr: true });
|
||||
socket.on('message', handlePacket);
|
||||
|
||||
socket.setBroadcast(true);
|
||||
socket.addMembership(config.mdns.broadcast);
|
||||
// This is supposed to be a local device discovery mechanism, so we shouldn't
|
||||
// need to hop through any gateways. This helps with security by making it
|
||||
// much more difficult for someone to use us as part of a DDoS attack by
|
||||
// spoofing the UDP address a request came from.
|
||||
socket.setTTL(1);
|
||||
});
|
||||
return new Promise(function (resolve, reject) {
|
||||
socket.once('error', reject);
|
||||
|
||||
socket.bind(config.mdns.port, function () {
|
||||
var addr = this.address();
|
||||
console.log('bound on UDP %s:%d for mDNS', addr.address, addr.port);
|
||||
|
||||
socket.setBroadcast(true);
|
||||
socket.addMembership(config.mdns.broadcast);
|
||||
// This is supposed to be a local device discovery mechanism, so we shouldn't
|
||||
// need to hop through any gateways. This helps with security by making it
|
||||
// much more difficult for someone to use us as part of a DDoS attack by
|
||||
// spoofing the UDP address a request came from.
|
||||
socket.setTTL(1);
|
||||
|
||||
socket.removeListener('error', reject);
|
||||
resolve();
|
||||
});
|
||||
});
|
||||
}
|
||||
function stop() {
|
||||
return new Promise(function (resolve, reject) {
|
||||
socket.once('error', reject);
|
||||
|
||||
socket.close(function () {
|
||||
socket.removeListener('error', reject);
|
||||
socket = null;
|
||||
resolve();
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
function updateConf() {
|
||||
var promise;
|
||||
if (config.mdns.disabled) {
|
||||
if (socket) {
|
||||
promise = stop();
|
||||
}
|
||||
} else {
|
||||
if (!socket) {
|
||||
promise = start();
|
||||
} else if (socket.address().port !== config.mdns.port) {
|
||||
promise = stop().then(start);
|
||||
} else {
|
||||
// Can't check membership, so just add the current broadcast address to make sure
|
||||
// it's set. If it's already set it will throw an exception (at least on linux).
|
||||
try {
|
||||
socket.addMembership(config.mdns.broadcast);
|
||||
} catch (e) {}
|
||||
promise = Promise.resolve();
|
||||
}
|
||||
}
|
||||
}
|
||||
updateConf();
|
||||
|
||||
return {
|
||||
updateConf
|
||||
};
|
||||
};
|
||||
|
|
|
@ -10,20 +10,16 @@ module.exports.addTcpListener = function (port, handler) {
|
|||
|
||||
if (stat) {
|
||||
if (stat._closing) {
|
||||
module.exports.destroyTcpListener(port);
|
||||
}
|
||||
else if (handler !== stat.handler) {
|
||||
|
||||
// we'll replace the current listener
|
||||
stat.server.destroy();
|
||||
} else {
|
||||
// We're already listening on the port, so we only have 2 options. We can either
|
||||
// replace the handler or reject with an error. (Though neither is really needed
|
||||
// if the handlers are the same). Until there is reason to do otherwise we are
|
||||
// opting for the replacement.
|
||||
stat.handler = handler;
|
||||
resolve();
|
||||
return;
|
||||
}
|
||||
else {
|
||||
// this exact listener is already open
|
||||
resolve();
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
var enableDestroy = require('server-destroy');
|
||||
|
@ -34,7 +30,7 @@ module.exports.addTcpListener = function (port, handler) {
|
|||
stat = serversMap[port] = {
|
||||
server: server
|
||||
, handler: handler
|
||||
, _closing: null
|
||||
, _closing: false
|
||||
};
|
||||
|
||||
// Add .destroy so we can close all open connections. Better if added before listen
|
||||
|
@ -66,14 +62,24 @@ module.exports.addTcpListener = function (port, handler) {
|
|||
});
|
||||
});
|
||||
};
|
||||
module.exports.closeTcpListener = function (port) {
|
||||
module.exports.closeTcpListener = function (port, timeout) {
|
||||
return new PromiseA(function (resolve) {
|
||||
var stat = serversMap[port];
|
||||
if (!stat) {
|
||||
resolve();
|
||||
return;
|
||||
}
|
||||
stat.server.once('close', resolve);
|
||||
stat._closing = true;
|
||||
|
||||
var timeoutId;
|
||||
if (timeout) {
|
||||
timeoutId = setTimeout(() => stat.server.destroy(), timeout);
|
||||
}
|
||||
|
||||
stat.server.once('close', function () {
|
||||
clearTimeout(timeoutId);
|
||||
resolve();
|
||||
});
|
||||
stat.server.close();
|
||||
});
|
||||
};
|
||||
|
@ -84,7 +90,9 @@ module.exports.destroyTcpListener = function (port) {
|
|||
}
|
||||
};
|
||||
module.exports.listTcpListeners = function () {
|
||||
return Object.keys(serversMap).map(Number).filter(Boolean);
|
||||
return Object.keys(serversMap).map(Number).filter(function (port) {
|
||||
return port && !serversMap[port]._closing;
|
||||
});
|
||||
};
|
||||
|
||||
|
||||
|
|
|
@ -63,15 +63,29 @@ module.exports.create = function (deps, config) {
|
|||
});
|
||||
}
|
||||
|
||||
if (config.socks5 && config.socks5.enabled) {
|
||||
start(config.socks5.port).catch(function (err) {
|
||||
console.error('failed to start Socks5 proxy', err);
|
||||
});
|
||||
var configEnabled = false;
|
||||
function updateConf() {
|
||||
var wanted = config.socks5 && config.socks5.enabled;
|
||||
|
||||
if (configEnabled && !wanted) {
|
||||
stop().catch(function (err) {
|
||||
console.error('failed to stop socks5 proxy on config change', err);
|
||||
});
|
||||
configEnabled = false;
|
||||
}
|
||||
if (wanted && !configEnabled) {
|
||||
start(config.socks5.port).catch(function (err) {
|
||||
console.error('failed to start Socks5 proxy', err);
|
||||
});
|
||||
configEnabled = true;
|
||||
}
|
||||
}
|
||||
process.nextTick(updateConf);
|
||||
|
||||
return {
|
||||
curState: curState
|
||||
, start: start
|
||||
, stop: stop
|
||||
curState
|
||||
, start
|
||||
, stop
|
||||
, updateConf
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
'use strict';
|
||||
|
||||
module.exports.create = function (deps, conf, greenlockMiddleware) {
|
||||
module.exports.create = function (deps, conf, tcpMods) {
|
||||
var PromiseA = require('bluebird');
|
||||
var statAsync = PromiseA.promisify(require('fs').stat);
|
||||
var domainMatches = require('../domain-utils').match;
|
||||
|
@ -162,8 +162,8 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
|
|||
return false;
|
||||
}
|
||||
|
||||
if (deps.tunnelServer.isClientDomain(separatePort(headers.host).host)) {
|
||||
deps.tunnelServer.handleClientConn(conn);
|
||||
if (deps.stunneld.isClientDomain(separatePort(headers.host).host)) {
|
||||
deps.stunneld.handleClientConn(conn);
|
||||
process.nextTick(function () {
|
||||
conn.unshift(opts.firstChunk);
|
||||
conn.resume();
|
||||
|
@ -172,7 +172,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
|
|||
}
|
||||
|
||||
if (!acmeServer) {
|
||||
acmeServer = require('http').createServer(greenlockMiddleware);
|
||||
acmeServer = require('http').createServer(tcpMods.tls.middleware);
|
||||
}
|
||||
return emitConnection(acmeServer, conn, opts);
|
||||
}
|
||||
|
@ -214,8 +214,8 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
|
|||
return emitConnection(adminServer, conn, opts);
|
||||
}
|
||||
|
||||
if (deps.tunnelServer.isAdminDomain(host)) {
|
||||
deps.tunnelServer.handleAdminConn(conn);
|
||||
if (deps.stunneld.isAdminDomain(host)) {
|
||||
deps.stunneld.handleAdminConn(conn);
|
||||
process.nextTick(function () {
|
||||
conn.unshift(opts.firstChunk);
|
||||
conn.resume();
|
||||
|
@ -241,7 +241,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
|
|||
res.statusCode = 502;
|
||||
res.setHeader('Connection', 'close');
|
||||
res.setHeader('Content-Type', 'text/html');
|
||||
res.end(require('../proxy-conn').getRespBody(err, conf.debug));
|
||||
res.end(tcpMods.proxy.getRespBody(err, conf.debug));
|
||||
});
|
||||
|
||||
proxyServer = http.createServer(function (req, res) {
|
||||
|
@ -292,7 +292,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
|
|||
newConnOpts.remoteAddress = opts.address || conn.remoteAddress;
|
||||
newConnOpts.remotePort = opts.port || conn.remotePort;
|
||||
|
||||
deps.proxy(conn, newConnOpts, opts.firstChunk);
|
||||
tcpMods.proxy(conn, newConnOpts, opts.firstChunk);
|
||||
}
|
||||
|
||||
function checkProxy(mod, conn, opts, headers) {
|
|
@ -0,0 +1,240 @@
|
|||
'use strict';
|
||||
|
||||
module.exports.create = function (deps, config) {
|
||||
console.log('config', config);
|
||||
|
||||
var listeners = require('../servers').listeners.tcp;
|
||||
var domainUtils = require('../domain-utils');
|
||||
var modules;
|
||||
|
||||
var addrProperties = [
|
||||
'remoteAddress'
|
||||
, 'remotePort'
|
||||
, 'remoteFamily'
|
||||
, 'localAddress'
|
||||
, 'localPort'
|
||||
, 'localFamily'
|
||||
];
|
||||
|
||||
function nameMatchesDomains(name, domainList) {
|
||||
return domainList.some(function (pattern) {
|
||||
return domainUtils.match(pattern, name);
|
||||
});
|
||||
}
|
||||
|
||||
function proxy(mod, conn, opts) {
|
||||
// First thing we need to add to the connection options is where to proxy the connection to
|
||||
var newConnOpts = domainUtils.separatePort(mod.address || '');
|
||||
newConnOpts.port = newConnOpts.port || mod.port;
|
||||
newConnOpts.host = newConnOpts.host || mod.host || 'localhost';
|
||||
|
||||
// Then we add all of the connection address information. We need to prefix all of the
|
||||
// properties with '_' so we can provide the information to any connection `createConnection`
|
||||
// implementation but not have the default implementation try to bind the same local port.
|
||||
addrProperties.forEach(function (name) {
|
||||
newConnOpts['_' + name] = opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
|
||||
});
|
||||
|
||||
modules.proxy(conn, newConnOpts);
|
||||
return true;
|
||||
}
|
||||
|
||||
function checkTcpProxy(conn, opts) {
|
||||
var proxied = false;
|
||||
|
||||
// TCP Proxying (ie routing based on domain name [vs local port]) only works for
|
||||
// TLS wrapped connections, so if the opts don't give us a servername or don't tell us
|
||||
// this is the decrypted side of a TLS connection we can't handle it here.
|
||||
if (!opts.servername || !opts.encrypted) { return proxied; }
|
||||
|
||||
proxied = config.domains.some(function (dom) {
|
||||
if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; }
|
||||
if (!nameMatchesDomains(opts.servername, dom.names)) { return false; }
|
||||
|
||||
return dom.modules.tcp.some(function (mod) {
|
||||
if (mod.type !== 'proxy') { return false; }
|
||||
|
||||
return proxy(mod, conn, opts);
|
||||
});
|
||||
});
|
||||
|
||||
proxied = proxied || config.tcp.modules.some(function (mod) {
|
||||
if (mod.type !== 'proxy') { return false; }
|
||||
if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; }
|
||||
|
||||
return proxy(mod, conn, opts);
|
||||
});
|
||||
|
||||
return proxied;
|
||||
}
|
||||
|
||||
function checkTcpForward(conn, opts) {
|
||||
// TCP forwarding (ie routing connections based on local port) requires the local port
|
||||
if (!conn.localPort) { return false; }
|
||||
|
||||
return config.tcp.modules.some(function (mod) {
|
||||
if (mod.type !== 'forward') { return false; }
|
||||
if (mod.ports.indexOf(conn.localPort) < 0) { return false; }
|
||||
|
||||
return proxy(mod, conn, opts);
|
||||
});
|
||||
}
|
||||
|
||||
// opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
|
||||
function peek(conn, firstChunk, opts) {
|
||||
opts.firstChunk = firstChunk;
|
||||
conn.__opts = opts;
|
||||
// TODO port/service-based routing can do here
|
||||
|
||||
// TLS byte 1 is handshake and byte 6 is client hello
|
||||
if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
|
||||
modules.tls.emit('connection', conn);
|
||||
return;
|
||||
}
|
||||
|
||||
// This doesn't work with TLS, but now that we know this isn't a TLS connection we can
|
||||
// unshift the first chunk back onto the connection for future use. The unshift should
|
||||
// happen after any listeners are attached to it but before any new data comes in.
|
||||
if (!opts.hyperPeek) {
|
||||
process.nextTick(function () {
|
||||
conn.unshift(firstChunk);
|
||||
});
|
||||
}
|
||||
|
||||
// Connection is not TLS, check for HTTP next.
|
||||
if (firstChunk[0] > 32 && firstChunk[0] < 127) {
|
||||
var firstStr = firstChunk.toString();
|
||||
if (/HTTP\//i.test(firstStr)) {
|
||||
modules.http.emit('connection', conn);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
console.warn('failed to identify protocol from first chunk', firstChunk);
|
||||
conn.destroy();
|
||||
}
|
||||
function tcpHandler(conn, opts) {
|
||||
function getProp(name) {
|
||||
return opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
|
||||
}
|
||||
opts = opts || {};
|
||||
var logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' +
|
||||
getProp('localAddress') + ':' + getProp('localPort');
|
||||
console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false));
|
||||
|
||||
var start = Date.now();
|
||||
conn.on('timeout', function () {
|
||||
console.log('[tcpHandler]', logName, 'connection timed out', (Date.now()-start)/1000);
|
||||
});
|
||||
conn.on('end', function () {
|
||||
console.log('[tcpHandler]', logName, 'connection ended', (Date.now()-start)/1000);
|
||||
});
|
||||
conn.on('close', function () {
|
||||
console.log('[tcpHandler]', logName, 'connection closed', (Date.now()-start)/1000);
|
||||
});
|
||||
|
||||
if (checkTcpForward(conn, opts)) { return; }
|
||||
if (checkTcpProxy(conn, opts)) { return; }
|
||||
|
||||
// XXX PEEK COMMENT XXX
|
||||
// TODO we can have our cake and eat it too
|
||||
// we can skip the need to wrap the TLS connection twice
|
||||
// because we've already peeked at the data,
|
||||
// but this needs to be handled better before we enable that
|
||||
// (because it creates new edge cases)
|
||||
if (opts.hyperPeek) {
|
||||
console.log('hyperpeek');
|
||||
peek(conn, opts.firstChunk, opts);
|
||||
return;
|
||||
}
|
||||
|
||||
function onError(err) {
|
||||
console.error('[error] socket errored peeking -', err);
|
||||
conn.destroy();
|
||||
}
|
||||
conn.once('error', onError);
|
||||
conn.once('data', function (chunk) {
|
||||
conn.removeListener('error', onError);
|
||||
peek(conn, chunk, opts);
|
||||
});
|
||||
}
|
||||
|
||||
modules = {};
|
||||
modules.tcpHandler = tcpHandler;
|
||||
modules.proxy = require('./proxy-conn').create(deps, config);
|
||||
modules.tls = require('./tls').create(deps, config, modules);
|
||||
modules.http = require('./http').create(deps, config, modules);
|
||||
|
||||
function updateListeners() {
|
||||
var current = listeners.list();
|
||||
var wanted = config.tcp.bind;
|
||||
|
||||
if (!Array.isArray(wanted)) { wanted = []; }
|
||||
wanted = wanted.map(Number).filter((port) => port > 0 && port < 65356);
|
||||
|
||||
var closeProms = current.filter(function (port) {
|
||||
return wanted.indexOf(port) < 0;
|
||||
}).map(function (port) {
|
||||
return listeners.close(port, 1000);
|
||||
});
|
||||
|
||||
// We don't really need to filter here since listening on the same port with the
|
||||
// same handler function twice is basically a no-op.
|
||||
var openProms = wanted.map(function (port) {
|
||||
return listeners.add(port, tcpHandler);
|
||||
});
|
||||
|
||||
return Promise.all(closeProms.concat(openProms));
|
||||
}
|
||||
|
||||
var mainPort;
|
||||
function updateConf() {
|
||||
updateListeners().catch(function (err) {
|
||||
console.error('Error updating TCP listeners to match bind configuration');
|
||||
console.error(err);
|
||||
});
|
||||
|
||||
var unforwarded = {};
|
||||
config.tcp.bind.forEach(function (port) {
|
||||
unforwarded[port] = true;
|
||||
});
|
||||
|
||||
config.tcp.modules.forEach(function (mod) {
|
||||
if (['forward', 'proxy'].indexOf(mod.type) < 0) {
|
||||
console.warn('unknown TCP module type specified', JSON.stringify(mod));
|
||||
}
|
||||
if (mod.type !== 'forward') { return; }
|
||||
|
||||
mod.ports.forEach(function (port) {
|
||||
if (!unforwarded[port]) {
|
||||
console.warn('trying to forward TCP port ' + port + ' multiple times or it is unbound');
|
||||
} else {
|
||||
delete unforwarded[port];
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
// Not really sure what we can reasonably do to prevent this. At least not without making
|
||||
// our configuration validation more complicated.
|
||||
if (!Object.keys(unforwarded).length) {
|
||||
console.warn('no bound TCP ports are not being forwarded, admin interface will be inaccessible');
|
||||
}
|
||||
|
||||
// If we are listening on port 443 make that the main port we respond to mDNS queries with
|
||||
// otherwise choose the lowest number port we are bound to but not forwarding.
|
||||
if (unforwarded['443']) {
|
||||
mainPort = 443;
|
||||
} else {
|
||||
mainPort = Object.keys(unforwarded).map(Number).sort((a, b) => a - b)[0];
|
||||
}
|
||||
}
|
||||
updateConf();
|
||||
|
||||
var result = {
|
||||
updateConf
|
||||
, handler: tcpHandler
|
||||
};
|
||||
Object.defineProperty(result, 'mainPort', {enumerable: true, get: () => mainPort});
|
||||
|
||||
return result;
|
||||
};
|
|
@ -32,7 +32,7 @@ module.exports.getRespBody = getRespBody;
|
|||
module.exports.sendBadGateway = sendBadGateway;
|
||||
|
||||
module.exports.create = function (deps, config) {
|
||||
return function proxy(conn, newConnOpts, firstChunk, decrypt) {
|
||||
function proxy(conn, newConnOpts, firstChunk, decrypt) {
|
||||
var connected = false;
|
||||
newConnOpts.allowHalfOpen = true;
|
||||
var newConn = deps.net.createConnection(newConnOpts, function () {
|
||||
|
@ -73,5 +73,9 @@ module.exports.create = function (deps, config) {
|
|||
newConn.on('close', function () {
|
||||
conn.destroy();
|
||||
});
|
||||
};
|
||||
}
|
||||
|
||||
proxy.getRespBody = getRespBody;
|
||||
proxy.sendBadGateway = sendBadGateway;
|
||||
return proxy;
|
||||
};
|
|
@ -1,6 +1,6 @@
|
|||
'use strict';
|
||||
|
||||
module.exports.create = function (deps, config, netHandler) {
|
||||
module.exports.create = function (deps, config, tcpMods) {
|
||||
var path = require('path');
|
||||
var tls = require('tls');
|
||||
var parseSni = require('sni');
|
||||
|
@ -208,7 +208,7 @@ module.exports.create = function (deps, config, netHandler) {
|
|||
var terminateServer = tls.createServer(terminatorOpts, function (socket) {
|
||||
console.log('(post-terminated) tls connection, addr:', extractSocketProp(socket, 'remoteAddress'));
|
||||
|
||||
netHandler(socket, {
|
||||
tcpMods.tcpHandler(socket, {
|
||||
servername: socket.servername
|
||||
, encrypted: true
|
||||
// remoteAddress... ugh... https://github.com/nodejs/node/issues/8854
|
||||
|
@ -232,7 +232,7 @@ module.exports.create = function (deps, config, netHandler) {
|
|||
newConnOpts.remoteAddress = opts.address || extractSocketProp(socket, 'remoteAddress');
|
||||
newConnOpts.remotePort = opts.port || extractSocketProp(socket, 'remotePort');
|
||||
|
||||
deps.proxy(socket, newConnOpts, opts.firstChunk, function () {
|
||||
tcpMods.proxy(socket, newConnOpts, opts.firstChunk, function () {
|
||||
// This function is called in the event of a connection error and should decrypt
|
||||
// the socket so the proxy module can send a 502 HTTP response.
|
||||
var tlsOpts = localhostCerts.mergeTlsOptions('localhost.daplie.me', {isServer: true});
|
||||
|
@ -291,8 +291,8 @@ module.exports.create = function (deps, config, netHandler) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (deps.tunnelServer.isClientDomain(opts.servername)) {
|
||||
deps.tunnelServer.handleClientConn(socket);
|
||||
if (deps.stunneld.isClientDomain(opts.servername)) {
|
||||
deps.stunneld.handleClientConn(socket);
|
||||
if (!opts.hyperPeek) {
|
||||
process.nextTick(function () {
|
||||
socket.unshift(opts.firstChunk);
|
|
@ -1,61 +1,131 @@
|
|||
'use strict';
|
||||
|
||||
module.exports.create = function (deps, config) {
|
||||
if (!config.tunnelServer || !Array.isArray(config.tunnelServer.servernames) || !config.tunnelServer.secret) {
|
||||
return {
|
||||
isAdminDomain: function () { return false; }
|
||||
, isClientDomain: function () { return false; }
|
||||
};
|
||||
}
|
||||
function httpsTunnel(servername, conn) {
|
||||
console.error('tunnel server received encrypted connection to', servername);
|
||||
conn.end();
|
||||
}
|
||||
function handleHttp(servername, conn) {
|
||||
console.error('tunnel server received un-encrypted connection to', servername);
|
||||
conn.end([
|
||||
'HTTP/1.1 404 Not Found'
|
||||
, 'Date: ' + (new Date()).toUTCString()
|
||||
, 'Connection: close'
|
||||
, 'Content-Type: text/html'
|
||||
, 'Content-Length: 9'
|
||||
, ''
|
||||
, 'Not Found'
|
||||
].join('\r\n'));
|
||||
}
|
||||
function rejectNonWebsocket(req, res) {
|
||||
// status code 426 = Upgrade Required
|
||||
res.statusCode = 426;
|
||||
res.setHeader('Content-Type', 'application/json');
|
||||
res.send({error: { message: 'Only websockets accepted for tunnel server' }});
|
||||
}
|
||||
|
||||
var tunnelOpts = Object.assign({}, config.tunnelServer);
|
||||
// This function should not be called because connections to the admin domains
|
||||
var defaultConfig = {
|
||||
servernames: []
|
||||
, secret: null
|
||||
};
|
||||
var tunnelFuncs = {
|
||||
// These functions should not be called because connections to the admin domains
|
||||
// should already be decrypted, and connections to non-client domains should never
|
||||
// be given to us in the first place.
|
||||
tunnelOpts.httpsTunnel = function (servername, conn) {
|
||||
console.error('tunnel server received encrypted connection to', servername);
|
||||
conn.end();
|
||||
};
|
||||
tunnelOpts.httpsInvalid = tunnelOpts.httpsTunnel;
|
||||
// This function should not be called because ACME challenges should be handled
|
||||
httpsTunnel: httpsTunnel
|
||||
, httpsInvalid: httpsTunnel
|
||||
// These function should not be called because ACME challenges should be handled
|
||||
// before admin domain connections are given to us, and the only non-encrypted
|
||||
// client connections that should be given to us are ACME challenges.
|
||||
tunnelOpts.handleHttp = function (servername, conn) {
|
||||
console.error('tunnel server received un-encrypted connection to', servername);
|
||||
conn.end([
|
||||
'HTTP/1.1 404 Not Found'
|
||||
, 'Date: ' + (new Date()).toUTCString()
|
||||
, 'Connection: close'
|
||||
, 'Content-Type: text/html'
|
||||
, 'Content-Length: 9'
|
||||
, ''
|
||||
, 'Not Found'
|
||||
].join('\r\n'));
|
||||
};
|
||||
tunnelOpts.handleInsecureHttp = tunnelOpts.handleHttp;
|
||||
, handleHttp: handleHttp
|
||||
, handleInsecureHttp: handleHttp
|
||||
};
|
||||
|
||||
var tunnelServer = require('stunneld').create(tunnelOpts);
|
||||
module.exports.create = function (deps, config) {
|
||||
var equal = require('deep-equal');
|
||||
var enableDestroy = require('server-destroy');
|
||||
var currentOpts = Object.assign({}, defaultConfig);
|
||||
|
||||
var httpServer = require('http').createServer(function (req, res) {
|
||||
// status code 426 = Upgrade Required
|
||||
res.statusCode = 426;
|
||||
res.setHeader('Content-Type', 'application/json');
|
||||
res.end(JSON.stringify({error: {
|
||||
message: 'Only websockets accepted for tunnel server'
|
||||
}}));
|
||||
});
|
||||
var wsServer = new (require('ws').Server)({ server: httpServer });
|
||||
wsServer.on('connection', tunnelServer.ws);
|
||||
var httpServer, wsServer, stunneld;
|
||||
function start() {
|
||||
if (httpServer || wsServer || stunneld) {
|
||||
throw new Error('trying to start already started tunnel server');
|
||||
}
|
||||
httpServer = require('http').createServer(rejectNonWebsocket);
|
||||
enableDestroy(httpServer);
|
||||
|
||||
wsServer = new (require('ws').Server)({ server: httpServer });
|
||||
|
||||
var tunnelOpts = Object.assign({}, tunnelFuncs, currentOpts);
|
||||
stunneld = require('stunneld').create(tunnelOpts);
|
||||
wsServer.on('connection', stunneld.ws);
|
||||
}
|
||||
|
||||
function stop() {
|
||||
if (!httpServer || !wsServer || !stunneld) {
|
||||
throw new Error('trying to stop unstarted tunnel server (or it got into semi-initialized state');
|
||||
}
|
||||
wsServer.close();
|
||||
wsServer = null;
|
||||
httpServer.destroy();
|
||||
httpServer = null;
|
||||
// Nothing to close here, just need to set it to null to allow it to be garbage-collected.
|
||||
stunneld = null;
|
||||
}
|
||||
|
||||
function updateConf() {
|
||||
var newOpts = Object.assign({}, defaultConfig, config.tunnelServer);
|
||||
if (!Array.isArray(newOpts.servernames)) {
|
||||
newOpts.servernames = [];
|
||||
}
|
||||
var trimmedOpts = {
|
||||
servernames: newOpts.servernames.slice().sort()
|
||||
, secret: newOpts.secret
|
||||
};
|
||||
|
||||
if (equal(trimmedOpts, currentOpts)) {
|
||||
return;
|
||||
}
|
||||
currentOpts = trimmedOpts;
|
||||
|
||||
// Stop what's currently running, then if we are still supposed to be running then we
|
||||
// can start it again with the updated options. It might be possible to make use of
|
||||
// the existing http and ws servers when the config changes, but I'm not sure what
|
||||
// state the actions needed to close all existing connections would put them in.
|
||||
if (httpServer || wsServer || stunneld) {
|
||||
stop();
|
||||
}
|
||||
if (currentOpts.servernames.length && currentOpts.secret) {
|
||||
start();
|
||||
}
|
||||
}
|
||||
process.nextTick(updateConf);
|
||||
|
||||
return {
|
||||
isAdminDomain: function (domain) {
|
||||
return config.tunnelServer.servernames.indexOf(domain) !== -1;
|
||||
return currentOpts.servernames.indexOf(domain) !== -1;
|
||||
}
|
||||
, handleAdminConn: function (conn) {
|
||||
httpServer.emit('connection', conn);
|
||||
if (!httpServer) {
|
||||
console.error(new Error('handleAdminConn called with no active tunnel server'));
|
||||
conn.end();
|
||||
} else {
|
||||
return httpServer.emit('connection', conn);
|
||||
}
|
||||
}
|
||||
|
||||
, isClientDomain: tunnelServer.isClientDomain
|
||||
, handleClientConn: tunnelServer.tcp
|
||||
, isClientDomain: function (domain) {
|
||||
if (!stunneld) { return false; }
|
||||
return stunneld.isClientDomain(domain);
|
||||
}
|
||||
, handleClientConn: function (conn) {
|
||||
if (!stunneld) {
|
||||
console.error(new Error('handleClientConn called with no active tunnel server'));
|
||||
conn.end();
|
||||
} else {
|
||||
return stunneld.tcp(conn);
|
||||
}
|
||||
}
|
||||
|
||||
, updateConf
|
||||
};
|
||||
};
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
'use strict';
|
||||
|
||||
module.exports.create = function (deps, config) {
|
||||
var listeners = require('./servers').listeners.udp;
|
||||
|
||||
function packetHandler(port, msg) {
|
||||
if (!Array.isArray(config.udp.modules)) {
|
||||
return;
|
||||
}
|
||||
|
||||
var socket = require('dgram').createSocket('udp4');
|
||||
config.udp.modules.forEach(function (mod) {
|
||||
if (mod.type !== 'forward') {
|
||||
// To avoid logging bad modules every time we get a UDP packet we assign a warned
|
||||
// property to the module (non-enumerable so it won't be saved to the config or
|
||||
// show up in the API).
|
||||
if (!mod.warned) {
|
||||
console.warn('found bad DNS module', mod);
|
||||
Object.defineProperty(mod, 'warned', {value: true, enumerable: false});
|
||||
}
|
||||
return;
|
||||
}
|
||||
if (mod.ports.indexOf(port) < 0) {
|
||||
return;
|
||||
}
|
||||
|
||||
var dest = require('./domain-utils').separatePort(mod.address || '');
|
||||
dest.port = dest.port || mod.port;
|
||||
dest.host = dest.host || mod.host || 'localhost';
|
||||
socket.send(msg, dest.port, dest.host);
|
||||
});
|
||||
}
|
||||
|
||||
function updateListeners() {
|
||||
var current = listeners.list();
|
||||
var wanted = config.udp.bind;
|
||||
|
||||
if (!Array.isArray(wanted)) { wanted = []; }
|
||||
wanted = wanted.map(Number).filter((port) => port > 0 && port < 65356);
|
||||
|
||||
current.forEach(function (port) {
|
||||
if (wanted.indexOf(port) < 0) {
|
||||
listeners.close(port);
|
||||
}
|
||||
});
|
||||
wanted.forEach(function (port) {
|
||||
if (current.indexOf(port) < 0) {
|
||||
listeners.add(port, packetHandler.bind(port));
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
updateListeners();
|
||||
return {
|
||||
updateConf: updateListeners
|
||||
};
|
||||
};
|
|
@ -48,13 +48,15 @@ function create(conf) {
|
|||
|
||||
modules = {
|
||||
storage: require('./storage').create(deps, conf)
|
||||
, proxy: require('./proxy-conn').create(deps, conf)
|
||||
, socks5: require('./socks5-server').create(deps, conf)
|
||||
, ddns: require('./ddns').create(deps, conf)
|
||||
, mdns: require('./mdns').create(deps, conf)
|
||||
, udp: require('./udp').create(deps, conf)
|
||||
, tcp: require('./tcp').create(deps, conf)
|
||||
, stunneld: require('./tunnel-server-manager').create(deps, config)
|
||||
};
|
||||
Object.assign(deps, modules);
|
||||
|
||||
require('./goldilocks.js').create(deps, conf);
|
||||
process.removeListener('message', create);
|
||||
process.on('message', update);
|
||||
}
|
||||
|
|
|
@ -448,7 +448,11 @@
|
|||
"integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA="
|
||||
},
|
||||
"dns-suite": {
|
||||
"version": "git+https://git@git.daplie.com/Daplie/dns-suite#950867c452323da776c050363b22d8f06a8ed414"
|
||||
"version": "git+https://git@git.daplie.com/Daplie/dns-suite#6352cf4b516d94f0283c9c7cd024431bf974f049",
|
||||
"requires": {
|
||||
"bluebird": "3.5.0",
|
||||
"hexdump.js": "1.0.5"
|
||||
}
|
||||
},
|
||||
"duplexer2": {
|
||||
"version": "0.1.4",
|
||||
|
@ -820,6 +824,11 @@
|
|||
"sntp": "1.0.9"
|
||||
}
|
||||
},
|
||||
"hexdump.js": {
|
||||
"version": "1.0.5",
|
||||
"resolved": "https://registry.npmjs.org/hexdump.js/-/hexdump.js-1.0.5.tgz",
|
||||
"integrity": "sha1-xbxlSoIvAzjzEX5fXzVgZd6HmDQ="
|
||||
},
|
||||
"hmac-drbg": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
|
||||
|
@ -2077,7 +2086,7 @@
|
|||
}
|
||||
},
|
||||
"stunnel": {
|
||||
"version": "git+https://git.daplie.com/Daplie/node-tunnel-client.git#cad0e561fbea5c5dbbf5fc10ed95833dd3573ebc",
|
||||
"version": "git+https://git.daplie.com/Daplie/node-tunnel-client.git#114847e31abe9a0c5f0598b892dd98b37fe9622e",
|
||||
"requires": {
|
||||
"bluebird": "3.5.0",
|
||||
"commander": "2.9.0",
|
||||
|
@ -2089,7 +2098,7 @@
|
|||
}
|
||||
},
|
||||
"stunneld": {
|
||||
"version": "git+https://git.daplie.com/Daplie/node-tunnel-server.git#54ca2782dde84b3d2c61a3257f7d859b7012ea59",
|
||||
"version": "git+https://git.daplie.com/Daplie/node-tunnel-server.git#ae91fd5049251ed1f9fcd6806d7b9872454c67db",
|
||||
"requires": {
|
||||
"bluebird": "3.5.0",
|
||||
"cluster-store": "2.0.6",
|
||||
|
@ -2099,8 +2108,15 @@
|
|||
"localhost.daplie.me-certificates": "1.3.5",
|
||||
"redirect-https": "1.1.4",
|
||||
"sni": "1.0.0",
|
||||
"tunnel-packer": "1.3.0",
|
||||
"tunnel-packer": "1.4.0",
|
||||
"ws": "2.3.1"
|
||||
},
|
||||
"dependencies": {
|
||||
"tunnel-packer": {
|
||||
"version": "1.4.0",
|
||||
"resolved": "https://registry.npmjs.org/tunnel-packer/-/tunnel-packer-1.4.0.tgz",
|
||||
"integrity": "sha512-99GYAtKnbMVd87hQMxiR/Pq62jOWzOH/K6EOs87nU6U4p5uso+fZyYuO+upb+hhonXuNI/sZR/ByVxPFrnzMog=="
|
||||
}
|
||||
}
|
||||
},
|
||||
"terminal-forms.js": {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "goldilocks",
|
||||
"version": "1.1.3",
|
||||
"version": "1.1.4",
|
||||
"description": "The node.js webserver that's just right, Greenlock (HTTPS/TLS/SSL via ACME/Let's Encrypt) and tunneling (RVPN) included.",
|
||||
"main": "bin/goldilocks.js",
|
||||
"repository": {
|
||||
|
|
Loading…
Reference in New Issue