added tunnel server

2017-06-14 10:58:56 -06:00 · 2017-06-14 10:58:56 -06:00 · 61018d9303
parent 30777af804
commit 61018d9303
10 changed files with 686 additions and 332 deletions
--- a/etc/goldilocks/goldilocks.example.yml
+++ b/etc/goldilocks/goldilocks.example.yml
@ -9,6 +9,16 @@ tcp:
        - 22
      address: '127.0.0.1:8022'
 # tunnel: jwt
 # tunnel:
 #   - jwt1
 #   - jwt2
 tunnel_server:
  secret: abc123
  servernames:
    - 'tunnel.localhost.com'
 tls:
  acme:
    email: 'joe.shmoe@example.com'
--- a/lib/app.js
+++ b/lib/app.js
@ -155,7 +155,7 @@ module.exports = function (myDeps, conf, overrideHttp) {
            }).then(function (result) {
              console.log('got a token from the tunnel server?');
              result.owner = owner;
-              return deps.tunneler.add(result);
+              return deps.tunnelClients.add(result);
            });
          /*
          });
--- a/lib/goldilocks.js
+++ b/lib/goldilocks.js
@ -176,7 +176,8 @@ module.exports.create = function (deps, config) {
      return writer;
    }
  };
-  deps.tunneler = require('./tunnel-manager').create(deps, config);
+  deps.tunnelClients = require('./tunnel-client-manager').create(deps, config);
  deps.tunnelServer = require('./tunnel-server-manager').create(deps, config);
  var listenPromises = [];
  var tcpPortMap = {};
--- a/lib/modules/http.js
+++ b/lib/modules/http.js
@ -151,11 +151,19 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
  }
  var acmeServer;
-  function checkACME(conn, opts, headers) {
+  function checkAcme(conn, opts, headers) {
    if (headers.url.indexOf('/.well-known/acme-challenge/') !== 0) {
      return false;
    }
    if (deps.tunnelServer.isClientDomain(separatePort(headers.host).host)) {
      deps.tunnelServer.handleClientConn(conn);
      process.nextTick(function () {
        conn.unshift(opts.firstChunk);
      });
      return true;
    }
    if (!acmeServer) {
      acmeServer = require('http').createServer(greenlockMiddleware);
    }
@ -177,19 +185,29 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
    return emitConnection(httpsRedirectServer, conn, opts);
  }
  var adminDomains;
  var adminServer;
  function checkAdmin(conn, opts, headers) {
    var host = separatePort(headers.host).host;
    var admin = require('./admin').adminDomains.some(function (domain) {
      return host === domain;
    });
-    if (admin) {
+    if (!adminDomains) {
      adminDomains = require('./admin').adminDomains;
    }
    if (adminDomains.indexOf(host) !== -1) {
      if (!adminServer) {
        adminServer = require('./admin').create(deps, conf);
      }
      return emitConnection(adminServer, conn, opts);
    }
    if (deps.tunnelServer.isAdminDomain(host)) {
      deps.tunnelServer.handleAdminConn(conn);
      process.nextTick(function () {
        conn.unshift(opts.firstChunk);
      });
      return true;
    }
    return false;
  }
@ -386,7 +404,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
    var opts = conn.__opts;
    parseHeaders(conn, opts)
      .then(function (headers) {
-        if (checkACME(conn, opts, headers))  { return; }
+        if (checkAcme(conn, opts, headers))  { return; }
        if (checkHttps(conn, opts, headers)) { return; }
        if (checkAdmin(conn, opts, headers)) { return; }
--- a/lib/modules/tls.js
+++ b/lib/modules/tls.js
@ -260,6 +260,16 @@ module.exports.create = function (deps, config, netHandler) {
      return;
    }
    if (deps.tunnelServer.isClientDomain(opts.servername)) {
      deps.tunnelServer.handleClientConn(socket);
      if (!opts.hyperPeek) {
        process.nextTick(function () {
          socket.unshift(opts.firstChunk);
        });
      }
      return;
    }
    function checkModule(mod) {
      if (mod.name === 'proxy') {
        return proxy(socket, opts, mod);
--- a/lib/tunnel-client-manager.js
+++ b/lib/tunnel-client-manager.js
--- a/lib/tunnel-server-manager.js
+++ b/lib/tunnel-server-manager.js
@ -0,0 +1,61 @@
 'use strict';
 module.exports.create = function (deps, config) {
  if (!config.tunnelServer || !Array.isArray(config.tunnelServer.servernames) || !config.tunnelServer.secret) {
    return {
      isAdminDomain:  function () { return false; },
      isClientDomain: function () { return false; },
    };
  }
  var tunnelOpts = Object.assign({}, config.tunnelServer);
  // This function should not be called because connections to the admin domains
  // should already be decrypted, and connections to non-client domains should never
  // be given to us in the first place.
  tunnelOpts.httpsTunnel = function (servername, conn) {
    console.error('tunnel server received encrypted connection to', servername);
    conn.end();
  };
  tunnelOpts.httpsInvalid = tunnelOpts.httpsTunnel;
  // This function should not be called because ACME challenges should be handled
  // before admin domain connections are given to us, and the only non-encrypted
  // client connections that should be given to us are ACME challenges.
  tunnelOpts.handleHttp = function (servername, conn) {
    console.error('tunnel server received un-encrypted connection to', servername);
    conn.end([
      'HTTP/1.1 404 Not Found'
    , 'Date: ' + (new Date()).toUTCString()
    , 'Connection: close'
    , 'Content-Type: text/html'
    , 'Content-Length: 9'
    , ''
    , 'Not Found'
    ].join('\r\n'));
  };
  tunnelOpts.handleInsecureHttp = tunnelOpts.handleHttp;
  var tunnelServer = require('stunneld').create(tunnelOpts);
  var httpServer = require('http').createServer(function (req, res) {
    // status code 426 = Upgrade Required
    res.statusCode = 426;
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({error: {
      message: 'Only websockets accepted for tunnel server'
    }}));
  });
  var wsServer = new (require('ws').Server)({ server: httpServer });
  wsServer.on('connection', tunnelServer.ws);
  return {
    isAdminDomain: function (domain) {
      return config.tunnelServer.servernames.indexOf(domain) !== -1;
    },
    handleAdminConn: function (conn) {
      httpServer.emit('connection', conn);
    },
    isClientDomain: tunnelServer.isClientDomain,
    handleClientConn: tunnelServer.tcp
  };
 };
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -41,7 +41,7 @@
    "bluebird": "^3.4.6",
    "body-parser": "git+https://github.com/expressjs/body-parser.git#1.16.1",
    "commander": "^2.9.0",
-    "dns-suite": "git+https://git@git.daplie.com:Daplie/dns-suite#v1",
+    "dns-suite": "git+https://git@git.daplie.com/Daplie/dns-suite#v1",
    "express": "git+https://github.com/expressjs/express.git#4.x",
    "finalhandler": "^0.4.0",
    "greenlock": "git+https://git.daplie.com/Daplie/node-greenlock.git#master",
@ -65,6 +65,8 @@
    "sni": "^1.0.0",
    "socket-pair": "^1.0.1",
    "stunnel": "git+https://git.daplie.com/Daplie/node-tunnel-client.git#v1",
-    "tunnel-packer": "^1.3.0"
+    "stunneld": "git+https://git.daplie.com/Daplie/node-tunnel-server.git#v1",
    "tunnel-packer": "^1.3.0",
    "ws": "^2.3.1"
  }
 }
--- a/packages/apis/com.daplie.goldilocks/index.js
+++ b/packages/apis/com.daplie.goldilocks/index.js
@ -160,7 +160,7 @@ module.exports.create = function (deps, conf) {
      isAuthorized(req, res, function () {
        if ('POST' !== req.method) {
          res.setHeader('Content-Type', 'application/json');
-          return deps.tunneler.get(req.userId).then(function (result) {
+          return deps.tunnelClients.get(req.userId).then(function (result) {
            res.end(JSON.stringify(result));
          }, function (err) {
            res.statusCode = 500;