coolaj86/sclient
1
0
Fork 0
mirror of https://github.com/therootcompany/sclient synced 2024-11-16 17:09:00 +00:00
Code Issues Releases Wiki Activity

Compare commits

base: coolaj86:master
Branches Tags
coolaj86:master
coolaj86:main
coolaj86:v1.5.0
coolaj86:v1.4.1
coolaj86:v1.4.0
coolaj86:v1.3.3
coolaj86:v1.3.2
coolaj86:v1.3.1
coolaj86:v1.3.0
coolaj86:v1.2.1
coolaj86:v1.2.0
coolaj86:v1.1.0
coolaj86:v1.0.2
coolaj86:v1.0.1
coolaj86:v1.0.0
..
compare: coolaj86:v1.0.1
Branches Tags
coolaj86:main
coolaj86:master
coolaj86:v1.5.0
coolaj86:v1.4.1
coolaj86:v1.4.0
coolaj86:v1.3.3
coolaj86:v1.3.2
coolaj86:v1.3.1
coolaj86:v1.3.0
coolaj86:v1.2.1
coolaj86:v1.2.0
coolaj86:v1.1.0
coolaj86:v1.0.2
coolaj86:v1.0.1
coolaj86:v1.0.0

No commits in common. "master" and "v1.0.1" have entirely different histories.
master ... v1.0.1

13 changed files with 150 additions and 443 deletions
Show Stats Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,4 +0,0 @@
/sclient
/cmd/sclient/sclient
dist

37
.goreleaser.yml
View File

@ -1,37 +0,0 @@
before:
hooks:
- go mod download
- go generate ./...
builds:
- main: ./cmd/sclient/main.go
env:
- CGO_ENABLED=0
goos:
- linux
- windows
- darwin
goarch:
- 386
- amd64
- arm
- arm64
goarm:
- 6
- 7
archives:
- replacements:
386: i386
amd64: x86_64
format_overrides:
- goos: windows
format: zip
checksum:
name_template: 'checksums.txt'
snapshot:
name_template: "{{ .Tag }}-next"
changelog:
sort: asc
filters:
exclude:
- '^docs:'
- '^test:'

125
README.md
View File

@ -1,4 +1,5 @@
# sclient sclient.go
==========
Secure Client for exposing TLS (aka SSL) secured services as plain-text connections locally. Secure Client for exposing TLS (aka SSL) secured services as plain-text connections locally.
@ -7,75 +8,60 @@ Also ideal for multiplexing a single port with multiple protocols using SNI.
Unwrap a TLS connection: Unwrap a TLS connection:
```bash ```bash
sclient whatever.com:443 localhost:3000 $ sclient whatever.com:443 localhost:3000
> [listening] telebit.cloud:443 <= localhost:3000
> [listening] whatever.com:443 <= localhost:3000
``` ```
Connect via Telnet Connect via Telnet
```bash ```bash
telnet localhost 3000 $ telnet localhost 3000
``` ```
Connect via netcat (nc) Connect via netcat (nc)
```bash ```bash
nc localhost 3000 $ nc localhost 3000
```
cURL
```bash
curl http://localhost:3000 -H 'Host: whatever.com'
``` ```
A poor man's (or Windows user's) makeshift replacement for `openssl s_client`, `stunnel`, or `socat`. A poor man's (or Windows user's) makeshift replacement for `openssl s_client`, `stunnel`, or `socat`.
# Table of Contents Install
=======
- [Install](#install) ### macOS, Linux, Windows
- [Usage](#usage)
- [Examples](#examples)
- [Build from Source](#build-from-source)
# Install For the moment you'll have to install go and compile `sclient` yourself:
### Mac, Linux * <https://golang.org/doc/install#install>
```bash ```bash
curl -sS https://webinstall.dev/sclient | bash git clone https://git.coolaj86.com/coolaj86/sclient.go.git
pushd sclient.go
go build sclient*.go
rsync -av sclient-cli /usr/local/bin/sclient
``` ```
```bash ```bash
curl.exe -A MS https://webinstall.dev/sclient | powershell go run sclient*.go example.com:443 localhost:3000
``` ```
### Downloads Usage
=====
Check the [Github Releases](https://github.com/therootcompany/sclient/releases) for
- macOS (x64) Apple Silicon [coming soon](https://github.com/golang/go/issues/39782)
- Linux (x64, i386, arm64, arm6, arm7)
- Windows 10 (x64, i386)
# Usage
```bash ```bash
sclient [flags] <remote> <local> sclient <remote> <local> [-k | --insecure]
``` ```
- flags * remote
- -k, --insecure ignore invalid TLS (SSL/HTTPS) certificates * must have servername (i.e. example.com)
- --servername <string> spoof SNI (to disable use IP as &lt;remote&gt; and do not use this option) * port is optional (default is 443)
- remote * local
- must have servername (i.e. example.com) * address is optional (default is localhost)
- port is optional (default is 443) * must have port (i.e. 3000)
- local
- address is optional (default is localhost)
- must have port (i.e. 3000)
# Examples Examples
========
Bridge between `telebit.cloud` and local port `3000`. Bridge between `telebit.cloud` and local port `3000`.
@ -92,60 +78,5 @@ sclient telebit.cloud:443 localhost:3000
Ignore a bad TLS/SSL/HTTPS certificate and connect anyway. Ignore a bad TLS/SSL/HTTPS certificate and connect anyway.
```bash ```bash
sclient -k badtls.telebit.cloud:443 localhost:3000 sclient badtls.telebit.cloud:443 localhost:3000 -k
```
Reading from stdin
```bash
sclient telebit.cloud:443 -
```
```bash
sclient telebit.cloud:443 - </path/to/file
```
Piping
```bash
printf "GET / HTTP/1.1\r\nHost: telebit.cloud\r\n\r\n" | sclient telebit.cloud:443
```
Testing for security vulnerabilities on the remote:
```bash
sclient --servername "Robert'); DROP TABLE Students;" -k example.com localhost:3000
```
```bash
sclient --servername "../../../.hidden/private.txt" -k example.com localhost:3000
```
# Build from source
You'll need to install [Go](https://golang.org).
See [webinstall.dev/golang](https://webinstall.dev/golang) for install instructions.
```bash
curl -sS https://webinstall.dev/golang | bash
```
Then you can install and run as per usual.
```bash
git clone https://git.rootprojects.org/root/sclient.go.git
pushd sclient.go
go build -o dist/sclient cmd/sclient/main.go
sudo rsync -av dist/sclient /usr/local/bin/sclient
popd
sclient example.com:443 localhost:3000
```
## Install or Run with Go
```bash
go get git.rootprojects.org/root/sclient.go/cmd/sclient
go run git.rootprojects.org/root/sclient.go/cmd/sclient example.com:443 localhost:3000
``` ```

126
cmd/sclient/main.go
View File

@ -1,126 +0,0 @@
package main
import (
"flag"
"fmt"
"os"
"strconv"
"strings"
sclient "git.rootprojects.org/root/sclient.go"
)
var (
// commit refers to the abbreviated commit hash
commit = "0000000"
// version refers to the most recent tag, plus any commits made since then
version = "v0.0.0-pre0+0000000"
// GitTimestamp refers to the timestamp of the most recent commit
date = "0000-00-00T00:00:00+0000"
)
func ver() string {
return fmt.Sprintf("sclient %s (%s) %s", version, commit[:7], date)
}
func usage() {
fmt.Fprintf(os.Stderr, "\n%s\n"+
"\nusage: sclient <remote> <local>\n"+
"\n"+
" ex: sclient example.com 3000\n"+
" (sclient example.com:443 localhost:3000)\n"+
"\n"+
" ex: sclient example.com:8443 0.0.0.0:4080\n"+
"\n"+
" ex: sclient example.com:443 -\n"+
"\n", ver())
flag.PrintDefaults()
fmt.Println()
}
func main() {
if len(os.Args) >= 2 {
if "version" == strings.TrimLeft(os.Args[1], "-") {
fmt.Printf("%s\n", ver())
os.Exit(0)
return
}
}
flag.Usage = usage
insecure := flag.Bool("k", false, "alias for --insecure")
silent := flag.Bool("s", false, "alias of --silent")
servername := flag.String("servername", "", "specify a servername different from <remote> (to disable SNI use an IP as <remote> and do use this option)")
flag.BoolVar(insecure, "insecure", false, "ignore bad TLS/SSL/HTTPS certificates")
flag.BoolVar(silent, "silent", false, "less verbose output")
flag.Parse()
remotestr := flag.Arg(0)
localstr := flag.Arg(1)
i := flag.NArg()
if 2 != i {
// We may omit the second argument if we're going straight to stdin
if stat, _ := os.Stdin.Stat(); 1 == i && (stat.Mode()&os.ModeCharDevice) == 0 {
localstr = "|"
} else {
usage()
os.Exit(1)
}
}
sclient := &sclient.Tunnel{
RemotePort: 443,
LocalAddress: "localhost",
InsecureSkipVerify: *insecure,
ServerName: *servername,
Silent: *silent,
}
remote := strings.Split(remotestr, ":")
//remoteAddr, remotePort, err := net.SplitHostPort(remotestr)
if 2 == len(remote) {
rport, err := strconv.Atoi(remote[1])
if nil != err {
usage()
os.Exit(0)
}
sclient.RemotePort = rport
} else if 1 != len(remote) {
usage()
os.Exit(0)
}
sclient.RemoteAddress = remote[0]
if "-" == localstr || "|" == localstr {
// User may specify stdin/stdout instead of net
sclient.LocalAddress = localstr
sclient.LocalPort = -1
} else {
// Test that argument is a local address
local := strings.Split(localstr, ":")
if 1 == len(local) {
lport, err := strconv.Atoi(local[0])
if nil != err {
usage()
os.Exit(0)
}
sclient.LocalPort = lport
} else {
lport, err := strconv.Atoi(local[1])
if nil != err {
usage()
os.Exit(0)
}
sclient.LocalAddress = local[0]
sclient.LocalPort = lport
}
}
err := sclient.DialAndListen()
if nil != err {
fmt.Fprintf(os.Stderr, "%s\n", err)
//usage()
//os.Exit(6)
}
}

43
doc.go
View File

@ -1,43 +0,0 @@
/*
sclient unwraps SSL.
It makes secure remote connections (such as HTTPS) available locally as plain-text connections -
similar to `stunnel` or `openssl s_client`.
There are a variety of reasons that you might want to do that,
but we created it specifically to be able to upgrade applications with legacy
security protocols - like SSH, OpenVPN, and Postgres - to take
advantage of the features of modern TLS, such as ALPN and SNI
(which makes them routable through almost every type of firewall).
See https://telebit.cloud/sclient for more info.
Package Basics
In the simplest case you'll just be setting a ServerName and connection info:
servername := "example.com"
sclient := &sclient.Tunnel{
ServerName: servername,
RemoteAddress: servername,
RemotePort: 443,
LocalAddress: "localhost",
LocalPort: 3000,
}
err := sclient.DialAndListen()
Try the CLI
If you'd like to better understand what sclient does, you can try it out with `go run`:
go get git.rootprojects.org/root/sclient.go/cmd/sclient
go run git.rootprojects.org/root/sclient.go/cmd/sclient example.com:443 localhost:3000
curl http://localhost:3000 -H "Host: example.com"
Pre-built versions for various platforms are also available at
https://telebit.cloud/sclient
*/
package sclient

3
go.mod
View File

@ -1,3 +0,0 @@
module git.rootprojects.org/root/sclient.go
go 1.12

82
sclient-cli.go Normal file
View File

@ -0,0 +1,82 @@
package main
import (
"flag"
"fmt"
"os"
"strconv"
"strings"
)
func usage() {
fmt.Fprintf(os.Stderr, "\nusage: go run sclient*.go <remote> <local>\n"+
"\n"+
" ex: sclient example.com 3000\n"+
" (sclient example.com:443 localhost:3000)\n"+
"\n"+
" ex: sclient example.com:8443 0.0.0.0:4080\n"+
"\n")
flag.PrintDefaults()
fmt.Println()
}
func main() {
flag.Usage = usage
insecure := flag.Bool("k", false, "ignore bad TLS/SSL/HTTPS certificates")
flag.BoolVar(insecure, "insecure", false, "ignore bad TLS/SSL/HTTPS certificates")
flag.Parse()
// NArg, Arg, Args
i := flag.NArg()
if 2 != i {
usage()
os.Exit(0)
}
opts := &SclientOpts{}
opts.RemotePort = 443
opts.LocalAddress = "localhost"
opts.InsecureSkipVerify = *insecure
remote := strings.Split(flag.Arg(0), ":")
//remoteAddr, remotePort, err := net.SplitHostPort(flag.Arg(0))
if 2 == len(remote) {
rport, err := strconv.Atoi(remote[1])
if nil != err {
usage()
os.Exit(0)
}
opts.RemotePort = rport
} else if 1 != len(remote) {
usage()
os.Exit(0)
}
opts.RemoteAddress = remote[0]
local := strings.Split(flag.Arg(1), ":")
//localAddr, localPort, err := net.SplitHostPort(flag.Arg(0))
if 1 == len(local) {
lport, err := strconv.Atoi(local[0])
if nil != err {
usage()
os.Exit(0)
}
opts.LocalPort = lport
} else {
lport, err := strconv.Atoi(local[1])
if nil != err {
usage()
os.Exit(0)
}
opts.LocalAddress = local[0]
opts.LocalPort = lport
}
sclient := &Sclient{}
err := sclient.DialAndListen(opts)
if nil != err {
usage()
os.Exit(0)
}
}

143
sclient.go
View File

@ -1,4 +1,4 @@
package sclient package main
import ( import (
"crypto/tls" "crypto/tls"
@ -10,110 +10,27 @@ import (
"strings" "strings"
) )
// Tunnel specifies which remote encrypted connection to make available as a plain connection locally. type SclientOpts struct {
type Tunnel struct {
RemoteAddress string RemoteAddress string
RemotePort int RemotePort int
LocalAddress string LocalAddress string
LocalPort int LocalPort int
InsecureSkipVerify bool InsecureSkipVerify bool
ServerName string
Silent bool
} }
// DialAndListen will create a test TLS connection to the remote address and then type Sclient struct{}
// begin listening locally. Each local connection will result in a separate remote connection.
func (t *Tunnel) DialAndListen() error {
remote := t.RemoteAddress + ":" + strconv.Itoa(t.RemotePort)
conn, err := tls.Dial("tcp", remote,
&tls.Config{
ServerName: t.ServerName,
InsecureSkipVerify: t.InsecureSkipVerify,
})
if err != nil { func pipe(r net.Conn, w net.Conn, t string) {
fmt.Fprintf(os.Stderr, "[warn] '%s' may not be accepting connections: %s\n", remote, err)
} else {
conn.Close()
}
// use stdin/stdout
if "-" == t.LocalAddress || "|" == t.LocalAddress {
var name string
network := "stdio"
if "|" == t.LocalAddress {
name = "pipe"
} else {
name = "stdin"
}
conn := &stdnet{os.Stdin, os.Stdout, &stdaddr{net.UnixAddr{Name: name, Net: network}}}
t.handleConnection(remote, conn)
return nil
}
// use net.Conn
local := t.LocalAddress + ":" + strconv.Itoa(t.LocalPort)
ln, err := net.Listen("tcp", local)
if err != nil {
return err
}
if !t.Silent {
fmt.Fprintf(os.Stdout, "[listening] %s:%d <= %s:%d\n",
t.RemoteAddress, t.RemotePort, t.LocalAddress, t.LocalPort)
}
for {
conn, err := ln.Accept()
if nil != err {
fmt.Fprintf(os.Stderr, "[error] %s\n", err)
continue
}
go t.handleConnection(remote, conn)
}
}
// I wonder if I can get this to exactly mirror UnixAddr without passing it in
type stdaddr struct {
net.UnixAddr
}
type stdnet struct {
in *os.File // os.Stdin
out *os.File // os.Stdout
addr *stdaddr
}
func (rw *stdnet) Read(buf []byte) (n int, err error) {
return rw.in.Read(buf)
}
func (rw *stdnet) Write(buf []byte) (n int, err error) {
return rw.out.Write(buf)
}
func (rw *stdnet) Close() error {
return rw.in.Close()
}
func (rw *stdnet) RemoteAddr() net.Addr {
return rw.addr
}
// not all of net.Conn, just RWC and RemoteAddr()
type netReadWriteCloser interface {
io.ReadWriteCloser
RemoteAddr() net.Addr
}
func pipe(r netReadWriteCloser, w netReadWriteCloser, t string) {
buffer := make([]byte, 2048) buffer := make([]byte, 2048)
for { for {
done := false done := false
// NOTE: count may be > 0 even if there's an err // NOTE: count may be > 0 even if there's an err
//fmt.Fprintf(os.Stdout, "[debug] (%s) reading\n", t)
count, err := r.Read(buffer) count, err := r.Read(buffer)
//fmt.Fprintf(os.Stdout, "[debug] (%s) reading\n", t)
if nil != err { if nil != err {
//fmt.Fprintf(os.Stdout, "[debug] (%s:%d) error reading %s\n", t, count, err) //fmt.Fprintf(os.Stdout, "[debug] (%s:%d) error reading %s\n", t, count, err)
if io.EOF != err { if io.EOF != err {
fmt.Fprintf(os.Stderr, "[read error] (%s:%d) %s\n", t, count, err) fmt.Fprintf(os.Stderr, "[read error] (%s:%s) %s\n", t, count, err)
} }
r.Close() r.Close()
//w.Close() //w.Close()
@ -139,12 +56,9 @@ func pipe(r netReadWriteCloser, w netReadWriteCloser, t string) {
} }
} }
func (t *Tunnel) handleConnection(remote string, conn netReadWriteCloser) { func handleConnection(remote string, conn net.Conn, opts *SclientOpts) {
sclient, err := tls.Dial("tcp", remote, sclient, err := tls.Dial("tcp", remote,
&tls.Config{ &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify})
ServerName: t.ServerName,
InsecureSkipVerify: t.InsecureSkipVerify,
})
if err != nil { if err != nil {
fmt.Fprintf(os.Stderr, "[error] (remote) %s\n", err) fmt.Fprintf(os.Stderr, "[error] (remote) %s\n", err)
@ -152,16 +66,39 @@ func (t *Tunnel) handleConnection(remote string, conn netReadWriteCloser) {
return return
} }
if !t.Silent { fmt.Fprintf(os.Stdout, "[connect] %s => %s:%d\n",
if "stdio" == conn.RemoteAddr().Network() { strings.Replace(conn.RemoteAddr().String(), "[::1]:", "localhost:", 1), opts.RemoteAddress, opts.RemotePort)
fmt.Fprintf(os.Stdout, "(connected to %s:%d and reading from %s)\n",
t.RemoteAddress, t.RemotePort, conn.RemoteAddr().String())
} else {
fmt.Fprintf(os.Stdout, "[connect] %s => %s:%d\n",
strings.Replace(conn.RemoteAddr().String(), "[::1]:", "localhost:", 1), t.RemoteAddress, t.RemotePort)
}
}
go pipe(conn, sclient, "local") go pipe(conn, sclient, "local")
pipe(sclient, conn, "remote") pipe(sclient, conn, "remote")
} }
func (*Sclient) DialAndListen(opts *SclientOpts) error {
remote := opts.RemoteAddress + ":" + strconv.Itoa(opts.RemotePort)
conn, err := tls.Dial("tcp", remote,
&tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify})
if err != nil {
fmt.Fprintf(os.Stderr, "[warn] '%s' may not be accepting connections: %s\n", remote, err)
} else {
conn.Close()
}
local := opts.LocalAddress + ":" + strconv.Itoa(opts.LocalPort)
ln, err := net.Listen("tcp", local)
if err != nil {
return err
}
fmt.Fprintf(os.Stdout, "[listening] %s:%d <= %s:%d\n",
opts.RemoteAddress, opts.RemotePort, opts.LocalAddress, opts.LocalPort)
for {
conn, err := ln.Accept()
if nil != err {
fmt.Fprintf(os.Stderr, "[error] %s\n", err)
continue
}
go handleConnection(remote, conn, opts)
}
}

11
staticcheck.conf
View File

@ -1,11 +0,0 @@
# I like my yoda conditions ST1017
checks = ["all", "-ST1017", "-ST1000", "-ST1003", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-ST1023"]
initialisms = ["ACL", "API", "ASCII", "CPU", "CSS", "DNS",
"EOF", "GUID", "HTML", "HTTP", "HTTPS", "ID",
"IP", "JSON", "QPS", "RAM", "RPC", "SLA",
"SMTP", "SQL", "SSH", "TCP", "TLS", "TTL",
"UDP", "UI", "GID", "UID", "UUID", "URI",
"URL", "UTF8", "VM", "XML", "XMPP", "XSRF",
"XSS", "SIP", "RTP", "AMQP", "DB", "TS"]
dot_import_whitelist = []
http_status_code_whitelist = ["200", "400", "404", "500"]

5
tests/get.bin
View File

@ -1,5 +0,0 @@
GET / HTTP/1.1
Host: telebit.cloud
Connection: close

8
tests/localhost.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash
go run -race sclient*.go telebit.cloud:443 localhost:3000 &
my_pid=$!
sleep 5
netcat localhost 3000 < tests/get.bin
kill $my_pid

3
tests/pipe.sh
View File

@ -1,3 +0,0 @@
#!/bin/bash
cat tests/get.bin | go run -race sclient*.go telebit.cloud:443

3
tests/stdin.sh
View File

@ -1,3 +0,0 @@
#!/bin/bash
go run -race sclient*.go telebit.cloud:443 - < ./tests/get.bin