diff --git a/CHANGELOG b/CHANGELOG index fe84a7f..8e0dfb1 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,8 @@ +v1.1.4 - Improved responsiveness to config updates + * changed which TCP/UDP ports are bound to on config update + * update tunnel server settings on config update + * update socks5 setting on config update + v1.1.3 - Better late than never... here's some stuff we've got * fixed (probably) network settings not being readable * supports timeouts in loopback check diff --git a/lib/admin/config.js b/lib/admin/config.js index 4e3c82f..d0a6ef0 100644 --- a/lib/admin/config.js +++ b/lib/admin/config.js @@ -174,6 +174,14 @@ var mdnsSchema = { } }; +var tunnelSvrSchema = { + type: 'object' +, properties: { + servernames: { type: 'array', items: { type: 'string' }} + , secret: { type: 'string' } + } +}; + var ddnsSchema = { type: 'object' , properties: { @@ -223,6 +231,7 @@ var mainSchema = { , ddns: ddnsSchema , socks5: socks5Schema , device: deviceSchema + , tunnel_server: tunnelSvrSchema } , additionalProperties: false }; diff --git a/lib/ddns/index.js b/lib/ddns/index.js index d089527..fb72030 100644 --- a/lib/ddns/index.js +++ b/lib/ddns/index.js @@ -5,6 +5,7 @@ module.exports.create = function (deps, conf) { var network = deps.PromiseA.promisifyAll(deps.recase.camelCopy(require('network'))); var loopback = require('./loopback').create(deps, conf); var dnsCtrl = require('./dns-ctrl').create(deps, conf); + var tunnelClients = require('./tunnel-client-manager').create(deps, conf); var equal = require('deep-equal'); var loopbackDomain; @@ -44,7 +45,7 @@ module.exports.create = function (deps, conf) { async function startTunnel(tunnelSession, mod, domainList) { try { var dnsSession = await getSession(mod.tokenId); - var tunnelDomain = await deps.tunnelClients.start(tunnelSession || dnsSession, domainList); + var tunnelDomain = await tunnelClients.start(tunnelSession || dnsSession, domainList); var addrList; try { 
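Review bot: `tunnelSvrSchema` accepts an empty string for the tunnel secret (`secret: { type: 'string' }`), so a config with `secret: ''` validates even though the tunnel-server-manager guard being removed in this same commit treated a falsy secret as "tunnel server disabled"; since this value presumably authenticates tunnel clients, the schema should enforce a floor, at minimum `secret: { type: 'string', minLength: 1 }` and preferably a length that matches whatever the tunnel server's token scheme needs. The schema key is spelled `tunnel_server` while the manager code reads `config.tunnelServer`; that looks like it depends on a snake-to-camel recasing step somewhere between the admin config and the manager, which is not visible in this diff, so confirm it is applied on the config-update path as well as at startup.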
@@ -82,12 +83,12 @@ module.exports.create = function (deps, conf) { tunnelActive = true; } async function disconnectTunnels() { - deps.tunnelClients.disconnect(); + tunnelClients.disconnect(); tunnelActive = false; await Promise.resolve(); } async function checkTunnelTokens() { - var oldTokens = deps.tunnelClients.current(); + var oldTokens = tunnelClients.current(); var newTokens = await iterateAllModules(function checkTokens(mod, domainList) { if (mod.type !== 'dns@oauth3.org') { return null; } @@ -103,7 +104,7 @@ module.exports.create = function (deps, conf) { } }); - await Promise.all(Object.values(oldTokens).map(deps.tunnelClients.remove)); + await Promise.all(Object.values(oldTokens).map(tunnelClients.remove)); if (!newTokens.length) { return; } diff --git a/lib/tunnel-client-manager.js b/lib/ddns/tunnel-client-manager.js similarity index 69% rename from lib/tunnel-client-manager.js rename to lib/ddns/tunnel-client-manager.js index 8153245..01f9290 100644 --- a/lib/tunnel-client-manager.js +++ b/lib/ddns/tunnel-client-manager.js 
@@ -6,6 +6,52 @@ module.exports.create = function (deps, config) { var activeTunnels = {}; var activeDomains = {}; + var customNet = { + createConnection: function (opts, cb) { + console.log('[gl.tunnel] creating connection'); + + // here "reader" means the socket that looks like the connection being accepted + // here "writer" means the remote-looking part of the socket that driving the connection + var writer; + + function usePair(err, reader) { + if (err) { + process.nextTick(function () { + writer.emit('error', err); + }); + return; + } + + var wrapOpts = Object.assign({localAddress: '127.0.0.2', localPort: 'tunnel-0'}, opts); + wrapOpts.firstChunk = opts.data; + wrapOpts.hyperPeek = !!opts.data; + + // Also override the remote and local address info. We use `defineProperty` because + // otherwise we run into problems of setting properties with only getters defined. + Object.defineProperty(reader, 'remoteAddress', { value: wrapOpts.remoteAddress }); + Object.defineProperty(reader, 'remotePort', { value: wrapOpts.remotePort }); + Object.defineProperty(reader, 'remoteFamiliy', { value: wrapOpts.remoteFamiliy }); + Object.defineProperty(reader, 'localAddress', { value: wrapOpts.localAddress }); + Object.defineProperty(reader, 'localPort', { value: wrapOpts.localPort }); + Object.defineProperty(reader, 'localFamiliy', { value: wrapOpts.localFamiliy }); + + deps.tcp.handler(reader, wrapOpts); + process.nextTick(function () { + // this cb will cause the stream to emit its (actually) first data event + // (even though it already gave a peek into that first data chunk) + console.log('[tunnel] callback, data should begin to flow'); + cb(); + }); + } + + // We used to use `stream-pair` for non-tls connections, but there are places + // that require properties/functions to be present on the socket that aren't + // present on a JSStream so it caused problems. 
+ writer = require('socket-pair').create(usePair); + return writer; + } + }; + function fillData(data) { if (typeof data === 'string') { data = { jwt: data }; @@ -70,7 +116,7 @@ module.exports.create = function (deps, config) { // get the promise that should tell us more about if it worked or not. activeTunnels[data.tunnelUrl] = stunnel.connect({ stunneld: data.tunnelUrl - , net: deps.tunnel.net + , net: customNet // NOTE: the ports here aren't that important since we are providing a custom // `net.createConnection` that doesn't actually use the port. What is important // is that any services we are interested in are listed in this object and have diff --git a/lib/goldilocks.js b/lib/goldilocks.js deleted file mode 100644 index b3226e1..0000000 --- a/lib/goldilocks.js +++ /dev/null 
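Review bot: The two address-family `defineProperty` calls use misspelled names, `'remoteFamiliy'` and `'localFamiliy'`, and read the equally misspelled `wrapOpts.remoteFamiliy`/`wrapOpts.localFamiliy`, so the reader socket never gets `remoteFamily`/`localFamily` (the deleted goldilocks.js set `_remoteFamily`/`_localFamily`) and the `addrProperties` copy in tcp/index.js will carry `undefined` for those fields. Fix: `Object.defineProperty(reader, 'remoteFamily', { value: wrapOpts.remoteFamily });` and `Object.defineProperty(reader, 'localFamily', { value: wrapOpts.localFamily });`. Also worth a comment on `wrapOpts`: because `Object.assign({...defaults}, opts)` lets `opts` win, every address the reader reports, including `remoteAddress`, is whatever the remote tunnel endpoint supplied, so downstream logs and any address-based policy should treat it as tunnel-asserted rather than locally observed.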
@@ -1,303 +0,0 @@ -'use strict'; - -module.exports.create = function (deps, config) { - console.log('config', config); - - //var PromiseA = global.Promise; - var PromiseA = require('bluebird'); - var listeners = require('./servers').listeners; - var domainUtils = require('./domain-utils'); - var modules; - - var addrProperties = [ - 'remoteAddress' - , 'remotePort' - , 'remoteFamily' - , 'localAddress' - , 'localPort' - , 'localFamily' - ]; - - function nameMatchesDomains(name, domainList) { - return domainList.some(function (pattern) { - return domainUtils.match(pattern, name); - }); - } - - function loadModules() { - modules = {}; - - modules.tls = require('./modules/tls').create(deps, config, tcpHandler); - modules.http = require('./modules/http').create(deps, config, modules.tls.middleware); - } - - function checkTcpProxy(conn, opts) { - var proxied = false; - - // TCP Proxying (ie forwarding based on domain name not incoming port) only works for - // TLS wrapped connections, so if the opts don't give us a servername or don't tell us - // this is the decrypted side of a TLS connection we can't handle it here. - if (!opts.servername || !opts.encrypted) { return proxied; } - - function proxy(mod) { - // First thing we need to add to the connection options is where to proxy the connection to - var newConnOpts = domainUtils.separatePort(mod.address || ''); - newConnOpts.port = newConnOpts.port || mod.port; - newConnOpts.host = newConnOpts.host || mod.host || 'localhost'; - - // Then we add all of the connection address information. We need to prefix all of the - // properties with '_' so we can provide the information to any connection `createConnection` - // implementation but not have the default implementation try to bind the same local port. 
- addrProperties.forEach(function (name) { - newConnOpts['_' + name] = opts[name] || opts['_'+name] || conn[name] || conn['_'+name]; - }); - - deps.proxy(conn, newConnOpts); - return true; - } - - proxied = config.domains.some(function (dom) { - if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; } - if (!nameMatchesDomains(opts.servername, dom.names)) { return false; } - - return dom.modules.tcp.some(function (mod) { - if (mod.type !== 'proxy') { return false; } - - return proxy(mod); - }); - }); - - proxied = proxied || config.tcp.modules.some(function (mod) { - if (mod.type !== 'proxy') { return false; } - if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; } - - return proxy(mod); - }); - - return proxied; - } - - // opts = { servername, encrypted, peek, data, remoteAddress, remotePort } - function peek(conn, firstChunk, opts) { - if (!modules) { - loadModules(); - } - - opts.firstChunk = firstChunk; - conn.__opts = opts; - // TODO port/service-based routing can do here - - // TLS byte 1 is handshake and byte 6 is client hello - if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) { - modules.tls.emit('connection', conn); - return; - } - - // This doesn't work with TLS, but now that we know this isn't a TLS connection we can - // unshift the first chunk back onto the connection for future use. The unshift should - // happen after any listeners are attached to it but before any new data comes in. - if (!opts.hyperPeek) { - process.nextTick(function () { - conn.unshift(firstChunk); - }); - } - - // Connection is not TLS, check for HTTP next. 
- if (firstChunk[0] > 32 && firstChunk[0] < 127) { - var firstStr = firstChunk.toString(); - if (/HTTP\//i.test(firstStr)) { - modules.http.emit('connection', conn); - return; - } - } - - console.warn('failed to identify protocol from first chunk', firstChunk); - conn.destroy(); - } - function tcpHandler(conn, opts) { - function getProp(name) { - return opts[name] || opts['_'+name] || conn[name] || conn['_'+name]; - } - opts = opts || {}; - var logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' + - getProp('localAddress') + ':' + getProp('localPort'); - console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false)); - - var start = Date.now(); - conn.on('timeout', function () { - console.log('[tcpHandler]', logName, 'connection timed out', (Date.now()-start)/1000); - }); - conn.on('end', function () { - console.log('[tcpHandler]', logName, 'connection ended', (Date.now()-start)/1000); - }); - conn.on('close', function () { - console.log('[tcpHandler]', logName, 'connection closed', (Date.now()-start)/1000); - }); - - if (checkTcpProxy(conn, opts)) { return; } - - // XXX PEEK COMMENT XXX - // TODO we can have our cake and eat it too - // we can skip the need to wrap the TLS connection twice - // because we've already peeked at the data, - // but this needs to be handled better before we enable that - // (because it creates new edge cases) - if (opts.hyperPeek) { - console.log('hyperpeek'); - peek(conn, opts.firstChunk, opts); - return; - } - - function onError(err) { - console.error('[error] socket errored peeking -', err); - conn.destroy(); - } - conn.once('error', onError); - conn.once('data', function (chunk) { - conn.removeListener('error', onError); - peek(conn, chunk, opts); - }); - } - - function udpHandler(port, msg) { - if (!Array.isArray(config.udp.modules)) { - return; - } - var socket = require('dgram').createSocket('udp4'); - config.udp.modules.forEach(function (mod) { - if (mod.type !== 
'forward') { - console.warn('found bad DNS module', mod); - return; - } - if (mod.ports.indexOf(port) < 0) { - return; - } - - var dest = require('./domain-utils').separatePort(mod.address || ''); - dest.port = dest.port || mod.port; - dest.host = dest.host || mod.host || 'localhost'; - socket.send(msg, dest.port, dest.host); - }); - } - - function createTcpForwarder(mod) { - var dest = require('./domain-utils').separatePort(mod.address || ''); - dest.port = dest.port || mod.port; - dest.host = dest.host || mod.host || 'localhost'; - - return function (conn) { - var newConnOpts = {}; - addrProperties.forEach(function (name) { - newConnOpts['_'+name] = conn[name]; - }); - - deps.proxy(conn, Object.assign(newConnOpts, dest)); - }; - } - - deps.tunnel = deps.tunnel || {}; - deps.tunnel.net = { - createConnection: function (opts, cb) { - console.log('[gl.tunnel] creating connection'); - - // here "reader" means the socket that looks like the connection being accepted - // here "writer" means the remote-looking part of the socket that driving the connection - var writer; - var wrapOpts = {}; - - function usePair(err, reader) { - if (err) { - process.nextTick(function () { - writer.emit('error', err); - }); - return; - } - - // this has the normal net/tcp stuff plus our custom stuff - // opts = { address, port, - // hostname, servername, tls, encrypted, data, localAddress, localPort, remoteAddress, remotePort, remoteFamily } - Object.keys(opts).forEach(function (key) { - wrapOpts[key] = opts[key]; - try { - reader[key] = opts[key]; - } catch(e) { - // can't set real socket getters, like remoteAddr - } - }); - - // A few more extra specialty options - wrapOpts.localAddress = wrapOpts.localAddress || '127.0.0.2'; // TODO use the tunnel's external address - wrapOpts.localPort = wrapOpts.localPort || 'tunnel-0'; - try { - reader._remoteAddress = wrapOpts.remoteAddress; - reader._remotePort = wrapOpts.remotePort; - reader._remoteFamily = wrapOpts.remoteFamily; - 
reader._localAddress = wrapOpts.localAddress; - reader._localPort = wrapOpts.localPort; - reader._localFamily = wrapOpts.localFamily; - } catch(e) { - } - - tcpHandler(reader, wrapOpts); - - process.nextTick(function () { - // this cb will cause the stream to emit its (actually) first data event - // (even though it already gave a peek into that first data chunk) - console.log('[tunnel] callback, data should begin to flow'); - cb(); - }); - } - - wrapOpts.firstChunk = opts.data; - wrapOpts.hyperPeek = !!opts.data; - - // We used to use `stream-pair` for non-tls connections, but there are places - // that require properties/functions to be present on the socket that aren't - // present on a JSStream so it caused problems. - writer = require('socket-pair').create(usePair); - return writer; - } - }; - deps.tunnelClients = require('./tunnel-client-manager').create(deps, config); - deps.tunnelServer = require('./tunnel-server-manager').create(deps, config); - - var listenPromises = []; - var tcpPortMap = {}; - config.tcp.bind.filter(Number).forEach(function (port) { - tcpPortMap[port] = true; - }); - - (config.tcp.modules || []).forEach(function (mod) { - if (mod.type === 'forward') { - var forwarder = createTcpForwarder(mod); - mod.ports.forEach(function (port) { - if (!tcpPortMap[port]) { - console.log("forwarding port", port, "that wasn't specified in bind"); - } else { - delete tcpPortMap[port]; - } - listenPromises.push(listeners.tcp.add(port, forwarder)); - }); - } - else if (mod.type !== 'proxy') { - console.warn('unknown TCP module specified', mod); - } - }); - - var portList = Object.keys(tcpPortMap).map(Number).sort(); - portList.forEach(function (port) { - listenPromises.push(listeners.tcp.add(port, tcpHandler)); - }); - - if (config.udp.bind) { - config.udp.bind.forEach(function (port) { - listenPromises.push(listeners.udp.add(port, udpHandler.bind(port))); - }); - } - - if (!config.mdns.disabled) { - require('./mdns').start(deps, config, portList[0]); - } - 
- return PromiseA.all(listenPromises); -}; diff --git a/lib/mdns.js b/lib/mdns.js index d41f25a..2c64bfd 100644 --- a/lib/mdns.js +++ b/lib/mdns.js @@ -2,6 +2,7 @@ var PromiseA = require('bluebird'); var queryName = '_cloud._tcp.local'; +var dnsSuite = require('dns-suite'); function createResponse(name, ownerIds, packet, ttl, mainPort) { var rpacket = { @@ -85,20 +86,19 @@ function createResponse(name, ownerIds, packet, ttl, mainPort) { }); }); - return require('dns-suite').DNSPacket.write(rpacket); + return dnsSuite.DNSPacket.write(rpacket); } -module.exports.start = function (deps, config, mainPort) { - var socket = require('dgram').createSocket({ type: 'udp4', reuseAddr: true }); - var dns = require('dns-suite'); +module.exports.create = function (deps, config) { + var socket; var nextBroadcast = -1; - socket.on('message', function (message, rinfo) { + function handlePacket(message, rinfo) { // console.log('Received %d bytes from %s:%d', message.length, rinfo.address, rinfo.port); var packet; try { - packet = dns.DNSPacket.parse(message); + packet = dnsSuite.DNSPacket.parse(message); } catch (er) { // `dns-suite` actually errors on a lot of the packets floating around in our network, @@ -108,16 +108,12 @@ module.exports.start = function (deps, config, mainPort) { } // Only respond to queries. - if (packet.header.qr !== 0) { - return; - } + if (packet.header.qr !== 0) { return; } // Only respond if they were asking for cloud devices. - if (packet.question.length !== 1 || packet.question[0].name !== queryName) { - return; - } - if (packet.question[0].typeName !== 'PTR' || packet.question[0].className !== 'IN' ) { - return; - } + if (packet.question.length !== 1) { return; } + if (packet.question[0].name !== queryName) { return; } + if (packet.question[0].typeName !== 'PTR') { return; } + if (packet.question[0].className !== 'IN' ) { return; } var proms = [ deps.storage.mdnsId.get() 
@@ -131,7 +127,7 @@ module.exports.start = function (deps, config, mainPort) { ]; PromiseA.all(proms).then(function (results) { - var resp = createResponse(results[0], results[1], packet, config.mdns.ttl, mainPort); + var resp = createResponse(results[0], results[1], packet, config.mdns.ttl, deps.tcp.mainPort); var now = Date.now(); if (now > nextBroadcast) { socket.send(resp, config.mdns.port, config.mdns.broadcast); 
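Review bot: `deps.tcp.mainPort` can be `undefined`: tcp/index.js computes it from the bound-but-unforwarded ports and only warns when that set is empty, so in that configuration this line would build an mDNS answer advertising an undefined port. Guard before responding, e.g. `if (deps.tcp.mainPort == null) { return; }` at the top of the `.then` callback, with a one-time log so the operator can see why discovery is silent. The enclosing `handlePacket` function starts in the previous hunk.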
@@ -140,18 +136,68 @@ module.exports.start = function (deps, config, mainPort) { socket.send(resp, rinfo.port, rinfo.address); } }); - }); + } - socket.bind(config.mdns.port, function () { - var addr = this.address(); - console.log('bound on UDP %s:%d for mDNS', addr.address, addr.port); + function start() { + socket = require('dgram').createSocket({ type: 'udp4', reuseAddr: true }); + socket.on('message', handlePacket); - socket.setBroadcast(true); - socket.addMembership(config.mdns.broadcast); - // This is supposed to be a local device discovery mechanism, so we shouldn't - // need to hop through any gateways. This helps with security by making it - // much more difficult for someone to use us as part of a DDoS attack by - // spoofing the UDP address a request came from. - socket.setTTL(1); - }); + return new Promise(function (resolve, reject) { + socket.once('error', reject); + + socket.bind(config.mdns.port, function () { + var addr = this.address(); + console.log('bound on UDP %s:%d for mDNS', addr.address, addr.port); + + socket.setBroadcast(true); + socket.addMembership(config.mdns.broadcast); + // This is supposed to be a local device discovery mechanism, so we shouldn't + // need to hop through any gateways. This helps with security by making it + // much more difficult for someone to use us as part of a DDoS attack by + // spoofing the UDP address a request came from. 
+ socket.setTTL(1); + + socket.removeListener('error', reject); + resolve(); + }); + }); + } + function stop() { + return new Promise(function (resolve, reject) { + socket.once('error', reject); + + socket.close(function () { + socket.removeListener('error', reject); + socket = null; + resolve(); + }); + }); + } + + function updateConf() { + var promise; + if (config.mdns.disabled) { + if (socket) { + promise = stop(); + } + } else { + if (!socket) { + promise = start(); + } else if (socket.address().port !== config.mdns.port) { + promise = stop().then(start); + } else { + // Can't check membership, so just add the current broadcast address to make sure + // it's set. If it's already set it will throw an exception (at least on linux). + try { + socket.addMembership(config.mdns.broadcast); + } catch (e) {} + promise = Promise.resolve(); + } + } + } + updateConf(); + + return { + updateConf + }; }; diff --git a/lib/servers.js b/lib/servers.js index 5d4aa05..8b3da88 100644 --- a/lib/servers.js +++ b/lib/servers.js @@ -10,20 +10,16 @@ module.exports.addTcpListener = function (port, handler) { if (stat) { if (stat._closing) { - module.exports.destroyTcpListener(port); - } - else if (handler !== stat.handler) { - - // we'll replace the current listener + stat.server.destroy(); + } else { + // We're already listening on the port, so we only have 2 options. We can either + // replace the handler or reject with an error. (Though neither is really needed + // if the handlers are the same). Until there is reason to do otherwise we are + // opting for the replacement. stat.handler = handler; resolve(); return; } - else { - // this exact listener is already open - resolve(); - return; - } } var enableDestroy = require('server-destroy'); 
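Review bot: `updateConf` builds `promise` but never returns it, so a failed `bind` in `start()` or a failed `close` in `stop()` surfaces only as an unhandled rejection and the caller cannot await the rebind; worse, `start()` assigns `socket` before binding, so after a bind failure `socket` stays set to an unbound socket and the next `updateConf` call throws synchronously from `socket.address()`. There is also no persistent `'error'` listener once `reject` is removed, so any later socket error is an unhandled `'error'` event, which crashes the process. The rewrite below clears `socket` on bind failure, keeps an error listener after bind, and returns the promise; `stop()` is unchanged. The enclosing `create` function starts in an earlier hunk.
```javascript
  function start() {
    socket = require('dgram').createSocket({ type: 'udp4', reuseAddr: true });
    socket.on('message', handlePacket);

    return new Promise(function (resolve, reject) {
      function onBindError(err) {
        socket = null;
        reject(err);
      }
      socket.once('error', onBindError);

      socket.bind(config.mdns.port, function () {
        // … unchanged: address logging, setBroadcast, addMembership, setTTL …
        socket.removeListener('error', onBindError);
        // keep a listener so a later socket error does not crash the process
        socket.on('error', function (err) { console.error('[mdns] socket error', err); });
        resolve();
      });
    });
  }
  // … unchanged: stop …
  function updateConf() {
    var promise;
    // … unchanged: start/stop/membership decision …
    return promise || Promise.resolve();
  }
```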
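Review bot: In the `_closing` branch the old server is destroyed and control falls through to create a replacement that is stored in `serversMap[port]` further down, so the old server's `'close'` event now fires after its map entry has already been replaced; if the per-server close handler registered below (outside this hunk) removes `serversMap[port]`, it would delete the replacement's entry. Guard that handler with `if (serversMap[port] === stat) { delete serversMap[port]; }` or compare the server object instead of the port. Since the same `'close'` event is what settles the `closeTcpListener` promise, a comment here saying that `destroy()` is intentionally what lets a pending timed close resolve early would help the next reader. The enclosing `addTcpListener` starts before this hunk.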
@@ -34,7 +30,7 @@ module.exports.addTcpListener = function (port, handler) { stat = serversMap[port] = { server: server , handler: handler - , _closing: null + , _closing: false }; // Add .destroy so we can close all open connections. Better if added before listen @@ -66,14 +62,24 @@ module.exports.addTcpListener = function (port, handler) { }); }); }; -module.exports.closeTcpListener = function (port) { +module.exports.closeTcpListener = function (port, timeout) { return new PromiseA(function (resolve) { var stat = serversMap[port]; if (!stat) { resolve(); return; } - stat.server.once('close', resolve); + stat._closing = true; + + var timeoutId; + if (timeout) { + timeoutId = setTimeout(() => stat.server.destroy(), timeout); + } + + stat.server.once('close', function () { + clearTimeout(timeoutId); + resolve(); + }); stat.server.close(); }); }; @@ -84,7 +90,9 @@ module.exports.destroyTcpListener = function (port) { } }; module.exports.listTcpListeners = function () { - return Object.keys(serversMap).map(Number).filter(Boolean); + return Object.keys(serversMap).map(Number).filter(function (port) { + return port && !serversMap[port]._closing; + }); }; diff --git a/lib/socks5-server.js b/lib/socks5-server.js index b717f8f..fb27d09 100644 --- a/lib/socks5-server.js +++ b/lib/socks5-server.js 
@@ -63,15 +63,29 @@ module.exports.create = function (deps, config) { }); } - if (config.socks5 && config.socks5.enabled) { - start(config.socks5.port).catch(function (err) { - console.error('failed to start Socks5 proxy', err); - }); + var configEnabled = false; + function updateConf() { + var wanted = config.socks5 && config.socks5.enabled; + + if (configEnabled && !wanted) { + stop().catch(function (err) { + console.error('failed to stop socks5 proxy on config change', err); + }); + configEnabled = false; + } + if (wanted && !configEnabled) { + start(config.socks5.port).catch(function (err) { + console.error('failed to start Socks5 proxy', err); + }); + configEnabled = true; + } } + process.nextTick(updateConf); return { - curState: curState - , start: start - , stop: stop + curState + , start + , stop + , updateConf }; }; diff --git a/lib/modules/http.js b/lib/tcp/http.js similarity index 97% rename from lib/modules/http.js rename to lib/tcp/http.js index 13bb9f6..00ea688 100644 --- a/lib/modules/http.js +++ b/lib/tcp/http.js @@ -1,6 +1,6 @@ 'use strict'; -module.exports.create = function (deps, conf, greenlockMiddleware) { +module.exports.create = function (deps, conf, tcpMods) { var PromiseA = require('bluebird'); var statAsync = PromiseA.promisify(require('fs').stat); var domainMatches = require('../domain-utils').match; @@ -162,8 +162,8 @@ module.exports.create = function (deps, conf, greenlockMiddleware) { return false; } - if (deps.tunnelServer.isClientDomain(separatePort(headers.host).host)) { - deps.tunnelServer.handleClientConn(conn); + if (deps.stunneld.isClientDomain(separatePort(headers.host).host)) { + deps.stunneld.handleClientConn(conn); process.nextTick(function () { conn.unshift(opts.firstChunk); conn.resume(); 
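Review bot: `configEnabled` is flipped before `start()`/`stop()` settle and is never reverted on failure, so a failed `start` leaves the module believing the proxy is running (a later disable calls `stop()` on a server that never started, a later enable does nothing), and a change to `config.socks5.port` while enabled is ignored even though the changelog says socks5 settings follow config updates. The rewrite below records the active port, restarts on a port change, only updates state after the transition succeeds, and serializes transitions so a quick enable/disable/enable cannot interleave. The enclosing `create` function starts before this hunk.
```javascript
  var configEnabled = false;
  var activePort = null;
  var pending = Promise.resolve();
  function updateConf() {
    var wanted = !!(config.socks5 && config.socks5.enabled);
    var port = wanted ? config.socks5.port : null;

    pending = pending.then(function () {
      if (configEnabled && (!wanted || activePort !== port)) {
        return stop().then(function () {
          configEnabled = false;
          activePort = null;
        });
      }
    }).then(function () {
      if (wanted && !configEnabled) {
        return start(port).then(function () {
          configEnabled = true;
          activePort = port;
        });
      }
    }).catch(function (err) {
      console.error('failed to apply socks5 config change', err);
    });
    return pending;
  }
```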
@@ -172,7 +172,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) { } if (!acmeServer) { - acmeServer = require('http').createServer(greenlockMiddleware); + acmeServer = require('http').createServer(tcpMods.tls.middleware); } return emitConnection(acmeServer, conn, opts); } @@ -214,8 +214,8 @@ module.exports.create = function (deps, conf, greenlockMiddleware) { return emitConnection(adminServer, conn, opts); } - if (deps.tunnelServer.isAdminDomain(host)) { - deps.tunnelServer.handleAdminConn(conn); + if (deps.stunneld.isAdminDomain(host)) { + deps.stunneld.handleAdminConn(conn); process.nextTick(function () { conn.unshift(opts.firstChunk); conn.resume(); @@ -241,7 +241,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) { res.statusCode = 502; res.setHeader('Connection', 'close'); res.setHeader('Content-Type', 'text/html'); - res.end(require('../proxy-conn').getRespBody(err, conf.debug)); + res.end(tcpMods.proxy.getRespBody(err, conf.debug)); }); proxyServer = http.createServer(function (req, res) { @@ -292,7 +292,7 @@ module.exports.create = function (deps, conf, greenlockMiddleware) { newConnOpts.remoteAddress = opts.address || conn.remoteAddress; newConnOpts.remotePort = opts.port || conn.remotePort; - deps.proxy(conn, newConnOpts, opts.firstChunk); + tcpMods.proxy(conn, newConnOpts, opts.firstChunk); } function checkProxy(mod, conn, opts, headers) { diff --git a/lib/tcp/index.js b/lib/tcp/index.js new file mode 100644 index 0000000..fb69fc9 --- /dev/null +++ b/lib/tcp/index.js 
@@ -0,0 +1,240 @@ +'use strict'; + +module.exports.create = function (deps, config) { + console.log('config', config); + + var listeners = require('../servers').listeners.tcp; + var domainUtils = require('../domain-utils'); + var modules; + + var addrProperties = [ + 'remoteAddress' + , 'remotePort' + , 'remoteFamily' + , 'localAddress' + , 'localPort' + , 'localFamily' + ]; + + function nameMatchesDomains(name, domainList) { + return domainList.some(function (pattern) { + return domainUtils.match(pattern, name); + }); + } + + function proxy(mod, conn, opts) { + // First thing we need to add to the connection options is where to proxy the connection to + var newConnOpts = domainUtils.separatePort(mod.address || ''); + newConnOpts.port = newConnOpts.port || mod.port; + newConnOpts.host = newConnOpts.host || mod.host || 'localhost'; + + // Then we add all of the connection address information. We need to prefix all of the + // properties with '_' so we can provide the information to any connection `createConnection` + // implementation but not have the default implementation try to bind the same local port. + addrProperties.forEach(function (name) { + newConnOpts['_' + name] = opts[name] || opts['_'+name] || conn[name] || conn['_'+name]; + }); + + modules.proxy(conn, newConnOpts); + return true; + } + + function checkTcpProxy(conn, opts) { + var proxied = false; + + // TCP Proxying (ie routing based on domain name [vs local port]) only works for + // TLS wrapped connections, so if the opts don't give us a servername or don't tell us + // this is the decrypted side of a TLS connection we can't handle it here. 
+ if (!opts.servername || !opts.encrypted) { return proxied; } + + proxied = config.domains.some(function (dom) { + if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; } + if (!nameMatchesDomains(opts.servername, dom.names)) { return false; } + + return dom.modules.tcp.some(function (mod) { + if (mod.type !== 'proxy') { return false; } + + return proxy(mod, conn, opts); + }); + }); + + proxied = proxied || config.tcp.modules.some(function (mod) { + if (mod.type !== 'proxy') { return false; } + if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; } + + return proxy(mod, conn, opts); + }); + + return proxied; + } + + function checkTcpForward(conn, opts) { + // TCP forwarding (ie routing connections based on local port) requires the local port + if (!conn.localPort) { return false; } + + return config.tcp.modules.some(function (mod) { + if (mod.type !== 'forward') { return false; } + if (mod.ports.indexOf(conn.localPort) < 0) { return false; } + + return proxy(mod, conn, opts); + }); + } + + // opts = { servername, encrypted, peek, data, remoteAddress, remotePort } + function peek(conn, firstChunk, opts) { + opts.firstChunk = firstChunk; + conn.__opts = opts; + // TODO port/service-based routing can do here + + // TLS byte 1 is handshake and byte 6 is client hello + if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) { + modules.tls.emit('connection', conn); + return; + } + + // This doesn't work with TLS, but now that we know this isn't a TLS connection we can + // unshift the first chunk back onto the connection for future use. The unshift should + // happen after any listeners are attached to it but before any new data comes in. + if (!opts.hyperPeek) { + process.nextTick(function () { + conn.unshift(firstChunk); + }); + } + + // Connection is not TLS, check for HTTP next. 
+ if (firstChunk[0] > 32 && firstChunk[0] < 127) { + var firstStr = firstChunk.toString(); + if (/HTTP\//i.test(firstStr)) { + modules.http.emit('connection', conn); + return; + } + } + + console.warn('failed to identify protocol from first chunk', firstChunk); + conn.destroy(); + } + function tcpHandler(conn, opts) { + function getProp(name) { + return opts[name] || opts['_'+name] || conn[name] || conn['_'+name]; + } + opts = opts || {}; + var logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' + + getProp('localAddress') + ':' + getProp('localPort'); + console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false)); + + var start = Date.now(); + conn.on('timeout', function () { + console.log('[tcpHandler]', logName, 'connection timed out', (Date.now()-start)/1000); + }); + conn.on('end', function () { + console.log('[tcpHandler]', logName, 'connection ended', (Date.now()-start)/1000); + }); + conn.on('close', function () { + console.log('[tcpHandler]', logName, 'connection closed', (Date.now()-start)/1000); + }); + + if (checkTcpForward(conn, opts)) { return; } + if (checkTcpProxy(conn, opts)) { return; } + + // XXX PEEK COMMENT XXX + // TODO we can have our cake and eat it too + // we can skip the need to wrap the TLS connection twice + // because we've already peeked at the data, + // but this needs to be handled better before we enable that + // (because it creates new edge cases) + if (opts.hyperPeek) { + console.log('hyperpeek'); + peek(conn, opts.firstChunk, opts); + return; + } + + function onError(err) { + console.error('[error] socket errored peeking -', err); + conn.destroy(); + } + conn.once('error', onError); + conn.once('data', function (chunk) { + conn.removeListener('error', onError); + peek(conn, chunk, opts); + }); + } + + modules = {}; + modules.tcpHandler = tcpHandler; + modules.proxy = require('./proxy-conn').create(deps, config); + modules.tls = require('./tls').create(deps, config, 
modules); + modules.http = require('./http').create(deps, config, modules); + + function updateListeners() { + var current = listeners.list(); + var wanted = config.tcp.bind; + + if (!Array.isArray(wanted)) { wanted = []; } + wanted = wanted.map(Number).filter((port) => port > 0 && port < 65356); + + var closeProms = current.filter(function (port) { + return wanted.indexOf(port) < 0; + }).map(function (port) { + return listeners.close(port, 1000); + }); + + // We don't really need to filter here since listening on the same port with the + // same handler function twice is basically a no-op. + var openProms = wanted.map(function (port) { + return listeners.add(port, tcpHandler); + }); + + return Promise.all(closeProms.concat(openProms)); + } + + var mainPort; + function updateConf() { + updateListeners().catch(function (err) { + console.error('Error updating TCP listeners to match bind configuration'); + console.error(err); + }); + + var unforwarded = {}; + config.tcp.bind.forEach(function (port) { + unforwarded[port] = true; + }); + + config.tcp.modules.forEach(function (mod) { + if (['forward', 'proxy'].indexOf(mod.type) < 0) { + console.warn('unknown TCP module type specified', JSON.stringify(mod)); + } + if (mod.type !== 'forward') { return; } + + mod.ports.forEach(function (port) { + if (!unforwarded[port]) { + console.warn('trying to forward TCP port ' + port + ' multiple times or it is unbound'); + } else { + delete unforwarded[port]; + } + }); + }); + + // Not really sure what we can reasonably do to prevent this. At least not without making + // our configuration validation more complicated. + if (!Object.keys(unforwarded).length) { + console.warn('no bound TCP ports are not being forwarded, admin interface will be inaccessible'); + } + + // If we are listening on port 443 make that the main port we respond to mDNS queries with + // otherwise choose the lowest number port we are bound to but not forwarding. 
+ if (unforwarded['443']) { + mainPort = 443; + } else { + mainPort = Object.keys(unforwarded).map(Number).sort((a, b) => a - b)[0]; + } + } + updateConf(); + + var result = { + updateConf + , handler: tcpHandler + }; + Object.defineProperty(result, 'mainPort', {enumerable: true, get: () => mainPort}); + + return result; +}; diff --git a/lib/proxy-conn.js b/lib/tcp/proxy-conn.js similarity index 92% rename from lib/proxy-conn.js rename to lib/tcp/proxy-conn.js index 625a864..db020d6 100644 --- a/lib/proxy-conn.js +++ b/lib/tcp/proxy-conn.js @@ -32,7 +32,7 @@ module.exports.getRespBody = getRespBody; module.exports.sendBadGateway = sendBadGateway; module.exports.create = function (deps, config) { - return function proxy(conn, newConnOpts, firstChunk, decrypt) { + function proxy(conn, newConnOpts, firstChunk, decrypt) { var connected = false; newConnOpts.allowHalfOpen = true; var newConn = deps.net.createConnection(newConnOpts, function () { @@ -73,5 +73,9 @@ module.exports.create = function (deps, config) { newConn.on('close', function () { conn.destroy(); }); - }; + } + + proxy.getRespBody = getRespBody; + proxy.sendBadGateway = sendBadGateway; + return proxy; }; diff --git a/lib/modules/tls.js b/lib/tcp/tls.js similarity index 97% rename from lib/modules/tls.js rename to lib/tcp/tls.js index 63d4d38..60868a0 100644 --- a/lib/modules/tls.js +++ b/lib/tcp/tls.js @@ -1,6 +1,6 @@ 'use strict'; -module.exports.create = function (deps, config, netHandler) { +module.exports.create = function (deps, config, tcpMods) { var path = require('path'); var tls = require('tls'); var parseSni = require('sni'); 
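Review bot: The port filter in `updateListeners` has a transposed digit, `port < 65356`, so bind entries 65356–65535 are silently dropped; it should be `wanted = wanted.map(Number).filter((port) => port > 0 && port < 65536);`. In the same file `updateConf` iterates `config.tcp.bind` and `config.tcp.modules` without the `Array.isArray` guard that `updateListeners` applies to the same `bind` value, so a config update that omits either key throws synchronously out of `updateConf` rather than being logged like the listener errors are; presumably the schema prevents that, but the two paths should agree. The warning `'no bound TCP ports are not being forwarded, admin interface will be inaccessible'` is a double negative; `'every bound TCP port is forwarded; admin interface will be inaccessible'` says what is meant.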
@@ -208,7 +208,7 @@ module.exports.create = function (deps, config, netHandler) { var terminateServer = tls.createServer(terminatorOpts, function (socket) { console.log('(post-terminated) tls connection, addr:', extractSocketProp(socket, 'remoteAddress')); - netHandler(socket, { + tcpMods.tcpHandler(socket, { servername: socket.servername , encrypted: true // remoteAddress... ugh... https://github.com/nodejs/node/issues/8854 @@ -232,7 +232,7 @@ module.exports.create = function (deps, config, netHandler) { newConnOpts.remoteAddress = opts.address || extractSocketProp(socket, 'remoteAddress'); newConnOpts.remotePort = opts.port || extractSocketProp(socket, 'remotePort'); - deps.proxy(socket, newConnOpts, opts.firstChunk, function () { + tcpMods.proxy(socket, newConnOpts, opts.firstChunk, function () { // This function is called in the event of a connection error and should decrypt // the socket so the proxy module can send a 502 HTTP response. var tlsOpts = localhostCerts.mergeTlsOptions('localhost.daplie.me', {isServer: true}); @@ -291,8 +291,8 @@ module.exports.create = function (deps, config, netHandler) { return; } - if (deps.tunnelServer.isClientDomain(opts.servername)) { - deps.tunnelServer.handleClientConn(socket); + if (deps.stunneld.isClientDomain(opts.servername)) { + deps.stunneld.handleClientConn(socket); if (!opts.hyperPeek) { process.nextTick(function () { socket.unshift(opts.firstChunk); diff --git a/lib/tunnel-server-manager.js b/lib/tunnel-server-manager.js index cdada29..a2963e3 100644 --- a/lib/tunnel-server-manager.js +++ b/lib/tunnel-server-manager.js 
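Review bot: `tcpMods.tcpHandler(socket, {` in the @@ -208 hunk relies on the third argument exposing a property named `tcpHandler`, but the object that lib/tcp's `create` returns elsewhere in this diff exports that function under a different name (`handler: tcpHandler`); if `tcpMods` is that result object rather than the internal `modules` object passed to `require('./http').create(deps, config, modules)`, every post-terminated TLS connection would throw a TypeError at this line. Worth confirming which object is passed and aligning the names, e.g. exporting `tcpHandler` alongside `handler`, or documenting the expectation at the signature with `// tcpMods: lib/tcp's internal modules object (must provide .tcpHandler and .proxy)`. The enclosing `create` function starts and ends outside this hunk.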
@@ -1,61 +1,131 @@ 'use strict'; -module.exports.create = function (deps, config) { - if (!config.tunnelServer || !Array.isArray(config.tunnelServer.servernames) || !config.tunnelServer.secret) { - return { - isAdminDomain: function () { return false; } - , isClientDomain: function () { return false; } - }; - } +function httpsTunnel(servername, conn) { + console.error('tunnel server received encrypted connection to', servername); + conn.end(); +} +function handleHttp(servername, conn) { + console.error('tunnel server received un-encrypted connection to', servername); + conn.end([ + 'HTTP/1.1 404 Not Found' + , 'Date: ' + (new Date()).toUTCString() + , 'Connection: close' + , 'Content-Type: text/html' + , 'Content-Length: 9' + , '' + , 'Not Found' + ].join('\r\n')); +} +function rejectNonWebsocket(req, res) { + // status code 426 = Upgrade Required + res.statusCode = 426; + res.setHeader('Content-Type', 'application/json'); + res.send({error: { message: 'Only websockets accepted for tunnel server' }}); +} - var tunnelOpts = Object.assign({}, config.tunnelServer); - // This function should not be called because connections to the admin domains +var defaultConfig = { + servernames: [] +, secret: null +}; +var tunnelFuncs = { + // These functions should not be called because connections to the admin domains // should already be decrypted, and connections to non-client domains should never // be given to us in the first place. 
- tunnelOpts.httpsTunnel = function (servername, conn) { - console.error('tunnel server received encrypted connection to', servername); - conn.end(); - }; - tunnelOpts.httpsInvalid = tunnelOpts.httpsTunnel; - // This function should not be called because ACME challenges should be handled + httpsTunnel: httpsTunnel +, httpsInvalid: httpsTunnel + // These function should not be called because ACME challenges should be handled // before admin domain connections are given to us, and the only non-encrypted // client connections that should be given to us are ACME challenges. - tunnelOpts.handleHttp = function (servername, conn) { - console.error('tunnel server received un-encrypted connection to', servername); - conn.end([ - 'HTTP/1.1 404 Not Found' - , 'Date: ' + (new Date()).toUTCString() - , 'Connection: close' - , 'Content-Type: text/html' - , 'Content-Length: 9' - , '' - , 'Not Found' - ].join('\r\n')); - }; - tunnelOpts.handleInsecureHttp = tunnelOpts.handleHttp; +, handleHttp: handleHttp +, handleInsecureHttp: handleHttp +}; - var tunnelServer = require('stunneld').create(tunnelOpts); +module.exports.create = function (deps, config) { + var equal = require('deep-equal'); + var enableDestroy = require('server-destroy'); + var currentOpts = Object.assign({}, defaultConfig); - var httpServer = require('http').createServer(function (req, res) { - // status code 426 = Upgrade Required - res.statusCode = 426; - res.setHeader('Content-Type', 'application/json'); - res.end(JSON.stringify({error: { - message: 'Only websockets accepted for tunnel server' - }})); - }); - var wsServer = new (require('ws').Server)({ server: httpServer }); - wsServer.on('connection', tunnelServer.ws); + var httpServer, wsServer, stunneld; + function start() { + if (httpServer || wsServer || stunneld) { + throw new Error('trying to start already started tunnel server'); + } + httpServer = require('http').createServer(rejectNonWebsocket); + enableDestroy(httpServer); + + wsServer = new 
(require('ws').Server)({ server: httpServer }); + + var tunnelOpts = Object.assign({}, tunnelFuncs, currentOpts); + stunneld = require('stunneld').create(tunnelOpts); + wsServer.on('connection', stunneld.ws); + } + + function stop() { + if (!httpServer || !wsServer || !stunneld) { + throw new Error('trying to stop unstarted tunnel server (or it got into semi-initialized state'); + } + wsServer.close(); + wsServer = null; + httpServer.destroy(); + httpServer = null; + // Nothing to close here, just need to set it to null to allow it to be garbage-collected. + stunneld = null; + } + + function updateConf() { + var newOpts = Object.assign({}, defaultConfig, config.tunnelServer); + if (!Array.isArray(newOpts.servernames)) { + newOpts.servernames = []; + } + var trimmedOpts = { + servernames: newOpts.servernames.slice().sort() + , secret: newOpts.secret + }; + + if (equal(trimmedOpts, currentOpts)) { + return; + } + currentOpts = trimmedOpts; + + // Stop what's currently running, then if we are still supposed to be running then we + // can start it again with the updated options. It might be possible to make use of + // the existing http and ws servers when the config changes, but I'm not sure what + // state the actions needed to close all existing connections would put them in. 
+ if (httpServer || wsServer || stunneld) { + stop(); + } + if (currentOpts.servernames.length && currentOpts.secret) { + start(); + } + } + process.nextTick(updateConf); return { isAdminDomain: function (domain) { - return config.tunnelServer.servernames.indexOf(domain) !== -1; + return currentOpts.servernames.indexOf(domain) !== -1; } , handleAdminConn: function (conn) { - httpServer.emit('connection', conn); + if (!httpServer) { + console.error(new Error('handleAdminConn called with no active tunnel server')); + conn.end(); + } else { + return httpServer.emit('connection', conn); + } } - , isClientDomain: tunnelServer.isClientDomain - , handleClientConn: tunnelServer.tcp + , isClientDomain: function (domain) { + if (!stunneld) { return false; } + return stunneld.isClientDomain(domain); + } + , handleClientConn: function (conn) { + if (!stunneld) { + console.error(new Error('handleClientConn called with no active tunnel server')); + conn.end(); + } else { + return stunneld.tcp(conn); + } + } + + , updateConf }; }; diff --git a/lib/udp.js b/lib/udp.js new file mode 100644 index 0000000..8d50267 --- /dev/null +++ b/lib/udp.js 
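Review bot: `rejectNonWebsocket` calls `res.send(...)`, which does not exist on Node's core `http.ServerResponse` (the server is created with `require('http').createServer(rejectNonWebsocket)`); the handler it replaces used `res.end(JSON.stringify(...))`. As written, any plain HTTP request that reaches the admin servername throws inside the request listener instead of receiving the 426, and an unauthenticated client can cause that, so the line should be `res.end(JSON.stringify({error: { message: 'Only websockets accepted for tunnel server' }}));`. Two smaller points: the error string in `stop()` is missing its closing parenthesis (`... semi-initialized state)`), and `isAdminDomain` reports a domain as admin whenever it is listed in `currentOpts.servernames` even when no `secret` is configured and `start()` was never called, so those connections always land in the `handleAdminConn` error branch — if that is intended, a comment such as `// servernames match even while the server is stopped; handleAdminConn logs and closes the connection in that case` would make it clear.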
@@ -0,0 +1,57 @@
+'use strict';
+
+module.exports.create = function (deps, config) {
+ var listeners = require('./servers').listeners.udp;
+
+ function packetHandler(port, msg) {
+ if (!Array.isArray(config.udp.modules)) {
+ return;
+ }
+
+ var socket = require('dgram').createSocket('udp4');
+ config.udp.modules.forEach(function (mod) {
+ if (mod.type !== 'forward') {
+ // To avoid logging bad modules every time we get a UDP packet we assign a warned
+ // property to the module (non-enumerable so it won't be saved to the config or
+ // show up in the API).
+ if (!mod.warned) {
+ console.warn('found bad DNS module', mod);
+ Object.defineProperty(mod, 'warned', {value: true, enumerable: false});
+ }
+ return;
+ }
+ if (mod.ports.indexOf(port) < 0) {
+ return;
+ }
+
+ var dest = require('./domain-utils').separatePort(mod.address || '');
+ dest.port = dest.port || mod.port;
+ dest.host = dest.host || mod.host || 'localhost';
+ socket.send(msg, dest.port, dest.host);
+ });
+ }
+
+ function updateListeners() {
+ var current = listeners.list();
+ var wanted = config.udp.bind;
+
+ if (!Array.isArray(wanted)) { wanted = []; }
+ wanted = wanted.map(Number).filter((port) => port > 0 && port < 65356);
+
+ current.forEach(function (port) {
+ if (wanted.indexOf(port) < 0) {
+ listeners.close(port);
+ }
+ });
+ wanted.forEach(function (port) {
+ if (current.indexOf(port) < 0) {
+ listeners.add(port, packetHandler.bind(port));
+ }
+ });
+ }
+
+ updateListeners();
+ return {
+ updateConf: updateListeners
+ };
+};
diff --git a/lib/worker.js b/lib/worker.js
index 665c48e..2e3629f 100644
--- a/lib/worker.js
+++ b/lib/worker.js
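Review bot: `listeners.add(port, packetHandler.bind(port))` binds `port` as `this` rather than as the first argument, so unless the listener registry already passes the port as the first argument, `packetHandler(port, msg)` receives the wrong values; `packetHandler.bind(null, port)` is what the signature expects. Separately, `require('dgram').createSocket('udp4')` runs inside `packetHandler` for every inbound packet and the socket is never closed, so unsolicited UDP traffic to a bound port leaks one socket per packet until the process runs out of descriptors; creating a single socket once at the top of `create` (or closing this one in the `send` callback) avoids that. The bind filter's upper bound `port < 65356` should be `port < 65536` (valid ports are 1–65535), and the same bound appears in `updateListeners` of the lib/tcp hunk earlier in this diff. The warning text `'found bad DNS module'` reads as copied from the DNS code; `'found bad UDP module'` would describe this handler.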
@@ -48,13 +48,15 @@ function create(conf) { modules = { storage: require('./storage').create(deps, conf) - , proxy: require('./proxy-conn').create(deps, conf) , socks5: require('./socks5-server').create(deps, conf) , ddns: require('./ddns').create(deps, conf) + , mdns: require('./mdns').create(deps, conf) + , udp: require('./udp').create(deps, conf) + , tcp: require('./tcp').create(deps, conf) + , stunneld: require('./tunnel-server-manager').create(deps, config) }; Object.assign(deps, modules); - require('./goldilocks.js').create(deps, conf); process.removeListener('message', create); process.on('message', update); } diff --git a/package-lock.json b/package-lock.json index 67f9108..804184b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -448,7 +448,11 @@ "integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA=" }, "dns-suite": { - "version": "git+https://git@git.daplie.com/Daplie/dns-suite#950867c452323da776c050363b22d8f06a8ed414" + "version": "git+https://git@git.daplie.com/Daplie/dns-suite#6352cf4b516d94f0283c9c7cd024431bf974f049", + "requires": { + "bluebird": "3.5.0", + "hexdump.js": "1.0.5" + } }, "duplexer2": { "version": "0.1.4", @@ -820,6 +824,11 @@ "sntp": "1.0.9" } }, + "hexdump.js": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/hexdump.js/-/hexdump.js-1.0.5.tgz", + "integrity": "sha1-xbxlSoIvAzjzEX5fXzVgZd6HmDQ=" + }, "hmac-drbg": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz", @@ -2077,7 +2086,7 @@ } }, "stunnel": { - "version": "git+https://git.daplie.com/Daplie/node-tunnel-client.git#cad0e561fbea5c5dbbf5fc10ed95833dd3573ebc", + "version": "git+https://git.daplie.com/Daplie/node-tunnel-client.git#114847e31abe9a0c5f0598b892dd98b37fe9622e", "requires": { "bluebird": "3.5.0", "commander": "2.9.0", 
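Review bot: `, stunneld: require('./tunnel-server-manager').create(deps, config)` passes `config` while every other entry in `modules` passes `conf`, the parameter of the enclosing `create(conf)`; unless `config` is a separate module-level variable, this is a ReferenceError as soon as the worker starts, and if it is a separate variable the tunnel server would read a different configuration object than the rest of the modules (its `updateConf` reads `config.tunnelServer`). It should probably be `, stunneld: require('./tunnel-server-manager').create(deps, conf)`. The enclosing `create` function starts outside this hunk.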
@@ -2089,7 +2098,7 @@ } }, "stunneld": { - "version": "git+https://git.daplie.com/Daplie/node-tunnel-server.git#54ca2782dde84b3d2c61a3257f7d859b7012ea59", + "version": "git+https://git.daplie.com/Daplie/node-tunnel-server.git#ae91fd5049251ed1f9fcd6806d7b9872454c67db", "requires": { "bluebird": "3.5.0", "cluster-store": "2.0.6", @@ -2099,8 +2108,15 @@ "localhost.daplie.me-certificates": "1.3.5", "redirect-https": "1.1.4", "sni": "1.0.0", - "tunnel-packer": "1.3.0", + "tunnel-packer": "1.4.0", "ws": "2.3.1" + }, + "dependencies": { + "tunnel-packer": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/tunnel-packer/-/tunnel-packer-1.4.0.tgz", + "integrity": "sha512-99GYAtKnbMVd87hQMxiR/Pq62jOWzOH/K6EOs87nU6U4p5uso+fZyYuO+upb+hhonXuNI/sZR/ByVxPFrnzMog==" + } } }, "terminal-forms.js": { diff --git a/package.json b/package.json index 2cd1c2c..bd7a739 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "goldilocks", - "version": "1.1.3", + "version": "1.1.4", "description": "The node.js webserver that's just right, Greenlock (HTTPS/TLS/SSL via ACME/Let's Encrypt) and tunneling (RVPN) included.", "main": "bin/goldilocks.js", "repository": {