304 lines
		
	
	
		
			9.9 KiB
		
	
	
	
		
			JavaScript
		
	
	
	
	
	
			
		
		
	
	
			304 lines
		
	
	
		
			9.9 KiB
		
	
	
	
		
			JavaScript
		
	
	
	
	
	
| 'use strict';
 | |
| 
 | |
| module.exports.create = function (deps, config) {
 | |
|   console.log('config', config);
 | |
| 
 | |
|   //var PromiseA = global.Promise;
 | |
|   var PromiseA = require('bluebird');
 | |
|   var listeners = require('./servers').listeners;
 | |
|   var domainUtils = require('./domain-utils');
 | |
|   var modules;
 | |
| 
 | |
|   var addrProperties = [
 | |
|     'remoteAddress'
 | |
|   , 'remotePort'
 | |
|   , 'remoteFamily'
 | |
|   , 'localAddress'
 | |
|   , 'localPort'
 | |
|   , 'localFamily'
 | |
|   ];
 | |
| 
 | |
|   function nameMatchesDomains(name, domainList) {
 | |
|     return domainList.some(function (pattern) {
 | |
|       return domainUtils.match(pattern, name);
 | |
|     });
 | |
|   }
 | |
| 
 | |
|   function loadModules() {
 | |
|     modules = {};
 | |
| 
 | |
|     modules.tls  = require('./modules/tls').create(deps, config, tcpHandler);
 | |
|     modules.http = require('./modules/http').create(deps, config, modules.tls.middleware);
 | |
|   }
 | |
| 
 | |
|   function checkTcpProxy(conn, opts) {
 | |
|     var proxied = false;
 | |
| 
 | |
|     // TCP Proxying (ie forwarding based on domain name not incoming port) only works for
 | |
|     // TLS wrapped connections, so if the opts don't give us a servername or don't tell us
 | |
|     // this is the decrypted side of a TLS connection we can't handle it here.
 | |
|     if (!opts.servername || !opts.encrypted) { return proxied; }
 | |
| 
 | |
|     function proxy(mod) {
 | |
|       // First thing we need to add to the connection options is where to proxy the connection to
 | |
|       var newConnOpts = domainUtils.separatePort(mod.address || '');
 | |
|       newConnOpts.port = newConnOpts.port || mod.port;
 | |
|       newConnOpts.host = newConnOpts.host || mod.host || 'localhost';
 | |
| 
 | |
|       // Then we add all of the connection address information. We need to prefix all of the
 | |
|       // properties with '_' so we can provide the information to any connection `createConnection`
 | |
|       // implementation but not have the default implementation try to bind the same local port.
 | |
|       addrProperties.forEach(function (name) {
 | |
|         newConnOpts['_' + name] = opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
 | |
|       });
 | |
| 
 | |
|       deps.proxy(conn, newConnOpts);
 | |
|       return true;
 | |
|     }
 | |
| 
 | |
|     proxied = config.domains.some(function (dom) {
 | |
|       if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; }
 | |
|       if (!nameMatchesDomains(opts.servername, dom.names)) { return false; }
 | |
| 
 | |
|       return dom.modules.tcp.some(function (mod) {
 | |
|         if (mod.type !== 'proxy') { return false; }
 | |
| 
 | |
|         return proxy(mod);
 | |
|       });
 | |
|     });
 | |
| 
 | |
|     proxied = proxied || config.tcp.modules.some(function (mod) {
 | |
|       if (mod.type !== 'proxy') { return false; }
 | |
|       if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; }
 | |
| 
 | |
|       return proxy(mod);
 | |
|     });
 | |
| 
 | |
|     return proxied;
 | |
|   }
 | |
| 
 | |
|   // opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
 | |
|   function peek(conn, firstChunk, opts) {
 | |
|     if (!modules) {
 | |
|       loadModules();
 | |
|     }
 | |
| 
 | |
|     opts.firstChunk = firstChunk;
 | |
|     conn.__opts = opts;
 | |
|     // TODO port/service-based routing can do here
 | |
| 
 | |
|     // TLS byte 1 is handshake and byte 6 is client hello
 | |
|     if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
 | |
|       modules.tls.emit('connection', conn);
 | |
|       return;
 | |
|     }
 | |
| 
 | |
|     // This doesn't work with TLS, but now that we know this isn't a TLS connection we can
 | |
|     // unshift the first chunk back onto the connection for future use. The unshift should
 | |
|     // happen after any listeners are attached to it but before any new data comes in.
 | |
|     if (!opts.hyperPeek) {
 | |
|       process.nextTick(function () {
 | |
|         conn.unshift(firstChunk);
 | |
|       });
 | |
|     }
 | |
| 
 | |
|     // Connection is not TLS, check for HTTP next.
 | |
|     if (firstChunk[0] > 32 && firstChunk[0] < 127) {
 | |
|       var firstStr = firstChunk.toString();
 | |
|       if (/HTTP\//i.test(firstStr)) {
 | |
|         modules.http.emit('connection', conn);
 | |
|         return;
 | |
|       }
 | |
|     }
 | |
| 
 | |
|     console.warn('failed to identify protocol from first chunk', firstChunk);
 | |
|     conn.destroy();
 | |
|   }
 | |
|   function tcpHandler(conn, opts) {
 | |
|     function getProp(name) {
 | |
|       return opts[name] || opts['_'+name] || conn[name] || conn['_'+name];
 | |
|     }
 | |
|     opts = opts || {};
 | |
|     var logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' +
 | |
|                   getProp('localAddress')  + ':' + getProp('localPort');
 | |
|     console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false));
 | |
| 
 | |
|     var start = Date.now();
 | |
|     conn.on('timeout', function () {
 | |
|       console.log('[tcpHandler]', logName, 'connection timed out', (Date.now()-start)/1000);
 | |
|     });
 | |
|     conn.on('end', function () {
 | |
|       console.log('[tcpHandler]', logName, 'connection ended', (Date.now()-start)/1000);
 | |
|     });
 | |
|     conn.on('close', function () {
 | |
|       console.log('[tcpHandler]', logName, 'connection closed', (Date.now()-start)/1000);
 | |
|     });
 | |
| 
 | |
|     if (checkTcpProxy(conn, opts)) { return; }
 | |
| 
 | |
|     // XXX PEEK COMMENT XXX
 | |
|     // TODO we can have our cake and eat it too
 | |
|     // we can skip the need to wrap the TLS connection twice
 | |
|     // because we've already peeked at the data,
 | |
|     // but this needs to be handled better before we enable that
 | |
|     // (because it creates new edge cases)
 | |
|     if (opts.hyperPeek) {
 | |
|       console.log('hyperpeek');
 | |
|       peek(conn, opts.firstChunk, opts);
 | |
|       return;
 | |
|     }
 | |
| 
 | |
|     function onError(err) {
 | |
|       console.error('[error] socket errored peeking -', err);
 | |
|       conn.destroy();
 | |
|     }
 | |
|     conn.once('error', onError);
 | |
|     conn.once('data', function (chunk) {
 | |
|       conn.removeListener('error', onError);
 | |
|       peek(conn, chunk, opts);
 | |
|     });
 | |
|   }
 | |
| 
 | |
|   function udpHandler(port, msg) {
 | |
|     if (!Array.isArray(config.udp.modules)) {
 | |
|       return;
 | |
|     }
 | |
|     var socket = require('dgram').createSocket('udp4');
 | |
|     config.udp.modules.forEach(function (mod) {
 | |
|       if (mod.type !== 'forward') {
 | |
|         console.warn('found bad DNS module', mod);
 | |
|         return;
 | |
|       }
 | |
|       if (mod.ports.indexOf(port) < 0) {
 | |
|         return;
 | |
|       }
 | |
| 
 | |
|       var dest = require('./domain-utils').separatePort(mod.address || '');
 | |
|       dest.port = dest.port || mod.port;
 | |
|       dest.host = dest.host || mod.host || 'localhost';
 | |
|       socket.send(msg, dest.port, dest.host);
 | |
|     });
 | |
|   }
 | |
| 
 | |
|   function createTcpForwarder(mod) {
 | |
|     var dest = require('./domain-utils').separatePort(mod.address || '');
 | |
|     dest.port = dest.port || mod.port;
 | |
|     dest.host = dest.host || mod.host || 'localhost';
 | |
| 
 | |
|     return function (conn) {
 | |
|       var newConnOpts = {};
 | |
|       addrProperties.forEach(function (name) {
 | |
|         newConnOpts['_'+name] = conn[name];
 | |
|       });
 | |
| 
 | |
|       deps.proxy(conn, Object.assign(newConnOpts, dest));
 | |
|     };
 | |
|   }
 | |
| 
 | |
|   deps.tunnel = deps.tunnel || {};
 | |
|   deps.tunnel.net = {
 | |
|     createConnection: function (opts, cb) {
 | |
|       console.log('[gl.tunnel] creating connection');
 | |
| 
 | |
|       // here "reader" means the socket that looks like the connection being accepted
 | |
|       // here "writer" means the remote-looking part of the socket that driving the connection
 | |
|       var writer;
 | |
|       var wrapOpts = {};
 | |
| 
 | |
|       function usePair(err, reader) {
 | |
|         if (err) {
 | |
|           process.nextTick(function () {
 | |
|             writer.emit('error', err);
 | |
|           });
 | |
|           return;
 | |
|         }
 | |
| 
 | |
|         // this has the normal net/tcp stuff plus our custom stuff
 | |
|         // opts = { address, port,
 | |
|         //          hostname, servername, tls, encrypted, data, localAddress, localPort, remoteAddress, remotePort, remoteFamily }
 | |
|         Object.keys(opts).forEach(function (key) {
 | |
|           wrapOpts[key] = opts[key];
 | |
|           try {
 | |
|             reader[key] = opts[key];
 | |
|           } catch(e) {
 | |
|             // can't set real socket getters, like remoteAddr
 | |
|           }
 | |
|         });
 | |
| 
 | |
|         // A few more extra specialty options
 | |
|         wrapOpts.localAddress = wrapOpts.localAddress || '127.0.0.2'; // TODO use the tunnel's external address
 | |
|         wrapOpts.localPort = wrapOpts.localPort || 'tunnel-0';
 | |
|         try {
 | |
|           reader._remoteAddress = wrapOpts.remoteAddress;
 | |
|           reader._remotePort = wrapOpts.remotePort;
 | |
|           reader._remoteFamily = wrapOpts.remoteFamily;
 | |
|           reader._localAddress = wrapOpts.localAddress;
 | |
|           reader._localPort = wrapOpts.localPort;
 | |
|           reader._localFamily = wrapOpts.localFamily;
 | |
|         } catch(e) {
 | |
|         }
 | |
| 
 | |
|         tcpHandler(reader, wrapOpts);
 | |
| 
 | |
|         process.nextTick(function () {
 | |
|           // this cb will cause the stream to emit its (actually) first data event
 | |
|           // (even though it already gave a peek into that first data chunk)
 | |
|           console.log('[tunnel] callback, data should begin to flow');
 | |
|           cb();
 | |
|         });
 | |
|       }
 | |
| 
 | |
|       wrapOpts.firstChunk = opts.data;
 | |
|       wrapOpts.hyperPeek = !!opts.data;
 | |
| 
 | |
|       // We used to use `stream-pair` for non-tls connections, but there are places
 | |
|       // that require properties/functions to be present on the socket that aren't
 | |
|       // present on a JSStream so it caused problems.
 | |
|       writer = require('socket-pair').create(usePair);
 | |
|       return writer;
 | |
|     }
 | |
|   };
 | |
|   deps.tunnelClients = require('./tunnel-client-manager').create(deps, config);
 | |
|   deps.tunnelServer = require('./tunnel-server-manager').create(deps, config);
 | |
| 
 | |
|   var listenPromises = [];
 | |
|   var tcpPortMap = {};
 | |
|   config.tcp.bind.filter(Number).forEach(function (port) {
 | |
|     tcpPortMap[port] = true;
 | |
|   });
 | |
| 
 | |
|   (config.tcp.modules || []).forEach(function (mod) {
 | |
|     if (mod.type === 'forward') {
 | |
|       var forwarder = createTcpForwarder(mod);
 | |
|       mod.ports.forEach(function (port) {
 | |
|         if (!tcpPortMap[port]) {
 | |
|           console.log("forwarding port", port, "that wasn't specified in bind");
 | |
|         } else {
 | |
|           delete tcpPortMap[port];
 | |
|         }
 | |
|         listenPromises.push(listeners.tcp.add(port, forwarder));
 | |
|       });
 | |
|     }
 | |
|     else if (mod.type !== 'proxy') {
 | |
|       console.warn('unknown TCP module specified', mod);
 | |
|     }
 | |
|   });
 | |
| 
 | |
|   var portList = Object.keys(tcpPortMap).map(Number).sort();
 | |
|   portList.forEach(function (port) {
 | |
|     listenPromises.push(listeners.tcp.add(port, tcpHandler));
 | |
|   });
 | |
| 
 | |
|   if (config.udp.bind) {
 | |
|     config.udp.bind.forEach(function (port) {
 | |
|       listenPromises.push(listeners.udp.add(port, udpHandler.bind(port)));
 | |
|     });
 | |
|   }
 | |
| 
 | |
|   if (!config.mdns.disabled) {
 | |
|     require('./mdns').start(deps, config, portList[0]);
 | |
|   }
 | |
| 
 | |
|   return PromiseA.all(listenPromises);
 | |
| };
 |