silence more output, fix minor output bugs

.gitignore

@@ -0,0 +1,4 @@
+/sclient
+/cmd/sclient/sclient
+
+dist

.goreleaser.yml

@@ -0,0 +1,37 @@
+before:
+  hooks:
+    - go mod download
+    - go generate ./...
+builds:
+  - main: ./cmd/sclient/main.go
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - 386
+      - amd64
+      - arm
+      - arm64
+    goarm:
+      - 6
+      - 7
+archives:
+  - replacements:
+      386: i386
+      amd64: x86_64
+    format_overrides:
+      - goos: windows
+        format: zip
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ .Tag }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'

README.md

@@ -1,5 +1,4 @@
-sclient.go
+# sclient
-==========
 
 Secure Client for exposing TLS (aka SSL) secured services as plain-text connections locally.
 
@@ -8,60 +7,75 @@ Also ideal for multiplexing a single port with multiple protocols using SNI.
 Unwrap a TLS connection:
 
 ```bash
-$ sclient whatever.com:443 localhost:3000
+sclient whatever.com:443 localhost:3000
-> [listening] telebit.cloud:443 <= localhost:3000
+
+> [listening] whatever.com:443 <= localhost:3000
 ```
 
 Connect via Telnet
 
 ```bash
-$ telnet localhost 3000
+telnet localhost 3000
 ```
 
 Connect via netcat (nc)
 
 ```bash
-$ nc localhost 3000
+nc localhost 3000
+```
+
+cURL
+
+```bash
+curl http://localhost:3000 -H 'Host: whatever.com'
 ```
 
 A poor man's (or Windows user's) makeshift replacement for `openssl s_client`, `stunnel`, or `socat`.
 
-Install
+# Table of Contents
-=======
 
-### macOS, Linux, Windows
+- [Install](#install)
+- [Usage](#usage)
+- [Examples](#examples)
+- [Build from Source](#build-from-source)
 
-For the moment you'll have to install go and compile `sclient` yourself:
+# Install
 
-* <https://golang.org/doc/install#install>
+### Mac, Linux
 
 ```bash
-git clone https://git.coolaj86.com/coolaj86/sclient.go.git
+curl -sS https://webinstall.dev/sclient | bash
-pushd sclient.go
-go build sclient*.go
-rsync -av sclient-cli /usr/local/bin/sclient
 ```
 
 ```bash
-go run sclient*.go example.com:443 localhost:3000
+curl.exe -A MS https://webinstall.dev/sclient | powershell
 ```
 
-Usage
+### Downloads
-=====
+
+Check the [Github Releases](https://github.com/therootcompany/sclient/releases) for
+
+- macOS (x64) Apple Silicon [coming soon](https://github.com/golang/go/issues/39782)
+- Linux (x64, i386, arm64, arm6, arm7)
+- Windows 10 (x64, i386)
+
+# Usage
 
 ```bash
-sclient <remote> <local> [-k | --insecure]
+sclient [flags] <remote> <local>
 ```
 
-* remote
+- flags
-  * must have servername (i.e. example.com)
+  - -k, --insecure ignore invalid TLS (SSL/HTTPS) certificates
-  * port is optional (default is 443)
+  - --servername <string> spoof SNI (to disable use IP as &lt;remote&gt; and do not use this option)
-* local
+- remote
-  * address is optional (default is localhost)
+  - must have servername (i.e. example.com)
-  * must have port (i.e. 3000)
+  - port is optional (default is 443)
+- local
+  - address is optional (default is localhost)
+  - must have port (i.e. 3000)
 
-Examples
+# Examples
-========
 
 Bridge between `telebit.cloud` and local port `3000`.
 
@@ -78,5 +92,60 @@ sclient telebit.cloud:443 localhost:3000
 Ignore a bad TLS/SSL/HTTPS certificate and connect anyway.
 
 ```bash
-sclient badtls.telebit.cloud:443 localhost:3000 -k
+sclient -k badtls.telebit.cloud:443 localhost:3000
+```
+
+Reading from stdin
+
+```bash
+sclient telebit.cloud:443 -
+```
+
+```bash
+sclient telebit.cloud:443 - </path/to/file
+```
+
+Piping
+
+```bash
+printf "GET / HTTP/1.1\r\nHost: telebit.cloud\r\n\r\n" | sclient telebit.cloud:443
+```
+
+Testing for security vulnerabilities on the remote:
+
+```bash
+sclient --servername "Robert'); DROP TABLE Students;" -k example.com localhost:3000
+```
+
+```bash
+sclient --servername "../../../.hidden/private.txt" -k example.com localhost:3000
+```
+
+# Build from source
+
+You'll need to install [Go](https://golang.org).
+See [webinstall.dev/golang](https://webinstall.dev/golang) for install instructions.
+
+```bash
+curl -sS https://webinstall.dev/golang | bash
+```
+
+Then you can install and run as per usual.
+
+```bash
+git clone https://git.rootprojects.org/root/sclient.go.git
+
+pushd sclient.go
+  go build -o dist/sclient cmd/sclient/main.go
+  sudo rsync -av dist/sclient /usr/local/bin/sclient
+popd
+
+sclient example.com:443 localhost:3000
+```
+
+## Install or Run with Go
+
+```bash
+go get git.rootprojects.org/root/sclient.go/cmd/sclient
+go run git.rootprojects.org/root/sclient.go/cmd/sclient example.com:443 localhost:3000
 ```

cmd/sclient/main.go

@@ -0,0 +1,126 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	sclient "git.rootprojects.org/root/sclient.go"
+)
+
+var (
+	// commit refers to the abbreviated commit hash
+	commit = "0000000"
+	// version refers to the most recent tag, plus any commits made since then
+	version = "v0.0.0-pre0+0000000"
+	// GitTimestamp refers to the timestamp of the most recent commit
+	date = "0000-00-00T00:00:00+0000"
+)
+
+func ver() string {
+	return fmt.Sprintf("sclient %s (%s) %s", version, commit[:7], date)
+}
+
+func usage() {
+	fmt.Fprintf(os.Stderr, "\n%s\n"+
+		"\nusage: sclient <remote> <local>\n"+
+		"\n"+
+		"   ex: sclient example.com 3000\n"+
+		"      (sclient example.com:443 localhost:3000)\n"+
+		"\n"+
+		"   ex: sclient example.com:8443 0.0.0.0:4080\n"+
+		"\n"+
+		"   ex: sclient example.com:443 -\n"+
+		"\n", ver())
+	flag.PrintDefaults()
+	fmt.Println()
+}
+
+func main() {
+	if len(os.Args) >= 2 {
+		if "version" == strings.TrimLeft(os.Args[1], "-") {
+			fmt.Printf("%s\n", ver())
+			os.Exit(0)
+			return
+		}
+	}
+
+	flag.Usage = usage
+	insecure := flag.Bool("k", false, "alias for --insecure")
+	silent := flag.Bool("s", false, "alias of --silent")
+	servername := flag.String("servername", "", "specify a servername different from <remote> (to disable SNI use an IP as <remote> and do use this option)")
+	flag.BoolVar(insecure, "insecure", false, "ignore bad TLS/SSL/HTTPS certificates")
+	flag.BoolVar(silent, "silent", false, "less verbose output")
+	flag.Parse()
+	remotestr := flag.Arg(0)
+	localstr := flag.Arg(1)
+
+	i := flag.NArg()
+	if 2 != i {
+		// We may omit the second argument if we're going straight to stdin
+		if stat, _ := os.Stdin.Stat(); 1 == i && (stat.Mode()&os.ModeCharDevice) == 0 {
+			localstr = "|"
+		} else {
+			usage()
+			os.Exit(1)
+		}
+	}
+
+	sclient := &sclient.Tunnel{
+		RemotePort:         443,
+		LocalAddress:       "localhost",
+		InsecureSkipVerify: *insecure,
+		ServerName:         *servername,
+		Silent:             *silent,
+	}
+
+	remote := strings.Split(remotestr, ":")
+	//remoteAddr, remotePort, err := net.SplitHostPort(remotestr)
+	if 2 == len(remote) {
+		rport, err := strconv.Atoi(remote[1])
+		if nil != err {
+			usage()
+			os.Exit(0)
+		}
+		sclient.RemotePort = rport
+	} else if 1 != len(remote) {
+		usage()
+		os.Exit(0)
+	}
+	sclient.RemoteAddress = remote[0]
+
+	if "-" == localstr || "|" == localstr {
+		// User may specify stdin/stdout instead of net
+		sclient.LocalAddress = localstr
+		sclient.LocalPort = -1
+	} else {
+		// Test that argument is a local address
+		local := strings.Split(localstr, ":")
+
+		if 1 == len(local) {
+			lport, err := strconv.Atoi(local[0])
+			if nil != err {
+				usage()
+				os.Exit(0)
+			}
+			sclient.LocalPort = lport
+		} else {
+			lport, err := strconv.Atoi(local[1])
+			if nil != err {
+				usage()
+				os.Exit(0)
+			}
+			sclient.LocalAddress = local[0]
+			sclient.LocalPort = lport
+		}
+	}
+
+	err := sclient.DialAndListen()
+	if nil != err {
+		fmt.Fprintf(os.Stderr, "%s\n", err)
+		//usage()
+		//os.Exit(6)
+	}
+}

doc.go

@@ -0,0 +1,43 @@
+/*
+sclient unwraps SSL.
+
+It makes secure remote connections (such as HTTPS) available locally as plain-text connections -
+similar to `stunnel` or `openssl s_client`.
+
+There are a variety of reasons that you might want to do that,
+but we created it specifically to be able to upgrade applications with legacy
+security protocols - like SSH, OpenVPN, and Postgres - to take
+advantage of the features of modern TLS, such as ALPN and SNI
+(which makes them routable through almost every type of firewall).
+
+See https://telebit.cloud/sclient for more info.
+
+Package Basics
+
+In the simplest case you'll just be setting a ServerName and connection info:
+
+	servername := "example.com"
+
+	sclient := &sclient.Tunnel{
+		ServerName:         servername,
+		RemoteAddress:      servername,
+		RemotePort:         443,
+		LocalAddress:       "localhost",
+		LocalPort:          3000,
+	}
+
+	err := sclient.DialAndListen()
+
+Try the CLI
+
+If you'd like to better understand what sclient does, you can try it out with `go run`:
+
+	go get git.rootprojects.org/root/sclient.go/cmd/sclient
+	go run git.rootprojects.org/root/sclient.go/cmd/sclient example.com:443 localhost:3000
+	curl http://localhost:3000 -H "Host: example.com"
+
+Pre-built versions for various platforms are also available at
+https://telebit.cloud/sclient
+
+*/
+package sclient

go.mod

@@ -0,0 +1,3 @@
+module git.rootprojects.org/root/sclient.go
+
+go 1.12

sclient-cli.go

@@ -1,82 +0,0 @@
-package main
-
-import (
-	"flag"
-	"fmt"
-	"os"
-	"strconv"
-	"strings"
-)
-
-func usage() {
-	fmt.Fprintf(os.Stderr, "\nusage: go run sclient*.go <remote> <local>\n"+
-		"\n"+
-		"   ex: sclient example.com 3000\n"+
-		"      (sclient example.com:443 localhost:3000)\n"+
-		"\n"+
-		"   ex: sclient example.com:8443 0.0.0.0:4080\n"+
-		"\n")
-	flag.PrintDefaults()
-	fmt.Println()
-}
-
-func main() {
-	flag.Usage = usage
-	insecure := flag.Bool("k", false, "ignore bad TLS/SSL/HTTPS certificates")
-	flag.BoolVar(insecure, "insecure", false, "ignore bad TLS/SSL/HTTPS certificates")
-	flag.Parse()
-
-	// NArg, Arg, Args
-	i := flag.NArg()
-	if 2 != i {
-		usage()
-		os.Exit(0)
-	}
-
-	opts := &SclientOpts{}
-	opts.RemotePort = 443
-	opts.LocalAddress = "localhost"
-	opts.InsecureSkipVerify = *insecure
-
-	remote := strings.Split(flag.Arg(0), ":")
-	//remoteAddr, remotePort, err := net.SplitHostPort(flag.Arg(0))
-	if 2 == len(remote) {
-		rport, err := strconv.Atoi(remote[1])
-		if nil != err {
-			usage()
-			os.Exit(0)
-		}
-		opts.RemotePort = rport
-	} else if 1 != len(remote) {
-		usage()
-		os.Exit(0)
-	}
-	opts.RemoteAddress = remote[0]
-
-	local := strings.Split(flag.Arg(1), ":")
-	//localAddr, localPort, err := net.SplitHostPort(flag.Arg(0))
-
-	if 1 == len(local) {
-		lport, err := strconv.Atoi(local[0])
-		if nil != err {
-			usage()
-			os.Exit(0)
-		}
-		opts.LocalPort = lport
-	} else {
-		lport, err := strconv.Atoi(local[1])
-		if nil != err {
-			usage()
-			os.Exit(0)
-		}
-		opts.LocalAddress = local[0]
-		opts.LocalPort = lport
-	}
-
-	sclient := &Sclient{}
-	err := sclient.DialAndListen(opts)
-	if nil != err {
-		usage()
-		os.Exit(0)
-	}
-}

sclient.go

@@ -1,4 +1,4 @@
-package main
+package sclient
 
 import (
 	"crypto/tls"
@@ -10,27 +10,110 @@ import (
 	"strings"
 )
 
-type SclientOpts struct {
+// Tunnel specifies which remote encrypted connection to make available as a plain connection locally.
+type Tunnel struct {
 	RemoteAddress      string
 	RemotePort         int
 	LocalAddress       string
 	LocalPort          int
 	InsecureSkipVerify bool
+	ServerName         string
+	Silent             bool
 }
 
-type Sclient struct{}
+// DialAndListen will create a test TLS connection to the remote address and then
+// begin listening locally. Each local connection will result in a separate remote connection.
+func (t *Tunnel) DialAndListen() error {
+	remote := t.RemoteAddress + ":" + strconv.Itoa(t.RemotePort)
+	conn, err := tls.Dial("tcp", remote,
+		&tls.Config{
+			ServerName:         t.ServerName,
+			InsecureSkipVerify: t.InsecureSkipVerify,
+		})
 
-func pipe(r net.Conn, w net.Conn, t string) {
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "[warn] '%s' may not be accepting connections: %s\n", remote, err)
+	} else {
+		conn.Close()
+	}
+
+	// use stdin/stdout
+	if "-" == t.LocalAddress || "|" == t.LocalAddress {
+		var name string
+		network := "stdio"
+		if "|" == t.LocalAddress {
+			name = "pipe"
+		} else {
+			name = "stdin"
+		}
+		conn := &stdnet{os.Stdin, os.Stdout, &stdaddr{net.UnixAddr{Name: name, Net: network}}}
+		t.handleConnection(remote, conn)
+		return nil
+	}
+
+	// use net.Conn
+	local := t.LocalAddress + ":" + strconv.Itoa(t.LocalPort)
+	ln, err := net.Listen("tcp", local)
+	if err != nil {
+		return err
+	}
+
+	if !t.Silent {
+		fmt.Fprintf(os.Stdout, "[listening] %s:%d <= %s:%d\n",
+			t.RemoteAddress, t.RemotePort, t.LocalAddress, t.LocalPort)
+	}
+
+	for {
+		conn, err := ln.Accept()
+		if nil != err {
+			fmt.Fprintf(os.Stderr, "[error] %s\n", err)
+			continue
+		}
+		go t.handleConnection(remote, conn)
+	}
+}
+
+// I wonder if I can get this to exactly mirror UnixAddr without passing it in
+type stdaddr struct {
+	net.UnixAddr
+}
+
+type stdnet struct {
+	in   *os.File // os.Stdin
+	out  *os.File // os.Stdout
+	addr *stdaddr
+}
+
+func (rw *stdnet) Read(buf []byte) (n int, err error) {
+	return rw.in.Read(buf)
+}
+func (rw *stdnet) Write(buf []byte) (n int, err error) {
+	return rw.out.Write(buf)
+}
+func (rw *stdnet) Close() error {
+	return rw.in.Close()
+}
+func (rw *stdnet) RemoteAddr() net.Addr {
+	return rw.addr
+}
+
+// not all of net.Conn, just RWC and RemoteAddr()
+type netReadWriteCloser interface {
+	io.ReadWriteCloser
+	RemoteAddr() net.Addr
+}
+
+func pipe(r netReadWriteCloser, w netReadWriteCloser, t string) {
 	buffer := make([]byte, 2048)
 	for {
 		done := false
 		// NOTE: count may be > 0 even if there's an err
-		count, err := r.Read(buffer)
 		//fmt.Fprintf(os.Stdout, "[debug] (%s) reading\n", t)
+		count, err := r.Read(buffer)
 		if nil != err {
 			//fmt.Fprintf(os.Stdout, "[debug] (%s:%d) error reading %s\n", t, count, err)
 			if io.EOF != err {
-				fmt.Fprintf(os.Stderr, "[read error] (%s:%s) %s\n", t, count, err)
+				fmt.Fprintf(os.Stderr, "[read error] (%s:%d) %s\n", t, count, err)
 			}
 			r.Close()
 			//w.Close()
@@ -56,9 +139,12 @@ func pipe(r net.Conn, w net.Conn, t string) {
 	}
 }
 
-func handleConnection(remote string, conn net.Conn, opts *SclientOpts) {
+func (t *Tunnel) handleConnection(remote string, conn netReadWriteCloser) {
 	sclient, err := tls.Dial("tcp", remote,
-		&tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify})
+		&tls.Config{
+			ServerName:         t.ServerName,
+			InsecureSkipVerify: t.InsecureSkipVerify,
+		})
 
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "[error] (remote) %s\n", err)
@@ -66,39 +152,16 @@ func handleConnection(remote string, conn net.Conn, opts *SclientOpts) {
 		return
 	}
 
+	if !t.Silent {
+		if "stdio" == conn.RemoteAddr().Network() {
+			fmt.Fprintf(os.Stdout, "(connected to %s:%d and reading from %s)\n",
+				t.RemoteAddress, t.RemotePort, conn.RemoteAddr().String())
+		} else {
 			fmt.Fprintf(os.Stdout, "[connect] %s => %s:%d\n",
-		strings.Replace(conn.RemoteAddr().String(), "[::1]:", "localhost:", 1), opts.RemoteAddress, opts.RemotePort)
+				strings.Replace(conn.RemoteAddr().String(), "[::1]:", "localhost:", 1), t.RemoteAddress, t.RemotePort)
+		}
+	}
 
 	go pipe(conn, sclient, "local")
 	pipe(sclient, conn, "remote")
 }
-
-func (*Sclient) DialAndListen(opts *SclientOpts) error {
-	remote := opts.RemoteAddress + ":" + strconv.Itoa(opts.RemotePort)
-	conn, err := tls.Dial("tcp", remote,
-		&tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify})
-
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "[warn] '%s' may not be accepting connections: %s\n", remote, err)
-	} else {
-		conn.Close()
-	}
-
-	local := opts.LocalAddress + ":" + strconv.Itoa(opts.LocalPort)
-	ln, err := net.Listen("tcp", local)
-	if err != nil {
-		return err
-	}
-
-	fmt.Fprintf(os.Stdout, "[listening] %s:%d <= %s:%d\n",
-		opts.RemoteAddress, opts.RemotePort, opts.LocalAddress, opts.LocalPort)
-
-	for {
-		conn, err := ln.Accept()
-		if nil != err {
-			fmt.Fprintf(os.Stderr, "[error] %s\n", err)
-			continue
-		}
-		go handleConnection(remote, conn, opts)
-	}
-}

staticcheck.conf

@@ -0,0 +1,11 @@
+# I like my yoda conditions ST1017
+checks = ["all", "-ST1017", "-ST1000", "-ST1003", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-ST1023"]
+initialisms = ["ACL", "API", "ASCII", "CPU", "CSS", "DNS",
+	"EOF", "GUID", "HTML", "HTTP", "HTTPS", "ID",
+	"IP", "JSON", "QPS", "RAM", "RPC", "SLA",
+	"SMTP", "SQL", "SSH", "TCP", "TLS", "TTL",
+	"UDP", "UI", "GID", "UID", "UUID", "URI",
+	"URL", "UTF8", "VM", "XML", "XMPP", "XSRF",
+	"XSS", "SIP", "RTP", "AMQP", "DB", "TS"]
+dot_import_whitelist = []
+http_status_code_whitelist = ["200", "400", "404", "500"]

tests/get.bin

@@ -0,0 +1,5 @@
+GET / HTTP/1.1
+Host: telebit.cloud
+Connection: close
+
+

tests/localhost.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+go run -race sclient*.go telebit.cloud:443 localhost:3000 &
+my_pid=$!
+sleep 5
+
+netcat localhost 3000 < tests/get.bin
+kill $my_pid

tests/pipe.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+cat tests/get.bin | go run -race sclient*.go telebit.cloud:443

tests/stdin.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+go run -race sclient*.go telebit.cloud:443 - < ./tests/get.bin