1
1
mirror of https://git.sr.ht/~emersion/tlstunnel synced 2024-11-19 15:53:50 +01:00
tlstunnel/directives.go
delthas d314adee59 Add support for backend PROXY protocol v1
This is enabled with backend /* ... */ { proxy_version 1 }
2023-02-09 15:28:44 +01:00

304 lines
7.4 KiB
Go

package tlstunnel
import (
"crypto/sha256"
"crypto/subtle"
"crypto/tls"
"crypto/x509"
"encoding/hex"
"fmt"
"net"
"net/url"
"os"
"os/exec"
"strconv"
"strings"
"git.sr.ht/~emersion/go-scfg"
"github.com/caddyserver/certmagic"
)
func parseConfig(srv *Server, cfg scfg.Block) error {
for _, d := range cfg {
var err error
switch d.Name {
case "frontend":
err = parseFrontend(srv, d)
case "tls":
err = parseTLS(srv, d)
default:
return fmt.Errorf("unknown %q directive", d.Name)
}
if err != nil {
return fmt.Errorf("directive %q: %v", d.Name, err)
}
}
return nil
}
func parseFrontend(srv *Server, d *scfg.Directive) error {
frontend := &Frontend{}
srv.Frontends = append(srv.Frontends, frontend)
// TODO: support multiple backends
backendDirective := d.Children.Get("backend")
if backendDirective == nil {
return fmt.Errorf("missing backend directive in frontend block")
}
if err := parseBackend(&frontend.Backend, backendDirective); err != nil {
return err
}
unmanaged := false
tlsDirective := d.Children.Get("tls")
if tlsDirective != nil {
var err error
unmanaged, err = parseFrontendTLS(srv, tlsDirective)
if err != nil {
return err
}
}
protocolDirective := d.Children.Get("protocol")
if protocolDirective != nil {
frontend.Protocols = protocolDirective.Params
}
addresses := append([]string(nil), d.Params...)
for _, listenDirective := range d.Children.GetAll("listen") {
addresses = append(addresses, listenDirective.Params...)
}
if len(addresses) == 0 {
return fmt.Errorf("missing listening addresses in frontend block")
}
for _, addr := range addresses {
host, port, err := net.SplitHostPort(addr)
if err != nil {
return fmt.Errorf("failed to parse frontend address %q: %v", addr, err)
}
if host != "" && !unmanaged {
srv.ManagedNames = append(srv.ManagedNames, host)
}
// TODO: allow to customize listen host
addr := net.JoinHostPort("", port)
ln := srv.RegisterListener(addr)
if err := ln.RegisterFrontend(host, frontend); err != nil {
return err
}
}
return nil
}
func parseBackend(backend *Backend, d *scfg.Directive) error {
var backendURI string
if err := d.ParseParams(&backendURI); err != nil {
return err
}
if !strings.Contains(backendURI, ":/") {
// This is a raw domain name, make it an URL with an empty scheme
backendURI = "//" + backendURI
}
u, err := url.Parse(backendURI)
if err != nil {
return fmt.Errorf("failed to parse backend URI %q: %v", backendURI, err)
}
if strings.HasSuffix(u.Scheme, "+proxy") {
u.Scheme = strings.TrimSuffix(u.Scheme, "+proxy")
backend.Proxy = true
}
switch u.Scheme {
case "tls":
host, _, err := net.SplitHostPort(u.Host)
if err != nil {
return fmt.Errorf("failed to parse backend address %q: %v", u.Host, err)
}
backend.TLSConfig = &tls.Config{
ServerName: host,
}
fallthrough
case "", "tcp":
backend.Network = "tcp"
backend.Address = u.Host
case "unix":
backend.Network = "unix"
backend.Address = u.Path
default:
return fmt.Errorf("failed to setup backend %q: unsupported URI scheme", backendURI)
}
for _, child := range d.Children {
switch child.Name {
case "tls_certfp":
if backend.TLSConfig == nil {
return fmt.Errorf("tls_certfp requires a tls:// backend address")
}
var algo, wantCertFP string
if err := child.ParseParams(&algo, &wantCertFP); err != nil {
return err
}
if algo != "sha-256" {
return fmt.Errorf("directive tls_certfp: only sha-256 is supported")
}
wantCertFP = strings.ReplaceAll(wantCertFP, ":", "")
wantSum, err := hex.DecodeString(wantCertFP)
if err != nil {
return fmt.Errorf("directive tls_certfp: invalid fingerprint: %v", err)
} else if len(wantSum) != sha256.Size {
return fmt.Errorf("directive tls_certfp: invalid fingerprint length")
}
backend.TLSConfig.InsecureSkipVerify = true
backend.TLSConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
if len(rawCerts) == 0 {
return fmt.Errorf("the server didn't present any TLS certificate")
}
for _, rawCert := range rawCerts {
sum := sha256.Sum256(rawCert)
if subtle.ConstantTimeCompare(sum[:], wantSum) == 1 {
return nil // fingerprints match
}
}
sum := sha256.Sum256(rawCerts[0])
remoteCertFP := hex.EncodeToString(sum[:])
return fmt.Errorf("configured TLS certificate fingerprint doesn't match the server's - %s", remoteCertFP)
}
case "proxy_version":
var version string
if err := child.ParseParams(&version); err != nil {
return err
}
v, err := strconv.Atoi(version)
if err != nil {
return fmt.Errorf("directive proxy_version: invalid version: %v", err)
}
switch v {
case 1, 2:
backend.ProxyVersion = v
default:
return fmt.Errorf("directive proxy_version: unknown version: %v", v)
}
}
}
return nil
}
func parseFrontendTLS(srv *Server, d *scfg.Directive) (unmanaged bool, err error) {
for _, child := range d.Children {
switch child.Name {
case "load":
var certPath, keyPath string
if err := child.ParseParams(&certPath, &keyPath); err != nil {
return false, err
}
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
return false, fmt.Errorf("directive \"load\": %v", err)
}
srv.UnmanagedCerts = append(srv.UnmanagedCerts, cert)
unmanaged = true
default:
return false, fmt.Errorf("unknown %q directive", child.Name)
}
}
return unmanaged, nil
}
func parseTLS(srv *Server, d *scfg.Directive) error {
for _, child := range d.Children {
switch child.Name {
case "acme_ca":
var caURL string
if err := child.ParseParams(&caURL); err != nil {
return err
}
srv.ACMEIssuer.CA = caURL
case "email":
var email string
if err := child.ParseParams(&email); err != nil {
return err
}
srv.ACMEIssuer.Email = email
case "on_demand":
if err := parseTLSOnDemand(srv, child); err != nil {
return err
}
case "acme_dns_command":
var cmdName string
if err := child.ParseParams(&cmdName); err != nil {
return err
}
cmdParams := child.Params[1:]
srv.ACMEIssuer.DNS01Solver = &certmagic.DNS01Solver{
DNSProvider: &commandDNSProvider{
Name: cmdName,
Params: cmdParams,
},
}
default:
return fmt.Errorf("unknown %q directive", child.Name)
}
}
return nil
}
func parseTLSOnDemand(srv *Server, d *scfg.Directive) error {
if srv.ACMEConfig.OnDemand == nil {
srv.ACMEConfig.OnDemand = &certmagic.OnDemandConfig{}
}
for _, child := range d.Children {
switch child.Name {
case "validate_command":
var cmdName string
if err := child.ParseParams(&cmdName); err != nil {
return err
}
decisionFunc := srv.ACMEConfig.OnDemand.DecisionFunc
srv.ACMEConfig.OnDemand.DecisionFunc = func(name string) error {
if decisionFunc != nil {
if err := decisionFunc(name); err != nil {
return err
}
}
// If the user has explicitly requested a certificate for this
// name to be maintained, no need to perform the command check
for _, n := range srv.ManagedNames {
if strings.EqualFold(n, name) {
return nil
}
}
cmd := exec.Command(cmdName, child.Params[1:]...)
cmd.Env = append(os.Environ(), "TLSTUNNEL_NAME="+name)
if err := cmd.Run(); err != nil {
return fmt.Errorf("failed to validate domain %q with command %q: %v", name, cmdName, err)
}
return nil
}
default:
return fmt.Errorf("unknown %q directive", child.Name)
}
}
return nil
}