dpcore.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504
  1. package dpcore
  2. import (
  3. "context"
  4. "errors"
  5. "io"
  6. "log"
  7. "net"
  8. "net/http"
  9. "net/url"
  10. "strings"
  11. "time"
  12. "imuslab.com/zoraxy/mod/dynamicproxy/domainsniff"
  13. "imuslab.com/zoraxy/mod/dynamicproxy/permissionpolicy"
  14. )
  15. // ReverseProxy is an HTTP Handler that takes an incoming request and
  16. // sends it to another server, proxying the response back to the
  17. // client, support http, also support https tunnel using http.hijacker
  18. type ReverseProxy struct {
  19. // Set the timeout of the proxy server, default is 5 minutes
  20. Timeout time.Duration
  21. // Director must be a function which modifies
  22. // the request into a new request to be sent
  23. // using Transport. Its response is then copied
  24. // back to the original client unmodified.
  25. // Director must not access the provided Request
  26. // after returning.
  27. Director func(*http.Request)
  28. // The transport used to perform proxy requests.
  29. // default is http.DefaultTransport.
  30. Transport http.RoundTripper
  31. // FlushInterval specifies the flush interval
  32. // to flush to the client while copying the
  33. // response body. If zero, no periodic flushing is done.
  34. FlushInterval time.Duration
  35. // ErrorLog specifies an optional logger for errors
  36. // that occur when attempting to proxy the request.
  37. // If nil, logging goes to os.Stderr via the log package's
  38. // standard logger.
  39. ErrorLog *log.Logger
  40. // ModifyResponse is an optional function that
  41. // modifies the Response from the backend.
  42. // If it returns an error, the proxy returns a StatusBadGateway error.
  43. ModifyResponse func(*http.Response) error
  44. //Prepender is an optional prepend text for URL rewrite
  45. Prepender string
  46. Verbal bool
  47. //Appended by Zoraxy project
  48. }
  49. type ResponseRewriteRuleSet struct {
  50. /* Basic Rewrite Rulesets */
  51. ProxyDomain string
  52. OriginalHost string
  53. UseTLS bool
  54. NoCache bool
  55. PathPrefix string //Vdir prefix for root, / will be rewrite to this
  56. UpstreamHeaders [][]string
  57. DownstreamHeaders [][]string
  58. /* Advance Usecase Options */
  59. HostHeaderOverwrite string //Force overwrite of request "Host" header (advanced usecase)
  60. NoRemoveHopByHop bool //Do not remove hop-by-hop headers (advanced usecase)
  61. /* System Information Payload */
  62. Version string //Version number of Zoraxy, use for X-Proxy-By
  63. }
  64. type requestCanceler interface {
  65. CancelRequest(req *http.Request)
  66. }
  67. type DpcoreOptions struct {
  68. IgnoreTLSVerification bool //Disable all TLS verification when request pass through this proxy router
  69. FlushInterval time.Duration //Duration to flush in normal requests. Stream request or keep-alive request will always flush with interval of -1 (immediately)
  70. }
  71. func NewDynamicProxyCore(target *url.URL, prepender string, dpcOptions *DpcoreOptions) *ReverseProxy {
  72. targetQuery := target.RawQuery
  73. director := func(req *http.Request) {
  74. req.URL.Scheme = target.Scheme
  75. req.URL.Host = target.Host
  76. req.URL.Path, req.URL.RawPath = joinURLPath(target, req.URL)
  77. if targetQuery == "" || req.URL.RawQuery == "" {
  78. req.URL.RawQuery = targetQuery + req.URL.RawQuery
  79. } else {
  80. req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
  81. }
  82. }
  83. //Hack the default transporter to handle more connections
  84. thisTransporter := http.DefaultTransport
  85. optimalConcurrentConnection := 32
  86. thisTransporter.(*http.Transport).MaxIdleConns = optimalConcurrentConnection * 2
  87. thisTransporter.(*http.Transport).MaxIdleConnsPerHost = optimalConcurrentConnection
  88. thisTransporter.(*http.Transport).IdleConnTimeout = 30 * time.Second
  89. thisTransporter.(*http.Transport).MaxConnsPerHost = optimalConcurrentConnection * 2
  90. thisTransporter.(*http.Transport).DisableCompression = true
  91. if dpcOptions.IgnoreTLSVerification {
  92. //Ignore TLS certificate validation error
  93. thisTransporter.(*http.Transport).TLSClientConfig.InsecureSkipVerify = true
  94. }
  95. return &ReverseProxy{
  96. Director: director,
  97. Prepender: prepender,
  98. FlushInterval: dpcOptions.FlushInterval,
  99. Verbal: false,
  100. Transport: thisTransporter,
  101. }
  102. }
  103. func singleJoiningSlash(a, b string) string {
  104. aslash := strings.HasSuffix(a, "/")
  105. bslash := strings.HasPrefix(b, "/")
  106. switch {
  107. case aslash && bslash:
  108. return a + b[1:]
  109. case !aslash && !bslash:
  110. return a + "/" + b
  111. }
  112. return a + b
  113. }
  114. func joinURLPath(a, b *url.URL) (path, rawpath string) {
  115. if a.RawPath == "" && b.RawPath == "" {
  116. return singleJoiningSlash(a.Path, b.Path), ""
  117. }
  118. // Same as singleJoiningSlash, but uses EscapedPath to determine
  119. // whether a slash should be added
  120. apath := a.EscapedPath()
  121. bpath := b.EscapedPath()
  122. aslash := strings.HasSuffix(apath, "/")
  123. bslash := strings.HasPrefix(bpath, "/")
  124. switch {
  125. case aslash && bslash:
  126. return a.Path + b.Path[1:], apath + bpath[1:]
  127. case !aslash && !bslash:
  128. return a.Path + "/" + b.Path, apath + "/" + bpath
  129. }
  130. return a.Path + b.Path, apath + bpath
  131. }
  132. func copyHeader(dst, src http.Header) {
  133. for k, vv := range src {
  134. for _, v := range vv {
  135. dst.Add(k, v)
  136. }
  137. }
  138. }
  139. // Hop-by-hop headers. These are removed when sent to the backend.
  140. // http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
  141. var hopHeaders = []string{
  142. //"Connection",
  143. "Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
  144. "Keep-Alive",
  145. "Proxy-Authenticate",
  146. "Proxy-Authorization",
  147. "Te", // canonicalized version of "TE"
  148. "Trailer", // not Trailers per URL above; http://www.rfc-editor.org/errata_search.php?eid=4522
  149. "Transfer-Encoding",
  150. //"Upgrade", // handled by websocket proxy in higher layer abstraction
  151. }
  152. // Copy response from src to dst with given flush interval, reference from httputil.ReverseProxy
  153. func (p *ReverseProxy) copyResponse(dst http.ResponseWriter, src io.Reader, flushInterval time.Duration) error {
  154. var w io.Writer = dst
  155. if flushInterval != 0 {
  156. mlw := &maxLatencyWriter{
  157. dst: dst,
  158. flush: http.NewResponseController(dst).Flush,
  159. latency: flushInterval,
  160. }
  161. defer mlw.stop()
  162. // set up initial timer so headers get flushed even if body writes are delayed
  163. mlw.flushPending = true
  164. mlw.t = time.AfterFunc(flushInterval, mlw.delayedFlush)
  165. w = mlw
  166. }
  167. var buf []byte
  168. _, err := p.copyBuffer(w, src, buf)
  169. return err
  170. }
  171. // Copy with given buffer size. Default to 64k
  172. func (p *ReverseProxy) copyBuffer(dst io.Writer, src io.Reader, buf []byte) (int64, error) {
  173. if len(buf) == 0 {
  174. buf = make([]byte, 64*1024)
  175. }
  176. var written int64
  177. for {
  178. nr, rerr := src.Read(buf)
  179. if rerr != nil && rerr != io.EOF && rerr != context.Canceled {
  180. p.logf("dpcore read error during body copy: %v", rerr)
  181. }
  182. if nr > 0 {
  183. nw, werr := dst.Write(buf[:nr])
  184. if nw > 0 {
  185. written += int64(nw)
  186. }
  187. if werr != nil {
  188. return written, werr
  189. }
  190. if nr != nw {
  191. return written, io.ErrShortWrite
  192. }
  193. }
  194. if rerr != nil {
  195. if rerr == io.EOF {
  196. rerr = nil
  197. }
  198. return written, rerr
  199. }
  200. }
  201. }
  202. func (p *ReverseProxy) logf(format string, args ...interface{}) {
  203. if p.ErrorLog != nil {
  204. p.ErrorLog.Printf(format, args...)
  205. } else {
  206. log.Printf(format, args...)
  207. }
  208. }
  209. func (p *ReverseProxy) ProxyHTTP(rw http.ResponseWriter, req *http.Request, rrr *ResponseRewriteRuleSet) (int, error) {
  210. transport := p.Transport
  211. outreq := new(http.Request)
  212. // Shallow copies of maps, like header
  213. *outreq = *req
  214. if cn, ok := rw.(http.CloseNotifier); ok {
  215. if requestCanceler, ok := transport.(requestCanceler); ok {
  216. // After the Handler has returned, there is no guarantee
  217. // that the channel receives a value, so to make sure
  218. reqDone := make(chan struct{})
  219. defer close(reqDone)
  220. clientGone := cn.CloseNotify()
  221. go func() {
  222. select {
  223. case <-clientGone:
  224. requestCanceler.CancelRequest(outreq)
  225. case <-reqDone:
  226. }
  227. }()
  228. }
  229. }
  230. p.Director(outreq)
  231. outreq.Close = false
  232. //Only skip origin rewrite iff proxy target require TLS and it is external domain name like github.com
  233. if rrr.HostHeaderOverwrite != "" {
  234. //Use user defined overwrite header value, see issue #255
  235. outreq.Host = rrr.HostHeaderOverwrite
  236. } else if !(rrr.UseTLS && isExternalDomainName(rrr.ProxyDomain)) {
  237. // Always use the original host, see issue #164
  238. outreq.Host = rrr.OriginalHost
  239. }
  240. // We may modify the header (shallow copied above), so we only copy it.
  241. outreq.Header = make(http.Header)
  242. copyHeader(outreq.Header, req.Header)
  243. // Remove hop-by-hop headers.
  244. if !rrr.NoRemoveHopByHop {
  245. removeHeaders(outreq.Header, rrr.NoCache)
  246. }
  247. // Add X-Forwarded-For Header.
  248. addXForwardedForHeader(outreq)
  249. // Add user defined headers (to upstream)
  250. injectUserDefinedHeaders(outreq.Header, rrr.UpstreamHeaders)
  251. // Rewrite outbound UA, must be after user headers
  252. rewriteUserAgent(outreq.Header, "Zoraxy/"+rrr.Version)
  253. //Fix proxmox transfer encoding bug if detected Proxmox Cookie
  254. if domainsniff.IsProxmox(req) {
  255. outreq.TransferEncoding = []string{"identity"}
  256. }
  257. res, err := transport.RoundTrip(outreq)
  258. if err != nil {
  259. if p.Verbal {
  260. p.logf("http: proxy error: %v", err)
  261. }
  262. //rw.WriteHeader(http.StatusBadGateway)
  263. return http.StatusBadGateway, err
  264. }
  265. // Remove hop-by-hop headers listed in the "Connection" header of the response, Remove hop-by-hop headers.
  266. if !rrr.NoRemoveHopByHop {
  267. removeHeaders(res.Header, rrr.NoCache)
  268. }
  269. //Remove the User-Agent header if exists
  270. if _, ok := res.Header["User-Agent"]; ok {
  271. //Server to client request should not contains a User-Agent header
  272. res.Header.Del("User-Agent")
  273. }
  274. if p.ModifyResponse != nil {
  275. if err := p.ModifyResponse(res); err != nil {
  276. if p.Verbal {
  277. p.logf("http: proxy error: %v", err)
  278. }
  279. //rw.WriteHeader(http.StatusBadGateway)
  280. return http.StatusBadGateway, err
  281. }
  282. }
  283. //Add debug X-Proxy-By tracker
  284. res.Header.Set("x-proxy-by", "zoraxy/"+rrr.Version)
  285. //Custom Location header rewriter functions
  286. if res.Header.Get("Location") != "" {
  287. locationRewrite := res.Header.Get("Location")
  288. originLocation := res.Header.Get("Location")
  289. res.Header.Set("zr-origin-location", originLocation)
  290. if strings.HasPrefix(originLocation, "http://") || strings.HasPrefix(originLocation, "https://") {
  291. //Full path
  292. //Replace the forwarded target with expected Host
  293. lr, err := replaceLocationHost(locationRewrite, rrr, req.TLS != nil)
  294. if err == nil {
  295. locationRewrite = lr
  296. }
  297. } else if strings.HasPrefix(originLocation, "/") && rrr.PathPrefix != "" {
  298. //Back to the root of this proxy object
  299. //fmt.Println(rrr.ProxyDomain, rrr.OriginalHost)
  300. locationRewrite = strings.TrimSuffix(rrr.PathPrefix, "/") + originLocation
  301. } else {
  302. //Relative path. Do not modifiy location header
  303. }
  304. //Custom redirection to this rproxy relative path
  305. res.Header.Set("Location", locationRewrite)
  306. }
  307. // Add user defined headers (to downstream)
  308. injectUserDefinedHeaders(res.Header, rrr.DownstreamHeaders)
  309. // Copy header from response to client.
  310. copyHeader(rw.Header(), res.Header)
  311. // inject permission policy headers
  312. permissionpolicy.InjectPermissionPolicyHeader(rw, nil)
  313. // The "Trailer" header isn't included in the Transport's response, Build it up from Trailer.
  314. if len(res.Trailer) > 0 {
  315. trailerKeys := make([]string, 0, len(res.Trailer))
  316. for k := range res.Trailer {
  317. trailerKeys = append(trailerKeys, k)
  318. }
  319. rw.Header().Add("Trailer", strings.Join(trailerKeys, ", "))
  320. }
  321. rw.WriteHeader(res.StatusCode)
  322. if len(res.Trailer) > 0 {
  323. // Force chunking if we saw a response trailer.
  324. // This prevents net/http from calculating the length for short
  325. // bodies and adding a Content-Length.
  326. if fl, ok := rw.(http.Flusher); ok {
  327. fl.Flush()
  328. }
  329. }
  330. //Get flush interval in real time and start copying the request
  331. flushInterval := p.getFlushInterval(req, res)
  332. p.copyResponse(rw, res.Body, flushInterval)
  333. // close now, instead of defer, to populate res.Trailer
  334. res.Body.Close()
  335. copyHeader(rw.Header(), res.Trailer)
  336. return res.StatusCode, nil
  337. }
  338. func (p *ReverseProxy) ProxyHTTPS(rw http.ResponseWriter, req *http.Request) (int, error) {
  339. hij, ok := rw.(http.Hijacker)
  340. if !ok {
  341. p.logf("http server does not support hijacker")
  342. return http.StatusNotImplemented, errors.New("http server does not support hijacker")
  343. }
  344. clientConn, _, err := hij.Hijack()
  345. if err != nil {
  346. if p.Verbal {
  347. p.logf("http: proxy error: %v", err)
  348. }
  349. return http.StatusInternalServerError, err
  350. }
  351. proxyConn, err := net.Dial("tcp", req.URL.Host)
  352. if err != nil {
  353. if p.Verbal {
  354. p.logf("http: proxy error: %v", err)
  355. }
  356. return http.StatusInternalServerError, err
  357. }
  358. // The returned net.Conn may have read or write deadlines
  359. // already set, depending on the configuration of the
  360. // Server, to set or clear those deadlines as needed
  361. // we set timeout to 5 minutes
  362. deadline := time.Now()
  363. if p.Timeout == 0 {
  364. deadline = deadline.Add(time.Minute * 5)
  365. } else {
  366. deadline = deadline.Add(p.Timeout)
  367. }
  368. err = clientConn.SetDeadline(deadline)
  369. if err != nil {
  370. if p.Verbal {
  371. p.logf("http: proxy error: %v", err)
  372. }
  373. return http.StatusGatewayTimeout, err
  374. }
  375. err = proxyConn.SetDeadline(deadline)
  376. if err != nil {
  377. if p.Verbal {
  378. p.logf("http: proxy error: %v", err)
  379. }
  380. return http.StatusGatewayTimeout, err
  381. }
  382. _, err = clientConn.Write([]byte("HTTP/1.0 200 OK\r\n\r\n"))
  383. if err != nil {
  384. if p.Verbal {
  385. p.logf("http: proxy error: %v", err)
  386. }
  387. return http.StatusInternalServerError, err
  388. }
  389. go func() {
  390. io.Copy(clientConn, proxyConn)
  391. clientConn.Close()
  392. proxyConn.Close()
  393. }()
  394. io.Copy(proxyConn, clientConn)
  395. proxyConn.Close()
  396. clientConn.Close()
  397. return http.StatusOK, nil
  398. }
  399. func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request, rrr *ResponseRewriteRuleSet) (int, error) {
  400. if req.Method == "CONNECT" {
  401. return p.ProxyHTTPS(rw, req)
  402. } else {
  403. return p.ProxyHTTP(rw, req, rrr)
  404. }
  405. }