route/cmd/routed/server.go

package main

import (
	"crypto/tls"
	"errors"
	"net"
	"net/http"
	"net/http/httputil"
	"time"

	"git.xeserv.us/xena/route/internal/database"
	"git.xeserv.us/xena/route/internal/tun2"
	proto "git.xeserv.us/xena/route/proto"
	"github.com/Xe/ln"
	"github.com/lucas-clemente/quic-go/h2quic"
	"github.com/mtneug/pkg/ulid"
	kcp "github.com/xtaci/kcp-go"
	"golang.org/x/crypto/acme/autocert"
	"golang.org/x/net/context"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
)

// RPC constants
const (
	RPCPort uint16 = 39453
)

// Server is the main server type.
type Server struct {
	cfg *Config
	db  database.Storage
	ts  *tun2.Server

	QuicServer *h2quic.Server

	*autocert.Manager
}

// Config configures Server
type Config struct {
	BoltDBPath string `env:"BOLTDB_PATH,required"`

	WebAddr        string `env:"WEB_ADDR,required"`
	SSLAddr        string `env:"SSL_ADDR,required"`
	QuicAddr       string `env:"QUIC_ADDR,required"`
	BackendTCPAddr string `env:"BACKEND_TCP_ADDR,required"`
	BackendKCPAddr string `env:"BACKEND_KCP_ADDR,required"`
	GRPCAddr       string `env:"GRPC_ADDR,required"`

	DomainSuffix string `env:"DOMAIN_SUFFIX,required"`
	ACMEEmail    string `env:"ACME_EMAIL,required"`
	CertKey      *[32]byte
}

// listenTCP configures a listener for TCP+TLS agent connections.
func (s *Server) listenTCP(ctx context.Context, addr string, tcfg *tls.Config) {
	l, err := tls.Listen("tcp", addr, tcfg)
	if err != nil {
		panic(err)
	}

	ln.Log(ctx, ln.Action("tcp+tls listening"), ln.F{"addr": l.Addr()})

	for {
		conn, err := l.Accept()
		if err != nil {
			ln.Error(ctx, err, ln.Action("accept backend client socket"))
		}

		ln.Log(ctx, ln.F{
			"action":  "new backend client",
			"addr":    conn.RemoteAddr(),
			"network": conn.RemoteAddr().Network(),
		})

		go s.ts.HandleConn(conn, false)
	}
}

// listenKCP configures a listener for KCP+TLS agent connections.
func (s *Server) listenKCP(ctx context.Context, addr string, tcfg *tls.Config) {
	l, err := kcp.Listen(addr)
	if err != nil {
		panic(err)
	}

	ln.Log(ctx, ln.Action("kcp+tls listening"), ln.F{"addr": l.Addr()})

	for {
		conn, err := l.Accept()
		if err != nil {
			ln.Error(ctx, err, ln.F{"kind": "kcp", "addr": l.Addr().String()})
		}

		ln.Log(ctx, ln.F{
			"action":  "new_client",
			"network": conn.RemoteAddr().Network(),
			"addr":    conn.RemoteAddr(),
		})

		tc := tls.Server(conn, tcfg)

		go s.ts.HandleConn(tc, true)
	}
}

// New creates a new Server
func New(cfg Config) (*Server, error) {
	if cfg.CertKey == nil {
		return nil, errors.New("no cert decryption key, can't do anything")
	}

	db, err := database.NewBoltStorage(cfg.BoltDBPath, cfg.CertKey)
	if err != nil {
		return nil, err
	}

	m := &autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		Cache:      database.Cache(db),
		HostPolicy: nil,
		Email:      cfg.ACMEEmail,
	}

	tcfg := &tun2.ServerConfig{
		Storage: &storageWrapper{
			Storage: db,
		},
	}

	ts, err := tun2.NewServer(tcfg)
	if err != nil {
		return nil, err
	}

	s := &Server{
		cfg: &cfg,
		db:  db,
		ts:  ts,

		Manager: m,
	}

	tc := &tls.Config{
		GetCertificate: m.GetCertificate,
	}

	go s.listenKCP(context.Background(), cfg.BackendKCPAddr, tc)
	go s.listenTCP(context.Background(), cfg.BackendTCPAddr, tc)

	// gRPC setup
	gs := grpc.NewServer(grpc.Creds(credentials.NewTLS(tc)))

	proto.RegisterBackendsServer(gs, &Backend{Server: s})
	proto.RegisterRoutesServer(gs, &Route{Server: s})
	proto.RegisterTokensServer(gs, &Token{Server: s})

	l, err := net.Listen("tcp", cfg.GRPCAddr)
	if err != nil {
		return nil, err
	}

	go gs.Serve(l)

	return s, nil
}

// Director removes headers that are typically stripped off at request ingress.
func (s *Server) Director(r *http.Request) {
	r.Header.Del("X-Forwarded-For")
	r.Header.Del("X-Client-Ip")
}

// ServeHTTP proxies traffic to a remote backend based on the request meta-information.
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Tor2web") != "" {
		http.Error(w, "tor2web proxy use is not allowed", 400)
		return
	}

	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		http.Error(w, err.Error(), 500)
		return
	}
	r.Header.Set("X-Remote-Ip", host)
	r.Header.Set("X-Request-Ingress", time.Now().Format(time.RFC3339))

	rid := ulid.New().String()
	r.Header.Set("X-Request-Id", rid)
	w.Header().Set("X-Request-Id", rid)
	s.QuicServer.SetQuicHeaders(w.Header())

	// http://www.gnuterrypratchett.com/
	w.Header().Set("X-Clacks-Overhead", "GNU Ashlynn")

	rp := &httputil.ReverseProxy{
		Director:      s.Director,
		Transport:     s.ts,
		FlushInterval: 1 * time.Second,
	}

	rp.ServeHTTP(w, r)
}

// insecureRedirect redirects a client to https if they connect over plain HTTP.
func insecureRedirect(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	case http.MethodPatch, http.MethodPut, http.MethodPost:
		http.Error(w, "use https", http.StatusNotAcceptable)
		ln.Log(r.Context(), ln.Action("cannot redirect (wrong method)"), ln.F{"remote": r.RemoteAddr, "host": r.Host, "path": r.URL.Path})
		return
	}

	r.URL.Host = r.Host
	r.URL.Scheme = "https"

	ln.Log(r.Context(), ln.Action("redirecting insecure HTTP to HTTPS"), ln.F{"remote": r.RemoteAddr, "host": r.Host, "path": r.URL.Path})

	http.Redirect(w, r, r.URL.String(), http.StatusPermanentRedirect)
}
cmd/routed: move internal/server here 2017-12-15 18:18:13 +00:00			`package main`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00
			`import (`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`"crypto/tls"`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`"errors"`
			`"net"`
			`"net/http"`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`"net/http/httputil"`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`"time"`

database: move to internal/ 2017-09-30 13:41:35 +00:00			`"git.xeserv.us/xena/route/internal/database"`
move everything in lib/ to internal/ 2017-10-01 15:23:08 +00:00			`"git.xeserv.us/xena/route/internal/tun2"`
server: fix build 2017-04-29 03:08:11 +00:00			`proto "git.xeserv.us/xena/route/proto"`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00			`"github.com/Xe/ln"`
cmd/routed: alt-svc fix again 2018-01-03 19:12:21 +00:00			`"github.com/lucas-clemente/quic-go/h2quic"`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`"github.com/mtneug/pkg/ulid"`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00			`kcp "github.com/xtaci/kcp-go"`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`"golang.org/x/crypto/acme/autocert"`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00			`"golang.org/x/net/context"`
server: fix build 2017-04-29 03:08:11 +00:00			`"google.golang.org/grpc"`
server: do ssl good 2017-04-29 05:30:32 +00:00			`"google.golang.org/grpc/credentials"`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`)`

			`// RPC constants`
			`const (`
			`RPCPort uint16 = 39453`
			`)`

cmd/routed: document a few things better 2018-01-17 06:23:00 +00:00			`// Server is the main server type.`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`type Server struct {`
make everything work again 2017-01-20 00:31:22 +00:00			`cfg *Config`
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`db database.Storage`
			`ts *tun2.Server`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00
cmd/routed: alt-svc fix again 2018-01-03 19:12:21 +00:00			`QuicServer *h2quic.Server`

server: fix build 2017-04-29 03:08:11 +00:00			`*autocert.Manager`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`}`

make everything work again 2017-01-20 00:31:22 +00:00			`// Config configures Server`
			`type Config struct {`
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			BoltDBPath string `env:"BOLTDB_PATH,required"`
server,main: simplify config code 2017-03-27 04:39:19 +00:00
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			WebAddr string `env:"WEB_ADDR,required"`
			SSLAddr string `env:"SSL_ADDR,required"`
cmd/routed: add quic support 2017-12-12 02:51:45 +00:00			QuicAddr string `env:"QUIC_ADDR,required"`
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			BackendTCPAddr string `env:"BACKEND_TCP_ADDR,required"`
			BackendKCPAddr string `env:"BACKEND_KCP_ADDR,required"`
			GRPCAddr string `env:"GRPC_ADDR,required"`
server,main: simplify config code 2017-03-27 04:39:19 +00:00
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			DomainSuffix string `env:"DOMAIN_SUFFIX,required"`
			ACMEEmail string `env:"ACME_EMAIL,required"`
server,main: simplify config code 2017-03-27 04:39:19 +00:00			`CertKey *[32]byte`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`}`

cmd/routed: document a few things better 2018-01-17 06:23:00 +00:00			`// listenTCP configures a listener for TCP+TLS agent connections.`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00			`func (s Server) listenTCP(ctx context.Context, addr string, tcfg tls.Config) {`
			`l, err := tls.Listen("tcp", addr, tcfg)`
			`if err != nil {`
			`panic(err)`
			`}`

			`ln.Log(ctx, ln.Action("tcp+tls listening"), ln.F{"addr": l.Addr()})`

			`for {`
			`conn, err := l.Accept()`
			`if err != nil {`
			`ln.Error(ctx, err, ln.Action("accept backend client socket"))`
			`}`

			`ln.Log(ctx, ln.F{`
			`"action": "new backend client",`
			`"addr": conn.RemoteAddr(),`
			`"network": conn.RemoteAddr().Network(),`
			`})`

			`go s.ts.HandleConn(conn, false)`
			`}`
			`}`

cmd/routed: document a few things better 2018-01-17 06:23:00 +00:00			`// listenKCP configures a listener for KCP+TLS agent connections.`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00			`func (s Server) listenKCP(ctx context.Context, addr string, tcfg tls.Config) {`
			`l, err := kcp.Listen(addr)`
			`if err != nil {`
			`panic(err)`
			`}`

internal/server: fixup logging of tcp/kcp servers listening 2017-10-04 07:19:56 +00:00			`ln.Log(ctx, ln.Action("kcp+tls listening"), ln.F{"addr": l.Addr()})`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00
			`for {`
			`conn, err := l.Accept()`
			`if err != nil {`
			`ln.Error(ctx, err, ln.F{"kind": "kcp", "addr": l.Addr().String()})`
			`}`

			`ln.Log(ctx, ln.F{`
			`"action": "new_client",`
			`"network": conn.RemoteAddr().Network(),`
			`"addr": conn.RemoteAddr(),`
			`})`

			`tc := tls.Server(conn, tcfg)`

			`go s.ts.HandleConn(tc, true)`
			`}`
			`}`

Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`// New creates a new Server`
make everything work again 2017-01-20 00:31:22 +00:00			`func New(cfg Config) (*Server, error) {`
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`if cfg.CertKey == nil {`
			`return nil, errors.New("no cert decryption key, can't do anything")`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`}`

server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`db, err := database.NewBoltStorage(cfg.BoltDBPath, cfg.CertKey)`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`if err != nil {`
			`return nil, err`
			`}`

server: fix build 2017-04-29 03:08:11 +00:00			`m := &autocert.Manager{`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`Prompt: autocert.AcceptTOS,`
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`Cache: database.Cache(db),`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`HostPolicy: nil,`
server,main: simplify config code 2017-03-27 04:39:19 +00:00			`Email: cfg.ACMEEmail,`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`}`

			`tcfg := &tun2.ServerConfig{`
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`Storage: &storageWrapper{`
			`Storage: db,`
			`},`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`}`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`ts, err := tun2.NewServer(tcfg)`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`if err != nil {`
			`return nil, err`
			`}`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`s := &Server{`
			`cfg: &cfg,`
			`db: db,`
			`ts: ts,`
server: rip out tunnel 2017-03-26 19:51:37 +00:00
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`Manager: m,`
server: grpc hack 2017-01-28 00:14:05 +00:00			`}`

internal/server: clean up NewServer 2017-10-06 17:54:09 +00:00			`tc := &tls.Config{`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00			`GetCertificate: m.GetCertificate,`
internal/server: clean up NewServer 2017-10-06 17:54:09 +00:00			`}`
adjust for tun2 api changes 2017-10-04 07:00:16 +00:00
internal/server: clean up NewServer 2017-10-06 17:54:09 +00:00			`go s.listenKCP(context.Background(), cfg.BackendKCPAddr, tc)`
			`go s.listenTCP(context.Background(), cfg.BackendTCPAddr, tc)`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00
internal/server: clean up NewServer 2017-10-06 17:54:09 +00:00			`// gRPC setup`
			`gs := grpc.NewServer(grpc.Creds(credentials.NewTLS(tc)))`
server: fix build 2017-04-29 03:08:11 +00:00
vendor: update grpc 2017-09-30 16:47:47 +00:00			`proto.RegisterBackendsServer(gs, &Backend{Server: s})`
server: fix build 2017-04-29 03:08:11 +00:00			`proto.RegisterRoutesServer(gs, &Route{Server: s})`
			`proto.RegisterTokensServer(gs, &Token{Server: s})`

server: do ssl good 2017-04-29 05:30:32 +00:00			`l, err := net.Listen("tcp", cfg.GRPCAddr)`
server: fix build 2017-04-29 03:08:11 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`go gs.Serve(l)`

server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`return s, nil`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`}`

server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`// Director removes headers that are typically stripped off at request ingress.`
			`func (s Server) Director(r http.Request) {`
server: properly do X-Forwarded-For 2017-01-22 17:49:14 +00:00			`r.Header.Del("X-Forwarded-For")`
fix everything forever 2017-03-26 20:47:42 +00:00			`r.Header.Del("X-Client-Ip")`
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`}`
server: properly do X-Forwarded-For 2017-01-22 17:49:14 +00:00
cmd/routed: document a few things better 2018-01-17 06:23:00 +00:00			`// ServeHTTP proxies traffic to a remote backend based on the request meta-information.`
server: support new database, shim certificate management 2017-04-28 23:27:34 +00:00			`func (s Server) ServeHTTP(w http.ResponseWriter, r http.Request) {`
server: properly do X-Forwarded-For 2017-01-22 17:49:14 +00:00			`if r.Header.Get("X-Tor2web") != "" {`
			`http.Error(w, "tor2web proxy use is not allowed", 400)`
			`return`
			`}`

			`host, _, err := net.SplitHostPort(r.RemoteAddr)`
			`if err != nil {`
			`http.Error(w, err.Error(), 500)`
			`return`
			`}`
fix everything forever 2017-03-26 20:47:42 +00:00			`r.Header.Set("X-Remote-Ip", host)`
			`r.Header.Set("X-Request-Ingress", time.Now().Format(time.RFC3339))`
server: simplify host creation 2017-01-20 01:17:18 +00:00
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`rid := ulid.New().String()`
server: set requestID for each request 2017-01-23 16:03:14 +00:00			`r.Header.Set("X-Request-Id", rid)`
			`w.Header().Set("X-Request-Id", rid)`
cmd/routed: alt-svc fix again 2018-01-03 19:12:21 +00:00			`s.QuicServer.SetQuicHeaders(w.Header())`
server: set requestID for each request 2017-01-23 16:03:14 +00:00
server: add X-Clacks-Overhead header 2017-02-08 02:25:14 +00:00			`// http://www.gnuterrypratchett.com/`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`w.Header().Set("X-Clacks-Overhead", "GNU Ashlynn")`
server: add X-Clacks-Overhead header 2017-02-08 02:25:14 +00:00
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`rp := &httputil.ReverseProxy{`
server: director 2017-03-26 20:02:22 +00:00			`Director: s.Director,`
server: rip out tunnel 2017-03-26 19:51:37 +00:00			`Transport: s.ts,`
			`FlushInterval: 1 * time.Second,`
			`}`

			`rp.ServeHTTP(w, r)`
Move things around, set up a more structured app 2017-01-18 17:02:44 +00:00			`}`
cmd/routed: use HTTP-01 challenges 2018-01-17 04:49:45 +00:00
			`// insecureRedirect redirects a client to https if they connect over plain HTTP.`
			`func insecureRedirect(w http.ResponseWriter, r *http.Request) {`
			`switch r.Method {`
			`case http.MethodPatch, http.MethodPut, http.MethodPost:`
			`http.Error(w, "use https", http.StatusNotAcceptable)`
			`ln.Log(r.Context(), ln.Action("cannot redirect (wrong method)"), ln.F{"remote": r.RemoteAddr, "host": r.Host, "path": r.URL.Path})`
			`return`
			`}`

			`r.URL.Host = r.Host`
			`r.URL.Scheme = "https"`

			`ln.Log(r.Context(), ln.Action("redirecting insecure HTTP to HTTPS"), ln.F{"remote": r.RemoteAddr, "host": r.Host, "path": r.URL.Path})`

			`http.Redirect(w, r, r.URL.String(), http.StatusPermanentRedirect)`
			`}`