Merge pull request #101 from fatedier/maodanp/http_auth

Maodanp/http auth
This commit is contained in:
fatedier 2016-09-05 22:25:01 -05:00 committed by GitHub
commit 8c497793c5
10 changed files with 110 additions and 19 deletions

View File

@ -41,6 +41,11 @@ auth_token = 123
# if proxy type equals http, custom_domains must be set separated by commas # if proxy type equals http, custom_domains must be set separated by commas
custom_domains = web01.yourdomain.com,web01.yourdomain2.com custom_domains = web01.yourdomain.com,web01.yourdomain2.com
# http username and password are safety certification for http protoc
# if not set, you can access this custom_domains without certification
http_username = admin
http_password = admin
[web02] [web02]
# if type equals https, vhost_https_port must be set # if type equals https, vhost_https_port must be set
type = https type = https

View File

@ -150,6 +150,8 @@ func loginToServer(cli *client.ProxyClient) (c *conn.Conn, err error) {
ProxyType: cli.Type, ProxyType: cli.Type,
PoolCount: cli.PoolCount, PoolCount: cli.PoolCount,
HostHeaderRewrite: cli.HostHeaderRewrite, HostHeaderRewrite: cli.HostHeaderRewrite,
HttpUserName: cli.HttpUserName,
HttpPassWord: cli.HttpPassWord,
Timestamp: nowTime, Timestamp: nowTime,
} }
if cli.PrivilegeMode { if cli.PrivilegeMode {

View File

@ -287,6 +287,8 @@ func doLogin(req *msg.ControlReq, c *conn.Conn) (ret int64, info string) {
s.UseEncryption = req.UseEncryption s.UseEncryption = req.UseEncryption
s.UseGzip = req.UseGzip s.UseGzip = req.UseGzip
s.HostHeaderRewrite = req.HostHeaderRewrite s.HostHeaderRewrite = req.HostHeaderRewrite
s.HttpUserName = req.HttpUserName
s.HttpPassWord = req.HttpPassWord
if req.PoolCount > server.MaxPoolCount { if req.PoolCount > server.MaxPoolCount {
s.PoolCount = server.MaxPoolCount s.PoolCount = server.MaxPoolCount
} else if req.PoolCount < 0 { } else if req.PoolCount < 0 {

View File

@ -156,6 +156,16 @@ func LoadConf(confFile string) (err error) {
if ok { if ok {
proxyClient.HostHeaderRewrite = tmpStr proxyClient.HostHeaderRewrite = tmpStr
} }
//http_username
tmpStr, ok = section["http_username"]
if ok {
proxyClient.HttpUserName = tmpStr
}
//http_password
tmpStr, ok = section["http_password"]
if ok {
proxyClient.HttpPassWord = tmpStr
}
} }
// privilege_mode // privilege_mode

View File

@ -24,4 +24,6 @@ type BaseConf struct {
PrivilegeToken string PrivilegeToken string
PoolCount int64 PoolCount int64
HostHeaderRewrite string HostHeaderRewrite string
HttpUserName string
HttpPassWord string
} }

View File

@ -35,6 +35,8 @@ type ControlReq struct {
RemotePort int64 `json:"remote_port"` RemotePort int64 `json:"remote_port"`
CustomDomains []string `json:"custom_domains, omitempty"` CustomDomains []string `json:"custom_domains, omitempty"`
HostHeaderRewrite string `json:"host_header_rewrite"` HostHeaderRewrite string `json:"host_header_rewrite"`
HttpUserName string `json:"http_username"`
HttpPassWord string `json:"http_password"`
Timestamp int64 `json:"timestamp"` Timestamp int64 `json:"timestamp"`
} }

View File

@ -72,6 +72,8 @@ func NewProxyServerFromCtlMsg(req *msg.ControlReq) (p *ProxyServer) {
} }
p.CustomDomains = req.CustomDomains p.CustomDomains = req.CustomDomains
p.HostHeaderRewrite = req.HostHeaderRewrite p.HostHeaderRewrite = req.HostHeaderRewrite
p.HttpUserName = req.HttpUserName
p.HttpPassWord = req.HttpPassWord
return return
} }
@ -88,7 +90,8 @@ func (p *ProxyServer) Init() {
func (p *ProxyServer) Compare(p2 *ProxyServer) bool { func (p *ProxyServer) Compare(p2 *ProxyServer) bool {
if p.Name != p2.Name || p.AuthToken != p2.AuthToken || p.Type != p2.Type || if p.Name != p2.Name || p.AuthToken != p2.AuthToken || p.Type != p2.Type ||
p.BindAddr != p2.BindAddr || p.ListenPort != p2.ListenPort || p.HostHeaderRewrite != p2.HostHeaderRewrite { p.BindAddr != p2.BindAddr || p.ListenPort != p2.ListenPort || p.HostHeaderRewrite != p2.HostHeaderRewrite ||
p.HttpUserName != p2.HttpUserName || p.HttpPassWord != p2.HttpPassWord {
return false return false
} }
if len(p.CustomDomains) != len(p2.CustomDomains) { if len(p.CustomDomains) != len(p2.CustomDomains) {
@ -122,7 +125,7 @@ func (p *ProxyServer) Start(c *conn.Conn) (err error) {
p.listeners = append(p.listeners, l) p.listeners = append(p.listeners, l)
} else if p.Type == "http" { } else if p.Type == "http" {
for _, domain := range p.CustomDomains { for _, domain := range p.CustomDomains {
l, err := VhostHttpMuxer.Listen(domain, p.HostHeaderRewrite) l, err := VhostHttpMuxer.Listen(domain, p.HostHeaderRewrite, p.HttpUserName, p.HttpPassWord)
if err != nil { if err != nil {
return err return err
} }
@ -130,7 +133,7 @@ func (p *ProxyServer) Start(c *conn.Conn) (err error) {
} }
} else if p.Type == "https" { } else if p.Type == "https" {
for _, domain := range p.CustomDomains { for _, domain := range p.CustomDomains {
l, err := VhostHttpsMuxer.Listen(domain, p.HostHeaderRewrite) l, err := VhostHttpsMuxer.Listen(domain, p.HostHeaderRewrite, p.HttpUserName, p.HttpPassWord)
if err != nil { if err != nil {
return err return err
} }

View File

@ -17,6 +17,7 @@ package vhost
import ( import (
"bufio" "bufio"
"bytes" "bytes"
"encoding/base64"
"fmt" "fmt"
"io" "io"
"net" "net"
@ -33,21 +34,29 @@ type HttpMuxer struct {
*VhostMuxer *VhostMuxer
} }
func GetHttpHostname(c *conn.Conn) (_ net.Conn, routerName string, err error) { func GetHttpRequestInfo(c *conn.Conn) (_ net.Conn, _ map[string]string, err error) {
reqInfoMap := make(map[string]string, 0)
sc, rd := newShareConn(c.TcpConn) sc, rd := newShareConn(c.TcpConn)
request, err := http.ReadRequest(bufio.NewReader(rd)) request, err := http.ReadRequest(bufio.NewReader(rd))
if err != nil { if err != nil {
return sc, "", err return sc, reqInfoMap, err
} }
// hostName
tmpArr := strings.Split(request.Host, ":") tmpArr := strings.Split(request.Host, ":")
routerName = tmpArr[0] reqInfoMap["Host"] = tmpArr[0]
// Authorization
authStr := request.Header.Get("Authorization")
if authStr != "" {
reqInfoMap["Authorization"] = authStr
}
request.Body.Close() request.Body.Close()
return sc, routerName, nil return sc, reqInfoMap, nil
} }
func NewHttpMuxer(listener *conn.Listener, timeout time.Duration) (*HttpMuxer, error) { func NewHttpMuxer(listener *conn.Listener, timeout time.Duration) (*HttpMuxer, error) {
mux, err := NewVhostMuxer(listener, GetHttpHostname, HttpHostNameRewrite, timeout) mux, err := NewVhostMuxer(listener, GetHttpRequestInfo, HttpAuthFunc, HttpHostNameRewrite, timeout)
return &HttpMuxer{mux}, err return &HttpMuxer{mux}, err
} }
@ -169,3 +178,38 @@ func changeHostName(buff *bytes.Buffer, rewriteHost string) (_ []byte, err error
retBuf.Write(peek) retBuf.Write(peek)
return retBuf.Bytes(), err return retBuf.Bytes(), err
} }
func HttpAuthFunc(c *conn.Conn, userName, passWord, authorization string) (bAccess bool, err error) {
s := strings.SplitN(authorization, " ", 2)
if len(s) != 2 {
res := noAuthResponse()
res.Write(c.TcpConn)
return
}
b, err := base64.StdEncoding.DecodeString(s[1])
if err != nil {
return
}
pair := strings.SplitN(string(b), ":", 2)
if len(pair) != 2 {
return
}
if pair[0] != userName || pair[1] != passWord {
return
}
return true, nil
}
func noAuthResponse() *http.Response {
header := make(map[string][]string)
header["WWW-Authenticate"] = []string{`Basic realm="Restricted"`}
res := &http.Response{
Status: "401 Not authorized",
StatusCode: 401,
Proto: "HTTP/1.1",
ProtoMajor: 1,
ProtoMinor: 1,
Header: header,
}
return res
}

View File

@ -48,7 +48,7 @@ type HttpsMuxer struct {
} }
func NewHttpsMuxer(listener *conn.Listener, timeout time.Duration) (*HttpsMuxer, error) { func NewHttpsMuxer(listener *conn.Listener, timeout time.Duration) (*HttpsMuxer, error) {
mux, err := NewVhostMuxer(listener, GetHttpsHostname, nil, timeout) mux, err := NewVhostMuxer(listener, GetHttpsHostname, nil, nil, timeout)
return &HttpsMuxer{mux}, err return &HttpsMuxer{mux}, err
} }
@ -178,11 +178,13 @@ func readHandshake(rd io.Reader) (host string, err error) {
return return
} }
func GetHttpsHostname(c *conn.Conn) (sc net.Conn, routerName string, err error) { func GetHttpsHostname(c *conn.Conn) (sc net.Conn, _ map[string]string, err error) {
reqInfoMap := make(map[string]string, 0)
sc, rd := newShareConn(c.TcpConn) sc, rd := newShareConn(c.TcpConn)
host, err := readHandshake(rd) host, err := readHandshake(rd)
if err != nil { if err != nil {
return sc, "", err return sc, reqInfoMap, err
} }
return sc, host, nil reqInfoMap["Host"] = host
return sc, reqInfoMap, nil
} }

View File

@ -1,5 +1,3 @@
// Copyright 2016 fatedier, fatedier@gmail.com
//
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License. // you may not use this file except in compliance with the License.
// You may obtain a copy of the License at // You may obtain a copy of the License at
@ -26,23 +24,26 @@ import (
"github.com/fatedier/frp/src/utils/conn" "github.com/fatedier/frp/src/utils/conn"
) )
type muxFunc func(*conn.Conn) (net.Conn, string, error) type muxFunc func(*conn.Conn) (net.Conn, map[string]string, error)
type httpAuthFunc func(*conn.Conn, string, string, string) (bool, error)
type hostRewriteFunc func(*conn.Conn, string) (net.Conn, error) type hostRewriteFunc func(*conn.Conn, string) (net.Conn, error)
type VhostMuxer struct { type VhostMuxer struct {
listener *conn.Listener listener *conn.Listener
timeout time.Duration timeout time.Duration
vhostFunc muxFunc vhostFunc muxFunc
authFunc httpAuthFunc
rewriteFunc hostRewriteFunc rewriteFunc hostRewriteFunc
registryMap map[string]*Listener registryMap map[string]*Listener
mutex sync.RWMutex mutex sync.RWMutex
} }
func NewVhostMuxer(listener *conn.Listener, vhostFunc muxFunc, rewriteFunc hostRewriteFunc, timeout time.Duration) (mux *VhostMuxer, err error) { func NewVhostMuxer(listener *conn.Listener, vhostFunc muxFunc, authFunc httpAuthFunc, rewriteFunc hostRewriteFunc, timeout time.Duration) (mux *VhostMuxer, err error) {
mux = &VhostMuxer{ mux = &VhostMuxer{
listener: listener, listener: listener,
timeout: timeout, timeout: timeout,
vhostFunc: vhostFunc, vhostFunc: vhostFunc,
authFunc: authFunc,
rewriteFunc: rewriteFunc, rewriteFunc: rewriteFunc,
registryMap: make(map[string]*Listener), registryMap: make(map[string]*Listener),
} }
@ -51,7 +52,7 @@ func NewVhostMuxer(listener *conn.Listener, vhostFunc muxFunc, rewriteFunc hostR
} }
// listen for a new domain name, if rewriteHost is not empty and rewriteFunc is not nil, then rewrite the host header to rewriteHost // listen for a new domain name, if rewriteHost is not empty and rewriteFunc is not nil, then rewrite the host header to rewriteHost
func (v *VhostMuxer) Listen(name string, rewriteHost string) (l *Listener, err error) { func (v *VhostMuxer) Listen(name string, rewriteHost, userName, passWord string) (l *Listener, err error) {
v.mutex.Lock() v.mutex.Lock()
defer v.mutex.Unlock() defer v.mutex.Unlock()
if _, exist := v.registryMap[name]; exist { if _, exist := v.registryMap[name]; exist {
@ -61,6 +62,8 @@ func (v *VhostMuxer) Listen(name string, rewriteHost string) (l *Listener, err e
l = &Listener{ l = &Listener{
name: name, name: name,
rewriteHost: rewriteHost, rewriteHost: rewriteHost,
userName: userName,
passWord: passWord,
mux: v, mux: v,
accept: make(chan *conn.Conn), accept: make(chan *conn.Conn),
} }
@ -109,13 +112,13 @@ func (v *VhostMuxer) handle(c *conn.Conn) {
return return
} }
sConn, name, err := v.vhostFunc(c) sConn, reqInfoMap, err := v.vhostFunc(c)
if err != nil { if err != nil {
c.Close() c.Close()
return return
} }
name = strings.ToLower(name) name := strings.ToLower(reqInfoMap["Host"])
// get listener by hostname // get listener by hostname
l, ok := v.getListener(name) l, ok := v.getListener(name)
if !ok { if !ok {
@ -123,6 +126,19 @@ func (v *VhostMuxer) handle(c *conn.Conn) {
return return
} }
// if authFunc is exist and userName/password is set
// verify user access
if l.mux.authFunc != nil &&
l.userName != "" && l.passWord != "" {
bAccess, err := l.mux.authFunc(c, l.userName, l.passWord, reqInfoMap["Authorization"])
if bAccess == false || err != nil {
res := noAuthResponse()
res.Write(c.TcpConn)
c.Close()
return
}
}
if err = sConn.SetDeadline(time.Time{}); err != nil { if err = sConn.SetDeadline(time.Time{}); err != nil {
c.Close() c.Close()
return return
@ -135,6 +151,8 @@ func (v *VhostMuxer) handle(c *conn.Conn) {
type Listener struct { type Listener struct {
name string name string
rewriteHost string rewriteHost string
userName string
passWord string
mux *VhostMuxer // for closing VhostMuxer mux *VhostMuxer // for closing VhostMuxer
accept chan *conn.Conn accept chan *conn.Conn
} }
@ -154,6 +172,7 @@ func (l *Listener) Accept() (*conn.Conn, error) {
} }
conn.SetTcpConn(sConn) conn.SetTcpConn(sConn)
} }
return conn, nil return conn, nil
} }