mirror of
https://github.com/boringproxy/boringproxy.git
synced 2025-02-25 18:55:29 -06:00
8653583cec
Added X-Forwarded-For and Forwarded for server TLS termination. Haven't yet figured out a way to make this work for client TLS termination.
116 lines
2.9 KiB
Go
116 lines
2.9 KiB
Go
package boringproxy
|
|
|
|
import (
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
func proxyRequest(w http.ResponseWriter, r *http.Request, tunnel Tunnel, httpClient *http.Client, port int) {
|
|
|
|
if tunnel.AuthUsername != "" || tunnel.AuthPassword != "" {
|
|
username, password, ok := r.BasicAuth()
|
|
if !ok {
|
|
w.Header()["WWW-Authenticate"] = []string{"Basic"}
|
|
w.WriteHeader(401)
|
|
return
|
|
}
|
|
|
|
if username != tunnel.AuthUsername || password != tunnel.AuthPassword {
|
|
w.Header()["WWW-Authenticate"] = []string{"Basic"}
|
|
w.WriteHeader(401)
|
|
// TODO: should probably use a better form of rate limiting
|
|
time.Sleep(2 * time.Second)
|
|
return
|
|
}
|
|
}
|
|
|
|
downstreamReqHeaders := r.Header.Clone()
|
|
|
|
// TODO: should probably pass in address instead of using localhost,
|
|
// mostly for client-terminated TLS
|
|
upstreamAddr := fmt.Sprintf("localhost:%d", port)
|
|
upstreamUrl := fmt.Sprintf("http://%s%s", upstreamAddr, r.URL.RequestURI())
|
|
|
|
upstreamReq, err := http.NewRequest(r.Method, upstreamUrl, r.Body)
|
|
if err != nil {
|
|
errMessage := fmt.Sprintf("%s", err)
|
|
w.WriteHeader(500)
|
|
io.WriteString(w, errMessage)
|
|
return
|
|
}
|
|
|
|
// ContentLength needs to be set manually because otherwise it is
|
|
// stripped by golang. See:
|
|
// https://golang.org/pkg/net/http/#Request.Write
|
|
upstreamReq.ContentLength = r.ContentLength
|
|
|
|
upstreamReq.Header = downstreamReqHeaders
|
|
|
|
upstreamReq.Header["X-Forwarded-Host"] = []string{r.Host}
|
|
|
|
// TODO: Handle IPv6 addresses
|
|
addrParts := strings.Split(r.RemoteAddr, ":")
|
|
remoteIp := addrParts[0]
|
|
|
|
xForwardedFor := downstreamReqHeaders.Get("X-Forwarded-For")
|
|
if xForwardedFor == "" {
|
|
xForwardedFor = remoteIp
|
|
} else {
|
|
xForwardedFor = xForwardedFor + ", " + remoteIp
|
|
}
|
|
upstreamReq.Header.Set("X-Forwarded-For", xForwardedFor)
|
|
|
|
upstreamReq.Header.Set("Forwarded", fmt.Sprintf("for=%s", remoteIp))
|
|
|
|
upstreamReq.Host = fmt.Sprintf("%s:%d", tunnel.ClientAddress, tunnel.ClientPort)
|
|
|
|
upstreamRes, err := httpClient.Do(upstreamReq)
|
|
if err != nil {
|
|
errMessage := fmt.Sprintf("%s", err)
|
|
w.WriteHeader(502)
|
|
io.WriteString(w, errMessage)
|
|
return
|
|
}
|
|
defer upstreamRes.Body.Close()
|
|
|
|
var forwardHeaders map[string][]string
|
|
|
|
if r.ProtoMajor > 1 {
|
|
forwardHeaders = stripConnectionHeaders(upstreamRes.Header)
|
|
} else {
|
|
forwardHeaders = upstreamRes.Header
|
|
}
|
|
|
|
downstreamResHeaders := w.Header()
|
|
|
|
for k, v := range forwardHeaders {
|
|
downstreamResHeaders[k] = v
|
|
}
|
|
|
|
w.WriteHeader(upstreamRes.StatusCode)
|
|
io.Copy(w, upstreamRes.Body)
|
|
}
|
|
|
|
// Need to strip out headers that shouldn't be forwarded from HTTP/1.1 to
|
|
// HTTP/2. See https://tools.ietf.org/html/rfc7540#section-8.1.2.2
|
|
var connectionHeaders = []string{
|
|
"Connection", "Keep-Alive", "Proxy-Connection", "Transfer-Encoding", "Upgrade",
|
|
}
|
|
|
|
func stripConnectionHeaders(headers map[string][]string) map[string][]string {
|
|
forwardHeaders := make(map[string][]string)
|
|
|
|
for k, v := range headers {
|
|
if stringInArray(k, connectionHeaders) {
|
|
continue
|
|
}
|
|
|
|
forwardHeaders[k] = v
|
|
}
|
|
|
|
return forwardHeaders
|
|
}
|