From 6057ffca8037daf2d148ccfbdf58c8e2e824ac9d Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Tue, 20 Nov 2018 16:07:52 +0000
Subject: [PATCH 1/2] use CONNECT method if request contains upgrade header

this should allow using websockets or other upgraded connections on a standard (non-encrypted) proxified HTTP connection.

testcase:

$ telnet localhost 8888
GET / HTTP/1.1
Host: echo.websocket.org:80
Upgrade: websocket
Connection: Upgrade
Origin: http://echo.websocket.org
Sec-WebSocket-Key: 5KNqfsPZ9m/BbeRlVpf7MQ==
Sec-WebSocket-Version: 13
---
 src/reqs.c | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/src/reqs.c b/src/reqs.c
index a6289a4..dfa56b1 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -90,7 +90,7 @@
 * connections. The request line is allocated from the heap, but it must
 * be freed in another function.
 */
-static int read_request_line (struct conn_s *connptr)
+static int read_request_line (struct conn_s *connptr, char** lines, size_t* lines_len)
 {
 ssize_t len;
 
@@ -104,6 +104,12 @@ retry:
 return -1;
 }
 
+ *lines = saferealloc(*lines, *lines_len + len + 1);
+ if(*lines) {
+ strcpy(*lines + *lines_len, connptr->request_line);
+ *lines_len += len;
+ }
+
 /*
 * Strip the new line and carriage return from the string.
 */
@@ -672,7 +678,7 @@ add_header_to_connection (orderedmap hashofheaders, char *header, size_t len)
 /*
 * Read all the headers from the stream
 */
-static int get_all_headers (int fd, orderedmap hashofheaders)
+static int get_all_headers (int fd, orderedmap hashofheaders, char** lines, size_t* lines_len)
 {
 char *line = NULL;
 char *header = NULL;
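Review bot: The comment above `read_request_line` still only says that the request line is heap-allocated and freed elsewhere; the new `lines`/`lines_len` out-parameters, which the hunk at -672 adds to `get_all_headers` as well, are undocumented. I would extend the comment with: ` * lines and lines_len must be non-NULL: the raw request line (as read, before the CR LF is stripped) is appended to *lines, which is grown with saferealloc and stays owned by the caller, and *lines_len is advanced by its length.` A matching sentence on `get_all_headers` should say that when `lines` is non-NULL every header line read is appended the same way, apparently including the terminating CR LF line since the append precedes the CR LF check. Both function bodies continue outside their hunks.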
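Review bot: `*lines = saferealloc(*lines, *lines_len + len + 1);` overwrites the only pointer to the existing buffer, so if saferealloc returns NULL (as the following `if(*lines)` anticipates) the old block leaks, `*lines` becomes NULL while `*lines_len` keeps its previous value, and the function still returns success; the hunk at -692 has the same pattern. handle_connection later passes that NULL buffer and stale length to `safe_write` whenever an Upgrade header is present (hunk at -1739), so the failure should be fatal here: `char *tmp = saferealloc(*lines, *lines_len + len + 1); if (!tmp) return -1; *lines = tmp;`. Unlike `get_all_headers`, this function dereferences `lines` and `lines_len` without a NULL check, so either guard them the same way or state in the comment that callers must pass both. read_request_line's body continues outside the hunk.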
@@ -692,6 +698,14 @@ static int get_all_headers (int fd, orderedmap hashofheaders)
 return -1;
 }
 
+ if(lines) {
+ *lines = saferealloc(*lines, *lines_len + linelen + 1);
+ if(*lines) {
+ strcpy(*lines + *lines_len, line);
+ *lines_len += linelen;
+ }
+ }
+
 /*
 * If we received a CR LF or a non-continuation line, then add
 * the accumulated header field, if any, to the hashmap, and
@@ -1062,7 +1076,7 @@ retry:
 /*
 * Get all the headers from the remote server in a big hash
 */
- if (get_all_headers (connptr->server_fd, hashofheaders) < 0) {
+ if (get_all_headers (connptr->server_fd, hashofheaders, NULL, NULL) < 0) {
 log_message (LOG_WARNING,
 "Could not retrieve all the headers from the remote server.");
 orderedmap_destroy (hashofheaders);
@@ -1577,6 +1591,8 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
 
 char sock_ipaddr[IP_LENGTH];
 char peer_ipaddr[IP_LENGTH];
+ char *lines = NULL;
+ size_t lines_len = 0;
 
 getpeer_information (addr, peer_ipaddr, sizeof(peer_ipaddr));
 
@@ -1620,7 +1636,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
 HC_FAIL();
 }
 
- if (read_request_line (connptr) < 0) {
+ if (read_request_line (connptr, &lines, &lines_len) < 0) {
 update_stats (STAT_BADCONN);
 indicate_http_error (connptr, 408, "Timeout",
 "detail",
@@ -1646,7 +1662,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
 /*
 * Get all the headers from the client in a big hash.
 */
- if (get_all_headers (connptr->client_fd, hashofheaders) < 0) {
+ if (get_all_headers (connptr->client_fd, hashofheaders, &lines, &lines_len) < 0) {
 log_message (LOG_WARNING,
 "Could not retrieve all the headers from the client");
 indicate_http_error (connptr, 400, "Bad Request",
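Review bot: The guard `if(lines) {` on the new block goes on to dereference `*lines_len` without checking `lines_len`, so the two out-parameters must be either both NULL or both set; the call sites honor that (`NULL, NULL` at -1062, `&lines, &lines_len` at -1646) but nothing enforces it. Either test both, `if (lines && lines_len) {`, or say in the comment above the function that the pair must be passed together. get_all_headers's body continues on both sides of the hunk.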
@@ -1739,6 +1755,11 @@ e401:
 "file descriptor %d.", request->host,
 connptr->server_fd);
 
+ if(orderedmap_find (hashofheaders, "upgrade")) {
+ connptr->connect_method = TRUE;
+ safe_write (connptr->server_fd, lines, lines_len);
+ }
+
 if (!connptr->connect_method)
 establish_http_connection (connptr, request);
 }
@@ -1783,6 +1804,7 @@ e401:
 connptr->client_fd, connptr->server_fd);
 
 done:
+ safefree(lines);
 free_request_struct (request);
 orderedmap_destroy (hashofheaders);
 conn_destroy_contents (connptr);

From 991e47d8ebd4b12710828b2b486535e4c25ba26c Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Sat, 29 Dec 2018 16:39:04 +0000
Subject: [PATCH 2/2] connection upgrade: do not emit 200 header when establishing conn

a tri-state connect_method enum was introduced for this purpose. if connect_method is set to CM_UPGRADE, the "HTTP/1.0 200 Connection established" response won't be emitted.
---
 src/conns.h | 9 ++++++++-
 src/reqs.c | 6 ++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/conns.h b/src/conns.h
index 9618efb..2f33b36 100644
--- a/src/conns.h
+++ b/src/conns.h
@@ -24,6 +24,12 @@
 #include "main.h"
 #include "hsearch.h"
 
+enum connect_method_e {
+ CM_FALSE = 0,
+ CM_TRUE = 1,
+ CM_UPGRADE = 2,
+};
+
 /*
 * Connection Definition
 */
@@ -37,8 +43,9 @@ struct conn_s {
 /* The request line (first line) from the client */
 char *request_line;
 
+ enum connect_method_e connect_method;
+
 /* Booleans */
- unsigned int connect_method;
 unsigned int show_stats;
 
 /*
diff --git a/src/reqs.c b/src/reqs.c
index dfa56b1..911fb34 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -454,7 +454,7 @@ BAD_REQUEST_ERROR:
 goto fail;
 }
 
- connptr->connect_method = TRUE;
+ connptr->connect_method = CM_TRUE;
 } else {
 #ifdef TRANSPARENT_PROXY
 if (!do_transparent_proxy
@@ -1756,7 +1756,7 @@ e401:
 connptr->server_fd);
 
 if(orderedmap_find (hashofheaders, "upgrade")) {
- connptr->connect_method = TRUE;
+ connptr->connect_method = CM_UPGRADE;
 safe_write (connptr->server_fd, lines, lines_len);
 }
 
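Review bot: The return value of `safe_write (connptr->server_fd, lines, lines_len);` is ignored, so a failed or short write of the replayed request leaves the tunnel open against a server that never received the full request; check it, e.g. `if (safe_write (connptr->server_fd, lines, lines_len) < 0) HC_FAIL();` (HC_FAIL is the failure macro handle_connection already uses, see the hunk at -1620). `lines` holds the client's request line and every header byte-for-byte (hunks at -104 and -692), so whatever the client sent to the proxy is replayed to the upstream server verbatim — including a Proxy-Authorization header if the client sent one, i.e. credentials intended for this proxy, and any header the proxy would normally strip — and since connect_method is now set, the `if (!connptr->connect_method)` branches presumably skip the usual client-header processing for this request. The proxy-specific hop-by-hop headers (Proxy-Authorization, Proxy-Connection) should at least be removed before the block is written, or the forwarded request should be rebuilt from hashofheaders instead of replayed raw. The trigger also only tests for an `upgrade` key, whereas RFC 7230 §6.7 has a server ignore Upgrade unless `Connection: Upgrade` is also present, so requiring both avoids switching to tunnel mode on a stray Upgrade header. handle_connection continues on both sides of the hunk.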
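Review bot: The new `enum connect_method_e` in conns.h carries no comment, and its `CM_FALSE = 0` is load-bearing because the existing `if (!connptr->connect_method)` tests (hunk at -1739 of the first patch) still treat the field as a boolean, which a reader of the header cannot see. I would put above the enum: `/* CM_FALSE: plain HTTP request. CM_TRUE: CONNECT request, client gets a 200 Connection established response. CM_UPGRADE: request carried an Upgrade header, the raw client request is replayed to the server and no 200 response is sent. CM_FALSE must stay 0, the field is still tested as a boolean. */`. The hunk at -37 correctly moves the field out from under the `/* Booleans */` comment now that it is tri-state.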
@@ -1786,6 +1786,8 @@ e401:
 HC_FAIL();
 }
+ } else if (connptr->connect_method == CM_UPGRADE) {
+ /* NOP */ ;
 } else {
 if (send_ssl_response (connptr) < 0) {
 log_message (LOG_ERR,