import os, socket, time
import threading
from xml.sax.saxutils import escape

from OpenSSL import SSL

from netlib import tcp, http, certutils, http_status, http_auth
import utils, flow, version, platform, controller
# Destination ports that transparent mode treats as TLS (scheme "https").
TRANSPARENT_SSL_PORTS = [443, 8443]
# Reply value a master returns from a "request"/"response" ask() to have the
# handler drop the flow instead of forwarding it.
KILL = 0
class ProxyError(Exception):
    """
    An error that the handler turns into an HTTP error response for the
    client.

    code: HTTP status code to send.
    msg: human-readable message used as the error page body.
    headers: optional extra response headers (e.g. a Proxy-Authenticate
        challenge), or None.
    """
    def __init__(self, code, msg, headers=None):
        self.code = code
        self.msg = msg
        self.headers = headers

    def __str__(self):
        return "ProxyError(%s, %s)" % (self.code, self.msg)
class Log:
    """
    Message object handed to the master on the "log" channel.

    msg: the already-formatted log text.
    """
    def __init__(self, msg):
        self.msg = msg
class ProxyConfig:
    """
    Bag of proxy settings shared by the server and every handler.

    certfile: path of a user-supplied PEM certificate to present to
        clients, or None to generate dummy certificates.
    cacert: path of the CA file handed to the cert store (and used as the
        private key file when no certfile is set).
    clientcerts: directory holding per-host client certificates, or None.
    no_upstream_cert: when true, dummy certificates are generated without
        first fetching the upstream server's certificate.
    body_size_limit: maximum body size passed to the netlib HTTP readers.
    reverse_proxy / forward_proxy: (scheme, host, port) targets, or None.
    transparent_proxy: dict with "resolver" and "sslports" keys, or None.
    authenticator: proxy-auth object consulted for CONNECT and
        absolute-form requests.
    certstore: a fresh certutils.CertStore caching generated certificates.
    """
    def __init__(self, certfile = None, cacert = None, clientcerts = None, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, forward_proxy=None, transparent_proxy=None, authenticator=None):
        self.certfile, self.cacert, self.clientcerts = certfile, cacert, clientcerts
        self.no_upstream_cert = no_upstream_cert
        self.body_size_limit = body_size_limit
        self.reverse_proxy, self.forward_proxy = reverse_proxy, forward_proxy
        self.transparent_proxy = transparent_proxy
        self.authenticator = authenticator
        # Created last so a CertStore failure leaves no half-built config.
        self.certstore = certutils.CertStore()
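class ServerConnection(tcp.TCPClient):
    """
    One upstream connection, TLS-wrapped when scheme is "https".

    config: the ProxyConfig in force.
    scheme: "http" or "https".
    host, port: upstream address (passed to tcp.TCPClient).
    sni: server name sent in the TLS handshake.
    """
    def __init__(self, config, scheme, host, port, sni):
        tcp.TCPClient.__init__(self, host, port)
        self.config = config
        self.scheme, self.sni = scheme, sni
        # Incremented by send(); lets callers tell a first request apart
        # from a retry on a possibly timed-out connection.
        self.requestcount = 0
        # Set by connect(): when the TCP and TLS setups completed.
        self.tcp_setup_timestamp = None
        self.ssl_setup_timestamp = None

    def _client_cert_path(self):
        """
        Return the path of the per-host client certificate under
        config.clientcerts, or None if clientcerts is unset or no file
        named <idna host>.pem exists there.

        The host name originates from the client's request, so only a
        bare file name is accepted: a name containing a path separator
        would otherwise let the lookup leave the clientcerts directory.
        """
        if not self.config.clientcerts:
            return None
        name = self.host.encode("idna")
        if not name or os.path.basename(name) != name:
            return None
        path = os.path.join(self.config.clientcerts, name) + ".pem"
        if os.path.exists(path):
            return path
        return None

    def connect(self):
        """
        Open the TCP connection and, for https, upgrade it to TLS using the
        configured client certificate (if any) and this connection's SNI.

        Raises ProxyError(400) if the TLS setup fails.
        """
        tcp.TCPClient.connect(self)
        self.tcp_setup_timestamp = time.time()
        if self.scheme == "https":
            clientcert = self._client_cert_path()
            try:
                self.convert_to_ssl(cert=clientcert, sni=self.sni)
                self.ssl_setup_timestamp = time.time()
            except tcp.NetLibError as v:
                raise ProxyError(400, str(v))

    def send(self, request):
        """
        Write an assembled request to the server and flush it.

        Raises ProxyError(502) if the request cannot be assembled.
        """
        self.requestcount += 1
        d = request._assemble()
        if not d:
            raise ProxyError(502, "Cannot transmit an incomplete request.")
        self.wfile.write(d)
        self.wfile.flush()

    def terminate(self):
        """
        Flush pending output (ignoring a peer that already went away) and
        close the socket, if one was ever opened.
        """
        if self.connection:
            try:
                self.wfile.flush()
            except tcp.NetLibDisconnect: # pragma: no cover
                pass
            self.connection.close()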
class RequestReplayThread(threading.Thread):
    """
    Replays a flow's request against its server on a background thread and
    hands the result to the master as a "response" (or "error") event.

    config: the ProxyConfig in force.
    flow: the flow whose request is replayed.
    masterq: queue wrapped in a controller.Channel for talking to the master.
    """
    def __init__(self, config, flow, masterq):
        self.config, self.flow, self.channel = config, flow, controller.Channel(masterq)
        threading.Thread.__init__(self)

    def run(self):
        try:
            req = self.flow.request
            # The request host doubles as the SNI for the replayed connection.
            server = ServerConnection(self.config, req.scheme, req.host, req.port, req.host)
            server.connect()
            server.send(req)
            httpversion, code, msg, headers, content = http.read_response(
                server.rfile, req.method, self.config.body_size_limit
            )
            response = flow.Response(
                req, httpversion, code, msg, headers, content, server.cert,
                server.rfile.first_byte_timestamp
            )
            self.channel.ask("response", response)
        except (ProxyError, http.HttpError, tcp.NetLibError) as v:
            self.channel.ask("error", flow.Error(self.flow.request, str(v)))
class HandleSNI:
    """
    Servername callback installed on the client-facing TLS connection.

    When the client presents a server name it opens the matching upstream
    connection, generates a dummy certificate for that name, swaps a fresh
    context onto the client connection and records the name on the handler.

    handler: the ProxyHandler owning the client connection.
    client_conn: the flow.ClientConnect passed along to the handler.
    host, port: destination the client connected to.
    key: path of the private key file used for the replacement context.
    """
    def __init__(self, handler, client_conn, host, port, key):
        self.handler = handler
        self.client_conn = client_conn
        self.host = host
        self.port = port
        self.key = key

    def __call__(self, client_connection):
        try:
            servername = client_connection.get_servername()
            if not servername:
                return
            self.handler.get_server_connection(self.client_conn, "https", self.host, self.port, servername)
            dummycert = self.handler.find_cert(self.client_conn, self.host, self.port, servername)
            # NOTE(review): TLSv1_METHOD negotiates TLS 1.0 only for the
            # client-facing side; offering newer TLS versions would need a
            # version-flexible method with the old protocols disabled -
            # confirm against the netlib context setup before changing.
            context = SSL.Context(SSL.TLSv1_METHOD)
            context.use_privatekey_file(self.key)
            context.use_certificate(dummycert.x509)
            client_connection.set_context(context)
            self.handler.sni = servername.decode("utf8").encode("idna")
        except Exception: # pragma: no cover
            # An unhandled exception in this callback will core dump
            # PyOpenSSL, so make dang sure nothing escapes from here.
            pass
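class ProxyHandler(tcp.BaseHandler):
    """
    Serves one client connection.

    Requests are read in the mode selected by the config (explicit,
    transparent or reverse proxy), relayed over a single upstream
    ServerConnection, and every stage (client connect/disconnect, request,
    response, error, log lines) is reported to the master through
    `channel`.
    """
    def __init__(self, config, connection, client_address, server, channel, server_version):
        """
        config: the ProxyConfig in force.
        connection, client_address, server: handed to tcp.BaseHandler.
        channel: controller channel used to ask()/tell() the master.
        server_version: string advertised in the Server / Proxy-agent headers.
        """
        self.channel, self.server_version = channel, server_version
        self.config = config
        # Result of a CONNECT handshake - a tuple whose first two items are
        # the tunnelled host and port; None until a CONNECT has been seen.
        self.proxy_connect_state = None
        # Server name from the client's TLS hello, set by HandleSNI.
        self.sni = None
        # The single upstream connection reused across this client's requests.
        self.server_conn = None
        tcp.BaseHandler.__init__(self, connection, client_address, server)

    def get_server_connection(self, cc, scheme, host, port, sni, request=None):
        """
        Return the upstream connection for (scheme, host, port, sni),
        opening a new one when there is none or the current one does not
        match.

        When SNI is in play, this means we have an SSL-encrypted
        connection, which means that the entire handler is dedicated to a
        single server connection - no multiplexing. If this assumption ever
        breaks, we'll have to do something different with the SNI host
        variable on the handler object.

        `conn_info` holds the initial connection's parameters, as the
        serverconnect hook might change them. Also, the hook might require
        an initial request to figure out connection settings; in this case
        it can set require_request, which will cause the connection to be
        re-opened after the client's request arrives.

        Raises ProxyError(502) if the upstream connection cannot be opened.
        """
        sc = self.server_conn
        if not sni:
            sni = host
        conn_info = (scheme, host, port, sni)
        if sc and (conn_info != sc.conn_info or (request and sc.require_request)):
            sc.terminate()
            self.server_conn = None
            # Logged as old -> new.
            self.log(
                cc,
                "switching connection", [
                    "%s://%s:%s (sni=%s) -> %s://%s:%s (sni=%s)"%(
                        sc.scheme, sc.host, sc.port, sc.sni,
                        scheme, host, port, sni
                    )
                ]
            )
        if not self.server_conn:
            try:
                self.server_conn = ServerConnection(self.config, scheme, host, port, sni)

                # Additional attributes, used if the server_connect hook
                # needs to change parameters
                self.server_conn.request = request
                self.server_conn.require_request = False

                self.server_conn.conn_info = conn_info
                self.channel.ask("serverconnect", self.server_conn)
                self.server_conn.connect()
            except tcp.NetLibError as v:
                # str() for consistency with the other ProxyError sites.
                raise ProxyError(502, str(v))
        return self.server_conn

    def del_server_connection(self):
        """Terminate and forget the current upstream connection, if any."""
        if self.server_conn:
            self.server_conn.terminate()
        self.server_conn = None

    def handle(self):
        """
        Serve the client connection: announce it, loop over requests until
        handle_request() reports failure or the client connection is
        flagged closed, then drop the upstream connection and announce the
        disconnect.
        """
        cc = flow.ClientConnect(self.client_address)
        self.log(cc, "connect")
        self.channel.ask("clientconnect", cc)
        while self.handle_request(cc) and not cc.close:
            pass
        cc.close = True
        self.del_server_connection()

        cd = flow.ClientDisconnect(cc)
        self.log(
            cc, "disconnect",
            [
                "handled %s requests"%cc.requestcount]
        )
        self.channel.tell("clientdisconnect", cd)

    def handle_request(self, cc):
        """
        Read one request, run it past the master, forward it upstream
        (unless the master answered with a response of its own), and send
        the response back to the client.

        Returns True when the client connection may carry another request,
        None when it must be closed (EOF, KILL, Connection: close, or any
        error - errors are logged and, for ProxyError, answered with an
        error page).
        """
        try:
            request = None
            request = self.read_request(cc)
            if request is None:
                return
            cc.requestcount += 1

            request_reply = self.channel.ask("request", request)
            if request_reply is None or request_reply == KILL:
                return
            elif isinstance(request_reply, flow.Response):
                # The master supplied the response itself; nothing is sent
                # upstream and `request` is cleared so the error path and
                # the Connection: close check below skip it.
                request = False
                response = request_reply
                response_reply = self.channel.ask("response", response)
            else:
                request = request_reply
                if self.config.reverse_proxy:
                    scheme, host, port = self.config.reverse_proxy
                elif self.config.forward_proxy:
                    scheme, host, port = self.config.forward_proxy
                else:
                    scheme, host, port = request.scheme, request.host, request.port

                # If we've already pumped a request over this connection,
                # it's possible that the server has timed out. If this is
                # the case, we want to reconnect without sending an error
                # to the client.
                while 1:
                    sc = self.get_server_connection(cc, scheme, host, port, self.sni, request=request)
                    sc.send(request)
                    if sc.requestcount == 1: # add timestamps only for first request (others are not directly affected)
                        request.tcp_setup_timestamp = sc.tcp_setup_timestamp
                        request.ssl_setup_timestamp = sc.ssl_setup_timestamp
                    sc.rfile.reset_timestamps()
                    try:
                        peername = sc.connection.getpeername()
                        if peername:
                            request.ip = peername[0]
                        httpversion, code, msg, headers, content = http.read_response(
                            sc.rfile,
                            request.method,
                            self.config.body_size_limit
                        )
                    except http.HttpErrorConnClosed:
                        self.del_server_connection()
                        if sc.requestcount > 1:
                            continue
                        else:
                            raise
                    except http.HttpError:
                        raise ProxyError(502, "Invalid server response.")
                    else:
                        break

                response = flow.Response(
                    request, httpversion, code, msg, headers, content, sc.cert,
                    sc.rfile.first_byte_timestamp
                )
                response_reply = self.channel.ask("response", response)
                # Not replying to the server invalidates the server
                # connection, so we terminate.
                if response_reply == KILL:
                    sc.terminate()

            if response_reply == KILL:
                return
            else:
                response = response_reply
                self.send_response(response)
                if request and http.connection_close(request.httpversion, request.headers):
                    return
                # We could keep the client connection when the server
                # connection needs to go away.  However, we want to mimic
                # behaviour as closely as possible to the client, so we
                # disconnect.
                if http.connection_close(response.httpversion, response.headers):
                    return
        except (IOError, ProxyError, http.HttpError, tcp.NetLibError) as e:
            # ProxyError and HttpError carry a status code; IOError and
            # NetLibError do not.
            if hasattr(e, "code"):
                cc.error = "%s: %s"%(e.code, e.msg)
            else:
                cc.error = str(e)

            if request:
                err = flow.Error(request, cc.error)
                self.channel.ask("error", err)
                self.log(
                    cc, cc.error,
                    ["url: %s"%request.get_url()]
                )
            else:
                self.log(cc, cc.error)
            if isinstance(e, ProxyError):
                self.send_error(e.code, e.msg, e.headers)
        else:
            return True

    def log(self, cc, msg, subs=()):
        """
        Send a log line to the master, prefixed with the client address;
        each entry of `subs` becomes an " -> " continuation line.
        """
        lines = ["%s:%s: "%cc.address + msg]
        lines.extend(" -> " + s for s in subs)
        self.channel.tell("log", Log("\n".join(lines)))

    def find_cert(self, cc, host, port, sni):
        """
        Return the certificate to present to the client for host:port.

        With a user-supplied certfile that file is used as is. Otherwise a
        dummy certificate comes from the cert store; unless
        no_upstream_cert is set, the upstream server's certificate is
        fetched first so its subject CN and alt names can be mirrored.

        Raises ProxyError(502) if no certificate could be produced.
        """
        if self.config.certfile:
            with open(self.config.certfile, "rb") as f:
                return certutils.SSLCert.from_pem(f.read())
        sans = []
        if not self.config.no_upstream_cert:
            conn = self.get_server_connection(cc, "https", host, port, sni)
            sans = conn.cert.altnames
            if conn.cert.cn:
                # Mirror the upstream subject rather than the address the
                # client used.
                host = conn.cert.cn.decode("utf8").encode("idna")
        ret = self.config.certstore.get_cert(host, sans, self.config.cacert)
        if not ret:
            raise ProxyError(502, "Unable to generate dummy cert.")
        return ret

    def establish_ssl(self, client_conn, host, port):
        """
        Upgrade the client connection to TLS, presenting a certificate for
        `host` and installing a HandleSNI callback so a different server
        name in the client hello can be honoured.

        Raises ProxyError(400) if the handshake fails.
        """
        dummycert = self.find_cert(client_conn, host, port, host)
        keyfile = self.config.certfile or self.config.cacert
        sni = HandleSNI(self, client_conn, host, port, keyfile)
        try:
            self.convert_to_ssl(dummycert, keyfile, handle_sni=sni)
        except tcp.NetLibError as v:
            raise ProxyError(400, str(v))

    def get_line(self, fp):
        """
        Get a line, possibly preceded by a blank.
        """
        line = fp.readline()
        if line == "\r\n" or line == "\n": # Possible leftover from previous message
            line = fp.readline()
        return line

    def read_request(self, client_conn):
        """
        Read the next request in the mode selected by the config.

        Returns a flow.Request, or None at end of input.
        """
        self.rfile.reset_timestamps()
        if self.config.transparent_proxy:
            return self.read_request_transparent(client_conn)
        elif self.config.reverse_proxy:
            return self.read_request_reverse(client_conn)
        else:
            return self.read_request_proxy(client_conn)

    def read_request_transparent(self, client_conn):
        """
        Transparent mode: the destination is recovered from the platform
        resolver; ports listed in the config's sslports are treated as https.

        Raises ProxyError(502) if the original destination is unknown.
        """
        orig = self.config.transparent_proxy["resolver"].original_addr(self.connection)
        if not orig:
            raise ProxyError(502, "Transparent mode failure: could not resolve original destination.")
        self.log(client_conn, "transparent to %s:%s"%orig)

        host, port = orig
        if port in self.config.transparent_proxy["sslports"]:
            scheme = "https"
        else:
            scheme = "http"

        return self._read_request_origin_form(client_conn, scheme, host, port)

    def read_request_reverse(self, client_conn):
        """Reverse mode: every request goes to the configured destination."""
        scheme, host, port = self.config.reverse_proxy
        return self._read_request_origin_form(client_conn, scheme, host, port)

    def read_request_proxy(self, client_conn):
        """
        Explicit proxy mode. The first line is either a CONNECT
        (authority-form) that sets up a tunnel, or an absolute-form
        request. Once a CONNECT has been seen, every later request on this
        connection is read in origin-form over TLS to the tunnelled host.

        Returns a flow.Request, or None at end of input.
        """
        line = None
        # Check for a CONNECT command.
        if not self.proxy_connect_state:
            line = self.get_line(self.rfile)
            if line == "":
                return None
            self.proxy_connect_state = self._read_request_authority_form(line)

        # Check for an actual request
        if self.proxy_connect_state:
            host, port, _ = self.proxy_connect_state
            return self._read_request_origin_form(client_conn, "https", host, port)
        # Not a CONNECT, so `line` was read above and is the request line.
        return self._read_request_absolute_form(client_conn, line)

    def _read_request_authority_form(self, line):
        """
        The authority-form of request-target is only used for CONNECT requests.
        The CONNECT method is used to request a tunnel to the destination server.
        This function sends a "200 Connection established" response to the client
        and returns the host information that can be used to process further requests in origin-form.
        An example authority-form request line would be:
            CONNECT www.example.com:80 HTTP/1.1

        Returns None when `line` is not a CONNECT request line. Proxy
        authentication is enforced here (read_headers(authenticate=True)).
        """
        connparts = http.parse_init_connect(line)
        if connparts:
            self.read_headers(authenticate=True)
            # respond according to http://tools.ietf.org/html/draft-luotonen-web-proxy-tunneling-01 section 3.2
            self.wfile.write(
                'HTTP/1.1 200 Connection established\r\n' +
                ('Proxy-agent: %s\r\n'%self.server_version) +
                '\r\n'
            )
            self.wfile.flush()
        return connparts

    def _read_request_absolute_form(self, client_conn, line):
        """
        When making a request to a proxy (other than CONNECT or OPTIONS),
        a client must send the target uri in absolute-form.
        An example absolute-form request line would be:
            GET http://www.example.com/foo.html HTTP/1.1

        Proxy authentication is enforced here. Raises ProxyError(400) on a
        malformed request line.
        """
        r = http.parse_init_proxy(line)
        if not r:
            raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
        method, scheme, host, port, path, httpversion = r
        headers = self.read_headers(authenticate=True)
        return self._finish_request(client_conn, scheme, host, port, method, path, httpversion, headers)

    def _read_request_origin_form(self, client_conn, scheme, host, port):
        """
        Read a HTTP request with regular (origin-form) request line.
        An example origin-form request line would be:
            GET /foo.html HTTP/1.1

        The request destination is already known from one of the following sources:
            1) transparent proxy: destination provided by platform resolver
            2) reverse proxy: fixed destination
            3) regular proxy: known from CONNECT command.

        For https the client connection is upgraded to TLS first, if that
        has not happened yet. Returns None at end of input; raises
        ProxyError(400) on a malformed request line.
        """
        if scheme.lower() == "https" and not self.ssl_established:
            self.establish_ssl(client_conn, host, port)

        line = self.get_line(self.rfile)
        if line == "":
            return None

        r = http.parse_init_http(line)
        if not r:
            raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
        method, path, httpversion = r
        headers = self.read_headers(authenticate=False)
        return self._finish_request(client_conn, scheme, host, port, method, path, httpversion, headers)

    def _finish_request(self, client_conn, scheme, host, port, method, path, httpversion, headers):
        """
        Common tail of request parsing: honour Expect, read the body within
        body_size_limit, and build a live flow.Request bound to this
        connection's streams.
        """
        self.handle_expect_header(headers, httpversion)
        content = http.read_http_body(
            self.rfile, headers, self.config.body_size_limit, True
        )
        r = flow.Request(
            client_conn, httpversion, host, port, scheme, method, path, headers, content,
            self.rfile.first_byte_timestamp, utils.timestamp()
        )
        r.set_live(self.rfile, self.wfile)
        return r

    def handle_expect_header(self, headers, httpversion):
        """
        Honour `Expect: 100-continue` for HTTP/1.1+ clients by sending an
        interim 100 response, then strip the Expect header.
        """
        if "expect" in headers:
            if "100-continue" in headers['expect'] and httpversion >= (1, 1):
                #FIXME: Check if content-length is over limit
                self.wfile.write('HTTP/1.1 100 Continue\r\n'
                                 '\r\n')
                # The client waits for this interim response before sending
                # the body we are about to read, so the buffered write must
                # reach the wire now or both sides stall.
                self.wfile.flush()
            del headers['expect']

    def read_headers(self, authenticate=False):
        """
        Read the request headers. With authenticate=True and an
        authenticator configured, the proxy credentials are checked and
        removed from the headers.

        Raises ProxyError(400) on unparseable headers and ProxyError(407),
        carrying the challenge headers, when authentication fails.
        """
        headers = http.read_headers(self.rfile)
        if headers is None:
            raise ProxyError(400, "Invalid headers")
        if authenticate and self.config.authenticator:
            if self.config.authenticator.authenticate(headers):
                self.config.authenticator.clean(headers)
            else:
                raise ProxyError(
                    407,
                    "Proxy Authentication Required",
                    self.config.authenticator.auth_challenge_headers()
                )
        return headers

    def send_response(self, response):
        """
        Write an assembled response to the client and flush it.

        Raises ProxyError(502) if the response cannot be assembled.
        """
        d = response._assemble()
        if not d:
            raise ProxyError(502, "Cannot transmit an incomplete response.")
        self.wfile.write(d)
        self.wfile.flush()

    def send_error(self, code, body, headers):
        """
        Best-effort: write a minimal HTML error page with status `code`,
        the message `body` and any extra `headers` (e.g. a 407 challenge).
        Failures to write are ignored, since the client may already be gone.
        """
        try:
            reason = http_status.RESPONSES.get(code, "Unknown")
            # `body` is error text that can echo client input (a bad
            # request line is reported via repr()), so HTML-escape it
            # before embedding it in the page.
            html_content = '<html><head>\n<title>%d %s</title>\n</head>\n<body>\n%s\n</body>\n</html>'%(
                code, reason, escape("%s" % (body,))
            )
            self.wfile.write("HTTP/1.1 %s %s\r\n" % (code, reason))
            self.wfile.write("Server: %s\r\n"%self.server_version)
            self.wfile.write("Content-type: text/html\r\n")
            self.wfile.write("Content-Length: %d\r\n"%len(html_content))
            if headers:
                for key, value in headers.items():
                    self.wfile.write("%s: %s\r\n"%(key, value))
            self.wfile.write("Connection: close\r\n")
            self.wfile.write("\r\n")
            self.wfile.write(html_content)
            self.wfile.flush()
        except Exception:
            # Deliberately swallowed: this runs on an already-failing
            # connection; narrowed from a bare except so KeyboardInterrupt
            # and SystemExit still propagate.
            pass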
class ProxyServerError(Exception):
    """Raised by ProxyServer when the listening socket cannot be set up."""
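class ProxyServer(tcp.TCPServer):
    """
    Listening proxy server; each accepted connection is served by a
    ProxyHandler that talks to the master over `channel`.

    config: the ProxyConfig handed to every handler.
    port, address: listening endpoint.
    server_version: string advertised by handlers in Server / Proxy-agent
        headers.
    """
    allow_reuse_address = True
    bound = True
    def __init__(self, config, port, address='', server_version=version.NAMEVERSION):
        """
        Raises ProxyServerError if there's a startup problem.
        """
        self.config, self.port, self.address = config, port, address
        self.server_version = server_version
        try:
            tcp.TCPServer.__init__(self, (address, port))
        except socket.error as v:
            # strerror is None when the error carries no errno (e.g. it was
            # raised with a single message argument); fall back to the
            # exception text so the startup failure is reported instead of
            # a TypeError from concatenating None.
            raise ProxyServerError('Error starting proxy server: ' + (v.strerror or str(v)))
        # Set later via set_channel(), before connections are served.
        self.channel = None

    def start_slave(self, klass, channel):
        """Instantiate klass(channel, self) and start it."""
        slave = klass(channel, self)
        slave.start()

    def set_channel(self, channel):
        """Install the controller channel handlers use to reach the master."""
        self.channel = channel

    def handle_connection(self, request, client_address):
        """
        Serve one accepted client socket to completion. finish() runs even
        if handle() raises, so the connection is not left open.
        """
        h = ProxyHandler(self.config, request, client_address, self, self.channel, self.server_version)
        try:
            h.handle()
        finally:
            h.finish()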
class DummyServer:
    """
    Stand-in for ProxyServer when nothing should listen; it only keeps the
    config and every server operation is a no-op.
    """
    bound = False

    def __init__(self, config):
        self.config = config

    def start_slave(self, *args):
        """No-op: there are no connections to serve."""

    def shutdown(self):
        """No-op: nothing was started."""
# Command-line utils
def certificate_option_group(parser):
    """
    Add the "SSL" argument group (--cert, --client-certs) to an argparse
    parser. Both options default to None and store a plain string.
    """
    group = parser.add_argument_group("SSL")
    specs = [
        ("--cert", "cert", "User-created SSL certificate file."),
        ("--client-certs", "clientcerts", "Client certificate directory."),
    ]
    for flag, dest, help_text in specs:
        group.add_argument(
            flag, action="store",
            type=str, dest=dest, default=None,
            help=help_text
        )
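def process_proxy_options(parser, options):
    """
    Validate the parsed command-line `options` and build a ProxyConfig.

    Every validation failure is reported via parser.error(), whose result
    is returned so that a parser which does not exit still ends this
    function. Side effects: ~ is expanded in place on options.cert and
    options.clientcerts, and a dummy CA is created under options.confdir
    when none exists yet. `platform` is mitmproxy's own module, not the
    standard library one.
    """
    if options.cert:
        options.cert = os.path.expanduser(options.cert)
        if not os.path.exists(options.cert):
            return parser.error("Manually created certificate does not exist: %s"%options.cert)

    cacert = os.path.join(options.confdir, "mitmproxy-ca.pem")
    cacert = os.path.expanduser(cacert)
    if not os.path.exists(cacert):
        certutils.dummy_ca(cacert)
    body_size_limit = utils.parse_size(options.body_size_limit)
    if options.reverse_proxy and options.transparent_proxy:
        return parser.error("Can't set both reverse proxy and transparent proxy.")

    trans = None
    if options.transparent_proxy:
        if not platform.resolver:
            return parser.error("Transparent mode not supported on this platform.")
        trans = dict(
            resolver = platform.resolver(),
            sslports = TRANSPARENT_SSL_PORTS
        )

    rp = None
    if options.reverse_proxy:
        rp = utils.parse_proxy_spec(options.reverse_proxy)
        if not rp:
            return parser.error("Invalid reverse proxy specification: %s"%options.reverse_proxy)

    fp = None
    if options.forward_proxy:
        fp = utils.parse_proxy_spec(options.forward_proxy)
        if not fp:
            return parser.error("Invalid forward proxy specification: %s"%options.forward_proxy)

    if options.clientcerts:
        options.clientcerts = os.path.expanduser(options.clientcerts)
        if not os.path.exists(options.clientcerts) or not os.path.isdir(options.clientcerts):
            return parser.error(
                "Client certificate directory does not exist or is not a directory: %s"%options.clientcerts
            )

    if (options.auth_nonanonymous or options.auth_singleuser or options.auth_htpasswd):
        if options.auth_singleuser:
            # Exactly one ':' is accepted, so neither part may contain one.
            parts = options.auth_singleuser.split(':')
            if len(parts) != 2:
                return parser.error("Invalid single-user specification. Please use the format username:password")
            username, password = parts
            password_manager = http_auth.PassManSingleUser(username, password)
        elif options.auth_nonanonymous:
            password_manager = http_auth.PassManNonAnon()
        elif options.auth_htpasswd:
            try:
                password_manager = http_auth.PassManHtpasswd(options.auth_htpasswd)
            except ValueError as v:
                # str(v) rather than the Python-2-only BaseException.message.
                return parser.error(str(v))
        authenticator = http_auth.BasicProxyAuth(password_manager, "mitmproxy")
    else:
        authenticator = http_auth.NullProxyAuth(None)

    return ProxyConfig(
        certfile = options.cert,
        cacert = cacert,
        clientcerts = options.clientcerts,
        body_size_limit = body_size_limit,
        no_upstream_cert = options.no_upstream_cert,
        reverse_proxy = rp,
        forward_proxy = fp,
        transparent_proxy = trans,
        authenticator = authenticator
    )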