remove old code
This commit is contained in:
parent
08655cb956
commit
3873e08339
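--- a/<path not shown on page>
+++ /dev/null
@@ -1,37 +0,0 @@
-# This script makes mitmproxy switch to passthrough mode for all HTTP
-# responses with "Connection: Upgrade" header. This is useful to make
-# WebSockets work in untrusted environments.
-#
-# Note: Chrome (and possibly other browsers), when explicitly configured
-# to use a proxy (i.e. mitmproxy's regular mode), send a CONNECT request
-# to the proxy before they initiate the websocket connection.
-# To make WebSockets work in these cases, supply
-# `--ignore :80$` as an additional parameter.
-# (see http://mitmproxy.org/doc/features/passthrough.html)
-
-import netlib.http.semantics
-
-from libmproxy.protocol.tcp import TCPHandler
-from libmproxy.protocol import KILL
-from libmproxy.script import concurrent
-
-
-def start(context, argv):
-    netlib.http.semantics.Request._headers_to_strip_off.remove("Connection")
-    netlib.http.semantics.Request._headers_to_strip_off.remove("Upgrade")
-
-
-def done(context):
-    netlib.http.semantics.Request._headers_to_strip_off.append("Connection")
-    netlib.http.semantics.Request._headers_to_strip_off.append("Upgrade")
-
-
-@concurrent
-def response(context, flow):
-    value = flow.response.headers.get_first("Connection", None)
-    if value and value.upper() == "UPGRADE":
-        # We need to send the response manually now...
-        flow.client_conn.send(flow.client_conn.protocol.assemble(flow.response))
-        # ...and then delegate to tcp passthrough.
-        TCPHandler(flow.live.c, log=False).handle_messages()
-        flow.reply(KILL)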
@ -8,15 +8,16 @@ import Cookie
|
|||||||
import cookielib
|
import cookielib
|
||||||
import os
|
import os
|
||||||
import re
|
import re
|
||||||
|
from libmproxy.protocol.http import HTTPFlow
|
||||||
from libmproxy.protocol2.http_replay import RequestReplayThread
|
from libmproxy.protocol2.http_replay import RequestReplayThread
|
||||||
|
|
||||||
from netlib import odict, wsgi, tcp
|
from netlib import odict, wsgi
|
||||||
from netlib.http.semantics import CONTENT_MISSING
|
from netlib.http.semantics import CONTENT_MISSING
|
||||||
import netlib.http
|
import netlib.http
|
||||||
|
|
||||||
from . import controller, protocol, tnetstring, filt, script, version
|
from . import controller, protocol, tnetstring, filt, script, version
|
||||||
from .onboarding import app
|
from .onboarding import app
|
||||||
from .protocol import http, handle
|
from .protocol import http
|
||||||
from .proxy.config import HostMatcher
|
from .proxy.config import HostMatcher
|
||||||
from .proxy.connection import ClientConnection, ServerConnection
|
from .proxy.connection import ClientConnection, ServerConnection
|
||||||
import urlparse
|
import urlparse
|
||||||
@ -1090,7 +1091,7 @@ class FlowReader:
|
|||||||
"Incompatible serialized data version: %s" % v
|
"Incompatible serialized data version: %s" % v
|
||||||
)
|
)
|
||||||
off = self.fo.tell()
|
off = self.fo.tell()
|
||||||
yield handle.protocols[data["type"]]["flow"].from_state(data)
|
yield HTTPFlow.from_state(data)
|
||||||
except ValueError as v:
|
except ValueError as v:
|
||||||
# Error is due to EOF
|
# Error is due to EOF
|
||||||
if self.fo.tell() == off and self.fo.read() == '':
|
if self.fo.tell() == off and self.fo.read() == '':
|
||||||
|
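Review bot: `yield HTTPFlow.from_state(data)` now deserializes every record as an HTTPFlow regardless of `data["type"]`, where the removed `handle.protocols[...]` lookup at least failed loudly on an unknown type; a flow file written with a different type would be silently coerced. Since the reader already rejects a version mismatch a few lines above, keeping the type check explicit reads naturally next to it: `if data.get("type", "http") != "http":` followed by a raise of the same exception class used for the version error (outside the hunk) with `"Unsupported flow type: %s" % data.get("type")`, placed before the `yield`. Avoid raising ValueError here, because the `except ValueError` below treats that as a possible EOF. The enclosing FlowReader method starts and ends outside the hunk.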
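--- a/<path not shown on page>
+++ /dev/null
@@ -1,20 +0,0 @@
-from __future__ import absolute_import
-from . import http, tcp
-
-protocols = {
-    'http': dict(handler=http.HTTPHandler, flow=http.HTTPFlow),
-    'tcp': dict(handler=tcp.TCPHandler)
-}
-
-
-def protocol_handler(protocol):
-    """
-    @type protocol: str
-    @returns: libmproxy.protocol.primitives.ProtocolHandler
-    """
-    if protocol in protocols:
-        return protocols[protocol]["handler"]
-
-    raise NotImplementedError(
-        "Unknown Protocol: %s" %
-        protocol)  # pragma: nocover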
@ -1,62 +1,9 @@
|
|||||||
from __future__ import absolute_import
|
from __future__ import absolute_import
|
||||||
import Cookie
|
|
||||||
import copy
|
|
||||||
import threading
|
|
||||||
import time
|
|
||||||
import urllib
|
|
||||||
import urlparse
|
|
||||||
from email.utils import parsedate_tz, formatdate, mktime_tz
|
|
||||||
|
|
||||||
import netlib
|
from .primitives import Flow
|
||||||
from netlib import http, tcp, odict, utils, encoding
|
|
||||||
from netlib.http import cookies, http1, http2
|
|
||||||
from netlib.http.http1 import HTTP1Protocol
|
|
||||||
from netlib.http.semantics import CONTENT_MISSING
|
|
||||||
|
|
||||||
from .tcp import TCPHandler
|
|
||||||
from .primitives import KILL, ProtocolHandler, Flow, Error
|
|
||||||
from ..proxy.connection import ServerConnection
|
|
||||||
from .. import utils, controller, stateobject, proxy
|
|
||||||
|
|
||||||
from .http_wrappers import decoded, HTTPRequest, HTTPResponse
|
from .http_wrappers import decoded, HTTPRequest, HTTPResponse
|
||||||
|
|
||||||
|
|
||||||
class KillSignal(Exception):
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
||||||
def send_connect_request(conn, host, port, update_state=True):
|
|
||||||
upstream_request = HTTPRequest(
|
|
||||||
"authority",
|
|
||||||
"CONNECT",
|
|
||||||
None,
|
|
||||||
host,
|
|
||||||
port,
|
|
||||||
None,
|
|
||||||
(1, 1),
|
|
||||||
odict.ODictCaseless(),
|
|
||||||
""
|
|
||||||
)
|
|
||||||
|
|
||||||
# we currently only support HTTP/1 CONNECT requests
|
|
||||||
protocol = http1.HTTP1Protocol(conn)
|
|
||||||
|
|
||||||
conn.send(protocol.assemble(upstream_request))
|
|
||||||
resp = HTTPResponse.from_protocol(protocol, upstream_request.method)
|
|
||||||
if resp.status_code != 200:
|
|
||||||
raise proxy.ProxyError(resp.status_code,
|
|
||||||
"Cannot establish SSL " +
|
|
||||||
"connection with upstream proxy: \r\n" +
|
|
||||||
repr(resp))
|
|
||||||
if update_state:
|
|
||||||
conn.state.append(("http", {
|
|
||||||
"state": "connect",
|
|
||||||
"host": host,
|
|
||||||
"port": port}
|
|
||||||
))
|
|
||||||
return resp
|
|
||||||
|
|
||||||
|
|
||||||
class HTTPFlow(Flow):
|
class HTTPFlow(Flow):
|
||||||
"""
|
"""
|
||||||
A HTTPFlow is a collection of objects representing a single HTTP
|
A HTTPFlow is a collection of objects representing a single HTTP
|
||||||
@ -143,556 +90,3 @@ class HTTPFlow(Flow):
|
|||||||
if self.response:
|
if self.response:
|
||||||
c += self.response.replace(pattern, repl, *args, **kwargs)
|
c += self.response.replace(pattern, repl, *args, **kwargs)
|
||||||
return c
|
return c
|
||||||
|
|
||||||
|
|
||||||
class HTTPHandler(ProtocolHandler):
|
|
||||||
"""
|
|
||||||
HTTPHandler implements mitmproxys understanding of the HTTP protocol.
|
|
||||||
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self, c):
|
|
||||||
super(HTTPHandler, self).__init__(c)
|
|
||||||
self.expected_form_in = c.config.mode.http_form_in
|
|
||||||
self.expected_form_out = c.config.mode.http_form_out
|
|
||||||
self.skip_authentication = False
|
|
||||||
|
|
||||||
def handle_messages(self):
|
|
||||||
while self.handle_flow():
|
|
||||||
pass
|
|
||||||
|
|
||||||
def get_response_from_server(self, flow):
|
|
||||||
self.c.establish_server_connection()
|
|
||||||
|
|
||||||
for attempt in (0, 1):
|
|
||||||
try:
|
|
||||||
if not self.c.server_conn.protocol:
|
|
||||||
# instantiate new protocol if connection does not have one yet
|
|
||||||
# TODO: select correct protocol based on ALPN (?)
|
|
||||||
self.c.server_conn.protocol = http1.HTTP1Protocol(self.c.server_conn)
|
|
||||||
# self.c.server_conn.protocol = http2.HTTP2Protocol(self.c.server_conn)
|
|
||||||
# self.c.server_conn.protocol.perform_connection_preface()
|
|
||||||
|
|
||||||
self.c.server_conn.send(self.c.server_conn.protocol.assemble(flow.request))
|
|
||||||
|
|
||||||
# Only get the headers at first...
|
|
||||||
flow.response = HTTPResponse.from_protocol(
|
|
||||||
self.c.server_conn.protocol,
|
|
||||||
flow.request.method,
|
|
||||||
body_size_limit=self.c.config.body_size_limit,
|
|
||||||
include_body=False,
|
|
||||||
)
|
|
||||||
break
|
|
||||||
except (tcp.NetLibError, http.HttpErrorConnClosed) as v:
|
|
||||||
self.c.log(
|
|
||||||
"error in server communication: %s" % repr(v),
|
|
||||||
level="debug"
|
|
||||||
)
|
|
||||||
if attempt == 0:
|
|
||||||
# In any case, we try to reconnect at least once. This is
|
|
||||||
# necessary because it might be possible that we already
|
|
||||||
# initiated an upstream connection after clientconnect that
|
|
||||||
# has already been expired, e.g consider the following event
|
|
||||||
# log:
|
|
||||||
# > clientconnect (transparent mode destination known)
|
|
||||||
# > serverconnect
|
|
||||||
# > read n% of large request
|
|
||||||
# > server detects timeout, disconnects
|
|
||||||
# > read (100-n)% of large request
|
|
||||||
# > send large request upstream
|
|
||||||
self.c.server_reconnect()
|
|
||||||
else:
|
|
||||||
raise
|
|
||||||
|
|
||||||
# call the appropriate script hook - this is an opportunity for an
|
|
||||||
# inline script to set flow.stream = True
|
|
||||||
flow = self.c.channel.ask("responseheaders", flow)
|
|
||||||
if flow is None or flow == KILL:
|
|
||||||
raise KillSignal()
|
|
||||||
else:
|
|
||||||
# now get the rest of the request body, if body still needs to be
|
|
||||||
# read but not streaming this response
|
|
||||||
if flow.response.stream:
|
|
||||||
flow.response.content = CONTENT_MISSING
|
|
||||||
else:
|
|
||||||
if isinstance(self.c.server_conn.protocol, http1.HTTP1Protocol):
|
|
||||||
# streaming is only supported with HTTP/1 at the moment
|
|
||||||
flow.response.content = self.c.server_conn.protocol.read_http_body(
|
|
||||||
flow.response.headers,
|
|
||||||
self.c.config.body_size_limit,
|
|
||||||
flow.request.method,
|
|
||||||
flow.response.code,
|
|
||||||
False
|
|
||||||
)
|
|
||||||
flow.response.timestamp_end = utils.timestamp()
|
|
||||||
|
|
||||||
def handle_flow(self):
|
|
||||||
flow = HTTPFlow(self.c.client_conn, self.c.server_conn, self.live)
|
|
||||||
|
|
||||||
try:
|
|
||||||
try:
|
|
||||||
if not flow.client_conn.protocol:
|
|
||||||
# instantiate new protocol if connection does not have one yet
|
|
||||||
# the first request might be a CONNECT - which is currently only supported with HTTP/1
|
|
||||||
flow.client_conn.protocol = http1.HTTP1Protocol(self.c.client_conn)
|
|
||||||
|
|
||||||
req = HTTPRequest.from_protocol(
|
|
||||||
flow.client_conn.protocol,
|
|
||||||
body_size_limit=self.c.config.body_size_limit
|
|
||||||
)
|
|
||||||
except tcp.NetLibError:
|
|
||||||
# don't throw an error for disconnects that happen
|
|
||||||
# before/between requests.
|
|
||||||
return False
|
|
||||||
|
|
||||||
self.c.log(
|
|
||||||
"request",
|
|
||||||
"debug",
|
|
||||||
[repr(req)]
|
|
||||||
)
|
|
||||||
ret = self.process_request(flow, req)
|
|
||||||
if ret:
|
|
||||||
# instantiate new protocol if connection does not have one yet
|
|
||||||
# TODO: select correct protocol based on ALPN (?)
|
|
||||||
flow.client_conn.protocol = http1.HTTP1Protocol(self.c.client_conn)
|
|
||||||
# flow.client_conn.protocol = http2.HTTP2Protocol(self.c.client_conn, is_server=True)
|
|
||||||
if ret is not None:
|
|
||||||
return ret
|
|
||||||
|
|
||||||
# Be careful NOT to assign the request to the flow before
|
|
||||||
# process_request completes. This is because the call can raise an
|
|
||||||
# exception. If the request object is already attached, this results
|
|
||||||
# in an Error object that has an attached request that has not been
|
|
||||||
# sent through to the Master.
|
|
||||||
flow.request = req
|
|
||||||
request_reply = self.c.channel.ask("request", flow)
|
|
||||||
if request_reply is None or request_reply == KILL:
|
|
||||||
raise KillSignal()
|
|
||||||
|
|
||||||
# The inline script may have changed request.host
|
|
||||||
self.process_server_address(flow)
|
|
||||||
|
|
||||||
if isinstance(request_reply, HTTPResponse):
|
|
||||||
flow.response = request_reply
|
|
||||||
else:
|
|
||||||
self.get_response_from_server(flow)
|
|
||||||
|
|
||||||
# no further manipulation of self.c.server_conn beyond this point
|
|
||||||
# we can safely set it as the final attribute value here.
|
|
||||||
flow.server_conn = self.c.server_conn
|
|
||||||
|
|
||||||
self.c.log(
|
|
||||||
"response",
|
|
||||||
"debug",
|
|
||||||
[repr(flow.response)]
|
|
||||||
)
|
|
||||||
response_reply = self.c.channel.ask("response", flow)
|
|
||||||
if response_reply is None or response_reply == KILL:
|
|
||||||
raise KillSignal()
|
|
||||||
|
|
||||||
self.send_response_to_client(flow)
|
|
||||||
|
|
||||||
if self.check_close_connection(flow):
|
|
||||||
return False
|
|
||||||
|
|
||||||
# We sent a CONNECT request to an upstream proxy.
|
|
||||||
if flow.request.form_in == "authority" and flow.response.code == 200:
|
|
||||||
# TODO: Possibly add headers (memory consumption/usefulness
|
|
||||||
# tradeoff) Make sure to add state info before the actual
|
|
||||||
# processing of the CONNECT request happens. During an SSL
|
|
||||||
# upgrade, we may receive an SNI indication from the client,
|
|
||||||
# which resets the upstream connection. If this is the case, we
|
|
||||||
# must already re-issue the CONNECT request at this point.
|
|
||||||
self.c.server_conn.state.append(
|
|
||||||
(
|
|
||||||
"http", {
|
|
||||||
"state": "connect",
|
|
||||||
"host": flow.request.host,
|
|
||||||
"port": flow.request.port
|
|
||||||
}
|
|
||||||
)
|
|
||||||
)
|
|
||||||
if not self.process_connect_request(
|
|
||||||
(flow.request.host, flow.request.port)):
|
|
||||||
return False
|
|
||||||
|
|
||||||
# If the user has changed the target server on this connection,
|
|
||||||
# restore the original target server
|
|
||||||
flow.live.restore_server()
|
|
||||||
|
|
||||||
return True # Next flow please.
|
|
||||||
except (
|
|
||||||
http.HttpAuthenticationError,
|
|
||||||
http.HttpError,
|
|
||||||
proxy.ProxyError,
|
|
||||||
tcp.NetLibError,
|
|
||||||
) as e:
|
|
||||||
self.handle_error(e, flow)
|
|
||||||
except KillSignal:
|
|
||||||
self.c.log("Connection killed", "info")
|
|
||||||
finally:
|
|
||||||
flow.live = None # Connection is not live anymore.
|
|
||||||
return False
|
|
||||||
|
|
||||||
def handle_server_reconnect(self, state):
|
|
||||||
if state["state"] == "connect":
|
|
||||||
send_connect_request(
|
|
||||||
self.c.server_conn,
|
|
||||||
state["host"],
|
|
||||||
state["port"],
|
|
||||||
update_state=False
|
|
||||||
)
|
|
||||||
else: # pragma: nocover
|
|
||||||
raise RuntimeError("Unknown State: %s" % state["state"])
|
|
||||||
|
|
||||||
def handle_error(self, error, flow=None):
|
|
||||||
message = repr(error)
|
|
||||||
message_debug = None
|
|
||||||
|
|
||||||
if isinstance(error, tcp.NetLibError):
|
|
||||||
message = None
|
|
||||||
message_debug = "TCP connection closed unexpectedly."
|
|
||||||
elif "tlsv1 alert unknown ca" in message:
|
|
||||||
message = "TLSv1 Alert Unknown CA: The client does not trust the proxy's certificate."
|
|
||||||
elif "handshake error" in message:
|
|
||||||
message_debug = message
|
|
||||||
message = "SSL handshake error: The client may not trust the proxy's certificate."
|
|
||||||
|
|
||||||
if message:
|
|
||||||
self.c.log(message, level="info")
|
|
||||||
if message_debug:
|
|
||||||
self.c.log(message_debug, level="debug")
|
|
||||||
|
|
||||||
if flow:
|
|
||||||
# TODO: no flows without request or with both request and response
|
|
||||||
# at the moment.
|
|
||||||
if flow.request and not flow.response:
|
|
||||||
flow.error = Error(message or message_debug)
|
|
||||||
self.c.channel.ask("error", flow)
|
|
||||||
try:
|
|
||||||
status_code = getattr(error, "code", 502)
|
|
||||||
headers = getattr(error, "headers", None)
|
|
||||||
|
|
||||||
html_message = message or ""
|
|
||||||
if message_debug:
|
|
||||||
html_message += "<pre>%s</pre>" % message_debug
|
|
||||||
self.send_error(status_code, html_message, headers)
|
|
||||||
except:
|
|
||||||
pass
|
|
||||||
|
|
||||||
def send_error(self, status_code, message, headers):
|
|
||||||
response = http.status_codes.RESPONSES.get(status_code, "Unknown")
|
|
||||||
body = """
|
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<title>%d %s</title>
|
|
||||||
</head>
|
|
||||||
<body>%s</body>
|
|
||||||
</html>
|
|
||||||
""" % (status_code, response, message)
|
|
||||||
|
|
||||||
if not headers:
|
|
||||||
headers = odict.ODictCaseless()
|
|
||||||
assert isinstance(headers, odict.ODictCaseless)
|
|
||||||
|
|
||||||
headers["Server"] = [self.c.config.server_version]
|
|
||||||
headers["Connection"] = ["close"]
|
|
||||||
headers["Content-Length"] = [len(body)]
|
|
||||||
headers["Content-Type"] = ["text/html"]
|
|
||||||
|
|
||||||
resp = HTTPResponse(
|
|
||||||
(1, 1), # if HTTP/2 is used, this value is ignored anyway
|
|
||||||
status_code,
|
|
||||||
response,
|
|
||||||
headers,
|
|
||||||
body,
|
|
||||||
)
|
|
||||||
|
|
||||||
# if no protocol is assigned yet - just assume HTTP/1
|
|
||||||
# TODO: maybe check ALPN and use HTTP/2 if required?
|
|
||||||
protocol = self.c.client_conn.protocol or http1.HTTP1Protocol(self.c.client_conn)
|
|
||||||
self.c.client_conn.send(protocol.assemble(resp))
|
|
||||||
|
|
||||||
def process_request(self, flow, request):
|
|
||||||
"""
|
|
||||||
@returns:
|
|
||||||
True, if the request should not be sent upstream
|
|
||||||
False, if the connection should be aborted
|
|
||||||
None, if the request should be sent upstream
|
|
||||||
(a status code != None should be returned directly by handle_flow)
|
|
||||||
"""
|
|
||||||
|
|
||||||
if not self.skip_authentication:
|
|
||||||
self.authenticate(request)
|
|
||||||
|
|
||||||
# Determine .scheme, .host and .port attributes
|
|
||||||
# For absolute-form requests, they are directly given in the request.
|
|
||||||
# For authority-form requests, we only need to determine the request scheme.
|
|
||||||
# For relative-form requests, we need to determine host and port as
|
|
||||||
# well.
|
|
||||||
if not request.scheme:
|
|
||||||
request.scheme = "https" if flow.server_conn and flow.server_conn.ssl_established else "http"
|
|
||||||
if not request.host:
|
|
||||||
# Host/Port Complication: In upstream mode, use the server we CONNECTed to,
|
|
||||||
# not the upstream proxy.
|
|
||||||
if flow.server_conn:
|
|
||||||
for s in flow.server_conn.state:
|
|
||||||
if s[0] == "http" and s[1]["state"] == "connect":
|
|
||||||
request.host, request.port = s[1]["host"], s[1]["port"]
|
|
||||||
if not request.host and flow.server_conn:
|
|
||||||
request.host, request.port = flow.server_conn.address.host, flow.server_conn.address.port
|
|
||||||
|
|
||||||
|
|
||||||
# Now we can process the request.
|
|
||||||
if request.form_in == "authority":
|
|
||||||
if self.c.client_conn.ssl_established:
|
|
||||||
raise http.HttpError(
|
|
||||||
400,
|
|
||||||
"Must not CONNECT on already encrypted connection"
|
|
||||||
)
|
|
||||||
|
|
||||||
if self.c.config.mode == "regular":
|
|
||||||
self.c.set_server_address((request.host, request.port))
|
|
||||||
# Update server_conn attribute on the flow
|
|
||||||
flow.server_conn = self.c.server_conn
|
|
||||||
|
|
||||||
# since we currently only support HTTP/1 CONNECT requests
|
|
||||||
# the response must be HTTP/1 as well
|
|
||||||
self.c.client_conn.send(
|
|
||||||
('HTTP/%s.%s 200 ' % (request.httpversion[0], request.httpversion[1])) +
|
|
||||||
'Connection established\r\n' +
|
|
||||||
'Content-Length: 0\r\n' +
|
|
||||||
('Proxy-agent: %s\r\n' % self.c.config.server_version) +
|
|
||||||
'\r\n'
|
|
||||||
)
|
|
||||||
return self.process_connect_request(self.c.server_conn.address)
|
|
||||||
elif self.c.config.mode == "upstream":
|
|
||||||
return None
|
|
||||||
else:
|
|
||||||
# CONNECT should never occur if we don't expect absolute-form
|
|
||||||
# requests
|
|
||||||
pass
|
|
||||||
|
|
||||||
elif request.form_in == self.expected_form_in:
|
|
||||||
request.form_out = self.expected_form_out
|
|
||||||
if request.form_in == "absolute":
|
|
||||||
if request.scheme != "http":
|
|
||||||
raise http.HttpError(
|
|
||||||
400,
|
|
||||||
"Invalid request scheme: %s" % request.scheme
|
|
||||||
)
|
|
||||||
if self.c.config.mode == "regular":
|
|
||||||
# Update info so that an inline script sees the correct
|
|
||||||
# value at flow.server_conn
|
|
||||||
self.c.set_server_address((request.host, request.port))
|
|
||||||
flow.server_conn = self.c.server_conn
|
|
||||||
|
|
||||||
elif request.form_in == "relative":
|
|
||||||
if self.c.config.mode == "spoof":
|
|
||||||
# Host header
|
|
||||||
h = request.pretty_host(hostheader=True)
|
|
||||||
if h is None:
|
|
||||||
raise http.HttpError(
|
|
||||||
400,
|
|
||||||
"Invalid request: No host information"
|
|
||||||
)
|
|
||||||
p = netlib.utils.parse_url("http://" + h)
|
|
||||||
request.scheme = p[0]
|
|
||||||
request.host = p[1]
|
|
||||||
request.port = p[2]
|
|
||||||
self.c.set_server_address((request.host, request.port))
|
|
||||||
flow.server_conn = self.c.server_conn
|
|
||||||
|
|
||||||
if self.c.config.mode == "sslspoof":
|
|
||||||
# SNI is processed in server.py
|
|
||||||
if not (flow.server_conn and flow.server_conn.ssl_established):
|
|
||||||
raise http.HttpError(
|
|
||||||
400,
|
|
||||||
"Invalid request: No host information"
|
|
||||||
)
|
|
||||||
|
|
||||||
return None
|
|
||||||
|
|
||||||
raise http.HttpError(
|
|
||||||
400, "Invalid HTTP request form (expected: %s, got: %s)" % (
|
|
||||||
self.expected_form_in, request.form_in
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
def process_server_address(self, flow):
|
|
||||||
# Depending on the proxy mode, server handling is entirely different
|
|
||||||
# We provide a mostly unified API to the user, which needs to be
|
|
||||||
# unfiddled here
|
|
||||||
# ( See also: https://github.com/mitmproxy/mitmproxy/issues/337 )
|
|
||||||
address = tcp.Address((flow.request.host, flow.request.port))
|
|
||||||
|
|
||||||
ssl = (flow.request.scheme == "https")
|
|
||||||
|
|
||||||
if self.c.config.mode == "upstream":
|
|
||||||
# The connection to the upstream proxy may have a state we may need
|
|
||||||
# to take into account.
|
|
||||||
connected_to = None
|
|
||||||
for s in flow.server_conn.state:
|
|
||||||
if s[0] == "http" and s[1]["state"] == "connect":
|
|
||||||
connected_to = tcp.Address((s[1]["host"], s[1]["port"]))
|
|
||||||
|
|
||||||
# We need to reconnect if the current flow either requires a
|
|
||||||
# (possibly impossible) change to the connection state, e.g. the
|
|
||||||
# host has changed but we already CONNECTed somewhere else.
|
|
||||||
needs_server_change = (
|
|
||||||
ssl != self.c.server_conn.ssl_established
|
|
||||||
or
|
|
||||||
# HTTP proxying is "stateless", CONNECT isn't.
|
|
||||||
(connected_to and address != connected_to)
|
|
||||||
)
|
|
||||||
|
|
||||||
if needs_server_change:
|
|
||||||
# force create new connection to the proxy server to reset
|
|
||||||
# state
|
|
||||||
self.live.change_server(self.c.server_conn.address, force=True)
|
|
||||||
if ssl:
|
|
||||||
send_connect_request(
|
|
||||||
self.c.server_conn,
|
|
||||||
address.host,
|
|
||||||
address.port
|
|
||||||
)
|
|
||||||
self.c.establish_ssl(server=True)
|
|
||||||
else:
|
|
||||||
# If we're not in upstream mode, we just want to update the host
|
|
||||||
# and possibly establish TLS. This is a no op if the addresses
|
|
||||||
# match.
|
|
||||||
self.live.change_server(address, ssl=ssl)
|
|
||||||
|
|
||||||
flow.server_conn = self.c.server_conn
|
|
||||||
|
|
||||||
def send_response_to_client(self, flow):
|
|
||||||
if not flow.response.stream:
|
|
||||||
# no streaming:
|
|
||||||
# we already received the full response from the server and can
|
|
||||||
# send it to the client straight away.
|
|
||||||
self.c.client_conn.send(self.c.client_conn.protocol.assemble(flow.response))
|
|
||||||
else:
|
|
||||||
if isinstance(self.c.client_conn.protocol, http2.HTTP2Protocol):
|
|
||||||
raise NotImplementedError("HTTP streaming with HTTP/2 is currently not supported.")
|
|
||||||
|
|
||||||
|
|
||||||
# streaming:
|
|
||||||
# First send the headers and then transfer the response
|
|
||||||
# incrementally:
|
|
||||||
h = self.c.client_conn.protocol._assemble_response_first_line(flow.response)
|
|
||||||
self.c.client_conn.send(h + "\r\n")
|
|
||||||
h = self.c.client_conn.protocol._assemble_response_headers(flow.response, preserve_transfer_encoding=True)
|
|
||||||
self.c.client_conn.send(h + "\r\n")
|
|
||||||
|
|
||||||
chunks = self.c.server_conn.protocol.read_http_body_chunked(
|
|
||||||
flow.response.headers,
|
|
||||||
self.c.config.body_size_limit,
|
|
||||||
flow.request.method,
|
|
||||||
flow.response.code,
|
|
||||||
False,
|
|
||||||
4096
|
|
||||||
)
|
|
||||||
|
|
||||||
if callable(flow.response.stream):
|
|
||||||
chunks = flow.response.stream(chunks)
|
|
||||||
|
|
||||||
for chunk in chunks:
|
|
||||||
for part in chunk:
|
|
||||||
self.c.client_conn.wfile.write(part)
|
|
||||||
self.c.client_conn.wfile.flush()
|
|
||||||
|
|
||||||
flow.response.timestamp_end = utils.timestamp()
|
|
||||||
|
|
||||||
def check_close_connection(self, flow):
|
|
||||||
"""
|
|
||||||
Checks if the connection should be closed depending on the HTTP
|
|
||||||
semantics. Returns True, if so.
|
|
||||||
"""
|
|
||||||
|
|
||||||
# TODO: add logic for HTTP/2
|
|
||||||
|
|
||||||
close_connection = (
|
|
||||||
http1.HTTP1Protocol.connection_close(
|
|
||||||
flow.request.httpversion,
|
|
||||||
flow.request.headers
|
|
||||||
) or http1.HTTP1Protocol.connection_close(
|
|
||||||
flow.response.httpversion,
|
|
||||||
flow.response.headers
|
|
||||||
) or http1.HTTP1Protocol.expected_http_body_size(
|
|
||||||
flow.response.headers,
|
|
||||||
False,
|
|
||||||
flow.request.method,
|
|
||||||
flow.response.code) == -1
|
|
||||||
)
|
|
||||||
if close_connection:
|
|
||||||
if flow.request.form_in == "authority" and flow.response.code == 200:
|
|
||||||
# Workaround for
|
|
||||||
# https://github.com/mitmproxy/mitmproxy/issues/313: Some
|
|
||||||
# proxies (e.g. Charles) send a CONNECT response with HTTP/1.0
|
|
||||||
# and no Content-Length header
|
|
||||||
pass
|
|
||||||
else:
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
def process_connect_request(self, address):
|
|
||||||
"""
|
|
||||||
Process a CONNECT request.
|
|
||||||
Returns True if the CONNECT request has been processed successfully.
|
|
||||||
Returns False, if the connection should be closed immediately.
|
|
||||||
"""
|
|
||||||
address = tcp.Address.wrap(address)
|
|
||||||
if self.c.config.check_ignore(address):
|
|
||||||
self.c.log("Ignore host: %s:%s" % address(), "info")
|
|
||||||
TCPHandler(self.c, log=False).handle_messages()
|
|
||||||
return False
|
|
||||||
else:
|
|
||||||
self.expected_form_in = "relative"
|
|
||||||
self.expected_form_out = "relative"
|
|
||||||
self.skip_authentication = True
|
|
||||||
|
|
||||||
# In practice, nobody issues a CONNECT request to send unencrypted
|
|
||||||
# HTTP requests afterwards. If we don't delegate to TCP mode, we
|
|
||||||
# should always negotiate a SSL connection.
|
|
||||||
#
|
|
||||||
# FIXME: Turns out the previous statement isn't entirely true.
|
|
||||||
# Chrome on Windows CONNECTs to :80 if an explicit proxy is
|
|
||||||
# configured and a websocket connection should be established. We
|
|
||||||
# don't support websocket at the moment, so it fails anyway, but we
|
|
||||||
# should come up with a better solution to this if we start to
|
|
||||||
# support WebSockets.
|
|
||||||
should_establish_ssl = (
|
|
||||||
address.port in self.c.config.ssl_ports
|
|
||||||
or
|
|
||||||
not self.c.config.check_tcp(address)
|
|
||||||
)
|
|
||||||
|
|
||||||
if should_establish_ssl:
|
|
||||||
self.c.log(
|
|
||||||
"Received CONNECT request to SSL port. "
|
|
||||||
"Upgrading to SSL...", "debug"
|
|
||||||
)
|
|
||||||
server_ssl = not self.c.config.no_upstream_cert
|
|
||||||
if server_ssl:
|
|
||||||
self.c.establish_server_connection()
|
|
||||||
self.c.establish_ssl(server=server_ssl, client=True)
|
|
||||||
self.c.log("Upgrade to SSL completed.", "debug")
|
|
||||||
|
|
||||||
if self.c.config.check_tcp(address):
|
|
||||||
self.c.log(
|
|
||||||
"Generic TCP mode for host: %s:%s" % address(),
|
|
||||||
"info"
|
|
||||||
)
|
|
||||||
TCPHandler(self.c).handle_messages()
|
|
||||||
return False
|
|
||||||
|
|
||||||
return True
|
|
||||||
|
|
||||||
def authenticate(self, request):
|
|
||||||
if self.c.config.authenticator:
|
|
||||||
if self.c.config.authenticator.authenticate(request.headers):
|
|
||||||
self.c.config.authenticator.clean(request.headers)
|
|
||||||
else:
|
|
||||||
raise http.HttpAuthenticationError(
|
|
||||||
self.c.config.authenticator.auth_challenge_headers())
|
|
||||||
return request.headers
|
|
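Review bot: The trimmed import block at the top of the first hunk keeps only `Flow`, `decoded`, `HTTPRequest` and `HTTPResponse`, but the body of `HTTPFlow` (everything between the first hunk and the second, plus the three context lines that survive at the end) is outside the view, so confirm that nothing there still references `copy`, `utils`, `odict`, `netlib` or the other names removed here, since a removal that goes one name too far only fails at call time. Separately, the second hunk deletes HTTPHandler together with checks this module used to enforce: proxy authentication (`authenticate`), the 400 for a CONNECT on an already TLS-established client connection, and the `check_ignore`/`check_tcp` passthrough decisions, and the commit message does not say where they now live. If the `protocol2` package imported in the flow.py section is the replacement, a pointer in the commit description or a one-line module comment such as `# connection handling moved to libmproxy.protocol2` would let a reader verify that these checks were carried over rather than dropped.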
@ -1,20 +1,12 @@
|
|||||||
from __future__ import absolute_import
|
from __future__ import absolute_import
|
||||||
import Cookie
|
import Cookie
|
||||||
import copy
|
import copy
|
||||||
import threading
|
|
||||||
import time
|
import time
|
||||||
import urllib
|
|
||||||
import urlparse
|
|
||||||
from email.utils import parsedate_tz, formatdate, mktime_tz
|
from email.utils import parsedate_tz, formatdate, mktime_tz
|
||||||
|
|
||||||
import netlib
|
from netlib import odict, encoding
|
||||||
from netlib import http, tcp, odict, utils, encoding
|
from netlib.http import semantics, CONTENT_MISSING
|
||||||
from netlib.http import cookies, semantics, http1
|
from .. import utils, stateobject
|
||||||
|
|
||||||
from .tcp import TCPHandler
|
|
||||||
from .primitives import KILL, ProtocolHandler, Flow, Error
|
|
||||||
from ..proxy.connection import ServerConnection
|
|
||||||
from .. import utils, controller, stateobject, proxy
|
|
||||||
|
|
||||||
|
|
||||||
class decoded(object):
|
class decoded(object):
|
||||||
|
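Review bot: The replacement line `from netlib.http import semantics, CONTENT_MISSING` drops `cookies` and `http1`, and the hunk also drops `urllib`, `urlparse`, `threading` and the bare `netlib`/`http`/`tcp` names, while the wrapper classes that may use them (everything after `class decoded(object):`) are outside the hunk. A stale reference would surface as a NameError only when that method runs, so a quick grep or an import-time lint for the removed names is worth doing before merge, particularly for `cookies` and `http1` given that the module still keeps `Cookie` and the HTTP wrappers. The class body continues outside the hunk.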
@ -1,11 +1,10 @@
|
|||||||
from __future__ import absolute_import
|
from __future__ import absolute_import
|
||||||
import copy
|
import copy
|
||||||
import uuid
|
import uuid
|
||||||
import netlib.tcp
|
|
||||||
from .. import stateobject, utils, version
|
from .. import stateobject, utils, version
|
||||||
from ..proxy.connection import ClientConnection, ServerConnection
|
from ..proxy.connection import ClientConnection, ServerConnection
|
||||||
|
|
||||||
|
|
||||||
KILL = 0 # const for killed requests
|
KILL = 0 # const for killed requests
|
||||||
|
|
||||||
|
|
||||||
@ -165,130 +164,3 @@ class Flow(stateobject.StateObject):
|
|||||||
self.intercepted = False
|
self.intercepted = False
|
||||||
self.reply()
|
self.reply()
|
||||||
master.handle_accept_intercept(self)
|
master.handle_accept_intercept(self)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class ProtocolHandler(object):
|
|
||||||
"""
|
|
||||||
A ProtocolHandler implements an application-layer protocol, e.g. HTTP.
|
|
||||||
See: libmproxy.protocol.http.HTTPHandler
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self, c):
|
|
||||||
self.c = c
|
|
||||||
"""@type: libmproxy.proxy.server.ConnectionHandler"""
|
|
||||||
self.live = LiveConnection(c)
|
|
||||||
"""@type: LiveConnection"""
|
|
||||||
|
|
||||||
def handle_messages(self):
|
|
||||||
"""
|
|
||||||
This method gets called if a client connection has been made. Depending
|
|
||||||
on the proxy settings, a server connection might already exist as well.
|
|
||||||
"""
|
|
||||||
raise NotImplementedError # pragma: nocover
|
|
||||||
|
|
||||||
def handle_server_reconnect(self, state):
|
|
||||||
"""
|
|
||||||
This method gets called if a server connection needs to reconnect and
|
|
||||||
there's a state associated with the server connection (e.g. a
|
|
||||||
previously-sent CONNECT request or a SOCKS proxy request). This method
|
|
||||||
gets called after the connection has been restablished but before SSL is
|
|
||||||
established.
|
|
||||||
"""
|
|
||||||
raise NotImplementedError # pragma: nocover
|
|
||||||
|
|
||||||
def handle_error(self, error):
|
|
||||||
"""
|
|
||||||
This method gets called should there be an uncaught exception during the
|
|
||||||
connection. This might happen outside of handle_messages, e.g. if the
|
|
||||||
initial SSL handshake fails in transparent mode.
|
|
||||||
"""
|
|
||||||
raise error # pragma: nocover
|
|
||||||
|
|
||||||
|
|
||||||
class LiveConnection(object):
|
|
||||||
"""
|
|
||||||
This facade allows interested parties (FlowMaster, inline scripts) to
|
|
||||||
interface with a live connection, without exposing the internals
|
|
||||||
of the ConnectionHandler.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self, c):
|
|
||||||
self.c = c
|
|
||||||
"""@type: libmproxy.proxy.server.ConnectionHandler"""
|
|
||||||
self._backup_server_conn = None
|
|
||||||
"""@type: libmproxy.proxy.connection.ServerConnection"""
|
|
||||||
|
|
||||||
def change_server(
|
|
||||||
self,
|
|
||||||
address,
|
|
||||||
ssl=None,
|
|
||||||
sni=None,
|
|
||||||
force=False,
|
|
||||||
persistent_change=False):
|
|
||||||
"""
|
|
||||||
Change the server connection to the specified address.
|
|
||||||
@returns:
|
|
||||||
True, if a new connection has been established,
|
|
||||||
False, if an existing connection has been used
|
|
||||||
"""
|
|
||||||
address = netlib.tcp.Address.wrap(address)
|
|
||||||
|
|
||||||
ssl_mismatch = (
|
|
||||||
ssl is not None and
|
|
||||||
(
|
|
||||||
(self.c.server_conn.connection and ssl != self.c.server_conn.ssl_established)
|
|
||||||
or
|
|
||||||
(sni is not None and sni != self.c.server_conn.sni)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
address_mismatch = (address != self.c.server_conn.address)
|
|
||||||
|
|
||||||
if persistent_change:
|
|
||||||
self._backup_server_conn = None
|
|
||||||
|
|
||||||
if ssl_mismatch or address_mismatch or force:
|
|
||||||
|
|
||||||
self.c.log(
|
|
||||||
"Change server connection: %s:%s -> %s:%s [persistent: %s]" % (
|
|
||||||
self.c.server_conn.address.host,
|
|
||||||
self.c.server_conn.address.port,
|
|
||||||
address.host,
|
|
||||||
address.port,
|
|
||||||
persistent_change
|
|
||||||
),
|
|
||||||
"debug"
|
|
||||||
)
|
|
||||||
|
|
||||||
if not self._backup_server_conn and not persistent_change:
|
|
||||||
self._backup_server_conn = self.c.server_conn
|
|
||||||
self.c.server_conn = None
|
|
||||||
else:
|
|
||||||
# This is at least the second temporary change. We can kill the
|
|
||||||
# current connection.
|
|
||||||
self.c.del_server_connection()
|
|
||||||
|
|
||||||
self.c.set_server_address(address)
|
|
||||||
self.c.establish_server_connection(ask=False)
|
|
||||||
if ssl:
|
|
||||||
self.c.establish_ssl(server=True, sni=sni)
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
def restore_server(self):
|
|
||||||
# TODO: Similar to _backup_server_conn, introduce _cache_server_conn,
|
|
||||||
# which keeps the changed connection open This may be beneficial if a
|
|
||||||
# user is rewriting all requests from http to https or similar.
|
|
||||||
if not self._backup_server_conn:
|
|
||||||
return
|
|
||||||
|
|
||||||
self.c.log("Restore original server connection: %s:%s -> %s:%s" % (
|
|
||||||
self.c.server_conn.address.host,
|
|
||||||
self.c.server_conn.address.port,
|
|
||||||
self._backup_server_conn.address.host,
|
|
||||||
self._backup_server_conn.address.port
|
|
||||||
), "debug")
|
|
||||||
|
|
||||||
self.c.del_server_connection()
|
|
||||||
self.c.server_conn = self._backup_server_conn
|
|
||||||
self._backup_server_conn = None
|
|
||||||
|
@ -1,97 +0,0 @@
|
|||||||
from __future__ import absolute_import
|
|
||||||
import select
|
|
||||||
import socket
|
|
||||||
from .primitives import ProtocolHandler
|
|
||||||
from netlib.utils import cleanBin
|
|
||||||
from netlib.tcp import NetLibError
|
|
||||||
|
|
||||||
|
|
||||||
class TCPHandler(ProtocolHandler):
|
|
||||||
"""
|
|
||||||
TCPHandler acts as a generic TCP forwarder.
|
|
||||||
Data will be .log()ed, but not stored any further.
|
|
||||||
"""
|
|
||||||
|
|
||||||
chunk_size = 4096
|
|
||||||
|
|
||||||
def __init__(self, c, log=True):
|
|
||||||
super(TCPHandler, self).__init__(c)
|
|
||||||
self.log = log
|
|
||||||
|
|
||||||
def handle_messages(self):
|
|
||||||
self.c.establish_server_connection()
|
|
||||||
|
|
||||||
server = "%s:%s" % self.c.server_conn.address()[:2]
|
|
||||||
buf = memoryview(bytearray(self.chunk_size))
|
|
||||||
conns = [self.c.client_conn.rfile, self.c.server_conn.rfile]
|
|
||||||
|
|
||||||
try:
|
|
||||||
while True:
|
|
||||||
r, _, _ = select.select(conns, [], [], 10)
|
|
||||||
for rfile in r:
|
|
||||||
if self.c.client_conn.rfile == rfile:
|
|
||||||
src, dst = self.c.client_conn, self.c.server_conn
|
|
||||||
direction = "-> tcp ->"
|
|
||||||
src_str, dst_str = "client", server
|
|
||||||
else:
|
|
||||||
dst, src = self.c.client_conn, self.c.server_conn
|
|
||||||
direction = "<- tcp <-"
|
|
||||||
dst_str, src_str = "client", server
|
|
||||||
|
|
||||||
closed = False
|
|
||||||
if src.ssl_established:
|
|
||||||
# Unfortunately, pyOpenSSL lacks a recv_into function.
|
|
||||||
# We need to read a single byte before .pending()
|
|
||||||
# becomes usable
|
|
||||||
contents = src.rfile.read(1)
|
|
||||||
contents += src.rfile.read(src.connection.pending())
|
|
||||||
if not contents:
|
|
||||||
closed = True
|
|
||||||
else:
|
|
||||||
size = src.connection.recv_into(buf)
|
|
||||||
if not size:
|
|
||||||
closed = True
|
|
||||||
|
|
||||||
if closed:
|
|
||||||
conns.remove(src.rfile)
|
|
||||||
# Shutdown connection to the other peer
|
|
||||||
if dst.ssl_established:
|
|
||||||
# We can't half-close a connection, so we just close everything here.
|
|
||||||
# Sockets will be cleaned up on a higher level.
|
|
||||||
return
|
|
||||||
else:
|
|
||||||
dst.connection.shutdown(socket.SHUT_WR)
|
|
||||||
|
|
||||||
if len(conns) == 0:
|
|
||||||
return
|
|
||||||
continue
|
|
||||||
|
|
||||||
if src.ssl_established or dst.ssl_established:
|
|
||||||
# if one of the peers is over SSL, we need to send
|
|
||||||
# bytes/strings
|
|
||||||
if not src.ssl_established:
|
|
||||||
# we revc'd into buf but need bytes/string now.
|
|
||||||
contents = buf[:size].tobytes()
|
|
||||||
if self.log:
|
|
||||||
self.c.log(
|
|
||||||
"%s %s\r\n%s" % (
|
|
||||||
direction, dst_str, cleanBin(contents)
|
|
||||||
),
|
|
||||||
"info"
|
|
||||||
)
|
|
||||||
# Do not use dst.connection.send here, which may raise
|
|
||||||
# OpenSSL-specific errors.
|
|
||||||
dst.send(contents)
|
|
||||||
else:
|
|
||||||
# socket.socket.send supports raw bytearrays/memoryviews
|
|
||||||
if self.log:
|
|
||||||
self.c.log(
|
|
||||||
"%s %s\r\n%s" % (
|
|
||||||
direction, dst_str, cleanBin(buf.tobytes())
|
|
||||||
),
|
|
||||||
"info"
|
|
||||||
)
|
|
||||||
dst.connection.send(buf[:size])
|
|
||||||
except (socket.error, NetLibError) as e:
|
|
||||||
self.c.log("TCP connection closed unexpectedly.", "debug")
|
|
||||||
return
|
|