2020-12-24 09:56:10 +01:00
|
|
|
package proxy
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bufio"
|
|
|
|
"crypto/tls"
|
|
|
|
"encoding/base64"
|
|
|
|
"fmt"
|
|
|
|
"net"
|
2022-06-22 19:38:43 +02:00
|
|
|
"net/http"
|
2020-12-24 09:56:10 +01:00
|
|
|
"net/url"
|
2021-03-09 17:54:09 +01:00
|
|
|
"strings"
|
2021-01-11 11:50:10 +01:00
|
|
|
"time"
|
2020-12-24 09:56:10 +01:00
|
|
|
|
2021-03-12 02:35:49 +01:00
|
|
|
"github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
|
2020-12-24 09:56:10 +01:00
|
|
|
"github.com/VictoriaMetrics/VictoriaMetrics/lib/netutil"
|
2021-03-09 17:54:09 +01:00
|
|
|
"github.com/VictoriaMetrics/VictoriaMetrics/lib/promauth"
|
2020-12-24 09:56:10 +01:00
|
|
|
"github.com/VictoriaMetrics/fasthttp"
|
2021-04-04 00:29:54 +02:00
|
|
|
"golang.org/x/net/proxy"
|
2020-12-24 09:56:10 +01:00
|
|
|
)
|
|
|
|
|
2023-08-12 14:03:08 +02:00
|
|
|
var validURLSchemes = []string{"http", "https", "socks5", "tls+socks5"}
|
|
|
|
|
|
|
|
func isURLSchemeValid(scheme string) bool {
|
|
|
|
for _, vs := range validURLSchemes {
|
|
|
|
if scheme == vs {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2020-12-24 09:56:10 +01:00
|
|
|
// URL implements YAML.Marshaler and yaml.Unmarshaler interfaces for url.URL.
|
|
|
|
type URL struct {
|
2022-05-06 23:02:54 +02:00
|
|
|
URL *url.URL
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
|
|
|
|
2021-03-12 02:35:49 +01:00
|
|
|
// MustNewURL returns new URL for the given u.
|
2021-10-26 20:21:08 +02:00
|
|
|
func MustNewURL(u string) *URL {
|
2021-03-12 02:35:49 +01:00
|
|
|
pu, err := url.Parse(u)
|
|
|
|
if err != nil {
|
|
|
|
logger.Panicf("BUG: cannot parse u=%q: %s", u, err)
|
|
|
|
}
|
2021-10-26 20:21:08 +02:00
|
|
|
return &URL{
|
2022-05-06 23:02:54 +02:00
|
|
|
URL: pu,
|
2021-03-12 02:35:49 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-05-06 23:02:54 +02:00
|
|
|
// GetURL return the underlying url.
|
|
|
|
func (u *URL) GetURL() *url.URL {
|
|
|
|
if u == nil || u.URL == nil {
|
2020-12-24 09:56:10 +01:00
|
|
|
return nil
|
|
|
|
}
|
2022-05-06 23:02:54 +02:00
|
|
|
return u.URL
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
|
|
|
|
2021-04-03 23:40:08 +02:00
|
|
|
// IsHTTPOrHTTPS returns true if u is http or https
|
|
|
|
func (u *URL) IsHTTPOrHTTPS() bool {
|
2022-05-06 23:02:54 +02:00
|
|
|
pu := u.GetURL()
|
2021-04-03 23:40:08 +02:00
|
|
|
if pu == nil {
|
|
|
|
return false
|
|
|
|
}
|
2022-05-06 23:02:54 +02:00
|
|
|
scheme := u.URL.Scheme
|
2021-04-03 23:40:08 +02:00
|
|
|
return scheme == "http" || scheme == "https"
|
|
|
|
}
|
|
|
|
|
2021-03-12 02:35:49 +01:00
|
|
|
// String returns string representation of u.
|
|
|
|
func (u *URL) String() string {
|
2022-05-06 23:02:54 +02:00
|
|
|
pu := u.GetURL()
|
2021-03-12 02:35:49 +01:00
|
|
|
if pu == nil {
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
return pu.String()
|
|
|
|
}
|
|
|
|
|
2022-06-22 19:38:43 +02:00
|
|
|
// SetHeaders sets headers to req according to u and ac configs.
|
2023-10-17 11:58:19 +02:00
|
|
|
func (u *URL) SetHeaders(ac *promauth.Config, req *http.Request) error {
|
|
|
|
ah, err := u.getAuthHeader(ac)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-06-22 19:38:43 +02:00
|
|
|
if ah != "" {
|
|
|
|
req.Header.Set("Proxy-Authorization", ah)
|
|
|
|
}
|
2023-10-17 11:58:19 +02:00
|
|
|
return ac.SetHeaders(req, false)
|
2022-06-22 19:38:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// SetFasthttpHeaders sets headers to req according to u and ac configs.
|
2023-10-17 11:58:19 +02:00
|
|
|
func (u *URL) SetFasthttpHeaders(ac *promauth.Config, req *fasthttp.Request) error {
|
|
|
|
ah, err := u.getAuthHeader(ac)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-06-22 19:38:43 +02:00
|
|
|
if ah != "" {
|
|
|
|
req.Header.Set("Proxy-Authorization", ah)
|
|
|
|
}
|
2023-10-17 11:58:19 +02:00
|
|
|
return ac.SetFasthttpHeaders(req, false)
|
2022-06-22 19:38:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// getAuthHeader returns Proxy-Authorization auth header for the given u and ac.
|
2023-10-17 11:58:19 +02:00
|
|
|
func (u *URL) getAuthHeader(ac *promauth.Config) (string, error) {
|
2021-04-03 23:40:08 +02:00
|
|
|
authHeader := ""
|
|
|
|
if ac != nil {
|
2023-10-17 11:58:19 +02:00
|
|
|
var err error
|
|
|
|
authHeader, err = ac.GetAuthHeader()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2021-04-03 23:40:08 +02:00
|
|
|
}
|
2022-05-06 23:02:54 +02:00
|
|
|
if u == nil || u.URL == nil {
|
2023-10-17 11:58:19 +02:00
|
|
|
return authHeader, nil
|
2021-04-03 23:40:08 +02:00
|
|
|
}
|
2022-05-06 23:02:54 +02:00
|
|
|
pu := u.URL
|
2021-04-03 23:40:08 +02:00
|
|
|
if pu.User != nil && len(pu.User.Username()) > 0 {
|
|
|
|
userPasswordEncoded := base64.StdEncoding.EncodeToString([]byte(pu.User.String()))
|
|
|
|
authHeader = "Basic " + userPasswordEncoded
|
|
|
|
}
|
2023-10-17 11:58:19 +02:00
|
|
|
return authHeader, nil
|
2021-04-03 23:40:08 +02:00
|
|
|
}
|
|
|
|
|
2020-12-24 09:56:10 +01:00
|
|
|
// MarshalYAML implements yaml.Marshaler interface.
|
|
|
|
func (u *URL) MarshalYAML() (interface{}, error) {
|
2022-05-06 23:02:54 +02:00
|
|
|
if u.URL == nil {
|
2020-12-24 09:56:10 +01:00
|
|
|
return nil, nil
|
|
|
|
}
|
2022-05-06 23:02:54 +02:00
|
|
|
return u.URL.String(), nil
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// UnmarshalYAML implements yaml.Unmarshaler interface.
|
|
|
|
func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
|
|
|
var s string
|
|
|
|
if err := unmarshal(&s); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
parsedURL, err := url.Parse(s)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot parse proxy_url=%q as *url.URL: %w", s, err)
|
|
|
|
}
|
2023-08-12 14:03:08 +02:00
|
|
|
if !isURLSchemeValid(parsedURL.Scheme) {
|
|
|
|
return fmt.Errorf("cannot parse proxy_url=%q unsupported scheme format=%q, valid schemes: %s", s, parsedURL.Scheme, validURLSchemes)
|
|
|
|
}
|
2022-05-06 23:02:54 +02:00
|
|
|
u.URL = parsedURL
|
2020-12-24 09:56:10 +01:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-03-09 17:54:09 +01:00
|
|
|
// NewDialFunc returns dial func for the given u and ac.
|
|
|
|
func (u *URL) NewDialFunc(ac *promauth.Config) (fasthttp.DialFunc, error) {
|
2022-05-06 23:02:54 +02:00
|
|
|
if u == nil || u.URL == nil {
|
2020-12-24 09:56:10 +01:00
|
|
|
return defaultDialFunc, nil
|
|
|
|
}
|
2022-05-06 23:02:54 +02:00
|
|
|
pu := u.URL
|
2023-08-12 14:03:08 +02:00
|
|
|
if !isURLSchemeValid(pu.Scheme) {
|
|
|
|
return nil, fmt.Errorf("unknown scheme=%q for proxy_url=%q, must be in %s", pu.Scheme, pu.Redacted(), validURLSchemes)
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
2021-04-05 11:56:51 +02:00
|
|
|
isTLS := (pu.Scheme == "https" || pu.Scheme == "tls+socks5")
|
2021-03-09 17:54:09 +01:00
|
|
|
proxyAddr := addMissingPort(pu.Host, isTLS)
|
2021-03-12 09:40:55 +01:00
|
|
|
var tlsCfg *tls.Config
|
|
|
|
if isTLS {
|
|
|
|
tlsCfg = ac.NewTLSConfig()
|
|
|
|
if !tlsCfg.InsecureSkipVerify && tlsCfg.ServerName == "" {
|
|
|
|
tlsCfg.ServerName = tlsServerName(proxyAddr)
|
|
|
|
}
|
|
|
|
}
|
2021-04-05 11:56:51 +02:00
|
|
|
if pu.Scheme == "socks5" || pu.Scheme == "tls+socks5" {
|
|
|
|
return socks5DialFunc(proxyAddr, pu, tlsCfg)
|
|
|
|
}
|
2020-12-24 09:56:10 +01:00
|
|
|
dialFunc := func(addr string) (net.Conn, error) {
|
2021-03-09 17:54:09 +01:00
|
|
|
proxyConn, err := defaultDialFunc(proxyAddr)
|
2020-12-24 09:56:10 +01:00
|
|
|
if err != nil {
|
2021-03-11 12:43:36 +01:00
|
|
|
return nil, fmt.Errorf("cannot connect to proxy %q: %w", pu.Redacted(), err)
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
2021-03-09 17:54:09 +01:00
|
|
|
if isTLS {
|
2021-03-12 09:40:55 +01:00
|
|
|
proxyConn = tls.Client(proxyConn, tlsCfg)
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
2023-10-17 11:58:19 +02:00
|
|
|
authHeader, err := u.getAuthHeader(ac)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("cannot get auth header: %s", err)
|
|
|
|
}
|
2021-05-14 19:00:05 +02:00
|
|
|
if authHeader != "" {
|
|
|
|
authHeader = "Proxy-Authorization: " + authHeader + "\r\n"
|
2022-06-22 19:38:43 +02:00
|
|
|
authHeader += ac.HeadersNoAuthString()
|
2021-05-14 19:00:05 +02:00
|
|
|
}
|
2021-03-09 19:39:38 +01:00
|
|
|
conn, err := sendConnectRequest(proxyConn, proxyAddr, addr, authHeader)
|
2020-12-24 09:56:10 +01:00
|
|
|
if err != nil {
|
|
|
|
_ = proxyConn.Close()
|
2021-03-11 12:43:36 +01:00
|
|
|
return nil, fmt.Errorf("error when sending CONNECT request to proxy %q: %w", pu.Redacted(), err)
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
|
|
|
return conn, nil
|
|
|
|
}
|
|
|
|
return dialFunc, nil
|
|
|
|
}
|
|
|
|
|
2021-04-05 11:56:51 +02:00
|
|
|
func socks5DialFunc(proxyAddr string, pu *url.URL, tlsCfg *tls.Config) (fasthttp.DialFunc, error) {
|
2021-04-04 00:29:54 +02:00
|
|
|
var sac *proxy.Auth
|
|
|
|
if pu.User != nil {
|
|
|
|
username := pu.User.Username()
|
|
|
|
password, _ := pu.User.Password()
|
|
|
|
sac = &proxy.Auth{
|
|
|
|
User: username,
|
|
|
|
Password: password,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
network := netutil.GetTCPNetwork()
|
2021-04-05 11:56:51 +02:00
|
|
|
var dialer proxy.Dialer = proxy.Direct
|
|
|
|
if tlsCfg != nil {
|
|
|
|
dialer = &tls.Dialer{
|
2021-04-05 12:45:24 +02:00
|
|
|
Config: tlsCfg,
|
2021-04-05 11:56:51 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
d, err := proxy.SOCKS5(network, proxyAddr, sac, dialer)
|
2021-04-04 00:29:54 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("cannot create socks5 proxy for url: %s, err: %w", pu.Redacted(), err)
|
|
|
|
}
|
|
|
|
dialFunc := func(addr string) (net.Conn, error) {
|
|
|
|
return d.Dial(network, addr)
|
|
|
|
}
|
|
|
|
return dialFunc, nil
|
|
|
|
}
|
|
|
|
|
2021-03-09 17:54:09 +01:00
|
|
|
func addMissingPort(addr string, isTLS bool) string {
|
|
|
|
if strings.IndexByte(addr, ':') >= 0 {
|
|
|
|
return addr
|
|
|
|
}
|
|
|
|
port := "80"
|
|
|
|
if isTLS {
|
|
|
|
port = "443"
|
|
|
|
}
|
|
|
|
return addr + ":" + port
|
|
|
|
}
|
|
|
|
|
|
|
|
func tlsServerName(addr string) string {
|
|
|
|
host, _, err := net.SplitHostPort(addr)
|
|
|
|
if err != nil {
|
|
|
|
return addr
|
|
|
|
}
|
|
|
|
return host
|
|
|
|
}
|
|
|
|
|
2020-12-24 09:56:10 +01:00
|
|
|
func defaultDialFunc(addr string) (net.Conn, error) {
|
2021-03-16 23:16:06 +01:00
|
|
|
network := netutil.GetTCPNetwork()
|
2021-01-11 11:50:10 +01:00
|
|
|
// Do not use fasthttp.Dial because of https://github.com/VictoriaMetrics/VictoriaMetrics/issues/987
|
|
|
|
return net.DialTimeout(network, addr, 5*time.Second)
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// sendConnectRequest sends CONNECT request to proxyConn for the given addr and authHeader and returns the established connection to dstAddr.
|
2021-03-09 19:39:38 +01:00
|
|
|
func sendConnectRequest(proxyConn net.Conn, proxyAddr, dstAddr, authHeader string) (net.Conn, error) {
|
|
|
|
req := "CONNECT " + dstAddr + " HTTP/1.1\r\nHost: " + proxyAddr + "\r\n" + authHeader + "\r\n"
|
2020-12-24 09:56:10 +01:00
|
|
|
if _, err := proxyConn.Write([]byte(req)); err != nil {
|
|
|
|
return nil, fmt.Errorf("cannot send CONNECT request for dstAddr=%q: %w", dstAddr, err)
|
|
|
|
}
|
|
|
|
var res fasthttp.Response
|
|
|
|
res.SkipBody = true
|
|
|
|
conn := &bufferedReaderConn{
|
|
|
|
br: bufio.NewReader(proxyConn),
|
|
|
|
Conn: proxyConn,
|
|
|
|
}
|
|
|
|
if err := res.Read(conn.br); err != nil {
|
|
|
|
return nil, fmt.Errorf("cannot read CONNECT response for dstAddr=%q: %w", dstAddr, err)
|
|
|
|
}
|
|
|
|
if statusCode := res.Header.StatusCode(); statusCode != 200 {
|
2021-04-03 02:02:52 +02:00
|
|
|
return nil, fmt.Errorf("unexpected status code received: %d; want: 200; response body: %q", statusCode, res.Body())
|
2020-12-24 09:56:10 +01:00
|
|
|
}
|
|
|
|
return conn, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type bufferedReaderConn struct {
|
|
|
|
net.Conn
|
|
|
|
br *bufio.Reader
|
|
|
|
}
|
|
|
|
|
|
|
|
func (brc *bufferedReaderConn) Read(p []byte) (int, error) {
|
|
|
|
return brc.br.Read(p)
|
|
|
|
}
|