Merge pull request #673 from slingamn/proxytls.18

fix #561, take two
2019-11-23 22:09:45 -05:00 · 2019-11-23 22:09:45 -05:00 · fec1139dc8
commit fec1139dc8
parent c6bd0aea8d 7432ef07a7
5 changed files with 94 additions and 27 deletions
--- a/irc/client.go
+++ b/irc/client.go
@ -190,11 +190,11 @@ type ClientDetails struct {
 }

 // RunClient sets up a new client and runs its goroutine.
-func (server *Server) RunClient(conn clientConn) {
+func (server *Server) RunClient(conn clientConn, proxyLine string) {
 	var isBanned bool
 	var banMsg string
 	var realIP net.IP
-	if conn.Config.IsTor {
+	if conn.Config.Tor {
 		realIP = utils.IPv4LoopbackAddress
 		isBanned, banMsg = server.checkTorLimits()
 	} else {
@ -221,8 +221,8 @@ func (server *Server) RunClient(conn clientConn) {
 		atime:     now,
 		channels:  make(ChannelSet),
 		ctime:     now,
-		isSTSOnly: conn.Config.IsSTSOnly,
-		isTor:     conn.Config.IsTor,
+		isSTSOnly: conn.Config.STSOnly,
+		isTor:     conn.Config.Tor,
 		languages: server.Languages().Default(),
 		loginThrottle: connection_limits.GenericThrottle{
 			Duration: config.Accounts.LoginThrottling.Duration,
@ -254,7 +254,7 @@ func (server *Server) RunClient(conn clientConn) {
 		client.certfp, _ = socket.CertFP()
 	}

-	if conn.Config.IsTor {
+	if conn.Config.Tor {
 		client.SetMode(modes.TLS, true)
 		// cover up details of the tor proxying infrastructure (not a user privacy concern,
 		// but a hardening measure):
@ -278,7 +278,7 @@ func (server *Server) RunClient(conn clientConn) {
 	client.proxiedIP = session.proxiedIP

 	server.stats.Add()
-	client.run(session)
+	client.run(session, proxyLine)
 }

 func (client *Client) doIdentLookup(conn net.Conn) {
@ -371,11 +371,9 @@ func (client *Client) t(originalString string) string {
 	return languageManager.Translate(client.Languages(), originalString)
 }

-//
-// command goroutine
-//
-
-func (client *Client) run(session *Session) {
+// main client goroutine: read lines and execute the corresponding commands
+// `proxyLine` is the PROXY-before-TLS line, if there was one
+func (client *Client) run(session *Session, proxyLine string) {

 	defer func() {
 		if r := recover(); r != nil {
@ -414,7 +412,14 @@ func (client *Client) run(session *Session) {
 	for {
 		maxlenRest := session.MaxlenRest()

-		line, err := session.socket.Read()
+		var line string
+		var err error
+		if proxyLine == "" {
+			line, err = session.socket.Read()
+		} else {
+			line = proxyLine // pretend we're just now receiving the proxy-before-TLS line
+			proxyLine = ""
+		}
 		if err != nil {
 			quitMessage := "connection closed"
 			if err == errReadQ {
@ -483,7 +488,7 @@ func (client *Client) run(session *Session) {
 			break
 		} else if session.client != client {
 			// bouncer reattach
-			go session.client.run(session)
+			go session.client.run(session, "")
 			break
 		}
 	}
--- a/irc/config.go
+++ b/irc/config.go
@ -39,8 +39,9 @@ import (

 // TLSListenConfig defines configuration options for listening on TLS.
 type TLSListenConfig struct {
-	Cert string
-	Key  string
+	Cert  string
+	Key   string
+	Proxy bool
 }

 // This is the YAML-deserializable type of the value of the `Server.Listeners` map
@ -53,9 +54,10 @@ type listenerConfigBlock struct {
 // listenerConfig is the config governing a particular listener (bound address),
 // in particular whether it has TLS or Tor (or both) enabled.
 type listenerConfig struct {
-	TLSConfig *tls.Config
-	IsTor     bool
-	IsSTSOnly bool
+	TLSConfig      *tls.Config
+	Tor            bool
+	STSOnly        bool
+	ProxyBeforeTLS bool
 }

 type AccountConfig struct {
@ -517,9 +519,9 @@ func (conf *Config) prepareListeners() (err error) {
 	if 0 < len(conf.Server.Listeners) {
 		for addr, block := range conf.Server.Listeners {
 			var lconf listenerConfig
-			lconf.IsTor = block.Tor
-			lconf.IsSTSOnly = block.STSOnly
-			if lconf.IsSTSOnly && !conf.Server.STS.Enabled {
+			lconf.Tor = block.Tor
+			lconf.STSOnly = block.STSOnly
+			if lconf.STSOnly && !conf.Server.STS.Enabled {
 				return fmt.Errorf("%s is configured as a STS-only listener, but STS is disabled", addr)
 			}
 			if block.TLS.Cert != "" {
@ -528,6 +530,7 @@ func (conf *Config) prepareListeners() (err error) {
 					return err
 				}
 				lconf.TLSConfig = tlsConfig
+				lconf.ProxyBeforeTLS = block.TLS.Proxy
 			}
 			listeners[addr] = lconf
 		}
@ -540,7 +543,7 @@ func (conf *Config) prepareListeners() (err error) {
 		}
 		for _, addr := range conf.Server.Listen {
 			var lconf listenerConfig
-			lconf.IsTor = torListeners[addr]
+			lconf.Tor = torListeners[addr]
 			tlsListenConf, ok := conf.Server.TLSListeners[addr]
 			if ok {
 				tlsConfig, err := loadTlsConfig(tlsListenConf)
@ -837,5 +840,10 @@ func LoadConfig(filename string) (config *Config, err error) {
 		return nil, err
 	}

+	err = config.prepareListeners()
+	if err != nil {
+		return nil, fmt.Errorf("failed to prepare listeners: %v", err)
+	}
+
 	return config, nil
 }
--- a/irc/gateways.go
+++ b/irc/gateways.go
@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net"
 	"strings"
+	"time"

 	"github.com/oragono/oragono/irc/modes"
 	"github.com/oragono/oragono/irc/utils"
@ -20,6 +21,13 @@ var (
 	errBadProxyLine      = errors.New("Invalid PROXY/WEBIRC command")
 )

+const (
+	// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+	// "a 108-byte buffer is always enough to store all the line and a trailing zero
+	// for string processing."
+	maxProxyLineLen = 107
+)
+
 type webircConfig struct {
 	PasswordString string `yaml:"password"`
 	Password       []byte `yaml:"password-bytes"`
@ -75,10 +83,10 @@ func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls boo

 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
-	session.proxiedIP = parsedProxiedIP
 	client.proxiedIP = parsedProxiedIP
-	session.rawHostname = rawHostname
 	client.rawHostname = rawHostname
+	session.proxiedIP = parsedProxiedIP
+	session.rawHostname = rawHostname
 	client.cloakedHostname = cloakedHostname
 	// nickmask will be updated when the client completes registration
 	// set tls info
@ -118,3 +126,36 @@ func handleProxyCommand(server *Server, client *Client, session *Session, line s
 		return errBadGatewayAddress
 	}
 }
+
+// read a PROXY line one byte at a time, to ensure we don't read anything beyond
+// that into a buffer, which would break the TLS handshake
+func readRawProxyLine(conn net.Conn) (result string) {
+	// normally this is covered by ping timeouts, but we're doing this outside
+	// of the normal client goroutine:
+	conn.SetDeadline(time.Now().Add(time.Minute))
+	defer conn.SetDeadline(time.Time{})
+
+	var buf [maxProxyLineLen]byte
+	oneByte := make([]byte, 1)
+	i := 0
+	for i < maxProxyLineLen {
+		n, err := conn.Read(oneByte)
+		if err != nil {
+			return
+		} else if n == 1 {
+			buf[i] = oneByte[0]
+			if buf[i] == '\n' {
+				candidate := string(buf[0 : i+1])
+				if strings.HasPrefix(candidate, "PROXY") {
+					return candidate
+				} else {
+					return
+				}
+			}
+			i += 1
+		}
+	}
+
+	// no \r\n, fail out
+	return
+}
--- a/irc/server.go
+++ b/irc/server.go
@ -304,6 +304,15 @@ func (server *Server) createListener(addr string, conf listenerConfig, bindMode
 				listener.Close()
 				return
 			} else if err == nil {
+				var proxyLine string
+				if conf.ProxyBeforeTLS {
+					proxyLine = readRawProxyLine(conn)
+					if proxyLine == "" {
+						server.logger.Error("internal", "bad TLS-proxy line from", addr)
+						conn.Close()
+						continue
+					}
+				}
 				if conf.TLSConfig != nil {
 					conn = tls.Server(conn, conf.TLSConfig)
 				}
@ -312,7 +321,7 @@ func (server *Server) createListener(addr string, conf listenerConfig, bindMode
 					Config: conf,
 				}
 				// hand off the connection
-				go server.RunClient(newConn)
+				go server.RunClient(newConn, proxyLine)
 			} else {
 				server.logger.Error("internal", "accept error", addr, err.Error())
 			}
@ -857,7 +866,7 @@ func (server *Server) loadDatastore(config *Config) error {
 func (server *Server) setupListeners(config *Config) (err error) {
 	logListener := func(addr string, config listenerConfig) {
 		server.logger.Info("listeners",
-			fmt.Sprintf("now listening on %s, tls=%t, tor=%t.", addr, (config.TLSConfig != nil), config.IsTor),
+			fmt.Sprintf("now listening on %s, tls=%t, tlsproxy=%t, tor=%t.", addr, (config.TLSConfig != nil), config.ProxyBeforeTLS, config.Tor),
 		)
 	}

@ -884,7 +893,7 @@ func (server *Server) setupListeners(config *Config) (err error) {
 	publicPlaintextListener := ""
 	// create new listeners that were not previously configured
 	for newAddr, newConfig := range config.Server.trueListeners {
-		if strings.HasPrefix(newAddr, ":") && !newConfig.IsTor && !newConfig.IsSTSOnly && newConfig.TLSConfig == nil {
+		if strings.HasPrefix(newAddr, ":") && !newConfig.Tor && !newConfig.STSOnly && newConfig.TLSConfig == nil {
 			publicPlaintextListener = newAddr
 		}
 		_, exists := server.listeners[newAddr]
--- a/oragono.yaml
+++ b/oragono.yaml
@ -30,6 +30,10 @@ server:
            tls:
                key: tls.key
                cert: tls.crt
+                # 'proxy' should typically be false. It's only for Kubernetes-style load
+                # balancing that does not terminate TLS, but sends an initial PROXY line
+                # in plaintext.
+                proxy: false

        # Example of a Unix domain socket for proxying:
        # "/tmp/oragono_sock":