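'use strict';

/**
 * Create the TCP front door for the service: keep listeners bound to the ports in
 * `config.tcp.bind` and route every accepted connection to a `forward` rule (by local port),
 * a `proxy` rule (by TLS servername), or to the TLS / HTTP sub-modules after sniffing the
 * first bytes of the stream.
 *
 * @param {object} deps   shared dependencies handed through to the sub-modules (opaque here)
 * @param {object} config service configuration; this module reads `config.tcp.bind`,
 *                        `config.tcp.modules` and `config.domains`
 * @returns {{updateConf: function, handler: function, mainPort: (number|undefined)}}
 *   `mainPort` is a live getter re-evaluated by `updateConf`
 */
module.exports.create = function (deps, config) {
  // NOTE(review): this prints the whole config object to stdout at startup. If the config ever
  // carries credentials or key material it ends up in the process logs — consider redacting.
  console.log('config', config);

  const listeners = require('../servers').listeners.tcp;
  const domainUtils = require('../domain-utils');

  // Filled in on the next tick (see below) so the sub-modules can be created with a reference
  // back to this table. Nothing that runs synchronously inside create() may use it.
  let modules;

  // Socket address properties copied onto the proxied connection options (see `proxy`).
  const addrProperties = [
    'remoteAddress',
    'remotePort',
    'remoteFamily',
    'localAddress',
    'localPort',
    'localFamily',
  ];

  /**
   * Whether `name` matches any pattern in `domainList` (per `domainUtils.match`).
   * A missing or non-array list matches nothing rather than throwing: this runs inside socket
   * event handlers, where a TypeError from a malformed config entry would crash the process.
   */
  function nameMatchesDomains(name, domainList) {
    if (!Array.isArray(domainList)) { return false; }
    return domainList.some((pattern) => domainUtils.match(pattern, name));
  }

  /**
   * Read an address property for a connection, preferring values supplied in `opts`
   * (plain or `_`-prefixed) over the ones on the socket object itself.
   */
  function getConnProp(conn, opts, name) {
    return opts[name] || opts['_' + name] || conn[name] || conn['_' + name];
  }

  /**
   * Hand `conn` to the proxy module, targeting the address described by `mod`.
   * Always returns true so it can terminate a `.some()` search over the rules.
   */
  function proxy(mod, conn, opts) {
    // First thing we need to add to the connection options is where to proxy the connection to.
    // `mod.address` may already carry a port ("host:port"); explicit `mod.port` / `mod.host`
    // fill whatever is missing.
    const newConnOpts = domainUtils.separatePort(mod.address || '');
    newConnOpts.port = newConnOpts.port || mod.port;
    newConnOpts.host = newConnOpts.host || mod.host || 'localhost';

    // Then we add all of the connection address information. We need to prefix all of the
    // properties with '_' so we can provide the information to any connection `createConnection`
    // implementation but not have the default implementation try to bind the same local port.
    for (const name of addrProperties) {
      newConnOpts['_' + name] = getConnProp(conn, opts, name);
    }

    // `modules` is assigned on the tick after create(); a connection arriving before that would
    // fail here. Presumably the listeners cannot deliver one that early — not enforced, though.
    modules.proxy(conn, newConnOpts);
    return true;
  }

  /**
   * Route by TLS servername: per-domain `modules.tcp` proxy rules are tried first, then the
   * global `config.tcp.modules` proxy rules. Returns true once a rule has taken the connection.
   *
   * `opts.servername` is presumably the SNI the client sent, i.e. peer-controlled input; the
   * configured domain lists are what decides where a connection may be proxied to.
   */
  function checkTcpProxy(conn, opts) {
    // TCP Proxying (ie routing based on domain name [vs local port]) only works for
    // TLS wrapped connections, so if the opts don't give us a servername or don't tell us
    // this is the decrypted side of a TLS connection we can't handle it here.
    if (!opts.servername || !opts.encrypted) { return false; }

    const isProxyRule = (mod) => mod.type === 'proxy';

    const byDomain = config.domains.some(function (dom) {
      if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; }
      if (!nameMatchesDomains(opts.servername, dom.names)) { return false; }

      return dom.modules.tcp.some((mod) => isProxyRule(mod) && proxy(mod, conn, opts));
    });
    if (byDomain) { return true; }

    return config.tcp.modules.some(function (mod) {
      if (!isProxyRule(mod)) { return false; }
      if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; }
      return proxy(mod, conn, opts);
    });
  }

  /**
   * Route by local port: the first `forward` rule in `config.tcp.modules` whose `ports` list
   * contains `conn.localPort` takes the connection. Returns true if one did.
   */
  function checkTcpForward(conn, opts) {
    // TCP forwarding (ie routing connections based on local port) requires the local port
    if (!conn.localPort) { return false; }

    return config.tcp.modules.some(function (mod) {
      if (mod.type !== 'forward') { return false; }
      // Ports are compared numerically so string entries in the config ("8080") still match
      // the numeric `conn.localPort`, the same way `updateConf` treats them.
      if (!Array.isArray(mod.ports)) { return false; }
      if (!mod.ports.some((port) => Number(port) === conn.localPort)) { return false; }
      return proxy(mod, conn, opts);
    });
  }

  /**
   * Sniff the first chunk of a connection that no forward/proxy rule claimed and hand the
   * socket to the TLS or HTTP module; anything unrecognised is dropped.
   *
   * opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
   * The chunk is stored as `opts.firstChunk` and the whole opts object as `conn.__opts` for
   * the receiving module.
   */
  function peek(conn, firstChunk, opts) {
    opts.firstChunk = firstChunk;
    conn.__opts = opts;
    // TODO port/service-based routing can do here

    // No bytes to sniff (e.g. hyperPeek without a stored chunk): treat like an unidentified
    // protocol instead of throwing inside the socket handler.
    if (!firstChunk || firstChunk.length === 0) {
      console.warn('failed to identify protocol from first chunk', firstChunk);
      conn.destroy();
      return;
    }

    // TLS byte 1 is handshake and byte 6 is client hello
    if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
      modules.tls.emit('connection', conn);
      return;
    }

    // This doesn't work with TLS, but now that we know this isn't a TLS connection we can
    // unshift the first chunk back onto the connection for future use. The unshift should
    // happen after any listeners are attached to it but before any new data comes in.
    if (!opts.hyperPeek) {
      process.nextTick(function () {
        conn.unshift(firstChunk);
      });
    }

    // Connection is not TLS, check for HTTP next. The chunk is only decoded when its first
    // byte is printable ASCII.
    if (firstChunk[0] > 32 && firstChunk[0] < 127) {
      if (/HTTP\//i.test(firstChunk.toString())) {
        modules.http.emit('connection', conn);
        return;
      }
    }

    // NOTE(review): this logs the raw bytes the peer sent; they are untrusted and may be
    // arbitrary binary or contain payload data, so keep this out of logs shipped elsewhere.
    console.warn('failed to identify protocol from first chunk', firstChunk);
    conn.destroy();
  }

  /**
   * Entry point for every accepted TCP connection. It is also exposed to the TLS/HTTP modules
   * as `modules.tcpHandler`, presumably so the decrypted side can be re-routed with
   * `opts.encrypted` / `opts.servername` set.
   *
   * Routing order: forward rules (local port) -> proxy rules (servername) -> protocol peek.
   */
  function tcpHandler(conn, opts) {
    opts = opts || {};
    const getProp = (name) => getConnProp(conn, opts, name);

    const logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' +
                    getProp('localAddress')  + ':' + getProp('localPort');
    console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false));

    const start = Date.now();
    const logLifecycle = (what) => function () {
      console.log('[tcpHandler]', logName, what, (Date.now() - start) / 1000);
    };
    conn.on('timeout', logLifecycle('connection timed out'));
    conn.on('end', logLifecycle('connection ended'));
    conn.on('close', logLifecycle('connection closed'));

    if (checkTcpForward(conn, opts)) { return; }
    if (checkTcpProxy(conn, opts))   { return; }

    // XXX PEEK COMMENT XXX
    // TODO we can have our cake and eat it too
    // we can skip the need to wrap the TLS connection twice
    // because we've already peeked at the data,
    // but this needs to be handled better before we enable that
    // (because it creates new edge cases)
    if (opts.hyperPeek) {
      console.log('hyperpeek');
      peek(conn, opts.firstChunk, opts);
      return;
    }

    // Until the first chunk arrives nobody else owns this socket, so a socket error would
    // otherwise be unhandled; the listener is dropped once `peek` hands the socket on.
    function onError(err) {
      console.error('[error] socket errored peeking -', err);
      conn.destroy();
    }
    conn.once('error', onError);
    conn.once('data', function (chunk) {
      conn.removeListener('error', onError);
      peek(conn, chunk, opts);
    });
  }

  // Deferred so that the sub-modules receive the complete `modules` table (including
  // tcpHandler) and so that create() itself stays free of their require() side effects.
  process.nextTick(function () {
    modules = {};
    modules.tcpHandler = tcpHandler;
    modules.proxy = require('./proxy-conn').create(deps, config);
    modules.tls   = require('./tls').create(deps, config, modules);
    modules.http  = require('./http').create(deps, config, modules);
  });

  /**
   * Normalised list of ports from `config.tcp.bind`: integers in 1..65535, in configured order.
   * A missing or non-array `bind` yields []. Used both for binding and for the forward-rule
   * bookkeeping in `updateConf`, so both see exactly the same set of ports.
   */
  function boundPorts() {
    const bind = config.tcp.bind;
    if (!Array.isArray(bind)) { return []; }
    return bind
      .map(Number)
      .filter((port) => Number.isInteger(port) && port > 0 && port <= 65535);
  }

  /**
   * Reconcile the running listeners with `config.tcp.bind`: close ports that are no longer
   * wanted and (re)open the wanted ones with `tcpHandler`.
   * @returns {Promise} resolves when every close/open has settled
   */
  function updateListeners() {
    const current = listeners.list();
    const wanted = boundPorts();

    const closeProms = current
      .filter((port) => !wanted.includes(port))
      .map((port) => listeners.close(port, 1000));

    // We don't really need to filter here since listening on the same port with the
    // same handler function twice is basically a no-op.
    const openProms = wanted.map((port) => listeners.add(port, tcpHandler));

    return Promise.all([...closeProms, ...openProms]);
  }

  let mainPort;

  /**
   * Re-read the TCP configuration: update the listeners (asynchronously; failures are logged),
   * warn about forward rules that reference unbound or doubly-forwarded ports, and recompute
   * `mainPort`.
   */
  function updateConf() {
    updateListeners().catch(function (err) {
      console.error('Error updating TCP listeners to match bind configuration');
      console.error(err);
    });

    // Bound ports not yet claimed by a forward rule. Object keys are strings, so numeric and
    // string port values from the config land in the same bucket.
    const unforwarded = {};
    for (const port of boundPorts()) {
      unforwarded[port] = true;
    }

    config.tcp.modules.forEach(function (mod) {
      if (!['forward', 'proxy'].includes(mod.type)) {
        console.warn('unknown TCP module type specified', JSON.stringify(mod));
      }
      if (mod.type !== 'forward') { return; }

      if (!Array.isArray(mod.ports)) {
        console.warn('forward TCP module has no ports list', JSON.stringify(mod));
        return;
      }
      for (const port of mod.ports) {
        if (!unforwarded[port]) {
          console.warn('trying to forward TCP port ' + port + ' multiple times or it is unbound');
        } else {
          delete unforwarded[port];
        }
      }
    });

    // Not really sure what we can reasonably do to prevent this. At least not without making
    // our configuration validation more complicated.
    const free = Object.keys(unforwarded).map(Number);
    if (free.length === 0) {
      console.warn('no bound TCP ports are not being forwarded, admin interface will be inaccessible');
    }

    // If we are listening on port 443 make that the main port we respond to mDNS queries with
    // otherwise choose the lowest number port we are bound to but not forwarding.
    mainPort = free.includes(443) ? 443 : free.sort((a, b) => a - b)[0];
  }
  updateConf();

  const result = {
    updateConf,
    handler: tcpHandler,
  };
  // Live getter so callers always see the port computed by the most recent updateConf().
  Object.defineProperty(result, 'mainPort', { enumerable: true, get: () => mainPort });

  return result;
};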