telebit-relay.js/lib/unwrap-tls.js

'use strict';

var sni = require('sni');
var pipeWs = require('./pipe-ws.js');

module.exports.createTcpConnectionHandler = function (state) {
  var Devices = state.Devices;

  return function onTcpConnection(conn, serviceport) {
    serviceport = serviceport || conn.localPort;
    // this works when I put it here, but I don't know if it's tls yet here
    // httpsServer.emit('connection', socket);
    //tls3000.emit('connection', socket);

    //var tlsSocket = new tls.TLSSocket(socket, { secureContext: tls.createSecureContext(tlsOpts) });
    //tlsSocket.on('data', function (chunk) {
    //  console.log('dummy', chunk.byteLength);
    //});

    //return;
    conn.once('data', function (firstChunk) {
      var service = 'tcp';
      var servername;
      var str;
      var m;

      conn.pause();
      conn.unshift(firstChunk);

      // BUG XXX: this assumes that the packet won't be chunked smaller
      // than the 'hello' or the point of the 'Host' header.
      // This is fairly reasonable, but there are edge cases where
      // it does not hold (such as manual debugging with telnet)
      // and so it should be fixed at some point in the future

      // defer after return (instead of being in many places)
      function deferData(fn) {
        if (fn) {
          state[fn](servername, conn);
        }
        process.nextTick(function () {
          conn.resume();
        });
      }

      function tryTls() {
        var vhost;

        if (!servername) {
          if (state.debug) { console.log("No SNI was given, so there's nothing we can do here"); }
          deferData('httpsInvalid');
          return;
        }

        if (!state.servernames.length) {
          console.info("[Setup] https => admin => setup => (needs bogus tls certs to start?)");
          deferData('httpsSetupServer');
          return;
        }

        if (-1 !== state.servernames.indexOf(servername)) {
          if (state.debug) { console.log("[Admin]", servername); }
          deferData('httpsTunnel');
          return;
        }

        if (state.config.nowww && /^www\./i.test(servername)) {
          console.log("TODO: use www bare redirect");
        }

        function run() {
          var nextDevice = Devices.next(state.deviceLists, servername);
          if (!nextDevice) {
            if (state.debug) { console.log("No devices match the given servername"); }
            deferData('httpsInvalid');
            return;
          }

          if (state.debug) { console.log("pipeWs(servername, service, deviceLists['" + servername + "'], socket)"); }
          deferData();
          pipeWs(servername, service, nextDevice, conn, serviceport);
        }

        // TODO don't run an fs check if we already know this is working elsewhere
        //if (!state.validHosts) { state.validHosts = {}; }
        if (state.config.vhost) {
          vhost = state.config.vhost.replace(/:hostname/, (servername||'reallydoesntexist'));
          if (state.debug) { console.log("[tcp] [vhost]", state.config.vhost, "=>", vhost); }
          //state.httpsVhost(servername, conn);
          //return;
          require('fs').readdir(vhost, function (err, nodes) {
            if (state.debug && err) { console.log("VHOST error", err); }
            if (err || !nodes) { run(); return; }
            //if (nodes) { deferData('httpsVhost'); return; }
            deferData('httpsVhost');
          });
          return;
        }

        run();
      }

      // https://github.com/mscdex/httpolyglot/issues/3#issuecomment-173680155
      if (22 === firstChunk[0]) {
        // TLS
        service = 'https';
        servername = (sni(firstChunk)||'').toLowerCase().trim();
        if (state.debug) { console.log("[tcp] tls hello from '" + servername + "'"); }
        tryTls();
        return;
      }

      if (firstChunk[0] > 32 && firstChunk[0] < 127) {
        str = firstChunk.toString();
        m = str.match(/(?:^|[\r\n])Host: ([^\r\n]+)[\r\n]*/im);
        servername = (m && m[1].toLowerCase() || '').split(':')[0];
        if (state.debug) { console.log("[tcp] http hostname '" + servername + "'"); }

        if (/HTTP\//i.test(str)) {
          if (!state.servernames.length) {
            console.info("[tcp] No admin servername. Entering setup mode.");
            deferData();
            state.httpSetupServer.emit('connection', conn);
            return;
          }

          service = 'http';
          // TODO make https redirect configurable
          // /^\/\.well-known\/acme-challenge\//.test(str)
          if (/well-known/.test(str)) {
            // HTTP
            if (Devices.exist(state.deviceLists, servername)) {
              deferData();
              pipeWs(servername, service, Devices.next(state.deviceLists, servername), conn, serviceport);
              return;
            }
            deferData('handleHttp');
            return;
          }

          // redirect to https
          deferData('handleInsecureHttp');
          return;
        }
      }

      console.error("Got unexpected connection", str);
      conn.write(JSON.stringify({ error: {
        message: "not sure what you were trying to do there..."
      , code: 'E_INVALID_PROTOCOL' }
      }));
      conn.end();
    });
    conn.on('error', function (err) {
      console.error('[error] tcp socket raw TODO forward and close');
      console.error(err);
    });
  };
};
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`'use strict';`

			`var sni = require('sni');`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`var pipeWs = require('./pipe-ws.js');`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`module.exports.createTcpConnectionHandler = function (state) {`
			`var Devices = state.Devices;`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00
typo fixes and pass serviceport 2018-05-31 06:12:37 +00:00			`return function onTcpConnection(conn, serviceport) {`
minor optimization 2018-05-31 06:18:02 +00:00			`serviceport = serviceport \|\| conn.localPort;`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`// this works when I put it here, but I don't know if it's tls yet here`
			`// httpsServer.emit('connection', socket);`
			`//tls3000.emit('connection', socket);`

			`//var tlsSocket = new tls.TLSSocket(socket, { secureContext: tls.createSecureContext(tlsOpts) });`
			`//tlsSocket.on('data', function (chunk) {`
			`// console.log('dummy', chunk.byteLength);`
			`//});`

			`//return;`
			`conn.once('data', function (firstChunk) {`
major refactor (only briefly tested) 2018-06-19 23:43:28 +00:00			`var service = 'tcp';`
			`var servername;`
			`var str;`
			`var m;`

still playing peekaboo... 2018-05-26 21:21:03 +00:00			`conn.pause();`
			`conn.unshift(firstChunk);`

move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`// BUG XXX: this assumes that the packet won't be chunked smaller`
			`// than the 'hello' or the point of the 'Host' header.`
			`// This is fairly reasonable, but there are edge cases where`
			`// it does not hold (such as manual debugging with telnet)`
			`// and so it should be fixed at some point in the future`

			`// defer after return (instead of being in many places)`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`function deferData(fn) {`
			`if (fn) {`
major refactor (only briefly tested) 2018-06-19 23:43:28 +00:00			`state[fn](servername, conn);`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`}`
			`process.nextTick(function () {`
			`conn.resume();`
			`});`
			`}`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00
			`function tryTls() {`
one step closer to the edge, but without the break 2018-05-24 19:19:50 +00:00			`var vhost;`

more efficient checking 2018-06-30 23:10:18 +00:00			`if (!servername) {`
			`if (state.debug) { console.log("No SNI was given, so there's nothing we can do here"); }`
			`deferData('httpsInvalid');`
			`return;`
			`}`

add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (!state.servernames.length) {`
			`console.info("[Setup] https => admin => setup => (needs bogus tls certs to start?)");`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`deferData('httpsSetupServer');`
turning into a service, first steps 2018-05-23 11:12:39 +00:00			`return;`
			`}`

add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (-1 !== state.servernames.indexOf(servername)) {`
			`if (state.debug) { console.log("[Admin]", servername); }`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`deferData('httpsTunnel');`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`return;`
			`}`

add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (state.config.nowww && /^www\./i.test(servername)) {`
one step closer to the edge, but without the break 2018-05-24 19:19:50 +00:00			`console.log("TODO: use www bare redirect");`
			`}`

fix some sni and vhost stuff 2018-06-14 09:59:19 +00:00			`function run() {`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`var nextDevice = Devices.next(state.deviceLists, servername);`
one step closer to the edge, but without the break 2018-05-24 19:19:50 +00:00			`if (!nextDevice) {`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (state.debug) { console.log("No devices match the given servername"); }`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`deferData('httpsInvalid');`
one step closer to the edge, but without the break 2018-05-24 19:19:50 +00:00			`return;`
			`}`

major refactor (only briefly tested) 2018-06-19 23:43:28 +00:00			`if (state.debug) { console.log("pipeWs(servername, service, deviceLists['" + servername + "'], socket)"); }`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`deferData();`
major refactor (only briefly tested) 2018-06-19 23:43:28 +00:00			`pipeWs(servername, service, nextDevice, conn, serviceport);`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`}`

add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`// TODO don't run an fs check if we already know this is working elsewhere`
			`//if (!state.validHosts) { state.validHosts = {}; }`
			`if (state.config.vhost) {`
fix some sni and vhost stuff 2018-06-14 09:59:19 +00:00			`vhost = state.config.vhost.replace(/:hostname/, (servername\|\|'reallydoesntexist'));`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (state.debug) { console.log("[tcp] [vhost]", state.config.vhost, "=>", vhost); }`
major refactor (only briefly tested) 2018-06-19 23:43:28 +00:00			`//state.httpsVhost(servername, conn);`
one step closer to the edge, but without the break 2018-05-24 19:19:50 +00:00			`//return;`
			`require('fs').readdir(vhost, function (err, nodes) {`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (state.debug && err) { console.log("VHOST error", err); }`
major refactor (only briefly tested) 2018-06-19 23:43:28 +00:00			`if (err \|\| !nodes) { run(); return; }`
fix some sni and vhost stuff 2018-06-14 09:59:19 +00:00			`//if (nodes) { deferData('httpsVhost'); return; }`
			`deferData('httpsVhost');`
one step closer to the edge, but without the break 2018-05-24 19:19:50 +00:00			`});`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`return;`
			`}`

one step closer to the edge, but without the break 2018-05-24 19:19:50 +00:00			`run();`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`}`

			`// https://github.com/mscdex/httpolyglot/issues/3#issuecomment-173680155`
			`if (22 === firstChunk[0]) {`
			`// TLS`
			`service = 'https';`
fix some sni and vhost stuff 2018-06-14 09:59:19 +00:00			`servername = (sni(firstChunk)\|\|'').toLowerCase().trim();`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (state.debug) { console.log("[tcp] tls hello from '" + servername + "'"); }`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`tryTls();`
			`return;`
			`}`

			`if (firstChunk[0] > 32 && firstChunk[0] < 127) {`
			`str = firstChunk.toString();`
			`m = str.match(/(?:^\|[\r\n])Host: ([^\r\n]+)[\r\n]*/im);`
			`servername = (m && m[1].toLowerCase() \|\| '').split(':')[0];`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (state.debug) { console.log("[tcp] http hostname '" + servername + "'"); }`
turning into a service, first steps 2018-05-23 11:12:39 +00:00
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`if (/HTTP\//i.test(str)) {`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (!state.servernames.length) {`
			`console.info("[tcp] No admin servername. Entering setup mode.");`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`deferData();`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`state.httpSetupServer.emit('connection', conn);`
turning into a service, first steps 2018-05-23 11:12:39 +00:00			`return;`
			`}`

move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`service = 'http';`
turning into a service, first steps 2018-05-23 11:12:39 +00:00			`// TODO make https redirect configurable`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`// /^\/\.well-known\/acme-challenge\//.test(str)`
			`if (/well-known/.test(str)) {`
			`// HTTP`
add dynamic tcp and cleanup 2018-06-01 06:41:32 +00:00			`if (Devices.exist(state.deviceLists, servername)) {`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`deferData();`
major refactor (only briefly tested) 2018-06-19 23:43:28 +00:00			`pipeWs(servername, service, Devices.next(state.deviceLists, servername), conn, serviceport);`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`return;`
			`}`
still playing peekaboo... 2018-05-26 21:21:03 +00:00			`deferData('handleHttp');`
			`return;`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`}`
still playing peekaboo... 2018-05-26 21:21:03 +00:00
			`// redirect to https`
			`deferData('handleInsecureHttp');`
move tls-unwrapping (it may be sharable with client) 2018-04-25 17:41:20 +00:00			`return;`
			`}`
			`}`

			`console.error("Got unexpected connection", str);`
			`conn.write(JSON.stringify({ error: {`
			`message: "not sure what you were trying to do there..."`
			`, code: 'E_INVALID_PROTOCOL' }`
			`}));`
			`conn.end();`
			`});`
			`conn.on('error', function (err) {`
			`console.error('[error] tcp socket raw TODO forward and close');`
			`console.error(err);`
			`});`
			`};`
			`};`