-
-
Notifications
You must be signed in to change notification settings - Fork 21
/
https_connect_proxy.rs
192 lines (178 loc) · 6.2 KB
/
https_connect_proxy.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
//! This example demonstrates how to create an https proxy.
//!
//! This proxy example does not perform any TLS termination on the actual proxied traffic.
//! It is an adoptation of the `http_connect_proxy` example with tls termination for the incoming connections.
//!
//! # Run the example
//!
//! ```sh
//! cargo run --example https_connect_proxy --features=http-full,rustls
//! ```
//!
//! # Expected output
//!
//! The server will start and listen on `:62016`. You can use `curl` to interact with the service:
//!
//! ```sh
//! curl --proxy-insecure -v -x https://127.0.0.1:62016 --proxy-user 'john:secret' http://www.example.com
//! curl --proxy-insecure -k -v https://127.0.0.1:62016 --proxy-user 'john:secret' https://www.example.com
//! ```
//!
//! You should see in both cases the responses from the example domains.
//!
//! In case you want to use it in a standard browser,
//! you'll need to first import and trust the generated certificate.
use rama::{
graceful::Shutdown,
http::{
client::HttpClient,
layer::{
proxy_auth::ProxyAuthLayer,
trace::TraceLayer,
upgrade::{UpgradeLayer, Upgraded},
},
matcher::MethodMatcher,
server::HttpServer,
Body, IntoResponse, Request, Response, StatusCode,
},
net::http::RequestContext,
net::stream::layer::http::BodyLimitLayer,
net::tls::{
server::{SelfSignedData, ServerAuth, ServerConfig},
ApplicationProtocol, SecureTransport,
},
net::user::Basic,
rt::Executor,
service::service_fn,
tcp::{client::default_tcp_connect, server::TcpListener, utils::is_connection_error},
tls::std::server::TlsAcceptorLayer,
Context, Layer, Service,
};
use std::convert::Infallible;
use std::time::Duration;
use tracing::metadata::LevelFilter;
use tracing_subscriber::{fmt, prelude::*, EnvFilter};
#[tokio::main]
async fn main() {
tracing_subscriber::registry()
.with(fmt::layer())
.with(
EnvFilter::builder()
.with_default_directive(LevelFilter::DEBUG.into())
.from_env_lossy(),
)
.init();
let shutdown = Shutdown::default();
let tls_server_config = ServerConfig {
application_layer_protocol_negotiation: Some(vec![
ApplicationProtocol::HTTP_2,
ApplicationProtocol::HTTP_11,
]),
..ServerConfig::new(ServerAuth::SelfSigned(SelfSignedData {
organisation_name: Some("Example Server Acceptor".to_owned()),
..Default::default()
}))
};
let tls_service_data = tls_server_config
.try_into()
.expect("create tls server config");
// create tls proxy
shutdown.spawn_task_fn(|guard| async move {
let tcp_service = TcpListener::build()
.bind("127.0.0.1:62016")
.await
.expect("bind tcp proxy to 127.0.0.1:62016");
let exec = Executor::graceful(guard.clone());
let http_service = HttpServer::auto(exec.clone()).service(
(
TraceLayer::new_for_http(),
// See [`ProxyAuthLayer::with_labels`] for more information,
// e.g. can also be used to extract upstream proxy filter
ProxyAuthLayer::new(Basic::new("john", "secret")),
UpgradeLayer::new(
MethodMatcher::CONNECT,
service_fn(http_connect_accept),
service_fn(http_connect_proxy),
),
)
.layer(service_fn(http_plain_proxy)),
);
tcp_service
.serve_graceful(
guard,
(
// protect the http proxy from too large bodies, both from request and response end
BodyLimitLayer::symmetric(2 * 1024 * 1024),
TlsAcceptorLayer::new(tls_service_data).with_store_client_hello(true),
)
.layer(http_service),
)
.await;
});
shutdown
.shutdown_with_limit(Duration::from_secs(30))
.await
.expect("graceful shutdown");
}
async fn http_connect_accept<S>(
mut ctx: Context<S>,
req: Request,
) -> Result<(Response, Context<S>, Request), Response>
where
S: Clone + Send + Sync + 'static,
{
match ctx.get_or_try_insert_with_ctx::<RequestContext, _>(|ctx| (ctx, &req).try_into()) {
Ok(request_ctx) => tracing::info!("accept CONNECT to {}", request_ctx.authority),
Err(err) => {
tracing::error!(err = %err, "error extracting authority");
return Err(StatusCode::BAD_REQUEST.into_response());
}
}
tracing::info!(
"proxy secure transport ingress: {:?}",
ctx.get::<SecureTransport>()
);
Ok((StatusCode::OK.into_response(), ctx, req))
}
async fn http_connect_proxy<S>(ctx: Context<S>, mut upgraded: Upgraded) -> Result<(), Infallible>
where
S: Clone + Send + Sync + 'static,
{
let authority = ctx // assumption validated by `http_connect_accept`
.get::<RequestContext>()
.unwrap()
.authority
.clone();
tracing::info!("CONNECT to {authority}");
let (mut stream, _) = match default_tcp_connect(&ctx, authority).await {
Ok(stream) => stream,
Err(err) => {
tracing::error!(error = %err, "error connecting to host");
return Ok(());
}
};
if let Err(err) = tokio::io::copy_bidirectional(&mut upgraded, &mut stream).await {
if !is_connection_error(&err) {
tracing::error!(error = %err, "error copying data");
}
}
Ok(())
}
async fn http_plain_proxy<S>(ctx: Context<S>, req: Request) -> Result<Response, Infallible>
where
S: Clone + Send + Sync + 'static,
{
let client = HttpClient::default();
let uri = req.uri().clone();
tracing::debug!(uri = %req.uri(), "proxy connect plain text request");
match client.serve(ctx, req).await {
Ok(resp) => Ok(resp),
Err(err) => {
tracing::error!(error = %err, uri = %uri, "error in client request");
Ok(Response::builder()
.status(StatusCode::INTERNAL_SERVER_ERROR)
.body(Body::empty())
.unwrap())
}
}
}