Start of tcpproxy. No Listener or reverse dialing yet.

Author: bradfitz

LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2017 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,3 @@
+# tcpproxy
+
+See https://godoc.org/github.com/bradfitz/tcpproxy/

http.go

@@ -0,0 +1,97 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tcpproxy
+
+import (
+	"bufio"
+	"bytes"
+	"net/http"
+)
+
+// AddHTTPHostRoute appends a route to the ipPort listener that says
+// if the incoming HTTP/1.x Host header name is httpHost, the
+// connection is given to dest. If it doesn't match, rule processing
+// continues for any additional routes on ipPort.
+//
+// The ipPort is any valid net.Listen TCP address.
+func (p *Proxy) AddHTTPHostRoute(ipPort, httpHost string, dest Target) {
+	p.addRoute(ipPort, httpHostMatch(httpHost), dest)
+}
+
+type httpHostMatch string
+
+func (host httpHostMatch) match(br *bufio.Reader) bool {
+	return httpHostHeader(br) == string(host)
+}
+
+// httpHostHeader returns the HTTP Host header from br without
+// consuming any of its bytes. It returns "" if it can't find one.
+func httpHostHeader(br *bufio.Reader) string {
+	const maxPeek = 4 << 10
+	peekSize := 0
+	for {
+		peekSize++
+		if peekSize > maxPeek {
+			b, _ := br.Peek(br.Buffered())
+			return httpHostHeaderFromBytes(b)
+		}
+		b, err := br.Peek(peekSize)
+		if n := br.Buffered(); n > peekSize {
+			b, _ = br.Peek(n)
+			peekSize = n
+		}
+		if len(b) > 0 {
+			if b[0] < 'A' || b[0] > 'Z' {
+				// Doesn't look like an HTTP verb
+				// (GET, POST, etc).
+				return ""
+			}
+			if bytes.Index(b, crlfcrlf) != -1 || bytes.Index(b, lflf) != -1 {
+				req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(b)))
+				if err != nil {
+					return ""
+				}
+				if len(req.Header["Host"]) > 1 {
+					// TODO(bradfitz): what does
+					// ReadRequest do if there are
+					// multiple Host headers?
+					return ""
+				}
+				return req.Host
+			}
+		}
+		if err != nil {
+			return httpHostHeaderFromBytes(b)
+		}
+	}
+}
+
+var (
+	lfHostColon = []byte("\nHost:")
+	lfhostColon = []byte("\nhost:")
+	crlf        = []byte("\r\n")
+	lf          = []byte("\n")
+	crlfcrlf    = []byte("\r\n\r\n")
+	lflf        = []byte("\n\n")
+)
+
+func httpHostHeaderFromBytes(b []byte) string {
+	if i := bytes.Index(b, lfHostColon); i != -1 {
+		return string(bytes.TrimSpace(untilEOL(b[i+len(lfHostColon):])))
+	}
+	if i := bytes.Index(b, lfhostColon); i != -1 {
+		return string(bytes.TrimSpace(untilEOL(b[i+len(lfhostColon):])))
+	}
+	return ""
+}
+
+// untilEOL returns v, truncated before the first '\n' byte, if any.
+// The returned slice may include a '\r' at the end.
+func untilEOL(v []byte) []byte {
+	if i := bytes.IndexByte(v, '\n'); i != -1 {
+		return v[:i]
+	}
+	return v
+}

sni.go

@@ -0,0 +1,66 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tcpproxy
+
+import (
+	"bufio"
+	"bytes"
+	"crypto/tls"
+	"io"
+	"net"
+)
+
+// AddSNIRoute appends a route to the ipPort listener that says if the
+// incoming TLS SNI server name is sni, the connection is given to
+// dest. If it doesn't match, rule processing continues for any
+// additional routes on ipPort.
+//
+// The ipPort is any valid net.Listen TCP address.
+func (p *Proxy) AddSNIRoute(ipPort, sni string, dest Target) {
+	p.addRoute(ipPort, sniMatch(sni), dest)
+}
+
+type sniMatch string
+
+func (sni sniMatch) match(br *bufio.Reader) bool {
+	return clientHelloServerName(br) == string(sni)
+}
+
+// clientHelloServerName returns the SNI server name inside the TLS ClientHello,
+// without consuming any bytes from br.
+// On any error, the empty string is returned.
+func clientHelloServerName(br *bufio.Reader) (sni string) {
+	const recordHeaderLen = 5
+	hdr, err := br.Peek(recordHeaderLen)
+	if err != nil {
+		return ""
+	}
+	const recordTypeHandshake = 0x16
+	if hdr[0] != recordTypeHandshake {
+		return "" // Not TLS.
+	}
+	recLen := int(hdr[3])<<8 | int(hdr[4]) // ignoring version in hdr[1:3]
+	helloBytes, err := br.Peek(recordHeaderLen + recLen)
+	if err != nil {
+		return ""
+	}
+	tls.Server(sniSniffConn{r: bytes.NewReader(helloBytes)}, &tls.Config{
+		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
+			sni = hello.ServerName
+			return nil, nil
+		},
+	}).Handshake()
+	return
+}
+
+// sniSniffConn is a net.Conn that reads from r, fails on Writes,
+// and crashes otherwise.
+type sniSniffConn struct {
+	r        io.Reader
+	net.Conn // nil; crash on any unexpected use
+}
+
+func (c sniSniffConn) Read(p []byte) (int, error) { return c.r.Read(p) }
+func (sniSniffConn) Write(p []byte) (int, error)  { return 0, io.EOF }