nodpi-https-proxy: add --block-http option, better parsing for destination, quieter conn errors

Author: mk-fg

README.md

@@ -2588,14 +2588,15 @@ Not a replacement for wireshark or tcpdump firehose-filters.
 ##### [nodpi-https-proxy](nodpi-https-proxy)
 
 Simpler ~100-line version of [GVCoder09/NoDPI] http-proxy script,
-which fragments https requests where it detects SNI that won't be
-allowed through by some censorshit DPI otherwise.
+which fragments https requests where it detects SNI domains that won't
+be allowed through by some state-censorshit DPI devices otherwise.
 
-Rewritten to not have as much needless stats, boilerplate, verbosity
-and cross-platform cruft, to make easier adjustments, e.g. to start/stop
-as-needed in systemd user session:
+Rewritten to not have as much needless stats, boilerplate, verbosity and
+cross-platform cruft, to make easier adjustments, e.g. to block plain http
+and start/stop as-needed in systemd user session:
 
 ``` ini
+# nodpi.socket
 [Socket]
 ListenStream=127.0.0.1:8101
 
@@ -2604,9 +2605,10 @@ WantedBy=sockets.target
 ```
 
 ``` ini
+# nodpi.service
 [Service]
 Type=exec
-ExecStart=nodpi-https-proxy -t 600
+ExecStart=nodpi-https-proxy --block-http --idle-timeout 600
 ```
 
 [GVCoder09/NoDPI]: https://github.com/GVCoder09/NoDPI

nodpi-https-proxy

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-import os, sys, socket, logging, inspect, random, signal, asyncio, contextlib as cl
+import os, sys, socket, logging, inspect, random, signal, asyncio
 
 
 err_fmt = lambda err: f'[{err.__class__.__name__}] {err}'
@@ -9,8 +9,8 @@ class HTTPSFragProxy:
 
 	buff_sz = 1500
 
-	def __init__(self, sni_list=None, idle_timeout=None, **bind):
-		self.idle_timeout, self.bind = idle_timeout, bind
+	def __init__(self, sni_list=None, idle_timeout=None, block_http=False, **bind):
+		self.idle_timeout, self.block_http, self.bind = idle_timeout, block_http, bind
 		if sni_list is not None:
 			if not sni_list: sni_list = [b'\0'] # match nothing
 			else: sni_list = list(s.strip().encode() for s in sni_list)
@@ -33,47 +33,48 @@ class HTTPSFragProxy:
 				return os.kill(os.getpid(), signal.SIGTERM)
 			self.activity.clear()
 
-	async def conn_wrap(self, func, reader, writer, close_writer=False):
+	async def conn_wrap(self, func, cid, reader, writer, close_writer=True):
 		try: await func(reader, writer)
-		except Exception as err:
+		except Exception as err: # handles client closing connection too
 			writer.close()
-			self.log.exception('Failed handing connection: %s', err_fmt(err))
+			self.log.info('Connection error [%s]: %s', ':'.join(cid), err_fmt(err))
 		finally:
 			if close_writer: writer.close()
 
 	def conn_handle(self, reader, writer):
-		return self.conn_wrap(self._conn_handle, reader, writer)
-	async def _conn_handle(self, reader, writer):
+		cid = list(map(str, writer.get_extra_info('peername')))
+		return self.conn_wrap(lambda *a: self._conn_handle(cid, *a), cid, reader, writer)
+
+	async def _conn_handle(self, cid, reader, writer):
 		self.activity.set()
-		cid = ':'.join(map(str, writer.get_extra_info('peername')))
 		http_data = await reader.read(self.buff_sz)
 		if not http_data: writer.close(); return
-		method, url = (headers := http_data.split(b'\r\n'))[0].decode().split()[:2]
+		method, url = dst = http_data.split(b'\r\n')[0].decode().split()[:2]
 		self.log.debug( 'Connection [%s] ::'
-			' %s %s [buff=%d]', cid, method, url, len(http_data) )
+			' %s %s [buff=%d]', ':'.join(cid), method, url, len(http_data) )
+		cid.extend(dst)
 
-		if https := (method == 'CONNECT'): # https
-			host, _, port = url.partition(':')
-			port = int(port) if port else 443
-		else: # paintext http
-			host_header = next((h for h in headers if h.startswith(b'Host: ')), None)
-			if not host_header: raise ValueError('Missing Host header')
-			host, _, port = host_header[6:].partition(b':')
-			host, port = host.decode(), int(port) if port else 80
+		if https := (method == 'CONNECT'): port_default = 443
+		elif not url.startswith('http://') or self.block_http: raise ValueError(url)
+		else: url, port_default = url[7:].split('/', 1)[0], 80
+		host, _, port = url.rpartition(':')
+		if host and port and port.isdigit(): port = int(port)
+		else: host, port = url, port_default
+		if host[0] == '[' and host[-1] == ']': host = host[1:-1] # raw ipv6
 
 		try: xreader, xwriter = await asyncio.open_connection(host, port)
-		except OSError as err: return self.log.info( 'Connection [%s]'
-			' to %s:%s failed (tls=%s): %s', cid, host, port, int(https), err_fmt(err) )
+		except OSError as err: return self.log.info( 'Connection [%s] to %s:%s'
+			' failed (tls=%s): %s', ':'.join(cid), host, port, int(https), err_fmt(err) )
 		self.activity.set()
 		if not https: xwriter.write(http_data); await xwriter.drain()
 		else:
 			writer.write(b'HTTP/1.1 200 Connection Established\r\n\r\n')
 			await writer.drain()
-			await self.conn_wrap(self.fragment_data, reader, xwriter)
+			await self.conn_wrap(self.fragment_data, cid, reader, xwriter, False)
 
 		for task in asyncio.as_completed([
-				self.conn_wrap(self.pipe, reader, xwriter, True),
-				self.conn_wrap(self.pipe, xreader, writer, True) ]):
+				self.conn_wrap(self.pipe, cid, reader, xwriter),
+				self.conn_wrap(self.pipe, cid, xreader, writer) ]):
 			await task
 
 	async def fragment_data(self, reader, writer):
@@ -121,22 +122,20 @@ def main(args=None):
 		Default is to apply such fragmentation to all processed connections.'''))
 	parser.add_argument('-t', '--idle-timeout', type=float, metavar='seconds', help=dd('''
 		Stop after number of seconds being idle. Useful if started from systemd socket.'''))
+	parser.add_argument('--block-http', action='store_true', help=dd('''
+		Reject/close insecure plaintext http connections made through the proxy.'''))
 	parser.add_argument('--debug', action='store_true', help='Verbose logging to stderr.')
 	opts = parser.parse_args(sys.argv[1:] if args is None else args)
 
-	@cl.contextmanager
-	def in_file(path):
-		if not path or path == '-': return (yield sys.stdin)
-		if path[0] == '%': path = int(path[1:])
-		with open(path) as src: yield src
-
 	logging.basicConfig( format='%(levelname)s :: %(message)s',
 		level=logging.WARNING if not opts.debug else logging.DEBUG )
 	log = logging.getLogger('nhp.main')
 
 	sni_list = None
-	if opts.frag_domains:
-		with in_file(opts.frag_domains) as src: sni_list = src.read().split()
+	if p := opts.frag_domains:
+		if not p or p == '-': src = sys.stdin
+		else: src = open(p if p[0] != '%' else int(p[1:]))
+		sni_list = src.read().split()
 
 	sd_pid, sd_fds = (int(os.environ.get(f'LISTEN_{k}', 0)) for k in ['PID', 'FDS'])
 	if sd_pid == os.getpid() and sd_fds:
@@ -147,7 +146,8 @@ def main(args=None):
 	else:
 		host, _, port = opts.bind.partition(':'); port = int(port or 8101)
 		proxy = dict(host=host, port=port)
-	proxy = HTTPSFragProxy(sni_list=sni_list, idle_timeout=opts.idle_timeout, **proxy)
+	proxy = HTTPSFragProxy( sni_list=sni_list,
+		idle_timeout=opts.idle_timeout, block_http=opts.block_http, **proxy )
 
 	log.debug( 'Starting proxy (%s)...',
 		f'{len(sni_list):,d} SNI domains' if sni_list is not None else 'fragmenting any SNI' )