GitHub/ergo
3
0
Fork 0
mirror of https://github.com/ergochat/ergo.git synced 2024-11-25 21:39:25 +01:00
Code Issues Projects Releases Wiki Activity

fix #561, take 2

Browse Source
This commit is contained in:
Shivaram Lingamneni 2019-11-20 17:14:42 -05:00
parent 5cce365092
commit 50783d5276
5 changed files with 85 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
irc/client.go
View File

@ -190,7 +190,7 @@ type ClientDetails struct {
} }
// RunClient sets up a new client and runs its goroutine. // RunClient sets up a new client and runs its goroutine.
func (server *Server) RunClient(conn clientConn) { func (server *Server) RunClient(conn clientConn, proxyLine string) {
var isBanned bool var isBanned bool
var banMsg string var banMsg string
var realIP net.IP var realIP net.IP
@ -278,7 +278,7 @@ func (server *Server) RunClient(conn clientConn) {
client.proxiedIP = session.proxiedIP client.proxiedIP = session.proxiedIP
server.stats.Add() server.stats.Add()
client.run(session) client.run(session, proxyLine)
} }
func (client *Client) doIdentLookup(conn net.Conn) { func (client *Client) doIdentLookup(conn net.Conn) {
@ -371,11 +371,9 @@ func (client *Client) t(originalString string) string {
return languageManager.Translate(client.Languages(), originalString) return languageManager.Translate(client.Languages(), originalString)
} }
// // main client goroutine: read lines and execute the corresponding commands
// command goroutine // `proxyLine` is the PROXY-before-TLS line, if there was one
// func (client *Client) run(session *Session, proxyLine string) {
func (client *Client) run(session *Session) {
defer func() { defer func() {
if r := recover(); r != nil { if r := recover(); r != nil {
@ -414,7 +412,14 @@ func (client *Client) run(session *Session) {
for { for {
maxlenRest := session.MaxlenRest() maxlenRest := session.MaxlenRest()
line, err := session.socket.Read() var line string
var err error
if proxyLine == "" {
line, err = session.socket.Read()
} else {
line = proxyLine // pretend we're just now receiving the proxy-before-TLS line
proxyLine = ""
}
if err != nil { if err != nil {
quitMessage := "connection closed" quitMessage := "connection closed"
if err == errReadQ { if err == errReadQ {
@ -483,7 +488,7 @@ func (client *Client) run(session *Session) {
break break
} else if session.client != client { } else if session.client != client {
// bouncer reattach // bouncer reattach
go session.client.run(session) go session.client.run(session, "")
break break
} }
} }

8
irc/config.go
View File

@ -41,6 +41,7 @@ import (
type TLSListenConfig struct { type TLSListenConfig struct {
Cert string Cert string
Key string Key string
Proxy bool
} }
// This is the YAML-deserializable type of the value of the `Server.Listeners` map // This is the YAML-deserializable type of the value of the `Server.Listeners` map
@ -56,6 +57,7 @@ type listenerConfig struct {
TLSConfig *tls.Config TLSConfig *tls.Config
IsTor bool IsTor bool
IsSTSOnly bool IsSTSOnly bool
IsTLSProxy bool
} }
type AccountConfig struct { type AccountConfig struct {
@ -529,6 +531,7 @@ func (conf *Config) prepareListeners() (err error) {
return err return err
} }
lconf.TLSConfig = tlsConfig lconf.TLSConfig = tlsConfig
lconf.IsTLSProxy = block.TLS.Proxy
} }
listeners[addr] = lconf listeners[addr] = lconf
} }
@ -848,5 +851,10 @@ func LoadConfig(filename string) (config *Config, err error) {
return nil, err return nil, err
} }
err = config.prepareListeners()
if err != nil {
return nil, fmt.Errorf("failed to prepare listeners: %v", err)
}
return config, nil return config, nil
} }

45
irc/gateways.go
View File

@ -10,6 +10,7 @@ import (
"fmt" "fmt"
"net" "net"
"strings" "strings"
"time"
"github.com/oragono/oragono/irc/modes" "github.com/oragono/oragono/irc/modes"
"github.com/oragono/oragono/irc/utils" "github.com/oragono/oragono/irc/utils"
@ -20,6 +21,13 @@ var (
errBadProxyLine = errors.New("Invalid PROXY/WEBIRC command") errBadProxyLine = errors.New("Invalid PROXY/WEBIRC command")
) )
const (
// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
// "a 108-byte buffer is always enough to store all the line and a trailing zero
// for string processing."
maxProxyLineLen = 107
)
type webircConfig struct { type webircConfig struct {
PasswordString string `yaml:"password"` PasswordString string `yaml:"password"`
Password []byte `yaml:"password-bytes"` Password []byte `yaml:"password-bytes"`
@ -75,10 +83,10 @@ func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls boo
client.stateMutex.Lock() client.stateMutex.Lock()
defer client.stateMutex.Unlock() defer client.stateMutex.Unlock()
session.proxiedIP = parsedProxiedIP
client.proxiedIP = parsedProxiedIP client.proxiedIP = parsedProxiedIP
session.rawHostname = rawHostname
client.rawHostname = rawHostname client.rawHostname = rawHostname
session.proxiedIP = parsedProxiedIP
session.rawHostname = rawHostname
client.cloakedHostname = cloakedHostname client.cloakedHostname = cloakedHostname
// nickmask will be updated when the client completes registration // nickmask will be updated when the client completes registration
// set tls info // set tls info
@ -118,3 +126,36 @@ func handleProxyCommand(server *Server, client *Client, session *Session, line s
return errBadGatewayAddress return errBadGatewayAddress
} }
} }
// read a PROXY line one byte at a time, to ensure we don't read anything beyond
// that into a buffer, which would break the TLS handshake
func readRawProxyLine(conn net.Conn) (result string) {
// normally this is covered by ping timeouts, but we're doing this outside
// of the normal client goroutine:
conn.SetDeadline(time.Now().Add(time.Minute))
defer conn.SetDeadline(time.Time{})
var buf [maxProxyLineLen]byte
oneByte := make([]byte, 1)
i := 0
for i < maxProxyLineLen {
n, err := conn.Read(oneByte)
if err != nil {
return
} else if n == 1 {
buf[i] = oneByte[0]
if buf[i] == '\n' {
candidate := string(buf[0 : i+1])
if strings.HasPrefix(candidate, "PROXY") {
return candidate
} else {
return
}
}
i += 1
}
}
// no \r\n, fail out
return
}

13
irc/server.go
View File

@ -307,6 +307,15 @@ func (server *Server) createListener(addr string, conf listenerConfig, bindMode
listener.Close() listener.Close()
return return
} else if err == nil { } else if err == nil {
var proxyLine string
if conf.IsTLSProxy {
proxyLine = readRawProxyLine(conn)
if proxyLine == "" {
server.logger.Error("internal", "bad TLS-proxy line from", addr)
conn.Close()
continue
}
}
if conf.TLSConfig != nil { if conf.TLSConfig != nil {
conn = tls.Server(conn, conf.TLSConfig) conn = tls.Server(conn, conf.TLSConfig)
} }
@ -315,7 +324,7 @@ func (server *Server) createListener(addr string, conf listenerConfig, bindMode
Config: conf, Config: conf,
} }
// hand off the connection // hand off the connection
go server.RunClient(newConn) go server.RunClient(newConn, proxyLine)
} else { } else {
server.logger.Error("internal", "accept error", addr, err.Error()) server.logger.Error("internal", "accept error", addr, err.Error())
} }
@ -868,7 +877,7 @@ func (server *Server) loadDatastore(config *Config) error {
func (server *Server) setupListeners(config *Config) (err error) { func (server *Server) setupListeners(config *Config) (err error) {
logListener := func(addr string, config listenerConfig) { logListener := func(addr string, config listenerConfig) {
server.logger.Info("listeners", server.logger.Info("listeners",
fmt.Sprintf("now listening on %s, tls=%t, tor=%t.", addr, (config.TLSConfig != nil), config.IsTor), fmt.Sprintf("now listening on %s, tls=%t, tlsproxy=%t, tor=%t.", addr, (config.TLSConfig != nil), config.IsTLSProxy, config.IsTor),
) )
} }

4
oragono.yaml
View File

@ -30,6 +30,10 @@ server:
tls: tls:
key: tls.key key: tls.key
cert: tls.crt cert: tls.crt
# 'proxy' should typically be false. It's only for Kubernetes-style load
# balancing that does not terminate TLS, but sends an initial PROXY line
# in plaintext.
proxy: false
# Example of a Unix domain socket for proxying: # Example of a Unix domain socket for proxying:
# "/tmp/oragono_sock": # "/tmp/oragono_sock":