commit a336f89a1e0796026a473151b3f3035af93c947f Author: fangdingjun Date: Sat May 12 17:05:20 2018 +0800 init commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5c44f8e --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +*.key +*.pem +tlsendpoint* \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100755 index 0000000..341c30b --- /dev/null +++ b/LICENSE @@ -0,0 +1,166 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. + + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. + + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. + + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. + diff --git a/README.md b/README.md new file mode 100644 index 0000000..629bfff --- /dev/null +++ b/README.md @@ -0,0 +1,21 @@ +tlsendpoint +============ + +a tls termination util that forward the request to backend server by sni name + +support many different kind of backends, tcp, unix, tls... + + +example: + + client A requests with sni name a.example.com forward to 127.0.0.1:8081 + + client B requests with sni name b.example.com forward to + 127.0.0.1:8082 + +usage + + go get github.com/fangdingjun/tlsendpoint + cp $GOPATH/src/github.com/fangdingjun/tlsendpoint/config_example.yaml config.yaml + vim config.yaml + $GOPATH/bin/tlsendpoint -c config.yaml \ No newline at end of file diff --git a/config.go b/config.go new file mode 100644 index 0000000..c5dbe34 --- /dev/null +++ b/config.go @@ -0,0 +1,60 @@ +package main + +import ( + "crypto/tls" + "io/ioutil" + "log" + "net/url" + + "github.com/go-yaml/yaml" +) + +type conf struct { + Listen []string `yaml:"listen"` + Forward []forward `yaml:"forward"` + Certificate []certificate `yaml:"certificate"` + DefaultBackend string `yaml:"default_backend"` +} + +type forward struct { + SNI string `yaml:"sni"` + Backend string `yaml:"backend"` +} + +type certificate struct { + Cert string `yaml:"cert"` + Key string `yaml:"key"` +} + +func loadConfig(f string) (c *conf, err error) { + data, err := ioutil.ReadFile(f) + if err != nil { + return + } + c = &conf{} + if err = yaml.Unmarshal(data, c); err != nil { + return + } + return +} + +func (f forward) match(sni string) bool { + if f.SNI == sni { + return true + } + return false +} + +func (f forward) getBackend() *url.URL { + u, err := url.Parse(f.Backend) + if err != nil { + log.Println(err) + return nil + } + return u +} + +func (c certificate) load() (tls.Certificate, error) { + cert, err := tls.LoadX509KeyPair(c.Cert, c.Key) + return cert, err +} diff --git a/config_example.yaml b/config_example.yaml new file mode 100644 index 0000000..d233f7d --- /dev/null +++ b/config_example.yaml @@ -0,0 +1,27 @@ +listen: + - :10312 + - 127.0.0.1:11113 + +certificate: + - + cert: a.pem + key: a.key + - + cert: b.pem + key: b.key + +forward: + - + sni: a.example.com + backend: tcp://127.0.0.1:9002 + - + sni: b.example.com + backend: http://127.0.0.1:8001 + - + sni: b.example.com + backend: unix:///tmp/a.sock + - + sni: d.example.com + backend: tls://localhost:1921 + +default_backend: tcp://localhost:1212 diff --git a/config_test.go b/config_test.go new file mode 100644 index 0000000..0d9a8a9 --- /dev/null +++ b/config_test.go @@ -0,0 +1,14 @@ +package main + +import ( + "fmt" + "testing" +) + +func TestConfig(t *testing.T) { + c, err := loadConfig("config_example.yaml") + if err != nil { + t.Fatal(err) + } + fmt.Printf("%+v\n", c) +} diff --git a/handler.go b/handler.go new file mode 100644 index 0000000..180d6b9 --- /dev/null +++ b/handler.go @@ -0,0 +1,121 @@ +package main + +import ( + "crypto/tls" + "fmt" + "io" + "log" + "net" + "net/url" + "strings" +) + +func initHandler() { + var _certs []tls.Certificate + for _, _c := range _config.Certificate { + _cert, err := _c.load() + if err != nil { + log.Println("load certificate failed", err) + continue + } + _certs = append(_certs, _cert) + + } + _tlsconfig := &tls.Config{ + Certificates: _certs, + } + _tlsconfig.BuildNameToCertificate() + + for _, _l := range _config.Listen { + l, err := tls.Listen("tcp", _l, _tlsconfig) + if err != nil { + log.Fatal(err) + } + + go func(l net.Listener) { + defer l.Close() + for { + c, err := l.Accept() + if err != nil { + break + } + go handleConnection(c) + } + }(l) + } +} + +func handleConnection(c net.Conn) { + defer c.Close() + + log.Printf("connection from %s", c.RemoteAddr().String()) + tlsconn := c.(*tls.Conn) + connstate := tlsconn.ConnectionState() + for !connstate.HandshakeComplete { + if err := tlsconn.Handshake(); err != nil { + log.Println(err) + return + } + connstate = tlsconn.ConnectionState() + } + + log.Printf("handshake complete") + servername := connstate.ServerName + var backend *url.URL + for _, f := range _config.Forward { + if !f.match(servername) { + continue + } + backend = f.getBackend() + break + } + if backend == nil { + _b, err := url.Parse(_config.DefaultBackend) + if err != nil { + log.Println(err) + return + } + backend = _b + } + log.Printf("sni name %s, get backend: %s", servername, backend.String()) + handleForward(tlsconn, backend) +} + +func handleForward(c *tls.Conn, b *url.URL) { + var remote net.Conn + var err error + + log.Printf("forward to %s", b.String()) + switch b.Scheme { + case "tcp": + remote, err = net.Dial("tcp", b.Host) + case "unix": + remote, err = net.Dial("unix", b.Host) + case "http": + if !strings.Contains(b.Host, ":") { + b.Host = fmt.Sprintf("%s:80", b.Host) + } + remote, err = net.Dial("tcp", b.Host) + case "tls": + h, _, _ := net.SplitHostPort(b.Host) + remote, err = tls.Dial("tcp", b.Host, &tls.Config{ServerName: h}) + } + + if err != nil { + log.Println(err) + return + } + log.Println("begin data forward") + + defer remote.Close() + ch := make(chan struct{}, 2) + go func() { + io.Copy(c, remote) + ch <- struct{}{} + }() + go func() { + io.Copy(remote, c) + ch <- struct{}{} + }() + <-ch +} diff --git a/main.go b/main.go new file mode 100644 index 0000000..93b51f6 --- /dev/null +++ b/main.go @@ -0,0 +1,23 @@ +package main + +import ( + "flag" + "log" +) + +var _config *conf + +func main() { + var configfile string + flag.StringVar(&configfile, "c", "config.yaml", "config file") + flag.Parse() + + cfg, err := loadConfig(configfile) + if err != nil { + log.Fatal(err) + } + _config = cfg + + initHandler() + select {} +}