clash/listener/http/proxy.go

package http

import (
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/Dreamacro/clash/adapter/inbound"
	"github.com/Dreamacro/clash/common/cache"
	N "github.com/Dreamacro/clash/common/net"
	C "github.com/Dreamacro/clash/constant"
	authStore "github.com/Dreamacro/clash/listener/auth"
	"github.com/Dreamacro/clash/log"
)

func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.Cache) {
	client := newClient(c.RemoteAddr(), in)
	defer client.CloseIdleConnections()

	conn := N.NewBufferedConn(c)

	keepAlive := true
	trusted := cache == nil // disable authenticate if cache is nil

	for keepAlive {
		request, err := ReadRequest(conn.Reader())
		if err != nil {
			break
		}

		request.RemoteAddr = conn.RemoteAddr().String()

		keepAlive = strings.TrimSpace(strings.ToLower(request.Header.Get("Proxy-Connection"))) == "keep-alive"

		var resp *http.Response

		if !trusted {
			resp = authenticate(request, cache)

			trusted = resp == nil
		}

		if trusted {
			if request.Method == http.MethodConnect {
				resp = responseWith(200)
				resp.Status = "Connection established"
				resp.ContentLength = -1

				if resp.Write(conn) != nil {
					break // close connection
				}

				in <- inbound.NewHTTPS(request, conn)

				return // hijack connection
			}

			host := request.Header.Get("Host")
			if host != "" {
				request.Host = host
			}

			request.RequestURI = ""

			removeHopByHopHeaders(request.Header)
			removeExtraHTTPHostPort(request)

			if request.URL.Scheme == "" || request.URL.Host == "" {
				resp = responseWith(http.StatusBadRequest)
			} else {
				resp, err = client.Do(request)
				if err != nil {
					resp = responseWith(http.StatusBadGateway)
				}
			}

			removeHopByHopHeaders(resp.Header)
		}

		if keepAlive {
			resp.Header.Set("Proxy-Connection", "keep-alive")
			resp.Header.Set("Connection", "keep-alive")
			resp.Header.Set("Keep-Alive", "timeout=4")
		}

		resp.Close = !keepAlive

		err = resp.Write(conn)
		if err != nil {
			break // close connection
		}
	}

	conn.Close()
}

func authenticate(request *http.Request, cache *cache.Cache) *http.Response {
	authenticator := authStore.Authenticator()
	if authenticator != nil {
		credential := parseBasicProxyAuthorization(request)
		if credential == "" {
			resp := responseWith(http.StatusProxyAuthRequired)
			resp.Header.Set("Proxy-Authenticate", "Basic")
			return resp
		}

		var authed interface{}
		if authed = cache.Get(credential); authed == nil {
			user, pass, err := decodeBasicProxyAuthorization(credential)
			authed = err == nil && authenticator.Verify(user, pass)
			cache.Put(credential, authed, time.Minute)
		}
		if !authed.(bool) {
			log.Infoln("Auth failed from %s", request.RemoteAddr)

			return responseWith(http.StatusForbidden)
		}
	}

	return nil
}

func responseWith(statusCode int) *http.Response {
	return &http.Response{
		StatusCode: statusCode,
		Status:     http.StatusText(statusCode),
		Proto:      "HTTP/1.1",
		ProtoMajor: 1,
		ProtoMinor: 1,
		Header:     http.Header{},
	}
}
Refactor: plain http proxy (#1443) 2021-06-15 09:13:40 +00:00			`package http`

			`import (`
			`"net"`
			`"net/http"`
			`"strings"`
			`"time"`

			`"github.com/Dreamacro/clash/adapter/inbound"`
			`"github.com/Dreamacro/clash/common/cache"`
			`N "github.com/Dreamacro/clash/common/net"`
			`C "github.com/Dreamacro/clash/constant"`
			`authStore "github.com/Dreamacro/clash/listener/auth"`
			`"github.com/Dreamacro/clash/log"`
			`)`

			`func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.Cache) {`
			`client := newClient(c.RemoteAddr(), in)`
			`defer client.CloseIdleConnections()`

			`conn := N.NewBufferedConn(c)`

			`keepAlive := true`
			`trusted := cache == nil // disable authenticate if cache is nil`

			`for keepAlive {`
Fix: HTTP proxy internal linkage signature (#1555) 2021-08-20 15:38:47 +00:00			`request, err := ReadRequest(conn.Reader())`
Refactor: plain http proxy (#1443) 2021-06-15 09:13:40 +00:00			`if err != nil {`
			`break`
			`}`

			`request.RemoteAddr = conn.RemoteAddr().String()`

			`keepAlive = strings.TrimSpace(strings.ToLower(request.Header.Get("Proxy-Connection"))) == "keep-alive"`

			`var resp *http.Response`

			`if !trusted {`
			`resp = authenticate(request, cache)`

			`trusted = resp == nil`
			`}`

			`if trusted {`
			`if request.Method == http.MethodConnect {`
			`resp = responseWith(200)`
			`resp.Status = "Connection established"`
Fix: remove Content-Length from CONNECT response (#1502) 2021-07-22 10:06:03 +00:00			`resp.ContentLength = -1`
Refactor: plain http proxy (#1443) 2021-06-15 09:13:40 +00:00
			`if resp.Write(conn) != nil {`
			`break // close connection`
			`}`

			`in <- inbound.NewHTTPS(request, conn)`

			`return // hijack connection`
			`}`

			`host := request.Header.Get("Host")`
			`if host != "" {`
			`request.Host = host`
			`}`

			`request.RequestURI = ""`

Fix: http/https proxy authentication (#1613) 2021-09-13 16:08:23 +00:00			`removeHopByHopHeaders(request.Header)`
			`removeExtraHTTPHostPort(request)`
Refactor: plain http proxy (#1443) 2021-06-15 09:13:40 +00:00
			`if request.URL.Scheme == "" \|\| request.URL.Host == "" {`
			`resp = responseWith(http.StatusBadRequest)`
			`} else {`
			`resp, err = client.Do(request)`
			`if err != nil {`
			`resp = responseWith(http.StatusBadGateway)`
			`}`
			`}`

Fix: http/https proxy authentication (#1613) 2021-09-13 16:08:23 +00:00			`removeHopByHopHeaders(resp.Header)`
			`}`
Refactor: plain http proxy (#1443) 2021-06-15 09:13:40 +00:00
			`if keepAlive {`
			`resp.Header.Set("Proxy-Connection", "keep-alive")`
			`resp.Header.Set("Connection", "keep-alive")`
			`resp.Header.Set("Keep-Alive", "timeout=4")`
			`}`

			`resp.Close = !keepAlive`

			`err = resp.Write(conn)`
			`if err != nil {`
			`break // close connection`
			`}`
			`}`

			`conn.Close()`
			`}`

			`func authenticate(request http.Request, cache cache.Cache) *http.Response {`
			`authenticator := authStore.Authenticator()`
			`if authenticator != nil {`
Fix: http/https proxy authentication (#1613) 2021-09-13 16:08:23 +00:00			`credential := parseBasicProxyAuthorization(request)`
Refactor: plain http proxy (#1443) 2021-06-15 09:13:40 +00:00			`if credential == "" {`
			`resp := responseWith(http.StatusProxyAuthRequired)`
			`resp.Header.Set("Proxy-Authenticate", "Basic")`
			`return resp`
			`}`

			`var authed interface{}`
			`if authed = cache.Get(credential); authed == nil {`
Fix: http/https proxy authentication (#1613) 2021-09-13 16:08:23 +00:00			`user, pass, err := decodeBasicProxyAuthorization(credential)`
Refactor: plain http proxy (#1443) 2021-06-15 09:13:40 +00:00			`authed = err == nil && authenticator.Verify(user, pass)`
			`cache.Put(credential, authed, time.Minute)`
			`}`
			`if !authed.(bool) {`
			`log.Infoln("Auth failed from %s", request.RemoteAddr)`

			`return responseWith(http.StatusForbidden)`
			`}`
			`}`

			`return nil`
			`}`

			`func responseWith(statusCode int) *http.Response {`
			`return &http.Response{`
			`StatusCode: statusCode,`
			`Status: http.StatusText(statusCode),`
			`Proto: "HTTP/1.1",`
			`ProtoMajor: 1,`
			`ProtoMinor: 1,`
			`Header: http.Header{},`
			`}`
			`}`