mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-25 14:45:52 -05:00
Improved DNS based web relay, #4210
This commit is contained in:
parent
5ba9d7e503
commit
b33900dfbf
@ -218,9 +218,13 @@ module.exports.CreateWebRelay = function (parent, db, args, domain) {
|
||||
if (obj.relayActive == false) { console.log("ERROR: Attempt to use an unconnected tunnel"); return false; }
|
||||
parent.lastOperation = obj.lastOperation = Date.now();
|
||||
|
||||
// Check if this is a websocket
|
||||
if (req.headers['upgrade'] == 'websocket') { console.log('Attempt to process a websocket in HTTP tunnel method.'); res.end(); return false; }
|
||||
|
||||
// Construct the HTTP request
|
||||
var request = req.method + ' ' + req.url + ' HTTP/' + req.httpVersion + '\r\n';
|
||||
const blockedHeaders = ['origin', 'cookie', 'upgrade-insecure-requests', 'sec-ch-ua', 'sec-ch-ua-mobile', 'dnt', 'sec-fetch-user', 'sec-ch-ua-platform', 'sec-fetch-site', 'sec-fetch-mode', 'sec-fetch-dest']; // These are headers we do not forward
|
||||
const blockedHeaders = ['host', 'origin', 'cookie', 'upgrade-insecure-requests', 'sec-ch-ua', 'sec-ch-ua-mobile', 'dnt', 'sec-fetch-user', 'sec-ch-ua-platform', 'sec-fetch-site', 'sec-fetch-mode', 'sec-fetch-dest']; // These are headers we do not forward
|
||||
request += 'host: central.mesh.meshcentral.com\r\n';
|
||||
for (var i in req.headers) { if (blockedHeaders.indexOf(i) == -1) { request += i + ': ' + req.headers[i] + '\r\n'; } }
|
||||
var cookieStr = '';
|
||||
for (var i in parent.webCookies) { if (cookieStr != '') { cookieStr += '; ' } cookieStr += (i + '=' + parent.webCookies[i].value); }
|
||||
|
188
webserver.js
188
webserver.js
@ -13,7 +13,7 @@
|
||||
/*jshint esversion: 6 */
|
||||
'use strict';
|
||||
|
||||
// SerialTunnel object is used to embed TLS within another connection.
|
||||
// SerialTunnel object is used to embed TLS within another connection.e
|
||||
function SerialTunnel(options) {
|
||||
var obj = new require('stream').Duplex(options);
|
||||
obj.forwardwrite = null;
|
||||
@ -5742,6 +5742,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||
if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); }
|
||||
obj.app.use(obj.session(sessionOptions));
|
||||
|
||||
// Handle all incoming web sockets, see if some need to be handled as web relays
|
||||
obj.app.ws('/*', function (ws, req, next) {
|
||||
if ((obj.webRelayRouter != null) && (req.hostname == obj.args.relaydns)) { handleWebRelayWebSocket(ws, req); return; }
|
||||
return next();
|
||||
});
|
||||
|
||||
// Add HTTP security headers to all responses
|
||||
obj.app.use(function (req, res, next) {
|
||||
// Check if a session is destroyed
|
||||
@ -5842,23 +5848,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||
}
|
||||
|
||||
// If this is a web relay connection, handle it here.
|
||||
if ((typeof obj.args.relaydns == 'string') && (req.headers.host == obj.args.relaydns) && (!req.url.startsWith('/control-redirect.ashx?n='))) {
|
||||
// If this is a normal request (GET, POST, etc) handle it here
|
||||
if ((req.session.userid != null) && (req.session.rid != null)) {
|
||||
var relaySession = webRelaySessions[req.session.userid + '/' + req.session.rid];
|
||||
if (relaySession != null) {
|
||||
// The web relay session is valid, use it
|
||||
relaySession.handleRequest(req, res);
|
||||
} else {
|
||||
// No web relay ession with this relay identifier, close the HTTP request.
|
||||
res.sendStatus(404);
|
||||
}
|
||||
} else {
|
||||
// The user is not logged in or does not have a relay identifier, close the HTTP request.
|
||||
res.sendStatus(404);
|
||||
}
|
||||
return;
|
||||
}
|
||||
if ((obj.webRelayRouter != null) && (req.hostname == obj.args.relaydns)) { return obj.webRelayRouter(req, res); }
|
||||
|
||||
// Get the domain for this request
|
||||
const domain = req.xdomain = getDomain(req);
|
||||
@ -6125,65 +6115,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||
});
|
||||
}
|
||||
|
||||
// Setup web relay on this web server if needed
|
||||
// We set this up when a DNS name is used as a web relay instead of a port
|
||||
if (typeof obj.args.relaydns == 'string') {
|
||||
// This is the magic URL that will setup the relay session
|
||||
obj.app.get('/control-redirect.ashx', function (req, res, next) {
|
||||
if (req.headers.host != obj.args.relaydns) { res.sendStatus(404); return; }
|
||||
if ((req.session.userid == null) && obj.args.user && obj.users['user//' + obj.args.user.toLowerCase()]) { req.session.userid = 'user//' + obj.args.user.toLowerCase(); } // Use a default user if needed
|
||||
if ((req.session == null) || (req.session.userid == null)) { res.redirect('/'); return; }
|
||||
res.set({ 'Cache-Control': 'no-store' });
|
||||
parent.debug('web', 'webRelaySetup');
|
||||
|
||||
// Check that all the required arguments are present
|
||||
if ((req.session.userid == null) || (req.query.n == null) || (req.query.p == null) || ((req.query.appid != 1) && (req.query.appid != 2))) { res.redirect('/'); return; }
|
||||
|
||||
// Get the user and domain information
|
||||
const userid = req.session.userid;
|
||||
const domainid = userid.split('/')[1];
|
||||
const domain = parent.config.domains[domainid];
|
||||
const nodeid = ((req.query.relayid != null) ? req.query.relayid : req.query.n);
|
||||
const addr = (req.query.addr != null) ? req.query.addr : '127.0.0.1';
|
||||
const port = parseInt(req.query.p);
|
||||
const appid = parseInt(req.query.appid);
|
||||
|
||||
// Check to see if we already have a multi-relay session that matches exactly this device and port for this user
|
||||
var relaySession = null;
|
||||
for (var i in webRelaySessions) {
|
||||
const xrelaySession = webRelaySessions[i];
|
||||
if ((xrelaySession.domain.id == domain.id) && (xrelaySession.userid == userid) && (xrelaySession.nodeid == nodeid) && (xrelaySession.addr == addr) && (xrelaySession.port == port) && (xrelaySession.appid == appid)) {
|
||||
relaySession = xrelaySession; // We found an exact match
|
||||
}
|
||||
}
|
||||
|
||||
if (relaySession != null) {
|
||||
// Since we found a match, use it
|
||||
req.session.rid = relaySession.sessionId;
|
||||
} else {
|
||||
// Create a web relay session
|
||||
relaySession = require('./apprelays.js').CreateWebRelaySession(parent, db, req, args, domain, userid, nodeid, addr, port, appid);
|
||||
relaySession.onclose = function (sessionId) {
|
||||
// Remove the relay session
|
||||
delete webRelaySessions[sessionId];
|
||||
// If there are not more relay sessions, clear the cleanup timer
|
||||
if ((Object.keys(webRelaySessions).length == 0) && (webRelayCleanupTimer != null)) { clearInterval(webRelayCleanupTimer); webRelayCleanupTimer = null; }
|
||||
}
|
||||
relaySession.sessionId = webRelayNextSessionId++;
|
||||
|
||||
// Set the multi-tunnel session
|
||||
webRelaySessions[userid + '/' + relaySession.sessionId] = relaySession;
|
||||
req.session.rid = relaySession.sessionId;
|
||||
|
||||
// Setup the cleanup timer if needed
|
||||
if (webRelayCleanupTimer == null) { webRelayCleanupTimer = setInterval(checkWebRelaySessionsTimeout, 10000); }
|
||||
}
|
||||
|
||||
// Redirect to root
|
||||
res.redirect('/');
|
||||
});
|
||||
}
|
||||
|
||||
// Setup firebase push only server
|
||||
if ((obj.parent.firebase != null) && (obj.parent.config.firebase)) {
|
||||
if (obj.parent.config.firebase.pushrelayserver) { parent.debug('email', 'Firebase-pushrelay-handler'); obj.app.post(url + 'firebaserelay.aspx', obj.bodyParser.urlencoded({ extended: false }), handleFirebasePushOnlyRelayRequest); }
|
||||
@ -6515,7 +6446,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Server redirects
|
||||
@ -6609,6 +6539,73 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||
obj.agentapp.get(url + 'meshagents', obj.handleMeshAgentRequest);
|
||||
}
|
||||
|
||||
// Setup web relay on this web server if needed
|
||||
// We set this up when a DNS name is used as a web relay instead of a port
|
||||
if (typeof obj.args.relaydns == 'string') {
|
||||
obj.webRelayRouter = require('express').Router();
|
||||
|
||||
// This is the magic URL that will setup the relay session
|
||||
obj.webRelayRouter.get('/control-redirect.ashx', function (req, res, next) {
|
||||
if (req.headers.host != obj.args.relaydns) { res.sendStatus(404); return; }
|
||||
if ((req.session.userid == null) && obj.args.user && obj.users['user//' + obj.args.user.toLowerCase()]) { req.session.userid = 'user//' + obj.args.user.toLowerCase(); } // Use a default user if needed
|
||||
if ((req.session == null) || (req.session.userid == null)) { res.redirect('/'); return; }
|
||||
res.set({ 'Cache-Control': 'no-store' });
|
||||
parent.debug('web', 'webRelaySetup');
|
||||
|
||||
// Check that all the required arguments are present
|
||||
if ((req.session.userid == null) || (req.query.n == null) || (req.query.p == null) || ((req.query.appid != 1) && (req.query.appid != 2))) { res.redirect('/'); return; }
|
||||
|
||||
// Get the user and domain information
|
||||
const userid = req.session.userid;
|
||||
const domainid = userid.split('/')[1];
|
||||
const domain = parent.config.domains[domainid];
|
||||
const nodeid = ((req.query.relayid != null) ? req.query.relayid : req.query.n);
|
||||
const addr = (req.query.addr != null) ? req.query.addr : '127.0.0.1';
|
||||
const port = parseInt(req.query.p);
|
||||
const appid = parseInt(req.query.appid);
|
||||
|
||||
// Check to see if we already have a multi-relay session that matches exactly this device and port for this user
|
||||
var relaySession = null;
|
||||
for (var i in webRelaySessions) {
|
||||
const xrelaySession = webRelaySessions[i];
|
||||
if ((xrelaySession.domain.id == domain.id) && (xrelaySession.userid == userid) && (xrelaySession.nodeid == nodeid) && (xrelaySession.addr == addr) && (xrelaySession.port == port) && (xrelaySession.appid == appid)) {
|
||||
relaySession = xrelaySession; // We found an exact match
|
||||
}
|
||||
}
|
||||
|
||||
if (relaySession != null) {
|
||||
// Since we found a match, use it
|
||||
req.session.rid = relaySession.sessionId;
|
||||
} else {
|
||||
// Create a web relay session
|
||||
relaySession = require('./apprelays.js').CreateWebRelaySession(parent, db, req, args, domain, userid, nodeid, addr, port, appid);
|
||||
relaySession.onclose = function (sessionId) {
|
||||
// Remove the relay session
|
||||
delete webRelaySessions[sessionId];
|
||||
// If there are not more relay sessions, clear the cleanup timer
|
||||
if ((Object.keys(webRelaySessions).length == 0) && (webRelayCleanupTimer != null)) { clearInterval(webRelayCleanupTimer); webRelayCleanupTimer = null; }
|
||||
}
|
||||
relaySession.sessionId = webRelayNextSessionId++;
|
||||
|
||||
// Set the multi-tunnel session
|
||||
webRelaySessions[userid + '/' + relaySession.sessionId] = relaySession;
|
||||
req.session.rid = relaySession.sessionId;
|
||||
|
||||
// Setup the cleanup timer if needed
|
||||
if (webRelayCleanupTimer == null) { webRelayCleanupTimer = setInterval(checkWebRelaySessionsTimeout, 10000); }
|
||||
}
|
||||
|
||||
// Redirect to root
|
||||
res.redirect('/');
|
||||
});
|
||||
|
||||
// Handle all incoming requests as web relays
|
||||
obj.webRelayRouter.get('/*', function (req, res) { handleWebRelayRequest(req, res); })
|
||||
|
||||
// Handle all incoming requests as web relays
|
||||
obj.webRelayRouter.post('/*', function (req, res) { handleWebRelayRequest(req, res); })
|
||||
}
|
||||
|
||||
// Indicates to ExpressJS that the override public folder should be used to serve static files.
|
||||
if (parent.config.domains[i].webpublicpath != null) {
|
||||
// Use domain public path
|
||||
@ -6648,6 +6645,41 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||
if (doneFunc) doneFunc();
|
||||
}
|
||||
|
||||
|
||||
// Handle an incoming request as a web relay
|
||||
function handleWebRelayRequest(req, res) {
|
||||
if ((req.session.userid != null) && (req.session.rid != null)) {
|
||||
var relaySession = webRelaySessions[req.session.userid + '/' + req.session.rid];
|
||||
if (relaySession != null) {
|
||||
// The web relay session is valid, use it
|
||||
relaySession.handleRequest(req, res);
|
||||
} else {
|
||||
// No web relay ession with this relay identifier, close the HTTP request.
|
||||
res.sendStatus(404);
|
||||
}
|
||||
} else {
|
||||
// The user is not logged in or does not have a relay identifier, close the HTTP request.
|
||||
res.sendStatus(404);
|
||||
}
|
||||
}
|
||||
|
||||
// Handle an incoming websocket connection as a web relay
|
||||
function handleWebRelayWebSocket(ws, req) {
|
||||
if ((req.session.userid != null) && (req.session.rid != null)) {
|
||||
var relaySession = webRelaySessions[req.session.userid + '/' + req.session.rid];
|
||||
if (relaySession != null) {
|
||||
// The multi-tunnel session is valid, use it
|
||||
relaySession.handleWebSocket(ws, req);
|
||||
} else {
|
||||
// No multi-tunnel session with this relay identifier, close the websocket.
|
||||
ws.close();
|
||||
}
|
||||
} else {
|
||||
// The user is not logged in or does not have a relay identifier, close the websocket.
|
||||
ws.close();
|
||||
}
|
||||
}
|
||||
|
||||
// Perform server inner authentication
|
||||
// This is a type of server authentication where the client will open the socket regardless of the TLS certificate and request that the server
|
||||
// sign a client nonce with the server agent cert and return the response. Only after that will the client send the client authentication username
|
||||
|
Loading…
Reference in New Issue
Block a user