Improved DNS based web relay, #4210

This commit is contained in:
Ylian Saint-Hilaire 2022-07-03 18:17:57 -07:00
parent 5ba9d7e503
commit b33900dfbf
2 changed files with 115 additions and 79 deletions

View File

@ -218,9 +218,13 @@ module.exports.CreateWebRelay = function (parent, db, args, domain) {
if (obj.relayActive == false) { console.log("ERROR: Attempt to use an unconnected tunnel"); return false; } if (obj.relayActive == false) { console.log("ERROR: Attempt to use an unconnected tunnel"); return false; }
parent.lastOperation = obj.lastOperation = Date.now(); parent.lastOperation = obj.lastOperation = Date.now();
// Check if this is a websocket
if (req.headers['upgrade'] == 'websocket') { console.log('Attempt to process a websocket in HTTP tunnel method.'); res.end(); return false; }
// Construct the HTTP request // Construct the HTTP request
var request = req.method + ' ' + req.url + ' HTTP/' + req.httpVersion + '\r\n'; var request = req.method + ' ' + req.url + ' HTTP/' + req.httpVersion + '\r\n';
const blockedHeaders = ['origin', 'cookie', 'upgrade-insecure-requests', 'sec-ch-ua', 'sec-ch-ua-mobile', 'dnt', 'sec-fetch-user', 'sec-ch-ua-platform', 'sec-fetch-site', 'sec-fetch-mode', 'sec-fetch-dest']; // These are headers we do not forward const blockedHeaders = ['host', 'origin', 'cookie', 'upgrade-insecure-requests', 'sec-ch-ua', 'sec-ch-ua-mobile', 'dnt', 'sec-fetch-user', 'sec-ch-ua-platform', 'sec-fetch-site', 'sec-fetch-mode', 'sec-fetch-dest']; // These are headers we do not forward
request += 'host: central.mesh.meshcentral.com\r\n';
for (var i in req.headers) { if (blockedHeaders.indexOf(i) == -1) { request += i + ': ' + req.headers[i] + '\r\n'; } } for (var i in req.headers) { if (blockedHeaders.indexOf(i) == -1) { request += i + ': ' + req.headers[i] + '\r\n'; } }
var cookieStr = ''; var cookieStr = '';
for (var i in parent.webCookies) { if (cookieStr != '') { cookieStr += '; ' } cookieStr += (i + '=' + parent.webCookies[i].value); } for (var i in parent.webCookies) { if (cookieStr != '') { cookieStr += '; ' } cookieStr += (i + '=' + parent.webCookies[i].value); }

View File

@ -13,7 +13,7 @@
/*jshint esversion: 6 */ /*jshint esversion: 6 */
'use strict'; 'use strict';
// SerialTunnel object is used to embed TLS within another connection. // SerialTunnel object is used to embed TLS within another connection.e
function SerialTunnel(options) { function SerialTunnel(options) {
var obj = new require('stream').Duplex(options); var obj = new require('stream').Duplex(options);
obj.forwardwrite = null; obj.forwardwrite = null;
@ -5742,6 +5742,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); } if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); }
obj.app.use(obj.session(sessionOptions)); obj.app.use(obj.session(sessionOptions));
// Handle all incoming web sockets, see if some need to be handled as web relays
obj.app.ws('/*', function (ws, req, next) {
if ((obj.webRelayRouter != null) && (req.hostname == obj.args.relaydns)) { handleWebRelayWebSocket(ws, req); return; }
return next();
});
// Add HTTP security headers to all responses // Add HTTP security headers to all responses
obj.app.use(function (req, res, next) { obj.app.use(function (req, res, next) {
// Check if a session is destroyed // Check if a session is destroyed
@ -5842,23 +5848,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
} }
// If this is a web relay connection, handle it here. // If this is a web relay connection, handle it here.
if ((typeof obj.args.relaydns == 'string') && (req.headers.host == obj.args.relaydns) && (!req.url.startsWith('/control-redirect.ashx?n='))) { if ((obj.webRelayRouter != null) && (req.hostname == obj.args.relaydns)) { return obj.webRelayRouter(req, res); }
// If this is a normal request (GET, POST, etc) handle it here
if ((req.session.userid != null) && (req.session.rid != null)) {
var relaySession = webRelaySessions[req.session.userid + '/' + req.session.rid];
if (relaySession != null) {
// The web relay session is valid, use it
relaySession.handleRequest(req, res);
} else {
// No web relay ession with this relay identifier, close the HTTP request.
res.sendStatus(404);
}
} else {
// The user is not logged in or does not have a relay identifier, close the HTTP request.
res.sendStatus(404);
}
return;
}
// Get the domain for this request // Get the domain for this request
const domain = req.xdomain = getDomain(req); const domain = req.xdomain = getDomain(req);
@ -6125,65 +6115,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
}); });
} }
// Setup web relay on this web server if needed
// We set this up when a DNS name is used as a web relay instead of a port
if (typeof obj.args.relaydns == 'string') {
// This is the magic URL that will setup the relay session
obj.app.get('/control-redirect.ashx', function (req, res, next) {
if (req.headers.host != obj.args.relaydns) { res.sendStatus(404); return; }
if ((req.session.userid == null) && obj.args.user && obj.users['user//' + obj.args.user.toLowerCase()]) { req.session.userid = 'user//' + obj.args.user.toLowerCase(); } // Use a default user if needed
if ((req.session == null) || (req.session.userid == null)) { res.redirect('/'); return; }
res.set({ 'Cache-Control': 'no-store' });
parent.debug('web', 'webRelaySetup');
// Check that all the required arguments are present
if ((req.session.userid == null) || (req.query.n == null) || (req.query.p == null) || ((req.query.appid != 1) && (req.query.appid != 2))) { res.redirect('/'); return; }
// Get the user and domain information
const userid = req.session.userid;
const domainid = userid.split('/')[1];
const domain = parent.config.domains[domainid];
const nodeid = ((req.query.relayid != null) ? req.query.relayid : req.query.n);
const addr = (req.query.addr != null) ? req.query.addr : '127.0.0.1';
const port = parseInt(req.query.p);
const appid = parseInt(req.query.appid);
// Check to see if we already have a multi-relay session that matches exactly this device and port for this user
var relaySession = null;
for (var i in webRelaySessions) {
const xrelaySession = webRelaySessions[i];
if ((xrelaySession.domain.id == domain.id) && (xrelaySession.userid == userid) && (xrelaySession.nodeid == nodeid) && (xrelaySession.addr == addr) && (xrelaySession.port == port) && (xrelaySession.appid == appid)) {
relaySession = xrelaySession; // We found an exact match
}
}
if (relaySession != null) {
// Since we found a match, use it
req.session.rid = relaySession.sessionId;
} else {
// Create a web relay session
relaySession = require('./apprelays.js').CreateWebRelaySession(parent, db, req, args, domain, userid, nodeid, addr, port, appid);
relaySession.onclose = function (sessionId) {
// Remove the relay session
delete webRelaySessions[sessionId];
// If there are not more relay sessions, clear the cleanup timer
if ((Object.keys(webRelaySessions).length == 0) && (webRelayCleanupTimer != null)) { clearInterval(webRelayCleanupTimer); webRelayCleanupTimer = null; }
}
relaySession.sessionId = webRelayNextSessionId++;
// Set the multi-tunnel session
webRelaySessions[userid + '/' + relaySession.sessionId] = relaySession;
req.session.rid = relaySession.sessionId;
// Setup the cleanup timer if needed
if (webRelayCleanupTimer == null) { webRelayCleanupTimer = setInterval(checkWebRelaySessionsTimeout, 10000); }
}
// Redirect to root
res.redirect('/');
});
}
// Setup firebase push only server // Setup firebase push only server
if ((obj.parent.firebase != null) && (obj.parent.config.firebase)) { if ((obj.parent.firebase != null) && (obj.parent.config.firebase)) {
if (obj.parent.config.firebase.pushrelayserver) { parent.debug('email', 'Firebase-pushrelay-handler'); obj.app.post(url + 'firebaserelay.aspx', obj.bodyParser.urlencoded({ extended: false }), handleFirebasePushOnlyRelayRequest); } if (obj.parent.config.firebase.pushrelayserver) { parent.debug('email', 'Firebase-pushrelay-handler'); obj.app.post(url + 'firebaserelay.aspx', obj.bodyParser.urlencoded({ extended: false }), handleFirebasePushOnlyRelayRequest); }
@ -6515,7 +6446,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
} }
} }
} }
} }
// Server redirects // Server redirects
@ -6609,6 +6539,73 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
obj.agentapp.get(url + 'meshagents', obj.handleMeshAgentRequest); obj.agentapp.get(url + 'meshagents', obj.handleMeshAgentRequest);
} }
// Setup web relay on this web server if needed
// We set this up when a DNS name is used as a web relay instead of a port
if (typeof obj.args.relaydns == 'string') {
obj.webRelayRouter = require('express').Router();
// This is the magic URL that will setup the relay session
obj.webRelayRouter.get('/control-redirect.ashx', function (req, res, next) {
if (req.headers.host != obj.args.relaydns) { res.sendStatus(404); return; }
if ((req.session.userid == null) && obj.args.user && obj.users['user//' + obj.args.user.toLowerCase()]) { req.session.userid = 'user//' + obj.args.user.toLowerCase(); } // Use a default user if needed
if ((req.session == null) || (req.session.userid == null)) { res.redirect('/'); return; }
res.set({ 'Cache-Control': 'no-store' });
parent.debug('web', 'webRelaySetup');
// Check that all the required arguments are present
if ((req.session.userid == null) || (req.query.n == null) || (req.query.p == null) || ((req.query.appid != 1) && (req.query.appid != 2))) { res.redirect('/'); return; }
// Get the user and domain information
const userid = req.session.userid;
const domainid = userid.split('/')[1];
const domain = parent.config.domains[domainid];
const nodeid = ((req.query.relayid != null) ? req.query.relayid : req.query.n);
const addr = (req.query.addr != null) ? req.query.addr : '127.0.0.1';
const port = parseInt(req.query.p);
const appid = parseInt(req.query.appid);
// Check to see if we already have a multi-relay session that matches exactly this device and port for this user
var relaySession = null;
for (var i in webRelaySessions) {
const xrelaySession = webRelaySessions[i];
if ((xrelaySession.domain.id == domain.id) && (xrelaySession.userid == userid) && (xrelaySession.nodeid == nodeid) && (xrelaySession.addr == addr) && (xrelaySession.port == port) && (xrelaySession.appid == appid)) {
relaySession = xrelaySession; // We found an exact match
}
}
if (relaySession != null) {
// Since we found a match, use it
req.session.rid = relaySession.sessionId;
} else {
// Create a web relay session
relaySession = require('./apprelays.js').CreateWebRelaySession(parent, db, req, args, domain, userid, nodeid, addr, port, appid);
relaySession.onclose = function (sessionId) {
// Remove the relay session
delete webRelaySessions[sessionId];
// If there are not more relay sessions, clear the cleanup timer
if ((Object.keys(webRelaySessions).length == 0) && (webRelayCleanupTimer != null)) { clearInterval(webRelayCleanupTimer); webRelayCleanupTimer = null; }
}
relaySession.sessionId = webRelayNextSessionId++;
// Set the multi-tunnel session
webRelaySessions[userid + '/' + relaySession.sessionId] = relaySession;
req.session.rid = relaySession.sessionId;
// Setup the cleanup timer if needed
if (webRelayCleanupTimer == null) { webRelayCleanupTimer = setInterval(checkWebRelaySessionsTimeout, 10000); }
}
// Redirect to root
res.redirect('/');
});
// Handle all incoming requests as web relays
obj.webRelayRouter.get('/*', function (req, res) { handleWebRelayRequest(req, res); })
// Handle all incoming requests as web relays
obj.webRelayRouter.post('/*', function (req, res) { handleWebRelayRequest(req, res); })
}
// Indicates to ExpressJS that the override public folder should be used to serve static files. // Indicates to ExpressJS that the override public folder should be used to serve static files.
if (parent.config.domains[i].webpublicpath != null) { if (parent.config.domains[i].webpublicpath != null) {
// Use domain public path // Use domain public path
@ -6648,6 +6645,41 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if (doneFunc) doneFunc(); if (doneFunc) doneFunc();
} }
// Handle an incoming request as a web relay
function handleWebRelayRequest(req, res) {
if ((req.session.userid != null) && (req.session.rid != null)) {
var relaySession = webRelaySessions[req.session.userid + '/' + req.session.rid];
if (relaySession != null) {
// The web relay session is valid, use it
relaySession.handleRequest(req, res);
} else {
// No web relay ession with this relay identifier, close the HTTP request.
res.sendStatus(404);
}
} else {
// The user is not logged in or does not have a relay identifier, close the HTTP request.
res.sendStatus(404);
}
}
// Handle an incoming websocket connection as a web relay
function handleWebRelayWebSocket(ws, req) {
if ((req.session.userid != null) && (req.session.rid != null)) {
var relaySession = webRelaySessions[req.session.userid + '/' + req.session.rid];
if (relaySession != null) {
// The multi-tunnel session is valid, use it
relaySession.handleWebSocket(ws, req);
} else {
// No multi-tunnel session with this relay identifier, close the websocket.
ws.close();
}
} else {
// The user is not logged in or does not have a relay identifier, close the websocket.
ws.close();
}
}
// Perform server inner authentication // Perform server inner authentication
// This is a type of server authentication where the client will open the socket regardless of the TLS certificate and request that the server // This is a type of server authentication where the client will open the socket regardless of the TLS certificate and request that the server
// sign a client nonce with the server agent cert and return the response. Only after that will the client send the client authentication username // sign a client nonce with the server agent cert and return the response. Only after that will the client send the client authentication username