mirror of
https://github.com/lightninglabs/aperture.git
synced 2025-12-17 09:04:19 +01:00
514 lines
15 KiB
Go
514 lines
15 KiB
Go
package proxy
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"os"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/lightninglabs/aperture/auth"
|
|
"github.com/lightninglabs/aperture/l402"
|
|
"google.golang.org/grpc/codes"
|
|
)
|
|
|
|
const (
|
|
// formatPattern is the pattern in which the request log will be
|
|
// printed. This is loosely oriented on the apache log format.
|
|
// An example entry would look like this:
|
|
// 2019-11-09 04:07:55.072 [INF] PRXY: 66.249.69.89 - -
|
|
// "GET /availability/v1/btc.json HTTP/1.1" "" "Mozilla/5.0 ..."
|
|
formatPattern = "- - \"%s %s %s\" \"%s\" \"%s\""
|
|
hdrContentType = "Content-Type"
|
|
hdrGrpcStatus = "Grpc-Status"
|
|
hdrGrpcMessage = "Grpc-Message"
|
|
hdrTypeGrpc = "application/grpc"
|
|
)
|
|
|
|
// LocalService is an interface that describes a service that is handled
|
|
// internally by aperture and is not proxied to another backend.
|
|
type LocalService interface {
|
|
http.Handler
|
|
|
|
// IsHandling returns true if the local service is handling the given
|
|
// request. If one of the local services returns true on this method
|
|
// then a request is not forwarded/proxied to any of the remote
|
|
// backends.
|
|
IsHandling(r *http.Request) bool
|
|
}
|
|
|
|
// localService is a struct that represents a service that is local to aperture
|
|
// and is not proxied to a remote backend.
|
|
type localService struct {
|
|
handler http.Handler
|
|
isHandling func(r *http.Request) bool
|
|
}
|
|
|
|
// NewLocalService creates a new local service.
|
|
func NewLocalService(h http.Handler, f func(r *http.Request) bool) LocalService {
|
|
return &localService{handler: h, isHandling: f}
|
|
}
|
|
|
|
// ServeHTTP is the http.Handler implementation.
|
|
func (l *localService) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
|
|
l.handler.ServeHTTP(rw, r)
|
|
}
|
|
|
|
// IsHandling returns true if the local service is handling the given
|
|
// request.
|
|
func (l *localService) IsHandling(r *http.Request) bool {
|
|
return l.isHandling(r)
|
|
}
|
|
|
|
// Proxy is a HTTP, HTTP/2 and gRPC handler that takes an incoming request,
|
|
// uses its authenticator to validate the request's headers, and either returns
|
|
// a challenge to the client or forwards the request to another server and
|
|
// proxies the response back to the client.
|
|
type Proxy struct {
|
|
proxyBackend *httputil.ReverseProxy
|
|
localServices []LocalService
|
|
authenticator auth.Authenticator
|
|
services []*Service
|
|
blocklist map[string]struct{}
|
|
}
|
|
|
|
// New returns a new Proxy instance that proxies between the services specified,
|
|
// using the auth to validate each request's headers and get new challenge
|
|
// headers if necessary.
|
|
func New(auth auth.Authenticator, services []*Service,
|
|
blocklist []string, localServices ...LocalService) (*Proxy, error) {
|
|
|
|
blMap := make(map[string]struct{})
|
|
for _, ip := range blocklist {
|
|
parsed := net.ParseIP(ip)
|
|
if parsed == nil {
|
|
log.Warnf("Could not parse IP %q in blocklist; skipping", ip)
|
|
continue
|
|
}
|
|
blMap[parsed.String()] = struct{}{}
|
|
}
|
|
|
|
proxy := &Proxy{
|
|
localServices: localServices,
|
|
authenticator: auth,
|
|
services: services,
|
|
blocklist: blMap,
|
|
}
|
|
err := proxy.UpdateServices(services)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return proxy, nil
|
|
}
|
|
|
|
// ServeHTTP checks a client's headers for appropriate authorization and either
|
|
// returns a challenge or forwards their request to the target backend service.
|
|
func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
// Parse and log the remote IP address. We also need the parsed IP
|
|
// address for the freebie count.
|
|
remoteIP, prefixLog := NewRemoteIPPrefixLog(log, r.RemoteAddr)
|
|
logRequest := func() {
|
|
prefixLog.Infof(formatPattern, r.Method, r.RequestURI, r.Proto,
|
|
r.Referer(), r.UserAgent())
|
|
}
|
|
defer logRequest()
|
|
|
|
// Blocklist check
|
|
if _, blocked := p.blocklist[remoteIP.String()]; blocked {
|
|
log.Debugf("Blocked request from IP: %s", remoteIP)
|
|
addCorsHeaders(w.Header())
|
|
sendDirectResponse(w, r, http.StatusForbidden, "access denied")
|
|
return
|
|
}
|
|
|
|
// For OPTIONS requests we only need to set the CORS headers, not serve
|
|
// any content;
|
|
if r.Method == "OPTIONS" {
|
|
addCorsHeaders(w.Header())
|
|
sendDirectResponse(w, r, http.StatusOK, "")
|
|
return
|
|
}
|
|
|
|
// If the request is a gRPC request, we need to set the Content-Type
|
|
// header to application/grpc.
|
|
if strings.HasPrefix(r.Header.Get(hdrContentType), hdrTypeGrpc) {
|
|
w.Header().Set(hdrContentType, hdrTypeGrpc)
|
|
}
|
|
|
|
// Requests that can't be matched to a service backend will be
|
|
// dispatched to the static file server. If the file exists in the
|
|
// static file folder it will be served, otherwise the static server
|
|
// will return a 404 for us.
|
|
target, ok := matchService(r, p.services)
|
|
if !ok {
|
|
// This isn't a request for any configured remote backend that
|
|
// we are proxying for. So we give it to the local service that
|
|
// claims is responsible for it.
|
|
for _, ls := range p.localServices {
|
|
if ls.IsHandling(r) {
|
|
prefixLog.Debugf("Dispatching request %s to "+
|
|
"local service.", r.URL.Path)
|
|
ls.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
}
|
|
|
|
// If we get here, something is quite wrong. At least the static
|
|
// file server should have picked up the request and serve a
|
|
// 404 response. So nothing we can do here except returning an
|
|
// error.
|
|
addCorsHeaders(w.Header())
|
|
sendDirectResponse(w, r, http.StatusInternalServerError, "")
|
|
return
|
|
}
|
|
|
|
resourceName := target.ResourceName(r.URL.Path)
|
|
|
|
// Determine auth level required to access service and dispatch request
|
|
// accordingly.
|
|
authLevel := target.AuthRequired(r)
|
|
skipInvoiceCreation := target.SkipInvoiceCreation(r)
|
|
switch {
|
|
case authLevel.IsOn():
|
|
// Determine if the header contains the authentication
|
|
// required for the given resource. The call to Accept is
|
|
// called in each case body rather than outside the switch so
|
|
// as to avoid calling this possibly expensive call for static
|
|
// resources.
|
|
acceptAuth := p.authenticator.Accept(&r.Header, resourceName)
|
|
if !acceptAuth {
|
|
if skipInvoiceCreation {
|
|
addCorsHeaders(w.Header())
|
|
sendDirectResponse(
|
|
w, r, http.StatusUnauthorized,
|
|
"unauthorized",
|
|
)
|
|
|
|
return
|
|
}
|
|
|
|
price, err := target.pricer.GetPrice(r.Context(), r)
|
|
if err != nil {
|
|
prefixLog.Errorf("error getting "+
|
|
"resource price: %v", err)
|
|
sendDirectResponse(
|
|
w, r, http.StatusInternalServerError,
|
|
"failure fetching "+
|
|
"resource price",
|
|
)
|
|
return
|
|
}
|
|
|
|
// If the price returned is zero, then break out of the
|
|
// switch statement and allow access to the service.
|
|
if price == 0 {
|
|
break
|
|
}
|
|
|
|
prefixLog.Infof("Authentication failed. Sending 402.")
|
|
p.handlePaymentRequired(w, r, resourceName, price)
|
|
return
|
|
}
|
|
|
|
case authLevel.IsFreebie():
|
|
// We only need to respect the freebie counter if the user
|
|
// is not authenticated at all.
|
|
acceptAuth := p.authenticator.Accept(&r.Header, resourceName)
|
|
if !acceptAuth {
|
|
ok, err := target.freebieDB.CanPass(r, remoteIP)
|
|
if err != nil {
|
|
prefixLog.Errorf("Error querying freebie db: "+
|
|
"%v", err)
|
|
sendDirectResponse(
|
|
w, r, http.StatusInternalServerError,
|
|
"freebie DB failure",
|
|
)
|
|
return
|
|
}
|
|
if !ok {
|
|
price, err := target.pricer.GetPrice(
|
|
r.Context(), r,
|
|
)
|
|
if err != nil {
|
|
prefixLog.Errorf("error getting "+
|
|
"resource price: %v", err)
|
|
sendDirectResponse(
|
|
w, r, http.StatusInternalServerError,
|
|
"failure fetching "+
|
|
"resource price",
|
|
)
|
|
return
|
|
}
|
|
|
|
// If the price returned is zero, then break
|
|
// out of the switch statement and allow access
|
|
// to the service.
|
|
if price == 0 {
|
|
break
|
|
}
|
|
|
|
p.handlePaymentRequired(
|
|
w, r, resourceName, target.Price,
|
|
)
|
|
return
|
|
}
|
|
_, err = target.freebieDB.TallyFreebie(r, remoteIP)
|
|
if err != nil {
|
|
prefixLog.Errorf("Error updating freebie db: "+
|
|
"%v", err)
|
|
sendDirectResponse(
|
|
w, r, http.StatusInternalServerError,
|
|
"freebie DB failure",
|
|
)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// If we got here, it means everything is OK to pass the request to the
|
|
// service backend via the reverse proxy.
|
|
p.proxyBackend.ServeHTTP(w, r)
|
|
}
|
|
|
|
// UpdateServices re-configures the proxy to use a new set of backend services.
|
|
func (p *Proxy) UpdateServices(services []*Service) error {
|
|
err := prepareServices(services)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
certPool, err := certPool(services)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
transport := &http.Transport{
|
|
ForceAttemptHTTP2: true,
|
|
TLSClientConfig: &tls.Config{
|
|
RootCAs: certPool,
|
|
InsecureSkipVerify: true,
|
|
},
|
|
}
|
|
|
|
p.proxyBackend = &httputil.ReverseProxy{
|
|
Director: p.director,
|
|
Transport: &trailerFixingTransport{next: transport},
|
|
ModifyResponse: func(res *http.Response) error {
|
|
addCorsHeaders(res.Header)
|
|
return nil
|
|
},
|
|
|
|
// A negative value means to flush immediately after each write
|
|
// to the client.
|
|
FlushInterval: -1,
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Close cleans up the Proxy by closing any remaining open connections.
|
|
func (p *Proxy) Close() error {
|
|
var returnErr error
|
|
for _, s := range p.services {
|
|
if err := s.pricer.Close(); err != nil {
|
|
log.Errorf("error while closing the pricer of "+
|
|
"service %s: %v", s.Name, err)
|
|
returnErr = err
|
|
}
|
|
}
|
|
|
|
return returnErr
|
|
}
|
|
|
|
// director is a method that rewrites an incoming request to be forwarded to a
|
|
// backend service.
|
|
func (p *Proxy) director(req *http.Request) {
|
|
target, ok := matchService(req, p.services)
|
|
if ok {
|
|
// Rewrite address and protocol in the request so the
|
|
// real service is called instead.
|
|
req.Host = target.Address
|
|
req.URL.Host = target.Address
|
|
req.URL.Scheme = target.Protocol
|
|
|
|
// Make sure we always forward the authorization in the correct/
|
|
// default format so the backend knows what to do with it.
|
|
mac, preimage, err := l402.FromHeader(&req.Header)
|
|
if err == nil {
|
|
// It could be that there is no auth information because
|
|
// none is needed for this particular request. So we
|
|
// only continue if no error is set.
|
|
err := l402.SetHeader(&req.Header, mac, preimage)
|
|
if err != nil {
|
|
log.Errorf("could not set header: %v", err)
|
|
}
|
|
}
|
|
|
|
// Now overwrite header fields of the client request
|
|
// with the fields from the configuration file.
|
|
for name, value := range target.Headers {
|
|
req.Header.Add(name, value)
|
|
}
|
|
}
|
|
}
|
|
|
|
// certPool builds a pool of x509 certificates from the backend services.
|
|
func certPool(services []*Service) (*x509.CertPool, error) {
|
|
cp := x509.NewCertPool()
|
|
for _, service := range services {
|
|
if service.TLSCertPath == "" {
|
|
continue
|
|
}
|
|
|
|
b, err := os.ReadFile(service.TLSCertPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !cp.AppendCertsFromPEM(b) {
|
|
return nil, fmt.Errorf("credentials: failed to " +
|
|
"append certificate")
|
|
}
|
|
}
|
|
|
|
return cp, nil
|
|
}
|
|
|
|
// matchService tries to match a backend service to an HTTP request by regular
|
|
// expression matching the host and path.
|
|
func matchService(req *http.Request, services []*Service) (*Service, bool) {
|
|
for _, service := range services {
|
|
hostRegexp := service.compiledHostRegexp
|
|
if !hostRegexp.MatchString(req.Host) {
|
|
log.Tracef("Req host [%s] doesn't match [%s].",
|
|
req.Host, hostRegexp)
|
|
continue
|
|
}
|
|
|
|
if service.compiledPathRegexp == nil {
|
|
log.Debugf("Host [%s] matched pattern [%s] and path "+
|
|
"expression is empty. Using service [%s].",
|
|
req.Host, hostRegexp, service.Address)
|
|
return service, true
|
|
}
|
|
|
|
pathRegexp := service.compiledPathRegexp
|
|
if !pathRegexp.MatchString(req.URL.Path) {
|
|
log.Tracef("Req path [%s] doesn't match [%s].",
|
|
req.URL.Path, pathRegexp)
|
|
continue
|
|
}
|
|
|
|
log.Debugf("Host [%s] matched pattern [%s] and path [%s] "+
|
|
"matched [%s]. Using service [%s].",
|
|
req.Host, hostRegexp, req.URL.Path, pathRegexp,
|
|
service.Address)
|
|
return service, true
|
|
}
|
|
log.Debugf("No backend service matched request [%s%s].", req.Host,
|
|
req.URL.Path)
|
|
return nil, false
|
|
}
|
|
|
|
// addCorsHeaders adds HTTP header fields that are required for Cross Origin
|
|
// Resource Sharing. These header fields are needed to signal to the browser
|
|
// that it's ok to allow requests to sub domains, even if the JS was served from
|
|
// the top level domain.
|
|
func addCorsHeaders(header http.Header) {
|
|
log.Debugf("Adding CORS headers to response.")
|
|
|
|
header.Add("Access-Control-Allow-Origin", "*")
|
|
header.Add("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
|
|
header.Add("Access-Control-Expose-Headers", "WWW-Authenticate")
|
|
header.Add(
|
|
"Access-Control-Allow-Headers",
|
|
"Authorization, Grpc-Metadata-macaroon, WWW-Authenticate",
|
|
)
|
|
}
|
|
|
|
// handlePaymentRequired returns fresh challenge header fields and status code
|
|
// to the client signaling that a payment is required to fulfil the request.
|
|
func (p *Proxy) handlePaymentRequired(w http.ResponseWriter, r *http.Request,
|
|
serviceName string, servicePrice int64) {
|
|
|
|
header, err := p.authenticator.FreshChallengeHeader(
|
|
serviceName, servicePrice,
|
|
)
|
|
if err != nil {
|
|
log.Errorf("Error creating new challenge header: %v", err)
|
|
sendDirectResponse(
|
|
w, r, http.StatusInternalServerError,
|
|
"challenge failure",
|
|
)
|
|
return
|
|
}
|
|
|
|
addCorsHeaders(header)
|
|
|
|
for name, value := range header {
|
|
w.Header().Set(name, value[0])
|
|
for i := 1; i < len(value); i++ {
|
|
w.Header().Add(name, value[i])
|
|
}
|
|
}
|
|
|
|
sendDirectResponse(w, r, http.StatusPaymentRequired, "payment required")
|
|
}
|
|
|
|
// sendDirectResponse sends a response directly to the client without proxying
|
|
// anything to a backend. The given error is transported in a way the client can
|
|
// understand. This means, for a gRPC client it is sent as specific header
|
|
// fields.
|
|
func sendDirectResponse(w http.ResponseWriter, r *http.Request,
|
|
statusCode int, errInfo string) {
|
|
|
|
// Find out if the client is a normal HTTP or a gRPC client. Every gRPC
|
|
// request should have the Content-Type header field set accordingly
|
|
// so we can use that.
|
|
switch {
|
|
case strings.HasPrefix(r.Header.Get(hdrContentType), hdrTypeGrpc):
|
|
w.Header().Set(hdrGrpcStatus, strconv.Itoa(int(codes.Internal)))
|
|
w.Header().Set(hdrGrpcMessage, errInfo)
|
|
|
|
// As per the gRPC spec, we need to send a 200 OK status code
|
|
// even if the request failed. The Grpc-Status and Grpc-Message
|
|
// header fields are enough to inform any gRPC compliant client
|
|
// about the error. See:
|
|
// https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md#responses
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
default:
|
|
http.Error(w, errInfo, statusCode)
|
|
}
|
|
}
|
|
|
|
type trailerFixingTransport struct {
|
|
next http.RoundTripper
|
|
}
|
|
|
|
// RoundTrip is a transport round tripper implementation that fixes an issue
|
|
// in the official httputil.ReverseProxy implementation. Apparently the HTTP/2
|
|
// trailers aren't properly forwarded in some cases. We fix this by always
|
|
// copying the Grpc-Status and Grpc-Message fields to the trailers, as those are
|
|
// usually expected to be in the trailer fields.
|
|
// Inspired by https://github.com/elazarl/goproxy/issues/408.
|
|
func (l *trailerFixingTransport) RoundTrip(req *http.Request) (*http.Response,
|
|
error) {
|
|
|
|
resp, err := l.next.RoundTrip(req)
|
|
if resp != nil && len(resp.Trailer) == 0 {
|
|
if len(resp.Header.Values(hdrGrpcStatus)) > 0 {
|
|
resp.Trailer = make(http.Header)
|
|
grpcStatus := resp.Header.Get(hdrGrpcStatus)
|
|
grpcMessage := resp.Header.Get(hdrGrpcMessage)
|
|
resp.Trailer.Add(hdrGrpcStatus, grpcStatus)
|
|
resp.Trailer.Add(hdrGrpcMessage, grpcMessage)
|
|
}
|
|
}
|
|
return resp, err
|
|
}
|