mirror of
https://github.com/lightninglabs/aperture.git
synced 2025-12-18 09:34:20 +01:00
134 lines
2.9 KiB
Go
134 lines
2.9 KiB
Go
package proxy
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"regexp"
|
|
|
|
"github.com/lightninglabs/kirin/auth"
|
|
)
|
|
|
|
// Proxy is a HTTP, HTTP/2 and gRPC handler that takes an incoming request,
|
|
// uses its authenticator to validate the request's headers, and either returns
|
|
// a challenge to the client or forwards the request to another server and
|
|
// proxies the response back to the client.
|
|
type Proxy struct {
|
|
server *httputil.ReverseProxy
|
|
|
|
authenticator auth.Authenticator
|
|
}
|
|
|
|
// New returns a new Proxy instance that proxies between the services specified,
|
|
// using the auth to validate each request's headers and get new challenge
|
|
// headers if necessary.
|
|
func New(auth auth.Authenticator, services []*Service) (*Proxy, error) {
|
|
cp, err := certPool(services)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
tlsConfig := &tls.Config{
|
|
RootCAs: cp,
|
|
InsecureSkipVerify: true,
|
|
}
|
|
transport := &http.Transport{
|
|
ForceAttemptHTTP2: true,
|
|
TLSClientConfig: tlsConfig,
|
|
}
|
|
grpcProxy := &httputil.ReverseProxy{
|
|
Director: director(auth, services),
|
|
Transport: transport,
|
|
FlushInterval: -1,
|
|
}
|
|
|
|
return &Proxy{
|
|
grpcProxy,
|
|
auth,
|
|
}, nil
|
|
}
|
|
|
|
func certPool(services []*Service) (*x509.CertPool, error) {
|
|
cp := x509.NewCertPool()
|
|
for _, service := range services {
|
|
if service.TLSCertPath == "" {
|
|
continue
|
|
}
|
|
|
|
b, err := ioutil.ReadFile(service.TLSCertPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !cp.AppendCertsFromPEM(b) {
|
|
return nil, fmt.Errorf("credentials: failed to append " +
|
|
"certificate")
|
|
}
|
|
}
|
|
|
|
return cp, nil
|
|
}
|
|
|
|
func matchService(req *http.Request, services []*Service) (*Service, bool) {
|
|
for _, service := range services {
|
|
hostRegexp := regexp.MustCompile(service.HostRegexp)
|
|
if !hostRegexp.MatchString(req.Host) {
|
|
continue
|
|
}
|
|
|
|
if service.PathRegexp == "" {
|
|
return service, true
|
|
}
|
|
|
|
urlRegexp := regexp.MustCompile(service.PathRegexp)
|
|
if !urlRegexp.MatchString(req.URL.Path) {
|
|
continue
|
|
}
|
|
|
|
return service, true
|
|
|
|
}
|
|
return nil, false
|
|
}
|
|
|
|
func director(auth auth.Authenticator, services []*Service) func(req *http.Request) {
|
|
return func(req *http.Request) {
|
|
target, ok := matchService(req, services)
|
|
if ok {
|
|
req.URL.Scheme = "http"
|
|
if target.TLSCertPath != "" {
|
|
req.URL.Scheme = "https"
|
|
}
|
|
|
|
req.URL.Host = target.Address
|
|
}
|
|
}
|
|
}
|
|
|
|
// ServeHTTP checks a client's headers for appropriate authorization and either
|
|
// returns a challenge or forwards their request to the target backend service.
|
|
func (g *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
if !g.authenticator.Accept(&r.Header) {
|
|
challengeHeader, err := g.authenticator.FreshChallengeHeader(r)
|
|
if err != nil {
|
|
w.WriteHeader(500)
|
|
return
|
|
}
|
|
|
|
for name, value := range challengeHeader {
|
|
w.Header().Set(name, value[0])
|
|
for i := 1; i < len(value); i++ {
|
|
w.Header().Add(name, value[i])
|
|
}
|
|
}
|
|
|
|
w.WriteHeader(402)
|
|
return
|
|
}
|
|
|
|
g.server.ServeHTTP(w, r)
|
|
}
|