forked from chrislusf/teeproxy
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathteeproxy.go
More file actions
277 lines (242 loc) · 8.24 KB
/
teeproxy.go
File metadata and controls
277 lines (242 loc) · 8.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
package main
import (
"bytes"
"crypto/tls"
"flag"
"io"
"io/ioutil"
"log"
"math/rand"
"net"
"net/http"
"net/url"
"runtime"
"strings"
"time"
)
// Console flags
var (
listen = flag.String("l", ":8888", "port to accept requests")
targetProduction = flag.String("a", "localhost:8080", "where production traffic goes. http://localhost:8080/production")
altTarget = flag.String("b", "localhost:8081", "where testing traffic goes. response are skipped. http://localhost:8081/test")
debug = flag.Bool("debug", false, "more logging, showing ignored output")
productionTimeout = flag.Int("a.timeout", 2500, "timeout in milliseconds for production traffic")
alternateTimeout = flag.Int("b.timeout", 1000, "timeout in milliseconds for alternate site traffic")
productionHostRewrite = flag.Bool("a.rewrite", false, "rewrite the host header when proxying production traffic")
alternateHostRewrite = flag.Bool("b.rewrite", false, "rewrite the host header when proxying alternate site traffic")
percent = flag.Float64("p", 100.0, "float64 percentage of traffic to send to testing")
tlsPrivateKey = flag.String("key.file", "", "path to the TLS private key file")
tlsCertificate = flag.String("cert.file", "", "path to the TLS certificate file")
forwardClientIP = flag.Bool("forward-client-ip", false, "enable forwarding of the client IP to the backend using the 'X-Forwarded-For' and 'Forwarded' headers")
closeConnections = flag.Bool("close-connections", false, "close connections to the clients and backends")
)
// Sets the request URL.
//
// This turns a inbound request (a request without URL) into an outbound request.
func setRequestTarget(request *http.Request, target *string) {
URL, err := url.Parse("http://" + *target + request.URL.String())
if err != nil {
log.Println(err)
}
request.URL = URL
}
// Sends a request and returns the response.
func handleRequest(request *http.Request, timeout time.Duration) (*http.Response) {
transport := &http.Transport{
// NOTE(girone): DialTLS is not needed here, because the teeproxy works
// as an SSL terminator.
Dial: (&net.Dialer{ // go1.8 deprecated: Use DialContext instead
Timeout: timeout,
KeepAlive: 10 * timeout,
}).Dial,
// Close connections to the production and alternative servers?
DisableKeepAlives: *closeConnections,
//IdleConnTimeout: timeout, // go1.8
TLSHandshakeTimeout: timeout,
ResponseHeaderTimeout: timeout,
ExpectContinueTimeout: timeout,
}
// Do not use http.Client here, because it's higher level and processes
// redirects internally, which is not what we want.
//client := &http.Client{
// Timeout: timeout,
// Transport: transport,
//}
//response, err := client.Do(request)
response, err := transport.RoundTrip(request)
if err != nil {
log.Println("Request failed:", err)
}
return response
}
// handler contains the address of the main Target and the one for the Alternative target
type handler struct {
Target string
Alternative string
Randomizer rand.Rand
}
// ServeHTTP duplicates the incoming request (req) and does the request to the
// Target and the Alternate target discading the Alternate response
func (h handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
var productionRequest, alternativeRequest *http.Request
if *forwardClientIP {
updateForwardedHeaders(req)
}
if *percent == 100.0 || h.Randomizer.Float64()*100 < *percent {
alternativeRequest, productionRequest = DuplicateRequest(req)
go func() {
defer func() {
if r := recover(); r != nil && *debug {
log.Println("Recovered in ServeHTTP(alternate request) from:", r)
}
}()
setRequestTarget(alternativeRequest, altTarget)
if *alternateHostRewrite {
alternativeRequest.Host = h.Alternative
}
timeout := time.Duration(*alternateTimeout) * time.Millisecond
// This keeps responses from the alternative target away from the outside world.
alternateResponse := handleRequest(alternativeRequest, timeout)
if alternateResponse != nil {
// NOTE(girone): Even though we do not care about the second
// response, we still need to close the Body reader. Otherwise
// the connection stays open and we would soon run out of file
// descriptors.
alternateResponse.Body.Close()
}
}()
} else {
productionRequest = req
}
defer func() {
if r := recover(); r != nil && *debug {
log.Println("Recovered in ServeHTTP(production request) from:", r)
}
}()
setRequestTarget(productionRequest, targetProduction)
if *productionHostRewrite {
productionRequest.Host = h.Target
}
timeout := time.Duration(*productionTimeout) * time.Millisecond
resp := handleRequest(productionRequest, timeout)
if resp != nil {
defer resp.Body.Close()
// Forward response headers.
for k, v := range resp.Header {
w.Header()[k] = v
}
w.WriteHeader(resp.StatusCode)
// Forward response body.
body, _ := ioutil.ReadAll(resp.Body)
w.Write(body)
}
}
func main() {
flag.Parse()
log.Printf("Starting teeproxy at %s sending to A: %s and B: %s",
*listen, *targetProduction, *altTarget)
runtime.GOMAXPROCS(runtime.NumCPU())
var err error
var listener net.Listener
if len(*tlsPrivateKey) > 0 {
cer, err := tls.LoadX509KeyPair(*tlsCertificate, *tlsPrivateKey)
if err != nil {
log.Fatalf("Failed to load certficate: %s and private key: %s", *tlsCertificate, *tlsPrivateKey)
}
config := &tls.Config{Certificates: []tls.Certificate{cer}}
listener, err = tls.Listen("tcp", *listen, config)
if err != nil {
log.Fatalf("Failed to listen to %s: %s", *listen, err)
}
} else {
listener, err = net.Listen("tcp", *listen)
if err != nil {
log.Fatalf("Failed to listen to %s: %s", *listen, err)
}
}
h := handler{
Target: *targetProduction,
Alternative: *altTarget,
Randomizer: *rand.New(rand.NewSource(time.Now().UnixNano())),
}
server := &http.Server{
Handler: h,
}
if *closeConnections {
// Close connections to clients by setting the "Connection": "close" header in the response.
server.SetKeepAlivesEnabled(false)
}
server.Serve(listener)
}
type nopCloser struct {
io.Reader
}
func (nopCloser) Close() error { return nil }
func DuplicateRequest(request *http.Request) (request1 *http.Request, request2 *http.Request) {
b1 := new(bytes.Buffer)
b2 := new(bytes.Buffer)
w := io.MultiWriter(b1, b2)
io.Copy(w, request.Body)
defer request.Body.Close()
request1 = &http.Request{
Method: request.Method,
URL: request.URL,
Proto: request.Proto,
ProtoMajor: request.ProtoMajor,
ProtoMinor: request.ProtoMinor,
Header: request.Header,
Body: nopCloser{b1},
Host: request.Host,
ContentLength: request.ContentLength,
Close: true,
}
request2 = &http.Request{
Method: request.Method,
URL: request.URL,
Proto: request.Proto,
ProtoMajor: request.ProtoMajor,
ProtoMinor: request.ProtoMinor,
Header: request.Header,
Body: nopCloser{b2},
Host: request.Host,
ContentLength: request.ContentLength,
Close: true,
}
return
}
func updateForwardedHeaders(request *http.Request) {
positionOfColon := strings.LastIndex(request.RemoteAddr, ":")
var remoteIP string
if positionOfColon != -1 {
remoteIP = request.RemoteAddr[:positionOfColon]
} else {
Logger.Printf("The default format of request.RemoteAddr should be IP:Port but was %s\n", remoteIP)
remoteIP = request.RemoteAddr
}
insertOrExtendForwardedHeader(request, remoteIP)
insertOrExtendXFFHeader(request, remoteIP)
}
const XFF_HEADER = "X-Forwarded-For"
func insertOrExtendXFFHeader(request *http.Request, remoteIP string) {
header := request.Header.Get(XFF_HEADER)
if header != "" {
// extend
request.Header.Set(XFF_HEADER, header + ", " + remoteIP)
} else {
// insert
request.Header.Set(XFF_HEADER, remoteIP)
}
}
const FORWARDED_HEADER = "Forwarded"
// Implementation according to rfc7239
func insertOrExtendForwardedHeader(request *http.Request, remoteIP string) {
extension := "for=" + remoteIP
header := request.Header.Get(FORWARDED_HEADER)
if header != "" {
// extend
request.Header.Set(FORWARDED_HEADER, header + ", " + extension)
} else {
// insert
request.Header.Set(FORWARDED_HEADER, extension)
}
}