b8ae2a2af4
Motivation: HTTP is a plaintext protocol which means that someone may be able to eavesdrop the data. To prevent this, HTTPS should be used whenever possible. However, maintaining using https:// in all URLs may be difficult. The nohttp tool can help here. The tool scans all the files in a repository and reports where http:// is used. Modifications: - Added nohttp (via checkstyle) into the build process. - Suppressed findings for the websites that don't support HTTPS or that are not reachable Result: - Prevent using HTTP in the future. - Encourage users to use HTTPS when they follow the links they found in the code.
164 lines
6.3 KiB
Java
164 lines
6.3 KiB
Java
/*
|
|
* Copyright 2014 The Netty Project
|
|
*
|
|
* The Netty Project licenses this file to you under the Apache License,
|
|
* version 2.0 (the "License"); you may not use this file except in compliance
|
|
* with the License. You may obtain a copy of the License at:
|
|
*
|
|
* https://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
* License for the specific language governing permissions and limitations
|
|
* under the License.
|
|
*/
|
|
|
|
package io.netty.handler.proxy;
|
|
|
|
import io.netty.buffer.Unpooled;
|
|
import io.netty.channel.ChannelHandlerContext;
|
|
import io.netty.channel.ChannelPipeline;
|
|
import io.netty.channel.socket.SocketChannel;
|
|
import io.netty.handler.codec.LineBasedFrameDecoder;
|
|
import io.netty.handler.codec.http.DefaultFullHttpResponse;
|
|
import io.netty.handler.codec.http.FullHttpRequest;
|
|
import io.netty.handler.codec.http.FullHttpResponse;
|
|
import io.netty.handler.codec.http.HttpHeaderNames;
|
|
import io.netty.handler.codec.http.HttpMethod;
|
|
import io.netty.handler.codec.http.HttpObjectAggregator;
|
|
import io.netty.handler.codec.http.HttpResponseStatus;
|
|
import io.netty.handler.codec.http.HttpServerCodec;
|
|
import io.netty.handler.codec.http.HttpVersion;
|
|
import io.netty.util.internal.SocketUtils;
|
|
|
|
import java.net.InetSocketAddress;
|
|
import java.net.SocketAddress;
|
|
import java.nio.charset.StandardCharsets;
|
|
import java.util.Base64;
|
|
|
|
import static org.hamcrest.CoreMatchers.is;
|
|
import static org.hamcrest.MatcherAssert.assertThat;
|
|
import static org.hamcrest.Matchers.*;
|
|
|
|
final class HttpProxyServer extends ProxyServer {
|
|
|
|
HttpProxyServer(boolean useSsl, TestMode testMode, InetSocketAddress destination) {
|
|
super(useSsl, testMode, destination);
|
|
}
|
|
|
|
HttpProxyServer(
|
|
boolean useSsl, TestMode testMode, InetSocketAddress destination, String username, String password) {
|
|
super(useSsl, testMode, destination, username, password);
|
|
}
|
|
|
|
@Override
|
|
protected void configure(SocketChannel ch) throws Exception {
|
|
ChannelPipeline p = ch.pipeline();
|
|
switch (testMode) {
|
|
case INTERMEDIARY:
|
|
p.addLast(new HttpServerCodec());
|
|
p.addLast(new HttpObjectAggregator(1));
|
|
p.addLast(new HttpIntermediaryHandler());
|
|
break;
|
|
case TERMINAL:
|
|
p.addLast(new HttpServerCodec());
|
|
p.addLast(new HttpObjectAggregator(1));
|
|
p.addLast(new HttpTerminalHandler());
|
|
break;
|
|
case UNRESPONSIVE:
|
|
p.addLast(UnresponsiveHandler.INSTANCE);
|
|
break;
|
|
}
|
|
}
|
|
|
|
private boolean authenticate(ChannelHandlerContext ctx, FullHttpRequest req) {
|
|
assertThat(req.method(), is(HttpMethod.CONNECT));
|
|
|
|
if (testMode != TestMode.INTERMEDIARY) {
|
|
ctx.pipeline().addBefore(ctx.name(), "lineDecoder", new LineBasedFrameDecoder(64, false, true));
|
|
}
|
|
|
|
ctx.pipeline().remove(HttpObjectAggregator.class);
|
|
ctx.pipeline().get(HttpServerCodec.class).removeInboundHandler();
|
|
|
|
boolean authzSuccess = false;
|
|
if (username != null) {
|
|
CharSequence authz = req.headers().get(HttpHeaderNames.PROXY_AUTHORIZATION);
|
|
if (authz != null) {
|
|
String[] authzParts = authz.toString().split(" ", 2);
|
|
byte[] authzCreds = Base64.getDecoder().decode(authzParts[1]);
|
|
|
|
String expectedAuthz = username + ':' + password;
|
|
authzSuccess = "Basic".equals(authzParts[0]) &&
|
|
expectedAuthz.equals(new String(authzCreds, StandardCharsets.UTF_8));
|
|
}
|
|
} else {
|
|
authzSuccess = true;
|
|
}
|
|
|
|
return authzSuccess;
|
|
}
|
|
|
|
private final class HttpIntermediaryHandler extends IntermediaryHandler {
|
|
|
|
private SocketAddress intermediaryDestination;
|
|
|
|
@Override
|
|
protected boolean handleProxyProtocol(ChannelHandlerContext ctx, Object msg) throws Exception {
|
|
FullHttpRequest req = (FullHttpRequest) msg;
|
|
FullHttpResponse res;
|
|
if (!authenticate(ctx, req)) {
|
|
res = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED);
|
|
res.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
|
|
} else {
|
|
res = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK);
|
|
String uri = req.uri();
|
|
int lastColonPos = uri.lastIndexOf(':');
|
|
assertThat(lastColonPos, is(greaterThan(0)));
|
|
intermediaryDestination = SocketUtils.socketAddress(
|
|
uri.substring(0, lastColonPos), Integer.parseInt(uri.substring(lastColonPos + 1)));
|
|
}
|
|
|
|
ctx.write(res);
|
|
ctx.pipeline().get(HttpServerCodec.class).removeOutboundHandler();
|
|
return true;
|
|
}
|
|
|
|
@Override
|
|
protected SocketAddress intermediaryDestination() {
|
|
return intermediaryDestination;
|
|
}
|
|
}
|
|
|
|
private final class HttpTerminalHandler extends TerminalHandler {
|
|
|
|
@Override
|
|
protected boolean handleProxyProtocol(ChannelHandlerContext ctx, Object msg) throws Exception {
|
|
FullHttpRequest req = (FullHttpRequest) msg;
|
|
FullHttpResponse res;
|
|
boolean sendGreeting = false;
|
|
|
|
if (!authenticate(ctx, req)) {
|
|
res = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED);
|
|
res.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
|
|
} else if (!req.uri().equals(destination.getHostString() + ':' + destination.getPort())) {
|
|
res = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.FORBIDDEN);
|
|
res.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
|
|
} else {
|
|
res = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK);
|
|
sendGreeting = true;
|
|
}
|
|
|
|
ctx.write(res);
|
|
ctx.pipeline().get(HttpServerCodec.class).removeOutboundHandler();
|
|
|
|
if (sendGreeting) {
|
|
ctx.write(Unpooled.copiedBuffer("0\n", StandardCharsets.US_ASCII));
|
|
}
|
|
|
|
return true;
|
|
}
|
|
}
|
|
}
|