#!/usr/bin/perl
#
# Copyright (c) 2006-2010 by Karl J. Runge <runge@karlrunge.com>
#
# connect_switch is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# connect_switch is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with connect_switch; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# or see <http://www.gnu.org/licenses/>.
#
#
# connect_switch:
#
# A kludge script that sits between web clients and a mod_ssl (https)
# enabled apache webserver.
#
# If an incoming web client connection makes a proxy CONNECT request
# it is handled directly by this script (apache is not involved).
# Otherwise, all other connections are forwarded to the apache webserver.
#
# This can be useful for VNC redirection using an existing https (port
# 443) webserver, thereby not requiring a 2nd (non-https) port open on
# the firewall for the CONNECT requests.
#
# It does not seem possible (to me) to achieve this entirely within apache
# because the CONNECT request appears to be forwarded encrypted to
# the remote host and so the SSL dies immediately.
#
# It can also be used to redirect ANY protocol, e.g. SSH, not just VNC.
# See CONNECT_SWITCH_APPLY_VNC_OFFSET=0 to disable VNC 5900 shift.
#
# Note: There is no need to use this script for a non-ssl apache webserver
# port because mod_proxy works fine for doing the switching all inside
# apache (see ProxyRequests and AllowCONNECT parameters).
#
#
# Apache configuration:
#
# The mod_ssl configuration is often in a file named ssl.conf. In the
# simplest case you change something like this:
#
# From:
#
# Listen 443
#
# <VirtualHost _default_:443>
# ...
# </VirtualHost>
#
# To:
#
# Listen 127.0.0.1:443
#
# <VirtualHost _default_:443>
# ...
# </VirtualHost>
#
# (i.e. just change the Listen directive).
#
# If you have mod_ssl listening on a different internal port, you do
# not need to specify the localhost Listen address.
#
# It is probably a good idea to set $listen_host below to the known
# IP address you want the service to listen on (to avoid localhost where
# apache is listening).
#
####################################################################
# NOTE: For more info on configuration settings, read below for
# all of the CONNECT_SWITCH_* env. var. parameters.
####################################################################
####################################################################
# Allow env vars to also be specified on cmdline:
#
foreach my $arg (@ARGV) {
if ($arg =~ /^(CONNECT_SWITCH.*?)=(.*)$/) {
$ENV{$1} = $2;
}
}
# Set up logging:
#
if (exists $ENV{CONNECT_SWITCH_LOGFILE}) {
close STDOUT;
if (!open(STDOUT, ">>$ENV{CONNECT_SWITCH_LOGFILE}")) {
die "connect_switch: $ENV{CONNECT_SWITCH_LOGFILE} $!\n";
}
close STDERR;
open(STDERR, ">&STDOUT");
}
select(STDERR); $| = 1;
select(STDOUT); $| = 1;
# interrupt handler:
#
my $looppid = '';
my $pidfile = '';
my $listen_sock = ''; # declared here for get_out()
#
sub get_out {
print STDERR "$_[0]:\t$$ looppid=$looppid\n";
close $listen_sock if $listen_sock;
if ($looppid) {
kill 'TERM', $looppid;
fsleep(0.2);
}
unlink $pidfile if $pidfile;
exit 0;
}
$SIG{INT} = \&get_out;
$SIG{TERM} = \&get_out;
# pidfile:
#
sub open_pidfile {
if (exists $ENV{CONNECT_SWITCH_PIDFILE}) {
my $pf = $ENV{CONNECT_SWITCH_PIDFILE};
if (open(PID, ">$pf")) {
print PID "$$\n";
close PID;
$pidfile = $pf;
} else {
print STDERR "could not open pidfile: $pf - $! - continuing...\n";
}
delete $ENV{CONNECT_SWITCH_PIDFILE};
}
}
####################################################################
# Set CONNECT_SWITCH_LOOP=1 to have this script create an outer loop
# restarting itself if it ever exits. Set CONNECT_SWITCH_LOOP=BG to
# do this in the background as a daemon.
if (exists $ENV{CONNECT_SWITCH_LOOP}) {
my $csl = $ENV{CONNECT_SWITCH_LOOP};
if ($csl ne 'BG' && $csl ne '1') {
die "connect_switch: invalid CONNECT_SWITCH_LOOP.\n";
}
if ($csl eq 'BG') {
# go into bg as "daemon":
setpgrp(0, 0);
my $pid = fork();
if (! defined $pid) {
die "connect_switch: $!\n";
} elsif ($pid) {
wait;
exit 0;
}
if (fork) {
exit 0;
}
setpgrp(0, 0);
close STDIN;
if (! $ENV{CONNECT_SWITCH_LOGFILE}) {
close STDOUT;
close STDERR;
}
}
delete $ENV{CONNECT_SWITCH_LOOP};
if (exists $ENV{CONNECT_SWITCH_PIDFILE}) {
open_pidfile();
}
print STDERR "connect_switch: starting service at ", scalar(localtime), " master-pid=$$\n";
while (1) {
$looppid = fork;
if (! defined $looppid) {
sleep 10;
} elsif ($looppid) {
wait;
} else {
exec $0;
exit 1;
}
print STDERR "connect_switch: re-starting service at ", scalar(localtime), " master-pid=$$\n";
sleep 1;
}
exit 0;
}
if (exists $ENV{CONNECT_SWITCH_PIDFILE}) {
open_pidfile();
}
############################################################################
# The defaults for hosts and ports (you can override them below if needed):
#
# Look below for these environment variables that let you set the various
# parameters without needing to edit this script:
#
# CONNECT_SWITCH_LISTEN
# CONNECT_SWITCH_HTTPD
# CONNECT_SWITCH_ALLOWED
# CONNECT_SWITCH_ALLOW_FILE
# CONNECT_SWITCH_VERBOSE
# CONNECT_SWITCH_APPLY_VNC_OFFSET
# CONNECT_SWITCH_VNC_OFFSET
# CONNECT_SWITCH_LISTEN_IPV6
# CONNECT_SWITCH_BUFSIZE
# CONNECT_SWITCH_LOGFILE
# CONNECT_SWITCH_PIDFILE
# CONNECT_SWITCH_MAX_CONNECTIONS
#
# You can also set these on the cmdline:
# connect_switch CONNECT_SWITCH_LISTEN=X CONNECT_SWITCH_ALLOW_FILE=Y ...
#
# By default we will use hostname and assume it resolves:
#
my $hostname = `hostname`;
chomp $hostname;
my $listen_host = $hostname;
my $listen_port = 443;
# Let user override listening situation, e.g. multihomed:
#
if (exists $ENV{CONNECT_SWITCH_LISTEN}) {
#
# E.g. CONNECT_SWITCH_LISTEN=192.168.0.32:443
#
$listen_host = '';
$listen_port = '';
if ($ENV{CONNECT_SWITCH_LISTEN} =~ /^(.*):(\d+)$/) {
($listen_host, $listen_port) = ($1, $2);
}
}
my $httpd_host = 'localhost';
my $httpd_port = 443;
if (exists $ENV{CONNECT_SWITCH_HTTPD}) {
#
# E.g. CONNECT_SWITCH_HTTPD=127.0.0.1:443
#
$httpd_host = '';
$httpd_port = '';
if ($ENV{CONNECT_SWITCH_HTTPD} =~ /^(.*):(\d+)$/) {
($httpd_host, $httpd_port) = ($1, $2);
}
}
my $bufsize = 8192;
if (exists $ENV{CONNECT_SWITCH_BUFSIZE}) {
#
# E.g. CONNECT_SWITCH_BUFSIZE=32768
#
$bufsize = $ENV{CONNECT_SWITCH_BUFSIZE};
}
############################################################################
# You can/should override the host/port settings here:
#
#$listen_host = '23.45.67.89'; # set to your interface IP number.
#$listen_port = 555; # and/or nonstandard port.
#$httpd_host = 'somehost'; # maybe you redir https to another machine.
#$httpd_port = 666; # and/or nonstandard port.
# You must set the allowed host:port CONNECT redirection list.
# Only these host:port pairs will be redirected to.
# Port ranges are allowed too: host:5900-5930.
# If there is one entry named ALL all connections are allow.
# You must supply something, default is deny.
#
my @allowed = qw(
machine1:5915
machine2:5900
);
if (exists $ENV{CONNECT_SWITCH_ALLOWED}) {
#
# E.g. CONNECT_SWITCH_ALLOWED=machine1:5915,machine2:5900
#
@allowed = split(/,/, $ENV{CONNECT_SWITCH_ALLOWED});
}
# Or you could also use an external "allow file".
# They get added to the @allowed list.
# The file is re-read for each new connection.
#
# Format of $allow_file:
#
# host1 vncdisp
# host2 vncdisp
#
# where, e.g. vncdisp = 15 => port 5915, say
#
# joesbox 15
# fredsbox 15
# rupert 1
# For examply, mine is:
#
my $allow_file = '/dist/apache/2.0/conf/vnc.hosts';
$allow_file = '';
if (exists $ENV{CONNECT_SWITCH_ALLOW_FILE}) {
# E.g. CONNECT_SWITCH_ALLOW_FILE=/usr/local/etc/allow.txt
$allow_file = $ENV{CONNECT_SWITCH_ALLOW_FILE};
}
# Set to 1 to re-map to vnc port, e.g. 'hostname 15' to 'hostname 5915'
# i.e. assume a port 0 <= port < 200 is actually a VNC display
# and add 5900 to it. Set to 0 to not do the mapping.
# Note that negative ports, e.g. 'joesbox -22' go directly to -port.
#
my $apply_vnc_offset = 1;
my $vnc_offset = 5900;
if (exists $ENV{CONNECT_SWITCH_APPLY_VNC_OFFSET}) {
#
# E.g. CONNECT_SWITCH_APPLY_VNC_OFFSET=0
#
$apply_vnc_offset = $ENV{CONNECT_SWITCH_APPLY_VNC_OFFSET};
}
if (exists $ENV{CONNECT_SWITCH_VNC_OFFSET}) {
#
# E.g. CONNECT_SWITCH_VNC_OFFSET=6000
#
$vnc_offset = $ENV{CONNECT_SWITCH_VNC_OFFSET};
}
# Set to 1 or higher for more info output:
#
my $verbose = 0;
if (exists $ENV{CONNECT_SWITCH_VERBOSE}) {
#
# E.g. CONNECT_SWITCH_VERBOSE=1
#
$verbose = $ENV{CONNECT_SWITCH_VERBOSE};
}
# zero means loop forever, positive value means exit after handling that
# many connections.
#
my $cmax = 0;
if (exists $ENV{CONNECT_SWITCH_MAX_CONNECTIONS}) {
$cmax = $ENV{CONNECT_SWITCH_MAX_CONNECTIONS};
}
#===========================================================================
# No need for any changes below here.
#===========================================================================
use IO::Socket::INET;
use strict;
use warnings;
# Test for INET6 support:
#
my $have_inet6 = 0;
eval "use IO::Socket::INET6;";
$have_inet6 = 1 if $@ eq "";
my $killpid = 1;
setpgrp(0, 0);
if (exists $ENV{CONNECT_SWITCH_LISTEN_IPV6}) {
# note we leave out LocalAddr.
my $cmd = '
$listen_sock = IO::Socket::INET6->new(
Listen => 10,
LocalPort => $listen_port,
ReuseAddr => 1,
Domain => AF_INET6,
Proto => "tcp"
);
';
eval $cmd;
die "$@\n" if $@;
} else {
$listen_sock = IO::Socket::INET->new(
Listen => 10,
LocalAddr => $listen_host,
LocalPort => $listen_port,
ReuseAddr => 1,
Proto => "tcp"
);
}
if (! $listen_sock) {
die "connect_switch: $!\n";
}
my $current_fh1 = '';
my $current_fh2 = '';
my $conn = 0;
while (1) {
$conn++;
if ($cmax > 0 && $conn > $cmax) {
print STDERR "last connection ($cmax)\n" if $verbose;
last;
}
print STDERR "listening for connection: $conn\n" if $verbose;
my ($client, $ip) = $listen_sock->accept();
if (! $client) {
fsleep(0.5);
next;
}
print STDERR "conn: $conn -- ", $client->peerhost(), " at ", scalar(localtime), "\n" if $verbose;
my $pid = fork();
if (! defined $pid) {
die "connect_switch: $!\n";
} elsif ($pid) {
wait;
next;
} else {
close $listen_sock;
if (fork) {
exit 0;
}
setpgrp(0, 0);
handle_conn($client);
}
}
exit 0;
sub handle_conn {
my $client = shift;
my $start = time();
my @allow = @allowed;
# read allow file. Note we read it for every connection
# to allow the admin to modify it w/o restarting us.
# better way would be to read in parent and check mtime.
#
if ($allow_file && -f $allow_file) {
if (open(ALLOW, "<$allow_file")) {
while (<ALLOW>) {
next if /^\s*#/;
next if /^\s*$/;
chomp;
my ($host, $dpy) = split(' ', $_);
next if ! defined $host;
next if ! defined $dpy;
if ($dpy < 0) {
$dpy = -$dpy;
} elsif ($apply_vnc_offset) {
$dpy += $vnc_offset if $dpy < 200;
}
push @allow, "$host:$dpy";
}
close(ALLOW);
} else {
warn "$allow_file: $!\n";
}
}
# Read the first 7 bytes of connection, see if it is 'CONNECT'
#
my $str = '';
my $N = 0;
my $isconn = 1;
for (my $i = 0; $i < 7; $i++) {
my $b;
sysread($client, $b, 1);
$str .= $b;
$N++;
print STDERR "read: '$str'\n" if $verbose > 1;
my $cstr = substr('CONNECT', 0, $i+1);
if ($str ne $cstr) {
$isconn = 0;
last;
}
}
my $sock = '';
if ($isconn) {
# it is CONNECT, read rest of HTTP header:
#
while ($str !~ /\r\n\r\n/) {
my $b;
sysread($client, $b, 1);
$str .= $b;
}
print STDERR "read: $str\n" if $verbose > 1;
# get http version and host:port
#
my $ok = 0;
my $hostport = '';
my $http_vers = '1.0';
if ($str =~ /^CONNECT\s+(\S+)\s+HTTP\/(\S+)/) {
$hostport = $1;
$http_vers = $2;
my $h = '';
my $p = '';
if ($hostport =~ /^(.*):(\d+)$/) {
($h, $p) = ($1, $2);
}
if ($p =~ /^\d+$/) {
# check allowed host list:
foreach my $hp (@allow) {
if ($hp eq 'ALL') {
$ok = 1;
}
if ($hp eq $hostport) {
$ok = 1;
}
if ($hp =~ /^(.*):(\d+)-(\d+)$/) {
my $ahost = $1;
my $pmin = $2;
my $pmax = $3;
if ($h eq $ahost) {
if ($p >= $pmin && $p <= $pmax) {
$ok = 1;
}
}
}
last if $ok;
}
}
}
my $msg_1 = "HTTP/$http_vers 200 Connection Established\r\n"
. "Proxy-agent: connect_switch v0.2\r\n\r\n";
my $msg_2 = "HTTP/$http_vers 502 Bad Gateway\r\n"
. "Connection: close\r\n\r\n";
if (! $ok) {
# disallowed. drop with message.
#
syswrite($client, $msg_2, length($msg_2));
close $client;
exit 0;
}
my $host = '';
my $port = '';
if ($hostport =~ /^(.*):(\d+)$/) {
($host, $port) = ($1, $2);
}
print STDERR "connecting to: $host:$port\n" if $verbose;
$sock = IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port,
Proto => "tcp"
);
print STDERR "connect to host='$host' port='$port' failed: $!\n" if !$sock;
if (! $sock && $have_inet6) {
eval {$sock = IO::Socket::INET6->new(
PeerAddr => $host,
PeerPort => $port,
Proto => "tcp"
);};
print STDERR "connect to host='$host' port='$port' failed: $! (ipv6)\n" if !$sock;
}
my $msg;
# send the connect proxy reply:
#
if ($sock) {
$msg = $msg_1;
} else {
$msg = $msg_2;
}
syswrite($client, $msg, length($msg));
$str = '';
} else {
# otherwise, redirect to apache for normal https:
#
print STDERR "connecting to: $httpd_host:$httpd_port\n" if $verbose;
$sock = IO::Socket::INET->new(
PeerAddr => $httpd_host,
PeerPort => $httpd_port,
Proto => "tcp"
);
if (! $sock && $have_inet6) {
eval {$sock = IO::Socket::INET6->new(
PeerAddr => $httpd_host,
PeerPort => $httpd_port,
Proto => "tcp"
);};
}
}
if (! $sock) {
close $client;
die "connect_switch: $!\n";
}
# get ready for xfer phase:
#
$current_fh1 = $client;
$current_fh2 = $sock;
$SIG{TERM} = sub {print STDERR "got sigterm\[$$]\n" if $verbose; close $current_fh1; close $current_fh2; exit 0};
my $parent = $$;
if (my $child = fork()) {
xfer($sock, $client, 'S->C');
if ($killpid) {
fsleep(0.5);
kill 'TERM', $child;
}
} else {
# write those first bytes if not CONNECT:
#
if ($str ne '' && $N > 0) {
syswrite($sock, $str, $N);
}
xfer($client, $sock, 'C->S');
if ($killpid) {
fsleep(0.75);
kill 'TERM', $parent;
}
}
if ($verbose > 1) {
my $dt = time() - $start;
print STDERR "duration\[$$]: $dt seconds. ", scalar(localtime), "\n";
}
exit 0;
}
sub xfer {
my($in, $out, $lab) = @_;
my ($RIN, $WIN, $EIN, $ROUT);
$RIN = $WIN = $EIN = "";
$ROUT = "";
vec($RIN, fileno($in), 1) = 1;
vec($WIN, fileno($in), 1) = 1;
$EIN = $RIN | $WIN;
my $buf;
while (1) {
my $nf = 0;
while (! $nf) {
$nf = select($ROUT=$RIN, undef, undef, undef);
}
my $len = sysread($in, $buf, $bufsize);
if (! defined($len)) {
next if $! =~ /^Interrupted/;
print STDERR "connect_switch\[$lab/$conn/$$]: $!\n";
last;
} elsif ($len == 0) {
print STDERR "connect_switch\[$lab/$conn/$$]: "
. "Input is EOF.\n";
last;
}
if (0) {
# very verbose debugging of data:
syswrite(STDERR , "\n$lab: ", 6);
syswrite(STDERR , $buf, $len);
}
my $offset = 0;
my $quit = 0;
while ($len) {
my $written = syswrite($out, $buf, $len, $offset);
if (! defined $written) {
print STDERR "connect_switch\[$lab/$conn/$$]: "
. "Output is EOF. $!\n";
$quit = 1;
last;
}
$len -= $written;
$offset += $written;
}
last if $quit;
}
close($in);
close($out);
}
sub fsleep {
my ($time) = @_;
select(undef, undef, undef, $time) if $time;
}