Add websocket tunneling support

client/websocket.go

@@ -0,0 +1,109 @@
+package client
+
+import (
+ "crypto/tls"
+ "errors"
+ "fmt"
+ "net"
+ "net/http"
+ "strings"
+ "time"
+
+ onet "github.com/Jigsaw-Code/outline-ss-server/net"
+ ss "github.com/Jigsaw-Code/outline-ss-server/shadowsocks"
+ "github.com/Jigsaw-Code/outline-ss-server/websocket"
+ "github.com/shadowsocks/go-shadowsocks2/socks"
+)
+
+type WebsocketOptions struct {
+ // Addr is the address of the websocket server. It can either an IP address or a domain name.
+ Addr string
+ // Port is the destination port of the websocket connection.
+ Port int
+ // Host is the hostname to use in the Host header of HTTP request made to the websocket server.
+ // If empty, the header will be set to `Addr` if it is a domain name.
+ Host string
+ // SNI is the hostname to use in the server name extension of the TLS handshake. If empty, it will be set to `Host`.
+ SNI string
+ // Path is the HTTP path to use when connecting to the websocket server.
+ Path string
+ // Password is the password to use for the shadowsocks connection tunnelled inside the websocket connection.
+ Password string
+ // Ciphter is the cipher to use for the shadowsocks connection tunnelled inside the websocket connection.
+ Cipher string
+}
+
+// NewWebsocketClient creates a client that routes connections to a Shadowsocks proxy
+// tunneled inside a websocket connection.
+func NewWebsocketClient(opts WebsocketOptions) (Client, error) {
+ proxy := opts.Addr
+ if proxy == "" {
+ proxy = opts.Host
+ }
+ if proxy == "" {
+ return nil, fmt.Errorf("neither Addr or Host are defined")
+ }
+
+ ss, err := NewClient(proxy, opts.Port, opts.Password, opts.Cipher)
+ if err != nil {
+ return nil, err
+ }
+
+ if strings.HasPrefix(opts.Path, "/") {
+ opts.Path = opts.Path[1:]
+ }
+
+ addrIP := net.ParseIP(opts.Addr)
+ if opts.Host == "" && addrIP == nil {
+ opts.Host = opts.Addr
+ }
+
+ if opts.SNI == "" {
+ opts.SNI = opts.Host
+ }
+
+ return &wsClient{
+ ssClient: ss.(*ssClient),
+ opts: opts,
+ }, nil
+}
+
+type wsClient struct {
+ *ssClient
+ opts WebsocketOptions
+}
+
+func (c *wsClient) DialTCP(laddr *net.TCPAddr, raddr string) (onet.DuplexConn, error) {
+ socksTargetAddr := socks.ParseAddr(raddr)
+ if socksTargetAddr == nil {
+ return nil, errors.New("Failed to parse target address")
+ }
+
+ h := make(http.Header)
+ if c.opts.Host != "" {
+ h.Set("Host", c.opts.Host)
+ }
+ d := websocket.Dialer{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ ServerName: c.opts.SNI,
+ },
+ HandshakeTimeout: websocket.DefaultHandshakeTimeout,
+ }
+ proxyConn, err := d.Dial(fmt.Sprintf("wss://%s:%d/%s", c.proxyIP, c.opts.Port, c.opts.Path), h)
+ if err != nil {
+ return nil, err
+ }
+
+ ssw := ss.NewShadowsocksWriter(proxyConn, c.cipher)
+ _, err = ssw.LazyWrite(socksTargetAddr)
+ if err != nil {
+ proxyConn.Close()
+ return nil, errors.New("Failed to write target address")
+ }
+ time.AfterFunc(helloWait, func() {
+ ssw.Flush()
+ })
+ ssr := ss.NewShadowsocksReader(proxyConn, c.cipher)
+ return onet.WrapConn(proxyConn, ssr, ssw), nil
+}

client/websocket_test.go

@@ -0,0 +1,151 @@
+package client
+
+import (
+ "crypto/tls"
+ "net"
+ "net/http"
+ "testing"
+ "time"
+
+ onet "github.com/Jigsaw-Code/outline-ss-server/net"
+ ss "github.com/Jigsaw-Code/outline-ss-server/shadowsocks"
+ "github.com/Jigsaw-Code/outline-ss-server/websocket"
+)
+
+const (
+ testWSPath = "/test"
+)
+
+func TestWebsocketClient(t *testing.T) {
+ testCases := []struct {
+ name string
+ opts WebsocketOptions
+ wantHost string
+ wantSNI string
+ }{
+ {
+ name: "with_ip_host",
+ opts: WebsocketOptions{Addr: "127.0.0.1", Host: "example.com"},
+ wantHost: "example.com",
+ wantSNI: "example.com",
+ },
+ {
+ name: "with_ip_host_sni",
+ opts: WebsocketOptions{Addr: "127.0.0.1", Host: "example.com", SNI: "sni.com"},
+ wantHost: "example.com",
+ wantSNI: "sni.com",
+ },
+ {
+ name: "with_domain",
+ opts: WebsocketOptions{Addr: "localhost"},
+ wantHost: "localhost",
+ wantSNI: "localhost",
+ },
+ {
+ name: "with_domain_host",
+ opts: WebsocketOptions{Addr: "localhost", Host: "example.com"},
+ wantHost: "example.com",
+ wantSNI: "example.com",
+ },
+ {
+ name: "with_domain_host_sni",
+ opts: WebsocketOptions{Addr: "localhost", Host: "example.com", SNI: "sni.com"},
+ wantHost: "example.com",
+ wantSNI: "sni.com",
+ },
+ }
+
+ proxy, hostCh, sniCh := startWebsocketShadowsocksEchoProxy(t)
+ defer close(hostCh)
+ defer close(sniCh)
+ defer proxy.Close()
+ _, proxyPort, err := splitHostPortNumber(proxy.Addr().String())
+ if err != nil {
+ t.Fatalf("Failed to parse proxy address: %v", err)
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ tc.opts.Password = testPassword
+ tc.opts.Cipher = ss.TestCipher
+ tc.opts.Port = proxyPort
+ tc.opts.Path = testWSPath
+
+ d, err := NewWebsocketClient(tc.opts)
+ if err != nil {
+ t.Fatalf("Failed to create WebsocketClient: %v", err)
+ }
+ conn, err := d.DialTCP(nil, testTargetAddr)
+ if err != nil {
+ t.Fatalf("WebsocketClient.DialTCP failed: %v", err)
+ }
+
+ select {
+ case sni := <-sniCh:
+ if sni != tc.wantSNI {
+ t.Fatalf("Wrong server name in TLS handshake server. got='%v' want='%v'", sni, tc.wantSNI)
+ }
+ case <-time.After(50 * time.Millisecond):
+ t.Fatal("TLS connection state not recevied")
+ }
+ select {
+ case host := <-hostCh:
+ if host != tc.wantHost {
+ t.Fatalf("Wrong host header. got='%v' want='%v'", host, tc.wantHost)
+ }
+ case <-time.After(50 * time.Millisecond):
+ t.Fatal("HTTP request not recevied")
+ }
+
+ conn.SetReadDeadline(time.Now().Add(time.Second * 5))
+ expectEchoPayload(conn, ss.MakeTestPayload(1024), make([]byte, 1024), t)
+ conn.Close()
+ })
+ }
+}
+
+func startWebsocketShadowsocksEchoProxy(t *testing.T) (net.Listener, chan string, chan string) {
+ proxy, _ := startShadowsocksTCPEchoProxy(testTargetAddr, t)
+
+ hostCh := make(chan string, 1)
+ sniCh := make(chan string, 1)
+
+ handler := func(w http.ResponseWriter, r *http.Request) {
+ u := websocket.Upgrader{HandshakeTimeout: 50 * time.Millisecond}
+ c, err := u.Upgrade(w, r, nil)
+ defer c.Close()
+
+ hostCh <- r.Host
+
+ if r.URL.Path != testWSPath {
+ t.Logf("Wrong Path received on request. got='%v' want='%v'", testWSPath, r.URL.Path)
+ return
+ }
+
+ targetC, err := net.Dial("tcp", proxy.Addr().String())
+ if err != nil {
+ t.Logf("Failed to connect to TCP echo server: %v", err)
+ return
+ }
+
+ onet.Relay(c, targetC.(*net.TCPConn))
+ }
+
+ l, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 0})
+ if err != nil {
+ t.Fatalf("Starting websocket listener failed: %v", err)
+ }
+
+ go func() {
+ srv := &http.Server{Handler: http.HandlerFunc(handler)}
+ srv.TLSConfig = &tls.Config{
+ VerifyConnection: func(cs tls.ConnectionState) error {
+ sniCh <- cs.ServerName
+ return nil
+ },
+ }
+ srv.ServeTLS(l, websocket.TestCert, websocket.TestKey)
+ }()
+
+ return l, hostCh, sniCh
+}

go.mod

@@ -2,6 +2,7 @@ module github.com/Jigsaw-Code/outline-ss-server
 
 require (
  github.com/goreleaser/goreleaser v1.12.3
+ github.com/gorilla/websocket v1.5.0
  github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
  github.com/oschwald/geoip2-golang v1.8.0
  github.com/prometheus/client_golang v1.13.0
@@ -104,7 +105,6 @@ require (
  github.com/goreleaser/chglog v0.2.2 // indirect
  github.com/goreleaser/fileglob v1.3.0 // indirect
  github.com/goreleaser/nfpm/v2 v2.20.0 // indirect
- github.com/gorilla/websocket v1.5.0 // indirect
  github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
  github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
  github.com/hashicorp/go-version v1.2.1 // indirect

server.go

@@ -212,19 +212,25 @@ func readConfig(filename string) (*Config, error) {
 
 func main() {
  var flags struct {
- ConfigFile string
- MetricsAddr string
- IPCountryDB string
- natTimeout time.Duration
- replayHistory int
- Verbose bool
- Version bool
+ ConfigFile string
+ MetricsAddr string
+ IPCountryDB string
+ natTimeout time.Duration
+ replayHistory int
+ Verbose bool
+ Version bool
+ WebsocketServer bool
+ TLSCert string
+ TLSKey string
  }
  flag.StringVar(&flags.ConfigFile, "config", "", "Configuration filename")
  flag.StringVar(&flags.MetricsAddr, "metrics", "", "Address for the Prometheus metrics")
  flag.StringVar(&flags.IPCountryDB, "ip_country_db", "", "Path to the ip-to-country mmdb file")
  flag.DurationVar(&flags.natTimeout, "udptimeout", defaultNatTimeout, "UDP tunnel timeout")
  flag.IntVar(&flags.replayHistory, "replay_history", 0, "Replay buffer size (# of handshakes)")
+ flag.BoolVar(&flags.WebsocketServer, "websocket", false, "Enables the websocket serve")
+ flag.StringVar(&flags.TLSCert, "tls-cert", "ssl.crt", "Path to tls certificate to use for the websocket server")
+ flag.StringVar(&flags.TLSKey, "tls-key", "ssl.key", "Path to tls key to use for the websocket server")
  flag.BoolVar(&flags.Verbose, "verbose", false, "Enables verbose logging output")
  flag.BoolVar(&flags.Version, "version", false, "The version of the server")
 
@@ -266,11 +272,19 @@ func main() {
  }
  m := metrics.NewPrometheusShadowsocksMetrics(ipCountryDB, prometheus.DefaultRegisterer)
  m.SetBuildInfo(version)
- _, err = RunSSServer(flags.ConfigFile, flags.natTimeout, m, flags.replayHistory)
+ ssServer, err := RunSSServer(flags.ConfigFile, flags.natTimeout, m, flags.replayHistory)
  if err != nil {
  logger.Fatal(err)
  }
 
+ if flags.WebsocketServer {
+ if flags.TLSCert == "" || flags.TLSKey == "" {
+ log.Fatalln("TLS cert and key not specified")
+ flag.Usage()
+ }
+ RunWebsocketServer(ssServer, 443, flags.TLSCert, flags.TLSKey)
+ }
+
  sigCh := make(chan os.Signal, 1)
  signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
  <-sigCh

service/tcp.go

@@ -143,6 +143,8 @@ type TCPService interface {
  Stop() error
  // GracefulStop calls Stop(), and then blocks until all resources have been cleaned up.
  GracefulStop() error
+ // HandleConnection takes a shadowsocks client connection and starts a relay to the destination address.
+ HandleConnection(listenerPort int, clientTCPConn onet.DuplexConn)
 }
 
 func (s *tcpService) SetTargetIPValidator(targetIPValidator onet.TargetIPValidator) {
@@ -207,12 +209,12 @@ func (s *tcpService) Serve(listener *net.TCPListener) error {
  logger.Errorf("Panic in TCP handler: %v", r)
  }
  }()
- s.handleConnection(listener.Addr().(*net.TCPAddr).Port, clientTCPConn)
+ s.HandleConnection(listener.Addr().(*net.TCPAddr).Port, clientTCPConn)
  }()
  }
 }
 
-func (s *tcpService) handleConnection(listenerPort int, clientTCPConn *net.TCPConn) {
+func (s *tcpService) HandleConnection(listenerPort int, clientTCPConn onet.DuplexConn) {
  clientLocation, err := s.m.GetLocation(clientTCPConn.RemoteAddr())
  if err != nil {
  logger.Warningf("Failed location lookup: %v", err)
@@ -221,7 +223,9 @@ func (s *tcpService) handleConnection(listenerPort int, clientTCPConn *net.TCPCo
  s.m.AddOpenTCPConnection(clientLocation)
 
  connStart := time.Now()
- clientTCPConn.SetKeepAlive(true)
+ if tcp, ok := clientTCPConn.(*net.TCPConn); ok {
+ tcp.SetKeepAlive(true)
+ }
  // Set a deadline to receive the address to the target.
  clientTCPConn.SetReadDeadline(connStart.Add(s.readTimeout))
  var proxyMetrics metrics.ProxyMetrics

ssl.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElDCCAnwCCQDlCwAerg6zUzANBgkqhkiG9w0BAQsFADAMMQowCAYDVQQDDAEq
+MB4XDTIyMTAzMTAyMDAxMloXDTI1MDcyNzAyMDAxMlowDDEKMAgGA1UEAwwBKjCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOV0rN2wcoWuwHtvYyjKO3NL
+WQSCB1u/bDrJYXEFCjCaQFuEVWjW44vHwBnTanWPt2TcEN8ZZ7Nd3fku8ZN7I7i9
+3CPRUDatBD/IE6s90JY0dR8i4ZavOorTD8D8Xg5ioh9KdyEnEmgZpDjzENBEJQZa
+jUMytEwM5BJYO1QY6TInRbC0XCigouPBdhHR88kc5e/+tAqY7UC5x48CkLIcDAxQ
+IzPBdGWheSPjLYLn6XM0QkatZK6/7q40f03BMt29AVvwN3XgU9xBwr4Iij5nC3AV
+RfwBbySx+d+5rIxfsm6L5xOP0Zm5IueWNyCa8JDYrxdOf35bcm9VdPvay0IDp4Dr
+gTqWRvLWzBCmsXKdOIDo3O0W3UcSfzjyiue+VKNJFOFEpS02RfqaQZ4k+YpS1QIz
+3CyzDb7GVq4gNTO7P4hcMXvWxJPqoA6QYAeboHMQr695ucdjF4hebbVMNajXndhf
+BPmvAGKZivUn/PZND1vTj331mqWUMQTJOyvUVv+ZpEobhr3GQvScbFw5zLOaR5ud
+LAxgmtcyspCC4MQhu7bNPtnP5jhBXmdiNf7bbUQFgnaGDrNKELMIUeY3/TLAs6cv
+U+ZbrbofL3eGMZtCeH/7izZxX2cS1OxcHNesqOU7+ZLznbu7AXGrDo6lH/4VbC44
+YaKbn4oxfplUpQcmWWvJAgMBAAEwDQYJKoZIhvcNAQELBQADggIBABdLOenVrN4/
+D2NZJiD027LVcxnWTEjCCMgoaZ1eeQdaHlpQueL1hpZDTnFCZEsbnp77GFqXhNt4
+lnUgF4n8JmFoqR39MCu76k7VlndLTG2aMPOrc6zfe2JUeaC4Q6/BwothMu1xuz6P
+kbWResrXVIbdVH+NPqN3SFzye8MQzBkNcgiNRY9syzaPXUD3OfOYT6xnUU6orqsX
+LWnCuakRK9YlaK9X6BdPen12wyAbKg+M4eUMTnC/VTRFjHz8H8CnYjk/bzoxUQZG
+QV9XK+2dw0A0MLNXiWtoUmemS/ty+tSMnvEMdfXyskJcP3qVbywp4G4E1cUiHw9z
+e+0xYZQnaX0I6ztZWliK8ELHEucS+M20VODVUEryKl/zpqq7Rpx16T4VRrnqtYj2
+MqGLWhjUvDRFsuDaVCTbP8oZS3CrR6p0pfHqatYXcRY8E1YeMaGBMz5DKpgEhbjo
+2x6md9E7LWVRa4FQu0N/V5xlTUSGUzzgLAXIXhLiKT0B+FutG914zN8z6AOQ7DMY
+IhhosVG535/mL8AnPAoDorOSz5Vk1OxPWYCLFiUZK8rqcP3+z0xe4S/bsoGaz7Oc
+J/LzGxaanEKi53lS3zg/N4QYWmWe++l59fZVPa0HiAPsMCoHnOGPuhnULzGeGuPJ
++bLSo9WYo8HwVFk6RHeKkJcDoYRQIyO+
+-----END CERTIFICATE-----