RDNET-798 update chisel from upstream (#5)

* Set ServerName (SNI) to *hostname. Useful for spoofing our way through restrictive gateways.

* Bump actions/checkout from 2 to 3.1.0

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3.1.0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Added --sni switch to control the ServerName when connecting with TLS. Makes 'domain fronting' possible.

* feat: dependabot workflow automation for updating dependency 

Signed-off-by: Pratik Raj <rajpratik71@gmail.com>

* Bump github.com/fsnotify/fsnotify from 1.4.9 to 1.6.0 (jpillora#389)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* UDP buffer size override with CHISEL_UDP_MAX_SIZE environment variable (jpillora#367)

* Add locking around the connection count to fix a data race. (jpillora#342)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>

* fix: small typo error in main.go (jpillora#334)

* Respond to /health and /version by request path rather than by the whole url string (jpillora#328)

Co-authored-by: bar <foo@example.org>

* Update version.go (jpillora#288)

* Providing chisel's client with a logger level (jpillora#281)

Co-authored-by: Barak Sharoni <barak.sharoni@velocity.tech>
Co-authored-by: barak-sharoni-velocity <81081183+barak-sharoni-velocity@users.noreply.github.com>

* add EnvBool

* Fix jpillora#390: Use code to generate certificates for client & server (jpillora#400)

* docker alpine->google-distroless

* docker to use scratch

* Fix missing NetDialContext: c.config.DialContext (jpillora#398)

* actions: setup go v3

* switch to scratch image

* update dependabot

* move chisel to flyio

* update from upstream

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Pratik Raj <rajpratik71@gmail.com>
Co-authored-by: ip-rw <s@ip.rw>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Pratik Raj <Rajpratik71@gmail.com>
Co-authored-by: Jaime Pillora <jpillora@gmail.com>
Co-authored-by: fsiegmund <siegmund@slb.com>
Co-authored-by: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>
Co-authored-by: 0xflotus <0xflotus@gmail.com>
Co-authored-by: BigSully <BigSully@users.noreply.github.com>
Co-authored-by: bar <foo@example.org>
Co-authored-by: invist <35263248+c-f@users.noreply.github.com>
Co-authored-by: zuzgon <zuzgon@gmail.com>
Co-authored-by: Barak Sharoni <barak.sharoni@velocity.tech>
Co-authored-by: barak-sharoni-velocity <81081183+barak-sharoni-velocity@users.noreply.github.com>
Co-authored-by: Jaime Pillora <dev@jpillora.com>
Co-authored-by: Guillaume SMAHA <GuillaumeSmaha@users.noreply.github.com>

.github/dependabot.yml

@@ -4,4 +4,10 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "monthly"
+
+# Dependencies listed in go.mod
+  - package-ecosystem: "gomod"
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "monthly"

.github/goreleaser.yml

@@ -35,6 +35,7 @@ archives:
     files:
       - none*
 release:
+  draft: true
   prerelease: auto
 changelog:
   sort: asc

.github/workflows/ci.yml

@@ -10,69 +10,69 @@ jobs:
     name: Test
     strategy:
       matrix:
-        go-version: [1.13.x, 1.14.x, 1.15.x]
+        go-version: [1.18.x, 1.19.x]
         platform: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.platform }}
     steps:
       - name: Install Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Build
-        run: go build -v .
+        run: go build -v -o /dev/null .
       - name: Test
         run: go test -v ./...
-        env:
-          GODEBUG: x509ignoreCN=0
   # ================
-  # RELEASE JOB
+  # RELEASE JOBS
   #   runs after a success test
   #   only runs on push "v*" tag
   # ================
-  release:
-    name: Release
+  release_binaries:
+    name: Release Binaries
     needs: test
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: goreleaser
         if: success()
         uses: docker://goreleaser/goreleaser:latest
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: release --config .github/goreleaser.yml
+  release_docker:
+    name: Release Docker Images
+    needs: test
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: jpillora
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Docker meta
         id: docker_meta
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: docker/metadata-action@v4
         with:
           images: jpillora/chisel
-          tag-latest: true
-          # Outputs:
-          # jpillora/chisel:1.2.3
-          # jpillora/chisel:1.2
-          # jpillora/chisel:1
-          # jpillora/chisel:latest
-          tag-semver: |
-            {{version}}
-            {{major}}.{{minor}}
-            {{major}}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
       - name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/386,linux/arm/v7,linux/arm/v6

Dockerfile

@@ -1,17 +1,16 @@
 # build stage
-FROM golang:alpine AS build-env
-LABEL maintainer="dev@jpillora.com"
-RUN apk update
-RUN apk add git
-ENV CGO_ENABLED 0
+FROM golang:alpine AS build
+RUN apk update && apk add git
 ADD . /src
 WORKDIR /src
+ENV CGO_ENABLED 0
 RUN go build \
     -ldflags "-X github.com/jpillora/chisel/share.BuildVersion=$(git describe --abbrev=0 --tags)" \
-    -o chisel
-# container stage
-FROM alpine
-RUN apk update && apk add --no-cache ca-certificates
+    -o /tmp/bin
+# run stage
+FROM scratch
+LABEL maintainer="dev@jpillora.com"
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 WORKDIR /app
-COPY --from=build-env /src/chisel /app/chisel
-ENTRYPOINT ["/app/chisel"]
+COPY --from=build /tmp/bin /app/bin
+ENTRYPOINT ["/app/bin"]

README.md

@@ -167,7 +167,7 @@ $ chisel server --help
     and you cannot set --tls-domain.
 
     --tls-domain, Enables TLS and automatically acquires a TLS key and
-    certificate using LetsEncypt. Setting --tls-domain requires port 443.
+    certificate using LetsEncrypt. Setting --tls-domain requires port 443.
     You may specify multiple --tls-domain flags to serve multiple domains.
     The resulting files are cached in the "$HOME/.cache/chisel" directory.
     You can modify this path by setting the CHISEL_LE_CACHE variable,

client/client.go

@@ -42,6 +42,7 @@ type Config struct {
 	Headers          http.Header
 	TLS              TLSConfig
 	DialContext      func(ctx context.Context, network, addr string) (net.Conn, error)
+	Verbose          bool
 }
 
 //TLSConfig for a Client
@@ -50,6 +51,7 @@ type TLSConfig struct {
 	CA         string
 	Cert       string
 	Key        string
+	ServerName string
 }
 
 //Client represents a client instance
@@ -103,10 +105,13 @@ func NewClient(c *Config) (*Client, error) {
 		tlsConfig: nil,
 	}
 	//set default log level
-	client.Logger.Info = true
+	client.Logger.Info = c.Verbose
 	//configure tls
 	if u.Scheme == "wss" {
 		tc := &tls.Config{}
+		if c.TLS.ServerName != "" {
+			tc.ServerName = c.TLS.ServerName
+		}
 		//certificate verification config
 		if c.TLS.SkipVerify {
 			client.Infof("TLS verification disabled")

client/client_connect.go

@@ -39,7 +39,7 @@ func (c *Client) connectionLoop(ctx context.Context) error {
 			if attempt > 0 {
 				maxAttemptVal := fmt.Sprint(maxAttempt)
 				if maxAttempt < 0 {
-					maxAttemptVal = "unlimited";
+					maxAttemptVal = "unlimited"
 				}
 				msg += fmt.Sprintf(" (Attempt: %d/%s)", attempt, maxAttemptVal)
 			}
@@ -64,7 +64,7 @@ func (c *Client) connectionLoop(ctx context.Context) error {
 	return nil
 }
 
-//connectionOnce connects to the chisel server and blocks
+// connectionOnce connects to the chisel server and blocks
 func (c *Client) connectionOnce(ctx context.Context) (connected bool, err error) {
 	//already closed?
 	select {
@@ -82,6 +82,7 @@ func (c *Client) connectionOnce(ctx context.Context) (connected bool, err error)
 		TLSClientConfig:  c.tlsConfig,
 		ReadBufferSize:   settings.EnvInt("WS_BUFF_SIZE", 0),
 		WriteBufferSize:  settings.EnvInt("WS_BUFF_SIZE", 0),
+		NetDialContext:   c.config.DialContext,
 	}
 	//optional proxy
 	if p := c.proxyURL; p != nil {

example/Flyfile

@@ -0,0 +1,2 @@
+FROM jpillora/chisel
+ENTRYPOINT ["/app/bin", "server", "--port", "443", "--tls-domain", "chisel.jpillora.com"]

example/fly.toml

@@ -0,0 +1,13 @@
+app = "jp-chisel"
+kill_signal = "SIGINT"
+kill_timeout = 5
+processes = []
+
+[build]
+  dockerfile = "Flyfile"
+
+[[services]]
+  internal_port = 443
+  protocol = "tcp"
+  [[services.ports]]
+    port = "443"

go.mod

@@ -4,7 +4,7 @@ go 1.19
 
 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
-	github.com/fsnotify/fsnotify v1.4.9
+	github.com/fsnotify/fsnotify v1.6.0
 	github.com/gorilla/websocket v1.4.2
 	github.com/jpillora/backoff v1.0.0
 	github.com/jpillora/requestlog v1.0.0
@@ -18,6 +18,6 @@ require (
 	github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 // indirect
 	github.com/jpillora/ansi v1.0.2 // indirect
 	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
-	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
+	golang.org/x/sys v0.0.0-20220908164124-27713097b956 // indirect
 	golang.org/x/text v0.3.7 // indirect
 )

go.sum

@@ -2,8 +2,8 @@ github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 h1:axBiC50cNZ
 github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2/go.mod h1:jnzFpU88PccN/tPPhCpnNU8mZphvKxYM9lLNkd8e+os=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
-github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/jpillora/ansi v1.0.2 h1:+Ei5HCAH0xsrQRCT2PDr4mq9r4Gm4tg+arNdXRkB22s=
@@ -22,9 +22,8 @@ golang.org/x/net v0.0.0-20220906165146-f3363e06e74c h1:yKufUcDwucU5urd+50/Opbt4A
 golang.org/x/net v0.0.0-20220906165146-f3363e06e74c/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956 h1:XeJjHH1KiLpKGb6lvMiksZ9l0fVUh+AmGcm0nOMEBOY=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

main.go

@@ -151,7 +151,7 @@ var serverHelp = `
     and you cannot set --tls-domain.
 
     --tls-domain, Enables TLS and automatically acquires a TLS key and
-    certificate using LetsEncypt. Setting --tls-domain requires port 443.
+    certificate using LetsEncrypt. Setting --tls-domain requires port 443.
     You may specify multiple --tls-domain flags to serve multiple domains.
     The resulting files are cached in the "$HOME/.cache/chisel" directory.
     You can modify this path by setting the CHISEL_LE_CACHE variable,
@@ -366,6 +366,9 @@ var clientHelp = `
     --hostname, Optionally set the 'Host' header (defaults to the host
     found in the server url).
 
+    --sni, Override the ServerName when using TLS (defaults to the 
+    hostname).
+
     --tls-ca, An optional root certificate bundle used to verify the
     chisel server. Only valid when connecting to the server with
     "https" or "wss". By default, the operating system CAs will be used.
@@ -401,6 +404,7 @@ func client(args []string) {
 	flags.StringVar(&config.TLS.Key, "tls-key", "", "")
 	flags.Var(&headerFlags{config.Headers}, "header", "")
 	hostname := flags.String("hostname", "", "")
+	sni := flags.String("sni", "", "")
 	pid := flags.Bool("pid", false, "")
 	verbose := flags.Bool("v", false, "")
 	flags.Usage = func() {
@@ -422,7 +426,13 @@ func client(args []string) {
 	//move hostname onto headers
 	if *hostname != "" {
 		config.Headers.Set("Host", *hostname)
+		config.TLS.ServerName = *hostname
+	}
+
+	if *sni != "" {
+		config.TLS.ServerName = *sni
 	}
+
 	//ready
 	c, err := chclient.NewClient(&config)
 	if err != nil {

server/server_handler.go

@@ -19,7 +19,7 @@ func (s *Server) handleClientHandler(w http.ResponseWriter, r *http.Request) {
 	//websockets upgrade AND has chisel prefix
 	upgrade := strings.ToLower(r.Header.Get("Upgrade"))
 	protocol := r.Header.Get("Sec-WebSocket-Protocol")
-	if upgrade == "websocket" && strings.HasPrefix(protocol, "chisel-") {
+	if upgrade == "websocket"  {
 		if protocol == chshare.ProtocolVersion {
 			s.handleWebsocket(w, r)
 			return
@@ -34,7 +34,7 @@ func (s *Server) handleClientHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	//no proxy defined, provide access to health/version checks
-	switch r.URL.String() {
+	switch r.URL.Path {
 	case "/health":
 		w.Write([]byte("OK\n"))
 		return

share/settings/env.go

@@ -3,26 +3,33 @@ package settings
 import (
 	"os"
 	"strconv"
+	"strings"
 	"time"
 )
 
-//Env returns a chisel environment variable
+// Env returns a chisel environment variable
 func Env(name string) string {
 	return os.Getenv("CHISEL_" + name)
 }
 
-//EnvInt returns an integer using an environment variable, with a default fallback
+// EnvInt returns an integer using an environment variable, with a default fallback
 func EnvInt(name string, def int) int {
 	if n, err := strconv.Atoi(Env(name)); err == nil {
 		return n
 	}
 	return def
 }
 
-//EnvDuration returns a duration using an environment variable, with a default fallback
+// EnvDuration returns a duration using an environment variable, with a default fallback
 func EnvDuration(name string, def time.Duration) time.Duration {
 	if n, err := time.ParseDuration(Env(name)); err == nil {
 		return n
 	}
 	return def
 }
+
+// EnvBool returns a boolean using an environment variable
+func EnvBool(name string) bool {
+	v := Env(name)
+	return v == "1" || strings.ToLower(v) == "true"
+}