diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 361daab..5025f0a 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -18,7 +18,7 @@ jobs: - uses: actions-rs/toolchain@v1 with: profile: minimal - toolchain: stable + toolchain: nightly override: true - uses: actions-rs/cargo@v1 with: @@ -71,7 +71,7 @@ jobs: - uses: actions-rs/toolchain@v1 with: - toolchain: stable + toolchain: nightly override: true - name: Test Dev diff --git a/Cargo.toml b/Cargo.toml index c3fa51f..09c4773 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,7 +1,11 @@ [package] name = "hyper-reverse-proxy" version = "0.5.2-dev" -authors = ["Brendan Zabarauskas ", "Felipe Noronha ", "Jan Kantert "] +authors = [ + "Brendan Zabarauskas ", + "Felipe Noronha ", + "Jan Kantert ", +] license = "Apache-2.0" description = "A simple reverse proxy, to be used with Hyper and Tokio." homepage = "https://github.com/felipenoris/hyper-reverse-proxy" @@ -12,35 +16,25 @@ categories = ["network-programming", "web-programming"] readme = "README.md" edition = "2018" -include = [ - "Cargo.toml", - "LICENSE", - "src/**/*" -] +include = ["Cargo.toml", "LICENSE", "src/**/*"] [dependencies] -hyper = { version = "0.14.18", features = ["full"] } -hyper-trust-dns = { version = "0.4.2", optional = true, default-features = false, features = ["rustls-webpki", "rustls-http1"] } +hyper = { version = "0.14.18", features = ["client"] } lazy_static = "1.4.0" -rand = "0.8.5" tracing = "0.1.34" [dev-dependencies] +hyper = { version = "0.14.18", features = ["server"] } tokio = { version = "1.17.0", features = ["full"] } futures = "0.3.21" async-trait = "0.1.53" tokio-test = "0.4.2" test-context = "0.1.3" tokiotest-httpserver = "0.2.1" - -[features] -default = ["https"] - -https = ["hyper-trust-dns", "dnssec", "hyper-trust-dns/rustls-webpki", "http2"] -doh = ["hyper-trust-dns/dns-over-https-rustls"] -dot = ["hyper-trust-dns/dns-over-rustls"] -dnssec = ["hyper-trust-dns/dnssec-ring"] -http2 = ["hyper/http2", "hyper-trust-dns/rustls-http2"] -https-only = ["hyper-trust-dns/https-only"] -tls-1-2 = ["hyper-trust-dns/rustls-tls-12"] -native-cert-store = ["hyper-trust-dns/rustls-native"] +hyper-trust-dns = { version = "0.4.2", features = [ + "rustls-http2", + "dnssec-ring", + "dns-over-https-rustls", + "rustls-webpki" +] } +rand = "0.8.5" diff --git a/README.md b/README.md index 0deb0a6..64b2583 100644 --- a/README.md +++ b/README.md @@ -32,9 +32,17 @@ Add these dependencies to your `Cargo.toml` file. ```toml [dependencies] -hyper-reverse-proxy = "0.5" -hyper = { version = "0.14", features = ["full"] } -tokio = { version = "1", features = ["full"] } +hyper-reverse-proxy = "?" +hyper = { version = "?", features = ["full"] } +tokio = { version = "?", features = ["full"] } +lazy_static = "?" +hyper-trust-dns = { version = "?", features = [ + "rustls-http2", + "dnssec-ring", + "dns-over-https-rustls", + "rustls-webpki", + "https-only" +] } ``` The following example will set up a reverse proxy listening on `127.0.0.1:13900`, @@ -46,52 +54,65 @@ and will proxy these calls: * All other URLs will be handled by `debug_request` function, that will display request information. -```rust,no_run +```rust use hyper::server::conn::AddrStream; +use hyper::service::{make_service_fn, service_fn}; use hyper::{Body, Request, Response, Server, StatusCode}; -use hyper::service::{service_fn, make_service_fn}; -use std::{convert::Infallible, net::SocketAddr}; +use hyper_reverse_proxy::ReverseProxy; +use hyper_trust_dns::{RustlsHttpsConnector, TrustDnsResolver}; use std::net::IpAddr; +use std::{convert::Infallible, net::SocketAddr}; -fn debug_request(req: Request) -> Result, Infallible> { +lazy_static::lazy_static! { + static ref PROXY_CLIENT: ReverseProxy = { + ReverseProxy::new( + hyper::Client::builder().build::<_, hyper::Body>(TrustDnsResolver::default().into_rustls_webpki_https_connector()), + ) + }; +} + +fn debug_request(req: &Request) -> Result, Infallible> { let body_str = format!("{:?}", req); Ok(Response::new(Body::from(body_str))) } async fn handle(client_ip: IpAddr, req: Request) -> Result, Infallible> { if req.uri().path().starts_with("/target/first") { - // will forward requests to port 13901 - match hyper_reverse_proxy::call(client_ip, "http://127.0.0.1:13901", req).await { - Ok(response) => {Ok(response)} - Err(_error) => {Ok(Response::builder() - .status(StatusCode::INTERNAL_SERVER_ERROR) - .body(Body::empty()) - .unwrap())} + match PROXY_CLIENT.call(client_ip, "http://127.0.0.1:13901", req) + .await + { + Ok(response) => { + Ok(response) + }, + Err(_error) => { + Ok(Response::builder() + .status(StatusCode::INTERNAL_SERVER_ERROR) + .body(Body::empty()) + .unwrap())}, } } else if req.uri().path().starts_with("/target/second") { - // will forward requests to port 13902 - match hyper_reverse_proxy::call(client_ip, "http://127.0.0.1:13902", req).await { - Ok(response) => {Ok(response)} - Err(_error) => {Ok(Response::builder() - .status(StatusCode::INTERNAL_SERVER_ERROR) - .body(Body::empty()) - .unwrap())} + match PROXY_CLIENT.call(client_ip, "http://127.0.0.1:13902", req) + .await + { + Ok(response) => Ok(response), + Err(_error) => Ok(Response::builder() + .status(StatusCode::INTERNAL_SERVER_ERROR) + .body(Body::empty()) + .unwrap()), } } else { - debug_request(req) + debug_request(&req) } } #[tokio::main] async fn main() { let bind_addr = "127.0.0.1:8000"; - let addr:SocketAddr = bind_addr.parse().expect("Could not parse ip:port."); + let addr: SocketAddr = bind_addr.parse().expect("Could not parse ip:port."); let make_svc = make_service_fn(|conn: &AddrStream| { let remote_addr = conn.remote_addr().ip(); - async move { - Ok::<_, Infallible>(service_fn(move |req| handle(remote_addr, req))) - } + async move { Ok::<_, Infallible>(service_fn(move |req| handle(remote_addr, req))) } }); let server = Server::bind(&addr).serve(make_svc); @@ -104,33 +125,41 @@ async fn main() { } ``` -### Security +### A word about Security -Handling outgoing requests can be a security nightmare. This crate includes some features to reduce some of the risks. Everthing uses `rustls` benieth, a rust implementation for tls, faster and more secure as `openssl` +Handling outgoing requests can be a security nightmare. This crate does not control the client for the outgoing requests, as it needs to be supplied to the proxy call. The following chapters may give you an overview on how you can secure your client using the `hyper-trust-dns` crate. + +> You can see them being used in the example. #### HTTPS -By default the `https` feature is enabled which will allow you to request resources over https. This does not limit to only `https` traffic, if you would like so add the feature `https-only` to your `Cargo.toml` for this crate. +You should use a secure transport in order to know who you are talking to and so you can trust the connection. By default `hyper-trust-dns` enables the feature flag `https-only` which will panic if you supply a transport scheme which isn't `https`. It is a healthy default as it's not only you needing to trust the source but also everyone else seeing the content on unsecure connections. + +> ATTENTION: if you are running on a host with added certificates in your cert store, make sure to audit them in a interval, so neither old certificates nor malicious certificates are considered as valid by your client. #### TLS 1.2 -By default `tls 1.2` is disabled in favor of `tls 1.3`. As not yet all services support it `tls 1.2` can be enabled via the `tls-1-2` feature. +By default `tls 1.2` is disabled in favor of `tls 1.3`, because many parts of `tls 1.2` can be considered as attach friendly. As not yet all services support it `tls 1.2` can be enabled via the `rustls-tls-12` feature. + +> ATTENTION: make sure to audit the services you connect to on an interval #### DNSSEC -By default if you enable `https` (which is enabled by default) `dnssec` is enabled. +As dns queries and entries aren't "trustworthy" by default from a security standpoint. `DNSSEC` adds a new cryptographic layer for verification. To enable it use the `dnssec-ring` feature. #### HTTP/2 -While `http/3` might be just around the corner. `http/2` support can be enabled using the `http2` feature. +By default only rustlss `http1` feature is enabled for dns queries. While `http/3` might be just around the corner. `http/2` support can be enabled using the `rustls-http2` feature. #### DoT & DoH +DoT and DoH provide you with a secure transport between you and your dns. + By default none of them are enabled. If you would like to enabled them, you can do so using the features `doh` and `dot`. Recommendations: - - If you need to monitor network activities in relation to accessed ports, use `dot` - - If you are out in the wild and have no need to monitor based on ports, use `doh` as it will blend in with other `https` traffic + - If you need to monitor network activities in relation to accessed ports, use dot with the `dns-over-rustls` feature flag + - If you are out in the wild and have no need to monitor based on ports, doh with the `dns-over-https-rustls` feature flag as it will blend in with other `https` traffic It is highly recommended to use one of them. diff --git a/examples/simple.rs b/examples/simple.rs new file mode 100644 index 0000000..97ca731 --- /dev/null +++ b/examples/simple.rs @@ -0,0 +1,67 @@ +use hyper::server::conn::AddrStream; +use hyper::service::{make_service_fn, service_fn}; +use hyper::{Body, Request, Response, Server, StatusCode}; +use hyper_reverse_proxy::ReverseProxy; +use hyper_trust_dns::{RustlsHttpsConnector, TrustDnsResolver}; +use std::net::IpAddr; +use std::{convert::Infallible, net::SocketAddr}; + +lazy_static::lazy_static! { + static ref PROXY_CLIENT: ReverseProxy = { + ReverseProxy::new( + hyper::Client::builder().build::<_, hyper::Body>(TrustDnsResolver::default().into_rustls_webpki_https_connector()), + ) + }; +} + +fn debug_request(req: &Request) -> Result, Infallible> { + let body_str = format!("{:?}", req); + Ok(Response::new(Body::from(body_str))) +} + +async fn handle(client_ip: IpAddr, req: Request) -> Result, Infallible> { + if req.uri().path().starts_with("/target/first") { + match PROXY_CLIENT + .call(client_ip, "http://127.0.0.1:13901", req) + .await + { + Ok(response) => Ok(response), + Err(_error) => Ok(Response::builder() + .status(StatusCode::INTERNAL_SERVER_ERROR) + .body(Body::empty()) + .unwrap()), + } + } else if req.uri().path().starts_with("/target/second") { + match PROXY_CLIENT + .call(client_ip, "http://127.0.0.1:13902", req) + .await + { + Ok(response) => Ok(response), + Err(_error) => Ok(Response::builder() + .status(StatusCode::INTERNAL_SERVER_ERROR) + .body(Body::empty()) + .unwrap()), + } + } else { + debug_request(&req) + } +} + +#[tokio::main] +async fn main() { + let bind_addr = "127.0.0.1:8000"; + let addr: SocketAddr = bind_addr.parse().expect("Could not parse ip:port."); + + let make_svc = make_service_fn(|conn: &AddrStream| { + let remote_addr = conn.remote_addr().ip(); + async move { Ok::<_, Infallible>(service_fn(move |req| handle(remote_addr, req))) } + }); + + let server = Server::bind(&addr).serve(make_svc); + + println!("Running server on {:?}", addr); + + if let Err(e) = server.await { + eprintln!("server error: {}", e); + } +} diff --git a/src/lib.rs b/src/lib.rs index 341d1c4..620ea65 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -39,50 +39,63 @@ //! //! ```rust,no_run //! use hyper::server::conn::AddrStream; +//! use hyper::service::{make_service_fn, service_fn}; //! use hyper::{Body, Request, Response, Server, StatusCode}; -//! use hyper::service::{service_fn, make_service_fn}; -//! use std::{convert::Infallible, net::SocketAddr}; +//! use hyper_reverse_proxy::ReverseProxy; +//! use hyper_trust_dns::{RustlsHttpsConnector, TrustDnsResolver}; //! use std::net::IpAddr; +//! use std::{convert::Infallible, net::SocketAddr}; +//! +//! lazy_static::lazy_static! { +//! static ref PROXY_CLIENT: ReverseProxy = { +//! ReverseProxy::new( +//! hyper::Client::builder().build::<_, hyper::Body>(TrustDnsResolver::default().into_rustls_webpki_https_connector()), +//! ) +//! }; +//! } //! -//! fn debug_request(req: Request) -> Result, Infallible> { +//! fn debug_request(req: &Request) -> Result, Infallible> { //! let body_str = format!("{:?}", req); //! Ok(Response::new(Body::from(body_str))) //! } //! //! async fn handle(client_ip: IpAddr, req: Request) -> Result, Infallible> { //! if req.uri().path().starts_with("/target/first") { -//! // will forward requests to port 13901 -//! match hyper_reverse_proxy::call(client_ip, "http://127.0.0.1:13901", req).await { -//! Ok(response) => {Ok(response)} -//! Err(_error) => {Ok(Response::builder() -//! .status(StatusCode::INTERNAL_SERVER_ERROR) -//! .body(Body::empty()) -//! .unwrap())} +//! match PROXY_CLIENT.call(client_ip, "http://127.0.0.1:13901", req) +//! .await +//! { +//! Ok(response) => { +//! Ok(response) +//! }, +//! Err(_error) => { +//! Ok(Response::builder() +//! .status(StatusCode::INTERNAL_SERVER_ERROR) +//! .body(Body::empty()) +//! .unwrap())}, //! } //! } else if req.uri().path().starts_with("/target/second") { -//! // will forward requests to port 13902 -//! match hyper_reverse_proxy::call(client_ip, "http://127.0.0.1:13902", req).await { -//! Ok(response) => {Ok(response)} -//! Err(_error) => {Ok(Response::builder() -//! .status(StatusCode::INTERNAL_SERVER_ERROR) -//! .body(Body::empty()) -//! .unwrap())} +//! match PROXY_CLIENT.call(client_ip, "http://127.0.0.1:13902", req) +//! .await +//! { +//! Ok(response) => Ok(response), +//! Err(_error) => Ok(Response::builder() +//! .status(StatusCode::INTERNAL_SERVER_ERROR) +//! .body(Body::empty()) +//! .unwrap()), //! } //! } else { -//! debug_request(req) +//! debug_request(&req) //! } //! } //! //! #[tokio::main] //! async fn main() { //! let bind_addr = "127.0.0.1:8000"; -//! let addr:SocketAddr = bind_addr.parse().expect("Could not parse ip:port."); +//! let addr: SocketAddr = bind_addr.parse().expect("Could not parse ip:port."); //! //! let make_svc = make_service_fn(|conn: &AddrStream| { //! let remote_addr = conn.remote_addr().ip(); -//! async move { -//! Ok::<_, Infallible>(service_fn(move |req| handle(remote_addr, req))) -//! } +//! async move { Ok::<_, Infallible>(service_fn(move |req| handle(remote_addr, req))) } //! }); //! //! let server = Server::bind(&addr).serve(make_svc); @@ -93,6 +106,7 @@ //! eprintln!("server error: {}", e); //! } //! } +//! //! ``` #![cfg_attr(all(not(stable), test), feature(test))] @@ -102,12 +116,6 @@ extern crate tracing; #[cfg(all(not(stable), test))] extern crate test; -#[cfg(feature = "https")] -use hyper_trust_dns::TrustDnsResolver; - -#[cfg(not(feature = "https"))] -use hyper::client::{connect::dns::GaiResolver, HttpConnector}; - use hyper::header::{HeaderMap, HeaderName, HeaderValue, HOST}; use hyper::http::header::{InvalidHeaderValue, ToStrError}; use hyper::http::uri::InvalidUri; @@ -234,7 +242,7 @@ fn forward_uri(forward_url: &str, req: &Request) -> String { if base_url.ends_with('/') { let mut path1_chars = base_url.chars(); - path1_chars.next(); + path1_chars.next_back(); base_url = path1_chars.as_str(); } @@ -264,18 +272,10 @@ fn forward_uri(forward_url: &str, req: &Request) -> String { } else { debug!("Merging request and forward_url query"); - let request_query_items = req - .uri() - .query() - .unwrap_or("") - .split('&') - .collect::>() - .iter() - .map(|el| { - let parts = el.split('=').collect::>(); - (parts[0], if parts.len() > 1 { parts[1] } else { "" }) - }) - .collect::>(); + let request_query_items = req.uri().query().unwrap_or("").split('&').map(|el| { + let parts = el.split('=').collect::>(); + (parts[0], if parts.len() > 1 { parts[1] } else { "" }) + }); let forward_query_items = forward_url_query .split('&') @@ -285,8 +285,9 @@ fn forward_uri(forward_url: &str, req: &Request) -> String { }) .collect::>(); - for (key, value) in request_query_items.iter() { - if !forward_query_items.contains(key) { + for (key, value) in request_query_items { + if !forward_query_items.iter().any(|e| e == &key) { + url.push('&'); url.push_str(key); url.push('='); url.push_str(value); @@ -384,26 +385,11 @@ fn create_proxied_request( Ok(request) } -#[cfg(feature = "https")] -fn build_client() -> Client { - #[cfg(feature = "native-cert-store")] - let https = TrustDnsResolver::default().into_rustls_native_https_connector(); - - #[cfg(not(feature = "native-cert-store"))] - let https = TrustDnsResolver::default().into_rustls_webpki_https_connector(); - - Client::builder().build::<_, hyper::Body>(https) -} - -#[cfg(not(feature = "https"))] -fn build_client() -> Client, hyper::Body> { - Client::new() -} - -pub async fn call( +pub async fn call<'a, T: hyper::client::connect::Connect + Clone + Send + Sync + 'static>( client_ip: IpAddr, forward_uri: &str, request: Request, + client: &'a Client, ) -> Result, ProxyError> { info!( "Received proxy call from {} to {}, client: {}", @@ -414,7 +400,6 @@ pub async fn call( let proxied_request = create_proxied_request(client_ip, forward_uri, request)?; - let client = build_client(); let response = client.request(proxied_request).await?; let proxied_response = create_proxied_response(response); @@ -422,10 +407,29 @@ pub async fn call( Ok(proxied_response) } +pub struct ReverseProxy { + client: Client, +} + +impl ReverseProxy { + pub fn new(client: Client) -> Self { + Self { client } + } + + pub async fn call( + &self, + client_ip: IpAddr, + forward_uri: &str, + request: Request, + ) -> Result, ProxyError> { + call::(client_ip, forward_uri, request, &self.client).await + } +} + #[cfg(all(not(stable), test))] mod tests { use hyper::header::HeaderName; - use hyper::Uri; + use hyper::{Client, Uri}; use hyper::{HeaderMap, Request, Response}; use rand::distributions::Alphanumeric; use rand::prelude::*; @@ -480,6 +484,8 @@ mod tests { let client_ip = std::net::IpAddr::from(Ipv4Addr::from_str("0.0.0.0").unwrap()); + let client = Client::new(); + b.iter(|| { rt.block_on(async { let mut request = Request::builder().uri(uri.clone()); @@ -490,6 +496,7 @@ mod tests { client_ip, forward_url, request.body(hyper::Body::from("")).unwrap(), + &client, ) .await .unwrap(); diff --git a/tests/test_http.rs b/tests/test_http.rs index fe35d6f..e1f53ed 100644 --- a/tests/test_http.rs +++ b/tests/test_http.rs @@ -1,6 +1,9 @@ +use hyper::client::connect::dns::GaiResolver; +use hyper::client::HttpConnector; use hyper::server::conn::AddrStream; use hyper::service::{make_service_fn, service_fn}; use hyper::{Body, Client, Request, Response, Server, StatusCode, Uri}; +use hyper_reverse_proxy::ReverseProxy; use std::convert::Infallible; use std::net::{IpAddr, SocketAddr}; use test_context::test_context; @@ -10,6 +13,14 @@ use tokio::task::JoinHandle; use tokiotest_httpserver::handler::HandlerBuilder; use tokiotest_httpserver::{take_port, HttpTestContext}; +lazy_static::lazy_static! { + static ref PROXY_CLIENT: ReverseProxy> = { + ReverseProxy::new( + hyper::Client::new(), + ) + }; +} + struct ProxyTestContext { sender: Sender<()>, proxy_handler: JoinHandle>, @@ -52,12 +63,13 @@ async fn handle( req: Request, backend_port: u16, ) -> Result, Infallible> { - match hyper_reverse_proxy::call( - client_ip, - format!("http://127.0.0.1:{}", backend_port).as_str(), - req, - ) - .await + match PROXY_CLIENT + .call( + client_ip, + format!("http://127.0.0.1:{}", backend_port).as_str(), + req, + ) + .await { Ok(response) => Ok(response), Err(_) => Ok(Response::builder().status(502).body(Body::empty()).unwrap()), @@ -65,11 +77,12 @@ async fn handle( } #[async_trait::async_trait] -impl AsyncTestContext for ProxyTestContext { +impl<'a> AsyncTestContext for ProxyTestContext { async fn setup() -> ProxyTestContext { let http_back: HttpTestContext = AsyncTestContext::setup().await; let (sender, receiver) = tokio::sync::oneshot::channel::<()>(); let bp_to_move = http_back.port; + let make_svc = make_service_fn(move |conn: &AddrStream| { let remote_addr = conn.remote_addr().ip(); let back_port = bp_to_move;