#!/usr/bin/perl # # Copyright (c) 2006-2010 by Karl J. Runge # # connect_switch is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # connect_switch is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with connect_switch; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # or see . # # # connect_switch: # # A kludge script that sits between web clients and a mod_ssl (https) # enabled apache webserver. # # If an incoming web client connection makes a proxy CONNECT request # it is handled directly by this script (apache is not involved). # Otherwise, all other connections are forwarded to the apache webserver. # # This can be useful for VNC redirection using an existing https (port # 443) webserver, thereby not requiring a 2nd (non-https) port open on # the firewall for the CONNECT requests. # # It does not seem possible (to me) to achieve this entirely within apache # because the CONNECT request appears to be forwarded encrypted to # the remote host and so the SSL dies immediately. # # It can also be used to redirect ANY protocol, e.g. SSH, not just VNC. # See CONNECT_SWITCH_APPLY_VNC_OFFSET=0 to disable VNC 5900 shift. # # Note: There is no need to use this script for a non-ssl apache webserver # port because mod_proxy works fine for doing the switching all inside # apache (see ProxyRequests and AllowCONNECT parameters). # # # Apache configuration: # # The mod_ssl configuration is often in a file named ssl.conf. In the # simplest case you change something like this: # # From: # # Listen 443 # # # ... # # # To: # # Listen 127.0.0.1:443 # # # ... # # # (i.e. just change the Listen directive). # # If you have mod_ssl listening on a different internal port, you do # not need to specify the localhost Listen address. # # It is probably a good idea to set $listen_host below to the known # IP address you want the service to listen on (to avoid localhost where # apache is listening). # #################################################################### # NOTE: For more info on configuration settings, read below for # all of the CONNECT_SWITCH_* env. var. parameters. #################################################################### #################################################################### # Allow env vars to also be specified on cmdline: # foreach my $arg (@ARGV) { if ($arg =~ /^(CONNECT_SWITCH.*?)=(.*)$/) { $ENV{$1} = $2; } } # Set up logging: # if (exists $ENV{CONNECT_SWITCH_LOGFILE}) { close STDOUT; if (!open(STDOUT, ">>$ENV{CONNECT_SWITCH_LOGFILE}")) { die "connect_switch: $ENV{CONNECT_SWITCH_LOGFILE} $!\n"; } close STDERR; open(STDERR, ">&STDOUT"); } select(STDERR); $| = 1; select(STDOUT); $| = 1; # interrupt handler: # my $looppid = ''; my $pidfile = ''; my $listen_sock = ''; # declared here for get_out() # sub get_out { print STDERR "$_[0]:\t$$ looppid=$looppid\n"; close $listen_sock if $listen_sock; if ($looppid) { kill 'TERM', $looppid; fsleep(0.2); } unlink $pidfile if $pidfile; exit 0; } $SIG{INT} = \&get_out; $SIG{TERM} = \&get_out; # pidfile: # sub open_pidfile { if (exists $ENV{CONNECT_SWITCH_PIDFILE}) { my $pf = $ENV{CONNECT_SWITCH_PIDFILE}; if (open(PID, ">$pf")) { print PID "$$\n"; close PID; $pidfile = $pf; } else { print STDERR "could not open pidfile: $pf - $! - continuing...\n"; } delete $ENV{CONNECT_SWITCH_PIDFILE}; } } #################################################################### # Set CONNECT_SWITCH_LOOP=1 to have this script create an outer loop # restarting itself if it ever exits. Set CONNECT_SWITCH_LOOP=BG to # do this in the background as a daemon. if (exists $ENV{CONNECT_SWITCH_LOOP}) { my $csl = $ENV{CONNECT_SWITCH_LOOP}; if ($csl ne 'BG' && $csl ne '1') { die "connect_switch: invalid CONNECT_SWITCH_LOOP.\n"; } if ($csl eq 'BG') { # go into bg as "daemon": setpgrp(0, 0); my $pid = fork(); if (! defined $pid) { die "connect_switch: $!\n"; } elsif ($pid) { wait; exit 0; } if (fork) { exit 0; } setpgrp(0, 0); close STDIN; if (! $ENV{CONNECT_SWITCH_LOGFILE}) { close STDOUT; close STDERR; } } delete $ENV{CONNECT_SWITCH_LOOP}; if (exists $ENV{CONNECT_SWITCH_PIDFILE}) { open_pidfile(); } print STDERR "connect_switch: starting service at ", scalar(localtime), " master-pid=$$\n"; while (1) { $looppid = fork; if (! defined $looppid) { sleep 10; } elsif ($looppid) { wait; } else { exec $0; exit 1; } print STDERR "connect_switch: re-starting service at ", scalar(localtime), " master-pid=$$\n"; sleep 1; } exit 0; } if (exists $ENV{CONNECT_SWITCH_PIDFILE}) { open_pidfile(); } ############################################################################ # The defaults for hosts and ports (you can override them below if needed): # # Look below for these environment variables that let you set the various # parameters without needing to edit this script: # # CONNECT_SWITCH_LISTEN # CONNECT_SWITCH_HTTPD # CONNECT_SWITCH_ALLOWED # CONNECT_SWITCH_ALLOW_FILE # CONNECT_SWITCH_VERBOSE # CONNECT_SWITCH_APPLY_VNC_OFFSET # CONNECT_SWITCH_VNC_OFFSET # CONNECT_SWITCH_LISTEN_IPV6 # CONNECT_SWITCH_BUFSIZE # CONNECT_SWITCH_LOGFILE # CONNECT_SWITCH_PIDFILE # # You can also set these on the cmdline: # connect_switch CONNECT_SWITCH_LISTEN=X CONNECT_SWITCH_ALLOW_FILE=Y ... # # By default we will use hostname and assume it resolves: # my $hostname = `hostname`; chomp $hostname; my $listen_host = $hostname; my $listen_port = 443; # Let user override listening situation, e.g. multihomed: # if (exists $ENV{CONNECT_SWITCH_LISTEN}) { # # E.g. CONNECT_SWITCH_LISTEN=192.168.0.32:443 # ($listen_host, $listen_port) = split(/:/, $ENV{CONNECT_SWITCH_LISTEN}); } my $httpd_host = 'localhost'; my $httpd_port = 443; if (exists $ENV{CONNECT_SWITCH_HTTPD}) { # # E.g. CONNECT_SWITCH_HTTPD=127.0.0.1:443 # ($httpd_host, $httpd_port) = split(/:/, $ENV{CONNECT_SWITCH_HTTPD}); } my $bufsize = 8192; if (exists $ENV{CONNECT_SWITCH_BUFSIZE}) { # # E.g. CONNECT_SWITCH_BUFSIZE=32768 # $bufsize = $ENV{CONNECT_SWITCH_BUFSIZE}; } ############################################################################ # You can/should override the host/port settings here: # #$listen_host = '23.45.67.89'; # set to your interface IP number. #$listen_port = 555; # and/or nonstandard port. #$httpd_host = 'somehost'; # maybe you redir https to another machine. #$httpd_port = 666; # and/or nonstandard port. # You must set the allowed host:port CONNECT redirection list. # Only these host:port pairs will be redirected to. # Port ranges are allowed too: host:5900-5930. # If there is one entry named ALL all connections are allow. # You must supply something, default is deny. # my @allowed = qw( machine1:5915 machine2:5900 ); if (exists $ENV{CONNECT_SWITCH_ALLOWED}) { # # E.g. CONNECT_SWITCH_ALLOWED=machine1:5915,machine2:5900 # @allowed = split(/,/, $ENV{CONNECT_SWITCH_ALLOWED}); } # Or you could also use an external "allow file". # They get added to the @allowed list. # The file is re-read for each new connection. # # Format of $allow_file: # # host1 vncdisp # host2 vncdisp # # where, e.g. vncdisp = 15 => port 5915, say # # joesbox 15 # fredsbox 15 # rupert 1 # For examply, mine is: # my $allow_file = '/dist/apache/2.0/conf/vnc.hosts'; $allow_file = ''; if (exists $ENV{CONNECT_SWITCH_ALLOW_FILE}) { # E.g. CONNECT_SWITCH_ALLOW_FILE=/usr/local/etc/allow.txt $allow_file = $ENV{CONNECT_SWITCH_ALLOW_FILE}; } # Set to 1 to re-map to vnc port, e.g. 'hostname 15' to 'hostname 5915' # i.e. assume a port 0 <= port < 200 is actually a VNC display # and add 5900 to it. Set to 0 to not do the mapping. # Note that negative ports, e.g. 'joesbox -22' go directly to -port. # my $apply_vnc_offset = 1; my $vnc_offset = 5900; if (exists $ENV{CONNECT_SWITCH_APPLY_VNC_OFFSET}) { # # E.g. CONNECT_SWITCH_APPLY_VNC_OFFSET=0 # $apply_vnc_offset = $ENV{CONNECT_SWITCH_APPLY_VNC_OFFSET}; } if (exists $ENV{CONNECT_SWITCH_VNC_OFFSET}) { # # E.g. CONNECT_SWITCH_VNC_OFFSET=6000 # $vnc_offset = $ENV{CONNECT_SWITCH_VNC_OFFSET}; } # Set to 1 or higher for more info output: # my $verbose = 0; if (exists $ENV{CONNECT_SWITCH_VERBOSE}) { # # E.g. CONNECT_SWITCH_VERBOSE=1 # $verbose = $ENV{CONNECT_SWITCH_VERBOSE}; } #=========================================================================== # No need for any changes below here. #=========================================================================== use IO::Socket::INET; use strict; use warnings; my $killpid = 1; setpgrp(0, 0); if (exists $ENV{CONNECT_SWITCH_LISTEN_IPV6}) { # note we leave out LocalAddr. my $cmd = ' use IO::Socket::INET6; $listen_sock = IO::Socket::INET6->new( Listen => 10, LocalPort => $listen_port, ReuseAddr => 1, Domain => AF_INET6, Proto => "tcp" ); '; eval $cmd; die "$@\n" if $@; } else { $listen_sock = IO::Socket::INET->new( Listen => 10, LocalAddr => $listen_host, LocalPort => $listen_port, ReuseAddr => 1, Proto => "tcp" ); } if (! $listen_sock) { die "connect_switch: $!\n"; } my $current_fh1 = ''; my $current_fh2 = ''; my $conn = 0; while (1) { $conn++; print STDERR "listening for connection: $conn\n" if $verbose; my ($client, $ip) = $listen_sock->accept(); if (! $client) { fsleep(0.5); next; } print STDERR "conn: $conn -- ", $client->peerhost(), " at ", scalar(localtime), "\n" if $verbose; my $pid = fork(); if (! defined $pid) { die "connect_switch: $!\n"; } elsif ($pid) { wait; next; } else { close $listen_sock; if (fork) { exit 0; } setpgrp(0, 0); handle_conn($client); } } exit 0; sub handle_conn { my $client = shift; my $start = time(); my @allow = @allowed; # read allow file. Note we read it for every connection # to allow the admin to modify it w/o restarting us. # better way would be to read in parent and check mtime. # if ($allow_file && -f $allow_file) { if (open(ALLOW, "<$allow_file")) { while () { next if /^\s*#/; next if /^\s*$/; chomp; my ($host, $dpy) = split(' ', $_); next if ! defined $host; next if ! defined $dpy; if ($dpy < 0) { $dpy = -$dpy; } elsif ($apply_vnc_offset) { $dpy += $vnc_offset if $dpy < 200; } push @allow, "$host:$dpy"; } close(ALLOW); } else { warn "$allow_file: $!\n"; } } # Read the first 7 bytes of connection, see if it is 'CONNECT' # my $str = ''; my $N = 0; my $isconn = 1; for (my $i = 0; $i < 7; $i++) { my $b; sysread($client, $b, 1); $str .= $b; $N++; print STDERR "read: '$str'\n" if $verbose > 1; my $cstr = substr('CONNECT', 0, $i+1); if ($str ne $cstr) { $isconn = 0; last; } } my $sock = ''; if ($isconn) { # it is CONNECT, read rest of HTTP header: # while ($str !~ /\r\n\r\n/) { my $b; sysread($client, $b, 1); $str .= $b; } print STDERR "read: $str\n" if $verbose > 1; # get http version and host:port # my $ok = 0; my $hostport = ''; my $http_vers = '1.0'; if ($str =~ /^CONNECT\s+(\S+)\s+HTTP\/(\S+)/) { $hostport = $1; $http_vers = $2; my ($h, $p) = split(/:/, $hostport); if ($p =~ /^\d+$/) { # check allowed host list: foreach my $hp (@allow) { if ($hp eq 'ALL') { $ok = 1; } if ($hp eq $hostport) { $ok = 1; } if ($hp =~ /^(.*):(\d+)-(\d+)$/) { my $ahost = $1; my $pmin = $2; my $pmax = $3; if ($h eq $ahost) { if ($p >= $pmin && $p <= $pmax) { $ok = 1; } } } last if $ok; } } } my $msg_1 = "HTTP/$http_vers 200 Connection Established\r\n" . "Proxy-agent: connect_switch v0.2\r\n\r\n"; my $msg_2 = "HTTP/$http_vers 502 Bad Gateway\r\n" . "Connection: close\r\n\r\n"; if (! $ok) { # disallowed. drop with message. # syswrite($client, $msg_2, length($msg_2)); close $client; exit 0; } my ($host, $port) = split(/:/, $hostport); print STDERR "connecting to: $host:$port\n" if $verbose; $sock = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => "tcp" ); my $msg; # send the connect proxy reply: # if ($sock) { $msg = $msg_1; } else { $msg = $msg_2; } syswrite($client, $msg, length($msg)); $str = ''; } else { # otherwise, redirect to apache for normal https: # print STDERR "connecting to: $httpd_host:$httpd_port\n" if $verbose; $sock = IO::Socket::INET->new( PeerAddr => $httpd_host, PeerPort => $httpd_port, Proto => "tcp" ); } if (! $sock) { close $client; die "connect_switch: $!\n"; } # get ready for xfer phase: # $current_fh1 = $client; $current_fh2 = $sock; $SIG{TERM} = sub {print STDERR "got sigterm\[$$]\n" if $verbose; close $current_fh1; close $current_fh2; exit 0}; my $parent = $$; if (my $child = fork()) { xfer($sock, $client, 'S->C'); if ($killpid) { fsleep(0.5); kill 'TERM', $child; } } else { # write those first bytes if not CONNECT: # if ($str ne '' && $N > 0) { syswrite($sock, $str, $N); } xfer($client, $sock, 'C->S'); if ($killpid) { fsleep(0.75); kill 'TERM', $parent; } } if ($verbose > 1) { my $dt = time() - $start; print STDERR "duration\[$$]: $dt seconds. ", scalar(localtime), "\n"; } exit 0; } sub xfer { my($in, $out, $lab) = @_; my ($RIN, $WIN, $EIN, $ROUT); $RIN = $WIN = $EIN = ""; $ROUT = ""; vec($RIN, fileno($in), 1) = 1; vec($WIN, fileno($in), 1) = 1; $EIN = $RIN | $WIN; my $buf; while (1) { my $nf = 0; while (! $nf) { $nf = select($ROUT=$RIN, undef, undef, undef); } my $len = sysread($in, $buf, $bufsize); if (! defined($len)) { next if $! =~ /^Interrupted/; print STDERR "connect_switch\[$lab/$conn/$$]: $!\n"; last; } elsif ($len == 0) { print STDERR "connect_switch\[$lab/$conn/$$]: " . "Input is EOF.\n"; last; } if (0) { # very verbose debugging of data: syswrite(STDERR , "\n$lab: ", 6); syswrite(STDERR , $buf, $len); } my $offset = 0; my $quit = 0; while ($len) { my $written = syswrite($out, $buf, $len, $offset); if (! defined $written) { print STDERR "connect_switch\[$lab/$conn/$$]: " . "Output is EOF. $!\n"; $quit = 1; last; } $len -= $written; $offset += $written; } last if $quit; } close($in); close($out); } sub fsleep { my ($time) = @_; select(undef, undef, undef, $time) if $time; }