mirrors
/
rspamd
огледало од https://github.com/vstakhov/rspamd.git
Прати 1
Волим 0
Креирај огранак 0
Код Дискусије 0 Издања 159 Вики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6116 Комити
28 Гране
Дрво: d54124d738
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from 'd54124d738'
${ noResults }
rspamd/src/http_proxy.c

http_proxy.c 13KB
Датотека Blame Историја

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507 
  1. /*-

  2.  * Copyright 2016 Vsevolod Stakhov

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *   http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. #include "config.h"

  17. #include "libutil/util.h"

  18. #include "libutil/map.h"

  19. #include "libutil/upstream.h"

  20. #include "libserver/protocol.h"

  21. #include "libserver/cfg_file.h"

  22. #include "libserver/url.h"

  23. #include "libserver/dns.h"

  24. #include "libmime/message.h"

  25. #include "rspamd.h"

  26. #include "libserver/worker_util.h"

  27. #include "keypairs_cache.h"

  28. #include "ottery.h"

  29. #include "unix-std.h"

  30. 

  31. /* Rotate keys each minute by default */

  32. #define DEFAULT_ROTATION_TIME 60.0

  33. 

  34. gpointer init_http_proxy (struct rspamd_config *cfg);

  35. void start_http_proxy (struct rspamd_worker *worker);

  36. 

  37. worker_t http_proxy_worker = {

  38. 	"http_proxy",               /* Name */

  39. 	init_http_proxy,            /* Init function */

  40. 	start_http_proxy,           /* Start function */

  41. 	TRUE,                       /* Has socket */

  42. 	FALSE,                      /* Non unique */

  43. 	FALSE,                      /* Non threaded */

  44. 	TRUE,                       /* Killable */

  45. 	SOCK_STREAM,                /* TCP socket */

  46. 	RSPAMD_WORKER_VER

  47. };

  48. 

  49. struct rspamd_http_upstream {

  50. 	gchar *name;

  51. 	struct upstream_list *u;

  52. 	struct rspamd_cryptobox_pubkey *key;

  53. };

  54. 

  55. struct http_proxy_ctx {

  56. 	gdouble timeout;

  57. 	struct timeval io_tv;

  58. 	struct rspamd_config *cfg;

  59. 	/* DNS resolver */

  60. 	struct rspamd_dns_resolver *resolver;

  61. 	/* Events base */

  62. 	struct event_base *ev_base;

  63. 	/* Encryption key for clients */

  64. 	struct rspamd_cryptobox_keypair *key;

  65. 	/* Keys cache */

  66. 	struct rspamd_keypair_cache *keys_cache;

  67. 	/* Upstreams to use */

  68. 	GHashTable *upstreams;

  69. 	/* Default upstream */

  70. 	struct rspamd_http_upstream *default_upstream;

  71. 	/* Local rotating keypair for upstreams */

  72. 	struct rspamd_cryptobox_keypair *local_key;

  73. 	struct event rotate_ev;

  74. 	gdouble rotate_tm;

  75. };

  76. 

  77. struct http_proxy_session {

  78. 	struct http_proxy_ctx *ctx;

  79. 	struct event_base *ev_base;

  80. 	struct rspamd_cryptobox_keypair *local_key;

  81. 	struct rspamd_cryptobox_pubkey *remote_key;

  82. 	struct upstream *up;

  83. 	gint client_sock;

  84. 	gint backend_sock;

  85. 	rspamd_inet_addr_t *client_addr;

  86. 	struct rspamd_http_connection *client_conn;

  87. 	struct rspamd_http_connection *backend_conn;

  88. 	struct rspamd_dns_resolver *resolver;

  89. 	gboolean replied;

  90. };

  91. 

  92. static GQuark

  93. http_proxy_quark (void)

  94. {

  95. 	return g_quark_from_static_string ("http-proxy");

  96. }

  97. 

  98. static gboolean

  99. http_proxy_parse_upstream (rspamd_mempool_t *pool,

  100. 	const ucl_object_t *obj,

  101. 	gpointer ud,

  102. 	struct rspamd_rcl_section *section,

  103. 	GError **err)

  104. {

  105. 	const ucl_object_t *elt;

  106. 	struct rspamd_http_upstream *up = NULL;

  107. 	struct http_proxy_ctx *ctx;

  108. 	struct rspamd_rcl_struct_parser *pd = ud;

  109. 

  110. 	ctx = pd->user_struct;

  111. 

  112. 	if (ucl_object_type (obj) != UCL_OBJECT) {

  113. 		g_set_error (err, http_proxy_quark (), 100,

  114. 				"upstream option must be an object");

  115. 

  116. 		return FALSE;

  117. 	}

  118. 

  119. 	elt = ucl_object_find_key (obj, "name");

  120. 	if (elt == NULL) {

  121. 		g_set_error (err, http_proxy_quark (), 100,

  122. 				"upstream option must have some name definition");

  123. 

  124. 		return FALSE;

  125. 	}

  126. 

  127. 	up = g_slice_alloc0 (sizeof (*up));

  128. 	up->name = g_strdup (ucl_object_tostring (elt));

  129. 

  130. 	elt = ucl_object_find_key (obj, "key");

  131. 	if (elt != NULL) {

  132. 		up->key = rspamd_pubkey_from_base32 (ucl_object_tostring (elt), 0,

  133. 				RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519);

  134. 

  135. 		if (up->key == NULL) {

  136. 			g_set_error (err, http_proxy_quark (), 100,

  137. 					"cannot read upstream key");

  138. 

  139. 			goto err;

  140. 		}

  141. 	}

  142. 

  143. 	elt = ucl_object_find_key (obj, "hosts");

  144. 

  145. 	if (elt == NULL) {

  146. 		g_set_error (err, http_proxy_quark (), 100,

  147. 				"upstream option must have some hosts definition");

  148. 

  149. 		goto err;

  150. 	}

  151. 

  152. 	up->u = rspamd_upstreams_create (ctx->cfg->ups_ctx);

  153. 	if (!rspamd_upstreams_from_ucl (up->u, elt, 11333, NULL)) {

  154. 		g_set_error (err, http_proxy_quark (), 100,

  155. 				"upstream has bad hosts definition");

  156. 

  157. 		goto err;

  158. 	}

  159. 

  160. 	elt = ucl_object_find_key (obj, "default");

  161. 	if (elt && ucl_object_toboolean (elt)) {

  162. 		ctx->default_upstream = up;

  163. 	}

  164. 

  165. 	g_hash_table_insert (ctx->upstreams, up->name, up);

  166. 

  167. 	return TRUE;

  168. 

  169. err:

  170. 

  171. 	if (up) {

  172. 		g_free (up->name);

  173. 		rspamd_upstreams_destroy (up->u);

  174. 

  175. 		if (up->key) {

  176. 			rspamd_pubkey_unref (up->key);

  177. 		}

  178. 

  179. 		g_slice_free1 (sizeof (*up), up);

  180. 	}

  181. 

  182. 	return FALSE;

  183. }

  184. 

  185. gpointer

  186. init_http_proxy (struct rspamd_config *cfg)

  187. {

  188. 	struct http_proxy_ctx *ctx;

  189. 	GQuark type;

  190. 

  191. 	type = g_quark_try_string ("http_proxy");

  192. 

  193. 	ctx = g_malloc0 (sizeof (struct http_proxy_ctx));

  194. 	ctx->timeout = 5.0;

  195. 	ctx->upstreams = g_hash_table_new (rspamd_strcase_hash, rspamd_strcase_equal);

  196. 	ctx->rotate_tm = DEFAULT_ROTATION_TIME;

  197. 	ctx->cfg = cfg;

  198. 

  199. 	rspamd_rcl_register_worker_option (cfg,

  200. 			type,

  201. 			"timeout",

  202. 			rspamd_rcl_parse_struct_time,

  203. 			ctx,

  204. 			G_STRUCT_OFFSET (struct http_proxy_ctx,

  205. 					timeout),

  206. 			RSPAMD_CL_FLAG_TIME_FLOAT,

  207. 			"IO timeout");

  208. 	rspamd_rcl_register_worker_option (cfg,

  209. 			type,

  210. 			"rotate",

  211. 			rspamd_rcl_parse_struct_time,

  212. 			ctx,

  213. 			G_STRUCT_OFFSET (struct http_proxy_ctx,

  214. 					rotate_tm),

  215. 			RSPAMD_CL_FLAG_TIME_FLOAT,

  216. 			"Rotation keys time, default: "

  217. 			G_STRINGIFY (DEFAULT_ROTATION_TIME) " seconds");

  218. 	rspamd_rcl_register_worker_option (cfg,

  219. 			type,

  220. 			"keypair",

  221. 			rspamd_rcl_parse_struct_keypair,

  222. 			ctx,

  223. 			G_STRUCT_OFFSET (struct http_proxy_ctx,

  224. 					key),

  225. 			0,

  226. 			"Server's keypair");

  227. 	rspamd_rcl_register_worker_option (cfg,

  228. 			type,

  229. 			"upstream",

  230. 			http_proxy_parse_upstream,

  231. 			ctx,

  232. 			0,

  233. 			0,

  234. 			"List of upstreams");

  235. 

  236. 	return ctx;

  237. }

  238. 

  239. static void

  240. proxy_session_cleanup (struct http_proxy_session *session)

  241. {

  242. 	rspamd_inet_address_destroy (session->client_addr);

  243. 

  244. 	if (session->backend_conn) {

  245. 		rspamd_http_connection_unref (session->backend_conn);

  246. 	}

  247. 	if (session->client_conn) {

  248. 		rspamd_http_connection_unref (session->client_conn);

  249. 	}

  250. 

  251. 	close (session->backend_sock);

  252. 	close (session->client_sock);

  253. 

  254. 	g_slice_free1 (sizeof (*session), session);

  255. }

  256. 

  257. static void

  258. proxy_client_write_error (struct http_proxy_session *session, gint code)

  259. {

  260. 	struct rspamd_http_message *reply;

  261. 

  262. 	reply = rspamd_http_new_message (HTTP_RESPONSE);

  263. 	reply->code = code;

  264. 	rspamd_http_connection_write_message (session->client_conn,

  265. 			reply, NULL, NULL, session, session->client_sock,

  266. 			&session->ctx->io_tv, session->ev_base);

  267. }

  268. 

  269. static void

  270. proxy_backend_error_handler (struct rspamd_http_connection *conn, GError *err)

  271. {

  272. 	struct http_proxy_session *session = conn->ud;

  273. 

  274. 	msg_info ("abnormally closing connection from backend: %s, error: %s",

  275. 		rspamd_inet_address_to_string (rspamd_upstream_addr (session->up)),

  276. 		err->message);

  277. 	rspamd_http_connection_reset (session->backend_conn);

  278. 	/* Terminate session immediately */

  279. 	proxy_client_write_error (session, err->code);

  280. }

  281. 

  282. static gint

  283. proxy_backend_finish_handler (struct rspamd_http_connection *conn,

  284. 	struct rspamd_http_message *msg)

  285. {

  286. 	struct http_proxy_session *session = conn->ud;

  287. 

  288. 	rspamd_http_connection_steal_msg (session->backend_conn);

  289. 	rspamd_http_message_remove_header (msg, "Content-Length");

  290. 	rspamd_http_message_remove_header (msg, "Key");

  291. 	rspamd_http_connection_reset (session->backend_conn);

  292. 	rspamd_http_connection_write_message (session->client_conn,

  293. 		msg, NULL, NULL, session, session->client_sock,

  294. 		&session->ctx->io_tv, session->ev_base);

  295. 

  296. 	return 0;

  297. }

  298. 

  299. static void

  300. proxy_client_error_handler (struct rspamd_http_connection *conn, GError *err)

  301. {

  302. 	struct http_proxy_session *session = conn->ud;

  303. 

  304. 	msg_info ("abnormally closing connection from: %s, error: %s",

  305. 		rspamd_inet_address_to_string (session->client_addr), err->message);

  306. 	/* Terminate session immediately */

  307. 	proxy_session_cleanup (session);

  308. }

  309. 

  310. static gint

  311. proxy_client_finish_handler (struct rspamd_http_connection *conn,

  312. 	struct rspamd_http_message *msg)

  313. {

  314. 	struct http_proxy_session *session = conn->ud;

  315. 	struct rspamd_http_upstream *backend = NULL;

  316. 	const rspamd_ftok_t *host;

  317. 	gchar hostbuf[512];

  318. 

  319. 	if (!session->replied) {

  320. 		host = rspamd_http_message_find_header (msg, "Host");

  321. 

  322. 		if (host == NULL) {

  323. 			backend = session->ctx->default_upstream;

  324. 		}

  325. 		else {

  326. 			rspamd_strlcpy (hostbuf, host->begin, MIN(host->len + 1, sizeof (hostbuf)));

  327. 			backend = g_hash_table_lookup (session->ctx->upstreams, hostbuf);

  328. 

  329. 			if (backend == NULL) {

  330. 				backend = session->ctx->default_upstream;

  331. 			}

  332. 		}

  333. 

  334. 		if (backend == NULL) {

  335. 			/* No backend */

  336. 			msg_err ("cannot find upstream for %s", host ? hostbuf : "default");

  337. 			goto err;

  338. 		}

  339. 		else {

  340. 			session->up = rspamd_upstream_get (backend->u,

  341. 					RSPAMD_UPSTREAM_ROUND_ROBIN, NULL, 0);

  342. 

  343. 			if (session->up == NULL) {

  344. 				msg_err ("cannot select upstream for %s", host ? hostbuf : "default");

  345. 				goto err;

  346. 			}

  347. 

  348. 			session->backend_sock = rspamd_inet_address_connect (

  349. 					rspamd_upstream_addr (session->up), SOCK_STREAM, TRUE);

  350. 

  351. 			if (session->backend_sock == -1) {

  352. 				msg_err ("cannot connect upstream for %s", host ? hostbuf : "default");

  353. 				rspamd_upstream_fail (session->up);

  354. 				goto err;

  355. 			}

  356. 

  357. 			rspamd_http_connection_steal_msg (session->client_conn);

  358. 			rspamd_http_message_remove_header (msg, "Content-Length");

  359. 			rspamd_http_message_remove_header (msg, "Key");

  360. 			rspamd_http_connection_reset (session->client_conn);

  361. 			session->backend_conn = rspamd_http_connection_new (

  362. 					NULL,

  363. 					proxy_backend_error_handler,

  364. 					proxy_backend_finish_handler,

  365. 					RSPAMD_HTTP_CLIENT_SIMPLE,

  366. 					RSPAMD_HTTP_CLIENT,

  367. 					session->ctx->keys_cache);

  368. 

  369. 			rspamd_http_connection_set_key (session->backend_conn,

  370. 					session->ctx->local_key);

  371. 			msg->peer_key = rspamd_pubkey_ref (backend->key);

  372. 			session->replied = TRUE;

  373. 

  374. 			rspamd_http_connection_write_message (session->backend_conn,

  375. 				msg, NULL, NULL, session, session->backend_sock,

  376. 				&session->ctx->io_tv, session->ev_base);

  377. 		}

  378. 	}

  379. 	else {

  380. 		proxy_session_cleanup (session);

  381. 	}

  382. 

  383. 	return 0;

  384. 

  385. err:

  386. 	session->replied = TRUE;

  387. 	proxy_client_write_error (session, 404);

  388. 

  389. 	return 0;

  390. }

  391. 

  392. static void

  393. proxy_accept_socket (gint fd, short what, void *arg)

  394. {

  395. 	struct rspamd_worker *worker = (struct rspamd_worker *) arg;

  396. 	struct http_proxy_ctx *ctx;

  397. 	rspamd_inet_addr_t *addr;

  398. 	struct http_proxy_session *session;

  399. 	gint nfd;

  400. 

  401. 	ctx = worker->ctx;

  402. 

  403. 	if ((nfd =

  404. 		rspamd_accept_from_socket (fd, &addr)) == -1) {

  405. 		msg_warn ("accept failed: %s", strerror (errno));

  406. 		return;

  407. 	}

  408. 	/* Check for EAGAIN */

  409. 	if (nfd == 0) {

  410. 		return;

  411. 	}

  412. 

  413. 	msg_info ("accepted connection from %s port %d",

  414. 		rspamd_inet_address_to_string (addr),

  415. 		rspamd_inet_address_get_port (addr));

  416. 

  417. 	session = g_slice_alloc0 (sizeof (*session));

  418. 	session->client_sock = nfd;

  419. 	session->client_addr = addr;

  420. 

  421. 	session->resolver = ctx->resolver;

  422. 

  423. 	session->client_conn = rspamd_http_connection_new (

  424. 		NULL,

  425. 		proxy_client_error_handler,

  426. 		proxy_client_finish_handler,

  427. 		0,

  428. 		RSPAMD_HTTP_SERVER,

  429. 		ctx->keys_cache);

  430. 	session->ev_base = ctx->ev_base;

  431. 	session->ctx = ctx;

  432. 

  433. 	if (ctx->key) {

  434. 		rspamd_http_connection_set_key (session->client_conn, ctx->key);

  435. 	}

  436. 

  437. 	rspamd_http_connection_read_message (session->client_conn,

  438. 		session,

  439. 		nfd,

  440. 		&ctx->io_tv,

  441. 		ctx->ev_base);

  442. }

  443. 

  444. static void

  445. proxy_rotate_key (gint fd, short what, void *arg)

  446. {

  447. 	struct timeval rot_tv;

  448. 	struct http_proxy_ctx *ctx = arg;

  449. 	gpointer kp;

  450. 

  451. 	double_to_tv (ctx->rotate_tm, &rot_tv);

  452. 	rot_tv.tv_sec += ottery_rand_range (rot_tv.tv_sec);

  453. 	event_del (&ctx->rotate_ev);

  454. 	event_add (&ctx->rotate_ev, &rot_tv);

  455. 

  456. 	kp = ctx->local_key;

  457. 	ctx->local_key = rspamd_keypair_new (RSPAMD_KEYPAIR_KEX,

  458. 			RSPAMD_CRYPTOBOX_MODE_25519);

  459. 	rspamd_keypair_unref (kp);

  460. }

  461. 

  462. void

  463. start_http_proxy (struct rspamd_worker *worker)

  464. {

  465. 	struct http_proxy_ctx *ctx = worker->ctx;

  466. 	struct timeval rot_tv;

  467. 

  468. 	ctx->ev_base = rspamd_prepare_worker (worker, "http_proxy",

  469. 			proxy_accept_socket);

  470. 

  471. 	rspamd_map_watch (worker->srv->cfg, ctx->ev_base);

  472. 

  473. 

  474. 	ctx->resolver = dns_resolver_init (worker->srv->logger,

  475. 			ctx->ev_base,

  476. 			worker->srv->cfg);

  477. 	double_to_tv (ctx->timeout, &ctx->io_tv);

  478. 

  479. 	rspamd_upstreams_library_config (worker->srv->cfg, ctx->cfg->ups_ctx,

  480. 			ctx->ev_base, ctx->resolver->r);

  481. 

  482. 	/* XXX: stupid default */

  483. 	ctx->keys_cache = rspamd_keypair_cache_new (256);

  484. 	ctx->local_key = rspamd_keypair_new (RSPAMD_KEYPAIR_KEX,

  485. 			RSPAMD_CRYPTOBOX_MODE_25519);

  486. 

  487. 	double_to_tv (ctx->rotate_tm, &rot_tv);

  488. 	rot_tv.tv_sec += ottery_rand_range (rot_tv.tv_sec);

  489. 	event_set (&ctx->rotate_ev, -1, EV_TIMEOUT, proxy_rotate_key, ctx);

  490. 	event_base_set (ctx->ev_base, &ctx->rotate_ev);

  491. 	event_add (&ctx->rotate_ev, &rot_tv);

  492. 

  493. 	event_base_loop (ctx->ev_base, 0);

  494. 	rspamd_worker_block_signals ();

  495. 

  496. 	g_mime_shutdown ();

  497. 	rspamd_log_close (worker->srv->logger);

  498. 

  499. 	if (ctx->key) {

  500. 		rspamd_keypair_unref (ctx->key);

  501. 	}

  502. 

  503. 	rspamd_keypair_cache_destroy (ctx->keys_cache);

  504. 

  505. 	exit (EXIT_SUCCESS);

  506. }