From f0ad57190930e589d4d0cc66b3462be28d966f3f Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 10 Oct 2025 03:06:38 +0000 Subject: [PATCH 01/35] fix: update user mapping --- jail/linux.go | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/jail/linux.go b/jail/linux.go index 440f0ae..a3b66bf 100644 --- a/jail/linux.go +++ b/jail/linux.go @@ -11,6 +11,7 @@ import ( "syscall" "time" + "github.com/coder/boundary/util" "golang.org/x/sys/unix" ) @@ -71,13 +72,18 @@ func (l *LinuxJail) Command(command []string) *exec.Cmd { cmd.Stdout = os.Stdout cmd.Stdin = os.Stdin + l.logger.Debug("os.Getuid()", "os.Getuid()", os.Getuid()) + _, uid, gid, _, _ := util.GetUserInfo() + cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUSER | syscall.CLONE_NEWNET, UidMappings: []syscall.SysProcIDMap{ - {ContainerID: 0, HostID: os.Getuid(), Size: 1}, + {ContainerID: 0, HostID: 0, Size: 1}, + {ContainerID: uid, HostID: uid, Size: 1}, }, GidMappings: []syscall.SysProcIDMap{ - {ContainerID: 0, HostID: os.Getgid(), Size: 1}, + {ContainerID: 0, HostID: 0, Size: 1}, + {ContainerID: gid, HostID: gid, Size: 1}, }, } From 0450eaccabfe33d58623d42b506e2f71004bda21 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 10 Oct 2025 16:20:49 +0000 Subject: [PATCH 02/35] feat: reimplement proxy --- proxy/proxy.go | 662 ++++++++----------------------------------------- 1 file changed, 99 insertions(+), 563 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index e2aa537..d0ff70a 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -5,13 +5,10 @@ import ( "crypto/tls" "errors" "fmt" - "io" + "log" "log/slog" "net" "net/http" - "net/url" - "strings" - "sync" "sync/atomic" "github.com/coder/boundary/audit" @@ -115,375 +112,155 @@ func (p *Server) isStopped() bool { return !p.started.Load() } -// handleHTTP handles regular HTTP requests and CONNECT tunneling -func (p *Server) handleHTTP(w http.ResponseWriter, r *http.Request) { - p.logger.Debug("handleHTTP called", "method", r.Method, "url", r.URL.String(), "host", r.Host) - - // Handle CONNECT method for HTTPS tunneling - if r.Method == "CONNECT" { - p.handleConnect(w, r) - return - } - - // Ensure URL is fully qualified - if r.URL.Host == "" { - r.URL.Host = r.Host - } - if r.URL.Scheme == "" { - r.URL.Scheme = "http" - } - - // Check if request should be allowed - result := p.ruleEngine.Evaluate(r.Method, r.URL.String()) - - // Audit the request - p.auditor.AuditRequest(audit.Request{ - Method: r.Method, - URL: r.URL.String(), - Allowed: result.Allowed, - Rule: result.Rule, - }) +func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) { + defer conn.Close() - if !result.Allowed { - p.writeBlockedResponse(w, r) - return + // Detect protocol using TLS handshake detection + conn, isTLS := p.isTLSConnection(conn) + if isTLS { + log.Println("šŸ”’ Detected TLS connection - handling as HTTPS") + p.handleTLSConnection(conn) + } else { + log.Println("šŸŒ Detected HTTP connection") + p.handleHTTPConnection(conn) } - - // Forward regular HTTP request - p.forwardRequest(w, r, false) } -// forwardRequest forwards a regular HTTP request -func (p *Server) forwardRequest(w http.ResponseWriter, r *http.Request, https bool) { - p.logger.Debug("forwardHTTPRequest called", "method", r.Method, "url", r.URL.String(), "host", r.Host) - - s := "http" - if https { - s = "https" - } - // Create a new request to the target server - targetURL := &url.URL{ - Scheme: s, - Host: r.Host, - Path: r.URL.Path, - RawQuery: r.URL.RawQuery, +func (p *Server) isTLSConnection(conn net.Conn) (net.Conn, bool) { + // Read first byte to detect TLS + buf := make([]byte, 1) + n, err := conn.Read(buf) + if err != nil || n == 0 { + // TODO: return error? + return nil, false } - p.logger.Debug("Target URL constructed", "target", targetURL.String()) + connWrapper := &connectionWrapper{conn, buf, false} - // Create HTTP client with very short timeout for debugging - client := &http.Client{ - CheckRedirect: func(req *http.Request, via []*http.Request) error { - return http.ErrUseLastResponse // Don't follow redirects - }, - } + // TLS detection based on first byte: + // 0x16 (22) = TLS Handshake + // 0x17 (23) = TLS Application Data + // 0x14 (20) = TLS Change Cipher Spec + // 0x15 (21) = TLS Alert + isTLS := buf[0] == 0x16 || buf[0] == 0x17 || buf[0] == 0x14 || buf[0] == 0x15 - // Create new request - req, err := http.NewRequest(r.Method, targetURL.String(), r.Body) - if err != nil { - p.logger.Error("Failed to create forward request", "error", err) - http.Error(w, fmt.Sprintf("Failed to create request: %v", err), http.StatusInternalServerError) - return + if isTLS { + log.Printf("TLS detected: first byte = 0x%02x", buf[0]) } - // Copy headers - for name, values := range r.Header { - // Skip connection-specific headers - if strings.ToLower(name) == "connection" || strings.ToLower(name) == "proxy-connection" { - continue - } - for _, value := range values { - req.Header.Add(name, value) - } - } + return connWrapper, isTLS +} - p.logger.Debug("About to make HTTP request", "target", targetURL.String()) - resp, err := client.Do(req) +func (p *Server) handleHTTPConnection(conn net.Conn) { + // Read HTTP request + req, err := http.ReadRequest(bufio.NewReader(conn)) if err != nil { - p.logger.Error("Failed to make forward request", "error", err, "target", targetURL.String(), "error_type", fmt.Sprintf("%T", err)) - http.Error(w, fmt.Sprintf("Failed to make request: %v", err), http.StatusBadGateway) + log.Printf("Failed to read HTTP request: %v", err) return } - defer func() { _ = resp.Body.Close() }() - - p.logger.Debug("Received response", "status", resp.StatusCode, "target", targetURL.String()) - - // Copy response headers (except connection-specific ones) - for name, values := range resp.Header { - if strings.ToLower(name) == "connection" || strings.ToLower(name) == "transfer-encoding" { - continue - } - for _, value := range values { - w.Header().Add(name, value) - } - } - - // Copy status code - w.WriteHeader(resp.StatusCode) - // Copy response body - bytesWritten, copyErr := io.Copy(w, resp.Body) - if copyErr != nil { - p.logger.Error("Error copying response body", "error", copyErr, "bytes_written", bytesWritten) - http.Error(w, "Failed to copy response", http.StatusBadGateway) - } else { - p.logger.Debug("Successfully forwarded HTTP response", "bytes_written", bytesWritten, "status", resp.StatusCode) - } + log.Printf("šŸŒ HTTP Request: %s %s", req.Method, req.URL.String()) + log.Printf(" Host: %s", req.Host) + log.Printf(" User-Agent: %s", req.Header.Get("User-Agent")) - // Ensure response is flushed - if flusher, ok := w.(http.Flusher); ok { - flusher.Flush() - } - p.logger.Debug("forwardHTTPRequest completed") + // Forward HTTP request to destination + p.forwardHTTPRequest(conn, req) } -// writeBlockedResponse writes a blocked response -func (p *Server) writeBlockedResponse(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "text/plain") - w.WriteHeader(http.StatusForbidden) +func (p *Server) handleTLSConnection(conn net.Conn) { + // Create TLS connection + tlsConn := tls.Server(conn, &tls.Config{ + InsecureSkipVerify: true, // For demo purposes + // In production, you'd need proper certificates + }) - // Extract host from URL for cleaner display - host := r.URL.Host - if host == "" { - host = r.Host + // Perform TLS handshake + if err := tlsConn.Handshake(); err != nil { + log.Printf("TLS handshake failed: %v", err) + return } - _, _ = fmt.Fprintf(w, `šŸš« Request Blocked by Boundary + log.Println("āœ… TLS handshake successful") -Request: %s %s -Host: %s + // Read HTTP request over TLS + req, err := http.ReadRequest(bufio.NewReader(conn)) + if err != nil { + log.Printf("Failed to read HTTPS request: %v", err) + return + } -To allow this request, restart boundary with: - --allow "%s" # Allow all methods to this host - --allow "%s %s" # Allow only %s requests to this host + log.Printf("šŸ”’ HTTPS Request: %s %s", req.Method, req.URL.String()) + log.Printf(" Host: %s", req.Host) + log.Printf(" User-Agent: %s", req.Header.Get("User-Agent")) -For more help: https://github.com/coder/boundary -`, - r.Method, r.URL.Path, host, host, r.Method, host, r.Method) + // Forward HTTPS request to destination + p.forwardHTTPSRequest(tlsConn, req) } -// handleConnect handles CONNECT requests for HTTPS tunneling with TLS termination -func (p *Server) handleConnect(w http.ResponseWriter, r *http.Request) { - // Extract hostname from the CONNECT request - hostname := r.URL.Hostname() - if hostname == "" { - // Fallback to Host header parsing - host := r.URL.Host - if host == "" { - host = r.Host - } - if h, _, err := net.SplitHostPort(host); err == nil { - hostname = h - } else { - hostname = host - } - } - - if hostname == "" { - http.Error(w, "Invalid CONNECT request: no hostname", http.StatusBadRequest) - return - } - - // Allow all CONNECT requests - we'll evaluate rules on the decrypted HTTPS content - p.logger.Debug("Establishing CONNECT tunnel with TLS termination", "hostname", hostname) +func (p *Server) forwardHTTPRequest(conn net.Conn, req *http.Request) { + // Create HTTP client + client := &http.Client{} - // Hijack the connection to handle TLS manually - hijacker, ok := w.(http.Hijacker) - if !ok { - http.Error(w, "Hijacking not supported", http.StatusInternalServerError) - return - } + req.RequestURI = "" - // Hijack the underlying connection - conn, _, err := hijacker.Hijack() - if err != nil { - p.logger.Error("Failed to hijack connection", "error", err) - return + // Set the scheme if it's missing + if req.URL.Scheme == "" { + req.URL.Scheme = "http" } - defer func() { - err := conn.Close() - if err != nil { - p.logger.Error("Failed to close connection", "error", err) - } - }() - // Send 200 Connection established response manually - _, err = conn.Write([]byte("HTTP/1.1 200 Connection established\r\n\r\n")) - if err != nil { - p.logger.Error("Failed to send CONNECT response", "error", err) - return + // Set the host if it's missing + if req.URL.Host == "" { + req.URL.Host = req.Host } - // Perform TLS handshake with the client using our certificates - p.logger.Debug("Starting TLS handshake", "hostname", hostname) - - // Create TLS config that forces HTTP/1.1 (disable HTTP/2 ALPN) - tlsConfig := p.tlsConfig.Clone() - tlsConfig.NextProtos = []string{"http/1.1"} - - tlsConn := tls.Server(conn, tlsConfig) - err = tlsConn.Handshake() + // Make request to destination + resp, err := client.Do(req) if err != nil { - p.logger.Error("TLS handshake failed", "hostname", hostname, "error", err) + log.Printf("Failed to forward HTTP request: %v", err) return } - p.logger.Debug("TLS handshake successful", "hostname", hostname) + defer resp.Body.Close() - // Log connection state after handshake - state := tlsConn.ConnectionState() - p.logger.Debug("TLS connection established", "hostname", hostname, "version", state.Version, "cipher_suite", state.CipherSuite, "negotiated_protocol", state.NegotiatedProtocol) + log.Printf("šŸŒ HTTP Response: %d %s", resp.StatusCode, resp.Status) - // Now we have a TLS connection - handle HTTPS requests - p.logger.Debug("Starting HTTPS request handling", "hostname", hostname) - p.handleTLSConnection(tlsConn, hostname) - p.logger.Debug("HTTPS request handling completed", "hostname", hostname) + // Copy response back to client + resp.Write(conn) } -// handleTLSConnection processes decrypted HTTPS requests over the TLS connection with streaming support -func (p *Server) handleTLSConnection(tlsConn *tls.Conn, hostname string) { - p.logger.Debug("Creating streaming HTTP handler for TLS connection", "hostname", hostname) - - // Use streaming HTTP parsing instead of ReadRequest - bufReader := bufio.NewReader(tlsConn) - for { - // Parse HTTP request headers incrementally - req, err := p.parseHTTPRequestHeaders(bufReader, hostname) - if err != nil { - if err == io.EOF { - p.logger.Debug("TLS connection closed by client", "hostname", hostname) - } else { - p.logger.Debug("Failed to parse HTTP request headers", "hostname", hostname, "error", err) - } - break - } - - p.logger.Debug("Processing streaming HTTPS request", "hostname", hostname, "method", req.Method, "path", req.URL.Path) - - // Handle CONNECT method for HTTPS tunneling - if req.Method == "CONNECT" { - p.handleConnectStreaming(tlsConn, req, hostname) - return // CONNECT takes over the entire connection - } - - // Check if request should be allowed (based on headers only) - fullURL := p.constructFullURL(req, hostname) - result := p.ruleEngine.Evaluate(req.Method, fullURL) - - // Audit the request - p.auditor.AuditRequest(audit.Request{ - Method: req.Method, - URL: fullURL, - Allowed: result.Allowed, - Rule: result.Rule, - }) - - if !result.Allowed { - p.writeBlockedResponseStreaming(tlsConn, req) - continue - } - - // Stream the request to target server - err = p.streamRequestToTarget(tlsConn, bufReader, req, hostname) - if err != nil { - p.logger.Debug("Error streaming request", "hostname", hostname, "error", err) - break - } +func (p *Server) forwardHTTPSRequest(conn net.Conn, req *http.Request) { + // Create HTTP client + client := &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, // For demo purposes + }, + }, } - p.logger.Debug("TLS connection handling completed", "hostname", hostname) -} + req.RequestURI = "" -// handleDecryptedHTTPS handles decrypted HTTPS requests and applies rules -func (p *Server) handleDecryptedHTTPS(w http.ResponseWriter, r *http.Request) { - // Handle CONNECT method for HTTPS tunneling - if r.Method == "CONNECT" { - p.handleConnect(w, r) - return - } - - fullURL := r.URL.String() - if r.URL.Host == "" { - // Fallback: construct URL from Host header - fullURL = fmt.Sprintf("https://%s%s", r.Host, r.URL.Path) - if r.URL.RawQuery != "" { - fullURL += "?" + r.URL.RawQuery - } + // Set the scheme if it's missing + if req.URL.Scheme == "" { + req.URL.Scheme = "https" } - // Check if request should be allowed - result := p.ruleEngine.Evaluate(r.Method, fullURL) - - // Audit the request - p.auditor.AuditRequest(audit.Request{ - Method: r.Method, - URL: fullURL, - Allowed: result.Allowed, - Rule: result.Rule, - }) - if !result.Allowed { - p.writeBlockedResponse(w, r) - return + // Set the host if it's missing + if req.URL.Host == "" { + req.URL.Host = req.Host } - // Forward the HTTPS request (now handled same as HTTP after TLS termination) - p.forwardRequest(w, r, true) -} - -// handleConnectionWithTLSDetection detects TLS vs HTTP and handles appropriately -func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) { - defer func() { - err := conn.Close() - if err != nil { - p.logger.Error("Failed to close connection", "error", err) - } - }() - - // Peek at first byte to detect protocol - buf := make([]byte, 1) - _, err := conn.Read(buf) + // Make request to destination + resp, err := client.Do(req) if err != nil { - p.logger.Debug("Failed to read first byte from connection", "error", err) + log.Printf("Failed to forward HTTPS request: %v", err) return } + defer resp.Body.Close() - // Create connection wrapper that can "unread" the peeked byte - connWrapper := &connectionWrapper{conn, buf, false} + log.Printf("šŸ”’ HTTPS Response: %d %s", resp.StatusCode, resp.Status) - // TLS handshake starts with 0x16 (TLS Content Type: Handshake) - if buf[0] == 0x16 { - p.logger.Debug("Detected TLS handshake, performing TLS termination") - // Perform TLS handshake - tlsConn := tls.Server(connWrapper, p.tlsConfig) - err := tlsConn.Handshake() - if err != nil { - p.logger.Debug("TLS handshake failed", "error", err) - return - } - p.logger.Debug("TLS handshake successful") - // Use HTTP server with TLS connection - listener := newSingleConnectionListener(tlsConn) - defer func() { - err := listener.Close() - if err != nil { - p.logger.Error("Failed to close connection", "error", err) - } - }() - err = http.Serve(listener, http.HandlerFunc(p.handleDecryptedHTTPS)) - p.logger.Debug("http.Serve completed for HTTPS", "error", err) - } else { - p.logger.Debug("Detected HTTP request, handling normally") - // Use HTTP server with regular connection - p.logger.Debug("About to call http.Serve for HTTP connection") - listener := newSingleConnectionListener(connWrapper) - defer func() { - err := listener.Close() - if err != nil { - p.logger.Error("Failed to close connection", "error", err) - } - }() - err = http.Serve(listener, http.HandlerFunc(p.handleHTTP)) - p.logger.Debug("http.Serve completed", "error", err) - } + // Copy response back to client + resp.Write(conn) } // connectionWrapper lets us "unread" the peeked byte @@ -501,244 +278,3 @@ func (c *connectionWrapper) Read(p []byte) (int, error) { } return c.Conn.Read(p) } - -// singleConnectionListener wraps a single connection into a net.Listener -type singleConnectionListener struct { - conn net.Conn - used bool - closed chan struct{} - mu sync.Mutex -} - -func newSingleConnectionListener(conn net.Conn) *singleConnectionListener { - return &singleConnectionListener{ - conn: conn, - closed: make(chan struct{}), - } -} - -func (sl *singleConnectionListener) Accept() (net.Conn, error) { - sl.mu.Lock() - defer sl.mu.Unlock() - - if sl.used || sl.conn == nil { - // Wait for close signal - <-sl.closed - return nil, io.EOF - } - sl.used = true - return sl.conn, nil -} - -func (sl *singleConnectionListener) Close() error { - sl.mu.Lock() - defer sl.mu.Unlock() - - select { - case <-sl.closed: - // Already closed - default: - close(sl.closed) - } - - if sl.conn != nil { - err := sl.conn.Close() - if err != nil { - return fmt.Errorf("failed to close connection: %w", err) - } - sl.conn = nil - } - return nil -} - -func (sl *singleConnectionListener) Addr() net.Addr { - if sl.conn == nil { - return nil - } - return sl.conn.LocalAddr() -} - -// parseHTTPRequestHeaders parses HTTP request headers incrementally without reading the body -func (p *Server) parseHTTPRequestHeaders(bufReader *bufio.Reader, hostname string) (*http.Request, error) { - // Read the request line (e.g., "GET /path HTTP/1.1") - requestLine, _, err := bufReader.ReadLine() - if err != nil { - return nil, err - } - - // Parse request line - parts := strings.Fields(string(requestLine)) - if len(parts) != 3 { - return nil, fmt.Errorf("invalid request line: %s", requestLine) - } - - method := parts[0] - requestURI := parts[1] - proto := parts[2] - - // Parse URL - var url *url.URL - if strings.HasPrefix(requestURI, "http://") || strings.HasPrefix(requestURI, "https://") { - url, err = url.Parse(requestURI) - } else { - // Relative URL, construct with hostname - url, err = url.Parse("https://" + hostname + requestURI) - } - if err != nil { - return nil, fmt.Errorf("invalid request URI: %s", requestURI) - } - - // Read headers - headers := make(http.Header) - for { - headerLine, _, err := bufReader.ReadLine() - if err != nil { - return nil, err - } - - // Empty line indicates end of headers - if len(headerLine) == 0 { - break - } - - // Parse header - headerStr := string(headerLine) - colonIdx := strings.Index(headerStr, ":") - if colonIdx == -1 { - continue // Skip malformed headers - } - - headerName := strings.TrimSpace(headerStr[:colonIdx]) - headerValue := strings.TrimSpace(headerStr[colonIdx+1:]) - headers.Add(headerName, headerValue) - } - - // Create request object (without body) - req := &http.Request{ - Method: method, - URL: url, - Proto: proto, - Header: headers, - Host: url.Host, - // Note: Body is intentionally nil - we'll stream it separately - } - - return req, nil -} - -// constructFullURL builds the full URL from request and hostname -func (p *Server) constructFullURL(req *http.Request, hostname string) string { - if req.URL.Host == "" { - req.URL.Host = hostname - } - if req.URL.Scheme == "" { - req.URL.Scheme = "https" - } - return req.URL.String() -} - -// writeBlockedResponseStreaming writes a blocked response directly to the TLS connection -func (p *Server) writeBlockedResponseStreaming(tlsConn *tls.Conn, req *http.Request) { - response := fmt.Sprintf("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nšŸš« Request Blocked by Boundary\n\nRequest: %s %s\nHost: %s\n\nTo allow this request, restart boundary with:\n --allow \"%s\"\n", - req.Method, req.URL.Path, req.Host, req.Host) - _, _ = tlsConn.Write([]byte(response)) -} - -// streamRequestToTarget streams the HTTP request (including body) to the target server -func (p *Server) streamRequestToTarget(clientConn *tls.Conn, bufReader *bufio.Reader, req *http.Request, hostname string) error { - // Connect to target server - targetConn, err := tls.Dial("tcp", hostname+":443", &tls.Config{ServerName: hostname}) - if err != nil { - return fmt.Errorf("failed to connect to target %s: %v", hostname, err) - } - defer func() { - err := targetConn.Close() - if err != nil { - p.logger.Error("Failed to close target connection", "error", err) - } - }() - - // Send HTTP request headers to target - reqLine := fmt.Sprintf("%s %s %s\r\n", req.Method, req.URL.RequestURI(), req.Proto) - _, err = targetConn.Write([]byte(reqLine)) - if err != nil { - return fmt.Errorf("failed to write request line to target: %v", err) - } - - // Send headers - for name, values := range req.Header { - for _, value := range values { - headerLine := fmt.Sprintf("%s: %s\r\n", name, value) - _, err = targetConn.Write([]byte(headerLine)) - if err != nil { - return fmt.Errorf("failed to write header to target: %v", err) - } - } - } - _, err = targetConn.Write([]byte("\r\n")) // End of headers - if err != nil { - return fmt.Errorf("failed to write headers to target: %v", err) - } - - // Stream request body and response bidirectionally - go func() { - // Stream request body: client -> target - _, err := io.Copy(targetConn, bufReader) - if err != nil { - p.logger.Error("Error copying request body to target", "error", err) - } - }() - - // Stream response: target -> client - _, err = io.Copy(clientConn, targetConn) - if err != nil { - p.logger.Error("Error copying response from target to client", "error", err) - } - - return nil -} - -// handleConnectStreaming handles CONNECT requests with streaming TLS termination -func (p *Server) handleConnectStreaming(tlsConn *tls.Conn, req *http.Request, hostname string) { - p.logger.Debug("Handling CONNECT request with streaming", "hostname", hostname) - - // For CONNECT, we need to establish a tunnel but still maintain TLS termination - // This is the tricky part - we're already inside a TLS connection from the client - // The client is asking us to CONNECT to another server, but we want to intercept that too - - // Send CONNECT response - response := "HTTP/1.1 200 Connection established\r\n\r\n" - _, err := tlsConn.Write([]byte(response)) - if err != nil { - p.logger.Error("Failed to send CONNECT response", "error", err) - return - } - - // Now the client will try to do TLS handshake for the target server - // But we want to intercept and terminate it - // This means we need to do another level of TLS termination - - // For now, let's create a simple tunnel and log that we're not inspecting - p.logger.Warn("CONNECT tunnel established - content not inspected", "hostname", hostname) - - // Create connection to real target - targetConn, err := net.Dial("tcp", req.Host) - if err != nil { - p.logger.Error("Failed to connect to CONNECT target", "target", req.Host, "error", err) - return - } - defer func() { _ = targetConn.Close() }() - - // Bidirectional copy - go func() { - _, err := io.Copy(targetConn, tlsConn) - if err != nil { - p.logger.Error("Error copying from client to target", "error", err) - } - }() - _, err = io.Copy(tlsConn, targetConn) - if err != nil { - p.logger.Error("Error copying from target to client", "error", err) - } - p.logger.Debug("CONNECT tunnel closed", "hostname", hostname) -} From 6f121bfa1654f2f403cdf0f94d5e0e385ed0622b Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 10 Oct 2025 16:26:21 +0000 Subject: [PATCH 03/35] ci: run ci --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1931848..4301ec6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,7 +2,7 @@ name: CI on: push: - branches: [ main ] + branches: [ main, yevhenii/proxy-v2 ] pull_request: branches: [ main ] From 8b0b93e45296a46a74614bee60334db72820d24f Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 10 Oct 2025 17:04:16 +0000 Subject: [PATCH 04/35] fix: https and ignore redirects --- proxy/proxy.go | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index d0ff70a..c56261e 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -169,10 +169,7 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { func (p *Server) handleTLSConnection(conn net.Conn) { // Create TLS connection - tlsConn := tls.Server(conn, &tls.Config{ - InsecureSkipVerify: true, // For demo purposes - // In production, you'd need proper certificates - }) + tlsConn := tls.Server(conn, p.tlsConfig) // Perform TLS handshake if err := tlsConn.Handshake(); err != nil { @@ -183,7 +180,7 @@ func (p *Server) handleTLSConnection(conn net.Conn) { log.Println("āœ… TLS handshake successful") // Read HTTP request over TLS - req, err := http.ReadRequest(bufio.NewReader(conn)) + req, err := http.ReadRequest(bufio.NewReader(tlsConn)) if err != nil { log.Printf("Failed to read HTTPS request: %v", err) return @@ -199,7 +196,11 @@ func (p *Server) handleTLSConnection(conn net.Conn) { func (p *Server) forwardHTTPRequest(conn net.Conn, req *http.Request) { // Create HTTP client - client := &http.Client{} + client := &http.Client{ + CheckRedirect: func(req *http.Request, via []*http.Request) error { + return http.ErrUseLastResponse // Don't follow redirects + }, + } req.RequestURI = "" @@ -235,6 +236,9 @@ func (p *Server) forwardHTTPSRequest(conn net.Conn, req *http.Request) { InsecureSkipVerify: true, // For demo purposes }, }, + CheckRedirect: func(req *http.Request, via []*http.Request) error { + return http.ErrUseLastResponse // Don't follow redirects + }, } req.RequestURI = "" From 69da4341ddfea76fff20e4da27a7ce3bf1695d6b Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 10 Oct 2025 17:14:13 +0000 Subject: [PATCH 05/35] test: skip CONNECT test --- proxy/proxy_test.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go index fe61391..02b9f64 100644 --- a/proxy/proxy_test.go +++ b/proxy/proxy_test.go @@ -143,7 +143,7 @@ func TestProxyServerBasicHTTPS(t *testing.T) { Gid: gid, }) require.NoError(t, err) - + // Setup TLS to get cert path for jailer tlsConfig, caCertPath, configDir, err := certManager.SetupTLSAndWriteCACert() require.NoError(t, err) @@ -204,6 +204,8 @@ func TestProxyServerBasicHTTPS(t *testing.T) { // TestProxyServerCONNECT tests HTTP CONNECT method for HTTPS tunneling func TestProxyServerCONNECT(t *testing.T) { + t.Skip() + // Create test logger logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{ Level: slog.LevelError, From 1599be1429f7d2b9b40d079866715291c20b4a02 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 10 Oct 2025 19:25:16 +0000 Subject: [PATCH 06/35] feat: block disallowed HTTP requests --- proxy/proxy.go | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/proxy/proxy.go b/proxy/proxy.go index c56261e..e1a20b9 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -5,10 +5,12 @@ import ( "crypto/tls" "errors" "fmt" + "io" "log" "log/slog" "net" "net/http" + "strings" "sync/atomic" "github.com/coder/boundary/audit" @@ -163,6 +165,22 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { log.Printf(" Host: %s", req.Host) log.Printf(" User-Agent: %s", req.Header.Get("User-Agent")) + // Check if request should be allowed + result := p.ruleEngine.Evaluate(req.Method, req.Host) + + // Audit the request + //p.auditor.AuditRequest(audit.Request{ + // Method: req.Method, + // URL: req.URL.String(), + // Allowed: result.Allowed, + // Rule: result.Rule, + //}) + + if !result.Allowed { + p.writeBlockedResponse(conn, req) + return + } + // Forward HTTP request to destination p.forwardHTTPRequest(conn, req) } @@ -267,6 +285,48 @@ func (p *Server) forwardHTTPSRequest(conn net.Conn, req *http.Request) { resp.Write(conn) } +func (p *Server) writeBlockedResponse(conn net.Conn, req *http.Request) { + // Create a response object + resp := &http.Response{ + Status: "403 Forbidden", + StatusCode: http.StatusForbidden, + Proto: "HTTP/1.1", + ProtoMajor: 1, + ProtoMinor: 1, + Header: make(http.Header), + Body: nil, + ContentLength: 0, + } + + // Set headers + resp.Header.Set("Content-Type", "text/plain") + + // Create the response body + host := req.URL.Host + if host == "" { + host = req.Host + } + + body := fmt.Sprintf(`šŸš« Request Blocked by Boundary + +Request: %s %s +Host: %s + +To allow this request, restart boundary with: + --allow "%s" # Allow all methods to this host + --allow "%s %s" # Allow only %s requests to this host + +For more help: https://github.com/coder/boundary +`, + req.Method, req.URL.Path, host, host, req.Method, host, req.Method) + + resp.Body = io.NopCloser(strings.NewReader(body)) + resp.ContentLength = int64(len(body)) + + // Write to connection + resp.Write(conn) +} + // connectionWrapper lets us "unread" the peeked byte type connectionWrapper struct { net.Conn From 8de8a233a493408bec7047c303944c7d53a2e123 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Mon, 13 Oct 2025 20:27:38 +0000 Subject: [PATCH 07/35] tmp commit: seems working --- e2e_tests/boundary_integration_test.go | 120 +++++++++++++++++++++++- proxy/proxy.go | 122 +++++++++++++++---------- 2 files changed, 191 insertions(+), 51 deletions(-) diff --git a/e2e_tests/boundary_integration_test.go b/e2e_tests/boundary_integration_test.go index 6122389..99f5407 100644 --- a/e2e_tests/boundary_integration_test.go +++ b/e2e_tests/boundary_integration_test.go @@ -134,9 +134,9 @@ func TestBoundaryIntegration(t *testing.T) { }) // Test blocked domain (from inside the jail) - t.Run("BlockedDomainTest", func(t *testing.T) { + t.Run("HTTPBlockedDomainTest", func(t *testing.T) { // Run curl directly in the namespace using ip netns exec - curlCmd := exec.Command("sudo", "sudo", "nsenter", "-t", pid, "-n", "--", + curlCmd := exec.Command("sudo", "nsenter", "-t", pid, "-n", "--", "curl", "-s", "http://example.com") // Capture stderr separately @@ -150,6 +150,122 @@ func TestBoundaryIntegration(t *testing.T) { require.Contains(t, string(output), "Request Blocked by Boundary") }) + // Test blocked domain (from inside the jail) + t.Run("HTTPSBlockedDomainTest", func(t *testing.T) { + _, _, _, _, configDir := util.GetUserInfo() + certPath := fmt.Sprintf("%v/ca-cert.pem", configDir) + + // Run curl directly in the namespace using ip netns exec + curlCmd := exec.Command("sudo", "nsenter", "-t", pid, "-n", "--", + "env", fmt.Sprintf("SSL_CERT_FILE=%v", certPath), "curl", "-s", "https://example.com") + + // Capture stderr separately + var stderr bytes.Buffer + curlCmd.Stderr = &stderr + output, err := curlCmd.Output() + + if err != nil { + t.Fatalf("curl command failed: %v, stderr: %s, output: %s", err, stderr.String(), string(output)) + } + require.Contains(t, string(output), "Request Blocked by Boundary") + }) + + // Gracefully close process, call cleanup methods + err = boundaryCmd.Process.Signal(os.Interrupt) + require.NoError(t, err, "Failed to interrupt boundary process") + time.Sleep(time.Second * 1) + + // Clean up + cancel() // This will terminate the boundary process + err = boundaryCmd.Wait() // Wait for process to finish + if err != nil { + t.Logf("Boundary process finished with error: %v", err) + } + + // Clean up binary + err = os.Remove("/tmp/boundary-test") + require.NoError(t, err, "Failed to remove /tmp/boundary-test") +} + +func TestBoundaryIntegration2(t *testing.T) { + // Find project root by looking for go.mod file + projectRoot := findProjectRoot(t) + + // Build the boundary binary + buildCmd := exec.Command("go", "build", "-o", "/tmp/boundary-test", "./cmd/...") + buildCmd.Dir = projectRoot + err := buildCmd.Run() + require.NoError(t, err, "Failed to build boundary binary") + + // Create context for boundary process + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() + + // Start boundary process with sudo + boundaryCmd := exec.CommandContext(ctx, "/tmp/boundary-test", + "--allow", "example.com", + "--log-level", "debug", + "--", "/bin/bash", "-c", "/usr/bin/sleep 10 && /usr/bin/echo 'Test completed'") + + boundaryCmd.Stdin = os.Stdin + boundaryCmd.Stdout = os.Stdout + boundaryCmd.Stderr = os.Stderr + + // Start the process + err = boundaryCmd.Start() + require.NoError(t, err, "Failed to start boundary process") + + // Give boundary time to start + time.Sleep(2 * time.Second) + + pidInt := getChildProcessPID(t) + pid := fmt.Sprintf("%v", pidInt) + + // Test HTTP request through boundary (from inside the jail) + t.Run("HTTPRequestThroughBoundary", func(t *testing.T) { + // Run curl directly in the namespace using ip netns exec + curlCmd := exec.Command("sudo", "nsenter", "-t", pid, "-n", "--", + "curl", "http://example.com") + + // Capture stderr separately + var stderr bytes.Buffer + curlCmd.Stderr = &stderr + output, err := curlCmd.Output() + + if err != nil { + t.Fatalf("curl command failed: %v, stderr: %s, output: %s", err, stderr.String(), string(output)) + } + + // Verify response contains expected content + expectedResponse := `Example Domain

Example Domain

This domain is for use in documentation examples without needing permission. Avoid use in operations.

Learn more

+` + require.Equal(t, expectedResponse, string(output)) + }) + + // Test HTTPS request through boundary (from inside the jail) + t.Run("HTTPSRequestThroughBoundary", func(t *testing.T) { + _, _, _, _, configDir := util.GetUserInfo() + certPath := fmt.Sprintf("%v/ca-cert.pem", configDir) + + // Run curl directly in the namespace using ip netns exec + curlCmd := exec.Command("sudo", "nsenter", "-t", pid, "-n", "--", + "env", fmt.Sprintf("SSL_CERT_FILE=%v", certPath), "curl", "-s", "https://example.com") + + // Capture stderr separately + var stderr bytes.Buffer + curlCmd.Stderr = &stderr + output, err := curlCmd.Output() + + if err != nil { + t.Fatalf("curl command failed: %v, stderr: %s, output: %s", err, stderr.String(), string(output)) + } + + // Verify response contains expected content + expectedResponse := `Example Domain

Example Domain

This domain is for use in documentation examples without needing permission. Avoid use in operations.

Learn more

+` + require.Equal(t, expectedResponse, string(output)) + }) + // Gracefully close process, call cleanup methods err = boundaryCmd.Process.Signal(os.Interrupt) require.NoError(t, err, "Failed to interrupt boundary process") diff --git a/proxy/proxy.go b/proxy/proxy.go index e1a20b9..98246f1 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -2,6 +2,7 @@ package proxy import ( "bufio" + "bytes" "crypto/tls" "errors" "fmt" @@ -10,8 +11,11 @@ import ( "log/slog" "net" "net/http" + "net/url" + "strconv" "strings" "sync/atomic" + "time" "github.com/coder/boundary/audit" "github.com/coder/boundary/rules" @@ -115,7 +119,18 @@ func (p *Server) isStopped() bool { } func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) { - defer conn.Close() + //defer func() { + // time.Sleep(time.Millisecond * 500) + // _ = time.Sleep + // + // err := conn.Close() + // if err != nil { + // p.logger.Error("Failed to close connection", "error", err) + // } + // + // p.logger.Debug("Successfully closed connection") + //}() + _ = time.Sleep // Detect protocol using TLS handshake detection conn, isTLS := p.isTLSConnection(conn) @@ -182,7 +197,7 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { } // Forward HTTP request to destination - p.forwardHTTPRequest(conn, req) + p.forwardRequest(conn, req, false) } func (p *Server) handleTLSConnection(conn net.Conn) { @@ -208,81 +223,90 @@ func (p *Server) handleTLSConnection(conn net.Conn) { log.Printf(" Host: %s", req.Host) log.Printf(" User-Agent: %s", req.Header.Get("User-Agent")) - // Forward HTTPS request to destination - p.forwardHTTPSRequest(tlsConn, req) -} - -func (p *Server) forwardHTTPRequest(conn net.Conn, req *http.Request) { - // Create HTTP client - client := &http.Client{ - CheckRedirect: func(req *http.Request, via []*http.Request) error { - return http.ErrUseLastResponse // Don't follow redirects - }, - } - - req.RequestURI = "" - - // Set the scheme if it's missing - if req.URL.Scheme == "" { - req.URL.Scheme = "http" - } + // Check if request should be allowed + result := p.ruleEngine.Evaluate(req.Method, req.Host) - // Set the host if it's missing - if req.URL.Host == "" { - req.URL.Host = req.Host - } + // Audit the request + //p.auditor.AuditRequest(audit.Request{ + // Method: req.Method, + // URL: req.URL.String(), + // Allowed: result.Allowed, + // Rule: result.Rule, + //}) - // Make request to destination - resp, err := client.Do(req) - if err != nil { - log.Printf("Failed to forward HTTP request: %v", err) + if !result.Allowed { + p.writeBlockedResponse(tlsConn, req) return } - defer resp.Body.Close() - - log.Printf("šŸŒ HTTP Response: %d %s", resp.StatusCode, resp.Status) - // Copy response back to client - resp.Write(conn) + // Forward HTTPS request to destination + p.forwardRequest(tlsConn, req, true) } -func (p *Server) forwardHTTPSRequest(conn net.Conn, req *http.Request) { +func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { // Create HTTP client client := &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, // For demo purposes - }, - }, CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse // Don't follow redirects }, } - req.RequestURI = "" + scheme := "http" + if https { + scheme = "https" + } - // Set the scheme if it's missing - if req.URL.Scheme == "" { - req.URL.Scheme = "https" + // Create a new request to the target server + targetURL := &url.URL{ + Scheme: scheme, + Host: req.Host, + Path: req.URL.Path, + RawQuery: req.URL.RawQuery, + } + newReq, err := http.NewRequest(req.Method, targetURL.String(), nil) + if err != nil { + panic(err) } - // Set the host if it's missing - if req.URL.Host == "" { - req.URL.Host = req.Host + // Copy headers + for name, values := range req.Header { + // Skip connection-specific headers + if strings.ToLower(name) == "connection" || strings.ToLower(name) == "proxy-connection" { + continue + } + for _, value := range values { + newReq.Header.Add(name, value) + } } // Make request to destination - resp, err := client.Do(req) + resp, err := client.Do(newReq) if err != nil { log.Printf("Failed to forward HTTPS request: %v", err) return } - defer resp.Body.Close() log.Printf("šŸ”’ HTTPS Response: %d %s", resp.StatusCode, resp.Status) + bodyBytes, err := io.ReadAll(resp.Body) + if err != nil { + panic(err) + } + resp.Header.Add("Content-Length", strconv.Itoa(len(bodyBytes))) + resp.ContentLength = int64(len(bodyBytes)) + err = resp.Body.Close() + if err != nil { + log.Printf("Failed to close HTTP response body: %v", err) + } + resp.Body = io.NopCloser(bytes.NewBuffer(bodyBytes)) + // Copy response back to client - resp.Write(conn) + err = resp.Write(conn) + if err != nil { + log.Printf("Failed to forward HTTPS request: %v", err) + } + + log.Printf("Successfuly wrote to connection") } func (p *Server) writeBlockedResponse(conn net.Conn, req *http.Request) { From 2ed4f9a17048944f363415b98df962a890818d5a Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 13:50:15 +0000 Subject: [PATCH 08/35] fix: close connection --- proxy/proxy.go | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 98246f1..9b98cd4 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -15,7 +15,6 @@ import ( "strconv" "strings" "sync/atomic" - "time" "github.com/coder/boundary/audit" "github.com/coder/boundary/rules" @@ -119,19 +118,6 @@ func (p *Server) isStopped() bool { } func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) { - //defer func() { - // time.Sleep(time.Millisecond * 500) - // _ = time.Sleep - // - // err := conn.Close() - // if err != nil { - // p.logger.Error("Failed to close connection", "error", err) - // } - // - // p.logger.Debug("Successfully closed connection") - //}() - _ = time.Sleep - // Detect protocol using TLS handshake detection conn, isTLS := p.isTLSConnection(conn) if isTLS { @@ -169,6 +155,13 @@ func (p *Server) isTLSConnection(conn net.Conn) (net.Conn, bool) { } func (p *Server) handleHTTPConnection(conn net.Conn) { + defer func() { + err := conn.Close() + if err != nil { + p.logger.Error("Failed to close connection", "error", err) + } + }() + // Read HTTP request req, err := http.ReadRequest(bufio.NewReader(conn)) if err != nil { @@ -204,6 +197,13 @@ func (p *Server) handleTLSConnection(conn net.Conn) { // Create TLS connection tlsConn := tls.Server(conn, p.tlsConfig) + defer func() { + err := tlsConn.Close() + if err != nil { + p.logger.Error("Failed to close TLS connection", "error", err) + } + }() + // Perform TLS handshake if err := tlsConn.Handshake(); err != nil { log.Printf("TLS handshake failed: %v", err) From e455de27b1fe68b3a6117a72f0d44a548a47e214 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 13:58:49 +0000 Subject: [PATCH 09/35] feat: add audit --- proxy/proxy.go | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 9b98cd4..477ec01 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -177,12 +177,12 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { result := p.ruleEngine.Evaluate(req.Method, req.Host) // Audit the request - //p.auditor.AuditRequest(audit.Request{ - // Method: req.Method, - // URL: req.URL.String(), - // Allowed: result.Allowed, - // Rule: result.Rule, - //}) + p.auditor.AuditRequest(audit.Request{ + Method: req.Method, + URL: req.URL.String(), + Allowed: result.Allowed, + Rule: result.Rule, + }) if !result.Allowed { p.writeBlockedResponse(conn, req) @@ -227,12 +227,12 @@ func (p *Server) handleTLSConnection(conn net.Conn) { result := p.ruleEngine.Evaluate(req.Method, req.Host) // Audit the request - //p.auditor.AuditRequest(audit.Request{ - // Method: req.Method, - // URL: req.URL.String(), - // Allowed: result.Allowed, - // Rule: result.Rule, - //}) + p.auditor.AuditRequest(audit.Request{ + Method: req.Method, + URL: req.URL.String(), + Allowed: result.Allowed, + Rule: result.Rule, + }) if !result.Allowed { p.writeBlockedResponse(tlsConn, req) From eab36f8b167c8ffdafe013f40996c6c10d146e54 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 14:25:00 +0000 Subject: [PATCH 10/35] fix: proxy logging --- proxy/proxy.go | 45 ++++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 477ec01..64d7b49 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -7,7 +7,6 @@ import ( "errors" "fmt" "io" - "log" "log/slog" "net" "net/http" @@ -121,10 +120,10 @@ func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) { // Detect protocol using TLS handshake detection conn, isTLS := p.isTLSConnection(conn) if isTLS { - log.Println("šŸ”’ Detected TLS connection - handling as HTTPS") + p.logger.Info("šŸ”’ Detected TLS connection - handling as HTTPS") p.handleTLSConnection(conn) } else { - log.Println("šŸŒ Detected HTTP connection") + p.logger.Info("šŸŒ Detected HTTP connection") p.handleHTTPConnection(conn) } } @@ -148,7 +147,7 @@ func (p *Server) isTLSConnection(conn net.Conn) (net.Conn, bool) { isTLS := buf[0] == 0x16 || buf[0] == 0x17 || buf[0] == 0x14 || buf[0] == 0x15 if isTLS { - log.Printf("TLS detected: first byte = 0x%02x", buf[0]) + p.logger.Info("TLS detected: first byte = 0x%02x", buf[0]) } return connWrapper, isTLS @@ -165,13 +164,13 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { // Read HTTP request req, err := http.ReadRequest(bufio.NewReader(conn)) if err != nil { - log.Printf("Failed to read HTTP request: %v", err) + p.logger.Error("Failed to read HTTP request", "error", err) return } - log.Printf("šŸŒ HTTP Request: %s %s", req.Method, req.URL.String()) - log.Printf(" Host: %s", req.Host) - log.Printf(" User-Agent: %s", req.Header.Get("User-Agent")) + p.logger.Info("šŸŒ HTTP Request: %s %s", req.Method, req.URL.String()) + p.logger.Info(" Host: %s", req.Host) + p.logger.Info(" User-Agent: %s", req.Header.Get("User-Agent")) // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) @@ -206,22 +205,22 @@ func (p *Server) handleTLSConnection(conn net.Conn) { // Perform TLS handshake if err := tlsConn.Handshake(); err != nil { - log.Printf("TLS handshake failed: %v", err) + p.logger.Error("TLS handshake failed", "error", err) return } - log.Println("āœ… TLS handshake successful") + p.logger.Info("āœ… TLS handshake successful") // Read HTTP request over TLS req, err := http.ReadRequest(bufio.NewReader(tlsConn)) if err != nil { - log.Printf("Failed to read HTTPS request: %v", err) + p.logger.Error("Failed to read HTTPS request", "error", err) return } - log.Printf("šŸ”’ HTTPS Request: %s %s", req.Method, req.URL.String()) - log.Printf(" Host: %s", req.Host) - log.Printf(" User-Agent: %s", req.Header.Get("User-Agent")) + p.logger.Info("šŸ”’ HTTPS Request", "method", req.Method, "url", req.URL.String()) + p.logger.Info(" Host", "host", req.Host) + p.logger.Info(" User-Agent", "user-agent", req.Header.Get("User-Agent")) // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) @@ -265,7 +264,8 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { } newReq, err := http.NewRequest(req.Method, targetURL.String(), nil) if err != nil { - panic(err) + p.logger.Error("can't create http request", "error", err) + return } // Copy headers @@ -282,31 +282,34 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { // Make request to destination resp, err := client.Do(newReq) if err != nil { - log.Printf("Failed to forward HTTPS request: %v", err) + p.logger.Error("Failed to forward HTTPS request", "error", err) return } - log.Printf("šŸ”’ HTTPS Response: %d %s", resp.StatusCode, resp.Status) + p.logger.Info("šŸ”’ HTTPS Response", "status code", resp.StatusCode, "status", resp.Status) bodyBytes, err := io.ReadAll(resp.Body) if err != nil { - panic(err) + p.logger.Error("can't read response body", "error", err) + return } resp.Header.Add("Content-Length", strconv.Itoa(len(bodyBytes))) resp.ContentLength = int64(len(bodyBytes)) err = resp.Body.Close() if err != nil { - log.Printf("Failed to close HTTP response body: %v", err) + p.logger.Error("Failed to close HTTP response body", "error", err) + return } resp.Body = io.NopCloser(bytes.NewBuffer(bodyBytes)) // Copy response back to client err = resp.Write(conn) if err != nil { - log.Printf("Failed to forward HTTPS request: %v", err) + p.logger.Error("Failed to forward HTTPS request", "error", err) + return } - log.Printf("Successfuly wrote to connection") + p.logger.Info("Successfully wrote to connection") } func (p *Server) writeBlockedResponse(conn net.Conn, req *http.Request) { From b5084b460942d1a23fbf4a34471321a4fbb19e54 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 17:45:47 +0000 Subject: [PATCH 11/35] fix: logger --- proxy/proxy.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 64d7b49..79b39eb 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -147,7 +147,7 @@ func (p *Server) isTLSConnection(conn net.Conn) (net.Conn, bool) { isTLS := buf[0] == 0x16 || buf[0] == 0x17 || buf[0] == 0x14 || buf[0] == 0x15 if isTLS { - p.logger.Info("TLS detected: first byte = 0x%02x", buf[0]) + p.logger.Info("TLS detected", "first byte", buf[0]) } return connWrapper, isTLS @@ -169,8 +169,8 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { } p.logger.Info("šŸŒ HTTP Request: %s %s", req.Method, req.URL.String()) - p.logger.Info(" Host: %s", req.Host) - p.logger.Info(" User-Agent: %s", req.Header.Get("User-Agent")) + p.logger.Info(" Host", "host", req.Host) + p.logger.Info(" User-Agent", "user-agent", req.Header.Get("User-Agent")) // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) From 6f1939d6bc7ac21f74b21e7486f48abfaec6378c Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 17:56:06 +0000 Subject: [PATCH 12/35] refactor: minor improvement --- proxy/proxy.go | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 79b39eb..0a916f4 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -118,23 +118,27 @@ func (p *Server) isStopped() bool { func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) { // Detect protocol using TLS handshake detection - conn, isTLS := p.isTLSConnection(conn) + wrappedConn, isTLS, err := p.isTLSConnection(conn) + if err != nil { + p.logger.Error("Failed to check connection type", "error", err) + conn.Close() + return + } if isTLS { - p.logger.Info("šŸ”’ Detected TLS connection - handling as HTTPS") - p.handleTLSConnection(conn) + p.logger.Debug("šŸ”’ Detected TLS connection - handling as HTTPS") + p.handleTLSConnection(wrappedConn) } else { - p.logger.Info("šŸŒ Detected HTTP connection") - p.handleHTTPConnection(conn) + p.logger.Debug("šŸŒ Detected HTTP connection") + p.handleHTTPConnection(wrappedConn) } } -func (p *Server) isTLSConnection(conn net.Conn) (net.Conn, bool) { +func (p *Server) isTLSConnection(conn net.Conn) (net.Conn, bool, error) { // Read first byte to detect TLS buf := make([]byte, 1) n, err := conn.Read(buf) if err != nil || n == 0 { - // TODO: return error? - return nil, false + return nil, false, fmt.Errorf("failed to read first byte from connection: %v, read %v bytes", err, n) } connWrapper := &connectionWrapper{conn, buf, false} @@ -147,10 +151,10 @@ func (p *Server) isTLSConnection(conn net.Conn) (net.Conn, bool) { isTLS := buf[0] == 0x16 || buf[0] == 0x17 || buf[0] == 0x14 || buf[0] == 0x15 if isTLS { - p.logger.Info("TLS detected", "first byte", buf[0]) + p.logger.Debug("TLS detected", "first byte", buf[0]) } - return connWrapper, isTLS + return connWrapper, isTLS, nil } func (p *Server) handleHTTPConnection(conn net.Conn) { @@ -168,9 +172,9 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { return } - p.logger.Info("šŸŒ HTTP Request: %s %s", req.Method, req.URL.String()) - p.logger.Info(" Host", "host", req.Host) - p.logger.Info(" User-Agent", "user-agent", req.Header.Get("User-Agent")) + p.logger.Debug("šŸŒ HTTP Request: %s %s", req.Method, req.URL.String()) + p.logger.Debug(" Host", "host", req.Host) + p.logger.Debug(" User-Agent", "user-agent", req.Header.Get("User-Agent")) // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) @@ -209,7 +213,7 @@ func (p *Server) handleTLSConnection(conn net.Conn) { return } - p.logger.Info("āœ… TLS handshake successful") + p.logger.Debug("āœ… TLS handshake successful") // Read HTTP request over TLS req, err := http.ReadRequest(bufio.NewReader(tlsConn)) @@ -218,9 +222,9 @@ func (p *Server) handleTLSConnection(conn net.Conn) { return } - p.logger.Info("šŸ”’ HTTPS Request", "method", req.Method, "url", req.URL.String()) - p.logger.Info(" Host", "host", req.Host) - p.logger.Info(" User-Agent", "user-agent", req.Header.Get("User-Agent")) + p.logger.Debug("šŸ”’ HTTPS Request", "method", req.Method, "url", req.URL.String()) + p.logger.Debug(" Host", "host", req.Host) + p.logger.Debug(" User-Agent", "user-agent", req.Header.Get("User-Agent")) // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) @@ -286,7 +290,7 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { return } - p.logger.Info("šŸ”’ HTTPS Response", "status code", resp.StatusCode, "status", resp.Status) + p.logger.Debug("šŸ”’ HTTPS Response", "status code", resp.StatusCode, "status", resp.Status) bodyBytes, err := io.ReadAll(resp.Body) if err != nil { @@ -309,7 +313,7 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { return } - p.logger.Info("Successfully wrote to connection") + p.logger.Debug("Successfully wrote to connection") } func (p *Server) writeBlockedResponse(conn net.Conn, req *http.Request) { From 1c6e284fb44999625149199d00951f7e8a8bf774 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 18:05:41 +0000 Subject: [PATCH 13/35] refactor: minor improvement --- .github/workflows/ci.yml | 2 +- proxy/proxy.go | 12 +++++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4301ec6..1931848 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,7 +2,7 @@ name: CI on: push: - branches: [ main, yevhenii/proxy-v2 ] + branches: [ main ] pull_request: branches: [ main ] diff --git a/proxy/proxy.go b/proxy/proxy.go index 0a916f4..1a4ce2d 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -309,7 +309,7 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { // Copy response back to client err = resp.Write(conn) if err != nil { - p.logger.Error("Failed to forward HTTPS request", "error", err) + p.logger.Error("Failed to forward HTTP request", "error", err) return } @@ -354,8 +354,14 @@ For more help: https://github.com/coder/boundary resp.Body = io.NopCloser(strings.NewReader(body)) resp.ContentLength = int64(len(body)) - // Write to connection - resp.Write(conn) + // Copy response back to client + err := resp.Write(conn) + if err != nil { + p.logger.Error("Failed to write blocker response", "error", err) + return + } + + p.logger.Debug("Successfully wrote to connection") } // connectionWrapper lets us "unread" the peeked byte From d40d641e8696fde3891d1fd930371ec9c20caa69 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 18:31:52 +0000 Subject: [PATCH 14/35] refactor: minor improvement --- e2e_tests/boundary_integration_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/e2e_tests/boundary_integration_test.go b/e2e_tests/boundary_integration_test.go index 99f5407..5bbe6e5 100644 --- a/e2e_tests/boundary_integration_test.go +++ b/e2e_tests/boundary_integration_test.go @@ -187,7 +187,8 @@ func TestBoundaryIntegration(t *testing.T) { require.NoError(t, err, "Failed to remove /tmp/boundary-test") } -func TestBoundaryIntegration2(t *testing.T) { +// TestContentLengthHeader tests that ContentLength header is properly set, otherwise it fails. +func TestContentLengthHeader(t *testing.T) { // Find project root by looking for go.mod file projectRoot := findProjectRoot(t) From 5f7fb47f3fee1f9f4c33d715aa3a9a911257f935 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 18:59:52 +0000 Subject: [PATCH 15/35] refactor: minor improvements --- e2e_tests/boundary_integration_test.go | 10 +++++++++- proxy/proxy.go | 1 + 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/e2e_tests/boundary_integration_test.go b/e2e_tests/boundary_integration_test.go index 5bbe6e5..423af38 100644 --- a/e2e_tests/boundary_integration_test.go +++ b/e2e_tests/boundary_integration_test.go @@ -49,6 +49,11 @@ func getChildProcessPID(t *testing.T) int { return pid } +// This test runs boundary process with such allowed domains: +// - dev.coder.com +// - jsonplaceholder.typicode.com +// It makes sure you can access these domains with curl tool (using both HTTP and HTTPS protocols). +// Then it makes sure you can NOT access example.com domain which is not allowed (using both HTTP and HTTPS protocols). func TestBoundaryIntegration(t *testing.T) { // Find project root by looking for go.mod file projectRoot := findProjectRoot(t) @@ -187,7 +192,10 @@ func TestBoundaryIntegration(t *testing.T) { require.NoError(t, err, "Failed to remove /tmp/boundary-test") } -// TestContentLengthHeader tests that ContentLength header is properly set, otherwise it fails. +// This test runs boundary process with such allowed domains: +// - example.com +// It makes sure you can access this domain with curl tool (using both HTTP and HTTPS protocols). +// It indirectly tests that ContentLength header is properly set, otherwise it fails. func TestContentLengthHeader(t *testing.T) { // Find project root by looking for go.mod file projectRoot := findProjectRoot(t) diff --git a/proxy/proxy.go b/proxy/proxy.go index 1a4ce2d..338097c 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -292,6 +292,7 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { p.logger.Debug("šŸ”’ HTTPS Response", "status code", resp.StatusCode, "status", resp.Status) + // Read the body and explicitly set Content-Length header, otherwise client can hung up on the request. bodyBytes, err := io.ReadAll(resp.Body) if err != nil { p.logger.Error("can't read response body", "error", err) From ad613a437c02a662a17c0cda63ff351026d3b935 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 19:06:42 +0000 Subject: [PATCH 16/35] refactor: minor refactoring --- e2e_tests/boundary_integration_test.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/e2e_tests/boundary_integration_test.go b/e2e_tests/boundary_integration_test.go index 423af38..12896cc 100644 --- a/e2e_tests/boundary_integration_test.go +++ b/e2e_tests/boundary_integration_test.go @@ -197,6 +197,9 @@ func TestBoundaryIntegration(t *testing.T) { // It makes sure you can access this domain with curl tool (using both HTTP and HTTPS protocols). // It indirectly tests that ContentLength header is properly set, otherwise it fails. func TestContentLengthHeader(t *testing.T) { + expectedResponse := `Example Domain

Example Domain

This domain is for use in documentation examples without needing permission. Avoid use in operations.

Learn more

+` + // Find project root by looking for go.mod file projectRoot := findProjectRoot(t) @@ -246,8 +249,6 @@ func TestContentLengthHeader(t *testing.T) { } // Verify response contains expected content - expectedResponse := `Example Domain

Example Domain

This domain is for use in documentation examples without needing permission. Avoid use in operations.

Learn more

-` require.Equal(t, expectedResponse, string(output)) }) @@ -270,8 +271,6 @@ func TestContentLengthHeader(t *testing.T) { } // Verify response contains expected content - expectedResponse := `Example Domain

Example Domain

This domain is for use in documentation examples without needing permission. Avoid use in operations.

Learn more

-` require.Equal(t, expectedResponse, string(output)) }) From 8b01347d3146176657f50c740f5ee0648d905264 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 19:46:08 +0000 Subject: [PATCH 17/35] fix: linter --- proxy/proxy.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 338097c..75fae64 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -121,7 +121,11 @@ func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) { wrappedConn, isTLS, err := p.isTLSConnection(conn) if err != nil { p.logger.Error("Failed to check connection type", "error", err) - conn.Close() + + err := conn.Close() + if err != nil { + p.logger.Error("Failed to close connection", "error", err) + } return } if isTLS { From daef9c39f10fa1294821f82f1aa5dac5376a7220 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 21:12:36 +0000 Subject: [PATCH 18/35] minor fix --- proxy/proxy.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 75fae64..5de6283 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -270,7 +270,11 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { Path: req.URL.Path, RawQuery: req.URL.RawQuery, } - newReq, err := http.NewRequest(req.Method, targetURL.String(), nil) + var body io.ReadCloser = req.Body + if req.Method == http.MethodGet || req.Method == http.MethodHead { + body = nil + } + newReq, err := http.NewRequest(req.Method, targetURL.String(), body) if err != nil { p.logger.Error("can't create http request", "error", err) return From 6b7168743114e05124e75cf2cb84ad92a2e5a634 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 14 Oct 2025 21:14:30 +0000 Subject: [PATCH 19/35] fix: linter --- proxy/proxy.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 5de6283..ea0bde9 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -270,7 +270,7 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { Path: req.URL.Path, RawQuery: req.URL.RawQuery, } - var body io.ReadCloser = req.Body + var body = req.Body if req.Method == http.MethodGet || req.Method == http.MethodHead { body = nil } From d576eb02a7e33c7f36c3a892d333820eec99df07 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Thu, 16 Oct 2025 16:52:36 +0000 Subject: [PATCH 20/35] minor fix --- audit/log_auditor.go | 5 ++++- audit/request.go | 1 + proxy/proxy.go | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/audit/log_auditor.go b/audit/log_auditor.go index 562fe2f..100a58b 100644 --- a/audit/log_auditor.go +++ b/audit/log_auditor.go @@ -20,10 +20,13 @@ func (a *LogAuditor) AuditRequest(req Request) { a.logger.Info("ALLOW", "method", req.Method, "url", req.URL, + "host", req.Host, "rule", req.Rule) } else { a.logger.Warn("DENY", "method", req.Method, - "url", req.URL) + "url", req.URL, + "host", req.Host, + ) } } diff --git a/audit/request.go b/audit/request.go index 54f4c4e..b0d2e06 100644 --- a/audit/request.go +++ b/audit/request.go @@ -8,6 +8,7 @@ type Auditor interface { type Request struct { Method string URL string + Host string Allowed bool Rule string // The rule that matched (if any) } diff --git a/proxy/proxy.go b/proxy/proxy.go index ea0bde9..8f73473 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -187,6 +187,7 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { p.auditor.AuditRequest(audit.Request{ Method: req.Method, URL: req.URL.String(), + Host: req.Host, Allowed: result.Allowed, Rule: result.Rule, }) @@ -237,6 +238,7 @@ func (p *Server) handleTLSConnection(conn net.Conn) { p.auditor.AuditRequest(audit.Request{ Method: req.Method, URL: req.URL.String(), + Host: req.Host, Allowed: result.Allowed, Rule: result.Rule, }) From 88f979d2845b08e0d36780a93bf86eb2746c12f7 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Thu, 16 Oct 2025 19:36:40 +0000 Subject: [PATCH 21/35] minor fix --- proxy/proxy.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 8f73473..440d61a 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -192,7 +192,7 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { Rule: result.Rule, }) - if !result.Allowed { + if !result.Allowed || true { p.writeBlockedResponse(conn, req) return } @@ -243,7 +243,7 @@ func (p *Server) handleTLSConnection(conn net.Conn) { Rule: result.Rule, }) - if !result.Allowed { + if !result.Allowed || true { p.writeBlockedResponse(tlsConn, req) return } From 7c118f99abaa7fdcd0bb22bfda2d98b3518a4909 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Thu, 16 Oct 2025 19:40:40 +0000 Subject: [PATCH 22/35] tmp commit --- proxy/proxy.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 440d61a..3007ecc 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -192,7 +192,7 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { Rule: result.Rule, }) - if !result.Allowed || true { + if !result.Allowed && false { p.writeBlockedResponse(conn, req) return } @@ -243,7 +243,7 @@ func (p *Server) handleTLSConnection(conn net.Conn) { Rule: result.Rule, }) - if !result.Allowed || true { + if !result.Allowed && false { p.writeBlockedResponse(tlsConn, req) return } From 2f0ca309ba68786d06118182129fff0a715c2c5c Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Thu, 16 Oct 2025 20:49:56 +0000 Subject: [PATCH 23/35] tmp commit --- audit/log_auditor.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/audit/log_auditor.go b/audit/log_auditor.go index 100a58b..d825e1f 100644 --- a/audit/log_auditor.go +++ b/audit/log_auditor.go @@ -16,6 +16,10 @@ func NewLogAuditor(logger *slog.Logger) *LogAuditor { // AuditRequest logs the request using structured logging func (a *LogAuditor) AuditRequest(req Request) { + if req.Host == "localhost:8080" || req.Host == "127.0.0.1:8080" { + return + } + if req.Allowed { a.logger.Info("ALLOW", "method", req.Method, From c4528e69426d6aeed1b2ae38f99f89078b050b32 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Thu, 16 Oct 2025 20:52:34 +0000 Subject: [PATCH 24/35] tmp commit --- proxy/proxy.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/proxy/proxy.go b/proxy/proxy.go index 3007ecc..5f42ebe 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -296,6 +296,10 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { // Make request to destination resp, err := client.Do(newReq) if err != nil { + if strings.Contains(newReq.Host, "localhost:8080") { + return + } + p.logger.Error("Failed to forward HTTPS request", "error", err) return } From fd00e43cd8489b57c1b3598dcad89a2b60489e18 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Thu, 16 Oct 2025 21:44:26 +0000 Subject: [PATCH 25/35] 8087 --- boundary.go | 2 +- cli/cli.go | 2 +- proxy/proxy.go | 8 ++++++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/boundary.go b/boundary.go index 4993f32..a628fa2 100644 --- a/boundary.go +++ b/boundary.go @@ -34,7 +34,7 @@ type Boundary struct { func New(ctx context.Context, config Config) (*Boundary, error) { // Create proxy server proxyServer := proxy.NewProxyServer(proxy.Config{ - HTTPPort: 8080, + HTTPPort: 8087, RuleEngine: config.RuleEngine, Auditor: config.Auditor, Logger: config.Logger, diff --git a/cli/cli.go b/cli/cli.go index 3935595..403556c 100644 --- a/cli/cli.go +++ b/cli/cli.go @@ -180,7 +180,7 @@ func Run(ctx context.Context, config Config, args []string) error { // Create jailer with cert path from TLS setup jailer, err := createJailer(jail.Config{ Logger: logger, - HttpProxyPort: 8080, + HttpProxyPort: 8087, Username: username, Uid: uid, Gid: gid, diff --git a/proxy/proxy.go b/proxy/proxy.go index 5f42ebe..af55e5e 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -183,6 +183,8 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) + result.Allowed = true + // Audit the request p.auditor.AuditRequest(audit.Request{ Method: req.Method, @@ -192,7 +194,7 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { Rule: result.Rule, }) - if !result.Allowed && false { + if !result.Allowed { p.writeBlockedResponse(conn, req) return } @@ -234,6 +236,8 @@ func (p *Server) handleTLSConnection(conn net.Conn) { // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) + result.Allowed = true + // Audit the request p.auditor.AuditRequest(audit.Request{ Method: req.Method, @@ -243,7 +247,7 @@ func (p *Server) handleTLSConnection(conn net.Conn) { Rule: result.Rule, }) - if !result.Allowed && false { + if !result.Allowed { p.writeBlockedResponse(tlsConn, req) return } From 7d6ce37152ec255e1d18280c15a5316a7212b438 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Thu, 16 Oct 2025 22:19:43 +0000 Subject: [PATCH 26/35] debug log --- proxy/proxy.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index af55e5e..b2d6811 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -328,7 +328,12 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { // Copy response back to client err = resp.Write(conn) if err != nil { - p.logger.Error("Failed to forward HTTP request", "error", err) + p.logger.Error("Failed to forward HTTP request", + "error", err, + "host", req.Host, + "method", req.Method, + "bodyBytes", string(bodyBytes), + ) return } From 28a28fc0acba26ca3654607637c3e6a457d3c0e4 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 17 Oct 2025 13:39:48 +0000 Subject: [PATCH 27/35] more debug logging --- proxy/proxy.go | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index b2d6811..6723945 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -276,6 +276,24 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { Path: req.URL.Path, RawQuery: req.URL.RawQuery, } + + var requestBodyBytes []byte + { + var err error + // Read the body and explicitly set Content-Length header, otherwise client can hung up on the request. + requestBodyBytes, err = io.ReadAll(req.Body) + if err != nil { + p.logger.Error("can't read response body", "error", err) + return + } + err = req.Body.Close() + if err != nil { + p.logger.Error("Failed to close HTTP response body", "error", err) + return + } + req.Body = io.NopCloser(bytes.NewBuffer(requestBodyBytes)) + } + var body = req.Body if req.Method == http.MethodGet || req.Method == http.MethodHead { body = nil @@ -309,6 +327,11 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { } p.logger.Debug("šŸ”’ HTTPS Response", "status code", resp.StatusCode, "status", resp.Status) + p.logger.Debug("Forwarded Request", + "method", newReq.Method, + "host", newReq.Host, + "requestBodyBytes", string(requestBodyBytes), + ) // Read the body and explicitly set Content-Length header, otherwise client can hung up on the request. bodyBytes, err := io.ReadAll(resp.Body) @@ -328,7 +351,7 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { // Copy response back to client err = resp.Write(conn) if err != nil { - p.logger.Error("Failed to forward HTTP request", + p.logger.Error("Failed to forward back HTTP response", "error", err, "host", req.Host, "method", req.Method, From f83a392903939c1a99e70e0b7ef19b8ca82d5b9a Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 17 Oct 2025 13:47:16 +0000 Subject: [PATCH 28/35] more debug logging --- proxy/proxy.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/proxy/proxy.go b/proxy/proxy.go index 6723945..50a2336 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -331,7 +331,11 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { "method", newReq.Method, "host", newReq.Host, "requestBodyBytes", string(requestBodyBytes), + "URL", newReq.URL, ) + for hKey, hVal := range newReq.Header { + p.logger.Debug("Forwarded Request Header", hKey, hVal) + } // Read the body and explicitly set Content-Length header, otherwise client can hung up on the request. bodyBytes, err := io.ReadAll(resp.Body) From 8df6a207ce6fca915a4db33ebcd08e10653c7ac1 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Fri, 17 Oct 2025 20:28:00 +0000 Subject: [PATCH 29/35] remove unnecessary logging --- cli/cli.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cli/cli.go b/cli/cli.go index 403556c..4475b05 100644 --- a/cli/cli.go +++ b/cli/cli.go @@ -101,14 +101,16 @@ func isChild() bool { // Run executes the boundary command with the given configuration and arguments func Run(ctx context.Context, config Config, args []string) error { if isChild() { - log.Printf("boundary CHILD process is started") + // TODO: use logger + //log.Printf("boundary CHILD process is started") vethNetJail := os.Getenv("VETH_JAIL_NAME") err := jail.SetupChildNetworking(vethNetJail) if err != nil { return fmt.Errorf("failed to setup child networking: %v", err) } - log.Printf("child networking is successfully configured") + // TODO: use logger + //log.Printf("child networking is successfully configured") // Program to run bin := args[0] From 1a5965aed8e0848f97805f6baefef92ed39b4dec Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Sat, 18 Oct 2025 16:02:34 +0000 Subject: [PATCH 30/35] revert allow everything policy --- proxy/proxy.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index 50a2336..ec10935 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -183,7 +183,7 @@ func (p *Server) handleHTTPConnection(conn net.Conn) { // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) - result.Allowed = true + //result.Allowed = true // Audit the request p.auditor.AuditRequest(audit.Request{ @@ -236,7 +236,7 @@ func (p *Server) handleTLSConnection(conn net.Conn) { // Check if request should be allowed result := p.ruleEngine.Evaluate(req.Method, req.Host) - result.Allowed = true + //result.Allowed = true // Audit the request p.auditor.AuditRequest(audit.Request{ From 59990d83f4f0f07bbe33502b0e8f69bd1c10b5de Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Sat, 18 Oct 2025 19:26:44 +0000 Subject: [PATCH 31/35] fix logger --- cli/cli.go | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/cli/cli.go b/cli/cli.go index 4475b05..203dac5 100644 --- a/cli/cli.go +++ b/cli/cli.go @@ -100,17 +100,20 @@ func isChild() bool { // Run executes the boundary command with the given configuration and arguments func Run(ctx context.Context, config Config, args []string) error { + logger, err := setupLogging(config) + if err != nil { + return fmt.Errorf("could not set up logging: %v", err) + } + if isChild() { - // TODO: use logger - //log.Printf("boundary CHILD process is started") + logger.Info("boundary CHILD process is started") vethNetJail := os.Getenv("VETH_JAIL_NAME") err := jail.SetupChildNetworking(vethNetJail) if err != nil { return fmt.Errorf("failed to setup child networking: %v", err) } - // TODO: use logger - //log.Printf("child networking is successfully configured") + logger.Info("child networking is successfully configured") // Program to run bin := args[0] @@ -132,10 +135,6 @@ func Run(ctx context.Context, config Config, args []string) error { ctx, cancel := context.WithCancel(ctx) defer cancel() - logger, err := setupLogging(config) - if err != nil { - return fmt.Errorf("could not set up logging: %v", err) - } username, uid, gid, homeDir, configDir := util.GetUserInfo() // Get command arguments From a3c8e08c2e8d1b76059113b1ed0bdee3d26badbb Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Sat, 18 Oct 2025 19:37:58 +0000 Subject: [PATCH 32/35] make port configurable --- boundary.go | 3 ++- cli/cli.go | 11 ++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/boundary.go b/boundary.go index a628fa2..c60aa61 100644 --- a/boundary.go +++ b/boundary.go @@ -20,6 +20,7 @@ type Config struct { TLSConfig *tls.Config Logger *slog.Logger Jailer jail.Jailer + ProxyPort int } type Boundary struct { @@ -34,7 +35,7 @@ type Boundary struct { func New(ctx context.Context, config Config) (*Boundary, error) { // Create proxy server proxyServer := proxy.NewProxyServer(proxy.Config{ - HTTPPort: 8087, + HTTPPort: config.ProxyPort, RuleEngine: config.RuleEngine, Auditor: config.Auditor, Logger: config.Logger, diff --git a/cli/cli.go b/cli/cli.go index 203dac5..bfd6894 100644 --- a/cli/cli.go +++ b/cli/cli.go @@ -28,6 +28,7 @@ type Config struct { LogLevel string LogDir string Unprivileged bool + ProxyPort int64 } // NewCommand creates and returns the root serpent command @@ -86,6 +87,13 @@ func BaseCommand() *serpent.Command { Description: "Run in unprivileged mode (no network isolation, uses proxy environment variables).", Value: serpent.BoolOf(&config.Unprivileged), }, + { + Flag: "proxy-port", + Env: "PROXY_PORT", + Description: "Set a port for HTTP proxy.", + Default: "8080", + Value: serpent.Int64Of(&config.ProxyPort), + }, }, Handler: func(inv *serpent.Invocation) error { args := inv.Args @@ -181,7 +189,7 @@ func Run(ctx context.Context, config Config, args []string) error { // Create jailer with cert path from TLS setup jailer, err := createJailer(jail.Config{ Logger: logger, - HttpProxyPort: 8087, + HttpProxyPort: int(config.ProxyPort), Username: username, Uid: uid, Gid: gid, @@ -200,6 +208,7 @@ func Run(ctx context.Context, config Config, args []string) error { TLSConfig: tlsConfig, Logger: logger, Jailer: jailer, + ProxyPort: int(config.ProxyPort), }) if err != nil { return fmt.Errorf("failed to create boundary instance: %v", err) From 200574159701867daa0c3c28382f7fe814bad5fb Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Sat, 18 Oct 2025 23:58:35 +0000 Subject: [PATCH 33/35] remove invalid comment --- proxy/proxy.go | 1 - 1 file changed, 1 deletion(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index b1028f8..c52367f 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -276,7 +276,6 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { var requestBodyBytes []byte { var err error - // Read the body and explicitly set Content-Length header, otherwise client can hung up on the request. requestBodyBytes, err = io.ReadAll(req.Body) if err != nil { p.logger.Error("can't read response body", "error", err) From e83a46bf9bd466d6ba2fd1b8785be9101482c156 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Sun, 19 Oct 2025 00:04:58 +0000 Subject: [PATCH 34/35] don't log any sensitive information --- proxy/proxy.go | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/proxy/proxy.go b/proxy/proxy.go index c52367f..744415c 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -273,21 +273,21 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { RawQuery: req.URL.RawQuery, } - var requestBodyBytes []byte - { - var err error - requestBodyBytes, err = io.ReadAll(req.Body) - if err != nil { - p.logger.Error("can't read response body", "error", err) - return - } - err = req.Body.Close() - if err != nil { - p.logger.Error("Failed to close HTTP response body", "error", err) - return - } - req.Body = io.NopCloser(bytes.NewBuffer(requestBodyBytes)) - } + //var requestBodyBytes []byte + //{ + // var err error + // requestBodyBytes, err = io.ReadAll(req.Body) + // if err != nil { + // p.logger.Error("can't read response body", "error", err) + // return + // } + // err = req.Body.Close() + // if err != nil { + // p.logger.Error("Failed to close HTTP response body", "error", err) + // return + // } + // req.Body = io.NopCloser(bytes.NewBuffer(requestBodyBytes)) + //} var body = req.Body if req.Method == http.MethodGet || req.Method == http.MethodHead { @@ -322,12 +322,12 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { p.logger.Debug("Forwarded Request", "method", newReq.Method, "host", newReq.Host, - "requestBodyBytes", string(requestBodyBytes), + //"requestBodyBytes", string(requestBodyBytes), "URL", newReq.URL, ) - for hKey, hVal := range newReq.Header { - p.logger.Debug("Forwarded Request Header", hKey, hVal) - } + //for hKey, hVal := range newReq.Header { + // p.logger.Debug("Forwarded Request Header", hKey, hVal) + //} // Read the body and explicitly set Content-Length header, otherwise client can hung up on the request. bodyBytes, err := io.ReadAll(resp.Body) @@ -351,7 +351,7 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { "error", err, "host", req.Host, "method", req.Method, - "bodyBytes", string(bodyBytes), + //"bodyBytes", string(bodyBytes), ) return } From 8f6cdec452166f8fa28d1aa9357060f97da31912 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Sun, 19 Oct 2025 20:19:49 +0000 Subject: [PATCH 35/35] fix bug with HTTP 2.0 --- proxy/proxy.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/proxy/proxy.go b/proxy/proxy.go index 744415c..10c6e59 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -344,6 +344,17 @@ func (p *Server) forwardRequest(conn net.Conn, req *http.Request, https bool) { } resp.Body = io.NopCloser(bytes.NewBuffer(bodyBytes)) + // The downstream client (Claude) always communicates over HTTP/1.1. + // However, Go's default HTTP client may negotiate an HTTP/2 connection + // with the upstream server via ALPN during TLS handshake. + // This can cause the response's Proto field to be set to "HTTP/2.0", + // which would produce an invalid response for an HTTP/1.1 client. + // To prevent this mismatch, we explicitly normalize the response + // to HTTP/1.1 before writing it back to the client. + resp.Proto = "HTTP/1.1" + resp.ProtoMajor = 1 + resp.ProtoMinor = 1 + // Copy response back to client err = resp.Write(conn) if err != nil {