-
-
Notifications
You must be signed in to change notification settings - Fork 61
/
httpmatcher.go
218 lines (187 loc) · 6.5 KB
/
httpmatcher.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
// Copyright 2020 Matthew Holt
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package l4http
import (
"bufio"
"bytes"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
"github.com/mholt/caddy-l4/layer4"
"github.com/mholt/caddy-l4/modules/l4tls"
"golang.org/x/net/http2"
"golang.org/x/net/http2/hpack"
)
func init() {
caddy.RegisterModule(MatchHTTP{})
}
// MatchHTTP is able to match HTTP connections. The auto-generated
// documentation for this type is wrong; instead of an object, it
// is [an array of matcher set objects](https://caddyserver.com/docs/json/apps/http/servers/routes/match/).
type MatchHTTP struct {
MatcherSetsRaw caddyhttp.RawMatcherSets `json:"-" caddy:"namespace=http.matchers"`
matcherSets caddyhttp.MatcherSets
}
// CaddyModule returns the Caddy module information.
func (MatchHTTP) CaddyModule() caddy.ModuleInfo {
return caddy.ModuleInfo{
ID: "layer4.matchers.http",
New: func() caddy.Module { return new(MatchHTTP) },
}
}
// UnmarshalJSON satisfies the json.Unmarshaler interface.
func (m *MatchHTTP) UnmarshalJSON(b []byte) error {
return json.Unmarshal(b, &m.MatcherSetsRaw)
}
// MarshalJSON satisfies the json.Marshaler interface.
func (m MatchHTTP) MarshalJSON() ([]byte, error) {
return json.Marshal(m.MatcherSetsRaw)
}
// Provision sets up the handler.
func (m *MatchHTTP) Provision(ctx caddy.Context) error {
matchersIface, err := ctx.LoadModule(m, "MatcherSetsRaw")
if err != nil {
return fmt.Errorf("loading matcher modules: %v", err)
}
err = m.matcherSets.FromInterface(matchersIface)
if err != nil {
return err
}
return nil
}
// Match returns true if the conn starts with an HTTP request.
func (m MatchHTTP) Match(cx *layer4.Connection) (bool, error) {
// TODO: do we need a more standardized way to amortize matchers? or at least to remember decoded results from previous matchers?
req, ok := cx.GetVar("http_request").(*http.Request)
if !ok {
var err error
data := cx.MatchingBytes()
if !m.isHttp(data) {
return false, nil
}
// use bufio reader which exactly matches the size of prefetched data,
// to not trigger all bytes consumed error
bufReader := bufio.NewReaderSize(cx, len(data))
req, err = http.ReadRequest(bufReader)
if err != nil {
return false, err
}
// check if req is a http2 request made with prior knowledge and if so parse it
err = m.handleHttp2WithPriorKnowledge(bufReader, req)
if err != nil {
return false, err
}
// if the tls handler was used before fill in the TLS field of the request
// with the last aka innermost tls connection state
if connectionStates := l4tls.GetConnectionStates(cx); len(connectionStates) > 0 {
req.TLS = connectionStates[len(connectionStates)-1]
}
// in order to use request matchers, we have to populate the request context
req = caddyhttp.PrepareRequest(req, caddy.NewReplacer(), nil, nil)
// remember this for future use
cx.SetVar("http_request", req)
// also add values to the replacer (TODO: we could probably find a way to use the http app's replacer values)
repl := cx.Context.Value(layer4.ReplacerCtxKey).(*caddy.Replacer)
repl.Set("l4.http.host", req.Host)
}
// we have a valid HTTP request, so we can drill down further if there are
// any more matchers configured
return m.matcherSets.AnyMatch(req), nil
}
func (m MatchHTTP) isHttp(data []byte) bool {
// try to find the end of a http request line, for example " HTTP/1.1\r\n"
i := bytes.IndexByte(data, 0x0a) // find first new line
if i < 10 {
return false
}
// assume only \n line ending
start := i - 9 // position of space in front of HTTP
end := i - 3 // cut off version number "1.1" or "2.0"
// if we got a correct \r\n line ending shift the calculated start & end to the left
if data[i-1] == 0x0d {
start -= 1
end -= 1
}
return bytes.Compare(data[start:end], []byte(" HTTP/")) == 0
}
// Parses information from a http2 request with prior knowledge (RFC 7540 Section 3.4)
func (m MatchHTTP) handleHttp2WithPriorKnowledge(reader io.Reader, req *http.Request) error {
// Does req contain a valid http2 magic?
// https://github.com/golang/net/blob/a630d4f3e7a22f21271532b4b88e1693824a838f/http2/h2c/h2c.go#L74
if req.Method != "PRI" || len(req.Header) != 0 || req.URL.Path != "*" || req.Proto != "HTTP/2.0" {
return nil
}
const expectedBody = "SM\r\n\r\n"
body := make([]byte, len(expectedBody))
n, err := io.ReadFull(reader, body)
if err != nil {
return err
}
if string(body[:n]) != expectedBody {
return nil
}
framer := http2.NewFramer(io.Discard, reader)
// read the first 10 frames until we get a headers frame (skipping settings, window update & priority frames)
var frame http2.Frame
for i := 0; i < 10; i++ {
frame, err = framer.ReadFrame()
if err != nil {
return err
}
if frame.Header().Type == http2.FrameHeaders {
break
}
}
if frame.Header().Type != http2.FrameHeaders {
return fmt.Errorf("failed to read a http2 headers frame after 10 attempts")
}
decoder := hpack.NewDecoder(4096, nil) // max table size 4096 from http2.initialHeaderTableSize
headers, err := decoder.DecodeFull((frame.(*http2.HeadersFrame)).HeaderBlockFragment())
if err != nil {
return err
}
var scheme string
var authority string
var path string
for _, h := range headers {
if h.Name == ":method" {
req.Method = h.Value
} else if h.Name == ":path" {
path = h.Value
req.RequestURI = h.Value
} else if h.Name == ":scheme" {
scheme = h.Value
} else if h.Name == ":authority" {
authority = h.Value
req.Host = h.Value
} else {
req.Header.Add(h.Name, h.Value)
}
}
// According to http.Request.URL docs it only contains the value of RequestURI (so path only),
// but we can fill in more information
req.URL, err = url.Parse(fmt.Sprintf("%s://%s%s", scheme, authority, path))
return err
}
// Interface guards
var (
_ layer4.ConnMatcher = (*MatchHTTP)(nil)
_ caddy.Provisioner = (*MatchHTTP)(nil)
_ json.Marshaler = (*MatchHTTP)(nil)
_ json.Unmarshaler = (*MatchHTTP)(nil)
)