shelikhoo pushed a commit to branch main in repository pluggable-transports/snowflake.
commit b09a2e09b3e8abadac5f5b96662864eec4ebd597 Author: Shelikhoo xiaokangwang@outlook.com AuthorDate: Wed Apr 13 16:20:52 2022 +0100
Add Relay URL Check in Snowflake Proxy --- proxy/lib/snowflake.go | 9 ++++++++- proxy/main.go | 5 +++++ 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/proxy/lib/snowflake.go b/proxy/lib/snowflake.go
index 7e06c0f..7dbc976 100644
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@@ -119,6 +119,7 @@ type SnowflakeProxy struct {
 // There is no look ahead assertion when matching domain name suffix,
 // thus the string prepend the suffix does not need to be empty or ends with a dot.
 RelayDomainNamePattern string
+ AllowNonTLSRelay bool
 // NATProbeURL is the URL of the probe service we use for NAT checks
 NATProbeURL string
 // NATTypeMeasurementInterval is time before NAT type is retested
@@ -496,7 +497,13 @@ func (sf *SnowflakeProxy) runSession(sid string) {
 return
 }
 matcher := namematcher.NewNameMatcher(sf.RelayDomainNamePattern)
- if relayURL != "" && !matcher.IsMember(relayURL) {
+ parsedRelayURL, err := url.Parse(relayURL)
+ if err != nil {
+ log.Printf("bad offer from broker: bad Relay URL %v", err.Error())
+ tokens.ret()
+ return
+ }
+ if relayURL != "" && (!matcher.IsMember(parsedRelayURL.Hostname()) || (!sf.AllowNonTLSRelay && parsedRelayURL.Scheme != "wss")) {
 log.Printf("bad offer from broker: rejected Relay URL")
 tokens.ret()
 return
diff --git a/proxy/main.go b/proxy/main.go
index 7d025ea..305d0b0 100644
--- a/proxy/main.go
+++ b/proxy/main.go
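Review bot: The new `AllowNonTLSRelay` field has no doc comment while its neighbours in this hunk (`RelayDomainNamePattern`, `NATProbeURL`) each carry one, and its security meaning is not obvious from the name alone. I would add `// AllowNonTLSRelay permits a broker-supplied relay URL whose scheme is not wss; leave it false unless the proxy-to-relay hop runs over a network you trust, since a plain ws relay carries the proxied traffic unencrypted on that hop.` The `SnowflakeProxy` struct starts before and ends after this hunk.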
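Review bot: With `AllowNonTLSRelay` set, the new condition in `runSession` skips the scheme test entirely rather than relaxing it to `ws`, so `http://`, `ftp://` or a scheme-less string from the broker passes this check and only fails, if at all, at the later websocket dial. I would turn the scheme into an explicit allow-list: `schemeOK := parsedRelayURL.Scheme == "wss" || (sf.AllowNonTLSRelay && parsedRelayURL.Scheme == "ws")` followed by `if relayURL != "" && (!matcher.IsMember(parsedRelayURL.Hostname()) || !schemeOK) {`. Separately, the host test now feeds `Hostname()` into what the struct comment in the first hunk describes as an unanchored suffix match, so a pattern such as `torproject.net` would also admit `eviltorproject.net`; a leading dot in the pattern avoids that (at the cost of not matching the bare apex) and is worth a sentence in the flag help or the struct comment. `runSession` starts and ends outside this hunk.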
@@ -21,6 +21,8 @@ func main() {
 unsafeLogging := flag.Bool("unsafe-logging", false, "prevent logs from being scrubbed")
 keepLocalAddresses := flag.Bool("keep-local-addresses", false, "keep local LAN address ICE candidates")
 relayURL := flag.String("relay", sf.DefaultRelayURL, "websocket relay URL")
+ allowedRelayHostNamePattern := flag.String("allowed-relay-hostname-pattern", "", "a pattern to specify allowed hostname pattern for relay URL.")
+ allowNonTLSRelay := flag.Bool("allow-non-tls-relay", false, "allow relay without tls encryption")
 NATTypeMeasurementInterval := flag.Duration("nat-retest-interval", time.Hour*24,
 "the time interval in second before NAT type is retested, 0s disables retest. Valid time units are "s", "m", "h". ")
 SummaryInterval := flag.Duration("summary-interval", time.Hour,
@@ -40,6 +42,9 @@ func main() {
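Review bot: The `allowed-relay-hostname-pattern` flag defaults to the empty string, and if the matcher treats an empty suffix as matching every hostname (the struct comment in snowflake.go describes a plain suffix match, so that seems likely) a proxy started with default flags accepts whatever relay host the broker names and only the `wss` requirement stands. Consider defaulting the pattern to the host of `sf.DefaultRelayURL`, or at least spelling out in the help text what an empty value means. The help string also says "pattern" twice without describing the syntax; something like `"hostname suffix that a broker-supplied relay URL must match"` plus a sentence on the empty case would tell an operator what to pass. `main` continues before and after this hunk.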
 NATTypeMeasurementInterval: *NATTypeMeasurementInterval,
 EventDispatcher: eventLogger,
+
+ RelayDomainNamePattern: *allowedRelayHostNamePattern,
+ AllowNonTLSRelay: *allowNonTLSRelay,
 }
var logOutput io.Writer = os.Stderr