/* The MIT License (MIT) Copyright (c) 2019 winlin Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ /* This the main entrance of https-proxy, proxy to api or other http server. */ package main import ( "context" "crypto/tls" "flag" "fmt" oe "github.com/ossrs/go-oryx-lib/errors" oh "github.com/ossrs/go-oryx-lib/http" "github.com/ossrs/go-oryx-lib/https" ol "github.com/ossrs/go-oryx-lib/logger" "io/ioutil" "log" "net" "net/http" "net/http/httputil" "net/url" "os" "path" "strconv" "strings" "sync" ) type Strings []string func (v *Strings) String() string { return fmt.Sprintf("strings [%v]", strings.Join(*v, ",")) } func (v *Strings) Set(value string) error { *v = append(*v, value) return nil } func shouldProxyURL(srcPath, proxyPath string) bool { if !strings.HasSuffix(srcPath, "/") { // /api to /api/ // /api.js to /api.js/ // /api/100 to /api/100/ srcPath += "/" } if !strings.HasSuffix(proxyPath, "/") { // /api/ to /api/ // to match /api/ or /api/100 // and not match /api.js/ proxyPath += "/" } return strings.HasPrefix(srcPath, proxyPath) } // about x-real-ip and x-forwarded-for or // about X-Real-IP and X-Forwarded-For or // https://segmentfault.com/q/1010000002409659 // https://distinctplace.com/2014/04/23/story-behind-x-forwarded-for-and-x-real-ip-headers/ // @remark http proxy will set the X-Forwarded-For. func addProxyAddToHeader(remoteAddr, realIP string, fwd []string, header http.Header, omitForward bool) { rip, _, err := net.SplitHostPort(remoteAddr) if err != nil { return } if realIP != "" { header.Set("X-Real-IP", realIP) } else { header.Set("X-Real-IP", rip) } if !omitForward { header["X-Forwarded-For"] = fwd[:] header.Add("X-Forwarded-For", rip) } } func filterByPreHook(ctx context.Context, preHook *url.URL, req *http.Request) error { target := *preHook target.RawQuery = strings.Join([]string{target.RawQuery, req.URL.RawQuery}, "&") api := target.String() r, err := http.NewRequestWithContext(ctx, req.Method, api, nil) if err != nil { return err } // Add real ip and forwarded for to header. // We should append the forward for pass-by. addProxyAddToHeader(req.RemoteAddr, req.Header.Get("X-Real-IP"), req.Header["X-Forwarded-For"], r.Header, false) ol.Tf(ctx, "Pre-hook proxy addr req=%v, r=%v", req.Header, r.Header) r2, err := http.DefaultClient.Do(r) if err != nil { return err } defer r2.Body.Close() if r2.StatusCode != http.StatusOK { return fmt.Errorf("Pre-hook HTTP StatusCode=%v %v", r2.StatusCode, r2.Status) } b, err := ioutil.ReadAll(r2.Body) if err != nil { return err } ol.Tf(ctx, "Pre-hook %v url=%v, res=%v, headers=%v", req.Method, api, string(b), r.Header) return nil } func NewComplexProxy(ctx context.Context, proxyUrl, preHook *url.URL, originalRequest *http.Request) http.Handler { // Hook before proxy it. if preHook != nil { if err := filterByPreHook(ctx, preHook, originalRequest); err != nil { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ol.Ef(ctx, "Pre-hook err %+v", err) http.Error(w, err.Error(), http.StatusInternalServerError) }) } } // Start proxy it. proxy := &httputil.ReverseProxy{} proxyUrlQuery := proxyUrl.Query() // Create a proxy which attach a isolate logger. elogger := log.New(os.Stderr, fmt.Sprintf("%v ", originalRequest.RemoteAddr), log.LstdFlags) proxy.ErrorLog = elogger proxy.Director = func(r *http.Request) { // about the x-real-schema, we proxy to backend to identify the client schema. if rschema := r.Header.Get("X-Real-Schema"); rschema == "" { if r.TLS == nil { r.Header.Set("X-Real-Schema", "http") } else { r.Header.Set("X-Real-Schema", "https") } } // Add real ip and forwarded for to header. // We should omit the forward header, because the ReverseProxy will doit. addProxyAddToHeader(r.RemoteAddr, r.Header.Get("X-Real-IP"), r.Header["X-Forwarded-For"], r.Header, true) ol.Tf(ctx, "Proxy addr header %v", r.Header) r.URL.Scheme = proxyUrl.Scheme r.URL.Host = proxyUrl.Host // Trim the prefix path. if trimPrefix := proxyUrlQuery.Get("trimPrefix"); trimPrefix != "" { r.URL.Path = strings.TrimPrefix(r.URL.Path, trimPrefix) } // Aadd the prefix to path. if addPrefix := proxyUrlQuery.Get("addPrefix"); addPrefix != "" { r.URL.Path = addPrefix + r.URL.Path } // The original request.Host requested by the client. // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host if r.Header.Get("X-Forwarded-Host") == "" { r.Header.Set("X-Forwarded-Host", r.Host) } // Set the Host of client request to the upstream server's, to act as client // directly access the upstream server. if proxyUrlQuery.Get("modifyRequestHost") != "false" { r.Host = proxyUrl.Host } ra, url, rip := r.RemoteAddr, r.URL.String(), r.Header.Get("X-Real-Ip") ol.Tf(ctx, "proxy http rip=%v, addr=%v %v %v with headers %v", rip, ra, r.Method, url, r.Header) } proxy.ModifyResponse = func(w *http.Response) error { // We have already set the server, so remove the upstream one. if proxyUrlQuery.Get("keepUpsreamServer") != "true" { w.Header.Del("Server") } // We already added this header, it will cause chrome failed when duplicated. if w.Header.Get("Access-Control-Allow-Origin") != "" { w.Header.Del("Access-Control-Allow-Origin") } return nil } return proxy } func run(ctx context.Context) error { oh.Server = fmt.Sprintf("%v/%v", Signature(), Version()) fmt.Println(oh.Server, "HTTP/HTTPS static server with API proxy.") var httpPorts Strings flag.Var(&httpPorts, "t", "http listen") flag.Var(&httpPorts, "http", "http listen at. 0 to disable http.") var httpsPorts Strings flag.Var(&httpsPorts, "s", "https listen") flag.Var(&httpsPorts, "https", "https listen at. 0 to disable https. 443 to serve. ") var httpsDomains string flag.StringVar(&httpsDomains, "d", "", "https the allow domains") flag.StringVar(&httpsDomains, "domains", "", "https the allow domains, empty to allow all. for example: ossrs.net,www.ossrs.net") var html string flag.StringVar(&html, "r", "./html", "the www web root") flag.StringVar(&html, "root", "./html", "the www web root. support relative dir to argv[0].") var cacheFile string flag.StringVar(&cacheFile, "e", "./letsencrypt.cache", "https the cache for letsencrypt") flag.StringVar(&cacheFile, "cache", "./letsencrypt.cache", "https the cache for letsencrypt. support relative dir to argv[0].") var useLetsEncrypt bool flag.BoolVar(&useLetsEncrypt, "l", false, "whether use letsencrypt CA") flag.BoolVar(&useLetsEncrypt, "lets", false, "whether use letsencrypt CA. self sign if not.") var ssKey string flag.StringVar(&ssKey, "k", "", "https self-sign key") flag.StringVar(&ssKey, "ssk", "", "https self-sign key") var ssCert string flag.StringVar(&ssCert, "c", "", `https self-sign cert`) flag.StringVar(&ssCert, "ssc", "", `https self-sign cert`) var oproxies Strings flag.Var(&oproxies, "p", "proxy ruler") flag.Var(&oproxies, "proxy", "one or more proxy the matched path to backend, for example, -proxy http://127.0.0.1:8888/api/webrtc") var oprehooks Strings flag.Var(&oprehooks, "pre-hook", "the pre-hook ruler, with request") var sdomains, skeys, scerts Strings flag.Var(&sdomains, "sdomain", "the SSL hostname") flag.Var(&skeys, "skey", "the SSL key for domain") flag.Var(&scerts, "scert", "the SSL cert for domain") var trimSlashLimit int var noRedirectIndex, trimLastSlash bool flag.BoolVar(&noRedirectIndex, "no-redirect-index", false, "Whether serve with index.html without redirect.") flag.BoolVar(&trimLastSlash, "trim-last-slash", false, "Whether trim last slash by HTTP redirect(302).") flag.IntVar(&trimSlashLimit, "trim-slash-limit", 0, "Only trim last slash when got enough directories.") flag.Usage = func() { fmt.Println(fmt.Sprintf("Usage: %v -t http -s https -d domains -r root -e cache -l lets -k ssk -c ssc -p proxy", os.Args[0])) fmt.Println(fmt.Sprintf(" ")) fmt.Println(fmt.Sprintf("Options:")) fmt.Println(fmt.Sprintf(" -t, -http string")) fmt.Println(fmt.Sprintf(" Listen at port for HTTP server. Default: 0, disable HTTP.")) fmt.Println(fmt.Sprintf(" -s, -https string")) fmt.Println(fmt.Sprintf(" Listen at port for HTTPS server. Default: 0, disable HTTPS.")) fmt.Println(fmt.Sprintf(" -r, -root string")) fmt.Println(fmt.Sprintf(" The www root path. Supports relative to argv[0]=%v. Default: ./html", path.Dir(os.Args[0]))) fmt.Println(fmt.Sprintf(" -no-redirect-index=bool")) fmt.Println(fmt.Sprintf(" Whether serve with index.html without redirect. Default: false")) fmt.Println(fmt.Sprintf(" -p, -proxy string")) fmt.Println(fmt.Sprintf(" Proxy path to backend. For example: http://127.0.0.1:8888/api/webrtc")) fmt.Println(fmt.Sprintf(" Proxy path to backend. For example: http://127.0.0.1:8888/api/webrtc?modifyRequestHost=false")) fmt.Println(fmt.Sprintf(" Proxy path to backend. For example: http://127.0.0.1:8888/api/webrtc?keepUpsreamServer=true")) fmt.Println(fmt.Sprintf(" Proxy path to backend. For example: http://127.0.0.1:8888/api/webrtc?trimPrefix=/ffmpeg")) fmt.Println(fmt.Sprintf(" Proxy path to backend. For example: http://127.0.0.1:8888/api/webrtc?addPrefix=/release")) fmt.Println(fmt.Sprintf(" -pre-hook string")) fmt.Println(fmt.Sprintf(" Pre-hook to backend, with request. For example: http://127.0.0.1:8888/api/stat")) fmt.Println(fmt.Sprintf("Options for HTTPS(letsencrypt cert):")) fmt.Println(fmt.Sprintf(" -l, -lets=bool")) fmt.Println(fmt.Sprintf(" Whether use letsencrypt CA. Default: false")) fmt.Println(fmt.Sprintf(" -e, -cache string")) fmt.Println(fmt.Sprintf(" The letsencrypt cache. Default: ./letsencrypt.cache")) fmt.Println(fmt.Sprintf(" -d, -domains string")) fmt.Println(fmt.Sprintf(" Set the validate HTTPS domain. For example: ossrs.net,www.ossrs.net")) fmt.Println(fmt.Sprintf("Options for HTTPS(file-based cert):")) fmt.Println(fmt.Sprintf(" -k, -ssk string")) fmt.Println(fmt.Sprintf(" The self-sign or validate file-based key file.")) fmt.Println(fmt.Sprintf(" -c, -ssc string")) fmt.Println(fmt.Sprintf(" The self-sign or validate file-based cert file.")) fmt.Println(fmt.Sprintf(" -sdomain string")) fmt.Println(fmt.Sprintf(" For multiple HTTPS site, the domain name. For example: ossrs.net")) fmt.Println(fmt.Sprintf(" -skey string")) fmt.Println(fmt.Sprintf(" For multiple HTTPS site, the key file.")) fmt.Println(fmt.Sprintf(" -scert string")) fmt.Println(fmt.Sprintf(" For multiple HTTPS site, the cert file.")) fmt.Println(fmt.Sprintf("For example:")) fmt.Println(fmt.Sprintf(" %v -t 8080 -s 9443 -r ./html", os.Args[0])) fmt.Println(fmt.Sprintf(" %v -t 8080 -s 9443 -r ./html -p http://ossrs.net:1985/api/v1/versions", os.Args[0])) fmt.Println(fmt.Sprintf("Generate cert for self-sign HTTPS:")) fmt.Println(fmt.Sprintf(" openssl genrsa -out server.key 2048")) fmt.Println(fmt.Sprintf(` openssl req -new -x509 -key server.key -out server.crt -days 365 -subj "/C=CN/ST=Beijing/L=Beijing/O=Me/OU=Me/CN=me.org"`)) fmt.Println(fmt.Sprintf("For example:")) fmt.Println(fmt.Sprintf(" %v -s 9443 -r ./html -sdomain ossrs.net -skey ossrs.net.key -scert ossrs.net.pem", os.Args[0])) } flag.Parse() if useLetsEncrypt && len(httpsPorts) == 0 { return oe.Errorf("for letsencrypt, https=%v must be 0(disabled) or 443(enabled)", httpsPorts) } if len(httpPorts) == 0 && len(httpsPorts) == 0 { flag.Usage() os.Exit(-1) } // If trim last slash, we should enable no redirect index, to avoid infinitely redirect. if trimLastSlash { noRedirectIndex = true } fmt.Println(fmt.Sprintf("Config trimLastSlash=%v, trimSlashLimit=%v, noRedirectIndex=%v", trimLastSlash, trimSlashLimit, noRedirectIndex)) var proxyUrls []*url.URL proxies := make(map[string]*url.URL) for _, oproxy := range []string(oproxies) { if oproxy == "" { return oe.Errorf("empty proxy in %v", oproxies) } proxyUrl, err := url.Parse(oproxy) if err != nil { return oe.Wrapf(err, "parse proxy %v", oproxy) } if _, ok := proxies[proxyUrl.Path]; ok { return oe.Errorf("proxy %v duplicated", proxyUrl.Path) } proxyUrls = append(proxyUrls, proxyUrl) proxies[proxyUrl.Path] = proxyUrl ol.Tf(ctx, "Proxy %v to %v", proxyUrl.Path, oproxy) } var preHookUrls []*url.URL preHooks := make(map[string]*url.URL) for _, oprehook := range []string(oprehooks) { if oprehook == "" { return oe.Errorf("empty pre-hook in %v", oprehooks) } preHookUrl, err := url.Parse(oprehook) if err != nil { return oe.Wrapf(err, "parse pre-hook %v", oprehook) } if _, ok := preHooks[preHookUrl.Path]; ok { return oe.Errorf("pre-hook %v duplicated", preHookUrl.Path) } preHookUrls = append(preHookUrls, preHookUrl) preHooks[preHookUrl.Path] = preHookUrl ol.Tf(ctx, "pre-hook %v to %v", preHookUrl.Path, oprehook) } if !path.IsAbs(cacheFile) && path.IsAbs(os.Args[0]) { cacheFile = path.Join(path.Dir(os.Args[0]), cacheFile) } if !path.IsAbs(html) && path.IsAbs(os.Args[0]) { html = path.Join(path.Dir(os.Args[0]), html) } serveFileNoRedirect := func (w http.ResponseWriter, r *http.Request, name string) { upath := path.Join(html, path.Clean(r.URL.Path)) // Redirect without the last slash. if trimLastSlash && r.URL.Path != "/" && strings.HasSuffix(r.URL.Path, "/") { u := strings.TrimSuffix(r.URL.Path, "/") if r.URL.RawQuery != "" { u += "?" + r.URL.RawQuery } if strings.Count(u, "/") >= trimSlashLimit { http.Redirect(w, r, u, http.StatusFound) return } } // Append the index.html path if access a directory. if noRedirectIndex && !strings.Contains(path.Base(upath), ".") { if d, err := os.Stat(upath); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } else if d.IsDir() { upath = path.Join(upath, "index.html") } } http.ServeFile(w, r, upath) } http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { oh.SetHeader(w) if o := r.Header.Get("Origin"); len(o) > 0 { // SRS does not need cookie or credentials, so we disable CORS credentials, and use * for CORS origin, // headers, expose headers and methods. w.Header().Set("Access-Control-Allow-Origin", "*") // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers w.Header().Set("Access-Control-Allow-Headers", "*") // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods w.Header().Set("Access-Control-Allow-Methods", "*") // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers w.Header().Set("Access-Control-Expose-Headers", "*") // https://stackoverflow.com/a/24689738/17679565 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials w.Header().Set("Access-Control-Allow-Credentials", "false") } // For matched OPTIONS, directly return without response. if r.Method == "OPTIONS" { return } if proxyUrls == nil { if r.URL.Path == "/httpx/v1/versions" { oh.WriteVersion(w, r, Version()) return } serveFileNoRedirect(w, r, path.Join(html, path.Clean(r.URL.Path))) return } // Find pre-hook to serve with proxy. var preHook *url.URL for _, preHookUrl := range preHookUrls { if !shouldProxyURL(r.URL.Path, preHookUrl.Path) { continue } if p, ok := preHooks[preHookUrl.Path]; ok { preHook = p } } // Find proxy to serve it. for _, proxyUrl := range proxyUrls { if !shouldProxyURL(r.URL.Path, proxyUrl.Path) { continue } if proxy, ok := proxies[proxyUrl.Path]; ok { p := NewComplexProxy(ctx, proxy, preHook, r) p.ServeHTTP(w, r) return } } serveFileNoRedirect(w, r, path.Join(html, path.Clean(r.URL.Path))) }) var protos []string if len(httpPorts) > 0 { protos = append(protos, fmt.Sprintf("http(:%v)", strings.Join(httpPorts, ","))) } for _, httpsPort := range httpsPorts { if httpsPort == "0" { continue } s := httpsDomains if httpsDomains == "" { s = "all domains" } if useLetsEncrypt { protos = append(protos, fmt.Sprintf("https(:%v, %v, %v)", httpsPort, s, cacheFile)) } else { protos = append(protos, fmt.Sprintf("https(:%v)", httpsPort)) } if useLetsEncrypt { protos = append(protos, "letsencrypt") } else if ssKey != "" { protos = append(protos, fmt.Sprintf("self-sign(%v, %v)", ssKey, ssCert)) } else if len(sdomains) == 0 { return oe.New("no ssl config") } for i := 0; i < len(sdomains); i++ { sdomain, skey, scert := sdomains[i], skeys[i], scerts[i] if f, err := os.Open(scert); err != nil { return oe.Wrapf(err, "open cert %v for %v err %+v", scert, sdomain, err) } else { f.Close() } if f, err := os.Open(skey); err != nil { return oe.Wrapf(err, "open key %v for %v err %+v", skey, sdomain, err) } else { f.Close() } protos = append(protos, fmt.Sprintf("ssl(%v,%v,%v)", sdomain, skey, scert)) } } ol.Tf(ctx, "%v html root at %v", strings.Join(protos, ", "), string(html)) if len(httpsPorts) > 0 && !useLetsEncrypt && ssKey != "" { if f, err := os.Open(ssCert); err != nil { return oe.Wrapf(err, "open cert %v err %+v", ssCert, err) } else { f.Close() } if f, err := os.Open(ssKey); err != nil { return oe.Wrapf(err, "open key %v err %+v", ssKey, err) } else { f.Close() } } wg := sync.WaitGroup{} ctx, cancel := context.WithCancel(ctx) defer cancel() var httpServers []*http.Server for _, v := range httpPorts { httpPort, err := strconv.ParseInt(v, 10, 64) if err != nil { return oe.Wrapf(err, "parse %v", v) } wg.Add(1) go func(httpPort int) { defer wg.Done() ctx = ol.WithContext(ctx) if httpPort == 0 { ol.W(ctx, "http server disabled") return } defer cancel() hs := &http.Server{Addr: fmt.Sprintf(":%v", httpPort), Handler: nil} httpServers = append(httpServers, hs) ol.Tf(ctx, "http serve at %v", httpPort) if err := hs.ListenAndServe(); err != nil { ol.Ef(ctx, "http serve err %+v", err) return } ol.T("http server ok") }(int(httpPort)) } for _, v := range httpsPorts { httpsPort, err := strconv.ParseInt(v, 10, 64) if err != nil { return oe.Wrapf(err, "parse %v", v) } wg.Add(1) go func() { defer wg.Done() ctx = ol.WithContext(ctx) if httpsPort == 0 { ol.W(ctx, "https server disabled") return } defer cancel() var err error var m https.Manager if useLetsEncrypt { var domains []string if httpsDomains != "" { domains = strings.Split(httpsDomains, ",") } if m, err = https.NewLetsencryptManager("", domains, cacheFile); err != nil { ol.Ef(ctx, "create letsencrypt manager err %+v", err) return } } else if ssKey != "" { if m, err = https.NewSelfSignManager(ssCert, ssKey); err != nil { ol.Ef(ctx, "create self-sign manager err %+v", err) return } } else if len(sdomains) > 0 { if m, err = NewCertsManager(sdomains, skeys, scerts); err != nil { ol.Ef(ctx, "create ssl managers err %+v", err) return } } hss := &http.Server{ Addr: fmt.Sprintf(":%v", httpsPort), TLSConfig: &tls.Config{ GetCertificate: m.GetCertificate, }, } httpServers = append(httpServers, hss) ol.Tf(ctx, "https serve at %v", httpsPort) if err = hss.ListenAndServeTLS("", ""); err != nil { ol.Ef(ctx, "https serve err %+v", err) return } ol.T("https serve ok") }() } select { case <-ctx.Done(): for _, server := range httpServers { server.Close() } } wg.Wait() return nil } func main() { ctx := ol.WithContext(context.Background()) if err := run(ctx); err != nil { ol.Ef(ctx, "run err %+v", err) os.Exit(-1) } }