ei
/
mtg
mirror of https://github.com/9seconds/mtg


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402
							package cli

import (
	"context"
	"fmt"
	"net"
	"os"
	"strings"

	"github.com/9seconds/mtg/v2/antireplay"
	"github.com/9seconds/mtg/v2/events"
	"github.com/9seconds/mtg/v2/internal/config"
	"github.com/9seconds/mtg/v2/internal/proxyprotocol"
	"github.com/9seconds/mtg/v2/internal/utils"
	"github.com/9seconds/mtg/v2/ipblocklist"
	"github.com/9seconds/mtg/v2/ipblocklist/files"
	"github.com/9seconds/mtg/v2/logger"
	"github.com/9seconds/mtg/v2/mtglib"
	"github.com/9seconds/mtg/v2/network/v2"
	"github.com/9seconds/mtg/v2/stats"
	"github.com/pires/go-proxyproto"
	"github.com/rs/zerolog"
	"github.com/yl2chen/cidranger"
)

func makeLogger(conf *config.Config) mtglib.Logger {
	zerolog.TimeFieldFormat = zerolog.TimeFormatUnixMs
	zerolog.TimestampFieldName = "timestamp"
	zerolog.LevelFieldName = "level"

	if conf.Debug.Get(false) {
		zerolog.SetGlobalLevel(zerolog.DebugLevel)
	} else {
		zerolog.SetGlobalLevel(zerolog.WarnLevel)
	}

	baseLogger := zerolog.New(os.Stdout).With().Timestamp().Logger()

	return logger.NewZeroLogger(baseLogger)
}

func makeNetwork(conf *config.Config, version string) (mtglib.Network, error) {
	resolver, err := network.GetDNS(conf.GetDNS())
	if err != nil {
		return nil, fmt.Errorf("cannot create DNS resolver: %w", err)
	}

	base := network.New(
		resolver,
		"",
		conf.Network.Timeout.TCP.Get(0),
		conf.Network.Timeout.HTTP.Get(0),
		conf.Network.Timeout.Idle.Get(0),
		net.KeepAliveConfig{
			Enable:   !conf.Network.KeepAlive.Disabled.Get(false),
			Idle:     conf.Network.KeepAlive.Idle.Get(0),
			Interval: conf.Network.KeepAlive.Interval.Get(0),
			Count:    int(conf.Network.KeepAlive.Count.Get(0)),
		},
		int(conf.Network.TCPNotSentLowat.Get(network.DefaultTCPNotSentLowat)),
	)

	proxyDialers := make([]mtglib.Network, len(conf.Network.Proxies))
	for idx, v := range conf.Network.Proxies {
		value, err := network.NewProxyNetwork(base, v.Get(nil))
		if err != nil {
			return nil, fmt.Errorf("cannot use %v for proxy url: %w", v.Get(nil), err)
		}
		proxyDialers[idx] = value
	}

	switch len(proxyDialers) {
	case 0:
		return base, nil
	case 1:
		return proxyDialers[0], nil
	}

	value, err := network.Join(proxyDialers...)
	if err != nil {
		panic(err)
	}

	return value, nil
}

func makeAntiReplayCache(conf *config.Config) mtglib.AntiReplayCache {
	if !conf.Defense.AntiReplay.Enabled.Get(false) {
		return antireplay.NewNoop()
	}

	return antireplay.NewStableBloomFilter(
		conf.Defense.AntiReplay.MaxSize.Get(antireplay.DefaultStableBloomFilterMaxSize),
		conf.Defense.AntiReplay.ErrorRate.Get(antireplay.DefaultStableBloomFilterErrorRate),
	)
}

func makeIPBlocklist(conf config.ListConfig,
	logger mtglib.Logger,
	ntw mtglib.Network,
	updateCallback ipblocklist.FireholUpdateCallback,
) (mtglib.IPBlocklist, error) {
	if !conf.Enabled.Get(false) {
		return ipblocklist.NewNoop(), nil
	}

	remoteURLs := []string{}
	localFiles := []string{}

	for _, v := range conf.URLs {
		if v.IsRemote() {
			remoteURLs = append(remoteURLs, v.String())
		} else {
			localFiles = append(localFiles, v.String())
		}
	}

	blocklist, err := ipblocklist.NewFirehol(logger.Named("ipblockist"),
		ntw,
		conf.DownloadConcurrency.Get(1),
		remoteURLs,
		localFiles,
		updateCallback)
	if err != nil {
		return nil, fmt.Errorf("incorrect parameters for firehol: %w", err)
	}

	go blocklist.Run(conf.UpdateEach.Get(ipblocklist.DefaultFireholUpdateEach))

	return blocklist, nil
}

func makeIPAllowlist(conf config.ListConfig,
	logger mtglib.Logger,
	ntw mtglib.Network,
	updateCallback ipblocklist.FireholUpdateCallback,
) (mtglib.IPBlocklist, error) {
	var (
		allowlist mtglib.IPBlocklist
		err       error
	)

	if !conf.Enabled.Get(false) {
		allowlist, err = ipblocklist.NewFireholFromFiles(
			logger.Named("ipblocklist"),
			1,
			[]files.File{
				files.NewMem([]*net.IPNet{
					cidranger.AllIPv4,
					cidranger.AllIPv6,
				}),
			},
			updateCallback,
		)

		go allowlist.Run(conf.UpdateEach.Get(ipblocklist.DefaultFireholUpdateEach))
	} else {
		allowlist, err = makeIPBlocklist(
			conf,
			logger,
			ntw,
			updateCallback,
		)
	}

	if err != nil {
		return nil, fmt.Errorf("cannot build allowlist: %w", err)
	}

	return allowlist, nil
}

func makeEventStream(conf *config.Config, logger mtglib.Logger) (mtglib.EventStream, error) {
	factories := make([]events.ObserverFactory, 0, 2)

	if conf.Stats.StatsD.Enabled.Get(false) {
		statsdFactory, err := stats.NewStatsd(
			conf.Stats.StatsD.Address.Get(""),
			logger.Named("statsd"),
			conf.Stats.StatsD.MetricPrefix.Get(stats.DefaultStatsdMetricPrefix),
			conf.Stats.StatsD.TagFormat.Get(stats.DefaultStatsdTagFormat))
		if err != nil {
			return nil, fmt.Errorf("cannot build statsd observer: %w", err)
		}

		factories = append(factories, statsdFactory.Make)
	}

	if conf.Stats.Prometheus.Enabled.Get(false) {
		prometheus := stats.NewPrometheus(
			conf.Stats.Prometheus.MetricPrefix.Get(stats.DefaultMetricPrefix),
			conf.Stats.Prometheus.HTTPPath.Get("/"),
		)

		listener, err := net.Listen("tcp", conf.Stats.Prometheus.BindTo.Get(""))
		if err != nil {
			return nil, fmt.Errorf("cannot start a listener for prometheus: %w", err)
		}

		go prometheus.Serve(listener) //nolint: errcheck

		factories = append(factories, prometheus.Make)
	}

	if len(factories) > 0 {
		return events.NewEventStream(factories), nil
	}

	return events.NewNoopStream(), nil
}

func warnSNIMismatch(conf *config.Config, ntw mtglib.Network, log mtglib.Logger) {
	host := conf.Secret.Host
	if host == "" {
		return
	}

	addresses, err := net.DefaultResolver.LookupIPAddr(context.Background(), host)
	if err != nil {
		log.BindStr("hostname", host).
			WarningError("SNI-DNS check: cannot resolve secret hostname", err)
		return
	}

	ourIP4 := conf.PublicIPv4.Get(nil)
	if ourIP4 == nil {
		ourIP4 = getIP(ntw, "tcp4")
	}

	ourIP6 := conf.PublicIPv6.Get(nil)
	if ourIP6 == nil {
		ourIP6 = getIP(ntw, "tcp6")
	}

	if ourIP4 == nil && ourIP6 == nil {
		log.Warning("SNI-DNS check: cannot detect public IP address; set public-ipv4/public-ipv6 in config or run 'mtg doctor'")
		return
	}

	v4Match := ourIP4 == nil
	v6Match := ourIP6 == nil

	for _, addr := range addresses {
		if ourIP4 != nil && addr.IP.String() == ourIP4.String() {
			v4Match = true
		}

		if ourIP6 != nil && addr.IP.String() == ourIP6.String() {
			v6Match = true
		}
	}

	if v4Match && v6Match {
		return
	}

	resolved := make([]string, 0, len(addresses))
	for _, addr := range addresses {
		resolved = append(resolved, addr.IP.String())
	}

	our := ""
	if ourIP4 != nil {
		our = ourIP4.String()
	}

	if ourIP6 != nil {
		if our != "" {
			our += "/"
		}

		our += ourIP6.String()
	}

	entry := log.BindStr("hostname", host).
		BindStr("resolved", strings.Join(resolved, ", ")).
		BindStr("public_ip", our)

	if ourIP4 != nil {
		entry = entry.BindStr("ipv4_match", fmt.Sprintf("%t", v4Match))
	}

	if ourIP6 != nil {
		entry = entry.BindStr("ipv6_match", fmt.Sprintf("%t", v6Match))
	}

	entry.Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +
		"DPI may detect and block the proxy. See 'mtg doctor' for details")
}

func warnDeprecatedDomainFronting(conf *config.Config, log mtglib.Logger) {
	if conf.DomainFrontingIP.Value != nil {
		log.Warning(`config option "domain-fronting-ip" is deprecated and ignored; use "host" in [domain-fronting] instead`)
	}

	if conf.DomainFronting.IP.Value != nil {
		log.Warning(`config option "ip" in [domain-fronting] is deprecated and ignored; use "host" instead`)
	}
}

func runProxy(conf *config.Config, version string) error { //nolint: funlen, cyclop
	logger := makeLogger(conf)

	logger.BindJSON("configuration", conf.String()).Debug("configuration")

	warnDeprecatedDomainFronting(conf, logger)

	eventStream, err := makeEventStream(conf, logger)
	if err != nil {
		return fmt.Errorf("cannot build event stream: %w", err)
	}

	ntw, err := makeNetwork(conf, version)
	if err != nil {
		return fmt.Errorf("cannot build network: %w", err)
	}

	warnSNIMismatch(conf, ntw, logger)

	blocklist, err := makeIPBlocklist(
		conf.Defense.Blocklist,
		logger.Named("blocklist"),
		ntw,
		func(ctx context.Context, size int) {
			eventStream.Send(ctx, mtglib.NewEventIPListSize(size, true))
		})
	if err != nil {
		return fmt.Errorf("cannot build ip blocklist: %w", err)
	}

	allowlist, err := makeIPAllowlist(
		conf.Defense.Allowlist,
		logger.Named("allowlist"),
		ntw,
		func(ctx context.Context, size int) {
			eventStream.Send(ctx, mtglib.NewEventIPListSize(size, false))
		},
	)
	if err != nil {
		return fmt.Errorf("cannot build ip allowlist: %w", err)
	}

	doppelGangerURLs := make([]string, len(conf.Defense.Doppelganger.URLs))
	for i, v := range conf.Defense.Doppelganger.URLs {
		doppelGangerURLs[i] = v.String()
	}

	opts := mtglib.ProxyOpts{
		Logger:          logger,
		Network:         ntw,
		AntiReplayCache: makeAntiReplayCache(conf),
		IPBlocklist:     blocklist,
		IPAllowlist:     allowlist,
		EventStream:     eventStream,

		Secret:                      conf.Secret,
		Concurrency:                 conf.GetConcurrency(mtglib.DefaultConcurrency),
		DomainFrontingPort:          conf.GetDomainFrontingPort(mtglib.DefaultDomainFrontingPort),
		DomainFrontingHost:          conf.GetDomainFrontingHost(),
		DomainFrontingProxyProtocol: conf.GetDomainFrontingProxyProtocol(false),
		PreferIP:                    conf.PreferIP.Get(mtglib.DefaultPreferIP),
		AutoUpdate:                  conf.AutoUpdate.Get(false),

		AllowFallbackOnUnknownDC: conf.AllowFallbackOnUnknownDC.Get(false),
		TolerateTimeSkewness:     conf.TolerateTimeSkewness.Value,
		IdleTimeout:              conf.Network.Timeout.Idle.Get(mtglib.DefaultIdleTimeout),
		HandshakeTimeout:         conf.Network.Timeout.Handshake.Get(mtglib.DefaultHandshakeTimeout),

		DoppelGangerURLs:    doppelGangerURLs,
		DoppelGangerPerRaid: conf.Defense.Doppelganger.Repeats.Get(mtglib.DoppelGangerPerRaid),
		DoppelGangerEach:    conf.Defense.Doppelganger.UpdateEach.Get(mtglib.DoppelGangerEach),
		DoppelGangerDRS:     conf.Defense.Doppelganger.DRS.Get(false),
	}

	proxy, err := mtglib.NewProxy(opts)
	if err != nil {
		return fmt.Errorf("cannot create a proxy: %w", err)
	}

	listener, err := utils.NewListener(conf.BindTo.Get(""), 0)
	if err != nil {
		return fmt.Errorf("cannot start proxy: %w", err)
	}

	if conf.ProxyProtocolListener.Get(false) {
		listener = &proxyprotocol.ListenerAdapter{
			Listener: proxyproto.Listener{
				Listener: listener,
			},
		}
	}

	ctx := utils.RootContext()

	go proxy.Serve(listener) //nolint: errcheck

	<-ctx.Done()
	listener.Close() //nolint: errcheck
	proxy.Shutdown()

	return nil
}