#!/usr/bin/env python ''' A WebSocket to TCP socket proxy with support for "wss://" encryption. Copyright 2011 Joel Martin Licensed under LGPL version 3 (see docs/LICENSE.LGPL-3) You can make a cert/key with openssl using: openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem as taken from http://docs.python.org/dev/library/ssl.html#certificates ''' import signal, socket, optparse, time, os, sys, subprocess, logging, errno, ssl from socketserver import ThreadingMixIn from http.server import HTTPServer import select from websockify import websockifyserver from websockify import auth_plugins as auth from urllib.parse import parse_qs, urlparse class ProxyRequestHandler(websockifyserver.WebSockifyRequestHandler): buffer_size = 65536 traffic_legend = """ Traffic Legend: } - Client receive }. - Client receive partial { - Target receive > - Target send >. - Target send partial < - Client send <. - Client send partial """ def send_auth_error(self, ex): self.send_response(ex.code, ex.msg) self.send_header('Content-Type', 'text/html') for name, val in ex.headers.items(): self.send_header(name, val) self.end_headers() def validate_connection(self): if not self.server.token_plugin: return host, port = self.get_target(self.server.token_plugin) if host == 'unix_socket': self.server.unix_target = port else: self.server.target_host = host self.server.target_port = port def auth_connection(self): if not self.server.auth_plugin: return try: # get client certificate data client_cert_data = self.request.getpeercert() # extract subject information client_cert_subject = client_cert_data['subject'] # flatten data structure client_cert_subject = dict([x[0] for x in client_cert_subject]) # add common name to headers (apache +StdEnvVars style) self.headers['SSL_CLIENT_S_DN_CN'] = client_cert_subject['commonName'] except (TypeError, AttributeError, KeyError): # not a SSL connection or client presented no certificate with valid data pass try: self.server.auth_plugin.authenticate( headers=self.headers, target_host=self.server.target_host, target_port=self.server.target_port) except auth.AuthenticationError: ex = sys.exc_info()[1] self.send_auth_error(ex) raise def new_websocket_client(self): """ Called after a new WebSocket connection has been established. """ use_tcp = False # Checking for a token is done in validate_connection() # Connect to the target if self.server.wrap_cmd: msg = "connecting to command: '%s' (port %s)" % (" ".join(self.server.wrap_cmd), self.server.target_port) elif self.server.unix_target: msg = "connecting to unix socket: %s" % self.server.unix_target else: msg = "connecting to: %s:%s" % ( self.server.target_host, self.server.target_port) if self.server.ssl_target: msg += " (using SSL)" self.log_message(msg) try: tsock = websockifyserver.WebSockifyServer.socket(self.server.target_host, self.server.target_port, connect=True, use_ssl=self.server.ssl_target, unix_socket=self.server.unix_target, use_tcp=use_tcp) except Exception as e: self.log_message("Failed to connect to %s:%s: %s", self.server.target_host, self.server.target_port, e) raise self.CClose(1011, "Failed to connect to downstream server") if use_tcp: self.request.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, 1) if not self.server.wrap_cmd and not self.server.unix_target: tsock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, 1) self.print_traffic(self.traffic_legend) # Start proxying try: self.do_proxy(tsock) finally: if tsock: tsock.shutdown(socket.SHUT_RDWR) tsock.close() if self.verbose: self.log_message("%s:%s: Closed target", self.server.target_host, self.server.target_port) def get_target(self, target_plugin): """ Gets a token from either the path or the host, depending on --host-token, and looks up a target for that token using the token plugin. Used by validate_connection() to set target_host and target_port. """ # The files in targets contain the lines # in the form of token: host:port if self.host_token: # Use hostname as token token = self.headers.get('Host') # Remove port from hostname, as it'll always be the one where # websockify listens (unless something between the client and # websockify is redirecting traffic, but that's beside the point) if token: token = token.partition(':')[0] else: # Extract the token parameter from url args = parse_qs(urlparse(self.path)[4]) # 4 is the query from url if 'token' in args and len(args['token']): token = args['token'][0].rstrip('\n') else: token = None if token is None: raise self.server.EClose("Token not present") result_pair = target_plugin.lookup(token) if result_pair is not None: return result_pair else: raise self.server.EClose("Token '%s' not found" % token) def do_proxy(self, target): """ Proxy client WebSocket to normal target socket. """ cqueue = [] c_pend = 0 tqueue = [] rlist = [self.request, target] if self.server.heartbeat: now = time.time() self.heartbeat = now + self.server.heartbeat else: self.heartbeat = None while True: wlist = [] if self.heartbeat is not None: now = time.time() if now > self.heartbeat: self.heartbeat = now + self.server.heartbeat self.send_ping() if tqueue: wlist.append(target) if cqueue or c_pend: wlist.append(self.request) try: ins, outs, excepts = select.select(rlist, wlist, [], 1) except (select.error, OSError): exc = sys.exc_info()[1] if hasattr(exc, 'errno'): err = exc.errno else: err = exc[0] if err != errno.EINTR: raise else: continue if excepts: raise Exception("Socket exception") if self.request in outs: # Send queued target data to the client c_pend = self.send_frames(cqueue) cqueue = [] if self.request in ins: # Receive client data, decode it, and queue for target bufs, closed = self.recv_frames() tqueue.extend(bufs) if closed: # TODO: What about blocking on client socket? if self.verbose: self.log_message("%s:%s: Client closed connection", self.server.target_host, self.server.target_port) raise self.CClose(closed['code'], closed['reason']) if target in outs: # Send queued client data to the target dat = tqueue.pop(0) sent = target.send(dat) if sent == len(dat): self.print_traffic(">") else: # requeue the remaining data tqueue.insert(0, dat[sent:]) self.print_traffic(".>") if target in ins: # Receive target data, encode it and queue for client buf = target.recv(self.buffer_size) if len(buf) == 0: if self.verbose: self.log_message("%s:%s: Target closed connection", self.server.target_host, self.server.target_port) raise self.CClose(1000, "Target closed") cqueue.append(buf) self.print_traffic("{") class WebSocketProxy(websockifyserver.WebSockifyServer): """ Proxy traffic to and from a WebSockets client to a normal TCP socket server target. """ buffer_size = 65536 def __init__(self, RequestHandlerClass=ProxyRequestHandler, *args, **kwargs): # Save off proxy specific options self.target_host = kwargs.pop('target_host', None) self.target_port = kwargs.pop('target_port', None) self.wrap_cmd = kwargs.pop('wrap_cmd', None) self.wrap_mode = kwargs.pop('wrap_mode', None) self.unix_target = kwargs.pop('unix_target', None) self.ssl_target = kwargs.pop('ssl_target', None) self.heartbeat = kwargs.pop('heartbeat', None) self.token_plugin = kwargs.pop('token_plugin', None) self.host_token = kwargs.pop('host_token', None) self.auth_plugin = kwargs.pop('auth_plugin', None) # Last 3 timestamps command was run self.wrap_times = [0, 0, 0] if self.wrap_cmd: wsdir = os.path.dirname(sys.argv[0]) rebinder_path = [os.path.join(wsdir, "..", "lib"), os.path.join(wsdir, "..", "lib", "websockify"), os.path.join(wsdir, ".."), wsdir] self.rebinder = None for rdir in rebinder_path: rpath = os.path.join(rdir, "rebind.so") if os.path.exists(rpath): self.rebinder = rpath break if not self.rebinder: raise Exception("rebind.so not found, perhaps you need to run make") self.rebinder = os.path.abspath(self.rebinder) self.target_host = "127.0.0.1" # Loopback # Find a free high port sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.bind(('', 0)) self.target_port = sock.getsockname()[1] sock.close() os.environ.update({ "LD_PRELOAD": self.rebinder, "REBIND_OLD_PORT": str(kwargs['listen_port']), "REBIND_NEW_PORT": str(self.target_port)}) super().__init__(RequestHandlerClass, *args, **kwargs) def run_wrap_cmd(self): self.msg("Starting '%s'", " ".join(self.wrap_cmd)) self.wrap_times.append(time.time()) self.wrap_times.pop(0) self.cmd = subprocess.Popen( self.wrap_cmd, env=os.environ, preexec_fn=_subprocess_setup) self.spawn_message = True def started(self): """ Called after Websockets server startup (i.e. after daemonize) """ # Need to call wrapped command after daemonization so we can # know when the wrapped command exits if self.wrap_cmd: dst_string = "'%s' (port %s)" % (" ".join(self.wrap_cmd), self.target_port) elif self.unix_target: dst_string = self.unix_target else: dst_string = "%s:%s" % (self.target_host, self.target_port) if self.listen_fd != None: src_string = "inetd" else: src_string = "%s:%s" % (self.listen_host, self.listen_port) if self.token_plugin: msg = " - proxying from %s to targets generated by %s" % ( src_string, type(self.token_plugin).__name__) else: msg = " - proxying from %s to %s" % ( src_string, dst_string) if self.ssl_target: msg += " (using SSL)" self.msg("%s", msg) if self.wrap_cmd: self.run_wrap_cmd() def poll(self): # If we are wrapping a command, check it's status if self.wrap_cmd and self.cmd: ret = self.cmd.poll() if ret != None: self.vmsg("Wrapped command exited (or daemon). Returned %s" % ret) self.cmd = None if self.wrap_cmd and self.cmd == None: # Response to wrapped command being gone if self.wrap_mode == "ignore": pass elif self.wrap_mode == "exit": sys.exit(ret) elif self.wrap_mode == "respawn": now = time.time() avg = sum(self.wrap_times)/len(self.wrap_times) if (now - avg) < 10: # 3 times in the last 10 seconds if self.spawn_message: self.warn("Command respawning too fast") self.spawn_message = False else: self.run_wrap_cmd() def _subprocess_setup(): # Python installs a SIGPIPE handler by default. This is usually not what # non-Python successfulbprocesses expect. signal.signal(signal.SIGPIPE, signal.SIG_DFL) SSL_OPTIONS = { 'default': ssl.OP_ALL, 'tlsv1_1': ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1, 'tlsv1_2': ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1, 'tlsv1_3': ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2, } def select_ssl_version(version): """Returns SSL options for the most secure TSL version available on this Python version""" if version in SSL_OPTIONS: return SSL_OPTIONS[version] else: # It so happens that version names sorted lexicographically form a list # from the least to the most secure keys = list(SSL_OPTIONS.keys()) keys.sort() fallback = keys[-1] logger = logging.getLogger(WebSocketProxy.log_prefix) logger.warn("TLS version %s unsupported. Falling back to %s", version, fallback) return SSL_OPTIONS[fallback] def websockify_init(): # Setup basic logging to stderr. logger = logging.getLogger(WebSocketProxy.log_prefix) logger.propagate = False logger.setLevel(logging.INFO) stderr_handler = logging.StreamHandler() stderr_handler.setLevel(logging.DEBUG) log_formatter = logging.Formatter("%(message)s") stderr_handler.setFormatter(log_formatter) logger.addHandler(stderr_handler) # Setup optparse. usage = "\n %prog [options]" usage += " [source_addr:]source_port [target_addr:target_port]" usage += "\n %prog [options]" usage += " [source_addr:]source_port -- WRAP_COMMAND_LINE" parser = optparse.OptionParser(usage=usage) parser.add_option("--verbose", "-v", action="store_true", help="verbose messages") parser.add_option("--traffic", action="store_true", help="per frame traffic") parser.add_option("--record", help="record sessions to FILE.[session_number]", metavar="FILE") parser.add_option("--daemon", "-D", dest="daemon", action="store_true", help="become a daemon (background process)") parser.add_option("--run-once", action="store_true", help="handle a single WebSocket connection and exit") parser.add_option("--timeout", type=int, default=0, help="after TIMEOUT seconds exit when not connected") parser.add_option("--idle-timeout", type=int, default=0, help="server exits after TIMEOUT seconds if there are no " "active connections") parser.add_option("--cert", default="self.pem", help="SSL certificate file") parser.add_option("--key", default=None, help="SSL key file (if separate from cert)") parser.add_option("--key-password", default=None, help="SSL key password") parser.add_option("--ssl-only", action="store_true", help="disallow non-encrypted client connections") parser.add_option("--ssl-target", action="store_true", help="connect to SSL target as SSL client") parser.add_option("--verify-client", action="store_true", help="require encrypted client to present a valid certificate " "(needs Python 2.7.9 or newer or Python 3.4 or newer)") parser.add_option("--cafile", metavar="FILE", help="file of concatenated certificates of authorities trusted " "for validating clients (only effective with --verify-client). " "If omitted, system default list of CAs is used.") parser.add_option("--ssl-version", type="choice", default="default", choices=["default", "tlsv1_1", "tlsv1_2", "tlsv1_3"], action="store", help="minimum TLS version to use (default, tlsv1_1, tlsv1_2, tlsv1_3)") parser.add_option("--ssl-ciphers", action="store", help="list of ciphers allowed for connection. For a list of " "supported ciphers run `openssl ciphers`") parser.add_option("--unix-target", help="connect to unix socket target", metavar="FILE") parser.add_option("--inetd", help="inetd mode, receive listening socket from stdin", action="store_true") parser.add_option("--web", default=None, metavar="DIR", help="run webserver on same port. Serve files from DIR.") parser.add_option("--web-auth", action="store_true", help="require authentication to access webserver.") parser.add_option("--wrap-mode", default="exit", metavar="MODE", choices=["exit", "ignore", "respawn"], help="action to take when the wrapped program exits " "or daemonizes: exit (default), ignore, respawn") parser.add_option("--prefer-ipv6", "-6", action="store_true", dest="source_is_ipv6", help="prefer IPv6 when resolving source_addr") parser.add_option("--libserver", action="store_true", help="use Python library SocketServer engine") parser.add_option("--target-config", metavar="FILE", dest="target_cfg", help="Configuration file containing valid targets " "in the form 'token: host:port' or, alternatively, a " "directory containing configuration files of this form " "(DEPRECATED: use `--token-plugin TokenFile --token-source " " path/to/token/file` instead)") parser.add_option("--token-plugin", default=None, metavar="CLASS", help="use a Python class, usually one from websockify.token_plugins, " "such as TokenFile, to process tokens into host:port pairs") parser.add_option("--token-source", default=None, metavar="ARG", help="an argument to be passed to the token plugin " "on instantiation") parser.add_option("--host-token", action="store_true", help="use the host HTTP header as token instead of the " "token URL query parameter") parser.add_option("--auth-plugin", default=None, metavar="CLASS", help="use a Python class, usually one from websockify.auth_plugins, " "such as BasicHTTPAuth, to determine if a connection is allowed") parser.add_option("--auth-source", default=None, metavar="ARG", help="an argument to be passed to the auth plugin " "on instantiation") parser.add_option("--heartbeat", type=int, default=0, metavar="INTERVAL", help="send a ping to the client every INTERVAL seconds") parser.add_option("--log-file", metavar="FILE", dest="log_file", help="File where logs will be saved") parser.add_option("--syslog", default=None, metavar="SERVER", help="Log to syslog server. SERVER can be local socket, " "such as /dev/log, or a UDP host:port pair.") parser.add_option("--legacy-syslog", action="store_true", help="Use the old syslog protocol instead of RFC 5424. " "Use this if the messages produced by websockify seem abnormal.") (opts, args) = parser.parse_args() # Validate options. if opts.token_source and not opts.token_plugin: parser.error("You must use --token-plugin to use --token-source") if opts.host_token and not opts.token_plugin: parser.error("You must use --token-plugin to use --host-token") if opts.auth_source and not opts.auth_plugin: parser.error("You must use --auth-plugin to use --auth-source") if opts.web_auth and not opts.auth_plugin: parser.error("You must use --auth-plugin to use --web-auth") if opts.web_auth and not opts.web: parser.error("You must use --web to use --web-auth") if opts.legacy_syslog and not opts.syslog: parser.error("You must use --syslog to use --legacy-syslog") opts.ssl_options = select_ssl_version(opts.ssl_version) del opts.ssl_version if opts.log_file: # Setup logging to user-specified file. opts.log_file = os.path.abspath(opts.log_file) log_file_handler = logging.FileHandler(opts.log_file) log_file_handler.setLevel(logging.DEBUG) log_file_handler.setFormatter(log_formatter) logger.addHandler(log_file_handler) del opts.log_file if opts.syslog: # Determine how to connect to syslog... if opts.syslog.count(':'): # User supplied a host:port pair. syslog_host, syslog_port = opts.syslog.rsplit(':', 1) try: syslog_port = int(syslog_port) except ValueError: parser.error("Error parsing syslog port") syslog_dest = (syslog_host, syslog_port) else: # User supplied a local socket file. syslog_dest = os.path.abspath(opts.syslog) from websockify.sysloghandler import WebsockifySysLogHandler # Determine syslog facility. if opts.daemon: syslog_facility = WebsockifySysLogHandler.LOG_DAEMON else: syslog_facility = WebsockifySysLogHandler.LOG_USER # Start logging to syslog. syslog_handler = WebsockifySysLogHandler(address=syslog_dest, facility=syslog_facility, ident='websockify', legacy=opts.legacy_syslog) syslog_handler.setLevel(logging.DEBUG) syslog_handler.setFormatter(log_formatter) logger.addHandler(syslog_handler) del opts.syslog del opts.legacy_syslog if opts.verbose: logger.setLevel(logging.DEBUG) # Transform to absolute path as daemon may chdir if opts.target_cfg: opts.target_cfg = os.path.abspath(opts.target_cfg) if opts.target_cfg: opts.token_plugin = 'TokenFile' opts.token_source = opts.target_cfg del opts.target_cfg if sys.argv.count('--'): opts.wrap_cmd = args[1:] else: opts.wrap_cmd = None if not websockifyserver.ssl and opts.ssl_target: parser.error("SSL target requested and Python SSL module not loaded."); if opts.ssl_only and not os.path.exists(opts.cert): parser.error("SSL only and %s not found" % opts.cert) if opts.inetd: opts.listen_fd = sys.stdin.fileno() else: if len(args) < 1: parser.error("Too few arguments") arg = args.pop(0) # Parse host:port and convert ports to numbers if arg.count(':') > 0: opts.listen_host, opts.listen_port = arg.rsplit(':', 1) opts.listen_host = opts.listen_host.strip('[]') else: opts.listen_host, opts.listen_port = '', arg try: opts.listen_port = int(opts.listen_port) except ValueError: parser.error("Error parsing listen port") del opts.inetd if opts.wrap_cmd or opts.unix_target or opts.token_plugin: opts.target_host = None opts.target_port = None else: if len(args) < 1: parser.error("Too few arguments") arg = args.pop(0) if arg.count(':') > 0: opts.target_host, opts.target_port = arg.rsplit(':', 1) opts.target_host = opts.target_host.strip('[]') else: parser.error("Error parsing target") try: opts.target_port = int(opts.target_port) except ValueError: parser.error("Error parsing target port") if len(args) > 0 and opts.wrap_cmd == None: parser.error("Too many arguments") if opts.token_plugin is not None: if '.' not in opts.token_plugin: opts.token_plugin = ( 'websockify.token_plugins.%s' % opts.token_plugin) token_plugin_module, token_plugin_cls = opts.token_plugin.rsplit('.', 1) __import__(token_plugin_module) token_plugin_cls = getattr(sys.modules[token_plugin_module], token_plugin_cls) opts.token_plugin = token_plugin_cls(opts.token_source) del opts.token_source if opts.auth_plugin is not None: if '.' not in opts.auth_plugin: opts.auth_plugin = 'websockify.auth_plugins.%s' % opts.auth_plugin auth_plugin_module, auth_plugin_cls = opts.auth_plugin.rsplit('.', 1) __import__(auth_plugin_module) auth_plugin_cls = getattr(sys.modules[auth_plugin_module], auth_plugin_cls) opts.auth_plugin = auth_plugin_cls(opts.auth_source) del opts.auth_source # Create and start the WebSockets proxy libserver = opts.libserver del opts.libserver if libserver: # Use standard Python SocketServer framework server = LibProxyServer(**opts.__dict__) server.serve_forever() else: # Use internal service framework server = WebSocketProxy(**opts.__dict__) server.start_server() class LibProxyServer(ThreadingMixIn, HTTPServer): """ Just like WebSocketProxy, but uses standard Python SocketServer framework. """ def __init__(self, RequestHandlerClass=ProxyRequestHandler, **kwargs): # Save off proxy specific options self.target_host = kwargs.pop('target_host', None) self.target_port = kwargs.pop('target_port', None) self.wrap_cmd = kwargs.pop('wrap_cmd', None) self.wrap_mode = kwargs.pop('wrap_mode', None) self.unix_target = kwargs.pop('unix_target', None) self.ssl_target = kwargs.pop('ssl_target', None) self.token_plugin = kwargs.pop('token_plugin', None) self.auth_plugin = kwargs.pop('auth_plugin', None) self.heartbeat = kwargs.pop('heartbeat', None) self.token_plugin = None self.auth_plugin = None self.daemon = False # Server configuration listen_host = kwargs.pop('listen_host', '') listen_port = kwargs.pop('listen_port', None) web = kwargs.pop('web', '') # Configuration affecting base request handler self.only_upgrade = not web self.verbose = kwargs.pop('verbose', False) record = kwargs.pop('record', '') if record: self.record = os.path.abspath(record) self.run_once = kwargs.pop('run_once', False) self.handler_id = 0 for arg in kwargs.keys(): print("warning: option %s ignored when using --libserver" % arg) if web: os.chdir(web) super().__init__((listen_host, listen_port), RequestHandlerClass) def process_request(self, request, client_address): """Override process_request to implement a counter""" self.handler_id += 1 super().process_request(request, client_address) if __name__ == '__main__': websockify_init()