Commit Graph

204 Commits

Author SHA1 Message Date
Alexander Bersenev
014e450e62 change readme 2019-08-21 02:03:55 +05:00
Alexander Bersenev
04491f8a6a use hand-made random generator to make randoms more unpredictable 2019-08-20 01:58:19 +05:00
Alexander Bersenev
e081d6b727 generate plausible x25519 public key for server hello also 2019-08-19 21:48:54 +05:00
Alexander Bersenev
ea28a7055a small readme fixes 2019-08-19 19:16:36 +05:00
Alexander Bersenev
45cb849ca9 change tls status from experimental to new 2019-08-19 18:50:52 +05:00
Alexander Bersenev
e66818326e generate plausible keys in the key share extension 2019-08-19 17:48:10 +05:00
Alexander Bersenev
4a1bf1ec6a print warning about default settings on stderr 2019-08-19 04:59:05 +05:00
Alexander Bersenev
854aaa1f24 add flush on print 2019-08-19 04:57:48 +05:00
Alexander Bersenev
5b0ad45cb9 cosmetic fix 2019-08-19 04:56:37 +05:00
Alexander Bersenev
26e00a7409 give some advice about non-secure settings on startup 2019-08-19 04:55:09 +05:00
Alexander Bersenev
ac6d20a897 redesign exception handling logic in handle_bad_client 2019-08-19 04:13:50 +05:00
Alexander Bersenev
06ed40c815 handle unknown ip situation, for example for unix-sockets 2019-08-19 03:44:08 +05:00
Alexander Bersenev
1938c7d3bb change comment 2019-08-19 03:33:04 +05:00
Alexander Bersenev
01fd1a34c2 be more clear about proxy protocol usage 2019-08-19 03:31:10 +05:00
Alexander Bersenev
1a0977b10e handle the connection resets 2019-08-19 00:25:54 +05:00
Alexander Bersenev
9dc8521c18 copy the way the mask server closes the tcp connection to the client 2019-08-18 21:59:33 +05:00
Alexander Bersenev
4169e6acab move the import to the top of the file 2019-08-17 15:20:05 +05:00
Vladislav Grishenko
121a8974de add unix socket support (#127)
Config option LISTEN_UNIX_SOCK = "/path/to/socket.file" allows listening
on the specified unix socket in addition to (or instead of) the configured ip
addresses. Listening on a socket can be useful for connections from a local
reverse proxy w/o wasting tcp ports and network subsystem resources just
for inter-process communication.
Default value is empty - socket not used.
2019-08-17 15:11:49 +05:00
Alexander Bersenev
fdf5efe3d2 change max tls record size to make it look like it complies with https://tools.ietf.org/html/rfc8446#section-5.2 instead of section 5.1 2019-08-17 14:42:49 +05:00
Alexander Bersenev
015d0a2012 be more tolerant of time skew. This should cover 90% of cases 2019-08-17 13:21:57 +05:00
Alexander Bersenev
dcad0bd51b if the client time is skewed, just print a message for a while. Additional analysis needed 2019-08-17 04:48:17 +05:00
Alexander Bersenev
da9e51ed03 better error texts 2019-08-17 02:07:17 +05:00
Alexander Bersenev
59306e6e67 take cert length from the masked host 2019-08-16 20:25:23 +05:00
Alexander Bersenev
7502d1dc31 add one more message about the client time skew 2019-08-16 18:11:50 +05:00
Alexander Bersenev
9df42cda79 time based protection against replay attack 2019-08-16 18:01:20 +05:00
Alexander Bersenev
a65f7a8e17 add one more nonce in the reserved nonces list 2019-08-16 16:45:22 +05:00
Alexander Bersenev
8a4bc77125 make default client handshake timeout random 2019-08-16 16:23:14 +05:00
Alexander Bersenev
294cb65738 rename the function from pseudo tls to the fake tls to make the terminology consistent 2019-08-16 16:15:09 +05:00
Alexander Bersenev
559c577df1 early break if the protocol is not tls 2019-08-16 15:17:07 +05:00
Alexander Bersenev
ccc8c3fb14 read initial tls header byte by byte 2019-08-16 15:07:27 +05:00
Alexander Bersenev
e061cd81c4 optimize reading a handshake by detecting tls early 2019-08-15 18:26:56 +05:00
Alexander Bersenev
7527d402d6 mimic tls 1.3 instead of tls 1.2 to bypass the unencrypted certificates problem 2019-08-15 16:23:44 +05:00
Vladislav Grishenko
f51a4bfe34 Add proxy protocol v1/v2 support (#119)
* add proxy protocol v1/v2 support

With fake-tls enabled, it was still quite hard to use mtprotoproxy
as a backend behind some reverse https/tls proxy (nginx, haproxy, etc)
because it still needs client address & port info.
With nginx already configured to use stream proxy with proxy protocol,
it was impossible to connect due to the additional proxy header transmission
before the real handshake.
Adding general support of proxy protocol fixed both issues.

New config option PROXY_PROTOCOL = True enables transparent support;
unproxied incoming connections will still be accepted.
Since the reverse proxy needs to be trusted, the option is disabled by default.

References:
* https://www.haproxy.com/blog/haproxy/proxy-protocol/
* http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

* slightly optimize proxy v1 error path

* rework proxy handler

* deny direct connection with enabled PROXY_PROTOCOL per specs
* simplify proxy header checking
* use textual form of proxy v1 header
* drop useless find() call

* fix client address logging
2019-08-14 23:03:01 +05:00
Alexander Bersenev
d9fa5b222a remove unused variable 2019-08-14 04:07:36 +05:00
Alexander Bersenev
91ec36653e add slots to classes, thanks to MrMrRobat 2019-08-14 03:59:44 +05:00
Allineer
e43ae99911 Fix default port in the main script.
Different port in main and config files. It's changed to 3256.
2019-08-13 16:42:14 +05:00
Alexander Bersenev
ab52521a25 change the tls links to hex encoding until base64 is fixed 2019-08-13 16:26:38 +05:00
Alexander Bersenev
53184470e9 fixed cached readings in fake tls 2019-08-13 15:23:47 +05:00
Alexander Bersenev
48330f1e8a shrunk max tls record size according to https://tools.ietf.org/html/rfc8446#section-5.1 2019-08-13 03:31:49 +05:00
Alexander Bersenev
4e2cb87685 change the comment 2019-08-13 02:52:41 +05:00
Alexander Bersenev
a030ae2978 redirect bad clients to some host 2019-08-13 02:06:17 +05:00
Alexander Bersenev
3d8961316e use urlsafe version of base64 encoder 2019-08-11 21:28:55 +05:00
Alexander Bersenev
d7c163c0dc add tls only mode 2019-08-11 21:22:10 +05:00
Alexander Bersenev
80062c95bc print proxy addresses and logins on reload 2019-07-26 14:51:41 +05:00
Alexander Bersenev
c1fdc4c0a3 move setting instant rst into a function 2019-07-25 02:09:10 +05:00
Alexander Bersenev
f5d41e9aa7 close tcp connection with rst when tls failed 2019-07-25 02:05:04 +05:00
Alexander Bersenev
4e754a75bd add an experimental note for the new proto 2019-07-24 03:16:03 +05:00
Alexander Bersenev
1a934f992d add fake-tls mode 2019-07-24 03:03:36 +05:00
Alexander Bersenev
c543bc1c3d launch script explicitly using python 2019-07-23 18:01:44 +05:00
Alexander Bersenev
96ba65aba0 add one more reserved string in the nonce beginnings 2019-07-23 10:26:58 +05:00