// 回写Request内容
func (self *Param) writeback(resp *http.Response) *http.Response {
	if resp == nil {
		resp = new(http.Response)
		resp.Request = new(http.Request)
	} else if resp.Request == nil {
		resp.Request = new(http.Request)

	resp.Request.Method = self.method
	resp.Request.Header = self.header
	resp.Request.Host = self.url.Host

	return resp
// FileFetcher's Fetch() implementation
func (this *fileFetcherExtender) Fetch(u *url.URL, userAgent string, headRequest bool) (*http.Response, error) {
	var res *http.Response = new(http.Response)
	var req *http.Request
	var e error

	if req, e = http.NewRequest("GET", u.String(), nil); e != nil {

	// Prepare the pseudo-request
	req.Header.Add("User-Agent", userAgent)

	// Open the file specified as path in u, relative to testdata/[host]/
	f, e := os.Open(path.Join(FileFetcherBasePath, u.Host, u.Path))
	if e != nil {
		// Treat errors as 404s - file not found
		res.Status = "404 Not Found"
		res.StatusCode = 404
	} else {
		res.Status = "200 OK"
		res.StatusCode = 200
		res.Body = f
	res.Request = req

	return res, e
func (rt *RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	var (
		hashname = hashname.H(req.URL.Host)
		c        *e3x.Channel
		resp     *http.Response
		err      error

	x := rt.Endpoint.GetExchange(hashname)
	if x == nil {
		return nil, e3x.UnreachableEndpointError(hashname)

	c, err = x.Open("thtp", true)
	if err != nil {
		return nil, err

	err = rt.writeRequest(req, c)
	if err != nil {
		return nil, err

	resp, err = rt.readResponse(c)
	if err != nil {
		return nil, err

	resp.Request = req
	return resp, nil
// ResponderFromResponse wraps an *http.Response in a Responder
func ResponderFromResponse(resp *http.Response) Responder {
	return func(req *http.Request) (*http.Response, error) {
		res := new(http.Response)
		*res = *resp
		res.Request = req
		return res, nil
func RedirectResponse(req *http.Request, url string) *http.Response {
	res := new(http.Response)
	res.StatusCode = 302
	res.ProtoMajor = 1
	res.ProtoMinor = 1
	res.ContentLength = 0
	res.Request = req
	res.Header = make(map[string][]string)
	res.Header.Set("Location", url)
	return res
func (c *filterContext) Serve(res *http.Response) {
	res.Request = c.Request()

	if res.Header == nil {
		res.Header = make(http.Header)

	if res.Body == nil {
		res.Body = &bodyBuffer{&bytes.Buffer{}}

	c.servedWithResponse = true
	c.res = res
func SimpleResponse(req *http.Request, status int, headers http.Header, body string) *http.Response {
	res := new(http.Response)
	body_rdr := (*fixedResBody)(strings.NewReader(body))
	res.StatusCode = status
	res.ProtoMajor = 1
	res.ProtoMinor = 1
	res.ContentLength = int64((*strings.Reader)(body_rdr).Len())
	res.Request = req
	res.Header = make(map[string][]string)
	res.Body = body_rdr
	if headers != nil {
		res.Header = headers
	return res
// Generate an http.Response using the basic fields
func SimpleResponse(req *http.Request, status int, headers http.Header, contentLength int64, body io.Reader) *http.Response {
	res := new(http.Response)
	res.StatusCode = status
	res.ProtoMajor = 1
	res.ProtoMinor = 1
	res.ContentLength = contentLength
	res.Request = req
	res.Header = make(map[string][]string)
	if body_rdr, ok := body.(io.ReadCloser); ok {
		res.Body = body_rdr
	} else if body != nil {
		res.Body = ioutil.NopCloser(body)
	if headers != nil {
		res.Header = headers
	return res
func (r *response) Response() *http.Response {
	if r.Data == nil {
		r.Data = new(bytes.Buffer)
	out := new(http.Response)
	out.Status = fmt.Sprintf("%d %s", r.StatusCode, http.StatusText(r.StatusCode))
	out.StatusCode = r.StatusCode
	out.Proto = "HTTP/1.1"
	out.ProtoMajor = 1
	out.ProtoMinor = 1
	out.Header = r.Header
	out.Body = &readCloser{r.Data}
	out.ContentLength = int64(r.Data.Len())
	out.TransferEncoding = nil
	out.Close = true
	out.Trailer = make(http.Header)
	out.Request = r.Request
	return out
func (p *MockResponseWriter) String() string {
	resp := new(http.Response)
	resp.StatusCode = p.StatusCode
	resp.Proto = "HTTP/1.1"
	resp.ProtoMajor = 1
	resp.ProtoMinor = 1
	resp.Header = p.Headers
	resp.Body = ioutil.NopCloser(bytes.NewBuffer(p.Buffer.Bytes()))
	resp.ContentLength = int64(p.Buffer.Len())
	if p.Headers.Get("Transfer-Encoding") != "" {
		resp.TransferEncoding = []string{p.Headers.Get("Transfer-Encoding")}
	} else {
		resp.TransferEncoding = nil
	resp.Close = p.Headers.Get("Connection") == "close"
	resp.Trailer = make(http.Header)
	resp.Request = p.Request
	b, _ := httputil.DumpResponse(resp, true)
	return string(b)
func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	var err error

	remoteAddr := req.RemoteAddr

	// Prepare filter.Context
	ctx := filters.NewContext(req.Context(), h, h.Listener, rw, h.Branding)
	req = req.WithContext(ctx)

	// Enable transport http proxy
	if req.Method != "CONNECT" && !req.URL.IsAbs() {
		if req.URL.Scheme == "" {
			if req.TLS != nil && req.ProtoMajor == 1 {
				req.URL.Scheme = "https"
			} else {
				req.URL.Scheme = "http"

		if req.TLS != nil {
			if req.Host == "" {
				if req.URL.Host != "" {
					req.Host = req.URL.Host
				} else {
					req.Host = req.TLS.ServerName
			if req.URL.Host == "" {
				if req.Host != "" {
					req.URL.Host = req.Host
				} else {
					req.URL.Host = req.TLS.ServerName

	// Filter Request
	for _, f := range h.RequestFilters {
		ctx, req, err = f.Request(ctx, req)
		if req == filters.DummyRequest {
		if err != nil {
			if err != io.EOF {
				glog.Errorf("%s Filter Request %T error: %+v", remoteAddr, f, err)
		// Update context for request
		req = req.WithContext(ctx)

	if req.Body != nil {
		defer req.Body.Close()

	// Filter Request -> Response
	var resp *http.Response
	for _, f := range h.RoundTripFilters {
		ctx, resp, err = f.RoundTrip(ctx, req)
		if resp == filters.DummyResponse {
		// Unexcepted errors
		if err != nil {
			filters.SetRoundTripFilter(ctx, f)
			glog.Errorf("%s Filter RoundTrip %T error: %+v", remoteAddr, f, err)
			http.Error(rw, h.FormatError(ctx, err), http.StatusBadGateway)
		// Update context for request
		req = req.WithContext(ctx)
		// A roundtrip filter give a response
		if resp != nil {
			resp.Request = req
			filters.SetRoundTripFilter(ctx, f)

	// Filter Response
	for _, f := range h.ResponseFilters {
		if resp == nil || resp == filters.DummyResponse {
		ctx, resp, err = f.Response(ctx, resp)
		if err != nil {
			glog.Errorln("%s Filter %T Response error: %+v", remoteAddr, f, err)
			http.Error(rw, h.FormatError(ctx, err), http.StatusBadGateway)
		// Update context for request
		req = req.WithContext(ctx)

	if resp == nil {
		glog.Errorln("%s Handler %#v Response empty response", remoteAddr, h)
		http.Error(rw, h.FormatError(ctx, fmt.Errorf("empty response")), http.StatusBadGateway)

	if resp.Header.Get("Content-Length") == "" && resp.ContentLength >= 0 {
		resp.Header.Set("Content-Length", strconv.FormatInt(resp.ContentLength, 10))
	for key, values := range resp.Header {
		for _, value := range values {
			rw.Header().Add(key, value)
	if resp.Body != nil {
		defer resp.Body.Close()
		n, err := helpers.IOCopy(rw, resp.Body)
		if err != nil {
			if isClosedConnError(err) {
				glog.Infof("IOCopy %#v return %#v %T(%v)", resp.Body, n, err, err)
			} else {
				glog.Warningf("IOCopy %#v return %#v %T(%v)", resp.Body, n, err, err)
// ReadResponse reads an HTTP response. The header is taken from h,
// which must include the SPDY-specific fields starting with ':'.
// If r is not nil, the body will be read from r. If t is not nil,
// the trailer will be taken from t after the body is finished.
func ReadResponse(h, t http.Header, r io.Reader, req *http.Request) (*http.Response, error) {
	for _, s := range badRespHeaderFields {
		if _, ok := h[s]; ok {
			return nil, &badStringError{"invalid header field", s}

	var err error
	resp := new(http.Response)
	resp.Request = req
	resp.Close = true
	resp.Header = make(http.Header)
	copyHeader(resp.Header, h)
	f := strings.SplitN(h.Get(":status"), " ", 2)
	var s string
	if len(f) > 1 {
		s = f[1]
	resp.Status = f[0] + " " + s
	resp.StatusCode, err = strconv.Atoi(f[0])
	if err != nil {
		return nil, &badStringError{"malformed HTTP status code", f[0]}
	resp.Proto = h.Get(":version")
	var ok bool
	resp.ProtoMajor, resp.ProtoMinor, ok = http.ParseHTTPVersion(resp.Proto)
	if !ok {
		return nil, &badStringError{"malformed HTTP version", resp.Proto}

	realLength, err := fixLength(true, resp.StatusCode, req.Method, resp.Header)
	if err != nil {
		return nil, err
	if req.Method == "HEAD" {
		if n, err := parseContentLength(h.Get("Content-Length")); err != nil {
			return nil, err
		} else {
			resp.ContentLength = n
	} else {
		resp.ContentLength = realLength

	switch {
	case realLength == 0:
		r = eofReader
	case realLength > 0:
		if r == nil {
			// TODO(kr): return error
		r = io.LimitReader(r, realLength)
	if r == nil {
		r = eofReader
	body := &body{r: r}
	resp.Body = body
	if t != nil {
		body.hdr = resp
		body.trailer = t
	return resp, nil
func filterByUrl(w icap.ResponseWriter, req *icap.Request) {
	h := w.Header()
	h.Set("ISTag", ISTag)
	h.Set("Service", "SquidBlocker filter ICAP service")

	if *debug {
		fmt.Fprintln(os.Stderr, "Printing the full ICAP request")
		fmt.Fprintln(os.Stderr, req)
		fmt.Fprintln(os.Stderr, req.Request)
	switch req.Method {
	case "OPTIONS":
		h.Set("Methods", "REQMOD, RESPMOD")
		h.Set("Options-TTL", "1800")
		h.Set("Allow", "204")
		h.Set("Preview", "0")
		h.Set("Transfer-Preview", "*")
		h.Set("Max-Connections", "4000")
		h.Set("X-Include", "X-Client-IP, X-Authenticated-Groups, X-Authenticated-User, X-Subscriber-Id")
		w.WriteHeader(200, nil, false)
	case "REQMOD":

		// Check if the method is either OPTIONS\GET\POST\PUT etc
		// Also to analyse the request stucutre to verify what is the current one used
		// based on the RFC section at: http://tools.ietf.org/html/rfc7230#section-5.3
		// Treat the CONNECT method in a special way due to the fact that it cannot actually be modified.
		checkhost := ""
		port := "0"
		answer := *defaultAnswer
		var err error
		if *debug {
			fmt.Fprintln(os.Stderr, "Default CASE. Request to host: "+req.Request.URL.Host+", Request Method: "+req.Request.Method)
			fmt.Fprintln(os.Stderr, "The full url from the ICAP client request: "+req.Request.URL.String())

		checkhost, port, err = net.SplitHostPort(req.Request.URL.Host)
		if err != nil {
			_ = err
			checkhost = req.Request.URL.Host

		if port != "0" {
			if *debug {
				fmt.Fprintln(os.Stderr, "Rquest with port: "+port)

		if req.Request.Method == "CONNECT" && len(checkhost) > 0 && port != "0" {
			answer = check_tcp(checkhost, port)
		} else {
			answer = check(req.Request.URL.String())

		if *debug {
			fmt.Fprintln(os.Stderr, "ERRlog: reporting answer size => "+strconv.Itoa(len(answer)))
			fmt.Fprintln(os.Stderr, "ERRlog: reporitng answer => "+answer+", for =>"+req.Request.URL.String())

		// The next part comes to make sure that a DUNO respnse will be handled as the default answer/action
		if strings.HasPrefix(answer, "DUNO") {
			answer = *defaultAnswer + " rate=100 default_answer=yes"
			if *debug {
				fmt.Fprintln(os.Stderr, "ERRlog: reporting answer startsWith => \"DUNO\", taking default action")
				if len(*defaultAnswer) > 0 {
					fmt.Fprintln(os.Stderr, req.Request.URL.String()+" "+*defaultAnswer+" rate=40 default_answer=yes")
				} else {
					fmt.Fprintln(os.Stderr, req.Request.URL.String()+" OK state=DUNO")

		if strings.HasPrefix(answer, "OK") {
			if *debug {
				fmt.Fprintln(os.Stderr, "OK response and sending 204 back")
			w.WriteHeader(204, nil, false)
		if strings.HasPrefix(answer, "ERR") {
			if *debug {
				fmt.Fprintln(os.Stderr, "ERR response and sending 307 redirection back")
			resp := new(http.Response)
			resp.Status = "307 SquidBlocker this url has been filtered!"
			resp.StatusCode = 307
			resp.Proto = "HTTP/1.1"
			resp.ProtoMajor = 1
			resp.ProtoMinor = 1
			myMap := make(map[string][]string)
			//What if it is a connect request
			myMap["Location"] = append(myMap["Location"], *block_page+"?url="+url.QueryEscape(req.Request.URL.String()))
			resp.Header = myMap
			//resp.Body = ioutil.NopCloser(bytes.NewBufferString(body))
			//resp.ContentLength = int64(len(body))
			resp.Request = req.Request
			w.WriteHeader(200, resp, true)
		if *debug {
			fmt.Fprintln(os.Stderr, "Unknown asnwer and scenario, not adapting the request")
		w.WriteHeader(204, nil, false)
	case "RESPMOD":
		w.WriteHeader(204, nil, false)
		w.WriteHeader(405, nil, false)
		if *debug {
			fmt.Fprintln(os.Stderr, "Invalid request method")
// This is the RoundTrip() call when we are in replay mode.
func (r *roundTripper) replay(req *http.Request) (*http.Response, error) {
	// Ensure that the replay system is setup.

	// Read the body into a buffer.
	buffer := &bytes.Buffer{}
	var reqErr error
	if req.Body != nil {
		_, reqErr = io.Copy(buffer, req.Body)

	// Since this function deals with the requestList we need to lock.
	defer requestLock.Unlock()

	// Figure out which match function to use.
	f := Matcher
	if f == nil {
		f = matcher

	// Walk through the objects in our archive list and see if any of them
	// match the incoming request.
	rrSource := &RequestResponse{
		Request:          req,
		RequestBody:      buffer.Bytes(),
		RequestBodyError: reqErr,

	var rrMatch *RequestResponse
	for _, rr := range requestList {
		if f(rrSource, rr) {
			rrMatch = rr
	if rrMatch == nil {
		messageLines := []string{
			"Matcher didn't match any execeted queries.\n",
			"Details of the failed request:",
			fmt.Sprintf("URL: %s", req.URL.String()),
			fmt.Sprintf("Method: %s", req.Method),
		if len(req.Header) > 0 {
			messageLines = append(messageLines, "\nHeaders:")
			for key, value := range req.Header {
				messageLines = append(messageLines,
					fmt.Sprintf("    %s: %s", key, strings.Join(value, ", ")))
		if len(req.Trailer) > 0 {
			messageLines = append(messageLines, "\nTrailers:")
			for key, value := range req.Trailer {
				messageLines = append(messageLines,
					fmt.Sprintf("    %s: %s", key, strings.Join(value, ", ")))
		if len(buffer.Bytes()) > 0 {
			// This block is written a little funky in order to make testing
			// easier since it doesn't if/else as much.
			messageLines = append(messageLines, "Body:")
			length := len(buffer.Bytes())
			warning := ""
			if length > 512 {
				length = 512
				warning = "... (content truncated by dvr)"
			messageLines = append(messageLines,
		panicIfError(fmt.Errorf(strings.Join(messageLines, "\n")))

	// Check to see if the response was an error when recorded.
	if rrMatch.Response == nil {
		return nil, rrMatch.Error

	// Setup our response object.
	resp := new(http.Response)
	*resp = *rrMatch.Response
	resp.Request = req

	// Lastly we need to setup a bodyWriter for the Body. This will allow the
	// client to read the body we captured and it will return the error we
	// captured (if any) rather than EOF.
	resp.Body = &bodyWriter{
		data: rrMatch.ResponseBody,
		err:  rrMatch.ResponseBodyError,

	// And lastly we return the response.
	return resp, rrMatch.Error
func toShadowD(w icap.ResponseWriter, req *icap.Request) {
	local_debug := false
	if strings.Contains(req.URL.RawQuery, "debug=1") {
		local_debug = true

	h := w.Header()
	h.Set("ISTag", ISTag)
	h.Set("Service", "Shadower ICAP to WAF Connector")

	if *debug {
		fmt.Fprintln(os.Stderr, "Printing the full ICAP request")
		fmt.Fprintln(os.Stderr, req)
		fmt.Fprintln(os.Stderr, req.Request)
		fmt.Fprintln(os.Stderr, req.Response)
	switch req.Method {
	case "OPTIONS":
		h.Set("Methods", "REQMOD")
		h.Set("Options-TTL", "1800")
		h.Set("Allow", "204, 206")
		h.Set("Preview", "0")
		h.Set("Transfer-Preview", "*")
		h.Set("Max-Connections", *maxConnections)
		h.Set("X-Include", "X-Client-Ip, X-Authenticated-Groups, X-Authenticated-User, X-Subscriber-Id")
		w.WriteHeader(200, nil, false)
	case "REQMOD":
		modified := false
		nullBody := false
		allow206 := false
		allow204 := false
		xclientip := false

		if _, allow204Exists := req.Header["Allow"]; allow204Exists {
			if strings.Contains(req.Header["Allow"][0], "204") {
				allow204 = true

		if _, allow206Exists := req.Header["Allow"]; allow206Exists {
			if strings.Contains(req.Header["Allow"][0], "206") {
				allow206 = true

		if _, xclientipExists := req.Header["X-Client-Ip"]; xclientipExists {
			if len(req.Header["X-Client-Ip"][0]) > 1 {
				xclientip = true

		if _, encapsulationExists := req.Header["Encapsulated"]; encapsulationExists {
			if strings.Contains(req.Header["Encapsulated"][0], "null-body=") {
				nullBody = true

		if *debug || local_debug {
			for k, v := range req.Header {
				fmt.Fprintln(os.Stderr, "The ICAP headers:")
				fmt.Fprintln(os.Stderr, "key size:", len(req.Header[k]))
				fmt.Fprintln(os.Stderr, "key:", k, "value:", v)

		_, _, _, _ = nullBody, allow206, modified, allow204
		if xclientip {
			req.Request.RemoteAddr = req.Header["X-Client-Ip"][0]

		if wrongMethod(req) {
			if *debug {
				fmt.Println("This request has a", req.Request.Method, "method which is not being analyzed")
			w.WriteHeader(204, nil, false)

		if *debug || local_debug {
			for k, v := range req.Request.Header {
				fmt.Fprintln(os.Stderr, "key:", k, "value:", v)

		// Send the request to ShadowD
		// If an attack(5,6) was declared then send a custom 500 page
		// If OK then send a 204 back
		var resStatus = 1
		shodowdres, err := shadowServer.SendToShadowd(req.Request)
		newmap := make(map[string]interface{})
		err = json.Unmarshal([]byte(shodowdres), &newmap)
		if err != nil {

		switch int(newmap["status"].(float64)) {
		case shadowd.STATUS_OK:
			if *debug || local_debug {
				fmt.Println("Request reported, OK")
			w.WriteHeader(204, nil, false)
		case shadowd.STATUS_BAD_REQUEST:
			resStatus = 400
		case shadowd.STATUS_BAD_SIGNATURE:
			resStatus = 503
		case shadowd.STATUS_BAD_JSON:
			resStatus = 504
		case shadowd.STATUS_ATTACK:
			resStatus = 505
			resStatus = 506
			resStatus = 500

		resp := new(http.Response)
		resp.Status = "Internal Server Error"
		resp.StatusCode = resStatus
		resp.Proto = req.Request.Proto
		resp.ProtoMajor = req.Request.ProtoMajor
		resp.ProtoMinor = req.Request.ProtoMinor
		resp.Request = req.Request
		myHeaderMap := make(map[string][]string)
		resp.Header = myHeaderMap
		resp.Header.Set("X-Ngtech-Proxy", "Shadower")
		resp.Header.Set("X-Shadower", strconv.Itoa(resStatus))
		resp.Header.Set("Content-Type", "text/html")
		resp.Header.Set("Content-Length", strconv.Itoa(len(internalerrorpage)))
		w.WriteHeader(200, resp, true)
		io.WriteString(w, internalerrorpage)

		if *debug {
			fmt.Println("end of the line 204 response!.. Shouldn't happen.")
		w.WriteHeader(204, nil, false)
	case "RESPMOD":
		w.WriteHeader(204, nil, false)
		w.WriteHeader(405, nil, false)
		if *debug || local_debug {
			fmt.Fprintln(os.Stderr, "Invalid request method")
func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	var err error

	remoteAddr := req.RemoteAddr

	// Prepare filter.Context
	ctx := filters.NewContext(h.Listener, rw, req)

	// Enable transport http proxy
	if req.Method != "CONNECT" && !req.URL.IsAbs() {
		if req.URL.Scheme == "" {
			if req.TLS != nil && req.ProtoMajor == 1 {
				req.URL.Scheme = "https"
			} else {
				req.URL.Scheme = "http"
		if req.URL.Host == "" {
			if req.Host != "" {
				req.URL.Host = req.Host
			} else {
				if req.TLS != nil {
					req.URL.Host = req.TLS.ServerName

	// Filter Request
	for _, f := range h.RequestFilters {
		ctx, req, err = f.Request(ctx, req)
		// A roundtrip filter hijacked
		if ctx.Hijacked() {
		if err != nil {
			if err != io.EOF {
				glog.Errorf("%s Filter Request %T(%v) error: %v", remoteAddr, f, f, err)

	// Filter Request -> Response
	var resp *http.Response
	for _, f := range h.RoundTripFilters {
		ctx, resp, err = f.RoundTrip(ctx, req)
		// A roundtrip filter hijacked
		if ctx.Hijacked() {
		// Unexcepted errors
		if err != nil {
			glog.Errorf("%s Filter RoundTrip %T(%v) error: %v", remoteAddr, f, f, err)
		// A roundtrip filter give a response
		if resp != nil {
			resp.Request = req

	// Filter Response
	for _, f := range h.ResponseFilters {
		if resp == nil {
		ctx, resp, err = f.Response(ctx, resp)
		if err != nil {
			glog.Errorf("%s Filter Response %T(%v) error: %v", remoteAddr, f, f, err)

	if resp == nil {

	for key, values := range resp.Header {
		for _, value := range values {
			rw.Header().Add(key, value)
	if resp.Body != nil {
		defer resp.Body.Close()
		n, err := IoCopy(rw, resp.Body)
		if err != nil {
			glog.Errorf("IoCopy %#v return %#v %s", resp.Body, n, err)
func (r *Response) Response() *http.Response {
	out := new(http.Response)

	out.Status = fmt.Sprintf("%d %s", r.StatusCode, http.StatusText(r.StatusCode))
	out.StatusCode = r.StatusCode
	out.Header = r.Header

	out.Proto = "HTTP/1.1"
	out.ProtoMajor = 1
	out.ProtoMinor = 1

	if r.data == nil {
		out.Body = &ReadCloser{new(bytes.Buffer)}
	} else if unrequestedGzip(r) {
		// User-agents MUST support gzip compression.
		// Regardless of the Accept-Encoding sent by the user-agent, the server may
		// always send content encoded with gzip or deflate encoding.
		out.ContentLength = -1
		out.Body = &gzipReader{body: r.data}
	} else {
		out.Body = r.data
		out.ContentLength = r.data.written

	out.TransferEncoding = nil
	out.Close = true
	out.Trailer = make(http.Header)
	out.Request = r.Request
	return out