コード例 #1
ファイル: proxy.go プロジェクト: gwitmond/ecca-proxy
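// eccaProxy proxies the user's request and authenticates with the credentials we know.
//
// Plain http requests are upgraded to https before going upstream. A POST
// carrying an 'initiate-direct-connection', 'encrypt' or 'sign' parameter is
// handed to the matching handler; every other request is fetched from upstream.
//
// The returned response is what goproxy sends to the client. On the normal
// path the request return value is nil; on an error path the original request
// is returned together with a plain-text error response.
func eccaProxy(req *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
	ctx.Logf("Start-of-eccaProxy handler")
	// Only cookie names are logged; values may be session credentials.
	for _, c := range req.Cookies() {
		ctx.Logf("Cookie send by the client is: %#v", c.Name)
	}

	// set the scheme to https so we connect upstream securely
	if req.URL.Scheme == "http" {
		req.URL.Scheme = "https"
	}

	// Copy the body because we need it untouched. But we also need to parse
	// the POST parameters and that eats the original buffer with the body.
	// NOTE(review): the whole body is buffered in memory with no size cap, and
	// check is defined elsewhere - confirm it does not take the proxy down on
	// a client read error.
	body, err := ioutil.ReadAll(req.Body)
	check(err)
	req.Body.Close() // close it before replacing. Prevents leaking file descriptors.

	// Give the data back immediately so ParseForm has something to read.
	req.Body = ioutil.NopCloser(bytes.NewReader(body))

	// Read the parameters
	parseErr := req.ParseForm()                        // eats req.Body
	req.Body = ioutil.NopCloser(bytes.NewReader(body)) // copy back in again
	if parseErr != nil {
		ctx.Warnf("There was an error parsing the request parameters: %v", parseErr)
		if req.Method == "POST" {
			// Fail closed: with unparsed parameters we cannot tell whether the
			// page asked for 'encrypt' or 'sign', and forwarding the POST
			// as-is could publish the message in the clear or unsigned.
			return req, goproxy.NewResponse(req,
				goproxy.ContentTypeText, http.StatusBadRequest,
				"Could not parse the request parameters!")
		}
	}

	// Check for POST method with 'encrypt', 'sign' or 'initiate-direct-connection' parameter.
	if req.Method == "POST" {
		switch {
		case req.Form.Get("initiate-direct-connection") == "required":
			// create a direct connection listener, awaiting reply
			return initiateDirectConnection(req)
		case req.Form.Get("encrypt") == "required":
			// transparently encrypt and sign for a private message
			return encryptMessage(req)
		case req.Form.Get("sign") == "required" || req.Form.Get("sign") == "optional":
			// transparently sign the message before publication
			return signMessage(req, ctx)
		}
	}

	// Fetch the request from upstream
	resp, err := fetchRequest(req, ctx)
	if err != nil {
		ctx.Warnf("There was an error fetching the users' request: %v", err)
		return req, goproxy.NewResponse(req,
			goproxy.ContentTypeText, http.StatusInternalServerError,
			"Some server error!")
	}

	// Log the status line only: formatting the whole response with %#v prints
	// the header map, Set-Cookie values included, into the proxy log.
	ctx.Logf("response status is %s", resp.Status)
	for _, c := range resp.Cookies() {
		ctx.Logf("Cookie send by the server is: %#v\n", c.Name)
	}
	ctx.Logf("End-of-eccaProxy handler")
	return nil, resp // let goproxy send our response
}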
コード例 #2
ファイル: adstop.go プロジェクト: chinanjjohn2012/adblock
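// GetConfig returns the TLS configuration for host, keyed by the result of
// getWildcardHost(host). The first caller for a key builds the configuration
// with c.cfgBuilder; callers that arrive while it is being built, or after it
// is cached, wait on the entry's Ready channel and share the result.
//
// It returns an error when the builder fails. A failed entry is removed from
// the cache, so a later call triggers a new build.
func (c *TLSConfigCache) GetConfig(host string, ctx *goproxy.ProxyCtx) (*tls.Config, error) {
	host = getWildcardHost(host)
	c.lock.Lock()
	cached, ok := c.cache[host]
	if ok {
		c.hit++
	} else {
		// Register a config generation event so concurrent callers for the
		// same key wait on Ready instead of starting a second build.
		cached = CachedConfig{
			Ready: make(chan struct{}),
		}
		c.cache[host] = cached
		c.miss++
	}
	hit, miss := c.hit, c.miss
	c.lock.Unlock()

	ctx.Warnf("signing hit/miss: %d/%d (%.1f%%)", hit, miss,
		100.0*float64(hit)/float64(hit+miss))
	if ok {
		// config is being generated or is ready, wait for it
		<-cached.Ready

		// The cache stores CachedConfig by value and the builder publishes its
		// result by replacing the map entry, so the copy taken above still has
		// a nil Config if we arrived during the build. Re-read the entry, and
		// accept it only if it belongs to the generation we waited on.
		c.lock.Lock()
		current, found := c.cache[host]
		c.lock.Unlock()
		if !found || current.Ready != cached.Ready || current.Config == nil {
			return nil, fmt.Errorf("failed to generate TLS config for %s", host)
		}
		return current.Config, nil
	}

	// Generate it
	start := time.Now()
	cfg, err := c.cfgBuilder(host, ctx)
	elapsed := time.Since(start)
	ctx.Warnf("signing %s in %.0fms", host,
		float64(elapsed)/float64(time.Millisecond))

	c.lock.Lock()
	if err == nil {
		c.cache[host] = CachedConfig{
			Config: cfg,
			Ready:  cached.Ready,
		}
	} else {
		delete(c.cache, host)
		ctx.Warnf("failed to sign %s: %s", host, err)
	}
	// Publish the result (or the removal) before waking the waiters.
	// NOTE(review): if cfgBuilder panics, Ready is never closed and waiters
	// for this key block forever - confirm the builder cannot panic.
	close(cached.Ready)
	c.lock.Unlock()
	return cfg, err
}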