NOISSUE - Add WebSocket support to HTTP Proxy (#87)

* remove print line

Signed-off-by: Arvindh <arvindh91@gmail.com>

* add websocket to http proxy

Signed-off-by: Arvindh <arvindh91@gmail.com>

* add websocket to http proxy

Signed-off-by: Arvindh <arvindh91@gmail.com>

* initalized NewOriginChecker

Signed-off-by: Arvindh <arvindh91@gmail.com>

* add toolchain

Signed-off-by: Arvindh <arvindh91@gmail.com>

* remove toolchain

Signed-off-by: Arvindh <arvindh91@gmail.com>

* update the workflow

Signed-off-by: Arvindh <arvindh91@gmail.com>

* update the workflow

Signed-off-by: Arvindh <arvindh91@gmail.com>

* go mod tidy

Signed-off-by: Arvindh <arvindh91@gmail.com>

* convert to interface

Signed-off-by: Arvindh <arvindh91@gmail.com>

* convert to interface

Signed-off-by: Arvindh <arvindh91@gmail.com>

* convert to interface

Signed-off-by: Arvindh <arvindh91@gmail.com>

* format files

Signed-off-by: Arvindh <arvindh91@gmail.com>

* fix url path

Signed-off-by: Arvindh <arvindh91@gmail.com>

* fix targetUrl

Signed-off-by: Arvindh <arvindh91@gmail.com>

* fix mqtt ws

Signed-off-by: Arvindh <arvindh91@gmail.com>

* add env for listen and target portocol,host,port,path

Signed-off-by: Arvindh <arvindh91@gmail.com>

* upgrade liniter

Signed-off-by: Arvindh <arvindh91@gmail.com>

* fix linter errors

Signed-off-by: Arvindh <arvindh91@gmail.com>

* upgrade liniter

Signed-off-by: Arvindh <arvindh91@gmail.com>

* fix websocket proxy

Signed-off-by: Arvindh <arvindh91@gmail.com>

* update getPass func

Signed-off-by: Arvindh <arvindh91@gmail.com>

* websocket process

Signed-off-by: Arvindh <arvindh91@gmail.com>

* fix linter errors

Signed-off-by: Arvindh <arvindh91@gmail.com>

* move checkers to single interface

Signed-off-by: Arvindh <arvindh91@gmail.com>

* update prefix

Signed-off-by: Arvindh <arvindh91@gmail.com>

* modified checker

Signed-off-by: Arvindh <arvindh91@gmail.com>

* consolidate and format function names

Signed-off-by: Arvindh <arvindh91@gmail.com>

---------

Signed-off-by: Arvindh <arvindh91@gmail.com>

Author: arvindh123

.env

@@ -1,53 +1,88 @@
-MGATE_MQTT_WITHOUT_TLS_ADDRESS=:1884
-MGATE_MQTT_WITHOUT_TLS_TARGET=localhost:1883
+MGATE_MQTT_WITHOUT_TLS_HOST=localhost
+MGATE_MQTT_WITHOUT_TLS_PORT=1884
+MGATE_MQTT_WITHOUT_TLS_TARGET_PROTOCOL=mqtt
+MGATE_MQTT_WITHOUT_TLS_TARGET_HOST=localhost
+MGATE_MQTT_WITHOUT_TLS_TARGET_PORT=1883
 
-MGATE_MQTT_WITH_TLS_ADDRESS=:8883
-MGATE_MQTT_WITH_TLS_TARGET=localhost:1883
+MGATE_MQTT_WITH_TLS_HOST=localhost
+MGATE_MQTT_WITH_TLS_PORT=8883
+MGATE_MQTT_WITH_TLS_TARGET_PROTOCOL=mqtt
+MGATE_MQTT_WITH_TLS_TARGET_HOST=localhost
+MGATE_MQTT_WITH_TLS_TARGET_PORT=1883
 MGATE_MQTT_WITH_TLS_CERT_FILE=ssl/certs/server.crt
 MGATE_MQTT_WITH_TLS_KEY_FILE=ssl/certs/server.key
 MGATE_MQTT_WITH_TLS_SERVER_CA_FILE=ssl/certs/ca.crt
 
-MGATE_MQTT_WITH_MTLS_ADDRESS=:8884
-MGATE_MQTT_WITH_MTLS_TARGET=localhost:1883
+MGATE_MQTT_WITH_MTLS_HOST=localhost
+MGATE_MQTT_WITH_MTLS_PORT=8884
+MGATE_MQTT_WITH_MTLS_TARGET_PROTOCOL=mqtt
+MGATE_MQTT_WITH_MTLS_TARGET_HOST=localhost
+MGATE_MQTT_WITH_MTLS_TARGET_PORT=1883
 MGATE_MQTT_WITH_MTLS_CERT_FILE=ssl/certs/server.crt
 MGATE_MQTT_WITH_MTLS_KEY_FILE=ssl/certs/server.key
 MGATE_MQTT_WITH_MTLS_SERVER_CA_FILE=ssl/certs/ca.crt
 MGATE_MQTT_WITH_MTLS_CLIENT_CA_FILE=ssl/certs/ca.crt
 MGATE_MQTT_WITH_MTLS_CERT_VERIFICATION_METHODS=ocsp
 MGATE_MQTT_WITH_MTLS_OCSP_RESPONDER_URL=http://localhost:8080/ocsp
 
-MGATE_MQTT_WS_WITHOUT_TLS_ADDRESS=:8083
-MGATE_MQTT_WS_WITHOUT_TLS_TARGET=ws://localhost:8000/
+MGATE_MQTT_WS_WITHOUT_TLS_HOST=localhost
+MGATE_MQTT_WS_WITHOUT_TLS_PORT=8083
+MGATE_MQTT_WS_WITHOUT_TLS_PATH_PREFIX=/mgate-ws
+MGATE_MQTT_WS_WITHOUT_TLS_TARGET_PROTOCOL=ws
+MGATE_MQTT_WS_WITHOUT_TLS_TARGET_HOST=localhost
+MGATE_MQTT_WS_WITHOUT_TLS_TARGET_PORT=8000
+MGATE_MQTT_WS_WITHOUT_TLS_TARGET_PATH=
 
-MGATE_MQTT_WS_WITH_TLS_ADDRESS=:8084
-MGATE_MQTT_WS_WITH_TLS_TARGET=ws://localhost:8000/
+MGATE_MQTT_WS_WITH_TLS_HOST=localhost
+MGATE_MQTT_WS_WITH_TLS_PORT=8084
+MGATE_MQTT_WS_WITH_TLS_PATH_PREFIX=/mgate-ws
+MGATE_MQTT_WS_WITH_TLS_TARGET_PROTOCOL=ws
+MGATE_MQTT_WS_WITH_TLS_TARGET_HOST=localhost
+MGATE_MQTT_WS_WITH_TLS_TARGET_PORT=8000
+MGATE_MQTT_WS_WITH_TLS_TARGET_PATH=
 MGATE_MQTT_WS_WITH_TLS_CERT_FILE=ssl/certs/server.crt
 MGATE_MQTT_WS_WITH_TLS_KEY_FILE=ssl/certs/server.key
 MGATE_MQTT_WS_WITH_TLS_SERVER_CA_FILE=ssl/certs/ca.crt
 
-MGATE_MQTT_WS_WITH_MTLS_ADDRESS=:8085
-MGATE_MQTT_WS_WITH_MTLS_PATH_PREFIX=/mqtt
-MGATE_MQTT_WS_WITH_MTLS_TARGET=ws://localhost:8000/
+MGATE_MQTT_WS_WITH_MTLS_HOST=localhost
+MGATE_MQTT_WS_WITH_MTLS_PORT=8085
+MGATE_MQTT_WS_WITH_MTLS_PATH_PREFIX=/mgate-ws
+MGATE_MQTT_WS_WITH_MTLS_TARGET_PROTOCOL=ws
+MGATE_MQTT_WS_WITH_MTLS_TARGET_HOST=localhost
+MGATE_MQTT_WS_WITH_MTLS_TARGET_PORT=8000
+MGATE_MQTT_WS_WITH_MTLS_TARGET_PATH=
 MGATE_MQTT_WS_WITH_MTLS_CERT_FILE=ssl/certs/server.crt
 MGATE_MQTT_WS_WITH_MTLS_KEY_FILE=ssl/certs/server.key
 MGATE_MQTT_WS_WITH_MTLS_SERVER_CA_FILE=ssl/certs/ca.crt
 MGATE_MQTT_WS_WITH_MTLS_CLIENT_CA_FILE=ssl/certs/ca.crt
 MGATE_MQTT_WS_WITH_MTLS_CERT_VERIFICATION_METHODS=ocsp
 MGATE_MQTT_WS_WITH_MTLS_OCSP_RESPONDER_URL=http://localhost:8080/ocsp
 
-MGATE_HTTP_WITHOUT_TLS_ADDRESS=:8086
-MGATE_HTTP_WITHOUT_TLS_PATH_PREFIX=/messages
-MGATE_HTTP_WITHOUT_TLS_TARGET=http://localhost:8888/
+MGATE_HTTP_WITHOUT_TLS_PORT=8086
+MGATE_HTTP_WITHOUT_TLS_PATH_PREFIX=/mgate-http
+MGATE_HTTP_WITHOUT_TLS_TARGET_PROTOCOL=http
+MGATE_HTTP_WITHOUT_TLS_TARGET_HOST=localhost
+MGATE_HTTP_WITHOUT_TLS_TARGET_PORT=8888
+MGATE_HTTP_WITHOUT_TLS_TARGET_PATH=/messages
 
-MGATE_HTTP_WITH_TLS_ADDRESS=:8087
-MGATE_HTTP_WITH_TLS_PATH_PREFIX=/messages
+
+MGATE_HTTP_WITH_TLS_PORT=8087
+MGATE_HTTP_WITH_TLS_PATH_PREFIX=/mgate-http
+MGATE_HTTP_WITH_TLS_TARGET_PROTOCOL=http
+MGATE_HTTP_WITH_TLS_TARGET_HOST=localhost
+MGATE_HTTP_WITH_TLS_TARGET_PORT=8888
+MGATE_HTTP_WITH_TLS_TARGET_PATH=/messages
 MGATE_HTTP_WITH_TLS_TARGET=http://localhost:8888/
 MGATE_HTTP_WITH_TLS_CERT_FILE=ssl/certs/server.crt
 MGATE_HTTP_WITH_TLS_KEY_FILE=ssl/certs/server.key
 MGATE_HTTP_WITH_TLS_SERVER_CA_FILE=ssl/certs/ca.crt
 
-MGATE_HTTP_WITH_MTLS_ADDRESS=:8088
-MGATE_HTTP_WITH_MTLS_PATH_PREFIX=/messages
+MGATE_HTTP_WITH_MTLS_PORT=8088
+MGATE_HTTP_WITH_MTLS_PATH_PREFIX=/mgate-http
+MGATE_HTTP_WITH_MTLS_TARGET_PROTOCOL=http
+MGATE_HTTP_WITH_MTLS_TARGET_HOST=localhost
+MGATE_HTTP_WITH_MTLS_TARGET_PORT=8888
+MGATE_HTTP_WITH_MTLS_TARGET_PATH=/messages
 MGATE_HTTP_WITH_MTLS_TARGET=http://localhost:8888/
 MGATE_HTTP_WITH_MTLS_CERT_FILE=ssl/certs/server.crt
 MGATE_HTTP_WITH_MTLS_KEY_FILE=ssl/certs/server.key

.github/workflows/tests.yml

@@ -23,13 +23,13 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.21.x
+          go-version: 1.22.x
           cache-dependency-path: "go.sum"
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
-          version: v1.61.0
+          version: v2.0.2
           args: --config .golangci.yml
 
       - name: Build Binaries

.golangci.yml

@@ -1,75 +1,91 @@
-# Copyright (c) Abstract Machines
-# SPDX-License-Identifier: Apache-2.0
-
-run:
-  timeout: 10m
-
-issues:
-  max-issues-per-linter: 100
-  max-same-issues: 100
-
-linters-settings:
-  gocritic:
-    enabled-checks:
-      - importShadow
-      - httpNoBody
-      - paramTypeCombine
-      - emptyStringTest
-      - builtinShadow
-      - exposedSyncMutex
-    disabled-checks:
-      - appendAssign
-    enabled-tags:
-      - diagnostic
-    disabled-tags:
-      - performance
-      - style
-      - experimental
-      - opinionated
-  misspell:
-    ignore-words:
-      - "mosquitto"
-  stylecheck:
-    checks: ["-ST1000", "-ST1003", "-ST1020", "-ST1021", "-ST1022"]
-  goheader:
-    template: |-
-      Copyright (c) Abstract Machines
-      SPDX-License-Identifier: Apache-2.0
-
+version: "2"
 linters:
-  disable-all: true
+  default: none
   enable:
-    - gocritic
-    - gosimple
-    - errcheck
-    - govet
-    - unused
-    - goconst
-    - godot
-    - godox
-    - ineffassign
-    - misspell
-    - stylecheck
-    - whitespace
-    - gci
-    - gofmt
-    - goimports
-    - loggercheck
-    - goheader
     - asasalint
     - asciicheck
     - bidichk
+    - copyloopvar
     - decorder
     - dogsled
+    - dupword
+    - errcheck
     - errchkjson
     - errname
-    - copyloopvar
     - ginkgolinter
     - gocheckcompilerdirectives
-    - gofumpt
+    - goconst
+    - gocritic
+    - godot
+    - godox
+    - goheader
     - goprintffuncname
+    - govet
     - importas
+    - ineffassign
+    - loggercheck
     - makezero
     - mirror
+    - misspell
     - nakedret
-    - dupword
+    - staticcheck
+    - unused
+    - whitespace
+  settings:
+    gocritic:
+      enabled-checks:
+        - importShadow
+        - httpNoBody
+        - paramTypeCombine
+        - emptyStringTest
+        - builtinShadow
+        - exposedSyncMutex
+      disabled-checks:
+        - appendAssign
+      enabled-tags:
+        - diagnostic
+      disabled-tags:
+        - performance
+        - style
+        - experimental
+        - opinionated
+    goheader:
+      template: |-
+        Copyright (c) Abstract Machines
+        SPDX-License-Identifier: Apache-2.0
+    misspell:
+      ignore-rules:
+        - mosquitto
+    staticcheck:
+      checks:
+        - -ST1000
+        - -ST1003
+        - -ST1020
+        - -ST1021
+        - -ST1022
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  max-issues-per-linter: 100
+  max-same-issues: 100
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

cmd/main.go

@@ -134,7 +134,7 @@ func main() {
 	}
 
 	// mGate server for HTTP without TLS
-	httpProxy, err := http.NewProxy(httpConfig, handler, logger)
+	httpProxy, err := http.NewProxy(httpConfig, handler, logger, []string{}, []string{})
 	if err != nil {
 		panic(err)
 	}
@@ -149,7 +149,7 @@ func main() {
 	}
 
 	// mGate server for HTTP with TLS
-	httpTLSProxy, err := http.NewProxy(httpTLSConfig, handler, logger)
+	httpTLSProxy, err := http.NewProxy(httpTLSConfig, handler, logger, []string{}, []string{})
 	if err != nil {
 		panic(err)
 	}
@@ -164,7 +164,7 @@ func main() {
 	}
 
 	// mGate server for HTTP with mTLS
-	httpMTLSProxy, err := http.NewProxy(httpMTLSConfig, handler, logger)
+	httpMTLSProxy, err := http.NewProxy(httpMTLSConfig, handler, logger, []string{}, []string{})
 	if err != nil {
 		panic(err)
 	}

config.go

@@ -11,10 +11,14 @@ import (
 )
 
 type Config struct {
-	Address    string `env:"ADDRESS"     envDefault:""`
-	PathPrefix string `env:"PATH_PREFIX" envDefault:"/"`
-	Target     string `env:"TARGET"      envDefault:""`
-	TLSConfig  *tls.Config
+	Host           string `env:"HOST"            envDefault:""`
+	Port           string `env:"PORT,required"            envDefault:""`
+	PathPrefix     string `env:"PATH_PREFIX"              envDefault:""`
+	TargetHost     string `env:"TARGET_HOST,required"     envDefault:""`
+	TargetPort     string `env:"TARGET_PORT,required"     envDefault:""`
+	TargetProtocol string `env:"TARGET_PROTOCOL,required" envDefault:""`
+	TargetPath     string `env:"TARGET_PATH"              envDefault:""`
+	TLSConfig      *tls.Config
 }
 
 func NewConfig(opts env.Options) (Config, error) {

examples/client/http/websocket/Readme.md

@@ -0,0 +1,3 @@
+## Requirements to run scripts 
+- [Websocat 4.0.0](https://github.com/vi/websocat)
+- OpenSSL

examples/client/http/websocket/with_mtls.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+protocol=wss
+host=localhost
+port=8088
+path="mgate-http/messages/ws"
+content="application/json"
+message="{\"message\": \"Hello mGate\"}"
+invalidPath="invalid_path"
+cafile=ssl/certs/ca.crt
+certfile=ssl/certs/client.crt
+keyfile=ssl/certs/client.key
+reovokedcertfile=ssl/certs/client_revoked.crt
+reovokedkeyfile=ssl/certs/client_revoked.key
+unknowncertfile=ssl/certs/client_unknown.crt
+unknownkeyfile=ssl/certs/client_unknown.key
+
+echo "Posting message to ${protocol}://${host}:${port}/${path} with tls, Authorization header, ca & client certificates ${cafile} ${certfile} ${keyfile}..."
+echo "${message}" | websocat --binary --ws-c-uri="${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization:TOKEN" - ws-c:cmd:"openssl s_client -connect ${host}:${port} -quiet -verify_quiet -CAfile ${cafile} -cert ${certfile} -key ${keyfile}"
+
+
+echo -e "\nPosting message to ${protocol}://${host}:${port}/${path} with tls, basic authentication ca & client certificates ${cafile} ${certfile} ${keyfile}..."
+encoded=$(printf "username:password" | base64)
+echo "${message}" | websocat --binary --ws-c-uri="${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization: Basic $encoded" - ws-c:cmd:"openssl s_client -connect ${host}:${port} -quiet -verify_quiet -CAfile ${cafile} -cert ${certfile} -key ${keyfile}"
+
+echo -e "\nPosting message to invalid path ${protocol}://${host}:${port}/${path}/${invalidPath} with tls, Authorization header, ca & client certificates ${cafile} ${certfile} ${keyfile}..."
+echo "${message}" | websocat --binary --ws-c-uri="${protocol}://${host}:${port}/${invalidPath}" -H "content-type:${content}" -H "Authorization:TOKEN" - ws-c:cmd:"openssl s_client -connect ${host}:${port} -quiet -verify_quiet -CAfile ${cafile} -cert ${certfile} -key ${keyfile}"
+
+echo -e "\nPosting message to ${protocol}://${host}:${port}/${path} with tls, Authorization header, ca certificates ${cafile} & reovked client certificate ${reovokedcertfile} ${reovokedkeyfile}..."
+echo "${message}" | websocat --binary --ws-c-uri="${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization:TOKEN" - ws-c:cmd:"openssl s_client -connect ${host}:${port} -quiet -verify_quiet -CAfile ${cafile} -cert ${reovokedcertfile} -key ${reovokedkeyfile}"
+
+echo -e "\nPosting message to ${protocol}://${host}:${port}/${path} with tls, Authorization header, ca certificates ${cafile} & unknown client certificate ${unknowncertfile} ${unknownkeyfile}..."
+echo "${message}" | websocat --binary --ws-c-uri="${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization:TOKEN" - ws-c:cmd:"openssl s_client -connect ${host}:${port} -quiet -verify_quiet -CAfile ${cafile} -cert ${unknowncertfile} -key ${unknownkeyfile}"
+
+echo -e "\nPosting message to ${protocol}://${host}:${port}/${path} with tls, Authorization header, ca certificate ${cafile} & without client certificates.."
+echo "${message}" | websocat --binary --ws-c-uri="${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization:TOKEN" - ws-c:cmd:"openssl s_client -connect ${host}:${port} -quiet -verify_quiet -CAfile ${cafile}"
+
+echo -e "\nPosting message to ${protocol}://${host}:${port}/${path} with tls, Authorization header,  & without ca , client certificates.."
+echo "${message}" | websocat --binary --ws-c-uri="${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization:TOKEN" - ws-c:cmd:"openssl s_client -connect ${host}:${port} -quiet -verify_quiet"

examples/client/http/websocket/with_tls.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+protocol=wss
+host=localhost
+port=8087
+path="mgate-http/messages/ws"
+content="application/json"
+message="{\"message\": \"Hello mGate\"}"
+invalidPath="invalid_path"
+cafile=ssl/certs/ca.crt
+certfile=ssl/certs/client.crt
+keyfile=ssl/certs/client.key
+reovokedcertfile=ssl/certs/client_revoked.crt
+reovokedkeyfile=ssl/certs/client_revoked.key
+unknowncertfile=ssl/certs/client_unknown.crt
+unknownkeyfile=ssl/certs/client_unknown.key
+
+echo "Posting message to ${protocol}://${host}:${port}/${path} with tls, Authorization header, ca certificate ${cafile}..."
+# echo "${message}" | websocat  -H "content-type:${content}" -H "Authorization:TOKEN" --binary --ws-c-uri="${protocol}://${host}:${port}/${path}" - ws-c:cmd:"openssl s_client -connect ${host}:${port} -quiet -verify_quiet -CAfile ${cafile}"
+echo "${message}" | SSL_CERT_FILE="${cafile}"  websocat  "${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization:TOKEN"
+
+
+echo -e "\nPosting message to ${protocol}://${host}:${port}/${path} with tls, basic authentication ca certificate ${cafile}...."
+encoded=$(printf "username:password" | base64)
+echo "${message}" | SSL_CERT_FILE="${cafile}" websocat "${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization: Basic $encoded"
+
+
+echo -e "\nPosting message to ${protocol}://${host}:${port}/${path} with tls, Authorization header, and without ca certificate.."
+echo "${message}" |  websocat "${protocol}://${host}:${port}/${path}" -H "content-type:${content}" -H "Authorization: Basic $encoded"
+