Add opt-in HTTP reverse-proxy tunnel path (#207)

Author: amalshaji

tunnel/internal/client/client/client.go

@@ -70,17 +70,18 @@ func (c *Client) Start(ctx context.Context, services ...string) error {
 			continue
 		}
 		clientConfigs = append(clientConfigs, config.ClientConfig{
-			ServerUrl:             c.config.ServerUrl,
-			SshUrl:                c.config.SshUrl,
-			TunnelUrl:             c.config.TunnelUrl,
-			SecretKey:             c.config.SecretKey,
-			Tunnel:                tunnel,
-			UseLocalHost:          c.config.UseLocalHost,
-			Debug:                 c.config.Debug,
-			EnableRequestLogging:  c.config.EnableRequestLogging,
-			HealthCheckInterval:   c.config.HealthCheckInterval,
-			HealthCheckMaxRetries: c.config.HealthCheckMaxRetries,
-			DisableTUI:            c.config.DisableTUI,
+			ServerUrl:              c.config.ServerUrl,
+			SshUrl:                 c.config.SshUrl,
+			TunnelUrl:              c.config.TunnelUrl,
+			SecretKey:              c.config.SecretKey,
+			Tunnel:                 tunnel,
+			UseLocalHost:           c.config.UseLocalHost,
+			Debug:                  c.config.Debug,
+			EnableRequestLogging:   c.config.EnableRequestLogging,
+			HealthCheckInterval:    c.config.HealthCheckInterval,
+			HealthCheckMaxRetries:  c.config.HealthCheckMaxRetries,
+			DisableTUI:             c.config.DisableTUI,
+			EnableHttpReverseProxy: c.config.EnableHttpReverseProxy,
 		})
 	}
 

tunnel/internal/client/config/config.go

@@ -68,6 +68,7 @@ type Config struct {
 	HealthCheckInterval        int      `yaml:"health_check_interval"`
 	HealthCheckMaxRetries      int      `yaml:"health_check_max_retries"`
 	DisableTUI                 bool     `yaml:"disable_tui"`
+	EnableHttpReverseProxy     bool     `yaml:"enable_http_reverse_proxy"`
 	DisableUpdateCheck         bool     `yaml:"disable_update_check"`
 }
 
@@ -121,17 +122,18 @@ func (c Config) GetAdminAddress() string {
 }
 
 type ClientConfig struct {
-	ServerUrl             string
-	SshUrl                string
-	TunnelUrl             string
-	SecretKey             string
-	Tunnel                Tunnel
-	UseLocalHost          bool
-	Debug                 bool
-	EnableRequestLogging  bool
-	HealthCheckInterval   int
-	HealthCheckMaxRetries int
-	DisableTUI            bool
+	ServerUrl              string
+	SshUrl                 string
+	TunnelUrl              string
+	SecretKey              string
+	Tunnel                 Tunnel
+	UseLocalHost           bool
+	Debug                  bool
+	EnableRequestLogging   bool
+	HealthCheckInterval    int
+	HealthCheckMaxRetries  int
+	DisableTUI             bool
+	EnableHttpReverseProxy bool
 }
 
 func (c *ClientConfig) GetHttpTunnelAddr() string {

tunnel/internal/client/ssh/ssh.go

@@ -9,6 +9,8 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/http/httputil"
+	"net/url"
 	"os"
 	"strings"
 	"sync"
@@ -33,6 +35,45 @@ var (
 	ErrLocalSetupIncomplete = fmt.Errorf("local setup incomplete")
 )
 
+type requestLogContextKey struct{}
+
+type requestLogData struct {
+	id      string
+	request *http.Request
+	body    []byte
+}
+
+type singleConnListener struct {
+	conn     net.Conn
+	accepted bool
+	closed   bool
+	mu       sync.Mutex
+}
+
+func (l *singleConnListener) Accept() (net.Conn, error) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	if l.closed || l.accepted {
+		return nil, net.ErrClosed
+	}
+
+	l.accepted = true
+	return l.conn, nil
+}
+
+func (l *singleConnListener) Close() error {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	l.closed = true
+	return nil
+}
+
+func (l *singleConnListener) Addr() net.Addr {
+	return l.conn.LocalAddr()
+}
+
 type SshClient struct {
 	config       config.ClientConfig
 	listener     net.Listener
@@ -216,6 +257,141 @@ func (s *SshClient) startListenerForClient() error {
 }
 
 func (s *SshClient) httpTunnel(src net.Conn, localEndpoint string) {
+	if s.config.EnableHttpReverseProxy {
+		s.httpTunnelReverseProxy(src, localEndpoint)
+		return
+	}
+
+	s.httpTunnelLegacy(src, localEndpoint)
+}
+
+func (s *SshClient) httpTunnelReverseProxy(src net.Conn, localEndpoint string) {
+	defer src.Close()
+
+	target := &url.URL{
+		Scheme: "http",
+		Host:   localEndpoint,
+	}
+
+	transport := &http.Transport{
+		Proxy:             http.ProxyFromEnvironment,
+		ForceAttemptHTTP2: false,
+		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			var d net.Dialer
+			return d.DialContext(ctx, network, localEndpoint)
+		},
+	}
+	defer transport.CloseIdleConnections()
+
+	proxy := httputil.NewSingleHostReverseProxy(target)
+	proxy.Transport = transport
+
+	defaultDirector := proxy.Director
+	proxy.Director = func(request *http.Request) {
+		host := request.Host
+		defaultDirector(request)
+		request.Host = host
+	}
+
+	proxy.ModifyResponse = func(response *http.Response) error {
+		if !s.config.EnableRequestLogging {
+			return nil
+		}
+
+		if response.StatusCode == http.StatusSwitchingProtocols {
+			return nil
+		}
+
+		if strings.Contains(response.Header.Get("Content-Type"), "text/event-stream") {
+			return nil
+		}
+
+		logData, ok := response.Request.Context().Value(requestLogContextKey{}).(*requestLogData)
+		if !ok || logData == nil || logData.request == nil {
+			return nil
+		}
+
+		responseBody, err := io.ReadAll(response.Body)
+		if err != nil {
+			if s.config.Debug {
+				s.logDebug("Failed to read response body from reverse proxy", err)
+			}
+			return err
+		}
+		response.Body.Close()
+		response.Body = io.NopCloser(bytes.NewBuffer(responseBody))
+
+		s.logHttpRequest(logData.id, logData.request, logData.body, response, responseBody)
+		return nil
+	}
+
+	proxy.ErrorHandler = func(writer http.ResponseWriter, request *http.Request, err error) {
+		if s.config.Debug {
+			s.logDebug("HTTP reverse proxy failed", err)
+		}
+
+		htmlContent := utils.LocalServerNotOnline(localEndpoint)
+		writer.Header().Set("X-Portr-Error", "true")
+		writer.Header().Set("X-Portr-Error-Reason", "local-server-not-online")
+		writer.Header().Set("Content-Type", "text/html")
+		writer.WriteHeader(http.StatusServiceUnavailable)
+		_, _ = writer.Write([]byte(htmlContent))
+	}
+
+	handler := http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+		if request.Header.Get("X-Portr-Ping-Request") == "true" {
+			writer.WriteHeader(http.StatusOK)
+			return
+		}
+
+		if !s.config.EnableRequestLogging {
+			proxy.ServeHTTP(writer, request)
+			return
+		}
+
+		requestBody, err := io.ReadAll(request.Body)
+		if err != nil {
+			if s.config.Debug {
+				s.logDebug("Failed to read request body for reverse proxy logging", err)
+			}
+			http.Error(writer, "Bad Request", http.StatusBadRequest)
+			return
+		}
+		request.Body.Close()
+		request.Body = io.NopCloser(bytes.NewBuffer(requestBody))
+
+		requestForLog := request.Clone(context.Background())
+		requestForLog.Header = request.Header.Clone()
+		requestForLog.Host = request.Host
+		if request.URL != nil {
+			clonedURL := *request.URL
+			requestForLog.URL = &clonedURL
+		}
+
+		logCtx := context.WithValue(request.Context(), requestLogContextKey{}, &requestLogData{
+			id:      ulid.Make().String(),
+			request: requestForLog,
+			body:    requestBody,
+		})
+
+		proxy.ServeHTTP(writer, request.WithContext(logCtx))
+	})
+
+	server := &http.Server{
+		Handler:           handler,
+		ReadHeaderTimeout: 15 * time.Second,
+	}
+
+	listener := &singleConnListener{conn: src}
+	err := server.Serve(listener)
+	if err != nil && err != net.ErrClosed {
+		if s.config.Debug {
+			s.logDebug("Reverse proxy tunnel closed with error", err)
+		}
+	}
+}
+
+func (s *SshClient) httpTunnelLegacy(src net.Conn, localEndpoint string) {
 	var dst net.Conn
 
 	defer src.Close()