Spoof client source IP

Author: quentinmit

server/common/oursrc/scripts-proxy/ldap/conn.go

@@ -0,0 +1,61 @@
+package ldap
+
+import (
+	"fmt"
+	"log"
+	"sync"
+	"time"
+
+	ldap "gopkg.in/ldap.v3"
+)
+
+type conn struct {
+	server, baseDn string
+	// mu protects conn during reconnect cycles
+	// TODO: The ldap package supports multiple in-flight queries;
+	// by using a Mutex we are only going to issue one at a
+	// time. We should figure out how to do retry/reconnect
+	// behavior with parallel queries.
+	mu   sync.Mutex
+	conn *ldap.Conn
+}
+
+func (c *conn) reconnect() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.conn != nil {
+		c.conn.Close()
+	}
+	var err error
+	for {
+		log.Printf("connecting to %s", c.server)
+		c.conn, err = ldap.Dial("tcp", c.server)
+		if err == nil {
+			return
+		}
+		log.Printf("connecting to %s: %v", c.server, err)
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+
+func (c *conn) resolvePool(hostname string) (string, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	escapedHostname := ldap.EscapeFilter(hostname)
+	req := &ldap.SearchRequest{
+		BaseDN:     c.baseDn,
+		Scope:      ldap.ScopeWholeSubtree,
+		Filter:     fmt.Sprintf("(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))", escapedHostname, escapedHostname),
+		Attributes: []string{"scriptsVhostPoolIPv4"},
+	}
+	sr, err := c.conn.Search(req)
+	if err != nil {
+		return "", err
+	}
+	for _, entry := range sr.Entries {
+		return entry.GetAttributeValue("scriptsVhostPoolIPv4"), nil
+	}
+	// Not found is not an error
+	return "", nil
+}

server/common/oursrc/scripts-proxy/ldap/pool.go

@@ -0,0 +1,48 @@
+package ldap
+
+import "log"
+
+// Pool handles a concurrency-safe pool of connections to LDAP servers.
+type Pool struct {
+	retries int
+	// connCh holds open connections to servers.
+	connCh chan *conn
+}
+
+// NewPool constructs a connection pool that queries for baseDn from servers.
+func NewPool(servers []string, baseDn string, retries int) *Pool {
+	p := &Pool{
+		retries: retries,
+		connCh:  make(chan *conn, len(servers)),
+	}
+	for _, s := range servers {
+		c := &conn{
+			server: s,
+			baseDn: baseDn,
+		}
+		go p.reconnect(c)
+	}
+	return p
+}
+
+func (p *Pool) reconnect(c *conn) {
+	c.reconnect()
+	p.connCh <- c
+}
+
+// ResolvePool attempts to resolve the pool for hostname to an IP address, returned as a string.
+func (p *Pool) ResolvePool(hostname string) (string, error) {
+	var ip string
+	var err error
+	for i := 0; i < p.retries; i++ {
+		c := <-p.connCh
+		ip, err = c.resolvePool(hostname)
+		if err == nil {
+			p.connCh <- c
+			return ip, err
+		}
+		log.Printf("resolving %q on %s: %v", hostname, c.server, err)
+		go p.reconnect(c)
+	}
+	return ip, err
+}

server/common/oursrc/scripts-proxy/main.go

@@ -8,25 +8,28 @@ import (
 	"net"
 	"strings"
 
+	"github.com/mit-scripts/scripts/server/common/oursrc/scripts-proxy/ldap"
 	"inet.af/tcpproxy"
-
-	ldap "gopkg.in/ldap.v3"
 )
 
 var (
 	httpAddrs   = flag.String("http_addrs", "0.0.0.0:80", "comma-separated addresses to listen for HTTP traffic on")
 	sniAddrs    = flag.String("sni_addrs", "0.0.0.0:443,0.0.0.0:444", "comma-separated addresses to listen for SNI traffic on")
-	ldapServer  = flag.String("ldap_server", "scripts-ldap.mit.edu:389", "LDAP server to query")
+	ldapServers = flag.String("ldap_servers", "scripts-ldap.mit.edu:389", "comma-spearated LDAP servers to query")
 	defaultHost = flag.String("default_host", "scripts.mit.edu", "default host to route traffic to if SNI/Host header cannot be parsed or cannot be found in LDAP")
 	baseDn      = flag.String("base_dn", "ou=VirtualHosts,dc=scripts,dc=mit,dc=edu", "base DN to query for hosts")
+	localRange  = flag.String("local_range", "18.4.86.0/24", "IP block for client IP spoofing. If the resolved destination address is in this subnet, the source IP address of the backend connection will be spoofed to match the client IP. This subnet needs to be local to the proxy.")
 )
 
+const ldapRetries = 3
+
 func always(context.Context, string) bool {
 	return true
 }
 
 type ldapTarget struct {
-	ldap *ldap.Conn
+	localPoolRange *net.IPNet
+	ldap           *ldap.Pool
 }
 
 // HandleConn is called by tcpproxy after receiving a connection and sniffing the host.
@@ -36,60 +39,60 @@ func (l *ldapTarget) HandleConn(netConn net.Conn) {
 	var pool string
 	var err error
 	if conn, ok := netConn.(*tcpproxy.Conn); ok {
-		pool, err = l.resolvePool(conn.HostName)
+		pool, err = l.ldap.ResolvePool(conn.HostName)
 		if err != nil {
 			log.Printf("resolving %q: %v", conn.HostName, err)
 		}
 	}
 	if pool == "" {
-		pool, err = l.resolvePool(*defaultHost)
+		pool, err = l.ldap.ResolvePool(*defaultHost)
 		if err != nil {
 			log.Printf("resolving default pool: %v", err)
 		}
 	}
+	// TODO: Serve an error page? Forward to scripts-director?
 	if pool == "" {
 		netConn.Close()
 		return
 	}
 	laddr := netConn.LocalAddr().(*net.TCPAddr)
-	dp := &tcpproxy.DialProxy{
-		Addr: fmt.Sprintf("%s:%d", pool, laddr.Port),
-		// TODO: Set DialContext to override the source address
-	}
-	dp.HandleConn(netConn)
-}
-
-func (l *ldapTarget) resolvePool(hostname string) (string, error) {
-	escapedHostname := ldap.EscapeFilter(hostname)
-	req := ldap.NewSearchRequest(
-		*baseDn,
-		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		fmt.Sprintf("(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))", escapedHostname, escapedHostname),
-		[]string{"scriptsVhostPoolIPv4"},
-		nil,
-	)
-	sr, err := l.ldap.Search(req)
+	destAddrStr := net.JoinHostPort(pool, fmt.Sprintf("%d", laddr.Port))
+	destAddr, err := net.ResolveTCPAddr("tcp", destAddrStr)
 	if err != nil {
-		return "", err
+		netConn.Close()
+		log.Printf("parsing pool address %q: %v", pool, err)
+		return
+	}
+	dp := &tcpproxy.DialProxy{
+		Addr: destAddrStr,
 	}
-	for _, entry := range sr.Entries {
-		return entry.GetAttributeValue("scriptsVhostPoolIPv4"), nil
+	if l.localPoolRange.Contains(destAddr.IP) {
+		raddr := netConn.RemoteAddr().(*net.TCPAddr)
+		sourceAddr := &net.TCPAddr{
+			IP: raddr.IP,
+		}
+		dp.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
+			return net.DialTCP(network, sourceAddr, destAddr)
+		}
 	}
-	// Not found is not an error
-	return "", nil
+	dp.HandleConn(netConn)
 }
 
 func main() {
 	flag.Parse()
 
-	l, err := ldap.Dial("tcp", *ldapServer)
+	_, ipnet, err := net.ParseCIDR(*localRange)
 	if err != nil {
 		log.Fatal(err)
 	}
-	defer l.Close()
+
+	ldapPool := ldap.NewPool(strings.Split(*ldapServers, ","), *baseDn, ldapRetries)
 
 	var p tcpproxy.Proxy
-	t := &ldapTarget{ldap: l}
+	t := &ldapTarget{
+		localPoolRange: ipnet,
+		ldap:           ldapPool,
+	}
 	for _, addr := range strings.Split(*httpAddrs, ",") {
 		p.AddHTTPHostMatchRoute(addr, always, t)
 	}