conflict

Author: vdmkenny

.github/.jira_sync_config.yaml

@@ -0,0 +1,16 @@
+# See https://github.com/canonical/gh-jira-sync-bot for config
+settings:
+  jira_project_key: "ISD"
+
+  status_mapping:
+    opened: Untriaged
+    closed: done
+    not_planned: rejected
+
+  add_gh_comment: true
+
+  epic_key: ISD-3981
+
+  label_mapping:
+    bug: Bug
+    enhancement: Story

.github/workflows/integration-tests.yaml

@@ -7,56 +7,98 @@ on:
 jobs:
   integration-test:
     name: Run Integration Tests
-    runs-on: [ self-hosted, linux, x64, large ]
+    runs-on: [ self-hosted, linux, x64, jammy, large ]
 
     steps:
       - uses: actions/checkout@v2
 
-      - name: Build Aproxy Snap
+      - name: Build aproxy Snap
         id: snapcraft-build
         uses: snapcore/action-build@v1
+        with:
+          snapcraft-args: --build-for amd64
 
-      - name: Upload Aproxy Snap
-        uses: actions/upload-artifact@v3
+      - name: Upload aproxy Snap
+        uses: actions/upload-artifact@v4
         with:
           name: snap
           path: aproxy*.snap
 
-      - name: Install Aproxy Snap
+      - name: Install aproxy Snap
         run: |
           sudo snap install --dangerous aproxy_*_amd64.snap
 
-      - name: Configure Aproxy
+      - name: Show aproxy Configuration
+        run: |
+          sudo snap get aproxy
+
+      - name: Configure aproxy
         run: |
-          sudo snap set aproxy proxy=squid.internal:3128 listen=:23403
           sudo nft -f - << EOF
           define default-ip = $(ip route get $(ip route show 0.0.0.0/0 | grep -oP 'via \K\S+') | grep -oP 'src \K\S+')
           define private-ips = { 10.0.0.0/8, 127.0.0.1/8, 172.16.0.0/12, 192.168.0.0/16 }
+          define aproxy-port = $(sudo snap get aproxy listen | cut -d ":" -f 2)
           table ip aproxy
           flush table ip aproxy
           table ip aproxy {
                   chain prerouting {
                           type nat hook prerouting priority dstnat; policy accept;
-                          ip daddr != \$private-ips tcp dport { 80, 443 } counter dnat to \$default-ip:23403
+                          ip daddr != \$private-ips tcp dport { 80, 443, 11371, 4242 } counter dnat to \$default-ip:\$aproxy-port
                   }
 
                   chain output {
                           type nat hook output priority -100; policy accept;
-                          ip daddr != \$private-ips tcp dport { 80, 443 } counter dnat to \$default-ip:23403
+                          ip daddr != \$private-ips tcp dport { 80, 443, 11371, 4242 } counter dnat to \$default-ip:\$aproxy-port
                   }
           }
           EOF
 
+      - name: Start tcpdump
+        run: |
+          sudo tcpdump -i any -s 65535 -w capture.pcap &
+          echo $! > tcpdump.pid
+
       - name: Test HTTP
         run: |
-          curl --noproxy "*" http://example.com -svS -o /dev/null
+          timeout 60 curl --noproxy "*" http://example.com -svS -o /dev/null
 
       - name: Test HTTPS
         run: |
-          curl --noproxy "*" https://example.com -svS -o /dev/null
+          timeout 60 curl --noproxy "*" https://example.com -svS -o /dev/null
+
+      - name: Test HKP
+        run: |
+          timeout 60 gpg -vvv --keyserver hkp://keyserver.ubuntu.com --recv-keys E1DE584A8CCA52DC29550F18ABAC58F075A17EFA
+
+      - name: Test TCP4
+        run: |
+          sudo apt install -y socat
+          timeout 60 socat /dev/null TCP4:tcpbin.com:4242
 
       - name: Test Access Logs
         run: |
-          sudo snap logs aproxy.aproxy
           sudo snap logs aproxy.aproxy | grep -Fq "example.com:80"
           sudo snap logs aproxy.aproxy | grep -Fq "example.com:443"
+          sudo snap logs aproxy.aproxy | grep -Fq "keyserver.ubuntu.com:11371"
+          sudo snap logs aproxy.aproxy | grep -Eq "[0-9.]+:4242"
+
+      - name: Show Access Logs
+        if: failure()
+        run: |
+          sudo snap logs aproxy.aproxy -n=all
+
+      - name: Stop tcpdump
+        if: failure()
+        run: |
+          PID=$(cat tcpdump.pid)
+          if [ -n "$PID" ]; then
+            sudo kill -2 "$PID" || true
+          fi
+          sleep 1
+
+      - name: Upload tcpdump capture
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: tcpdump
+          path: capture.pcap

.github/workflows/publish.yaml

@@ -0,0 +1,33 @@
+name: Publish
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  tests:
+    uses: ./.github/workflows/tests.yaml
+
+  integration-tests:
+    uses: ./.github/workflows/integration-tests.yaml
+
+  publish:
+    name: Publish Aproxy
+    runs-on: ubuntu-latest
+    needs: [ tests, integration-tests ]
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build Aproxy Snap
+        id: snapcraft-build
+        uses: snapcore/action-build@v1
+
+      - name: Publish Aproxy
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        run: |
+          for snap in aproxy*.snap
+          do
+            snapcraft upload $snap --release edge
+          done

CODEOWNERS

@@ -0,0 +1 @@
+*       @canonical/is-charms

aproxy.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bufio"
+	"bytes"
 	"context"
 	"encoding/binary"
 	"errors"
@@ -18,12 +19,11 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
-	"syscall"
 
 	"golang.org/x/crypto/cryptobyte"
 )
 
-var version = "0.2.2"
+var version = "0.2.4"
 
 // PrereadConn is a wrapper around net.Conn that supports pre-reading from the underlying connection.
 // Any Read before the EndPreread can be undone and read again by calling the EndPreread function.
@@ -84,27 +84,24 @@ func PrereadSNI(conn *PrereadConn) (_ string, err error) {
 			err = fmt.Errorf("failed to preread TLS client hello: %w", err)
 		}
 	}()
-	typeVersionLen := make([]byte, 5)
-	n, err := conn.Read(typeVersionLen)
-	if n != 5 {
-		return "", errors.New("too short")
-	}
+	recordHeader := make([]byte, 5)
+	n, err := io.ReadFull(conn, recordHeader)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to read TLS record layer header: %w", err)
+	}
+	if n != 5 {
+		return "", fmt.Errorf("failed to read TLS record layer header: too short, less than 5 bytes (%d)", n)
 	}
-	if typeVersionLen[0] != 22 {
+	if recordHeader[0] != 22 {
 		return "", errors.New("not a TCP handshake")
 	}
-	msgLen := binary.BigEndian.Uint16(typeVersionLen[3:])
+	msgLen := binary.BigEndian.Uint16(recordHeader[3:])
 	buf := make([]byte, msgLen+5)
-	n, err = conn.Read(buf[5:])
+	n, err = io.ReadFull(conn, buf[5:])
 	if n != int(msgLen) {
-		return "", errors.New("too short")
-	}
-	if err != nil {
-		return "", err
+		return "", fmt.Errorf("client hello too short (%d < %d), err: %w", n, msgLen, err)
 	}
-	copy(buf[:5], typeVersionLen)
+	copy(buf[:5], recordHeader)
 	return extractSNI(buf)
 }
 
@@ -224,6 +221,7 @@ func DialProxy(proxy string) (net.Conn, error) {
 }
 
 // DialProxyConnect dials the TCP connection and finishes the HTTP CONNECT handshake with the proxy.
+// dst: HOST:PORT or IP:PORT
 func DialProxyConnect(proxy string, dst string) (net.Conn, error) {
 	conn, err := DialProxy(proxy)
 	if err != nil {
@@ -247,12 +245,12 @@ func DialProxyConnect(proxy string, dst string) (net.Conn, error) {
 		return nil, fmt.Errorf("failed to send connect request to http proxy: %w", err)
 	}
 	response, err := http.ReadResponse(bufio.NewReaderSize(conn, 0), &request)
-	if response.StatusCode != 200 {
-		return nil, fmt.Errorf("proxy return %d response for connect request", response.StatusCode)
-	}
 	if err != nil {
 		return nil, fmt.Errorf("failed to receive http connect response from proxy: %w", err)
 	}
+	if response.StatusCode != 200 {
+		return nil, fmt.Errorf("proxy return %d response for connect request", response.StatusCode)
+	}
 	return conn, nil
 }
 
@@ -268,11 +266,7 @@ func GetOriginalDst(conn *net.TCPConn) (*net.TCPAddr, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to convert connection to file: %w", err)
 	}
-	return GetsockoptIPv4OriginalDst(
-		int(file.Fd()),
-		syscall.SOL_IP,
-		80, // SO_ORIGINAL_DST
-	)
+	return GetsockoptIPv4OriginalDst(file.Fd())
 }
 
 // RelayTCP relays data between the incoming TCP connection and the proxy connection.
@@ -304,10 +298,34 @@ func RelayHTTP(conn io.ReadWriter, proxyConn io.ReadWriteCloser, logger *slog.Lo
 	}
 	req.URL.Host = req.Host
 	req.URL.Scheme = "http"
+	if req.UserAgent() == "" {
+		req.Header.Set("User-Agent", "")
+	}
 	req.Header.Set("Connection", "close")
-	if err := req.WriteProxy(proxyConn); err != nil {
-		logger.Error("failed to send HTTP request to proxy", "error", err)
-		return
+	if req.Proto == "HTTP/1.0" {
+		// no matter what the request protocol is, Go enforces a minimum version of HTTP/1.1
+		// this causes problems for HTTP/1.0 only clients like GPG (HKP)
+		// manually modify and send the HTTP/1.0 request to the proxy server
+		buf := bytes.NewBuffer(nil)
+		err := req.WriteProxy(buf)
+		if err != nil {
+			logger.Error("failed to serialize HTTP/1.0 request", "error", err)
+			return
+		}
+		reqStr := buf.String()
+		crlfIndex := strings.Index(reqStr, "\r\n")
+		protoSpaceIndex := strings.LastIndex(reqStr[:crlfIndex], " ")
+		reqStr = reqStr[:protoSpaceIndex+1] + "HTTP/1.0" + reqStr[crlfIndex:]
+		_, err = proxyConn.Write([]byte(reqStr))
+		if err != nil {
+			logger.Error("failed to send HTTP request to proxy", "error", err)
+			return
+		}
+	} else {
+		if err := req.WriteProxy(proxyConn); err != nil {
+			logger.Error("failed to send HTTP request to proxy", "error", err)
+			return
+		}
 	}
 	resp, err := http.ReadResponse(bufio.NewReader(proxyConn), req)
 	if err != nil {
@@ -349,7 +367,7 @@ func HandleConn(conn net.Conn, proxy string) {
 			logger.Info("relay TLS connection to proxy")
 			RelayTCP(consigned, proxyConn, logger)
 		}
-	case 80:
+	case 80, 11371:
 		host, err := PrereadHttpHost(consigned)
 		if err != nil {
 			logger.Error("failed to preread HTTP host from connection", "error", err)
@@ -367,13 +385,19 @@ func HandleConn(conn net.Conn, proxy string) {
 		logger.Info("relay HTTP connection to proxy")
 		RelayHTTP(consigned, proxyConn, logger)
 	default:
-		logger.Error(fmt.Sprintf("unknown destination port: %d", dst.Port))
-		return
+		logger = logger.With("host", fmt.Sprintf("%s:%d", dst.IP.String(), dst.Port))
+		proxyConn, err := DialProxyConnect(proxy, fmt.Sprintf("%s:%d", dst.IP.String(), dst.Port))
+		if err != nil {
+			logger.Error("failed to connect to tcp proxy", "error", err)
+			return
+		}
+		logger.Info("relay TCP connection to proxy")
+		RelayTCP(consigned, proxyConn, logger)
 	}
 }
 
 func main() {
-	proxyFlag := flag.String("proxy", "", "upstream HTTP proxy address in the 'host:port' format")
+	proxyFlag := flag.String("proxy", "", "upstream proxy address in the 'host:port' format")
 	listenFlag := flag.String("listen", ":8443", "the address and port on which the server will listen")
 	flag.Parse()
 	listenAddr := *listenFlag
@@ -387,7 +411,7 @@ func main() {
 	slog.Info(fmt.Sprintf("start listening on %s", listenAddr))
 	proxy := *proxyFlag
 	if proxy == "" {
-		log.Fatalf("no upstearm proxy specified")
+		log.Fatalf("no upstream proxy specified")
 	}
 	slog.Info(fmt.Sprintf("start forwarding to proxy %s", proxy))
 	go func() {

go.mod

@@ -1,5 +1,7 @@
 module aproxy
 
-go 1.21
+go 1.23.0
 
-require golang.org/x/crypto v0.17.0
+toolchain go1.24.1
+
+require golang.org/x/crypto v0.35.0

go.sum

@@ -1,2 +1,2 @@
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=

snap/snapcraft.yaml

@@ -1,5 +1,5 @@
 name: aproxy
-version: 0.2.2
+version: 0.2.4
 summary: Transparent proxy for HTTP and HTTPS/TLS connections.
 description: |
   Aproxy is a transparent proxy for HTTP and HTTPS/TLS connections. By 
@@ -17,6 +17,10 @@ architectures:
     build-for: amd64
   - build-on: amd64
     build-for: arm64
+  - build-on: amd64
+    build-for: s390x
+  - build-on: amd64
+    build-for: ppc64el
 
 apps:
   aproxy:
@@ -35,7 +39,11 @@ parts:
       - go
     override-build: |
       snapcraftctl build
-      export GOARCH=$SNAPCRAFT_TARGET_ARCH
+      if [ $SNAPCRAFT_TARGET_ARCH == ppc64el ]; then
+        export GOARCH=ppc64le
+      else
+        export GOARCH=$SNAPCRAFT_TARGET_ARCH
+      fi
       export CGO_ENABLED=0
       go mod download
       go build -ldflags="-w -s"