Add go code for a proxy server

y-popov · y-popov · commit 23a4fcc0604b · 2025-09-24T22:36:44.000+01:00
diff --git a/.github/workflows/function-deploy.yml b/.github/workflows/function-deploy.yml
@@ -0,0 +1,19 @@
+name: Deploy Serverless function
+on: push
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: goodsmileduck/yandex-serverless-action@v2
+        with:
+          token: ${{ secrets.YC_IAM_TOKEN }}
+          function_id: ${{ vars.YC_FUNCTION_ID }}
+          runtime: 'golang123'
+          memory: '128'
+          execution_timeout: 15
+          entrypoint: 'main.handleProxy'
+          environment: PROXY_USER=${{ vars.PROXY_USER }},PROXY_PASS=${{ secrets.PROXY_PASS }}
+          source: '.'
+          exclude: '.github/,terraform/'
diff --git a/main.go b/main.go
@@ -0,0 +1,159 @@
+package main
+
+import (
+	"io"
+	"log"
+	"log/slog"
+	"net"
+	"net/http"
+	"os"
+	"time"
+)
+
+// Main handler
+func handleProxy(w http.ResponseWriter, r *http.Request) {
+	// Auth first
+	if !checkAuth(r) {
+		w.Header().Set("Proxy-Authenticate", `Basic realm="Restricted"`)
+		http.Error(w, "Proxy Authentication Required", http.StatusProxyAuthRequired)
+		return
+	}
+
+	if r.Method == http.MethodConnect {
+		handleTunneling(w, r)
+	} else {
+		handleHTTP(w, r)
+	}
+}
+
+// Very simple auth check (Basic Auth)
+func checkAuth(r *http.Request) bool {
+	// Look for Proxy-Authorization header
+	auth := r.Header.Get("Proxy-Authorization")
+	if auth == "" {
+		return false
+	}
+
+	// Reuse Go's parsing logic by making a fake request
+	req := &http.Request{Header: http.Header{"Authorization": []string{auth}}}
+
+	username, password, ok := req.BasicAuth()
+	if !ok {
+		return false
+	}
+
+	// Get expected credentials from the environment
+	expectedUser := os.Getenv("PROXY_USER")
+	expectedPass := os.Getenv("PROXY_PASS")
+
+	return username == expectedUser && password == expectedPass
+}
+
+// Handle HTTPS tunneling (CONNECT)
+func handleTunneling(w http.ResponseWriter, r *http.Request) {
+	destConn, err := net.DialTimeout("tcp", r.Host, 10*time.Second)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+
+		return
+	}
+
+	defer callAndLogError(destConn.Close)
+
+	// Write 200 Connection Established to the client
+	w.WriteHeader(http.StatusOK)
+
+	// Hijack the connection to get the raw TCP stream
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
+
+		return
+	}
+
+	clientConn, _, err := hijacker.Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+
+		return
+	}
+
+	defer callAndLogError(clientConn.Close)
+
+	// Bidirectional copy between client and destination
+	go func() {
+		_, err = io.Copy(destConn, clientConn)
+		if err != nil {
+			slog.Error(err.Error())
+		}
+	}()
+
+	_, err = io.Copy(clientConn, destConn)
+	if err != nil {
+		slog.Error(err.Error())
+	}
+}
+
+// HTTP proxy handler
+func handleHTTP(w http.ResponseWriter, r *http.Request) {
+	// Create a new request based on the incoming one
+	outReq, err := http.NewRequest(r.Method, r.RequestURI, r.Body)
+	if err != nil {
+		http.Error(w, "Error creating request", http.StatusInternalServerError)
+
+		return
+	}
+
+	outReq.Header = r.Header.Clone()
+
+	// Use http.DefaultTransport to perform the request
+	resp, err := http.DefaultTransport.RoundTrip(outReq)
+	if err != nil {
+		http.Error(w, "Error forwarding request: "+err.Error(), http.StatusBadGateway)
+
+		return
+	}
+
+	defer callAndLogError(resp.Body.Close)
+
+	// Copy response headers
+	for key, values := range resp.Header {
+		for _, value := range values {
+			w.Header().Add(key, value)
+		}
+	}
+
+	// Write status code
+	w.WriteHeader(resp.StatusCode)
+
+	// Copy body
+	_, err = io.Copy(w, resp.Body)
+	if err != nil {
+		slog.Error(err.Error())
+	}
+}
+
+func callAndLogError(f func() error) {
+	if err := f(); err != nil {
+		slog.Error(err.Error())
+	}
+}
+
+func main() {
+	server := &http.Server{
+		Addr:    ":8080", // listen on port 8080
+		Handler: http.HandlerFunc(handleProxy),
+	}
+
+	// Check if port is available
+	ln, err := net.Listen("tcp", server.Addr)
+	if err != nil {
+		log.Fatalf("Could not listen on %s: %v", server.Addr, err)
+	}
+
+	log.Printf("Proxy server listening on %s", server.Addr)
+
+	if err = server.Serve(ln); err != nil {
+		log.Fatalf("Server failed: %v", err)
+	}
+}
diff --git a/main_test.go b/main_test.go
@@ -0,0 +1,170 @@
+package main
+
+import (
+	"bytes"
+	"encoding/base64"
+	"errors"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestHandleRequestAndRedirect(t *testing.T) {
+	tests := []struct {
+		name           string
+		requestMethod  string
+		requestBody    string
+		requestHeaders map[string]string
+		mockResponse   *http.Response
+		mockError      error
+		expectedCode   int
+		expectedBody   string
+		dropCreds      bool
+	}{
+		{
+			name:          "successful http request",
+			requestMethod: http.MethodGet,
+			mockResponse: &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       io.NopCloser(bytes.NewBufferString("success")),
+			},
+			expectedCode: http.StatusOK,
+			expectedBody: "success",
+		},
+		{
+			name:          "bad gateway on forward error",
+			requestMethod: http.MethodGet,
+			mockError:     errors.New("dial tcp connection failed"),
+			expectedCode:  http.StatusBadGateway,
+			expectedBody:  "Error forwarding request: dial tcp connection failed\n",
+		},
+		{
+			name:          "request with wrong credentials",
+			requestMethod: http.MethodGet,
+			expectedCode:  http.StatusProxyAuthRequired,
+			expectedBody:  "Proxy Authentication Required\n",
+			dropCreds:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			originalTransport := http.DefaultTransport
+			defer func() { http.DefaultTransport = originalTransport }()
+
+			http.DefaultTransport = &mockTransport{
+				response: tt.mockResponse,
+				err:      tt.mockError,
+			}
+
+			req := httptest.NewRequest(tt.requestMethod, "/test", bytes.NewBufferString(tt.requestBody))
+			for k, v := range tt.requestHeaders {
+				req.Header.Add(k, v)
+			}
+
+			if !tt.dropCreds {
+				req.Header.Add(
+					"Proxy-Authorization",
+					"Basic "+base64.StdEncoding.EncodeToString([]byte("test-user:valid-pass")),
+				)
+			}
+
+			rr := httptest.NewRecorder()
+
+			t.Setenv("PROXY_USER", "test-user")
+			t.Setenv("PROXY_PASS", "valid-pass")
+
+			handleProxy(rr, req)
+
+			res := rr.Result()
+
+			t.Cleanup(callAndLogCleanup(t, res.Body.Close))
+
+			if res.StatusCode != tt.expectedCode {
+				t.Errorf("expected status %d, got %d", tt.expectedCode, res.StatusCode)
+			}
+
+			body, _ := io.ReadAll(res.Body)
+			if string(body) != tt.expectedBody {
+				t.Errorf("expected body %q, got %q", tt.expectedBody, string(body))
+			}
+
+			if tt.mockResponse != nil {
+				for key, values := range tt.mockResponse.Header {
+					for _, value := range values {
+						if rr.Header().Get(key) != value {
+							t.Errorf("expected header %q with value %q, got %q", key, value, rr.Header().Get(key))
+						}
+					}
+				}
+			}
+		})
+	}
+}
+
+type mockTransport struct {
+	response *http.Response
+	err      error
+}
+
+func (m *mockTransport) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return m.response, m.err
+}
+
+func callAndLogCleanup(t *testing.T, f func() error) func() {
+	t.Helper()
+
+	return func() {
+		if err := f(); err != nil {
+			t.Log(err)
+		}
+	}
+}
+
+// Start a simple TCP echo server
+func startEchoServer(t *testing.T) (addr string, closeFn func()) {
+	ln, err := net.Listen("tcp", "127.0.0.1:0") // random free port
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	go func() {
+		for {
+			conn, err := ln.Accept()
+			if err != nil {
+				return
+			}
+
+			go func(c net.Conn) {
+				defer callAndLogError(c.Close)
+
+				_, err = io.Copy(c, c) // echo back
+				if err != nil {
+					t.Error(err)
+				}
+			}(conn)
+		}
+	}()
+
+	return ln.Addr().String(), func() { callAndLogError(ln.Close) }
+}
+
+func TestHandleTunneling(t *testing.T) {
+	// Start upstream echo server
+	targetAddr, closeEcho := startEchoServer(t)
+	t.Cleanup(closeEcho)
+
+	// Fake CONNECT request to proxy
+	req := httptest.NewRequest(http.MethodConnect, targetAddr, nil)
+	w := httptest.NewRecorder()
+
+	// Run tunneling handler
+	handleTunneling(w, req)
+
+	// The proxy should reply with 200 (connection established)
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+}
