Add Relay URL Check in Snowflake Proxy

This commit is contained in:
Shelikhoo 2022-04-13 16:20:52 +01:00
parent 02c6f764c9
commit b09a2e09b3
No known key found for this signature in database
GPG key ID: C4D5E79D22B25316
2 changed files with 13 additions and 1 deletions


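--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -119,6 +119,7 @@ type SnowflakeProxy struct {
 // There is no look ahead assertion when matching domain name suffix,
 // thus the string prepend the suffix does not need to be empty or ends with a dot.
 RelayDomainNamePattern string
+AllowNonTLSRelay bool
 // NATProbeURL is the URL of the probe service we use for NAT checks
 NATProbeURL string
 // NATTypeMeasurementInterval is time before NAT type is retested
@@ -496,7 +497,13 @@ func (sf *SnowflakeProxy) runSession(sid string) {
 return
 }
 matcher := namematcher.NewNameMatcher(sf.RelayDomainNamePattern)
-if relayURL != "" && !matcher.IsMember(relayURL) {
+parsedRelayURL, err := url.Parse(relayURL)
+if err != nil {
+log.Printf("bad offer from broker: bad Relay URL %v", err.Error())
+tokens.ret()
+return
+}
+if relayURL != "" && (!matcher.IsMember(parsedRelayURL.Hostname()) || (!sf.AllowNonTLSRelay && parsedRelayURL.Scheme != "wss")) {
 log.Printf("bad offer from broker: rejected Relay URL")
 tokens.ret()
 return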
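Review bot: The second new `if` in the runSession hunk folds two different failures — a hostname outside RelayDomainNamePattern and a non-`wss` scheme while AllowNonTLSRelay is false — into the single message `rejected Relay URL`, so an operator reading the log cannot tell which check refused the broker's offer. Including the parsed parts makes the reason visible, e.g. `log.Printf("bad offer from broker: rejected Relay URL (host %q, scheme %q)", parsedRelayURL.Hostname(), parsedRelayURL.Scheme)`, or the condition can be split into two guards with distinct messages. Note also that `url.Parse` accepts a value with no scheme or authority (a bare `host:port` parses with `host` as the scheme), in which case `Hostname()` is an empty string and the decision rests on how `NewNameMatcher` treats an empty name — that type is not visible here, so it is worth confirming. The new `AllowNonTLSRelay` field in the first hunk is the only visible struct field without a comment; `// AllowNonTLSRelay permits relay URLs whose scheme is not wss; by default such offers are rejected.` would match its neighbours. `runSession` begins and ends outside this hunk.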


@ -21,6 +21,8 @@ func main() {
unsafeLogging := flag.Bool("unsafe-logging", false, "prevent logs from being scrubbed") unsafeLogging := flag.Bool("unsafe-logging", false, "prevent logs from being scrubbed")
keepLocalAddresses := flag.Bool("keep-local-addresses", false, "keep local LAN address ICE candidates") keepLocalAddresses := flag.Bool("keep-local-addresses", false, "keep local LAN address ICE candidates")
relayURL := flag.String("relay", sf.DefaultRelayURL, "websocket relay URL") relayURL := flag.String("relay", sf.DefaultRelayURL, "websocket relay URL")
allowedRelayHostNamePattern := flag.String("allowed-relay-hostname-pattern", "", "a pattern to specify allowed hostname pattern for relay URL.")
allowNonTLSRelay := flag.Bool("allow-non-tls-relay", false, "allow relay without tls encryption")
NATTypeMeasurementInterval := flag.Duration("nat-retest-interval", time.Hour*24, NATTypeMeasurementInterval := flag.Duration("nat-retest-interval", time.Hour*24,
"the time interval in second before NAT type is retested, 0s disables retest. Valid time units are \"s\", \"m\", \"h\". ") "the time interval in second before NAT type is retested, 0s disables retest. Valid time units are \"s\", \"m\", \"h\". ")
SummaryInterval := flag.Duration("summary-interval", time.Hour, SummaryInterval := flag.Duration("summary-interval", time.Hour,
@ -40,6 +42,9 @@ func main() {
NATTypeMeasurementInterval: *NATTypeMeasurementInterval, NATTypeMeasurementInterval: *NATTypeMeasurementInterval,
EventDispatcher: eventLogger, EventDispatcher: eventLogger,
RelayDomainNamePattern: *allowedRelayHostNamePattern,
AllowNonTLSRelay: *allowNonTLSRelay,
} }
var logOutput io.Writer = os.Stderr var logOutput io.Writer = os.Stderr