Add basic auth, header logging, auth logging

jthomperoo · jthomperoo · commit c3d817eb4f1e · 2022-04-08T11:44:32.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+## Added
+- Basic auth support, can provide `--basic-auth 'username:password'` which the proxy then checks for valid auth
+provided in the `Proxy-Authentication` header.
+- Can choose if auth should be logged with the `--log-auth` option.
+- Can choose to log all request headers using the `--log-headers` option.
 
 ## [v1.0.0]
 ### Added
diff --git a/README.md b/README.md
@@ -7,14 +7,17 @@ Code based on the guide here: <https://medium.com/@mlowicki/http-s-proxy-in-gola
 
 ## Features
 
-- Supports HTTP and HTTPS.
-- Supports choosing which port.
-- Supports printing binary version number.
-- Supports specifying paths to certificate and private key file to use.
+- HTTP and HTTPS.
+- Can choose which port to run on.
+- Can specify paths to certificate and private key file to use.
 - Logs each proxied connection.
-- Supports log options can be supplied using `glog`.
+- Log options can be supplied using `glog`.
   - Can choose the log verbosity with the `-v` flag.
   - Can choose to log to a file.
+- Basic authentication.
+- Can log request headers.
+- Can log failed authentication attempt details.
+- Printing version number.
 
 ## Install
 
@@ -63,10 +66,16 @@ The program has the following options, you can see this list by using the `--hel
 Usage of simple-proxy:
   -alsologtostderr
     	log to standard error as well as files
+  -basic-auth string
+    	basic auth, format 'username:password', no auth if not provided
   -cert string
     	path to cert file
   -key string
     	path to key file
+  -log-auth
+    	log failed proxy auth details
+  -log-headers
+    	log request headers
   -log_backtrace_at value
     	when logging hits line file:N, emit a stack trace
   -log_dir string
diff --git a/main.go b/main.go
@@ -7,6 +7,8 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strings"
+	"time"
 
 	"github.com/golang/glog"
 	"github.com/jthomperoo/simple-proxy/proxy"
@@ -36,6 +38,12 @@ func main() {
 	flag.StringVar(&certPath, "cert", "", "path to cert file")
 	var keyPath string
 	flag.StringVar(&keyPath, "key", "", "path to key file")
+	var basicAuth string
+	flag.StringVar(&basicAuth, "basic-auth", "", "basic auth, format 'username:password', no auth if not provided")
+	var logAuth bool
+	flag.BoolVar(&logAuth, "log-auth", false, "log failed proxy auth details")
+	var logHeaders bool
+	flag.BoolVar(&logHeaders, "log-headers", false, "log request headers")
 	var timeoutSecs int
 	flag.IntVar(&timeoutSecs, "timeout", 10, "timeout in seconds")
 	flag.Parse()
@@ -50,12 +58,33 @@ func main() {
 	}
 
 	if protocol == httpsProtocol && (certPath == "" || keyPath == "") {
-		glog.Fatalf("If using HTTPS protocol --cert and --key are required")
+		glog.Fatalf("If using HTTPS protocol --cert and --key are required\n")
+	}
+
+	var handler http.Handler
+	if basicAuth == "" {
+		handler = &proxy.ProxyHandler{
+			Timeout:    time.Duration(timeoutSecs) * time.Second,
+			LogAuth:    logAuth,
+			LogHeaders: logHeaders,
+		}
+	} else {
+		parts := strings.Split(basicAuth, ":")
+		if len(parts) < 2 {
+			glog.Fatalf("Invalid basic auth provided, must be in format 'username:password', auth: %s\n", basicAuth)
+		}
+		handler = &proxy.ProxyHandler{
+			Timeout:    time.Duration(timeoutSecs) * time.Second,
+			Username:   &parts[0],
+			Password:   &parts[1],
+			LogAuth:    logAuth,
+			LogHeaders: logHeaders,
+		}
 	}
 
 	server := &http.Server{
 		Addr:    fmt.Sprintf(":%s", port),
-		Handler: proxy.NewProxyHandler(timeoutSecs),
+		Handler: handler,
 		// Disable HTTP/2.
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
 	}
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -1,9 +1,11 @@
 package proxy
 
 import (
+	"encoding/base64"
 	"io"
 	"net"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/golang/glog"
@@ -16,11 +18,34 @@ func NewProxyHandler(timeoutSeconds int) *ProxyHandler {
 }
 
 type ProxyHandler struct {
-	Timeout time.Duration
+	Timeout    time.Duration
+	Username   *string
+	Password   *string
+	LogAuth    bool
+	LogHeaders bool
 }
 
 func (p *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	glog.V(1).Infof("Serving '%s' request from '%s' to '%s'\n", r.Method, r.RemoteAddr, r.Host)
+	if p.LogHeaders {
+		for name, values := range r.Header {
+			for i, value := range values {
+				glog.V(1).Infof("'%s': [%d] %s", name, i, value)
+			}
+		}
+	}
+	if p.Username != nil && p.Password != nil {
+		username, password, ok := proxyBasicAuth(r)
+		if !ok || username != *p.Username || password != *p.Password {
+			if p.LogAuth {
+				glog.Errorf("Unauthorized, username: %s, password: %s\n", username, password)
+			} else {
+				glog.Errorln("Unauthorized")
+			}
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+	}
 	if r.Method == http.MethodConnect {
 		handleTunneling(w, r, p.Timeout)
 	} else {
@@ -77,3 +102,53 @@ func copyHeader(dst, src http.Header) {
 		}
 	}
 }
+
+func proxyBasicAuth(r *http.Request) (username, password string, ok bool) {
+	auth := r.Header.Get("Proxy-Authorization")
+	if auth == "" {
+		return
+	}
+	return parseBasicAuth(auth)
+}
+
+// parseBasicAuth parses an HTTP Basic Authentication string.
+// "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" returns ("Aladdin", "open sesame", true).
+func parseBasicAuth(auth string) (username, password string, ok bool) {
+	const prefix = "Basic "
+	// Case insensitive prefix match. See Issue 22736.
+	if len(auth) < len(prefix) || !equalFold(auth[:len(prefix)], prefix) {
+		return
+	}
+	c, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
+	if err != nil {
+		return
+	}
+	cs := string(c)
+	s := strings.IndexByte(cs, ':')
+	if s < 0 {
+		return
+	}
+	return cs[:s], cs[s+1:], true
+}
+
+// EqualFold is strings.EqualFold, ASCII only. It reports whether s and t
+// are equal, ASCII-case-insensitively.
+func equalFold(s, t string) bool {
+	if len(s) != len(t) {
+		return false
+	}
+	for i := 0; i < len(s); i++ {
+		if lower(s[i]) != lower(t[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+// lower returns the ASCII lowercase version of b.
+func lower(b byte) byte {
+	if 'A' <= b && b <= 'Z' {
+		return b + ('a' - 'A')
+	}
+	return b
+}
