/*
* Copyright (c) 2014 The APN-PROXY Project
*
* The APN-PROXY Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package com.xx_dev.apn.proxy;
import com.xx_dev.apn.proxy.config.ApnProxyConfig;
import com.xx_dev.apn.proxy.config.ApnProxyListenType;
import com.xx_dev.apn.proxy.config.ApnProxyRemoteRule;
import com.xx_dev.apn.proxy.utils.HostNamePortUtil;
import com.xx_dev.apn.proxy.utils.HttpErrorUtil;
import com.xx_dev.apn.proxy.utils.LoggerUtil;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.*;
import io.netty.util.CharsetUtil;
import io.netty.util.ReferenceCountUtil;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
/**
* @author xmx
* @version $Id: com.xx_dev.apn.proxy.ApnProxyPreHandler 14-1-8 16:13 (xmx) Exp $
*/
public class ApnProxyPreHandler extends ChannelInboundHandlerAdapter {
public static final String HANDLER_NAME = "apnproxy.pre";
private static final Logger logger = Logger.getLogger(ApnProxyPreHandler.class);
private static final Logger httpRestLogger = Logger.getLogger("HTTP_REST_LOGGER");
private static String[] forbiddenIps = new String[]{"10.", "172.16.", "172.17.",
"172.18.", "172.19.", "172.20.", "172.21.", "172.22.", "172.23.", "172.24.", "172.25.",
"172.26.", "172.27.", "172.28.", "172.29.", "172.30.", "172.31.", "192.168."};
private static int[] forbiddenPorts = new int[]{20, 21, 22};
private boolean isPacRequest = false;
@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
if (preCheck(ctx, msg)) {
ctx.fireChannelRead(msg);
} else {
ReferenceCountUtil.release(msg);
}
}
private boolean preCheck(ChannelHandlerContext ctx, Object msg) {
if (msg instanceof HttpRequest) {
HttpRequest httpRequest = (HttpRequest) msg;
String originalHost = HostNamePortUtil.getHostName(httpRequest);
LoggerUtil.info(httpRestLogger, ctx.channel().remoteAddress().toString(),
httpRequest.getMethod().name(),
httpRequest.getUri(), httpRequest.getProtocolVersion().text(),
httpRequest.headers().get(HttpHeaders.Names.USER_AGENT));
isPacRequest = false;
// pac request
if (StringUtils.equals(originalHost, ApnProxyConfig.getConfig().getPacHost())) {
isPacRequest = true;
String pacContent = null;
if (ApnProxyConfig.getConfig().getListenType() == ApnProxyListenType.SSL) {
pacContent = buildPacForSsl();
} else {
pacContent = buildPacForPlain();
}
ByteBuf pacResponseContent = Unpooled.copiedBuffer(pacContent, CharsetUtil.UTF_8);
FullHttpMessage pacResponseMsg = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1,
HttpResponseStatus.OK, pacResponseContent);
HttpHeaders.setContentLength(pacResponseMsg, pacResponseContent.readableBytes());
HttpHeaders.setHeader(pacResponseMsg, "X-APN-PROXY-PAC", "OK");
HttpHeaders.setHeader(pacResponseMsg, "X-APN-PROXY-URL", "https://github.com/apn-proxy/apn-proxy");
HttpHeaders.setHeader(pacResponseMsg, "X-APN-PROXY-MSG", "We need more commiters!");
ctx.write(pacResponseMsg);
ctx.flush();
return false;
}
// forbid request to proxy server internal network
for (String forbiddenIp : forbiddenIps) {
if (StringUtils.startsWith(originalHost, forbiddenIp)) {
String errorMsg = "Forbidden";
ctx.write(HttpErrorUtil.buildHttpErrorMessage(HttpResponseStatus.FORBIDDEN,
errorMsg));
ctx.flush();
return false;
}
}
// forbid request to proxy server local
if (StringUtils.equals(originalHost, "127.0.0.1")
|| StringUtils.equals(originalHost, "localhost")) {
String errorMsg = "Forbidden Host";
ctx.write(HttpErrorUtil.buildHttpErrorMessage(HttpResponseStatus.FORBIDDEN,
errorMsg));
ctx.flush();
return false;
}
// forbid reqeust to some port
int originalPort = HostNamePortUtil.getPort(httpRequest);
for (int fobiddenPort : forbiddenPorts) {
if (originalPort == fobiddenPort) {
String errorMsg = "Forbidden Port";
ctx.write(HttpErrorUtil.buildHttpErrorMessage(HttpResponseStatus.FORBIDDEN,
errorMsg));
ctx.flush();
return false;
}
}
} else {
if (isPacRequest) {
return false;
}
}
return true;
}
private String buildPacForPlain() {
StringBuilder sb = new StringBuilder();
sb.append("function FindProxyForURL(url, host){var PROXY = \"PROXY ")
.append(ApnProxyConfig.getConfig().getPacHost()).append(":")
.append(ApnProxyConfig.getConfig().getPort()).append("\";var DEFAULT = \"DIRECT\";");
sb.append("var domains = [");
for (ApnProxyRemoteRule remoteRule : ApnProxyConfig.getConfig().getRemoteRuleList()) {
for (String originalHost : remoteRule.getOriginalHostList()) {
sb.append("\"").append(originalHost).append("\",");
}
}
sb.deleteCharAt(sb.length() - 1);
sb.append("];");
sb.append("for (var i = 0; i < domains.length; i++) {if (dnsDomainIs(host, domains[i])) {return PROXY};}");
sb.append("return DEFAULT;}");
return sb.toString();
}
private String buildPacForSsl() {
StringBuilder sb = new StringBuilder();
sb.append("function FindProxyForURL(url, host){var PROXY = \"HTTPS ")
.append(ApnProxyConfig.getConfig().getPacHost()).append(":")
.append(ApnProxyConfig.getConfig().getPort()).append("\";");
sb.append("return PROXY;}");
return sb.toString();
}
@Override
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
logger.error(cause.getMessage(), cause);
ctx.close();
}
}