add reverse proxying websocket connections

if we recognize that a request for a WebForward is trying to turn the connection into a websocket, we forward it to the backend and check if the backend understands the websocket request. if so, we pass back the upgrade response and get out of the way, copying bytes between the two. we do log the total amount of bytes read from the client and written to the client. if the backend doesn't respond with a websocke response, or an invalid one, we respond with a regular non-websocket response. and we log details about the failed connection, should help with debugging and any bug reports. we don't try to parse the websocket framing, that's between the client and the backend. we could try to parse it, in part to protect the backend from bad frames, but it would be a lot of work and could be brittle in the face of extensions. this doesn't yet handle websocket connections when a http proxy is configured. we'll implement it when someone needs it. we do recognize it and fail the connection. for issue #25
2025-07-10 07:14:40 +03:00 · 2023-05-30 22:11:31 +02:00
parent aca64828bd
commit 259928ab62
15 changed files with 1966 additions and 49 deletions
--- a/http/webserver_test.go
+++ b/http/webserver_test.go
@ -2,6 +2,9 @@ package http

 import (
 	"bytes"
+	"fmt"
+	"io"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@ -10,6 +13,8 @@ import (
 	"strings"
 	"testing"

+	"golang.org/x/net/websocket"
+
 	"github.com/mjl-/mox/mox-"
 )

@ -119,3 +124,184 @@ func TestWebserver(t *testing.T) {
 	test("GET", "http://mox.example/bogus", nil, http.StatusNotFound, "", nil)         // path not registered.
 	test("GET", "http://bogus.mox.example/static/", nil, http.StatusNotFound, "", nil) // domain not registered.
 }
+
+func TestWebsocket(t *testing.T) {
+	os.RemoveAll("../testdata/websocket/data")
+	mox.ConfigStaticPath = "../testdata/websocket/mox.conf"
+	mox.ConfigDynamicPath = filepath.Join(filepath.Dir(mox.ConfigStaticPath), "domains.conf")
+	mox.MustLoadConfig(false)
+
+	srv := &serve{Webserver: true}
+
+	var handler http.Handler // Active handler during test.
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		handler.ServeHTTP(w, r)
+	}))
+
+	defer backend.Close()
+	backendURL, err := url.Parse(backend.URL)
+	if err != nil {
+		t.Fatalf("parsing backend url: %v", err)
+	}
+	backendURL.Path = "/"
+
+	// warning: it is not normally allowed to access the dynamic config without lock. don't propagate accesses like this!
+	mox.Conf.Dynamic.WebHandlers[len(mox.Conf.Dynamic.WebHandlers)-1].WebForward.TargetURL = backendURL
+
+	server := httptest.NewServer(srv)
+	defer server.Close()
+
+	serverURL, err := url.Parse(server.URL)
+	tcheck(t, err, "parsing server url")
+	_, port, err := net.SplitHostPort(serverURL.Host)
+	tcheck(t, err, "parsing host port in server url")
+	wsurl := fmt.Sprintf("ws://%s/ws/", net.JoinHostPort("localhost", port))
+
+	handler = websocket.Handler(func(c *websocket.Conn) {
+		io.Copy(c, c)
+	})
+
+	// Test a correct websocket connection.
+	wsconn, err := websocket.Dial(wsurl, "ignored", "http://ignored.example")
+	tcheck(t, err, "websocket dial")
+	_, err = fmt.Fprint(wsconn, "test")
+	tcheck(t, err, "write to websocket")
+	buf := make([]byte, 128)
+	n, err := wsconn.Read(buf)
+	tcheck(t, err, "read from websocket")
+	if string(buf[:n]) != "test" {
+		t.Fatalf(`got websocket data %q, expected "test"`, buf[:n])
+	}
+	err = wsconn.Close()
+	tcheck(t, err, "closing websocket connection")
+
+	// Test with server.ServeHTTP directly.
+	test := func(method string, reqhdrs map[string]string, expCode int, expHeaders map[string]string) {
+		t.Helper()
+
+		req := httptest.NewRequest(method, wsurl, nil)
+		for k, v := range reqhdrs {
+			req.Header.Add(k, v)
+		}
+		rw := httptest.NewRecorder()
+		rw.Body = &bytes.Buffer{}
+		srv.ServeHTTP(rw, req)
+		resp := rw.Result()
+		if resp.StatusCode != expCode {
+			t.Fatalf("got statuscode %d, expected %d", resp.StatusCode, expCode)
+		}
+		for k, v := range expHeaders {
+			if xv := resp.Header.Get(k); xv != v {
+				t.Fatalf("got %q for header %q, expected %q", xv, k, v)
+			}
+		}
+	}
+
+	wsreqhdrs := map[string]string{
+		"Upgrade":               "keep-alive, websocket",
+		"Connection":            "X, Upgrade",
+		"Sec-Websocket-Version": "13",
+		"Sec-Websocket-Key":     "AAAAAAAAAAAAAAAAAAAAAA==",
+	}
+
+	test("POST", wsreqhdrs, http.StatusBadRequest, nil)
+
+	clone := func(m map[string]string) map[string]string {
+		r := map[string]string{}
+		for k, v := range m {
+			r[k] = v
+		}
+		return r
+	}
+
+	hdrs := clone(wsreqhdrs)
+	hdrs["Sec-Websocket-Version"] = "14"
+	test("GET", hdrs, http.StatusBadRequest, map[string]string{"Sec-Websocket-Version": "13"})
+
+	httpurl := fmt.Sprintf("http://%s/ws/", net.JoinHostPort("localhost", port))
+
+	// Must now do actual HTTP requests and read the HTTP response. Cannot call
+	// ServeHTTP because ResponseRecorder is not a http.Hijacker.
+	test = func(method string, reqhdrs map[string]string, expCode int, expHeaders map[string]string) {
+		t.Helper()
+
+		req, err := http.NewRequest(method, httpurl, nil)
+		for k, v := range reqhdrs {
+			req.Header.Add(k, v)
+		}
+		resp, err := http.DefaultClient.Do(req)
+		tcheck(t, err, "http transaction")
+		if resp.StatusCode != expCode {
+			t.Fatalf("got statuscode %d, expected %d", resp.StatusCode, expCode)
+		}
+		for k, v := range expHeaders {
+			if xv := resp.Header.Get(k); xv != v {
+				t.Fatalf("got %q for header %q, expected %q", xv, k, v)
+			}
+		}
+	}
+
+	hdrs = clone(wsreqhdrs)
+	hdrs["Sec-Websocket-Key"] = "malformed"
+	test("GET", hdrs, http.StatusBadRequest, nil)
+
+	hdrs = clone(wsreqhdrs)
+	hdrs["Sec-Websocket-Key"] = "c2hvcnQK" // "short"
+	test("GET", hdrs, http.StatusBadRequest, nil)
+
+	// Not responding with a 101, but with regular 200 OK response.
+	handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "bad", http.StatusOK)
+	})
+	test("GET", wsreqhdrs, http.StatusBadRequest, nil)
+
+	// Respond with 101, but other websocket response headers missing.
+	handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusSwitchingProtocols)
+	})
+	test("GET", wsreqhdrs, http.StatusBadRequest, nil)
+
+	// With Upgrade: websocket, without Connection: Upgrade
+	handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Upgrade", "websocket")
+		w.WriteHeader(http.StatusSwitchingProtocols)
+	})
+	test("GET", wsreqhdrs, http.StatusBadRequest, nil)
+
+	// With malformed Sec-WebSocket-Accept response header.
+	handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h := w.Header()
+		h.Set("Upgrade", "websocket")
+		h.Set("Connection", "Upgrade")
+		h.Set("Sec-WebSocket-Accept", "malformed")
+		w.WriteHeader(http.StatusSwitchingProtocols)
+	})
+	test("GET", wsreqhdrs, http.StatusBadRequest, nil)
+
+	// With malformed Sec-WebSocket-Accept response header.
+	handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h := w.Header()
+		h.Set("Upgrade", "websocket")
+		h.Set("Connection", "Upgrade")
+		h.Set("Sec-WebSocket-Accept", "YmFk") // "bad"
+		w.WriteHeader(http.StatusSwitchingProtocols)
+	})
+	test("GET", wsreqhdrs, http.StatusBadRequest, nil)
+
+	// All good.
+	wsresphdrs := map[string]string{
+		"Connection":           "Upgrade",
+		"Upgrade":              "websocket",
+		"Sec-Websocket-Accept": "ICX+Yqv66kxgM0FcWaLWlFLwTAI=",
+		"X-Test":               "mox",
+	}
+	handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h := w.Header()
+		h.Set("Upgrade", "websocket")
+		h.Set("Connection", "Upgrade")
+		h.Set("Sec-WebSocket-Accept", "ICX+Yqv66kxgM0FcWaLWlFLwTAI=")
+		w.WriteHeader(http.StatusSwitchingProtocols)
+	})
+	test("GET", wsreqhdrs, http.StatusSwitchingProtocols, wsresphdrs)
+
+}