HTTP proxy support for outgoing request, manage access to hidden service (#7134)

author MIYAGI Hikaru <hcmiya@users.noreply.github.com>

Wed, 25 Apr 2018 00:14:49 +0000 (09:14 +0900)

committer Eugen Rochko <eugen@zeonfederated.com>

Wed, 25 Apr 2018 00:14:49 +0000 (02:14 +0200)
author MIYAGI Hikaru <hcmiya@users.noreply.github.com>
Wed, 25 Apr 2018 00:14:49 +0000 (09:14 +0900)
committer Eugen Rochko <eugen@zeonfederated.com>
Wed, 25 Apr 2018 00:14:49 +0000 (02:14 +0200)
diff --git a/.env.production.sample b/.env.production.sample

index 9de2c06506c238cc4bea7d94572e3cd3fb11488d..c936546da835b90f6c729506a3119841600b09ff 100644 (file)
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -214,3 +214,10 @@ STREAMING_CLUSTER_NUM=1
  # SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
  # SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
  # SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
+
+# Use HTTP proxy for outgoing request (optional)
+# http_proxy=http://gateway.local:8118
+# Access control for hidden service.
+# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
+# If you use transparent proxy to access to hidden service, uncomment following for skipping private address check.
+# HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY=true
diff --git a/app/lib/request.rb b/app/lib/request.rb

index dca93a6e959b58869d4cce783c1d1ed602d808d7..0acd654da0441fadeb35c1642b074c459e8673af 100644 (file)
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@@ -11,9 +11,10 @@ class Request
    def initialize(verb, url, **options)
      @verb    = verb
      @url     = Addressable::URI.parse(url).normalize
-    @options = options.merge(socket_class: Socket)
+    @options = options.merge(use_proxy? ? Rails.configuration.x.http_client_proxy : { socket_class: Socket })
      @headers = {}
  
+    raise Mastodon::HostValidationError, 'Instance does not support hidden service connections' if block_hidden_service?
      set_common_headers!
      set_digest! if options.key?(:body)
    end
@@ -99,6 +100,14 @@ class Request
      @http_client ||= HTTP.timeout(:per_operation, timeout).follow(max_hops: 2)
    end
  
+  def use_proxy?
+    Rails.configuration.x.http_client_proxy.present?
+  end
+
+  def block_hidden_service?
+    !Rails.configuration.x.access_to_hidden_service && /\.(onion|i2p)$/.match(@url.host)
+  end
+
    module ClientLimit
      def body_with_limit(limit = 1.megabyte)
        raise Mastodon::LengthValidationError if content_length.present? && content_length > limit
@@ -129,6 +138,7 @@ class Request
    class Socket < TCPSocket
      class << self
        def open(host, *args)
+        return super host, *args if thru_hidden_service? host
          outer_e = nil
          Addrinfo.foreach(host, nil, nil, :SOCK_STREAM) do |address|
            begin
@@ -142,6 +152,10 @@ class Request
        end
  
        alias new open
+
+      def thru_hidden_service?(host)
+        Rails.configuration.x.hidden_service_via_transparent_proxy && /\.(onion|i2p)$/.match(host)
+      end
      end
    end
  
diff --git a/config/initializers/http_client_proxy.rb b/config/initializers/http_client_proxy.rb

new file mode 100644 (file)

index 0000000..f5026d5
--- /dev/null
+++ b/config/initializers/http_client_proxy.rb
@@ -0,0 +1,24 @@
+Rails.application.configure do
+  config.x.http_client_proxy = {}
+  if ENV['http_proxy'].present?
+    proxy = URI.parse(ENV['http_proxy'])
+    raise "Unsupported proxy type: #{proxy.scheme}" unless %w(http https).include? proxy.scheme
+    raise "No proxy host" unless proxy.host
+
+    host = proxy.host
+    host = host[1...-1] if host[0] == '[' #for IPv6 address
+    config.x.http_client_proxy[:proxy] = { proxy_address: host, proxy_port: proxy.port, proxy_username: proxy.user, proxy_password: proxy.password }.compact
+  end
+
+  config.x.access_to_hidden_service = ENV['ALLOW_ACCESS_TO_HIDDEN_SERVICE'] == 'true'
+  config.x.hidden_service_via_transparent_proxy = ENV['HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY'] == 'true'
+end
+
+module Goldfinger
+  def self.finger(uri, opts = {})
+    to_hidden = /\.(onion|i2p)(:\d+)?$/.match(uri)
+    raise Mastodon::HostValidationError, 'Instance does not support hidden service connections' if !Rails.configuration.x.access_to_hidden_service && to_hidden
+    opts = opts.merge(Rails.configuration.x.http_client_proxy).merge(ssl: !to_hidden)
+    Goldfinger::Client.new(uri, opts).finger
+  end
+end
author	MIYAGI Hikaru <hcmiya@users.noreply.github.com>
	Wed, 25 Apr 2018 00:14:49 +0000 (09:14 +0900)
committer	Eugen Rochko <eugen@zeonfederated.com>
	Wed, 25 Apr 2018 00:14:49 +0000 (02:14 +0200)
.env.production.sample		patch \| blob \| history
app/lib/request.rb		patch \| blob \| history
config/initializers/http_client_proxy.rb	[new file with mode: 0644]	patch \| blob