Implement HTTP proxy authentication

3 years ago · 0fb58bec5d
4 changed files with 57 additions and 27 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -5,6 +5,7 @@ name = "tun2proxy"
 version = "0.1.1"

 [dependencies]
+base64 = { version = "0.21" }
 clap = { version = "4.1", features = ["derive"] }
 env_logger = "0.10"
 log = "0.4"
--- a/README.md
+++ b/README.md
@ -36,21 +36,39 @@ Note that if you paste these commands into a shell script, which you then run wi
 For DNS to work, you might need an additional tool like [dnsproxy](https://github.com/AdguardTeam/dnsproxy) that is
 configured to listen on a local UDP port and communicates with the upstream DNS server via TCP.

-## CLI
+## CLI (unstable)
 ```
 Tunnel interface to proxy.

-Usage: tun2proxy --tun <name> --proxy <type> --addr <ip:port>
+Usage: tun2proxy [OPTIONS] --tun <name> --proxy <type> --addr <ip:port>

 Options:
-  -t, --tun <name>      Name of the tun interface
-  -p, --proxy <type>    What proxy type to run [possible values: socks5, http]
-  -a, --addr <ip:port>  Server address with format ip:port
-  -h, --help            Print help (see more with '--help')
-  -V, --version         Print version
+  -t, --tun <name>
+          Name of the tun interface
+
+  -p, --proxy <type>
+          What proxy type to run
+
+          Possible values:
+          - socks5: SOCKS5 server to use
+          - http:   HTTP server to use
+
+  -a, --addr <ip:port>
+          Server address with format ip:port
+
+      --username <username>
+          Username for authentication
+
+      --password <password>
+          Password for authentication
+
+  -h, --help
+          Print help (see a summary with '-h')
+
+  -V, --version
+          Print version
 ```

 ## TODO
- Authentication for SOCKS (plain) and HTTP (base64)
 - UDP support for SOCKS
 - Virtual DNS
--- a/src/http.rs
+++ b/src/http.rs
@ -2,6 +2,7 @@ use crate::tun2proxy::{
    Connection, ConnectionManager, Credentials, IncomingDataEvent, IncomingDirection,
    OutgoingDataEvent, OutgoingDirection, ProxyError, TcpProxy,
 };
+use base64::Engine;
 use std::collections::VecDeque;
 use std::net::SocketAddr;

@ -25,28 +26,36 @@ pub struct HttpConnection {
 }

 impl HttpConnection {
-    fn new(connection: &Connection) -> Self {
-        let mut result = Self {
+    fn new(connection: &Connection, manager: std::rc::Rc<dyn ConnectionManager>) -> Self {
+        let mut server_outbuf: VecDeque<u8> = VecDeque::new();
+        {
+            let credentials = manager.get_credentials();
+            server_outbuf.extend(b"CONNECT ".iter());
+            server_outbuf.extend(connection.dst.to_string().as_bytes());
+            server_outbuf.extend(b" HTTP/1.1\r\nHost: ".iter());
+            server_outbuf.extend(connection.dst.to_string().as_bytes());
+            server_outbuf.extend(b"\r\n".iter());
+            if credentials.authenticate {
+                server_outbuf.extend(b"Proxy-Authorization: Basic ");
+                let mut auth_plain = credentials.username.clone();
+                auth_plain.extend(b":".iter());
+                auth_plain.extend(&credentials.password);
+                let auth_b64 = base64::engine::general_purpose::STANDARD.encode(auth_plain);
+                server_outbuf.extend(auth_b64.as_bytes().iter());
+                server_outbuf.extend(b"\r\n".iter());
+            }
+            server_outbuf.extend(b"\r\n".iter());
+        }
+
+        Self {
            state: HttpState::ExpectStatusCode,
            client_inbuf: Default::default(),
            server_inbuf: Default::default(),
            client_outbuf: Default::default(),
-            server_outbuf: Default::default(),
+            server_outbuf,
            data_buf: Default::default(),
            crlf_state: Default::default(),
-        };
-
-        result.server_outbuf.extend(b"CONNECT ".iter());
-        result
-            .server_outbuf
-            .extend(connection.dst.to_string().as_bytes());
-        result.server_outbuf.extend(b" HTTP/1.1\r\nHost: ".iter());
-        result
-            .server_outbuf
-            .extend(connection.dst.to_string().as_bytes());
-        result.server_outbuf.extend(b"\r\n\r\n".iter());
-
-        result
+        }
    }

    fn state_change(&mut self) -> Result<(), ProxyError> {
@ -167,12 +176,14 @@ impl ConnectionManager for HttpManager {
    fn new_connection(
        &self,
        connection: &Connection,
-        _manager: std::rc::Rc<dyn ConnectionManager>,
+        manager: std::rc::Rc<dyn ConnectionManager>,
    ) -> Option<std::boxed::Box<dyn TcpProxy>> {
        if connection.proto != smoltcp::wire::IpProtocol::Tcp.into() {
            return None;
        }
-        Some(std::boxed::Box::new(HttpConnection::new(connection)))
+        Some(std::boxed::Box::new(HttpConnection::new(
+            connection, manager,
+        )))
    }

    fn close_connection(&self, _: &Connection) {}
--- a/src/main.rs
+++ b/src/main.rs
@ -26,7 +26,7 @@ struct Args {
    #[clap(long, value_name = "username")]
    username: Option<String>,

-    /// Username for authentication
+    /// Password for authentication
    #[clap(long, value_name = "password")]
    password: Option<String>,
 }