proxy

package
v0.3.12 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2026 License: AGPL-3.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrNotHTTP             = errors.New("not an http/1.x request")
	ErrHTTPPreludeTooLarge = errors.New("http prelude exceeds limit")
)
View Source 
var ErrMissingSNI = errors.New("missing sni in clienthello")

ErrMissingSNI indicates a valid TLS ClientHello without an SNI value.

Functions

func GetBuffer 

func GetBuffer() *[]byte

GetBuffer retrieves a buffer from the pool.

func NewSingleConnListener 

func NewSingleConnListener(conn net.Conn) net.Listener

NewSingleConnListener creates a new SingleConnListener.

func PeekHTTPHostAndPrelude 

func PeekHTTPHostAndPrelude(conn net.Conn, timeouts PeekTimeouts, maxPrelude int) (host string, path string, prelude []byte, err error)

PeekHTTPHostAndPrelude uses net/http to parse the request line and headers to extract the Host and Path, while teeing all bytes read so they can be replayed to the backend as a prelude. Deadline behavior is governed by timeouts (see PeekTimeouts); AbsDeadline may be shared with an earlier TLS peek call so a single connection's total peek budget is bounded.

func PeekSNIAndPrelude 

func PeekSNIAndPrelude(conn net.Conn, timeouts PeekTimeouts, maxPrelude int) (string, []byte, error)

PeekSNIAndPrelude reads only as much as needed to obtain the SNI from the incoming TLS ClientHello using crypto/tls, capturing the bytes that were read so they can be replayed to the chosen backend. It returns the server name (lowercased) and the captured prelude. If the connection is not TLS or the handshake is malformed, an error is returned.

func PutBuffer 

func PutBuffer(buf *[]byte)

PutBuffer returns a buffer to the pool.

func WithPrelude 

func WithPrelude(conn net.Conn, prelude []byte) net.Conn

WithPrelude returns a net.Conn whose Read will yield prelude first, then the remaining bytes from conn. Useful when an earlier sniff consumed bytes that should still be visible to a protocol handler (e.g., serving ACME HTTP).

Types

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client represents a single connection from an end-user.

func NewClient 

func NewClient(conn net.Conn, backend iface.Backend, cfg *config.Config, hostname string, isTLS bool) *Client

NewClient creates a new client handler.

func NewClientWithPrelude 

func NewClientWithPrelude(conn net.Conn, backend iface.Backend, cfg *config.Config, hostname string, initial []byte, isTLS bool) *Client

NewClientWithPrelude is like NewClient, but will send the provided initial bytes to the backend immediately after establishing the client association before streaming any further data read from conn. Useful when earlier sniff logic consumed and recorded initial bytes (e.g., TLS ClientHello or HTTP headers).

func (*Client) Start 

func (c *Client) Start()

Start begins the bi-directional proxying of data.

type Listener 

type Listener struct {
	// contains filtered or unexported fields
}

Listener is responsible for accepting incoming connections from end-users.

func NewListener 

func NewListener(cfg *config.Config, hub iface.Hub, pm iface.PeerManager, acme http.Handler, acmeTLS *tls.Config) *Listener

NewListener creates a new Listener instance.

func (*Listener) Run 

func (l *Listener) Run()

Run starts listeners on all configured proxy ports.

func (*Listener) Stop 

func (l *Listener) Stop()

Stop gracefully closes all active network listeners.

type PausableConn 

type PausableConn struct {
	net.Conn
	// contains filtered or unexported fields
}

PausableConn wraps a net.Conn with pause/resume capability. When paused, Read() blocks until Resume() is called or Close() is called.

func NewPausableConn 

func NewPausableConn(conn net.Conn) *PausableConn

NewPausableConn wraps an existing connection.

func (*PausableConn) Close 

func (pc *PausableConn) Close() error

Close unblocks waiting readers and closes the underlying connection.

func (*PausableConn) IsPaused 

func (pc *PausableConn) IsPaused() bool

IsPaused returns the current pause state.

func (*PausableConn) Pause 

func (pc *PausableConn) Pause()

Pause signals reads should block. Idempotent. No-op if already closed.

func (*PausableConn) Read 

func (pc *PausableConn) Read(b []byte) (int, error)

Read blocks if paused, then delegates to underlying conn.

func (*PausableConn) Resume 

func (pc *PausableConn) Resume()

Resume signals reads can proceed. Idempotent. No-op if already closed.

func (*PausableConn) Unwrap 

func (pc *PausableConn) Unwrap() net.Conn

Unwrap returns the underlying net.Conn for low-level TCP operations such as half-close (CloseWrite).

type PeekTimeouts added in v0.3.12 

type PeekTimeouts struct {
	FirstByte     time.Duration
	IdleExtension time.Duration
	AbsDeadline   time.Time
}

PeekTimeouts controls the deadline regime used by the protocol-sniff peek functions. The three-knob design accommodates slow-start clients (e.g., embedded devices doing ECDHE keygen between TCP accept and ClientHello emission) while bounding total peek duration against slowloris-style holdtime attacks.

Semantics:

  • FirstByte sets the initial read deadline. A truly silent client fails here. MUST be > 0; a zero-value PeekTimeouts{} will time out every peek immediately. Callers should obtain a populated struct via the config accessors (Config.PeekFirstByteTimeout etc.), never construct directly with zero values.
  • IdleExtension is added to the deadline on every successful kernel-level Read (n > 0). Once bytes are flowing, the caller stays patient as long as the client keeps producing bytes.
  • AbsDeadline is a hard wall-clock ceiling. The deadline never extends past it, regardless of activity. Callers share AbsDeadline across multiple sequential peek phases (TLS then HTTP) so a single connection's total peek time is bounded by one AbsDeadline, not two.

type SingleConnListener 

type SingleConnListener struct {
	// contains filtered or unexported fields
}

SingleConnListener is a net.Listener that exposes exactly one pre-existing connection to an http.Server. It returns the connection once from Accept. Subsequent Accept calls block until the connection is closed, then return net.ErrClosed. This prevents premature server shutdown races.

func (*SingleConnListener) Accept 

func (l *SingleConnListener) Accept() (net.Conn, error)

Accept returns the connection on the first call. On subsequent calls it blocks until the connection is closed, then returns net.ErrClosed.

func (*SingleConnListener) Addr 

func (l *SingleConnListener) Addr() net.Addr

Addr returns the single connection's local address.

func (*SingleConnListener) Close 

func (l *SingleConnListener) Close() error

Close closes the underlying connection and unblocks any Accept waiters.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.