merged jpillora#72 which adds reverse tunnelling (thanks @sunshineco!), fixed potential race, USR2 to print go stats, many small cleanups

Author: jpillora

Dockerfile

@@ -1,4 +1,4 @@
-# build stage (go modules! farewell GOPATH!)
+# build stage
 FROM golang:alpine AS build-env
 LABEL maintainer="[email protected]"
 RUN apk update

README.md

@@ -47,18 +47,18 @@ A [demo app](https://chisel-demo.herokuapp.com) on Heroku is running this `chise
 
 ```sh
 $ chisel server --port $PORT --proxy http://example.com
-# listens on $PORT, proxy web requests to 'http://example.com'
+# listens on $PORT, proxy web requests to http://example.com
 ```
 
 This demo app is also running a [simple file server](https://www.npmjs.com/package/serve) on `:3000`, which is normally inaccessible due to Heroku's firewall. However, if we tunnel in with:
 
 ```sh
 $ chisel client https://chisel-demo.herokuapp.com 3000
-# connects to 'https://chisel-demo.herokuapp.com',
+# connects to chisel server at https://chisel-demo.herokuapp.com,
 # tunnels your localhost:3000 to the server's localhost:3000
 ```
 
-and then visit [localhost:3000](http://localhost:3000/), we should see a directory listing of the demo app's root. Also, if we visit the [demo app](https://chisel-demo.herokuapp.com) in the browser we should hit the server's default proxy and see a copy of [example.com](http://example.com).
+and then visit [localhost:3000](http://localhost:3000/), we should see a directory listing. Also, if we visit the [demo app](https://chisel-demo.herokuapp.com) in the browser we should hit the server's default proxy and see a copy of [example.com](http://example.com).
 
 ### Usage
 

client/client.go

@@ -35,7 +35,6 @@ type Client struct {
 	*chshare.Logger
 	config       *Config
 	sshConfig    *ssh.ClientConfig
-	proxies      []*chshare.TCPProxy
 	sshConn      ssh.Conn
 	httpProxyURL *url.URL
 	server       string
@@ -132,43 +131,39 @@ func (c *Client) Start(ctx context.Context) error {
 	if c.httpProxyURL != nil {
 		via = " via " + c.httpProxyURL.String()
 	}
-	//prepare proxies
+	//prepare non-reverse proxies
 	for i, r := range c.config.shared.Remotes {
-		if r.Reverse {
-			continue
-		}
-		proxy := chshare.NewTCPProxy(c.Logger, func() ssh.Conn { return c.sshConn }, i, r)
-		if err := proxy.Start(ctx); err != nil {
-			return err
+		if !r.Reverse {
+			proxy := chshare.NewTCPProxy(c.Logger, func() ssh.Conn { return c.sshConn }, i, r)
+			if err := proxy.Start(ctx); err != nil {
+				return err
+			}
 		}
-		c.proxies = append(c.proxies, proxy)
 	}
 	c.Infof("Connecting to %s%s\n", c.server, via)
-	//
-	go c.loop()
+	//optional keepalive loop
+	if c.config.KeepAlive > 0 {
+		go c.keepAliveLoop()
+	}
+	//connection loop
+	go c.connectionLoop()
 	return nil
 }
 
-func (c *Client) loop() {
-	//optional keepalive loop
-	if c.config.KeepAlive > 0 {
-		go func() {
-			for range time.Tick(c.config.KeepAlive) {
-				if c.sshConn != nil {
-					c.sshConn.SendRequest("ping", true, nil)
-				} else {
-					break
-				}
-			}
-		}()
+func (c *Client) keepAliveLoop() {
+	for c.running {
+		time.Sleep(c.config.KeepAlive)
+		if c.sshConn != nil {
+			c.sshConn.SendRequest("ping", true, nil)
+		}
 	}
+}
+
+func (c *Client) connectionLoop() {
 	//connection loop!
 	var connerr error
 	b := &backoff.Backoff{Max: c.config.MaxRetryInterval}
-	for {
-		if !c.running {
-			break
-		}
+	for c.running {
 		if connerr != nil {
 			attempt := int(b.Attempt())
 			maxAttempt := c.config.MaxRetryCount
@@ -272,10 +267,11 @@ func (c *Client) connectStreams(chans <-chan ssh.NewChannel) {
 		remote := string(ch.ExtraData())
 		stream, reqs, err := ch.Accept()
 		if err != nil {
-			c.Logger.Debugf("Failed to accept stream: %s", err)
+			c.Debugf("Failed to accept stream: %s", err)
 			continue
 		}
 		go ssh.DiscardRequests(reqs)
-		go chshare.HandleTCPStream(c.Logger.Fork("tcp#%05d", c.connStats.New()), &c.connStats, stream, remote)
+		l := c.Logger.Fork("conn#%d", c.connStats.New())
+		go chshare.HandleTCPStream(l, &c.connStats, stream, remote)
 	}
 }

main.go

@@ -61,12 +61,17 @@ func main() {
 }
 
 var commonHelp = `
-    --pid Generate pid file in current directory
+    --pid Generate pid file in current working directory
 
     -v, Enable verbose logging
 
     --help, This help text
 
+  Signals:
+    The chisel process is listening for:
+      a SIGUSR2 to print process stats, and
+      a SIGHUP to short-circuit the client reconnect timer
+
   Version:
     ` + chshare.BuildVersion + `
 
@@ -181,6 +186,7 @@ func server(args []string) {
 	if *pid {
 		generatePidFile()
 	}
+	go chshare.GoStats()
 	if err = s.Run(*host, *port); err != nil {
 		log.Fatal(err)
 	}
@@ -219,12 +225,17 @@ var clientHelp = `
       5000:socks
       R:2222:localhost:22
 
-    *When the chisel server has --socks5 enabled, remotes can
+    When the chisel server has --socks5 enabled, remotes can
     specify "socks" in place of remote-host and remote-port.
     The default local host and port for a "socks" remote is
     127.0.0.1:1080. Connections to this remote will terminate
     at the server's internal SOCKS5 proxy.
 
+    When the chisel server has --reverse enabled, remotes can
+    be prefixed with R to denote that they are reversed. That
+    is, the server will listen and accept connections, and they
+    will be proxied through the client which specified the remote.
+
   Options:
 
     --fingerprint, A *strongly recommended* fingerprint string
@@ -276,11 +287,9 @@ func client(args []string) {
 	if len(args) < 2 {
 		log.Fatalf("A server and least one remote is required")
 	}
-
 	if *auth == "" {
 		*auth = os.Getenv("AUTH")
 	}
-
 	c, err := chclient.NewClient(&chclient.Config{
 		Fingerprint:      *fingerprint,
 		Auth:             *auth,
@@ -298,6 +307,7 @@ func client(args []string) {
 	if *pid {
 		generatePidFile()
 	}
+	go chshare.GoStats()
 	if err = c.Run(); err != nil {
 		log.Fatal(err)
 	}

server/handler.go

@@ -18,9 +18,14 @@ func (s *Server) handleClientHandler(w http.ResponseWriter, r *http.Request) {
 	//websockets upgrade AND has chisel prefix
 	upgrade := strings.ToLower(r.Header.Get("Upgrade"))
 	protocol := r.Header.Get("Sec-WebSocket-Protocol")
-	if upgrade == "websocket" && protocol == chshare.ProtocolVersion {
-		s.handleWebsocket(w, r)
-		return
+	if upgrade == "websocket" && strings.HasPrefix(protocol, "chisel-") {
+		if protocol == chshare.ProtocolVersion {
+			s.handleWebsocket(w, r)
+			return
+		}
+		//print into server logs and silently fall-through
+		s.Infof("ignored client connection using protocol version %s (expected %s)",
+			protocol, chshare.ProtocolVersion)
 	}
 	//proxy target was provided
 	if s.reverseProxy != nil {
@@ -62,8 +67,8 @@ func (s *Server) handleWebsocket(w http.ResponseWriter, req *http.Request) {
 	var user *chshare.User
 	if s.users.Len() > 0 {
 		sid := string(sshConn.SessionID())
-		user = s.sessions[sid]
-		defer delete(s.sessions, sid)
+		user, _ = s.sessions.Get(sid)
+		s.sessions.Del(sid)
 	}
 	//verify configuration
 	clog.Debugf("Verifying configuration")
@@ -76,6 +81,7 @@ func (s *Server) handleWebsocket(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 	failed := func(err error) {
+		clog.Debugf("Failed: %s", err)
 		r.Reply(false, []byte(err.Error()))
 	}
 	if r.Type != "config" {
@@ -87,6 +93,7 @@ func (s *Server) handleWebsocket(w http.ResponseWriter, req *http.Request) {
 		failed(s.Errorf("invalid config"))
 		return
 	}
+	//print if client and server  versions dont match
 	if c.Version != chshare.BuildVersion {
 		v := c.Version
 		if v == "" {
@@ -95,6 +102,7 @@ func (s *Server) handleWebsocket(w http.ResponseWriter, req *http.Request) {
 		clog.Infof("Client version (%s) differs from server version (%s)",
 			v, chshare.BuildVersion)
 	}
+	//confirm reverse tunnels are allowed
 	for _, r := range c.Remotes {
 		if r.Reverse && !s.reverseOk {
 			clog.Debugf("Denied reverse port forwarding request, please enable --reverse")
@@ -122,13 +130,12 @@ func (s *Server) handleWebsocket(w http.ResponseWriter, req *http.Request) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	for i, r := range c.Remotes {
-		if !r.Reverse {
-			continue
-		}
-		proxy := chshare.NewTCPProxy(s.Logger, func() ssh.Conn { return sshConn }, i, r)
-		if err := proxy.Start(ctx); err != nil {
-			failed(s.Errorf("start '%v' error: %v", r, err))
-			return
+		if r.Reverse {
+			proxy := chshare.NewTCPProxy(s.Logger, func() ssh.Conn { return sshConn }, i, r)
+			if err := proxy.Start(ctx); err != nil {
+				failed(s.Errorf("%s", err))
+				return
+			}
 		}
 	}
 	//success!
@@ -172,23 +179,22 @@ func (s *Server) handleSSHChannels(clientLog *chshare.Logger, chans <-chan ssh.N
 		//handle stream type
 		connID := s.connStats.New()
 		if socks {
-			go s.handleSocksStream(clientLog.Fork("socks#%05d", connID), stream)
+			go s.handleSocksStream(clientLog.Fork("socksconn#%d", connID), stream)
 		} else {
-			go chshare.HandleTCPStream(clientLog.Fork(" tcp#%05d", connID), &s.connStats, stream, remote)
+			go chshare.HandleTCPStream(clientLog.Fork("conn#%d", connID), &s.connStats, stream, remote)
 		}
 	}
 }
 
 func (s *Server) handleSocksStream(l *chshare.Logger, src io.ReadWriteCloser) {
 	conn := chshare.NewRWCConn(src)
-	// conn.SetDeadline(time.Now().Add(30 * time.Second))
 	s.connStats.Open()
-	l.Debugf("%s Opening", s.connStats.Status())
+	l.Debugf("%s Opening", s.connStats)
 	err := s.socksServer.ServeConn(conn)
 	s.connStats.Close()
 	if err != nil && !strings.HasSuffix(err.Error(), "EOF") {
-		l.Debugf("%s Closed (error: %s)", s.connStats.Status(), err)
+		l.Debugf("%s: Closed (error: %s)", s.connStats, err)
 	} else {
-		l.Debugf("%s Closed", s.connStats.Status())
+		l.Debugf("%s: Closed", s.connStats)
 	}
 }

server/server.go

@@ -36,7 +36,7 @@ type Server struct {
 	httpServer   *chshare.HTTPServer
 	reverseProxy *httputil.ReverseProxy
 	sessCount    int32
-	sessions     chshare.Users
+	sessions     *chshare.Users
 	socksServer  *socks5.Server
 	sshConfig    *ssh.ServerConfig
 	users        *chshare.UserIndex
@@ -54,7 +54,7 @@ func NewServer(config *Config) (*Server, error) {
 	s := &Server{
 		httpServer: chshare.NewHTTPServer(),
 		Logger:     chshare.NewLogger("server"),
-		sessions:   chshare.Users{},
+		sessions:   chshare.NewUsers(),
 		reverseOk:  config.Reverse,
 	}
 	s.Info = true
@@ -64,7 +64,6 @@ func NewServer(config *Config) (*Server, error) {
 			return nil, err
 		}
 	}
-
 	if config.Auth != "" {
 		u := &chshare.User{Addrs: []*regexp.Regexp{chshare.UserAllowAll}}
 		u.Name, u.Pass = chshare.ParseAuth(config.Auth)
@@ -87,7 +86,6 @@ func NewServer(config *Config) (*Server, error) {
 		PasswordCallback: s.authUser,
 	}
 	s.sshConfig.AddHostKey(private)
-
 	//setup reverse proxy
 	if config.Proxy != "" {
 		u, err := url.Parse(config.Proxy)
@@ -105,7 +103,6 @@ func NewServer(config *Config) (*Server, error) {
 			r.Host = u.Host
 		}
 	}
-
 	//setup socks server (not listening on any port!)
 	if config.Socks5 {
 		socksConfig := &socks5.Config{}
@@ -118,9 +115,12 @@ func NewServer(config *Config) (*Server, error) {
 		if err != nil {
 			return nil, err
 		}
-		s.Infof("SOCKS5 Enabled")
+		s.Infof("SOCKS5 server enabled")
+	}
+	//print when reverse tunnelling is enabled
+	if config.Reverse {
+		s.Infof("Reverse tunnelling enabled")
 	}
-
 	return s, nil
 }
 
@@ -168,13 +168,13 @@ func (s *Server) authUser(c ssh.ConnMetadata, password []byte) (*ssh.Permissions
 	}
 	// check the user exists and has matching password
 	n := c.User()
-	user, found := s.users.GetUser(n)
+	user, found := s.users.Get(n)
 	if !found || user.Pass != string(password) {
 		s.Debugf("Login failed for user: %s", n)
 		return nil, errors.New("Invalid authentication for username: %s")
 	}
 	// insert the user session map
 	// @note: this should probably have a lock on it given the map isn't thread-safe??
-	s.sessions[string(c.SessionID())] = user
+	s.sessions.Set(string(c.SessionID()), user)
 	return nil, nil
 }

share/connstats.go

@@ -22,6 +22,6 @@ func (c *ConnStats) Close() {
 	atomic.AddInt32(&c.open, -1)
 }
 
-func (c *ConnStats) Status() string {
+func (c *ConnStats) String() string {
 	return fmt.Sprintf("[%d/%d]", atomic.LoadInt32(&c.open), atomic.LoadInt32(&c.count))
 }

share/gostats.go

@@ -0,0 +1,29 @@
+package chshare
+
+import (
+	"log"
+	"os"
+	"os/signal"
+	"runtime"
+	"syscall"
+	"time"
+
+	"github.com/jpillora/sizestr"
+)
+
+//GoStats prints statistics to
+//stdout on SIGUSR2 (posix-only)
+func GoStats() {
+	//silence complaints from windows
+	const SIGUSR2 = syscall.Signal(0x1f)
+	time.Sleep(time.Second)
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, SIGUSR2)
+	for range c {
+		memStats := runtime.MemStats{}
+		runtime.ReadMemStats(&memStats)
+		log.Printf("recieved SIGUSR2, go-routines: %d, go-memory-usage: %s",
+			runtime.NumGoroutine(),
+			sizestr.ToString(int64(memStats.Alloc)))
+	}
+}