Ylianst/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2024-09-11 08:55:32 +03:00
Code Issues Packages Projects Releases Wiki Activity

Started work on HTTP web relay, #4172

Browse Source
This commit is contained in:
Ylian Saint-Hilaire 2022-06-24 14:34:27 -07:00
parent a05215e9bf
commit 4dd5c18db4
4 changed files with 103 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
MeshCentralServer.njsproj
View File

@ -239,6 +239,7 @@
<Compile Include="translate\translate.js" />
<Compile Include="ua-parser.js" />
<Compile Include="webauthn.js" />
<Compile Include="webrelayserver.js" />
<Compile Include="webserver.js" />
<Compile Include="winservice.js" />
<Content Include="agents\codesign.cer" />
@ -696,6 +697,7 @@
<Folder Include="typings\globals\localforage\" />
<Folder Include="typings\globals\lru-cache\" />
<Folder Include="typings\globals\marked\" />
<Folder Include="typings\globals\moment-timezone\" />
<Folder Include="typings\globals\moment\" />
<Folder Include="typings\globals\node-forge\" />
<Folder Include="typings\globals\nodemailer\" />
@ -736,6 +738,7 @@
<TypeScriptCompile Include="typings\globals\localforage\index.d.ts" />
<TypeScriptCompile Include="typings\globals\lru-cache\index.d.ts" />
<TypeScriptCompile Include="typings\globals\marked\index.d.ts" />
<TypeScriptCompile Include="typings\globals\moment-timezone\index.d.ts" />
<TypeScriptCompile Include="typings\globals\moment\index.d.ts" />
<TypeScriptCompile Include="typings\globals\node-forge\index.d.ts" />
<TypeScriptCompile Include="typings\globals\nodemailer\index.d.ts" />

5
meshcentral.js
View File

@ -1646,6 +1646,11 @@ function CreateMeshCentralServer(config, args) {
obj.webserver = require('./webserver.js').CreateWebServer(obj, obj.db, obj.args, obj.certificates, obj.StartEx5);
if (obj.redirserver != null) { obj.redirserver.hookMainWebServer(obj.certificates); }
// Start the HTTP relay web server if needed
if ((obj.args.relayport != null) && (obj.args.relayport != 0)) {
obj.webrelayserver = require('./webrelayserver.js').CreateWebRelayServer(obj, obj.db, obj.args, obj.certificates, function () { });
}
// Update proxy certificates
if (obj.supportsProxyCertificatesRequest == true) { obj.updateProxyCertificates(true); }

2
redirserver.js
View File

@ -142,7 +142,7 @@ module.exports.CreateRedirServer = function (parent, db, args, func) {
obj.parent.updateServerState('redirect-port', port);
func(obj.port);
}).on('error', function (err) {
if ((err.code == 'EACCES') && (port < 65535)) { StartRedirServer(port + 1); } else { console.log(err); func(obj.port); }
if ((err.code == 'EACCES') && (port < 65535)) { StartRedirServer(port + 1, addr); } else { console.log(err); func(obj.port); }
});
}

94
webrelayserver.js Normal file
View File

@ -0,0 +1,94 @@
/**
* @description Meshcentral web relay server
* @author Ylian Saint-Hilaire
* @copyright Intel Corporation 2018-2022
* @license Apache-2.0
* @version v0.0.1
*/
/*jslint node: true */
/*jshint node: true */
/*jshint strict:false */
/*jshint -W097 */
/*jshint esversion: 6 */
"use strict";
// Construct a HTTP redirection web server object
module.exports.CreateWebRelayServer = function (parent, db, args, certificates, func) {
var obj = {};
obj.parent = parent;
obj.db = db;
obj.express = require('express');
obj.expressWs = null;
obj.tlsServer = null;
obj.net = require('net');
obj.app = obj.express();
obj.webRelayServer = null;
obj.port = null;
const constants = (require('crypto').constants ? require('crypto').constants : require('constants')); // require('constants') is deprecated in Node 11.10, use require('crypto').constants instead.
var tlsSessionStore = {}; // Store TLS session information for quick resume.
var tlsSessionStoreCount = 0; // Number of cached TLS session information in store.
// Add HTTP security headers to all responses
obj.app.use(function (req, res, next) {
parent.debug('webrequest', req.url + ' (RelayServer)');
res.removeHeader('X-Powered-By');
res.set({
'strict-transport-security': 'max-age=60000; includeSubDomains',
'Referrer-Policy': 'no-referrer',
'x-frame-options': 'SAMEORIGIN',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'Content-Security-Policy': "default-src 'none'; style-src 'self' 'unsafe-inline';"
});
return next();
});
// Start the server, only after users and meshes are loaded from the database.
if (args.tlsoffload) {
// Setup the HTTP server without TLS
obj.expressWs = require('express-ws')(obj.app, null, { wsOptions: { perMessageDeflate: (args.wscompression === true) } });
} else {
// Setup the HTTP server with TLS, use only TLS 1.2 and higher with perfect forward secrecy (PFS).
const tlsOptions = { cert: certificates.web.cert, key: certificates.web.key, ca: certificates.web.ca, rejectUnauthorized: true, ciphers: "HIGH:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256", secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1 };
obj.tlsServer = require('https').createServer(tlsOptions, obj.app);
obj.tlsServer.on('secureConnection', function () { /*console.log('tlsServer secureConnection');*/ });
obj.tlsServer.on('error', function (err) { console.log('tlsServer error', err); });
obj.tlsServer.on('newSession', function (id, data, cb) { if (tlsSessionStoreCount > 1000) { tlsSessionStoreCount = 0; tlsSessionStore = {}; } tlsSessionStore[id.toString('hex')] = data; tlsSessionStoreCount++; cb(); });
obj.tlsServer.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); });
obj.expressWs = require('express-ws')(obj.app, obj.tlsServer, { wsOptions: { perMessageDeflate: (args.wscompression === true) } });
}
// Find a free port starting with the specified one and going up.
function CheckListenPort(port, addr, func) {
var s = obj.net.createServer(function (socket) { });
obj.webRelayServer = s.listen(port, addr, function () { s.close(function () { if (func) { func(port, addr); } }); }).on("error", function (err) {
if (args.exactports) { console.error("ERROR: MeshCentral HTTP relay server port " + port + " not available."); process.exit(); }
else { if (port < 65535) { CheckListenPort(port + 1, addr, func); } else { if (func) { func(0); } } }
});
}
// Start the ExpressJS web server, if the port is busy try the next one.
function StartWebRelayServer(port, addr) {
if (port == 0 || port == 65535) { return; }
if (obj.tlsServer != null) {
if (args.lanonly == true) {
obj.tcpServer = obj.tlsServer.listen(port, addr, function () { console.log('MeshCentral HTTPS relay server running on port ' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
} else {
obj.tcpServer = obj.tlsServer.listen(port, addr, function () { console.log('MeshCentral HTTPS relay server running on ' + certificates.CommonName + ':' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
obj.parent.updateServerState('servername', certificates.CommonName);
}
if (obj.parent.authlog) { obj.parent.authLog('https', 'Web relay server listening on ' + ((addr != null) ? addr : '0.0.0.0') + ' port ' + port + '.'); }
obj.parent.updateServerState('https-relay-port', port);
if (args.aliasport != null) { obj.parent.updateServerState('https-relay-aliasport', args.aliasport); }
} else {
obj.tcpServer = obj.app.listen(port, addr, function () { console.log('MeshCentral HTTP relay server running on port ' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
obj.parent.updateServerState('http-relay-port', port);
if (args.aliasport != null) { obj.parent.updateServerState('http-relay-aliasport', args.aliasport); }
}
}
CheckListenPort(args.relayport, args.relayportbind, StartWebRelayServer);
return obj;
};