-
Notifications
You must be signed in to change notification settings - Fork 3
/
authguard.go
99 lines (82 loc) · 2.95 KB
/
authguard.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
package main
import (
"crypto/sha256"
"crypto/subtle"
"flag"
"log"
"net/http"
"net/http/httputil"
"os"
)
var (
// logger
logInfo = log.New(os.Stdout, "", 0)
logError = log.New(os.Stdout, "ERROR: ", 0)
// addresses and protocols
outerAddress = flag.String("web.listen-address", ":8080", "address exposed to outside")
innerAddress = flag.String("web.proxy-to", "127.0.0.1:8080", "address to proxy to")
innerScheme = flag.String("scheme", "http", "scheme to use for connection to target (either http or https)")
// HTTP basic auth
useAuth = flag.Bool("auth", true, "use HTTP-Basic-Auth for outer connection")
user = flag.String("user", "authguard", "user for HTTP basic auth outwards")
pass = flag.String("pass", "authguard", "password for HTTP basic auth outwards")
userhash [32]byte
passhash [32]byte
// TLS
crt = flag.String("crt", "", "path to TLS public key file for outer connection")
key = flag.String("key", "", "path to TLS private key file for outer connection")
// misc
logTimestamps = flag.Bool("config.log-timestamps", false, "Log with timestamps")
)
// director modifies the incoming http.request to go to the specified innerAddress
func director(r *http.Request) {
r.URL.Scheme = *innerScheme
r.URL.Host = *innerAddress
}
// performRedirect redirects the incoming request to what is specified in the innerAddress-field
func performRedirect(w http.ResponseWriter, r *http.Request) {
proxy := &httputil.ReverseProxy{Director: director}
proxy.ServeHTTP(w, r)
}
// redirectAfterAuthCheck checks for correct authentication-credentials and either applies
// the intended redirect or asks for authentication-credentials once again.
func redirectAfterAuthCheck(w http.ResponseWriter, r *http.Request) {
u, p, ok := r.BasicAuth()
uhash := sha256.Sum256([]byte(u))
phash := sha256.Sum256([]byte(p))
user_correct := subtle.ConstantTimeCompare(uhash[:], userhash[:]) == 1
pass_correct := subtle.ConstantTimeCompare(phash[:], passhash[:]) == 1
if ok && user_correct && pass_correct {
performRedirect(w, r)
} else {
// send out unauthenticated response asking for basic auth
// (to make sure people that mistyped can retry)
w.Header().Set("WWW-Authenticate", `Basic realm="all"`)
http.Error(w, "Unauthenticated", 401)
}
}
func main() {
flag.Parse()
if *logTimestamps {
logInfo.SetFlags(3)
logError.SetFlags(3)
}
userhash = sha256.Sum256([]byte(*user))
passhash = sha256.Sum256([]byte(*pass))
logInfo.Println("starting redirector from", *outerAddress, "to", *innerAddress)
if *useAuth {
logInfo.Println("HTTP Basic Auth enabled")
http.HandleFunc("/", redirectAfterAuthCheck)
} else {
logInfo.Println("HTTP Basic Auth disabled")
http.HandleFunc("/", performRedirect)
}
useTLS := *crt != "" && *key != ""
if useTLS {
logInfo.Println("TLS enabled")
logError.Fatal(http.ListenAndServeTLS(*outerAddress, *crt, *key, nil))
} else {
logInfo.Println("TLS disabled")
logError.Fatal(http.ListenAndServe(*outerAddress, nil))
}
}