From 470e76b79c9c8af194febc30336a4c67bf7d0ebc Mon Sep 17 00:00:00 2001
From: b
Date: Tue, 10 Nov 2015 07:45:47 +0000
Subject: [PATCH] Proxy unlock authentication.

git-svn-id: svn://botcastle1b/yplom/proxy@2 05ce6ebb-7522-4a6e-a768-0026ae12be9f
---
access.pl | 16 ++++++
makefile | 23 +++++----
proxy.c | 13 +++++
proxy.pl | 145 ++++++++++++++++++++++++++++++++++++++++++++++++-----
rewrite | 2 -
rewrite.pl | 12 +++++
6 files changed, 187 insertions(+), 24 deletions(-)
create mode 100644 access.pl
create mode 100644 proxy.c
delete mode 100755 rewrite
create mode 100755 rewrite.pl
diff --git a/access.pl b/access.pl
new file mode 100644
index 0000000..2f458b4
--- /dev/null
+++ b/access.pl
@@ -0,0 +1,16 @@
+#!/usr/bin/perl
+
+use constant REWRITE_URL => 'bicyclesonthemoon.info:59443';
+
+$|=1;
+
+while () {
+ $a=$_;
+ if ($a =~ /^([0-9]+ )/) {
+ print $1;
+ }
+ print "ERR\n";
+ open ($log,">>","/yplom/log/proxy/acl") or exit;
+ print $log $a;
+ close($log);
+}
diff --git a/makefile b/makefile
index 5d0c7e3..ab1eef9 100644
--- a/makefile
+++ b/makefile
@@ -8,20 +8,23 @@ OD=/yplom/bin/proxy
 
 all: moveout copyout
 
-moveout: proxy setuid exec
- mv proxy $(OD)
+moveout: proxy rewrite access setuid exec
+ mv proxy access rewrite $(OD)
 
-copyout: rewrite setuid exec
- cp rewrite $(OD)
+copyout: proxy.pl setuid exec
+ cp proxy.pl $(OD)
 
 setuid: proxy
 chmod u+s proxy
 
-exec: rewrite proxy
- chmod +x rewrite proxy
+exec: rewrite access proxy
+ chmod +x rewrite access proxy
 
-#proxy: proxy.c
-# $(CC) $(CF) -o proxy proxy.c
+proxy: proxy.c
+ $(CC) $(CF) -o proxy proxy.c
 
-proxy: proxy.pl
- cp proxy.pl proxy
+rewrite: rewrite.pl
+ cp rewrite.pl rewrite
+
+access: access.pl
+ cp access.pl access
diff --git a/proxy.c b/proxy.c
new file mode 100644
index 0000000..70a44c1
--- /dev/null
+++ b/proxy.c
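Review bot: The helper answers `ERR` for every line and never looks at the per-IP files under ACCESS_PATH that unlock() in proxy.pl creates, so as committed the unlock flow cannot change any access decision — presumably a later step, but a `# TODO: consult ACCESS_PATH/<ip> before answering` would say so. `open ($log,">>","/yplom/log/proxy/acl") or exit;` terminates the helper on a logging failure, taking it down for every subsequent request rather than losing one log line; `or next;` (or a message to stderr) keeps it answering. The file also declares `REWRITE_URL`, which it never uses, and iterates with `$a`, Perl's sort variable; like rewrite.pl it starts without `use strict; use warnings;`, which would have flagged both.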
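Review bot: `copyout` installs proxy.pl — the script that the setuid wrapper in proxy.c execve()s by absolute path — with a plain `cp` that sets neither owner nor mode, so the resulting permissions depend on the umask and account of whoever runs make. If `$(OD)/proxy.pl` or `$(OD)` ends up writable by the account the web server runs as, anyone with that access runs code as the setuid owner; `install -m 755 proxy.pl $(OD)` (or adding proxy.pl to the `exec` chmod plus a `chmod go-w`) makes the mode part of the build. The same holds for `moveout`, which moves `rewrite` and `access` into place without fixing their owner or group.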
@@ -0,0 +1,13 @@
+//The SETUID wrapper.
+
+#include
+#include
+
+#define PROXY_PATH "/yplom/bin/proxy/proxy.pl"
+#define PROXY_LOG "/yplom/log/proxy/proxy-stderr.log"
+
+int main(int argc, char *argv[], char *envp[])
+{
+ freopen(PROXY_LOG,"at",stderr);
+ return execve(PROXY_PATH,argv,envp);
+}
diff --git a/proxy.pl b/proxy.pl
index fd80538..94307f7 100755
--- a/proxy.pl
+++ b/proxy.pl
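Review bot: The result of `freopen(PROXY_LOG,"at",stderr)` is not checked; when the log cannot be opened the stream is closed anyway, and the failure of the following `execve` is then reported nowhere — `main` just returns -1, which the parent sees as exit status 255. Checking freopen (keeping the inherited stderr on failure) and adding `perror("execve");` after the call, since execve only returns when it fails, gives the operator something to act on. Forwarding the caller's `argv` and `envp` unchanged into a setuid exec is tolerable here only because Perl switches on taint mode when the effective and real uid differ and then ignores `PERL5LIB`, `PERLLIB` and `PERL5OPT`; a comment such as `/* relies on perl's automatic taint mode for setuid scripts; see perlsec */` would save the next reader that analysis.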
@@ -1,18 +1,118 @@ #!/usr/bin/perl -use constant UNLOCK_PROXY_URL => '/proxy/unlock'; +use POSIX qw(strftime); + +use constant ACCESS_LOG => '/yplom/log/proxy/access.log'; +use constant DATA_PATH => '/yplom/data/proxy/'; +use constant PASS_PATH => '/yplom/data/proxy/pass/'; +use constant ACCESS_PATH => '/yplom/data/proxy/access/'; +use constant UNLOCK_PROXY_URL => 'https://yplom.bicyclesonthemoon.info/proxy/unlock'; use constant UNLOCK_PROXY_HOST => qr/^yplom\.bicyclesonthemoon\.info(:[0-9]*)?$/; use constant UNLOCK_PROXY_PATH => qr/^\/proxy\/unlock\/?$/; +$accesstime = time(); + +delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; +$ENV{'PATH'}='/usr/local/bin:/usr/bin:/bin'; + if (($ENV{'HTTP_HOST'} =~ UNLOCK_PROXY_HOST) and ($ENV{'PATH_INFO'} =~ UNLOCK_PROXY_PATH)){ -# if (($ENV{'HTTP_HOST'} =~ /^yplom\.bicyclesonthemoon\.info(:(590)?80)?$/) and ($ENV{'PATH_INFO'} =~ /^\/proxy\/unlock\/?$/)){ - unlockpage(); + unlock(); } else { debag(); } +sub unlock { + if ($ENV{'REMOTE_ADDR'} =~ /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/) { + $IP=$1; + } + + if ($ENV{'REQUEST_METHOD'} eq 'GET') { + %CGI=getcgi($ENV{'QUERY_STRING'}); + } + elsif ($ENV{'REQUEST_METHOD'} eq 'POST'){ + if ($ENV{'CONTENT_TYPE'} eq 'application/x-www-form-urlencoded'){ + %CGI=getcgi( ); + } + else{ + return unlockpage("Unsupported Content-type: $ENV{'CONTENT_TYPE'}.","Status: 415 Unsupported Media Type\n"); + } + } + else{ + return unlockpage("Unsupported method: $ENV{'REQUEST_METHOD'}.","Status: 405 Method Not Allowed\nAllow: GET, POST\n"); + } + + if ($CGI{'ip'} =~ /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/) { + $IP=$1; + } + + if ($IP eq '') { + return unlockpage("$Invalid IP.","Status: 403 Forbidden\n"); + } + + if ($CGI{'username'} eq ''){ + return unlockpage(); + } + + if ($CGI{'password'} eq ''){ + return unlockpage('Password missing.',"Status: 403 Forbidden\n"); + } + + if ($CGI{'username'} !~ /^[A-Za-z0-9_]+$/){ + return unlockpage('Wrong username or password.',"Status: 403 Forbidden\n"); + } + + $passpath = 
PASS_PATH.$CGI{'username'}; + + open($passfile, "<", $passpath) or return unlockpage('Wrong username or password.',"Status: 403 Forbidden\n"); + $pass = <$passfile>; + close($passfile); + $pass =~ s/\n//g; + $pass = urldecode($pass); + + if ($pass ne $CGI{'password'}){ + return unlockpage('Wrong username or password.',"Status: 403 Forbidden\n"); + } + + open ($logfile, ">>", ACCESS_LOG) or return unlockpage("Couldn't log your action.","Status: 500 Internal Server Error\n"); + print $logfile strftime("%d.%m.%Y %H:%M:%S", gmtime($accesstime))." $ENV{'REMOTE_ADDR'} $CGI{'username'}\n"; + close($logfile); + + $accesspath=ACCESS_PATH.$IP; + open ($accessfile,">",$accesspath) or return unlockpage("$accesspath","Status: 403 Forbidden\n"); + print $accessfile "$accesstime\n$accesstime"; + close ($accessfile); + + return unlockedpage(); + +} + +sub getcgi { + my $arg; + my $varl; + my %cgi; + my $i = $_[0]; + $i =~ s/\n//g; + my @s = split('&',$i); + foreach my $l ( @s) { + ($arg,$val)=split('=',$l); + $cgi{$arg}=urldecode($val); + } + return %cgi; +} + +sub urldecode { + my $t = $_[0]; + $t =~ s/\+/ /g; + $t =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/eg; + return $t; +} + sub unlockpage { + (my $message, my $header)=@_; + if($header ne ''){ + print $header; + } print "Content-type: text/html\n\n"; print ''; print ''; @@ -20,17 +120,43 @@ sub unlockpage { print ''; print ''; print '
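Review bot: `return unlockpage("$Invalid IP.","Status: 403 Forbidden\n");` interpolates the undefined variable `$Invalid`, so the page shows " IP."; it should read `return unlockpage('Invalid IP.',"Status: 403 Forbidden\n");`. The other failure messages are printed into the HTML by unlockpage (second hunk) without escaping, two of them embedding request-controlled values (`$ENV{'CONTENT_TYPE'}`, `$ENV{'REQUEST_METHOD'}`) and one echoing `$accesspath`, which discloses a server-side path; keeping the messages fixed strings and writing the detail to the log avoids both. Passwords are stored in clear text under PASS_PATH and compared with `ne`; storing a salted hash (core `crypt` or Digest::SHA) and comparing digests limits what a read of that directory exposes. Only successful unlocks reach ACCESS_LOG, so wrong-password attempts and the unlocked `$IP` — which may differ from REMOTE_ADDR when the `ip` field is given — leave no trace; logging both is what makes brute-forcing or misuse visible. In getcgi, `($arg,$val)=split('=',$l)` truncates any value containing `=`, so `split('=',$l,2)` is needed for such passwords, and `my $varl` is a typo for the `$val` actually used.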

Unlock the proxy

'; - print '
'; + if($message ne ''){ + print $message; + } + print ''; print 'Username:
'; print 'Password:
'; + print 'IP:
'; print ''; - print '
'; - print "\n"; + print '
'; + print 'WARNING: The proxy will be unlocked for some time, for you and every '; + print 'computer in your local network which has the same public IP. Any '; + print 'action from your IP will be assumed to be your action. By submitting '; + print 'this form you agree to this.

'; + print 'The proxy will be locked again:
    '; + print '
  • $timeout_unlock minutes after unlocking
  • '; + print '
  • after $timeoout_inact minutes of inactivity
  • '; + print "
\n"; +} + +sub unlockedpage { + print "Content-type: text/html\n\n"; + print ''; + print ''; + print 'Unlocked'; + print ''; + print ''; + print '

Unlocked

'; + print "The proxy is now unlocked for IP $IP.

"; + print 'The proxy will be locked again:
    '; + print '
  • $timeout_unlock minutes after unlocking
  • '; + print '
  • after $timeoout_inact minutes of inactivity
  • '; + print "
\n";
 }
 
 sub debag {
 print "Content-type: text/plain\n\n";
- print foreach $envk (keys %ENV) {
+ foreach $envk (keys %ENV) {
 print "$envk = $ENV{$envk}\n";
 }
 print "\n";
@@ -48,8 +174,3 @@ sub debag {
 }
 print 'URL: ',$URL,"\n";
 }
-
-
-
-
-
diff --git a/rewrite b/rewrite
deleted file mode 100755
index cbef212..0000000
--- a/rewrite
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-echo "OK rewrite-url=\"bicyclesonthemoon.info:59443\""
diff --git a/rewrite.pl b/rewrite.pl
new file mode 100755
index 0000000..2fc4088
--- /dev/null
+++ b/rewrite.pl
@@ -0,0 +1,12 @@
+#!/usr/bin/perl
+
+use constant REWRITE_URL => 'bicyclesonthemoon.info:59443';
+
+$|=1;
+
+while () {
+ if ($_ =~ /^([0-9]+ )/) {
+ print $1;
+ }
+ print 'OK rewrite-url="'.REWRITE_URL."\"\n";
+}
--
2.30.2
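Review bot: In both unlockpage and unlockedpage the "locked again" lines are single-quoted, e.g. `print '… $timeout_unlock minutes after unlocking …';` and `'… after $timeoout_inact minutes of inactivity …'`, so the variable names are emitted literally instead of their values; `$timeoout_inact` is also misspelled, and neither variable is defined anywhere in this patch — presumably they were meant to be constants next to ACCESS_LOG and interpolated with a double-quoted string or concatenation. The same three-line block is duplicated in the two subs, so a small `_print_lock_notice()` helper would keep the two pages from drifting apart. unlockedpage also reads the global `$IP` that unlock() set; passing it as an argument, `unlockedpage($IP)`, makes the dependency explicit.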