apps/openlan
1
0
Fork 0
mirror of https://github.com/luscis/openlan.git synced 2025-11-01 13:02:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: trust OpenLAN ca

Browse Source
This commit is contained in:
Daniel Ding
2024-01-24 21:52:06 +08:00
parent cb08ea20cd
commit d189ba3ffb
4 changed files with 48 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
dist/rootfs/etc/openlan/proxy.json.example vendored
View File

@@ -21,7 +21,10 @@
}, },
{ {
"listen": "0.0.0.0:11082", "listen": "0.0.0.0:11082",
"forward": "https://192.168.100.11:10443" "forward": {
"protocol": "https",
"server": "192.168.100.11:10443"
}
}, },
{ {
"listen": "0.0.0.0:11083", "listen": "0.0.0.0:11083",

27
dist/rootfs/var/openlan/script/install.sh vendored
View File

@@ -6,18 +6,27 @@ tmp=""
installer="$0" installer="$0"
archive=$(grep -a -n "__ARCHIVE_BELOW__:$" $installer | cut -f1 -d:) archive=$(grep -a -n "__ARCHIVE_BELOW__:$" $installer | cut -f1 -d:)
OS="linux"
if type yum > /dev/null; then
OS="centos"
elif type apt > /dev/null; then
OS="ubuntu"
fi
function download() { function download() {
tmp=$(mktemp -d) tmp=$(mktemp -d)
tail -n +$((archive + 1)) $installer | gzip -dc - | tar -xf - -C $tmp tail -n +$((archive + 1)) $installer | gzip -dc - | tar -xf - -C $tmp
} }
function requires() { function requires() {
if type yum > /dev/null; then if [ "$OS"x == "centos"x ]; then
yum install -y xl2tpd openssl net-tools iptables iputils openvpn openvswitch dnsmasq bridge-utils iperf3 tcpdump ipset yum install -y openssl net-tools iptables iputils iperf3 tcpdump
elif type apt > /dev/null; then yum install -y openvpn openvswitch dnsmasq bridge-utils ipset
apt-get install -y xl2tpd net-tools iptables iproute2 openvpn openvswitch-switch dnsmasq bridge-utils iperf3 tcpdump ipset elif [ "$OS"x == "ubuntu"x ]; then
apt-get install -y net-tools iptables iproute2 tcpdump ca-certificates iperf3
apt-get install -y openvpn openvswitch-switch dnsmasq bridge-utils ipset
else else
echo "We didn't find any packet tool: yum or apt." echo "We didn't find any packet tool: $OS"
fi fi
} }
@@ -48,6 +57,14 @@ function post() {
[ ! -e "/var/openlan/confd/confd.sock" ] || { [ ! -e "/var/openlan/confd/confd.sock" ] || {
/usr/bin/ovsdb-client convert unix:///var/openlan/confd/confd.sock /var/openlan/confd.schema.json /usr/bin/ovsdb-client convert unix:///var/openlan/confd/confd.sock /var/openlan/confd.schema.json
} }
if [ "$OS"x == "centos"x ]; then
cp -rf /var/openlan/cert/ca.crt /etc/pki/ca-trust/source/anchors/OpenLAN_CA.crt
update-ca-trust
elif [ "$OS"x == "ubuntu"x ]; then
cp -rf /var/openlan/cert/ca.crt /usr/local/share/ca-certificates/OpenLAN_CA.crt
update-ca-certificates
fi
} }
function finish() { function finish() {

18
pkg/config/proxy.go
View File

@@ -23,13 +23,19 @@ type SocksProxy struct {
Auth Password `json:"auth,omitempty"` Auth Password `json:"auth,omitempty"`
} }
type HttpForward struct {
Protocol string `json:"protocol,omitempty"`
Server string `json:"server,omitempty"`
Insecure bool `json:"insecure,omitempty"`
}
type HttpProxy struct { type HttpProxy struct {
ConfDir string `json:"-"` ConfDir string `json:"-"`
Listen string `json:"listen,omitempty"` Listen string `json:"listen,omitempty"`
Auth Password `json:"auth,omitempty"` Auth Password `json:"auth,omitempty"`
Cert *Cert `json:"cert,omitempty"` Cert *Cert `json:"cert,omitempty"`
Password string `json:"password,omitempty"` Password string `json:"password,omitempty"`
Forward string `json:"forward,omitempty"` Forward *HttpForward `json:"forward,omitempty"`
} }
func (h *HttpProxy) Correct() { func (h *HttpProxy) Correct() {

22
pkg/proxy/http.go
View File

@@ -161,14 +161,12 @@ func (t *HttpProxy) tunnel(w http.ResponseWriter, conn net.Conn) {
t.out.Debug("HttpProxy.tunnel %s exit", conn.RemoteAddr()) t.out.Debug("HttpProxy.tunnel %s exit", conn.RemoteAddr())
} }
func (t *HttpProxy) openConn(remote string) (net.Conn, error) { func (t *HttpProxy) openConn(protocol, remote string, insecure bool) (net.Conn, error) {
if strings.HasPrefix(remote, "https://") { if protocol == "https" {
conf := &tls.Config{ conf := &tls.Config{
InsecureSkipVerify: true, InsecureSkipVerify: insecure,
} }
return tls.Dial("tcp", remote[8:], conf) return tls.Dial("tcp", remote, conf)
} else if strings.HasPrefix(remote, "http://") {
remote = remote[7:]
} }
return net.Dial("tcp", remote) return net.Dial("tcp", remote)
} }
@@ -234,15 +232,15 @@ func (t *HttpProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return return
} }
forward := t.cfg.Forward fow := t.cfg.Forward
if forward != "" { if fow != nil {
t.out.Info("HttpProxy.ServeHTTP %s %s -> %s via %s", r.Method, r.RemoteAddr, r.URL.Host, forward) t.out.Info("HttpProxy.ServeHTTP %s %s -> %s via %s", r.Method, r.RemoteAddr, r.URL.Host, fow.Server)
} else { } else {
t.out.Info("HttpProxy.ServeHTTP %s %s -> %s", r.Method, r.RemoteAddr, r.URL.Host) t.out.Info("HttpProxy.ServeHTTP %s %s -> %s", r.Method, r.RemoteAddr, r.URL.Host)
} }
if forward != "" { if fow != nil {
conn, err := t.openConn(forward) conn, err := t.openConn(fow.Protocol, fow.Server, fow.Insecure)
if err != nil { if err != nil {
http.Error(w, err.Error(), http.StatusBadGateway) http.Error(w, err.Error(), http.StatusBadGateway)
return return
@@ -255,7 +253,7 @@ func (t *HttpProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
conn.Write(dump) conn.Write(dump)
t.tunnel(w, conn) t.tunnel(w, conn)
} else if r.Method == "CONNECT" { //RFC-7231 Tunneling TCP based protocols through Web Proxy servers } else if r.Method == "CONNECT" { //RFC-7231 Tunneling TCP based protocols through Web Proxy servers
conn, err := t.openConn(r.URL.Host) conn, err := t.openConn("", r.URL.Host, true)
if err != nil { if err != nil {
http.Error(w, err.Error(), http.StatusBadGateway) http.Error(w, err.Error(), http.StatusBadGateway)
return return