mirror of
https://github.com/luscis/openlan.git
synced 2025-11-01 04:52:36 +08:00
fix: trust OpenLAN ca
This commit is contained in:
Daniel Ding
5
dist/rootfs/etc/openlan/proxy.json.example
vendored
5
dist/rootfs/etc/openlan/proxy.json.example
vendored
@@ -21,7 +21,10 @@
|
||||
},
|
||||
{
|
||||
"listen": "0.0.0.0:11082",
|
||||
"forward": "https://192.168.100.11:10443"
|
||||
"forward": {
|
||||
"protocol": "https",
|
||||
"server": "192.168.100.11:10443"
|
||||
}
|
||||
},
|
||||
{
|
||||
"listen": "0.0.0.0:11083",
|
||||
|
||||
27
dist/rootfs/var/openlan/script/install.sh
vendored
27
dist/rootfs/var/openlan/script/install.sh
vendored
@@ -6,18 +6,27 @@ tmp=""
|
||||
installer="$0"
|
||||
archive=$(grep -a -n "__ARCHIVE_BELOW__:$" $installer | cut -f1 -d:)
|
||||
|
||||
OS="linux"
|
||||
if type yum > /dev/null; then
|
||||
OS="centos"
|
||||
elif type apt > /dev/null; then
|
||||
OS="ubuntu"
|
||||
fi
|
||||
|
||||
function download() {
|
||||
tmp=$(mktemp -d)
|
||||
tail -n +$((archive + 1)) $installer | gzip -dc - | tar -xf - -C $tmp
|
||||
}
|
||||
|
||||
function requires() {
|
||||
if type yum > /dev/null; then
|
||||
yum install -y xl2tpd openssl net-tools iptables iputils openvpn openvswitch dnsmasq bridge-utils iperf3 tcpdump ipset
|
||||
elif type apt > /dev/null; then
|
||||
apt-get install -y xl2tpd net-tools iptables iproute2 openvpn openvswitch-switch dnsmasq bridge-utils iperf3 tcpdump ipset
|
||||
if [ "$OS"x == "centos"x ]; then
|
||||
yum install -y openssl net-tools iptables iputils iperf3 tcpdump
|
||||
yum install -y openvpn openvswitch dnsmasq bridge-utils ipset
|
||||
elif [ "$OS"x == "ubuntu"x ]; then
|
||||
apt-get install -y net-tools iptables iproute2 tcpdump ca-certificates iperf3
|
||||
apt-get install -y openvpn openvswitch-switch dnsmasq bridge-utils ipset
|
||||
else
|
||||
echo "We didn't find any packet tool: yum or apt."
|
||||
echo "We didn't find any packet tool: $OS"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -48,6 +57,14 @@ function post() {
|
||||
[ ! -e "/var/openlan/confd/confd.sock" ] || {
|
||||
/usr/bin/ovsdb-client convert unix:///var/openlan/confd/confd.sock /var/openlan/confd.schema.json
|
||||
}
|
||||
|
||||
if [ "$OS"x == "centos"x ]; then
|
||||
cp -rf /var/openlan/cert/ca.crt /etc/pki/ca-trust/source/anchors/OpenLAN_CA.crt
|
||||
update-ca-trust
|
||||
elif [ "$OS"x == "ubuntu"x ]; then
|
||||
cp -rf /var/openlan/cert/ca.crt /usr/local/share/ca-certificates/OpenLAN_CA.crt
|
||||
update-ca-certificates
|
||||
fi
|
||||
}
|
||||
|
||||
function finish() {
|
||||
|
||||
@@ -23,13 +23,19 @@ type SocksProxy struct {
|
||||
Auth Password `json:"auth,omitempty"`
|
||||
}
|
||||
|
||||
type HttpForward struct {
|
||||
Protocol string `json:"protocol,omitempty"`
|
||||
Server string `json:"server,omitempty"`
|
||||
Insecure bool `json:"insecure,omitempty"`
|
||||
}
|
||||
|
||||
type HttpProxy struct {
|
||||
ConfDir string `json:"-"`
|
||||
Listen string `json:"listen,omitempty"`
|
||||
Auth Password `json:"auth,omitempty"`
|
||||
Cert *Cert `json:"cert,omitempty"`
|
||||
Password string `json:"password,omitempty"`
|
||||
Forward string `json:"forward,omitempty"`
|
||||
ConfDir string `json:"-"`
|
||||
Listen string `json:"listen,omitempty"`
|
||||
Auth Password `json:"auth,omitempty"`
|
||||
Cert *Cert `json:"cert,omitempty"`
|
||||
Password string `json:"password,omitempty"`
|
||||
Forward *HttpForward `json:"forward,omitempty"`
|
||||
}
|
||||
|
||||
func (h *HttpProxy) Correct() {
|
||||
|
||||
@@ -161,14 +161,12 @@ func (t *HttpProxy) tunnel(w http.ResponseWriter, conn net.Conn) {
|
||||
t.out.Debug("HttpProxy.tunnel %s exit", conn.RemoteAddr())
|
||||
}
|
||||
|
||||
func (t *HttpProxy) openConn(remote string) (net.Conn, error) {
|
||||
if strings.HasPrefix(remote, "https://") {
|
||||
func (t *HttpProxy) openConn(protocol, remote string, insecure bool) (net.Conn, error) {
|
||||
if protocol == "https" {
|
||||
conf := &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
InsecureSkipVerify: insecure,
|
||||
}
|
||||
return tls.Dial("tcp", remote[8:], conf)
|
||||
} else if strings.HasPrefix(remote, "http://") {
|
||||
remote = remote[7:]
|
||||
return tls.Dial("tcp", remote, conf)
|
||||
}
|
||||
return net.Dial("tcp", remote)
|
||||
}
|
||||
@@ -234,15 +232,15 @@ func (t *HttpProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
forward := t.cfg.Forward
|
||||
if forward != "" {
|
||||
t.out.Info("HttpProxy.ServeHTTP %s %s -> %s via %s", r.Method, r.RemoteAddr, r.URL.Host, forward)
|
||||
fow := t.cfg.Forward
|
||||
if fow != nil {
|
||||
t.out.Info("HttpProxy.ServeHTTP %s %s -> %s via %s", r.Method, r.RemoteAddr, r.URL.Host, fow.Server)
|
||||
} else {
|
||||
t.out.Info("HttpProxy.ServeHTTP %s %s -> %s", r.Method, r.RemoteAddr, r.URL.Host)
|
||||
}
|
||||
|
||||
if forward != "" {
|
||||
conn, err := t.openConn(forward)
|
||||
if fow != nil {
|
||||
conn, err := t.openConn(fow.Protocol, fow.Server, fow.Insecure)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusBadGateway)
|
||||
return
|
||||
@@ -255,7 +253,7 @@ func (t *HttpProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
conn.Write(dump)
|
||||
t.tunnel(w, conn)
|
||||
} else if r.Method == "CONNECT" { //RFC-7231 Tunneling TCP based protocols through Web Proxy servers
|
||||
conn, err := t.openConn(r.URL.Host)
|
||||
conn, err := t.openConn("", r.URL.Host, true)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusBadGateway)
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user