Drafting Fake-TLS V2

src/proxy/client.rs

@@ -30,7 +30,7 @@ use crate::protocol::tls;
 use crate::stats::{ReplayChecker, Stats};
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::middle_proxy::MePool;
-use crate::transport::{UpstreamManager, configure_client_socket};
+use crate::transport::{UpstreamManager, configure_client_socket, parse_proxy_protocol};
 
 use crate::proxy::direct_relay::handle_via_direct;
 use crate::proxy::handshake::{HandshakeSuccess, handle_mtproto_handshake, handle_tls_handshake};
@@ -53,7 +53,28 @@ where
     S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
 {
     stats.increment_connects_all();
-    debug!(peer = %peer, "New connection (generic stream)");
+    let mut real_peer = peer;
+
+    if config.server.proxy_protocol {
+        match parse_proxy_protocol(&mut stream, peer).await {
+            Ok(info) => {
+                debug!(
+                    peer = %peer,
+                    client = %info.src_addr,
+                    version = info.version,
+                    "PROXY protocol header parsed"
+                );
+                real_peer = info.src_addr;
+            }
+            Err(e) => {
+                stats.increment_connects_bad();
+                warn!(peer = %peer, error = %e, "Invalid PROXY protocol header");
+                return Err(e);
+            }
+        }
+    }
+
+    debug!(peer = %real_peer, "New connection (generic stream)");
 
     let handshake_timeout = Duration::from_secs(config.timeouts.client_handshake);
     let stats_for_timeout = stats.clone();
@@ -69,13 +90,13 @@ where
         stream.read_exact(&mut first_bytes).await?;
 
         let is_tls = tls::is_tls_handshake(&first_bytes[..3]);
-        debug!(peer = %peer, is_tls = is_tls, "Handshake type detected");
+        debug!(peer = %real_peer, is_tls = is_tls, "Handshake type detected");
 
         if is_tls {
             let tls_len = u16::from_be_bytes([first_bytes[3], first_bytes[4]]) as usize;
 
             if tls_len < 512 {
-                debug!(peer = %peer, tls_len = tls_len, "TLS handshake too short");
+                debug!(peer = %real_peer, tls_len = tls_len, "TLS handshake too short");
                 stats.increment_connects_bad();
                 let (reader, writer) = tokio::io::split(stream);
                 handle_bad_client(reader, writer, &first_bytes, &config).await;
@@ -89,7 +110,7 @@ where
             let (read_half, write_half) = tokio::io::split(stream);
 
             let (mut tls_reader, tls_writer, _tls_user) = match handle_tls_handshake(
-                &handshake, read_half, write_half, peer,
+                &handshake, read_half, write_half, real_peer,
                 &config, &replay_checker, &rng,
             ).await {
                 HandshakeResult::Success(result) => result,
@@ -107,7 +128,7 @@ where
                 .map_err(|_| ProxyError::InvalidHandshake("Short MTProto handshake".into()))?;
 
             let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
-                &mtproto_handshake, tls_reader, tls_writer, peer,
+                &mtproto_handshake, tls_reader, tls_writer, real_peer,
                 &config, &replay_checker, true,
             ).await {
                 HandshakeResult::Success(result) => result,
@@ -123,12 +144,12 @@ where
                 RunningClientHandler::handle_authenticated_static(
                     crypto_reader, crypto_writer, success,
                     upstream_manager, stats, config, buffer_pool, rng, me_pool,
-                    local_addr, peer, ip_tracker.clone(),
+                    local_addr, real_peer, ip_tracker.clone(),
                 ),
             )))
         } else {
             if !config.general.modes.classic && !config.general.modes.secure {
-                debug!(peer = %peer, "Non-TLS modes disabled");
+                debug!(peer = %real_peer, "Non-TLS modes disabled");
                 stats.increment_connects_bad();
                 let (reader, writer) = tokio::io::split(stream);
                 handle_bad_client(reader, writer, &first_bytes, &config).await;
@@ -142,7 +163,7 @@ where
             let (read_half, write_half) = tokio::io::split(stream);
 
             let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
-                &handshake, read_half, write_half, peer,
+                &handshake, read_half, write_half, real_peer,
                 &config, &replay_checker, false,
             ).await {
                 HandshakeResult::Success(result) => result,
@@ -166,7 +187,7 @@ where
                     rng,
                     me_pool,
                     local_addr,
-                    peer,
+                    real_peer,
                     ip_tracker.clone(),
                 )
             )))
@@ -275,6 +296,25 @@ impl RunningClientHandler {
     }
 
     async fn do_handshake(mut self) -> Result<HandshakeOutcome> {
+        if self.config.server.proxy_protocol {
+            match parse_proxy_protocol(&mut self.stream, self.peer).await {
+                Ok(info) => {
+                    debug!(
+                        peer = %self.peer,
+                        client = %info.src_addr,
+                        version = info.version,
+                        "PROXY protocol header parsed"
+                    );
+                    self.peer = info.src_addr;
+                }
+                Err(e) => {
+                    self.stats.increment_connects_bad();
+                    warn!(peer = %self.peer, error = %e, "Invalid PROXY protocol header");
+                    return Err(e);
+                }
+            }
+        }
+
         let mut first_bytes = [0u8; 5];
         self.stream.read_exact(&mut first_bytes).await?;