comparison mod_net_proxy/mod_net_proxy.lua @ 6348:9d3e6d2f25c7

mod_net_proxy: Add support for `proxy_out` and `proxy_secure`
author moparisthebest <admin@moparisthebest.com>
date Fri, 14 Nov 2025 02:06:22 -0400
parents 49fad071e644
children
comparison
equal deleted inserted replaced
6347:7ed4627ba65d 6348:9d3e6d2f25c7
13 local ip = require "util.ip"; 13 local ip = require "util.ip";
14 local net = require "util.net"; 14 local net = require "util.net";
15 local set = require "util.set"; 15 local set = require "util.set";
16 local portmanager = require "core.portmanager"; 16 local portmanager = require "core.portmanager";
17 local fmt = require "util.format".format; 17 local fmt = require "util.format".format;
18 local basic_resolver = require "net.resolvers.basic";
18 19
19 -- Backwards Compatibility 20 -- Backwards Compatibility
20 local function net_ntop_bc(input) 21 local function net_ntop_bc(input)
21 if input:len() == 4 then 22 if input:len() == 4 then
22 return string.format("%d.%d.%d.%d", input:byte(1, 4)); 23 return string.format("%d.%d.%d.%d", input:byte(1, 4));
464 module:provides("net", { 465 module:provides("net", {
465 name = "proxy"; 466 name = "proxy";
466 listener = listener; 467 listener = listener;
467 default_ports = mapped_ports; 468 default_ports = mapped_ports;
468 }); 469 });
470
471 function module.add_host(module)
472 local proxy_out = module:get_option("proxy_out", "");
473
474 local proxy_secure = module:get_option("proxy_secure", false);
475 local proxy_secure_in = proxy_secure or module:get_option("proxy_secure_in", false);
476 local proxy_secure_out = proxy_secure or module:get_option("proxy_secure_out", false);
477
478 if proxy_out ~= "" then
479 -- this redirects outgoing s2s connections to a static host:port
480 local host, port = proxy_out[1] or proxy_out, tonumber(proxy_out[2]) or 15270;
481 module:log("debug", "proxy_out: '%s:%d' proxy_secure_out: %s proxy_secure_in: %s", host, port, proxy_secure_out, proxy_secure_in);
482 module:hook("s2sout-pre-connect", function (event)
483 local session = event.session;
484
485 module:log("debug", "proxy_out redirect for '%s'", session.to_host);
486
487 if proxy_secure_out then
488 -- mark it secure so we will offer SASL EXTERNAL auth
489 session.secure = true;
490 end
491
492 event.resolver = basic_resolver.new(host, port, "tcp");
493 end);
494 else
495 module:log("debug", "proxy_secure_in: %s", proxy_secure_in);
496 end
497
498 if proxy_secure_in then
499 -- this hook marks incoming s2s as secure so we offer SASL EXTERNAL auth
500 module:hook("s2s-stream-features", function(event)
501 local session = event.origin;
502 -- check that proxyip isn't nil to make sure the connection was handled by this module
503 if session.conn.proxyip and session.type == "s2sin_unauthed" then
504 module:log("debug", "proxy_in for '%s' marked secure with validated cert", session.from_host);
505 session.secure = true;
506 session.cert_chain_status = "valid";
507 session.cert_identity_status = "valid";
508 end
509 end, 9000);
510 end
511
512 end