Mercurial > prosody-modules
comparison mod_net_proxy/mod_net_proxy.lua @ 6348:9d3e6d2f25c7
mod_net_proxy: Add support for `proxy_out` and `proxy_secure`
| author | moparisthebest <admin@moparisthebest.com> |
|---|---|
| date | Fri, 14 Nov 2025 02:06:22 -0400 |
| parents | 49fad071e644 |
| children |
comparison
equal
deleted
inserted
replaced
| 6347:7ed4627ba65d | 6348:9d3e6d2f25c7 |
|---|---|
| 13 local ip = require "util.ip"; | 13 local ip = require "util.ip"; |
| 14 local net = require "util.net"; | 14 local net = require "util.net"; |
| 15 local set = require "util.set"; | 15 local set = require "util.set"; |
| 16 local portmanager = require "core.portmanager"; | 16 local portmanager = require "core.portmanager"; |
| 17 local fmt = require "util.format".format; | 17 local fmt = require "util.format".format; |
| 18 local basic_resolver = require "net.resolvers.basic"; | |
| 18 | 19 |
| 19 -- Backwards Compatibility | 20 -- Backwards Compatibility |
| 20 local function net_ntop_bc(input) | 21 local function net_ntop_bc(input) |
| 21 if input:len() == 4 then | 22 if input:len() == 4 then |
| 22 return string.format("%d.%d.%d.%d", input:byte(1, 4)); | 23 return string.format("%d.%d.%d.%d", input:byte(1, 4)); |
| 464 module:provides("net", { | 465 module:provides("net", { |
| 465 name = "proxy"; | 466 name = "proxy"; |
| 466 listener = listener; | 467 listener = listener; |
| 467 default_ports = mapped_ports; | 468 default_ports = mapped_ports; |
| 468 }); | 469 }); |
| 470 | |
| 471 function module.add_host(module) | |
| 472 local proxy_out = module:get_option("proxy_out", ""); | |
| 473 | |
| 474 local proxy_secure = module:get_option("proxy_secure", false); | |
| 475 local proxy_secure_in = proxy_secure or module:get_option("proxy_secure_in", false); | |
| 476 local proxy_secure_out = proxy_secure or module:get_option("proxy_secure_out", false); | |
| 477 | |
| 478 if proxy_out ~= "" then | |
| 479 -- this redirects outgoing s2s connections to a static host:port | |
| 480 local host, port = proxy_out[1] or proxy_out, tonumber(proxy_out[2]) or 15270; | |
| 481 module:log("debug", "proxy_out: '%s:%d' proxy_secure_out: %s proxy_secure_in: %s", host, port, proxy_secure_out, proxy_secure_in); | |
| 482 module:hook("s2sout-pre-connect", function (event) | |
| 483 local session = event.session; | |
| 484 | |
| 485 module:log("debug", "proxy_out redirect for '%s'", session.to_host); | |
| 486 | |
| 487 if proxy_secure_out then | |
| 488 -- mark it secure so we will offer SASL EXTERNAL auth | |
| 489 session.secure = true; | |
| 490 end | |
| 491 | |
| 492 event.resolver = basic_resolver.new(host, port, "tcp"); | |
| 493 end); | |
| 494 else | |
| 495 module:log("debug", "proxy_secure_in: %s", proxy_secure_in); | |
| 496 end | |
| 497 | |
| 498 if proxy_secure_in then | |
| 499 -- this hook marks incoming s2s as secure so we offer SASL EXTERNAL auth | |
| 500 module:hook("s2s-stream-features", function(event) | |
| 501 local session = event.origin; | |
| 502 -- check that proxyip isn't nil to make sure the connection was handled by this module | |
| 503 if session.conn.proxyip and session.type == "s2sin_unauthed" then | |
| 504 module:log("debug", "proxy_in for '%s' marked secure with validated cert", session.from_host); | |
| 505 session.secure = true; | |
| 506 session.cert_chain_status = "valid"; | |
| 507 session.cert_identity_status = "valid"; | |
| 508 end | |
| 509 end, 9000); | |
| 510 end | |
| 511 | |
| 512 end |
