From bde4f10bfeff3b358aa698ba2f172a1bfadbd14e Mon Sep 17 00:00:00 2001
From: Andreas Hrubak
Date: Wed, 10 Nov 2021 14:22:21 +0100
Subject: [PATCH] add autossl helper script and a connector script
---
 src/autossl | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/autossl-conn | 34 +++++++++++++++++++++++++++
 src/autossl.sh | 19 ---------------
 3 files changed, 104 insertions(+), 19 deletions(-)
 create mode 100755 src/autossl
 create mode 100755 src/autossl-conn
 delete mode 100755 src/autossl.sh
diff --git a/src/autossl b/src/autossl
new file mode 100755
index 0000000..4e7e6c5
--- /dev/null
+++ b/src/autossl
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# This is a helper script, wraps any command and sets up environment for
+# autossl.so.
+# Autossl.so is an LD_PRELOAD-ed library which intercepts network connections
+# and upgrade them to TLS.
+#
+# This helper script provides convenience logic to help you type less when
+# using it with common simple commands, like "wget ". You probably
+# use it only with simple commands anyways, so this convenience logic is
+# opt-out. Turn it off by set AUTOSSL_CONVENIENCE=off in your invoking
+# environment.
+#
+# As part of the convenience it (1) replaces https url-like command line
+# arguments to http (to let autossl.so intercept the plain connection and
+# upgrade it back to https during the connection) and (2) find domain
+# names in command line arguments and passes appropriate "-servername"
+# parameter to the underlaying openssl command.
+#
+# Set OPENSSL_EXTRA_ARGS environment variable to pass more parameters to openssl.
+#
+# It has an embedding port mapping which contains common plain:tls port
+# pairs for a given protocol, but you can extend it by setting splace
+# separated "plain:tls" port number pairs in AUTOSSL_TLS_PORT_MAP env
+# variable.
+#
+# See autossl.so docs for more info.
+
+
+if [ $# = 0 ]
+then
+ echo "Usage: autossl []" >&2
+ exit -1
+else
+ declare -a args
+ servername=''
+
+ if [ "$AUTOSSL_CONVENIENCE" = off ]
+ then
+ args=("$@")
+ else
+ for arg in "$@"
+ do
+ if [[ $arg =~ ^https://([^@/]*@)?([^/ :]+) ]]
+ then
+ servername=${BASH_REMATCH[2]}
+ fi
+ if [ "${arg:0:6}" = https: ]
+ then
+ arg=${arg/https:/http:}
+ fi
+ args+=("$arg")
+ done
+
+ if [ -n "$servername" ]
+ then
+ OPENSSL_EXTRA_ARGS="$OPENSSL_EXTRA_ARGS${OPENSSL_EXTRA_ARGS:+ }-servername $servername"
+ export OPENSSL_EXTRA_ARGS
+ fi
+ fi
+
+ echo "autossl: run: ${args[@]}" >&2
+
+ LD_PRELOAD=/usr/lib/yazzy-preload/autossl.so \
+ AUTOSSL_UPGRADE_PORTS="80${AUTOSSL_UPGRADE_PORTS:+:}${AUTOSSL_UPGRADE_PORTS}" \
+ AUTOSSL_TLS_CMD=/srv/bin/autossl-conn \
+ AUTOSSL_TLS_PORT_MAP="21:990 23:992 25:465 80:443 110:995 119:563 143:993 194:994 389:636 $AUTOSSL_TLS_PORT_MAP" \
+ AUTOSSL_ERRNO=5 \
+ exec "${args[@]}"
+fi
diff --git a/src/autossl-conn b/src/autossl-conn
new file mode 100755
index 0000000..b4cb796
--- /dev/null
+++ b/src/autossl-conn
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# This script is called by autossl.so.
+# See variables in autossl.so and in autossl wrapper script's docs.
+
+ip=$1
+plaintext_port=$2
+
+declare -A tls_ports
+for pair in $AUTOSSL_TLS_PORT_MAP
+do
+ from=${pair%%:*}
+ to=${pair##*:}
+ tls_ports[$from]=$to
+done
+unset pair from to
+
+tls_port=${tls_ports[$plaintext_port]}
+
+if [ -z $tls_port ]
+then
+ unset AUTOSSL_UPGRADE_PORTS
+ exec nc -v "$ip" "$plaintext_port"
+else
+ echo "autossl: opening TLS channel to $ip:$tls_port" >&2
+ if [ "$AUTOSSL_BACKEND" = stunnel ]
+ then
+ echo "autossl: run: stunnel -f -c -r $ip:$tls_port" >&2
+ exec stunnel -f -c -r "$ip:$tls_port"
+ else
+ echo "autossl: run: openssl s_client -connect $ip:$tls_port -quiet $OPENSSL_EXTRA_ARGS" >&2
+ exec /usr/local/opt/openssl_1.1.1h/bin/openssl s_client -connect "$ip:$tls_port" -quiet $OPENSSL_EXTRA_ARGS
+ fi
+fi
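Review bot: The https→http rewrite in the `for arg` loop runs before anything checks that the preload library at `/usr/lib/yazzy-preload/autossl.so` is present and loadable, so if it is missing (or the target binary is static or setuid and LD_PRELOAD is ignored) the command is executed with a plaintext http URL and no error at all. Fail closed before the exec: `[ -r /usr/lib/yazzy-preload/autossl.so ] || { echo "autossl: preload library not found" >&2; exit 1; }`. Related: `servername` keeps only the host of the last https argument, so a command naming several hosts presumably sends the wrong SNI to all but the last (worth stating in the header comment), and an https URL with an explicit port is still rewritten to http although only port 80 is put in AUTOSSL_UPGRADE_PORTS by default, so that request would likely leave the host unencrypted unless autossl.so handles it, which is not visible here. Minor: `echo "autossl: run: ${args[@]}"` should use `"${args[*]}"` (SC2145), and `exit -1` is not a valid exit status in POSIX sh — use `exit 2`.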
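Review bot: The `exec ... openssl s_client -connect "$ip:$tls_port" -quiet` line does nothing to enforce certificate verification: `s_client` prints a verify error but still completes the handshake and relays data, so the "upgraded" channel authenticates nobody and any on-path certificate is accepted. Add `-verify_return_error` (and `-verify_hostname` with the expected name where one is known) so a failed chain aborts the connection; the `stunnel -f -c -r` branch presumably has the same gap unless verification is configured elsewhere — confirm. When `tls_port` is empty the script silently falls back to plaintext `nc -v` although the caller asked for an upgrade port, which is a downgrade that should at least be reported on stderr. Minor: `[ -z $tls_port ]` only works by accident when the value is empty (`[ -z ]` tests the literal string `-z`), so write `[ -z "$tls_port" ]`, and the "run:" log message says `openssl` while the exec uses `/usr/local/opt/openssl_1.1.1h/bin/openssl`.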
diff --git a/src/autossl.sh b/src/autossl.sh
deleted file mode 100755
index 435f32f..0000000
--- a/src/autossl.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-echo "autossl.sh here called with $*" >&2
-
-ip=$1
-plain_port=$2
-declare -A tls_ports
-tls_ports=([21]=990 [23]=992 [25]=465 [80]=443 [110]=995 [119]=563 [143]=993 [194]=994 [389]=636)
-
-tls_port=${tls_ports[$plain_port]}
-
-if [ -z $tls_port ]
-then
- unset AUTOSSL_UPGRADE_PORTS
- exec nc -v "$ip" "$plain_port"
-else
- echo "autossl.sh: opening TLS channel to $ip:$tls_port" >&2
- openssl s_client -connect "$ip:$tls_port" -quiet
-fi
--
2.11.4.GIT