更改错误的mitm文件

dump.go

@@ -32,10 +32,6 @@ func httpDump(req *http.Request, resp *http.Response) {
 	for headerName, headerContext := range req.Header {
 		fmt.Printf("%s: %s\n", Blue(headerName), headerContext)
 	}
-	fmt.Println(Green("Response:"))
-	for headerName, headerContext := range resp.Header {
-		fmt.Printf("%s: %s\n", Blue(headerName), headerContext)
-	}
 	if req.Method == "POST" {
 		fmt.Println(Green("URLEncoded form"))
 		err := req.ParseForm()
@@ -51,6 +47,11 @@ func httpDump(req *http.Request, resp *http.Response) {
 		}
 
 	}
+	fmt.Println(Green("Response:"))
+	for headerName, headerContext := range resp.Header {
+		fmt.Printf("%s: %s\n", Blue(headerName), headerContext)
+	}
+
 	respBody, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		logger.Println("func httpDump read resp body err:", err)

mitm.go

@@ -1,81 +1,342 @@
 package main
 
 import (
-	"flag"
+	"bufio"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"io"
 	"log"
+	"net"
 	"net/http"
-	"os"
+	"net/http/httputil"
+	"net/url"
+	"regexp"
+	"strings"
 	"sync"
 	"time"
 )
 
-const (
+type HandlerWrapper struct {
-	Version = "1.1"
+	MyConfig        *Cfg
-)
+	tlsConfig       *TlsConfig
+	wrapped         http.Handler
+	pk              *PrivateKey
+	pkPem           []byte
+	issuingCert     *Certificate
+	issuingCertPem  []byte
+	serverTLSConfig *tls.Config
+	dynamicCerts    *Cache
+	certMutex       sync.Mutex
+	https           bool
+}
 
-var (
+func (hw *HandlerWrapper) GenerateCertForClient() (err error) {
-	wg sync.WaitGroup
+	if hw.tlsConfig.Organization == "" {
-)
+		hw.tlsConfig.Organization = "gomitmproxy" + Version
+	}
+	if hw.tlsConfig.CommonName == "" {
+		hw.tlsConfig.CommonName = "gomitmproxy"
+	}
+	if hw.pk, err = LoadPKFromFile(hw.tlsConfig.PrivateKeyFile); err != nil {
+		hw.pk, err = GeneratePK(2048)
+		if err != nil {
+			return fmt.Errorf("Unable to generate private key: %s", err)
+		}
+		hw.pk.WriteToFile(hw.tlsConfig.PrivateKeyFile)
+	}
+	hw.pkPem = hw.pk.PEMEncoded()
+	hw.issuingCert, err = LoadCertificateFromFile(hw.tlsConfig.CertFile)
+	if err != nil || hw.issuingCert.ExpiresBefore(time.Now().AddDate(0, ONE_MONTH, 0)) {
+		hw.issuingCert, err = hw.pk.TLSCertificateFor(
+			hw.tlsConfig.Organization,
+			hw.tlsConfig.CommonName,
+			time.Now().AddDate(ONE_YEAR, 0, 0),
+			true,
+			nil)
+		if err != nil {
+			return fmt.Errorf("Unable to generate self-signed issuing certificate: %s", err)
+		}
+		hw.issuingCert.WriteToFile(hw.tlsConfig.CertFile)
+	}
+	hw.issuingCertPem = hw.issuingCert.PEMEncoded()
+	return
+}
 
-var logFile *os.File
+func (hw *HandlerWrapper) FakeCertForName(name string) (cert *tls.Certificate, err error) {
-var logger *log.Logger
+	kpCandidateIf, found := hw.dynamicCerts.Get(name)
+	if found {
+		return kpCandidateIf.(*tls.Certificate), nil
+	}
 
-func main() {
+	hw.certMutex.Lock()
-	var conf Cfg
+	defer hw.certMutex.Unlock()
+	kpCandidateIf, found = hw.dynamicCerts.Get(name)
+	if found {
+		return kpCandidateIf.(*tls.Certificate), nil
+	}
 
-	conf.Port = flag.String("port", "8080", "Listen port")
+	//create certificate
-	conf.Raddr = flag.String("raddr", "", "Remote addr")
+	certTTL := TWO_WEEKS
-	conf.Log = flag.String("log", "./error.log", "log file path")
+	generatedCert, err := hw.pk.TLSCertificateFor(
-	conf.Monitor = flag.Bool("m", false, "monitor mode")
+		hw.tlsConfig.Organization,
-	conf.Tls = flag.Bool("tls", false, "tls connect")
+		name,
-	flag.Parse()
+		time.Now().Add(certTTL),
+		false,
+		hw.issuingCert)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to issue certificate: %s", err)
+	}
+	keyPair, err := tls.X509KeyPair(generatedCert.PEMEncoded(), hw.pkPem)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to parse keypair for tls: %s", err)
+	}
 
-	var err error
+	cacheTTL := certTTL - ONE_DAY
-	logFile, err = os.Create(*conf.Log)
+	hw.dynamicCerts.Set(name, &keyPair, cacheTTL)
+	return &keyPair, nil
+}
+
+func (hw *HandlerWrapper) DumpHTTPAndHTTPs(resp http.ResponseWriter, req *http.Request) {
+	req.Header.Del("Proxy-Connection")
+	req.Header.Set("Connection", "Keep-Alive")
+
+	// handle connection
+	connIn, _, err := resp.(http.Hijacker).Hijack()
 	if err != nil {
-		log.Fatalln("fail to create log file!")
+		logger.Println("hijack error:", err)
 	}
+	defer connIn.Close()
 
-	logger = log.New(logFile, "[gomitmproxy]", log.LstdFlags|log.Llongfile)
+	var respOut *http.Response
+	host := req.Host
 
-	wg.Add(1)
+	matched, _ := regexp.MatchString(":[0-9]+$", host)
-	gomitmproxy(&conf)
+
-	wg.Wait()
+	if !hw.https {
-}
+		if !matched {
+			host += ":80"
+		}
+
+		connOut, err := net.DialTimeout("tcp", host, time.Second*30)
+		if err != nil {
+			logger.Println("dial to", host, "error:", err)
+			return
+		}
+
+		if err = req.Write(connOut); err != nil {
+			logger.Println("send to server error", err)
+			return
+		}
+
+		respOut, err = http.ReadResponse(bufio.NewReader(connOut), req)
+		if err != nil && err != io.EOF {
+			logger.Println("read response error:", err)
+		}
+
+	} else {
+		if !matched {
+			host += ":443"
+		}
+
+		connOut, err := tls.Dial("tcp", host, hw.tlsConfig.ServerTLSConfig)
+
+		if err != nil {
+			logger.Panicln("tls dial to", host, "error:", err)
+			return
+		}
+		if err = req.Write(connOut); err != nil {
+			logger.Println("send to server error", err)
+			return
+		}
 
-func gomitmproxy(conf *Cfg) {
+		respOut, err = http.ReadResponse(bufio.NewReader(connOut), req)
-	tlsConfig := NewTlsConfig("gomitmproxy-ca-pk.pem", "gomitmproxy-ca-cert.pem", "", "")
+		if err != nil && err != io.EOF {
+			logger.Println("read response error:", err)
+		}
+
+	}
 
-	handler, err := InitConfig(conf, tlsConfig)
+	if respOut == nil {
+		log.Println("respOut is nil")
+		return
+	}
+
+	respDump, err := httputil.DumpResponse(respOut, true)
 	if err != nil {
-		logger.Fatalf("InitConfig error: %s", err)
+		logger.Println("respDump error:", err)
 	}
 
-	server := &http.Server{
+	_, err = connIn.Write(respDump)
-		Addr:         ":" + *conf.Port,
+	if err != nil {
-		Handler:      handler,
+		logger.Println("connIn write error:", err)
-		ReadTimeout:  1 * time.Hour,
-		WriteTimeout: 1 * time.Hour,
 	}
 
-	go func() {
+	if *hw.MyConfig.Monitor {
-		log.Printf("proxy listening port:%s", *conf.Port)
+		go httpDump(req, respOut)
+	}
+
+}
 
-		if *conf.Tls {
+func (hw *HandlerWrapper) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
-			log.Println("ListenAndServeTLS")
+
-			err = server.ListenAndServeTLS("gomitmproxy-ca-cert.pem", "gomitmproxy-ca-pk.pem")
+	raddr := *hw.MyConfig.Raddr
+	if len(raddr) != 0 {
+		hw.Forward(resp, req, raddr)
+	} else {
+		if req.Method == "CONNECT" {
+			hw.https = true
+			hw.InterceptHTTPs(resp, req)
 		} else {
-			log.Println("ListenAndServe")
+			hw.https = false
-			err = server.ListenAndServe()
+			hw.DumpHTTPAndHTTPs(resp, req)
 		}
+	}
+}
+
+func (hw *HandlerWrapper) InterceptHTTPs(resp http.ResponseWriter, req *http.Request) {
+	addr := req.Host
+	host := strings.Split(addr, ":")[0]
+
+	cert, err := hw.FakeCertForName(host)
+	if err != nil {
+		msg := fmt.Sprintf("Could not get mitm cert for name: %s\nerror: %s", host, err)
+		respBadGateway(resp, msg)
+		return
+	}
+
+	// handle connection
+	connIn, _, err := resp.(http.Hijacker).Hijack()
+	if err != nil {
+		msg := fmt.Sprintf("Unable to access underlying connection from client: %s", err)
+		respBadGateway(resp, msg)
+		return
+	}
+	tlsConfig := copyTlsConfig(hw.tlsConfig.ServerTLSConfig)
+	tlsConfig.Certificates = []tls.Certificate{*cert}
+	tlsConnIn := tls.Server(connIn, tlsConfig)
+	listener := &mitmListener{tlsConnIn}
+	handler := http.HandlerFunc(func(resp2 http.ResponseWriter, req2 *http.Request) {
+		req2.URL.Scheme = "https"
+		req2.URL.Host = req2.Host
+		hw.DumpHTTPAndHTTPs(resp2, req2)
+
+	})
+
+	go func() {
+		err = http.Serve(listener, handler)
+		if err != nil && err != io.EOF {
+			logger.Printf("Error serving mitm'ed connection: %s", err)
+		}
+	}()
+
+	connIn.Write([]byte("HTTP/1.1 200 OK\r\n\r\n"))
+}
+
+func (hw *HandlerWrapper) Forward(resp http.ResponseWriter, req *http.Request, raddr string) {
+	connIn, _, err := resp.(http.Hijacker).Hijack()
+	connOut, err := net.Dial("tcp", raddr)
+	if err != nil {
+		logger.Println("dial tcp error", err)
+	}
+
+	err = connectProxyServer(connOut, raddr)
+	if err != nil {
+		logger.Println("connectProxyServer error:", err)
+	}
+
+	if req.Method == "CONNECT" {
+		b := []byte("HTTP/1.1 200 Connection Established\r\n" +
+			"Proxy-Agent: gomitmproxy/" + Version + "\r\n\r\n")
+		_, err := connIn.Write(b)
 		if err != nil {
-			logger.Fatalf("Unable to start HTTP proxy: %s", err)
+			logger.Println("Write Connect err:", err)
+			return
+		}
+	} else {
+		req.Header.Del("Proxy-Connection")
+		req.Header.Set("Connection", "Keep-Alive")
+		if err = req.Write(connOut); err != nil {
+			logger.Println("send to server err", err)
+			return
 		}
+	}
+	err = Transport(connIn, connOut)
+	if err != nil {
+		log.Println("trans error ", err)
+	}
+}
 
-		wg.Done()
+func InitConfig(conf *Cfg, tlsConfig *TlsConfig) (*HandlerWrapper, error) {
+	hw := &HandlerWrapper{
+		MyConfig:     conf,
+		tlsConfig:    tlsConfig,
+		dynamicCerts: NewCache(),
+	}
+	err := hw.GenerateCertForClient()
+	if err != nil {
+		return nil, err
+	}
+	return hw, nil
+}
 
-		log.Printf("gomitmproxy stop!!!!")
+func copyTlsConfig(template *tls.Config) *tls.Config {
-	}()
+	tlsConfig := &tls.Config{}
+	if template != nil {
+		*tlsConfig = *template
+	}
+	return tlsConfig
+}
+
+func respBadGateway(resp http.ResponseWriter, msg string) {
+	log.Println(msg)
+	resp.WriteHeader(502)
+	resp.Write([]byte(msg))
+}
+
+//两个io口的连接
+func Transport(conn1, conn2 net.Conn) (err error) {
+	rChan := make(chan error, 1)
+	wChan := make(chan error, 1)
+
+	go MyCopy(conn1, conn2, wChan)
+	go MyCopy(conn2, conn1, rChan)
+
+	select {
+	case err = <-wChan:
+	case err = <-rChan:
+	}
 
 	return
 }
+
+func MyCopy(src io.Reader, dst io.Writer, ch chan<- error) {
+	_, err := io.Copy(dst, src)
+	ch <- err
+}
+
+func connectProxyServer(conn net.Conn, addr string) error {
+
+	req := &http.Request{
+		Method:     "CONNECT",
+		URL:        &url.URL{Host: addr},
+		Host:       addr,
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+		Header:     make(http.Header),
+	}
+	req.Header.Set("Proxy-Connection", "keep-alive")
+
+	if err := req.Write(conn); err != nil {
+		return err
+	}
+
+	resp, err := http.ReadResponse(bufio.NewReader(conn), req)
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(resp.Status)
+	}
+	return nil
+}