Lib now dynamically accepts HTTPS clients and HTTP clients on a single port

Author: TechnikEmpire

CitadelCore/CitadelCore.csproj

@@ -12,13 +12,13 @@
     <PackageIconUrl />
     <RepositoryUrl>https://github.com/TechnikEmpire/CitadelCore</RepositoryUrl>
     <PackageTags>proxy filtering content-filtering transparent-proxy</PackageTags>
-    <PackageReleaseNotes>Fixes an issue where accessing content-type header could cause a null-ref exception.</PackageReleaseNotes>
+    <PackageReleaseNotes>Now dynamically handles HTTPS and HTTP streams on a single bound port. Clients no longer need to guess if a non-standard port connection is HTTP or HTTPS, the engine will figure this out itself.</PackageReleaseNotes>
     <Title>CitadelCore</Title>
     <Summary>Transparent filtering HTTP/S and Websocket/WebsocketSecure proxy.</Summary>
     <Description>Transparent filtering HTTP/S and Websocket/WebsocketSecure proxy.</Description>
-    <Version>3.6.2</Version>
-    <AssemblyVersion>3.6.2.0</AssemblyVersion>
-    <FileVersion>3.6.2.0</FileVersion>    
+    <Version>3.7.0</Version>
+    <AssemblyVersion>3.7.0.0</AssemblyVersion>
+    <FileVersion>3.7.0.0</FileVersion>    
   </PropertyGroup>
 
   <ItemGroup Label="dotnet pack instructions">

CitadelCore/Net/ConnectionAdapters/TlsSniConnectionAdapter.cs

@@ -30,7 +30,11 @@ namespace CitadelCore.Net.ConnectionAdapters
     /// </summary>
     internal class TlsSniConnectionAdapter : IConnectionAdapter
     {
-        public bool IsHttps => true;
+        public bool IsHttps
+        {
+            get;
+            private set;
+        }
 
         /// <summary>
         /// Holds our certificate store. This is responsible for spoofing, storing and retrieving TLS certificates.
@@ -78,15 +82,17 @@ private async Task<IAdaptedConnection> InnerOnConnectionAsync(ConnectionAdapterC
             {
                 // We start off by handing the connection stream off to a library that can do a peek
                 // read (which is really just doing buffering tricks, not an actual peek read).
-                var yourClientStream = new CustomBufferedStream(context.ConnectionStream, 4096);
+                var clientStream = new CustomBufferedStream(context.ConnectionStream, 4096);
 
                 // We then use the same lib to parse the "peeked" data and extract the SNI hostname.
-                var clientSslHelloInfo = await SslTools.PeekClientHello(yourClientStream);
+                var clientSslHelloInfo = await SslTools.PeekClientHello(clientStream);
 
                 switch (clientSslHelloInfo != null)
                 {
                     case true:
                         {
+                            IsHttps = true;
+
                             string sniHost = clientSslHelloInfo.Extensions?.FirstOrDefault(x => x.Name == "server_name")?.Data;
 
                             if (string.IsNullOrEmpty(sniHost) || string.IsNullOrWhiteSpace(sniHost))
@@ -96,7 +102,7 @@ private async Task<IAdaptedConnection> InnerOnConnectionAsync(ConnectionAdapterC
 
                             try
                             {
-                                var sslStream = new SslStream(yourClientStream, true,
+                                var sslStream = new SslStream(clientStream, true,
                                     (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
                                     {
                                         // TODO - Handle client certificates. They should be pushed
@@ -142,7 +148,7 @@ private async Task<IAdaptedConnection> InnerOnConnectionAsync(ConnectionAdapterC
                                     ClientCertificate = sslStream.RemoteCertificate?.ToV2Certificate()
                                 });
 
-                                return new HttpsAdaptedConnection(sslStream);
+                                return new HttpsConnection(sslStream);
                             }
                             catch (Exception err)
                             {
@@ -155,8 +161,8 @@ private async Task<IAdaptedConnection> InnerOnConnectionAsync(ConnectionAdapterC
 
                     default:
                         {
-                            LoggerProxy.Default.Error("No client hello!");
-                            return s_closedConnection;
+                            IsHttps = false;
+                            return new HttpConnection(clientStream);
                         }
                 }
             }
@@ -168,11 +174,28 @@ private async Task<IAdaptedConnection> InnerOnConnectionAsync(ConnectionAdapterC
             }
         }
 
-        private class HttpsAdaptedConnection : IAdaptedConnection
+        private class HttpConnection : IAdaptedConnection
+        {
+            private readonly Stream _plainHttpStream;
+
+            public HttpConnection(Stream stream)
+            {
+                _plainHttpStream = stream;
+            }
+
+            public Stream ConnectionStream => _plainHttpStream;
+
+            public void Dispose()
+            {
+                _plainHttpStream.Dispose();
+            }
+        }
+
+        private class HttpsConnection : IAdaptedConnection
         {
             private readonly SslStream _sslStream;
 
-            public HttpsAdaptedConnection(SslStream sslStream)
+            public HttpsConnection(SslStream sslStream)
             {
                 _sslStream = sslStream;
             }

CitadelCore/Net/Handlers/FilterResponseHandlerFactory.cs

@@ -27,7 +27,7 @@ static FilterResponseHandlerFactory()
             // If this isn't set, we'll have a massive bottlenet on our upstream flow. The
             // performance gains here extreme. This must be set.
             ServicePointManager.DefaultConnectionLimit = ushort.MaxValue;
-
+            
             ServicePointManager.Expect100Continue = false;
             ServicePointManager.CheckCertificateRevocationList = true;
             ServicePointManager.ReusePort = true;

CitadelCore/Net/Proxy/ProxyServer.cs

@@ -55,16 +55,6 @@ public IPEndPoint V4HttpEndpoint
             get;
         }
 
-        /// <summary>
-        /// Gets the IPV4 endpoint where HTTPS connections are being received. This will be ANY:0
-        /// until Start has been called.
-        /// </summary>
-        public IPEndPoint V4HttpsEndpoint
-        {
-            private set;
-            get;
-        }
-
         /// <summary>
         /// Gets the IPV6 endpoint where HTTP connections are being received. This will be ANY:0
         /// until Start has been called.
@@ -75,16 +65,6 @@ public IPEndPoint V6HttpEndpoint
             get;
         }
 
-        /// <summary>
-        /// Gets the IPV6 endpoint where HTTPS connections are being received. This will be ANY:0
-        /// until Start has been called.
-        /// </summary>
-        public IPEndPoint V6HttpsEndpoint
-        {
-            private set;
-            get;
-        }
-
         /// <summary>
         /// Gets whether or not the server is currently running.
         /// </summary>
@@ -194,30 +174,26 @@ public void Start(int numThreads = 0)
 
                 // Create the public, v4 proxy.
                 IPEndPoint v4HttpEndpoint = null;
-                IPEndPoint v4HttpsEndpoint = null;
 
                 var publicV4Startup = new PublicServerStartup(null, _httpResponseFactory);
-                var publicV4Host = CreateHost<PublicServerStartup>(false, false, out v4HttpEndpoint, out v4HttpsEndpoint, publicV4Startup);
+                var publicV4Host = CreateHost<PublicServerStartup>(false, false, out v4HttpEndpoint, publicV4Startup);
 
                 V4HttpEndpoint = v4HttpEndpoint;
-                V4HttpsEndpoint = v4HttpsEndpoint;
 
                 // Create the public, v6 proxy.
                 IPEndPoint v6HttpEndpoint = null;
-                IPEndPoint v6HttpsEndpoint = null;
 
                 var publicV6Startup = new PublicServerStartup(null, _httpResponseFactory);
-                var publicV6Host = CreateHost<PublicServerStartup>(false, true, out v6HttpEndpoint, out v6HttpsEndpoint, publicV6Startup);
+                var publicV6Host = CreateHost<PublicServerStartup>(false, true, out v6HttpEndpoint, publicV6Startup);
 
                 V6HttpEndpoint = v6HttpEndpoint;
-                V6HttpsEndpoint = v6HttpsEndpoint;
 
                 // Create the private, v4 replay proxy
                 IPEndPoint privateV4HttpEndpoint = null;
                 IPEndPoint privateV4HttpsEndpoint = null;
 
                 var privateV4Startup = new PrivateServerStartup(null, _replayResponseFactory);
-                var privateV4Host = CreateHost<PrivateServerStartup>(true, false, out privateV4HttpEndpoint, out privateV4HttpsEndpoint, privateV4Startup);
+                var privateV4Host = CreateHost<PrivateServerStartup>(true, false, out privateV4HttpEndpoint, privateV4Startup);
 
                 _replayResponseFactory.V4HttpEndpoint = privateV4HttpEndpoint;
                 _replayResponseFactory.V4HttpsEndpoint = privateV4HttpsEndpoint;
@@ -231,9 +207,9 @@ public void Start(int numThreads = 0)
 
                 _diverter = CreateDiverter(
                         V4HttpEndpoint,
-                        V4HttpsEndpoint,
+                        V4HttpEndpoint,
                         V6HttpEndpoint,
-                        V6HttpsEndpoint
+                        V6HttpEndpoint
                     );
 
                 _diverter.ConfirmDenyFirewallAccess = (procPath) =>
@@ -369,9 +345,6 @@ protected virtual bool CertificateVerificationHandler(object sender, X509Certifi
         /// <param name="boundHttpEndpoint">
         /// The endpoint that the HTTP host was bound to.
         /// </param>
-        /// <param name="boundHttpsEndpoint">
-        /// The endpoint that the HTTPS host was bound to.
-        /// </param>
         /// <param name="startupInsance">
         /// The startup instance to use for the server.
         /// </param>
@@ -382,12 +355,11 @@ protected virtual bool CertificateVerificationHandler(object sender, X509Certifi
         /// In the event that the internal kestrel engine doesn't properly initialize, this method
         /// will throw.
         /// </exception>
-        private IWebHost CreateHost<T>(bool isPrivate, bool isV6, out IPEndPoint boundHttpEndpoint, out IPEndPoint boundHttpsEndpoint, IStartup startupInsance) where T : class
+        private IWebHost CreateHost<T>(bool isPrivate, bool isV6, out IPEndPoint boundHttpEndpoint, IStartup startupInsance) where T : class
         {
             WebHostBuilder ipWebhostBuilder = new WebHostBuilder();
 
             ListenOptions httpListenOptions = null;
-            ListenOptions httpsListenOptions = null;
 
             ipWebhostBuilder.UseSockets(opts =>
             {
@@ -418,21 +390,6 @@ private IWebHost CreateHost<T>(bool isPrivate, bool isV6, out IPEndPoint boundHt
                     // https://github.com/aspnet/Docs/issues/5242#issuecomment-380863456
                     // listenOpts.Protocols = HttpProtocols.Http1;
 
-                    httpsListenOptions = listenOpts;
-                });
-
-                // Listen for HTTP connections. Keep a reference to the options object so we can get
-                // the chosen port number after we call start.
-                opts.Listen(isV6 ? IPAddress.IPv6Any : IPAddress.Any, 0, listenOpts =>
-                {
-                    // Who doesn't love to kick that old Nagle to the curb?
-                    listenOpts.NoDelay = true;
-
-                    // HTTP 2 got cut last minute from 2.1 and MS speculates that it may take several
-                    // releases to get it properly included.
-                    // https://github.com/aspnet/Docs/issues/5242#issuecomment-380863456
-                    // listenOpts.Protocols = HttpProtocols.Http1;
-
                     httpListenOptions = listenOpts;
                 });
             });
@@ -465,7 +422,6 @@ private IWebHost CreateHost<T>(bool isPrivate, bool isV6, out IPEndPoint boundHt
             if (httpListenOptions != null)
             {
                 boundHttpEndpoint = httpListenOptions.IPEndPoint;
-                boundHttpsEndpoint = httpsListenOptions.IPEndPoint;
             }
             else
             {