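// For all support, instructions and copyright go to:
// http://e2guardian.org/
// Released under the GPL v2, with the OpenSSL exception described in the README file.

#ifndef __HPP_CONNECTIONHANDLER
#define __HPP_CONNECTIONHANDLER

// INCLUDES
// Standard headers are listed for every std:: name this header spells out
// (include-what-you-use) so the header no longer depends on the project
// headers below pulling them in transitively.
#include <cstddef> // size_t (postinfo)
#include <deque>   // std::deque<CSPlugin *> (contentFilter, check_content)
#include <iostream>
#include <list>    // std::list<postinfo> (postparts)
#include <memory>  // std::shared_ptr<LOptionContainer> (ldl, checkByPass)
#include <string>
#include "OptionContainer.hpp"
#include "FOptionContainer.hpp"
#include "LOptionContainer.hpp"
#include "NaughtyFilter.hpp"
#include "Socket.hpp"
#include "HTTPHeader.hpp"
#include "ICAPHeader.hpp"
#include "FatController.hpp"
#include "Auth.hpp"
// NOTE(review): String, DataBuffer, CSPlugin, ListContainer, stat_rec,
// AuthPlugin, auth_rec and off_t are not declared in this file; they are
// presumably provided by the project headers above — confirm before relying
// on it from a new translation unit.

// DECLARATIONS

// add a known clean URL to the cache
void addToClean(String &url, const int fg);

// record for storing information about POST data parts
// used for building up the POST data log column
struct postinfo {
    // MIME type & original filename (if available)
    std::string mimetype;
    std::string filename;
    // name of file containing headers & body info
    // for this POST part (if it has been stored)
    std::string storedname;
    // size of part
    size_t size;
    // offset of body data from start of file
    // (if post part was stored on disk)
    size_t bodyoffset;
    // true when this part was blocked by the filter
    bool blocked;
    // default: empty names, zero size/offset, not blocked
    postinfo()
        : size(0), bodyoffset(0), blocked(false) {}
};

// the ConnectionHandler class - handles filtering, scanning, and blocking of
// data passed between a client and the external proxy.
class ConnectionHandler
{
public:
    // Constructor is defined out of line; it is expected to initialise the
    // members below (clienthost in particular), see the destructor.
    ConnectionHandler();

    // Releases the heap-allocated client host name.
    // NOTE(review): clienthost is an owning raw pointer deleted here, but
    // the copy constructor / copy assignment are not deleted, so copying a
    // ConnectionHandler would double-free it. Either delete the copy
    // operations or hold the name in std::unique_ptr<std::string> (or a
    // plain std::string) — left unchanged here to keep the interface stable.
    ~ConnectionHandler()
    {
        delete clienthost;
    }

    int load_id;
    // pass data between proxy and client, filtering as we go.
    int handlePeer(Socket &peerconn, String &ip, stat_rec* &dystat, unsigned int LC_type);

    auth_rec SBauth; // record persists for whole connection

private:
    // Scalars get in-class defaults so a constructor that skips one of them
    // cannot leave it indeterminate; the constructor may still override them.
    int filtergroup = 0;
    int oldfg = 0;
    bool matchedip = false;
    bool persistent_authed = false;
    bool overide_persist = false;
    bool is_real_user = false;

    std::string clientuser;
    std::string oldclientuser;
    // owned by this object; released in the destructor
    std::string *clienthost = nullptr;
    std::string urlparams;
    std::list<postinfo> postparts;
    String lastcategory;
    std::shared_ptr<LOptionContainer> ldl;

    // diagnostics for the client-side and upstream-side sockets
    void peerDiag(const char *message, Socket &peersock );
    void upstreamDiag(const char *message, Socket &proxysock );

    int handleConnection(Socket &peerconn, String &ip, bool ismitm, Socket &proxyconn, stat_rec* &dystat);

#ifdef __SSLMITM
    int handleTHTTPSConnection(Socket &peerconn, String &ip, Socket &proxysock, stat_rec* &dystat);
#endif
    // ICAP (RFC 3507) request-modification / response-modification paths
    int handleICAPConnection(Socket &peerconn, String &ip, Socket &proxysock, stat_rec* &dystat);
    int handleICAPreqmod(Socket &peerconn, String &ip, NaughtyFilter &checkme, ICAPHeader &icaphead, AuthPlugin *auth_plugin) ;
    int handleICAPresmod(Socket &peerconn, String &ip, NaughtyFilter &checkme, ICAPHeader &icaphead, DataBuffer &docbody) ;

    bool getdnstxt(std::string &clientip, String &user);

    // map a resolver h_errno-style code to a message
    String dns_error(int herror);

    // write a log entry containing the given data (if required)
    void doLog(std::string &who, std::string &from, NaughtyFilter &cm);
    void doRQLog(std::string &who, std::string &from, NaughtyFilter &cm, std::string &funct);

#ifdef __SSLMITM
    bool goMITM(NaughtyFilter &checkme, Socket &proxysock, Socket &peerconn,bool &persistProxy, bool &authed, bool &persistent_authed, String &ip, stat_rec* &dystat, std::string &clientip, bool transparent = false);
#endif

    // perform URL encoding on a string
    std::string miniURLEncode(const char *s);

    // build the deny response (headers + body) without sending it
    bool genDenyAccess(Socket &peerconn, String &eheader, String &ebody, HTTPHeader *header, HTTPHeader *docheader,
                       String *url, NaughtyFilter *checkme, std::string *clientuser, std::string *clientip,
                       int filtergroup,
                       bool ispostblock, int headersent, bool wasinfected, bool scanerror, bool forceshow = false);

    // show the relevant banned page depending upon the report level settings, request type, etc.
    bool denyAccess(Socket *peerconn, Socket *proxysock, HTTPHeader *header, HTTPHeader *docheader,
                    String *url, NaughtyFilter *checkme, std::string *clientuser, std::string *clientip,
                    int filtergroup, bool ispostblock, int headersent, bool wasinfected, bool scanerror, bool forceshow = false);

    // create temporary ban bypass URLs/cookies
    // `magic` is the per-group bypass secret; these URLs/cookies are the
    // only thing standing between a client and a blocked page, so the
    // verification side must treat the URL and client IP as untrusted.
    String hashedURL(String *url, int filtergroup, std::string *clientip, bool infectionbypass, std::string *user);
    // is this a temporary filter bypass URL?
    int isBypassURL(String url, const char *magic, const char *clientip, bool *isvirusbypass, std::string &user);
    // is this a scan bypass URL? (download previously scanned file)
    bool isScanBypassURL(String url, const char *magic, const char *clientip);
    String hashedCookie(String *url, const char *magic, std::string *clientip, int bypasstimestamp);

    // do content scanning (AV filtering) and naughty filtering
    void contentFilter(HTTPHeader *docheader, HTTPHeader *header, DataBuffer *docbody, Socket *proxysock,
                       Socket *peerconn, int *headersent, bool *pausedtoobig, off_t *docsize, NaughtyFilter *checkme,
                       bool wasclean, int filtergroup, std::deque<CSPlugin *> &responsescanner, std::string *clientuser,
                       std::string *clientip, bool *wasinfected, bool *wasscanned, bool isbypass, String &url, String &domain,
                       bool *scanerror, bool &contentmodified, String *csmessage);

    // send a file to the client - used during bypass of blocked downloads
    off_t sendFile(Socket *peerconn, NaughtyFilter &cm, String &url, bool is_icap = false, ICAPHeader *icap_head = nullptr);

    bool writeback_error( NaughtyFilter &cm, Socket & cl_sock, int mess_no1, int mess_no2, std::string mess);
    bool gen_error_mess( Socket &peerconn, NaughtyFilter &cm, String &eheader, String &ebody, int mess_no1, int mess_no2, std::string mess);

    // authenticate the client and resolve its filter group; the overload
    // without proxysock is for paths that have no upstream socket yet
    bool doAuth(int &auth_result, bool &authed, int &filtergroup,AuthPlugin* auth_plugin, Socket & peerconn, Socket &proxysock, HTTPHeader & header,
                bool only_client_ip = false, bool isconnect_like = false);

    bool doAuth(int &auth_result, bool &authed, int &filtergroup,AuthPlugin* auth_plugin, Socket & peerconn, HTTPHeader & header, bool only_client_ip = false, bool isconnect_like = false);

    bool checkByPass( NaughtyFilter &checkme, std::shared_ptr<LOptionContainer> & ldl, HTTPHeader &header, Socket & proxysock,
                      Socket &peerconn, std::string &clientip );
    bool sendScanFile( Socket &peerconn, NaughtyFilter &checkme, bool is_icap = false, ICAPHeader *icaphead = nullptr);

    void check_search_terms(NaughtyFilter &cm);
    void check_content(NaughtyFilter &cm, DataBuffer &docbody, Socket &proxysock, Socket &peerconn,
                       std::deque<CSPlugin *> &responsescanners);
#ifdef __SSLMITM
    // ssl certificate checking
    void checkCertificate(String &hostname, Socket *sslSock, NaughtyFilter *checkme);
#endif //__SSLMITM

    int sendProxyConnect(String &hostname, Socket *sock, NaughtyFilter *checkme);

    int determineGroup(std::string &user, int &fg, ListContainer & uglc);
    int connectUpstream(Socket &sock, NaughtyFilter &cm,int port);
};

// Extract the SNI host name from raw TLS ClientHello bytes.
// NOTE(review): `bytes` is unparsed client network data; the implementation
// (not in this header) must bound every read by *len and never trust the
// length fields inside the record — confirm against the definition.
char *get_TLS_SNI(char *bytes, int* len);

#endif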