Add access control header to responses, HTTPS support via MITM

Author: colin969

.github/workflows/nexus.yml

@@ -27,7 +27,7 @@ jobs:
           GOARCH: "386"
         run: go build -o "Flashpoint Proxy.exe" .
       - name: Package
-        run: zip Server.zip "./Flashpoint Proxy.exe" ./proxySettings.json
+        run: zip Server.zip "./Flashpoint Proxy.exe" ./proxySettings.json ./fpproxy.crt ./fpproxy.key
       - name: Generate Metadata
         run: |
           sudo apt install libarchive-zip-perl -y

.gitignore

@@ -1,4 +1,5 @@
 .idea
 main.exe
+fpproxy.csr
 Flashpoint Proxy.exe
 fpProxy.exe

fpproxy.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJDCCAcsCFFCWJV/hBHpY18k/14yUbDA6V/TTMAoGCCqGSM49BAMCMIGTMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKU29tZS1TdGF0ZTEoMCYGA1UECgwfRmxhc2hw
+b2ludCBQcm94eSBVbnRydXN0ZWQgTUlUTTEoMCYGA1UECwwfRmxhc2hwb2ludCBQ
+cm94eSBVbnRydXN0ZWQgTUlUTTEbMBkGA1UEAwwSZnBwcm94eS5sb2NhbC5zaXRl
+MCAXDTIzMTAxNDEzNTQxNVoYDzIxMjMwOTIwMTM1NDE1WjCBkzELMAkGA1UEBhMC
+VVMxEzARBgNVBAgMClNvbWUtU3RhdGUxKDAmBgNVBAoMH0ZsYXNocG9pbnQgUHJv
+eHkgVW50cnVzdGVkIE1JVE0xKDAmBgNVBAsMH0ZsYXNocG9pbnQgUHJveHkgVW50
+cnVzdGVkIE1JVE0xGzAZBgNVBAMMEmZwcHJveHkubG9jYWwuc2l0ZTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABDOkMb4Fb+waYfEXg5OszAyjNqcp8PLTqSC2fcfC
+gX3Wqgvq4Vf46F4FViDKyo+E+6fOm3MauI3Vg2FGKUXf9jowCgYIKoZIzj0EAwID
+RwAwRAIgHyjrkkCwuOQm5JO5SKeH3Om8dQm6m6a+1k5max2RqakCICQRzrm0ERo4
+siAXSthMrOdDignP/cM10AcBe/J00Vw8
+-----END CERTIFICATE-----

fpproxy.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIGfj1mtowe1WiAMA3mK1VjgXV1lgUkliUxnk6lr5y/g5oAoGCCqGSM49
+AwEHoUQDQgAEM6QxvgVv7Bph8ReDk6zMDKM2pynw8tOpILZ9x8KBfdaqC+rhV/jo
+XgVWIMrKj4T7p86bcxq4jdWDYUYpRd/2Og==
+-----END EC PRIVATE KEY-----

gen-ca.sh

@@ -0,0 +1,3 @@
+openssl ecparam -out fpproxy.key -name prime256v1 -genkey
+openssl req -new -sha256 -key fpproxy.key -out fpproxy.csr
+openssl x509 -req -sha256 -days 36500 -in fpproxy.csr -signkey fpproxy.key -out fpproxy.crt

main.go

@@ -2,10 +2,13 @@ package main
 
 import (
 	"bufio"
+	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"flag"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -130,86 +133,155 @@ func setContentType(r *http.Request, resp *http.Response) {
 
 	rext := filepath.Ext(resp.Header.Get("ZIPSVR_FILENAME"))
 	ext := filepath.Ext(r.URL.Path)
+	mime := ""
 
-	//If the request already has an extension, just use it.
+	// If the request already has an extension, fetch the mime via extension
 	if ext != "" {
 		resp.Header.Set("Content-Type", proxySettings.ExtMimeTypes[ext[1:]])
-		return
+		mime = proxySettings.ExtMimeTypes[ext[1:]]
 	}
 
-	//If the response has an extension, use that.
-	if rext != "" {
+	// If the response has an extension, try and fetch the mime for that via extension
+	if mime == "" && rext != "" {
 		resp.Header.Set("Content-Type", proxySettings.ExtMimeTypes[rext[1:]])
-		return
+		mime = proxySettings.ExtMimeTypes[rext[1:]]
 	}
 
-	//Finally, just use the default type
-	resp.Header.Set("Content-Type", proxySettings.ExtMimeTypes["default"])
+	if mime == "" {
+		//Finally, just use the default type
+		mime = proxySettings.ExtMimeTypes["default"]
+	}
 
+	// If mime isn't accepted (and an accept header is given), then falsify the mime type
+	accepted := r.Header.Get("Accept")
+	if accepted != "" {
+		if !strings.Contains(accepted, mime) {
+			mime = strings.Split(accepted, ",")[0]
+		}
+	}
+
+	// Set content type header
+	resp.Header.Set("Content-Type", mime)
 }
 
-func main() {
-	//Handle the re-routing to local files or what not.
-	proxy.OnRequest().DoFunc(func(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
-		// Remove port from host if exists (old apps don't clean it before sending requests?)
-		r.URL.Host = strings.Split(r.URL.Host, ":")[0]
-		fmt.Printf("Proxy Request: %s\n", r.URL.Host+r.URL.Path)
-		newURL := *r.URL
-		if r.TLS == nil {
-			//HTTP request
-			newURL.Path = "content/" + r.URL.Host + r.URL.Path
-			newURL.Host = "127.0.0.1:" + proxySettings.ServerHTTPPort
-		} else {
-			//HTTPS request, currently goes to the same server
-			newURL.Path = "content/" + r.URL.Host + r.URL.Path
-			newURL.Host = "127.0.0.1:" + proxySettings.ServerHTTPSPort
-		}
+func handleRequest(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
+	// Remove port from host if exists (old apps don't clean it before sending requests?)
+	r.URL.Host = strings.Split(r.URL.Host, ":")[0]
+	fmt.Printf("Proxy Request: %s\n", r.URL.Host+r.URL.Path)
+
+	// Copy the original request
+	gamezipRequest := &http.Request{
+		Method: r.Method,
+		URL: &url.URL{
+			Scheme:   "http",
+			Host:     "127.0.0.1:" + proxySettings.ServerHTTPPort,
+			Path:     "content/" + r.URL.Host + r.URL.Path,
+			RawQuery: r.URL.RawQuery,
+		},
+		Header: make(http.Header),
+		Body:   r.Body,
+	}
+
+	// Clone the body into both requests by reading and making 2 new readers
+	contents, _ := ioutil.ReadAll(r.Body)
+	gamezipRequest.Body = ioutil.NopCloser(bytes.NewReader(contents))
+
+	// Make the request to the zip server.
+	client := &http.Client{}
+	proxyReq, err := http.NewRequest(gamezipRequest.Method, gamezipRequest.URL.String(), gamezipRequest.Body)
+	if err != nil {
+		fmt.Printf("UNHANDLED GAMEZIP ERROR: %s\n", err)
+	}
+	proxyReq.Header = gamezipRequest.Header
+	proxyResp, err := client.Do(proxyReq)
 
-		// Make the request to the zip server.
-		client := &http.Client{}
-		proxyReq, err := http.NewRequest(r.Method, newURL.String(), r.Body)
-		proxyReq.Header = r.Header
-		proxyResp, err := client.Do(proxyReq)
+	if proxyResp.StatusCode < 400 {
+		fmt.Printf("\tServing from Zip...\n")
+	}
 
-		if proxyResp.StatusCode < 400 {
-			fmt.Printf("\tServing from Zip...\n")
+	// Check Legacy
+	if proxyResp.StatusCode >= 400 {
+		// Copy the original request
+		legacyRequest := &http.Request{
+			Method: r.Method,
+			URL: &url.URL{
+				Scheme:   "http",
+				Host:     r.URL.Host,
+				Path:     r.URL.Path,
+				RawQuery: r.URL.RawQuery,
+			},
+			Header: make(http.Header),
+			Body:   r.Body,
+		}
+		// Copy in a new body reader
+		legacyRequest.Body = ioutil.NopCloser(bytes.NewReader(contents))
+
+		port := proxySettings.LegacyPHPPort
+
+		// Set the Proxy URL and apply it to the Transpor layer so that the request respects the proxy.
+		proxyURL, _ := url.Parse("http://127.0.0.1:" + port)
+		proxy := http.ProxyURL(proxyURL)
+		transport := &http.Transport{Proxy: proxy}
+
+		// A custom Dialer is required for the "localflash" urls, instead of using the DNS, we use this.
+		transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+			//Set Dialer timeout and keepalive to 30 seconds and force the address to localhost.
+			dialer := &net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second}
+			addr = "127.0.0.1:" + port
+			return dialer.DialContext(ctx, network, addr)
 		}
 
-		// Check Legacy
-		if proxyResp.StatusCode >= 400 {
+		// Make the request with the custom transport
+		client := &http.Client{Transport: transport, Timeout: 300 * time.Second}
+		legacyResp, err := client.Do(legacyRequest)
+		// An error occured, log it for debug purposes
+		if err == nil {
 			fmt.Printf("\tServing from Legacy...\n")
+			proxyResp = legacyResp
+		} else {
+			fmt.Printf("UNHANDLED LEGACY ERROR: %s\n", err)
+			fmt.Printf("\tfailure legacy\n")
+		}
+	}
 
-			port := proxySettings.LegacyPHPPort
+	// Update the content type based upon ext for now.
+	setContentType(r, proxyResp)
 
-			// Set the Proxy URL and apply it to the Transpor layer so that the request respects the proxy.
-			proxyURL, _ := url.Parse("http://127.0.0.1:" + port)
-			proxy := http.ProxyURL(proxyURL)
-			transport := &http.Transport{Proxy: proxy}
+	// Add extra headers
+	proxyResp.Header.Set("Access-Control-Allow-Origin", "*")
+	// Keep Alive
+	if strings.ToLower(r.Header.Get("Connection")) == "keep-alive" {
+		proxyResp.Header.Set("Connection", "Keep-Alive")
+		proxyResp.Header.Set("Keep-Alive", "timeout=5; max=100")
+	}
 
-			// A custom Dialer is required for the "localflash" urls, instead of using the DNS, we use this.
-			transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-				//Set Dialer timeout and keepalive to 30 seconds and force the address to localhost.
-				dialer := &net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second}
-				addr = "127.0.0.1:" + port
-				return dialer.DialContext(ctx, network, addr)
-			}
+	return r, proxyResp
+}
 
-			// TODO: Investigate if I need to blank this out... I don't think this is required.
-			r.RequestURI = ""
+func main() {
+	// To create CA cert, refer to https://wiki.mozilla.org/SecurityEngineering/x509Certs#Self_Signed_Certs
+	// Replace CA in GoProxy
+	certFile := "fpproxy.crt"
+	keyFile := "fpproxy.key"
 
-			// Make the request with the custom transport.
-			client := &http.Client{Transport: transport, Timeout: 300 * time.Second}
-			proxyResp, err = client.Do(r)
-		}
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		panic(err)
+	}
 
-		// An error occured, log it for debug purposes
-		if err != nil {
-			fmt.Printf("UNHANDLED ERROR: %s\n", err)
-		}
+	goproxy.MitmConnect.TLSConfig = goproxy.TLSConfigFromCA(&cert)
+
+	// Handle HTTPS requests (DOES NOT HANDLE HTTP)
+	proxy.OnRequest().HandleConnect(goproxy.AlwaysMitm)
+	proxy.OnRequest().HijackConnect(func(req *http.Request, client net.Conn, ctx *goproxy.ProxyCtx) {
+		_, resp := handleRequest(req, ctx)
+		resp.Write(client)
+		client.Close()
+	})
 
-		// Update the content type based upon ext for now.
-		setContentType(r, proxyResp)
-		return r, proxyResp
+	// Handle HTTP requests (DOES NOT HANDLE HTTPS)
+	proxy.OnRequest().DoFunc(func(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
+		return handleRequest(r, ctx)
 	})
 
 	//Start ZIP server

proxySettings.json

@@ -149,6 +149,7 @@
 		"htm": "text/html",
 		"html": "text/html",
 		"js": "text/javascript",
+		"json": "application/json",
 		"xpg": "text/x-xpg",
 		"svf": "vector/x-svf",
 		"afl": "video/animaflex",