Fixes to ssl.alpn_port_override

GreaterFire · GreaterFire · commit 40f6e7b1094c · 2020-03-22T14:36:51.000-07:00
diff --git a/docs/config.md b/docs/config.md
@@ -174,7 +174,7 @@ The NAT config is for transparent proxy. You'll need to [setup iptables rules](h
         "alpn": [
             "http/1.1"
         ],
-        "alpn_port_override" : {
+        "alpn_port_override": {
             "h2": 81
         },
         "reuse_session": true,
@@ -219,7 +219,7 @@ The NAT config is for transparent proxy. You'll need to [setup iptables rules](h
     - `cipher_tls13`: a cipher list for TLS 1.3 to use
     - `prefer_server_cipher`: whether to prefer server cipher list in a connection
     - `alpn`: a list of `ALPN` protocols to reply
-    - alpn_port_override: overrides the remote port to the specified value if an ALPN is matched. Useful for running nginx http1.1 and http2 on different ports (#226).
+    - `alpn_port_override`: overrides the remote port to the specified value if an `ALPN` is matched. Useful for running NGINX with HTTP/1.1 and HTTP/2 Cleartext on different ports.
     - `reuse_session`: whether to reuse `SSL` session
     - `session_ticket`: whether to use session tickets for session resumption
     - `session_timeout`: if `reuse_session` is set to `true`, specify `SSL` session timeout
diff --git a/examples/server.json-example b/examples/server.json-example
@@ -19,7 +19,7 @@
         "alpn": [
             "http/1.1"
         ],
-        "alpn_port_override" : {
+        "alpn_port_override": {
             "h2": 81
         },
         "reuse_session": true,
diff --git a/src/core/config.cpp b/src/core/config.cpp
@@ -59,13 +59,14 @@ void Config::populate(const ptree &tree) {
     target_addr = tree.get("target_addr", string());
     target_port = tree.get("target_port", uint16_t());
     map<string, string>().swap(password);
-    for (auto& item: tree.get_child("password")) {
-        string p = item.second.get_value<string>();
-        password[SHA224(p)] = p;
+    if (tree.get_child_optional("password")) {
+        for (auto& item: tree.get_child("password")) {
+            string p = item.second.get_value<string>();
+            password[SHA224(p)] = p;
+        }
     }
     udp_timeout = tree.get("udp_timeout", 60);
     log_level = static_cast<Log::Level>(tree.get("log_level", 1));
-    map<string, uint16_t>().swap(alpn_port);
     ssl.verify = tree.get("ssl.verify", true);
     ssl.verify_hostname = tree.get("ssl.verify_hostname", true);
     ssl.cert = tree.get("ssl.cert", string());
@@ -76,14 +77,17 @@ void Config::populate(const ptree &tree) {
     ssl.prefer_server_cipher = tree.get("ssl.prefer_server_cipher", true);
     ssl.sni = tree.get("ssl.sni", string());
     ssl.alpn = "";
-    auto alpn_port_override = tree.get_child_optional("ssl.alpn_port_override");
-    for (auto& item: tree.get_child("ssl.alpn")) {
-        string proto = item.second.get_value<string>();
-        ssl.alpn += (char)((unsigned char)(proto.length()));
-        ssl.alpn += proto;
-        if (alpn_port_override) {
-            auto it = alpn_port_override->find(proto);
-            alpn_port[proto] = it != alpn_port_override->not_found() ? it->second.get_value<uint16_t>() : remote_port;
+    if (tree.get_child_optional("ssl.alpn")) {
+        for (auto& item: tree.get_child("ssl.alpn")) {
+            string proto = item.second.get_value<string>();
+            ssl.alpn += (char)((unsigned char)(proto.length()));
+            ssl.alpn += proto;
+        }
+    }
+    map<string, uint16_t>().swap(ssl.alpn_port_override);
+    if (tree.get_child_optional("ssl.alpn_port_override")) {
+        for (auto& item: tree.get_child("ssl.alpn_port_override")) {
+            ssl.alpn_port_override[item.first] = item.second.get_value<uint16_t>();
         }
     }
     ssl.reuse_session = tree.get("ssl.reuse_session", true);
diff --git a/src/core/config.h b/src/core/config.h
@@ -42,7 +42,6 @@ class Config {
     std::map<std::string, std::string> password;
     int udp_timeout;
     Log::Level log_level;
-    std::map<std::string, uint16_t> alpn_port;
     class SSLConfig {
     public:
         bool verify;
@@ -55,6 +54,7 @@ class Config {
         bool prefer_server_cipher;
         std::string sni;
         std::string alpn;
+        std::map<std::string, uint16_t> alpn_port_override;
         bool reuse_session;
         bool session_ticket;
         long session_timeout;
diff --git a/src/session/serversession.cpp b/src/session/serversession.cpp
@@ -153,17 +153,19 @@ void ServerSession::in_recv(const string &data) {
             }
         }
         string query_addr = valid ? req.address.address : config.remote_addr;
-        string query_port = [&]() {
+        string query_port = to_string([&]() {
             if (valid) {
-                return to_string(req.address.port);
-            } else {
-                const unsigned char *alpn_out = nullptr;
-                unsigned int alpn_len = 0;
-                SSL_get0_alpn_selected(in_socket.native_handle(), &alpn_out, &alpn_len);
-                auto it = config.alpn_port.find(std::string(alpn_out, alpn_out + alpn_len));
-                return to_string((it != config.alpn_port.end()) ? it->second : config.remote_port);
+                return req.address.port;
+            }
+            const unsigned char *alpn_out;
+            unsigned int alpn_len;
+            SSL_get0_alpn_selected(in_socket.native_handle(), &alpn_out, &alpn_len);
+            if (alpn_out == NULL) {
+                return config.remote_port;
             }
-        }();
+            auto it = config.ssl.alpn_port_override.find(std::string(alpn_out, alpn_out + alpn_len));
+            return it == config.ssl.alpn_port_override.end() ? config.remote_port : it->second;
+        }());
         if (valid) {
             out_write_buf = req.payload;
             if (req.command == TrojanRequest::UDP_ASSOCIATE) {
@@ -176,7 +178,7 @@ void ServerSession::in_recv(const string &data) {
                 Log::log_with_endpoint(in_endpoint, "requested connection to " + req.address.address + ':' + to_string(req.address.port), Log::INFO);
             }
         } else {
-            Log::log_with_endpoint(in_endpoint, "not trojan request, connecting to " + config.remote_addr + ':' + query_port, Log::WARN);
+            Log::log_with_endpoint(in_endpoint, "not trojan request, connecting to " + query_addr + ':' + query_port, Log::WARN);
             out_write_buf = data;
         }
         sent_len += out_write_buf.length();
diff --git a/tests/LinuxSmokeTest/server.json b/tests/LinuxSmokeTest/server.json
@@ -14,6 +14,7 @@
         "cipher_tls13": "",
         "prefer_server_cipher": true,
         "alpn": [],
+        "alpn_port_override": {},
         "reuse_session": false,
         "session_ticket": false,
         "session_timeout": 600,
