使用Rust实现http/https正向代理

相关库的安装

利用vcpkg安装openssl库

cobol 复制代码
vcpkg install openssl:x64-windows

并设置openssl库位置的环境变量

ruby 复制代码
$Env:OPENSSL_DIR="D:/vcpkg/packages/openssl_x64-windows/"

安装openssl软件,因为需要利用openssl生成自签名证书

Cargo依赖

cobol 复制代码
[dependencies]
anyhow = "1.0.81"
bytes = "1.6.0"
futures = "0.3.30"
http-body-util = "0.1.1"
hyper = { version = "1.2.0", features = ["full"] }
hyper-util = { version = "0.1.3", features = ["full"] }
openssl = "0.10.64"
tokio = { version = "1.37.0", features = ["full"] }
tokio-openssl = "0.6.4"
futures-util = "0.3.30"
tokio-util = "0.7.10"

利用OpenSSL生成自签名证书

cobol 复制代码
1、生成RSA私钥文件
openssl genrsa -out proxylea_private.key 2048
2、创建证书签名请求文件
openssl req -new -key proxylea_private.key -out server.csr
3、使用私钥为证书签名(自签名)
openssl x509 -req -days 3650 -in server.csr -signkey  proxylea_private.key -out proxylea_cert.crt
4、将proxylea_cert.crt证书导入电脑受信任根证书目录下

动态为相关网站颁发证书

1、生成RSA私钥文件
openssl genrsa -out proxylea_private.key 2048
2、创建证书签名请求文件
openssl req -new -key proxylea_private.key -out server.csr
3、使用私钥为证书签名(自签名)
openssl x509 -req -days 3650 -in server.csr -signkey  proxylea_private.key -out proxylea_cert.crt
4、将proxylea_cert.crt证书导入电脑受信任根证书目录下

效果如下,可以看见www.baidu.com网站的证书由自签名证书颁发。

利用hyper构建HTTP代理服务器

构建本地代理服务器

#[tokio::main]
pub async fn main() -> Result<()> {
    // This address is localhost
    let addr: SocketAddr = "127.0.0.1:7890".parse().unwrap();
 
    // Bind to the port and listen for incoming TCP connections
    let listener = TcpListener::bind(addr).await?;
    println!("Listening on http://{}", addr);
    loop {
        let (tcp_stream, addr) = listener.accept().await?;
        let msg = format!("{addr} connected");
        dbg!(msg);
        tokio::task::spawn(async move {
            let io = TokioIo::new(tcp_stream);
 
            let conn = http1::Builder::new()
                .serve_connection(io, service_fn(server_upgrade));
 
            // Don't forget to enable upgrades on the connection.
            let mut conn = conn.with_upgrades();
 
            let conn = Pin::new(&mut conn);
            if let Err(err) = conn.await {
                println!("Error serving connection: {:?}", err);
            }
        });
    }
}

将http协议升级到https

1、浏览器在进行https握手时,需要先发送一个CONNECT的http请求给代理服务器,代理服务器返回状态码200的http响应,代表浏览器与代理服务连接建立成功。

2、浏览器与代理服务器开始TLS握手,代理服务器开始连接远程网站服务器。

3、二者都连接成功时就可以传输数据了。

4、对于http请求,代理服务器与远程服务器连接成功后直接转发请求和响应。

/// Intercept local requests
fn intercept_request(mut request: Request<Incoming>) -> (Request<HttpBody>, Option<Response<HttpBody>>) {
    dbg!(request.uri().to_string());
    request.headers_mut().remove("Accept-Encoding");
    let req = request.map(|b| b.boxed());
 
    if let Some(Ok(host)) = req.headers().get(header::HOST).map(|h| h.to_str()) {
        if host.contains("127.0.0.1:7890")
            || host.contains("localhost:7890")
            || host.contains("baidu") {
            let resp = Response::builder()
                .header(header::CONTENT_TYPE, "text/plain")
                .body(full("Proxylea Server Power By Rust & Hyper\n"));
            return (req, Some(resp.unwrap()));
        }
    }
    (req, None)
}
 
/// Intercept remote responses
fn intercept_response(mut response: Response<Incoming>) -> Response<HttpBody> {
    dbg!({ format!("{:?}", response.headers()) });
    response.headers_mut().insert("proxy-server", "Proxylea".parse().unwrap());
    //let (parts,incoming)=resp.into_parts();
    let resp = response.map(|b| b.map_frame(|frame| {
        //You can modify and record the response body
        if let Some(bytes) = frame.data_ref() {
            //todo
        }
        frame
    }).boxed());
    resp
}

拦截本地浏览器请求和远程服务器响应

1、拦截浏览器对baidu网站的请求,并返回一些信息

2、拦截全部http响应,并且打印响应头和添加一些响应头

rust 复制代码
/// Intercept local requestsfn intercept_request(mut request: Request<Incoming>) -> (Request<HttpBody>, Option<Response<HttpBody>>) {    dbg!(request.uri().to_string());    request.headers_mut().remove("Accept-Encoding");    let req = request.map(|b| b.boxed());     if let Some(Ok(host)) = req.headers().get(header::HOST).map(|h| h.to_str()) {        if host.contains("127.0.0.1:7890")            || host.contains("localhost:7890")            || host.contains("baidu") {            let resp = Response::builder()                .header(header::CONTENT_TYPE, "text/plain")                .body(full("Proxylea Server Power By Rust & Hyper\n"));            return (req, Some(resp.unwrap()));        }    }    (req, None)} /// Intercept remote responsesfn intercept_response(mut response: Response<Incoming>) -> Response<HttpBody> {    dbg!({ format!("{:?}", response.headers()) });    response.headers_mut().insert("proxy-server", "Proxylea".parse().unwrap());    //let (parts,incoming)=resp.into_parts();    let resp = response.map(|b| b.map_frame(|frame| {        //You can modify and record the response body        if let Some(bytes) = frame.data_ref() {            //todo        }        frame    }).boxed());    resp}

结果展示

全部代码

整体代码写下来问题不大,主要是前面的openssl库的编译有些问题。Rust的hyper库类似于Java的Netty库,都属于底层库,但是hyper功能远不如Netty,hyper只是一个http相关的底层库。还有就是相关文档与资源实在是TM太少了,只能去看官方的example。从开发效率上来讲还是Netty更快(不如说是Java开发效率更快),但是学习hyper库有助于学习Rust的异步、特征、泛型,如果看见hyper库里面的pin_xx、poll_xx、各种特征与泛型非常自然的话,那么离熟练使用Rust也就不远了。

use std::error::Error;
use std::net::SocketAddr;
use std::pin::Pin;
use std::sync::Mutex;
 
use anyhow::{anyhow, Result};
use bytes::Bytes;
use futures::FutureExt;
use http_body_util::{BodyExt, Empty, Full};
use http_body_util::combinators::BoxBody;
use hyper::{header, Request, Response, StatusCode};
use hyper::body::{Body, Incoming};
use hyper::client::conn::http1::{Builder, Connection, SendRequest};
use hyper::rt::{Read, Write};
use hyper::server::conn::http1;
use hyper::service::service_fn;
use hyper::upgrade::Upgraded;
use hyper_util::rt::TokioIo;
use openssl::ssl::{Ssl, SslAcceptor, SslConnector, SslMethod, SslVerifyMode};
use tokio::net::{TcpListener, TcpStream};
use tokio_openssl::SslStream;
 
pub mod crt;
 
type HttpBody = BoxBody<Bytes, hyper::Error>;
 
#[tokio::main]
pub async fn main() -> Result<()> {
    // This address is localhost
    let addr: SocketAddr = "127.0.0.1:7890".parse().unwrap();
 
    // Bind to the port and listen for incoming TCP connections
    let listener = TcpListener::bind(addr).await?;
    println!("Listening on http://{}", addr);
    loop {
        let (tcp_stream, addr) = listener.accept().await?;
        let _msg = format!("{addr} connected");
        //dbg!(msg);
        tokio::task::spawn(async move {
            let io = TokioIo::new(tcp_stream);
 
            let conn = http1::Builder::new()
                .serve_connection(io, service_fn(handle));
 
            // Don't forget to enable upgrades on the connection.
            let mut conn = conn.with_upgrades();
 
            let conn = Pin::new(&mut conn);
            if let Err(err) = conn.await {
                println!("Error serving connection: {:?}", err);
            }
        });
    }
}
 
fn get_host_port(host_name: &str) -> (&str, u16) {
    match host_name.find(":") {
        None => {
            (host_name, 80)
        }
        Some(i) => {
            (&host_name[0..i], *&host_name[i + 1..].parse().unwrap_or(80))
        }
    }
}
 
fn not_found_host() -> Response<HttpBody> {
    Response::builder().status(404).body(full("not found host")).unwrap()
}
 
/// Our server HTTP handler to initiate HTTP upgrades.
async fn handle(mut req: Request<Incoming>) -> Result<Response<HttpBody>> {
    if req.method() != hyper::Method::CONNECT {
        let (host, port) = match req.headers().get(header::HOST) {
            None => {
                return Ok(not_found_host());
            }
            Some(h) => { get_host_port(h.to_str()?) }
        };
 
        let stream = TcpStream::connect((host, port)).await?;
        let io = TokioIo::new(stream);
 
        let (mut sender, conn) = Builder::new()
            .preserve_header_case(true)
            .title_case_headers(true)
            .handshake(io)
            .await?;
        tokio::task::spawn(async move {
            if let Err(err) = conn.await {
                println!("Connection failed: {:?}", err);
            }
        });
        let (req, resp) = intercept_request(req);
        return match resp {
            None => {
                let resp = sender.send_request(req).await?;
                Ok(resp.map(|b| b.boxed()))
            }
            Some(resp) => {
                Ok(resp)
            }
        };
    }
 
    let res = Response::new(empty());
    // handle https
    tokio::task::spawn(async move {
        match hyper::upgrade::on(&mut req).await {
            Ok(upgraded) => {
                if let Some(host) = req.uri().host() {
                    if let Err(e) = server_upgraded_https(host, upgraded).await {
                        let error_msg = format!("server io error: {}", e);
                        dbg!(error_msg);
                    };
                }
            }
            Err(e) => eprintln!("upgrade error: {}", e),
        }
    });
 
    Ok(res)
}
 
 
/// https upgraded
async fn server_upgraded_https(host: &str, upgraded: Upgraded) -> Result<()> {
    let upgraded = TokioIo::new(upgraded);
    // we have an upgraded connection that we can read and
    // write on directly.
    //
    let tls_acceptor = get_tls_acceptor(host);
    let ssl = Ssl::new(tls_acceptor.context())?;
    let mut tls_stream = SslStream::new(ssl, upgraded)?;
    if let Err(err) = SslStream::accept(Pin::new(&mut tls_stream)).await {
        return Err(anyhow!("error during tls handshake connection from : {}", err));
    }
    let stream = TokioIo::new(tls_stream);
 
    let (sender, conn) = https_remote_connect(host, 443).await?;
    tokio::spawn(async move {
        if let Err(err) = conn.await {
            let err_msg = format!("Connection failed: {:?}", err);
            dbg!(err_msg);
        }
    });
    let wrap_sender = Mutex::new(sender);
    if let Err(err) = http1::Builder::new()
        .serve_connection(stream, service_fn(|req| {
            let (req, resp) = intercept_request(req);
            async {
                match resp {
                    None => {
                        let remote_resp = wrap_sender.lock().unwrap().send_request(req);
                        match remote_resp.await {
                            Ok(resp) => {
                                Ok::<_, hyper::Error>(intercept_response(resp))
                            }
                            Err(err) => {
                                let resp = Response::builder()
                                    .status(StatusCode::INTERNAL_SERVER_ERROR)
                                    .header(header::CONTENT_TYPE, "text/plain")
                                    .body(full(err.to_string())).unwrap();
                                Ok::<_, hyper::Error>(resp)
                            }
                        }
                    }
                    Some(resp) => {
                        Ok::<_, hyper::Error>(resp)
                    }
                }
            }
        })).await {
        println!("Error serving connection: {:?}", err);
    }
 
    Ok(())
}
 
 
fn empty() -> HttpBody {
    Empty::<Bytes>::new()
        .map_err(|never| match never {})
        .boxed()
}
 
fn full<T: Into<Bytes>>(chunk: T) -> HttpBody {
    Full::new(chunk.into())
        .map_err(|never| match never {})
        .boxed()
}
 
/// Certificate not cached
fn get_tls_acceptor(host: &str) -> SslAcceptor {
    let mut tls_builder = SslAcceptor::mozilla_modern_v5(SslMethod::tls()).unwrap();
 
    let (crt, pri_key) = crt::get_crt_key(host);
 
    tls_builder.set_certificate(&crt).unwrap();
 
    tls_builder.set_private_key(&pri_key).unwrap();
 
    tls_builder.check_private_key().unwrap();
 
    let tls_acceptor = tls_builder.build();
    tls_acceptor
}
 
 
async fn https_remote_connect<B>(host: &str, port: u16) -> Result<(SendRequest<B>, Connection<TokioIo<SslStream<TcpStream>>, B>)>
    where
        B: Body + 'static,
        B::Data: Send,
        B::Error: Into<Box<dyn Error + Send + Sync>>, {
    let addr = format!("{}:{}", host, port);
    let tcp_stream = TcpStream::connect(addr).await?;
    let mut builder = SslConnector::builder(SslMethod::tls_client())?;
    builder.set_verify(SslVerifyMode::NONE);
    let connector = builder.build();
    let ssl = Ssl::new(connector.context())?;
    let mut tls_stream = SslStream::new(ssl, tcp_stream)?;
    if let Err(err) = SslStream::connect(Pin::new(&mut tls_stream)).await {
        return Err(anyhow!("error during tls handshake connection from : {}", err));
    }
    let io = TokioIo::new(tls_stream);
    Ok(hyper::client::conn::http1::handshake(io).await?)
}
 
/// Intercept local requests
fn intercept_request(mut request: Request<Incoming>) -> (Request<HttpBody>, Option<Response<HttpBody>>) {
    dbg!(request.uri().to_string());
    request.headers_mut().remove("Accept-Encoding");
    let req = request.map(|b| b.boxed());
 
    if let Some(Ok(host)) = req.headers().get(header::HOST).map(|h| h.to_str()) {
        if host.contains("127.0.0.1:7890")
            || host.contains("localhost:7890")
            || host.contains("baidu") {
            let resp = Response::builder()
                .header(header::CONTENT_TYPE, "text/plain")
                .body(full("Proxylea Server Power By Rust & Hyper\n"));
            return (req, Some(resp.unwrap()));
        }
    }
    (req, None)
}
 
/// Intercept remote responses
fn intercept_response(mut response: Response<Incoming>) -> Response<HttpBody> {
    dbg!({ format!("{:?}", response.headers()) });
    response.headers_mut().insert("proxy-server", "Proxylea".parse().unwrap());
    //let (parts,incoming)=resp.into_parts();
    let resp = response.map(|b| b.map_frame(|frame| {
        if let Some(bytes) = frame.data_ref() {
            //
        }
        frame
    }).boxed());
    resp
}
相关推荐
网络安全-老纪9 小时前
iOS应用网络安全之HTTPS
web安全·ios·https
lxkj_202419 小时前
修改ffmpeg实现https-flv内容加密
网络协议·https·ffmpeg
千羽星弦20 小时前
Apache和HTTPS证书的生成与安装
网络协议·https·apache
前端与小赵20 小时前
什么是Sass,有什么特点
前端·rust·sass
一个小坑货20 小时前
Rust基础
开发语言·后端·rust
Object~21 小时前
【第九课】Rust中泛型和特质
开发语言·后端·rust
码农飞飞1 天前
详解Rust结构体struct用法
开发语言·数据结构·后端·rust·成员函数·方法·结构体
ZHOU_WUYI1 天前
React 中使用 Axios 进行 HTTP 请求
javascript·react.js·http
可涵不会debug2 天前
【Linux|计算机网络】HTTPS工作原理与安全机制详解
linux·网络协议·http·网络安全·https
lu云之东2 天前
Harbor2.11.1生成自签证和配置HTTPS访问
网络协议·http·docker·https·harbor