added websockproxy package

Author: burggraf

packages/websockproxy/.gitignore

@@ -0,0 +1,36 @@
+*.py[cod]
+
+# C extensions
+*.so
+
+# Packages
+*.egg
+*.egg-info
+dist
+build
+eggs
+parts
+bin
+var
+sdist
+develop-eggs
+.installed.cfg
+lib
+lib64
+__pycache__
+
+# Installer logs
+pip-log.txt
+
+# Unit test / coverage reports
+.coverage
+.tox
+nosetests.xml
+
+# Translations
+*.mo
+
+# Mr Developer
+.mr.developer.cfg
+.project
+.pydevproject

packages/websockproxy/Dockerfile

@@ -0,0 +1,29 @@
+FROM ubuntu:focal
+
+LABEL org.opencontainers.image.authors="benjamin.c.burns@gmail.com,mark@supabase.io"
+
+RUN apt-get update && apt-get install -y python2 python2-dev iptables dnsmasq uml-utilities net-tools build-essential curl && apt-get clean
+
+RUN curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py && python2 get-pip.py && rm get-pip.py
+
+COPY --chown=netdev:netdev zzz_net_tun.rules /etc/udev/rules.d/zzz_net_tun.rules
+
+COPY docker-image-config/docker-startup.sh switchedrelay.py limiter.py requirements.txt /opt/websockproxy/
+COPY docker-image-config/dnsmasq/interface docker-image-config/dnsmasq/dhcp /etc/dnsmasq.d/
+
+WORKDIR /opt/websockproxy/
+
+RUN pip2 install -r /opt/websockproxy/requirements.txt
+
+# install tzdata to get around geographical questions during install
+RUN apt-get update
+RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata
+RUN apt-get install -y nano && apt-get install -y nginx
+
+COPY nginx.conf /etc/nginx
+COPY default /etc/nginx/sites-enabled
+#EXPOSE 80
+
+CMD /opt/websockproxy/docker-startup.sh
+
+

packages/websockproxy/LICENSE

@@ -0,0 +1,7 @@
+Copyright 2022 Benjamin C. Burns
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

packages/websockproxy/README.md

@@ -0,0 +1,43 @@
+# WebSockets Proxy
+
+A websocket ethernet switch built using Tornado in Python
+
+Implements crude rate limiting on WebSocket connections to prevent abuse.
+
+Could use some cleanup!
+
+## How it works
+
+It's quite simple. The program starts off by creating a TAP device and listening
+for websocket connections on port 80. When clients connect, ethernet frames
+received via the websocket are switched between connected clients and the TAP
+device. All communication is done via raw ethernet frames.
+
+To use this in support of a virtual network you must set up the host system as
+a DHCP server and router.
+
+SSL support is not included. To enable SSL, please use a reverse proxy with SSL
+and websockets support, such as nginx.
+
+## Getting Started
+
+The easiest way to get up and running is via its public docker image. This
+image will set up a fully contained router enviornment using IPTables for
+basic NAT functionality and dnsmasq for DHCP support.
+
+To set up the relay via docker simply run
+
+```shell
+docker rm -f relay && docker run --privileged --network host --name relay burggraf/pg_browser_websockproxy:1.0.4
+```
+
+and point jor1k, your VPN client, or your emulator of choice at
+ws://YOUR_HOSTNAME:8080/
+
+Note that the container must be run in priviliged mode so that it can create
+its TAP device and set up IPv4 masquerading.
+
+For better security be sure to set up an Nginx reverse proxy with SSL support
+along with a more isolated docker bridge and some host-side firewall rules
+which prevent clients of your relay from attempting to connect to your host
+machine.

packages/websockproxy/default

@@ -0,0 +1,14 @@
+map $server_port $upstream {
+    "~(\d)(\d\d\d)$" 10.5.$1.$2:5432;
+}
+server {
+        listen 6001-6254 so_keepalive=on;
+         
+        #allow <ip_address>;
+        #deny all;
+     
+        proxy_connect_timeout 60s;
+        proxy_socket_keepalive on;
+        proxy_pass $upstream;
+}
+

packages/websockproxy/docker-image-config/dnsmasq/dhcp

@@ -0,0 +1,2 @@
+dhcp-range=10.5.6.1,10.5.6.254,255.255.0.0,15m
+dhcp-option=6,0.0.0.0,8.8.8.8,8.8.4.4

packages/websockproxy/docker-image-config/dnsmasq/interface

@@ -0,0 +1,3 @@
+listen-address=10.5.0.1
+interface=tap0
+bind-interfaces

packages/websockproxy/docker-image-config/docker-startup.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+## Create and initialize TAP device ##
+tunctl
+
+ifconfig tap0 down
+ifconfig tap0 10.5.0.1
+ifconfig tap0 netmask 255.255.0.0
+ifconfig tap0 mtu 1500
+ifconfig tap0 up
+######################
+
+## IP Forwarding config for TAP device ##
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+/sbin/iptables -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#Drop any packages destined for the host machine or any other docker containers
+#NOTE: double check that this matches your docker bridge subnet
+/sbin/iptables -A FORWARD -i tap0 -o eth0 -d 172.17.0.0/16 -j DROP
+
+/sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
+/sbin/iptables-save
+#########################################
+
+/etc/init.d/dnsmasq start
+nginx
+python2 switchedrelay.py

packages/websockproxy/limiter.py

@@ -0,0 +1,25 @@
+import time
+
+class RateLimitingState(object):
+    def __init__(self, rate, clientip, name):
+        self.name = name
+        self.clientip = clientip
+        self.rate = rate
+        self.allowance = rate
+        self.last_check = time.time()
+
+    def do_throttle(self, message):
+        current = time.time()
+        time_passed = current - self.last_check
+
+        self.last_check = current
+        self.allowance += time_passed * self.rate
+
+        if self.allowance > self.rate:
+            self.allowance = self.rate #throttle
+
+        if self.allowance > 1.0:
+            self.allowance -= len(message)
+            return True;
+
+        return False

packages/websockproxy/nginx.conf

@@ -0,0 +1,91 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	#access_log /var/log/nginx/access.log;
+	#error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	#include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+# 
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}
+stream {
+       #access_log  /var/log/nginx/db.access.log;
+       #error_log  /var/log/nginx/db.error.log;
+       include /etc/nginx/sites-enabled/default;
+}
+

packages/websockproxy/publish.sh

@@ -0,0 +1,2 @@
+docker build --platform linux/amd64 -t burggraf/pg_browser_websockproxy:1.0.4 .
+docker push burggraf/pg_browser_websockproxy:1.0.4

packages/websockproxy/relay.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=jor1k relay service
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+ExecStart=/usr/bin/docker run --rm --privileged -p 8080:80 --name jor1k-relay benjamincburns/jor1k-relay:latest
+
+RestartSec=2min
+
+[Install]
+WantedBy=multi-user.target 

packages/websockproxy/requirements.txt

@@ -0,0 +1,4 @@
+argparse==1.2.1
+python-pytun==2.2.1
+tornado==3.1.1
+wsgiref==0.1.2