Commit 2a0e522a authored by Dietmar Maurer's avatar Dietmar Maurer

HTTPServer: implement websockets

We can avoid wss ceritificate errors this way (wsproxy.py throw certificate errors with firefox).
parent 3af7a07f
......@@ -8,7 +8,9 @@ use POSIX qw(strftime EINTR EAGAIN);
use Fcntl;
use IO::File;
use File::stat qw();
use MIME::Base64;
use Digest::MD5;
use Digest::SHA;
# use AnyEvent::Strict; # only use this for debugging
use AnyEvent::Util qw(guard fh_nonblocking WSAEWOULDBLOCK WSAEINPROGRESS);
use AnyEvent::Socket;
......@@ -375,6 +377,192 @@ sub send_file_start {
warn $@ if $@;
}
sub websocket_proxy {
my ($self, $reqstate, $wsaccept, $wsproto, $param) = @_;
eval {
my $remhost;
my $remport;
my $max_payload_size = 65536;
my $binary;
if ($wsproto eq 'binary') {
$binary = 1;
} elsif ($wsproto eq 'base64') {
$binary = 0;
} else {
die "websocket_proxy: unsupported protocol '$wsproto'\n";
}
if ($param->{port}) {
$remhost = '127.0.0.1';
$remport = $param->{port};
} elsif ($param->{socket}) {
$remhost = 'unix/';
$remport = $param->{socket};
} else {
die "websocket_proxy: missing port or socket\n";
}
tcp_connect $remhost, $remport, sub {
my ($fh) = @_
or die "connect to '$remhost:$remport' failed: $!";
print "$$: CONNECTed to '$remhost:$remport'\n" if $self->{debug};
$reqstate->{proxyhdl} = AnyEvent::Handle->new(
fh => $fh,
rbuf_max => 64*1024,
wbuf_max => 64*10*1024,
timeout => 5,
on_eof => sub {
my ($hdl) = @_;
eval {
$self->log_aborted_request($reqstate);
$self->client_do_disconnect($reqstate);
};
if (my $err = $@) { syslog('err', $err); }
},
on_error => sub {
my ($hdl, $fatal, $message) = @_;
eval {
$self->log_aborted_request($reqstate, $message);
$self->client_do_disconnect($reqstate);
};
if (my $err = $@) { syslog('err', "$err"); }
});
my $proxyhdlreader = sub {
my ($hdl) = @_;
my $len = length($hdl->{rbuf});
my $data = substr($hdl->{rbuf}, 0, $len, '');
my $string;
my $payload;
if ($binary) {
$string = "\x82"; # binary frame
$payload = $data;
} else {
$string = "\x81"; # text frame
$payload = encode_base64($data, '');
}
my $payload_len = length($payload);
if ($payload_len <= 125) {
$string .= pack 'C', $payload_len;
} elsif ($payload_len <= 0xffff) {
$string .= pack 'C', 126;
$string .= pack 'n', $payload_len;
} else {
$string .= pack 'C', 127;
$string .= pack 'Q>', $payload_len;
}
$string .= $payload;
$reqstate->{hdl}->push_write($string) if $reqstate->{hdl};
};
my $hdlreader = sub {
my ($hdl) = @_;
my $len = length($hdl->{rbuf});
return if $len < 2;
my $hdr = unpack('C', substr($hdl->{rbuf}, 0, 1));
my $opcode = $hdr & 0b00001111;
my $fin = $hdr & 0b10000000;
die "received fragmented websocket frame\n" if !$fin;
my $rsv = $hdr & 0b01110000;
die "received websocket frame with RSV flags\n" if $rsv;
my $payload_len = unpack 'C', substr($hdl->{rbuf}, 1, 1);
my $masked = $payload_len & 0b10000000;
die "received unmasked websocket frame from client\n" if !$masked;
my $offset = 2;
$payload_len = $payload_len & 0b01111111;
if ($payload_len == 126) {
return if $len < 4;
$payload_len = unpack('n', substr($hdl->{rbuf}, $offset, 2));
$offset += 2;
} elsif ($payload_len == 127) {
return if $len < 10;
$payload_len = unpack('Q>', substr($hdl->{rbuf}, $offset, 8));
$offset += 8;
}
die "received too large websocket frame (len = $payload_len)\n"
if ($payload_len > $max_payload_size) || ($payload_len < 0);
return if $len < ($offset + 4 + $payload_len);
my $data = substr($hdl->{rbuf}, 0, $len, ''); # now consume data
my @mask = (unpack('C', substr($data, $offset+0, 1)),
unpack('C', substr($data, $offset+1, 1)),
unpack('C', substr($data, $offset+2, 1)),
unpack('C', substr($data, $offset+3, 1)));
$offset += 4;
my $payload = substr($data, $offset, $payload_len);
for (my $i = 0; $i < $payload_len; $i++) {
my $d = unpack('C', substr($payload, $i, 1));
my $n = $d ^ $mask[$i % 4];
substr($payload, $i, 1, pack('C', $n));
}
$payload = decode_base64($payload) if !$binary;
if ($opcode == 1 || $opcode == 2) {
$reqstate->{proxyhdl}->push_write($payload) if $reqstate->{proxyhdl};
} elsif ($opcode == 8) {
# ignore close ?
print "websocket received close\n" if $self->{debug};
} else {
die "received unhandled websocket opcode $opcode\n";
}
};
my $proto = $reqstate->{proto} ? $reqstate->{proto}->{str} : 'HTTP/1.1';
$reqstate->{proxyhdl}->timeout(0);
$reqstate->{proxyhdl}->on_read($proxyhdlreader);
$reqstate->{hdl}->on_read($hdlreader);
# todo: use stop_read/start_read if write buffer grows to much
my $res = "$proto 101 Switching Protocols\015\012" .
"Upgrade: websocket\015\012" .
"Connection: upgrade\015\012" .
"Sec-WebSocket-Accept: $wsaccept\015\012" .
"Sec-WebSocket-Protocol: $wsproto\015\012" .
"\015\012";
print $res if $self->{debug};
$reqstate->{hdl}->push_write($res);
# log early
$reqstate->{log}->{code} = 101;
$self->log_request($reqstate);
};
};
if (my $err = $@) {
warn $err;
$self->log_aborted_request($reqstate, $err);
$self->client_do_disconnect($reqstate);
}
}
sub proxy_request {
my ($self, $reqstate, $clientip, $host, $method, $uri, $ticket, $token, $params) = @_;
......@@ -533,6 +721,8 @@ sub handle_api2_request {
$rpcenv->set_user(undef); # clear after request
my $upgrade = $r->header('upgrade');
if (my $host = $res->{proxy}) {
if ($self->{trusted_env}) {
......@@ -551,6 +741,26 @@ sub handle_api2_request {
$r->uri, $auth->{ticket}, $auth->{token}, $res->{proxy_params});
return;
} elsif ($upgrade && ($method eq 'GET') && ($path =~ m|websocket$|)) {
die "unable to upgrade protocol\n" if !$upgrade || ($upgrade ne 'websocket');
my $wsver = $r->header('sec-websocket-version');
die "unsupported websocket-version '$wsver'\n" if !$wsver || ($wsver ne '13');
my $wsproto_str = $r->header('sec-websocket-protocol');
die "missing websocket-protocol header" if !$wsproto_str;
my $wsproto;
foreach my $p (PVE::Tools::split_list($wsproto_str)) {
$wsproto = $p if !$wsproto && $p eq 'base64';
$wsproto = $p if $p eq 'binary';
}
die "unsupported websocket-protocol protocol '$wsproto_str'\n" if !$wsproto;
my $wskey = $r->header('sec-websocket-key');
die "missing websocket-key\n" if !$wskey;
# Note: Digest::SHA::sha1_base64 has wrong padding
my $wsaccept = Digest::SHA::sha1_base64("${wskey}258EAFA5-E914-47DA-95CA-C5AB0DC85B11") . "=";
if ($res->{status} == HTTP_OK) {
$self->websocket_proxy($reqstate, $wsaccept, $wsproto, $res->{data});
return;
}
}
my $delay = 0;
......
......@@ -536,7 +536,7 @@ Ext.define('PVE.noVNCConsole', {
var urlparams = Ext.urlEncode({
encrypt: 1,
port: param.port,
path: "api2/json/nodes/" + me.nodename + "/qemu/" + me.vmid + "/vncwebsocket?port=" + param.port,
password: param.ticket
});
box.load('/novnc/vnc_pve.html?' + urlparams);
......@@ -553,7 +553,7 @@ Ext.define('PVE.noVNCConsole', {
reloadnoVNC: function() {
PVE.Utils.API2Request({
url: me.url,
params: me.params,
params: { websocket: 1 },
method: me.method || 'POST',
failure: function(response, opts) {
box.update(gettext('Error') + ' ' + response.htmlStatus);
......@@ -692,8 +692,7 @@ Ext.define('PVE.novncConsole', {
Ext.apply(me, {
tbar: tbar,
url: "/nodes/" + me.nodename + "/qemu/" + me.vmid + "/vncproxy",
params: { websocket: 1 }
url: "/nodes/" + me.nodename + "/qemu/" + me.vmid + "/vncproxy"
});
me.callParent();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment