Exemple #1
        /// <summary>
        /// This is called when client is aware of proxy
        /// So for HTTPS requests client would send CONNECT header to negotiate a secure tcp tunnel via proxy
        /// </summary>
        /// <param name="endPoint"></param>
        /// <param name="tcpClient"></param>
        /// <returns></returns>
        private async Task HandleClient(ExplicitProxyEndPoint endPoint, TcpClient tcpClient)
            bool disposed = false;

            var clientStream = new CustomBufferedStream(tcpClient.GetStream(), BufferSize);

            var clientStreamReader = new CustomBinaryReader(clientStream, BufferSize);
            var clientStreamWriter = new HttpResponseWriter(clientStream, BufferSize);

            Uri httpRemoteUri;

                //read the first line HTTP command
                string httpCmd = await clientStreamReader.ReadLineAsync();

                if (string.IsNullOrEmpty(httpCmd))

                string  httpMethod;
                string  httpUrl;
                Version version;
                Request.ParseRequestLine(httpCmd, out httpMethod, out httpUrl, out version);

                httpRemoteUri = httpMethod == "CONNECT" ? new Uri("http://" + httpUrl) : new Uri(httpUrl);

                //filter out excluded host names
                bool excluded = false;

                if (endPoint.ExcludedHttpsHostNameRegex != null)
                    excluded = endPoint.ExcludedHttpsHostNameRegexList.Any(x => x.IsMatch(httpRemoteUri.Host));

                if (endPoint.IncludedHttpsHostNameRegex != null)
                    excluded = !endPoint.IncludedHttpsHostNameRegexList.Any(x => x.IsMatch(httpRemoteUri.Host));

                ConnectRequest connectRequest = null;

                //Client wants to create a secure tcp tunnel (probably its a HTTPS or Websocket request)
                if (httpMethod == "CONNECT")
                    connectRequest = new ConnectRequest
                        RequestUri  = httpRemoteUri,
                        OriginalUrl = httpUrl,
                        HttpVersion = version,

                    await HeaderParser.ReadHeaders(clientStreamReader, connectRequest.Headers);

                    var connectArgs = new TunnelConnectSessionEventArgs(BufferSize, endPoint, connectRequest);
                    connectArgs.ProxyClient.TcpClient    = tcpClient;
                    connectArgs.ProxyClient.ClientStream = clientStream;

                    if (TunnelConnectRequest != null)
                        await TunnelConnectRequest.InvokeParallelAsync(this, connectArgs, ExceptionFunc);

                    if (await CheckAuthorization(clientStreamWriter, connectArgs) == false)
                        if (TunnelConnectResponse != null)
                            await TunnelConnectResponse.InvokeParallelAsync(this, connectArgs, ExceptionFunc);


                    //write back successfull CONNECT response
                    connectArgs.WebSession.Response = ConnectResponse.CreateSuccessfullConnectResponse(version);
                    await clientStreamWriter.WriteResponseAsync(connectArgs.WebSession.Response);

                    var clientHelloInfo = await SslTools.PeekClientHello(clientStream);

                    bool isClientHello = clientHelloInfo != null;
                    if (isClientHello)
                        connectRequest.ClientHelloInfo = clientHelloInfo;

                    if (TunnelConnectResponse != null)
                        connectArgs.IsHttpsConnect = isClientHello;
                        await TunnelConnectResponse.InvokeParallelAsync(this, connectArgs, ExceptionFunc);

                    if (!excluded && isClientHello)
                        httpRemoteUri             = new Uri("https://" + httpUrl);
                        connectRequest.RequestUri = httpRemoteUri;

                        SslStream sslStream = null;

                            sslStream = new SslStream(clientStream);

                            string certName = HttpHelper.GetWildCardDomainName(httpRemoteUri.Host);

                            var certificate = endPoint.GenericCertificate ?? CertificateManager.CreateCertificate(certName, false);

                            //Successfully managed to authenticate the client using the fake certificate
                            await sslStream.AuthenticateAsServerAsync(certificate, false, SupportedSslProtocols, false);

                            //HTTPS server created - we can now decrypt the client's traffic
                            clientStream = new CustomBufferedStream(sslStream, BufferSize);

                            clientStreamReader = new CustomBinaryReader(clientStream, BufferSize);
                            clientStreamWriter = new HttpResponseWriter(clientStream, BufferSize);

                        //Now read the actual HTTPS request line
                        httpCmd = await clientStreamReader.ReadLineAsync();
                    //Hostname is excluded or it is not an HTTPS connect
                        //create new connection
                        using (var connection = await GetServerConnection(connectArgs, true))
                                if (isClientHello)
                                    if (clientStream.Available > 0)
                                        //send the buffered data
                                        var data = new byte[clientStream.Available];
                                        await clientStream.ReadAsync(data, 0, data.Length);

                                        await connection.Stream.WriteAsync(data, 0, data.Length);

                                        await connection.Stream.FlushAsync();

                                    var serverHelloInfo = await SslTools.PeekServerHello(connection.Stream);

                                    ((ConnectResponse)connectArgs.WebSession.Response).ServerHelloInfo = serverHelloInfo;

                                await TcpHelper.SendRaw(clientStream, connection.Stream, BufferSize,
                                                        (buffer, offset, count) => { connectArgs.OnDataSent(buffer, offset, count); }, (buffer, offset, count) => { connectArgs.OnDataReceived(buffer, offset, count); });


                //Now create the request
                disposed = await HandleHttpSessionRequest(tcpClient, httpCmd, clientStream, clientStreamReader, clientStreamWriter,
                                                          httpRemoteUri.Scheme == UriSchemeHttps?httpRemoteUri.Host : null, endPoint, connectRequest);
            catch (Exception e)
                ExceptionFunc(new Exception("Error whilst authorizing request", e));
                if (!disposed)
                    Dispose(clientStream, clientStreamReader, clientStreamWriter, null);
Exemple #2
        /// <summary>
        ///     Is the given stream starts with an SSL client hello?
        /// </summary>
        /// <param name="stream"></param>
        /// <param name="bufferPool"></param>
        /// <param name="cancellationToken"></param>
        /// <returns></returns>
        public static async Task <bool> IsClientHello(CustomBufferedStream stream, IBufferPool bufferPool, CancellationToken cancellationToken)
            var clientHello = await PeekClientHello(stream, bufferPool, cancellationToken);

            return(clientHello != null);
Exemple #3
        /// <summary>
        /// This is the core request handler method for a particular connection from client
        /// Will create new session (request/response) sequence until
        /// client/server abruptly terminates connection or by normal HTTP termination
        /// </summary>
        /// <param name="client"></param>
        /// <param name="httpCmd"></param>
        /// <param name="clientStream"></param>
        /// <param name="clientStreamReader"></param>
        /// <param name="clientStreamWriter"></param>
        /// <param name="httpsConnectHostname"></param>
        /// <param name="endPoint"></param>
        /// <param name="connectRequest"></param>
        /// <param name="isTransparentEndPoint"></param>
        /// <returns></returns>
        private async Task <bool> HandleHttpSessionRequest(TcpClient client, string httpCmd, CustomBufferedStream clientStream,
                                                           CustomBinaryReader clientStreamReader, HttpResponseWriter clientStreamWriter, string httpsConnectHostname,
                                                           ProxyEndPoint endPoint, ConnectRequest connectRequest, bool isTransparentEndPoint = false)
            bool disposed = false;

            TcpConnection connection = null;

            //Loop through each subsequest request on this particular client connection
            //(assuming HTTP connection is kept alive by client)
            while (true)
                if (string.IsNullOrEmpty(httpCmd))

                var args = new SessionEventArgs(BufferSize, endPoint, HandleHttpSessionResponse)
                    ProxyClient = { TcpClient = client },
                    WebSession  = { ConnectRequest = connectRequest }

                    string  httpMethod;
                    string  httpUrl;
                    Version version;
                    Request.ParseRequestLine(httpCmd, out httpMethod, out httpUrl, out version);

                    //Read the request headers in to unique and non-unique header collections
                    await HeaderParser.ReadHeaders(clientStreamReader, args.WebSession.Request.Headers);

                    var httpRemoteUri = new Uri(httpsConnectHostname == null
                        ? isTransparentEndPoint ? string.Concat("http://", args.WebSession.Request.Host, httpUrl) : httpUrl
                        : string.Concat("https://", args.WebSession.Request.Host ?? httpsConnectHostname, httpUrl));

                    args.WebSession.Request.RequestUri  = httpRemoteUri;
                    args.WebSession.Request.OriginalUrl = httpUrl;

                    args.WebSession.Request.Method      = httpMethod;
                    args.WebSession.Request.HttpVersion = version;
                    args.ProxyClient.ClientStream       = clientStream;
                    args.ProxyClient.ClientStreamReader = clientStreamReader;
                    args.ProxyClient.ClientStreamWriter = clientStreamWriter;

                    //proxy authorization check
                    if (httpsConnectHostname == null && await CheckAuthorization(clientStreamWriter, args) == false)

                    args.WebSession.Request.Host = args.WebSession.Request.RequestUri.Authority;

                    //if win auth is enabled
                    //we need a cache of request body
                    //so that we can send it after authentication in WinAuthHandler.cs
                    if (isWindowsAuthenticationEnabledAndSupported && args.WebSession.Request.HasBody)
                        await args.GetRequestBody();

                    //If user requested interception do it
                    if (BeforeRequest != null)
                        await BeforeRequest.InvokeParallelAsync(this, args, ExceptionFunc);

                    if (args.WebSession.Request.CancelRequest)

                    //create a new connection if hostname/upstream end point changes
                    if (connection != null &&
                        (!connection.HostName.Equals(args.WebSession.Request.RequestUri.Host, StringComparison.OrdinalIgnoreCase) ||
                         (args.WebSession.UpStreamEndPoint != null &&
                        connection = null;

                    if (connection == null)
                        connection = await GetServerConnection(args, false);

                    //if upgrading to websocket then relay the requet without reading the contents
                    if (args.WebSession.Request.UpgradeToWebSocket)
                        //prepare the prefix content
                        var    requestHeaders = args.WebSession.Request.Headers;
                        byte[] requestBytes;
                        using (var ms = new MemoryStream())
                            using (var writer = new HttpRequestWriter(ms, BufferSize))
                                requestBytes = ms.ToArray();

                        await connection.Stream.WriteAsync(requestBytes, 0, requestBytes.Length);

                        string httpStatus = await connection.StreamReader.ReadLineAsync();

                        Version responseVersion;
                        int     responseStatusCode;
                        string  responseStatusDescription;
                        Response.ParseResponseLine(httpStatus, out responseVersion, out responseStatusCode, out responseStatusDescription);
                        args.WebSession.Response.HttpVersion       = responseVersion;
                        args.WebSession.Response.StatusCode        = responseStatusCode;
                        args.WebSession.Response.StatusDescription = responseStatusDescription;

                        await HeaderParser.ReadHeaders(connection.StreamReader, args.WebSession.Response.Headers);

                        await clientStreamWriter.WriteResponseAsync(args.WebSession.Response);

                        //If user requested call back then do it
                        if (BeforeResponse != null && !args.WebSession.Response.ResponseLocked)
                            await BeforeResponse.InvokeParallelAsync(this, args, ExceptionFunc);

                        await TcpHelper.SendRaw(clientStream, connection.Stream, BufferSize,
                                                (buffer, offset, count) => { args.OnDataSent(buffer, offset, count); }, (buffer, offset, count) => { args.OnDataReceived(buffer, offset, count); });


                    //construct the web request that we are going to issue on behalf of the client.
                    disposed = await HandleHttpSessionRequestInternal(connection, args, false);

                    if (disposed)
                        //already disposed inside above method

                    //if connection is closing exit
                    if (args.WebSession.Response.KeepAlive == false)


                    // read the next request
                    httpCmd = await clientStreamReader.ReadLineAsync();
                catch (Exception e)
                    ExceptionFunc(new ProxyHttpException("Error occured whilst handling session request", e, args));

            if (!disposed)
                Dispose(clientStream, clientStreamReader, clientStreamWriter, connection);

        /// <summary>
        ///     This is called when this proxy acts as a reverse proxy (like a real http server).
        ///     So for HTTPS requests we would start SSL negotiation right away without expecting a CONNECT request from client
        /// </summary>
        /// <param name="endPoint">The transparent endpoint.</param>
        /// <param name="clientConnection">The client connection.</param>
        /// <returns></returns>
        private async Task handleClient(TransparentProxyEndPoint endPoint, TcpClientConnection clientConnection)
            var cancellationTokenSource = new CancellationTokenSource();
            var cancellationToken       = cancellationTokenSource.Token;

            var clientStream       = new CustomBufferedStream(clientConnection.GetStream(), BufferPool, BufferSize);
            var clientStreamWriter = new HttpResponseWriter(clientStream, BufferPool, BufferSize);

            SslStream sslStream = null;

                var clientHelloInfo = await SslTools.PeekClientHello(clientStream, BufferPool, cancellationToken);

                bool   isHttps       = clientHelloInfo != null;
                string httpsHostName = null;

                if (isHttps)
                    httpsHostName = clientHelloInfo.GetServerName() ?? endPoint.GenericCertificateName;

                    var args = new BeforeSslAuthenticateEventArgs(cancellationTokenSource)
                        SniHostName = httpsHostName

                    await endPoint.InvokeBeforeSslAuthenticate(this, args, ExceptionFunc);

                    if (cancellationTokenSource.IsCancellationRequested)
                        throw new Exception("Session was terminated by user.");

                    if (endPoint.DecryptSsl && args.DecryptSsl)
                        //do client authentication using certificate
                        X509Certificate2 certificate = null;
                            sslStream = new MySslStream(clientStream, false);

                            string certName = HttpHelper.GetWildCardDomainName(httpsHostName);
                            certificate = endPoint.GenericCertificate ??
                                          await CertificateManager.CreateServerCertificate(certName);

                            // Successfully managed to authenticate the client using the certificate
                            await sslStream.AuthenticateAsServerAsync(certificate, false, SslProtocols.Tls, false);

                            // HTTPS server created - we can now decrypt the client's traffic
                            clientStream = new CustomBufferedStream(new StreamWrapper(sslStream), BufferPool, BufferSize);

                            clientStreamWriter = new HttpResponseWriter(clientStream, BufferPool, BufferSize);
                        catch (Exception e)
                            var certname = certificate?.GetNameInfo(X509NameType.SimpleName, false);
                            var session  = new SessionEventArgs(this, endPoint, cancellationTokenSource)
                                ProxyClient = { Connection = clientConnection },
                                HttpClient  = { ConnectRequest = null }
                            throw new ProxyConnectException(
                                      $"Couldn't authenticate host '{httpsHostName}' with certificate '{certname}'.", e, session);
                        var connection = await tcpConnectionFactory.GetServerConnection(httpsHostName, endPoint.Port,
                                                                                        httpVersion : null, isHttps : false, applicationProtocols : null,
                                                                                        isConnect : true, proxyServer : this, session : null, upStreamEndPoint : UpStreamEndPoint,
                                                                                        externalProxy : UpStreamHttpsProxy, noCache : true, cancellationToken : cancellationToken);

                            int available = clientStream.Available;

                            if (available > 0)
                                // send the buffered data
                                var data = BufferPool.GetBuffer(BufferSize);
                                    // clientStream.Available should be at most BufferSize because it is using the same buffer size
                                    await clientStream.ReadAsync(data, 0, available, cancellationToken);

                                    await connection.StreamWriter.WriteAsync(data, 0, available, true, cancellationToken);

                            if (!clientStream.IsClosed && !connection.Stream.IsClosed)
                                await TcpHelper.SendRaw(clientStream, connection.Stream, BufferPool, BufferSize,
                                                        null, null, cancellationTokenSource, ExceptionFunc);
                            await tcpConnectionFactory.Release(connection, true);

                // HTTPS server created - we can now decrypt the client's traffic
                // Now create the request
                await handleHttpSessionRequest(endPoint, clientConnection, clientStream, clientStreamWriter,
                                               cancellationTokenSource, isHttps?httpsHostName : null, null, null);
            catch (ProxyException e)
                onException(clientStream, e);
            catch (IOException e)
                onException(clientStream, new Exception("Connection was aborted", e));
            catch (SocketException e)
                onException(clientStream, new Exception("Could not connect", e));
            catch (Exception e)
                onException(clientStream, new Exception("Error occured in whilst handling the client", e));

                if (!cancellationTokenSource.IsCancellationRequested)
        /// <summary>
        ///     This is the core request handler method for a particular connection from client.
        ///     Will create new session (request/response) sequence until
        ///     client/server abruptly terminates connection or by normal HTTP termination.
        /// </summary>
        /// <param name="endPoint">The proxy endpoint.</param>
        /// <param name="clientConnection">The client connection.</param>
        /// <param name="clientStream">The client stream.</param>
        /// <param name="clientStreamWriter">The client stream writer.</param>
        /// <param name="cancellationTokenSource">The cancellation token source for this async task.</param>
        /// <param name="httpsConnectHostname">
        ///     The https hostname as appeared in CONNECT request if this is a HTTPS request from
        ///     explicit endpoint.
        /// </param>
        /// <param name="connectRequest">The Connect request if this is a HTTPS request from explicit endpoint.</param>
        private async Task HandleHttpSessionRequest(ProxyEndPoint endPoint, TcpClientConnection clientConnection,
                                                    CustomBufferedStream clientStream, HttpResponseWriter clientStreamWriter,
                                                    CancellationTokenSource cancellationTokenSource, string httpsConnectHostname, ConnectRequest connectRequest)
            var cancellationToken = cancellationTokenSource.Token;
            TcpServerConnection serverConnection = null;
            bool serverConnectionClose           = false;

                // Loop through each subsequest request on this particular client connection
                // (assuming HTTP connection is kept alive by client)
                while (true)
                    // read the request line
                    string httpCmd = await clientStream.ReadLineAsync(cancellationToken);

                    if (string.IsNullOrEmpty(httpCmd))

                    var args = new SessionEventArgs(BufferSize, endPoint, cancellationTokenSource, ExceptionFunc)
                        ProxyClient = { ClientConnection = clientConnection },
                        WebSession  = { ConnectRequest = connectRequest }

                            Request.ParseRequestLine(httpCmd, out string httpMethod, out string httpUrl,
                                                     out var version);

                            // Read the request headers in to unique and non-unique header collections
                            await HeaderParser.ReadHeaders(clientStream, args.WebSession.Request.Headers,

                            Uri httpRemoteUri;
                            if (uriSchemeRegex.IsMatch(httpUrl))
                                    httpRemoteUri = new Uri(httpUrl);
                                catch (Exception ex)
                                    throw new Exception($"Invalid URI: '{httpUrl}'", ex);
                                string host        = args.WebSession.Request.Host ?? httpsConnectHostname;
                                string hostAndPath = host;
                                if (httpUrl.StartsWith("/"))
                                    hostAndPath += httpUrl;

                                string url = string.Concat(httpsConnectHostname == null ? "http://" : "https://",
                                    httpRemoteUri = new Uri(url);
                                catch (Exception ex)
                                    throw new Exception($"Invalid URI: '{url}'", ex);

                            var request = args.WebSession.Request;
                            request.RequestUri  = httpRemoteUri;
                            request.OriginalUrl = httpUrl;

                            request.Method                      = httpMethod;
                            request.HttpVersion                 = version;
                            args.ProxyClient.ClientStream       = clientStream;
                            args.ProxyClient.ClientStreamWriter = clientStreamWriter;

                            if (!args.IsTransparent)
                                // proxy authorization check
                                if (httpsConnectHostname == null && await CheckAuthorization(args) == false)
                                    await InvokeBeforeResponse(args);

                                    // send the response
                                    await clientStreamWriter.WriteResponseAsync(args.WebSession.Response,
                                                                                cancellationToken : cancellationToken);


                                request.Host = request.RequestUri.Authority;

                            // if win auth is enabled
                            // we need a cache of request body
                            // so that we can send it after authentication in WinAuthHandler.cs
                            if (isWindowsAuthenticationEnabledAndSupported && request.HasBody)
                                await args.GetRequestBody(cancellationToken);

                            request.OriginalHasBody = request.HasBody;

                            // If user requested interception do it
                            await InvokeBeforeRequest(args);

                            var response = args.WebSession.Response;

                            if (request.CancelRequest)
                                // syphon out the request body from client before setting the new body
                                await args.SyphonOutBodyAsync(true, cancellationToken);

                                await HandleHttpSessionResponse(args);

                                if (!response.KeepAlive)


                            // create a new connection if hostname/upstream end point changes
                            if (serverConnection != null &&
                                (!serverConnection.HostName.EqualsIgnoreCase(request.RequestUri.Host) ||
                                 args.WebSession.UpStreamEndPoint?.Equals(serverConnection.UpStreamEndPoint) ==
                                tcpConnectionFactory.Release(serverConnection, true);
                                serverConnection = null;

                            if (serverConnection == null)
                                serverConnection = await GetServerConnection(args, false, clientConnection.NegotiatedApplicationProtocol, cancellationToken);

                            // if upgrading to websocket then relay the requet without reading the contents
                            if (request.UpgradeToWebSocket)
                                // prepare the prefix content
                                await serverConnection.StreamWriter.WriteLineAsync(httpCmd, cancellationToken);

                                await serverConnection.StreamWriter.WriteHeadersAsync(request.Headers,
                                                                                      cancellationToken : cancellationToken);

                                string httpStatus = await serverConnection.Stream.ReadLineAsync(cancellationToken);

                                Response.ParseResponseLine(httpStatus, out var responseVersion,
                                                           out int responseStatusCode,
                                                           out string responseStatusDescription);
                                response.HttpVersion       = responseVersion;
                                response.StatusCode        = responseStatusCode;
                                response.StatusDescription = responseStatusDescription;

                                await HeaderParser.ReadHeaders(serverConnection.Stream, response.Headers,

                                if (!args.IsTransparent)
                                    await clientStreamWriter.WriteResponseAsync(response,
                                                                                cancellationToken : cancellationToken);

                                // If user requested call back then do it
                                if (!args.WebSession.Response.Locked)
                                    await InvokeBeforeResponse(args);

                                await TcpHelper.SendRaw(clientStream, serverConnection.Stream, BufferSize,
                                                        (buffer, offset, count) => { args.OnDataSent(buffer, offset, count); },
                                                        (buffer, offset, count) => { args.OnDataReceived(buffer, offset, count); },
                                                        cancellationTokenSource, ExceptionFunc);


                            // construct the web request that we are going to issue on behalf of the client.
                            await HandleHttpSessionRequestInternal(serverConnection, args);

                            if (args.WebSession.ServerConnection == null)

                            // if connection is closing exit
                            if (!response.KeepAlive)
                                serverConnectionClose = true;

                            if (cancellationTokenSource.IsCancellationRequested)
                                throw new Exception("Session was terminated by user.");
                        catch (Exception e) when(!(e is ProxyHttpException))
                            throw new ProxyHttpException("Error occured whilst handling session request", e, args);
                    catch (Exception e)
                        args.Exception        = e;
                        serverConnectionClose = true;
                        await InvokeAfterResponse(args);

                tcpConnectionFactory.Release(serverConnection, serverConnectionClose || !EnableConnectionPool);
Exemple #6
        public static async Task <bool> IsClientHello(CustomBufferedStream stream)
            var clientHello = await PeekClientHello(stream);

            return(clientHello != null);
Exemple #7
        public static async Task <bool> IsServerHello(CustomBufferedStream stream)
            var serverHello = await PeekServerHello(stream);

            return(serverHello != null);
        /// <summary>
        /// This is called when client is aware of proxy
        /// So for HTTPS requests client would send CONNECT header to negotiate a secure tcp tunnel via proxy
        /// </summary>
        /// <param name="endPoint"></param>
        /// <param name="tcpClient"></param>
        /// <returns></returns>
        private async Task HandleClient(ExplicitProxyEndPoint endPoint, TcpClient tcpClient)
            var clientStream = new CustomBufferedStream(tcpClient.GetStream(), BufferSize);

            var clientStreamReader = new CustomBinaryReader(clientStream, BufferSize);
            var clientStreamWriter = new HttpResponseWriter(clientStream, BufferSize);

                string connectHostname = null;

                ConnectRequest connectRequest = null;

                //Client wants to create a secure tcp tunnel (probably its a HTTPS or Websocket request)
                if (await HttpHelper.IsConnectMethod(clientStream) == 1)
                    //read the first line HTTP command
                    string httpCmd = await clientStreamReader.ReadLineAsync();

                    if (string.IsNullOrEmpty(httpCmd))

                    Request.ParseRequestLine(httpCmd, out string _, out string httpUrl, out var version);

                    var httpRemoteUri = new Uri("http://" + httpUrl);
                    connectHostname = httpRemoteUri.Host;

                    //filter out excluded host names
                    bool excluded = false;

                    if (endPoint.BeforeTunnelConnect != null)
                        excluded = await endPoint.BeforeTunnelConnect(connectHostname);

                    connectRequest = new ConnectRequest
                        RequestUri  = httpRemoteUri,
                        OriginalUrl = httpUrl,
                        HttpVersion = version,

                    await HeaderParser.ReadHeaders(clientStreamReader, connectRequest.Headers);

                    var connectArgs = new TunnelConnectSessionEventArgs(BufferSize, endPoint, connectRequest, ExceptionFunc);
                    connectArgs.ProxyClient.TcpClient    = tcpClient;
                    connectArgs.ProxyClient.ClientStream = clientStream;

                    await endPoint.InvokeTunnectConnectRequest(this, connectArgs, ExceptionFunc);

                    if (await CheckAuthorization(clientStreamWriter, connectArgs) == false)
                        await endPoint.InvokeTunnectConnectResponse(this, connectArgs, ExceptionFunc);


                    //write back successfull CONNECT response
                    var response = ConnectResponse.CreateSuccessfullConnectResponse(version);
                    connectArgs.WebSession.Response = response;

                    await clientStreamWriter.WriteResponseAsync(response);

                    var clientHelloInfo = await SslTools.PeekClientHello(clientStream);

                    bool isClientHello = clientHelloInfo != null;
                    if (isClientHello)
                        connectRequest.ClientHelloInfo = clientHelloInfo;

                    await endPoint.InvokeTunnectConnectResponse(this, connectArgs, ExceptionFunc, isClientHello);

                    if (!excluded && isClientHello)
                        connectRequest.RequestUri = new Uri("https://" + httpUrl);

                        SslStream sslStream = null;

                            sslStream = new SslStream(clientStream);

                            string certName = HttpHelper.GetWildCardDomainName(connectHostname);

                            var certificate = endPoint.GenericCertificate ?? await CertificateManager.CreateCertificateAsync(certName);

                            //Successfully managed to authenticate the client using the fake certificate
                            await sslStream.AuthenticateAsServerAsync(certificate, false, SupportedSslProtocols, false);

                            //HTTPS server created - we can now decrypt the client's traffic
                            clientStream = new CustomBufferedStream(sslStream, BufferSize);

                            clientStreamReader = new CustomBinaryReader(clientStream, BufferSize);
                            clientStreamWriter = new HttpResponseWriter(clientStream, BufferSize);

                        if (await HttpHelper.IsConnectMethod(clientStream) == -1)
                            // It can be for example some Google (Cloude Messaging for Chrome) magic
                            excluded = true;

                    //Hostname is excluded or it is not an HTTPS connect
                    if (excluded || !isClientHello)
                        //create new connection
                        using (var connection = await GetServerConnection(connectArgs, true))
                            if (isClientHello)
                                int available = clientStream.Available;
                                if (available > 0)
                                    //send the buffered data
                                    var data = BufferPool.GetBuffer(BufferSize);

                                        // clientStream.Available sbould be at most BufferSize because it is using the same buffer size
                                        await clientStream.ReadAsync(data, 0, available);

                                        await connection.StreamWriter.WriteAsync(data, 0, available, true);

                                var serverHelloInfo = await SslTools.PeekServerHello(connection.Stream);

                                ((ConnectResponse)connectArgs.WebSession.Response).ServerHelloInfo = serverHelloInfo;

                            await TcpHelper.SendRaw(clientStream, connection.Stream, BufferSize,
                                                    (buffer, offset, count) => { connectArgs.OnDataSent(buffer, offset, count); },
                                                    (buffer, offset, count) => { connectArgs.OnDataReceived(buffer, offset, count); },


                //Now create the request
                await HandleHttpSessionRequest(tcpClient, clientStream, clientStreamReader, clientStreamWriter, connectHostname, endPoint, connectRequest);
            catch (ProxyHttpException e)
            catch (IOException e)
                ExceptionFunc(new Exception("Connection was aborted", e));
            catch (SocketException e)
                ExceptionFunc(new Exception("Could not connect", e));
            catch (Exception e)
                ExceptionFunc(new Exception("Error occured in whilst handling the client", e));
Exemple #9
 public ServerHelloAlpnAdderStream(CustomBufferedStream stream)
     this.stream = stream;
Exemple #10
 public ClientHelloAlpnAdderStream(CustomBufferedStream stream)
     this.stream = stream;
        /// <summary>
        /// This is the core request handler method for a particular connection from client
        /// Will create new session (request/response) sequence until
        /// client/server abruptly terminates connection or by normal HTTP termination
        /// </summary>
        /// <param name="client"></param>
        /// <param name="clientStream"></param>
        /// <param name="clientStreamReader"></param>
        /// <param name="clientStreamWriter"></param>
        /// <param name="httpsConnectHostname"></param>
        /// <param name="endPoint"></param>
        /// <param name="connectRequest"></param>
        /// <param name="isTransparentEndPoint"></param>
        /// <returns></returns>
        private async Task HandleHttpSessionRequest(TcpClient client, CustomBufferedStream clientStream,
                                                    CustomBinaryReader clientStreamReader, HttpResponseWriter clientStreamWriter, string httpsConnectHostname,
                                                    ProxyEndPoint endPoint, ConnectRequest connectRequest, bool isTransparentEndPoint = false)
            TcpConnection connection = null;

                //Loop through each subsequest request on this particular client connection
                //(assuming HTTP connection is kept alive by client)
                while (true)
                    // read the request line
                    string httpCmd = await clientStreamReader.ReadLineAsync();

                    if (string.IsNullOrEmpty(httpCmd))

                    var args = new SessionEventArgs(BufferSize, endPoint, ExceptionFunc)
                        ProxyClient = { TcpClient = client },
                        WebSession  = { ConnectRequest = connectRequest }

                        Request.ParseRequestLine(httpCmd, out string httpMethod, out string httpUrl, out var version);

                        //Read the request headers in to unique and non-unique header collections
                        await HeaderParser.ReadHeaders(clientStreamReader, args.WebSession.Request.Headers);

                        Uri httpRemoteUri;
                        if (uriSchemeRegex.IsMatch(httpUrl))
                                httpRemoteUri = new Uri(httpUrl);
                            catch (Exception ex)
                                throw new Exception($"Invalid URI: '{httpUrl}'", ex);
                            string host        = args.WebSession.Request.Host ?? httpsConnectHostname;
                            string hostAndPath = host;
                            if (httpUrl.StartsWith("/"))
                                hostAndPath += httpUrl;

                            string url = string.Concat(httpsConnectHostname == null ? "http://" : "https://", hostAndPath);
                                httpRemoteUri = new Uri(url);
                            catch (Exception ex)
                                throw new Exception($"Invalid URI: '{url}'", ex);

                        args.WebSession.Request.RequestUri  = httpRemoteUri;
                        args.WebSession.Request.OriginalUrl = httpUrl;

                        args.WebSession.Request.Method      = httpMethod;
                        args.WebSession.Request.HttpVersion = version;
                        args.ProxyClient.ClientStream       = clientStream;
                        args.ProxyClient.ClientStreamReader = clientStreamReader;
                        args.ProxyClient.ClientStreamWriter = clientStreamWriter;

                        //proxy authorization check
                        if (!args.IsTransparent && httpsConnectHostname == null && await CheckAuthorization(clientStreamWriter, args) == false)

                        if (!isTransparentEndPoint)
                            args.WebSession.Request.Host = args.WebSession.Request.RequestUri.Authority;

                        //if win auth is enabled
                        //we need a cache of request body
                        //so that we can send it after authentication in WinAuthHandler.cs
                        if (isWindowsAuthenticationEnabledAndSupported && args.WebSession.Request.HasBody)
                            await args.GetRequestBody();

                        //If user requested interception do it
                        if (BeforeRequest != null)
                            await BeforeRequest.InvokeAsync(this, args, ExceptionFunc);

                        var response = args.WebSession.Response;

                        if (args.WebSession.Request.CancelRequest)
                            await HandleHttpSessionResponse(args);

                            if (!response.KeepAlive)


                        //create a new connection if hostname/upstream end point changes
                        if (connection != null &&
                            (!connection.HostName.Equals(args.WebSession.Request.RequestUri.Host, StringComparison.OrdinalIgnoreCase) ||
                             (args.WebSession.UpStreamEndPoint != null &&
                            connection = null;

                        if (connection == null)
                            connection = await GetServerConnection(args, false);

                        //if upgrading to websocket then relay the requet without reading the contents
                        if (args.WebSession.Request.UpgradeToWebSocket)
                            //prepare the prefix content
                            var requestHeaders = args.WebSession.Request.Headers;
                            await connection.StreamWriter.WriteLineAsync(httpCmd);

                            await connection.StreamWriter.WriteHeadersAsync(requestHeaders);

                            string httpStatus = await connection.StreamReader.ReadLineAsync();

                            Response.ParseResponseLine(httpStatus, out var responseVersion, out int responseStatusCode, out string responseStatusDescription);
                            response.HttpVersion       = responseVersion;
                            response.StatusCode        = responseStatusCode;
                            response.StatusDescription = responseStatusDescription;

                            await HeaderParser.ReadHeaders(connection.StreamReader, response.Headers);

                            if (!args.IsTransparent)
                                await clientStreamWriter.WriteResponseAsync(response);

                            //If user requested call back then do it
                            if (BeforeResponse != null && !args.WebSession.Response.ResponseLocked)
                                await BeforeResponse.InvokeAsync(this, args, ExceptionFunc);

                            await TcpHelper.SendRaw(clientStream, connection.Stream, BufferSize,
                                                    (buffer, offset, count) => { args.OnDataSent(buffer, offset, count); },
                                                    (buffer, offset, count) => { args.OnDataReceived(buffer, offset, count); },


                        //construct the web request that we are going to issue on behalf of the client.
                        await HandleHttpSessionRequestInternal(connection, args);

                        //if connection is closing exit
                        if (!response.KeepAlive)
                    catch (Exception e) when(!(e is ProxyHttpException))
                        throw new ProxyHttpException("Error occured whilst handling session request", e, args);
        private async Task <IAdaptedConnection> InnerOnConnectionAsync(ConnectionAdapterContext context)
            // We start off by handing the connection stream off to a library that can do a peek read
            // (which is really just doing buffering tricks, not an actual peek read).
            var yourClientStream = new CustomBufferedStream(context.ConnectionStream, 4096);

            // We then use the same lib to parse the "peeked" data and extract the SNI hostname.
            var clientSslHelloInfo = await SslTools.PeekClientHello(yourClientStream);

            switch (clientSslHelloInfo != null)
            case true:
                string sniHost = clientSslHelloInfo.Extensions?.FirstOrDefault(x => x.Name == "server_name")?.Data;

                if (string.IsNullOrEmpty(sniHost) || string.IsNullOrWhiteSpace(sniHost))
                    LoggerProxy.Default.Error("Failed to extract SNI hostname.");

                    var sslStream = new SslStream(yourClientStream, true,
                                                  (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
                            // TODO - Handle client certificates. They should be pushed to the
                            // upstream connection eventually.
                            if (certificate != null)
                                LoggerProxy.Default.Info("CLIENT CERTIFICATE AVAILABLE!!!!!!!!!!!!!");


                    // Spoof a cert for the extracted SNI hostname.
                    var spoofedCert = m_certStore.GetSpoofedCertificateForHost(sniHost);

                        // Try to handshake.
                        await sslStream.AuthenticateAsServerAsync(spoofedCert, false, s_allowedTlsProtocols, false);
                    catch (OperationCanceledException oe)
                        LoggerProxy.Default.Error("Failed to complete client TLS handshake because the operation was cancelled.");


                    catch (IOException ex)
                        LoggerProxy.Default.Error("Failed to complete client TLS handshake because of IO exception.");



                    // Always set the feature even though the cert might be null
                    context.Features.Set <ITlsConnectionFeature>(new TlsConnectionFeature
                            ClientCertificate = sslStream.RemoteCertificate != null ? sslStream.RemoteCertificate.ToV2Certificate() : null

                    return(new HttpsAdaptedConnection(sslStream));
                catch (Exception err)
                    LoggerProxy.Default.Error("Failed to complete client TLS handshake because of unknown exception.");



Exemple #13
        /// <summary>
        /// This is called when client is aware of proxy
        /// So for HTTPS requests client would send CONNECT header to negotiate a secure tcp tunnel via proxy
        /// </summary>
        /// <param name="endPoint"></param>
        /// <param name="tcpClient"></param>
        /// <returns></returns>
        private async Task HandleClient(ExplicitProxyEndPoint endPoint, TcpClient tcpClient)
            var disposed = false;

            var clientStream = new CustomBufferedStream(tcpClient.GetStream(), BufferSize);

            var clientStreamReader = new CustomBinaryReader(clientStream, BufferSize);
            var clientStreamWriter = new StreamWriter(clientStream)
                NewLine = ProxyConstants.NewLine

            Uri httpRemoteUri;

                //read the first line HTTP command
                var httpCmd = await clientStreamReader.ReadLineAsync();

                if (string.IsNullOrEmpty(httpCmd))

                //break up the line into three components (method, remote URL & Http Version)
                var httpCmdSplit = httpCmd.Split(ProxyConstants.SpaceSplit, 3);

                //Find the request Verb
                var httpVerb = httpCmdSplit[0].ToUpper();

                httpRemoteUri = httpVerb == "CONNECT" ? new Uri("http://" + httpCmdSplit[1]) : new Uri(httpCmdSplit[1]);

                //parse the HTTP version
                var version = HttpHeader.Version11;
                if (httpCmdSplit.Length == 3)
                    var httpVersion = httpCmdSplit[2].Trim();

                    if (string.Equals(httpVersion, "HTTP/1.0", StringComparison.OrdinalIgnoreCase))
                        version = HttpHeader.Version10;

                //filter out excluded host names
                bool excluded = false;

                if (endPoint.ExcludedHttpsHostNameRegex != null)
                    excluded = endPoint.ExcludedHttpsHostNameRegexList.Any(x => x.IsMatch(httpRemoteUri.Host));

                if (endPoint.IncludedHttpsHostNameRegex != null)
                    excluded = !endPoint.IncludedHttpsHostNameRegexList.Any(x => x.IsMatch(httpRemoteUri.Host));

                List <HttpHeader> connectRequestHeaders = null;

                //Client wants to create a secure tcp tunnel (its a HTTPS request)
                if (httpVerb == "CONNECT" && !excluded &&
                    httpRemoteUri         = new Uri("https://" + httpCmdSplit[1]);
                    connectRequestHeaders = new List <HttpHeader>();
                    string tmpLine;
                    while (!string.IsNullOrEmpty(tmpLine = await clientStreamReader.ReadLineAsync()))
                        var header = tmpLine.Split(ProxyConstants.ColonSplit, 2);

                        var newHeader = new HttpHeader(header[0], header[1]);

                    if (await CheckAuthorization(clientStreamWriter, connectRequestHeaders) == false)

                    await WriteConnectResponse(clientStreamWriter, version);

                    SslStream sslStream = null;

                        sslStream = new SslStream(clientStream);

                        var certName = HttpHelper.GetWildCardDomainName(httpRemoteUri.Host);

                        var certificate = endPoint.GenericCertificate ??
                                          CertificateManager.CreateCertificate(certName, false);

                        //Successfully managed to authenticate the client using the fake certificate
                        await sslStream.AuthenticateAsServerAsync(certificate, false,
                                                                  SupportedSslProtocols, false);

                        //HTTPS server created - we can now decrypt the client's traffic
                        clientStream = new CustomBufferedStream(sslStream, BufferSize);

                        clientStreamReader = new CustomBinaryReader(clientStream, BufferSize);
                        clientStreamWriter = new StreamWriter(clientStream)
                            NewLine = ProxyConstants.NewLine

                    //Now read the actual HTTPS request line
                    httpCmd = await clientStreamReader.ReadLineAsync();
                //Sorry cannot do a HTTPS request decrypt to port 80 at this time
                else if (httpVerb == "CONNECT")
                    //Siphon out CONNECT request headers
                    await clientStreamReader.ReadAndIgnoreAllLinesAsync();

                    //write back successfull CONNECT response
                    await WriteConnectResponse(clientStreamWriter, version);

                    await TcpHelper.SendRaw(this,
                                            httpRemoteUri.Host, httpRemoteUri.Port,
                                            null, version, null,
                                            clientStream, tcpConnectionFactory);


                //Now create the request
                disposed = await HandleHttpSessionRequest(tcpClient, httpCmd, clientStream, clientStreamReader, clientStreamWriter,
                                                          httpRemoteUri.Scheme == Uri.UriSchemeHttps?httpRemoteUri.Host : null, endPoint,
            catch (Exception e)
                ExceptionFunc(new Exception("Error whilst authorizing request", e));
                if (!disposed)
                    Dispose(clientStream, clientStreamReader, clientStreamWriter, null);
Exemple #14
        /// <summary>
        ///     Creates a TCP connection to server
        /// </summary>
        /// <param name="remoteHostName"></param>
        /// <param name="remotePort"></param>
        /// <param name="httpVersion"></param>
        /// <param name="decryptSsl"></param>
        /// <param name="applicationProtocols"></param>
        /// <param name="isConnect"></param>
        /// <param name="proxyServer"></param>
        /// <param name="upStreamEndPoint"></param>
        /// <param name="externalProxy"></param>
        /// <param name="cancellationToken"></param>
        /// <returns></returns>
        internal async Task <TcpServerConnection> CreateClient(string remoteHostName, int remotePort,
                                                               Version httpVersion, bool decryptSsl, List <SslApplicationProtocol> applicationProtocols, bool isConnect,
                                                               ProxyServer proxyServer, IPEndPoint upStreamEndPoint, ExternalProxy externalProxy,
                                                               CancellationToken cancellationToken)
            bool useUpstreamProxy = false;

            // check if external proxy is set for HTTP/HTTPS
            if (externalProxy != null &&
                !(externalProxy.HostName == remoteHostName && externalProxy.Port == remotePort))
                useUpstreamProxy = true;

                // check if we need to ByPass
                if (externalProxy.BypassLocalhost && NetworkHelper.IsLocalIpAddress(remoteHostName))
                    useUpstreamProxy = false;

            TcpClient            tcpClient = null;
            CustomBufferedStream stream    = null;

            SslApplicationProtocol negotiatedApplicationProtocol = default;

                tcpClient = new TcpClient(upStreamEndPoint);

                // If this proxy uses another external proxy then create a tunnel request for HTTP/HTTPS connections
                if (useUpstreamProxy)
                    await tcpClient.ConnectAsync(externalProxy.HostName, externalProxy.Port);
                    await tcpClient.ConnectAsync(remoteHostName, remotePort);

                stream = new CustomBufferedStream(tcpClient.GetStream(), proxyServer.BufferSize);

                if (useUpstreamProxy && (isConnect || decryptSsl))
                    var writer         = new HttpRequestWriter(stream, proxyServer.BufferSize);
                    var connectRequest = new ConnectRequest
                        OriginalUrl = $"{remoteHostName}:{remotePort}",
                        HttpVersion = httpVersion

                    connectRequest.Headers.AddHeader(KnownHeaders.Connection, KnownHeaders.ConnectionKeepAlive);

                    if (!string.IsNullOrEmpty(externalProxy.UserName) && externalProxy.Password != null)
                            HttpHeader.GetProxyAuthorizationHeader(externalProxy.UserName, externalProxy.Password));

                    await writer.WriteRequestAsync(connectRequest, cancellationToken : cancellationToken);

                    string httpStatus = await stream.ReadLineAsync(cancellationToken);

                    Response.ParseResponseLine(httpStatus, out _, out int statusCode, out string statusDescription);

                    if (statusCode != 200 && !statusDescription.EqualsIgnoreCase("OK") &&
                        !statusDescription.EqualsIgnoreCase("Connection Established"))
                        throw new Exception("Upstream proxy failed to create a secure tunnel");

                    await stream.ReadAndIgnoreAllLinesAsync(cancellationToken);

                if (decryptSsl)
                    var sslStream = new SslStream(stream, false, proxyServer.ValidateServerCertificate,
                    stream = new CustomBufferedStream(sslStream, proxyServer.BufferSize);

                    var options = new SslClientAuthenticationOptions();
                    options.ApplicationProtocols           = applicationProtocols;
                    options.TargetHost                     = remoteHostName;
                    options.ClientCertificates             = null;
                    options.EnabledSslProtocols            = proxyServer.SupportedSslProtocols;
                    options.CertificateRevocationCheckMode = proxyServer.CheckCertificateRevocation;
                    await sslStream.AuthenticateAsClientAsync(options, cancellationToken);

                    negotiatedApplicationProtocol = sslStream.NegotiatedApplicationProtocol;

                tcpClient.ReceiveTimeout = proxyServer.ConnectionTimeOutSeconds * 1000;
                tcpClient.SendTimeout    = proxyServer.ConnectionTimeOutSeconds * 1000;
            catch (Exception)

            return(new TcpServerConnection(proxyServer, tcpClient)
                UpStreamProxy = externalProxy,
                UpStreamEndPoint = upStreamEndPoint,
                HostName = remoteHostName,
                Port = remotePort,
                IsHttps = decryptSsl,
                NegotiatedApplicationProtocol = negotiatedApplicationProtocol,
                UseUpstreamProxy = useUpstreamProxy,
                StreamWriter = new HttpRequestWriter(stream, proxyServer.BufferSize),
                Stream = stream,
                Version = httpVersion
Exemple #15
        /// <summary>
        ///     This is the core request handler method for a particular connection from client.
        ///     Will create new session (request/response) sequence until
        ///     client/server abruptly terminates connection or by normal HTTP termination.
        /// </summary>
        /// <param name="endPoint">The proxy endpoint.</param>
        /// <param name="clientConnection">The client connection.</param>
        /// <param name="clientStream">The client stream.</param>
        /// <param name="clientStreamWriter">The client stream writer.</param>
        /// <param name="cancellationTokenSource">The cancellation token source for this async task.</param>
        /// <param name="httpsConnectHostname">
        ///     The https hostname as appeared in CONNECT request if this is a HTTPS request from
        ///     explicit endpoint.
        /// </param>
        /// <param name="connectRequest">The Connect request if this is a HTTPS request from explicit endpoint.</param>
        /// <param name="prefetchConnectionTask">Prefetched server connection for current client using Connect/SNI headers.</param>
        private async Task handleHttpSessionRequest(ProxyEndPoint endPoint, TcpClientConnection clientConnection,
                                                    CustomBufferedStream clientStream, HttpResponseWriter clientStreamWriter,
                                                    CancellationTokenSource cancellationTokenSource, string httpsConnectHostname, ConnectRequest connectRequest,
                                                    Task <TcpServerConnection> prefetchConnectionTask = null)
            var prefetchTask = prefetchConnectionTask;
            TcpServerConnection connection = null;
            bool closeServerConnection     = false;

                var cancellationToken = cancellationTokenSource.Token;

                // Loop through each subsequest request on this particular client connection
                // (assuming HTTP connection is kept alive by client)
                while (true)
                    // read the request line
                    string httpCmd = await clientStream.ReadLineAsync(cancellationToken);

                    if (string.IsNullOrEmpty(httpCmd))

                    var args = new SessionEventArgs(this, endPoint, cancellationTokenSource)
                        ProxyClient = { ClientConnection = clientConnection },
                        WebSession  = { ConnectRequest = connectRequest }

                            Request.ParseRequestLine(httpCmd, out string httpMethod, out string httpUrl,
                                                     out var version);

                            // Read the request headers in to unique and non-unique header collections
                            await HeaderParser.ReadHeaders(clientStream, args.WebSession.Request.Headers,

                            Uri httpRemoteUri;
                            if (uriSchemeRegex.IsMatch(httpUrl))
                                    httpRemoteUri = new Uri(httpUrl);
                                catch (Exception ex)
                                    throw new Exception($"Invalid URI: '{httpUrl}'", ex);
                                string host        = args.WebSession.Request.Host ?? httpsConnectHostname;
                                string hostAndPath = host;
                                if (httpUrl.StartsWith("/"))
                                    hostAndPath += httpUrl;

                                string url = string.Concat(httpsConnectHostname == null ? "http://" : "https://",
                                    httpRemoteUri = new Uri(url);
                                catch (Exception ex)
                                    throw new Exception($"Invalid URI: '{url}'", ex);

                            var request = args.WebSession.Request;
                            request.RequestUri  = httpRemoteUri;
                            request.OriginalUrl = httpUrl;

                            request.Method                      = httpMethod;
                            request.HttpVersion                 = version;
                            args.ProxyClient.ClientStream       = clientStream;
                            args.ProxyClient.ClientStreamWriter = clientStreamWriter;

                            if (!args.IsTransparent)
                                // proxy authorization check
                                if (httpsConnectHostname == null && await checkAuthorization(args) == false)
                                    await invokeBeforeResponse(args);

                                    // send the response
                                    await clientStreamWriter.WriteResponseAsync(args.WebSession.Response,
                                                                                cancellationToken : cancellationToken);


                                request.Host = request.RequestUri.Authority;

                            // if win auth is enabled
                            // we need a cache of request body
                            // so that we can send it after authentication in WinAuthHandler.cs
                            if (isWindowsAuthenticationEnabledAndSupported && request.HasBody)
                                await args.GetRequestBody(cancellationToken);

                            //we need this to syphon out data from connection if API user changes them.

                            // If user requested interception do it
                            await invokeBeforeRequest(args);

                            var response = args.WebSession.Response;

                            if (request.CancelRequest)
                                // syphon out the request body from client before setting the new body
                                await args.SyphonOutBodyAsync(true, cancellationToken);

                                await handleHttpSessionResponse(args);

                                if (!response.KeepAlive)


                            //If prefetch task is available.
                            if (connection == null && prefetchTask != null)
                                connection   = await prefetchTask;
                                prefetchTask = null;

                            // create a new connection if cache key changes.
                            // only gets hit when connection pool is disabled.
                            // or when prefetch task has a unexpectedly different connection.
                            if (connection != null &&
                                (await tcpConnectionFactory.GetConnectionCacheKey(this, args,
                                 != connection.CacheKey))
                                await tcpConnectionFactory.Release(connection);

                                connection = null;

                            //a connection generator task with captured parameters via closure.
                            Func <Task <TcpServerConnection> > generator = () =>
                                                                           tcpConnectionFactory.GetServerConnection(this, args, isConnect: false,
                                                                                                                    applicationProtocol: clientConnection.NegotiatedApplicationProtocol,
                                                                                                                    noCache: false, cancellationToken: cancellationToken);

                            //for connection pool, retry fails until cache is exhausted.
                            var result = await retryPolicy <ServerConnectionException>().ExecuteAsync(async(serverConnection) =>
                                // if upgrading to websocket then relay the request without reading the contents
                                if (request.UpgradeToWebSocket)
                                    await handleWebSocketUpgrade(httpCmd, args, request,
                                                                 response, clientStream, clientStreamWriter,
                                                                 serverConnection, cancellationTokenSource, cancellationToken);
                                    closeServerConnection = true;

                                // construct the web request that we are going to issue on behalf of the client.
                                await handleHttpSessionRequestInternal(serverConnection, args);
                            }, generator, connection);

                            //update connection to latest used
                            connection = result.LatestConnection;

                            //throw if exception happened
                            if (!result.IsSuccess)
                                throw result.Exception;

                            if (!result.Continue)

                            //user requested
                            if (args.WebSession.CloseServerConnection)
                                closeServerConnection = true;

                            // if connection is closing exit
                            if (!response.KeepAlive)
                                closeServerConnection = true;

                            if (cancellationTokenSource.IsCancellationRequested)
                                throw new Exception("Session was terminated by user.");

                            //Get/release server connection for each HTTP session instead of per client connection.
                            //This will be more efficient especially when client is idly holding server connection
                            //between sessions without using it.
                            //Do not release authenticated connections for performance reasons.
                            //Otherwise it will keep authenticating per session.
                            if (EnableConnectionPool && !connection.IsWinAuthenticated)
                                await tcpConnectionFactory.Release(connection);

                                connection = null;
                        catch (Exception e) when(!(e is ProxyHttpException))
                            throw new ProxyHttpException("Error occured whilst handling session request", e, args);
                    catch (Exception e)
                        args.Exception        = e;
                        closeServerConnection = true;
                        await invokeAfterResponse(args);

                await tcpConnectionFactory.Release(connection,

                await tcpConnectionFactory.Release(prefetchTask, closeServerConnection);
Exemple #16
        /// <summary>
        ///     Creates a TCP connection to server
        /// </summary>
        /// <param name="remoteHostName">The remote hostname.</param>
        /// <param name="remotePort">The remote port.</param>
        /// <param name="httpVersion">The http version to use.</param>
        /// <param name="isHttps">Is this a HTTPS request.</param>
        /// <param name="applicationProtocols">The list of HTTPS application level protocol to negotiate if needed.</param>
        /// <param name="isConnect">Is this a CONNECT request.</param>
        /// <param name="proxyServer">The current ProxyServer instance.</param>
        /// <param name="session">The http session.</param>
        /// <param name="upStreamEndPoint">The local upstream endpoint to make request via.</param>
        /// <param name="externalProxy">The external proxy to make request via.</param>
        /// <param name="cancellationToken">The cancellation token for this async task.</param>
        /// <returns></returns>
        private async Task <TcpServerConnection> createServerConnection(string remoteHostName, int remotePort,
                                                                        Version httpVersion, bool isHttps, List <SslApplicationProtocol> applicationProtocols, bool isConnect,
                                                                        ProxyServer proxyServer, SessionEventArgsBase session, IPEndPoint upStreamEndPoint, ExternalProxy externalProxy,
                                                                        CancellationToken cancellationToken)
            //deny connection to proxy end points to avoid infinite connection loop.
            if (server.ProxyEndPoints.Any(x => x.Port == remotePort) &&
                throw new Exception($"A client is making HTTP request to one of the listening ports of this proxy {remoteHostName}:{remotePort}");

            if (externalProxy != null)
                if (server.ProxyEndPoints.Any(x => x.Port == externalProxy.Port) &&
                    throw new Exception($"A client is making HTTP request via external proxy to one of the listening ports of this proxy {remoteHostName}:{remotePort}");

            bool useUpstreamProxy = false;

            // check if external proxy is set for HTTP/HTTPS
            if (externalProxy != null &&
                !(externalProxy.HostName == remoteHostName && externalProxy.Port == remotePort))
                useUpstreamProxy = true;

                // check if we need to ByPass
                if (externalProxy.BypassLocalhost && NetworkHelper.IsLocalIpAddress(remoteHostName))
                    useUpstreamProxy = false;

            TcpClient            tcpClient = null;
            CustomBufferedStream stream    = null;

            SslApplicationProtocol negotiatedApplicationProtocol = default;

                tcpClient = new TcpClient(upStreamEndPoint)
                    ReceiveTimeout    = proxyServer.ConnectionTimeOutSeconds * 1000,
                    SendTimeout       = proxyServer.ConnectionTimeOutSeconds * 1000,
                    SendBufferSize    = proxyServer.BufferSize,
                    ReceiveBufferSize = proxyServer.BufferSize,
                    LingerState       = new LingerOption(true, proxyServer.TcpTimeWaitSeconds)

                //linux has a bug with socket reuse in .net core.
                if (proxyServer.ReuseSocket && RunTime.IsWindows || RunTime.IsRunningOnMono)
                    tcpClient.Client.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.ReuseAddress, true);

                var hostname = useUpstreamProxy ? externalProxy.HostName : remoteHostName;
                var port     = useUpstreamProxy ? externalProxy.Port : remotePort;

                var ipAddresses = await Dns.GetHostAddressesAsync(hostname);

                if (ipAddresses == null || ipAddresses.Length == 0)
                    throw new Exception($"Could not resolve the hostname {hostname}");

                if (session != null)
                    session.TimeLine["Dns Resolved"] = DateTime.Now;

                for (int i = 0; i < ipAddresses.Length; i++)
                        await tcpClient.ConnectAsync(ipAddresses[i], port);

                    catch (Exception e)
                        if (i == ipAddresses.Length - 1)
                            throw new Exception($"Could not establish connection to {hostname}", e);

                if (session != null)
                    session.TimeLine["Connection Established"] = DateTime.Now;

                await proxyServer.InvokeConnectionCreateEvent(tcpClient, false);

                stream = new CustomBufferedStream(tcpClient.GetStream(), proxyServer.BufferPool, proxyServer.BufferSize);

                if (useUpstreamProxy && (isConnect || isHttps))
                    var writer         = new HttpRequestWriter(stream, proxyServer.BufferPool, proxyServer.BufferSize);
                    var connectRequest = new ConnectRequest
                        OriginalUrl = $"{remoteHostName}:{remotePort}",
                        HttpVersion = httpVersion

                    connectRequest.Headers.AddHeader(KnownHeaders.Connection, KnownHeaders.ConnectionKeepAlive);

                    if (!string.IsNullOrEmpty(externalProxy.UserName) && externalProxy.Password != null)
                            HttpHeader.GetProxyAuthorizationHeader(externalProxy.UserName, externalProxy.Password));

                    await writer.WriteRequestAsync(connectRequest, cancellationToken : cancellationToken);

                    string httpStatus = await stream.ReadLineAsync(cancellationToken);

                    Response.ParseResponseLine(httpStatus, out _, out int statusCode, out string statusDescription);

                    if (statusCode != 200 && !statusDescription.EqualsIgnoreCase("OK") &&
                        !statusDescription.EqualsIgnoreCase("Connection Established"))
                        throw new Exception("Upstream proxy failed to create a secure tunnel");

                    await stream.ReadAndIgnoreAllLinesAsync(cancellationToken);

                if (isHttps)
                    var sslStream = new SslStream(stream, false, proxyServer.ValidateServerCertificate,
                    stream = new CustomBufferedStream(sslStream, proxyServer.BufferPool, proxyServer.BufferSize);

                    var options = new SslClientAuthenticationOptions
                        ApplicationProtocols           = applicationProtocols,
                        TargetHost                     = remoteHostName,
                        ClientCertificates             = null,
                        EnabledSslProtocols            = proxyServer.SupportedSslProtocols,
                        CertificateRevocationCheckMode = proxyServer.CheckCertificateRevocation
                    await sslStream.AuthenticateAsClientAsync(options, cancellationToken);

                    negotiatedApplicationProtocol = sslStream.NegotiatedApplicationProtocol;

                    if (session != null)
                        session.TimeLine["HTTPS Established"] = DateTime.Now;
            catch (Exception)

            return(new TcpServerConnection(proxyServer, tcpClient)
                UpStreamProxy = externalProxy,
                UpStreamEndPoint = upStreamEndPoint,
                HostName = remoteHostName,
                Port = remotePort,
                IsHttps = isHttps,
                NegotiatedApplicationProtocol = negotiatedApplicationProtocol,
                UseUpstreamProxy = useUpstreamProxy,
                StreamWriter = new HttpRequestWriter(stream, proxyServer.BufferPool, proxyServer.BufferSize),
                Stream = stream,
                Version = httpVersion
Exemple #17
        /// <summary>
        ///     This is called when client is aware of proxy
        ///     So for HTTPS requests client would send CONNECT header to negotiate a secure tcp tunnel via proxy
        /// </summary>
        /// <param name="endPoint">The explicit endpoint.</param>
        /// <param name="clientConnection">The client connection.</param>
        /// <returns>The task.</returns>
        private async Task HandleClient(ExplicitProxyEndPoint endPoint, TcpClientConnection clientConnection)
            var cancellationTokenSource = new CancellationTokenSource();
            var cancellationToken       = cancellationTokenSource.Token;

            var clientStream = new CustomBufferedStream(clientConnection.GetStream(), BufferSize);

            var clientStreamWriter = new HttpResponseWriter(clientStream, BufferSize);

                string connectHostname = null;
                TunnelConnectSessionEventArgs connectArgs = null;

                // Client wants to create a secure tcp tunnel (probably its a HTTPS or Websocket request)
                if (await HttpHelper.IsConnectMethod(clientStream) == 1)
                    // read the first line HTTP command
                    string httpCmd = await clientStream.ReadLineAsync(cancellationToken);

                    if (string.IsNullOrEmpty(httpCmd))

                    Request.ParseRequestLine(httpCmd, out string _, out string httpUrl, out var version);

                    var httpRemoteUri = new Uri("http://" + httpUrl);
                    connectHostname = httpRemoteUri.Host;

                    var connectRequest = new ConnectRequest
                        RequestUri  = httpRemoteUri,
                        OriginalUrl = httpUrl,
                        HttpVersion = version

                    await HeaderParser.ReadHeaders(clientStream, connectRequest.Headers, cancellationToken);

                    connectArgs = new TunnelConnectSessionEventArgs(BufferSize, endPoint, connectRequest,
                                                                    cancellationTokenSource, ExceptionFunc);
                    connectArgs.ProxyClient.ClientConnection = clientConnection;
                    connectArgs.ProxyClient.ClientStream     = clientStream;

                    await endPoint.InvokeBeforeTunnelConnectRequest(this, connectArgs, ExceptionFunc);

                    // filter out excluded host names
                    bool decryptSsl = endPoint.DecryptSsl && connectArgs.DecryptSsl;

                    if (connectArgs.DenyConnect)
                        if (connectArgs.WebSession.Response.StatusCode == 0)
                            connectArgs.WebSession.Response = new Response
                                HttpVersion       = HttpHeader.Version11,
                                StatusCode        = (int)HttpStatusCode.Forbidden,
                                StatusDescription = "Forbidden"

                        // send the response
                        await clientStreamWriter.WriteResponseAsync(connectArgs.WebSession.Response,
                                                                    cancellationToken : cancellationToken);


                    if (await CheckAuthorization(connectArgs) == false)
                        await endPoint.InvokeBeforeTunnectConnectResponse(this, connectArgs, ExceptionFunc);

                        // send the response
                        await clientStreamWriter.WriteResponseAsync(connectArgs.WebSession.Response,
                                                                    cancellationToken : cancellationToken);


                    // write back successfull CONNECT response
                    var response = ConnectResponse.CreateSuccessfullConnectResponse(version);

                    // Set ContentLength explicitly to properly handle HTTP 1.0
                    response.ContentLength = 0;
                    connectArgs.WebSession.Response = response;

                    await clientStreamWriter.WriteResponseAsync(response, cancellationToken : cancellationToken);

                    var clientHelloInfo = await SslTools.PeekClientHello(clientStream, cancellationToken);

                    bool isClientHello = clientHelloInfo != null;
                    if (isClientHello)
                        connectRequest.ClientHelloInfo = clientHelloInfo;

                    await endPoint.InvokeBeforeTunnectConnectResponse(this, connectArgs, ExceptionFunc, isClientHello);

                    if (decryptSsl && isClientHello)
                        connectRequest.RequestUri = new Uri("https://" + httpUrl);

                        bool http2Supproted = false;

                        var alpn = clientHelloInfo.GetAlpn();
                        if (alpn != null && alpn.Contains(SslApplicationProtocol.Http2))
                            // test server HTTP/2 support
                            // todo: this is a hack, because Titanium does not support HTTP protocol changing currently
                            var connection = await GetServerConnection(connectArgs, true,
                                                                       SslExtensions.Http2ProtocolAsList, cancellationToken);

                            http2Supproted = connection.NegotiatedApplicationProtocol == SslApplicationProtocol.Http2;
                            tcpConnectionFactory.Release(connection, true);

                        SslStream sslStream = null;

                            sslStream = new SslStream(clientStream);

                            string certName = HttpHelper.GetWildCardDomainName(connectHostname);

                            var certificate = endPoint.GenericCertificate ??
                                              await CertificateManager.CreateCertificateAsync(certName);

                            // Successfully managed to authenticate the client using the fake certificate
                            var options = new SslServerAuthenticationOptions();
                            if (http2Supproted)
                                options.ApplicationProtocols = clientHelloInfo.GetAlpn();
                                if (options.ApplicationProtocols == null || options.ApplicationProtocols.Count == 0)
                                    options.ApplicationProtocols = SslExtensions.Http11ProtocolAsList;

                            options.ServerCertificate              = certificate;
                            options.ClientCertificateRequired      = false;
                            options.EnabledSslProtocols            = SupportedSslProtocols;
                            options.CertificateRevocationCheckMode = X509RevocationMode.NoCheck;
                            await sslStream.AuthenticateAsServerAsync(options, cancellationToken);

                            clientConnection.NegotiatedApplicationProtocol = sslStream.NegotiatedApplicationProtocol;

                            // HTTPS server created - we can now decrypt the client's traffic
                            clientStream       = new CustomBufferedStream(sslStream, BufferSize);
                            clientStreamWriter = new HttpResponseWriter(clientStream, BufferSize);
                        catch (Exception e)
                            throw new ProxyConnectException(
                                      $"Could'nt authenticate client '{connectHostname}' with fake certificate.", e, connectArgs);

                        if (await HttpHelper.IsConnectMethod(clientStream) == -1)
                            decryptSsl = false;

                    if (cancellationTokenSource.IsCancellationRequested)
                        throw new Exception("Session was terminated by user.");

                    // Hostname is excluded or it is not an HTTPS connect
                    if (!decryptSsl || !isClientHello)
                        // create new connection
                        var connection = await GetServerConnection(connectArgs, true,
                                                                   clientConnection.NegotiatedApplicationProtocol, cancellationToken);

                        if (isClientHello)
                            int available = clientStream.Available;
                            if (available > 0)
                                // send the buffered data
                                var data = BufferPool.GetBuffer(BufferSize);

                                    // clientStream.Available sbould be at most BufferSize because it is using the same buffer size
                                    await clientStream.ReadAsync(data, 0, available, cancellationToken);

                                    await connection.StreamWriter.WriteAsync(data, 0, available, true,

                            var serverHelloInfo =
                                await SslTools.PeekServerHello(connection.Stream, cancellationToken);

                            ((ConnectResponse)connectArgs.WebSession.Response).ServerHelloInfo = serverHelloInfo;

                        await TcpHelper.SendRaw(clientStream, connection.Stream, BufferSize,
                                                (buffer, offset, count) => { connectArgs.OnDataSent(buffer, offset, count); },
                                                (buffer, offset, count) => { connectArgs.OnDataReceived(buffer, offset, count); },
                                                connectArgs.CancellationTokenSource, ExceptionFunc);

                        tcpConnectionFactory.Release(connection, true);

                if (connectArgs != null && await HttpHelper.IsPriMethod(clientStream) == 1)
                    // todo
                    string httpCmd = await clientStream.ReadLineAsync(cancellationToken);

                    if (httpCmd == "PRI * HTTP/2.0")
                        // HTTP/2 Connection Preface
                        string line = await clientStream.ReadLineAsync(cancellationToken);

                        if (line != string.Empty)
                            throw new Exception($"HTTP/2 Protocol violation. Empty string expected, '{line}' received");

                        line = await clientStream.ReadLineAsync(cancellationToken);

                        if (line != "SM")
                            throw new Exception($"HTTP/2 Protocol violation. 'SM' expected, '{line}' received");

                        line = await clientStream.ReadLineAsync(cancellationToken);

                        if (line != string.Empty)
                            throw new Exception($"HTTP/2 Protocol violation. Empty string expected, '{line}' received");

                        // create new connection
                        var connection = await GetServerConnection(connectArgs, true, SslExtensions.Http2ProtocolAsList,

                        await connection.StreamWriter.WriteLineAsync("PRI * HTTP/2.0", cancellationToken);

                        await connection.StreamWriter.WriteLineAsync(cancellationToken);

                        await connection.StreamWriter.WriteLineAsync("SM", cancellationToken);

                        await connection.StreamWriter.WriteLineAsync(cancellationToken);

                        await Http2Helper.SendHttp2(clientStream, connection.Stream, BufferSize,
                                                    (buffer, offset, count) => { connectArgs.OnDataSent(buffer, offset, count); },
                                                    (buffer, offset, count) => { connectArgs.OnDataReceived(buffer, offset, count); },
                                                    connectArgs.CancellationTokenSource, clientConnection.Id, ExceptionFunc);
                        tcpConnectionFactory.Release(connection, true);

                // Now create the request
                await HandleHttpSessionRequest(endPoint, clientConnection, clientStream, clientStreamWriter,
                                               cancellationTokenSource, connectHostname, connectArgs?.WebSession.ConnectRequest);
            catch (ProxyException e)
                OnException(clientStream, e);
            catch (IOException e)
                OnException(clientStream, new Exception("Connection was aborted", e));
            catch (SocketException e)
                OnException(clientStream, new Exception("Could not connect", e));
            catch (Exception e)
                OnException(clientStream, new Exception("Error occured in whilst handling the client", e));
                if (!cancellationTokenSource.IsCancellationRequested)
Exemple #18
        /// <summary>
        ///     This is called when this proxy acts as a reverse proxy (like a real http server).
        ///     So for HTTPS requests we would start SSL negotiation right away without expecting a CONNECT request from client
        /// </summary>
        /// <param name="endPoint">The transparent endpoint.</param>
        /// <param name="clientConnection">The client connection.</param>
        /// <returns></returns>
        private async Task handleClient(TransparentProxyEndPoint endPoint, TcpClientConnection clientConnection)
            var cancellationTokenSource = new CancellationTokenSource();
            var cancellationToken       = cancellationTokenSource.Token;

            var clientStream       = new CustomBufferedStream(clientConnection.GetStream(), BufferPool, BufferSize);
            var clientStreamWriter = new HttpResponseWriter(clientStream, BufferPool, BufferSize);

            Task <TcpServerConnection> prefetchConnectionTask = null;
            bool closeServerConnection = false;
            bool calledRequestHandler  = false;

                var clientHelloInfo = await SslTools.PeekClientHello(clientStream, BufferPool, cancellationToken);

                bool   isHttps       = clientHelloInfo != null;
                string httpsHostName = null;

                if (isHttps)
                    httpsHostName = clientHelloInfo.GetServerName() ?? endPoint.GenericCertificateName;

                    var args = new BeforeSslAuthenticateEventArgs(cancellationTokenSource)
                        SniHostName = httpsHostName

                    await endPoint.InvokeBeforeSslAuthenticate(this, args, ExceptionFunc);

                    if (cancellationTokenSource.IsCancellationRequested)
                        throw new Exception("Session was terminated by user.");

                    if (endPoint.DecryptSsl && args.DecryptSsl)
                        if (EnableTcpServerConnectionPrefetch)
                            //don't pass cancellation token here
                            //it could cause floating server connections when client exits
                            prefetchConnectionTask = tcpConnectionFactory.GetServerConnection(httpsHostName, endPoint.Port,
                                                                                              httpVersion: null, isHttps: true, applicationProtocols: null, isConnect: false,
                                                                                              proxyServer: this, upStreamEndPoint: UpStreamEndPoint, externalProxy: UpStreamHttpsProxy,
                                                                                              noCache: false, cancellationToken: CancellationToken.None);

                        SslStream sslStream = null;

                        //do client authentication using fake certificate
                            sslStream = new SslStream(clientStream);

                            string certName    = HttpHelper.GetWildCardDomainName(httpsHostName);
                            var    certificate = await CertificateManager.CreateCertificateAsync(certName);

                            // Successfully managed to authenticate the client using the fake certificate
                            await sslStream.AuthenticateAsServerAsync(certificate, false, SslProtocols.Tls, false);

                            // HTTPS server created - we can now decrypt the client's traffic
                            clientStream = new CustomBufferedStream(sslStream, BufferPool, BufferSize);

                            clientStreamWriter = new HttpResponseWriter(clientStream, BufferPool, BufferSize);
                        catch (Exception e)
                            throw new ProxyConnectException(
                                      $"Could'nt authenticate client '{httpsHostName}' with fake certificate.", e, null);
                        var connection = await tcpConnectionFactory.GetServerConnection(httpsHostName, endPoint.Port,
                                                                                        httpVersion : null, isHttps : false, applicationProtocols : null,
                                                                                        isConnect : true, proxyServer : this, upStreamEndPoint : UpStreamEndPoint,
                                                                                        externalProxy : UpStreamHttpsProxy, noCache : true, cancellationToken : cancellationToken);

                            CustomBufferedStream serverStream = null;
                            int available = clientStream.Available;

                            if (available > 0)
                                // send the buffered data
                                var data = BufferPool.GetBuffer(BufferSize);
                                    // clientStream.Available sbould be at most BufferSize because it is using the same buffer size
                                    await clientStream.ReadAsync(data, 0, available, cancellationToken);

                                    serverStream = connection.Stream;
                                    await serverStream.WriteAsync(data, 0, available, cancellationToken);

                                    await serverStream.FlushAsync(cancellationToken);

                            await TcpHelper.SendRaw(clientStream, serverStream, BufferPool, BufferSize,
                                                    null, null, cancellationTokenSource, ExceptionFunc);
                            await tcpConnectionFactory.Release(connection, true);

                calledRequestHandler = true;
                // HTTPS server created - we can now decrypt the client's traffic
                // Now create the request
                await handleHttpSessionRequest(endPoint, clientConnection, clientStream, clientStreamWriter,
                                               cancellationTokenSource, isHttps?httpsHostName : null, null, prefetchConnectionTask);
            catch (ProxyException e)
                closeServerConnection = true;
                onException(clientStream, e);
            catch (IOException e)
                closeServerConnection = true;
                onException(clientStream, new Exception("Connection was aborted", e));
            catch (SocketException e)
                closeServerConnection = true;
                onException(clientStream, new Exception("Could not connect", e));
            catch (Exception e)
                closeServerConnection = true;
                onException(clientStream, new Exception("Error occured in whilst handling the client", e));
                if (!calledRequestHandler)
                    await tcpConnectionFactory.Release(prefetchConnectionTask, closeServerConnection);


                if (!cancellationTokenSource.IsCancellationRequested)
Exemple #19
        public static async Task <ClientHelloInfo> PeekClientHello(CustomBufferedStream clientStream)
            //detects the HTTPS ClientHello message as it is described in the following url:

            int recordType = await clientStream.PeekByteAsync(0);

            if ((recordType & 0x80) == 0x80)
                //SSL 2
                var peekStream = new CustomBufferedPeekStream(clientStream, 1);

                // length value + minimum length
                if (!await peekStream.EnsureBufferLength(10))

                int length = ((recordType & 0x7f) << 8) + peekStream.ReadByte();
                if (length < 9)
                    // Message body too short.

                if (peekStream.ReadByte() != 0x01)
                    // should be ClientHello

                int majorVersion = peekStream.ReadByte();
                int minorVersion = peekStream.ReadByte();

                int ciphersCount    = peekStream.ReadInt16() / 3;
                int sessionIdLength = peekStream.ReadInt16();
                int randomLength    = peekStream.ReadInt16();

                if (!await peekStream.EnsureBufferLength(ciphersCount * 3 + sessionIdLength + randomLength))

                int[] ciphers = new int[ciphersCount];
                for (int i = 0; i < ciphers.Length; i++)
                    ciphers[i] = (peekStream.ReadByte() << 16) + (peekStream.ReadByte() << 8) + peekStream.ReadByte();

                byte[] sessionId = peekStream.ReadBytes(sessionIdLength);
                byte[] random    = peekStream.ReadBytes(randomLength);

                var clientHelloInfo = new ClientHelloInfo
                    HandshakeVersion  = 2,
                    MajorVersion      = majorVersion,
                    MinorVersion      = minorVersion,
                    Random            = random,
                    SessionId         = sessionId,
                    Ciphers           = ciphers,
                    ClientHelloLength = peekStream.Position,

            else if (recordType == 0x16)
                var peekStream = new CustomBufferedPeekStream(clientStream, 1);

                //should contain at least 43 bytes
                // 2 version + 2 length + 1 type + 3 length(?) + 2 version +  32 random + 1 sessionid length
                if (!await peekStream.EnsureBufferLength(43))

                //SSL 3.0 or TLS 1.0, 1.1 and 1.2
                int majorVersion = peekStream.ReadByte();
                int minorVersion = peekStream.ReadByte();

                int length = peekStream.ReadInt16();

                if (peekStream.ReadByte() != 0x01)
                    // should be ClientHello

                length = peekStream.ReadInt24();

                majorVersion = peekStream.ReadByte();
                minorVersion = peekStream.ReadByte();

                byte[] random = peekStream.ReadBytes(32);
                length = peekStream.ReadByte();

                // sessionid + 2 ciphersData length
                if (!await peekStream.EnsureBufferLength(length + 2))

                byte[] sessionId = peekStream.ReadBytes(length);

                length = peekStream.ReadInt16();

                // ciphersData + compressionData length
                if (!await peekStream.EnsureBufferLength(length + 1))

                byte[] ciphersData = peekStream.ReadBytes(length);
                int[]  ciphers     = new int[ciphersData.Length / 2];
                for (int i = 0; i < ciphers.Length; i++)
                    ciphers[i] = (ciphersData[2 * i] << 8) + ciphersData[2 * i + 1];

                length = peekStream.ReadByte();
                if (length < 1)

                // compressionData
                if (!await peekStream.EnsureBufferLength(length))

                byte[] compressionData = peekStream.ReadBytes(length);

                int extenstionsStartPosition = peekStream.Position;

                var extensions = await ReadExtensions(majorVersion, minorVersion, peekStream);

                var clientHelloInfo = new ClientHelloInfo
                    HandshakeVersion        = 3,
                    MajorVersion            = majorVersion,
                    MinorVersion            = minorVersion,
                    Random                  = random,
                    SessionId               = sessionId,
                    Ciphers                 = ciphers,
                    CompressionData         = compressionData,
                    ClientHelloLength       = peekStream.Position,
                    EntensionsStartPosition = extenstionsStartPosition,
                    Extensions              = extensions,


        /// <summary>
        ///     This is called when client is aware of proxy
        ///     So for HTTPS requests client would send CONNECT header to negotiate a secure tcp tunnel via proxy
        /// </summary>
        /// <param name="endPoint">The explicit endpoint.</param>
        /// <param name="clientConnection">The client connection.</param>
        /// <returns>The task.</returns>
        private async Task handleClient(ExplicitProxyEndPoint endPoint, TcpClientConnection clientConnection)
            var cancellationTokenSource = new CancellationTokenSource();
            var cancellationToken       = cancellationTokenSource.Token;

            var clientStream       = new CustomBufferedStream(clientConnection.GetStream(), BufferPool);
            var clientStreamWriter = new HttpResponseWriter(clientStream, BufferPool);

            Task <TcpServerConnection> prefetchConnectionTask = null;
            bool closeServerConnection = false;
            bool calledRequestHandler  = false;

            SslStream sslStream = null;

                string connectHostname = null;
                TunnelConnectSessionEventArgs connectArgs = null;

                // Client wants to create a secure tcp tunnel (probably its a HTTPS or Websocket request)
                if (await HttpHelper.IsConnectMethod(clientStream, BufferPool, cancellationToken) == 1)
                    // read the first line HTTP command
                    string httpCmd = await clientStream.ReadLineAsync(cancellationToken);

                    if (string.IsNullOrEmpty(httpCmd))

                    Request.ParseRequestLine(httpCmd, out string _, out string httpUrl, out var version);

                    var httpRemoteUri = new Uri("http://" + httpUrl);
                    connectHostname = httpRemoteUri.Host;

                    var connectRequest = new ConnectRequest
                        RequestUri  = httpRemoteUri,
                        OriginalUrl = httpUrl,
                        HttpVersion = version

                    await HeaderParser.ReadHeaders(clientStream, connectRequest.Headers, cancellationToken);

                    connectArgs = new TunnelConnectSessionEventArgs(this, endPoint, connectRequest,
                    clientStream.DataRead               += (o, args) => connectArgs.OnDataSent(args.Buffer, args.Offset, args.Count);
                    clientStream.DataWrite              += (o, args) => connectArgs.OnDataReceived(args.Buffer, args.Offset, args.Count);
                    connectArgs.ProxyClient.Connection   = clientConnection;
                    connectArgs.ProxyClient.ClientStream = clientStream;

                    await endPoint.InvokeBeforeTunnelConnectRequest(this, connectArgs, ExceptionFunc);

                    // filter out excluded host names
                    bool decryptSsl = endPoint.DecryptSsl && connectArgs.DecryptSsl;

                    if (connectArgs.DenyConnect)
                        if (connectArgs.HttpClient.Response.StatusCode == 0)
                            connectArgs.HttpClient.Response = new Response
                                HttpVersion       = HttpHeader.Version11,
                                StatusCode        = (int)HttpStatusCode.Forbidden,
                                StatusDescription = "Forbidden"

                        // send the response
                        await clientStreamWriter.WriteResponseAsync(connectArgs.HttpClient.Response,
                                                                    cancellationToken : cancellationToken);


                    if (await checkAuthorization(connectArgs) == false)
                        await endPoint.InvokeBeforeTunnelConnectResponse(this, connectArgs, ExceptionFunc);

                        // send the response
                        await clientStreamWriter.WriteResponseAsync(connectArgs.HttpClient.Response,
                                                                    cancellationToken : cancellationToken);


                    // write back successful CONNECT response
                    var response = ConnectResponse.CreateSuccessfulConnectResponse(version);

                    // Set ContentLength explicitly to properly handle HTTP 1.0
                    response.ContentLength = 0;
                    connectArgs.HttpClient.Response = response;

                    await clientStreamWriter.WriteResponseAsync(response, cancellationToken : cancellationToken);

                    var clientHelloInfo = await SslTools.PeekClientHello(clientStream, BufferPool, cancellationToken);

                    bool isClientHello = clientHelloInfo != null;
                    if (isClientHello)
                        connectRequest.TunnelType      = TunnelType.Https;
                        connectRequest.ClientHelloInfo = clientHelloInfo;

                    await endPoint.InvokeBeforeTunnelConnectResponse(this, connectArgs, ExceptionFunc, isClientHello);

                    if (decryptSsl && isClientHello)
                        clientConnection.SslProtocol = clientHelloInfo.SslProtocol;
                        connectRequest.RequestUri    = new Uri("https://" + httpUrl);

                        bool http2Supported = false;

                        var alpn = clientHelloInfo.GetAlpn();
                        if (alpn != null && alpn.Contains(SslApplicationProtocol.Http2))
                            // test server HTTP/2 support
                                // todo: this is a hack, because Titanium does not support HTTP protocol changing currently
                                var connection = await tcpConnectionFactory.GetServerConnection(this, connectArgs,
                                                                                                isConnect : true, applicationProtocols : SslExtensions.Http2ProtocolAsList,
                                                                                                noCache : true, cancellationToken : cancellationToken);

                                http2Supported = connection.NegotiatedApplicationProtocol ==

                                // release connection back to pool instead of closing when connection pool is enabled.
                                await tcpConnectionFactory.Release(connection, true);
                            catch (Exception)
                                // ignore

                        if (EnableTcpServerConnectionPrefetch)
                            IPAddress[] ipAddresses = null;
                                // make sure the host can be resolved before creating the prefetch task
                                ipAddresses = await Dns.GetHostAddressesAsync(connectArgs.HttpClient.Request.RequestUri.Host);
                            catch (SocketException) { }

                            if (ipAddresses != null && ipAddresses.Length > 0)
                                // don't pass cancellation token here
                                // it could cause floating server connections when client exits
                                prefetchConnectionTask = tcpConnectionFactory.GetServerConnection(this, connectArgs,
                                                                                                  isConnect: true, applicationProtocols: null, noCache: false,
                                                                                                  cancellationToken: CancellationToken.None);

                        X509Certificate2 certificate = null;
                            sslStream = new SslStream(clientStream, false);

                            string certName = HttpHelper.GetWildCardDomainName(connectHostname);
                            certificate = endPoint.GenericCertificate ??
                                          await CertificateManager.CreateServerCertificate(certName);

                            // Successfully managed to authenticate the client using the fake certificate
                            var options = new SslServerAuthenticationOptions();
                            if (EnableHttp2 && http2Supported)
                                options.ApplicationProtocols = clientHelloInfo.GetAlpn();
                                if (options.ApplicationProtocols == null || options.ApplicationProtocols.Count == 0)
                                    options.ApplicationProtocols = SslExtensions.Http11ProtocolAsList;

                            options.ServerCertificate              = certificate;
                            options.ClientCertificateRequired      = false;
                            options.EnabledSslProtocols            = SupportedSslProtocols;
                            options.CertificateRevocationCheckMode = X509RevocationMode.NoCheck;
                            await sslStream.AuthenticateAsServerAsync(options, cancellationToken);

                            clientConnection.NegotiatedApplicationProtocol = sslStream.NegotiatedApplicationProtocol;

                            // HTTPS server created - we can now decrypt the client's traffic
                            clientStream            = new CustomBufferedStream(sslStream, BufferPool);
                            clientStream.DataRead  += (o, args) => connectArgs.OnDecryptedDataSent(args.Buffer, args.Offset, args.Count);
                            clientStream.DataWrite += (o, args) => connectArgs.OnDecryptedDataReceived(args.Buffer, args.Offset, args.Count);
                            clientStreamWriter      = new HttpResponseWriter(clientStream, BufferPool);
                        catch (Exception e)
                            var certName = certificate?.GetNameInfo(X509NameType.SimpleName, false);
                            throw new ProxyConnectException(
                                      $"Couldn't authenticate host '{connectHostname}' with certificate '{certName}'.", e, connectArgs);

                        if (await HttpHelper.IsConnectMethod(clientStream, BufferPool, cancellationToken) == -1)
                            decryptSsl = false;

                        if (!decryptSsl)
                            await tcpConnectionFactory.Release(prefetchConnectionTask, true);

                            prefetchConnectionTask = null;

                    if (cancellationTokenSource.IsCancellationRequested)
                        throw new Exception("Session was terminated by user.");

                    // Hostname is excluded or it is not an HTTPS connect
                    if (!decryptSsl || !isClientHello)
                        if (!isClientHello)
                            connectRequest.TunnelType = TunnelType.Websocket;

                        // create new connection to server.
                        // If we detected that client tunnel CONNECTs without SSL by checking for empty client hello then
                        // this connection should not be HTTPS.
                        var connection = await tcpConnectionFactory.GetServerConnection(this, connectArgs,
                                                                                        isConnect : true, applicationProtocols : SslExtensions.Http2ProtocolAsList,
                                                                                        noCache : true, cancellationToken : cancellationToken);

                            if (isClientHello)
                                int available = clientStream.Available;
                                if (available > 0)
                                    // send the buffered data
                                    var data = BufferPool.GetBuffer();

                                        // clientStream.Available should be at most BufferSize because it is using the same buffer size
                                        await clientStream.ReadAsync(data, 0, available, cancellationToken);

                                        await connection.StreamWriter.WriteAsync(data, 0, available, true, cancellationToken);

                                var serverHelloInfo = await SslTools.PeekServerHello(connection.Stream, BufferPool, cancellationToken);

                                ((ConnectResponse)connectArgs.HttpClient.Response).ServerHelloInfo = serverHelloInfo;

                            if (!clientStream.IsClosed && !connection.Stream.IsClosed)
                                await TcpHelper.SendRaw(clientStream, connection.Stream, BufferPool,
                                                        null, null, connectArgs.CancellationTokenSource, ExceptionFunc);
                            await tcpConnectionFactory.Release(connection, true);


                if (connectArgs != null && await HttpHelper.IsPriMethod(clientStream, BufferPool, cancellationToken) == 1)
                    // todo
                    string httpCmd = await clientStream.ReadLineAsync(cancellationToken);

                    if (httpCmd == "PRI * HTTP/2.0")
                        connectArgs.HttpClient.ConnectRequest.TunnelType = TunnelType.Http2;

                        // HTTP/2 Connection Preface
                        string line = await clientStream.ReadLineAsync(cancellationToken);

                        if (line != string.Empty)
                            throw new Exception($"HTTP/2 Protocol violation. Empty string expected, '{line}' received");

                        line = await clientStream.ReadLineAsync(cancellationToken);

                        if (line != "SM")
                            throw new Exception($"HTTP/2 Protocol violation. 'SM' expected, '{line}' received");

                        line = await clientStream.ReadLineAsync(cancellationToken);

                        if (line != string.Empty)
                            throw new Exception($"HTTP/2 Protocol violation. Empty string expected, '{line}' received");

                        var connection = await tcpConnectionFactory.GetServerConnection(this, connectArgs,
                                                                                        isConnect : true, applicationProtocols : SslExtensions.Http2ProtocolAsList,
                                                                                        noCache : true, cancellationToken : cancellationToken);

                            await connection.StreamWriter.WriteLineAsync("PRI * HTTP/2.0", cancellationToken);

                            await connection.StreamWriter.WriteLineAsync(cancellationToken);

                            await connection.StreamWriter.WriteLineAsync("SM", cancellationToken);

                            await connection.StreamWriter.WriteLineAsync(cancellationToken);

                            await Http2Helper.SendHttp2(clientStream, connection.Stream,
                                                        () => new SessionEventArgs(this, endPoint, cancellationTokenSource)
                                ProxyClient = { Connection = clientConnection },
                                HttpClient  = { ConnectRequest = connectArgs?.HttpClient.ConnectRequest },
                                UserData    = connectArgs?.UserData
                                                        async args => { await onBeforeRequest(args); },
                                                        async args => { await onBeforeResponse(args); },
                                                        connectArgs.CancellationTokenSource, clientConnection.Id, ExceptionFunc);
                            await tcpConnectionFactory.Release(connection, true);

                calledRequestHandler = true;

                // Now create the request
                await handleHttpSessionRequest(endPoint, clientConnection, clientStream, clientStreamWriter,
                                               cancellationTokenSource, connectHostname, connectArgs, prefetchConnectionTask);
            catch (ProxyException e)
                closeServerConnection = true;
                onException(clientStream, e);
            catch (IOException e)
                closeServerConnection = true;
                onException(clientStream, new Exception("Connection was aborted", e));
            catch (SocketException e)
                closeServerConnection = true;
                onException(clientStream, new Exception("Could not connect", e));
            catch (Exception e)
                closeServerConnection = true;
                onException(clientStream, new Exception("Error occured in whilst handling the client", e));
                if (!calledRequestHandler)
                    await tcpConnectionFactory.Release(prefetchConnectionTask, closeServerConnection);


                if (!cancellationTokenSource.IsCancellationRequested)
Exemple #21
        public static async Task <ServerHelloInfo> PeekServerHello(CustomBufferedStream serverStream)
            //detects the HTTPS ClientHello message as it is described in the following url:

            int recordType = await serverStream.PeekByteAsync(0);

            if ((recordType & 0x80) == 0x80)
                //SSL 2
                // not tested. SSL2 is deprecated
                var peekStream = new CustomBufferedPeekStream(serverStream, 1);

                // length value + minimum length
                if (!await peekStream.EnsureBufferLength(39))

                int length = ((recordType & 0x7f) << 8) + peekStream.ReadByte();
                if (length < 38)
                    // Message body too short.

                if (peekStream.ReadByte() != 0x04)
                    // should be ServerHello

                int majorVersion = peekStream.ReadByte();
                int minorVersion = peekStream.ReadByte();

                // 32 bytes random + 1 byte sessionId + 2 bytes cipherSuite
                if (!await peekStream.EnsureBufferLength(35))

                byte[] random      = peekStream.ReadBytes(32);
                byte[] sessionId   = peekStream.ReadBytes(1);
                int    cipherSuite = peekStream.ReadInt16();

                var serverHelloInfo = new ServerHelloInfo
                    HandshakeVersion  = 2,
                    MajorVersion      = majorVersion,
                    MinorVersion      = minorVersion,
                    Random            = random,
                    SessionId         = sessionId,
                    CipherSuite       = cipherSuite,
                    ServerHelloLength = peekStream.Position,

            else if (recordType == 0x16)
                var peekStream = new CustomBufferedPeekStream(serverStream, 1);

                //should contain at least 43 bytes
                // 2 version + 2 length + 1 type + 3 length(?) + 2 version +  32 random + 1 sessionid length
                if (!await peekStream.EnsureBufferLength(43))

                //SSL 3.0 or TLS 1.0, 1.1 and 1.2
                int majorVersion = peekStream.ReadByte();
                int minorVersion = peekStream.ReadByte();

                int length = peekStream.ReadInt16();

                if (peekStream.ReadByte() != 0x02)
                    // should be ServerHello

                length = peekStream.ReadInt24();

                majorVersion = peekStream.ReadByte();
                minorVersion = peekStream.ReadByte();

                byte[] random = peekStream.ReadBytes(32);
                length = peekStream.ReadByte();

                // sessionid + cipherSuite + compressionMethod
                if (!await peekStream.EnsureBufferLength(length + 2 + 1))

                byte[] sessionId = peekStream.ReadBytes(length);

                int  cipherSuite       = peekStream.ReadInt16();
                byte compressionMethod = peekStream.ReadByte();

                int extenstionsStartPosition = peekStream.Position;

                var extensions = await ReadExtensions(majorVersion, minorVersion, peekStream);

                //var rawBytes = new CustomBufferedPeekStream(serverStream).ReadBytes(peekStream.Position);

                var serverHelloInfo = new ServerHelloInfo
                    HandshakeVersion        = 3,
                    MajorVersion            = majorVersion,
                    MinorVersion            = minorVersion,
                    Random                  = random,
                    SessionId               = sessionId,
                    CipherSuite             = cipherSuite,
                    CompressionMethod       = compressionMethod,
                    ServerHelloLength       = peekStream.Position,
                    EntensionsStartPosition = extenstionsStartPosition,
                    Extensions              = extensions,


Exemple #22
        /// <summary>
        ///     Creates a TCP connection to server
        /// </summary>
        /// <param name="remoteHostName">The remote hostname.</param>
        /// <param name="remotePort">The remote port.</param>
        /// <param name="httpVersion">The http version to use.</param>
        /// <param name="isHttps">Is this a HTTPS request.</param>
        /// <param name="sslProtocol">The SSL protocol.</param>
        /// <param name="applicationProtocols">The list of HTTPS application level protocol to negotiate if needed.</param>
        /// <param name="isConnect">Is this a CONNECT request.</param>
        /// <param name="proxyServer">The current ProxyServer instance.</param>
        /// <param name="session">The http session.</param>
        /// <param name="upStreamEndPoint">The local upstream endpoint to make request via.</param>
        /// <param name="externalProxy">The external proxy to make request via.</param>
        /// <param name="cancellationToken">The cancellation token for this async task.</param>
        /// <returns></returns>
        private async Task <TcpServerConnection> createServerConnection(string remoteHostName, int remotePort,
                                                                        Version httpVersion, bool isHttps, SslProtocols sslProtocol, List <SslApplicationProtocol>?applicationProtocols, bool isConnect,
                                                                        ProxyServer proxyServer, SessionEventArgsBase?session, IPEndPoint upStreamEndPoint, ExternalProxy?externalProxy,
                                                                        CancellationToken cancellationToken)
            // deny connection to proxy end points to avoid infinite connection loop.
            if (Server.ProxyEndPoints.Any(x => x.Port == remotePort) &&
                throw new Exception($"A client is making HTTP request to one of the listening ports of this proxy {remoteHostName}:{remotePort}");

            if (externalProxy != null)
                if (Server.ProxyEndPoints.Any(x => x.Port == externalProxy.Port) &&
                    throw new Exception($"A client is making HTTP request via external proxy to one of the listening ports of this proxy {remoteHostName}:{remotePort}");

            bool useUpstreamProxy = false;

            // check if external proxy is set for HTTP/HTTPS
            if (externalProxy != null &&
                !(externalProxy.HostName == remoteHostName && externalProxy.Port == remotePort))
                useUpstreamProxy = true;

                // check if we need to ByPass
                if (externalProxy.BypassLocalhost && NetworkHelper.IsLocalIpAddress(remoteHostName))
                    useUpstreamProxy = false;

            TcpClient?           tcpClient = null;
            CustomBufferedStream?stream    = null;

            SslApplicationProtocol negotiatedApplicationProtocol = default;

            bool retry = true;
            var  enabledSslProtocols = sslProtocol;

                var hostname = useUpstreamProxy ? externalProxy !.HostName : remoteHostName;
                var port     = useUpstreamProxy ? externalProxy !.Port : remotePort;

                var ipAddresses = await Dns.GetHostAddressesAsync(hostname);

                if (ipAddresses == null || ipAddresses.Length == 0)
                    throw new Exception($"Could not resolve the hostname {hostname}");

                if (session != null)
                    session.TimeLine["Dns Resolved"] = DateTime.Now;

                Array.Sort(ipAddresses, (x, y) => x.AddressFamily.CompareTo(y.AddressFamily));

                for (int i = 0; i < ipAddresses.Length; i++)
                        var ipAddress = ipAddresses[i];
                        if (upStreamEndPoint == null)
                            tcpClient = new TcpClient(ipAddress.AddressFamily);
                            tcpClient = new TcpClient(upStreamEndPoint);

                        tcpClient.NoDelay        = proxyServer.NoDelay;
                        tcpClient.ReceiveTimeout = proxyServer.ConnectionTimeOutSeconds * 1000;
                        tcpClient.SendTimeout    = proxyServer.ConnectionTimeOutSeconds * 1000;
                        tcpClient.LingerState    = new LingerOption(true, proxyServer.TcpTimeWaitSeconds);

                        if (proxyServer.ReuseSocket && RunTime.IsSocketReuseAvailable)
                            tcpClient.Client.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.ReuseAddress, true);

                        await tcpClient.ConnectAsync(ipAddress, port);

                    catch (Exception e)
                        if (i == ipAddresses.Length - 1)
                            throw new Exception($"Could not establish connection to {hostname}", e);

                        // dispose the current TcpClient and try the next address

                if (session != null)
                    session.TimeLine["Connection Established"] = DateTime.Now;

                await proxyServer.InvokeConnectionCreateEvent(tcpClient !, false);

                stream = new CustomBufferedStream(tcpClient !.GetStream(), proxyServer.BufferPool);

                if (useUpstreamProxy && (isConnect || isHttps))
                    var writer         = new HttpRequestWriter(stream, proxyServer.BufferPool);
                    var connectRequest = new ConnectRequest
                        OriginalUrl = $"{remoteHostName}:{remotePort}",
                        HttpVersion = httpVersion

                    connectRequest.Headers.AddHeader(KnownHeaders.Connection, KnownHeaders.ConnectionKeepAlive);

                    if (!string.IsNullOrEmpty(externalProxy !.UserName) && externalProxy.Password != null)
                            HttpHeader.GetProxyAuthorizationHeader(externalProxy.UserName, externalProxy.Password));

                    await writer.WriteRequestAsync(connectRequest, cancellationToken : cancellationToken);

                    string httpStatus = await stream.ReadLineAsync(cancellationToken)
                                        ?? throw new ServerConnectionException("Server connection was closed.");

                    Response.ParseResponseLine(httpStatus, out _, out int statusCode, out string statusDescription);

                    if (statusCode != 200 && !statusDescription.EqualsIgnoreCase("OK") &&
                        !statusDescription.EqualsIgnoreCase("Connection Established"))
                        throw new Exception("Upstream proxy failed to create a secure tunnel");

                    await stream.ReadAndIgnoreAllLinesAsync(cancellationToken);

                if (isHttps)
                    var sslStream = new SslStream(stream, false, proxyServer.ValidateServerCertificate,
                    stream = new CustomBufferedStream(sslStream, proxyServer.BufferPool);

                    var options = new SslClientAuthenticationOptions
                        ApplicationProtocols           = applicationProtocols,
                        TargetHost                     = remoteHostName,
                        ClientCertificates             = null !,
                        EnabledSslProtocols            = enabledSslProtocols,
                        CertificateRevocationCheckMode = proxyServer.CheckCertificateRevocation
                    await sslStream.AuthenticateAsClientAsync(options, cancellationToken);

                    negotiatedApplicationProtocol = sslStream.NegotiatedApplicationProtocol;

                    if (session != null)
                        session.TimeLine["HTTPS Established"] = DateTime.Now;
            catch (IOException ex) when(ex.HResult == unchecked ((int)0x80131620) && retry && enabledSslProtocols >= SslProtocols.Tls11)
                enabledSslProtocols = SslProtocols.Tls;
                retry = false;
                goto retry;
            catch (Exception)

            return(new TcpServerConnection(proxyServer, tcpClient, stream)
                UpStreamProxy = externalProxy,
                UpStreamEndPoint = upStreamEndPoint,
                HostName = remoteHostName,
                Port = remotePort,
                IsHttps = isHttps,
                NegotiatedApplicationProtocol = negotiatedApplicationProtocol,
                UseUpstreamProxy = useUpstreamProxy,
                Version = httpVersion
        /// <summary>
        ///  Creates a TCP connection to server
        /// </summary>
        /// <param name="server"></param>
        /// <param name="remoteHostName"></param>
        /// <param name="remotePort"></param>
        /// <param name="httpVersion"></param>
        /// <param name="isHttps"></param>
        /// <param name="isConnect"></param>
        /// <param name="upStreamEndPoint"></param>
        /// <param name="externalProxy"></param>
        /// <returns></returns>
        internal async Task <TcpConnection> CreateClient(ProxyServer server,
                                                         string remoteHostName, int remotePort, Version httpVersion, bool isHttps,
                                                         bool isConnect, IPEndPoint upStreamEndPoint, ExternalProxy externalProxy)
            bool useUpstreamProxy = false;

            //check if external proxy is set for HTTP/HTTPS
            if (externalProxy != null && !(externalProxy.HostName == remoteHostName && externalProxy.Port == remotePort))
                useUpstreamProxy = true;

                //check if we need to ByPass
                if (externalProxy.BypassLocalhost && NetworkHelper.IsLocalIpAddress(remoteHostName))
                    useUpstreamProxy = false;

            TcpClient            client = null;
            CustomBufferedStream stream = null;

                client = new TcpClient(upStreamEndPoint);

                //If this proxy uses another external proxy then create a tunnel request for HTTP/HTTPS connections
                if (useUpstreamProxy)
                    await client.ConnectAsync(externalProxy.HostName, externalProxy.Port);
                    await client.ConnectAsync(remoteHostName, remotePort);

                stream = new CustomBufferedStream(client.GetStream(), server.BufferSize);

                if (useUpstreamProxy && (isConnect || isHttps))
                    using (var writer = new HttpRequestWriter(stream, server.BufferSize))
                        await writer.WriteLineAsync($"CONNECT {remoteHostName}:{remotePort} HTTP/{httpVersion}");

                        await writer.WriteLineAsync($"Host: {remoteHostName}:{remotePort}");

                        await writer.WriteLineAsync("Connection: Keep-Alive");

                        if (!string.IsNullOrEmpty(externalProxy.UserName) && externalProxy.Password != null)
                            await HttpHeader.ProxyConnectionKeepAlive.WriteToStreamAsync(writer);

                            await writer.WriteLineAsync("Proxy-Authorization" + ": Basic " +
                                                                                   externalProxy.UserName + ":" + externalProxy.Password)));

                        await writer.WriteLineAsync();

                        await writer.FlushAsync();

                    using (var reader = new CustomBinaryReader(stream, server.BufferSize))
                        string result = await reader.ReadLineAsync();

                        if (!new[] { "200 OK", "connection established" }.Any(s => result.ContainsIgnoreCase(s)))
                            throw new Exception("Upstream proxy failed to create a secure tunnel");

                        await reader.ReadAndIgnoreAllLinesAsync();

                if (isHttps)
                    var sslStream = new SslStream(stream, false, server.ValidateServerCertificate, server.SelectClientCertificate);
                    stream = new CustomBufferedStream(sslStream, server.BufferSize);

                    await sslStream.AuthenticateAsClientAsync(remoteHostName, null, server.SupportedSslProtocols, server.CheckCertificateRevocation);

                client.ReceiveTimeout = server.ConnectionTimeOutSeconds * 1000;
                client.SendTimeout    = server.ConnectionTimeOutSeconds * 1000;
            catch (Exception)


            return(new TcpConnection
                UpStreamProxy = externalProxy,
                UpStreamEndPoint = upStreamEndPoint,
                HostName = remoteHostName,
                Port = remotePort,
                IsHttps = isHttps,
                UseUpstreamProxy = useUpstreamProxy,
                TcpClient = client,
                StreamReader = new CustomBinaryReader(stream, server.BufferSize),
                Stream = stream,
                Version = httpVersion
        /// <summary>
        ///     This is called when this proxy acts as a reverse proxy (like a real http server).
        ///     So for HTTPS requests we would start SSL negotiation right away without expecting a CONNECT request from client
        /// </summary>
        /// <param name="endPoint">The transparent endpoint.</param>
        /// <param name="clientConnection">The client connection.</param>
        /// <returns></returns>
        private async Task HandleClient(TransparentProxyEndPoint endPoint, TcpClientConnection clientConnection)
            var cancellationTokenSource = new CancellationTokenSource();
            var cancellationToken       = cancellationTokenSource.Token;

            var clientStream = new CustomBufferedStream(clientConnection.GetStream(), BufferSize);

            var clientStreamWriter = new HttpResponseWriter(clientStream, BufferSize);

                var clientHelloInfo = await SslTools.PeekClientHello(clientStream, cancellationToken);

                bool   isHttps       = clientHelloInfo != null;
                string httpsHostName = null;

                if (isHttps)
                    httpsHostName = clientHelloInfo.GetServerName() ?? endPoint.GenericCertificateName;

                    var args = new BeforeSslAuthenticateEventArgs(cancellationTokenSource)
                        SniHostName = httpsHostName

                    await endPoint.InvokeBeforeSslAuthenticate(this, args, ExceptionFunc);

                    if (cancellationTokenSource.IsCancellationRequested)
                        throw new Exception("Session was terminated by user.");

                    if (endPoint.DecryptSsl && args.DecryptSsl)
                        SslStream sslStream = null;

                            sslStream = new SslStream(clientStream);

                            string certName    = HttpHelper.GetWildCardDomainName(httpsHostName);
                            var    certificate = await CertificateManager.CreateCertificateAsync(certName);

                            // Successfully managed to authenticate the client using the fake certificate
                            await sslStream.AuthenticateAsServerAsync(certificate, false, SslProtocols.Tls, false);

                            // HTTPS server created - we can now decrypt the client's traffic
                            clientStream = new CustomBufferedStream(sslStream, BufferSize);

                            clientStreamWriter = new HttpResponseWriter(clientStream, BufferSize);
                        catch (Exception e)
                            throw new ProxyConnectException(
                                      $"Could'nt authenticate client '{httpsHostName}' with fake certificate.", e, null);
                        // create new connection
                        var connection = new TcpClient(UpStreamEndPoint);
                        await connection.ConnectAsync(httpsHostName, endPoint.Port);

                        connection.ReceiveTimeout = ConnectionTimeOutSeconds * 1000;
                        connection.SendTimeout    = ConnectionTimeOutSeconds * 1000;

                        using (connection)
                            var serverStream = connection.GetStream();

                            int available = clientStream.Available;
                            if (available > 0)
                                // send the buffered data
                                var data = BufferPool.GetBuffer(BufferSize);

                                    // clientStream.Available sbould be at most BufferSize because it is using the same buffer size
                                    await clientStream.ReadAsync(data, 0, available, cancellationToken);

                                    await serverStream.WriteAsync(data, 0, available, cancellationToken);

                                    await serverStream.FlushAsync(cancellationToken);

                            ////var serverHelloInfo = await SslTools.PeekServerHello(serverStream);

                            await TcpHelper.SendRaw(clientStream, serverStream, BufferSize,
                                                    null, null, cancellationTokenSource, ExceptionFunc);

                // HTTPS server created - we can now decrypt the client's traffic
                // Now create the request
                await HandleHttpSessionRequest(endPoint, clientConnection, clientStream, clientStreamWriter,
                                               cancellationTokenSource, isHttps?httpsHostName : null, null);
            catch (ProxyException e)
                OnException(clientStream, e);
            catch (IOException e)
                OnException(clientStream, new Exception("Connection was aborted", e));
            catch (SocketException e)
                OnException(clientStream, new Exception("Could not connect", e));
            catch (Exception e)
                OnException(clientStream, new Exception("Error occured in whilst handling the client", e));
                if (!cancellationTokenSource.IsCancellationRequested)