checker: Test SNAT configuration on HTTPonIP

This commit is contained in:
nemunaire 2022-04-29 22:34:12 +02:00
parent 532c36e486
commit 65dd0d51ca
2 changed files with 83 additions and 17 deletions

View File

@ -658,11 +658,31 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
if glueErr != nil { if glueErr != nil {
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr)) std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr))
} else if err := check_http(addr.String(), std.MyDelegatedDomain()); err == nil { } else if err := check_http(addr.String(), std.MyDelegatedDomain()); err == nil {
if verbose { if tunnel_version == 3 {
log.Printf("%s just unlocked HTTP challenge\n", std.Login) // Try port 80 on miniflux => should not respond if SNAT is correctly configured
} minifluxIP := tun.GetServerIP(6)
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonDelegatedDomain], ""); err != nil { if err := check_http(minifluxIP, std.MyDelegatedDomain()); err == nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) if verbose {
log.Printf("%s and HTTP (with DNS ip=%s): %s\n", std.Login, addr.String(), "Bad SNAT config")
}
if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Your SNAT on IPv6 is badly configured. See HTTP IP result.")); errreg != nil {
log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
}
} else {
if verbose {
log.Printf("%s just unlocked HTTP challenge\n", std.Login)
}
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonDelegatedDomain], ""); err != nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
}
}
} else {
if verbose {
log.Printf("%s just unlocked HTTP challenge\n", std.Login)
}
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonDelegatedDomain], ""); err != nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
}
} }
} else { } else {
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], err) std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], err)
@ -675,13 +695,35 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
if glueErr != nil { if glueErr != nil {
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr)) std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr))
} else if err := check_https(std.MyDelegatedDomain(), addr.String()); err == nil { } else if err := check_https(std.MyDelegatedDomain(), addr.String()); err == nil {
snicheck1 = true if tunnel_version == 3 {
snicheck1_tested = true // Try port 443 on miniflux => should not respond if SNAT is correctly configured
if verbose { minifluxIP := tun.GetServerIP(6)
log.Printf("%s just unlocked HTTPS challenge\n", std.Login) if err := check_https(std.MyDelegatedDomain(), minifluxIP); err == nil {
} if verbose {
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil { log.Printf("%s and HTTPS (with DNS ip=%s): %s\n", std.Login, addr.String(), "Bad SNAT config")
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) }
if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], fmt.Errorf("Your SNAT on IPv6 is badly configured. You should not have SNAT on 443 port.")); errreg != nil {
log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
}
} else {
snicheck1 = true
snicheck1_tested = true
if verbose {
log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
}
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
}
}
} else {
snicheck1 = true
snicheck1_tested = true
if verbose {
log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
}
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
}
} }
} else { } else {
snicheck1_tested = true snicheck1_tested = true
@ -752,11 +794,31 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
// Check HTTP without DNS // Check HTTP without DNS
if err := check_http(stdIP, ""); err == nil { if err := check_http(stdIP, ""); err == nil {
if verbose { if tunnel_version == 3 {
log.Printf("%s just unlocked HTTP IP (without DNS) challenge\n", std.Login) // Try port 80 on miniflux => should not respond if SNAT is correctly configured
} minifluxIP := tun.GetServerIP(6)
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonIP], ""); err != nil { if err := check_http(minifluxIP, ""); err == nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) if verbose {
log.Printf("%s and HTTP IP (without DNS): %s\n", std.Login, "Bad SNAT config")
}
if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonIP], fmt.Errorf("Your SNAT on IPv6 is too large: it seems that all requests to port 80 behind the router are redirected to web host. Eg. [news]:80 should not respond, however it responds with contents.")); errreg != nil {
log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
}
} else {
if verbose {
log.Printf("%s just unlocked HTTP IP (without DNS) challenge\n", std.Login)
}
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonIP], ""); err != nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
}
}
} else {
if verbose {
log.Printf("%s just unlocked HTTP IP (without DNS) challenge\n", std.Login)
}
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonIP], ""); err != nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
}
} }
} else { } else {
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonIP], err) std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonIP], err)

View File

@ -132,6 +132,10 @@ func (tt *TunnelToken) GetStudentIP() string {
} }
} }
func (tt *TunnelToken) GetServerIP(suffix int) string {
return fmt.Sprintf("%s%x", StudentIP(tt.IdStudent).String(), suffix)
}
func (tt *TunnelToken) GenKeySign() []byte { func (tt *TunnelToken) GenKeySign() []byte {
stdprivkey := ed25519.NewKeyFromSeed(tt.token[:ed25519.SeedSize]) stdprivkey := ed25519.NewKeyFromSeed(tt.token[:ed25519.SeedSize])