teach/adlin
Archived
0
0
Fork 0
Code Issues 1 Pull Requests 4 Releases Activity

checker: Fix SNAT speaking and remove DNAT check on HTTPS (not possible)
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
nemunaire 2022-04-30 02:35:34 +02:00
parent f48170e50b
commit 9043bafe3d
2 changed files with 17 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
checker/checker.go
View File

@ -143,13 +143,13 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr)) std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr))
} else if err := check_http(addr.String(), std.MyDelegatedDomain()); err == nil { } else if err := check_http(addr.String(), std.MyDelegatedDomain()); err == nil {
if tunnel_version == 3 { if tunnel_version == 3 {
// Try port 80 on miniflux => should not respond if SNAT is correctly configured // Try port 80 on miniflux => should not respond if DNAT is correctly configured
minifluxIP := tun.GetServerIP(6) minifluxIP := tun.GetServerIP(6)
if err := check_http(minifluxIP, std.MyDelegatedDomain()); err == nil { if err := check_http(minifluxIP, std.MyDelegatedDomain()); err == nil {
if verbose { if verbose {
log.Printf("%s and HTTP (with DNS ip=%s): %s\n", std.Login, addr.String(), "Bad SNAT config") log.Printf("%s and HTTP (with DNS ip=%s): %s\n", std.Login, addr.String(), "Bad DNAT config")
} }
if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Your SNAT on IPv6 is badly configured. See HTTP IP result.")); errreg != nil { if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Your DNAT on IPv6 is badly configured. See HTTP IP result.")); errreg != nil {
log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg) log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
} }
} else { } else {
@ -178,18 +178,7 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
// Check HTTPs with DNS // Check HTTPs with DNS
if glueErr != nil { if glueErr != nil {
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr)) std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr))
} else if err := check_https(std.MyDelegatedDomain(), addr.String()); err == nil { } else if err := check_https(std.MyDelegatedDomain()); err == nil {
if tunnel_version == 3 {
// Try port 443 on miniflux => should not respond if SNAT is correctly configured
minifluxIP := tun.GetServerIP(6)
if err := check_https(std.MyDelegatedDomain(), minifluxIP); err == nil {
if verbose {
log.Printf("%s and HTTPS (with DNS ip=%s): %s\n", std.Login, addr.String(), "Bad SNAT config")
}
if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], fmt.Errorf("Your SNAT on IPv6 is badly configured. You should not have SNAT on 443 port.")); errreg != nil {
log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
}
} else {
snicheck1 = true snicheck1 = true
snicheck1_tested = true snicheck1_tested = true
if verbose { if verbose {
@ -198,17 +187,6 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil { if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
} }
}
} else {
snicheck1 = true
snicheck1_tested = true
if verbose {
log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
}
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
}
}
} else { } else {
snicheck1_tested = true snicheck1_tested = true
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], err) std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], err)
@ -279,13 +257,13 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
// Check HTTP without DNS // Check HTTP without DNS
if err := check_http(stdIP, ""); err == nil { if err := check_http(stdIP, ""); err == nil {
if tunnel_version == 3 { if tunnel_version == 3 {
// Try port 80 on miniflux => should not respond if SNAT is correctly configured // Try port 80 on miniflux => should not respond if DNAT is correctly configured
minifluxIP := tun.GetServerIP(6) minifluxIP := tun.GetServerIP(6)
if err := check_http(minifluxIP, ""); err == nil { if err := check_http(minifluxIP, ""); err == nil {
if verbose { if verbose {
log.Printf("%s and HTTP IP (without DNS): %s\n", std.Login, "Bad SNAT config") log.Printf("%s and HTTP IP (without DNS): %s\n", std.Login, "Bad DNAT config")
} }
if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonIP], fmt.Errorf("Your SNAT on IPv6 is too large: it seems that all requests to port 80 behind the router are redirected to web host. Eg. [news]:80 should not respond, however it responds with contents.")); errreg != nil { if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonIP], fmt.Errorf("Your DNAT on IPv6 is too large: it seems that all requests to port 80 behind the router are redirected to web host. Eg. [news]:80 should not respond, however it responds with contents.")); errreg != nil {
log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg) log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
} }
} else { } else {
@ -329,7 +307,7 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
} }
// Check HTTPs without DNS // Check HTTPs without DNS
if err := check_https(std.MyAssociatedDomain(), stdIP); err == nil { if err := check_https(std.MyAssociatedDomain()); err == nil {
if verbose { if verbose {
log.Printf("%s just unlocked HTTPS challenge\n", std.Login) log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
} }

4
checker/checks.go
View File

@ -424,7 +424,7 @@ func check_http(ip, dn string) (err error) {
// PORT 443 // PORT 443
func check_https(domain, ip string) (err error) { func check_https(domain string) (err error) {
var resp *http.Response var resp *http.Response
resp, err = http.Get(fmt.Sprintf("https://%s/", strings.TrimSuffix(domain, "."))) resp, err = http.Get(fmt.Sprintf("https://%s/", strings.TrimSuffix(domain, ".")))
if err != nil { if err != nil {
@ -437,7 +437,7 @@ func check_https(domain, ip string) (err error) {
if loc != "" && strings.HasSuffix(dns.Fqdn(loc), domain) { if loc != "" && strings.HasSuffix(dns.Fqdn(loc), domain) {
if dns.Fqdn(loc) == domain { if dns.Fqdn(loc) == domain {
return fmt.Errorf("Redirection loop %s redirect to %s", domain, loc) return fmt.Errorf("Redirection loop %s redirect to %s", domain, loc)
} else if err = check_https(dns.Fqdn(loc), ip); err != nil { } else if err = check_https(dns.Fqdn(loc)); err != nil {
return fmt.Errorf("Error after following redirection to %s: %w", loc, err) return fmt.Errorf("Error after following redirection to %s: %w", loc, err)
} else { } else {
return return