Verified Commit b09a2e09 authored by shelikhoo's avatar shelikhoo
Browse files

Add Relay URL Check in Snowflake Proxy

parent 02c6f764
......@@ -119,6 +119,7 @@ type SnowflakeProxy struct {
// There is no look ahead assertion when matching domain name suffix,
// thus the string prepend the suffix does not need to be empty or ends with a dot.
RelayDomainNamePattern string
AllowNonTLSRelay bool
// NATProbeURL is the URL of the probe service we use for NAT checks
NATProbeURL string
// NATTypeMeasurementInterval is time before NAT type is retested
......@@ -496,7 +497,13 @@ func (sf *SnowflakeProxy) runSession(sid string) {
matcher := namematcher.NewNameMatcher(sf.RelayDomainNamePattern)
if relayURL != "" && !matcher.IsMember(relayURL) {
parsedRelayURL, err := url.Parse(relayURL)
if err != nil {
log.Printf("bad offer from broker: bad Relay URL %v", err.Error())
if relayURL != "" && (!matcher.IsMember(parsedRelayURL.Hostname()) || (!sf.AllowNonTLSRelay && parsedRelayURL.Scheme != "wss")) {
log.Printf("bad offer from broker: rejected Relay URL")
......@@ -21,6 +21,8 @@ func main() {
unsafeLogging := flag.Bool("unsafe-logging", false, "prevent logs from being scrubbed")
keepLocalAddresses := flag.Bool("keep-local-addresses", false, "keep local LAN address ICE candidates")
relayURL := flag.String("relay", sf.DefaultRelayURL, "websocket relay URL")
allowedRelayHostNamePattern := flag.String("allowed-relay-hostname-pattern", "", "a pattern to specify allowed hostname pattern for relay URL.")
allowNonTLSRelay := flag.Bool("allow-non-tls-relay", false, "allow relay without tls encryption")
NATTypeMeasurementInterval := flag.Duration("nat-retest-interval", time.Hour*24,
"the time interval in second before NAT type is retested, 0s disables retest. Valid time units are \"s\", \"m\", \"h\". ")
SummaryInterval := flag.Duration("summary-interval", time.Hour,
......@@ -40,6 +42,9 @@ func main() {
NATTypeMeasurementInterval: *NATTypeMeasurementInterval,
EventDispatcher: eventLogger,
RelayDomainNamePattern: *allowedRelayHostNamePattern,
AllowNonTLSRelay: *allowNonTLSRelay,
var logOutput io.Writer = os.Stderr
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment