vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-05-21 01:54:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
ntopng/src/HTTPserver.cpp

1646 lines
56 KiB
C++
Raw Blame History

/*
*
* (C) 2013-20 - ntop.org
*
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*/
#include "ntop_includes.h"
#define USE_LUA
#include "../third-party/mongoose/mongoose.c"
#undef USE_LUA
extern "C" {
#include "lua.h"
#include "lauxlib.h"
#include "lualib.h"
};
static HTTPserver *httpserver;
/* ****************************************** */
/*
* Send error message back to a client.
*/
int send_error(struct mg_connection *conn, int status, const char *reason, const char *fmt, ...) {
va_list ap;
conn->status_code = status;
(void) mg_printf(conn,
"HTTP/1.1 %d %s\r\n"
"Content-Type: text/html\r\n"
"Connection: close\r\n"
"\r\n", status, reason);
/* Errors 1xx, 204 and 304 MUST NOT send a body */
if(status > 199 && status != 204 && status != 304) {
char buf[BUFSIZ];
int len;
conn->num_bytes_sent = 0;
va_start(ap, fmt);
len = mg_vsnprintf(conn, buf, sizeof(buf), fmt, ap);
va_end(ap);
conn->num_bytes_sent += mg_write(conn, buf, len);
if(ntop->getTrace()->get_trace_level() >= TRACE_LEVEL_INFO)
cry(conn, "%s", buf);
else
cry_connection(conn, buf);
}
return(1);
}
/* ****************************************** */
const char *get_secure_cookie_attributes(const struct mg_request_info *request_info) {
if(request_info->is_ssl)
return " HttpOnly; SameSite=lax; Secure";
else
return " HttpOnly; SameSite=lax";
}
/* ****************************************** */
#ifndef HAVE_NEDGE
static void redirect_to_ssl(struct mg_connection *conn,
const struct mg_request_info *request_info) {
const char *host = mg_get_header(conn, "Host");
// u_int16_t port = ntop->get_HTTPserver()->get_port();
if(host != NULL) {
const char *p = strchr(host, ':');
if(p)
mg_printf(conn, "HTTP/1.1 302 Found\r\n"
"Location: https://%.*s:%u/%s\r\n\r\n",
(int) (p - host), host, ntop->getPrefs()->get_https_port(), request_info->uri);
else
mg_printf(conn, "HTTP/1.1 302 Found\r\n"
"Location: https://%s:%u/%s\r\n\r\n",
host, ntop->getPrefs()->get_https_port(), request_info->uri);
} else {
mg_printf(conn, "%s", "HTTP/1.1 500 Error\r\n\r\nHost: header is not set");
}
}
#endif
/* ****************************************** */
/* Generates a random token to protect against CSRF attacks.
* See ntop_get_csrf_value for more details. */
static void generate_csrf_token(char *csrf) {
char random_a[32], random_b[32];
#ifdef __OpenBSD__
snprintf(random_a, sizeof(random_a), "%d", arc4random());
snprintf(random_b, sizeof(random_b), "%lu", time(NULL)*arc4random());
#else
snprintf(random_a, sizeof(random_a), "%d", rand());
snprintf(random_b, sizeof(random_b), "%lu", time(NULL)*rand());
#endif
mg_md5(csrf, random_a, random_b, NULL);
}
/* ****************************************** */
bool HTTPserver::authorized_localhost_user_login(const struct mg_connection *conn) {
if(ntop->getPrefs()->is_localhost_users_login_disabled()
&& (conn->request_info.remote_ip == 0x7F000001 /* 127.0.0.1 */))
return true;
return false;
}
/* ****************************************** */
void HTTPserver::traceLogin(const char *user, bool authorized) {
if(ntop->getSystemInterface()
/* Can be NULL during startup so check is necessary */
&& ntop->getSystemInterface()->getAlertsQueue())
ntop->getSystemInterface()->getAlertsQueue()->pushLoginTrace(user, authorized);
}
/* ****************************************** */
// Generate session ID. buf must be 33 bytes in size.
// Note that it is easy to steal session cookies by sniffing traffic.
// This is why all communication must be SSL-ed.
static void generate_session_id(char *buf, const char *random, const char *user, const char *group) {
mg_md5(buf, random, user, group, NULL);
}
/* ****************************************** */
// Create a new session generating a Session ID that can be used as Cookie
static void create_session(const char * const user,
const char * const group,
bool localuser,
char *session_id,
u_int session_id_size,
u_int session_duration) {
char key[256], random[64];
char csrf[NTOP_CSRF_TOKEN_LENGTH];
char val[128];
snprintf(random, sizeof(random), "%d", rand());
generate_session_id(session_id, random, user, group);
generate_csrf_token(csrf);
// ntop->getTrace()->traceEvent(TRACE_ERROR, "==> %s\t%s", random, session_id);
/* Save session in redis */
snprintf(key, sizeof(key), "sessions.%s", session_id);
snprintf(val, sizeof(val), "%s|%s|%s|%c", user, group, csrf, localuser ? '1' : '0');
ntop->getRedis()->set(key, val, session_duration);
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] Set session sessions.%s", session_id);
HTTPserver::traceLogin(user, true);
}
/* ****************************************** */
// Create a new session and set the session Cookie
static void set_session_cookie(const struct mg_connection * const conn,
const char * const user,
const char * const group,
bool localuser,
const char * const referer) {
char session_id[64];
u_int session_duration;
if(!strcmp(mg_get_request_info((struct mg_connection*)conn)->uri, "/metrics")
|| !strncmp(mg_get_request_info((struct mg_connection*)conn)->uri, LIVE_TRAFFIC_URL, strlen(LIVE_TRAFFIC_URL))
|| !strncmp(mg_get_request_info((struct mg_connection*)conn)->uri, GRAFANA_URL, strlen(GRAFANA_URL))
|| !strncmp(mg_get_request_info((struct mg_connection*)conn)->uri, POOL_MEMBERS_ASSOC_URL, strlen(POOL_MEMBERS_ASSOC_URL)))
return;
if(HTTPserver::authorized_localhost_user_login(conn))
return;
// do_auto_logout() is the getter for the command-line specified
// preference that defaults to true (i.e., auto_logout is enabled by default)
// If do_auto_logout() is disabled, then the runtime auto logout preference
// is taken into account.
// If do_auto_logout() is false, then the auto logout is disabled regardless
// of runtime preferences.
if(!ntop->getPrefs()->do_auto_logout() || !ntop->getPrefs()->do_auto_logout_at_runtime())
session_duration = EXTENDED_HTTP_SESSION_DURATION;
else
session_duration = ntop->getPrefs()->get_auth_session_duration();
create_session(user, group, localuser, session_id, sizeof(session_id), session_duration);
/* http://en.wikipedia.org/wiki/HTTP_cookie */
mg_printf((struct mg_connection *)conn, "HTTP/1.1 302 Found\r\n"
"Set-Cookie: session=%s; path=/; max-age=%u;%s\r\n" // Session ID
"Location: %s\r\n\r\n",
session_id, session_duration, get_secure_cookie_attributes(mg_get_request_info((struct mg_connection*)conn)),
referer ? referer : "/");
}
/* ****************************************** */
static void get_qsvar(const struct mg_request_info *request_info,
const char *name, char *dst, size_t dst_len) {
const char *qs = request_info->query_string;
mg_get_var(qs, strlen(qs == NULL ? "" : qs), name, dst, dst_len);
}
/* ****************************************** */
static int checkCaptive(const struct mg_connection *conn,
const struct mg_request_info *request_info,
char *username, char *password, char *label) {
#ifdef NTOPNG_PRO
if(ntop->getPrefs()->isCaptivePortalEnabled()
&& ntop->isCaptivePortalUser(username)) {
/*
This user logged onto ntopng via the captive portal
*/
u_int16_t host_pool_id;
int32_t limited_lifetime = -1; /* Unlimited by default */
#ifdef DEBUG
char buf[32];
ntop->getTrace()->traceEvent(TRACE_NORMAL, "[CAPTIVE] %s @ %s/%08X [Redirecting to %s%s]",
username, Utils::intoaV4((unsigned int)conn->request_info.remote_ip, buf, sizeof(buf)),
(unsigned int)conn->request_info.remote_ip,
mg_get_header(conn, "Host") ? mg_get_header(conn, "Host") : (char*)"",
request_info->uri);
#endif
char bridge_interface[32];
if(!ntop->getUserAllowedIfname(username, bridge_interface, sizeof(bridge_interface)))
return(0);
ntop->getUserHostPool(username, &host_pool_id);
ntop->hasUserLimitedLifetime(username, &limited_lifetime);
if(!ntop->addIPToLRUMatches(htonl((unsigned int)conn->request_info.remote_ip),
host_pool_id, label, limited_lifetime, bridge_interface))
return(0);
/* Success */
return(1);
}
#endif
return(0);
}
/* ****************************************** */
static int checkInformativeCaptive(const struct mg_connection *conn,
const struct mg_request_info *request_info) {
#ifdef NTOPNG_PRO
#ifdef DEBUG
char buf[32];
ntop->getTrace()->traceEvent(TRACE_NORMAL, "[CAPTIVE] @ %s/%08X [Redirecting to %s%s]",
Utils::intoaV4((unsigned int)conn->request_info.remote_ip, buf, sizeof(buf)),
(unsigned int)conn->request_info.remote_ip,
mg_get_header(conn, "Host") ? mg_get_header(conn, "Host") : (char*)"",
request_info->uri);
#endif
if(!ntop->addToNotifiedInformativeCaptivePortal(htonl((unsigned int)conn->request_info.remote_ip)))
return(0);
/* Success */
return(1);
#endif
return(0);
}
/* ****************************************** */
static int checkGrafana(const struct mg_connection *conn,
const struct mg_request_info *request_info) {
if(!strcmp(request_info->request_method, "OPTIONS") /* Allow for CORS inflight requests */
&& !strncmp(request_info->uri, GRAFANA_URL, strlen(GRAFANA_URL)))
/* Success */
return(1);
return(0);
}
/* ****************************************** */
static int isWhitelistedURI(const char * const uri) {
/* URL whitelist */
if((!strcmp(uri, LOGIN_URL))
|| (!strcmp(uri, AUTHORIZE_URL))
|| (!strcmp(uri, HOTSPOT_DETECT_URL))
|| (!strcmp(uri, HOTSPOT_DETECT_LUA_URL))
|| (!strcmp(uri, ntop->getPrefs()->getCaptivePortalUrl()))
|| (!strcmp(uri, KINDLE_WIFISTUB_URL))
)
return(1);
else
return(0);
}
/* ****************************************** */
#ifdef NO_SSL_DL /* see configure.seed */
static bool ssl_client_x509_auth(const struct mg_connection * const conn, const struct mg_request_info * const request_info,
char * const username, char * const group, bool * const localuser) {
bool ret = false;
X509 *cert = NULL;
X509_NAME *subj = NULL;
char subject[256];
char key[CONST_MAX_LEN_REDIS_KEY];
if((cert = SSL_get_peer_certificate(conn->ssl))) {
if((subj = X509_get_subject_name(cert))) {
X509_NAME_oneline(subj, subject, sizeof(subject));
if(SSL_get_verify_result(conn->ssl) == X509_V_OK
&& X509_NAME_get_text_by_NID(subj, NID_commonName, username, NTOP_USERNAME_MAXLEN) >= 0) {
snprintf(key, sizeof(key), CONST_STR_USER_GROUP, username);
bool group_exists = ntop->getRedis()->get(key, group, NTOP_GROUP_MAXLEN) >= 0;
if(ntop->existsUser(username)
&& group_exists) {
*localuser = true;
ntop->getTrace()->traceEvent(TRACE_INFO,"SSL user authenticated [username: %s][group: %s][subject: %s]", username, group, subject);
ret = true;
} else
ntop->getTrace()->traceEvent(TRACE_INFO,"SSL user: not found [user: %s]", username);
} else
ntop->getTrace()->traceEvent(TRACE_INFO,"SSL user: unknow certificate or missing NID_commonName [subject: %s]", subject);
}
X509_free(cert);
} else
ntop->getTrace()->traceEvent(TRACE_INFO,"SSL user: could not get certificate");
if(!ret)
username[0] = '\0', group[0] = '\0';
return ret;
};
#endif
/* ****************************************** */
// Return 1 if request is authorized, 0 otherwise.
// If 1 is returned, the username parameter will contain the authenticated user,
// which can also be "" or NTOP_NOLOGIN_USER .
static int getAuthorizedUser(struct mg_connection *conn,
const struct mg_request_info *request_info,
char *username, ssize_t username_len, char *group,
char *csrf, bool *localuser) {
char session_id[NTOP_SESSION_ID_LENGTH];
char key[64], val[128];
char password[MAX_PASSWORD_LEN];
char localuser_ch;
const char *auth_header_p;
string auth_type = "", auth_string = "";
bool user_login_disabled = !ntop->getPrefs()->is_users_login_enabled() ||
HTTPserver::authorized_localhost_user_login(conn);
/* Default */
username[0] = '\0';
group[0] = '\0';
*localuser = false;
/* Default assumes a token not associated to a session. When the user logs
using a session, the session CSRF token read from Redis is used instead. */
snprintf(csrf, NTOP_CSRF_TOKEN_LENGTH, "%s", NTOP_CSRF_TOKEN_NO_SESSION);
#ifdef DEBUG
ntop->getTrace()->traceEvent(TRACE_WARNING, "[AUTHORIZATION] [%s][%s]",
request_info->uri, request_info->query_string ? request_info->query_string : "");
#endif
/*
iOS / MacOS
1. HOTSPOT_DETECT_URL "/hotspot-detect.html"
2. HOTSPOT_DETECT_LUA_URL "/lua/hotspot-detect.lua"
3. CAPTIVE_PORTAL_URL "/lua/captive_portal.lua"
4. AUTHORIZE_CAPTIVE_LUA_URL "/lua/authorize_captive.lua"
5. logged in
Kindle
1. KINDLE_WIFISTUB_URL
*/
if(!strcmp(request_info->uri, AUTHORIZE_CAPTIVE_LUA_URL)) {
/* A captive portal request has been issued to the authorization url */
if(ntop->getPrefs()->isInformativeCaptivePortalEnabled()) {
/* If the captive portal is just informative, there's no need to check
any username or password. The request per se means the internet user
has accepted the 'terms of service'. */
return(checkInformativeCaptive(conn, request_info));
} else {
/* Here the captive portal is not just informative; it requires authentication.
For this reason it is necessary to check submitted username and password. */
if(!strcmp(request_info->request_method, "POST")) {
char post_data[1024];
char label[128];
int post_data_len = mg_read(conn, post_data, sizeof(post_data));
label[0] = '\0';
mg_get_var(post_data, post_data_len, "username", username, username_len);
mg_get_var(post_data, post_data_len, "password", password, sizeof(password));
mg_get_var(post_data, post_data_len, "label", label, sizeof(label));
return(ntop->checkCaptiveUserPassword(username, password, group)
&& checkCaptive(conn, request_info, username, password, label));
}
}
}
if(checkGrafana(conn, request_info) == 1) {
return(1);
}
if(user_login_disabled) {
strncpy(username, NTOP_NOLOGIN_USER, NTOP_USERNAME_MAXLEN);
username[NTOP_USERNAME_MAXLEN - 1] = '\0';
return(1);
}
#ifdef NO_SSL_DL
/* Try to authenticate using client TLS/SSL certificate */
if(request_info->is_ssl
&& ntop->getPrefs()->is_client_x509_auth_enabled()
&& ssl_client_x509_auth(conn, request_info, username, group, localuser))
return(1);
#endif
/* Try to decode Authorization header if present */
auth_header_p = mg_get_header(conn, "Authorization");
string auth_header = auth_header_p ? auth_header_p : "";
istringstream iss(auth_header);
getline(iss, auth_type, ' ');
if(auth_type == "Basic") {
string decoded_auth, user_s = "", pword_s = "";
/* In case auth type is Basic, info are encoded in base64 */
getline(iss, auth_string, ' ');
decoded_auth = Utils::base64_decode(auth_string);
istringstream authss(decoded_auth);
getline(authss, user_s, ':');
getline(authss, pword_s, ':');
strncpy(username, user_s.c_str(), NTOP_USERNAME_MAXLEN);
username[NTOP_USERNAME_MAXLEN - 1] = '\0';
return ntop->checkGuiUserPassword(conn, username, pword_s.c_str(), group, localuser);
}
/* NOTE: this is the only cookie needed for gui authentication */
mg_get_cookie(conn, "session", session_id, sizeof(session_id));
if(session_id[0] == '\0') {
/* Explicit username + password */
mg_get_cookie(conn, "user", username, NTOP_USERNAME_MAXLEN);
mg_get_cookie(conn, "password", password, sizeof(password));
if(username[0] && password[0])
return(ntop->checkGuiUserPassword(conn, username, password, group, localuser));
}
/* Important: validate the session */
snprintf(key, sizeof(key), "sessions.%s", session_id);
val[0] = '\0';
if((ntop->getRedis()->get(key, val, sizeof(val), true) < 0) || (!val[0])) {
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] Session %s is expired", session_id);
return(0);
}
snprintf(key, sizeof(key), "%%%u[^|]|%%%u[^|]|%%%u[^|]|%%c", NTOP_USERNAME_MAXLEN-1,
NTOP_GROUP_MAXLEN-1, NTOP_CSRF_TOKEN_LENGTH-1);
if(sscanf(val, key, username, group, csrf, &localuser_ch) != 4) {
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] Old Session format %s not supported", session_id);
return(0);
}
username[NTOP_USERNAME_MAXLEN-1] = '\0';
group[NTOP_GROUP_MAXLEN-1] = '\0';
csrf[NTOP_CSRF_TOKEN_LENGTH-1] = '\0';
*localuser = (localuser_ch == '1' ? true : false);
//ntop->getTrace()->traceEvent(TRACE_NORMAL, "[HTTP] Session %s successfully authenticated for %s", session_id, username);
// NOTE: no sense to extend the session here, since the user browser cookie will expire anyway!
//ntop->getRedis()->expire(key, HTTP_SESSION_DURATION); /* Extend session */
//ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] Session %s (for %s) is ok, extended for %u sec", session_id, username, HTTP_SESSION_DURATION);
return(1);
}
/* ****************************************** */
static int isCaptiveConnection(struct mg_connection *conn) {
return(ntop->getPrefs()->isCaptivePortalEnabled()
&& (ntohs(conn->client.lsa.sin.sin_port) == CAPTIVE_PORTAL_PORT)
);
}
/* ****************************************** */
static int isCaptiveURL(char *url) {
if((!strcmp(url, KINDLE_WIFISTUB_URL))
|| (!strcmp(url, HOTSPOT_DETECT_URL))
|| (!strcmp(url, HOTSPOT_DETECT_LUA_URL))
|| (!strcmp(url, ntop->getPrefs()->getCaptivePortalUrl()))
|| (!strcmp(url, AUTHORIZE_CAPTIVE_LUA_URL))
|| (!strcmp(url, "/"))
)
return(1);
else
return(0);
}
/* ****************************************** */
static bool isStaticResourceUrl(const struct mg_request_info *request_info, u_int len) {
if((len >= 3 && (!strncmp(&request_info->uri[len - 3], ".js", 3)))
|| (len >= 4 && (!strncmp(&request_info->uri[len - 4], ".css", 4)
|| !strncmp(&request_info->uri[len - 4], ".map", 4)
|| !strncmp(&request_info->uri[len - 4], ".ttf", 4)))
|| (len >= 6 && (!strncmp(&request_info->uri[len - 6], ".woff2", 6))))
return true;
return false;
}
/* ****************************************** */
/* this corresponds to the LAN interface address */
void HTTPserver::setCaptiveRedirectAddress(const char *addr) {
#ifdef NTOPNG_PRO
size_t max_wispr_size = 1024;
if(captive_redirect_addr)
free(captive_redirect_addr);
captive_redirect_addr = strdup(addr);
if(!wispr_captive_data)
wispr_captive_data = (char *) malloc(max_wispr_size);
const char *name =
#ifdef HAVE_NEDGE
ntop->getPro()->get_product_name()
#else
"ntopng"
#endif
;
snprintf(wispr_captive_data, max_wispr_size, "<HTML>\n\
<!--\n\
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\
<WISPAccessGatewayParam xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n\
xsi:noNamespaceSchemaLocation=\"http://www.acmewisp.com/WISPAccessGatewayParam.xsd\">\n\
<Redirect>\n\
<AccessProcedure>1.0</AccessProcedure>\n\
<AccessLocation>%s Network</AccessLocation>\n\
<LocationName>%s</LocationName>\n\
<LoginURL>http://%s:%u%s%s</LoginURL>\n\
<MessageType>100</MessageType>\n\
<ResponseCode>0</ResponseCode>\n\
</Redirect>\n\
</WISPAccessGatewayParam>\n\
-->\n\
</HTML>", name, name, addr, CAPTIVE_PORTAL_PORT,
ntop->getPrefs()->get_http_prefix(),
ntop->getPrefs()->getCaptivePortalUrl());
#endif
}
/* ****************************************** */
static char* make_referer(struct mg_connection *conn, char *buf, int bufsize) {
snprintf(buf, bufsize, "%s%s%s%s%s",
mg_get_header(conn, "Host") ? mg_get_header(conn, "Host") : (char*)"",
ntop->getPrefs()->get_http_prefix(),
conn->request_info.uri,
conn->request_info.query_string ? "?" : "",
conn->request_info.query_string ? conn->request_info.query_string : "");
return buf;
}
/* ****************************************** */
// Redirect user to the login form. In the cookie, store the original URL
// we came from, so that after the authorization we could redirect back.
static void redirect_to_login(struct mg_connection *conn,
const struct mg_request_info *request_info,
const char * const referer) {
char session_id[NTOP_SESSION_ID_LENGTH], buf[128];
char *referer_enc = NULL;
if(isCaptiveConnection(conn)) {
const char *wispr_data = ntop->get_HTTPserver()->getWisprCaptiveData();
mg_printf(conn, "HTTP/1.1 302 Found\r\n"
"Expires: 0\r\n"
"Cache-Control: no-store, no-cache, must-revalidate\t\n"
"Pragma: no-cache\r\n"
"Content-Type: text/html; charset=UTF-8\r\n"
"Content-Length: %lu\r\n"
"Location: http://%s:%u%s%s%s%s\r\n\r\n%s",
strlen(wispr_data),
ntop->get_HTTPserver()->getCaptiveRedirectAddress(), // LAN address
CAPTIVE_PORTAL_PORT,
ntop->getPrefs()->get_http_prefix(), ntop->getPrefs()->getCaptivePortalUrl(),
referer ? (char*)"?referer=" : "",
referer ? (referer_enc = Utils::urlEncode(referer)) : (char*)"",
wispr_data);
} else {
#ifdef DEBUG
ntop->getTrace()->traceEvent(TRACE_NORMAL, "[LOGIN] [Host: %s][URI: %s]",
mg_get_header(conn, "Host") ? mg_get_header(conn, "Host") : (char*)"",
request_info->uri);
#endif
mg_get_cookie(conn, "session", session_id, sizeof(session_id));
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] %s(%s)", __FUNCTION__, session_id);
mg_printf(conn,
"HTTP/1.1 302 Found\r\n"
"Set-Cookie: session=%s; path=/; expires=Thu, 01-Jan-1970 00:00:01 GMT; max-age=0;%s\r\n" // Session ID
"Set-Cookie: user=; path=/; expires=Thu, 01-Jan-1970 00:00:01 GMT; max-age=0;\r\n"
"Set-Cookie: password=; path=/; expires=Thu, 01-Jan-1970 00:00:01 GMT; max-age=0;\r\n"
"Location: %s%s%s%s\r\n\r\n",
session_id,
get_secure_cookie_attributes(request_info),
ntop->getPrefs()->get_http_prefix(), Utils::getURL((char*)LOGIN_URL, buf, sizeof(buf)),
referer ? (char*)"?referer=" : "",
referer ? (referer_enc = Utils::urlEncode(referer)) : (char*)"");
}
if(referer_enc)
free(referer_enc);
}
/* ****************************************** */
int redirect_to_error_page(struct mg_connection *conn,
const struct mg_request_info *request_info,
const char *i18n_message,
char *script_path, char *error_message) {
char session_id[NTOP_SESSION_ID_LENGTH], decoded[512];
char referer[255];
char *referer_enc = NULL, *msg;
const char* url = "/lua/http_status_code.lua";
make_referer(conn, referer, sizeof(referer));
mg_get_cookie(conn, "session", session_id, sizeof(session_id));
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] %s(%s)", __FUNCTION__, session_id);
msg = error_message ? Utils::urlEncode(error_message) : NULL;
if(msg) {
url_decode(msg, strlen(msg), decoded, sizeof(decoded)-1, 1);
} else
decoded[0] = '\0';
mg_printf(conn,
"HTTP/1.1 302 Found\r\n"
"Set-Cookie: session=%s; path=/;%s\r\n" // Session ID
"Location: %s%s?message=%s%s%s&error_message=%s\r\n\r\n%s\n\r", /* FIX */
session_id,
get_secure_cookie_attributes(request_info),
ntop->getPrefs()->get_http_prefix(),
url,
i18n_message,
(referer[0] != '\0') ? (char*)"&referer=" : (char*)"",
(referer[0] != '\0') ? (referer_enc = Utils::urlEncode(referer)) : (char*)"",
msg ? msg : "", decoded);
if(msg) free(msg);
if(referer_enc) free(referer_enc);
return(1);
}
/* ****************************************** */
#ifdef HAVE_MYSQL
/* Redirect user to a courtesy page that is used when database schema is being updated.
In the cookie, store the original URL we came from, so that after the authorization
we could redirect back.
*/
static void redirect_to_please_wait(struct mg_connection *conn,
const struct mg_request_info *request_info) {
char session_id[NTOP_SESSION_ID_LENGTH], buf[128];
char referer[255];
char *referer_enc = NULL;
make_referer(conn, referer, sizeof(referer));
mg_get_cookie(conn, "session", session_id, sizeof(session_id));
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] %s(%s)", __FUNCTION__, session_id);
mg_printf(conn,
"HTTP/1.1 302 Found\r\n"
// "HTTP/1.1 401 Unauthorized\r\n"
// "WWW-Authenticate: Basic\r\n"
"Location: %s%s%s%s\r\n\r\n",
ntop->getPrefs()->get_http_prefix(), Utils::getURL((char*)PLEASE_WAIT_URL, buf, sizeof(buf)),
(referer[0] != '\0') ? (char*)"?referer=" : (char*)"",
(referer[0] != '\0') ? (referer_enc = Utils::urlEncode(referer)) : (char*)"");
if(referer_enc)
free(referer_enc);
}
#endif
/* ****************************************** */
static void redirect_to_password_change(struct mg_connection *conn,
const struct mg_request_info *request_info) {
char session_id[NTOP_SESSION_ID_LENGTH], buf[128];
char referer[255];
char *referer_enc = NULL;
make_referer(conn, referer, sizeof(referer));
mg_get_cookie(conn, "session", session_id, sizeof(session_id));
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] %s(%s)", __FUNCTION__, session_id);
mg_printf(conn,
"HTTP/1.1 302 Found\r\n"
"Set-Cookie: session=%s; path=/;%s\r\n" // Session ID
"Location: %s%s%s%s\r\n\r\n", /* FIX */
session_id,
get_secure_cookie_attributes(request_info),
ntop->getPrefs()->get_http_prefix(), Utils::getURL((char*)CHANGE_PASSWORD_ULR, buf, sizeof(buf)),
(referer[0] != '\0') ? (char*)"?referer=" : (char*)"",
(referer[0] != '\0') ? (referer_enc = Utils::urlEncode(referer)) : (char*)"");
if(referer_enc)
free(referer_enc);
}
/* ****************************************** */
// A handler for the /authorize endpoint.
// Login page form sends user name and password to this endpoint.
static void authorize(struct mg_connection *conn,
const struct mg_request_info *request_info,
char *username, char *group, bool *localuser) {
char user[32] = { '\0' }, password[32] = { '\0' }, referer[256] = { '\0' };
if(!strcmp(request_info->request_method, "POST")) {
char post_data[1024];
int post_data_len = mg_read(conn, post_data, sizeof(post_data));
mg_get_var(post_data, post_data_len, "user", user, sizeof(user));
mg_get_var(post_data, post_data_len, "password", password, sizeof(password));
mg_get_var(post_data, post_data_len, "referer", referer, sizeof(referer));
} else {
// Fetch user name and password.
get_qsvar(request_info, "user", user, sizeof(user));
get_qsvar(request_info, "password", password, sizeof(password));
get_qsvar(request_info, "ref", referer, sizeof(referer));
if(referer[0] == '\0') {
for(int i=0; request_info->http_headers[i].name != NULL; i++) {
if(strcmp(request_info->http_headers[i].name, "Referer") == 0) {
snprintf(referer, sizeof(referer), "%s", request_info->http_headers[i].value);
break;
}
}
}
}
if(isCaptiveConnection(conn)
|| ntop->isCaptivePortalUser(user)
|| !ntop->checkGuiUserPassword(conn, user, password, group, localuser)) {
// Authentication failure, redirect to login
redirect_to_login(conn, request_info, (referer[0] == '\0') ? NULL : referer);
} else {
/* Referer url must begin with '/' */
if((referer[0] != '/') || (strcmp(referer, AUTHORIZE_URL) == 0)) {
char *r = strchr(referer, '/');
if(r)
memmove(referer, r, strlen(r)+1 /* with null terminator */);
else
strcpy(referer, "/");
}
/* Send session cookie and set user for the new session */
set_session_cookie(conn, user, group, *localuser, referer);
strncpy(username, user, NTOP_USERNAME_MAXLEN);
username[NTOP_USERNAME_MAXLEN - 1] = '\0';
}
}
/* ****************************************** */
// Used to retrieve a session cookie for third-party users via REST API
// Note: there is no connection directly tied to this request (out of bound)
bool HTTPserver::authorize_noconn(char *username, char *session_id, u_int session_id_size, u_int session_duration) {
char group[NTOP_GROUP_MAXLEN] = { 0 };
/* Note: we are not checking the user password as the admin
* or the same (authenticated) user is generating the session */
if (ntop->existsUserLocal(username)) {
strncpy(group, NTOP_UNKNOWN_GROUP, NTOP_GROUP_MAXLEN-1);
group[NTOP_GROUP_MAXLEN - 1] = '\0';
ntop->getUserGroupLocal(username, group);
create_session(username, group, true, session_id, session_id_size, session_duration);
return(true);
}
return(false);
}
/* ****************************************** */
static void uri_encode(const char *src, char *dst, u_int dst_len) {
u_int i = 0, j = 0;
memset(dst, 0, dst_len);
while(src[i] != '\0') {
if(src[i] == '<') {
dst[j++] = '&'; if(j == (dst_len-1)) break;
dst[j++] = 'l'; if(j == (dst_len-1)) break;
dst[j++] = 't'; if(j == (dst_len-1)) break;
dst[j++] = ';'; if(j == (dst_len-1)) break;
} else if(src[i] == '>') {
dst[j++] = '&'; if(j == (dst_len-1)) break;
dst[j++] = 'g'; if(j == (dst_len-1)) break;
dst[j++] = 't'; if(j == (dst_len-1)) break;
dst[j++] = ';'; if(j == (dst_len-1)) break;
} else {
dst[j++] = src[i]; if(j == (dst_len-1)) break;
}
i++;
}
}
/* ****************************************** */
static int handle_lua_request(struct mg_connection *conn) {
struct mg_request_info *request_info = (struct mg_request_info *)mg_get_request_info(conn);
char *crlf, *original_uri = NULL, tmp_uri[256];
u_int len;
char username[NTOP_USERNAME_MAXLEN] = { 0 };
char group[NTOP_GROUP_MAXLEN] = { 0 };
char csrf[NTOP_CSRF_TOKEN_LENGTH] = { 0 };
bool localuser = false;
char *referer = (char*)mg_get_header(conn, "Referer");
u_int8_t whitelisted;
strncpy(group, NTOP_UNKNOWN_GROUP, NTOP_GROUP_MAXLEN-1);
group[NTOP_GROUP_MAXLEN - 1] = '\0';
if(referer == NULL)
referer = (char*)"";
if((crlf = strstr(request_info->uri, "\r\n")))
*crlf = '\0'; /* Prevents HTTP splitting attacks */
len = (u_int)strlen(request_info->uri);
#ifdef HAVE_NEDGE
if(!ntop->getPro()->has_valid_license()) {
if (! ntop->getGlobals()->isShutdown()) {
ntop->getTrace()->traceEvent(TRACE_NORMAL, "License expired, shutting down...");
ntop->getGlobals()->shutdown();
ntop->shutdown();
}
}
#endif
#ifdef DEBUG
ntop->getTrace()->traceEvent(TRACE_NORMAL, "[Host: %s][URI: %s][%s][Referer: %s]",
mg_get_header(conn, "Host") ? mg_get_header(conn, "Host") : (char*)"",
request_info->uri,
request_info->query_string ? request_info->query_string : "",
(char*)mg_get_header(conn, "Referer"));
#endif
if((ntop->getRedis() == NULL /* Starting up... */)
|| (ntop->get_HTTPserver() == NULL)
|| (!ntop->get_HTTPserver()->accepts_requests())) {
/* return(redirect_to_error_page(conn, request_info, "shut_start", NULL, NULL)); */
return(send_error(conn, 403 /* Forbidden */, request_info->uri,
"<html><head><meta http-equiv=\"refresh\" content=\"3\"></head><body>Unable to serve requests at this time, possibly starting up or shutting down.</body></html>"));
}
#ifdef DEBUG
ntop->getTrace()->traceEvent(TRACE_NORMAL, "################# [HTTP] %s [%s]",
request_info->uri, referer);
#endif
#ifndef HAVE_NEDGE
if(ntop->get_HTTPserver()->is_ssl_enabled()
&& (!request_info->is_ssl)
&& isCaptiveURL(request_info->uri)
&& (!strstr(referer, HOTSPOT_DETECT_LUA_URL))
&& (!strstr(referer, ntop->getPrefs()->getCaptivePortalUrl()))
// && ((mg_get_header(conn, "Host") == NULL) || (mg_get_header(conn, "Host")[0] == '\0'))
) {
redirect_to_ssl(conn, request_info);
return(1);
} else
#endif
if(!strcmp(request_info->uri, HOTSPOT_DETECT_URL)) {
mg_printf(conn, "HTTP/1.1 302 Found\r\n"
"Expires: 0\r\n"
"Cache-Control: no-store, no-cache, must-revalidate\t\n"
"Pragma: no-cache\r\n"
"Location: http://%s%s%s%s\r\n\r\n",
mg_get_header(conn, "Host") ? mg_get_header(conn, "Host") : (char*)"",
HOTSPOT_DETECT_LUA_URL,
request_info->query_string ? "?" : "",
request_info->query_string ? request_info->query_string : "");
return(1);
} else if(strncmp(request_info->uri, NTOPNG_DATASOURCE_URL, 13) == 0) {
char *ds_hash = &request_info->uri[13];
char rsp[1024];
int rc = ntop->getRedis()->hashGet(NTOPNG_DATASOURCE_KEY, ds_hash, rsp, sizeof(rsp));
if(rc == 0) {
json_object *j = json_tokener_parse(rsp);
if(j) {
/* {"scope":"private","alias":"luca2","origin":"main.lua","data_retention":1,"hash":"543c484ea2af859a9157480cea8b5903"} */
json_object *jscope, *jorigin;
const char *scope = NULL, *origin = NULL;
if (json_object_object_get_ex(j, "scope", &jscope))
scope = json_object_get_string(jscope);
if (json_object_object_get_ex(j, "origin", &jorigin))
origin = json_object_get_string(jorigin);
if(scope != NULL && strcmp(scope, "public") != 0) {
/* This is a private URL and it needs authentication */
u_int8_t authorized = getAuthorizedUser(conn, request_info, username, sizeof(username), group, csrf, &localuser);
if(!authorized) {
char referer[255];
redirect_to_login(conn, request_info, make_referer(conn, referer, sizeof(referer)));
return(1); /* Handled */
}
}
if (origin != NULL) {
original_uri = request_info->uri;
snprintf(tmp_uri, sizeof(tmp_uri), "/lua/datasources/%s", origin);
}
json_object_put(j);
}
}
} else if(strncmp(request_info->uri, NTOPNG_WIDGET_URL, 9) == 0) {
char *ds_hash = &request_info->uri[9];
char rsp[1024];
int rc = ntop->getRedis()->hashGet(NTOPNG_WIDGET_KEY, ds_hash, rsp, sizeof(rsp));
if(rc == 0) {
json_object *j = json_tokener_parse(rsp);
if(j) {
/* {"scope":"private","alias":"luca2","origin":"main.lua","data_retention":1,"hash":"543c484ea2af859a9157480cea8b5903"} */
json_object *jorigin;
const char *origin = NULL;
if (json_object_object_get_ex(j, "origin", &jorigin))
origin = json_object_get_string(jorigin);
#if 0
const char *scope = json_object_get_string(json_object_object_get(j, "scope"));
if(strcmp(scope, "public") != 0) {
/* This is a private URL and it needs authentication */
u_int8_t authorized = getAuthorizedUser(conn, request_info, username, sizeof(username), group, csrf, &localuser);
if(!authorized) {
char referer[255];
redirect_to_login(conn, request_info, make_referer(conn, referer, sizeof(referer)));
return(1); /* Handled */
}
}
#endif
if (origin != NULL) {
original_uri = request_info->uri;
snprintf(tmp_uri, sizeof(tmp_uri), "/lua/widgets/%s", origin);
}
json_object_put(j);
}
}
}
#if 0
else if(!strcmp(request_info->uri, KINDLE_WIFISTUB_URL)) {
mg_printf(conn, "HTTP/1.1 302 Found\r\n"
"Expires: 0\r\n"
"Cache-Control: no-store, no-cache, must-revalidate\t\n"
"Pragma: no-cache\r\n"
"Referer: %s\r\n"
"Location: http://%s:%u%s%s%s\r\n\r\n",
request_info->uri,
mg_get_header(conn, "Host") ? mg_get_header(conn, "Host") : (char*)"",
CAPTIVE_PORTAL_PORT,
ntop->getPrefs()->getCaptivePortalUrl(),
request_info->query_string ? "?" : "",
request_info->query_string ? request_info->query_string : "");
return(1);
}
#endif
whitelisted = isWhitelistedURI(request_info->uri);
if(!isStaticResourceUrl(request_info, len)) {
/* Only check authorized for non-static resources */
u_int8_t authorized = getAuthorizedUser(conn, request_info, username, sizeof(username), group, csrf, &localuser);
/* Make sure there are existing interfaces for username. */
if(!ntop->checkUserInterfaces(username)) {
char session_id[NTOP_SESSION_ID_LENGTH];
mg_get_cookie(conn, "session", session_id, sizeof(session_id));
ntop->getTrace()->traceEvent(TRACE_WARNING, "[HTTP] user %s cannot login due to non-existent allowed_interface", username);
// send error and expire session cookie
mg_printf(conn,
"HTTP/1.1 403 Forbidden\r\n"
"Content-Type: text/html\r\n"
"Set-Cookie: session=%s; path=/; expires=Thu, 01-Jan-1970 00:00:01 GMT; max-age=0;%s\r\n" // Session ID
"Connection: close\r\n"
"\r\n\r\n%s", session_id,
get_secure_cookie_attributes(request_info),
ACCESS_DENIED_INTERFACES);
return(1);
}
if((!whitelisted) && (!authorized)) {
if(strcmp(request_info->uri, INTERFACE_DATA_URL) == 0) {
// avoid sending login redirect to allow js itself to redirect the user
return(send_error(conn, 403 /* Forbidden */, request_info->uri, "Login Required"));
} else {
char referer[255];
redirect_to_login(conn, request_info, make_referer(conn, referer, sizeof(referer)));
}
return(1);
} else if ((strcmp(request_info->uri, CHANGE_PASSWORD_ULR) != 0)
&& (strcmp(request_info->uri, LOGOUT_URL) != 0)
&& authorized
&& ntop->mustChangePassword(username)) {
redirect_to_password_change(conn, request_info);
return(1);
#ifdef HAVE_MYSQL
} else if(!whitelisted /* e.g. login.lua */
&& ntop->getPrefs()->do_dump_flows_on_mysql()
&& !MySQLDB::isDbCreated()
&& strcmp(request_info->uri, PLEASE_WAIT_URL)) {
redirect_to_please_wait(conn, request_info);
return(1);
#endif
} else if(strcmp(request_info->uri, AUTHORIZE_URL) == 0) {
authorize(conn, request_info, username, group, &localuser);
return(1);
}
}
#ifdef DEBUG
ntop->getTrace()->traceEvent(TRACE_WARNING, "Username = %s", username);
#endif
if(original_uri) {
request_info->uri = tmp_uri;
}
if(strstr(request_info->uri, "//")
|| strstr(request_info->uri, "&&")
|| strstr(request_info->uri, "??")
|| strstr(request_info->uri, "..")
|| strstr(request_info->uri, "\r")
|| strstr(request_info->uri, "\n")
) {
ntop->getTrace()->traceEvent(TRACE_WARNING, "[HTTP] The URL %s is invalid/dangerous",
request_info->uri);
if(original_uri) request_info->uri = original_uri;
return(redirect_to_error_page(conn, request_info, "bad_request", NULL, NULL));
}
if((strncmp(request_info->uri, "/lua/", 5) == 0)
|| (strcmp(request_info->uri, "/metrics") == 0)
|| (strncmp(request_info->uri, "/plugins/", 9) == 0)
|| (strcmp(request_info->uri, "/") == 0)) {
/* Lua Script */
char path[255] = { 0 }, uri[2048];
struct stat buf;
bool found;
if(strstr(request_info->uri, "/lua/pro")
&& (!ntop->getPrefs()->is_pro_edition())) {
if(original_uri) request_info->uri = original_uri;
return(redirect_to_error_page(conn, request_info, "pro_only", NULL, NULL));
}
if(strstr(request_info->uri, "/lua/pro/enterprise")
&& (!ntop->getPrefs()->is_enterprise_m_edition())) {
if(original_uri) request_info->uri = original_uri;
return(redirect_to_error_page(conn, request_info, "enterprise_only", NULL, NULL));
}
if((!whitelisted)
&& isCaptiveConnection(conn)
&& (!isCaptiveURL(request_info->uri))) {
redirect_to_login(conn, request_info, (referer[0] == '\0') ? NULL : referer);
if(original_uri) request_info->uri = original_uri;
return(0);
} else {
if(strcmp(request_info->uri, "/metrics") == 0)
snprintf(path, sizeof(path), "%s/lua/metrics.lua",
httpserver->get_scripts_dir());
else if(strncmp(request_info->uri, "/plugins/", 9) == 0)
snprintf(path, sizeof(path), "%s/scripts/%s",
ntop->get_plugins_dir(), request_info->uri + 9);
else
snprintf(path, sizeof(path), "%s%s%s",
httpserver->get_scripts_dir(),
Utils::getURL(len == 1 ? (char*)"/lua/index.lua" : request_info->uri, uri, sizeof(uri)),
len > 1 && request_info->uri[len-1] == '/' ? (char*)"index.lua" : (char*)"");
if(strlen(path) > 4 && strncmp(&path[strlen(path) - 4], ".lua", 4))
snprintf(&path[strlen(path)], sizeof(path) - strlen(path) - 1, "%s", (char*)".lua");
ntop->fixPath(path);
found = ((stat(path, &buf) == 0) && (S_ISREG(buf.st_mode))) ? true : false;
}
if(found) {
LuaEngine *l;
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] %s [%s]", request_info->uri, path);
try {
l = new LuaEngine(NULL);
} catch(std::bad_alloc& ba) {
ntop->getTrace()->traceEvent(TRACE_ERROR, "[HTTP] Unable to start Lua interpreter.");
if(original_uri) request_info->uri = original_uri;
return(send_error(conn, 500 /* Internal server error */,
"Internal server error", "%s", "Unable to start Lua interpreter."));
}
bool attack_attempt;
// NOTE: username is stored into the engine context, so we must guarantee
// that LuaEngine is destroyed after username goes out of context! Indeeed we delete LuaEngine below.
l->handle_script_request(conn, request_info, path, &attack_attempt, username, group, csrf, localuser);
if(attack_attempt) {
char buf[32];
ntop->getTrace()->traceEvent(TRACE_WARNING, "[HTTP] Potential attack from %s on %s",
Utils::intoaV4((unsigned int)conn->request_info.remote_ip, buf, sizeof(buf)),
request_info->uri);
}
delete l;
if(original_uri) request_info->uri = original_uri;
return(1); /* Handled */
}
if(original_uri) request_info->uri = original_uri;
uri_encode(request_info->uri, uri, sizeof(uri)-1);
return(redirect_to_error_page(conn, request_info, "not_found", NULL, NULL));
} else {
/* Prevent short URI or .inc files to be served */
if((len < 4)
|| (strncmp(&request_info->uri[len-4], ".inc", 4) == 0)
|| (strncmp(&request_info->uri[len-4], ".pem", 4) == 0)
) {
return(redirect_to_error_page(conn, request_info, "forbidden", NULL, NULL));
} else {
ntop->getTrace()->traceEvent(TRACE_INFO, "[HTTP] Serving file %s%s",
ntop->get_HTTPserver()->get_docs_dir(), request_info->uri);
request_info->query_string = ""; /* Discard things like ?v=4.4.0 */
return(0); /* This is a static document so let mongoose handle it */
}
}
}
/* ****************************************** */
static int handle_http_message(const struct mg_connection *conn, const char *message) {
ntop->getTrace()->traceEvent(TRACE_ERROR, "[HTTP] %s", message);
return 1;
}
/* ****************************************** */
bool HTTPserver::check_ssl_cert(char *ssl_cert_path, size_t ssl_cert_path_len) {
struct stat s;
int stat_rc;
ssl_cert_path[0] = '\0';
snprintf(ssl_cert_path, ssl_cert_path_len, "%s/ssl/%s",
docs_dir, CONST_HTTPS_CERT_NAME);
stat_rc = stat(ssl_cert_path, &s);
if(stat_rc == 0) {
ntop->getTrace()->traceEvent(TRACE_INFO, "Found SSL certificate %s", ssl_cert_path);
return true;
}
ntop->getTrace()->traceEvent(TRACE_NORMAL,
"HTTPS Disabled: missing SSL certificate %s", ssl_cert_path);
ntop->getTrace()->traceEvent(TRACE_NORMAL,
"Please read https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to enable SSL.");
return false;
}
/* ****************************************** */
void HTTPserver::parseACL(char * const acl, u_int acl_len) {
char *net, *net_ctx, *slash, *sign, *acl_key;
u_int32_t mask, bits, num = 0;
struct in_addr ipaddr;
const char * const comma = ",";
if(!acl || !acl_len)
return;
if(!(acl_key = (char*)malloc(acl_len))) {
ntop->getTrace()->traceEvent(TRACE_ERROR, "Unable to allocate acl_key memory");
return;
}
acl[0] = '\0';
ntop->getRedis()->get((char*)HTTP_ACL_MANAGEMENT_PORT, acl_key, acl_len, true);
if(acl_key[0] == '\0')
snprintf(acl, acl_len, "+0.0.0.0/0");
else {
for(net = strtok_r(acl_key, comma, &net_ctx); net; net = strtok_r(NULL, comma, &net_ctx)) {
sign = net++; /* Either a + or a - */
if((slash = strchr(net, '/'))) {
*slash++ = '\0';
bits = atoi(slash);
mask = 1 << (32 - bits);
if(inet_pton(AF_INET, net, &ipaddr) == 1) {
ipaddr.s_addr = htonl(ntohl(ipaddr.s_addr) & ~(mask - 1));
snprintf(&acl[strlen(acl)], acl_len - strlen(acl) - 1,
"%s%c%s/%d",
num++ ? (char*)"," : (char*)"", *sign, inet_ntoa(ipaddr), bits);
}
}
}
ntop->getTrace()->traceEvent(TRACE_NORMAL, "Access Control List set to: %s", acl);
}
free(acl_key);
}
/* ****************************************** */
static unsigned char ssl_session_ctx_id[] = PACKAGE_NAME "-" NTOPNG_GIT_RELEASE;
#ifdef NO_SSL_DL
int handle_ssl_verify(int ok, X509_STORE_CTX *ctx) {
X509 *cert;
char buf[256];
int err, depth;
cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
ntop->getTrace()->traceEvent(TRACE_DEBUG, "ssl verify pre=%d cert=%s err=%i depth=%i",ok,buf,err,depth);
// Never fail, continue SSL/TLS handshake, if client cert is invalid we want to fallback to explicit login
return 1;
};
int init_client_x509_auth(void *ctx) {
char buf[256];
char ssl_ca_path[MAX_PATH];
char ssl_cert_path[MAX_PATH];
STACK_OF(X509_NAME) *certnames;
snprintf(ssl_cert_path, sizeof(ssl_cert_path), "%s/ssl/%s", ntop->getPrefs()->get_docs_dir(), CONST_HTTPS_CERT_NAME);
snprintf(ssl_ca_path, sizeof(ssl_ca_path), "%s/ssl/%s", ntop->getPrefs()->get_docs_dir(),CONST_HTTPS_AUTHCA_FILE);
ntop->fixPath(ssl_ca_path),
ntop->fixPath(ssl_cert_path);
if(!SSL_CTX_set_session_id_context((SSL_CTX*)ctx, ssl_session_ctx_id, sizeof(ssl_session_ctx_id)>SSL_MAX_SSL_SESSION_ID_LENGTH?SSL_MAX_SSL_SESSION_ID_LENGTH:sizeof(ssl_session_ctx_id))) {
ntop->getTrace()->traceEvent(TRACE_WARNING, "SSL session init failed: %s", ERR_reason_error_string(ERR_get_error()));
return 0;
}
if(!SSL_CTX_load_verify_locations((SSL_CTX*)ctx, ssl_ca_path, NULL)) {
ntop->getTrace()->traceEvent(TRACE_WARNING, "SSL load client CA from '%s' failed: %s",
ssl_ca_path,
ERR_reason_error_string(ERR_get_error()));
return 0;
}
if(!SSL_CTX_use_certificate_file((SSL_CTX*)ctx, ssl_cert_path, 1)
|| !SSL_CTX_use_PrivateKey_file((SSL_CTX*)ctx, ssl_cert_path, 1))
return 0;
if((certnames = SSL_load_client_CA_file(ssl_ca_path))) {
SSL_CTX_set_client_CA_list((SSL_CTX*)ctx, certnames);
if((certnames = SSL_CTX_get_client_CA_list((SSL_CTX*)ctx))) {
for(int i = 0; i < sk_X509_NAME_num(certnames); i++) {
X509_NAME_oneline(sk_X509_NAME_value(certnames, i), buf, sizeof(buf));
ntop->getTrace()->traceEvent(TRACE_NORMAL, "SSL loaded CA #%i: %s", i, buf);
}
}
} else
ntop->getTrace()->traceEvent(TRACE_WARNING, "No SSL client loaded");
SSL_CTX_set_verify((SSL_CTX*)ctx, SSL_VERIFY_PEER, handle_ssl_verify);
ntop->getTrace()->traceEvent(TRACE_NORMAL, "SSL init [ssl_ca_path: %s][ssl_cert_path: %s]", ssl_ca_path, ssl_cert_path);
return 1;
};
#endif
/* ****************************************** */
HTTPserver::HTTPserver(const char *_docs_dir, const char *_scripts_dir) {
bool good_ssl_cert = false;
struct timeval tv;
memset(ports, 0, sizeof(ports)), memset(access_log_path, 0, sizeof(access_log_path));
use_http = true;
ntop->getPrefs()->get_http_binding_addresses(&http_binding_addr1, &http_binding_addr2);
ntop->getPrefs()->get_https_binding_addresses(&https_binding_addr1, &https_binding_addr2);
wispr_captive_data = NULL;
captive_redirect_addr = NULL;
gui_access_restricted = false;
can_accept_requests = false;
httpd_v4 = NULL;
cur_http_options = 0;
/* Build the URL rewrite pattern, required to handle the additional
* httpdocs directory for the plugins. Need to configure the rewrite for both the
* plugins0 and plugins1 directories. See plugins_utils.getHttpdocsDir */
snprintf(plugins_httpdocs_rewrite, sizeof(plugins_httpdocs_rewrite),
"/plugins0_httpdocs/=%s/httpdocs/,/plugins1_httpdocs/=%s/httpdocs/",
ntop->get_plugins0_dir(), ntop->get_plugins1_dir());
/* HTTP options */
addHTTPOption("listening_ports", ports);
addHTTPOption("enable_directory_listing", "no");
addHTTPOption("document_root", _docs_dir);
addHTTPOption("url_rewrite_patterns", plugins_httpdocs_rewrite);
addHTTPOption("access_control_list", acl_management);
/* (char*)"extra_mime_types", (char*)"" */ /* see mongoose.c */
addHTTPOption("num_threads", "5");
/* Randomize data */
gettimeofday(&tv, NULL);
srand(tv.tv_sec + tv.tv_usec);
parseACL(acl_management, sizeof(acl_management));
if(strcmp(acl_management, "+0.0.0.0/0")
|| http_binding_addr1[0] || http_binding_addr2[0]
|| https_binding_addr1[0] || https_binding_addr2[0])
gui_access_restricted = true;
docs_dir = strdup(_docs_dir), scripts_dir = strdup(_scripts_dir);
ssl_enabled = false;
httpserver = this;
#ifdef HAVE_NEDGE
httpd_captive_v4 = NULL;
#endif
if(ntop->getPrefs()->get_http_port() == 0) use_http = false;
if(use_http) {
snprintf(ports, sizeof(ports), "%s%s%d",
http_binding_addr1,
(http_binding_addr1[0] == '\0') ? "" : ":",
ntop->getPrefs()->get_http_port());
if(http_binding_addr2[0] && strcmp(http_binding_addr1, http_binding_addr2)) {
snprintf(&ports[strlen(ports)],
sizeof(ports) - strlen(ports) - 1, ",%s:%d",
http_binding_addr2,
ntop->getPrefs()->get_http_port());
}
}
good_ssl_cert = check_ssl_cert(ssl_cert_path, sizeof(ssl_cert_path));
if(good_ssl_cert && ntop->getPrefs()->get_https_port() > 0) {
ssl_enabled = true;
addHTTPOption("ssl_certificate", ssl_cert_path);
snprintf(&ports[strlen(ports)],
sizeof(ports) - strlen(ports) - 1,
"%s%s%s%ds",
use_http ? (char*)"," : "",
https_binding_addr1,
(https_binding_addr1[0] == '\0') ? "" : ":",
ntop->getPrefs()->get_https_port());
if(http_binding_addr2[0] && strcmp(https_binding_addr1, https_binding_addr2)) {
snprintf(&ports[strlen(ports)],
sizeof(ports) - strlen(ports) - 1, ",%s:%d",
https_binding_addr2,
ntop->getPrefs()->get_https_port());
}
}
if((!use_http) && (!ssl_enabled)) {
ntop->getTrace()->traceEvent(TRACE_WARNING,
"The HTTP server on the default port");
snprintf(ports, sizeof(ports), "%d", ntop->getPrefs()->get_http_port());
use_http = true;
}
if(ntop->getPrefs()->is_access_log_enabled()) {
snprintf(access_log_path, sizeof(access_log_path), "%s/ntopng_access.log",
ntop->get_working_dir());
addHTTPOption("access_log_file", access_log_path);
ntop->getTrace()->traceEvent(TRACE_NORMAL, "HTTP logs will be stored on %s", access_log_path);
}
http_prefix = ntop->getPrefs()->get_http_prefix(),
http_prefix_len = strlen(ntop->getPrefs()->get_http_prefix());
/* NOTE: the HTTP server must be started now as here ntopng still
* has admin privileges to possibly bind to privileged ports. */
startHttpServer();
/* NOTE: requests are still rejected until start_accepting_requests is
* called. */
};
/* ****************************************** */
void HTTPserver::startHttpServer() {
struct mg_callbacks callbacks;
memset(&callbacks, 0, sizeof(callbacks));
callbacks.begin_request = handle_lua_request;
callbacks.log_message = handle_http_message;
#ifdef NO_SSL_DL
if(ntop->getPrefs()->is_client_x509_auth_enabled())
callbacks.init_ssl = init_client_x509_auth;
#endif
#ifdef DEBUG_HTTP_OPTIONS
{
const char **k = http_options;
printf("Dumping %d HTTP options:\n", cur_http_options/2);
while(*k && *(k+1)) {
printf(" %s=%s\n", *k, *(k+1));
k+=2;
}
}
#endif
httpd_v4 = mg_start(&callbacks, NULL, http_options);
if(httpd_v4 == NULL) {
ntop->getTrace()->traceEvent(TRACE_ERROR,
"Unable to start HTTP server (IPv4) on ports %s",
ports);
if(errno)
ntop->getTrace()->traceEvent(TRACE_ERROR, "%s", strerror(errno));
ntop->getTrace()->traceEvent(TRACE_ERROR, "Either port in use or another ntopng instance is running (using the same port)");
exit(-1);
}
ntop->getTrace()->traceEvent(TRACE_NORMAL, "Web server dirs [%s][%s]", docs_dir, scripts_dir);
if(use_http)
ntop->getTrace()->traceEvent(TRACE_NORMAL, "HTTP server listening on %s%s%d",
http_binding_addr1[0] != '\0' ? http_binding_addr1 : (char*)"",
http_binding_addr1[0] != '\0' ? (char*)":" : (char*)"",
ntop->getPrefs()->get_http_port());
if(ssl_enabled)
ntop->getTrace()->traceEvent(TRACE_NORMAL, "HTTPS server listening on %s%s%d",
https_binding_addr1[0] != '\0' ? https_binding_addr1 : (char*)"",
https_binding_addr1[0] != '\0' ? (char*)":" : (char*)"",
ntop->getPrefs()->get_https_port());
}
/* ****************************************** */
HTTPserver::~HTTPserver() {
if(httpd_v4) mg_stop(httpd_v4);
#ifdef HAVE_NEDGE
if(httpd_captive_v4) mg_stop(httpd_captive_v4);
#endif
if(wispr_captive_data) free(wispr_captive_data);
if(captive_redirect_addr) free(captive_redirect_addr);
free(docs_dir), free(scripts_dir);
ntop->getTrace()->traceEvent(TRACE_NORMAL, "HTTP server terminated");
};
/* ****************************************** */
#ifdef HAVE_NEDGE
void HTTPserver::startCaptiveServer() {
struct mg_callbacks captive_callbacks;
char captive_port[64];
char access_log_path[MAX_PATH] = {0};
snprintf(captive_port, sizeof(captive_port), "%u", CAPTIVE_PORTAL_PORT);
static const char * http_captive_options[] = {
(char*)"listening_ports", captive_port,
(char*)"enable_directory_listing", (char*)"no",
(char*)"document_root", (char*)docs_dir,
(char*)"num_threads", (char*)"10",
NULL, NULL, NULL, NULL,
NULL
};
if(ntop->getPrefs()->is_access_log_enabled()) {
int i;
snprintf(access_log_path, sizeof(access_log_path), "%s/captive_access.log",
ntop->get_working_dir());
for(i=0; http_captive_options[i] != NULL; i++)
;
http_captive_options[i] = (char*)"access_log_file", http_captive_options[i+1] = access_log_path;
ntop->getTrace()->traceEvent(TRACE_NORMAL, "Captive portal HTTP logs will be stored on %s", access_log_path);
}
if(httpd_captive_v4) {
mg_stop(httpd_captive_v4);
httpd_captive_v4 = NULL;
}
if(ntop->getPrefs()->isCaptivePortalEnabled()) {
/* TODO: make simpler callbacks for the captive portal */
memset(&captive_callbacks, 0, sizeof(captive_callbacks));
captive_callbacks.begin_request = handle_lua_request;
captive_callbacks.log_message = handle_http_message;
httpd_captive_v4 = mg_start(&captive_callbacks, NULL, http_captive_options);
if(httpd_captive_v4 == NULL) {
ntop->getTrace()->traceEvent(TRACE_ERROR,
"Unable to start HTTP (captive) server (IPv4) on port %s. "
"Captive portal needs port %s. Make sure this port"
"is not in use by ntopng (option -w) or by any other process.",
captive_port, captive_port);
if(errno)
ntop->getTrace()->traceEvent(TRACE_ERROR, "%s", strerror(errno));
exit(-1);
} else
ntop->getTrace()->traceEvent(TRACE_NORMAL, "HTTP (captive) server listening on port %s",
captive_port);
}
}
#endif
/* ****************************************** */
void HTTPserver::addHTTPOption(const char *k, const char*v) {
const int max_http_options = sizeof(http_options) / sizeof(http_options[0]);
if(httpd_v4) {
ntop->getTrace()->traceEvent(TRACE_ERROR, "HTTPserver::addHTTPOption called after HTTP server start. Please report this bug.");
throw 1;
}
/* NOTE: last two buckets in http_options are reserved for NULL,NULL */
if(cur_http_options+4 > max_http_options) {
ntop->getTrace()->traceEvent(TRACE_ERROR, "Max HTTP options reached. Please report this bug.");
throw 1;
}
http_options[cur_http_options++] = k;
http_options[cur_http_options++] = v;
http_options[cur_http_options+0] = NULL;
http_options[cur_http_options+1] = NULL;
}
/* ****************************************** */
bool HTTPserver::accepts_requests() {
return(can_accept_requests && !ntop->getGlobals()->isShutdown());
};
Reference in a new issue View git blame Copy permalink