Merge b2c85732d52f5ae83134a9d5f2c67e05875bdb00 into b4d5d8c756bfa7c5f4fc73c3dff48678d0110fce

.golangci.yml

@@ -88,7 +88,6 @@ linters-settings:
     excludes:
     - G401
     - G402
-    - G404
     - G501
 
 issues:

Release.md

@@ -1,3 +1,8 @@
 ### Features
 
-* Added a new plugin `tls2raw`: Enables TLS termination and forwarding of decrypted raw traffic to local service.
+* Added a new plugin "http2http" which allows forwarding HTTP requests to another HTTP server, supporting options like local address binding, host header rewrite, and custom request headers.
+* Added `enableHTTP2` option to control whether to enable HTTP/2 in plugin https2http and https2https, default is true.
+
+### Changes
+
+* Plugin https2http & https2https: return 421 `Misdirected Request` if host not match sni.

client/proxy/proxy.go

@@ -192,7 +192,7 @@ func (pxy *BaseProxy) HandleTCPWorkConnection(workConn net.Conn, m *msg.StartWor
 	if pxy.proxyPlugin != nil {
 		// if plugin is set, let plugin handle connection first
 		xl.Debugf("handle by plugin: %s", pxy.proxyPlugin.Name())
-		pxy.proxyPlugin.Handle(pxy.ctx, remote, workConn, &extraInfo)
+		pxy.proxyPlugin.Handle(remote, workConn, &extraInfo)
 		xl.Debugf("handle by plugin finished")
 		return
 	}

conf/frpc_full_example.toml

@@ -325,16 +325,6 @@ localAddr = "127.0.0.1:80"
 hostHeaderRewrite = "127.0.0.1"
 requestHeaders.set.x-from-where = "frp"
 
-[[proxies]]
-name = "plugin_tls2raw"
-type = "https"
-remotePort = 6008
-[proxies.plugin]
-type = "tls2raw"
-localAddr = "127.0.0.1:80"
-crtPath = "./server.crt"
-keyPath = "./server.key"
-
 [[proxies]]
 name = "secret_tcp"
 # If the type is secret tcp, remotePort is useless

pkg/config/v1/plugin.go

@@ -83,7 +83,6 @@ const (
 	PluginSocks5           = "socks5"
 	PluginStaticFile       = "static_file"
 	PluginUnixDomainSocket = "unix_domain_socket"
-	PluginTLS2Raw          = "tls2raw"
 )
 
 var clientPluginOptionsTypeMap = map[string]reflect.Type{
@@ -95,7 +94,6 @@ var clientPluginOptionsTypeMap = map[string]reflect.Type{
 	PluginSocks5:           reflect.TypeOf(Socks5PluginOptions{}),
 	PluginStaticFile:       reflect.TypeOf(StaticFilePluginOptions{}),
 	PluginUnixDomainSocket: reflect.TypeOf(UnixDomainSocketPluginOptions{}),
-	PluginTLS2Raw:          reflect.TypeOf(TLS2RawPluginOptions{}),
 }
 
 type HTTP2HTTPSPluginOptions struct {
@@ -176,12 +174,3 @@ type UnixDomainSocketPluginOptions struct {
 }
 
 func (o *UnixDomainSocketPluginOptions) Complete() {}
-
-type TLS2RawPluginOptions struct {
-	Type      string `json:"type,omitempty"`
-	LocalAddr string `json:"localAddr,omitempty"`
-	CrtPath   string `json:"crtPath,omitempty"`
-	KeyPath   string `json:"keyPath,omitempty"`
-}
-
-func (o *TLS2RawPluginOptions) Complete() {}

pkg/config/v1/validation/plugin.go

@@ -32,8 +32,6 @@ func ValidateClientPluginOptions(c v1.ClientPluginOptions) error {
 		return validateStaticFilePluginOptions(v)
 	case *v1.UnixDomainSocketPluginOptions:
 		return validateUnixDomainSocketPluginOptions(v)
-	case *v1.TLS2RawPluginOptions:
-		return validateTLS2RawPluginOptions(v)
 	}
 	return nil
 }
@@ -72,10 +70,3 @@ func validateUnixDomainSocketPluginOptions(c *v1.UnixDomainSocketPluginOptions)
 	}
 	return nil
 }
-
-func validateTLS2RawPluginOptions(c *v1.TLS2RawPluginOptions) error {
-	if c.LocalAddr == "" {
-		return errors.New("localAddr is required")
-	}
-	return nil
-}

pkg/plugin/client/http2http.go

@@ -12,12 +12,9 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-//go:build !frps
-
 package plugin
 
 import (
-	"context"
 	"io"
 	stdlog "log"
 	"net"
@@ -80,7 +77,7 @@ func NewHTTP2HTTPPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 	return p, nil
 }
 
-func (p *HTTP2HTTPPlugin) Handle(_ context.Context, conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
+func (p *HTTP2HTTPPlugin) Handle(conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
 	wrapConn := netpkg.WrapReadWriteCloserToConn(conn, realConn)
 	_ = p.l.PutConn(wrapConn)
 }

pkg/plugin/client/http2https.go

@@ -17,7 +17,6 @@
 package plugin
 
 import (
-	"context"
 	"crypto/tls"
 	"io"
 	stdlog "log"
@@ -89,7 +88,7 @@ func NewHTTP2HTTPSPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 	return p, nil
 }
 
-func (p *HTTP2HTTPSPlugin) Handle(_ context.Context, conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
+func (p *HTTP2HTTPSPlugin) Handle(conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
 	wrapConn := netpkg.WrapReadWriteCloserToConn(conn, realConn)
 	_ = p.l.PutConn(wrapConn)
 }

pkg/plugin/client/http_proxy.go

@@ -18,7 +18,6 @@ package plugin
 
 import (
 	"bufio"
-	"context"
 	"encoding/base64"
 	"io"
 	"net"
@@ -69,7 +68,7 @@ func (hp *HTTPProxy) Name() string {
 	return v1.PluginHTTPProxy
 }
 
-func (hp *HTTPProxy) Handle(_ context.Context, conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
+func (hp *HTTPProxy) Handle(conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
 	wrapConn := netpkg.WrapReadWriteCloserToConn(conn, realConn)
 
 	sc, rd := libnet.NewSharedConn(wrapConn)

pkg/plugin/client/https2http.go

@@ -17,7 +17,6 @@
 package plugin
 
 import (
-	"context"
 	"crypto/tls"
 	"fmt"
 	"io"
@@ -86,7 +85,16 @@ func NewHTTPS2HTTPPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 		rp.ServeHTTP(w, r)
 	})
 
-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
+	var (
+		tlsConfig *tls.Config
+		err       error
+	)
+	if opts.CrtPath != "" || opts.KeyPath != "" {
+		tlsConfig, err = p.genTLSConfig()
+	} else {
+		tlsConfig, err = transport.NewServerTLSConfig("", "", "")
+		tlsConfig.InsecureSkipVerify = true
+	}
 	if err != nil {
 		return nil, fmt.Errorf("gen TLS config error: %v", err)
 	}
@@ -106,7 +114,17 @@ func NewHTTPS2HTTPPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 	return p, nil
 }
 
-func (p *HTTPS2HTTPPlugin) Handle(_ context.Context, conn io.ReadWriteCloser, realConn net.Conn, extra *ExtraInfo) {
+func (p *HTTPS2HTTPPlugin) genTLSConfig() (*tls.Config, error) {
+	cert, err := tls.LoadX509KeyPair(p.opts.CrtPath, p.opts.KeyPath)
+	if err != nil {
+		return nil, err
+	}
+
+	config := &tls.Config{Certificates: []tls.Certificate{cert}}
+	return config, nil
+}
+
+func (p *HTTPS2HTTPPlugin) Handle(conn io.ReadWriteCloser, realConn net.Conn, extra *ExtraInfo) {
 	wrapConn := netpkg.WrapReadWriteCloserToConn(conn, realConn)
 	if extra.SrcAddr != nil {
 		wrapConn.SetRemoteAddr(extra.SrcAddr)

pkg/plugin/client/https2https.go

@@ -17,7 +17,6 @@
 package plugin
 
 import (
-	"context"
 	"crypto/tls"
 	"fmt"
 	"io"
@@ -92,7 +91,16 @@ func NewHTTPS2HTTPSPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 		rp.ServeHTTP(w, r)
 	})
 
-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
+	var (
+		tlsConfig *tls.Config
+		err       error
+	)
+	if opts.CrtPath != "" || opts.KeyPath != "" {
+		tlsConfig, err = p.genTLSConfig()
+	} else {
+		tlsConfig, err = transport.NewServerTLSConfig("", "", "")
+		tlsConfig.InsecureSkipVerify = true
+	}
 	if err != nil {
 		return nil, fmt.Errorf("gen TLS config error: %v", err)
 	}
@@ -112,7 +120,17 @@ func NewHTTPS2HTTPSPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 	return p, nil
 }
 
-func (p *HTTPS2HTTPSPlugin) Handle(_ context.Context, conn io.ReadWriteCloser, realConn net.Conn, extra *ExtraInfo) {
+func (p *HTTPS2HTTPSPlugin) genTLSConfig() (*tls.Config, error) {
+	cert, err := tls.LoadX509KeyPair(p.opts.CrtPath, p.opts.KeyPath)
+	if err != nil {
+		return nil, err
+	}
+
+	config := &tls.Config{Certificates: []tls.Certificate{cert}}
+	return config, nil
+}
+
+func (p *HTTPS2HTTPSPlugin) Handle(conn io.ReadWriteCloser, realConn net.Conn, extra *ExtraInfo) {
 	wrapConn := netpkg.WrapReadWriteCloserToConn(conn, realConn)
 	if extra.SrcAddr != nil {
 		wrapConn.SetRemoteAddr(extra.SrcAddr)

pkg/plugin/client/plugin.go

@@ -15,7 +15,6 @@
 package plugin
 
 import (
-	"context"
 	"fmt"
 	"io"
 	"net"
@@ -58,7 +57,7 @@ type ExtraInfo struct {
 type Plugin interface {
 	Name() string
 
-	Handle(ctx context.Context, conn io.ReadWriteCloser, realConn net.Conn, extra *ExtraInfo)
+	Handle(conn io.ReadWriteCloser, realConn net.Conn, extra *ExtraInfo)
 	Close() error
 }
 

pkg/plugin/client/socks5.go

@@ -17,7 +17,6 @@
 package plugin
 
 import (
-	"context"
 	"io"
 	"log"
 	"net"
@@ -51,7 +50,7 @@ func NewSocks5Plugin(options v1.ClientPluginOptions) (p Plugin, err error) {
 	return
 }
 
-func (sp *Socks5Plugin) Handle(_ context.Context, conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
+func (sp *Socks5Plugin) Handle(conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
 	defer conn.Close()
 	wrapConn := netpkg.WrapReadWriteCloserToConn(conn, realConn)
 	_ = sp.Server.ServeConn(wrapConn)

pkg/plugin/client/static_file.go

@@ -17,7 +17,6 @@
 package plugin
 
 import (
-	"context"
 	"io"
 	"net"
 	"net/http"
@@ -70,7 +69,7 @@ func NewStaticFilePlugin(options v1.ClientPluginOptions) (Plugin, error) {
 	return sp, nil
 }
 
-func (sp *StaticFilePlugin) Handle(_ context.Context, conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
+func (sp *StaticFilePlugin) Handle(conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
 	wrapConn := netpkg.WrapReadWriteCloserToConn(conn, realConn)
 	_ = sp.l.PutConn(wrapConn)
 }

pkg/plugin/client/tls2raw.go

@@ -1,83 +0,0 @@
-// Copyright 2024 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !frps
-
-package plugin
-
-import (
-	"context"
-	"crypto/tls"
-	"io"
-	"net"
-
-	libio "github.com/fatedier/golib/io"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/transport"
-	netpkg "github.com/fatedier/frp/pkg/util/net"
-	"github.com/fatedier/frp/pkg/util/xlog"
-)
-
-func init() {
-	Register(v1.PluginTLS2Raw, NewTLS2RawPlugin)
-}
-
-type TLS2RawPlugin struct {
-	opts *v1.TLS2RawPluginOptions
-
-	tlsConfig *tls.Config
-}
-
-func NewTLS2RawPlugin(options v1.ClientPluginOptions) (Plugin, error) {
-	opts := options.(*v1.TLS2RawPluginOptions)
-
-	p := &TLS2RawPlugin{
-		opts: opts,
-	}
-
-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
-	if err != nil {
-		return nil, err
-	}
-	p.tlsConfig = tlsConfig
-	return p, nil
-}
-
-func (p *TLS2RawPlugin) Handle(ctx context.Context, conn io.ReadWriteCloser, realConn net.Conn, _ *ExtraInfo) {
-	xl := xlog.FromContextSafe(ctx)
-
-	wrapConn := netpkg.WrapReadWriteCloserToConn(conn, realConn)
-	tlsConn := tls.Server(wrapConn, p.tlsConfig)
-
-	if err := tlsConn.Handshake(); err != nil {
-		xl.Warnf("tls handshake error: %v", err)
-		return
-	}
-	rawConn, err := net.Dial("tcp", p.opts.LocalAddr)
-	if err != nil {
-		xl.Warnf("dial to local addr error: %v", err)
-		return
-	}
-
-	libio.Join(tlsConn, rawConn)
-}
-
-func (p *TLS2RawPlugin) Name() string {
-	return v1.PluginTLS2Raw
-}
-
-func (p *TLS2RawPlugin) Close() error {
-	return nil
-}

pkg/plugin/client/unix_domain_socket.go

@@ -17,14 +17,12 @@
 package plugin
 
 import (
-	"context"
 	"io"
 	"net"
 
 	libio "github.com/fatedier/golib/io"
 
 	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/util/xlog"
 )
 
 func init() {
@@ -50,11 +48,9 @@ func NewUnixDomainSocketPlugin(options v1.ClientPluginOptions) (p Plugin, err er
 	return
 }
 
-func (uds *UnixDomainSocketPlugin) Handle(ctx context.Context, conn io.ReadWriteCloser, _ net.Conn, extra *ExtraInfo) {
+func (uds *UnixDomainSocketPlugin) Handle(conn io.ReadWriteCloser, _ net.Conn, extra *ExtraInfo) {
-	xl := xlog.FromContextSafe(ctx)
 	localConn, err := net.DialUnix("unix", nil, uds.UnixAddr)
 	if err != nil {
-		xl.Warnf("dial to uds %s error: %v", uds.UnixAddr, err)
 		return
 	}
 	if extra.ProxyProtocolHeader != nil {

test/e2e/v1/plugin/client.go

@@ -402,50 +402,4 @@ var _ = ginkgo.Describe("[Feature: Client-Plugins]", func() {
 				Ensure()
 		})
 	})
-
-	ginkgo.It("tls2raw", func() {
-		generator := &cert.SelfSignedCertGenerator{}
-		artifacts, err := generator.Generate("example.com")
-		framework.ExpectNoError(err)
-		crtPath := f.WriteTempFile("tls2raw_server.crt", string(artifacts.Cert))
-		keyPath := f.WriteTempFile("tls2raw_server.key", string(artifacts.Key))
-
-		serverConf := consts.DefaultServerConfig
-		vhostHTTPSPort := f.AllocPort()
-		serverConf += fmt.Sprintf(`
-		vhostHTTPSPort = %d
-		`, vhostHTTPSPort)
-
-		localPort := f.AllocPort()
-		clientConf := consts.DefaultClientConfig + fmt.Sprintf(`
-		[[proxies]]
-		name = "tls2raw-test"
-		type = "https"
-		customDomains = ["example.com"]
-		[proxies.plugin]
-		type = "tls2raw"
-		localAddr = "127.0.0.1:%d"
-		crtPath = "%s"
-		keyPath = "%s"
-		`, localPort, crtPath, keyPath)
-
-		f.RunProcesses([]string{serverConf}, []string{clientConf})
-
-		localServer := httpserver.New(
-			httpserver.WithBindPort(localPort),
-			httpserver.WithResponse([]byte("test")),
-		)
-		f.RunServer("", localServer)
-
-		framework.NewRequestExpect(f).
-			Port(vhostHTTPSPort).
-			RequestModify(func(r *request.Request) {
-				r.HTTPS().HTTPHost("example.com").TLSConfig(&tls.Config{
-					ServerName:         "example.com",
-					InsecureSkipVerify: true,
-				})
-			}).
-			ExpectResp([]byte("test")).
-			Ensure()
-	})
 })