cvmts/src/net/ws/WSServer.ts

import * as http from 'http';
import { NetworkServer } from '../NetworkServer.js';
import EventEmitter from 'events';
import { WebSocketServer, WebSocket } from 'ws';
import internal from 'stream';
import IConfig from '../../IConfig.js';
import { isIP } from 'net';
import { IPDataManager } from '../../IPData.js';
import WSClient from './WSClient.js';
import { User } from '../../User.js';
import pino from 'pino';
import { BanManager } from '../../BanManager.js';

const kAllowedProtocols = [
	"guacamole" // Regular ol' collabvm1 protocol
]

export default class WSServer extends EventEmitter implements NetworkServer {
	private httpServer: http.Server;
	private wsServer: WebSocketServer;
	private clients: WSClient[];
	private Config: IConfig;
	private logger = pino({ name: 'CVMTS.WSServer' });
	private banmgr: BanManager;

	constructor(config: IConfig, banmgr: BanManager) {
		super();
		this.Config = config;
		this.clients = [];
		this.httpServer = http.createServer();
		this.wsServer = new WebSocketServer({ noServer: true, perMessageDeflate: false, clientTracking: false });
		this.httpServer.on('upgrade', (req: http.IncomingMessage, socket: internal.Duplex, head: Buffer) => this.httpOnUpgrade(req, socket, head));
		this.httpServer.on('request', (req, res) => {
			res.writeHead(426);
			res.write('This server only accepts WebSocket connections.');
			res.end();
		});
		this.banmgr = banmgr;
	}

	start(): void {
		this.httpServer.listen(this.Config.http.port, this.Config.http.host, () => {
			this.logger.info(`WebSocket server listening on ${this.Config.http.host}:${this.Config.http.port}`);
		});
	}

	stop(): void {
		this.httpServer.close();
	}

	private async httpOnUpgrade(req: http.IncomingMessage, socket: internal.Duplex, head: Buffer) {
		var killConnection = () => {
			socket.write('HTTP/1.1 400 Bad Request\n\n400 Bad Request');
			socket.destroy();
		};

		let protocol = req.headers['sec-websocket-protocol'];

		if (!protocol || kAllowedProtocols.indexOf(protocol) === -1) {
			killConnection();
			return;
		}

		if (this.Config.http.origin) {
			// If the client is not sending an Origin header, kill the connection.
			if (!req.headers.origin) {
				killConnection();
				return;
			}

			// Try to parse the Origin header sent by the client, if it fails, kill the connection.
			var _uri;
			var _host;
			try {
				_uri = new URL(req.headers.origin.toLowerCase());
				_host = _uri.host;
			} catch {
				killConnection();
				return;
			}

			// detect fake origin headers
			if (_uri.pathname !== '/' || _uri.search !== '') {
				killConnection();
				return;
			}

			// If the domain name is not in the list of allowed origins, kill the connection.
			if (!this.Config.http.originAllowedDomains.includes(_host)) {
				killConnection();
				return;
			}
		}

		let ip: string;
		if (this.Config.http.proxying) {
			// If the requesting IP isn't allowed to proxy, kill it
			if (this.Config.http.proxyAllowedIps.indexOf(req.socket.remoteAddress!) === -1) {
				killConnection();
				return;
			}
			// Make sure x-forwarded-for is set
			if (req.headers['x-forwarded-for'] === undefined) {
				killConnection();
				this.logger.error('X-Forwarded-For header not set. This is most likely a misconfiguration of your reverse proxy.');
				return;
			}
			try {
				// Get the first IP from the X-Forwarded-For variable
				ip = req.headers['x-forwarded-for']?.toString().replace(/\ /g, '').split(',')[0];
			} catch {
				// If we can't get the IP, kill the connection
				this.logger.error('Invalid X-Forwarded-For header. This is most likely a misconfiguration of your reverse proxy.');
				killConnection();
				return;
			}
			// If for some reason the IP isn't defined, kill it
			if (!ip) {
				killConnection();
				return;
			}
			// Make sure the IP is valid. If not, kill the connection.
			if (!isIP(ip)) {
				killConnection();
				return;
			}
		} else {
			if (!req.socket.remoteAddress) return;
			ip = req.socket.remoteAddress;
		}

		if (await this.banmgr.isIPBanned(ip)) {
			socket.write('HTTP/1.1 403 Forbidden\n\nYou have been banned.');
			socket.destroy();
			return;
		}

		this.wsServer.handleUpgrade(req, socket, head, (ws: WebSocket) => {
			this.wsServer.emit('connection', ws, req);
			this.onConnection(ws, req, ip, protocol);
		});
	}

	private onConnection(ws: WebSocket, req: http.IncomingMessage, ip: string, protocol: string) {
		let client = new WSClient(ws, ip);
		this.clients.push(client);
		let user = new User(client, protocol, IPDataManager.GetIPData(ip), this.Config);

		this.emit('connect', user);

		ws.on('error', (e) => {
			this.logger.error(`${e} (caused by connection ${ip})`);
			ws.close();
		});

		this.logger.info(`New WebSocket connection from ${user.IP.address}`);
	}
}
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`import * as http from 'http';`
make network abstraction pass bare buffer this bitrots tcp a bit. once the tcp protocol is replaced with a message based one it shouild be fine 2024-08-22 04:20:26 -04:00			`import { NetworkServer } from '../NetworkServer.js';`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`import EventEmitter from 'events';`
			`import { WebSocketServer, WebSocket } from 'ws';`
			`import internal from 'stream';`
re-org source tree slightly network layer is net/ protocol is protocol/ 2024-08-22 04:26:17 -04:00			`import IConfig from '../../IConfig.js';`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`import { isIP } from 'net';`
re-org source tree slightly network layer is net/ protocol is protocol/ 2024-08-22 04:26:17 -04:00			`import { IPDataManager } from '../../IPData.js';`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`import WSClient from './WSClient.js';`
re-org source tree slightly network layer is net/ protocol is protocol/ 2024-08-22 04:26:17 -04:00			`import { User } from '../../User.js';`
cvmts: Use npm versions of superqemu/nodejs-rfb. We publish them now, so let's use them in cvmts! Additionally, this removes the 'shared' module entirely, since it has little purpose anymore. The logger is replaced with pino (because superqemu uses pino for logging itself). 2024-07-16 08:29:52 -04:00			`import pino from 'pino';`
re-org source tree slightly network layer is net/ protocol is protocol/ 2024-08-22 04:26:17 -04:00			`import { BanManager } from '../../BanManager.js';`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00
cvmts: Move initial protocol selection to transport layer 2025-03-21 20:29:16 -04:00			`const kAllowedProtocols = [`
			`"guacamole" // Regular ol' collabvm1 protocol`
			`]`

abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`export default class WSServer extends EventEmitter implements NetworkServer {`
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00			`private httpServer: http.Server;`
			`private wsServer: WebSocketServer;`
			`private clients: WSClient[];`
			`private Config: IConfig;`
cvmts: Use npm versions of superqemu/nodejs-rfb. We publish them now, so let's use them in cvmts! Additionally, this removes the 'shared' module entirely, since it has little purpose anymore. The logger is replaced with pino (because superqemu uses pino for logging itself). 2024-07-16 08:29:52 -04:00			`private logger = pino({ name: 'CVMTS.WSServer' });`
Add internal banning (cvmban) using MySQL 2024-07-31 16:34:42 -04:00			`private banmgr: BanManager;`
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00
Add internal banning (cvmban) using MySQL 2024-07-31 16:34:42 -04:00			`constructor(config: IConfig, banmgr: BanManager) {`
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00			`super();`
			`this.Config = config;`
			`this.clients = [];`
			`this.httpServer = http.createServer();`
cvmts: Explicitly disable ws PMD/tracking Seems to fix or at least make a pretty bad memory leak much slower. I hate ws but the only other library is written by someone who isn't a very nice person (putting it on the nice side) 2024-09-05 04:15:19 -04:00			`this.wsServer = new WebSocketServer({ noServer: true, perMessageDeflate: false, clientTracking: false });`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`this.httpServer.on('upgrade', (req: http.IncomingMessage, socket: internal.Duplex, head: Buffer) => this.httpOnUpgrade(req, socket, head));`
			`this.httpServer.on('request', (req, res) => {`
			`res.writeHead(426);`
			`res.write('This server only accepts WebSocket connections.');`
			`res.end();`
			`});`
Add internal banning (cvmban) using MySQL 2024-07-31 16:34:42 -04:00			`this.banmgr = banmgr;`
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00			`}`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00			`start(): void {`
			`this.httpServer.listen(this.Config.http.port, this.Config.http.host, () => {`
cvmts: Use npm versions of superqemu/nodejs-rfb. We publish them now, so let's use them in cvmts! Additionally, this removes the 'shared' module entirely, since it has little purpose anymore. The logger is replaced with pino (because superqemu uses pino for logging itself). 2024-07-16 08:29:52 -04:00			this.logger.info(`WebSocket server listening on ${this.Config.http.host}:${this.Config.http.port}`);
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00			`});`
			`}`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00			`stop(): void {`
			`this.httpServer.close();`
			`}`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00
Add internal banning (cvmban) using MySQL 2024-07-31 16:34:42 -04:00			`private async httpOnUpgrade(req: http.IncomingMessage, socket: internal.Duplex, head: Buffer) {`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`var killConnection = () => {`
			`socket.write('HTTP/1.1 400 Bad Request\n\n400 Bad Request');`
			`socket.destroy();`
			`};`

cvmts: Move initial protocol selection to transport layer 2025-03-21 20:29:16 -04:00			`let protocol = req.headers['sec-websocket-protocol'];`

			`if (!protocol \|\| kAllowedProtocols.indexOf(protocol) === -1) {`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`killConnection();`
			`return;`
			`}`

			`if (this.Config.http.origin) {`
			`// If the client is not sending an Origin header, kill the connection.`
			`if (!req.headers.origin) {`
			`killConnection();`
			`return;`
			`}`

			`// Try to parse the Origin header sent by the client, if it fails, kill the connection.`
			`var _uri;`
			`var _host;`
			`try {`
			`_uri = new URL(req.headers.origin.toLowerCase());`
			`_host = _uri.host;`
			`} catch {`
			`killConnection();`
			`return;`
			`}`

			`// detect fake origin headers`
			`if (_uri.pathname !== '/' \|\| _uri.search !== '') {`
			`killConnection();`
			`return;`
			`}`

			`// If the domain name is not in the list of allowed origins, kill the connection.`
			`if (!this.Config.http.originAllowedDomains.includes(_host)) {`
			`killConnection();`
			`return;`
			`}`
			`}`

			`let ip: string;`
			`if (this.Config.http.proxying) {`
			`// If the requesting IP isn't allowed to proxy, kill it`
			`if (this.Config.http.proxyAllowedIps.indexOf(req.socket.remoteAddress!) === -1) {`
			`killConnection();`
			`return;`
			`}`
			`// Make sure x-forwarded-for is set`
			`if (req.headers['x-forwarded-for'] === undefined) {`
			`killConnection();`
cvmts: Use npm versions of superqemu/nodejs-rfb. We publish them now, so let's use them in cvmts! Additionally, this removes the 'shared' module entirely, since it has little purpose anymore. The logger is replaced with pino (because superqemu uses pino for logging itself). 2024-07-16 08:29:52 -04:00			`this.logger.error('X-Forwarded-For header not set. This is most likely a misconfiguration of your reverse proxy.');`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`return;`
			`}`
			`try {`
			`// Get the first IP from the X-Forwarded-For variable`
			`ip = req.headers['x-forwarded-for']?.toString().replace(/\ /g, '').split(',')[0];`
			`} catch {`
			`// If we can't get the IP, kill the connection`
cvmts: Use npm versions of superqemu/nodejs-rfb. We publish them now, so let's use them in cvmts! Additionally, this removes the 'shared' module entirely, since it has little purpose anymore. The logger is replaced with pino (because superqemu uses pino for logging itself). 2024-07-16 08:29:52 -04:00			`this.logger.error('Invalid X-Forwarded-For header. This is most likely a misconfiguration of your reverse proxy.');`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`killConnection();`
			`return;`
			`}`
			`// If for some reason the IP isn't defined, kill it`
			`if (!ip) {`
			`killConnection();`
			`return;`
			`}`
			`// Make sure the IP is valid. If not, kill the connection.`
			`if (!isIP(ip)) {`
			`killConnection();`
			`return;`
			`}`
			`} else {`
			`if (!req.socket.remoteAddress) return;`
			`ip = req.socket.remoteAddress;`
			`}`

Add internal banning (cvmban) using MySQL 2024-07-31 16:34:42 -04:00			`if (await this.banmgr.isIPBanned(ip)) {`
chore: comment config.example.toml and format code with prettier/cargo 2024-08-04 15:50:00 -04:00			`socket.write('HTTP/1.1 403 Forbidden\n\nYou have been banned.');`
Add internal banning (cvmban) using MySQL 2024-07-31 16:34:42 -04:00			`socket.destroy();`
			`return;`
			`}`

abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`this.wsServer.handleUpgrade(req, socket, head, (ws: WebSocket) => {`
			`this.wsServer.emit('connection', ws, req);`
cvmts: Move initial protocol selection to transport layer 2025-03-21 20:29:16 -04:00			`this.onConnection(ws, req, ip, protocol);`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`});`
			`}`

cvmts: Move initial protocol selection to transport layer 2025-03-21 20:29:16 -04:00			`private onConnection(ws: WebSocket, req: http.IncomingMessage, ip: string, protocol: string) {`
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00			`let client = new WSClient(ws, ip);`
			`this.clients.push(client);`
cvmts: Move initial protocol selection to transport layer 2025-03-21 20:29:16 -04:00			`let user = new User(client, protocol, IPDataManager.GetIPData(ip), this.Config);`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00
prettier reformat for merge (and remove jpeg-turbo Again) 2024-06-22 21:26:49 -04:00			`this.emit('connect', user);`
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00
			`ws.on('error', (e) => {`
cvmts: Use npm versions of superqemu/nodejs-rfb. We publish them now, so let's use them in cvmts! Additionally, this removes the 'shared' module entirely, since it has little purpose anymore. The logger is replaced with pino (because superqemu uses pino for logging itself). 2024-07-16 08:29:52 -04:00			this.logger.error(`${e} (caused by connection ${ip})`);
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`ws.close();`
			`});`

cvmts: Use npm versions of superqemu/nodejs-rfb. We publish them now, so let's use them in cvmts! Additionally, this removes the 'shared' module entirely, since it has little purpose anymore. The logger is replaced with pino (because superqemu uses pino for logging itself). 2024-07-16 08:29:52 -04:00			this.logger.info(`New WebSocket connection from ${user.IP.address}`);
abstract websocket to allow additional transport layers 2024-05-26 23:19:55 -04:00			`}`
cvmts: reimplement connection limit using ipdata 2024-06-19 17:56:55 -04:00			`}`