ego008 · May 8, 2018 13:17
diff --git a/tlsprox.go b/tlsprox.go
 /* tlsprox - minimal tls MITM transparent proxy... in go!
 * by @tam7t
 *
 * Usage:
 *  If we want to MITM https://example.com first get example.com's ip address
 *  then add localhost to /etc/hosts:
 *
 *  127.0.0.1 example.com
 *
 * 	> go build tlsprox.go
 * 	> sudo ./tlsprox.go -raddr=<example.com ip addr>:443
 */

 package main

 import (
 	"crypto/tls"
 	"flag"
 	"io"
 	"log"
 	"net"
 	"os"
 )

 func main() {
 	var certFile, keyFile, listenAddr, remoteAddr string

 	flag.StringVar(&certFile, "cert", "cert.pem", "certificate")
 	flag.StringVar(&keyFile, "key", "key.pem", "key")
 	flag.StringVar(&listenAddr, "laddr", ":443", "listener address")
 	flag.StringVar(&remoteAddr, "raddr", "8.8.8.8:443", "remote address")

 	flag.Parse()

 	var cert, _ = tls.LoadX509KeyPair(certFile, keyFile)
 	var tlsConfig = tls.Config{
 		Certificates: []tls.Certificate{cert},
 	}

 	log.Println("starting server")

 	listener, err := tls.Listen("tcp", listenAddr, &tlsConfig)
 	if err != nil {
 		log.Printf("could not listen for connections: ", err.Error())
 		os.Exit(1)
 	}

 	defer listener.Close()

 	for {
 		conn, err := listener.Accept()
 		conn.(*tls.Conn).Handshake()
 		if err != nil {
 			log.Printf("error accepting connection: %s", err)
 		} else {
 			log.Printf("accepted from %s", conn.RemoteAddr())
 			go handleConnection(conn, remoteAddr)
 		}
 	}
 }

 func handleConnection(conn net.Conn, remote string) {
 	defer conn.Close()

 	// make connection to remote

 	// When using /etc/hosts to set host=localhost for MITM, you cannot make the
 	// remote connection by hostname. Using ip for the tls connection will fail on
 	// cert validation so InsecureSkipVerify is set to true
 	remoteConn, err := tls.Dial("tcp", remote, &tls.Config{InsecureSkipVerify: true})
 	if err != nil {
 		log.Print("failed to connect to remote: " + err.Error())
 		return
 	}
 	defer remoteConn.Close()
 	remoteConn.Handshake()

 	serverClosed := make(chan struct{}, 1)
 	clientClosed := make(chan struct{}, 1)

 	go broker(remoteConn, conn, clientClosed) // forward client to remote
 	go broker(conn, remoteConn, serverClosed) // forward remote to client

 	// wait for one side of the connection to close
 	// and then signal the other side of the connection to close
 	var waitFor chan struct{}
 	select {
 	case <-clientClosed:
 		remoteConn.Close()
 		waitFor = serverClosed
 	case <-serverClosed:
 		conn.Close()
 		waitFor = clientClosed
 	}

 	// wait for the other side to finish shutting down
 	<-waitFor
 	log.Println("server: conn: closed")
 }

 // modified from
 // https://gist.github.com/jbardin/821d08cb64c01c84b81a
 func broker(dst, src net.Conn, srcClosed chan struct{}) {
 	io.Copy(dst, src) // blocks until either EOF on src or an error occurs
 	src.Close()
 	srcClosed <- struct{}{}
 }
	/* tlsprox - minimal tls MITM transparent proxy... in go!
	* by @tam7t
	*
	* Usage:
	* If we want to MITM https://example.com first get example.com's ip address
	* then add localhost to /etc/hosts:
	*
	* 127.0.0.1 example.com
	*
	* > go build tlsprox.go
	* > sudo ./tlsprox.go -raddr=<example.com ip addr>:443
	*/

	package main

	import (
	"crypto/tls"
	"flag"
	"io"
	"log"
	"net"
	"os"
	)

	func main() {
	var certFile, keyFile, listenAddr, remoteAddr string

	flag.StringVar(&certFile, "cert", "cert.pem", "certificate")
	flag.StringVar(&keyFile, "key", "key.pem", "key")
	flag.StringVar(&listenAddr, "laddr", ":443", "listener address")
	flag.StringVar(&remoteAddr, "raddr", "8.8.8.8:443", "remote address")

	flag.Parse()

	var cert, _ = tls.LoadX509KeyPair(certFile, keyFile)
	var tlsConfig = tls.Config{
	Certificates: []tls.Certificate{cert},
	}

	log.Println("starting server")

	listener, err := tls.Listen("tcp", listenAddr, &tlsConfig)
	if err != nil {
	log.Printf("could not listen for connections: ", err.Error())
	os.Exit(1)
	}

	defer listener.Close()

	for {
	conn, err := listener.Accept()
	conn.(*tls.Conn).Handshake()
	if err != nil {
	log.Printf("error accepting connection: %s", err)
	} else {
	log.Printf("accepted from %s", conn.RemoteAddr())
	go handleConnection(conn, remoteAddr)
	}
	}
	}

	func handleConnection(conn net.Conn, remote string) {
	defer conn.Close()

	// make connection to remote

	// When using /etc/hosts to set host=localhost for MITM, you cannot make the
	// remote connection by hostname. Using ip for the tls connection will fail on
	// cert validation so InsecureSkipVerify is set to true
	remoteConn, err := tls.Dial("tcp", remote, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
	log.Print("failed to connect to remote: " + err.Error())
	return
	}
	defer remoteConn.Close()
	remoteConn.Handshake()

	serverClosed := make(chan struct{}, 1)
	clientClosed := make(chan struct{}, 1)

	go broker(remoteConn, conn, clientClosed) // forward client to remote
	go broker(conn, remoteConn, serverClosed) // forward remote to client

	// wait for one side of the connection to close
	// and then signal the other side of the connection to close
	var waitFor chan struct{}
	select {
	case <-clientClosed:
	remoteConn.Close()
	waitFor = serverClosed
	case <-serverClosed:
	conn.Close()
	waitFor = clientClosed
	}

	// wait for the other side to finish shutting down
	<-waitFor
	log.Println("server: conn: closed")
	}

	// modified from
	// https://gist.github.com/jbardin/821d08cb64c01c84b81a
	func broker(dst, src net.Conn, srcClosed chan struct{}) {
	io.Copy(dst, src) // blocks until either EOF on src or an error occurs
	src.Close()
	srcClosed <- struct{}{}
	}