qr, https, etc

Author: reflog

.gitignore

@@ -1,4 +1,5 @@
 /server.json
 /sing-box-config.json
 /data
-/dist
+/dist
+/lantern-server-manager

Dockerfile

@@ -1,7 +1,7 @@
 FROM alpine:edge
 
 # Set the timezone and install CA certificates
-RUN apk --no-cache add ca-certificates tzdata
+RUN apk --no-cache add ca-certificates tzdata qrencode
 
 COPY lantern-server-manager /app/server
 COPY --from=ghcr.io/sagernet/sing-box /usr/local/bin/sing-box /usr/local/bin/sing-box

Makefile

@@ -0,0 +1,20 @@
+lantern-server-manager:
+	CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o lantern-server-manager ./cmd/...
+
+packer:
+	@cd cloud/packer
+	@if [ -z "$(PKR_VAR_aws_secret_key)" ]; then \
+		echo "Error: PKR_VAR_aws_secret_key is not set"; \
+		exit 1; \
+	fi
+	@if [ -z "$(PKR_VAR_aws_access_key)" ]; then \
+		echo "Error: PKR_VAR_aws_access_key is not set"; \
+		exit 1; \
+	fi
+	# Make sure you have packer installed
+	@if ! command -v packer &> /dev/null; then \
+		echo "Error: packer is not installed"; \
+		exit 1; \
+	fi
+
+	@packer build .

auth/selfsigned.go

@@ -0,0 +1,93 @@
+// support HTTP/2.
+package auth
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"github.com/charmbracelet/log"
+	"math/big"
+	"net/http"
+	"os"
+	"path"
+	"time"
+)
+
+// Certificate returns a self-signed x509 certificate and private key.
+func Certificate(dataDir, ip string) (tls.Certificate, error) {
+	certPEM, _ := os.ReadFile(path.Join(dataDir, "cert.pem"))
+	keyPEM, _ := os.ReadFile(path.Join(dataDir, "key.pem"))
+	if keyPEM == nil || certPEM == nil {
+		log.Debug("Generating self-signed certificate")
+		key, err := rsa.GenerateKey(rand.Reader, 2048)
+		if err != nil {
+			return tls.Certificate{}, err
+		}
+
+		template := x509.Certificate{
+			SerialNumber: big.NewInt(1234),
+			Issuer: pkix.Name{
+				CommonName: ip,
+			},
+			Subject: pkix.Name{
+				CommonName: ip,
+			},
+			// We pre-expire the certs to make them explicitly invalid; they're only
+			// useful in contexts where they are not verified or validated.
+			NotBefore:   time.Now(),
+			NotAfter:    time.Now(),
+			DNSNames:    []string{ip},
+			KeyUsage:    x509.KeyUsageDigitalSignature,
+			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		}
+
+		certificateBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
+		if err != nil {
+			return tls.Certificate{}, err
+		}
+
+		certPEMBuf := new(bytes.Buffer)
+		err = pem.Encode(certPEMBuf, &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: certificateBytes,
+		})
+		if err != nil {
+			return tls.Certificate{}, err
+		}
+
+		keyPEMBuf := new(bytes.Buffer)
+		err = pem.Encode(keyPEMBuf, &pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(key),
+		})
+		if err != nil {
+			return tls.Certificate{}, err
+		}
+		certPEM = certPEMBuf.Bytes()
+		keyPEM = keyPEMBuf.Bytes()
+	} else {
+		log.Debug("Using existing self-signed certificate")
+	}
+	return tls.X509KeyPair(certPEM, keyPEM)
+}
+
+// SelfSignedListenAndServeTLS listens on the TCP network address addr and then calls
+// Serve with handler and a self-signed certificate to handle requests on
+// incoming TLS connections.
+func SelfSignedListenAndServeTLS(dataDir, publicIP, addr string, handler http.Handler) error {
+	cert, err := Certificate(dataDir, publicIP)
+	if err != nil {
+		return fmt.Errorf("failed to generate certificate: %w", err)
+	}
+
+	conf := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+	server := &http.Server{Addr: addr, Handler: handler, TLSConfig: conf}
+	return server.ListenAndServeTLS("", "")
+}

cloud/packer/main.pkr.hcl

@@ -0,0 +1,50 @@
+packer {
+  required_plugins {
+    amazon = {
+      source  = "github.com/hashicorp/amazon"
+      version = "~> 1"
+    }
+  }
+}
+
+source "amazon-ebs" "amazon-linux" {
+  ami_name      = "lantern-server-manager-${var.version}-{{timestamp}}"
+  instance_type = "t2.micro"
+  region        = var.aws_region
+  source_ami_filter {
+    filters = {
+      name                = "*amzn3-ami-hvm-*"
+      root-device-type    = "ebs"
+      virtualization-type = "hvm"
+    }
+    most_recent = true
+    owners      = ["amazon"]
+  }
+  ssh_username = "ec2-user"
+}
+
+build {
+  sources = ["source.amazon-ebs.amazon-linux"]
+
+  provisioner "file" {
+    source      = "../lantern-server-manager.service"
+    destination = "/tmp/lantern-server-manager.service"
+  }
+
+  provisioner "shell" {
+    inline = [
+      "yum install -y qrencode",
+      "curl -L https://github.com/SagerNet/sing-box/releases/download/v${var.sing_box_version}/sing-box-${var.sing_box_version}-linux-amd64.tar.gz -o /tmp/sing-box.tar.gz",
+      "curl -L https://github.com/getlantern/lantern-server-manager/releases/download/v${var.version}/lantern-server-manager_${var.version}_linux_amd64.tar.gz -o /tmp/lantern-server-manager.tar.gz",
+      "tar -xzf /tmp/lantern-server-manager.tar.gz -C /tmp",
+      "tar -xzf /tmp/sing-box.tar.gz -C /tmp",
+      "sudo mkdir -p /opt/lantern",
+      "sudo mv /tmp/sing-box-${var.sing_box_version}-linux-amd64/sing-box /usr/local/bin/sing-box",
+      "sudo mv /tmp/lantern-server-manager.service /opt/lantern/lantern-server-manager.service",
+      "sudo mv /tmp/lantern-server-manager /opt/lantern/lantern-server-manager",
+      "sudo systemctl enable /opt/lantern/lantern-server-manager.service",
+      "rm /home/ec2-user/.ssh/authorized_keys",
+      "sudo rm /root/.ssh/authorized_keys"
+    ]
+  }
+}

cloud/packer/vars.pkr.hcl

@@ -0,0 +1,23 @@
+variable "aws_region" {
+  default = "us-east-1"
+}
+
+variable "aws_secret_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "aws_access_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "version" {
+  type    = string
+  default = "0.0.2"
+}
+
+variable "sing_box_version" {
+  type    = string
+  default = "1.11.7"
+}

cmd/cmd_serve.go

@@ -2,11 +2,11 @@ package main
 
 import (
 	"fmt"
-	"github.com/sagernet/sing-box/option"
 	"net/http"
 	"time"
 
 	"github.com/charmbracelet/log"
+	"github.com/sagernet/sing-box/option"
 
 	"github.com/getlantern/lantern-server-manager/auth"
 	"github.com/getlantern/lantern-server-manager/common"
@@ -17,10 +17,7 @@ type ServeCmd struct {
 	singboxConfig *option.Options
 }
 
-func (c ServeCmd) Run() error {
-	if !common.CheckSingBoxInstalled() {
-		return fmt.Errorf("sing-box not found in PATH")
-	}
+func (c *ServeCmd) readConfigs() error {
 	var err error
 	c.serverConfig, err = common.ReadServerConfig(args.DataDir)
 	if err != nil {
@@ -35,13 +32,27 @@ func (c ServeCmd) Run() error {
 			return fmt.Errorf("failed to read sing-box config: %w", err)
 		}
 	}
+	if err = common.ValidateSingBoxConfig(args.DataDir); err != nil {
+		return fmt.Errorf("failed to validate sing-box config: %w", err)
+	}
 
-	if err := common.RestartSingBox(); err != nil {
+	if err = common.RestartSingBox(args.DataDir); err != nil {
 		return fmt.Errorf("failed to start sing-box: %w", err)
 	}
 
+	return nil
+}
+
+func (c *ServeCmd) Run() error {
+	if !common.CheckSingBoxInstalled() {
+		return fmt.Errorf("sing-box not found in PATH")
+	}
+	if err := c.readConfigs(); err != nil {
+		return err
+	}
+
 	printRootToken(c.serverConfig, c.singboxConfig)
-	go common.CheckConnectivity(c.serverConfig.IP, c.serverConfig.Port)
+	go common.CheckConnectivity(c.serverConfig.ExternalIP, c.serverConfig.Port)
 	srv := http.NewServeMux()
 	srv.Handle("GET /api/v1/health", http.HandlerFunc(c.healthCheckHandler))
 	srv.Handle("GET /api/v1/connect-config", auth.Middleware(c.serverConfig.HMACSecret, http.HandlerFunc(c.getConnectConfigHandler)))
@@ -57,11 +68,11 @@ func (c ServeCmd) Run() error {
 		fmt.Fprintf(w, "Welcome to Lantern Server Manager. In future, there will be UI here!")
 	})
 
-	return http.ListenAndServe(fmt.Sprintf(":%d", c.serverConfig.Port), srv)
+	return auth.SelfSignedListenAndServeTLS(args.DataDir, c.serverConfig.ExternalIP, fmt.Sprintf(":%d", c.serverConfig.Port), srv)
 }
 
-func (c ServeCmd) getConnectConfigHandler(writer http.ResponseWriter, r *http.Request) {
-	cfg, err := common.GenerateSingBoxConnectConfig(args.DataDir, c.serverConfig.IP, auth.GetRequestUsername(r))
+func (c *ServeCmd) getConnectConfigHandler(writer http.ResponseWriter, r *http.Request) {
+	cfg, err := common.GenerateSingBoxConnectConfig(args.DataDir, c.serverConfig.ExternalIP, auth.GetRequestUsername(r))
 	if err != nil {
 		log.Errorf("failed to generate connect config: %v", err)
 		http.Error(writer, "failed to generate connect config", http.StatusInternalServerError)
@@ -73,7 +84,7 @@ func (c ServeCmd) getConnectConfigHandler(writer http.ResponseWriter, r *http.Re
 
 const ShareLinkExpiration = 24 * time.Hour
 
-func (c ServeCmd) getShareLinkHandler(w http.ResponseWriter, r *http.Request) {
+func (c *ServeCmd) getShareLinkHandler(w http.ResponseWriter, r *http.Request) {
 	username := r.PathValue("name")
 	accessToken, err := auth.GenerateAccessToken(c.serverConfig.HMACSecret, username, time.Now().Add(ShareLinkExpiration))
 	if err != nil {
@@ -85,7 +96,7 @@ func (c ServeCmd) getShareLinkHandler(w http.ResponseWriter, r *http.Request) {
 	_, _ = w.Write([]byte(fmt.Sprintf(`{"token": "%s"}`, accessToken)))
 }
 
-func (c ServeCmd) revokeAccess(w http.ResponseWriter, r *http.Request) {
+func (c *ServeCmd) revokeAccess(w http.ResponseWriter, r *http.Request) {
 	username := r.PathValue("name")
 	if err := common.RevokeUser(args.DataDir, username); err != nil {
 		log.Errorf("failed to revoke user: %v", err)
@@ -96,7 +107,7 @@ func (c ServeCmd) revokeAccess(w http.ResponseWriter, r *http.Request) {
 	_, _ = w.Write([]byte(fmt.Sprintf(`{"status": "ok"}`)))
 }
 
-func (c ServeCmd) healthCheckHandler(w http.ResponseWriter, r *http.Request) {
+func (c *ServeCmd) healthCheckHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	_, _ = w.Write([]byte(`{"status": "ok"}`))
 }

common/public.go

@@ -1,23 +1,41 @@
 package common
 
 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"github.com/charmbracelet/log"
+	"github.com/mroth/jitter"
 	"io"
 	"net/http"
 	"strings"
 	"time"
 )
 
+// CheckConnectivity checks the connectivity to the server via it's public ExternalIP and port.
 func CheckConnectivity(ip string, port int) {
 	time.Sleep(1 * time.Second)
-	_, err := http.Get(fmt.Sprintf("http://%s:%d/api/v1/health", ip, port))
-	if err != nil {
-		log.Errorf("Connectivity check failed. Please check the configuration: %v", err)
+	ticker := jitter.NewTicker(time.Minute, 0.2)
+	defer ticker.Stop()
+	client := http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		},
+	}
+	for {
+		req, _ := http.NewRequest("GET", fmt.Sprintf("https://%s:%d/api/v1/health", ip, port), nil)
+
+		_, err := client.Do(req)
+		if err != nil {
+			log.Errorf("Connectivity check failed. Please check the configuration, make sure that port %d is open. Error: %v", port, err)
+		}
+		<-ticker.C
 	}
 }
 
+// GetPublicIP fetches the public ExternalIP address of the server by trying a list of known services.
 func GetPublicIP() (string, error) {
 	hostsToTry := []string{
 		"https://icanhazip.com/",
@@ -39,5 +57,5 @@ func GetPublicIP() (string, error) {
 		_ = resp.Body.Close()
 		return strings.TrimSpace(string(body)), nil
 	}
-	return "", errors.New("no public IP found")
+	return "", errors.New("no public ExternalIP found")
 }