diff --git a/README.md b/README.md
index 5452e31..3d046d8 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
+
# Nostr Web Services (NWS)
-NWS replaces the IP layer in TCP transport using Nostr, enabling a secure connection between
-clients and backend services.
+NWS replaces the IP layer in TCP transport using Nostr, enabling secure connections between clients and backend services.
Exit node [domain names](#nws-domain-names) make private services accessible to entry nodes.
@@ -14,39 +14,38 @@ Exit node [domain names](#nws-domain-names) make private services accessible to
### NWS main components
-1. **Exit node**: It is a TCP reverse proxy that listens for incoming Nostr subscriptions and forwards the payload to your designated backend service.
-2. **Entry node**: It forwards tcp packets to the exit node using a SOCKS proxy and creates encrypted events for the exit node.
+1. **Exit node**: A TCP reverse proxy that listens for incoming Nostr subscriptions and forwards the payload to your designated backend service.
+2. **Entry node**: Forwards TCP packets to the exit node using a SOCKS proxy and creates encrypted events for the exit node.
### NWS domain names
There are two types of domain names resolved by NWS entry nodes:
-1. `.nostr` domains have base32 encoded public key hostnames and base32 encoded relays as subdomains.
-2. [nprofiles](https://nostr-nips.com/nip-19) are combinations of a Nostr public key and multiple relays.
+1. `.nostr` domains, which have base32 encoded public key hostnames and base32 encoded relays as subdomains.
+2. [nprofiles](https://nostr-nips.com/nip-19), which are combinations of a Nostr public key and multiple relays.
Both types of domains will be generated and printed in the console on startup
## Quickstart
-Running NWS using Docker is recommended. For instructions on running NWS on your local machine, refer to the [Build from source](#build-from-source) section.
+Using Docker to run NWS is recommended. For instructions on running NWS on your local machine, refer to the [Build from source](#build-from-source) section.
### Using Docker-Compose
-Please navigate to the `docker-compose.yaml` file and set `NOSTR_PRIVATE_KEY` to your own private key.
-Leaving it empty will generate a new private key on startup.
+Navigate to the `docker-compose.yaml` file and set `NOSTR_PRIVATE_KEY` to your private key. Leaving it empty will generate a new private key upon startup.
To set up using Docker Compose, run the following command:
-```
+```bash
docker compose up -d --build
```
-This will start an example environment, including:
-* Entry node
-* Exit node
-* Exit node with https reverse proxy
-* [Cashu Nutshell](https://github.com/cashubtc/nutshell) (backend service)
-* [nostr-relay](https://github.com/scsibug/nostr-rs-relay)
+This will start an example environment, including:
+- Entry node
+- Exit node
+- Exit node with HTTPS reverse proxy
+- [Cashu Nutshell](https://github.com/cashubtc/nutshell) (backend service)
+- [nostr-relay](https://github.com/scsibug/nostr-rs-relay)
You can run the following commands to receive your NWS domain:
@@ -55,47 +54,48 @@ docker logs exit-https 2>&1 | awk -F'domain=' '{if ($2) print $2}' | awk '{print
```
```bash
-docker logs exit 2>&1 | awk -F'domain=' '{if ($2) print $2}' | awk '{print $1}`
+docker logs exit 2>&1 | awk -F'domain=' '{if ($2) print $2}' | awk '{print $1}'
```
### Sending requests to the entry node
With the log information from the previous step, you can use the following command to send a request to the exit node domain:
-```
-curl -v -x socks5h://localhost:8882 http://"$(docker logs exit 2>&1 | awk -F'domain=' '{if ($2) print $2}' | awk '{print $1}' | tail -n 1)"/v1/info --insecure
+```bash
+curl -v -x socks5h://localhost:8882 http://"$(docker logs exit 2>&1 | awk -F'domain=' '{if ($2) print $2}' | awk '{print $1}' | tail -n 1)"/v1/info --insecure
```
-If the exit node supports TLS, you can choose to connect using https scheme
+If the exit node supports TLS, you can choose to connect using the HTTPS scheme:
-```
-curl -v -x socks5h://localhost:8882 https://"$(docker logs exit-https 2>&1 | awk -F'domain=' '{if ($2) print $2}' | awk '{print $1}' | tail -n 1)"/v1/info --insecure
+```bash
+curl -v -x socks5h://localhost:8882 https://"$(docker logs exit-https 2>&1 | awk -F'domain=' '{if ($2) print $2}' | awk '{print $1}' | tail -n 1)"/v1/info --insecure
```
-When using https, the entry node can be used as a service, since the operator will not be able to see the request data.
+When using HTTPS, the entry node can be used as a service, as the operator will not be able to see the request data.
-## Build from source
+## Build from Source
-The exit node must be set up to make your services reachable via Nostr.
+To make your services reachable via Nostr, set up the exit node.
### Exit node
-Configuration should be completed using environment variables.
-Alternatively, you can create a `.env` file in the current working directory with the following content:
+Configuration can be completed using environment variables. Alternatively, you can create a `.env` file in the current working directory with the following content:
+
```
-NOSTR_RELAYS = 'ws://localhost:6666;wss://relay.domain.com'
-NOSTR_PRIVATE_KEY = "EXITPRIVATEHEX"
-BACKEND_HOST = 'localhost:3338'
+NOSTR_RELAYS='ws://localhost:6666;wss://relay.domain.com'
+NOSTR_PRIVATE_KEY="EXITPRIVATEHEX"
+BACKEND_HOST='localhost:3338'
+PUBLIC=false
```
-- `NOSTR_RELAYS`: A list of nostr relays to publish events to. Will only be used if there was no relay data in the
- request.
-- `NOSTR_PRIVATE_KEY`: The private key to sign the events
-- `BACKEND_HOST`: The host of the backend to forward requests to
+- `NOSTR_RELAYS`: A list of Nostr relays to publish events to. Used only if there is no relay data in the request.
+- `NOSTR_PRIVATE_KEY`: The private key to sign the events.
+- `BACKEND_HOST`: The host of the backend to forward requests to.
+- `PUBLIC`: If set to true, the exit node will announce itself on the Nostr network, enabling other entry nodes to discover it for public internet traffic relaying.
To start the exit node, use this command:
-```
+```bash
go run cmd/exit/exit.go
```
@@ -106,15 +106,16 @@ If your backend services support TLS, your service can now start using TLS encry
### Entry node
To run an entry node for accessing NWS services behind exit nodes, use the following command:
-```
+
+```bash
go run cmd/entry/main.go
```
+
If you don't want to use the `PUBLIC_ADDRESS` feature, no further configuration is needed.
```
-PUBLIC_ADDRESS = ':'
+PUBLIC_ADDRESS=':'
```
-- `PUBLIC_ADDRESS`: This can be set if the entry node is publicly available. When set, the entry node will additionally bind to this address. Exit node discovery will still be done using Nostr. Once a connection is established, this public address will be used to transmit further data.
-- `NOSTR_RELAYS`: A list of nostr relays to publish events to. Will only be used if there was no relay data in the
- request.
+- `PUBLIC_ADDRESS`: This can be set if the entry node is publicly available. When set, the entry node will additionally bind to this address. Exit node discovery will still be done using Nostr. Once a connection is established, this public address will be used to transmit further data.
+- `NOSTR_RELAYS`: A list of Nostr relays to publish events to. Used only if there is no relay data in the request.
diff --git a/cmd/exit/.env b/cmd/exit/.env
index e6ecf34..86dfd2a 100644
--- a/cmd/exit/.env
+++ b/cmd/exit/.env
@@ -2,3 +2,4 @@
NOSTR_RELAYS = 'ws://localhost:6666'
NOSTR_PRIVATE_KEY = ""
BACKEND_HOST = 'localhost:3338'
+PUBLIC = false
diff --git a/config/config.go b/config/config.go
index d9caf3d..cc9cec1 100644
--- a/config/config.go
+++ b/config/config.go
@@ -10,8 +10,9 @@ import (
)
type EntryConfig struct {
- NostrRelays []string `env:"NOSTR_RELAYS" envSeparator:";"`
- PublicAddress string `env:"PUBLIC_ADDRESS"`
+ NostrRelays []string `env:"NOSTR_RELAYS" envSeparator:";"`
+ PublicAddress string `env:"PUBLIC_ADDRESS"`
+ PublicAddressBind string `env:"PUBLIC_ADDRESS_BIND"`
}
type ExitConfig struct {
@@ -21,6 +22,7 @@ type ExitConfig struct {
BackendScheme string `env:"BACKEND_SCHEME"`
HttpsPort int32
HttpsTarget string
+ Public bool `env:"PUBLIC"`
}
// load the and marshal Configuration from .env file from the UserHomeDir
diff --git a/exit/exit.go b/exit/exit.go
index 441f582..0de3f9e 100644
--- a/exit/exit.go
+++ b/exit/exit.go
@@ -61,6 +61,12 @@ func NewExit(ctx context.Context, exitNodeConfig *config.ExitConfig) *Exit {
// generate new private key
exitNodeConfig.NostrPrivateKey = nostr.GeneratePrivateKey()
slog.Warn(generateKeyMessage, "key", exitNodeConfig.NostrPrivateKey)
+ } else {
+ pubKey, err := nostr.GetPublicKey(exitNodeConfig.NostrPrivateKey)
+ if err != nil {
+ panic(err)
+ }
+ slog.Info("using public key", "key", pubKey)
}
// get public key from private key
pubKey, err := nostr.GetPublicKey(exitNodeConfig.NostrPrivateKey)
@@ -117,6 +123,10 @@ func NewExit(ctx context.Context, exitNodeConfig *config.ExitConfig) *Exit {
if err != nil {
panic(err)
}
+ err = exit.announceExitNode(ctx)
+ if err != nil {
+ panic(err)
+ }
return exit
}
@@ -235,6 +245,13 @@ func (e *Exit) processMessage(ctx context.Context, msg nostr.IncomingEvent) {
slog.Error("could not unmarshal message")
return
}
+ destination, err := protocol.Parse(protocolMessage.Destination)
+ if err != nil {
+ return
+ }
+ if destination.TLD == "nostr" {
+ protocolMessage.Destination = e.config.BackendHost
+ }
switch protocolMessage.Type {
case protocol.MessageConnect:
e.handleConnect(ctx, msg, protocolMessage)
@@ -268,8 +285,9 @@ func (e *Exit) handleConnect(
netstr.WithDst(receiver),
netstr.WithUUID(protocolMessage.Key),
)
+
var dst net.Conn
- dst, err = net.Dial("tcp", e.config.BackendHost)
+ dst, err = net.Dial("tcp", protocolMessage.Destination)
if err != nil {
slog.Error("could not connect to backend", "error", err)
return
@@ -282,23 +300,34 @@ func (e *Exit) handleConnect(
}
func (e *Exit) handleConnectReverse(protocolMessage *protocol.Message) {
+
e.mutexMap.Lock(protocolMessage.Key.String())
defer e.mutexMap.Unlock(protocolMessage.Key.String())
- connection, err := net.Dial("tcp", protocolMessage.Destination)
+ connection, err := net.Dial("tcp", protocolMessage.EntryPublicAddress)
if err != nil {
return
}
- var dst net.Conn
- dst, err = net.Dial("tcp", e.config.BackendHost)
- if err != nil {
- slog.Error("could not connect to backend", "error", err)
- return
- }
_, err = connection.Write([]byte(protocolMessage.Key.String()))
if err != nil {
return
}
+ // read single byte from the connection
+ readbuffer := make([]byte, 1)
+ _, err = connection.Read(readbuffer)
+ if err != nil {
+ return
+ }
+ if readbuffer[0] != 1 {
+ return
+ }
+ var dst net.Conn
+ dst, err = net.Dial("tcp", protocolMessage.Destination)
+ if err != nil {
+ slog.Error("could not connect to backend", "error", err)
+ return
+ }
+
go socks5.Proxy(dst, connection, nil)
go socks5.Proxy(connection, dst, nil)
}
diff --git a/exit/https.go b/exit/https.go
index a55f2c1..d87befe 100644
--- a/exit/https.go
+++ b/exit/https.go
@@ -21,30 +21,6 @@ import (
"time"
)
-func (e *Exit) DeleteEvent(ctx context.Context, ev *nostr.Event) error {
- for _, responseRelay := range e.config.NostrRelays {
- var relay *nostr.Relay
- relay, err := e.pool.EnsureRelay(responseRelay)
- if err != nil {
- return err
- }
- event := nostr.Event{
- CreatedAt: nostr.Now(),
- PubKey: e.publicKey,
- Kind: nostr.KindDeletion,
- Tags: nostr.Tags{
- nostr.Tag{"e", ev.ID},
- },
- }
- err = event.Sign(e.config.NostrPrivateKey)
- err = relay.Publish(ctx, event)
- if err != nil {
- return err
- }
- }
- return nil
-}
-
func (e *Exit) StartReverseProxy(httpTarget string, port int32) error {
ctx := context.Background()
ev := e.pool.QuerySingle(ctx, e.config.NostrRelays, nostr.Filter{
diff --git a/exit/nostr.go b/exit/nostr.go
new file mode 100644
index 0000000..c48268c
--- /dev/null
+++ b/exit/nostr.go
@@ -0,0 +1,69 @@
+package exit
+
+import (
+ "context"
+ "log/slog"
+ "strconv"
+ "time"
+
+ "github.com/nbd-wtf/go-nostr"
+)
+
+func (e *Exit) announceExitNode(ctx context.Context) error {
+ if !e.config.Public {
+ return nil
+ }
+ go func() {
+ for {
+ event := nostr.Event{
+ PubKey: e.publicKey,
+ CreatedAt: nostr.Now(),
+ Kind: nostr.KindTextNote,
+ Tags: nostr.Tags{
+ nostr.Tag{"n", "nws"},
+ nostr.Tag{"expiration", strconv.FormatInt(time.Now().Add(time.Second*10).Unix(), 20)},
+ },
+ }
+
+ err := event.Sign(e.config.NostrPrivateKey)
+ if err != nil {
+ slog.Error("could not sign event", "error", err)
+ continue
+ }
+ // publish the event
+ for _, relay := range e.relays {
+ err = relay.Publish(ctx, event)
+ if err != nil {
+ slog.Error("could not publish event", "error", err)
+ // do not return here, try to publish the event to other relays
+ }
+ }
+ time.Sleep(time.Second * 10)
+ }
+ }()
+ return nil
+}
+
+func (e *Exit) DeleteEvent(ctx context.Context, ev *nostr.Event) error {
+ for _, responseRelay := range e.config.NostrRelays {
+ var relay *nostr.Relay
+ relay, err := e.pool.EnsureRelay(responseRelay)
+ if err != nil {
+ return err
+ }
+ event := nostr.Event{
+ CreatedAt: nostr.Now(),
+ PubKey: e.publicKey,
+ Kind: nostr.KindDeletion,
+ Tags: nostr.Tags{
+ nostr.Tag{"e", ev.ID},
+ },
+ }
+ err = event.Sign(e.config.NostrPrivateKey)
+ err = relay.Publish(ctx, event)
+ if err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/netstr/conn.go b/netstr/conn.go
index eae5a81..9088929 100644
--- a/netstr/conn.go
+++ b/netstr/conn.go
@@ -62,7 +62,9 @@ type NostrConnection struct {
sentBytes [][]byte
// sub represents a boolean value indicating if a connection should subscribe to a response when writing.
- sub bool
+ sub bool
+ defaultRelays []string
+ targetPublicKey string
}
// WriteNostrEvent writes the incoming event to the subscription channel of the NostrConnection.
@@ -149,8 +151,8 @@ func (nc *NostrConnection) handleNostrRead(b []byte, n int) (int, error) {
// Write writes data to the connection.
// It delegates the writing logic to handleNostrWrite method.
// The number of bytes written and error (if any) are returned.
-func (nc *NostrConnection) Write(b []byte) (n int, err error) {
- return nc.handleNostrWrite(b, err)
+func (nc *NostrConnection) Write(b []byte) (int, error) {
+ return nc.handleNostrWrite(b)
}
// handleNostrWrite handles the writing of a Nostr event.
@@ -158,10 +160,9 @@ func (nc *NostrConnection) Write(b []byte) (n int, err error) {
// creates a message signer, creates message options, signs the event,
// publishes the event to relays, and appends the sent bytes to the connection's sentBytes array.
// The method returns the number of bytes written and any error that occurred.
-func (nc *NostrConnection) handleNostrWrite(b []byte, err error) (int, error) {
+func (nc *NostrConnection) handleNostrWrite(b []byte) (int, error) {
// check if we have already sent this event
-
- publicKey, relays, err := ParseDestination(nc.dst)
+ publicKey, relays, err := nc.parseDestination()
if err != nil {
return 0, err
}
@@ -173,9 +174,15 @@ func (nc *NostrConnection) handleNostrWrite(b []byte, err error) (int, error) {
opts := []protocol.MessageOption{
protocol.WithUUID(nc.uuid),
protocol.WithType(protocol.MessageTypeSocks5),
+ protocol.WithDestination(nc.dst),
protocol.WithData(b),
}
- ev, err := signer.CreateSignedEvent(publicKey, protocol.KindEphemeralEvent, nostr.Tags{nostr.Tag{"p", publicKey}}, opts...)
+ ev, err := signer.CreateSignedEvent(
+ publicKey,
+ protocol.KindEphemeralEvent,
+ nostr.Tags{nostr.Tag{"p", publicKey}},
+ opts...,
+ )
if err != nil {
return 0, err
}
@@ -190,12 +197,16 @@ func (nc *NostrConnection) handleNostrWrite(b []byte, err error) (int, error) {
now := nostr.Now()
incomingEventChannel := nc.pool.SubMany(nc.ctx, relays,
nostr.Filters{
- {Kinds: []int{protocol.KindEphemeralEvent},
+ {
+ Kinds: []int{protocol.KindEphemeralEvent},
Authors: []string{publicKey},
Since: &now,
Tags: nostr.TagMap{
"p": []string{ev.PubKey},
- }}})
+ },
+ },
+ },
+ )
nc.subscriptionChan = incomingEventChannel
}
for _, responseRelay := range relays {
@@ -214,44 +225,58 @@ func (nc *NostrConnection) handleNostrWrite(b []byte, err error) (int, error) {
return len(b), nil
}
-// ParseDestination takes a destination string and returns a public key and relays.
+// parseDestination takes a destination string and returns a public key and relays.
// The destination can be "npub" or "nprofile".
// If the prefix is "npub", the public key is extracted.
// If the prefix is "nprofile", the public key and relays are extracted.
// Returns the public key, relays (if any), and any error encountered.
-func ParseDestination(destination string) (string, []string, error) {
+func (nc *NostrConnection) parseDestination() (string, []string, error) {
// check if destination ends with .nostr
- if strings.HasSuffix(destination, ".nostr") {
- return ParseDestinationDomain(destination)
- }
- // destination can be npub or nprofile
- prefix, pubKey, err := nip19.Decode(destination)
+ if strings.HasPrefix(nc.dst, "npub") || strings.HasPrefix(nc.dst, "nprofile") {
+ // destination can be npub or nprofile
+ prefix, pubKey, err := nip19.Decode(nc.dst)
- if err != nil {
- return "", nil, err
- }
+ if err != nil {
+ return "", nil, err
+ }
- var relays []string
- var publicKey string
+ var relays []string
+ var publicKey string
- switch prefix {
- case "npub":
- publicKey = pubKey.(string)
- case "nprofile":
- profilePointer := pubKey.(nostr.ProfilePointer)
- publicKey = profilePointer.PublicKey
- relays = profilePointer.Relays
+ switch prefix {
+ case "npub":
+ publicKey = pubKey.(string)
+ case "nprofile":
+ profilePointer := pubKey.(nostr.ProfilePointer)
+ publicKey = profilePointer.PublicKey
+ relays = profilePointer.Relays
+ }
+ return publicKey, relays, nil
}
- return publicKey, relays, nil
+ return nc.parseDestinationDomain()
}
-func ParseDestinationDomain(destination string) (string, []string, error) {
- url, err := protocol.Parse(destination)
+func (nc *NostrConnection) parseDestinationDomain() (string, []string, error) {
+ url, err := protocol.Parse(nc.dst)
if err != nil {
return "", nil, err
}
if !url.IsDomain {
+ // try to parse as ip
+ ip := net.ParseIP(url.Name)
+ if ip != nil {
+ return nc.targetPublicKey, nc.defaultRelays, nil
+ }
return "", nil, fmt.Errorf("destination is not a domain")
+
+ }
+ if url.TLD != "nostr" {
+ // parse public key
+ /*pubKey,err := nostr.GetPublicKey(nc.privateKey)
+ if err != nil {
+ return "", nil, err
+ }*/
+ return nc.targetPublicKey, nc.defaultRelays, nil
}
var subdomains []string
split := strings.Split(url.SubName, ".")
@@ -312,6 +337,20 @@ func WithPrivateKey(privateKey string) NostrConnOption {
}
}
+// WithPrivateKey sets the private key for the NostrConnConfig.
+func WithDefaultRelays(defaultRelays []string) NostrConnOption {
+ return func(config *NostrConnection) {
+ config.defaultRelays = defaultRelays
+ }
+}
+
+// WithTargetPublicKey sets the private key for the NostrConnConfig.
+func WithTargetPublicKey(pubKey string) NostrConnOption {
+ return func(config *NostrConnection) {
+ config.targetPublicKey = pubKey
+ }
+}
+
// WithSub is a function that returns a NostrConnOption. When this option is applied
// to a NostrConnConfig, it sets the 'sub' field to true, indicating that
// the connection will handle subscriptions.
diff --git a/netstr/dial.go b/netstr/dial.go
index cb42838..44dd96c 100644
--- a/netstr/dial.go
+++ b/netstr/dial.go
@@ -3,6 +3,7 @@ package netstr
import (
"context"
"fmt"
+ "github.com/asmogo/nws/config"
"github.com/asmogo/nws/protocol"
"github.com/google/uuid"
"github.com/nbd-wtf/go-nostr"
@@ -11,31 +12,41 @@ import (
)
type DialOptions struct {
- Pool *nostr.SimplePool
- PublicAddress string
- ConnectionID uuid.UUID
- MessageType protocol.MessageType
+ Pool *nostr.SimplePool
+ PublicAddress string
+ ConnectionID uuid.UUID
+ MessageType protocol.MessageType
+ TargetPublicKey string
}
// DialSocks connects to a destination using the provided SimplePool and returns a Dialer function.
-// It creates a new Connection using the specified context, private key, destination address, subscription flag, and connectionID.
+// It creates a new Connection using the specified context, private key, destination address,
// It parses the destination address to get the public key and relays.
// It creates a signed event using the private key, public key, and destination address.
// It ensures that the relays are available in the pool and publishes the signed event to each relay.
// Finally, it returns the Connection and nil error. If there are any errors, nil connection and the error are returned.
-func DialSocks(options DialOptions) func(ctx context.Context, net_, addr string) (net.Conn, error) {
+func DialSocks(options DialOptions, config *config.EntryConfig) func(ctx context.Context, net_, addr string) (net.Conn, error) {
return func(ctx context.Context, net_, addr string) (net.Conn, error) {
key := nostr.GeneratePrivateKey()
connection := NewConnection(ctx,
WithPrivateKey(key),
WithDst(addr),
WithSub(),
+ WithDefaultRelays(config.NostrRelays),
+ WithTargetPublicKey(options.TargetPublicKey),
WithUUID(options.ConnectionID))
- publicKey, relays, err := ParseDestination(addr)
- if err != nil {
- slog.Error("error parsing host", err)
- return nil, fmt.Errorf("error parsing host: %w", err)
+ var publicKey string
+ var relays []string
+ var err error
+ if options.TargetPublicKey != "" {
+ publicKey, relays = options.TargetPublicKey, config.NostrRelays
+ } else {
+ publicKey, relays, err = connection.parseDestination()
+ if err != nil {
+ slog.Error("error parsing host", err)
+ return nil, fmt.Errorf("error parsing host: %w", err)
+ }
}
// create nostr signed event
signer, err := protocol.NewEventSigner(key)
@@ -47,10 +58,10 @@ func DialSocks(options DialOptions) func(ctx context.Context, net_, addr string)
protocol.WithUUID(options.ConnectionID),
}
if options.PublicAddress != "" {
- opts = append(opts, protocol.WithDestination(options.PublicAddress))
- } else {
- opts = append(opts, protocol.WithDestination(addr)) // todo -- use public key instead
+ opts = append(opts, protocol.WithEntryPublicAddress(options.PublicAddress))
}
+ opts = append(opts, protocol.WithDestination(addr))
+
ev, err := signer.CreateSignedEvent(publicKey, protocol.KindEphemeralEvent,
nostr.Tags{nostr.Tag{"p", publicKey}},
opts...)
diff --git a/netstr/dns.go b/netstr/dns.go
index 471ebc3..55b6318 100644
--- a/netstr/dns.go
+++ b/netstr/dns.go
@@ -2,12 +2,50 @@ package netstr
import (
"context"
+ "fmt"
+ "github.com/nbd-wtf/go-nostr"
"net"
+ "strings"
+ "time"
)
// NostrDNS does not resolve anything
-type NostrDNS struct{}
+type NostrDNS struct {
+ pool *nostr.SimplePool
+ nostrRelays []string
+}
+
+func NewNostrDNS(pool *nostr.SimplePool, nostrRelays []string) *NostrDNS {
+ return &NostrDNS{
+ pool: pool,
+ nostrRelays: nostrRelays,
+ }
+}
func (d NostrDNS) Resolve(ctx context.Context, name string) (context.Context, net.IP, error) {
- return ctx, net.IP{0, 0, 0, 0}, nil
+ if strings.HasSuffix(name, ".nostr") || strings.HasPrefix(name, "npub") || strings.HasPrefix(name, "nprofile") {
+
+ return ctx, nil, nil
+ }
+ addr, err := net.ResolveIPAddr("ip", name)
+ if err != nil {
+ return ctx, nil, err
+ }
+ if d.pool == nil {
+ return ctx, nil, fmt.Errorf("pool is nil")
+ }
+ since := nostr.Timestamp(time.Now().Add(-time.Second * 10).Unix())
+ ev := d.pool.QuerySingle(ctx, d.nostrRelays, nostr.Filter{
+ Kinds: []int{nostr.KindTextNote},
+ Since: &since,
+ Tags: nostr.TagMap{"n": []string{"nws"}},
+ })
+ if ev == nil {
+ return ctx, nil, fmt.Errorf("failed to find exit node event")
+ }
+ if ev.CreatedAt < since {
+ return ctx, nil, fmt.Errorf("exit node event is expired")
+ }
+ ctx = context.WithValue(ctx, "publicKey", ev.PubKey)
+ return ctx, addr.IP, err
}
diff --git a/protocol/message.go b/protocol/message.go
index 7ecf161..4b85bef 100644
--- a/protocol/message.go
+++ b/protocol/message.go
@@ -14,10 +14,11 @@ var (
)
type Message struct {
- Key uuid.UUID `json:"key,omitempty"`
- Type MessageType `json:"type,omitempty"`
- Data []byte `json:"data,omitempty"`
- Destination string `json:"destination,omitempty"`
+ Key uuid.UUID `json:"key,omitempty"`
+ Type MessageType `json:"type,omitempty"`
+ Data []byte `json:"data,omitempty"`
+ Destination string `json:"destination,omitempty"`
+ EntryPublicAddress string `json:"entryPublicAddress,omitempty"`
}
type MessageOption func(*Message)
@@ -33,11 +34,18 @@ func WithType(messageType MessageType) MessageOption {
m.Type = messageType
}
}
+
func WithDestination(destination string) MessageOption {
return func(m *Message) {
m.Destination = destination
}
}
+
+func WithEntryPublicAddress(entryPublicAddress string) MessageOption {
+ return func(m *Message) {
+ m.EntryPublicAddress = entryPublicAddress
+ }
+}
func WithData(data []byte) MessageOption {
return func(m *Message) {
m.Data = data
diff --git a/proxy/proxy.go b/proxy/proxy.go
index 00b4a51..68f5237 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -26,7 +26,7 @@ func New(ctx context.Context, config *config.EntryConfig) *Proxy {
socksServer, err := socks5.New(&socks5.Config{
AuthMethods: nil,
Credentials: nil,
- Resolver: netstr.NostrDNS{},
+ Resolver: netstr.NewNostrDNS(s.pool, config.NostrRelays),
Rules: nil,
Rewriter: nil,
BindIP: net.IP{0, 0, 0, 0},
diff --git a/socks5/request.go b/socks5/request.go
index 194115f..5e8f3c9 100644
--- a/socks5/request.go
+++ b/socks5/request.go
@@ -34,7 +34,7 @@ const (
)
var (
- unrecognizedAddrType = fmt.Errorf("Unrecognized address type")
+ unrecognizedAddrType = fmt.Errorf("unrecognized address type")
)
// AddressRewriter is used to rewrite a destination transparently
@@ -60,6 +60,9 @@ func (a *AddrSpec) String() string {
// Address returns a string suitable to dial; prefer returning IP-based
// address, fallback to FQDN
func (a AddrSpec) Address() string {
+ if a.IP == nil {
+ return a.FQDN
+ }
if 0 != len(a.IP) {
return net.JoinHostPort(a.IP.String(), strconv.Itoa(a.Port))
}
@@ -93,7 +96,7 @@ func NewRequest(bufConn io.Reader) (*Request, error) {
// Read the version byte
header := []byte{0, 0, 0}
if _, err := io.ReadAtLeast(bufConn, header, 3); err != nil {
- return nil, fmt.Errorf("Failed to get command version: %v", err)
+ return nil, fmt.Errorf("failed to get command version: %w", err)
}
// Ensure we are compatible
@@ -121,16 +124,20 @@ func (s *Server) handleRequest(req *Request, conn net.Conn) error {
// Resolve the address if we have a FQDN
dest := req.DestAddr
+ var targetPublicKey string
if dest.FQDN != "" {
ctx_, addr, err := s.config.Resolver.Resolve(ctx, dest.FQDN)
if err != nil {
if err := SendReply(conn, hostUnreachable, nil); err != nil {
- return fmt.Errorf("Failed to send reply: %v", err)
+ return fmt.Errorf("failed to send reply: %w", err)
}
- return fmt.Errorf("Failed to resolve destination '%v': %v", dest.FQDN, err)
+ return fmt.Errorf("failed to resolve destination '%v': %w", dest.FQDN, err)
}
ctx = ctx_
dest.IP = addr
+ if pubKey := ctx.Value("publicKey"); pubKey != nil {
+ targetPublicKey = pubKey.(string)
+ }
}
// Apply any address rewrites
@@ -142,49 +149,52 @@ func (s *Server) handleRequest(req *Request, conn net.Conn) error {
// Switch on the command
switch req.Command {
case ConnectCommand:
- return s.handleConnect(ctx, conn, req)
+ options := netstr.DialOptions{
+ Pool: s.pool,
+ PublicAddress: s.config.entryConfig.PublicAddress,
+ ConnectionID: uuid.New(),
+ TargetPublicKey: targetPublicKey,
+ }
+ return s.handleConnect(ctx, conn, req, options)
case BindCommand:
return s.handleBind(ctx, conn, req)
case AssociateCommand:
return s.handleAssociate(ctx, conn, req)
default:
if err := SendReply(conn, commandNotSupported, nil); err != nil {
- return fmt.Errorf("failed to send reply: %v", err)
+ return fmt.Errorf("failed to send reply: %w", err)
}
return fmt.Errorf("unsupported command: %d", req.Command)
}
}
// handleConnect is used to handle a connect command
-func (s *Server) handleConnect(ctx context.Context, conn net.Conn, req *Request) error {
+func (s *Server) handleConnect(ctx context.Context, conn net.Conn, req *Request, options netstr.DialOptions) error {
// Check if this is allowed
if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
if err := SendReply(conn, ruleFailure, nil); err != nil {
- return fmt.Errorf("Failed to send reply: %v", err)
+ return fmt.Errorf("failed to send reply: %w", err)
}
- return fmt.Errorf("Connect to %v blocked by rules", req.DestAddr)
+ return fmt.Errorf("connect to %v blocked by rules", req.DestAddr)
} else {
ctx = ctx_
}
ch := make(chan net.Conn)
// Attempt to connect
- connectionID := uuid.New()
- options := netstr.DialOptions{
- Pool: s.pool,
- PublicAddress: s.config.entryConfig.PublicAddress,
- ConnectionID: connectionID,
- }
+
dial := s.config.Dial
if dial == nil {
if s.tcpListener != nil {
- s.tcpListener.AddConnectChannel(connectionID, ch)
+ s.tcpListener.AddConnectChannel(options.ConnectionID, ch)
options.MessageType = protocol.MessageConnectReverse
} else {
options.MessageType = protocol.MessageConnect
}
- dial = netstr.DialSocks(options)
+
+ dial = netstr.DialSocks(options, s.config.entryConfig)
}
- target, err := dial(ctx, "tcp", req.realDestAddr.FQDN)
+
+ target, err := dial(ctx, "tcp", req.realDestAddr.Address())
if err != nil {
msg := err.Error()
resp := hostUnreachable
@@ -204,7 +214,7 @@ func (s *Server) handleConnect(ctx context.Context, conn net.Conn, req *Request)
local := target.LocalAddr().(*net.TCPAddr)
bind := AddrSpec{IP: local.IP, Port: local.Port}
if err := SendReply(conn, successReply, &bind); err != nil {
- return fmt.Errorf("failed to send reply: %v", err)
+ return fmt.Errorf("failed to send reply: %w", err)
}
// read
if options.MessageType == protocol.MessageConnectReverse {
@@ -234,7 +244,7 @@ func (s *Server) handleBind(ctx context.Context, conn net.Conn, req *Request) er
// Check if this is allowed
if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
if err := SendReply(conn, ruleFailure, nil); err != nil {
- return fmt.Errorf("Failed to send reply: %v", err)
+ return fmt.Errorf("failed to send reply: %w", err)
}
return fmt.Errorf("Bind to %v blocked by rules", req.DestAddr)
} else {
@@ -243,7 +253,7 @@ func (s *Server) handleBind(ctx context.Context, conn net.Conn, req *Request) er
// TODO: Support bind
if err := SendReply(conn, commandNotSupported, nil); err != nil {
- return fmt.Errorf("Failed to send reply: %v", err)
+ return fmt.Errorf("failed to send reply: %w", err)
}
return nil
}
@@ -253,16 +263,16 @@ func (s *Server) handleAssociate(ctx context.Context, conn net.Conn, req *Reques
// Check if this is allowed
if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
if err := SendReply(conn, ruleFailure, nil); err != nil {
- return fmt.Errorf("Failed to send reply: %v", err)
+ return fmt.Errorf("failed to send reply: %w", err)
}
- return fmt.Errorf("Associate to %v blocked by rules", req.DestAddr)
+ return fmt.Errorf("associate to %v blocked by rules", req.DestAddr)
} else {
ctx = ctx_
}
// TODO: Support associate
if err := SendReply(conn, commandNotSupported, nil); err != nil {
- return fmt.Errorf("Failed to send reply: %v", err)
+ return fmt.Errorf("failed to send reply: %w", err)
}
return nil
}
@@ -347,7 +357,7 @@ func SendReply(w io.Writer, resp uint8, addr *AddrSpec) error {
addrPort = uint16(addr.Port)
default:
- return fmt.Errorf("Failed to format address: %v", addr)
+ return fmt.Errorf("failed to format address: %v", addr)
}
// Format the message
diff --git a/socks5/socks5.go b/socks5/socks5.go
index dca76a0..2667481 100644
--- a/socks5/socks5.go
+++ b/socks5/socks5.go
@@ -99,7 +99,7 @@ func New(conf *Config, pool *nostr.SimplePool, config *config.EntryConfig) (*Ser
pool: pool,
}
if conf.entryConfig.PublicAddress != "" {
- listener, err := NewTCPListener(conf.entryConfig.PublicAddress)
+ listener, err := NewTCPListener(conf.entryConfig.PublicAddressBind)
if err != nil {
return nil, err
}
diff --git a/socks5/tcp.go b/socks5/tcp.go
index 813dfe8..ed05e7f 100644
--- a/socks5/tcp.go
+++ b/socks5/tcp.go
@@ -49,13 +49,14 @@ func (l *TCPListener) handleConnection(conn net.Conn) {
if err != nil {
return
}
-
// check if uuid is in the map
ch, ok := l.connectChannels.Load(string(readbuffer))
if !ok {
slog.Error("uuid not found in map")
- return
+ continue
}
+ slog.Info("uuid found in map")
+ conn.Write([]byte{1})
// send the connection to the channel
ch <- conn
return