explicitly dont handle returns in certain places

README.md

@@ -1,11 +1,163 @@
 # probehost2
 an http endpoint to query network diagnosis tools from remote hosts
 
-# disclaimer
+- <a href="#probehost2">Overview</a>
+- <a href="#disclaimer">Disclaimer</a>
+- <a href="#installation">Installation</a>
+    - <a href="#building">Building</a>
+    - <a href="#systemd">Systemd</a>
+    - <a href="#docker">Docker</a>
+    - <a href="#proxy">Proxy</a>
+- <a href="#usage">Usage</a>
+    - <a href="#server">Server</a>
+    - <a href="#client">Client</a>
+        - <a href="#general">General</a>
+        - <a href="#ping">Ping</a>
+        - <a href="#mtr">MTR</a>
+        - <a href="#traceroute">Traceroute</a>
+
+# Disclaimer
 Dont expect good or even mediocre code here. This is my first take at go and is mostly for myself to learn. Suggestions and improvements are welcome.
 
-# installation
+Please note that this project does not include any kind of rate limiting or other protection. It is therefore heavily advised to only make it publicly reachable if a reverse proxy is in place. A sample config for <a href="caddyserver.com/">Caddy</a> can be found in the `caddy` subfolder. 
-wip
 
-# doc
+# Installation
-wip
+The runtime dependencies are currently `iputils`, `traceroute` and `mtr` (sometimes called `mtr-tiny`). `iputils` and `traceroute` can be substituted by `busybox`.
+
+## Building
+The app can be built with the latest Go toolchain.
+
+First get the external module dependencies:
+```sh
+go get -u
+```
+Then build the app, this already strips debug symbols. 
+```sh
+go build -ldflags "-s -w" -o "probehost2" main.go
+```
+(if this is unwanted, just leave out the ldflags argument)
+
+## Systemd
+Example files for a systemd service can be found in the `systemd` subfolder.
+
+## Docker
+A docker container based on <a href="https://alpinelinux.org">Alpine</a> can be built by using the included dockerfile (`docker/Dockerfile`).
+```sh
+docker build -f docker/Dockerfile . -t byreqz/probehost2:latest
+```
+A compose file can also be found in `docker/docker-compose.yml`.
+
+## Proxy
+Its recommended to only run this app together with a rate-limiting reverse-proxy. An example configuration for <a href="caddyserver.com/">Caddy</a> can be found in the `caddy` subfolder. 
+
+# Usage
+## Server
+The app currently has 4 runtime flags:
+- `-p / --listenport` -- sets the port to listen on
+- `-o / --logfilepath` -- sets the log output file
+- `-x / --disable-x-forwarded-for` -- disables checking for the X-Forwarded-For header
+- `-l / --allow-private` -- allows lookups of private IP ranges
+
+All of the Flags also have an accompanying environment value: `PROBEHOST_LOGPATH`, `PROBEHOST_ALLOW_PRIVATE`, `PROBEHOST_LISTEN_PORT` and `PROBEHOST_DISABLE_X_FORWARDED_FOR` but the options given via commandline have priority.
+
+The app will log every request including the IP thats querying and show failed requests on stdout.
+
+Requests that contain an X-Forwarded-For header (implying the app is behind a reverse proxy) will automatically log that address instead of the requesting IP (the proxy itself), this can be turned off with -x.
+
+## Client
+### General
+The app can be queried via HTTP/HTTPS with the following scheme:
+```
+https://[address]/[command]/[hosts]/[options]
+```
+
+- [address] = the IP or domain serving the site
+- [command] = the command to return, currently available:
+  - ping
+  - mtr
+  - traceroute
+- [hosts] = can be one or more hosts query, seperated by a comma
+- [options] = options to run the command with, seperated by a comma
+
+All inputs are validated and invalid input is discarded. If the request contains no valid data, the server will return HTTP 500.
+
+Local IP ranges are by default excluded from lookups, this currently only includes IPs and not hostnames and can be disabled on the server by passing the -l flag.
+
+Command options are based on the originally given cli flags but also have a more understandable altname.
+
+### Ping
+The default options are:
+- `-c 10`: send 10 pings
+
+Available options are:
+- `4` / `force4`: force IPv4
+- `6` / `force6`: force IPv6
+- `d` / `timestamps`: print timestamps
+- `n` / `nodns`: no dns name resolution
+- `v` / `verbose`: verbose output
+- `c1` / `count1`: send 1 ping
+- `c5` / `count5`: send 5 pings
+- `c10` / `count10`: send 10 pings
+
+Example query:
+```sh
+$ curl http://localhost:8000/ping/localhost/c1
+PING localhost(localhost (::1)) 56 data bytes
+64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.189 ms
+
+--- localhost ping statistics ---
+1 packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 0.189/0.189/0.189/0.000 ms
+```
+
+### MTR
+The default options are:
+- `-r`: output using report mode
+- `-w`: output wide report
+- `-c10`: send 10 pings
+
+Available options are:
+- `4` / `force4`: force IPv4
+- `6` / `force6`: force IPv6
+- `u` / `udp`: use UDP instead of ICMP echo
+- `t` / `tcp`: use TCP instead of ICMP echo
+- `e` / `ext`: display information from ICMP extensions
+- `x` / `xml`: output xml
+- `n` / `nodns`: do not resolve host names
+- `b` / `cmb`: show IP numbers and host names
+- `z` / `asn`: display AS number
+- `c1` / `count1`: send 1 ping
+- `c5` / `count5`: send 5 pings
+- `c10` / `count10`: send 10 pings
+
+Example query:
+```
+$ curl http://localhost:8000/mtr/localhost/c1,z
+Start: 2022-01-02T00:06:56+0100
+HOST: xxx                 Loss%   Snt   Last   Avg  Best  Wrst StDev
+  1. AS???    localhost   0.0%     1    0.6   0.6   0.6   0.6   0.0
+```
+
+### Traceroute
+The default options are:
+- none
+
+Available options are:
+- `4` / `force4`: force IPv4
+- `6` / `force6`: force IPv6
+- `f` / `dnf`: do not fragment packets
+- `i` / `ìcmp`: use ICMP ECHO for tracerouting
+- `t` / `tcp`: use TCP SYN for tracerouting (default port is 80)
+- `n` / `nodns`: do not resolve IP addresses to their domain names
+- `u` / `udp`: use UDP to particular port for tracerouting (default port is 53)
+- `ul` / `udplite`: Use UDPLITE for tracerouting (default port is 53)
+- `d` / `dccp`: Use DCCP Request for tracerouting (default port is 33434)
+- `b` / `back`: Guess the number of hops in the backward path and print if it differs
+
+Example query:
+```
+$ curl http://localhost:8000/tracert/localhost/i 
+traceroute to localhost (127.0.0.1), 30 hops max, 60 byte packets
+ 1  localhost (127.0.0.1)  0.063 ms  0.008 ms  0.006 ms
+
+```

caddy/Caddyfile

@@ -0,0 +1,29 @@
+{
+        email [your email]
+        order rate_limit before basicauth
+}
+
+:80, :443 {
+        redir * https://[your domain]
+}
+
+[your domain] {
+        reverse_proxy [host]:[port]
+        log {
+                output file [path] {
+                        roll_size 10GiB
+                        roll_keep 10
+                }
+                level INFO
+        }
+        handle_errors {
+                respond "{http.error.status_code} {http.error.status_text}"
+        }
+        rate_limit {
+                zone dynamic {
+                        key {remote_host}
+                        events 2
+                        window 5s
+                }
+        }
+}

caddy/Dockerfile

@@ -0,0 +1,8 @@
+FROM caddy:builder AS builder
+
+RUN xcaddy build \
+    --with github.com/mholt/caddy-ratelimit \
+    --with github.com/caddy-dns/cloudflare
+FROM caddy:latest
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy

caddy/README.md

@@ -0,0 +1,5 @@
+# caddy
+
+This folder contains a sample configuration for caddy with ratelimiting enabled. this will allow 2 requests per IP every 5 seconds. For more on that, check here: https://github.com/mholt/caddy-ratelimit
+
+I have also included a dockerfile to build caddy with the ratelimiting module.

caddy/build.sh

@@ -0,0 +1 @@
+xcaddy build --with github.com/mholt/caddy-ratelimit

docker/Dockerfile

@@ -6,7 +6,7 @@ RUN CGO_ENABLED=0 go build -o probehost2
 
 FROM alpine:latest
 RUN apk update
-RUN apk add mtr
+RUN apk add mtr iputils
 COPY --from=builder /build/probehost2 /
 RUN touch /probehost2.log
 CMD ["/probehost2"]

docker/docker-compose.yml

@@ -5,6 +5,11 @@ services:
     container_name: probehost2
     image: byreqz/probehost2:latest
     restart: unless-stopped
+    environment:
+     - PROBEHOST_LOGPATH=/probehost2.log
+     - PROBEHOST_ALLOW_PRIVATE=false
+     - PROBEHOST_DISABLE_X_FORWARDED_FOR=false
+     - PROBEHOST_LISTEN_PORT=8000
     ports:
      - 1234:8000
     volumes:

main.go

@@ -1,34 +1,61 @@
 package main
+
 import (
 	"fmt"
+	"net"
+	"net/http"
 	"os"
 	"os/exec"
+	"strconv"
 	"strings"
-  "net/http"
-  "net"
 
 	log "github.com/sirupsen/logrus"
 	flag "github.com/spf13/pflag"
-
 )
 
 var logstdout = log.New()
 var logfile = log.New()
 
 var listenport int
-var usexforwardedfor bool
+var disablexforwardedfor bool
+var allowprivate bool
 
 func init() {
-  var logfilepath string
-  flag.StringVarP(&logfilepath, "logfilepath", "o","probehost2.log", "sets the output file for the log")
-  flag.IntVarP(&listenport, "port", "p", 8000, "sets the port to listen on")
-  flag.BoolVarP(&usexforwardedfor, "use-x-forwarded-for", "x", true, "specifies whether to show x-forwarded-for or the requesting IP")
-  flag.Parse()
-
 	logstdout.SetFormatter(&log.TextFormatter{
 		FullTimestamp: true})
 	logstdout.SetOutput(os.Stdout)
 	logstdout.SetLevel(log.InfoLevel)
+	var logfilepath string
+
+	if _, exists := os.LookupEnv("PROBEHOST_LOGPATH"); exists == true {
+		logfilepath, _ = os.LookupEnv("PROBEHOST_LOGPATH")
+	} else {
+		logfilepath = "probehost2.log"
+	}
+	if exists, _ := os.LookupEnv("PROBEHOST_ALLOW_PRIVATE"); exists == "true" {
+		allowprivate = true
+	} else {
+		allowprivate = false
+	}
+	if envvalue, exists := os.LookupEnv("PROBEHOST_LISTEN_PORT"); exists == true {
+		var err error
+		listenport, err = strconv.Atoi(envvalue)
+		if err != nil {
+			logstdout.Fatal("Failed to read PROBEHOST_LISTEN_PORT: ", err.Error())
+		}
+	} else {
+		listenport = 8000
+	}
+	if exists, _ := os.LookupEnv("PROBEHOST_DISABLE_X_FORWARDED_FOR"); exists == "true" {
+		disablexforwardedfor = true
+	} else {
+		disablexforwardedfor = false
+	}
+	flag.StringVarP(&logfilepath, "logfilepath", "o", logfilepath, "sets the output file for the log")
+	flag.IntVarP(&listenport, "port", "p", listenport, "sets the port to listen on")
+	flag.BoolVarP(&disablexforwardedfor, "disable-x-forwarded-for", "x", disablexforwardedfor, "whether to show x-forwarded-for or the requesting IP")
+	flag.BoolVarP(&allowprivate, "allow-private", "l", allowprivate, "whether to show lookups of private IP ranges")
+	flag.Parse()
 
 	logpath, err := os.OpenFile(logfilepath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0660)
 	if err != nil {
@@ -65,16 +92,38 @@ func runner(remoteip string, command string, args... string) string{
 	return string(cmd)
 }
 
-func validatehosts(hosts []string) []string{
+func validatehosts(hosts []string) ([]string, []string) {
-  var valid []string
+	var validhosts []string
+	var validports []string
 	for _, host := range hosts {
-    if net.ParseIP(host) != nil {
+		split := strings.Split(host, "_")
-      valid = append(valid, host)
+		host = split[0]
+		if hostparse := net.ParseIP(host); hostparse != nil {
+			if (net.IP.IsPrivate(hostparse) || net.IP.IsLoopback(hostparse)) && allowprivate {
+				validhosts = append(validhosts, host)
+			} else if !(net.IP.IsPrivate(hostparse) || net.IP.IsLoopback(hostparse)) {
+				validhosts = append(validhosts, host)
+			}
 		} else if _, err := net.LookupIP(host); err == nil {
-      valid = append(valid, host)
+			validhosts = append(validhosts, host)
+		} else {
+			continue
+		}
+
+		var port string
+		if len(split) > 1 {
+			port = split[1]
+			_, err := strconv.Atoi(port) // validate if port is just an int
+			if err == nil {
+				validports = append(validports, port)
+			} else {
+				validports = append(validports, "0")
+			}
+		} else {
+			validports = append(validports, "0")
 		}
 	}
-  return valid
+	return validhosts, validports
 }
 
 func parseopts(options []string, cmdopts map[string]string) []string {
@@ -88,7 +137,7 @@ func parseopts(options []string, cmdopts map[string]string) []string{
 func prerunner(req *http.Request, cmd string, cmdopts map[string]string, defaultopts []string) string {
 	geturl := strings.Split(req.URL.String(), "/")
 	targets := strings.Split(geturl[2], ",")
-  hosts := validatehosts(targets)
+	hosts, ports := validatehosts(targets)
 	var opts []string
 	opts = append(opts, defaultopts...)
 	if len(geturl) > 3 && len(geturl[3]) > 0 {
@@ -98,55 +147,83 @@ func prerunner(req *http.Request, cmd string, cmdopts map[string]string, default
 	var res string
 	var args []string
 	var remoteaddr string
-  if req.Header.Get("X-Forwarded-For") != "" && usexforwardedfor != false {
+	if req.Header.Get("X-Forwarded-For") != "" && disablexforwardedfor != true {
 		remoteaddr = req.Header.Get("X-Forwarded-For")
 	} else {
 		remoteaddr = req.RemoteAddr
 	}
-  for _, host := range hosts {
+	for i, host := range hosts {
-    args = append(args, opts...)
+		runargs := append(args, opts...)
-    args = append(args, host)
+		if ports[i] != "0" && cmd == "nping" {
-    res = fmt.Sprint(res, runner(remoteaddr, cmd, args...), "\n")
+			runargs = append(runargs, "-p"+ports[i])
+		}
+		runargs = append(runargs, host)
+		res = fmt.Sprint(res, runner(remoteaddr, cmd, runargs...), "\n")
 	}
 	return res
 }
 
 func ping(w http.ResponseWriter, req *http.Request) {
 	cmd := "ping"
-  cmdopts := map[string]string{"4": "-4", "6": "-6", "d": "-D", "n": "-n", "v": "-v", "c1": "-c1", "c5": "-c5", "c10": "-c10"}
+	cmdopts := map[string]string{
+		"4": "-4", "6": "-6", "d": "-D", "n": "-n", "v": "-v", "c1": "-c1", "c5": "-c5", "c10": "-c10",
+		"force4": "-4", "force6": "-6", "timestamps": "-D", "nodns": "-n", "verbose": "-v", "count1": "-c1", "count5": "-c5", "count10": "-c10",
+	}
 	var defaultopts []string
 	defaultopts = append(defaultopts, "-c10")
 	res := prerunner(req, cmd, cmdopts, defaultopts)
 	if strings.TrimSpace(res) == "" {
-    fmt.Fprintln(w, http.StatusInternalServerError)
+		http.Error(w, "500: Internal Server Error", http.StatusInternalServerError)
 	} else {
-    fmt.Fprint(w, strings.TrimSpace(res), "\n")
+		_, _ = fmt.Fprint(w, strings.TrimSpace(res), "\n")
 	}
 }
 
 func mtr(w http.ResponseWriter, req *http.Request) {
 	cmd := "mtr"
-  cmdopts := map[string]string{"4": "-4", "6": "-6", "u": "-u", "t": "-T", "e": "-e", "x": "-x", "n": "-n", "b": "-b", "z": "-z", "c1": "-c1", "c5": "-c5", "c10": "-c10"}
+	cmdopts := map[string]string{
+		"4": "-4", "6": "-6", "u": "-u", "t": "-T", "e": "-e", "x": "-x", "n": "-n", "b": "-b", "z": "-z", "c1": "-c1", "c5": "-c5", "c10": "-c10",
+		"force4": "-4", "force6": "-6", "udp": "-u", "tcp": "-T", "ext": "-e", "xml": "-x", "nodns": "-n", "cmb": "-b", "asn": "-z", "count1": "-c1", "count5": "-c5", "count10": "-c10",
+	}
 	var defaultopts []string
 	defaultopts = append(defaultopts, "-r", "-w", "-c10")
 	res := prerunner(req, cmd, cmdopts, defaultopts)
 	if strings.TrimSpace(res) == "" {
-    fmt.Fprintln(w, http.StatusInternalServerError)
+		http.Error(w, "500: Internal Server Error", http.StatusInternalServerError)
 	} else {
-    fmt.Fprint(w, strings.TrimSpace(res), "\n")
+		_, _ = fmt.Fprint(w, strings.TrimSpace(res), "\n")
 	}
 }
 
 func traceroute(w http.ResponseWriter, req *http.Request) {
 	cmd := "traceroute"
-  cmdopts := map[string]string{"4": "-4", "6": "-6", "dnf": "-F", "i": "-I", "t": "-T", "n": "-n", "u": "-U", "ul": "-UL", "d": "-D", "b": "--back"}
+	cmdopts := map[string]string{
+		"4": "-4", "6": "-6", "f": "-F", "i": "-I", "t": "-T", "n": "-n", "u": "-U", "ul": "-UL", "d": "-D", "b": "--back",
+		"force4": "-4", "force6": "-6", "dnf": "-F", "icmp": "-I", "tcp": "-T", "nodns": "-n", "udp": "-U", "udplite": "-UL", "dccp": "-D", "back": "--back",
+	}
 	var defaultopts []string
 	//defaultopts = append(defaultopts) // no default options for traceroute
 	res := prerunner(req, cmd, cmdopts, defaultopts)
 	if strings.TrimSpace(res) == "" {
-    fmt.Fprintln(w, http.StatusInternalServerError)
+		http.Error(w, "500: Internal Server Error", http.StatusInternalServerError)
 	} else {
-    fmt.Fprint(w, strings.TrimSpace(res), "\n")
+		_, _ = fmt.Fprint(w, strings.TrimSpace(res), "\n")
+	}
+}
+
+func nping(w http.ResponseWriter, req *http.Request) {
+	cmd := "nping"
+	cmdopts := map[string]string{
+		"4": "-4", "6": "-6", "u": "--udp", "t": "--tcp-connect", "v": "-v", "c1": "-c1", "c3": "-c3", "c5": "-c5",
+		"force4": "-4", "force6": "-6", "udp": "--udp", "tcp": "--tcp-connect", "verbose": "-v", "count1": "-c1", "count3": "-c3", "count5": "-c5",
+	}
+	var defaultopts []string
+	defaultopts = append(defaultopts, "-c3")
+	res := prerunner(req, cmd, cmdopts, defaultopts)
+	if strings.TrimSpace(res) == "" {
+		http.Error(w, "500: Internal Server Error", http.StatusInternalServerError)
+	} else {
+		_, _ = fmt.Fprint(w, strings.TrimSpace(res), "\n")
 	}
 }
 
@@ -155,7 +232,8 @@ func main() {
 	http.HandleFunc("/mtr/", mtr)
 	http.HandleFunc("/tracert/", traceroute)
 	http.HandleFunc("/traceroute/", traceroute)
+	http.HandleFunc("/nping/", nping)
 	logstdout.Info("Serving on :", listenport)
 	logfile.Info("Serving on :", listenport)
-  http.ListenAndServe(fmt.Sprint(":", listenport), nil)
+	_ = http.ListenAndServe(fmt.Sprint(":", listenport), nil)
 }