SMusatov
/
TechnitiumSoftware-DnsServer
mirror of https://github.com/TechnitiumSoftware/DnsServer.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510
							/*
Technitium DNS Server
Copyright (C) 2024  Shreyas Zare (shreyas@technitium.com)

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

*/

using DnsServerCore.ApplicationCommon;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.StaticFiles;
using Microsoft.Extensions.FileProviders;
using Microsoft.Extensions.Logging;
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using TechnitiumLibrary;

namespace BlockPage
{
    public sealed class App : IDnsApplication
    {
        #region variables

        IReadOnlyDictionary<string, WebServer> _webServers;

        #endregion

        #region IDisposable

        bool _disposed;

        public void Dispose()
        {
            if (_disposed)
                return;

            StopAllWebServersAsync().Sync();

            _disposed = true;
        }

        #endregion

        #region private

        private async Task StopAllWebServersAsync()
        {
            if (_webServers is not null)
            {
                foreach (KeyValuePair<string, WebServer> webServerEntry in _webServers)
                    await webServerEntry.Value.DisposeAsync();

                _webServers = null;
            }
        }

        #endregion

        #region public

        public async Task InitializeAsync(IDnsServer dnsServer, string config)
        {
            using JsonDocument jsonDocument = JsonDocument.Parse(config);
            JsonElement jsonConfig = jsonDocument.RootElement;

            await StopAllWebServersAsync();

            Dictionary<string, WebServer> webServers = new Dictionary<string, WebServer>(3);
            _webServers = webServers;

            if (jsonConfig.ValueKind == JsonValueKind.Array)
            {
                foreach (JsonElement jsonWebServerConfig in jsonConfig.EnumerateArray())
                {
                    string name = jsonWebServerConfig.GetPropertyValue("name", "default");

                    if (!webServers.TryGetValue(name, out WebServer webServer))
                    {
                        webServer = new WebServer(dnsServer, name);

                        if (!webServers.TryAdd(webServer.Name, webServer))
                            throw new InvalidOperationException("Failed to update web server config. Please try again.");
                    }

                    await webServer.InitializeAsync(jsonWebServerConfig);
                }
            }
            else
            {
                WebServer webServer = new WebServer(dnsServer, "default");
                webServers.Add(webServer.Name, webServer);

                await webServer.InitializeAsync(jsonConfig);

                if (!jsonConfig.TryGetProperty("webServerUseSelfSignedTlsCertificate", out _))
                    config = config.Replace("\"webServerTlsCertificateFilePath\"", "\"webServerUseSelfSignedTlsCertificate\": true,\r\n  \"webServerTlsCertificateFilePath\"");

                if (!jsonConfig.TryGetProperty("enableWebServer", out _))
                    config = config.Replace("\"webServerLocalAddresses\"", "\"enableWebServer\": true,\r\n  \"webServerLocalAddresses\"");

                if (!jsonConfig.TryGetProperty("name", out _))
                    config = config.Replace("\"enableWebServer\"", "\"name\": \"default\",\r\n  \"enableWebServer\"");

                config = "[\r\n  " + config.Replace("\n", "\n  ").TrimEnd() + "\r\n]";
                await File.WriteAllTextAsync(Path.Combine(dnsServer.ApplicationFolder, "dnsApp.config"), config);
            }
        }

        #endregion

        #region properties

        public string Description
        { get { return "Serves a block page from a built-in web server that can be displayed to the end user when a website is blocked by the DNS server.\n\nNote: You need to manually set the Blocking Type as Custom Address in the blocking settings and configure the current server's IP address as Custom Blocking Addresses for the block page to be served to the users. Use a PKCS #12 certificate (.pfx or .p12) for enabling HTTPS support. Enabling HTTPS support will show certificate error to the user which is expected and the user will have to proceed ignoring the certificate error to be able to see the block page."; } }

        #endregion

        class WebServer : IAsyncDisposable
        {
            #region variables

            readonly IDnsServer _dnsServer;
            readonly string _name;

            IReadOnlyList<IPAddress> _webServerLocalAddresses = Array.Empty<IPAddress>();
            bool _webServerUseSelfSignedTlsCertificate;
            string _webServerTlsCertificateFilePath;
            string _webServerTlsCertificatePassword;
            string _webServerRootPath;
            bool _serveBlockPageFromWebServerRoot;

            byte[] _blockPageContent;

            WebApplication _webServer;

            X509Certificate2Collection _webServerTlsCertificateCollection;
            SslServerAuthenticationOptions _sslServerAuthenticationOptions;
            DateTime _webServerTlsCertificateLastModifiedOn;

            Timer _tlsCertificateUpdateTimer;
            const int TLS_CERTIFICATE_UPDATE_TIMER_INITIAL_INTERVAL = 60000;
            const int TLS_CERTIFICATE_UPDATE_TIMER_INTERVAL = 60000;

            #endregion

            #region constructor

            public WebServer(IDnsServer dnsServer, string name)
            {
                _dnsServer = dnsServer;
                _name = name;
            }

            #endregion

            #region IDisposable

            bool _disposed;

            public async ValueTask DisposeAsync()
            {
                if (_disposed)
                    return;

                await StopTlsCertificateUpdateTimerAsync();
                await StopWebServerAsync();

                _disposed = true;
            }

            #endregion

            #region private

            private async Task StartWebServerAsync()
            {
                WebApplicationBuilder builder = WebApplication.CreateBuilder();

                if (_serveBlockPageFromWebServerRoot)
                {
                    builder.Environment.ContentRootFileProvider = new PhysicalFileProvider(_dnsServer.ApplicationFolder)
                    {
                        UseActivePolling = true,
                        UsePollingFileWatcher = true
                    };

                    builder.Environment.WebRootFileProvider = new PhysicalFileProvider(_webServerRootPath)
                    {
                        UseActivePolling = true,
                        UsePollingFileWatcher = true
                    };
                }

                builder.WebHost.ConfigureKestrel(delegate (WebHostBuilderContext context, KestrelServerOptions serverOptions)
                {
                    //http
                    foreach (IPAddress webServiceLocalAddress in _webServerLocalAddresses)
                        serverOptions.Listen(webServiceLocalAddress, 80);

                    //https
                    if (_webServerTlsCertificateCollection is not null)
                    {
                        foreach (IPAddress webServiceLocalAddress in _webServerLocalAddresses)
                        {
                            serverOptions.Listen(webServiceLocalAddress, 443, delegate (ListenOptions listenOptions)
                            {
                                listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
                                listenOptions.UseHttps(delegate (SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken)
                                {
                                    return ValueTask.FromResult(_sslServerAuthenticationOptions);
                                }, null);
                            });
                        }
                    }

                    serverOptions.AddServerHeader = false;
                    serverOptions.Limits.MaxRequestBodySize = int.MaxValue;
                });

                builder.Logging.ClearProviders();

                _webServer = builder.Build();

                _webServer.UseDefaultFiles();
                _webServer.UseStaticFiles(new StaticFileOptions()
                {
                    OnPrepareResponse = delegate (StaticFileResponseContext ctx)
                    {
                        ctx.Context.Response.Headers["X-Robots-Tag"] = "noindex, nofollow";
                        ctx.Context.Response.Headers.CacheControl = "private, max-age=300";
                    },
                    ServeUnknownFileTypes = true
                });

                if (_serveBlockPageFromWebServerRoot)
                    _webServer.Use(RedirectToDefaultPageAsync);
                else
                    _webServer.Use(ServeDefaultPageAsync);

                try
                {
                    await _webServer.StartAsync();

                    foreach (IPAddress webServiceLocalAddress in _webServerLocalAddresses)
                    {
                        _dnsServer.WriteLog("Web server '" + _name + "' was bound successfully: " + new IPEndPoint(webServiceLocalAddress, 80).ToString());

                        if (_webServerTlsCertificateCollection is not null)
                            _dnsServer.WriteLog("Web server '" + _name + "' was bound successfully: " + new IPEndPoint(webServiceLocalAddress, 443).ToString());
                    }
                }
                catch (Exception ex)
                {
                    await StopWebServerAsync();

                    foreach (IPAddress webServiceLocalAddress in _webServerLocalAddresses)
                    {
                        _dnsServer.WriteLog("Web server '" + _name + "' failed to bind: " + new IPEndPoint(webServiceLocalAddress, 80).ToString());

                        if (_webServerTlsCertificateCollection is not null)
                            _dnsServer.WriteLog("Web server '" + _name + "' failed to bind: " + new IPEndPoint(webServiceLocalAddress, 443).ToString());
                    }

                    _dnsServer.WriteLog(ex);
                }
            }

            private async Task StopWebServerAsync()
            {
                if (_webServer is not null)
                {
                    await _webServer.DisposeAsync();
                    _webServer = null;
                }
            }

            private void LoadWebServiceTlsCertificate(string webServerTlsCertificateFilePath, string webServerTlsCertificatePassword)
            {
                FileInfo fileInfo = new FileInfo(webServerTlsCertificateFilePath);

                if (!fileInfo.Exists)
                    throw new ArgumentException("Web server '" + _name + "' TLS certificate file does not exists: " + webServerTlsCertificateFilePath);

                switch (Path.GetExtension(webServerTlsCertificateFilePath).ToLowerInvariant())
                {
                    case ".pfx":
                    case ".p12":
                        break;

                    default:
                        throw new ArgumentException("Web server '" + _name + "' TLS certificate file must be PKCS #12 formatted with .pfx or .p12 extension: " + webServerTlsCertificateFilePath);
                }

                _webServerTlsCertificateCollection = new X509Certificate2Collection();
                _webServerTlsCertificateCollection.Import(webServerTlsCertificateFilePath, webServerTlsCertificatePassword, X509KeyStorageFlags.PersistKeySet);

                X509Certificate2 serverCertificate = null;

                foreach (X509Certificate2 certificate in _webServerTlsCertificateCollection)
                {
                    if (certificate.HasPrivateKey)
                    {
                        serverCertificate = certificate;
                        break;
                    }
                }

                if (serverCertificate is null)
                    throw new ArgumentException("Web server '" + _name + "' TLS certificate file must contain a certificate with private key.");

                _sslServerAuthenticationOptions = new SslServerAuthenticationOptions()
                {
                    ServerCertificateContext = SslStreamCertificateContext.Create(serverCertificate, _webServerTlsCertificateCollection, false)
                };

                _webServerTlsCertificateLastModifiedOn = fileInfo.LastWriteTimeUtc;

                _dnsServer.WriteLog("Web server '" + _name + "' TLS certificate was loaded: " + webServerTlsCertificateFilePath);
            }

            private void StartTlsCertificateUpdateTimer()
            {
                if (_tlsCertificateUpdateTimer is null)
                {
                    _tlsCertificateUpdateTimer = new Timer(delegate (object state)
                    {
                        if (!string.IsNullOrEmpty(_webServerTlsCertificateFilePath))
                        {
                            try
                            {
                                FileInfo fileInfo = new FileInfo(_webServerTlsCertificateFilePath);

                                if (fileInfo.Exists && (fileInfo.LastWriteTimeUtc != _webServerTlsCertificateLastModifiedOn))
                                    LoadWebServiceTlsCertificate(_webServerTlsCertificateFilePath, _webServerTlsCertificatePassword);
                            }
                            catch (Exception ex)
                            {
                                _dnsServer.WriteLog("Web server '" + _name + "' encountered an error while updating TLS Certificate: " + _webServerTlsCertificateFilePath + "\r\n" + ex.ToString());
                            }
                        }

                    }, null, TLS_CERTIFICATE_UPDATE_TIMER_INITIAL_INTERVAL, TLS_CERTIFICATE_UPDATE_TIMER_INTERVAL);
                }
            }

            private async Task StopTlsCertificateUpdateTimerAsync()
            {
                if (_tlsCertificateUpdateTimer is not null)
                {
                    await _tlsCertificateUpdateTimer.DisposeAsync();
                    _tlsCertificateUpdateTimer = null;
                }
            }

            private Task RedirectToDefaultPageAsync(HttpContext context, RequestDelegate next)
            {
                context.Response.Redirect("/", false, true);

                return Task.CompletedTask;
            }

            private async Task ServeDefaultPageAsync(HttpContext context, RequestDelegate next)
            {
                HttpResponse response = context.Response;

                response.StatusCode = StatusCodes.Status200OK;
                response.ContentType = "text/html; charset=utf-8";
                response.ContentLength = _blockPageContent.Length;

                using (Stream s = context.Response.Body)
                {
                    await s.WriteAsync(_blockPageContent);
                }
            }

            #endregion

            #region public

            public async Task InitializeAsync(JsonElement jsonWebServerConfig)
            {
                bool enableWebServer = jsonWebServerConfig.GetPropertyValue("enableWebServer", true);
                if (!enableWebServer)
                {
                    await StopWebServerAsync();
                    return;
                }

                _webServerLocalAddresses = jsonWebServerConfig.ReadArray("webServerLocalAddresses", IPAddress.Parse);

                if (jsonWebServerConfig.TryGetProperty("webServerUseSelfSignedTlsCertificate", out JsonElement jsonWebServerUseSelfSignedTlsCertificate))
                    _webServerUseSelfSignedTlsCertificate = jsonWebServerUseSelfSignedTlsCertificate.GetBoolean();
                else
                    _webServerUseSelfSignedTlsCertificate = true;

                _webServerTlsCertificateFilePath = jsonWebServerConfig.GetProperty("webServerTlsCertificateFilePath").GetString();
                _webServerTlsCertificatePassword = jsonWebServerConfig.GetProperty("webServerTlsCertificatePassword").GetString();

                _webServerRootPath = jsonWebServerConfig.GetProperty("webServerRootPath").GetString();

                if (!Path.IsPathRooted(_webServerRootPath))
                    _webServerRootPath = Path.Combine(_dnsServer.ApplicationFolder, _webServerRootPath);

                _serveBlockPageFromWebServerRoot = jsonWebServerConfig.GetProperty("serveBlockPageFromWebServerRoot").GetBoolean();

                string blockPageTitle = jsonWebServerConfig.GetProperty("blockPageTitle").GetString();
                string blockPageHeading = jsonWebServerConfig.GetProperty("blockPageHeading").GetString();
                string blockPageMessage = jsonWebServerConfig.GetProperty("blockPageMessage").GetString();

                string blockPageContent = @"<html>
<head>
  <title>" + (blockPageTitle is null ? "" : blockPageTitle) + @"</title>
</head>
<body>
" + (blockPageHeading is null ? "" : "  <h1>" + blockPageHeading + "</h1>") + @"
" + (blockPageMessage is null ? "" : "  <p>" + blockPageMessage + "</p>") + @"
</body>
</html>";

                _blockPageContent = Encoding.UTF8.GetBytes(blockPageContent);

                try
                {
                    await StopWebServerAsync();

                    string selfSignedCertificateFilePath = Path.Combine(_dnsServer.ApplicationFolder, "self-signed-cert.pfx");

                    if (_webServerUseSelfSignedTlsCertificate)
                    {
                        string oldSelfSignedCertificateFilePath = Path.Combine(_dnsServer.ApplicationFolder, "cert.pfx");

                        if (!oldSelfSignedCertificateFilePath.Equals(_webServerTlsCertificateFilePath, Environment.OSVersion.Platform == PlatformID.Win32NT ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal) && File.Exists(oldSelfSignedCertificateFilePath) && !File.Exists(selfSignedCertificateFilePath))
                            File.Move(oldSelfSignedCertificateFilePath, selfSignedCertificateFilePath);

                        if (!File.Exists(selfSignedCertificateFilePath))
                        {
                            RSA rsa = RSA.Create(2048);
                            CertificateRequest req = new CertificateRequest("cn=" + _dnsServer.ServerDomain, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                            X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(5));

                            await File.WriteAllBytesAsync(selfSignedCertificateFilePath, cert.Export(X509ContentType.Pkcs12, null as string));
                        }
                    }
                    else
                    {
                        File.Delete(selfSignedCertificateFilePath);
                    }

                    if (string.IsNullOrEmpty(_webServerTlsCertificateFilePath))
                    {
                        await StopTlsCertificateUpdateTimerAsync();

                        if (_webServerUseSelfSignedTlsCertificate)
                        {
                            LoadWebServiceTlsCertificate(selfSignedCertificateFilePath, null);
                        }
                        else
                        {
                            //disable HTTPS
                            _webServerTlsCertificateCollection = null;
                        }
                    }
                    else
                    {
                        LoadWebServiceTlsCertificate(_webServerTlsCertificateFilePath, _webServerTlsCertificatePassword);
                        StartTlsCertificateUpdateTimer();
                    }

                    await StartWebServerAsync();
                }
                catch (Exception ex)
                {
                    _dnsServer.WriteLog(ex);
                }
            }

            #endregion

            #region properties

            public string Name
            { get { return _name; } }

            #endregion
        }
    }
}