From bb1f6cd0e8d0464ae53266d4714187d34a115f68 Mon Sep 17 00:00:00 2001
From: Simone Margaritelli
Date: Thu, 23 Jan 2020 15:48:57 +0100
Subject: [PATCH] new: added new http.proxy.redirect and https.proxy.redirect parameters to optionally disable iptables port redirection

---
 modules/http_proxy/http_proxy.go | 9 +++-
 modules/http_proxy/http_proxy_base.go | 66 +++++++++++++++------------
 modules/https_proxy/https_proxy.go | 10 +++-
 3 files changed, 55 insertions(+), 30 deletions(-)

diff --git a/modules/http_proxy/http_proxy.go b/modules/http_proxy/http_proxy.go
index 9cec358d..44d5d4c7 100644
--- a/modules/http_proxy/http_proxy.go
+++ b/modules/http_proxy/http_proxy.go
@@ -30,6 +30,10 @@ func NewHttpProxy(s *session.Session) *HttpProxy {
 		"8080",
 		"Port to bind the HTTP proxy to."))
 
+	mod.AddParam(session.NewBoolParameter("http.proxy.redirect",
+		"true",
+		"Enable or disable port redirection with iptables."))
+
 	mod.AddParam(session.NewStringParameter("http.proxy.script",
 		"",
 		"",
@@ -82,6 +86,7 @@ func (mod *HttpProxy) Configure() error {
 	var address string
 	var proxyPort int
 	var httpPort int
+	var doRedirect bool
 	var scriptPath string
 	var stripSSL bool
 	var jsToInject string
@@ -96,6 +101,8 @@ func (mod *HttpProxy) Configure() error {
 		return err
 	} else if err, httpPort = mod.IntParam("http.port"); err != nil {
 		return err
+	} else if err, doRedirect = mod.BoolParam("http.proxy.redirect"); err != nil {
+		return err
 	} else if err, scriptPath = mod.StringParam("http.proxy.script"); err != nil {
 		return err
 	} else if err, stripSSL = mod.BoolParam("http.proxy.sslstrip"); err != nil {
@@ -111,7 +118,7 @@ func (mod *HttpProxy) Configure() error {
 	mod.proxy.Blacklist = str.Comma(blacklist)
 	mod.proxy.Whitelist = str.Comma(whitelist)
 
-	return mod.proxy.Configure(address, proxyPort, httpPort, scriptPath, jsToInject, stripSSL)
+	return mod.proxy.Configure(address, proxyPort, httpPort, doRedirect, scriptPath, jsToInject, stripSSL)
 }
 
 func (mod *HttpProxy) Start() error {
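Review bot: The help text on the new `http.proxy.redirect` parameter names iptables, yet the redirection this patch installs goes through the session's `Firewall` abstraction rather than a direct iptables call, so the mechanism may not be iptables on every platform — confirm before tying the user-facing string to it. The text also does not tell the operator what disabling it implies for the clients being proxied. I would word it `"Enable or disable firewall port redirection to the proxy; when false, clients must be configured to use the proxy explicitly."` The mirrored `https.proxy.redirect` parameter in https_proxy.go carries the same string and should be kept in sync with whatever wording is chosen.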
diff --git a/modules/http_proxy/http_proxy_base.go b/modules/http_proxy/http_proxy_base.go
index f83d799f..13cce828 100644
--- a/modules/http_proxy/http_proxy_base.go
+++ b/modules/http_proxy/http_proxy_base.go
@@ -49,6 +49,7 @@ type HTTPProxy struct {
 	jsHook string
 	isTLS bool
 	isRunning bool
+	doRedirect bool
 	stripper *SSLStripper
 	sniListener net.Listener
 	sess *session.Session
@@ -73,15 +74,16 @@ func (l dummyLogger) Printf(format string, v ...interface{}) {
 
 func NewHTTPProxy(s *session.Session) *HTTPProxy {
 	p := &HTTPProxy{
-		Name: "http.proxy",
-		Proxy: goproxy.NewProxyHttpServer(),
-		sess: s,
-		stripper: NewSSLStripper(s, false),
-		isTLS: false,
-		Server: nil,
-		Blacklist: make([]string, 0),
-		Whitelist: make([]string, 0),
-		tag: session.AsTag("http.proxy"),
+		Name: "http.proxy",
+		Proxy: goproxy.NewProxyHttpServer(),
+		sess: s,
+		stripper: NewSSLStripper(s, false),
+		isTLS: false,
+		doRedirect: true,
+		Server: nil,
+		Blacklist: make([]string, 0),
+		Whitelist: make([]string, 0),
+		tag: session.AsTag("http.proxy"),
 	}
 
 	p.Proxy.Verbose = false
@@ -167,11 +169,13 @@ func (p *HTTPProxy) shouldProxy(req *http.Request) bool {
 	return true
 }
 
-func (p *HTTPProxy) Configure(address string, proxyPort int, httpPort int, scriptPath string, jsToInject string, stripSSL bool) error {
+func (p *HTTPProxy) Configure(address string, proxyPort int, httpPort int, doRedirect bool, scriptPath string,
+	jsToInject string, stripSSL bool) error {
 	var err error
 
 	p.stripper.Enable(stripSSL)
 	p.Address = address
+	p.doRedirect = doRedirect
 
 	if strings.HasPrefix(jsToInject, "http://") || strings.HasPrefix(jsToInject, "https://") {
 		p.jsHook = fmt.Sprintf("", jsToInject)
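Review bot: `Configure` is exported, now takes seven positional arguments including a bare `bool`, and still has no doc comment, so a call such as `Configure(addr, 8080, 80, true, "", "", false)` gives the reader no hint what the `true` controls; the `p.doRedirect = doRedirect` assignment further down is the only clue. Add a doc comment above the new signature, e.g. `// Configure prepares the proxy; doRedirect selects whether a firewall port redirection from httpPort to proxyPort is installed, otherwise clients must use the proxy explicitly.` A small options struct would read better than a positional bool at every call site, but that is a larger change than this patch needs. The function body continues past the end of the hunk.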
@@ -205,23 +209,27 @@ func (p *HTTPProxy) Configure(address string, proxyPort int, httpPort int, scrip
 		WriteTimeout: httpWriteTimeout,
 	}
 
-	if !p.sess.Firewall.IsForwardingEnabled() {
-		p.Info("enabling forwarding.")
-		p.sess.Firewall.EnableForwarding(true)
+	if p.doRedirect {
+		if !p.sess.Firewall.IsForwardingEnabled() {
+			p.Info("enabling forwarding.")
+			p.sess.Firewall.EnableForwarding(true)
+		}
+
+		p.Redirection = firewall.NewRedirection(p.sess.Interface.Name(),
+			"TCP",
+			httpPort,
+			p.Address,
+			proxyPort)
+
+		if err := p.sess.Firewall.EnableRedirection(p.Redirection, true); err != nil {
+			return err
+		}
+
+		p.Debug("applied redirection %s", p.Redirection.String())
+	} else {
+		p.Warning("port redirection disabled, the proxy must be set manually to work")
 	}
 
-	p.Redirection = firewall.NewRedirection(p.sess.Interface.Name(),
-		"TCP",
-		httpPort,
-		p.Address,
-		proxyPort)
-
-	if err := p.sess.Firewall.EnableRedirection(p.Redirection, true); err != nil {
-		return err
-	}
-
-	p.Debug("applied redirection %s", p.Redirection.String())
-
 	p.sess.UnkCmdCallback = func(cmd string) bool {
 		if p.Script != nil {
 			return p.Script.OnCommand(cmd)
@@ -267,8 +275,10 @@ func (p *HTTPProxy) TLSConfigFromCA(ca *tls.Certificate) func(host string, ctx *
 	}
 }
 
-func (p *HTTPProxy) ConfigureTLS(address string, proxyPort int, httpPort int, scriptPath string, certFile string, keyFile string, jsToInject string, stripSSL bool) (err error) {
-	if p.Configure(address, proxyPort, httpPort, scriptPath, jsToInject, stripSSL); err != nil {
+func (p *HTTPProxy) ConfigureTLS(address string, proxyPort int, httpPort int, doRedirect bool, scriptPath string,
+	certFile string,
+	keyFile string, jsToInject string, stripSSL bool) (err error) {
+	if err = p.Configure(address, proxyPort, httpPort, doRedirect, scriptPath, jsToInject, stripSSL); err != nil {
 		return err
 	}
 
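Review bot: When `p.doRedirect` is false the new `else` branch leaves `p.Redirection` holding whatever an earlier `Configure` stored there, so the "is a redirection rule installed" state now lives in two fields (`doRedirect` and `Redirection`) that can disagree; the branch should clear it, `p.Redirection = nil`, so that `Stop` and any other reader can key on the pointer alone. Whether `Configure` can be re-run while a rule from a previous run is still installed is not visible from this hunk, but resetting the field costs nothing and removes the ambiguity. The warning could also say what "set manually" means for the operator: `p.Warning("port redirection disabled, clients must be configured to use the proxy explicitly")`. `Configure` continues outside the hunk on both sides.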
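Review bot: The new `ConfigureTLS` signature wraps `certFile string,` onto a line of its own while `keyFile string, jsToInject string, stripSSL bool) (err error) {` stay grouped on the next line, which reads as an accident rather than a deliberate grouping; gofmt accepts both, so only a reviewer notices. I would put `certFile string, keyFile string,` together on the second line and `jsToInject string, stripSSL bool) (err error) {` on the third, matching the two-parameters-per-continuation-line wrap the `Configure` signature in this same file now uses. The body of `ConfigureTLS` continues past the end of the hunk.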
@@ -402,7 +412,7 @@ func (p *HTTPProxy) Start() {
 }
 
 func (p *HTTPProxy) Stop() error {
-	if p.Redirection != nil {
+	if p.doRedirect && p.Redirection != nil {
 		p.Debug("disabling redirection %s", p.Redirection.String())
 		if err := p.sess.Firewall.EnableRedirection(p.Redirection, false); err != nil {
 			return err
diff --git a/modules/https_proxy/https_proxy.go b/modules/https_proxy/https_proxy.go
index 2ad85489..3ede17c2 100644
--- a/modules/https_proxy/https_proxy.go
+++ b/modules/https_proxy/https_proxy.go
@@ -33,6 +33,10 @@ func NewHttpsProxy(s *session.Session) *HttpsProxy {
 		"8083",
 		"Port to bind the HTTPS proxy to."))
 
+	mod.AddParam(session.NewBoolParameter("https.proxy.redirect",
+		"true",
+		"Enable or disable port redirection with iptables."))
+
 	mod.AddParam(session.NewBoolParameter("https.proxy.sslstrip",
 		"false",
 		"Enable or disable SSL stripping."))
@@ -97,6 +101,7 @@ func (mod *HttpsProxy) Configure() error {
 	var address string
 	var proxyPort int
 	var httpPort int
+	var doRedirect bool
 	var scriptPath string
 	var certFile string
 	var keyFile string
@@ -113,6 +118,8 @@ func (mod *HttpsProxy) Configure() error {
 		return err
 	} else if err, httpPort = mod.IntParam("https.port"); err != nil {
 		return err
+	} else if err, doRedirect = mod.BoolParam("https.proxy.redirect"); err != nil {
+		return err
 	} else if err, stripSSL = mod.BoolParam("https.proxy.sslstrip"); err != nil {
 		return err
 	} else if err, certFile = mod.StringParam("https.proxy.certificate"); err != nil {
@@ -153,7 +160,8 @@ func (mod *HttpsProxy) Configure() error {
 		mod.Info("loading proxy certification authority TLS certificate from %s", certFile)
 	}
 
-	return mod.proxy.ConfigureTLS(address, proxyPort, httpPort, scriptPath, certFile, keyFile, jsToInject, stripSSL)
+	return mod.proxy.ConfigureTLS(address, proxyPort, httpPort, doRedirect, scriptPath, certFile, keyFile, jsToInject,
+		stripSSL)
 }
 
 func (mod *HttpsProxy) Start() error {
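Review bot: The added `p.doRedirect &&` in `Stop` makes removal of the firewall rule depend on the current value of the flag rather than on whether a rule was actually installed; if `Configure` can be re-run with the redirect parameter switched off after a rule was applied (not visible from this hunk), the rule is never torn down and the redirection to the proxy outlives the module. Keying on the rule itself, `if p.Redirection != nil {`, with `Configure` setting `p.Redirection = nil` whenever it skips installing one, keeps cleanup tied to what was installed rather than to a setting that may have changed since. `Stop` continues past the end of the hunk.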