https_proxy 0.3.0

Stealth HTTPS forward proxy with automatic Let's Encrypt TLS and nginx camouflage
//! Proxy authentication via `Proxy-Authorization: Basic` header.
//!
//! Validates Base64-encoded credentials against the configured user list.
//! Returns `false` (triggering a stealth 404) on missing, malformed, or
//! incorrect credentials.

use base64::engine::general_purpose::STANDARD;
use base64::Engine;
use hyper::body::Incoming;
use hyper::Request;

use crate::config::UserConfig;

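/// Check the `Proxy-Authorization` header against the allowed user list.
///
/// Returns `true` only if the header is present, uses the `Basic` scheme,
/// decodes to valid UTF-8 in `username:password` form, and matches a
/// configured user. Every other outcome (missing header, other scheme,
/// invalid Base64, invalid UTF-8, no `:` separator, no matching user)
/// returns `false`.
///
/// # Security
///
/// Credential comparison is done with [`constant_time_eq`] and every
/// configured user is checked, so the time taken does not depend on how
/// many leading bytes of a guess are correct or on which entry matched.
/// The early returns above only reveal whether the header was well-formed,
/// which the client already knows.
pub fn check_proxy_auth(req: &Request<Incoming>, users: &[UserConfig]) -> bool {
    let Some(header) = req
        .headers()
        .get("proxy-authorization")
        .and_then(|v| v.to_str().ok())
    else {
        return false;
    };

    // The scheme match is case-sensitive and requires exactly one space.
    // RFC 7235 treats scheme names case-insensitively, so a client sending
    // `basic ...` is rejected here; kept as in the original behaviour.
    let Some(encoded) = header.strip_prefix("Basic ") else {
        return false;
    };

    let Ok(decoded) = STANDARD.decode(encoded) else {
        return false;
    };
    let Ok(credentials) = String::from_utf8(decoded) else {
        return false;
    };

    // Split on the first ':' only, so passwords may themselves contain ':'.
    let Some((user, pass)) = credentials.split_once(':') else {
        return false;
    };

    // NOTE(review): the supplied password is compared directly with
    // `UserConfig::password`, which suggests the configuration holds it in a
    // directly comparable (possibly plaintext) form. Confirm against
    // `crate::config`, and consider storing a salted password hash instead.
    //
    // `fold` with the non-short-circuiting `|` and `&` visits every user and
    // evaluates both comparisons each time, unlike `any` with `&&`.
    users.iter().fold(false, |matched, u| {
        let user_ok = constant_time_eq(user.as_bytes(), u.username.as_bytes());
        let pass_ok = constant_time_eq(pass.as_bytes(), u.password.as_bytes());
        matched | (user_ok & pass_ok)
    })
}

/// Compare a client-supplied value with a configured secret without
/// stopping at the first differing byte.
///
/// The loop runs over `supplied` only, so its length is driven by the
/// client's input rather than by the secret. A length mismatch is folded
/// into the accumulator instead of being an early return.
///
/// This is a best-effort mitigation: the compiler is not required to keep
/// the code constant-time. A vetted constant-time comparison crate (for
/// example `subtle`) would give stronger guarantees if a new dependency is
/// acceptable.
fn constant_time_eq(supplied: &[u8], expected: &[u8]) -> bool {
    let mut diff = supplied.len() ^ expected.len();
    for (i, &byte) in supplied.iter().enumerate() {
        // Past the end of `expected`, compare against 0. The length term
        // above has already made `diff` non-zero in that case.
        let other = expected.get(i).copied().unwrap_or(0);
        diff |= usize::from(byte ^ other);
    }
    // `black_box` discourages the optimiser from rewriting the accumulation
    // into an early-exit comparison.
    std::hint::black_box(diff) == 0
}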