first

overlay/Linux/usr/local/bin/pr$

@@ -0,0 +1,344 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+## proxy_ami_cloudflared
+proxy_ami_cloudflared() {
+    [ $# -gt 0 ] || return 1
+    local ip=$1
+    # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+    # a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
+    # https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
+    for no in "${CLOUDF[@]}" ; do
+	nopat=`sed -e 's/\.0.*//' <<< $no`
+	[[ $ip =~ ${nopat}.* ]] && {
+	    # WARN $url cloudflared $ip $no
+	    echo True
+	    return 0
+	    }
+    done
+    echo False
+    return 0
+}
+	
+## proxy_ami_cloudflared_py
+proxy_ami_cloudflared_py() {
+    [ $# -gt 0 ] || return 1
+    local ip=$1
+    a=`proxy_ami_cloudflared $ip`
+    if [ $? -eq 0 -a "$a" = True ] ; then
+	echo $a
+	return 0
+    fi
+    
+    for no in "${CLOUDF[@]}" ; do
+	a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
+	if [ $? -eq 0 -a "$a" = True ] ; then
+	    echo $a
+	    return 0
+	fi
+    done
+    echo False
+    return 0
+}
+
+# /usr/include/openssl/x509_vfy.h
+declare -A OPENSSL_X509_V
+OPENSSL_X509_V=(
+	[0]=OK
+	[1]=ERR_UNSPECIFIED
+	[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
+	[3]=ERR_UNABLE_TO_GET_CRL
+	[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+	[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+	[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+	[7]=ERR_CERT_SIGNATURE_FAILURE
+	[8]=ERR_CRL_SIGNATURE_FAILURE
+	[9]=ERR_CERT_NOT_YET_VALID
+	[10]=ERR_CERT_HAS_EXPIRED
+	[11]=ERR_CRL_NOT_YET_VALID
+	[12]=ERR_CRL_HAS_EXPIRED
+	[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+	[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+	[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+	[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+	[17]=ERR_OUT_OF_MEM
+	[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+	[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
+	[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+	[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+	[22]=ERR_CERT_CHAIN_TOO_LONG
+	[23]=ERR_CERT_REVOKED
+	[24]=ERR_INVALID_CA
+	[25]=ERR_PATH_LENGTH_EXCEEDED
+	[26]=ERR_INVALID_PURPOSE
+	[27]=ERR_CERT_UNTRUSTED
+	[28]=ERR_CERT_REJECTED
+	# These are 'informational' when looking for issuer cert
+	[29]=ERR_SUBJECT_ISSUER_MISMATCH
+	[30]=ERR_AKID_SKID_MISMATCH
+	[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
+	[32]=ERR_KEYUSAGE_NO_CERTSIGN
+	[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
+	[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
+	[35]=ERR_KEYUSAGE_NO_CRL_SIGN
+	[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+	[37]=ERR_INVALID_NON_CA
+	[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
+	[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+	[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+	[41]=ERR_INVALID_EXTENSION
+	[42]=ERR_INVALID_POLICY_EXTENSION
+	[43]=ERR_NO_EXPLICIT_POLICY
+	[44]=ERR_DIFFERENT_CRL_SCOPE
+	[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
+	[46]=ERR_UNNESTED_RESOURCE
+	[47]=ERR_PERMITTED_VIOLATION
+	[48]=ERR_EXCLUDED_VIOLATION
+	[49]=ERR_SUBTREE_MINMAX
+	# The application is not happy
+	[50]=ERR_APPLICATION_VERIFICATION
+	[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
+	[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+	[53]=ERR_UNSUPPORTED_NAME_SYNTAX
+	[54]=ERR_CRL_PATH_VALIDATION_ERROR
+	# Another issuer check debug option
+	[55]=ERR_PATH_LOOP
+	# Suite B mode algorithm violation
+	[56]=ERR_SUITE_B_INVALID_VERSION
+	[57]=ERR_SUITE_B_INVALID_ALGORITHM
+	[58]=ERR_SUITE_B_INVALID_CURVE
+	[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+	[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
+	[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+	# Host, email and IP check errors
+	[62]=ERR_HOSTNAME_MISMATCH
+	[63]=ERR_EMAIL_MISMATCH
+	[64]=ERR_IP_ADDRESS_MISMATCH
+	# DANE TLSA errors
+	[65]=ERR_DANE_NO_MATCH
+	# security level errors
+	[66]=ERR_EE_KEY_TOO_SMALL
+	[67]=ERR_CA_KEY_TOO_SMALL
+	[68]=ERR_CA_MD_TOO_WEAK
+	# Caller error
+	[69]=ERR_INVALID_CALL
+	# Issuer lookup error
+	[70]=ERR_STORE_LOOKUP
+	# Certificate transparency
+	[71]=ERR_NO_VALID_SCTS
+
+	[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
+	# OCSP status errors
+	[73]=ERR_OCSP_VERIFY_NEEDED  	# Need OCSP verification
+	[74]=ERR_OCSP_VERIFY_FAILED  	# Couldn't verify cert through OCSP
+	[75]=ERR_OCSP_CERT_UNKNOWN  	# Certificate wasn't recognized by the OCSP responder
+	[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
+	[77]=ERR_NO_ISSUER_PUBLIC_KEY
+	[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
+	[79]=ERR_EC_KEY_EXPLICIT_PARAMS
+	)
+
+# man 3 libcurl-errors
+declare -A CURLE
+CURLE=(
+	[0]=CURLE_OK
+	[1]=CURLE_UNSUPPORTED_PROTOCOL
+	[2]=CURLE_FAILED_INIT
+	[3]=CURLE_URL_MALFORMAT
+	[4]=CURLE_NOT_BUILT_IN
+	[5]=CURLE_COULDNT_RESOLVE_PROXY
+	[6]=CURLE_COULDNT_RESOLVE_HOST
+	[7]=CURLE_COULDNT_CONNECT
+	[8]=CURLE_WEIRD_SERVER_REPLY
+	[9]=CURLE_REMOTE_ACCESS_DENIED
+	[10]=CURLE_FTP_ACCEPT_FAILED
+	[11]=CURLE_FTP_WEIRD_PASS_REPLY
+	[12]=CURLE_FTP_ACCEPT_TIMEOUT
+	[13]=CURLE_FTP_WEIRD_PASV_REPLY
+	[14]=CURLE_FTP_WEIRD_227_FORMAT
+	[15]=CURLE_FTP_CANT_GET_HOST
+	[16]=CURLE_HTTP2
+	[17]=CURLE_FTP_COULDNT_SET_TYPE
+	[18]=CURLE_PARTIAL_FILE
+	[19]=CURLE_FTP_COULDNT_RETR_FILE
+	[21]=CURLE_QUOTE_ERROR
+	[22]=CURLE_HTTP_RETURNED_ERROR
+	[23]=CURLE_WRITE_ERROR
+	[25]=CURLE_UPLOAD_FAILED
+	[26]=CURLE_READ_ERROR
+	[27]=CURLE_OUT_OF_MEMORY
+	[28]=CURLE_OPERATION_TIMEDOUT
+	[30]=CURLE_FTP_PORT_FAILED
+	[31]=CURLE_FTP_COULDNT_USE_REST
+	[33]=CURLE_RANGE_ERROR
+	[34]=CURLE_HTTP_POST_ERROR
+	[35]=CURLE_SSL_CONNECT_ERROR
+	[36]=CURLE_BAD_DOWNLOAD_RESUME
+	[37]=CURLE_FILE_COULDNT_READ_FILE
+	[38]=CURLE_LDAP_CANNOT_BIND
+	[39]=CURLE_LDAP_SEARCH_FAILED
+	[41]=CURLE_FUNCTION_NOT_FOUND
+	[42]=CURLE_ABORTED_BY_CALLBACK
+	[43]=CURLE_BAD_FUNCTION_ARGUMENT
+	[45]=CURLE_INTERFACE_FAILED
+	[47]=CURLE_TOO_MANY_REDIRECTS
+	[48]=CURLE_UNKNOWN_OPTION
+	[49]=CURLE_SETOPT_OPTION_SYNTAX
+	[52]=CURLE_GOT_NOTHING
+	[53]=CURLE_SSL_ENGINE_NOTFOUND
+	[54]=CURLE_SSL_ENGINE_SETFAILED
+	[55]=CURLE_SEND_ERROR
+	[56]=CURLE_RECV_ERROR
+	[58]=CURLE_SSL_CERTPROBLEM
+	[59]=CURLE_SSL_CIPHER
+	[60]=CURLE_PEER_FAILED_VERIFICATION
+	[61]=CURLE_BAD_CONTENT_ENCODING
+	[62]=CURLE_LDAP_INVALID_URL
+	[63]=CURLE_FILESIZE_EXCEEDED
+	[64]=CURLE_USE_SSL_FAILED
+	[65]=CURLE_SEND_FAIL_REWIND
+	[66]=CURLE_SSL_ENGINE_INITFAILED
+	[67]=CURLE_LOGIN_DENIED
+	[68]=CURLE_TFTP_NOTFOUND
+	[69]=CURLE_TFTP_PERM
+	[70]=CURLE_REMOTE_DISK_FULL
+	[71]=CURLE_TFTP_ILLEGAL
+	[72]=CURLE_TFTP_UNKNOWNID
+	[73]=CURLE_REMOTE_FILE_EXISTS
+	[74]=CURLE_TFTP_NOSUCHUSER
+	[75]=CURLE_CONV_FAILED
+	[76]=CURLE_CONV_REQD
+	[77]=CURLE_SSL_CACERT_BADFILE
+	[78]=CURLE_REMOTE_FILE_NOT_FOUND
+	[79]=CURLE_SSH
+	[80]=CURLE_SSL_SHUTDOWN_FAILED
+	[81]=CURLE_AGAIN
+	[82]=CURLE_SSL_CRL_BADFILE
+	[83]=CURLE_SSL_ISSUER_ERROR
+	[84]=CURLE_FTP_PRET_FAILED
+	[85]=CURLE_RTSP_CSEQ_ERROR
+	[86]=CURLE_RTSP_SESSION_ERROR
+	[87]=CURLE_FTP_BAD_FILE_LIST
+	[88]=CURLE_CHUNK_FAILED
+	[89]=CURLE_NO_CONNECTION_AVAILABLE
+	[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
+	[91]=CURLE_SSL_INVALIDCERTSTATUS
+	[92]=CURLE_HTTP2_STREAM
+	[93]=CURLE_RECURSIVE_API_CALL
+	[94]=CURLE_AUTH_ERROR
+	[95]=CURLE_HTTP3
+	[96]=CURLE_QUIC_CONNECT_ERROR
+	[98]=CURLE_SSL_CLIENTCERT
+	[99]=CURLE_UNRECOVERABLE_POLL
+)
+
+#    20 HTTP response status codes
+declare -A HTTP_RESPONSE
+HTTP_RESPONSE=(
+	[100]="Continue"
+	[101]="Switching Protocols"
+	[103]="Early Hints"
+	[200]="OK"
+	[201]="Created"
+	[202]="Accepted"
+	[203]="Non-Authoritative Information"
+	[204]="No Content"
+	[205]="Reset Content"
+	[206]="Partial Content"
+	[300]="Multiple Choices"
+	[301]="Moved Permanently"
+	[302]="Found"
+	[303]="See Other"
+	[304]="Not Modified"
+	[307]="Temporary Redirect"
+	[308]="Permanent Redirect"
+	[400]="Bad Request"
+	[401]="Unauthorized"
+	[402]="Payment Required"
+	[403]="Forbidden"
+	[404]="Not Found"
+	[405]="Method Not Allowed"
+	[406]="Not Acceptable"
+	[407]="Proxy Authentication Required"
+	[408]="Request Timeout"
+	[409]="Conflict"
+	[410]="Gone"
+	[411]="Length Required"
+	[412]="Precondition Failed"
+	[413]="Payload Too Large"
+	[414]="URI Too Long"
+	[415]="Unsupported Media Type"
+	[416]="Range Not Satisfiable"
+	[417]="Expectation Failed"
+	[418]="Im a teapot"
+	[422]="Unprocessable Entity"
+	[425]="Too Early"
+	[426]="Upgrade Required"
+	[428]="Precondition Required"
+	[429]="Too Many Requests"
+	[431]="Request Header Fields Too Large"
+	[451]="Unavailable For Legal Reasons"
+	[500]="Internal Server Error"
+	[501]="Not Implemented"
+	[502]="Bad Gateway"
+	[503]="Service Unavailable"
+	[504]="Gateway Timeout"
+	[505]="HTTP Version Not Supported"
+	[506]="Variant Also Negotiates"
+	[507]="Insufficient Storage"
+	[508]="Loop Detected"
+	[510]="Not Extended"
+	[511]="Network Authentication Required"
+)
+
+# https://curl.se/docs/ssl-ciphers.html
+
+# openssl
+# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
+
+# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
+openssl=openssl
+# CURLOPT_TLS13_CIPHERS --tls13-ciphers
+if [ $openssl = openssl ] ; then
+    export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
+elif [ $openssl = nss ] ; then
+    export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
+fi
+
+declare -a NOTLSV3
+NOTLSV3=(
+    # connection refused
+    www.mirrorservice.org
+    # no ipv3
+    files.pythonhosted.org
+)
+
+#     https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
+declare -a CLOUDFN
+CLOUDFN=(
+    173.245.48.0/20
+    103.21.244.0/22
+    103.22.200.0/22
+    103.31.4.0/22
+    141.101.64.0/18
+    108.162.192.0/18
+    190.93.240.0/20
+    188.114.96.0/20
+    197.234.240.0/22
+    198.41.128.0/17
+    162.158.0.0/15
+    104.16.0.0/13
+    104.24.0.0/14
+    172.64.0.0/13
+    131.0.72.0/22
+)
+
+#for no in "${CLOUDF[@]}" ; do
+#  # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+#  a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
+#done
+