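#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
#
# Shared definitions for the "proxy" role: Cloudflare address-range
# lookups plus name tables for OpenSSL X509 verify results, libcurl
# error codes and HTTP status codes.  Meant to be sourced by other
# scripts rather than executed on its own.
#
# Requires: /usr/local/bin/usr_local_tput.bash (sourced below; the file
#           aborts with status 2 when it cannot be loaded).
# Globals:  CLOUDF  - list of IPv4 CIDR ranges read by the
#                     proxy_ami_cloudflared* functions at call time
#                     (see the CLOUDFN fallback near the end of the file).
#           CURLOPT_TLS13_CIPHERS - exported TLS 1.3 cipher list.

ROLE=proxy   # NOTE(review): presumably read by the helper sourced next — confirm
. /usr/local/bin/usr_local_tput.bash || exit 2

#######################################
# Convert a dotted-quad IPv4 address to its 32-bit integer value.
# Arguments: $1 - address such as 198.41.128.7
# Outputs:   the integer on stdout
# Returns:   0 on success, 1 when $1 is not exactly four octets in 0..255
#######################################
_proxy_ip4_to_int() {
  local -a octets
  local octet value=0
  IFS=. read -r -a octets <<< "$1"
  [ "${#octets[@]}" -eq 4 ] || return 1
  for octet in "${octets[@]}"; do
    # digits only, then a range check; 10# stops a leading 0 being read as octal
    [[ $octet =~ ^[0-9]{1,3}$ ]] || return 1
    (( 10#$octet <= 255 )) || return 1
    value=$(( (value << 8) | 10#$octet ))
  done
  printf '%d\n' "$value"
}

## proxy_ami_cloudflared
#######################################
# Report whether an IPv4 address falls inside one of the CLOUDF ranges,
# using pure-bash CIDR arithmetic (no external interpreter).
#
# The earlier implementation matched a regex built from the network
# address with everything from ".0" onward stripped.  That is wrong in
# both directions: it misses most of a range whose prefix is not octet
# aligned (104.16.0.0/13 shrank to "104.16", dropping 104.17-104.23) and,
# because the pattern was unanchored with unescaped dots, it also matched
# unrelated addresses.  A wrong answer here means traffic is classified
# as (or not as) Cloudflare-fronted, so the check is now exact.
#
# Globals:   CLOUDF (read)
# Arguments: $1 - IPv4 address
# Outputs:   "True" or "False" on stdout
# Returns:   1 when no argument is given, 0 otherwise (including on a
#            malformed address, which prints False)
#######################################
proxy_ami_cloudflared() {
  [ $# -gt 0 ] || return 1
  local ip=$1
  local ipn netn net prefix mask no
  # https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
  # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
  ipn=$(_proxy_ip4_to_int "$ip") || { echo False; return 0; }
  for no in "${CLOUDF[@]}" ; do
    net=${no%%/*}
    if [[ $no == */* ]]; then prefix=${no#*/}; else prefix=32; fi
    # skip table entries that are not a valid /0../32 prefix instead of
    # letting a typo in the list abort or mis-classify the lookup
    [[ $prefix =~ ^[0-9]{1,2}$ ]] || continue
    prefix=$(( 10#$prefix ))
    (( prefix <= 32 )) || continue
    netn=$(_proxy_ip4_to_int "$net") || continue
    # bash integers are 64-bit, so the shift does not overflow; mask back to 32 bits
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    if (( (ipn & mask) == (netn & mask) )); then
      # WARN $url cloudflared $ip $no   ($url is not defined in this file)
      echo True
      return 0
    fi
  done
  echo False
  return 0
}

## proxy_ami_cloudflared_py
#######################################
# Same answer as proxy_ami_cloudflared, computed with Python's ipaddress
# module as an independent cross-check.
#
# The address and the range list are passed as argv, never spliced into
# the program text: "$ip" typically originates from a URL or DNS answer,
# and interpolating it into "python3 -c '...IPv4Address('$ip')...'" as
# the previous version did would let a crafted value run arbitrary
# Python.  Membership is tested against the network object directly; the
# old list(IPv4Network(...)) enumerated every host of a /13 on each call.
# The regex pre-check used by the old version is dropped because it could
# return True for addresses outside every range.
#
# Globals:   CLOUDF (read)
# Arguments: $1 - IPv4 address
# Outputs:   "True" or "False" on stdout
# Returns:   1 when no argument is given, 0 otherwise (a python3 failure
#            or malformed input prints False)
#######################################
proxy_ami_cloudflared_py() {
  [ $# -gt 0 ] || return 1
  local ip=$1
  local a
  local -r prog='
import ipaddress, sys
try:
    ip = ipaddress.IPv4Address(sys.argv[1])
except ValueError:
    print("False")
    sys.exit(0)
for cidr in sys.argv[2:]:
    try:
        if ip in ipaddress.IPv4Network(cidr):
            print("True")
            sys.exit(0)
    except ValueError:
        pass
print("False")
'
  if a=$(python3 -c "$prog" "$ip" "${CLOUDF[@]}") && [ "$a" = True ]; then
    echo True
    return 0
  fi
  echo False
  return 0
}

# /usr/include/openssl/x509_vfy.h
# X509_V_* verify result code -> name (index = numeric code).
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
  [0]=OK
  [1]=ERR_UNSPECIFIED
  [2]=ERR_UNABLE_TO_GET_ISSUER_CERT
  [3]=ERR_UNABLE_TO_GET_CRL
  [4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
  [5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
  [6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
  [7]=ERR_CERT_SIGNATURE_FAILURE
  [8]=ERR_CRL_SIGNATURE_FAILURE
  [9]=ERR_CERT_NOT_YET_VALID
  [10]=ERR_CERT_HAS_EXPIRED
  [11]=ERR_CRL_NOT_YET_VALID
  [12]=ERR_CRL_HAS_EXPIRED
  [13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
  [14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
  [15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
  [16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
  [17]=ERR_OUT_OF_MEM
  [18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
  [19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
  [20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
  [21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
  [22]=ERR_CERT_CHAIN_TOO_LONG
  [23]=ERR_CERT_REVOKED
  [24]=ERR_INVALID_CA
  [25]=ERR_PATH_LENGTH_EXCEEDED
  [26]=ERR_INVALID_PURPOSE
  [27]=ERR_CERT_UNTRUSTED
  [28]=ERR_CERT_REJECTED
  # These are 'informational' when looking for issuer cert
  [29]=ERR_SUBJECT_ISSUER_MISMATCH
  [30]=ERR_AKID_SKID_MISMATCH
  [31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
  [32]=ERR_KEYUSAGE_NO_CERTSIGN
  [33]=ERR_UNABLE_TO_GET_CRL_ISSUER
  [34]=ERR_UNHANDLED_CRITICAL_EXTENSION
  [35]=ERR_KEYUSAGE_NO_CRL_SIGN
  [36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
  [37]=ERR_INVALID_NON_CA
  [38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
  [39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
  [40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
  [41]=ERR_INVALID_EXTENSION
  [42]=ERR_INVALID_POLICY_EXTENSION
  [43]=ERR_NO_EXPLICIT_POLICY
  [44]=ERR_DIFFERENT_CRL_SCOPE
  [45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
  [46]=ERR_UNNESTED_RESOURCE
  [47]=ERR_PERMITTED_VIOLATION
  [48]=ERR_EXCLUDED_VIOLATION
  [49]=ERR_SUBTREE_MINMAX
  # The application is not happy
  [50]=ERR_APPLICATION_VERIFICATION
  [51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
  [52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
  [53]=ERR_UNSUPPORTED_NAME_SYNTAX
  [54]=ERR_CRL_PATH_VALIDATION_ERROR
  # Another issuer check debug option
  [55]=ERR_PATH_LOOP
  # Suite B mode algorithm violation
  [56]=ERR_SUITE_B_INVALID_VERSION
  [57]=ERR_SUITE_B_INVALID_ALGORITHM
  [58]=ERR_SUITE_B_INVALID_CURVE
  [59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
  [60]=ERR_SUITE_B_LOS_NOT_ALLOWED
  [61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
  # Host, email and IP check errors
  [62]=ERR_HOSTNAME_MISMATCH
  [63]=ERR_EMAIL_MISMATCH
  [64]=ERR_IP_ADDRESS_MISMATCH
  # DANE TLSA errors
  [65]=ERR_DANE_NO_MATCH
  # security level errors
  [66]=ERR_EE_KEY_TOO_SMALL
  [67]=ERR_CA_KEY_TOO_SMALL
  [68]=ERR_CA_MD_TOO_WEAK
  # Caller error
  [69]=ERR_INVALID_CALL
  # Issuer lookup error
  [70]=ERR_STORE_LOOKUP
  # Certificate transparency
  [71]=ERR_NO_VALID_SCTS
  [72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
  # OCSP status errors
  [73]=ERR_OCSP_VERIFY_NEEDED      # Need OCSP verification
  [74]=ERR_OCSP_VERIFY_FAILED      # Couldn't verify cert through OCSP
  [75]=ERR_OCSP_CERT_UNKNOWN       # Certificate wasn't recognized by the OCSP responder
  [76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
  [77]=ERR_NO_ISSUER_PUBLIC_KEY
  [78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
  [79]=ERR_EC_KEY_EXPLICIT_PARAMS
)

# man 3 libcurl-errors
# CURLcode -> name (index = numeric code; unlisted numbers are codes curl
# has retired and no longer reports).
declare -A CURLE
CURLE=(
  [0]=CURLE_OK
  [1]=CURLE_UNSUPPORTED_PROTOCOL
  [2]=CURLE_FAILED_INIT
  [3]=CURLE_URL_MALFORMAT
  [4]=CURLE_NOT_BUILT_IN
  [5]=CURLE_COULDNT_RESOLVE_PROXY
  [6]=CURLE_COULDNT_RESOLVE_HOST
  [7]=CURLE_COULDNT_CONNECT
  [8]=CURLE_WEIRD_SERVER_REPLY
  [9]=CURLE_REMOTE_ACCESS_DENIED
  [10]=CURLE_FTP_ACCEPT_FAILED
  [11]=CURLE_FTP_WEIRD_PASS_REPLY
  [12]=CURLE_FTP_ACCEPT_TIMEOUT
  [13]=CURLE_FTP_WEIRD_PASV_REPLY
  [14]=CURLE_FTP_WEIRD_227_FORMAT
  [15]=CURLE_FTP_CANT_GET_HOST
  [16]=CURLE_HTTP2
  [17]=CURLE_FTP_COULDNT_SET_TYPE
  [18]=CURLE_PARTIAL_FILE
  [19]=CURLE_FTP_COULDNT_RETR_FILE
  [21]=CURLE_QUOTE_ERROR
  [22]=CURLE_HTTP_RETURNED_ERROR
  [23]=CURLE_WRITE_ERROR
  [25]=CURLE_UPLOAD_FAILED
  [26]=CURLE_READ_ERROR
  [27]=CURLE_OUT_OF_MEMORY
  [28]=CURLE_OPERATION_TIMEDOUT
  [30]=CURLE_FTP_PORT_FAILED
  [31]=CURLE_FTP_COULDNT_USE_REST
  [33]=CURLE_RANGE_ERROR
  [34]=CURLE_HTTP_POST_ERROR
  [35]=CURLE_SSL_CONNECT_ERROR
  [36]=CURLE_BAD_DOWNLOAD_RESUME
  [37]=CURLE_FILE_COULDNT_READ_FILE
  [38]=CURLE_LDAP_CANNOT_BIND
  [39]=CURLE_LDAP_SEARCH_FAILED
  [41]=CURLE_FUNCTION_NOT_FOUND
  [42]=CURLE_ABORTED_BY_CALLBACK
  [43]=CURLE_BAD_FUNCTION_ARGUMENT
  [45]=CURLE_INTERFACE_FAILED
  [47]=CURLE_TOO_MANY_REDIRECTS
  [48]=CURLE_UNKNOWN_OPTION
  [49]=CURLE_SETOPT_OPTION_SYNTAX
  [52]=CURLE_GOT_NOTHING
  [53]=CURLE_SSL_ENGINE_NOTFOUND
  [54]=CURLE_SSL_ENGINE_SETFAILED
  [55]=CURLE_SEND_ERROR
  [56]=CURLE_RECV_ERROR
  [58]=CURLE_SSL_CERTPROBLEM
  [59]=CURLE_SSL_CIPHER
  [60]=CURLE_PEER_FAILED_VERIFICATION
  [61]=CURLE_BAD_CONTENT_ENCODING
  [62]=CURLE_LDAP_INVALID_URL
  [63]=CURLE_FILESIZE_EXCEEDED
  [64]=CURLE_USE_SSL_FAILED
  [65]=CURLE_SEND_FAIL_REWIND
  [66]=CURLE_SSL_ENGINE_INITFAILED
  [67]=CURLE_LOGIN_DENIED
  [68]=CURLE_TFTP_NOTFOUND
  [69]=CURLE_TFTP_PERM
  [70]=CURLE_REMOTE_DISK_FULL
  [71]=CURLE_TFTP_ILLEGAL
  [72]=CURLE_TFTP_UNKNOWNID
  [73]=CURLE_REMOTE_FILE_EXISTS
  [74]=CURLE_TFTP_NOSUCHUSER
  [75]=CURLE_CONV_FAILED
  [76]=CURLE_CONV_REQD
  [77]=CURLE_SSL_CACERT_BADFILE
  [78]=CURLE_REMOTE_FILE_NOT_FOUND
  [79]=CURLE_SSH
  [80]=CURLE_SSL_SHUTDOWN_FAILED
  [81]=CURLE_AGAIN
  [82]=CURLE_SSL_CRL_BADFILE
  [83]=CURLE_SSL_ISSUER_ERROR
  [84]=CURLE_FTP_PRET_FAILED
  [85]=CURLE_RTSP_CSEQ_ERROR
  [86]=CURLE_RTSP_SESSION_ERROR
  [87]=CURLE_FTP_BAD_FILE_LIST
  [88]=CURLE_CHUNK_FAILED
  [89]=CURLE_NO_CONNECTION_AVAILABLE
  [90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
  [91]=CURLE_SSL_INVALIDCERTSTATUS
  [92]=CURLE_HTTP2_STREAM
  [93]=CURLE_RECURSIVE_API_CALL
  [94]=CURLE_AUTH_ERROR
  [95]=CURLE_HTTP3
  [96]=CURLE_QUIC_CONNECT_ERROR
  [98]=CURLE_SSL_CLIENTCERT
  [99]=CURLE_UNRECOVERABLE_POLL
)

# 20 HTTP response status codes
# status code -> reason phrase
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
  [100]="Continue"
  [101]="Switching Protocols"
  [103]="Early Hints"
  [200]="OK"
  [201]="Created"
  [202]="Accepted"
  [203]="Non-Authoritative Information"
  [204]="No Content"
  [205]="Reset Content"
  [206]="Partial Content"
  [300]="Multiple Choices"
  [301]="Moved Permanently"
  [302]="Found"
  [303]="See Other"
  [304]="Not Modified"
  [307]="Temporary Redirect"
  [308]="Permanent Redirect"
  [400]="Bad Request"
  [401]="Unauthorized"
  [402]="Payment Required"
  [403]="Forbidden"
  [404]="Not Found"
  [405]="Method Not Allowed"
  [406]="Not Acceptable"
  [407]="Proxy Authentication Required"
  [408]="Request Timeout"
  [409]="Conflict"
  [410]="Gone"
  [411]="Length Required"
  [412]="Precondition Failed"
  [413]="Payload Too Large"
  [414]="URI Too Long"
  [415]="Unsupported Media Type"
  [416]="Range Not Satisfiable"
  [417]="Expectation Failed"
  [418]="Im a teapot"
  [422]="Unprocessable Entity"
  [425]="Too Early"
  [426]="Upgrade Required"
  [428]="Precondition Required"
  [429]="Too Many Requests"
  [431]="Request Header Fields Too Large"
  [451]="Unavailable For Legal Reasons"
  [500]="Internal Server Error"
  [501]="Not Implemented"
  [502]="Bad Gateway"
  [503]="Service Unavailable"
  [504]="Gateway Timeout"
  [505]="HTTP Version Not Supported"
  [506]="Variant Also Negotiates"
  [507]="Insufficient Storage"
  [508]="Loop Detected"
  [510]="Not Extended"
  # one phrase on one line: the old source had a line break inside the literal
  [511]="Network Authentication Required"
)

# https://curl.se/docs/ssl-ciphers.html
# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
# Which TLS backend curl was built against; only "openssl" and "nss" are
# handled, anything else leaves CURLOPT_TLS13_CIPHERS untouched.
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ "$openssl" = openssl ] ; then
  # NOTE(review): TLS_AES_128_CCM_8_SHA256 carries only a 64-bit
  # authentication tag; it is the weakest suite listed here and is only
  # worth keeping if a peer genuinely requires it.
  export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ "$openssl" = nss ] ; then
  export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi

# Hosts for which the TLS 1.3 handshake is known not to work.
declare -a NOTLSV3
NOTLSV3=(
  # connection refused
  www.mirrorservice.org
  # no ipv3
  files.pythonhosted.org
)

# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
# Snapshot of Cloudflare's published IPv4 ranges as of 2022.  A stale
# table only shows up as silent "False" answers from the lookups above,
# so refresh it from the same upstream list when Cloudflare announces
# changes.
declare -a CLOUDFN
CLOUDFN=(
  173.245.48.0/20
  103.21.244.0/22
  103.22.200.0/22
  103.31.4.0/22
  141.101.64.0/18
  108.162.192.0/18
  190.93.240.0/20
  188.114.96.0/20
  197.234.240.0/22
  198.41.128.0/17
  162.158.0.0/15
  104.16.0.0/13
  104.24.0.0/14
  172.64.0.0/13
  131.0.72.0/22
)

# The lookup functions iterate CLOUDF, yet this file only defines CLOUDFN.
# NOTE(review): CLOUDF may be supplied by the sourced helper — confirm.  When
# it is not, fall back to the table above so that the lookups do not answer
# "False" for every address.  An existing CLOUDF is left untouched.
[ "${#CLOUDF[@]}" -gt 0 ] || CLOUDF=("${CLOUDFN[@]}")

#for no in "${CLOUDF[@]}" ; do
#  # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
#  a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done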