Merge pull request #65 from skatsubo/chore/typos

Fix typos in text and comments and in http resp handling in code

Author: alexflint

README.md

@@ -55,7 +55,7 @@ sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
 sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
 ```
 
-What this does is disable a [recent kernel feature that restricts unpriveleged user namespaces](https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces). The above may also be needed on other distros that have disabled unpriveleged user namespaces by default. I will update this documentation as I learn more. I am investigating ways to avoid the need for this entirely by shipping an apparmor profile with httptap.
+What this does is disable a [recent kernel feature that restricts unprivileged user namespaces](https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces). The above may also be needed on other distros that have disabled unprivileged user namespaces by default. I will update this documentation as I learn more. I am investigating ways to avoid the need for this entirely by shipping an apparmor profile with httptap.
 
 # Quickstart
 
@@ -120,7 +120,7 @@ $ httptap --https 443 6443 -- kubectl get all --insecure-skip-tls-verify
 <ordinary kubectl output here>
 ```
 
-In the above, `--insecure-skip-tls-verify` is necessary because kubectl doesn't use the httptap-generated certificate authority, and `--https 443 6443` says to treat TCP connections on ports 443 and 6443 as HTTPS connections, which is needed because my cluter's API endpoint uses port 6443.
+In the above, `--insecure-skip-tls-verify` is necessary because kubectl doesn't use the httptap-generated certificate authority, and `--https 443 6443` says to treat TCP connections on ports 443 and 6443 as HTTPS connections, which is needed because my cluster's API endpoint uses port 6443.
 
 Let's see how DNS-over-HTTP works when you use `--doh-url` with curl:
 
@@ -174,11 +174,11 @@ There are many HAR viewers out there that can visualize this dump file. For exam
 
 ![HAR Analyzer Screenshot](docs/har-screenshot.png)
 
-Again, what you're looking at here is one HTTP request to https://monasticacademy.org that returns a 308 Redirect, followed by a second HTTP request to https://www.monasticacademy.org that return a 200 OK.
+Again, what you're looking at here is one HTTP request to https://monasticacademy.org that returns a 308 Redirect, followed by a second HTTP request to https://www.monasticacademy.org that returns a 200 OK.
 
 # Reaching localhost
 
-To reach a localhost port, replace "localhost" with "host.httptap.local" or the special IP address 169.254.77.65. Traffic to these destinations will routed to localhost on your machine.
+To reach a localhost port, replace "localhost" with "host.httptap.local" or the special IP address 169.254.77.65. Traffic to these destinations will be routed to localhost on your machine.
 
 The situation here is that in linux every network namespace automatically gets its own loopback device (127.0.0.1), and these can't be shared. This means that if a process running within httptap tries to connect to 127.0.0.1:1234, it'll actually be connecting to a "different" 127.0.0.1 from another process on your machine listening on this same address and port, and you won't be able to connect.
 
@@ -197,7 +197,7 @@ $ httptap --no-exit -- code --ignore-certificate-errors .
 ...
 ```
 
-You will have to press ctrl+C to kill httptap once you exit vscode.
+You will have to press Ctrl+C to kill httptap once you exit vscode.
 
 In the above, without `--no-exit`, httptap would exit immediately after launching vscode. However, even though the subprocess launched by httptap has exited, that subprocess created a whole separate process tree before it did so. That process tree is the actual GUI app, and it is still pinned to the httptap network namespace. If httptap exits then the network namespace will continue to exist, and the GUI app will continue to run, but nobody will be reading packets sent to the TUN device that is only available network interface in that network namespace, and as a result the app will have no network connectivity. The workaround for this is the `--no-exit` flag that asks httptap to keep proxying network traffic even after the immediate subprocess exits.
 
@@ -241,15 +241,15 @@ When you run `httptap -- <command>`, httptap runs `<command>` in an isolated net
 
 In linux, there is a kernel API for creating and configuring network interfaces. Conventionally, a network interface would be a physical ethernet or WiFi controller in your computer, but it is possible to create a special kind of network interface called a TUN device. A TUN device shows up to the system in the way that any network interface shows up, but any traffic written to it will be delivered to a file descriptor held by the process that created it. Httptap creates a TUN device and runs the subprocess in an environment in which all network traffic is routed through that device.
 
-There is also a kernel API in linux for creating network namespaces. A network namespace is a list of network interfaces and routing rules. When a process is started in linux, it can be run in a specified network namespace. By default, processes run in a root network namespace that we do not want to make chagnes to because doing so would affect all network traffic on the system. Instead, we create a network namespace in which there are only two network interfaces: a loopback device (127.0.0.1) and a TUN device that delivers traffic to us. Then we run the subprocess in that namespace.
+There is also a kernel API in linux for creating network namespaces. A network namespace is a list of network interfaces and routing rules. When a process is started in linux, it can be run in a specified network namespace. By default, processes run in a root network namespace that we do not want to make changes to because doing so would affect all network traffic on the system. Instead, we create a network namespace in which there are only two network interfaces: a loopback device (127.0.0.1) and a TUN device that delivers traffic to us. Then we run the subprocess in that namespace.
 
 The traffic from the network device is delivered to us as raw IP packets. We must parse the IP packets as well as the inner TCP and UDP packets, and write raw IP packets back to the subprocess. This requires a software implementation of the TCP/IP protocol, which is by far the most difficult part of httptap. The TCP/IP implementation in httptap is missing many aspects of the full TCP protocol, but still works reasonably well for its purpose.
 
 Suppose the subprocess makes an HTTP request to www.example.com. The first thing we receive is a TCP SYN packet addressed to 93.184.215.14 (the current IP address of example.com). We respond with a SYN+ACK packet with source address 93.184.215.14, though in truth the packet did not come from 93.184.215.14, but from us. Separately, we establish our own TCP connection to 93.184.215.14 using the ordinary sockets API in the linux kernel. When the subprocess sends data to 93.184.215.14 we relay it over our separate TCP connection, and vice versa for return data. This is a traditional transparent TCP proxy, and in this way we can view all data flowing to and from the subprocess, though we won't be able to decrypt HTTPS traffic without a bit more work.
 
 When a client makes an HTTPS request, it asks the server for evidence that it is who it says it is. If the server has a certificate signed by a certificate authority, it can use that certificate to prove that it is who it says it is. The client will only accept such a certificate if it trusts the certificate authority that signed the certificate. Operating systems, web browsers, and many other pieces of software come with a list of a few hundred certificate authorities that they trust. Many of these pieces of software have ways for users to add additional certificate authorities to this list. We make use of this.
 
-When httptap starts, it creates a certificate authority (actually a private key plus a corresponding x509 certificate), writes it to a file on the filesystem visible only to the subprocess, and sets a few environment variables -- again only visible to the subprocess being run -- that add this certificate authority to the list of trusted certificate authorities. Since the subprocess trusts this certificate authority, and httptap holds the private key for the certificate authority, it can prove to the subprocess that it is the server which which the subprocess was trying to communicate. In this way we can read the plaintext HTTP requests.
+When httptap starts, it creates a certificate authority (actually a private key plus a corresponding x509 certificate), writes it to a file on the filesystem visible only to the subprocess, and sets a few environment variables -- again only visible to the subprocess being run -- that add this certificate authority to the list of trusted certificate authorities. Since the subprocess trusts this certificate authority, and httptap holds the private key for the certificate authority, it can prove to the subprocess that it is the server which the subprocess was trying to communicate. In this way we can read the plaintext HTTP requests.
 
 # How it was made
 

dns.go

@@ -45,7 +45,7 @@ func (p dnsPairA) Answers() []string {
 	return answers
 }
 
-// dnsWatcher receives information about each intercepted DNS query, and the response provided
+// dnsWatcher receives information about each intercepted DNS query and the response provided
 type dnsWatcher func(*dnsCall)
 
 // the listeners waiting for HTTPCalls

http.go

@@ -49,7 +49,7 @@ var httpListeners []httpListener
 // the complete set of HTTP calls up to the present moment
 var httpCalls []*HTTPCall
 
-// the mutex that protects the above slcies
+// the mutex that protects the above slices
 var httpMu sync.Mutex
 
 // add a listener that will receive events for each next HTTP call; the set of historical
@@ -276,7 +276,7 @@ func proxyHTTPScheme(dst http.RoundTripper, conn net.Conn, outgoingScheme string
 	responsebody, err := decodeContent(&respbody, resp.Header["Content-Encoding"])
 	if err != nil {
 		errorf("error decoding response body as %v, will return raw bytes", resp.Header["Content-Encoding"])
-		requestbody = reqbody.Bytes()
+		responsebody = respbody.Bytes()
 	}
 
 	// make the summary the we will log to disk and expose via the API

httptap.go

@@ -764,7 +764,7 @@ func Main() error {
 		return fmt.Errorf("invalid stack %q; valid choices are 'gvisor' or 'homegrown'", args.Stack)
 	}
 
-	verbosef("launching third stage targetting uid %d, gid %d...", args.UID, args.GID)
+	verbosef("launching third stage targeting uid %d, gid %d...", args.UID, args.GID)
 
 	// launch the third stage in a second user namespace, this time with mappings reversed
 	cmd := exec.Command("/proc/self/exe")

tcp.go

@@ -287,7 +287,7 @@ func (s *tcpStream) Write(payload []byte) (int, error) {
 		SrcPort: layers.TCPPort(s.world.Port),
 		DstPort: layers.TCPPort(s.subprocess.Port),
 		Seq:     atomic.AddUint32(&s.seq, sz) - sz, // sequence number on our side
-		Ack:     atomic.LoadUint32(&s.ack),         // laste sequence number we saw on their side
+		Ack:     atomic.LoadUint32(&s.ack),         // last sequence number we saw on their side
 		ACK:     true,                              // this indicates that we are acknolwedging some bytes
 		Window:  64240,                             // number of bytes we are willing to receive (copied from sender)
 	}
@@ -333,10 +333,10 @@ func (s *tcpStream) Write(payload []byte) (int, error) {
 func (s *tcpStream) Close() error {
 	switch s.state {
 	case StateInit:
-		errorf("application tried tp close a TCP stream in state %v, returning error", s.state)
+		errorf("application tried to close a TCP stream in state %v, returning error", s.state)
 		return fmt.Errorf("cannot close TCP stream in state %v", s.state)
 	case StateFinished:
-		verbosef("application tried tp close a TCP stream in state %v, ignoring", s.state)
+		verbosef("application tried to close a TCP stream in state %v, ignoring", s.state)
 		return nil
 	}