lanhu/proxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

重命名包 client 为 edge;重命名包 server 为 gateway

Browse Source
This commit is contained in:
luorijun
2025-05-16 17:04:03 +08:00
parent 22f3c37478
commit 20ac7dbd91
37 changed files with 65 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

310
gateway/fwd/analysis.go Normal file
View File

@@ -0,0 +1,310 @@
package fwd
import (
"bufio"
"encoding/binary"
"fmt"
"io"
"log/slog"
"proxy-server/gateway/core"
"proxy-server/pkg/utils"
"strings"
"errors"
)
func analysisAndLog(conn *core.Conn, reader io.Reader) error {
buf := bufio.NewReader(reader)
domain, proto, err := sniffing(buf)
if err != nil {
err = fmt.Errorf("sniffing error: %w", err)
} else {
slog.Debug(
"用户访问记录",
slog.Int("uid", int(conn.Auth.Payload.ID)),
slog.String("user", conn.RemoteAddr().String()),
slog.String("proxy", conn.Protocol),
slog.String("node", conn.LocalAddr().String()),
slog.String("proto", proto),
slog.String("dest", conn.Dest.String()),
slog.String("domain", domain),
)
}
go func() {
discord(buf)
}()
return err
}
func sniffing(reader *bufio.Reader) (string, string, error) {
peek, err := reader.Peek(8)
if err != nil {
return "", "", fmt.Errorf("sniffing peek error: %w", err)
}
method, ok := isHttp(peek)
if ok {
domain, err := analysisHttp(reader)
return domain, "http(" + method + ")", err
}
tlsType, tlsVersion, ok := isTls(peek)
if ok {
var domain string
if tlsType == "handshake" {
domain, err = analysisTls(reader)
}
return domain, "tls(" + tlsType + "," + tlsVersion + ")", err
}
return "nil", "tcp", nil
}
func isHttp(bytes []byte) (string, bool) {
var blankIndex int
for i := range bytes {
if bytes[i] == ' ' {
blankIndex = i
break
}
}
method := string(bytes[:blankIndex])
switch method {
case "GET",
"POST",
"PUT",
"PATCH",
"DELETE",
"HEAD",
"OPTIONS",
"TRACE",
"CONNECT":
return method, true
}
return "", false
}
func isTls(bytes []byte) (string, string, bool) {
var tlsType string
switch bytes[0] {
case 0x14:
tlsType = "change-cipher-spec"
case 0x15:
tlsType = "alert"
case 0x16:
tlsType = "handshake"
case 0x17:
tlsType = "application-data"
}
var tlsVersion string
if bytes[1] == 0x03 {
switch bytes[2] {
case 0x00:
tlsVersion = "SSL3.0"
case 0x01:
tlsVersion = "TLS1.0"
case 0x02:
tlsVersion = "TLS1.1"
case 0x03:
tlsVersion = "TLS1.2"
}
}
if tlsType != "" && tlsVersion != "" {
return tlsType, tlsVersion, true
} else {
return "", "", false
}
}
func analysisHttp(reader *bufio.Reader) (string, error) {
// reade top
top, err := httpReadLine(reader)
if err != nil {
return "", fmt.Errorf("http read top error: %w", err)
}
// read header
host := strings.Split(top, " ")[1]
for {
line, err := httpReadLine(reader)
if err != nil {
return "", err
}
if line == "" {
break
}
if strings.HasPrefix(line, "Host: ") {
host = strings.TrimPrefix(line, "Host: ")
}
}
return host, nil
}
func httpReadLine(reader *bufio.Reader) (line string, err error) {
var lineStr strings.Builder
for {
line, prefix, err := reader.ReadLine()
if err != nil {
return "", fmt.Errorf("http read line error: %w", err)
}
lineStr.Write(line)
if !prefix {
break
}
}
return lineStr.String(), nil
}
func analysisTls(reader *bufio.Reader) (string, error) {
// tls record
_, err := utils.ReadBuffer(reader, 5)
if err != nil {
return "", fmt.Errorf("https read head error: %w", err)
}
// tls type
hsType, err := reader.ReadByte()
if err != nil {
return "", fmt.Errorf("https read hsType error: %w", err)
}
switch hsType {
case 0x01: // client hello
// length
_, err = utils.ReadBuffer(reader, 3)
if err != nil {
return "", fmt.Errorf("https read tls length error: %w", err)
}
// version
_, err = utils.ReadBuffer(reader, 2)
if err != nil {
return "", fmt.Errorf("https read version error: %w", err)
}
// random
_, err = utils.ReadBuffer(reader, 32)
if err != nil {
return "", fmt.Errorf("https read random error: %w", err)
}
// session id length
sessionIdLen, err := reader.ReadByte()
if err != nil {
return "", fmt.Errorf("https read sessionIdLen error: %w", err)
}
// session id
_, err = utils.ReadBuffer(reader, int(sessionIdLen))
if err != nil {
return "", fmt.Errorf("https read sessionId error: %w", err)
}
// cipher suites length
cLenBuf, err := utils.ReadBuffer(reader, 2)
if err != nil {
return "", fmt.Errorf("https read cLen error: %w", err)
}
cLen := binary.BigEndian.Uint16(cLenBuf)
// cipher suites
_, err = utils.ReadBuffer(reader, int(cLen))
if err != nil {
return "", fmt.Errorf("https read c error: %w", err)
}
// compression methods length
cmLen, err := reader.ReadByte()
if err != nil {
return "", fmt.Errorf("https read cmLen error: %w", err)
}
// compression methods
_, err = utils.ReadBuffer(reader, int(cmLen))
if err != nil {
return "", fmt.Errorf("https read cm error: %w", err)
}
// extensions length
eLenBuf, err := utils.ReadBuffer(reader, 2)
if err != nil {
return "", fmt.Errorf("https read eLen error: %w", err)
}
eLen := binary.BigEndian.Uint16(eLenBuf)
// extensions
host := ""
for i := 0; i < int(eLen); {
// extension type
eTypeBuf, err := utils.ReadBuffer(reader, 2)
if err != nil {
return "", fmt.Errorf("https read extension type error: %w", err)
}
eType := binary.BigEndian.Uint16(eTypeBuf)
// extension length
eLenBuf, err := utils.ReadBuffer(reader, 2)
if err != nil {
return "", fmt.Errorf("https read extension length error: %w", err)
}
eLen := binary.BigEndian.Uint16(eLenBuf)
// server name
if eType == 0x00 {
// server name list length
_, err = utils.ReadBuffer(reader, 2)
if err != nil {
return "", fmt.Errorf("https read server name list length error: %w", err)
}
// server name type
_, err = reader.ReadByte()
if err != nil {
return "", fmt.Errorf("https read server name type error: %w", err)
}
// server name length
sLenBuf, err := utils.ReadBuffer(reader, 2)
if err != nil {
return "", fmt.Errorf("https read server name length error: %w", err)
}
sLen := binary.BigEndian.Uint16(sLenBuf)
// server name
bytes, err := utils.ReadBuffer(reader, int(sLen))
if err != nil {
return "", fmt.Errorf("https read server name error: %w", err)
}
host = string(bytes)
return host, nil
} else {
// other extension
_, err = utils.ReadBuffer(reader, int(eLen))
if err != nil {
return "", fmt.Errorf("https read extension error: %w", err)
}
}
i += 4 + int(eLen)
}
default:
return "", nil
}
return "", errors.New("analysis https error")
}
func discord(reader *bufio.Reader) {
_, err := io.Copy(io.Discard, reader)
if err != nil {
slog.Error("analysis discord err", "err", err)
}
}

78
gateway/fwd/auth/auth.go Normal file
View File

@@ -0,0 +1,78 @@
package auth
import (
"fmt"
"net"
"proxy-server/gateway/app"
"proxy-server/gateway/core"
"strconv"
"time"
"errors"
)
type Protocol string
const (
Socks5 = Protocol("socks5")
Http = Protocol("http")
)
func Protect(conn net.Conn, proto Protocol, username, password *string) (*core.AuthContext, error) {
// 获取用户地址
remoteAddr := conn.RemoteAddr().String()
remoteHost, _, err := net.SplitHostPort(remoteAddr)
if err != nil {
return nil, fmt.Errorf("无法获取连接信息: %w", err)
}
// 获取服务端口
localAddr := conn.LocalAddr().String()
_, _localPort, err := net.SplitHostPort(localAddr)
localPort, err := strconv.ParseUint(_localPort, 10, 16)
if err != nil {
return nil, fmt.Errorf("noAuth 认证失败: %w", err)
}
// 查找权限配置
var permit, ok = app.Permits.Load(uint16(localPort))
if !ok {
return nil, errors.New("没有权限")
}
// 检查是否过期
if permit.Expire.Before(time.Now()) {
return nil, errors.New("权限已过期")
}
// 检查 IP 是否可用
if len(permit.Whitelists) > 0 {
var found = false
for _, allowedHost := range permit.Whitelists {
var allowed = net.ParseIP(allowedHost)
var remote = net.ParseIP(remoteHost)
if remote.Equal(allowed) {
found = true
break
}
}
if !found {
return nil, errors.New("不在白名单内")
}
}
if username != nil && password != nil {
if *username != permit.Username || *password != permit.Password {
return nil, errors.New("用户名或密码错误")
}
}
var id, _ = app.Assigns.Load(uint16(localPort))
return &core.AuthContext{
Timeout: time.Since(permit.Expire).Seconds(),
Payload: core.Payload{
ID: id,
},
}, nil
}

235
gateway/fwd/ctrl.go Normal file
View File

@@ -0,0 +1,235 @@
package fwd
import (
"bufio"
"context"
"encoding/binary"
"errors"
"fmt"
"io"
"log/slog"
"net"
"proxy-server/gateway/app"
"proxy-server/gateway/env"
"proxy-server/gateway/report"
"proxy-server/pkg/utils"
"strconv"
)
type CtrlCmdType int
const (
CtrlCmdPong CtrlCmdType = iota + 1
CtrlCmdPing
CtrlCmdOpen
CtrlCmdClose
CtrlCmdProxy
)
func (s *Service) listenCtrl() error {
ctrlPort := env.AppCtrlPort
slog.Debug("监听控制通道", slog.Uint64("port", uint64(ctrlPort)))
// 监听端口
ls, err := net.Listen("tcp", ":"+strconv.Itoa(int(ctrlPort)))
if err != nil {
return fmt.Errorf("监听控制通道失败: %w", err)
}
defer utils.Close(ls)
// 处理连接
// 异步等待连接
var connCh = make(chan net.Conn)
go func() {
for {
conn, err := ls.Accept()
if errors.Is(err, net.ErrClosed) {
slog.Debug("控制通道监听关闭")
return
}
if err != nil {
slog.Error("接受控制通道连接失败", "err", err)
return
}
select {
case connCh <- conn:
case <-s.ctx.Done():
utils.Close(conn)
return
}
}
}()
err = nil
for {
select {
case <-s.ctx.Done():
return nil
case conn := <-connCh:
s.ctrlConnWg.Add(1)
go func() {
defer s.ctrlConnWg.Done()
defer utils.Close(conn)
err := s.processCtrlConn(s.ctx, conn)
if err != nil {
slog.Error("处理控制通道连接失败", "err", err)
}
}()
}
}
}
func (s *Service) processCtrlConn(ctx context.Context, conn net.Conn) (err error) {
reader := bufio.NewReader(conn)
for {
// 循环等待直到服务关闭
select {
case <-ctx.Done():
return nil
default:
}
// 读取命令
cmdByte, err := reader.ReadByte()
if err != nil {
return fmt.Errorf("读取节点命令失败: %w", err)
}
var cmd = CtrlCmdType(cmdByte)
switch cmd {
// 连接建立命令
case CtrlCmdOpen:
var recv = make([]byte, 4)
_, err = io.ReadFull(reader, recv)
if err != nil {
return fmt.Errorf("读取节点 ID 失败: %w", err)
}
var client = int32(binary.BigEndian.Uint32(recv))
err = s.onOpen(conn, client)
if err != nil {
return fmt.Errorf("处理连接建立命令失败: %w", err)
}
// 心跳命令
case CtrlCmdPing:
err = s.onPing(conn)
if err != nil {
return fmt.Errorf("处理心跳命令失败: %w", err)
}
// 连接关闭命令
case CtrlCmdClose:
err = s.onClose(conn)
if err != nil {
return fmt.Errorf("处理关闭命令失败: %w", err)
}
return nil
// 忽略其他不应该由节点发起的命令
default:
return fmt.Errorf("无法处理控制命令: %d", cmd)
}
}
}
func (s *Service) onPing(conn net.Conn) (err error) {
return s.sendPong(conn)
}
func (s *Service) onOpen(conn net.Conn, client int32) (err error) {
// open 命令全局只执行一次
_, ok := app.Clients.Load(client)
if ok {
return fmt.Errorf("节点 ID %d 已经连接", client)
}
// 分配端口
var minim uint16 = 20000
var maxim uint16 = 60000
var port uint16
for i := minim; i < maxim; i++ {
var _, ok = app.Assigns.Load(i)
if !ok {
port = i
app.Assigns.Store(i, client)
app.Clients.Store(client, i)
break
}
}
if port == 0 {
return errors.New("没有可用的端口")
}
// 报告端口分配
if err = report.Assigned(client, port); err != nil {
return fmt.Errorf("报告端口分配失败: %w", err)
}
// 响应客户端
if err = s.sendPong(conn); err != nil {
return fmt.Errorf("响应客户端失败: %w", err)
}
// 启动转发服务
s.fwdLesWg.Add(1)
go func() {
defer s.fwdLesWg.Done()
slog.Info("监听转发端口", "port", port, "client", client)
err = s.listenUser(port, conn)
if err != nil {
slog.Error("监听转发端口失败", "port", port, "client", client, "err", err)
}
}()
return nil
}
func (s *Service) onClose(conn net.Conn) (err error) {
_, portStr, err := net.SplitHostPort(conn.LocalAddr().String())
if err != nil {
return err
}
port, err := strconv.ParseUint(portStr, 10, 16)
if err != nil {
return err
}
id, _ := app.Assigns.LoadAndDelete(uint16(port))
app.Clients.Delete(id)
app.Assigns.Delete(uint16(port))
app.Permits.Delete(uint16(port))
err = s.sendPong(conn)
if err != nil {
return err
}
return nil
}
func (s *Service) sendPong(conn net.Conn) (err error) {
_, err = conn.Write([]byte{byte(CtrlCmdPong)})
if err != nil {
return fmt.Errorf("响应客户端失败: %w", err)
}
return nil
}
func (s *Service) sendProxy(conn net.Conn, tag [16]byte, addr string) (err error) {
if len(addr) > 65535 {
return fmt.Errorf("代理地址过长: %s", addr)
}
buf := make([]byte, 1+16+2+len(addr))
buf[0] = byte(CtrlCmdProxy)
copy(buf[1:], tag[:])
binary.BigEndian.PutUint16(buf[17:], uint16(len(addr)))
copy(buf[19:], addr)
_, err = conn.Write(buf)
if err != nil {
return fmt.Errorf("发送代理命令失败: %w", err)
}
return nil
}

166
gateway/fwd/data.go Normal file
View File

@@ -0,0 +1,166 @@
package fwd
import (
"bufio"
"errors"
"fmt"
"github.com/google/uuid"
"io"
"log/slog"
"net"
"proxy-server/gateway/debug"
"proxy-server/gateway/env"
"proxy-server/gateway/fwd/metrics"
"proxy-server/pkg/utils"
"strconv"
"sync"
"time"
)
func (s *Service) listenData() error {
dataPort := env.AppDataPort
slog.Debug("监听数据通道", slog.Uint64("port", uint64(dataPort)))
// 监听端口
ls, err := net.Listen("tcp", ":"+strconv.Itoa(int(dataPort)))
if err != nil {
return fmt.Errorf("监听数据通道失败: %w", err)
}
defer utils.Close(ls)
// 异步等待连接
var connCh = make(chan net.Conn)
go func() {
for {
conn, err := ls.Accept()
if errors.Is(err, net.ErrClosed) {
slog.Debug("数据通道监听关闭")
return
}
if err != nil {
slog.Error("接受数据通道连接失败", "err", err)
return
}
select {
case connCh <- conn:
case <-s.ctx.Done():
utils.Close(conn)
return
}
}
}()
// 处理连接
for {
select {
case <-s.ctx.Done():
return nil
case conn := <-connCh:
s.dataConnWg.Add(1)
go func() {
defer s.dataConnWg.Done()
defer utils.Close(conn)
err := s.processDataConn(conn)
if err != nil {
slog.Error("处理数据通道连接失败", "err", err)
}
}()
}
}
}
func (s *Service) processDataConn(client net.Conn) error {
var reader = bufio.NewReader(client)
// 接收连接结果
var buf = make([]byte, 17)
_, err := io.ReadFull(reader, buf)
if err != nil {
return fmt.Errorf("从客户端获取连接结果失败: %w", err)
}
tag := buf[0:16]
status := buf[16]
// 加载用户连接
var tagStr = uuid.UUID(tag).String()
user, ok := s.userConnMap.LoadAndDelete(tagStr)
if !ok {
return fmt.Errorf("用户连接已关闭tag%s", tagStr)
}
defer utils.Close(user)
// 检查状态
if status != 1 {
return errors.New("目标地址建立连接失败")
}
// 转发数据
data := time.Now()
userPipeReader, userPipeWriter := io.Pipe()
defer utils.Close(userPipeWriter)
teeUser := io.TeeReader(user, userPipeWriter)
go func() {
err := analysisAndLog(user, userPipeReader)
if err != nil {
slog.Error("数据解析失败", "err", err)
}
}()
wg := sync.WaitGroup{}
wg.Add(2)
go func() {
defer wg.Done()
_, err := io.Copy(client, teeUser)
if err != nil {
slog.Error("数据转发失败 user->client", "err", err)
}
}()
go func() {
defer wg.Done()
_, err := io.Copy(user, reader)
if err != nil {
slog.Error("数据转发失败 client->user", "err", err)
}
}()
select {
case <-s.ctx.Done():
return nil
case <-utils.WgWait(&wg):
proxy := time.Now()
start, startOk := metrics.TimerStart.Load(user.Conn)
auth, authOk := metrics.TimerAuth.Load(user.Conn)
var authDuration time.Duration
if startOk && authOk {
authDuration = auth.(time.Time).Sub(start.(time.Time))
}
var dataDuration time.Duration
if authOk {
dataDuration = data.Sub(auth.(time.Time))
}
proxyDuration := proxy.Sub(data)
var totalDuration time.Duration
if startOk {
totalDuration = proxy.Sub(start.(time.Time))
}
debug.ConsumingCh <- debug.Consuming{
Auth: authDuration,
Data: dataDuration,
Proxy: proxyDuration,
Total: totalDuration,
}
return nil
}
}

170
gateway/fwd/dispatcher/dispatch.go Normal file
View File

@@ -0,0 +1,170 @@
package dispatcher
import (
"context"
"fmt"
"log/slog"
"net"
"proxy-server/gateway/core"
"proxy-server/gateway/fwd/http"
"proxy-server/gateway/fwd/metrics"
"proxy-server/gateway/fwd/socks"
"proxy-server/pkg/utils"
"strconv"
"strings"
"time"
"errors"
"github.com/soheilhy/cmux"
)
type Server struct {
ctx context.Context
cancel context.CancelFunc
readTimeout time.Duration
Port uint16
Conn chan *core.Conn
}
func New(port uint16, readTimeout time.Duration) (*Server, error) {
if port == 0 {
return nil, errors.New("port is required")
}
ctx, cancel := context.WithCancel(context.Background())
return &Server{
ctx,
cancel,
readTimeout,
port,
make(chan *core.Conn),
}, nil
}
func (s *Server) Close() {
s.cancel()
}
func (s *Server) Run() error {
port := strconv.Itoa(int(s.Port))
ls, err := net.Listen("tcp", ":"+port)
if err != nil {
return fmt.Errorf("dispatcher 监听失败: %w", err)
}
defer utils.Close(ls)
m := cmux.New(ls)
m.SetReadTimeout(s.readTimeout)
defer m.Close()
socksLs := m.Match(cmux.PrefixMatcher(string([]byte{0x05})))
go func() {
err = s.acceptSocks(socksLs)
if err != nil {
if strings.Contains(err.Error(), "mux: server closed") {
return
}
slog.Warn("dispatcher socks accept error", "err", err)
}
}()
httpLs := m.Match(cmux.HTTP1Fast("PATCH"))
go func() {
err = s.acceptHttp(httpLs)
if err != nil {
if strings.Contains(err.Error(), "mux: server closed") {
return
}
slog.Warn("dispatcher http accept error", "err", err)
}
}()
errCh := make(chan error, 1)
go func() {
defer close(errCh)
err = m.Serve()
if err != nil {
err = fmt.Errorf("dispatcher serve error: %w", err)
}
errCh <- err
}()
err = nil
select {
case <-s.ctx.Done():
case err = <-errCh:
}
close(s.Conn)
return err
}
func (s *Server) acceptHttp(ls net.Listener) error {
for {
conn, err := ls.Accept()
if err != nil {
if errors.Is(err, net.ErrClosed) {
return nil
}
var ne net.Error
if errors.As(err, &ne) && ne.Temporary() {
continue
}
return fmt.Errorf("dispatcher http accept error: %w", err)
}
metrics.TimerStart.Store(conn, time.Now())
go func() {
user, err := http.Process(s.ctx, conn)
if err != nil {
slog.Error("处理 http 连接失败", "err", err)
utils.Close(conn)
return
}
select {
case <-s.ctx.Done():
utils.Close(user)
case s.Conn <- user:
}
}()
}
}
func (s *Server) acceptSocks(ls net.Listener) error {
for {
conn, err := ls.Accept()
if err != nil {
if errors.Is(err, net.ErrClosed) {
return nil
}
var ne net.Error
if errors.As(err, &ne) && ne.Temporary() {
continue
}
return fmt.Errorf("dispatcher socks accept error: %w", err)
}
metrics.TimerStart.Store(conn, time.Now())
go func() {
user, err := socks.Process(s.ctx, conn)
if err != nil {
slog.Error("处理 socks 连接失败", "err", err)
utils.Close(conn)
return
}
select {
case <-s.ctx.Done():
utils.Close(user)
case s.Conn <- user:
}
}()
}
}
type Conn struct {
}

82
gateway/fwd/fwd.go Normal file
View File

@@ -0,0 +1,82 @@
package fwd
import (
"context"
"log/slog"
"proxy-server/gateway/core"
"proxy-server/pkg/utils"
"sync"
)
type Service struct {
ctx context.Context
cancel context.CancelFunc
userConnMap core.SyncMap[string, *core.Conn]
fwdLesWg utils.CountWaitGroup
ctrlConnWg utils.CountWaitGroup
dataConnWg utils.CountWaitGroup
userConnWg utils.CountWaitGroup
}
func New() *Service {
ctx, cancel := context.WithCancel(context.Background())
return &Service{
ctx: ctx,
cancel: cancel,
}
}
func (s *Service) Run() error {
slog.Debug("启动转发服务")
errQuit := make(chan struct{}, 2)
defer close(errQuit)
wg := sync.WaitGroup{}
// 控制通道
wg.Add(1)
go func() {
defer wg.Done()
err := s.listenCtrl()
if err != nil {
slog.Error("fwd 控制通道监听发生错误", "err", err)
errQuit <- struct{}{}
return
}
}()
// 数据通道
wg.Add(1)
go func() {
defer wg.Done()
err := s.listenData()
if err != nil {
slog.Error("fwd 数据通道监听发生错误", "err", err)
errQuit <- struct{}{}
return
}
}()
// 等待退出
select {
case <-s.ctx.Done():
case <-errQuit:
slog.Warn("fwd 服务异常退出")
s.Stop()
}
wg.Wait()
s.fwdLesWg.Wait()
s.ctrlConnWg.Wait()
s.userConnWg.Wait()
s.dataConnWg.Wait()
return nil
}
func (s *Service) Stop() {
s.cancel()
}

185
gateway/fwd/http/http.go Normal file
View File

@@ -0,0 +1,185 @@
package http
import (
"bufio"
"context"
"encoding/base64"
"fmt"
"github.com/google/uuid"
"io"
"net"
"net/textproto"
"net/url"
"proxy-server/gateway/core"
"proxy-server/gateway/fwd/auth"
"strings"
"errors"
)
type Request struct {
conn net.Conn
reader *bufio.Reader
method string
uri string
proto string
headers *textproto.MIMEHeader
auth *core.AuthContext
dest *core.FwdAddr
}
func Process(ctx context.Context, conn net.Conn) (*core.Conn, error) {
reader := bufio.NewReader(conn)
textReader := textproto.NewReader(reader)
// 首行
line, err := textReader.ReadLine()
if err != nil {
return nil, err
}
parts := strings.Fields(line)
if len(parts) != 3 {
return nil, errors.New("无效的 http 请求")
}
// 请求头
headers, err := textReader.ReadMIMEHeader()
if err != nil {
return nil, fmt.Errorf("解析请求头失败: %v", err)
}
// 验证账号
authInfo := headers.Get("Proxy-Authorization")
var username *string = nil
var password *string = nil
if authInfo != "" {
authParts := strings.Split(authInfo, " ")
if len(authParts) != 2 {
return nil, errors.New("无效的 Proxy-Authorization")
}
if authParts[0] != "Basic" {
return nil, errors.New("不支持的认证方式")
}
authBytes, err := base64.URLEncoding.DecodeString(authParts[1])
if err != nil {
return nil, fmt.Errorf("解码认证信息失败: %v", err)
}
authPair := strings.Split(string(authBytes), ":")
username = &authPair[0]
password = &authPair[1]
}
authCtx, err := auth.Protect(conn, auth.Http, username, password)
if err != nil {
_, err = conn.Write([]byte("HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"))
if err != nil {
return nil, fmt.Errorf("响应 407 失败: %v", err)
}
return nil, fmt.Errorf("验证账号失败: %v", err)
}
// 获取 Host
host := headers.Get("Host")
if host == "" {
return nil, errors.New("无效的 Host")
}
if !strings.Contains(host, ":") {
host += ":80"
}
addr, err := net.ResolveTCPAddr("tcp", host)
if err != nil {
return nil, fmt.Errorf("解析 Host 失败: %v", err)
}
request := &Request{
conn: conn,
reader: reader,
method: parts[0],
uri: parts[1],
proto: parts[2],
headers: &headers,
dest: &core.FwdAddr{
IP: addr.IP,
Port: addr.Port,
Domain: host,
},
auth: authCtx,
}
var user *core.Conn
if parts[0] == "CONNECT" {
user, err = processHttps(ctx, request)
if err != nil {
return nil, err
}
} else {
user, err = processHttp(ctx, request)
if err != nil {
return nil, err
}
}
return user, nil
}
func processHttps(ctx context.Context, req *Request) (*core.Conn, error) {
// 响应 CONNECT
_, err := req.conn.Write([]byte("HTTP/1.1 200 Connection Established\r\n\r\n"))
if err != nil {
return nil, fmt.Errorf("响应 CONNECT 失败: %v", err)
}
return &core.Conn{
Conn: req.conn,
Reader: req.reader,
Tag: uuid.New(),
Protocol: "http",
Dest: req.dest,
Auth: req.auth,
}, nil
}
func processHttp(ctx context.Context, req *Request) (*core.Conn, error) {
// 修改请求头
rawUrl, err := url.Parse(req.uri)
if err != nil {
return nil, fmt.Errorf("解析请求地址失败: %v", err)
}
rawUrl.Scheme = ""
rawUrl.Host = ""
req.uri = rawUrl.String()
req.headers.Del("Proxy-Authorization")
// 构造请求
sb := strings.Builder{}
sb.WriteString(req.method)
sb.WriteString(" ")
sb.WriteString(req.uri)
sb.WriteString(" ")
sb.WriteString(req.proto)
sb.WriteString("\r\n")
for k, v := range *req.headers {
sb.WriteString(k)
sb.WriteString(": ")
sb.WriteString(strings.Join(v, ","))
sb.WriteString("\r\n")
}
sb.WriteString("\r\n")
mReader := io.MultiReader(strings.NewReader(sb.String()), req.conn)
newReader := bufio.NewReader(mReader)
return &core.Conn{
Conn: req.conn,
Reader: newReader,
Tag: uuid.New(),
Protocol: "http",
Dest: req.dest,
Auth: req.auth,
}, nil
}

6
gateway/fwd/metrics/debug.go Normal file
View File

@@ -0,0 +1,6 @@
package metrics
import "sync"
var TimerStart sync.Map
var TimerAuth sync.Map

374
gateway/fwd/socks/socks.go Normal file
View File

@@ -0,0 +1,374 @@
package socks
import (
"bufio"
"context"
"encoding/binary"
"errors"
"fmt"
"github.com/google/uuid"
"io"
"log/slog"
"net"
"proxy-server/gateway/core"
"proxy-server/gateway/fwd/auth"
"proxy-server/pkg/utils"
"slices"
)
const (
Version = byte(5)
AuthVersion = byte(1)
)
const (
NoAuth = byte(0)
UserPassAuth = byte(2)
NoAcceptable = byte(0xFF)
)
const (
AuthSuccess = byte(0)
AuthFailure = byte(1)
)
const (
ConnectCommand = byte(1)
BindCommand = byte(2)
AssociateCommand = byte(3)
)
const (
ipv4Address = byte(1)
fqdnAddress = byte(3)
ipv6Address = byte(4)
)
const (
successReply byte = iota
serverFailure
ruleFailure
networkUnreachable
hostUnreachable
connectionRefused
ttlExpired
commandNotSupported
addrTypeNotSupported
)
// Process 处理连接
func Process(ctx context.Context, conn net.Conn) (*core.Conn, error) {
reader := bufio.NewReader(conn)
// 认证
authCtx, err := authenticate(ctx, reader, conn)
if err != nil {
return nil, fmt.Errorf("认证失败: %w", err)
}
// 处理连接请求
request, err := request(ctx, reader, conn)
if err != nil {
return nil, fmt.Errorf("处理连接请求失败: %w", err)
}
// 代理连接
if request.Command != ConnectCommand {
return nil, fmt.Errorf("不支持的连接指令: %d", request.Command)
}
// 响应成功
err = sendReply(conn, successReply, request.DestAddr)
return &core.Conn{
Conn: conn,
Reader: reader,
Protocol: "socks5",
Tag: uuid.New(),
Dest: request.DestAddr,
Auth: authCtx,
}, nil
}
// checkVersion 检查客户端版本
func checkVersion(reader io.Reader) error {
version, err := utils.ReadByte(reader)
if err != nil {
return err
}
if version != Version {
return errors.New("客户端版本不兼容")
}
return nil
}
// authenticate 执行认证流程
func authenticate(ctx context.Context, reader *bufio.Reader, conn net.Conn) (authContext *core.AuthContext, err error) {
// 版本检查
err = checkVersion(reader)
if err != nil {
return nil, err
}
// 获取客户端认证方式
nAuth, err := utils.ReadByte(reader)
if err != nil {
return nil, err
}
methods, err := utils.ReadBuffer(reader, int(nAuth))
if err != nil {
return nil, err
}
if slices.Contains(methods, UserPassAuth) {
_, err := conn.Write([]byte{Version, byte(UserPassAuth)})
if err != nil {
return nil, fmt.Errorf("响应认证方式失败: %w", err)
}
// 检查认证版本
slog.Debug("验证认证版本")
v, err := utils.ReadByte(reader)
if err != nil {
return nil, fmt.Errorf("读取版本号失败: %w", err)
}
if v != AuthVersion {
_, err := conn.Write([]byte{Version, AuthFailure})
if err != nil {
return nil, fmt.Errorf("响应认证失败: %w", err)
}
return nil, fmt.Errorf("认证版本参数不正确: %w", err)
}
// 读取账号
slog.Debug("验证用户账号")
uLen, err := utils.ReadByte(reader)
if err != nil {
return nil, fmt.Errorf("读取用户名长度失败: %w", err)
}
usernameBuf, err := utils.ReadBuffer(reader, int(uLen))
if err != nil {
return nil, fmt.Errorf("读取用户名失败: %w", err)
}
username := string(usernameBuf)
// 读取密码
pLen, err := utils.ReadByte(reader)
if err != nil {
return nil, fmt.Errorf("读取密码长度失败: %w", err)
}
passwordBuf, err := utils.ReadBuffer(reader, int(pLen))
if err != nil {
return nil, fmt.Errorf("读取密码失败: %w", err)
}
password := string(passwordBuf)
// 检查权限
authContext, err = auth.Protect(conn, auth.Socks5, &username, &password)
if err != nil {
return nil, fmt.Errorf("权限检查失败: %w", err)
}
// 响应认证成功
_, err = conn.Write([]byte{AuthVersion, AuthSuccess})
if err != nil {
return nil, fmt.Errorf("响应认证成功失败: %w", err)
}
return authContext, nil
} else if slices.Contains(methods, NoAuth) {
_, err = conn.Write([]byte{Version, NoAuth})
if err != nil {
return nil, fmt.Errorf("响应认证方式失败: %w", err)
}
authContext, err = auth.Protect(conn, auth.Socks5, nil, nil)
if err != nil {
return nil, fmt.Errorf("权限检查失败: %w", err)
}
return authContext, nil
} else {
_, err = conn.Write([]byte{Version, NoAcceptable})
if err != nil {
return nil, err
}
return nil, errors.New("没有适用的认证方式")
}
}
type Request struct {
Command uint8
DestAddr *core.FwdAddr
}
// request 处理连接请求
func request(ctx context.Context, reader io.Reader, writer io.Writer) (*Request, error) {
// 检查版本
err := checkVersion(reader)
if err != nil {
return nil, err
}
// 检查连接命令
command, err := utils.ReadByte(reader)
if err != nil {
return nil, err
}
if command != ConnectCommand && command != BindCommand && command != AssociateCommand {
err = sendReply(writer, commandNotSupported, nil)
if err != nil {
return nil, err
}
return nil, errors.New("不支持该连接指令")
}
// 跳过保留字段 rsv
_, err = utils.ReadByte(reader)
if err != nil {
return nil, err
}
// 获取目标地址
dest, err := parseTarget(reader, writer)
if err != nil {
return nil, err
}
request := &Request{
Command: command,
DestAddr: dest,
}
return request, nil
}
func parseTarget(reader io.Reader, writer io.Writer) (*core.FwdAddr, error) {
dest := &core.FwdAddr{}
aTypeBuf, err := utils.ReadByte(reader)
if err != nil {
return nil, err
}
switch aTypeBuf {
case ipv4Address:
addr := make([]byte, 4)
_, err := io.ReadFull(reader, addr)
if err != nil {
return nil, err
}
dest.IP = addr
case ipv6Address:
addr := make([]byte, 16)
_, err := io.ReadFull(reader, addr)
if err != nil {
return nil, err
}
dest.IP = addr
case fqdnAddress:
aLenBuf := make([]byte, 1)
_, err := reader.Read(aLenBuf)
if err != nil {
return nil, err
}
fqdnBuff := make([]byte, int(aLenBuf[0]))
_, err = io.ReadFull(reader, fqdnBuff)
if err != nil {
return nil, err
}
dest.Domain = string(fqdnBuff)
// 域名解析
addr, err := net.ResolveIPAddr("ip", dest.Domain)
if err != nil {
err := sendReply(writer, hostUnreachable, nil)
if err != nil {
return nil, fmt.Errorf("failed to send reply: %v", err)
}
return nil, fmt.Errorf("failed to resolve destination '%v': %v", dest.Domain, err)
}
dest.IP = addr.IP
default:
err := sendReply(writer, addrTypeNotSupported, nil)
if err != nil {
return nil, err
}
return nil, fmt.Errorf("unrecognized address type")
}
portBuf := make([]byte, 2)
_, err = io.ReadFull(reader, portBuf)
if err != nil {
return nil, err
}
dest.Port = int(binary.BigEndian.Uint16(portBuf))
return dest, nil
}
func sendReply(w io.Writer, resp uint8, addr *core.FwdAddr) error {
var addrType uint8
var addrBody []byte
var addrPort uint16
switch {
case addr == nil:
addrType = ipv4Address
addrBody = []byte{0, 0, 0, 0}
addrPort = 0
case addr.Domain != "":
addrType = fqdnAddress
addrBody = append([]byte{byte(len(addr.Domain))}, addr.Domain...)
addrPort = uint16(addr.Port)
case addr.IP.To4() != nil:
addrType = ipv4Address
addrBody = addr.IP.To4()
addrPort = uint16(addr.Port)
case addr.IP.To16() != nil:
addrType = ipv6Address
addrBody = addr.IP.To16()
addrPort = uint16(addr.Port)
default:
return fmt.Errorf("failed to format address: %v", addr)
}
msg := make([]byte, 6+len(addrBody))
msg[0] = Version
msg[1] = resp
msg[2] = 0 // Reserved
msg[3] = addrType
copy(msg[4:], addrBody)
msg[4+len(addrBody)] = byte(addrPort >> 8)
msg[4+len(addrBody)+1] = byte(addrPort & 0xff)
_, err := w.Write(msg)
return err
}
func SendSuccess(user net.Conn, target net.Conn) error {
local := target.LocalAddr().(*net.TCPAddr)
bind := core.FwdAddr{IP: local.IP, Port: local.Port}
err := sendReply(user, successReply, &bind)
if err != nil {
return err
}
return nil
}

82
gateway/fwd/user.go Normal file
View File

@@ -0,0 +1,82 @@
package fwd
import (
"context"
"encoding/hex"
"errors"
"log/slog"
"net"
"proxy-server/gateway/core"
"proxy-server/gateway/env"
"proxy-server/gateway/fwd/dispatcher"
"proxy-server/gateway/fwd/metrics"
"proxy-server/pkg/utils"
"time"
)
func (s *Service) listenUser(port uint16, ctrl net.Conn) error {
dspt, err := dispatcher.New(port, time.Duration(env.AppUserTimeout)*time.Second)
if err != nil {
return err
}
defer dspt.Close()
go func() {
err := dspt.Run()
if err != nil {
slog.Error("代理服务运行失败", "err", err)
}
}()
// 处理连接
for {
select {
case <-s.ctx.Done():
return nil
case user := <-dspt.Conn:
metrics.TimerAuth.Store(user.Conn, time.Now())
s.userConnWg.Add(1)
go func() {
defer s.userConnWg.Done()
err := s.processUserConn(user, ctrl)
if err != nil {
slog.Error("处理用户连接失败", "err", err)
utils.Close(user)
}
}()
}
}
}
func (s *Service) processUserConn(user *core.Conn, ctrl net.Conn) (err error) {
// 发送代理命令
err = s.sendProxy(ctrl, user.Tag, user.Dest.String())
if err != nil {
return err
}
// 保存用户连接
s.userConnMap.Store(hex.EncodeToString(user.Tag[:]), user)
// 如果限定时间内没有建立数据通道,则关闭连接
var timeout, cancel = context.WithTimeout(context.Background(), time.Duration(env.AppDataTimeout)*time.Second)
defer cancel()
select {
case <-timeout.Done():
err = timeout.Err()
case <-s.ctx.Done():
err = s.ctx.Err()
}
_, ok := s.userConnMap.LoadAndDelete(hex.EncodeToString(user.Tag[:]))
if ok {
utils.Close(user)
if errors.Is(err, context.DeadlineExceeded) {
slog.Error("用户连接超时", "tag", hex.EncodeToString(user.Tag[:]), "addr", user.RemoteAddr().String())
}
}
return nil
}