重构代理解析流程，引入端口混合协议转发

2025-03-01 17:08:56 +08:00
parent b8a3dd93dc
commit 76139d28c4
24 changed files with 841 additions and 1042 deletions
--- a/server/fwd/socks/auth.go
+++ b/server/fwd/socks/auth.go
@@ -1,87 +0,0 @@
-package socks
-
-import (
-	"context"
-	"io"
-	"log/slog"
-	"proxy-server/pkg/utils"
-	"slices"
-
-	"github.com/pkg/errors"
-)
-
-type AuthMethod byte
-
-const (
-	AuthVersion  = byte(1)
-	AuthSuccess  = byte(0)
-	AuthFailure  = byte(1)
-	NoAuth       = AuthMethod(0)
-	UserPassAuth = AuthMethod(2)
-	NoAcceptable = byte(0xFF)
-)
-
-type Authenticator interface {
-	Method() AuthMethod
-	Authenticate(ctx context.Context, reader io.Reader, writer io.Writer) (*Authentication, error)
-}
-
-// authenticate 执行认证流程
-func (s *Server) authenticate(reader io.Reader, writer io.Writer) (*Authentication, error) {
-
-	// 版本检查
-	err := checkVersion(reader)
-	if err != nil {
-		return nil, err
-	}
-
-	// 获取客户端认证方式
-	nAuth, err := utils.ReadByte(reader)
-	if err != nil {
-		return nil, err
-	}
-	methods, err := utils.ReadBuffer(reader, int(nAuth))
-	if err != nil {
-		return nil, err
-	}
-
-	// 认证客户端连接
-	for _, authenticator := range s.config.AuthMethods {
-		method := authenticator.Method()
-		if slices.Contains(methods, byte(method)) {
-			slog.Debug("使用的认证方式", method)
-
-			_, err := writer.Write([]byte{Version, byte(method)})
-			if err != nil {
-				slog.Error("响应认证方式失败", err)
-				return nil, err
-			}
-
-			ctx := context.WithValue(context.Background(), "service", s)
-			authContext, err := authenticator.Authenticate(ctx, reader, writer)
-			if err != nil {
-				return nil, err
-			}
-			return authContext, nil
-		}
-	}
-
-	// 无适用的认证方式
-	_, err = writer.Write([]byte{Version, NoAcceptable})
-	if err != nil {
-		return nil, err
-	}
-
-	return nil, errors.New("没有适用的认证方式")
-}
-
-type Authentication struct {
-	Method  AuthMethod
-	Timeout uint
-	Payload Payload
-	Data    map[string]any
-}
-
-type Payload struct {
-	ID uint
-}
--- a/server/fwd/socks/error.go
+++ b/server/fwd/socks/error.go
@@ -1,7 +0,0 @@
-package socks
-
-type ConfigError string
-
-func (c ConfigError) Error() string {
-	return string(c)
-}
--- a/server/fwd/socks/request.go
+++ b/server/fwd/socks/request.go
@@ -1,353 +0,0 @@
-package socks
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"log/slog"
-	"net"
-	"proxy-server/pkg/utils"
-	"strconv"
-
-	"github.com/pkg/errors"
-)
-
-const (
-	ConnectCommand   = byte(1)
-	BindCommand      = byte(2)
-	AssociateCommand = byte(3)
-	ipv4Address      = byte(1)
-	fqdnAddress      = byte(3)
-	ipv6Address      = byte(4)
-)
-
-const (
-	successReply byte = iota
-	serverFailure
-	ruleFailure
-	networkUnreachable
-	hostUnreachable
-	connectionRefused
-	ttlExpired
-	commandNotSupported
-	addrTypeNotSupported
-)
-
-var (
-	unrecognizedAddrType = fmt.Errorf("unrecognized address type")
-)
-
-// AddressRewriter is used to rewrite a destination transparently
-type AddressRewriter interface {
-	Rewrite(ctx context.Context, request *Request) (context.Context, *AddrSpec)
-}
-
-// AddrSpec 地址
-type AddrSpec struct {
-	FQDN string
-	IP   net.IP
-	Port int
-}
-
-func (a AddrSpec) String() string {
-	if a.FQDN != "" {
-		return fmt.Sprintf("%s (%s):%d", a.FQDN, a.IP, a.Port)
-	}
-	return fmt.Sprintf("%s:%d", a.IP, a.Port)
-}
-
-// Address returns a string suitable to dial; prefer returning IP-based
-// address, fallback to FQDN
-func (a AddrSpec) Address() string {
-	if 0 != len(a.IP) {
-		return net.JoinHostPort(a.IP.String(), strconv.Itoa(a.Port))
-	}
-	return net.JoinHostPort(a.FQDN, strconv.Itoa(a.Port))
-}
-
-func (s *Server) request(reader io.Reader, writer io.Writer) (*Request, error) {
-
-	// 检查版本
-	err := checkVersion(reader)
-	if err != nil {
-		return nil, err
-	}
-
-	// 检查连接命令
-	command, err := utils.ReadByte(reader)
-	if err != nil {
-		return nil, err
-	}
-
-	slog.Debug("客户端使用的连接指令：%v", command)
-	if command != ConnectCommand && command != BindCommand && command != AssociateCommand {
-		err = sendReply(writer, commandNotSupported, nil)
-		if err != nil {
-			return nil, err
-		}
-		return nil, errors.New("不支持该连接指令")
-	}
-
-	// 跳过保留字段 rsv
-	_, err = utils.ReadByte(reader)
-	if err != nil {
-		return nil, err
-	}
-
-	// 获取目标地址
-	dest, err := s.parseTarget(reader, writer)
-	if err != nil {
-		return nil, err
-	}
-
-	request := &Request{
-		Version:  Version,
-		Command:  command,
-		DestAddr: dest,
-		bufConn:  reader,
-	}
-
-	return request, nil
-}
-
-func (s *Server) parseTarget(reader io.Reader, writer io.Writer) (*AddrSpec, error) {
-	dest := &AddrSpec{}
-
-	aTypeBuf := make([]byte, 1)
-	_, err := reader.Read(aTypeBuf)
-	if err != nil {
-		return nil, err
-	}
-
-	switch aTypeBuf[0] {
-
-	case ipv4Address:
-		addr := make([]byte, 4)
-		_, err := io.ReadFull(reader, addr)
-		if err != nil {
-			return nil, err
-		}
-		dest.IP = addr
-
-	case ipv6Address:
-		addr := make([]byte, 16)
-		_, err := io.ReadFull(reader, addr)
-		if err != nil {
-			return nil, err
-		}
-		dest.IP = addr
-
-	case fqdnAddress:
-		aLenBuf := make([]byte, 1)
-		_, err := reader.Read(aLenBuf)
-		if err != nil {
-			return nil, err
-		}
-
-		fqdnBuff := make([]byte, int(aLenBuf[0]))
-		_, err = io.ReadFull(reader, fqdnBuff)
-		if err != nil {
-			return nil, err
-		}
-		dest.FQDN = string(fqdnBuff)
-
-		// 域名解析
-		addr, err := s.config.Resolver.Resolve(dest.FQDN)
-		if err != nil {
-			err := sendReply(writer, hostUnreachable, nil)
-			if err != nil {
-				return nil, fmt.Errorf("failed to send reply: %v", err)
-			}
-			return nil, fmt.Errorf("failed to resolve destination '%v': %v", dest.FQDN, err)
-		}
-		dest.IP = addr
-
-	default:
-		err := sendReply(writer, addrTypeNotSupported, nil)
-		if err != nil {
-			return nil, err
-		}
-		return nil, unrecognizedAddrType
-	}
-
-	portBuf := make([]byte, 2)
-	_, err = io.ReadFull(reader, portBuf)
-	if err != nil {
-		return nil, err
-	}
-	dest.Port = (int(portBuf[0]) << 8) | int(portBuf[1])
-
-	return dest, nil
-}
-
-// A Request represents request received by a server
-type Request struct {
-	// Protocol version
-	Version uint8
-	// Requested command
-	Command uint8
-	// Authentication provided during negotiation
-	Authentication *Authentication
-	// AddrSpec of the  network that sent the request
-	RemoteAddr *AddrSpec
-	// AddrSpec of the desired destination
-	DestAddr *AddrSpec
-	// AddrSpec of the actual destination (might be affected by rewrite)
-	realDestAddr *AddrSpec
-	bufConn      io.Reader
-}
-
-func (s *Server) handle(req *Request, conn net.Conn) error {
-	ctx := context.Background()
-
-	// 目标地址重写
-	req.realDestAddr = req.DestAddr
-	if s.config.Rewriter != nil {
-		ctx, req.realDestAddr = s.config.Rewriter.Rewrite(ctx, req)
-	}
-
-	// 根据协商方法建立连接
-	switch req.Command {
-	case ConnectCommand:
-		return s.handleConnect(ctx, conn, req)
-	case BindCommand:
-		return s.handleBind(ctx, conn, req)
-	case AssociateCommand:
-		return s.handleAssociate(ctx, conn, req)
-	default:
-		return fmt.Errorf("unsupported command: %v", req.Command)
-	}
-}
-
-func (s *Server) handleConnect(ctx context.Context, conn net.Conn, req *Request) error {
-	// 检查规则集约束
-	s.config.Logger.Printf("检查约束规则\n")
-	if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
-		if err := sendReply(conn, ruleFailure, nil); err != nil {
-			return fmt.Errorf("failed to send reply: %v", err)
-		}
-		return fmt.Errorf("request to %v blocked by rules", req.DestAddr)
-	} else {
-		ctx = ctx_
-	}
-
-	slog.Info("需要向 " + req.DestAddr.Address() + " 建立连接")
-	select {
-	case <-s.ctx.Done():
-		if conn != nil {
-			utils.Close(conn)
-		}
-	case s.Conn <- ProxyConn{
-		req.Authentication.Payload.ID,
-		conn,
-		req.realDestAddr.Address(),
-	}:
-	}
-	return nil
-}
-
-func (s *Server) handleBind(ctx context.Context, conn net.Conn, req *Request) error {
-	// Check if this is allowed
-	if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
-		if err := sendReply(conn, ruleFailure, nil); err != nil {
-			return fmt.Errorf("failed to send reply: %v", err)
-		}
-		return fmt.Errorf("bind to %v blocked by rules", req.DestAddr)
-	} else {
-		ctx = ctx_
-	}
-
-	// TODO: Support bind
-	if err := sendReply(conn, commandNotSupported, nil); err != nil {
-		return fmt.Errorf("failed to send reply: %v", err)
-	}
-	return nil
-}
-
-func (s *Server) handleAssociate(ctx context.Context, conn net.Conn, req *Request) error {
-	// Check if this is allowed
-	if ctx_, ok := s.config.Rules.Allow(ctx, req); !ok {
-		if err := sendReply(conn, ruleFailure, nil); err != nil {
-			return fmt.Errorf("failed to send reply: %v", err)
-		}
-		return fmt.Errorf("associate to %v blocked by rules", req.DestAddr)
-	} else {
-		ctx = ctx_
-	}
-
-	// TODO: Support associate
-	if err := sendReply(conn, commandNotSupported, nil); err != nil {
-		return fmt.Errorf("failed to send reply: %v", err)
-	}
-	return nil
-}
-
-func sendReply(w io.Writer, resp uint8, addr *AddrSpec) error {
-	var addrType uint8
-	var addrBody []byte
-	var addrPort uint16
-	switch {
-	case addr == nil:
-		addrType = ipv4Address
-		addrBody = []byte{0, 0, 0, 0}
-		addrPort = 0
-
-	case addr.FQDN != "":
-		addrType = fqdnAddress
-		addrBody = append([]byte{byte(len(addr.FQDN))}, addr.FQDN...)
-		addrPort = uint16(addr.Port)
-
-	case addr.IP.To4() != nil:
-		addrType = ipv4Address
-		addrBody = addr.IP.To4()
-		addrPort = uint16(addr.Port)
-
-	case addr.IP.To16() != nil:
-		addrType = ipv6Address
-		addrBody = addr.IP.To16()
-		addrPort = uint16(addr.Port)
-
-	default:
-		return fmt.Errorf("failed to format address: %v", addr)
-	}
-
-	msg := make([]byte, 6+len(addrBody))
-	msg[0] = Version
-	msg[1] = resp
-	msg[2] = 0 // Reserved
-	msg[3] = addrType
-	copy(msg[4:], addrBody)
-	msg[4+len(addrBody)] = byte(addrPort >> 8)
-	msg[4+len(addrBody)+1] = byte(addrPort & 0xff)
-
-	_, err := w.Write(msg)
-	return err
-}
-
-func SendSuccess(user net.Conn, target net.Conn) error {
-	local := target.LocalAddr().(*net.TCPAddr)
-	bind := AddrSpec{IP: local.IP, Port: local.Port}
-	err := sendReply(user, successReply, &bind)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-type ProxyConn struct {
-	Uid uint
-	// 用户连入的连接
-	Conn net.Conn
-	// 用户目标地址
-	Dest string
-}
-
-func (d ProxyConn) Tag() string {
-	local := d.Conn.LocalAddr()
-	remote := d.Conn.RemoteAddr()
-	return fmt.Sprintf("%s-%s", remote, local)
-}
-
-func (d ProxyConn) Close() error {
-	return d.Conn.Close()
-}
--- a/server/fwd/socks/resolver.go
+++ b/server/fwd/socks/resolver.go
@@ -1,21 +0,0 @@
-package socks
-
-import (
-	"net"
-)
-
-// NameResolver 域名解析器
-type NameResolver interface {
-	Resolve(name string) (net.IP, error)
-}
-
-// DNSResolver 使用系统 dns 服务解析域名
-type DNSResolver struct{}
-
-func (d DNSResolver) Resolve(name string) (net.IP, error) {
-	addr, err := net.ResolveIPAddr("ip", name)
-	if err != nil {
-		return nil, err
-	}
-	return addr.IP, err
-}
--- a/server/fwd/socks/ruleset.go
+++ b/server/fwd/socks/ruleset.go
@@ -1,41 +0,0 @@
-package socks
-
-import (
-	"context"
-)
-
-// RuleSet is used to provide custom rules to allow or prohibit actions
-type RuleSet interface {
-	Allow(ctx context.Context, req *Request) (context.Context, bool)
-}
-
-// PermitAll returns a RuleSet which allows all types of connections
-func PermitAll() RuleSet {
-	return &PermitCommand{true, true, true}
-}
-
-// PermitNone returns a RuleSet which disallows all types of connections
-func PermitNone() RuleSet {
-	return &PermitCommand{false, false, false}
-}
-
-// PermitCommand is an implementation of the RuleSet which
-// enables filtering supported commands
-type PermitCommand struct {
-	EnableConnect   bool
-	EnableBind      bool
-	EnableAssociate bool
-}
-
-func (p *PermitCommand) Allow(ctx context.Context, req *Request) (context.Context, bool) {
-	switch req.Command {
-	case ConnectCommand:
-		return ctx, p.EnableConnect
-	case BindCommand:
-		return ctx, p.EnableBind
-	case AssociateCommand:
-		return ctx, p.EnableAssociate
-	}
-
-	return ctx, false
-}
--- a/server/fwd/socks/socks.go
+++ b/server/fwd/socks/socks.go
@@ -3,212 +3,90 @@ package socks
 import (
 	"bufio"
 	"context"
+	"encoding/binary"
 	"fmt"
 	"io"
-	"log"
 	"log/slog"
 	"net"
-	"os"
 	"proxy-server/pkg/utils"
-	"strconv"
-	"time"
+	"proxy-server/server/fwd/core"
+	"slices"

 	"github.com/pkg/errors"
 )

 const (
-	Version = byte(5)
+	Version     = byte(5)
+	AuthVersion = byte(1)
 )

-type Config struct {
-	Name string
+const (
+	NoAuth       = byte(0)
+	UserPassAuth = byte(2)
+	NoAcceptable = byte(0xFF)
+)

-	Host string
-	Port uint16
+const (
+	AuthSuccess = byte(0)
+	AuthFailure = byte(1)
+)

-	// 认证方法
-	AuthMethods []Authenticator
+const (
+	ConnectCommand   = byte(1)
+	BindCommand      = byte(2)
+	AssociateCommand = byte(3)
+)

-	// 域名解析
-	Resolver NameResolver
+const (
+	ipv4Address = byte(1)
+	fqdnAddress = byte(3)
+	ipv6Address = byte(4)
+)

-	// 自定义认证规则
-	Rules RuleSet
-
-	// 地址重写
-	Rewriter AddressRewriter
-
-	// 用于 bind 和 associate
-	BindIP net.IP
-
-	// Logger
-	Logger *log.Logger
-
-	// 自定义连接流程
-	Dial func(network, addr string) (net.Conn, error)
-}
-
-type Server struct {
-	config *Config
-	ctx    context.Context
-	cancel context.CancelFunc
-	wg     utils.CountWaitGroup
-	Name   string
-	Port   uint16
-	Conn   chan ProxyConn
-}
-
-// New 创建服务器
-func New(conf *Config) (*Server, error) {
-	if conf == nil {
-		conf = &Config{}
-	}
-
-	if len(conf.AuthMethods) == 0 {
-		return nil, ConfigError("认证方法不能为空")
-	}
-
-	if conf.Resolver == nil {
-		conf.Resolver = DNSResolver{}
-	}
-
-	if conf.Rules == nil {
-		conf.Rules = PermitAll()
-	}
-
-	if conf.Logger == nil {
-		conf.Logger = log.New(os.Stdout, "", log.LstdFlags)
-	}
-
-	if conf.Dial == nil {
-		conf.Dial = func(network, addr string) (net.Conn, error) {
-			return net.Dial(network, addr)
-		}
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	return &Server{
-		config: conf,
-		ctx:    ctx,
-		cancel: cancel,
-		wg:     utils.CountWaitGroup{},
-		Name:   conf.Name,
-		Port:   conf.Port,
-		Conn:   make(chan ProxyConn),
-	}, nil
-}
-
-// Run 监听端口
-func (s *Server) Run() error {
-	slog.Debug("启动 socks5 代理服务")
-
-	// 监听端口
-	host := s.config.Host
-	port := s.config.Port
-	addr := net.JoinHostPort(host, strconv.Itoa(int(port)))
-	ls, err := net.Listen("tcp", addr)
-	if err != nil {
-		return errors.Wrap(err, "监听端口失败")
-	}
-	defer utils.Close(ls)
-	slog.Debug("正在监听端口", slog.Uint64("port", uint64(port)))
-
-	// 处理连接
-	connCh := utils.ChanConnAccept(s.ctx, ls)
-	defer close(connCh)
-
-	err = nil
-	for loop := true; loop; {
-		select {
-		case <-s.ctx.Done():
-			slog.Debug("socks 服务主动停止")
-			loop = false
-		case conn, ok := <-connCh:
-			if !ok {
-				err = errors.New("意外错误，无法获取连接")
-				loop = false
-				s.Close()
-				break
-			}
-			s.wg.Add(1)
-			go func() {
-				defer s.wg.Done()
-				// 连接要传出，不能在这里关闭连接
-				err := s.process(conn)
-				if err != nil {
-					slog.Error("处理连接失败", err)
-				}
-			}()
-		}
-	}
-
-	// 关闭服务
-	timeout, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-	wgCh := utils.ChanWgWait(timeout, &s.wg)
-
-	err = nil
-	select {
-	case <-timeout.Done():
-		err = errors.New("关闭超时（强制关闭）")
-	case <-wgCh:
-	}
-
-	close(s.Conn)
-	return err
-}
-
-// Close 关闭服务
-func (s *Server) Close() {
-	s.cancel()
-}
-
-// process 建立连接
-func (s *Server) process(conn net.Conn) error {
-	slog.Info("收到来自" + conn.RemoteAddr().String() + "的连接")
+const (
+	successReply byte = iota
+	serverFailure
+	ruleFailure
+	networkUnreachable
+	hostUnreachable
+	connectionRefused
+	ttlExpired
+	commandNotSupported
+	addrTypeNotSupported
+)

+// Process 处理连接
+func Process(ctx context.Context, conn net.Conn) (*core.Conn, error) {
 	reader := bufio.NewReader(conn)

 	// 认证
-	slog.Debug("开始认证流程")
-	authContext, err := s.authenticate(reader, conn)
+	auth, err := authenticate(ctx, reader, conn)
 	if err != nil {
-		utils.Close(conn)
-		slog.Error("认证失败", err)
-		return err
-	} else {
-		slog.Debug("认证完成")
+		return nil, errors.Wrap(err, "认证失败")
 	}

 	// 处理连接请求
-	slog.Debug("处理连接请求")
-	request, err := s.request(reader, conn)
+	request, err := request(ctx, reader, conn)
 	if err != nil {
-		slog.Error("连接请求处理失败", err)
-		return err
-	} else {
-		slog.Debug("连接请求处理完成")
+		return nil, errors.Wrap(err, "处理连接请求失败")
 	}

-	request.Authentication = authContext
-	user, ok := conn.RemoteAddr().(*net.TCPAddr)
-	if !ok {
-		return fmt.Errorf("获取用户地址失败")
+	// 代理连接
+	if request.Command != ConnectCommand {
+		return nil, errors.New("不支持的连接指令")
 	}

-	request.RemoteAddr = &AddrSpec{
-		IP:   user.IP,
-		Port: user.Port,
-	}
+	// 响应成功
+	err = sendReply(conn, successReply, request.DestAddr)

-	// 处理请求
-	slog.Debug("开始代理流量")
-	err = s.handle(request, conn)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return &core.Conn{
+		Conn:     conn,
+		Reader:   reader,
+		Protocol: "socks5",
+		Tag:      conn.RemoteAddr().String() + "_" + conn.LocalAddr().String(),
+		Dest:     request.DestAddr,
+		Auth:     auth,
+	}, nil
 }

 // checkVersion 检查客户端版本
@@ -218,11 +96,280 @@ func checkVersion(reader io.Reader) error {
 		return err
 	}

-	slog.Debug("客户端请求版本", "version", version)
-
 	if version != Version {
 		return errors.New("客户端版本不兼容")
 	}

 	return nil
 }
+
+// authenticate 执行认证流程
+func authenticate(ctx context.Context, reader *bufio.Reader, conn net.Conn) (*core.AuthContext, error) {
+
+	// 版本检查
+	err := checkVersion(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	// 获取客户端认证方式
+	nAuth, err := utils.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	methods, err := utils.ReadBuffer(reader, int(nAuth))
+	if err != nil {
+		return nil, err
+	}
+
+	// 密码模式
+	if slices.Contains(methods, UserPassAuth) {
+		_, err := conn.Write([]byte{Version, byte(UserPassAuth)})
+		if err != nil {
+			return nil, errors.Wrap(err, "响应认证方式失败")
+		}
+
+		// 检查认证版本
+		slog.Debug("验证认证版本")
+		v, err := utils.ReadByte(reader)
+		if err != nil {
+			return nil, errors.Wrap(err, "读取版本号失败")
+		}
+		if v != AuthVersion {
+			_, err := conn.Write([]byte{Version, AuthFailure})
+			if err != nil {
+				return nil, errors.Wrap(err, "响应认证失败")
+			}
+			return nil, errors.New("认证版本参数不正确")
+		}
+
+		// 读取账号
+		slog.Debug("验证用户账号")
+		uLen, err := utils.ReadByte(reader)
+		if err != nil {
+			return nil, errors.Wrap(err, "读取用户名长度失败")
+		}
+		usernameBuf, err := utils.ReadBuffer(reader, int(uLen))
+		if err != nil {
+			return nil, errors.Wrap(err, "读取用户名失败")
+		}
+		username := string(usernameBuf)
+
+		// 读取密码
+		pLen, err := utils.ReadByte(reader)
+		if err != nil {
+			return nil, errors.Wrap(err, "读取密码长度失败")
+		}
+		passwordBuf, err := utils.ReadBuffer(reader, int(pLen))
+		if err != nil {
+			return nil, errors.Wrap(err, "读取密码失败")
+		}
+		password := string(passwordBuf)
+
+		// 检查权限
+		authContext, err := core.CheckPass(conn, username, password)
+		if err != nil {
+			return nil, errors.Wrap(err, "权限检查失败")
+		}
+
+		// 响应认证成功
+		_, err = conn.Write([]byte{AuthVersion, AuthSuccess})
+		if err != nil {
+			return nil, errors.Wrap(err, "响应认证成功失败")
+		}
+
+		return authContext, nil
+	}
+
+	// 无认证
+	if slices.Contains(methods, NoAuth) {
+		_, err = conn.Write([]byte{Version, NoAuth})
+		if err != nil {
+			return nil, errors.Wrap(err, "响应认证方式失败")
+		}
+
+		authContext, err := core.CheckIp(conn)
+		if err != nil {
+			return nil, errors.Wrap(err, "权限检查失败")
+		}
+
+		return authContext, nil
+	}
+
+	// 无适用的认证方式
+	_, err = conn.Write([]byte{Version, NoAcceptable})
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, errors.New("没有适用的认证方式")
+}
+
+type Request struct {
+	Command  uint8
+	DestAddr *core.FwdAddr
+}
+
+// request 处理连接请求
+func request(ctx context.Context, reader io.Reader, writer io.Writer) (*Request, error) {
+
+	// 检查版本
+	err := checkVersion(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	// 检查连接命令
+	command, err := utils.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	if command != ConnectCommand && command != BindCommand && command != AssociateCommand {
+		err = sendReply(writer, commandNotSupported, nil)
+		if err != nil {
+			return nil, err
+		}
+		return nil, errors.New("不支持该连接指令")
+	}
+
+	// 跳过保留字段 rsv
+	_, err = utils.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	// 获取目标地址
+	dest, err := parseTarget(reader, writer)
+	if err != nil {
+		return nil, err
+	}
+
+	request := &Request{
+		Command:  command,
+		DestAddr: dest,
+	}
+
+	return request, nil
+}
+
+func parseTarget(reader io.Reader, writer io.Writer) (*core.FwdAddr, error) {
+	dest := &core.FwdAddr{}
+
+	aTypeBuf, err := utils.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	switch aTypeBuf {
+
+	case ipv4Address:
+		addr := make([]byte, 4)
+		_, err := io.ReadFull(reader, addr)
+		if err != nil {
+			return nil, err
+		}
+		dest.IP = addr
+
+	case ipv6Address:
+		addr := make([]byte, 16)
+		_, err := io.ReadFull(reader, addr)
+		if err != nil {
+			return nil, err
+		}
+		dest.IP = addr
+
+	case fqdnAddress:
+		aLenBuf := make([]byte, 1)
+		_, err := reader.Read(aLenBuf)
+		if err != nil {
+			return nil, err
+		}
+
+		fqdnBuff := make([]byte, int(aLenBuf[0]))
+		_, err = io.ReadFull(reader, fqdnBuff)
+		if err != nil {
+			return nil, err
+		}
+		dest.Domain = string(fqdnBuff)
+
+		// 域名解析
+		addr, err := net.ResolveIPAddr("ip", dest.Domain)
+		if err != nil {
+			err := sendReply(writer, hostUnreachable, nil)
+			if err != nil {
+				return nil, fmt.Errorf("failed to send reply: %v", err)
+			}
+			return nil, fmt.Errorf("failed to resolve destination '%v': %v", dest.Domain, err)
+		}
+		dest.IP = addr.IP
+
+	default:
+		err := sendReply(writer, addrTypeNotSupported, nil)
+		if err != nil {
+			return nil, err
+		}
+		return nil, fmt.Errorf("unrecognized address type")
+	}
+
+	portBuf := make([]byte, 2)
+	_, err = io.ReadFull(reader, portBuf)
+	if err != nil {
+		return nil, err
+	}
+	dest.Port = int(binary.BigEndian.Uint16(portBuf))
+
+	return dest, nil
+}
+
+func sendReply(w io.Writer, resp uint8, addr *core.FwdAddr) error {
+	var addrType uint8
+	var addrBody []byte
+	var addrPort uint16
+	switch {
+	case addr == nil:
+		addrType = ipv4Address
+		addrBody = []byte{0, 0, 0, 0}
+		addrPort = 0
+
+	case addr.Domain != "":
+		addrType = fqdnAddress
+		addrBody = append([]byte{byte(len(addr.Domain))}, addr.Domain...)
+		addrPort = uint16(addr.Port)
+
+	case addr.IP.To4() != nil:
+		addrType = ipv4Address
+		addrBody = addr.IP.To4()
+		addrPort = uint16(addr.Port)
+
+	case addr.IP.To16() != nil:
+		addrType = ipv6Address
+		addrBody = addr.IP.To16()
+		addrPort = uint16(addr.Port)
+
+	default:
+		return fmt.Errorf("failed to format address: %v", addr)
+	}
+
+	msg := make([]byte, 6+len(addrBody))
+	msg[0] = Version
+	msg[1] = resp
+	msg[2] = 0 // Reserved
+	msg[3] = addrType
+	copy(msg[4:], addrBody)
+	msg[4+len(addrBody)] = byte(addrPort >> 8)
+	msg[4+len(addrBody)+1] = byte(addrPort & 0xff)
+
+	_, err := w.Write(msg)
+	return err
+}
+
+func SendSuccess(user net.Conn, target net.Conn) error {
+	local := target.LocalAddr().(*net.TCPAddr)
+	bind := core.FwdAddr{IP: local.IP, Port: local.Port}
+	err := sendReply(user, successReply, &bind)
+	if err != nil {
+		return err
+	}
+	return nil
+}