优化项目机构和服务端协程控制逻辑

2025-02-25 14:48:50 +08:00
parent 83fd749d50
commit 7f23e2741f
21 changed files with 732 additions and 440 deletions
--- a/server/fwd/service.go
+++ b/server/fwd/service.go
@@ -0,0 +1,501 @@
+package fwd
+
+import (
+	"bufio"
+	"context"
+	"encoding/binary"
+	"io"
+	"log/slog"
+	"net"
+	"proxy-server/pkg/utils"
+	"proxy-server/server/pkg/env"
+	"proxy-server/server/pkg/orm"
+	"proxy-server/server/pkg/socks5"
+	"proxy-server/server/web/app/models"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+type Config struct {
+}
+
+type Service struct {
+	Config     *Config
+	ConnMap    map[string]socks5.ProxyData
+	ctrlConnWg sync.WaitGroup
+	dataConnWg sync.WaitGroup
+}
+
+func New(config *Config) *Service {
+	_config := config
+	if _config == nil {
+		_config = &Config{}
+	}
+
+	return &Service{
+		Config:     _config,
+		ConnMap:    make(map[string]socks5.ProxyData),
+		ctrlConnWg: sync.WaitGroup{},
+		dataConnWg: sync.WaitGroup{},
+	}
+}
+
+func (s *Service) Run(ctx context.Context, errCh chan error) {
+	defer func() {
+		err := recover()
+		if err != nil {
+			slog.Error("服务由于意外的 panic 导致退出", err)
+		}
+	}()
+
+	slog.Info("启动 fwd 服务")
+
+	// 启动工作协程
+	subCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	goNum := 2
+	subErrCh := make(chan error, goNum)
+	defer close(subErrCh)
+
+	go s.startCtrlTun(subCtx, subErrCh)
+	go s.startDataTun(subCtx, subErrCh)
+
+	// 等待结束
+	var firstSubErr error = nil
+	for i := 0; i < goNum; i++ {
+		err := <-subErrCh
+		if err != nil {
+			slog.Error("隧道错误关闭", "err", err)
+			if firstSubErr == nil {
+				firstSubErr = err
+				cancel()
+			}
+		} else {
+			slog.Info("隧道关闭")
+		}
+	}
+
+	slog.Info("fwd 服务已结束")
+	errCh <- firstSubErr
+}
+
+func (s *Service) startCtrlTun(ctx context.Context, errCh chan error) {
+	ctrlPort := env.AppCtrlPort
+	slog.Debug("监听控制通道", slog.Uint64("port", uint64(ctrlPort)))
+
+	// 监听端口
+	ls, err := net.Listen("tcp", ":"+strconv.Itoa(int(ctrlPort)))
+	if err != nil {
+		slog.Error("监听控制通道失败", "err", err)
+		return
+	}
+	defer utils.Close(ls)
+
+	// 等待连接
+	connCh := utils.ConnChan(ctx, ls)
+	defer close(connCh)
+
+	// 处理连接
+loop:
+	for {
+		select {
+		case <-ctx.Done():
+			slog.Debug("结束处理连接，由于上下文取消")
+			break loop
+		case conn, ok := <-connCh:
+			if !ok {
+				slog.Debug("结束处理连接，由于获取连接失败")
+				break loop
+			}
+			go s.processCtrlConn(conn)
+		}
+	}
+
+	// 等待子协程结束 todo 可配置等待时间
+	timeout, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	procCh := utils.WaitChan(timeout, &s.ctrlConnWg)
+	defer close(procCh)
+
+	select {
+	case <-timeout.Done():
+		slog.Warn("等待控制通道子协程结束超时")
+	case <-procCh:
+		slog.Info("控制通道子协程结束")
+	}
+
+	slog.Debug("关闭控制通道")
+	errCh <- nil
+}
+
+func (s *Service) processCtrlConn(controller net.Conn) {
+	defer func() {
+		s.ctrlConnWg.Done()
+		utils.Close(controller)
+	}()
+
+	slog.Info("收到客户端控制连接 " + controller.RemoteAddr().String())
+
+	reader := bufio.NewReader(controller)
+
+	// 读取端口
+	portBuf := make([]byte, 2)
+	_, err := io.ReadFull(reader, portBuf)
+	if err != nil {
+		slog.Error("读取转发端口失败", "err", err)
+		return
+	}
+	port := binary.BigEndian.Uint16(portBuf)
+
+	// 新建代理服务
+	slog.Info("新建代理服务", "port", port)
+	proxy, err := socks5.New(&socks5.Config{
+		Name: strconv.Itoa(int(port)),
+		Port: port,
+		AuthMethods: []socks5.Authenticator{
+			&UserPassAuthenticator{},
+			&NoAuthAuthenticator{},
+		},
+	})
+	if err != nil {
+		slog.Error("代理服务创建失败", err)
+		return
+	}
+
+	go func() {
+		err := proxy.Run()
+		if err != nil {
+			slog.Error("代理服务建立失败", err)
+			return
+		}
+	}()
+
+	slog.Info("代理服务已建立", "port", port)
+	for {
+		user := <-proxy.Conn
+		tag := user.Tag()
+		_, err := controller.Write([]byte{byte(len(tag))})
+		if err != nil {
+			slog.Error("write error", err)
+			return
+		}
+		_, err = controller.Write([]byte(tag))
+		slog.Info("已通知客户端建立数据通道")
+		if err != nil {
+			slog.Error("write error", err)
+			return
+		}
+		s.ConnMap[tag] = user
+	}
+}
+
+func (s *Service) startDataTun(ctx context.Context, errCh chan error) {
+	dataPort := env.AppDataPort
+	slog.Debug("监听数据通道", slog.Uint64("port", uint64(dataPort)))
+
+	// 监听端口
+	lData, err := net.Listen("tcp", ":"+strconv.Itoa(int(dataPort)))
+	if err != nil {
+		slog.Error("listen error", err)
+		return
+	}
+	defer utils.Close(lData)
+
+	// 等待连接
+	connCh := utils.ConnChan(ctx, lData)
+	defer close(connCh)
+
+	// 处理连接
+loop:
+	for {
+		select {
+		case <-ctx.Done():
+			slog.Debug("结束处理连接，由于上下文取消")
+			break loop
+		case conn, ok := <-connCh:
+			if !ok {
+				slog.Debug("结束处理连接，由于获取连接失败")
+				break loop
+			}
+			go s.processDataConn(conn)
+		}
+	}
+
+	// 等待子协程结束 todo 可配置等待时间
+	timeout, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	procCh := utils.WaitChan(timeout, &s.dataConnWg)
+	defer close(procCh)
+
+	select {
+	case <-timeout.Done():
+		slog.Warn("等待数据通道子协程结束超时")
+	case <-procCh:
+		slog.Info("数据通道子协程结束")
+	}
+
+	slog.Debug("关闭数据通道")
+	errCh <- nil
+}
+
+func (s *Service) processDataConn(client net.Conn) {
+
+	slog.Info("已建立客户端数据通道 " + client.RemoteAddr().String())
+
+	// 读取 tag
+	tagLen, err := utils.ReadByte(client)
+	if err != nil {
+		slog.Error("read error", err)
+		return
+	}
+	tagBuf, err := utils.ReadBuffer(client, int(tagLen))
+	if err != nil {
+		slog.Error("read error", err)
+		return
+	}
+	tag := string(tagBuf)
+
+	// 找到用户连接
+	data, ok := s.ConnMap[tag]
+	if !ok {
+		slog.Error("no such connection")
+		return
+	}
+
+	// 响应用户
+	user := data.Conn
+	socks5.SendSuccess(user, client)
+
+	// 写入目标地址
+	_, err = client.Write([]byte{byte(len(data.Dest))})
+	if err != nil {
+		slog.Error("写入目标地址失败", err)
+		return
+	}
+	_, err = client.Write([]byte(data.Dest))
+	if err != nil {
+		slog.Error("写入目标地址失败", err)
+		return
+	}
+
+	// 数据转发
+	slog.Info("开始数据转发 " + client.RemoteAddr().String() + " <-> " + data.Dest)
+	errCh := make(chan error)
+	go func() {
+		_, err := io.Copy(client, user)
+		if err != nil {
+			slog.Error("processDataConn error c2u", err)
+		}
+		errCh <- err
+	}()
+	go func() {
+		_, err := io.Copy(user, client)
+		if err != nil {
+			slog.Error("processDataConn error u2c", err)
+		}
+		errCh <- err
+	}()
+	<-errCh
+	slog.Info("数据转发结束 " + client.RemoteAddr().String() + " <-> " + data.Dest)
+	defer func() {
+		err := user.Close()
+		if err != nil {
+			slog.Error("close error", err)
+		}
+		err = client.Close()
+		if err != nil {
+			slog.Error("close error", err)
+		}
+	}()
+}
+
+type NoAuthAuthenticator struct {
+}
+
+func (a *NoAuthAuthenticator) Method() socks5.AuthMethod {
+	return socks5.NoAuth
+}
+
+func (a *NoAuthAuthenticator) Authenticate(ctx context.Context, reader io.Reader, writer io.Writer) (*socks5.AuthContext, error) {
+
+	// 获取用户地址
+	conn, ok := writer.(net.Conn)
+	if !ok {
+		return nil, errors.New("noAuth 认证失败，无法获取连接信息")
+	}
+	addr := conn.RemoteAddr().String()
+	client, _, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, errors.Wrap(err, "noAuth 认证失败")
+	}
+	slog.Debug("用户的地址为 " + client)
+
+	// 获取服务
+	server, ok := ctx.Value("service").(*socks5.Server)
+	if !ok {
+		return nil, errors.New("noAuth 认证失败，无法获取服务信息")
+	}
+	node := server.Name
+	slog.Debug("服务的名称为 " + server.Name)
+
+	// 查询权限记录
+	slog.Info(" 客户端 " + client + " 请求连接到 " + node)
+	var channels []models.Channel
+	err = orm.DB.
+		Joins("INNER JOIN public.nodes n ON channels.node_id = n.id AND n.name = ?", node).
+		Joins("INNER JOIN public.users u ON channels.user_id = u.id").
+		Joins("INNER JOIN public.user_ips ip ON u.id = ip.user_id AND ip.ip_address = ?", client).
+		Where(&models.Channel{
+			AuthIp: true,
+		}).
+		Find(&channels).Error
+	if err != nil {
+		return nil, errors.New("noAuth 查询用户权限失败")
+	}
+
+	// 记录应该只有一条
+	channel, err := orm.MaySingle(channels)
+	if err != nil {
+		return nil, errors.Wrap(err, "noAuth 没有权限")
+	}
+
+	// 检查是否需要密码认证
+	if channel.AuthPass {
+		return nil, errors.New("noAuth 没有权限，需要密码认证")
+	}
+
+	// 检查权限是否过期
+	timeout := uint(channel.Expiration.Sub(time.Now()).Seconds())
+	if timeout <= 0 {
+		return nil, errors.New("noAuth 权限已过期")
+	}
+	slog.Debug("权限剩余时间", slog.Uint64("timeout", uint64(timeout)))
+
+	return &socks5.AuthContext{
+		Method:  socks5.NoAuth,
+		Timeout: timeout,
+		Payload: nil,
+	}, nil
+}
+
+type UserPassAuthenticator struct {
+}
+
+func (a *UserPassAuthenticator) Method() socks5.AuthMethod {
+	return socks5.UserPassAuth
+}
+
+func (a *UserPassAuthenticator) Authenticate(ctx context.Context, reader io.Reader, writer io.Writer) (*socks5.AuthContext, error) {
+
+	// 检查认证版本
+	slog.Debug("验证认证版本")
+	v, err := utils.ReadByte(reader)
+	if err != nil {
+		return nil, errors.Wrap(err, "读取版本号失败")
+	}
+	if v != socks5.AuthVersion {
+		_, err := writer.Write([]byte{socks5.SocksVersion, socks5.AuthFailure})
+		if err != nil {
+			return nil, errors.Wrap(err, "响应认证失败")
+		}
+		return nil, errors.New("认证版本参数不正确")
+	}
+
+	// 读取账号
+	slog.Debug("验证用户账号")
+	uLen, err := utils.ReadByte(reader)
+	if err != nil {
+		return nil, errors.Wrap(err, "读取用户名长度失败")
+	}
+	usernameBuf, err := utils.ReadBuffer(reader, int(uLen))
+	if err != nil {
+		return nil, errors.Wrap(err, "读取用户名失败")
+	}
+	username := string(usernameBuf)
+
+	// 读取密码
+	pLen, err := utils.ReadByte(reader)
+	if err != nil {
+		return nil, errors.Wrap(err, "读取密码长度失败")
+	}
+	passwordBuf, err := utils.ReadBuffer(reader, int(pLen))
+	if err != nil {
+		return nil, errors.Wrap(err, "读取密码失败")
+	}
+	password := string(passwordBuf)
+
+	// 查询通道配置
+	var channel models.Channel
+	err = orm.DB.
+		Where(&models.Channel{
+			Username: username,
+			AuthPass: true,
+		}).
+		First(&channel).Error
+	if err != nil {
+		return nil, errors.Wrap(err, "查询用户失败")
+	}
+
+	// 检查密码 todo 哈希
+	if channel.Password != password {
+		return nil, errors.New("密码错误")
+	}
+
+	// 检查权限是否过期
+	timeout := uint(channel.Expiration.Sub(time.Now()).Seconds())
+	if timeout <= 0 {
+		return nil, errors.New("权限已过期")
+	}
+
+	// 如果用户设置了双验证则检查 ip 是否在白名单中
+	if channel.AuthIp {
+		slog.Debug("验证用户 ip")
+
+		// 获取用户地址
+		conn, ok := writer.(net.Conn)
+		if !ok {
+			return nil, errors.New("无法获取连接信息")
+		}
+		addr := conn.RemoteAddr().String()
+		client, _, err := net.SplitHostPort(addr)
+		if err != nil {
+			return nil, errors.Wrap(err, "无法获取连接信息")
+		}
+
+		// 查询通道配置
+		var ips []models.UserIp
+		err = orm.DB.
+			Where(&models.UserIp{
+				UserId:    channel.UserId,
+				IpAddress: client,
+			}).
+			Find(&ips).Error
+		if err != nil {
+			return nil, errors.Wrap(err, "查询用户 ip 失败")
+		}
+
+		// 检查是否在白名单中
+		if len(ips) == 0 {
+			return nil, errors.New("没有权限")
+		}
+	}
+
+	// 响应认证成功
+	_, err = writer.Write([]byte{socks5.AuthVersion, socks5.AuthSuccess})
+	if err != nil {
+		slog.Error("响应认证失败", err)
+		return nil, err
+	}
+
+	return &socks5.AuthContext{
+		Method:  socks5.UserPassAuth,
+		Timeout: 300, // todo
+		Payload: nil,
+	}, nil
+}
--- a/server/monitor/monitor.go
+++ b/server/monitor/monitor.go
@@ -1,12 +1,13 @@
-package monitor
+package mnt

 import (
 	"context"
 	"encoding/hex"
+	"log/slog"
+
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/pcap"
 	"github.com/pkg/errors"
-	"log/slog"
 )

 func Start(ctx context.Context, errCh chan error) {
--- a/server/pkg/env/env.go
+++ b/server/pkg/env/env.go
@@ -0,0 +1,86 @@
+package env
+
+import (
+	"fmt"
+	"log/slog"
+	"os"
+	"strconv"
+
+	"github.com/joho/godotenv"
+)
+
+var (
+	AppCtrlPort uint16
+	AppDataPort uint16
+
+	DbHost     string
+	DbPort     uint16
+	DbDatabase string
+	DbUsername string
+	DbPassword string
+	DbTimezone string
+)
+
+func Init() {
+
+	// 加载 .env 文件
+	err := godotenv.Load()
+	if err != nil {
+		slog.Debug("没有本地环境变量文件")
+	}
+
+	appCtrlPortStr := os.Getenv("APP_CTRL_PORT")
+	if appCtrlPortStr == "" {
+		panic("环境变量 APP_CTRL_PORT 未设置")
+	}
+	appCtrlPort, err := strconv.ParseUint(appCtrlPortStr, 10, 16)
+	if err != nil {
+		panic(fmt.Sprintf("环境变量 APP_CTRL_PORT 格式错误: %v", err))
+	}
+	AppCtrlPort = uint16(appCtrlPort)
+
+	appDataPortStr := os.Getenv("APP_DATA_PORT")
+	if appDataPortStr == "" {
+		panic("环境变量 APP_DATA_PORT 未设置")
+	}
+	appDataPort, err := strconv.ParseUint(appDataPortStr, 10, 16)
+	if err != nil {
+		panic(fmt.Sprintf("环境变量 APP_DATA_PORT 格式错误: %v", err))
+	}
+	AppDataPort = uint16(appDataPort)
+
+	DbHost = os.Getenv("DB_HOST")
+	if DbHost == "" {
+		panic("环境变量 DB_HOST 未设置")
+	}
+
+	dbPortStr := os.Getenv("DB_PORT")
+	if dbPortStr == "" {
+		dbPortStr = "5432"
+	}
+	dbPort, err := strconv.ParseUint(dbPortStr, 10, 16)
+	if err != nil {
+		panic(fmt.Sprintf("环境变量 DB_PORT 格式错误: %v", err))
+	}
+	DbPort = uint16(dbPort)
+
+	DbDatabase = os.Getenv("DB_DATABASE")
+	if DbDatabase == "" {
+		panic("环境变量 DB_DATABASE 未设置")
+	}
+
+	DbUsername = os.Getenv("DB_USERNAME")
+	if DbUsername == "" {
+		panic("环境变量 DB_USERNAME 未设置")
+	}
+
+	DbPassword = os.Getenv("DB_PASSWORD")
+	if DbPassword == "" {
+		panic("环境变量 DB_PASSWORD 未设置")
+	}
+
+	DbTimezone = os.Getenv("DB_TIMEZONE")
+	if DbTimezone == "" {
+		DbTimezone = "Asia/Shanghai"
+	}
+}
--- a/server/pkg/orm/orm.go
+++ b/server/pkg/orm/orm.go
@@ -2,10 +2,13 @@ package orm

 import (
 	"fmt"
+	"log/slog"
+	"os"
+
+	"github.com/pkg/errors"
 	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
-	"os"
 )

 var DB *gorm.DB
@@ -32,3 +35,14 @@ func Init() {

 	DB = db
 }
+
+func MaySingle[T any](results []T) (*T, error) {
+	rsLen := len(results)
+	if rsLen == 0 {
+		return nil, errors.New("记录为空")
+	}
+	if rsLen > 1 {
+		slog.Warn("记录不唯一", "ids")
+	}
+	return &results[0], nil
+}
--- a/server/pkg/resp/resp.go
+++ b/server/pkg/resp/resp.go
@@ -0,0 +1,21 @@
+package resp
+
+type Data struct {
+	Error bool
+	Cause string
+	Data  interface{}
+}
+
+func Done(data interface{}) *Data {
+	return &Data{
+		Error: false,
+		Data:  data,
+	}
+}
+
+func Fail(cause string) *Data {
+	return &Data{
+		Error: true,
+		Cause: cause,
+	}
+}
--- a/server/pkg/socks5/auth.go
+++ b/server/pkg/socks5/auth.go
@@ -0,0 +1,82 @@
+package socks5
+
+import (
+	"context"
+	"io"
+	"log/slog"
+	"proxy-server/pkg/utils"
+	"slices"
+
+	"github.com/pkg/errors"
+)
+
+type AuthMethod byte
+
+const (
+	AuthVersion  = byte(1)
+	AuthSuccess  = byte(0)
+	AuthFailure  = byte(1)
+	NoAuth       = AuthMethod(0)
+	UserPassAuth = AuthMethod(2)
+	NoAcceptable = byte(0xFF)
+)
+
+type Authenticator interface {
+	Method() AuthMethod
+	Authenticate(ctx context.Context, reader io.Reader, writer io.Writer) (*AuthContext, error)
+}
+
+// authenticate 执行认证流程
+func (server *Server) authenticate(reader io.Reader, writer io.Writer) (*AuthContext, error) {
+
+	// 版本检查
+	err := checkVersion(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	// 获取客户端认证方式
+	nAuth, err := utils.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	methods, err := utils.ReadBuffer(reader, int(nAuth))
+	if err != nil {
+		return nil, err
+	}
+
+	// 认证客户端连接
+	for _, authenticator := range server.config.AuthMethods {
+		method := authenticator.Method()
+		if slices.Contains(methods, byte(method)) {
+			slog.Debug("使用的认证方式", method)
+
+			_, err := writer.Write([]byte{SocksVersion, byte(method)})
+			if err != nil {
+				slog.Error("响应认证方式失败", err)
+				return nil, err
+			}
+
+			ctx := context.WithValue(context.Background(), "service", server)
+			authContext, err := authenticator.Authenticate(ctx, reader, writer)
+			if err != nil {
+				return nil, err
+			}
+			return authContext, nil
+		}
+	}
+
+	// 无适用的认证方式
+	_, err = writer.Write([]byte{SocksVersion, NoAcceptable})
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, errors.New("没有适用的认证方式")
+}
+
+type AuthContext struct {
+	Method  AuthMethod
+	Timeout uint
+	Payload map[string]any
+}
--- a/server/pkg/socks5/error.go
+++ b/server/pkg/socks5/error.go
@@ -0,0 +1,7 @@
+package socks5
+
+type ConfigError string
+
+func (c ConfigError) Error() string {
+	return string(c)
+}
--- a/server/pkg/socks5/request.go
+++ b/server/pkg/socks5/request.go
@@ -0,0 +1,405 @@
+package socks5
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log/slog"
+	"net"
+	"proxy-server/pkg/utils"
+	"strconv"
+
+	"github.com/pkg/errors"
+)
+
+const (
+	ConnectCommand   = byte(1)
+	BindCommand      = byte(2)
+	AssociateCommand = byte(3)
+	ipv4Address      = byte(1)
+	fqdnAddress      = byte(3)
+	ipv6Address      = byte(4)
+)
+
+const (
+	successReply byte = iota
+	serverFailure
+	ruleFailure
+	networkUnreachable
+	hostUnreachable
+	connectionRefused
+	ttlExpired
+	commandNotSupported
+	addrTypeNotSupported
+)
+
+var (
+	unrecognizedAddrType = fmt.Errorf("Unrecognized address type")
+)
+
+// AddressRewriter is used to rewrite a destination transparently
+type AddressRewriter interface {
+	Rewrite(ctx context.Context, request *Request) (context.Context, *AddrSpec)
+}
+
+// AddrSpec 地址
+type AddrSpec struct {
+	FQDN string
+	IP   net.IP
+	Port int
+}
+
+func (a AddrSpec) String() string {
+	if a.FQDN != "" {
+		return fmt.Sprintf("%s (%s):%d", a.FQDN, a.IP, a.Port)
+	}
+	return fmt.Sprintf("%s:%d", a.IP, a.Port)
+}
+
+// Address returns a string suitable to dial; prefer returning IP-based
+// address, fallback to FQDN
+func (a AddrSpec) Address() string {
+	if 0 != len(a.IP) {
+		return net.JoinHostPort(a.IP.String(), strconv.Itoa(a.Port))
+	}
+	return net.JoinHostPort(a.FQDN, strconv.Itoa(a.Port))
+}
+
+func (server *Server) request(reader io.Reader, writer io.Writer) (*Request, error) {
+
+	// 检查版本
+	err := checkVersion(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	// 检查连接命令
+	command, err := utils.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	slog.Debug("客户端使用的连接指令：%v", command)
+	if command != ConnectCommand && command != BindCommand && command != AssociateCommand {
+		err = sendReply(writer, commandNotSupported, nil)
+		if err != nil {
+			return nil, err
+		}
+		return nil, errors.New("不支持该连接指令")
+	}
+
+	// 跳过保留字段 rsv
+	_, err = utils.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	// 获取目标地址
+	dest, err := server.parseTarget(reader, writer)
+	if err != nil {
+		return nil, err
+	}
+
+	request := &Request{
+		Version:  SocksVersion,
+		Command:  command,
+		DestAddr: dest,
+		bufConn:  reader,
+	}
+
+	return request, nil
+}
+
+func (server *Server) parseTarget(reader io.Reader, writer io.Writer) (*AddrSpec, error) {
+	dest := &AddrSpec{}
+
+	aTypeBuf := make([]byte, 1)
+	_, err := reader.Read(aTypeBuf)
+	if err != nil {
+		return nil, err
+	}
+
+	switch aTypeBuf[0] {
+
+	case ipv4Address:
+		addr := make([]byte, 4)
+		_, err := io.ReadFull(reader, addr)
+		if err != nil {
+			return nil, err
+		}
+		dest.IP = addr
+
+	case ipv6Address:
+		addr := make([]byte, 16)
+		_, err := io.ReadFull(reader, addr)
+		if err != nil {
+			return nil, err
+		}
+		dest.IP = addr
+
+	case fqdnAddress:
+		aLenBuf := make([]byte, 1)
+		_, err := reader.Read(aLenBuf)
+		if err != nil {
+			return nil, err
+		}
+
+		fqdnBuff := make([]byte, int(aLenBuf[0]))
+		_, err = io.ReadFull(reader, fqdnBuff)
+		if err != nil {
+			return nil, err
+		}
+		dest.FQDN = string(fqdnBuff)
+
+		// 域名解析
+		addr, err := server.config.Resolver.Resolve(dest.FQDN)
+		if err != nil {
+			err := sendReply(writer, hostUnreachable, nil)
+			if err != nil {
+				return nil, fmt.Errorf("Failed to send reply: %v", err)
+			}
+			return nil, fmt.Errorf("Failed to resolve destination '%v': %v", dest.FQDN, err)
+		}
+		dest.IP = addr
+
+	default:
+		err := sendReply(writer, addrTypeNotSupported, nil)
+		if err != nil {
+			return nil, err
+		}
+		return nil, unrecognizedAddrType
+	}
+
+	portBuf := make([]byte, 2)
+	_, err = io.ReadFull(reader, portBuf)
+	if err != nil {
+		return nil, err
+	}
+	dest.Port = (int(portBuf[0]) << 8) | int(portBuf[1])
+
+	return dest, nil
+}
+
+// A Request represents request received by a server
+type Request struct {
+	// Protocol version
+	Version uint8
+	// Requested command
+	Command uint8
+	// AuthContext provided during negotiation
+	AuthContext *AuthContext
+	// AddrSpec of the  network that sent the request
+	RemoteAddr *AddrSpec
+	// AddrSpec of the desired destination
+	DestAddr *AddrSpec
+	// AddrSpec of the actual destination (might be affected by rewrite)
+	realDestAddr *AddrSpec
+	bufConn      io.Reader
+}
+
+func (server *Server) handle(req *Request, conn net.Conn) error {
+	ctx := context.Background()
+
+	// 目标地址重写
+	req.realDestAddr = req.DestAddr
+	if server.config.Rewriter != nil {
+		ctx, req.realDestAddr = server.config.Rewriter.Rewrite(ctx, req)
+	}
+
+	// 根据协商方法建立连接
+	switch req.Command {
+	case ConnectCommand:
+		return server.handleConnect(ctx, conn, req)
+	case BindCommand:
+		return server.handleBind(ctx, conn, req)
+	case AssociateCommand:
+		return server.handleAssociate(ctx, conn, req)
+	default:
+		return fmt.Errorf("unsupported command: %v", req.Command)
+	}
+}
+
+func (server *Server) handleConnect(ctx context.Context, conn net.Conn, req *Request) error {
+
+	// 检查规则集约束
+	server.config.Logger.Printf("检查约束规则\n")
+	if ctx_, ok := server.config.Rules.Allow(ctx, req); !ok {
+		if err := sendReply(conn, ruleFailure, nil); err != nil {
+			return fmt.Errorf("failed to send reply: %v", err)
+		}
+		return fmt.Errorf("request to %v blocked by rules", req.DestAddr)
+	} else {
+		ctx = ctx_
+	}
+
+	slog.Info("需要向 " + req.DestAddr.Address() + " 建立连接")
+	server.Conn <- ProxyData{conn, req.realDestAddr.Address()}
+	return nil
+
+	// 与目标服务器建立连接
+	// server.config.Logger.Printf("与目标服务器建立连接\n")
+	// dial := server.config.Dial
+	// target, err := dial("tcp", req.realDestAddr.Address())
+	// if err != nil {
+	//	msg := err.Error()
+	//	resp := hostUnreachable
+	//	if strings.Contains(msg, "refused") {
+	//		resp = connectionRefused
+	//	} else if strings.Contains(msg, "network is unreachable") {
+	//		resp = networkUnreachable
+	//	}
+	//
+	//	err := sendReply(Conn, resp, nil)
+	//	if err != nil {
+	//		return fmt.Errorf("failed to send reply: %v", err)
+	//	}
+	//	return fmt.Errorf("request to %v failed: %v", req.DestAddr, err)
+	// }
+	// defer closeConnection(target)
+	//
+	// // 正常响应
+	// slog.Info("连接成功，开始代理流量")
+	//
+	// local := target.LocalAddr().(*net.TCPAddr)
+	// bind := AddrSpec{IP: local.IP, Port: local.Port}
+	// err = sendReply(Conn, successReply, &bind)
+	// if err != nil {
+	//	return fmt.Errorf("Failed to send reply: %v", err)
+	// }
+	//
+	// // 配置超时时间和行为
+	// timeout := req.AuthContext.Timeout
+	// slog.Debug("超时时间", "timeout", timeout)
+	//
+	// timeoutCtx, cancel := context.WithTimeout(ctx, time.Duration(timeout)*time.Second)
+	// defer cancel()
+	//
+	// // 代理流量
+	// errChan := make(chan error, 2)
+	// go func() {
+	//	_, err = io.Copy(target, req.bufConn)
+	//	errChan <- err
+	// }()
+	// go func() {
+	//	_, err = io.Copy(Conn, target)
+	//	errChan <- err
+	// }()
+	//
+	// for {
+	//	select {
+	//
+	//	case <-timeoutCtx.Done():
+	//		slog.Debug("超时断开连接")
+	//		// todo 根据 termination 执行不同的断开行为
+	//		return nil
+	//
+	//	case err := <-errChan:
+	//		slog.Debug("主动断开连接")
+	//		if err != nil {
+	//			return errors.Wrap(err, "代理流量出现错误")
+	//		}
+	//		return nil
+	//	}
+	// }
+
+}
+
+func (server *Server) handleBind(ctx context.Context, conn net.Conn, req *Request) error {
+	// Check if this is allowed
+	if ctx_, ok := server.config.Rules.Allow(ctx, req); !ok {
+		if err := sendReply(conn, ruleFailure, nil); err != nil {
+			return fmt.Errorf("Failed to send reply: %v", err)
+		}
+		return fmt.Errorf("Bind to %v blocked by rules", req.DestAddr)
+	} else {
+		ctx = ctx_
+	}
+
+	// TODO: Support bind
+	if err := sendReply(conn, commandNotSupported, nil); err != nil {
+		return fmt.Errorf("Failed to send reply: %v", err)
+	}
+	return nil
+}
+
+func (server *Server) handleAssociate(ctx context.Context, conn net.Conn, req *Request) error {
+	// Check if this is allowed
+	if ctx_, ok := server.config.Rules.Allow(ctx, req); !ok {
+		if err := sendReply(conn, ruleFailure, nil); err != nil {
+			return fmt.Errorf("Failed to send reply: %v", err)
+		}
+		return fmt.Errorf("Associate to %v blocked by rules", req.DestAddr)
+	} else {
+		ctx = ctx_
+	}
+
+	// TODO: Support associate
+	if err := sendReply(conn, commandNotSupported, nil); err != nil {
+		return fmt.Errorf("Failed to send reply: %v", err)
+	}
+	return nil
+}
+
+func sendReply(w io.Writer, resp uint8, addr *AddrSpec) error {
+	var addrType uint8
+	var addrBody []byte
+	var addrPort uint16
+	switch {
+	case addr == nil:
+		addrType = ipv4Address
+		addrBody = []byte{0, 0, 0, 0}
+		addrPort = 0
+
+	case addr.FQDN != "":
+		addrType = fqdnAddress
+		addrBody = append([]byte{byte(len(addr.FQDN))}, addr.FQDN...)
+		addrPort = uint16(addr.Port)
+
+	case addr.IP.To4() != nil:
+		addrType = ipv4Address
+		addrBody = addr.IP.To4()
+		addrPort = uint16(addr.Port)
+
+	case addr.IP.To16() != nil:
+		addrType = ipv6Address
+		addrBody = addr.IP.To16()
+		addrPort = uint16(addr.Port)
+
+	default:
+		return fmt.Errorf("failed to format address: %v", addr)
+	}
+
+	msg := make([]byte, 6+len(addrBody))
+	msg[0] = SocksVersion
+	msg[1] = resp
+	msg[2] = 0 // Reserved
+	msg[3] = addrType
+	copy(msg[4:], addrBody)
+	msg[4+len(addrBody)] = byte(addrPort >> 8)
+	msg[4+len(addrBody)+1] = byte(addrPort & 0xff)
+
+	_, err := w.Write(msg)
+	return err
+}
+
+func SendSuccess(user net.Conn, target net.Conn) {
+	local := target.LocalAddr().(*net.TCPAddr)
+	bind := AddrSpec{IP: local.IP, Port: local.Port}
+	err := sendReply(user, successReply, &bind)
+	if err != nil {
+		slog.Error("Failed to send reply", err)
+	}
+}
+
+type ProxyData struct {
+	// 用户连入的连接
+	Conn net.Conn
+	// 用户目标地址
+	Dest string
+}
+
+func (d ProxyData) Tag() string {
+	local := d.Conn.LocalAddr()
+	remote := d.Conn.RemoteAddr()
+	return fmt.Sprintf("%s-%s", remote, local)
+}
--- a/server/pkg/socks5/resolver.go
+++ b/server/pkg/socks5/resolver.go
@@ -0,0 +1,21 @@
+package socks5
+
+import (
+	"net"
+)
+
+// NameResolver 域名解析器
+type NameResolver interface {
+	Resolve(name string) (net.IP, error)
+}
+
+// DNSResolver 使用系统 dns 服务解析域名
+type DNSResolver struct{}
+
+func (d DNSResolver) Resolve(name string) (net.IP, error) {
+	addr, err := net.ResolveIPAddr("ip", name)
+	if err != nil {
+		return nil, err
+	}
+	return addr.IP, err
+}
--- a/server/pkg/socks5/ruleset.go
+++ b/server/pkg/socks5/ruleset.go
@@ -0,0 +1,41 @@
+package socks5
+
+import (
+	"context"
+)
+
+// RuleSet is used to provide custom rules to allow or prohibit actions
+type RuleSet interface {
+	Allow(ctx context.Context, req *Request) (context.Context, bool)
+}
+
+// PermitAll returns a RuleSet which allows all types of connections
+func PermitAll() RuleSet {
+	return &PermitCommand{true, true, true}
+}
+
+// PermitNone returns a RuleSet which disallows all types of connections
+func PermitNone() RuleSet {
+	return &PermitCommand{false, false, false}
+}
+
+// PermitCommand is an implementation of the RuleSet which
+// enables filtering supported commands
+type PermitCommand struct {
+	EnableConnect   bool
+	EnableBind      bool
+	EnableAssociate bool
+}
+
+func (p *PermitCommand) Allow(ctx context.Context, req *Request) (context.Context, bool) {
+	switch req.Command {
+	case ConnectCommand:
+		return ctx, p.EnableConnect
+	case BindCommand:
+		return ctx, p.EnableBind
+	case AssociateCommand:
+		return ctx, p.EnableAssociate
+	}
+
+	return ctx, false
+}
--- a/server/pkg/socks5/server.go
+++ b/server/pkg/socks5/server.go
@@ -0,0 +1,199 @@
+package socks5
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"log/slog"
+	"net"
+	"os"
+	"proxy-server/pkg/utils"
+	"strconv"
+)
+
+const (
+	SocksVersion = byte(5)
+)
+
+type Config struct {
+	Name string
+
+	Host string
+	Port uint16
+
+	// 认证方法
+	AuthMethods []Authenticator
+
+	// 域名解析
+	Resolver NameResolver
+
+	// 自定义认证规则
+	Rules RuleSet
+
+	// 地址重写
+	Rewriter AddressRewriter
+
+	// 用于 bind 和 associate
+	BindIP net.IP
+
+	// Logger
+	Logger *log.Logger
+
+	// 自定义连接流程
+	Dial func(network, addr string) (net.Conn, error)
+}
+
+type Server struct {
+	config *Config
+	Name   string
+	Port   uint16
+	Conn   chan ProxyData
+}
+
+// New 创建服务器
+func New(conf *Config) (*Server, error) {
+	if len(conf.AuthMethods) == 0 {
+		return nil, ConfigError("认证方法不能为空")
+	}
+
+	if conf.Resolver == nil {
+		conf.Resolver = DNSResolver{}
+	}
+
+	if conf.Rules == nil {
+		conf.Rules = PermitAll()
+	}
+
+	if conf.Logger == nil {
+		conf.Logger = log.New(os.Stdout, "", log.LstdFlags)
+	}
+
+	if conf.Dial == nil {
+		conf.Dial = func(network, addr string) (net.Conn, error) {
+			return net.Dial(network, addr)
+		}
+	}
+
+	return &Server{
+		config: conf,
+		Name:   conf.Name,
+		Port:   conf.Port,
+		Conn:   make(chan ProxyData, 100),
+	}, nil
+}
+
+// Run 监听端口
+func (server *Server) Run() error {
+	host := server.config.Host
+	port := server.config.Port
+	addr := net.JoinHostPort(host, strconv.Itoa(int(port)))
+
+	slog.Info("启动 socks5 代理服务")
+
+	listener, err := net.Listen("tcp", addr)
+	if err != nil {
+		return err
+	}
+	defer closeListener(listener)
+
+	slog.Info("代理服务已启动，正在监听端口 " + addr)
+
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			slog.Error("客户端连接失败", err)
+			continue
+		}
+
+		go func() {
+			err := server.serve(conn)
+			if err != nil {
+				slog.Error("连接异常退出", err)
+			}
+		}()
+	}
+}
+
+// serve 建立连接
+func (server *Server) serve(conn net.Conn) error {
+	slog.Info("收到来自" + conn.RemoteAddr().String() + "的连接")
+
+	reader := bufio.NewReader(conn)
+
+	// 认证
+	slog.Debug("开始认证流程")
+	authContext, err := server.authenticate(reader, conn)
+	if err != nil {
+		conn.Close()
+		slog.Error("认证失败", err)
+		return err
+	} else {
+		slog.Debug("认证完成")
+	}
+
+	// 处理连接请求
+	slog.Debug("处理连接请求")
+	request, err := server.request(reader, conn)
+	if err != nil {
+		slog.Error("连接请求处理失败", err)
+		return err
+	} else {
+		slog.Debug("连接请求处理完成")
+	}
+
+	request.AuthContext = authContext
+	client, ok := conn.RemoteAddr().(*net.TCPAddr)
+	if !ok {
+		return fmt.Errorf("获取客户端地址失败")
+	}
+
+	request.RemoteAddr = &AddrSpec{
+		IP:   client.IP,
+		Port: client.Port,
+	}
+
+	// 处理请求
+	slog.Debug("开始代理流量")
+	err = server.handle(request, conn)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// checkVersion 检查客户端版本
+func checkVersion(reader io.Reader) error {
+	version, err := utils.ReadByte(reader)
+	if err != nil {
+		return err
+	}
+
+	slog.Debug("客户端请求版本", "version", version)
+
+	if version != SocksVersion {
+		return errors.New("客户端版本不兼容")
+	}
+
+	return nil
+}
+
+// closeListener 关闭监听并处理可能的错误
+func closeListener(listener net.Listener) {
+	err := listener.Close()
+	if err != nil {
+		slog.Info("结束监听端口")
+	}
+}
+
+// closeConnection 关闭连接并处理可能的错误
+func closeConnection(conn net.Conn) {
+	err := conn.Close()
+	if err != nil {
+		slog.Error("连接异常关闭", err)
+	} else {
+		slog.Info("已关闭来自" + conn.RemoteAddr().String() + "的连接")
+	}
+}
--- a/server/service.go
+++ b/server/service.go
@@ -2,16 +2,34 @@ package server

 import (
 	"context"
+	"log/slog"
+	"os"
+	"proxy-server/server/fwd"
+	"proxy-server/server/pkg/env"
+	"proxy-server/server/pkg/orm"
+	"proxy-server/server/web"
+
 	"github.com/joho/godotenv"
 	"github.com/lmittmann/tint"
 	"github.com/mattn/go-colorable"
-	"log/slog"
-	"os"
-	"proxy-server/server/orm"
-	"proxy-server/server/web"
 )

 func Start() {
+
+	// 初始化
+	initLog()
+	env.Init()
+	orm.Init()
+
+	// 启动代理服务
+	fwd.New(nil).Run(context.Background(), make(chan error))
+}
+
+func initLog() {
+	slog.SetLogLoggerLevel(slog.LevelDebug)
+}
+
+func Start2() {
 	defer func() {
 		err := recover()
 		if err != nil {
@@ -51,7 +69,7 @@ func Start() {
 	defer cancel()

 	go web.Start(ctxC, errChan)
-	//go monitor.Start(ctxC, errChan)
+	// go monitor.Start2(ctxC, errChan)
 	slog.Info("服务启动成功")

 	// 监听异常
--- a/server/web/app/handlers/channel.go
+++ b/server/web/app/handlers/channel.go
@@ -1,14 +1,15 @@
 package handlers

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/pkg/errors"
 	"log/slog"
-	"proxy-server/pkg/resp"
-	"proxy-server/server/orm"
+	"proxy-server/server/pkg/orm"
+	"proxy-server/server/pkg/resp"
 	"proxy-server/server/web/app/models"
 	"strings"
 	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pkg/errors"
 )

 // region frp 接口
--- a/server/web/app/handlers/node.go
+++ b/server/web/app/handlers/node.go
@@ -1,12 +1,13 @@
 package handlers

 import (
+	"os"
+	"proxy-server/server/pkg/orm"
+	"proxy-server/server/web/app/models"
+
 	"github.com/gin-gonic/gin"
 	"github.com/pkg/errors"
 	"gorm.io/gorm"
-	"os"
-	"proxy-server/server/orm"
-	"proxy-server/server/web/app/models"
 )

 type NodeRegisterReq struct {
--- a/server/web/auth/middleware.go
+++ b/server/web/auth/middleware.go
@@ -2,14 +2,15 @@ package auth

 import (
 	"encoding/base64"
-	"github.com/gin-gonic/gin"
-	"github.com/pkg/errors"
 	"log/slog"
 	"net/http"
 	"os"
-	"proxy-server/pkg/resp"
+	"proxy-server/server/pkg/resp"
 	"slices"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pkg/errors"
 )

 func middleware(c *gin.Context) {
--- a/server/web/service.go
+++ b/server/web/service.go
@@ -2,12 +2,13 @@ package web

 import (
 	"context"
-	"github.com/gin-gonic/gin"
 	"log/slog"
 	"net/http"
 	"os"
 	"proxy-server/server/web/auth"
 	"proxy-server/server/web/router"
+
+	"github.com/gin-gonic/gin"
 )

 var server *http.Server