客户端配置，端口白名单等

2025-09-02 11:56:53 +00:00 · 2019-02-13 03:54:00 +08:00
parent 59d789d253
commit 44d314515b
34 changed files with 1096 additions and 472 deletions
--- a/server/proxy/base.go
+++ b/server/proxy/base.go
@@ -0,0 +1,87 @@
+package proxy
+
+import (
+	"errors"
+	"github.com/cnlh/nps/bridge"
+	"github.com/cnlh/nps/lib/common"
+	"github.com/cnlh/nps/lib/conn"
+	"github.com/cnlh/nps/lib/file"
+	"github.com/cnlh/nps/lib/pool"
+	"net"
+	"net/http"
+	"sync"
+)
+
+//server base struct
+type server struct {
+	id           int
+	bridge       *bridge.Bridge
+	task         *file.Tunnel
+	errorContent []byte
+	sync.Mutex
+}
+
+func (s *server) FlowAdd(in, out int64) {
+	s.Lock()
+	defer s.Unlock()
+	s.task.Flow.ExportFlow += out
+	s.task.Flow.InletFlow += in
+}
+
+func (s *server) FlowAddHost(host *file.Host, in, out int64) {
+	s.Lock()
+	defer s.Unlock()
+	host.Flow.ExportFlow += out
+	host.Flow.InletFlow += in
+}
+
+func (s *server) linkCopy(link *conn.Link, c *conn.Conn, rb []byte, tunnel *conn.Conn, flow *file.Flow) {
+	if rb != nil {
+		if _, err := tunnel.SendMsg(rb, link); err != nil {
+			c.Close()
+			return
+		}
+		flow.Add(len(rb), 0)
+	}
+
+	buf := pool.BufPoolCopy.Get().([]byte)
+	for {
+		if err := s.checkFlow(); err != nil {
+			c.Close()
+			break
+		}
+		if n, err := c.Read(buf); err != nil {
+			tunnel.SendMsg([]byte(common.IO_EOF), link)
+			break
+		} else {
+			if _, err := tunnel.SendMsg(buf[:n], link); err != nil {
+				c.Close()
+				break
+			}
+			flow.Add(n, 0)
+		}
+	}
+	pool.PutBufPoolCopy(buf)
+}
+
+func (s *server) writeConnFail(c net.Conn) {
+	c.Write([]byte(common.ConnectionFailBytes))
+	c.Write(s.errorContent)
+}
+
+//权限认证
+func (s *server) auth(r *http.Request, c *conn.Conn, u, p string) error {
+	if u != "" && p != "" && !common.CheckAuth(r, u, p) {
+		c.Write([]byte(common.UnauthorizedBytes))
+		c.Close()
+		return errors.New("401 Unauthorized")
+	}
+	return nil
+}
+
+func (s *server) checkFlow() error {
+	if s.task.Client.Flow.FlowLimit > 0 && (s.task.Client.Flow.FlowLimit<<20) < (s.task.Client.Flow.ExportFlow+s.task.Client.Flow.InletFlow) {
+		return errors.New("Traffic exceeded")
+	}
+	return nil
+}
--- a/server/proxy/http.go
+++ b/server/proxy/http.go
@@ -0,0 +1,179 @@
+package proxy
+
+import (
+	"bufio"
+	"crypto/tls"
+	"github.com/cnlh/nps/bridge"
+	"github.com/cnlh/nps/lib/beego"
+	"github.com/cnlh/nps/lib/common"
+	"github.com/cnlh/nps/lib/conn"
+	"github.com/cnlh/nps/lib/file"
+	"github.com/cnlh/nps/lib/lg"
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"path/filepath"
+	"strconv"
+	"sync"
+)
+
+type httpServer struct {
+	server
+	httpPort  int //http端口
+	httpsPort int //https监听端口
+	pemPath   string
+	keyPath   string
+	stop      chan bool
+}
+
+func NewHttp(bridge *bridge.Bridge, c *file.Tunnel) *httpServer {
+	httpPort, _ := beego.AppConfig.Int("httpProxyPort")
+	httpsPort, _ := beego.AppConfig.Int("httpsProxyPort")
+	pemPath := beego.AppConfig.String("pemPath")
+	keyPath := beego.AppConfig.String("keyPath")
+	return &httpServer{
+		server: server{
+			task:   c,
+			bridge: bridge,
+			Mutex:  sync.Mutex{},
+		},
+		httpPort:  httpPort,
+		httpsPort: httpsPort,
+		pemPath:   pemPath,
+		keyPath:   keyPath,
+		stop:      make(chan bool),
+	}
+}
+
+func (s *httpServer) Start() error {
+	var err error
+	var http, https *http.Server
+	if s.errorContent, err = common.ReadAllFromFile(filepath.Join(common.GetRunPath(), "web", "static", "page", "error.html")); err != nil {
+		s.errorContent = []byte("easyProxy 404")
+	}
+
+	if s.httpPort > 0 {
+		http = s.NewServer(s.httpPort)
+		go func() {
+			lg.Println("Start http listener, port is", s.httpPort)
+			err := http.ListenAndServe()
+			if err != nil {
+				lg.Fatalln(err)
+			}
+		}()
+	}
+	if s.httpsPort > 0 {
+		if !common.FileExists(s.pemPath) {
+			lg.Fatalf("ssl certFile %s is not exist", s.pemPath)
+		}
+		if !common.FileExists(s.keyPath) {
+			lg.Fatalf("ssl keyFile %s exist", s.keyPath)
+		}
+		https = s.NewServer(s.httpsPort)
+		go func() {
+			lg.Println("Start https listener, port is", s.httpsPort)
+			err := https.ListenAndServeTLS(s.pemPath, s.keyPath)
+			if err != nil {
+				lg.Fatalln(err)
+			}
+		}()
+	}
+	select {
+	case <-s.stop:
+		if http != nil {
+			http.Close()
+		}
+		if https != nil {
+			https.Close()
+		}
+	}
+	return nil
+}
+
+func (s *httpServer) Close() {
+	s.stop <- true
+}
+
+func (s *httpServer) handleTunneling(w http.ResponseWriter, r *http.Request) {
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
+		return
+	}
+	c, _, err := hijacker.Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+	}
+	s.process(conn.NewConn(c), r)
+}
+
+func (s *httpServer) process(c *conn.Conn, r *http.Request) {
+	//多客户端域名代理
+	var (
+		isConn = true
+		lk     *conn.Link
+		host   *file.Host
+		tunnel *conn.Conn
+		err    error
+	)
+	for {
+		//首次获取conn
+		if isConn {
+			if host, err = file.GetCsvDb().GetInfoByHost(r.Host); err != nil {
+				lg.Printf("the host %s is not found !", r.Host)
+				break
+			}
+			//流量限制
+			if host.Client.Flow.FlowLimit > 0 && (host.Client.Flow.FlowLimit<<20) < (host.Client.Flow.ExportFlow+host.Client.Flow.InletFlow) {
+				break
+			}
+			host.Client.Cnf.CompressDecode, host.Client.Cnf.CompressEncode = common.GetCompressType(host.Client.Cnf.Compress)
+			//权限控制
+			if err = s.auth(r, c, host.Client.Cnf.U, host.Client.Cnf.P); err != nil {
+				break
+			}
+			lk = conn.NewLink(host.Client.GetId(), common.CONN_TCP, host.GetRandomTarget(), host.Client.Cnf.CompressEncode, host.Client.Cnf.CompressDecode, host.Client.Cnf.Crypt, c, host.Flow, nil, host.Client.Rate, nil)
+			if tunnel, err = s.bridge.SendLinkInfo(host.Client.Id, lk); err != nil {
+				log.Println(err)
+				break
+			}
+			isConn = false
+		} else {
+			r, err = http.ReadRequest(bufio.NewReader(c))
+			if err != nil {
+				break
+			}
+		}
+		//根据设定，修改header和host
+		common.ChangeHostAndHeader(r, host.HostChange, host.HeaderChange, c.Conn.RemoteAddr().String())
+		b, err := httputil.DumpRequest(r, true)
+		if err != nil {
+			break
+		}
+		host.Flow.Add(len(b), 0)
+		if _, err := tunnel.SendMsg(b, lk); err != nil {
+			c.Close()
+			break
+		}
+	}
+
+	if isConn {
+		s.writeConnFail(c.Conn)
+	} else {
+		tunnel.SendMsg([]byte(common.IO_EOF), lk)
+	}
+
+	c.Close()
+
+}
+
+func (s *httpServer) NewServer(port int) *http.Server {
+	return &http.Server{
+		Addr: ":" + strconv.Itoa(port),
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			s.handleTunneling(w, r)
+		}),
+		// Disable HTTP/2.
+		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
+	}
+}
--- a/server/proxy/socks5.go
+++ b/server/proxy/socks5.go
@@ -0,0 +1,298 @@
+package proxy
+
+import (
+	"encoding/binary"
+	"errors"
+	"github.com/cnlh/nps/bridge"
+	"github.com/cnlh/nps/lib/common"
+	"github.com/cnlh/nps/lib/conn"
+	"github.com/cnlh/nps/lib/file"
+	"github.com/cnlh/nps/lib/lg"
+	"io"
+	"net"
+	"strconv"
+	"strings"
+)
+
+const (
+	ipV4            = 1
+	domainName      = 3
+	ipV6            = 4
+	connectMethod   = 1
+	bindMethod      = 2
+	associateMethod = 3
+	// The maximum packet size of any udp Associate packet, based on ethernet's max size,
+	// minus the IP and UDP headers. IPv4 has a 20 byte header, UDP adds an
+	// additional 4 bytes.  This is a total overhead of 24 bytes.  Ethernet's
+	// max packet size is 1500 bytes,  1500 - 24 = 1476.
+	maxUDPPacketSize = 1476
+)
+
+const (
+	succeeded uint8 = iota
+	serverFailure
+	notAllowed
+	networkUnreachable
+	hostUnreachable
+	connectionRefused
+	ttlExpired
+	commandNotSupported
+	addrTypeNotSupported
+)
+
+const (
+	UserPassAuth    = uint8(2)
+	userAuthVersion = uint8(1)
+	authSuccess     = uint8(0)
+	authFailure     = uint8(1)
+)
+
+type Sock5ModeServer struct {
+	server
+	isVerify bool
+	listener net.Listener
+}
+
+//req
+func (s *Sock5ModeServer) handleRequest(c net.Conn) {
+	/*
+		The SOCKS request is formed as follows:
+		+----+-----+-------+------+----------+----------+
+		|VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
+		+----+-----+-------+------+----------+----------+
+		| 1  |  1  | X'00' |  1   | Variable |    2     |
+		+----+-----+-------+------+----------+----------+
+	*/
+	header := make([]byte, 3)
+
+	_, err := io.ReadFull(c, header)
+
+	if err != nil {
+		lg.Println("illegal request", err)
+		c.Close()
+		return
+	}
+
+	switch header[1] {
+	case connectMethod:
+		s.handleConnect(c)
+	case bindMethod:
+		s.handleBind(c)
+	case associateMethod:
+		s.handleUDP(c)
+	default:
+		s.sendReply(c, commandNotSupported)
+		c.Close()
+	}
+}
+
+//reply
+func (s *Sock5ModeServer) sendReply(c net.Conn, rep uint8) {
+	reply := []byte{
+		5,
+		rep,
+		0,
+		1,
+	}
+
+	localAddr := c.LocalAddr().String()
+	localHost, localPort, _ := net.SplitHostPort(localAddr)
+	ipBytes := net.ParseIP(localHost).To4()
+	nPort, _ := strconv.Atoi(localPort)
+	reply = append(reply, ipBytes...)
+	portBytes := make([]byte, 2)
+	binary.BigEndian.PutUint16(portBytes, uint16(nPort))
+	reply = append(reply, portBytes...)
+
+	c.Write(reply)
+}
+
+//do conn
+func (s *Sock5ModeServer) doConnect(c net.Conn, command uint8) {
+	addrType := make([]byte, 1)
+	c.Read(addrType)
+	var host string
+	switch addrType[0] {
+	case ipV4:
+		ipv4 := make(net.IP, net.IPv4len)
+		c.Read(ipv4)
+		host = ipv4.String()
+	case ipV6:
+		ipv6 := make(net.IP, net.IPv6len)
+		c.Read(ipv6)
+		host = ipv6.String()
+	case domainName:
+		var domainLen uint8
+		binary.Read(c, binary.BigEndian, &domainLen)
+		domain := make([]byte, domainLen)
+		c.Read(domain)
+		host = string(domain)
+	default:
+		s.sendReply(c, addrTypeNotSupported)
+		return
+	}
+
+	var port uint16
+	binary.Read(c, binary.BigEndian, &port)
+	// connect to host
+	addr := net.JoinHostPort(host, strconv.Itoa(int(port)))
+	var ltype string
+	if command == associateMethod {
+		ltype = common.CONN_UDP
+	} else {
+		ltype = common.CONN_TCP
+	}
+	link := conn.NewLink(s.task.Client.GetId(), ltype, addr, s.task.Client.Cnf.CompressEncode, s.task.Client.Cnf.CompressDecode, s.task.Client.Cnf.Crypt, conn.NewConn(c), s.task.Flow, nil, s.task.Client.Rate, nil)
+
+	if tunnel, err := s.bridge.SendLinkInfo(s.task.Client.Id, link); err != nil {
+		c.Close()
+		return
+	} else {
+		s.sendReply(c, succeeded)
+		s.linkCopy(link, conn.NewConn(c), nil, tunnel, s.task.Flow)
+	}
+	return
+}
+
+//conn
+func (s *Sock5ModeServer) handleConnect(c net.Conn) {
+	s.doConnect(c, connectMethod)
+}
+
+// passive mode
+func (s *Sock5ModeServer) handleBind(c net.Conn) {
+}
+
+//udp
+func (s *Sock5ModeServer) handleUDP(c net.Conn) {
+	lg.Println("UDP Associate")
+	/*
+	   +----+------+------+----------+----------+----------+
+	   |RSV | FRAG | ATYP | DST.ADDR | DST.PORT |   DATA   |
+	   +----+------+------+----------+----------+----------+
+	   | 2  |  1   |  1   | Variable |    2     | Variable |
+	   +----+------+------+----------+----------+----------+
+	*/
+	buf := make([]byte, 3)
+	c.Read(buf)
+	// relay udp datagram silently, without any notification to the requesting client
+	if buf[2] != 0 {
+		// does not support fragmentation, drop it
+		lg.Println("does not support fragmentation, drop")
+		dummy := make([]byte, maxUDPPacketSize)
+		c.Read(dummy)
+	}
+
+	s.doConnect(c, associateMethod)
+}
+
+//new conn
+func (s *Sock5ModeServer) handleConn(c net.Conn) {
+	buf := make([]byte, 2)
+	if _, err := io.ReadFull(c, buf); err != nil {
+		lg.Println("negotiation err", err)
+		c.Close()
+		return
+	}
+
+	if version := buf[0]; version != 5 {
+		lg.Println("only support socks5, request from: ", c.RemoteAddr())
+		c.Close()
+		return
+	}
+	nMethods := buf[1]
+
+	methods := make([]byte, nMethods)
+	if len, err := c.Read(methods); len != int(nMethods) || err != nil {
+		lg.Println("wrong method")
+		c.Close()
+		return
+	}
+	if s.isVerify {
+		buf[1] = UserPassAuth
+		c.Write(buf)
+		if err := s.Auth(c); err != nil {
+			c.Close()
+			lg.Println("验证失败：", err)
+			return
+		}
+	} else {
+		buf[1] = 0
+		c.Write(buf)
+	}
+	s.handleRequest(c)
+}
+
+//socks5 auth
+func (s *Sock5ModeServer) Auth(c net.Conn) error {
+	header := []byte{0, 0}
+	if _, err := io.ReadAtLeast(c, header, 2); err != nil {
+		return err
+	}
+	if header[0] != userAuthVersion {
+		return errors.New("验证方式不被支持")
+	}
+	userLen := int(header[1])
+	user := make([]byte, userLen)
+	if _, err := io.ReadAtLeast(c, user, userLen); err != nil {
+		return err
+	}
+	if _, err := c.Read(header[:1]); err != nil {
+		return errors.New("密码长度获取错误")
+	}
+	passLen := int(header[0])
+	pass := make([]byte, passLen)
+	if _, err := io.ReadAtLeast(c, pass, passLen); err != nil {
+		return err
+	}
+	if string(pass) == s.task.Client.Cnf.U && string(user) == s.task.Client.Cnf.P {
+		if _, err := c.Write([]byte{userAuthVersion, authSuccess}); err != nil {
+			return err
+		}
+		return nil
+	} else {
+		if _, err := c.Write([]byte{userAuthVersion, authFailure}); err != nil {
+			return err
+		}
+		return errors.New("验证不通过")
+	}
+	return errors.New("未知错误")
+}
+
+//start
+func (s *Sock5ModeServer) Start() error {
+	var err error
+	s.listener, err = net.Listen("tcp", ":"+strconv.Itoa(s.task.Port))
+	if err != nil {
+		return err
+	}
+	for {
+		conn, err := s.listener.Accept()
+		if err != nil {
+			if strings.Contains(err.Error(), "use of closed network connection") {
+				break
+			}
+			lg.Fatalln("accept error: ", err)
+		}
+		go s.handleConn(conn)
+	}
+	return nil
+}
+
+//close
+func (s *Sock5ModeServer) Close() error {
+	return s.listener.Close()
+}
+
+//new
+func NewSock5ModeServer(bridge *bridge.Bridge, task *file.Tunnel) *Sock5ModeServer {
+	s := new(Sock5ModeServer)
+	s.bridge = bridge
+	s.task = task
+	if s.task.Client.Cnf.U != "" && s.task.Client.Cnf.P != "" {
+		s.isVerify = true
+	} else {
+		s.isVerify = false
+	}
+	return s
+}
--- a/server/proxy/tcp.go
+++ b/server/proxy/tcp.go
@@ -0,0 +1,114 @@
+package proxy
+
+import (
+	"errors"
+	"github.com/cnlh/nps/bridge"
+	"github.com/cnlh/nps/lib/beego"
+	"github.com/cnlh/nps/lib/common"
+	"github.com/cnlh/nps/lib/conn"
+	"github.com/cnlh/nps/lib/file"
+	"github.com/cnlh/nps/lib/lg"
+	"net"
+	"path/filepath"
+	"strings"
+)
+
+type TunnelModeServer struct {
+	server
+	process  process
+	listener *net.TCPListener
+}
+
+//tcp|http|host
+func NewTunnelModeServer(process process, bridge *bridge.Bridge, task *file.Tunnel) *TunnelModeServer {
+	s := new(TunnelModeServer)
+	s.bridge = bridge
+	s.process = process
+	s.task = task
+	return s
+}
+
+//开始
+func (s *TunnelModeServer) Start() error {
+	var err error
+	s.listener, err = net.ListenTCP("tcp", &net.TCPAddr{net.ParseIP("0.0.0.0"), s.task.Port, ""})
+	if err != nil {
+		return err
+	}
+	for {
+		c, err := s.listener.AcceptTCP()
+		if err != nil {
+			if strings.Contains(err.Error(), "use of closed network connection") {
+				break
+			}
+			lg.Println(err)
+			continue
+		}
+		go s.process(conn.NewConn(c), s)
+	}
+	return nil
+}
+
+//与客户端建立通道
+func (s *TunnelModeServer) dealClient(c *conn.Conn, cnf *file.Config, addr string, method string, rb []byte) error {
+	link := conn.NewLink(s.task.Client.GetId(), common.CONN_TCP, addr, cnf.CompressEncode, cnf.CompressDecode, cnf.Crypt, c, s.task.Flow, nil, s.task.Client.Rate, nil)
+
+	if tunnel, err := s.bridge.SendLinkInfo(s.task.Client.Id, link); err != nil {
+		c.Close()
+		return err
+	} else {
+		s.linkCopy(link, c, rb, tunnel, s.task.Flow)
+	}
+	return nil
+}
+
+//close
+func (s *TunnelModeServer) Close() error {
+	return s.listener.Close()
+}
+
+//web管理方式
+type WebServer struct {
+	server
+}
+
+//开始
+func (s *WebServer) Start() error {
+	p, _ := beego.AppConfig.Int("httpport")
+	if !common.TestTcpPort(p) {
+		lg.Fatalf("Web management port %d is occupied", p)
+	}
+	beego.BConfig.WebConfig.Session.SessionOn = true
+	lg.Println("Web management start, access port is", p)
+	beego.SetStaticPath("/static", filepath.Join(common.GetRunPath(), "web", "static"))
+	beego.SetViewsPath(filepath.Join(common.GetRunPath(), "web", "views"))
+	beego.Run()
+	return errors.New("Web management startup failure")
+}
+
+//new
+func NewWebServer(bridge *bridge.Bridge) *WebServer {
+	s := new(WebServer)
+	s.bridge = bridge
+	return s
+}
+
+type process func(c *conn.Conn, s *TunnelModeServer) error
+
+//tcp隧道模式
+func ProcessTunnel(c *conn.Conn, s *TunnelModeServer) error {
+	return s.dealClient(c, s.task.Client.Cnf, s.task.Target, "", nil)
+}
+
+//http代理模式
+func ProcessHttp(c *conn.Conn, s *TunnelModeServer) error {
+	method, addr, rb, err, r := c.GetHost()
+	if err != nil {
+		c.Close()
+		return err
+	}
+	if err := s.auth(r, c, s.task.Client.Cnf.U, s.task.Client.Cnf.P); err != nil {
+		return err
+	}
+	return s.dealClient(c, s.task.Client.Cnf, addr, method, rb)
+}
--- a/server/proxy/udp.go
+++ b/server/proxy/udp.go
@@ -0,0 +1,64 @@
+package proxy
+
+import (
+	"github.com/cnlh/nps/bridge"
+	"github.com/cnlh/nps/lib/common"
+	"github.com/cnlh/nps/lib/conn"
+	"github.com/cnlh/nps/lib/file"
+	"github.com/cnlh/nps/lib/pool"
+	"net"
+	"strings"
+)
+
+type UdpModeServer struct {
+	server
+	listener *net.UDPConn
+	udpMap   map[string]*conn.Conn
+}
+
+func NewUdpModeServer(bridge *bridge.Bridge, task *file.Tunnel) *UdpModeServer {
+	s := new(UdpModeServer)
+	s.bridge = bridge
+	s.udpMap = make(map[string]*conn.Conn)
+	s.task = task
+	return s
+}
+
+//开始
+func (s *UdpModeServer) Start() error {
+	var err error
+	s.listener, err = net.ListenUDP("udp", &net.UDPAddr{net.ParseIP("0.0.0.0"), s.task.Port, ""})
+	if err != nil {
+		return err
+	}
+	buf := pool.BufPoolUdp.Get().([]byte)
+	for {
+		n, addr, err := s.listener.ReadFromUDP(buf)
+		if err != nil {
+			if strings.Contains(err.Error(), "use of closed network connection") {
+				break
+			}
+			continue
+		}
+		go s.process(addr, buf[:n])
+	}
+	return nil
+}
+
+func (s *UdpModeServer) process(addr *net.UDPAddr, data []byte) {
+	link := conn.NewLink(s.task.Client.GetId(), common.CONN_UDP, s.task.Target, s.task.Client.Cnf.CompressEncode, s.task.Client.Cnf.CompressDecode, s.task.Client.Cnf.Crypt, nil, s.task.Flow, s.listener, s.task.Client.Rate, addr)
+	if err := s.checkFlow(); err != nil {
+		return
+	}
+	if tunnel, err := s.bridge.SendLinkInfo(s.task.Client.Id, link); err != nil {
+		return
+	} else {
+		s.task.Flow.Add(len(data), 0)
+		tunnel.SendMsg(data, link)
+		pool.PutBufPoolUdp(data)
+	}
+}
+
+func (s *UdpModeServer) Close() error {
+	return s.listener.Close()
+}