From 518e9bdb0b5b46c5699365a7f3485e42547e85e2 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Sun, 25 Aug 2024 19:26:06 +0800 Subject: [PATCH] feat: socks5, http and mixed listeners support independence `users` --- docs/config.yaml | 9 +++++++++ listener/auth/auth.go | 2 ++ listener/http/proxy.go | 6 ++---- listener/http/server.go | 17 +++++++++++------ listener/inbound/auth.go | 31 +++++++++++++++++++++++++++++++ listener/inbound/http.go | 3 ++- listener/inbound/mixed.go | 5 +++-- listener/inbound/socks.go | 5 +++-- listener/mixed/mixed.go | 19 ++++++++++++++----- listener/socks/tcp.go | 31 +++++++++++++++++-------------- 10 files changed, 94 insertions(+), 34 deletions(-) create mode 100644 listener/inbound/auth.go diff --git a/docs/config.yaml b/docs/config.yaml index 647cf14c..b67880f7 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -1005,6 +1005,9 @@ listeners: # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 # udp: false # 默认 true + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: http-in-1 type: http @@ -1012,6 +1015,9 @@ listeners: listen: 0.0.0.0 # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错) + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: mixed-in-1 type: mixed # HTTP(S) 和 SOCKS 代理混合 @@ -1020,6 +1026,9 @@ listeners: # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错) # udp: false # 默认 true + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: reidr-in-1 type: redir diff --git a/listener/auth/auth.go b/listener/auth/auth.go index 46f552b8..772be3bd 100644 --- a/listener/auth/auth.go +++ b/listener/auth/auth.go @@ -13,3 +13,5 @@ func Authenticator() auth.Authenticator { func SetAuthenticator(au auth.Authenticator) { authenticator = au } + +func Nil() auth.Authenticator { return nil } diff --git a/listener/http/proxy.go b/listener/http/proxy.go index b2f312a5..04ab98eb 100644 --- a/listener/http/proxy.go +++ b/listener/http/proxy.go @@ -30,7 +30,7 @@ func (b *bodyWrapper) Read(p []byte) (n int, err error) { return n, err } -func HandleConn(c net.Conn, tunnel C.Tunnel, authenticator auth.Authenticator, additions ...inbound.Addition) { +func HandleConn(c net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { additions = append(additions, inbound.Placeholder) // Add a placeholder for InUser inUserIdx := len(additions) - 1 client := newClient(c, tunnel, additions) @@ -41,6 +41,7 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, authenticator auth.Authenticator, a conn := N.NewBufferedConn(c) + authenticator := getAuth() keepAlive := true trusted := authenticator == nil // disable authenticate if lru is nil lastUser := "" @@ -146,9 +147,6 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, authenticator auth.Authenticator, a } func authenticate(request *http.Request, authenticator auth.Authenticator) (resp *http.Response, user string) { - if inbound.SkipAuthRemoteAddress(request.RemoteAddr) { - authenticator = nil - } credential := parseBasicProxyAuthorization(request) if credential == "" && authenticator != nil { resp = responseWith(request, http.StatusProxyAuthRequired) diff --git a/listener/http/server.go b/listener/http/server.go index f61dd036..74e117f2 100644 --- a/listener/http/server.go +++ b/listener/http/server.go @@ -33,20 +33,20 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { - return NewWithAuthenticator(addr, tunnel, authStore.Authenticator(), additions...) + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) } // NewWithAuthenticate // never change type traits because it's used in CFMA func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additions ...inbound.Addition) (*Listener, error) { - authenticator := authStore.Authenticator() + getAuth := authStore.Authenticator if !authenticate { - authenticator = nil + getAuth = authStore.Nil } - return NewWithAuthenticator(addr, tunnel, authenticator, additions...) + return NewWithAuthenticator(addr, tunnel, getAuth, additions...) } -func NewWithAuthenticator(addr string, tunnel C.Tunnel, authenticator auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -75,13 +75,18 @@ func NewWithAuthenticator(addr string, tunnel C.Tunnel, authenticator auth.Authe continue } N.TCPKeepAlive(conn) + + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(conn.RemoteAddr()) { _ = conn.Close() continue } + if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { + getAuth = authStore.Nil + } } - go HandleConn(conn, tunnel, authenticator, additions...) + go HandleConn(conn, tunnel, getAuth, additions...) } }() diff --git a/listener/inbound/auth.go b/listener/inbound/auth.go new file mode 100644 index 00000000..41f18fc0 --- /dev/null +++ b/listener/inbound/auth.go @@ -0,0 +1,31 @@ +package inbound + +import ( + "github.com/metacubex/mihomo/component/auth" + authStore "github.com/metacubex/mihomo/listener/auth" +) + +type AuthUser struct { + Username string `inbound:"username"` + Password string `inbound:"password"` +} + +type AuthUsers []AuthUser + +func (a AuthUsers) GetAuth() func() auth.Authenticator { + if a != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array + if len(a) == 0 { + return authStore.Nil + } + users := make([]auth.AuthUser, len(a)) + for i, user := range a { + users[i] = auth.AuthUser{ + User: user.Username, + Pass: user.Password, + } + } + authenticator := auth.NewAuthenticator(users) + return func() auth.Authenticator { return authenticator } + } + return authStore.Authenticator +} diff --git a/listener/inbound/http.go b/listener/inbound/http.go index f5301f46..c78abefd 100644 --- a/listener/inbound/http.go +++ b/listener/inbound/http.go @@ -8,6 +8,7 @@ import ( type HTTPOption struct { BaseOption + Users AuthUsers `inbound:"users,omitempty"` } func (o HTTPOption) Equal(config C.InboundConfig) bool { @@ -44,7 +45,7 @@ func (h *HTTP) Address() string { // Listen implements constant.InboundListener func (h *HTTP) Listen(tunnel C.Tunnel) error { var err error - h.l, err = http.New(h.RawAddress(), tunnel, h.Additions()...) + h.l, err = http.NewWithAuthenticator(h.RawAddress(), tunnel, h.config.Users.GetAuth(), h.Additions()...) if err != nil { return err } diff --git a/listener/inbound/mixed.go b/listener/inbound/mixed.go index fc643821..443a2564 100644 --- a/listener/inbound/mixed.go +++ b/listener/inbound/mixed.go @@ -12,7 +12,8 @@ import ( type MixedOption struct { BaseOption - UDP bool `inbound:"udp,omitempty"` + Users AuthUsers `inbound:"users,omitempty"` + UDP bool `inbound:"udp,omitempty"` } func (o MixedOption) Equal(config C.InboundConfig) bool { @@ -52,7 +53,7 @@ func (m *Mixed) Address() string { // Listen implements constant.InboundListener func (m *Mixed) Listen(tunnel C.Tunnel) error { var err error - m.l, err = mixed.New(m.RawAddress(), tunnel, m.Additions()...) + m.l, err = mixed.NewWithAuthenticator(m.RawAddress(), tunnel, m.config.Users.GetAuth(), m.Additions()...) if err != nil { return err } diff --git a/listener/inbound/socks.go b/listener/inbound/socks.go index 7e10d93a..cf6d1ce4 100644 --- a/listener/inbound/socks.go +++ b/listener/inbound/socks.go @@ -9,7 +9,8 @@ import ( type SocksOption struct { BaseOption - UDP bool `inbound:"udp,omitempty"` + Users AuthUsers `inbound:"users,omitempty"` + UDP bool `inbound:"udp,omitempty"` } func (o SocksOption) Equal(config C.InboundConfig) bool { @@ -70,7 +71,7 @@ func (s *Socks) Address() string { // Listen implements constant.InboundListener func (s *Socks) Listen(tunnel C.Tunnel) error { var err error - if s.stl, err = socks.New(s.RawAddress(), tunnel, s.Additions()...); err != nil { + if s.stl, err = socks.NewWithAuthenticator(s.RawAddress(), tunnel, s.config.Users.GetAuth(), s.Additions()...); err != nil { return err } if s.udp { diff --git a/listener/mixed/mixed.go b/listener/mixed/mixed.go index 773cabe3..12390061 100644 --- a/listener/mixed/mixed.go +++ b/listener/mixed/mixed.go @@ -5,6 +5,7 @@ import ( "github.com/metacubex/mihomo/adapter/inbound" N "github.com/metacubex/mihomo/common/net" + "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" authStore "github.com/metacubex/mihomo/listener/auth" "github.com/metacubex/mihomo/listener/http" @@ -36,6 +37,10 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) +} + +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -62,20 +67,24 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener } continue } + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) { _ = c.Close() continue } + if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) { + getAuth = authStore.Nil + } } - go handleConn(c, tunnel, additions...) + go handleConn(c, tunnel, getAuth, additions...) } }() return ml, nil } -func handleConn(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { +func handleConn(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { N.TCPKeepAlive(conn) bufConn := N.NewBufferedConn(conn) @@ -86,10 +95,10 @@ func handleConn(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { switch head[0] { case socks4.Version: - socks.HandleSocks4(bufConn, tunnel, additions...) + socks.HandleSocks4(bufConn, tunnel, getAuth, additions...) case socks5.Version: - socks.HandleSocks5(bufConn, tunnel, additions...) + socks.HandleSocks5(bufConn, tunnel, getAuth, additions...) default: - http.HandleConn(bufConn, tunnel, authStore.Authenticator(), additions...) + http.HandleConn(bufConn, tunnel, getAuth, additions...) } } diff --git a/listener/socks/tcp.go b/listener/socks/tcp.go index f2696e3f..3e98a602 100644 --- a/listener/socks/tcp.go +++ b/listener/socks/tcp.go @@ -6,6 +6,7 @@ import ( "github.com/metacubex/mihomo/adapter/inbound" N "github.com/metacubex/mihomo/common/net" + "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" authStore "github.com/metacubex/mihomo/listener/auth" "github.com/metacubex/mihomo/transport/socks4" @@ -35,6 +36,10 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) +} + +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -61,20 +66,24 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener } continue } + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) { _ = c.Close() continue } + if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) { + getAuth = authStore.Nil + } } - go handleSocks(c, tunnel, additions...) + go handleSocks(c, tunnel, getAuth, additions...) } }() return sl, nil } -func handleSocks(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { +func handleSocks(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { N.TCPKeepAlive(conn) bufConn := N.NewBufferedConn(conn) head, err := bufConn.Peek(1) @@ -85,19 +94,16 @@ func handleSocks(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) switch head[0] { case socks4.Version: - HandleSocks4(bufConn, tunnel, additions...) + HandleSocks4(bufConn, tunnel, getAuth, additions...) case socks5.Version: - HandleSocks5(bufConn, tunnel, additions...) + HandleSocks5(bufConn, tunnel, getAuth, additions...) default: conn.Close() } } -func HandleSocks4(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { - authenticator := authStore.Authenticator() - if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { - authenticator = nil - } +func HandleSocks4(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { + authenticator := getAuth() addr, _, user, err := socks4.ServerHandshake(conn, authenticator) if err != nil { conn.Close() @@ -107,11 +113,8 @@ func HandleSocks4(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) tunnel.HandleTCPConn(inbound.NewSocket(socks5.ParseAddr(addr), conn, C.SOCKS4, additions...)) } -func HandleSocks5(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { - authenticator := authStore.Authenticator() - if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { - authenticator = nil - } +func HandleSocks5(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { + authenticator := getAuth() target, command, user, err := socks5.ServerHandshake(conn, authenticator) if err != nil { conn.Close()