glider/README.md

# [glider](https://github.com/nadoo/glider)

[![Go Report Card](https://goreportcard.com/badge/github.com/nadoo/glider?style=flat-square)](https://goreportcard.com/report/github.com/nadoo/glider)
[![GitHub release](https://img.shields.io/github/v/release/nadoo/glider.svg?style=flat-square&include_prereleases)](https://github.com/nadoo/glider/releases)
[![Actions Status](https://img.shields.io/github/workflow/status/nadoo/glider/Build?style=flat-square)](https://github.com/nadoo/glider/actions)

glider is a forward proxy with multiple protocols support, and also a dns forwarding server with ipset management features(like dnsmasq).

we can set up local listeners as proxy servers, and forward requests to internet via forwarders.

```bash
                |Forwarder ----------------->|
   Listener --> |                            | Internet
                |Forwarder --> Forwarder->...|
```

## Features
- Act as both proxy client and proxy server(protocol converter)
- Flexible proxy & protocol chains
- Load balancing with the following scheduling algorithm:
  - rr: round robin
  - ha: high availability 
  - lha: latency based high availability
  - dh: destination hashing
- Rule & priority based forwarder choosing: [Config Examples](config/examples)
- DNS forwarding server:
  - dns over proxy
  - force upstream querying by tcp
  - association rules between dns and forwarder choosing
  - association rules between dns and ipset
  - dns cache support
  - custom dns record
- IPSet management (linux kernel version >= 2.6.32):
  - add ip/cidrs from rule files on startup
  - add resolved ips for domains from rule files by dns forwarding server
- Serve http and socks5 on the same port
- Periodical availability checking for forwarders
- Send requests from specific local ip/interface

## Protocols
<details>
<summary>click to see details</summary>

|Protocol     | Listen/TCP |  Listen/UDP | Forward/TCP | Forward/UDP | Description
|:-:          |:-:|:-:|:-:|:-:|:-
|http         |√| |√| |client & server
|socks4       | | |√| |client only
|socks5       |√|√|√|√|client & server
|mixed        |√|√| | |http+socks5 server
|ss           |√|√|√|√|client & server
|ssr          | | |√| |client only
|ssh          | | |√| |client only
|trojan       | | |√|√|client only
|vmess        | | |√| |client only
|redir        |√| | | |linux only
|redir6        |√| | | |linux only(ipv6)
|tls          |√| |√| |transport client & server
|kcp          | |√|√| |transport client & server
|unix         |√| |√| |transport client & server
|websocket    | | |√| |transport client only
|simple-obfs  | | |√| |transport client only
|tcptun       |√| | | |transport server only
|udptun       | |√| | |transport server only
|uottun       | |√| | |transport server only
|reject       | | |√|√|reject all requests

</details>

## Install

Binary Download:
- [https://github.com/nadoo/glider/releases](https://github.com/nadoo/glider/releases)

Build from source code (requires **Go 1.15+** ):
```bash
git clone https://github.com/nadoo/glider
cd glider && go build
```

ArchLinux:
```bash
sudo pacman -S glider
```

## Usage

```bash
glider -h
```
<details>
<summary>click to see details</summary>

```bash
glider 0.10.2 usage:
  -checkdisabledonly
    	check disabled fowarders only
  -checkinterval int
    	proxy check interval(seconds) (default 30)
  -checktimeout int
    	proxy check timeout(seconds) (default 10)
  -checkwebsite string
    	proxy check HTTP(NOT HTTPS) website address, format: HOST[:PORT], default port: 80 (default "www.apple.com")
  -config string
    	config file path
  -dialtimeout int
    	dial timeout(seconds) (default 3)
  -dns string
    	local dns server listen address
  -dnsalwaystcp
    	always use tcp to query upstream dns servers no matter there is a forwarder or not
  -dnsmaxttl int
    	maximum TTL value for entries in the CACHE(seconds) (default 1800)
  -dnsminttl int
    	minimum TTL value for entries in the CACHE(seconds)
  -dnsrecord value
    	custom dns record, format: domain/ip
  -dnsserver value
    	remote dns server address
  -dnstimeout int
    	timeout value used in multiple dnsservers switch(seconds) (default 3)
  -forward value
    	forward url, format: SCHEME://[USER|METHOD:PASSWORD@][HOST]:PORT?PARAMS[,SCHEME://[USER|METHOD:PASSWORD@][HOST]:PORT?PARAMS]
  -include value
    	include file
  -interface string
    	source ip or source interface
  -listen value
    	listen url, format: SCHEME://[USER|METHOD:PASSWORD@][HOST]:PORT?PARAMS
  -maxfailures int
    	max failures to change forwarder status to disabled (default 3)
  -relaytimeout int
    	relay timeout(seconds)
  -rulefile value
    	rule file path
  -rules-dir string
    	rule file folder
  -strategy string
    	forward strategy, default: rr (default "rr")
  -verbose
    	verbose mode

Available schemes:
  listen: mixed ss socks5 http redir redir6 tcptun udptun uottun tls unix kcp
  forward: reject ss socks4 socks5 http ssr ssh vmess trojan tls ws unix kcp simple-obfs

SS scheme:
  ss://method:pass@host:port

Available methods for ss:
  AEAD Ciphers:
    AEAD_AES_128_GCM AEAD_AES_192_GCM AEAD_AES_256_GCM AEAD_CHACHA20_POLY1305 AEAD_XCHACHA20_POLY1305
  Stream Ciphers:
    AES-128-CFB AES-128-CTR AES-192-CFB AES-192-CTR AES-256-CFB AES-256-CTR CHACHA20-IETF XCHACHA20 CHACHA20 RC4-MD5
  Alias:
    chacha20-ietf-poly1305 = AEAD_CHACHA20_POLY1305, xchacha20-ietf-poly1305 = AEAD_XCHACHA20_POLY1305
  Plain: DUMMY

SSR scheme:
  ssr://method:pass@host:port?protocol=xxx&protocol_param=yyy&obfs=zzz&obfs_param=xyz

SSH scheme:
  ssh://user[:pass]@host:port[?key=keypath]

VMess scheme:
  vmess://[security:]uuid@host:port?alterID=num

Trojan scheme:
  trojan://pass@host:port[?skipVerify=true]

Available securities for vmess:
  none, aes-128-gcm, chacha20-poly1305

TLS client scheme:
  tls://host:port[?skipVerify=true][&serverName=SERVERNAME]

Proxy over tls client:
  tls://host:port[?skipVerify=true][&serverName=SERVERNAME],scheme://
  tls://host:port[?skipVerify=true],http://[user:pass@]
  tls://host:port[?skipVerify=true],socks5://[user:pass@]
  tls://host:port[?skipVerify=true],vmess://[security:]uuid@?alterID=num

TLS server scheme:
  tls://host:port?cert=PATH&key=PATH

Proxy over tls server:
  tls://host:port?cert=PATH&key=PATH,scheme://
  tls://host:port?cert=PATH&key=PATH,http://
  tls://host:port?cert=PATH&key=PATH,socks5://
  tls://host:port?cert=PATH&key=PATH,ss://method:pass@

Websocket scheme:
  ws://host:port[/path][?host=HOST]

Websocket with a specified proxy protocol:
  ws://host:port[/path][?host=HOST],scheme://
  ws://host:port[/path][?host=HOST],http://[user:pass@]
  ws://host:port[/path][?host=HOST],socks5://[user:pass@]
  ws://host:port[/path][?host=HOST],vmess://[security:]uuid@?alterID=num

TLS and Websocket with a specified proxy protocol:
  tls://host:port[?skipVerify=true][&serverName=SERVERNAME],ws://[@/path[?host=HOST]],scheme://
  tls://host:port[?skipVerify=true],ws://[@/path[?host=HOST]],http://[user:pass@]
  tls://host:port[?skipVerify=true],ws://[@/path[?host=HOST]],socks5://[user:pass@]
  tls://host:port[?skipVerify=true],ws://[@/path[?host=HOST]],vmess://[security:]uuid@?alterID=num

Unix domain socket scheme:
  unix://path

KCP scheme:
  kcp://CRYPT:KEY@host:port[?dataShards=NUM&parityShards=NUM]

Available crypt types for KCP:
  none, sm4, tea, xor, aes, aes-128, aes-192, blowfish, twofish, cast5, 3des, xtea, salsa20

Simple-Obfs scheme:
  simple-obfs://host:port[?type=TYPE&host=HOST&uri=URI&ua=UA]

Available types for simple-obfs:
  http, tls

DNS forwarding server:
  dns=:53
  dnsserver=8.8.8.8:53
  dnsserver=1.1.1.1:53
  dnsrecord=www.example.com/1.2.3.4
  dnsrecord=www.example.com/2606:2800:220:1:248:1893:25c8:1946

Available forward strategies:
  rr: Round Robin mode
  ha: High Availability mode
  lha: Latency based High Availability mode
  dh: Destination Hashing mode

Forwarder option scheme: FORWARD_URL#OPTIONS
  priority: set the priority of that forwarder, default:0
  interface: set local interface or ip address used to connect remote server
  -
  Examples:
    socks5://1.1.1.1:1080#priority=100
    vmess://[security:]uuid@host:port?alterID=num#priority=200
    vmess://[security:]uuid@host:port?alterID=num#priority=200&interface=192.168.1.99
    vmess://[security:]uuid@host:port?alterID=num#priority=200&interface=eth0

Config file format(see `./glider.conf.example` as an example):
  # COMMENT LINE
  KEY=VALUE
  KEY=VALUE
  # KEY equals to command line flag name: listen forward strategy...

Examples:
  ./glider -config glider.conf
    -run glider with specified config file.

  ./glider -listen :8443 -verbose
    -listen on :8443, serve as http/socks5 proxy on the same port, in verbose mode.

  ./glider -listen ss://AEAD_CHACHA20_POLY1305:pass@:8443 -verbose
    -listen on 0.0.0.0:8443 as a ss server.

  ./glider -listen socks5://user1:pass1@:1080 -verbose
    -listen on :1080 as a socks5 proxy server, enable authentication.

  ./glider -listen tls://:443?cert=crtFilePath&key=keyFilePath,http:// -verbose
    -listen on :443 as a https(http over tls) proxy server.

  ./glider -listen http://:8080 -forward socks5://127.0.0.1:1080
    -listen on :8080 as a http proxy server, forward all requests via socks5 server.

  ./glider -listen redir://:1081 -forward ss://method:pass@1.1.1.1:8443
    -listen on :1081 as a transparent redirect server, forward all requests via remote ss server.

  ./glider -listen redir://:1081 -forward "ssr://method:pass@1.1.1.1:8444?protocol=a&protocol_param=b&obfs=c&obfs_param=d"
    -listen on :1081 as a transparent redirect server, forward all requests via remote ssr server.

  ./glider -listen redir://:1081 -forward "tls://1.1.1.1:443,vmess://security:uuid@?alterID=10"
    -listen on :1081 as a transparent redirect server, forward all requests via remote tls+vmess server.

  ./glider -listen redir://:1081 -forward "ws://1.1.1.1:80,vmess://security:uuid@?alterID=10"
    -listen on :1081 as a transparent redirect server, forward all requests via remote ws+vmess server.

  ./glider -listen tcptun://:80=2.2.2.2:80 -forward ss://method:pass@1.1.1.1:8443
    -listen on :80 and forward all requests to 2.2.2.2:80 via remote ss server.

  ./glider -listen udptun://:53=8.8.8.8:53 -forward ss://method:pass@1.1.1.1:8443
    -listen on :53 and forward all udp requests to 8.8.8.8:53 via remote ss server.

  ./glider -listen uottun://:53=8.8.8.8:53 -forward ss://method:pass@1.1.1.1:8443
    -listen on :53 and forward all udp requests via udp over tcp tunnel.

  ./glider -listen socks5://:1080 -listen http://:8080 -forward ss://method:pass@1.1.1.1:8443
    -listen on :1080 as socks5 server, :8080 as http proxy server, forward all requests via remote ss server.

  ./glider -listen redir://:1081 -dns=:53 -dnsserver=8.8.8.8:53 -forward ss://method:pass@server1:port1,ss://method:pass@server2:port2
    -listen on :1081 as transparent redirect server, :53 as dns server, use forward chain: server1 -> server2.

  ./glider -listen socks5://:1080 -forward ss://method:pass@server1:port1 -forward ss://method:pass@server2:port2 -strategy rr
    -listen on :1080 as socks5 server, forward requests via server1 and server2 in round robin mode.

  ./glider -verbose -dns=:53 -dnsserver=8.8.8.8:53 -dnsrecord=www.example.com/1.2.3.4
    -listen on :53 as dns server, forward dns requests to 8.8.8.8:53, return 1.2.3.4 when resolving www.example.com.
```

</details>

run:
```bash
glider -verbose -listen :8443 -forward SCHEME://HOST:PORT
```
```bash
glider -config CONFIGPATH
```
```bash
glider -config CONFIGPATH -listen :8080 -verbose
```

## Config

- [ConfigFile](config)
  - [glider.conf.example](config/glider.conf.example)
  - [office.rule.example](config/rules.d/office.rule.example)
- [Examples](config/examples)
  - [transparent proxy with dnsmasq](config/examples/8.transparent_proxy_with_dnsmasq)
  - [transparent proxy without dnsmasq](config/examples/9.transparent_proxy_without_dnsmasq)

## Proxy & Protocol Chains
<details><summary>In glider, you can easily chain several proxy servers or protocols together (click to see details)</summary>

- Chain proxy servers:

  ```bash
  forward=http://1.1.1.1:80,socks5://2.2.2.2:1080,ss://method:pass@3.3.3.3:8443@
  ```

- Chain protocols: https proxy (http over tls)

  ```bash
  forward=tls://1.1.1.1:443,http://
  ```

- Chain protocols: vmess over ws over tls

  ```bash
  forward=tls://1.1.1.1:443,ws://,vmess://5a146038-0b56-4e95-b1dc-5c6f5a32cd98@?alterID=2
  ```

- Chain protocols and servers:

  ``` bash
  forward=socks5://1.1.1.1:1080,tls://2.2.2.2:443,vmess://5a146038-0b56-4e95-b1dc-5c6f5a32cd98@?alterID=2
  ```

- Chain protocols in listener: https proxy server

  ``` bash
  listen=tls://:443?cert=crtFilePath&key=keyFilePath,http://
  ```

</details>

## Service

- systemd: [https://github.com/nadoo/glider/blob/master/systemd/](https://github.com/nadoo/glider/blob/master/systemd/)

## Links

- [ipset](https://github.com/nadoo/ipset): ipset package for Go via netlink socket
- [conflag](https://github.com/nadoo/conflag): command line and config file parse support
- [ArchLinux](https://www.archlinux.org/packages/community/x86_64/glider): a great linux distribution with glider pre-built package
- [urlencode](https://www.w3schools.com/tags/ref_urlencode.asp): you should encode special characters in  scheme url. e.g: `@`->`%40`