From 44c30df001094d8901b2880a3bb976aceccc7bf4 Mon Sep 17 00:00:00 2001
From: nadoo <287492+nadoo@users.noreply.github.com>
Date: Wed, 28 Nov 2018 23:28:32 +0800
Subject: [PATCH] doc: update description for tls

---
 README.md | 17 ++++-
 conf.go | 19 ++++-
 config/README.md | 14 +++-
 .../README.md | 6 +-
 config/glider.conf.example | 10 ++-
 proxy/redir/redir_linux.go | 61 +++++++++----------
 rule/rule.go | 1 -
 7 files changed, 76 insertions(+), 52 deletions(-)

diff --git a/README.md b/README.md
index 0742ac3..83c0e1c 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,7 @@ glider v0.6.9 usage:
 -config string
 config file path
 -dns string
- dns forwarder server listen address
+ local dns server listen address
 -dnsalwaystcp
 always use tcp to query upstream dns servers no matter there is a forwarder or not
 -dnsmaxttl int
@@ -131,7 +131,7 @@ glider v0.6.9 usage:
 -dnsrecord value
 custom dns record, format: domain/ip
 -dnsserver value
- remote dns server
+ remote dns server address
 -dnstimeout int
 timeout value used in multiple dnsservers switch(seconds) (default 3)
 -forward value
@@ -191,15 +191,24 @@ VMess scheme:
 Available securities for vmess:
 none, aes-128-gcm, chacha20-poly1305
 
-TLS scheme:
+TLS client scheme:
 tls://host:port[?skipVerify=true]
 
-TLS with a specified proxy protocol:
+Proxy over tls client:
 tls://host:port[?skipVerify=true],scheme://
 tls://host:port[?skipVerify=true],http://[user:pass@]
 tls://host:port[?skipVerify=true],socks5://[user:pass@]
 tls://host:port[?skipVerify=true],vmess://[security:]uuid@?alterID=num
 
+TLS server scheme:
+ tls://host:port?cert=PATH&key=PATH
+
+Proxy over tls server:
+ tls://host:port?cert=PATH&key=PATH,scheme://
+ tls://host:port?cert=PATH&key=PATH,http://
+ tls://host:port?cert=PATH&key=PATH,socks5://
+ tls://host:port?cert=PATH&key=PATH,ss://method:pass@
+
 Websocket scheme:
 ws://host:port[/path]
 
diff --git a/conf.go b/conf.go
index 68630e5..aa59f96 100644
--- a/conf.go
+++ b/conf.go
@@ -47,8 +47,8 @@ func confInit() {
 	flag.StringSliceUniqVar(&conf.RuleFile, "rulefile", nil, "rule file path")
 	flag.StringVar(&conf.RulesDir, "rules-dir", "", "rule file folder")
 
-	flag.StringVar(&conf.DNS, "dns", "", "dns forwarder server listen address")
-	flag.StringSliceUniqVar(&conf.DNSConfig.Servers, "dnsserver", []string{"8.8.8.8:53"}, "remote dns server")
+	flag.StringVar(&conf.DNS, "dns", "", "local dns server listen address")
+	flag.StringSliceUniqVar(&conf.DNSConfig.Servers, "dnsserver", []string{"8.8.8.8:53"}, "remote dns server address")
 	flag.BoolVar(&conf.DNSConfig.AlwaysTCP, "dnsalwaystcp", false, "always use tcp to query upstream dns servers no matter there is a forwarder or not")
 	flag.IntVar(&conf.DNSConfig.Timeout, "dnstimeout", 3, "timeout value used in multiple dnsservers switch(seconds)")
 	flag.IntVar(&conf.DNSConfig.MaxTTL, "dnsmaxttl", 1800, "maximum TTL value for entries in the CACHE(seconds)")
@@ -154,17 +154,28 @@ func usage() {
 	fmt.Fprintf(os.Stderr, " none, aes-128-gcm, chacha20-poly1305\n")
 	fmt.Fprintf(os.Stderr, "\n")
 
-	fmt.Fprintf(os.Stderr, "TLS scheme:\n")
+	fmt.Fprintf(os.Stderr, "TLS client scheme:\n")
 	fmt.Fprintf(os.Stderr, " tls://host:port[?skipVerify=true]\n")
 	fmt.Fprintf(os.Stderr, "\n")
 
-	fmt.Fprintf(os.Stderr, "TLS with a specified proxy protocol:\n")
+	fmt.Fprintf(os.Stderr, "Proxy over tls client:\n")
 	fmt.Fprintf(os.Stderr, " tls://host:port[?skipVerify=true],scheme://\n")
 	fmt.Fprintf(os.Stderr, " tls://host:port[?skipVerify=true],http://[user:pass@]\n")
 	fmt.Fprintf(os.Stderr, " tls://host:port[?skipVerify=true],socks5://[user:pass@]\n")
 	fmt.Fprintf(os.Stderr, " tls://host:port[?skipVerify=true],vmess://[security:]uuid@?alterID=num\n")
 	fmt.Fprintf(os.Stderr, "\n")
 
+	fmt.Fprintf(os.Stderr, "TLS server scheme:\n")
+	fmt.Fprintf(os.Stderr, " tls://host:port?cert=PATH&key=PATH\n")
+	fmt.Fprintf(os.Stderr, "\n")
+
+	fmt.Fprintf(os.Stderr, "Proxy over tls server:\n")
+	fmt.Fprintf(os.Stderr, " tls://host:port?cert=PATH&key=PATH,scheme://\n")
+	fmt.Fprintf(os.Stderr, " tls://host:port?cert=PATH&key=PATH,http://\n")
+	fmt.Fprintf(os.Stderr, " tls://host:port?cert=PATH&key=PATH,socks5://\n")
+	fmt.Fprintf(os.Stderr, " tls://host:port?cert=PATH&key=PATH,ss://method:pass@\n")
+	fmt.Fprintf(os.Stderr, "\n")
+
 	fmt.Fprintf(os.Stderr, "Websocket scheme:\n")
 	fmt.Fprintf(os.Stderr, " ws://host:port[/path]\n")
 	fmt.Fprintf(os.Stderr, "\n")
diff --git a/config/README.md b/config/README.md
index 0d67287..9796877 100644
--- a/config/README.md
+++ b/config/README.md
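Review bot: The usage text now documents the TLS client and server forms together, yet the client line `tls://host:port[?skipVerify=true]` still says nothing about what that option costs; its name suggests it turns off certificate verification on the forwarder side, which would let anyone on the path impersonate the remote proxy, and the help screen is exactly where a user decides to set it. Suggested line: `fmt.Fprintf(os.Stderr, " tls://host:port[?skipVerify=true]  (skipVerify disables certificate checks; testing only)\n")`, with the same wording in README.md, which this commit keeps in step with usage(). What skipVerify actually maps to in the tls client code is outside this hunk, so confirm that before wording it as a hard statement. usage() begins before the hunk and continues past it.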
@@ -40,12 +40,6 @@ dns=:53
 # global remote dns server (you can specify different dns server in rule file)
 dnsserver=8.8.8.8:53
 
-# Create and manage ipset on linux based on destinations in rule files
-# - add ip/cidrs in rule files on startup
-# - add resolved ips for domains in rule files by dns forwarder server
-# Usually used in transparent proxy mode on linux
-ipset=glider
-
 # RULE FILES
 rules-dir=rules.d
 #rulefile=office.rule
@@ -69,6 +63,14 @@ checkduration=30
 # DNS SERVER for domains in this rule file
 dnsserver=208.67.222.222:53
 
+# IPSET MANAGEMENT
+# ----------------
+# Create and mange ipset on linux based on destinations in rule files
+# - add ip/cidrs in rule files on startup
+# - add resolved ips for domains in rule files by dns forwarding server
+# Usually used in transparent proxy mode on linux
+ipset=glider
+
 # YOU CAN SPECIFY DESTINATIONS TO USE THE ABOVE FORWARDERS
 # matches abc.com and *.abc.com
 domain=abc.com
diff --git a/config/examples/9.transparent_proxy_without_dnsmasq/README.md b/config/examples/9.transparent_proxy_without_dnsmasq/README.md
index 6304119..e730a64 100644
--- a/config/examples/9.transparent_proxy_without_dnsmasq/README.md
+++ b/config/examples/9.transparent_proxy_without_dnsmasq/README.md
@@ -27,9 +27,6 @@ listen=redir://:1081
 dns=:53
 dnsserver=8.8.8.8:53
 
-# as a ipset manager
-ipset=glider
-
 # specify rule files
 rules-dir=rules.d
 ```
@@ -46,6 +43,9 @@ checkduration=30
 # specify a different dns server(if need)
 dnsserver=208.67.222.222:53
 
+# as a ipset manager
+ipset=glider
+
 # specify destinations
 include=office.list
 
diff --git a/config/glider.conf.example b/config/glider.conf.example
index 55752b9..da7fe9b 100644
--- a/config/glider.conf.example
+++ b/config/glider.conf.example
@@ -55,10 +55,13 @@ listen=socks5://:1080
 # listen on 1084 as a udp over tcp tunnel, all requests to :1084 will be forward to 1.1.1.1:53
 # listen=uottun://:1084=1.1.1.1:53
 
-# listen on 443 with tls security layer and serve as http proxy server (HTTPS proxy)
+# http over tls (HTTPS proxy)
 # listen=tls://:443?cert=crtFilePath&key=keyFilePath,http://
 
-# listen on unix domain socket and serve as socks5 server
+# ss over tls
+# listen=tls://:443?cert=crtFilePath&key=keyFilePath,ss://AEAD_CHACHA20_POLY1305:pass@
+
+# socks5 over unix domain socket
 # listen=unix:///tmp/glider.socket,socks5://
 
 # FORWARDERS
@@ -107,6 +110,9 @@ listen=socks5://:1080
 # forward=tls://1.1.1.1:443,ws://,vmess://5a146038-0b56-4e95-b1dc-5c6f5a32cd98@?alterID=2
 # forward=tls://1.1.1.1:443,ws://@/path,vmess://5a146038-0b56-4e95-b1dc-5c6f5a32cd98@?alterID=2
 
+# ss over tls
+# forward=tls://1.1.1.1:443,ss://AEAD_CHACHA20_POLY1305:pass@
+
 # socks5 over unix domain socket
 # forward=unix:///tmp/glider.socket,socks5://
 
diff --git a/proxy/redir/redir_linux.go b/proxy/redir/redir_linux.go
index 4e1ffca..f216b3f 100644
--- a/proxy/redir/redir_linux.go
+++ b/proxy/redir/redir_linux.go
@@ -80,43 +80,40 @@ func (s *RedirProxy) ListenAndServe() {
 			continue
 		}
 
-		go func() {
-			defer c.Close()
-
-			if c, ok := c.(*net.TCPConn); ok {
-				c.SetKeepAlive(true)
-			}
-
-			tgt, err := getOrigDst(c, s.ipv6)
-			if err != nil {
-				log.F("[redir] failed to get target address: %v", err)
-				return
-			}
-
-			rc, err := s.dialer.Dial("tcp", tgt.String())
-			if err != nil {
-				log.F("[redir] failed to connect to target: %v", err)
-				return
-			}
-			defer rc.Close()
-
-			log.F("[redir] %s <-> %s", c.RemoteAddr(), tgt)
-
-			_, _, err = conn.Relay(c, rc)
-			if err != nil {
-				if err, ok := err.(net.Error); ok && err.Timeout() {
-					return // ignore i/o timeout
-				}
-				log.F("[redir] relay error: %v", err)
-			}
-
-		}()
+		go s.Serve(c)
 	}
 }
 
 // Serve .
 func (s *RedirProxy) Serve(c net.Conn) {
-	log.F("[redir] func Serve: can not be called directly")
+	defer c.Close()
+
+	if c, ok := c.(*net.TCPConn); ok {
+		c.SetKeepAlive(true)
+	}
+
+	tgt, err := getOrigDst(c, s.ipv6)
+	if err != nil {
+		log.F("[redir] failed to get target address: %v", err)
+		return
+	}
+
+	rc, err := s.dialer.Dial("tcp", tgt.String())
+	if err != nil {
+		log.F("[redir] failed to connect to target: %v", err)
+		return
+	}
+	defer rc.Close()
+
+	log.F("[redir] %s <-> %s", c.RemoteAddr(), tgt)
+
+	_, _, err = conn.Relay(c, rc)
+	if err != nil {
+		if err, ok := err.(net.Error); ok && err.Timeout() {
+			return // ignore i/o timeout
+		}
+		log.F("[redir] relay error: %v", err)
+	}
 }
 
 // Get the original destination of a TCP connection.
diff --git a/rule/rule.go b/rule/rule.go
index 55a29a3..521c59e 100644
--- a/rule/rule.go
+++ b/rule/rule.go
@@ -121,7 +121,6 @@ func (rd *Dialer) AddDomainIP(domain, ip string) error {
 				log.F("[rule] add ip=%s, based on rule: domain=%s & domain/ip: %s/%s\n", ip, pDomain, domain, ip)
 			}
 		}
-
 	}
 	return nil
 }
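Review bot: `Serve` is now the real per-connection handler but keeps the placeholder doc comment `// Serve .` from when it only logged that it could not be called; as an exported method on a listener, and with this commit documenting `scheme://` chaining between listeners, it needs a comment stating what it expects and does. Suggested: `// Serve relays c to the destination it was originally addressed to (as returned by getOrigDst), dialing that address through s.dialer; both ends are closed when the relay returns.` Two smaller points in the same body: the error from `c.SetKeepAlive(true)` is dropped without a comment saying it is best-effort, and getOrigDst appears to need the underlying TCP socket, so a conn handed in by another listener (a TLS wrapper, say) would presumably end in the `failed to get target address` branch rather than being relayed — whether any listener actually chains into redir is not visible here. ListenAndServe starts before the hunk; getOrigDst follows it.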