bughz/glider
1
0
Fork 0
mirror of https://github.com/nadoo/glider.git synced 2025-02-23 09:25:41 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

tls,wss,trojan: support certificate pinning (#275)

Browse Source
This commit is contained in:
nadoo 2021-08-20 18:47:15 +08:00
parent 5578b19f61
commit c86cadb4be
9 changed files with 63 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/stale.yml vendored
View File

@ -1,4 +1,4 @@
name: 'Close stale issues and PRs' name: 'Close stale issues'
on: on:
schedule: schedule:
- cron: '30 1 * * *' - cron: '30 1 * * *'
@ -7,7 +7,7 @@ jobs:
stale: stale:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/stale@v3 - uses: actions/stale@v4
with: with:
stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.' stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
days-before-stale: 90 days-before-stale: 90

6
README.md
View File

@ -215,7 +215,7 @@ VLESS scheme:
vless://uuid@host:port[?fallback=127.0.0.1:80] vless://uuid@host:port[?fallback=127.0.0.1:80]
Trojan client scheme: Trojan client scheme:
trojan://pass@host:port[?serverName=SERVERNAME][&skipVerify=true] trojan://pass@host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH]
trojanc://pass@host:port (cleartext, without TLS) trojanc://pass@host:port (cleartext, without TLS)
Trojan server scheme: Trojan server scheme:
@ -226,7 +226,7 @@ Available securities for vmess:
none, aes-128-gcm, chacha20-poly1305 none, aes-128-gcm, chacha20-poly1305
TLS client scheme: TLS client scheme:
tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&alpn=proto1][&alpn=proto2] tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&alpn=proto1][&alpn=proto2]
Proxy over tls client: Proxy over tls client:
tls://host:port[?skipVerify=true][&serverName=SERVERNAME],scheme:// tls://host:port[?skipVerify=true][&serverName=SERVERNAME],scheme://
@ -245,7 +245,7 @@ Proxy over tls server:
Websocket client scheme: Websocket client scheme:
ws://host:port[/path][?host=HOST][&origin=ORIGIN] ws://host:port[/path][?host=HOST][&origin=ORIGIN]
wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&host=HOST][&origin=ORIGIN] wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&host=HOST][&origin=ORIGIN]
Websocket server scheme: Websocket server scheme:
ws://:port[/path][?host=HOST] ws://:port[/path][?host=HOST]

6
config.go
View File

@ -190,7 +190,7 @@ func usage() {
fmt.Fprintf(w, "\n") fmt.Fprintf(w, "\n")
fmt.Fprintf(w, "Trojan client scheme:\n") fmt.Fprintf(w, "Trojan client scheme:\n")
fmt.Fprintf(w, " trojan://pass@host:port[?serverName=SERVERNAME][&skipVerify=true]\n") fmt.Fprintf(w, " trojan://pass@host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH]\n")
fmt.Fprintf(w, " trojanc://pass@host:port (cleartext, without TLS)\n") fmt.Fprintf(w, " trojanc://pass@host:port (cleartext, without TLS)\n")
fmt.Fprintf(w, "\n") fmt.Fprintf(w, "\n")
@ -204,7 +204,7 @@ func usage() {
fmt.Fprintf(w, "\n") fmt.Fprintf(w, "\n")
fmt.Fprintf(w, "TLS client scheme:\n") fmt.Fprintf(w, "TLS client scheme:\n")
fmt.Fprintf(w, " tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&alpn=proto1][&alpn=proto2]\n") fmt.Fprintf(w, " tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&alpn=proto1][&alpn=proto2]\n")
fmt.Fprintf(w, "\n") fmt.Fprintf(w, "\n")
fmt.Fprintf(w, "Proxy over tls client:\n") fmt.Fprintf(w, "Proxy over tls client:\n")
@ -227,7 +227,7 @@ func usage() {
fmt.Fprintf(w, "Websocket client scheme:\n") fmt.Fprintf(w, "Websocket client scheme:\n")
fmt.Fprintf(w, " ws://host:port[/path][?host=HOST][&origin=ORIGIN]\n") fmt.Fprintf(w, " ws://host:port[/path][?host=HOST][&origin=ORIGIN]\n")
fmt.Fprintf(w, " wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&host=HOST][&origin=ORIGIN]\n") fmt.Fprintf(w, " wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&host=HOST][&origin=ORIGIN]\n")
fmt.Fprintf(w, "\n") fmt.Fprintf(w, "\n")
fmt.Fprintf(w, "Websocket server scheme:\n") fmt.Fprintf(w, "Websocket server scheme:\n")

6
go.mod
View File

@ -7,12 +7,12 @@ require (
github.com/dgryski/go-camellia v0.0.0-20191119043421-69a8a13fb23d github.com/dgryski/go-camellia v0.0.0-20191119043421-69a8a13fb23d
github.com/dgryski/go-idea v0.0.0-20170306091226-d2fb45a411fb github.com/dgryski/go-idea v0.0.0-20170306091226-d2fb45a411fb
github.com/dgryski/go-rc2 v0.0.0-20150621095337-8a9021637152 github.com/dgryski/go-rc2 v0.0.0-20150621095337-8a9021637152
github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e github.com/insomniacslk/dhcp v0.0.0-20210817203519-d82598001386
github.com/nadoo/conflag v0.2.3 github.com/nadoo/conflag v0.2.3
github.com/nadoo/ipset v0.3.0 github.com/nadoo/ipset v0.3.0
github.com/xtaci/kcp-go/v5 v5.6.1 github.com/xtaci/kcp-go/v5 v5.6.1
golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912 golang.org/x/sys v0.0.0-20210818153620-00dd8d7831e7
) )
require ( require (

12
go.sum
View File

@ -39,8 +39,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8= github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis= github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e h1:ttrVy1tKtnMySMy7pbVtMQSweHyLLQuLCcRj4lbGCBQ= github.com/insomniacslk/dhcp v0.0.0-20210817203519-d82598001386 h1:tVT6eeQjYk8cStFUlU7vfFpwUrzRHhC48VUhb2gbF9M=
github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E= github.com/insomniacslk/dhcp v0.0.0-20210817203519-d82598001386/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw= github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ= github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok= github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
@ -104,8 +104,8 @@ golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e h1:VvfwVmMH40bpMeizC9/K7ipM5Qjucuu16RWfneFPyhQ= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@ -156,8 +156,8 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912 h1:uCLL3g5wH2xjxVREVuAbP9JM5PPKjRbXKRa6IBjkzmU= golang.org/x/sys v0.0.0-20210818153620-00dd8d7831e7 h1:/bmDWM82ZX7TawqxuI8kVjKI0TXHdSY6pHJArewwHtU=
golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210818153620-00dd8d7831e7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

16
proxy/tls/tls.go
View File

@ -2,9 +2,12 @@ package tls
import ( import (
stdtls "crypto/tls" stdtls "crypto/tls"
"crypto/x509"
"errors" "errors"
"fmt"
"net" "net"
"net/url" "net/url"
"os"
"strings" "strings"
"github.com/nadoo/glider/log" "github.com/nadoo/glider/log"
@ -80,6 +83,19 @@ func NewTLSDialer(s string, d proxy.Dialer) (proxy.Dialer, error) {
MinVersion: stdtls.VersionTLS12, MinVersion: stdtls.VersionTLS12,
} }
if t.certFile != "" {
certData, err := os.ReadFile(t.certFile)
if err != nil {
return nil, fmt.Errorf("[tls] read cert file error: %s", err)
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(certData) {
return nil, fmt.Errorf("[tls] can not append cert file: %s", t.certFile)
}
t.config.RootCAs = certPool
}
return t, err return t, err
} }

15
proxy/trojan/client.go
View File

@ -2,8 +2,10 @@ package trojan
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509"
"fmt" "fmt"
"net" "net"
"os"
"github.com/nadoo/glider/log" "github.com/nadoo/glider/log"
"github.com/nadoo/glider/pool" "github.com/nadoo/glider/pool"
@ -34,6 +36,19 @@ func NewTrojanDialer(s string, d proxy.Dialer) (proxy.Dialer, error) {
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
} }
if t.certFile != "" {
certData, err := os.ReadFile(t.certFile)
if err != nil {
return nil, fmt.Errorf("[trojan] read cert file error: %s", err)
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(certData) {
return nil, fmt.Errorf("[trojan] can not append cert file: %s", t.certFile)
}
t.tlsConfig.RootCAs = certPool
}
return t, err return t, err
} }

1
proxy/vmess/user.go
View File

@ -73,7 +73,6 @@ func StrToUUID(s string) (uuid [16]byte, err error) {
return return
} }
// GetKey returns the key of AES-128-CFB encrypter. // GetKey returns the key of AES-128-CFB encrypter.
// KeyMD5(UUID + []byte('c48619fe-8f02-49e0-b9e9-edf763e17e21')) // KeyMD5(UUID + []byte('c48619fe-8f02-49e0-b9e9-edf763e17e21'))
func GetKey(uuid [16]byte) []byte { func GetKey(uuid [16]byte) []byte {

15
proxy/ws/client.go
View File

@ -2,11 +2,13 @@ package ws
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509"
"errors" "errors"
"fmt" "fmt"
"io" "io"
"net" "net"
"net/textproto" "net/textproto"
"os"
"github.com/nadoo/glider/pool" "github.com/nadoo/glider/pool"
"github.com/nadoo/glider/proxy" "github.com/nadoo/glider/proxy"
@ -34,6 +36,19 @@ func NewWSSDialer(s string, d proxy.Dialer) (proxy.Dialer, error) {
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
} }
if w.certFile != "" {
certData, err := os.ReadFile(w.certFile)
if err != nil {
return nil, fmt.Errorf("[wss] read cert file error: %s", err)
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(certData) {
return nil, fmt.Errorf("[wss] can not append cert file: %s", w.certFile)
}
w.tlsConfig.RootCAs = certPool
}
return w, err return w, err
} }