Chore: merge branch 'with-tun' into plus-pro
This commit is contained in:
yaling888
commit
d74dd69329
@ -62,7 +62,7 @@ func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.Cache[string,
|
||||
request.RequestURI = ""
|
||||
|
||||
if isUpgradeRequest(request) {
|
||||
if resp = HandleUpgrade(conn, conn.RemoteAddr(), request, in); resp == nil {
|
||||
if resp = HandleUpgrade(conn, nil, request, in); resp == nil {
|
||||
return // hijack connection
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,8 +1,6 @@
|
||||
package http
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
@ -18,10 +16,11 @@ func isUpgradeRequest(req *http.Request) bool {
|
||||
return strings.EqualFold(req.Header.Get("Connection"), "Upgrade")
|
||||
}
|
||||
|
||||
func HandleUpgrade(localConn net.Conn, source net.Addr, request *http.Request, in chan<- C.ConnContext) (resp *http.Response) {
|
||||
func HandleUpgrade(localConn net.Conn, serverConn *N.BufferedConn, request *http.Request, in chan<- C.ConnContext) (resp *http.Response) {
|
||||
removeProxyHeaders(request.Header)
|
||||
RemoveExtraHTTPHostPort(request)
|
||||
|
||||
if serverConn == nil {
|
||||
address := request.Host
|
||||
if _, _, err := net.SplitHostPort(address); err != nil {
|
||||
port := "80"
|
||||
@ -38,38 +37,22 @@ func HandleUpgrade(localConn net.Conn, source net.Addr, request *http.Request, i
|
||||
|
||||
left, right := net.Pipe()
|
||||
|
||||
in <- inbound.NewMitm(dstAddr, source, request.Header.Get("User-Agent"), right)
|
||||
in <- inbound.NewHTTP(dstAddr, localConn.RemoteAddr(), right)
|
||||
|
||||
var remoteServer *N.BufferedConn
|
||||
if request.TLS != nil {
|
||||
tlsConn := tls.Client(left, &tls.Config{
|
||||
ServerName: request.URL.Hostname(),
|
||||
})
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
|
||||
defer cancel()
|
||||
if tlsConn.HandshakeContext(ctx) != nil {
|
||||
_ = localConn.Close()
|
||||
_ = left.Close()
|
||||
return
|
||||
}
|
||||
|
||||
remoteServer = N.NewBufferedConn(tlsConn)
|
||||
} else {
|
||||
remoteServer = N.NewBufferedConn(left)
|
||||
}
|
||||
serverConn = N.NewBufferedConn(left)
|
||||
|
||||
defer func() {
|
||||
_ = remoteServer.Close()
|
||||
_ = serverConn.Close()
|
||||
}()
|
||||
}
|
||||
|
||||
err := request.Write(remoteServer)
|
||||
err := request.Write(serverConn)
|
||||
if err != nil {
|
||||
_ = localConn.Close()
|
||||
return
|
||||
}
|
||||
|
||||
resp, err = http.ReadResponse(remoteServer.Reader(), request)
|
||||
resp, err = http.ReadResponse(serverConn.Reader(), request)
|
||||
if err != nil {
|
||||
_ = localConn.Close()
|
||||
return
|
||||
@ -88,7 +71,7 @@ func HandleUpgrade(localConn net.Conn, source net.Addr, request *http.Request, i
|
||||
return
|
||||
}
|
||||
|
||||
N.Relay(remoteServer, localConn) // blocking here
|
||||
N.Relay(serverConn, localConn) // blocking here
|
||||
_ = localConn.Close()
|
||||
resp = nil
|
||||
}
|
||||
|
||||
@ -3,36 +3,27 @@ package mitm
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"net"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/Dreamacro/clash/adapter/inbound"
|
||||
N "github.com/Dreamacro/clash/common/net"
|
||||
C "github.com/Dreamacro/clash/constant"
|
||||
"github.com/Dreamacro/clash/transport/socks5"
|
||||
)
|
||||
|
||||
func newClient(source net.Addr, userAgent string, in chan<- C.ConnContext) *http.Client {
|
||||
return &http.Client{
|
||||
Transport: &http.Transport{
|
||||
// excepted HTTP/2
|
||||
TLSNextProto: make(map[string]func(string, *tls.Conn) http.RoundTripper),
|
||||
// only needed 1 connection
|
||||
MaxIdleConns: 1,
|
||||
MaxIdleConnsPerHost: 1,
|
||||
MaxConnsPerHost: 1,
|
||||
IdleConnTimeout: 60 * time.Second,
|
||||
TLSHandshakeTimeout: 10 * time.Second,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
TLSClientConfig: &tls.Config{
|
||||
GetClientCertificate: func(info *tls.CertificateRequestInfo) (certificate *tls.Certificate, e error) {
|
||||
return nil, ErrCertUnsupported
|
||||
},
|
||||
},
|
||||
DialContext: func(context context.Context, network, address string) (net.Conn, error) {
|
||||
if network != "tcp" && network != "tcp4" && network != "tcp6" {
|
||||
return nil, errors.New("unsupported network " + network)
|
||||
func getServerConn(serverConn *N.BufferedConn, request *http.Request, srcAddr net.Addr, in chan<- C.ConnContext) (*N.BufferedConn, error) {
|
||||
if serverConn != nil {
|
||||
return serverConn, nil
|
||||
}
|
||||
|
||||
address := request.URL.Host
|
||||
if _, _, err := net.SplitHostPort(address); err != nil {
|
||||
port := "80"
|
||||
if request.TLS != nil {
|
||||
port = "443"
|
||||
}
|
||||
address = net.JoinHostPort(address, port)
|
||||
}
|
||||
|
||||
dstAddr := socks5.ParseAddr(address)
|
||||
@ -42,14 +33,23 @@ func newClient(source net.Addr, userAgent string, in chan<- C.ConnContext) *http
|
||||
|
||||
left, right := net.Pipe()
|
||||
|
||||
in <- inbound.NewMitm(dstAddr, source, userAgent, right)
|
||||
in <- inbound.NewMitm(dstAddr, srcAddr, request.Header.Get("User-Agent"), right)
|
||||
|
||||
return left, nil
|
||||
},
|
||||
},
|
||||
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
||||
return http.ErrUseLastResponse
|
||||
},
|
||||
Timeout: 120 * time.Second,
|
||||
if request.TLS != nil {
|
||||
tlsConn := tls.Client(left, &tls.Config{
|
||||
ServerName: request.TLS.ServerName,
|
||||
})
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
|
||||
defer cancel()
|
||||
if err := tlsConn.HandshakeContext(ctx); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
serverConn = N.NewBufferedConn(tlsConn)
|
||||
} else {
|
||||
serverConn = N.NewBufferedConn(left)
|
||||
}
|
||||
|
||||
return serverConn, nil
|
||||
}
|
||||
|
||||
9
listener/mitm/hack.go
Normal file
9
listener/mitm/hack.go
Normal file
@ -0,0 +1,9 @@
|
||||
package mitm
|
||||
|
||||
import (
|
||||
_ "net/http"
|
||||
_ "unsafe"
|
||||
)
|
||||
|
||||
//go:linkname validMethod net/http.validMethod
|
||||
func validMethod(method string) bool
|
||||
@ -1,15 +1,17 @@
|
||||
package mitm
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/netip"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@ -21,25 +23,24 @@ import (
|
||||
|
||||
func HandleConn(c net.Conn, opt *Option, in chan<- C.ConnContext, cache *cache.Cache[string, bool]) {
|
||||
var (
|
||||
source net.Addr
|
||||
client *http.Client
|
||||
clientIP = netip.MustParseAddrPort(c.RemoteAddr().String()).Addr()
|
||||
sourceAddr net.Addr
|
||||
serverConn *N.BufferedConn
|
||||
connState *tls.ConnectionState
|
||||
)
|
||||
|
||||
defer func() {
|
||||
if client != nil {
|
||||
client.CloseIdleConnections()
|
||||
if serverConn != nil {
|
||||
_ = serverConn.Close()
|
||||
}
|
||||
}()
|
||||
|
||||
startOver:
|
||||
var conn *N.BufferedConn
|
||||
if bufConn, ok := c.(*N.BufferedConn); ok {
|
||||
conn = bufConn
|
||||
} else {
|
||||
conn = N.NewBufferedConn(c)
|
||||
}
|
||||
conn := N.NewBufferedConn(c)
|
||||
|
||||
trusted := cache == nil // disable authenticate if cache is nil
|
||||
if !trusted {
|
||||
trusted = clientIP.IsLoopback() || clientIP.IsUnspecified()
|
||||
}
|
||||
|
||||
readLoop:
|
||||
for {
|
||||
@ -57,8 +58,8 @@ readLoop:
|
||||
|
||||
session := newSession(conn, request, response)
|
||||
|
||||
source = parseSourceAddress(session.request, c.RemoteAddr(), source)
|
||||
session.request.RemoteAddr = source.String()
|
||||
sourceAddr = parseSourceAddress(session.request, conn.RemoteAddr(), sourceAddr)
|
||||
session.request.RemoteAddr = sourceAddr.String()
|
||||
|
||||
if !trusted {
|
||||
session.response = H.Authenticate(session.request, cache)
|
||||
@ -68,6 +69,11 @@ readLoop:
|
||||
|
||||
if trusted {
|
||||
if session.request.Method == http.MethodConnect {
|
||||
if session.request.ProtoMajor > 1 {
|
||||
session.request.ProtoMajor = 1
|
||||
session.request.ProtoMinor = 1
|
||||
}
|
||||
|
||||
// Manual writing to support CONNECT for http 1.0 (workaround for uplay client)
|
||||
if _, err = fmt.Fprintf(session.conn, "HTTP/%d.%d %03d %s\r\n\r\n", session.request.ProtoMajor, session.request.ProtoMinor, http.StatusOK, "Connection established"); err != nil {
|
||||
handleError(opt, session, err)
|
||||
@ -78,9 +84,9 @@ readLoop:
|
||||
goto readLoop
|
||||
}
|
||||
|
||||
b, err := conn.Peek(1)
|
||||
if err != nil {
|
||||
handleError(opt, session, err)
|
||||
b, err1 := conn.Peek(1)
|
||||
if err1 != nil {
|
||||
handleError(opt, session, err1)
|
||||
break // close connection
|
||||
}
|
||||
|
||||
@ -88,22 +94,61 @@ readLoop:
|
||||
if b[0] == 0x16 {
|
||||
tlsConn := tls.Server(conn, opt.CertConfig.NewTLSConfigForHost(session.request.URL.Hostname()))
|
||||
|
||||
// Handshake with the local client
|
||||
if err = tlsConn.Handshake(); err != nil {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
|
||||
// handshake with the local client
|
||||
if err = tlsConn.HandshakeContext(ctx); err != nil {
|
||||
cancel()
|
||||
session.response = session.NewErrorResponse(fmt.Errorf("handshake failed: %w", err))
|
||||
_ = writeResponse(session, false)
|
||||
break // close connection
|
||||
}
|
||||
cancel()
|
||||
|
||||
c = tlsConn
|
||||
} else {
|
||||
c = conn
|
||||
cs := tlsConn.ConnectionState()
|
||||
connState = &cs
|
||||
|
||||
conn = N.NewBufferedConn(tlsConn)
|
||||
}
|
||||
|
||||
goto startOver
|
||||
if strings.HasSuffix(session.request.URL.Host, ":443") {
|
||||
goto readLoop
|
||||
}
|
||||
|
||||
prepareRequest(c, session.request)
|
||||
if conn.SetReadDeadline(time.Now().Add(time.Second)) != nil {
|
||||
break
|
||||
}
|
||||
|
||||
buf, err2 := conn.Peek(7)
|
||||
if err2 != nil {
|
||||
if err2 != bufio.ErrBufferFull && !os.IsTimeout(err2) {
|
||||
handleError(opt, session, err2)
|
||||
break // close connection
|
||||
}
|
||||
}
|
||||
|
||||
// others protocol over tcp
|
||||
if !isHTTPTraffic(buf) {
|
||||
if connState != nil {
|
||||
session.request.TLS = connState
|
||||
}
|
||||
|
||||
serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
|
||||
if conn.SetReadDeadline(time.Time{}) != nil {
|
||||
break
|
||||
}
|
||||
|
||||
N.Relay(serverConn, conn)
|
||||
return // hijack connection
|
||||
}
|
||||
|
||||
goto readLoop
|
||||
}
|
||||
|
||||
prepareRequest(connState, session.request)
|
||||
|
||||
// hijack api
|
||||
if session.request.URL.Hostname() == opt.ApiHost {
|
||||
@ -115,17 +160,22 @@ readLoop:
|
||||
|
||||
// forward websocket
|
||||
if isWebsocketRequest(request) {
|
||||
serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
|
||||
session.request.RequestURI = ""
|
||||
if session.response = H.HandleUpgrade(conn, source, request, in); session.response == nil {
|
||||
if session.response = H.HandleUpgrade(conn, serverConn, request, in); session.response == nil {
|
||||
return // hijack connection
|
||||
}
|
||||
}
|
||||
|
||||
if session.response == nil {
|
||||
H.RemoveHopByHopHeaders(session.request.Header)
|
||||
H.RemoveExtraHTTPHostPort(session.request)
|
||||
|
||||
// hijack custom request and write back custom response if necessary
|
||||
if opt.Handler != nil && session.response == nil {
|
||||
newReq, newRes := opt.Handler.HandleRequest(session)
|
||||
if newReq != nil {
|
||||
session.request = newReq
|
||||
@ -139,26 +189,26 @@ readLoop:
|
||||
}
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
if session.response == nil {
|
||||
session.request.RequestURI = ""
|
||||
|
||||
if session.request.URL.Host == "" {
|
||||
session.response = session.NewErrorResponse(ErrInvalidURL)
|
||||
} else {
|
||||
client = newClientBySourceAndUserAgentIfNil(client, session.request, source, in)
|
||||
|
||||
// send the request to remote server
|
||||
session.response, err = client.Do(session.request)
|
||||
|
||||
serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
|
||||
if err != nil {
|
||||
handleError(opt, session, err)
|
||||
session.response = session.NewErrorResponse(fmt.Errorf("request failed: %w", err))
|
||||
if errors.Is(err, ErrCertUnsupported) || strings.Contains(err.Error(), "x509: ") {
|
||||
_ = writeResponse(session, false)
|
||||
break
|
||||
}
|
||||
|
||||
// send the request to remote server
|
||||
err = session.request.Write(serverConn)
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
|
||||
session.response, err = http.ReadResponse(serverConn.Reader(), request)
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -174,12 +224,10 @@ readLoop:
|
||||
}
|
||||
|
||||
func writeResponseWithHandler(session *Session, opt *Option) error {
|
||||
if opt.Handler != nil {
|
||||
res := opt.Handler.HandleResponse(session)
|
||||
if res != nil {
|
||||
session.response = res
|
||||
}
|
||||
}
|
||||
|
||||
return writeResponse(session, true)
|
||||
}
|
||||
@ -220,11 +268,9 @@ func handleApiRequest(session *Session, opt *Option) error {
|
||||
</body></html>
|
||||
`
|
||||
|
||||
if opt.Handler != nil {
|
||||
if opt.Handler.HandleApiRequest(session) {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
b = fmt.Sprintf(b, session.request.URL.Path)
|
||||
|
||||
@ -243,12 +289,10 @@ func handleError(opt *Option, session *Session, err error) {
|
||||
_ = session.response.Body.Close()
|
||||
}()
|
||||
}
|
||||
if opt.Handler != nil {
|
||||
opt.Handler.HandleError(session, err)
|
||||
}
|
||||
}
|
||||
|
||||
func prepareRequest(conn net.Conn, request *http.Request) {
|
||||
func prepareRequest(connState *tls.ConnectionState, request *http.Request) {
|
||||
host := request.Header.Get("Host")
|
||||
if host != "" {
|
||||
request.Host = host
|
||||
@ -262,10 +306,8 @@ func prepareRequest(conn net.Conn, request *http.Request) {
|
||||
request.URL.Scheme = "http"
|
||||
}
|
||||
|
||||
if tlsConn, ok := conn.(*tls.Conn); ok {
|
||||
cs := tlsConn.ConnectionState()
|
||||
request.TLS = &cs
|
||||
|
||||
if connState != nil {
|
||||
request.TLS = connState
|
||||
request.URL.Scheme = "https"
|
||||
}
|
||||
|
||||
@ -297,10 +339,11 @@ func parseSourceAddress(req *http.Request, connSource, source net.Addr) net.Addr
|
||||
}
|
||||
}
|
||||
|
||||
func newClientBySourceAndUserAgentIfNil(cli *http.Client, req *http.Request, source net.Addr, in chan<- C.ConnContext) *http.Client {
|
||||
if cli != nil {
|
||||
return cli
|
||||
}
|
||||
|
||||
return newClient(source, req.Header.Get("User-Agent"), in)
|
||||
func isWebsocketRequest(req *http.Request) bool {
|
||||
return strings.EqualFold(req.Header.Get("Connection"), "Upgrade") && strings.EqualFold(req.Header.Get("Upgrade"), "websocket")
|
||||
}
|
||||
|
||||
func isHTTPTraffic(buf []byte) bool {
|
||||
method, _, _ := strings.Cut(string(buf), " ")
|
||||
return validMethod(method)
|
||||
}
|
||||
|
||||
@ -54,7 +54,7 @@ func (l *Listener) Close() error {
|
||||
|
||||
// New the MITM proxy actually is a type of HTTP proxy
|
||||
func New(option *Option, in chan<- C.ConnContext) (*Listener, error) {
|
||||
return NewWithAuthenticate(option, in, false)
|
||||
return NewWithAuthenticate(option, in, true)
|
||||
}
|
||||
|
||||
func NewWithAuthenticate(option *Option, in chan<- C.ConnContext, authenticate bool) (*Listener, error) {
|
||||
@ -65,7 +65,7 @@ func NewWithAuthenticate(option *Option, in chan<- C.ConnContext, authenticate b
|
||||
|
||||
var c *cache.Cache[string, bool]
|
||||
if authenticate {
|
||||
c = cache.New[string, bool](time.Second * 30)
|
||||
c = cache.New[string, bool](time.Second * 90)
|
||||
}
|
||||
|
||||
hl := &Listener{
|
||||
|
||||
@ -15,15 +15,10 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
ErrCertUnsupported = errors.New("tls: client cert unsupported")
|
||||
ErrInvalidResponse = errors.New("invalid response")
|
||||
ErrInvalidURL = errors.New("invalid URL")
|
||||
)
|
||||
|
||||
func isWebsocketRequest(req *http.Request) bool {
|
||||
return req.Header.Get("Connection") == "Upgrade" && req.Header.Get("Upgrade") == "websocket"
|
||||
}
|
||||
|
||||
func NewResponse(code int, body io.Reader, req *http.Request) *http.Response {
|
||||
if body == nil {
|
||||
body = &bytes.Buffer{}
|
||||
|
||||
Reference in New Issue
Block a user