From 856d881659022df14c9fd74dce26b51b77e33335 Mon Sep 17 00:00:00 2001 From: ImmortalD <761006889@qq.com> Date: Sun, 2 Jan 2022 18:35:22 +0800 Subject: [PATCH 1/2] =?UTF-8?q?#789=20=E4=BF=AE=E5=A4=8DHttp=E4=BB=A3?= =?UTF-8?q?=E7=90=86,Socks5=E4=BB=A3=E7=90=86=E7=9A=84auth=E6=97=A0?= =?UTF-8?q?=E6=B3=95=E6=AD=A3=E5=B8=B8=E4=BD=BF=E7=94=A8,=E7=8E=B0?= =?UTF-8?q?=E5=9C=A8=E5=8F=AF=E4=BB=A5=E5=90=8C=E6=97=B6=E4=BD=BF=E7=94=A8?= =?UTF-8?q?=E5=85=A8=E5=B1=80=E7=94=A8=E6=88=B7=E5=92=8Cmutli=20user?= =?UTF-8?q?=E8=AE=A4=E8=AF=81=E4=BA=86,=E8=AE=A4=E8=AF=81=E5=A4=B1?= =?UTF-8?q?=E8=B4=A5,=E5=AE=A2=E6=88=B7=E7=AB=AF=E4=BC=9A=E6=8F=90?= =?UTF-8?q?=E7=A4=BA=E8=BE=93=E5=85=A5=E7=94=A8=E6=88=B7=E5=90=8D=E5=92=8C?= =?UTF-8?q?=E5=AF=86=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/common/const.go | 12 +++++++---- lib/common/util.go | 45 ++++++++++++++++++++++++++++++++++++++++-- server/proxy/base.go | 11 +++++++---- server/proxy/http.go | 2 +- server/proxy/https.go | 2 +- server/proxy/socks5.go | 16 +-------------- server/proxy/tcp.go | 15 +++++++++----- 7 files changed, 71 insertions(+), 32 deletions(-) diff --git a/lib/common/const.go b/lib/common/const.go index ffb2fa60..f7097e0b 100644 --- a/lib/common/const.go +++ b/lib/common/const.go @@ -27,11 +27,15 @@ const ( CONN_TCP = "tcp" CONN_UDP = "udp" CONN_TEST = "TST" - UnauthorizedBytes = `HTTP/1.1 401 Unauthorized -Content-Type: text/plain; charset=utf-8 -WWW-Authenticate: Basic realm="easyProxy" + UnauthorizedBytes = `HTTP/1.1 407 Proxy Authentication Required +Server: Proxy +Proxy-Authenticate: Basic realm="easyProxy Authentication" +Connection: Close +Proxy-Connection: Close +Content-Length: 0 + +` -401 Unauthorized` ConnectionFailBytes = `HTTP/1.1 404 Not Found ` diff --git a/lib/common/util.go b/lib/common/util.go index cb87daa1..d216588e 100755 --- a/lib/common/util.go +++ b/lib/common/util.go @@ -7,6 +7,7 @@ import ( "encoding/binary" "errors" "fmt" + "github.com/astaxie/beego/logs" "html/template" "io" "io/ioutil" @@ -49,8 +50,47 @@ func DomainCheck(domain string) bool { return match } +// CheckAuthWithAccountMap +// u current login user +// p current login passwd +// user global user +// passwd global passwd +// accountMap enable multi user auth +func checkAuthWithAccountMap(u, p, user, passwd string, accountMap map[string]string) bool { + // invalid user or passwd + if u == "" || p == "" { + return false + } + + // global user auth + if u == user && p == passwd { + return true + } + + // multi user auth + if accountMap == nil { + return false + } + + return accountMap[u] == p +} + +// CheckAuthWithAccountMap +// u current login user +// p current login passwd +// user global user +// passwd global passwd +// accountMap enable multi user auth +func CheckAuthWithAccountMap(u, p, user, passwd string, accountMap map[string]string) bool { + isValid := checkAuthWithAccountMap(u, p, user, passwd, accountMap) + if !isValid { + logs.Info("账号验证失败") + } + return isValid +} + //Check if the Request request is validated -func CheckAuth(r *http.Request, user, passwd string) bool { +func CheckAuth(r *http.Request, user, passwd string, accountMap map[string]string) bool { s := strings.SplitN(r.Header.Get("Authorization"), " ", 2) if len(s) != 2 { s = strings.SplitN(r.Header.Get("Proxy-Authorization"), " ", 2) @@ -68,7 +108,8 @@ func CheckAuth(r *http.Request, user, passwd string) bool { if len(pair) != 2 { return false } - return pair[0] == user && pair[1] == passwd + + return CheckAuthWithAccountMap(pair[0], pair[1], user, passwd, accountMap) } //get bool by str diff --git a/server/proxy/base.go b/server/proxy/base.go index 7df5921c..c51166a3 100644 --- a/server/proxy/base.go +++ b/server/proxy/base.go @@ -4,6 +4,7 @@ import ( "errors" "net" "net/http" + "strings" "sync" "ehang.io/nps/bridge" @@ -63,11 +64,13 @@ func (s *BaseServer) writeConnFail(c net.Conn) { } //auth check -func (s *BaseServer) auth(r *http.Request, c *conn.Conn, u, p string) error { - if u != "" && p != "" && !common.CheckAuth(r, u, p) { - c.Write([]byte(common.UnauthorizedBytes)) +func (s *BaseServer) auth(r *http.Request, c *conn.Conn, u, p string, AccountMap map[string]string) error { + if u != "" && p != "" && !common.CheckAuth(r, u, p, AccountMap) { + var resp = common.UnauthorizedBytes + resp = strings.ReplaceAll(resp, "\n", "\r\n") + c.Write([]byte(resp)) c.Close() - return errors.New("401 Unauthorized") + return errors.New("407 Unauthorized") } return nil } diff --git a/server/proxy/http.go b/server/proxy/http.go index 3bc1e6ed..b26aed7c 100644 --- a/server/proxy/http.go +++ b/server/proxy/http.go @@ -150,7 +150,7 @@ reset: if !isReset { defer host.Client.AddConn() } - if err = s.auth(r, c, host.Client.Cnf.U, host.Client.Cnf.P); err != nil { + if err = s.auth(r, c, host.Client.Cnf.U, host.Client.Cnf.P, s.task.MultiAccount.AccountMap); err != nil { logs.Warn("auth error", err, r.RemoteAddr) return } diff --git a/server/proxy/https.go b/server/proxy/https.go index 3f0be1d9..764e0e73 100644 --- a/server/proxy/https.go +++ b/server/proxy/https.go @@ -117,7 +117,7 @@ func (https *HttpsServer) handleHttps(c net.Conn) { return } defer host.Client.AddConn() - if err = https.auth(r, conn.NewConn(c), host.Client.Cnf.U, host.Client.Cnf.P); err != nil { + if err = https.auth(r, conn.NewConn(c), host.Client.Cnf.U, host.Client.Cnf.P, https.task.MultiAccount.AccountMap); err != nil { logs.Warn("auth error", err, r.RemoteAddr) return } diff --git a/server/proxy/socks5.go b/server/proxy/socks5.go index 3faefe54..795ff7e3 100755 --- a/server/proxy/socks5.go +++ b/server/proxy/socks5.go @@ -340,21 +340,7 @@ func (s *Sock5ModeServer) Auth(c net.Conn) error { return err } - var U, P string - if s.task.MultiAccount != nil { - // enable multi user auth - U = string(user) - var ok bool - P, ok = s.task.MultiAccount.AccountMap[U] - if !ok { - return errors.New("验证不通过") - } - } else { - U = s.task.Client.Cnf.U - P = s.task.Client.Cnf.P - } - - if string(user) == U && string(pass) == P { + if common.CheckAuthWithAccountMap(string(user), string(pass), s.task.Client.Cnf.U, s.task.Client.Cnf.P, s.task.MultiAccount.AccountMap) { if _, err := c.Write([]byte{userAuthVersion, authSuccess}); err != nil { return err } diff --git a/server/proxy/tcp.go b/server/proxy/tcp.go index 58ce3e0c..d7992017 100755 --- a/server/proxy/tcp.go +++ b/server/proxy/tcp.go @@ -40,8 +40,11 @@ func (s *TunnelModeServer) Start() error { return } logs.Trace("new tcp connection,local port %d,client %d,remote address %s", s.task.Port, s.task.Client.Id, c.RemoteAddr()) - s.process(conn.NewConn(c), s) - s.task.Client.AddConn() + err := s.process(conn.NewConn(c), s) + if err == nil { + s.task.Client.AddConn() + } + }, &s.listener) } @@ -114,12 +117,14 @@ func ProcessHttp(c *conn.Conn, s *TunnelModeServer) error { logs.Info(err) return err } + + if err := s.auth(r, c, s.task.Client.Cnf.U, s.task.Client.Cnf.P, s.task.MultiAccount.AccountMap); err != nil { + return err + } + if r.Method == "CONNECT" { c.Write([]byte("HTTP/1.1 200 Connection established\r\n\r\n")) rb = nil } - if err := s.auth(r, c, s.task.Client.Cnf.U, s.task.Client.Cnf.P); err != nil { - return err - } return s.DealClient(c, s.task.Client, addr, rb, common.CONN_TCP, nil, s.task.Flow, s.task.Target.LocalProxy) } From a58bec2efe1699e4ec5e1582f613caf9836b9a30 Mon Sep 17 00:00:00 2001 From: ImmortalD <761006889@qq.com> Date: Mon, 3 Jan 2022 00:55:47 +0800 Subject: [PATCH 2/2] =?UTF-8?q?fix=20socks=E6=B2=A1=E5=AF=86=E7=A0=81?= =?UTF-8?q?=E6=97=B6=E6=8F=90=E7=A4=BA=E5=AF=86=E7=A0=81=20#789?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/common/util.go | 32 ++++++++++++++++++++++++++++++++ server/proxy/base.go | 2 +- server/proxy/socks5.go | 8 +++++++- 3 files changed, 40 insertions(+), 2 deletions(-) diff --git a/lib/common/util.go b/lib/common/util.go index d216588e..895316fc 100755 --- a/lib/common/util.go +++ b/lib/common/util.go @@ -50,6 +50,28 @@ func DomainCheck(domain string) bool { return match } +// 判断是否有有效的账号 +func hasValidAccount(accountMap map[string]string) bool { + if accountMap == nil { + return false + } + + for u, p := range accountMap { + if u != "" && p != "" { + return true + } + } + return false +} + +// 判断是否需要验证 +// user global user +// passwd global passwd +// accountMap enable multi user auth +func HasValid(user, passwd string, accountMap map[string]string) bool { + return hasValidAccount(accountMap) || (user != "" && passwd != "") +} + // CheckAuthWithAccountMap // u current login user // p current login passwd @@ -57,6 +79,11 @@ func DomainCheck(domain string) bool { // passwd global passwd // accountMap enable multi user auth func checkAuthWithAccountMap(u, p, user, passwd string, accountMap map[string]string) bool { + // 是否需要验证 + if !HasValid(user, passwd, accountMap) { + return true + } + // invalid user or passwd if u == "" || p == "" { return false @@ -91,6 +118,11 @@ func CheckAuthWithAccountMap(u, p, user, passwd string, accountMap map[string]st //Check if the Request request is validated func CheckAuth(r *http.Request, user, passwd string, accountMap map[string]string) bool { + // 是否需要验证 + if !HasValid(user, passwd, accountMap) { + return true + } + s := strings.SplitN(r.Header.Get("Authorization"), " ", 2) if len(s) != 2 { s = strings.SplitN(r.Header.Get("Proxy-Authorization"), " ", 2) diff --git a/server/proxy/base.go b/server/proxy/base.go index c51166a3..58e240ff 100644 --- a/server/proxy/base.go +++ b/server/proxy/base.go @@ -65,7 +65,7 @@ func (s *BaseServer) writeConnFail(c net.Conn) { //auth check func (s *BaseServer) auth(r *http.Request, c *conn.Conn, u, p string, AccountMap map[string]string) error { - if u != "" && p != "" && !common.CheckAuth(r, u, p, AccountMap) { + if !common.CheckAuth(r, u, p, AccountMap) { var resp = common.UnauthorizedBytes resp = strings.ReplaceAll(resp, "\n", "\r\n") c.Write([]byte(resp)) diff --git a/server/proxy/socks5.go b/server/proxy/socks5.go index 795ff7e3..52d1c76c 100755 --- a/server/proxy/socks5.go +++ b/server/proxy/socks5.go @@ -302,7 +302,13 @@ func (s *Sock5ModeServer) handleConn(c net.Conn) { c.Close() return } - if (s.task.Client.Cnf.U != "" && s.task.Client.Cnf.P != "") || (s.task.MultiAccount != nil && len(s.task.MultiAccount.AccountMap) > 0) { + + var accountMap map[string]string = nil + if s.task.MultiAccount != nil { + accountMap = s.task.MultiAccount.AccountMap + } + + if common.HasValid(s.task.Client.Cnf.U, s.task.Client.Cnf.P, accountMap) { buf[1] = UserPassAuth c.Write(buf) if err := s.Auth(c); err != nil {