fea: tls for socks5

2025-10-05 16:47:11 +08:00 · 2025-03-22 10:18:20 +08:00
parent 269ed244c0
commit 2f2e20e46a
13 changed files with 53 additions and 32 deletions
--- a/pkg/api/utils.go
+++ b/pkg/api/utils.go
@@ -2,7 +2,7 @@ package api

 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"

 	"github.com/luscis/openlan/pkg/libol"
@@ -40,7 +40,7 @@ func ResponseYaml(w http.ResponseWriter, v interface{}) {
 }

 func GetData(r *http.Request, v interface{}) error {
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		return err
 	}
--- a/pkg/cache/user.go
+++ b/pkg/cache/user.go
@@ -4,7 +4,7 @@ import (
 	"bufio"
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -174,7 +174,7 @@ func (w *user) Timeout(user *models.User) bool {

 func (w *user) Check(obj *models.User) (*models.User, error) {
 	if w.Cert != "" {
-		pemData, err := ioutil.ReadFile(w.Cert)
+		pemData, err := os.ReadFile(w.Cert)
 		if err != nil {
 			return nil, err
 		}
--- a/pkg/config/cert.go
+++ b/pkg/config/cert.go
@@ -4,8 +4,9 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"os"
+
 	"github.com/luscis/openlan/pkg/libol"
-	"io/ioutil"
 )

 type Crypt struct {
@@ -67,7 +68,7 @@ func (c *Cert) GetCertPool() *x509.CertPool {
 		libol.Debug("Cert.GetTlsCertPool: %s not such file", c.CaFile)
 		return nil
 	}
-	caCert, err := ioutil.ReadFile(c.CaFile)
+	caCert, err := os.ReadFile(c.CaFile)
 	if err != nil {
 		libol.Warn("Cert.GetTlsCertPool: %s", err)
 		return nil
--- a/pkg/config/proxy.go
+++ b/pkg/config/proxy.go
@@ -83,6 +83,7 @@ type SocksProxy struct {
 	Listen   string       `json:"listen,omitempty" yaml:"listen,omitempty"`
 	Auth     *Password    `json:"auth,omitempty" yaml:"auth,omitempty"`
 	Backends HttpBackends `json:"backends,omitempty" yaml:"backends,omitempty"`
+	Cert     *Cert        `json:"cert,omitempty" yaml:"cert,omitempty"`
 }

 func (s *SocksProxy) Initialize() error {
--- a/pkg/libol/websocket.go
+++ b/pkg/libol/websocket.go
@@ -3,9 +3,9 @@ package libol
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"io/ioutil"
 	"net"
 	"net/http"
+	"os"
 	"time"

 	"golang.org/x/net/websocket"
@@ -162,7 +162,7 @@ func NewWebClientFromConn(conn net.Conn, cfg *WebConfig) *WebClient {
 }

 func (t *WebClient) GetCertPool(ca string) *x509.CertPool {
-	caCert, err := ioutil.ReadFile(ca)
+	caCert, err := os.ReadFile(ca)
 	if err != nil {
 		Error("WebClient.GetCertPool: %s", err)
 		return nil
--- a/pkg/proxy/http.go
+++ b/pkg/proxy/http.go
@@ -458,7 +458,6 @@ func (t *HttpProxy) Start() {
 				return err
 			}
 		}
-		t.server.Shutdown(nil)
 		return nil
 	})
 }
--- a/pkg/proxy/socks.go
+++ b/pkg/proxy/socks.go
@@ -1,6 +1,7 @@
 package proxy

 import (
+	"crypto/tls"
 	"time"

 	"github.com/luscis/openlan/pkg/config"
@@ -36,6 +37,12 @@ func NewSocksProxy(cfg *config.SocksProxy) *SocksProxy {
 		AuthMethods: authMethods,
 		Logger:      s.out,
 	}
+	crt := cfg.Cert
+	if crt != nil && crt.KeyFile != "" {
+		conf.TlsConfig = &tls.Config{
+			RootCAs: crt.GetCertPool(),
+		}
+	}
 	server, err := socks5.New(conf)
 	if err != nil {
 		s.out.Error("NewSocksProxy %s", err)
@@ -50,7 +57,13 @@ func (s *SocksProxy) Start() {
 		return
 	}
 	addr := s.cfg.Listen
+
+	crt := s.cfg.Cert
+	if crt == nil || crt.KeyFile == "" {
 		s.out.Info("SocksProxy.Start: socks5://%s", s.cfg.Listen)
+	} else {
+		s.out.Info("SocksProxy.Start: sockss://%s", s.cfg.Listen)
+	}

 	promise := &libol.Promise{
 		First:  time.Second * 2,
--- a/pkg/proxy/ss/tcp.go
+++ b/pkg/proxy/ss/tcp.go
@@ -4,7 +4,6 @@ import (
 	"bufio"
 	"errors"
 	"io"
-	"io/ioutil"
 	"net"
 	"os"
 	"sync"
@@ -120,7 +119,7 @@ func tcpRemote(addr string, shadow func(net.Conn) net.Conn) {
 				logf("failed to get target address from %v: %v", c.RemoteAddr(), err)
 				// drain c to avoid leaking server behavioral features
 				// see https://www.ndss-symposium.org/ndss-paper/detecting-probe-resistant-proxies/
-				_, err = io.Copy(ioutil.Discard, c)
+				_, err = io.Copy(io.Discard, c)
 				if err != nil {
 					logf("discard error: %v", err)
 				}
--- a/pkg/socks5/socks5.go
+++ b/pkg/socks5/socks5.go
@@ -2,6 +2,7 @@ package socks5

 import (
 	"bufio"
+	"crypto/tls"
 	"encoding/binary"
 	"fmt"
 	"io"
@@ -54,6 +55,9 @@ type Config struct {

 	// Backends forwarding socks request
 	Backends co.FindBackend
+
+	// TLS Configurations
+	TlsConfig *tls.Config
 }

 // Server is reponsible for accepting connections and handling
@@ -104,10 +108,18 @@ func New(conf *Config) (*Server, error) {

 // ListenAndServe is used to create a listener and serve on it
 func (s *Server) ListenAndServe(network, addr string) error {
-	l, err := net.Listen(network, addr)
+	var l net.Listener
+	var err error
+
+	if s.config.TlsConfig != nil {
+		l, err = tls.Listen(network, addr, s.config.TlsConfig)
+	} else {
+		l, err = net.Listen(network, addr)
+	}
 	if err != nil {
 		return err
 	}
+
 	return s.Serve(l)
 }

--- a/pkg/switch/dhcp.go
+++ b/pkg/switch/dhcp.go
@@ -2,7 +2,6 @@ package cswitch

 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -85,7 +84,7 @@ func (d *Dhcp) SaveConf() {
 		cfg.Subnet.End,
 		d.LeaseFile(),
 	)
-	_ = ioutil.WriteFile(d.ConfFile(), []byte(data), 0600)
+	_ = os.WriteFile(d.ConfFile(), []byte(data), 0600)
 }

 func (d *Dhcp) Start() {
@@ -124,7 +123,7 @@ func (d *Dhcp) Clean() {
 }

 func (d *Dhcp) Stop() {
-	if data, err := ioutil.ReadFile(d.PidFile()); err != nil {
+	if data, err := os.ReadFile(d.PidFile()); err != nil {
 		d.out.Info("Dhcp.Stop %s", err)
 	} else {
 		pid := strings.TrimSpace(string(data))
--- a/pkg/switch/http.go
+++ b/pkg/switch/http.go
@@ -3,7 +3,6 @@ package cswitch
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"net/http/pprof"
 	"os"
@@ -145,7 +144,7 @@ func (h *Http) LoadToken() {
 	if _, err := os.Stat(h.adminFile); os.IsNotExist(err) {
 		libol.Info("Http.LoadToken: file:%s does not exist", h.adminFile)
 	} else {
-		contents, err := ioutil.ReadFile(h.adminFile)
+		contents, err := os.ReadFile(h.adminFile)
 		if err != nil {
 			libol.Error("Http.LoadToken: file:%s %s", h.adminFile, err)
 		} else {
@@ -235,7 +234,7 @@ func (h *Http) getFile(name string) string {

 func (h *Http) PubFile(w http.ResponseWriter, r *http.Request) {
 	realpath := h.getFile(r.URL.Path)
-	contents, err := ioutil.ReadFile(realpath)
+	contents, err := os.ReadFile(realpath)
 	if err != nil {
 		_, _ = fmt.Fprintf(w, "404")
 		return
--- a/pkg/switch/link.go
+++ b/pkg/switch/link.go
@@ -1,7 +1,6 @@
 package cswitch

 import (
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -117,7 +116,7 @@ func (l *Link) Clean() {
 }

 func (l *Link) Stop() error {
-	if data, err := ioutil.ReadFile(l.PidFile()); err != nil {
+	if data, err := os.ReadFile(l.PidFile()); err != nil {
 		l.out.Debug("Link.Stop %s", err)
 	} else {
 		pid := strings.TrimSpace(string(data))
--- a/pkg/switch/openvpn.go
+++ b/pkg/switch/openvpn.go
@@ -3,7 +3,6 @@ package cswitch
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
@@ -278,7 +277,7 @@ func (o *OpenVPN) ServerTmpl() string {
 		tmplStr = certConfTmpl
 	}
 	cfgTmpl := filepath.Join(o.Cfg.Directory, o.ID()+"server.tmpl")
-	_ = ioutil.WriteFile(cfgTmpl, []byte(tmplStr), 0600)
+	_ = os.WriteFile(cfgTmpl, []byte(tmplStr), 0600)
 	return tmplStr
 }

@@ -286,7 +285,7 @@ func (o *OpenVPN) ClientConnectScriptTmpl() string {
 	tmplStr := clientConnectScriptTmpl

 	cfgTmpl := filepath.Join(o.Cfg.Directory, o.ID()+"connectivplat.tmpl")
-	_ = ioutil.WriteFile(cfgTmpl, []byte(tmplStr), 0600)
+	_ = os.WriteFile(cfgTmpl, []byte(tmplStr), 0600)
 	return tmplStr
 }

@@ -294,7 +293,7 @@ func (o *OpenVPN) ClientDisConnectScriptTmpl() string {
 	tmplStr := clientDisConnectScriptTmpl

 	cfgTmpl := filepath.Join(o.Cfg.Directory, o.ID()+"disconnectivplat.tmpl")
-	_ = ioutil.WriteFile(cfgTmpl, []byte(tmplStr), 0600)
+	_ = os.WriteFile(cfgTmpl, []byte(tmplStr), 0600)
 	return tmplStr
 }

@@ -310,7 +309,7 @@ func (o *OpenVPN) FileIpp(full bool) string {
 }

 func (o *OpenVPN) Pid(full bool) string {
-	if data, err := ioutil.ReadFile(o.FilePid(true)); err != nil {
+	if data, err := os.ReadFile(o.FilePid(true)); err != nil {
 		o.out.Debug("OpenVPN.Stop %s", err)
 		return ""
 	} else {
@@ -369,7 +368,7 @@ func (o *OpenVPN) writeClientConfig() error {
 		}
 		ficFile := filepath.Join(ccd, fic.Name)
 		pushIP := fmt.Sprintf("ifconfig-push %s %s", fic.Address, fic.Netmask)
-		if err := ioutil.WriteFile(ficFile, []byte(pushIP), 0600); err != nil {
+		if err := os.WriteFile(ficFile, []byte(pushIP), 0600); err != nil {
 			o.out.Warn("OpenVPN.writeClientConfig %s", err)
 		}
 	}
@@ -464,7 +463,7 @@ func (o *OpenVPN) Initialize() {
 	}
 	if ctx, err := o.Profile(); err == nil {
 		file := o.FileClient(true)
-		if err := ioutil.WriteFile(file, ctx, 0600); err != nil {
+		if err := os.WriteFile(file, ctx, 0600); err != nil {
 			o.out.Warn("OpenVPN.Initialize %s", err)
 		}
 	} else {
@@ -511,7 +510,7 @@ func (o *OpenVPN) Stop() {
 	if !o.ValidConf() {
 		return
 	}
-	if data, err := ioutil.ReadFile(o.FilePid(true)); err != nil {
+	if data, err := os.ReadFile(o.FilePid(true)); err != nil {
 		o.out.Debug("OpenVPN.Stop %s", err)
 	} else {
 		killPath, err := exec.LookPath("kill")
@@ -569,7 +568,7 @@ func (o *OpenVPN) ProfileTmpl() string {
 	}

 	cfgTmpl := filepath.Join(o.Cfg.Directory, o.ID()+"client.tmpl")
-	_ = ioutil.WriteFile(cfgTmpl, []byte(tmplStr), 0600)
+	_ = os.WriteFile(cfgTmpl, []byte(tmplStr), 0600)
 	return tmplStr
 }

@@ -667,10 +666,10 @@ func NewOpenVPNProfileFromConf(obj *OpenVPN) *OpenVPNProfile {
 			data.Server = name
 		}
 	}
-	if ctx, err := ioutil.ReadFile(cfg.RootCa); err == nil {
+	if ctx, err := os.ReadFile(cfg.RootCa); err == nil {
 		data.Ca = string(ctx)
 	}
-	if ctx, err := ioutil.ReadFile(cfg.TlsAuth); err == nil {
+	if ctx, err := os.ReadFile(cfg.TlsAuth); err == nil {
 		data.TlsAuth = string(ctx)
 	}
 	return data