Improve tls dialer and listener

This commit is contained in:
世界
2022-07-25 08:14:09 +08:00
parent 32e2730ec6
commit 1f05420745
8 changed files with 265 additions and 28 deletions

View File

@@ -27,7 +27,7 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, o
case C.TypeSocks:
return NewSocks(ctx, router, logger, options.Tag, options.SocksOptions), nil
case C.TypeHTTP:
return NewHTTP(ctx, router, logger, options.Tag, options.HTTPOptions), nil
return NewHTTP(ctx, router, logger, options.Tag, options.HTTPOptions)
case C.TypeMixed:
return NewMixed(ctx, router, logger, options.Tag, options.MixedOptions), nil
case C.TypeShadowsocks:

View File

@@ -3,12 +3,14 @@ package inbound
import (
std_bufio "bufio"
"context"
"crypto/tls"
"net"
"github.com/sagernet/sing-box/adapter"
C "github.com/sagernet/sing-box/constant"
"github.com/sagernet/sing-box/log"
"github.com/sagernet/sing-box/option"
"github.com/sagernet/sing/common"
"github.com/sagernet/sing/common/auth"
M "github.com/sagernet/sing/common/metadata"
N "github.com/sagernet/sing/common/network"
@@ -20,11 +22,12 @@ var _ adapter.Inbound = (*HTTP)(nil)
type HTTP struct {
myInboundAdapter
authenticator auth.Authenticator
tlsConfig *tls.Config
}
func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HTTPMixedInboundOptions) *HTTP {
func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HTTPMixedInboundOptions) (*HTTP, error) {
inbound := &HTTP{
myInboundAdapter{
myInboundAdapter: myInboundAdapter{
protocol: C.TypeHTTP,
network: []string{C.NetworkTCP},
ctx: ctx,
@@ -34,13 +37,23 @@ func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogge
listenOptions: options.ListenOptions,
setSystemProxy: options.SetSystemProxy,
},
auth.NewAuthenticator(options.Users),
authenticator: auth.NewAuthenticator(options.Users),
}
if options.TLS != nil {
tlsConfig, err := NewTLSConfig(common.PtrValueOrDefault(options.TLS))
if err != nil {
return nil, err
}
inbound.tlsConfig = tlsConfig
}
inbound.connHandler = inbound
return inbound
return inbound, nil
}
func (h *HTTP) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
if h.tlsConfig != nil {
conn = tls.Server(conn, h.tlsConfig)
}
return http.HandleConnection(ctx, conn, std_bufio.NewReader(conn), h.authenticator, h.upstreamUserHandler(metadata), M.Metadata{})
}

80
inbound/tls.go Normal file
View File

@@ -0,0 +1,80 @@
package inbound
import (
"crypto/tls"
"os"
"github.com/sagernet/sing-box/option"
E "github.com/sagernet/sing/common/exceptions"
)
func NewTLSConfig(options option.InboundTLSOptions) (*tls.Config, error) {
if !options.Enabled {
return nil, nil
}
var tlsConfig tls.Config
if options.ServerName != "" {
tlsConfig.ServerName = options.ServerName
}
if len(options.ALPN) > 0 {
tlsConfig.NextProtos = options.ALPN
}
if options.MinVersion != "" {
minVersion, err := option.ParseTLSVersion(options.MinVersion)
if err != nil {
return nil, E.Cause(err, "parse min_version")
}
tlsConfig.MinVersion = minVersion
}
if options.MaxVersion != "" {
maxVersion, err := option.ParseTLSVersion(options.MaxVersion)
if err != nil {
return nil, E.Cause(err, "parse max_version")
}
tlsConfig.MaxVersion = maxVersion
}
if options.CipherSuites != nil {
find:
for _, cipherSuite := range options.CipherSuites {
for _, tlsCipherSuite := range tls.CipherSuites() {
if cipherSuite == tlsCipherSuite.Name {
tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
continue find
}
}
return nil, E.New("unknown cipher_suite: ", cipherSuite)
}
}
var certificate []byte
if options.Certificate != "" {
certificate = []byte(options.Certificate)
} else if options.CertificatePath != "" {
content, err := os.ReadFile(options.CertificatePath)
if err != nil {
return nil, E.Cause(err, "read certificate")
}
certificate = content
}
var key []byte
if options.Key != "" {
key = []byte(options.Key)
} else if options.KeyPath != "" {
content, err := os.ReadFile(options.KeyPath)
if err != nil {
return nil, E.Cause(err, "read key")
}
key = content
}
if certificate == nil {
return nil, E.New("missing certificate")
}
if key == nil {
return nil, E.New("missing key")
}
keyPair, err := tls.X509KeyPair(certificate, key)
if err != nil {
return nil, E.Cause(err, "parse x509 key pair")
}
tlsConfig.Certificates = []tls.Certificate{keyPair}
return &tlsConfig, nil
}

View File

@@ -2,6 +2,7 @@ package inbound
import (
"context"
"crypto/tls"
"net"
"os"
@@ -20,8 +21,9 @@ var _ adapter.Inbound = (*VMess)(nil)
type VMess struct {
myInboundAdapter
service *vmess.Service[int]
users []option.VMessUser
service *vmess.Service[int]
users []option.VMessUser
tlsConfig *tls.Config
}
func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.VMessInboundOptions) (*VMess, error) {
@@ -46,12 +48,21 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
if err != nil {
return nil, err
}
if options.TLS != nil {
inbound.tlsConfig, err = NewTLSConfig(common.PtrValueOrDefault(options.TLS))
if err != nil {
return nil, err
}
}
inbound.service = service
inbound.connHandler = inbound
return inbound, nil
}
func (h *VMess) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
if h.tlsConfig != nil {
conn = tls.Server(conn, h.tlsConfig)
}
return h.service.NewConnection(adapter.WithContext(log.ContextWithNewID(ctx), &metadata), conn, adapter.UpstreamMetadata(metadata))
}