icybear/sing-box
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add fake mysql

Browse Source
This commit is contained in:
n3t1zen
2026-02-12 17:44:11 +08:00
parent 58ccf82e0b
commit bab5784ce5
9 changed files with 615 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

255
protocol/mysql/inbound.go Normal file
View File

@@ -0,0 +1,255 @@
package mysql
import (
"context"
"net"
"os"
"github.com/sagernet/sing-box/adapter"
"github.com/sagernet/sing-box/adapter/inbound"
"github.com/sagernet/sing-box/common/listener"
"github.com/sagernet/sing-box/common/mux"
boxTLS "github.com/sagernet/sing-box/common/tls"
C "github.com/sagernet/sing-box/constant"
"github.com/sagernet/sing-box/log"
"github.com/sagernet/sing-box/option"
"github.com/sagernet/sing/common"
E "github.com/sagernet/sing/common/exceptions"
"github.com/sagernet/sing/common/logger"
M "github.com/sagernet/sing/common/metadata"
N "github.com/sagernet/sing/common/network"
"github.com/sagernet/sing/common/task"
"github.com/sagernet/smux"
gmysql "github.com/go-mysql-org/go-mysql/mysql"
"github.com/go-mysql-org/go-mysql/server"
)
func RegisterInbound(registry *inbound.Registry) {
inbound.Register[option.MySQLInboundOptions](registry, C.TypeMySQL, NewInbound)
}
var _ adapter.TCPInjectableInbound = (*Inbound)(nil)
type Inbound struct {
inbound.Adapter
router adapter.ConnectionRouterEx
logger logger.ContextLogger
listener *listener.Listener
tlsConfig boxTLS.ServerConfig
username string
password string
mysqlServer *server.Server
}
func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.MySQLInboundOptions) (adapter.Inbound, error) {
inbound := &Inbound{
Adapter: inbound.NewAdapter(C.TypeMySQL, tag),
router: router,
logger: logger,
username: options.Username,
password: options.Password,
}
if options.TLS == nil || !options.TLS.Enabled {
return nil, C.ErrTLSRequired
}
tlsConfig, err := boxTLS.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
if err != nil {
return nil, err
}
inbound.tlsConfig = tlsConfig
// Get the standard *tls.Config from our TLS config for go-mysql server
stdTLSConfig, err := tlsConfig.STDConfig()
if err != nil {
return nil, E.Cause(err, "get std tls config")
}
// Create a go-mysql server with our TLS config
inbound.mysqlServer = server.NewServer(
"8.0.12",
gmysql.DEFAULT_COLLATION_ID,
gmysql.AUTH_NATIVE_PASSWORD,
nil,
stdTLSConfig,
)
inbound.router, err = mux.NewRouterWithOptions(inbound.router, logger, common.PtrValueOrDefault(options.Multiplex))
if err != nil {
return nil, err
}
inbound.listener = listener.New(listener.Options{
Context: ctx,
Logger: logger,
Network: []string{N.NetworkTCP},
Listen: options.ListenOptions,
ConnectionHandler: inbound,
})
return inbound, nil
}
func (h *Inbound) Start(stage adapter.StartStage) error {
if stage != adapter.StartStateStart {
return nil
}
if h.tlsConfig != nil {
err := h.tlsConfig.Start()
if err != nil {
return E.Cause(err, "create TLS config")
}
}
return h.listener.Start()
}
func (h *Inbound) Close() error {
return common.Close(
h.listener,
h.tlsConfig,
)
}
func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
// Create credential provider for this connection
provider := server.NewInMemoryProvider()
provider.AddUser(h.username, h.password)
// Use go-mysql server to perform the MySQL handshake (which negotiates TLS)
mysqlConn, err := h.mysqlServer.NewCustomizedConn(conn, provider, &emptyHandler{})
if err != nil {
N.CloseOnHandshakeFailure(conn, onClose, err)
h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": MySQL handshake"))
return
}
// After MySQL handshake, the underlying connection is TLS-encrypted.
// Now get the underlying net.Conn (which is a *tls.Conn) and use smux on top of it.
tlsConn := mysqlConn.Conn.Conn
h.logger.InfoContext(ctx, "MySQL handshake completed from ", metadata.Source)
// Handle smux session over the TLS-encrypted connection
err = h.handleMuxSession(ctx, tlsConn, metadata.Source, onClose)
if err != nil && !E.IsClosed(err) {
h.logger.ErrorContext(ctx, E.Cause(err, "process mux session from ", metadata.Source))
}
}
func (h *Inbound) handleMuxSession(ctx context.Context, conn net.Conn, source M.Socksaddr, onClose N.CloseHandlerFunc) error {
session, err := smux.Server(conn, smuxConfig())
if err != nil {
if onClose != nil {
onClose(err)
}
return err
}
var group task.Group
group.Append0(func(_ context.Context) error {
for {
stream, sErr := session.AcceptStream()
if sErr != nil {
return sErr
}
go h.handleMuxStream(ctx, stream, source)
}
})
group.Cleanup(func() {
session.Close()
if onClose != nil {
onClose(os.ErrClosed)
}
})
return group.Run(ctx)
}
func (h *Inbound) handleMuxStream(ctx context.Context, conn net.Conn, source M.Socksaddr) {
err := h.handleMuxStream0(ctx, conn, source)
if err != nil {
h.logger.ErrorContext(ctx, E.Cause(err, "process mux stream"))
}
}
func (h *Inbound) handleMuxStream0(ctx context.Context, conn net.Conn, source M.Socksaddr) error {
// Read destination from the stream header:
// 1 byte command (0x01=TCP, 0x03=UDP)
// then socks address (using SocksaddrSerializer)
var cmdBuf [1]byte
_, err := conn.Read(cmdBuf[:])
if err != nil {
return E.Cause(err, "read command")
}
command := cmdBuf[0]
destination, err := M.SocksaddrSerializer.ReadAddrPort(conn)
if err != nil {
return E.Cause(err, "read destination")
}
var metadata adapter.InboundContext
metadata.Inbound = h.Tag()
metadata.InboundType = h.Type()
metadata.Source = source
switch command {
case commandTCP:
metadata.Destination = destination
h.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
h.router.RouteConnectionEx(ctx, conn, metadata, nil)
case commandUDP:
metadata.Destination = destination
h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
h.router.RouteConnectionEx(ctx, conn, metadata, nil)
default:
return E.New("unknown command ", command)
}
return nil
}
func smuxConfig() *smux.Config {
config := smux.DefaultConfig()
config.KeepAliveDisabled = true
return config
}
const (
commandTCP byte = 0x01
commandUDP byte = 0x03
)
// emptyHandler implements go-mysql server.Handler with no-op operations.
// It is used because we only need the MySQL handshake for TLS negotiation,
// not actual MySQL query handling.
type emptyHandler struct{}
func (h *emptyHandler) UseDB(dbName string) error {
return nil
}
func (h *emptyHandler) HandleQuery(query string) (*gmysql.Result, error) {
return nil, gmysql.NewError(gmysql.ER_UNKNOWN_ERROR, "not supported")
}
func (h *emptyHandler) HandleFieldList(table string, fieldWildcard string) ([]*gmysql.Field, error) {
return nil, gmysql.NewError(gmysql.ER_UNKNOWN_ERROR, "not supported")
}
func (h *emptyHandler) HandleStmtPrepare(query string) (int, int, interface{}, error) {
return 0, 0, nil, gmysql.NewError(gmysql.ER_UNKNOWN_ERROR, "not supported")
}
func (h *emptyHandler) HandleStmtExecute(context interface{}, query string, args []interface{}) (*gmysql.Result, error) {
return nil, gmysql.NewError(gmysql.ER_UNKNOWN_ERROR, "not supported")
}
func (h *emptyHandler) HandleStmtClose(context interface{}) error {
return nil
}
func (h *emptyHandler) HandleOtherCommand(cmd byte, data []byte) error {
return gmysql.NewError(gmysql.ER_UNKNOWN_ERROR, "not supported")
}
// compile-time check
var _ server.Handler = (*emptyHandler)(nil)

268
protocol/mysql/outbound.go Normal file
View File

@@ -0,0 +1,268 @@
package mysql
import (
"context"
"crypto/tls"
"net"
"os"
"sync"
"github.com/sagernet/sing-box/adapter"
"github.com/sagernet/sing-box/adapter/outbound"
"github.com/sagernet/sing-box/common/dialer"
C "github.com/sagernet/sing-box/constant"
"github.com/sagernet/sing-box/log"
"github.com/sagernet/sing-box/option"
"github.com/sagernet/sing/common"
"github.com/sagernet/sing/common/bufio"
E "github.com/sagernet/sing/common/exceptions"
"github.com/sagernet/sing/common/logger"
M "github.com/sagernet/sing/common/metadata"
N "github.com/sagernet/sing/common/network"
"github.com/sagernet/smux"
"github.com/go-mysql-org/go-mysql/client"
)
func RegisterOutbound(registry *outbound.Registry) {
outbound.Register[option.MySQLOutboundOptions](registry, C.TypeMySQL, NewOutbound)
}
var _ adapter.InterfaceUpdateListener = (*Outbound)(nil)
type Outbound struct {
outbound.Adapter
ctx context.Context
logger logger.ContextLogger
dialer N.Dialer
serverAddr M.Socksaddr
username string
password string
tlsConfig *tls.Config
sessionAccess sync.Mutex
session *smux.Session
sessionConn net.Conn
}
func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.MySQLOutboundOptions) (adapter.Outbound, error) {
outboundDialer, err := dialer.New(ctx, options.DialerOptions, options.ServerIsDomain())
if err != nil {
return nil, err
}
outbound := &Outbound{
Adapter: outbound.NewAdapterWithDialerOptions(C.TypeMySQL, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
ctx: ctx,
logger: logger,
dialer: outboundDialer,
serverAddr: options.ServerOptions.Build(),
username: options.Username,
password: options.Password,
}
if outbound.serverAddr.Port == 0 {
outbound.serverAddr.Port = 3306
}
if outbound.username == "" {
outbound.username = "root"
}
// Build TLS config for MySQL client handshake
if options.TLS != nil && options.TLS.Enabled {
outbound.tlsConfig = &tls.Config{
InsecureSkipVerify: options.TLS.Insecure,
ServerName: options.TLS.ServerName,
}
if outbound.tlsConfig.ServerName == "" {
outbound.tlsConfig.ServerName = options.Server
}
} else {
// Default: use insecure TLS (since this is for tunneling, not real MySQL)
outbound.tlsConfig = &tls.Config{
InsecureSkipVerify: true,
}
}
return outbound, nil
}
func (h *Outbound) getSession() (*smux.Session, error) {
h.sessionAccess.Lock()
defer h.sessionAccess.Unlock()
if h.session != nil && !h.session.IsClosed() {
return h.session, nil
}
// Dial TCP connection to server
conn, err := h.dialer.DialContext(h.ctx, N.NetworkTCP, h.serverAddr)
if err != nil {
return nil, E.Cause(err, "dial server")
}
// Perform MySQL handshake with TLS
mysqlConn, err := client.ConnectWithDialer(
h.ctx,
"tcp",
h.serverAddr.String(),
h.username,
h.password,
"",
func(ctx context.Context, network, address string) (net.Conn, error) {
// Return the already-established connection
return conn, nil
},
func(c *client.Conn) error {
c.SetTLSConfig(h.tlsConfig)
return nil
},
)
if err != nil {
conn.Close()
return nil, E.Cause(err, "MySQL handshake")
}
// After MySQL handshake, the underlying connection is TLS-encrypted.
// Get the underlying net.Conn.
tlsConn := mysqlConn.Conn.Conn
// Create smux session over the TLS connection
session, err := smux.Client(tlsConn, smuxConfig())
if err != nil {
tlsConn.Close()
return nil, E.Cause(err, "create mux session")
}
h.session = session
h.sessionConn = tlsConn
go func() {
// When session is closed, clean up
<-session.CloseChan()
h.sessionAccess.Lock()
if h.session == session {
h.session = nil
h.sessionConn = nil
}
h.sessionAccess.Unlock()
tlsConn.Close()
}()
return session, nil
}
func (h *Outbound) openStream(ctx context.Context, command byte, destination M.Socksaddr) (net.Conn, error) {
session, err := h.getSession()
if err != nil {
return nil, err
}
stream, err := session.OpenStream()
if err != nil {
// Session might be stale, try once more with a new session
h.sessionAccess.Lock()
if h.session == session {
h.session = nil
if h.sessionConn != nil {
h.sessionConn.Close()
h.sessionConn = nil
}
}
h.sessionAccess.Unlock()
session, err = h.getSession()
if err != nil {
return nil, err
}
stream, err = session.OpenStream()
if err != nil {
return nil, E.Cause(err, "open mux stream")
}
}
// Write stream header: command + destination
_, err = stream.Write([]byte{command})
if err != nil {
stream.Close()
return nil, E.Cause(err, "write stream header command")
}
err = M.SocksaddrSerializer.WriteAddrPort(stream, destination)
if err != nil {
stream.Close()
return nil, E.Cause(err, "write stream header destination")
}
return stream, nil
}
func (h *Outbound) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
switch N.NetworkName(network) {
case N.NetworkTCP:
h.logger.InfoContext(ctx, "outbound connection to ", destination)
return h.openStream(ctx, commandTCP, destination)
case N.NetworkUDP:
h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
conn, err := h.openStream(ctx, commandUDP, destination)
if err != nil {
return nil, err
}
return bufio.NewBindPacketConn(&packetConn{conn}, destination), nil
default:
return nil, E.New("unsupported network: ", network)
}
}
func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
conn, err := h.openStream(ctx, commandUDP, destination)
if err != nil {
return nil, err
}
return &packetConn{conn}, nil
}
func (h *Outbound) InterfaceUpdated() {
h.sessionAccess.Lock()
defer h.sessionAccess.Unlock()
if h.session != nil {
h.session.Close()
h.session = nil
}
if h.sessionConn != nil {
h.sessionConn.Close()
h.sessionConn = nil
}
}
func (h *Outbound) Close() error {
h.sessionAccess.Lock()
defer h.sessionAccess.Unlock()
var err error
if h.session != nil {
err = h.session.Close()
h.session = nil
}
if h.sessionConn != nil {
common.Close(h.sessionConn)
h.sessionConn = nil
}
return err
}
// packetConn wraps a net.Conn as a net.PacketConn for UDP-over-TCP
type packetConn struct {
net.Conn
}
func (c *packetConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
n, err = c.Conn.Read(p)
return
}
func (c *packetConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
return c.Conn.Write(p)
}
var _ = os.ErrInvalid // keep import