mirror of
https://gitclone.com/github.com/MetaCubeX/Clash.Meta
synced 2025-05-25 19:38:07 +08:00
Compare commits
23 Commits
266fb03838
...
fd959feff2
| Author | SHA1 | Date | |
|---|---|---|---|
|
fd959feff2 | ||
|
|
d5a03901d2 | ||
|
|
257fead538 | ||
|
|
c489c5260b | ||
|
|
8f92b1de13 | ||
|
|
9f7a2a36c1 | ||
|
|
a93479124c | ||
|
|
ed42c4feb8 | ||
|
|
608ddb1b44 | ||
|
|
d036d98128 | ||
|
|
d900c71214 | ||
|
|
1672750c47 | ||
|
|
41b57afb3f | ||
|
|
188372cb04 | ||
|
|
a1350d4985 | ||
|
|
dc958e6a39 | ||
|
|
8a5f3b8909 | ||
|
|
c6d7ef8cb8 | ||
|
|
bb8c47d83d | ||
|
|
5cf0f18c29 | ||
|
|
83213d493e | ||
|
|
90ed01ed53 | ||
|
|
f91a586da8 |
@ -28,19 +28,20 @@ type AnyTLS struct {
|
||||
|
||||
type AnyTLSOption struct {
|
||||
BasicOption
|
||||
Name string `proxy:"name"`
|
||||
Server string `proxy:"server"`
|
||||
Port int `proxy:"port"`
|
||||
Password string `proxy:"password"`
|
||||
ALPN []string `proxy:"alpn,omitempty"`
|
||||
SNI string `proxy:"sni,omitempty"`
|
||||
ClientFingerprint string `proxy:"client-fingerprint,omitempty"`
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
UDP bool `proxy:"udp,omitempty"`
|
||||
IdleSessionCheckInterval int `proxy:"idle-session-check-interval,omitempty"`
|
||||
IdleSessionTimeout int `proxy:"idle-session-timeout,omitempty"`
|
||||
MinIdleSession int `proxy:"min-idle-session,omitempty"`
|
||||
Name string `proxy:"name"`
|
||||
Server string `proxy:"server"`
|
||||
Port int `proxy:"port"`
|
||||
Password string `proxy:"password"`
|
||||
ALPN []string `proxy:"alpn,omitempty"`
|
||||
SNI string `proxy:"sni,omitempty"`
|
||||
ECHOpts ECHOptions `proxy:"ech-opts,omitempty"`
|
||||
ClientFingerprint string `proxy:"client-fingerprint,omitempty"`
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
UDP bool `proxy:"udp,omitempty"`
|
||||
IdleSessionCheckInterval int `proxy:"idle-session-check-interval,omitempty"`
|
||||
IdleSessionTimeout int `proxy:"idle-session-timeout,omitempty"`
|
||||
MinIdleSession int `proxy:"min-idle-session,omitempty"`
|
||||
}
|
||||
|
||||
func (t *AnyTLS) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
|
||||
@ -115,12 +116,17 @@ func NewAnyTLS(option AnyTLSOption) (*AnyTLS, error) {
|
||||
IdleSessionTimeout: time.Duration(option.IdleSessionTimeout) * time.Second,
|
||||
MinIdleSession: option.MinIdleSession,
|
||||
}
|
||||
echConfig, err := option.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig := &vmess.TLSConfig{
|
||||
Host: option.SNI,
|
||||
SkipCertVerify: option.SkipCertVerify,
|
||||
NextProtos: option.ALPN,
|
||||
FingerPrint: option.Fingerprint,
|
||||
ClientFingerprint: option.ClientFingerprint,
|
||||
ECH: echConfig,
|
||||
}
|
||||
if tlsConfig.Host == "" {
|
||||
tlsConfig.Host = option.Server
|
||||
|
||||
28
adapter/outbound/ech.go
Normal file
28
adapter/outbound/ech.go
Normal file
@ -0,0 +1,28 @@
|
||||
package outbound
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
)
|
||||
|
||||
type ECHOptions struct {
|
||||
Enable bool `proxy:"enable,omitempty" obfs:"enable,omitempty"`
|
||||
Config string `proxy:"config,omitempty" obfs:"config,omitempty"`
|
||||
}
|
||||
|
||||
func (o ECHOptions) Parse() (*ech.Config, error) {
|
||||
if !o.Enable {
|
||||
return nil, nil
|
||||
}
|
||||
echConfig := &ech.Config{}
|
||||
if o.Config != "" {
|
||||
list, err := base64.StdEncoding.DecodeString(o.Config)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("base64 decode ech config string failed: %v", err)
|
||||
}
|
||||
echConfig.EncryptedClientHelloConfigList = list
|
||||
}
|
||||
return echConfig, nil
|
||||
}
|
||||
@ -12,6 +12,7 @@ import (
|
||||
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/dialer"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
"github.com/metacubex/mihomo/component/proxydialer"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
@ -44,6 +45,9 @@ type Hysteria struct {
|
||||
|
||||
option *HysteriaOption
|
||||
client *core.Client
|
||||
|
||||
tlsConfig *tlsC.Config
|
||||
echConfig *ech.Config
|
||||
}
|
||||
|
||||
func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
|
||||
@ -79,7 +83,15 @@ func (h *Hysteria) genHdc(ctx context.Context) utils.PacketDialer {
|
||||
return cDialer.ListenPacket(ctx, network, "", rAddrPort)
|
||||
},
|
||||
remoteAddr: func(addr string) (net.Addr, error) {
|
||||
return resolveUDPAddr(ctx, "udp", addr, h.prefer)
|
||||
udpAddr, err := resolveUDPAddr(ctx, "udp", addr, h.prefer)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = h.echConfig.ClientHandle(ctx, h.tlsConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return udpAddr, nil
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -93,30 +105,31 @@ func (h *Hysteria) ProxyInfo() C.ProxyInfo {
|
||||
|
||||
type HysteriaOption struct {
|
||||
BasicOption
|
||||
Name string `proxy:"name"`
|
||||
Server string `proxy:"server"`
|
||||
Port int `proxy:"port,omitempty"`
|
||||
Ports string `proxy:"ports,omitempty"`
|
||||
Protocol string `proxy:"protocol,omitempty"`
|
||||
ObfsProtocol string `proxy:"obfs-protocol,omitempty"` // compatible with Stash
|
||||
Up string `proxy:"up"`
|
||||
UpSpeed int `proxy:"up-speed,omitempty"` // compatible with Stash
|
||||
Down string `proxy:"down"`
|
||||
DownSpeed int `proxy:"down-speed,omitempty"` // compatible with Stash
|
||||
Auth string `proxy:"auth,omitempty"`
|
||||
AuthString string `proxy:"auth-str,omitempty"`
|
||||
Obfs string `proxy:"obfs,omitempty"`
|
||||
SNI string `proxy:"sni,omitempty"`
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
ALPN []string `proxy:"alpn,omitempty"`
|
||||
CustomCA string `proxy:"ca,omitempty"`
|
||||
CustomCAString string `proxy:"ca-str,omitempty"`
|
||||
ReceiveWindowConn int `proxy:"recv-window-conn,omitempty"`
|
||||
ReceiveWindow int `proxy:"recv-window,omitempty"`
|
||||
DisableMTUDiscovery bool `proxy:"disable-mtu-discovery,omitempty"`
|
||||
FastOpen bool `proxy:"fast-open,omitempty"`
|
||||
HopInterval int `proxy:"hop-interval,omitempty"`
|
||||
Name string `proxy:"name"`
|
||||
Server string `proxy:"server"`
|
||||
Port int `proxy:"port,omitempty"`
|
||||
Ports string `proxy:"ports,omitempty"`
|
||||
Protocol string `proxy:"protocol,omitempty"`
|
||||
ObfsProtocol string `proxy:"obfs-protocol,omitempty"` // compatible with Stash
|
||||
Up string `proxy:"up"`
|
||||
UpSpeed int `proxy:"up-speed,omitempty"` // compatible with Stash
|
||||
Down string `proxy:"down"`
|
||||
DownSpeed int `proxy:"down-speed,omitempty"` // compatible with Stash
|
||||
Auth string `proxy:"auth,omitempty"`
|
||||
AuthString string `proxy:"auth-str,omitempty"`
|
||||
Obfs string `proxy:"obfs,omitempty"`
|
||||
SNI string `proxy:"sni,omitempty"`
|
||||
ECHOpts ECHOptions `proxy:"ech-opts,omitempty"`
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
ALPN []string `proxy:"alpn,omitempty"`
|
||||
CustomCA string `proxy:"ca,omitempty"`
|
||||
CustomCAString string `proxy:"ca-str,omitempty"`
|
||||
ReceiveWindowConn int `proxy:"recv-window-conn,omitempty"`
|
||||
ReceiveWindow int `proxy:"recv-window,omitempty"`
|
||||
DisableMTUDiscovery bool `proxy:"disable-mtu-discovery,omitempty"`
|
||||
FastOpen bool `proxy:"fast-open,omitempty"`
|
||||
HopInterval int `proxy:"hop-interval,omitempty"`
|
||||
}
|
||||
|
||||
func (c *HysteriaOption) Speed() (uint64, uint64, error) {
|
||||
@ -161,6 +174,13 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
|
||||
} else {
|
||||
tlsConfig.NextProtos = []string{DefaultALPN}
|
||||
}
|
||||
|
||||
echConfig, err := option.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsClientConfig := tlsC.UConfig(tlsConfig)
|
||||
|
||||
quicConfig := &quic.Config{
|
||||
InitialStreamReceiveWindow: uint64(option.ReceiveWindowConn),
|
||||
MaxStreamReceiveWindow: uint64(option.ReceiveWindowConn),
|
||||
@ -215,7 +235,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
|
||||
down = uint64(option.DownSpeed * mbpsToBps)
|
||||
}
|
||||
client, err := core.NewClient(
|
||||
addr, ports, option.Protocol, auth, tlsC.UConfig(tlsConfig), quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
|
||||
addr, ports, option.Protocol, auth, tlsClientConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
|
||||
return hyCongestion.NewBrutalSender(congestion.ByteCount(refBPS))
|
||||
}, obfuscator, hopInterval, option.FastOpen,
|
||||
)
|
||||
@ -233,8 +253,10 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
|
||||
rmark: option.RoutingMark,
|
||||
prefer: C.NewDNSPrefer(option.IPVersion),
|
||||
},
|
||||
option: &option,
|
||||
client: client,
|
||||
option: &option,
|
||||
client: client,
|
||||
tlsConfig: tlsClientConfig,
|
||||
echConfig: echConfig,
|
||||
}
|
||||
|
||||
return outbound, nil
|
||||
|
||||
@ -20,7 +20,6 @@ import (
|
||||
tuicCommon "github.com/metacubex/mihomo/transport/tuic/common"
|
||||
|
||||
"github.com/metacubex/quic-go"
|
||||
"github.com/metacubex/randv2"
|
||||
"github.com/metacubex/sing-quic/hysteria2"
|
||||
M "github.com/metacubex/sing/common/metadata"
|
||||
)
|
||||
@ -42,24 +41,25 @@ type Hysteria2 struct {
|
||||
|
||||
type Hysteria2Option struct {
|
||||
BasicOption
|
||||
Name string `proxy:"name"`
|
||||
Server string `proxy:"server"`
|
||||
Port int `proxy:"port,omitempty"`
|
||||
Ports string `proxy:"ports,omitempty"`
|
||||
HopInterval int `proxy:"hop-interval,omitempty"`
|
||||
Up string `proxy:"up,omitempty"`
|
||||
Down string `proxy:"down,omitempty"`
|
||||
Password string `proxy:"password,omitempty"`
|
||||
Obfs string `proxy:"obfs,omitempty"`
|
||||
ObfsPassword string `proxy:"obfs-password,omitempty"`
|
||||
SNI string `proxy:"sni,omitempty"`
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
ALPN []string `proxy:"alpn,omitempty"`
|
||||
CustomCA string `proxy:"ca,omitempty"`
|
||||
CustomCAString string `proxy:"ca-str,omitempty"`
|
||||
CWND int `proxy:"cwnd,omitempty"`
|
||||
UdpMTU int `proxy:"udp-mtu,omitempty"`
|
||||
Name string `proxy:"name"`
|
||||
Server string `proxy:"server"`
|
||||
Port int `proxy:"port,omitempty"`
|
||||
Ports string `proxy:"ports,omitempty"`
|
||||
HopInterval int `proxy:"hop-interval,omitempty"`
|
||||
Up string `proxy:"up,omitempty"`
|
||||
Down string `proxy:"down,omitempty"`
|
||||
Password string `proxy:"password,omitempty"`
|
||||
Obfs string `proxy:"obfs,omitempty"`
|
||||
ObfsPassword string `proxy:"obfs-password,omitempty"`
|
||||
SNI string `proxy:"sni,omitempty"`
|
||||
ECHOpts ECHOptions `proxy:"ech-opts,omitempty"`
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
ALPN []string `proxy:"alpn,omitempty"`
|
||||
CustomCA string `proxy:"ca,omitempty"`
|
||||
CustomCAString string `proxy:"ca-str,omitempty"`
|
||||
CWND int `proxy:"cwnd,omitempty"`
|
||||
UdpMTU int `proxy:"udp-mtu,omitempty"`
|
||||
|
||||
// quic-go special config
|
||||
InitialStreamReceiveWindow uint64 `proxy:"initial-stream-receive-window,omitempty"`
|
||||
@ -154,6 +154,12 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
|
||||
tlsConfig.NextProtos = option.ALPN
|
||||
}
|
||||
|
||||
tlsClientConfig := tlsC.UConfig(tlsConfig)
|
||||
echConfig, err := option.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if option.UdpMTU == 0 {
|
||||
// "1200" from quic-go's MaxDatagramSize
|
||||
// "-3" from quic-go's DatagramFrame.MaxDataLen
|
||||
@ -175,41 +181,46 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
|
||||
ReceiveBPS: StringToBps(option.Down),
|
||||
SalamanderPassword: salamanderPassword,
|
||||
Password: option.Password,
|
||||
TLSConfig: tlsC.UConfig(tlsConfig),
|
||||
TLSConfig: tlsClientConfig,
|
||||
QUICConfig: quicConfig,
|
||||
UDPDisabled: false,
|
||||
CWND: option.CWND,
|
||||
UdpMTU: option.UdpMTU,
|
||||
ServerAddress: func(ctx context.Context) (*net.UDPAddr, error) {
|
||||
return resolveUDPAddr(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
|
||||
udpAddr, err := resolveUDPAddr(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = echConfig.ClientHandle(ctx, tlsClientConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return udpAddr, nil
|
||||
},
|
||||
}
|
||||
|
||||
var ranges utils.IntRanges[uint16]
|
||||
var serverAddress []string
|
||||
var serverPorts []uint16
|
||||
if option.Ports != "" {
|
||||
ranges, err = utils.NewUnsignedRanges[uint16](option.Ports)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ranges.Range(func(port uint16) bool {
|
||||
serverAddress = append(serverAddress, net.JoinHostPort(option.Server, strconv.Itoa(int(port))))
|
||||
serverPorts = append(serverPorts, port)
|
||||
return true
|
||||
})
|
||||
if len(serverAddress) > 0 {
|
||||
clientOptions.ServerAddress = func(ctx context.Context) (*net.UDPAddr, error) {
|
||||
return resolveUDPAddr(ctx, "udp", serverAddress[randv2.IntN(len(serverAddress))], C.NewDNSPrefer(option.IPVersion))
|
||||
}
|
||||
|
||||
if len(serverPorts) > 0 {
|
||||
if option.HopInterval == 0 {
|
||||
option.HopInterval = defaultHopInterval
|
||||
} else if option.HopInterval < minHopInterval {
|
||||
option.HopInterval = minHopInterval
|
||||
}
|
||||
clientOptions.HopInterval = time.Duration(option.HopInterval) * time.Second
|
||||
clientOptions.ServerPorts = serverPorts
|
||||
}
|
||||
}
|
||||
if option.Port == 0 && len(serverAddress) == 0 {
|
||||
if option.Port == 0 && len(serverPorts) == 0 {
|
||||
return nil, errors.New("invalid port")
|
||||
}
|
||||
|
||||
|
||||
@ -13,11 +13,14 @@ import (
|
||||
type RealityOptions struct {
|
||||
PublicKey string `proxy:"public-key"`
|
||||
ShortID string `proxy:"short-id"`
|
||||
|
||||
SupportX25519MLKEM768 bool `proxy:"support-x25519mlkem768"`
|
||||
}
|
||||
|
||||
func (o RealityOptions) Parse() (*tlsC.RealityConfig, error) {
|
||||
if o.PublicKey != "" {
|
||||
config := new(tlsC.RealityConfig)
|
||||
config.SupportX25519MLKEM768 = o.SupportX25519MLKEM768
|
||||
|
||||
const x25519ScalarSize = 32
|
||||
publicKey, err := base64.RawURLEncoding.DecodeString(o.PublicKey)
|
||||
|
||||
@ -64,6 +64,7 @@ type v2rayObfsOption struct {
|
||||
Host string `obfs:"host,omitempty"`
|
||||
Path string `obfs:"path,omitempty"`
|
||||
TLS bool `obfs:"tls,omitempty"`
|
||||
ECHOpts ECHOptions `obfs:"ech-opts,omitempty"`
|
||||
Fingerprint string `obfs:"fingerprint,omitempty"`
|
||||
Headers map[string]string `obfs:"headers,omitempty"`
|
||||
SkipCertVerify bool `obfs:"skip-cert-verify,omitempty"`
|
||||
@ -77,6 +78,7 @@ type gostObfsOption struct {
|
||||
Host string `obfs:"host,omitempty"`
|
||||
Path string `obfs:"path,omitempty"`
|
||||
TLS bool `obfs:"tls,omitempty"`
|
||||
ECHOpts ECHOptions `obfs:"ech-opts,omitempty"`
|
||||
Fingerprint string `obfs:"fingerprint,omitempty"`
|
||||
Headers map[string]string `obfs:"headers,omitempty"`
|
||||
SkipCertVerify bool `obfs:"skip-cert-verify,omitempty"`
|
||||
@ -303,6 +305,12 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
|
||||
v2rayOption.TLS = true
|
||||
v2rayOption.SkipCertVerify = opts.SkipCertVerify
|
||||
v2rayOption.Fingerprint = opts.Fingerprint
|
||||
|
||||
echConfig, err := opts.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("ss %s initialize v2ray-plugin error: %w", addr, err)
|
||||
}
|
||||
v2rayOption.ECHConfig = echConfig
|
||||
}
|
||||
} else if option.Plugin == "gost-plugin" {
|
||||
opts := gostObfsOption{Host: "bing.com", Mux: true}
|
||||
@ -325,6 +333,12 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
|
||||
gostOption.TLS = true
|
||||
gostOption.SkipCertVerify = opts.SkipCertVerify
|
||||
gostOption.Fingerprint = opts.Fingerprint
|
||||
|
||||
echConfig, err := opts.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("ss %s initialize gost-plugin error: %w", addr, err)
|
||||
}
|
||||
gostOption.ECHConfig = echConfig
|
||||
}
|
||||
} else if option.Plugin == shadowtls.Mode {
|
||||
obfsMode = shadowtls.Mode
|
||||
|
||||
@ -12,6 +12,7 @@ import (
|
||||
N "github.com/metacubex/mihomo/common/net"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/dialer"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
"github.com/metacubex/mihomo/component/proxydialer"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
@ -32,6 +33,7 @@ type Trojan struct {
|
||||
transport *gun.TransportWrap
|
||||
|
||||
realityConfig *tlsC.RealityConfig
|
||||
echConfig *ech.Config
|
||||
|
||||
ssCipher core.Cipher
|
||||
}
|
||||
@ -48,6 +50,7 @@ type TrojanOption struct {
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
UDP bool `proxy:"udp,omitempty"`
|
||||
Network string `proxy:"network,omitempty"`
|
||||
ECHOpts ECHOptions `proxy:"ech-opts,omitempty"`
|
||||
RealityOpts RealityOptions `proxy:"reality-opts,omitempty"`
|
||||
GrpcOpts GrpcOptions `proxy:"grpc-opts,omitempty"`
|
||||
WSOpts WSOptions `proxy:"ws-opts,omitempty"`
|
||||
@ -77,6 +80,7 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
|
||||
V2rayHttpUpgrade: t.option.WSOpts.V2rayHttpUpgrade,
|
||||
V2rayHttpUpgradeFastOpen: t.option.WSOpts.V2rayHttpUpgradeFastOpen,
|
||||
ClientFingerprint: t.option.ClientFingerprint,
|
||||
ECHConfig: t.echConfig,
|
||||
Headers: http.Header{},
|
||||
}
|
||||
|
||||
@ -110,7 +114,7 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
|
||||
|
||||
c, err = vmess.StreamWebsocketConn(ctx, c, wsOpts)
|
||||
case "grpc":
|
||||
c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.realityConfig)
|
||||
c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.echConfig, t.realityConfig)
|
||||
default:
|
||||
// default tcp network
|
||||
// handle TLS
|
||||
@ -124,6 +128,7 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
|
||||
FingerPrint: t.option.Fingerprint,
|
||||
ClientFingerprint: t.option.ClientFingerprint,
|
||||
NextProtos: alpn,
|
||||
ECH: t.echConfig,
|
||||
Reality: t.realityConfig,
|
||||
})
|
||||
}
|
||||
@ -321,6 +326,11 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
t.echConfig, err = option.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if option.SSOpts.Enabled {
|
||||
if option.SSOpts.Password == "" {
|
||||
return nil, errors.New("empty password")
|
||||
@ -365,7 +375,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, option.ClientFingerprint, t.realityConfig)
|
||||
t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, option.ClientFingerprint, t.echConfig, t.realityConfig)
|
||||
|
||||
t.gunTLSConfig = tlsConfig
|
||||
t.gunConfig = &gun.Config{
|
||||
|
||||
@ -12,6 +12,7 @@ import (
|
||||
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/dialer"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
"github.com/metacubex/mihomo/component/proxydialer"
|
||||
"github.com/metacubex/mihomo/component/resolver"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
@ -28,6 +29,9 @@ type Tuic struct {
|
||||
*Base
|
||||
option *TuicOption
|
||||
client *tuic.PoolClient
|
||||
|
||||
tlsConfig *tlsC.Config
|
||||
echConfig *ech.Config
|
||||
}
|
||||
|
||||
type TuicOption struct {
|
||||
@ -48,18 +52,19 @@ type TuicOption struct {
|
||||
DisableSni bool `proxy:"disable-sni,omitempty"`
|
||||
MaxUdpRelayPacketSize int `proxy:"max-udp-relay-packet-size,omitempty"`
|
||||
|
||||
FastOpen bool `proxy:"fast-open,omitempty"`
|
||||
MaxOpenStreams int `proxy:"max-open-streams,omitempty"`
|
||||
CWND int `proxy:"cwnd,omitempty"`
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
CustomCA string `proxy:"ca,omitempty"`
|
||||
CustomCAString string `proxy:"ca-str,omitempty"`
|
||||
ReceiveWindowConn int `proxy:"recv-window-conn,omitempty"`
|
||||
ReceiveWindow int `proxy:"recv-window,omitempty"`
|
||||
DisableMTUDiscovery bool `proxy:"disable-mtu-discovery,omitempty"`
|
||||
MaxDatagramFrameSize int `proxy:"max-datagram-frame-size,omitempty"`
|
||||
SNI string `proxy:"sni,omitempty"`
|
||||
FastOpen bool `proxy:"fast-open,omitempty"`
|
||||
MaxOpenStreams int `proxy:"max-open-streams,omitempty"`
|
||||
CWND int `proxy:"cwnd,omitempty"`
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
CustomCA string `proxy:"ca,omitempty"`
|
||||
CustomCAString string `proxy:"ca-str,omitempty"`
|
||||
ReceiveWindowConn int `proxy:"recv-window-conn,omitempty"`
|
||||
ReceiveWindow int `proxy:"recv-window,omitempty"`
|
||||
DisableMTUDiscovery bool `proxy:"disable-mtu-discovery,omitempty"`
|
||||
MaxDatagramFrameSize int `proxy:"max-datagram-frame-size,omitempty"`
|
||||
SNI string `proxy:"sni,omitempty"`
|
||||
ECHOpts ECHOptions `proxy:"ech-opts,omitempty"`
|
||||
|
||||
UDPOverStream bool `proxy:"udp-over-stream,omitempty"`
|
||||
UDPOverStreamVersion int `proxy:"udp-over-stream-version,omitempty"`
|
||||
@ -135,6 +140,10 @@ func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (transport *
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
err = t.echConfig.ClientHandle(ctx, t.tlsConfig)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
addr = udpAddr
|
||||
var pc net.PacketConn
|
||||
pc, err = dialer.ListenPacket(ctx, "udp", "", udpAddr.AddrPort())
|
||||
@ -249,6 +258,12 @@ func NewTuic(option TuicOption) (*Tuic, error) {
|
||||
tlsConfig.InsecureSkipVerify = true // tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
|
||||
}
|
||||
|
||||
tlsClientConfig := tlsC.UConfig(tlsConfig)
|
||||
echConfig, err := option.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
switch option.UDPOverStreamVersion {
|
||||
case uot.Version, uot.LegacyVersion:
|
||||
case 0:
|
||||
@ -268,7 +283,9 @@ func NewTuic(option TuicOption) (*Tuic, error) {
|
||||
rmark: option.RoutingMark,
|
||||
prefer: C.NewDNSPrefer(option.IPVersion),
|
||||
},
|
||||
option: &option,
|
||||
option: &option,
|
||||
tlsConfig: tlsClientConfig,
|
||||
echConfig: echConfig,
|
||||
}
|
||||
|
||||
clientMaxOpenStreams := int64(option.MaxOpenStreams)
|
||||
@ -285,7 +302,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
|
||||
if len(option.Token) > 0 {
|
||||
tkn := tuic.GenTKN(option.Token)
|
||||
clientOption := &tuic.ClientOptionV4{
|
||||
TlsConfig: tlsC.UConfig(tlsConfig),
|
||||
TlsConfig: tlsClientConfig,
|
||||
QuicConfig: quicConfig,
|
||||
Token: tkn,
|
||||
UdpRelayMode: udpRelayMode,
|
||||
@ -305,7 +322,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
|
||||
maxUdpRelayPacketSize = tuic.MaxFragSizeV5
|
||||
}
|
||||
clientOption := &tuic.ClientOptionV5{
|
||||
TlsConfig: tlsC.UConfig(tlsConfig),
|
||||
TlsConfig: tlsClientConfig,
|
||||
QuicConfig: quicConfig,
|
||||
Uuid: uuid.FromStringOrNil(option.UUID),
|
||||
Password: option.Password,
|
||||
|
||||
@ -17,6 +17,7 @@ import (
|
||||
"github.com/metacubex/mihomo/common/utils"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/dialer"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
"github.com/metacubex/mihomo/component/proxydialer"
|
||||
"github.com/metacubex/mihomo/component/resolver"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
@ -46,6 +47,7 @@ type Vless struct {
|
||||
transport *gun.TransportWrap
|
||||
|
||||
realityConfig *tlsC.RealityConfig
|
||||
echConfig *ech.Config
|
||||
}
|
||||
|
||||
type VlessOption struct {
|
||||
@ -62,6 +64,7 @@ type VlessOption struct {
|
||||
XUDP bool `proxy:"xudp,omitempty"`
|
||||
PacketEncoding string `proxy:"packet-encoding,omitempty"`
|
||||
Network string `proxy:"network,omitempty"`
|
||||
ECHOpts ECHOptions `proxy:"ech-opts,omitempty"`
|
||||
RealityOpts RealityOptions `proxy:"reality-opts,omitempty"`
|
||||
HTTPOpts HTTPOptions `proxy:"http-opts,omitempty"`
|
||||
HTTP2Opts HTTP2Options `proxy:"h2-opts,omitempty"`
|
||||
@ -88,6 +91,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
|
||||
V2rayHttpUpgrade: v.option.WSOpts.V2rayHttpUpgrade,
|
||||
V2rayHttpUpgradeFastOpen: v.option.WSOpts.V2rayHttpUpgradeFastOpen,
|
||||
ClientFingerprint: v.option.ClientFingerprint,
|
||||
ECHConfig: v.echConfig,
|
||||
Headers: http.Header{},
|
||||
}
|
||||
|
||||
@ -151,7 +155,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
|
||||
|
||||
c, err = vmess.StreamH2Conn(ctx, c, h2Opts)
|
||||
case "grpc":
|
||||
c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
|
||||
c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.echConfig, v.realityConfig)
|
||||
default:
|
||||
// default tcp network
|
||||
// handle TLS
|
||||
@ -206,6 +210,7 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
|
||||
SkipCertVerify: v.option.SkipCertVerify,
|
||||
FingerPrint: v.option.Fingerprint,
|
||||
ClientFingerprint: v.option.ClientFingerprint,
|
||||
ECH: v.echConfig,
|
||||
Reality: v.realityConfig,
|
||||
NextProtos: v.option.ALPN,
|
||||
}
|
||||
@ -563,6 +568,11 @@ func NewVless(option VlessOption) (*Vless, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
v.echConfig, err = v.option.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
switch option.Network {
|
||||
case "h2":
|
||||
if len(option.HTTP2Opts.Host) == 0 {
|
||||
@ -611,7 +621,7 @@ func NewVless(option VlessOption) (*Vless, error) {
|
||||
v.gunTLSConfig = tlsConfig
|
||||
v.gunConfig = gunConfig
|
||||
|
||||
v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
|
||||
v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.echConfig, v.realityConfig)
|
||||
}
|
||||
|
||||
return v, nil
|
||||
|
||||
@ -15,6 +15,7 @@ import (
|
||||
"github.com/metacubex/mihomo/common/utils"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/dialer"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
"github.com/metacubex/mihomo/component/proxydialer"
|
||||
"github.com/metacubex/mihomo/component/resolver"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
@ -41,6 +42,7 @@ type Vmess struct {
|
||||
transport *gun.TransportWrap
|
||||
|
||||
realityConfig *tlsC.RealityConfig
|
||||
echConfig *ech.Config
|
||||
}
|
||||
|
||||
type VmessOption struct {
|
||||
@ -58,6 +60,7 @@ type VmessOption struct {
|
||||
SkipCertVerify bool `proxy:"skip-cert-verify,omitempty"`
|
||||
Fingerprint string `proxy:"fingerprint,omitempty"`
|
||||
ServerName string `proxy:"servername,omitempty"`
|
||||
ECHOpts ECHOptions `proxy:"ech-opts,omitempty"`
|
||||
RealityOpts RealityOptions `proxy:"reality-opts,omitempty"`
|
||||
HTTPOpts HTTPOptions `proxy:"http-opts,omitempty"`
|
||||
HTTP2Opts HTTP2Options `proxy:"h2-opts,omitempty"`
|
||||
@ -109,6 +112,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
|
||||
V2rayHttpUpgrade: v.option.WSOpts.V2rayHttpUpgrade,
|
||||
V2rayHttpUpgradeFastOpen: v.option.WSOpts.V2rayHttpUpgradeFastOpen,
|
||||
ClientFingerprint: v.option.ClientFingerprint,
|
||||
ECHConfig: v.echConfig,
|
||||
Headers: http.Header{},
|
||||
}
|
||||
|
||||
@ -146,6 +150,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
|
||||
Host: host,
|
||||
SkipCertVerify: v.option.SkipCertVerify,
|
||||
ClientFingerprint: v.option.ClientFingerprint,
|
||||
ECH: v.echConfig,
|
||||
Reality: v.realityConfig,
|
||||
NextProtos: v.option.ALPN,
|
||||
}
|
||||
@ -195,7 +200,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
|
||||
|
||||
c, err = mihomoVMess.StreamH2Conn(ctx, c, h2Opts)
|
||||
case "grpc":
|
||||
c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
|
||||
c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.echConfig, v.realityConfig)
|
||||
default:
|
||||
// handle TLS
|
||||
if v.option.TLS {
|
||||
@ -205,6 +210,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
|
||||
SkipCertVerify: v.option.SkipCertVerify,
|
||||
FingerPrint: v.option.Fingerprint,
|
||||
ClientFingerprint: v.option.ClientFingerprint,
|
||||
ECH: v.echConfig,
|
||||
Reality: v.realityConfig,
|
||||
NextProtos: v.option.ALPN,
|
||||
}
|
||||
@ -474,6 +480,11 @@ func NewVmess(option VmessOption) (*Vmess, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
v.echConfig, err = v.option.ECHOpts.Parse()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
switch option.Network {
|
||||
case "h2":
|
||||
if len(option.HTTP2Opts.Host) == 0 {
|
||||
@ -522,7 +533,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
|
||||
v.gunTLSConfig = tlsConfig
|
||||
v.gunConfig = gunConfig
|
||||
|
||||
v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
|
||||
v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.echConfig, v.realityConfig)
|
||||
}
|
||||
|
||||
return v, nil
|
||||
|
||||
@ -61,7 +61,7 @@ func (hc *HealthCheck) process() {
|
||||
}
|
||||
}
|
||||
|
||||
func (hc *HealthCheck) setProxy(proxies []C.Proxy) {
|
||||
func (hc *HealthCheck) setProxies(proxies []C.Proxy) {
|
||||
hc.proxies = proxies
|
||||
}
|
||||
|
||||
|
||||
@ -57,6 +57,13 @@ func (bp *baseProvider) Version() uint32 {
|
||||
return bp.version
|
||||
}
|
||||
|
||||
func (bp *baseProvider) Initial() error {
|
||||
if bp.healthCheck.auto() {
|
||||
go bp.healthCheck.process()
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (bp *baseProvider) HealthCheck() {
|
||||
bp.healthCheck.check()
|
||||
}
|
||||
@ -88,7 +95,7 @@ func (bp *baseProvider) RegisterHealthCheckTask(url string, expectedStatus utils
|
||||
func (bp *baseProvider) setProxies(proxies []C.Proxy) {
|
||||
bp.proxies = proxies
|
||||
bp.version += 1
|
||||
bp.healthCheck.setProxy(proxies)
|
||||
bp.healthCheck.setProxies(proxies)
|
||||
if bp.healthCheck.auto() {
|
||||
go bp.healthCheck.check()
|
||||
}
|
||||
@ -133,8 +140,8 @@ func (pp *proxySetProvider) Update() error {
|
||||
}
|
||||
|
||||
func (pp *proxySetProvider) Initial() error {
|
||||
if pp.healthCheck.auto() {
|
||||
go pp.healthCheck.process()
|
||||
if err := pp.baseProvider.Initial(); err != nil {
|
||||
return err
|
||||
}
|
||||
_, err := pp.Fetcher.Initial()
|
||||
if err != nil {
|
||||
@ -184,6 +191,8 @@ func NewProxySetProvider(name string, interval time.Duration, payload []map[stri
|
||||
return nil, err
|
||||
}
|
||||
pd.proxies = proxies
|
||||
// direct call setProxies on hc to avoid starting a health check process immediately, it should be done by Initial()
|
||||
hc.setProxies(proxies)
|
||||
}
|
||||
|
||||
fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, parser, pd.setProxies)
|
||||
@ -233,13 +242,6 @@ func (ip *inlineProvider) VehicleType() types.VehicleType {
|
||||
return types.Inline
|
||||
}
|
||||
|
||||
func (ip *inlineProvider) Initial() error {
|
||||
if ip.healthCheck.auto() {
|
||||
go ip.healthCheck.process()
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ip *inlineProvider) Update() error {
|
||||
// make api update happy
|
||||
ip.updateAt = time.Now()
|
||||
@ -256,6 +258,8 @@ func NewInlineProvider(name string, payload []map[string]any, parser resource.Pa
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// direct call setProxies on hc to avoid starting a health check process immediately, it should be done by Initial()
|
||||
hc.setProxies(proxies)
|
||||
|
||||
ip := &inlineProvider{
|
||||
baseProvider: baseProvider{
|
||||
@ -299,13 +303,6 @@ func (cp *compatibleProvider) Update() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (cp *compatibleProvider) Initial() error {
|
||||
if cp.healthCheck.auto() {
|
||||
go cp.healthCheck.process()
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (cp *compatibleProvider) VehicleType() types.VehicleType {
|
||||
return types.Compatible
|
||||
}
|
||||
|
||||
35
component/ech/ech.go
Normal file
35
component/ech/ech.go
Normal file
@ -0,0 +1,35 @@
|
||||
package ech
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/metacubex/mihomo/component/resolver"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
)
|
||||
|
||||
type Config struct {
|
||||
EncryptedClientHelloConfigList []byte
|
||||
}
|
||||
|
||||
func (cfg *Config) ClientHandle(ctx context.Context, tlsConfig *tlsC.Config) (err error) {
|
||||
if cfg == nil {
|
||||
return nil
|
||||
}
|
||||
echConfigList := cfg.EncryptedClientHelloConfigList
|
||||
if len(echConfigList) == 0 {
|
||||
echConfigList, err = resolver.ResolveECH(ctx, tlsConfig.ServerName)
|
||||
if err != nil {
|
||||
return fmt.Errorf("resolve ECH config error: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
tlsConfig.EncryptedClientHelloConfigList = echConfigList
|
||||
if tlsConfig.MinVersion != 0 && tlsConfig.MinVersion < tlsC.VersionTLS13 {
|
||||
tlsConfig.MinVersion = tlsC.VersionTLS13
|
||||
}
|
||||
if tlsConfig.MaxVersion != 0 && tlsConfig.MaxVersion < tlsC.VersionTLS13 {
|
||||
tlsConfig.MaxVersion = tlsC.VersionTLS13
|
||||
}
|
||||
return nil
|
||||
}
|
||||
143
component/ech/key.go
Normal file
143
component/ech/key.go
Normal file
@ -0,0 +1,143 @@
|
||||
package ech
|
||||
|
||||
import (
|
||||
"crypto/ecdh"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
|
||||
"golang.org/x/crypto/cryptobyte"
|
||||
)
|
||||
|
||||
const (
|
||||
AEAD_AES_128_GCM = 0x0001
|
||||
AEAD_AES_256_GCM = 0x0002
|
||||
AEAD_ChaCha20Poly1305 = 0x0003
|
||||
)
|
||||
|
||||
const extensionEncryptedClientHello = 0xfe0d
|
||||
const DHKEM_X25519_HKDF_SHA256 = 0x0020
|
||||
const KDF_HKDF_SHA256 = 0x0001
|
||||
|
||||
// sortedSupportedAEADs is just a sorted version of hpke.SupportedAEADS.
|
||||
// We need this so that when we insert them into ECHConfigs the ordering
|
||||
// is stable.
|
||||
var sortedSupportedAEADs = []uint16{AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_ChaCha20Poly1305}
|
||||
|
||||
func marshalECHConfig(id uint8, pubKey []byte, publicName string, maxNameLen uint8) []byte {
|
||||
builder := cryptobyte.NewBuilder(nil)
|
||||
|
||||
builder.AddUint16(extensionEncryptedClientHello)
|
||||
builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
|
||||
builder.AddUint8(id)
|
||||
|
||||
builder.AddUint16(DHKEM_X25519_HKDF_SHA256) // The only DHKEM we support
|
||||
builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
|
||||
builder.AddBytes(pubKey)
|
||||
})
|
||||
builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
|
||||
for _, aeadID := range sortedSupportedAEADs {
|
||||
builder.AddUint16(KDF_HKDF_SHA256) // The only KDF we support
|
||||
builder.AddUint16(aeadID)
|
||||
}
|
||||
})
|
||||
builder.AddUint8(maxNameLen)
|
||||
builder.AddUint8LengthPrefixed(func(builder *cryptobyte.Builder) {
|
||||
builder.AddBytes([]byte(publicName))
|
||||
})
|
||||
builder.AddUint16(0) // extensions
|
||||
})
|
||||
|
||||
return builder.BytesOrPanic()
|
||||
}
|
||||
|
||||
func GenECHConfig(publicName string) (configBase64 string, keyPem string, err error) {
|
||||
echKey, err := ecdh.X25519().GenerateKey(rand.Reader)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
echConfig := marshalECHConfig(0, echKey.PublicKey().Bytes(), publicName, 0)
|
||||
|
||||
builder := cryptobyte.NewBuilder(nil)
|
||||
builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
|
||||
builder.AddBytes(echConfig)
|
||||
})
|
||||
echConfigList := builder.BytesOrPanic()
|
||||
|
||||
builder2 := cryptobyte.NewBuilder(nil)
|
||||
builder2.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
|
||||
builder.AddBytes(echKey.Bytes())
|
||||
})
|
||||
builder2.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
|
||||
builder.AddBytes(echConfig)
|
||||
})
|
||||
echConfigKeys := builder2.BytesOrPanic()
|
||||
|
||||
configBase64 = base64.StdEncoding.EncodeToString(echConfigList)
|
||||
keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: echConfigKeys}))
|
||||
return
|
||||
}
|
||||
|
||||
func UnmarshalECHKeys(raw []byte) ([]tlsC.EncryptedClientHelloKey, error) {
|
||||
var keys []tlsC.EncryptedClientHelloKey
|
||||
rawString := cryptobyte.String(raw)
|
||||
for !rawString.Empty() {
|
||||
var key tlsC.EncryptedClientHelloKey
|
||||
if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.PrivateKey)) {
|
||||
return nil, errors.New("error parsing private key")
|
||||
}
|
||||
if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.Config)) {
|
||||
return nil, errors.New("error parsing config")
|
||||
}
|
||||
keys = append(keys, key)
|
||||
}
|
||||
if len(keys) == 0 {
|
||||
return nil, errors.New("empty ECH keys")
|
||||
}
|
||||
return keys, nil
|
||||
}
|
||||
|
||||
func LoadECHKey(key string, tlsConfig *tlsC.Config, path ca.Path) error {
|
||||
if key == "" {
|
||||
return nil
|
||||
}
|
||||
painTextErr := loadECHKey([]byte(key), tlsConfig)
|
||||
if painTextErr == nil {
|
||||
return nil
|
||||
}
|
||||
key = path.Resolve(key)
|
||||
var loadErr error
|
||||
if !path.IsSafePath(key) {
|
||||
loadErr = path.ErrNotSafePath(key)
|
||||
} else {
|
||||
var echKey []byte
|
||||
echKey, loadErr = os.ReadFile(key)
|
||||
if loadErr == nil {
|
||||
loadErr = loadECHKey(echKey, tlsConfig)
|
||||
}
|
||||
}
|
||||
if loadErr != nil {
|
||||
return fmt.Errorf("parse ECH keys failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func loadECHKey(echKey []byte, tlsConfig *tlsC.Config) error {
|
||||
block, rest := pem.Decode(echKey)
|
||||
if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
|
||||
return errors.New("invalid ECH keys pem")
|
||||
}
|
||||
echKeys, err := UnmarshalECHKeys(block.Bytes)
|
||||
if err != nil {
|
||||
return fmt.Errorf("parse ECH keys: %w", err)
|
||||
}
|
||||
tlsConfig.EncryptedClientHelloKeys = echKeys
|
||||
return nil
|
||||
}
|
||||
@ -4,12 +4,14 @@ import (
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
|
||||
"github.com/gofrs/uuid/v5"
|
||||
)
|
||||
|
||||
func Main(args []string) {
|
||||
if len(args) < 1 {
|
||||
panic("Using: generate uuid/reality-keypair/wg-keypair")
|
||||
panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair")
|
||||
}
|
||||
switch args[0] {
|
||||
case "uuid":
|
||||
@ -33,5 +35,15 @@ func Main(args []string) {
|
||||
}
|
||||
fmt.Println("PrivateKey: " + privateKey.String())
|
||||
fmt.Println("PublicKey: " + privateKey.PublicKey().String())
|
||||
case "ech-keypair":
|
||||
if len(args) < 2 {
|
||||
panic("Using: generate ech-keypair <plain_server_name>")
|
||||
}
|
||||
configBase64, keyPem, err := ech.GenECHConfig(args[1])
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
fmt.Println("Config:", configBase64)
|
||||
fmt.Println("Key:", keyPem)
|
||||
}
|
||||
}
|
||||
|
||||
@ -49,6 +49,7 @@ type Resolver interface {
|
||||
LookupIP(ctx context.Context, host string) (ips []netip.Addr, err error)
|
||||
LookupIPv4(ctx context.Context, host string) (ips []netip.Addr, err error)
|
||||
LookupIPv6(ctx context.Context, host string) (ips []netip.Addr, err error)
|
||||
ResolveECH(ctx context.Context, host string) ([]byte, error)
|
||||
ExchangeContext(ctx context.Context, m *dns.Msg) (msg *dns.Msg, err error)
|
||||
Invalid() bool
|
||||
ClearCache()
|
||||
@ -216,6 +217,17 @@ func ResolveIPPrefer6(ctx context.Context, host string) (netip.Addr, error) {
|
||||
return ResolveIPPrefer6WithResolver(ctx, host, DefaultResolver)
|
||||
}
|
||||
|
||||
func ResolveECHWithResolver(ctx context.Context, host string, r Resolver) ([]byte, error) {
|
||||
if r != nil && r.Invalid() {
|
||||
return r.ResolveECH(ctx, host)
|
||||
}
|
||||
return SystemResolver.ResolveECH(ctx, host)
|
||||
}
|
||||
|
||||
func ResolveECH(ctx context.Context, host string) ([]byte, error) {
|
||||
return ResolveECHWithResolver(ctx, host, DefaultResolver)
|
||||
}
|
||||
|
||||
func ResetConnection() {
|
||||
if DefaultResolver != nil {
|
||||
go DefaultResolver.ResetConnection()
|
||||
|
||||
@ -105,6 +105,7 @@ func (f *Fetcher[V]) loadBuf(buf []byte, hash utils.HashType, updateFile bool) (
|
||||
_ = os.Chtimes(f.vehicle.Path(), now, now)
|
||||
}
|
||||
f.updatedAt = now
|
||||
f.backoff.Reset() // no error, reset backoff
|
||||
return lo.Empty[V](), true, nil
|
||||
}
|
||||
|
||||
@ -220,6 +221,10 @@ func (f *Fetcher[V]) updateWithLog() {
|
||||
|
||||
func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicle, parser Parser[V], onUpdate func(V)) *Fetcher[V] {
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
minBackoff := 10 * time.Second
|
||||
if interval < minBackoff {
|
||||
minBackoff = interval
|
||||
}
|
||||
return &Fetcher[V]{
|
||||
ctx: ctx,
|
||||
ctxCancel: cancel,
|
||||
@ -231,7 +236,7 @@ func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicl
|
||||
backoff: slowdown.Backoff{
|
||||
Factor: 2,
|
||||
Jitter: false,
|
||||
Min: time.Second,
|
||||
Min: minBackoff,
|
||||
Max: interval,
|
||||
},
|
||||
}
|
||||
|
||||
68
component/tls/httpserver.go
Normal file
68
component/tls/httpserver.go
Normal file
@ -0,0 +1,68 @@
|
||||
package tls
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
N "github.com/metacubex/mihomo/common/net"
|
||||
"github.com/metacubex/mihomo/log"
|
||||
|
||||
"golang.org/x/net/http2"
|
||||
)
|
||||
|
||||
func extractTlsHandshakeTimeoutFromServer(s *http.Server) time.Duration {
|
||||
var ret time.Duration
|
||||
for _, v := range [...]time.Duration{
|
||||
s.ReadHeaderTimeout,
|
||||
s.ReadTimeout,
|
||||
s.WriteTimeout,
|
||||
} {
|
||||
if v <= 0 {
|
||||
continue
|
||||
}
|
||||
if ret == 0 || v < ret {
|
||||
ret = v
|
||||
}
|
||||
}
|
||||
return ret
|
||||
}
|
||||
|
||||
// NewListenerForHttps returns a net.Listener for (*http.Server).Serve()
|
||||
// the "func (c *conn) serve(ctx context.Context)" in http\server.go
|
||||
// only do tls handshake and check NegotiatedProtocol with std's *tls.Conn
|
||||
// so we do the same logic to let http2 (not h2c) work fine
|
||||
func NewListenerForHttps(l net.Listener, httpServer *http.Server, tlsConfig *Config) net.Listener {
|
||||
http2Server := &http2.Server{}
|
||||
_ = http2.ConfigureServer(httpServer, http2Server)
|
||||
return N.NewHandleContextListener(context.Background(), l, func(ctx context.Context, conn net.Conn) (net.Conn, error) {
|
||||
c := Server(conn, tlsConfig)
|
||||
|
||||
tlsTO := extractTlsHandshakeTimeoutFromServer(httpServer)
|
||||
if tlsTO > 0 {
|
||||
dl := time.Now().Add(tlsTO)
|
||||
_ = conn.SetReadDeadline(dl)
|
||||
_ = conn.SetWriteDeadline(dl)
|
||||
}
|
||||
|
||||
err := c.HandshakeContext(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Restore Conn-level deadlines.
|
||||
if tlsTO > 0 {
|
||||
_ = conn.SetReadDeadline(time.Time{})
|
||||
_ = conn.SetWriteDeadline(time.Time{})
|
||||
}
|
||||
|
||||
if c.ConnectionState().NegotiatedProtocol == http2.NextProtoTLS {
|
||||
http2Server.ServeConn(c, &http2.ServeConnOpts{BaseConfig: httpServer})
|
||||
return nil, net.ErrClosed
|
||||
}
|
||||
return c, nil
|
||||
}, func(a any) {
|
||||
log.Errorln("https server panic: %s", a)
|
||||
})
|
||||
}
|
||||
@ -26,7 +26,6 @@ import (
|
||||
utls "github.com/metacubex/utls"
|
||||
"golang.org/x/crypto/chacha20poly1305"
|
||||
"golang.org/x/crypto/hkdf"
|
||||
"golang.org/x/exp/slices"
|
||||
"golang.org/x/net/http2"
|
||||
)
|
||||
|
||||
@ -35,9 +34,11 @@ const RealityMaxShortIDLen = 8
|
||||
type RealityConfig struct {
|
||||
PublicKey *ecdh.PublicKey
|
||||
ShortID [RealityMaxShortIDLen]byte
|
||||
|
||||
SupportX25519MLKEM768 bool
|
||||
}
|
||||
|
||||
func GetRealityConn(ctx context.Context, conn net.Conn, fingerprint UClientHelloID, tlsConfig *tls.Config, realityConfig *RealityConfig) (net.Conn, error) {
|
||||
func GetRealityConn(ctx context.Context, conn net.Conn, fingerprint UClientHelloID, tlsConfig *Config, realityConfig *RealityConfig) (net.Conn, error) {
|
||||
for retry := 0; ; retry++ {
|
||||
verifier := &realityVerifier{
|
||||
serverName: tlsConfig.ServerName,
|
||||
@ -48,39 +49,18 @@ func GetRealityConn(ctx context.Context, conn net.Conn, fingerprint UClientHello
|
||||
SessionTicketsDisabled: true,
|
||||
VerifyPeerCertificate: verifier.VerifyPeerCertificate,
|
||||
}
|
||||
clientID := utls.ClientHelloID{
|
||||
Client: fingerprint.Client,
|
||||
Version: fingerprint.Version,
|
||||
Seed: fingerprint.Seed,
|
||||
|
||||
if !realityConfig.SupportX25519MLKEM768 && fingerprint == HelloChrome_Auto {
|
||||
fingerprint = HelloChrome_120 // old reality server doesn't work with X25519MLKEM768
|
||||
}
|
||||
uConn := utls.UClient(conn, uConfig, clientID)
|
||||
|
||||
uConn := utls.UClient(conn, uConfig, fingerprint)
|
||||
verifier.UConn = uConn
|
||||
err := uConn.BuildHandshakeState()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// ------for X25519MLKEM768 does not work properly with reality-------
|
||||
// Iterate over extensions and check
|
||||
for _, extension := range uConn.Extensions {
|
||||
if ce, ok := extension.(*utls.SupportedCurvesExtension); ok {
|
||||
ce.Curves = slices.DeleteFunc(ce.Curves, func(curveID utls.CurveID) bool {
|
||||
return curveID == utls.X25519MLKEM768
|
||||
})
|
||||
}
|
||||
if ks, ok := extension.(*utls.KeyShareExtension); ok {
|
||||
ks.KeyShares = slices.DeleteFunc(ks.KeyShares, func(share utls.KeyShare) bool {
|
||||
return share.Group == utls.X25519MLKEM768
|
||||
})
|
||||
}
|
||||
}
|
||||
// Rebuild the client hello
|
||||
err = uConn.BuildHandshakeState()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// --------------------------------------------------------------------
|
||||
|
||||
hello := uConn.HandshakeState.Hello
|
||||
rawSessionID := hello.Raw[39 : 39+32] // the location of session ID
|
||||
for i := range rawSessionID { // https://github.com/golang/go/issues/5373
|
||||
@ -144,7 +124,7 @@ func GetRealityConn(ctx context.Context, conn net.Conn, fingerprint UClientHello
|
||||
log.Debugln("REALITY Authentication: %v, AEAD: %T", verifier.verified, aeadCipher)
|
||||
|
||||
if !verifier.verified {
|
||||
go realityClientFallback(uConn, uConfig.ServerName, clientID)
|
||||
go realityClientFallback(uConn, uConfig.ServerName, fingerprint)
|
||||
return nil, errors.New("REALITY authentication failed")
|
||||
}
|
||||
|
||||
|
||||
@ -16,6 +16,7 @@ type Conn = utls.Conn
|
||||
type UConn = utls.UConn
|
||||
type UClientHelloID = utls.ClientHelloID
|
||||
|
||||
const VersionTLS12 = utls.VersionTLS12
|
||||
const VersionTLS13 = utls.VersionTLS13
|
||||
|
||||
func Client(c net.Conn, config *utls.Config) *Conn {
|
||||
@ -26,6 +27,14 @@ func UClient(c net.Conn, config *utls.Config, fingerprint UClientHelloID) *UConn
|
||||
return utls.UClient(c, config, fingerprint)
|
||||
}
|
||||
|
||||
func Server(c net.Conn, config *utls.Config) *Conn {
|
||||
return utls.Server(c, config)
|
||||
}
|
||||
|
||||
func NewListener(inner net.Listener, config *Config) net.Listener {
|
||||
return utls.NewListener(inner, config)
|
||||
}
|
||||
|
||||
func GetFingerprint(clientFingerprint string) (UClientHelloID, bool) {
|
||||
if len(clientFingerprint) == 0 {
|
||||
clientFingerprint = globalFingerprint
|
||||
@ -65,21 +74,26 @@ var randomFingerprint = once.OnceValue(func() UClientHelloID {
|
||||
return fingerprint
|
||||
})
|
||||
|
||||
var HelloChrome_Auto = utls.HelloChrome_Auto
|
||||
var HelloChrome_120 = utls.HelloChrome_120 // special fingerprint for some old protocols doesn't work with HelloChrome_Auto
|
||||
|
||||
var fingerprints = map[string]UClientHelloID{
|
||||
"chrome": utls.HelloChrome_Auto,
|
||||
"chrome": utls.HelloChrome_Auto,
|
||||
"firefox": utls.HelloFirefox_Auto,
|
||||
"safari": utls.HelloSafari_Auto,
|
||||
"ios": utls.HelloIOS_Auto,
|
||||
"android": utls.HelloAndroid_11_OkHttp,
|
||||
"edge": utls.HelloEdge_Auto,
|
||||
"360": utls.Hello360_Auto,
|
||||
"qq": utls.HelloQQ_Auto,
|
||||
"random": {},
|
||||
|
||||
// deprecated fingerprints should not be used
|
||||
"chrome_psk": utls.HelloChrome_100_PSK,
|
||||
"chrome_psk_shuffle": utls.HelloChrome_106_Shuffle,
|
||||
"chrome_padding_psk_shuffle": utls.HelloChrome_114_Padding_PSK_Shuf,
|
||||
"chrome_pq": utls.HelloChrome_115_PQ,
|
||||
"chrome_pq_psk": utls.HelloChrome_115_PQ_PSK,
|
||||
"firefox": utls.HelloFirefox_Auto,
|
||||
"safari": utls.HelloSafari_Auto,
|
||||
"ios": utls.HelloIOS_Auto,
|
||||
"android": utls.HelloAndroid_11_OkHttp,
|
||||
"edge": utls.HelloEdge_Auto,
|
||||
"360": utls.Hello360_Auto,
|
||||
"qq": utls.HelloQQ_Auto,
|
||||
"random": {},
|
||||
"randomized": utls.HelloRandomized,
|
||||
}
|
||||
|
||||
@ -93,7 +107,9 @@ func init() {
|
||||
fingerprints["randomized"] = randomized
|
||||
}
|
||||
|
||||
func UCertificates(it tls.Certificate) utls.Certificate {
|
||||
type Certificate = utls.Certificate
|
||||
|
||||
func UCertificate(it tls.Certificate) utls.Certificate {
|
||||
return utls.Certificate{
|
||||
Certificate: it.Certificate,
|
||||
PrivateKey: it.PrivateKey,
|
||||
@ -106,13 +122,15 @@ func UCertificates(it tls.Certificate) utls.Certificate {
|
||||
}
|
||||
}
|
||||
|
||||
type EncryptedClientHelloKey = utls.EncryptedClientHelloKey
|
||||
|
||||
type Config = utls.Config
|
||||
|
||||
func UConfig(config *tls.Config) *utls.Config {
|
||||
return &utls.Config{
|
||||
Rand: config.Rand,
|
||||
Time: config.Time,
|
||||
Certificates: utils.Map(config.Certificates, UCertificates),
|
||||
Certificates: utils.Map(config.Certificates, UCertificate),
|
||||
VerifyPeerCertificate: config.VerifyPeerCertificate,
|
||||
RootCAs: config.RootCAs,
|
||||
NextProtos: config.NextProtos,
|
||||
|
||||
@ -3,6 +3,7 @@ package updater
|
||||
import (
|
||||
"archive/tar"
|
||||
"archive/zip"
|
||||
"bytes"
|
||||
"compress/gzip"
|
||||
"fmt"
|
||||
"io"
|
||||
@ -32,6 +33,17 @@ const (
|
||||
typeTarGzip
|
||||
)
|
||||
|
||||
func (t compressionType) String() string {
|
||||
switch t {
|
||||
case typeZip:
|
||||
return "zip"
|
||||
case typeTarGzip:
|
||||
return "tar.gz"
|
||||
default:
|
||||
return "unknown"
|
||||
}
|
||||
}
|
||||
|
||||
var DefaultUiUpdater = &UIUpdater{}
|
||||
|
||||
func NewUiUpdater(externalUI, externalUIURL, externalUIName string) *UIUpdater {
|
||||
@ -99,48 +111,38 @@ func detectFileType(data []byte) compressionType {
|
||||
}
|
||||
|
||||
func (u *UIUpdater) downloadUI() error {
|
||||
err := u.prepareUIPath()
|
||||
if err != nil {
|
||||
return fmt.Errorf("prepare UI path failed: %w", err)
|
||||
}
|
||||
|
||||
data, err := downloadForBytes(u.externalUIURL)
|
||||
if err != nil {
|
||||
return fmt.Errorf("can't download file: %w", err)
|
||||
}
|
||||
|
||||
fileType := detectFileType(data)
|
||||
if fileType == typeUnknown {
|
||||
return fmt.Errorf("unknown or unsupported file type")
|
||||
tmpDir := C.Path.Resolve("downloadUI.tmp")
|
||||
defer os.RemoveAll(tmpDir)
|
||||
|
||||
os.RemoveAll(tmpDir) // cleanup tmp dir before extract
|
||||
log.Debugln("extractedFolder: %s", tmpDir)
|
||||
err = extract(data, tmpDir)
|
||||
if err != nil {
|
||||
return fmt.Errorf("can't extract compressed file: %w", err)
|
||||
}
|
||||
|
||||
ext := ".zip"
|
||||
if fileType == typeTarGzip {
|
||||
ext = ".tgz"
|
||||
}
|
||||
|
||||
saved := path.Join(C.Path.HomeDir(), "download"+ext)
|
||||
log.Debugln("compression Type: %s", ext)
|
||||
if err = saveFile(data, saved); err != nil {
|
||||
return fmt.Errorf("can't save compressed file: %w", err)
|
||||
}
|
||||
defer os.Remove(saved)
|
||||
|
||||
err = cleanup(u.externalUIPath)
|
||||
log.Debugln("cleanupFolder: %s", u.externalUIPath)
|
||||
err = cleanup(u.externalUIPath) // cleanup files in dir don't remove dir itself
|
||||
if err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
return fmt.Errorf("cleanup exist file error: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
extractedFolder, err := extract(saved, C.Path.HomeDir())
|
||||
err = u.prepareUIPath()
|
||||
if err != nil {
|
||||
return fmt.Errorf("can't extract compressed file: %w", err)
|
||||
return fmt.Errorf("prepare UI path failed: %w", err)
|
||||
}
|
||||
|
||||
err = os.Rename(extractedFolder, u.externalUIPath)
|
||||
log.Debugln("moveFolder from %s to %s", tmpDir, u.externalUIPath)
|
||||
err = moveDir(tmpDir, u.externalUIPath) // move files from tmp to target
|
||||
if err != nil {
|
||||
return fmt.Errorf("rename UI folder failed: %w", err)
|
||||
return fmt.Errorf("move UI folder failed: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@ -155,228 +157,109 @@ func (u *UIUpdater) prepareUIPath() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func unzip(src, dest string) (string, error) {
|
||||
r, err := zip.OpenReader(src)
|
||||
func unzip(data []byte, dest string) error {
|
||||
r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
|
||||
if err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
defer r.Close()
|
||||
|
||||
// check whether or not only exists singleRoot dir
|
||||
rootDir := ""
|
||||
isSingleRoot := true
|
||||
rootItemCount := 0
|
||||
for _, f := range r.File {
|
||||
parts := strings.Split(strings.Trim(f.Name, "/"), "/")
|
||||
if len(parts) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
if len(parts) == 1 {
|
||||
isDir := strings.HasSuffix(f.Name, "/")
|
||||
if !isDir {
|
||||
isSingleRoot = false
|
||||
break
|
||||
}
|
||||
|
||||
if rootDir == "" {
|
||||
rootDir = parts[0]
|
||||
}
|
||||
rootItemCount++
|
||||
}
|
||||
}
|
||||
|
||||
if rootItemCount != 1 {
|
||||
isSingleRoot = false
|
||||
}
|
||||
|
||||
// build the dir of extraction
|
||||
var extractedFolder string
|
||||
if isSingleRoot && rootDir != "" {
|
||||
// if the singleRoot, use it directly
|
||||
log.Debugln("Match the singleRoot")
|
||||
extractedFolder = filepath.Join(dest, rootDir)
|
||||
log.Debugln("extractedFolder: %s", extractedFolder)
|
||||
} else {
|
||||
log.Debugln("Match the multiRoot")
|
||||
// or put the files/dirs into new dir
|
||||
baseName := filepath.Base(src)
|
||||
baseName = strings.TrimSuffix(baseName, filepath.Ext(baseName))
|
||||
extractedFolder = filepath.Join(dest, baseName)
|
||||
|
||||
for i := 1; ; i++ {
|
||||
if _, err := os.Stat(extractedFolder); os.IsNotExist(err) {
|
||||
break
|
||||
}
|
||||
extractedFolder = filepath.Join(dest, fmt.Sprintf("%s_%d", baseName, i))
|
||||
}
|
||||
log.Debugln("extractedFolder: %s", extractedFolder)
|
||||
}
|
||||
|
||||
for _, f := range r.File {
|
||||
var fpath string
|
||||
if isSingleRoot && rootDir != "" {
|
||||
fpath = filepath.Join(dest, f.Name)
|
||||
} else {
|
||||
fpath = filepath.Join(extractedFolder, f.Name)
|
||||
}
|
||||
fpath := filepath.Join(dest, f.Name)
|
||||
|
||||
if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
|
||||
return "", fmt.Errorf("invalid file path: %s", fpath)
|
||||
if !inDest(fpath, dest) {
|
||||
return fmt.Errorf("invalid file path: %s", fpath)
|
||||
}
|
||||
if f.FileInfo().IsDir() {
|
||||
info := f.FileInfo()
|
||||
if info.IsDir() {
|
||||
os.MkdirAll(fpath, os.ModePerm)
|
||||
continue
|
||||
}
|
||||
if info.Mode()&os.ModeSymlink != 0 {
|
||||
continue // disallow symlink
|
||||
}
|
||||
if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
|
||||
if err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
rc, err := f.Open()
|
||||
if err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
_, err = io.Copy(outFile, rc)
|
||||
outFile.Close()
|
||||
rc.Close()
|
||||
if err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
}
|
||||
return extractedFolder, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
func untgz(src, dest string) (string, error) {
|
||||
file, err := os.Open(src)
|
||||
func untgz(data []byte, dest string) error {
|
||||
gzr, err := gzip.NewReader(bytes.NewReader(data))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
defer file.Close()
|
||||
|
||||
gzr, err := gzip.NewReader(file)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
defer gzr.Close()
|
||||
|
||||
tr := tar.NewReader(gzr)
|
||||
|
||||
rootDir := ""
|
||||
isSingleRoot := true
|
||||
rootItemCount := 0
|
||||
for {
|
||||
header, err := tr.Next()
|
||||
if err == io.EOF {
|
||||
break
|
||||
}
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
parts := strings.Split(cleanTarPath(header.Name), string(os.PathSeparator))
|
||||
if len(parts) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
if len(parts) == 1 {
|
||||
isDir := header.Typeflag == tar.TypeDir
|
||||
if !isDir {
|
||||
isSingleRoot = false
|
||||
break
|
||||
}
|
||||
|
||||
if rootDir == "" {
|
||||
rootDir = parts[0]
|
||||
}
|
||||
rootItemCount++
|
||||
}
|
||||
}
|
||||
|
||||
if rootItemCount != 1 {
|
||||
isSingleRoot = false
|
||||
}
|
||||
|
||||
file.Seek(0, 0)
|
||||
gzr, _ = gzip.NewReader(file)
|
||||
_ = gzr.Reset(bytes.NewReader(data))
|
||||
tr = tar.NewReader(gzr)
|
||||
|
||||
var extractedFolder string
|
||||
if isSingleRoot && rootDir != "" {
|
||||
log.Debugln("Match the singleRoot")
|
||||
extractedFolder = filepath.Join(dest, rootDir)
|
||||
log.Debugln("extractedFolder: %s", extractedFolder)
|
||||
} else {
|
||||
log.Debugln("Match the multiRoot")
|
||||
baseName := filepath.Base(src)
|
||||
baseName = strings.TrimSuffix(baseName, filepath.Ext(baseName))
|
||||
baseName = strings.TrimSuffix(baseName, ".tar")
|
||||
extractedFolder = filepath.Join(dest, baseName)
|
||||
|
||||
for i := 1; ; i++ {
|
||||
if _, err := os.Stat(extractedFolder); os.IsNotExist(err) {
|
||||
break
|
||||
}
|
||||
extractedFolder = filepath.Join(dest, fmt.Sprintf("%s_%d", baseName, i))
|
||||
}
|
||||
log.Debugln("extractedFolder: %s", extractedFolder)
|
||||
}
|
||||
|
||||
for {
|
||||
header, err := tr.Next()
|
||||
if err == io.EOF {
|
||||
break
|
||||
}
|
||||
if err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
|
||||
var fpath string
|
||||
if isSingleRoot && rootDir != "" {
|
||||
fpath = filepath.Join(dest, cleanTarPath(header.Name))
|
||||
} else {
|
||||
fpath = filepath.Join(extractedFolder, cleanTarPath(header.Name))
|
||||
}
|
||||
fpath := filepath.Join(dest, header.Name)
|
||||
|
||||
if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
|
||||
return "", fmt.Errorf("invalid file path: %s", fpath)
|
||||
if !inDest(fpath, dest) {
|
||||
return fmt.Errorf("invalid file path: %s", fpath)
|
||||
}
|
||||
|
||||
switch header.Typeflag {
|
||||
case tar.TypeDir:
|
||||
if err = os.MkdirAll(fpath, os.FileMode(header.Mode)); err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
case tar.TypeReg:
|
||||
if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, os.FileMode(header.Mode))
|
||||
if err != nil {
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
if _, err := io.Copy(outFile, tr); err != nil {
|
||||
outFile.Close()
|
||||
return "", err
|
||||
return err
|
||||
}
|
||||
outFile.Close()
|
||||
}
|
||||
}
|
||||
return extractedFolder, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
func extract(src, dest string) (string, error) {
|
||||
srcLower := strings.ToLower(src)
|
||||
switch {
|
||||
case strings.HasSuffix(srcLower, ".tar.gz") ||
|
||||
strings.HasSuffix(srcLower, ".tgz"):
|
||||
return untgz(src, dest)
|
||||
case strings.HasSuffix(srcLower, ".zip"):
|
||||
return unzip(src, dest)
|
||||
func extract(data []byte, dest string) error {
|
||||
fileType := detectFileType(data)
|
||||
log.Debugln("compression Type: %s", fileType)
|
||||
switch fileType {
|
||||
case typeZip:
|
||||
return unzip(data, dest)
|
||||
case typeTarGzip:
|
||||
return untgz(data, dest)
|
||||
default:
|
||||
return "", fmt.Errorf("unsupported file format: %s", src)
|
||||
return fmt.Errorf("unknown or unsupported file type")
|
||||
}
|
||||
}
|
||||
|
||||
@ -398,22 +281,49 @@ func cleanTarPath(path string) string {
|
||||
}
|
||||
|
||||
func cleanup(root string) error {
|
||||
if _, err := os.Stat(root); os.IsNotExist(err) {
|
||||
return nil
|
||||
dirEntryList, err := os.ReadDir(root)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
|
||||
|
||||
for _, dirEntry := range dirEntryList {
|
||||
err = os.RemoveAll(filepath.Join(root, dirEntry.Name()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if info.IsDir() {
|
||||
if err := os.RemoveAll(path); err != nil {
|
||||
return err
|
||||
}
|
||||
} else {
|
||||
if err := os.Remove(path); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
})
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func moveDir(src string, dst string) error {
|
||||
dirEntryList, err := os.ReadDir(src)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if len(dirEntryList) == 1 && dirEntryList[0].IsDir() {
|
||||
src = filepath.Join(src, dirEntryList[0].Name())
|
||||
log.Debugln("match the singleRoot: %s", src)
|
||||
dirEntryList, err = os.ReadDir(src)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
for _, dirEntry := range dirEntryList {
|
||||
err = os.Rename(filepath.Join(src, dirEntry.Name()), filepath.Join(dst, dirEntry.Name()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func inDest(fpath, dest string) bool {
|
||||
if rel, err := filepath.Rel(dest, fpath); err == nil {
|
||||
if filepath.IsLocal(rel) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
@ -7,6 +7,7 @@ import (
|
||||
"net"
|
||||
"net/netip"
|
||||
"net/url"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
_ "unsafe"
|
||||
@ -174,6 +175,7 @@ type Profile struct {
|
||||
type TLS struct {
|
||||
Certificate string
|
||||
PrivateKey string
|
||||
EchKey string
|
||||
CustomTrustCert []string
|
||||
}
|
||||
|
||||
@ -360,6 +362,7 @@ type RawSniffingConfig struct {
|
||||
type RawTLS struct {
|
||||
Certificate string `yaml:"certificate" json:"certificate"`
|
||||
PrivateKey string `yaml:"private-key" json:"private-key"`
|
||||
EchKey string `yaml:"ech-key" json:"ech-key"`
|
||||
CustomTrustCert []string `yaml:"custom-certifactes" json:"custom-certifactes"`
|
||||
}
|
||||
|
||||
@ -757,6 +760,9 @@ func parseController(cfg *RawConfig) (*Controller, error) {
|
||||
if path := cfg.ExternalUI; path != "" && !C.Path.IsSafePath(path) {
|
||||
return nil, C.Path.ErrNotSafePath(path)
|
||||
}
|
||||
if uiName := cfg.ExternalUIName; uiName != "" && !filepath.IsLocal(uiName) {
|
||||
return nil, fmt.Errorf("external UI name is not local: %s", uiName)
|
||||
}
|
||||
return &Controller{
|
||||
ExternalController: cfg.ExternalController,
|
||||
ExternalUI: cfg.ExternalUI,
|
||||
@ -814,6 +820,7 @@ func parseTLS(cfg *RawConfig) (*TLS, error) {
|
||||
return &TLS{
|
||||
Certificate: cfg.TLS.Certificate,
|
||||
PrivateKey: cfg.TLS.PrivateKey,
|
||||
EchKey: cfg.TLS.EchKey,
|
||||
CustomTrustCert: cfg.TLS.CustomTrustCert,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@ -127,6 +127,28 @@ func (r *Resolver) shouldIPFallback(ip netip.Addr) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func (r *Resolver) ResolveECH(ctx context.Context, host string) ([]byte, error) {
|
||||
query := &D.Msg{}
|
||||
query.SetQuestion(D.Fqdn(host), D.TypeHTTPS)
|
||||
|
||||
msg, err := r.ExchangeContext(ctx, query)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for _, rr := range msg.Answer {
|
||||
switch resource := rr.(type) {
|
||||
case *D.HTTPS:
|
||||
for _, value := range resource.Value {
|
||||
if echConfig, ok := value.(*D.SVCBECHConfig); ok {
|
||||
return echConfig.ECH, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil, errors.New("no ECH config found in DNS records")
|
||||
}
|
||||
|
||||
// ExchangeContext a batch of dns request with context.Context, and it use cache
|
||||
func (r *Resolver) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
|
||||
if len(m.Question) == 0 {
|
||||
|
||||
100
docs/config.yaml
100
docs/config.yaml
@ -48,6 +48,13 @@ ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS
|
||||
tls:
|
||||
certificate: string # 证书 PEM 格式,或者 证书的路径
|
||||
private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
custom-certifactes:
|
||||
- |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
@ -427,6 +434,10 @@ proxies: # socks5
|
||||
# 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
|
||||
# 配置指纹将实现 SSL Pining 效果
|
||||
# fingerprint: xxxx
|
||||
# ech-opts:
|
||||
# enable: true # 必须手动开启
|
||||
# # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
|
||||
# config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
|
||||
# skip-cert-verify: true
|
||||
# host: bing.com
|
||||
# path: "/"
|
||||
@ -527,6 +538,10 @@ proxies: # socks5
|
||||
# skip-cert-verify: true
|
||||
# servername: example.com # priority over wss host
|
||||
# network: ws
|
||||
# ech-opts:
|
||||
# enable: true # 必须手动开启
|
||||
# # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
|
||||
# config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
|
||||
# ws-opts:
|
||||
# path: /path
|
||||
# headers:
|
||||
@ -599,6 +614,10 @@ proxies: # socks5
|
||||
# skip-cert-verify: true
|
||||
# fingerprint: xxxx
|
||||
# client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
|
||||
# ech-opts:
|
||||
# enable: true # 必须手动开启
|
||||
# # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
|
||||
# config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
|
||||
|
||||
- name: "vless-vision"
|
||||
type: vless
|
||||
@ -626,6 +645,7 @@ proxies: # socks5
|
||||
reality-opts:
|
||||
public-key: xxx
|
||||
short-id: xxx # optional
|
||||
support-x25519mlkem768: false # 如果服务端支持可手动设置为true
|
||||
client-fingerprint: chrome # cannot be empty
|
||||
|
||||
- name: "vless-reality-grpc"
|
||||
@ -645,6 +665,7 @@ proxies: # socks5
|
||||
reality-opts:
|
||||
public-key: CrrQSjAG_YkHLwvM2M-7XkKJilgL5upBKCp0od0tLhE
|
||||
short-id: 10f897e26c4b9478
|
||||
support-x25519mlkem768: false # 如果服务端支持可手动设置为true
|
||||
|
||||
- name: "vless-ws"
|
||||
type: vless
|
||||
@ -683,6 +704,10 @@ proxies: # socks5
|
||||
# enabled: false
|
||||
# method: aes-128-gcm # aes-128-gcm/aes-256-gcm/chacha20-ietf-poly1305
|
||||
# password: "example"
|
||||
# ech-opts:
|
||||
# enable: true # 必须手动开启
|
||||
# # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
|
||||
# config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
|
||||
|
||||
- name: trojan-grpc
|
||||
server: server
|
||||
@ -740,6 +765,10 @@ proxies: # socks5
|
||||
up: "30 Mbps" # 若不写单位,默认为 Mbps
|
||||
down: "200 Mbps" # 若不写单位,默认为 Mbps
|
||||
# sni: server.com
|
||||
# ech-opts:
|
||||
# enable: true # 必须手动开启
|
||||
# # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
|
||||
# config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
|
||||
# skip-cert-verify: false
|
||||
# recv-window-conn: 12582912
|
||||
# recv-window: 52428800
|
||||
@ -763,6 +792,10 @@ proxies: # socks5
|
||||
# obfs: salamander # 默认为空,如果填写则开启 obfs,目前仅支持 salamander
|
||||
# obfs-password: yourpassword
|
||||
# sni: server.com
|
||||
# ech-opts:
|
||||
# enable: true # 必须手动开启
|
||||
# # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
|
||||
# config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
|
||||
# skip-cert-verify: false
|
||||
# fingerprint: xxxx
|
||||
# alpn:
|
||||
@ -838,6 +871,10 @@ proxies: # socks5
|
||||
# skip-cert-verify: true
|
||||
# max-open-streams: 20 # default 100, too many open streams may hurt performance
|
||||
# sni: example.com
|
||||
# ech-opts:
|
||||
# enable: true # 必须手动开启
|
||||
# # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
|
||||
# config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
|
||||
#
|
||||
# meta 和 sing-box 私有扩展,将 ss-uot 用于 udp 中继,开启此选项后 udp-relay-mode 将失效
|
||||
# 警告,与原版 tuic 不兼容!!!
|
||||
@ -1127,6 +1164,13 @@ listeners:
|
||||
# 下面两项如果填写则开启 tls(需要同时填写)
|
||||
# certificate: ./server.crt
|
||||
# private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
|
||||
- name: http-in-1
|
||||
type: http
|
||||
@ -1140,6 +1184,13 @@ listeners:
|
||||
# 下面两项如果填写则开启 tls(需要同时填写)
|
||||
# certificate: ./server.crt
|
||||
# private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
|
||||
- name: mixed-in-1
|
||||
type: mixed # HTTP(S) 和 SOCKS 代理混合
|
||||
@ -1154,6 +1205,13 @@ listeners:
|
||||
# 下面两项如果填写则开启 tls(需要同时填写)
|
||||
# certificate: ./server.crt
|
||||
# private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
|
||||
- name: reidr-in-1
|
||||
type: redir
|
||||
@ -1203,6 +1261,13 @@ listeners:
|
||||
# 下面两项如果填写则开启 tls(需要同时填写)
|
||||
# certificate: ./server.crt
|
||||
# private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
# 如果填写reality-config则开启reality(注意不可与certificate和private-key同时填写)
|
||||
# reality-config:
|
||||
# dest: test.com:443
|
||||
@ -1225,6 +1290,13 @@ listeners:
|
||||
# 00000000-0000-0000-0000-000000000001: PASSWORD_1
|
||||
# certificate: ./server.crt
|
||||
# private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
# congestion-controller: bbr
|
||||
# max-idle-time: 15000
|
||||
# authentication-timeout: 1000
|
||||
@ -1256,6 +1328,13 @@ listeners:
|
||||
# 下面两项如果填写则开启 tls(需要同时填写)
|
||||
# certificate: ./server.crt
|
||||
# private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
# 如果填写reality-config则开启reality(注意不可与certificate和private-key同时填写)
|
||||
reality-config:
|
||||
dest: test.com:443
|
||||
@ -1276,6 +1355,13 @@ listeners:
|
||||
# "certificate" and "private-key" are required
|
||||
certificate: ./server.crt
|
||||
private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
# padding-scheme: "" # https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme
|
||||
|
||||
- name: trojan-in-1
|
||||
@ -1292,6 +1378,13 @@ listeners:
|
||||
# 下面两项如果填写则开启 tls(需要同时填写)
|
||||
certificate: ./server.crt
|
||||
private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
# 如果填写reality-config则开启reality(注意不可与certificate和private-key同时填写)
|
||||
# reality-config:
|
||||
# dest: test.com:443
|
||||
@ -1317,6 +1410,13 @@ listeners:
|
||||
00000000-0000-0000-0000-000000000001: PASSWORD_1
|
||||
# certificate: ./server.crt
|
||||
# private-key: ./server.key
|
||||
# 如果填写则开启ech(可由 mihomo generate ech-keypair <明文域名> 生成)
|
||||
# ech-key: |
|
||||
# -----BEGIN ECH KEYS-----
|
||||
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
|
||||
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
|
||||
# dC5jb20AAA==
|
||||
# -----END ECH KEYS-----
|
||||
## up 和 down 均不写或为 0 则使用 BBR 流控
|
||||
# up: "30 Mbps" # 若不写单位,默认为 Mbps
|
||||
# down: "200 Mbps" # 若不写单位,默认为 Mbps
|
||||
|
||||
10
go.mod
10
go.mod
@ -18,7 +18,7 @@ require (
|
||||
github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
|
||||
github.com/mdlayher/netlink v1.7.2
|
||||
github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab
|
||||
github.com/metacubex/bart v0.19.0
|
||||
github.com/metacubex/bart v0.20.5
|
||||
github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399
|
||||
github.com/metacubex/chacha v0.1.2
|
||||
github.com/metacubex/fswatch v0.1.1
|
||||
@ -27,7 +27,7 @@ require (
|
||||
github.com/metacubex/randv2 v0.2.0
|
||||
github.com/metacubex/sing v0.5.3-0.20250504031621-1f99e54c15b7
|
||||
github.com/metacubex/sing-mux v0.3.2
|
||||
github.com/metacubex/sing-quic v0.0.0-20250511034158-b46e0e3e81b2
|
||||
github.com/metacubex/sing-quic v0.0.0-20250520025433-6e556a6bef7a
|
||||
github.com/metacubex/sing-shadowsocks v0.2.9
|
||||
github.com/metacubex/sing-shadowsocks2 v0.2.3
|
||||
github.com/metacubex/sing-shadowtls v0.0.0-20250503063515-5d9f966d17a2
|
||||
@ -35,8 +35,8 @@ require (
|
||||
github.com/metacubex/sing-vmess v0.2.1
|
||||
github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f
|
||||
github.com/metacubex/smux v0.0.0-20250503055512-501391591dee
|
||||
github.com/metacubex/tfo-go v0.0.0-20250503140532-decbcfccbfdf
|
||||
github.com/metacubex/utls v1.7.0-alpha.3
|
||||
github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4
|
||||
github.com/metacubex/utls v1.7.3
|
||||
github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181
|
||||
github.com/miekg/dns v1.1.63 // lastest version compatible with golang1.20
|
||||
github.com/mroth/weightedrand/v2 v2.1.0
|
||||
@ -72,7 +72,7 @@ require (
|
||||
github.com/buger/jsonparser v1.1.1 // indirect
|
||||
github.com/cloudflare/circl v1.3.7 // indirect
|
||||
github.com/davecgh/go-spew v1.1.1 // indirect
|
||||
github.com/ebitengine/purego v0.8.3-0.20250507171810-1638563e3615 // indirect
|
||||
github.com/ebitengine/purego v0.8.3 // indirect
|
||||
github.com/ericlagergren/aegis v0.0.0-20250325060835-cd0defd64358 // indirect
|
||||
github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 // indirect
|
||||
github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1 // indirect
|
||||
|
||||
20
go.sum
20
go.sum
@ -26,8 +26,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
|
||||
github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
|
||||
github.com/ebitengine/purego v0.8.3-0.20250507171810-1638563e3615 h1:W7mpP4uiOAbBOdDnRXT9EUdauFv7bz+ERT5rPIord00=
|
||||
github.com/ebitengine/purego v0.8.3-0.20250507171810-1638563e3615/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
|
||||
github.com/ebitengine/purego v0.8.3 h1:K+0AjQp63JEZTEMZiwsI9g0+hAMNohwUOtY0RPGexmc=
|
||||
github.com/ebitengine/purego v0.8.3/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
|
||||
github.com/enfein/mieru/v3 v3.13.0 h1:eGyxLGkb+lut9ebmx+BGwLJ5UMbEc/wGIYO0AXEKy98=
|
||||
github.com/enfein/mieru/v3 v3.13.0/go.mod h1:zJBUCsi5rxyvHM8fjFf+GLaEl4OEjjBXr1s5F6Qd3hM=
|
||||
github.com/ericlagergren/aegis v0.0.0-20250325060835-cd0defd64358 h1:kXYqH/sL8dS/FdoFjr12ePjnLPorPo2FsnrHNuXSDyo=
|
||||
@ -97,8 +97,8 @@ github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U
|
||||
github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
|
||||
github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab h1:Chbw+/31UC14YFNr78pESt5Vowlc62zziw05JCUqoL4=
|
||||
github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab/go.mod h1:xVKK8jC5Sd3hfh7WjmCq+HorehIbrBijaUWmcuKjPcI=
|
||||
github.com/metacubex/bart v0.19.0 h1:XQ9AJeI+WO+phRPkUOoflAFwlqDJnm5BPQpixciJQBY=
|
||||
github.com/metacubex/bart v0.19.0/go.mod h1:DCcyfP4MC+Zy7sLK7XeGuMw+P5K9mIRsYOBgiE8icsI=
|
||||
github.com/metacubex/bart v0.20.5 h1:XkgLZ17QxfxkqKdGsojoM2Zu01mmHyyQSFzt2/calTM=
|
||||
github.com/metacubex/bart v0.20.5/go.mod h1:DCcyfP4MC+Zy7sLK7XeGuMw+P5K9mIRsYOBgiE8icsI=
|
||||
github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399 h1:oBowHVKZycNtAFbZ6avaCSZJYeme2Nrj+4RpV2cNJig=
|
||||
github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399/go.mod h1:4xcieuIK+M4bGQmQYZVqEaIYqjS1ahO4kXG7EmDgEro=
|
||||
github.com/metacubex/chacha v0.1.2 h1:QulCq3eVm3TO6+4nVIWJtmSe7BT2GMrgVHuAoqRQnlc=
|
||||
@ -120,8 +120,8 @@ github.com/metacubex/sing v0.5.3-0.20250504031621-1f99e54c15b7 h1:m4nSxvw46JEgxM
|
||||
github.com/metacubex/sing v0.5.3-0.20250504031621-1f99e54c15b7/go.mod h1:ypf0mjwlZm0sKdQSY+yQvmsbWa0hNPtkeqyRMGgoN+w=
|
||||
github.com/metacubex/sing-mux v0.3.2 h1:nJv52pyRivHcaZJKk2JgxpaVvj1GAXG81scSa9N7ncw=
|
||||
github.com/metacubex/sing-mux v0.3.2/go.mod h1:3rt1soewn0O6j89GCLmwAQFsq257u0jf2zQSPhTL3Bw=
|
||||
github.com/metacubex/sing-quic v0.0.0-20250511034158-b46e0e3e81b2 h1:wfmYgtECbEYo1slMtyo+2kMqscYYDSjU/TVgS3018F4=
|
||||
github.com/metacubex/sing-quic v0.0.0-20250511034158-b46e0e3e81b2/go.mod h1:P1kd57U6XXmXv9PbwWdznUGT0k9bKgFJXF0fEORbIlk=
|
||||
github.com/metacubex/sing-quic v0.0.0-20250520025433-6e556a6bef7a h1:Ho73vGiB94LmtK5T+tKVwtCNEi/YiHmPjlqpHSAmAVs=
|
||||
github.com/metacubex/sing-quic v0.0.0-20250520025433-6e556a6bef7a/go.mod h1:JPTpf7fpnojsSuwRJExhSZSy63pVbp3VM39+zj+sAJM=
|
||||
github.com/metacubex/sing-shadowsocks v0.2.9 h1:2e++13WNN7EGjGtvrGLUzW1xrCdQbW2gIFpgw5GEw00=
|
||||
github.com/metacubex/sing-shadowsocks v0.2.9/go.mod h1:CJSEGO4FWQAWe+ZiLZxCweGdjRR60A61SIoVjdjQeBA=
|
||||
github.com/metacubex/sing-shadowsocks2 v0.2.3 h1:v3rNS/5Ywh0NIZ6VU/NmdERQIN5RePzyxCFeQsU4Cx0=
|
||||
@ -136,10 +136,10 @@ github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f h1:Sr/DYK
|
||||
github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f/go.mod h1:jpAkVLPnCpGSfNyVmj6Cq4YbuZsFepm/Dc+9BAOcR80=
|
||||
github.com/metacubex/smux v0.0.0-20250503055512-501391591dee h1:lp6hJ+4wCLZu113awp7P6odM2okB5s60HUyF0FMqKmo=
|
||||
github.com/metacubex/smux v0.0.0-20250503055512-501391591dee/go.mod h1:4bPD8HWx9jPJ9aE4uadgyN7D1/Wz3KmPy+vale8sKLE=
|
||||
github.com/metacubex/tfo-go v0.0.0-20250503140532-decbcfccbfdf h1:LwID1wz4tzypidd412dd4dC1H0m1TgRCQ/XvRvMJDFM=
|
||||
github.com/metacubex/tfo-go v0.0.0-20250503140532-decbcfccbfdf/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
|
||||
github.com/metacubex/utls v1.7.0-alpha.3 h1:cp1cEMUnoifiWrGHRzo+nCwPRveN9yPD8QaRFmfcYxA=
|
||||
github.com/metacubex/utls v1.7.0-alpha.3/go.mod h1:oknYT0qTOwE4hjPmZOEpzVdefnW7bAdGLvZcqmk4TLU=
|
||||
github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4 h1:j1VRTiC9JLR4nUbSikx9OGdu/3AgFDqgcLj4GoqyQkc=
|
||||
github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
|
||||
github.com/metacubex/utls v1.7.3 h1:yDcMEWojFh+t8rU9X0HPcZDPAoFze/rIIyssqivzj8A=
|
||||
github.com/metacubex/utls v1.7.3/go.mod h1:oknYT0qTOwE4hjPmZOEpzVdefnW7bAdGLvZcqmk4TLU=
|
||||
github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181 h1:hJLQviGySBuaynlCwf/oYgIxbVbGRUIKZCxdya9YrbQ=
|
||||
github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181/go.mod h1:phewKljNYiTVT31Gcif8RiCKnTUOgVWFJjccqYM8s+Y=
|
||||
github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
|
||||
|
||||
@ -57,6 +57,7 @@ func applyRoute(cfg *config.Config) {
|
||||
Secret: cfg.Controller.Secret,
|
||||
Certificate: cfg.TLS.Certificate,
|
||||
PrivateKey: cfg.TLS.PrivateKey,
|
||||
EchKey: cfg.TLS.EchKey,
|
||||
DohServer: cfg.Controller.ExternalDohServer,
|
||||
IsDebug: cfg.General.LogLevel == log.DEBUG,
|
||||
Cors: route.Cors{
|
||||
|
||||
@ -3,7 +3,6 @@ package route
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/subtle"
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"net"
|
||||
"net/http"
|
||||
@ -17,6 +16,8 @@ import (
|
||||
"github.com/metacubex/mihomo/adapter/inbound"
|
||||
"github.com/metacubex/mihomo/common/utils"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
"github.com/metacubex/mihomo/log"
|
||||
"github.com/metacubex/mihomo/tunnel/statistic"
|
||||
@ -62,6 +63,7 @@ type Config struct {
|
||||
Secret string
|
||||
Certificate string
|
||||
PrivateKey string
|
||||
EchKey string
|
||||
DohServer string
|
||||
IsDebug bool
|
||||
Cors Cors
|
||||
@ -186,7 +188,7 @@ func startTLS(cfg *Config) {
|
||||
|
||||
// handle tlsAddr
|
||||
if len(cfg.TLSAddr) > 0 {
|
||||
c, err := ca.LoadTLSKeyPair(cfg.Certificate, cfg.PrivateKey, C.Path)
|
||||
cert, err := ca.LoadTLSKeyPair(cfg.Certificate, cfg.PrivateKey, C.Path)
|
||||
if err != nil {
|
||||
log.Errorln("External controller tls listen error: %s", err)
|
||||
return
|
||||
@ -199,14 +201,22 @@ func startTLS(cfg *Config) {
|
||||
}
|
||||
|
||||
log.Infoln("RESTful API tls listening at: %s", l.Addr().String())
|
||||
tlsConfig := &tlsC.Config{}
|
||||
tlsConfig.NextProtos = []string{"h2", "http/1.1"}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if cfg.EchKey != "" {
|
||||
err = ech.LoadECHKey(cfg.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
log.Errorln("External controller tls serve error: %s", err)
|
||||
return
|
||||
}
|
||||
}
|
||||
server := &http.Server{
|
||||
Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer, cfg.Cors),
|
||||
TLSConfig: &tls.Config{
|
||||
Certificates: []tls.Certificate{c},
|
||||
},
|
||||
}
|
||||
tlsServer = server
|
||||
if err = server.ServeTLS(l, "", ""); err != nil {
|
||||
if err = server.Serve(tlsC.NewListenerForHttps(l, server, tlsConfig)); err != nil {
|
||||
log.Errorln("External controller tls serve error: %s", err)
|
||||
}
|
||||
}
|
||||
|
||||
@ -3,7 +3,6 @@ package anytls
|
||||
import (
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"crypto/tls"
|
||||
"encoding/binary"
|
||||
"errors"
|
||||
"net"
|
||||
@ -13,6 +12,8 @@ import (
|
||||
"github.com/metacubex/mihomo/common/atomic"
|
||||
"github.com/metacubex/mihomo/common/buf"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
"github.com/metacubex/mihomo/listener/sing"
|
||||
@ -28,7 +29,7 @@ type Listener struct {
|
||||
closed bool
|
||||
config LC.AnyTLSServer
|
||||
listeners []net.Listener
|
||||
tlsConfig *tls.Config
|
||||
tlsConfig *tlsC.Config
|
||||
userMap map[[32]byte]string
|
||||
padding atomic.TypedValue[*padding.PaddingFactory]
|
||||
}
|
||||
@ -41,13 +42,20 @@ func New(config LC.AnyTLSServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
}
|
||||
}
|
||||
|
||||
tlsConfig := &tls.Config{}
|
||||
tlsConfig := &tlsC.Config{}
|
||||
if config.Certificate != "" && config.PrivateKey != "" {
|
||||
cert, err := ca.LoadTLSKeyPair(config.Certificate, config.PrivateKey, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig.Certificates = []tls.Certificate{cert}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sl = &Listener{
|
||||
@ -87,7 +95,7 @@ func New(config LC.AnyTLSServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
return nil, err
|
||||
}
|
||||
if len(tlsConfig.Certificates) > 0 {
|
||||
l = tls.NewListener(l, tlsConfig)
|
||||
l = tlsC.NewListener(l, tlsConfig)
|
||||
} else {
|
||||
return nil, errors.New("disallow using AnyTLS without certificates config")
|
||||
}
|
||||
|
||||
@ -10,6 +10,7 @@ type AnyTLSServer struct {
|
||||
Users map[string]string `yaml:"users" json:"users,omitempty"`
|
||||
Certificate string `yaml:"certificate" json:"certificate"`
|
||||
PrivateKey string `yaml:"private-key" json:"private-key"`
|
||||
EchKey string `yaml:"ech-key" json:"ech-key"`
|
||||
PaddingScheme string `yaml:"padding-scheme" json:"padding-scheme,omitempty"`
|
||||
}
|
||||
|
||||
|
||||
@ -12,5 +12,6 @@ type AuthServer struct {
|
||||
AuthStore auth.AuthStore
|
||||
Certificate string
|
||||
PrivateKey string
|
||||
EchKey string
|
||||
RealityConfig reality.Config
|
||||
}
|
||||
|
||||
@ -14,6 +14,7 @@ type Hysteria2Server struct {
|
||||
ObfsPassword string `yaml:"obfs-password" json:"obfs-password,omitempty"`
|
||||
Certificate string `yaml:"certificate" json:"certificate"`
|
||||
PrivateKey string `yaml:"private-key" json:"private-key"`
|
||||
EchKey string `yaml:"ech-key" json:"ech-key,omitempty"`
|
||||
MaxIdleTime int `yaml:"max-idle-time" json:"max-idle-time,omitempty"`
|
||||
ALPN []string `yaml:"alpn" json:"alpn,omitempty"`
|
||||
Up string `yaml:"up" json:"up,omitempty"`
|
||||
|
||||
@ -20,6 +20,7 @@ type TrojanServer struct {
|
||||
GrpcServiceName string
|
||||
Certificate string
|
||||
PrivateKey string
|
||||
EchKey string
|
||||
RealityConfig reality.Config
|
||||
MuxOption sing.MuxOption
|
||||
TrojanSSOption TrojanSSOption
|
||||
|
||||
@ -13,6 +13,7 @@ type TuicServer struct {
|
||||
Users map[string]string `yaml:"users" json:"users,omitempty"`
|
||||
Certificate string `yaml:"certificate" json:"certificate"`
|
||||
PrivateKey string `yaml:"private-key" json:"private-key"`
|
||||
EchKey string `yaml:"ech-key" json:"ech-key"`
|
||||
CongestionController string `yaml:"congestion-controller" json:"congestion-controller,omitempty"`
|
||||
MaxIdleTime int `yaml:"max-idle-time" json:"max-idle-time,omitempty"`
|
||||
AuthenticationTimeout int `yaml:"authentication-timeout" json:"authentication-timeout,omitempty"`
|
||||
|
||||
@ -21,6 +21,7 @@ type VlessServer struct {
|
||||
GrpcServiceName string
|
||||
Certificate string
|
||||
PrivateKey string
|
||||
EchKey string
|
||||
RealityConfig reality.Config
|
||||
MuxOption sing.MuxOption `yaml:"mux-option" json:"mux-option,omitempty"`
|
||||
}
|
||||
|
||||
@ -21,6 +21,7 @@ type VmessServer struct {
|
||||
GrpcServiceName string
|
||||
Certificate string
|
||||
PrivateKey string
|
||||
EchKey string
|
||||
RealityConfig reality.Config
|
||||
MuxOption sing.MuxOption `yaml:"mux-option" json:"mux-option,omitempty"`
|
||||
}
|
||||
|
||||
@ -1,12 +1,13 @@
|
||||
package http
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"net"
|
||||
|
||||
"github.com/metacubex/mihomo/adapter/inbound"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
authStore "github.com/metacubex/mihomo/listener/auth"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
@ -64,7 +65,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tlsConfig := &tls.Config{}
|
||||
tlsConfig := &tlsC.Config{}
|
||||
var realityBuilder *reality.Builder
|
||||
|
||||
if config.Certificate != "" && config.PrivateKey != "" {
|
||||
@ -72,7 +73,14 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig.Certificates = []tls.Certificate{cert}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
if config.RealityConfig.PrivateKey != "" {
|
||||
if tlsConfig.Certificates != nil {
|
||||
@ -87,7 +95,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
if realityBuilder != nil {
|
||||
l = realityBuilder.NewListener(l)
|
||||
} else if len(tlsConfig.Certificates) > 0 {
|
||||
l = tls.NewListener(l, tlsConfig)
|
||||
l = tlsC.NewListener(l, tlsConfig)
|
||||
}
|
||||
|
||||
hl := &Listener{
|
||||
|
||||
@ -14,6 +14,7 @@ type AnyTLSOption struct {
|
||||
Users map[string]string `inbound:"users,omitempty"`
|
||||
Certificate string `inbound:"certificate"`
|
||||
PrivateKey string `inbound:"private-key"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
PaddingScheme string `inbound:"padding-scheme,omitempty"`
|
||||
}
|
||||
|
||||
@ -42,6 +43,7 @@ func NewAnyTLS(options *AnyTLSOption) (*AnyTLS, error) {
|
||||
Users: options.Users,
|
||||
Certificate: options.Certificate,
|
||||
PrivateKey: options.PrivateKey,
|
||||
EchKey: options.EchKey,
|
||||
PaddingScheme: options.PaddingScheme,
|
||||
},
|
||||
}, nil
|
||||
|
||||
@ -60,4 +60,14 @@ func TestInboundAnyTLS_TLS(t *testing.T) {
|
||||
Fingerprint: tlsFingerprint,
|
||||
}
|
||||
testInboundAnyTLS(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundAnyTLS(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
@ -18,12 +18,15 @@ import (
|
||||
"github.com/metacubex/mihomo/common/utils"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/dialer"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
"github.com/metacubex/mihomo/component/generater"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
"github.com/go-chi/render"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"golang.org/x/net/http2"
|
||||
)
|
||||
|
||||
var httpPath = "/inbound_test"
|
||||
@ -38,6 +41,8 @@ var realityPrivateKey, realityPublickey string
|
||||
var realityDest = "itunes.apple.com"
|
||||
var realityShortid = "10f897e26c4b9478"
|
||||
var realityRealDial = false
|
||||
var echPublicSni = "public.sni"
|
||||
var echConfigBase64, echKeyPem, _ = ech.GenECHConfig(echPublicSni)
|
||||
|
||||
func init() {
|
||||
rand.Read(httpData)
|
||||
@ -131,7 +136,10 @@ func NewHttpTestTunnel() *TestTunnel {
|
||||
r.Get(httpPath, func(w http.ResponseWriter, r *http.Request) {
|
||||
render.Data(w, r, httpData)
|
||||
})
|
||||
go http.Serve(ln, r)
|
||||
h2Server := &http2.Server{}
|
||||
server := http.Server{Handler: r}
|
||||
_ = http2.ConfigureServer(&server, h2Server)
|
||||
go server.Serve(ln)
|
||||
testFn := func(t *testing.T, proxy C.ProxyAdapter, proto string) {
|
||||
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s://%s%s", proto, remoteAddr, httpPath), nil)
|
||||
if !assert.NoError(t, err) {
|
||||
@ -205,23 +213,27 @@ func NewHttpTestTunnel() *TestTunnel {
|
||||
ch: make(chan struct{}),
|
||||
}
|
||||
if metadata.DstPort == 443 {
|
||||
tlsConn := tls.Server(c, tlsConfig.Clone())
|
||||
tlsConn := tlsC.Server(c, tlsC.UConfig(tlsConfig))
|
||||
if metadata.Host == realityDest { // ignore the tls handshake error for realityDest
|
||||
if realityRealDial {
|
||||
rconn, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress())
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
N.Relay(rconn, tlsConn)
|
||||
return
|
||||
}
|
||||
ctx, cancel := context.WithTimeout(ctx, C.DefaultTLSTimeout)
|
||||
defer cancel()
|
||||
if err := tlsConn.HandshakeContext(ctx); err != nil {
|
||||
N.Relay(rconn, conn)
|
||||
return
|
||||
}
|
||||
}
|
||||
ln.ch <- tlsConn
|
||||
ctx, cancel := context.WithTimeout(ctx, C.DefaultTLSTimeout)
|
||||
defer cancel()
|
||||
if err := tlsConn.HandshakeContext(ctx); err != nil {
|
||||
return
|
||||
}
|
||||
if tlsConn.ConnectionState().NegotiatedProtocol == http2.NextProtoTLS {
|
||||
h2Server.ServeConn(tlsConn, &http2.ServeConnOpts{BaseConfig: &server})
|
||||
} else {
|
||||
ln.ch <- tlsConn
|
||||
}
|
||||
} else {
|
||||
ln.ch <- c
|
||||
}
|
||||
|
||||
@ -16,6 +16,7 @@ type HTTPOption struct {
|
||||
Users AuthUsers `inbound:"users,omitempty"`
|
||||
Certificate string `inbound:"certificate,omitempty"`
|
||||
PrivateKey string `inbound:"private-key,omitempty"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
RealityConfig RealityConfig `inbound:"reality-config,omitempty"`
|
||||
}
|
||||
|
||||
@ -64,6 +65,7 @@ func (h *HTTP) Listen(tunnel C.Tunnel) error {
|
||||
AuthStore: h.config.Users.GetAuthStore(),
|
||||
Certificate: h.config.Certificate,
|
||||
PrivateKey: h.config.PrivateKey,
|
||||
EchKey: h.config.EchKey,
|
||||
RealityConfig: h.config.RealityConfig.Build(),
|
||||
},
|
||||
tunnel,
|
||||
|
||||
@ -16,6 +16,7 @@ type Hysteria2Option struct {
|
||||
ObfsPassword string `inbound:"obfs-password,omitempty"`
|
||||
Certificate string `inbound:"certificate"`
|
||||
PrivateKey string `inbound:"private-key"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
MaxIdleTime int `inbound:"max-idle-time,omitempty"`
|
||||
ALPN []string `inbound:"alpn,omitempty"`
|
||||
Up string `inbound:"up,omitempty"`
|
||||
@ -60,6 +61,7 @@ func NewHysteria2(options *Hysteria2Option) (*Hysteria2, error) {
|
||||
ObfsPassword: options.ObfsPassword,
|
||||
Certificate: options.Certificate,
|
||||
PrivateKey: options.PrivateKey,
|
||||
EchKey: options.EchKey,
|
||||
MaxIdleTime: options.MaxIdleTime,
|
||||
ALPN: options.ALPN,
|
||||
Up: options.Up,
|
||||
|
||||
@ -60,6 +60,16 @@ func TestInboundHysteria2_TLS(t *testing.T) {
|
||||
Fingerprint: tlsFingerprint,
|
||||
}
|
||||
testInboundHysteria2(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundHysteria2(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundHysteria2_Salamander(t *testing.T) {
|
||||
@ -75,6 +85,16 @@ func TestInboundHysteria2_Salamander(t *testing.T) {
|
||||
ObfsPassword: userUUID,
|
||||
}
|
||||
testInboundHysteria2(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundHysteria2(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundHysteria2_Brutal(t *testing.T) {
|
||||
@ -90,4 +110,14 @@ func TestInboundHysteria2_Brutal(t *testing.T) {
|
||||
Down: "200 Mbps",
|
||||
}
|
||||
testInboundHysteria2(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundHysteria2(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
@ -18,6 +18,7 @@ type MixedOption struct {
|
||||
UDP bool `inbound:"udp,omitempty"`
|
||||
Certificate string `inbound:"certificate,omitempty"`
|
||||
PrivateKey string `inbound:"private-key,omitempty"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
RealityConfig RealityConfig `inbound:"reality-config,omitempty"`
|
||||
}
|
||||
|
||||
@ -69,6 +70,7 @@ func (m *Mixed) Listen(tunnel C.Tunnel) error {
|
||||
AuthStore: m.config.Users.GetAuthStore(),
|
||||
Certificate: m.config.Certificate,
|
||||
PrivateKey: m.config.PrivateKey,
|
||||
EchKey: m.config.EchKey,
|
||||
RealityConfig: m.config.RealityConfig.Build(),
|
||||
},
|
||||
tunnel,
|
||||
|
||||
@ -17,6 +17,7 @@ type SocksOption struct {
|
||||
UDP bool `inbound:"udp,omitempty"`
|
||||
Certificate string `inbound:"certificate,omitempty"`
|
||||
PrivateKey string `inbound:"private-key,omitempty"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
RealityConfig RealityConfig `inbound:"reality-config,omitempty"`
|
||||
}
|
||||
|
||||
@ -89,6 +90,7 @@ func (s *Socks) Listen(tunnel C.Tunnel) error {
|
||||
AuthStore: s.config.Users.GetAuthStore(),
|
||||
Certificate: s.config.Certificate,
|
||||
PrivateKey: s.config.PrivateKey,
|
||||
EchKey: s.config.EchKey,
|
||||
RealityConfig: s.config.RealityConfig.Build(),
|
||||
},
|
||||
tunnel,
|
||||
|
||||
@ -16,6 +16,7 @@ type TrojanOption struct {
|
||||
GrpcServiceName string `inbound:"grpc-service-name,omitempty"`
|
||||
Certificate string `inbound:"certificate,omitempty"`
|
||||
PrivateKey string `inbound:"private-key,omitempty"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
RealityConfig RealityConfig `inbound:"reality-config,omitempty"`
|
||||
MuxOption MuxOption `inbound:"mux-option,omitempty"`
|
||||
SSOption TrojanSSOption `inbound:"ss-option,omitempty"`
|
||||
@ -67,6 +68,7 @@ func NewTrojan(options *TrojanOption) (*Trojan, error) {
|
||||
GrpcServiceName: options.GrpcServiceName,
|
||||
Certificate: options.Certificate,
|
||||
PrivateKey: options.PrivateKey,
|
||||
EchKey: options.EchKey,
|
||||
RealityConfig: options.RealityConfig.Build(),
|
||||
MuxOption: options.MuxOption.Build(),
|
||||
TrojanSSOption: LC.TrojanSSOption{
|
||||
|
||||
@ -64,6 +64,16 @@ func TestInboundTrojan_TLS(t *testing.T) {
|
||||
Fingerprint: tlsFingerprint,
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundTrojan_Wss1(t *testing.T) {
|
||||
@ -80,6 +90,16 @@ func TestInboundTrojan_Wss1(t *testing.T) {
|
||||
},
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundTrojan_Wss2(t *testing.T) {
|
||||
@ -97,6 +117,16 @@ func TestInboundTrojan_Wss2(t *testing.T) {
|
||||
},
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundTrojan_Grpc1(t *testing.T) {
|
||||
@ -111,6 +141,16 @@ func TestInboundTrojan_Grpc1(t *testing.T) {
|
||||
GrpcOpts: outbound.GrpcOptions{GrpcServiceName: "GunService"},
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundTrojan_Grpc2(t *testing.T) {
|
||||
@ -126,6 +166,16 @@ func TestInboundTrojan_Grpc2(t *testing.T) {
|
||||
GrpcOpts: outbound.GrpcOptions{GrpcServiceName: "GunService"},
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundTrojan_Reality(t *testing.T) {
|
||||
@ -190,6 +240,16 @@ func TestInboundTrojan_TLS_TrojanSS(t *testing.T) {
|
||||
},
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundTrojan_Wss_TrojanSS(t *testing.T) {
|
||||
@ -216,4 +276,14 @@ func TestInboundTrojan_Wss_TrojanSS(t *testing.T) {
|
||||
},
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundTrojan(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
@ -15,6 +15,7 @@ type TuicOption struct {
|
||||
Users map[string]string `inbound:"users,omitempty"`
|
||||
Certificate string `inbound:"certificate"`
|
||||
PrivateKey string `inbound:"private-key"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
CongestionController string `inbound:"congestion-controller,omitempty"`
|
||||
MaxIdleTime int `inbound:"max-idle-time,omitempty"`
|
||||
AuthenticationTimeout int `inbound:"authentication-timeout,omitempty"`
|
||||
@ -50,6 +51,7 @@ func NewTuic(options *TuicOption) (*Tuic, error) {
|
||||
Users: options.Users,
|
||||
Certificate: options.Certificate,
|
||||
PrivateKey: options.PrivateKey,
|
||||
EchKey: options.EchKey,
|
||||
CongestionController: options.CongestionController,
|
||||
MaxIdleTime: options.MaxIdleTime,
|
||||
AuthenticationTimeout: options.AuthenticationTimeout,
|
||||
|
||||
@ -89,4 +89,14 @@ func TestInboundTuic_TLS(t *testing.T) {
|
||||
Fingerprint: tlsFingerprint,
|
||||
}
|
||||
testInboundTuic(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundTuic(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
@ -16,6 +16,7 @@ type VlessOption struct {
|
||||
GrpcServiceName string `inbound:"grpc-service-name,omitempty"`
|
||||
Certificate string `inbound:"certificate,omitempty"`
|
||||
PrivateKey string `inbound:"private-key,omitempty"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
RealityConfig RealityConfig `inbound:"reality-config,omitempty"`
|
||||
MuxOption MuxOption `inbound:"mux-option,omitempty"`
|
||||
}
|
||||
@ -61,6 +62,7 @@ func NewVless(options *VlessOption) (*Vless, error) {
|
||||
GrpcServiceName: options.GrpcServiceName,
|
||||
Certificate: options.Certificate,
|
||||
PrivateKey: options.PrivateKey,
|
||||
EchKey: options.EchKey,
|
||||
RealityConfig: options.RealityConfig.Build(),
|
||||
MuxOption: options.MuxOption.Build(),
|
||||
},
|
||||
|
||||
@ -66,9 +66,25 @@ func TestInboundVless_TLS(t *testing.T) {
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("xtls-rprx-vision", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.Flow = "xtls-rprx-vision"
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("xtls-rprx-vision", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.Flow = "xtls-rprx-vision"
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVless_Wss1(t *testing.T) {
|
||||
@ -87,9 +103,25 @@ func TestInboundVless_Wss1(t *testing.T) {
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("xtls-rprx-vision", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.Flow = "xtls-rprx-vision"
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("xtls-rprx-vision", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.Flow = "xtls-rprx-vision"
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVless_Wss2(t *testing.T) {
|
||||
@ -109,9 +141,25 @@ func TestInboundVless_Wss2(t *testing.T) {
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("xtls-rprx-vision", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.Flow = "xtls-rprx-vision"
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("xtls-rprx-vision", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.Flow = "xtls-rprx-vision"
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVless_Grpc1(t *testing.T) {
|
||||
@ -127,6 +175,16 @@ func TestInboundVless_Grpc1(t *testing.T) {
|
||||
GrpcOpts: outbound.GrpcOptions{GrpcServiceName: "GunService"},
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVless_Grpc2(t *testing.T) {
|
||||
@ -143,6 +201,16 @@ func TestInboundVless_Grpc2(t *testing.T) {
|
||||
GrpcOpts: outbound.GrpcOptions{GrpcServiceName: "GunService"},
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVless_Reality(t *testing.T) {
|
||||
@ -165,9 +233,20 @@ func TestInboundVless_Reality(t *testing.T) {
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("xtls-rprx-vision", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.Flow = "xtls-rprx-vision"
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
t.Run("X25519MLKEM768", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.RealityOpts.SupportX25519MLKEM768 = true
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("xtls-rprx-vision", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.Flow = "xtls-rprx-vision"
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVless_Reality_Grpc(t *testing.T) {
|
||||
@ -192,4 +271,9 @@ func TestInboundVless_Reality_Grpc(t *testing.T) {
|
||||
GrpcOpts: outbound.GrpcOptions{GrpcServiceName: "GunService"},
|
||||
}
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
t.Run("X25519MLKEM768", func(t *testing.T) {
|
||||
outboundOptions := outboundOptions
|
||||
outboundOptions.RealityOpts.SupportX25519MLKEM768 = true
|
||||
testInboundVless(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
@ -16,6 +16,7 @@ type VmessOption struct {
|
||||
GrpcServiceName string `inbound:"grpc-service-name,omitempty"`
|
||||
Certificate string `inbound:"certificate,omitempty"`
|
||||
PrivateKey string `inbound:"private-key,omitempty"`
|
||||
EchKey string `inbound:"ech-key,omitempty"`
|
||||
RealityConfig RealityConfig `inbound:"reality-config,omitempty"`
|
||||
MuxOption MuxOption `inbound:"mux-option,omitempty"`
|
||||
}
|
||||
@ -61,6 +62,7 @@ func NewVmess(options *VmessOption) (*Vmess, error) {
|
||||
GrpcServiceName: options.GrpcServiceName,
|
||||
Certificate: options.Certificate,
|
||||
PrivateKey: options.PrivateKey,
|
||||
EchKey: options.EchKey,
|
||||
RealityConfig: options.RealityConfig.Build(),
|
||||
MuxOption: options.MuxOption.Build(),
|
||||
},
|
||||
|
||||
@ -73,6 +73,16 @@ func TestInboundVMess_TLS(t *testing.T) {
|
||||
Fingerprint: tlsFingerprint,
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVMess_Ws(t *testing.T) {
|
||||
@ -160,6 +170,16 @@ func TestInboundVMess_Wss1(t *testing.T) {
|
||||
},
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVMess_Wss2(t *testing.T) {
|
||||
@ -178,6 +198,16 @@ func TestInboundVMess_Wss2(t *testing.T) {
|
||||
},
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVMess_Grpc1(t *testing.T) {
|
||||
@ -193,6 +223,16 @@ func TestInboundVMess_Grpc1(t *testing.T) {
|
||||
GrpcOpts: outbound.GrpcOptions{GrpcServiceName: "GunService"},
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVMess_Grpc2(t *testing.T) {
|
||||
@ -209,6 +249,16 @@ func TestInboundVMess_Grpc2(t *testing.T) {
|
||||
GrpcOpts: outbound.GrpcOptions{GrpcServiceName: "GunService"},
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
t.Run("ECH", func(t *testing.T) {
|
||||
inboundOptions := inboundOptions
|
||||
outboundOptions := outboundOptions
|
||||
inboundOptions.EchKey = echKeyPem
|
||||
outboundOptions.ECHOpts = outbound.ECHOptions{
|
||||
Enable: true,
|
||||
Config: echConfigBase64,
|
||||
}
|
||||
testInboundVMess(t, inboundOptions, outboundOptions)
|
||||
})
|
||||
}
|
||||
|
||||
func TestInboundVMess_Reality(t *testing.T) {
|
||||
|
||||
@ -1,7 +1,6 @@
|
||||
package mixed
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"net"
|
||||
|
||||
@ -9,6 +8,8 @@ import (
|
||||
N "github.com/metacubex/mihomo/common/net"
|
||||
"github.com/metacubex/mihomo/component/auth"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
authStore "github.com/metacubex/mihomo/listener/auth"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
@ -60,7 +61,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tlsConfig := &tls.Config{}
|
||||
tlsConfig := &tlsC.Config{}
|
||||
var realityBuilder *reality.Builder
|
||||
|
||||
if config.Certificate != "" && config.PrivateKey != "" {
|
||||
@ -68,7 +69,14 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig.Certificates = []tls.Certificate{cert}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
if config.RealityConfig.PrivateKey != "" {
|
||||
if tlsConfig.Certificates != nil {
|
||||
@ -83,7 +91,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
if realityBuilder != nil {
|
||||
l = realityBuilder.NewListener(l)
|
||||
} else if len(tlsConfig.Certificates) > 0 {
|
||||
l = tls.NewListener(l, tlsConfig)
|
||||
l = tlsC.NewListener(l, tlsConfig)
|
||||
}
|
||||
|
||||
ml := &Listener{
|
||||
|
||||
@ -2,7 +2,6 @@ package sing_hysteria2
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
@ -15,6 +14,7 @@ import (
|
||||
"github.com/metacubex/mihomo/adapter/outbound"
|
||||
"github.com/metacubex/mihomo/common/sockopt"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
@ -60,9 +60,16 @@ func New(config LC.Hysteria2Server, tunnel C.Tunnel, additions ...inbound.Additi
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig := &tls.Config{
|
||||
MinVersion: tls.VersionTLS13,
|
||||
Certificates: []tls.Certificate{cert},
|
||||
tlsConfig := &tlsC.Config{
|
||||
MinVersion: tlsC.VersionTLS13,
|
||||
}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
if len(config.ALPN) > 0 {
|
||||
tlsConfig.NextProtos = config.ALPN
|
||||
@ -125,7 +132,7 @@ func New(config LC.Hysteria2Server, tunnel C.Tunnel, additions ...inbound.Additi
|
||||
SendBPS: outbound.StringToBps(config.Up),
|
||||
ReceiveBPS: outbound.StringToBps(config.Down),
|
||||
SalamanderPassword: salamanderPassword,
|
||||
TLSConfig: tlsC.UConfig(tlsConfig),
|
||||
TLSConfig: tlsConfig,
|
||||
QUICConfig: quicConfig,
|
||||
IgnoreClientBandwidth: config.IgnoreClientBandwidth,
|
||||
UDPTimeout: sing.UDPTimeout,
|
||||
|
||||
@ -2,7 +2,6 @@ package sing_vless
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"net"
|
||||
"net/http"
|
||||
@ -12,6 +11,7 @@ import (
|
||||
|
||||
"github.com/metacubex/mihomo/adapter/inbound"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
@ -82,16 +82,23 @@ func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
|
||||
sl = &Listener{false, config, nil, service}
|
||||
|
||||
tlsConfig := &tls.Config{}
|
||||
tlsConfig := &tlsC.Config{}
|
||||
var realityBuilder *reality.Builder
|
||||
var httpHandler http.Handler
|
||||
var httpServer http.Server
|
||||
|
||||
if config.Certificate != "" && config.PrivateKey != "" {
|
||||
cert, err := ca.LoadTLSKeyPair(config.Certificate, config.PrivateKey, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig.Certificates = []tls.Certificate{cert}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
if config.RealityConfig.PrivateKey != "" {
|
||||
if tlsConfig.Certificates != nil {
|
||||
@ -112,16 +119,16 @@ func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
}
|
||||
sl.HandleConn(conn, tunnel, additions...)
|
||||
})
|
||||
httpHandler = httpMux
|
||||
httpServer.Handler = httpMux
|
||||
tlsConfig.NextProtos = append(tlsConfig.NextProtos, "http/1.1")
|
||||
}
|
||||
if config.GrpcServiceName != "" {
|
||||
httpHandler = gun.NewServerHandler(gun.ServerOption{
|
||||
httpServer.Handler = gun.NewServerHandler(gun.ServerOption{
|
||||
ServiceName: config.GrpcServiceName,
|
||||
ConnHandler: func(conn net.Conn) {
|
||||
sl.HandleConn(conn, tunnel, additions...)
|
||||
},
|
||||
HttpHandler: httpHandler,
|
||||
HttpHandler: httpServer.Handler,
|
||||
})
|
||||
tlsConfig.NextProtos = append([]string{"h2"}, tlsConfig.NextProtos...) // h2 must before http/1.1
|
||||
}
|
||||
@ -137,15 +144,19 @@ func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
if realityBuilder != nil {
|
||||
l = realityBuilder.NewListener(l)
|
||||
} else if len(tlsConfig.Certificates) > 0 {
|
||||
l = tls.NewListener(l, tlsConfig)
|
||||
if httpServer.Handler != nil {
|
||||
l = tlsC.NewListenerForHttps(l, &httpServer, tlsConfig)
|
||||
} else {
|
||||
l = tlsC.NewListener(l, tlsConfig)
|
||||
}
|
||||
} else {
|
||||
return nil, errors.New("disallow using Vless without both certificates/reality config")
|
||||
}
|
||||
sl.listeners = append(sl.listeners, l)
|
||||
|
||||
go func() {
|
||||
if httpHandler != nil {
|
||||
_ = http.Serve(l, httpHandler)
|
||||
if httpServer.Handler != nil {
|
||||
_ = httpServer.Serve(l)
|
||||
return
|
||||
}
|
||||
for {
|
||||
|
||||
@ -2,7 +2,6 @@ package sing_vmess
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"net"
|
||||
"net/http"
|
||||
@ -11,6 +10,8 @@ import (
|
||||
|
||||
"github.com/metacubex/mihomo/adapter/inbound"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
"github.com/metacubex/mihomo/listener/reality"
|
||||
@ -75,16 +76,23 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
|
||||
sl = &Listener{false, config, nil, service}
|
||||
|
||||
tlsConfig := &tls.Config{}
|
||||
tlsConfig := &tlsC.Config{}
|
||||
var realityBuilder *reality.Builder
|
||||
var httpHandler http.Handler
|
||||
var httpServer http.Server
|
||||
|
||||
if config.Certificate != "" && config.PrivateKey != "" {
|
||||
cert, err := ca.LoadTLSKeyPair(config.Certificate, config.PrivateKey, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig.Certificates = []tls.Certificate{cert}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
if config.RealityConfig.PrivateKey != "" {
|
||||
if tlsConfig.Certificates != nil {
|
||||
@ -105,16 +113,16 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
}
|
||||
sl.HandleConn(conn, tunnel, additions...)
|
||||
})
|
||||
httpHandler = httpMux
|
||||
httpServer.Handler = httpMux
|
||||
tlsConfig.NextProtos = append(tlsConfig.NextProtos, "http/1.1")
|
||||
}
|
||||
if config.GrpcServiceName != "" {
|
||||
httpHandler = gun.NewServerHandler(gun.ServerOption{
|
||||
httpServer.Handler = gun.NewServerHandler(gun.ServerOption{
|
||||
ServiceName: config.GrpcServiceName,
|
||||
ConnHandler: func(conn net.Conn) {
|
||||
sl.HandleConn(conn, tunnel, additions...)
|
||||
},
|
||||
HttpHandler: httpHandler,
|
||||
HttpHandler: httpServer.Handler,
|
||||
})
|
||||
tlsConfig.NextProtos = append([]string{"h2"}, tlsConfig.NextProtos...) // h2 must before http/1.1
|
||||
}
|
||||
@ -130,13 +138,17 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
if realityBuilder != nil {
|
||||
l = realityBuilder.NewListener(l)
|
||||
} else if len(tlsConfig.Certificates) > 0 {
|
||||
l = tls.NewListener(l, tlsConfig)
|
||||
if httpServer.Handler != nil {
|
||||
l = tlsC.NewListenerForHttps(l, &httpServer, tlsConfig)
|
||||
} else {
|
||||
l = tlsC.NewListener(l, tlsConfig)
|
||||
}
|
||||
}
|
||||
sl.listeners = append(sl.listeners, l)
|
||||
|
||||
go func() {
|
||||
if httpHandler != nil {
|
||||
_ = http.Serve(l, httpHandler)
|
||||
if httpServer.Handler != nil {
|
||||
_ = httpServer.Serve(l)
|
||||
return
|
||||
}
|
||||
for {
|
||||
|
||||
@ -1,7 +1,6 @@
|
||||
package socks
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"io"
|
||||
"net"
|
||||
@ -10,6 +9,8 @@ import (
|
||||
N "github.com/metacubex/mihomo/common/net"
|
||||
"github.com/metacubex/mihomo/component/auth"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
authStore "github.com/metacubex/mihomo/listener/auth"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
@ -59,7 +60,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tlsConfig := &tls.Config{}
|
||||
tlsConfig := &tlsC.Config{}
|
||||
var realityBuilder *reality.Builder
|
||||
|
||||
if config.Certificate != "" && config.PrivateKey != "" {
|
||||
@ -67,7 +68,14 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig.Certificates = []tls.Certificate{cert}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
if config.RealityConfig.PrivateKey != "" {
|
||||
if tlsConfig.Certificates != nil {
|
||||
@ -82,7 +90,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A
|
||||
if realityBuilder != nil {
|
||||
l = realityBuilder.NewListener(l)
|
||||
} else if len(tlsConfig.Certificates) > 0 {
|
||||
l = tls.NewListener(l, tlsConfig)
|
||||
l = tlsC.NewListener(l, tlsConfig)
|
||||
}
|
||||
|
||||
sl := &Listener{
|
||||
|
||||
@ -1,7 +1,6 @@
|
||||
package trojan
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"io"
|
||||
"net"
|
||||
@ -10,6 +9,8 @@ import (
|
||||
|
||||
"github.com/metacubex/mihomo/adapter/inbound"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
"github.com/metacubex/mihomo/listener/reality"
|
||||
@ -69,16 +70,23 @@ func New(config LC.TrojanServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
}
|
||||
sl = &Listener{false, config, nil, keys, pickCipher, h}
|
||||
|
||||
tlsConfig := &tls.Config{}
|
||||
tlsConfig := &tlsC.Config{}
|
||||
var realityBuilder *reality.Builder
|
||||
var httpHandler http.Handler
|
||||
var httpServer http.Server
|
||||
|
||||
if config.Certificate != "" && config.PrivateKey != "" {
|
||||
cert, err := ca.LoadTLSKeyPair(config.Certificate, config.PrivateKey, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig.Certificates = []tls.Certificate{cert}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
if config.RealityConfig.PrivateKey != "" {
|
||||
if tlsConfig.Certificates != nil {
|
||||
@ -99,16 +107,16 @@ func New(config LC.TrojanServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
}
|
||||
sl.HandleConn(conn, tunnel, additions...)
|
||||
})
|
||||
httpHandler = httpMux
|
||||
httpServer.Handler = httpMux
|
||||
tlsConfig.NextProtos = append(tlsConfig.NextProtos, "http/1.1")
|
||||
}
|
||||
if config.GrpcServiceName != "" {
|
||||
httpHandler = gun.NewServerHandler(gun.ServerOption{
|
||||
httpServer.Handler = gun.NewServerHandler(gun.ServerOption{
|
||||
ServiceName: config.GrpcServiceName,
|
||||
ConnHandler: func(conn net.Conn) {
|
||||
sl.HandleConn(conn, tunnel, additions...)
|
||||
},
|
||||
HttpHandler: httpHandler,
|
||||
HttpHandler: httpServer.Handler,
|
||||
})
|
||||
tlsConfig.NextProtos = append([]string{"h2"}, tlsConfig.NextProtos...) // h2 must before http/1.1
|
||||
}
|
||||
@ -124,15 +132,19 @@ func New(config LC.TrojanServer, tunnel C.Tunnel, additions ...inbound.Addition)
|
||||
if realityBuilder != nil {
|
||||
l = realityBuilder.NewListener(l)
|
||||
} else if len(tlsConfig.Certificates) > 0 {
|
||||
l = tls.NewListener(l, tlsConfig)
|
||||
if httpServer.Handler != nil {
|
||||
l = tlsC.NewListenerForHttps(l, &httpServer, tlsConfig)
|
||||
} else {
|
||||
l = tlsC.NewListener(l, tlsConfig)
|
||||
}
|
||||
} else if !config.TrojanSSOption.Enabled {
|
||||
return nil, errors.New("disallow using Trojan without both certificates/reality/ss config")
|
||||
}
|
||||
sl.listeners = append(sl.listeners, l)
|
||||
|
||||
go func() {
|
||||
if httpHandler != nil {
|
||||
_ = http.Serve(l, httpHandler)
|
||||
if httpServer.Handler != nil {
|
||||
_ = httpServer.Serve(l)
|
||||
return
|
||||
}
|
||||
for {
|
||||
|
||||
@ -1,7 +1,6 @@
|
||||
package tuic
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
@ -9,6 +8,7 @@ import (
|
||||
"github.com/metacubex/mihomo/adapter/inbound"
|
||||
"github.com/metacubex/mihomo/common/sockopt"
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
LC "github.com/metacubex/mihomo/listener/config"
|
||||
@ -52,9 +52,16 @@ func New(config LC.TuicServer, tunnel C.Tunnel, additions ...inbound.Addition) (
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig := &tls.Config{
|
||||
MinVersion: tls.VersionTLS13,
|
||||
Certificates: []tls.Certificate{cert},
|
||||
tlsConfig := &tlsC.Config{
|
||||
MinVersion: tlsC.VersionTLS13,
|
||||
}
|
||||
tlsConfig.Certificates = []tlsC.Certificate{tlsC.UCertificate(cert)}
|
||||
|
||||
if config.EchKey != "" {
|
||||
err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
if len(config.ALPN) > 0 {
|
||||
tlsConfig.NextProtos = config.ALPN
|
||||
@ -125,7 +132,7 @@ func New(config LC.TuicServer, tunnel C.Tunnel, additions ...inbound.Addition) (
|
||||
option := &tuic.ServerOption{
|
||||
HandleTcpFn: handleTcpFn,
|
||||
HandleUdpFn: handleUdpFn,
|
||||
TlsConfig: tlsC.UConfig(tlsConfig),
|
||||
TlsConfig: tlsConfig,
|
||||
QuicConfig: quicConfig,
|
||||
CongestionController: config.CongestionController,
|
||||
AuthenticationTimeout: time.Duration(config.AuthenticationTimeout) * time.Millisecond,
|
||||
|
||||
@ -31,7 +31,7 @@ func (l *LogLevel) UnmarshalYAML(unmarshal func(any) error) error {
|
||||
unmarshal(&tp)
|
||||
level, exist := LogLevelMapping[strings.ToLower(tp)]
|
||||
if !exist {
|
||||
return errors.New("invalid mode")
|
||||
return errors.New("invalid log-level")
|
||||
}
|
||||
*l = level
|
||||
return nil
|
||||
@ -43,7 +43,7 @@ func (l *LogLevel) UnmarshalJSON(data []byte) error {
|
||||
json.Unmarshal(data, &tp)
|
||||
level, exist := LogLevelMapping[strings.ToLower(tp)]
|
||||
if !exist {
|
||||
return errors.New("invalid mode")
|
||||
return errors.New("invalid log-level")
|
||||
}
|
||||
*l = level
|
||||
return nil
|
||||
@ -53,7 +53,7 @@ func (l *LogLevel) UnmarshalJSON(data []byte) error {
|
||||
func (l *LogLevel) UnmarshalText(data []byte) error {
|
||||
level, exist := LogLevelMapping[strings.ToLower(string(data))]
|
||||
if !exist {
|
||||
return errors.New("invalid mode")
|
||||
return errors.New("invalid log-level")
|
||||
}
|
||||
*l = level
|
||||
return nil
|
||||
|
||||
@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
"github.com/metacubex/mihomo/transport/vmess"
|
||||
smux "github.com/metacubex/smux"
|
||||
)
|
||||
@ -18,6 +19,7 @@ type Option struct {
|
||||
Path string
|
||||
Headers map[string]string
|
||||
TLS bool
|
||||
ECHConfig *ech.Config
|
||||
SkipCertVerify bool
|
||||
Fingerprint string
|
||||
Mux bool
|
||||
@ -48,10 +50,11 @@ func NewGostWebsocket(ctx context.Context, conn net.Conn, option *Option) (net.C
|
||||
}
|
||||
|
||||
config := &vmess.WebsocketConfig{
|
||||
Host: option.Host,
|
||||
Port: option.Port,
|
||||
Path: option.Path,
|
||||
Headers: header,
|
||||
Host: option.Host,
|
||||
Port: option.Port,
|
||||
Path: option.Path,
|
||||
ECHConfig: option.ECHConfig,
|
||||
Headers: header,
|
||||
}
|
||||
|
||||
if option.TLS {
|
||||
|
||||
@ -18,9 +18,9 @@ import (
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/metacubex/mihomo/common/atomic"
|
||||
"github.com/metacubex/mihomo/common/buf"
|
||||
"github.com/metacubex/mihomo/common/pool"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
C "github.com/metacubex/mihomo/constant"
|
||||
|
||||
@ -41,16 +41,19 @@ type DialFn = func(ctx context.Context, network, addr string) (net.Conn, error)
|
||||
|
||||
type Conn struct {
|
||||
initFn func() (io.ReadCloser, netAddr, error)
|
||||
writer io.Writer
|
||||
writer io.Writer // writer must not nil
|
||||
closer io.Closer
|
||||
netAddr
|
||||
|
||||
reader io.ReadCloser
|
||||
once sync.Once
|
||||
closed atomic.Bool
|
||||
err error
|
||||
remain int
|
||||
br *bufio.Reader
|
||||
initOnce sync.Once
|
||||
initErr error
|
||||
reader io.ReadCloser
|
||||
br *bufio.Reader
|
||||
remain int
|
||||
|
||||
closeMutex sync.Mutex
|
||||
closed bool
|
||||
|
||||
// deadlines
|
||||
deadline *time.Timer
|
||||
}
|
||||
@ -64,7 +67,7 @@ type Config struct {
|
||||
func (g *Conn) initReader() {
|
||||
reader, addr, err := g.initFn()
|
||||
if err != nil {
|
||||
g.err = err
|
||||
g.initErr = err
|
||||
if closer, ok := g.writer.(io.Closer); ok {
|
||||
closer.Close()
|
||||
}
|
||||
@ -72,17 +75,21 @@ func (g *Conn) initReader() {
|
||||
}
|
||||
g.netAddr = addr
|
||||
|
||||
if !g.closed.Load() {
|
||||
g.reader = reader
|
||||
g.br = bufio.NewReader(reader)
|
||||
} else {
|
||||
reader.Close()
|
||||
g.closeMutex.Lock()
|
||||
defer g.closeMutex.Unlock()
|
||||
if g.closed { // if g.Close() be called between g.initFn(), direct close the initFn returned reader
|
||||
_ = reader.Close()
|
||||
g.initErr = net.ErrClosed
|
||||
return
|
||||
}
|
||||
|
||||
g.reader = reader
|
||||
g.br = bufio.NewReader(reader)
|
||||
}
|
||||
|
||||
func (g *Conn) Init() error {
|
||||
g.once.Do(g.initReader)
|
||||
return g.err
|
||||
g.initOnce.Do(g.initReader)
|
||||
return g.initErr
|
||||
}
|
||||
|
||||
func (g *Conn) Read(b []byte) (n int, err error) {
|
||||
@ -99,8 +106,6 @@ func (g *Conn) Read(b []byte) (n int, err error) {
|
||||
n, err = io.ReadFull(g.br, b[:size])
|
||||
g.remain -= n
|
||||
return
|
||||
} else if g.reader == nil {
|
||||
return 0, net.ErrClosed
|
||||
}
|
||||
|
||||
// 0x00 grpclength(uint32) 0x0A uleb128 payload
|
||||
@ -146,8 +151,8 @@ func (g *Conn) Write(b []byte) (n int, err error) {
|
||||
buf.Write(b)
|
||||
|
||||
_, err = g.writer.Write(buf.Bytes())
|
||||
if err == io.ErrClosedPipe && g.err != nil {
|
||||
err = g.err
|
||||
if err == io.ErrClosedPipe && g.initErr != nil {
|
||||
err = g.initErr
|
||||
}
|
||||
|
||||
if flusher, ok := g.writer.(http.Flusher); ok {
|
||||
@ -169,8 +174,8 @@ func (g *Conn) WriteBuffer(buffer *buf.Buffer) error {
|
||||
binary.PutUvarint(header[6:], uint64(dataLen))
|
||||
_, err := g.writer.Write(buffer.Bytes())
|
||||
|
||||
if err == io.ErrClosedPipe && g.err != nil {
|
||||
err = g.err
|
||||
if err == io.ErrClosedPipe && g.initErr != nil {
|
||||
err = g.initErr
|
||||
}
|
||||
|
||||
if flusher, ok := g.writer.(http.Flusher); ok {
|
||||
@ -185,7 +190,17 @@ func (g *Conn) FrontHeadroom() int {
|
||||
}
|
||||
|
||||
func (g *Conn) Close() error {
|
||||
g.closed.Store(true)
|
||||
g.initOnce.Do(func() { // if initReader not called, it should not be run anymore
|
||||
g.initErr = net.ErrClosed
|
||||
})
|
||||
|
||||
g.closeMutex.Lock()
|
||||
defer g.closeMutex.Unlock()
|
||||
if g.closed {
|
||||
return nil
|
||||
}
|
||||
g.closed = true
|
||||
|
||||
var errorArr []error
|
||||
|
||||
if reader := g.reader; reader != nil {
|
||||
@ -213,6 +228,13 @@ func (g *Conn) SetReadDeadline(t time.Time) error { return g.SetDeadline(t) }
|
||||
func (g *Conn) SetWriteDeadline(t time.Time) error { return g.SetDeadline(t) }
|
||||
|
||||
func (g *Conn) SetDeadline(t time.Time) error {
|
||||
if t.IsZero() {
|
||||
if g.deadline != nil {
|
||||
g.deadline.Stop()
|
||||
g.deadline = nil
|
||||
}
|
||||
return nil
|
||||
}
|
||||
d := time.Until(t)
|
||||
if g.deadline != nil {
|
||||
g.deadline.Reset(d)
|
||||
@ -224,7 +246,7 @@ func (g *Conn) SetDeadline(t time.Time) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func NewHTTP2Client(dialFn DialFn, tlsConfig *tls.Config, clientFingerprint string, realityConfig *tlsC.RealityConfig) *TransportWrap {
|
||||
func NewHTTP2Client(dialFn DialFn, tlsConfig *tls.Config, clientFingerprint string, echConfig *ech.Config, realityConfig *tlsC.RealityConfig) *TransportWrap {
|
||||
dialFunc := func(ctx context.Context, network, addr string, cfg *tls.Config) (net.Conn, error) {
|
||||
ctx, cancel := context.WithTimeout(ctx, C.DefaultTLSTimeout)
|
||||
defer cancel()
|
||||
@ -238,8 +260,15 @@ func NewHTTP2Client(dialFn DialFn, tlsConfig *tls.Config, clientFingerprint stri
|
||||
}
|
||||
|
||||
if clientFingerprint, ok := tlsC.GetFingerprint(clientFingerprint); ok {
|
||||
tlsConfig := tlsC.UConfig(cfg)
|
||||
err := echConfig.ClientHandle(ctx, tlsConfig)
|
||||
if err != nil {
|
||||
pconn.Close()
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if realityConfig == nil {
|
||||
tlsConn := tlsC.UClient(pconn, tlsC.UConfig(cfg), clientFingerprint)
|
||||
tlsConn := tlsC.UClient(pconn, tlsConfig, clientFingerprint)
|
||||
if err := tlsConn.HandshakeContext(ctx); err != nil {
|
||||
pconn.Close()
|
||||
return nil, err
|
||||
@ -251,7 +280,7 @@ func NewHTTP2Client(dialFn DialFn, tlsConfig *tls.Config, clientFingerprint stri
|
||||
}
|
||||
return tlsConn, nil
|
||||
} else {
|
||||
realityConn, err := tlsC.GetRealityConn(ctx, pconn, clientFingerprint, cfg, realityConfig)
|
||||
realityConn, err := tlsC.GetRealityConn(ctx, pconn, clientFingerprint, tlsConfig, realityConfig)
|
||||
if err != nil {
|
||||
pconn.Close()
|
||||
return nil, err
|
||||
@ -268,6 +297,27 @@ func NewHTTP2Client(dialFn DialFn, tlsConfig *tls.Config, clientFingerprint stri
|
||||
return nil, errors.New("REALITY is based on uTLS, please set a client-fingerprint")
|
||||
}
|
||||
|
||||
if echConfig != nil {
|
||||
tlsConfig := tlsC.UConfig(cfg)
|
||||
err := echConfig.ClientHandle(ctx, tlsConfig)
|
||||
if err != nil {
|
||||
pconn.Close()
|
||||
return nil, err
|
||||
}
|
||||
|
||||
conn := tlsC.Client(pconn, tlsConfig)
|
||||
if err := conn.HandshakeContext(ctx); err != nil {
|
||||
pconn.Close()
|
||||
return nil, err
|
||||
}
|
||||
state := conn.ConnectionState()
|
||||
if p := state.NegotiatedProtocol; p != http2.NextProtoTLS {
|
||||
conn.Close()
|
||||
return nil, fmt.Errorf("http2: unexpected ALPN protocol %s, want %s", p, http2.NextProtoTLS)
|
||||
}
|
||||
return conn, nil
|
||||
}
|
||||
|
||||
conn := tls.Client(pconn, cfg)
|
||||
if err := conn.HandshakeContext(ctx); err != nil {
|
||||
pconn.Close()
|
||||
@ -345,12 +395,12 @@ func StreamGunWithTransport(transport *TransportWrap, cfg *Config) (net.Conn, er
|
||||
return conn, nil
|
||||
}
|
||||
|
||||
func StreamGunWithConn(conn net.Conn, tlsConfig *tls.Config, cfg *Config, realityConfig *tlsC.RealityConfig) (net.Conn, error) {
|
||||
func StreamGunWithConn(conn net.Conn, tlsConfig *tls.Config, cfg *Config, echConfig *ech.Config, realityConfig *tlsC.RealityConfig) (net.Conn, error) {
|
||||
dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return conn, nil
|
||||
}
|
||||
|
||||
transport := NewHTTP2Client(dialFn, tlsConfig, cfg.ClientFingerprint, realityConfig)
|
||||
transport := NewHTTP2Client(dialFn, tlsConfig, cfg.ClientFingerprint, echConfig, realityConfig)
|
||||
c, err := StreamGunWithTransport(transport, cfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
||||
@ -49,7 +49,7 @@ func NewShadowTLS(ctx context.Context, conn net.Conn, option *ShadowTLSOption) (
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tlsHandshake := uTLSHandshakeFunc(tlsConfig, option.ClientFingerprint)
|
||||
tlsHandshake := uTLSHandshakeFunc(tlsConfig, option.ClientFingerprint, option.Version)
|
||||
client, err := shadowtls.NewClient(shadowtls.ClientConfig{
|
||||
Version: option.Version,
|
||||
Password: option.Password,
|
||||
@ -62,15 +62,19 @@ func NewShadowTLS(ctx context.Context, conn net.Conn, option *ShadowTLSOption) (
|
||||
return client.DialContextConn(ctx, conn)
|
||||
}
|
||||
|
||||
func uTLSHandshakeFunc(config *tls.Config, clientFingerprint string) shadowtls.TLSHandshakeFunc {
|
||||
func uTLSHandshakeFunc(config *tls.Config, clientFingerprint string, version int) shadowtls.TLSHandshakeFunc {
|
||||
return func(ctx context.Context, conn net.Conn, sessionIDGenerator shadowtls.TLSSessionIDGeneratorFunc) error {
|
||||
tlsConfig := tlsC.UConfig(config)
|
||||
tlsConfig.SessionIDGenerator = sessionIDGenerator
|
||||
if config.MaxVersion == tls.VersionTLS12 { // for ShadowTLS v1
|
||||
if version == 1 {
|
||||
tlsConfig.MaxVersion = tlsC.VersionTLS12 // ShadowTLS v1 only support TLS 1.2
|
||||
tlsConn := tlsC.Client(conn, tlsConfig)
|
||||
return tlsConn.HandshakeContext(ctx)
|
||||
}
|
||||
if clientFingerprint, ok := tlsC.GetFingerprint(clientFingerprint); ok {
|
||||
if version == 2 && clientFingerprint == tlsC.HelloChrome_Auto {
|
||||
clientFingerprint = tlsC.HelloChrome_120 // ShadowTLS v2 not work with X25519MLKEM768
|
||||
}
|
||||
tlsConn := tlsC.UClient(conn, tlsConfig, clientFingerprint)
|
||||
if slices.Equal(tlsConfig.NextProtos, WsALPN) {
|
||||
err := tlsC.BuildWebsocketHandshakeState(tlsConn)
|
||||
|
||||
@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
"github.com/metacubex/mihomo/transport/vmess"
|
||||
)
|
||||
|
||||
@ -17,6 +18,7 @@ type Option struct {
|
||||
Path string
|
||||
Headers map[string]string
|
||||
TLS bool
|
||||
ECHConfig *ech.Config
|
||||
SkipCertVerify bool
|
||||
Fingerprint string
|
||||
Mux bool
|
||||
@ -37,6 +39,7 @@ func NewV2rayObfs(ctx context.Context, conn net.Conn, option *Option) (net.Conn,
|
||||
Path: option.Path,
|
||||
V2rayHttpUpgrade: option.V2rayHttpUpgrade,
|
||||
V2rayHttpUpgradeFastOpen: option.V2rayHttpUpgradeFastOpen,
|
||||
ECHConfig: option.ECHConfig,
|
||||
Headers: header,
|
||||
}
|
||||
|
||||
|
||||
@ -45,6 +45,12 @@ func NewConn(conn connWithUpstream, userUUID *uuid.UUID) (*Conn, error) {
|
||||
c.tlsConn = underlying
|
||||
t = reflect.TypeOf(underlying).Elem()
|
||||
p = unsafe.Pointer(underlying)
|
||||
case *tlsC.Conn:
|
||||
//log.Debugln("type *tlsC.Conn")
|
||||
c.Conn = underlying.NetConn()
|
||||
c.tlsConn = underlying
|
||||
t = reflect.TypeOf(underlying).Elem()
|
||||
p = unsafe.Pointer(underlying)
|
||||
case *tlsC.UConn:
|
||||
//log.Debugln("type *tlsC.UConn")
|
||||
c.Conn = underlying.NetConn()
|
||||
|
||||
@ -7,6 +7,7 @@ import (
|
||||
"net"
|
||||
|
||||
"github.com/metacubex/mihomo/component/ca"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
)
|
||||
|
||||
@ -16,9 +17,14 @@ type TLSConfig struct {
|
||||
FingerPrint string
|
||||
ClientFingerprint string
|
||||
NextProtos []string
|
||||
ECH *ech.Config
|
||||
Reality *tlsC.RealityConfig
|
||||
}
|
||||
|
||||
type ECHConfig struct {
|
||||
Enable bool
|
||||
}
|
||||
|
||||
func StreamTLSConn(ctx context.Context, conn net.Conn, cfg *TLSConfig) (net.Conn, error) {
|
||||
tlsConfig := &tls.Config{
|
||||
ServerName: cfg.Host,
|
||||
@ -33,8 +39,14 @@ func StreamTLSConn(ctx context.Context, conn net.Conn, cfg *TLSConfig) (net.Conn
|
||||
}
|
||||
|
||||
if clientFingerprint, ok := tlsC.GetFingerprint(cfg.ClientFingerprint); ok {
|
||||
tlsConfig := tlsC.UConfig(tlsConfig)
|
||||
err = cfg.ECH.ClientHandle(ctx, tlsConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if cfg.Reality == nil {
|
||||
tlsConn := tlsC.UClient(conn, tlsC.UConfig(tlsConfig), clientFingerprint)
|
||||
tlsConn := tlsC.UClient(conn, tlsConfig, clientFingerprint)
|
||||
err = tlsConn.HandshakeContext(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -48,6 +60,19 @@ func StreamTLSConn(ctx context.Context, conn net.Conn, cfg *TLSConfig) (net.Conn
|
||||
return nil, errors.New("REALITY is based on uTLS, please set a client-fingerprint")
|
||||
}
|
||||
|
||||
if cfg.ECH != nil {
|
||||
tlsConfig := tlsC.UConfig(tlsConfig)
|
||||
err = cfg.ECH.ClientHandle(ctx, tlsConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tlsConn := tlsC.Client(conn, tlsConfig)
|
||||
|
||||
err = tlsConn.HandshakeContext(ctx)
|
||||
return tlsConn, err
|
||||
}
|
||||
|
||||
tlsConn := tls.Client(conn, tlsConfig)
|
||||
|
||||
err = tlsConn.HandshakeContext(ctx)
|
||||
|
||||
@ -21,6 +21,7 @@ import (
|
||||
|
||||
"github.com/metacubex/mihomo/common/buf"
|
||||
N "github.com/metacubex/mihomo/common/net"
|
||||
"github.com/metacubex/mihomo/component/ech"
|
||||
tlsC "github.com/metacubex/mihomo/component/tls"
|
||||
"github.com/metacubex/mihomo/log"
|
||||
|
||||
@ -56,6 +57,7 @@ type WebsocketConfig struct {
|
||||
Headers http.Header
|
||||
TLS bool
|
||||
TLSConfig *tls.Config
|
||||
ECHConfig *ech.Config
|
||||
MaxEarlyData int
|
||||
EarlyDataHeaderName string
|
||||
ClientFingerprint string
|
||||
@ -355,6 +357,11 @@ func streamWebsocketConn(ctx context.Context, conn net.Conn, c *WebsocketConfig,
|
||||
}
|
||||
|
||||
if clientFingerprint, ok := tlsC.GetFingerprint(c.ClientFingerprint); ok {
|
||||
tlsConfig := tlsC.UConfig(config)
|
||||
err = c.ECHConfig.ClientHandle(ctx, tlsConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConn := tlsC.UClient(conn, tlsC.UConfig(config), clientFingerprint)
|
||||
if err = tlsC.BuildWebsocketHandshakeState(tlsConn); err != nil {
|
||||
return nil, fmt.Errorf("parse url %s error: %w", c.Path, err)
|
||||
@ -364,6 +371,16 @@ func streamWebsocketConn(ctx context.Context, conn net.Conn, c *WebsocketConfig,
|
||||
return nil, err
|
||||
}
|
||||
conn = tlsConn
|
||||
} else if c.ECHConfig != nil {
|
||||
tlsConfig := tlsC.UConfig(config)
|
||||
err = c.ECHConfig.ClientHandle(ctx, tlsConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConn := tlsC.Client(conn, tlsConfig)
|
||||
|
||||
err = tlsConn.HandshakeContext(ctx)
|
||||
conn = tlsConn
|
||||
} else {
|
||||
tlsConn := tls.Client(conn, config)
|
||||
err = tlsConn.HandshakeContext(ctx)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user