From 594fde1ff8a96d7e8a1ce0f2efac313135c62d0c Mon Sep 17 00:00:00 2001 From: Toby Date: Wed, 11 Oct 2023 19:54:47 -0700 Subject: [PATCH] feat: HTTP/HTTPS proxy outbound --- app/cmd/server.go | 15 +++ app/cmd/server_test.go | 8 ++ app/cmd/server_test.yaml | 5 + extras/outbounds/ob_http.go | 190 ++++++++++++++++++++++++++++++++++++ 4 files changed, 218 insertions(+) create mode 100644 extras/outbounds/ob_http.go diff --git a/app/cmd/server.go b/app/cmd/server.go index 6221cc6..df56403 100644 --- a/app/cmd/server.go +++ b/app/cmd/server.go @@ -161,11 +161,17 @@ type serverConfigOutboundSOCKS5 struct { Password string `mapstructure:"password"` } +type serverConfigOutboundHTTP struct { + URL string `mapstructure:"url"` + Insecure bool `mapstructure:"insecure"` +} + type serverConfigOutboundEntry struct { Name string `mapstructure:"name"` Type string `mapstructure:"type"` Direct serverConfigOutboundDirect `mapstructure:"direct"` SOCKS5 serverConfigOutboundSOCKS5 `mapstructure:"socks5"` + HTTP serverConfigOutboundHTTP `mapstructure:"http"` } type serverConfigTrafficStats struct { @@ -395,6 +401,13 @@ func serverConfigOutboundSOCKS5ToOutbound(c serverConfigOutboundSOCKS5) (outboun return outbounds.NewSOCKS5Outbound(c.Addr, c.Username, c.Password), nil } +func serverConfigOutboundHTTPToOutbound(c serverConfigOutboundHTTP) (outbounds.PluggableOutbound, error) { + if c.URL == "" { + return nil, configError{Field: "outbounds.http.url", Err: errors.New("empty http address")} + } + return outbounds.NewHTTPOutbound(c.URL, c.Insecure) +} + func (c *serverConfig) fillOutboundConfig(hyConfig *server.Config) error { // Resolver, ACL, actual outbound are all implemented through the Outbound interface. // Depending on the config, we build a chain like this: @@ -421,6 +434,8 @@ func (c *serverConfig) fillOutboundConfig(hyConfig *server.Config) error { ob, err = serverConfigOutboundDirectToOutbound(entry.Direct) case "socks5": ob, err = serverConfigOutboundSOCKS5ToOutbound(entry.SOCKS5) + case "http": + ob, err = serverConfigOutboundHTTPToOutbound(entry.HTTP) default: err = configError{Field: "outbounds.type", Err: errors.New("unsupported outbound type")} } diff --git a/app/cmd/server_test.go b/app/cmd/server_test.go index 73bce1c..09bde78 100644 --- a/app/cmd/server_test.go +++ b/app/cmd/server_test.go @@ -123,6 +123,14 @@ func TestServerConfig(t *testing.T) { Password: "Elliot Alderson", }, }, + { + Name: "weirdstuff", + Type: "http", + HTTP: serverConfigOutboundHTTP{ + URL: "https://eyy.lmao:4443/goofy", + Insecure: true, + }, + }, }, TrafficStats: serverConfigTrafficStats{ Listen: ":9999", diff --git a/app/cmd/server_test.yaml b/app/cmd/server_test.yaml index 27e09f0..03c9df2 100644 --- a/app/cmd/server_test.yaml +++ b/app/cmd/server_test.yaml @@ -91,6 +91,11 @@ outbounds: addr: shady.proxy.ru:1080 username: hackerman password: Elliot Alderson + - name: weirdstuff + type: http + http: + url: https://eyy.lmao:4443/goofy + insecure: true trafficStats: listen: :9999 diff --git a/extras/outbounds/ob_http.go b/extras/outbounds/ob_http.go new file mode 100644 index 0000000..48d5aac --- /dev/null +++ b/extras/outbounds/ob_http.go @@ -0,0 +1,190 @@ +package outbounds + +import ( + "bufio" + "bytes" + "crypto/tls" + "encoding/base64" + "errors" + "fmt" + "io" + "net" + "net/http" + "net/url" + "strconv" + "time" +) + +const ( + httpRequestTimeout = 10 * time.Second +) + +var ( + errHTTPUDPNotSupported = errors.New("UDP not supported by HTTP proxy") + errHTTPUnsupportedScheme = errors.New("unsupported scheme for HTTP proxy (use http:// or https://)") +) + +type errHTTPRequestFailed struct { + Status int +} + +func (e errHTTPRequestFailed) Error() string { + return fmt.Sprintf("HTTP request failed: %d", e.Status) +} + +// httpOutbound is a PluggableOutbound that connects to the target using +// an HTTP/HTTPS proxy server (that supports the CONNECT method). +// HTTP proxies don't support UDP by design, so this outbound will reject +// any UDP request with errHTTPUDPNotSupported. +// Since HTTP proxies support using either IP or domain name as the target +// address, it will ignore ResolveInfo in AddrEx and always only use Host. +type httpOutbound struct { + Dialer *net.Dialer + Addr string + HTTPS bool + Insecure bool + ServerName string + BasicAuth string // This is after Base64 encoding +} + +func NewHTTPOutbound(proxyURL string, insecure bool) (PluggableOutbound, error) { + u, err := url.Parse(proxyURL) + if err != nil { + return nil, err + } + if u.Scheme != "http" && u.Scheme != "https" { + return nil, errHTTPUnsupportedScheme + } + addr := u.Host + if u.Port() == "" { + if u.Scheme == "http" { + addr = net.JoinHostPort(u.Host, "80") + } else { + addr = net.JoinHostPort(u.Host, "443") + } + } + var basicAuth string + if u.User != nil { + username := u.User.Username() + password, _ := u.User.Password() + basicAuth = "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password)) + } + return &httpOutbound{ + Dialer: &net.Dialer{Timeout: defaultDialerTimeout}, + Addr: addr, + HTTPS: u.Scheme == "https", + Insecure: insecure, + ServerName: u.Hostname(), + BasicAuth: basicAuth, + }, nil +} + +func (o *httpOutbound) dial() (net.Conn, error) { + conn, err := o.Dialer.Dial("tcp", o.Addr) + if err != nil { + return nil, err + } + if o.HTTPS { + // Wrap the connection with TLS if the proxy is HTTPS. + conn = tls.Client(conn, &tls.Config{ + InsecureSkipVerify: o.Insecure, + ServerName: o.Addr, + }) + } + return conn, nil +} + +func (o *httpOutbound) addrExToRequest(reqAddr *AddrEx) (*http.Request, error) { + req := &http.Request{ + Method: http.MethodConnect, + URL: &url.URL{ + Host: net.JoinHostPort(reqAddr.Host, strconv.Itoa(int(reqAddr.Port))), + }, + Header: http.Header{ + "Proxy-Connection": []string{"Keep-Alive"}, + }, + } + if o.BasicAuth != "" { + req.Header.Add("Proxy-Authorization", o.BasicAuth) + } + return req, nil +} + +func (o *httpOutbound) TCP(reqAddr *AddrEx) (net.Conn, error) { + req, err := o.addrExToRequest(reqAddr) + if err != nil { + return nil, err + } + conn, err := o.dial() + if err != nil { + return nil, err + } + if err := req.Write(conn); err != nil { + _ = conn.Close() + return nil, err + } + if err := conn.SetDeadline(time.Now().Add(httpRequestTimeout)); err != nil { + _ = conn.Close() + return nil, err + } + bufReader := bufio.NewReader(conn) + resp, err := http.ReadResponse(bufReader, req) + if resp != nil { + // Don't need response body here. + _ = resp.Body.Close() + } + if err != nil { + _ = conn.Close() + return nil, err + } + if resp.StatusCode != http.StatusOK { + _ = conn.Close() + return nil, errHTTPRequestFailed{resp.StatusCode} + } + if err := conn.SetDeadline(time.Time{}); err != nil { + _ = conn.Close() + return nil, err + } + if bufReader.Buffered() > 0 { + // There is still data in the buffered reader. + // We need to get it out and put it into a cachedConn, + // so that handleConnect can read it. + data := make([]byte, bufReader.Buffered()) + _, err := io.ReadFull(bufReader, data) + if err != nil { + // Read from buffer failed, is this possible? + _ = conn.Close() + return nil, err + } + cachedConn := &cachedConn{ + Conn: conn, + Buffer: *bytes.NewBuffer(data), + } + return cachedConn, nil + } else { + return conn, nil + } +} + +func (o *httpOutbound) UDP(reqAddr *AddrEx) (UDPConn, error) { + return nil, errHTTPUDPNotSupported +} + +// cachedConn is a net.Conn wrapper that first Read()s from a buffer, +// and then from the underlying net.Conn when the buffer is drained. +type cachedConn struct { + net.Conn + Buffer bytes.Buffer +} + +func (c *cachedConn) Read(b []byte) (int, error) { + if c.Buffer.Len() > 0 { + n, err := c.Buffer.Read(b) + if err == io.EOF { + // Buffer is drained, hide it from the caller + err = nil + } + return n, err + } + return c.Conn.Read(b) +}