ei
/
mtg
镜像自地址 https://github.com/9seconds/mtg
关注 1
点赞 0
派生 0
代码 工单 0 版本发布 48 百科 动态
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
638 提交
4 分支
目录树: 4c38ea2b11
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '4c38ea2b11'
${ noResults }
mtg/mtglib/proxy.go

proxy.go 7.2KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305 
  1. package mtglib

  2. 

  3. import (

  4. 	"context"

  5. 	"errors"

  6. 	"fmt"

  7. 	"net"

  8. 	"strconv"

  9. 	"sync"

  10. 	"time"

  11. 

  12. 	"github.com/9seconds/mtg/v2/mtglib/internal/faketls"

  13. 	"github.com/9seconds/mtg/v2/mtglib/internal/faketls/record"

  14. 	"github.com/9seconds/mtg/v2/mtglib/internal/obfuscated2"

  15. 	"github.com/9seconds/mtg/v2/mtglib/internal/relay"

  16. 	"github.com/9seconds/mtg/v2/mtglib/internal/telegram"

  17. 	"github.com/panjf2000/ants/v2"

  18. )

  19. 

  20. type Proxy struct {

  21. 	ctx             context.Context

  22. 	ctxCancel       context.CancelFunc

  23. 	streamWaitGroup sync.WaitGroup

  24. 

  25. 	idleTimeout        time.Duration

  26. 	bufferSize         int

  27. 	domainFrontingPort int

  28. 	workerPool         *ants.PoolWithFunc

  29. 	telegram           *telegram.Telegram

  30. 

  31. 	secret             Secret

  32. 	network            Network

  33. 	antiReplayCache    AntiReplayCache

  34. 	timeAttackDetector TimeAttackDetector

  35. 	ipBlocklist        IPBlocklist

  36. 	eventStream        EventStream

  37. 	logger             Logger

  38. }

  39. 

  40. func (p *Proxy) DomainFrontingAddress() string {

  41. 	return net.JoinHostPort(p.secret.Host, strconv.Itoa(p.domainFrontingPort))

  42. }

  43. 

  44. func (p *Proxy) ServeConn(conn net.Conn) {

  45. 	p.streamWaitGroup.Add(1)

  46. 	defer p.streamWaitGroup.Done()

  47. 

  48. 	ctx := newStreamContext(p.ctx, p.logger, conn)

  49. 	defer ctx.Close()

  50. 

  51. 	go func() {

  52. 		<-ctx.Done()

  53. 		ctx.Close()

  54. 	}()

  55. 

  56. 	p.eventStream.Send(ctx, NewEventStart(ctx.streamID, ctx.ClientIP()))

  57. 	ctx.logger.Info("Stream has been started")

  58. 

  59. 	defer func() {

  60. 		p.eventStream.Send(ctx, NewEventFinish(ctx.streamID))

  61. 		ctx.logger.Info("Stream has been finished")

  62. 	}()

  63. 

  64. 	if !p.doFakeTLSHandshake(ctx) {

  65. 		return

  66. 	}

  67. 

  68. 	if err := p.doObfuscated2Handshake(ctx); err != nil {

  69. 		p.logger.InfoError("obfuscated2 handshake is failed", err)

  70. 

  71. 		return

  72. 	}

  73. 

  74. 	if err := p.doTelegramCall(ctx); err != nil {

  75. 		p.logger.WarningError("cannot dial to telegram", err)

  76. 

  77. 		return

  78. 	}

  79. 

  80. 	rel := relay.AcquireRelay(ctx,

  81. 		p.logger.Named("relay"), p.bufferSize, p.idleTimeout)

  82. 	defer relay.ReleaseRelay(rel)

  83. 

  84. 	if err := rel.Process(ctx.clientConn, ctx.telegramConn); err != nil {

  85. 		p.logger.DebugError("relay has been finished", err)

  86. 	}

  87. }

  88. 

  89. func (p *Proxy) Serve(listener net.Listener) error {

  90. 	p.streamWaitGroup.Add(1)

  91. 	defer p.streamWaitGroup.Done()

  92. 

  93. 	for {

  94. 		conn, err := listener.Accept()

  95. 		if err != nil {

  96. 			return fmt.Errorf("cannot accept a new connection: %w", err)

  97. 		}

  98. 

  99. 		ipAddr := conn.RemoteAddr().(*net.TCPAddr).IP

  100. 		logger := p.logger.BindStr("ip", ipAddr.String())

  101. 

  102. 		if p.ipBlocklist.Contains(ipAddr) {

  103. 			conn.Close()

  104. 			logger.Info("ip was blacklisted")

  105. 			p.eventStream.Send(p.ctx, NewEventIPBlocklisted(ipAddr))

  106. 

  107. 			continue

  108. 		}

  109. 

  110. 		err = p.workerPool.Invoke(conn)

  111. 

  112. 		switch {

  113. 		case err == nil:

  114. 		case errors.Is(err, ants.ErrPoolClosed):

  115. 			return nil

  116. 		case errors.Is(err, ants.ErrPoolOverload):

  117. 			logger.Info("connection was concurrency limited")

  118. 			p.eventStream.Send(p.ctx, NewEventConcurrencyLimited())

  119. 		}

  120. 

  121. 		select {

  122. 		case <-p.ctx.Done():

  123. 			return p.ctx.Err()

  124. 		default:

  125. 		}

  126. 	}

  127. }

  128. 

  129. func (p *Proxy) Shutdown() {

  130. 	p.ctxCancel()

  131. 	p.streamWaitGroup.Wait()

  132. 	p.workerPool.Release()

  133. }

  134. 

  135. func (p *Proxy) doFakeTLSHandshake(ctx *streamContext) bool {

  136. 	rec := record.AcquireRecord()

  137. 	defer record.ReleaseRecord(rec)

  138. 

  139. 	rewind := newConnRewind(ctx.clientConn)

  140. 

  141. 	if err := rec.Read(rewind); err != nil {

  142. 		p.logger.InfoError("cannot read client hello", err)

  143. 		p.doDomainFronting(ctx, rewind)

  144. 

  145. 		return false

  146. 	}

  147. 

  148. 	hello, err := faketls.ParseClientHello(p.secret.Key[:], rec.Payload.Bytes())

  149. 	if err != nil {

  150. 		p.logger.InfoError("cannot parse client hello", err)

  151. 		p.doDomainFronting(ctx, rewind)

  152. 

  153. 		return false

  154. 	}

  155. 

  156. 	if hello.Host != "" && hello.Host != p.secret.Host {

  157. 		p.logger.BindStr("hostname", hello.Host).Info("incorrect domain was found in SNI")

  158. 		p.doDomainFronting(ctx, rewind)

  159. 

  160. 		return false

  161. 	}

  162. 

  163. 	if err := p.timeAttackDetector.Valid(hello.Time); err != nil {

  164. 		p.logger.InfoError("invalid faketls time", err)

  165. 		p.doDomainFronting(ctx, rewind)

  166. 

  167. 		return false

  168. 	}

  169. 

  170. 	if p.antiReplayCache.SeenBefore(hello.SessionID) {

  171. 		p.logger.Warning("replay attack has been detected!")

  172. 		p.eventStream.Send(p.ctx, NewEventReplayAttack(ctx.streamID))

  173. 		p.doDomainFronting(ctx, rewind)

  174. 

  175. 		return false

  176. 	}

  177. 

  178. 	if err := faketls.SendWelcomePacket(rewind, p.secret.Key[:], hello); err != nil {

  179. 		p.logger.InfoError("cannot send welcome packet", err)

  180. 

  181. 		return false

  182. 	}

  183. 

  184. 	ctx.clientConn = &faketls.Conn{

  185. 		Conn: ctx.clientConn,

  186. 	}

  187. 

  188. 	return true

  189. }

  190. 

  191. func (p *Proxy) doObfuscated2Handshake(ctx *streamContext) error {

  192. 	dc, encryptor, decryptor, err := obfuscated2.ClientHandshake(p.secret.Key[:], ctx.clientConn)

  193. 	if err != nil {

  194. 		return fmt.Errorf("cannot process client handshake: %w", err)

  195. 	}

  196. 

  197. 	ctx.dc = dc

  198. 	ctx.logger = ctx.logger.BindInt("dc", dc)

  199. 	ctx.clientConn = obfuscated2.Conn{

  200. 		Conn:      ctx.clientConn,

  201. 		Encryptor: encryptor,

  202. 		Decryptor: decryptor,

  203. 	}

  204. 

  205. 	return nil

  206. }

  207. 

  208. func (p *Proxy) doTelegramCall(ctx *streamContext) error {

  209. 	conn, err := p.telegram.Dial(ctx, ctx.dc)

  210. 	if err != nil {

  211. 		return fmt.Errorf("cannot dial to Telegram: %w", err)

  212. 	}

  213. 

  214. 	encryptor, decryptor, err := obfuscated2.ServerHandshake(conn)

  215. 	if err != nil {

  216. 		conn.Close()

  217. 

  218. 		return fmt.Errorf("cannot perform obfuscated2 handshake: %w", err)

  219. 	}

  220. 

  221. 	ctx.telegramConn = obfuscated2.Conn{

  222. 		Conn: connTraffic{

  223. 			Conn:     conn,

  224. 			streamID: ctx.streamID,

  225. 			stream:   p.eventStream,

  226. 			ctx:      ctx,

  227. 		},

  228. 		Encryptor: encryptor,

  229. 		Decryptor: decryptor,

  230. 	}

  231. 

  232. 	p.eventStream.Send(ctx,

  233. 		NewEventConnectedToDC(ctx.streamID, conn.RemoteAddr().(*net.TCPAddr).IP, ctx.dc))

  234. 

  235. 	return nil

  236. }

  237. 

  238. func (p *Proxy) doDomainFronting(ctx *streamContext, conn *connRewind) {

  239. 	p.eventStream.Send(p.ctx, NewEventDomainFronting(ctx.streamID))

  240. 	conn.Rewind()

  241. 

  242. 	frontConn, err := p.network.DialContext(ctx, "tcp", p.DomainFrontingAddress())

  243. 	if err != nil {

  244. 		p.logger.WarningError("cannot dial to the fronting domain", err)

  245. 

  246. 		return

  247. 	}

  248. 

  249. 	frontConn = connTraffic{

  250. 		Conn:     frontConn,

  251. 		ctx:      ctx,

  252. 		streamID: ctx.streamID,

  253. 		stream:   p.eventStream,

  254. 	}

  255. 

  256. 	rel := relay.AcquireRelay(ctx,

  257. 		p.logger.Named("domain-fronting"), p.bufferSize, p.idleTimeout)

  258. 	defer relay.ReleaseRelay(rel)

  259. 

  260. 	if err := rel.Process(conn, frontConn); err != nil {

  261. 		p.logger.DebugError("domain fronting relay has been finished", err)

  262. 	}

  263. }

  264. 

  265. func NewProxy(opts ProxyOpts) (*Proxy, error) {

  266. 	if err := opts.valid(); err != nil {

  267. 		return nil, fmt.Errorf("invalid settings: %w", err)

  268. 	}

  269. 

  270. 	tg, err := telegram.New(opts.Network, opts.getPreferIP())

  271. 	if err != nil {

  272. 		return nil, fmt.Errorf("cannot build telegram dialer: %w", err)

  273. 	}

  274. 

  275. 	ctx, cancel := context.WithCancel(context.Background())

  276. 	proxy := &Proxy{

  277. 		ctx:                ctx,

  278. 		ctxCancel:          cancel,

  279. 		secret:             opts.Secret,

  280. 		network:            opts.Network,

  281. 		antiReplayCache:    opts.AntiReplayCache,

  282. 		timeAttackDetector: opts.TimeAttackDetector,

  283. 		ipBlocklist:        opts.IPBlocklist,

  284. 		eventStream:        opts.EventStream,

  285. 		logger:             opts.getLogger("proxy"),

  286. 		domainFrontingPort: opts.getDomainFrontingPort(),

  287. 		idleTimeout:        opts.getIdleTimeout(),

  288. 		bufferSize:         opts.getBufferSize(),

  289. 		telegram:           tg,

  290. 	}

  291. 

  292. 	pool, err := ants.NewPoolWithFunc(opts.getConcurrency(),

  293. 		func(arg interface{}) {

  294. 			proxy.ServeConn(arg.(net.Conn))

  295. 		},

  296. 		ants.WithLogger(opts.getLogger("ants")),

  297. 		ants.WithNonblocking(true))

  298. 	if err != nil {

  299. 		panic(err)

  300. 	}

  301. 

  302. 	proxy.workerPool = pool

  303. 

  304. 	return proxy, nil

  305. }