ei
/
mtg
ミラー元 https://github.com/9seconds/mtg
ウォッチ 1
スター 0
フォーク 0
コード 課題 0 リリース 48 Wiki アクティビティ
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
1166 コミット
9 ブランチ
ツリー: 5c4843f6ee
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'5c4843f6ee' から
${ noResults }
mtg/internal/cli/run_proxy.go

run_proxy.go 11KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422 
  1. package cli

  2. 

  3. import (

  4. 	"context"

  5. 	"fmt"

  6. 	"net"

  7. 	"os"

  8. 	"strings"

  9. 	"time"

  10. 

  11. 	"github.com/9seconds/mtg/v2/antireplay"

  12. 	"github.com/9seconds/mtg/v2/events"

  13. 	"github.com/9seconds/mtg/v2/internal/config"

  14. 	"github.com/9seconds/mtg/v2/internal/proxyprotocol"

  15. 	"github.com/9seconds/mtg/v2/internal/utils"

  16. 	"github.com/9seconds/mtg/v2/ipblocklist"

  17. 	"github.com/9seconds/mtg/v2/ipblocklist/files"

  18. 	"github.com/9seconds/mtg/v2/logger"

  19. 	"github.com/9seconds/mtg/v2/mtglib"

  20. 	"github.com/9seconds/mtg/v2/network/v2"

  21. 	"github.com/9seconds/mtg/v2/stats"

  22. 	"github.com/pires/go-proxyproto"

  23. 	"github.com/rs/zerolog"

  24. 	"github.com/yl2chen/cidranger"

  25. )

  26. 

  27. func makeLogger(conf *config.Config) mtglib.Logger {

  28. 	zerolog.TimeFieldFormat = logTimeFormat(conf.LogTimeFormat)

  29. 	zerolog.TimestampFieldName = "timestamp"

  30. 	zerolog.LevelFieldName = "level"

  31. 

  32. 	if conf.Debug.Get(false) {

  33. 		zerolog.SetGlobalLevel(zerolog.DebugLevel)

  34. 	} else {

  35. 		zerolog.SetGlobalLevel(zerolog.WarnLevel)

  36. 	}

  37. 

  38. 	baseLogger := zerolog.New(os.Stdout).With().Timestamp().Logger()

  39. 

  40. 	return logger.NewZeroLogger(baseLogger)

  41. }

  42. 

  43. func logTimeFormat(value string) string {

  44. 	switch strings.ToLower(strings.TrimSpace(value)) {

  45. 	case "", "unix-ms":

  46. 		return zerolog.TimeFormatUnixMs

  47. 	case "unix":

  48. 		return zerolog.TimeFormatUnix

  49. 	case "unix-micro":

  50. 		return zerolog.TimeFormatUnixMicro

  51. 	case "unix-nano":

  52. 		return zerolog.TimeFormatUnixNano

  53. 	case "rfc3339":

  54. 		return time.RFC3339

  55. 	case "rfc3339-nano":

  56. 		return time.RFC3339Nano

  57. 	default:

  58. 		return value

  59. 	}

  60. }

  61. 

  62. func makeNetwork(conf *config.Config, version string) (mtglib.Network, error) {

  63. 	resolver, err := network.GetDNS(conf.GetDNS())

  64. 	if err != nil {

  65. 		return nil, fmt.Errorf("cannot create DNS resolver: %w", err)

  66. 	}

  67. 

  68. 	base := network.New(

  69. 		resolver,

  70. 		"",

  71. 		conf.Network.Timeout.TCP.Get(0),

  72. 		conf.Network.Timeout.HTTP.Get(0),

  73. 		conf.Network.Timeout.Idle.Get(0),

  74. 		net.KeepAliveConfig{

  75. 			Enable:   !conf.Network.KeepAlive.Disabled.Get(false),

  76. 			Idle:     conf.Network.KeepAlive.Idle.Get(0),

  77. 			Interval: conf.Network.KeepAlive.Interval.Get(0),

  78. 			Count:    int(conf.Network.KeepAlive.Count.Get(0)),

  79. 		},

  80. 		int(conf.Network.TCPNotSentLowat.Get(network.DefaultTCPNotSentLowat)),

  81. 	)

  82. 

  83. 	proxyDialers := make([]mtglib.Network, len(conf.Network.Proxies))

  84. 	for idx, v := range conf.Network.Proxies {

  85. 		value, err := network.NewProxyNetwork(base, v.Get(nil))

  86. 		if err != nil {

  87. 			return nil, fmt.Errorf("cannot use %v for proxy url: %w", v.Get(nil), err)

  88. 		}

  89. 		proxyDialers[idx] = value

  90. 	}

  91. 

  92. 	switch len(proxyDialers) {

  93. 	case 0:

  94. 		return base, nil

  95. 	case 1:

  96. 		return proxyDialers[0], nil

  97. 	}

  98. 

  99. 	value, err := network.Join(proxyDialers...)

  100. 	if err != nil {

  101. 		panic(err)

  102. 	}

  103. 

  104. 	return value, nil

  105. }

  106. 

  107. func makeAntiReplayCache(conf *config.Config) mtglib.AntiReplayCache {

  108. 	if !conf.Defense.AntiReplay.Enabled.Get(false) {

  109. 		return antireplay.NewNoop()

  110. 	}

  111. 

  112. 	return antireplay.NewStableBloomFilter(

  113. 		conf.Defense.AntiReplay.MaxSize.Get(antireplay.DefaultStableBloomFilterMaxSize),

  114. 		conf.Defense.AntiReplay.ErrorRate.Get(antireplay.DefaultStableBloomFilterErrorRate),

  115. 	)

  116. }

  117. 

  118. func makeIPBlocklist(conf config.ListConfig,

  119. 	logger mtglib.Logger,

  120. 	ntw mtglib.Network,

  121. 	updateCallback ipblocklist.FireholUpdateCallback,

  122. ) (mtglib.IPBlocklist, error) {

  123. 	if !conf.Enabled.Get(false) {

  124. 		return ipblocklist.NewNoop(), nil

  125. 	}

  126. 

  127. 	remoteURLs := []string{}

  128. 	localFiles := []string{}

  129. 

  130. 	for _, v := range conf.URLs {

  131. 		if v.IsRemote() {

  132. 			remoteURLs = append(remoteURLs, v.String())

  133. 		} else {

  134. 			localFiles = append(localFiles, v.String())

  135. 		}

  136. 	}

  137. 

  138. 	blocklist, err := ipblocklist.NewFirehol(logger.Named("ipblockist"),

  139. 		ntw,

  140. 		conf.DownloadConcurrency.Get(1),

  141. 		remoteURLs,

  142. 		localFiles,

  143. 		updateCallback)

  144. 	if err != nil {

  145. 		return nil, fmt.Errorf("incorrect parameters for firehol: %w", err)

  146. 	}

  147. 

  148. 	go blocklist.Run(conf.UpdateEach.Get(ipblocklist.DefaultFireholUpdateEach))

  149. 

  150. 	return blocklist, nil

  151. }

  152. 

  153. func makeIPAllowlist(conf config.ListConfig,

  154. 	logger mtglib.Logger,

  155. 	ntw mtglib.Network,

  156. 	updateCallback ipblocklist.FireholUpdateCallback,

  157. ) (mtglib.IPBlocklist, error) {

  158. 	var (

  159. 		allowlist mtglib.IPBlocklist

  160. 		err       error

  161. 	)

  162. 

  163. 	if !conf.Enabled.Get(false) {

  164. 		allowlist, err = ipblocklist.NewFireholFromFiles(

  165. 			logger.Named("ipblocklist"),

  166. 			1,

  167. 			[]files.File{

  168. 				files.NewMem([]*net.IPNet{

  169. 					cidranger.AllIPv4,

  170. 					cidranger.AllIPv6,

  171. 				}),

  172. 			},

  173. 			updateCallback,

  174. 		)

  175. 

  176. 		go allowlist.Run(conf.UpdateEach.Get(ipblocklist.DefaultFireholUpdateEach))

  177. 	} else {

  178. 		allowlist, err = makeIPBlocklist(

  179. 			conf,

  180. 			logger,

  181. 			ntw,

  182. 			updateCallback,

  183. 		)

  184. 	}

  185. 

  186. 	if err != nil {

  187. 		return nil, fmt.Errorf("cannot build allowlist: %w", err)

  188. 	}

  189. 

  190. 	return allowlist, nil

  191. }

  192. 

  193. func makeEventStream(conf *config.Config, logger mtglib.Logger) (mtglib.EventStream, error) {

  194. 	factories := make([]events.ObserverFactory, 0, 2)

  195. 

  196. 	if conf.Stats.StatsD.Enabled.Get(false) {

  197. 		statsdFactory, err := stats.NewStatsd(

  198. 			conf.Stats.StatsD.Address.Get(""),

  199. 			logger.Named("statsd"),

  200. 			conf.Stats.StatsD.MetricPrefix.Get(stats.DefaultStatsdMetricPrefix),

  201. 			conf.Stats.StatsD.TagFormat.Get(stats.DefaultStatsdTagFormat))

  202. 		if err != nil {

  203. 			return nil, fmt.Errorf("cannot build statsd observer: %w", err)

  204. 		}

  205. 

  206. 		factories = append(factories, statsdFactory.Make)

  207. 	}

  208. 

  209. 	if conf.Stats.Prometheus.Enabled.Get(false) {

  210. 		prometheus := stats.NewPrometheus(

  211. 			conf.Stats.Prometheus.MetricPrefix.Get(stats.DefaultMetricPrefix),

  212. 			conf.Stats.Prometheus.HTTPPath.Get("/"),

  213. 		)

  214. 

  215. 		listener, err := net.Listen("tcp", conf.Stats.Prometheus.BindTo.Get(""))

  216. 		if err != nil {

  217. 			return nil, fmt.Errorf("cannot start a listener for prometheus: %w", err)

  218. 		}

  219. 

  220. 		go prometheus.Serve(listener) //nolint: errcheck

  221. 

  222. 		factories = append(factories, prometheus.Make)

  223. 	}

  224. 

  225. 	if len(factories) > 0 {

  226. 		return events.NewEventStream(factories), nil

  227. 	}

  228. 

  229. 	return events.NewNoopStream(), nil

  230. }

  231. 

  232. func warnSNIMismatch(conf *config.Config, ntw mtglib.Network, log mtglib.Logger) {

  233. 	host := conf.Secret.Host

  234. 	if host == "" {

  235. 		return

  236. 	}

  237. 

  238. 	addresses, err := net.DefaultResolver.LookupIPAddr(context.Background(), host)

  239. 	if err != nil {

  240. 		log.BindStr("hostname", host).

  241. 			WarningError("SNI-DNS check: cannot resolve secret hostname", err)

  242. 		return

  243. 	}

  244. 

  245. 	ourIP4 := conf.PublicIPv4.Get(nil)

  246. 	if ourIP4 == nil {

  247. 		ourIP4 = getIP(ntw, "tcp4")

  248. 	}

  249. 

  250. 	ourIP6 := conf.PublicIPv6.Get(nil)

  251. 	if ourIP6 == nil {

  252. 		ourIP6 = getIP(ntw, "tcp6")

  253. 	}

  254. 

  255. 	if ourIP4 == nil && ourIP6 == nil {

  256. 		log.Warning("SNI-DNS check: cannot detect public IP address; set public-ipv4/public-ipv6 in config or run 'mtg doctor'")

  257. 		return

  258. 	}

  259. 

  260. 	v4Match := ourIP4 == nil

  261. 	v6Match := ourIP6 == nil

  262. 

  263. 	for _, addr := range addresses {

  264. 		if ourIP4 != nil && addr.IP.String() == ourIP4.String() {

  265. 			v4Match = true

  266. 		}

  267. 

  268. 		if ourIP6 != nil && addr.IP.String() == ourIP6.String() {

  269. 			v6Match = true

  270. 		}

  271. 	}

  272. 

  273. 	if v4Match && v6Match {

  274. 		return

  275. 	}

  276. 

  277. 	resolved := make([]string, 0, len(addresses))

  278. 	for _, addr := range addresses {

  279. 		resolved = append(resolved, addr.IP.String())

  280. 	}

  281. 

  282. 	our := ""

  283. 	if ourIP4 != nil {

  284. 		our = ourIP4.String()

  285. 	}

  286. 

  287. 	if ourIP6 != nil {

  288. 		if our != "" {

  289. 			our += "/"

  290. 		}

  291. 

  292. 		our += ourIP6.String()

  293. 	}

  294. 

  295. 	entry := log.BindStr("hostname", host).

  296. 		BindStr("resolved", strings.Join(resolved, ", ")).

  297. 		BindStr("public_ip", our)

  298. 

  299. 	if ourIP4 != nil {

  300. 		entry = entry.BindStr("ipv4_match", fmt.Sprintf("%t", v4Match))

  301. 	}

  302. 

  303. 	if ourIP6 != nil {

  304. 		entry = entry.BindStr("ipv6_match", fmt.Sprintf("%t", v6Match))

  305. 	}

  306. 

  307. 	entry.Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +

  308. 		"DPI may detect and block the proxy. See 'mtg doctor' for details")

  309. }

  310. 

  311. func warnDeprecatedDomainFronting(conf *config.Config, log mtglib.Logger) {

  312. 	if conf.DomainFrontingIP.Value != nil {

  313. 		log.Warning(`config option "domain-fronting-ip" is deprecated and ignored; use "host" in [domain-fronting] instead`)

  314. 	}

  315. 

  316. 	if conf.DomainFronting.IP.Value != nil {

  317. 		log.Warning(`config option "ip" in [domain-fronting] is deprecated and ignored; use "host" instead`)

  318. 	}

  319. }

  320. 

  321. func runProxy(conf *config.Config, version string) error { //nolint: funlen, cyclop

  322. 	logger := makeLogger(conf)

  323. 

  324. 	logger.BindJSON("configuration", conf.String()).Debug("configuration")

  325. 

  326. 	warnDeprecatedDomainFronting(conf, logger)

  327. 

  328. 	eventStream, err := makeEventStream(conf, logger)

  329. 	if err != nil {

  330. 		return fmt.Errorf("cannot build event stream: %w", err)

  331. 	}

  332. 

  333. 	ntw, err := makeNetwork(conf, version)

  334. 	if err != nil {

  335. 		return fmt.Errorf("cannot build network: %w", err)

  336. 	}

  337. 

  338. 	warnSNIMismatch(conf, ntw, logger)

  339. 

  340. 	blocklist, err := makeIPBlocklist(

  341. 		conf.Defense.Blocklist,

  342. 		logger.Named("blocklist"),

  343. 		ntw,

  344. 		func(ctx context.Context, size int) {

  345. 			eventStream.Send(ctx, mtglib.NewEventIPListSize(size, true))

  346. 		})

  347. 	if err != nil {

  348. 		return fmt.Errorf("cannot build ip blocklist: %w", err)

  349. 	}

  350. 

  351. 	allowlist, err := makeIPAllowlist(

  352. 		conf.Defense.Allowlist,

  353. 		logger.Named("allowlist"),

  354. 		ntw,

  355. 		func(ctx context.Context, size int) {

  356. 			eventStream.Send(ctx, mtglib.NewEventIPListSize(size, false))

  357. 		},

  358. 	)

  359. 	if err != nil {

  360. 		return fmt.Errorf("cannot build ip allowlist: %w", err)

  361. 	}

  362. 

  363. 	doppelGangerURLs := make([]string, len(conf.Defense.Doppelganger.URLs))

  364. 	for i, v := range conf.Defense.Doppelganger.URLs {

  365. 		doppelGangerURLs[i] = v.String()

  366. 	}

  367. 

  368. 	opts := mtglib.ProxyOpts{

  369. 		Logger:          logger,

  370. 		Network:         ntw,

  371. 		AntiReplayCache: makeAntiReplayCache(conf),

  372. 		IPBlocklist:     blocklist,

  373. 		IPAllowlist:     allowlist,

  374. 		EventStream:     eventStream,

  375. 

  376. 		Secret:                      conf.Secret,

  377. 		Concurrency:                 conf.GetConcurrency(mtglib.DefaultConcurrency),

  378. 		DomainFrontingPort:          conf.GetDomainFrontingPort(mtglib.DefaultDomainFrontingPort),

  379. 		DomainFrontingHost:          conf.GetDomainFrontingHost(),

  380. 		DomainFrontingProxyProtocol: conf.GetDomainFrontingProxyProtocol(false),

  381. 		PreferIP:                    conf.PreferIP.Get(mtglib.DefaultPreferIP),

  382. 		AutoUpdate:                  conf.AutoUpdate.Get(false),

  383. 

  384. 		AllowFallbackOnUnknownDC: conf.AllowFallbackOnUnknownDC.Get(false),

  385. 		TolerateTimeSkewness:     conf.TolerateTimeSkewness.Value,

  386. 		IdleTimeout:              conf.Network.Timeout.Idle.Get(mtglib.DefaultIdleTimeout),

  387. 		HandshakeTimeout:         conf.Network.Timeout.Handshake.Get(mtglib.DefaultHandshakeTimeout),

  388. 

  389. 		DoppelGangerURLs:    doppelGangerURLs,

  390. 		DoppelGangerPerRaid: conf.Defense.Doppelganger.Repeats.Get(mtglib.DoppelGangerPerRaid),

  391. 		DoppelGangerEach:    conf.Defense.Doppelganger.UpdateEach.Get(mtglib.DoppelGangerEach),

  392. 		DoppelGangerDRS:     conf.Defense.Doppelganger.DRS.Get(false),

  393. 	}

  394. 

  395. 	proxy, err := mtglib.NewProxy(opts)

  396. 	if err != nil {

  397. 		return fmt.Errorf("cannot create a proxy: %w", err)

  398. 	}

  399. 

  400. 	listener, err := utils.NewListener(conf.BindTo.Get(""), 0)

  401. 	if err != nil {

  402. 		return fmt.Errorf("cannot start proxy: %w", err)

  403. 	}

  404. 

  405. 	if conf.ProxyProtocolListener.Get(false) {

  406. 		listener = &proxyprotocol.ListenerAdapter{

  407. 			Listener: proxyproto.Listener{

  408. 				Listener: listener,

  409. 			},

  410. 		}

  411. 	}

  412. 

  413. 	ctx := utils.RootContext()

  414. 

  415. 	go proxy.Serve(listener) //nolint: errcheck

  416. 

  417. 	<-ctx.Done()

  418. 	listener.Close() //nolint: errcheck

  419. 	proxy.Shutdown()

  420. 

  421. 	return nil

  422. }