ei
/
mtg
зеркало из https://github.com/9seconds/mtg
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Релизы 48 Вики Активность
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
1113 коммитов
4 Ветки
Дерево: 81e5a5ac82
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из '81e5a5ac82'
${ noResults }
mtg/internal/cli/run_proxy.go

run_proxy.go 9.5KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366 
  1. package cli

  2. 

  3. import (

  4. 	"context"

  5. 	"fmt"

  6. 	"net"

  7. 	"os"

  8. 	"strings"

  9. 

  10. 	"github.com/9seconds/mtg/v2/antireplay"

  11. 	"github.com/9seconds/mtg/v2/events"

  12. 	"github.com/9seconds/mtg/v2/internal/config"

  13. 	"github.com/9seconds/mtg/v2/internal/proxyprotocol"

  14. 	"github.com/9seconds/mtg/v2/internal/utils"

  15. 	"github.com/9seconds/mtg/v2/ipblocklist"

  16. 	"github.com/9seconds/mtg/v2/ipblocklist/files"

  17. 	"github.com/9seconds/mtg/v2/logger"

  18. 	"github.com/9seconds/mtg/v2/mtglib"

  19. 	"github.com/9seconds/mtg/v2/network/v2"

  20. 	"github.com/9seconds/mtg/v2/stats"

  21. 	"github.com/pires/go-proxyproto"

  22. 	"github.com/rs/zerolog"

  23. 	"github.com/yl2chen/cidranger"

  24. )

  25. 

  26. func makeLogger(conf *config.Config) mtglib.Logger {

  27. 	zerolog.TimeFieldFormat = zerolog.TimeFormatUnixMs

  28. 	zerolog.TimestampFieldName = "timestamp"

  29. 	zerolog.LevelFieldName = "level"

  30. 

  31. 	if conf.Debug.Get(false) {

  32. 		zerolog.SetGlobalLevel(zerolog.DebugLevel)

  33. 	} else {

  34. 		zerolog.SetGlobalLevel(zerolog.WarnLevel)

  35. 	}

  36. 

  37. 	baseLogger := zerolog.New(os.Stdout).With().Timestamp().Logger()

  38. 

  39. 	return logger.NewZeroLogger(baseLogger)

  40. }

  41. 

  42. func makeNetwork(conf *config.Config, version string) (mtglib.Network, error) {

  43. 	resolver, err := network.GetDNS(conf.GetDNS())

  44. 	if err != nil {

  45. 		return nil, fmt.Errorf("cannot create DNS resolver: %w", err)

  46. 	}

  47. 

  48. 	base := network.New(

  49. 		resolver,

  50. 		"",

  51. 		conf.Network.Timeout.TCP.Get(0),

  52. 		conf.Network.Timeout.HTTP.Get(0),

  53. 		conf.Network.Timeout.Idle.Get(0),

  54. 		net.KeepAliveConfig{

  55. 			Enable:   !conf.Network.KeepAlive.Disabled.Get(false),

  56. 			Idle:     conf.Network.KeepAlive.Idle.Get(0),

  57. 			Interval: conf.Network.KeepAlive.Interval.Get(0),

  58. 			Count:    int(conf.Network.KeepAlive.Count.Get(0)),

  59. 		},

  60. 	)

  61. 

  62. 	proxyDialers := make([]mtglib.Network, len(conf.Network.Proxies))

  63. 	for idx, v := range conf.Network.Proxies {

  64. 		value, err := network.NewProxyNetwork(base, v.Get(nil))

  65. 		if err != nil {

  66. 			return nil, fmt.Errorf("cannot use %v for proxy url: %w", v.Get(nil), err)

  67. 		}

  68. 		proxyDialers[idx] = value

  69. 	}

  70. 

  71. 	switch len(proxyDialers) {

  72. 	case 0:

  73. 		return base, nil

  74. 	case 1:

  75. 		return proxyDialers[0], nil

  76. 	}

  77. 

  78. 	value, err := network.Join(proxyDialers...)

  79. 	if err != nil {

  80. 		panic(err)

  81. 	}

  82. 

  83. 	return value, nil

  84. }

  85. 

  86. func makeAntiReplayCache(conf *config.Config) mtglib.AntiReplayCache {

  87. 	if !conf.Defense.AntiReplay.Enabled.Get(false) {

  88. 		return antireplay.NewNoop()

  89. 	}

  90. 

  91. 	return antireplay.NewStableBloomFilter(

  92. 		conf.Defense.AntiReplay.MaxSize.Get(antireplay.DefaultStableBloomFilterMaxSize),

  93. 		conf.Defense.AntiReplay.ErrorRate.Get(antireplay.DefaultStableBloomFilterErrorRate),

  94. 	)

  95. }

  96. 

  97. func makeIPBlocklist(conf config.ListConfig,

  98. 	logger mtglib.Logger,

  99. 	ntw mtglib.Network,

  100. 	updateCallback ipblocklist.FireholUpdateCallback,

  101. ) (mtglib.IPBlocklist, error) {

  102. 	if !conf.Enabled.Get(false) {

  103. 		return ipblocklist.NewNoop(), nil

  104. 	}

  105. 

  106. 	remoteURLs := []string{}

  107. 	localFiles := []string{}

  108. 

  109. 	for _, v := range conf.URLs {

  110. 		if v.IsRemote() {

  111. 			remoteURLs = append(remoteURLs, v.String())

  112. 		} else {

  113. 			localFiles = append(localFiles, v.String())

  114. 		}

  115. 	}

  116. 

  117. 	blocklist, err := ipblocklist.NewFirehol(logger.Named("ipblockist"),

  118. 		ntw,

  119. 		conf.DownloadConcurrency.Get(1),

  120. 		remoteURLs,

  121. 		localFiles,

  122. 		updateCallback)

  123. 	if err != nil {

  124. 		return nil, fmt.Errorf("incorrect parameters for firehol: %w", err)

  125. 	}

  126. 

  127. 	go blocklist.Run(conf.UpdateEach.Get(ipblocklist.DefaultFireholUpdateEach))

  128. 

  129. 	return blocklist, nil

  130. }

  131. 

  132. func makeIPAllowlist(conf config.ListConfig,

  133. 	logger mtglib.Logger,

  134. 	ntw mtglib.Network,

  135. 	updateCallback ipblocklist.FireholUpdateCallback,

  136. ) (mtglib.IPBlocklist, error) {

  137. 	var (

  138. 		allowlist mtglib.IPBlocklist

  139. 		err       error

  140. 	)

  141. 

  142. 	if !conf.Enabled.Get(false) {

  143. 		allowlist, err = ipblocklist.NewFireholFromFiles(

  144. 			logger.Named("ipblocklist"),

  145. 			1,

  146. 			[]files.File{

  147. 				files.NewMem([]*net.IPNet{

  148. 					cidranger.AllIPv4,

  149. 					cidranger.AllIPv6,

  150. 				}),

  151. 			},

  152. 			updateCallback,

  153. 		)

  154. 

  155. 		go allowlist.Run(conf.UpdateEach.Get(ipblocklist.DefaultFireholUpdateEach))

  156. 	} else {

  157. 		allowlist, err = makeIPBlocklist(

  158. 			conf,

  159. 			logger,

  160. 			ntw,

  161. 			updateCallback,

  162. 		)

  163. 	}

  164. 

  165. 	if err != nil {

  166. 		return nil, fmt.Errorf("cannot build allowlist: %w", err)

  167. 	}

  168. 

  169. 	return allowlist, nil

  170. }

  171. 

  172. func makeEventStream(conf *config.Config, logger mtglib.Logger) (mtglib.EventStream, error) {

  173. 	factories := make([]events.ObserverFactory, 0, 2)

  174. 

  175. 	if conf.Stats.StatsD.Enabled.Get(false) {

  176. 		statsdFactory, err := stats.NewStatsd(

  177. 			conf.Stats.StatsD.Address.Get(""),

  178. 			logger.Named("statsd"),

  179. 			conf.Stats.StatsD.MetricPrefix.Get(stats.DefaultStatsdMetricPrefix),

  180. 			conf.Stats.StatsD.TagFormat.Get(stats.DefaultStatsdTagFormat))

  181. 		if err != nil {

  182. 			return nil, fmt.Errorf("cannot build statsd observer: %w", err)

  183. 		}

  184. 

  185. 		factories = append(factories, statsdFactory.Make)

  186. 	}

  187. 

  188. 	if conf.Stats.Prometheus.Enabled.Get(false) {

  189. 		prometheus := stats.NewPrometheus(

  190. 			conf.Stats.Prometheus.MetricPrefix.Get(stats.DefaultMetricPrefix),

  191. 			conf.Stats.Prometheus.HTTPPath.Get("/"),

  192. 		)

  193. 

  194. 		listener, err := net.Listen("tcp", conf.Stats.Prometheus.BindTo.Get(""))

  195. 		if err != nil {

  196. 			return nil, fmt.Errorf("cannot start a listener for prometheus: %w", err)

  197. 		}

  198. 

  199. 		go prometheus.Serve(listener) //nolint: errcheck

  200. 

  201. 		factories = append(factories, prometheus.Make)

  202. 	}

  203. 

  204. 	if len(factories) > 0 {

  205. 		return events.NewEventStream(factories), nil

  206. 	}

  207. 

  208. 	return events.NewNoopStream(), nil

  209. }

  210. 

  211. func warnSNIMismatch(conf *config.Config, ntw mtglib.Network, log mtglib.Logger) {

  212. 	if conf.Secret.Host == "" {

  213. 		return

  214. 	}

  215. 

  216. 	res := runSNICheck(context.Background(), net.DefaultResolver, conf, ntw)

  217. 

  218. 	if res.ResolveErr != nil {

  219. 		log.BindStr("hostname", res.Host).

  220. 			WarningError("SNI-DNS check: cannot resolve secret hostname", res.ResolveErr)

  221. 		return

  222. 	}

  223. 

  224. 	if !res.Known() {

  225. 		log.Warning("SNI-DNS check: cannot detect public IP address; set public-ipv4/public-ipv6 in config or run 'mtg doctor'")

  226. 		return

  227. 	}

  228. 

  229. 	if res.OK() {

  230. 		return

  231. 	}

  232. 

  233. 	resolved := make([]string, 0, len(res.Resolved))

  234. 	for _, ip := range res.Resolved {

  235. 		resolved = append(resolved, ip.String())

  236. 	}

  237. 

  238. 	our := ""

  239. 	if res.OurIPv4 != nil {

  240. 		our = res.OurIPv4.String()

  241. 	}

  242. 

  243. 	if res.OurIPv6 != nil {

  244. 		if our != "" {

  245. 			our += "/"

  246. 		}

  247. 

  248. 		our += res.OurIPv6.String()

  249. 	}

  250. 

  251. 	entry := log.BindStr("hostname", res.Host).

  252. 		BindStr("resolved", strings.Join(resolved, ", ")).

  253. 		BindStr("public_ip", our)

  254. 

  255. 	if res.OurIPv4 != nil {

  256. 		entry = entry.BindStr("ipv4_match", fmt.Sprintf("%t", res.IPv4Match))

  257. 	}

  258. 

  259. 	if res.OurIPv6 != nil {

  260. 		entry = entry.BindStr("ipv6_match", fmt.Sprintf("%t", res.IPv6Match))

  261. 	}

  262. 

  263. 	entry.Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +

  264. 		"DPI may detect and block the proxy. See 'mtg doctor' for details")

  265. }

  266. 

  267. func runProxy(conf *config.Config, version string) error { //nolint: funlen, cyclop

  268. 	logger := makeLogger(conf)

  269. 

  270. 	logger.BindJSON("configuration", conf.String()).Debug("configuration")

  271. 

  272. 	eventStream, err := makeEventStream(conf, logger)

  273. 	if err != nil {

  274. 		return fmt.Errorf("cannot build event stream: %w", err)

  275. 	}

  276. 

  277. 	ntw, err := makeNetwork(conf, version)

  278. 	if err != nil {

  279. 		return fmt.Errorf("cannot build network: %w", err)

  280. 	}

  281. 

  282. 	warnSNIMismatch(conf, ntw, logger)

  283. 

  284. 	blocklist, err := makeIPBlocklist(

  285. 		conf.Defense.Blocklist,

  286. 		logger.Named("blocklist"),

  287. 		ntw,

  288. 		func(ctx context.Context, size int) {

  289. 			eventStream.Send(ctx, mtglib.NewEventIPListSize(size, true))

  290. 		})

  291. 	if err != nil {

  292. 		return fmt.Errorf("cannot build ip blocklist: %w", err)

  293. 	}

  294. 

  295. 	allowlist, err := makeIPAllowlist(

  296. 		conf.Defense.Allowlist,

  297. 		logger.Named("allowlist"),

  298. 		ntw,

  299. 		func(ctx context.Context, size int) {

  300. 			eventStream.Send(ctx, mtglib.NewEventIPListSize(size, false))

  301. 		},

  302. 	)

  303. 	if err != nil {

  304. 		return fmt.Errorf("cannot build ip allowlist: %w", err)

  305. 	}

  306. 

  307. 	doppelGangerURLs := make([]string, len(conf.Defense.Doppelganger.URLs))

  308. 	for i, v := range conf.Defense.Doppelganger.URLs {

  309. 		doppelGangerURLs[i] = v.String()

  310. 	}

  311. 

  312. 	opts := mtglib.ProxyOpts{

  313. 		Logger:          logger,

  314. 		Network:         ntw,

  315. 		AntiReplayCache: makeAntiReplayCache(conf),

  316. 		IPBlocklist:     blocklist,

  317. 		IPAllowlist:     allowlist,

  318. 		EventStream:     eventStream,

  319. 

  320. 		Secret:                      conf.Secret,

  321. 		Concurrency:                 conf.GetConcurrency(mtglib.DefaultConcurrency),

  322. 		DomainFrontingPort:          conf.GetDomainFrontingPort(mtglib.DefaultDomainFrontingPort),

  323. 		DomainFrontingIP:            conf.GetDomainFrontingIP(nil),

  324. 		DomainFrontingProxyProtocol: conf.GetDomainFrontingProxyProtocol(false),

  325. 		PreferIP:                    conf.PreferIP.Get(mtglib.DefaultPreferIP),

  326. 		AutoUpdate:                  conf.AutoUpdate.Get(false),

  327. 

  328. 		AllowFallbackOnUnknownDC: conf.AllowFallbackOnUnknownDC.Get(false),

  329. 		TolerateTimeSkewness:     conf.TolerateTimeSkewness.Value,

  330. 		IdleTimeout:              conf.Network.Timeout.Idle.Get(mtglib.DefaultIdleTimeout),

  331. 		HandshakeTimeout:         conf.Network.Timeout.Handshake.Get(mtglib.DefaultHandshakeTimeout),

  332. 

  333. 		DoppelGangerURLs:    doppelGangerURLs,

  334. 		DoppelGangerPerRaid: conf.Defense.Doppelganger.Repeats.Get(mtglib.DoppelGangerPerRaid),

  335. 		DoppelGangerEach:    conf.Defense.Doppelganger.UpdateEach.Get(mtglib.DoppelGangerEach),

  336. 		DoppelGangerDRS:     conf.Defense.Doppelganger.DRS.Get(false),

  337. 	}

  338. 

  339. 	proxy, err := mtglib.NewProxy(opts)

  340. 	if err != nil {

  341. 		return fmt.Errorf("cannot create a proxy: %w", err)

  342. 	}

  343. 

  344. 	listener, err := utils.NewListener(conf.BindTo.Get(""), 0)

  345. 	if err != nil {

  346. 		return fmt.Errorf("cannot start proxy: %w", err)

  347. 	}

  348. 

  349. 	if conf.ProxyProtocolListener.Get(false) {

  350. 		listener = &proxyprotocol.ListenerAdapter{

  351. 			Listener: proxyproto.Listener{

  352. 				Listener: listener,

  353. 			},

  354. 		}

  355. 	}

  356. 

  357. 	ctx := utils.RootContext()

  358. 

  359. 	go proxy.Serve(listener) //nolint: errcheck

  360. 

  361. 	<-ctx.Done()

  362. 	listener.Close() //nolint: errcheck

  363. 	proxy.Shutdown()

  364. 

  365. 	return nil

  366. }