ei
/
mtg
ミラー元 https://github.com/9seconds/mtg
ウォッチ 1
スター 0
フォーク 0
コード 課題 0 リリース 48 Wiki アクティビティ
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
1188 コミット
9 ブランチ
ツリー: 9c49759382
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'9c49759382' から
${ noResults }
mtg/internal/cli/run_proxy.go

run_proxy.go 10KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380 
  1. package cli

  2. 

  3. import (

  4. 	"context"

  5. 	"fmt"

  6. 	"net"

  7. 	"os"

  8. 	"slices"

  9. 	"strings"

  10. 

  11. 	"github.com/9seconds/mtg/v2/antireplay"

  12. 	"github.com/9seconds/mtg/v2/events"

  13. 	"github.com/9seconds/mtg/v2/internal/config"

  14. 	"github.com/9seconds/mtg/v2/internal/desync"

  15. 	"github.com/9seconds/mtg/v2/internal/proxyprotocol"

  16. 	"github.com/9seconds/mtg/v2/internal/utils"

  17. 	"github.com/9seconds/mtg/v2/ipblocklist"

  18. 	"github.com/9seconds/mtg/v2/ipblocklist/files"

  19. 	"github.com/9seconds/mtg/v2/logger"

  20. 	"github.com/9seconds/mtg/v2/mtglib"

  21. 	"github.com/9seconds/mtg/v2/network/v2"

  22. 	"github.com/9seconds/mtg/v2/stats"

  23. 	"github.com/pires/go-proxyproto"

  24. 	"github.com/rs/zerolog"

  25. 	"github.com/yl2chen/cidranger"

  26. )

  27. 

  28. func makeLogger(conf *config.Config) mtglib.Logger {

  29. 	zerolog.TimeFieldFormat = zerolog.TimeFormatUnixMs

  30. 	zerolog.TimestampFieldName = "timestamp"

  31. 	zerolog.LevelFieldName = "level"

  32. 

  33. 	if conf.Debug.Get(false) {

  34. 		zerolog.SetGlobalLevel(zerolog.DebugLevel)

  35. 	} else {

  36. 		zerolog.SetGlobalLevel(zerolog.WarnLevel)

  37. 	}

  38. 

  39. 	baseLogger := zerolog.New(os.Stdout).With().Timestamp().Logger()

  40. 

  41. 	return logger.NewZeroLogger(baseLogger)

  42. }

  43. 

  44. func makeNetwork(conf *config.Config, version string) (mtglib.Network, error) {

  45. 	resolver, err := network.GetDNS(conf.GetDNS())

  46. 	if err != nil {

  47. 		return nil, fmt.Errorf("cannot create DNS resolver: %w", err)

  48. 	}

  49. 

  50. 	base := network.New(

  51. 		resolver,

  52. 		"",

  53. 		conf.Network.Timeout.TCP.Get(0),

  54. 		conf.Network.Timeout.HTTP.Get(0),

  55. 		conf.Network.Timeout.Idle.Get(0),

  56. 		net.KeepAliveConfig{

  57. 			Enable:   !conf.Network.KeepAlive.Disabled.Get(false),

  58. 			Idle:     conf.Network.KeepAlive.Idle.Get(0),

  59. 			Interval: conf.Network.KeepAlive.Interval.Get(0),

  60. 			Count:    int(conf.Network.KeepAlive.Count.Get(0)),

  61. 		},

  62. 		int(conf.Network.TCPNotSentLowat.Get(network.DefaultTCPNotSentLowat)),

  63. 	)

  64. 

  65. 	proxyDialers := make([]mtglib.Network, len(conf.Network.Proxies))

  66. 	for idx, v := range conf.Network.Proxies {

  67. 		value, err := network.NewProxyNetwork(base, v.Get(nil))

  68. 		if err != nil {

  69. 			return nil, fmt.Errorf("cannot use %v for proxy url: %w", v.Get(nil), err)

  70. 		}

  71. 		proxyDialers[idx] = value

  72. 	}

  73. 

  74. 	switch len(proxyDialers) {

  75. 	case 0:

  76. 		return base, nil

  77. 	case 1:

  78. 		return proxyDialers[0], nil

  79. 	}

  80. 

  81. 	value, err := network.Join(proxyDialers...)

  82. 	if err != nil {

  83. 		panic(err)

  84. 	}

  85. 

  86. 	return value, nil

  87. }

  88. 

  89. func makeAntiReplayCache(conf *config.Config) mtglib.AntiReplayCache {

  90. 	if !conf.Defense.AntiReplay.Enabled.Get(false) {

  91. 		return antireplay.NewNoop()

  92. 	}

  93. 

  94. 	return antireplay.NewStableBloomFilter(

  95. 		conf.Defense.AntiReplay.MaxSize.Get(antireplay.DefaultStableBloomFilterMaxSize),

  96. 		conf.Defense.AntiReplay.ErrorRate.Get(antireplay.DefaultStableBloomFilterErrorRate),

  97. 	)

  98. }

  99. 

  100. func makeIPBlocklist(conf config.ListConfig,

  101. 	logger mtglib.Logger,

  102. 	ntw mtglib.Network,

  103. 	updateCallback ipblocklist.FireholUpdateCallback,

  104. ) (mtglib.IPBlocklist, error) {

  105. 	if !conf.Enabled.Get(false) {

  106. 		return ipblocklist.NewNoop(), nil

  107. 	}

  108. 

  109. 	remoteURLs := []string{}

  110. 	localFiles := []string{}

  111. 

  112. 	for _, v := range conf.URLs {

  113. 		if v.IsRemote() {

  114. 			remoteURLs = append(remoteURLs, v.String())

  115. 		} else {

  116. 			localFiles = append(localFiles, v.String())

  117. 		}

  118. 	}

  119. 

  120. 	blocklist, err := ipblocklist.NewFirehol(logger.Named("ipblockist"),

  121. 		ntw,

  122. 		conf.DownloadConcurrency.Get(1),

  123. 		remoteURLs,

  124. 		localFiles,

  125. 		updateCallback)

  126. 	if err != nil {

  127. 		return nil, fmt.Errorf("incorrect parameters for firehol: %w", err)

  128. 	}

  129. 

  130. 	go blocklist.Run(conf.UpdateEach.Get(ipblocklist.DefaultFireholUpdateEach))

  131. 

  132. 	return blocklist, nil

  133. }

  134. 

  135. func makeIPAllowlist(conf config.ListConfig,

  136. 	logger mtglib.Logger,

  137. 	ntw mtglib.Network,

  138. 	updateCallback ipblocklist.FireholUpdateCallback,

  139. ) (mtglib.IPBlocklist, error) {

  140. 	var (

  141. 		allowlist mtglib.IPBlocklist

  142. 		err       error

  143. 	)

  144. 

  145. 	if !conf.Enabled.Get(false) {

  146. 		allowlist, err = ipblocklist.NewFireholFromFiles(

  147. 			logger.Named("ipblocklist"),

  148. 			1,

  149. 			[]files.File{

  150. 				files.NewMem([]*net.IPNet{

  151. 					cidranger.AllIPv4,

  152. 					cidranger.AllIPv6,

  153. 				}),

  154. 			},

  155. 			updateCallback,

  156. 		)

  157. 

  158. 		go allowlist.Run(conf.UpdateEach.Get(ipblocklist.DefaultFireholUpdateEach))

  159. 	} else {

  160. 		allowlist, err = makeIPBlocklist(

  161. 			conf,

  162. 			logger,

  163. 			ntw,

  164. 			updateCallback,

  165. 		)

  166. 	}

  167. 

  168. 	if err != nil {

  169. 		return nil, fmt.Errorf("cannot build allowlist: %w", err)

  170. 	}

  171. 

  172. 	return allowlist, nil

  173. }

  174. 

  175. func makeEventStream(conf *config.Config, logger mtglib.Logger) (mtglib.EventStream, error) {

  176. 	factories := make([]events.ObserverFactory, 0, 2)

  177. 

  178. 	if conf.Stats.StatsD.Enabled.Get(false) {

  179. 		statsdFactory, err := stats.NewStatsd(

  180. 			conf.Stats.StatsD.Address.Get(""),

  181. 			logger.Named("statsd"),

  182. 			conf.Stats.StatsD.MetricPrefix.Get(stats.DefaultStatsdMetricPrefix),

  183. 			conf.Stats.StatsD.TagFormat.Get(stats.DefaultStatsdTagFormat),

  184. 		)

  185. 		if err != nil {

  186. 			return nil, fmt.Errorf("cannot build statsd observer: %w", err)

  187. 		}

  188. 

  189. 		factories = append(factories, statsdFactory.Make)

  190. 	}

  191. 

  192. 	if conf.Stats.Prometheus.Enabled.Get(false) {

  193. 		prometheus := stats.NewPrometheus(

  194. 			conf.Stats.Prometheus.MetricPrefix.Get(stats.DefaultMetricPrefix),

  195. 			conf.Stats.Prometheus.HTTPPath.Get("/"),

  196. 		)

  197. 

  198. 		listener, err := net.Listen("tcp", conf.Stats.Prometheus.BindTo.Get(""))

  199. 		if err != nil {

  200. 			return nil, fmt.Errorf("cannot start a listener for prometheus: %w", err)

  201. 		}

  202. 

  203. 		go prometheus.Serve(listener) //nolint: errcheck

  204. 

  205. 		factories = append(factories, prometheus.Make)

  206. 	}

  207. 

  208. 	if len(factories) > 0 {

  209. 		return events.NewEventStream(factories), nil

  210. 	}

  211. 

  212. 	return events.NewNoopStream(), nil

  213. }

  214. 

  215. func warnSNIMismatch(conf *config.Config, ntw mtglib.Network, log mtglib.Logger) {

  216. 	host := conf.Secret.Host

  217. 	if host == "" {

  218. 		return

  219. 	}

  220. 

  221. 	log = log.BindStr("hostname", host)

  222. 

  223. 	res, err := runSNICheck(context.Background(), conf, net.DefaultResolver, ntw)

  224. 	if err != nil {

  225. 		log.WarningError("SNI-DNS check: cannot resolve secret hostname", err)

  226. 		return

  227. 	}

  228. 

  229. 	if res.OurIP4 == "" && res.OurIP6 == "" {

  230. 		log.Warning("SNI-DNS check: cannot detect public IP address; set public-ipv4/public-ipv6 in config or run 'mtg doctor'")

  231. 		return

  232. 	}

  233. 

  234. 	if len(res.ResolvedIP4) > 0 && !slices.Contains(res.ResolvedIP4, res.OurIP4) {

  235. 		log.

  236. 			BindStr("public_ip", res.OurIP4).

  237. 			BindStr("resolved", strings.Join(res.ResolvedIP4, ",")).

  238. 			Warning("SNI-DNS check: address mismatch")

  239. 	}

  240. 

  241. 	if len(res.ResolvedIP6) > 0 && !slices.Contains(res.ResolvedIP6, res.OurIP6) {

  242. 		log.

  243. 			BindStr("public_ip", res.OurIP6).

  244. 			BindStr("resolved", strings.Join(res.ResolvedIP6, ",")).

  245. 			Warning("SNI-DNS check: address mismatch")

  246. 	}

  247. }

  248. 

  249. func warnDeprecatedDomainFronting(conf *config.Config, log mtglib.Logger) {

  250. 	if conf.DomainFrontingIP.Value != nil {

  251. 		log.Warning(`config option "domain-fronting-ip" is deprecated and ignored; use "host" in [domain-fronting] instead`)

  252. 	}

  253. 

  254. 	if conf.DomainFronting.IP.Value != nil {

  255. 		log.Warning(`config option "ip" in [domain-fronting] is deprecated and ignored; use "host" instead`)

  256. 	}

  257. }

  258. 

  259. const dpiDesyncHandshakeWindowClamp = 256

  260. 

  261. func runProxy(conf *config.Config, version string) error { //nolint: funlen, cyclop

  262. 	logger := makeLogger(conf)

  263. 

  264. 	logger.BindJSON("configuration", conf.String()).Debug("configuration")

  265. 

  266. 	warnDeprecatedDomainFronting(conf, logger)

  267. 

  268. 	eventStream, err := makeEventStream(conf, logger)

  269. 	if err != nil {

  270. 		return fmt.Errorf("cannot build event stream: %w", err)

  271. 	}

  272. 

  273. 	ntw, err := makeNetwork(conf, version)

  274. 	if err != nil {

  275. 		return fmt.Errorf("cannot build network: %w", err)

  276. 	}

  277. 

  278. 	warnSNIMismatch(conf, ntw, logger)

  279. 

  280. 	blocklist, err := makeIPBlocklist(

  281. 		conf.Defense.Blocklist,

  282. 		logger.Named("blocklist"),

  283. 		ntw,

  284. 		func(ctx context.Context, size int) {

  285. 			eventStream.Send(ctx, mtglib.NewEventIPListSize(size, true))

  286. 		},

  287. 	)

  288. 	if err != nil {

  289. 		return fmt.Errorf("cannot build ip blocklist: %w", err)

  290. 	}

  291. 

  292. 	allowlist, err := makeIPAllowlist(

  293. 		conf.Defense.Allowlist,

  294. 		logger.Named("allowlist"),

  295. 		ntw,

  296. 		func(ctx context.Context, size int) {

  297. 			eventStream.Send(ctx, mtglib.NewEventIPListSize(size, false))

  298. 		},

  299. 	)

  300. 	if err != nil {

  301. 		return fmt.Errorf("cannot build ip allowlist: %w", err)

  302. 	}

  303. 

  304. 	windowClamp := 0

  305. 	if conf.DPIDesync.Get(false) {

  306. 		// Empirically chosen: small enough for Linux IPv4 DPI desync, but still

  307. 		// large enough for Telegram media after the post-handshake clamp restore.

  308. 		windowClamp = dpiDesyncHandshakeWindowClamp

  309. 	}

  310. 

  311. 	doppelGangerURLs := make([]string, len(conf.Defense.Doppelganger.URLs))

  312. 	for i, v := range conf.Defense.Doppelganger.URLs {

  313. 		doppelGangerURLs[i] = v.String()

  314. 	}

  315. 

  316. 	opts := mtglib.ProxyOpts{

  317. 		Logger:          logger,

  318. 		Network:         ntw,

  319. 		AntiReplayCache: makeAntiReplayCache(conf),

  320. 		IPBlocklist:     blocklist,

  321. 		IPAllowlist:     allowlist,

  322. 		EventStream:     eventStream,

  323. 

  324. 		Secret:                      conf.Secret,

  325. 		Concurrency:                 conf.GetConcurrency(mtglib.DefaultConcurrency),

  326. 		DomainFrontingPort:          conf.GetDomainFrontingPort(mtglib.DefaultDomainFrontingPort),

  327. 		DomainFrontingHost:          conf.GetDomainFrontingHost(),

  328. 		DomainFrontingProxyProtocol: conf.GetDomainFrontingProxyProtocol(false),

  329. 		PreferIP:                    conf.PreferIP.Get(mtglib.DefaultPreferIP),

  330. 		AutoUpdate:                  conf.AutoUpdate.Get(false),

  331. 

  332. 		AllowFallbackOnUnknownDC: conf.AllowFallbackOnUnknownDC.Get(false),

  333. 		TolerateTimeSkewness:     conf.TolerateTimeSkewness.Value,

  334. 		IdleTimeout:              conf.Network.Timeout.Idle.Get(mtglib.DefaultIdleTimeout),

  335. 		HandshakeTimeout:         conf.Network.Timeout.Handshake.Get(mtglib.DefaultHandshakeTimeout),

  336. 

  337. 		DoppelGangerURLs:    doppelGangerURLs,

  338. 		DoppelGangerPerRaid: conf.Defense.Doppelganger.Repeats.Get(mtglib.DoppelGangerPerRaid),

  339. 		DoppelGangerEach:    conf.Defense.Doppelganger.UpdateEach.Get(mtglib.DoppelGangerEach),

  340. 		DoppelGangerDRS:     conf.Defense.Doppelganger.DRS.Get(false),

  341. 

  342. 		DPIDesync: windowClamp > 0,

  343. 	}

  344. 

  345. 	proxy, err := mtglib.NewProxy(opts)

  346. 	if err != nil {

  347. 		return fmt.Errorf("cannot create a proxy: %w", err)

  348. 	}

  349. 

  350. 	listener, err := utils.NewListener(conf.BindTo.Get(""), windowClamp)

  351. 	if err != nil {

  352. 		return fmt.Errorf("cannot start proxy: %w", err)

  353. 	}

  354. 

  355. 	if conf.ProxyProtocolListener.Get(false) {

  356. 		listener = &proxyprotocol.ListenerAdapter{

  357. 			Listener: proxyproto.Listener{

  358. 				Listener: listener,

  359. 			},

  360. 		}

  361. 	}

  362. 

  363. 	ctx := utils.RootContext()

  364. 

  365. 	if windowClamp > 0 {

  366. 		desyncSvc, err := desync.Start(int(conf.BindTo.Port))

  367. 		if err != nil {

  368. 			return fmt.Errorf("cannot start raw desync: %w", err)

  369. 		}

  370. 		defer desyncSvc.Close() //nolint: errcheck

  371. 	}

  372. 

  373. 	go proxy.Serve(listener) //nolint: errcheck

  374. 

  375. 	<-ctx.Done()

  376. 	listener.Close() //nolint: errcheck

  377. 	proxy.Shutdown()

  378. 

  379. 	return nil

  380. }