ei
/
mtg
kopie van https://github.com/9seconds/mtg
Volgen 1
Ster 0
Vork 0
Code Kwesties 0 Publicaties 48 Wiki Activiteit
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1188 Commits
9 Branches
Tree: 9c49759382
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '9c49759382'
${ noResults }
mtg/mtglib/proxy.go

proxy.go 11KB
Geschiedenis Ruw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420 
  1. package mtglib

  2. 

  3. import (

  4. 	"context"

  5. 	"errors"

  6. 	"fmt"

  7. 	"net"

  8. 	"strconv"

  9. 	"sync"

  10. 	"time"

  11. 

  12. 	"github.com/9seconds/mtg/v2/essentials"

  13. 	"github.com/9seconds/mtg/v2/mtglib/internal/dc"

  14. 	"github.com/9seconds/mtg/v2/mtglib/internal/doppel"

  15. 	"github.com/9seconds/mtg/v2/mtglib/internal/relay"

  16. 	"github.com/9seconds/mtg/v2/mtglib/internal/tls"

  17. 	"github.com/9seconds/mtg/v2/mtglib/internal/tls/fake"

  18. 	"github.com/9seconds/mtg/v2/mtglib/obfuscation"

  19. 	"github.com/panjf2000/ants/v2"

  20. )

  21. 

  22. // Restore a large receive window after the tiny pre-handshake DPI desync clamp.

  23. const dpiDesyncPostHandshakeWindowClamp = 1 << 30

  24. 

  25. // Proxy is an MTPROTO proxy structure.

  26. type Proxy struct {

  27. 	ctx             context.Context

  28. 	ctxCancel       context.CancelFunc

  29. 	streamWaitGroup sync.WaitGroup

  30. 

  31. 	allowFallbackOnUnknownDC    bool

  32. 	tolerateTimeSkewness        time.Duration

  33. 	idleTimeout                 time.Duration

  34. 	handshakeTimeout            time.Duration

  35. 	domainFrontingPort          int

  36. 	domainFrontingHost          string

  37. 	domainFrontingProxyProtocol bool

  38. 	dpiDesync                   bool

  39. 	workerPool                  *ants.PoolWithFunc

  40. 	telegram                    *dc.Telegram

  41. 	configUpdater               *dc.PublicConfigUpdater

  42. 	doppelGanger                *doppel.Ganger

  43. 	clientObfuscatror           obfuscation.Obfuscator

  44. 

  45. 	secret          Secret

  46. 	network         Network

  47. 	antiReplayCache AntiReplayCache

  48. 	blocklist       IPBlocklist

  49. 	allowlist       IPBlocklist

  50. 	eventStream     EventStream

  51. 	logger          Logger

  52. }

  53. 

  54. // DomainFrontingAddress returns a host:port pair for a fronting domain.

  55. // If a fronting host (literal IP or hostname) is configured, it is used

  56. // instead of resolving the secret's hostname.

  57. func (p *Proxy) DomainFrontingAddress() string {

  58. 	host := p.secret.Host

  59. 	if p.domainFrontingHost != "" {

  60. 		host = p.domainFrontingHost

  61. 	}

  62. 

  63. 	return net.JoinHostPort(host, strconv.Itoa(p.domainFrontingPort))

  64. }

  65. 

  66. // ServeConn serves a connection. We do not check IP blocklist and concurrency

  67. // limit here.

  68. func (p *Proxy) ServeConn(conn essentials.Conn) {

  69. 	p.streamWaitGroup.Add(1)

  70. 	defer p.streamWaitGroup.Done()

  71. 

  72. 	ctx := newStreamContext(p.ctx, p.logger, conn)

  73. 	defer ctx.Close()

  74. 

  75. 	if err := ctx.clientConn.SetDeadline(time.Now().Add(p.handshakeTimeout)); err != nil {

  76. 		ctx.logger.WarningError("cannot set handshake timeout", err)

  77. 		return

  78. 	}

  79. 

  80. 	stop := context.AfterFunc(ctx, func() {

  81. 		ctx.Close()

  82. 	})

  83. 	defer stop()

  84. 

  85. 	p.eventStream.Send(ctx, NewEventStart(ctx.streamID, ctx.ClientIP()))

  86. 	ctx.logger.Info("Stream has been started")

  87. 

  88. 	defer func() {

  89. 		p.eventStream.Send(ctx, NewEventFinish(ctx.streamID))

  90. 		ctx.logger.Info("Stream has been finished")

  91. 	}()

  92. 

  93. 	if !p.doFakeTLSHandshake(ctx) {

  94. 		return

  95. 	}

  96. 

  97. 	clientConn, err := p.doppelGanger.NewConn(ctx.clientConn)

  98. 	if err != nil {

  99. 		ctx.logger.InfoError("cannot wrap into doppelganger connection", err)

  100. 		return

  101. 	}

  102. 	defer clientConn.Stop()

  103. 

  104. 	ctx.clientConn = clientConn

  105. 

  106. 	if err := p.doObfuscatedHandshake(ctx); err != nil {

  107. 		ctx.logger.InfoError("obfuscated handshake is failed", err)

  108. 		return

  109. 	}

  110. 

  111. 	if err := ctx.clientConn.SetDeadline(time.Time{}); err != nil {

  112. 		ctx.logger.WarningError("cannot set deadline", err)

  113. 		return

  114. 	}

  115. 

  116. 	if err := p.doTelegramCall(ctx); err != nil {

  117. 		ctx.logger.WarningError("cannot dial to telegram", err)

  118. 		return

  119. 	}

  120. 

  121. 	tracker := newIdleTracker(p.idleTimeout)

  122. 

  123. 	relay.Relay(

  124. 		ctx,

  125. 		ctx.logger.Named("relay"),

  126. 		connIdleTimeout{Conn: ctx.telegramConn, tracker: tracker},

  127. 		connIdleTimeout{Conn: ctx.clientConn, tracker: tracker},

  128. 	)

  129. }

  130. 

  131. // Serve starts a proxy on a given listener.

  132. func (p *Proxy) Serve(listener net.Listener) error {

  133. 	p.streamWaitGroup.Add(1)

  134. 	defer p.streamWaitGroup.Done()

  135. 

  136. 	for {

  137. 		conn, err := listener.Accept()

  138. 		if err != nil {

  139. 			select {

  140. 			case <-p.ctx.Done():

  141. 				return nil

  142. 			default:

  143. 				return fmt.Errorf("cannot accept a new connection: %w", err)

  144. 			}

  145. 		}

  146. 

  147. 		ipAddr := conn.RemoteAddr().(*net.TCPAddr).IP //nolint: forcetypeassert

  148. 		logger := p.logger.BindStr("ip", ipAddr.String())

  149. 

  150. 		if !p.allowlist.Contains(ipAddr) {

  151. 			conn.Close() //nolint: errcheck

  152. 			logger.Info("ip was rejected by allowlist")

  153. 			p.eventStream.Send(p.ctx, NewEventIPAllowlisted(ipAddr))

  154. 

  155. 			continue

  156. 		}

  157. 

  158. 		if p.blocklist.Contains(ipAddr) {

  159. 			conn.Close() //nolint: errcheck

  160. 			logger.Info("ip was blacklisted")

  161. 			p.eventStream.Send(p.ctx, NewEventIPBlocklisted(ipAddr))

  162. 

  163. 			continue

  164. 		}

  165. 

  166. 		err = p.workerPool.Invoke(conn)

  167. 

  168. 		switch {

  169. 		case err == nil:

  170. 		case errors.Is(err, ants.ErrPoolClosed):

  171. 			return nil

  172. 		case errors.Is(err, ants.ErrPoolOverload):

  173. 			conn.Close() //nolint: errcheck

  174. 			logger.Info("connection was concurrency limited")

  175. 			p.eventStream.Send(p.ctx, NewEventConcurrencyLimited())

  176. 		}

  177. 	}

  178. }

  179. 

  180. // Shutdown 'gracefully' shutdowns all connections. Please remember that it

  181. // does not close an underlying listener.

  182. func (p *Proxy) Shutdown() {

  183. 	p.ctxCancel()

  184. 	p.streamWaitGroup.Wait()

  185. 	p.workerPool.Release()

  186. 	p.configUpdater.Wait()

  187. 	p.doppelGanger.Shutdown()

  188. 

  189. 	p.allowlist.Shutdown()

  190. 	p.blocklist.Shutdown()

  191. }

  192. 

  193. func (p *Proxy) doFakeTLSHandshake(ctx *streamContext) bool {

  194. 	rewind := newConnRewind(ctx.clientConn)

  195. 

  196. 	clientHello, err := fake.ReadClientHello(

  197. 		rewind,

  198. 		p.secret.Key[:],

  199. 		p.secret.Host,

  200. 		p.tolerateTimeSkewness,

  201. 	)

  202. 	if err != nil {

  203. 		p.logger.InfoError("cannot read client hello", err)

  204. 		p.doDomainFronting(ctx, rewind)

  205. 		return false

  206. 	}

  207. 

  208. 	if p.antiReplayCache.SeenBefore(clientHello.SessionID) {

  209. 		p.logger.Warning("replay attack has been detected!")

  210. 		p.eventStream.Send(p.ctx, NewEventReplayAttack(ctx.streamID))

  211. 		p.doDomainFronting(ctx, rewind)

  212. 		return false

  213. 	}

  214. 

  215. 	gangerNoise := p.doppelGanger.NoiseParams()

  216. 	noiseParams := fake.NoiseParams{Mean: gangerNoise.Mean, Jitter: gangerNoise.Jitter}

  217. 

  218. 	if err := fake.SendServerHello(ctx.clientConn, p.secret.Key[:], clientHello, noiseParams); err != nil {

  219. 		p.logger.InfoError("cannot send welcome packet", err)

  220. 		return false

  221. 	}

  222. 

  223. 	if p.dpiDesync {

  224. 		if err := essentials.SetTCPWindowClamp(ctx.clientConn, dpiDesyncPostHandshakeWindowClamp); err != nil {

  225. 			ctx.logger.DebugError("cannot restore TCP window clamp after handshake", err)

  226. 		}

  227. 	}

  228. 

  229. 	ctx.clientConn = tls.New(ctx.clientConn, true, false)

  230. 

  231. 	return true

  232. }

  233. 

  234. func (p *Proxy) doObfuscatedHandshake(ctx *streamContext) error {

  235. 	dc, conn, err := p.clientObfuscatror.ReadHandshake(ctx.clientConn)

  236. 	if err != nil {

  237. 		return fmt.Errorf("cannot process client handshake: %w", err)

  238. 	}

  239. 

  240. 	ctx.dc = dc

  241. 	ctx.clientConn = conn

  242. 	ctx.logger = ctx.logger.BindInt("dc", dc)

  243. 

  244. 	return nil

  245. }

  246. 

  247. func (p *Proxy) doTelegramCall(ctx *streamContext) error {

  248. 	dcid := ctx.dc

  249. 

  250. 	addresses := p.telegram.GetAddresses(dcid)

  251. 	if len(addresses) == 0 && p.allowFallbackOnUnknownDC {

  252. 		ctx.logger = ctx.logger.BindInt("original_dc", dcid)

  253. 		ctx.logger.Warning("unknown DC, fallbacks")

  254. 		ctx.dc = dc.DefaultDC

  255. 		addresses = p.telegram.GetAddresses(dc.DefaultDC)

  256. 	}

  257. 

  258. 	var (

  259. 		conn      essentials.Conn

  260. 		err       error

  261. 		foundAddr dc.Addr

  262. 	)

  263. 

  264. 	for _, addr := range addresses {

  265. 		conn, err = p.network.Dial(addr.Network, addr.Address)

  266. 		if err == nil {

  267. 			foundAddr = addr

  268. 			break

  269. 		}

  270. 	}

  271. 	if err != nil {

  272. 		return fmt.Errorf("no addresses to call: %w", err)

  273. 	}

  274. 	if conn == nil {

  275. 		return fmt.Errorf("no available addresses for DC %d", ctx.dc)

  276. 	}

  277. 

  278. 	tgConn, err := foundAddr.Obfuscator.SendHandshake(conn, ctx.dc)

  279. 	if err != nil {

  280. 		conn.Close() // nolint: errcheck

  281. 		return fmt.Errorf("cannot perform server handshake: %w", err)

  282. 	}

  283. 

  284. 	ctx.telegramConn = connTraffic{

  285. 		Conn:     tgConn,

  286. 		streamID: ctx.streamID,

  287. 		stream:   p.eventStream,

  288. 		ctx:      ctx,

  289. 	}

  290. 

  291. 	telegramHost, _, err := net.SplitHostPort(foundAddr.Address)

  292. 	if err != nil {

  293. 		conn.Close() //nolint: errcheck

  294. 

  295. 		return fmt.Errorf("cannot parse telegram address %s: %w", foundAddr.Address, err)

  296. 	}

  297. 

  298. 	p.eventStream.Send(

  299. 		ctx,

  300. 		NewEventConnectedToDC(ctx.streamID,

  301. 			net.ParseIP(telegramHost),

  302. 			ctx.dc),

  303. 	)

  304. 

  305. 	return nil

  306. }

  307. 

  308. func (p *Proxy) doDomainFronting(ctx *streamContext, conn *connRewind) {

  309. 	p.eventStream.Send(p.ctx, NewEventDomainFronting(ctx.streamID))

  310. 	conn.Rewind()

  311. 

  312. 	nativeDialer := p.network.NativeDialer()

  313. 	fConn, err := nativeDialer.DialContext(ctx, "tcp", p.DomainFrontingAddress())

  314. 	if err != nil {

  315. 		p.logger.WarningError("cannot dial to the fronting domain", err)

  316. 

  317. 		return

  318. 	}

  319. 

  320. 	frontConn := essentials.WrapNetConn(fConn)

  321. 

  322. 	if p.domainFrontingProxyProtocol {

  323. 		frontConn = newConnProxyProtocol(ctx.clientConn, frontConn)

  324. 	}

  325. 

  326. 	frontConn = connTraffic{

  327. 		Conn:     frontConn,

  328. 		ctx:      ctx,

  329. 		streamID: ctx.streamID,

  330. 		stream:   p.eventStream,

  331. 	}

  332. 

  333. 	tracker := newIdleTracker(p.idleTimeout)

  334. 

  335. 	relay.Relay(

  336. 		ctx,

  337. 		ctx.logger.Named("domain-fronting"),

  338. 		connIdleTimeout{Conn: frontConn, tracker: tracker},

  339. 		connIdleTimeout{Conn: conn, tracker: tracker},

  340. 	)

  341. }

  342. 

  343. // NewProxy makes a new proxy instance.

  344. func NewProxy(opts ProxyOpts) (*Proxy, error) {

  345. 	if err := opts.valid(); err != nil {

  346. 		return nil, fmt.Errorf("invalid settings: %w", err)

  347. 	}

  348. 

  349. 	tg, err := dc.New(opts.getPreferIP())

  350. 	if err != nil {

  351. 		return nil, fmt.Errorf("cannot build telegram dc fetcher: %w", err)

  352. 	}

  353. 

  354. 	ctx, cancel := context.WithCancel(context.Background())

  355. 	logger := opts.getLogger("proxy")

  356. 	updatersLogger := logger.Named("telegram-updaters")

  357. 

  358. 	if opts.DomainFrontingIP != "" {

  359. 		logger.Warning("mtglib.ProxyOpts.DomainFrontingIP is deprecated and ignored; use DomainFrontingHost instead")

  360. 	}

  361. 

  362. 	proxy := &Proxy{

  363. 		ctx:                      ctx,

  364. 		ctxCancel:                cancel,

  365. 		secret:                   opts.Secret,

  366. 		network:                  opts.Network,

  367. 		antiReplayCache:          opts.AntiReplayCache,

  368. 		blocklist:                opts.IPBlocklist,

  369. 		allowlist:                opts.IPAllowlist,

  370. 		eventStream:              opts.EventStream,

  371. 		logger:                   logger,

  372. 		domainFrontingPort:       opts.getDomainFrontingPort(),

  373. 		domainFrontingHost:       opts.DomainFrontingHost,

  374. 		dpiDesync:                opts.DPIDesync,

  375. 		tolerateTimeSkewness:     opts.getTolerateTimeSkewness(),

  376. 		idleTimeout:              opts.getIdleTimeout(),

  377. 		handshakeTimeout:         opts.getHandshakeTimeout(),

  378. 		allowFallbackOnUnknownDC: opts.AllowFallbackOnUnknownDC,

  379. 		telegram:                 tg,

  380. 		doppelGanger: doppel.NewGanger(

  381. 			ctx,

  382. 			opts.Network,

  383. 			logger.Named("doppelganger"),

  384. 			opts.DoppelGangerEach,

  385. 			int(opts.DoppelGangerPerRaid),

  386. 			opts.DoppelGangerURLs,

  387. 			opts.DoppelGangerDRS,

  388. 		),

  389. 		configUpdater: dc.NewPublicConfigUpdater(

  390. 			tg,

  391. 			updatersLogger.Named("public-config"),

  392. 			opts.Network.MakeHTTPClient(nil),

  393. 		),

  394. 		clientObfuscatror: obfuscation.Obfuscator{

  395. 			Secret: opts.Secret.Key[:],

  396. 		},

  397. 		domainFrontingProxyProtocol: opts.DomainFrontingProxyProtocol,

  398. 	}

  399. 

  400. 	proxy.doppelGanger.Run()

  401. 

  402. 	if opts.AutoUpdate {

  403. 		proxy.configUpdater.Run(ctx, dc.PublicConfigUpdateURLv4, "tcp4")

  404. 		proxy.configUpdater.Run(ctx, dc.PublicConfigUpdateURLv6, "tcp6")

  405. 	}

  406. 

  407. 	pool, err := ants.NewPoolWithFunc(opts.getConcurrency(),

  408. 		func(arg any) {

  409. 			proxy.ServeConn(arg.(essentials.Conn)) //nolint: forcetypeassert

  410. 		},

  411. 		ants.WithLogger(opts.getLogger("ants")),

  412. 		ants.WithNonblocking(true))

  413. 	if err != nil {

  414. 		panic(err)

  415. 	}

  416. 

  417. 	proxy.workerPool = pool

  418. 

  419. 	return proxy, nil

  420. }