ei
/
mtg
镜像自地址 https://github.com/9seconds/mtg
关注 1
点赞 0
派生 0
代码 工单 0 版本发布 48 百科 动态
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
802 提交
4 分支
目录树: a27facaa16
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'a27facaa16'
${ noResults }
mtg/mtglib/proxy.go

proxy.go 7.8KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330 
  1. package mtglib

  2. 

  3. import (

  4. 	"context"

  5. 	"errors"

  6. 	"fmt"

  7. 	"net"

  8. 	"strconv"

  9. 	"sync"

  10. 	"time"

  11. 

  12. 	"github.com/9seconds/mtg/v2/essentials"

  13. 	"github.com/9seconds/mtg/v2/mtglib/internal/faketls"

  14. 	"github.com/9seconds/mtg/v2/mtglib/internal/faketls/record"

  15. 	"github.com/9seconds/mtg/v2/mtglib/internal/obfuscated2"

  16. 	"github.com/9seconds/mtg/v2/mtglib/internal/relay"

  17. 	"github.com/9seconds/mtg/v2/mtglib/internal/telegram"

  18. 	"github.com/panjf2000/ants/v2"

  19. )

  20. 

  21. // Proxy is an MTPROTO proxy structure.

  22. type Proxy struct {

  23. 	ctx             context.Context

  24. 	ctxCancel       context.CancelFunc

  25. 	streamWaitGroup sync.WaitGroup

  26. 

  27. 	allowFallbackOnUnknownDC bool

  28. 	tolerateTimeSkewness     time.Duration

  29. 	domainFrontingPort       int

  30. 	workerPool               *ants.PoolWithFunc

  31. 	telegram                 *telegram.Telegram

  32. 

  33. 	secret          Secret

  34. 	network         Network

  35. 	antiReplayCache AntiReplayCache

  36. 	blocklist       IPBlocklist

  37. 	allowlist       IPBlocklist

  38. 	eventStream     EventStream

  39. 	logger          Logger

  40. }

  41. 

  42. // DomainFrontingAddress returns a host:port pair for a fronting domain.

  43. func (p *Proxy) DomainFrontingAddress() string {

  44. 	return net.JoinHostPort(p.secret.Host, strconv.Itoa(p.domainFrontingPort))

  45. }

  46. 

  47. // ServeConn serves a connection. We do not check IP blocklist and

  48. // concurrency limit here.

  49. func (p *Proxy) ServeConn(conn essentials.Conn) {

  50. 	p.streamWaitGroup.Add(1)

  51. 	defer p.streamWaitGroup.Done()

  52. 

  53. 	ctx := newStreamContext(p.ctx, p.logger, conn)

  54. 	defer ctx.Close()

  55. 

  56. 	go func() {

  57. 		<-ctx.Done()

  58. 		ctx.Close()

  59. 	}()

  60. 

  61. 	p.eventStream.Send(ctx, NewEventStart(ctx.streamID, ctx.ClientIP()))

  62. 	ctx.logger.Info("Stream has been started")

  63. 

  64. 	defer func() {

  65. 		p.eventStream.Send(ctx, NewEventFinish(ctx.streamID))

  66. 		ctx.logger.Info("Stream has been finished")

  67. 	}()

  68. 

  69. 	if !p.doFakeTLSHandshake(ctx) {

  70. 		return

  71. 	}

  72. 

  73. 	if err := p.doObfuscated2Handshake(ctx); err != nil {

  74. 		p.logger.InfoError("obfuscated2 handshake is failed", err)

  75. 

  76. 		return

  77. 	}

  78. 

  79. 	if err := p.doTelegramCall(ctx); err != nil {

  80. 		p.logger.WarningError("cannot dial to telegram", err)

  81. 

  82. 		return

  83. 	}

  84. 

  85. 	relay.Relay(

  86. 		ctx,

  87. 		ctx.logger.Named("relay"),

  88. 		ctx.telegramConn,

  89. 		ctx.clientConn,

  90. 	)

  91. }

  92. 

  93. // Serve starts a proxy on a given listener.

  94. func (p *Proxy) Serve(listener net.Listener) error {

  95. 	p.streamWaitGroup.Add(1)

  96. 	defer p.streamWaitGroup.Done()

  97. 

  98. 	for {

  99. 		conn, err := listener.Accept()

  100. 		if err != nil {

  101. 			select {

  102. 			case <-p.ctx.Done():

  103. 				return nil

  104. 			default:

  105. 				return fmt.Errorf("cannot accept a new connection: %w", err)

  106. 			}

  107. 		}

  108. 

  109. 		ipAddr := conn.RemoteAddr().(*net.TCPAddr).IP // nolint: forcetypeassert

  110. 		logger := p.logger.BindStr("ip", ipAddr.String())

  111. 

  112. 		if !p.allowlist.Contains(ipAddr) {

  113. 			conn.Close()

  114. 			logger.Info("ip was rejected by allowlist")

  115. 			p.eventStream.Send(p.ctx, NewEventIPBlocklisted(ipAddr))

  116. 

  117. 			continue

  118. 		}

  119. 

  120. 		if p.blocklist.Contains(ipAddr) {

  121. 			conn.Close()

  122. 			logger.Info("ip was blacklisted")

  123. 			p.eventStream.Send(p.ctx, NewEventIPBlocklisted(ipAddr))

  124. 

  125. 			continue

  126. 		}

  127. 

  128. 		err = p.workerPool.Invoke(conn)

  129. 

  130. 		switch {

  131. 		case err == nil:

  132. 		case errors.Is(err, ants.ErrPoolClosed):

  133. 			return nil

  134. 		case errors.Is(err, ants.ErrPoolOverload):

  135. 			logger.Info("connection was concurrency limited")

  136. 			p.eventStream.Send(p.ctx, NewEventConcurrencyLimited())

  137. 		}

  138. 	}

  139. }

  140. 

  141. // Shutdown 'gracefully' shutdowns all connections. Please remember that

  142. // it does not close an underlying listener.

  143. func (p *Proxy) Shutdown() {

  144. 	p.ctxCancel()

  145. 	p.streamWaitGroup.Wait()

  146. 	p.workerPool.Release()

  147. 

  148. 	p.allowlist.Shutdown()

  149. 	p.blocklist.Shutdown()

  150. }

  151. 

  152. func (p *Proxy) doFakeTLSHandshake(ctx *streamContext) bool {

  153. 	rec := record.AcquireRecord()

  154. 	defer record.ReleaseRecord(rec)

  155. 

  156. 	rewind := newConnRewind(ctx.clientConn)

  157. 

  158. 	if err := rec.Read(rewind); err != nil {

  159. 		p.logger.InfoError("cannot read client hello", err)

  160. 		p.doDomainFronting(ctx, rewind)

  161. 

  162. 		return false

  163. 	}

  164. 

  165. 	hello, err := faketls.ParseClientHello(p.secret.Key[:], rec.Payload.Bytes())

  166. 	if err != nil {

  167. 		p.logger.InfoError("cannot parse client hello", err)

  168. 		p.doDomainFronting(ctx, rewind)

  169. 

  170. 		return false

  171. 	}

  172. 

  173. 	if err := hello.Valid(p.secret.Host, p.tolerateTimeSkewness); err != nil {

  174. 		p.logger.

  175. 			BindStr("hostname", hello.Host).

  176. 			BindStr("hello-time", hello.Time.String()).

  177. 			InfoError("invalid faketls client hello", err)

  178. 		p.doDomainFronting(ctx, rewind)

  179. 

  180. 		return false

  181. 	}

  182. 

  183. 	if p.antiReplayCache.SeenBefore(hello.SessionID) {

  184. 		p.logger.Warning("replay attack has been detected!")

  185. 		p.eventStream.Send(p.ctx, NewEventReplayAttack(ctx.streamID))

  186. 		p.doDomainFronting(ctx, rewind)

  187. 

  188. 		return false

  189. 	}

  190. 

  191. 	if err := faketls.SendWelcomePacket(rewind, p.secret.Key[:], hello); err != nil {

  192. 		p.logger.InfoError("cannot send welcome packet", err)

  193. 

  194. 		return false

  195. 	}

  196. 

  197. 	ctx.clientConn = &faketls.Conn{

  198. 		Conn: ctx.clientConn,

  199. 	}

  200. 

  201. 	return true

  202. }

  203. 

  204. func (p *Proxy) doObfuscated2Handshake(ctx *streamContext) error {

  205. 	dc, encryptor, decryptor, err := obfuscated2.ClientHandshake(p.secret.Key[:], ctx.clientConn)

  206. 	if err != nil {

  207. 		return fmt.Errorf("cannot process client handshake: %w", err)

  208. 	}

  209. 

  210. 	ctx.dc = dc

  211. 	ctx.logger = ctx.logger.BindInt("dc", dc)

  212. 	ctx.clientConn = obfuscated2.Conn{

  213. 		Conn:      ctx.clientConn,

  214. 		Encryptor: encryptor,

  215. 		Decryptor: decryptor,

  216. 	}

  217. 

  218. 	return nil

  219. }

  220. 

  221. func (p *Proxy) doTelegramCall(ctx *streamContext) error {

  222. 	dc := ctx.dc

  223. 

  224. 	if p.allowFallbackOnUnknownDC && !p.telegram.IsKnownDC(dc) {

  225. 		dc = p.telegram.GetFallbackDC()

  226. 		ctx.logger = ctx.logger.BindInt("fallback_dc", dc)

  227. 

  228. 		ctx.logger.Warning("unknown DC, fallbacks")

  229. 	}

  230. 

  231. 	conn, err := p.telegram.Dial(ctx, dc)

  232. 	if err != nil {

  233. 		return fmt.Errorf("cannot dial to Telegram: %w", err)

  234. 	}

  235. 

  236. 	encryptor, decryptor, err := obfuscated2.ServerHandshake(conn)

  237. 	if err != nil {

  238. 		conn.Close()

  239. 

  240. 		return fmt.Errorf("cannot perform obfuscated2 handshake: %w", err)

  241. 	}

  242. 

  243. 	ctx.telegramConn = obfuscated2.Conn{

  244. 		Conn: connTraffic{

  245. 			Conn:     conn,

  246. 			streamID: ctx.streamID,

  247. 			stream:   p.eventStream,

  248. 			ctx:      ctx,

  249. 		},

  250. 		Encryptor: encryptor,

  251. 		Decryptor: decryptor,

  252. 	}

  253. 

  254. 	p.eventStream.Send(ctx,

  255. 		NewEventConnectedToDC(ctx.streamID,

  256. 			conn.RemoteAddr().(*net.TCPAddr).IP, // nolint: forcetypeassert

  257. 			ctx.dc),

  258. 	)

  259. 

  260. 	return nil

  261. }

  262. 

  263. func (p *Proxy) doDomainFronting(ctx *streamContext, conn *connRewind) {

  264. 	p.eventStream.Send(p.ctx, NewEventDomainFronting(ctx.streamID))

  265. 	conn.Rewind()

  266. 

  267. 	frontConn, err := p.network.DialContext(ctx, "tcp", p.DomainFrontingAddress())

  268. 	if err != nil {

  269. 		p.logger.WarningError("cannot dial to the fronting domain", err)

  270. 

  271. 		return

  272. 	}

  273. 

  274. 	frontConn = connTraffic{

  275. 		Conn:     frontConn,

  276. 		ctx:      ctx,

  277. 		streamID: ctx.streamID,

  278. 		stream:   p.eventStream,

  279. 	}

  280. 

  281. 	relay.Relay(

  282. 		ctx,

  283. 		ctx.logger.Named("domain-fronting"),

  284. 		frontConn,

  285. 		conn,

  286. 	)

  287. }

  288. 

  289. // NewProxy makes a new proxy instance.

  290. func NewProxy(opts ProxyOpts) (*Proxy, error) {

  291. 	if err := opts.valid(); err != nil {

  292. 		return nil, fmt.Errorf("invalid settings: %w", err)

  293. 	}

  294. 

  295. 	tg, err := telegram.New(opts.Network, opts.getPreferIP(), opts.UseTestDCs)

  296. 	if err != nil {

  297. 		return nil, fmt.Errorf("cannot build telegram dialer: %w", err)

  298. 	}

  299. 

  300. 	ctx, cancel := context.WithCancel(context.Background())

  301. 	proxy := &Proxy{

  302. 		ctx:                      ctx,

  303. 		ctxCancel:                cancel,

  304. 		secret:                   opts.Secret,

  305. 		network:                  opts.Network,

  306. 		antiReplayCache:          opts.AntiReplayCache,

  307. 		blocklist:                opts.IPBlocklist,

  308. 		allowlist:                opts.IPAllowlist,

  309. 		eventStream:              opts.EventStream,

  310. 		logger:                   opts.getLogger("proxy"),

  311. 		domainFrontingPort:       opts.getDomainFrontingPort(),

  312. 		tolerateTimeSkewness:     opts.getTolerateTimeSkewness(),

  313. 		allowFallbackOnUnknownDC: opts.AllowFallbackOnUnknownDC,

  314. 		telegram:                 tg,

  315. 	}

  316. 

  317. 	pool, err := ants.NewPoolWithFunc(opts.getConcurrency(),

  318. 		func(arg interface{}) {

  319. 			proxy.ServeConn(arg.(essentials.Conn)) // nolint: forcetypeassert

  320. 		},

  321. 		ants.WithLogger(opts.getLogger("ants")),

  322. 		ants.WithNonblocking(true))

  323. 	if err != nil {

  324. 		panic(err)

  325. 	}

  326. 

  327. 	proxy.workerPool = pool

  328. 

  329. 	return proxy, nil

  330. }