ei
/
mtg
зеркало из https://github.com/9seconds/mtg
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Релизы 48 Вики Активность
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
942 коммитов
4 Ветки
Дерево: d43d6692d7
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'd43d6692d7'
${ noResults }
mtg/mtglib/proxy.go

proxy.go 9.0KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370 
  1. package mtglib

  2. 

  3. import (

  4. 	"context"

  5. 	"errors"

  6. 	"fmt"

  7. 	"net"

  8. 	"strconv"

  9. 	"sync"

  10. 	"time"

  11. 

  12. 	"github.com/9seconds/mtg/v2/essentials"

  13. 	"github.com/9seconds/mtg/v2/mtglib/internal/dc"

  14. 	"github.com/9seconds/mtg/v2/mtglib/internal/doppel"

  15. 	"github.com/9seconds/mtg/v2/mtglib/internal/obfuscation"

  16. 	"github.com/9seconds/mtg/v2/mtglib/internal/relay"

  17. 	"github.com/9seconds/mtg/v2/mtglib/internal/tls"

  18. 	"github.com/9seconds/mtg/v2/mtglib/internal/tls/fake"

  19. 	"github.com/panjf2000/ants/v2"

  20. )

  21. 

  22. // Proxy is an MTPROTO proxy structure.

  23. type Proxy struct {

  24. 	ctx             context.Context

  25. 	ctxCancel       context.CancelFunc

  26. 	streamWaitGroup sync.WaitGroup

  27. 

  28. 	allowFallbackOnUnknownDC    bool

  29. 	tolerateTimeSkewness        time.Duration

  30. 	domainFrontingPort          int

  31. 	domainFrontingIP            string

  32. 	domainFrontingProxyProtocol bool

  33. 	workerPool                  *ants.PoolWithFunc

  34. 	telegram                    *dc.Telegram

  35. 	configUpdater               *dc.PublicConfigUpdater

  36. 	doppelGanger                *doppel.Ganger

  37. 	clientObfuscatror           obfuscation.Obfuscator

  38. 

  39. 	secret          Secret

  40. 	network         Network

  41. 	antiReplayCache AntiReplayCache

  42. 	blocklist       IPBlocklist

  43. 	allowlist       IPBlocklist

  44. 	eventStream     EventStream

  45. 	logger          Logger

  46. }

  47. 

  48. // DomainFrontingAddress returns a host:port pair for a fronting domain.

  49. // If DomainFrontingIP is set, it is used instead of resolving the hostname.

  50. func (p *Proxy) DomainFrontingAddress() string {

  51. 	host := p.secret.Host

  52. 	if p.domainFrontingIP != "" {

  53. 		host = p.domainFrontingIP

  54. 	}

  55. 

  56. 	return net.JoinHostPort(host, strconv.Itoa(p.domainFrontingPort))

  57. }

  58. 

  59. // ServeConn serves a connection. We do not check IP blocklist and concurrency

  60. // limit here.

  61. func (p *Proxy) ServeConn(conn essentials.Conn) {

  62. 	p.streamWaitGroup.Add(1)

  63. 	defer p.streamWaitGroup.Done()

  64. 

  65. 	ctx := newStreamContext(p.ctx, p.logger, conn)

  66. 	defer ctx.Close()

  67. 

  68. 	go func() {

  69. 		<-ctx.Done()

  70. 		ctx.Close()

  71. 	}()

  72. 

  73. 	p.eventStream.Send(ctx, NewEventStart(ctx.streamID, ctx.ClientIP()))

  74. 	ctx.logger.Info("Stream has been started")

  75. 

  76. 	defer func() {

  77. 		p.eventStream.Send(ctx, NewEventFinish(ctx.streamID))

  78. 		ctx.logger.Info("Stream has been finished")

  79. 	}()

  80. 

  81. 	if !p.doFakeTLSHandshake(ctx) {

  82. 		return

  83. 	}

  84. 

  85. 	if err := p.doObfuscatedHandshake(ctx); err != nil {

  86. 		p.logger.InfoError("obfuscated handshake is failed", err)

  87. 

  88. 		return

  89. 	}

  90. 

  91. 	if err := p.doTelegramCall(ctx); err != nil {

  92. 		p.logger.WarningError("cannot dial to telegram", err)

  93. 

  94. 		return

  95. 	}

  96. 

  97. 	relay.Relay(

  98. 		ctx,

  99. 		ctx.logger.Named("relay"),

  100. 		ctx.telegramConn,

  101. 		ctx.clientConn,

  102. 	)

  103. }

  104. 

  105. // Serve starts a proxy on a given listener.

  106. func (p *Proxy) Serve(listener net.Listener) error {

  107. 	p.streamWaitGroup.Add(1)

  108. 	defer p.streamWaitGroup.Done()

  109. 

  110. 	for {

  111. 		conn, err := listener.Accept()

  112. 		if err != nil {

  113. 			select {

  114. 			case <-p.ctx.Done():

  115. 				return nil

  116. 			default:

  117. 				return fmt.Errorf("cannot accept a new connection: %w", err)

  118. 			}

  119. 		}

  120. 

  121. 		ipAddr := conn.RemoteAddr().(*net.TCPAddr).IP //nolint: forcetypeassert

  122. 		logger := p.logger.BindStr("ip", ipAddr.String())

  123. 

  124. 		if !p.allowlist.Contains(ipAddr) {

  125. 			conn.Close() //nolint: errcheck

  126. 			logger.Info("ip was rejected by allowlist")

  127. 			p.eventStream.Send(p.ctx, NewEventIPAllowlisted(ipAddr))

  128. 

  129. 			continue

  130. 		}

  131. 

  132. 		if p.blocklist.Contains(ipAddr) {

  133. 			conn.Close() //nolint: errcheck

  134. 			logger.Info("ip was blacklisted")

  135. 			p.eventStream.Send(p.ctx, NewEventIPBlocklisted(ipAddr))

  136. 

  137. 			continue

  138. 		}

  139. 

  140. 		err = p.workerPool.Invoke(conn)

  141. 

  142. 		switch {

  143. 		case err == nil:

  144. 		case errors.Is(err, ants.ErrPoolClosed):

  145. 			return nil

  146. 		case errors.Is(err, ants.ErrPoolOverload):

  147. 			logger.Info("connection was concurrency limited")

  148. 			p.eventStream.Send(p.ctx, NewEventConcurrencyLimited())

  149. 		}

  150. 	}

  151. }

  152. 

  153. // Shutdown 'gracefully' shutdowns all connections. Please remember that it

  154. // does not close an underlying listener.

  155. func (p *Proxy) Shutdown() {

  156. 	p.ctxCancel()

  157. 	p.streamWaitGroup.Wait()

  158. 	p.workerPool.Release()

  159. 	p.configUpdater.Wait()

  160. 	p.doppelGanger.Shutdown()

  161. 

  162. 	p.allowlist.Shutdown()

  163. 	p.blocklist.Shutdown()

  164. }

  165. 

  166. func (p *Proxy) doFakeTLSHandshake(ctx *streamContext) bool {

  167. 	rewind := newConnRewind(ctx.clientConn)

  168. 

  169. 	clientHello, err := fake.ReadClientHello(

  170. 		rewind,

  171. 		p.secret.Key[:],

  172. 		p.secret.Host,

  173. 		p.tolerateTimeSkewness,

  174. 	)

  175. 	if err != nil {

  176. 		p.logger.InfoError("cannot read client hello", err)

  177. 		p.doDomainFronting(ctx, rewind)

  178. 		return false

  179. 	}

  180. 

  181. 	if p.antiReplayCache.SeenBefore(clientHello.SessionID) {

  182. 		p.logger.Warning("replay attack has been detected!")

  183. 		p.eventStream.Send(p.ctx, NewEventReplayAttack(ctx.streamID))

  184. 		p.doDomainFronting(ctx, rewind)

  185. 		return false

  186. 	}

  187. 

  188. 	_, err = fake.SendServerHello(ctx.clientConn, p.secret.Key[:], clientHello)

  189. 	if err != nil {

  190. 		p.logger.InfoError("cannot send welcome packet", err)

  191. 		return false

  192. 	}

  193. 

  194. 	ctx.clientConn = tls.New(ctx.clientConn, true, true)

  195. 

  196. 	ctx.clientConn, err = p.doppelGanger.NewConn(ctx.clientConn)

  197. 	if err != nil {

  198. 		p.logger.WarningError("cannot create connection", err)

  199. 		return false

  200. 	}

  201. 

  202. 	return true

  203. }

  204. 

  205. func (p *Proxy) doObfuscatedHandshake(ctx *streamContext) error {

  206. 	dc, conn, err := p.clientObfuscatror.ReadHandshake(ctx.clientConn)

  207. 	if err != nil {

  208. 		return fmt.Errorf("cannot process client handshake: %w", err)

  209. 	}

  210. 

  211. 	ctx.dc = dc

  212. 	ctx.clientConn = conn

  213. 	ctx.logger = ctx.logger.BindInt("dc", dc)

  214. 

  215. 	return nil

  216. }

  217. 

  218. func (p *Proxy) doTelegramCall(ctx *streamContext) error {

  219. 	dcid := ctx.dc

  220. 

  221. 	addresses := p.telegram.GetAddresses(dcid)

  222. 	if len(addresses) == 0 && p.allowFallbackOnUnknownDC {

  223. 		ctx.logger = ctx.logger.BindInt("original_dc", dcid)

  224. 		ctx.logger.Warning("unknown DC, fallbacks")

  225. 		ctx.dc = dc.DefaultDC

  226. 		addresses = p.telegram.GetAddresses(dc.DefaultDC)

  227. 	}

  228. 

  229. 	var (

  230. 		conn      essentials.Conn

  231. 		err       error

  232. 		foundAddr dc.Addr

  233. 	)

  234. 

  235. 	for _, addr := range addresses {

  236. 		conn, err = p.network.Dial(addr.Network, addr.Address)

  237. 		if err == nil {

  238. 			foundAddr = addr

  239. 			break

  240. 		}

  241. 	}

  242. 	if err != nil {

  243. 		return fmt.Errorf("no addresses to call: %w", err)

  244. 	}

  245. 	if conn == nil {

  246. 		return fmt.Errorf("no available addresses for DC %d", ctx.dc)

  247. 	}

  248. 

  249. 	tgConn, err := foundAddr.Obfuscator.SendHandshake(conn, ctx.dc)

  250. 	if err != nil {

  251. 		conn.Close() // nolint: errcheck

  252. 		return fmt.Errorf("cannot perform server handshake: %w", err)

  253. 	}

  254. 

  255. 	ctx.telegramConn = connTraffic{

  256. 		Conn:     tgConn,

  257. 		streamID: ctx.streamID,

  258. 		stream:   p.eventStream,

  259. 		ctx:      ctx,

  260. 	}

  261. 

  262. 	p.eventStream.Send(ctx,

  263. 		NewEventConnectedToDC(ctx.streamID,

  264. 			conn.RemoteAddr().(*net.TCPAddr).IP, //nolint: forcetypeassert

  265. 			ctx.dc),

  266. 	)

  267. 

  268. 	return nil

  269. }

  270. 

  271. func (p *Proxy) doDomainFronting(ctx *streamContext, conn *connRewind) {

  272. 	p.eventStream.Send(p.ctx, NewEventDomainFronting(ctx.streamID))

  273. 	conn.Rewind()

  274. 

  275. 	frontConn, err := p.network.DialContext(ctx, "tcp", p.DomainFrontingAddress())

  276. 	if err != nil {

  277. 		p.logger.WarningError("cannot dial to the fronting domain", err)

  278. 

  279. 		return

  280. 	}

  281. 

  282. 	if p.domainFrontingProxyProtocol {

  283. 		frontConn = newConnProxyProtocol(ctx.clientConn, frontConn)

  284. 	}

  285. 

  286. 	frontConn = connTraffic{

  287. 		Conn:     frontConn,

  288. 		ctx:      ctx,

  289. 		streamID: ctx.streamID,

  290. 		stream:   p.eventStream,

  291. 	}

  292. 

  293. 	relay.Relay(

  294. 		ctx,

  295. 		ctx.logger.Named("domain-fronting"),

  296. 		frontConn,

  297. 		conn,

  298. 	)

  299. }

  300. 

  301. // NewProxy makes a new proxy instance.

  302. func NewProxy(opts ProxyOpts) (*Proxy, error) {

  303. 	if err := opts.valid(); err != nil {

  304. 		return nil, fmt.Errorf("invalid settings: %w", err)

  305. 	}

  306. 

  307. 	tg, err := dc.New(opts.getPreferIP())

  308. 	if err != nil {

  309. 		return nil, fmt.Errorf("cannot build telegram dc fetcher: %w", err)

  310. 	}

  311. 

  312. 	ctx, cancel := context.WithCancel(context.Background())

  313. 	logger := opts.getLogger("proxy")

  314. 	updatersLogger := logger.Named("telegram-updaters")

  315. 

  316. 	proxy := &Proxy{

  317. 		ctx:                      ctx,

  318. 		ctxCancel:                cancel,

  319. 		secret:                   opts.Secret,

  320. 		network:                  opts.Network,

  321. 		antiReplayCache:          opts.AntiReplayCache,

  322. 		blocklist:                opts.IPBlocklist,

  323. 		allowlist:                opts.IPAllowlist,

  324. 		eventStream:              opts.EventStream,

  325. 		logger:                   logger,

  326. 		domainFrontingPort:       opts.getDomainFrontingPort(),

  327. 		domainFrontingIP:         opts.DomainFrontingIP,

  328. 		tolerateTimeSkewness:     opts.getTolerateTimeSkewness(),

  329. 		allowFallbackOnUnknownDC: opts.AllowFallbackOnUnknownDC,

  330. 		telegram:                 tg,

  331. 		doppelGanger: doppel.NewGanger(

  332. 			ctx,

  333. 			opts.Network,

  334. 			logger.Named("doppelganger"),

  335. 			opts.DoppelGangerEach,

  336. 			int(opts.DoppelGangerPerRaid),

  337. 			opts.DoppelGangerURLs,

  338. 		),

  339. 		configUpdater: dc.NewPublicConfigUpdater(

  340. 			tg,

  341. 			updatersLogger.Named("public-config"),

  342. 			opts.Network.MakeHTTPClient(nil),

  343. 		),

  344. 		clientObfuscatror: obfuscation.Obfuscator{

  345. 			Secret: opts.Secret.Key[:],

  346. 		},

  347. 		domainFrontingProxyProtocol: opts.DomainFrontingProxyProtocol,

  348. 	}

  349. 

  350. 	proxy.doppelGanger.Run()

  351. 

  352. 	if opts.AutoUpdate {

  353. 		proxy.configUpdater.Run(ctx, dc.PublicConfigUpdateURLv4, "tcp4")

  354. 		proxy.configUpdater.Run(ctx, dc.PublicConfigUpdateURLv6, "tcp6")

  355. 	}

  356. 

  357. 	pool, err := ants.NewPoolWithFunc(opts.getConcurrency(),

  358. 		func(arg any) {

  359. 			proxy.ServeConn(arg.(essentials.Conn)) //nolint: forcetypeassert

  360. 		},

  361. 		ants.WithLogger(opts.getLogger("ants")),

  362. 		ants.WithNonblocking(true))

  363. 	if err != nil {

  364. 		panic(err)

  365. 	}

  366. 

  367. 	proxy.workerPool = pool

  368. 

  369. 	return proxy, nil

  370. }