├── .gitattributes
├── .github
├── FUNDING.yml
├── dependabot.yml
└── workflows
│ ├── release.yml
│ └── workflow_runs_clean_up.yml
├── .gitignore
├── LICENSE
├── README.md
├── all
└── all.go
├── api
├── api.go
├── model.go
└── sspanel
│ ├── model.go
│ └── sspanel.go
├── app
├── app.go
└── mydispatcher
│ ├── config.pb.go
│ ├── config.proto
│ ├── default.go
│ ├── dispatcher.go
│ ├── errors.generated.go
│ ├── fakednssniffer.go
│ ├── sniffer.go
│ └── stats.go
├── cmd
├── root.go
└── version.go
├── common
├── common.go
├── limiter
│ ├── limiter.go
│ ├── model.go
│ └── rate.go
├── mylego
│ ├── account.go
│ ├── accounts_storage.go
│ ├── certs_storage.go
│ ├── model.go
│ ├── mylego.go
│ ├── renew.go
│ ├── run.go
│ └── setup.go
└── rule
│ └── rule.go
├── default.pgo
├── go.mod
├── go.sum
├── main.go
├── panel
├── default.go
├── model.go
└── panel.go
├── profile.go
├── release
└── config
│ ├── config.yml.example
│ ├── custom_inbound.json
│ ├── custom_outbound.json
│ ├── dns.json
│ ├── route.json
│ └── rulelist
├── sentry.go
└── service
├── controller
├── controller.go
├── inbound.go
├── model.go
├── outbound.go
└── user.go
└── service.go
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | patreon: catdev
2 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | version: 2
2 | updates:
3 | - package-ecosystem: "gomod"
4 | directory: "/"
5 | schedule:
6 | interval: "weekly"
7 |
8 | - package-ecosystem: "github-actions"
9 | directory: "/"
10 | schedule:
11 | interval: "weekly"
12 |
--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
1 | name: Test and Release
2 |
3 | on:
4 | workflow_dispatch:
5 | push:
6 | branches:
7 | - main
8 | paths:
9 | - "**/*.go"
10 | - "go.mod"
11 | - "go.sum"
12 | - ".github/workflows/*.yml"
13 | pull_request:
14 | types: [ opened, synchronize, reopened ]
15 | paths:
16 | - "**/*.go"
17 | - "go.mod"
18 | - "go.sum"
19 | - ".github/workflows/*.yml"
20 | release:
21 | types: [ published ]
22 |
23 | jobs:
24 | build:
25 | strategy:
26 | matrix:
27 | build-tag: [ 'none' ]
28 | goos: [ linux ]
29 | goarch: [ amd64 ]
30 | goamd64: [ v1, v3 ]
31 | include:
32 | - build-tag: none
33 | goos: linux
34 | goarch: arm64
35 | - build-tag: none
36 | goos: linux
37 | goarch: riscv64
38 | fail-fast: false
39 | runs-on: ubuntu-latest
40 | env:
41 | BUILD_TAG: ${{ matrix.build-tag }}
42 | GOOS: ${{ matrix.goos }}
43 | GOARCH: ${{ matrix.goarch }}
44 | GOAMD64: ${{ matrix.goamd64 }}
45 | CGO_ENABLED: 0
46 | steps:
47 | - name: Checkout
48 | uses: actions/checkout@v4
49 | - name: Generate build information
50 | id: get_filename
51 | run: |
52 | echo "BUILD_TAG: $BUILD_TAG, GOOS: $GOOS, GOARCH: $GOARCH, GOAMD64: $GOAMD64"
53 | if [ "$GOAMD64" == "v3" ]; then
54 | if [ "$BUILD_TAG" == "none" ]; then
55 | echo "ASSET_NAME=$GOOS-$GOARCH$GOAMD64" >> $GITHUB_OUTPUT
56 | echo "ASSET_NAME=$GOOS-$GOARCH$GOAMD64" >> $GITHUB_ENV
57 | else
58 | echo "ASSET_NAME=$GOOS-$GOARCH$GOAMD64-$BUILD_TAG" >> $GITHUB_OUTPUT
59 | echo "ASSET_NAME=$GOOS-$GOARCH$GOAMD64-$BUILD_TAG" >> $GITHUB_ENV
60 | fi
61 | else
62 | if [ "$BUILD_TAG" == "none" ]; then
63 | echo "ASSET_NAME=$GOOS-$GOARCH" >> $GITHUB_OUTPUT
64 | echo "ASSET_NAME=$GOOS-$GOARCH" >> $GITHUB_ENV
65 | else
66 | echo "ASSET_NAME=$GOOS-$GOARCH-$BUILD_TAG" >> $GITHUB_OUTPUT
67 | echo "ASSET_NAME=$GOOS-$GOARCH-$BUILD_TAG" >> $GITHUB_ENV
68 | fi
69 | fi
70 | - name: Set up Go
71 | uses: actions/setup-go@v5
72 | with:
73 | go-version: ^1.24
74 | - name: Get project dependencies
75 | run: go mod download
76 | - name: Build next-server
77 | run: |
78 | mkdir -p build_assets
79 | if [ $BUILD_TAG != "none" ]; then
80 | go build -v -o build_assets/next-server -trimpath -ldflags "-s -w -buildid=" -tags $BUILD_TAG
81 | else
82 | go build -v -o build_assets/next-server -trimpath -ldflags "-s -w -buildid="
83 | fi
84 | - name: Prepare config files
85 | run: |
86 | cp ${GITHUB_WORKSPACE}/README.md ./build_assets/README.md
87 | cp ${GITHUB_WORKSPACE}/LICENSE ./build_assets/LICENSE
88 | cp ${GITHUB_WORKSPACE}/release/config/dns.json ./build_assets/dns.json
89 | cp ${GITHUB_WORKSPACE}/release/config/route.json ./build_assets/route.json
90 | cp ${GITHUB_WORKSPACE}/release/config/custom_outbound.json ./build_assets/custom_outbound.json
91 | cp ${GITHUB_WORKSPACE}/release/config/custom_inbound.json ./build_assets/custom_inbound.json
92 | cp ${GITHUB_WORKSPACE}/release/config/rulelist ./build_assets/rulelist
93 | cp ${GITHUB_WORKSPACE}/release/config/config.yml.example ./build_assets/config.yml
94 | wget -O ./build_assets/geoip.dat https://raw.githubusercontent.com/v2fly/geoip/release/geoip.dat
95 | wget -O ./build_assets/geosite.dat https://raw.githubusercontent.com/v2fly/domain-list-community/release/dlc.dat
96 | - name: Create zip archive
97 | run: |
98 | pushd build_assets || exit 1
99 | zip -9vr ../next-server-$ASSET_NAME.zip .
100 | popd || exit 1
101 | FILE=./next-server-$ASSET_NAME.zip
102 | DGST=$FILE.hash.txt
103 | openssl dgst -sha256 $FILE | sed 's/([^)]*)//g' >>$DGST
104 | openssl dgst -sha3-256 $FILE | sed 's/([^)]*)//g' >>$DGST
105 | mv build_assets next-server-$ASSET_NAME
106 | - name: Upload files to artifacts
107 | uses: actions/upload-artifact@v4
108 | with:
109 | name: next-server-${{ steps.get_filename.outputs.ASSET_NAME }}
110 | path: |
111 | ./next-server-${{ steps.get_filename.outputs.ASSET_NAME }}/*
112 | - name: Upload files to release
113 | uses: svenstaro/upload-release-action@v2
114 | if: ${{ github.event_name == 'release' }}
115 | with:
116 | repo_token: ${{ secrets.GITHUB_TOKEN }}
117 | file: ./next-server-${{ steps.get_filename.outputs.ASSET_NAME }}.zip*
118 | tag: ${{ github.ref }}
119 | file_glob: true
120 |
--------------------------------------------------------------------------------
/.github/workflows/workflow_runs_clean_up.yml:
--------------------------------------------------------------------------------
1 | name: Delete old workflow runs
2 | on:
3 | workflow_dispatch:
4 | schedule:
5 | - cron: '0 0 * * *'
6 |
7 | jobs:
8 | del_runs:
9 | runs-on: ubuntu-latest
10 | permissions:
11 | actions: write
12 | contents: read
13 | steps:
14 | - name: Delete workflow runs
15 | uses: Mattraks/delete-workflow-runs@v2
16 | with:
17 | token: ${{ github.token }}
18 | repository: ${{ github.repository }}
19 | retain_days: 7
20 | keep_minimum_runs: 1
21 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # IDEs
2 | .idea/
3 | .vscode/
4 | vendor/
5 | # Bin
6 | *.exe
7 | uim-server*
8 | next-server*
9 | # Exclude release script
10 | !uim-server.sh
11 | !next-server.sh
12 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # NeXT-Server
2 |
3 | Next generation proxy server.
4 |
5 | ## License
6 |
7 | [GPL-3.0](./LICENSE)
8 |
--------------------------------------------------------------------------------
/all/all.go:
--------------------------------------------------------------------------------
1 | package all
2 |
3 | import (
4 | // The following are necessary as they register handlers in their init functions.
5 | _ "github.com/xtls/xray-core/app/proxyman/inbound"
6 | _ "github.com/xtls/xray-core/app/proxyman/outbound"
7 | // Required features. Can't remove unless there is replacements.
8 | _ "github.com/The-NeXT-Project/NeXT-Server/app/mydispatcher"
9 | // Default commander and all its services. This is an optional feature.
10 | _ "github.com/xtls/xray-core/app/commander"
11 | _ "github.com/xtls/xray-core/app/log/command"
12 | _ "github.com/xtls/xray-core/app/proxyman/command"
13 | _ "github.com/xtls/xray-core/app/stats/command"
14 | // Other optional features.
15 | _ "github.com/xtls/xray-core/app/dns"
16 | _ "github.com/xtls/xray-core/app/log"
17 | _ "github.com/xtls/xray-core/app/metrics"
18 | _ "github.com/xtls/xray-core/app/policy"
19 | _ "github.com/xtls/xray-core/app/reverse"
20 | _ "github.com/xtls/xray-core/app/router"
21 | _ "github.com/xtls/xray-core/app/stats"
22 | // Inbound and outbound proxies.
23 | _ "github.com/xtls/xray-core/proxy/blackhole"
24 | _ "github.com/xtls/xray-core/proxy/dns"
25 | _ "github.com/xtls/xray-core/proxy/freedom"
26 | _ "github.com/xtls/xray-core/proxy/http"
27 | _ "github.com/xtls/xray-core/proxy/shadowsocks"
28 | _ "github.com/xtls/xray-core/proxy/socks"
29 | _ "github.com/xtls/xray-core/proxy/trojan"
30 | _ "github.com/xtls/xray-core/proxy/vmess/inbound"
31 | _ "github.com/xtls/xray-core/proxy/vmess/outbound"
32 | // Transports
33 | _ "github.com/xtls/xray-core/transport/internet/domainsocket"
34 | _ "github.com/xtls/xray-core/transport/internet/grpc"
35 | _ "github.com/xtls/xray-core/transport/internet/http"
36 | _ "github.com/xtls/xray-core/transport/internet/httpupgrade"
37 | _ "github.com/xtls/xray-core/transport/internet/kcp"
38 | _ "github.com/xtls/xray-core/transport/internet/quic"
39 | _ "github.com/xtls/xray-core/transport/internet/splithttp"
40 | _ "github.com/xtls/xray-core/transport/internet/tcp"
41 | _ "github.com/xtls/xray-core/transport/internet/tls"
42 | _ "github.com/xtls/xray-core/transport/internet/udp"
43 | _ "github.com/xtls/xray-core/transport/internet/websocket"
44 | // Transport headers
45 | _ "github.com/xtls/xray-core/transport/internet/headers/http"
46 | _ "github.com/xtls/xray-core/transport/internet/headers/noop"
47 | _ "github.com/xtls/xray-core/transport/internet/headers/srtp"
48 | _ "github.com/xtls/xray-core/transport/internet/headers/tls"
49 | _ "github.com/xtls/xray-core/transport/internet/headers/utp"
50 | _ "github.com/xtls/xray-core/transport/internet/headers/wechat"
51 | _ "github.com/xtls/xray-core/transport/internet/headers/wireguard"
52 | // JSON & TOML & YAML
53 | _ "github.com/xtls/xray-core/main/json"
54 | _ "github.com/xtls/xray-core/main/toml"
55 | _ "github.com/xtls/xray-core/main/yaml"
56 | // Load config from file or http(s)
57 | _ "github.com/xtls/xray-core/main/confloader/external"
58 | // Commands
59 | _ "github.com/xtls/xray-core/main/commands/all"
60 | )
61 |
--------------------------------------------------------------------------------
/api/api.go:
--------------------------------------------------------------------------------
1 | package api
2 |
3 | // API is the interface for different panel's api.
4 | type API interface {
5 | GetNodeInfo() (nodeInfo *NodeInfo, err error)
6 | GetUserList() (userList *[]UserInfo, err error)
7 | ReportNodeOnlineUsers(onlineUser *[]OnlineUser) (err error)
8 | ReportUserTraffic(userTraffic *[]UserTraffic) (err error)
9 | Describe() ClientInfo
10 | GetNodeRule() (ruleList *[]DetectRule, err error)
11 | ReportIllegal(detectResultList *[]DetectResult) (err error)
12 | Debug()
13 | }
14 |
--------------------------------------------------------------------------------
/api/model.go:
--------------------------------------------------------------------------------
1 | package api
2 |
3 | import (
4 | "encoding/json"
5 | "regexp"
6 |
7 | "github.com/xtls/xray-core/infra/conf"
8 | )
9 |
10 | const (
11 | UserNotModified = "users not modified"
12 | NodeNotModified = "node not modified"
13 | RuleNotModified = "rules not modified"
14 | )
15 |
16 | // Config API config
17 | type Config struct {
18 | APIHost string `mapstructure:"ApiHost"`
19 | NodeID int `mapstructure:"NodeID"`
20 | Key string `mapstructure:"ApiKey"`
21 | NodeType string `mapstructure:"NodeType"`
22 | Timeout int `mapstructure:"Timeout"`
23 | SpeedLimit float64 `mapstructure:"SpeedLimit"`
24 | DeviceLimit int `mapstructure:"DeviceLimit"`
25 | RuleListPath string `mapstructure:"RuleListPath"`
26 | }
27 |
28 | type NodeInfo struct {
29 | NodeType string // Must be vmess, trojan, shadowsocks and shadowsocks2022
30 | NodeID int
31 | Port uint32
32 | SpeedLimit uint64 // Bps
33 | AlterID uint16
34 | TransportProtocol string
35 | FakeType string
36 | Host string
37 | Path string
38 | EnableTLS bool
39 | CipherMethod string
40 | ServerKey string
41 | ServiceName string
42 | Header json.RawMessage
43 | NameServerConfig []*conf.NameServerConfig
44 | }
45 |
46 | type UserInfo struct {
47 | UID int
48 | Email string
49 | UUID string
50 | Passwd string
51 | Port uint32
52 | AlterID uint16
53 | Method string
54 | SpeedLimit uint64 // Bps
55 | DeviceLimit int
56 | }
57 |
58 | type OnlineUser struct {
59 | UID int
60 | IP string
61 | }
62 |
63 | type UserTraffic struct {
64 | UID int
65 | Email string
66 | Upload int64
67 | Download int64
68 | }
69 |
70 | type ClientInfo struct {
71 | APIHost string
72 | NodeID int
73 | Key string
74 | NodeType string
75 | }
76 |
77 | type DetectRule struct {
78 | ID int
79 | Pattern *regexp.Regexp
80 | }
81 |
82 | type DetectResult struct {
83 | UID int
84 | RuleID int
85 | }
86 |
--------------------------------------------------------------------------------
/api/sspanel/model.go:
--------------------------------------------------------------------------------
1 | package sspanel
2 |
3 | import "encoding/json"
4 |
5 | // NodeInfoResponse is the response of node
6 | type NodeInfoResponse struct {
7 | SpeedLimit float64 `json:"node_speedlimit"`
8 | Sort int `json:"sort"`
9 | RawServerString string `json:"server"`
10 | CustomConfig json.RawMessage `json:"custom_config"`
11 | Type string `json:"type"`
12 | Version string `json:"version"`
13 | }
14 |
15 | type CustomConfig struct {
16 | OffsetPortNode string `json:"offset_port_node"`
17 | Host string `json:"host"`
18 | Method string `json:"method"`
19 | TLS string `json:"tls"`
20 | Network string `json:"network"`
21 | Security string `json:"security"`
22 | Path string `json:"path"`
23 | VerifyCert bool `json:"verify_cert"`
24 | Header json.RawMessage `json:"header"`
25 | AllowInsecure string `json:"allow_insecure"`
26 | ServerKey string `json:"server_key"`
27 | ServiceName string `json:"servicename"`
28 | }
29 |
30 | // UserResponse is the response of user
31 | type UserResponse struct {
32 | ID int `json:"id"`
33 | Passwd string `json:"passwd"`
34 | Port uint32 `json:"port"`
35 | Method string `json:"method"`
36 | SpeedLimit float64 `json:"node_speedlimit"`
37 | UUID string `json:"uuid"`
38 | }
39 |
40 | // Response is the common response
41 | type Response struct {
42 | Ret uint `json:"ret"`
43 | Data json.RawMessage `json:"data"`
44 | Msg string `json:"msg"`
45 | }
46 |
47 | // PostData is the data structure of post data
48 | type PostData struct {
49 | Data interface{} `json:"data"`
50 | }
51 |
52 | // OnlineUser is the data structure of online user
53 | type OnlineUser struct {
54 | UID int `json:"user_id"`
55 | IP string `json:"ip"`
56 | }
57 |
58 | // UserTraffic is the data structure of traffic
59 | type UserTraffic struct {
60 | UID int `json:"user_id"`
61 | Upload int64 `json:"u"`
62 | Download int64 `json:"d"`
63 | }
64 |
65 | type RuleItem struct {
66 | ID int `json:"id"`
67 | Content string `json:"regex"`
68 | }
69 |
70 | type IllegalItem struct {
71 | ID int `json:"list_id"`
72 | UID int `json:"user_id"`
73 | }
74 |
--------------------------------------------------------------------------------
/api/sspanel/sspanel.go:
--------------------------------------------------------------------------------
1 | package sspanel
2 |
3 | import (
4 | "bufio"
5 | "encoding/json"
6 | "errors"
7 | "fmt"
8 | "log"
9 | "os"
10 | "reflect"
11 | "regexp"
12 | "strconv"
13 | "sync"
14 | "time"
15 |
16 | "github.com/go-resty/resty/v2"
17 |
18 | "github.com/The-NeXT-Project/NeXT-Server/api"
19 | )
20 |
21 | // APIClient create an api client to the panel.
22 | type APIClient struct {
23 | client *resty.Client
24 | APIHost string
25 | NodeID int
26 | Key string
27 | NodeType string
28 | SpeedLimit float64
29 | DeviceLimit int
30 | LocalRuleList []api.DetectRule
31 | LastReportOnline map[int]int
32 | access sync.Mutex
33 | version string
34 | eTags map[string]string
35 | }
36 |
37 | // New create api instance
38 | func New(apiConfig *api.Config) *APIClient {
39 | client := resty.New()
40 | client.SetRetryCount(3)
41 |
42 | if apiConfig.Timeout > 0 {
43 | client.SetTimeout(time.Duration(apiConfig.Timeout) * time.Second)
44 | } else {
45 | client.SetTimeout(5 * time.Second)
46 | }
47 |
48 | client.OnError(func(req *resty.Request, err error) {
49 | var v *resty.ResponseError
50 | if errors.As(err, &v) {
51 | // v.Response contains the last response from the server
52 | // v.Err contains the original error
53 | log.Print(v.Err)
54 | }
55 | })
56 |
57 | client.SetBaseURL(apiConfig.APIHost)
58 | // Create Key for each requests
59 | client.SetQueryParam("key", apiConfig.Key)
60 | // Add support for muKey
61 | client.SetQueryParam("muKey", apiConfig.Key)
62 | // Read local rule list
63 | localRuleList := readLocalRuleList(apiConfig.RuleListPath)
64 |
65 | return &APIClient{
66 | client: client,
67 | NodeID: apiConfig.NodeID,
68 | Key: apiConfig.Key,
69 | APIHost: apiConfig.APIHost,
70 | NodeType: apiConfig.NodeType,
71 | SpeedLimit: apiConfig.SpeedLimit,
72 | DeviceLimit: apiConfig.DeviceLimit,
73 | LocalRuleList: localRuleList,
74 | LastReportOnline: make(map[int]int),
75 | eTags: make(map[string]string),
76 | }
77 | }
78 |
79 | // readLocalRuleList reads the local rule list file
80 | func readLocalRuleList(path string) (LocalRuleList []api.DetectRule) {
81 | LocalRuleList = make([]api.DetectRule, 0)
82 |
83 | if path != "" {
84 | // open the file
85 | file, err := os.Open(path)
86 |
87 | defer func(file *os.File) {
88 | err := file.Close()
89 | if err != nil {
90 | log.Printf("Error when closing file: %s", err)
91 | }
92 | }(file)
93 | // handle errors while opening
94 | if err != nil {
95 | log.Printf("Error when opening file: %s", err)
96 | return LocalRuleList
97 | }
98 |
99 | fileScanner := bufio.NewScanner(file)
100 | // read line by line
101 | for fileScanner.Scan() {
102 | LocalRuleList = append(LocalRuleList, api.DetectRule{
103 | ID: -1,
104 | Pattern: regexp.MustCompile(fileScanner.Text()),
105 | })
106 | }
107 | // handle first encountered error while reading
108 | if err := fileScanner.Err(); err != nil {
109 | log.Fatalf("Error while reading file: %s", err)
110 | return
111 | }
112 | }
113 |
114 | return LocalRuleList
115 | }
116 |
117 | // Describe return a description of the client
118 | func (c *APIClient) Describe() api.ClientInfo {
119 | return api.ClientInfo{APIHost: c.APIHost, NodeID: c.NodeID, Key: c.Key, NodeType: c.NodeType}
120 | }
121 |
122 | // Debug set the client debug for client
123 | func (c *APIClient) Debug() {
124 | c.client.SetDebug(true)
125 | }
126 |
127 | func (c *APIClient) assembleURL(path string) string {
128 | return c.APIHost + path
129 | }
130 |
131 | func (c *APIClient) parseResponse(res *resty.Response, path string, err error) (*Response, error) {
132 | if err != nil {
133 | return nil, fmt.Errorf("request %s failed: %s", c.assembleURL(path), err)
134 | }
135 |
136 | if res.StatusCode() > 399 {
137 | body := res.Body()
138 | return nil, fmt.Errorf("request %s failed: %s, %v", c.assembleURL(path), string(body), err)
139 | }
140 |
141 | response := res.Result().(*Response)
142 |
143 | if response.Ret != 1 {
144 | res, _ := json.Marshal(&response)
145 | return nil, fmt.Errorf("ret %s invalid", string(res))
146 | }
147 |
148 | return response, nil
149 | }
150 |
151 | // GetNodeInfo will pull NodeInfo Config from ssPanel
152 | func (c *APIClient) GetNodeInfo() (nodeInfo *api.NodeInfo, err error) {
153 | path := fmt.Sprintf("/mod_mu/nodes/%d/info", c.NodeID)
154 | res, err := c.client.R().
155 | SetResult(&Response{}).
156 | SetHeader("If-None-Match", c.eTags["node"]).
157 | ForceContentType("application/json").
158 | Get(path)
159 | // Etag identifier for a specific version of a resource. StatusCode = 304 means no changed
160 | if res != nil {
161 | if res.StatusCode() == 304 {
162 | return nil, errors.New(api.NodeNotModified)
163 | }
164 |
165 | if res.Header().Get("ETag") != "" && res.Header().Get("ETag") != c.eTags["node"] {
166 | c.eTags["node"] = res.Header().Get("ETag")
167 | }
168 | }
169 |
170 | response, err := c.parseResponse(res, path, err)
171 | if err != nil {
172 | return nil, err
173 | }
174 |
175 | nodeInfoResponse := new(NodeInfoResponse)
176 |
177 | if err := json.Unmarshal(response.Data, nodeInfoResponse); err != nil {
178 | return nil, fmt.Errorf("unmarshal %s failed: %s", reflect.TypeOf(nodeInfoResponse), err)
179 | }
180 |
181 | nodeInfo, err = c.ParseSSPanelNodeInfo(nodeInfoResponse)
182 | if err != nil {
183 | res, _ := json.Marshal(nodeInfoResponse)
184 | return nil, fmt.Errorf(
185 | "parse node info failed: %s, \n"+
186 | "Error: %s, \nPlease check the doc of custom_config for help:"+
187 | " https://nextpanel.dev/docs/configuration/custom-config",
188 | string(res), err)
189 | }
190 |
191 | return nodeInfo, nil
192 | }
193 |
194 | // GetUserList will pull user form SSPanel
195 | func (c *APIClient) GetUserList() (UserList *[]api.UserInfo, err error) {
196 | path := "/mod_mu/users"
197 | res, err := c.client.R().
198 | SetQueryParam("node_id", strconv.Itoa(c.NodeID)).
199 | SetHeader("If-None-Match", c.eTags["users"]).
200 | SetResult(&Response{}).
201 | ForceContentType("application/json").
202 | Get(path)
203 | // Etag identifier for a specific version of a resource. StatusCode = 304 means no changed
204 | if res != nil {
205 | if res.StatusCode() == 304 {
206 | return nil, errors.New(api.UserNotModified)
207 | }
208 |
209 | if res.Header().Get("ETag") != "" && res.Header().Get("ETag") != c.eTags["users"] {
210 | c.eTags["users"] = res.Header().Get("ETag")
211 | }
212 | }
213 |
214 | response, err := c.parseResponse(res, path, err)
215 | if err != nil {
216 | return nil, err
217 | }
218 |
219 | userListResponse := new([]UserResponse)
220 |
221 | if err := json.Unmarshal(response.Data, userListResponse); err != nil {
222 | return nil, fmt.Errorf("unmarshal %s failed: %s", reflect.TypeOf(userListResponse), err)
223 | }
224 |
225 | userList, err := c.ParseUserListResponse(userListResponse)
226 | if err != nil {
227 | res, _ := json.Marshal(userListResponse)
228 | return nil, fmt.Errorf("parse user list failed: %s", string(res))
229 | }
230 |
231 | return userList, nil
232 | }
233 |
234 | // ReportNodeOnlineUsers reports online user ip
235 | func (c *APIClient) ReportNodeOnlineUsers(onlineUserList *[]api.OnlineUser) error {
236 | c.access.Lock()
237 | defer c.access.Unlock()
238 | reportOnline := make(map[int]int)
239 | data := make([]OnlineUser, len(*onlineUserList))
240 |
241 | for i, user := range *onlineUserList {
242 | data[i] = OnlineUser{UID: user.UID, IP: user.IP}
243 | reportOnline[user.UID]++ // will start from 1 if key doesn't exist
244 | }
245 |
246 | c.LastReportOnline = reportOnline // Update LastReportOnline
247 |
248 | postData := &PostData{Data: data}
249 | path := "/mod_mu/users/aliveip"
250 |
251 | res, err := c.client.R().
252 | SetQueryParam("node_id", strconv.Itoa(c.NodeID)).
253 | SetBody(postData).
254 | SetResult(&Response{}).
255 | ForceContentType("application/json").
256 | Post(path)
257 |
258 | _, err = c.parseResponse(res, path, err)
259 | if err != nil {
260 | return err
261 | }
262 |
263 | return nil
264 | }
265 |
266 | // ReportUserTraffic reports the user traffic
267 | func (c *APIClient) ReportUserTraffic(userTraffic *[]api.UserTraffic) error {
268 | data := make([]UserTraffic, len(*userTraffic))
269 |
270 | for i, traffic := range *userTraffic {
271 | data[i] = UserTraffic{
272 | UID: traffic.UID,
273 | Upload: traffic.Upload,
274 | Download: traffic.Download}
275 | }
276 |
277 | postData := &PostData{Data: data}
278 | path := "/mod_mu/users/traffic"
279 |
280 | res, err := c.client.R().
281 | SetQueryParam("node_id", strconv.Itoa(c.NodeID)).
282 | SetBody(postData).
283 | SetResult(&Response{}).
284 | ForceContentType("application/json").
285 | Post(path)
286 |
287 | _, err = c.parseResponse(res, path, err)
288 | if err != nil {
289 | return err
290 | }
291 |
292 | return nil
293 | }
294 |
295 | // GetNodeRule will pull the audit rule form SSPanel
296 | func (c *APIClient) GetNodeRule() (*[]api.DetectRule, error) {
297 | ruleList := c.LocalRuleList
298 | path := "/mod_mu/func/detect_rules"
299 |
300 | res, err := c.client.R().
301 | SetResult(&Response{}).
302 | SetHeader("If-None-Match", c.eTags["rules"]).
303 | ForceContentType("application/json").
304 | Get(path)
305 | // Etag identifier for a specific version of a resource. StatusCode = 304 means no changed
306 | if res != nil {
307 | if res.StatusCode() == 304 {
308 | return nil, errors.New(api.RuleNotModified)
309 | }
310 |
311 | if res.Header().Get("ETag") != "" && res.Header().Get("ETag") != c.eTags["rules"] {
312 | c.eTags["rules"] = res.Header().Get("ETag")
313 | }
314 | }
315 |
316 | response, err := c.parseResponse(res, path, err)
317 | if err != nil {
318 | return nil, err
319 | }
320 |
321 | ruleListResponse := new([]RuleItem)
322 |
323 | if err := json.Unmarshal(response.Data, ruleListResponse); err != nil {
324 | return nil, fmt.Errorf("unmarshal %s failed: %s", reflect.TypeOf(ruleListResponse), err)
325 | }
326 |
327 | for _, r := range *ruleListResponse {
328 | ruleList = append(ruleList, api.DetectRule{
329 | ID: r.ID,
330 | Pattern: regexp.MustCompile(r.Content),
331 | })
332 | }
333 |
334 | return &ruleList, nil
335 | }
336 |
337 | // ReportIllegal reports the user illegal behaviors
338 | func (c *APIClient) ReportIllegal(detectResultList *[]api.DetectResult) error {
339 |
340 | data := make([]IllegalItem, len(*detectResultList))
341 |
342 | for i, r := range *detectResultList {
343 | data[i] = IllegalItem{
344 | ID: r.RuleID,
345 | UID: r.UID,
346 | }
347 | }
348 |
349 | postData := &PostData{Data: data}
350 | path := "/mod_mu/users/detectlog"
351 |
352 | res, err := c.client.R().
353 | SetQueryParam("node_id", strconv.Itoa(c.NodeID)).
354 | SetBody(postData).
355 | SetResult(&Response{}).
356 | ForceContentType("application/json").
357 | Post(path)
358 |
359 | _, err = c.parseResponse(res, path, err)
360 | if err != nil {
361 | return err
362 | }
363 |
364 | return nil
365 | }
366 |
367 | // ParseUserListResponse parse the response for the given node info format
368 | func (c *APIClient) ParseUserListResponse(userInfoResponse *[]UserResponse) (*[]api.UserInfo, error) {
369 | c.access.Lock()
370 | // Clear Last report log
371 | defer func() {
372 | c.LastReportOnline = make(map[int]int)
373 | c.access.Unlock()
374 | }()
375 |
376 | var speedLimit uint64 = 0
377 | var userList []api.UserInfo
378 |
379 | for _, user := range *userInfoResponse {
380 | if c.SpeedLimit > 0 {
381 | speedLimit = uint64((c.SpeedLimit * 1000000) / 8)
382 | } else {
383 | speedLimit = uint64((user.SpeedLimit * 1000000) / 8)
384 | }
385 |
386 | userList = append(userList, api.UserInfo{
387 | UID: user.ID,
388 | UUID: user.UUID,
389 | Passwd: user.Passwd,
390 | SpeedLimit: speedLimit,
391 | Port: user.Port,
392 | Method: user.Method,
393 | })
394 | }
395 |
396 | return &userList, nil
397 | }
398 |
399 | // ParseSSPanelNodeInfo parse the response for the given node info format
400 | func (c *APIClient) ParseSSPanelNodeInfo(nodeInfoResponse *NodeInfoResponse) (*api.NodeInfo, error) {
401 | var (
402 | speedLimit uint64 = 0
403 | enableTLS bool
404 | alterID uint16 = 0
405 | transportProtocol string
406 | )
407 |
408 | // Check if custom_config is null
409 | if len(nodeInfoResponse.CustomConfig) == 0 {
410 | return nil, errors.New("custom_config is empty, disable custom config")
411 | }
412 |
413 | nodeConfig := new(CustomConfig)
414 |
415 | err := json.Unmarshal(nodeInfoResponse.CustomConfig, nodeConfig)
416 | if err != nil {
417 | return nil, fmt.Errorf("custom_config format error: %v", err)
418 | }
419 |
420 | if c.SpeedLimit > 0 {
421 | speedLimit = uint64((c.SpeedLimit * 1000000) / 8)
422 | } else {
423 | speedLimit = uint64((nodeInfoResponse.SpeedLimit * 1000000) / 8)
424 | }
425 |
426 | parsedPort, err := strconv.ParseInt(nodeConfig.OffsetPortNode, 10, 32)
427 | if err != nil {
428 | return nil, err
429 | }
430 |
431 | port := uint32(parsedPort)
432 |
433 | switch c.NodeType {
434 | case "shadowsocks", "shadowsocks2022":
435 | transportProtocol = "tcp"
436 | case "vmess":
437 | transportProtocol = nodeConfig.Network
438 |
439 | tlsType := nodeConfig.Security
440 | if tlsType == "tls" {
441 | enableTLS = true
442 | }
443 | case "trojan":
444 | enableTLS = true
445 | transportProtocol = "tcp"
446 |
447 | // Select transport protocol
448 | if nodeConfig.Network != "" {
449 | transportProtocol = nodeConfig.Network // try to read transport protocol from config
450 | }
451 | }
452 |
453 | // Create GeneralNodeInfo
454 | nodeInfo := &api.NodeInfo{
455 | NodeType: c.NodeType,
456 | NodeID: c.NodeID,
457 | Port: port,
458 | SpeedLimit: speedLimit,
459 | AlterID: alterID,
460 | TransportProtocol: transportProtocol,
461 | Host: nodeConfig.Host,
462 | Path: nodeConfig.Path,
463 | EnableTLS: enableTLS,
464 | CipherMethod: nodeConfig.Method,
465 | ServerKey: nodeConfig.ServerKey,
466 | ServiceName: nodeConfig.ServiceName,
467 | Header: nodeConfig.Header,
468 | }
469 |
470 | return nodeInfo, nil
471 | }
472 |
--------------------------------------------------------------------------------
/app/app.go:
--------------------------------------------------------------------------------
1 | // Package app contains the third-party app used to replace the default app in xray-core
2 | package app
3 |
--------------------------------------------------------------------------------
/app/mydispatcher/config.pb.go:
--------------------------------------------------------------------------------
1 | // Code generated by protoc-gen-go. DO NOT EDIT.
2 | // versions:
3 | // protoc-gen-go v1.28.0
4 | // protoc v3.19.4
5 | // source: app/mydispatcher/config.proto
6 |
7 | package mydispatcher
8 |
9 | import (
10 | protoreflect "google.golang.org/protobuf/reflect/protoreflect"
11 | protoimpl "google.golang.org/protobuf/runtime/protoimpl"
12 | reflect "reflect"
13 | sync "sync"
14 | )
15 |
16 | const (
17 | // Verify that this generated code is sufficiently up-to-date.
18 | _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
19 | // Verify that runtime/protoimpl is sufficiently up-to-date.
20 | _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
21 | )
22 |
23 | type SessionConfig struct {
24 | state protoimpl.MessageState
25 | sizeCache protoimpl.SizeCache
26 | unknownFields protoimpl.UnknownFields
27 | }
28 |
29 | func (x *SessionConfig) Reset() {
30 | *x = SessionConfig{}
31 | if protoimpl.UnsafeEnabled {
32 | mi := &file_app_mydispatcher_config_proto_msgTypes[0]
33 | ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
34 | ms.StoreMessageInfo(mi)
35 | }
36 | }
37 |
38 | func (x *SessionConfig) String() string {
39 | return protoimpl.X.MessageStringOf(x)
40 | }
41 |
42 | func (*SessionConfig) ProtoMessage() {}
43 |
44 | func (x *SessionConfig) ProtoReflect() protoreflect.Message {
45 | mi := &file_app_mydispatcher_config_proto_msgTypes[0]
46 | if protoimpl.UnsafeEnabled && x != nil {
47 | ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
48 | if ms.LoadMessageInfo() == nil {
49 | ms.StoreMessageInfo(mi)
50 | }
51 | return ms
52 | }
53 | return mi.MessageOf(x)
54 | }
55 |
56 | // Deprecated: Use SessionConfig.ProtoReflect.Descriptor instead.
57 | func (*SessionConfig) Descriptor() ([]byte, []int) {
58 | return file_app_mydispatcher_config_proto_rawDescGZIP(), []int{0}
59 | }
60 |
61 | type Config struct {
62 | state protoimpl.MessageState
63 | sizeCache protoimpl.SizeCache
64 | unknownFields protoimpl.UnknownFields
65 |
66 | Settings *SessionConfig `protobuf:"bytes,1,opt,name=settings,proto3" json:"settings,omitempty"`
67 | }
68 |
69 | func (x *Config) Reset() {
70 | *x = Config{}
71 | if protoimpl.UnsafeEnabled {
72 | mi := &file_app_mydispatcher_config_proto_msgTypes[1]
73 | ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
74 | ms.StoreMessageInfo(mi)
75 | }
76 | }
77 |
78 | func (x *Config) String() string {
79 | return protoimpl.X.MessageStringOf(x)
80 | }
81 |
82 | func (*Config) ProtoMessage() {}
83 |
84 | func (x *Config) ProtoReflect() protoreflect.Message {
85 | mi := &file_app_mydispatcher_config_proto_msgTypes[1]
86 | if protoimpl.UnsafeEnabled && x != nil {
87 | ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
88 | if ms.LoadMessageInfo() == nil {
89 | ms.StoreMessageInfo(mi)
90 | }
91 | return ms
92 | }
93 | return mi.MessageOf(x)
94 | }
95 |
96 | // Deprecated: Use Config.ProtoReflect.Descriptor instead.
97 | func (*Config) Descriptor() ([]byte, []int) {
98 | return file_app_mydispatcher_config_proto_rawDescGZIP(), []int{1}
99 | }
100 |
101 | func (x *Config) GetSettings() *SessionConfig {
102 | if x != nil {
103 | return x.Settings
104 | }
105 | return nil
106 | }
107 |
108 | var File_app_mydispatcher_config_proto protoreflect.FileDescriptor
109 |
110 | var file_app_mydispatcher_config_proto_rawDesc = []byte{
111 | 0x0a, 0x1d, 0x61, 0x70, 0x70, 0x2f, 0x6d, 0x79, 0x64, 0x69, 0x73, 0x70, 0x61, 0x74, 0x63, 0x68,
112 | 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
113 | 0x16, 0x78, 0x72, 0x61, 0x79, 0x72, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x6d, 0x79, 0x64, 0x69, 0x73,
114 | 0x70, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x22, 0x15, 0x0a, 0x0d, 0x53, 0x65, 0x73, 0x73, 0x69,
115 | 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x22, 0x4b,
116 | 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x41, 0x0a, 0x08, 0x73, 0x65, 0x74, 0x74,
117 | 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x78, 0x72, 0x61,
118 | 0x79, 0x72, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x6d, 0x79, 0x64, 0x69, 0x73, 0x70, 0x61, 0x74, 0x63,
119 | 0x68, 0x65, 0x72, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69,
120 | 0x67, 0x52, 0x08, 0x73, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x42, 0x67, 0x0a, 0x1a, 0x63,
121 | 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x72, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x6d, 0x79, 0x64,
122 | 0x69, 0x73, 0x70, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x50, 0x01, 0x5a, 0x2f, 0x67, 0x69, 0x74,
123 | 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x58, 0x72, 0x61, 0x79, 0x52, 0x2d, 0x70, 0x72,
124 | 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x2f, 0x58, 0x72, 0x61, 0x79, 0x52, 0x2f, 0x61, 0x70, 0x70, 0x2f,
125 | 0x6d, 0x79, 0x64, 0x69, 0x73, 0x70, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0xaa, 0x02, 0x15, 0x58,
126 | 0x72, 0x61, 0x79, 0x52, 0x2e, 0x41, 0x70, 0x70, 0x2e, 0x4d, 0x79, 0x69, 0x73, 0x70, 0x61, 0x74,
127 | 0x63, 0x68, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
128 | }
129 |
130 | var (
131 | file_app_mydispatcher_config_proto_rawDescOnce sync.Once
132 | file_app_mydispatcher_config_proto_rawDescData = file_app_mydispatcher_config_proto_rawDesc
133 | )
134 |
135 | func file_app_mydispatcher_config_proto_rawDescGZIP() []byte {
136 | file_app_mydispatcher_config_proto_rawDescOnce.Do(func() {
137 | file_app_mydispatcher_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_app_mydispatcher_config_proto_rawDescData)
138 | })
139 | return file_app_mydispatcher_config_proto_rawDescData
140 | }
141 |
142 | var file_app_mydispatcher_config_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
143 | var file_app_mydispatcher_config_proto_goTypes = []interface{}{
144 | (*SessionConfig)(nil), // 0: nextserver.app.mydispatcher.SessionConfig
145 | (*Config)(nil), // 1: nextserver.app.mydispatcher.Config
146 | }
147 | var file_app_mydispatcher_config_proto_depIdxs = []int32{
148 | 0, // 0: nextserver.app.mydispatcher.Config.settings:type_name -> nextserver.app.mydispatcher.SessionConfig
149 | 1, // [1:1] is the sub-list for method output_type
150 | 1, // [1:1] is the sub-list for method input_type
151 | 1, // [1:1] is the sub-list for extension type_name
152 | 1, // [1:1] is the sub-list for extension extendee
153 | 0, // [0:1] is the sub-list for field type_name
154 | }
155 |
156 | func init() { file_app_mydispatcher_config_proto_init() }
157 | func file_app_mydispatcher_config_proto_init() {
158 | if File_app_mydispatcher_config_proto != nil {
159 | return
160 | }
161 | if !protoimpl.UnsafeEnabled {
162 | file_app_mydispatcher_config_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
163 | switch v := v.(*SessionConfig); i {
164 | case 0:
165 | return &v.state
166 | case 1:
167 | return &v.sizeCache
168 | case 2:
169 | return &v.unknownFields
170 | default:
171 | return nil
172 | }
173 | }
174 | file_app_mydispatcher_config_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
175 | switch v := v.(*Config); i {
176 | case 0:
177 | return &v.state
178 | case 1:
179 | return &v.sizeCache
180 | case 2:
181 | return &v.unknownFields
182 | default:
183 | return nil
184 | }
185 | }
186 | }
187 | type x struct{}
188 | out := protoimpl.TypeBuilder{
189 | File: protoimpl.DescBuilder{
190 | GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
191 | RawDescriptor: file_app_mydispatcher_config_proto_rawDesc,
192 | NumEnums: 0,
193 | NumMessages: 2,
194 | NumExtensions: 0,
195 | NumServices: 0,
196 | },
197 | GoTypes: file_app_mydispatcher_config_proto_goTypes,
198 | DependencyIndexes: file_app_mydispatcher_config_proto_depIdxs,
199 | MessageInfos: file_app_mydispatcher_config_proto_msgTypes,
200 | }.Build()
201 | File_app_mydispatcher_config_proto = out.File
202 | file_app_mydispatcher_config_proto_rawDesc = nil
203 | file_app_mydispatcher_config_proto_goTypes = nil
204 | file_app_mydispatcher_config_proto_depIdxs = nil
205 | }
206 |
--------------------------------------------------------------------------------
/app/mydispatcher/config.proto:
--------------------------------------------------------------------------------
1 | syntax = "proto3";
2 |
3 | package nextserver.app.mydispatcher;
4 | option csharp_namespace = "NeXT-Server.App.Mydispatcher";
5 | option go_package = "github.com/The-NeXT-Project/NeXT-Server/app/mydispatcher";
6 | option java_package = "com.next-server.app.mydispatcher";
7 | option java_multiple_files = true;
8 |
9 | message SessionConfig {
10 | reserved 1;
11 | }
12 |
13 | message Config {
14 | SessionConfig settings = 1;
15 | }
16 |
--------------------------------------------------------------------------------
/app/mydispatcher/default.go:
--------------------------------------------------------------------------------
1 | package mydispatcher
2 |
3 | //go:generate go run github.com/xtls/xray-core/common/errors/errorgen
4 |
5 | import (
6 | "context"
7 | "errors"
8 | "strings"
9 | "sync"
10 | "time"
11 |
12 | "github.com/xtls/xray-core/common"
13 | "github.com/xtls/xray-core/common/buf"
14 | "github.com/xtls/xray-core/common/log"
15 | "github.com/xtls/xray-core/common/net"
16 | "github.com/xtls/xray-core/common/protocol"
17 | "github.com/xtls/xray-core/common/session"
18 | "github.com/xtls/xray-core/core"
19 | "github.com/xtls/xray-core/features/dns"
20 | "github.com/xtls/xray-core/features/outbound"
21 | "github.com/xtls/xray-core/features/policy"
22 | "github.com/xtls/xray-core/features/routing"
23 | routingSession "github.com/xtls/xray-core/features/routing/session"
24 | "github.com/xtls/xray-core/features/stats"
25 | "github.com/xtls/xray-core/transport"
26 | "github.com/xtls/xray-core/transport/pipe"
27 |
28 | "github.com/The-NeXT-Project/NeXT-Server/common/limiter"
29 | "github.com/The-NeXT-Project/NeXT-Server/common/rule"
30 | )
31 |
32 | var errSniffingTimeout = newError("timeout on sniffing")
33 |
34 | type cachedReader struct {
35 | sync.Mutex
36 | reader *pipe.Reader
37 | cache buf.MultiBuffer
38 | }
39 |
40 | func (r *cachedReader) Cache(b *buf.Buffer) {
41 | mb, _ := r.reader.ReadMultiBufferTimeout(time.Millisecond * 100)
42 | r.Lock()
43 | if !mb.IsEmpty() {
44 | r.cache, _ = buf.MergeMulti(r.cache, mb)
45 | }
46 | b.Clear()
47 | rawBytes := b.Extend(buf.Size)
48 | n := r.cache.Copy(rawBytes)
49 | b.Resize(0, int32(n))
50 | r.Unlock()
51 | }
52 |
53 | func (r *cachedReader) readInternal() buf.MultiBuffer {
54 | r.Lock()
55 | defer r.Unlock()
56 |
57 | if r.cache != nil && !r.cache.IsEmpty() {
58 | mb := r.cache
59 | r.cache = nil
60 | return mb
61 | }
62 |
63 | return nil
64 | }
65 |
66 | func (r *cachedReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
67 | mb := r.readInternal()
68 | if mb != nil {
69 | return mb, nil
70 | }
71 |
72 | return r.reader.ReadMultiBuffer()
73 | }
74 |
75 | func (r *cachedReader) ReadMultiBufferTimeout(timeout time.Duration) (buf.MultiBuffer, error) {
76 | mb := r.readInternal()
77 | if mb != nil {
78 | return mb, nil
79 | }
80 |
81 | return r.reader.ReadMultiBufferTimeout(timeout)
82 | }
83 |
84 | func (r *cachedReader) Interrupt() {
85 | r.Lock()
86 |
87 | if r.cache != nil {
88 | r.cache = buf.ReleaseMulti(r.cache)
89 | }
90 |
91 | r.Unlock()
92 | r.reader.Interrupt()
93 | }
94 |
95 | // DefaultDispatcher is a default implementation of Dispatcher.
96 | type DefaultDispatcher struct {
97 | ohm outbound.Manager
98 | router routing.Router
99 | policy policy.Manager
100 | stats stats.Manager
101 | dns dns.Client
102 | fdns dns.FakeDNSEngine
103 | Limiter *limiter.Limiter
104 | RuleManager *rule.Manager
105 | }
106 |
107 | func init() {
108 | common.Must(common.RegisterConfig((*Config)(nil), func(ctx context.Context, config interface{}) (interface{}, error) {
109 | d := new(DefaultDispatcher)
110 |
111 | if err := core.RequireFeatures(ctx, func(om outbound.Manager, router routing.Router, pm policy.Manager, sm stats.Manager, dc dns.Client) error {
112 | _ = core.RequireFeatures(ctx, func(fdns dns.FakeDNSEngine) {
113 | d.fdns = fdns
114 | })
115 | return d.Init(om, router, pm, sm, dc)
116 | }); err != nil {
117 | return nil, err
118 | }
119 |
120 | return d, nil
121 | }))
122 | }
123 |
124 | // Init initializes DefaultDispatcher.
125 | func (d *DefaultDispatcher) Init(om outbound.Manager, router routing.Router, pm policy.Manager, sm stats.Manager, dns dns.Client) error {
126 | d.ohm = om
127 | d.router = router
128 | d.policy = pm
129 | d.stats = sm
130 | d.Limiter = limiter.New()
131 | d.RuleManager = rule.New()
132 | d.dns = dns
133 |
134 | return nil
135 | }
136 |
137 | // Type implements common.HasType.
138 | func (*DefaultDispatcher) Type() interface{} {
139 | return routing.DispatcherType()
140 | }
141 |
142 | // Start implements common.Runnable.
143 | func (*DefaultDispatcher) Start() error {
144 | return nil
145 | }
146 |
147 | // Close implements common.Closable.
148 | func (*DefaultDispatcher) Close() error {
149 | return nil
150 | }
151 |
152 | func (d *DefaultDispatcher) getLink(ctx context.Context) (*transport.Link, *transport.Link, error) {
153 | opt := pipe.OptionsFromContext(ctx)
154 | uplinkReader, uplinkWriter := pipe.New(opt...)
155 | downlinkReader, downlinkWriter := pipe.New(opt...)
156 |
157 | inboundLink := &transport.Link{
158 | Reader: downlinkReader,
159 | Writer: uplinkWriter,
160 | }
161 |
162 | outboundLink := &transport.Link{
163 | Reader: uplinkReader,
164 | Writer: downlinkWriter,
165 | }
166 |
167 | sessionInbound := session.InboundFromContext(ctx)
168 |
169 | var user *protocol.MemoryUser
170 | if sessionInbound != nil {
171 | user = sessionInbound.User
172 | }
173 |
174 | if user != nil && len(user.Email) > 0 {
175 | // Speed Limit and Device Limit
176 | bucket, ok, reject := d.Limiter.GetUserBucket(sessionInbound.Tag, user.Email, sessionInbound.Source.Address.IP().String())
177 | if reject {
178 | _ = common.Close(outboundLink.Writer)
179 | _ = common.Close(inboundLink.Writer)
180 | _ = common.Interrupt(outboundLink.Reader)
181 | _ = common.Interrupt(inboundLink.Reader)
182 | return nil, nil, newError("Devices reach the limit: ", user.Email)
183 | }
184 | if ok {
185 | inboundLink.Writer = d.Limiter.RateWriter(inboundLink.Writer, bucket)
186 | outboundLink.Writer = d.Limiter.RateWriter(outboundLink.Writer, bucket)
187 | }
188 |
189 | p := d.policy.ForLevel(user.Level)
190 | if p.Stats.UserUplink {
191 | name := "user>>>" + user.Email + ">>>traffic>>>uplink"
192 | if c, _ := stats.GetOrRegisterCounter(d.stats, name); c != nil {
193 | inboundLink.Writer = &SizeStatWriter{
194 | Counter: c,
195 | Writer: inboundLink.Writer,
196 | }
197 | }
198 | }
199 | if p.Stats.UserDownlink {
200 | name := "user>>>" + user.Email + ">>>traffic>>>downlink"
201 | if c, _ := stats.GetOrRegisterCounter(d.stats, name); c != nil {
202 | outboundLink.Writer = &SizeStatWriter{
203 | Counter: c,
204 | Writer: outboundLink.Writer,
205 | }
206 | }
207 | }
208 | }
209 |
210 | return inboundLink, outboundLink, nil
211 | }
212 |
213 | func (d *DefaultDispatcher) shouldOverride(ctx context.Context, result SniffResult, request session.SniffingRequest, destination net.Destination) bool {
214 | domain := result.Domain()
215 |
216 | for _, d := range request.ExcludeForDomain {
217 | if strings.ToLower(domain) == d {
218 | return false
219 | }
220 | }
221 |
222 | protocolString := result.Protocol()
223 |
224 | if resComp, ok := result.(SnifferResultComposite); ok {
225 | protocolString = resComp.ProtocolForDomainResult()
226 | }
227 |
228 | for _, p := range request.OverrideDestinationForProtocol {
229 | if strings.HasPrefix(protocolString, p) {
230 | return true
231 | }
232 | if fkr0, ok := d.fdns.(dns.FakeDNSEngineRev0); ok && protocolString != "bittorrent" && p == "fakedns" &&
233 | destination.Address.Family().IsIP() && fkr0.IsIPInIPPool(destination.Address) {
234 | return true
235 | }
236 | if resultSubset, ok := result.(SnifferIsProtoSubsetOf); ok {
237 | if resultSubset.IsProtoSubsetOf(p) {
238 | return true
239 | }
240 | }
241 | }
242 |
243 | return false
244 | }
245 |
246 | // Dispatch implements routing.Dispatcher.
247 | func (d *DefaultDispatcher) Dispatch(ctx context.Context, destination net.Destination) (*transport.Link, error) {
248 | if !destination.IsValid() {
249 | panic("Dispatcher: Invalid destination.")
250 | }
251 |
252 | ob := []*session.Outbound{
253 | {
254 | Target: destination,
255 | },
256 | }
257 |
258 | ctx = session.ContextWithOutbounds(ctx, ob)
259 |
260 | content := session.ContentFromContext(ctx)
261 | if content == nil {
262 | content = new(session.Content)
263 | ctx = session.ContextWithContent(ctx, content)
264 | }
265 |
266 | sniffingRequest := content.SniffingRequest
267 |
268 | inboundLink, outboundLink, err := d.getLink(ctx)
269 | if err != nil {
270 | return nil, err
271 | }
272 |
273 | if !sniffingRequest.Enabled {
274 | go d.routedDispatch(ctx, outboundLink, destination)
275 | } else {
276 | go func() {
277 | cReader := &cachedReader{
278 | reader: outboundLink.Reader.(*pipe.Reader),
279 | }
280 | outboundLink.Reader = cReader
281 | result, err := sniffer(ctx, cReader, sniffingRequest.MetadataOnly, destination.Network)
282 | if err == nil {
283 | content.Protocol = result.Protocol()
284 | }
285 | if err == nil && d.shouldOverride(ctx, result, sniffingRequest, destination) {
286 | domain := result.Domain()
287 | destination.Address = net.ParseAddress(domain)
288 | if sniffingRequest.RouteOnly && result.Protocol() != "fakedns" {
289 | ob[0].RouteTarget = destination
290 | } else {
291 | ob[0].Target = destination
292 | }
293 | }
294 | d.routedDispatch(ctx, outboundLink, destination)
295 | }()
296 | }
297 |
298 | return inboundLink, nil
299 | }
300 |
301 | // DispatchLink implements routing.Dispatcher.
302 | func (d *DefaultDispatcher) DispatchLink(ctx context.Context, destination net.Destination, outbound *transport.Link) error {
303 | if !destination.IsValid() {
304 | return newError("Dispatcher: Invalid destination.")
305 | }
306 |
307 | ob := []*session.Outbound{
308 | {
309 | Target: destination,
310 | },
311 | }
312 |
313 | ctx = session.ContextWithOutbounds(ctx, ob)
314 |
315 | content := session.ContentFromContext(ctx)
316 | if content == nil {
317 | content = new(session.Content)
318 | ctx = session.ContextWithContent(ctx, content)
319 | }
320 |
321 | sniffingRequest := content.SniffingRequest
322 | if !sniffingRequest.Enabled {
323 | go d.routedDispatch(ctx, outbound, destination)
324 | } else {
325 | go func() {
326 | cReader := &cachedReader{
327 | reader: outbound.Reader.(*pipe.Reader),
328 | }
329 | outbound.Reader = cReader
330 | result, err := sniffer(ctx, cReader, sniffingRequest.MetadataOnly, destination.Network)
331 | if err == nil {
332 | content.Protocol = result.Protocol()
333 | }
334 | if err == nil && d.shouldOverride(ctx, result, sniffingRequest, destination) {
335 | domain := result.Domain()
336 | destination.Address = net.ParseAddress(domain)
337 | if sniffingRequest.RouteOnly && result.Protocol() != "fakedns" {
338 | ob[0].RouteTarget = destination
339 | } else {
340 | ob[0].Target = destination
341 | }
342 | }
343 | d.routedDispatch(ctx, outbound, destination)
344 | }()
345 | }
346 |
347 | return nil
348 | }
349 |
350 | func sniffer(ctx context.Context, cReader *cachedReader, metadataOnly bool, network net.Network) (SniffResult, error) {
351 | payload := buf.New()
352 | defer payload.Release()
353 |
354 | sniffer := NewSniffer(ctx)
355 |
356 | sniffResult, metadataErr := sniffer.SniffMetadata(ctx)
357 |
358 | if metadataOnly {
359 | return sniffResult, metadataErr
360 | }
361 |
362 | contentResult, contentErr := func() (SniffResult, error) {
363 | totalAttempt := 0
364 | for {
365 | select {
366 | case <-ctx.Done():
367 | return nil, ctx.Err()
368 | default:
369 | totalAttempt++
370 | if totalAttempt > 2 {
371 | return nil, errSniffingTimeout
372 | }
373 |
374 | cReader.Cache(payload)
375 | if !payload.IsEmpty() {
376 | result, err := sniffer.Sniff(ctx, payload.Bytes(), network)
377 | if !errors.Is(err, common.ErrNoClue) {
378 | return result, err
379 | }
380 | }
381 | if payload.IsFull() {
382 | return nil, errUnknownContent
383 | }
384 | }
385 | }
386 | }()
387 | if contentErr != nil && metadataErr == nil {
388 | return sniffResult, nil
389 | }
390 | if contentErr == nil && metadataErr == nil {
391 | return CompositeResult(sniffResult, contentResult), nil
392 | }
393 |
394 | return contentResult, contentErr
395 | }
396 |
397 | func (d *DefaultDispatcher) routedDispatch(ctx context.Context, link *transport.Link, destination net.Destination) {
398 | ob := session.OutboundsFromContext(ctx)
399 |
400 | if hosts, ok := d.dns.(dns.HostsLookup); ok && destination.Address.Family().IsDomain() {
401 | proxied := hosts.LookupHosts(ob[0].Target.String())
402 | if proxied != nil {
403 | ro := ob[0].RouteTarget == destination
404 | destination.Address = *proxied
405 | if ro {
406 | ob[0].RouteTarget = destination
407 | } else {
408 | ob[0].Target = destination
409 | }
410 | }
411 | }
412 |
413 | var handler outbound.Handler
414 | // Check if domain and protocol hit the rule
415 | sessionInbound := session.InboundFromContext(ctx)
416 | // Whether the inbound connection contains a user
417 | if sessionInbound.User != nil {
418 | if d.RuleManager.Detect(sessionInbound.Tag, destination.String(), sessionInbound.User.Email) {
419 | _ = common.Close(link.Writer)
420 | _ = common.Interrupt(link.Reader)
421 | return
422 | }
423 | }
424 |
425 | routingLink := routingSession.AsRoutingContext(ctx)
426 | inTag := routingLink.GetInboundTag()
427 | isPickRoute := 0
428 |
429 | if forcedOutboundTag := session.GetForcedOutboundTagFromContext(ctx); forcedOutboundTag != "" {
430 | ctx = session.SetForcedOutboundTagToContext(ctx, "")
431 | if h := d.ohm.GetHandler(forcedOutboundTag); h != nil {
432 | isPickRoute = 1
433 | handler = h
434 | } else {
435 | _ = common.Close(link.Writer)
436 | _ = common.Interrupt(link.Reader)
437 | return
438 | }
439 | } else if d.router != nil {
440 | if route, err := d.router.PickRoute(routingLink); err == nil {
441 | outTag := route.GetOutboundTag()
442 | if h := d.ohm.GetHandler(outTag); h != nil {
443 | isPickRoute = 2
444 | handler = h
445 | }
446 | }
447 | }
448 |
449 | if handler == nil {
450 | handler = d.ohm.GetHandler(inTag) // Default outbound handler tag should be as same as the inbound tag
451 | }
452 |
453 | // If there is no outbound with tag as same as the inbound tag
454 | if handler == nil {
455 | handler = d.ohm.GetDefaultHandler()
456 | }
457 |
458 | if handler == nil {
459 | _ = common.Close(link.Writer)
460 | _ = common.Interrupt(link.Reader)
461 | return
462 | }
463 |
464 | if accessMessage := log.AccessMessageFromContext(ctx); accessMessage != nil {
465 | if tag := handler.Tag(); tag != "" {
466 | if inTag == "" {
467 | accessMessage.Detour = tag
468 | } else if isPickRoute == 1 {
469 | accessMessage.Detour = inTag + " ==> " + tag
470 | } else if isPickRoute == 2 {
471 | accessMessage.Detour = inTag + " -> " + tag
472 | } else {
473 | accessMessage.Detour = inTag + " >> " + tag
474 | }
475 | }
476 | log.Record(accessMessage)
477 | }
478 |
479 | handler.Dispatch(ctx, link)
480 | }
481 |
--------------------------------------------------------------------------------
/app/mydispatcher/dispatcher.go:
--------------------------------------------------------------------------------
1 | // Package mydispatcher Package dispatcher implement the rate limiter and the online device counter
2 | package mydispatcher
3 |
4 | //go:generate go run github.com/xtls/xray-core/common/errors/errorgen
5 |
--------------------------------------------------------------------------------
/app/mydispatcher/errors.generated.go:
--------------------------------------------------------------------------------
1 | package mydispatcher
2 |
3 | import "github.com/xtls/xray-core/common/errors"
4 |
5 | func newError(values ...interface{}) *errors.Error {
6 | return errors.New(values...)
7 | }
8 |
--------------------------------------------------------------------------------
/app/mydispatcher/fakednssniffer.go:
--------------------------------------------------------------------------------
1 | package mydispatcher
2 |
3 | import (
4 | "context"
5 | "strings"
6 |
7 | "github.com/xtls/xray-core/common"
8 | "github.com/xtls/xray-core/common/net"
9 | "github.com/xtls/xray-core/common/session"
10 | "github.com/xtls/xray-core/core"
11 | "github.com/xtls/xray-core/features/dns"
12 | )
13 |
14 | // newFakeDNSSniffer Create a Fake DNS metadata sniffer
15 | func newFakeDNSSniffer(ctx context.Context) (protocolSnifferWithMetadata, error) {
16 | var fakeDNSEngine dns.FakeDNSEngine
17 | {
18 | fakeDNSEngineFeat := core.MustFromContext(ctx).GetFeature((*dns.FakeDNSEngine)(nil))
19 | if fakeDNSEngineFeat != nil {
20 | fakeDNSEngine = fakeDNSEngineFeat.(dns.FakeDNSEngine)
21 | }
22 | }
23 |
24 | if fakeDNSEngine == nil {
25 | errNotInit := newError("FakeDNSEngine is not initialized, but such a sniffer is used").AtError()
26 | return protocolSnifferWithMetadata{}, errNotInit
27 | }
28 |
29 | return protocolSnifferWithMetadata{protocolSniffer: func(ctx context.Context, bytes []byte) (SniffResult, error) {
30 | outbounds := session.OutboundsFromContext(ctx)
31 | if len(outbounds) > 0 {
32 | Target := outbounds[0].Target
33 | if Target.Network == net.Network_TCP || Target.Network == net.Network_UDP {
34 | domainFromFakeDNS := fakeDNSEngine.GetDomainFromFakeDNS(Target.Address)
35 | if domainFromFakeDNS != "" {
36 | return &fakeDNSSniffResult{domainName: domainFromFakeDNS}, nil
37 | }
38 | }
39 |
40 | if ipAddressInRangeValueI := ctx.Value(ipAddressInRange); ipAddressInRangeValueI != nil {
41 | ipAddressInRangeValue := ipAddressInRangeValueI.(*ipAddressInRangeOpt)
42 | if fkr0, ok := fakeDNSEngine.(dns.FakeDNSEngineRev0); ok {
43 | inPool := fkr0.IsIPInIPPool(Target.Address)
44 | ipAddressInRangeValue.addressInRange = &inPool
45 | }
46 | }
47 | }
48 |
49 | return nil, common.ErrNoClue
50 | }, metadataSniffer: true}, nil
51 | }
52 |
53 | type fakeDNSSniffResult struct {
54 | domainName string
55 | }
56 |
57 | func (fakeDNSSniffResult) Protocol() string {
58 | return "fakedns"
59 | }
60 |
61 | func (f fakeDNSSniffResult) Domain() string {
62 | return f.domainName
63 | }
64 |
65 | type fakeDNSExtraOpts int
66 |
67 | const ipAddressInRange fakeDNSExtraOpts = 1
68 |
69 | type ipAddressInRangeOpt struct {
70 | addressInRange *bool
71 | }
72 |
73 | type DNSThenOthersSniffResult struct {
74 | domainName string
75 | protocolOriginalName string
76 | }
77 |
78 | func (f DNSThenOthersSniffResult) IsProtoSubsetOf(protocolName string) bool {
79 | return strings.HasPrefix(protocolName, f.protocolOriginalName)
80 | }
81 |
82 | func (DNSThenOthersSniffResult) Protocol() string {
83 | return "fakedns+others"
84 | }
85 |
86 | func (f DNSThenOthersSniffResult) Domain() string {
87 | return f.domainName
88 | }
89 |
90 | func newFakeDNSThenOthers(ctx context.Context, fakeDNSSniffer protocolSnifferWithMetadata, others []protocolSnifferWithMetadata) (
91 | protocolSnifferWithMetadata, error) { // nolint: unparam
92 | // ctx may be used in the future
93 | _ = ctx
94 | return protocolSnifferWithMetadata{
95 | protocolSniffer: func(ctx context.Context, bytes []byte) (SniffResult, error) {
96 | ipAddressInRangeValue := &ipAddressInRangeOpt{}
97 | ctx = context.WithValue(ctx, ipAddressInRange, ipAddressInRangeValue)
98 | result, err := fakeDNSSniffer.protocolSniffer(ctx, bytes)
99 | if err == nil {
100 | return result, nil
101 | }
102 | if ipAddressInRangeValue.addressInRange != nil {
103 | if *ipAddressInRangeValue.addressInRange {
104 | for _, v := range others {
105 | if v.metadataSniffer || bytes != nil {
106 | if result, err := v.protocolSniffer(ctx, bytes); err == nil {
107 | return DNSThenOthersSniffResult{domainName: result.Domain(), protocolOriginalName: result.Protocol()}, nil
108 | }
109 | }
110 | }
111 | return nil, common.ErrNoClue
112 | }
113 | return nil, common.ErrNoClue
114 | }
115 | return nil, common.ErrNoClue
116 | },
117 | metadataSniffer: false,
118 | }, nil
119 | }
120 |
--------------------------------------------------------------------------------
/app/mydispatcher/sniffer.go:
--------------------------------------------------------------------------------
1 | package mydispatcher
2 |
3 | import (
4 | "context"
5 | "errors"
6 |
7 | "github.com/xtls/xray-core/common"
8 | "github.com/xtls/xray-core/common/net"
9 | "github.com/xtls/xray-core/common/protocol/bittorrent"
10 | "github.com/xtls/xray-core/common/protocol/http"
11 | "github.com/xtls/xray-core/common/protocol/quic"
12 | "github.com/xtls/xray-core/common/protocol/tls"
13 | )
14 |
15 | type SniffResult interface {
16 | Protocol() string
17 | Domain() string
18 | }
19 |
20 | type protocolSniffer func(context.Context, []byte) (SniffResult, error)
21 |
22 | type protocolSnifferWithMetadata struct {
23 | protocolSniffer protocolSniffer
24 | // A Metadata sniffer will be invoked on connection establishment only, with nil body,
25 | // for both TCP and UDP connections
26 | // It will not be shown as a traffic type for routing unless there is no other successful sniffing.
27 | metadataSniffer bool
28 | network net.Network
29 | }
30 |
31 | type Sniffer struct {
32 | sniffer []protocolSnifferWithMetadata
33 | }
34 |
35 | func NewSniffer(ctx context.Context) *Sniffer {
36 | ret := &Sniffer{
37 | sniffer: []protocolSnifferWithMetadata{
38 | {func(c context.Context, b []byte) (SniffResult, error) { return http.SniffHTTP(b) }, false, net.Network_TCP},
39 | {func(c context.Context, b []byte) (SniffResult, error) { return tls.SniffTLS(b) }, false, net.Network_TCP},
40 | {func(c context.Context, b []byte) (SniffResult, error) { return bittorrent.SniffBittorrent(b) }, false, net.Network_TCP},
41 | {func(c context.Context, b []byte) (SniffResult, error) { return quic.SniffQUIC(b) }, false, net.Network_UDP},
42 | {func(c context.Context, b []byte) (SniffResult, error) { return bittorrent.SniffUTP(b) }, false, net.Network_UDP},
43 | },
44 | }
45 | if sniffer, err := newFakeDNSSniffer(ctx); err == nil {
46 | others := ret.sniffer
47 | ret.sniffer = append(ret.sniffer, sniffer)
48 | fakeDNSThenOthers, err := newFakeDNSThenOthers(ctx, sniffer, others)
49 | if err == nil {
50 | ret.sniffer = append([]protocolSnifferWithMetadata{fakeDNSThenOthers}, ret.sniffer...)
51 | }
52 | }
53 | return ret
54 | }
55 |
56 | var errUnknownContent = newError("unknown content")
57 |
58 | func (s *Sniffer) Sniff(c context.Context, payload []byte, network net.Network) (SniffResult, error) {
59 | var pendingSniffer []protocolSnifferWithMetadata
60 | for _, si := range s.sniffer {
61 | s := si.protocolSniffer
62 | if si.metadataSniffer || si.network != network {
63 | continue
64 | }
65 | result, err := s(c, payload)
66 | if errors.Is(err, common.ErrNoClue) {
67 | pendingSniffer = append(pendingSniffer, si)
68 | continue
69 | }
70 |
71 | if err == nil && result != nil {
72 | return result, nil
73 | }
74 | }
75 |
76 | if len(pendingSniffer) > 0 {
77 | s.sniffer = pendingSniffer
78 | return nil, common.ErrNoClue
79 | }
80 |
81 | return nil, errUnknownContent
82 | }
83 |
84 | func (s *Sniffer) SniffMetadata(c context.Context) (SniffResult, error) {
85 | var pendingSniffer []protocolSnifferWithMetadata
86 | for _, si := range s.sniffer {
87 | s := si.protocolSniffer
88 | if !si.metadataSniffer {
89 | pendingSniffer = append(pendingSniffer, si)
90 | continue
91 | }
92 | result, err := s(c, nil)
93 | if errors.Is(err, common.ErrNoClue) {
94 | pendingSniffer = append(pendingSniffer, si)
95 | continue
96 | }
97 |
98 | if err == nil && result != nil {
99 | return result, nil
100 | }
101 | }
102 |
103 | if len(pendingSniffer) > 0 {
104 | s.sniffer = pendingSniffer
105 | return nil, common.ErrNoClue
106 | }
107 |
108 | return nil, errUnknownContent
109 | }
110 |
111 | func CompositeResult(domainResult SniffResult, protocolResult SniffResult) SniffResult {
112 | return &compositeResult{domainResult: domainResult, protocolResult: protocolResult}
113 | }
114 |
115 | type compositeResult struct {
116 | domainResult SniffResult
117 | protocolResult SniffResult
118 | }
119 |
120 | func (c compositeResult) Protocol() string {
121 | return c.protocolResult.Protocol()
122 | }
123 |
124 | func (c compositeResult) Domain() string {
125 | return c.domainResult.Domain()
126 | }
127 |
128 | func (c compositeResult) ProtocolForDomainResult() string {
129 | return c.domainResult.Protocol()
130 | }
131 |
132 | type SnifferResultComposite interface {
133 | ProtocolForDomainResult() string
134 | }
135 |
136 | type SnifferIsProtoSubsetOf interface {
137 | IsProtoSubsetOf(protocolName string) bool
138 | }
139 |
--------------------------------------------------------------------------------
/app/mydispatcher/stats.go:
--------------------------------------------------------------------------------
1 | package mydispatcher
2 |
3 | import (
4 | "github.com/xtls/xray-core/common"
5 | "github.com/xtls/xray-core/common/buf"
6 | "github.com/xtls/xray-core/features/stats"
7 | )
8 |
9 | type SizeStatWriter struct {
10 | Counter stats.Counter
11 | Writer buf.Writer
12 | }
13 |
14 | func (w *SizeStatWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
15 | w.Counter.Add(int64(mb.Len()))
16 | return w.Writer.WriteMultiBuffer(mb)
17 | }
18 |
19 | func (w *SizeStatWriter) Close() error {
20 | return common.Close(w.Writer)
21 | }
22 |
23 | func (w *SizeStatWriter) Interrupt() {
24 | err := common.Interrupt(w.Writer)
25 | if err != nil {
26 | return
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/cmd/root.go:
--------------------------------------------------------------------------------
1 | package cmd
2 |
3 | import (
4 | "fmt"
5 | "log"
6 | "os"
7 | "os/signal"
8 | "path"
9 | "runtime"
10 | "strings"
11 | "syscall"
12 | "time"
13 |
14 | "github.com/fsnotify/fsnotify"
15 | "github.com/spf13/cobra"
16 | "github.com/spf13/viper"
17 |
18 | "github.com/The-NeXT-Project/NeXT-Server/panel"
19 | )
20 |
21 | var (
22 | cfgFile string
23 | rootCmd = &cobra.Command{
24 | Use: "NeXT-Server",
25 | Run: func(cmd *cobra.Command, args []string) {
26 | if err := run(); err != nil {
27 | log.Fatal(err)
28 | }
29 | },
30 | }
31 | )
32 |
33 | func init() {
34 | rootCmd.PersistentFlags().StringVarP(&cfgFile,
35 | "config", "c", "", "Config file for NeXT-Server")
36 | }
37 |
38 | func getConfig() *viper.Viper {
39 | config := viper.New()
40 | // Set custom path and name
41 | if cfgFile != "" {
42 | configName := path.Base(cfgFile)
43 | configFileExt := path.Ext(cfgFile)
44 | configNameOnly := strings.TrimSuffix(configName, configFileExt)
45 | configPath := path.Dir(cfgFile)
46 | config.SetConfigName(configNameOnly)
47 | config.SetConfigType(strings.TrimPrefix(configFileExt, "."))
48 | config.AddConfigPath(configPath)
49 | // Set ASSET Path and Config Path
50 | _ = os.Setenv("XRAY_LOCATION_ASSET", configPath)
51 | _ = os.Setenv("XRAY_LOCATION_CONFIG", configPath)
52 | } else {
53 | // Set default config path
54 | config.SetConfigName("config")
55 | config.SetConfigType("yml")
56 | config.AddConfigPath(".")
57 |
58 | }
59 |
60 | if err := config.ReadInConfig(); err != nil {
61 | log.Panicf("Config file error: %s \n", err)
62 | }
63 |
64 | config.WatchConfig() // Watch the config
65 |
66 | return config
67 | }
68 |
69 | func run() error {
70 | showVersion()
71 | config := getConfig()
72 | panelConfig := &panel.Config{}
73 |
74 | if err := config.Unmarshal(panelConfig); err != nil {
75 | return fmt.Errorf("Parse config file %v failed: %s \n", cfgFile, err)
76 | }
77 |
78 | p := panel.New(panelConfig)
79 | lastTime := time.Now()
80 |
81 | config.OnConfigChange(func(e fsnotify.Event) {
82 | // Discarding event received within a short period of time after receiving an event.
83 | if time.Now().After(lastTime.Add(3 * time.Second)) {
84 | // Hot reload function
85 | fmt.Println("Config file changed:", e.Name)
86 | p.Close()
87 | // Delete old instance and trigger GC
88 | runtime.GC()
89 | if err := config.Unmarshal(panelConfig); err != nil {
90 | log.Panicf("Parse config file %v failed: %s \n", cfgFile, err)
91 | }
92 | p.Start()
93 | lastTime = time.Now()
94 | }
95 | })
96 |
97 | p.Start()
98 | defer p.Close()
99 |
100 | // Explicitly triggering GC to remove garbage from config loading.
101 | runtime.GC()
102 | // Running backend
103 | osSignals := make(chan os.Signal, 1)
104 | signal.Notify(osSignals, os.Interrupt, os.Kill, syscall.SIGTERM)
105 | <-osSignals
106 |
107 | return nil
108 | }
109 |
110 | func Execute() error {
111 | return rootCmd.Execute()
112 | }
113 |
--------------------------------------------------------------------------------
/cmd/version.go:
--------------------------------------------------------------------------------
1 | package cmd
2 |
3 | import (
4 | "fmt"
5 |
6 | "github.com/spf13/cobra"
7 | )
8 |
9 | var (
10 | version = "0.3.14"
11 | codename = "NeXT-Server"
12 | intro = "Next generation proxy server."
13 | )
14 |
15 | func init() {
16 | rootCmd.AddCommand(&cobra.Command{
17 | Use: "version",
18 | Short: "Print current version of NeXT-Server",
19 | Run: func(cmd *cobra.Command, args []string) {
20 | showVersion()
21 | },
22 | })
23 | }
24 |
25 | func showVersion() {
26 | fmt.Printf("%s %s (%s) \n", codename, version, intro)
27 | }
28 |
--------------------------------------------------------------------------------
/common/common.go:
--------------------------------------------------------------------------------
1 | // Package common contains common utilities that are shared among other packages.
2 | package common
3 |
--------------------------------------------------------------------------------
/common/limiter/limiter.go:
--------------------------------------------------------------------------------
1 | // Package limiter is to control the links that go into the dispatcher
2 | package limiter
3 |
4 | import (
5 | "fmt"
6 | "golang.org/x/time/rate"
7 | "sync"
8 |
9 | "github.com/The-NeXT-Project/NeXT-Server/api"
10 | )
11 |
12 | type UserInfo struct {
13 | UID int
14 | SpeedLimit uint64
15 | DeviceLimit int
16 | }
17 |
18 | type InboundInfo struct {
19 | Tag string
20 | NodeSpeedLimit uint64
21 | UserInfo *sync.Map // Key: Email value: UserInfo
22 | BucketHub *sync.Map // key: Email, value: *rate.Limiter
23 | UserOnlineIP *sync.Map // Key: Email, value: {Key: IP, value: UID}
24 | }
25 |
26 | type Limiter struct {
27 | InboundInfo *sync.Map // Key: Tag, Value: *InboundInfo
28 | }
29 |
30 | func New() *Limiter {
31 | return &Limiter{
32 | InboundInfo: new(sync.Map),
33 | }
34 | }
35 |
36 | func (l *Limiter) AddInboundLimiter(tag string, nodeSpeedLimit uint64, userList *[]api.UserInfo) error {
37 | inboundInfo := &InboundInfo{
38 | Tag: tag,
39 | NodeSpeedLimit: nodeSpeedLimit,
40 | BucketHub: new(sync.Map),
41 | UserOnlineIP: new(sync.Map),
42 | }
43 |
44 | userMap := new(sync.Map)
45 | for _, u := range *userList {
46 | userMap.Store(fmt.Sprintf("%s|%s|%d", tag, u.Email, u.UID), UserInfo{
47 | UID: u.UID,
48 | SpeedLimit: u.SpeedLimit,
49 | DeviceLimit: u.DeviceLimit,
50 | })
51 | }
52 | inboundInfo.UserInfo = userMap
53 | l.InboundInfo.Store(tag, inboundInfo) // Replace the old inbound info
54 | return nil
55 | }
56 |
57 | func (l *Limiter) UpdateInboundLimiter(tag string, updatedUserList *[]api.UserInfo) error {
58 | if value, ok := l.InboundInfo.Load(tag); ok {
59 | inboundInfo := value.(*InboundInfo)
60 | // Update User info
61 | for _, u := range *updatedUserList {
62 | inboundInfo.UserInfo.Store(fmt.Sprintf("%s|%s|%d", tag, u.Email, u.UID), UserInfo{
63 | UID: u.UID,
64 | SpeedLimit: u.SpeedLimit,
65 | DeviceLimit: u.DeviceLimit,
66 | })
67 | // Update old limiter bucket
68 | limit := determineRate(inboundInfo.NodeSpeedLimit, u.SpeedLimit)
69 | if limit > 0 {
70 | if bucket, ok := inboundInfo.BucketHub.Load(fmt.Sprintf("%s|%s|%d", tag, u.Email, u.UID)); ok {
71 | limiter := bucket.(*rate.Limiter)
72 | limiter.SetLimit(rate.Limit(limit))
73 | limiter.SetBurst(int(limit))
74 | }
75 | } else {
76 | inboundInfo.BucketHub.Delete(fmt.Sprintf("%s|%s|%d", tag, u.Email, u.UID))
77 | }
78 | }
79 | } else {
80 | return fmt.Errorf("no such inbound in limiter: %s", tag)
81 | }
82 | return nil
83 | }
84 |
85 | func (l *Limiter) DeleteInboundLimiter(tag string) error {
86 | l.InboundInfo.Delete(tag)
87 | return nil
88 | }
89 |
90 | func (l *Limiter) GetOnlineDevice(tag string) (*[]api.OnlineUser, error) {
91 | var onlineUser []api.OnlineUser
92 |
93 | if value, ok := l.InboundInfo.Load(tag); ok {
94 | inboundInfo := value.(*InboundInfo)
95 | // Clear Speed Limiter bucket for users who are not online
96 | inboundInfo.BucketHub.Range(func(key, value interface{}) bool {
97 | email := key.(string)
98 | if _, exists := inboundInfo.UserOnlineIP.Load(email); !exists {
99 | inboundInfo.BucketHub.Delete(email)
100 | }
101 | return true
102 | })
103 | inboundInfo.UserOnlineIP.Range(func(key, value interface{}) bool {
104 | email := key.(string)
105 | ipMap := value.(*sync.Map)
106 | ipMap.Range(func(key, value interface{}) bool {
107 | uid := value.(int)
108 | ip := key.(string)
109 | onlineUser = append(onlineUser, api.OnlineUser{UID: uid, IP: ip})
110 | return true
111 | })
112 | inboundInfo.UserOnlineIP.Delete(email) // Reset online device
113 | return true
114 | })
115 | } else {
116 | return nil, fmt.Errorf("no such inbound in limiter: %s", tag)
117 | }
118 |
119 | return &onlineUser, nil
120 | }
121 |
122 | func (l *Limiter) GetUserBucket(tag string, email string, ip string) (limiter *rate.Limiter, SpeedLimit bool, Reject bool) {
123 | if value, ok := l.InboundInfo.Load(tag); ok {
124 | var (
125 | userLimit uint64 = 0
126 | deviceLimit, uid int
127 | )
128 |
129 | inboundInfo := value.(*InboundInfo)
130 | nodeLimit := inboundInfo.NodeSpeedLimit
131 |
132 | if v, ok := inboundInfo.UserInfo.Load(email); ok {
133 | u := v.(UserInfo)
134 | uid = u.UID
135 | userLimit = u.SpeedLimit
136 | deviceLimit = u.DeviceLimit
137 | }
138 |
139 | // Local device limit
140 | ipMap := new(sync.Map)
141 | ipMap.Store(ip, uid)
142 | // If any device is online
143 | if v, ok := inboundInfo.UserOnlineIP.LoadOrStore(email, ipMap); ok {
144 | ipMap := v.(*sync.Map)
145 | // If this is a new ip
146 | if _, ok := ipMap.LoadOrStore(ip, uid); !ok {
147 | counter := 0
148 | ipMap.Range(func(key, value interface{}) bool {
149 | counter++
150 | return true
151 | })
152 | if counter > deviceLimit && deviceLimit > 0 {
153 | ipMap.Delete(ip)
154 | return nil, false, true
155 | }
156 | }
157 | }
158 |
159 | // Speed limit
160 | limit := determineRate(nodeLimit, userLimit) // Determine the speed limit rate
161 | if limit > 0 {
162 | limiter := rate.NewLimiter(rate.Limit(limit), int(limit)) // Byte/s
163 | if v, ok := inboundInfo.BucketHub.LoadOrStore(email, limiter); ok {
164 | bucket := v.(*rate.Limiter)
165 | return bucket, true, false
166 | } else {
167 | return limiter, true, false
168 | }
169 | } else {
170 | return nil, false, false
171 | }
172 | } else {
173 | return nil, false, false
174 | }
175 | }
176 |
177 | // determineRate returns the minimum non-zero rate
178 | func determineRate(nodeLimit, userLimit uint64) (limit uint64) {
179 | if nodeLimit == 0 || userLimit == 0 {
180 | if nodeLimit > userLimit {
181 | return nodeLimit
182 | } else if nodeLimit < userLimit {
183 | return userLimit
184 | } else {
185 | return 0
186 | }
187 | } else {
188 | if nodeLimit > userLimit {
189 | return userLimit
190 | } else if nodeLimit < userLimit {
191 | return nodeLimit
192 | } else {
193 | return nodeLimit
194 | }
195 | }
196 | }
197 |
--------------------------------------------------------------------------------
/common/limiter/model.go:
--------------------------------------------------------------------------------
1 | package limiter
2 |
--------------------------------------------------------------------------------
/common/limiter/rate.go:
--------------------------------------------------------------------------------
1 | package limiter
2 |
3 | import (
4 | "context"
5 | "io"
6 |
7 | "github.com/xtls/xray-core/common"
8 | "github.com/xtls/xray-core/common/buf"
9 | "golang.org/x/time/rate"
10 | )
11 |
12 | type Writer struct {
13 | writer buf.Writer
14 | limiter *rate.Limiter
15 | w io.Writer
16 | }
17 |
18 | func (l *Limiter) RateWriter(writer buf.Writer, limiter *rate.Limiter) buf.Writer {
19 | return &Writer{
20 | writer: writer,
21 | limiter: limiter,
22 | }
23 | }
24 |
25 | func (w *Writer) Close() error {
26 | return common.Close(w.writer)
27 | }
28 |
29 | func (w *Writer) WriteMultiBuffer(mb buf.MultiBuffer) error {
30 | ctx := context.Background()
31 | _ = w.limiter.WaitN(ctx, int(mb.Len()))
32 | return w.writer.WriteMultiBuffer(mb)
33 | }
34 |
--------------------------------------------------------------------------------
/common/mylego/account.go:
--------------------------------------------------------------------------------
1 | package mylego
2 |
3 | import (
4 | "crypto"
5 |
6 | "github.com/go-acme/lego/v4/registration"
7 | )
8 |
9 | // Account represents a users local saved credentials.
10 | type Account struct {
11 | Email string `json:"email"`
12 | Registration *registration.Resource `json:"registration"`
13 | key crypto.PrivateKey
14 | }
15 |
16 | /** Implementation of the registration.User interface **/
17 |
18 | // GetEmail returns the email address for the account.
19 | func (a *Account) GetEmail() string {
20 | return a.Email
21 | }
22 |
23 | // GetPrivateKey returns the private RSA account key.
24 | func (a *Account) GetPrivateKey() crypto.PrivateKey {
25 | return a.key
26 | }
27 |
28 | // GetRegistration returns the server registration.
29 | func (a *Account) GetRegistration() *registration.Resource {
30 | return a.Registration
31 | }
32 |
33 | /** End **/
34 |
--------------------------------------------------------------------------------
/common/mylego/accounts_storage.go:
--------------------------------------------------------------------------------
1 | package mylego
2 |
3 | import (
4 | "crypto"
5 | "crypto/x509"
6 | "encoding/json"
7 | "encoding/pem"
8 | "errors"
9 | "log"
10 | "net/url"
11 | "os"
12 | "path/filepath"
13 | "strings"
14 |
15 | "github.com/go-acme/lego/v4/certcrypto"
16 | "github.com/go-acme/lego/v4/lego"
17 | "github.com/go-acme/lego/v4/registration"
18 | "golang.org/x/crypto/acme"
19 | )
20 |
21 | const (
22 | baseAccountsRootFolderName = "accounts"
23 | baseKeysFolderName = "keys"
24 | accountFileName = "account.json"
25 | )
26 |
27 | // AccountsStorage A storage for account data.
28 | //
29 | // rootPath:
30 | //
31 | // ./.lego/accounts/
32 | // │ └── root accounts directory
33 | // └── "path" option
34 | //
35 | // rootUserPath:
36 | //
37 | // ./.lego/accounts/localhost_14000/hubert@hubert.com/
38 | // │ │ │ └── userID ("email" option)
39 | // │ │ └── CA server ("server" option)
40 | // │ └── root accounts directory
41 | // └── "path" option
42 | //
43 | // keysPath:
44 | //
45 | // ./.lego/accounts/localhost_14000/hubert@hubert.com/keys/
46 | // │ │ │ │ └── root keys directory
47 | // │ │ │ └── userID ("email" option)
48 | // │ │ └── CA server ("server" option)
49 | // │ └── root accounts directory
50 | // └── "path" option
51 | //
52 | // accountFilePath:
53 | //
54 | // ./.lego/accounts/localhost_14000/hubert@hubert.com/account.json
55 | // │ │ │ │ └── account file
56 | // │ │ │ └── userID ("email" option)
57 | // │ │ └── CA server ("server" option)
58 | // │ └── root accounts directory
59 | // └── "path" option
60 | type AccountsStorage struct {
61 | userID string
62 | rootPath string
63 | rootUserPath string
64 | keysPath string
65 | accountFilePath string
66 | }
67 |
68 | // NewAccountsStorage Creates a new AccountsStorage.
69 | func NewAccountsStorage(l *LegoCMD) *AccountsStorage {
70 | email := l.C.Email
71 |
72 | serverURL, err := url.Parse(acme.LetsEncryptURL)
73 | if err != nil {
74 | log.Panic(err)
75 | }
76 |
77 | rootPath := filepath.Join(l.path, baseAccountsRootFolderName)
78 | serverPath := strings.NewReplacer(":", "_", "/", string(os.PathSeparator)).Replace(serverURL.Host)
79 | accountsPath := filepath.Join(rootPath, serverPath)
80 | rootUserPath := filepath.Join(accountsPath, email)
81 |
82 | return &AccountsStorage{
83 | userID: email,
84 | rootPath: rootPath,
85 | rootUserPath: rootUserPath,
86 | keysPath: filepath.Join(rootUserPath, baseKeysFolderName),
87 | accountFilePath: filepath.Join(rootUserPath, accountFileName),
88 | }
89 | }
90 |
91 | func (s *AccountsStorage) ExistsAccountFilePath() bool {
92 | accountFile := filepath.Join(s.rootUserPath, accountFileName)
93 | if _, err := os.Stat(accountFile); os.IsNotExist(err) {
94 | return false
95 | } else if err != nil {
96 | log.Panic(err)
97 | }
98 | return true
99 | }
100 |
101 | func (s *AccountsStorage) GetRootPath() string {
102 | return s.rootPath
103 | }
104 |
105 | func (s *AccountsStorage) GetRootUserPath() string {
106 | return s.rootUserPath
107 | }
108 |
109 | func (s *AccountsStorage) GetUserID() string {
110 | return s.userID
111 | }
112 |
113 | func (s *AccountsStorage) Save(account *Account) error {
114 | jsonBytes, err := json.MarshalIndent(account, "", "\t")
115 | if err != nil {
116 | return err
117 | }
118 |
119 | return os.WriteFile(s.accountFilePath, jsonBytes, filePerm)
120 | }
121 |
122 | func (s *AccountsStorage) LoadAccount(privateKey crypto.PrivateKey) *Account {
123 | fileBytes, err := os.ReadFile(s.accountFilePath)
124 | if err != nil {
125 | log.Panicf("Could not load file for account %s: %v", s.userID, err)
126 | }
127 |
128 | var account Account
129 | err = json.Unmarshal(fileBytes, &account)
130 | if err != nil {
131 | log.Panicf("Could not parse file for account %s: %v", s.userID, err)
132 | }
133 |
134 | account.key = privateKey
135 |
136 | if account.Registration == nil || account.Registration.Body.Status == "" {
137 | reg, err := tryRecoverRegistration(privateKey)
138 | if err != nil {
139 | log.Panicf("Could not load account for %s. Registration is nil: %#v", s.userID, err)
140 | }
141 |
142 | account.Registration = reg
143 | err = s.Save(&account)
144 | if err != nil {
145 | log.Panicf("Could not save account for %s. Registration is nil: %#v", s.userID, err)
146 | }
147 | }
148 |
149 | return &account
150 | }
151 |
152 | func (s *AccountsStorage) GetPrivateKey(keyType certcrypto.KeyType) crypto.PrivateKey {
153 | accKeyPath := filepath.Join(s.keysPath, s.userID+".key")
154 |
155 | if _, err := os.Stat(accKeyPath); os.IsNotExist(err) {
156 | log.Printf("No key found for account %s. Generating a %s key.", s.userID, keyType)
157 | s.createKeysFolder()
158 |
159 | privateKey, err := generatePrivateKey(accKeyPath, keyType)
160 | if err != nil {
161 | log.Panicf("Could not generate RSA private account key for account %s: %v", s.userID, err)
162 | }
163 |
164 | log.Printf("Saved key to %s", accKeyPath)
165 | return privateKey
166 | }
167 |
168 | privateKey, err := loadPrivateKey(accKeyPath)
169 | if err != nil {
170 | log.Panicf("Could not load RSA private key from file %s: %v", accKeyPath, err)
171 | }
172 |
173 | return privateKey
174 | }
175 |
176 | func (s *AccountsStorage) createKeysFolder() {
177 | if err := createNonExistingFolder(s.keysPath); err != nil {
178 | log.Panicf("Could not check/create directory for account %s: %v", s.userID, err)
179 | }
180 | }
181 |
182 | func generatePrivateKey(file string, keyType certcrypto.KeyType) (crypto.PrivateKey, error) {
183 | privateKey, err := certcrypto.GeneratePrivateKey(keyType)
184 | if err != nil {
185 | return nil, err
186 | }
187 |
188 | certOut, err := os.Create(file)
189 | if err != nil {
190 | return nil, err
191 | }
192 |
193 | defer certOut.Close()
194 |
195 | pemKey := certcrypto.PEMBlock(privateKey)
196 | err = pem.Encode(certOut, pemKey)
197 | if err != nil {
198 | return nil, err
199 | }
200 |
201 | return privateKey, nil
202 | }
203 |
204 | func loadPrivateKey(file string) (crypto.PrivateKey, error) {
205 | keyBytes, err := os.ReadFile(file)
206 | if err != nil {
207 | return nil, err
208 | }
209 |
210 | keyBlock, _ := pem.Decode(keyBytes)
211 |
212 | switch keyBlock.Type {
213 | case "RSA PRIVATE KEY":
214 | return x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
215 | case "EC PRIVATE KEY":
216 | return x509.ParseECPrivateKey(keyBlock.Bytes)
217 | }
218 |
219 | return nil, errors.New("unknown private key type")
220 | }
221 |
222 | func tryRecoverRegistration(privateKey crypto.PrivateKey) (*registration.Resource, error) {
223 | // couldn't load account but got a key. Try to look the account up.
224 | config := lego.NewConfig(&Account{key: privateKey})
225 | config.CADirURL = acme.LetsEncryptURL
226 | config.UserAgent = "lego-cli/dev"
227 |
228 | client, err := lego.NewClient(config)
229 | if err != nil {
230 | return nil, err
231 | }
232 |
233 | reg, err := client.Registration.ResolveAccountByKey()
234 | if err != nil {
235 | return nil, err
236 | }
237 | return reg, nil
238 | }
239 |
--------------------------------------------------------------------------------
/common/mylego/certs_storage.go:
--------------------------------------------------------------------------------
1 | package mylego
2 |
3 | import (
4 | "bytes"
5 | "crypto/x509"
6 | "encoding/json"
7 | "log"
8 | "os"
9 | "path/filepath"
10 | "strings"
11 |
12 | "github.com/go-acme/lego/v4/certcrypto"
13 | "github.com/go-acme/lego/v4/certificate"
14 | "golang.org/x/net/idna"
15 | )
16 |
17 | const (
18 | baseCertificatesFolderName = "certificates"
19 | )
20 |
21 | // CertificatesStorage a certificates' storage.
22 | //
23 | // rootPath:
24 | //
25 | // ./.lego/certificates/
26 | // │ └── root certificates directory
27 | // └── "path" option
28 | //
29 | // archivePath:
30 | //
31 | // ./.lego/archives/
32 | // │ └── archived certificates directory
33 | // └── "path" option
34 | type CertificatesStorage struct {
35 | rootPath string
36 | pem bool
37 | }
38 |
39 | // NewCertificatesStorage create a new certificates storage.
40 | func NewCertificatesStorage(path string) *CertificatesStorage {
41 | return &CertificatesStorage{
42 | rootPath: filepath.Join(path, baseCertificatesFolderName),
43 | }
44 | }
45 |
46 | func (s *CertificatesStorage) CreateRootFolder() {
47 | err := createNonExistingFolder(s.rootPath)
48 | if err != nil {
49 | log.Panicf("Could not check/create path: %v", err)
50 | }
51 | }
52 |
53 | func (s *CertificatesStorage) GetRootPath() string {
54 | return s.rootPath
55 | }
56 |
57 | func (s *CertificatesStorage) SaveResource(certRes *certificate.Resource) {
58 | domain := certRes.Domain
59 |
60 | // We store the certificate, private key and metadata in different files
61 | // as web servers would not be able to work with a combined file.
62 | err := s.WriteFile(domain, ".crt", certRes.Certificate)
63 | if err != nil {
64 | log.Panicf("Unable to save Certificate for domain %s\n\t%v", domain, err)
65 | }
66 |
67 | if certRes.IssuerCertificate != nil {
68 | err = s.WriteFile(domain, ".issuer.crt", certRes.IssuerCertificate)
69 | if err != nil {
70 | log.Panicf("Unable to save IssuerCertificate for domain %s\n\t%v", domain, err)
71 | }
72 | }
73 |
74 | if certRes.PrivateKey != nil {
75 | // if we were given a CSR, we don't know the private key
76 | err = s.WriteFile(domain, ".key", certRes.PrivateKey)
77 | if err != nil {
78 | log.Panicf("Unable to save PrivateKey for domain %s\n\t%v", domain, err)
79 | }
80 |
81 | if s.pem {
82 | err = s.WriteFile(domain, ".pem", bytes.Join([][]byte{certRes.Certificate, certRes.PrivateKey}, nil))
83 | if err != nil {
84 | log.Panicf("Unable to save Certificate and PrivateKey in .pem for domain %s\n\t%v", domain, err)
85 | }
86 | }
87 | } else if s.pem {
88 | // we don't have the private key; can't write the .pem file
89 | log.Panicf("Unable to save pem without private key for domain %s\n\t%v; are you using a CSR?", domain, err)
90 | }
91 |
92 | jsonBytes, err := json.MarshalIndent(certRes, "", "\t")
93 | if err != nil {
94 | log.Panicf("Unable to marshal CertResource for domain %s\n\t%v", domain, err)
95 | }
96 |
97 | err = s.WriteFile(domain, ".json", jsonBytes)
98 | if err != nil {
99 | log.Panicf("Unable to save CertResource for domain %s\n\t%v", domain, err)
100 | }
101 | }
102 |
103 | func (s *CertificatesStorage) ReadResource(domain string) certificate.Resource {
104 | raw, err := s.ReadFile(domain, ".json")
105 | if err != nil {
106 | log.Panicf("Error while loading the meta data for domain %s\n\t%v", domain, err)
107 | }
108 |
109 | var resource certificate.Resource
110 | if err = json.Unmarshal(raw, &resource); err != nil {
111 | log.Panicf("Error while marshaling the meta data for domain %s\n\t%v", domain, err)
112 | }
113 |
114 | return resource
115 | }
116 |
117 | func (s *CertificatesStorage) ExistsFile(domain, extension string) bool {
118 | filePath := s.GetFileName(domain, extension)
119 |
120 | if _, err := os.Stat(filePath); os.IsNotExist(err) {
121 | return false
122 | } else if err != nil {
123 | log.Panic(err)
124 | }
125 | return true
126 | }
127 |
128 | func (s *CertificatesStorage) ReadFile(domain, extension string) ([]byte, error) {
129 | return os.ReadFile(s.GetFileName(domain, extension))
130 | }
131 |
132 | func (s *CertificatesStorage) GetFileName(domain, extension string) string {
133 | filename := sanitizedDomain(domain) + extension
134 | return filepath.Join(s.rootPath, filename)
135 | }
136 |
137 | func (s *CertificatesStorage) ReadCertificate(domain, extension string) ([]*x509.Certificate, error) {
138 | content, err := s.ReadFile(domain, extension)
139 | if err != nil {
140 | return nil, err
141 | }
142 |
143 | // The input may be a bundle or a single certificate.
144 | return certcrypto.ParsePEMBundle(content)
145 | }
146 |
147 | func (s *CertificatesStorage) WriteFile(domain, extension string, data []byte) error {
148 | var baseFileName = sanitizedDomain(domain)
149 |
150 | filePath := filepath.Join(s.rootPath, baseFileName+extension)
151 |
152 | return os.WriteFile(filePath, data, filePerm)
153 | }
154 |
155 | // sanitizedDomain Make sure no funny chars are in the cert names (like wildcards ;)).
156 | func sanitizedDomain(domain string) string {
157 | safe, err := idna.ToASCII(strings.ReplaceAll(domain, "*", "_"))
158 | if err != nil {
159 | log.Panic(err)
160 | }
161 | return safe
162 | }
163 |
--------------------------------------------------------------------------------
/common/mylego/model.go:
--------------------------------------------------------------------------------
1 | package mylego
2 |
3 | type CertConfig struct {
4 | CertMode string `mapstructure:"CertMode"` // none, file, http, dns
5 | CertDomain string `mapstructure:"CertDomain"`
6 | CertFile string `mapstructure:"CertFile"`
7 | KeyFile string `mapstructure:"KeyFile"`
8 | Provider string `mapstructure:"Provider"` // alidns, cloudflare, gandi, godaddy....
9 | Email string `mapstructure:"Email"`
10 | DNSEnv map[string]string `mapstructure:"DNSEnv"`
11 | RejectUnknownSni bool `mapstructure:"RejectUnknownSni"`
12 | }
13 |
14 | type LegoCMD struct {
15 | C *CertConfig
16 | path string
17 | }
18 |
--------------------------------------------------------------------------------
/common/mylego/mylego.go:
--------------------------------------------------------------------------------
1 | package mylego
2 |
3 | import (
4 | "errors"
5 | "fmt"
6 | "os"
7 | "path"
8 | "path/filepath"
9 | "strings"
10 | )
11 |
12 | var defaultPath string
13 |
14 | func New(certConf *CertConfig) (*LegoCMD, error) {
15 | // Set default path to configPath/cert
16 | var p = ""
17 | configPath := os.Getenv("XRAY_LOCATION_CONFIG")
18 | if configPath != "" {
19 | p = configPath
20 | } else if cwd, err := os.Getwd(); err == nil {
21 | p = cwd
22 | } else {
23 | p = "."
24 | }
25 |
26 | defaultPath = filepath.Join(p, "cert")
27 | lego := &LegoCMD{
28 | C: certConf,
29 | path: defaultPath,
30 | }
31 |
32 | return lego, nil
33 | }
34 |
35 | func (l *LegoCMD) getPath() string {
36 | return l.path
37 | }
38 |
39 | func (l *LegoCMD) getCertConfig() *CertConfig {
40 | return l.C
41 | }
42 |
43 | // DNSCert cert a domain using DNS API
44 | func (l *LegoCMD) DNSCert() (CertPath string, KeyPath string, err error) {
45 | defer func() (string, string, error) {
46 | // Handle any error
47 | if r := recover(); r != nil {
48 | switch x := r.(type) {
49 | case string:
50 | err = errors.New(x)
51 | case error:
52 | err = x
53 | default:
54 | err = errors.New("unknown panic")
55 | }
56 | return "", "", err
57 | }
58 | return CertPath, KeyPath, nil
59 | }()
60 |
61 | // Set Env for DNS configuration
62 | for key, value := range l.C.DNSEnv {
63 | _ = os.Setenv(strings.ToUpper(key), value)
64 | }
65 |
66 | // First check if the certificate exists
67 | CertPath, KeyPath, err = checkCertFile(l.C.CertDomain)
68 | if err == nil {
69 | return CertPath, KeyPath, err
70 | }
71 |
72 | err = l.Run()
73 | if err != nil {
74 | return "", "", err
75 | }
76 | CertPath, KeyPath, err = checkCertFile(l.C.CertDomain)
77 | if err != nil {
78 | return "", "", err
79 | }
80 | return CertPath, KeyPath, nil
81 | }
82 |
83 | // HTTPCert cert a domain using http methods
84 | func (l *LegoCMD) HTTPCert() (CertPath string, KeyPath string, err error) {
85 | defer func() (string, string, error) {
86 | // Handle any error
87 | if r := recover(); r != nil {
88 | switch x := r.(type) {
89 | case string:
90 | err = errors.New(x)
91 | case error:
92 | err = x
93 | default:
94 | err = errors.New("unknown panic")
95 | }
96 | return "", "", err
97 | }
98 | return CertPath, KeyPath, nil
99 | }()
100 |
101 | // First check if the certificate exists
102 | CertPath, KeyPath, err = checkCertFile(l.C.CertDomain)
103 | if err == nil {
104 | return CertPath, KeyPath, err
105 | }
106 |
107 | err = l.Run()
108 | if err != nil {
109 | return "", "", err
110 | }
111 |
112 | CertPath, KeyPath, err = checkCertFile(l.C.CertDomain)
113 | if err != nil {
114 | return "", "", err
115 | }
116 |
117 | return CertPath, KeyPath, nil
118 | }
119 |
120 | // RenewCert renew a domain cert
121 | func (l *LegoCMD) RenewCert() (CertPath string, KeyPath string, ok bool, err error) {
122 | defer func() (string, string, bool, error) {
123 | // Handle any error
124 | if r := recover(); r != nil {
125 | switch x := r.(type) {
126 | case string:
127 | err = errors.New(x)
128 | case error:
129 | err = x
130 | default:
131 | err = errors.New("unknown panic")
132 | }
133 | return "", "", false, err
134 | }
135 | return CertPath, KeyPath, ok, nil
136 | }()
137 |
138 | ok, err = l.Renew()
139 | if err != nil {
140 | return
141 | }
142 |
143 | CertPath, KeyPath, err = checkCertFile(l.C.CertDomain)
144 | if err != nil {
145 | return
146 | }
147 |
148 | return
149 | }
150 |
151 | func checkCertFile(domain string) (string, string, error) {
152 | keyPath := path.Join(defaultPath, "certificates", fmt.Sprintf("%s.key", domain))
153 | certPath := path.Join(defaultPath, "certificates", fmt.Sprintf("%s.crt", domain))
154 | if _, err := os.Stat(keyPath); os.IsNotExist(err) {
155 | return "", "", fmt.Errorf("cert key failed: %s", domain)
156 | }
157 | if _, err := os.Stat(certPath); os.IsNotExist(err) {
158 | return "", "", fmt.Errorf("cert cert failed: %s", domain)
159 | }
160 | absKeyPath, _ := filepath.Abs(keyPath)
161 | absCertPath, _ := filepath.Abs(certPath)
162 | return absCertPath, absKeyPath, nil
163 | }
164 |
--------------------------------------------------------------------------------
/common/mylego/renew.go:
--------------------------------------------------------------------------------
1 | package mylego
2 |
3 | import (
4 | "crypto"
5 | "crypto/x509"
6 | "log"
7 | "time"
8 |
9 | "github.com/go-acme/lego/v4/certcrypto"
10 | "github.com/go-acme/lego/v4/certificate"
11 | "github.com/go-acme/lego/v4/lego"
12 | )
13 |
14 | func (l *LegoCMD) Renew() (bool, error) {
15 | account, client := setup(NewAccountsStorage(l))
16 | setupChallenges(l, client)
17 |
18 | if account.Registration == nil {
19 | log.Panicf("Account %s is not registered. Use 'run' to register a new account.\n", account.Email)
20 | }
21 |
22 | return renewForDomains(l.C.CertDomain, client, NewCertificatesStorage(l.path))
23 | }
24 |
25 | func renewForDomains(domain string, client *lego.Client, certsStorage *CertificatesStorage) (bool, error) {
26 | // load the cert resource from files.
27 | // We store the certificate, private key and metadata in different files
28 | // as web servers would not be able to work with a combined file.
29 | certificates, err := certsStorage.ReadCertificate(domain, ".crt")
30 | if err != nil {
31 | log.Panicf("Error while loading the certificate for domain %s\n\t%v", domain, err)
32 | }
33 |
34 | cert := certificates[0]
35 |
36 | if !needRenewal(cert, domain, 30) {
37 | return false, nil
38 | }
39 |
40 | // This is just meant to be informal for the user.
41 | timeLeft := cert.NotAfter.Sub(time.Now().UTC())
42 | log.Printf("[%s] acme: Trying renewal with %d hours remaining", domain, int(timeLeft.Hours()))
43 |
44 | certDomains := certcrypto.ExtractDomains(cert)
45 |
46 | var privateKey crypto.PrivateKey
47 | request := certificate.ObtainRequest{
48 | Domains: certDomains,
49 | Bundle: true,
50 | PrivateKey: privateKey,
51 | }
52 | certRes, err := client.Certificate.Obtain(request)
53 | if err != nil {
54 | log.Panic(err)
55 | }
56 |
57 | certsStorage.SaveResource(certRes)
58 |
59 | return true, nil
60 | }
61 |
62 | func needRenewal(x509Cert *x509.Certificate, domain string, days int) bool {
63 | if x509Cert.IsCA {
64 | log.Panicf("[%s] Certificate bundle starts with a CA certificate", domain)
65 | }
66 |
67 | if days >= 0 {
68 | notAfter := int(time.Until(x509Cert.NotAfter).Hours() / 24.0)
69 | if notAfter > days {
70 | log.Printf("[%s] The certificate expires in %d days, the number of days defined to perform the renewal is %d: no renewal.",
71 | domain, notAfter, days)
72 | return false
73 | }
74 | }
75 |
76 | return true
77 | }
78 |
--------------------------------------------------------------------------------
/common/mylego/run.go:
--------------------------------------------------------------------------------
1 | package mylego
2 |
3 | import (
4 | "fmt"
5 | "log"
6 |
7 | "github.com/go-acme/lego/v4/certificate"
8 | "github.com/go-acme/lego/v4/lego"
9 | "github.com/go-acme/lego/v4/registration"
10 | )
11 |
12 | const rootPathWarningMessage = `!!!! HEADS UP !!!!
13 |
14 | Your account credentials have been saved in your Let's Encrypt
15 | configuration directory at "%s".
16 |
17 | You should make a secure backup of this folder now. This
18 | configuration directory will also contain certificates and
19 | private keys obtained from Let's Encrypt so making regular
20 | backups of this folder is ideal.
21 | `
22 |
23 | func (l *LegoCMD) Run() error {
24 | accountsStorage := NewAccountsStorage(l)
25 |
26 | account, client := setup(accountsStorage)
27 | setupChallenges(l, client)
28 |
29 | if account.Registration == nil {
30 | reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
31 | if err != nil {
32 | log.Panicf("Could not complete registration\n\t%v", err)
33 | }
34 |
35 | account.Registration = reg
36 | if err = accountsStorage.Save(account); err != nil {
37 | log.Panic(err)
38 | }
39 |
40 | fmt.Printf(rootPathWarningMessage, accountsStorage.GetRootPath())
41 | }
42 |
43 | certsStorage := NewCertificatesStorage(l.path)
44 | certsStorage.CreateRootFolder()
45 |
46 | cert, err := obtainCertificate([]string{l.C.CertDomain}, client)
47 | if err != nil {
48 | // Make sure to return a non-zero exit code if ObtainSANCertificate returned at least one error.
49 | // Due to us not returning partial certificate we can just exit here instead of at the end.
50 | log.Panicf("Could not obtain certificates:\n\t%v", err)
51 | }
52 |
53 | certsStorage.SaveResource(cert)
54 |
55 | return nil
56 | }
57 |
58 | func obtainCertificate(domains []string, client *lego.Client) (*certificate.Resource, error) {
59 | if len(domains) > 0 {
60 | // obtain a certificate, generating a new private key
61 | request := certificate.ObtainRequest{
62 | Domains: domains,
63 | Bundle: true,
64 | }
65 | return client.Certificate.Obtain(request)
66 | }
67 | return nil, fmt.Errorf("not a valid domain")
68 | }
69 |
--------------------------------------------------------------------------------
/common/mylego/setup.go:
--------------------------------------------------------------------------------
1 | package mylego
2 |
3 | import (
4 | "log"
5 | "os"
6 | "time"
7 |
8 | "github.com/go-acme/lego/v4/certcrypto"
9 | "github.com/go-acme/lego/v4/challenge/dns01"
10 | "github.com/go-acme/lego/v4/challenge/http01"
11 | "github.com/go-acme/lego/v4/challenge/tlsalpn01"
12 | "github.com/go-acme/lego/v4/lego"
13 | "github.com/go-acme/lego/v4/providers/dns"
14 | "github.com/go-acme/lego/v4/registration"
15 | "golang.org/x/crypto/acme"
16 | )
17 |
18 | const filePerm os.FileMode = 0o600
19 |
20 | func setup(accountsStorage *AccountsStorage) (*Account, *lego.Client) {
21 | keyType := certcrypto.EC256
22 | privateKey := accountsStorage.GetPrivateKey(keyType)
23 |
24 | var account *Account
25 | if accountsStorage.ExistsAccountFilePath() {
26 | account = accountsStorage.LoadAccount(privateKey)
27 | } else {
28 | account = &Account{Email: accountsStorage.GetUserID(), key: privateKey}
29 | }
30 |
31 | client := newClient(account, keyType)
32 |
33 | return account, client
34 | }
35 |
36 | func newClient(acc registration.User, keyType certcrypto.KeyType) *lego.Client {
37 | config := lego.NewConfig(acc)
38 | config.CADirURL = acme.LetsEncryptURL
39 |
40 | config.Certificate = lego.CertificateConfig{
41 | KeyType: keyType,
42 | Timeout: 30 * time.Second,
43 | }
44 | config.UserAgent = "lego-cli/dev"
45 |
46 | client, err := lego.NewClient(config)
47 | if err != nil {
48 | log.Panicf("Could not create client: %v", err)
49 | }
50 |
51 | return client
52 | }
53 |
54 | func createNonExistingFolder(path string) error {
55 | if _, err := os.Stat(path); os.IsNotExist(err) {
56 | return os.MkdirAll(path, 0o700)
57 | } else if err != nil {
58 | return err
59 | }
60 | return nil
61 | }
62 |
63 | func setupChallenges(l *LegoCMD, client *lego.Client) {
64 | switch l.C.CertMode {
65 | case "http":
66 | err := client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", ""))
67 | if err != nil {
68 | log.Panic(err)
69 | }
70 | case "tls":
71 | err := client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", ""))
72 | if err != nil {
73 | log.Panic(err)
74 | }
75 | case "dns":
76 | setupDNS(l.C.Provider, client)
77 | default:
78 | log.Panic("No challenge selected. You must specify at least one challenge: `http`, `tls`, `dns`.")
79 | }
80 | }
81 |
82 | func setupDNS(p string, client *lego.Client) {
83 | provider, err := dns.NewDNSChallengeProviderByName(p)
84 | if err != nil {
85 | log.Panic(err)
86 | }
87 |
88 | err = client.Challenge.SetDNS01Provider(
89 | provider,
90 | dns01.CondOption(true, dns01.AddDNSTimeout(10*time.Second)),
91 | )
92 | if err != nil {
93 | log.Panic(err)
94 | }
95 | }
96 |
--------------------------------------------------------------------------------
/common/rule/rule.go:
--------------------------------------------------------------------------------
1 | // Package rule is to control the audit rule behaviors
2 | package rule
3 |
4 | import (
5 | "reflect"
6 | "strconv"
7 | "strings"
8 | "sync"
9 |
10 | mapset "github.com/deckarep/golang-set"
11 |
12 | "github.com/The-NeXT-Project/NeXT-Server/api"
13 | )
14 |
15 | type Manager struct {
16 | InboundRule *sync.Map // Key: Tag, Value: []api.DetectRule
17 | InboundDetectResult *sync.Map // key: Tag, Value: mapset.NewSet []api.DetectResult
18 | }
19 |
20 | func New() *Manager {
21 | return &Manager{
22 | InboundRule: new(sync.Map),
23 | InboundDetectResult: new(sync.Map),
24 | }
25 | }
26 |
27 | func (r *Manager) UpdateRule(tag string, newRuleList []api.DetectRule) error {
28 | if value, ok := r.InboundRule.LoadOrStore(tag, newRuleList); ok {
29 | oldRuleList := value.([]api.DetectRule)
30 | if !reflect.DeepEqual(oldRuleList, newRuleList) {
31 | r.InboundRule.Store(tag, newRuleList)
32 | }
33 | }
34 | return nil
35 | }
36 |
37 | func (r *Manager) GetDetectResult(tag string) (*[]api.DetectResult, error) {
38 | detectResult := make([]api.DetectResult, 0)
39 | if value, ok := r.InboundDetectResult.LoadAndDelete(tag); ok {
40 | resultSet := value.(mapset.Set)
41 | it := resultSet.Iterator()
42 | for result := range it.C {
43 | detectResult = append(detectResult, result.(api.DetectResult))
44 | }
45 | }
46 | return &detectResult, nil
47 | }
48 |
49 | func (r *Manager) Detect(tag string, destination string, email string) (reject bool) {
50 | reject = false
51 | var hitRuleID = -1
52 | // If we have some rule for this inbound
53 | if value, ok := r.InboundRule.Load(tag); ok {
54 | ruleList := value.([]api.DetectRule)
55 | for _, r := range ruleList {
56 | if r.Pattern.Match([]byte(destination)) {
57 | hitRuleID = r.ID
58 | reject = true
59 | break
60 | }
61 | }
62 | // If we hit some rule
63 | if reject && hitRuleID != -1 {
64 | l := strings.Split(email, "|")
65 | uid, err := strconv.Atoi(l[len(l)-1])
66 | if err != nil {
67 | return reject
68 | }
69 | newSet := mapset.NewSetWith(api.DetectResult{UID: uid, RuleID: hitRuleID})
70 | // If there are any hit history
71 | if v, ok := r.InboundDetectResult.LoadOrStore(tag, newSet); ok {
72 | resultSet := v.(mapset.Set)
73 | // If this is a new record
74 | if resultSet.Add(api.DetectResult{UID: uid, RuleID: hitRuleID}) {
75 | r.InboundDetectResult.Store(tag, resultSet)
76 | }
77 | }
78 | }
79 | }
80 | return reject
81 | }
82 |
--------------------------------------------------------------------------------
/default.pgo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-NeXT-Project/NeXT-Server/743bc887e13d7ad55d79c3e60c9407127048d9c6/default.pgo
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/The-NeXT-Project/NeXT-Server
2 |
3 | go 1.24.2
4 |
5 | require (
6 | dario.cat/mergo v1.0.1
7 | github.com/deckarep/golang-set v1.8.0
8 | github.com/fsnotify/fsnotify v1.9.0
9 | github.com/getsentry/sentry-go v0.32.0
10 | github.com/go-acme/lego/v4 v4.23.1
11 | github.com/go-resty/resty/v2 v2.16.5
12 | github.com/pkg/profile v1.7.0
13 | github.com/r3labs/diff/v2 v2.15.1
14 | github.com/spf13/cobra v1.9.1
15 | github.com/spf13/viper v1.20.1
16 | github.com/xtls/xray-core v1.8.24
17 | golang.org/x/crypto v0.37.0
18 | golang.org/x/net v0.39.0
19 | golang.org/x/time v0.11.0
20 | google.golang.org/protobuf v1.36.6
21 | )
22 |
23 | require (
24 | cloud.google.com/go/auth v0.15.0 // indirect
25 | cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
26 | cloud.google.com/go/compute/metadata v0.6.0 // indirect
27 | github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
28 | github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
29 | github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1 // indirect
30 | github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 // indirect
31 | github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
32 | github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
33 | github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
34 | github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
35 | github.com/Azure/go-autorest v14.2.0+incompatible // indirect
36 | github.com/Azure/go-autorest/autorest v0.11.30 // indirect
37 | github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
38 | github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
39 | github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
40 | github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
41 | github.com/Azure/go-autorest/autorest/to v0.4.1 // indirect
42 | github.com/Azure/go-autorest/logger v0.2.1 // indirect
43 | github.com/Azure/go-autorest/tracing v0.6.0 // indirect
44 | github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
45 | github.com/OmarTariq612/goech v0.0.0-20240405204721-8e2e1dafd3a0 // indirect
46 | github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
47 | github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
48 | github.com/aliyun/alibaba-cloud-sdk-go v1.63.100 // indirect
49 | github.com/andybalholm/brotli v1.1.0 // indirect
50 | github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
51 | github.com/aws/aws-sdk-go-v2/config v1.29.9 // indirect
52 | github.com/aws/aws-sdk-go-v2/credentials v1.17.62 // indirect
53 | github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
54 | github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
55 | github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
56 | github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
57 | github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
58 | github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
59 | github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.1 // indirect
60 | github.com/aws/aws-sdk-go-v2/service/route53 v1.50.0 // indirect
61 | github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
62 | github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
63 | github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
64 | github.com/aws/smithy-go v1.22.2 // indirect
65 | github.com/baidubce/bce-sdk-go v0.9.223 // indirect
66 | github.com/benbjohnson/clock v1.3.0 // indirect
67 | github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
68 | github.com/cenkalti/backoff/v4 v4.3.0 // indirect
69 | github.com/civo/civogo v0.3.11 // indirect
70 | github.com/cloudflare/circl v1.4.0 // indirect
71 | github.com/cloudflare/cloudflare-go v0.115.0 // indirect
72 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
73 | github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140 // indirect
74 | github.com/dimchansky/utfbom v1.1.1 // indirect
75 | github.com/dnsimple/dnsimple-go v1.7.0 // indirect
76 | github.com/exoscale/egoscale/v3 v3.1.13 // indirect
77 | github.com/fatih/structs v1.1.0 // indirect
78 | github.com/felixge/fgprof v0.9.5 // indirect
79 | github.com/felixge/httpsnoop v1.0.4 // indirect
80 | github.com/francoispqt/gojay v1.2.13 // indirect
81 | github.com/gabriel-vasile/mimetype v1.4.2 // indirect
82 | github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344 // indirect
83 | github.com/go-errors/errors v1.4.2 // indirect
84 | github.com/go-jose/go-jose/v4 v4.0.5 // indirect
85 | github.com/go-logr/logr v1.4.2 // indirect
86 | github.com/go-logr/stdr v1.2.2 // indirect
87 | github.com/go-playground/locales v0.14.1 // indirect
88 | github.com/go-playground/universal-translator v0.18.1 // indirect
89 | github.com/go-playground/validator/v10 v10.16.0 // indirect
90 | github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
91 | github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
92 | github.com/goccy/go-json v0.10.5 // indirect
93 | github.com/gofrs/flock v0.12.1 // indirect
94 | github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
95 | github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
96 | github.com/golang/protobuf v1.5.4 // indirect
97 | github.com/google/btree v1.1.2 // indirect
98 | github.com/google/go-querystring v1.1.0 // indirect
99 | github.com/google/pprof v0.0.0-20250202011525-fc3143867406 // indirect
100 | github.com/google/s2a-go v0.1.9 // indirect
101 | github.com/google/uuid v1.6.0 // indirect
102 | github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
103 | github.com/googleapis/gax-go/v2 v2.14.1 // indirect
104 | github.com/gophercloud/gophercloud v1.14.1 // indirect
105 | github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
106 | github.com/gorilla/websocket v1.5.3 // indirect
107 | github.com/hashicorp/errwrap v1.1.0 // indirect
108 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
109 | github.com/hashicorp/go-multierror v1.1.1 // indirect
110 | github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
111 | github.com/hashicorp/go-uuid v1.0.3 // indirect
112 | github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.141 // indirect
113 | github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
114 | github.com/inconshreveable/mousetrap v1.1.0 // indirect
115 | github.com/infobloxopen/infoblox-go-client/v2 v2.9.0 // indirect
116 | github.com/jmespath/go-jmespath v0.4.0 // indirect
117 | github.com/json-iterator/go v1.1.12 // indirect
118 | github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
119 | github.com/klauspost/compress v1.17.8 // indirect
120 | github.com/klauspost/cpuid/v2 v2.2.7 // indirect
121 | github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
122 | github.com/kylelemons/godebug v1.1.0 // indirect
123 | github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
124 | github.com/labbsr0x/goh v1.0.1 // indirect
125 | github.com/leodido/go-urn v1.2.4 // indirect
126 | github.com/linode/linodego v1.48.1 // indirect
127 | github.com/liquidweb/liquidweb-cli v0.6.9 // indirect
128 | github.com/liquidweb/liquidweb-go v1.6.4 // indirect
129 | github.com/mattn/go-isatty v0.0.20 // indirect
130 | github.com/miekg/dns v1.1.64 // indirect
131 | github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
132 | github.com/mitchellh/go-homedir v1.1.0 // indirect
133 | github.com/mitchellh/mapstructure v1.5.0 // indirect
134 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
135 | github.com/modern-go/reflect2 v1.0.2 // indirect
136 | github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
137 | github.com/nrdcg/auroradns v1.1.0 // indirect
138 | github.com/nrdcg/bunny-go v0.0.0-20240207213615-dde5bf4577a3 // indirect
139 | github.com/nrdcg/desec v0.10.0 // indirect
140 | github.com/nrdcg/dnspod-go v0.4.0 // indirect
141 | github.com/nrdcg/freemyip v0.3.0 // indirect
142 | github.com/nrdcg/goacmedns v0.2.0 // indirect
143 | github.com/nrdcg/goinwx v0.10.0 // indirect
144 | github.com/nrdcg/mailinabox v0.2.0 // indirect
145 | github.com/nrdcg/namesilo v0.2.1 // indirect
146 | github.com/nrdcg/nodion v0.1.0 // indirect
147 | github.com/nrdcg/porkbun v0.4.0 // indirect
148 | github.com/nzdjb/go-metaname v1.0.0 // indirect
149 | github.com/onsi/ginkgo/v2 v2.20.1 // indirect
150 | github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
151 | github.com/oracle/oci-go-sdk/v65 v65.87.0 // indirect
152 | github.com/ovh/go-ovh v1.7.0 // indirect
153 | github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
154 | github.com/pelletier/go-toml v1.9.5 // indirect
155 | github.com/pelletier/go-toml/v2 v2.2.3 // indirect
156 | github.com/peterhellberg/link v1.2.0 // indirect
157 | github.com/pires/go-proxyproto v0.7.0 // indirect
158 | github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
159 | github.com/pkg/errors v0.9.1 // indirect
160 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
161 | github.com/pquerna/otp v1.4.0 // indirect
162 | github.com/quic-go/qpack v0.4.0 // indirect
163 | github.com/quic-go/quic-go v0.46.0 // indirect
164 | github.com/refraction-networking/utls v1.6.7 // indirect
165 | github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
166 | github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
167 | github.com/sacloud/api-client-go v0.2.10 // indirect
168 | github.com/sacloud/go-http v0.1.8 // indirect
169 | github.com/sacloud/iaas-api-go v1.14.0 // indirect
170 | github.com/sacloud/packages-go v0.0.10 // indirect
171 | github.com/sagernet/sing v0.4.1 // indirect
172 | github.com/sagernet/sing-shadowsocks v0.2.7 // indirect
173 | github.com/sagikazarmark/locafero v0.7.0 // indirect
174 | github.com/scaleway/scaleway-sdk-go v1.0.0-beta.32 // indirect
175 | github.com/seiflotfy/cuckoofilter v0.0.0-20240715131351-a2f2c23f1771 // indirect
176 | github.com/selectel/domains-go v1.1.0 // indirect
177 | github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
178 | github.com/shopspring/decimal v1.3.1 // indirect
179 | github.com/sirupsen/logrus v1.9.3 // indirect
180 | github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
181 | github.com/softlayer/softlayer-go v1.1.7 // indirect
182 | github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
183 | github.com/sony/gobreaker v0.5.0 // indirect
184 | github.com/sourcegraph/conc v0.3.0 // indirect
185 | github.com/spf13/afero v1.12.0 // indirect
186 | github.com/spf13/cast v1.7.1 // indirect
187 | github.com/spf13/pflag v1.0.6 // indirect
188 | github.com/stretchr/testify v1.10.0 // indirect
189 | github.com/subosito/gotenv v1.6.0 // indirect
190 | github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1128 // indirect
191 | github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1128 // indirect
192 | github.com/tjfoc/gmsm v1.4.1 // indirect
193 | github.com/transip/gotransip/v6 v6.26.0 // indirect
194 | github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
195 | github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e // indirect
196 | github.com/vinyldns/go-vinyldns v0.9.16 // indirect
197 | github.com/vishvananda/netlink v1.3.0 // indirect
198 | github.com/vishvananda/netns v0.0.4 // indirect
199 | github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
200 | github.com/volcengine/volc-sdk-golang v1.0.199 // indirect
201 | github.com/vultr/govultr/v3 v3.17.0 // indirect
202 | github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d // indirect
203 | github.com/yandex-cloud/go-genproto v0.0.0-20250319153614-fb9d3e5eb01a // indirect
204 | github.com/yandex-cloud/go-sdk v0.0.0-20250320143332-9cbcfc5de4ae // indirect
205 | go.mongodb.org/mongo-driver v1.13.1 // indirect
206 | go.opentelemetry.io/auto/sdk v1.1.0 // indirect
207 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
208 | go.opentelemetry.io/otel v1.34.0 // indirect
209 | go.opentelemetry.io/otel/metric v1.34.0 // indirect
210 | go.opentelemetry.io/otel/trace v1.34.0 // indirect
211 | go.uber.org/atomic v1.11.0 // indirect
212 | go.uber.org/mock v0.4.0 // indirect
213 | go.uber.org/multierr v1.11.0 // indirect
214 | go.uber.org/ratelimit v0.3.0 // indirect
215 | go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
216 | golang.org/x/exp v0.0.0-20250207012021-f9890c6ad9f3 // indirect
217 | golang.org/x/mod v0.23.0 // indirect
218 | golang.org/x/oauth2 v0.28.0 // indirect
219 | golang.org/x/sync v0.13.0 // indirect
220 | golang.org/x/sys v0.32.0 // indirect
221 | golang.org/x/text v0.24.0 // indirect
222 | golang.org/x/tools v0.30.0 // indirect
223 | golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
224 | golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 // indirect
225 | google.golang.org/api v0.227.0 // indirect
226 | google.golang.org/appengine v1.6.8 // indirect
227 | google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
228 | google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
229 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
230 | google.golang.org/grpc v1.71.0 // indirect
231 | gopkg.in/ini.v1 v1.67.0 // indirect
232 | gopkg.in/ns1/ns1-go.v2 v2.13.0 // indirect
233 | gopkg.in/yaml.v2 v2.4.0 // indirect
234 | gopkg.in/yaml.v3 v3.0.1 // indirect
235 | gvisor.dev/gvisor v0.0.0-20231202080848-1f7806d17489 // indirect
236 | lukechampine.com/blake3 v1.3.0 // indirect
237 | )
238 |
239 | replace github.com/exoscale/egoscale => github.com/exoscale/egoscale v0.102.0
240 |
--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "github.com/getsentry/sentry-go"
5 | "github.com/pkg/profile"
6 | "log"
7 | "os"
8 | "time"
9 |
10 | "github.com/The-NeXT-Project/NeXT-Server/cmd"
11 | )
12 |
13 | var enableProfile bool
14 | var enableSentry bool
15 |
16 | func main() {
17 | if enableProfile {
18 | defer profile.Start(profile.CPUProfile, profile.ProfilePath(".")).Stop()
19 | }
20 |
21 | if enableSentry {
22 | err := sentry.Init(sentry.ClientOptions{
23 | Dsn: os.Getenv("SENTRY_DSN"),
24 | })
25 | if err != nil {
26 | log.Fatal(err)
27 | }
28 |
29 | defer sentry.Flush(2 * time.Second)
30 | }
31 |
32 | err := cmd.Execute()
33 | if err != nil {
34 | log.Fatal(err)
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/panel/default.go:
--------------------------------------------------------------------------------
1 | package panel
2 |
3 | import "github.com/The-NeXT-Project/NeXT-Server/service/controller"
4 |
5 | func getDefaultLogConfig() *LogConfig {
6 | return &LogConfig{
7 | Level: "none",
8 | AccessPath: "",
9 | ErrorPath: "",
10 | }
11 | }
12 |
13 | func getDefaultConnectionConfig() *ConnectionConfig {
14 | return &ConnectionConfig{
15 | Handshake: 4,
16 | ConnIdle: 30,
17 | UplinkOnly: 2,
18 | DownlinkOnly: 4,
19 | BufferSize: 64,
20 | }
21 | }
22 |
23 | func getDefaultControllerConfig() *controller.Config {
24 | return &controller.Config{
25 | ListenIP: "0.0.0.0",
26 | SendIP: "0.0.0.0",
27 | UpdatePeriodic: 60,
28 | DNSType: "AsIs",
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/panel/model.go:
--------------------------------------------------------------------------------
1 | package panel
2 |
3 | import (
4 | "github.com/The-NeXT-Project/NeXT-Server/api"
5 | "github.com/The-NeXT-Project/NeXT-Server/service/controller"
6 | )
7 |
8 | type Config struct {
9 | LogConfig *LogConfig `mapstructure:"Log"`
10 | DnsConfigPath string `mapstructure:"DnsConfigPath"`
11 | InboundConfigPath string `mapstructure:"InboundConfigPath"`
12 | OutboundConfigPath string `mapstructure:"OutboundConfigPath"`
13 | RouteConfigPath string `mapstructure:"RouteConfigPath"`
14 | ConnectionConfig *ConnectionConfig `mapstructure:"ConnectionConfig"`
15 | NodesConfig []*NodesConfig `mapstructure:"Nodes"`
16 | }
17 |
18 | type NodesConfig struct {
19 | PanelType string `mapstructure:"PanelType"`
20 | ApiConfig *api.Config `mapstructure:"ApiConfig"`
21 | ControllerConfig *controller.Config `mapstructure:"ControllerConfig"`
22 | }
23 |
24 | type LogConfig struct {
25 | Level string `mapstructure:"Level"`
26 | AccessPath string `mapstructure:"AccessPath"`
27 | ErrorPath string `mapstructure:"ErrorPath"`
28 | }
29 |
30 | type ConnectionConfig struct {
31 | Handshake uint32 `mapstructure:"handshake"`
32 | ConnIdle uint32 `mapstructure:"connIdle"`
33 | UplinkOnly uint32 `mapstructure:"uplinkOnly"`
34 | DownlinkOnly uint32 `mapstructure:"downlinkOnly"`
35 | BufferSize int32 `mapstructure:"bufferSize"`
36 | }
37 |
--------------------------------------------------------------------------------
/panel/panel.go:
--------------------------------------------------------------------------------
1 | package panel
2 |
3 | import (
4 | "encoding/json"
5 | "log"
6 | "os"
7 | "sync"
8 |
9 | "github.com/The-NeXT-Project/NeXT-Server/app/mydispatcher"
10 |
11 | "dario.cat/mergo"
12 | "github.com/r3labs/diff/v2"
13 | "github.com/xtls/xray-core/app/proxyman"
14 | "github.com/xtls/xray-core/app/stats"
15 | "github.com/xtls/xray-core/common/serial"
16 | "github.com/xtls/xray-core/core"
17 | "github.com/xtls/xray-core/infra/conf"
18 |
19 | _ "github.com/The-NeXT-Project/NeXT-Server/all"
20 | "github.com/The-NeXT-Project/NeXT-Server/api"
21 | "github.com/The-NeXT-Project/NeXT-Server/api/sspanel"
22 | "github.com/The-NeXT-Project/NeXT-Server/service"
23 | "github.com/The-NeXT-Project/NeXT-Server/service/controller"
24 | )
25 |
26 | // Panel Structure
27 | type Panel struct {
28 | access sync.Mutex
29 | panelConfig *Config
30 | Server *core.Instance
31 | Service []service.Service
32 | Running bool
33 | }
34 |
35 | func New(panelConfig *Config) *Panel {
36 | p := &Panel{panelConfig: panelConfig}
37 | return p
38 | }
39 |
40 | func (p *Panel) loadCore(panelConfig *Config) *core.Instance {
41 | // Log Config
42 | coreLogConfig := &conf.LogConfig{}
43 |
44 | logConfig := getDefaultLogConfig()
45 |
46 | if panelConfig.LogConfig != nil {
47 | if _, err := diff.Merge(logConfig, panelConfig.LogConfig, logConfig); err != nil {
48 | log.Panicf("Read Log config failed: %s", err)
49 | }
50 | }
51 |
52 | coreLogConfig.LogLevel = logConfig.Level
53 | coreLogConfig.AccessLog = logConfig.AccessPath
54 | coreLogConfig.ErrorLog = logConfig.ErrorPath
55 | // DNS config
56 | coreDnsConfig := &conf.DNSConfig{}
57 |
58 | if panelConfig.DnsConfigPath != "" {
59 | if data, err := os.ReadFile(panelConfig.DnsConfigPath); err != nil {
60 | log.Panicf("Failed to read DNS config file at: %s", panelConfig.DnsConfigPath)
61 | } else {
62 | if err = json.Unmarshal(data, coreDnsConfig); err != nil {
63 | log.Panicf("DNS config is not a valid json file: %s", panelConfig.DnsConfigPath)
64 | }
65 | }
66 | }
67 |
68 | dnsConfig, err := coreDnsConfig.Build()
69 | if err != nil {
70 | log.Panicf("DNS config syntax error: %s", err)
71 | }
72 |
73 | // Routing config
74 | coreRouterConfig := &conf.RouterConfig{}
75 |
76 | if panelConfig.RouteConfigPath != "" {
77 | if data, err := os.ReadFile(panelConfig.RouteConfigPath); err != nil {
78 | log.Panicf("Failed to read Routing config file at: %s", panelConfig.RouteConfigPath)
79 | } else {
80 | if err = json.Unmarshal(data, coreRouterConfig); err != nil {
81 | log.Panicf("Routing config is not a valid json file: %s", panelConfig.RouteConfigPath)
82 | }
83 | }
84 | }
85 |
86 | routeConfig, err := coreRouterConfig.Build()
87 | if err != nil {
88 | log.Panicf("Routing config syntax error: %s", err)
89 | }
90 | // Custom Inbound config
91 | var coreCustomInboundConfig []conf.InboundDetourConfig
92 |
93 | if panelConfig.InboundConfigPath != "" {
94 | if data, err := os.ReadFile(panelConfig.InboundConfigPath); err != nil {
95 | log.Panicf("Failed to read Custom Inbound config file at: %s", panelConfig.OutboundConfigPath)
96 | } else {
97 | if err = json.Unmarshal(data, &coreCustomInboundConfig); err != nil {
98 | log.Panicf("Custom Inbound config is not a valid json file: %s", panelConfig.OutboundConfigPath)
99 | }
100 | }
101 | }
102 |
103 | var inBoundConfig []*core.InboundHandlerConfig
104 |
105 | for _, config := range coreCustomInboundConfig {
106 | oc, err := config.Build()
107 | if err != nil {
108 | log.Panicf("Inbound config syntax error: %s", err)
109 | }
110 | inBoundConfig = append(inBoundConfig, oc)
111 | }
112 | // Custom Outbound config
113 | var coreCustomOutboundConfig []conf.OutboundDetourConfig
114 |
115 | if panelConfig.OutboundConfigPath != "" {
116 | if data, err := os.ReadFile(panelConfig.OutboundConfigPath); err != nil {
117 | log.Panicf("Failed to read Custom Outbound config file at: %s", panelConfig.OutboundConfigPath)
118 | } else {
119 | if err = json.Unmarshal(data, &coreCustomOutboundConfig); err != nil {
120 | log.Panicf("Custom Outbound config is not a valid json file: %s", panelConfig.OutboundConfigPath)
121 | }
122 | }
123 | }
124 |
125 | var outBoundConfig []*core.OutboundHandlerConfig
126 |
127 | for _, config := range coreCustomOutboundConfig {
128 | oc, err := config.Build()
129 | if err != nil {
130 | log.Panicf("Outbound config syntax error: %s", err)
131 | }
132 | outBoundConfig = append(outBoundConfig, oc)
133 | }
134 | // Policy config
135 | levelPolicyConfig := parseConnectionConfig(panelConfig.ConnectionConfig)
136 | corePolicyConfig := &conf.PolicyConfig{}
137 | corePolicyConfig.Levels = map[uint32]*conf.Policy{0: levelPolicyConfig}
138 | policyConfig, _ := corePolicyConfig.Build()
139 | // Build Core Config
140 | config := &core.Config{
141 | App: []*serial.TypedMessage{
142 | serial.ToTypedMessage(coreLogConfig.Build()),
143 | serial.ToTypedMessage(&mydispatcher.Config{}),
144 | serial.ToTypedMessage(&stats.Config{}),
145 | serial.ToTypedMessage(&proxyman.InboundConfig{}),
146 | serial.ToTypedMessage(&proxyman.OutboundConfig{}),
147 | serial.ToTypedMessage(policyConfig),
148 | serial.ToTypedMessage(dnsConfig),
149 | serial.ToTypedMessage(routeConfig),
150 | },
151 | Inbound: inBoundConfig,
152 | Outbound: outBoundConfig,
153 | }
154 |
155 | server, err := core.New(config)
156 | if err != nil {
157 | log.Panicf("failed to create instance: %s", err)
158 | }
159 |
160 | log.Printf("Xray Core Version: %s", core.Version())
161 |
162 | return server
163 | }
164 |
165 | // Start the panel
166 | func (p *Panel) Start() {
167 | p.access.Lock()
168 | defer p.access.Unlock()
169 | log.Print("Start the panel..")
170 | // Load Core
171 | server := p.loadCore(p.panelConfig)
172 | if err := server.Start(); err != nil {
173 | log.Panicf("Failed to start instance: %s", err)
174 | }
175 |
176 | p.Server = server
177 |
178 | // Load Nodes config
179 | for _, nodeConfig := range p.panelConfig.NodesConfig {
180 | var apiClient api.API
181 |
182 | switch nodeConfig.PanelType {
183 | case "sspanel-old":
184 | apiClient = sspanel.New(nodeConfig.ApiConfig)
185 | default:
186 | log.Panicf("Unsupported panel type: %s", nodeConfig.PanelType)
187 | }
188 |
189 | var controllerService service.Service
190 | // Register controller service
191 | controllerConfig := getDefaultControllerConfig()
192 |
193 | if nodeConfig.ControllerConfig != nil {
194 | if err := mergo.Merge(controllerConfig, nodeConfig.ControllerConfig, mergo.WithOverride); err != nil {
195 | log.Panicf("Read Controller Config Failed")
196 | }
197 | }
198 |
199 | controllerService = controller.New(server, apiClient, controllerConfig, nodeConfig.PanelType)
200 | p.Service = append(p.Service, controllerService)
201 | }
202 |
203 | // Start all the service
204 | for _, s := range p.Service {
205 | err := s.Start()
206 | if err != nil {
207 | log.Panicf("Panel Start failed: %s", err)
208 | }
209 | }
210 |
211 | p.Running = true
212 |
213 | return
214 | }
215 |
216 | // Close the panel
217 | func (p *Panel) Close() {
218 | p.access.Lock()
219 | defer p.access.Unlock()
220 |
221 | for _, s := range p.Service {
222 | err := s.Close()
223 | if err != nil {
224 | log.Panicf("Panel Close failed: %s", err)
225 | }
226 | }
227 |
228 | p.Service = nil
229 | p.Server.Close()
230 | p.Running = false
231 |
232 | return
233 | }
234 |
235 | func parseConnectionConfig(c *ConnectionConfig) (policy *conf.Policy) {
236 | connectionConfig := getDefaultConnectionConfig()
237 |
238 | if c != nil {
239 | if _, err := diff.Merge(connectionConfig, c, connectionConfig); err != nil {
240 | log.Panicf("Read ConnectionConfig failed: %s", err)
241 | }
242 | }
243 |
244 | policy = &conf.Policy{
245 | StatsUserUplink: true,
246 | StatsUserDownlink: true,
247 | Handshake: &connectionConfig.Handshake,
248 | ConnectionIdle: &connectionConfig.ConnIdle,
249 | UplinkOnly: &connectionConfig.UplinkOnly,
250 | DownlinkOnly: &connectionConfig.DownlinkOnly,
251 | BufferSize: &connectionConfig.BufferSize,
252 | }
253 |
254 | return
255 | }
256 |
--------------------------------------------------------------------------------
/profile.go:
--------------------------------------------------------------------------------
1 | //go:build enable_profile
2 |
3 | package main
4 |
5 | func init() {
6 | enableProfile = true
7 | }
8 |
--------------------------------------------------------------------------------
/release/config/config.yml.example:
--------------------------------------------------------------------------------
1 | Log:
2 | Level: warning # Log level: none, error, warning, info, debug
3 | AccessPath: # /etc/next-server/access.Log
4 | ErrorPath: # /etc/next-server/error.log
5 | DnsConfigPath: # /etc/next-server/dns.json
6 | RouteConfigPath: # /etc/next-server/route.json
7 | InboundConfigPath: # /etc/next-server/custom_inbound.json
8 | OutboundConfigPath: # /etc/next-server/custom_outbound.json
9 | ConnectionConfig:
10 | Handshake: 4 # Handshake time limit, Second
11 | ConnIdle: 30 # Connection idle time limit, Second
12 | UplinkOnly: 2 # Time limit when the connection downstream is closed, Second
13 | DownlinkOnly: 4 # Time limit when the connection is closed after the uplink is closed, Second
14 | BufferSize: 64 # The internal cache size of each connection, kB
15 | Nodes:
16 | - PanelType: "sspanel-old" # Panel type: sspanel-old, nextpanel-v1(wip)
17 | ApiConfig:
18 | ApiHost: "https://example.com"
19 | ApiKey: "xxx"
20 | NodeID: 1
21 | NodeType: vmess # Node type: vmess, trojan, shadowsocks, shadowsocks2022
22 | Timeout: 30 # Timeout for the api request
23 | SpeedLimit: 0 # Mbps, Local settings will replace remote settings, 0 means disable
24 | DeviceLimit: 0 # Local settings will replace remote settings, 0 means disable
25 | RuleListPath: # /etc/next-server/rulelist Path to local rulelist file
26 | ControllerConfig:
27 | ListenIP: 0.0.0.0 # IP address you want to listen
28 | SendIP: 0.0.0.0 # IP address you want to send pacakage
29 | UpdatePeriodic: 60 # Time to update the nodeinfo, how many sec.
30 | CertConfig:
31 | CertMode: dns # Option about how to get certificate: none, file, http, tls, dns. Choose "none" will forcedly disable the tls config.
32 | CertDomain: "node1.test.com" # Domain to cert
33 | CertFile: /etc/next-server/cert/node1.test.com.cert # Provided if the CertMode is file
34 | KeyFile: /etc/next-server/cert/node1.test.com.key
35 | Provider: # alidns # cloudflare # DNS cert provider, Get the full support list here: https://go-acme.github.io/lego/dns/
36 | Email: xxx@xxx.com
37 | DNSEnv: # DNS ENV option used by DNS provider
38 | # ALICLOUD_ACCESS_KEY: aaa
39 | # ALICLOUD_SECRET_KEY: bbb
40 | # CF_DNS_API_TOKEN: xxx
41 | EnableDNS: false # Use custom DNS config, Please ensure that you set the dns.json well
42 | DNSType: AsIs # AsIs, UseIP, UseIPv4, UseIPv6, DNS strategy
43 | DisableUploadTraffic: false # Disable upload traffic to API
44 | DisableGetRule: false # Disable get rule
45 | EnableProxyProtocol: false # Only works for WebSocket and TCP
46 | DisableIVCheck: false # Disable IV check
47 | DisableSniffing: false # Disable sniffing
48 | AutoSpeedLimitConfig:
49 | Limit: 0 # Warned speed. Set to 0 to disable AutoSpeedLimit (mbps)
50 | WarnTimes: 0 # After (WarnTimes) consecutive warnings, the user will be limited. Set to 0 to punish overspeed user immediately.
51 | LimitSpeed: 0 # The speedlimit of a limited user (unit: mbps)
52 | LimitDuration: 0 # How many minutes will the limiting last (unit: minute)
53 |
--------------------------------------------------------------------------------
/release/config/custom_inbound.json:
--------------------------------------------------------------------------------
1 | []
--------------------------------------------------------------------------------
/release/config/custom_outbound.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "tag": "IPv4_out",
4 | "protocol": "freedom",
5 | "settings": {}
6 | },
7 | {
8 | "tag": "IPv6_out",
9 | "protocol": "freedom",
10 | "settings": {
11 | "domainStrategy": "UseIPv6"
12 | }
13 | },
14 | {
15 | "protocol": "blackhole",
16 | "tag": "block"
17 | }
18 | ]
--------------------------------------------------------------------------------
/release/config/dns.json:
--------------------------------------------------------------------------------
1 | {
2 | "servers": [
3 | "1.1.1.1",
4 | "1.0.0.1",
5 | "localhost"
6 | ],
7 | "tag": "dns_inbound"
8 | }
--------------------------------------------------------------------------------
/release/config/route.json:
--------------------------------------------------------------------------------
1 | {
2 | "domainStrategy": "IPOnDemand",
3 | "rules": [
4 | {
5 | "type": "field",
6 | "outboundTag": "block",
7 | "ip": [
8 | "geoip:private"
9 | ]
10 | },
11 | {
12 | "type": "field",
13 | "outboundTag": "block",
14 | "protocol": [
15 | "bittorrent"
16 | ]
17 | },
18 | {
19 | "type": "field",
20 | "outboundTag": "IPv6_out",
21 | "domain": [
22 | "geosite:netflix"
23 | ]
24 | },
25 | {
26 | "type": "field",
27 | "outboundTag": "IPv4_out",
28 | "network": "udp,tcp"
29 | }
30 | ]
31 | }
--------------------------------------------------------------------------------
/release/config/rulelist:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-NeXT-Project/NeXT-Server/743bc887e13d7ad55d79c3e60c9407127048d9c6/release/config/rulelist
--------------------------------------------------------------------------------
/sentry.go:
--------------------------------------------------------------------------------
1 | //go:build enable_sentry
2 |
3 | package main
4 |
5 | func init() {
6 | enableSentry = true
7 | }
8 |
--------------------------------------------------------------------------------
/service/controller/controller.go:
--------------------------------------------------------------------------------
1 | package controller
2 |
3 | import (
4 | "context"
5 | "errors"
6 | "fmt"
7 | "github.com/xtls/xray-core/proxy"
8 | "log"
9 | "reflect"
10 | "time"
11 |
12 | "github.com/xtls/xray-core/common/protocol"
13 | "github.com/xtls/xray-core/common/task"
14 | "github.com/xtls/xray-core/core"
15 | "github.com/xtls/xray-core/features/inbound"
16 | "github.com/xtls/xray-core/features/outbound"
17 | "github.com/xtls/xray-core/features/routing"
18 | "github.com/xtls/xray-core/features/stats"
19 |
20 | "github.com/The-NeXT-Project/NeXT-Server/api"
21 | "github.com/The-NeXT-Project/NeXT-Server/app/mydispatcher"
22 | "github.com/The-NeXT-Project/NeXT-Server/common/mylego"
23 | )
24 |
25 | type LimitInfo struct {
26 | end int64
27 | currentSpeedLimit int
28 | originSpeedLimit uint64
29 | }
30 |
31 | type Controller struct {
32 | server *core.Instance
33 | config *Config
34 | clientInfo api.ClientInfo
35 | apiClient api.API
36 | nodeInfo *api.NodeInfo
37 | Tag string
38 | userList *[]api.UserInfo
39 | tasks []periodicTask
40 | limitedUsers map[api.UserInfo]LimitInfo
41 | warnedUsers map[api.UserInfo]int
42 | panelType string
43 | ibm inbound.Manager
44 | obm outbound.Manager
45 | stm stats.Manager
46 | dispatcher *mydispatcher.DefaultDispatcher
47 | startAt time.Time
48 | }
49 |
50 | type periodicTask struct {
51 | tag string
52 | *task.Periodic
53 | }
54 |
55 | // New return a Controller service with default parameters.
56 | func New(server *core.Instance, api api.API, config *Config, panelType string) *Controller {
57 | controller := &Controller{
58 | server: server,
59 | config: config,
60 | apiClient: api,
61 | panelType: panelType,
62 | ibm: server.GetFeature(inbound.ManagerType()).(inbound.Manager),
63 | obm: server.GetFeature(outbound.ManagerType()).(outbound.Manager),
64 | stm: server.GetFeature(stats.ManagerType()).(stats.Manager),
65 | dispatcher: server.GetFeature(routing.DispatcherType()).(*mydispatcher.DefaultDispatcher),
66 | startAt: time.Now(),
67 | }
68 |
69 | return controller
70 | }
71 |
72 | // Start implement the Start() function of the service interface
73 | func (c *Controller) Start() error {
74 | c.clientInfo = c.apiClient.Describe()
75 | // First fetch Node Info
76 | newNodeInfo, err := c.apiClient.GetNodeInfo()
77 | if err != nil {
78 | return err
79 | }
80 | if newNodeInfo.Port == 0 {
81 | return errors.New("server port must > 0")
82 | }
83 | c.nodeInfo = newNodeInfo
84 | c.Tag = c.buildNodeTag()
85 |
86 | // Add new tag
87 | err = c.addNewTag(newNodeInfo)
88 | if err != nil {
89 | log.Panic(err)
90 | return err
91 | }
92 | // Update user
93 | userInfo, err := c.apiClient.GetUserList()
94 | if err != nil {
95 | return err
96 | }
97 |
98 | // sync controller userList
99 | c.userList = userInfo
100 |
101 | err = c.addNewUser(userInfo, newNodeInfo)
102 | if err != nil {
103 | return err
104 | }
105 |
106 | // Add Limiter
107 | if err := c.AddInboundLimiter(c.Tag, newNodeInfo.SpeedLimit, userInfo); err != nil {
108 | log.Print(err)
109 | }
110 |
111 | // Add Rule Manager
112 | if !c.config.DisableGetRule {
113 | if ruleList, err := c.apiClient.GetNodeRule(); err != nil {
114 | log.Printf("Get rule list filed: %s", err)
115 | } else if len(*ruleList) > 0 {
116 | if err := c.UpdateRule(c.Tag, *ruleList); err != nil {
117 | log.Print(err)
118 | }
119 | }
120 | }
121 |
122 | // Init AutoSpeedLimitConfig
123 | if c.config.AutoSpeedLimitConfig == nil {
124 | c.config.AutoSpeedLimitConfig = &AutoSpeedLimitConfig{0, 0, 0, 0}
125 | }
126 | if c.config.AutoSpeedLimitConfig.Limit > 0 {
127 | c.limitedUsers = make(map[api.UserInfo]LimitInfo)
128 | c.warnedUsers = make(map[api.UserInfo]int)
129 | }
130 |
131 | // Add periodic tasks
132 | c.tasks = append(c.tasks,
133 | periodicTask{
134 | tag: "node monitor",
135 | Periodic: &task.Periodic{
136 | Interval: time.Duration(c.config.UpdatePeriodic) * time.Second,
137 | Execute: c.nodeInfoMonitor,
138 | }},
139 | periodicTask{
140 | tag: "user monitor",
141 | Periodic: &task.Periodic{
142 | Interval: time.Duration(c.config.UpdatePeriodic) * time.Second,
143 | Execute: c.userInfoMonitor,
144 | }},
145 | )
146 |
147 | // Check cert service in need
148 | if c.nodeInfo.EnableTLS {
149 | c.tasks = append(c.tasks, periodicTask{
150 | tag: "cert monitor",
151 | Periodic: &task.Periodic{
152 | Interval: time.Duration(c.config.UpdatePeriodic) * time.Second * 60,
153 | Execute: c.certMonitor,
154 | }})
155 | }
156 |
157 | // Start periodic tasks
158 | for i := range c.tasks {
159 | log.Printf("%s Start %s periodic task", c.logPrefix(), c.tasks[i].tag)
160 | go c.tasks[i].Start()
161 | }
162 |
163 | return nil
164 | }
165 |
166 | // Close implement the Close() function of the service interface
167 | func (c *Controller) Close() error {
168 | for i := range c.tasks {
169 | if c.tasks[i].Periodic != nil {
170 | if err := c.tasks[i].Periodic.Close(); err != nil {
171 | log.Panicf("%s %s periodic task close failed: %s", c.logPrefix(), c.tasks[i].tag, err)
172 | }
173 | }
174 | }
175 |
176 | return nil
177 | }
178 |
179 | func (c *Controller) nodeInfoMonitor() (err error) {
180 | // delay to start
181 | if time.Since(c.startAt) < time.Duration(c.config.UpdatePeriodic)*time.Second {
182 | return nil
183 | }
184 |
185 | // First fetch Node Info
186 | var nodeInfoChanged = true
187 | newNodeInfo, err := c.apiClient.GetNodeInfo()
188 | if err != nil {
189 | if err.Error() == api.NodeNotModified {
190 | nodeInfoChanged = false
191 | newNodeInfo = c.nodeInfo
192 | } else {
193 | log.Print(err)
194 | return nil
195 | }
196 | }
197 |
198 | if newNodeInfo.Port == 0 {
199 | return errors.New("server port must > 0")
200 | }
201 |
202 | // Update User
203 | var usersChanged = true
204 | newUserInfo, err := c.apiClient.GetUserList()
205 | if err != nil {
206 | if err.Error() == api.UserNotModified {
207 | usersChanged = false
208 | newUserInfo = c.userList
209 | } else {
210 | log.Print(err)
211 | return nil
212 | }
213 | }
214 |
215 | // If nodeInfo changed
216 | if nodeInfoChanged {
217 | if !reflect.DeepEqual(c.nodeInfo, newNodeInfo) {
218 | // Remove old tag
219 | oldTag := c.Tag
220 | err := c.removeOldTag(oldTag)
221 | if err != nil {
222 | log.Print(err)
223 | return nil
224 | }
225 | // Add new tag
226 | c.nodeInfo = newNodeInfo
227 | c.Tag = c.buildNodeTag()
228 | err = c.addNewTag(newNodeInfo)
229 | if err != nil {
230 | log.Print(err)
231 | return nil
232 | }
233 | nodeInfoChanged = true
234 | // Remove Old limiter
235 | if err = c.DeleteInboundLimiter(oldTag); err != nil {
236 | log.Print(err)
237 | return nil
238 | }
239 | } else {
240 | nodeInfoChanged = false
241 | }
242 | }
243 |
244 | // Check Rule
245 | if !c.config.DisableGetRule {
246 | if ruleList, err := c.apiClient.GetNodeRule(); err != nil {
247 | if err.Error() != api.RuleNotModified {
248 | log.Printf("Get rule list filed: %s", err)
249 | }
250 | } else if len(*ruleList) > 0 {
251 | if err := c.UpdateRule(c.Tag, *ruleList); err != nil {
252 | log.Print(err)
253 | }
254 | }
255 | }
256 |
257 | if nodeInfoChanged {
258 | err = c.addNewUser(newUserInfo, newNodeInfo)
259 | if err != nil {
260 | log.Print(err)
261 | return nil
262 | }
263 |
264 | // Add Limiter
265 | if err := c.AddInboundLimiter(c.Tag, newNodeInfo.SpeedLimit, newUserInfo); err != nil {
266 | log.Print(err)
267 | return nil
268 | }
269 |
270 | } else {
271 | var deleted, added []api.UserInfo
272 |
273 | if usersChanged {
274 | deleted, added = compareUserList(c.userList, newUserInfo)
275 |
276 | if len(deleted) > 0 {
277 | deletedEmail := make([]string, len(deleted))
278 | for i, u := range deleted {
279 | deletedEmail[i] = fmt.Sprintf("%s|%s|%d", c.Tag, u.Email, u.UID)
280 | }
281 | err := c.removeUsers(deletedEmail, c.Tag)
282 | if err != nil {
283 | log.Print(err)
284 | }
285 | }
286 | if len(added) > 0 {
287 | err = c.addNewUser(&added, c.nodeInfo)
288 | if err != nil {
289 | log.Print(err)
290 | }
291 | // Update Limiter
292 | if err := c.UpdateInboundLimiter(c.Tag, &added); err != nil {
293 | log.Print(err)
294 | }
295 | }
296 | }
297 |
298 | log.Printf("%s %d user deleted, %d user added", c.logPrefix(), len(deleted), len(added))
299 | }
300 |
301 | c.userList = newUserInfo
302 |
303 | return nil
304 | }
305 |
306 | func (c *Controller) removeOldTag(oldTag string) (err error) {
307 | err = c.removeInbound(oldTag)
308 | if err != nil {
309 | return err
310 | }
311 |
312 | err = c.removeOutbound(oldTag)
313 | if err != nil {
314 | return err
315 | }
316 |
317 | return nil
318 | }
319 |
320 | func (c *Controller) addNewTag(newNodeInfo *api.NodeInfo) (err error) {
321 | inboundConfig, err := InboundBuilder(c.config, newNodeInfo, c.Tag)
322 | if err != nil {
323 | return err
324 | }
325 |
326 | err = c.addInbound(inboundConfig)
327 | if err != nil {
328 |
329 | return err
330 | }
331 |
332 | outBoundConfig, err := OutboundBuilder(c.config, newNodeInfo, c.Tag)
333 | if err != nil {
334 |
335 | return err
336 | }
337 |
338 | err = c.addOutbound(outBoundConfig)
339 | if err != nil {
340 |
341 | return err
342 | }
343 |
344 | return nil
345 | }
346 |
347 | func (c *Controller) addNewUser(userInfo *[]api.UserInfo, nodeInfo *api.NodeInfo) (err error) {
348 | users := make([]*protocol.User, 0)
349 |
350 | switch nodeInfo.NodeType {
351 | case "vmess":
352 | users = c.buildVmessUser(userInfo)
353 | case "trojan":
354 | users = c.buildTrojanUser(userInfo)
355 | case "shadowsocks":
356 | users = c.buildSSUser(userInfo)
357 | case "shadowsocks2022":
358 | users = c.buildSS2022User(userInfo)
359 | default:
360 | return fmt.Errorf("unsupported node type: %s", nodeInfo.NodeType)
361 | }
362 |
363 | err = c.addUsers(users, c.Tag)
364 | if err != nil {
365 | return err
366 | }
367 | log.Printf("%s Added %d new users", c.logPrefix(), len(*userInfo))
368 |
369 | return nil
370 | }
371 |
372 | func compareUserList(old, new *[]api.UserInfo) (deleted, added []api.UserInfo) {
373 | mSrc := make(map[api.UserInfo]byte) // 按源数组建索引
374 | mAll := make(map[api.UserInfo]byte) // 源+目所有元素建索引
375 |
376 | var set []api.UserInfo // 交集
377 |
378 | // 1.源数组建立map
379 | for _, v := range *old {
380 | mSrc[v] = 0
381 | mAll[v] = 0
382 | }
383 | // 2.目数组中,存不进去,即重复元素,所有存不进去的集合就是并集
384 | for _, v := range *new {
385 | l := len(mAll)
386 | mAll[v] = 1
387 | if l != len(mAll) { // 长度变化,即可以存
388 | l = len(mAll)
389 | } else { // 存不了,进并集
390 | set = append(set, v)
391 | }
392 | }
393 | // 3.遍历交集,在并集中找,找到就从并集中删,删完后就是补集(即并-交=所有变化的元素)
394 | for _, v := range set {
395 | delete(mAll, v)
396 | }
397 | // 4.此时,mall是补集,所有元素去源中找,找到就是删除的,找不到的必定能在目数组中找到,即新加的
398 | for v := range mAll {
399 | _, exist := mSrc[v]
400 | if exist {
401 | deleted = append(deleted, v)
402 | } else {
403 | added = append(added, v)
404 | }
405 | }
406 |
407 | return deleted, added
408 | }
409 |
410 | func limitUser(c *Controller, user api.UserInfo, silentUsers *[]api.UserInfo) {
411 | c.limitedUsers[user] = LimitInfo{
412 | end: time.Now().Unix() + int64(c.config.AutoSpeedLimitConfig.LimitDuration*60),
413 | currentSpeedLimit: c.config.AutoSpeedLimitConfig.LimitSpeed,
414 | originSpeedLimit: user.SpeedLimit,
415 | }
416 |
417 | log.Printf("Limit User: %s Speed: %d End: %s", c.buildUserTag(&user), c.config.AutoSpeedLimitConfig.LimitSpeed, time.Unix(c.limitedUsers[user].end, 0).Format("01-02 15:04:05"))
418 | user.SpeedLimit = uint64((c.config.AutoSpeedLimitConfig.LimitSpeed * 1000000) / 8)
419 | *silentUsers = append(*silentUsers, user)
420 | }
421 |
422 | func (c *Controller) userInfoMonitor() (err error) {
423 | // delay to start
424 | if time.Since(c.startAt) < time.Duration(c.config.UpdatePeriodic)*time.Second {
425 | return nil
426 | }
427 | // Unlock users
428 | if c.config.AutoSpeedLimitConfig.Limit > 0 && len(c.limitedUsers) > 0 {
429 | log.Printf("%s Limited users:", c.logPrefix())
430 | toReleaseUsers := make([]api.UserInfo, 0)
431 |
432 | for user, limitInfo := range c.limitedUsers {
433 | if time.Now().Unix() > limitInfo.end {
434 | user.SpeedLimit = limitInfo.originSpeedLimit
435 | toReleaseUsers = append(toReleaseUsers, user)
436 | log.Printf("User: %s Speed: %d End: nil (Unlimit)", c.buildUserTag(&user), user.SpeedLimit)
437 | delete(c.limitedUsers, user)
438 | } else {
439 | log.Printf("User: %s Speed: %d End: %s", c.buildUserTag(&user), limitInfo.currentSpeedLimit, time.Unix(c.limitedUsers[user].end, 0).Format("01-02 15:04:05"))
440 | }
441 | }
442 |
443 | if len(toReleaseUsers) > 0 {
444 | if err := c.UpdateInboundLimiter(c.Tag, &toReleaseUsers); err != nil {
445 | log.Print(err)
446 | }
447 | }
448 | }
449 |
450 | // Get User traffic
451 | var userTraffic []api.UserTraffic
452 | var upCounterList []stats.Counter
453 | var downCounterList []stats.Counter
454 | AutoSpeedLimit := int64(c.config.AutoSpeedLimitConfig.Limit)
455 | UpdatePeriodic := int64(c.config.UpdatePeriodic)
456 | limitedUsers := make([]api.UserInfo, 0)
457 |
458 | for _, user := range *c.userList {
459 | up, down, upCounter, downCounter := c.getTraffic(c.buildUserTag(&user))
460 | if up > 0 || down > 0 {
461 | // Over speed users
462 | if AutoSpeedLimit > 0 {
463 | if down > AutoSpeedLimit*1000000*UpdatePeriodic/8 || up > AutoSpeedLimit*1000000*UpdatePeriodic/8 {
464 | if _, ok := c.limitedUsers[user]; !ok {
465 | if c.config.AutoSpeedLimitConfig.WarnTimes == 0 {
466 | limitUser(c, user, &limitedUsers)
467 | } else {
468 | c.warnedUsers[user] += 1
469 | if c.warnedUsers[user] > c.config.AutoSpeedLimitConfig.WarnTimes {
470 | limitUser(c, user, &limitedUsers)
471 | delete(c.warnedUsers, user)
472 | }
473 | }
474 | }
475 | } else {
476 | delete(c.warnedUsers, user)
477 | }
478 | }
479 | userTraffic = append(userTraffic, api.UserTraffic{
480 | UID: user.UID,
481 | Email: user.Email,
482 | Upload: up,
483 | Download: down})
484 |
485 | if upCounter != nil {
486 | upCounterList = append(upCounterList, upCounter)
487 | }
488 |
489 | if downCounter != nil {
490 | downCounterList = append(downCounterList, downCounter)
491 | }
492 | } else {
493 | delete(c.warnedUsers, user)
494 | }
495 | }
496 |
497 | if len(limitedUsers) > 0 {
498 | if err := c.UpdateInboundLimiter(c.Tag, &limitedUsers); err != nil {
499 | log.Print(err)
500 | }
501 | }
502 |
503 | if len(userTraffic) > 0 {
504 | var err error // Define an empty error
505 | if !c.config.DisableUploadTraffic {
506 | err = c.apiClient.ReportUserTraffic(&userTraffic)
507 | }
508 | // If report traffic error, not clear the traffic
509 | if err != nil {
510 | log.Print(err)
511 | } else {
512 | c.resetTraffic(&upCounterList, &downCounterList)
513 | }
514 | }
515 |
516 | // Report Online info
517 | if onlineDevice, err := c.GetOnlineDevice(c.Tag); err != nil {
518 | log.Print(err)
519 | } else if len(*onlineDevice) > 0 {
520 | if err = c.apiClient.ReportNodeOnlineUsers(onlineDevice); err != nil {
521 | log.Print(err)
522 | } else {
523 | log.Printf("%s Report %d online users", c.logPrefix(), len(*onlineDevice))
524 | }
525 | }
526 |
527 | // Report Illegal user
528 | if detectResult, err := c.GetDetectResult(c.Tag); err != nil {
529 | log.Print(err)
530 | } else if len(*detectResult) > 0 {
531 | if err = c.apiClient.ReportIllegal(detectResult); err != nil {
532 | log.Print(err)
533 | } else {
534 | log.Printf("%s Report %d illegal behaviors", c.logPrefix(), len(*detectResult))
535 | }
536 |
537 | }
538 |
539 | return nil
540 | }
541 |
542 | func (c *Controller) buildNodeTag() string {
543 | return fmt.Sprintf("%s_%s_%d", c.nodeInfo.NodeType, c.config.ListenIP, c.nodeInfo.Port)
544 | }
545 |
546 | func (c *Controller) logPrefix() string {
547 | return fmt.Sprintf("[%s] %s(ID=%d)", c.clientInfo.APIHost, c.nodeInfo.NodeType, c.nodeInfo.NodeID)
548 | }
549 |
550 | // Check Cert
551 | func (c *Controller) certMonitor() error {
552 | if c.nodeInfo.EnableTLS {
553 | switch c.config.CertConfig.CertMode {
554 | case "dns", "http", "tls":
555 | lego, err := mylego.New(c.config.CertConfig)
556 | if err != nil {
557 | log.Print(err)
558 | }
559 | // Xray-core supports the OcspStapling certification hot renew
560 | _, _, _, err = lego.RenewCert()
561 | if err != nil {
562 | log.Print(err)
563 | }
564 | }
565 | }
566 |
567 | return nil
568 | }
569 |
570 | func (c *Controller) removeInbound(tag string) error {
571 | err := c.ibm.RemoveHandler(context.Background(), tag)
572 | return err
573 | }
574 |
575 | func (c *Controller) removeOutbound(tag string) error {
576 | err := c.obm.RemoveHandler(context.Background(), tag)
577 | return err
578 | }
579 |
580 | func (c *Controller) addInbound(config *core.InboundHandlerConfig) error {
581 | rawHandler, err := core.CreateObject(c.server, config)
582 | if err != nil {
583 | return err
584 | }
585 |
586 | handler, ok := rawHandler.(inbound.Handler)
587 | if !ok {
588 | return fmt.Errorf("not an InboundHandler: %s", err)
589 | }
590 | if err := c.ibm.AddHandler(context.Background(), handler); err != nil {
591 | return err
592 | }
593 |
594 | return nil
595 | }
596 |
597 | func (c *Controller) addOutbound(config *core.OutboundHandlerConfig) error {
598 | rawHandler, err := core.CreateObject(c.server, config)
599 | if err != nil {
600 | return err
601 | }
602 |
603 | handler, ok := rawHandler.(outbound.Handler)
604 | if !ok {
605 | return fmt.Errorf("not an InboundHandler: %s", err)
606 | }
607 | if err := c.obm.AddHandler(context.Background(), handler); err != nil {
608 | return err
609 | }
610 |
611 | return nil
612 | }
613 |
614 | func (c *Controller) addUsers(users []*protocol.User, tag string) error {
615 | handler, err := c.ibm.GetHandler(context.Background(), tag)
616 | if err != nil {
617 | return fmt.Errorf("no such inbound tag: %s", err)
618 | }
619 |
620 | inboundInstance, ok := handler.(proxy.GetInbound)
621 | if !ok {
622 | return fmt.Errorf("handler %s has not implemented proxy.GetInbound", tag)
623 | }
624 |
625 | userManager, ok := inboundInstance.GetInbound().(proxy.UserManager)
626 | if !ok {
627 | return fmt.Errorf("handler %s has not implemented proxy.UserManager", tag)
628 | }
629 |
630 | for _, item := range users {
631 | mUser, err := item.ToMemoryUser()
632 | if err != nil {
633 | return err
634 | }
635 | err = userManager.AddUser(context.Background(), mUser)
636 | if err != nil {
637 | return err
638 | }
639 | }
640 |
641 | return nil
642 | }
643 |
644 | func (c *Controller) removeUsers(users []string, tag string) error {
645 | handler, err := c.ibm.GetHandler(context.Background(), tag)
646 | if err != nil {
647 | return fmt.Errorf("no such inbound tag: %s", err)
648 | }
649 |
650 | inboundInstance, ok := handler.(proxy.GetInbound)
651 | if !ok {
652 | return fmt.Errorf("handler %s is not implement proxy.GetInbound", tag)
653 | }
654 |
655 | userManager, ok := inboundInstance.GetInbound().(proxy.UserManager)
656 | if !ok {
657 | return fmt.Errorf("handler %s is not implement proxy.UserManager", err)
658 | }
659 |
660 | for _, email := range users {
661 | err = userManager.RemoveUser(context.Background(), email)
662 | if err != nil {
663 | return err
664 | }
665 | }
666 |
667 | return nil
668 | }
669 |
670 | func (c *Controller) getTraffic(email string) (up int64, down int64, upCounter stats.Counter, downCounter stats.Counter) {
671 | upName := "user>>>" + email + ">>>traffic>>>uplink"
672 | downName := "user>>>" + email + ">>>traffic>>>downlink"
673 | upCounter = c.stm.GetCounter(upName)
674 | downCounter = c.stm.GetCounter(downName)
675 |
676 | if upCounter != nil && upCounter.Value() != 0 {
677 | up = upCounter.Value()
678 | } else {
679 | upCounter = nil
680 | }
681 |
682 | if downCounter != nil && downCounter.Value() != 0 {
683 | down = downCounter.Value()
684 | } else {
685 | downCounter = nil
686 | }
687 |
688 | return up, down, upCounter, downCounter
689 | }
690 |
691 | func (c *Controller) resetTraffic(upCounterList *[]stats.Counter, downCounterList *[]stats.Counter) {
692 | for _, upCounter := range *upCounterList {
693 | upCounter.Set(0)
694 | }
695 |
696 | for _, downCounter := range *downCounterList {
697 | downCounter.Set(0)
698 | }
699 | }
700 |
701 | func (c *Controller) AddInboundLimiter(tag string, nodeSpeedLimit uint64, userList *[]api.UserInfo) error {
702 | err := c.dispatcher.Limiter.AddInboundLimiter(tag, nodeSpeedLimit, userList)
703 | return err
704 | }
705 |
706 | func (c *Controller) UpdateInboundLimiter(tag string, updatedUserList *[]api.UserInfo) error {
707 | err := c.dispatcher.Limiter.UpdateInboundLimiter(tag, updatedUserList)
708 | return err
709 | }
710 |
711 | func (c *Controller) DeleteInboundLimiter(tag string) error {
712 | err := c.dispatcher.Limiter.DeleteInboundLimiter(tag)
713 | return err
714 | }
715 |
716 | func (c *Controller) GetOnlineDevice(tag string) (*[]api.OnlineUser, error) {
717 | return c.dispatcher.Limiter.GetOnlineDevice(tag)
718 | }
719 |
720 | func (c *Controller) UpdateRule(tag string, newRuleList []api.DetectRule) error {
721 | err := c.dispatcher.RuleManager.UpdateRule(tag, newRuleList)
722 | return err
723 | }
724 |
725 | func (c *Controller) GetDetectResult(tag string) (*[]api.DetectResult, error) {
726 | return c.dispatcher.RuleManager.GetDetectResult(tag)
727 | }
728 |
--------------------------------------------------------------------------------
/service/controller/inbound.go:
--------------------------------------------------------------------------------
1 | // Package controller Package generate the InboundConfig used by add inbound
2 | package controller
3 |
4 | import (
5 | "crypto/rand"
6 | "encoding/base64"
7 | "encoding/hex"
8 | "encoding/json"
9 | "fmt"
10 | "strings"
11 |
12 | "github.com/xtls/xray-core/common/net"
13 | "github.com/xtls/xray-core/core"
14 | "github.com/xtls/xray-core/infra/conf"
15 |
16 | "github.com/The-NeXT-Project/NeXT-Server/api"
17 | "github.com/The-NeXT-Project/NeXT-Server/common/mylego"
18 | )
19 |
20 | // InboundBuilder build Inbound config for different protocol
21 | func InboundBuilder(config *Config, nodeInfo *api.NodeInfo, tag string) (*core.InboundHandlerConfig, error) {
22 | inboundDetourConfig := &conf.InboundDetourConfig{}
23 | // Build Listen IP address
24 | if config.ListenIP != "" {
25 | ipAddress := net.ParseAddress(config.ListenIP)
26 | inboundDetourConfig.ListenOn = &conf.Address{Address: ipAddress}
27 | }
28 | // Build Port
29 | portList := &conf.PortList{
30 | Range: []conf.PortRange{{From: nodeInfo.Port, To: nodeInfo.Port}},
31 | }
32 |
33 | inboundDetourConfig.PortList = portList
34 | // Build Tag
35 | inboundDetourConfig.Tag = tag
36 | // SniffingConfig
37 | sniffingConfig := &conf.SniffingConfig{
38 | Enabled: true,
39 | DestOverride: &conf.StringList{"http", "tls"},
40 | RouteOnly: true,
41 | }
42 |
43 | if config.DisableSniffing {
44 | sniffingConfig.Enabled = false
45 | }
46 |
47 | inboundDetourConfig.SniffingConfig = sniffingConfig
48 |
49 | var (
50 | protocol string
51 | streamSetting *conf.StreamConfig
52 | setting json.RawMessage
53 | proxySetting any
54 | )
55 | // Build Protocol and Protocol setting
56 | switch nodeInfo.NodeType {
57 | case "vmess":
58 | protocol = "vmess"
59 | proxySetting = &conf.VMessInboundConfig{}
60 | case "trojan":
61 | protocol = "trojan"
62 | proxySetting = &conf.TrojanServerConfig{}
63 | case "shadowsocks":
64 | protocol = "shadowsocks"
65 | ssSetting := &conf.ShadowsocksServerConfig{}
66 | // shadowsocks must have a random password
67 | b := make([]byte, 32)
68 | _, _ = rand.Read(b)
69 | ssSetting.Password = hex.EncodeToString(b)
70 | ssSetting.NetworkList = &conf.NetworkList{"tcp", "udp"}
71 | ssSetting.IVCheck = !config.DisableIVCheck
72 |
73 | proxySetting = ssSetting
74 | case "shadowsocks2022":
75 | protocol = "shadowsocks"
76 | ss2022Setting := &conf.ShadowsocksServerConfig{}
77 | ss2022Setting.Cipher = strings.ToLower(nodeInfo.CipherMethod)
78 | ss2022Setting.Password = nodeInfo.ServerKey // shadowsocks2022 shareKey
79 | // shadowsocks2022's password == user PSK, thus should a length of string >= 32 and base64 encoder
80 | b := make([]byte, 32)
81 | _, _ = rand.Read(b)
82 |
83 | ss2022Setting.Users = append(ss2022Setting.Users, &conf.ShadowsocksUserConfig{
84 | Password: base64.StdEncoding.EncodeToString(b),
85 | })
86 |
87 | ss2022Setting.NetworkList = &conf.NetworkList{"tcp", "udp"}
88 | ss2022Setting.IVCheck = !config.DisableIVCheck
89 |
90 | proxySetting = ss2022Setting
91 | default:
92 | return nil, fmt.Errorf("unsupported node type:"+
93 | " %s, Only support: vmess, trojan, shadowsocks and shadowsocks2022", nodeInfo.NodeType)
94 | }
95 |
96 | setting, err := json.Marshal(proxySetting)
97 | if err != nil {
98 | return nil, fmt.Errorf("marshal proxy %s config failed: %s", nodeInfo.NodeType, err)
99 | }
100 |
101 | inboundDetourConfig.Protocol = protocol
102 | inboundDetourConfig.Settings = &setting
103 | // Build streamSettings
104 | streamSetting = new(conf.StreamConfig)
105 | transportProtocol := conf.TransportProtocol(nodeInfo.TransportProtocol)
106 |
107 | networkType, err := transportProtocol.Build()
108 | if err != nil {
109 | return nil, fmt.Errorf("convert TransportProtocol failed: %s", err)
110 | }
111 |
112 | hosts := conf.StringList{nodeInfo.Host}
113 |
114 | switch networkType {
115 | case "tcp":
116 | tcpSetting := &conf.TCPConfig{
117 | AcceptProxyProtocol: config.EnableProxyProtocol,
118 | HeaderConfig: nodeInfo.Header,
119 | }
120 |
121 | streamSetting.TCPSettings = tcpSetting
122 | case "websocket":
123 | headers := make(map[string]string)
124 | headers["Host"] = nodeInfo.Host
125 |
126 | wsSettings := &conf.WebSocketConfig{
127 | AcceptProxyProtocol: config.EnableProxyProtocol,
128 | Path: nodeInfo.Path,
129 | Headers: headers,
130 | }
131 |
132 | streamSetting.WSSettings = wsSettings
133 | case "http":
134 | httpSettings := &conf.HTTPConfig{
135 | Host: &hosts,
136 | Path: nodeInfo.Path,
137 | }
138 |
139 | streamSetting.HTTPSettings = httpSettings
140 | case "httpupgrade":
141 | httpSettings := &conf.HTTPConfig{
142 | Host: &hosts,
143 | Path: nodeInfo.Path,
144 | }
145 |
146 | streamSetting.HTTPSettings = httpSettings
147 | case "splithttp":
148 | var headers map[string]string
149 | _ = json.Unmarshal(nodeInfo.Header, &headers)
150 |
151 | splitHttpSettings := &conf.SplitHTTPConfig{
152 | Host: nodeInfo.Host,
153 | Path: nodeInfo.Path,
154 | Headers: headers,
155 | }
156 |
157 | streamSetting.SplitHTTPSettings = splitHttpSettings
158 | case "grpc":
159 | grpcSettings := &conf.GRPCConfig{
160 | ServiceName: nodeInfo.ServiceName,
161 | }
162 |
163 | streamSetting.GRPCConfig = grpcSettings
164 | case "quic":
165 | quicSettings := &conf.QUICConfig{
166 | Security: "none",
167 | }
168 |
169 | streamSetting.QUICSettings = quicSettings
170 | case "kcp":
171 | mtu := uint32(1350)
172 | upCap := uint32(100)
173 | downCap := uint32(100)
174 | congestion := true
175 |
176 | kcpSettings := &conf.KCPConfig{
177 | Mtu: &mtu,
178 | UpCap: &upCap,
179 | DownCap: &downCap,
180 | Congestion: &congestion,
181 | }
182 |
183 | streamSetting.KCPSettings = kcpSettings
184 | }
185 |
186 | streamSetting.Network = &transportProtocol
187 |
188 | if nodeInfo.EnableTLS && config.CertConfig.CertMode != "none" {
189 | streamSetting.Security = "tls"
190 |
191 | certFile, keyFile, err := getCertFile(config.CertConfig)
192 | if err != nil {
193 | return nil, err
194 | }
195 |
196 | tlsSettings := &conf.TLSConfig{
197 | RejectUnknownSNI: config.CertConfig.RejectUnknownSni,
198 | }
199 |
200 | tlsSettings.Certs = append(tlsSettings.Certs, &conf.TLSCertConfig{CertFile: certFile, KeyFile: keyFile, OcspStapling: 3600})
201 | streamSetting.TLSSettings = tlsSettings
202 | }
203 | // Support ProxyProtocol for any transport protocol
204 | if networkType != "tcp" && networkType != "ws" && config.EnableProxyProtocol {
205 | sockoptConfig := &conf.SocketConfig{
206 | AcceptProxyProtocol: config.EnableProxyProtocol,
207 | }
208 |
209 | streamSetting.SocketSettings = sockoptConfig
210 | }
211 |
212 | inboundDetourConfig.StreamSetting = streamSetting
213 |
214 | return inboundDetourConfig.Build()
215 | }
216 |
217 | func getCertFile(certConfig *mylego.CertConfig) (certFile string, keyFile string, err error) {
218 | switch certConfig.CertMode {
219 | case "file":
220 | if certConfig.CertFile == "" || certConfig.KeyFile == "" {
221 | return "", "", fmt.Errorf("cert file path or key file path not exist")
222 | }
223 |
224 | return certConfig.CertFile, certConfig.KeyFile, nil
225 | case "dns":
226 | lego, err := mylego.New(certConfig)
227 | if err != nil {
228 | return "", "", err
229 | }
230 |
231 | certPath, keyPath, err := lego.DNSCert()
232 | if err != nil {
233 | return "", "", err
234 | }
235 |
236 | return certPath, keyPath, err
237 | case "http", "tls":
238 | lego, err := mylego.New(certConfig)
239 | if err != nil {
240 | return "", "", err
241 | }
242 |
243 | certPath, keyPath, err := lego.HTTPCert()
244 | if err != nil {
245 | return "", "", err
246 | }
247 |
248 | return certPath, keyPath, err
249 | default:
250 | return "", "", fmt.Errorf("unsupported certmode: %s", certConfig.CertMode)
251 | }
252 | }
253 |
--------------------------------------------------------------------------------
/service/controller/model.go:
--------------------------------------------------------------------------------
1 | package controller
2 |
3 | import (
4 | "github.com/The-NeXT-Project/NeXT-Server/common/mylego"
5 | )
6 |
7 | type Config struct {
8 | ListenIP string `mapstructure:"ListenIP"`
9 | SendIP string `mapstructure:"SendIP"`
10 | UpdatePeriodic int `mapstructure:"UpdatePeriodic"`
11 | CertConfig *mylego.CertConfig `mapstructure:"CertConfig"`
12 | EnableDNS bool `mapstructure:"EnableDNS"`
13 | DNSType string `mapstructure:"DNSType"`
14 | DisableUploadTraffic bool `mapstructure:"DisableUploadTraffic"`
15 | DisableGetRule bool `mapstructure:"DisableGetRule"`
16 | EnableProxyProtocol bool `mapstructure:"EnableProxyProtocol"`
17 | DisableIVCheck bool `mapstructure:"DisableIVCheck"`
18 | DisableSniffing bool `mapstructure:"DisableSniffing"`
19 | AutoSpeedLimitConfig *AutoSpeedLimitConfig `mapstructure:"AutoSpeedLimitConfig"`
20 | }
21 |
22 | type AutoSpeedLimitConfig struct {
23 | Limit int `mapstructure:"Limit"` // mbps
24 | WarnTimes int `mapstructure:"WarnTimes"`
25 | LimitSpeed int `mapstructure:"LimitSpeed"` // mbps
26 | LimitDuration int `mapstructure:"LimitDuration"` // minute
27 | }
28 |
--------------------------------------------------------------------------------
/service/controller/outbound.go:
--------------------------------------------------------------------------------
1 | package controller
2 |
3 | import (
4 | "encoding/json"
5 | "fmt"
6 |
7 | "github.com/xtls/xray-core/common/net"
8 | "github.com/xtls/xray-core/core"
9 | "github.com/xtls/xray-core/infra/conf"
10 |
11 | "github.com/The-NeXT-Project/NeXT-Server/api"
12 | )
13 |
14 | // OutboundBuilder build freedom outbound config for addOutbound
15 | func OutboundBuilder(config *Config, nodeInfo *api.NodeInfo, tag string) (*core.OutboundHandlerConfig, error) {
16 | outboundDetourConfig := &conf.OutboundDetourConfig{}
17 | outboundDetourConfig.Protocol = "freedom"
18 | outboundDetourConfig.Tag = tag
19 |
20 | // Build Send IP address
21 | if config.SendIP != "" {
22 | ipAddress := net.ParseAddress(config.SendIP).String()
23 | outboundDetourConfig.SendThrough = &ipAddress
24 | }
25 |
26 | // Freedom Protocol setting
27 | var domainStrategy = "Asis"
28 |
29 | if config.EnableDNS {
30 | if config.DNSType != "" {
31 | domainStrategy = config.DNSType
32 | } else {
33 | domainStrategy = "UseIP"
34 | }
35 | }
36 |
37 | proxySetting := &conf.FreedomConfig{
38 | DomainStrategy: domainStrategy,
39 | }
40 |
41 | var setting json.RawMessage
42 |
43 | setting, err := json.Marshal(proxySetting)
44 | if err != nil {
45 | return nil, fmt.Errorf("marshal proxy %s config failed: %s", nodeInfo.NodeType, err)
46 | }
47 |
48 | outboundDetourConfig.Settings = &setting
49 |
50 | return outboundDetourConfig.Build()
51 | }
52 |
--------------------------------------------------------------------------------
/service/controller/user.go:
--------------------------------------------------------------------------------
1 | package controller
2 |
3 | import (
4 | "fmt"
5 | "github.com/xtls/xray-core/proxy/shadowsocks_2022"
6 | "strings"
7 |
8 | "github.com/The-NeXT-Project/NeXT-Server/api"
9 | "github.com/xtls/xray-core/common/protocol"
10 | "github.com/xtls/xray-core/common/serial"
11 | "github.com/xtls/xray-core/infra/conf"
12 | "github.com/xtls/xray-core/proxy/shadowsocks"
13 | "github.com/xtls/xray-core/proxy/trojan"
14 | )
15 |
16 | func (c *Controller) buildVmessUser(userInfo *[]api.UserInfo) (users []*protocol.User) {
17 | users = make([]*protocol.User, len(*userInfo))
18 |
19 | for i, user := range *userInfo {
20 | vmessAccount := &conf.VMessAccount{
21 | ID: user.UUID,
22 | Security: "auto",
23 | }
24 |
25 | users[i] = &protocol.User{
26 | Level: 0,
27 | Email: c.buildUserTag(&user), // Email: InboundTag|email|uid
28 | Account: serial.ToTypedMessage(vmessAccount.Build()),
29 | }
30 | }
31 |
32 | return users
33 | }
34 |
35 | func (c *Controller) buildTrojanUser(userInfo *[]api.UserInfo) (users []*protocol.User) {
36 | users = make([]*protocol.User, len(*userInfo))
37 |
38 | for i, user := range *userInfo {
39 | trojanAccount := &trojan.Account{
40 | Password: user.UUID,
41 | }
42 |
43 | users[i] = &protocol.User{
44 | Level: 0,
45 | Email: c.buildUserTag(&user),
46 | Account: serial.ToTypedMessage(trojanAccount),
47 | }
48 | }
49 |
50 | return users
51 | }
52 |
53 | func (c *Controller) buildSSUser(userInfo *[]api.UserInfo) (users []*protocol.User) {
54 | users = make([]*protocol.User, len(*userInfo))
55 |
56 | for i, user := range *userInfo {
57 | users[i] = &protocol.User{
58 | Level: 0,
59 | Email: c.buildUserTag(&user),
60 | Account: serial.ToTypedMessage(&shadowsocks.Account{
61 | Password: user.Passwd,
62 | CipherType: cipherFromString(user.Method),
63 | }),
64 | }
65 | }
66 |
67 | return users
68 | }
69 |
70 | func (c *Controller) buildSS2022User(userInfo *[]api.UserInfo) (users []*protocol.User) {
71 | users = make([]*protocol.User, len(*userInfo))
72 |
73 | for i, user := range *userInfo {
74 | email := c.buildUserTag(&user)
75 |
76 | users[i] = &protocol.User{
77 | Level: 0,
78 | Email: email,
79 | Account: serial.ToTypedMessage(&shadowsocks_2022.User{
80 | Key: user.Passwd,
81 | Email: email,
82 | Level: 0,
83 | }),
84 | }
85 | }
86 |
87 | return users
88 | }
89 |
90 | func cipherFromString(c string) shadowsocks.CipherType {
91 | switch strings.ToLower(c) {
92 | case "aes-128-gcm", "aead_aes_128_gcm":
93 | return shadowsocks.CipherType_AES_128_GCM
94 | case "aes-256-gcm", "aead_aes_256_gcm":
95 | return shadowsocks.CipherType_AES_256_GCM
96 | case "chacha20-poly1305", "aead_chacha20_poly1305", "chacha20-ietf-poly1305":
97 | return shadowsocks.CipherType_CHACHA20_POLY1305
98 | case "none", "plain":
99 | return shadowsocks.CipherType_NONE
100 | default:
101 | return shadowsocks.CipherType_UNKNOWN
102 | }
103 | }
104 |
105 | func (c *Controller) buildUserTag(user *api.UserInfo) string {
106 | return fmt.Sprintf("%s|%s|%d", c.Tag, user.Email, user.UID)
107 | }
108 |
--------------------------------------------------------------------------------
/service/service.go:
--------------------------------------------------------------------------------
1 | package service
2 |
3 | // Service is the interface of all the services running in the panel
4 | type Service interface {
5 | Start() error
6 | Close() error
7 | Restart
8 | }
9 |
10 | // Restart the service
11 | type Restart interface {
12 | Start() error
13 | Close() error
14 | }
15 |
--------------------------------------------------------------------------------