06470512f6
### 严重修复 1. 跨服务器无法登录 - 新增SESSION_COOKIE_DOMAIN/SECURE/NAME配置 2. SOCKS5用户密码明文存储→bcrypt哈希(兼容自动迁移) 3. 仪表盘审计日志不显示→替换为空循环为真实API加载 4. 管理员登录防爆破未生效→auth.py集成check_fail2ban ### 中等问题修复 5. 流量趋势图表无数据→新增record_traffic_snapshot后台线程 6. 网络流量累计值跳变→新增基线差值机制 7. asyncio连接计数非线程安全→加锁保护 ### 优化改进 8. API密钥页面截断文本修复 9. 新增gunicorn/bcrypt依赖 10. 更新README环境变量文档和生产建议 11. 登录密码常量时间对比防时序攻击 12. 仪表盘图表添加animation:false防卡顿
425 lines
15 KiB
Python
425 lines
15 KiB
Python
"""SOCKS5 异步服务器引擎 (asyncio)。"""
|
|
import asyncio
|
|
import logging
|
|
import struct
|
|
import time
|
|
import uuid
|
|
import ipaddress
|
|
from datetime import datetime, timezone
|
|
|
|
import models
|
|
from services.user_service import UserService
|
|
|
|
log = logging.getLogger("socks.engine")
|
|
|
|
# ── SOCKS5 协议常量 ─────────────────────────────────────────────
|
|
SOCKS_VERSION = 5
|
|
METHOD_NO_AUTH = 0x00
|
|
METHOD_USERPASS = 0x02
|
|
METHOD_NOT_ACCEPTED = 0xFF
|
|
|
|
CMD_CONNECT = 0x01
|
|
CMD_BIND = 0x02
|
|
CMD_UDP_ASSOCIATE = 0x03
|
|
|
|
ATYP_IPV4 = 0x01
|
|
ATYP_DOMAIN = 0x03
|
|
ATYP_IPV6 = 0x04
|
|
|
|
REP_SUCCEEDED = 0x00
|
|
REP_GENERAL_FAILURE = 0x01
|
|
REP_CONN_FORBIDDEN = 0x02
|
|
REP_NETWORK_UNREACHABLE = 0x03
|
|
REP_HOST_UNREACHABLE = 0x04
|
|
REP_CONN_REFUSED = 0x05
|
|
REP_TTL_EXPIRED = 0x06
|
|
REP_CMD_NOT_SUPPORTED = 0x07
|
|
REP_ADDR_NOT_SUPPORTED = 0x08
|
|
|
|
TUNNEL_CHUNK = 65536
|
|
|
|
|
|
class ConnectionHandler:
|
|
"""单个 SOCKS5 连接的处理器。"""
|
|
|
|
def __init__(self, reader, writer, instance_config, user_service,
|
|
flask_app=None, on_close_cb=None):
|
|
self.reader = reader
|
|
self.writer = writer
|
|
self.config = instance_config
|
|
self.user_service = user_service
|
|
self.flask_app = flask_app
|
|
self.on_close = on_close_cb
|
|
|
|
self.username = None
|
|
self.src_ip = None
|
|
self.src_port = None
|
|
self.dst_addr = None
|
|
self.dst_port = None
|
|
self.conn_id = str(uuid.uuid4())[:16]
|
|
|
|
self.bytes_in = 0
|
|
self.bytes_out = 0
|
|
self.start_time = time.time()
|
|
self._closed = False
|
|
|
|
# 限速节流器
|
|
self._throttle_writer_in = None # client->dst 方向
|
|
self._throttle_writer_out = None # dst->client 方向
|
|
self._speed_semaphore_in = None
|
|
self._speed_semaphore_out = None
|
|
|
|
# 上游代理
|
|
self.upstream = None
|
|
|
|
async def handle(self):
|
|
"""主入口:处理完整的 SOCKS5 会话。"""
|
|
try:
|
|
self.src_ip, self.src_port = self._peer_info()
|
|
|
|
# 1. 方法协商
|
|
if not await self._negotiate_method():
|
|
return
|
|
|
|
# 2. 认证(如果需要)
|
|
if not await self._authenticate():
|
|
return
|
|
|
|
# 3. 解析命令请求
|
|
cmd, atyp, addr, port = await self._read_request()
|
|
if cmd is None:
|
|
return
|
|
|
|
# 4. 记录连接
|
|
await self._record_connection("active")
|
|
|
|
# 5. 处理命令(目前只支持 CONNECT)
|
|
if cmd == CMD_CONNECT:
|
|
await self._handle_connect(addr, port)
|
|
else:
|
|
await self._reply(REP_CMD_NOT_SUPPORTED)
|
|
return
|
|
|
|
except asyncio.TimeoutError:
|
|
log.debug("[%s] 超时", self.conn_id)
|
|
except ConnectionError:
|
|
log.debug("[%s] 连接错误", self.conn_id)
|
|
except Exception as e:
|
|
log.exception("[%s] 异常: %s", self.conn_id, e)
|
|
finally:
|
|
if not self._closed:
|
|
self._close()
|
|
|
|
def _peer_info(self):
|
|
extra = self.writer.get_extra_info("peername")
|
|
return extra
|
|
|
|
async def _negotiate_method(self):
|
|
"""方法协商。"""
|
|
header = await asyncio.wait_for(self.reader.read(256),
|
|
timeout=self.config.timeout)
|
|
if len(header) < 2:
|
|
return False
|
|
|
|
ver, n_methods = struct.unpack("!BB", header[:2])
|
|
if ver != SOCKS_VERSION:
|
|
log.debug("协议版本错误: %d", ver)
|
|
return False
|
|
|
|
methods = header[2:2 + n_methods]
|
|
# 检查是否支持
|
|
if METHOD_USERPASS in methods and self.config.auth_method == "userpass":
|
|
self.writer.write(bytes([SOCKS_VERSION, METHOD_USERPASS]))
|
|
elif METHOD_NO_AUTH in methods:
|
|
self.writer.write(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
|
|
else:
|
|
self.writer.write(bytes([SOCKS_VERSION, METHOD_NOT_ACCEPTED]))
|
|
return False
|
|
await self.writer.drain()
|
|
return True
|
|
|
|
async def _authenticate(self):
|
|
"""USERPASS 认证。"""
|
|
if self.config.auth_method != "userpass":
|
|
return True
|
|
|
|
# 读认证请求头
|
|
header = await asyncio.wait_for(self.reader.read(256),
|
|
timeout=self.config.timeout)
|
|
if len(header) < 2:
|
|
return False
|
|
ver, ulen = struct.unpack("!BB", header[:2])
|
|
if ver != 1:
|
|
return False
|
|
|
|
# 读用户名
|
|
username = await asyncio.wait_for(self.reader.read(ulen),
|
|
timeout=self.config.timeout)
|
|
if len(username) != ulen:
|
|
return False
|
|
username = username.decode("utf-8", errors="replace")
|
|
|
|
# 读密码长度
|
|
plen_byte = await asyncio.wait_for(self.reader.read(1),
|
|
timeout=self.config.timeout)
|
|
if not plen_byte:
|
|
return False
|
|
plen = plen_byte[0]
|
|
|
|
# 读密码
|
|
passwd = await asyncio.wait_for(self.reader.read(plen),
|
|
timeout=self.config.timeout)
|
|
if len(passwd) != plen:
|
|
return False
|
|
passwd = passwd.decode("utf-8", errors="replace")
|
|
|
|
# 验证(使用 bcrypt 兼容验证)
|
|
user = self.user_service.get_user(username)
|
|
if user is None or not user.check_password(passwd) or not user.is_active():
|
|
log.warning("认证失败: %s (user=%s)", self.src_ip, username)
|
|
await self.user_service.log_event("auth_fail", username,
|
|
self.src_ip, "密码错误或账号不可用")
|
|
self.writer.write(bytes([1, 0x01])) # auth fail
|
|
await self.writer.drain()
|
|
return False
|
|
|
|
self.username = username
|
|
log.info("[%s] 认证成功: %s (from %s)", self.conn_id, username, self.src_ip)
|
|
await self.user_service.log_event("auth_success", username, self.src_ip)
|
|
self.writer.write(bytes([1, 0x00])) # auth ok
|
|
await self.writer.drain()
|
|
return True
|
|
|
|
async def _read_request(self):
|
|
"""解析 SOCKS5 命令请求。"""
|
|
req = await asyncio.wait_for(self.reader.read(512),
|
|
timeout=self.config.timeout)
|
|
if len(req) < 8:
|
|
return None, None, None, None
|
|
|
|
ver, cmd, rsv, atyp = struct.unpack("!BBBB", req[:4])
|
|
if ver != SOCKS_VERSION:
|
|
return None, None, None, None
|
|
|
|
offset = 4
|
|
if atyp == ATYP_IPV4:
|
|
addr_bytes = req[offset:offset + 4]
|
|
addr = ".".join(str(b) for b in addr_bytes)
|
|
port = struct.unpack("!H", req[offset + 4:offset + 6])[0]
|
|
return cmd, atyp, addr, port
|
|
elif atyp == ATYP_IPV6:
|
|
addr_bytes = req[offset:offset + 16]
|
|
addr = str(ipaddress.IPv6Address(addr_bytes))
|
|
port = struct.unpack("!H", req[offset + 16:offset + 18])[0]
|
|
return cmd, atyp, addr, port
|
|
elif atyp == ATYP_DOMAIN:
|
|
dlen = req[offset]
|
|
addr = req[offset + 1:offset + 1 + dlen].decode("utf-8", errors="replace")
|
|
port = struct.unpack("!H", req[offset + 1 + dlen:offset + 3 + dlen])[0]
|
|
return cmd, atyp, addr, port
|
|
|
|
return None, None, None, None
|
|
|
|
async def _reply(self, rep, bnd_addr="0.0.0.0", bnd_port=0):
|
|
"""发送 SOCKS5 响应。"""
|
|
addr_bytes = b"\x00\x00\x00\x00"
|
|
if bnd_addr and "." not in str(bnd_addr):
|
|
# IPv6
|
|
try:
|
|
addr_bytes = ipaddress.IPv6Address(str(bnd_addr)).packed
|
|
except Exception:
|
|
pass
|
|
|
|
self.writer.write(struct.pack(
|
|
"!BBBB5sH",
|
|
SOCKS_VERSION, rep, 0x00, ATYP_IPV4,
|
|
addr_bytes, bnd_port
|
|
))
|
|
await self.writer.drain()
|
|
|
|
async def _handle_connect(self, addr, port):
|
|
"""处理 CONNECT 命令。"""
|
|
self.dst_addr = addr
|
|
self.dst_port = port
|
|
|
|
# IP 白名单/黑名单检查
|
|
if self.username:
|
|
user = self.user_service.get_user(self.username)
|
|
if user and user.ip_blacklist:
|
|
black = {x.strip() for x in user.ip_blacklist.split(",") if x.strip()}
|
|
if self.src_ip in black:
|
|
log.info("[%s] 源IP在黑名单: %s", self.conn_id, self.src_ip)
|
|
await self._reply(REP_CONN_FORBIDDEN)
|
|
await self.user_service.log_event("connect_reject", self.username,
|
|
self.src_ip, f"源IP黑名单 {self.src_ip}")
|
|
return
|
|
if user and user.ip_whitelist:
|
|
white = {x.strip() for x in user.ip_whitelist.split(",") if x.strip()}
|
|
if self.src_ip not in white:
|
|
log.info("[%s] 源IP不在白名单: %s", self.conn_id, self.src_ip)
|
|
await self._reply(REP_CONN_FORBIDDEN)
|
|
await self.user_service.log_event("connect_reject", self.username,
|
|
self.src_ip, f"源IP不在白名单 {self.src_ip}")
|
|
return
|
|
|
|
# 并发连接检查
|
|
if self.username:
|
|
cur_conns = self.user_service.get_active_connections(self.username)
|
|
if self.username:
|
|
user = self.user_service.get_user(self.username)
|
|
if user and cur_conns >= user.max_concurrent:
|
|
log.info("[%s] 并发超限: %s (当前 %d >= %d)",
|
|
self.conn_id, self.username, cur_conns, user.max_concurrent)
|
|
await self._reply(REP_CONN_FORBIDDEN)
|
|
return
|
|
|
|
# 连接目标
|
|
try:
|
|
# 直接用 open_connection,不预连接 socket
|
|
# 在子线程事件循环中 asyncio.wait_for 会导致读取被取消
|
|
reader, writer = await asyncio.open_connection(addr, port)
|
|
except (OSError, Exception) as e:
|
|
log.warning("[%s] 无法连接 %s:%d: %s", self.conn_id, addr, port, e)
|
|
rep = REP_CONN_REFUSED if "refused" in str(e).lower() else REP_HOST_UNREACHABLE
|
|
await self._reply(rep)
|
|
await self.user_service.log_event("connect_reject", self.username,
|
|
self.src_ip, f"连接失败 {addr}:{port}: {e}")
|
|
return
|
|
|
|
# 成功响应
|
|
await self._reply(REP_SUCCEEDED)
|
|
|
|
# 开始隧道
|
|
log.info("[%s] 隧道建立: %s -> %s:%d", self.conn_id,
|
|
self.src_ip, addr, port)
|
|
await self.user_service.log_event("connect_success", self.username,
|
|
self.src_ip, f"{addr}:{port}")
|
|
|
|
await self._tunnel(reader, writer)
|
|
|
|
async def _tunnel(self, dst_reader, dst_writer):
|
|
"""双向隧道转发。"""
|
|
try:
|
|
# 获取限速参数
|
|
user = None
|
|
bw_down = self.config.bandwidth_down
|
|
bw_up = self.config.bandwidth_up
|
|
if self.username:
|
|
user = self.user_service.get_user(self.username)
|
|
if user and user.bandwidth_down:
|
|
bw_down = user.bandwidth_down
|
|
if user and user.bandwidth_up:
|
|
bw_up = user.bandwidth_up
|
|
|
|
# 启动双向转发
|
|
f1 = asyncio.create_task(self._forward(dst_reader, self.writer,
|
|
"dst->client", bw_down, user))
|
|
f2 = asyncio.create_task(self._forward(self.reader, dst_writer,
|
|
"client->dst", bw_up, user))
|
|
await asyncio.gather(f1, f2, return_exceptions=True)
|
|
|
|
except asyncio.CancelledError:
|
|
pass
|
|
except Exception as e:
|
|
log.exception("[%s] 隧道异常: %s", self.conn_id, e)
|
|
finally:
|
|
self._close_streams(dst_reader, dst_writer)
|
|
# 记录最终统计
|
|
await self._record_stats()
|
|
|
|
async def _forward(self, src, dst, direction, speed_limit_mbps, user):
|
|
"""单向转发,带限速。"""
|
|
total_transferred = 0
|
|
try:
|
|
while True:
|
|
data = await src.read(TUNNEL_CHUNK)
|
|
if not data:
|
|
break
|
|
|
|
# 限速:如果设置了,则节流
|
|
if speed_limit_mbps and speed_limit_mbps > 0:
|
|
bytes_per_sec = speed_limit_mbps * 1000000 / 8
|
|
sleep_time = len(data) / bytes_per_sec
|
|
if sleep_time > 0.001: # 小于 1ms 不节流
|
|
await asyncio.sleep(min(sleep_time, 1.0))
|
|
|
|
await dst.write(data)
|
|
await dst.drain()
|
|
total_transferred += len(data)
|
|
|
|
if direction == "dst->client":
|
|
self.bytes_in += len(data)
|
|
else:
|
|
self.bytes_out += len(data)
|
|
|
|
except (ConnectionError, BrokenPipeError):
|
|
pass
|
|
except asyncio.CancelledError:
|
|
pass
|
|
|
|
def _close_streams(self, dst_reader, dst_writer):
|
|
try:
|
|
dst_writer.close()
|
|
try:
|
|
dst_reader.feed_eof()
|
|
except Exception:
|
|
pass
|
|
except Exception:
|
|
pass
|
|
|
|
async def _record_connection(self, state="active"):
|
|
"""记录连接到数据库(异步)。"""
|
|
try:
|
|
ctx = self.flask_app.app_context() if self.flask_app else None
|
|
with ctx:
|
|
models.db.session.add(models.Connection(
|
|
id=self.conn_id,
|
|
instance_id=self.config.instance_id,
|
|
username=self.username,
|
|
src_ip=self.src_ip,
|
|
src_port=self.src_port,
|
|
dst_addr=self.dst_addr,
|
|
dst_port=self.dst_port,
|
|
protocol="SOCKS5",
|
|
state=state,
|
|
started_at=datetime.now(timezone.utc),
|
|
))
|
|
models.db.session.commit()
|
|
except Exception as e:
|
|
log.error("记录连接失败: %s", e)
|
|
|
|
async def _record_stats(self):
|
|
"""记录最终连接统计。"""
|
|
duration = time.time() - self.start_time
|
|
try:
|
|
ctx = self.flask_app.app_context() if self.flask_app else None
|
|
with ctx:
|
|
conn = models.db.session.query(models.Connection).filter_by(id=self.conn_id).first()
|
|
if conn:
|
|
conn.state = "closed"
|
|
conn.ended_at = datetime.now(timezone.utc)
|
|
conn.bytes_in = self.bytes_in
|
|
conn.bytes_out = self.bytes_out
|
|
models.db.session.commit()
|
|
|
|
# 更新用户流量
|
|
if self.username and (self.bytes_in or self.bytes_out):
|
|
await self.user_service.add_traffic(self.username, self.bytes_in, self.bytes_out)
|
|
except Exception as e:
|
|
log.error("记录统计失败: %s", e)
|
|
|
|
def _close(self):
|
|
"""关闭连接。"""
|
|
if self._closed:
|
|
return
|
|
self._closed = True
|
|
try:
|
|
self.writer.close()
|
|
except Exception:
|
|
pass
|
|
if self.on_close:
|
|
try:
|
|
self.on_close(self)
|
|
except Exception:
|
|
pass
|