Merge pull request #23 from ptjhuang/restrict-dest

Added Regex destination matching
This commit is contained in:
Sergey Bogatyrets 2023-03-12 20:22:36 +03:00 committed by GitHub
commit 84b9c49bc8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 44 additions and 8 deletions


@ -7,7 +7,13 @@ Simple socks5 server using go-socks5 with authentication options
## Start container with proxy ## Start container with proxy
```docker run -d --name socks5 -p 1080:1080 -e PROXY_USER=<PROXY_USER> -e PROXY_PASSWORD=<PROXY_PASSWORD> serjs/go-socks5-proxy``` ```
docker run -d --name socks5 -p 1080:1080 \
-e PROXY_USER=<PROXY_USER> \
-e PROXY_PASSWORD=<PROXY_PASSWORD> \
-e ALLOWED_DEST_FQDN=<REGEX_PATTERN> \
serjs/go-socks5-proxy
```
Leave `PROXY_USER` and `PROXY_PASSWORD` empty for skip authentication options while running socks5 server. Leave `PROXY_USER` and `PROXY_PASSWORD` empty for skip authentication options while running socks5 server.
@ -18,6 +24,7 @@ Leave `PROXY_USER` and `PROXY_PASSWORD` empty for skip authentication options wh
|PROXY_USER|String|EMPTY|Set proxy user (also required existed PROXY_PASS)| |PROXY_USER|String|EMPTY|Set proxy user (also required existed PROXY_PASS)|
|PROXY_PASSWORD|String|EMPTY|Set proxy password for auth, used with PROXY_USER| |PROXY_PASSWORD|String|EMPTY|Set proxy password for auth, used with PROXY_USER|
|PROXY_PORT|String|1080|Set listen port for application inside docker container| |PROXY_PORT|String|1080|Set listen port for application inside docker container|
|ALLOWED_DEST_FQDN|String|EMPTY|Allowed destination address regular expression pattern. Default allows all.|
|TZ|String|UTC|Set Timezone like in many common Operation Systems| |TZ|String|UTC|Set Timezone like in many common Operation Systems|
|ALLOWED_IPS|String|Empty|Set allowed IP's that can connect to proxy, separator `,`| |ALLOWED_IPS|String|Empty|Set allowed IP's that can connect to proxy, separator `,`|

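--- a/ruleset.go
+++ b/ruleset.go
@@ -0,0 +1,24 @@
+package main
+import (
+"regexp"
+"github.com/armon/go-socks5"
+"golang.org/x/net/context"
+)
+// PermitDestAddrPattern returns a RuleSet which selectively allows addresses
+func PermitDestAddrPattern(pattern string) socks5.RuleSet {
+return &PermitDestAddrPatternRuleSet{pattern}
+}
+// PermitDestAddrPatternRuleSet is an implementation of the RuleSet which
+// enables filtering supported destination address
+type PermitDestAddrPatternRuleSet struct {
+AllowedFqdnPattern string
+}
+func (p *PermitDestAddrPatternRuleSet) Allow(ctx context.Context, req *socks5.Request) (context.Context, bool) {
+match, _ := regexp.MatchString(p.AllowedFqdnPattern, req.DestAddr.FQDN)
+return ctx, match
+}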
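Review bot: `Allow` recompiles the pattern with `regexp.MatchString` on every request and discards the error, so a mistyped ALLOWED_DEST_FQDN compiles to a silent deny-all instead of a startup failure; compile it once in `PermitDestAddrPattern` (or validate it in main.go where `cfg.AllowedDestFqdn` is read, in the third file section) and store the `*regexp.Regexp`. `MatchString` is a substring search, so a pattern like `example\.com` also permits a destination such as `example.com.evil.test` unless the operator anchors it with `^…$`; either anchor in code or state in the README row for ALLOWED_DEST_FQDN that the pattern is unanchored. When the client sends an IP literal rather than a hostname, `req.DestAddr.FQDN` is presumably empty and the decision then depends only on whether the pattern matches the empty string, which deserves a comment on `Allow`. The rewrite below changes the exported `AllowedFqdnPattern` field from string to `*regexp.Regexp`, so any other constructor of the struct would need updating.
```go
// PermitDestAddrPattern returns a RuleSet which selectively allows addresses.
// The pattern is compiled once here so an invalid value fails at startup
// instead of silently denying every request.
func PermitDestAddrPattern(pattern string) socks5.RuleSet {
	return &PermitDestAddrPatternRuleSet{AllowedFqdnPattern: regexp.MustCompile(pattern)}
}

// PermitDestAddrPatternRuleSet is an implementation of the RuleSet which
// enables filtering supported destination address
type PermitDestAddrPatternRuleSet struct {
	AllowedFqdnPattern *regexp.Regexp
}

// Allow permits the request when its destination FQDN matches the pattern.
// The match is unanchored unless the pattern itself carries ^ and $.
// NOTE(review): an IP-literal destination presumably leaves FQDN empty — confirm against go-socks5.
func (p *PermitDestAddrPatternRuleSet) Allow(ctx context.Context, req *socks5.Request) (context.Context, bool) {
	return ctx, p.AllowedFqdnPattern.MatchString(req.DestAddr.FQDN)
}
```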


@ -13,6 +13,7 @@ type params struct {
User string `env:"PROXY_USER" envDefault:""` User string `env:"PROXY_USER" envDefault:""`
Password string `env:"PROXY_PASSWORD" envDefault:""` Password string `env:"PROXY_PASSWORD" envDefault:""`
Port string `env:"PROXY_PORT" envDefault:"1080"` Port string `env:"PROXY_PORT" envDefault:"1080"`
AllowedDestFqdn string `env:"ALLOWED_DEST_FQDN" envDefault:""`
AllowedIPs []string `env:"ALLOWED_IPS" envSeparator:"," envDefault:""` AllowedIPs []string `env:"ALLOWED_IPS" envSeparator:"," envDefault:""`
} }
@ -25,7 +26,7 @@ func main() {
} }
//Initialize socks5 config //Initialize socks5 config
socsk5conf := &socks5.Config{ socks5conf := &socks5.Config{
Logger: log.New(os.Stdout, "", log.LstdFlags), Logger: log.New(os.Stdout, "", log.LstdFlags),
} }
@ -34,10 +35,14 @@ func main() {
os.Getenv("PROXY_USER"): os.Getenv("PROXY_PASSWORD"), os.Getenv("PROXY_USER"): os.Getenv("PROXY_PASSWORD"),
} }
cator := socks5.UserPassAuthenticator{Credentials: creds} cator := socks5.UserPassAuthenticator{Credentials: creds}
socsk5conf.AuthMethods = []socks5.Authenticator{cator} socks5conf.AuthMethods = []socks5.Authenticator{cator}
} }
server, err := socks5.New(socsk5conf) if cfg.AllowedDestFqdn != "" {
socks5conf.Rules = PermitDestAddrPattern(cfg.AllowedDestFqdn)
}
server, err := socks5.New(socks5conf)
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }