feat: remove unused plugin version comparison and types, refactor proxy server to support authentication

- Deleted version comparison logic from `pkg/plugin/sign/version.go`. - Removed unused types and constants from `pkg/plugin/types.go`. - Updated `pkg/protocol/message.go` to remove plugin-related message types. - Enhanced `pkg/proxy/http.go` and `pkg/proxy/socks5.go` to include username/password authentication for HTTP and SOCKS5 proxies. - Modified `pkg/proxy/server.go` to pass authentication parameters to server constructors. - Added new API endpoint to generate installation commands with a token for clients. - Created database functions to manage installation tokens in `internal/server/db/install_token.go`. - Implemented the installation command generation logic in `internal/server/router/handler/install.go`. - Updated web frontend to support installation command generation and display in `web/src/views/ClientsView.vue`.
2026-03-17 23:16:30 +08:00
parent dcfd2f4466
commit 5a03d9e1f1
42 changed files with 638 additions and 6161 deletions
--- a/pkg/proxy/http.go
+++ b/pkg/proxy/http.go
@@ -2,6 +2,8 @@ package proxy

 import (
 	"bufio"
+	"encoding/base64"
+	"errors"
 	"io"
 	"net"
 	"net/http"
@@ -12,13 +14,15 @@ import (

 // HTTPServer HTTP 代理服务
 type HTTPServer struct {
-	dialer  Dialer
-	onStats func(in, out int64) // 流量统计回调
+	dialer   Dialer
+	onStats  func(in, out int64) // 流量统计回调
+	username string
+	password string
 }

 // NewHTTPServer 创建 HTTP 代理服务
-func NewHTTPServer(dialer Dialer, onStats func(in, out int64)) *HTTPServer {
-	return &HTTPServer{dialer: dialer, onStats: onStats}
+func NewHTTPServer(dialer Dialer, onStats func(in, out int64), username, password string) *HTTPServer {
+	return &HTTPServer{dialer: dialer, onStats: onStats, username: username, password: password}
 }

 // HandleConn 处理 HTTP 代理连接
@@ -31,12 +35,45 @@ func (h *HTTPServer) HandleConn(conn net.Conn) error {
 		return err
 	}

+	// 检查认证
+	if h.username != "" && h.password != "" {
+		if !h.checkAuth(req) {
+			conn.Write([]byte("HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n"))
+			return errors.New("authentication required")
+		}
+	}
+
 	if req.Method == http.MethodConnect {
 		return h.handleConnect(conn, req)
 	}
 	return h.handleHTTP(conn, req, reader)
 }

+// checkAuth 检查 Proxy-Authorization 头
+func (h *HTTPServer) checkAuth(req *http.Request) bool {
+	auth := req.Header.Get("Proxy-Authorization")
+	if auth == "" {
+		return false
+	}
+
+	const prefix = "Basic "
+	if !strings.HasPrefix(auth, prefix) {
+		return false
+	}
+
+	decoded, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
+	if err != nil {
+		return false
+	}
+
+	credentials := strings.SplitN(string(decoded), ":", 2)
+	if len(credentials) != 2 {
+		return false
+	}
+
+	return credentials[0] == h.username && credentials[1] == h.password
+}
+
 // handleConnect 处理 CONNECT 方法 (HTTPS)
 func (h *HTTPServer) handleConnect(conn net.Conn, req *http.Request) error {
 	target := req.Host
--- a/pkg/proxy/server.go
+++ b/pkg/proxy/server.go
@@ -14,10 +14,10 @@ type Server struct {
 }

 // NewServer 创建代理服务器
-func NewServer(typ string, dialer Dialer, onStats func(in, out int64)) *Server {
+func NewServer(typ string, dialer Dialer, onStats func(in, out int64), username, password string) *Server {
 	return &Server{
-		socks5: NewSOCKS5Server(dialer, onStats),
-		http:   NewHTTPServer(dialer, onStats),
+		socks5: NewSOCKS5Server(dialer, onStats, username, password),
+		http:   NewHTTPServer(dialer, onStats, username, password),
 		typ:    typ,
 	}
 }
--- a/pkg/proxy/socks5.go
+++ b/pkg/proxy/socks5.go
@@ -13,6 +13,7 @@ import (
 const (
 	socks5Version = 0x05
 	noAuth        = 0x00
+	userPassAuth  = 0x02
 	cmdConnect    = 0x01
 	atypIPv4      = 0x01
 	atypDomain    = 0x03
@@ -21,8 +22,10 @@ const (

 // SOCKS5Server SOCKS5 代理服务
 type SOCKS5Server struct {
-	dialer  Dialer
-	onStats func(in, out int64) // 流量统计回调
+	dialer   Dialer
+	onStats  func(in, out int64) // 流量统计回调
+	username string
+	password string
 }

 // Dialer 连接拨号器接口
@@ -31,8 +34,8 @@ type Dialer interface {
 }

 // NewSOCKS5Server 创建 SOCKS5 服务
-func NewSOCKS5Server(dialer Dialer, onStats func(in, out int64)) *SOCKS5Server {
-	return &SOCKS5Server{dialer: dialer, onStats: onStats}
+func NewSOCKS5Server(dialer Dialer, onStats func(in, out int64), username, password string) *SOCKS5Server {
+	return &SOCKS5Server{dialer: dialer, onStats: onStats, username: username, password: password}
 }

 // HandleConn 处理 SOCKS5 连接
@@ -85,11 +88,54 @@ func (s *SOCKS5Server) handshake(conn net.Conn) error {
 		return err
 	}

-	// 响应：使用无认证
+	// 如果配置了用户名密码，要求认证
+	if s.username != "" && s.password != "" {
+		_, err := conn.Write([]byte{socks5Version, userPassAuth})
+		if err != nil {
+			return err
+		}
+		return s.authenticate(conn)
+	}
+
+	// 无认证
 	_, err := conn.Write([]byte{socks5Version, noAuth})
 	return err
 }

+// authenticate 处理用户名密码认证
+func (s *SOCKS5Server) authenticate(conn net.Conn) error {
+	buf := make([]byte, 2)
+	if _, err := io.ReadFull(conn, buf); err != nil {
+		return err
+	}
+	if buf[0] != 0x01 {
+		return errors.New("unsupported auth version")
+	}
+
+	ulen := int(buf[1])
+	username := make([]byte, ulen)
+	if _, err := io.ReadFull(conn, username); err != nil {
+		return err
+	}
+
+	plen := make([]byte, 1)
+	if _, err := io.ReadFull(conn, plen); err != nil {
+		return err
+	}
+	password := make([]byte, plen[0])
+	if _, err := io.ReadFull(conn, password); err != nil {
+		return err
+	}
+
+	if string(username) == s.username && string(password) == s.password {
+		conn.Write([]byte{0x01, 0x00}) // 认证成功
+		return nil
+	}
+
+	conn.Write([]byte{0x01, 0x01}) // 认证失败
+	return errors.New("authentication failed")
+}
+
 // readRequest 读取请求
 func (s *SOCKS5Server) readRequest(conn net.Conn) (string, error) {
 	buf := make([]byte, 4)