Merge pull request #304 from bjdgyc/dev

Dev

README.md

@@ -108,21 +108,27 @@ sudo ./anylink
 - [x] 兼容 AnyConnect
 - [x] 兼容 OpenConnect
 - [x] 基于 tun 设备的 nat 访问模式
-- [x] 基于 tap 设备的桥接访问模式
+- [x] 基于 tun 设备的桥接访问模式
 - [x] 基于 macvtap 设备的桥接访问模式
 - [x] 支持 [proxy protocol v1&v2](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 协议
 - [x] 用户组支持
+- [x] 用户组策略支持
 - [x] 多用户支持
 - [x] 用户策略支持
 - [x] TOTP 令牌支持
 - [x] TOTP 令牌开关
 - [x] 流量速率限制
 - [x] 后台管理界面
 - [x] 访问权限管理
+- [x] 用户活动审计功能
 - [x] IP 访问审计功能
 - [x] 域名动态拆分隧道（域名路由功能）
 - [x] radius认证支持
 - [x] LDAP认证支持
+- [x] 空闲链接超时自动断开
+- [x] 流量压缩功能
+- [x] 出口 IP 自动放行
+- [x] 支持多服务的配置区分
 - [ ] 基于 ipvtap 设备的桥接访问模式
 
 ## Config

build.sh

@@ -1,74 +1,21 @@
 #!/bin/bash
 
-#github action release.sh
-
-set -x
-function RETVAL() {
-  rt=$1
-  if [ $rt != 0 ]; then
-    echo $rt
-    exit 1
-  fi
-}
-
 #当前目录
 cpath=$(pwd)
 
 ver=$(cat version)
 echo $ver
 
-echo "copy二进制文件"
-cd $cpath/server
-# -tags osusergo,netgo,sqlite_omit_load_extension
-flags="-trimpath"
-ldflags="-s -w -extldflags '-static' -X main.appVer=$ver -X main.commitId=$(git rev-parse HEAD) -X main.buildDate=$(date --iso-8601=seconds)"
-#github action
-gopath=/go
-
-dockercmd=$(
-  cat <<EOF
-sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
-apk add gcc g++ musl musl-dev tzdata
-export GOPROXY=https://goproxy.cn
-go mod tidy
-echo "build:"
-export CGO_ENABLED=1
-go build -v -o anylink_amd64 $flags -ldflags "$ldflags"
-./anylink_amd64 -v
-EOF
-)
+#前端编译 仅需要执行一次
+bash ./build_web.sh
 
-#使用 musl-dev 编译
-docker run -q --rm -v $PWD:/app -v $gopath:/go -w /app --platform=linux/amd64 \
-  golang:1.20-alpine3.19 sh -c "$dockercmd"
-
-exit 0
-
-#arm64编译
-docker run -q --rm -v $PWD:/app -v $gopath:/go -w /app --platform=linux/arm64 \
-  golang:1.20-alpine3.19 go build -o anylink_arm64 $flags -ldflags "$ldflags"
-./anylink_arm64 -v
-
-exit 0
+cd $cpath/server
 
-cd $cpath
+go build -v -o anylink
 
-echo "整理部署文件"
-deploy="anylink-deploy"
-rm -rf $deploy ${deploy}.tar.gz
-mkdir $deploy
-mkdir $deploy/log
+./anylink -v
 
-cp -r server/anylink $deploy
-cp -r server/bridge-init.sh $deploy
-cp -r server/conf $deploy
 
-cp -r systemd $deploy
-cp -r LICENSE $deploy
-cp -r home $deploy
+echo "anylink 编译完成，目录: $cpath/server/anylink"
 
-tar zcvf ${deploy}.tar.gz $deploy
 
-#注意使用root权限运行
-#cd anylink-deploy
-#sudo ./anylink --conf="conf/server.toml"

build_test.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+
+#github action release.sh
+
+set -x
+function RETVAL() {
+  rt=$1
+  if [ $rt != 0 ]; then
+    echo $rt
+    exit 1
+  fi
+}
+
+#当前目录
+cpath=$(pwd)
+
+ver=$(cat version)
+echo $ver
+
+#前端编译 仅需要执行一次
+#bash ./build_web.sh
+
+echo "copy二进制文件"
+
+# -tags osusergo,netgo,sqlite_omit_load_extension
+flags="-trimpath"
+ldflags="-s -w -extldflags '-static' -X main.appVer=$ver -X main.commitId=$(git rev-parse HEAD) -X main.buildDate=$(date --iso-8601=seconds)"
+#github action
+gopath=/go
+
+dockercmd=$(
+  cat <<EOF
+sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+apk add gcc g++ musl musl-dev tzdata
+export GOPROXY=https://goproxy.cn
+go mod tidy
+echo "build:"
+rm anylink
+export CGO_ENABLED=1
+go build -v -o anylink $flags -ldflags "$ldflags"
+./anylink -v
+EOF
+)
+
+#使用 musl-dev 编译
+docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/amd64 \
+  golang:1.20-alpine3.19 sh -c "$dockercmd"
+
+#arm64编译
+#docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/arm64 \
+#  golang:1.20-alpine3.19 go build -o anylink_arm64 $flags -ldflags "$ldflags"
+#exit 0
+
+#cd $cpath
+
+echo "整理部署文件"
+rm -rf anylink-deploy anylink-deploy.tar.gz
+mkdir anylink-deploy
+mkdir anylink-deploy/log
+
+cp -r server/anylink anylink-deploy
+cp -r server/conf anylink-deploy
+
+cp -r index_template anylink-deploy
+cp -r deploy anylink-deploy
+cp -r LICENSE anylink-deploy
+
+tar zcvf anylink-deploy.tar.gz anylink-deploy
+
+#注意使用root权限运行
+#cd anylink-deploy
+#sudo ./anylink --conf="conf/server.toml"

server/base/config.go

@@ -22,7 +22,7 @@ type config struct {
 var configs = []config{
 	{Typ: cfgStr, Name: "conf", Usage: "config file", ValStr: "./conf/server.toml", Short: "c"},
 	{Typ: cfgStr, Name: "profile", Usage: "profile.xml file", ValStr: "./conf/profile.xml"},
-	{Typ: cfgStr, Name: "profile_name", Usage: "profile name(用于区分不同网站的配置)", ValStr: "anylink"},
+	{Typ: cfgStr, Name: "profile_name", Usage: "profile name(用于区分不同服务端的配置)", ValStr: "anylink"},
 	{Typ: cfgStr, Name: "server_addr", Usage: "TCP服务监听地址(任意端口)", ValStr: ":443"},
 	{Typ: cfgBool, Name: "server_dtls", Usage: "开启DTLS", ValBool: false},
 	{Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址(任意端口)", ValStr: ":443"},
@@ -59,7 +59,7 @@ var configs = []config{
 	{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 40},
 	{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 60},
 	{Typ: cfgInt, Name: "mtu", Usage: "最大传输单元MTU", ValInt: 1460},
-	{Typ: cfgInt, Name: "idle_timeout", Usage: "空闲链接超时时间(秒)-超时后断开链接，0关闭此功能", ValInt: 1800},
+	{Typ: cfgInt, Name: "idle_timeout", Usage: "空闲链接超时时间(秒)-超时后断开链接，0关闭此功能", ValInt: 0},
 	{Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)-用于断线重连，0永不过期", ValInt: 3600},
 	// {Typ: cfgInt, Name: "auth_timeout", Usage: "auth_timeout", ValInt: 0},
 	{Typ: cfgInt, Name: "audit_interval", Usage: "审计去重间隔(秒),-1关闭", ValInt: 600},

server/conf/server-sample.toml

@@ -11,7 +11,7 @@ cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"
 files_path = "./conf/files"
 profile = "./conf/profile.xml"
-#profile name(用于区分不同网站的配置)
+#profile name(用于区分不同服务端的配置)
 #客户端存放位置 C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile
 profile_name = "anylink"
 #日志目录,为空写入标准输出
@@ -82,10 +82,10 @@ default_domain = "example.com"
 #default_domain = "example.com abc.example.com"
 
 #空闲链接超时时间(秒)-超时后断开链接，0关闭此功能
-idle_timeout = 1800
+idle_timeout = 0
 #session过期时间，用于断线重连，0永不过期
 session_timeout = 3600
-auth_timeout = 0
+#auth_timeout = 0
 audit_interval = 600
 
 show_sql = false

server/handler/link_auth.go

@@ -46,10 +46,11 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	cr := ClientRequest{}
 	err = xml.Unmarshal(body, &cr)
 	if err != nil {
+		base.Error(err)
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
-	// fmt.Printf("%+v \n", cr)
+	base.Trace(fmt.Sprintf("%+v \n", cr))
 	// setCommonHeader(w)
 	if cr.Type == "logout" {
 		// 退出删除session信息
@@ -140,7 +141,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash}
 	w.WriteHeader(http.StatusOK)
 	tplRequest(tpl_complete, w, rd)
-	base.Debug("login", cr.Auth.Username, userAgent)
+	base.Info("login", cr.Auth.Username, userAgent)
 }
 
 const (

server/handler/link_cstp.go

@@ -37,14 +37,14 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 		// 设置超时限制
 		err = conn.SetReadDeadline(utils.NowSec().Add(dead))
 		if err != nil {
-			base.Error("SetDeadline: ", cSess.Username, err)
+			base.Error("SetDeadline: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 		// hdata := make([]byte, BufferSize)
 		pl := getPayload()
 		n, err = bufRW.Read(pl.Data)
 		if err != nil {
-			base.Error("read hdata: ", cSess.Username, err)
+			base.Warn("read hdata: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 
@@ -69,7 +69,7 @@ func LinkCstp(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessio
 			}
 		case 0x05: // DISCONNECT
 			cSess.UserLogoutCode = dbdata.UserLogoutClient
-			base.Debug("DISCONNECT", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, string(pl.Data[9:n]))
+			base.Info("DISCONNECT", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, string(pl.Data[9:n]))
 			sessdata.CloseSess(cSess.Sess.Token, dbdata.UserLogoutClient)
 			return
 		case 0x03: // DPD-REQ
@@ -176,7 +176,7 @@ func cstpWrite(conn net.Conn, bufRW *bufio.ReadWriter, cSess *sessdata.ConnSessi
 
 		n, err = conn.Write(pl.Data)
 		if err != nil {
-			base.Error("write err", cSess.Username, err)
+			base.Warn("write err", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 

server/handler/link_dtls.go

@@ -36,14 +36,14 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 	for {
 		err = conn.SetReadDeadline(utils.NowSec().Add(dead))
 		if err != nil {
-			base.Error("SetDeadline: ", cSess.Username, err)
+			base.Error("SetDeadline: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 
 		pl := getPayload()
 		n, err = conn.Read(pl.Data)
 		if err != nil {
-			base.Error("read hdata: ", cSess.Username, err)
+			base.Warn("read hdata: ", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 
@@ -59,10 +59,10 @@ func LinkDtls(conn net.Conn, cSess *sessdata.ConnSession) {
 			base.Trace("recv LinkDtls Keepalive", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 		case 0x05: // DISCONNECT
 			cSess.UserLogoutCode = dbdata.UserLogoutClient
-			base.Debug("DISCONNECT DTLS", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
+			base.Info("DISCONNECT DTLS", cSess.Username, cSess.IpAddr, conn.RemoteAddr())
 			return
 		case 0x03: // DPD-REQ
-			base.Trace("recv LinkDtls DPD-REQ", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n, pl.Data[:n])
+			base.Trace("recv LinkDtls DPD-REQ", cSess.Username, cSess.IpAddr, conn.RemoteAddr(), n)
 			pl.PType = 0x04
 			// 从零开始 可以直接赋值
 			pl.Data = pl.Data[:n]
@@ -151,12 +151,15 @@ func dtlsWrite(conn net.Conn, dSess *sessdata.DtlsSession, cSess *sessdata.ConnS
 			}
 		} else {
 			// 设置头类型
-			// pl.Data = append(pl.Data[:0], pl.PType)
-			pl.Data[0] = pl.PType
+			if pl.PType == 0x04 {
+				pl.Data[0] = pl.PType
+			} else {
+				pl.Data = append(pl.Data[:0], pl.PType)
+			}
 		}
 		n, err := conn.Write(pl.Data)
 		if err != nil {
-			base.Error("write err", cSess.Username, err)
+			base.Warn("write err", cSess.Username, cSess.IpAddr, err)
 			return
 		}
 

server/handler/link_tun.go

@@ -46,6 +46,7 @@ func checkTun() {
 		// 修复 rockyos nat 不生效
 		base.CheckModOrLoad("iptable_filter")
 		base.CheckModOrLoad("iptable_nat")
+		// base.CheckModOrLoad("xt_comment")
 
 		// 添加注释
 		natRule := []string{"-s", base.Cfg.Ipv4CIDR, "-o", base.Cfg.Ipv4Master, "-m", "comment",

server/handler/link_tunnel.go

@@ -92,7 +92,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 		dtlsPort = ss[1]
 	}
 
-	base.Debug(cSess.IpAddr, cSess.MacHw, sess.Username, mobile)
+	base.Info(sess.Username, cSess.IpAddr, cSess.MacHw, cSess.Client, mobile)
 
 	// 检测密码套件
 	dtlsCiphersuite := checkDtls12Ciphersuite(r.Header.Get("X-Dtls12-Ciphersuite"))