Merge pull request #148 from SenseUnit/socks

SOCKS5 server

Author: Snawoot

README.md

@@ -3,14 +3,15 @@ dumbproxy
 
 [![dumbproxy](https://snapcraft.io//dumbproxy/badge.svg)](https://snapcraft.io/dumbproxy)
 
-Simple, scriptable, secure forward proxy.
+Simple, scriptable, secure HTTP/SOCKS5 forward proxy.
 
 ## Features
 
+* Multiple protocol support: both HTTP and SOCKS5 are supported
 * Cross-platform (Windows/Mac OS/Linux/Android (via shell)/\*BSD)
 * Deployment with a single self-contained binary
 * Zero-configuration
-* Supports CONNECT method and forwarding of HTTPS connections
+* Seamless forwarding of all kinds of TCP connections in addition to regular web-traffic forwarding
 * Supports `Basic` proxy authentication
   * Via auto-reloaded NCSA httpd-style passwords file
   * Via static login and password
@@ -527,6 +528,8 @@ Usage of /home/user/go/bin/dumbproxy:
     	maximum TLS version accepted by server (default TLS13)
   -min-tls-version value
     	minimum TLS version accepted by server (default TLS12)
+  -mode value
+    	proxy operation mode (http/socks5) (default http)
   -passwd string
     	update given htpasswd file and add/set password for username. Username and password can be passed as positional arguments or requested interactively
   -passwd-cost int

auth/basic.go

@@ -115,6 +115,11 @@ func (auth *BasicAuth) reloadLoop(interval time.Duration) {
 	}
 }
 
+func (auth *BasicAuth) Valid(user, password, userAddr string) bool {
+	pwFile := auth.pw.Load().file
+	return pwFile.Match(user, password)
+}
+
 func (auth *BasicAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {

auth/hmac.go

@@ -84,6 +84,10 @@ func VerifyHMACLoginAndPassword(secret []byte, login, password string) bool {
 	return hmac.Equal(token.Signature[:], expectedMAC)
 }
 
+func (auth *HMACAuth) Valid(user, password, userAddr string) bool {
+	return VerifyHMACLoginAndPassword(auth.secret, user, password)
+}
+
 func (auth *HMACAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {

auth/redis.go

@@ -7,6 +7,7 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
+	"time"
 
 	clog "github.com/SenseUnit/dumbproxy/log"
 
@@ -46,6 +47,23 @@ func NewRedisAuth(param_url *url.URL, cluster bool, logger *clog.CondLogger) (*R
 	return auth, nil
 }
 
+func (auth *RedisAuth) Valid(user, password, userAddr string) bool {
+	ctx, cl := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cl()
+	encodedPasswd, err := auth.r.Get(ctx, auth.keyPrefix+user).Result()
+	if err != nil {
+		auth.logger.Debug("error fetching key %q from Redis: %v", auth.keyPrefix+user, err)
+		return false
+	}
+	matcher, err := makePasswdMatcher(encodedPasswd)
+	if err != nil {
+		auth.logger.Debug("can't create password matcher from Redis key %q: %v", auth.keyPrefix+user, err)
+		return false
+	}
+
+	return matcher.MatchesPassword(password)
+}
+
 func (auth *RedisAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/redis/go-redis/v9 v9.13.0
 	github.com/refraction-networking/utls v1.8.0
 	github.com/tg123/go-htpasswd v1.2.4
+	github.com/things-go/go-socks5 v0.1.0
 	github.com/zeebo/xxh3 v1.0.2
 	golang.org/x/crypto v0.41.0
 	golang.org/x/crypto/x509roots/fallback v0.0.0-20250826074233-8f580defa01d

go.sum

@@ -51,10 +51,12 @@ github.com/redis/go-redis/v9 v9.13.0 h1:PpmlVykE0ODh8P43U0HqC+2NXHXwG+GUtQyz+MPK
 github.com/redis/go-redis/v9 v9.13.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/refraction-networking/utls v1.8.0 h1:L38krhiTAyj9EeiQQa2sg+hYb4qwLCqdMcpZrRfbONE=
 github.com/refraction-networking/utls v1.8.0/go.mod h1:jkSOEkLqn+S/jtpEHPOsVv/4V4EVnelwbMQl4vCWXAM=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.0 h1:ib4sjIrwZKxE5u/Japgo/7SJV3PvgjGiRNAvTVGqQl8=
+github.com/stretchr/testify v1.11.0/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tg123/go-htpasswd v1.2.4 h1:HgH8KKCjdmo7jjXWN9k1nefPBd7Be3tFCTjc2jPraPU=
 github.com/tg123/go-htpasswd v1.2.4/go.mod h1:EKThQok9xHkun6NBMynNv6Jmu24A33XdZzzl4Q7H1+0=
+github.com/things-go/go-socks5 v0.1.0 h1:4f5dz0iMQ6cA4wseFmyLmCHmg3SWJTW92ndrKS6oERg=
+github.com/things-go/go-socks5 v0.1.0/go.mod h1:Riabiyu52kLsla0YmJqunt1c1JEl6iXSr4bRd7swFEA=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=

handler/adapter.go

@@ -134,3 +134,30 @@ func (w wrappedH1RespWriter) Close() error {
 }
 
 var _ io.ReadWriteCloser = wrappedH1RespWriter{}
+
+type wrappedSOCKS struct {
+	r io.Reader
+	w io.Writer
+}
+
+func wrapSOCKS(r io.Reader, w io.Writer) wrappedSOCKS {
+	return wrappedSOCKS{
+		r: r,
+		w: w,
+	}
+}
+
+func (w wrappedSOCKS) Read(p []byte) (n int, err error) {
+	return w.r.Read(p)
+}
+
+func (w wrappedSOCKS) Write(p []byte) (n int, err error) {
+	return w.w.Write(p)
+}
+
+func (w wrappedSOCKS) Close() error {
+	// can't really close SOCKS reader or writer
+	return nil
+}
+
+var _ io.ReadWriteCloser = wrappedSOCKS{}

handler/handler.go

@@ -28,11 +28,13 @@ type HandlerDialer interface {
 	DialContext(ctx context.Context, net, address string) (net.Conn, error)
 }
 
+type ForwardFunc = func(ctx context.Context, username string, incoming, outgoing io.ReadWriteCloser) error
+
 type ProxyHandler struct {
 	auth          auth.Auth
 	logger        *clog.CondLogger
 	dialer        HandlerDialer
-	forward       func(ctx context.Context, username string, incoming, outgoing io.ReadWriteCloser) error
+	forward       ForwardFunc
 	httptransport http.RoundTripper
 	outbound      map[string]string
 	outboundMux   sync.RWMutex

handler/socks.go

@@ -0,0 +1,74 @@
+package handler
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"sync"
+
+	ddto "github.com/SenseUnit/dumbproxy/dialer/dto"
+	clog "github.com/SenseUnit/dumbproxy/log"
+	"github.com/things-go/go-socks5"
+	"github.com/things-go/go-socks5/statute"
+)
+
+func SOCKSHandler(dialer HandlerDialer, logger *clog.CondLogger, forward ForwardFunc) func(ctx context.Context, writer io.Writer, request *socks5.Request) error {
+	var (
+		outboundMux sync.RWMutex
+	)
+	outbound := make(map[string]string)
+	isLoopback := func(addr string) (string, bool) {
+		outboundMux.RLock()
+		defer outboundMux.RUnlock()
+		originator, ok := outbound[addr]
+		return originator, ok
+	}
+	return func(ctx context.Context, writer io.Writer, request *socks5.Request) error {
+		if originator, isLoopback := isLoopback(request.RemoteAddr.String()); isLoopback {
+			logger.Critical("Loopback tunnel detected: %s is an outbound "+
+				"address for another request from %s", request.RemoteAddr.String(), originator)
+			socks5.SendReply(writer, statute.RepConnectionRefused, nil)
+			return fmt.Errorf("Loopback tunnel detected: %s is an outbound "+
+				"address for another request from %s", request.RemoteAddr.String(), originator)
+		}
+		username := ""
+		if request.AuthContext != nil {
+			username = request.AuthContext.Payload["username"]
+		}
+		localAddr := request.LocalAddr.String()
+		ctx = ddto.BoundDialerParamsToContext(ctx, nil, trimAddrPort(localAddr))
+		ctx = ddto.FilterParamsToContext(ctx, nil, username)
+		logger.Info("Request: %v => %v %q %v %v %v", request.RemoteAddr, localAddr, username, "SOCKS5", "CONNECT", request.DestAddr)
+		target, err := dialer.DialContext(ctx, "tcp", request.DestAddr.String())
+		if err != nil {
+			msg := err.Error()
+			resp := statute.RepHostUnreachable
+			if strings.Contains(msg, "refused") {
+				resp = statute.RepConnectionRefused
+			} else if strings.Contains(msg, "network is unreachable") {
+				resp = statute.RepNetworkUnreachable
+			}
+			if err := socks5.SendReply(writer, resp, nil); err != nil {
+				return fmt.Errorf("failed to send reply: %w", err)
+			}
+			return fmt.Errorf("connect to %v failed: %w", request.RawDestAddr, err)
+		}
+		outboundMux.Lock()
+		outbound[target.LocalAddr().String()] = request.RemoteAddr.String()
+		outboundMux.Unlock()
+		defer func() {
+			target.Close() // nolint: errcheck
+			outboundMux.Lock()
+			delete(outbound, localAddr)
+			outboundMux.Unlock()
+		}()
+
+		// Send success
+		if err := socks5.SendReply(writer, statute.RepSuccess, target.LocalAddr()); err != nil {
+			return fmt.Errorf("failed to send reply, %v", err)
+		}
+
+		return forward(ctx, username, wrapSOCKS(request.Reader, writer), target)
+	}
+}

jsext/dto.go

@@ -24,6 +24,9 @@ type JSRequestInfo struct {
 }
 
 func JSRequestInfoFromRequest(req *http.Request) *JSRequestInfo {
+	if req == nil {
+		return nil
+	}
 	return &JSRequestInfo{
 		Method:           req.Method,
 		URL:              req.URL.String(),