go-gost / gost Goto Github PK

使用场景：
1.需要根据转发的服务统计流量使用情况。
2.创建service后，通过查看日志的output和input进行统计。

3.发现通过API调用移除service后，查看日志依旧存在service。但是通过获取配置文件，发现已经被移除了。

请求使用utls增加指纹模拟功能

I downloaded https://github.com/ginuerzh/gost/releases/download/v2.11.2/gost-windows-386-2.11.2.zip and Windows Defender warns it contains "Program:Win32/Uwamson.A!ml", they don't really give any info: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3aWin32%2fUwamson.A!ml&threatid=250070

it might be related to this malware: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Uwamson&ThreatID=2147734168

or maybe a false positive?

服务端和客户端都指定ca后，使用rtcp会显示未提供有效证书。而其他情况，双向证书检验可以正常运行

@ginuerzh 看下是不是？

故障配置：

services:
- name: service-0
  handler:
    type: ss
    chain: chain-0

chains:
- name: chain-0
  hops:
  - name: hop-0
    nodes:
    - name: node-0
      addr: AAAA:8118
      connector:
        type: ss
        auth:
          username: aes-128-gcm
          password: "xxxx"
  - name: hop-1
    nodes:
        - name: node-0
      addr: BBBB:8119
      connector:
        type: ss
        auth:
          username: aes-128-gcm
          password: "xxxx"

此时，该service-0 报错：msg="cipher: message authentication failed"

将Hop1 的SS服务器换成 Socks5服务器，
故障消失。

./gost -L socks5://username:password@:8080?interface=eh0

我是用上面命令启动 socks5 的，但是使用软件测试后 发现无法进行UDP转发 请问要怎么配置

websocket添加ping pongs，实现双向心跳，
http2同理，
不然在nat层，没有数据传输，常常会被断开连接，
还有添加限流，针对单连接限制最大上行，下行速率，

我想咨询一下，如果使用了secrets=secrets.txt来进行账户密码认证，要修改哪些文件，可以使得把用户使用流量的情况写入日志中。

类似下面这样的配置可以在服务器端转发数据吗？还是必须"socks5+icmp"或承载其它协议?

服务端：./gost -L=icmp://:0?keepAlive=1

客户端：./gost -L=:1111 -F=icmp://22.22.22.22:0?keepAlive=1

谢谢！

v3版本尚未正式发布，所以我用的docker v3版本，版本号是gost 3.0.0-alpha (go1.17.6 linux/amd64)
我定义了resolver-0，期望chains—hops—nodes—node—addr中的域名，能到我定义的resolver-0中去解析
实际运行结果是，gost并没有去resolver-0进行域名解析，反而是直接调用操作系统dns地址去解析

我的配置文件如下：

resolvers:
- name: **my-resolver**
  nameservers:
  - addr: udp://114.114.114.114:53
    prefer: ipv4
    timeout: 3s
services:
- name: service-0
  addr: ":1080"
  handler:
    type: socks5
    **resolver: my-resolver**
    chain: chain-0
  listener:
    type: tcp
chains:
- name: chain-0
  hops:
  - name: hop-0
    nodes:
    - name: node-0
      **resolver: my-resolver**
      addr: **gost.myserver.com**:443
      connector:
        type: relay
      dialer:
        type: wss

我希望域名gost.myserver.com去my-resolver解析，实际上并不生效

VPS单个网卡同时包含多个IPV4和一个IPV6
GOST指定出口IPV4后IPV6网站无法访问，当不指定interface时IPV6网站可以访问
IP已用本地IP代替，VPS环境上都是公网IP
GOST配置如下

services:
- name: service-0
  addr: "127.0.0.1:80"
  interface: 127.0.0.1
  handler:
    type: http
    auther: auther-0
  listener:
    type: tcp
- name: service-1
  addr: "127.0.0.2:80"
  interface: 127.0.0.2
  handler:
    type: http
    auther: auther-0
  listener:
    type: tcp
- name: service-2
  addr: "127.0.0.3:80"
  interface: 127.0.0.3
  handler:
    type: http
    auther: auther-0
  listener:
    type: tcp
authers:
- name: auther-0
  auths:
  - username: admin
    password: admin

v3, tun客户端，Windows平台。

服务起来后，无法直接连通其他客户端。
在本地ping一下远程服务器端网关即可解决这个问题。

是否能够增加服务启动后自动和远端网关心跳通讯一下。

想把B机器6688端口转发到A机器2222端口，命令如下

A机器 docker run -d --net=host gogost/gost -L socks5://:1080
B机器 docker run -d --net=host gogost/gost -L rtcp://:2222/:6688 -F socks5://A机器IP:1080

A机器日志如下：
{"cmd":"mbind","dst":":2222/tcp","handler":"socks5","kind":"handler","level":"info","listener":"tcp","local":"10.0.0.4:1080","msg":"B机器IP:42326 >> :2222","remote":"B机器IP:42326","service":"service-0","time":"2022-04-01T05:39:06Z"}
{"cmd":"mbind","dst":":2222/tcp","handler":"socks5","kind":"handler","level":"error","listener":"tcp","local":"10.0.0.4:1080","msg":"socks5: BIND is disabled","remote":"B机器IP:42326","service":"service-0","time":"2022-04-01T05:39:06Z"}
{"duration":142945638,"handler":"socks5","kind":"handler","level":"info","listener":"tcp","local":"10.0.0.4:1080","msg":"B机器IP:42326 >< 10.0.0.4:1080","remote":"B机器IP:42326","service":"service-0","time":"2022-04-01T05:39:06Z"}
{"handler":"socks5","kind":"handler","level":"info","listener":"tcp","local":"10.0.0.4:1080","msg":"B机器IP:42328 <> 10.0.0.4:1080","remote":"B机器IP:42328","service":"service-0","time":"2022-04-01T05:39:07Z"}

使用相同的命令 在v2版本的gost可以正常运行

A机器 docker run -d --net=host ginuerzh/gost -L socks5://:1080
B机器 docker run -d --net=host ginuerzh/gost -L rtcp://:2222/:6688 -F socks5://A机器IP:1080

请问v3版本配置是否需要额外参数？有哪里配置不正确？
谢谢耐心阅读解答

服务端用grpc的话，是否支持自定义tls证书？
比如：gost -L "grpc://:2333?certFile=/root/XXX.pem&keyFile=/root/XXX.key"

大大gost v2 v3中 能否增加限制用户的“并发连接数和连接请求数” 支持热更新

版本：3.0.0beta2
客户端（windows）：-L :1089 -F "socks5+icmp://xxx:yyy@zzz:0"
服务端（linux）：-L socks5+icmp://xxx:yyy@:0?keepAlive=1
服务端运行正常
客户端可以正常输出info的监听成功提示
但是一旦有任何包传上去就会报错退出
客户端日志：
``{"level":"warning","msg":"load TLS certificate files failed, use random generated certificate","time":"2022-04-08T20:32:25+08:00"}
{"handler":"auto","kind":"service","level":"info","listener":"tcp","msg":"listening on [::]:1089/tcp","service":"service-0","time":"2022-04-08T20:32:25+08:00"}
{"handler":"auto","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1089","msg":"127.0.0.1:49254 <> 127.0.0.1:1089","remote":"127.0.0.1:49254","service":"service-0","time":"2022-04-08T20:32:26+08:00"}
{"handler":"auto","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1089","msg":"127.0.0.1:49254 <> 127.0.0.1:1089","remote":"127.0.0.1:49254","service":"service-0","time":"2022-04-08T20:32:26+08:00","type":"socks5"}
{"cmd":"connect","dst":"bgp.he.net:443/tcp","handler":"auto","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1089","msg":"127.0.0.1:49254 >> bgp.he.net:443","remote":"127.0.0.1:49254","service":"service-0","time":"2022-04-08T20:32:26+08:00","type":"socks5"}
2022/04/08 20:32:26 connection doesn't allow setting of receive buffer size. Not a *net.UDPConn?. See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
{"handler":"auto","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1089","msg":"127.0.0.1:49255 <> 127.0.0.1:1089","remote":"127.0.0.1:49255","service":"service-0","time":"2022-04-08T20:32:26+08:00"}
{"handler":"auto","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1089","msg":"127.0.0.1:49255 <> 127.0.0.1:1089","remote":"127.0.0.1:49255","service":"service-0","time":"2022-04-08T20:32:26+08:00","type":"socks5"}
{"cmd":"connect","dst":"bgp.he.net:443/tcp","handler":"auto","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1089","msg":"127.0.0.1:49255 >> bgp.he.net:443","remote":"127.0.0.1:49255","service":"service-0","time":"2022-04-08T20:32:26+08:00","type":"socks5"}
{"duration":590762400,"handler":"auto","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1089","msg":"127.0.0.1:49254 >< 127.0.0.1:1089","remote":"127.0.0.1:49254","service":"service-0","time":"2022-04-08T20:32:27+08:00","type":"socks5"}
{"duration":591278000,"handler":"auto","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1089","msg":"127.0.0.1:49254 >< 127.0.0.1:1089","remote":"127.0.0.1:49254","service":"service-0","time":"2022-04-08T20:32:27+08:00"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x9d40cd]

goroutine 10 [running]:
github.com/go-gost/core/chain.(*Route).connect(0xc000589140, {0x1325ab8, 0xc00003c110})
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/chain/route.go:123 +0x26d
github.com/go-gost/core/chain.(*Route).Dial(0xc000589140, {0x1325ab8, 0xc00003c110}, {0x1188799, 0x3}, {0xc00040a240, 0xe}, {0xc00052f938, 0x2, 0x2})
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/chain/route.go:52 +0x237
github.com/go-gost/core/chain.(*Router).dial(0xc00042c770, {0x1325ab8, 0xc00003c110}, {0x1188799, 0x3}, {0xc00040a240, 0xe})
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/chain/router.go:123 +0x46c
github.com/go-gost/core/chain.(*Router).Dial(0xc00040a240?, {0x1325ab8?, 0xc00003c110?}, {0x1188799, 0x3}, {0xc00040a240?, 0x3?})
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/chain/router.go:79 +0x3f
github.com/go-gost/x/handler/socks/v5.(*socks5Handler).handleConnect(0xc00037a600, {0x1325ab8, 0xc00003c110}, {0x132ac30, 0xc000480180}, {0x1188799, 0x3}, {0xc00040a240, 0xe}, {0x132eea0, ...})
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/handler/socks/v5/connect.go:28 +0x4bb
github.com/go-gost/x/handler/socks/v5.(*socks5Handler).Handle(0xc00037a600, {0x1325ab8, 0xc00003c110}, {0x132ac30, 0xc000480180}, {0xb?, 0xc00013dd78?, 0x23e4042c413?})
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/handler/socks/v5/handler.go:98 +0x7b4
github.com/go-gost/x/handler/auto.(*autoHandler).Handle(0xc00037a580, {0x1325ab8, 0xc00003c110}, {0x132b260, 0xc00010a060}, {0x0?, 0x0?, 0x0?})
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/handler/auto/handler.go:107 +0x754
github.com/go-gost/core/service.(*service).Serve.func1()
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/service/service.go:124 +0x394
created by github.com/go-gost/core/service.(*service).Serve
C:/Users/10330/go/pkg/mod/github.com/go-gost/[email protected]/service/service.go:104 +0x20a``

能整合下clash那种通过不同IP端口不同域名什么的走不同节点或者直连的功能不..现有的那个白名单黑名单做不到类似的功能呀..

自从上次说开发3.0版本, 现在一个多月都没更新了

配置片段如下：
hosts:

• name: hosts-0
  mappings:
  • ip: 104.16.77.107
    hostname: my.server.com

chains:

• name: chain-0
  hops:
  • name: hop-0
    nodes:
    • name: node-0
      hosts: hosts-0
      addr: "my.server.com:443"
      connector:
      type: relay
      auth:
      username: dkaxnu9ng1KvOslo
      password: dyHJop3wATGb4VMW
      dialer:
      type: http3
      metadata:
      authorizePath: /authorize
      pullPath: /pull
      pushPath: /push

日志一直刷这个错误：
{"handler":"socks5","kind":"handler","level":"error","listener":"tcp","msg":"route(retry=0) Get "https://104.16.77.107:443/authorize\": CRYPTO_ERROR (0x128): tls: handshake failure","service":"service-0","time":"2022-02-18T23:29:27+08:00"}

怀疑是dialer在请求http3之前，直接先把域名替换成了ip，然后才发起http3请求

是有这个可能吗？

我手头没有可以测试http3的工具，所以只能忙猜了，如有理解错误，还望海涵

【这样配置，不通】

- name: service-1
  addr: ":10053"
  handler:
    type: dns
    chain: chain-0
  listener:
    type: dns
    metadata:
      mode: tls
      dns: 1.1.1.1:853

【这样配置，还是不通】

- name: service-1
  addr: ":10053"
  handler:
    type: dns
  listener:
    type: dns
    chain: chain-0
    metadata:
      mode: tls
      dns: 1.1.1.1:853

【目前只能这么用着】

- name: service-1
  addr: :10053
  handler:
    type: udp
    chain: chain-0
  listener:
    type: udp
  forwarder:
    targets:
    - 1.1.1.1:53

{
  "services": [
    {
      "name": "proxy1",
      "addr": "10.1.0.6:8080",
      "handler": {
        "type": "socks5",
        "auth": {
          "username": "123456",
          "password": "123456"
        },
        "udp": true,
        "metadata": {
          "udp": true
        }
      },
      "listener": {
        "type": "tcp"
      },
      "interface": "10.1.0.6"
    }

这是配置文件

gost-v3 -L=redirect://:1090 -F=relay+quic://aaa:[email protected]:5555
iptable -t nat -A OUTPUT -d 8.8.8.8/32 -p tcp -j REDIRECT --to-ports 1090

启动可以，但只要一执行下面的命令就报错退出
dig youtube.com @8.8.8.8 +tcp

报错信息：
{"handler":"redirect","kind":"handler","level":"info","listener":"tcp","local":"127.0.0.1:1090","msg":"192.168.2.1:55699 <> 127.0.0.1:1090","remote":"192.168.2.1:55699","service":"service-0","time":"2022-03-19T14:05:28+08:00"}
{"handler":"redirect","kind":"handler","level":"error","listener":"tcp","local":"127.0.0.1:1090","msg":"wrong connection type, must be TCP","remote":"192.168.2.1:55699","service":"service-0","time":"2022-03-19T14:05:28+08:00"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0xdfbaeb]

如果没有计划，过几天我推个pr？

其实在2020年就反馈过：
ginuerzh/gost#627
只是一直没解决，看大佬在开发3.0，希望大佬顺便解决了。
简单说就是断流问题，v2.3-2.6.1版本不断流，后面到2.11.1全部断流

具体重现方法：
环境：amd64或arm64都可以，都试过
服务端：kcp模式
客户端：redirect+kcp模式
kcp参数默认就可以
测试方法：iptables将vps的ssh端口redirect到gost的端口，然后ssh连接vps（此时就是走的gost通道连到vps服务器上了），连接成功后，保持不动就可以了，大概1-10分钟不等这个ssh连接就被断开了

另外我测试过：
ss+kcptun+udp2raw，不会断
gost(<=2.6.1) redirect+kcp+udp2raw，不会断
gost(>2.6.1) redirect+kcp+udp2raw，会断
gost redirect+relay+kcp+udp2raw，会断

yaml配置

services:
- name: socks5
  addr: ":21080"
  # bypass: bypass01
  handler:
    type: socks5
    # chain: chain-ss
    metadata:
      auths:
       - gost:gost
      readTimeout: 5s
      notls: true
      bind: true
      udp: true
      # udpBufferSize: 4096 # range [512, 66560]
  listener:
    type: tcp
    metadata:
      keepAlive: 15s

yaml命令行转json后的配置

{
  "services": [
    {
      "name": "socks5",
      "addr": ":21080",
      "handler": {
        "type": "socks",
        "metadata": {
          "auths": [
            "gost:gost"
          ],
          "bind": true,
          "notls": true,
          "readTimeout": "5s",
          "udp": true
        }
      },
      "listener": {
        "type": "tcp",
        "metadata": {
          "keepAlive": "15s"
        }
      }
    }
  ]
}

无法连接，等我回家给log

作者你好，我想请问一下项目里的api接口的swagger是用go-swagger生成的吗？初接触go，能否大致讲一下写了注释后如何生成swagger.yaml
十分感谢

问题1，通过API交互进行的配置变更在进程结束后均全部失效，如果保存变更后的配置？
问题2，当前文档显示API已添加身份认证，这个认证信息如何提交？是在header里还是在url里或者其它地方？

https://github.com/Qv2ray/gun

grpc基于http2，

https://support.cloudflare.com/hc/zh-cn/articles/360050483011-%E4%BA%86%E8%A7%A3-Cloudflare-gRPC-%E6%94%AF%E6%8C%81

这样可以穿cdn

./gost -L=:2301/远程目标主机IP:远程目标主机端口

目前我是用上面命令启动的中转，本机通过SOCKS5客户端连接到中转机，TCP转发测试没有问题，但是UDP转发测试就一直失败，请问是否还需要添加什么参数？

环境
本机：SOCKS5客户端，只能连接到中转机
中转机：通过 ./gost -L=:2301/远程目标主机IP:远程目标主机端口 命令启动，可以连接到远程目标主机
远程目标主机：通过 ./gost -L socks5 命令启动了socks5代理

你好，客户端ip白名单列表支持热更新吗？
https://latest.gost.run/concepts/admission/

如题，如果条件允许，希望gost能够自定义header，
作者大大评估一下看看

主要是为了改host，因为在内网用gost，流量需要过nginx(nginx指定了server_name)

我测试的过程中，拦截百度的访问：
./gost -api :9000 -L http://:1080 -F http://用户名:密码@168.158.199.186:12323?bypass=*.baidu.com
以这样的方式运行命令，但是无法拦截百度的访问

分流或者其他跟区域ip有关的，更加方便。

ipv4 only单栈主机有两个interface，eth0 ipv4，wgcf (cloudflare warp) ipv4+ipv6
请问gost能否支持dns解析优先级和interface优先级？
比如：dns解析返回ipv4+ipv6，配置ipv6优先时，走wgcf的ipv6，dns解析返回ipv4，走eth0的ipv4

而对于ipv6 only单栈主机，dns解析返回ipv4+ipv6，配置ipv6优先时，走eth0的ipv6，dns解析返回ipv4，走wgcf的ipv4

例如：服务器有多个公网ip(ipv4或ipv6)，能够设定走指定ip出去，实现多ip利用

gost -L=ws://:80?out=500k&in=500k

gost -L=:1080 -F=ws://:80?out=500k&in=500k

针对单连接进行最大带宽限制，使用iperf3进行测速，如果限制不超过某个值，传输非常平稳，
如果超过某个值之后，会被Qos惩戒，然后当前连接速率就为0，只能断开，重新发起连接，才有速率。

客户端限制或者服务端限制，同时有效。

希望大大能增加这个功能，例如把ip存入redis并设置有效期，gost定时读取redis里的ip

能够对每个来源ip进行限速

服务端运行同样一条规则命令，WINDOWS版做服务端监听端口转发数据，客户端直连这个端口传数据是失败的，换作linux版做服务端就没事。。。如果WIN上没有特别设置，那这算不算一个BUG。 2.0和3.0都试了，都有这问题。 WIN版本做服务端会有如下提示

最新版gost tun在Android上用不了(无法ping通)。
服务端命令:
gost -L tun://:8888?net=192.168.10.1/24
客户端命令(在Android上):
gost -L tun://:8888/服务端ip:8888?net=192.168.10.2/24
在客户端ping 192.168.10.1失败。

https://latest.gost.run/reference/connectors/sni/
名称： ssu
应该为
名称： sni

希望增加故障转移功能

ssserver -k "" -m "none" -s "127.0.0.1:9000"

https://github.com/shadowsocks/shadowsocks-rust

不支持此模式。

抓包后发现，gost ws path有/path?ffff=yyy&y=r时，?被错误的编成像%2F这样的内容。 @ginuerzh

请问icmp可以加tls吗
类似于
客户端：./gost -L :1111/66.66.66.66:2141 -F icmp+tls://66.77.77.77:0
服务端：./gost -L icmp+tls://:0?keepAlive=1

请教下，gost V3，监控指标处能够只获取type=counter的内容吗？
ip:9000/speedlog?type=counter，以这种方式无法获取