Add an optional config entry ssl.alpn_port_override

WillyPillow · WillyPillow · commit 27e82f7a5247 · 2020-03-21T23:22:10.000+08:00
that changes the remote port according to the ALPN. Fixes trojan-gfw#171 and trojan-gfw#226.
diff --git a/docs/config.md b/docs/config.md
@@ -174,6 +174,9 @@ The NAT config is for transparent proxy. You'll need to [setup iptables rules](h
         "alpn": [
             "http/1.1"
         ],
+        "alpn_port_override" : {
+            "h2": 81
+        },
         "reuse_session": true,
         "session_ticket": false,
         "session_timeout": 600,
@@ -215,6 +218,7 @@ The NAT config is for transparent proxy. You'll need to [setup iptables rules](h
     - `cipher_tls13`: a cipher list for TLS 1.3 to use
     - `prefer_server_cipher`: whether to prefer server cipher list in a connection
     - `alpn`: a list of `ALPN` protocols to reply
+    - alpn_port_override: overrides the remote port to the specified value if an ALPN is matched. Useful for running nginx http1.1 and http2 on different ports (#226).
     - `reuse_session`: whether to reuse `SSL` session
     - `session_ticket`: whether to use session tickets for session resumption
     - `session_timeout`: if `reuse_session` is set to `true`, specify `SSL` session timeout
diff --git a/examples/server.json-example b/examples/server.json-example
@@ -19,6 +19,9 @@
         "alpn": [
             "http/1.1"
         ],
+        "alpn_port_override" : {
+            "h2": 81
+        },
         "reuse_session": true,
         "session_ticket": false,
         "session_timeout": 600,
diff --git a/src/core/config.cpp b/src/core/config.cpp
@@ -65,6 +65,7 @@ void Config::populate(const ptree &tree) {
     }
     udp_timeout = tree.get("udp_timeout", 60);
     log_level = static_cast<Log::Level>(tree.get("log_level", 1));
+    map<string, uint16_t>().swap(alpn_port);
     ssl.verify = tree.get("ssl.verify", true);
     ssl.verify_hostname = tree.get("ssl.verify_hostname", true);
     ssl.cert = tree.get("ssl.cert", string());
@@ -75,10 +76,15 @@ void Config::populate(const ptree &tree) {
     ssl.prefer_server_cipher = tree.get("ssl.prefer_server_cipher", true);
     ssl.sni = tree.get("ssl.sni", string());
     ssl.alpn = "";
+    auto alpn_port_override = tree.get_child_optional("ssl.alpn_port_override");
     for (auto& item: tree.get_child("ssl.alpn")) {
         string proto = item.second.get_value<string>();
         ssl.alpn += (char)((unsigned char)(proto.length()));
         ssl.alpn += proto;
+        if (alpn_port_override) {
+            auto it = alpn_port_override->find(proto);
+            alpn_port[proto] = it != alpn_port_override->not_found() ? it->second.get_value<uint16_t>() : remote_port;
+        }
     }
     ssl.reuse_session = tree.get("ssl.reuse_session", true);
     ssl.session_ticket = tree.get("ssl.session_ticket", false);
diff --git a/src/core/config.h b/src/core/config.h
@@ -42,6 +42,7 @@ class Config {
     std::map<std::string, std::string> password;
     int udp_timeout;
     Log::Level log_level;
+    std::map<std::string, uint16_t> alpn_port;
     class SSLConfig {
     public:
         bool verify;
diff --git a/src/session/serversession.cpp b/src/session/serversession.cpp
@@ -31,7 +31,8 @@ ServerSession::ServerSession(const Config &config, boost::asio::io_context &io_c
     out_socket(io_context),
     udp_resolver(io_context),
     auth(auth),
-    plain_http_response(plain_http_response) {}
+    plain_http_response(plain_http_response),
+    remote_port(0) {}
 
 tcp::socket& ServerSession::accept_socket() {
     return (tcp::socket&)in_socket.next_layer();
@@ -59,6 +60,11 @@ void ServerSession::start() {
             destroy();
             return;
         }
+        const unsigned char *alpn_out = nullptr;
+        unsigned int alpn_len = 0;
+        SSL_get0_alpn_selected(in_socket.native_handle(), &alpn_out, &alpn_len);
+        auto it = config.alpn_port.find(std::string(alpn_out, alpn_out + alpn_len));
+        remote_port = (it != config.alpn_port.end()) ? it->second : config.remote_port;
         in_async_read();
     });
 }
@@ -153,7 +159,7 @@ void ServerSession::in_recv(const string &data) {
             }
         }
         string query_addr = valid ? req.address.address : config.remote_addr;
-        string query_port = to_string(valid ? req.address.port : config.remote_port);
+        string query_port = to_string(valid ? req.address.port : remote_port);
         if (valid) {
             out_write_buf = req.payload;
             if (req.command == TrojanRequest::UDP_ASSOCIATE) {
@@ -166,7 +172,7 @@ void ServerSession::in_recv(const string &data) {
                 Log::log_with_endpoint(in_endpoint, "requested connection to " + req.address.address + ':' + to_string(req.address.port), Log::INFO);
             }
         } else {
-            Log::log_with_endpoint(in_endpoint, "not trojan request, connecting to " + config.remote_addr + ':' + to_string(config.remote_port), Log::WARN);
+            Log::log_with_endpoint(in_endpoint, "not trojan request, connecting to " + config.remote_addr + ':' + to_string(remote_port), Log::WARN);
             out_write_buf = data;
         }
         sent_len += out_write_buf.length();
diff --git a/src/session/serversession.h b/src/session/serversession.h
@@ -38,6 +38,7 @@ class ServerSession : public Session {
     Authenticator *auth;
     std::string auth_password;
     const std::string &plain_http_response;
+    uint16_t remote_port;
     void destroy();
     void in_async_read();
     void in_async_write(const std::string &data);
