feat: add comprehensive HTTP e2e tests covering connector, TLS, probeResist, idleTimeout, and UDP relay
Adds 12 new HTTP handler test scenarios: HTTP connector (no-auth, auth, TLS upstream), CONNECT tunnel (no-sniffing, bypass-403), probeResist (host, web, file, knock), idleTimeout, and UDP relay over HTTP. Introduces RunGostContainerWithFiles helper for mounting extra files into test containers.
This commit is contained in:
@@ -0,0 +1,276 @@
|
|||||||
|
# 执行计划:HTTP Handler E2E 测试 + utils.go 重构
|
||||||
|
|
||||||
|
## 背景
|
||||||
|
|
||||||
|
从 PLAN.md 的 Step 0 和 Step 1A 开始实施。HTTP proxy 是 gost 最基础的协议,目前 e2e 测试仅覆盖 shadowsocks 和 parallel selector。本计划先重构 utils.go 提取公共 helper,然后用 helper 写 HTTP handler 测试套件,最后同步重构 shadowsocks_test.go。
|
||||||
|
|
||||||
|
## 变更文件清单
|
||||||
|
|
||||||
|
| 文件 | 操作 | 说明 |
|
||||||
|
|------|------|------|
|
||||||
|
| `tests/e2e/utils.go` | 修改 | 新增 `RunTCPCase` / `RunUDPCase` |
|
||||||
|
| `tests/e2e/http_test.go` | 新建 | HTTP proxy 测试套件 |
|
||||||
|
| `tests/e2e/testdata/http/server.yaml` | 新建 | 无 auth 的 HTTP proxy 服务器 |
|
||||||
|
| `tests/e2e/testdata/http/server_auth.yaml` | 新建 | 带 auth 的 HTTP proxy 服务器 |
|
||||||
|
| `tests/e2e/shadowsocks_test.go` | 修改 | 重构为使用 `RunTCPCase` / `RunUDPCase` |
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 1: 修改 `utils.go` — 提取 RunTCPCase / RunUDPCase
|
||||||
|
|
||||||
|
从 `shadowsocks_test.go` 的 `runTCPCase` 和 `runUDPCase` 提取为包级函数。关键差异:参数需要传入 echo container IP 和 echo container 本身(用于 dump logs)。
|
||||||
|
|
||||||
|
### RunTCPCase 签名与逻辑
|
||||||
|
|
||||||
|
```go
|
||||||
|
// RunTCPCase runs a full TCP proxy test case:
|
||||||
|
// start server → render client config → start client → curl assertion → cleanup.
|
||||||
|
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP string,
|
||||||
|
name, serverConfig, clientConfig string)
|
||||||
|
```
|
||||||
|
|
||||||
|
逻辑(从 shadowsocks_test.go:132-160 提取,一字不差):
|
||||||
|
1. 生成 serverAlias = `name + "-server"`
|
||||||
|
2. `RunGostContainerWithOptions(ctx, networkName, serverConfig, [serverAlias], ["8388/tcp"])`
|
||||||
|
3. `defer serverC.Terminate(ctx)`
|
||||||
|
4. `RenderConfig(clientConfig, {ServerAddr: serverAlias + ":8388"})`
|
||||||
|
5. `defer os.Remove(rendered)`
|
||||||
|
6. `RunGostContainerWithPorts(ctx, networkName, rendered, "8080/tcp")`
|
||||||
|
7. `defer clientC.Terminate(ctx)`
|
||||||
|
8. `clientC.Exec(ctx, ["curl", "-v", "-s", "-x", "http://127.0.0.1:8080", "http://<echoIP>:5678"])`
|
||||||
|
9. 断言 exitCode==0 且 body 包含 `"hello-gost"`,失败时 DumpLogs
|
||||||
|
|
||||||
|
**问题:端口硬编码**。shadowsocks 用 8388 作为服务端口,但其他协议可能用不同端口。需要参数化。
|
||||||
|
|
||||||
|
### 修正设计 — 参数化端口
|
||||||
|
|
||||||
|
```go
|
||||||
|
type TCPOptions struct {
|
||||||
|
ServerPort string // 容器内服务端口,默认 "8388/tcp"
|
||||||
|
ClientPort string // 客户端代理端口,默认 "8080/tcp"
|
||||||
|
}
|
||||||
|
|
||||||
|
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP string,
|
||||||
|
name, serverConfig, clientConfig string, opts ...TCPOptions)
|
||||||
|
```
|
||||||
|
|
||||||
|
当 `opts` 为空时使用默认值 `{ServerPort: "8388/tcp", ClientPort: "8080/tcp"}`。这样 shadowsocks 测试无需任何改动,而 HTTP 测试可传 `TCPOptions{ServerPort: "8080/tcp", ClientPort: "8080/tcp"}`。
|
||||||
|
|
||||||
|
等一下 — 仔细看 shadowsocks 的 server 容器暴露的是 `8388/tcp`,HTTP proxy 场景下只有一个 gost 容器(不做 server→client 链路),直接暴露 proxy 端口。
|
||||||
|
|
||||||
|
**重新思考:HTTP proxy 不需要 server+client 两容器模式。**
|
||||||
|
|
||||||
|
HTTP proxy 测试是最简单的模式 — 只需一个 gost 容器运行 HTTP proxy,然后容器内 curl 通过它访问 echo server。这和 parallel_selector_test.go 的模式一致。但为了统一框架和后续协议(SOCKS5、relay 等都需要 server+client 模式),我们应该:
|
||||||
|
|
||||||
|
- HTTP 的"无 auth"用例:**单容器模式**(同 parallel_selector)
|
||||||
|
- HTTP 的"带 auth"用例:**也可以单容器**,只需在 curl 加 `--proxy-user`
|
||||||
|
|
||||||
|
所以 HTTP proxy 不需要 server/client 分离,但 RunTCPCase helper 仍然服务于 SOCKS5/relay 等需要链路的协议。
|
||||||
|
|
||||||
|
### 最终 RunTCPCase 设计
|
||||||
|
|
||||||
|
```go
|
||||||
|
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP, name string,
|
||||||
|
serverConfig, clientConfig string, serverPort, clientPort string)
|
||||||
|
```
|
||||||
|
|
||||||
|
- `serverPort`: 服务端容器暴露端口,如 `"8388/tcp"`
|
||||||
|
- `clientPort`: 客户端容器暴露端口,如 `"8080/tcp"`
|
||||||
|
- 渲染模板时用 `ServerAddr: serverAlias + ":" + strings.TrimSuffix(serverPort, "/tcp")`
|
||||||
|
|
||||||
|
### RunUDPCase 设计
|
||||||
|
|
||||||
|
```go
|
||||||
|
func RunUDPCase(t *testing.T, ctx context.Context, networkName, name string,
|
||||||
|
serverConfig, clientConfig string, serverPort, clientPort string)
|
||||||
|
```
|
||||||
|
|
||||||
|
逻辑从 shadowsocks_test.go:76-126 提取。
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 2: 新建 `testdata/http/` 配置文件
|
||||||
|
|
||||||
|
### `testdata/http/server.yaml` — 无 auth 的 HTTP proxy
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
```
|
||||||
|
|
||||||
|
单容器即可测试:gost 启动后在 :8080 提供 HTTP proxy 服务。
|
||||||
|
|
||||||
|
### `testdata/http/server_auth.yaml` — 带 auth 的 HTTP proxy
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
- name: http-proxy-auth
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 3: 新建 `http_test.go`
|
||||||
|
|
||||||
|
### 套件结构
|
||||||
|
|
||||||
|
```go
|
||||||
|
type HTTPSuite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
echoC testcontainers.Container
|
||||||
|
echoIP string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTPSuite) SetupSuite() // 启动 TCP echo
|
||||||
|
func (s *HTTPSuite) TearDownSuite() // 关闭 echo
|
||||||
|
|
||||||
|
func (s *HTTPSuite) TestHTTPProxy() // 无 auth
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyAuth() // 带 auth
|
||||||
|
|
||||||
|
func TestHTTPSuite(t *testing.T) {
|
||||||
|
suite.Run(t, new(HTTPSuite))
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### TestHTTPProxy — 单容器模式(同 parallel_selector)
|
||||||
|
|
||||||
|
```go
|
||||||
|
func (s *HTTPSuite) TestHTTPProxy() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### TestHTTPProxyAuth — 带 auth 验证
|
||||||
|
|
||||||
|
```go
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyAuth() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_auth.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// 测试1:无 auth 应失败(407)
|
||||||
|
s.T().Run("no-auth-should-fail", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-x", "http://127.0.0.1:8080", fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
// curl exit code 非 0 或 HTTP status 是 407
|
||||||
|
// 注意:gost HTTP proxy 在无 auth 时返回 407,curl 不会自动重试
|
||||||
|
// 所以这里验证返回码是 407 或 curl 返回非零
|
||||||
|
httpStatus := strings.TrimSpace(string(body))
|
||||||
|
s.Assert().True(code != 0 || httpStatus == "407",
|
||||||
|
"expected auth failure, got status: %s, exit code: %d", httpStatus, code)
|
||||||
|
})
|
||||||
|
|
||||||
|
// 测试2:正确 auth 应成功
|
||||||
|
s.T().Run("with-auth-should-succeed", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x",
|
||||||
|
"http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### 注意事项
|
||||||
|
- HTTP proxy 是**单容器模式**,不需要 server/client 分离(不像 shadowsocks 需要解密/加密链路)
|
||||||
|
- auth 测试分两步:先验证无 auth 被拒(407),再验证正确 auth 成功
|
||||||
|
- curl 使用 `http://user:pass@host:port` 格式传递 proxy auth
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 4: 重构 `shadowsocks_test.go`
|
||||||
|
|
||||||
|
将 `runTCPCase` 和 `runUDPCase` 方法替换为调用 `utils.go` 中的 `RunTCPCase` / `RunUDPCase`:
|
||||||
|
|
||||||
|
**Before**:
|
||||||
|
```go
|
||||||
|
func (s *ShadowsocksSuite) TestShadowsocksTCP() {
|
||||||
|
s.runTCPCase("aes256gcm", "testdata/shadowsocks/tcp_server_aes256gcm.yaml", "testdata/shadowsocks/tcp_client_aes256gcm.yaml")
|
||||||
|
s.runTCPCase("chacha20", "testdata/shadowsocks/tcp_server_chacha20.yaml", "testdata/shadowsocks/tcp_client_chacha20.yaml")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
**After**:
|
||||||
|
```go
|
||||||
|
func (s *ShadowsocksSuite) TestShadowsocksTCP() {
|
||||||
|
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "aes256gcm",
|
||||||
|
"testdata/shadowsocks/tcp_server_aes256gcm.yaml",
|
||||||
|
"testdata/shadowsocks/tcp_client_aes256gcm.yaml",
|
||||||
|
"8388/tcp", "8080/tcp")
|
||||||
|
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "chacha20",
|
||||||
|
"testdata/shadowsocks/tcp_server_chacha20.yaml",
|
||||||
|
"testdata/shadowsocks/tcp_client_chacha20.yaml",
|
||||||
|
"8388/tcp", "8080/tcp")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
删除 `runTCPCase` 和 `runUDPCase` 方法。UDP 测试同理。
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 实施顺序
|
||||||
|
|
||||||
|
1. **`utils.go`** — 添加 `RunTCPCase` + `RunUDPCase`(不删除任何现有函数)
|
||||||
|
2. **`testdata/http/`** — 创建 `server.yaml` + `server_auth.yaml`
|
||||||
|
3. **`http_test.go`** — 创建 HTTP 套件
|
||||||
|
4. **编译验证** — `cd gost && go build ./... && go vet ./tests/e2e/...`
|
||||||
|
5. **`shadowsocks_test.go`** — 重构为使用新 helper
|
||||||
|
6. **最终编译验证** — `go build ./... && go vet ./tests/e2e/...`
|
||||||
|
7. **运行测试** — `go test ./tests/e2e/ -v -run TestHTTPSuite -timeout 5m`
|
||||||
|
8. **回归测试** — `go test ./tests/e2e/ -v -run TestShadowsocksSuite -timeout 5m`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 验证
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /config/workspace/go-gost/gost
|
||||||
|
go build ./...
|
||||||
|
go vet ./tests/e2e/...
|
||||||
|
go test ./tests/e2e/ -v -run TestHTTPSuite -timeout 5m
|
||||||
|
go test ./tests/e2e/ -v -run TestShadowsocksSuite -timeout 5m
|
||||||
|
```
|
||||||
@@ -0,0 +1,183 @@
|
|||||||
|
# Plan: Expand E2E Test Suite
|
||||||
|
|
||||||
|
## Context
|
||||||
|
|
||||||
|
The e2e test framework (`tests/e2e/`) currently covers only **2 protocols** (Shadowsocks, parallel selector) out of **~30+ registered protocols** in gost. This plan systematically adds test coverage for all major protocols, following the existing Docker-based testcontainers pattern exactly.
|
||||||
|
|
||||||
|
**Key insight**: gost auto-generates self-signed TLS certs when none are provided (`x/config/parsing/tls.go` — `BuildDefaultTLSConfig`), and clients with default config skip cert verification. This means TLS-based protocols (ws→wss, h2c→h2, quic, etc.) can be tested **without mounting cert files**.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 0: Refactor `utils.go` — Add Reusable Test Helpers
|
||||||
|
|
||||||
|
**File**: `tests/e2e/utils.go`
|
||||||
|
|
||||||
|
Extract the repeated patterns from `shadowsocks_test.go` into reusable helpers:
|
||||||
|
|
||||||
|
1. **`RunTCPCase(t, ctx, networkName, echoIP, name, serverConfig, clientConfig string)`** — Full lifecycle: start server → render client config → start client → curl assertion → cleanup. Extracts the logic from `ShadowsocksSuite.runTCPCase`.
|
||||||
|
|
||||||
|
2. **`RunUDPCase(t, ctx, networkName, name, serverConfig, clientConfig string)`** — Same for UDP: start server → render client → start client → dial UDP → retry loop → assertion → cleanup. Extracts from `runUDPCase`.
|
||||||
|
|
||||||
|
These eliminate ~40 lines of boilerplate per suite. Each suite's test methods become one-liners:
|
||||||
|
```go
|
||||||
|
func (s *SOCKS5Suite) TestSOCKS5TCP() {
|
||||||
|
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "socks5-tcp",
|
||||||
|
"testdata/socks5/tcp_server.yaml", "testdata/socks5/tcp_client.yaml")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 1: Tier 1 — Core Protocols (Plain TCP, No Special Infrastructure)
|
||||||
|
|
||||||
|
Each suite follows the exact pattern: suite struct → `SetupSuite` (echo containers) → `TearDownSuite` → test methods calling `RunTCPCase`/`RunUDPCase` → `suite.Run()` entry point.
|
||||||
|
|
||||||
|
### 1A. HTTP Proxy Suite
|
||||||
|
- **Files**: `http_test.go`, `testdata/http/` (2 configs)
|
||||||
|
- **Configs**: `server.yaml` (handler `http`, listener `tcp`), `server_auth.yaml` (+ basic auth)
|
||||||
|
- **Tests**: `TestHTTPProxy`, `TestHTTPProxyAuth` (curl with `--proxy-user`)
|
||||||
|
- **Note**: Simplest test — single gost container acts as HTTP proxy
|
||||||
|
|
||||||
|
### 1B. SOCKS5 Suite
|
||||||
|
- **Files**: `socks5_test.go`, `testdata/socks5/` (4 configs)
|
||||||
|
- **Configs**: `tcp_server.yaml` (handler `socks5`), `tcp_client.yaml` (connector `socks5`, dialer `tcp`), + auth variants
|
||||||
|
- **Tests**: `TestSOCKS5TCP`, `TestSOCKS5TCPAuth`
|
||||||
|
|
||||||
|
### 1C. SOCKS4 Suite
|
||||||
|
- **Files**: `socks4_test.go`, `testdata/socks4/` (4 configs)
|
||||||
|
- **Configs**: `tcp_server.yaml` (handler `socks4`), `tcp_client.yaml` (connector `socks4`), + socks4a variants
|
||||||
|
- **Tests**: `TestSOCKS4TCP`, `TestSOCKS4aTCP`
|
||||||
|
|
||||||
|
### 1D. HTTP2 Cleartext Suite
|
||||||
|
- **Files**: `http2_test.go`, `testdata/http2/` (2 configs)
|
||||||
|
- **Configs**: `tcp_server.yaml` (handler `http2`, listener `http2`), `tcp_client.yaml` (connector `http2`, dialer `http2`)
|
||||||
|
- **Tests**: `TestHTTP2TCP`
|
||||||
|
|
||||||
|
### 1E. Relay Suite
|
||||||
|
- **Files**: `relay_test.go`, `testdata/relay/` (4 configs)
|
||||||
|
- **Configs**: `tcp_server.yaml` (handler `relay`, listener `tcp`), `tcp_client.yaml` (connector `relay`, dialer `tcp`), + auth variants
|
||||||
|
- **Tests**: `TestRelayTCP`, `TestRelayTCPAuth`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 2: Tier 2 — TLS/Transport Protocols
|
||||||
|
|
||||||
|
Same pattern but using TLS listeners/dialers. No explicit cert files needed — gost auto-generates them.
|
||||||
|
|
||||||
|
### 2A. TLS Suite
|
||||||
|
- **Files**: `tls_test.go`, `testdata/tls/` (4 configs)
|
||||||
|
- **Tests**: `TestTLSHTTPProxy` (handler `http` + listener `tls`), `TestTLSSOCKS5` (handler `socks5` + listener `tls`)
|
||||||
|
|
||||||
|
### 2B. WebSocket Suite
|
||||||
|
- **Files**: `ws_test.go`, `testdata/ws/` (4 configs)
|
||||||
|
- **Tests**: `TestWSSOCKS5` (dialer `ws`), `TestWSSSOCKS5` (dialer `wss`)
|
||||||
|
|
||||||
|
### 2C. gRPC Suite
|
||||||
|
- **Files**: `grpc_test.go`, `testdata/grpc/` (2 configs)
|
||||||
|
- **Tests**: `TestGRPCSOCKS5` (listener `grpc`, metadata `insecure: true`)
|
||||||
|
|
||||||
|
### 2D. HTTP/2 TLS (h2) Suite
|
||||||
|
- **Files**: `h2_test.go`, `testdata/h2/` (2 configs)
|
||||||
|
- **Tests**: `TestH2HTTP2Proxy` (listener `h2`, dialer `h2`)
|
||||||
|
|
||||||
|
### 2E. QUIC Suite
|
||||||
|
- **Files**: `quic_test.go`, `testdata/quic/` (2 configs)
|
||||||
|
- **Tests**: `TestQUICHTTP` (listener `quic`, handler `http` — uses UDP ports)
|
||||||
|
|
||||||
|
### 2F. KCP Suite
|
||||||
|
- **Files**: `kcp_test.go`, `testdata/kcp/` (2 configs)
|
||||||
|
- **Tests**: `TestKCPSOCKS5` (listener `kcp`, handler `socks5` — uses UDP)
|
||||||
|
|
||||||
|
### 2G. Multiplex Variants (mws/mwss/mtls/mtcp)
|
||||||
|
- **Files**: `mux_test.go`, `testdata/mux/` (6 configs)
|
||||||
|
- **Tests**: `TestMWSSOCKS5`, `TestMWSSSOCKS5`, `TestMtlSSOCKS5`, `TestMtcpSOCKS5`
|
||||||
|
|
||||||
|
### 2H. Obfuscation (ohttp/otls)
|
||||||
|
- **Files**: `obfs_test.go`, `testdata/obfs/` (4 configs)
|
||||||
|
- **Tests**: `TestOHTTP`, `TestOTLS`
|
||||||
|
|
||||||
|
### 2I. PHT (HTTP Pipe)
|
||||||
|
- **Files**: `pht_test.go`, `testdata/pht/` (4 configs)
|
||||||
|
- **Tests**: `TestPHT`, `TestPHTS`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 3: Tier 3 — Special Infrastructure (Deferred)
|
||||||
|
|
||||||
|
These require Docker capabilities (`NET_ADMIN`, `NET_RAW`), SSH key generation, or iptables setup. Implemented after Tiers 1-2 are stable.
|
||||||
|
|
||||||
|
| Protocol | Challenge | Approach |
|
||||||
|
|----------|-----------|----------|
|
||||||
|
| SSH/sshd | Host key generation | Generate SSH key at test time, mount into container |
|
||||||
|
| HTTP/3/WebTransport | QUIC+UDP, TLS | Uses UDP like QUIC suite; auto certs work |
|
||||||
|
| TUN/TAP | `CAP_NET_ADMIN`, `/dev/net/tun` | Privileged container + routing setup |
|
||||||
|
| Tungo/MASQUE | Same as TUN | Same approach |
|
||||||
|
| ICMP | `CAP_NET_RAW`, raw sockets | Privileged container |
|
||||||
|
| Redirect (red/redu) | iptables rules | Privileged + iptables setup in container |
|
||||||
|
| DTLS | UDP + TLS | Auto certs; UDP port mapping |
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Files to Create/Modify
|
||||||
|
|
||||||
|
### New files (per suite):
|
||||||
|
- `tests/e2e/<protocol>_test.go` — Suite struct + test methods
|
||||||
|
- `tests/e2e/testdata/<protocol>/` — Server + client YAML configs
|
||||||
|
|
||||||
|
### Modified files:
|
||||||
|
- `tests/e2e/utils.go` — Add `RunTCPCase`, `RunUDPCase` helpers
|
||||||
|
- `tests/e2e/shadowsocks_test.go` — Refactor to use new helpers (optional, reduces duplication)
|
||||||
|
- `tests/e2e/README.md` — Document new suites
|
||||||
|
|
||||||
|
### Reference files (read-only):
|
||||||
|
- `tests/e2e/shadowsocks_test.go` — Pattern template for all suites
|
||||||
|
- `tests/e2e/testdata/shadowsocks/tcp_server_aes256gcm.yaml` — Server config template
|
||||||
|
- `tests/e2e/testdata/shadowsocks/tcp_client_aes256gcm.yaml` — Client config template
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Config Pattern Reference
|
||||||
|
|
||||||
|
**Server** (all protocols):
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
- name: <proto>-server
|
||||||
|
addr: :<port>
|
||||||
|
handler:
|
||||||
|
type: <handler-type>
|
||||||
|
listener:
|
||||||
|
type: <listener-type>
|
||||||
|
```
|
||||||
|
|
||||||
|
**Client** (all protocols):
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: <proto>-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
chains:
|
||||||
|
- name: <proto>-chain
|
||||||
|
hops:
|
||||||
|
- name: <proto>-hop
|
||||||
|
nodes:
|
||||||
|
- name: <proto>-node
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: <connector-type>
|
||||||
|
dialer:
|
||||||
|
type: <dialer-type>
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Verification
|
||||||
|
|
||||||
|
After each suite is implemented:
|
||||||
|
1. `cd gost && go build ./...` — Ensure compilation
|
||||||
|
2. `go vet ./tests/e2e/` — Static analysis
|
||||||
|
3. `go test ./tests/e2e/ -v -run TestXxxSuite -timeout 5m` — Run individual suite
|
||||||
|
4. `go test ./tests/e2e/ -v -timeout 10m` — Run all suites together
|
||||||
@@ -0,0 +1,605 @@
|
|||||||
|
package e2e
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"os"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/suite"
|
||||||
|
"github.com/testcontainers/testcontainers-go"
|
||||||
|
)
|
||||||
|
|
||||||
|
type HTTPSuite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
echoC testcontainers.Container
|
||||||
|
echoIP string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTPSuite) SetupSuite() {
|
||||||
|
s.ctx = context.Background()
|
||||||
|
|
||||||
|
s.T().Logf("start tcp echo container...")
|
||||||
|
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoC = echoC
|
||||||
|
|
||||||
|
echoIP, err := echoC.ContainerIP(s.ctx)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoIP = echoIP
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendRaw sends a raw HTTP request via netcat and returns the response.
|
||||||
|
// Uses base64 to avoid shell quoting issues with CRLF bytes.
|
||||||
|
func (s *HTTPSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string {
|
||||||
|
encoded := base64.StdEncoding.EncodeToString([]byte(data))
|
||||||
|
cmd := []string{"sh", "-c",
|
||||||
|
fmt.Sprintf("echo %s | base64 -d | nc -w 5 %s %s", encoded, host, port)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
b, _ := io.ReadAll(out)
|
||||||
|
return string(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTPSuite) TearDownSuite() {
|
||||||
|
if s.echoC != nil {
|
||||||
|
s.echoC.Terminate(s.ctx)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxy verifies basic HTTP forward proxy (no auth, no metadata).
|
||||||
|
// Covers: handler type http, listener type tcp, basic GET via proxy.
|
||||||
|
func (s *HTTPSuite) TestHTTPProxy() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// curl -x uses HTTP forward proxy (GET with absolute URL)
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyAuth verifies proxy authentication and the authBasicRealm
|
||||||
|
// metadata parameter.
|
||||||
|
//
|
||||||
|
// Covers:
|
||||||
|
// - auther: basic auth on HTTP proxy
|
||||||
|
// - authBasicRealm: custom realm string in 407 Proxy-Authenticate header
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyAuth() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_auth.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("no-auth-407", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||||
|
"-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
s.Assert().Contains(output, "407",
|
||||||
|
"no auth should return 407")
|
||||||
|
s.Assert().Contains(output, "gost-e2e-realm",
|
||||||
|
"authBasicRealm should appear in 407 Proxy-Authenticate")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("wrong-auth-407", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-x", "http://wrong:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
s.Assert().Contains(string(body), "407",
|
||||||
|
"wrong password should return 407")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyMetadata verifies:
|
||||||
|
// - probeResist: code:404 — unauthorised clients see 404 instead of 407
|
||||||
|
// - keepalive: config parsing (applied at Init time)
|
||||||
|
// - compression: config parsing (applied at Init time)
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyMetadata() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_metadata.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("probe-resist-404", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
s.Assert().NotContains(output, "407",
|
||||||
|
"probeResist should hide 407 status")
|
||||||
|
s.Assert().Contains(output, "404",
|
||||||
|
"probeResist should return configured decoy code")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-metadata logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyHeaders verifies:
|
||||||
|
// - header: custom response headers (X-Proxy-Info, X-Custom) on
|
||||||
|
// proxy-originated error responses. The header metadata is set on
|
||||||
|
// the skeleton response used for error paths after authentication.
|
||||||
|
// - proxyAgent: custom Proxy-Agent header in proxy responses.
|
||||||
|
//
|
||||||
|
// Uses a bypass matcher (0.0.0.0/0) that blocks all traffic after auth
|
||||||
|
// succeeds → requests hit 403 Forbidden path which carries custom headers.
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyHeaders() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_headers.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Auth succeeds, but target is bypassed → 403 Forbidden
|
||||||
|
// The 403 response is built from the skeleton resp which
|
||||||
|
// carries h.md.header (custom headers) and h.md.proxyAgent.
|
||||||
|
s.T().Log("bypass: expect 403 with custom headers")
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||||
|
"-x", "http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
headers, _ := io.ReadAll(out)
|
||||||
|
output := string(headers)
|
||||||
|
|
||||||
|
// Bypass → 403 Forbidden
|
||||||
|
s.Assert().Contains(output, "403",
|
||||||
|
"bypass should return 403")
|
||||||
|
// header: custom X-Proxy-Info header on error response
|
||||||
|
s.Assert().Contains(output, "X-Proxy-Info: gost-e2e",
|
||||||
|
"custom header should appear in 403 response")
|
||||||
|
// header: custom X-Custom header on error response
|
||||||
|
s.Assert().Contains(output, "X-Custom: test-value",
|
||||||
|
"custom header should appear in 403 response")
|
||||||
|
// proxyAgent: custom Proxy-Agent header on error response
|
||||||
|
s.Assert().Contains(output, "Proxy-Agent: gost-e2e/1.0",
|
||||||
|
"proxyAgent should appear in 403 response")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnect verifies HTTP CONNECT tunnel:
|
||||||
|
// - sniffing-enabled: sniffing:true + sniffing.timeout:2s
|
||||||
|
// - no-sniffing: plain CONNECT (default, no metadata)
|
||||||
|
// - bypass-403: CONNECT blocked by (0.0.0.0/0) bypass
|
||||||
|
//
|
||||||
|
// Uses curl --proxytunnel (-p) to force CONNECT method instead of GET.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnect() {
|
||||||
|
s.T().Run("sniffing-enabled", func(t *testing.T) {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_connect.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connect sniffing logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("no-sniffing", func(t *testing.T) {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connect no-sniffing logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("bypass-403", func(t *testing.T) {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_connect_bypass.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||||
|
"-p", "-x", "http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
s.Assert().Contains(output, "403",
|
||||||
|
"CONNECT bypass should return 403")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyDirectRequest verifies that a non-proxy-form HTTP request
|
||||||
|
// (raw GET / sent to the proxy port) is rejected with 400 Bad Request.
|
||||||
|
// A raw request with empty Host header has no valid scheme to infer,
|
||||||
|
// so the handler returns 400.
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyDirectRequest() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET / HTTP/1.0\r\nHost: bad!\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "400",
|
||||||
|
"non-proxy GET should return 400")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyPOST verifies that POST method forwarding works through
|
||||||
|
// the HTTP forward proxy. The echo server only handles GET, so the proxy
|
||||||
|
// should forward the POST request and return whatever the upstream sends
|
||||||
|
// back (501 Not Implemented from the echo server — not a proxy error).
|
||||||
|
// 501 is the real upstream response, proving the proxy forwarded it.
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyPOST() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-X", "POST", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678/", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
// The echo server's BaseHTTPRequestHandler defaults to 501 for POST.
|
||||||
|
// If we get 501 through the proxy, it means the method was forwarded.
|
||||||
|
s.Assert().Contains(output, "501",
|
||||||
|
"POST through proxy should be forwarded, echo server returns 501")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnectUnreachable verifies that CONNECT to an unreachable target
|
||||||
|
// returns 503 Service Unavailable.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnectUnreachable() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_connect.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Send a raw CONNECT request to a port where nothing is listening.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
fmt.Sprintf("CONNECT %s:1 HTTP/1.0\r\nHost: %s:1\r\n\r\n", s.echoIP, s.echoIP))
|
||||||
|
s.Assert().Contains(resp, "503",
|
||||||
|
"CONNECT to unreachable target should return 503")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnector verifies HTTP connector type: a gost client uses an HTTP
|
||||||
|
// connector to forward through an upstream HTTP proxy (no auth), reaching the
|
||||||
|
// target via the proxy chain. This covers the server+client two-container
|
||||||
|
// pattern where the client connects to the server via connector type: http.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnector() {
|
||||||
|
// Start upstream HTTP proxy server (no auth).
|
||||||
|
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", []string{"http-server"}, []string{"8080/tcp"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Render client config that chains through the upstream server.
|
||||||
|
rendered, err := RenderConfig("testdata/http/client_connector.yaml",
|
||||||
|
ConfigData{ServerAddr: "http-server:8080"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer os.Remove(rendered)
|
||||||
|
|
||||||
|
// Start client with the rendered config.
|
||||||
|
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
rendered, "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Request through client proxy → HTTP connector → upstream HTTP server → target.
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector client logs", clientC)
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector server logs", serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnectorAuth verifies HTTP connector with authentication:
|
||||||
|
// no-auth → 407, correct auth → success.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnectorAuth() {
|
||||||
|
// Start upstream HTTP proxy with auth and network alias.
|
||||||
|
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_auth.yaml", []string{"http-server"}, []string{"8080/tcp"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("no-auth-407", func(t *testing.T) {
|
||||||
|
// Send raw request directly to server container (no auth) → 407.
|
||||||
|
resp := s.sendRaw(serverC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "407",
|
||||||
|
"no auth via upstream should return 407")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("correct-auth-success", func(t *testing.T) {
|
||||||
|
rendered, err := RenderConfig("testdata/http/client_connector_auth.yaml",
|
||||||
|
ConfigData{ServerAddr: "http-server:8080"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer os.Remove(rendered)
|
||||||
|
|
||||||
|
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
rendered, "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector-auth client logs", clientC)
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector-auth server logs", serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProbeResistHost verifies probeResist host type.
|
||||||
|
// When auth fails, the handler pipes the raw request to
|
||||||
|
// the decoy host (tcp-echo:5678). The TCP echo server echoes
|
||||||
|
// back the request bytes rather than returning a 407.
|
||||||
|
func (s *HTTPSuite) TestHTTPProbeResistHost() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_proberesist_host.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Without auth, probeResist host pipes the raw request to tcp-echo:5678.
|
||||||
|
// The HTTP echo server returns 200 OK with "hello-gost", proving the
|
||||||
|
// request reached the decoy host rather than getting a 407 response.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().NotContains(resp, "407",
|
||||||
|
"probeResist host should hide 407 response")
|
||||||
|
s.Assert().Contains(resp, "hello-gost",
|
||||||
|
"probeResist host should pipe request to decoy host")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProbeResistKnock verifies probeResist knock mechanism.
|
||||||
|
// Clients that connect with a recognized knock Host header
|
||||||
|
// get a normal 407 auth challenge instead of the decoy response.
|
||||||
|
//
|
||||||
|
// Uses server_proberesist_knock.yaml:
|
||||||
|
// - probeResist: code:404 (decoy 404 for unknown hosts)
|
||||||
|
// - knock: secret.example.com (known hosts get normal 407)
|
||||||
|
func (s *HTTPSuite) TestHTTPProbeResistKnock() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_proberesist_knock.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("unknown-host-decoy", func(t *testing.T) {
|
||||||
|
// URL hostname doesn't match knock list → probeResist fires → 404
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "404",
|
||||||
|
"unknown host should get decoy 404")
|
||||||
|
s.Assert().NotContains(resp, "407",
|
||||||
|
"unknown host should NOT get 407")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("knock-host-407", func(t *testing.T) {
|
||||||
|
// URL hostname matches knock list → normal 407 auth challenge.
|
||||||
|
// Note: knock checks req.URL.Hostname(), not the Host header.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://secret.example.com:5678/ HTTP/1.0\r\nHost: secret.example.com\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "407",
|
||||||
|
"knock host should get normal 407")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnectorTLS verifies HTTP connector using TLS dialer
|
||||||
|
// to upstream HTTPS proxy (listener type: tls).
|
||||||
|
// The TLS listener auto-generates a self-signed cert;
|
||||||
|
// the TLS dialer defaults to InsecureSkipVerify=true, so
|
||||||
|
// handshake succeeds without explicit cert configuration.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnectorTLS() {
|
||||||
|
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_tls.yaml", []string{"tls-server"}, []string{"8443/tcp"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
rendered, err := RenderConfig("testdata/http/client_connector_tls.yaml",
|
||||||
|
ConfigData{ServerAddr: "tls-server:8443"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer os.Remove(rendered)
|
||||||
|
|
||||||
|
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
rendered, "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector-tls client logs", clientC)
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector-tls server logs", serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProbeResistWeb verifies probeResist web type.
|
||||||
|
// On auth failure, the handler fetches the decoy URL
|
||||||
|
// (tcp-echo:5678) and returns its response body.
|
||||||
|
func (s *HTTPSuite) TestHTTPProbeResistWeb() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_proberesist_web.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Without auth, probeResist web fetches http://tcp-echo:5678
|
||||||
|
// and returns the echo server's response ("hello-gost").
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().NotContains(resp, "407",
|
||||||
|
"probeResist web should hide 407 response")
|
||||||
|
s.Assert().Contains(resp, "hello-gost",
|
||||||
|
"probeResist web should return decoy response body")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProbeResistFile verifies probeResist file type.
|
||||||
|
// On auth failure, the handler reads a local file and
|
||||||
|
// returns its contents as the HTTP response body.
|
||||||
|
func (s *HTTPSuite) TestHTTPProbeResistFile() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_proberesist_file.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "testdata/http/decoy.html", ContainerFilePath: "/tmp/decoy.html", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Without auth, probeResist file reads /tmp/decoy.html and
|
||||||
|
// returns "decoy-response" rather than a 407.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().NotContains(resp, "407",
|
||||||
|
"probeResist file should hide 407 response")
|
||||||
|
s.Assert().Contains(resp, "decoy-response",
|
||||||
|
"probeResist file should return decoy file content")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPIdleTimeout verifies idleTimeout on CONNECT tunnels.
|
||||||
|
// After the configured idle timeout, the pipe between client
|
||||||
|
// and target should close.
|
||||||
|
func (s *HTTPSuite) TestHTTPIdleTimeout() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_idle_timeout.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/http_idle_timeout.py", ContainerFilePath: "/scripts/http_idle_timeout.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// The Python script:
|
||||||
|
// 1. Opens a CONNECT tunnel to tcp-echo:5678
|
||||||
|
// 2. Sends and receives data (confirm tunnel is alive)
|
||||||
|
// 3. Waits > idleTimeout (3s + 2s buffer)
|
||||||
|
// 4. Sends more data — expects connection to be closed
|
||||||
|
code, out, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"python3", "/scripts/http_idle_timeout.py",
|
||||||
|
"127.0.0.1", "8080", "3",
|
||||||
|
})
|
||||||
|
output, _ := io.ReadAll(out)
|
||||||
|
s.T().Logf("idle timeout output:\n%s", string(output))
|
||||||
|
if code != 0 {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-idle-timeout logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code, "idle timeout test script should exit 0")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPUDPRelay verifies UDP relay over HTTP. Uses
|
||||||
|
// X-Gost-Protocol: udp in the CONNECT request to establish
|
||||||
|
// a SOCKS5 UDP tunnel through the HTTP handler.
|
||||||
|
func (s *HTTPSuite) TestHTTPUDPRelay() {
|
||||||
|
// Start UDP echo container on the shared network.
|
||||||
|
udpC, err := RunUDPEchoContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer udpC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_udp.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/http_udp_relay.py", ContainerFilePath: "/scripts/http_udp_relay.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// The Python script:
|
||||||
|
// 1. Connects to gost HTTP proxy
|
||||||
|
// 2. Sends CONNECT with X-Gost-Protocol: udp
|
||||||
|
// 3. After 200 OK, sends a SOCKS5 UDP frame targeting udp-echo:5679
|
||||||
|
// 4. Reads back the echoed frame
|
||||||
|
code, out, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"python3", "/scripts/http_udp_relay.py",
|
||||||
|
"127.0.0.1", "8080",
|
||||||
|
})
|
||||||
|
output, _ := io.ReadAll(out)
|
||||||
|
s.T().Logf("udp relay output:\n%s", string(output))
|
||||||
|
if code != 0 {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-udp logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code, "udp relay test script should exit 0")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestHTTPSuite(t *testing.T) {
|
||||||
|
suite.Run(t, new(HTTPSuite))
|
||||||
|
}
|
||||||
@@ -0,0 +1,60 @@
|
|||||||
|
import socket
|
||||||
|
import sys
|
||||||
|
import time
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||||
|
port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
|
||||||
|
idle_timeout = int(sys.argv[3]) if len(sys.argv) > 3 else 3
|
||||||
|
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
s.settimeout(10)
|
||||||
|
s.connect((host, port))
|
||||||
|
|
||||||
|
# CONNECT to echo server
|
||||||
|
req = b"CONNECT tcp-echo:5678 HTTP/1.1\r\nHost: tcp-echo:5678\r\n\r\n"
|
||||||
|
s.sendall(req)
|
||||||
|
|
||||||
|
# Read 200 OK response
|
||||||
|
resp = b""
|
||||||
|
while b"\r\n\r\n" not in resp:
|
||||||
|
chunk = s.recv(4096)
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
resp += chunk
|
||||||
|
|
||||||
|
if b"200" not in resp:
|
||||||
|
print(f"FAIL: expected 200, got {resp.decode(errors='replace')}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
# Send request through the CONNECT tunnel
|
||||||
|
s.sendall(b"ping-1\n")
|
||||||
|
data = s.recv(4096)
|
||||||
|
if b"ping-1" not in data:
|
||||||
|
print(f"FAIL: expected ping-1 echo, got {data!r}")
|
||||||
|
sys.exit(1)
|
||||||
|
print(f"PASS: first request through tunnel succeeded")
|
||||||
|
|
||||||
|
# Wait longer than idleTimeout
|
||||||
|
wait = idle_timeout + 2
|
||||||
|
print(f"Waiting {wait}s for idle timeout...")
|
||||||
|
time.sleep(wait)
|
||||||
|
|
||||||
|
# Try to send more data — idle timeout should have closed the pipe
|
||||||
|
try:
|
||||||
|
s.sendall(b"ping-2\n")
|
||||||
|
data = s.recv(4096)
|
||||||
|
if not data:
|
||||||
|
print("PASS: connection closed after idle timeout (empty recv)")
|
||||||
|
sys.exit(0)
|
||||||
|
# Got data means the pipe is still alive
|
||||||
|
print(f"FAIL: connection still alive after idle timeout, got {data!r}")
|
||||||
|
sys.exit(1)
|
||||||
|
except (socket.timeout, ConnectionResetError, BrokenPipeError, OSError) as e:
|
||||||
|
print(f"PASS: connection closed after idle timeout: {e}")
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
@@ -0,0 +1,135 @@
|
|||||||
|
import socket
|
||||||
|
import struct
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
UDP_ECHO_HOST = "udp-echo"
|
||||||
|
UDP_ECHO_PORT = 5679
|
||||||
|
|
||||||
|
|
||||||
|
def encode_socks5_addr(host, port):
|
||||||
|
"""Encode (host, port) as SOCKS5 ADDRESS + PORT.
|
||||||
|
|
||||||
|
Uses ATYP=3 (domain name) so Docker DNS resolves the host.
|
||||||
|
Returns (atyp, address_bytes, port_bytes).
|
||||||
|
"""
|
||||||
|
host_bytes = host.encode()
|
||||||
|
addr_bytes = struct.pack("!B", len(host_bytes)) + host_bytes
|
||||||
|
port_bytes = struct.pack("!H", port)
|
||||||
|
return 0x03, addr_bytes, port_bytes
|
||||||
|
|
||||||
|
|
||||||
|
def build_udp_frame(payload, host, port):
|
||||||
|
"""Build a SOCKS5 UDP relay frame over TCP.
|
||||||
|
|
||||||
|
gost HTTP UDP relay uses RSV=data-length and FRAG=0xff.
|
||||||
|
Frame: [RSV:2][FRAG:1][ATYP:1][DST.ADDR][DST.PORT:2][DATA]
|
||||||
|
"""
|
||||||
|
atyp, addr_bytes, port_bytes = encode_socks5_addr(host, port)
|
||||||
|
rsv = struct.pack("!H", len(payload))
|
||||||
|
frag = b"\xff"
|
||||||
|
atyp_byte = struct.pack("!B", atyp)
|
||||||
|
return rsv + frag + atyp_byte + addr_bytes + port_bytes + payload
|
||||||
|
|
||||||
|
|
||||||
|
def recvn(sock, n):
|
||||||
|
"""Receive exactly n bytes from socket."""
|
||||||
|
buf = b""
|
||||||
|
while len(buf) < n:
|
||||||
|
chunk = sock.recv(n - len(buf))
|
||||||
|
if not chunk:
|
||||||
|
raise ConnectionError("connection closed while reading")
|
||||||
|
buf += chunk
|
||||||
|
return buf
|
||||||
|
|
||||||
|
|
||||||
|
def read_socks5_frame(sock):
|
||||||
|
"""Read one SOCKS5 UDP relay frame from the TCP connection.
|
||||||
|
|
||||||
|
Returns (addr, port, data).
|
||||||
|
"""
|
||||||
|
# Read header: RSV(2) + FRAG(1) + ATYP(1)
|
||||||
|
header = recvn(sock, 4)
|
||||||
|
rsv = struct.unpack("!H", header[:2])[0]
|
||||||
|
frag = header[2]
|
||||||
|
atyp = header[3]
|
||||||
|
|
||||||
|
# Read address based on ATYP
|
||||||
|
if atyp == 1: # IPv4
|
||||||
|
addr_bytes = recvn(sock, 4)
|
||||||
|
addr = socket.inet_ntoa(addr_bytes)
|
||||||
|
elif atyp == 3: # Domain name
|
||||||
|
domain_len = recvn(sock, 1)
|
||||||
|
addr = recvn(sock, domain_len[0]).decode()
|
||||||
|
elif atyp == 4: # IPv6
|
||||||
|
addr_bytes = recvn(sock, 16)
|
||||||
|
addr = socket.inet_ntop(socket.AF_INET6, addr_bytes)
|
||||||
|
else:
|
||||||
|
raise ValueError(f"unknown ATYP: {atyp}")
|
||||||
|
|
||||||
|
port_bytes = recvn(sock, 2)
|
||||||
|
port = struct.unpack("!H", port_bytes)[0]
|
||||||
|
|
||||||
|
# Read data
|
||||||
|
if rsv > 0:
|
||||||
|
data = recvn(sock, rsv)
|
||||||
|
else:
|
||||||
|
# Standard SOCKS5 UDP: read remaining
|
||||||
|
data = b""
|
||||||
|
while True:
|
||||||
|
chunk = sock.recv(4096)
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
data += chunk
|
||||||
|
|
||||||
|
return addr, port, data
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||||
|
port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
|
||||||
|
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
s.settimeout(10)
|
||||||
|
s.connect((host, port))
|
||||||
|
|
||||||
|
# Send CONNECT with X-Gost-Protocol: udp
|
||||||
|
req = (
|
||||||
|
b"CONNECT 0.0.0.0:0 HTTP/1.1\r\n"
|
||||||
|
b"Host: 0.0.0.0:0\r\n"
|
||||||
|
b"X-Gost-Protocol: udp\r\n"
|
||||||
|
b"Proxy-Connection: keep-alive\r\n"
|
||||||
|
b"\r\n"
|
||||||
|
)
|
||||||
|
s.sendall(req)
|
||||||
|
|
||||||
|
# Read 200 OK
|
||||||
|
resp = b""
|
||||||
|
while b"\r\n\r\n" not in resp:
|
||||||
|
chunk = s.recv(4096)
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
resp += chunk
|
||||||
|
|
||||||
|
if b"200" not in resp:
|
||||||
|
print(f"FAIL: expected 200, got {resp.decode(errors='replace')}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
# Build and send UDP relay frame
|
||||||
|
payload = b"hello-gost"
|
||||||
|
frame = build_udp_frame(payload, UDP_ECHO_HOST, UDP_ECHO_PORT)
|
||||||
|
s.sendall(frame)
|
||||||
|
|
||||||
|
# Read response frame
|
||||||
|
addr, rport, data = read_socks5_frame(s)
|
||||||
|
|
||||||
|
if b"hello-gost" in data:
|
||||||
|
print(f"PASS: received expected data from {addr}:{rport}")
|
||||||
|
sys.exit(0)
|
||||||
|
else:
|
||||||
|
print(f"FAIL: expected hello-gost in response, got {data!r}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
+20
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: http-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
chains:
|
||||||
|
- name: http-chain
|
||||||
|
hops:
|
||||||
|
- name: hop-0
|
||||||
|
nodes:
|
||||||
|
- name: node-0
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: http
|
||||||
|
dialer:
|
||||||
|
type: tcp
|
||||||
@@ -0,0 +1,23 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: http-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
chains:
|
||||||
|
- name: http-chain
|
||||||
|
hops:
|
||||||
|
- name: hop-0
|
||||||
|
nodes:
|
||||||
|
- name: node-0
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: http
|
||||||
|
auth:
|
||||||
|
username: user
|
||||||
|
password: pass
|
||||||
|
dialer:
|
||||||
|
type: tcp
|
||||||
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: https-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
chains:
|
||||||
|
- name: https-chain
|
||||||
|
hops:
|
||||||
|
- name: hop-0
|
||||||
|
nodes:
|
||||||
|
- name: node-0
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: http
|
||||||
|
dialer:
|
||||||
|
type: tls
|
||||||
Vendored
+1
@@ -0,0 +1 @@
|
|||||||
|
<html><body>decoy-response</body></html>
|
||||||
Vendored
+7
@@ -0,0 +1,7 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
+16
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy-auth
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
# authBasicRealm: custom realm in 407 Proxy-Authenticate header
|
||||||
|
authBasicRealm: gost-e2e-realm
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+12
@@ -0,0 +1,12 @@
|
|||||||
|
services:
|
||||||
|
- name: http-connect
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
metadata:
|
||||||
|
# sniffing: enable protocol sniffing on CONNECT tunnels
|
||||||
|
sniffing: true
|
||||||
|
# sniffing.timeout: timeout for initial sniff read (2s)
|
||||||
|
sniffing.timeout: 2s
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
@@ -0,0 +1,20 @@
|
|||||||
|
bypasses:
|
||||||
|
- name: bypass-0
|
||||||
|
matchers:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
|
||||||
|
services:
|
||||||
|
- name: http-connect-bypass
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
bypass: bypass-0
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+25
@@ -0,0 +1,25 @@
|
|||||||
|
bypasses:
|
||||||
|
- name: bypass-0
|
||||||
|
matchers:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
|
||||||
|
services:
|
||||||
|
- name: http-headers
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
header:
|
||||||
|
X-Proxy-Info: gost-e2e
|
||||||
|
X-Custom: test-value
|
||||||
|
proxyAgent: gost-e2e/1.0
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
bypass: bypass-0
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
services:
|
||||||
|
- name: http-idle
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
metadata:
|
||||||
|
idleTimeout: 3s
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
+20
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy-meta
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
# probeResist: decoy response on auth failure (code:404 hides the proxy)
|
||||||
|
probeResist: code:404
|
||||||
|
# keepalive: enable HTTP keep-alive on upstream transport (parse test)
|
||||||
|
keepalive: true
|
||||||
|
# compression: enable HTTP compression on upstream transport (parse test)
|
||||||
|
compression: true
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
probeResist: file:/tmp/decoy.html
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
probeResist: host:tcp-echo:5678
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
probeResist: code:404
|
||||||
|
knock: secret.example.com
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
probeResist: web:tcp-echo:5678
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+7
@@ -0,0 +1,7 @@
|
|||||||
|
services:
|
||||||
|
- name: https-server
|
||||||
|
addr: :8443
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
listener:
|
||||||
|
type: tls
|
||||||
+9
@@ -0,0 +1,9 @@
|
|||||||
|
services:
|
||||||
|
- name: http-udp
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
metadata:
|
||||||
|
udp: true
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
+18
-10
@@ -129,18 +129,29 @@ func udpEchoContainerRequest(_ context.Context, networkName string) testcontaine
|
|||||||
}
|
}
|
||||||
|
|
||||||
func RunGostContainer(ctx context.Context, networkName, yamlPath string) (testcontainers.Container, error) {
|
func RunGostContainer(ctx context.Context, networkName, yamlPath string) (testcontainers.Container, error) {
|
||||||
return runGostContainer(ctx, networkName, yamlPath, nil, nil)
|
return runGostContainer(ctx, networkName, yamlPath, nil, nil, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func RunGostContainerWithPorts(ctx context.Context, networkName, yamlPath string, exposedPorts ...string) (testcontainers.Container, error) {
|
func RunGostContainerWithPorts(ctx context.Context, networkName, yamlPath string, exposedPorts ...string) (testcontainers.Container, error) {
|
||||||
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts)
|
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func RunGostContainerWithOptions(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) {
|
func RunGostContainerWithOptions(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) {
|
||||||
return runGostContainer(ctx, networkName, yamlPath, aliases, exposedPorts)
|
return runGostContainer(ctx, networkName, yamlPath, aliases, exposedPorts, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) {
|
// RunGostContainerWithFiles starts a gost container with extra files mounted.
|
||||||
|
func RunGostContainerWithFiles(ctx context.Context, networkName, yamlPath string, extraFiles []testcontainers.ContainerFile, exposedPorts ...string) (testcontainers.Container, error) {
|
||||||
|
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts, extraFiles)
|
||||||
|
}
|
||||||
|
|
||||||
|
func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string, extraFiles []testcontainers.ContainerFile) (testcontainers.Container, error) {
|
||||||
|
files := []testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: GostBinPath, ContainerFilePath: "/bin/gost", FileMode: 0755},
|
||||||
|
{HostFilePath: yamlPath, ContainerFilePath: "/config.yaml", FileMode: 0644},
|
||||||
|
}
|
||||||
|
files = append(files, extraFiles...)
|
||||||
|
|
||||||
req := testcontainers.ContainerRequest{
|
req := testcontainers.ContainerRequest{
|
||||||
FromDockerfile: testcontainers.FromDockerfile{
|
FromDockerfile: testcontainers.FromDockerfile{
|
||||||
Context: ".",
|
Context: ".",
|
||||||
@@ -153,17 +164,14 @@ func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
ExposedPorts: exposedPorts,
|
ExposedPorts: exposedPorts,
|
||||||
// interal check for udp ports will be failed
|
// internal check for udp ports will be failed
|
||||||
WaitingFor: wait.ForExposedPort().SkipInternalCheck(),
|
WaitingFor: wait.ForExposedPort().SkipInternalCheck(),
|
||||||
Networks: []string{networkName},
|
Networks: []string{networkName},
|
||||||
NetworkAliases: map[string][]string{
|
NetworkAliases: map[string][]string{
|
||||||
networkName: aliases,
|
networkName: aliases,
|
||||||
},
|
},
|
||||||
Files: []testcontainers.ContainerFile{
|
Files: files,
|
||||||
{HostFilePath: GostBinPath, ContainerFilePath: "/bin/gost", FileMode: 0755},
|
Cmd: []string{"/bin/gost", "-C", "/config.yaml"},
|
||||||
{HostFilePath: yamlPath, ContainerFilePath: "/config.yaml", FileMode: 0644},
|
|
||||||
},
|
|
||||||
Cmd: []string{"/bin/gost", "-C", "/config.yaml"},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
|
return testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
|
||||||
|
|||||||
Reference in New Issue
Block a user