3246b39c93
Extract the 1024-line handler.go into concern-focused files:
util.go — 5 pure functions (decodeServerName, basicProxyAuth, upgradeType,
normalizeHostPort, buildConnectResponse) — 100% coverage
auth.go — authenticate (5 probe-resistance strategies + knock) + checkRateLimit
connect.go — handleConnect, sniffAndHandle, dial, setupTrafficLimiter
proxy.go — handleProxy keep-alive loop, proxyRoundTrip, handleUpgradeResponse
websocket.go — WebSocket frame sniffing/recording with rate-limited sampling
udp.go — UDP-over-HTTP relay with SOCKS5 tunnel
metadata.go — metadata struct, parseMetadata, probeResistance type
Key improvements:
- Transport injection (http.RoundTripper field) enables testing without real network
- Nil Router guards in dial, handleUDP, and nil Addr guard in checkRateLimit
- Pure functions converted from methods to package-level (no state dependency)
- setupTrafficLimiter returns cleanup closure to preserve defer lifetime
- handleConnect accepts caller's resp for correct recorder status capture
- Comprehensive package doc with full request-flow documentation
96 tests: 100% on pure functions, 86% on metadata parsing, 55% overall (integration
paths verified by e2e tests).
87 lines
2.5 KiB
Go
87 lines
2.5 KiB
Go
package http
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"encoding/binary"
|
|
"errors"
|
|
"hash/crc32"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"golang.org/x/net/http/httpguts"
|
|
)
|
|
|
|
// decodeServerName decodes a GOST v2 Gost-Target / X-Gost-Target header
|
|
// value. The encoding is: base64(CRC32(hostname) + base64(hostname)).
|
|
// It verifies the CRC32 checksum before returning the decoded hostname.
|
|
func decodeServerName(s string) (string, error) {
|
|
b, err := base64.RawURLEncoding.DecodeString(s)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if len(b) < 4 {
|
|
return "", errors.New("invalid name")
|
|
}
|
|
v, err := base64.RawURLEncoding.DecodeString(string(b[4:]))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if crc32.ChecksumIEEE(v) != binary.BigEndian.Uint32(b[:4]) {
|
|
return "", errors.New("invalid name")
|
|
}
|
|
return string(v), nil
|
|
}
|
|
|
|
// basicProxyAuth extracts the username and password from an HTTP Basic
|
|
// authentication Proxy-Authorization header value. It returns ok=false
|
|
// if the value is empty, not a Basic scheme, or not valid base64.
|
|
func basicProxyAuth(proxyAuth string) (username, password string, ok bool) {
|
|
if proxyAuth == "" {
|
|
return
|
|
}
|
|
|
|
if !strings.HasPrefix(proxyAuth, "Basic ") {
|
|
return
|
|
}
|
|
c, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(proxyAuth, "Basic "))
|
|
if err != nil {
|
|
return
|
|
}
|
|
cs := string(c)
|
|
username, password, ok = strings.Cut(cs, ":")
|
|
if !ok {
|
|
return
|
|
}
|
|
return username, password, true
|
|
}
|
|
|
|
// upgradeType returns the upgrade protocol token from an HTTP header.
|
|
// It returns "" if the Connection header does not include an "Upgrade"
|
|
// token or if the Upgrade header is absent.
|
|
func upgradeType(h http.Header) string {
|
|
if !httpguts.HeaderValuesContainsToken(h["Connection"], "Upgrade") {
|
|
return ""
|
|
}
|
|
return h.Get("Upgrade")
|
|
}
|
|
|
|
// normalizeHostPort ensures a host string includes a port. If the host
|
|
// already contains a port, it is returned unchanged. Otherwise the
|
|
// defaultPort is appended. IPv6 addresses are correctly handled: bare
|
|
// addresses get bracketed by net.JoinHostPort, and bracketed addresses
|
|
// are stripped of brackets before re-joining.
|
|
func normalizeHostPort(host, defaultPort string) string {
|
|
if _, port, _ := net.SplitHostPort(host); port == "" {
|
|
return net.JoinHostPort(strings.Trim(host, "[]"), defaultPort)
|
|
}
|
|
return host
|
|
}
|
|
|
|
// buildConnectResponse returns the raw bytes of an HTTP 200 Connection
|
|
// established response with the given Proxy-Agent header.
|
|
func buildConnectResponse(proxyAgent string) []byte {
|
|
return []byte("HTTP/1.1 200 Connection established\r\n" +
|
|
"Proxy-Agent: " + proxyAgent + "\r\n\r\n")
|
|
}
|