merge 2.4 branch

.gitignore

@@ -25,3 +25,5 @@ _testmain.go
 *.test
 
 *.bak
+
+cmd/gost
\ No newline at end of file

.travis.yml

-language: go
-
-go:
-  1.6
-  1.7
\ No newline at end of file

client.go

+package gost
+
+import (
+	"crypto/tls"
+	"net"
+	"net/url"
+	"time"
+)
+
+// Client is a proxy client.
+// A client is divided into two layers: connector and transporter.
+// Connector is responsible for connecting to the destination address through this proxy.
+// Transporter performs a handshake with this proxy.
+type Client struct {
+	Connector   Connector
+	Transporter Transporter
+}
+
+// Dial connects to the target address.
+func (c *Client) Dial(addr string, options ...DialOption) (net.Conn, error) {
+	return c.Transporter.Dial(addr, options...)
+}
+
+// Handshake performs a handshake with the proxy over connection conn.
+func (c *Client) Handshake(conn net.Conn, options ...HandshakeOption) (net.Conn, error) {
+	return c.Transporter.Handshake(conn, options...)
+}
+
+// Connect connects to the address addr via the proxy over connection conn.
+func (c *Client) Connect(conn net.Conn, addr string) (net.Conn, error) {
+	return c.Connector.Connect(conn, addr)
+}
+
+// DefaultClient is a standard HTTP proxy client.
+var DefaultClient = &Client{Connector: HTTPConnector(nil), Transporter: TCPTransporter()}
+
+// Dial connects to the address addr via the DefaultClient.
+func Dial(addr string, options ...DialOption) (net.Conn, error) {
+	return DefaultClient.Dial(addr, options...)
+}
+
+// Handshake performs a handshake via the DefaultClient.
+func Handshake(conn net.Conn, options ...HandshakeOption) (net.Conn, error) {
+	return DefaultClient.Handshake(conn, options...)
+}
+
+// Connect connects to the address addr via the DefaultClient.
+func Connect(conn net.Conn, addr string) (net.Conn, error) {
+	return DefaultClient.Connect(conn, addr)
+}
+
+// Connector is responsible for connecting to the destination address.
+type Connector interface {
+	Connect(conn net.Conn, addr string) (net.Conn, error)
+}
+
+// Transporter is responsible for handshaking with the proxy server.
+type Transporter interface {
+	Dial(addr string, options ...DialOption) (net.Conn, error)
+	Handshake(conn net.Conn, options ...HandshakeOption) (net.Conn, error)
+	// Indicate that the Transporter supports multiplex
+	Multiplex() bool
+}
+
+type tcpTransporter struct {
+}
+
+// TCPTransporter creates a transporter for TCP proxy client.
+func TCPTransporter() Transporter {
+	return &tcpTransporter{}
+}
+
+func (tr *tcpTransporter) Dial(addr string, options ...DialOption) (net.Conn, error) {
+	opts := &DialOptions{}
+	for _, option := range options {
+		option(opts)
+	}
+	if opts.Chain == nil {
+		return net.DialTimeout("tcp", addr, opts.Timeout)
+	}
+	return opts.Chain.Dial(addr)
+}
+
+func (tr *tcpTransporter) Handshake(conn net.Conn, options ...HandshakeOption) (net.Conn, error) {
+	return conn, nil
+}
+
+func (tr *tcpTransporter) Multiplex() bool {
+	return false
+}
+
+// DialOptions describes the options for dialing.
+type DialOptions struct {
+	Timeout time.Duration
+	Chain   *Chain
+}
+
+// DialOption allows a common way to set dial options.
+type DialOption func(opts *DialOptions)
+
+func TimeoutDialOption(timeout time.Duration) DialOption {
+	return func(opts *DialOptions) {
+		opts.Timeout = timeout
+	}
+}
+
+func ChainDialOption(chain *Chain) DialOption {
+	return func(opts *DialOptions) {
+		opts.Chain = chain
+	}
+}
+
+// HandshakeOptions describes the options for handshake.
+type HandshakeOptions struct {
+	Addr       string
+	User       *url.Userinfo
+	Timeout    time.Duration
+	Interval   time.Duration
+	TLSConfig  *tls.Config
+	WSOptions  *WSOptions
+	KCPConfig  *KCPConfig
+	QUICConfig *QUICConfig
+}
+
+// HandshakeOption allows a common way to set handshake options.
+type HandshakeOption func(opts *HandshakeOptions)
+
+func AddrHandshakeOption(addr string) HandshakeOption {
+	return func(opts *HandshakeOptions) {
+		opts.Addr = addr
+	}
+}
+
+func UserHandshakeOption(user *url.Userinfo) HandshakeOption {
+	return func(opts *HandshakeOptions) {
+		opts.User = user
+	}
+}
+
+func TimeoutHandshakeOption(timeout time.Duration) HandshakeOption {
+	return func(opts *HandshakeOptions) {
+		opts.Timeout = timeout
+	}
+}
+
+func IntervalHandshakeOption(interval time.Duration) HandshakeOption {
+	return func(opts *HandshakeOptions) {
+		opts.Interval = interval
+	}
+}
+
+func TLSConfigHandshakeOption(config *tls.Config) HandshakeOption {
+	return func(opts *HandshakeOptions) {
+		opts.TLSConfig = config
+	}
+}
+
+func WSOptionsHandshakeOption(options *WSOptions) HandshakeOption {
+	return func(opts *HandshakeOptions) {
+		opts.WSOptions = options
+	}
+}
+
+func KCPConfigHandshakeOption(config *KCPConfig) HandshakeOption {
+	return func(opts *HandshakeOptions) {
+		opts.KCPConfig = config
+	}
+}
+
+func QUICConfigHandshakeOption(config *QUICConfig) HandshakeOption {
+	return func(opts *HandshakeOptions) {
+		opts.QUICConfig = config
+	}
+}

cmd/gost/kcp.json

@@ -15,5 +15,7 @@
 	"resend": 0,
 	"nc": 0,
 	"sockbuf": 4194304,
-	"keepalive": 10
+	"keepalive": 10,
+	"snmplog": "",
+	"snmpperiod": 60
 }
\ No newline at end of file

cmd/gost/secrets.txt

 # username password
 
+test\admin 123456
+$test 123456
 test001 123456
 test002 12345678
\ No newline at end of file

cmd/gost/vendor/github.com/codahale/chacha20/LICENSE

-The MIT License (MIT)
-
-Copyright (c) 2014 Coda Hale
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

cmd/gost/vendor/github.com/codahale/chacha20/README.md

-chacha20
-========
-
-[![Build Status](https://travis-ci.org/codahale/chacha20.png?branch=master)](https://travis-ci.org/codahale/chacha20)
-
-A pure Go implementation of the ChaCha20 stream cipher.
-
-For documentation, check [godoc](http://godoc.org/github.com/codahale/chacha20).

cmd/gost/vendor/github.com/codahale/chacha20/chacha20.go

-// Package chacha20 provides a pure Go implementation of ChaCha20, a fast,
-// secure stream cipher.
-//
-// From Bernstein, Daniel J. "ChaCha, a variant of Salsa20." Workshop Record of
-// SASC. 2008. (http://cr.yp.to/chacha/chacha-20080128.pdf):
-//
-//	ChaCha8 is a 256-bit stream cipher based on the 8-round cipher Salsa20/8.
-//	The changes from Salsa20/8 to ChaCha8 are designed to improve diffusion per
-//	round, conjecturally increasing resistance to cryptanalysis, while
-//	preserving -- and often improving -- time per round. ChaCha12 and ChaCha20
-//	are analogous modifications of the 12-round and 20-round ciphers Salsa20/12
-//	and Salsa20/20. This paper presents the ChaCha family and explains the
-//	differences between Salsa20 and ChaCha.
-//
-// For more information, see http://cr.yp.to/chacha.html
-package chacha20
-
-import (
-	"crypto/cipher"
-	"encoding/binary"
-	"errors"
-	"unsafe"
-)
-
-const (
-	// KeySize is the length of ChaCha20 keys, in bytes.
-	KeySize = 32
-	// NonceSize is the length of ChaCha20 nonces, in bytes.
-	NonceSize = 8
-	// XNonceSize is the length of XChaCha20 nonces, in bytes.
-	XNonceSize = 24
-)
-
-var (
-	// ErrInvalidKey is returned when the provided key is not 256 bits long.
-	ErrInvalidKey = errors.New("invalid key length (must be 256 bits)")
-	// ErrInvalidNonce is returned when the provided nonce is not 64 bits long.
-	ErrInvalidNonce = errors.New("invalid nonce length (must be 64 bits)")
-	// ErrInvalidXNonce is returned when the provided nonce is not 192 bits
-	// long.
-	ErrInvalidXNonce = errors.New("invalid nonce length (must be 192 bits)")
-	// ErrInvalidRounds is returned when the provided rounds is not
-	// 8, 12, or 20.
-	ErrInvalidRounds = errors.New("invalid rounds number (must be 8, 12, or 20)")
-)
-
-// New creates and returns a new cipher.Stream. The key argument must be 256
-// bits long, and the nonce argument must be 64 bits long. The nonce must be
-// randomly generated or used only once. This Stream instance must not be used
-// to encrypt more than 2^70 bytes (~1 zettabyte).
-func New(key []byte, nonce []byte) (cipher.Stream, error) {
-	return NewWithRounds(key, nonce, 20)
-}
-
-// NewWithRounds creates and returns a new cipher.Stream just like New but
-// the rounds number of 8, 12, or 20 can be specified.
-func NewWithRounds(key []byte, nonce []byte, rounds uint8) (cipher.Stream, error) {
-	if len(key) != KeySize {
-		return nil, ErrInvalidKey
-	}
-
-	if len(nonce) != NonceSize {
-		return nil, ErrInvalidNonce
-	}
-
-	if (rounds != 8) && (rounds != 12) && (rounds != 20) {
-		return nil, ErrInvalidRounds
-	}
-
-	s := new(stream)
-	s.init(key, nonce, rounds)
-	s.advance()
-
-	return s, nil
-}
-
-// NewXChaCha creates and returns a new cipher.Stream. The key argument must be
-// 256 bits long, and the nonce argument must be 192 bits long. The nonce must
-// be randomly generated or only used once. This Stream instance must not be
-// used to encrypt more than 2^70 bytes (~1 zetta byte).
-func NewXChaCha(key []byte, nonce []byte) (cipher.Stream, error) {
-	return NewXChaChaWithRounds(key, nonce, 20)
-}
-
-// NewXChaChaWithRounds creates and returns a new cipher.Stream just like
-// NewXChaCha but the rounds number of 8, 12, or 20 can be specified.
-func NewXChaChaWithRounds(key []byte, nonce []byte, rounds uint8) (cipher.Stream, error) {
-	if len(key) != KeySize {
-		return nil, ErrInvalidKey
-	}
-
-	if len(nonce) != XNonceSize {
-		return nil, ErrInvalidXNonce
-	}
-
-	if (rounds != 8) && (rounds != 12) && (rounds != 20) {
-		return nil, ErrInvalidRounds
-	}
-
-	s := new(stream)
-	s.init(key, nonce, rounds)
-
-	// Call HChaCha to derive the subkey using the key and the first 16 bytes
-	// of the nonce, and re-initialize the state using the subkey and the
-	// remaining nonce.
-	blockArr := (*[stateSize]uint32)(unsafe.Pointer(&s.block))
-	core(&s.state, blockArr, s.rounds, true)
-	copy(s.state[4:8], blockArr[0:4])
-	copy(s.state[8:12], blockArr[12:16])
-	s.state[12] = 0
-	s.state[13] = 0
-	s.state[14] = binary.LittleEndian.Uint32(nonce[16:])
-	s.state[15] = binary.LittleEndian.Uint32(nonce[20:])
-
-	s.advance()
-
-	return s, nil
-}
-
-type stream struct {
-	state  [stateSize]uint32 // the state as an array of 16 32-bit words
-	block  [blockSize]byte   // the keystream as an array of 64 bytes
-	offset int               // the offset of used bytes in block
-	rounds uint8
-}
-
-func (s *stream) XORKeyStream(dst, src []byte) {
-	// Stride over the input in 64-byte blocks, minus the amount of keystream
-	// previously used. This will produce best results when processing blocks
-	// of a size evenly divisible by 64.
-	i := 0
-	max := len(src)
-	for i < max {
-		gap := blockSize - s.offset
-
-		limit := i + gap
-		if limit > max {
-			limit = max
-		}
-
-		o := s.offset
-		for j := i; j < limit; j++ {
-			dst[j] = src[j] ^ s.block[o]
-			o++
-		}
-
-		i += gap
-		s.offset = o
-
-		if o == blockSize {
-			s.advance()
-		}
-	}
-}
-
-func (s *stream) init(key []byte, nonce []byte, rounds uint8) {
-	// the magic constants for 256-bit keys
-	s.state[0] = 0x61707865
-	s.state[1] = 0x3320646e
-	s.state[2] = 0x79622d32
-	s.state[3] = 0x6b206574
-
-	s.state[4] = binary.LittleEndian.Uint32(key[0:])
-	s.state[5] = binary.LittleEndian.Uint32(key[4:])
-	s.state[6] = binary.LittleEndian.Uint32(key[8:])
-	s.state[7] = binary.LittleEndian.Uint32(key[12:])
-	s.state[8] = binary.LittleEndian.Uint32(key[16:])
-	s.state[9] = binary.LittleEndian.Uint32(key[20:])
-	s.state[10] = binary.LittleEndian.Uint32(key[24:])
-	s.state[11] = binary.LittleEndian.Uint32(key[28:])
-
-	switch len(nonce) {
-	case NonceSize:
-		// ChaCha20 uses 8 byte nonces.
-		s.state[12] = 0
-		s.state[13] = 0
-		s.state[14] = binary.LittleEndian.Uint32(nonce[0:])
-		s.state[15] = binary.LittleEndian.Uint32(nonce[4:])
-	case XNonceSize:
-		// XChaCha20 derives the subkey via HChaCha initialized
-		// with the first 16 bytes of the nonce.
-		s.state[12] = binary.LittleEndian.Uint32(nonce[0:])
-		s.state[13] = binary.LittleEndian.Uint32(nonce[4:])
-		s.state[14] = binary.LittleEndian.Uint32(nonce[8:])
-		s.state[15] = binary.LittleEndian.Uint32(nonce[12:])
-	default:
-		// Never happens, both ctors validate the nonce length.
-		panic("invalid nonce size")
-	}
-
-	s.rounds = rounds
-}
-
-// BUG(codahale): Totally untested on big-endian CPUs. Would very much
-// appreciate someone with an ARM device giving this a swing.
-
-// advances the keystream
-func (s *stream) advance() {
-	core(&s.state, (*[stateSize]uint32)(unsafe.Pointer(&s.block)), s.rounds, false)
-
-	if bigEndian {
-		j := blockSize - 1
-		for i := 0; i < blockSize/2; i++ {
-			s.block[j], s.block[i] = s.block[i], s.block[j]
-			j--
-		}
-	}
-
-	s.offset = 0
-	i := s.state[12] + 1
-	s.state[12] = i
-	if i == 0 {
-		s.state[13]++
-	}
-}
-
-const (
-	wordSize  = 4                    // the size of ChaCha20's words
-	stateSize = 16                   // the size of ChaCha20's state, in words
-	blockSize = stateSize * wordSize // the size of ChaCha20's block, in bytes
-)
-
-var (
-	bigEndian bool // whether or not we're running on a bigEndian CPU
-)
-
-// Do some up-front bookkeeping on what sort of CPU we're using. ChaCha20 treats
-// its state as a little-endian byte array when it comes to generating the
-// keystream, which allows for a zero-copy approach to the core transform. On
-// big-endian architectures, we have to take a hit to reverse the bytes.
-func init() {
-	x := uint32(0x04030201)
-	y := [4]byte{0x1, 0x2, 0x3, 0x4}
-	bigEndian = *(*[4]byte)(unsafe.Pointer(&x)) != y
-}

cmd/gost/vendor/github.com/codahale/chacha20/core_ref.go

-// The ChaCha20 core transform.
-// An unrolled and inlined implementation in pure Go.
-
-package chacha20
-
-func core(input, output *[stateSize]uint32, rounds uint8, hchacha bool) {
-	var (
-		x00 = input[0]
-		x01 = input[1]
-		x02 = input[2]
-		x03 = input[3]
-		x04 = input[4]
-		x05 = input[5]
-		x06 = input[6]
-		x07 = input[7]
-		x08 = input[8]
-		x09 = input[9]
-		x10 = input[10]
-		x11 = input[11]
-		x12 = input[12]
-		x13 = input[13]
-		x14 = input[14]
-		x15 = input[15]
-	)
-
-	var x uint32
-
-	// Unrolling all 20 rounds kills performance on modern Intel processors
-	// (Tested on a i5 Haswell, likely applies to Sandy Bridge+), due to uop
-	// cache thrashing.  The straight forward 2 rounds per loop implementation
-	// of this has double the performance of the fully unrolled version.
-	for i := uint8(0); i < rounds; i += 2 {
-		x00 += x04
-		x = x12 ^ x00
-		x12 = (x << 16) | (x >> 16)
-		x08 += x12
-		x = x04 ^ x08
-		x04 = (x << 12) | (x >> 20)
-		x00 += x04
-		x = x12 ^ x00
-		x12 = (x << 8) | (x >> 24)
-		x08 += x12
-		x = x04 ^ x08
-		x04 = (x << 7) | (x >> 25)
-		x01 += x05
-		x = x13 ^ x01
-		x13 = (x << 16) | (x >> 16)
-		x09 += x13
-		x = x05 ^ x09
-		x05 = (x << 12) | (x >> 20)
-		x01 += x05
-		x = x13 ^ x01
-		x13 = (x << 8) | (x >> 24)
-		x09 += x13
-		x = x05 ^ x09
-		x05 = (x << 7) | (x >> 25)
-		x02 += x06
-		x = x14 ^ x02
-		x14 = (x << 16) | (x >> 16)
-		x10 += x14
-		x = x06 ^ x10
-		x06 = (x << 12) | (x >> 20)
-		x02 += x06
-		x = x14 ^ x02
-		x14 = (x << 8) | (x >> 24)
-		x10 += x14
-		x = x06 ^ x10
-		x06 = (x << 7) | (x >> 25)
-		x03 += x07
-		x = x15 ^ x03
-		x15 = (x << 16) | (x >> 16)
-		x11 += x15
-		x = x07 ^ x11
-		x07 = (x << 12) | (x >> 20)
-		x03 += x07
-		x = x15 ^ x03
-		x15 = (x << 8) | (x >> 24)
-		x11 += x15
-		x = x07 ^ x11
-		x07 = (x << 7) | (x >> 25)
-		x00 += x05
-		x = x15 ^ x00
-		x15 = (x << 16) | (x >> 16)
-		x10 += x15
-		x = x05 ^ x10
-		x05 = (x << 12) | (x >> 20)
-		x00 += x05
-		x = x15 ^ x00
-		x15 = (x << 8) | (x >> 24)
-		x10 += x15
-		x = x05 ^ x10
-		x05 = (x << 7) | (x >> 25)
-		x01 += x06
-		x = x12 ^ x01
-		x12 = (x << 16) | (x >> 16)
-		x11 += x12
-		x = x06 ^ x11
-		x06 = (x << 12) | (x >> 20)
-		x01 += x06
-		x = x12 ^ x01
-		x12 = (x << 8) | (x >> 24)
-		x11 += x12
-		x = x06 ^ x11
-		x06 = (x << 7) | (x >> 25)
-		x02 += x07
-		x = x13 ^ x02
-		x13 = (x << 16) | (x >> 16)
-		x08 += x13
-		x = x07 ^ x08
-		x07 = (x << 12) | (x >> 20)
-		x02 += x07
-		x = x13 ^ x02
-		x13 = (x << 8) | (x >> 24)
-		x08 += x13
-		x = x07 ^ x08
-		x07 = (x << 7) | (x >> 25)
-		x03 += x04
-		x = x14 ^ x03
-		x14 = (x << 16) | (x >> 16)
-		x09 += x14
-		x = x04 ^ x09
-		x04 = (x << 12) | (x >> 20)
-		x03 += x04
-		x = x14 ^ x03
-		x14 = (x << 8) | (x >> 24)
-		x09 += x14
-		x = x04 ^ x09
-		x04 = (x << 7) | (x >> 25)
-	}
-
-	if !hchacha {
-		output[0] = x00 + input[0]
-		output[1] = x01 + input[1]
-		output[2] = x02 + input[2]
-		output[3] = x03 + input[3]
-		output[4] = x04 + input[4]
-		output[5] = x05 + input[5]
-		output[6] = x06 + input[6]
-		output[7] = x07 + input[7]
-		output[8] = x08 + input[8]
-		output[9] = x09 + input[9]
-		output[10] = x10 + input[10]
-		output[11] = x11 + input[11]
-		output[12] = x12 + input[12]
-		output[13] = x13 + input[13]
-		output[14] = x14 + input[14]
-		output[15] = x15 + input[15]
-	} else {
-		output[0] = x00
-		output[1] = x01
-		output[2] = x02
-		output[3] = x03
-		output[4] = x04
-		output[5] = x05
-		output[6] = x06
-		output[7] = x07
-		output[8] = x08
-		output[9] = x09
-		output[10] = x10
-		output[11] = x11
-		output[12] = x12
-		output[13] = x13
-		output[14] = x14
-		output[15] = x15
-	}
-}

cmd/gost/vendor/github.com/ginuerzh/gost/README.md

-gost - GO Simple Tunnel
-======
-
-### GO语言实现的安全隧道
-
-[English README](README_en.md)
-
-特性
-------
-* 可同时监听多端口
-* 可设置转发代理，支持多级转发(代理链)
-* 支持标准HTTP/HTTPS/SOCKS5代理协议
-* SOCKS5代理支持TLS协商加密
-* Tunnel UDP over TCP
-* 支持Shadowsocks协议 (OTA: 2.2+，UDP: 2.4+)
-* 支持本地/远程端口转发 (2.1+)
-* 支持HTTP 2.0 (2.2+)
-* 实验性支持QUIC (2.3+)
-* 支持KCP协议 (2.3+)
-* 透明代理 (2.3+)
-
-二进制文件下载：https://github.com/ginuerzh/gost/releases
-
-Google讨论组: https://groups.google.com/d/forum/go-gost
-
-在gost中，gost与其他代理服务都被看作是代理节点，gost可以自己处理请求，或者将请求转发给任意一个或多个代理节点。
-
-参数说明
-------
-#### 代理及代理链
-
-适用于-L和-F参数
-
-```bash
-[scheme://][user:pass@host]:port
-```
-scheme分为两部分: protocol+transport
-
-protocol: 代理协议类型(http, socks5, shadowsocks), transport: 数据传输方式(ws, wss, tls, http2, quic, kcp), 二者可以任意组合，或单独使用:
-
-> http - HTTP代理: http://:8080
-
-> http+tls - HTTPS代理(可能需要提供受信任的证书): http+tls://:443或https://:443
-
-> http2 - HTTP2代理并向下兼容HTTPS代理: http2://:443
-
-> socks - 标准SOCKS5代理(支持tls协商加密): socks://:1080
-
-> socks+wss - SOCKS5代理，使用websocket传输数据: socks+wss://:1080
-
-> tls - HTTPS/SOCKS5代理，使用tls传输数据: tls://:443
-
-> ss - Shadowsocks代理，ss://chacha20:123456@:8338
-
-> ssu - Shadowsocks UDP relay，ssu://chacha20:123456@:8338
-
-> quic - QUIC代理，quic://:6121
-
-> kcp - KCP代理，kcp://:8388或kcp://aes:123456@:8388
-
-> redirect - 透明代理，redirect://:12345
-
-#### 端口转发
-
-适用于-L参数
-
-```bash
-scheme://[bind_address]:port/[host]:hostport
-```	
-> scheme - 端口转发模式, 本地端口转发: tcp, udp; 远程端口转发: rtcp, rudp
-
-> bind_address:port - 本地/远程绑定地址
-
-> host:hostport - 目标访问地址
-
-#### 配置文件
-
-> -C : 指定配置文件路径
-
-配置文件为标准json格式：
-```json
-{
-    "ServeNodes": [
-        ":8080",
-        "ss://chacha20:12345678@:8338"
-    ],
-    "ChainNodes": [
-        "http://192.168.1.1:8080",
-        "https://10.0.2.1:443"
-    ]
-}
-```
-
-ServeNodes等同于-L参数，ChainNodes等同于-F参数
-
-#### 开启日志
-
-> -logtostderr : 输出到控制台
-
-> -v=3 : 日志级别(1-5)，级别越高，日志越详细(级别5将开启http2 debug)
-
-> -log_dir=/log/dir/path : 输出到目录/log/dir/path
-
-
-使用方法
-------
-#### 不设置转发代理
-
-<img src="https://ginuerzh.github.io/images/gost_01.png" />
-
-* 作为标准HTTP/SOCKS5代理
-```bash
-gost -L=:8080
-```
-
-* 设置代理认证信息
-```bash
-gost -L=admin:123456@localhost:8080
-```
-
-* 多组认证信息
-```bash
-gost -L=localhost:8080?secrets=secrets.txt
-```
-
-通过secrets参数可以为HTTP/SOCKS5代理设置多组认证信息，格式为：
-```plain
-# username password
-
-test001 123456
-test002 12345678
-```
-
-* 多端口监听
-```bash
-gost -L=http2://:443 -L=socks://:1080 -L=ss://aes-128-cfb:123456@:8338
-```
-
-#### 设置转发代理
-
-<img src="https://ginuerzh.github.io/images/gost_02.png" />
-```bash
-gost -L=:8080 -F=192.168.1.1:8081
-```
-
-* 转发代理认证
-```bash
-gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081
-```
-
-#### 设置多级转发代理(代理链)
-
-<img src="https://ginuerzh.github.io/images/gost_03.png" />
-```bash
-gost -L=:8080 -F=http+tls://192.168.1.1:443 -F=socks+ws://192.168.1.2:1080 -F=ss://aes-128-cfb:123456@192.168.1.3:8338 -F=a.b.c.d:NNNN
-```
-gost按照-F设置的顺序通过代理链将请求最终转发给a.b.c.d:NNNN处理，每一个转发代理可以是任意HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks类型代理。
-
-#### 本地端口转发(TCP)
-
-```bash
-gost -L=tcp://:2222/192.168.1.1:22 -F=...
-```
-将本地TCP端口2222上的数据(通过代理链)转发到192.168.1.1:22上。
-
-#### 本地端口转发(UDP)
-
-```bash
-gost -L=udp://:5353/192.168.1.1:53?ttl=60 -F=...
-```
-将本地UDP端口5353上的数据(通过代理链)转发到192.168.1.1:53上。
-每条转发通道都有超时时间，当超过此时间，且在此时间段内无任何数据交互，则此通道将关闭。可以通过`ttl`参数来设置超时时间，默认值为60秒。
-
-**注:** 转发UDP数据时，如果有代理链，则代理链的末端(最后一个-F参数)必须是gost SOCKS5类型代理。
-
-#### 远程端口转发(TCP)
-
-```bash
-gost -L=rtcp://:2222/192.168.1.1:22 -F=... -F=socks://172.24.10.1:1080
-```
-将172.24.10.1:2222上的数据(通过代理链)转发到192.168.1.1:22上。
-
-#### 远程端口转发(UDP)
-
-```bash
-gost -L=rudp://:5353/192.168.1.1:53 -F=... -F=socks://172.24.10.1:1080
-```
-将172.24.10.1:5353上的数据(通过代理链)转发到192.168.1.1:53上。
-
-**注：** 若要使用远程端口转发功能，代理链不能为空(至少要设置一个-F参数)，且代理链的末端(最后一个-F参数)必须是gost SOCKS5类型代理。
-
-#### HTTP2
-gost的HTTP2支持两种模式并自适应：
-* 作为标准的HTTP2代理，并向下兼容HTTPS代理。
-* 作为transport(类似于wss)，传输其他协议。
-
-服务端:
-```bash
-gost -L=http2://:443
-```
-客户端:
-```bash
-gost -L=:8080 -F=http2://server_ip:443?ping=30
-```
-
-客户端支持`ping`参数开启心跳检测(默认不开启)，参数值代表心跳间隔秒数。
-
-**注：** gost的代理链仅支持一个HTTP2代理节点，采用就近原则，会将第一个遇到的HTTP2代理节点视为HTTP2代理，其他HTTP2代理节点则被视为HTTPS代理。
-
-#### QUIC
-gost对QUIC的支持是基于[quic-go](https://github.com/lucas-clemente/quic-go)库。
-
-服务端:
-```bash
-gost -L=quic://:6121
-```
-
-客户端(Chrome):
-```bash
-chrome --enable-quic --proxy-server=quic://server_ip:6121
-```
-
-**注：** 由于Chrome自身的限制，目前只能通过QUIC访问HTTP网站，无法访问HTTPS网站。
-
-#### KCP
-gost对KCP的支持是基于[kcp-go](https://github.com/xtaci/kcp-go)和[kcptun](https://github.com/xtaci/kcptun)库。
-
-服务端:
-```bash
-gost -L=kcp://:8388
-```
-
-客户端:
-```bash
-gost -L=:8080 -F=kcp://server_ip:8388
-```
-
-或者手动指定加密方法和密码(手动指定的加密方法和密码会覆盖配置文件中的相应值)
-
-服务端:
-```bash
-gost -L=kcp://aes:123456@:8388
-```
-
-客户端:
-```bash
-gost -L=:8080 -F=kcp://aes:123456@server_ip:8388
-```
-
-gost会自动加载当前工作目录中的kcp.json(如果存在)配置文件，或者可以手动通过参数指定配置文件路径：
-```bash
-gost -L=kcp://:8388?c=/path/to/conf/file
-```
-
-**注：** 客户端若要开启KCP转发，当且仅当代理链不为空且首个代理节点(第一个-F参数)为kcp类型。
-
-#### 透明代理
-基于iptables的透明代理。
-
-```bash
-gost -L=redirect://:12345 -F=http2://server_ip:443
-```
-
-加密机制
-------
-#### HTTP
-对于HTTP可以使用TLS加密整个通讯过程，即HTTPS代理：
-
-服务端:
-```bash
-gost -L=http+tls://:443
-```
-客户端:
-```bash
-gost -L=:8080 -F=http+tls://server_ip:443
-```
-
-#### HTTP2
-gost仅支持使用TLS加密的HTTP2协议，不支持明文HTTP2传输。
-
-
-#### SOCKS5
-gost支持标准SOCKS5协议的no-auth(0x00)和user/pass(0x02)方法，并在此基础上扩展了两个：tls(0x80)和tls-auth(0x82)，用于数据加密。
-
-服务端:
-```bash
-gost -L=socks://:1080
-```
-客户端:
-```bash
-gost -L=:8080 -F=socks://server_ip:1080
-```
-
-如果两端都是gost(如上)则数据传输会被加密(协商使用tls或tls-auth方法)，否则使用标准SOCKS5进行通讯(no-auth或user/pass方法)。
-
-**注：** 如果transport已经支持加密(wss, tls, http2, kcp)，则SOCKS5不会再使用加密方法，防止不必要的双重加密。
-
-#### Shadowsocks
-gost对shadowsocks的支持是基于[shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go)库。
-
-服务端(可以通过ota参数开启OTA强制模式，开启后客户端必须使用OTA模式):
-```bash
-gost -L=ss://aes-128-cfb:123456@:8338?ota=1
-```
-客户端(可以通过ota参数开启OTA模式):
-```bash
-gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338?ota=1
-```
-
-##### Shadowsocks UDP relay
-
-目前仅服务端支持UDP，且仅支持OTA模式。
-
-服务端:
-```bash
-gost -L=ssu://aes-128-cfb:123456@:8338
-```
-
-#### TLS
-gost内置了TLS证书，如果需要使用其他TLS证书，有两种方法：
-* 在gost运行目录放置cert.pem(公钥)和key.pem(私钥)两个文件即可，gost会自动加载运行目录下的cert.pem和key.pem文件。
-* 使用参数指定证书文件路径：
-```bash
-gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"
-```
-
-SOCKS5 UDP数据处理
-------
-#### 不设置转发代理
-
-<img src="https://ginuerzh.github.io/images/udp01.png" height=100 />
-
-gost作为标准SOCKS5代理处理UDP数据
-
-#### 设置转发代理
-
-<img src="https://ginuerzh.github.io/images/udp02.png" height=100 />
-
-#### 设置多个转发代理(代理链)
-
-<img src="https://ginuerzh.github.io/images/udp03.png" height=200 />
-
-当设置转发代理时，gost会使用UDP-over-TCP方式转发UDP数据。proxy1 - proxyN可以为任意HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks类型代理。
-
-限制条件
-------
-代理链中的HTTP代理节点必须支持CONNECT方法。
-
-如果要转发SOCKS5的BIND和UDP请求，代理链的末端(最后一个-F参数)必须支持gost SOCKS5类型代理。
-
-
-

cmd/gost/vendor/github.com/ginuerzh/gost/chain.go

-package gost
-
-import (
-	"crypto/rand"
-	"crypto/tls"
-	"encoding/base64"
-	"errors"
-	"github.com/golang/glog"
-	"golang.org/x/net/http2"
-	"io"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-)
-
-// Proxy chain holds a list of proxy nodes
-type ProxyChain struct {
-	nodes          []ProxyNode
-	lastNode       *ProxyNode
-	http2NodeIndex int
-	http2Enabled   bool
-	http2Client    *http.Client
-	kcpEnabled     bool
-	kcpConfig      *KCPConfig
-	kcpSession     *KCPSession
-	kcpMutex       sync.Mutex
-}
-
-func NewProxyChain(nodes ...ProxyNode) *ProxyChain {
-	chain := &ProxyChain{nodes: nodes, http2NodeIndex: -1}
-	return chain
-}
-
-func (c *ProxyChain) AddProxyNode(node ...ProxyNode) {
-	c.nodes = append(c.nodes, node...)
-}
-
-func (c *ProxyChain) AddProxyNodeString(snode ...string) error {
-	for _, sn := range snode {
-		node, err := ParseProxyNode(sn)
-		if err != nil {
-			return err
-		}
-		c.AddProxyNode(node)
-	}
-	return nil
-}
-
-func (c *ProxyChain) Nodes() []ProxyNode {
-	return c.nodes
-}
-
-func (c *ProxyChain) GetNode(index int) *ProxyNode {
-	if index < len(c.nodes) {
-		return &c.nodes[index]
-	}
-	return nil
-}
-
-func (c *ProxyChain) SetNode(index int, node ProxyNode) {
-	if index < len(c.nodes) {
-		c.nodes[index] = node
-	}
-}
-
-// Init initialize the proxy chain.
-// KCP will be enabled if the first proxy node is KCP proxy (transport == kcp).
-// HTTP2 will be enabled when at least one HTTP2 proxy node (scheme == http2) is present.
-//
-// NOTE: Should be called immediately when proxy nodes are ready.
-func (c *ProxyChain) Init() {
-	length := len(c.nodes)
-	if length == 0 {
-		return
-	}
-
-	c.lastNode = &c.nodes[length-1]
-
-	// HTTP2 restrict: HTTP2 will be enabled when at least one HTTP2 proxy node is present.
-	for i, node := range c.nodes {
-		if node.Transport == "http2" {
-			glog.V(LINFO).Infoln("HTTP2 is enabled")
-			cfg := &tls.Config{
-				InsecureSkipVerify: node.insecureSkipVerify(),
-				ServerName:         node.serverName,
-			}
-			c.http2NodeIndex = i
-			c.initHttp2Client(cfg, c.nodes[:i]...)
-			break // shortest chain for HTTP2
-		}
-	}
-
-	for i, node := range c.nodes {
-		if node.Transport == "kcp" && i > 0 {
-			glog.Fatal("KCP must be the first node in the proxy chain")
-		}
-	}
-
-	if c.nodes[0].Transport == "kcp" {
-		glog.V(LINFO).Infoln("KCP is enabled")
-		c.kcpEnabled = true
-		config, err := ParseKCPConfig(c.nodes[0].Get("c"))
-		if err != nil {
-			glog.V(LWARNING).Infoln("[kcp]", err)
-		}
-		if config == nil {
-			config = DefaultKCPConfig
-		}
-		if c.nodes[0].Users != nil {
-			config.Crypt = c.nodes[0].Users[0].Username()
-			config.Key, _ = c.nodes[0].Users[0].Password()
-		}
-		c.kcpConfig = config
-		return
-	}
-}
-
-func (c *ProxyChain) KCPEnabled() bool {
-	return c.kcpEnabled
-}
-
-func (c *ProxyChain) Http2Enabled() bool {
-	return c.http2Enabled
-}
-
-func (c *ProxyChain) initHttp2Client(config *tls.Config, nodes ...ProxyNode) {
-	if c.http2NodeIndex < 0 || c.http2NodeIndex >= len(c.nodes) {
-		return
-	}
-	http2Node := c.nodes[c.http2NodeIndex]
-
-	tr := http2.Transport{
-		TLSClientConfig: config,
-		DialTLS: func(network, addr string, cfg *tls.Config) (net.Conn, error) {
-			// replace the default dialer with our proxy chain.
-			conn, err := c.dialWithNodes(false, http2Node.Addr, nodes...)
-			if err != nil {
-				return conn, err
-			}
-			conn = tls.Client(conn, cfg)
-
-			// enable HTTP2 ping-pong
-			pingIntvl, _ := strconv.Atoi(http2Node.Get("ping"))
-			if pingIntvl > 0 {
-				enablePing(conn, time.Duration(pingIntvl)*time.Second)
-			}
-
-			return conn, nil
-		},
-	}
-	c.http2Client = &http.Client{Transport: &tr}
-	c.http2Enabled = true
-
-}
-
-func enablePing(conn net.Conn, interval time.Duration) {
-	if conn == nil || interval == 0 {
-		return
-	}
-
-	glog.V(LINFO).Infoln("[http2] ping enabled, interval:", interval)
-	go func() {
-		t := time.NewTicker(interval)
-		var framer *http2.Framer
-		for {
-			select {
-			case <-t.C:
-				if framer == nil {
-					framer = http2.NewFramer(conn, conn)
-				}
-
-				var p [8]byte
-				rand.Read(p[:])
-				err := framer.WritePing(false, p)
-				if err != nil {
-					t.Stop()
-					framer = nil
-					glog.V(LWARNING).Infoln("[http2] ping:", err)
-					return
-				}
-			}
-		}
-	}()
-}
-
-// Connect to addr through proxy chain
-func (c *ProxyChain) Dial(addr string) (net.Conn, error) {
-	if !strings.Contains(addr, ":") {
-		addr += ":80"
-	}
-	return c.dialWithNodes(true, addr, c.nodes...)
-}
-
-// GetConn initializes a proxy chain connection,
-// if no proxy nodes on this chain, it will return error
-func (c *ProxyChain) GetConn() (net.Conn, error) {
-	nodes := c.nodes
-	if len(nodes) == 0 {
-		return nil, ErrEmptyChain
-	}
-
-	if c.Http2Enabled() {
-		nodes = nodes[c.http2NodeIndex+1:]
-		if len(nodes) == 0 {
-			header := make(http.Header)
-			header.Set("Proxy-Switch", "gost") // Flag header to indicate server to switch to HTTP2 transport mode
-			conn, err := c.getHttp2Conn(header)
-			if err != nil {
-				return nil, err
-			}
-			http2Node := c.nodes[c.http2NodeIndex]
-			if http2Node.Transport == "http2" {
-				http2Node.Transport = "h2"
-			}
-			if http2Node.Protocol == "http2" {
-				http2Node.Protocol = "socks5" // assume it as socks5 protocol, so we can do much more things.
-			}
-			pc := NewProxyConn(conn, http2Node)
-			if err := pc.Handshake(); err != nil {
-				conn.Close()
-				return nil, err
-			}
-			return pc, nil
-		}
-	}
-	return c.travelNodes(true, nodes...)
-}
-
-func (c *ProxyChain) dialWithNodes(withHttp2 bool, addr string, nodes ...ProxyNode) (conn net.Conn, err error) {
-	if len(nodes) == 0 {
-		return net.DialTimeout("tcp", addr, DialTimeout)
-	}
-
-	if withHttp2 && c.Http2Enabled() {
-		nodes = nodes[c.http2NodeIndex+1:]
-		if len(nodes) == 0 {
-			return c.http2Connect(addr)
-		}
-	}
-	pc, err := c.travelNodes(withHttp2, nodes...)
-	if err != nil {
-		return
-	}
-	if err = pc.Connect(addr); err != nil {
-		pc.Close()
-		return
-	}
-	conn = pc
-	return
-}
-
-func (c *ProxyChain) travelNodes(withHttp2 bool, nodes ...ProxyNode) (conn *ProxyConn, err error) {
-	defer func() {
-		if err != nil && conn != nil {
-			conn.Close()
-			conn = nil
-		}
-	}()
-
-	var cc net.Conn
-	node := nodes[0]
-
-	if withHttp2 && c.Http2Enabled() {
-		cc, err = c.http2Connect(node.Addr)
-	} else if node.Transport == "kcp" {
-		cc, err = c.getKCPConn()
-	} else {
-		cc, err = net.DialTimeout("tcp", node.Addr, DialTimeout)
-	}
-	if err != nil {
-		return
-	}
-	setKeepAlive(cc, KeepAliveTime)
-
-	pc := NewProxyConn(cc, node)
-	conn = pc
-	if err = pc.Handshake(); err != nil {
-		return
-	}
-
-	for _, node := range nodes[1:] {
-		if err = conn.Connect(node.Addr); err != nil {
-			return
-		}
-		pc := NewProxyConn(conn, node)
-		conn = pc
-		if err = pc.Handshake(); err != nil {
-			return
-		}
-	}
-	return
-}
-
-func (c *ProxyChain) initKCPSession() (err error) {
-	c.kcpMutex.Lock()
-	defer c.kcpMutex.Unlock()
-
-	if c.kcpSession == nil || c.kcpSession.IsClosed() {
-		glog.V(LINFO).Infoln("[kcp] new kcp session")
-		c.kcpSession, err = DialKCP(c.nodes[0].Addr, c.kcpConfig)
-	}
-	return
-}
-
-func (c *ProxyChain) getKCPConn() (conn net.Conn, err error) {
-	if !c.KCPEnabled() {
-		return nil, errors.New("KCP is not enabled")
-	}
-
-	if err = c.initKCPSession(); err != nil {
-		return nil, err
-	}
-	return c.kcpSession.GetConn()
-}
-
-// Initialize an HTTP2 transport if HTTP2 is enabled.
-func (c *ProxyChain) getHttp2Conn(header http.Header) (net.Conn, error) {
-	if !c.Http2Enabled() {
-		return nil, errors.New("HTTP2 is not enabled")
-	}
-	http2Node := c.nodes[c.http2NodeIndex]
-	pr, pw := io.Pipe()
-
-	if header == nil {
-		header = make(http.Header)
-	}
-
-	req := http.Request{
-		Method:        http.MethodConnect,
-		URL:           &url.URL{Scheme: "https", Host: http2Node.Addr},
-		Header:        header,
-		Proto:         "HTTP/2.0",
-		ProtoMajor:    2,
-		ProtoMinor:    0,
-		Body:          pr,
-		Host:          http2Node.Addr,
-		ContentLength: -1,
-	}
-	if glog.V(LDEBUG) {
-		dump, _ := httputil.DumpRequest(&req, false)
-		glog.Infoln(string(dump))
-	}
-	resp, err := c.http2Client.Do(&req)
-	if err != nil {
-		return nil, err
-	}
-	if glog.V(LDEBUG) {
-		dump, _ := httputil.DumpResponse(resp, false)
-		glog.Infoln(string(dump))
-	}
-	if resp.StatusCode != http.StatusOK {
-		resp.Body.Close()
-		return nil, errors.New(resp.Status)
-	}
-	conn := &http2Conn{r: resp.Body, w: pw}
-	conn.remoteAddr, _ = net.ResolveTCPAddr("tcp", http2Node.Addr)
-	return conn, nil
-}
-
-// Use HTTP2 as transport to connect target addr.
-//
-// BUG: SOCKS5 is ignored, only HTTP supported
-func (c *ProxyChain) http2Connect(addr string) (net.Conn, error) {
-	if !c.Http2Enabled() {
-		return nil, errors.New("HTTP2 is not enabled")
-	}
-	http2Node := c.nodes[c.http2NodeIndex]
-
-	header := make(http.Header)
-	header.Set("Gost-Target", addr) // Flag header to indicate the address that server connected to
-	if http2Node.Users != nil {
-		header.Set("Proxy-Authorization",
-			"Basic "+base64.StdEncoding.EncodeToString([]byte(http2Node.Users[0].String())))
-	}
-	return c.getHttp2Conn(header)
-}

cmd/gost/vendor/github.com/ginuerzh/gost/conn.go

-package gost
-
-import (
-	"bufio"
-	"crypto/tls"
-	"encoding/base64"
-	"errors"
-	"github.com/ginuerzh/gosocks5"
-	"github.com/golang/glog"
-	ss "github.com/shadowsocks/shadowsocks-go/shadowsocks"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-)
-
-type ProxyConn struct {
-	conn           net.Conn
-	Node           ProxyNode
-	handshaked     bool
-	handshakeMutex sync.Mutex
-	handshakeErr   error
-}
-
-func NewProxyConn(conn net.Conn, node ProxyNode) *ProxyConn {
-	return &ProxyConn{
-		conn: conn,
-		Node: node,
-	}
-}
-
-// Handshake handshake with this proxy node based on the proxy node info: transport, protocol, authentication, etc.
-//
-// NOTE: any HTTP2 scheme will be treated as http (for protocol) or tls (for transport).
-func (c *ProxyConn) Handshake() error {
-	c.handshakeMutex.Lock()
-	defer c.handshakeMutex.Unlock()
-
-	if err := c.handshakeErr; err != nil {
-		return err
-	}
-	if c.handshaked {
-		return nil
-	}
-	c.handshakeErr = c.handshake()
-	return c.handshakeErr
-}
-
-func (c *ProxyConn) handshake() error {
-	var tlsUsed bool
-
-	switch c.Node.Transport {
-	case "ws": // websocket connection
-		u := url.URL{Scheme: "ws", Host: c.Node.Addr, Path: "/ws"}
-		conn, err := WebsocketClientConn(u.String(), c.conn, nil)
-		if err != nil {
-			return err
-		}
-		c.conn = conn
-	case "wss": // websocket security
-		tlsUsed = true
-		u := url.URL{Scheme: "wss", Host: c.Node.Addr, Path: "/ws"}
-		config := &tls.Config{
-			InsecureSkipVerify: c.Node.insecureSkipVerify(),
-			ServerName:         c.Node.serverName,
-		}
-		conn, err := WebsocketClientConn(u.String(), c.conn, config)
-		if err != nil {
-			return err
-		}
-		c.conn = conn
-	case "tls", "http2": // tls connection
-		tlsUsed = true
-		cfg := &tls.Config{
-			InsecureSkipVerify: c.Node.insecureSkipVerify(),
-			ServerName:         c.Node.serverName,
-		}
-		c.conn = tls.Client(c.conn, cfg)
-	case "h2": // same as http2, but just set a flag for later using.
-		tlsUsed = true
-	case "kcp": // kcp connection
-		tlsUsed = true
-	default:
-	}
-
-	switch c.Node.Protocol {
-	case "socks", "socks5": // socks5 handshake with auth and tls supported
-		selector := &clientSelector{
-			methods: []uint8{
-				gosocks5.MethodNoAuth,
-				gosocks5.MethodUserPass,
-				//MethodTLS,
-			},
-		}
-
-		if len(c.Node.Users) > 0 {
-			selector.user = c.Node.Users[0]
-		}
-
-		if !tlsUsed { // if transport is not security, enable security socks5
-			selector.methods = append(selector.methods, MethodTLS)
-			selector.tlsConfig = &tls.Config{
-				InsecureSkipVerify: c.Node.insecureSkipVerify(),
-				ServerName:         c.Node.serverName,
-			}
-		}
-
-		conn := gosocks5.ClientConn(c.conn, selector)
-		if err := conn.Handleshake(); err != nil {
-			return err
-		}
-		c.conn = conn
-	case "ss": // shadowsocks
-		// nothing to do
-	case "http", "http2":
-		fallthrough
-	default:
-	}
-
-	c.handshaked = true
-
-	return nil
-}
-
-// Connect connect to addr through this proxy node
-func (c *ProxyConn) Connect(addr string) error {
-	switch c.Node.Protocol {
-	case "ss": // shadowsocks
-		rawaddr, err := ss.RawAddr(addr)
-		if err != nil {
-			return err
-		}
-
-		var method, password string
-		if len(c.Node.Users) > 0 {
-			method = c.Node.Users[0].Username()
-			password, _ = c.Node.Users[0].Password()
-		}
-		if c.Node.getBool("ota") && !strings.HasSuffix(method, "-auth") {
-			method += "-auth"
-		}
-
-		cipher, err := ss.NewCipher(method, password)
-		if err != nil {
-			return err
-		}
-
-		ssc, err := ss.DialWithRawAddrConn(rawaddr, c.conn, cipher)
-		if err != nil {
-			return err
-		}
-		c.conn = &shadowConn{conn: ssc}
-		return nil
-	case "socks", "socks5":
-		host, port, err := net.SplitHostPort(addr)
-		if err != nil {
-			return err
-		}
-		p, _ := strconv.Atoi(port)
-		req := gosocks5.NewRequest(gosocks5.CmdConnect, &gosocks5.Addr{
-			Type: gosocks5.AddrDomain,
-			Host: host,
-			Port: uint16(p),
-		})
-		if err := req.Write(c); err != nil {
-			return err
-		}
-		glog.V(LDEBUG).Infoln("[socks5]", req)
-
-		reply, err := gosocks5.ReadReply(c)
-		if err != nil {
-			return err
-		}
-		glog.V(LDEBUG).Infoln("[socks5]", reply)
-		if reply.Rep != gosocks5.Succeeded {
-			return errors.New("Service unavailable")
-		}
-	case "http":
-		fallthrough
-	default:
-		req := &http.Request{
-			Method:     http.MethodConnect,
-			URL:        &url.URL{Host: addr},
-			Host:       addr,
-			ProtoMajor: 1,
-			ProtoMinor: 1,
-			Header:     make(http.Header),
-		}
-		req.Header.Set("Proxy-Connection", "keep-alive")
-		if len(c.Node.Users) > 0 {
-			user := c.Node.Users[0]
-			s := user.String()
-			if _, set := user.Password(); !set {
-				s += ":"
-			}
-			req.Header.Set("Proxy-Authorization",
-				"Basic "+base64.StdEncoding.EncodeToString([]byte(s)))
-		}
-		if err := req.Write(c); err != nil {
-			return err
-		}
-		if glog.V(LDEBUG) {
-			dump, _ := httputil.DumpRequest(req, false)
-			glog.Infoln(string(dump))
-		}
-
-		resp, err := http.ReadResponse(bufio.NewReader(c), req)
-		if err != nil {
-			return err
-		}
-		if glog.V(LDEBUG) {
-			dump, _ := httputil.DumpResponse(resp, false)
-			glog.Infoln(string(dump))
-		}
-		if resp.StatusCode != http.StatusOK {
-			return errors.New(resp.Status)
-		}
-	}
-
-	return nil
-}
-
-func (c *ProxyConn) Read(b []byte) (n int, err error) {
-	return c.conn.Read(b)
-}
-
-func (c *ProxyConn) Write(b []byte) (n int, err error) {
-	return c.conn.Write(b)
-}
-
-func (c *ProxyConn) Close() error {
-	return c.conn.Close()
-}
-
-func (c *ProxyConn) LocalAddr() net.Addr {
-	return c.conn.LocalAddr()
-}
-
-func (c *ProxyConn) RemoteAddr() net.Addr {
-	return c.conn.RemoteAddr()
-}
-
-func (c *ProxyConn) SetDeadline(t time.Time) error {
-	return c.conn.SetDeadline(t)
-}
-
-func (c *ProxyConn) SetReadDeadline(t time.Time) error {
-	return c.conn.SetReadDeadline(t)
-}
-
-func (c *ProxyConn) SetWriteDeadline(t time.Time) error {
-	return c.conn.SetWriteDeadline(t)
-}

cmd/gost/vendor/github.com/ginuerzh/gost/gost.go

-package gost
-
-import (
-	"crypto/tls"
-	"encoding/base64"
-	"errors"
-	"github.com/golang/glog"
-	"net"
-	"strings"
-	"time"
-)
-
-const (
-	Version = "2.4-dev"
-)
-
-// Log level for glog
-const (
-	LFATAL = iota
-	LERROR
-	LWARNING
-	LINFO
-	LDEBUG
-)
-
-var (
-	KeepAliveTime = 180 * time.Second
-	DialTimeout   = 30 * time.Second
-	ReadTimeout   = 90 * time.Second
-	WriteTimeout  = 90 * time.Second
-
-	DefaultTTL = 60 // default udp node TTL in second for udp port forwarding
-)
-
-var (
-	SmallBufferSize  = 1 * 1024  // 1KB small buffer
-	MediumBufferSize = 8 * 1024  // 8KB medium buffer
-	LargeBufferSize  = 32 * 1024 // 32KB large buffer
-)
-
-var (
-	DefaultCertFile = "cert.pem"
-	DefaultKeyFile  = "key.pem"
-
-	// This is the default cert and key data for convenience, providing your own cert is recommended.
-	defaultRawCert = []byte(`-----BEGIN CERTIFICATE-----
-MIIC5jCCAdCgAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD
-bzAeFw0xNDAzMTcwNjIwNTFaFw0xNTAzMTcwNjIwNTFaMBIxEDAOBgNVBAoTB0Fj
-bWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDccNO1xmd4lWSf
-d/0/QS3E93cYIWHw831i/IKxigdRD/XMZonLdEHywW6lOiXazaP8e6CqPGSmnl0x
-5k/3dvGCMj2JCVxM6+z7NpL+AiwvXmvkj/TOciCgwqssCwYS2CiVwjfazRjx1ZUJ
-VDC5qiyRsfktQ2fVHrpnJGVSRagmiQgwGWBilVG9B8QvRtpQKN/GQGq17oIQm8aK
-kOdPt93g93ojMIg7YJpgDgOirvVz/hDn7YD4ryrtPos9CMafFkJprymKpRHyvz7P
-8a3+OkuPjFjPnwOHQ5u1U3+8vC44vfb1ExWzDLoT8Xp8Gndx39k0f7MVOol3GnYu
-MN/dvNUdAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIAoDATBgNVHSUEDDAKBggrBgEF
-BQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDALBgkqhkiG
-9w0BAQUDggEBAIG8CJqvTIgJnNOK+i5/IUc/3yF/mSCWuG8qP+Fmo2t6T0PVOtc0
-8wiWH5iWtCAhjn0MRY9l/hIjWm6gUZGHCGuEgsOPpJDYGoNLjH9Xwokm4y3LFNRK
-UBrrrDbKRNibApBHCapPf6gC5sXcjOwx7P2/kiHDgY7YH47jfcRhtAPNsM4gjsEO
-RmwENY+hRUFHIRfQTyalqND+x6PWhRo3K6hpHs4DQEYPq4P2kFPqUqSBymH+Ny5/
-BcQ3wdMNmC6Bm/oiL1QV0M+/InOsAgQk/EDd0kmoU1ZT2lYHQduGmP099bOlHNpS
-uqO3vXF3q8SPPr/A9TqSs7BKkBQbe0+cdsA=
------END CERTIFICATE-----`)
-	defaultRawKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA3HDTtcZneJVkn3f9P0EtxPd3GCFh8PN9YvyCsYoHUQ/1zGaJ
-y3RB8sFupTol2s2j/Hugqjxkpp5dMeZP93bxgjI9iQlcTOvs+zaS/gIsL15r5I/0
-znIgoMKrLAsGEtgolcI32s0Y8dWVCVQwuaoskbH5LUNn1R66ZyRlUkWoJokIMBlg
-YpVRvQfEL0baUCjfxkBqte6CEJvGipDnT7fd4Pd6IzCIO2CaYA4Doq71c/4Q5+2A
-+K8q7T6LPQjGnxZCaa8piqUR8r8+z/Gt/jpLj4xYz58Dh0ObtVN/vLwuOL329RMV
-swy6E/F6fBp3cd/ZNH+zFTqJdxp2LjDf3bzVHQIDAQABAoIBAHal26147nQ+pHwY
-jxwers3XDCjWvup7g79lfcqlKi79UiUEA6KYHm7UogMYewt7p4nb2KwH+XycvDiB
-aAUf5flXpTs+6IkWauUDiLZi4PlV7uiEexUq5FjirlL0U/6MjbudX4bK4WQ4uxDc
-WaV07Kw2iJFOOHLDKT0en9JaX5jtJNc4ZnE9efFoQ5jfypPWtRw65G1rULEg6nvc
-GDh+1ce+4foCkpLRC9c24xAwJONZG6x3UqrSS9qfAsb73nWRQrTfUcO3nhoN8VvL
-kL9skn1+S06NyUN0KoEtyRBp+RcpXSsBWAo6qZmo/WqhB/gjzWrxVwn20+yJSm35
-ZsMc6QECgYEA8GS+Mp9xfB2szWHz6YTOO1Uu4lHM1ccZMwS1G+dL0KO3uGAiPdvp
-woVot6v6w88t7onXsLo5pgz7SYug0CpkF3K/MRd1Ar4lH7PK7IBQ6rFr9ppVxDbx
-AEWRswUoPbKCr7W6HU8LbQHDavsDlEIwc6+DiwnL4BzlKjb7RpgQEz0CgYEA6sB5
-uHvx3Y5FDcGk1n73leQSAcq14l3ZLNpjrs8msoREDil/j5WmuSN58/7PGMiMgHEi
-1vLm3H796JmvGr9OBvspOjHyk07ui2/We/j9Hoxm1VWhyi8HkLNDj70HKalTTFMz
-RHO4O+0xCva+h9mKZrRMVktXr2jjdFn/0MYIZ2ECgYAIIsC1IeRLWQ3CHbCNlKsO
-IwHlMvOFwKk/qsceXKOaOhA7szU1dr3gkXdL0Aw6mEZrrkqYdpUA46uVf54/rU+Z
-445I8QxKvXiwK/uQKX+TkdGflPWWIG3jnnch4ejMvb/ihnn4B/bRB6A/fKNQXzUY
-lTYUfI5j1VaEKTwz1W2l2QKBgByFCcSp+jZqhGUpc3dDsZyaOr3Q/Mvlju7uEVI5
-hIAHpaT60a6GBd1UPAqymEJwivFHzW3D0NxU6VAK68UaHMaoWNfjHY9b9YsnKS2i
-kE3XzN56Ks+/avHfdYPO+UHMenw5V28nh+hv5pdoZrlmanQTz3pkaOC8o3WNQZEB
-nh/BAoGBAMY5z2f1pmMhrvtPDSlEVjgjELbaInxFaxPLR4Pdyzn83gtIIU14+R8X
-2LPs6PPwrNjWnIgrUSVXncIFL3pa45B+Mx1pYCpOAB1+nCZjIBQmpeo4Y0dwA/XH
-85EthKPvoszm+OPbyI16OcePV5ocX7lupRYuAo0pek7bomhmHWHz
------END RSA PRIVATE KEY-----`)
-)
-
-var (
-	ErrEmptyChain = errors.New("empty chain")
-)
-
-func setKeepAlive(conn net.Conn, d time.Duration) error {
-	c, ok := conn.(*net.TCPConn)
-	if !ok {
-		return errors.New("Not a TCP connection")
-	}
-	if err := c.SetKeepAlive(true); err != nil {
-		return err
-	}
-	if err := c.SetKeepAlivePeriod(d); err != nil {
-		return err
-	}
-	return nil
-}
-
-// Load the certificate from cert and key files, will use the default certificate if the provided info are invalid.
-func LoadCertificate(certFile, keyFile string) (tls.Certificate, error) {
-	tlsCert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err == nil {
-		return tlsCert, nil
-	}
-	glog.V(LWARNING).Infoln(err)
-	return tls.X509KeyPair(defaultRawCert, defaultRawKey)
-}
-
-// Replace the default certificate by your own
-func SetDefaultCertificate(rawCert, rawKey []byte) {
-	defaultRawCert = rawCert
-	defaultRawKey = rawKey
-}
-
-func basicProxyAuth(proxyAuth string) (username, password string, ok bool) {
-	if proxyAuth == "" {
-		return
-	}
-
-	if !strings.HasPrefix(proxyAuth, "Basic ") {
-		return
-	}
-	c, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(proxyAuth, "Basic "))
-	if err != nil {
-		return
-	}
-	cs := string(c)
-	s := strings.IndexByte(cs, ':')
-	if s < 0 {
-		return
-	}
-
-	return cs[:s], cs[s+1:], true
-}

cmd/gost/vendor/github.com/ginuerzh/gost/node.go

-package gost
-
-import (
-	"bufio"
-	"fmt"
-	"github.com/golang/glog"
-	"net"
-	"net/url"
-	"os"
-	"strconv"
-	"strings"
-)
-
-// Proxy node represent a proxy
-type ProxyNode struct {
-	Addr       string          // [host]:port
-	Protocol   string          // protocol: http/socks5/ss
-	Transport  string          // transport: ws/wss/tls/http2/tcp/udp/rtcp/rudp
-	Remote     string          // remote address, used by tcp/udp port forwarding
-	Users      []*url.Userinfo // authentication for proxy
-	values     url.Values
-	serverName string
-	conn       net.Conn
-}
-
-// The proxy node string pattern is [scheme://][user:pass@host]:port.
-//
-// Scheme can be devided into two parts by character '+', such as: http+tls.
-func ParseProxyNode(s string) (node ProxyNode, err error) {
-	if !strings.Contains(s, "://") {
-		s = "gost://" + s
-	}
-	u, err := url.Parse(s)
-	if err != nil {
-		return
-	}
-
-	node = ProxyNode{
-		Addr:       u.Host,
-		values:     u.Query(),
-		serverName: u.Host,
-	}
-
-	if u.User != nil {
-		node.Users = append(node.Users, u.User)
-	}
-
-	users, er := parseUsers(node.Get("secrets"))
-	if users != nil {
-		node.Users = append(node.Users, users...)
-	}
-	if er != nil {
-		glog.V(LWARNING).Infoln("secrets:", er)
-	}
-
-	if strings.Contains(u.Host, ":") {
-		node.serverName, _, _ = net.SplitHostPort(u.Host)
-		if node.serverName == "" {
-			node.serverName = "localhost" // default server name
-		}
-	}
-
-	schemes := strings.Split(u.Scheme, "+")
-	if len(schemes) == 1 {
-		node.Protocol = schemes[0]
-		node.Transport = schemes[0]
-	}
-	if len(schemes) == 2 {
-		node.Protocol = schemes[0]
-		node.Transport = schemes[1]
-	}
-
-	switch node.Transport {
-	case "ws", "wss", "tls", "http2", "quic", "kcp", "redirect", "ssu":
-	case "https":
-		node.Protocol = "http"
-		node.Transport = "tls"
-	case "tcp", "udp": // started from v2.1, tcp and udp are for local port forwarding
-		node.Remote = strings.Trim(u.EscapedPath(), "/")
-	case "rtcp", "rudp": // started from v2.1, rtcp and rudp are for remote port forwarding
-		node.Remote = strings.Trim(u.EscapedPath(), "/")
-	default:
-		node.Transport = ""
-	}
-
-	switch node.Protocol {
-	case "http", "http2", "socks", "socks5", "ss":
-	default:
-		node.Protocol = ""
-	}
-
-	return
-}
-
-func parseUsers(authFile string) (users []*url.Userinfo, err error) {
-	if authFile == "" {
-		return
-	}
-
-	file, err := os.Open(authFile)
-	if err != nil {
-		return
-	}
-	scanner := bufio.NewScanner(file)
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		if line == "" || strings.HasPrefix(line, "#") {
-			continue
-		}
-
-		s := strings.SplitN(line, " ", 2)
-		if len(s) == 1 {
-			users = append(users, url.User(strings.TrimSpace(s[0])))
-		} else if len(s) == 2 {
-			users = append(users, url.UserPassword(strings.TrimSpace(s[0]), strings.TrimSpace(s[1])))
-		}
-	}
-
-	err = scanner.Err()
-	return
-}
-
-// Get get node parameter by key
-func (node *ProxyNode) Get(key string) string {
-	return node.values.Get(key)
-}
-
-func (node *ProxyNode) getBool(key string) bool {
-	s := node.Get(key)
-	if b, _ := strconv.ParseBool(s); b {
-		return b
-	}
-	n, _ := strconv.Atoi(s)
-	return n > 0
-}
-
-func (node *ProxyNode) Set(key, value string) {
-	node.values.Set(key, value)
-}
-
-func (node *ProxyNode) insecureSkipVerify() bool {
-	return !node.getBool("secure")
-}
-
-func (node *ProxyNode) certFile() string {
-	if cert := node.Get("cert"); cert != "" {
-		return cert
-	}
-	return DefaultCertFile
-}
-
-func (node *ProxyNode) keyFile() string {
-	if key := node.Get("key"); key != "" {
-		return key
-	}
-	return DefaultKeyFile
-}
-
-func (node ProxyNode) String() string {
-	return fmt.Sprintf("transport: %s, protocol: %s, addr: %s", node.Transport, node.Protocol, node.Addr)
-}

cmd/gost/vendor/github.com/ginuerzh/gost/redirect_win.go

-// +build windows
-
-package gost
-
-import (
-	"errors"
-)
-
-type RedsocksTCPServer struct{}
-
-func NewRedsocksTCPServer(base *ProxyServer) *RedsocksTCPServer {
-	return &RedsocksTCPServer{}
-}
-
-func (s *RedsocksTCPServer) ListenAndServe() error {
-	return errors.New("Not supported")
-}

cmd/gost/vendor/github.com/klauspost/crc32/crc32_amd64p32.go

-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !appengine,!gccgo
-
-package crc32
-
-// This file contains the code to call the SSE 4.2 version of the Castagnoli
-// CRC.
-
-// haveSSE42 is defined in crc32_amd64p32.s and uses CPUID to test for SSE 4.2
-// support.
-func haveSSE42() bool
-
-// castagnoliSSE42 is defined in crc32_amd64p32.s and uses the SSE4.2 CRC32
-// instruction.
-//go:noescape
-func castagnoliSSE42(crc uint32, p []byte) uint32
-
-var sse42 = haveSSE42()
-
-func archAvailableCastagnoli() bool {
-	return sse42
-}
-
-func archInitCastagnoli() {
-	if !sse42 {
-		panic("not available")
-	}
-	// No initialization necessary.
-}
-
-func archUpdateCastagnoli(crc uint32, p []byte) uint32 {
-	if !sse42 {
-		panic("not available")
-	}
-	return castagnoliSSE42(crc, p)
-}
-
-func archAvailableIEEE() bool                    { return false }
-func archInitIEEE()                              { panic("not available") }
-func archUpdateIEEE(crc uint32, p []byte) uint32 { panic("not available") }

cmd/gost/vendor/github.com/lucas-clemente/quic-go/crypto/signer.go

-package crypto
-
-// A Signer holds a certificate and a private key
-type Signer interface {
-	SignServerProof(sni string, chlo []byte, serverConfigData []byte) ([]byte, error)
-	GetCertsCompressed(sni string, commonSetHashes, cachedHashes []byte) ([]byte, error)
-	GetLeafCert(sni string) ([]byte, error)
-}