Skip to content

G
gost
Commit d11b16c7 authored by rui.zheng's avatar rui.zheng
Browse files
Options

update README

parent 64b5f628
Hide whitespace changes
Inline Side-by-side
Showing with 96 additions and 174 deletions
README.md
View file @ d11b16c7
...@@ -18,9 +18,9 @@ gost - GO Simple Tunnel ...@@ -18,9 +18,9 @@ gost - GO Simple Tunnel
* 可设置转发代理,支持多级转发(代理链) * 可设置转发代理,支持多级转发(代理链)
* 支持标准HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5代理协议 * 支持标准HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5代理协议
* [支持多种隧道类型](https://docs.ginuerzh.xyz/gost/configuration/) * [支持多种隧道类型](https://docs.ginuerzh.xyz/gost/configuration/)
* SOCKS5代理支持TLS协商加密 * [SOCKS5代理支持TLS协商加密](https://docs.ginuerzh.xyz/gost/socks/)
* Tunnel UDP over TCP * [Tunnel UDP over TCP](https://docs.ginuerzh.xyz/gost/socks/)
* TCP透明代理 * [TCP透明代理](https://docs.ginuerzh.xyz/gost/redirect/)
* [本地/远程TCP/UDP端口转发](https://docs.ginuerzh.xyz/gost/port-forwarding/) * [本地/远程TCP/UDP端口转发](https://docs.ginuerzh.xyz/gost/port-forwarding/)
* [支持Shadowsocks(TCP/UDP)协议](https://docs.ginuerzh.xyz/gost/ss/) * [支持Shadowsocks(TCP/UDP)协议](https://docs.ginuerzh.xyz/gost/ss/)
* [支持SNI代理](https://docs.ginuerzh.xyz/gost/sni/) * [支持SNI代理](https://docs.ginuerzh.xyz/gost/sni/)
...@@ -241,31 +241,40 @@ gost -L=:8888 -F='obfs4://server_ip:443?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdV ...@@ -241,31 +241,40 @@ gost -L=:8888 -F='obfs4://server_ip:443?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdV
加密机制 加密机制
------ ------
#### HTTP #### HTTP
对于HTTP可以使用TLS加密整个通讯过程,即HTTPS代理: 对于HTTP可以使用TLS加密整个通讯过程,即HTTPS代理:
服务端: 服务端:
```bash ```bash
gost -L=https://:443 gost -L=https://:443
``` ```
客户端: 客户端:
```bash ```bash
gost -L=:8080 -F=http+tls://server_ip:443 gost -L=:8080 -F=http+tls://server_ip:443
``` ```
#### HTTP2 #### HTTP2
gost的HTTP2代理模式仅支持使用TLS加密的HTTP2协议,不支持明文HTTP2传输。 gost的HTTP2代理模式仅支持使用TLS加密的HTTP2协议,不支持明文HTTP2传输。
gost的HTTP2通道模式支持加密(h2)和明文(h2c)两种模式。 gost的HTTP2通道模式支持加密(h2)和明文(h2c)两种模式。
#### SOCKS5 #### SOCKS5
gost支持标准SOCKS5协议的no-auth(0x00)和user/pass(0x02)方法,并在此基础上扩展了两个:tls(0x80)和tls-auth(0x82),用于数据加密。 gost支持标准SOCKS5协议的no-auth(0x00)和user/pass(0x02)方法,并在此基础上扩展了两个:tls(0x80)和tls-auth(0x82),用于数据加密。
服务端: 服务端:
```bash ```bash
gost -L=socks5://:1080 gost -L=socks5://:1080
``` ```
客户端: 客户端:
```bash ```bash
gost -L=:8080 -F=socks5://server_ip:1080 gost -L=:8080 -F=socks5://server_ip:1080
``` ```
...@@ -276,10 +285,12 @@ gost -L=:8080 -F=socks5://server_ip:1080 ...@@ -276,10 +285,12 @@ gost -L=:8080 -F=socks5://server_ip:1080
gost对shadowsocks的支持是基于[shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go)库。 gost对shadowsocks的支持是基于[shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go)库。
服务端: 服务端:
```bash ```bash
gost -L=ss://chacha20:123456@:8338 gost -L=ss://chacha20:123456@:8338
``` ```
客户端: 客户端:
```bash ```bash
gost -L=:8080 -F=ss://chacha20:123456@server_ip:8338 gost -L=:8080 -F=ss://chacha20:123456@server_ip:8338
``` ```
...@@ -289,6 +300,7 @@ gost -L=:8080 -F=ss://chacha20:123456@server_ip:8338 ...@@ -289,6 +300,7 @@ gost -L=:8080 -F=ss://chacha20:123456@server_ip:8338
目前仅服务端支持UDP Relay。 目前仅服务端支持UDP Relay。
服务端: 服务端:
```bash ```bash
gost -L=ssu://chacha20:123456@:8338 gost -L=ssu://chacha20:123456@:8338
``` ```
......
README_en.md
View file @ d11b16c7
...@@ -6,146 +6,55 @@ gost - GO Simple Tunnel ...@@ -6,146 +6,55 @@ gost - GO Simple Tunnel
[![GoDoc](https://godoc.org/github.com/ginuerzh/gost?status.svg)](https://godoc.org/github.com/ginuerzh/gost) [![GoDoc](https://godoc.org/github.com/ginuerzh/gost?status.svg)](https://godoc.org/github.com/ginuerzh/gost)
[![Build Status](https://travis-ci.org/ginuerzh/gost.svg?branch=master)](https://travis-ci.org/ginuerzh/gost) [![Build Status](https://travis-ci.org/ginuerzh/gost.svg?branch=master)](https://travis-ci.org/ginuerzh/gost)
[![Go Report Card](https://goreportcard.com/badge/github.com/ginuerzh/gost)](https://goreportcard.com/report/github.com/ginuerzh/gost) [![Go Report Card](https://goreportcard.com/badge/github.com/ginuerzh/gost)](https://goreportcard.com/report/github.com/ginuerzh/gost)
[![Snap Status](https://build.snapcraft.io/badge/ginuerzh/gost.svg)](https://build.snapcraft.io/user/ginuerzh/gost) [![GitHub release](https://img.shields.io/github/release/ginuerzh/gost.svg)](https://github.com/ginuerzh/gost/releases/latest)
[![Snap Status](https://build.snapcraft.io/badge/ginuerzh/gost.svg)](https://build.snapcraft.io/user/ginuerzh/gost)
Features Features
------ ------
* Listening on multiple ports * Listening on multiple ports
* Multi-level forward proxy - proxy chain * Multi-level forward proxy - proxy chain
* Standard HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5 proxy protocols support * Standard HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5 proxy protocols support
* TLS encryption via negotiation support for SOCKS5 proxy * [Support multiple tunnel types](https://docs.ginuerzh.xyz/gost/en/configuration/)
* Tunnel UDP over TCP * [TLS encryption via negotiation support for SOCKS5 proxy](https://docs.ginuerzh.xyz/gost/en/socks/)
* Permission control * [Tunnel UDP over TCP](https://docs.ginuerzh.xyz/gost/en/socks/)
* Local/remote TCP/UDP port forwarding (2.1+) * [Transparent TCP proxy](https://docs.ginuerzh.xyz/gost/en/redirect/)
* Shadowsocks protocol (UDP: 2.4+) * [Local/remote TCP/UDP port forwarding](https://docs.ginuerzh.xyz/gost/en/port-forwarding/)
* KCP protocol (2.3+) * [Shadowsocks protocol](https://docs.ginuerzh.xyz/gost/en/ss/)
* Transparent TCP proxy (2.3+) * [SNI proxy](https://docs.ginuerzh.xyz/gost/en/sni/)
* HTTP2 tunnel (2.4+) * [Permission control](https://docs.ginuerzh.xyz/gost/en/permission/)
* SSH tunnel (2.4+) * [Load balancing](https://docs.ginuerzh.xyz/gost/en/load-balancing/)
* QUIC tunnel (2.4+)
* obfs4 tunnel (2.4+) Wiki: https://docs.ginuerzh.xyz/gost/en/
Binary file download:https://github.com/ginuerzh/gost/releases
Google group: https://groups.google.com/d/forum/go-gost Google group: https://groups.google.com/d/forum/go-gost
Gost and other proxy services are considered to be proxy nodes, Getting started
gost can handle the request itself, or forward the request to any one or more proxy nodes.
Ubuntu Store
------
Gost has been released in ubuntu store, and can be installed directly through the `snap` in ubuntu 16.04:
```bash
$ sudo snap install gost
```
Parameter Description
------ ------
#### Proxy and proxy chain
Effective for the -L and -F parameters
```bash
[scheme://][user:pass@host]:port
```
scheme can be divided into two parts: protocol+transport
protocol: proxy protocol types (http, socks4(a), socks5, ss),
transport: data transmission mode (ws, wss, tls, quic, kcp, ssh, h2, h2c, obfs4), may be used in any combination or individually:
> http - standard HTTP proxy: http://:8080
> https - standard HTTPS proxy (may need to provide a trusted certificate): http+tls://:443 or https://:443
> http2 - HTTP2 proxy and backwards-compatible with HTTPS proxy: http2://:443
> h2 - HTTP2 h2 tunnel: h2://:443
> h2c - HTTP2 h2c tunnel: h2c://:443
> socks4(a) - standard SOCKS4(A) proxy: socks4://:1080 or socks4a://:1080
> socks5 - standard SOCKS5 proxy: socks5://:1080
> socks5+wss - SOCKS5 over websocket: socks5+wss://:1080
> tls - HTTPS/SOCKS5 over TLS: tls://:443
> ss - standard shadowsocks proxy: ss://chacha20:123456@:8338
> ssu - shadowsocks UDP relay server: ssu://chacha20:123456@:8338
> quic - QUIC tunnel: quic://:6121
> kcp - KCP tunnel: kcp://:8388
> redirect - transparent proxy: redirect://:12345
> ssh - SSH proxy tunnel: ssh://:2222, SSH forward tunnel: forward+ssh://:2222
> obfs4 - obfs4 tunnel: obfs4://:8080
#### Port forwarding
Effective for the -L parameter
```bash
scheme://[bind_address]:port/[host]:hostport
```
> scheme - forward mode, local: tcp, udp; remote: rtcp, rudp
> bind_address:port - local/remote binding address
> host:hostport - target address
#### Configuration file
Contributed by [@septs](https://github.com/septs).
> -C : specifies the configuration file path
The configuration file is in standard JSON format:
```json
{
"ServeNodes": [
":8080",
"ss://chacha20:12345678@:8338"
],
"ChainNodes": [
"http://192.168.1.1:8080",
"https://10.0.2.1:443"
],
"Debug": true
}
```
`ServeNodes` is equivalent to the `-L` parameter, `ChainNodes` is equivalent to the `-F` parameter, `Debug` is equivalent to the `-D` parameter.
Usage
------
#### No forward proxy #### No forward proxy
<img src="https://ginuerzh.github.io/images/gost_01.png" /> <img src="https://ginuerzh.github.io/images/gost_01.png" />
* Standard HTTP/SOCKS5 proxy * Standard HTTP/SOCKS5 proxy
```bash ```bash
gost -L=:8080 gost -L=:8080
``` ```
* Proxy authentication * Proxy authentication
```bash ```bash
gost -L=admin:123456@localhost:8080 gost -L=admin:123456@localhost:8080
``` ```
* Multiple sets of authentication information * Multiple sets of authentication information
```bash ```bash
gost -L=localhost:8080?secrets=secrets.txt gost -L=localhost:8080?secrets=secrets.txt
``` ```
The secrets parameter allows you to set multiple authentication information for HTTP/SOCKS5 proxies, the format is: The secrets parameter allows you to set multiple authentication information for HTTP/SOCKS5 proxies, the format is:
```plain ```plain
# username password # username password
...@@ -154,6 +63,7 @@ test002 12345678 ...@@ -154,6 +63,7 @@ test002 12345678
``` ```
* Listen on multiple ports * Listen on multiple ports
```bash ```bash
gost -L=http2://:443 -L=socks5://:1080 -L=ss://aes-128-cfb:123456@:8338 gost -L=http2://:443 -L=socks5://:1080 -L=ss://aes-128-cfb:123456@:8338
``` ```
...@@ -167,6 +77,7 @@ gost -L=:8080 -F=192.168.1.1:8081 ...@@ -167,6 +77,7 @@ gost -L=:8080 -F=192.168.1.1:8081
``` ```
* Forward proxy authentication * Forward proxy authentication
```bash ```bash
gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081 gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081
``` ```
...@@ -178,6 +89,7 @@ gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081 ...@@ -178,6 +89,7 @@ gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081
```bash ```bash
gost -L=:8080 -F=quic://192.168.1.1:6121 -F=socks5+wss://192.168.1.2:1080 -F=http2://192.168.1.3:443 ... -F=a.b.c.d:NNNN gost -L=:8080 -F=quic://192.168.1.1:6121 -F=socks5+wss://192.168.1.2:1080 -F=http2://192.168.1.3:443 ... -F=a.b.c.d:NNNN
``` ```
Gost forwards the request to a.b.c.d:NNNN through the proxy chain in the order set by -F, Gost forwards the request to a.b.c.d:NNNN through the proxy chain in the order set by -F,
each forward proxy can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type. each forward proxy can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type.
...@@ -186,6 +98,7 @@ each forward proxy can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type. ...@@ -186,6 +98,7 @@ each forward proxy can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type.
```bash ```bash
gost -L=tcp://:2222/192.168.1.1:22 [-F=...] gost -L=tcp://:2222/192.168.1.1:22 [-F=...]
``` ```
The data on the local TCP port 2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH forwad tunnel, then gost will use the local port forwarding function of SSH directly: The data on the local TCP port 2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH forwad tunnel, then gost will use the local port forwarding function of SSH directly:
```bash ```bash
...@@ -197,6 +110,7 @@ gost -L=tcp://:2222/192.168.1.1:22 -F forward+ssh://:2222 ...@@ -197,6 +110,7 @@ gost -L=tcp://:2222/192.168.1.1:22 -F forward+ssh://:2222
```bash ```bash
gost -L=udp://:5353/192.168.1.1:53?ttl=60 [-F=...] gost -L=udp://:5353/192.168.1.1:53?ttl=60 [-F=...]
``` ```
The data on the local UDP port 5353 is forwarded to 192.168.1.1:53 (through the proxy chain). The data on the local UDP port 5353 is forwarded to 192.168.1.1:53 (through the proxy chain).
Each forwarding channel has a timeout period. When this time is exceeded and there is no data interaction during this time period, the channel will be closed. The timeout value can be set by the `ttl` parameter. The default value is 60 seconds. Each forwarding channel has a timeout period. When this time is exceeded and there is no data interaction during this time period, the channel will be closed. The timeout value can be set by the `ttl` parameter. The default value is 60 seconds.
...@@ -207,6 +121,7 @@ Each forwarding channel has a timeout period. When this time is exceeded and the ...@@ -207,6 +121,7 @@ Each forwarding channel has a timeout period. When this time is exceeded and the
```bash ```bash
gost -L=rtcp://:2222/192.168.1.1:22 [-F=... -F=socks5://172.24.10.1:1080] gost -L=rtcp://:2222/192.168.1.1:22 [-F=... -F=socks5://172.24.10.1:1080]
``` ```
The data on 172.24.10.1:2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH tunnel, then gost will use the remote port forwarding function of SSH directly: The data on 172.24.10.1:2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH tunnel, then gost will use the remote port forwarding function of SSH directly:
```bash ```bash
...@@ -218,44 +133,60 @@ gost -L=rtcp://:2222/192.168.1.1:22 -F forward+ssh://:2222 ...@@ -218,44 +133,60 @@ gost -L=rtcp://:2222/192.168.1.1:22 -F forward+ssh://:2222
```bash ```bash
gost -L=rudp://:5353/192.168.1.1:53?ttl=60 [-F=... -F=socks5://172.24.10.1:1080] gost -L=rudp://:5353/192.168.1.1:53?ttl=60 [-F=... -F=socks5://172.24.10.1:1080]
``` ```
The data on 172.24.10.1:5353 is forwarded to 192.168.1.1:53 (through the proxy chain). The data on 172.24.10.1:5353 is forwarded to 192.168.1.1:53 (through the proxy chain).
Each forwarding channel has a timeout period. When this time is exceeded and there is no data interaction during this time period, the channel will be closed. The timeout value can be set by the `ttl` parameter. The default value is 60 seconds. Each forwarding channel has a timeout period. When this time is exceeded and there is no data interaction during this time period, the channel will be closed. The timeout value can be set by the `ttl` parameter. The default value is 60 seconds.
**NOTE:** When forwarding UDP data, if there is a proxy chain, the end of the chain (the last -F parameter) must be gost SOCKS5 proxy, gost will use UDP-over-TCP to forward data. **NOTE:** When forwarding UDP data, if there is a proxy chain, the end of the chain (the last -F parameter) must be gost SOCKS5 proxy, gost will use UDP-over-TCP to forward data.
#### HTTP2 #### HTTP2
Gost HTTP2 supports two modes: Gost HTTP2 supports two modes:
* As a standard HTTP2 proxy, and backwards-compatible with the HTTPS proxy. * As a standard HTTP2 proxy, and backwards-compatible with the HTTPS proxy.
* As a transport tunnel. * As a transport tunnel.
##### Standard proxy ##### Standard proxy
Server: Server:
```bash ```bash
gost -L=http2://:443 gost -L=http2://:443
``` ```
Client: Client:
```bash ```bash
gost -L=:8080 -F=http2://server_ip:443?ping=30 gost -L=:8080 -F=http2://server_ip:443?ping=30
``` ```
##### Tunnel ##### Tunnel
服务端:
Server:
```bash ```bash
gost -L=h2://:443 gost -L=h2://:443
``` ```
客户端:
Client:
```bash ```bash
gost -L=:8080 -F=h2://server_ip:443 gost -L=:8080 -F=h2://server_ip:443
``` ```
#### QUIC #### QUIC
Support for QUIC is based on library [quic-go](https://github.com/lucas-clemente/quic-go). Support for QUIC is based on library [quic-go](https://github.com/lucas-clemente/quic-go).
Server: Server:
```bash ```bash
gost -L=quic://:6121 gost -L=quic://:6121
``` ```
Client: Client:
```bash ```bash
gost -L=:8080 -F=quic://server_ip:6121 gost -L=:8080 -F=quic://server_ip:6121
``` ```
...@@ -266,16 +197,20 @@ gost -L=:8080 -F=quic://server_ip:6121 ...@@ -266,16 +197,20 @@ gost -L=:8080 -F=quic://server_ip:6121
Support for KCP is based on libraries [kcp-go](https://github.com/xtaci/kcp-go) and [kcptun](https://github.com/xtaci/kcptun). Support for KCP is based on libraries [kcp-go](https://github.com/xtaci/kcp-go) and [kcptun](https://github.com/xtaci/kcptun).
Server: Server:
```bash ```bash
gost -L=kcp://:8388 gost -L=kcp://:8388
``` ```
Client: Client:
```bash ```bash
gost -L=:8080 -F=kcp://server_ip:8388 gost -L=:8080 -F=kcp://server_ip:8388
``` ```
Gost will automatically load kcp.json configuration file from current working directory if exists, Gost will automatically load kcp.json configuration file from current working directory if exists,
or you can use the parameter to specify the path to the file. or you can use the parameter to specify the path to the file.
```bash ```bash
gost -L=kcp://:8388?c=/path/to/conf/file gost -L=kcp://:8388?c=/path/to/conf/file
``` ```
...@@ -283,27 +218,36 @@ gost -L=kcp://:8388?c=/path/to/conf/file ...@@ -283,27 +218,36 @@ gost -L=kcp://:8388?c=/path/to/conf/file
**NOTE:** KCP node can only be used as the first node of the proxy chain. **NOTE:** KCP node can only be used as the first node of the proxy chain.
#### SSH #### SSH
Gost SSH supports two modes: Gost SSH supports two modes:
* As a forward tunnel, used by local/remote TCP port forwarding. * As a forward tunnel, used by local/remote TCP port forwarding.
* As a transport tunnel. * As a transport tunnel.
##### Forward tunnel ##### Forward tunnel
Server: Server:
```bash ```bash
gost -L=forward+ssh://:2222 gost -L=forward+ssh://:2222
``` ```
Client: Client:
```bash ```bash
gost -L=rtcp://:1222/:22 -F=forward+ssh://server_ip:2222 gost -L=rtcp://:1222/:22 -F=forward+ssh://server_ip:2222
``` ```
##### Transport tunnel ##### Transport tunnel
Server: Server:
```bash ```bash
gost -L=ssh://:2222 gost -L=ssh://:2222
``` ```
Client: Client:
```bash ```bash
gost -L=:8080 -F=ssh://server_ip:2222?ping=60 gost -L=:8080 -F=ssh://server_ip:2222?ping=60
``` ```
...@@ -322,48 +266,61 @@ gost -L=redirect://:12345 -F=http2://server_ip:443 ...@@ -322,48 +266,61 @@ gost -L=redirect://:12345 -F=http2://server_ip:443
Contributed by [@isofew](https://github.com/isofew). Contributed by [@isofew](https://github.com/isofew).
Server: Server:
```bash ```bash
gost -L=obfs4://:443 gost -L=obfs4://:443
``` ```
When the server is running normally, the console prints out the connection address for the client to use: When the server is running normally, the console prints out the connection address for the client to use:
```
```bash
obfs4://:443/?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0 obfs4://:443/?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0
``` ```
Client: Client:
```
```bash
gost -L=:8888 -F='obfs4://server_ip:443?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0' gost -L=:8888 -F='obfs4://server_ip:443?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0'
``` ```
Encryption Mechanism Encryption Mechanism
------ ------
#### HTTP #### HTTP
For HTTP, you can use TLS to encrypt the entire communication process, the HTTPS proxy: For HTTP, you can use TLS to encrypt the entire communication process, the HTTPS proxy:
Server: Server:
```bash ```bash
gost -L=http+tls://:443 gost -L=http+tls://:443
``` ```
Client: Client:
```bash ```bash
gost -L=:8080 -F=http+tls://server_ip:443 gost -L=:8080 -F=http+tls://server_ip:443
``` ```
#### HTTP2 #### HTTP2
Gost HTTP2 proxy mode only supports the use of TLS encrypted HTTP2 protocol, does not support plaintext HTTP2. Gost HTTP2 proxy mode only supports the use of TLS encrypted HTTP2 protocol, does not support plaintext HTTP2.
Gost HTTP2 tunnel mode supports both encryption (h2) and plaintext (h2c) modes. Gost HTTP2 tunnel mode supports both encryption (h2) and plaintext (h2c) modes.
#### SOCKS5 #### SOCKS5
Gost supports the standard SOCKS5 protocol methods: no-auth (0x00) and user/pass (0x02), Gost supports the standard SOCKS5 protocol methods: no-auth (0x00) and user/pass (0x02),
and extends two methods for data encryption: tls(0x80) and tls-auth(0x82). and extends two methods for data encryption: tls(0x80) and tls-auth(0x82).
Server: Server:
```bash ```bash
gost -L=socks://:1080 gost -L=socks://:1080
``` ```
Client: Client:
```bash ```bash
gost -L=:8080 -F=socks://server_ip:1080 gost -L=:8080 -F=socks://server_ip:1080
``` ```
...@@ -375,95 +332,48 @@ Otherwise, use standard SOCKS5 for communication (no-auth or user/pass). ...@@ -375,95 +332,48 @@ Otherwise, use standard SOCKS5 for communication (no-auth or user/pass).
Support for shadowsocks is based on library [shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go). Support for shadowsocks is based on library [shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go).
Server: Server:
```bash ```bash
gost -L=ss://aes-128-cfb:123456@:8338 gost -L=ss://aes-128-cfb:123456@:8338
``` ```
Client: Client:
```bash ```bash
gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338 gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338
``` ```
##### Shadowsocks UDP relay ##### Shadowsocks UDP relay
Currently, only the server supports UDP Relay. Currently, only the server supports UDP Relay.
Server: Server:
```bash ```bash
gost -L=ssu://aes-128-cfb:123456@:8338 gost -L=ssu://aes-128-cfb:123456@:8338
``` ```
#### TLS #### TLS
There is built-in TLS certificate in gost, if you need to use other TLS certificate, there are two ways: There is built-in TLS certificate in gost, if you need to use other TLS certificate, there are two ways:
* Place two files cert.pem (public key) and key.pem (private key) in the current working directory, gost will automatically load them. * Place two files cert.pem (public key) and key.pem (private key) in the current working directory, gost will automatically load them.
* Use the parameter to specify the path to the certificate file: * Use the parameter to specify the path to the certificate file:
```bash ```bash
gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file" gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"
``` ```
Client can specify `secure` parameter to perform server's certificate chain and host name verification: Client can specify `secure` parameter to perform server's certificate chain and host name verification:
```bash ```bash
gost -L=:8080 -F="http2://server_domain_name:443?secure=true" gost -L=:8080 -F="http2://server_domain_name:443?secure=true"
``` ```
Client can specify a CA certificate to allow for [Certificate Pinning](https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning): Client can specify a CA certificate to allow for [Certificate Pinning](https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning):
```bash
gost -L=:8080 -F="http2://:443?ca=ca.pem"
```
Certificate Pinning is contributed by [@sheerun](https://github.com/sheerun).
SOCKS5 UDP Data Processing
------
#### No forward proxy
<img src="https://ginuerzh.github.io/images/udp01.png" height=100 />
Gost acts as the standard SOCKS5 proxy for UDP relay.
#### Forward proxy
<img src="https://ginuerzh.github.io/images/udp02.png" height=100 />
#### Multi-level forward proxy
<img src="https://ginuerzh.github.io/images/udp03.png" height=200 />
When forward proxies are set, gost uses UDP-over-TCP to forward UDP data, proxy1 to proxyN can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type.
Permission control
------
Contributed by [@sheerun](https://github.com/sheerun).
One can pass available permissions with `whitelist` and `blacklist` values when starting a socks and ssh server. The format for each rule is as follows: `[actions]:[hosts]:[ports]`.
`[actions]` are comma-separted list of allowed actions: `rtcp`, `rudp`, `tcp`, `udp`. can be `*` to encompass all actions.
`[hosts]` are comma-separated list of allowed hosts that one can bind on (in case of `rtcp` and `rudp`), or forward to (incase of `tcp` and `udp`). hosts support globs, like `*.google.com`. can be `*` to encompass all hosts.
`[ports]` are comma-separated list of ports that one can bind to (in case of `rtcp` and `rudp`), or forward to (incase of `tcp` and `udp`), can be `*` to encompass all ports.
Multiple permissions can be passed if seperated with `+`:
`rtcp,rudp:localhost,127.0.0.1:2222,8000-9000+udp:8.8.8.8,8.8.4.4:53` (allow for reverse tcp and udp binding on localhost and 127.0.0.1 on ports 2222 and 8000-9000 port range, plus allow for udp forwarding to 8.8.8.8 and 8.8.4.4 on port 53)
SSH remote port forwarding can only bind on 127.0.0.1:8000
```bash
gost -L=forward+ssh://localhost:8389?whitelist=rtcp:127.0.0.1:8000
```
SOCKS5 TCP/UDP remote port forwarding can only bind on ports greater than 1000
```bash
gost -L=socks://localhost:8389?blacklist=rtcp,rudp:*:0-1000
```
SOCKS5 UDP forwading can only forward to 8.8.8.8:53
```bash ```bash
gost -L=socks://localhost:8389?whitelist=udp:8.8.8.8:53 gost -L=:8080 -F="http2://:443?ca=ca.pem"
``` ```
Limitation Certificate Pinning is contributed by [@sheerun](https://github.com/sheerun).
------
The HTTP proxy node in the proxy chain must support the CONNECT method.
If the BIND and UDP requests for SOCKS5 are to be forwarded, the end of the chain (the last -F parameter) must be the gost SOCKS5 proxy.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment