Review-only: naive vs klzgrad/forwardproxy#2
Closed
aUsernameWoW wants to merge 26 commits into
This backward compatibility is no longer necessary after one year. This reverts commit 9b4a5a2.
The paddings sent by naive forwardproxy are not initialized and contain garbage. Make it zeros.
Fixes caddyserver#170
- Update `dial_timeout` example to use duration unit (30s)
- Change parameter type from [integer] to [Duration] to match Go type
- Update description to clarify duration unit requirement

This change makes the documentation more accurate and consistent with Go's time.Duration type usage.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
…nflicts in forwardproxy.go
- Synced code with upstream naive branch where possible
- Fixed UoT (UDP over TCP) functionality to be compatible with the latest version of github.com/sagernet/sing/common/uot
  - Replaced uot.UOTMagicAddress with uot.MagicAddress and uot.LegacyMagicAddress
  - Updated uot.NewServerConn call to match the new API
- Added github.com/sagernet/sing/common/uot as a dependency

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/golang/glog](https://github.com/golang/glog) from 1.2.0 to 1.2.4. - [Release notes](https://github.com/golang/glog/releases) - [Commits](golang/glog@v1.2.0...v1.2.4) --- updated-dependencies: - dependency-name: github.com/golang/glog dependency-version: 1.2.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
The UoT short-circuit at the top of dialContextCheckACL was unconditional, so even when an upstream proxy was set the resulting UDP packets always came out of this process's local socket — silently bypassing whatever filtering / auditing the upstream was meant to provide. Now: socks5 upstream uses sing's UDP ASSOCIATE client; HTTP CONNECT upstream returns 502 since CONNECT cannot tunnel UDP; no upstream keeps the original direct net.ListenUDP path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit 5a37bef)
Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.44.0 to 0.49.1. - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.44.0...v0.49.1) --- updated-dependencies: - dependency-name: github.com/quic-go/quic-go dependency-version: 0.49.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit bb364cc)
(cherry picked from commit 0aab84d)
The server hardcoded uot.Version (= 2) regardless of which magic the client connected with, so v1 clients hitting LegacyMagicAddress would desync — sing's v2 server reads a request header up front, while v1 has no such header. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adapted from f92c1a3 ("add UDP in HTTP"), reverted by e212ae9 in favour of sing UoT. Brought back as a standalone handler in masque_udp.go so MASQUE coexists with UoT instead of replacing it.
- ServeHTTP dispatches connect-udp via tryUDPoverHTTP before the regular CONNECT path; non-MASQUE requests fall through unchanged.
- Supports HTTP/1.1 Upgrade, HTTP/2 extended CONNECT, and HTTP/3 with native QUIC DATAGRAM per RFC 9298 sec. 5.
- Caddyfile: new optional `udp_uri_template` directive (default `.well-known/masque/udp/{target_host}/{target_port}/`).
- New dep: github.com/dunglas/httpsfv (Capsule-Protocol header).
- API drift fixed: quic-go http3.HTTPStream() now returns Stream (interface), not *Stream.

Also un-breaks forwardproxy_udp_test.go / mock_stream_test.go that were left orphaned by the e212ae9 revert.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
quic-go v0.54 changed http3.Stream from an interface to a struct with pointer-receiver Read, breaking xcaddy builds that resolve caddy/v2 >= 2.10 transitively. Replace the by-value http3.Stream parameters in HandlePacket/HandlePacketBind with a focused http3UDPStream interface (io.Reader + SendDatagram + ReceiveDatagram), which both *http3.Stream and the gomock MockStream satisfy. Bumps caddy/v2 0.8.4 -> 2.10.2 and quic-go 0.49.1 -> 0.54.0 so local go build/vet/tests run against the same API. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When the SOCKS5 upstream is itself UoT-aware (in practice: sing-box and other sing-based tools), the default decode-locally-then-UDP-ASSOCIATE round-trip is wasted work — the magic-address framing only has to be parsed at one end of the chain. The new `passthrough_uot` Caddyfile directive (`PassthroughUoT` JSON field) opts out of the local decode so the sing magic-address CONNECT is forwarded to the upstream as-is.
- Gated on a socks/socks5 upstream; Provision rejects the combo with any other scheme, or with no upstream at all.
- When enabled, the socks UDP client isn't built at provision time and the dialContextCheckACL magic-address branch is skipped — the request falls through to the regular upstream dial.
- Defaults to off, so existing setups are unaffected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous commit let the magic-address CONNECT (sp.v2.udp-over-tcp.arpa:0) fall through to h.dialContext, which is the stdlib golang.org/x/net SOCKS5 dialer. That dialer enforces 1 <= port <= 0xffff, so naive's port-0 UoT target was rejected with "socks connect tcp: port number out of range 0" and the proxy returned 502. Route the passthrough CONNECT through sing's socks.Client (which doesn't validate port range) instead. The client is now built unconditionally when the upstream is socks/socks5, since it carries both UDP ASSOCIATE and the new passthrough TCP CONNECT. Field renamed socksUDPClient -> socksClient to match its expanded role. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
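
Added example, not code from this PR or from forwardproxy: a Go model of the UoT routing rules the commit messages above describe (no local UDP socket when an upstream is set, UoT version chosen from the magic address, `passthrough_uot` valid only with a socks upstream). The function names, the action strings and the legacy magic hostname are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// UoT magic hostnames and the version each implies. The v2 name is quoted in
// the commit messages; the legacy name is assumed from sing's uot package.
var uotVersion = map[string]int{
	"sp.v2.udp-over-tcp.arpa": 2,
	"sp.udp-over-tcp.arpa":    1, // v1 has no request header; reading one desyncs
}

type route struct {
	Action  string // what the proxy does with the CONNECT
	Version int    // UoT version decoded locally, 0 if nothing is decoded
}

// validate mirrors the described Provision rule for passthrough_uot.
func validate(upstream string, passthrough bool) error {
	if passthrough && upstream != "socks" && upstream != "socks5" {
		return errors.New("passthrough_uot requires a socks/socks5 upstream")
	}
	return nil
}

// decide routes a CONNECT target ("host:port"); upstream "" means no upstream.
func decide(target, upstream string, passthrough bool) route {
	host, _, _ := net.SplitHostPort(target) // host is "" on a malformed target
	version, isUoT := uotVersion[host]
	switch {
	case !isUoT:
		return route{Action: "tcp-dial"} // regular CONNECT path
	case upstream == "":
		return route{Action: "direct-udp", Version: version}
	case upstream != "socks" && upstream != "socks5":
		return route{Action: "reject-502"} // HTTP CONNECT cannot tunnel UDP
	case passthrough:
		return route{Action: "socks-passthrough"} // magic CONNECT forwarded as-is
	}
	return route{Action: "socks-udp-associate", Version: version}
}

func main() {
	fmt.Println(decide("sp.v2.udp-over-tcp.arpa:0", "https", false))
}
```
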
Temporary draft PR opened solely to give /ultrareview a diff base.
- Base (`klzgrad-base`): snapshot of klzgrad/forwardproxy HEAD at the time of opening (commit d62c80d).
- Head (`naive`): this fork's working branch.
- Contents: the 26 commits this fork carries on top of klzgrad/forwardproxy — historical merges from SagerNet/upstream, dependabot bumps, UoT/MASQUE work, and the recent passthrough_uot toggle.
Not intended to be merged. Will be closed and the base branch deleted after review.