update v0.7.4 for anylink

2022-04-07 16:33:16 +08:00 · 2022-04-07 16:33:16 +08:00 · 91da95b99f
parent 7ec38db0ef
commit 91da95b99f
10 changed files with 8707 additions and 12229 deletions
--- a/anylink/Dockerfile
+++ b/anylink/Dockerfile
@ -1,14 +1,14 @@
 # web
 FROM node:lts-alpine as builder_node
-ENV VERSION 0.7.3
+ENV VERSION 0.7.4
 WORKDIR /web
 COPY ./web /web
-RUN npm install --registry=https://registry.npm.taobao.org \
-    && npm run build \
+RUN yarn install \
+    && yarn run build \
    && ls /web/ui

 # server
-FROM golang:1.16-alpine as builder_golang
+FROM golang:1.17-alpine as builder_golang
 #TODO 本地打包时使用镜像
 ENV GOPROXY=https://goproxy.io
 ENV GOOS=linux
--- a/anylink/README.md
+++ b/anylink/README.md
@ -8,6 +8,7 @@ Docker [stilleshan/anylink](https://hub.docker.com/r/stilleshan/anylink)
 基于 [bjdgyc/anylink](https://github.com/bjdgyc/anylink) 项目的 docker 镜像.

 ## 更新
+- **2022-04-07** 更新`0.7.4`版 docker 镜像.
 - **2022-02-16** 更新`0.7.3`版 docker 镜像.
 - **2021-12-31** 更新`0.7.2`版 docker 镜像.
 - **2021-12-29** 更新`0.7.1`版 docker 镜像.
--- a/anylink/build.sh
+++ b/anylink/build.sh
@ -16,9 +16,13 @@ echo "编译前端项目"
 cd $cpath/web
 #国内可替换源加快速度
 #npx browserslist@latest --update-db
-npm install --registry=https://registry.npm.taobao.org
+#npm install --registry=https://registry.npm.taobao.org
 #npm install
-npm run build
+#npm run build
+
+yarn install
+yarn run build
+
 RETVAL $?

 echo "编译二进制文件"
--- a/anylink/server/admin/server.go
+++ b/anylink/server/admin/server.go
@ -2,6 +2,7 @@
 package admin

 import (
+	"crypto/tls"
 	"embed"
 	"net/http"
 	"net/http/pprof"
@ -69,7 +70,25 @@ func StartAdmin() {
 	}

 	base.Info("Listen admin", base.Cfg.AdminAddr)
-	err := http.ListenAndServeTLS(base.Cfg.AdminAddr, base.Cfg.CertFile, base.Cfg.CertKey, r)
+
+	// 修复 CVE-2016-2183
+	cipherSuites := tls.CipherSuites()
+	selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
+	for _, s := range cipherSuites {
+		selectedCipherSuites = append(selectedCipherSuites, s.ID)
+	}
+	// 设置tls信息
+	tlsConfig := &tls.Config{
+		NextProtos:   []string{"http/1.1"},
+		MinVersion:   tls.VersionTLS12,
+		CipherSuites: selectedCipherSuites,
+	}
+	srv := &http.Server{
+		Addr:      base.Cfg.AdminAddr,
+		Handler:   r,
+		TLSConfig: tlsConfig,
+	}
+	err := srv.ListenAndServeTLS(base.Cfg.CertFile, base.Cfg.CertKey)
 	if err != nil {
 		base.Fatal(err)
 	}
--- a/anylink/server/base/app_ver.go
+++ b/anylink/server/base/app_ver.go
@ -2,6 +2,6 @@ package base

 const (
 	APP_NAME = "AnyLink"
-	// 修复前端bug
-	APP_VER = "0.7.3"
+	// 修复 CVE-2016-2183
+	APP_VER = "0.7.4"
 )
--- a/anylink/server/dbdata/db.go
+++ b/anylink/server/dbdata/db.go
@ -111,7 +111,7 @@ func addInitData() error {
 		Name:         "ops",
 		AllowLan:     true,
 		ClientDns:    []ValData{{Val: "114.114.114.114"}},
-		RouteInclude: []ValData{{Val: "10.0.0.0/8"}},
+		RouteInclude: []ValData{{Val: All}},
 	}
 	err = SetGroup(&g1)
 	if err != nil {
--- a/anylink/server/handler/server.go
+++ b/anylink/server/handler/server.go
@ -19,11 +19,8 @@ func startTls() {
 	var (
 		err error

-		addr     = base.Cfg.ServerAddr
-		certFile = base.Cfg.CertFile
-		keyFile  = base.Cfg.CertKey
-		certs    = make([]tls.Certificate, 1)
-		ln       net.Listener
+		addr = base.Cfg.ServerAddr
+		ln   net.Listener
 	)

 	// 判断证书文件
@ -36,16 +33,20 @@ func startTls() {
 	//	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
 	// }

-	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		panic(err)
+	// 修复 CVE-2016-2183
+	// https://segmentfault.com/a/1190000038486901
+	// nmap -sV --script ssl-enum-ciphers -p 443 www.example.com
+	cipherSuites := tls.CipherSuites()
+	selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
+	for _, s := range cipherSuites {
+		selectedCipherSuites = append(selectedCipherSuites, s.ID)
 	}

 	// 设置tls信息
 	tlsConfig := &tls.Config{
 		NextProtos:   []string{"http/1.1"},
 		MinVersion:   tls.VersionTLS12,
-		Certificates: certs,
+		CipherSuites: selectedCipherSuites,
 		// InsecureSkipVerify: true,
 	}
 	srv := &http.Server{
@ -66,7 +67,7 @@ func startTls() {
 	}

 	base.Info("listen server", addr)
-	err = srv.ServeTLS(ln, "", "")
+	err = srv.ServeTLS(ln, base.Cfg.CertFile, base.Cfg.CertKey)
 	if err != nil {
 		base.Fatal(err)
 	}
--- a/anylink/server/sessdata/protocol.go
+++ b/anylink/server/sessdata/protocol.go
@ -14,7 +14,7 @@ type Payload struct {
 }

 /*
-   var header = []byte{'S', 'T', 'F', 0x01, 0, 0, 0x00, 0}
+   var header = []byte{'S', 'T', 'F', 0x01, 0, 0, 0x07, 0}
   https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-02#section-2.2

   +---------------------+---------------------------------------------+
--- a/anylink/web/package-lock.json
+++ b/anylink/web/package-lock.json
--- a/anylink/web/yarn.lock
+++ b/anylink/web/yarn.lock