From 233242d3604a6809aba168a42b205d37fe505ef9 Mon Sep 17 00:00:00 2001 From: ginuerzh Date: Sat, 18 Nov 2023 19:30:02 +0800 Subject: [PATCH] add limiter plugin --- docs/concepts/auth.md | 2 +- docs/concepts/bypass.md | 5 +- docs/concepts/limiter.md | 89 ++++++++++++++++++++++++++++++++++-- docs/tutorials/tuntap.md | 89 ++++++++++++++++++------------------ en/docs/concepts/bypass.md | 4 ++ en/docs/concepts/limiter.md | 91 +++++++++++++++++++++++++++++++++++-- en/docs/tutorials/tuntap.md | 88 +++++++++++++++++------------------ 7 files changed, 273 insertions(+), 95 deletions(-) diff --git a/docs/concepts/auth.md b/docs/concepts/auth.md index 34aa6a3..93a2cbc 100644 --- a/docs/concepts/auth.md +++ b/docs/concepts/auth.md @@ -318,4 +318,4 @@ curl -XPOST http://127.0.0.1:8000/auth -d '{"username":"gost", "password":"gost" : 客户端地址 `id` (string) -: 插件服务可选择性返回的用户ID标识,此信息会传递给后续的其他插件服务(分流器,主机IP映射器,域名解析器)用于用户身份标识。 \ No newline at end of file +: 插件服务可选择性返回的用户ID标识,此信息会传递给后续的其他插件服务(分流器,主机IP映射器,域名解析器,限制器等)用于用户身份标识。 \ No newline at end of file diff --git a/docs/concepts/bypass.md b/docs/concepts/bypass.md index 086289b..b913d41 100644 --- a/docs/concepts/bypass.md +++ b/docs/concepts/bypass.md @@ -493,4 +493,7 @@ curl -XPOST http://127.0.0.1:8000/bypass -d '{"addr": "example.com:80", "client" ``` `client` (string) -: 用户身份标识,此信息由认证器插件服务生成。 \ No newline at end of file +: 用户身份标识,此信息由认证器插件服务生成。 + +!!! tip "基于用户标识的分流" + GOST内部的分流器逻辑未处理针对特定用户的分流逻辑,如果需要实现此功能需要组合使用认证器插件和分流器插件。认证器插件在认证成功后返回用户标识,GOST会将此用户标识信息再次传递给分流器插件服务,分流器插件服务就可以根据用户标识来做不同的分流策略。 \ No newline at end of file diff --git a/docs/concepts/limiter.md b/docs/concepts/limiter.md index 9d2ccc4..c138a2a 100644 --- a/docs/concepts/limiter.md +++ b/docs/concepts/limiter.md @@ -13,7 +13,7 @@ === "命令行" - ``` + ```bash gost -L ":8080?limiter.in=100MB&limiter.out=100MB&limiter.conn.in=10MB&limiter.conn.out=10MB" ``` @@ -55,7 +55,7 @@ === "命令行" - ``` + ```bash gost -L ":8080?rlimiter=10" ``` 
@@ -95,7 +95,7 @@ === "命令行" - ``` + ```bash gost -L ":8080?climiter=1000" ``` @@ -390,3 +390,86 @@ limiters: url: http://127.0.0.1:8000 timeout: 10s ``` + +## 插件 + +对于流量速率限制器可以配置为使用外部[插件](/concepts/plugin/)服务,限制器会将查询请求转发给插件服务处理。当使用插件时其他参数无效。 + +```yaml +limiters: +- name: limiter-0 + plugin: + type: grpc + # type: http + addr: 127.0.0.1:8000 + tls: + secure: false + serverName: example.com +``` + +`addr` (string, required) +: 插件服务地址 + +`tls` (duration, default=null) +: 设置后将使用TLS加密传输,默认不使用TLS加密。 + +### HTTP插件 + +```yaml +ingresses: +- name: limiter-0 + plugin: + type: http + addr: http://127.0.0.1:8000/limiter +``` + +#### 请求示例 + +```bash +curl -XPOST http://127.0.0.1:8000/limiter \ +-d'{"network":"tcp","addr":"example.com:443","client":"gost","src":"192.168.1.1:12345"}' +``` + +```json +{"in":1048576, "out":524288} +``` + +`network` (string, default=ip4) +: 网络地址类型:`tcp`,`udp`. + +`addr` (string) +: 请求目标地址 + +`client` (string) +: 用户身份标识,此信息由认证器插件服务生成。 + +`src` (string) +: 客户端地址 + +`in` (int64) +: 入站速率(bytes/s) + +`out` (int64) +: 出站速率(bytes/s) + +## 处理器(Handler)上的限制器 + +对于代理服务(HTTP,HTTP2,SOCKS4,SOCKS5,Relay),流量速率限制器也可以用处理器上。 + +```yaml hl_lines="6" +services: +- name: service-0 + addr: ":8080" + handler: + type: http + limiter: limiter-0 + listener: + type: tcp +limiters: +- name: limiter-0 + plugin: + addr: 127.0.0.1:8000 +``` + +!!! tip "基于用户标识的限流" + GOST内部的限制器逻辑未处理针对特定用户的流量限制,如果需要实现此功能需要组合使用认证器插件和处理器上的限制器插件。认证器插件在认证成功后返回用户标识,GOST会将此用户标识信息再次传递给限制器插件服务,限制器插件服务就可以根据用户标识来做不同的限流配置。 \ No newline at end of file diff --git a/docs/tutorials/tuntap.md b/docs/tutorials/tuntap.md index 3b5b20e..78a042c 100644 --- a/docs/tutorials/tuntap.md +++ b/docs/tutorials/tuntap.md @@ -11,7 +11,7 @@ TUN的实现依赖于[wireguard-go](https://git.zx2c4.com/wireguard-go)。 ### 使用说明 -``` +```bash gost -L="tun://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&mtu=1350&route=10.100.0.0/16&gw=192.168.123.1" ``` 
@@ -42,10 +42,10 @@ gost -L="tun://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&m `peer` (string) : 对端IP地址,仅MacOS系统有效 -`bufferSize` (int) +`buffersize` (int) : 数据读缓存区大小,默认1500字节 -`keepAlive` (bool) +`keepalive` (bool) : 开启心跳,仅客户端有效 `ttl` (duration) @@ -56,11 +56,11 @@ gost -L="tun://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&m ### 使用示例 -#### 服务端 +**服务端** === "命令行" - ``` + ```bash gost -L=tun://:8421?net=192.168.123.1/24 ``` @@ -82,17 +82,17 @@ gost -L="tun://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&m mtu: 1350 ``` -#### 客户端 +**客户端** === "命令行(Linux/Windows)" - ``` + ```bash gost -L=tun://:0/SERVER_IP:8421?net=192.168.123.2/24/64 ``` === "命令行(MacOS)" - ``` + ```bash gost -L="tun://:0/SERVER_IP:8421?net=192.168.123.2/24&peer=192.168.123.1" ``` @@ -129,9 +129,10 @@ gost -L="tun://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&m === "命令行" - ``` + ```bash gost -L="tun://:8421?net=192.168.123.1/24&gw=192.168.123.2&route=172.10.0.0/16,10.138.0.0/16" ``` + === "配置文件" ```yaml @@ -167,7 +168,7 @@ gost -L="tun://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&m metadata: net: 192.168.123.1/24 routes: - - 72.10.0.0/16 192.168.123.2 + - 172.10.0.0/16 192.168.123.2 - 10.138.0.0/16 192.168.123.3 ``` @@ -178,7 +179,7 @@ gost -L="tun://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&m 服务端可以使用[认证器](/concepts/auth/)来对客户端进行认证。 -#### 服务端 +**服务端** ```yaml hl_lines="6" services: @@ -203,11 +204,11 @@ authers: 认证器的用户名为给客户端分配的IP。 -#### 客户端 +**客户端** === "命令行" - ``` + ```bash gost -L "tun://:0/SERVER_IP:8421?net=192.168.123.2/24&passphrase=userpass1" ``` @@ -256,11 +257,11 @@ authers: #### 创建TUN设备并建立UDP隧道 -##### 服务端 +**服务端** === "命令行" - ``` + ```bash gost -L=tun://:8421?net=192.168.123.1/24 ``` @@ -278,11 +279,11 @@ authers: net: 192.168.123.1/24 ``` -##### 客户端 +**客户端** === "命令行" - ``` + ```bash gost -L=tun://:0/SERVER_IP:8421?net=192.168.123.2/24 ``` 
@@ -330,45 +331,45 @@ $ ping 192.168.123.1 #### iperf3测试 -##### 服务端 +**服务端** -``` -$ iperf3 -s +```bash +iperf3 -s ``` -##### 客户端 +**客户端** -``` -$ iperf3 -c 192.168.123.1 +```bash +iperf3 -c 192.168.123.1 ``` #### 路由规则和防火墙设置 如果想让客户端访问到服务端的网络,还需要根据需求设置相应的路由和防火墙规则。例如可以将客户端的所有外网流量转发给服务端处理 -##### 服务端 +**服务端** 开启IP转发并设置防火墙规则 -``` -$ sysctl -w net.ipv4.ip_forward=1 +```bash +sysctl -w net.ipv4.ip_forward=1 -$ iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -o tun0 -j MASQUERADE -$ iptables -A FORWARD -i tun0 ! -o tun0 -j ACCEPT -$ iptables -A FORWARD -o tun0 -j ACCEPT +iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -o tun0 -j MASQUERADE +iptables -A FORWARD -i tun0 ! -o tun0 -j ACCEPT +iptables -A FORWARD -o tun0 -j ACCEPT ``` -##### 客户端 +**客户端** 设置路由规则 !!! caution "谨慎操作" 以下操作会更改客户端的网络环境,除非你知道自己在做什么,请谨慎操作! -``` -$ ip route add SERVER_IP/32 dev eth0 # 请根据实际情况替换SERVER_IP和eth0 -$ ip route del default # 删除默认的路由 -$ ip route add default via 192.168.123.2 # 使用新的默认路由 +```bash +ip route add SERVER_IP/32 dev eth0 # 请根据实际情况替换SERVER_IP和eth0 +ip route del default # 删除默认的路由 +ip route add default via 192.168.123.2 # 使用新的默认路由 ``` ## TAP @@ -383,7 +384,7 @@ TAP的实现依赖于[songgao/water](https://github.com/songgao/water)库。 ### 使用说明 -``` +```bash gost -L="tap://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tap0&mtu=1350&route=10.100.0.0/16&gw=192.168.123.1" ``` @@ -411,17 +412,17 @@ gost -L="tap://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tap0&m `routes` (list) : 特定网关路由列表,列表每一项为空格分割的CIDR地址和网关,例如:`10.100.0.0/16 192.168.123.2` -`bufferSize` (int) +`buffersize` (int) : 数据读缓存区大小,默认1500字节 ### 使用示例 -#### 服务端 +**服务端** === "命令行" - ``` + ```bash gost -L=tap://:8421?net=192.168.123.1/24 ``` @@ -443,11 +444,11 @@ gost -L="tap://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tap0&m mtu: 1350 ``` -#### 客户端 +**客户端** === "命令行" - ``` + ```bash gost -L=tap://:0/SERVER_IP:8421?net=192.168.123.2/24 ``` 
@@ -483,11 +484,11 @@ GOST中的TUN/TAP隧道默认是基于UDP协议进行数据传输。 此方式比较灵活通用,推荐使用。 -#### 服务端 +**服务端** === "命令行" - ``` + ```bash gost -L=tun://:8421?net=192.168.123.1/24 -L relay+wss://:8443?bind=true ``` @@ -513,11 +514,11 @@ GOST中的TUN/TAP隧道默认是基于UDP协议进行数据传输。 type: wss ``` -#### 客户端 +**客户端** === "命令行" - ``` + ```bash gost -L=tun://:0/:8421?net=192.168.123.2/24 -F relay+wss://SERVER_IP:8443 ``` diff --git a/en/docs/concepts/bypass.md b/en/docs/concepts/bypass.md index 642d348..215727a 100644 --- a/en/docs/concepts/bypass.md +++ b/en/docs/concepts/bypass.md @@ -483,3 +483,7 @@ curl -XPOST http://127.0.0.1:8000/bypass -d '{"addr": "example.com:80", "client" `client` (string) : user ID, generated by Authenticator plugin. + +!!! tip "Bypass Based On Client ID" + The GOST internal Bypass does not handle the logic for specific clients. If you need to implement this function, you can use an Authenticator plugin and a Bypass plugin in combination. The Authenticator plugin returns the client ID after successful authentication. GOST will pass this client ID information to the Bypass plugin service again, and the Bypass plugin server can implement different strategies based on the client ID. + \ No newline at end of file diff --git a/en/docs/concepts/limiter.md b/en/docs/concepts/limiter.md index a919695..c8e76dd 100644 --- a/en/docs/concepts/limiter.md +++ b/en/docs/concepts/limiter.md @@ -13,7 +13,7 @@ This type of limiter includes three levels: service, connection and IP, the thre === "CLI" - ``` + ```bash gost -L ":8080?limiter.in=100MB&limiter.out=100MB&limiter.conn.in=10MB&limiter.conn.out=10MB" ``` @@ -55,7 +55,7 @@ This type of limiter includes two levels: service and IP, the two levels can be === "CLI" - ``` + ```bash gost -L ":8080?rlimiter=10" ``` @@ -95,7 +95,7 @@ This type of limiter includes two levels: service and IP, the two levels can be === "CLI" - ``` + ```bash gost -L ":8080?climiter=1000" ``` 
@@ -349,3 +349,88 @@ limiters: password: 123456 key: gost:limiters:limiter-0 ``` + +## Plugin + +对于流量速率限制器可以配置为使用外部[插件](/concepts/plugin/)服务,限制器会将查询请求转发给插件服务处理。当使用插件时其他参数无效。 +Traffic limiter can be configured to use an external [plugin](/en/concepts/plugin/) service, and it will forward the request to the plugin server for processing. Other parameters are ignored when using plugin. + +```yaml +limiters: +- name: limiter-0 + plugin: + type: grpc + # type: http + addr: 127.0.0.1:8000 + tls: + secure: false + serverName: example.com +``` + +`addr` (string, required) +: plugin server address. + +`tls` (duration, default=null) +: TLS encryption will be used for transmission, TLS encryption is not used by default. + +### HTTP Plugin + +```yaml +ingresses: +- name: limiter-0 + plugin: + type: http + addr: http://127.0.0.1:8000/limiter +``` + +#### Example + +```bash +curl -XPOST http://127.0.0.1:8000/limiter \ +-d'{"network":"tcp","addr":"example.com:443","client":"gost","src":"192.168.1.1:12345"}' +``` + +```json +{"in":1048576, "out":524288} +``` + +`network` (string, default=ip4) +: network types: `tcp`,`udp`. + +`addr` (string) +: target request address + +`client` (string) +: user ID, generated by Authenticator plugin. + +`src` (string) +: client source address + +`in` (int64) +: Input rate(bytes/s) + +`out` (int64) +: Output rate(bytes/s) + +## Limiter In Service Handler + +For proxy services (HTTP, HTTP2, SOCKS4, SOCKS5, Relay), traffic limiter is also available to the Handler. + +```yaml hl_lines="6" +services: +- name: service-0 + addr: ":8080" + handler: + type: http + limiter: limiter-0 + listener: + type: tcp +limiters: +- name: limiter-0 + plugin: + addr: 127.0.0.1:8000 +``` + +!!! tip "Limiter Based On Client ID" + The GOST internal Limiter does not handle the logic for specific clients. If you need to implement this function, you can use an Authenticator plugin and a Handler Limiter plugin in combination. 
The Authenticator plugin returns the client ID after successful authentication. GOST will pass this client ID information to the Limiter plugin server again, and the Limiter plugin server can implement different strategies based on the client ID. + \ No newline at end of file diff --git a/en/docs/tutorials/tuntap.md b/en/docs/tutorials/tuntap.md index 302ade2..11a1632 100644 --- a/en/docs/tutorials/tuntap.md +++ b/en/docs/tutorials/tuntap.md @@ -9,7 +9,7 @@ TUN is based on [wireguard-go](https://git.zx2c4.com/wireguard-go). ### Usage -``` +```bash gost -L="tun://[method:password@][local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&mtu=1350&route=10.100.0.0/16&gw=192.168.123.1" ``` @@ -40,10 +40,10 @@ gost -L="tun://[method:password@][local_ip]:port[/remote_ip:port]?net=192.168.12 `peer` (string) : Peer IP address,MacOS only -`bufferSize` (int, default=1500) +`buffersize` (int, default=1500) : read buffer size in byte. -`keepAlive` (bool, default=false) +`keepalive` (bool, default=false) : enable keepalive, valid for client. `ttl` (duration, default=10s) @@ -55,11 +55,11 @@ gost -L="tun://[method:password@][local_ip]:port[/remote_ip:port]?net=192.168.12 ### Example -#### Server +**Server** === "CLI" - ``` + ```bash gost -L=tun://:8421?net=192.168.123.1/24 ``` @@ -80,17 +80,17 @@ gost -L="tun://[method:password@][local_ip]:port[/remote_ip:port]?net=192.168.12 net: 192.168.123.1/24 mtu: 1350 ``` -#### Client +**Client** === "CLI (Linux/Windows)" - ``` + ```bash gost -L=tun://:0/SERVER_IP:8421?net=192.168.123.2/24 ``` === "CLI (MacOS)" - ``` + ```bash gost -L="tun://:0/SERVER_IP:8421?net=192.168.123.2/24&peer=192.168.123.1" ``` @@ -124,7 +124,7 @@ The server can access the client network by setting up routing table and gateway The server can set the default gateway through the `gw` option to specify the gateway of the routes in route parameter. -``` +```bash gost -L="tun://:8421?net=192.168.123.1/24&gw=192.168.123.2&route=172.10.0.0/16,10.138.0.0/16" ``` 
@@ -158,7 +158,7 @@ Packets send to network 10.138.0.0/16 will be forwarded to the client with the I The server can use [Auther](/en/concepts/auth/) to authenticate the client. -#### Server +**Server** ```yaml hl_lines="6" services: @@ -184,11 +184,11 @@ authers: The username of the auther is the IP assigned to the client. -#### Client +**Client** === "CLI" - ``` + ```bash gost -L "tun://:0/SERVER_IP:8421?net=192.168.123.2/24&passphrase=userpass1" ``` @@ -236,11 +236,11 @@ The client specifies the authentication code via the `passphrase` option. #### Create a TUN Device and Establish a UDP Tunnel -##### Server +**Server** === "CLI" - ``` + ```bash gost -L=tun://:8421?net=192.168.123.1/24 ``` @@ -257,11 +257,11 @@ The client specifies the authentication code via the `passphrase` option. metadata: net: 192.168.123.1/24 ``` -##### Client +**Client** === "CLI" - ``` + ```bash gost -L=tun://:0/SERVER_IP:8421?net=192.168.123.2/24 ``` 
@@ -307,45 +307,45 @@ $ ping 192.168.123.1 #### iperf3 Testing -##### Server +**Server** -``` -$ iperf3 -s +```bash +iperf3 -s ``` -##### Client +**Client** -``` -$ iperf3 -c 192.168.123.1 +```bash +iperf3 -c 192.168.123.1 ``` #### IP Routing and Firewall Rules If you want the client to access the server network, you need to set the corresponding routing table and firewall rules according to your needs. For example, all the client external network traffic can be forwarded to the server. -##### Server +**Server** Enable IP forwarding and set up firewall rules -``` -$ sysctl -w net.ipv4.ip_forward=1 +```bash +sysctl -w net.ipv4.ip_forward=1 -$ iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -o tun0 -j MASQUERADE -$ iptables -A FORWARD -i tun0 ! -o tun0 -j ACCEPT -$ iptables -A FORWARD -o tun0 -j ACCEPT +iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -o tun0 -j MASQUERADE +iptables -A FORWARD -i tun0 ! -o tun0 -j ACCEPT +iptables -A FORWARD -o tun0 -j ACCEPT ``` -##### Client +**Client** Set up firewall rules !!! caution The following operations will change the client's network environment, unless you know what you are doing, please be careful! -``` -$ ip route add SERVER_IP/32 dev eth0 # replace the SERVER_IP and eth0 -$ ip route del default # delete the default route -$ ip route add default via 192.168.123.2 # add new default route +```bash +ip route add SERVER_IP/32 dev eth0 # replace the SERVER_IP and eth0 +ip route del default # delete the default route +ip route add default via 192.168.123.2 # add new default route ``` ## TAP @@ -361,7 +361,7 @@ TAP is based on [songgao/water](https://github.com/songgao/water). ### Usage -``` +```bash gost -L="tap://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tap0&mtu=1350&route=10.100.0.0/16&gw=192.168.123.1" ``` 
@@ -389,16 +389,16 @@ gost -L="tap://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tap0&m `routes` (list) : Gateway-specific routing, Each entry in the list is a space-separated CIDR address and gateway, such as `10.100.0.0/16 192.168.123.2` -`bufferSize` (int, default=1500) +`buffersize` (int, default=1500) : read buffer size in byte. ### Example -#### Server +**Server** === "CLI" - ``` + ```bash gost -L=tap://:8421?net=192.168.123.1/24 ``` @@ -419,11 +419,12 @@ gost -L="tap://[local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tap0&m net: 192.168.123.1/24 mtu: 1350 ``` -#### Client + +**Client** === "CLI" - ``` + ```bash gost -L=tap://:0/SERVER_IP:8421?net=192.168.123.2/24 ``` @@ -459,11 +460,11 @@ You can use chain to forward UDP data, analogous to UDP port forwarding. This method is more flexible and general, and is recommended. -#### Server +**Server** === "CLI" - ``` + ```bash gost -L=tun://:8421?net=192.168.123.1/24 -L relay+wss://:8443?bind=true ``` @@ -488,11 +489,12 @@ This method is more flexible and general, and is recommended. listener: type: wss ``` -#### Client + +**Client** === "CLI" - ``` + ```bash gost -L=tun://:0/:8421?net=192.168.123.2/24 -F relay+wss://SERVER_IP:8443 ```
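Review bot: in docs/concepts/limiter.md (hunk @@ -390), the HTTP plugin example is keyed `ingresses:` but the section documents limiters; it should read `limiters:` like the gRPC example just above it, otherwise a reader who copies it configures an ingress, not a limiter. Three smaller points in the same hunk: `tls` is described as `(duration, default=null)` although the example shows a structure with `secure` and `serverName` sub-fields, so the type should be an object and those two fields deserve a line each (what `secure: false` means in particular), `network` is given `default=ip4` while the only listed values are `tcp` and `udp`, and the handler example uses `plugin: addr: 127.0.0.1:8000` with no `type`, so the default plugin type should be stated. Also `流量速率限制器也可以用处理器上` is missing a character; `也可以用在处理器上` reads correctly.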
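Review bot: in en/docs/concepts/limiter.md (hunk @@ -349), the Chinese sentence `对于流量速率限制器可以配置为使用外部...` was left in place directly above its English translation and should be dropped. The same issues as in the Chinese file carry over: `ingresses:` should be `limiters:` in the HTTP plugin example, `tls` is typed `duration` but is a structure with `secure` and `serverName`, `network` defaults to `ip4` while only `tcp` and `udp` are listed, and the handler example omits the plugin `type`. The file also ends with a `+ ` line containing only a space before `\ No newline at end of file`; drop the trailing whitespace.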
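Review bot: in docs/tutorials/tuntap.md (hunk @@ -82), the Linux/Windows client command reads `net=192.168.123.2/24/64`; the trailing `/64` looks like a leftover, since the MacOS variant in the same hunk, the configuration examples, and the English tutorial all use `net=192.168.123.2/24`. The hunk already touches this block to change the fence, so fix it here.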
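Review bot: in en/docs/tutorials/tuntap.md (hunk @@ -307), the client subsection is titled `Set up firewall rules` but the commands below it are `ip route add/del`, and the Chinese source for the same step says `设置路由规则`; change it to `Set up routing rules` so the heading matches both.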
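Review bot: in docs/tutorials/tuntap.md (hunk @@ -42) and the matching hunks in the TAP section and the English tutorial, `bufferSize` and `keepAlive` are renamed to `buffersize` and `keepalive` with no explanation. If the camelCase spelling previously worked, say whether it still does (or that metadata keys are matched case-insensitively); if it never worked, a short note that this is a documentation correction would keep readers from looking for a behavior change.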