Add new admin panel, failover, dns fallback, providers, limiters. Update XHTTP

2026-05-19 11:00:38 +03:00 · 2026-05-11 00:59:35 +03:00
parent 652e0baf57
commit 3bd162ed6f
241 changed files with 36409 additions and 4086 deletions
--- a/service/node_manager_api/server/node.go
+++ b/service/node_manager_api/server/node.go
@@ -0,0 +1,303 @@
+package server
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/log"
+	CS "github.com/sagernet/sing-box/service/manager/constant"
+	pb "github.com/sagernet/sing-box/service/node_manager_api/manager"
+	E "github.com/sagernet/sing/common/exceptions"
+	"google.golang.org/grpc"
+)
+
+type RemoteNode struct {
+	ctx    context.Context
+	logger log.ContextLogger
+	stream grpc.ServerStreamingServer[pb.NodeData]
+
+	err     error
+	errChan chan error
+
+	mtx sync.Mutex
+}
+
+func NewRemoteNode(ctx context.Context, logger log.ContextLogger, stream grpc.ServerStreamingServer[pb.NodeData]) (*RemoteNode, chan error) {
+	errChan := make(chan error)
+	return &RemoteNode{
+		ctx:     ctx,
+		logger:  logger,
+		stream:  stream,
+		errChan: errChan,
+	}, errChan
+}
+
+func (s *RemoteNode) UpdateUser(user CS.User) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateUser,
+		Data: &pb.NodeData_User{User: s.convertUser(user)},
+	})
+}
+
+func (s *RemoteNode) UpdateUsers(users []CS.User) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	pbUsers := make([]*pb.User, len(users))
+	for i, user := range users {
+		pbUsers[i] = s.convertUser(user)
+	}
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateUsers,
+		Data: &pb.NodeData_Users{Users: &pb.UserList{Values: pbUsers}},
+	})
+}
+
+func (s *RemoteNode) DeleteUser(user CS.User) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_deleteUser,
+		Data: &pb.NodeData_User{User: s.convertUser(user)},
+	})
+}
+
+func (s *RemoteNode) UpdateConnectionLimiter(limiter CS.ConnectionLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateConnectionLimiter,
+		Data: &pb.NodeData_ConnectionLimiter{ConnectionLimiter: s.convertConnectionLimiter(limiter)},
+	})
+}
+
+func (s *RemoteNode) UpdateConnectionLimiters(limiters []CS.ConnectionLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	pbLimiters := make([]*pb.ConnectionLimiter, len(limiters))
+	for i, limiters := range limiters {
+		pbLimiters[i] = s.convertConnectionLimiter(limiters)
+	}
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateConnectionLimiters,
+		Data: &pb.NodeData_ConnectionLimiters{ConnectionLimiters: &pb.ConnectionLimiterList{Values: pbLimiters}},
+	})
+}
+
+func (s *RemoteNode) DeleteConnectionLimiter(limiter CS.ConnectionLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_deleteConnectionLimiter,
+		Data: &pb.NodeData_ConnectionLimiter{ConnectionLimiter: s.convertConnectionLimiter(limiter)},
+	})
+}
+
+func (s *RemoteNode) UpdateBandwidthLimiter(limiter CS.BandwidthLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateBandwidthLimiter,
+		Data: &pb.NodeData_BandwidthLimiter{BandwidthLimiter: s.convertBandwidthLimiter(limiter)},
+	})
+}
+
+func (s *RemoteNode) UpdateBandwidthLimiters(limiters []CS.BandwidthLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	pbLimiters := make([]*pb.BandwidthLimiter, len(limiters))
+	for i, limiters := range limiters {
+		pbLimiters[i] = s.convertBandwidthLimiter(limiters)
+	}
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateBandwidthLimiters,
+		Data: &pb.NodeData_BandwidthLimiters{BandwidthLimiters: &pb.BandwidthLimiterList{Values: pbLimiters}},
+	})
+}
+
+func (s *RemoteNode) DeleteBandwidthLimiter(limiter CS.BandwidthLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_deleteBandwidthLimiter,
+		Data: &pb.NodeData_BandwidthLimiter{BandwidthLimiter: s.convertBandwidthLimiter(limiter)},
+	})
+}
+
+func (s *RemoteNode) UpdateTrafficLimiter(limiter CS.TrafficLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateTrafficLimiter,
+		Data: &pb.NodeData_TrafficLimiter{TrafficLimiter: s.convertTrafficLimiter(limiter)},
+	})
+}
+
+func (s *RemoteNode) UpdateTrafficLimiters(limiters []CS.TrafficLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	pbLimiters := make([]*pb.TrafficLimiter, len(limiters))
+	for i, limiters := range limiters {
+		pbLimiters[i] = s.convertTrafficLimiter(limiters)
+	}
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateTrafficLimiters,
+		Data: &pb.NodeData_TrafficLimiters{TrafficLimiters: &pb.TrafficLimiterList{Values: pbLimiters}},
+	})
+}
+
+func (s *RemoteNode) DeleteTrafficLimiter(limiter CS.TrafficLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_deleteTrafficLimiter,
+		Data: &pb.NodeData_TrafficLimiter{TrafficLimiter: s.convertTrafficLimiter(limiter)},
+	})
+}
+
+func (s *RemoteNode) UpdateRateLimiter(limiter CS.RateLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateRateLimiter,
+		Data: &pb.NodeData_RateLimiter{RateLimiter: s.convertRateLimiter(limiter)},
+	})
+}
+
+func (s *RemoteNode) UpdateRateLimiters(limiters []CS.RateLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	pbLimiters := make([]*pb.RateLimiter, len(limiters))
+	for i, limiters := range limiters {
+		pbLimiters[i] = s.convertRateLimiter(limiters)
+	}
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_updateRateLimiters,
+		Data: &pb.NodeData_RateLimiters{RateLimiters: &pb.RateLimiterList{Values: pbLimiters}},
+	})
+}
+
+func (s *RemoteNode) DeleteRateLimiter(limiter CS.RateLimiter) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.send(&pb.NodeData{
+		Op:   pb.OpType_deleteRateLimiter,
+		Data: &pb.NodeData_RateLimiter{RateLimiter: s.convertRateLimiter(limiter)},
+	})
+}
+
+func (s *RemoteNode) IsLocal() bool {
+	return false
+}
+
+func (s *RemoteNode) IsOnline() bool {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	select {
+	case <-s.stream.Context().Done():
+		return false
+	default:
+		return true
+	}
+}
+
+func (s *RemoteNode) Close() error {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.close(E.New("server connection is closed"))
+	return nil
+}
+
+func (s *RemoteNode) send(data *pb.NodeData) {
+	if s.err != nil {
+		return
+	}
+	select {
+	case <-s.ctx.Done():
+		s.close(E.New("server connection is closed"))
+		return
+	case <-s.stream.Context().Done():
+		s.close(E.New("client connection is closed"))
+		return
+	default:
+	}
+	err := s.stream.Send(data)
+	if err != nil {
+		s.close(err)
+	}
+}
+
+func (s *RemoteNode) close(err error) {
+	if err != nil {
+		return
+	}
+	s.err = err
+	s.errChan <- err
+	close(s.errChan)
+}
+
+func (s *RemoteNode) convertUser(user CS.User) *pb.User {
+	return &pb.User{
+		Id:       int32(user.ID),
+		Username: user.Username,
+		Inbound:  user.Inbound,
+		Type:     user.Type,
+		Uuid:     user.UUID,
+		Password: user.Password,
+		Secret:   user.Secret,
+		Flow:     user.Flow,
+		AlterId:  int32(user.AlterID),
+	}
+}
+
+func (s *RemoteNode) convertConnectionLimiter(limiter CS.ConnectionLimiter) *pb.ConnectionLimiter {
+	return &pb.ConnectionLimiter{
+		Id:             int32(limiter.ID),
+		Username:       limiter.Username,
+		Outbound:       limiter.Outbound,
+		Strategy:       limiter.Strategy,
+		ConnectionType: limiter.ConnectionType,
+		LockType:       limiter.LockType,
+		Count:          limiter.Count,
+	}
+}
+
+func (s *RemoteNode) convertBandwidthLimiter(limiter CS.BandwidthLimiter) *pb.BandwidthLimiter {
+	return &pb.BandwidthLimiter{
+		Id:             int32(limiter.ID),
+		Username:       limiter.Username,
+		Outbound:       limiter.Outbound,
+		Strategy:       limiter.Strategy,
+		ConnectionType: limiter.ConnectionType,
+		Mode:           limiter.Mode,
+		FlowKeys:       limiter.FlowKeys,
+		Speed:          limiter.Speed,
+		RawSpeed:       limiter.RawSpeed,
+	}
+}
+
+func (s *RemoteNode) convertTrafficLimiter(limiter CS.TrafficLimiter) *pb.TrafficLimiter {
+	return &pb.TrafficLimiter{
+		Id:       int32(limiter.ID),
+		Username: limiter.Username,
+		Outbound: limiter.Outbound,
+		Strategy: limiter.Strategy,
+		Mode:     limiter.Mode,
+		RawUsed:  limiter.RawUsed,
+		Quota:    limiter.Quota,
+		RawQuota: limiter.RawQuota,
+	}
+}
+
+func (s *RemoteNode) convertRateLimiter(limiter CS.RateLimiter) *pb.RateLimiter {
+	return &pb.RateLimiter{
+		Id:             int32(limiter.ID),
+		Username:       limiter.Username,
+		Outbound:       limiter.Outbound,
+		Strategy:       limiter.Strategy,
+		ConnectionType: limiter.ConnectionType,
+		Count:          limiter.Count,
+		Interval:       limiter.Interval,
+	}
+}
--- a/service/node_manager_api/server/server.go
+++ b/service/node_manager_api/server/server.go
@@ -0,0 +1,182 @@
+package server
+
+import (
+	"context"
+	"crypto/subtle"
+	"errors"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	boxService "github.com/sagernet/sing-box/adapter/service"
+	"github.com/sagernet/sing-box/common/listener"
+	"github.com/sagernet/sing-box/common/tls"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	CM "github.com/sagernet/sing-box/service/manager/constant"
+	pb "github.com/sagernet/sing-box/service/node_manager_api/manager"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
+	"github.com/sagernet/sing/service"
+	"golang.org/x/net/http2"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+)
+
+type APIServer struct {
+	pb.UnimplementedManagerServer
+	boxService.Adapter
+
+	ctx        context.Context
+	logger     log.ContextLogger
+	listener   *listener.Listener
+	tlsConfig  tls.ServerConfig
+	grpcServer *grpc.Server
+	manager    CM.NodeManager
+	options    option.NodeManagerAPIServerOptions
+
+	mtx sync.Mutex
+}
+
+func NewAPIServer(ctx context.Context, logger log.ContextLogger, tag string, options option.NodeManagerAPIServerOptions) (*APIServer, error) {
+	if options.APIKey == "" {
+		return nil, E.New("missing api key")
+	}
+	return &APIServer{
+		Adapter: boxService.NewAdapter(C.TypeManager, tag),
+		ctx:     ctx,
+		logger:  logger,
+		listener: listener.New(listener.Options{
+			Context: ctx,
+			Logger:  logger,
+			Network: []string{N.NetworkTCP},
+			Listen:  options.ListenOptions,
+		}),
+		options: options,
+	}, nil
+}
+
+func (s *APIServer) AddNode(node *pb.Node, stream grpc.ServerStreamingServer[pb.NodeData]) error {
+	remoteNode, errChan := NewRemoteNode(s.ctx, s.logger, stream)
+	err := s.manager.AddNode(node.Uuid, remoteNode)
+	if err != nil {
+		if err == CM.ErrNotFound {
+			return err
+		} else {
+			s.logger.Error(err)
+			return E.New("internal error")
+		}
+	}
+	return <-errChan
+}
+
+func (s *APIServer) AcquireLock(ctx context.Context, request *pb.AcquireLockRequest) (*pb.LockData, error) {
+	handleId, err := s.manager.AcquireLock(int(request.LimiterId), request.Id)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.LockData{HandleId: handleId}, nil
+}
+
+func (s *APIServer) RefreshLock(ctx context.Context, data *pb.LockData) (*pb.Empty, error) {
+	return nil, s.manager.RefreshLock(int(data.LimiterId), data.Id, data.HandleId)
+}
+
+func (s *APIServer) ReleaseLock(ctx context.Context, data *pb.LockData) (*pb.Empty, error) {
+	return nil, s.manager.ReleaseLock(int(data.LimiterId), data.Id, data.HandleId)
+}
+
+func (s *APIServer) AddTrafficUsage(ctx context.Context, request *pb.TrafficUsageRequest) (*pb.TrafficUsageReply, error) {
+	remaining, err := s.manager.AddTrafficUsage(int(request.LimiterId), request.N)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.TrafficUsageReply{Remaining: remaining}, nil
+}
+
+func (s *APIServer) Start(stage adapter.StartStage) error {
+	if stage != adapter.StartStateStart {
+		return nil
+	}
+	boxManager := service.FromContext[adapter.ServiceManager](s.ctx)
+	service, ok := boxManager.Get(s.options.Manager)
+	if !ok {
+		return E.New("manager ", s.options.Manager, " not found")
+	}
+	s.manager, ok = service.(CM.NodeManager)
+	if !ok {
+		return E.New("invalid", s.options.Manager, " manager")
+	}
+	if s.options.TLS != nil {
+		tlsConfig, err := tls.NewServer(s.ctx, s.logger, common.PtrValueOrDefault(s.options.TLS))
+		if err != nil {
+			return err
+		}
+		s.tlsConfig = tlsConfig
+	}
+	if s.tlsConfig != nil {
+		err := s.tlsConfig.Start()
+		if err != nil {
+			return E.Cause(err, "create TLS config")
+		}
+	}
+	tcpListener, err := s.listener.ListenTCP()
+	if err != nil {
+		return err
+	}
+	if s.tlsConfig != nil {
+		if !common.Contains(s.tlsConfig.NextProtos(), http2.NextProtoTLS) {
+			s.tlsConfig.SetNextProtos(append([]string{"h2"}, s.tlsConfig.NextProtos()...))
+		}
+		tcpListener = aTLS.NewListener(tcpListener, s.tlsConfig)
+	}
+	s.grpcServer = grpc.NewServer(
+		grpc.ChainUnaryInterceptor(s.unaryAuthInterceptor),
+		grpc.StreamInterceptor(s.streamAuthInterceptor),
+	)
+	pb.RegisterManagerServer(s.grpcServer, s)
+	go func() {
+		err = s.grpcServer.Serve(tcpListener)
+		if err != nil && !errors.Is(err, grpc.ErrServerStopped) {
+			s.logger.Error("serve error: ", err)
+		}
+	}()
+	return nil
+}
+
+func (s *APIServer) Close() error {
+	return nil
+}
+
+func (s *APIServer) unaryAuthInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
+	if err := s.authorize(ctx); err != nil {
+		return nil, err
+	}
+	return handler(ctx, req)
+}
+
+func (s *APIServer) streamAuthInterceptor(srv any, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+	if err := s.authorize(ss.Context()); err != nil {
+		return err
+	}
+	return handler(srv, ss)
+}
+
+func (s *APIServer) authorize(ctx context.Context) error {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return status.Error(codes.Unauthenticated, "missing api key")
+	}
+	values := md.Get("authorization")
+	if len(values) == 0 {
+		return status.Error(codes.Unauthenticated, "missing api key")
+	}
+	if subtle.ConstantTimeCompare([]byte(values[0]), []byte(s.options.APIKey)) == 0 {
+		return status.Error(codes.Unauthenticated, "invalid api key")
+	}
+	return nil
+}