From 3729bced931fd93af95dcd9156b0a1c8643a7143 Mon Sep 17 00:00:00 2001
From: Artem Russkikh
Date: Wed, 4 Sep 2024 01:08:20 +0500
Subject: [PATCH 1/3] Update README (#137)
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 06da167..9e36158 100644
--- a/README.md
+++ b/README.md
@@ -20,8 +20,8 @@ and configured my browser to use wireproxy for certain sites. It's pretty useful
 wireproxy is completely isolated from my network interfaces, and I don't need root to configure anything.
-Users who want something similar but for Amnezia VPN can use [this fork](https://github.com/juev/wireproxy/tree/feature/amnezia-go)
-of wireproxy by [@juev](https://github.com/juev).
+Users who want something similar but for Amnezia VPN can use [this fork](https://github.com/artem-russkikh/wireproxy-awg)
+of wireproxy by [@artem-russkikh](https://github.com/artem-russkikh).
 # Feature - TCP static routing for client and server
From 5b7f822f176e2358aa51460cd8dc3fee259200f2 Mon Sep 17 00:00:00 2001
From: Niko
Date: Tue, 3 Sep 2024 20:08:52 +0000
Subject: [PATCH 2/3] Fix broken sandboxing resulting in SIGABRT (#136)
---
 systemd/wireproxy.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/wireproxy.service b/systemd/wireproxy.service
index 832f813..0ecc551 100644
--- a/systemd/wireproxy.service
+++ b/systemd/wireproxy.service
@@ -40,7 +40,7 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=true
 RestrictRealtime=true
 SystemCallArchitectures=native
-SystemCallFilter=@system-service
+SystemCallFilter=@system-service @sandbox
 [Install]
 WantedBy=multi-user.target
From 4a564b5ea2fa32caef9aae482a2df679fb6a7cf4 Mon Sep 17 00:00:00 2001
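Review bot: The `SystemCallFilter=` line now allows `@sandbox` with nothing in the unit saying why, so a later hardening pass could tighten it back to `@system-service` and reintroduce the crash named in the commit title. A comment line above it, e.g. `# @sandbox is required: wireproxy applies its own sandbox at startup`, would record the reason; that wording is inferred from the commit title and should be confirmed. As far as I know the group only covers the landlock and seccomp setup calls, which let a process restrict itself further, so the added exposure is small. A systemd release that does not know the `@sandbox` group would presumably skip the name with a warning and still hit the original failure, so a minimum-version note may be worth adding.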
From: =?UTF-8?q?Luiz=20Henrique=20Gomes=20Pal=C3=A1cio?=
Date: Tue, 3 Sep 2024 17:21:40 -0300
Subject: [PATCH 3/3] Fix HTTP proxy authentication to support both preemptive and challenge-response auth (#134)
---
 http.go | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/http.go b/http.go
index 9fa7932..ebaa822 100644
--- a/http.go
+++ b/http.go
@@ -31,23 +31,23 @@ func (s *HTTPServer) authenticate(req *http.Request) (int, error) {
 }
 auth := req.Header.Get(proxyAuthHeaderKey)
- if auth != "" {
- enc := strings.TrimPrefix(auth, "Basic ")
- str, err := base64.StdEncoding.DecodeString(enc)
- if err != nil {
- return http.StatusNotAcceptable, fmt.Errorf("decode username and password failed: %w", err)
- }
- pairs := bytes.SplitN(str, []byte(":"), 2)
- if len(pairs) != 2 {
- return http.StatusLengthRequired, fmt.Errorf("username and password format invalid")
- }
- if s.auth.Valid(string(pairs[0]), string(pairs[1])) {
- return 0, nil
- }
- return http.StatusUnauthorized, fmt.Errorf("username and password not matching")
+ if auth == "" {
+ return http.StatusProxyAuthRequired, fmt.Errorf(http.StatusText(http.StatusProxyAuthRequired))
 }
- return http.StatusProxyAuthRequired, fmt.Errorf(http.StatusText(http.StatusProxyAuthRequired))
+ enc := strings.TrimPrefix(auth, "Basic ")
+ str, err := base64.StdEncoding.DecodeString(enc)
+ if err != nil {
+ return http.StatusNotAcceptable, fmt.Errorf("decode username and password failed: %w", err)
+ }
+ pairs := bytes.SplitN(str, []byte(":"), 2)
+ if len(pairs) != 2 {
+ return http.StatusLengthRequired, fmt.Errorf("username and password format invalid")
+ }
+ if s.auth.Valid(string(pairs[0]), string(pairs[1])) {
+ return 0, nil
+ }
+ return http.StatusUnauthorized, fmt.Errorf("username and password not matching")
 }
 func (s *HTTPServer) handleConn(req *http.Request, conn net.Conn) (peer net.Conn, err error) {
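Review bot: The mismatch branch still returns `http.StatusUnauthorized`, and malformed credentials return 406 and 411, while the second hunk in serve adds `Proxy-Authenticate` only when `code == http.StatusProxyAuthRequired`; a client that sends wrong credentials preemptively therefore gets a 401 with no challenge header at all. For a proxy the usual answer to failed credentials is 407, e.g. `return http.StatusProxyAuthRequired, fmt.Errorf("username and password not matching")`, which lets the existing check in serve cover both cases. `strings.TrimPrefix(auth, "Basic ")` also accepts any header value, so a different scheme or a lower-case `basic` falls through to the base64 decode and is reported as 406; comparing the scheme with `strings.EqualFold` before decoding would reject those explicitly. The start of authenticate lies above the hunk.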
@@ -103,7 +103,11 @@ func (s *HTTPServer) serve(conn net.Conn) {
 code, err := s.authenticate(req)
 if err != nil {
- _ = responseWith(req, code).Write(conn)
+ resp := responseWith(req, code)
+ if code == http.StatusProxyAuthRequired {
+ resp.Header.Set("Proxy-Authenticate", "Basic realm=\"Proxy\"")
+ }
+ _ = resp.Write(conn)
 log.Println(err)
 return
 }
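Review bot: `resp.Header.Set` relies on responseWith returning a response whose Header map is non-nil; that helper is not visible here, and Set on a nil `http.Header` panics in the connection handler. If responseWith does not guarantee it, guard at this call site with `if resp.Header == nil { resp.Header = make(http.Header) }`. The failure path also logs only `err`; `log.Printf("proxy auth failed from %s: %v", conn.RemoteAddr(), err)` would let repeated failed attempts be attributed to a source address. serve begins above the hunk and continues below it.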