Proxy server programming: how do I implement a SOCKS proxy!!!! (200 points)

Thread starter: yousoft
Proxy server programming: how do I implement a SOCKS proxy!!!!
Whoever solves the problem will definitely get a high score!
The Proxy SOCKS5 protocol
Note: not an HTTP proxy, but the SOCKS proxy that QQ uses
 
Surely nobody is ignoring me? I just want to build a proxy server
 
Seriously, how come nobody has answered? Is it that hard?
 
Supposedly it isn't hard. Intercept the incoming packets and forward them on.
But I don't want to write that kind of thing, it would be exhausting; use someone else's.
 
There is plenty of ready-made stuff. Use Linux, it saves time and effort.
 
I made a simple one before, and have since wanted to make a complete one, but never had the time. Below is the protocol as I translated it back then. You can take a look first.
As for the actual code, you'll have to figure it out yourself!

SOCKS Protocol Version 5
(SOCKS5 protocol, excerpted from RFC 1928; translated by 杨浩)
1. Introduction

The use of network firewalls, systems that effectively isolate an organization's internal network structure from an exterior network, such as the INTERNET, is becoming increasingly popular. These firewall systems typically act as application-layer gateways between networks, usually offering controlled TELNET, FTP, and SMTP access. With the emergence of more sophisticated application layer protocols designed to facilitate global information discovery, there exists a need to provide a general framework for these protocols to transparently and securely traverse a firewall.

There exists, also, a need for strong authentication of such traversal in as fine-grained a manner as is practical. This requirement stems from the realization that client-server relationships emerge between the networks of various organizations, and that such relationships need to be controlled and often strongly authenticated.

The protocol described here is designed to provide a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. The protocol is conceptually a "shim-layer" between the application layer and the transport layer, and as such does not provide network-layer gateway services, such as forwarding of ICMP messages.
2. Existing practice

There currently exists a protocol, SOCKS Version 4, that provides for unsecured firewall traversal for TCP-based client-server applications, including TELNET, FTP and the popular information-discovery protocols such as HTTP, WAIS and GOPHER.

This new protocol extends the SOCKS Version 4 model to include UDP, extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain-name and V6 IP addresses.

The implementation of the SOCKS protocol typically involves the recompilation or relinking of TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library.

Note:

Unless otherwise noted, the decimal numbers appearing in packet-format diagrams represent the length of the corresponding field, in octets. Where a given octet must take on a specific value, the syntax X'hh' is used to denote the value of the single octet in that field. When the word 'Variable' is used, it indicates that the corresponding field has a variable length defined either by an associated (one or two octet) length field, or by a data type field.

3. Procedure for TCP-based clients

When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall (such determination is left up to the implementation), it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is conventionally located on TCP port 1080. If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, then sends a relay request. The SOCKS server evaluates the request, and either establishes the appropriate connection or denies it.

The client connects to the server, and sends a version identifier/method selection message:

        +----+----------+----------+
        |VER | NMETHODS | METHODS  |
        +----+----------+----------+
        | 1  |    1     | 1 to 255 |
        +----+----------+----------+

The VER field is set to X'05' for this version of the protocol. The NMETHODS field contains the number of method identifier octets that appear in the METHODS field.

The server selects from one of the methods given in METHODS, and sends a METHOD selection message:

        +----+--------+
        |VER | METHOD |
        +----+--------+
        | 1  |   1    |
        +----+--------+

If the selected METHOD is X'FF', none of the methods listed by the client are acceptable, and the client MUST close the connection.

The values currently defined for METHOD are:

 o X'00' NO AUTHENTICATION REQUIRED
 o X'01' GSSAPI
 o X'02' USERNAME/PASSWORD
 o X'03' to X'7F' IANA ASSIGNED
 o X'80' to X'FE' RESERVED FOR PRIVATE METHODS
 o X'FF' NO ACCEPTABLE METHODS

The client and server then enter a method-specific sub-negotiation. Descriptions of the method-dependent sub-negotiations appear in separate memos.

Developers of new METHOD support for this protocol should contact IANA for a METHOD number. The ASSIGNED NUMBERS document should be referred to for a current list of METHOD numbers and their corresponding protocols.

Compliant implementations MUST support GSSAPI and SHOULD support USERNAME/PASSWORD authentication methods.
4. Requests

Once the method-dependent subnegotiation has completed, the client sends the request details. If the negotiated method includes encapsulation for purposes of integrity checking and/or confidentiality, these requests MUST be encapsulated in the method-dependent encapsulation.

The SOCKS request is formed as follows:

        +----+-----+-------+------+----------+----------+
        |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+

Where:

 o VER protocol version: X'05'
 o CMD
   o CONNECT X'01'
   o BIND X'02'
   o UDP ASSOCIATE X'03'
 o RSV RESERVED
 o ATYP address type of following address
   o IP V4 address: X'01'
   o DOMAINNAME: X'03'
   o IP V6 address: X'04'
 o DST.ADDR desired destination address
 o DST.PORT desired destination port in network octet order

The SOCKS server will typically evaluate the request based on source and destination addresses, and return one or more reply messages, as appropriate for the request type.
5. Addressing

In an address field (DST.ADDR, BND.ADDR), the ATYP field specifies the type of address contained within the field:

 o X'01'
   the address is a version-4 IP address, with a length of 4 octets
 o X'03'
   the address field contains a fully-qualified domain name. The first octet of the address field contains the number of octets of name that follow; there is no terminating NUL octet.
 o X'04'
   the address is a version-6 IP address, with a length of 16 octets.
6. Replies

The SOCKS request information is sent by the client as soon as it has established a connection to the SOCKS server, and completed the authentication negotiations. The server evaluates the request, and returns a reply formed as follows:

        +----+-----+-------+------+----------+----------+
        |VER | REP |  RSV  | ATYP | BND.ADDR | BND.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+

Where:

 o VER protocol version: X'05'
 o REP Reply field:
   o X'00' succeeded
   o X'01' general SOCKS server failure
   o X'02' connection not allowed by ruleset
   o X'03' Network unreachable
   o X'04' Host unreachable
   o X'05' Connection refused
   o X'06' TTL expired
   o X'07' Command not supported
   o X'08' Address type not supported
   o X'09' to X'FF' unassigned
 o RSV RESERVED
 o ATYP address type of following address
   o IP V4 address: X'01'
   o DOMAINNAME: X'03'
   o IP V6 address: X'04'
 o BND.ADDR server bound address
 o BND.PORT server bound port in network octet order

Fields marked RESERVED (RSV) must be set to X'00'.

If the chosen method includes encapsulation for purposes of authentication, integrity and/or confidentiality, the replies are encapsulated in the method-dependent encapsulation.

CONNECT

In the reply to a CONNECT, BND.PORT contains the port number that the server assigned to connect to the target host, while BND.ADDR contains the associated IP address. The supplied BND.ADDR is often different from the IP address that the client uses to reach the SOCKS server, since such servers are often multi-homed. It is expected that the SOCKS server will use DST.ADDR and DST.PORT, and the client-side source address and port in evaluating the CONNECT request.

BIND

The BIND request is used in protocols which require the client to accept connections from the server. FTP is a well-known example, which uses the primary client-to-server connection for commands and status reports, but may use a server-to-client connection for transferring data on demand (e.g. LS, GET, PUT).

It is expected that the client side of an application protocol will use the BIND request only to establish secondary connections after a primary connection is established using CONNECT. It is expected that a SOCKS server will use DST.ADDR and DST.PORT in evaluating the BIND request.

Two replies are sent from the SOCKS server to the client during a BIND operation. The first is sent after the server creates and binds a new socket. The BND.PORT field contains the port number that the SOCKS server assigned to listen for an incoming connection. The BND.ADDR field contains the associated IP address. The client will typically use these pieces of information to notify (via the primary or control connection) the application server of the rendezvous address. The second reply occurs only after the anticipated incoming connection succeeds or fails. In the second reply, the BND.PORT and BND.ADDR fields contain the address and port number of the connecting host.

UDP ASSOCIATE

The UDP ASSOCIATE request is used to establish an association within the UDP relay process to handle UDP datagrams. The DST.ADDR and DST.PORT fields contain the address and port that the client expects to use to send UDP datagrams on for the association. The server MAY use this information to limit access to the association. If the client is not in possession of the information at the time of the UDP ASSOCIATE, the client MUST use a port number and address of all zeros.

A UDP association terminates when the TCP connection that the UDP ASSOCIATE request arrived on terminates.

In the reply to a UDP ASSOCIATE request, the BND.PORT and BND.ADDR fields indicate the port number/address where the client MUST send UDP request messages to be relayed.

Reply Processing

When a reply (REP value other than X'00') indicates a failure, the SOCKS server MUST terminate the TCP connection shortly after sending the reply. This must be no more than 10 seconds after detecting the condition that caused a failure.

If the reply code (REP value of X'00') indicates a success, and the request was either a BIND or a CONNECT, the client may now start passing data. If the selected authentication method supports encapsulation for the purposes of integrity, authentication and/or confidentiality, the data are encapsulated using the method-dependent encapsulation. Similarly, when data arrives at the SOCKS server for the client, the server MUST encapsulate the data as appropriate for the authentication method in use.
7. Procedure for UDP-based clients

A UDP-based client MUST send its datagrams to the UDP relay server at the UDP port indicated by BND.PORT in the reply to the UDP ASSOCIATE request. If the selected authentication method provides encapsulation for the purposes of authenticity, integrity, and/or confidentiality, the datagram MUST be encapsulated using the appropriate encapsulation. Each UDP datagram carries a UDP request header with it:

      +----+------+------+----------+----------+----------+
      |RSV | FRAG | ATYP | DST.ADDR | DST.PORT |   DATA   |
      +----+------+------+----------+----------+----------+
      | 2  |  1   |  1   | Variable |    2     | Variable |
      +----+------+------+----------+----------+----------+

The fields in the UDP request header are:

 o RSV Reserved X'0000'
 o FRAG Current fragment number
 o ATYP address type of following addresses:
   o IP V4 address: X'01'
   o DOMAINNAME: X'03'
   o IP V6 address: X'04'
 o DST.ADDR desired destination address
 o DST.PORT desired destination port
 o DATA user data

When a UDP relay server decides to relay a UDP datagram, it does so silently, without any notification to the requesting client. Similarly, it will drop datagrams it cannot or will not relay. When a UDP relay server receives a reply datagram from a remote host, it MUST encapsulate that datagram using the above UDP request header, and any authentication-method-dependent encapsulation.

The UDP relay server MUST acquire from the SOCKS server the expected IP address of the client that will send datagrams to the BND.PORT given in the reply to UDP ASSOCIATE. It MUST drop any datagrams arriving from any source IP address other than the one recorded for the particular association.

The FRAG field indicates whether or not this datagram is one of a number of fragments. If implemented, the high-order bit indicates end-of-fragment sequence, while a value of X'00' indicates that this datagram is standalone. Values between 1 and 127 indicate the fragment position within a fragment sequence. Each receiver will have a REASSEMBLY QUEUE and a REASSEMBLY TIMER associated with these fragments. The reassembly queue must be reinitialized and the associated fragments abandoned whenever the REASSEMBLY TIMER expires, or a new datagram arrives carrying a FRAG field whose value is less than the highest FRAG value processed for this fragment sequence. The reassembly timer MUST be no less than 5 seconds. It is recommended that fragmentation be avoided by applications wherever possible.

Implementation of fragmentation is optional; an implementation that does not support fragmentation MUST drop any datagram whose FRAG field is other than X'00'.

The programming interface for a SOCKS-aware UDP MUST report an available buffer space for UDP datagrams that is smaller than the actual space provided by the operating system:

 o if ATYP is X'01' - 10+method_dependent octets smaller
 o if ATYP is X'03' - 262+method_dependent octets smaller
 o if ATYP is X'04' - 20+method_dependent octets smaller

8. Security Considerations

This document describes a protocol for the application-layer traversal of IP network firewalls. The security of such traversal is highly dependent on the particular authentication and encapsulation methods provided in a particular implementation, and selected during negotiation between SOCKS client and SOCKS server. Careful consideration should be given by the administrator to the selection of authentication methods.
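The TCP negotiation of sections 3 to 6 and the UDP request header with the relay-side checks of section 7, as an added example that is not code from the original post, from any of the posters, or from RFC 1928: a small in-memory SOCKS5 codec in Python that produces and parses both the client's and the server's messages. The hostnames, ports, the `allowed` ruleset and the bound address 192.0.2.10:40001 reported on success are constructed for the demo, and `SocksError`, `server_handle_request` and `relay_parse_udp` are names introduced here, not RFC terms.

```python
"""Added example, not code from the forum post or from RFC 1928: an in-memory
SOCKS5 message codec covering the method negotiation, the request/reply pair,
and the UDP request header. Hosts, ports and the ruleset are constructed."""
import ipaddress
import struct

VER = 0x05
NO_AUTH, GSSAPI, USER_PASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
CONNECT, BIND, UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_FAIL, REP_RULESET, REP_BAD_CMD, REP_BAD_ATYP = 0x00, 0x01, 0x02, 0x07, 0x08

class SocksError(ValueError):
    """Parse failure carrying the REP code the server should answer with."""
    def __init__(self, msg, rep=REP_FAIL):
        super().__init__(msg)
        self.rep = rep

def encode_addr(host, port):
    """ATYP + ADDR + PORT in network byte order (RFC 1928 section 5)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: send a length-prefixed domain name, no NUL
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise SocksError("domain name must be 1..255 octets")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return body + struct.pack("!H", port)

def parse_addr(buf, off):
    """Return (host, port, next_offset); every length is bounds-checked before use."""
    if off >= len(buf):
        raise SocksError("truncated: missing ATYP")
    atyp, off = buf[off], off + 1
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
    elif atyp == ATYP_DOMAIN:
        if off >= len(buf) or buf[off] == 0:
            raise SocksError("bad domain length")
        n, off = buf[off], off + 1
    else:
        raise SocksError("address type not supported", REP_BAD_ATYP)
    if off + n + 2 > len(buf):
        raise SocksError("truncated address or port")
    raw = buf[off:off + n]
    if atyp == ATYP_DOMAIN:
        try:
            host = raw.decode("ascii")
        except UnicodeDecodeError:
            raise SocksError("non-ASCII domain name")
    else:
        host = str(ipaddress.ip_address(raw))
    return host, struct.unpack("!H", buf[off + n:off + n + 2])[0], off + n + 2

def client_greeting(methods):
    """VER NMETHODS METHODS (section 3)."""
    return bytes([VER, len(methods)]) + bytes(methods)

def server_select(greeting, preferred):
    """VER METHOD: the first server-preferred method the client offered, else X'FF'."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise SocksError("malformed method-selection message")
    offered = set(greeting[2:])
    return bytes([VER, next((m for m in preferred if m in offered), NO_ACCEPTABLE)])

def build_request(cmd, host, port):
    return bytes([VER, cmd, 0x00]) + encode_addr(host, port)

def parse_request(buf):
    """(CMD, host, port); RSV must be X'00' and trailing bytes are rejected."""
    if len(buf) < 4 or buf[0] != VER or buf[2] != 0x00:
        raise SocksError("malformed request header")
    host, port, end = parse_addr(buf, 3)
    if end != len(buf):
        raise SocksError("trailing bytes after request")
    return buf[1], host, port

def build_reply(rep, host="0.0.0.0", port=0):
    return bytes([VER, rep, 0x00]) + encode_addr(host, port)

def parse_reply(buf):
    """(REP, BND.ADDR, BND.PORT) as the client reads it."""
    if len(buf) < 4 or buf[0] != VER or buf[2] != 0x00:
        raise SocksError("malformed reply header")
    host, port, _ = parse_addr(buf, 3)
    return buf[1], host, port

def server_handle_request(raw, allowed):
    """Server-side evaluation (section 6): parse errors map to REP X'01' or X'08',
    anything but CONNECT to X'07', destinations outside the ruleset to X'02'.
    The bound address on success is a constructed placeholder (hypothetical)."""
    try:
        cmd, host, port = parse_request(raw)
    except SocksError as e:
        return build_reply(e.rep)
    if cmd != CONNECT:
        return build_reply(REP_BAD_CMD)
    if (host, port) not in allowed:
        return build_reply(REP_RULESET)
    return build_reply(REP_OK, "192.0.2.10", 40001)

def udp_datagram(host, port, data, frag=0):
    """RSV(2) FRAG ATYP DST.ADDR DST.PORT DATA (section 7)."""
    return b"\x00\x00" + bytes([frag]) + encode_addr(host, port) + data

def relay_parse_udp(datagram, recorded_src, actual_src):
    """Relay side: drop datagrams from any source but the one recorded for the
    association and, since fragmentation is not implemented here, any with
    FRAG != X'00'. Returns (host, port, payload), or None when dropped."""
    if actual_src != recorded_src or len(datagram) < 4 or datagram[:3] != b"\x00\x00\x00":
        return None
    try:
        host, port, off = parse_addr(datagram, 3)
    except SocksError:
        return None
    return host, port, datagram[off:]
```

`server_handle_request` makes explicit the mapping the RFC leaves to the implementation: a malformed or truncated request gets REP X'01' and the connection is closed, an unknown ATYP gets X'08', and a ruleset miss gets X'02' rather than a silent drop. `relay_parse_udp` enforces the source-address check of section 7 and the rule that an implementation without fragmentation support drops any datagram whose FRAG is not X'00'.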
 
Look at the earlier posts; the answer is already there.
TO timerri: where is there a Chinese version of the RFC?
 
Never seen a Chinese one! If you want one, translate it yourself!
 
http://www.delphibbs.com/delphibbs/dispq.asp?lid=539966

is also discussing this problem; have a look at it too.
 
I don't understand a damn bit of the theory,
but I do have the code for a SOCKS5 proxy server, hehe
 
I have a question:
Is it true that with a UDP control that doesn't support SOCKS5 proxies, two machines that both get online through a LAN can't communicate with each other?
And with a UDP control that does support SOCKS5 proxies, is this problem solved?
Where can I get a UDP control that supports SOCKS5 proxies?
Experts, please advise!
 
HOHO, I just made a simple QQ proxy; it only does one thing, access with no username/password
 
Good grief, it's this complicated!! I'm not going to read it. I'm out!!!
 
I've already written a small program that does HTTP and SOCKS proxying; using it for QQ feels really good.
 
TO zxy888zxy:
Could you send me a copy?
Is there source code? (Is it written in Delphi?)
If it's Delphi source I'd like it (code exchange)!
BEST REGARDS!
 
to zxy888zxy:
Does your program display all the data passing through the PROXY in real time?
When mine displays it and a large volume of data comes through, the repainting is so frequent (I use a RichEdit for display)
that the main thread sits at 100% CPU, and I had to display only the first 1/3 of any large chunk of data;
otherwise the only option is to save all the data, show just the packets, and show the details when a packet is clicked...
If you've done this, how did you solve it?
 
Brother xiao_min: could you send me a copy of the source code for your SOCKS proxy? xtsls@163.net
 