feat(local-http): support HTTP Basic auth (#1994)

Author: zonyitoo

Cargo.lock

@@ -614,7 +614,10 @@ Example configuration:
             "local_address": "127.0.0.1",
             "local_port": 3128,
             // OPTIONAL. macOS launchd activate socket
-            "launchd_tcp_socket_name": "TCPListener"
+            "launchd_tcp_socket_name": "TCPListener",
+            // OPTIONAL. Authentication configuration file
+            // Configuration file document could be found in the next section.
+            "http_auth_config_path": "/path/to/auth.json",
         },
         {
             // DNS local server (feature = "local-dns")
@@ -955,6 +958,24 @@ The configuration file is set by `socks5_auth_config_path` in `locals`.
 }
 ```
 
+### HTTP Authentication Configuration
+
+The configuration file is set by `http_auth_config_path` in `locals`.
+
+```jsonc
+{
+    // Basic Authentication (RFC9110)
+    "basic": {
+        "users": [
+            {
+                "user_name": "USERNAME in UTF-8",
+                "password": "PASSWORD in UTF-8"
+            }
+        ]
+    }
+}
+```
+
 ### Environment Variables
 
 - `SS_SERVER_PASSWORD`: A default password for servers that created from command line argument (`--server-addr`)

README.md

@@ -19,14 +19,15 @@ fn main() -> ExitCode {
 
     // Allow running `ssservice` as symlink of `sslocal`, `ssserver` and `ssmanager`
     if let Some(program_path) = env::args().next()
-        && let Some(program_name) = Path::new(&program_path).file_name() {
-            match program_name.to_str() {
-                Some("sslocal") => return local::main(&local::define_command_line_options(app).get_matches()),
-                Some("ssserver") => return server::main(&server::define_command_line_options(app).get_matches()),
-                Some("ssmanager") => return manager::main(&manager::define_command_line_options(app).get_matches()),
-                _ => {}
-            }
+        && let Some(program_name) = Path::new(&program_path).file_name()
+    {
+        match program_name.to_str() {
+            Some("sslocal") => return local::main(&local::define_command_line_options(app).get_matches()),
+            Some("ssserver") => return server::main(&server::define_command_line_options(app).get_matches()),
+            Some("ssmanager") => return manager::main(&manager::define_command_line_options(app).get_matches()),
+            _ => {}
         }
+    }
 
     let matches = app
         .subcommand_required(true)

bin/ssservice.rs

@@ -60,7 +60,7 @@ local-dns-relay = ["local-dns"]
 # Currently is only used in Android
 local-flow-stat = ["local"]
 # Enable HTTP protocol for sslocal
-local-http = ["local", "hyper", "http", "http-body-util"]
+local-http = ["local", "hyper", "http", "http-body-util", "base64"]
 local-http-native-tls = ["local-http", "tokio-native-tls", "native-tls"]
 local-http-native-tls-vendored = [
     "local-http-native-tls",
@@ -179,6 +179,7 @@ mime = { version = "0.3", optional = true }
 flate2 = { version = "1.0", optional = true }
 brotli = { version = "8.0", optional = true }
 zstd = { version = "0.13", optional = true }
+base64 = { version = "0.22", optional = true }
 
 etherparse = { version = "0.19", optional = true }
 smoltcp = { version = "0.12", optional = true, default-features = false, features = [

crates/shadowsocks-service/Cargo.toml

@@ -209,13 +209,14 @@ impl ParsingRules {
                     }
                 }
             } else if let Some(set_rule) = caps.get(2)
-                && let Ok(set_rule) = str::from_utf8(set_rule.as_bytes()) {
-                    let set_rule = set_rule.replace("\\.", ".");
-                    if self.add_set_rule_inner(&set_rule).is_ok() {
-                        trace!("REGEX-RULE {} => SET-RULE {}", rule, set_rule);
-                        return;
-                    }
+                && let Ok(set_rule) = str::from_utf8(set_rule.as_bytes())
+            {
+                let set_rule = set_rule.replace("\\.", ".");
+                if self.add_set_rule_inner(&set_rule).is_ok() {
+                    trace!("REGEX-RULE {} => SET-RULE {}", rule, set_rule);
+                    return;
                 }
+            }
         }
 
         trace!("REGEX-RULE {}", rule);

crates/shadowsocks-service/src/acl/mod.rs

@@ -80,6 +80,8 @@ use shadowsocks::{
 use crate::acl::AccessControl;
 #[cfg(feature = "local-dns")]
 use crate::local::dns::NameServerAddr;
+#[cfg(feature = "local-http")]
+use crate::local::http::config::HttpAuthConfig;
 #[cfg(feature = "local")]
 use crate::local::socks::config::Socks5AuthConfig;
 
@@ -323,6 +325,11 @@ struct SSLocalExtConfig {
     #[serde(skip_serializing_if = "Option::is_none")]
     socks5_auth_config_path: Option<String>,
 
+    /// HTTP
+    #[cfg(feature = "local")]
+    #[serde(skip_serializing_if = "Option::is_none")]
+    http_auth_config_path: Option<String>,
+
     /// Fake DNS
     #[cfg(feature = "local-fake-dns")]
     #[serde(skip_serializing_if = "Option::is_none")]
@@ -1038,6 +1045,10 @@ pub struct LocalConfig {
     #[cfg(feature = "local")]
     pub socks5_auth: Socks5AuthConfig,
 
+    /// HTTP Authentication configuration
+    #[cfg(feature = "local")]
+    pub http_auth: HttpAuthConfig,
+
     /// Fake DNS record expire seconds
     #[cfg(feature = "local-fake-dns")]
     pub fake_dns_record_expire_duration: Option<Duration>,
@@ -1108,6 +1119,9 @@ impl LocalConfig {
             #[cfg(feature = "local")]
             socks5_auth: Socks5AuthConfig::default(),
 
+            #[cfg(feature = "local-http")]
+            http_auth: HttpAuthConfig::default(),
+
             #[cfg(feature = "local-fake-dns")]
             fake_dns_record_expire_duration: None,
             #[cfg(feature = "local-fake-dns")]
@@ -1832,6 +1846,11 @@ impl Config {
                             local_config.socks5_auth = Socks5AuthConfig::load_from_file(&socks5_auth_config_path)?;
                         }
 
+                        #[cfg(feature = "local-http")]
+                        if let Some(http_auth_config_path) = local.http_auth_config_path {
+                            local_config.http_auth = HttpAuthConfig::load_from_file(&http_auth_config_path)?;
+                        }
+
                         #[cfg(feature = "local-fake-dns")]
                         {
                             if let Some(d) = local.fake_dns_record_expire_duration {
@@ -2390,15 +2409,16 @@ impl Config {
         // Security
         if let Some(sec) = config.security
             && let Some(replay_attack) = sec.replay_attack
-                && let Some(policy) = replay_attack.policy {
-                    match policy.parse::<ReplayAttackPolicy>() {
-                        Ok(p) => nconfig.security.replay_attack.policy = p,
-                        Err(..) => {
-                            let err = Error::new(ErrorKind::Invalid, "invalid replay attack policy", None);
-                            return Err(err);
-                        }
-                    }
+            && let Some(policy) = replay_attack.policy
+        {
+            match policy.parse::<ReplayAttackPolicy>() {
+                Ok(p) => nconfig.security.replay_attack.policy = p,
+                Err(..) => {
+                    let err = Error::new(ErrorKind::Invalid, "invalid replay attack policy", None);
+                    return Err(err);
                 }
+            }
+        }
 
         if let Some(balancer) = config.balancer {
             nconfig.balancer = BalancerConfig {
@@ -2619,16 +2639,18 @@ impl Config {
 
             // Balancer related checks
             if let Some(rtt) = self.balancer.max_server_rtt
-                && rtt.as_secs() == 0 {
-                    let err = Error::new(ErrorKind::Invalid, "balancer.max_server_rtt must be > 0", None);
-                    return Err(err);
-                }
+                && rtt.as_secs() == 0
+            {
+                let err = Error::new(ErrorKind::Invalid, "balancer.max_server_rtt must be > 0", None);
+                return Err(err);
+            }
 
             if let Some(intv) = self.balancer.check_interval
-                && intv.as_secs() == 0 {
-                    let err = Error::new(ErrorKind::Invalid, "balancer.check_interval must be > 0", None);
-                    return Err(err);
-                }
+                && intv.as_secs() == 0
+            {
+                let err = Error::new(ErrorKind::Invalid, "balancer.check_interval must be > 0", None);
+                return Err(err);
+            }
         }
 
         if self.config_type.is_server() && self.server.is_empty() {
@@ -2664,10 +2686,11 @@ impl Config {
 
             // Plugin shouldn't be an empty string
             if let Some(plugin) = server.plugin()
-                && plugin.plugin.trim().is_empty() {
-                    let err = Error::new(ErrorKind::Malformed, "`plugin` shouldn't be an empty string", None);
-                    return Err(err);
-                }
+                && plugin.plugin.trim().is_empty()
+            {
+                let err = Error::new(ErrorKind::Malformed, "`plugin` shouldn't be an empty string", None);
+                return Err(err);
+            }
 
             // Server's domain name shouldn't be an empty string
             match server.addr() {
@@ -2899,6 +2922,9 @@ impl fmt::Display for Config {
                         #[cfg(feature = "local")]
                         socks5_auth_config_path: None,
 
+                        #[cfg(feature = "local-http")]
+                        http_auth_config_path: None,
+
                         #[cfg(feature = "local-fake-dns")]
                         fake_dns_record_expire_duration: local.fake_dns_record_expire_duration.map(|d| d.as_secs()),
                         #[cfg(feature = "local-fake-dns")]
@@ -3068,20 +3094,22 @@ impl fmt::Display for Config {
             }
 
             if jconf.method.is_none()
-                && let Some(ref m) = m.method {
-                    jconf.method = Some(m.to_string());
-                }
+                && let Some(ref m) = m.method
+            {
+                jconf.method = Some(m.to_string());
+            }
 
             if jconf.plugin.is_none()
-                && let Some(ref p) = m.plugin {
-                    jconf.plugin = Some(p.plugin.clone());
-                    if let Some(ref o) = p.plugin_opts {
-                        jconf.plugin_opts = Some(o.clone());
-                    }
-                    if !p.plugin_args.is_empty() {
-                        jconf.plugin_args = Some(p.plugin_args.clone());
-                    }
+                && let Some(ref p) = m.plugin
+            {
+                jconf.plugin = Some(p.plugin.clone());
+                if let Some(ref o) = p.plugin_opts {
+                    jconf.plugin_opts = Some(o.clone());
                 }
+                if !p.plugin_args.is_empty() {
+                    jconf.plugin_args = Some(p.plugin_args.clone());
+                }
+            }
         }
 
         if self.no_delay {
@@ -3188,17 +3216,18 @@ impl fmt::Display for Config {
 /// It will return the original value if fails to read `${VAR_NAME}`.
 pub fn read_variable_field_value(value: &str) -> Cow<'_, str> {
     if let Some(left_over) = value.strip_prefix("${")
-        && let Some(var_name) = left_over.strip_suffix('}') {
-            match env::var(var_name) {
-                Ok(value) => return value.into(),
-                Err(err) => {
-                    warn!(
-                        "couldn't read password from environment variable {}, error: {}",
-                        var_name, err
-                    );
-                }
+        && let Some(var_name) = left_over.strip_suffix('}')
+    {
+        match env::var(var_name) {
+            Ok(value) => return value.into(),
+            Err(err) => {
+                warn!(
+                    "couldn't read password from environment variable {}, error: {}",
+                    var_name, err
+                );
             }
         }
+    }
 
     value.into()
 }