add ssh tunnel feature

qwj · qwj · commit 7134d6809c27 · 2019-03-27T13:59:18.000+08:00
diff --git a/README.rst b/README.rst
@@ -12,7 +12,7 @@ python-proxy
 .. |Downloads| image:: https://pepy.tech/badge/pproxy
    :target: https://pepy.tech/project/pproxy
 
-HTTP/Socks4/Socks5/Shadowsocks/ShadowsocksR/Redirect/Pf TCP/UDP asynchronous tunnel proxy implemented in Python3 asyncio.
+HTTP/Socks4/Socks5/Shadowsocks/ShadowsocksR/SSH/Redirect/Pf TCP/UDP asynchronous tunnel proxy implemented in Python3 asyncio.
 
 QuickStart
 ----------
@@ -112,6 +112,8 @@ Protocols
 +-------------------+------------+------------+------------+------------+--------------+
 | shadowsocksR      | ✔          | ✔          |            |            | ssr://       |
 +-------------------+------------+------------+------------+------------+--------------+
+| ssh tunnel        |            | ✔          |            |            | ssh://       |
++-------------------+------------+------------+------------+------------+--------------+
 | iptables nat      | ✔          |            |            |            | redir://     |
 +-------------------+------------+------------+------------+------------+--------------+
 | pfctl nat (macos) | ✔          |            |            |            | pf://        |
@@ -149,6 +151,8 @@ Requirement
 
 pycryptodome_ is an optional library to enable faster (C version) cipher. **pproxy** has many built-in pure python ciphers. They are lightweight and stable, but slower than C ciphers. After speedup with PyPy_, pure python ciphers can get similar performance as C version. If the performance is important and don't have PyPy_, install pycryptodome_ instead.
 
+asyncssh_ is an optional library to enable ssh tunnel client support.
+
 These are some performance benchmarks between Python and C ciphers (dataset: 8M):
 
 +---------------------+----------------+
@@ -167,6 +171,7 @@ PyPy3 Quickstart:
   $ pypy3 -m pip install asyncio pproxy
 
 .. _pycryptodome: https://pycryptodome.readthedocs.io/en/latest/src/introduction.html
+.. _asyncssh: https://asyncssh.readthedocs.io/en/latest/
 .. _PyPy: http://pypy.org
 
 Usage
@@ -225,6 +230,8 @@ URI Syntax
     +----------+-----------------------------+
     | ssr      | shadowsocksr (SSR) protocol |
     +----------+-----------------------------+
+    | ssh      | ssh client tunnel           |
+    +----------+-----------------------------+
     | redir    | redirect (iptables nat)     |
     +----------+-----------------------------+
     | pf       | pfctl (macos pf nat)        |
@@ -644,7 +651,24 @@ Examples
 
     $ pproxy -l http+in://client_ip:8081
 
-  Server connects to client_ip:8081 and waits for client proxy requests. The protocol http specified is just an example. It can be any protocol and cipher **pproxy** supports. The scheme **in** should exist in URI to inform **pproxy** that it is a backward proxy.
+  Server connects to client_ip:8081 and waits for client proxy requests. The protocol http specified is just an example. It can be any protocol and cipher **pproxy** supports. The scheme "**in**" should exist in URI to inform **pproxy** that it is a backward proxy.
+
+- SSH client tunnel
+
+  SSH client tunnel support is enabled by installing additional library asyncssh_. After "pip3 install asyncssh", you can specify "**ssh**" as scheme to proxy via ssh client tunnel.
+
+  .. code:: rst
+
+    $ pproxy -l http://:8080 -r ssh://remote_server.com/#login:password
+
+  If a client private key is used to authenticate, put double colon "::" between login and private key path.
+
+  .. code:: rst
+
+    $ pproxy -l http://:8080 -r ssh://remote_server.com/#login::private_key_path
+
+  SSH connection known_hosts feature is disabled by default.
+
 
 Projects
 --------
diff --git a/pproxy/__doc__.py b/pproxy/__doc__.py
@@ -1,5 +1,5 @@
 __title__       = "pproxy"
-__version__     = "2.0.9"
+__version__     = "2.1.0"
 __license__     = "MIT"
 __description__ = "Proxy server that can tunnel among remote servers by regex rules."
 __keywords__    = "proxy socks http shadowsocks shadowsocksr ssr redirect pf tunnel cipher ssl udp"
diff --git a/pproxy/proto.py b/pproxy/proto.py
@@ -308,6 +308,10 @@ def write(data, o=writer_remote.write):
                 return o(data)
         writer_remote.write = write
 
+class SSH(BaseProtocol):
+    async def connect(self, reader_remote, writer_remote, rauth, host_name, port, myhost, **kw):
+        pass
+
 class Transparent(BaseProtocol):
     def correct_header(self, header, auth, sock, **kw):
         remote = self.query_remote(sock)
@@ -558,7 +562,7 @@ def udp_parse(protos, data, **kw):
             return (proto,) + ret
     raise Exception(f'Unsupported protocol {data[:10]}')
 
-MAPPINGS = dict(direct=Direct, http=HTTP, httponly=HTTPOnly, socks5=Socks5, socks4=Socks4, socks=Socks5, ss=SS, ssr=SSR, redir=Redir, pf=Pf, tunnel=Tunnel, echo=Echo, pack=Pack, ws=WS, ssl='', secure='')
+MAPPINGS = dict(direct=Direct, http=HTTP, httponly=HTTPOnly, ssh=SSH, socks5=Socks5, socks4=Socks4, socks=Socks5, ss=SS, ssr=SSR, redir=Redir, pf=Pf, tunnel=Tunnel, echo=Echo, pack=Pack, ws=WS, ssl='', secure='')
 MAPPINGS['in'] = ''
 
 def get_protos(rawprotos):
diff --git a/pproxy/server.py b/pproxy/server.py
@@ -309,7 +309,7 @@ def datagram_received(prot, data, addr):
                 asyncio.ensure_future(datagram_handler(prot.transport, data, addr, **vars(self), **args))
         return asyncio.get_event_loop().create_datagram_endpoint(Protocol, local_addr=(self.host_name, self.port))
     async def open_connection(self, host, port, local_addr, lbind):
-        if self.reuse:
+        if self.reuse or self.ssh:
             if self.streams is None or self.streams.done() and not self.handler:
                 self.streams = asyncio.get_event_loop().create_future()
             else:
@@ -323,6 +323,25 @@ async def open_connection(self, host, port, local_addr, lbind):
                 local_addr = local_addr if lbind == 'in' else (lbind, 0) if lbind else None
                 family = 0 if local_addr is None else 30 if ':' in local_addr[0] else 2
                 wait = asyncio.open_connection(host=host, port=port, local_addr=local_addr, family=family)
+            elif self.ssh:
+                try:
+                    import asyncssh
+                    for s in ('read_', 'read_n', 'read_until'):
+                        setattr(asyncssh.SSHReader, s, getattr(asyncio.StreamReader, s))
+                except Exception:
+                    raise Exception('Missing library: "pip3 install asyncssh"')
+                username, password = self.auth.decode().split(':', 1)
+                if password.startswith(':'):
+                    client_keys = [password[1:]]
+                    password = None
+                else:
+                    client_keys = None
+                local_addr = local_addr if self.lbind == 'in' else (self.lbind, 0) if self.lbind else None
+                family = 0 if local_addr is None else 30 if ':' in local_addr[0] else 2
+                conn = await asyncssh.connect(host=self.host_name, port=self.port, local_addr=local_addr, family=family, x509_trusted_certs=None, known_hosts=None, username=username, password=password, client_keys=client_keys)
+                if not self.streams.done():
+                    self.streams.set_result((conn, None))
+                return conn, None
             elif self.backward:
                 wait = self.backward.open_connection()
             elif self.unix:
@@ -353,6 +372,8 @@ async def prepare_ciphers_and_headers(self, reader_remote, writer_remote, host,
                 if not self.streams.done():
                     self.streams.set_result((reader_remote, writer_remote))
                 reader_remote, writer_remote = handler.connect(whost, wport)
+            elif self.ssh:
+                reader_remote, writer_remote = await reader_remote.open_connection(whost, wport)
             else:
                 await self.rproto.connect(reader_remote=reader_remote, writer_remote=writer_remote, rauth=self.auth, host_name=whost, port=wport, writer_cipher_r=writer_cipher_r, myhost=self.host_name, sock=writer_remote.get_extra_info('socket'))
             return await self.relay.prepare_ciphers_and_headers(reader_remote, writer_remote, host, port, handler)
@@ -435,14 +456,15 @@ def compile(cls, uri, relay=None):
         match = cls.compile_rule(url.query) if url.query else None
         if loc:
             host_name, _, port = loc.partition(':')
-            port = int(port) if port else 8080
+            port = int(port) if port else (22 if 'ssh' in rawprotos else 8080)
         else:
             host_name = port = None
         return ProxyURI(protos=protos, rproto=protos[0], cipher=cipher, auth=url.fragment.encode(), \
                         match=match, bind=loc or urlpath, host_name=host_name, port=port, \
                         unix=not loc, lbind=lbind, sslclient=sslclient, sslserver=sslserver, \
                         alive=True, direct='direct' in protonames, tunnel='tunnel' in protonames, \
-                        reuse='pack' in protonames or relay and relay.reuse, backward='in' in rawprotos, relay=relay)
+                        reuse='pack' in protonames or relay and relay.reuse, backward='in' in rawprotos, \
+                        ssh='ssh' in rawprotos, relay=relay)
 ProxyURI.DIRECT = ProxyURI(direct=True, tunnel=False, reuse=False, relay=None, alive=True, match=None, cipher=None, backward=None)
 
 async def test_url(url, rserver):
