Chore: signature wildcard certificates

listener/listener.go

@@ -395,13 +395,12 @@ func ReCreateMitm(port int, tcpIn chan<- C.ConnContext) {
 	certOption, err = cert.NewConfig(
 		x509c,
 		privateKey,
-		cert.NewAutoGCCertsStorage(),
 	)
 	if err != nil {
 		return
 	}
 
-	certOption.SetValidity(time.Hour * 24 * 90)
+	certOption.SetValidity(time.Hour * 24 * 365 * 2) // 2 years
 	certOption.SetOrganization("Clash ManInTheMiddle Proxy Services")
 
 	opt := &mitm.Option{

listener/mitm/client.go

@@ -18,9 +18,11 @@ func newClient(source net.Addr, userAgent string, in chan<- C.ConnContext) *http
 		Transport: &http.Transport{
 			// excepted HTTP/2
 			TLSNextProto: make(map[string]func(string, *tls.Conn) http.RoundTripper),
-			// from http.DefaultTransport
-			MaxIdleConns:          100,
-			IdleConnTimeout:       90 * time.Second,
+			// only needed 1 connection
+			MaxIdleConns:          1,
+			MaxIdleConnsPerHost:   1,
+			MaxConnsPerHost:       1,
+			IdleConnTimeout:       60 * time.Second,
 			TLSHandshakeTimeout:   10 * time.Second,
 			ExpectContinueTimeout: 1 * time.Second,
 			TLSClientConfig: &tls.Config{

listener/mitm/proxy.go

@@ -44,7 +44,7 @@ startOver:
 readLoop:
 	for {
 		// use SetReadDeadline instead of Proxy-Connection keep-alive
-		if err := conn.SetReadDeadline(time.Now().Add(95 * time.Second)); err != nil {
+		if err := conn.SetReadDeadline(time.Now().Add(65 * time.Second)); err != nil {
 			break readLoop
 		}
 
@@ -86,7 +86,7 @@ readLoop:
 
 				// TLS handshake.
 				if b[0] == 0x16 {
-					tlsConn := tls.Server(conn, opt.CertConfig.NewTLSConfigForHost(session.request.URL.Host))
+					tlsConn := tls.Server(conn, opt.CertConfig.NewTLSConfigForHost(session.request.URL.Hostname()))
 
 					// Handshake with the local client
 					if err = tlsConn.Handshake(); err != nil {
@@ -167,13 +167,7 @@ readLoop:
 func writeResponseWithHandler(session *Session, opt *Option) error {
 	if opt.Handler != nil {
 		res := opt.Handler.HandleResponse(session)
-
 		if res != nil {
-			body := res.Body
-			defer func(body io.ReadCloser) {
-				_ = body.Close()
-			}(body)
-
 			session.response = res
 		}
 	}
@@ -186,7 +180,7 @@ func writeResponse(session *Session, keepAlive bool) error {
 
 	if keepAlive {
 		session.response.Header.Set("Connection", "keep-alive")
-		session.response.Header.Set("Keep-Alive", "timeout=90")
+		session.response.Header.Set("Keep-Alive", "timeout=60")
 	}
 
 	return session.writeResponse()
@@ -201,10 +195,6 @@ func handleApiRequest(session *Session, opt *Option) error {
 
 		session.response = session.NewResponse(http.StatusOK, bytes.NewReader(b))
 
-		defer func(body io.ReadCloser) {
-			_ = body.Close()
-		}(session.response.Body)
-
 		session.response.Close = true
 		session.response.Header.Set("Content-Type", "application/x-x509-ca-cert")
 		session.response.ContentLength = int64(len(b))
@@ -230,11 +220,6 @@ func handleApiRequest(session *Session, opt *Option) error {
 	b = fmt.Sprintf(b, session.request.URL.Path)
 
 	session.response = session.NewResponse(http.StatusNotFound, bytes.NewReader([]byte(b)))
-
-	defer func(body io.ReadCloser) {
-		_ = body.Close()
-	}(session.response.Body)
-
 	session.response.Close = true
 	session.response.Header.Set("Content-Type", "text/html;charset=utf-8")
 	session.response.ContentLength = int64(len(b))
@@ -243,6 +228,12 @@ func handleApiRequest(session *Session, opt *Option) error {
 }
 
 func handleError(opt *Option, session *Session, err error) {
+	if session.response != nil {
+		defer func() {
+			_, _ = io.Copy(io.Discard, session.response.Body)
+			_ = session.response.Body.Close()
+		}()
+	}
 	if opt.Handler != nil {
 		opt.Handler.HandleError(session, err)
 	}

listener/mitm/session.go

@@ -43,6 +43,9 @@ func (s *Session) writeResponse() error {
 	if s.response == nil {
 		return ErrInvalidResponse
 	}
+	defer func(resp *http.Response) {
+		_ = resp.Body.Close()
+	}(s.response)
 	return s.response.Write(s.conn)
 }
 

listener/tun/tun_adapter.go

@@ -145,6 +145,7 @@ func setAtLatest(stackType C.TUNStack, devName string) {
 	case "darwin":
 		// _, _ = cmd.ExecCmd("sysctl -w net.inet.ip.forwarding=1")
 		// _, _ = cmd.ExecCmd("sysctl -w net.inet6.ip6.forwarding=1")
+		_, _ = cmd.ExecCmd("sudo launchctl limit maxfiles 10240 unlimited")
 	case "windows":
 		_, _ = cmd.ExecCmd("ipconfig /renew")
 	case "linux":