Feature: add force-cert-verify to general config

force verify TLS Certificate, prevent machine-in-the-middle attacks.
2022-05-19 02:32:37 +08:00
parent 03499fcea6
commit d11d28c358
5 changed files with 56 additions and 31 deletions
--- a/adapter/parser.go
+++ b/adapter/parser.go
@@ -8,7 +8,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 )

-func ParseProxy(mapping map[string]any) (C.Proxy, error) {
+func ParseProxy(mapping map[string]any, forceCertVerify bool) (C.Proxy, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "proxy", WeaklyTypedInput: true})
 	proxyType, existType := mapping["type"].(string)
 	if !existType {
@@ -40,6 +40,9 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			socksOption.SkipCertVerify = false
+		}
 		proxy = outbound.NewSocks5(*socksOption)
 	case "http":
 		httpOption := &outbound.HttpOption{}
@@ -47,6 +50,9 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			httpOption.SkipCertVerify = false
+		}
 		proxy = outbound.NewHttp(*httpOption)
 	case "vmess":
 		vmessOption := &outbound.VmessOption{
@@ -59,6 +65,9 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			vmessOption.SkipCertVerify = false
+		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
 		vlessOption := &outbound.VlessOption{}
@@ -66,6 +75,9 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			vlessOption.SkipCertVerify = false
+		}
 		proxy, err = outbound.NewVless(*vlessOption)
 	case "snell":
 		snellOption := &outbound.SnellOption{}
@@ -80,6 +92,9 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			trojanOption.SkipCertVerify = false
+		}
 		proxy, err = outbound.NewTrojan(*trojanOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@@ -20,15 +20,16 @@ type healthCheckSchema struct {
 }

 type proxyProviderSchema struct {
-	Type        string            `provider:"type"`
-	Path        string            `provider:"path"`
-	URL         string            `provider:"url,omitempty"`
-	Interval    int               `provider:"interval,omitempty"`
-	Filter      string            `provider:"filter,omitempty"`
-	HealthCheck healthCheckSchema `provider:"health-check,omitempty"`
+	Type            string            `provider:"type"`
+	Path            string            `provider:"path"`
+	URL             string            `provider:"url,omitempty"`
+	Interval        int               `provider:"interval,omitempty"`
+	Filter          string            `provider:"filter,omitempty"`
+	HealthCheck     healthCheckSchema `provider:"health-check,omitempty"`
+	ForceCertVerify bool              `provider:"force-cert-verify,omitempty"`
 }

-func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvider, error) {
+func ParseProxyProvider(name string, mapping map[string]any, forceCertVerify bool) (types.ProxyProvider, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "provider", WeaklyTypedInput: true})

 	schema := &proxyProviderSchema{
@@ -36,6 +37,11 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 			Lazy: true,
 		},
 	}
+
+	if forceCertVerify {
+		schema.ForceCertVerify = true
+	}
+
 	if err := decoder.Decode(mapping, schema); err != nil {
 		return nil, err
 	}
@@ -60,5 +66,5 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide

 	interval := time.Duration(uint(schema.Interval)) * time.Second
 	filter := schema.Filter
-	return NewProxySetProvider(name, interval, filter, vehicle, hc)
+	return NewProxySetProvider(name, interval, filter, vehicle, hc, schema.ForceCertVerify)
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@@ -96,7 +96,7 @@ func stopProxyProvider(pd *ProxySetProvider) {
 	_ = pd.fetcher.Destroy()
 }

-func NewProxySetProvider(name string, interval time.Duration, filter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, filter string, vehicle types.Vehicle, hc *HealthCheck, forceCertVerify bool) (*ProxySetProvider, error) {
 	filterReg, err := regexp.Compile(filter)
 	if err != nil {
 		return nil, fmt.Errorf("invalid filter regex: %w", err)
@@ -111,7 +111,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, veh
 		healthCheck: hc,
 	}

-	fetcher := newFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, filterReg), proxiesOnUpdate(pd))
+	fetcher := newFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, filterReg, forceCertVerify), proxiesOnUpdate(pd))
 	pd.fetcher = fetcher

 	wrapper := &ProxySetProvider{pd}
@@ -202,7 +202,7 @@ func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	}
 }

-func proxiesParseAndFilter(filter string, filterReg *regexp.Regexp) parser[[]C.Proxy] {
+func proxiesParseAndFilter(filter string, filterReg *regexp.Regexp, forceCertVerify bool) parser[[]C.Proxy] {
 	return func(buf []byte) ([]C.Proxy, error) {
 		schema := &ProxySchema{}

@@ -219,7 +219,7 @@ func proxiesParseAndFilter(filter string, filterReg *regexp.Regexp) parser[[]C.P
 			if name, ok := mapping["name"]; ok && len(filter) > 0 && !filterReg.MatchString(name.(string)) {
 				continue
 			}
-			proxy, err := adapter.ParseProxy(mapping)
+			proxy, err := adapter.ParseProxy(mapping, forceCertVerify)
 			if err != nil {
 				return nil, fmt.Errorf("proxy %d error: %w", idx, err)
 			}