-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
c90851b
commit 2247793
Showing
6 changed files
with
294 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # `withoutBrookProtocol` Protocol | ||
|
|
||
| ## Terminology | ||
|
|
||
| - **`DST Address`**: The address that the application actually wants to request, address contains IP/domain and port | ||
|
|
||
| ``` | ||
| ATYP + IP/Domain + PORT | ||
| ``` | ||
| - `ATYP`: 1 byte | ||
| - 0x01: IPv4 | ||
| - 0x03: Domain | ||
| - 0x04: IPv6 | ||
| - `IP/Domain`: 4/n/16 bytes | ||
| - If ATYP is 0x01, then this is IPv4, 4 bytes | ||
| - If ATYP is 0x03, then this is domain, n bytes, and the first byte is the domain length | ||
| - If ATYP is 0x04, then this is IPv6, 16 bytes | ||
| - `Port`: 2 bytes | ||
| - Big Endian 16-bit unsigned integer | ||
| - **`Password`**: User-defined password | ||
| - **`SHA256`**: Defined in FIPS 180-4 | ||
| ## Client --TCP--> Server | ||
| ``` | ||
| [Standard WebSocket Protocol Header] + [SHA256(Password) + (DST Address Length+4) + Unix Timestamp + DST Address] + [DATA]... | ||
| ``` | ||
| > The maximum length of `[SHA256(Password) + (DST Address Length+4) + Unix Timestamp + DST Address]` is 2048 bytes | ||
| - `DST Address Length+4`: Big Endian 16-bit unsigned integer | ||
| - [`Unix Timestamp`](https://en.wikipedia.org/wiki/Unix_time): If it is not even, it should be increased by 1. Big Endian 32-bit unsigned integer | ||
| - `DATA`: Actual data being proxied | ||
| ## Server --TCP--> Client | ||
| ``` | ||
| [Standard WebSocket Protocol Header] + [DATA]... | ||
| ``` | ||
| ## Client --UDP(UDP over TCP)--> Server | ||
| ``` | ||
| [Standard WebSocket Protocol Header] + [SHA256(Password) + (DST Address Length+4) + Unix Timestamp + DST Address] + [Fragment Length + Fragment]... | ||
| ``` | ||
| > The maximum length of `[SHA256(Password) + (DST Address Length+4) + Unix Timestamp + DST Address]` is 2048 bytes<br/> | ||
| > The maximum length of `[Fragment Length + Fragment]` is 65507 bytes<br/> | ||
| - `DST Address Length+4`: Big Endian 16-bit unsigned integer | ||
| - `Fragment Length`: Big Endian 16-bit unsigned integer | ||
| - `Fragment`: Actual data being proxied | ||
| - [`Unix Timestamp`](https://en.wikipedia.org/wiki/Unix_time): If it is not odd, it should be increased by 1. Big Endian 32-bit unsigned integer | ||
| ## Server --UDP(UDP over TCP)--> Client | ||
| ``` | ||
| [Standard WebSocket Protocol Header] + [Fragment Length + Fragment]... | ||
| ``` | ||
| > The maximum length of `[Fragment Length + Fragment]` is 65507 bytes<br/> | ||
| - `Fragment Length`: Big Endian 16-bit unsigned integer | ||
| - `Fragment`: Actual data being proxied | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| ## --withoutBrookProtocol | ||
|
|
||
| --withoutBrookProtocol is the same as brook wsserver and brook wssserver, but without brook protocol encryption.<br/> | ||
| So it is not recommended to use --withoutBrookProtocol together with --insecure.<br/> | ||
|
|
||
| ## Case 1: Run brook wsserver --withoutBrookProtocol + nico with trusted certificate | ||
|
|
||
| - Assume your domain is `domain.com`, nico default requires port `443` and `80`, `80` for issuing certificates, with password `hello` | ||
| - If there is a firewall, remember to open **TCP on port 80, 443** | ||
| - Make sure your `domain.com` has been resolved to your server IP successfully | ||
|
|
||
| ``` | ||
| brook wsserver --listen 127.0.0.1:9999 --password hello --withoutBrookProtocol | ||
| ``` | ||
| ``` | ||
| nico domain.com http://127.0.0.1:9999 | ||
| ``` | ||
|
|
||
| #### How to connect on the client side | ||
|
|
||
| ``` | ||
| brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol | ||
| ``` | ||
|
|
||
| > Connect with CLI: `brook connect --link 'brook://...' --socks5 127.0.0.1:1080`. More parameters: `brook connect -h`<br> | ||
| > Connect with GUI: add the brook link | ||
| ## Case 2: Run brook wssserver --withoutBrookProtocol with custom certificate with [your own domain] | ||
|
|
||
| - Assume your domain is `domain.com`, with port `443`, with password `hello` | ||
| - If there is a firewall, remember to open **TCP on port 443** | ||
| - The cert is `/root/cert.pem`, your cert key is `/root/certkey.pem`. [How to issue a certificate yourself](https://github.com/txthinking/mad) | ||
| - Make sure your `domain.com` has been resolved to your server IP successfully | ||
|
|
||
| ``` | ||
| brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol | ||
| ``` | ||
|
|
||
| #### How to connect on the client side | ||
|
|
||
| **if your certificate is issued by a trusted authority** | ||
|
|
||
| ``` | ||
| brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol | ||
| ``` | ||
|
|
||
| > Connect with CLI: `brook connect --link 'brook://...' --socks5 127.0.0.1:1080`. More parameters: `brook connect -h`<br> | ||
| > Connect with GUI: add the brook link | ||
| **if your certificate is issued by yourself** | ||
|
|
||
| ``` | ||
| brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol --ca /path/to/ca.pem | ||
| ``` | ||
|
|
||
| > Connect with CLI: `brook connect --link 'brook://...' --socks5 127.0.0.1:1080`. More parameters: `brook connect -h`<br> | ||
| > Connect with GUI: add the brook link | ||
| ## Case 3: Run brook wssserver --withoutBrookProtocol with custom certificate with [not your own domain] | ||
|
|
||
| - Assume the domain is `domain.com`, with port `443`, with password `hello` | ||
| - The cert is `/root/cert.pem`, your cert key is `/root/certkey.pem`. [How to issue a certificate yourself](https://github.com/txthinking/mad) | ||
| - If there is a firewall, remember to open **TCP on port 443** | ||
|
|
||
| ``` | ||
| brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol | ||
| ``` | ||
|
|
||
| #### How to connect on the client side | ||
|
|
||
| Assume your server IP is `1.2.3.4` | ||
|
|
||
| ``` | ||
| brook link --server wss://domain.com:443 --password hello --address 1.2.3.4:443 --withoutBrookProtocol --ca /path/to/ca.pem | ||
| ``` | ||
|
|
||
| > Connect with CLI: `brook connect --link 'brook://...' --socks5 127.0.0.1:1080`. More parameters: `brook connect -h`<br> | ||
| > Connect with GUI: add the brook link result | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # `withoutBrookProtocol` Protocol | ||
|
|
||
| ## Terminology | ||
|
|
||
| - **`DST Address`**: The address that the application actually wants to request, address contains IP/domain and port | ||
|
|
||
| ``` | ||
| ATYP + IP/Domain + PORT | ||
| ``` | ||
| - `ATYP`: 1 byte | ||
| - 0x01: IPv4 | ||
| - 0x03: Domain | ||
| - 0x04: IPv6 | ||
| - `IP/Domain`: 4/n/16 bytes | ||
| - If ATYP is 0x01, then this is IPv4, 4 bytes | ||
| - If ATYP is 0x03, then this is domain, n bytes, and the first byte is the domain length | ||
| - If ATYP is 0x04, then this is IPv6, 16 bytes | ||
| - `Port`: 2 bytes | ||
| - Big Endian 16-bit unsigned integer | ||
| - **`Password`**: User-defined password | ||
| - **`SHA256`**: Defined in FIPS 180-4 | ||
| ## Client --TCP--> Server | ||
| ``` | ||
| [Standard WebSocket Protocol Header] + [SHA256(Password) + (DST Address Length+4) + Unix Timestamp + DST Address] + [DATA]... | ||
| ``` | ||
| > The maximum length of `[SHA256(Password) + (DST Address Length+4) + Unix Timestamp + DST Address]` is 2048 bytes | ||
| - `DST Address Length+4`: Big Endian 16-bit unsigned integer | ||
| - [`Unix Timestamp`](https://en.wikipedia.org/wiki/Unix_time): If it is not even, it should be increased by 1. Big Endian 32-bit unsigned integer | ||
| - `DATA`: Actual data being proxied | ||
| ## Server --TCP--> Client | ||
| ``` | ||
| [Standard WebSocket Protocol Header] + [DATA]... | ||
| ``` | ||
| ## Client --UDP(UDP over TCP)--> Server | ||
| ``` | ||
| [Standard WebSocket Protocol Header] + [SHA256(Password) + (DST Address Length+4) + Unix Timestamp + DST Address] + [Fragment Length + Fragment]... | ||
| ``` | ||
| > The maximum length of `[SHA256(Password) + (DST Address Length+4) + Unix Timestamp + DST Address]` is 2048 bytes<br/> | ||
| > The maximum length of `[Fragment Length + Fragment]` is 65507 bytes<br/> | ||
| - `DST Address Length+4`: Big Endian 16-bit unsigned integer | ||
| - `Fragment Length`: Big Endian 16-bit unsigned integer | ||
| - `Fragment`: Actual data being proxied | ||
| - [`Unix Timestamp`](https://en.wikipedia.org/wiki/Unix_time): If it is not odd, it should be increased by 1. Big Endian 32-bit unsigned integer | ||
| ## Server --UDP(UDP over TCP)--> Client | ||
| ``` | ||
| [Standard WebSocket Protocol Header] + [Fragment Length + Fragment]... | ||
| ``` | ||
| > The maximum length of `[Fragment Length + Fragment]` is 65507 bytes<br/> | ||
| - `Fragment Length`: Big Endian 16-bit unsigned integer | ||
| - `Fragment`: Actual data being proxied | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| ## --withoutBrookProtocol | ||
|
|
||
| --withoutBrookProtocol 与brook wsserver 和 brook wssserver 一样, 但是不使用 brook 协议加密.<br/> | ||
| 所以不建议--withoutBrookProtocol和--insecure一起使用. | ||
|
|
||
| ## 第一种场景: 运行 brook wsserver --withoutBrookProtocol 和 nico 自动签发证书 | ||
|
|
||
| - 假设你的域名是 `domain.com`, nico 需要 `443` and `80`, `80` 用于签发证书, 密码 `hello` | ||
| - 防火墙记得开放 **TCP 80, 443** | ||
| - 确保你的域名 `domain.com` 已成功解析到你服务器的 IP | ||
|
|
||
| ``` | ||
| brook wsserver --listen 127.0.0.1:9999 --password hello --withoutBrookProtocol | ||
| ``` | ||
| ``` | ||
| nico domain.com http://127.0.0.1:9999 | ||
| ``` | ||
|
|
||
| #### 在客户端如何连接 | ||
|
|
||
| ``` | ||
| brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol | ||
| ``` | ||
|
|
||
| > 用 CLI 连接: `brook connect --link 'brook://...' --socks5 127.0.0.1:1080`. More parameters: `brook connect -h`<br> | ||
| > 用 GUI 连接: 添加 brook link | ||
| ## 第二种场景: 运行 brook wssserver --withoutBrookProtocol 使用指定证书 [你自己拥有的域名] | ||
|
|
||
| - 假设你的域名是 `domain.com`, 选择端口 `443`, 密码 `hello` | ||
| - 防火墙记得开放 **TCP 443** | ||
| - The cert is `/root/cert.pem`, your cert key is `/root/certkey.pem`. [如何自己签发证书](https://github.com/txthinking/mad) | ||
| - 确保你的域名 `domain.com` 已成功解析到你服务器的 IP | ||
|
|
||
| ``` | ||
| brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol | ||
| ``` | ||
|
|
||
| #### 在客户端如何连接 | ||
|
|
||
| **如果你的证书是信任机构签发** | ||
|
|
||
| ``` | ||
| brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol | ||
| ``` | ||
|
|
||
| > 用 CLI 连接: `brook connect --link 'brook://...' --socks5 127.0.0.1:1080`. More parameters: `brook connect -h`<br> | ||
| > 用 GUI 连接: add the brook link | ||
| **如果你的证书是你自己签发的** | ||
|
|
||
| ``` | ||
| brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol --ca /path/to/ca.pem | ||
| ``` | ||
|
|
||
| > 用 CLI 连接: `brook connect --link 'brook://...' --socks5 127.0.0.1:1080`. More parameters: `brook connect -h`<br> | ||
| > 用 GUI 连接: add the brook link | ||
| ## 第三种场景: 运行 brook wssserver --withoutBrookProtocol 使用指定证书 [你自己不拥有的域名] | ||
|
|
||
| - 假设域名是 `domain.com`, 选择端口 `443`, 密码 `hello` | ||
| - 防火墙记得开放 **TCP 443** | ||
| - The cert is `/root/cert.pem`, your cert key is `/root/certkey.pem`. [如何自己签发证书](https://github.com/txthinking/mad) | ||
|
|
||
| ``` | ||
| brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol | ||
| ``` | ||
|
|
||
| #### 在客户端如何连接 | ||
|
|
||
| 假设你的服务器的 IP 是 `1.2.3.4` | ||
|
|
||
| ``` | ||
| brook link --server wss://domain.com:443 --password hello --address 1.2.3.4:443 --withoutBrookProtocol --ca /path/to/ca.pem | ||
| ``` | ||
|
|
||
| > 用 CLI 连接: `brook connect --link 'brook://...' --socks5 127.0.0.1:1080`. More parameters: `brook connect -h`<br> | ||
| > 用 GUI 连接: add the brook link | ||