Server listen on 0.0.0.0 fixed, server -redirect host added. Client proxy support.

Author: doxx

README.md

@@ -115,6 +115,8 @@ I used 8080 with a Cloudflare proxy via HTTP for the firs test. Less overhead.
 - **TLS Security**: Because we're sneaky, not reckless
 - **Client-controlled destination addressing**: The destination (-d) is now specified on the client side and securely transmitted to the server
 - **Base64 encoded destination transmission**: The server no longer requires a destination parameter (-d has been removed)
+- **Reverse Proxy Support**: The client now supports SOCKS5 and HTTP(s) proxies.
+- **Custom 302**: Server now has defined 302 redirects for non-auth users.
 
 ## 🚀 Quick Start
 

bin/checksums.txt

@@ -1,14 +1,14 @@
 # DarkFlare Binary Checksums
-# Generated: Sun Dec 22 18:06:43 UTC 2024
+# Generated: Sun Dec 22 18:20:29 UTC 2024
 
-7aca8ba2f3424a8fc7bd5b318ea64b065e2025c04b3bf56b75a580054485b65d  checksums.txt
-b5b99d41710c1fa7c5972c16e2569e9669a5f33b3a47a43637b3c759a0b7c37e  darkflare-client-darwin-amd64
-5fddf0bdeb8edbad23480667c52d0e80589796bd296cf0ddfde9687977af54c2  darkflare-client-darwin-arm64
-701ca0f8d425df0b081335d85209e3888835738d607b5595077fe53cf10ece80  darkflare-client-linux-amd64
-0c0576ade0937f2f5ff6999afcf22e2513f91f48aeaa0234552b7c2b9e1b509a  darkflare-client-linux-arm64
-6d581afcdd58545577f6fe37f984237e8ceafb3a9e279128cb729e5d2507ceae  darkflare-client-windows-amd64.exe
-047ea2e4b7adce407464ab539325d95e9258c25a83639384cea715641c6f5ca5  darkflare-server-darwin-amd64
-448c05be509e93de7f6dbf61121b52487654732b2b4424966715d27867df8a77  darkflare-server-darwin-arm64
-100ad4b1cf6f141616235be265620cf51eb12deae4c230516e6c55d28e643558  darkflare-server-linux-amd64
-59ec518896201dae5057710a89c4b909d558676d99c4f2e6c476509a19fc3bb0  darkflare-server-linux-arm64
-05799be76456dbe49c4424ca66c100077c31a811873694bbda92dc8cb8f984b5  darkflare-server-windows-amd64.exe
+e5e585abb6b5fc87f823cd1c916ed28591b0460ff352b51feb7426e69fb96aab  checksums.txt
+4782d0a3f953355847561fda6a0ed0970c01cb4e46d3bd1f1590c24be409391e  darkflare-client-darwin-amd64
+a7050875bb463ef5389f08522fe12613049f8ac29e078f654dac77745b93b2cf  darkflare-client-darwin-arm64
+10abd137dfe6d1e62d5c01dc11fa5caa5dcc90ab931504a06b14a488b4a396d4  darkflare-client-linux-amd64
+43a26f48d61b3ee8f92e333922d4c39ee880ac576f2eb29233ce2d7d6b944eac  darkflare-client-linux-arm64
+1d05cfeb741c6165acf4dc9829c146cdf850bae2bb7a0b5aa554770e5ee0bade  darkflare-client-windows-amd64.exe
+f893a0498fd10517c54a3348d2aac33ccf04f8691bad3cf6b4f6631115127446  darkflare-server-darwin-amd64
+120c9b485a6b6102096800367d3e2c4f2dc4c0799881c4911e394e3bd53e0f9f  darkflare-server-darwin-arm64
+1ed50cbc44075712642b3572f424789024451d750afe5142efdb9184d7450e18  darkflare-server-linux-amd64
+b43e3282bc3560f93012a9be1a9fd3d88eca7d7ae7d7bfeca47cf057c3bf4c1d  darkflare-server-linux-arm64
+1cc5e59478c644020a7a197002dca56db497260288628603c40e8b74b5d37fab  darkflare-server-windows-amd64.exe

bin/darkflare-client-darwin-amd64

@@ -137,24 +137,58 @@ func NewClient(cloudflareHost string, destPort int, scheme string, destAddr stri
 
 	// Configure proxy support
 	if proxyURL != "" {
-		if strings.HasPrefix(proxyURL, "socks") {
-			// Handle SOCKS proxy
-			dialer, err := proxy.SOCKS5("tcp", proxyURL[strings.Index(proxyURL, "//")+2:], nil, proxy.Direct)
-			if err != nil {
-				log.Printf("Error creating SOCKS5 dialer: %v", err)
-			} else {
-				transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-					return dialer.Dial(network, addr)
+		if client.debug {
+			client.debugLog("Configuring proxy: %s", proxyURL)
+		}
+
+		proxyURLParsed, err := url.Parse(proxyURL)
+		if err != nil {
+			log.Printf("Invalid proxy URL: %v", err)
+			return nil
+		}
+
+		switch proxyURLParsed.Scheme {
+		case "socks5", "socks5h":
+			// Extract auth if present
+			var auth *proxy.Auth
+			if proxyURLParsed.User != nil {
+				auth = &proxy.Auth{
+					User: proxyURLParsed.User.Username(),
+				}
+				if password, ok := proxyURLParsed.User.Password(); ok {
+					auth.Password = password
 				}
 			}
-		} else {
-			// Handle HTTP/HTTPS proxy
-			proxyURLParsed, err := url.Parse(proxyURL)
+
+			// Create SOCKS5 dialer
+			dialer, err := proxy.SOCKS5("tcp", proxyURLParsed.Host, auth, proxy.Direct)
 			if err != nil {
-				log.Printf("Error parsing proxy URL: %v", err)
-			} else {
-				transport.Proxy = http.ProxyURL(proxyURLParsed)
+				log.Printf("Failed to create SOCKS5 dialer: %v", err)
+				return nil
 			}
+
+			transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+				if client.debug {
+					client.debugLog("SOCKS5 dialing %s via %s", addr, proxyURLParsed.Host)
+				}
+				return dialer.Dial(network, addr)
+			}
+
+		case "http", "https":
+			transport.Proxy = http.ProxyURL(proxyURLParsed)
+
+			// Add proxy authentication if present
+			if proxyURLParsed.User != nil {
+				basicAuth := "Basic " + base64.StdEncoding.EncodeToString(
+					[]byte(proxyURLParsed.User.String()))
+				transport.ProxyConnectHeader = http.Header{
+					"Proxy-Authorization": []string{basicAuth},
+				}
+			}
+
+		default:
+			log.Printf("Unsupported proxy scheme: %s", proxyURLParsed.Scheme)
+			return nil
 		}
 	}
 
@@ -494,17 +528,27 @@ func main() {
 		fmt.Fprintf(os.Stderr, "  -debug    Enable detailed debug logging\n")
 		fmt.Fprintf(os.Stderr, "            Shows connection details, data transfer, and errors\n\n")
 		fmt.Fprintf(os.Stderr, "  -p        Proxy URL for outbound connections\n")
-		fmt.Fprintf(os.Stderr, "            Format: http://host:port or socks5://host:port\n\n")
+		fmt.Fprintf(os.Stderr, "            Format: scheme://[user:pass@]host:port\n")
+		fmt.Fprintf(os.Stderr, "            Supported schemes: http, https, socks5, socks5h\n\n")
 		fmt.Fprintf(os.Stderr, "Examples:\n")
 		fmt.Fprintf(os.Stderr, "  Basic SSH tunnel:\n")
-		fmt.Fprintf(os.Stderr, "    %s -l 2222 -t https://cdn.miami.us.doxx.net -d ssh.destination.com:22\n\n", os.Args[0])
-		fmt.Fprintf(os.Stderr, "  Custom port with debugging:\n")
-		fmt.Fprintf(os.Stderr, "    %s -l 8080 -t https://tunnel.example.com:8443 -d internal.service:80 -debug\n\n", os.Args[0])
-		fmt.Fprintf(os.Stderr, "  HTTP proxy tunnel:\n")
-		fmt.Fprintf(os.Stderr, "    %s -l 8080 -t http://proxy.example.com -d target.site.com:80\n\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "    %s -l 2222 -t cdn.example.com -d ssh.target.com:22\n\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "  With HTTP proxy:\n")
+		fmt.Fprintf(os.Stderr, "    %s -l 2222 -t cdn.example.com -d ssh.target.com:22 \\\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "      -p http://proxy.example.com:8080\n\n")
+		fmt.Fprintf(os.Stderr, "  With authenticated SOCKS5 proxy:\n")
+		fmt.Fprintf(os.Stderr, "    %s -l 2222 -t cdn.example.com -d ssh.target.com:22 \\\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "      -p socks5://user:pass@proxy.example.com:1080\n\n")
+		fmt.Fprintf(os.Stderr, "  Debug mode with HTTPS proxy:\n")
+		fmt.Fprintf(os.Stderr, "    %s -l 8080 -t cdn.example.com -d internal.service:80 \\\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "      -p https://proxy.company.com:443 -debug\n\n")
 		fmt.Fprintf(os.Stderr, "Usage with SSH:\n")
-		fmt.Fprintf(os.Stderr, "  1. Start the client: %s -l 2222 -t tunnel.example.com -d ssh.target.com:22\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "  1. Start the client: %s -l 2222 -t cdn.example.com -d ssh.target.com:22\n", os.Args[0])
 		fmt.Fprintf(os.Stderr, "  2. Connect via: ssh -p 2222 user@localhost\n\n")
+		fmt.Fprintf(os.Stderr, "Notes:\n")
+		fmt.Fprintf(os.Stderr, "  - Proxy authentication is supported via URL format user:pass@host\n")
+		fmt.Fprintf(os.Stderr, "  - SOCKS5h variant will resolve hostnames through the proxy\n")
+		fmt.Fprintf(os.Stderr, "  - Debug mode will show proxy connection details and errors\n\n")
 		fmt.Fprintf(os.Stderr, "For more information: https://github.com/blyon/darkflare\n")
 	}
 

bin/darkflare-client-darwin-arm64

@@ -36,9 +36,10 @@ type Server struct {
 	isAppMode   bool
 	allowDirect bool
 	silent      bool
+	redirect    string
 }
 
-func NewServer(destHost, destPort string, appCommand string, debug bool, allowDirect bool, silent bool) *Server {
+func NewServer(destHost, destPort string, appCommand string, debug bool, allowDirect bool, silent bool, redirect string) *Server {
 	s := &Server{
 		destHost:    destHost,
 		destPort:    destPort,
@@ -47,6 +48,7 @@ func NewServer(destHost, destPort string, appCommand string, debug bool, allowDi
 		isAppMode:   appCommand != "",
 		allowDirect: allowDirect,
 		silent:      silent,
+		redirect:    redirect,
 	}
 
 	if s.isAppMode && s.debug && !s.silent {
@@ -174,8 +176,12 @@ func (s *Server) handleRequest(w http.ResponseWriter, r *http.Request) {
 	// Get and decode destination early
 	encodedDest := r.Header.Get("X-Requested-With")
 	if encodedDest == "" {
-		log.Printf("Redirect: %s → https://github.com/doxx/darkflare", clientIP)
-		http.Redirect(w, r, "https://github.com/doxx/darkflare", http.StatusFound)
+		redirectURL := s.redirect
+		if redirectURL == "" {
+			redirectURL = "https://github.com/doxx/darkflare"
+		}
+		log.Printf("Redirect: %s → %s", clientIP, redirectURL)
+		http.Redirect(w, r, redirectURL, http.StatusFound)
 		return
 	}
 
@@ -421,6 +427,7 @@ func main() {
 	var allowDirect bool
 	var appCommand string
 	var silent bool
+	var redirect string
 
 	flag.Usage = func() {
 		fmt.Fprintf(os.Stderr, "DarkFlare Server - TCP-over-CDN tunnel server component\n")
@@ -442,6 +449,8 @@ func main() {
 		fmt.Fprintf(os.Stderr, "            Shows connection details and errors\n\n")
 		fmt.Fprintf(os.Stderr, "  -s        Silent mode\n")
 		fmt.Fprintf(os.Stderr, "            Suppresses all non-error output\n\n")
+		fmt.Fprintf(os.Stderr, "  -redirect Custom URL to redirect unauthorized requests\n")
+		fmt.Fprintf(os.Stderr, "            Default: GitHub project page\n\n")
 		fmt.Fprintf(os.Stderr, "Examples:\n")
 		fmt.Fprintf(os.Stderr, "  Basic setup:\n")
 		fmt.Fprintf(os.Stderr, "    %s -o http://0.0.0.0:8080\n\n", os.Args[0])
@@ -463,6 +472,7 @@ func main() {
 	flag.BoolVar(&debug, "debug", false, "")
 	flag.BoolVar(&allowDirect, "allow-direct", false, "")
 	flag.BoolVar(&silent, "s", false, "")
+	flag.StringVar(&redirect, "redirect", "", "Custom URL to redirect unauthorized requests (default: GitHub project page)")
 	flag.Parse()
 
 	// Parse origin URL
@@ -491,7 +501,7 @@ func main() {
 		log.Printf("DarkFlare server listening on %s", origin)
 	}
 
-	server := NewServer(originHost, originPort, appCommand, debug, allowDirect, silent)
+	server := NewServer(originHost, originPort, appCommand, debug, allowDirect, silent, redirect)
 
 	log.Printf("DarkFlare server running on %s://%s:%s", originURL.Scheme, originHost, originPort)
 	if allowDirect {
@@ -585,11 +595,22 @@ func main() {
 }
 
 func isLocalIP(ip string) bool {
+	// Allow 0.0.0.0 as a valid binding address
+	if ip == "0.0.0.0" {
+		return true
+	}
+
 	ipAddr := net.ParseIP(ip)
 	if ipAddr == nil {
 		return false
 	}
 
+	// Check if it's a loopback address
+	if ipAddr.IsLoopback() {
+		return true
+	}
+
+	// Get all network interfaces
 	interfaces, err := net.Interfaces()
 	if err != nil {
 		log.Printf("Error getting network interfaces: %v", err)
@@ -604,16 +625,15 @@ func isLocalIP(ip string) bool {
 		}
 
 		for _, addr := range addrs {
-			var localIP net.IP
 			switch v := addr.(type) {
 			case *net.IPNet:
-				localIP = v.IP
+				if v.IP.Equal(ipAddr) {
+					return true
+				}
 			case *net.IPAddr:
-				localIP = v.IP
-			}
-
-			if localIP.Equal(ipAddr) {
-				return true
+				if v.IP.Equal(ipAddr) {
+					return true
+				}
 			}
 		}
 	}