From 2b580067a27683fa39bd35746804bbbe3fd0bd0a Mon Sep 17 00:00:00 2001 From: bjdgyc Date: Thu, 7 Apr 2022 15:11:14 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20CVE-2016-2183?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 23 ++++++++++++----------- server/admin/server.go | 21 ++++++++++++++++++++- server/handler/server.go | 19 +++++++++---------- 3 files changed, 41 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index ce4ead7..fda050b 100644 --- a/README.md +++ b/README.md @@ -30,16 +30,6 @@ AnyLink 服务端仅在 CentOS 7、Ubuntu 18.04 测试通过,如需要安装 ![online](doc/screenshot/online.jpg) -## Donate - -> 如果您觉得 anylink 对你有帮助,欢迎给我们打赏,也是帮助 anylink 更好的发展。 -> -> [查看打赏列表](doc/README.md) - -

- -

- ## Installation > 没有编程基础的同学建议直接下载 release 包,从下面的地址下载 anylink-deploy.tar.gz @@ -250,14 +240,15 @@ sh bridge-init.sh 5. 启动容器 ```bash + # -e IPV4_CIDR=192.168.10.0/24 这个参数要与配置文件内的网段一致 docker run -itd --name anylink --privileged \ + -e IPV4_CIDR=192.168.10.0/24 -p 443:443 -p 8800:8800 \ --restart=always \ bjdgyc/anylink ``` 6. 使用自定义参数启动容器 - ```bash # 参数可以参考 -h 命令 docker run -itd --name anylink --privileged \ @@ -277,6 +268,16 @@ sh bridge-init.sh docker build -t anylink . ``` +## Donate + +> 如果您觉得 anylink 对你有帮助,欢迎给我们打赏,也是帮助 anylink 更好的发展。 +> +> [查看打赏列表](doc/README.md) + +

+ +

+ ## 常见问题 请前往 [问题地址](doc/question.md) 查看具体信息 diff --git a/server/admin/server.go b/server/admin/server.go index 65d6033..98f3b20 100644 --- a/server/admin/server.go +++ b/server/admin/server.go @@ -2,6 +2,7 @@ package admin import ( + "crypto/tls" "embed" "net/http" "net/http/pprof" @@ -69,7 +70,25 @@ func StartAdmin() { } base.Info("Listen admin", base.Cfg.AdminAddr) - err := http.ListenAndServeTLS(base.Cfg.AdminAddr, base.Cfg.CertFile, base.Cfg.CertKey, r) + + // 修复 CVE-2016-2183 + cipherSuites := tls.CipherSuites() + selectedCipherSuites := make([]uint16, 0, len(cipherSuites)) + for _, s := range cipherSuites { + selectedCipherSuites = append(selectedCipherSuites, s.ID) + } + // 设置tls信息 + tlsConfig := &tls.Config{ + NextProtos: []string{"http/1.1"}, + MinVersion: tls.VersionTLS12, + CipherSuites: selectedCipherSuites, + } + srv := &http.Server{ + Addr: base.Cfg.AdminAddr, + Handler: r, + TLSConfig: tlsConfig, + } + err := srv.ListenAndServeTLS(base.Cfg.CertFile, base.Cfg.CertKey) if err != nil { base.Fatal(err) } diff --git a/server/handler/server.go b/server/handler/server.go index 0168c98..616db0f 100644 --- a/server/handler/server.go +++ b/server/handler/server.go @@ -19,11 +19,8 @@ func startTls() { var ( err error - addr = base.Cfg.ServerAddr - certFile = base.Cfg.CertFile - keyFile = base.Cfg.CertKey - certs = make([]tls.Certificate, 1) - ln net.Listener + addr = base.Cfg.ServerAddr + ln net.Listener ) // 判断证书文件 
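Review bot: The new cipher list in StartAdmin is whatever `tls.CipherSuites()` returns for the toolchain that builds the binary, so whether the 3DES suites behind CVE-2016-2183 are really excluded depends on the Go version: as far as I recall, only Go 1.17 and later moved them to `tls.InsecureCipherSuites()`, and the go.mod version is not visible here. An explicit allowlist of AEAD suites, or at least a comment such as `// tls.CipherSuites() only omits the 3DES suites on toolchains that classify them as insecure (Go >= 1.17); pin an explicit list if older toolchains must be supported`, would make the fix independent of the toolchain. The same loop is repeated verbatim in server/handler/server.go in this commit; a shared helper in base (for example `func SecureCipherSuites() []uint16`) would keep the two listeners from drifting. The new `http.Server` literal also sets no `ReadHeaderTimeout`/`ReadTimeout`/`IdleTimeout` — the replaced `http.ListenAndServeTLS` call had none either, but now that the struct is explicit this is the place to add them, e.g. `ReadHeaderTimeout: 10 * time.Second,` (example value). StartAdmin starts before this hunk.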
@@ -36,16 +33,18 @@ func startTls() { // certs[0], err = tls.LoadX509KeyPair(certFile, keyFile) // } - certs[0], err = tls.LoadX509KeyPair(certFile, keyFile) - if err != nil { - panic(err) + // 修复 CVE-2016-2183 + cipherSuites := tls.CipherSuites() + selectedCipherSuites := make([]uint16, 0, len(cipherSuites)) + for _, s := range cipherSuites { + selectedCipherSuites = append(selectedCipherSuites, s.ID) } // 设置tls信息 tlsConfig := &tls.Config{ NextProtos: []string{"http/1.1"}, MinVersion: tls.VersionTLS12, - Certificates: certs, + CipherSuites: selectedCipherSuites, // InsecureSkipVerify: true, } srv := &http.Server{ @@ -66,7 +65,7 @@ func startTls() { } base.Info("listen server", addr) - err = srv.ServeTLS(ln, "", "") + err = srv.ServeTLS(ln, base.Cfg.CertFile, base.Cfg.CertKey) if err != nil { base.Fatal(err) }
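Review bot: The context lines `// certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)` and `// }` at the top of this hunk now refer to the `certFile`/`keyFile` locals that this commit's first hunk in the file removes, so the commented-out block is dead and misleading; drop it or rewrite it as `// tls.LoadX509KeyPair(base.Cfg.CertFile, base.Cfg.CertKey)`. Because `Certificates: certs` is replaced by handing the paths to `srv.ServeTLS(ln, base.Cfg.CertFile, base.Cfg.CertKey)` in the last hunk, the key pair is no longer parsed before the listener is bound: a missing or malformed file still ends in `base.Fatal`, but only after `ln` is open, and the `// 判断证书文件` comment above this hunk now seems to describe a check the visible code no longer makes — worth confirming against the lines between the hunks. The cipher-suite loop here duplicates the one added in server/admin/server.go and carries the same dependency on which suites the toolchain's `tls.CipherSuites()` classifies as secure. startTls starts before and continues after this hunk.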