修复 CVE-2016-2183

bjdgyc 2022-04-07 15:11:14 +08:00
parent 500a11612c
commit 2b580067a2
3 changed files with 41 additions and 22 deletions


@ -30,16 +30,6 @@ AnyLink 服务端仅在 CentOS 7、Ubuntu 18.04 测试通过,如需要安装
![online](doc/screenshot/online.jpg) ![online](doc/screenshot/online.jpg)
## Donate
> 如果您觉得 anylink 对你有帮助,欢迎给我们打赏,也是帮助 anylink 更好的发展。
>
> [查看打赏列表](doc/README.md)
<p>
<img src="doc/screenshot/wxpay2.png" width="400" />
</p>
## Installation ## Installation
> 没有编程基础的同学建议直接下载 release 包,从下面的地址下载 anylink-deploy.tar.gz > 没有编程基础的同学建议直接下载 release 包,从下面的地址下载 anylink-deploy.tar.gz
@ -250,14 +240,15 @@ sh bridge-init.sh
5. 启动容器 5. 启动容器
```bash ```bash
# -e IPV4_CIDR=192.168.10.0/24 这个参数要与配置文件内的网段一致
docker run -itd --name anylink --privileged \ docker run -itd --name anylink --privileged \
-e IPV4_CIDR=192.168.10.0/24
-p 443:443 -p 8800:8800 \ -p 443:443 -p 8800:8800 \
--restart=always \ --restart=always \
bjdgyc/anylink bjdgyc/anylink
``` ```
6. 使用自定义参数启动容器 6. 使用自定义参数启动容器
```bash ```bash
# 参数可以参考 -h 命令 # 参数可以参考 -h 命令
docker run -itd --name anylink --privileged \ docker run -itd --name anylink --privileged \
@ -277,6 +268,16 @@ sh bridge-init.sh
docker build -t anylink . docker build -t anylink .
``` ```
## Donate
> 如果您觉得 anylink 对你有帮助,欢迎给我们打赏,也是帮助 anylink 更好的发展。
>
> [查看打赏列表](doc/README.md)
<p>
<img src="doc/screenshot/wxpay2.png" width="400" />
</p>
## 常见问题 ## 常见问题
请前往 [问题地址](doc/question.md) 查看具体信息 请前往 [问题地址](doc/question.md) 查看具体信息


@ -2,6 +2,7 @@
package admin package admin
import ( import (
"crypto/tls"
"embed" "embed"
"net/http" "net/http"
"net/http/pprof" "net/http/pprof"
@ -69,7 +70,25 @@ func StartAdmin() {
} }
base.Info("Listen admin", base.Cfg.AdminAddr) base.Info("Listen admin", base.Cfg.AdminAddr)
err := http.ListenAndServeTLS(base.Cfg.AdminAddr, base.Cfg.CertFile, base.Cfg.CertKey, r)
// 修复 CVE-2016-2183
cipherSuites := tls.CipherSuites()
selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
for _, s := range cipherSuites {
selectedCipherSuites = append(selectedCipherSuites, s.ID)
}
// 设置tls信息
tlsConfig := &tls.Config{
NextProtos: []string{"http/1.1"},
MinVersion: tls.VersionTLS12,
CipherSuites: selectedCipherSuites,
}
srv := &http.Server{
Addr: base.Cfg.AdminAddr,
Handler: r,
TLSConfig: tlsConfig,
}
err := srv.ListenAndServeTLS(base.Cfg.CertFile, base.Cfg.CertKey)
if err != nil { if err != nil {
base.Fatal(err) base.Fatal(err)
} }
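Review bot: Building CipherSuites from tls.CipherSuites() may not actually drop the 3DES suites that CVE-2016-2183 concerns: in the Go toolchains current when this commit was made, TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA were, as far as I recall, still returned by CipherSuites() rather than InsecureCipherSuites() (they were reclassified only in a later Go release), so the list built in the loop after `// 修复 CVE-2016-2183` would still offer them; worth confirming against the pinned Go version by printing tls.CipherSuites() once. If so, the loop should skip those two IDs explicitly, which also makes the intent of the block visible to the next reader instead of relying on the CVE number in the comment. The same loop is duplicated verbatim in the startTls hunk of the server file in this commit; it would be cleaner as one shared helper (for example in the base package) called from both places, with a doc comment stating that it returns Go's secure suites minus 3DES. StartAdmin's body begins outside the hunk.
```go
	// CVE-2016-2183 (SWEET32): keep only the suites Go classifies as secure,
	// and drop the 3DES suites explicitly in case this toolchain still lists them.
	cipherSuites := tls.CipherSuites()
	selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
	for _, s := range cipherSuites {
		if s.ID == tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA || s.ID == tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA {
			continue
		}
		selectedCipherSuites = append(selectedCipherSuites, s.ID)
	}
	// … unchanged: tls.Config and http.Server construction, ListenAndServeTLS …
```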


@ -19,11 +19,8 @@ func startTls() {
var ( var (
err error err error
addr = base.Cfg.ServerAddr addr = base.Cfg.ServerAddr
certFile = base.Cfg.CertFile ln net.Listener
keyFile = base.Cfg.CertKey
certs = make([]tls.Certificate, 1)
ln net.Listener
) )
// 判断证书文件 // 判断证书文件
@ -36,16 +33,18 @@ func startTls() {
// certs[0], err = tls.LoadX509KeyPair(certFile, keyFile) // certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
// } // }
certs[0], err = tls.LoadX509KeyPair(certFile, keyFile) // 修复 CVE-2016-2183
if err != nil { cipherSuites := tls.CipherSuites()
panic(err) selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
for _, s := range cipherSuites {
selectedCipherSuites = append(selectedCipherSuites, s.ID)
} }
// 设置tls信息 // 设置tls信息
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
NextProtos: []string{"http/1.1"}, NextProtos: []string{"http/1.1"},
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
Certificates: certs, CipherSuites: selectedCipherSuites,
// InsecureSkipVerify: true, // InsecureSkipVerify: true,
} }
srv := &http.Server{ srv := &http.Server{
@ -66,7 +65,7 @@ func startTls() {
} }
base.Info("listen server", addr) base.Info("listen server", addr)
err = srv.ServeTLS(ln, "", "") err = srv.ServeTLS(ln, base.Cfg.CertFile, base.Cfg.CertKey)
if err != nil { if err != nil {
base.Fatal(err) base.Fatal(err)
} }
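Review bot: The commented-out block at the top of the second hunk (`// certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)` and `// }`) still names certFile, keyFile and certs, all of which this commit removes from the var block, so it is now dead text that suggests those variables exist; either delete the commented lines or rewrite them to name base.Cfg.CertFile and base.Cfg.CertKey. Since `err = srv.ServeTLS(ln, base.Cfg.CertFile, base.Cfg.CertKey)` now loads the certificate itself, a bad certificate path is reported through base.Fatal in the last hunk instead of the earlier panic, which is fine but deserves a one-line comment above the call such as `// ServeTLS loads the key pair; a load error is reported via base.Fatal below`. That commented-out block begins before the hunk, and startTls starts and ends outside the hunks shown.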