Merge pull request #308 from bjdgyc/dev

Dev

.gitignore

@@ -2,6 +2,7 @@
 .idea/
 anylink-deploy
 anylink-deploy.tar.gz
+anylink-deploy-*
 anylink
 anylink.db
 

README.md

@@ -26,7 +26,7 @@ AnyLink 基于 [ietf-openconnect](https://tools.ietf.org/html/draft-mavrogiannop
 AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以通过 Let's Encrypt 和 TrustAsia 申请免费的 SSL 证书。
 
 AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试通过，如需要安装在其他系统，需要服务端支持 tun/tap
-功能、ip 设置命令。
+功能、ip 设置命令、iptables命令。
 
 ## Screenshot
 
@@ -74,18 +74,22 @@ AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试
 
 ### 自行编译安装
 
-> 需要提前安装好 golang >= 1.20 和 nodejs = 16.x 和 yarn >= v1.22.x
+> 需要提前安装好 docker
 
 ```shell
 git clone https://github.com/bjdgyc/anylink.git
 
-# 编译参考软件版本
+# docker编译 参考软件版本(不需要安装)
 # go 1.20.12
 # node v16.20.2
 # yarn 1.22.19
 
 
 cd anylink
+
+# 编译前端
+bash build_web.sh
+# 编译 anylink-deploy 发布文件
 bash build.sh
 
 # 注意使用root权限运行

build.sh

@@ -7,15 +7,22 @@ ver=$(cat version)
 echo $ver
 
 #前端编译 仅需要执行一次
-bash ./build_web.sh
+#bash ./build_web.sh
 
-cd $cpath/server
+bash build_docker.sh
 
-go build -v -o anylink
-
-./anylink -v
+deploy="anylink-deploy-$ver"
+docker container rm $deploy
+docker container create --name $deploy bjdgyc/anylink:$ver
+rm -rf anylink-deploy anylink-deploy.tar.gz
+docker cp -a $deploy:/app ./anylink-deploy
+tar zcf ${deploy}.tar.gz anylink-deploy
 
 
-echo "anylink 编译完成，目录: $cpath/server/anylink"
+./anylink-deploy/anylink -v
+
+
+echo "anylink 编译完成，目录: anylink-deploy"
+ls -lh anylink-deploy
 
 

build_docker.sh

@@ -11,8 +11,9 @@ echo $ver
 #bash ./build_web.sh
 
 # docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 本地不生成镜像
-docker build -t bjdgyc/anylink:latest --no-cache --progress=plain --platform linux/amd64 \
-  --build-arg CN="yes" --build-arg appVer=$ver --build-arg commitId=$(git rev-parse HEAD) -f docker/Dockerfile .
+docker build -t bjdgyc/anylink:latest --no-cache --progress=plain \
+  --build-arg CN="yes" --build-arg appVer=$ver --build-arg commitId=$(git rev-parse HEAD) \
+  -f docker/Dockerfile .
 
 echo "docker tag latest $ver"
 docker tag bjdgyc/anylink:latest bjdgyc/anylink:$ver

doc/question.md

@@ -10,6 +10,10 @@
 
 > 请使用手机安装 freeotp ，然后扫描otp二维码，生成的数字即是动态码
 
+### 用户策略问题
+
+> 只要有用户策略，组策略就不生效，相当于覆盖了组策略的配置
+
 ### 远程桌面连接
 
 > 本软件已经支持远程桌面里面连接anyconnect。

server/admin/api_user.go

@@ -17,6 +17,7 @@ import (
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/sessdata"
 	"github.com/skip2/go-qrcode"
+	mail "github.com/xhit/go-simple-mail/v2"
 )
 
 func UserList(w http.ResponseWriter, r *http.Request) {
@@ -272,5 +273,13 @@ func userAccountMail(user *dbdata.User) error {
 		return err
 	}
 	// fmt.Println(w.String())
-	return SendMail(base.Cfg.Issuer+"平台通知", user.Email, w.String())
+	imgData, _ := userOtpQr(user.Id, false)
+	attach := &mail.File{
+		MimeType: "image/png",
+		Name:     "userOtpQr.png",
+		Data:     []byte(imgData),
+		Inline:   true,
+	}
+
+	return SendMail(base.Cfg.Issuer, user.Email, w.String(), attach)
 }

server/admin/common.go

@@ -43,7 +43,7 @@ func GetJwtData(jwtToken string) (map[string]interface{}, error) {
 	return claims, nil
 }
 
-func SendMail(subject, to, htmlBody string) error {
+func SendMail(subject, to, htmlBody string, attach *mail.File) error {
 
 	dataSmtp := &dbdata.SettingSmtp{}
 	err := dbdata.SettingGet(dataSmtp)
@@ -102,6 +102,10 @@ func SendMail(subject, to, htmlBody string) error {
 		AddTo(to).
 		SetSubject(subject)
 
+	if attach != nil {
+		email.Attach(attach)
+	}
+
 	email.SetBody(mail.TextHTML, htmlBody)
 
 	// Call Send and pass the client

server/base/config.go

@@ -55,9 +55,9 @@ var configs = []config{
 	{Typ: cfgInt, Name: "max_client", Usage: "最大用户连接", ValInt: 200},
 	{Typ: cfgInt, Name: "max_user_client", Usage: "最大单用户连接", ValInt: 3},
 	{Typ: cfgInt, Name: "cstp_keepalive", Usage: "keepalive时间(秒)", ValInt: 3},
-	{Typ: cfgInt, Name: "cstp_dpd", Usage: "死链接检测时间(秒)", ValInt: 10},
+	{Typ: cfgInt, Name: "cstp_dpd", Usage: "死链接检测时间(秒)", ValInt: 20},
 	{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 4},
-	{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 15},
+	{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 60},
 	{Typ: cfgInt, Name: "mtu", Usage: "最大传输单元MTU", ValInt: 1460},
 	{Typ: cfgInt, Name: "idle_timeout", Usage: "空闲链接超时时间(秒)-超时后断开链接，0关闭此功能", ValInt: 0},
 	{Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)-用于断线重连，0永不过期", ValInt: 3600},

server/conf/server-sample.toml

@@ -12,9 +12,15 @@ cert_key = "./conf/vpn_cert.key"
 files_path = "./conf/files"
 profile = "./conf/profile.xml"
 #profile name(用于区分不同服务端的配置)
-#客户端存放位置 C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile
+#客户端存放位置
+#Windows 10
+#%ProgramData%Cisco\Cisco AnyConnect Secure Mobility Client\Profile
+#Mac Os X
+#/opt/cisco/anyconnect/profile
+#Linux
+#/opt/cisco/anyconnect/profile
 profile_name = "anylink"
-#日志目录,为空写入标准输出
+#日志目录,默认为空写入标准输出
 #log_path = "./log"
 log_path = ""
 log_level = "debug"
@@ -66,9 +72,9 @@ default_group = "one"
 
 #客户端失效检测时间(秒) dpd > keepalive
 cstp_keepalive = 3
-cstp_dpd = 10
+cstp_dpd = 20
 mobile_keepalive = 4
-mobile_dpd = 15
+mobile_dpd = 60
 
 # 根据实际情况修改
 #cstp_keepalive = 20

server/conf/server.toml

@@ -10,6 +10,9 @@ db_source = "./conf/anylink.db"
 cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"
 files_path = "./conf/files"
+
+#日志目录,默认为空写入标准输出
+#log_path = "./log"
 log_level = "debug"
 
 #系统名称

server/dbdata/db.go

@@ -183,10 +183,15 @@ const accountMail = `<p>您好:</p>
     用户PIN码: <b>{{.PinCode}}</b> <br/>
     <!-- 
     用户动态码(3天后失效):<br/>
-    <img src="{{.OtpImg}}"/>
+    <img src="{{.OtpImg}}"/><br/>
+
+    用户动态码(请妥善保存):<br/>
+    <img src="{{.OtpImgBase64}}"/><br/>
+
+    下面是兼容 gmail 的写法
     -->
     用户动态码(请妥善保存):<br/>
-    <img src="{{.OtpImgBase64}}"/>
+    <img src="cid:userOtpQr.png" alt="userOtpQr" /><br/>
 </p>
 <div>
     使用说明:

server/handler/start.go

@@ -17,6 +17,12 @@ func Start() {
 	sessdata.Start()
 	cron.Start()
 
+	// 开启服务器转发
+	err := execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"})
+	if err != nil {
+		base.Fatal(err)
+	}
+
 	switch base.Cfg.LinkMode {
 	case base.LinkModeTUN:
 		checkTun()

web/src/pages/group/List.vue

@@ -197,10 +197,14 @@
                 </el-input>
                 </el-form-item>
                 <el-form-item label="排除本地网络" prop="allow_lan">
-                <el-switch
-                    v-model="ruleForm.allow_lan"
-                    active-text="开启后 用户本地所在网段将不通过anylink加密传输">
-                </el-switch>
+                <!--  active-text="开启后 用户本地所在网段将不通过anylink加密传输" -->
+                <el-switch v-model="ruleForm.allow_lan"></el-switch>
+                <div class="msg-info">
+                 注：本地网络 指的是：
+                 运行 anyconnect 客户端的PC 所在的的网络，既本地路由网段。
+                 开启后，PC本地路由网段的数据就不会走隧道链路转发数据了。
+                 同时 anyconnect 客户端需要勾选本地网络(Local Lan)的开关，功能才能生效。
+                 </div>
                 </el-form-item>
 
                 <el-form-item label="客户端DNS" prop="client_dns">
@@ -377,7 +381,7 @@
                 </el-form-item>                
                 <el-form-item label="排除域名" prop="ds_exclude_domains">
                     <el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
-                    <div class="msg-info">注：域名拆分隧道，仅支持AnyConnect的桌面客户端，不支持移动端.</div>
+                    <div class="msg-info">注：域名拆分隧道，仅支持AnyConnect的windows和MacOS桌面客户端，不支持移动端.</div>
                 </el-form-item>
             </el-tab-pane>
             <el-form-item>