内网域名

支持分割DNS功能

README.md

@@ -23,7 +23,7 @@ AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同
 AnyLink 基于 [ietf-openconnect](https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-02)
 协议开发，并且借鉴了 [ocserv](http://ocserv.gitlab.io/www/index.html) 的开发思路，使其可以同时兼容 AnyConnect 客户端。
 
-AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以通过 Let's Encrypt 和 TrustAsia 申请免费的 SSL 证书。
+AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以使用私有自签证书，可以通过 Let's Encrypt 和 TrustAsia 申请免费的 SSL 证书。
 
 AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试通过，如需要安装在其他系统，需要服务端支持 tun/tap
 功能、ip 设置命令、iptables命令。
@@ -60,9 +60,9 @@ AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试
 
 ### 使用问题
 
-> 对于测试环境，可以使用 vpn.test.vqilu.cn 绑定host进行测试
+> 对于测试环境，可以直接进行测试，需要客户端取消勾选【阻止不受信任的服务器(Block connections to untrusted servers)】
 >
-> 对于线上环境，必须申请安全的https证书(跟nginx使用的证书类型一致)，不支持私有证书连接
+> 对于线上环境，尽量申请安全的https证书(跟nginx使用的pem证书类型一致)
 >
 > 群共享文件有相关客户端软件下载，其他版本没有测试过，不保证使用正常
 > 
@@ -133,6 +133,7 @@ sudo ./anylink
 - [x] 流量压缩功能
 - [x] 出口 IP 自动放行
 - [x] 支持多服务的配置区分
+- [x] 支持私有自签证书
 - [ ] 基于 ipvtap 设备的桥接访问模式
 
 ## Config

server/admin/api_group.go

@@ -75,6 +75,10 @@ func GroupDetail(w http.ResponseWriter, r *http.Request) {
 	if len(data.Auth) == 0 {
 		data.Auth["type"] = "local"
 	}
+	// 兼容旧数据
+	if data.SplitDns == nil {
+		data.SplitDns = []dbdata.ValData{}
+	}
 	RespSucess(w, data)
 }
 

server/admin/api_user.go

@@ -214,6 +214,7 @@ type userAccountMailData struct {
 	PinCode      string
 	OtpImg       string
 	OtpImgBase64 string
+	DisableOtp   bool
 }
 
 func userAccountMail(user *dbdata.User) error {
@@ -265,6 +266,7 @@ func userAccountMail(user *dbdata.User) error {
 		PinCode:      user.PinCode,
 		OtpImg:       fmt.Sprintf("https://%s/otp_qr?id=%d&jwt=%s", setting.LinkAddr, user.Id, tokenString),
 		OtpImgBase64: "data:image/png;base64," + otpData,
+		DisableOtp:   user.DisableOtp,
 	}
 	w := bytes.NewBufferString("")
 	t, _ := template.New("auth_complete").Parse(htmlBody)
@@ -273,13 +275,19 @@ func userAccountMail(user *dbdata.User) error {
 		return err
 	}
 	// fmt.Println(w.String())
+
+	var attach *mail.File
+	if user.DisableOtp {
+		attach = nil
+	} else {
 		imgData, _ := userOtpQr(user.Id, false)
-	attach := &mail.File{
+		attach = &mail.File{
 			MimeType: "image/png",
 			Name:     "userOtpQr.png",
 			Data:     []byte(imgData),
 			Inline:   true,
 		}
+	}
 
 	return SendMail(base.Cfg.Issuer, user.Email, w.String(), attach)
 }

server/admin/server.go

@@ -111,12 +111,6 @@ func StartAdmin() {
 		selectedCipherSuites = append(selectedCipherSuites, s.ID)
 	}
 
-	if tlscert, _, err := dbdata.ParseCert(); err != nil {
-		base.Fatal("证书加载失败", err)
-	} else {
-		dbdata.LoadCertificate(tlscert)
-	}
-
 	// 设置tls信息
 	tlsConfig := &tls.Config{
 		NextProtos:   []string{"http/1.1"},

server/conf/profile.xml

@@ -9,6 +9,7 @@
         <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
         <BypassDownloader>true</BypassDownloader>
         <AutoUpdate UserControllable="false">false</AutoUpdate>
+        <LocalLanAccess UserControllable="true">true</LocalLanAccess>
         <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
         <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
         <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>

server/dbdata/db.go

@@ -174,6 +174,9 @@ func CheckErrNotFound(err error) bool {
 	return err == ErrNotFound
 }
 
+// base64 图片
+// 用户动态码(请妥善保存):<br/>
+// <img src="{{.OtpImgBase64}}"/><br/>
 const accountMail = `<p>您好:</p>
 <p>&nbsp;&nbsp;您的{{.Issuer}}账号已经审核开通。</p>
 <p>
@@ -181,17 +184,18 @@ const accountMail = `<p>您好:</p>
     用户组: <b>{{.Group}}</b> <br/>
     用户名: <b>{{.Username}}</b> <br/>
     用户PIN码: <b>{{.PinCode}}</b> <br/>
+    {{if .DisableOtp}}
+    <!-- nothing -->
+    {{else}}
+	
     <!-- 
     用户动态码(3天后失效):<br/>
     <img src="{{.OtpImg}}"/><br/>
-
-    用户动态码(请妥善保存):<br/>
-    <img src="{{.OtpImgBase64}}"/><br/>
-
-    下面是兼容 gmail 的写法
     -->
     用户动态码(请妥善保存):<br/>
     <img src="cid:userOtpQr.png" alt="userOtpQr" /><br/>
+
+    {{end}}
 </p>
 <div>
     使用说明:

server/dbdata/group.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"
 
@@ -26,7 +27,8 @@ type GroupLinkAcl struct {
 	// 自上而下匹配 默认 allow * *
 	Action string          `json:"action"` // allow、deny
 	Val    string          `json:"val"`
-	Port   uint16     `json:"port"`
+	Port   string          `json:"port"` // 兼容单端口历史数据类型uint16
+	Ports  map[uint16]int8 `json:"ports"`
 	IpNet  *net.IPNet      `json:"ip_net"`
 	Note   string          `json:"note"`
 }
@@ -161,14 +163,59 @@ func SetGroup(g *Group) error {
 				return errors.New("GroupLinkAcl 错误" + err.Error())
 			}
 			v.IpNet = ipNet
+
+			portsStr := v.Port
+			v.Port = strings.TrimSpace(portsStr)
+			// switch vp := v.Port.(type) {
+			// case float64:
+			// 	portsStr = strconv.Itoa(int(vp))
+			// case string:
+			// 	portsStr = vp
+			// }
+
+			if regexp.MustCompile(`^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$`).MatchString(portsStr) {
+				ports := map[uint16]int8{}
+				for _, p := range strings.Split(portsStr, ",") {
+					if p == "" {
+						continue
+					}
+					if regexp.MustCompile(`^\d{1,5}-\d{1,5}$`).MatchString(p) {
+						rp := strings.Split(p, "-")
+						portfrom, err := strconv.Atoi(rp[0])
+						if err != nil {
+							return errors.New("端口:" + rp[0] + " 格式错误, " + err.Error())
+						}
+						portto, err := strconv.Atoi(rp[1])
+						if err != nil {
+							return errors.New("端口:" + rp[1] + " 格式错误, " + err.Error())
+						}
+						for i := portfrom; i <= portto; i++ {
+							ports[uint16(i)] = 1
+						}
+
+					} else {
+						port, err := strconv.Atoi(p)
+						if err != nil {
+							return errors.New("端口:" + p + " 格式错误, " + err.Error())
+						}
+						ports[uint16(port)] = 1
+					}
+				}
+				v.Ports = ports
 				linkAcl = append(linkAcl, v)
+			} else {
+				return errors.New("端口: " + portsStr + " 格式错误,请用逗号分隔的端口,比如: 22,80,443 连续端口用-,比如:1234-5678")
+			}
+
 		}
 	}
+
 	g.LinkAcl = linkAcl
 
 	// DNS 判断
 	clientDns := []ValData{}
 	for _, v := range g.ClientDns {
+		v.Val = strings.TrimSpace(v.Val)
 		if v.Val != "" {
 			ip := net.ParseIP(v.Val)
 			if ip.String() != v.Val {
@@ -183,6 +230,20 @@ func SetGroup(g *Group) error {
 		return errors.New("默认路由，必须设置一个DNS")
 	}
 	g.ClientDns = clientDns
+
+	splitDns := []ValData{}
+	for _, v := range g.SplitDns {
+		v.Val = strings.TrimSpace(v.Val)
+		if v.Val != "" {
+			ValidateDomainName(v.Val)
+			if !ValidateDomainName(v.Val) {
+				return errors.New("域名 错误")
+			}
+			splitDns = append(splitDns, v)
+		}
+	}
+	g.SplitDns = splitDns
+
 	// 域名拆分隧道，不能同时填写
 	g.DsIncludeDomains = strings.TrimSpace(g.DsIncludeDomains)
 	g.DsExcludeDomains = strings.TrimSpace(g.DsExcludeDomains)
@@ -238,6 +299,15 @@ func SetGroup(g *Group) error {
 	return err
 }
 
+func ContainsInPorts(ports map[uint16]int8, port uint16) bool {
+	_, ok := ports[port]
+	if ok {
+		return true
+	} else {
+		return false
+	}
+}
+
 func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
 	g := &Group{Auth: authData}
 	authType := g.Auth["type"].(string)

server/dbdata/tables.go

@@ -11,6 +11,7 @@ type Group struct {
 	Note             string                 `json:"note" xorm:"varchar(255)"`
 	AllowLan         bool                   `json:"allow_lan" xorm:"Bool"`
 	ClientDns        []ValData              `json:"client_dns" xorm:"Text"`
+	SplitDns         []ValData              `json:"split_dns" xorm:"Text"`
 	RouteInclude     []ValData              `json:"route_include" xorm:"Text"`
 	RouteExclude     []ValData              `json:"route_exclude" xorm:"Text"`
 	DsExcludeDomains string                 `json:"ds_exclude_domains" xorm:"Text"`

server/handler/link_auth.go

@@ -17,7 +17,10 @@ import (
 	"github.com/bjdgyc/anylink/sessdata"
 )
 
-var profileHash = ""
+var (
+	profileHash = ""
+	certHash    = ""
+)
 
 func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	// TODO 调试信息输出
@@ -138,7 +141,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	other := &dbdata.SettingOther{}
 	_ = dbdata.SettingGet(other)
 	rd := RequestData{SessionId: sess.Sid, SessionToken: sess.Sid + "@" + sess.Token,
-		Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash}
+		Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash, CertHash: certHash}
 	w.WriteHeader(http.StatusOK)
 	tplRequest(tpl_complete, w, rd)
 	base.Info("login", cr.Auth.Username, userAgent)
@@ -178,6 +181,7 @@ type RequestData struct {
 	Banner       string
 	ProfileName  string
 	ProfileHash  string
+	CertHash     string
 }
 
 var auth_request = `<?xml version="1.0" encoding="UTF-8"?>
@@ -223,7 +227,7 @@ var auth_complete = `<?xml version="1.0" encoding="UTF-8"?>
     </capabilities>
     <config client="vpn" type="private">
         <vpn-base-config>
-            <server-cert-hash>240B97A685B2BFA66AD699B90AAC49EA66495D69</server-cert-hash>
+            <server-cert-hash>{{.CertHash}}</server-cert-hash>
         </vpn-base-config>
         <opaque is-for="vpn-client"></opaque>
         <vpn-profile-manifest>

server/handler/link_tunnel.go

@@ -86,7 +86,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	}
 	cSess.CstpDpd = cstpDpd
 
-	dtlsPort := "4433"
+	dtlsPort := "443"
 	if strings.Contains(base.Cfg.ServerDTLSAddr, ":") {
 		ss := strings.Split(base.Cfg.ServerDTLSAddr, ":")
 		dtlsPort = ss[1]
@@ -131,6 +131,11 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	for _, v := range cSess.Group.ClientDns {
 		HttpAddHeader(w, "X-CSTP-DNS", v.Val)
 	}
+	// 分割dns
+	for _, v := range cSess.Group.SplitDns {
+		HttpAddHeader(w, "X-CSTP-Split-DNS", v.Val)
+	}
+
 	// 允许的路由
 	for _, v := range cSess.Group.RouteInclude {
 		if strings.ToLower(v.Val) == dbdata.All {
@@ -156,9 +161,9 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-CSTP-Keep", "true")
 	HttpSetHeader(w, "X-CSTP-Tunnel-All-DNS", "false")
 
-	HttpSetHeader(w, "X-CSTP-Rekey-Time", "43200") // 172800
+	HttpSetHeader(w, "X-CSTP-Rekey-Time", "86400") // 172800
 	HttpSetHeader(w, "X-CSTP-Rekey-Method", "new-tunnel")
-	HttpSetHeader(w, "X-DTLS-Rekey-Time", "43200")
+	HttpSetHeader(w, "X-DTLS-Rekey-Time", "86400")
 	HttpSetHeader(w, "X-DTLS-Rekey-Method", "new-tunnel")
 
 	HttpSetHeader(w, "X-CSTP-DPD", fmt.Sprintf("%d", cstpDpd))
@@ -180,7 +185,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	HttpSetHeader(w, "X-CSTP-Routing-Filtering-Ignore", "false")
 	HttpSetHeader(w, "X-CSTP-Quarantine", "false")
 	HttpSetHeader(w, "X-CSTP-Disable-Always-On-VPN", "false")
-	HttpSetHeader(w, "X-CSTP-Client-Bypass-Protocol", "false")
+	HttpSetHeader(w, "X-CSTP-Client-Bypass-Protocol", "true")
 	HttpSetHeader(w, "X-CSTP-TCP-Keepalive", "false")
 	// 设置域名拆分隧道（移动端不支持）
 	if mobile != "mobile" {

server/handler/payload.go

@@ -88,8 +88,21 @@ func checkLinkAcl(group *dbdata.Group, pl *sessdata.Payload) bool {
 	for _, v := range group.LinkAcl {
 		// 循环判断ip和端口
 		if v.IpNet.Contains(ipDst) {
+
 			// 放行允许ip的ping
-			if v.Port == ipPort || v.Port == 0 || ipProto == waterutil.ICMP {
+			// if v.Ports == nil || len(v.Ports) == 0 {
+			// 	//单端口历史数据兼容
+			// 	port := uint16(v.Port.(float64))
+			// 	if port == ipPort || port == 0 || ipProto == waterutil.ICMP {
+			// 		if v.Action == dbdata.Allow {
+			// 			return true
+			// 		} else {
+			// 			return false
+			// 		}
+			// 	}
+			// } else {
+
+			if dbdata.ContainsInPorts(v.Ports, ipPort) || dbdata.ContainsInPorts(v.Ports, 0) || ipProto == waterutil.ICMP {
 				if v.Action == dbdata.Allow {
 					return true
 				} else {

server/handler/server.go

@@ -1,13 +1,16 @@
 package handler
 
 import (
+	"crypto/sha1"
 	"crypto/tls"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/bjdgyc/anylink/base"
@@ -36,6 +39,19 @@ func startTls() {
 	//	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
 	// }
 
+	tlscert, _, err := dbdata.ParseCert()
+	if err != nil {
+		base.Fatal("证书加载失败", err)
+	}
+	dbdata.LoadCertificate(tlscert)
+
+	// 计算证书hash值
+	s1 := sha1.New()
+	s1.Write(tlscert.Certificate[0])
+	h2s := hex.EncodeToString(s1.Sum(nil))
+	certHash = strings.ToUpper(h2s)
+	base.Info("certHash", certHash)
+
 	// 修复 CVE-2016-2183
 	// https://segmentfault.com/a/1190000038486901
 	// nmap -sV --script ssl-enum-ciphers -p 443 www.example.com

version

@@ -1 +1 @@
-0.11.4
+0.12.1

web/src/pages/group/List.vue

@@ -50,7 +50,8 @@
             label="带宽限制"
             width="90">
           <template slot-scope="scope">
-                <el-row v-if="scope.row.bandwidth > 0">{{ convertBandwidth(scope.row.bandwidth, 'BYTE', 'Mbps') }} Mbps</el-row>
+            <el-row v-if="scope.row.bandwidth > 0">{{ convertBandwidth(scope.row.bandwidth, 'BYTE', 'Mbps') }} Mbps
+            </el-row>
             <el-row v-else>不限</el-row>
           </template>
         </el-table-column>
@@ -69,12 +70,20 @@
             label="路由包含"
             width="180">
           <template slot-scope="scope">
-            <el-row v-for="(item,inx) in scope.row.route_include.slice(0, readMinRows)" :key="inx">{{ item.val }}</el-row>
+            <el-row v-for="(item,inx) in scope.row.route_include.slice(0, readMinRows)" :key="inx">{{
+                item.val
+              }}
+            </el-row>
             <div v-if="scope.row.route_include.length > readMinRows">
               <div v-if="readMore[`ri_${ scope.row.id }`]">
-                <el-row v-for="(item,inx) in scope.row.route_include.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>              
+                <el-row v-for="(item,inx) in scope.row.route_include.slice(readMinRows)" :key="inx">{{
+                    item.val
+                  }}
+                </el-row>
               </div>
-              <el-button size="mini" type="text" @click="toggleMore(`ri_${ scope.row.id }`)">{{ readMore[`ri_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
+              <el-button size="mini" type="text" @click="toggleMore(`ri_${ scope.row.id }`)">
+                {{ readMore[`ri_${scope.row.id}`] ? "▲ 收起" : "▼ 更多" }}
+              </el-button>
             </div>
           </template>
         </el-table-column>
@@ -84,12 +93,20 @@
             label="路由排除"
             width="180">
           <template slot-scope="scope">
-            <el-row v-for="(item,inx) in scope.row.route_exclude.slice(0, readMinRows)" :key="inx">{{ item.val }}</el-row>
+            <el-row v-for="(item,inx) in scope.row.route_exclude.slice(0, readMinRows)" :key="inx">{{
+                item.val
+              }}
+            </el-row>
             <div v-if="scope.row.route_exclude.length > readMinRows">
               <div v-if="readMore[`re_${ scope.row.id }`]">
-                <el-row v-for="(item,inx) in scope.row.route_exclude.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>              
+                <el-row v-for="(item,inx) in scope.row.route_exclude.slice(readMinRows)" :key="inx">{{
+                    item.val
+                  }}
+                </el-row>
               </div>
-              <el-button size="mini" type="text" @click="toggleMore(`re_${ scope.row.id }`)">{{ readMore[`re_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
+              <el-button size="mini" type="text" @click="toggleMore(`re_${ scope.row.id }`)">
+                {{ readMore[`re_${scope.row.id}`] ? "▲ 收起" : "▼ 更多" }}
+              </el-button>
             </div>
           </template>
         </el-table-column>
@@ -108,7 +125,9 @@
                   {{ item.action }} => {{ item.val }} : {{ item.port }}
                 </el-row>
               </div>
-              <el-button size="mini" type="text" @click="toggleMore(`la_${ scope.row.id }`)">{{ readMore[`la_${ scope.row.id }`] ? "▲ 收起" : "▼ 更多" }}</el-button>              
+              <el-button size="mini" type="text" @click="toggleMore(`la_${ scope.row.id }`)">
+                {{ readMore[`la_${scope.row.id}`] ? "▲ 收起" : "▼ 更多" }}
+              </el-button>
             </div>
           </template>
         </el-table-column>
@@ -192,7 +211,8 @@
             </el-form-item>
 
             <el-form-item label="带宽限制" prop="bandwidth_format" style="width:260px;">
-                <el-input v-model="ruleForm.bandwidth_format" oninput="value= value.match(/\d+(\.\d{0,2})?/) ? value.match(/\d+(\.\d{0,2})?/)[0] : ''">
+              <el-input v-model="ruleForm.bandwidth_format"
+                        oninput="value= value.match(/\d+(\.\d{0,2})?/) ? value.match(/\d+(\.\d{0,2})?/)[0] : ''">
                 <template slot="append">Mbps</template>
               </el-input>
             </el-form-item>
@@ -201,9 +221,9 @@
               <el-switch v-model="ruleForm.allow_lan"></el-switch>
               <div class="msg-info">
                 注：本地网络 指的是：
-                 运行 anyconnect 客户端的PC 所在的的网络，既本地路由网段。
+                运行 anyconnect 客户端的PC 所在的的网络，即本地路由网段。
                 开启后，PC本地路由网段的数据就不会走隧道链路转发数据了。
-                 同时 anyconnect 客户端需要勾选本地网络(Local Lan)的开关，功能才能生效。
+                同时 anyconnect 客户端需要勾选本地网络(Allow Local Lan)的开关，功能才能生效。
               </div>
             </el-form-item>
 
@@ -229,6 +249,30 @@
                 </el-col>
               </el-row>
             </el-form-item>
+
+            <el-form-item label="内网域名" prop="split_dns">
+              <el-row class="msg-info">
+                <el-col :span="20">(分割DNS)一般留空。如果输入域名，只有配置的域名(包含子域名)走配置的dns</el-col>
+                <el-col :span="4">
+                  <el-button size="mini" type="success" icon="el-icon-plus" circle
+                             @click.prevent="addDomain(ruleForm.split_dns)"></el-button>
+                </el-col>
+              </el-row>
+              <el-row v-for="(item,index) in ruleForm.split_dns"
+                      :key="index" style="margin-bottom: 5px" :gutter="10">
+                <el-col :span="10">
+                  <el-input v-model="item.val"></el-input>
+                </el-col>
+                <el-col :span="12">
+                  <el-input v-model="item.note" placeholder="备注"></el-input>
+                </el-col>
+                <el-col :span="2">
+                  <el-button size="mini" type="danger" icon="el-icon-minus" circle
+                             @click.prevent="removeDomain(ruleForm.split_dns,index)"></el-button>
+                </el-col>
+              </el-row>
+            </el-form-item>
+
             <el-form-item label="状态" prop="status">
               <el-radio-group v-model="ruleForm.status">
                 <el-radio :label="1" border>启用</el-radio>
@@ -246,38 +290,50 @@
               </el-radio-group>
             </el-form-item>
             <template v-if="ruleForm.auth.type == 'radius'">
-                  <el-form-item label="服务器地址" prop="auth.radius.addr" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
+              <el-form-item label="服务器地址" prop="auth.radius.addr"
+                            :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
                 <el-input v-model="ruleForm.auth.radius.addr" placeholder="例如 ip:1812"></el-input>
               </el-form-item>
-                  <el-form-item label="密钥" prop="auth.radius.secret" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
+              <el-form-item label="密钥" prop="auth.radius.secret"
+                            :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
                 <el-input v-model="ruleForm.auth.radius.secret" placeholder=""></el-input>
               </el-form-item>
             </template>
 
             <template v-if="ruleForm.auth.type == 'ldap'">
-                  <el-form-item label="服务器地址" prop="auth.ldap.addr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
+              <el-form-item label="服务器地址" prop="auth.ldap.addr"
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
                 <el-input v-model="ruleForm.auth.ldap.addr" placeholder="例如 ip:389 / 域名:389"></el-input>
               </el-form-item>
               <el-form-item label="开启TLS" prop="auth.ldap.tls">
                 <el-switch v-model="ruleForm.auth.ldap.tls"></el-switch>
               </el-form-item>
-                  <el-form-item label="管理员 DN" prop="auth.ldap.bind_name" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
+              <el-form-item label="管理员 DN" prop="auth.ldap.bind_name"
-                    <el-input v-model="ruleForm.auth.ldap.bind_name" placeholder="例如 CN=bindadmin,DC=abc,DC=COM"></el-input>
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
+                <el-input v-model="ruleForm.auth.ldap.bind_name"
+                          placeholder="例如 CN=bindadmin,DC=abc,DC=COM"></el-input>
               </el-form-item>
-                  <el-form-item label="管理员密码" prop="auth.ldap.bind_pwd" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
+              <el-form-item label="管理员密码" prop="auth.ldap.bind_pwd"
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
                 <el-input type="password" v-model="ruleForm.auth.ldap.bind_pwd" placeholder=""></el-input>
               </el-form-item>
-                  <el-form-item label="Base DN" prop="auth.ldap.base_dn" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
+              <el-form-item label="Base DN" prop="auth.ldap.base_dn"
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
                 <el-input v-model="ruleForm.auth.ldap.base_dn" placeholder="例如 DC=abc,DC=com"></el-input>
               </el-form-item>
-                  <el-form-item label="用户对象类" prop="auth.ldap.object_class" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.object_class'] : [{ required: false }]">
+              <el-form-item label="用户对象类" prop="auth.ldap.object_class"
-                    <el-input v-model="ruleForm.auth.ldap.object_class" placeholder="例如 person / user / posixAccount"></el-input>
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.object_class'] : [{ required: false }]">
+                <el-input v-model="ruleForm.auth.ldap.object_class"
+                          placeholder="例如 person / user / posixAccount"></el-input>
               </el-form-item>
-                  <el-form-item label="用户唯一ID" prop="auth.ldap.search_attr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
+              <el-form-item label="用户唯一ID" prop="auth.ldap.search_attr"
-                    <el-input v-model="ruleForm.auth.ldap.search_attr" placeholder="例如 sAMAccountName / uid / cn"></el-input>
+                            :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
+                <el-input v-model="ruleForm.auth.ldap.search_attr"
+                          placeholder="例如 sAMAccountName / uid / cn"></el-input>
               </el-form-item>
               <el-form-item label="受限用户组" prop="auth.ldap.member_of">
-                    <el-input v-model="ruleForm.auth.ldap.member_of" placeholder="选填, 只允许指定组登入, 例如 CN=HomeWork,DC=abc,DC=com"></el-input>
+                <el-input v-model="ruleForm.auth.ldap.member_of"
+                          placeholder="选填, 只允许指定组登入, 例如 CN=HomeWork,DC=abc,DC=com"></el-input>
               </el-form-item>
             </template>
           </el-tab-pane>
@@ -344,16 +400,18 @@
           <el-tab-pane label="权限控制" name="link_acl">
             <el-form-item label="权限控制" prop="link_acl">
               <el-row class="msg-info">
-                    <el-col :span="20">输入CIDR格式如: 192.168.3.0/24 端口0表示所有端口</el-col>
+                <el-col :span="22">输入CIDR格式如: 192.168.3.0/24
-                    <el-col :span="4">
+                  端口0表示所有端口,多个端口用','号分隔,连续端口:1234-5678
+                </el-col>
+                <el-col :span="2">
                   <el-button size="mini" type="success" icon="el-icon-plus" circle
                              @click.prevent="addDomain(ruleForm.link_acl)"></el-button>
                 </el-col>
               </el-row>
 
               <el-row v-for="(item,index) in ruleForm.link_acl"
-                        :key="index" style="margin-bottom: 5px" :gutter="5">
+                      :key="index" style="margin-bottom: 5px" :gutter="1">
-                    <el-col :span="11">
+                <el-col :span="10">
                   <el-input placeholder="请输入CIDR地址" v-model="item.val">
                     <el-select v-model="item.action" slot="prepend">
                       <el-option label="允许" value="allow"></el-option>
@@ -361,10 +419,11 @@
                     </el-select>
                   </el-input>
                 </el-col>
-                    <el-col :span="3">
-                    <el-input v-model.number="item.port" placeholder="端口"></el-input>
-                    </el-col>
                 <el-col :span="8">
+                  <!--  type="textarea" :autosize="{ minRows: 1, maxRows: 2}"  -->
+                  <el-input v-model="item.port" placeholder="多端口,号分隔"></el-input>
+                </el-col>
+                <el-col :span="4">
                   <el-input v-model="item.note" placeholder="备注"></el-input>
                 </el-col>
                 <el-col :span="2">
@@ -377,10 +436,12 @@
 
           <el-tab-pane label="域名拆分隧道" name="ds_domains">
             <el-form-item label="包含域名" prop="ds_include_domains">
-                    <el-input type="textarea" :rows="5" v-model="ruleForm.ds_include_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
+              <el-input type="textarea" :rows="5" v-model="ruleForm.ds_include_domains"
+                        placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
             </el-form-item>
             <el-form-item label="排除域名" prop="ds_exclude_domains">
-                    <el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains" placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
+              <el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains"
+                        placeholder="输入域名用,号分隔，默认匹配所有子域名, 如baidu.com,163.com"></el-input>
               <div class="msg-info">注：域名拆分隧道，仅支持AnyConnect的windows和MacOS桌面客户端，不支持移动端.</div>
             </el-form-item>
           </el-tab-pane>
@@ -404,7 +465,8 @@
         center>
       <el-form :model="authLoginForm" :rules="authLoginRules" ref="authLoginForm" label-width="100px">
         <el-form-item label="账号" prop="name">
-                <el-input v-model="authLoginForm.name" ref="authLoginFormName" @keydown.enter.native="testAuthLogin"></el-input>
+          <el-input v-model="authLoginForm.name" ref="authLoginFormName"
+                    @keydown.enter.native="testAuthLogin"></el-input>
         </el-form-item>
         <el-form-item label="密码" prop="pwd">
           <el-input type="password" v-model="authLoginForm.pwd" @keydown.enter.native="testAuthLogin"></el-input>
@@ -425,8 +487,12 @@
         center>
       <el-form ref="ipEditForm" label-width="80px">
         <el-form-item label="路由表" prop="ip_list">
-              <el-input type="textarea" :rows="10" v-model="ipEditForm.ip_list" placeholder="每行一条路由，例：192.168.1.0/24,备注 或 192.168.1.0/24"></el-input>
+          <el-input type="textarea" :rows="10" v-model="ipEditForm.ip_list"
-              <div class="msg-info">当前共 {{ ipEditForm.ip_list.trim() === '' ? 0 : ipEditForm.ip_list.trim().split("\n").length }} 条（注：AnyConnect客户端最多支持{{ this.maxRouteRows }}条路由）</div>
+                    placeholder="每行一条路由，例：192.168.1.0/24,备注 或 192.168.1.0/24"></el-input>
+          <div class="msg-info">当前共
+            {{ ipEditForm.ip_list.trim() === '' ? 0 : ipEditForm.ip_list.trim().split("\n").length }}
+            条（注：AnyConnect客户端最多支持{{ this.maxRouteRows }}条路由）
+          </div>
         </el-form-item>
         <el-form-item>
           <el-button type="primary" @click="ipEdit()" :loading="ipEditLoading">更新</el-button>
@@ -480,7 +546,8 @@ export default {
         bandwidth_format: '0',
         status: 1,
         allow_lan: true,
-        client_dns: [{val: '114.114.114.114'}],
+        client_dns: [{val: '114.114.114.114', note: '默认dns'}],
+        split_dns: [],
         route_include: [{val: 'all', note: '默认全局代理'}],
         route_exclude: [],
         link_acl: [],
@@ -624,7 +691,8 @@ export default {
       // arr.pop()
     },
     addDomain(arr) {
-      arr.push({val: "", action: "allow", port: 0});
+      console.log("arr", arr)
+      arr.push({val: "", action: "allow", port: "0", note: ""});
     },
     submitForm(formName) {
       this.$refs[formName].validate((valid) => {
@@ -656,9 +724,11 @@ export default {
           return false;
         }
         this.authLoginLoading = true;
-            axios.post('/group/auth_login', {name:this.authLoginForm.name,
+        axios.post('/group/auth_login', {
+          name: this.authLoginForm.name,
           pwd: this.authLoginForm.pwd,
-                                            auth:this.ruleForm.auth}).then(resp => {
+          auth: this.ruleForm.auth
+        }).then(resp => {
           const rdata = resp.data;
           if (rdata.code === 0) {
             this.$message.success("登录成功");
@@ -824,6 +894,7 @@ export default {
   max-height: calc(100% - 30px);
   max-width: calc(100% - 30px);
 }
+
 ::v-deep .valgin-dialog .el-dialog__body {
   flex: 1;
   overflow: auto;