7x31/anylink
1
0
Fork 0
mirror of https://github.com/bjdgyc/anylink.git synced 2025-09-28 16:15:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: 7x31:v0.11.4
Branches Tags
7x31:main
7x31:v0.13.1 7x31:v0.12.2 7x31:v0.12.1 7x31:v0.11.4 7x31:v0.11.3 7x31:v0.11.2 7x31:v0.11.1 7x31:v0.10.1 7x31:v0.9.4 7x31:v0.9.3 7x31:v0.9.2-beta2 7x31:v0.9.2-beta1 7x31:v0.9.1-beta1 7x31:v0.8.1 7x31:v0.7.4 7x31:v0.7.3 7x31:v0.7.2 7x31:v0.7.1 7x31:v0.6.2 7x31:v0.6.1 7x31:v0.5.1 7x31:v0.4.2 7x31:v0.4.1 7x31:v0.3.3 7x31:v0.3.1 7x31:v0.2.1 7x31:v0.1.8 7x31:v0.1.7 7x31:v0.1.6 7x31:v0.1.0 7x31:v0.0.8 7x31:v0.0.6
...
compare: 7x31:v0.12.1
Branches Tags
7x31:main
7x31:v0.13.1 7x31:v0.12.2 7x31:v0.12.1 7x31:v0.11.4 7x31:v0.11.3 7x31:v0.11.2 7x31:v0.11.1 7x31:v0.10.1 7x31:v0.9.4 7x31:v0.9.3 7x31:v0.9.2-beta2 7x31:v0.9.2-beta1 7x31:v0.9.1-beta1 7x31:v0.8.1 7x31:v0.7.4 7x31:v0.7.3 7x31:v0.7.2 7x31:v0.7.1 7x31:v0.6.2 7x31:v0.6.1 7x31:v0.5.1 7x31:v0.4.2 7x31:v0.4.1 7x31:v0.3.3 7x31:v0.3.1 7x31:v0.2.1 7x31:v0.1.8 7x31:v0.1.7 7x31:v0.1.6 7x31:v0.1.0 7x31:v0.0.8 7x31:v0.0.6

23 Commits
v0.11.4 ... v0.12.1

Author SHA1 Message Date
bjdgyc
9d926edabb 内网域名 2024-04-25 10:18:40 +08:00
bjdgyc
7329603c47 Merge pull request #314 from bjdgyc/dev 
支持分割DNS功能
 2024-04-24 17:56:18 +08:00
bjdgyc
a7c6791c1e 支持分割DNS功能 2024-04-24 17:39:50 +08:00
bjdgyc
96c95bb6cd 更新版本 2024-04-24 15:27:53 +08:00
bjdgyc
6d3dab6798 Client-Bypass 2024-04-23 16:59:52 +08:00
bjdgyc
b313c6fa00 Client-Bypass 2024-04-23 16:59:14 +08:00
bjdgyc
75b138a7a8 Client-Bypass 2024-04-23 16:56:40 +08:00
bjdgyc
641d6127ba 修复acl样式 2024-04-22 17:41:18 +08:00
bjdgyc
2828d1038d Merge pull request #313 from bjdgyc/dev 
修复acl表结构
 2024-04-22 17:04:37 +08:00
bjdgyc
cb902a6b9b 修复acl表结构 2024-04-22 16:47:06 +08:00
bjdgyc
1b066ef602 Merge pull request #312 from bjdgyc/dev 
支持 私有自签证书
 2024-04-22 14:42:06 +08:00
bjdgyc
5e804a3483 支持 私有自签证书 2024-04-22 14:40:03 +08:00
bjdgyc
6e0c0efa85 Merge pull request #310 from imhun/main 
acl支持逗号分隔多端口号配置
 2024-04-11 11:40:39 +08:00
imhun
8f196cb4e2 Merge branch 'main' of https://github.com/imhun/anylink 2024-04-09 11:25:34 +08:00
imhun
9182ccfba2 兼容历史单端口配置 2024-04-09 11:23:13 +08:00
huweishan
39d89b8c84 兼容历史单端口配置 2024-04-09 10:33:30 +08:00
huweishan
24e30509e4 兼容历史单端口配置 2024-04-09 10:29:54 +08:00
huweishan
4f56ea49c3 ports保存为map 
兼容老的配置数据
 2024-04-08 19:34:11 +08:00
huweishan
e55b2b6f0a 支持连续端口 2024-04-08 16:16:45 +08:00
huweishan
15573a6ef3 支持连续端口,比如1234-5678 2024-04-08 16:13:52 +08:00
huweishan
38b8f0b2aa ports初始化 2024-04-08 15:12:47 +08:00
huweishan
8df34428dd acl支持逗号分隔多端口号配置 2024-04-08 14:54:09 +08:00
bjdgyc
26483533a9 修复 关闭otp时,发送邮件附件的问题 2024-03-29 10:04:15 +08:00
14 changed files with 624 additions and 432 deletions
Expand all files Collapse all files

7
README.md
View File

@@ -23,7 +23,7 @@ AnyLink 是一个企业级远程办公 sslvpn 的软件,可以支持多人同
AnyLink 基于 [ietf-openconnect](https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-02)
协议开发,并且借鉴了 [ocserv](http://ocserv.gitlab.io/www/index.html) 的开发思路,使其可以同时兼容 AnyConnect 客户端。
AnyLink 使用 TLS/DTLS 进行数据加密,因此需要 RSA 或 ECC 证书,可以通过 Let's Encrypt 和 TrustAsia 申请免费的 SSL 证书。
AnyLink 使用 TLS/DTLS 进行数据加密,因此需要 RSA 或 ECC 证书,可以使用私有自签证书,可以通过 Let's Encrypt 和 TrustAsia 申请免费的 SSL 证书。
AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试通过,如需要安装在其他系统,需要服务端支持 tun/tap
功能、ip 设置命令、iptables命令。
@@ -60,9 +60,9 @@ AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试
### 使用问题
> 对于测试环境,可以使用 vpn.test.vqilu.cn 绑定host进行测试
> 对于测试环境,可以直接进行测试,需要客户端取消勾选【阻止不受信任的服务器(Block connections to untrusted servers)】
>
> 对于线上环境,必须申请安全的https证书(跟nginx使用的证书类型一致),不支持私有证书连接
> 对于线上环境,尽量申请安全的https证书(跟nginx使用的pem证书类型一致)
>
> 群共享文件有相关客户端软件下载,其他版本没有测试过,不保证使用正常
>
@@ -133,6 +133,7 @@ sudo ./anylink
- [x] 流量压缩功能
- [x] 出口 IP 自动放行
- [x] 支持多服务的配置区分
- [x] 支持私有自签证书
- [ ] 基于 ipvtap 设备的桥接访问模式
## Config

4
server/admin/api_group.go
View File

@@ -75,6 +75,10 @@ func GroupDetail(w http.ResponseWriter, r *http.Request) {
if len(data.Auth) == 0 {
data.Auth["type"] = "local"
}
// 兼容旧数据
if data.SplitDns == nil {
data.SplitDns = []dbdata.ValData{}
}
RespSucess(w, data)
}

10
server/admin/api_user.go
View File

@@ -214,6 +214,7 @@ type userAccountMailData struct {
PinCode string
OtpImg string
OtpImgBase64 string
DisableOtp bool
}
func userAccountMail(user *dbdata.User) error {
@@ -265,6 +266,7 @@ func userAccountMail(user *dbdata.User) error {
PinCode: user.PinCode,
OtpImg: fmt.Sprintf("https://%s/otp_qr?id=%d&jwt=%s", setting.LinkAddr, user.Id, tokenString),
OtpImgBase64: "data:image/png;base64," + otpData,
DisableOtp: user.DisableOtp,
}
w := bytes.NewBufferString("")
t, _ := template.New("auth_complete").Parse(htmlBody)
@@ -273,13 +275,19 @@ func userAccountMail(user *dbdata.User) error {
return err
}
// fmt.Println(w.String())
var attach *mail.File
if user.DisableOtp {
attach = nil
} else {
imgData, _ := userOtpQr(user.Id, false)
attach := &mail.File{
attach = &mail.File{
MimeType: "image/png",
Name: "userOtpQr.png",
Data: []byte(imgData),
Inline: true,
}
}
return SendMail(base.Cfg.Issuer, user.Email, w.String(), attach)
}

6
server/admin/server.go
View File

@@ -111,12 +111,6 @@ func StartAdmin() {
selectedCipherSuites = append(selectedCipherSuites, s.ID)
}
if tlscert, _, err := dbdata.ParseCert(); err != nil {
base.Fatal("证书加载失败", err)
} else {
dbdata.LoadCertificate(tlscert)
}
// 设置tls信息
tlsConfig := &tls.Config{
NextProtos: []string{"http/1.1"},

1
server/conf/profile.xml
View File

@@ -9,6 +9,7 @@
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<BypassDownloader>true</BypassDownloader>
<AutoUpdate UserControllable="false">false</AutoUpdate>
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>

14
server/dbdata/db.go
View File

@@ -174,6 +174,9 @@ func CheckErrNotFound(err error) bool {
return err == ErrNotFound
}
// base64 图片
// 用户动态码(请妥善保存):<br/>
// <img src="{{.OtpImgBase64}}"/><br/>
const accountMail = `<p>您好:</p>
<p>&nbsp;&nbsp;您的{{.Issuer}}账号已经审核开通。</p>
<p>
@@ -181,17 +184,18 @@ const accountMail = `<p>您好:</p>
用户组: <b>{{.Group}}</b> <br/>
用户名: <b>{{.Username}}</b> <br/>
用户PIN码: <b>{{.PinCode}}</b> <br/>
{{if .DisableOtp}}
<!-- nothing -->
{{else}}
<!--
用户动态码(3天后失效):<br/>
<img src="{{.OtpImg}}"/><br/>
用户动态码(请妥善保存):<br/>
<img src="{{.OtpImgBase64}}"/><br/>
下面是兼容 gmail 的写法
-->
用户动态码(请妥善保存):<br/>
<img src="cid:userOtpQr.png" alt="userOtpQr" /><br/>
{{end}}
</p>
<div>
使用说明:

72
server/dbdata/group.go
View File

@@ -5,6 +5,7 @@ import (
"fmt"
"net"
"regexp"
"strconv"
"strings"
"time"
@@ -26,7 +27,8 @@ type GroupLinkAcl struct {
// 自上而下匹配 默认 allow * *
Action string `json:"action"` // allow、deny
Val string `json:"val"`
Port uint16 `json:"port"`
Port string `json:"port"` // 兼容单端口历史数据类型uint16
Ports map[uint16]int8 `json:"ports"`
IpNet *net.IPNet `json:"ip_net"`
Note string `json:"note"`
}
@@ -161,14 +163,59 @@ func SetGroup(g *Group) error {
return errors.New("GroupLinkAcl 错误" + err.Error())
}
v.IpNet = ipNet
portsStr := v.Port
v.Port = strings.TrimSpace(portsStr)
// switch vp := v.Port.(type) {
// case float64:
// portsStr = strconv.Itoa(int(vp))
// case string:
// portsStr = vp
// }
if regexp.MustCompile(`^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$`).MatchString(portsStr) {
ports := map[uint16]int8{}
for _, p := range strings.Split(portsStr, ",") {
if p == "" {
continue
}
if regexp.MustCompile(`^\d{1,5}-\d{1,5}$`).MatchString(p) {
rp := strings.Split(p, "-")
portfrom, err := strconv.Atoi(rp[0])
if err != nil {
return errors.New("端口:" + rp[0] + " 格式错误, " + err.Error())
}
portto, err := strconv.Atoi(rp[1])
if err != nil {
return errors.New("端口:" + rp[1] + " 格式错误, " + err.Error())
}
for i := portfrom; i <= portto; i++ {
ports[uint16(i)] = 1
}
} else {
port, err := strconv.Atoi(p)
if err != nil {
return errors.New("端口:" + p + " 格式错误, " + err.Error())
}
ports[uint16(port)] = 1
}
}
v.Ports = ports
linkAcl = append(linkAcl, v)
} else {
return errors.New("端口: " + portsStr + " 格式错误,请用逗号分隔的端口,比如: 22,80,443 连续端口用-,比如:1234-5678")
}
}
}
g.LinkAcl = linkAcl
// DNS 判断
clientDns := []ValData{}
for _, v := range g.ClientDns {
v.Val = strings.TrimSpace(v.Val)
if v.Val != "" {
ip := net.ParseIP(v.Val)
if ip.String() != v.Val {
@@ -183,6 +230,20 @@ func SetGroup(g *Group) error {
return errors.New("默认路由必须设置一个DNS")
}
g.ClientDns = clientDns
splitDns := []ValData{}
for _, v := range g.SplitDns {
v.Val = strings.TrimSpace(v.Val)
if v.Val != "" {
ValidateDomainName(v.Val)
if !ValidateDomainName(v.Val) {
return errors.New("域名 错误")
}
splitDns = append(splitDns, v)
}
}
g.SplitDns = splitDns
// 域名拆分隧道,不能同时填写
g.DsIncludeDomains = strings.TrimSpace(g.DsIncludeDomains)
g.DsExcludeDomains = strings.TrimSpace(g.DsExcludeDomains)
@@ -238,6 +299,15 @@ func SetGroup(g *Group) error {
return err
}
func ContainsInPorts(ports map[uint16]int8, port uint16) bool {
_, ok := ports[port]
if ok {
return true
} else {
return false
}
}
func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
g := &Group{Auth: authData}
authType := g.Auth["type"].(string)

1
server/dbdata/tables.go
View File

@@ -11,6 +11,7 @@ type Group struct {
Note string `json:"note" xorm:"varchar(255)"`
AllowLan bool `json:"allow_lan" xorm:"Bool"`
ClientDns []ValData `json:"client_dns" xorm:"Text"`
SplitDns []ValData `json:"split_dns" xorm:"Text"`
RouteInclude []ValData `json:"route_include" xorm:"Text"`
RouteExclude []ValData `json:"route_exclude" xorm:"Text"`
DsExcludeDomains string `json:"ds_exclude_domains" xorm:"Text"`

10
server/handler/link_auth.go
View File

@@ -17,7 +17,10 @@ import (
"github.com/bjdgyc/anylink/sessdata"
)
var profileHash = ""
var (
profileHash = ""
certHash = ""
)
func LinkAuth(w http.ResponseWriter, r *http.Request) {
// TODO 调试信息输出
@@ -138,7 +141,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
other := &dbdata.SettingOther{}
_ = dbdata.SettingGet(other)
rd := RequestData{SessionId: sess.Sid, SessionToken: sess.Sid + "@" + sess.Token,
Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash}
Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash, CertHash: certHash}
w.WriteHeader(http.StatusOK)
tplRequest(tpl_complete, w, rd)
base.Info("login", cr.Auth.Username, userAgent)
@@ -178,6 +181,7 @@ type RequestData struct {
Banner string
ProfileName string
ProfileHash string
CertHash string
}
var auth_request = `<?xml version="1.0" encoding="UTF-8"?>
@@ -223,7 +227,7 @@ var auth_complete = `<?xml version="1.0" encoding="UTF-8"?>
</capabilities>
<config client="vpn" type="private">
<vpn-base-config>
<server-cert-hash>240B97A685B2BFA66AD699B90AAC49EA66495D69</server-cert-hash>
<server-cert-hash>{{.CertHash}}</server-cert-hash>
</vpn-base-config>
<opaque is-for="vpn-client"></opaque>
<vpn-profile-manifest>

13
server/handler/link_tunnel.go
View File

@@ -86,7 +86,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
}
cSess.CstpDpd = cstpDpd
dtlsPort := "4433"
dtlsPort := "443"
if strings.Contains(base.Cfg.ServerDTLSAddr, ":") {
ss := strings.Split(base.Cfg.ServerDTLSAddr, ":")
dtlsPort = ss[1]
@@ -131,6 +131,11 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
for _, v := range cSess.Group.ClientDns {
HttpAddHeader(w, "X-CSTP-DNS", v.Val)
}
// 分割dns
for _, v := range cSess.Group.SplitDns {
HttpAddHeader(w, "X-CSTP-Split-DNS", v.Val)
}
// 允许的路由
for _, v := range cSess.Group.RouteInclude {
if strings.ToLower(v.Val) == dbdata.All {
@@ -156,9 +161,9 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
HttpSetHeader(w, "X-CSTP-Keep", "true")
HttpSetHeader(w, "X-CSTP-Tunnel-All-DNS", "false")
HttpSetHeader(w, "X-CSTP-Rekey-Time", "43200") // 172800
HttpSetHeader(w, "X-CSTP-Rekey-Time", "86400") // 172800
HttpSetHeader(w, "X-CSTP-Rekey-Method", "new-tunnel")
HttpSetHeader(w, "X-DTLS-Rekey-Time", "43200")
HttpSetHeader(w, "X-DTLS-Rekey-Time", "86400")
HttpSetHeader(w, "X-DTLS-Rekey-Method", "new-tunnel")
HttpSetHeader(w, "X-CSTP-DPD", fmt.Sprintf("%d", cstpDpd))
@@ -180,7 +185,7 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
HttpSetHeader(w, "X-CSTP-Routing-Filtering-Ignore", "false")
HttpSetHeader(w, "X-CSTP-Quarantine", "false")
HttpSetHeader(w, "X-CSTP-Disable-Always-On-VPN", "false")
HttpSetHeader(w, "X-CSTP-Client-Bypass-Protocol", "false")
HttpSetHeader(w, "X-CSTP-Client-Bypass-Protocol", "true")
HttpSetHeader(w, "X-CSTP-TCP-Keepalive", "false")
// 设置域名拆分隧道(移动端不支持)
if mobile != "mobile" {

15
server/handler/payload.go
View File

@@ -88,8 +88,21 @@ func checkLinkAcl(group *dbdata.Group, pl *sessdata.Payload) bool {
for _, v := range group.LinkAcl {
// 循环判断ip和端口
if v.IpNet.Contains(ipDst) {
// 放行允许ip的ping
if v.Port == ipPort || v.Port == 0 || ipProto == waterutil.ICMP {
// if v.Ports == nil || len(v.Ports) == 0 {
// //单端口历史数据兼容
// port := uint16(v.Port.(float64))
// if port == ipPort || port == 0 || ipProto == waterutil.ICMP {
// if v.Action == dbdata.Allow {
// return true
// } else {
// return false
// }
// }
// } else {
if dbdata.ContainsInPorts(v.Ports, ipPort) || dbdata.ContainsInPorts(v.Ports, 0) || ipProto == waterutil.ICMP {
if v.Action == dbdata.Allow {
return true
} else {

16
server/handler/server.go
View File

@@ -1,13 +1,16 @@
package handler
import (
"crypto/sha1"
"crypto/tls"
"encoding/hex"
"fmt"
"io"
"net"
"net/http"
"net/http/httputil"
"os"
"strings"
"time"
"github.com/bjdgyc/anylink/base"
@@ -36,6 +39,19 @@ func startTls() {
// certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
// }
tlscert, _, err := dbdata.ParseCert()
if err != nil {
base.Fatal("证书加载失败", err)
}
dbdata.LoadCertificate(tlscert)
// 计算证书hash值
s1 := sha1.New()
s1.Write(tlscert.Certificate[0])
h2s := hex.EncodeToString(s1.Sum(nil))
certHash = strings.ToUpper(h2s)
base.Info("certHash", certHash)
// 修复 CVE-2016-2183
// https://segmentfault.com/a/1190000038486901
// nmap -sV --script ssl-enum-ciphers -p 443 www.example.com

2
version
View File

@@ -1 +1 @@
0.11.4
0.12.1

233
web/src/pages/group/List.vue
View File

@@ -50,7 +50,8 @@
label="带宽限制"
width="90">
<template slot-scope="scope">
<el-row v-if="scope.row.bandwidth > 0">{{ convertBandwidth(scope.row.bandwidth, 'BYTE', 'Mbps') }} Mbps</el-row>
<el-row v-if="scope.row.bandwidth > 0">{{ convertBandwidth(scope.row.bandwidth, 'BYTE', 'Mbps') }} Mbps
</el-row>
<el-row v-else>不限</el-row>
</template>
</el-table-column>
@@ -69,12 +70,20 @@
label="路由包含"
width="180">
<template slot-scope="scope">
<el-row v-for="(item,inx) in scope.row.route_include.slice(0, readMinRows)" :key="inx">{{ item.val }}</el-row>
<el-row v-for="(item,inx) in scope.row.route_include.slice(0, readMinRows)" :key="inx">{{
item.val
}}
</el-row>
<div v-if="scope.row.route_include.length > readMinRows">
<div v-if="readMore[`ri_${ scope.row.id }`]">
<el-row v-for="(item,inx) in scope.row.route_include.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>
<el-row v-for="(item,inx) in scope.row.route_include.slice(readMinRows)" :key="inx">{{
item.val
}}
</el-row>
</div>
<el-button size="mini" type="text" @click="toggleMore(`ri_${ scope.row.id }`)">{{ readMore[`ri_${ scope.row.id }`] ? " 收起" : " 更多" }}</el-button>
<el-button size="mini" type="text" @click="toggleMore(`ri_${ scope.row.id }`)">
{{ readMore[`ri_${scope.row.id}`] ? " 收起" : " 更多" }}
</el-button>
</div>
</template>
</el-table-column>
@@ -84,12 +93,20 @@
label="路由排除"
width="180">
<template slot-scope="scope">
<el-row v-for="(item,inx) in scope.row.route_exclude.slice(0, readMinRows)" :key="inx">{{ item.val }}</el-row>
<el-row v-for="(item,inx) in scope.row.route_exclude.slice(0, readMinRows)" :key="inx">{{
item.val
}}
</el-row>
<div v-if="scope.row.route_exclude.length > readMinRows">
<div v-if="readMore[`re_${ scope.row.id }`]">
<el-row v-for="(item,inx) in scope.row.route_exclude.slice(readMinRows)" :key="inx">{{ item.val }}</el-row>
<el-row v-for="(item,inx) in scope.row.route_exclude.slice(readMinRows)" :key="inx">{{
item.val
}}
</el-row>
</div>
<el-button size="mini" type="text" @click="toggleMore(`re_${ scope.row.id }`)">{{ readMore[`re_${ scope.row.id }`] ? " 收起" : " 更多" }}</el-button>
<el-button size="mini" type="text" @click="toggleMore(`re_${ scope.row.id }`)">
{{ readMore[`re_${scope.row.id}`] ? " 收起" : " 更多" }}
</el-button>
</div>
</template>
</el-table-column>
@@ -108,7 +125,9 @@
{{ item.action }} => {{ item.val }} : {{ item.port }}
</el-row>
</div>
<el-button size="mini" type="text" @click="toggleMore(`la_${ scope.row.id }`)">{{ readMore[`la_${ scope.row.id }`] ? " 收起" : " 更多" }}</el-button>
<el-button size="mini" type="text" @click="toggleMore(`la_${ scope.row.id }`)">
{{ readMore[`la_${scope.row.id}`] ? " 收起" : " 更多" }}
</el-button>
</div>
</template>
</el-table-column>
@@ -192,7 +211,8 @@
</el-form-item>
<el-form-item label="带宽限制" prop="bandwidth_format" style="width:260px;">
<el-input v-model="ruleForm.bandwidth_format" oninput="value= value.match(/\d+(\.\d{0,2})?/) ? value.match(/\d+(\.\d{0,2})?/)[0] : ''">
<el-input v-model="ruleForm.bandwidth_format"
oninput="value= value.match(/\d+(\.\d{0,2})?/) ? value.match(/\d+(\.\d{0,2})?/)[0] : ''">
<template slot="append">Mbps</template>
</el-input>
</el-form-item>
@@ -201,9 +221,9 @@
<el-switch v-model="ruleForm.allow_lan"></el-switch>
<div class="msg-info">
本地网络 指的是
运行 anyconnect 客户端的PC 所在的的网络本地路由网段
运行 anyconnect 客户端的PC 所在的的网络本地路由网段
开启后PC本地路由网段的数据就不会走隧道链路转发数据了
同时 anyconnect 客户端需要勾选本地网络(Local Lan)的开关功能才能生效
同时 anyconnect 客户端需要勾选本地网络(Allow Local Lan)的开关功能才能生效
</div>
</el-form-item>
@@ -229,6 +249,30 @@
</el-col>
</el-row>
</el-form-item>
<el-form-item label="内网域名" prop="split_dns">
<el-row class="msg-info">
<el-col :span="20">(分割DNS)一般留空如果输入域名只有配置的域名(包含子域名)走配置的dns</el-col>
<el-col :span="4">
<el-button size="mini" type="success" icon="el-icon-plus" circle
@click.prevent="addDomain(ruleForm.split_dns)"></el-button>
</el-col>
</el-row>
<el-row v-for="(item,index) in ruleForm.split_dns"
:key="index" style="margin-bottom: 5px" :gutter="10">
<el-col :span="10">
<el-input v-model="item.val"></el-input>
</el-col>
<el-col :span="12">
<el-input v-model="item.note" placeholder="备注"></el-input>
</el-col>
<el-col :span="2">
<el-button size="mini" type="danger" icon="el-icon-minus" circle
@click.prevent="removeDomain(ruleForm.split_dns,index)"></el-button>
</el-col>
</el-row>
</el-form-item>
<el-form-item label="状态" prop="status">
<el-radio-group v-model="ruleForm.status">
<el-radio :label="1" border>启用</el-radio>
@@ -246,38 +290,50 @@
</el-radio-group>
</el-form-item>
<template v-if="ruleForm.auth.type == 'radius'">
<el-form-item label="服务器地址" prop="auth.radius.addr" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
<el-form-item label="服务器地址" prop="auth.radius.addr"
:rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.radius.addr" placeholder="例如 ip:1812"></el-input>
</el-form-item>
<el-form-item label="密钥" prop="auth.radius.secret" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
<el-form-item label="密钥" prop="auth.radius.secret"
:rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.radius.secret" placeholder=""></el-input>
</el-form-item>
</template>
<template v-if="ruleForm.auth.type == 'ldap'">
<el-form-item label="服务器地址" prop="auth.ldap.addr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
<el-form-item label="服务器地址" prop="auth.ldap.addr"
:rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.addr" placeholder="例如 ip:389 / 域名:389"></el-input>
</el-form-item>
<el-form-item label="开启TLS" prop="auth.ldap.tls">
<el-switch v-model="ruleForm.auth.ldap.tls"></el-switch>
</el-form-item>
<el-form-item label="管理员 DN" prop="auth.ldap.bind_name" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.bind_name" placeholder="例如 CN=bindadmin,DC=abc,DC=COM"></el-input>
<el-form-item label="管理员 DN" prop="auth.ldap.bind_name"
:rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.bind_name"
placeholder="例如 CN=bindadmin,DC=abc,DC=COM"></el-input>
</el-form-item>
<el-form-item label="管理员密码" prop="auth.ldap.bind_pwd" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
<el-form-item label="管理员密码" prop="auth.ldap.bind_pwd"
:rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
<el-input type="password" v-model="ruleForm.auth.ldap.bind_pwd" placeholder=""></el-input>
</el-form-item>
<el-form-item label="Base DN" prop="auth.ldap.base_dn" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
<el-form-item label="Base DN" prop="auth.ldap.base_dn"
:rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.base_dn" placeholder="例如 DC=abc,DC=com"></el-input>
</el-form-item>
<el-form-item label="用户对象类" prop="auth.ldap.object_class" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.object_class'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.object_class" placeholder="例如 person / user / posixAccount"></el-input>
<el-form-item label="用户对象类" prop="auth.ldap.object_class"
:rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.object_class'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.object_class"
placeholder="例如 person / user / posixAccount"></el-input>
</el-form-item>
<el-form-item label="用户唯一ID" prop="auth.ldap.search_attr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.search_attr" placeholder="例如 sAMAccountName / uid / cn"></el-input>
<el-form-item label="用户唯一ID" prop="auth.ldap.search_attr"
:rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.search_attr"
placeholder="例如 sAMAccountName / uid / cn"></el-input>
</el-form-item>
<el-form-item label="受限用户组" prop="auth.ldap.member_of">
<el-input v-model="ruleForm.auth.ldap.member_of" placeholder="选填, 只允许指定组登入, 例如 CN=HomeWork,DC=abc,DC=com"></el-input>
<el-input v-model="ruleForm.auth.ldap.member_of"
placeholder="选填, 只允许指定组登入, 例如 CN=HomeWork,DC=abc,DC=com"></el-input>
</el-form-item>
</template>
</el-tab-pane>
@@ -344,16 +400,18 @@
<el-tab-pane label="权限控制" name="link_acl">
<el-form-item label="权限控制" prop="link_acl">
<el-row class="msg-info">
<el-col :span="20">输入CIDR格式如: 192.168.3.0/24 端口0表示所有端口</el-col>
<el-col :span="4">
<el-col :span="22">输入CIDR格式如: 192.168.3.0/24
端口0表示所有端口,多个端口用','号分隔,连续端口:1234-5678
</el-col>
<el-col :span="2">
<el-button size="mini" type="success" icon="el-icon-plus" circle
@click.prevent="addDomain(ruleForm.link_acl)"></el-button>
</el-col>
</el-row>
<el-row v-for="(item,index) in ruleForm.link_acl"
:key="index" style="margin-bottom: 5px" :gutter="5">
<el-col :span="11">
:key="index" style="margin-bottom: 5px" :gutter="1">
<el-col :span="10">
<el-input placeholder="请输入CIDR地址" v-model="item.val">
<el-select v-model="item.action" slot="prepend">
<el-option label="允许" value="allow"></el-option>
@@ -361,10 +419,11 @@
</el-select>
</el-input>
</el-col>
<el-col :span="3">
<el-input v-model.number="item.port" placeholder="端口"></el-input>
</el-col>
<el-col :span="8">
<!-- type="textarea" :autosize="{ minRows: 1, maxRows: 2}" -->
<el-input v-model="item.port" placeholder="多端口,号分隔"></el-input>
</el-col>
<el-col :span="4">
<el-input v-model="item.note" placeholder="备注"></el-input>
</el-col>
<el-col :span="2">
@@ -377,10 +436,12 @@
<el-tab-pane label="域名拆分隧道" name="ds_domains">
<el-form-item label="包含域名" prop="ds_include_domains">
<el-input type="textarea" :rows="5" v-model="ruleForm.ds_include_domains" placeholder="输入域名用,号分隔,默认匹配所有子域名, 如baidu.com,163.com"></el-input>
<el-input type="textarea" :rows="5" v-model="ruleForm.ds_include_domains"
placeholder="输入域名用,号分隔,默认匹配所有子域名, 如baidu.com,163.com"></el-input>
</el-form-item>
<el-form-item label="排除域名" prop="ds_exclude_domains">
<el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains" placeholder="输入域名用,号分隔,默认匹配所有子域名, 如baidu.com,163.com"></el-input>
<el-input type="textarea" :rows="5" v-model="ruleForm.ds_exclude_domains"
placeholder="输入域名用,号分隔,默认匹配所有子域名, 如baidu.com,163.com"></el-input>
<div class="msg-info">域名拆分隧道仅支持AnyConnect的windows和MacOS桌面客户端不支持移动端.</div>
</el-form-item>
</el-tab-pane>
@@ -404,7 +465,8 @@
center>
<el-form :model="authLoginForm" :rules="authLoginRules" ref="authLoginForm" label-width="100px">
<el-form-item label="账号" prop="name">
<el-input v-model="authLoginForm.name" ref="authLoginFormName" @keydown.enter.native="testAuthLogin"></el-input>
<el-input v-model="authLoginForm.name" ref="authLoginFormName"
@keydown.enter.native="testAuthLogin"></el-input>
</el-form-item>
<el-form-item label="密码" prop="pwd">
<el-input type="password" v-model="authLoginForm.pwd" @keydown.enter.native="testAuthLogin"></el-input>
@@ -425,8 +487,12 @@
center>
<el-form ref="ipEditForm" label-width="80px">
<el-form-item label="路由表" prop="ip_list">
<el-input type="textarea" :rows="10" v-model="ipEditForm.ip_list" placeholder="每行一条路由192.168.1.0/24,备注 或 192.168.1.0/24"></el-input>
<div class="msg-info">当前共 {{ ipEditForm.ip_list.trim() === '' ? 0 : ipEditForm.ip_list.trim().split("\n").length }} AnyConnect客户端最多支持{{ this.maxRouteRows }}条路由</div>
<el-input type="textarea" :rows="10" v-model="ipEditForm.ip_list"
placeholder="每行一条路由192.168.1.0/24,备注 或 192.168.1.0/24"></el-input>
<div class="msg-info">当前共
{{ ipEditForm.ip_list.trim() === '' ? 0 : ipEditForm.ip_list.trim().split("\n").length }}
AnyConnect客户端最多支持{{ this.maxRouteRows }}条路由
</div>
</el-form-item>
<el-form-item>
<el-button type="primary" @click="ipEdit()" :loading="ipEditLoading">更新</el-button>
@@ -457,22 +523,22 @@ export default {
page: 1,
tableData: [],
count: 10,
activeTab : "general",
activeTab: "general",
readMore: {},
readMinRows : 5,
maxRouteRows : 2500,
defAuth : {
type:'local',
radius:{addr:"", secret:""},
ldap:{
addr:"",
tls:false,
base_dn:"",
object_class:"person",
search_attr:"sAMAccountName",
member_of:"",
bind_name:"",
bind_pwd:"",
readMinRows: 5,
maxRouteRows: 2500,
defAuth: {
type: 'local',
radius: {addr: "", secret: ""},
ldap: {
addr: "",
tls: false,
base_dn: "",
object_class: "person",
search_attr: "sAMAccountName",
member_of: "",
bind_name: "",
bind_pwd: "",
},
},
ruleForm: {
@@ -480,24 +546,25 @@ export default {
bandwidth_format: '0',
status: 1,
allow_lan: true,
client_dns: [{val: '114.114.114.114'}],
client_dns: [{val: '114.114.114.114', note: '默认dns'}],
split_dns: [],
route_include: [{val: 'all', note: '默认全局代理'}],
route_exclude: [],
link_acl: [],
auth : {},
auth: {},
},
authLoginDialog : false,
ipListDialog : false,
authLoginLoading : false,
authLoginForm : {
name : "",
pwd : "",
authLoginDialog: false,
ipListDialog: false,
authLoginLoading: false,
authLoginForm: {
name: "",
pwd: "",
},
ipEditForm: {
ip_list: "",
type : "",
type: "",
},
ipEditLoading : false,
ipEditLoading: false,
authLoginRules: {
name: [
{required: true, message: '请输入账号', trigger: 'blur'},
@@ -548,11 +615,11 @@ export default {
},
methods: {
setAuthData(row) {
if (! row) {
if (!row) {
this.ruleForm.auth = JSON.parse(JSON.stringify(this.defAuth));
return ;
return;
}
if (row.auth.type == "ldap" && ! row.auth.ldap.object_class) {
if (row.auth.type == "ldap" && !row.auth.ldap.object_class) {
row.auth.ldap.object_class = this.defAuth.ldap.object_class;
}
this.ruleForm.auth = Object.assign(JSON.parse(JSON.stringify(this.defAuth)), row.auth);
@@ -624,7 +691,8 @@ export default {
// arr.pop()
},
addDomain(arr) {
arr.push({val: "", action: "allow", port: 0});
console.log("arr", arr)
arr.push({val: "", action: "allow", port: "0", note: ""});
},
submitForm(formName) {
this.$refs[formName].validate((valid) => {
@@ -656,9 +724,11 @@ export default {
return false;
}
this.authLoginLoading = true;
axios.post('/group/auth_login', {name:this.authLoginForm.name,
pwd:this.authLoginForm.pwd,
auth:this.ruleForm.auth}).then(resp => {
axios.post('/group/auth_login', {
name: this.authLoginForm.name,
pwd: this.authLoginForm.pwd,
auth: this.ruleForm.auth
}).then(resp => {
const rdata = resp.data;
if (rdata.code === 0) {
this.$message.success("登录成功");
@@ -731,7 +801,7 @@ export default {
isValidCIDR(input) {
const cidrRegex = /^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)\/([12]?\d|3[0-2])$/;
if (!cidrRegex.test(input)) {
return { valid: false, suggestion: null };
return {valid: false, suggestion: null};
}
const [ip, mask] = input.split('/');
const maskNum = parseInt(mask);
@@ -746,10 +816,10 @@ export default {
networkIPParts.push(parseInt(octet, 2));
}
const suggestedIP = networkIPParts.join('.');
return { valid: false, suggestion: `${suggestedIP}/${mask}` };
return {valid: false, suggestion: `${suggestedIP}/${mask}`};
}
}
return { valid: true, suggestion: null };
return {valid: true, suggestion: null};
},
resetForm(formName) {
this.$refs[formName].resetFields();
@@ -766,7 +836,7 @@ export default {
},
beforeTabLeave() {
var isSwitch = true
if (! this.user_edit_dialog) {
if (!this.user_edit_dialog) {
return isSwitch;
}
this.$refs['ruleForm'].validate((valid) => {
@@ -813,19 +883,20 @@ export default {
width: 80px;
}
::v-deep .valgin-dialog{
::v-deep .valgin-dialog {
display: flex;
flex-direction: column;
margin:0 !important;
position:absolute;
top:50%;
left:50%;
transform:translate(-50%,-50%);
max-height:calc(100% - 30px);
max-width:calc(100% - 30px);
margin: 0 !important;
position: absolute;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
max-height: calc(100% - 30px);
max-width: calc(100% - 30px);
}
::v-deep .valgin-dialog .el-dialog__body{
flex:1;
::v-deep .valgin-dialog .el-dialog__body {
flex: 1;
overflow: auto;
}
</style>