Merge pull request #305 from bjdgyc/dev

修复心跳时间

.codecov.yml

@@ -1,5 +1,7 @@
 ignore:
-  - "screenshot"
+  - "^doc"
-  - "web"
+  - "^home"
-  - "server/conf"
+  - "^web"
-  - "server/files"
+  - "^server/conf"
+  - "^server/files"
+

.github/FUNDING.yml

@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: [ 'https://github.com/bjdgyc/anylink/blob/main/doc/README.md' ] # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

.github/ISSUE_TEMPLATE/00-question.md

@@ -0,0 +1,35 @@
+---
+name: 问题描述
+about: 问题描述
+title: "affected/package: "
+---
+
+<!--
+请先填写下面的问题，再填写具体遇到的问题，感谢！
+-->
+
+### 使用的anylink版本 ?
+
+<pre>
+./anylink tool -v
+管理后台也可以查看
+</pre>
+
+
+### 使用操作系统的类型和版本?
+如： centos 7.9
+<pre>
+cat /etc/issue
+cat /etc/redhat-release
+
+</pre>
+
+### 使用linux 内核版本?
+<pre>
+uname -a
+
+</pre>
+
+### 具体遇到的问题，可上传截图
+
+

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,73 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '32 5 * * 1'
+#  push:
+#    branches: [ "main", "dev" ]
+#  pull_request:
+#    branches: [ "main", "dev" ]
+
+
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'javascript' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
+
+      #- run: |
+      #   make bootstrap
+      #   make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/go-update.yml

@@ -0,0 +1,48 @@
+name: go-update
+on:
+  workflow_dispatch:
+#  schedule:
+#    - cron: "1 2 * * 5"
+
+jobs:
+  go:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup Go 1.x.y
+        uses: actions/setup-go@main
+        with:
+          go-version: '1.20'
+          stable: true
+
+      - name: Checkout codebase
+        uses: actions/checkout@main
+
+      - name: go
+        run: |
+          cd ./server
+          go mod tidy -compat=1.20
+          #gofmt -w -r 'interface{} -> any' .
+          go get -u
+          go mod download
+          go get -u
+          go mod download
+
+      - name: Git push
+        run: |
+          git init
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote rm origin
+          git remote add origin "https://${{ github.actor }}:${{ secrets.GITHUBTOKEN }}@github.com/${{ github.repository }}"
+          git gc --aggressive
+          git add --all
+          git commit -m "update go.mod $(date +%Y.%m.%d.%H.%M)"
+          #git push -f -u origin _autoaction
+          git push -u origin _autoaction
+
+      # 删除无用 workflow runs;
+      - name: Delete workflow runs
+        uses: GitRML/delete-workflow-runs@main
+        with:
+          retain_days: 0.1
+          keep_minimum_runs: 1

.github/workflows/go.yml

@@ -1,6 +1,8 @@
 name: Go
 
 on:
+  workflow_dispatch:
+
   push:
     branches: [ "main", "dev" ]
   pull_request:
@@ -12,15 +14,15 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4
 
       - name: Set up Go 1.x
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
-          go-version: 1.15
+          go-version: '1.20'
-        id: go
+          go-version-file: 'server/go.mod'
-
+          cache-dependency-path: 'server/go.sum'
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
 
       - name: Get dependencies
         run: |
@@ -30,15 +32,18 @@ jobs:
       - name: Build
         run: |
           cd server
-          go build -v -o anylink -ldflags "-X main.COMMIT_ID=`git rev-parse HEAD`"
+          mkdir ui
+          touch ui/index.html
+          go build -v -o anylink -trimpath -ldflags "-X main.CommitId=`git rev-parse HEAD`"
           ./anylink tool -v
 
       - name: Test coverage
         run: |
           cd server
+          go test ./...
           go test -race -coverprofile=coverage.txt -covermode=atomic -v ./...
 
-      - name: Upload coverage to Codecov
+      - name: Upload coverage reports to Codecov
-        run: |
+        uses: codecov/codecov-action@v3
-          cd server
+        env:
-          bash <(curl -s https://codecov.io/bash)
+          CODECOV_TOKEN: 28d52fb0-8fc9-460f-95b9-fb84f9138e58

.github/workflows/release.yml

@@ -0,0 +1,98 @@
+name: release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v0.*"
+      - "v1.*"
+
+jobs:
+  Build:
+    name: build-binary
+    runs-on: ubuntu-latest
+    env:
+      TZ: Asia/Shanghai
+    steps:
+      - name: Hello world
+        run: uname -a
+
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '16'
+          cache: 'yarn'
+          cache-dependency-path: 'web/yarn.lock'
+      - name: Build web
+        working-directory: web
+        run: |
+          yarn install
+          yarn run build
+      #      - uses: actions/setup-go@v4
+      #        with:
+      #          go-version: '1.20'
+      #          cache-dependency-path: 'server/go.sum'
+
+      - name: Set up QEMU
+        # https://github.com/docker/setup-qemu-action
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: bjdgyc
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          logout: true
+
+      - name: Pre bash
+        shell: bash
+        run: |
+          appVer=`cat version`
+          commitId=`git rev-parse HEAD`
+          echo "APP_VER=$appVer" >> $GITHUB_ENV
+          echo "commitId=$commitId" >> $GITHUB_ENV
+          
+          echo $appVer > version_info
+          echo $commitId >> version_info
+          echo $GITHUB_REF >> version_info
+          echo $GITHUB_REF_NAME >> version_info
+          
+          #cd server;go mod tidy
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          cache-from: type=gha,scope=anylink
+          cache-to: type=gha,mode=max,scope=anylink
+          context: .
+          file: ./docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          #platforms: linux/amd64
+          build-args: |
+            appVer=${{ env.APP_VER }}
+            commitId=${{ env.commitId }}
+          tags: bjdgyc/anylink:${{ env.APP_VER }},bjdgyc/anylink:latest
+          #tags: bjdgyc/anylink:${{ env.APP_VER }}
+
+      - name: Build deploy binary
+        shell: bash
+        run: bash release.sh
+
+      - name: Release
+        # https://github.com/ncipollo/release-action
+        # artifacts: bin/release/*
+        # generateReleaseNotes: true
+        # draft: true
+        # https://github.com/softprops/action-gh-release
+        uses: softprops/action-gh-release@v1
+        #if: startsWith(github.ref, 'refs/tags/')
+        with:
+          tag_name: v${{ env.APP_VER }}
+          files: artifact-dist/*
+
+#  Docker:
+#    name: build-docker

.gitignore

@@ -1,5 +1,12 @@
 # Binaries for programs and plugins
 .idea/
 anylink-deploy
-ui
+anylink-deploy.tar.gz
+anylink
+anylink.db
 
+dist
+artifact-dist
+
+anylink_amd64
+anylink_arm64

.goreleaser.yaml

@@ -0,0 +1,104 @@
+#https://goreleaser.com/static/schema.json
+
+# release --skip=publish
+
+# goreleaser build --skip=validate --clean --debug
+
+# GOPROXY=https://goproxy.cn
+
+# docker run -it --rm -v $PWD:/app -v /go:/go -w /app --platform=linux/arm64 golang:alpine3.19
+
+# docker run -it --rm -v $PWD:/app -v /go:/go -w /app goreleaser/goreleaser-cross build --skip=validate --clean --debug
+
+# docker run -it --rm -v $PWD:/app -v /go:/go -w /app bjdgyc/dcross goreleaser build --skip=validate --clean --debug
+
+version: 1
+
+dist: dist
+
+before:
+  hooks:
+    - pwd
+#    - cmd: go mod tidy
+#      dir:
+#        "{{ dir .Dist}}"
+#      output: true
+#    - cmd: go generate
+#      dir:
+#        "{{ dir .Dist}}"
+#      output: true
+
+builds:
+  - id: "build"
+    #main: .
+    dir: ./server
+    hooks:
+      pre:
+        - cmd: go mod tidy
+          dir: ./server
+          output: true
+        - cmd: go generate
+          dir: ./server
+          output: true
+    # {{- if eq .Arch "amd64" }}CC=x86_64-linux-gnu-gcc CXX=x86_64-linux-gnu-g++{{- end }}
+    env:
+      - CGO_ENABLED=1
+      - >-
+        {{- if eq .Os "linux" }}
+          {{- if eq .Arch "amd64" }}CC=x86_64-linux-musl-gcc{{- end }}
+        
+          {{- if eq .Arch "arm64" }}CC=aarch64-linux-gnu-gcc{{- end }}
+        {{- end }}
+        {{- if eq .Os "darwin" }}
+          {{- if eq .Arch "amd64"}}CC=o64-clang{{- end }}
+          {{- if eq .Arch "arm64"}}CC=oa64-clang{{- end }}
+        {{- end }}
+        {{- if eq .Os "windows" }}
+          {{- if eq .Arch "amd64"}}CC=x86_64-w64-mingw32-gcc{{- end }}
+          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
+        {{- end }}
+    goos:
+      - linux
+      #- darwin
+      #- windows
+    goarch:
+      - amd64
+      #- arm64
+    # https://go.dev/wiki/MinimumRequirements
+    goamd64:
+      - v1
+    command: build
+    flags:
+      - -trimpath
+      - -tags osusergo,netgo,sqlite_omit_load_extension
+    ldflags:
+      # go tool link -help
+      # go tool compile -help
+      # -linkmode external
+      # -extld=$CC
+      # -fpic 作为动态链接库的时候 需要添加
+
+      - -s -w -extldflags '-static' -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X main.builtBy=dcross
+
+archives:
+  - id: "archive1"
+    format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"

Dockerfile

@@ -1,48 +0,0 @@
-# web
-FROM node:lts-alpine as builder_node
-WORKDIR /web
-COPY ./web /web
-RUN npx browserslist@latest --update-db \
-    && npm install \
-    && npm run build \
-    && ls /web/ui
-
-# server
-FROM golang:alpine as builder_golang
-#TODO 本地打包时使用镜像
-#ENV GOPROXY=https://goproxy.io
-ENV GOOS=linux
-WORKDIR /anylink
-COPY . /anylink
-COPY --from=builder_node /web/ui  /anylink/server/ui
-
-#TODO 本地打包时使用镜像
-#RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
-RUN apk add --no-cache git
-RUN cd /anylink/server;go build -o anylink -ldflags "-X main.COMMIT_ID=$(git rev-parse HEAD)" \
-    && /anylink/server/anylink tool -v
-
-# anylink
-FROM alpine
-LABEL maintainer="github.com/bjdgyc"
-
-ENV IPV4_CIDR="192.168.10.0/24"
-
-WORKDIR /app
-COPY --from=builder_node /web/ui  /app/ui
-COPY --from=builder_golang /anylink/server/anylink  /app/
-COPY ./server/conf  /app/conf
-COPY ./server/files  /app/files
-COPY docker_entrypoint.sh  /app/
-
-#TODO 本地打包时使用镜像
-#RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
-RUN apk add --no-cache bash iptables \
-    && chmod +x /app/docker_entrypoint.sh \
-    && ls /app
-
-EXPOSE 443 8800
-
-#CMD ["/app/anylink"]
-ENTRYPOINT ["/app/docker_entrypoint.sh"]
-

LICENSE

@@ -1,21 +1,661 @@
-MIT License
+GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
 
-Copyright (c) 2020 bjdgyc
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
+                            Preamble
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all
+  The GNU Affero General Public License is a free, copyleft license for
-copies or substantial portions of the Software.
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  The licenses for most software and other practical works are designed
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+to take away your freedom to share and change the works.  By contrast,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+our General Public Licenses are intended to guarantee your freedom to
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+share and change all versions of a program--to make sure it remains free
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+software for all its users.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

README.md

@@ -1,11 +1,16 @@
 # AnyLink
 
-[![Go](https://github.com/bjdgyc/anylink/workflows/Go/badge.svg?branch=master)](https://github.com/bjdgyc/anylink/actions)
+[![Go](https://github.com/bjdgyc/anylink/workflows/Go/badge.svg?branch=main)](https://github.com/bjdgyc/anylink/actions)
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/bjdgyc/anylink)](https://pkg.go.dev/github.com/bjdgyc/anylink)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bjdgyc/anylink)](https://goreportcard.com/report/github.com/bjdgyc/anylink)
-[![codecov](https://codecov.io/gh/bjdgyc/anylink/branch/master/graph/badge.svg?token=JTFLIIIBQ0)](https://codecov.io/gh/bjdgyc/anylink)
+[![codecov](https://codecov.io/gh/bjdgyc/anylink/graph/badge.svg?token=JTFLIIIBQ0)](https://codecov.io/gh/bjdgyc/anylink)
+![GitHub release](https://img.shields.io/github/v/release/bjdgyc/anylink)
+![GitHub downloads total)](https://img.shields.io/github/downloads/bjdgyc/anylink/total)
+![GitHub Downloads (all assets, latest release)](https://img.shields.io/github/downloads/bjdgyc/anylink/latest/total)
+[![Docker pulls)](https://img.shields.io/docker/pulls/bjdgyc/anylink.svg)](https://hub.docker.com/r/bjdgyc/anylink)
+![LICENSE](https://img.shields.io/github/license/bjdgyc/anylink)
 
-AnyLink 是一个企业级远程办公sslvpn的软件，可以支持多人同时在线使用。
+AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同时在线使用。
 
 ## Repo
 
@@ -18,231 +23,449 @@ AnyLink 是一个企业级远程办公sslvpn的软件，可以支持多人同时
 AnyLink 基于 [ietf-openconnect](https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-02)
 协议开发，并且借鉴了 [ocserv](http://ocserv.gitlab.io/www/index.html) 的开发思路，使其可以同时兼容 AnyConnect 客户端。
 
-AnyLink 使用TLS/DTLS进行数据加密，因此需要RSA或ECC证书，可以通过 Let's Encrypt 和 TrustAsia 申请免费的SSL证书。
+AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以通过 Let's Encrypt 和 TrustAsia 申请免费的 SSL 证书。
 
-AnyLink 服务端仅在CentOS 7、Ubuntu 18.04测试通过，如需要安装在其他系统，需要服务端支持tun/tap功能、ip设置命令。
+AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试通过，如需要安装在其他系统，需要服务端支持 tun/tap
+功能、ip 设置命令。
 
 ## Screenshot
 
-![online](screenshot/online.jpg)
+![online](doc/screenshot/online.jpg)
+
+## Donate
+
+> 如果您觉得 anylink 对你有帮助，欢迎给我们打赏，也是帮助 anylink 更好的发展。
+>
+> [查看打赏列表](doc/README.md)
+
+<p>
+    <img src="doc/screenshot/wxpay2.png" width="400" />
+</p>
 
 ## Installation
 
-> 没有编程基础的同学建议直接下载release包，从下面的地址下载 anylink-deploy.tar.gz
+> 没有编程基础的同学建议直接下载 release 包，从下面的地址下载 anylink-deploy.tar.gz
 >
 > https://github.com/bjdgyc/anylink/releases
-
-> 升级 go version = 1.15
 > 
-> 需要提前安装好 golang 和 nodejs
+> https://gitee.com/bjdgyc/anylink/releases
+>
+> 如果不会安装，可以提供有偿远程协助服务(200 CNY)。添加QQ(68492170)联系我
+> 
+> 也可以添加QQ群 咨询群内大佬
+> 
+> 添加QQ群①(已满): 567510628
+> 
+> 添加QQ群②: 739072205
+
+### 使用问题
+
+> 对于测试环境，可以使用 vpn.test.vqilu.cn 绑定host进行测试
+>
+> 对于线上环境，必须申请安全的https证书(跟nginx使用的证书类型一致)，不支持私有证书连接
+>
+> 群共享文件有相关客户端软件下载，其他版本没有测试过，不保证使用正常
+> 
+> 其他问题 [前往查看](doc/question.md)
+>
+> 默认管理后台访问地址  https://host:8800 或 https://域名:8800 默认账号密码 admin 123456
+>
+> 首次使用，请在浏览器访问  https://域名:443   浏览器提示安全后，在客户端输入 【域名:443】 即可
+
+### 自行编译安装
+
+> 需要提前安装好 golang >= 1.20 和 nodejs = 16.x 和 yarn >= v1.22.x
 
 ```shell
 git clone https://github.com/bjdgyc/anylink.git
 
+# 编译参考软件版本
+# go 1.20.12
+# node v16.20.2
+# yarn 1.22.19
+
+
 cd anylink
-sh build.sh
+bash build.sh
 
 # 注意使用root权限运行
 cd anylink-deploy
-sudo ./anylink -conf="conf/server.toml"
+sudo ./anylink
 
 # 默认管理后台访问地址
-# http://host:8800
+# https://host:8800
-# 默认账号密码
+# 默认账号 密码
 # admin 123456
 
+
 ```
 
 ## Feature
 
-- [x] IP分配(实现IP、MAC映射信息的持久化)
+- [x] IP 分配(实现 IP、MAC 映射信息的持久化)
-- [x] TLS-TCP通道
+- [x] TLS-TCP 通道
-- [x] 兼容AnyConnect
+- [x] DTLS-UDP 通道
-- [x] 基于tun设备的nat访问模式
+- [x] 兼容 AnyConnect
-- [x] 基于tap设备的桥接访问模式
+- [x] 兼容 OpenConnect
-- [x] 支持 [proxy protocol v1](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 协议
+- [x] 基于 tun 设备的 nat 访问模式
+- [x] 基于 tun 设备的桥接访问模式
+- [x] 基于 macvtap 设备的桥接访问模式
+- [x] 支持 [proxy protocol v1&v2](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 协议
 - [x] 用户组支持
+- [x] 用户组策略支持
 - [x] 多用户支持
-- [x] TOTP令牌支持
+- [x] 用户策略支持
-- [x] TOTP令牌开关
+- [x] TOTP 令牌支持
-- [x] 流量控制
+- [x] TOTP 令牌开关
+- [x] 流量速率限制
 - [x] 后台管理界面
 - [x] 访问权限管理
-
+- [x] 用户活动审计功能
-- [ ] DTLS-UDP通道
+- [x] IP 访问审计功能
+- [x] 域名动态拆分隧道（域名路由功能）
+- [x] radius认证支持
+- [x] LDAP认证支持
+- [x] 空闲链接超时自动断开
+- [x] 流量压缩功能
+- [x] 出口 IP 自动放行
+- [x] 支持多服务的配置区分
+- [ ] 基于 ipvtap 设备的桥接访问模式
 
 ## Config
 
-默认配置文件内有详细的注释，根据注释填写配置即可。
+> 示例配置文件内有详细的注释，根据注释填写配置即可。
 
 ```shell
+# 查看帮助信息
+./anylink -h
+
 # 生成后台密码
 ./anylink tool -p 123456
 
 # 生成jwt密钥
 ./anylink tool -s
+
+# 查看所有配置项
+./anylink tool -d
 ```
 
-[conf/server.toml](server/conf/server.toml)
+> 数据库配置示例
+>
+> 数据库表结构自动生成，无需手动导入(请赋予 DDL 权限)
 
-## Systemd
+| db_type  | db_source                                              |
+|----------|--------------------------------------------------------|
+| sqlite3  | ./conf/anylink.db                                      |
+| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8 |
+| postgres | user:password@localhost/anylink?sslmode=verify-full    |
 
-添加 systemd脚本
+> 示例配置文件
+>
+> [conf/server-sample.toml](server/conf/server-sample.toml)
 
-* anylink 程序目录放入 `/usr/local/anylink-deploy`
+## Upgrade
 
-systemd 脚本放入：
+> 升级前请备份配置文件`conf`目录 和 数据库，并停止服务
+>
+> 使用新版的 `anylink` 二进制文件替换旧版
+>
+> 重启服务后，即可完成升级
 
-* centos: `/usr/lib/systemd/system/`
+## Setting
-* ubuntu: `/lib/systemd/system/`
 
-操作命令:
+### 依赖设置
 
-* 启动: `systemctl start anylink`
+> 服务端依赖安装:
-* 停止: `systemctl stop anylink`
+>
-* 开机自启: `systemctl enable anylink`
+> centos: yum install iptables iproute
+>
+> ubuntu: apt-get install iptables iproute2
+
+
+### link_mode 设置
+
+> 以下参数必须设置其中之一
+
+网络模式选择，需要配置 `link_mode` 参数，如 `link_mode="tun"`,`link_mode="macvtap"`,`link_mode="tap"(不推荐)` 等参数。
+不同的参数需要对服务器做相应的设置。
+
+建议优先选择 tun 模式，其次选择 macvtap 模式，因客户端传输的是 IP 层数据，无须进行数据转换。 tap 模式是在用户态做的链路层到
+IP 层的数据互相转换，性能会有所下降。 如果需要在虚拟机内开启 tap
+模式，请确认虚拟机的网卡开启混杂模式。
+
+#### tun 设置
+
+1. 开启服务器转发
+
+```shell
+# 新版本支持自动设置ip转发
+
+# file: /etc/sysctl.conf
+net.ipv4.ip_forward = 1
+
+#执行如下命令
+sysctl -w net.ipv4.ip_forward=1
+
+# 查看设置是否生效
+cat /proc/sys/net/ipv4/ip_forward
+```
+
+2.1 设置 nat 转发规则(二选一)
+
+```shell
+systemctl stop firewalld.service
+systemctl disable firewalld.service
+
+# 新版本支持自动设置nat转发，如有其他需求可以参考下面的命令配置
+
+# 请根据服务器内网网卡替换 eth0
+# iptables -t nat -A POSTROUTING -s 192.168.90.0/24 -o eth0 -j MASQUERADE
+# 如果执行第一个命令不生效，可以继续执行下面的命令
+# iptables -A FORWARD -i eth0 -s 192.168.90.0/24 -j ACCEPT
+# 查看设置是否生效
+# iptables -nL -t nat
+```
+
+2.2 使用全局路由转发(二选一)
+
+```shell
+# 假设anylink所在服务器的内网ip: 10.1.2.10
+
+# 首先关闭nat转发功能
+iptables_nat = false
+
+# 传统网络架构，在华三交换机添加以下静态路由规则
+ip route-static 192.168.90.0 255.255.255.0 10.1.2.10
+# 其他品牌的交换机命令，请参考以下地址
+https://cloud.tencent.com/document/product/216/62007
+
+# 公有云环境下，需设置vpc下的路由表，添加以下路由策略
+目的端: 192.168.90.0/24
+下一跳类型: 云服务器
+下一跳: 10.1.2.10
+
+```
+
+3. 使用 AnyConnect 客户端连接即可
+
+#### 桥接设置
+
+1. 设置配置文件
+
+> macvtap 设置相对比较简单，只需要配置相应的参数即可。
+> 
+> 网络要求：需要网络支持 ARP 传输，可通过 ARP 宣告普通内网 IP。
+> 
+> 网络限制：云环境下不能使用，网卡mac加白环境不能使用，802.1x认证网络不能使用
+> 
+> 以下参数可以通过执行 `ip a` 查看
+
+
+1.1 arp_proxy
+
+```
+
+# file: /etc/sysctl.conf
+net.ipv4.conf.all.proxy_arp = 1
+
+#执行如下命令
+sysctl -w net.ipv4.conf.all.proxy_arp=1
+
+
+配置文件修改:
+
+# 首先关闭nat转发功能
+iptables_nat = false
+
+
+link_mode = "tun"
+#内网主网卡名称
+ipv4_master = "eth0"
+#以下网段需要跟ipv4_master网卡设置成一样
+ipv4_cidr = "10.1.2.0/24"
+ipv4_gateway = "10.1.2.99"
+ipv4_start = "10.1.2.100"
+ipv4_end = "10.1.2.200"
+
+```
+
+1.2 macvtap
+
+```
+
+# 命令行执行 master网卡需要打开混杂模式
+ip link set dev eth0 promisc on
+
+#=====================#
+
+# 配置文件修改
+# 首先关闭nat转发功能
+iptables_nat = false
+
+link_mode = "macvtap"
+#内网主网卡名称
+ipv4_master = "eth0"
+#以下网段需要跟ipv4_master网卡设置成一样
+ipv4_cidr = "10.1.2.0/24"
+ipv4_gateway = "10.1.2.1"
+ipv4_start = "10.1.2.100"
+ipv4_end = "10.1.2.200"
+```
+
+## Deploy
+
+> 部署配置文件放在 `deploy` 目录下，请根据实际情况修改配置文件
+
+### Systemd
+
+1. 添加 anylink 程序
+    - 首先把 `anylink-deploy` 文件夹放入 `/usr/local/anylink-deploy`
+    - 添加执行权限 `chmod +x /usr/local/anylink-deploy/anylink`
+2. 把 `anylink.service` 脚本放入：
+    - centos: `/usr/lib/systemd/system/`
+    - ubuntu: `/lib/systemd/system/`
+3. 操作命令:
+    - 启动: `systemctl start anylink`
+    - 停止: `systemctl stop anylink`
+    - 开机自启: `systemctl enable anylink`
+
+### Docker Compose
+
+1. 进入 `deploy` 目录
+2. 执行脚本 `docker-compose up`
+
+### k8s
+
+1. 进入 `deploy` 目录
+2. 执行脚本 `kubectl apply -f deployment.yaml`
 
 ## Docker
 
 1. 获取镜像
-
    ```bash
+   # 具体tag可以从docker hub获取
+   # https://hub.docker.com/r/bjdgyc/anylink/tags
    docker pull bjdgyc/anylink:latest
    ```
 
-2. 生成密码
+2. 查看命令信息
+   ```bash
+   docker run -it --rm bjdgyc/anylink -h
+   ```
 
+3. 生成密码
    ```bash
    docker run -it --rm bjdgyc/anylink tool -p 123456
    #Passwd:$2a$10$lCWTCcGmQdE/4Kb1wabbLelu4vY/cUwBwN64xIzvXcihFgRzUvH2a
    ```
 
-3. 生成jwt secret
+4. 生成 jwt secret
-
    ```bash
    docker run -it --rm bjdgyc/anylink tool -s
    #Secret:9qXoIhY01jqhWIeIluGliOS4O_rhcXGGGu422uRZ1JjZxIZmh17WwzW36woEbA
    ```
 
-4. 启动容器
+5. 查看所有配置项
-
    ```bash
-   docker run -itd --name anylink --privileged \
+   docker run -it --rm bjdgyc/anylink tool -d
-   -p 443:443 -p 8800:8800 \
-   --restart=always \
-   bjdgyc/anylink
    ```
 
-5. 使用自定义参数启动容器
+6. 启动容器
-   
    ```bash
+   # 默认启动
    docker run -itd --name anylink --privileged \
-   -e IPV4_CIDR=192.168.10.0/24 \
+       -p 443:443 -p 8800:8800 -p 443:443/udp \
-   -p 443:443 -p 8800:8800 \
+       --restart=always \
-   --restart=always \
+       bjdgyc/anylink
-   bjdgyc/anylink \
+   
-   -c=/etc/server.toml --admin_addr=:8080
+   # 自定义配置目录
+   # 首次启动会自动创建配置文件
+   # 配置文件初始化完成后，容器会强制退出，请重新启动容器
+   docker run -itd --name anylink --privileged \
+       -p 443:443 -p 8800:8800 -p 443:443/udp \
+       -v /home/myconf:/app/conf \
+       --restart=always \
+       bjdgyc/anylink
+   
+   docker restart anylink
    ```
 
-6. 构建镜像
+6. 使用自定义参数启动容器
+   ```bash
+   # 参数可以参考 ./anylink tool -d
+   # 可以使用命令行参数 或者 环境变量 配置
+   docker run -itd --name anylink --privileged \
+       -e LINK_LOG_LEVEL=info \
+       -p 443:443 -p 8800:8800 -p 443:443/udp \
+       -v /home/myconf:/app/conf \
+       --restart=always \
+       bjdgyc/anylink \
+       --ip_lease=1209600 # IP地址租约时长
+   ```
 
+7. 构建镜像 (非必需)
    ```bash
    #获取仓库源码
    git clone https://github.com/bjdgyc/anylink.git
    # 构建镜像
-   docker build -t anylink .
+   sh build_docker.sh
+   或
+   docker build -t anylink -f docker/Dockerfile .
    ```
 
-## Setting
+## 常见问题
 
-网络模式选择，需要配置 `link_mode` 参数，如 `link_mode="tun"`,`link_mode="tap"` 两种参数。 不同的参数需要对服务器做相应的设置。
+请前往 [问题地址](doc/question.md) 查看具体信息
-
-建议优先选择tun模式，因客户端传输的是IP层数据，无须进行数据转换。 tap模式是在用户态做的链路层到IP层的数据互相转换，性能会有所下降。 如果需要在虚拟机内开启tap模式，请确认虚拟机的网卡开启混杂模式。
-
-### tun设置
-
-1. 开启服务器转发
-
- ```shell
- # flie: /etc/sysctl.conf
- net.ipv4.ip_forward = 1
-
- #执行如下命令
- sysctl -w net.ipv4.ip_forward=1
- ```
-
-2. 设置nat转发规则
-
-```shell
-# eth0为服务器内网网卡
-iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
-```
-
-3. 使用AnyConnect客户端连接即可
-
-### tap设置
-
-1. 创建桥接网卡
-
-```
-注意 server.toml 的ip参数，需要与 bridge-init.sh 的配置参数一致
-```
-
-2. 修改 bridge-init.sh 内的参数
-
-```
-eth="eth0"
-eth_ip="192.168.1.4"
-eth_netmask="255.255.255.0"
-eth_broadcast="192.168.1.255"
-eth_gateway="192.168.1.1"
-```
-
-3. 执行 bridge-init.sh 文件
-
-```
-sh bridge-init.sh
-```
-
-## Soft
-
-相关软件下载： QQ群共享文件: 567510628
 
+<!--
 ## Discussion
 
-![qq.png](screenshot/qq.png)
+群共享文件有相关软件下载
+
+添加微信群: 群共享文件有相关软件下载
+
+![contact_me_qr](doc/screenshot/contact_me_qr.png)
+-->
+
+## Support Document
+
+- [三方文档-男孩的天职](https://note.youdao.com/s/X4AxyWfL)
+- [三方文档-issues](https://github.com/bjdgyc/anylink/issues)
+- [三方文档-思有云](https://www.ioiox.com/archives/128.html)
+
+## Support Client
+
+- [AnyConnect Secure Client](https://www.cisco.com/) (可通过群文件下载: Windows/macOS/Linux/Android/iOS)
+- [OpenConnect](https://gitlab.com/openconnect/openconnect) (Windows/macOS/Linux)
+- [三方 AnyLink Secure Client](https://github.com/tlslink/anylink-client) (Windows/macOS/Linux)
+- [三方客户端下载地址](https://cisco.yangpin.link) (Windows/macOS/Linux/Android/iOS)
 
-添加QQ群: 567510628
 
 ## Contribution
 
-欢迎提交 PR、Issues，感谢为AnyLink做出贡献。 
+欢迎提交 PR、Issues，感谢为 AnyLink 做出贡献。
 
-注意新建PR，需要提交到dev分支，其他分支暂不会合并。
+注意新建 PR，需要提交到 dev 分支，其他分支暂不会合并。
 
 ## Other Screenshot
 
 <details>
 <summary>展开查看</summary>
 
-![system.jpg](screenshot/system.jpg)
+![system.jpg](doc/screenshot/system.jpg)
-![setting.jpg](screenshot/setting.jpg)
+![setting.jpg](doc/screenshot/setting.jpg)
-![users.jpg](screenshot/users.jpg)
+![users.jpg](doc/screenshot/users.jpg)
-![ip_map.jpg](screenshot/ip_map.jpg)
+![ip_map.jpg](doc/screenshot/ip_map.jpg)
-![group.jpg](screenshot/group.jpg)
+![group.jpg](doc/screenshot/group.jpg)
 
 </details>
 
 ## License
 
-本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 LICENSE 文件中。
+本项目采用 AGPL-3.0 开源授权许可证，完整的授权说明已放置在 LICENSE 文件中。
 
 ## Thank
 
 <a href="https://www.jetbrains.com">
-    <img src="screenshot/jetbrains.png" width="200" height="200" alt="jetbrains.png" />
+    <img src="doc/screenshot/jetbrains.png" width="200" alt="jetbrains.png" />
 </a>
-
-
-
-

build.sh

@@ -1,47 +1,21 @@
-#!/bin/env bash
+#!/bin/bash
-
-set -x
-function RETVAL() {
-  rt=$1
-  if [ $rt != 0 ]; then
-    echo $rt
-    exit 1
-  fi
-}
 
 #当前目录
 cpath=$(pwd)
 
-echo "编译二进制文件"
+ver=$(cat version)
+echo $ver
+
+#前端编译 仅需要执行一次
+bash ./build_web.sh
+
 cd $cpath/server
-go build -o anylink -ldflags "-X main.COMMIT_ID=$(git rev-parse HEAD)"
-RETVAL $?
 
-echo "编译前端项目"
+go build -v -o anylink
-cd $cpath/web
-#国内可替换源加快速度
-npm install --registry=https://registry.npm.taobao.org
-npm run build --registry=https://registry.npm.taobao.org
-#npm install
-#npm run build
-RETVAL $?
 
-cd $cpath
+./anylink -v
 
-echo "整理部署文件"
-deploy="anylink-deploy"
-rm -rf $deploy
-mkdir $deploy
-mkdir $deploy/log
 
-cp -r server/anylink $deploy
+echo "anylink 编译完成，目录: $cpath/server/anylink"
-cp -r server/conf $deploy
-cp -r server/files $deploy
-cp -r server/bridge-init.sh $deploy
 
-cp -r systemd $deploy
-cp -r web/ui $deploy
 
-#注意使用root权限运行
-#cd anylink-deploy
-#sudo ./anylink -conf="conf/server.toml"

build_docker.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+ver=$(cat version)
+echo $ver
+
+# docker login -u bjdgyc
+
+# 生成时间 2024-01-30T21:41:27+08:00
+# date -Iseconds
+
+#bash ./build_web.sh
+
+# docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 本地不生成镜像
+docker build -t bjdgyc/anylink:latest --no-cache --progress=plain --platform linux/amd64 \
+  --build-arg CN="yes" --build-arg appVer=$ver --build-arg commitId=$(git rev-parse HEAD) -f docker/Dockerfile .
+
+echo "docker tag latest $ver"
+docker tag bjdgyc/anylink:latest bjdgyc/anylink:$ver
+
+exit 0
+
+docker tag bjdgyc/anylink:latest registry.cn-qingdao.aliyuncs.com/bjdgyc/anylink:latest
+
+docker push registry.cn-qingdao.aliyuncs.com/bjdgyc/anylink:latest

build_test.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+
+#github action release.sh
+
+set -x
+function RETVAL() {
+  rt=$1
+  if [ $rt != 0 ]; then
+    echo $rt
+    exit 1
+  fi
+}
+
+#当前目录
+cpath=$(pwd)
+
+ver=$(cat version)
+echo $ver
+
+#前端编译 仅需要执行一次
+#bash ./build_web.sh
+
+echo "copy二进制文件"
+
+# -tags osusergo,netgo,sqlite_omit_load_extension
+flags="-trimpath"
+ldflags="-s -w -extldflags '-static' -X main.appVer=$ver -X main.commitId=$(git rev-parse HEAD) -X main.buildDate=$(date --iso-8601=seconds)"
+#github action
+gopath=/go
+
+dockercmd=$(
+  cat <<EOF
+sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+apk add gcc g++ musl musl-dev tzdata
+export GOPROXY=https://goproxy.cn
+go mod tidy
+echo "build:"
+rm anylink
+export CGO_ENABLED=1
+go build -v -o anylink $flags -ldflags "$ldflags"
+./anylink -v
+EOF
+)
+
+#使用 musl-dev 编译
+docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/amd64 \
+  golang:1.20-alpine3.19 sh -c "$dockercmd"
+
+#arm64编译
+#docker run -q --rm -v $PWD/server:/app -v $gopath:/go -w /app --platform=linux/arm64 \
+#  golang:1.20-alpine3.19 go build -o anylink_arm64 $flags -ldflags "$ldflags"
+#exit 0
+
+#cd $cpath
+
+echo "整理部署文件"
+rm -rf anylink-deploy anylink-deploy.tar.gz
+mkdir anylink-deploy
+mkdir anylink-deploy/log
+
+cp -r server/anylink anylink-deploy
+cp -r server/conf anylink-deploy
+
+cp -r index_template anylink-deploy
+cp -r deploy anylink-deploy
+cp -r LICENSE anylink-deploy
+
+tar zcvf anylink-deploy.tar.gz anylink-deploy
+
+#注意使用root权限运行
+#cd anylink-deploy
+#sudo ./anylink --conf="conf/server.toml"

build_web.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+docker run -it --rm -v $PWD/web:/app -w /app node:16-alpine \
+  sh -c "yarn install --registry=https://registry.npmmirror.com && yarn run build"
+
+rm -rf server/ui
+cp -r web/ui server/ui

deploy/anylink.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=AnyLink Server Service
+Documentation=https://github.com/bjdgyc/anylink
+After=network-online.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/usr/local/anylink-deploy
+Restart=on-failure
+RestartSec=5s
+ExecStart=/usr/local/anylink-deploy/anylink --conf=/usr/local/anylink-deploy/conf/server.toml
+
+# systemctl --version
+
+# systemd older than v236
+# ExecStart=/bin/bash -c 'exec /usr/local/anylink-deploy/anylink --conf=/usr/local/anylink-deploy/conf/server.toml >> /usr/local/anylink-deploy/log/anylink.log 2>&1'
+
+# systemd new than v236
+# StandardOutput=file:/usr/local/anylink-deploy/log/anylink-systemd.log
+# StandardError=file:/usr/local/anylink-deploy/log/anylink-systemd.log
+
+[Install]
+WantedBy=multi-user.target

deploy/deployment.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: anylink
+  namespace: default
+  labels:
+    link-app: anylink
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      link-app: anylink
+  template:
+    metadata:
+      labels:
+        link-app: anylink
+    spec:
+      #hostNetwork: true
+      dnsPolicy: ClusterFirst
+      containers:
+        - name: anylink
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            - name: POD_CPU_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            - name: POD_MEMORY_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: TZ
+              value: "Asia/Shanghai"
+          image: bjdgyc/anylink:latest
+          imagePullPolicy: Always
+          args:
+            - --conf=/app/conf/server.toml
+          ports:
+            - name: https
+              containerPort: 443
+              protocol: TCP
+            - name: https-admin
+              containerPort: 8800
+              protocol: TCP
+            - name: dtls
+              containerPort: 443
+              protocol: UDP
+          # 设置资源
+          resources:
+            limits:
+              cpu: "2"
+              memory: 4Gi
+              ephemeral-storage: "2Gi"
+          securityContext:
+            privileged: true
+      # 禁用自动注入 service 信息到环境变量
+      enableServiceLinks: false
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext: { }
+      tolerations:
+        - operator: Exists
+      #设置优先级
+      priorityClassName: system-cluster-critical
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: anylink
+  namespace: default
+  labels:
+    link-app: anylink
+spec:
+  ports:
+    - name: https
+      port: 443
+      targetPort: 443
+      protocol: TCP
+    - name: https-admin
+      port: 8800
+      targetPort: 8800
+      protocol: TCP
+    - name: dtls
+      port: 443
+      targetPort: 443
+      protocol: UDP
+  selector:
+    link-app: anylink
+  sessionAffinity: ClientIP
+  type: ClusterIP

deploy/docker-compose.yaml

@@ -0,0 +1,19 @@
+services:
+  anylink:
+    image: bjdgyc/anylink:latest
+    container_name: anylink
+    restart: always
+    privileged: true
+    #cpus: 2
+    #mem_limit: 4g
+    ports:
+      - 443:443
+      - 8800:8800
+      - 443:443/udp
+    environment:
+      LINK_LOG_LEVEL: info
+    command:
+      - --conf=/app/conf/server.toml
+    #volumes:
+    #  - /home/myconf:/app/conf
+    dns_search: .

doc/README.md

@@ -0,0 +1,50 @@
+## Donate
+
+> 如果您觉得 AnyLink 对你有帮助，欢迎给我们打赏，也是帮助 AnyLink 更好的发展。
+
+<p>
+    <img src="screenshot/wxpay2.png" width="435" alt="anylink捐赠二维码" />
+</p>
+
+## Donator
+
+> 感谢以下同学的打赏，AnyLink 有你更美好！
+>
+> 需要展示主页的同学，可以在QQ群 直接联系我添加。
+
+| 昵称        | 主页 / 联系方式                    |
+|-----------|------------------------------|
+| 代码 oo8    |                              |
+| 甘磊        | https://github.com/ganlei333 |
+| Oo@       | https://github.com/chooop    |
+| 虚极静笃      |                              |
+| 请喝可乐      |                              |
+| 加油加油      |                              |
+| 李建        |                              |
+| lanbin    |                              |
+| 乐在东途      |                              |
+| 孤鸿        |                              |
+| 刘国华       |                              |
+| 改名好无聊     |                              |
+| 全能互联网专家   |                              |
+| JCM       |                              |
+| Eh...     |                              |
+| 沉         |                              |
+| 刘国华       |                              |
+| 忧郁的豚骨拉面   |                              |
+| 张小旋当爹地    |                              |
+| 对方正在输入    |                              |
+| Ronny     |                              |
+| 奔跑的少年     |                              |
+| ZBW       |                              |
+| 悲鸣        |                              |
+| 谢谢        |                              |
+| 云思科技      |                              |
+| 哆啦A伟(张佳伟) |                              |
+| 人类的悲欢并不相通 |                              |
+| 做人要低调     |                              |
+| 洛洛        |                              |
+
+
+
+

doc/question.md

@@ -0,0 +1,115 @@
+## 常见问题
+
+### anyconnect 客户端问题
+
+> 客户端请使用群共享文件的版本，其他版本没有测试过，不保证使用正常
+>
+> 添加QQ群: 567510628
+
+### OTP 动态码
+
+> 请使用手机安装 freeotp ，然后扫描otp二维码，生成的数字即是动态码
+
+### 远程桌面连接
+
+> 本软件已经支持远程桌面里面连接anyconnect。
+
+### 私有证书问题
+
+> anylink 默认不支持私有证书
+>
+> 其他使用私有证书的问题，请自行解决
+
+### 客户端连接名称
+
+> 客户端连接名称需要修改 [profile.xml](../server/conf/profile.xml) 文件
+
+```xml
+
+<HostEntry>
+    <HostName>VPN</HostName>
+    <HostAddress>localhost</HostAddress>
+</HostEntry>
+```
+
+### dpd timeout 设置问题
+
+```yaml
+#客户端失效检测时间(秒) dpd > keepalive
+cstp_keepalive = 4
+cstp_dpd = 9
+mobile_keepalive = 7
+mobile_dpd = 15
+```
+
+> 以上dpd参数为客户端的超时检测时间, 如一段时间内，没有数据传输，防火墙会主动关闭连接
+>
+> 如经常出现 timeout 的错误信息，应根据当前防火墙的设置，适当减小dpd数值
+
+### 关于审计日志 audit_interval 参数
+
+> 默认值 `audit_interval = 600` 表示相同日志600秒内只记录一次，不同日志首次出现立即记录
+>
+> 去重key的格式: 16字节源IP地址 + 16字节目的IP地址 + 2字节目的端口 + 1字节协议类型 + 16字节域名MD5
+
+### 反向代理问题
+
+> anylink 仅支持四层反向代理，不支持七层反向代理
+>
+> 如Nginx请使用 stream模块
+
+```conf
+stream {
+    upstream anylink_server {
+        server 127.0.0.1:8443;
+    }
+    server {
+        listen 443 tcp;
+        proxy_timeout 30s;
+        proxy_pass anylink_server;
+    }
+}
+```
+
+> nginx实现 共用443端口 示例
+
+```conf
+stream {
+    map $ssl_preread_server_name $name {
+        vpn.xx.com        myvpn;
+        default     defaultpage;
+    }
+    
+    # upstream pool
+    upstream myvpn {
+        server 127.0.0.1:8443;
+    }
+    upstream defaultpage {
+        server 127.0.0.1:8080;
+    }
+    
+    server {
+        listen 443 so_keepalive=on;
+        ssl_preread on;
+        #接收端也需要设置 proxy_protocol
+        #proxy_protocol on;
+        proxy_pass $name;
+    }
+}
+
+```
+
+### 性能问题
+
+```
+内网环境测试数据
+虚拟服务器：  centos7 4C8G
+anylink:    tun模式 tcp传输
+客户端文件下载速度：240Mb/s
+客户端网卡下载速度：270Mb/s
+服务端网卡上传速度：280Mb/s
+```
+
+> 客户端tls加密协议、隧道header头都会占用一定带宽
+
+

docker/Dockerfile

@@ -1,6 +1,59 @@
-FROM ubuntu:18.04
+#node:16-bullseye
-WORKDIR /
+#golang:1.20-bullseye
-COPY docker_entrypoint.sh docker_entrypoint.sh
+#debian:bullseye-slim
-RUN mkdir /anylink && apt update && apt install -y wget iptables tar iproute2
+#bullseye
-ENTRYPOINT ["/docker_entrypoint.sh"]
+# sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
-#CMD ["/anylink/anylink","-conf=/anylink/conf/server.toml"]
+#bookworm
+# sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list.d/debian.sources
+
+# sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
+
+
+# 配合 github action 使用
+# 需要先编译出ui文件后 再执行docker编译
+
+# server
+FROM golang:1.20-alpine3.19 as builder_golang
+
+ARG CN="no"
+ARG appVer="appVer"
+ARG commitId="commitId"
+
+ENV TZ=Asia/Shanghai
+
+WORKDIR /server
+COPY docker/init_build.sh /tmp/
+COPY server/ /server/
+COPY web/ui  /server/ui
+
+#RUN apk add gcc musl-dev bash
+RUN sh /tmp/init_build.sh
+
+
+# anylink
+FROM alpine:3.19
+LABEL maintainer="github.com/bjdgyc"
+
+ARG CN="no"
+
+ENV TZ=Asia/Shanghai
+ENV ANYLINK_IN_CONTAINER=true
+
+WORKDIR /app
+COPY docker/init_release.sh /tmp/
+
+COPY --from=builder_golang /server/anylink  /app/
+COPY docker/docker_entrypoint.sh server/bridge-init.sh ./README.md ./LICENSE version_info /app/
+COPY ./deploy /app/deploy
+COPY ./index_template  /app/index_template
+COPY ./server/conf  /app/conf
+
+#TODO 本地打包时使用镜像
+RUN sh /tmp/init_release.sh
+
+
+EXPOSE 443 8800 443/udp
+
+#CMD ["/app/anylink"]
+ENTRYPOINT ["/app/docker_entrypoint.sh"]
+

docker/docker_entrypoint.sh

@@ -1,41 +1,31 @@
 #!/bin/sh
-USER="admin"
+var1=$1
-MM=$(pwgen -1s)
-CREATE_USER=1
-CONFIG_FILE='/app/conf/server.toml'
 
-if [ $CREATE_USER -eq 1 ]; then
+#set -x
-  if [ ! -e $CREATE_USER ]; then
+
-	    MM=$(pwgen -1s)
+case $var1 in
-            touch $CREATE_USER
+"bash" | "sh")
-	    bash /app/generate-certs.sh
+  echo $var1
-            cd /app/conf/ && cp *.crt  /usr/local/share/ca-certificates/
+  exec "$@"
-	    update-ca-certificates --fresh
+  ;;
-            userpass=$(/app/anylink -passwd "${MM}"| cut -d : -f2)
+
-	    echo "${userpass}"
+"tool")
-            jwttoken=$(/app/anylink -secret | cut -d : -f2)
+  /app/anylink "$@"
-            echo "-- First container startup --user:${USER} pwd:${MM}"
+  ;;
-            sed -i "s/admin/${USER}/g" /app/server-example.toml
+
-            sed -i "s/123456/${MM}/g" /app/server-example.toml
+*)
-            sed -i "s#usertoken#${userpass}#g" /app/server-example.toml
+  #sysctl -w net.ipv4.ip_forward=1
-            sed -i "s/jwttoken/${jwttoken}/g" /app/server-example.toml
+  #iptables -t nat -A POSTROUTING -s "${IPV4_CIDR}" -o eth0+ -j MASQUERADE
-            else
+  #iptables -nL -t nat
-                        echo "-- Not first container startup --"
+
+  # 启动服务 先判断配置文件是否存在
+  if [ ! -f /app/conf/profile.xml ]; then
+    /bin/cp -r /home/conf-bak/* /app/conf/
+    echo "After the configuration file is initialized, the container will be forcibly exited. Restart the container."
+    echo "配置文件初始化完成后，容器会强制退出，请重新启动容器。"
+    exit 1
   fi
 
-else
+  exec /app/anylink "$@"
-                echo "user switch not create"
+  ;;
-
+esac
-fi
-
-if [ ! -f $CONFIG_FILE ]; then
-echo "#####Generating configuration file#####"
-cp /app/server-example.toml /app/conf/server.toml
-else
-        echo "#####Configuration file already exists#####"
-fi
-
-rtaddr=$(grep "cidr" /app/conf/server.toml |awk -F \" '{print $2}')
-sysctl -w net.ipv4.ip_forward=1
-iptables -t nat -A POSTROUTING -s "${rtaddr}" -o eth0+ -j MASQUERADE
-/app/anylink -conf="/app/conf/server.toml"

docker/docker_entrypoint_fix.sh

@@ -1,37 +0,0 @@
-#! /bin/bash
-version=(`wget -qO- -t1 -T2 "https://api.github.com/repos/bjdgyc/anylink/releases/latest" | grep "tag_name" | head -n 1 | awk -F ":" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g'`)
-count=(`ls anylink | wc -w `)
-wget https://github.com/bjdgyc/anylink/releases/download/${version}/anylink-deploy.tar.gz
-tar xf anylink-deploy.tar.gz
-rm -rf anylink-deploy.tar.gz
-if [ ${count} -eq 0 ]; then
-	echo "init anylink"
-	mv anylink-deploy/* anylink/
-else
-	if [ ! -d "/anylink/log" ]; then
-		mv anylink-deploy/log anylink/
-	fi
-	if [ ! -d "/anylink/conf" ]; then
-                mv anylink-deploy/conf anylink/
-        fi
-	echo "update anylink"
-	rm -rf anylink/ui anylink/anylink anylink/files
-	mv anylink-deploy/ui anylink/
-	mv anylink-deploy/anylink anylink/
-	mv anylink-deploy/files anylink/
-fi
-rm -rf anylink-deploy
-sysctl -w net.ipv4.ip_forward=1
-if [[ ${mode} == pro ]];then
-	iptables -t nat -A POSTROUTING -s ${iproute} -o eth0 -j MASQUERADE
-	iptables -L -n -t nat
-	/anylink/anylink -conf=/anylink/conf/server.toml
-elif [[ ${mode} == password ]];then
-	if [ -z ${password} ];then
-		echo "invalid password"
-	else
-		/anylink/anylink -passwd ${password}
-	fi
-elif [[ ${mode} -eq jwt ]];then
-	/anylink/anylink -secret
-fi

docker/init_build.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -x
+
+#TODO 本地打包时使用镜像
+if [[ $CN == "yes" ]]; then
+  #sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
+  sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+  export GOPROXY=https://goproxy.cn
+fi
+
+apk add build-base tzdata gcc g++ musl musl-dev upx
+
+uname -a
+env
+date
+
+cd /server
+
+go mod tidy
+
+echo "start build"
+
+ldflags="-s -w -X main.appVer=$appVer -X main.commitId=$commitId -X main.buildDate=$(date -Iseconds) -extldflags \"-static\" "
+
+export CGO_ENABLED=1
+go build -v -o anylink -trimpath -ldflags "$ldflags"
+
+ls -lh /server/
+
+# 压缩文件
+upx -9 -k anylink
+
+/server/anylink -v

docker/init_release.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -x
+
+#TODO 本地打包时使用镜像
+if [[ $CN == "yes" ]]; then
+  #sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
+  sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+  export GOPROXY=https://goproxy.cn
+fi
+
+# alpine:3.19 兼容老版 iptables
+apk add --no-cache iptables iptables-legacy
+rm /sbin/iptables
+ln -s /sbin/iptables-legacy /sbin/iptables
+
+apk add --no-cache ca-certificates bash iproute2 tzdata
+chmod +x /app/docker_entrypoint.sh
+mkdir /app/log
+
+#备份配置文件
+cp -r /app/conf /home/conf-bak
+
+tree /app
+
+uname -a
+date -Iseconds

docker_entrypoint.sh

@@ -1,23 +0,0 @@
-#!/bin/sh
-var1=$1
-
-#set -x
-
-case $var1 in
-"bash" | "sh")
-  echo $var1
-  exec "$@"
-  ;;
-
-"tool")
-  /app/anylink "$@"
-  ;;
-
-*)
-  sysctl -w net.ipv4.ip_forward=1
-  iptables -t nat -A POSTROUTING -s "${IPV4_CIDR}" -o eth0+ -j MASQUERADE
-  #  iptables -nL -t nat
-
-  /app/anylink "$@"
-  ;;
-esac

index_template/自定义首页1.html

@@ -0,0 +1,101 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>AnyLink - 企业级远程办公 SSL VPN</title>
+  <style>
+    /* CSS样式表 */
+    body {
+      font-family: Arial, sans-serif;
+      margin: 0;
+      padding: 0;
+    }
+    
+    header {
+      background-color: #333;
+      color: #fff;
+      padding: 20px;
+      text-align: center;
+    }
+    
+    h1 {
+      margin: 0;
+      font-size: 32px;
+    }
+    
+    main {
+      max-width: 960px;
+      margin: 20px auto;
+      padding: 0 20px;
+	  margin-bottom: 100px;
+    }
+    
+    p {
+      line-height: 1.5;
+    }
+    
+	/* 设置页脚固定在底部，并且占满横向宽度 */
+	footer {
+		position: fixed;
+		bottom: 0;
+		left: 0;
+		width: 100%;
+	}
+	
+    footer {
+      background-color: #f2f2f2;
+      padding: 20px;
+      text-align: center;
+    }
+	
+    
+    .cta-button {
+      display: inline-block;
+      background-color: #007bff;
+      color: #fff;
+      padding: 10px 20px;
+      text-decoration: none;
+      border-radius: 4px;
+      font-weight: bold;
+      margin-right: 10px;
+    }
+  </style>
+</head>
+<body>
+  <header>
+    <h1>欢迎使用 AnyLink</h1>
+  </header>
+
+  <main>
+    <h2>什么是 AnyLink？</h2>
+    <p>AnyLink 是一款面向企业级的远程办公 SSL VPN 软件，支持多人同时在线使用。它提供安全、便捷的访问内部网络资源的方式，使远程工作者能够有效协作。</p>
+
+    <h2>核心功能</h2>
+    <ul>
+      <li>安全远程访问：AnyLink 使用 SSL/TLS 加密技术，确保远程用户与企业网络之间的连接安全可靠。</li>
+      <li>多用户支持：多个用户可以同时连接 VPN，实现不同地点团队的无缝协作。</li>
+      <li>灵活网络访问：AnyLink 能够安全地让远程工作者访问内部资源，如文件、应用程序和数据库。</li>
+      <li>集中化管理：该 VPN 解决方案提供集中化管理控制台，便于用户管理、访问控制和监控。</li>
+    </ul>
+
+    <h2>开始使用 AnyLink</h2>
+    <p>体验 AnyLink 为您的企业远程办公需求所带来的便利和安全。</p>
+
+    <h2>下载客户端</h2>
+    <a href="/files/anyconnect-win-4.10.05111.msi" class="cta-button">Windows 客户端</a>
+    <a href="/files/anyconnect-macos-4.10.05111.dmg" class="cta-button">Mac 客户端</a>
+
+    <a href="https://apps.apple.com/cn/app/cisco-secure-client/id1135064690" class="cta-button">iOS 客户端</a>
+    <a href="/files/CiscoSecureClientAnyConnect_v5.0.00247.apk" class="cta-button">Android 客户端</a>
+
+    <a href="/files/freeotp.apk" class="cta-button">Android FreeOTP客户端</a>
+    <a href="https://apps.apple.com/cn/app/freeotp-authenticator/id872559395" class="cta-button">iOS FreeOTP客户端</a>
+    <h2>使用手册</h2>
+    <a href="/files/anylink_doc.pdf" class="cta-button">使用手册(Windows)</a>
+  </main>
+
+  <footer>
+    &copy; 2023 AnyLink. 保留所有权利。
+  </footer>
+</body>
+</html>

release.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+#github action release.sh
+
+set -x
+function RETVAL() {
+  rt=$1
+  if [ $rt != 0 ]; then
+    echo $rt
+    exit 1
+  fi
+}
+
+#当前目录
+cpath=$(pwd)
+
+ver=$(cat version)
+echo "当前版本 $ver"
+
+rm -rf artifact-dist
+mkdir artifact-dist
+
+function archive() {
+  arch=$1
+  #echo "整理部署文件 $arch"
+  arch_name=${arch//\//-}
+  echo $arch_name
+
+  deploy="anylink-$ver-$arch_name"
+  docker container rm $deploy
+  docker container create --platform $arch --name $deploy bjdgyc/anylink:$ver
+  rm -rf anylink-deploy
+  docker cp -a $deploy:/app ./anylink-deploy
+
+  ls -lh anylink-deploy
+
+  tar zcf ${deploy}.tar.gz anylink-deploy
+  mv ${deploy}.tar.gz artifact-dist/
+}
+
+echo "copy二进制文件"
+
+archive "linux/amd64"
+archive "linux/arm64"
+
+ls -lh artifact-dist
+
+#注意使用root权限运行
+#cd anylink-deploy
+#sudo ./anylink --conf="conf/server.toml"

server/.gitignore

@@ -18,3 +18,4 @@ ui/
 .idea/
 anylink
 data.db
+conf/*.db

server/admin/api_base.go

@@ -8,6 +8,7 @@ import (
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/gorilla/mux"
+	"github.com/xlzd/gotp"
 )
 
 // Login 登陆接口
@@ -20,10 +21,35 @@ func Login(w http.ResponseWriter, r *http.Request) {
 	adminUser := r.PostFormValue("admin_user")
 	adminPass := r.PostFormValue("admin_pass")
 
+	// 启用otp验证
+	if base.Cfg.AdminOtp != "" {
+		pwd := adminPass
+		pl := len(pwd)
+		if pl < 6 {
+			RespError(w, RespUserOrPassErr)
+			base.Error(adminUser, "管理员otp错误")
+			return
+		}
+		// 判断otp信息
+		adminPass = pwd[:pl-6]
+		otp := pwd[pl-6:]
+
+		totp := gotp.NewDefaultTOTP(base.Cfg.AdminOtp)
+		unix := time.Now().Unix()
+		verify := totp.Verify(otp, unix)
+
+		if !verify {
+			RespError(w, RespUserOrPassErr)
+			base.Error(adminUser, "管理员otp错误")
+			return
+		}
+	}
+
 	// 认证错误
 	if !(adminUser == base.Cfg.AdminUser &&
 		utils.PasswordVerify(adminPass, base.Cfg.AdminPass)) {
 		RespError(w, RespUserOrPassErr)
+		base.Error(adminUser, "管理员用户名或密码错误")
 		return
 	}
 
@@ -41,6 +67,14 @@ func Login(w http.ResponseWriter, r *http.Request) {
 	data["admin_user"] = adminUser
 	data["expires_at"] = expiresAt
 
+	ck := &http.Cookie{
+		Name:     "jwt",
+		Value:    tokenString,
+		Path:     "/",
+		HttpOnly: true,
+	}
+	http.SetCookie(w, ck)
+
 	RespSucess(w, data)
 }
 
@@ -50,6 +84,9 @@ func authMiddleware(next http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Allow-Methods", "GET,POST,OPTIONS")
 		w.Header().Set("Access-Control-Allow-Headers", "*")
 		if r.Method == http.MethodOptions {
+			// w.WriteHeader(http.StatusOK)
+			// 正式环境不支持 OPTIONS
+			w.WriteHeader(http.StatusForbidden)
 			return
 		}
 
@@ -67,6 +104,12 @@ func authMiddleware(next http.Handler) http.Handler {
 		if jwtToken == "" {
 			jwtToken = r.FormValue("jwt")
 		}
+		if jwtToken == "" {
+			cc, err := r.Cookie("jwt")
+			if err == nil {
+				jwtToken = cc.Value
+			}
+		}
 		data, err := GetJwtData(jwtToken)
 		if err != nil || base.Cfg.AdminUser != fmt.Sprint(data["admin_user"]) {
 			w.WriteHeader(http.StatusUnauthorized)

server/admin/api_cert.go

@@ -0,0 +1,99 @@
+package admin
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+
+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+)
+
+func CustomCert(w http.ResponseWriter, r *http.Request) {
+	cert, _, err := r.FormFile("cert")
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	key, _, err := r.FormFile("key")
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	certFile, err := os.OpenFile(base.Cfg.CertFile, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer certFile.Close()
+	if _, err := io.Copy(certFile, cert); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	keyFile, err := os.OpenFile(base.Cfg.CertKey, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer keyFile.Close()
+	if _, err := io.Copy(keyFile, key); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	if tlscert, _, err := dbdata.ParseCert(); err != nil {
+		RespError(w, RespInternalErr, fmt.Sprintf("证书不合法，请重新上传:%v", err))
+		return
+	} else {
+		dbdata.LoadCertificate(tlscert)
+	}
+	RespSucess(w, "上传成功")
+}
+func GetCertSetting(w http.ResponseWriter, r *http.Request) {
+	sess := dbdata.GetXdb().NewSession()
+	defer sess.Close()
+	data := &dbdata.SettingLetsEncrypt{}
+	if err := dbdata.SettingGet(data); err != nil {
+		dbdata.SettingSessAdd(sess, data)
+		RespError(w, RespInternalErr, err)
+	}
+	userData := &dbdata.LegoUserData{}
+	if err := dbdata.SettingGet(userData); err != nil {
+		dbdata.SettingSessAdd(sess, userData)
+	}
+	RespSucess(w, data)
+}
+func CreatCert(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer r.Body.Close()
+	config := &dbdata.SettingLetsEncrypt{}
+	if err := json.Unmarshal(body, config); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	if err := dbdata.SettingSet(config); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	client := dbdata.LeGoClient{}
+	if err := client.NewClient(config); err != nil {
+		base.Error(err)
+		RespError(w, RespInternalErr, fmt.Sprintf("获取证书失败:%v", err))
+		return
+	}
+	if err := client.GetCert(config.Domain); err != nil {
+		base.Error(err)
+		RespError(w, RespInternalErr, fmt.Sprintf("获取证书失败:%v", err))
+		return
+	}
+	RespSucess(w, "生成证书成功")
+}

server/admin/api_group.go

@@ -2,7 +2,7 @@ package admin
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strconv"
 
@@ -22,7 +22,7 @@ func GroupList(w http.ResponseWriter, r *http.Request) {
 	count := dbdata.CountAll(&dbdata.Group{})
 
 	var datas []dbdata.Group
-	err := dbdata.All(&datas, pageSize, page)
+	err := dbdata.Find(&datas, pageSize, page)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -47,6 +47,16 @@ func GroupNames(w http.ResponseWriter, r *http.Request) {
 	RespSucess(w, data)
 }
 
+func GroupNamesIds(w http.ResponseWriter, r *http.Request) {
+	var names = dbdata.GetGroupNamesIds()
+	data := map[string]interface{}{
+		"count":     len(names),
+		"page_size": 0,
+		"datas":     names,
+	}
+	RespSucess(w, data)
+}
+
 func GroupDetail(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
 	idS := r.FormValue("id")
@@ -62,12 +72,14 @@ func GroupDetail(w http.ResponseWriter, r *http.Request) {
 		RespError(w, RespInternalErr, err)
 		return
 	}
-
+	if len(data.Auth) == 0 {
+		data.Auth["type"] = "local"
+	}
 	RespSucess(w, data)
 }
 
 func GroupSet(w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -106,3 +118,30 @@ func GroupDel(w http.ResponseWriter, r *http.Request) {
 	}
 	RespSucess(w, nil)
 }
+
+func GroupAuthLogin(w http.ResponseWriter, r *http.Request) {
+	type AuthLoginData struct {
+		Name string                 `json:"name"`
+		Pwd  string                 `json:"pwd"`
+		Auth map[string]interface{} `json:"auth"`
+	}
+
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer r.Body.Close()
+	v := &AuthLoginData{}
+	err = json.Unmarshal(body, &v)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	err = dbdata.GroupAuthLogin(v.Name, v.Pwd, v.Auth)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	RespSucess(w, "ok")
+}

server/admin/api_ip_map.go

@@ -2,10 +2,9 @@ package admin
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strconv"
-	"time"
 
 	"github.com/bjdgyc/anylink/dbdata"
 )
@@ -23,7 +22,7 @@ func UserIpMapList(w http.ResponseWriter, r *http.Request) {
 	count := dbdata.CountAll(&dbdata.IpMap{})
 
 	var datas []dbdata.IpMap
-	err := dbdata.All(&datas, pageSize, page)
+	err := dbdata.Find(&datas, pageSize, page)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -60,7 +59,7 @@ func UserIpMapDetail(w http.ResponseWriter, r *http.Request) {
 func UserIpMapSet(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
 
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -75,19 +74,14 @@ func UserIpMapSet(w http.ResponseWriter, r *http.Request) {
 
 	// fmt.Println(v, len(v.Ip), len(v.MacAddr))
 
-	if len(v.IpAddr) < 4 || len(v.MacAddr) < 6 {
+	err = dbdata.SetIpMap(v)
-		RespError(w, RespParamErr, "IP或MAC错误")
-		return
-	}
-
-	v.UpdatedAt = time.Now()
-	err = dbdata.Save(v)
-
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
 	}
 
+	// sessdata.IpAllSet(v)
+
 	RespSucess(w, nil)
 }
 
@@ -101,11 +95,20 @@ func UserIpMapDel(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	data := dbdata.IpMap{Id: id}
+	var data dbdata.IpMap
-	err := dbdata.Del(&data)
+	err := dbdata.One("Id", id, &data)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
 	}
+
+	err = dbdata.Del(&data)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	// sessdata.IpAllDel(&data)
+
 	RespSucess(w, nil)
 }

server/admin/api_other.go

@@ -2,9 +2,12 @@ package admin
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"errors"
+	"io"
 	"net/http"
+	"regexp"
 
+	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 )
 
@@ -14,11 +17,16 @@ func setOtherGet(data interface{}, w http.ResponseWriter) {
 		RespError(w, RespInternalErr, err)
 		return
 	}
+	// 不明文输出SMTP的密码
+	switch dbdata.StructName(data) {
+	case "SettingSmtp":
+		data.(*dbdata.SettingSmtp).Password = ""
+	}
 	RespSucess(w, data)
 }
 
 func setOtherEdit(data interface{}, w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -32,7 +40,15 @@ func setOtherEdit(data interface{}, w http.ResponseWriter, r *http.Request) {
 	}
 
 	// fmt.Println(data)
-
+	switch dbdata.StructName(data) {
+	case "SettingSmtp":
+		// 密码为空时则不修改
+		smtp := &dbdata.SettingSmtp{}
+		err := dbdata.SettingGet(smtp)
+		if err == nil && data.(*dbdata.SettingSmtp).Password == "" {
+			data.(*dbdata.SettingSmtp).Password = smtp.Password
+		}
+	}
 	err = dbdata.SettingSet(data)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
@@ -60,3 +76,43 @@ func SetOtherEdit(w http.ResponseWriter, r *http.Request) {
 	data := &dbdata.SettingOther{}
 	setOtherEdit(data, w, r)
 }
+
+func SetOtherAuditLog(w http.ResponseWriter, r *http.Request) {
+	data, err := dbdata.SettingGetAuditLog()
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	data.AuditInterval = base.Cfg.AuditInterval
+	RespSucess(w, data)
+}
+
+func SetOtherAuditLogEdit(w http.ResponseWriter, r *http.Request) {
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer r.Body.Close()
+	data := &dbdata.SettingAuditLog{}
+	err = json.Unmarshal(body, data)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	if data.LifeDay < 0 || data.LifeDay > 365 {
+		RespError(w, RespParamErr, errors.New("日志存储时长范围在 0 ~ 365"))
+		return
+	}
+	ok, _ := regexp.Match("^([0-9]|0[0-9]|1[0-9]|2[0-3]):([0][0])$", []byte(data.ClearTime))
+	if !ok {
+		RespError(w, RespParamErr, errors.New("每天清理时间填写有误"))
+		return
+	}
+	err = dbdata.SettingSet(data)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	RespSucess(w, data)
+}

server/admin/api_policy.go

@@ -0,0 +1,98 @@
+package admin
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"strconv"
+
+	"github.com/bjdgyc/anylink/dbdata"
+)
+
+func PolicyList(w http.ResponseWriter, r *http.Request) {
+	_ = r.ParseForm()
+	pageS := r.FormValue("page")
+	page, _ := strconv.Atoi(pageS)
+	if page < 1 {
+		page = 1
+	}
+
+	var pageSize = dbdata.PageSize
+
+	count := dbdata.CountAll(&dbdata.Policy{})
+
+	var datas []dbdata.Policy
+	err := dbdata.Find(&datas, pageSize, page)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	data := map[string]interface{}{
+		"count":     count,
+		"page_size": pageSize,
+		"datas":     datas,
+	}
+
+	RespSucess(w, data)
+}
+
+func PolicyDetail(w http.ResponseWriter, r *http.Request) {
+	_ = r.ParseForm()
+	idS := r.FormValue("id")
+	id, _ := strconv.Atoi(idS)
+	if id < 1 {
+		RespError(w, RespParamErr, "Id错误")
+		return
+	}
+
+	var data dbdata.Policy
+	err := dbdata.One("Id", id, &data)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	RespSucess(w, data)
+}
+
+func PolicySet(w http.ResponseWriter, r *http.Request) {
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer r.Body.Close()
+	v := &dbdata.Policy{}
+	err = json.Unmarshal(body, v)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	err = dbdata.SetPolicy(v)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	RespSucess(w, nil)
+}
+
+func PolicyDel(w http.ResponseWriter, r *http.Request) {
+	_ = r.ParseForm()
+	idS := r.FormValue("id")
+	id, _ := strconv.Atoi(idS)
+	if id < 1 {
+		RespError(w, RespParamErr, "Id错误")
+		return
+	}
+
+	data := dbdata.Policy{Id: id}
+	err := dbdata.Del(&data)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	RespSucess(w, nil)
+}

server/admin/api_set.go

@@ -5,11 +5,10 @@ import (
 	"net/http"
 	"runtime"
 
-	"github.com/bjdgyc/anylink/dbdata"
-	"github.com/bjdgyc/anylink/sessdata"
-
 	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
+	"github.com/bjdgyc/anylink/sessdata"
 	"github.com/shirou/gopsutil/cpu"
 	"github.com/shirou/gopsutil/disk"
 	"github.com/shirou/gopsutil/host"
@@ -67,10 +66,13 @@ func SetSystem(w http.ResponseWriter, r *http.Request) {
 	hi, _ := host.Info()
 	l, _ := load.Avg()
 	data["sys"] = map[string]interface{}{
-		"goOs":      runtime.GOOS,
+		"goOs":         runtime.GOOS,
-		"goArch":    runtime.GOARCH,
+		"goArch":       runtime.GOARCH,
-		"goVersion": runtime.Version(),
+		"goVersion":    runtime.Version(),
-		"goroutine": runtime.NumGoroutine(),
+		"goroutine":    runtime.NumGoroutine(),
+		"appVersion":   "v" + base.APP_VER,
+		"appCommitId":  base.CommitId,
+		"appBuildDate": base.BuildDate,
 
 		"hostname": hi.Hostname,
 		"platform": fmt.Sprintf("%v %v %v", hi.Platform, hi.PlatformFamily, hi.PlatformVersion),

server/admin/api_set_audit.go

@@ -0,0 +1,79 @@
+package admin
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/gocarina/gocsv"
+)
+
+func SetAuditList(w http.ResponseWriter, r *http.Request) {
+	_ = r.ParseForm()
+	pageS := r.FormValue("page")
+	page, _ := strconv.Atoi(pageS)
+	if page < 1 {
+		page = 1
+	}
+	var datas []dbdata.AccessAudit
+	session := dbdata.GetAuditSession(r.FormValue("search"))
+	count, err := dbdata.FindAndCount(session, &datas, dbdata.PageSize, page)
+	if err != nil && !dbdata.CheckErrNotFound(err) {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	data := map[string]interface{}{
+		"count":     count,
+		"page_size": dbdata.PageSize,
+		"datas":     datas,
+	}
+
+	RespSucess(w, data)
+}
+
+func SetAuditExport(w http.ResponseWriter, r *http.Request) {
+	var datas []dbdata.AccessAudit
+	maxNum := 1000000
+	session := dbdata.GetAuditSession(r.FormValue("search"))
+	count, err := dbdata.FindAndCount(session, &datas, maxNum, 0)
+	if err != nil && !dbdata.CheckErrNotFound(err) {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	if count == 0 {
+		RespError(w, RespParamErr, "你导出的总数量为0条，请调整搜索条件，再导出")
+		return
+	}
+	if count > int64(maxNum) {
+		RespError(w, RespParamErr, "你导出的数据量超过100万条，请调整搜索条件，再导出")
+		return
+	}
+	gocsv.Marshal(datas, w)
+
+}
+
+func UserActLogList(w http.ResponseWriter, r *http.Request) {
+	_ = r.ParseForm()
+	pageS := r.FormValue("page")
+	page, _ := strconv.Atoi(pageS)
+	if page < 1 {
+		page = 1
+	}
+	var datas []dbdata.UserActLog
+	session := dbdata.UserActLogIns.GetSession(r.Form)
+	count, err := dbdata.FindAndCount(session, &datas, dbdata.PageSize, page)
+	if err != nil && !dbdata.CheckErrNotFound(err) {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	data := map[string]interface{}{
+		"count":     count,
+		"page_size": dbdata.PageSize,
+		"datas":     datas,
+		"statusOps": dbdata.UserActLogIns.GetStatusOpsWithTag(),
+		"osOps":     dbdata.UserActLogIns.OsOps,
+		"clientOps": dbdata.UserActLogIns.ClientOps,
+	}
+
+	RespSucess(w, data)
+}

server/admin/api_statsinfo.go

@@ -0,0 +1,33 @@
+package admin
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/bjdgyc/anylink/dbdata"
+)
+
+func StatsInfoList(w http.ResponseWriter, r *http.Request) {
+	var ok bool
+	_ = r.ParseForm()
+	action := r.FormValue("action")
+	scope := r.FormValue("scope")
+	ok = dbdata.StatsInfoIns.ValidAction(action)
+	if !ok {
+		RespError(w, RespParamErr, errors.New("不存在的图表类别"))
+		return
+	}
+	ok = dbdata.StatsInfoIns.ValidScope(scope)
+	if !ok {
+		RespError(w, RespParamErr, errors.New("不存在的日期范围"))
+		return
+	}
+	datas, err := dbdata.StatsInfoIns.GetData(action, scope)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	data := make(map[string]interface{})
+	data["datas"] = datas
+	RespSucess(w, data)
+}

server/admin/api_uploaduser.go

@@ -0,0 +1,120 @@
+package admin
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
+	mapset "github.com/deckarep/golang-set"
+	"github.com/spf13/cast"
+	"github.com/xuri/excelize/v2"
+)
+
+func UserUpload(w http.ResponseWriter, r *http.Request) {
+	r.ParseMultipartForm(8 << 20)
+	file, header, err := r.FormFile("file")
+	if err != nil || !strings.Contains(header.Filename, ".xlsx") || !strings.Contains(header.Filename, ".xls") {
+		RespError(w, RespInternalErr, "文件解析失败:仅支持xlsx或xls文件")
+		return
+	}
+	defer file.Close()
+
+	// go/path-injection
+	// base.Cfg.FilesPath 可以直接对外访问，不能上传文件到此
+	fileName := path.Join(os.TempDir(), utils.RandomRunes(10))
+	newFile, err := os.Create(fileName)
+	if err != nil {
+		RespError(w, RespInternalErr, "创建文件失败:", err)
+		return
+	}
+	defer newFile.Close()
+
+	io.Copy(newFile, file)
+	if err = UploadUser(newFile.Name()); err != nil {
+		RespError(w, RespInternalErr, err)
+		os.Remove(fileName)
+		return
+	}
+	os.Remove(fileName)
+	RespSucess(w, "批量添加成功")
+}
+
+func UploadUser(file string) error {
+	f, err := excelize.OpenFile(file)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := f.Close(); err != nil {
+			return
+		}
+	}()
+	rows, err := f.GetRows("Sheet1")
+	if err != nil {
+		return err
+	}
+	if rows[0][0] != "id" || rows[0][1] != "username" || rows[0][2] != "nickname" || rows[0][3] != "email" || rows[0][4] != "pin_code" || rows[0][5] != "limittime" || rows[0][6] != "otp_secret" || rows[0][7] != "disable_otp" || rows[0][8] != "groups" || rows[0][9] != "status" || rows[0][10] != "send_email" {
+		return fmt.Errorf("批量添加失败，表格格式不正确")
+	}
+	var k []interface{}
+	for _, v := range dbdata.GetGroupNames() {
+		k = append(k, v)
+	}
+	for index, row := range rows {
+		if index == 0 {
+			continue
+		}
+		id, _ := strconv.Atoi(row[0])
+		if len(row[4]) < 6 {
+			row[4] = utils.RandomRunes(8)
+		}
+		limittime, _ := time.ParseInLocation("2006-01-02 15:04:05", row[5], time.Local)
+		disableOtp, _ := strconv.ParseBool(row[7])
+		var group []string
+		if row[8] == "" {
+			return fmt.Errorf("第%d行数据错误，用户组不允许为空", index)
+		}
+		for _, v := range strings.Split(row[8], ",") {
+			if s := mapset.NewSetFromSlice(k); s.Contains(v) {
+				group = append(group, v)
+			} else {
+				return fmt.Errorf("用户组【%s】不存在,请检查第%d行数据", v, index)
+			}
+		}
+		status := cast.ToInt8(row[9])
+		sendmail, _ := strconv.ParseBool(row[10])
+		// createdAt, _ := time.ParseInLocation("2006-01-02 15:04:05", row[11], time.Local)
+		// updatedAt, _ := time.ParseInLocation("2006-01-02 15:04:05", row[12], time.Local)
+		user := &dbdata.User{
+			Id:         id,
+			Username:   row[1],
+			Nickname:   row[2],
+			Email:      row[3],
+			PinCode:    row[4],
+			LimitTime:  &limittime,
+			OtpSecret:  row[6],
+			DisableOtp: disableOtp,
+			Groups:     group,
+			Status:     status,
+			SendEmail:  sendmail,
+			// CreatedAt:  createdAt,
+			// UpdatedAt:  updatedAt,
+		}
+		if err := dbdata.AddBatch(user); err != nil {
+			return fmt.Errorf("请检查第%d行数据是否导入有重复用户", index)
+		}
+		if user.SendEmail {
+			if err := userAccountMail(user); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}

server/admin/api_user.go

@@ -5,8 +5,9 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"net/url"
 	"strconv"
 	"strings"
 	"text/template"
@@ -21,6 +22,7 @@ import (
 func UserList(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
 	prefix := r.FormValue("prefix")
+	prefix = strings.TrimSpace(prefix)
 	pageS := r.FormValue("page")
 	page, _ := strconv.Atoi(pageS)
 	if page < 1 {
@@ -36,11 +38,14 @@ func UserList(w http.ResponseWriter, r *http.Request) {
 
 	// 查询前缀匹配
 	if len(prefix) > 0 {
-		count = pageSize
+		fuzzy := "%" + prefix + "%"
-		err = dbdata.Prefix("Username", prefix, &datas, pageSize, 1)
+		where := "username LIKE ? OR nickname LIKE ? OR email LIKE ?"
+
+		count = dbdata.FindWhereCount(&dbdata.User{}, where, fuzzy, fuzzy, fuzzy)
+		err = dbdata.FindWhere(&datas, pageSize, page, where, fuzzy, fuzzy, fuzzy)
 	} else {
 		count = dbdata.CountAll(&dbdata.User{})
-		err = dbdata.All(&datas, pageSize, page)
+		err = dbdata.Find(&datas, pageSize, page)
 	}
 
 	if err != nil && !dbdata.CheckErrNotFound(err) {
@@ -79,7 +84,7 @@ func UserDetail(w http.ResponseWriter, r *http.Request) {
 func UserSet(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
 
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		RespError(w, RespInternalErr, err)
 		return
@@ -106,7 +111,8 @@ func UserSet(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-
+	// 修改用户资料后执行过期用户检测
+	sessdata.CloseUserLimittimeSession()
 	RespSucess(w, nil)
 }
 
@@ -131,33 +137,44 @@ func UserDel(w http.ResponseWriter, r *http.Request) {
 
 func UserOtpQr(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
-	b64 := r.FormValue("b64")
+	b64S := r.FormValue("b64")
 	idS := r.FormValue("id")
 	id, _ := strconv.Atoi(idS)
-	var user dbdata.User
-	err := dbdata.One("Id", id, &user)
-	if err != nil {
-		RespError(w, RespInternalErr, err)
-		return
-	}
 
-	issuer := base.Cfg.Issuer
+	var b64 bool
-	qrstr := fmt.Sprintf("otpauth://totp/%s:%s?issuer=%s&secret=%s", issuer, user.Email, issuer, user.OtpSecret)
+	if b64S == "1" {
-	qr, _ := qrcode.New(qrstr, qrcode.High)
+		b64 = true
-
-	if b64 == "1" {
-		data, _ := qr.PNG(300)
-		s := base64.StdEncoding.EncodeToString(data)
-		_, err = fmt.Fprint(w, s)
-		if err != nil {
-			base.Error(err)
-		}
-		return
 	}
-	err = qr.Write(300, w)
+	data, err := userOtpQr(id, b64)
 	if err != nil {
 		base.Error(err)
 	}
+	io.WriteString(w, data)
+}
+
+func userOtpQr(uid int, b64 bool) (string, error) {
+	var user dbdata.User
+	err := dbdata.One("Id", uid, &user)
+	if err != nil {
+		return "", err
+	}
+
+	issuer := url.QueryEscape(base.Cfg.Issuer)
+	qrstr := fmt.Sprintf("otpauth://totp/%s:%s?issuer=%s&secret=%s", issuer, user.Email, issuer, user.OtpSecret)
+	qr, _ := qrcode.New(qrstr, qrcode.High)
+
+	if b64 {
+		data, err := qr.PNG(300)
+		if err != nil {
+			return "", err
+		}
+		s := base64.StdEncoding.EncodeToString(data)
+		return s, nil
+	}
+
+	buf := bytes.NewBuffer(nil)
+	err = qr.Write(300, buf)
+	return buf.String(), err
 }
 
 // 在线用户
@@ -176,7 +193,7 @@ func UserOnline(w http.ResponseWriter, r *http.Request) {
 func UserOffline(w http.ResponseWriter, r *http.Request) {
 	_ = r.ParseForm()
 	token := r.FormValue("token")
-	sessdata.CloseSess(token)
+	sessdata.CloseSess(token, dbdata.UserLogoutAdmin)
 	RespSucess(w, nil)
 }
 
@@ -188,12 +205,14 @@ func UserReline(w http.ResponseWriter, r *http.Request) {
 }
 
 type userAccountMailData struct {
-	Issuer   string
+	Issuer       string
-	LinkAddr string
+	LinkAddr     string
-	Group    string
+	Group        string
-	Username string
+	Username     string
-	PinCode  string
+	Nickname     string
-	OtpImg   string
+	PinCode      string
+	OtpImg       string
+	OtpImgBase64 string
 }
 
 func userAccountMail(user *dbdata.User) error {
@@ -227,12 +246,24 @@ func userAccountMail(user *dbdata.User) error {
 		return err
 	}
 
+	setting := &dbdata.SettingOther{}
+	err = dbdata.SettingGet(setting)
+	if err != nil {
+		base.Error(err)
+		return err
+	}
+
+	otpData, _ := userOtpQr(user.Id, true)
+
 	data := userAccountMailData{
-		LinkAddr: base.Cfg.LinkAddr,
+		Issuer:       base.Cfg.Issuer,
-		Group:    strings.Join(user.Groups, ","),
+		LinkAddr:     setting.LinkAddr,
-		Username: user.Username,
+		Group:        strings.Join(user.Groups, ","),
-		PinCode:  user.PinCode,
+		Username:     user.Username,
-		OtpImg:   fmt.Sprintf("https://%s/otp_qr?id=%d&jwt=%s", base.Cfg.LinkAddr, user.Id, tokenString),
+		Nickname:     user.Nickname,
+		PinCode:      user.PinCode,
+		OtpImg:       fmt.Sprintf("https://%s/otp_qr?id=%d&jwt=%s", setting.LinkAddr, user.Id, tokenString),
+		OtpImgBase64: "data:image/png;base64," + otpData,
 	}
 	w := bytes.NewBufferString("")
 	t, _ := template.New("auth_complete").Parse(htmlBody)

server/admin/common.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 	mail "github.com/xhit/go-simple-mail/v2"
 	// "github.com/mojocn/base64Captcha"
 )
@@ -59,15 +59,21 @@ func SendMail(subject, to, htmlBody string) error {
 	server.Port = dataSmtp.Port
 	server.Username = dataSmtp.Username
 	server.Password = dataSmtp.Password
-	if dataSmtp.UseSSl {
+
-		server.Encryption = mail.EncryptionSSL
+	switch dataSmtp.Encryption {
+	case "SSLTLS":
+		server.Encryption = mail.EncryptionSSLTLS
+	case "STARTTLS":
+		server.Encryption = mail.EncryptionSTARTTLS
+	default:
+		server.Encryption = mail.EncryptionNone
 	}
 
 	// Since v2.3.0 you can specified authentication type:
 	// - PLAIN (default)
 	// - LOGIN
 	// - CRAM-MD5
-	server.Authentication = mail.AuthPlain
+	server.Authentication = mail.AuthAuto
 
 	// Variable to keep alive connection
 	server.KeepAlive = false

server/admin/resp_test.go

@@ -2,7 +2,7 @@ package admin
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http/httptest"
 	"testing"
 
@@ -15,7 +15,7 @@ func TestRespSucess(t *testing.T) {
 	RespSucess(w, "data")
 	// fmt.Println(w)
 	assert.Equal(w.Code, 200)
-	body, _ := ioutil.ReadAll(w.Body)
+	body, _ := io.ReadAll(w.Body)
 	res := Resp{}
 	err := json.Unmarshal(body, &res)
 	assert.Nil(err)
@@ -30,7 +30,7 @@ func TestRespError(t *testing.T) {
 	RespError(w, 10, "err-msg")
 	// fmt.Println(w)
 	assert.Equal(w.Code, 200)
-	body, _ := ioutil.ReadAll(w.Body)
+	body, _ := io.ReadAll(w.Body)
 	res := Resp{}
 	err := json.Unmarshal(body, &res)
 	assert.Nil(err)

server/admin/server.go

@@ -2,22 +2,45 @@
 package admin
 
 import (
+	"crypto/tls"
+	"embed"
 	"net/http"
 	"net/http/pprof"
 
+	"github.com/arl/statsviz"
 	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
+	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
 )
 
-// 开启服务
+var UiData embed.FS
+
+// StartAdmin 开启服务
 func StartAdmin() {
 
 	r := mux.NewRouter()
+	// 所有路由添加安全头
+	r.Use(func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			utils.SetSecureHeader(w)
+			w.Header().Set("Server", "AnyLinkAdminOpenSource")
+			next.ServeHTTP(w, req)
+		})
+	})
 	r.Use(authMiddleware)
+	r.Use(handlers.CompressHandler)
+
+	// 监控检测
+	r.HandleFunc("/status.html", func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("ok"))
+	}).Name("index")
 
 	r.Handle("/", http.RedirectHandler("/ui/", http.StatusFound)).Name("index")
 	r.PathPrefix("/ui/").Handler(
-		http.StripPrefix("/ui/", http.FileServer(http.Dir(base.Cfg.UiPath))),
+		// http.StripPrefix("/ui/", http.FileServer(http.Dir(base.Cfg.UiPath))),
+		http.FileServer(http.FS(UiData)),
 	).Name("static")
 	r.HandleFunc("/base/login", Login).Name("login")
 
@@ -28,10 +51,19 @@ func StartAdmin() {
 	r.HandleFunc("/set/other/edit", SetOtherEdit)
 	r.HandleFunc("/set/other/smtp", SetOtherSmtp)
 	r.HandleFunc("/set/other/smtp/edit", SetOtherSmtpEdit)
+	r.HandleFunc("/set/other/audit_log", SetOtherAuditLog)
+	r.HandleFunc("/set/other/audit_log/edit", SetOtherAuditLogEdit)
+	r.HandleFunc("/set/audit/list", SetAuditList)
+	r.HandleFunc("/set/audit/export", SetAuditExport)
+	r.HandleFunc("/set/audit/act_log_list", UserActLogList)
+	r.HandleFunc("/set/other/createcert", CreatCert)
+	r.HandleFunc("/set/other/getcertset", GetCertSetting)
+	r.HandleFunc("/set/other/customcert", CustomCert)
 
 	r.HandleFunc("/user/list", UserList)
 	r.HandleFunc("/user/detail", UserDetail)
 	r.HandleFunc("/user/set", UserSet)
+	r.HandleFunc("/user/uploaduser", UserUpload).Methods(http.MethodPost)
 	r.HandleFunc("/user/del", UserDel)
 	r.HandleFunc("/user/online", UserOnline)
 	r.HandleFunc("/user/offline", UserOffline)
@@ -41,23 +73,66 @@ func StartAdmin() {
 	r.HandleFunc("/user/ip_map/detail", UserIpMapDetail)
 	r.HandleFunc("/user/ip_map/set", UserIpMapSet)
 	r.HandleFunc("/user/ip_map/del", UserIpMapDel)
+	r.HandleFunc("/user/policy/list", PolicyList)
+	r.HandleFunc("/user/policy/detail", PolicyDetail)
+	r.HandleFunc("/user/policy/set", PolicySet)
+	r.HandleFunc("/user/policy/del", PolicyDel)
 
 	r.HandleFunc("/group/list", GroupList)
 	r.HandleFunc("/group/names", GroupNames)
+	r.HandleFunc("/group/names_ids", GroupNamesIds)
 	r.HandleFunc("/group/detail", GroupDetail)
 	r.HandleFunc("/group/set", GroupSet)
 	r.HandleFunc("/group/del", GroupDel)
+	r.HandleFunc("/group/auth_login", GroupAuthLogin)
+
+	r.HandleFunc("/statsinfo/list", StatsInfoList)
 
 	// pprof
-	r.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+	if base.Cfg.Pprof {
-	r.HandleFunc("/debug/pprof/profile", pprof.Profile)
+		r.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline).Name("debug")
-	r.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+		r.HandleFunc("/debug/pprof/profile", pprof.Profile).Name("debug")
-	r.HandleFunc("/debug/pprof/trace", pprof.Trace)
+		r.HandleFunc("/debug/pprof/symbol", pprof.Symbol).Name("debug")
-	r.HandleFunc("/debug/pprof", location("/debug/pprof/"))
+		r.HandleFunc("/debug/pprof/trace", pprof.Trace).Name("debug")
-	r.PathPrefix("/debug/pprof/").HandlerFunc(pprof.Index)
+		r.HandleFunc("/debug/pprof", location("/debug/pprof/")).Name("debug")
+		r.PathPrefix("/debug/pprof/").HandlerFunc(pprof.Index).Name("debug")
+		// statsviz
+		srv, _ := statsviz.NewServer() // Create server or handle error
+		r.Path("/debug/statsviz/ws").Name("debug").HandlerFunc(srv.Ws())
+		r.PathPrefix("/debug/statsviz/").Name("debug").Handler(srv.Index())
+	}
 
 	base.Info("Listen admin", base.Cfg.AdminAddr)
-	err := http.ListenAndServe(base.Cfg.AdminAddr, r)
+
+	// 修复 CVE-2016-2183
+	cipherSuites := tls.CipherSuites()
+	selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
+	for _, s := range cipherSuites {
+		selectedCipherSuites = append(selectedCipherSuites, s.ID)
+	}
+
+	if tlscert, _, err := dbdata.ParseCert(); err != nil {
+		base.Fatal("证书加载失败", err)
+	} else {
+		dbdata.LoadCertificate(tlscert)
+	}
+
+	// 设置tls信息
+	tlsConfig := &tls.Config{
+		NextProtos:   []string{"http/1.1"},
+		MinVersion:   tls.VersionTLS12,
+		CipherSuites: selectedCipherSuites,
+		GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return dbdata.GetCertificateBySNI(chi.ServerName)
+		},
+	}
+	srv := &http.Server{
+		Addr:      base.Cfg.AdminAddr,
+		Handler:   r,
+		TLSConfig: tlsConfig,
+		ErrorLog:  base.GetServerLog(),
+	}
+	err := srv.ListenAndServeTLS("", "")
 	if err != nil {
 		base.Fatal(err)
 	}

server/base/app_ver.go

@@ -2,5 +2,12 @@ package base
 
 const (
 	APP_NAME = "AnyLink"
-	APP_VER  = "0.2.1"
+)
+
+var (
+	// APP_VER app版本号
+	APP_VER = "0.0.1"
+	// 提交id
+	CommitId  string
+	BuildDate string
 )

server/base/cfg.go

@@ -5,13 +5,13 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
-
-	"github.com/spf13/viper"
 )
 
 const (
-	LinkModeTUN = "tun"
+	LinkModeTUN     = "tun"
-	LinkModeTAP = "tap"
+	LinkModeTAP     = "tap"
+	LinkModeMacvtap = "macvtap"
+	LinkModeIpvtap  = "ipvtap"
 )
 
 var (
@@ -30,27 +30,36 @@ var (
 // rekey-method = ssl
 
 type ServerConfig struct {
-	LinkAddr      string `json:"link_addr"`
+	// LinkAddr      string `json:"link_addr"`
-	ServerAddr    string `json:"server_addr"`
+	Conf           string `json:"conf"`
-	AdminAddr     string `json:"admin_addr"`
+	Profile        string `json:"profile"`
-	ProxyProtocol bool   `json:"proxy_protocol"`
+	ProfileName    string `json:"profile_name"`
-	DbFile        string `json:"db_file"`
+	ServerAddr     string `json:"server_addr"`
-	CertFile      string `json:"cert_file"`
+	ServerDTLSAddr string `json:"server_dtls_addr"`
-	CertKey       string `json:"cert_key"`
+	ServerDTLS     bool   `json:"server_dtls"`
-	UiPath        string `json:"ui_path"`
+	AdminAddr      string `json:"admin_addr"`
-	FilesPath     string `json:"files_path"`
+	ProxyProtocol  bool   `json:"proxy_protocol"`
-	LogPath       string `json:"log_path"`
+	DbType         string `json:"db_type"`
-	LogLevel      string `json:"log_level"`
+	DbSource       string `json:"db_source"`
-	Issuer        string `json:"issuer"`
+	CertFile       string `json:"cert_file"`
-	AdminUser     string `json:"admin_user"`
+	CertKey        string `json:"cert_key"`
-	AdminPass     string `json:"admin_pass"`
+	FilesPath      string `json:"files_path"`
-	JwtSecret     string `json:"jwt_secret"`
+	LogPath        string `json:"log_path"`
+	LogLevel       string `json:"log_level"`
+	HttpServerLog  bool   `json:"http_server_log"`
+	Pprof          bool   `json:"pprof"`
+	Issuer         string `json:"issuer"`
+	AdminUser      string `json:"admin_user"`
+	AdminPass      string `json:"admin_pass"`
+	AdminOtp       string `json:"admin_otp"`
+	JwtSecret      string `json:"jwt_secret"`
 
-	LinkMode    string `json:"link_mode"` // tun tap
+	LinkMode    string `json:"link_mode"`    // tun tap macvtap ipvtap
-	Ipv4CIDR    string `json:"ipv4_cidr"` // 192.168.1.0/24
+	Ipv4Master  string `json:"ipv4_master"`  // eth0
-	Ipv4Gateway string `json:"ipv4_gateway"`
+	Ipv4CIDR    string `json:"ipv4_cidr"`    // 192.168.10.0/24
-	Ipv4Start   string `json:"ipv4_start"` // 192.168.1.100
+	Ipv4Gateway string `json:"ipv4_gateway"` // 192.168.10.1
-	Ipv4End     string `json:"ipv4_end"`   // 192.168.1.200
+	Ipv4Start   string `json:"ipv4_start"`   // 192.168.10.100
+	Ipv4End     string `json:"ipv4_end"`     // 192.168.10.200
 	IpLease     int    `json:"ip_lease"`
 
 	MaxClient       int    `json:"max_client"`
@@ -60,27 +69,43 @@ type ServerConfig struct {
 	CstpDpd         int    `json:"cstp_dpd"`       // Dead peer detection in seconds
 	MobileKeepalive int    `json:"mobile_keepalive"`
 	MobileDpd       int    `json:"mobile_dpd"`
+	Mtu             int    `json:"mtu"`
+	DefaultDomain   string `json:"default_domain"`
 
+	IdleTimeout    int `json:"idle_timeout"`    // in seconds
 	SessionTimeout int `json:"session_timeout"` // in seconds
-	AuthTimeout    int `json:"auth_timeout"`    // in seconds
+	// AuthTimeout    int `json:"auth_timeout"`    // in seconds
+	AuditInterval int `json:"audit_interval"` // in seconds
+
+	ShowSQL         bool `json:"show_sql"` // bool
+	IptablesNat     bool `json:"iptables_nat"`
+	Compression     bool `json:"compression"`       // bool
+	NoCompressLimit int  `json:"no_compress_limit"` // int
+
+	DisplayError    bool `json:"display_error"`
+	ExcludeExportIp bool `json:"exclude_export_ip"`
 }
 
 func initServerCfg() {
 
-	sf, _ := filepath.Abs(cfgFile)
+	// TODO 取消绝对地址转换
-	base := filepath.Dir(sf)
+	// sf, _ := filepath.Abs(cfgFile)
+	// base := filepath.Dir(sf)
 
 	// 转换成绝对路径
-	Cfg.DbFile = getAbsPath(base, Cfg.DbFile)
+	// Cfg.DbFile = getAbsPath(base, Cfg.DbFile)
-	Cfg.CertFile = getAbsPath(base, Cfg.CertFile)
+	// Cfg.CertFile = getAbsPath(base, Cfg.CertFile)
-	Cfg.CertKey = getAbsPath(base, Cfg.CertKey)
+	// Cfg.CertKey = getAbsPath(base, Cfg.CertKey)
-	Cfg.UiPath = getAbsPath(base, Cfg.UiPath)
+	// Cfg.UiPath = getAbsPath(base, Cfg.UiPath)
-	Cfg.FilesPath = getAbsPath(base, Cfg.FilesPath)
+	// Cfg.FilesPath = getAbsPath(base, Cfg.FilesPath)
-	Cfg.LogPath = getAbsPath(base, Cfg.LogPath)
+	// Cfg.LogPath = getAbsPath(base, Cfg.LogPath)
 
-	if len(Cfg.JwtSecret) < 20 {
+	if Cfg.AdminPass == defaultPwd {
-		fmt.Println("请设置 jwt_secret 长度20位以上")
+		fmt.Fprintln(os.Stderr, "=== 使用默认的admin_pass有安全风险，请设置新的admin_pass ===")
-		os.Exit(0)
+	}
+
+	if Cfg.JwtSecret == defaultJwt {
+		fmt.Fprintln(os.Stderr, "=== 使用默认的jwt_secret有安全风险，请设置新的jwt_secret ===")
 	}
 
 	fmt.Printf("ServerCfg: %+v \n", Cfg)
@@ -112,13 +137,13 @@ func initCfg() {
 		for _, v := range configs {
 			if v.Name == tag {
 				if v.Typ == cfgStr {
-					value.SetString(viper.GetString(v.Name))
+					value.SetString(linkViper.GetString(v.Name))
 				}
 				if v.Typ == cfgInt {
-					value.SetInt(int64(viper.GetInt(v.Name)))
+					value.SetInt(int64(linkViper.GetInt(v.Name)))
 				}
 				if v.Typ == cfgBool {
-					value.SetBool(viper.GetBool(v.Name))
+					value.SetBool(linkViper.GetBool(v.Name))
 				}
 			}
 		}
@@ -132,6 +157,7 @@ type SCfg struct {
 	Env  string      `json:"env"`
 	Info string      `json:"info"`
 	Data interface{} `json:"data"`
+	Val  interface{} `json:"default"`
 }
 
 func ServerCfg2Slice() []SCfg {
@@ -146,21 +172,27 @@ func ServerCfg2Slice() []SCfg {
 		field := typ.Field(i)
 		value := s.Field(i)
 		tag := field.Tag.Get("json")
-		usage, env := getUsageEnv(tag)
+		usage, env, val := getUsageEnv(tag)
-		if usage == "" {
-			continue
-		}
 
-		datas = append(datas, SCfg{Name: tag, Env: env, Info: usage, Data: value.Interface()})
+		datas = append(datas, SCfg{Name: tag, Env: env, Info: usage, Data: value.Interface(), Val: val})
 	}
 
 	return datas
 }
 
-func getUsageEnv(name string) (usage, env string) {
+func getUsageEnv(name string) (usage, env string, val interface{}) {
 	for _, v := range configs {
 		if v.Name == name {
 			usage = v.Usage
+			if v.Typ == cfgStr {
+				val = v.ValStr
+			}
+			if v.Typ == cfgInt {
+				val = v.ValInt
+			}
+			if v.Typ == cfgBool {
+				val = v.ValBool
+			}
 		}
 	}
 

server/base/cmd.go

@@ -2,39 +2,42 @@ package base
 
 import (
 	"fmt"
-	"math/rand"
+	"io"
 	"os"
+	"reflect"
 	"runtime"
 	"strings"
-	"time"
 
 	"github.com/bjdgyc/anylink/pkg/utils"
+	"github.com/skip2/go-qrcode"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"github.com/xlzd/gotp"
 )
 
 var (
-	// 提交id
-	CommitId string
-	// 配置文件
-	cfgFile string
 	// pass明文
 	passwd string
+	// 生成otp
+	otp bool
 	// 生成密钥
 	secret bool
 	// 显示版本信息
 	rev bool
-	// 获取env名称
+	// 输出debug信息
-	env bool
+	debug bool
 
 	// Used for flags.
 	runSrv bool
 
-	rootCmd *cobra.Command
+	linkViper *viper.Viper
+	rootCmd   *cobra.Command
 )
 
 // Execute executes the root command.
 func execute() {
+	initCmd()
+
 	err := rootCmd.Execute()
 	if err != nil {
 		fmt.Println(err)
@@ -42,13 +45,45 @@ func execute() {
 	}
 
 	// viper.Debug()
+	ref := reflect.ValueOf(linkViper)
+	s := ref.Elem()
+	ee := s.FieldByName("env")
+	if ee.Kind() != reflect.Map {
+		panic("Viper env is err")
+	}
+	rr := ee.MapRange()
+	for rr.Next() {
+		// fmt.Println(rr.Key(), rr.Value().Index(0))
+		envs[rr.Key().String()] = rr.Value().Index(0).String()
+	}
 
 	if !runSrv {
+		if debug {
+			scfgData := ServerCfg2Slice()
+			fmtStr := "%-18v %-23v %-20v %v\n"
+			fmt.Printf(fmtStr, "Name", "Env", "Value", "Info")
+			for _, v := range scfgData {
+				if v.Name == "admin_pass" || v.Name == "jwt_secret" {
+					v.Val = "******"
+				}
+				fmt.Printf(fmtStr, v.Name, v.Env, v.Val, v.Info)
+			}
+		}
 		os.Exit(0)
 	}
+
+	// 移动配置解析代码
+	conf := linkViper.GetString("conf")
+	linkViper.SetConfigFile(conf)
+	err = linkViper.ReadInConfig()
+	if err != nil {
+		// 没有配置文件，直接报错
+		panic("config file err:" + err.Error())
+	}
 }
 
-func init() {
+func initCmd() {
+	linkViper = viper.New()
 	rootCmd = &cobra.Command{
 		Use:   "anylink",
 		Short: "AnyLink VPN Server",
@@ -56,41 +91,39 @@ func init() {
 		Run: func(cmd *cobra.Command, args []string) {
 			// fmt.Println("cmd：", cmd.Use, args)
 			runSrv = true
+
+			if rev {
+				printVersion()
+				os.Exit(0)
+			}
 		},
 	}
 
-	cobra.OnInitialize(func() {
+	linkViper.SetEnvPrefix("link")
-		viper.SetConfigFile(cfgFile)
-		viper.AutomaticEnv()
-
-		err := viper.ReadInConfig()
-		if err != nil {
-			fmt.Println("Using config file:", err)
-		}
-	})
-
-	viper.SetEnvPrefix("link")
 
 	// 基础配置
-	rootCmd.Flags().StringVarP(&cfgFile, "config", "c", "./conf/server.toml", "config file")
-
 	for _, v := range configs {
 		if v.Typ == cfgStr {
-			rootCmd.Flags().String(v.Name, v.ValStr, v.Usage)
+			rootCmd.Flags().StringP(v.Name, v.Short, v.ValStr, v.Usage)
 		}
 		if v.Typ == cfgInt {
-			rootCmd.Flags().Int(v.Name, v.ValInt, v.Usage)
+			rootCmd.Flags().IntP(v.Name, v.Short, v.ValInt, v.Usage)
 		}
 		if v.Typ == cfgBool {
-			rootCmd.Flags().Bool(v.Name, v.ValBool, v.Usage)
+			rootCmd.Flags().BoolP(v.Name, v.Short, v.ValBool, v.Usage)
 		}
 
-		_ = viper.BindPFlag(v.Name, rootCmd.Flags().Lookup(v.Name))
+		_ = linkViper.BindPFlag(v.Name, rootCmd.Flags().Lookup(v.Name))
-		_ = viper.BindEnv(v.Name)
+		_ = linkViper.BindEnv(v.Name)
 		// viper.SetDefault(v.Name, v.Value)
 	}
 
+	rootCmd.Flags().BoolVarP(&rev, "version", "v", false, "display version info")
 	rootCmd.AddCommand(initToolCmd())
+
+	cobra.OnInitialize(func() {
+		linkViper.AutomaticEnv()
+	})
 }
 
 func initToolCmd() *cobra.Command {
@@ -103,25 +136,31 @@ func initToolCmd() *cobra.Command {
 	toolCmd.Flags().BoolVarP(&rev, "version", "v", false, "display version info")
 	toolCmd.Flags().BoolVarP(&secret, "secret", "s", false, "generate a random jwt secret")
 	toolCmd.Flags().StringVarP(&passwd, "passwd", "p", "", "convert the password plaintext")
-	toolCmd.Flags().BoolVarP(&env, "env", "e", false, "list the config name and env key")
+	toolCmd.Flags().BoolVarP(&otp, "otp", "o", false, "generate a random otp secret")
+	toolCmd.Flags().BoolVarP(&debug, "debug", "d", false, "list the config viper.Debug() info")
 
 	toolCmd.Run = func(cmd *cobra.Command, args []string) {
+		runSrv = false
+
 		switch {
 		case rev:
-			fmt.Printf("%s v%s build on %s [%s, %s] commit_id(%s) \n",
+			printVersion()
-				APP_NAME, APP_VER, runtime.Version(), runtime.GOOS, runtime.GOARCH, CommitId)
 		case secret:
-			rand.Seed(time.Now().UnixNano())
 			s, _ := utils.RandSecret(40, 60)
 			s = strings.Trim(s, "=")
 			fmt.Printf("Secret:%s\n", s)
+		case otp:
+			s := gotp.RandomSecret(32)
+			fmt.Printf("Otp:%s\n\n", s)
+			qrstr := fmt.Sprintf("otpauth://totp/%s:%s?issuer=%s&secret=%s", "anylink_admin", "admin@anylink", "anylink_admin", s)
+			qr, _ := qrcode.New(qrstr, qrcode.High)
+			ss := qr.ToSmallString(false)
+			io.WriteString(os.Stderr, ss)
 		case passwd != "":
 			pass, _ := utils.PasswordHash(passwd)
 			fmt.Printf("Passwd:%s\n", pass)
-		case env:
+		case debug:
-			for k, v := range envs {
+			// linkViper.Debug()
-				fmt.Printf("%s => %s\n", k, v)
-			}
 		default:
 			fmt.Println("Using [anylink tool -h] for help")
 		}
@@ -129,3 +168,8 @@ func initToolCmd() *cobra.Command {
 
 	return toolCmd
 }
+
+func printVersion() {
+	fmt.Printf("%s v%s build on %s [%s, %s] date:%s commit_id(%s)\n",
+		APP_NAME, APP_VER, runtime.Version(), runtime.GOOS, runtime.GOARCH, BuildDate, CommitId)
+}

server/base/config.go

@@ -4,11 +4,15 @@ const (
 	cfgStr = iota
 	cfgInt
 	cfgBool
+
+	defaultJwt = "abcdef.0123456789.abcdef"
+	defaultPwd = "$2a$10$UQ7C.EoPifDeJh6d8.31TeSPQU7hM/NOM2nixmBucJpAuXDQNqNke"
 )
 
 type config struct {
 	Typ     int
 	Name    string
+	Short   string
 	Usage   string
 	ValStr  string
 	ValInt  int
@@ -16,37 +20,57 @@ type config struct {
 }
 
 var configs = []config{
-	{Typ: cfgStr, Name: "link_addr", Usage: "vpn服务对外地址", ValStr: "vpn.xx.com"},
+	{Typ: cfgStr, Name: "conf", Usage: "config file", ValStr: "./conf/server.toml", Short: "c"},
-	{Typ: cfgStr, Name: "server_addr", Usage: "前台服务监听地址", ValStr: ":443"},
+	{Typ: cfgStr, Name: "profile", Usage: "profile.xml file", ValStr: "./conf/profile.xml"},
+	{Typ: cfgStr, Name: "profile_name", Usage: "profile name(用于区分不同服务端的配置)", ValStr: "anylink"},
+	{Typ: cfgStr, Name: "server_addr", Usage: "TCP服务监听地址(任意端口)", ValStr: ":443"},
+	{Typ: cfgBool, Name: "server_dtls", Usage: "开启DTLS", ValBool: false},
+	{Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址(任意端口)", ValStr: ":443"},
 	{Typ: cfgStr, Name: "admin_addr", Usage: "后台服务监听地址", ValStr: ":8800"},
 	{Typ: cfgBool, Name: "proxy_protocol", Usage: "TCP代理协议", ValBool: false},
-	{Typ: cfgStr, Name: "db_file", Usage: "数据库地址", ValStr: "./conf/data.db"},
+	{Typ: cfgStr, Name: "db_type", Usage: "数据库类型 [sqlite3 mysql postgres]", ValStr: "sqlite3"},
+	{Typ: cfgStr, Name: "db_source", Usage: "数据库source", ValStr: "./conf/anylink.db"},
 	{Typ: cfgStr, Name: "cert_file", Usage: "证书文件", ValStr: "./conf/vpn_cert.pem"},
 	{Typ: cfgStr, Name: "cert_key", Usage: "证书密钥", ValStr: "./conf/vpn_cert.key"},
-	{Typ: cfgStr, Name: "ui_path", Usage: "ui文件路径", ValStr: "./ui"},
 	{Typ: cfgStr, Name: "files_path", Usage: "外部下载文件路径", ValStr: "./conf/files"},
-	{Typ: cfgStr, Name: "log_path", Usage: "日志文件路径", ValStr: ""},
+	{Typ: cfgStr, Name: "log_path", Usage: "日志文件路径,默认标准输出", ValStr: ""},
-	{Typ: cfgStr, Name: "log_level", Usage: "日志等级", ValStr: "info"},
+	{Typ: cfgStr, Name: "log_level", Usage: "日志等级 [debug info warn error]", ValStr: "debug"},
+	{Typ: cfgBool, Name: "http_server_log", Usage: "开启go标准库http.Server的日志", ValBool: false},
+	{Typ: cfgBool, Name: "pprof", Usage: "开启pprof", ValBool: true},
 	{Typ: cfgStr, Name: "issuer", Usage: "系统名称", ValStr: "XX公司VPN"},
 	{Typ: cfgStr, Name: "admin_user", Usage: "管理用户名", ValStr: "admin"},
-	{Typ: cfgStr, Name: "admin_pass", Usage: "管理用户密码", ValStr: ""},
+	{Typ: cfgStr, Name: "admin_pass", Usage: "管理用户密码", ValStr: defaultPwd},
-	{Typ: cfgStr, Name: "jwt_secret", Usage: "JWT密钥", ValStr: ""},
+	{Typ: cfgStr, Name: "admin_otp", Usage: "管理用户otp,生成命令 ./anylink tool -o", ValStr: ""},
-	{Typ: cfgStr, Name: "link_mode", Usage: "虚拟网络类型", ValStr: "tun"},
+	{Typ: cfgStr, Name: "jwt_secret", Usage: "JWT密钥", ValStr: defaultJwt},
-	{Typ: cfgStr, Name: "ipv4_cidr", Usage: "ip地址网段", ValStr: "192.168.10.0/24"},
+	{Typ: cfgStr, Name: "link_mode", Usage: "虚拟网络类型[tun tap macvtap ipvtap]", ValStr: "tun"},
-	{Typ: cfgStr, Name: "ipv4_gateway", Usage: "ipv4_gateway", ValStr: "192.168.10.1"},
+	{Typ: cfgStr, Name: "ipv4_master", Usage: "ipv4主网卡名称", ValStr: "eth0"},
-	{Typ: cfgStr, Name: "ipv4_start", Usage: "IPV4开始地址", ValStr: "192.168.10.100"},
+	{Typ: cfgStr, Name: "ipv4_cidr", Usage: "ip地址网段", ValStr: "192.168.90.0/24"},
-	{Typ: cfgStr, Name: "ipv4_end", Usage: "IPV4结束", ValStr: "192.168.10.200"},
+	{Typ: cfgStr, Name: "ipv4_gateway", Usage: "ipv4_gateway", ValStr: "192.168.90.1"},
+	{Typ: cfgStr, Name: "ipv4_start", Usage: "IPV4开始地址", ValStr: "192.168.90.100"},
+	{Typ: cfgStr, Name: "ipv4_end", Usage: "IPV4结束", ValStr: "192.168.90.200"},
 	{Typ: cfgStr, Name: "default_group", Usage: "默认用户组", ValStr: "one"},
+	{Typ: cfgStr, Name: "default_domain", Usage: "客户端dns的默认搜索域", ValStr: ""},
 
-	{Typ: cfgInt, Name: "ip_lease", Usage: "IP租期(秒)", ValInt: 1209600},
+	{Typ: cfgInt, Name: "ip_lease", Usage: "IP租期(秒)", ValInt: 86400},
-	{Typ: cfgInt, Name: "max_client", Usage: "最大用户连接", ValInt: 100},
+	{Typ: cfgInt, Name: "max_client", Usage: "最大用户连接", ValInt: 200},
 	{Typ: cfgInt, Name: "max_user_client", Usage: "最大单用户连接", ValInt: 3},
-	{Typ: cfgInt, Name: "cstp_keepalive", Usage: "keepalive时间(秒)", ValInt: 20},
+	{Typ: cfgInt, Name: "cstp_keepalive", Usage: "keepalive时间(秒)", ValInt: 3},
-	{Typ: cfgInt, Name: "cstp_dpd", Usage: "死链接检测时间(秒)", ValInt: 30},
+	{Typ: cfgInt, Name: "cstp_dpd", Usage: "死链接检测时间(秒)", ValInt: 10},
-	{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 50},
+	{Typ: cfgInt, Name: "mobile_keepalive", Usage: "移动端keepalive接检测时间(秒)", ValInt: 4},
-	{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 60},
+	{Typ: cfgInt, Name: "mobile_dpd", Usage: "移动端死链接检测时间(秒)", ValInt: 15},
-	{Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)", ValInt: 3600},
+	{Typ: cfgInt, Name: "mtu", Usage: "最大传输单元MTU", ValInt: 1460},
+	{Typ: cfgInt, Name: "idle_timeout", Usage: "空闲链接超时时间(秒)-超时后断开链接，0关闭此功能", ValInt: 0},
+	{Typ: cfgInt, Name: "session_timeout", Usage: "session过期时间(秒)-用于断线重连，0永不过期", ValInt: 3600},
 	// {Typ: cfgInt, Name: "auth_timeout", Usage: "auth_timeout", ValInt: 0},
+	{Typ: cfgInt, Name: "audit_interval", Usage: "审计去重间隔(秒),-1关闭", ValInt: 600},
+
+	{Typ: cfgBool, Name: "show_sql", Usage: "显示sql语句，用于调试", ValBool: false},
+	{Typ: cfgBool, Name: "iptables_nat", Usage: "是否自动添加NAT", ValBool: true},
+	{Typ: cfgBool, Name: "compression", Usage: "启用压缩", ValBool: false},
+	{Typ: cfgInt, Name: "no_compress_limit", Usage: "低于及等于多少字节不压缩", ValInt: 256},
+
+	{Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false},
+	{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
 }
 
-var envs = map[string]string{"admin_addr": "LINK_ADMIN_ADDR", "admin_pass": "LINK_ADMIN_PASS", "admin_user": "LINK_ADMIN_USER", "cert_file": "LINK_CERT_FILE", "cert_key": "LINK_CERT_KEY", "cstp_dpd": "LINK_CSTP_DPD", "cstp_keepalive": "LINK_CSTP_KEEPALIVE", "db_file": "LINK_DB_FILE", "default_group": "LINK_DEFAULT_GROUP", "files_path": "LINK_FILES_PATH", "ip_lease": "LINK_IP_LEASE", "ipv4_cidr": "LINK_IPV4_CIDR", "ipv4_end": "LINK_IPV4_END", "ipv4_gateway": "LINK_IPV4_GATEWAY", "ipv4_start": "LINK_IPV4_START", "issuer": "LINK_ISSUER", "jwt_secret": "LINK_JWT_SECRET", "link_addr": "LINK_LINK_ADDR", "link_mode": "LINK_LINK_MODE", "log_level": "LINK_LOG_LEVEL", "log_path": "LINK_LOG_PATH", "max_client": "LINK_MAX_CLIENT", "max_user_client": "LINK_MAX_USER_CLIENT", "mobile_dpd": "LINK_MOBILE_DPD", "mobile_keepalive": "LINK_MOBILE_KEEPALIVE", "proxy_protocol": "LINK_PROXY_PROTOCOL", "server_addr": "LINK_SERVER_ADDR", "session_timeout": "LINK_SESSION_TIMEOUT", "ui_path": "LINK_UI_PATH"}
+var envs = map[string]string{}

server/base/log.go

@@ -10,14 +10,16 @@ import (
 )
 
 const (
-	_Debug = iota
+	LogLevelTrace = iota
-	_Info
+	LogLevelDebug
-	_Warn
+	LogLevelInfo
-	_Error
+	LogLevelWarn
-	_Fatal
+	LogLevelError
+	LogLevelFatal
 )
 
 var (
+	baseLw    *logWriter
 	baseLog   *log.Logger
 	baseLevel int
 	levels    map[int]string
@@ -26,6 +28,10 @@ var (
 	logName    = "anylink.log"
 )
 
+func init() {
+	log.SetFlags(log.LstdFlags | log.Lshortfile)
+}
+
 // 实现 os.Writer 接口
 type logWriter struct {
 	UseStdout bool
@@ -66,7 +72,7 @@ func (lw *logWriter) newFile() {
 
 func initLog() {
 	// 初始化 baseLog
-	baseLw := &logWriter{
+	baseLw = &logWriter{
 		UseStdout: Cfg.LogPath == "",
 		FileName:  path.Join(Cfg.LogPath, logName),
 		NowDate:   time.Now().Format(dateFormat),
@@ -75,24 +81,46 @@ func initLog() {
 	baseLw.newFile()
 	baseLevel = logLevel2Int(Cfg.LogLevel)
 	baseLog = log.New(baseLw, "", log.LstdFlags|log.Lshortfile)
+
+	serverLog = log.New(&sLogWriter{}, "[http_server]", log.LstdFlags|log.Lshortfile)
+}
+
+func GetBaseLw() *logWriter {
+	return baseLw
+}
+
+var serverLog *log.Logger
+
+type sLogWriter struct{}
+
+func (w *sLogWriter) Write(p []byte) (n int, err error) {
+	if Cfg.HttpServerLog {
+		return os.Stderr.Write(p)
+	}
+	return 0, nil
 }
 
 // 获取 log.Logger
-func GetBaseLog() *log.Logger {
+func GetServerLog() *log.Logger {
-	return baseLog
+	return serverLog
+}
+
+func GetLogLevel() int {
+	return baseLevel
 }
 
 func logLevel2Int(l string) int {
 	levels = map[int]string{
-		_Debug: "Debug",
+		LogLevelTrace: "Trace",
-		_Info:  "Info",
+		LogLevelDebug: "Debug",
-		_Warn:  "Warn",
+		LogLevelInfo:  "Info",
-		_Error: "Error",
+		LogLevelWarn:  "Warn",
-		_Fatal: "Fatal",
+		LogLevelError: "Error",
+		LogLevelFatal: "Fatal",
 	}
-	lvl := _Info
+	lvl := LogLevelInfo
 	for k, v := range levels {
-		if strings.EqualFold(strings.ToLower(l), strings.ToLower(v)) {
+		if strings.ToLower(l) == strings.ToLower(v) {
 			lvl = k
 		}
 	}
@@ -104,8 +132,16 @@ func output(l int, s ...interface{}) {
 	_ = baseLog.Output(3, lvl+fmt.Sprintln(s...))
 }
 
+func Trace(v ...interface{}) {
+	l := LogLevelTrace
+	if baseLevel > l {
+		return
+	}
+	output(l, v...)
+}
+
 func Debug(v ...interface{}) {
-	l := _Debug
+	l := LogLevelDebug
 	if baseLevel > l {
 		return
 	}
@@ -113,7 +149,7 @@ func Debug(v ...interface{}) {
 }
 
 func Info(v ...interface{}) {
-	l := _Info
+	l := LogLevelInfo
 	if baseLevel > l {
 		return
 	}
@@ -121,7 +157,7 @@ func Info(v ...interface{}) {
 }
 
 func Warn(v ...interface{}) {
-	l := _Warn
+	l := LogLevelWarn
 	if baseLevel > l {
 		return
 	}
@@ -129,7 +165,7 @@ func Warn(v ...interface{}) {
 }
 
 func Error(v ...interface{}) {
-	l := _Error
+	l := LogLevelError
 	if baseLevel > l {
 		return
 	}
@@ -137,7 +173,7 @@ func Error(v ...interface{}) {
 }
 
 func Fatal(v ...interface{}) {
-	l := _Fatal
+	l := LogLevelFatal
 	if baseLevel > l {
 		return
 	}

server/base/mod.go

@@ -0,0 +1,81 @@
+package base
+
+import (
+	"bufio"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+const (
+	procModulesPath = "/proc/modules"
+	inContainerKey  = "ANYLINK_IN_CONTAINER"
+	tunPath         = "/dev/net/tun"
+)
+
+var (
+	InContainer = false
+	modMap      = map[string]struct{}{}
+)
+
+func initMod() {
+	container := os.Getenv(inContainerKey)
+	if container == "true" {
+		InContainer = true
+	}
+	log.Println("InContainer", InContainer)
+
+	file, err := os.Open(procModulesPath)
+	if err != nil {
+		err = fmt.Errorf("[ERROR] Problem with open file: %s", err)
+		panic(err)
+	}
+	defer file.Close()
+	scanner := bufio.NewScanner(file)
+	scanner.Split(bufio.ScanLines)
+	for scanner.Scan() {
+		splited := strings.Split(scanner.Text(), " ")
+		if len(splited[0]) > 0 {
+			modMap[splited[0]] = struct{}{}
+		}
+	}
+}
+
+func CheckModOrLoad(mod string) {
+	log.Println("CheckModOrLoad", mod)
+
+	if _, ok := modMap[mod]; ok {
+		return
+	}
+
+	var err error
+
+	if mod == "tun" || mod == "tap" {
+		_, err = os.Stat(tunPath)
+		if err == nil {
+			// 文件存在
+			return
+		}
+		// err = fmt.Errorf("[error] Linux tunFile is null %s", tunPath)
+		// log.Println(err)
+		// return
+	}
+
+	if InContainer {
+		err = fmt.Errorf("[error] Linux module %s is not loaded, please run `modprobe %s`", mod, mod)
+		log.Println(err)
+		return
+		// panic(err)
+	}
+
+	cmdstr := fmt.Sprintln("modprobe", mod)
+
+	cmd := exec.Command("sh", "-c", cmdstr)
+	b, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Println(mod, string(b))
+		panic(err)
+	}
+}

server/base/start.go

@@ -4,6 +4,7 @@ func Start() {
 	execute()
 	initCfg()
 	initLog()
+	initMod()
 }
 
 func Test() {

server/bridge-init.sh

@@ -1,19 +1,13 @@
 #!/bin/bash
 
-#################################
+#yum install bridge-utils
-# Set up Ethernet bridge on Linux
-# Requires: bridge-utils
-#################################
 
 # Define Bridge Interface
 br="anylink0"
 
-# Define physical ethernet interface to be bridged
+# 请根据sever服务器信息，更新下面的信息
-# with TAP interface(s) above.
-
 eth="eth0"
-eth_ip="192.168.10.4"
+eth_ip="192.168.10.4/24"
-eth_netmask="255.255.255.0"
 eth_broadcast="192.168.10.255"
 eth_gateway="192.168.10.1"
 
@@ -21,11 +15,14 @@ eth_gateway="192.168.10.1"
 brctl addbr $br
 brctl addif $br $eth
 
-ifconfig $eth 0.0.0.0 up
+ip addr del $eth_ip dev $eth
+ip addr add 0.0.0.0 dev $eth
+ip link set dev $eth up promisc on
 
 mac=`cat /sys/class/net/$eth/address`
-ifconfig $br hw ether $mac
+ip link set dev $br up address $mac promisc on
-ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
+ip addr add $eth_ip broadcast $eth_broadcast dev $br
+
 
 route add default gateway $eth_gateway
 

server/conf/files/info.txt

@@ -0,0 +1,2 @@
+客户端软件需放置在files目录内，
+如需要帮助请加QQ群：567510628 、739072205

server/conf/profile.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
+
+    <ClientInitialization>
+        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
+        <StrictCertificateTrust>false</StrictCertificateTrust>
+        <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
+        <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
+        <BypassDownloader>true</BypassDownloader>
+        <AutoUpdate UserControllable="false">false</AutoUpdate>
+        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
+        <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
+        <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
+        <CertificateMatch>
+            <KeyUsage>
+                <MatchKey>Digital_Signature</MatchKey>
+            </KeyUsage>
+            <ExtendedKeyUsage>
+                <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
+            </ExtendedKeyUsage>
+        </CertificateMatch>
+
+    </ClientInitialization>
+
+    <ServerList>
+
+        <HostEntry>
+            <HostName>VPN</HostName>
+            <HostAddress>localhost</HostAddress>
+        </HostEntry>
+
+        <HostEntry>
+            <HostName>VPN2</HostName>
+            <HostAddress>localhost2</HostAddress>
+        </HostEntry>
+
+    </ServerList>
+</AnyConnectProfile>

server/conf/server-sample.toml

@@ -0,0 +1,107 @@
+#示例配置信息
+
+#其他配置文件,可以使用绝对路径
+#或者相对于 anylink 二进制文件的路径
+
+#数据文件
+db_type = "sqlite3"
+db_source = "./conf/anylink.db"
+#证书文件 使用跟nginx一样的证书即可
+cert_file = "./conf/vpn_cert.pem"
+cert_key = "./conf/vpn_cert.key"
+files_path = "./conf/files"
+profile = "./conf/profile.xml"
+#profile name(用于区分不同服务端的配置)
+#客户端存放位置 C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile
+profile_name = "anylink"
+#日志目录,为空写入标准输出
+#log_path = "./log"
+log_path = ""
+log_level = "debug"
+pprof = true
+
+#系统名称
+issuer = "XX公司VPN"
+#后台管理用户
+admin_user = "admin"
+#pass 123456
+admin_pass = "$2a$10$UQ7C.EoPifDeJh6d8.31TeSPQU7hM/NOM2nixmBucJpAuXDQNqNke"
+# 留空表示不开启 otp, 开启otp后密码为  pass + 6位otp
+# 生成 ./anylink tool -o
+admin_otp = ""
+jwt_secret = "abcdef.0123456789.abcdef"
+
+
+#TCP服务监听地址(任意端口)
+server_addr = ":443"
+#开启 DTLS
+server_dtls = false
+#UDP监听地址(任意端口)
+server_dtls_addr = ":443"
+#后台服务监听地址
+admin_addr = ":8800"
+#开启tcp proxy protocol协议
+proxy_protocol = false
+
+#虚拟网络类型[tun macvtap tap]
+link_mode = "tun"
+
+#客户端分配的ip地址池
+#docker环境一般默认 eth0，其他情况根据实际网卡信息填写
+ipv4_master = "eth0"
+ipv4_cidr = "192.168.90.0/24"
+ipv4_gateway = "192.168.90.1"
+ipv4_start = "192.168.90.100"
+ipv4_end = "192.168.90.200"
+
+#最大客户端数量
+max_client = 200
+#单个用户同时在线数量
+max_user_client = 3
+#IP租期(秒)
+ip_lease = 86400
+
+#默认选择的组
+default_group = "one"
+
+#客户端失效检测时间(秒) dpd > keepalive
+cstp_keepalive = 3
+cstp_dpd = 10
+mobile_keepalive = 4
+mobile_dpd = 15
+
+# 根据实际情况修改
+#cstp_keepalive = 20
+#cstp_dpd = 30
+#mobile_keepalive = 40
+#mobile_dpd = 60
+
+#设置最大传输单元
+mtu = 1460
+
+# 客户端dns的默认搜索域
+default_domain = "example.com"
+#default_domain = "example.com abc.example.com"
+
+#空闲链接超时时间(秒)-超时后断开链接，0关闭此功能
+idle_timeout = 0
+#session过期时间，用于断线重连，0永不过期
+session_timeout = 3600
+#auth_timeout = 0
+audit_interval = 600
+
+show_sql = false
+
+#是否自动添加nat
+iptables_nat = true
+
+#启用压缩
+compression = false
+#低于及等于多少字节不压缩
+no_compress_limit = 256
+
+#客户端显示详细错误信息(线上环境慎开启)
+display_error = false
+
+#排除出口ip路由(出口ip不加密传输)
+exclude_export_ip = true

server/conf/server.toml

@@ -1,19 +1,16 @@
-#服务配置信息
+#示例配置信息
 
 #其他配置文件,可以使用绝对路径
-#或者相对于server.toml的路径
+#或者相对于 anylink 二进制文件的路径
 
 #数据文件
-db_file = "./data.db"
+db_type = "sqlite3"
+db_source = "./conf/anylink.db"
 #证书文件
-cert_file = "./test_vpn_cert.pem"
+cert_file = "./conf/vpn_cert.pem"
-cert_key = "./test_vpn_key.pem"
+cert_key = "./conf/vpn_cert.key"
-ui_path = "../ui"
+files_path = "./conf/files"
-files_path = "../files"
+log_level = "debug"
-#日志目录,为空写入标准输出
-#log_path = "../log"
-log_path = ""
-log_level = "info"
 
 #系统名称
 issuer = "XX公司VPN"
@@ -21,47 +18,40 @@ issuer = "XX公司VPN"
 admin_user = "admin"
 #pass 123456
 admin_pass = "$2a$10$UQ7C.EoPifDeJh6d8.31TeSPQU7hM/NOM2nixmBucJpAuXDQNqNke"
-jwt_secret = "iLmspvOiz*%ovfcs*wersdf#^heR8pNU^4XxBm&mW$aPCjSRMbYH#&"
+# 留空表示不开启 otp, 开启otp后密码为  pass + 6位otp
+# 生成 ./anylink tool -o
+admin_otp = ""
+jwt_secret = "abcdef.0123456789.abcdef"
 
-
+#TCP服务监听地址(任意端口)
-#vpn服务对外地址,影响开通邮件二维码
-link_addr = "vpn.xx.com"
-
-#前台服务监听地址
 server_addr = ":443"
+#开启 DTLS
+server_dtls = false
+#UDP监听地址(任意端口)
+server_dtls_addr = ":443"
 #后台服务监听地址
 admin_addr = ":8800"
-#开启tcp proxy protocol协议
-proxy_protocol = false
-
-link_mode = "tun"
-
-#客户端分配的ip地址池
-ipv4_cidr = "192.168.10.0/24"
-ipv4_gateway = "192.168.10.1"
-ipv4_start = "192.168.10.100"
-ipv4_end = "192.168.10.200"
 
 #最大客户端数量
-max_client = 100
+max_client = 200
 #单个用户同时在线数量
 max_user_client = 3
-#IP租期(秒)
-ip_lease = 1209600
 
-#默认选择的组
+#虚拟网络类型[tun macvtap]
-default_group = "one"
+link_mode = "tun"
-
+#客户端分配的ip地址池
-#客户端失效检测时间(秒) dpd > keepalive
+#docker环境一般默认 eth0，其他情况根据实际网卡信息填写
-cstp_keepalive = 20
+ipv4_master = "eth0"
-cstp_dpd = 30
+ipv4_cidr = "192.168.90.0/24"
-mobile_keepalive = 50
+ipv4_gateway = "192.168.90.1"
-mobile_dpd = 60
+ipv4_start = "192.168.90.100"
-#session过期时间，用于断线重连，0永不过期
+ipv4_end = "192.168.90.200"
-session_timeout = 3600
-auth_timeout = 0
 
+#是否自动添加nat
+iptables_nat = true
 
 
+#客户端显示详细错误信息(线上环境慎开启)
+display_error = true
 
 

server/conf/test_vpn_cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDGDCCAgACCQCecQDpy/8hRTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJD
-TjELMAkGA1UECAwCQkoxCzAJBgNVBAcMAkJKMQswCQYDVQQKDAJCRDELMAkGA1UE
-CwwCQkQxCzAJBgNVBAMMAkNTMB4XDTIxMDMyNjA5MTkwNloXDTMxMDMyNDA5MTkw
-NlowTjELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNIMQswCQYDVQQHDAJTSDELMAkG
-A1UECgwCVE0xCzAJBgNVBAsMAlRNMQswCQYDVQQDDAJDUzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAJtDxHduS8gjI0P6txHS+cODxKjyjNiCBa7tFgSc
-d9hRrzCvK4Q4M5StKJoSczmHl0C3HVoq92Gv1vENxq4irYdCrwLeOZGyt7urUlbs
-PkvEoVXxfAkPpue+JewG/CvGArJeP7UGsP5IrD0Dt5X1DP677K6qf5igzyaJqYJu
-RDJ5wR84BoDvY66Zc578N9tK9XusdJ63gQ5jGcG4Dneu1UX3g8lQkJ6P0xLXTh7W
-u5Sjx8axbDcFxbDLxNGL1yPgAjhIRgMfaWLwuQQg4WKFsdMljv1Flz8/h91z2xo+
-+E/B4YF0UFWTcWQ2TQ8w8noDqnnXVVQyOvuI3aajodml/f0CAwEAATANBgkqhkiG
-9w0BAQsFAAOCAQEAd89n0eWXgO1lqMciWmS9xY8Sj/U840bPo/4Kclsm1vFNvIXu
-I50PeaNiU2E5+CMk8AwXaJ5gDO7vsRxvLLRAUWZeuxSror2a0RkViEFW+UKcBuuB
-Izl9giXUhB/P85+We1ma5jizqj7OpzgMkzkcTZL2M6Gw6IWY4jopvLQjiCooSiYF
-wtLZjuFKfpLrPw5RgpWI4L8Hftbkmh6Q8nqcoQvgwm7rLrD5VqiTu7Rk1SXTFuXn
-uuazXasWIWRVGFuFcYP1rwyOfp9HhCFKngi0w8IRnbOcaPdXydtbKMcKt5z9zQX5
-BqrZ3ZfPp5HeklG7L8eQrnp4ines6YDshPnaRQ==
------END CERTIFICATE-----

server/conf/test_vpn_key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAm0PEd25LyCMjQ/q3EdL5w4PEqPKM2IIFru0WBJx32FGvMK8r
-hDgzlK0omhJzOYeXQLcdWir3Ya/W8Q3GriKth0KvAt45kbK3u6tSVuw+S8ShVfF8
-CQ+m574l7Ab8K8YCsl4/tQaw/kisPQO3lfUM/rvsrqp/mKDPJompgm5EMnnBHzgG
-gO9jrplznvw320r1e6x0nreBDmMZwbgOd67VRfeDyVCQno/TEtdOHta7lKPHxrFs
-NwXFsMvE0YvXI+ACOEhGAx9pYvC5BCDhYoWx0yWO/UWXPz+H3XPbGj74T8HhgXRQ
-VZNxZDZNDzDyegOqeddVVDI6+4jdpqOh2aX9/QIDAQABAoIBADWT2fz4g5AJiAbS
-QlAVRHjSRI+kOzQPEhT93SY0NCribRjYqaSTnEEGy8b27OoCPxBm3+sYfosoGXzP
-Kys17jmJqkjMFIORb1OEWAKEvS56KM42aX3a99ZqSD29X1Ffn9ibK1K1f2gP/deE
-K9rEV/qjMJZJYYRyoWkEAglvMXtU/NMRoTuFYtrJPr9sFEfpBFq97WpWiyMdLKTG
-MmlN+T1CXFQj/+mpv+DDSXcwLPBxAttDYE2GeqlhntId0I6cgaEGMO42D6fnqrKi
-PDilA/D6zos4o/bpRGvVBdXHqOXvX2stNHK+PvEX46GRd+OZhLh0KEcrWAx8cXs9
-ZhugTyECgYEAyffRPd98acL0OhXJR9mZTgDdotl7iYq+RTZbmEvAFst3mL3LA6Ba
-BTrwRLh9x8lzxoTQHHFaJL63kIrN6QAR9e3+pR0e8IX3vYCVGIlRCYB5CrE/O3Pi
-B9R17tCI5dFrFXYiST38sjwrWG9+geKarbUH5AZrZEO5uw0q7+4F3TkCgYEAxM1h
-Xo+xRt8RXoWZ6Cl66HhZKIvDcxkBtoNh54YLzrVpv0D+RvAWNDzRVXbbIUUpBGPN
-pHrwU8G0qWr4Q/Zx+vnckqotGMTNCB7vcmB/qwF9grNW9E0rCyIYLXtJcEiclJIF
-Oe406YXl7mSG1I6QjAADz8PNb4++Ct1+hVS56uUCgYAx9g/Y0nQgZY2s4L7N+1Il
-LammI06gE6ZF0NCPuA1oliSbsDeMShp6uL2/AjR7O6ZcMXaZ0qCN/m/CXdPaE55d
-y+X2SmHg9gL26dv4Gd/mDdXjgz01I9GCRlh2Hzf+QfPPd027+I2OObwvQEV3M+s3
-lVTCX6QpRWeokfVRLPxeYQKBgDIYPVK+rNdnbJps05JfDKQkDj3d5bBkiyUUKFWw
-r0y8rOA8AP25m01MtdRVXs4HNruhU/UsPgRz6DK/wdY64ySJeXXzz2rgnXgVt8mb
-eqPiyzn7wISLKAu7cAATw8vLD+BZku7+DYXryW13NULhzzVzw4SdSKu/IRbO7qet
-u21pAoGAd2mBJ+PWKnUkARS8gQ3Y3cagA/qGGr094P9relglRDBv/Pm7kTUt6K8B
-NnpqWydcVtcrXmNzGRx4ftm18SzmTJEohF14nF9424q4aiWoNZyG8adxaI0Yqv3G
-LnH8n2fzC+pf31LijBRM8DRnepah64mLF+OM/SxgVg1nP9jVUG4=
------END RSA PRIVATE KEY-----

server/conf/vpn_cert.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDRVjwa+YPKcvKD
+2YZJUMPcwXCL32hF9gFTyMFuojpvo/L9C710xkJBNW2ceEcAdYyohBhtylbCFKUy
+QpDRJsAmRiWL5zSjfeds4bVEInmXvF+Ga9FuN/o/R27/kyrejBVd7u9AKzg9k5vI
+/4FhXFMivZgwghaSiJkVHJG6ehmCVGR11A5LUIjrub+iYJfaS2dl4WVxn9kyYRuO
+NU0nDMInWE6F+dVa57HEUEOolDEmr9R+N5XIXYfXwE4W4Xj/5CL+mBLME+OaADK8
+RE9dPomgk3Vqc/s8thllyztqR/TfQIwCwmQNf+UB5DIWr5iYDsX4rU3hswJQUCTQ
+CLNEcdStAgMBAAECgf97UHp7u8+x4lz6BQB8/c0xHWdAw1clIveZbEVl0hNoVUN/
+EKku+q/1Sf+CuhnbgLjT1bkVnnotmVcGeWH2DeCnkMJqHVMOBRb/dso2fw+pCTzY
+VofQpmbPy1xCXb6chqrpT3MTaJdI7IrBCNEQ54cOxsojwzp0MfejS/NI41q8iuCS
+hVry+VEbmtA22vjwMvsF6NsRKlfc1DUyC/ZoHB91gzKmvLdXBREwBXtdiJfMlu9G
+EKH3ORxbcanmdsXWIG84t5M9Sf9L5FZe6tlL4FdoKv25Vxv2z+PVM8Y/0B3IBTCb
+yqMK8579PTlHl40WRjSgzpijGvMxuIpgm5KaXQECgYEA7U6lBhRWmPsJRaK0jyAv
+qnaC5AbnM8OjIbsDtnQxn0BWvx7aZznxOE4jL0QejUD/gov6yYkNhIu797LzO8Mq
+fEqEX7Bp23PfLvybqkyhJWFz26v0erU5q8Rlt648bK7Ul1j8FkmsEN3qu+64c8Fu
+pzN081bqOGjEcaCjsHswvkMCgYEA4dOPvYYu8wBfrH3Gn94XHWWVvFMnWErXEOzK
+eL0dFg3Ae+y8Sg5x9YTz3XjwyzwcTbrD0zg4huWwmD64BgPcliG7XKA093ea2JIs
+Mah5/KTQmltcIut7qUvzwwbQVfN3xTwWzd7eDtEIAeFZ8r/HzJM6X21b/LaQIXUY
+Gb7dik8CgYAaaUxYlt7ke9wWUfuCinSDplj/A/2rdzSqxmOtZNU5AjIlZ0urfXlp
+aNjlo9E6q2dEokuxLn3AqMSs1s/XcOtDlg+RjtLZR9YpJpg0pf6xaF06r7KwDYdz
+pJIllVDIT9T9WzwDRwPNhMVhUTpaN8cW+NUlWCENUiu68cQGGk/cfQKBgEmvRk+I
+4PjZPl6CC7VOOiyVYO46E7RzdwlGuin7SupPQmctL6LaY8TAxPGW7LrjujiCoDLj
+PU6G08BZdqI/0FIMX54xiBbXJ+dSiqkJWARfotE6zi12uLrc1YTlTEU/U+0/VhGG
+jt42xm4WocrbWM4fnARXIpSq3QyNsHd2F8NxAoGBAMEcT0mFQ0J7HCQ+zL36ogGv
+Bc/N6WR0xSEBQVG9D4iysxX4XyJukCuUCvMIbsBj5IVAVBlMNxfDtL/kD6tgy0L7
+tdN7nOaYgnqTyZfQItz92cQ6oiIqW7GPJA5ATJe1fxXINjcP6EkRDAfACBW7/l85
+Cd/yRpaOSMPbqKO1OOSn
+-----END PRIVATE KEY-----

server/conf/vpn_cert.pem

@@ -0,0 +1,67 @@
+-----BEGIN CERTIFICATE-----
+MIIGbTCCBNWgAwIBAgIQIodwqN03+Y3aYpdvfq2qKTANBgkqhkiG9w0BAQwFADBZ
+MQswCQYDVQQGEwJDTjElMCMGA1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywg
+SW5jLjEjMCEGA1UEAxMaVHJ1c3RBc2lhIFJTQSBEViBUTFMgQ0EgRzIwHhcNMjQw
+MTIyMDAwMDAwWhcNMjUwMTIxMjM1OTU5WjAcMRowGAYDVQQDExF2cG4udGVzdC52
+cWlsdS5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFWPBr5g8py
+8oPZhklQw9zBcIvfaEX2AVPIwW6iOm+j8v0LvXTGQkE1bZx4RwB1jKiEGG3KVsIU
+pTJCkNEmwCZGJYvnNKN952zhtUQieZe8X4Zr0W43+j9Hbv+TKt6MFV3u70ArOD2T
+m8j/gWFcUyK9mDCCFpKImRUckbp6GYJUZHXUDktQiOu5v6Jgl9pLZ2XhZXGf2TJh
+G441TScMwidYToX51VrnscRQQ6iUMSav1H43lchdh9fAThbheP/kIv6YEswT45oA
+MrxET10+iaCTdWpz+zy2GWXLO2pH9N9AjALCZA1/5QHkMhavmJgOxfitTeGzAlBQ
+JNAIs0Rx1K0CAwEAAaOCAuwwggLoMB8GA1UdIwQYMBaAFF86fBEQfgxncWHci6O1
+AANn9VccMB0GA1UdDgQWBBRDRfNBNYRlLb4V1MRTnU+bUVnvnDAOBgNVHQ8BAf8E
+BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICMTAlMCMGCCsGAQUFBwIBFhdodHRw
+czovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwfQYIKwYBBQUHAQEEcTBvMEIG
+CCsGAQUFBzAChjZodHRwOi8vY3J0LnRydXN0LXByb3ZpZGVyLmNuL1RydXN0QXNp
+YVJTQURWVExTQ0FHMi5jcnQwKQYIKwYBBQUHMAGGHWh0dHA6Ly9vY3NwLnRydXN0
+LXByb3ZpZGVyLmNuMBwGA1UdEQQVMBOCEXZwbi50ZXN0LnZxaWx1LmNuMIIBfwYK
+KwYBBAHWeQIEAgSCAW8EggFrAWkAdgDPEVbu1S58r/OHW9lpLpvpGnFnSrAX7KwB
+0lt3zsw7CAAAAY0v95Z6AAAEAwBHMEUCIDbFVgzV1DDvqTq6UnYisMqAEJn1cR+d
+mc+agwaOuRbrAiEAz3W2HooNcKqADX9QyK8xQQ8r9BQKVCQzF76g9AZKeDoAdwCi
+4wrkRe+9rZt+OO1HZ3dT14JbhJTXK14bLMS5UKRH5wAAAY0v95ZkAAAEAwBIMEYC
+IQCWVxDjciJ/KMbwbqMbEZdsDq0nCrotlPhIBb5wFBurVgIhAOgnw3nqSqFYRm8y
+OL3nz8rop0V5IEtgiNarOqMfLf33AHYATnWjJ1yaEMM4W2zU3z9S6x3w4I4bjWnA
+sfpksWKaOd8AAAGNL/eWFwAABAMARzBFAiBB+V0NBebuCniZVuin5OaMYvWyNvRd
+NJ6hRmLbSKQAwwIhAKrPRrAP3An/9HSrFN/70eEK5DHT8+q8m0L5tc0+TckmMA0G
+CSqGSIb3DQEBDAUAA4IBgQCB65Q0V6Mewca0iVCxLJxczu6XYCCwsUzJiTWYjao3
+XZVe8yB4RhAimsUY+U3nXIL3RivkJydqfOO9N5APWndDgbtS4r55TFdscDUDmzsR
+S5kYCoEudbDWT89U+tHMOxzUKkb3nDA0WvJEN52CAanYO3blihnX3eX7enQMGtsM
+gfDrArcQyS+WMKUkyOlNysqGtj3XWYKssBPrX/0GqMimoeYkg+B4daBTbOVB6sKs
++USnmhI2MF3QUxn0+fC207HbSDj7s4a6npjg5KsL0zUsFrNZlMH30Tx2L0WuI1T7
+65lKHaKt8CyuL/YTjD5lAGYtJ+K9ypl5sBUFCXeW1lazTocjDa2CKv3WV+kVBhyO
+2nA2Lo4e643YXwXw98+ufU2U9yUjn1OrhsUXo3qaxETGVMumRwubtX4O2dUKnYGF
+xBxfHzXJKhZjX+U2ENIwsrm7pp3dcpIZqKxPCeowU5Ma9tvYpM7kgDhploMfsVic
+H7pWcFY99X5nMwJoDDBYomY=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFBzCCA++gAwIBAgIRALIM7VUuMaC/NDp1KHQ76aswDQYJKoZIhvcNAQELBQAw
+ezELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNV
+BAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczAeFw0yMjAxMTAwMDAwMDBaFw0y
+ODEyMzEyMzU5NTlaMFkxCzAJBgNVBAYTAkNOMSUwIwYDVQQKExxUcnVzdEFzaWEg
+VGVjaG5vbG9naWVzLCBJbmMuMSMwIQYDVQQDExpUcnVzdEFzaWEgUlNBIERWIFRM
+UyBDQSBHMjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKjGDe0GSaBs
+Yl/VhMaTM6GhfR1TAt4mrhN8zfAMwEfLZth+N2ie5ULbW8YvSGzhqkDhGgSBlafm
+qq05oeESrIJQyz24j7icGeGyIZ/jIChOOvjt4M8EVi3O0Se7E6RAgVYcX+QWVp5c
+Sy+l7XrrtL/pDDL9Bngnq/DVfjCzm5ZYUb1PpyvYTP7trsV+yYOCNmmwQvB4yVjf
+IIpHC1OcsPBntMUGeH1Eja4D+qJYhGOxX9kpa+2wTCW06L8T6OhkpJWYn5JYiht5
+8exjAR7b8Zi3DeG9oZO5o6Qvhl3f8uGU8lK1j9jCUN/18mI/5vZJ76i+hsgdlfZB
+Rh5lmAQjD80M9TY+oD4MYUqB5XrigPfFAUwXFGehhlwCVw7y6+5kpbq/NpvM5Ba8
+SeQYUUuMA8RXpTtGlrrTPqJryfa55hTuX/ThhX4gcCVkbyujo0CYr+Uuc14IOyNY
+1fD0/qORbllbgV41wiy/2ZUWZQUodqHWkjT1CwIMbQOY5jmrSYGBwwIDAQABo4IB
+JjCCASIwHwYDVR0jBBgwFoAUoBEKIz6W8Qfs4q8p74Klf9AwpLQwHQYDVR0OBBYE
+FF86fBEQfgxncWHci6O1AANn9VccMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E
+CDAGAQH/AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAiBgNVHSAE
+GzAZMA0GCysGAQQBsjEBAgIxMAgGBmeBDAECATBDBgNVHR8EPDA6MDigNqA0hjJo
+dHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNy
+bDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9k
+b2NhLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAHMUom5cxIje2IiFU7mOCsBr2F6CY
+eU5cyfQ/Aep9kAXYUDuWsaT85721JxeXFYkf4D/cgNd9+hxT8ZeDOJrn+ysqR7NO
+2K9AdqTdIY2uZPKmvgHOkvH2gQD6jc05eSPOwdY/10IPvmpgUKaGOa/tyygL8Og4
+3tYyoHipMMnS4OiYKakDJny0XVuchIP7ZMKiP07Q3FIuSS4omzR77kmc75/6Q9dP
+v4wa90UCOn1j6r7WhMmX3eT3Gsdj3WMe9bYD0AFuqa6MDyjIeXq08mVGraXiw73s
+Zale8OMckn/BU3O/3aFNLHLfET2H2hT6Wb3nwxjpLIfXmSVcVd8A58XH0g==
+-----END CERTIFICATE-----

server/cron/clear_audit.go

@@ -0,0 +1,20 @@
+package cron
+
+import (
+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+)
+
+// 清除访问审计日志
+func ClearAudit() {
+	lifeDay, timesUp := isClearTime()
+	if !timesUp {
+		return
+	}
+	// 当审计日志永久保存，则退出
+	if lifeDay <= 0 {
+		return
+	}
+	affected, err := dbdata.ClearAccessAudit(getTimeAgo(lifeDay))
+	base.Info("Cron ClearAudit: ", affected, err)
+}

server/cron/clear_statsinfo.go

@@ -0,0 +1,47 @@
+package cron
+
+import (
+	"time"
+
+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+)
+
+const siLifeDay = 30
+
+// 清除图表数据
+func ClearStatsInfo() {
+	_, timesUp := isClearTime()
+	if !timesUp {
+		return
+	}
+	ts := getTimeAgo(siLifeDay)
+	for _, item := range dbdata.StatsInfoIns.Actions {
+		affected, err := dbdata.StatsInfoIns.ClearStatsInfo(item, ts)
+		base.Info("Cron ClearStatsInfo  "+item+": ", affected, err)
+	}
+}
+
+// 是否到了"清理时间"
+func isClearTime() (int, bool) {
+	dataLog, err := dbdata.SettingGetAuditLog()
+	if err != nil {
+		base.Error("Cron SettingGetLog: ", err)
+		return -1, false
+	}
+	currentTime := time.Now().Format("15:04")
+	// 未到"清理时间"时, 则返回
+	if dataLog.ClearTime != currentTime {
+		return -1, false
+	}
+	return dataLog.LifeDay, true
+}
+
+// 根据存储时长，获取清理日期
+func getTimeAgo(days int) string {
+	var timeS string
+	ts := time.Now().AddDate(0, 0, -days)
+	tsZero := time.Date(ts.Year(), ts.Month(), ts.Day(), 0, 0, 0, 0, time.Local)
+	timeS = tsZero.Format(dbdata.LayoutTimeFormat)
+	return timeS
+}

server/cron/clear_user_act_log.go

@@ -0,0 +1,20 @@
+package cron
+
+import (
+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+)
+
+// 清除用户活动日志
+func ClearUserActLog() {
+	lifeDay, timesUp := isClearTime()
+	if !timesUp {
+		return
+	}
+	// 当审计日志永久保存时，则退出
+	if lifeDay <= 0 {
+		return
+	}
+	affected, err := dbdata.UserActLogIns.ClearUserActLog(getTimeAgo(lifeDay))
+	base.Info("Cron ClearUserActLog: ", affected, err)
+}

server/cron/start.go

@@ -0,0 +1,19 @@
+package cron
+
+import (
+	"time"
+
+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/sessdata"
+	"github.com/go-co-op/gocron"
+)
+
+func Start() {
+	s := gocron.NewScheduler(time.Local)
+	s.Cron("0 * * * *").Do(ClearAudit)
+	s.Cron("0 * * * *").Do(ClearStatsInfo)
+	s.Cron("0 * * * *").Do(ClearUserActLog)
+	s.Every(1).Day().At("00:00").Do(sessdata.CloseUserLimittimeSession)
+	s.Every(1).Day().At("00:00").Do(dbdata.ReNewCert)
+	s.StartAsync()
+}

server/dbdata/audit.go

@@ -0,0 +1,62 @@
+package dbdata
+
+import (
+	"encoding/json"
+
+	"xorm.io/xorm"
+)
+
+type SearchCon struct {
+	Username    string   `json:"username"`
+	Src         string   `json:"src"`
+	Dst         string   `json:"dst"`
+	DstPort     string   `json:"dst_port"`
+	AccessProto string   `json:"access_proto"`
+	Date        []string `json:"date"`
+	Info        string   `json:"info"`
+	Sort        int      `json:"sort"`
+}
+
+func GetAuditSession(search string) *xorm.Session {
+	session := xdb.Where("1=1")
+	if search == "" {
+		return session
+	}
+	var searchData SearchCon
+	err := json.Unmarshal([]byte(search), &searchData)
+	if err != nil {
+		return session
+	}
+	if searchData.Username != "" {
+		session.And("username = ?", searchData.Username)
+	}
+	if searchData.Src != "" {
+		session.And("src = ?", searchData.Src)
+	}
+	if searchData.Dst != "" {
+		session.And("dst = ?", searchData.Dst)
+	}
+	if searchData.DstPort != "" {
+		session.And("dst_port = ?", searchData.DstPort)
+	}
+	if searchData.AccessProto != "" {
+		session.And("access_proto = ?", searchData.AccessProto)
+	}
+	if len(searchData.Date) > 0 && searchData.Date[0] != "" {
+		session.And("created_at BETWEEN ? AND ?", searchData.Date[0], searchData.Date[1])
+	}
+	if searchData.Info != "" {
+		session.And("info LIKE ?", "%"+searchData.Info+"%")
+	}
+	if searchData.Sort == 1 {
+		session.OrderBy("id desc")
+	} else {
+		session.OrderBy("id asc")
+	}
+	return session
+}
+
+func ClearAccessAudit(ts string) (int64, error) {
+	affected, err := xdb.Where("created_at < '" + ts + "'").Delete(&AccessAudit{})
+	return affected, err
+}

server/dbdata/audit_test.go

@@ -0,0 +1,43 @@
+package dbdata
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSearchAudit(t *testing.T) {
+	ast := assert.New(t)
+
+	preIpData()
+	defer closeIpdata()
+
+	currDateVal := "2022-07-24 00:00:00"
+	CreatedAt, _ := time.ParseInLocation("2006-01-02 15:04:05", currDateVal, time.Local)
+
+	dataTest := AccessAudit{
+		Username:    "Test",
+		Protocol:    6,
+		Src:         "10.10.1.5",
+		SrcPort:     0,
+		Dst:         "172.217.160.68",
+		DstPort:     80,
+		AccessProto: 4,
+		Info:        "www.google.com",
+		CreatedAt:   CreatedAt,
+	}
+	err := Add(dataTest)
+	ast.Nil(err)
+
+	var datas []AccessAudit
+	searchFormat := `{"username": "%s", "src":"%s", "dst": "%s", "dst_port":"%d","access_proto":"%d","info":"%s","date":["%s","%s"]}`
+	search := fmt.Sprintf(searchFormat, dataTest.Username, dataTest.Src, dataTest.Dst, dataTest.DstPort, dataTest.AccessProto, dataTest.Info, currDateVal, currDateVal)
+
+	session := GetAuditSession(search)
+	count, _ := FindAndCount(session, &datas, PageSize, 0)
+	ast.Equal(count, int64(1))
+	ast.Equal(datas[0].Username, dataTest.Username)
+	ast.Equal(datas[0].Dst, dataTest.Dst)
+}

server/dbdata/cert.go

@@ -0,0 +1,411 @@
+package dbdata
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"math/big"
+	"net"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/pion/dtls/v2/pkg/crypto/selfsign"
+
+	"github.com/bjdgyc/anylink/base"
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/providers/dns/alidns"
+	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
+	"github.com/go-acme/lego/v4/providers/dns/tencentcloud"
+	"github.com/go-acme/lego/v4/registration"
+)
+
+var (
+	// nameToCertificate mutex
+	ntcMux            sync.RWMutex
+	nameToCertificate = make(map[string]*tls.Certificate)
+	tempCert          *tls.Certificate
+)
+
+func init() {
+	c, _ := selfsign.GenerateSelfSignedWithDNS("localhost")
+	tempCert = &c
+}
+
+type SettingLetsEncrypt struct {
+	Domain   string `json:"domain"`
+	Legomail string `json:"legomail"`
+	Name     string `json:"name"`
+	Renew    bool   `json:"renew"`
+	DNSProvider
+}
+
+type DNSProvider struct {
+	AliYun struct {
+		APIKey    string `json:"apiKey"`
+		SecretKey string `json:"secretKey"`
+	} `json:"aliyun"`
+
+	TXCloud struct {
+		SecretID  string `json:"secretId"`
+		SecretKey string `json:"secretKey"`
+	} `json:"txcloud"`
+	CfCloud struct {
+		AuthToken string `json:"authToken"`
+	} `json:"cfcloud"`
+}
+type LegoUserData struct {
+	Email        string                 `json:"email"`
+	Registration *registration.Resource `json:"registration"`
+	Key          []byte                 `json:"key"`
+}
+type LegoUser struct {
+	Email        string
+	Registration *registration.Resource
+	Key          *ecdsa.PrivateKey
+}
+
+type LeGoClient struct {
+	mutex  sync.Mutex
+	Client *lego.Client
+	Cert   *certificate.Resource
+	LegoUserData
+}
+
+func GetDNSProvider(l *SettingLetsEncrypt) (Provider challenge.Provider, err error) {
+	switch l.Name {
+	case "aliyun":
+		if Provider, err = alidns.NewDNSProviderConfig(&alidns.Config{APIKey: l.DNSProvider.AliYun.APIKey, SecretKey: l.DNSProvider.AliYun.SecretKey, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
+			return
+		}
+	case "txcloud":
+		if Provider, err = tencentcloud.NewDNSProviderConfig(&tencentcloud.Config{SecretID: l.DNSProvider.TXCloud.SecretID, SecretKey: l.DNSProvider.TXCloud.SecretKey, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
+			return
+		}
+	case "cfcloud":
+		if Provider, err = cloudflare.NewDNSProviderConfig(&cloudflare.Config{AuthToken: l.DNSProvider.CfCloud.AuthToken, PropagationTimeout: 60 * time.Second, PollingInterval: 2 * time.Second, TTL: 600}); err != nil {
+			return
+		}
+	}
+	return
+}
+func (u *LegoUser) GetEmail() string {
+	return u.Email
+}
+func (u LegoUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+func (u *LegoUser) GetPrivateKey() crypto.PrivateKey {
+	return u.Key
+}
+
+func (l *LegoUserData) SaveUserData(u *LegoUser) error {
+	key, err := x509.MarshalECPrivateKey(u.Key)
+	if err != nil {
+		return err
+	}
+	l.Email = u.Email
+	l.Registration = u.Registration
+	l.Key = key
+	if err := SettingSet(l); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (l *LegoUserData) GetUserData(d *SettingLetsEncrypt) (*LegoUser, error) {
+	if err := SettingGet(l); err != nil {
+		return nil, err
+	}
+	if l.Email != "" {
+		key, err := x509.ParseECPrivateKey(l.Key)
+		if err != nil {
+			return nil, err
+		}
+		return &LegoUser{
+			Email:        l.Email,
+			Registration: l.Registration,
+			Key:          key,
+		}, nil
+	}
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return &LegoUser{
+		Email: d.Legomail,
+		Key:   privateKey,
+	}, nil
+}
+func ReNewCert() {
+	_, certtime, err := ParseCert()
+	if err != nil {
+		base.Error(err)
+		return
+	}
+	if certtime.AddDate(0, 0, -7).Before(time.Now()) {
+		config := &SettingLetsEncrypt{}
+		if err := SettingGet(config); err != nil {
+			base.Error(err)
+			return
+		}
+		if config.Renew {
+			client := &LeGoClient{}
+			if err := client.NewClient(config); err != nil {
+				base.Error(err)
+				return
+			}
+			if err := client.RenewCert(base.Cfg.CertFile, base.Cfg.CertKey); err != nil {
+				base.Error(err)
+				return
+			}
+			base.Info("证书续期成功")
+		}
+	} else {
+		base.Info(fmt.Sprintf("证书过期时间：%s", certtime.Local().Format("2006-1-2 15:04:05")))
+	}
+}
+
+func (c *LeGoClient) NewClient(l *SettingLetsEncrypt) error {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+	legouser, err := c.GetUserData(l)
+	if err != nil {
+		return err
+	}
+	config := lego.NewConfig(legouser)
+	config.CADirURL = lego.LEDirectoryProduction
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return err
+	}
+	Provider, err := GetDNSProvider(l)
+	if err != nil {
+		return err
+	}
+	if err := client.Challenge.SetDNS01Provider(Provider, dns01.AddRecursiveNameservers([]string{"223.6.6.6", "223.5.5.5"})); err != nil {
+		return err
+	}
+	if legouser.Registration == nil {
+		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return err
+		}
+		legouser.Registration = reg
+		c.SaveUserData(legouser)
+	}
+	c.Client = client
+	return nil
+}
+
+func (c *LeGoClient) GetCert(domain string) error {
+	// 申请证书
+	certificates, err := c.Client.Certificate.Obtain(
+		certificate.ObtainRequest{
+			Domains: []string{domain},
+			Bundle:  true,
+		})
+	if err != nil {
+		return err
+	}
+	c.Cert = certificates
+	// 保存证书
+	if err := c.SaveCert(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *LeGoClient) RenewCert(certFile, keyFile string) error {
+	cert, err := os.ReadFile(certFile)
+	if err != nil {
+		return err
+	}
+	key, err := os.ReadFile(keyFile)
+	if err != nil {
+		return err
+	}
+	// 续期证书
+	renewcert, err := c.Client.Certificate.Renew(certificate.Resource{
+		Certificate: cert,
+		PrivateKey:  key,
+	}, true, false, "")
+	if err != nil {
+		return err
+	}
+	c.Cert = renewcert
+	// 保存更新证书
+	if err := c.SaveCert(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *LeGoClient) SaveCert() error {
+	err := os.WriteFile(base.Cfg.CertFile, c.Cert.Certificate, 0600)
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(base.Cfg.CertKey, c.Cert.PrivateKey, 0600)
+	if err != nil {
+		return err
+	}
+	if tlscert, _, err := ParseCert(); err != nil {
+		return err
+	} else {
+		LoadCertificate(tlscert)
+	}
+	return nil
+}
+
+func ParseCert() (*tls.Certificate, *time.Time, error) {
+	_, errCert := os.Stat(base.Cfg.CertFile)
+	_, errKey := os.Stat(base.Cfg.CertKey)
+	if os.IsNotExist(errCert) || os.IsNotExist(errKey) {
+		err := PrivateCert()
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+	cert, err := tls.LoadX509KeyPair(base.Cfg.CertFile, base.Cfg.CertKey)
+	if err != nil || errors.Is(err, os.ErrNotExist) {
+		PrivateCert()
+		return nil, nil, err
+	}
+	parseCert, err := x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return nil, nil, err
+	}
+	return &cert, &parseCert.NotAfter, nil
+}
+
+func PrivateCert() error {
+	// 创建一个RSA密钥对
+	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
+	pub := &priv.PublicKey
+
+	// 生成一个自签名证书
+	template := x509.Certificate{
+		SerialNumber:          big.NewInt(1658),
+		Subject:               pkix.Name{CommonName: "localhost"},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(time.Hour * 24 * 365),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           []net.IP{},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+	if err != nil {
+		return err
+	}
+
+	// 将证书编码为PEM格式并将其写入文件
+	certOut, _ := os.OpenFile(base.Cfg.CertFile, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
+	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	certOut.Close()
+
+	// 将私钥编码为PEM格式并将其写入文件
+	keyOut, _ := os.OpenFile(base.Cfg.CertKey, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+	keyOut.Close()
+	cert, err := tls.LoadX509KeyPair(base.Cfg.CertFile, base.Cfg.CertKey)
+	if err != nil {
+		return err
+	}
+	LoadCertificate(&cert)
+	return nil
+}
+
+func getTempCertificate() (*tls.Certificate, error) {
+	var err error
+	var cert tls.Certificate
+	if tempCert == nil {
+		cert, err = selfsign.GenerateSelfSignedWithDNS("localhost")
+		tempCert = &cert
+	}
+	return tempCert, err
+}
+
+func GetCertificateBySNI(commonName string) (*tls.Certificate, error) {
+	ntcMux.RLock()
+	defer ntcMux.RUnlock()
+
+	// Copy from tls.Config getCertificate()
+	name := strings.ToLower(commonName)
+	if cert, ok := nameToCertificate[name]; ok {
+		return cert, nil
+	}
+	if len(name) > 0 {
+		labels := strings.Split(name, ".")
+		labels[0] = "*"
+		wildcardName := strings.Join(labels, ".")
+		if cert, ok := nameToCertificate[wildcardName]; ok {
+			return cert, nil
+		}
+	}
+	// TODO 默认证书 兼容不支持 SNI 的客户端
+	if cert, ok := nameToCertificate["default"]; ok {
+		return cert, nil
+	}
+
+	return getTempCertificate()
+}
+
+func LoadCertificate(cert *tls.Certificate) {
+	buildNameToCertificate(cert)
+}
+
+// Copy from tls.Config BuildNameToCertificate()
+func buildNameToCertificate(cert *tls.Certificate) {
+	ntcMux.Lock()
+	defer ntcMux.Unlock()
+
+	// TODO 设置默认证书
+	nameToCertificate["default"] = cert
+
+	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return
+	}
+	startTime := x509Cert.NotBefore.String()
+	expiredTime := x509Cert.NotAfter.String()
+	if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 {
+		commonName := x509Cert.Subject.CommonName
+		fmt.Printf("┏ Load Certificate: %s\n", commonName)
+		fmt.Printf("┠╌╌ Start Time:     %s\n", startTime)
+		fmt.Printf("┖╌╌ Expired Time:   %s\n", expiredTime)
+		nameToCertificate[commonName] = cert
+	}
+	for _, san := range x509Cert.DNSNames {
+		fmt.Printf("┏ Load Certificate: %s\n", san)
+		fmt.Printf("┠╌╌ Start Time:     %s\n", startTime)
+		fmt.Printf("┖╌╌ Expired Time:   %s\n", expiredTime)
+		nameToCertificate[san] = cert
+	}
+}
+
+// func Scrypt(passwd string) string {
+// 	salt := []byte{0xc8, 0x28, 0xf2, 0x58, 0xa7, 0x6a, 0xad, 0x7b}
+// 	hashPasswd, err := scrypt.Key([]byte(passwd), salt, 1<<15, 8, 1, 32)
+// 	if err != nil {
+// 		return err.Error()
+// 	}
+// 	return base64.StdEncoding.EncodeToString(hashPasswd)
+// }

server/dbdata/db.go

@@ -3,67 +3,173 @@ package dbdata
 import (
 	"time"
 
-	"github.com/asdine/storm/v3"
-	"github.com/asdine/storm/v3/codec/json"
 	"github.com/bjdgyc/anylink/base"
-	bolt "go.etcd.io/bbolt"
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/lib/pq"
+	_ "github.com/mattn/go-sqlite3"
+	"xorm.io/xorm"
 )
 
 var (
-	sdb *storm.DB
+	xdb *xorm.Engine
 )
 
+func GetXdb() *xorm.Engine {
+	return xdb
+}
+
 func initDb() {
 	var err error
-	sdb, err = storm.Open(base.Cfg.DbFile, storm.Codec(json.Codec),
+	xdb, err = xorm.NewEngine(base.Cfg.DbType, base.Cfg.DbSource)
-		storm.BoltOptions(0600, &bolt.Options{Timeout: 10 * time.Second}))
+	// 初始化xorm时区
+	xdb.DatabaseTZ = time.Local
+	xdb.TZLocation = time.Local
 	if err != nil {
 		base.Fatal(err)
 	}
 
+	if base.Cfg.ShowSQL {
+		xdb.ShowSQL(true)
+	}
+
 	// 初始化数据库
-	err = sdb.Init(&User{})
+	err = xdb.Sync2(&User{}, &Setting{}, &Group{}, &IpMap{}, &AccessAudit{}, &Policy{}, &StatsNetwork{}, &StatsCpu{}, &StatsMem{}, &StatsOnline{}, &UserActLog{})
 	if err != nil {
 		base.Fatal(err)
 	}
 
-	// fmt.Println("s1")
+	// fmt.Println("s1=============", err)
 }
 
 func initData() {
 	var (
-		err     error
+		err error
-		install bool
 	)
 
 	// 判断是否初次使用
-	err = Get(SettingBucket, Installed, &install)
+	install := &SettingInstall{}
-	if err == nil && install {
+	err = SettingGet(install)
+
+	if err == nil && install.Installed {
 		// 已经安装过
 		return
 	}
 
-	defer func() {
+	// 发生错误
-		_ = Set(SettingBucket, Installed, true)
+	if err != ErrNotFound {
-	}()
+		base.Fatal(err)
-
-	smtp := &SettingSmtp{
-		Host: "127.0.0.1",
-		Port: 25,
-		From: "vpn@xx.com",
 	}
-	_ = SettingSet(smtp)
 
-	other := &SettingOther{
+	err = addInitData()
-		Banner:      "您已接入公司网络，请按照公司规定使用。\n请勿进行非工作下载及视频行为！",
+	if err != nil {
-		AccountMail: accountMail,
+		base.Fatal(err)
 	}
-	_ = SettingSet(other)
 
 }
 
+func addInitData() error {
+	var (
+		err error
+	)
+
+	sess := xdb.NewSession()
+	defer sess.Close()
+
+	err = sess.Begin()
+	if err != nil {
+		return err
+	}
+
+	// SettingSmtp
+	smtp := &SettingSmtp{
+		Host:       "127.0.0.1",
+		Port:       25,
+		From:       "vpn@xx.com",
+		Encryption: "None",
+	}
+	err = SettingSessAdd(sess, smtp)
+	if err != nil {
+		return err
+	}
+
+	// SettingAuditLog
+	auditLog := SettingGetAuditLogDefault()
+	err = SettingSessAdd(sess, auditLog)
+	if err != nil {
+		return err
+	}
+
+	// SettingDnsProvider
+	provider := &SettingLetsEncrypt{
+		Domain:      "vpn.xxx.com",
+		Legomail:    "legomail",
+		Name:        "aliyun",
+		Renew:       false,
+		DNSProvider: DNSProvider{},
+	}
+	err = SettingSessAdd(sess, provider)
+	if err != nil {
+		return err
+	}
+	// LegoUser
+	legouser := &LegoUserData{}
+	err = SettingSessAdd(sess, legouser)
+	if err != nil {
+		return err
+	}
+	// SettingOther
+	other := &SettingOther{
+		LinkAddr:    "vpn.xx.com",
+		Banner:      "您已接入公司网络，请按照公司规定使用。\n请勿进行非工作下载及视频行为！",
+		Homeindex:   "AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同时在线使用。",
+		AccountMail: accountMail,
+	}
+	err = SettingSessAdd(sess, other)
+	if err != nil {
+		return err
+	}
+
+	// Install
+	install := &SettingInstall{Installed: true}
+	err = SettingSessAdd(sess, install)
+	if err != nil {
+		return err
+	}
+
+	err = sess.Commit()
+	if err != nil {
+		return err
+	}
+
+	g1 := Group{
+		Name:         "all",
+		AllowLan:     true,
+		ClientDns:    []ValData{{Val: "114.114.114.114"}},
+		RouteInclude: []ValData{{Val: All}},
+		Status:       1,
+	}
+	err = SetGroup(&g1)
+	if err != nil {
+		return err
+	}
+
+	g2 := Group{
+		Name:         "ops",
+		AllowLan:     true,
+		ClientDns:    []ValData{{Val: "114.114.114.114"}},
+		RouteInclude: []ValData{{Val: "10.0.0.0/8"}},
+		Status:       1,
+	}
+	err = SetGroup(&g2)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func CheckErrNotFound(err error) bool {
-	return err == storm.ErrNotFound
+	return err == ErrNotFound
 }
 
 const accountMail = `<p>您好:</p>
@@ -73,15 +179,19 @@ const accountMail = `<p>您好:</p>
     用户组: <b>{{.Group}}</b> <br/>
     用户名: <b>{{.Username}}</b> <br/>
     用户PIN码: <b>{{.PinCode}}</b> <br/>
+    <!-- 
     用户动态码(3天后失效):<br/>
     <img src="{{.OtpImg}}"/>
+    -->
+    用户动态码(请妥善保存):<br/>
+    <img src="{{.OtpImgBase64}}"/>
 </p>
 <div>
     使用说明:
     <ul>
         <li>请使用OTP软件扫描动态码二维码</li>
         <li>然后使用anyconnect客户端进行登陆</li>
-        <li>登陆密码为 【PIN码+动态码】</li>
+        <li>登陆密码为 【PIN码+动态码】(中间没有+号)</li>
     </ul>
 </div>
 <p>

server/dbdata/db_orm.go

@@ -1,66 +1,114 @@
 package dbdata
 
-import "github.com/asdine/storm/v3/index"
+import (
+	"errors"
+	"reflect"
+
+	"xorm.io/xorm"
+)
 
 const PageSize = 10
 
-func Save(data interface{}) error {
+var ErrNotFound = errors.New("ErrNotFound")
-	return sdb.Save(data)
+
+func Add(data interface{}) error {
+	_, err := xdb.InsertOne(data)
+	return err
 }
 
-func Update(data interface{}) error {
+func AddBatch(data interface{}) error {
-	return sdb.Update(data)
+	_, err := xdb.Insert(data)
+	return err
 }
 
-func UpdateField(data interface{}, fieldName string, value interface{}) error {
+func Update(fieldName string, value interface{}, data interface{}) error {
-	return sdb.UpdateField(data, fieldName, value)
+	_, err := xdb.Where(fieldName+"=?", value).Update(data)
+	return err
 }
 
 func Del(data interface{}) error {
-	return sdb.DeleteStruct(data)
+	_, err := xdb.Delete(data)
+	return err
 }
 
-func Set(bucket, key string, data interface{}) error {
+func extract(data interface{}, fieldName string) interface{} {
-	return sdb.Set(bucket, key, data)
+	ref := reflect.ValueOf(data)
+	r := &ref
+	if r.Kind() == reflect.Ptr {
+		e := r.Elem()
+		r = &e
+	}
+	field := r.FieldByName(fieldName).Interface()
+	return field
 }
 
-func Get(bucket, key string, data interface{}) error {
+// 更新全部字段
-	return sdb.Get(bucket, key, data)
+func Set(data interface{}) error {
+	id := extract(data, "Id")
+	_, err := xdb.ID(id).AllCols().Update(data)
+	return err
+}
+
+func One(fieldName string, value interface{}, data interface{}) error {
+	has, err := xdb.Where(fieldName+"=?", value).Get(data)
+	if err != nil {
+		return err
+	}
+	if !has {
+		return ErrNotFound
+	}
+
+	return nil
 }
 
 func CountAll(data interface{}) int {
-	n, _ := sdb.Count(data)
+	n, _ := xdb.Count(data)
-	return n
+	return int(n)
 }
 
-func One(fieldName string, value interface{}, to interface{}) error {
+func Find(data interface{}, limit, page int) error {
-	return sdb.One(fieldName, value, to)
+	if limit == 0 {
-}
+		return xdb.Find(data)
-
-func Find(fieldName string, value interface{}, to interface{}, options ...func(q *index.Options)) error {
-	return sdb.Find(fieldName, value, to, options...)
-}
-
-func All(to interface{}, limit, page int) error {
-	opt := getOpt(limit, page)
-	return sdb.All(to, opt)
-}
-
-func Prefix(fieldName string, prefix string, to interface{}, limit, page int) error {
-	opt := getOpt(limit, page)
-	return sdb.Prefix(fieldName, prefix, to, opt)
-}
-
-func getOpt(limit, page int) func(*index.Options) {
-	skip := (page - 1) * limit
-	opt := func(opt *index.Options) {
-		opt.Reverse = true
-		if limit > 0 {
-			opt.Limit = limit
-		}
-		if skip > 0 {
-			opt.Skip = skip
-		}
 	}
-	return opt
+
+	start := (page - 1) * limit
+	return xdb.Limit(limit, start).Find(data)
+}
+
+func FindWhereCount(data interface{}, where string, args ...interface{}) int {
+	n, _ := xdb.Where(where, args...).Count(data)
+	return int(n)
+}
+
+func FindWhere(data interface{}, limit int, page int, where string, args ...interface{}) error {
+	if limit == 0 {
+		return xdb.Where(where, args...).Find(data)
+	}
+
+	start := (page - 1) * limit
+	return xdb.Where(where, args...).Limit(limit, start).Find(data)
+}
+
+func CountPrefix(fieldName string, prefix string, data interface{}) int {
+	n, _ := xdb.Where(fieldName+" like ?", prefix+"%").Count(data)
+	return int(n)
+}
+
+func Prefix(fieldName string, prefix string, data interface{}, limit, page int) error {
+	where := xdb.Where(fieldName+" like ?", prefix+"%")
+	if limit == 0 {
+		return where.Find(data)
+	}
+
+	start := (page - 1) * limit
+	return where.Limit(limit, start).Find(data)
+}
+
+func FindAndCount(session *xorm.Session, data interface{}, limit, page int) (int64, error) {
+	if limit == 0 {
+		return session.FindAndCount(data)
+	}
+	start := (page - 1) * limit
+	totalCount, err := session.Limit(limit, start).FindAndCount(data)
+	return totalCount, err
 }

server/dbdata/db_test.go

@@ -11,12 +11,13 @@ import (
 
 func preIpData() {
 	tmpDb := path.Join(os.TempDir(), "anylink_test.db")
-	base.Cfg.DbFile = tmpDb
+	base.Cfg.DbType = "sqlite3"
+	base.Cfg.DbSource = tmpDb
 	initDb()
 }
 
 func closeIpdata() {
-	sdb.Close()
+	xdb.Close()
 	tmpDb := path.Join(os.TempDir(), "anylink_test.db")
 	os.Remove(tmpDb)
 }
@@ -27,7 +28,7 @@ func TestDb(t *testing.T) {
 	defer closeIpdata()
 
 	u := User{Username: "a"}
-	err := Save(&u)
+	err := Add(&u)
 	ast.Nil(err)
 
 	ast.Equal(u.Id, 1)

server/dbdata/group.go

@@ -4,16 +4,24 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"regexp"
+	"strings"
 	"time"
 
 	"github.com/bjdgyc/anylink/base"
+	"golang.org/x/text/language"
+	"golang.org/x/text/message"
 )
 
 const (
 	Allow = "allow"
 	Deny  = "deny"
+	All   = "all"
 )
 
+// 域名分流最大字符2万
+const DsMaxLen = 20000
+
 type GroupLinkAcl struct {
 	// 自上而下匹配 默认 allow * *
 	Action string     `json:"action"` // allow、deny
@@ -29,24 +37,32 @@ type ValData struct {
 	Note   string `json:"note"`
 }
 
-type Group struct {
+type GroupNameId struct {
-	Id           int            `json:"id" storm:"id,increment"`
+	Id   int    `json:"id"`
-	Name         string         `json:"name" storm:"unique"`
+	Name string `json:"name"`
-	Note         string         `json:"note"`
-	AllowLan     bool           `json:"allow_lan"`
-	ClientDns    []ValData      `json:"client_dns"`
-	RouteInclude []ValData      `json:"route_include"`
-	RouteExclude []ValData      `json:"route_exclude"`
-	LinkAcl      []GroupLinkAcl `json:"link_acl"`
-	Bandwidth    int            `json:"bandwidth"` // 带宽限制
-	Status       int8           `json:"status"`    // 1正常
-	CreatedAt    time.Time      `json:"created_at"`
-	UpdatedAt    time.Time      `json:"updated_at"`
 }
 
+// type Group struct {
+// 	Id               int                    `json:"id" xorm:"pk autoincr not null"`
+// 	Name             string                 `json:"name" xorm:"varchar(60) not null unique"`
+// 	Note             string                 `json:"note" xorm:"varchar(255)"`
+// 	AllowLan         bool                   `json:"allow_lan" xorm:"Bool"`
+// 	ClientDns        []ValData              `json:"client_dns" xorm:"Text"`
+// 	RouteInclude     []ValData              `json:"route_include" xorm:"Text"`
+// 	RouteExclude     []ValData              `json:"route_exclude" xorm:"Text"`
+// 	DsExcludeDomains string                 `json:"ds_exclude_domains" xorm:"Text"`
+// 	DsIncludeDomains string                 `json:"ds_include_domains" xorm:"Text"`
+// 	LinkAcl          []GroupLinkAcl         `json:"link_acl" xorm:"Text"`
+// 	Bandwidth        int                    `json:"bandwidth" xorm:"Int"`                           // 带宽限制
+// 	Auth             map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(255)"` // 认证方式
+// 	Status           int8                   `json:"status" xorm:"Int"`                              // 1正常
+// 	CreatedAt        time.Time              `json:"created_at" xorm:"DateTime created"`
+// 	UpdatedAt        time.Time              `json:"updated_at" xorm:"DateTime updated"`
+// }
+
 func GetGroupNames() []string {
 	var datas []Group
-	err := All(&datas, 0, 0)
+	err := Find(&datas, 0, 0)
 	if err != nil {
 		base.Error(err)
 		return nil
@@ -58,6 +74,34 @@ func GetGroupNames() []string {
 	return names
 }
 
+func GetGroupNamesNormal() []string {
+	var datas []Group
+	err := FindWhere(&datas, 0, 0, "status=1")
+	if err != nil {
+		base.Error(err)
+		return nil
+	}
+	var names []string
+	for _, v := range datas {
+		names = append(names, v.Name)
+	}
+	return names
+}
+
+func GetGroupNamesIds() []GroupNameId {
+	var datas []Group
+	err := Find(&datas, 0, 0)
+	if err != nil {
+		base.Error(err)
+		return nil
+	}
+	var names []GroupNameId
+	for _, v := range datas {
+		names = append(names, GroupNameId{Id: v.Id, Name: v.Name})
+	}
+	return names
+}
+
 func SetGroup(g *Group) error {
 	var err error
 	if g.Name == "" {
@@ -65,25 +109,26 @@ func SetGroup(g *Group) error {
 	}
 
 	// 判断数据
-	clientDns := []ValData{}
-	for _, v := range g.ClientDns {
-		if v.Val != "" {
-			clientDns = append(clientDns, v)
-		}
-	}
-	if len(clientDns) == 0 {
-		return errors.New("DNS 错误")
-	}
-	g.ClientDns = clientDns
-
 	routeInclude := []ValData{}
 	for _, v := range g.RouteInclude {
 		if v.Val != "" {
-			ipMask, _, err := parseIpNet(v.Val)
+			if v.Val == All {
+				routeInclude = append(routeInclude, v)
+				continue
+			}
+
+			ipMask, ipNet, err := parseIpNet(v.Val)
+
 			if err != nil {
 				return errors.New("RouteInclude 错误" + err.Error())
 			}
 
+			// 给Mac系统下发路由时，必须是标准的网络地址
+			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
+				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
+				return errors.New(errMsg)
+			}
+
 			v.IpMask = ipMask
 			routeInclude = append(routeInclude, v)
 		}
@@ -92,10 +137,16 @@ func SetGroup(g *Group) error {
 	routeExclude := []ValData{}
 	for _, v := range g.RouteExclude {
 		if v.Val != "" {
-			ipMask, _, err := parseIpNet(v.Val)
+			ipMask, ipNet, err := parseIpNet(v.Val)
 			if err != nil {
 				return errors.New("RouteExclude 错误" + err.Error())
 			}
+
+			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
+				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
+				return errors.New(errMsg)
+			}
+
 			v.IpMask = ipMask
 			routeExclude = append(routeExclude, v)
 		}
@@ -115,9 +166,90 @@ func SetGroup(g *Group) error {
 	}
 	g.LinkAcl = linkAcl
 
-	g.UpdatedAt = time.Now()
+	// DNS 判断
-	err = Save(g)
+	clientDns := []ValData{}
+	for _, v := range g.ClientDns {
+		if v.Val != "" {
+			ip := net.ParseIP(v.Val)
+			if ip.String() != v.Val {
+				return errors.New("DNS IP 错误")
+			}
+			clientDns = append(clientDns, v)
+		}
+	}
+	// 是否默认路由
+	isDefRoute := len(routeInclude) == 0 || (len(routeInclude) == 1 && routeInclude[0].Val == "all")
+	if isDefRoute && len(clientDns) == 0 {
+		return errors.New("默认路由，必须设置一个DNS")
+	}
+	g.ClientDns = clientDns
+	// 域名拆分隧道，不能同时填写
+	g.DsIncludeDomains = strings.TrimSpace(g.DsIncludeDomains)
+	g.DsExcludeDomains = strings.TrimSpace(g.DsExcludeDomains)
+	if g.DsIncludeDomains != "" && g.DsExcludeDomains != "" {
+		return errors.New("包含/排除域名不能同时填写")
+	}
+	// 校验包含域名的格式
+	err = CheckDomainNames(g.DsIncludeDomains)
+	if err != nil {
+		return errors.New("包含域名有误：" + err.Error())
+	}
+	// 校验排除域名的格式
+	err = CheckDomainNames(g.DsExcludeDomains)
+	if err != nil {
+		return errors.New("排除域名有误：" + err.Error())
+	}
+	if isDefRoute && g.DsIncludeDomains != "" {
+		return errors.New("默认路由, 不允许设置\"包含域名\", 请重新配置")
+	}
+	// 处理登入方式的逻辑
+	defAuth := map[string]interface{}{
+		"type": "local",
+	}
+	if len(g.Auth) == 0 {
+		g.Auth = defAuth
+	}
+	authType := g.Auth["type"].(string)
+	if authType == "local" {
+		g.Auth = defAuth
+	} else {
+		if _, ok := authRegistry[authType]; !ok {
+			return errors.New("未知的认证方式: " + authType)
+		}
+		auth := makeInstance(authType).(IUserAuth)
+		err = auth.checkData(g.Auth)
+		if err != nil {
+			return err
+		}
+		// 重置Auth， 删除多余的key
+		g.Auth = map[string]interface{}{
+			"type":   authType,
+			authType: g.Auth[authType],
+		}
+	}
 
+	g.UpdatedAt = time.Now()
+	if g.Id > 0 {
+		err = Set(g)
+	} else {
+		err = Add(g)
+	}
+
+	return err
+}
+
+func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
+	g := &Group{Auth: authData}
+	authType := g.Auth["type"].(string)
+	if _, ok := authRegistry[authType]; !ok {
+		return errors.New("未知的认证方式: " + authType)
+	}
+	auth := makeInstance(authType).(IUserAuth)
+	err := auth.checkData(g.Auth)
+	if err != nil {
+		return err
+	}
+	err = auth.checkUser(name, pwd, g)
 	return err
 }
 
@@ -132,3 +264,30 @@ func parseIpNet(s string) (string, *net.IPNet, error) {
 
 	return ipMask, ipNet, nil
 }
+
+func CheckDomainNames(domains string) error {
+	if domains == "" {
+		return nil
+	}
+	strLen := 0
+	str_slice := strings.Split(domains, ",")
+	for _, val := range str_slice {
+		if val == "" {
+			return errors.New(val + " 请以逗号分隔域名")
+		}
+		if !ValidateDomainName(val) {
+			return errors.New(val + " 域名有误")
+		}
+		strLen += len(val)
+	}
+	if strLen > DsMaxLen {
+		p := message.NewPrinter(language.English)
+		return fmt.Errorf("字符长度超出限制，最大%s个(不包含逗号), 请删减一些域名", p.Sprintf("%d", DsMaxLen))
+	}
+	return nil
+}
+
+func ValidateDomainName(domain string) bool {
+	RegExp := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}$`)
+	return RegExp.MatchString(domain)
+}

server/dbdata/group_test.go

@@ -24,10 +24,52 @@ func TestGetGroupNames(t *testing.T) {
 	err = SetGroup(&g3)
 	ast.Nil(err)
 
+	authData := map[string]interface{}{
+		"type": "radius",
+		"radius": map[string]string{
+			"addr":   "192.168.8.12:1044",
+			"secret": "43214132",
+		},
+	}
+	g4 := Group{Name: "g4", ClientDns: []ValData{{Val: "114.114.114.114"}}, Auth: authData}
+	err = SetGroup(&g4)
+	ast.Nil(err)
+	g5 := Group{Name: "g5", ClientDns: []ValData{{Val: "114.114.114.114"}}, DsIncludeDomains: "baidu.com,163.com"}
+	err = SetGroup(&g5)
+	if ast.NotNil(err) {
+		ast.Equal("默认路由, 不允许设置\"包含域名\", 请重新配置", err.Error())
+	}
+	g6 := Group{Name: "g6", ClientDns: []ValData{{Val: "114.114.114.114"}}, DsExcludeDomains: "com.cn,qq.com"}
+	err = SetGroup(&g6)
+	ast.Nil(err)
+
+	authData = map[string]interface{}{
+		"type": "ldap",
+		"ldap": map[string]interface{}{
+			"addr":         "192.168.8.12:389",
+			"tls":          true,
+			"bind_name":    "userfind@abc.com",
+			"bind_pwd":     "afdbfdsafds",
+			"base_dn":      "dc=abc,dc=com",
+			"object_class": "person",
+			"search_attr":  "sAMAccountName",
+			"member_of":    "cn=vpn,cn=user,dc=abc,dc=com",
+		},
+	}
+	g7 := Group{Name: "g7", ClientDns: []ValData{{Val: "114.114.114.114"}}, Auth: authData}
+	err = SetGroup(&g7)
+	ast.Nil(err)
+
 	// 判断所有数据
-	gAll := []string{"g1", "g2", "g3"}
+	gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6", "g7"}
 	gs := GetGroupNames()
 	for _, v := range gs {
 		ast.Equal(true, utils.InArrStr(gAll, v))
 	}
+
+	gni := GetGroupNamesIds()
+	for _, v := range gni {
+		ast.NotEqual(0, v.Id)
+		ast.Equal(true, utils.InArrStr(gAll, v.Name))
+	}
 }

server/dbdata/ip_map.go

@@ -1,18 +1,43 @@
 package dbdata
 
 import (
+	"errors"
 	"net"
 	"time"
 )
 
 type IpMap struct {
-	Id        int       `json:"id" storm:"id,increment"`
+	Id        int       `json:"id" xorm:"pk autoincr not null"`
-	IpAddr    net.IP    `json:"ip_addr" storm:"unique"`
+	IpAddr    string    `json:"ip_addr" xorm:"varchar(32) not null unique"`
-	MacAddr   string    `json:"mac_addr" storm:"unique"`
+	MacAddr   string    `json:"mac_addr" xorm:"varchar(32) not null unique"`
-	Username  string    `json:"username"`
+	UniqueMac bool      `json:"unique_mac" xorm:"Bool index"`
-	Keep      bool      `json:"keep"` // 保留 ip-mac 绑定
+	Username  string    `json:"username" xorm:"varchar(60)"`
-	KeepTime  time.Time `json:"keep_time"`
+	Keep      bool      `json:"keep" xorm:"Bool"` // 保留 ip-mac 绑定
-	Note      string    `json:"note"` // 备注
+	KeepTime  time.Time `json:"keep_time" xorm:"DateTime"`
-	LastLogin time.Time `json:"last_login"`
+	Note      string    `json:"note" xorm:"varchar(255)"` // 备注
-	UpdatedAt time.Time `json:"updated_at"`
+	LastLogin time.Time `json:"last_login" xorm:"DateTime"`
+	UpdatedAt time.Time `json:"updated_at" xorm:"DateTime updated"`
+}
+
+func SetIpMap(v *IpMap) error {
+	var err error
+
+	if len(v.IpAddr) < 4 || len(v.MacAddr) < 6 {
+		return errors.New("IP或MAC错误")
+	}
+
+	macHw, err := net.ParseMAC(v.MacAddr)
+	if err != nil {
+		return errors.New("MAC错误")
+	}
+	// 统一macAddr的格式
+	v.MacAddr = macHw.String()
+
+	v.UpdatedAt = time.Now()
+	if v.Id > 0 {
+		err = Set(v)
+	} else {
+		err = Add(v)
+	}
+	return err
 }

server/dbdata/policy.go

@@ -0,0 +1,112 @@
+package dbdata
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+)
+
+func GetPolicy(Username string) *Policy {
+	policyData := &Policy{}
+	err := One("Username", Username, policyData)
+	if err != nil {
+		return policyData
+	}
+	return policyData
+}
+
+func SetPolicy(p *Policy) error {
+	var err error
+	if p.Username == "" {
+		return errors.New("用户名错误")
+	}
+
+	// 包含路由
+	routeInclude := []ValData{}
+	for _, v := range p.RouteInclude {
+		if v.Val != "" {
+			if v.Val == All {
+				routeInclude = append(routeInclude, v)
+				continue
+			}
+
+			ipMask, ipNet, err := parseIpNet(v.Val)
+			if err != nil {
+				return errors.New("RouteInclude 错误" + err.Error())
+			}
+
+			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
+				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
+				return errors.New(errMsg)
+			}
+
+			v.IpMask = ipMask
+			routeInclude = append(routeInclude, v)
+		}
+	}
+	p.RouteInclude = routeInclude
+	// 排除路由
+	routeExclude := []ValData{}
+	for _, v := range p.RouteExclude {
+		if v.Val != "" {
+			ipMask, ipNet, err := parseIpNet(v.Val)
+			if err != nil {
+				return errors.New("RouteExclude 错误" + err.Error())
+			}
+
+			if strings.Split(ipMask, "/")[0] != ipNet.IP.String() {
+				errMsg := fmt.Sprintf("RouteInclude 错误: 网络地址错误，建议： %s 改为 %s", v.Val, ipNet)
+				return errors.New(errMsg)
+			}
+			v.IpMask = ipMask
+			routeExclude = append(routeExclude, v)
+		}
+	}
+	p.RouteExclude = routeExclude
+
+	// DNS 判断
+	clientDns := []ValData{}
+	for _, v := range p.ClientDns {
+		if v.Val != "" {
+			ip := net.ParseIP(v.Val)
+			if ip.String() != v.Val {
+				return errors.New("DNS IP 错误")
+			}
+			clientDns = append(clientDns, v)
+		}
+	}
+	if len(routeInclude) == 0 || (len(routeInclude) == 1 && routeInclude[0].Val == "all") {
+		if len(clientDns) == 0 {
+			return errors.New("默认路由，必须设置一个DNS")
+		}
+	}
+	p.ClientDns = clientDns
+
+	// 域名拆分隧道，不能同时填写
+	p.DsIncludeDomains = strings.TrimSpace(p.DsIncludeDomains)
+	p.DsExcludeDomains = strings.TrimSpace(p.DsExcludeDomains)
+	if p.DsIncludeDomains != "" && p.DsExcludeDomains != "" {
+		return errors.New("包含/排除域名不能同时填写")
+	}
+	// 校验包含域名的格式
+	err = CheckDomainNames(p.DsIncludeDomains)
+	if err != nil {
+		return errors.New("包含域名有误：" + err.Error())
+	}
+	// 校验排除域名的格式
+	err = CheckDomainNames(p.DsExcludeDomains)
+	if err != nil {
+		return errors.New("排除域名有误：" + err.Error())
+	}
+
+	p.UpdatedAt = time.Now()
+	if p.Id > 0 {
+		err = Set(p)
+	} else {
+		err = Add(p)
+	}
+
+	return err
+}

server/dbdata/policy_test.go

@@ -0,0 +1,45 @@
+package dbdata
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetPolicy(t *testing.T) {
+	ast := assert.New(t)
+
+	preIpData()
+	defer closeIpdata()
+
+	// 添加 Policy
+	p1 := Policy{Username: "a1", ClientDns: []ValData{{Val: "114.114.114.114"}}, DsExcludeDomains: "baidu.com,163.com"}
+	err := SetPolicy(&p1)
+	ast.Nil(err)
+
+	p2 := Policy{Username: "a2", ClientDns: []ValData{{Val: "114.114.114.114"}}, DsExcludeDomains: "com.cn,qq.com"}
+	err = SetPolicy(&p2)
+	ast.Nil(err)
+
+	route := []ValData{{Val: "192.168.1.0/24"}}
+	p3 := Policy{Username: "a3", ClientDns: []ValData{{Val: "114.114.114.114"}}, RouteInclude: route, DsExcludeDomains: "com.cn,qq.com"}
+	err = SetPolicy(&p3)
+	ast.Nil(err)
+	// 判断 IpMask
+	ast.Equal(p3.RouteInclude[0].IpMask, "192.168.1.0/255.255.255.0")
+
+	route2 := []ValData{{Val: "192.168.2.0/24"}}
+	p4 := Policy{Username: "a4", ClientDns: []ValData{{Val: "114.114.114.114"}}, RouteExclude: route2, DsIncludeDomains: "com.cn,qq.com"}
+	err = SetPolicy(&p4)
+	ast.Nil(err)
+	// 判断 IpMask
+	ast.Equal(p4.RouteExclude[0].IpMask, "192.168.2.0/255.255.255.0")
+
+	// 判断所有数据
+	var userPolicy *Policy
+	pAll := []string{"a1", "a2", "a3", "a4"}
+	for _, v := range pAll {
+		userPolicy = GetPolicy(v)
+		ast.NotEqual(userPolicy.Id, 0, "user policy id is zero")
+	}
+}

server/dbdata/setting.go

@@ -1,13 +1,37 @@
 package dbdata
 
 import (
+	"encoding/json"
 	"reflect"
+
+	"xorm.io/xorm"
 )
 
-const (
+type SettingInstall struct {
-	SettingBucket = "SettingBucket"
+	Installed bool `json:"installed"`
-	Installed     = "Installed"
+}
-)
+
+type SettingSmtp struct {
+	Host       string `json:"host"`
+	Port       int    `json:"port"`
+	Username   string `json:"username"`
+	Password   string `json:"password"`
+	From       string `json:"from"`
+	Encryption string `json:"encryption"`
+}
+
+type SettingAuditLog struct {
+	AuditInterval int    `json:"audit_interval"`
+	LifeDay       int    `json:"life_day"`
+	ClearTime     string `json:"clear_time"`
+}
+
+type SettingOther struct {
+	LinkAddr    string `json:"link_addr"`
+	Banner      string `json:"banner"`
+	Homeindex   string `json:"homeindex"`
+	AccountMail string `json:"account_mail"`
+}
 
 func StructName(data interface{}) string {
 	ref := reflect.ValueOf(data)
@@ -20,28 +44,56 @@ func StructName(data interface{}) string {
 	return name
 }
 
+func SettingSessAdd(sess *xorm.Session, data interface{}) error {
+	name := StructName(data)
+	v, _ := json.Marshal(data)
+	s := &Setting{Name: name, Data: v}
+	_, err := sess.InsertOne(s)
+	return err
+}
+
 func SettingSet(data interface{}) error {
-	key := StructName(data)
+	name := StructName(data)
-	err := Set(SettingBucket, key, data)
+	v, _ := json.Marshal(data)
+	s := &Setting{Data: v}
+	err := Update("name", name, s)
 	return err
 }
 
 func SettingGet(data interface{}) error {
-	key := StructName(data)
+	name := StructName(data)
-	err := Get(SettingBucket, key, data)
+	s := &Setting{}
+	err := One("name", name, s)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(s.Data, data)
 	return err
 }
 
-type SettingSmtp struct {
+func SettingGetAuditLog() (SettingAuditLog, error) {
-	Host     string `json:"host"`
+	data := SettingAuditLog{}
-	Port     int    `json:"port"`
+	err := SettingGet(&data)
-	Username string `json:"username"`
+	if err == nil {
-	Password string `json:"password"`
+		return data, err
-	From     string `json:"from"`
+	}
-	UseSSl   bool   `json:"use_ssl"`
+	if !CheckErrNotFound(err) {
+		return data, err
+	}
+	sess := xdb.NewSession()
+	defer sess.Close()
+	auditLog := SettingGetAuditLogDefault()
+	err = SettingSessAdd(sess, auditLog)
+	if err != nil {
+		return data, err
+	}
+	return auditLog, nil
 }
 
-type SettingOther struct {
+func SettingGetAuditLogDefault() SettingAuditLog {
-	Banner      string `json:"banner"`
+	auditLog := SettingAuditLog{
-	AccountMail string `json:"account_mail"`
+		LifeDay:   0,
+		ClearTime: "05:00",
+	}
+	return auditLog
 }

server/dbdata/start.go

@@ -6,5 +6,5 @@ func Start() {
 }
 
 func Stop() error {
-	return sdb.Close()
+	return xdb.Close()
 }

server/dbdata/statsinfo.go

@@ -0,0 +1,247 @@
+package dbdata
+
+import (
+	"container/list"
+	"errors"
+	"fmt"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/bjdgyc/anylink/base"
+)
+
+const (
+	LayoutTimeFormat    = "2006-01-02 15:04:05"
+	LayoutTimeFormatMin = "2006-01-02 15:04"
+	RealTimeMaxSize     = 120 // 实时数据最大保存条数
+)
+
+type StatsInfo struct {
+	RealtimeData map[string]*list.List
+	Actions      []string
+	Scopes       []string
+	mux          sync.Mutex
+}
+
+type ScopeDetail struct {
+	sTime   time.Time
+	eTime   time.Time
+	minutes int
+	fsTime  string
+	feTime  string
+}
+
+var StatsInfoIns *StatsInfo
+
+func init() {
+	StatsInfoIns = &StatsInfo{
+		Actions:      []string{"online", "network", "cpu", "mem"},
+		Scopes:       []string{"rt", "1h", "24h", "3d", "7d", "30d"},
+		RealtimeData: make(map[string]*list.List),
+	}
+	for _, v := range StatsInfoIns.Actions {
+		StatsInfoIns.RealtimeData[v] = list.New()
+	}
+}
+
+// 校验统计类型值
+func (s *StatsInfo) ValidAction(action string) bool {
+	for _, item := range s.Actions {
+		if item == action {
+			return true
+		}
+	}
+	return false
+}
+
+// 校验日期范围值
+func (s *StatsInfo) ValidScope(scope string) bool {
+	for _, item := range s.Scopes {
+		if item == scope {
+			return true
+		}
+	}
+	return false
+}
+
+// 设置实时统计数据
+func (s *StatsInfo) SetRealTime(action string, val interface{}) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	if s.RealtimeData[action].Len() >= RealTimeMaxSize {
+		ele := s.RealtimeData[action].Front()
+		s.RealtimeData[action].Remove(ele)
+	}
+	s.RealtimeData[action].PushBack(val)
+}
+
+// 获取实时统计数据
+func (s *StatsInfo) GetRealTime(action string) (res []interface{}) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	for e := s.RealtimeData[action].Front(); e != nil; e = e.Next() {
+		res = append(res, e.Value)
+	}
+	return
+}
+
+// 保存数据至数据库
+func (s *StatsInfo) SaveStatsInfo(so StatsOnline, sn StatsNetwork, sc StatsCpu, sm StatsMem) {
+	if so.Num != 0 {
+		_ = Add(so)
+	}
+	if sn.Up != 0 || sn.Down != 0 {
+		_ = Add(sn)
+	}
+	if sc.Percent != 0 {
+		_ = Add(sc)
+	}
+	if sm.Percent != 0 {
+		_ = Add(sm)
+	}
+}
+
+// 获取统计数据
+func (s *StatsInfo) GetData(action string, scope string) (res []interface{}, err error) {
+	if scope == "rt" {
+		return s.GetRealTime(action), nil
+	}
+	statsMaps := make(map[string]interface{})
+	currSec := fmt.Sprintf("%02d", time.Now().Second())
+
+	// 获取时间段数据
+	sd := s.getScopeDetail(scope)
+	timeList := s.getTimeList(sd)
+	res = make([]interface{}, len(timeList))
+
+	// 获取数据库查询条件
+	where := s.getStatsWhere(sd)
+	if where == "" {
+		return nil, errors.New("不支持的数据库类型: " + base.Cfg.DbType)
+	}
+	// 查询数据表
+	switch action {
+	case "online":
+		statsRes := []StatsOnline{}
+		FindWhere(&statsRes, 0, 0, where, sd.fsTime, sd.feTime)
+		for _, v := range statsRes {
+			t := v.CreatedAt.Format(LayoutTimeFormatMin)
+			statsMaps[t] = v
+		}
+	case "network":
+		statsRes := []StatsNetwork{}
+		FindWhere(&statsRes, 0, 0, where, sd.fsTime, sd.feTime)
+		for _, v := range statsRes {
+			t := v.CreatedAt.Format(LayoutTimeFormatMin)
+			statsMaps[t] = v
+		}
+	case "cpu":
+		statsRes := []StatsCpu{}
+		FindWhere(&statsRes, 0, 0, where, sd.fsTime, sd.feTime)
+		for _, v := range statsRes {
+			t := v.CreatedAt.Format(LayoutTimeFormatMin)
+			statsMaps[t] = v
+		}
+	case "mem":
+		statsRes := []StatsMem{}
+		FindWhere(&statsRes, 0, 0, where, sd.fsTime, sd.feTime)
+		for _, v := range statsRes {
+			t := v.CreatedAt.Format(LayoutTimeFormatMin)
+			statsMaps[t] = v
+		}
+	}
+	// 整合数据
+	for i, v := range timeList {
+		if mv, ok := statsMaps[v]; ok {
+			res[i] = mv
+			continue
+		}
+		t, _ := time.ParseInLocation(LayoutTimeFormat, v+":"+currSec, time.Local)
+		switch action {
+		case "online":
+			res[i] = StatsOnline{CreatedAt: t}
+		case "network":
+			res[i] = StatsNetwork{CreatedAt: t}
+		case "cpu":
+			res[i] = StatsCpu{CreatedAt: t}
+		case "mem":
+			res[i] = StatsMem{CreatedAt: t}
+		}
+	}
+	return
+}
+
+// 获取日期范围的明细值
+func (s *StatsInfo) getScopeDetail(scope string) (sd *ScopeDetail) {
+	sd = &ScopeDetail{}
+	t := time.Now()
+	sd.eTime = time.Date(t.Year(), t.Month(), t.Day(), t.Hour(), t.Minute(), 59, t.Nanosecond(), time.Local)
+	sd.minutes = 0
+	switch scope {
+	case "1h":
+		sd.sTime = sd.eTime.Add(-time.Minute * 60)
+		sd.minutes = 1
+	case "24h":
+		sd.sTime = sd.eTime.AddDate(0, 0, -1)
+		sd.minutes = 5
+	case "7d":
+		sd.sTime = sd.eTime.AddDate(0, 0, -7)
+		sd.minutes = 30
+	case "30d":
+		sd.sTime = sd.eTime.AddDate(0, 0, -30)
+		sd.minutes = 150
+	}
+	if sd.minutes != 0 {
+		sd.sTime = sd.sTime.Add(-time.Minute * time.Duration(sd.minutes))
+	}
+	sd.fsTime = sd.sTime.Format(LayoutTimeFormat)
+	sd.feTime = sd.eTime.Format(LayoutTimeFormat)
+	return
+}
+
+// 针对日期范围进行拆解
+func (s *StatsInfo) getTimeList(sd *ScopeDetail) []string {
+	subSec := int64(60 * sd.minutes)
+	count := (sd.eTime.Unix()-sd.sTime.Unix())/subSec - 1
+	eTime := sd.eTime.Unix() - subSec
+	timeLists := make([]string, count)
+	for i := count - 1; i >= 0; i-- {
+		timeLists[i] = time.Unix(eTime, 0).Format(LayoutTimeFormatMin)
+		eTime = eTime - subSec
+	}
+	return timeLists
+}
+
+// 获取where条件
+func (s *StatsInfo) getStatsWhere(sd *ScopeDetail) (where string) {
+	where = "created_at BETWEEN ? AND ?"
+	min := strconv.Itoa(sd.minutes)
+	switch base.Cfg.DbType {
+	case "mysql":
+		where += " AND floor(TIMESTAMPDIFF(SECOND, created_at, '" + sd.feTime + "') / 60) % " + min + " = 0"
+	case "sqlite3":
+		where += " AND CAST(ROUND((JULIANDAY('" + sd.feTime + "') - JULIANDAY(created_at)) * 86400) / 60 as integer) % " + min + " = 0"
+	case "postgres":
+		where += " AND floor((EXTRACT(EPOCH FROM " + sd.feTime + ") - EXTRACT(EPOCH FROM created_at)) / 60) % " + min + " = 0"
+	default:
+		where = ""
+	}
+	return
+}
+
+func (s *StatsInfo) ClearStatsInfo(action string, ts string) (affected int64, err error) {
+	switch action {
+	case "online":
+		affected, err = xdb.Where("created_at < '" + ts + "'").Delete(&StatsOnline{})
+	case "network":
+		affected, err = xdb.Where("created_at < '" + ts + "'").Delete(&StatsNetwork{})
+	case "cpu":
+		affected, err = xdb.Where("created_at < '" + ts + "'").Delete(&StatsCpu{})
+	case "mem":
+		affected, err = xdb.Where("created_at < '" + ts + "'").Delete(&StatsMem{})
+	}
+	return affected, err
+}

server/dbdata/statsinfo_test.go

@@ -0,0 +1,55 @@
+package dbdata
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestStatsInfo(t *testing.T) {
+	ast := assert.New(t)
+
+	preIpData()
+	defer closeIpdata()
+
+	ast.True(StatsInfoIns.ValidAction("online"))
+	ast.False(StatsInfoIns.ValidAction("diskio"))
+	ast.True(StatsInfoIns.ValidScope("30d"))
+	ast.False(StatsInfoIns.ValidScope("60d"))
+
+	up := uint32(100)
+	down := uint32(300)
+	upGroups := map[int]uint32{1: up}
+	downGroups := map[int]uint32{1: down}
+	numGroups := map[int]int{1: 5}
+	// online
+	numData, _ := json.Marshal(numGroups)
+	so := StatsOnline{Num: 1, NumGroups: string(numData)}
+	// network
+	upData, _ := json.Marshal(upGroups)
+	downData, _ := json.Marshal(downGroups)
+	sn := StatsNetwork{Up: up, Down: down, UpGroups: string(upData), DownGroups: string(downData)}
+	// cpu
+	sc := StatsCpu{Percent: 0.3}
+	// mem
+	sm := StatsMem{Percent: 24.50}
+
+	StatsInfoIns.SetRealTime("online", so)
+	StatsInfoIns.GetRealTime("online")
+	StatsInfoIns.SaveStatsInfo(so, sn, sc, sm)
+
+	var err error
+	_, err = StatsInfoIns.GetData("online", "1h")
+	ast.Nil(err)
+
+	_, err = StatsInfoIns.GetData("network", "1h")
+	ast.Nil(err)
+
+	_, err = StatsInfoIns.GetData("cpu", "1h")
+	ast.Nil(err)
+
+	_, err = StatsInfoIns.GetData("mem", "1h")
+	ast.Nil(err)
+
+}

server/dbdata/tables.go

@@ -0,0 +1,119 @@
+package dbdata
+
+import (
+	"encoding/json"
+	"time"
+)
+
+type Group struct {
+	Id               int                    `json:"id" xorm:"pk autoincr not null"`
+	Name             string                 `json:"name" xorm:"varchar(60) not null unique"`
+	Note             string                 `json:"note" xorm:"varchar(255)"`
+	AllowLan         bool                   `json:"allow_lan" xorm:"Bool"`
+	ClientDns        []ValData              `json:"client_dns" xorm:"Text"`
+	RouteInclude     []ValData              `json:"route_include" xorm:"Text"`
+	RouteExclude     []ValData              `json:"route_exclude" xorm:"Text"`
+	DsExcludeDomains string                 `json:"ds_exclude_domains" xorm:"Text"`
+	DsIncludeDomains string                 `json:"ds_include_domains" xorm:"Text"`
+	LinkAcl          []GroupLinkAcl         `json:"link_acl" xorm:"Text"`
+	Bandwidth        int                    `json:"bandwidth" xorm:"Int"`                           // 带宽限制
+	Auth             map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(500)"` // 认证方式
+	Status           int8                   `json:"status" xorm:"Int"`                              // 1正常
+	CreatedAt        time.Time              `json:"created_at" xorm:"DateTime created"`
+	UpdatedAt        time.Time              `json:"updated_at" xorm:"DateTime updated"`
+}
+
+type User struct {
+	Id       int    `json:"id" xorm:"pk autoincr not null"`
+	Username string `json:"username" xorm:"varchar(60) not null unique"`
+	Nickname string `json:"nickname" xorm:"varchar(255)"`
+	Email    string `json:"email" xorm:"varchar(255)"`
+	// Password  string    `json:"password"`
+	PinCode    string     `json:"pin_code" xorm:"varchar(32)"`
+	LimitTime  *time.Time `json:"limittime,omitempty" xorm:"Datetime limittime"` // 值为null时，前端不显示
+	OtpSecret  string     `json:"otp_secret" xorm:"varchar(255)"`
+	DisableOtp bool       `json:"disable_otp" xorm:"Bool"` // 禁用otp
+	Groups     []string   `json:"groups" xorm:"Text"`
+	Status     int8       `json:"status" xorm:"Int"` // 1正常
+	SendEmail  bool       `json:"send_email" xorm:"Bool"`
+	CreatedAt  time.Time  `json:"created_at" xorm:"DateTime created"`
+	UpdatedAt  time.Time  `json:"updated_at" xorm:"DateTime updated"`
+}
+
+type UserActLog struct {
+	Id              int       `json:"id" xorm:"pk autoincr not null"`
+	Username        string    `json:"username" xorm:"varchar(60)"`
+	GroupName       string    `json:"group_name" xorm:"varchar(60)"`
+	IpAddr          string    `json:"ip_addr" xorm:"varchar(32)"`
+	RemoteAddr      string    `json:"remote_addr" xorm:"varchar(32)"`
+	Os              uint8     `json:"os" xorm:"not null default 0 Int"`
+	Client          uint8     `json:"client" xorm:"not null default 0 Int"`
+	Version         string    `json:"version" xorm:"varchar(15)"`
+	DeviceType      string    `json:"device_type" xorm:"varchar(128) not null default ''"`
+	PlatformVersion string    `json:"platform_version" xorm:"varchar(128) not null default ''"`
+	Status          uint8     `json:"status" xorm:"not null default 0 Int"`
+	Info            string    `json:"info" xorm:"varchar(255) not null default ''"` // 详情
+	CreatedAt       time.Time `json:"created_at" xorm:"DateTime created"`
+}
+
+type Setting struct {
+	Id        int             `json:"id" xorm:"pk autoincr not null"`
+	Name      string          `json:"name" xorm:"varchar(60) not null unique"`
+	Data      json.RawMessage `json:"data" xorm:"Text"`
+	UpdatedAt time.Time       `json:"updated_at" xorm:"DateTime updated"`
+}
+
+type AccessAudit struct {
+	Id          int       `json:"id" xorm:"pk autoincr not null"`
+	Username    string    `json:"username" xorm:"varchar(60) not null"`
+	Protocol    uint8     `json:"protocol" xorm:"not null"`
+	Src         string    `json:"src" xorm:"varchar(60) not null"`
+	SrcPort     uint16    `json:"src_port" xorm:"not null"`
+	Dst         string    `json:"dst" xorm:"varchar(60) not null"`
+	DstPort     uint16    `json:"dst_port" xorm:"not null"`
+	AccessProto uint8     `json:"access_proto" xorm:"default 0"`                // 访问协议
+	Info        string    `json:"info" xorm:"varchar(255) not null default ''"` // 详情
+	CreatedAt   time.Time `json:"created_at" xorm:"DateTime"`
+}
+
+type Policy struct {
+	Id               int       `json:"id" xorm:"pk autoincr not null"`
+	Username         string    `json:"username" xorm:"varchar(60) not null unique"`
+	AllowLan         bool      `json:"allow_lan" xorm:"Bool"`
+	ClientDns        []ValData `json:"client_dns" xorm:"Text"`
+	RouteInclude     []ValData `json:"route_include" xorm:"Text"`
+	RouteExclude     []ValData `json:"route_exclude" xorm:"Text"`
+	DsExcludeDomains string    `json:"ds_exclude_domains" xorm:"Text"`
+	DsIncludeDomains string    `json:"ds_include_domains" xorm:"Text"`
+	Status           int8      `json:"status" xorm:"Int"` // 1正常 0 禁用
+	CreatedAt        time.Time `json:"created_at" xorm:"DateTime created"`
+	UpdatedAt        time.Time `json:"updated_at" xorm:"DateTime updated"`
+}
+
+type StatsOnline struct {
+	Id        int       `json:"id" xorm:"pk autoincr not null"`
+	Num       int       `json:"num" xorm:"Int"`
+	NumGroups string    `json:"num_groups" xorm:"varchar(500) not null"`
+	CreatedAt time.Time `json:"created_at" xorm:"DateTime created index"`
+}
+
+type StatsNetwork struct {
+	Id         int       `json:"id" xorm:"pk autoincr not null"`
+	Up         uint32    `json:"up" xorm:"Int"`
+	Down       uint32    `json:"down" xorm:"Int"`
+	UpGroups   string    `json:"up_groups" xorm:"varchar(500) not null"`
+	DownGroups string    `json:"down_groups" xorm:"varchar(500) not null"`
+	CreatedAt  time.Time `json:"created_at" xorm:"DateTime created index"`
+}
+
+type StatsCpu struct {
+	Id        int       `json:"id" xorm:"pk autoincr not null"`
+	Percent   float64   `json:"percent" xorm:"Float"`
+	CreatedAt time.Time `json:"created_at" xorm:"DateTime created index"`
+}
+
+type StatsMem struct {
+	Id        int       `json:"id" xorm:"pk autoincr not null"`
+	Percent   float64   `json:"percent" xorm:"Float"`
+	CreatedAt time.Time `json:"created_at" xorm:"DateTime created index"`
+}

server/dbdata/user.go

@@ -10,21 +10,21 @@ import (
 	"github.com/xlzd/gotp"
 )
 
-type User struct {
+// type User struct {
-	Id       int    `json:"id" storm:"id,increment"`
+// 	Id       int    `json:"id"  xorm:"pk autoincr not null"`
-	Username string `json:"username" storm:"unique"`
+// 	Username string `json:"username" storm:"not null unique"`
-	Nickname string `json:"nickname"`
+// 	Nickname string `json:"nickname"`
-	Email    string `json:"email"`
+// 	Email    string `json:"email"`
-	// Password  string    `json:"password"`
+// 	// Password  string    `json:"password"`
-	PinCode    string    `json:"pin_code"`
+// 	PinCode    string    `json:"pin_code"`
-	OtpSecret  string    `json:"otp_secret"`
+// 	OtpSecret  string    `json:"otp_secret"`
-	DisableOtp bool      `json:"disable_otp"` // 禁用otp
+// 	DisableOtp bool      `json:"disable_otp"` // 禁用otp
-	Groups     []string  `json:"groups"`
+// 	Groups     []string  `json:"groups"`
-	Status     int8      `json:"status"` // 1正常
+// 	Status     int8      `json:"status"` // 1正常
-	SendEmail  bool      `json:"send_email"`
+// 	SendEmail  bool      `json:"send_email"`
-	CreatedAt  time.Time `json:"created_at"`
+// 	CreatedAt  time.Time `json:"created_at"`
-	UpdatedAt  time.Time `json:"updated_at"`
+// 	UpdatedAt  time.Time `json:"updated_at"`
-}
+// }
 
 func SetUser(v *User) error {
 	var err error
@@ -57,13 +57,44 @@ func SetUser(v *User) error {
 	v.Groups = ng
 
 	v.UpdatedAt = time.Now()
-	err = Save(v)
+	if v.Id > 0 {
+		err = Set(v)
+	} else {
+		err = Add(v)
+	}
 
 	return err
 }
 
-// 验证用户登陆信息
+// 验证用户登录信息
 func CheckUser(name, pwd, group string) error {
+	// 获取登入的group数据
+	groupData := &Group{}
+	err := One("Name", group, groupData)
+	if err != nil || groupData.Status != 1 {
+		return fmt.Errorf("%s - %s", name, "用户组错误")
+	}
+	// 初始化Auth
+	if len(groupData.Auth) == 0 {
+		groupData.Auth["type"] = "local"
+	}
+	authType := groupData.Auth["type"].(string)
+	// 本地认证方式
+	if authType == "local" {
+		return checkLocalUser(name, pwd, group)
+	}
+	// 其它认证方式, 支持自定义
+	_, ok := authRegistry[authType]
+	if !ok {
+		return fmt.Errorf("%s %s", "未知的认证方式: ", authType)
+	}
+	auth := makeInstance(authType).(IUserAuth)
+	return auth.checkUser(name, pwd, groupData)
+}
+
+// 验证本地用户登录信息
+func checkLocalUser(name, pwd, group string) error {
+	// TODO 严重问题
 	// return nil
 
 	pl := len(pwd)
@@ -73,18 +104,17 @@ func CheckUser(name, pwd, group string) error {
 	v := &User{}
 	err := One("Username", name, v)
 	if err != nil || v.Status != 1 {
-		return fmt.Errorf("%s %s", name, "用户名错误")
+		switch v.Status {
+		case 0:
+			return fmt.Errorf("%s %s", name, "用户不存在或用户已停用")
+		case 2:
+			return fmt.Errorf("%s %s", name, "用户已过期")
+		}
 	}
 	// 判断用户组信息
 	if !utils.InArrStr(v.Groups, group) {
 		return fmt.Errorf("%s %s", name, "用户组错误")
 	}
-	groupData := &Group{}
-	err = One("Name", group, groupData)
-	if err != nil || groupData.Status != 1 {
-		return fmt.Errorf("%s - %s", name, "用户组错误")
-	}
-
 	// 判断otp信息
 	pinCode := pwd
 	if !v.DisableOtp {
@@ -103,6 +133,21 @@ func CheckUser(name, pwd, group string) error {
 	return nil
 }
 
+// 用户过期时间到达后，更新用户状态，并返回一个状态为过期的用户切片
+func CheckUserlimittime() (limitUser []interface{}) {
+	if _, err := xdb.Where("limittime <= ?", time.Now()).And("status = ?", 1).Update(&User{Status: 2}); err != nil {
+		return
+	}
+	user := make(map[int64]User)
+	if err := xdb.Where("status != ?", 1).Find(user); err != nil {
+		return
+	}
+	for _, v := range user {
+		limitUser = append(limitUser, v.Username)
+	}
+	return
+}
+
 var (
 	userOtpMux = sync.Mutex{}
 	userOtp    = map[string]time.Time{}
@@ -141,7 +186,7 @@ func checkOtp(name, otp, secret string) bool {
 
 	totp := gotp.NewDefaultTOTP(secret)
 	unix := time.Now().Unix()
-	verify := totp.Verify(otp, int(unix))
+	verify := totp.Verify(otp, unix)
 
 	return verify
 }

server/dbdata/user_act_log.go

@@ -0,0 +1,218 @@
+package dbdata
+
+import (
+	"net/url"
+	"regexp"
+	"strings"
+
+	"github.com/bjdgyc/anylink/base"
+	"github.com/ivpusic/grpool"
+	"github.com/spf13/cast"
+	"xorm.io/xorm"
+)
+
+const (
+	UserAuthFail       = 0 // 认证失败
+	UserAuthSuccess    = 1 // 认证成功
+	UserConnected      = 2 // 连线成功
+	UserLogout         = 3 // 用户登出
+	UserLogoutLose     = 0 // 用户掉线
+	UserLogoutBanner   = 1 // 用户banner弹窗取消
+	UserLogoutClient   = 2 // 用户主动登出
+	UserLogoutTimeout  = 3 // 用户超时登出
+	UserLogoutAdmin    = 4 // 账号被管理员踢下线
+	UserLogoutExpire   = 5 // 账号过期被踢下线
+	UserIdleTimeout    = 6 // 用户空闲链接超时
+	UserLogoutOneAdmin = 7 // 账号被管理员一键下线
+
+)
+
+type UserActLogProcess struct {
+	Pool      *grpool.Pool
+	StatusOps []string
+	OsOps     []string
+	ClientOps []string
+	InfoOps   []string
+}
+
+var (
+	UserActLogIns = &UserActLogProcess{
+		Pool: grpool.NewPool(1, 100),
+		StatusOps: []string{ // 操作类型
+			UserAuthFail:    "认证失败",
+			UserAuthSuccess: "认证成功",
+			UserConnected:   "连接成功",
+			UserLogout:      "用户登出",
+		},
+		OsOps: []string{ // 操作系统
+			0: "Unknown",
+			1: "Windows",
+			2: "macOS",
+			3: "Linux",
+			4: "Android",
+			5: "iOS",
+		},
+		ClientOps: []string{ // 客户端
+			0: "Unknown",
+			1: "AnyConnect",
+			2: "OpenConnect",
+			3: "AnyLink",
+		},
+		InfoOps: []string{ // 信息
+			UserLogoutLose:     "用户掉线",
+			UserLogoutBanner:   "用户取消弹窗/客户端发起的logout",
+			UserLogoutClient:   "用户/客户端主动断开",
+			UserLogoutTimeout:  "Session过期被踢下线",
+			UserLogoutAdmin:    "账号被管理员踢下线",
+			UserLogoutExpire:   "账号过期被踢下线",
+			UserIdleTimeout:    "用户空闲链接超时",
+			UserLogoutOneAdmin: "账号被管理员一键下线",
+		},
+	}
+)
+
+// 异步写入用户操作日志
+func (ua *UserActLogProcess) Add(u UserActLog, userAgent string) {
+	// os, client, ver
+	os_idx, client_idx, ver := ua.ParseUserAgent(userAgent)
+	u.Os = os_idx
+	u.Client = client_idx
+	u.Version = ver
+	u.RemoteAddr = strings.Split(u.RemoteAddr, ":")[0]
+	// remove extra characters
+	infoSlice := strings.Split(u.Info, " ")
+	infoLen := len(infoSlice)
+	if infoLen > 1 {
+		if u.Username == infoSlice[0] {
+			u.Info = strings.Join(infoSlice[1:], " ")
+		}
+		// delete - char
+		if infoLen > 2 && infoSlice[1] == "-" {
+			u.Info = u.Info[2:]
+		}
+	}
+	// limit the max length of char
+	u.Version = substr(u.Version, 0, 15)
+	u.DeviceType = substr(u.DeviceType, 0, 128)
+	u.PlatformVersion = substr(u.PlatformVersion, 0, 128)
+	u.Info = substr(u.Info, 0, 255)
+
+	UserActLogIns.Pool.JobQueue <- func() {
+		err := Add(u)
+		if err != nil {
+			base.Error("Add UserActLog error: ", err)
+		}
+	}
+}
+
+// 转义操作类型, 方便vue显示
+func (ua *UserActLogProcess) GetStatusOpsWithTag() interface{} {
+	type StatusTag struct {
+		Key   int    `json:"key"`
+		Value string `json:"value"`
+		Tag   string `json:"tag"`
+	}
+	var res []StatusTag
+	for k, v := range ua.StatusOps {
+		tag := "info"
+		switch k {
+		case UserAuthFail:
+			tag = "danger"
+		case UserAuthSuccess:
+			tag = "success"
+		case UserConnected:
+			tag = ""
+		}
+		res = append(res, StatusTag{k, v, tag})
+	}
+	return res
+}
+
+func (ua *UserActLogProcess) GetInfoOpsById(id uint8) string {
+	if int(id) >= len(ua.InfoOps) {
+		return "未知的信息类型"
+	}
+	return ua.InfoOps[id]
+}
+
+// 解析user agent
+func (ua *UserActLogProcess) ParseUserAgent(userAgent string) (os_idx, client_idx uint8, ver string) {
+	// Unknown
+	if len(userAgent) == 0 {
+		return 0, 0, ""
+	}
+	// OS
+	os_idx = 0
+	if strings.Contains(userAgent, "windows") {
+		os_idx = 1
+	} else if strings.Contains(userAgent, "mac os") || strings.Contains(userAgent, "darwin_i386") || strings.Contains(userAgent, "darwin_amd64") || strings.Contains(userAgent, "darwin_arm64") {
+		os_idx = 2
+	} else if strings.Contains(userAgent, "darwin_arm") || strings.Contains(userAgent, "apple") {
+		os_idx = 5
+	} else if strings.Contains(userAgent, "android") {
+		os_idx = 4
+	} else if strings.Contains(userAgent, "linux") {
+		os_idx = 3
+	}
+	// Client
+	client_idx = 0
+	if strings.Contains(userAgent, "anyconnect") {
+		client_idx = 1
+	} else if strings.Contains(userAgent, "openconnect") {
+		client_idx = 2
+	} else if strings.Contains(userAgent, "anylink") {
+		client_idx = 3
+	}
+	// Version
+	uaSlice := strings.Split(userAgent, " ")
+	ver = uaSlice[len(uaSlice)-1]
+	if ver[0] == 'v' {
+		ver = ver[1:]
+	}
+	if !regexp.MustCompile(`^(\d+\.?)+$`).MatchString(ver) {
+		ver = ""
+	}
+	return
+}
+
+// 清除用户操作日志
+func (ua *UserActLogProcess) ClearUserActLog(ts string) (int64, error) {
+	affected, err := xdb.Where("created_at < '" + ts + "'").Delete(&UserActLog{})
+	return affected, err
+}
+
+// 后台筛选用户操作日志
+func (ua *UserActLogProcess) GetSession(values url.Values) *xorm.Session {
+	session := xdb.Where("1=1")
+	if values.Get("username") != "" {
+		session.And("username = ?", values.Get("username"))
+	}
+	if values.Get("sdate") != "" {
+		session.And("created_at >= ?", values.Get("sdate")+" 00:00:00'")
+	}
+	if values.Get("edate") != "" {
+		session.And("created_at <= ?", values.Get("edate")+" 23:59:59'")
+	}
+	if values.Get("status") != "" {
+		session.And("status = ?", cast.ToUint8(values.Get("status"))-1)
+	}
+	if values.Get("os") != "" {
+		session.And("os = ?", cast.ToUint8(values.Get("os"))-1)
+	}
+	if values.Get("sort") == "1" {
+		session.OrderBy("id desc")
+	} else {
+		session.OrderBy("id asc")
+	}
+	return session
+}
+
+// 截取字符串
+func substr(s string, pos, length int) string {
+	runes := []rune(s)
+	l := pos + length
+	if l > len(runes) {
+		l = len(runes)
+	}
+	return string(runes[pos:l])
+}

server/dbdata/user_act_log_test.go

@@ -0,0 +1,82 @@
+package dbdata
+
+import "testing"
+
+func TestParseUserAgent(t *testing.T) {
+	type args struct {
+		userAgent string
+	}
+	type res struct {
+		os_idx     uint8
+		client_idx uint8
+		ver        string
+	}
+	tests := []struct {
+		name string
+		args args
+		want res
+	}{
+		{
+			name: "mac os 1",
+			args: args{userAgent: "cisco anyconnect vpn agent for mac os x 4.10.05085"},
+			want: res{os_idx: 2, client_idx: 1, ver: "4.10.05085"},
+		},
+		{
+			name: "mac os 2",
+			args: args{userAgent: "anyconnect darwin_i386 4.10.05085"},
+			want: res{os_idx: 2, client_idx: 1, ver: "4.10.05085"},
+		},
+		{
+			name: "windows",
+			args: args{userAgent: "cisco anyconnect vpn agent for windows 4.8.02042"},
+			want: res{os_idx: 1, client_idx: 1, ver: "4.8.02042"},
+		},
+		{
+			name: "iPad",
+			args: args{userAgent: "anyconnect applesslvpn_darwin_arm (ipad) 4.10.04060"},
+			want: res{os_idx: 5, client_idx: 1, ver: "4.10.04060"},
+		},
+		{
+			name: "iPhone",
+			args: args{userAgent: "cisco anyconnect vpn agent for apple iphone 4.10.04060"},
+			want: res{os_idx: 5, client_idx: 1, ver: "4.10.04060"},
+		},
+		{
+			name: "android",
+			args: args{userAgent: "anyconnect android 4.10.05096"},
+			want: res{os_idx: 4, client_idx: 1, ver: "4.10.05096"},
+		},
+		{
+			name: "linux",
+			args: args{userAgent: "cisco anyconnect vpn agent for linux v7.08"},
+			want: res{os_idx: 3, client_idx: 1, ver: "7.08"},
+		},
+		{
+			name: "openconnect",
+			args: args{userAgent: "openconnect-gui 1.5.3 v7.08"},
+			want: res{os_idx: 0, client_idx: 2, ver: "7.08"},
+		},
+		{
+			name: "unknown",
+			args: args{userAgent: "unknown 1.4.3 aabcd"},
+			want: res{os_idx: 0, client_idx: 0, ver: ""},
+		},
+		{
+			name: "unknown 2",
+			args: args{userAgent: ""},
+			want: res{os_idx: 0, client_idx: 0, ver: ""},
+		},
+		{
+			name: "anylink",
+			args: args{userAgent: "anylink vpn agent for linux v1.0"},
+			want: res{os_idx: 3, client_idx: 3, ver: "1.0"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if os_idx, client_idx, ver := UserActLogIns.ParseUserAgent(tt.args.userAgent); os_idx != tt.want.os_idx || client_idx != tt.want.client_idx || ver != tt.want.ver {
+				t.Errorf("ParseUserAgent() = %v, %v, %v, want %v, %v, %v", os_idx, client_idx, ver, tt.want.os_idx, tt.want.client_idx, tt.want.ver)
+			}
+		})
+	}
+}

server/dbdata/user_test.go

@@ -17,12 +17,12 @@ func TestCheckUser(t *testing.T) {
 
 	// 添加一个组
 	dns := []ValData{{Val: "114.114.114.114"}}
-	route := []ValData{{Val: "192.168.1.1/24"}}
+	route := []ValData{{Val: "192.168.1.0/24"}}
 	g := Group{Name: group, Status: 1, ClientDns: dns, RouteInclude: route}
 	err := SetGroup(&g)
 	ast.Nil(err)
 	// 判断 IpMask
-	ast.Equal(g.RouteInclude[0].IpMask, "192.168.1.1/255.255.255.0")
+	ast.Equal(g.RouteInclude[0].IpMask, "192.168.1.0/255.255.255.0")
 
 	// 添加一个用户
 	u := User{Username: "aaa", Groups: []string{group}, Status: 1}
@@ -40,4 +40,51 @@ func TestCheckUser(t *testing.T) {
 	_ = SetUser(&u)
 	err = CheckUser("aaa", u.PinCode, group)
 	ast.Nil(err)
+
+	// 添加一个radius组
+	group2 := "group2"
+	authData := map[string]interface{}{
+		"type": "radius",
+		"radius": map[string]string{
+			"addr":   "192.168.1.12:1044",
+			"secret": "43214132",
+		},
+	}
+	g2 := Group{Name: group2, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
+	err = SetGroup(&g2)
+	ast.Nil(err)
+	err = CheckUser("aaa", "bbbbbbb", group2)
+	if ast.NotNil(err) {
+		ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
+	}
+	// 添加用户策略
+	dns2 := []ValData{{Val: "8.8.8.8"}}
+	route2 := []ValData{{Val: "192.168.2.0/24"}}
+	p1 := Policy{Username: "aaa", Status: 1, ClientDns: dns2, RouteInclude: route2}
+	err = SetPolicy(&p1)
+	ast.Nil(err)
+	err = CheckUser("aaa", u.PinCode, group)
+	ast.Nil(err)
+	// 添加一个ldap组
+	group3 := "group3"
+	authData = map[string]interface{}{
+		"type": "ldap",
+		"ldap": map[string]interface{}{
+			"addr":         "192.168.8.12:389",
+			"tls":          true,
+			"bind_name":    "userfind@abc.com",
+			"bind_pwd":     "afdbfdsafds",
+			"base_dn":      "dc=abc,dc=com",
+			"object_class": "person",
+			"search_attr":  "sAMAccountName",
+			"member_of":    "cn=vpn,cn=user,dc=abc,dc=com",
+		},
+	}
+	g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
+	err = SetGroup(&g3)
+	ast.Nil(err)
+	err = CheckUser("aaa", "bbbbbbb", group3)
+	if ast.NotNil(err) {
+		ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
+	}
 }

server/dbdata/userauth.go

@@ -0,0 +1,23 @@
+package dbdata
+
+import (
+	"reflect"
+	"regexp"
+)
+
+var authRegistry = make(map[string]reflect.Type)
+
+type IUserAuth interface {
+	checkData(authData map[string]interface{}) error
+	checkUser(name, pwd string, g *Group) error
+}
+
+func makeInstance(name string) interface{} {
+	v := reflect.New(authRegistry[name]).Elem()
+	return v.Interface()
+}
+
+func ValidateIpPort(addr string) bool {
+	RegExp := regexp.MustCompile(`^(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$$`)
+	return RegExp.MatchString(addr)
+}

server/dbdata/userauth_ldap.go

@@ -0,0 +1,174 @@
+package dbdata
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"reflect"
+	"regexp"
+	"strconv"
+	"time"
+
+	"github.com/go-ldap/ldap"
+)
+
+type AuthLdap struct {
+	Addr        string `json:"addr"`
+	Tls         bool   `json:"tls"`
+	BindName    string `json:"bind_name"`
+	BindPwd     string `json:"bind_pwd"`
+	BaseDn      string `json:"base_dn"`
+	ObjectClass string `json:"object_class"`
+	SearchAttr  string `json:"search_attr"`
+	MemberOf    string `json:"member_of"`
+}
+
+func init() {
+	authRegistry["ldap"] = reflect.TypeOf(AuthLdap{})
+}
+
+func (auth AuthLdap) checkData(authData map[string]interface{}) error {
+	authType := authData["type"].(string)
+	bodyBytes, err := json.Marshal(authData[authType])
+	if err != nil {
+		return errors.New("LDAP配置填写有误")
+	}
+	json.Unmarshal(bodyBytes, &auth)
+	// 支持域名和IP, 必须填写端口
+	if !ValidateIpPort(auth.Addr) && !ValidateDomainPort(auth.Addr) {
+		return errors.New("LDAP的服务器地址(含端口)填写有误")
+	}
+	if auth.BindName == "" {
+		return errors.New("LDAP的管理员 DN不能为空")
+	}
+	if auth.BindPwd == "" {
+		return errors.New("LDAP的管理员密码不能为空")
+	}
+	if auth.BaseDn == "" || !ValidateDN(auth.BaseDn) {
+		return errors.New("LDAP的Base DN填写有误")
+	}
+	if auth.ObjectClass == "" {
+		return errors.New("LDAP的用户对象类填写有误")
+	}
+	if auth.SearchAttr == "" {
+		return errors.New("LDAP的用户唯一ID不能为空")
+	}
+	if auth.MemberOf != "" && !ValidateDN(auth.MemberOf) {
+		return errors.New("LDAP的受限用户组填写有误")
+	}
+	return nil
+}
+
+func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
+	pl := len(pwd)
+	if name == "" || pl < 1 {
+		return fmt.Errorf("%s %s", name, "密码错误")
+	}
+	authType := g.Auth["type"].(string)
+	if _, ok := g.Auth[authType]; !ok {
+		return fmt.Errorf("%s %s", name, "LDAP的ldap值不存在")
+	}
+	bodyBytes, err := json.Marshal(g.Auth[authType])
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "LDAP Marshal出现错误")
+	}
+	err = json.Unmarshal(bodyBytes, &auth)
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "LDAP Unmarshal出现错误")
+	}
+	// 检测服务器和端口的可用性
+	con, err := net.DialTimeout("tcp", auth.Addr, 3*time.Second)
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "LDAP服务器连接异常, 请检测服务器和端口")
+	}
+	defer con.Close()
+	// 连接LDAP
+	l, err := ldap.Dial("tcp", auth.Addr)
+	if err != nil {
+		return fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error())
+	}
+	defer l.Close()
+	if auth.Tls {
+		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return fmt.Errorf("%s LDAP TLS连接失败 %s", name, err.Error())
+		}
+	}
+	err = l.Bind(auth.BindName, auth.BindPwd)
+	if err != nil {
+		return fmt.Errorf("%s LDAP 管理员 DN或密码填写有误 %s", name, err.Error())
+	}
+	if auth.ObjectClass == "" {
+		auth.ObjectClass = "person"
+	}
+	filterAttr := "(objectClass=" + auth.ObjectClass + ")"
+	filterAttr += "(" + auth.SearchAttr + "=" + name + ")"
+	if auth.MemberOf != "" {
+		filterAttr += "(memberOf:=" + auth.MemberOf + ")"
+	}
+	searchRequest := ldap.NewSearchRequest(
+		auth.BaseDn,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 3, false,
+		fmt.Sprintf("(&%s)", filterAttr),
+		[]string{},
+		nil,
+	)
+	sr, err := l.Search(searchRequest)
+	if err != nil {
+		return fmt.Errorf("%s LDAP 查询失败 %s %s %s", name, auth.BaseDn, filterAttr, err.Error())
+	}
+	if len(sr.Entries) != 1 {
+		if len(sr.Entries) == 0 {
+			return fmt.Errorf("LDAP 找不到 %s 用户, 请检查用户或LDAP配置参数", name)
+		}
+		return fmt.Errorf("LDAP发现 %s 用户，存在多个账号", name)
+	}
+	err = parseEntries(sr)
+	if err != nil {
+		return fmt.Errorf("LDAP %s 用户 %s", name, err.Error())
+	}
+	userDN := sr.Entries[0].DN
+	err = l.Bind(userDN, pwd)
+	if err != nil {
+		return fmt.Errorf("%s LDAP 登入失败，请检查登入的账号或密码 %s", name, err.Error())
+	}
+	return nil
+}
+
+func parseEntries(sr *ldap.SearchResult) error {
+	for _, attr := range sr.Entries[0].Attributes {
+		switch attr.Name {
+		case "shadowExpire":
+			// -1 启用, 1 停用, >1 从1970-01-01至到期日的天数
+			val, _ := strconv.ParseInt(attr.Values[0], 10, 64)
+			if val == -1 {
+				return nil
+			}
+			if val == 1 {
+				return fmt.Errorf("账号已停用")
+			}
+			if val > 1 {
+				expireTime := time.Unix(val*86400, 0)
+				t := time.Date(expireTime.Year(), expireTime.Month(), expireTime.Day(), 23, 59, 59, 0, time.Local)
+				if t.Before(time.Now()) {
+					return fmt.Errorf("账号已过期(过期日期: %s)", t.Format("2006-01-02"))
+				}
+				return nil
+			}
+			return fmt.Errorf("账号shadowExpire值异常: %d", val)
+		}
+	}
+	return nil
+}
+
+func ValidateDomainPort(addr string) bool {
+	re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
+	return re.MatchString(addr)
+}
+
+func ValidateDN(dn string) bool {
+	re := regexp.MustCompile(`^(?:(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+,)*(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+$`)
+	return re.MatchString(dn)
+}

server/dbdata/userauth_radius.go

@@ -0,0 +1,72 @@
+package dbdata
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"reflect"
+	"time"
+
+	"layeh.com/radius"
+	"layeh.com/radius/rfc2865"
+)
+
+type AuthRadius struct {
+	Addr   string `json:"addr"`
+	Secret string `json:"secret"`
+}
+
+func init() {
+	authRegistry["radius"] = reflect.TypeOf(AuthRadius{})
+}
+
+func (auth AuthRadius) checkData(authData map[string]interface{}) error {
+	authType := authData["type"].(string)
+	bodyBytes, err := json.Marshal(authData[authType])
+	if err != nil {
+		return errors.New("Radius的密钥/服务器地址填写有误")
+	}
+	json.Unmarshal(bodyBytes, &auth)
+	if !ValidateIpPort(auth.Addr) {
+		return errors.New("Radius的服务器地址填写有误")
+	}
+	// freeradius官网最大8000字符, 这里限制200
+	if len(auth.Secret) < 8 || len(auth.Secret) > 200 {
+		return errors.New("Radius的密钥长度需在8～200个字符之间")
+	}
+	return nil
+}
+
+func (auth AuthRadius) checkUser(name, pwd string, g *Group) error {
+	pl := len(pwd)
+	if name == "" || pl < 1 {
+		return fmt.Errorf("%s %s", name, "密码错误")
+	}
+	authType := g.Auth["type"].(string)
+	if _, ok := g.Auth[authType]; !ok {
+		return fmt.Errorf("%s %s", name, "Radius的radius值不存在")
+	}
+	bodyBytes, err := json.Marshal(g.Auth[authType])
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "Radius Marshal出现错误")
+	}
+	err = json.Unmarshal(bodyBytes, &auth)
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "Radius Unmarshal出现错误")
+	}
+	// radius认证时，设置超时3秒
+	packet := radius.New(radius.CodeAccessRequest, []byte(auth.Secret))
+	rfc2865.UserName_SetString(packet, name)
+	rfc2865.UserPassword_SetString(packet, pwd)
+	ctx, done := context.WithTimeout(context.Background(), 3*time.Second)
+	defer done()
+	response, err := radius.Exchange(ctx, packet, auth.Addr)
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "Radius服务器连接异常, 请检测服务器和端口")
+	}
+	if response.Code != radius.CodeAccessAccept {
+		return fmt.Errorf("%s %s", name, "Radius：用户名或密码错误")
+	}
+	return nil
+}

server/files/info.txt

@@ -1,2 +0,0 @@
-客户端软件需放置在files目录内，
-如需要帮助请加QQ群：567510628

server/go.mod

@@ -1,40 +1,108 @@
 module github.com/bjdgyc/anylink
 
-go 1.15
+go 1.20
 
 require (
-	github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d // indirect
+	github.com/arl/statsviz v0.6.0
-	github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6 // indirect
+	github.com/deckarep/golang-set v1.8.0
-	github.com/asdine/storm/v3 v3.2.1
+	github.com/go-acme/lego/v4 v4.15.0
-	github.com/coreos/go-etcd v2.0.0+incompatible // indirect
+	github.com/go-co-op/gocron v1.37.0
-	github.com/cpuguy83/go-md2man v1.0.10 // indirect
+	github.com/go-ldap/ldap v3.0.3+incompatible
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/go-sql-driver/mysql v1.8.0
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/gocarina/gocsv v0.0.0-20231116093920-b87c2d0e983a
-	github.com/go-ole/go-ole v1.2.5 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/gopacket v1.1.19
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/handlers v1.5.2
-	github.com/magiconair/properties v1.8.4 // indirect
+	github.com/gorilla/mux v1.8.1
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
+	github.com/ivpusic/grpool v1.0.0
-	github.com/pelletier/go-toml v1.8.1
+	github.com/lanrenwo/lzsgo v0.0.2
-	github.com/shirou/gopsutil v3.21.1+incompatible
+	github.com/lib/pq v1.10.9
+	github.com/mattn/go-sqlite3 v1.14.22
+	github.com/orcaman/concurrent-map v1.0.0
+	github.com/pion/dtls/v2 v2.2.10
+	github.com/pion/logging v0.2.2
+	github.com/pires/go-proxyproto v0.7.0
+	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
-	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/cast v1.6.0
-	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/cobra v1.8.0
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/viper v1.18.2
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/stretchr/testify v1.8.4
-	github.com/spf13/viper v1.7.1
+	github.com/xhit/go-simple-mail/v2 v2.16.0
-	github.com/stretchr/testify v1.7.0
+	github.com/xlzd/gotp v0.1.0
-	github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8 // indirect
+	github.com/xuri/excelize/v2 v2.8.1
-	github.com/xhit/go-simple-mail/v2 v2.8.0
+	golang.org/x/crypto v0.21.0
-	github.com/xlzd/gotp v0.0.0-20181030022105-c8557ba2c119
+	golang.org/x/net v0.22.0
-	github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77 // indirect
+	golang.org/x/text v0.14.0
-	go.etcd.io/bbolt v1.3.5
+	golang.org/x/time v0.5.0
-	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
+	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
-	golang.org/x/net v0.0.0-20210220033124-5f55cee0dc0d
+	xorm.io/xorm v1.3.8
-	golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4 // indirect
+)
-	golang.org/x/text v0.3.5 // indirect
+
-	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
+require (
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.62.690 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cloudflare/cloudflare-go v0.89.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-test/deep v1.1.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
+	github.com/pion/transport/v2 v2.2.4 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.873 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.873 // indirect
+	github.com/toorop/go-dkim v0.0.0-20240103092955-90b7d1423f92 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect
+	golang.org/x/mod v0.16.0 // indirect
+	golang.org/x/tools v0.19.0 // indirect
+)
+
+require (
+	github.com/coreos/go-iptables v0.7.0
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/gorilla/websocket v1.5.1 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/richardlehane/mscfb v1.0.4 // indirect
+	github.com/richardlehane/msoleps v1.0.3 // indirect
+	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/syndtr/goleveldb v1.0.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.13 // indirect
+	github.com/tklauser/numcpus v0.7.0 // indirect
+	github.com/xuri/efp v0.0.0-20231025114914-d1ff6096ae53 // indirect
+	github.com/xuri/nfp v0.0.0-20230919160717-d98342af3f05 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	xorm.io/builder v0.3.13 // indirect
 )