alknet

alkdev/alknet

Fork 0

Commit Graph

Author	SHA1	Message	Date
glm-5.1	7dcf7502b7	feat(server): implement stealth mode protocol multiplexing (ADR-017) Add stealth mode detection that peeks at the first bytes after TLS handshake to determine SSH vs HTTP protocol. SSH connections proceed to russh handler; non-SSH connections receive a fake nginx 404 response, making the server indistinguishable from an ordinary HTTPS site to scanners and DPI systems. - ProtocolDetection enum (Ssh, Http) for protocol classification - detect_protocol() uses BufReader::fill_buf() to peek without consuming bytes - send_fake_nginx_404() writes HTTP/1.1 404 + Server: nginx headers - validate_stealth_config() enforces TLS transport requirement for stealth - 17 unit tests covering SSH banner, HTTP, random data, and edge cases	2026-06-02 11:13:15 +00:00
glm-5.1	24b92227e7	Implement ServerHandler with auth delegation and channel dispatch Convert server.rs to directory module (server/mod.rs + server/handler.rs). ServerHandler implements russh::server::Handler with: - auth_publickey() delegating to ServerAuthConfig with structured logging - channel_open_direct_tcpip() routing wraith-* prefix to internal handler, stub for regular TCP proxy - ProxyConfig/ProxyMode types for outbound proxy configuration - Unit tests for auth delegation, reserved destination routing, and unknown channel type rejection	2026-06-02 10:40:05 +00:00

Author

SHA1

Message

Date

glm-5.1

7dcf7502b7

feat(server): implement stealth mode protocol multiplexing (ADR-017)

Add stealth mode detection that peeks at the first bytes after TLS handshake
to determine SSH vs HTTP protocol. SSH connections proceed to russh handler;
non-SSH connections receive a fake nginx 404 response, making the server
indistinguishable from an ordinary HTTPS site to scanners and DPI systems.

- ProtocolDetection enum (Ssh, Http) for protocol classification
- detect_protocol() uses BufReader::fill_buf() to peek without consuming bytes
- send_fake_nginx_404() writes HTTP/1.1 404 + Server: nginx headers
- validate_stealth_config() enforces TLS transport requirement for stealth
- 17 unit tests covering SSH banner, HTTP, random data, and edge cases

2026-06-02 11:13:15 +00:00

glm-5.1

24b92227e7

Implement ServerHandler with auth delegation and channel dispatch

Convert server.rs to directory module (server/mod.rs + server/handler.rs).
ServerHandler implements russh::server::Handler with:
- auth_publickey() delegating to ServerAuthConfig with structured logging
- channel_open_direct_tcpip() routing wraith-* prefix to internal handler,
  stub for regular TCP proxy
- ProxyConfig/ProxyMode types for outbound proxy configuration
- Unit tests for auth delegation, reserved destination routing, and
  unknown channel type rejection

2026-06-02 10:40:05 +00:00

2 Commits