alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
39 Commits 1 Branch 0 Tags
f13a1c985f39c92f696a2ff90aee3fd3894fb8a2
Commit Graph

8 Commits

Author SHA1 Message Date
glm-5.1
f13a1c985f Merge remote-tracking branch 'origin/feat/server/channel-proxy' 
# Conflicts:
#	crates/wraith-core/src/error.rs
#	crates/wraith-core/src/server/mod.rs
 2026-06-02 11:32:28 +00:00
glm-5.1
49fe2b699f Implement server channel proxy: direct, SOCKS5, and HTTP CONNECT outbound connections 
- Add channel_proxy.rs with connect_outbound() supporting Direct, Socks5, and HttpConnect proxy modes
- Implement proxy_channel() with bidirectional copy between SSH channel and outbound TCP
- Channel errors close individual channels without affecting SSH session (ADR-006)
- Remove destination logging from handler to comply with ADR-006
- Add ForwardError to error.rs (was missing, needed by forward.rs)
- Fix TcpListener type annotation in forward.rs
- Add 11 unit tests: direct, SOCKS5 handshake, HTTP CONNECT, proxy rejection, unreachable targets
 2026-06-02 11:24:32 +00:00
glm-5.1
365b11d19e Merge remote-tracking branch 'origin/feat/server/stealth-mode' 
# Conflicts:
#	crates/wraith-core/src/error.rs
#	crates/wraith-core/src/server/mod.rs
 2026-06-02 11:14:06 +00:00
glm-5.1
7dcf7502b7 feat(server): implement stealth mode protocol multiplexing (ADR-017) 
Add stealth mode detection that peeks at the first bytes after TLS handshake
to determine SSH vs HTTP protocol. SSH connections proceed to russh handler;
non-SSH connections receive a fake nginx 404 response, making the server
indistinguishable from an ordinary HTTPS site to scanners and DPI systems.

- ProtocolDetection enum (Ssh, Http) for protocol classification
- detect_protocol() uses BufReader::fill_buf() to peek without consuming bytes
- send_fake_nginx_404() writes HTTP/1.1 404 + Server: nginx headers
- validate_stealth_config() enforces TLS transport requirement for stealth
- 17 unit tests covering SSH banner, HTTP, random data, and edge cases
 2026-06-02 11:13:15 +00:00
glm-5.1
5a2b535605 Merge remote-tracking branch 'origin/feat/server/rate-limiting-and-logging' 
# Conflicts:
#	crates/wraith-core/src/error.rs
#	crates/wraith-core/src/server/handler.rs
#	crates/wraith-core/src/server/mod.rs
 2026-06-02 11:06:18 +00:00
glm-5.1
24b70f5651 Implement server rate limiting and fail2ban-friendly structured logging 
Add ConnectionRateLimiter (HashMap<IpAddr, usize>) and AuthAttemptLimiter
with check/on_connect/on_disconnect and check/on_failure methods.
Integrate into ServerHandler with structured tracing::info! logging for
auth attempts, connection opened/closed events. No logging of tunnel
destinations per ADR-006. Also add ForwardError type and fix type
annotation in forward.rs to unblock compilation.
 2026-06-02 11:02:55 +00:00
glm-5.1
f963898a05 Implement control channel routing for wraith-* reserved destinations (ADR-018) 
- Add control_channel.rs with WRAITH_CONTROL_DESTINATION, WRAITH_PREFIX constants
- Add ControlChannelHandler trait and ControlChannelRouter for routing logic
- Add DuplexStream supertrait for Box<dyn> compatibility
- Server handler rejects wraith-* destinations when no handler configured
- Add ForwardError type to fix pre-existing compilation error
- Unit tests: reserved detection, non-reserved pass-through, prefix matching
 2026-06-02 11:01:54 +00:00
glm-5.1
24b92227e7 Implement ServerHandler with auth delegation and channel dispatch 
Convert server.rs to directory module (server/mod.rs + server/handler.rs).
ServerHandler implements russh::server::Handler with:
- auth_publickey() delegating to ServerAuthConfig with structured logging
- channel_open_direct_tcpip() routing wraith-* prefix to internal handler,
  stub for regular TCP proxy
- ProxyConfig/ProxyMode types for outbound proxy configuration
- Unit tests for auth delegation, reserved destination routing, and
  unknown channel type rejection
 2026-06-02 10:40:05 +00:00