SOCKS Proxy

SOCKS operates at Layer 5 of the OSI model (the session layer, an intermediate layer between the presentation layer and the transport layer). A SOCKS server accepts incoming client connections on TCP port 1080.

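What runs locally is a SOCKS5 server; once the system proxy is enabled, the browser connects to the SOCKS5 server through the system HTTP proxy.

The SOCKS5 server supports more than HTTP proxying.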

Comparison to HTTP proxying

SOCKS operates at a lower level than HTTP proxying: SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make, and then acts as transparently as possible, whereas a regular proxy may interpret and rewrite headers (say, to employ another underlying protocol, such as FTP; however, an HTTP proxy simply forwards an HTTP request to the desired HTTP server). Though HTTP proxying has a different usage model in mind, the CONNECT method allows for forwarding TCP connections; however, SOCKS proxies can also forward UDP traffic and work in reverse, while HTTP proxies cannot. HTTP proxies are traditionally more aware of the HTTP protocol, performing higher-level filtering (though that usually only applies to GET and POST methods, not the CONNECT method). 

Browser

  • Chrome: supports SOCKS4, SOCKS4a and SOCKS5.
  • Firefox: supports SOCKS4, SOCKS4a and SOCKS5.
  • Internet Explorer and EdgeHTML-based Microsoft Edge: support SOCKS4 only.
  • Chromium-based Microsoft Edge: supports SOCKS4, SOCKS4a and SOCKS5.

> curl.exe --proxy http://127.0.0.1:1080 https://ipinfo.io/
{
  "ip": "3.2.6.3",
  "hostname": "ec2-3-2-6-3.compute-1.amazonaws.com",
  "city": "Ashburn",
  "region": "Virginia",
  "country": "US",
  "loc": "39.0437,-77.4875",
  "org": "AS14618 Amazon.com, Inc.",
  "postal": "20147",
  "timezone": "America/New_York",
  "readme": "https://ipinfo.io/missingauth"
}

By default only connections from localhost are allowed; the [Allow connections from LAN] option can be enabled.

> curl.exe --proxy http://127.0.0.1:1080/pac?t=202408162216102079 https://ipinfo.io/
{
  "ip": "3.2.6.3",
  "hostname": "ec2-3-2-6-3.compute-1.amazonaws.com",
  "city": "Ashburn",
  "region": "Virginia",
  "country": "US",
  "loc": "39.0437,-77.4875",
  "org": "AS14618 Amazon.com, Inc.",
  "postal": "20147",
  "timezone": "America/New_York",
  "readme": "https://ipinfo.io/missingauth"
}

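Is a SOCKS5 proxy a kind of HTTP proxy?

No. SOCKS5 proxies and HTTP proxies are two different types of proxy. Both are used to proxy network requests, but their working principles and use cases differ considerably.

HTTP proxy

  • How it works: Dedicated to proxying HTTP requests; it can intercept, modify and forward HTTP requests.
  • Use cases: Mainly web browsing; it can cache and compress HTTP requests, among other optimizations, to speed up page loading.
  • Limitations: It can only proxy HTTP and cannot handle other protocols (such as FTP or SMTP).

SOCKS5 proxy

  • How it works: A general-purpose proxy protocol that can proxy requests of any TCP or UDP protocol. A SOCKS5 proxy works at the network layer and does not modify the data stream; it only forwards the data to the target server.
  • Use cases: Broader in scope; besides HTTP requests it can proxy other protocols such as FTP, SMTP and SSH.
  • Advantages: More flexible and suitable for all kinds of network applications.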

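Summary of the differences

Feature   | HTTP proxy                             | SOCKS5 proxy
Protocol  | Specific to the HTTP protocol          | Supports TCP and UDP protocols
Function  | Can modify and optimize HTTP requests  | Only forwards data; does not modify its content
Use cases | Mainly web browsing                    | Broader; suitable for all kinds of network applications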

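When to choose a SOCKS5 proxy?

  • Multiple protocols need proxying: If you need to proxy several protocols such as HTTP, FTP and SMTP, a SOCKS5 proxy is the better choice.
  • More flexibility is needed: A SOCKS5 proxy can proxy any TCP or UDP protocol, which gives it greater flexibility.
  • Data tampering must be avoided: A SOCKS5 proxy does not modify the data content, which ensures data integrity.

When to choose an HTTP proxy?

  • Only HTTP requests need proxying: If you only need to proxy HTTP requests, an HTTP proxy can offer better performance and some extra features (such as caching and compression).

Summary

SOCKS5 and HTTP proxies each have strengths and weaknesses; which one to choose depends on the specific use case. If you need a general-purpose, flexible proxy, a SOCKS5 proxy is the better choice; if you only need to proxy HTTP requests, an HTTP proxy can offer better performance.

I hope this explanation helps. If you have any other questions, feel free to ask.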

> curl.exe -x socks5://127.0.0.1:1080/pac?t=202408162216102079 https://ipinfo.io/
{
  "ip": "3.2.6.3",
  "hostname": "ec2-3-2-6-3.compute-1.amazonaws.com",
  "city": "Ashburn",
  "region": "Virginia",
  "country": "US",
  "loc": "39.0437,-77.4875",
  "org": "AS14618 Amazon.com, Inc.",
  "postal": "20147",
  "timezone": "America/New_York",
  "readme": "https://ipinfo.io/missingauth"
}

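How to set up a SOCKS5 proxy server

Choosing suitable software

  • Dante: A classic open-source SOCKS5 server, powerful and flexibly configurable.
  • Shadowsocks: Another popular open-source proxy software that supports multiple encryption methods and offers high security.

Step 1 — Installing Dante
Check the distribution: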
root@vultr:~# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
Install:
root@vultr:~# apt install dante-server
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  dante-server
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 368 kB of archives.
After this operation, 1,021 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/universe amd64 dante-server amd64 1.4.2+dfsg-7build1 [368 kB]
Fetched 368 kB in 1s (665 kB/s)  
Selecting previously unselected package dante-server.
(Reading database ... 82196 files and directories currently installed.)
Preparing to unpack .../dante-server_1.4.2+dfsg-7build1_amd64.deb ...
Unpacking dante-server (1.4.2+dfsg-7build1) ...
Setting up dante-server (1.4.2+dfsg-7build1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/danted.service → /lib/systemd/system/danted.service.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3.23) ...
Copy the configuration file:
root@vultr:~# cat /etc/danted.conf 
logoutput: syslog
user.privileged: root
user.unprivileged: nobody

# The listening network interface or address.
internal: 0.0.0.0 port=1080

# The proxying network interface or address.
external: enp1s0

# socks-rules determine what is proxied through the external interface.
socksmethod: username

# client-rules determine who can connect to the internal interface.
clientmethod: none

client pass {
    from: 8.134.141.89/32 to: 0.0.0.0/0
}

socks pass {
    from: 8.134.141.89/32 to: 0.0.0.0/0
}
Add a user for logging in:
root@vultr:~# useradd -r -s /bin/false vbird
root@vultr:~# passwd vbird
New password: 
Retype new password: 
passwd: password updated successfully
Start the service:
root@vultr:~# systemctl status danted.service
● danted.service - SOCKS (v4 and v5) proxy daemon (danted)
     Loaded: loaded (/lib/systemd/system/danted.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2024-08-17 08:12:35 UTC; 5s ago
       Docs: man:danted(8)
             man:danted.conf(5)
    Process: 2594 ExecStartPre=/bin/sh -c       uid=`sed -n -e "s/[[:space:]]//g" -e "s/#.*//" -e "/^user\.privileged/{s/[^:]*://p;q;}" /etc/danted.conf`;      if [ -n "$>
   Main PID: 2608 (danted)
      Tasks: 20 (limit: 1041)
     Memory: 8.2M
     CGroup: /system.slice/danted.service
             ├─2608 /usr/sbin/danted
             ├─2609 danted: monitor
             ├─2610 danted: negotia
             ├─2611 danted: request
             ├─2612 danted: request
Test from the client:
[root@ali-ecs ~]# curl -v -x socks5://vbird:He*****28@144.202.98.58:1080 https://ipinfo.io
* Rebuilt URL to: https://ipinfo.io/
*   Trying 144.202.98.58...
* TCP_NODELAY set
* SOCKS5 communication to ipinfo.io:443
* SOCKS5 connect to IPv4 34.117.59.81 (locally resolved)
* SOCKS5 request granted.
* Connected to 144.202.98.58 (144.202.98.58) port 1080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=ipinfo.io
*  start date: Jul  3 16:04:01 2024 GMT
*  expire date: Oct  1 16:04:00 2024 GMT
*  subjectAltName: host "ipinfo.io" matched cert's "ipinfo.io"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55e0d7b926f0)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/2
> Host: ipinfo.io
> User-Agent: curl/7.61.1
> Accept: */*
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 200 
< access-control-allow-origin: *
< content-length: 328
< content-type: application/json; charset=utf-8
< date: Sat, 17 Aug 2024 08:26:48 GMT
< referrer-policy: strict-origin-when-cross-origin
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< via: 1.1 google
< strict-transport-security: max-age=2592000; includeSubDomains
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
* TLSv1.3 (IN), TLS app data, [no content] (0):
{
  "ip": "144.202.98.58",
  "hostname": "144.202.98.58.vultrusercontent.com",
  "city": "Santa Clara",
  "region": "California",
  "country": "US",
  "loc": "37.3924,-121.9623",
  "org": "AS20473 The Constant Company, LLC",
  "postal": "95054",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Connection #0 to host 144.202.98.58 left intact
Specify remote DNS resolution:
$ curl -v -x socks5h://vbird:He***6428@144.202.98.58:1080 https://www.google.com
*   Trying 144.202.98.58:1080...
* SOCKS5 connect to www.google.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 144.202.98.58 (144.202.98.58) port 1080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Jul 30 12:50:13 2024 GMT
*  expire date: Oct 22 12:50:12 2024 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5638ecb826b0)
> GET / HTTP/2
> Host: www.google.com
> user-agent: curl/7.79.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
< date: Sat, 17 Aug 2024 11:03:47 GMT
< expires: -1
< cache-control: private, max-age=0
< content-type: text/html; charset=ISO-8859-1
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-qjbk_s25mwMtul4Uqm0EsQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< server: gws
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: AEC=AVYB7cpcGUd2Sse2cTT--Ko50Q6IcjhAxB9tQ7c4ioO0_sPuQQRq7QRvLnQ; expires=Thu, 13-Feb-2025 11:03:47 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< set-cookie: NID=516=CfO37KrRg-dFuC6CRiPpdCi9tduUBfV5fbZGBttZE5uMdQfafSJGWv4QIWOKCoaUy-bsJwaOjWqGn9MKOKID_AMTBf6-AmiLfmH5z5w2yZdK1wFuM9fOC-eclTQmI_ipRMdMZE0YvavHCJRbidbedOmF0YSPZgNTaQYWI2F2UOQSJ-YoueL3-uSS; expires=Sun, 16-Feb-2025 11:03:47 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< accept-ranges: none
< vary: Accept-Encoding
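
An added example, not part of the original post or of Dante: a small Python audit for a danted.conf like the one above, flagging the settings that would leave the proxy usable by anyone (an unauthenticated socksmethod, or pass rules whose source is 0.0.0.0/0). OPEN_CONF is a constructed sample, the function names are hypothetical, and the parser covers only the directives this page uses.

```python
import ipaddress
import re

# Constructed sample modelled on the danted.conf above, with authentication
# removed and both pass rules widened to any source.
OPEN_CONF = """
internal: 0.0.0.0 port=1080
socksmethod: none
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}
"""

RULE = re.compile(r"^(client|socks)\s+pass\s*\{(.*?)\}", re.S | re.M)


def is_any(addr):
    """True when a rule's source address covers every host."""
    if addr == "0/0":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or interface name, not a wildcard network


def audit(conf):
    """Return findings for a danted.conf text; an empty list means none."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    listen = re.search(r"^internal:\s*(\S+)", conf, re.M)
    methods = re.search(r"^socksmethod:\s*(.+)$", conf, re.M)
    open_kinds = {kind for kind, body in RULE.findall(conf)
                  for src in re.findall(r"from:\s*(\S+)", body) if is_any(src)}
    findings = []
    if methods and "none" in re.split(r"[\s,]+", methods.group(1).strip()):
        findings.append("socksmethod allows unauthenticated use")
    if listen and listen.group(1) in ("0.0.0.0", "::") and "client" in open_kinds:
        findings.append("listens on all interfaces and any source may connect")
    if "socks" in open_kinds:
        findings.append("socks pass rule accepts requests from any source")
    return findings


if __name__ == "__main__":
    print(audit(OPEN_CONF))
```

Run against the configuration shown on this page, which pins both rules to a single /32 and requires the username method, the audit returns no findings.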

SOCKS proxy

SOCKS is a protocol used for proxies and curl supports it. curl supports both SOCKS version 4 as well as version 5, and both versions come in two flavors.

You can select the specific SOCKS version to use by using the correct scheme part for the given proxy host with -x, or you can specify it with a separate option instead of -x.

SOCKS5 is for the version 5 and SOCKS5-hostname is for the version 5 without resolving the hostname locally:

curl -x socks5://proxy.example.com http://www.example.com/

curl --socks5 proxy.example.com http://www.example.com/

The SOCKS5-hostname versions. This sends the hostname to the proxy so there is no name resolving done by curl locally:

curl -x socks5h://proxy.example.com http://www.example.com/

curl --socks5-hostname proxy.example.com http://www.example.com/
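
What the two schemes put on the wire, as an added example that is not part of the original post or of curl: the CONNECT request for socks5:// carries an IPv4 address the client resolved itself, while socks5h:// carries the hostname for the proxy to resolve. The layouts follow RFC 1928 and RFC 1929, the function names are hypothetical, and the demo inputs are constructed from the address and hostname in the traces above; the RFC 1929 message also shows that the username and password travel to the proxy in cleartext.

```python
import ipaddress
import struct

# Constants from RFC 1928 (SOCKS5); the auth layout is from RFC 1929.
VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def userpass_auth(user, password):
    """RFC 1929 message: VER=1, ULEN, UNAME, PLEN, PASSWD, all in cleartext."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def connect_request(host, port, remote_dns):
    """Build a CONNECT request; remote_dns=True corresponds to socks5h://."""
    if remote_dns:
        name = host.encode("idna")  # hostname travels to the proxy unresolved
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # socks5:// case: host must already be an IPv4 literal resolved locally.
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_request(data):
    """Decode a CONNECT request as a proxy or a capture reviewer would."""
    if len(data) < 7 or data[0] != VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end, dest, how = 8, str(ipaddress.IPv4Address(data[4:8])), "locally resolved"
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        dest, how = data[5:end].decode("ascii"), "remotely resolved"
    elif atyp == ATYP_IPV6:
        end, dest, how = 20, str(ipaddress.IPv6Address(data[4:20])), "locally resolved"
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("truncated or oversized request")
    return dest, struct.unpack("!H", data[end:end + 2])[0], how

if __name__ == "__main__":
    # Constructed inputs reusing the address and hostname from the traces above.
    for req in (connect_request("34.117.59.81", 443, False),
                connect_request("www.google.com", 443, True)):
        print(req.hex(), parse_request(req))
    print(userpass_auth("vbird", "constructed-password"))
```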

