Merge pull request #3 from CHERTS/dev-0.11.4

Release v0.11.4

.codecov.yml

@@ -1,5 +1,6 @@
 ignore:
-  - "screenshot"
-  - "web"
-  - "server/conf"
-  - "server/files"
+  - "^doc"
+  - "^home"
+  - "^web"
+  - "^server/conf"
+  - "^server/files"

.gitignore

@@ -2,6 +2,7 @@
 .idea/
 anylink-deploy
 anylink-deploy.tar.gz
+anylink-deploy-*
 anylink
 anylink.db
 dist

.goreleaser.yaml

@@ -0,0 +1,74 @@
+version: 1
+
+dist: dist
+
+before:
+  hooks:
+    - pwd
+
+builds:
+  - id: "build"
+    dir: ./server
+    hooks:
+      pre:
+        - cmd: go mod tidy
+          dir: ./server
+          output: true
+        - cmd: go generate
+          dir: ./server
+          output: true
+    # {{- if eq .Arch "amd64" }}CC=x86_64-linux-gnu-gcc CXX=x86_64-linux-gnu-g++{{- end }}
+    env:
+      - CGO_ENABLED=1
+      - >-
+        {{- if eq .Os "linux" }}
+          {{- if eq .Arch "amd64" }}CC=x86_64-linux-musl-gcc{{- end }}
+        
+          {{- if eq .Arch "arm64" }}CC=aarch64-linux-gnu-gcc{{- end }}
+        {{- end }}
+        {{- if eq .Os "darwin" }}
+          {{- if eq .Arch "amd64"}}CC=o64-clang{{- end }}
+          {{- if eq .Arch "arm64"}}CC=oa64-clang{{- end }}
+        {{- end }}
+        {{- if eq .Os "windows" }}
+          {{- if eq .Arch "amd64"}}CC=x86_64-w64-mingw32-gcc{{- end }}
+          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
+        {{- end }}
+    goos:
+      - linux
+      #- darwin
+      #- windows
+    goarch:
+      - amd64
+      #- arm64
+    goamd64:
+      - v1
+    command: build
+    flags:
+      - -trimpath
+      - -tags osusergo,netgo,sqlite_omit_load_extension
+    ldflags:
+      - -s -w -extldflags '-static' -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X main.builtBy=dcross
+
+archives:
+  - id: "archive1"
+    format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"

README.md

@@ -3,9 +3,10 @@
 [![Go](https://github.com/cherts/anylink/workflows/Go/badge.svg?branch=main)](https://github.com/cherts/anylink/actions)
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/cherts/anylink)](https://pkg.go.dev/github.com/cherts/anylink)
 [![Go Report Card](https://goreportcard.com/badge/github.com/cherts/anylink)](https://goreportcard.com/report/github.com/cherts/anylink)
-[![codecov](https://codecov.io/gh/cherts/anylink/branch/master/graph/badge.svg?token=JTFLIIIBQ0)](https://codecov.io/gh/cherts/anylink)
+[![codecov](https://codecov.io/gh/cherts/anylink/graph/badge.svg?token=JTFLIIIBQ0)](https://codecov.io/gh/cherts/anylink)
 ![GitHub release](https://img.shields.io/github/v/release/cherts/anylink)
-![GitHub downloads)](https://img.shields.io/github/downloads/cherts/anylink/total)
+![GitHub downloads total)](https://img.shields.io/github/downloads/cherts/anylink/total)
+![GitHub Downloads (all assets, latest release)](https://img.shields.io/github/downloads/cherts/anylink/latest/total)
 [![Docker pulls)](https://img.shields.io/docker/pulls/cherts/anylink.svg)](https://hub.docker.com/r/cherts/anylink)
 ![LICENSE](https://img.shields.io/github/license/cherts/anylink)
 
@@ -22,7 +23,7 @@ Protocol development, and draws on the development ideas of [ocserv](http://ocse
 
 AnyLink uses TLS/DTLS for data encryption, so an RSA or ECC certificate is required. You can apply for a free SSL certificate through Let's Encrypt and TrustAsia.
 
-The AnyLink server is only tested on CentOS 7, CentOS 8, Ubuntu 18.04, Ubuntu 20.04 and Ubuntu 22.04. If it needs to be installed on other systems, the server needs to support the tun/tap function and ip setting command.
+The AnyLink server is only tested on CentOS 7, CentOS 8, Ubuntu 18.04, Ubuntu 20.04 and Ubuntu 22.04. If it needs to be installed on other systems, the server needs to support the tun/tap function and ip setting command, iptables command.
 
 ## Screenshot
 
@@ -50,17 +51,20 @@ The AnyLink server is only tested on CentOS 7, CentOS 8, Ubuntu 18.04, Ubuntu 20
 
 ### Compile and install by yourself
 
-> Golang >= 1.19 and nodejs >= 16.x and yarn >= v1.22.x need to be installed in advance.
+> Docker needs to be installed in advance
 
 ```shell
 git clone https://github.com/cherts/anylink.git
 
-# Compile reference software version
+# docker compilation reference software version (no installation required)
 # go 1.22
 # node v16.20.2
 # yarn 1.22.19
 
 cd anylink
+# Compile front-end
+bash build_web.sh
+# Compile anylink-deploy release files
 bash build.sh
 
 # Make sure to run with root privileges
@@ -82,21 +86,27 @@ sudo ./anylink
 - [x] Compatible with AnyConnect
 - [x] Compatible with OpenConnect
 - [x] Nat access mode based on tun device
-- [x] Tap device based bridge access mode
+- [x] Bridged access mode based on tun device
 - [x] Bridged access mode based on macvtap device
 - [x] Support [proxy protocol v1&v2](http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) protocol
 - [x] User group support
+- [x] User group policy support
 - [x] Multi-user support
 - [x] User policy support
 - [x] TOTP token support
 - [x] TOTP token switch
 - [x] Traffic rate limit
 - [x] Backend management interface
 - [x] Access rights management
+- [x] User activity audit function
 - [x] IP access audit function
 - [x] Domain name dynamic split tunnel (domain name routing function)
 - [x] radius authentication support
 - [x] LDAP authentication support
+- [x] Automatically disconnect when idle link times out
+- [x] Traffic compression function
+- [x] Automatic release of egress IP
+- [x] Support configuration differentiation of multiple services
 - [ ] Bridge access mode based on ipvtap device
 
 ## Config
@@ -118,6 +128,8 @@ sudo ./anylink
 ```
 
 > Database configuration example
+>
+> Database table structure is automatically generated, no need to manually import (please grant DDL permission)
 
 | db_type  | db_source                                              |
 |----------|--------------------------------------------------------|
@@ -140,6 +152,16 @@ sudo ./anylink
 
 ## Setting
 
+### Dependency settings
+
+> Server-side dependency installation:
+>
+> centos: yum install iptables iproute
+>
+> ubuntu: apt-get install iptables iproute2
+
+### link_mode setting
+
 > One of the following parameters must be set
 
 To select the network mode, you need to configure the `link_mode` parameter, such as `link_mode="tun"`, `link_mode="macvtap"`, `link_mode="tap"(not recommended)` and other parameters.
@@ -154,6 +176,7 @@ mode, please confirm that the virtual machine's network card is enabled in promi
 1. Enable server forwarding
 
 ```shell
+# The new version supports automatic setting of IP forwarding
 # file: /etc/sysctl.conf
 net.ipv4.ip_forward = 1
 
@@ -202,18 +225,50 @@ Next hop: 10.1.2.10
 
 3. Just connect using the AnyConnect client
 
-### macvtap settings
+#### Bridge settings
 
-1. Setup profile
+1. Set up the configuration file
 
 > macvtap setting is relatively simple, you only need to configure the corresponding parameters.
+>
+> Network requirements: The network needs to support ARP transmission, and ordinary intranet IP can be announced through ARP.
+>
+> Network restrictions: cannot be used in cloud environment, cannot be used in network card mac plus white environment, cannot be used in 802.1x certified network
+>
 > The following parameters can be viewed by executing `ip a`
 
+1.1 arp_proxy
+
 ```
+
+# file: /etc/sysctl.conf
+net.ipv4.conf.all.proxy_arp = 1
+
+#Execute the following command
+sysctl -w net.ipv4.conf.all.proxy_arp=1
+
+Configuration file modification:
+
 # First turn off the nat forwarding function
 iptables_nat = false
 
-# The master network card needs to turn on promiscuous mode
+
+link_mode = "tun"
+#Internal network main network card name
+ipv4_master = "eth0"
+#The following network segments need to be set the same as the ipv4_master network card
+ipv4_cidr = "10.1.2.0/24"
+ipv4_gateway = "10.1.2.99"
+ipv4_start = "10.1.2.100"
+ipv4_end = "10.1.2.200"
+
+```
+
+1.2 macvtap
+
+```
+
+# Command line execution master network card needs to turn on promiscuous mode
 ip link set dev eth0 promisc on
 
 #=====================#
@@ -223,10 +278,9 @@ ip link set dev eth0 promisc on
 iptables_nat = false
 
 link_mode = "macvtap"
-
-# Internal network main network card name
+#Internal network main network card name
 ipv4_master = "eth0"
-# The following network segments need to be set the same as the ipv4_master network card
+#The following network segments need to be set the same as the ipv4_master network card
 ipv4_cidr = "10.1.2.0/24"
 ipv4_gateway = "10.1.2.1"
 ipv4_start = "10.1.2.100"
@@ -365,6 +419,13 @@ Please go to [question address](doc/question.md) for detailed information
 
 Telegram: @cherts
 
+## Support Client
+
+- [AnyConnect Secure Client](https://www.cisco.com/) (Can be downloaded through group files: Windows/macOS/Linux/Android/iOS)
+- [OpenConnect](https://gitlab.com/openconnect/openconnect) (Windows/macOS/Linux)
+- [Mikata AnyLink Secure Client](https://github.com/tlslink/anylink-client) (Windows/macOS/Linux)
+- [Third-party client download address](https://cisco.yangpin.link) (Windows/macOS/Linux/Android/iOS)
+
 ## Contribution
 
 Welcome to submit PRs and Issues, and thank you for contributing to AnyLink.

build.sh

@@ -1,58 +1,19 @@
 #!/bin/bash
 
-set -x
-function RETVAL() {
-  rt=$1
-  if [ $rt != 0 ]; then
-    echo $rt
-    exit 1
-  fi
-}
-
+#Current directory
 cpath=$(pwd)
 ver=$(cat version)
-echo "Current version $ver"
-
-echo "Compile frontend project..."
-cd $cpath/web
-
-#npx browserslist@latest --update-db
-yarn install --registry=https://registry.npmmirror.com
-yarn run build
-RETVAL $?
-
-echo "Compile binaries..."
-cd $cpath/server
-rm -rf ui
-cp -rf $cpath/web/ui .
-
-# -tags osusergo,netgo,sqlite_omit_load_extension
-flags="-v -trimpath"
-
-# -extldflags '-static'
-ldflags="-s -w -X main.appVer=$ver -X main.commitId=$(git rev-parse HEAD) -X main.date=$(date -Iseconds)"
-
-export GOPROXY=https://goproxy.io
-go mod tidy
-go build -o anylink $flags -ldflags "$ldflags"
-
-cd $cpath
-
-exit 0
-
-echo "Build deployment files..."
-deploy="anylink-deploy"
-rm -rf $deploy ${deploy}.tar.gz
-mkdir $deploy
-mkdir $deploy/log
-cp -r server/anylink $deploy
-cp -r server/bridge-init.sh $deploy
-cp -r server/conf $deploy
-cp -r systemd $deploy
-cp -r LICENSE $deploy
-cp -r home $deploy
-tar zcvf ${deploy}.tar.gz $deploy
-
-# Make sure to run with root privileges
-#cd anylink-deploy
-#sudo ./anylink --conf="conf/server.toml"
+echo $ver
+#Front-end compilation only needs to be executed once
+#bash ./build_web.sh
+bash build_docker.sh
+
+deploy="anylink-deploy-$ver"
+docker container rm $deploy
+docker container create --name $deploy cherts/anylink:$ver
+rm -rf anylink-deploy anylink-deploy.tar.gz
+docker cp -a $deploy:/app ./anylink-deploy
+tar zcf ${deploy}.tar.gz anylink-deploy
+./anylink-deploy/anylink -v
+echo "anylink compilation completed, directory: anylink-deploy"
+ls -lh anylink-deploy

build_docker.sh

@@ -6,11 +6,14 @@ echo "Current version: $ver"
 #docker login -u cherts
 
 echo "Docker build..."
-docker build -t cherts/anylink:latest --progress=plain --build-arg appVer=$ver \
-  --build-arg commitId=$(git rev-parse HEAD) -f docker/Dockerfile .
+docker build -t cherts/anylink:latest --no-cache --progress=plain \
+  --build-arg appVer=$ver --build-arg commitId=$(git rev-parse HEAD) \
+  -f docker/Dockerfile .
 
 echo "Docker tag latest $ver"
 docker tag cherts/anylink:latest cherts/anylink:$ver
 
 #echo "Docker push..."
 #docker push cherts/anylink
+
+exit 0