add README_en.md

2016-10-22 10:15:29 +08:00 · 2016-10-22 10:15:29 +08:00 · 67a9b8d0ee
commit 67a9b8d0ee
parent a7f1bf34b7
2 changed files with 299 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -3,6 +3,8 @@ gost - GO Simple Tunnel

 ### GO语言实现的安全隧道

+[English README](README_en.md)
+
 特性
 ------
 * 可同时监听多端口
@ -10,9 +12,10 @@ gost - GO Simple Tunnel
 * 支持标准HTTP/HTTPS/SOCKS5代理协议
 * SOCKS5代理支持TLS协商加密
 * Tunnel UDP over TCP
-* 支持Shadowsocks协议，支持OTA (OTA功能需2.2及以上版本)
-* 支持端口转发 (2.1及以上版本)
-* 支持HTTP2.0 (2.2及以上版本)
+* 支持Shadowsocks协议，支持OTA (OTA: >=2.2)
+* 支持端口转发 (>=2.1)
+* 支持HTTP2.0 (>=2.2)
+* 实验性支持QUIC (>=2.3)

 二进制文件下载：https://github.com/ginuerzh/gost/releases

@ -31,21 +34,23 @@ Google讨论组: https://groups.google.com/d/forum/go-gost
 ```
 scheme分为两部分: protocol+transport

-protocol: 代理协议类型(http, socks5, shadowsocks), transport: 数据传输方式(ws, wss, tls, http2), 二者可以任意组合，或单独使用:
+protocol: 代理协议类型(http, socks5, shadowsocks), transport: 数据传输方式(ws, wss, tls, http2, quic), 二者可以任意组合，或单独使用:

 > http - 作为HTTP代理: http://:8080

-> http+tls - 作为HTTPS代理(可能需要提供受信任的证书): http+tls://:8080
+> http+tls - 作为HTTPS代理(可能需要提供受信任的证书): http+tls://:443

 > http2 - 作为HTTP2代理并向下兼容HTTPS代理: http2://:443

-> socks - 作为标准SOCKS5代理(支持tls协商加密): socks://:8080
+> socks - 作为标准SOCKS5代理(支持tls协商加密): socks://:1080

-> socks+ws - 作为SOCKS5代理，使用websocket传输数据: socks+ws://:8080
+> socks+wss - 作为SOCKS5代理，使用websocket传输数据: socks+wss://:1080

-> tls - 作为HTTPS/SOCKS5代理，使用tls传输数据: tls://:8080
+> tls - 作为HTTPS/SOCKS5代理，使用tls传输数据: tls://:443

-> ss - 作为Shadowsocks服务，ss://aes-256-cfb:123456@:8080
+> ss - 作为Shadowsocks服务，ss://aes-256-cfb:123456@:8338
+
+> quic - 作为QUIC代理，quic://:6121

 #### 端口转发

@ -66,7 +71,7 @@ scheme://[bind_address]:port/[host]:hostport

 > -v=4 : 日志级别(1-5)，级别越高，日志越详细(级别5将开启http2 debug)

-> -log_dir=. : 输出到目录
+> -log_dir=/log/dir/path : 输出到目录/log/dir/path


 使用方法
@ -108,7 +113,7 @@ gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081
 ```bash
 gost -L=:8080 -F=http+tls://192.168.1.1:443 -F=socks+ws://192.168.1.2:1080 -F=ss://aes-128-cfb:123456@192.168.1.3:8338 -F=a.b.c.d:NNNN
 ```
-gost按照-F设置顺序通过代理链将请求最终转发给a.b.c.d:NNNN处理，每一个转发代理可以是任意HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks类型代理。
+gost按照-F设置的顺序通过代理链将请求最终转发给a.b.c.d:NNNN处理，每一个转发代理可以是任意HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks类型代理。

 #### 本地端口转发(TCP)

@ -124,7 +129,7 @@ gost -L=udp://:5353/192.168.1.1:53 -F=...
 ```
 将本地UDP端口5353上的数据(通过代理链)转发到192.168.1.1:53上。

-**注: 转发UDP数据时，如果有代理链，则代理链的末端(最后一个-F参数)必须支持gost SOCKS5类型代理。**
+**注:** 转发UDP数据时，如果有代理链，则代理链的末端(最后一个-F参数)必须是gost SOCKS5类型代理。

 #### 远程端口转发(TCP)

@ -140,14 +145,29 @@ gost -L=rudp://:5353/192.168.1.1:53 -F=... -F=socks://172.24.10.1:1080
 ```
 将172.24.10.1:5353上的数据(通过代理链)转发到192.168.1.1:53上。

-**注: 若要使用远程端口转发功能，代理链不能为空(至少要设置一个-F参数)，且代理链的末端(最后一个-F参数)必须支持gost SOCKS5类型代理。**
+**注：** 若要使用远程端口转发功能，代理链不能为空(至少要设置一个-F参数)，且代理链的末端(最后一个-F参数)必须是gost SOCKS5类型代理。

 #### HTTP2
 gost的HTTP2支持两种模式并自适应：
 * 作为标准的HTTP2代理，并向下兼容HTTPS代理。
 * 作为transport(类似于wss)，传输其他协议。

-**注：gost的代理链仅支持一个HTTP2代理节点，采用就近原则，会将第一个遇到的HTTP2代理节点视为HTTP2代理，其他HTTP2代理节点则被视为HTTPS代理。**
+**注：** gost的代理链仅支持一个HTTP2代理节点，采用就近原则，会将第一个遇到的HTTP2代理节点视为HTTP2代理，其他HTTP2代理节点则被视为HTTPS代理。
+
+#### QUIC
+gost对QUIC的支持是基于[quic-go](https://github.com/lucas-clemente/quic-go)库。
+
+服务端:
+```bash
+gost -L=quic://:6121
+```
+
+客户端(Chrome):
+```bash
+chrome --enable-quic --proxy-server=quic://server_ip:6121
+```
+
+**注：** 由于Chrome自身的限制，目前只能通过QUIC访问HTTP网站，无法访问HTTPS网站。

 加密机制
 ------
@ -189,10 +209,10 @@ gost -L=:8080 -F=socks://server_ip:1080

 如果两端都是gost(如上)则数据传输会被加密(协商使用tls或tls-auth方法)，否则使用标准SOCKS5进行通讯(no-auth或user/pass方法)。

-注：如果transport已经支持加密(wss, tls, http2)，则SOCKS5不会再使用加密方法，防止不必要的双重加密。
+**注：** 如果transport已经支持加密(wss, tls, http2)，则SOCKS5不会再使用加密方法，防止不必要的双重加密。

 #### Shadowsocks
-gost对Shadowsocks加密方法的支持是基于[shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go)库。
+gost对shadowsocks的支持是基于[shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go)库。

 服务端(可以通过ota参数开启OTA模式):
 ```bash
--- a/README_en.md
+++ b/README_en.md
@ -0,0 +1,263 @@
+gost - GO Simple Tunnel
+======
+
+### A simple security tunnel written in Golang
+
+Features
+------
+* Listening on multiple ports
+* Multi-level forward proxy - proxy chain
+* Standard HTTP/HTTPS/SOCKS5 proxy protocols
+* TLS encryption via negotiation support for SOCKS5 proxy
+* Tunnel UDP over TCP
+* Shadowsocks protocol with OTA supported (OTA: >=2.2)
+* Local/remote port forwarding (>=2.1)
+* HTTP2.0 (>=2.2)
+* Experimental QUIC support (>=2.3)
+
+Binary file download：https://github.com/ginuerzh/gost/releases
+
+Google group: https://groups.google.com/d/forum/go-gost
+
+Gost and other proxy services are considered to be proxy nodes, 
+gost can handle the request itself, or forward the request to any one or more proxy nodes.
+
+Parameter Description
+------
+#### Proxy and proxy chain
+
+Effective for the -L and -F parameters
+
+```bash
+[scheme://][user:pass@host]:port
+```
+scheme can be divided into two parts: protocol+transport
+
+protocol: proxy protocol types(http, socks5, shadowsocks), 
+transport: data transmission mode(ws, wss, tls, http2, quic), may be used in any combination or individually:
+
+> http - standard HTTP proxy: http://:8080
+
+> http+tls - standard HTTPS proxy(may need to provide a trusted certificate): http+tls://:443
+
+> http2 - HTTP2 proxy and backwards-compatible with HTTPS proxy: http2://:443
+
+> socks - standard SOCKS5 proxy: socks://:1080
+
+> socks+wss - SOCKS5 over websocket: socks+wss://:1080
+
+> tls - HTTPS/SOCKS5 over tls: tls://:443
+
+> ss - standard shadowsocks proxy, ss://aes-256-cfb:123456@:8338
+
+> quic - standard QUIC proxy, quic://:6121
+
+#### Port forwarding
+
+Effective for the -L parameter
+
+```bash
+scheme://[bind_address]:port/[host]:hostport
+```	
+> scheme - forward mode, local: tcp, udp; remote: rtcp, rudp
+
+> bind_address:port - local/remote binding address
+
+> host:hostport - target address
+
+#### Logging
+
+> -logtostderr : log to console
+
+> -v=4 : log level(1-5)，The higher the level, the more detailed the log (level 5 will enable HTTP2 debug)
+
+> -log_dir=/log/dir/path : log to directory /log/dir/path
+
+Usage
+------
+#### No forward proxy
+
+<img src="https://ginuerzh.github.io/images/gost_01.png" />
+
+* Standard HTTP/SOCKS5 proxy
+```bash
+gost -L=:8080
+```
+
+* Proxy authentication
+```bash
+gost -L=admin:123456@localhost:8080
+```
+
+* Listen on multiple ports
+```bash
+gost -L=http2://:443 -L=socks://:1080 -L=ss://aes-128-cfb:123456@:8338
+```
+
+#### Forward proxy
+
+<img src="https://ginuerzh.github.io/images/gost_02.png" />
+```bash
+gost -L=:8080 -F=192.168.1.1:8081
+```
+
+* Forward proxy authentication
+```bash
+gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081
+```
+
+#### Multi-level forward proxy
+
+<img src="https://ginuerzh.github.io/images/gost_03.png" />
+```bash
+gost -L=:8080 -F=http+tls://192.168.1.1:443 -F=socks+ws://192.168.1.2:1080 -F=ss://aes-128-cfb:123456@192.168.1.3:8338 -F=a.b.c.d:NNNN
+```
+Gost forwards the request to a.b.c.d:NNNN through the proxy chain in the order set by -F, 
+each forward proxy can be any HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks type.
+
+#### Local TCP port forwarding
+
+```bash
+gost -L=tcp://:2222/192.168.1.1:22 -F=...
+```
+The data on the local TCP port 2222 is forwarded to 192.168.1.1:22 (through the proxy chain).
+
+#### Local UDP port forwarding
+
+```bash
+gost -L=udp://:5353/192.168.1.1:53 -F=...
+```
+The data on the local UDP port 5353 is forwarded to 192.168.1.1:53 (through the proxy chain).
+
+**NOTE:** When forwarding UDP data, if there is a proxy chain, the end of the chain (the last -F parameter) must be gost SOCKS5 proxy.
+
+#### Remote TCP port forwarding
+
+```bash
+gost -L=rtcp://:2222/192.168.1.1:22 -F=... -F=socks://172.24.10.1:1080
+```
+The data on 172.24.10.1:2222 is forwarded to 192.168.1.1:22 (through the proxy chain).
+
+#### Remote UDP port forwarding
+
+```bash
+gost -L=rudp://:5353/192.168.1.1:53 -F=... -F=socks://172.24.10.1:1080
+```
+The data on 172.24.10.1:5353 is forwarded to 192.168.1.1:53 (through the proxy chain).
+
+**NOTE:** To use the remote port forwarding feature, the proxy chain can not be empty (at least one -F parameter is set) 
+and the end of the chain (last -F parameter) must be gost SOCKS5 proxy.
+
+#### HTTP2
+Gost HTTP2 supports two modes and self-adapting:
+* As a standard HTTP2 proxy, and backwards-compatible with the HTTPS proxy.
+* As transport (similar to wss), tunnel other protocol.
+
+**NOTE:** The proxy chain of gost supports only one HTTP2 proxy node and the nearest rule applies, 
+the first HTTP2 proxy node is treated as an HTTP2 proxy, and the other HTTP2 proxy nodes are treated as HTTPS proxies.
+
+#### QUIC
+Support for QUIC is based on library [quic-go](https://github.com/lucas-clemente/quic-go).
+
+Server:
+```bash
+gost -L=quic://:6121
+```
+
+Client(Chrome):
+```bash
+chrome --enable-quic --proxy-server=quic://server_ip:6121
+```
+
+**NOTE:** Due to Chrome's limitations, it is currently only possible to access the HTTP (but not HTTPS) site through QUIC.
+
+Encryption Mechanism
+------
+#### HTTP
+For HTTP, you can use TLS to encrypt the entire communication process, the HTTPS proxy:
+
+Server:
+```bash
+gost -L=http+tls://:443
+```
+Client:
+```bash
+gost -L=:8080 -F=http+tls://server_ip:443
+```
+
+#### HTTP2
+Gost supports only the HTTP2 protocol that uses TLS encryption (h2) and does not support plaintext HTTP2 (h2c) transport.
+
+Server:
+```bash
+gost -L=http2://:443
+```
+Client:
+```bash
+gost -L=:8080 -F=http2://server_ip:443
+```
+
+#### SOCKS5
+Gost supports the standard SOCKS5 protocol methods: no-auth (0x00) and user/pass (0x02), 
+and extends two methods for data encryption: tls(0x80)和tls-auth(0x82).
+
+Server:
+```bash
+gost -L=socks://:1080
+```
+Client:
+```bash
+gost -L=:8080 -F=socks://server_ip:1080
+```
+
+If both ends are gosts (as example above), the data transfer will be encrypted (using tls or tls-auth). 
+Otherwise, use standard SOCKS5 for communication (no-auth or user/pass).
+
+**NOTE:** If transport already supports encryption (wss, tls, http2), SOCKS5 will no longer use the encryption method to prevent unnecessary double encryption.
+
+#### Shadowsocks
+Support for shadowsocks is based on library [shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go).
+
+Server (The OTA mode can be enabled by the ota parameter):
+```bash
+gost -L=ss://aes-128-cfb:123456@:8338?ota=1
+```
+Client:
+```bash
+gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338
+```
+
+#### TLS
+There is built-in TLS certificate in gost, if you need to use other TLS certificate, there are two ways:
+* Place two files cert.pem (public key) and key.pem (private key) in the current working directory, gost will automatically load them.
+* Use the parameter to specify the path to the certificate file：
+```bash
+gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"
+```
+
+SOCKS5 UDP Data Processing
+------
+#### No forward proxy
+
+<img src="https://ginuerzh.github.io/images/udp01.png" height=100 />
+
+Gost acts as the standard SOCKS5 proxy for UDP relay.
+
+#### Forward proxy
+
+<img src="https://ginuerzh.github.io/images/udp02.png" height=100 />
+
+#### Multi-level forward proxy
+
+<img src="https://ginuerzh.github.io/images/udp03.png" height=200 />
+
+When forward proxies are set, gost uses UDP-over-TCP to forward UDP data, proxy1 to proxyN can be any HTTP/HTTPS/HTTP2/SOCKS5/Shadowsocks type.
+
+Limitation
+------
+The HTTP proxy node in the proxy chain must support the CONNECT method.
+
+If the BIND and UDP requests for SOCKS5 are to be forwarded, the end of the chain (the last -F parameter) must be the gost SOCKS5 proxy.
+
+
+