glider is a forward proxy with multiple protocols support, and also a dns/dhcp server with ipset management features(like dnsmasq).
we can set up local listeners as proxy servers, and forward requests to internet via forwarders.
|Forwarder ----------------->| Listener --> | | Internet |Forwarder --> Forwarder->...|
Features
- Act as both proxy client and proxy server(protocol converter)
- Flexible proxy & protocol chains
- Load balancing with the following scheduling algorithm:
- rr: round robin
- ha: high availability
- lha: latency based high availability
- dh: destination hashing
- Rule & priority based forwarder choosing: Config Examples
- DNS forwarding server:
- dns over proxy
- force upstream querying by tcp
- association rules between dns and forwarder choosing
- association rules between dns and ipset
- dns cache support
- custom dns record
- IPSet management (linux kernel version >= 2.6.32):
- add ip/cidrs from rule files on startup
- add resolved ips for domains from rule files by dns forwarding server
- Serve http and socks5 on the same port
- Periodical availability checking for forwarders
- Send requests from specific local ip/interface
- Services:
- dhcpd: a simple dhcp server that can detect existing dhcp server and avoid conflicts
Protocols
click to see details
Protocol | Listen/TCP | Listen/UDP | Forward/TCP | Forward/UDP | Description |
---|---|---|---|---|---|
Mixed | √ | √ | http+socks5 server | ||
HTTP | √ | √ | client & server | ||
SOCKS5 | √ | √ | √ | √ | client & server |
SS | √ | √ | √ | √ | client & server |
Trojan | √ | √ | √ | √ | client & server |
Trojanc | √ | √ | √ | √ | trojan cleartext(without tls) |
VLESS | √ | √ | √ | √ | client & server |
VMess | √ | √ | client only | ||
SSR | √ | client only | |||
SSH | √ | client only | |||
SOCKS4 | √ | client only | |||
SOCKS4A | √ | client only | |||
TCP | √ | √ | tcp tunnel client & server | ||
UDP | √ | √ | udp tunnel client & server | ||
TLS | √ | √ | transport client & server | ||
KCP | √ | √ | transport client & server | ||
Unix | √ | √ | √ | √ | transport client & server |
Smux | √ | √ | transport client & server | ||
Websocket(WS) | √ | √ | transport client & server | ||
WS Secure | √ | √ | websocket secure (wss) | ||
Proxy Protocol | √ | version 1 server only | |||
Simple-Obfs | √ | transport client only | |||
Redir | √ | linux redirect proxy | |||
Redir6 | √ | linux redirect proxy(ipv6) | |||
Tproxy | √ | linux tproxy(udp only) | |||
Reject | √ | √ | reject all requests |
Install
Download:
Docker:
docker pull nadoo/glider
#docker pull ghcr.io/nadoo/glider
ArchLinux:
Usage
click to see details
glider 0.15.3 usage: -check string check=tcp[://HOST:PORT]: tcp port connect check check=http://HOST[:PORT][/URI][#expect=REGEX_MATCH_IN_RESP_LINE] check=https://HOST[:PORT][/URI][#expect=REGEX_MATCH_IN_RESP_LINE] check=file://SCRIPT_PATH: run a check script, healthy when exitcode=0, environment variables: FORWARDER_ADDR check=disable: disable health check (default "http://www.msftconnecttest.com/connecttest.txt#expect=200") -checkdisabledonly check disabled fowarders only -checkinterval int fowarder check interval(seconds) (default 30) -checktimeout int fowarder check timeout(seconds) (default 10) -checktolerance int fowarder check tolerance(ms), switch only when new_latency < old_latency - tolerance, only used in lha mode -config string config file path -dialtimeout int dial timeout(seconds) (default 3) -dns string local dns server listen address -dnsalwaystcp always use tcp to query upstream dns servers no matter there is a forwarder or not -dnscachelog show query log of dns cache -dnscachesize int size of CACHE (default 4096) -dnsmaxttl int maximum TTL value for entries in the CACHE(seconds) (default 1800) -dnsminttl int minimum TTL value for entries in the CACHE(seconds) -dnsrecord value custom dns record, format: domain/ip -dnsserver value remote dns server address -dnstimeout int timeout value used in multiple dnsservers switch(seconds) (default 3) -forward value forward url, format: SCHEME://[USER|METHOD:[email protected]][HOST]:PORT?PARAMS[,SCHEME://[USER|METHOD:[email protected]][HOST]:PORT?PARAMS] -include value include file -interface string source ip or source interface -listen value listen url, format: SCHEME://[USER|METHOD:[email protected]][HOST]:PORT?PARAMS -logflags int log flags, do not change it if you do not know what it is, ref: https://pkg.go.dev/log#pkg-constants (default 19) -maxfailures int max failures to change forwarder status to disabled (default 3) -relaytimeout int relay timeout(seconds) -rulefile value rule file path -rules-dir string rule file folder -service value run specified services, format: SERVICE_NAME[,SERVICE_CONFIG] -strategy string forward strategy, default: rr (default "rr") -tcpbufsize int tcp buffer size in Bytes (default 32768) -udpbufsize int udp buffer size in Bytes (default 2048) -verbose verbose mode
run:
glider -config CONFIGPATH
glider -verbose -listen :8443 -forward SCHEME://HOST:PORT
Schemes
click to see details
Available schemes: listen: mixed ss socks5 http vless trojan trojanc redir redir6 tproxy tcp udp tls ws wss unix smux kcp pxyproto forward: direct reject ss socks4 socks5 http ssr ssh vless vmess trojan trojanc tcp udp tls ws wss unix smux kcp simple-obfs Socks5 scheme: socks://[user:[email protected]]host:port SS scheme: ss://method:[email protected]:port Available methods for ss: AEAD Ciphers: AEAD_AES_128_GCM AEAD_AES_192_GCM AEAD_AES_256_GCM AEAD_CHACHA20_POLY1305 AEAD_XCHACHA20_POLY1305 Stream Ciphers: AES-128-CFB AES-128-CTR AES-192-CFB AES-192-CTR AES-256-CFB AES-256-CTR CHACHA20-IETF XCHACHA20 CHACHA20 RC4-MD5 Alias: chacha20-ietf-poly1305 = AEAD_CHACHA20_POLY1305, xchacha20-ietf-poly1305 = AEAD_XCHACHA20_POLY1305 Plain: NONE SSR scheme: ssr://method:[email protected]:port?protocol=xxx&protocol_param=yyy&obfs=zzz&obfs_param=xyz SSH scheme: ssh://user[:pass]@host:port[?key=keypath&timeout=SECONDS] timeout: timeout of ssh handshake and channel operation, default: 5 VMess scheme: vmess://[security:][email protected]:port[?alterID=num] if alterID=0 or not set, VMessAEAD will be enabled Available security for vmess: zero, none, aes-128-gcm, chacha20-poly1305 VLESS scheme: vless://[email protected]:port[?fallback=127.0.0.1:80] Trojan client scheme: trojan://[email protected]:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH] trojanc://[email protected]:port (cleartext, without TLS) Trojan server scheme: trojan://[email protected]:port?cert=PATH&key=PATH[&fallback=127.0.0.1] trojanc://[email protected]:port[?fallback=127.0.0.1] (cleartext, without TLS) TLS client scheme: tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&alpn=proto1][&alpn=proto2] Proxy over tls client: tls://host:port[?skipVerify=true][&serverName=SERVERNAME],scheme:// tls://host:port[?skipVerify=true],http://[user:[email protected]] tls://host:port[?skipVerify=true],socks5://[user:[email protected]] tls://host:port[?skipVerify=true],vmess://[security:][email protected]?alterID=num TLS server scheme: tls://host:port?cert=PATH&key=PATH[&alpn=proto1][&alpn=proto2] Proxy over tls server: tls://host:port?cert=PATH&key=PATH,scheme:// tls://host:port?cert=PATH&key=PATH,http:// tls://host:port?cert=PATH&key=PATH,socks5:// tls://host:port?cert=PATH&key=PATH,ss://method:[email protected] Websocket client scheme: ws://host:port[/path][?host=HOST][&origin=ORIGIN] wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&host=HOST][&origin=ORIGIN] Websocket server scheme: ws://:port[/path][?host=HOST] wss://:port[/path]?cert=PATH&key=PATH[?host=HOST] Websocket with a specified proxy protocol: ws://host:port[/path][?host=HOST],scheme:// ws://host:port[/path][?host=HOST],http://[user:[email protected]] ws://host:port[/path][?host=HOST],socks5://[user:[email protected]] TLS and Websocket with a specified proxy protocol: tls://host:port[?skipVerify=true][&serverName=SERVERNAME],ws://[@/path[?host=HOST]],scheme:// tls://host:port[?skipVerify=true],ws://[@/path[?host=HOST]],http://[user:[email protected]] tls://host:port[?skipVerify=true],ws://[@/path[?host=HOST]],socks5://[user:[email protected]] tls://host:port[?skipVerify=true],ws://[@/path[?host=HOST]],vmess://[security:][email protected]?alterID=num Unix domain socket scheme: unix://path Smux scheme: smux://host:port KCP scheme: kcp://CRYPT:[email protected]:port[?dataShards=NUM&parityShards=NUM&mode=MODE] Available crypt types for KCP: none, sm4, tea, xor, aes, aes-128, aes-192, blowfish, twofish, cast5, 3des, xtea, salsa20 Available modes for KCP: fast, fast2, fast3, normal, default: fast Simple-Obfs scheme: simple-obfs://host:port[?type=TYPE&host=HOST&uri=URI&ua=UA] Available types for simple-obfs: http, tls DNS forwarding server: dns=:53 dnsserver=8.8.8.8:53 dnsserver=1.1.1.1:53 dnsrecord=www.example.com/1.2.3.4 dnsrecord=www.example.com/2606:2800:220:1:248:1893:25c8:1946 Available forward strategies: rr: Round Robin mode ha: High Availability mode lha: Latency based High Availability mode dh: Destination Hashing mode Forwarder option scheme: FORWARD_URL#OPTIONS priority: set the priority of that forwarder, default:0 interface: set local interface or ip address used to connect remote server - Examples: socks5://1.1.1.1:1080#priority=100 vmess://[security:][email protected]:port?alterID=num#priority=200 vmess://[security:][email protected]:port?alterID=num#priority=200&interface=192.168.1.99 vmess://[security:][email protected]:port?alterID=num#priority=200&interface=eth0 Services: dhcpd: service=dhcpd,INTERFACE,START_IP,END_IP,LEASE_MINUTES[,MAC=IP,MAC=IP...] e.g.,service=dhcpd,eth1,192.168.1.100,192.168.1.199,720 Config file format(see `./glider.conf.example` as an example): # COMMENT LINE KEY=VALUE KEY=VALUE # KEY equals to command line flag name: listen forward strategy...
Examples
click to see details
Examples: glider -config glider.conf -run glider with specified config file. glider -listen :8443 -verbose -listen on :8443, serve as http/socks5 proxy on the same port, in verbose mode. glider -listen ss://AEAD_AES_128_GCM:[email protected]:8443 -verbose -listen on 0.0.0.0:8443 as a ss server. glider -listen tls://:443?cert=crtFilePath&key=keyFilePath,http:// -verbose -listen on :443 as a https(http over tls) proxy server. glider -listen http://:8080 -forward socks5://127.0.0.1:1080 -listen on :8080 as a http proxy server, forward all requests via socks5 server. glider -listen socks5://:1080 -forward "tls://abc.com:443,vmess://security:[email protected]?alterID=10" -listen on :1080 as a socks5 server, forward all requests via remote tls+vmess server. glider -listen socks5://:1080 -forward ss://method:[email protected]:port1 -forward ss://method:[email protected]:port2 -strategy rr -listen on :1080 as socks5 server, forward requests via server1 and server2 in round robin mode. glider -listen tcp://:80 -forward tcp://2.2.2.2:80 -tcp tunnel: listen on :80 and forward all requests to 2.2.2.2:80. glider -listen udp://:53 -forward ss://method:[email protected]:8443,udp://8.8.8.8:53 -listen on :53 and forward all udp requests to 8.8.8.8:53 via remote ss server. glider -listen socks5://:1080 -listen http://:8080 -forward ss://method:[email protected]:8443 -listen on :1080 as socks5 server, :8080 as http proxy server, forward all requests via remote ss server. glider -verbose -listen -dns=:53 -dnsserver=8.8.8.8:53 -forward ss://method:[email protected]:port -dnsrecord=www.example.com/1.2.3.4 -listen on :53 as dns server, forward to 8.8.8.8:53 via ss server.
Config
Service
- dhcpd:
- service=dhcpd,INTERFACE,START_IP,END_IP,LEASE_MINUTES[,MAC=IP,MAC=IP...]
- e.g.:
- service=dhcpd,eth1,192.168.1.100,192.168.1.199,720
- service=dhcpd,eth2,192.168.2.100,192.168.2.199,720,fc:23:34:9e:25:01=192.168.2.101
Linux Service
Customize Build
You can customize and build glider if you want a smaller binary (click to see details)
- Clone the source code:
git clone https://github.com/nadoo/glider && cd glider
- Customize features:
open `feature.go` & `feature_linux.go`, comment out the packages you don't need // _ "github.com/nadoo/glider/proxy/kcp"
- Build it(requires Go 1.17+ )
go build -v -ldflags "-s -w"
Proxy & Protocol Chains
In glider, you can easily chain several proxy servers or protocols together (click to see details)
-
Chain proxy servers:
-
Chain protocols: https proxy (http over tls)
forward=tls://server.com:443,http://
-
Chain protocols: vmess over ws over tls
-
Chain protocols and servers:
forward=socks5://1.1.1.1:1080,tls://server.com:443,vmess://[email protected]?alterID=2
-
Chain protocols in listener: https proxy server
listen=tls://:443?cert=crtFilePath&key=keyFilePath,http://
-
Chain protocols in listener: http over smux over websocket proxy server
listen=ws://:10000,smux://,http://