block-proxy 0.1.9 → 0.1.11

package/.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git add:*)",
+      "Bash(git commit:*)"
+    ]
+  }
+}

package/.claude/skills/commit/skill.md

@@ -0,0 +1,32 @@
+# Skill: Smart Git Commit
+
+Use this skill when the user runs `/commit` or asks to commit changes.
+
+## Instructions
+
+1.  **Analyze Context**:
+    - Run `git status` to identify modified, added, or deleted files.
+    - Run `git diff` to inspect the actual code changes in unstaged files.
+    - Run `git diff --cached` to inspect changes in staged files.
+
+2.  **Stage Changes**:
+    - If there are unstaged changes, run `git add -A` to stage all changes (unless the user specifically asked to partial commit).
+
+3.  **Generate Commit Message**:
+    - Analyze the diffs to understand the *intent* of the changes.
+    - Draft a commit message following the **Conventional Commits** specification:
+      ```
+      <type>(<scope>): <description>
+
+      [optional body]
+      ```
+    - **Types**: `feat`, `fix`, `docs`, `style`, `refactor`, `perf`, `test`, `build`, `ci`, `chore`.
+    - **Scope**: (Optional) The module or file affected (e.g., `proxy`, `ui`, `deps`).
+    - **Description**: Concise summary in imperative mood (e.g., "add support for...", not "added").
+
+4.  **Execute Commit**:
+    - Run `git commit -m "generated_message"`.
+    - If the message has a body, use multiple `-m` flags or a heredoc.
+
+5.  **Report**:
+    - Inform the user of the commit message used and the result.

package/.claude/skills/pcap-analyse/skill.md

@@ -0,0 +1,100 @@
+---
+model: default
+---
+
+# Pcap Analyse Skill
+
+## Description
+分析 pcap/pcapng 网络抓包文件，专注于代理服务器（Socks5 over TLS/HTTP）场景下的连接诊断、性能评估和异常检测。
+
+## Usage
+当用户请求分析 pcap 文件，或者提供一个抓包文件并询问网络连接质量、异常或性能问题时使用此 skill。
+
+## Instructions
+执行此 skill 时，请遵循以下步骤进行分析。如果用户没有提供 pcap 文件路径，请先询问。
+
+**重要**：你不能直接读取二进制 pcap 文件。你必须编写并执行 Python 脚本（推荐使用 `scapy` 库，如果环境没有则尝试使用 `tshark` 命令行工具）来提取信息。
+
+### 1. 编写分析脚本
+编写一个 Python 脚本来解析 pcap 文件，脚本需要提取并计算以下指标：
+
+#### A. 基础信息与抓包点推断
+- 统计源 IP 和目的 IP 的出现频率。
+- 分析 TCP SYN 包的 TTL (Time To Live) 和 MSS (Max Segment Size)。通常客户端发出的包 TTL 较大（如 64, 128），经过路由后会减少。如果抓到的入站包 TTL 接近默认值（未减少太多），可能是服务端抓包；如果出站包 TTL 是默认值，则是本地发出的。
+- 结合端口号（如 8001, 8002）判断流量方向。
+
+#### B. 连接异常分析
+- **重传率 (Retransmission Rate)**: 重传包数 / 总包数。
+- **复位连接 (RST)**: 统计 RST 包的数量及出现阶段（握手期、数据传输期、结束期）。
+- **握手失败**: 有 SYN 但无 SYN/ACK 的比例。
+- **TLS 错误**: 检查是否有 TLS Alert 消息。
+
+#### C. 性能分析
+- **TCP 握手延迟 (RTT)**: SYN 到 SYN/ACK 的时间差。
+- **TLS 握手延迟**: Client Hello 到 Handshake Finished 的时间。
+- **数据传输 RTT**: 数据包与对应 ACK 之间的时间差统计（平均值、最大值、最小值、抖动）。
+
+#### D. 连接复用情况
+- 统计每个 TCP 流 (Stream) 的持续时间。
+- 统计每个流的数据传输量。
+- 判断长连接 (Keep-Alive) 的使用情况：是否有长时间空闲但未断开的连接，或者单连接承载多次数据交互。
+
+#### E. 阻塞与拥塞分析
+- **Zero Window**: 统计 TCP Zero Window 通告次数（接收端缓冲区满，通知发送端暂停发送）。
+- **Window Full**: 统计发送端未收到 ACK 而导致发送窗口耗尽的情况。
+- **吞吐量波动**: 检查是否有明显的吞吐量骤降。
+
+#### F. 高并发与吞吐量评估
+- **并发连接数**: 统计每一秒内的活跃 TCP 连接数峰值。
+- **每秒请求数 (RPS)**: 如果是 HTTP，估算请求速率。
+- **峰值带宽**: 计算每秒传输的最大字节数。
+
+### 2. 执行分析与报告
+运行脚本获取输出，并生成一份详细的分析报告。报告必须包含以下章节：
+
+1.  **抓包环境推断**:
+    - 结论：是客户端抓包还是代理服务器端抓包？
+    - 依据：IP 分布、TTL 特征、端口方向。
+
+2.  **连接健康度与异常**:
+    - 异常连接比例。
+    - 具体的错误类型（重传、RST、超时等）及其对用户体验的潜在影响。
+
+3.  **性能指标**:
+    - 平均/P95 延迟数据。
+    - 握手耗时分析。
+
+4.  **连接复用分析**:
+    - 连接是否被有效复用（Socks5/HTTP Keep-Alive）。
+    - 是否存在频繁新建连接导致的开销。
+
+5.  **阻塞情况**:
+    - 是否发现 Zero Window 或流控阻塞。
+    - 是否有队头阻塞迹象。
+
+6.  **负载能力评估**:
+    - 当前并发峰值和吞吐峰值。
+    - 基于当前性能指标（如 RTT 抖动、丢包率随流量变化），预估系统在高并发下的抗压能力。
+
+### 3. 示例 Python 代码结构 (供参考)
+```python
+from scapy.all import *
+import collections
+
+# 读取 pcap
+packets = rdpcap("path/to/file.pcap")
+
+# 初始化统计变量
+# ...
+
+for pkt in packets:
+    if TCP in pkt:
+        # 统计逻辑
+        # ...
+
+# 输出结果
+```
+
+**注意**: 如果环境不支持 Python scapy，请尝试使用 `tshark` 命令：
+`tshark -r file.pcap -q -z io,stat,1 -z conv,tcp`
+以及 `tshark -r file.pcap -Y "tcp.analysis.flags"` 来分析异常。

package/CLAUDE.md

@@ -0,0 +1,114 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Common Commands
+
+### Development
+- `npm run dev` – Start development mode with BLOCK_PROXY_DEV=1 (starts all services)
+- `npm run craco` – Start React development server with CRACO (port 3000)
+- `npm run start` / `npm run express` – Start backend + proxy server for production
+- `npm run proxy` – Start proxy only (no admin interface)
+- `npm run socks5` – Start SOCKS5 server only
+
+### Build & Deployment
+- `npm run build` – Build React frontend
+- `npm run docker:build` – Build Docker image for current architecture
+- `npm run docker:build_arm` – Build ARM64 Docker image
+- `npm test` – Run React tests
+- `npm run eject` – Eject from Create React App (irreversible)
+
+### Global CLI
+- `block-proxy` – Start the proxy system (auto-restart on failure)
+- `block-proxy -c rule.js` – Start with external MITM rule configuration
+
+## Architecture Overview
+
+Block-Proxy is a MITM-based proxy filtering tool designed for parental control and ad blocking, built with Node.js, React, and a custom AnyProxy fork. It runs on OpenWRT routers or Docker containers.
+
+### Core Components
+
+1. **Proxy Engine** (`/proxy/`)
+   - `proxy.js` – Main AnyProxy integration with MITM logic
+   - `mitm/` – MITM rule implementations (YouTube ads, dictionary, etc.)
+   - `scan.js` – Network scanning for device discovery (every 2 hours)
+   - `fs.js` – Configuration file management
+
+2. **SOCKS5 Proxy** (`/socks5/`)
+   - `server.js` – SOCKS5 over TLS implementation (port 8002)
+   - `start.js` – SOCKS5 server entry point
+
+3. **Backend Server** (`/server/`)
+   - `express.js` – Express.js API server for admin interface (port 8004)
+   - `start.js` – Main server entry point (decides whether to start admin UI)
+
+4. **React Frontend** (`/src/`)
+   - `App.js` – Admin interface for managing blocking rules
+   - Built with Create React App, configured via CRACO
+
+5. **CLI Interface** (`/bin/`)
+   - `start.js` – Global CLI entry point with auto-restart capabilities and config cleanup
+
+6. **Configuration** (`config.json`)
+   - Runtime configuration: ports, blocked hosts, authentication
+   - Auto-saved from admin interface
+
+### Port Configuration
+- `8001` – HTTP proxy port (mandatory)
+- `8002` – SOCKS5 over TLS port (optional)
+- `8003` – AnyProxy monitoring interface (optional)
+- `8004` – Admin configuration interface (optional)
+- `3000` – React development server (dev only)
+
+### Entry Points
+- **Primary**: `bin/start.js` (CLI) → `server/start.js` → decides between proxy-only or full stack
+- **Proxy-only**: `proxy/start.js` → `proxy/proxy.js`
+- **Development**: `npm run dev` → starts everything with dev flag
+
+## Key Patterns
+
+### MITM Rule System
+- Host-based blocking with regex pattern matching
+- Time-based restrictions (start/end times, weekdays)
+- MAC address targeting for device-specific rules
+- YouTube ad blocking with predefined regex patterns
+- Custom rule injection via external `rule.js` configuration
+
+### Configuration Management
+- Configuration stored in `config.json` at runtime
+- Supports external rule files via `-c` flag
+- Network device scanning every 2 hours (stored in `config.json`)
+- Auto-clears global config file on exit/restart
+
+### Deployment Patterns
+- Designed for OpenWRT router deployment with host networking (`--network=host`)
+- Docker container with volume mounting for configuration
+- Multi-architecture support (ARM/X86)
+- Auto-restart on failure with config cleanup
+- Production vs. development modes controlled by `BLOCK_PROXY_DEV` env var
+
+### Development Workflow
+1. **Development**: `npm run dev` starts proxy + admin UI + SOCKS5 (if enabled)
+2. **Testing**: Proxy-only mode with `npm run proxy`
+3. **Building**: `npm run build` compiles React frontend to `/build/`
+4. **Docker**: Separate commands for x86 and ARM architectures
+
+### Dependencies
+- `@bachi/anyproxy` – Modified AnyProxy fork for MITM
+- `express` – Backend API server
+- `react`, `react-dom` – Frontend framework
+- `commander` – CLI argument parsing
+- `axios` – HTTP client for API calls
+- `qrcode` – Certificate QR code generation for MITM setup
+
+## Important Notes
+- SOCKS5 proxy does not support MAC address targeting (only HTTP proxy does)
+- Clients must install AnyProxy certificate for HTTPS MITM inspection
+- Service needs network scanning permissions (best deployed on OpenWRT gateway)
+- Admin interface allows real-time rule management with proxy restart
+- Docker builds use Chinese npm registry (registry.npmmirror.com) by default
+
+# Project Rules & Skills
+
+- **Import Skill**: 实时遵循 `.claude/skills/*/skill.md` 中的指令。
+

package/Dockerfile

@@ -49,3 +49,4 @@ EXPOSE 8001 8002 8003
 
 # 使用 node 启动脚本作为 CMD
 CMD ["npm", "run", "start"]
+

package/README.md

@@ -7,11 +7,12 @@
 
 > **Block-Proxy**
 
-基于 MITM 的代理和上网过滤工具
+基于 MITM 的代理和过滤工具，Socks5 套 TLS，用于公网
 
 主要是限制小朋友上网，依赖 anyproxy，用在 openwrt 里。特性：
 
-- HTTP/Socks5 代理
+- HTTP 代理
+- Socks5 over TLS 代理
 - 域名拦截
 - url 正则拦截
 - 指定拦截Mac地址

package/bin/start.js

@@ -122,4 +122,3 @@ process.on('SIGTERM', () => {
   // 启动
   startApp();
 })();
-

package/config.json

@@ -135,8 +135,8 @@
   "web_interface_port": 8003,
   "your_domain": "yui.cool",
   "vpn_proxy": "",
-  "auth_username": "lijing",
-  "auth_password": "lijing",
+  "auth_username": "",
+  "auth_password": "",
   "enable_express": "1",
   "enable_socks5": "1",
   "socks5_port": 8002,
@@ -147,4 +147,4 @@
       "mac": "FA:27:3C:E5:31:5F"
     }
   ]
-}
+}

package/example/rule.js

@@ -37,3 +37,4 @@ module.exports = {
     }
   ]
 };
+

package/hack-of-anyproxy/lib/requestHandler.js

@@ -46,6 +46,28 @@ function normalizeSocketKey(ip, port) {
   return ip + ":" + port
 }
 
+// 判断是否命中 responseRules
+function matchResponseRule(responseRules, userConfig) {
+  try {
+    var hostname = userConfig.requestOptions.hostname.split(":")[0].toLowerCase();
+    var pathname = userConfig.requestOptions.path; // 带query
+    var url = `${userConfig.protocol}://${hostname}${pathname}`
+    var matched = false;
+    for (const item of responseRules) {
+      if (hostname.endsWith(item["host"]) && new RegExp(item['regexp']).test(url)) {
+        matched = true;
+        break;
+      } else {
+        continue;
+      }
+    }
+    return matched;
+  } catch (e) {
+    console.log(e);
+    return false;
+  }
+}
+
 class CommonReadableStream extends Readable {
   constructor(config) {
     super({
@@ -467,6 +489,15 @@ function getUserReqHandler(userRule, recorder) {
 
       // route user config
       .then(co.wrap(function *(userConfig) {
+        // Modified 2026-1-15
+        // 增加了对 responseRules 的判断，如果需要对 BeforeResponse 进行拦截
+        // 则让 chunkSizeThreshold 为很大的值（默认20M），以便让 response 一次性返回，方便BeforeResponse处理
+        // 否则以 512k 为上线，只要返回的数据达到阈值，就直接返回给调用端，以提高性能
+        if (userRule.responseRules && matchResponseRule(userRule.responseRules, userConfig)) {
+          var _chunkSizeThreshold = chunkSizeThreshold;
+        } else {
+          var _chunkSizeThreshold = 0.5 * 1024 * 1024; // 512K
+        }
         if (userConfig.response) {
           // user-assigned local response
           userConfig._directlyPassToRespond = true;
@@ -474,7 +505,7 @@ function getUserReqHandler(userRule, recorder) {
         } else if (userConfig.requestOptions) {
           const remoteResponse = yield fetchRemoteResponse(userConfig.protocol, userConfig.requestOptions, userConfig.requestData, {
             dangerouslyIgnoreUnauthorized: reqHandlerCtx.dangerouslyIgnoreUnauthorized,
-            chunkSizeThreshold,
+            chunkSizeThreshold: _chunkSizeThreshold,
           });
           return {
             response: {
@@ -1026,3 +1057,4 @@ class RequestHandler {
 }
 
 module.exports = RequestHandler;
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "block-proxy",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "Small-scale network mitm proxy filter",
   "bin": {
     "block-proxy": "bin/start.js"
@@ -16,14 +16,15 @@
     "url": "git+https://github.com/jayli/block-proxy.git"
   },
   "scripts": {
-    "cp": "echo '---- program start ----'",
+    "cp": "echo '----- program start -----'",
+    "rm_bkconfig": "rm ./config_backup.json",
     "craco": "craco start",
     "dev": "BLOCK_PROXY_DEV=1 npm run express",
     "start": "npm run express",
     "socks5": "node ./socks5/start.js",
     "express": "npm run cp && node ./server/start.js",
     "proxy": "npm run cp && node ./proxy/start.js",
-    "build": "react-scripts build",
+    "build": "npm run rm_bkconfig && react-scripts build",
     "docker:build": "npm run build && docker build -t block-proxy .",
     "docker:build_arm": "npm run build && docker buildx build --platform linux/arm64/v8 -t block-proxy .",
     "test": "react-scripts test",

package/proxy/fs.js

@@ -4,6 +4,7 @@ const path = require('path');
 
 const configPath = path.join(__dirname, '../config.json');
 const CONFIG_FILE_PATH = configPath;
+const BACKUP_FILE_PATH = path.join(__dirname, '../config_backup.json');
 
 // 传入的是对象
 async function writeConfig(newData) {
@@ -16,20 +17,45 @@ async function writeConfig(newData) {
   }
 }
 
+async function backupConfig(newData) {
+  try {
+    await fs.writeFile(BACKUP_FILE_PATH, JSON.stringify(newData, null, 2), 'utf8');
+  } catch (error) {
+    console.error('Error writing backup config file:', error.message);
+  }
+}
+
 // 示例：读取配置
 // 返回的是对象
 async function readConfig() {
   try {
     const data = await fs.readFile(CONFIG_FILE_PATH, 'utf8');
     const config = JSON.parse(data);
+
+    // 第一次运行：如果备份不存在，则生成一个
+    try {
+      await fs.access(BACKUP_FILE_PATH);
+    } catch (e) {
+      await backupConfig(config);
+    }
+
     return config;
   } catch (error) {
     if (error.code === 'ENOENT') {
       console.error('Config file does not exist.');
       return {}; // 或返回一个默认配置对象
     } else if (error instanceof SyntaxError) {
-      console.error('Error parsing config file JSON:', error.message);
-      throw error;
+      console.error('Error parsing config file JSON, attempting to restore from backup:', error.message);
+      try {
+        const backupData = await fs.readFile(BACKUP_FILE_PATH, 'utf8');
+        const config = JSON.parse(backupData);
+        // 自动恢复主配置文件
+        await writeConfig(config);
+        return config;
+      } catch (backupError) {
+        console.error('Backup file also failed:', backupError.message);
+        throw error;
+      }
     } else {
       console.error('Error reading config file:', error.message);
       throw error;
@@ -63,6 +89,7 @@ async function clearGlobalConfigFile() {
 module.exports = {
   writeConfig,
   readConfig,
+  backupConfig,
   setGlobalConfigFile,
   getGlobalConfigFile,
   clearGlobalConfigFile

package/proxy/proxy.js

@@ -29,11 +29,12 @@ var   Rule = require("./mitm/rule.js");
 // 启用全局 keep-alive，使 AnyProxy 内部转发也复用连接
 http.globalAgent.keepAlive = true;
 https.globalAgent.keepAlive = true;
-http.globalAgent.maxSockets = 50;
-https.globalAgent.maxSockets = 50;
+// 连接上限 50 应该足够了，设置 100 留足 buffer
+http.globalAgent.maxSockets = 100;
+https.globalAgent.maxSockets = 100;
 
-const httpAgent = new http.Agent({ keepAlive: true, maxSockets: 50 });
-const httpsAgent = new https.Agent({ keepAlive: true, maxSockets: 50 });
+const httpAgent = new http.Agent({ keepAlive: true, maxSockets: 100 });
+const httpsAgent = new https.Agent({ keepAlive: true, maxSockets: 100 });
 
 // 全局参数
 const configPath = path.join(__dirname, '../config.json');
@@ -90,6 +91,8 @@ function authPass(protocol, host, url) {
     "weixin.qq.com",
     // xiaohongshu.com:443，小红书App和知乎 App 里发起带端口的请求，收到 407 后第二次
     "xiaohongshu.com:443",
+    "xiaohongshu.com",
+    "xhscdn.com",
     "zhihu.com:443",
     ...filtered_mitm_domains
   ];

package/proxy/scan.js

@@ -78,6 +78,46 @@ async function getScanStatus() {
   return loadedConfig.network_scanning_status;
 }
 
+// 并发控制器，限制同时进行的 ping 数量
+class ConcurrentPingController {
+  constructor(maxConcurrent = 32, batchDelay = 50) {
+    this.maxConcurrent = maxConcurrent;
+    this.batchDelay = batchDelay; // 批次之间的延迟（毫秒）
+  }
+
+  // 批量执行 ping，控制并发数（真正的批次并发）
+  async batchPing(ips, timeout = 1) {
+    const results = [];
+
+    // 将IP列表分成多个批次
+    for (let i = 0; i < ips.length; i += this.maxConcurrent) {
+      const batch = ips.slice(i, i + this.maxConcurrent);
+
+      // 并发执行当前批次的所有ping
+      const batchPromises = batch.map(ip =>
+        ping.promise.probe(ip, { timeout })
+      );
+
+      const batchResults = await Promise.allSettled(batchPromises);
+
+      // 将批次结果添加到总结果中
+      batch.forEach((ip, index) => {
+        results.push({
+          ip,
+          result: batchResults[index]
+        });
+      });
+
+      // 如果不是最后一个批次，则添加延迟
+      if (i + this.maxConcurrent < ips.length) {
+        await new Promise(resolve => setTimeout(resolve, this.batchDelay));
+      }
+    }
+
+    return results;
+  }
+}
+
 async function doScan() {
   const subnet = getLocalSubnet();
   // 如果是 30 网段，直接返回空
@@ -86,11 +126,17 @@ async function doScan() {
   }
   console.log(`正在扫描网段: ${subnet}.0/24`);
 
-  // Ping all IPs to populate ARP cache
+  // 创建并发控制器，限制同时进行32个ping，批次间延迟50ms
+  const controller = new ConcurrentPingController(32, 50);
+
+  // 生成所有IP地址
   const ips = Array.from({ length: 254 }, (_, i) => `${subnet}.${i + 1}`);
-  await Promise.allSettled(ips.map(ip => ping.promise.probe(ip, { timeout: 1 })));
 
-  // Read ARP table via system command
+  // 使用并发控制器分批ping所有IP
+  console.log(`开始并发ping扫描，最大并发数: 32，批次延迟: 50ms`);
+  await controller.batchPing(ips, 1); // 使用1秒超时，ping结果仅用于填充ARP缓存
+
+  // 读取ARP表以获取MAC地址
   const cmd = process.platform === 'win32' ? 'arp -a' : 'arp -a';
   const arpOutput = await new Promise((resolve, reject) => {
     exec(cmd, async (error, stdout) => {

package/server/express.js

@@ -96,6 +96,7 @@ app.post('/api/config', async (req, res) => {
         const configPath = path.join(__dirname, '../config.json');
         // fs.writeFileSync(configPath, JSON.stringify(newConfig, null, 2));
         _fs.writeConfig(newConfig);
+        _fs.backupConfig(newConfig);
         res.status(200).json({ message: 'Config updated successfully' });
       } catch (err) {
         res.status(400).json({ error: 'Invalid JSON or write error: ' + err.message });
@@ -232,3 +233,4 @@ module.exports = {
     });
   }
 };
+

package/socks5/test_tls_reuse.js

@@ -38,3 +38,4 @@ sock1.on('secureConnect', () => {
   };
   setTimeout(trySecond, 5);
 });
+

package/src/setupTests.js

@@ -3,3 +3,4 @@
 // expect(element).toHaveTextContent(/react/i)
 // learn more: https://github.com/testing-library/jest-dom
 import '@testing-library/jest-dom';
+

package/tools/speed_test.sh

@@ -119,3 +119,4 @@ if [ -n "$real_time" ]; then
 else
     echo "⚠️  无法获取耗时（shell 不支持 time 内置命令的格式）"
 fi
+