Merge pull request #728 from PassiveLemon/hardening

Docker changes

.github/workflows/docker.yml

@@ -2,7 +2,7 @@ name: Build and push Docker image
 
 on:
   release:
-    types: [ published ]
+    types: [ released, prereleased ]
 
 jobs:
   setup-build-push:
@@ -33,7 +33,8 @@ jobs:
         run: |
           cp -lr $GITHUB_WORKSPACE/src/ $GITHUB_WORKSPACE/docker/src/
 
-      - name: Build and push Docker image
+      - name: Build and push Docker image (Release)
+        if: "!github.event.release.prerelease"
         uses: docker/build-push-action@v6
         with:
           context: ./docker
@@ -45,3 +46,15 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Build and push Docker image (Prerelease)
+        if: "github.event.release.prerelease"
+        uses: docker/build-push-action@v6
+        with:
+          context: ./docker
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            zoraxydocker/zoraxy:${{ github.event.release.tag_name }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+

.gitignore

@@ -29,8 +29,6 @@ src/Zoraxy_*_*
 src/certs/*
 src/rules/*
 src/README.md
-docker/ContainerTester.sh
-docker/docker-compose.yaml
 src/mod/acme/test/stackoverflow.pem
 /tools/dns_challenge_update/code-gen/acmedns
 /tools/dns_challenge_update/code-gen/lego
@@ -41,11 +39,15 @@ src/sys.uuid
 src/zoraxy
 src/log/
 
-
 # dev-tags
 /Dockerfile
 /Entrypoint.sh
 
+# docker testing stuff
+docker/test/
+docker/container-builder.sh
+docker/docker-compose.yaml
+
 # plugins
 example/plugins/ztnc/ztnc.db
 example/plugins/ztnc/authtoken.secret
@@ -56,4 +58,6 @@ log
 tmp
 sys.*
 www/html/index.html
-*.exe
+*.exe
+/src/dist
+

CHANGELOG.md

@@ -1,3 +1,36 @@
+# v3.2.4 28 Jun 2025
+
+A big release since v3.1.9. Versions from 3.2.0 to 3.2.3 were prereleases.
+
+
++ Added Authentik support by [JokerQyou](https://github.com/tobychui/zoraxy/commits?author=JokerQyou)
++ Added pluginsystem and moved GAN and Zerotier to plugins
++ Add loopback detection [#573](https://github.com/tobychui/zoraxy/issues/573)
++ Fixed Dark theme not working with Advanced Option accordion [#591](https://github.com/tobychui/zoraxy/issues/591)
++ Update logger to include UserAgent by [Raithmir](https://github.com/Raithmir)
++ Fixed memory usage in UI [#600](https://github.com/tobychui/zoraxy/issues/600)
++ Added docker-compose.yml by [SamuelPalubaCZ](https://github.com/tobychui/zoraxy/commits?author=SamuelPalubaCZ)
++ Added more statistics for proxy hosts [#201](https://github.com/tobychui/zoraxy/issues/201) and [#608](https://github.com/tobychui/zoraxy/issues/608)
++ Fixed origin field in logs [#618](https://github.com/tobychui/zoraxy/issues/618)
++ Added FreeBSD support by Andreas Burri
++ Fixed HTTP proxy redirect [#626](https://github.com/tobychui/zoraxy/issues/626)
++ Fixed proxy handling #629](https://github.com/tobychui/zoraxy/issues/629)
++ Move Scope ID handling into CIDR check by [Nirostar](https://github.com/tobychui/zoraxy/commits?author=Nirostar)
++ Prevent the browser from filling the saved Zoraxy login account by [WHFo](https://github.com/tobychui/zoraxy/commits?author=WHFo)
++ Added port number and http proto to http proxy list link
++ Fixed headers for authelia by [james-d-elliott](https://github.com/tobychui/zoraxy/commits?author=james-d-elliott)
++ Refactored docker container list and UI improvements by [eyerrock](https://github.com/tobychui/zoraxy/commits?author=eyerrock)
++ Refactored Dockerfile by [PassiveLemon](https://github.com/tobychui/zoraxy/commits?author=PassiveLemon)
++ Added new HTTP proxy UI
++ Added inbound host name edit function
++ Added static web server option to disable listen to all interface
++ Merged SSO implementations (Oauth2) [#649](https://github.com/tobychui/zoraxy/pull/649)
++ Merged forward-auth optimization [#692(https://github.com/tobychui/zoraxy/pull/692)
++ Optimized SSO UI
++ Refactored docker image workflows by [PassiveLemon](https://github.com/tobychui/zoraxy/commits?author=PassiveLemon)
++ Added disable chunked transfer encoding checkbox (for upstreams that uses legacy HTTP implementations)
++ Bug fixes [#694](https://github.com/tobychui/zoraxy/issues/694), [#659](https://github.com/tobychui/zoraxy/issues/659) by [jemmy1794](https://github.com/tobychui/zoraxy/commits?author=jemmy1794), [#695](https://github.com/tobychui/zoraxy/issues/695)
+
 # v3.1.9 1 Mar 2025
 
 + Fixed netstat underflow bug

docker/Dockerfile

@@ -34,34 +34,18 @@ RUN curl -Lo ZeroTierOne.tar.gz https://codeload.github.com/zerotier/ZeroTierOne
     chmod 755 /usr/local/bin/zerotier-one
 
 
-## Fetch plugin
-FROM docker.io/golang:alpine AS fetch-plugin
-
-RUN mkdir -p /opt/zoraxy/zoraxy_plugin/
-
-RUN apk add --update --no-cache git
-
-WORKDIR /opt/zoraxy/
-
-RUN git clone https://github.com/aroz-online/zoraxy-official-plugins &&\
-    cp -r ./zoraxy-official-plugins/src/ztnc/mod/zoraxy_plugin/ /opt/zoraxy/zoraxy_plugin/
-
-
 ## Main
-FROM docker.io/golang:alpine
+FROM docker.io/alpine:latest
 
-# If you build it yourself, you will need to add the example directory into the docker directory.
+RUN apk add --update --no-cache python3 sudo netcat-openbsd libressl-dev openssh ca-certificates libc6-compat libstdc++ &&\
+    rm -rf /var/cache/apk/* /tmp/*
 
-COPY --chmod=700 ./entrypoint.sh /opt/zoraxy/
-COPY --chmod=700 ./build_plugins.sh /usr/local/bin/build_plugins
-
-COPY --from=fetch-plugin --chmod=700 /opt/zoraxy/zoraxy_plugin/ /opt/zoraxy/zoraxy_plugin/
+COPY --chmod=700 ./entrypoint.py /opt/zoraxy/
 
 COPY --from=build-zerotier /usr/local/bin/zerotier-one /usr/local/bin/zerotier-one
 COPY --from=build-zoraxy /usr/local/bin/zoraxy /usr/local/bin/zoraxy
 
-RUN apk add --update --no-cache bash sudo netcat-openbsd libressl-dev openssh ca-certificates libc6-compat libstdc++ &&\
-    mkdir -p /opt/zoraxy/plugin/ &&\
+RUN mkdir -p /opt/zoraxy/plugin/ &&\
     echo "tun" | tee -a /etc/modules
 
 WORKDIR /opt/zoraxy/config/
@@ -89,7 +73,7 @@ VOLUME [ "/opt/zoraxy/config/" ]
 
 LABEL com.imuslab.zoraxy.container-identifier="Zoraxy"
 
-ENTRYPOINT [ "/opt/zoraxy/entrypoint.sh" ]
+ENTRYPOINT [ "python3", "-u", "/opt/zoraxy/entrypoint.py" ]
 
 HEALTHCHECK --interval=15s --timeout=5s --start-period=10s --retries=3 CMD nc -vz 127.0.0.1 $PORT || exit 1
 

docker/README.md

@@ -119,18 +119,14 @@ Or for Docker Compose:
 
 ### Plugins
 
-You can find official plugins at https://github.com/aroz-online/zoraxy-official-plugins
-
-Place your plugins inside the volume `/path/to/zoraxy/plugin/:/opt/zoraxy/plugin/` (Adjust to your actual install location). Any plugins you have added will then be built and used on the next restart.
-
-> [!IMPORTANT]
-> Plugins are currently experimental.
+Zoraxy includes a (experimental) store to download and use official plugins right from inside Zoraxy, no preparation required.
+For those looking to use custom plugins, build your plugins and place them inside the volume `/path/to/zoraxy/plugin/:/opt/zoraxy/plugin/` (Adjust to your actual install location).
 
 ### Building
 
 To build the Docker image:
   - Check out the repository/branch.
-  - Copy the Zoraxy `src/` and `example/` directory into the `docker/` (here) directory.
+  - Copy the Zoraxy `src/` directory into the `docker/` (here) directory.
   - Run the build command with `docker build -t zoraxy_build .`
   - You can now use the image `zoraxy_build`
     - If you wish to change the image name, then modify`zoraxy_build` in the previous step and then build again.

docker/build_plugins.sh

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-echo "Copying zoraxy_plugin to all mods..."
-for dir in "$1"/*; do
-  if [ -d "$dir" ]; then
-    cp -r "/opt/zoraxy/zoraxy_plugin/" "$dir/mod/"
-  fi
-done
-
-echo "Running go mod tidy and go build for all directories..."
-for dir in "$1"/*; do
-  if [ -d "$dir" ]; then
-    cd "$dir" || exit 1
-    go mod tidy
-    go build
-    cd "$1" || exit 1
-  fi
-done
-

docker/entrypoint.py

@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+
+import os
+import signal
+import subprocess
+import sys
+import time
+
+zoraxy_proc = None
+zerotier_proc = None
+
+def getenv(key, default=None):
+  return os.environ.get(key, default)
+
+def run(command):
+  try:
+    subprocess.run(command, check=True)
+  except subprocess.CalledProcessError as e:
+    print(f"Command failed: {command} - {e}")
+    sys.exit(1)
+
+def popen(command):
+  proc = subprocess.Popen(command)
+  time.sleep(1)
+  if proc.poll() is not None:
+    print(f"{command} exited early with code {proc.returncode}")
+    raise RuntimeError(f"Failed to start {command}")
+  return proc
+
+def cleanup(_signum, _frame):
+  print("Shutdown signal received. Cleaning up...")
+
+  global zoraxy_proc, zerotier_proc
+
+  if zoraxy_proc and zoraxy_proc.poll() is None:
+    print("Terminating Zoraxy...")
+    zoraxy_proc.terminate()
+
+  if zerotier_proc and zerotier_proc.poll() is None:
+    print("Terminating ZeroTier-One...")
+    zerotier_proc.terminate()
+
+  if zoraxy_proc:
+    try:
+      zoraxy_proc.wait(timeout=8)
+    except subprocess.TimeoutExpired:
+      zoraxy_proc.kill()
+      zoraxy_proc.wait()
+
+  if zerotier_proc:
+    try:
+      zerotier_proc.wait(timeout=8)
+    except subprocess.TimeoutExpired:
+      zerotier_proc.kill()
+      zerotier_proc.wait()
+
+  try:
+    os.unlink("/var/lib/zerotier-one")
+  except FileNotFoundError:
+    pass
+  except Exception as e:
+    print(f"Failed to unlink ZeroTier socket: {e}")
+
+  sys.exit(0)
+
+def start_zerotier():
+  print("Starting ZeroTier...")
+
+  global zerotier_proc
+
+  config_dir = "/opt/zoraxy/config/zerotier/"
+  zt_path = "/var/lib/zerotier-one"
+
+  os.makedirs(config_dir, exist_ok=True)
+
+  os.symlink(config_dir, zt_path, target_is_directory=True)
+
+  zerotier_proc = popen(["zerotier-one"])
+
+def start_zoraxy():
+  print("Starting Zoraxy...")
+
+  global zoraxy_proc
+
+  zoraxy_args = [
+    "zoraxy",
+    f"-autorenew={getenv('AUTORENEW', '86400')}",
+    f"-cfgupgrade={getenv('CFGUPGRADE', 'true')}",
+    f"-db={getenv('DB', 'auto')}",
+    f"-docker={getenv('DOCKER', 'true')}",
+    f"-earlyrenew={getenv('EARLYRENEW', '30')}",
+    f"-fastgeoip={getenv('FASTGEOIP', 'false')}",
+    f"-mdns={getenv('MDNS', 'true')}",
+    f"-mdnsname={getenv('MDNSNAME', "''")}",
+    f"-noauth={getenv('NOAUTH', 'false')}",
+    f"-plugin={getenv('PLUGIN', '/opt/zoraxy/plugin/')}",
+    f"-port=:{getenv('PORT', '8000')}",
+    f"-sshlb={getenv('SSHLB', 'false')}",
+    f"-update_geoip={getenv('UPDATE_GEOIP', 'false')}",
+    f"-version={getenv('VERSION', 'false')}",
+    f"-webfm={getenv('WEBFM', 'true')}",
+    f"-webroot={getenv('WEBROOT', './www')}",
+  ]
+
+  zoraxy_proc = popen(zoraxy_args)
+
+def main():
+  signal.signal(signal.SIGTERM, cleanup)
+  signal.signal(signal.SIGINT, cleanup)
+
+  print("Updating CA certificates...")
+  run(["update-ca-certificates"])
+
+  print("Updating GeoIP data...")
+  run(["zoraxy", "-update_geoip=true"])
+
+  os.chdir("/opt/zoraxy/config/")
+
+  if getenv("ZEROTIER", "false") == "true":
+    start_zerotier()
+
+  start_zoraxy()
+
+  signal.pause()
+
+if __name__ == "__main__":
+  main()
+

docker/entrypoint.sh

@@ -1,55 +0,0 @@
-#!/usr/bin/env bash
-
-cleanup() {
-  echo "Stop signal received. Shutting down..."
-  kill -TERM "$(pidof zoraxy)" &> /dev/null && echo "Zoraxy stopped."
-  kill -TERM "$(pidof zerotier-one)" &> /dev/null && echo "ZeroTier-One stopped."
-  unlink /var/lib/zerotier-one/zerotier/
-  exit 0
-}
-
-trap cleanup SIGTERM SIGINT TERM INT
-
-update-ca-certificates && echo "CA certificates updated."
-zoraxy -update_geoip=true && echo "GeoIP data updated ."
-
-echo "Building plugins..."
-cd /opt/zoraxy/plugin/ || exit 1
-build_plugins "$PWD"
-echo "Plugins built."
-cd /opt/zoraxy/config/ || exit 1
-
-if [ "$ZEROTIER" = "true" ]; then
-  if [ ! -d "/opt/zoraxy/config/zerotier/" ]; then
-    mkdir -p /opt/zoraxy/config/zerotier/
-  fi
-  ln -s /opt/zoraxy/config/zerotier/ /var/lib/zerotier-one
-  zerotier-one -d &
-  zerotierpid=$!
-  echo "ZeroTier daemon started."
-fi
-
-echo "Starting Zoraxy..."
-zoraxy \
-  -autorenew="$AUTORENEW" \
-  -cfgupgrade="$CFGUPGRADE" \
-  -db="$DB" \
-  -docker="$DOCKER" \
-  -earlyrenew="$EARLYRENEW" \
-  -fastgeoip="$FASTGEOIP" \
-  -mdns="$MDNS" \
-  -mdnsname="$MDNSNAME" \
-  -noauth="$NOAUTH" \
-  -plugin="$PLUGIN" \
-  -port=:"$PORT" \
-  -sshlb="$SSHLB" \
-  -update_geoip="$UPDATE_GEOIP" \
-  -version="$VERSION" \
-  -webfm="$WEBFM" \
-  -webroot="$WEBROOT" \
-  &
-
-zoraxypid=$!
-wait "$zoraxypid"
-wait "$zerotierpid"
-

src/def.go

@@ -44,7 +44,7 @@ import (
 const (
 	/* Build Constants */
 	SYSTEM_NAME       = "Zoraxy"
-	SYSTEM_VERSION    = "3.2.3"
+	SYSTEM_VERSION    = "3.2.4"
 	DEVELOPMENT_BUILD = false
 
 	/* System Constants */

src/mod/auth/sso/oauth2/oauth2.go

@@ -4,13 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"net/http"
+	"net/url"
+	"strings"
+
 	"golang.org/x/oauth2"
 	"imuslab.com/zoraxy/mod/database"
 	"imuslab.com/zoraxy/mod/info/logger"
 	"imuslab.com/zoraxy/mod/utils"
-	"net/http"
-	"net/url"
-	"strings"
 )
 
 type OAuth2RouterOptions struct {
@@ -250,7 +251,19 @@ func (ar *OAuth2Router) HandleOAuth2Auth(w http.ResponseWriter, r *http.Request)
 			cookie.SameSite = http.SameSiteLaxMode
 		}
 		w.Header().Add("Set-Cookie", cookie.String())
-		http.Redirect(w, r, state, http.StatusTemporaryRedirect)
+
+		//Fix for #695
+		location := strings.TrimPrefix(state, "/internal/")
+		//Check if the location starts with http:// or https://. if yes, this is full URL
+		decodedLocation, err := url.PathUnescape(location)
+		if err == nil && (strings.HasPrefix(decodedLocation, "http://") || strings.HasPrefix(decodedLocation, "https://")) {
+			//Redirect to the full URL
+			http.Redirect(w, r, decodedLocation, http.StatusTemporaryRedirect)
+		} else {
+			//Redirect to a relative path
+			http.Redirect(w, r, state, http.StatusTemporaryRedirect)
+		}
+
 		return errors.New("authorized")
 	}
 	unauthorized := false

src/mod/dynamicproxy/dpcore/dpcore.go

@@ -330,7 +330,10 @@ func (p *ReverseProxy) ProxyHTTP(rw http.ResponseWriter, req *http.Request, rrr
 		locationRewrite := res.Header.Get("Location")
 		originLocation := res.Header.Get("Location")
 		res.Header.Set("zr-origin-location", originLocation)
-
+		decodedOriginLocation, err := url.PathUnescape(originLocation)
+		if err == nil {
+			originLocation = decodedOriginLocation
+		}
 		if strings.HasPrefix(originLocation, "http://") || strings.HasPrefix(originLocation, "https://") {
 			//Full path
 			//Replace the forwarded target with expected Host

src/mod/streamproxy/udpprox.go

@@ -90,8 +90,8 @@ func (c *ProxyRelayConfig) ForwardUDP(address1, address2 string, stopChan chan b
 		address1 = ":" + address1
 	}
 	if strings.HasPrefix(address1, ":") {
-		//Prepend 127.0.0.1 to the address
-		address1 = "127.0.0.1" + address1
+		//Prepend 0.0.0.0 to the address
+		address1 = "0.0.0.0" + address1
 	}
 
 	lisener, targetAddr, err := initUDPConnections(address1, address2)

src/web/components/httprp.html

@@ -203,7 +203,7 @@
                     <th>Destination</th>
                     <th>Virtual Directory</th>
                     <th class="no-sort">Tags</th>
-                    <th class="no-sort" style="width:50px; cursor: default !important;"></th>
+                    <th class="no-sort" style="width:100px; cursor: default !important;"></th>
                 </tr>
             </thead>
             <tbody id="httpProxyList">
@@ -588,7 +588,7 @@
                         </td> -->
                         <td class="center aligned ignoremw" editable="true" datatype="action" data-label="">
                             <button title="Edit Proxy Rule" class="ui circular small basic icon button editBtn inlineEditActionBtn" onclick='editEndpoint("${(subd.RootOrMatchingDomain).hexEncode()}")'><i class="ellipsis vertical icon"></i></button>
-                            <!-- <button title="Remove Proxy Rule" class="ui circular mini red basic icon button inlineEditActionBtn" onclick='deleteEndpoint("${(subd.RootOrMatchingDomain).hexEncode()}")'><i class="trash icon"></i></button> -->
+                            <button title="Remove Proxy Rule" class="ui circular mini red basic icon button inlineEditActionBtn" onclick='deleteEndpoint("${(subd.RootOrMatchingDomain).hexEncode()}")'><i class="trash icon"></i></button>
                         </td>
                     </tr>`);
                 });

src/web/components/sso.html

@@ -3,18 +3,15 @@
         <h2>SSO</h2>
         <p>Single Sign-On (SSO) and authentication providers settings </p>
     </div>
-
-    <div class="ui basic segment">
-        <div class="ui yellow message">
-            <div class="header">
-                Experimental Feature
-            </div>
-            <p>Please note that this feature is still in development and may not work as expected.</p>
-        </div>
-    </div>
     <div class="ui divider"></div>
-    <div class="ui basic segment">
-        <h3>Forward Auth</h3>
+    <div class="ui top attached tabular menu ssoTabs">
+        <a class="item active" data-tab="forward_auth_tab">Forward Auth</a>
+        <a class="item" data-tab="oauth2_tab">Oauth2</a>
+        <!-- <a class="item" data-tab="zoraxy_sso_tab">Zoraxy SSO</a> -->
+        </div>
+        <div class="ui bottom attached tab segment active" data-tab="forward_auth_tab">
+        <!-- Forward Auth -->
+        <h2>Forward Auth</h2>
         <p>Configuration settings for the Forward Auth provider.</p>
         <p>The Forward Auth provider makes a subrequest to an authorization server that supports Forward Auth, then either:</p>
         <ul>
@@ -86,10 +83,10 @@
             </div>
             <button class="ui basic button" type="submit"><i class="green check icon"></i> Apply Change</button>
         </form>
-    </div>
-    <div class="ui divider"></div>
-    <div class="ui basic segment">
-        <h3>OAuth 2.0</h3>
+        </div>
+        <div class="ui bottom attached tab segment" data-tab="oauth2_tab">
+        <!-- Oauth 2 -->
+        <h2>OAuth 2.0</h2>
         <p>Configuration settings for OAuth 2.0 authentication provider.</p>
 
         <form class="ui form" action="#" id="oauth2Settings">
@@ -134,11 +131,18 @@
             </div>
             <button class="ui basic button" type="submit"><i class="green check icon"></i> Apply Change</button>
         </form>
-    </div>
-    <div class="ui divider"></div>
+        </div>
+        <div class="ui bottom attached tab segment" data-tab="zoraxy_sso_tab">
+            <!-- Zoraxy SSO -->
+            <h3>Zoraxy SSO</h3>
+            <p>Configuration settings for Zoraxy SSO provider.</p>
+            <p>Currently not implemented.</p>
+        </div>
 </div>
 
 <script>
+    $(".ssoTabs .item").tab();
+
     $(document).ready(function() {
         /* Load forward-auth settings from backend */
         $.cjax({

src/web/index.html

@@ -343,7 +343,9 @@
                     }
 
                     $(editorSideWrapper).each(function(){
-                        $(this)[0].contentWindow.setDarkTheme(false);
+                        if ($(this)[0].contentWindow.setDarkTheme){
+                            $(this)[0].contentWindow.setDarkTheme(false);
+                        }
                     })
 
                     if ($("#pluginContextLoader").is(":visible")){
@@ -356,7 +358,9 @@
                         $(".sideWrapper iframe")[0].contentWindow.setDarkTheme(true);
                     }
                     $(editorSideWrapper).each(function(){
-                        $(this)[0].contentWindow.setDarkTheme(true);
+                        if ($(this)[0].contentWindow.setDarkTheme){
+                            $(this)[0].contentWindow.setDarkTheme(true);
+                        }
                     })
                     if ($("#pluginContextLoader").is(":visible")){
                         $("#pluginContextLoader")[0].contentWindow.setDarkTheme(true);