ssmapi: Extend SSM API to all multi-user inbounds#4275
Open
alireza0 wants to merge 4 commits into
Open
Conversation
1eb1a6c to
1a8f5cd
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
The SSM API service currently manages users only for multi-user Shadowsocks
inbounds. Every other multi-user inbound requires a full instance restart to
apply a user change, which drops all active connections — even though the
underlying services (transport/trojan, sing-vmess, sing-quic, sing-anytls)
already support live user replacement, and the SSM API service itself is
written against a generic
adapter.ManagedSSMServerinterface rather thananything Shadowsocks-specific.
This PR implements
adapter.ManagedSSMServeron the remaining inbounds whoseuser model fits the SSM credential model (one user name + one key), so they
can be listed in the ssm-api
serversmap and managed at runtime:HTTP, Mixed, SOCKS, Naive, Trojan, VMess, AnyTLS, Hysteria, and Hysteria2.
What's changed
UpdateUsers/SetTracker, mirroring the existingShadowsocks
MultiInboundimplementation, and wraps authenticatedconnections with the SSM tracker for per-user traffic accounting.
Service.UpdateUsersof their protocol libraries; HTTP/Mixed/SOCKS/Naiverebuild their
auth.Authenticator.shrink while long-lived (QUIC) connections still resolve names with an old
index.
single-user/multi-user service split, so the
managedflag is not needed —referencing the inbound from ssm-api
serversis sufficient.Scope notes
alterId0.as a single credential (
flow, anduuid+passwordrespectively).Verification
Manually exercised against a running instance: users added/updated/deleted
via the REST endpoints take effect immediately on Trojan and Mixed inbounds
(new credentials authenticate, removed/replaced credentials are rejected),
and per-user traffic counters appear in
/server/v1/stats.