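# -*- coding: utf-8 -*-
"""TLS / WebSocket front door for a local SSH daemon.

Listens on LISTENING_PORT (TLS when USE_SSL), sniffs the first bytes each
client sends and then either:

* forwards a raw SSH stream untouched (the client sent an ``SSH-`` banner),
* answers an HTTP ``101`` and tunnels (WebSocket-style clients),
* answers a static fake web page and closes (plain HTTP with no WebSocket
  upgrade -- browsers and active-probing scanners), or
* tunnels immediately when the client says nothing (stunnel-style clients
  that wait for the server's SSH banner).

Everything that is tunnelled ends up on SSH_HOST:SSH_PORT.
"""
import itertools
import os
import select
import socket
import ssl
import sys
import threading
import time


# --- BASE CONFIGURATION ---

def port_from_argv(argv, default=443):
    """Return the listening port taken from ``argv[1]``, or ``default``.

    Only an all-digit argument in the range 1-65535 is accepted; anything
    else falls back to ``default`` so that a stray non-numeric argument
    cannot raise at import time (the module evaluates this at load).
    """
    if len(argv) > 1 and argv[1].isdigit():
        port = int(argv[1])
        if 0 < port < 65536:
            return port
    return default


LISTENING_PORT = port_from_argv(sys.argv)
SSH_HOST = '127.0.0.1'
SSH_PORT = 22  # local SSH port
LOG_FILE = "/root/proxy-ssl.log"
MAX_LOG_SIZE = 10 * 1024 * 1024

# --- SSL/TLS CONFIGURATION ---
USE_SSL = True
CERT_FILE = "/root/cert.pem"
KEY_FILE = "/root/key.pem"

# --- ADVANCED SECURITY CONFIGURATION ---
MAX_CONNECTIONS = 100
CONNECTION_COOLDOWN = 0.7    # seconds; a reconnect sooner than this earns a strike
BUFLEN = 16384
AUTO_BAN_STRIKES = 3         # strikes within the cooldown window before a ban
BAN_TIME = 3600              # seconds a banned address is refused
MAX_TRACKED_IPS = 10000      # prune the strike/ban tables once they grow past this
HANDSHAKE_TIMEOUT = 10.0     # seconds allowed for the TLS handshake
FIRST_READ_TIMEOUT = 2.0     # seconds to wait for the client's opening bytes
TARGET_CONNECT_TIMEOUT = 10  # seconds to reach the SSH daemon
TUNNEL_IDLE_TIMEOUT = 300    # seconds of silence before an idle tunnel is dropped

# ip -> unix time at which the ban expires
banned_ips_memory = {}
# ip -> (strikes, unix time of the last accepted connection)
ip_strikes = {}
# Both tables are touched from every handler thread; hold state_lock around them.
state_lock = threading.Lock()
# When non-empty, only these client addresses are served (compared after
# normalize_ip(), so write plain IPv4 such as "203.0.113.5").
ALLOWED_IPS = []

# --- FAKE WEB RESPONSE (ANTI ACTIVE PROBING) ---
# Served to anything that looks like a plain HTTP request without a WebSocket
# upgrade. No Content-Length is needed because the connection is closed.
# NOTE(review): the HTML tags of the body appear to have been stripped from
# the source as received; only the visible text is reproduced here. Restore
# the markup from the original file if a convincing page is required.
FAKE_WEB_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.21.0\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Connection: close\r\n\r\n"
    b"\n\nBienvenido\n"
    b"\n"
    b"Hola\n"
    b"Servicio en funcionamiento.\n"
    b"\n\n"
)

# --- CUSTOM HEADERS FOR THE 101 UPGRADE RESPONSE ---
# NOTE(review): "X-Proxy-Agent" and "X-Forwarded-For-Proxy" are unique to this
# tool and fingerprint it to anyone who sends a WebSocket upgrade; consider
# dropping them if blending in with nginx is the goal.
CUSTOM_HEADERS = {
    "Server": "nginx/1.21.0",
    "X-Forwarded-For": "127.0.0.1",
    "Content-Type": "text/html; charset=UTF-8",
    "Proxy-Connection": "keep-alive",
    "Cache-Control": "no-cache",
    "X-Proxy-Agent": "Gemini-Ultra-Robust-v6-TLS",
    "X-Forwarded-For-Proxy": "True"
}

# Status-line reason phrases handed out round-robin on each 101 response.
# Duplicates are intentional in the original and kept (they weight the cycle).
MENSAJES = [
    "🚀 CONEXION TLS ESTABLECIDA",
    "🛡️ CIFRADO MILITAR ACTIVO",
    "🔋 MODO SIGILO SSL OK",
    "Pfsense",
    "OPNsense",
    "VyOS",
    "Claro",
    "Windows Server",
    "BSD Free",
    "VyOS",
    "Altice",
    "Viva",
    "Google",
    "VyOS",
    "TNSR",
    "🌐 BYPASS DE FIREWALL OK"
]
mensaje_cycle = itertools.cycle(MENSAJES)
cycle_lock = threading.Lock()

# Payload classes returned by classify_payload().
MODE_SSH = "ssh"
MODE_PROBE = "probe"
MODE_WEBSOCKET = "websocket"
MODE_SILENT = "silent"


def log(msg, addr=None):
    """Append a timestamped line to LOG_FILE and echo it to stdout.

    ``addr`` is a ``(host, port, ...)`` tuple; only the host is printed.
    The file is truncated (not rotated) once it exceeds MAX_LOG_SIZE.
    File and encoding errors are swallowed on purpose: logging must never
    take a connection down, and stdout is written independently of the file.
    """
    timestamp = time.strftime("%Y-%m-%d %H:%M:%S")
    client_info = f" [{addr[0]}]" if addr else ""
    log_entry = f"[{timestamp}]{client_info} {msg}\n"
    try:
        print(log_entry.strip())
    except (OSError, UnicodeEncodeError):
        pass
    try:
        if os.path.exists(LOG_FILE) and os.path.getsize(LOG_FILE) > MAX_LOG_SIZE:
            with open(LOG_FILE, 'w', encoding="utf-8") as f:
                f.write(f"[{timestamp}] LOG REINICIADO\n")
        # utf-8 explicitly: the messages contain emoji and the process locale
        # on a minimal server is often ASCII.
        with open(LOG_FILE, 'a', encoding="utf-8") as f:
            f.write(log_entry)
    except OSError:
        pass


def normalize_ip(ip):
    """Map IPv4-mapped IPv6 addresses ("::ffff:1.2.3.4") to plain IPv4.

    The listener is dual-stack (IPV6_V6ONLY=0), so IPv4 clients arrive as
    "::ffff:a.b.c.d"; without this an ALLOWED_IPS or ban entry written as
    "a.b.c.d" would never match them.
    """
    if ip.lower().startswith("::ffff:"):
        return ip[7:]
    return ip


def check_access(client_ip, now=None):
    """Decide whether a new connection from ``client_ip`` may be served.

    Applied in order: the static allowlist (ALLOWED_IPS, when non-empty),
    the temporary ban table, then the reconnect-flood counter: a connection
    arriving less than CONNECTION_COOLDOWN seconds after the previous one
    from the same address earns a strike, and AUTO_BAN_STRIKES strikes ban
    the address for BAN_TIME seconds. The counter resets as soon as one
    cooldown period passes without a reconnect.

    Returns True when the connection may proceed, False when it must be
    dropped. ``now`` (unix time) is injectable for tests.

    NOTE(review): the previous implementation keyed the cooldown on a global
    timestamp and reset the strike count on every connection, so the ban was
    unreachable. With it actually enforced, clients that open several
    parallel connections at once can be banned; raise AUTO_BAN_STRIKES or
    lower CONNECTION_COOLDOWN if legitimate multi-connection clients trip it.
    """
    if now is None:
        now = time.time()
    if ALLOWED_IPS and client_ip not in ALLOWED_IPS:
        log("⛔ IP no permitida (ALLOWED_IPS)", (client_ip, 0))
        return False
    with state_lock:
        expiry = banned_ips_memory.get(client_ip)
        if expiry is not None:
            if now < expiry:
                return False
            del banned_ips_memory[client_ip]
            ip_strikes.pop(client_ip, None)
        strikes, last_seen = ip_strikes.get(client_ip, (0, None))
        if last_seen is not None and (now - last_seen) < CONNECTION_COOLDOWN:
            strikes += 1
        else:
            strikes = 0
        if strikes >= AUTO_BAN_STRIKES:
            banned_ips_memory[client_ip] = now + BAN_TIME
            ip_strikes.pop(client_ip, None)
            log("⛔ IP Baneada (Flood/Spam)", (client_ip, 0))
            return False
        ip_strikes[client_ip] = (strikes, now)
        # Bound memory: an internet-facing listener sees an unbounded set of
        # source addresses, and neither table was ever pruned before.
        if len(ip_strikes) > MAX_TRACKED_IPS:
            for ip, (_, seen) in list(ip_strikes.items()):
                if now - seen >= CONNECTION_COOLDOWN:
                    del ip_strikes[ip]
        if len(banned_ips_memory) > MAX_TRACKED_IPS:
            for ip, until in list(banned_ips_memory.items()):
                if now >= until:
                    del banned_ips_memory[ip]
    return True


def classify_payload(payload):
    """Classify the first bytes a client sent (see module docstring).

    Returns MODE_SILENT for empty input, MODE_SSH for a raw SSH banner,
    MODE_PROBE for an HTTP request with no WebSocket upgrade, and
    MODE_WEBSOCKET for everything else. The upgrade check is
    case-insensitive because HTTP header names and the ``websocket`` token
    are case-insensitive.

    Caveat for operators: only HTTP-shaped probes get the fake page. A
    prober that sends nothing (MODE_SILENT) or non-HTTP bytes
    (MODE_WEBSOCKET) is still tunnelled and will see the SSH daemon's
    banner; that is inherent to supporting stunnel-style clients.
    """
    if not payload:
        return MODE_SILENT
    if payload.startswith(b"SSH-"):
        return MODE_SSH
    if b"HTTP/" in payload and b"upgrade: websocket" not in payload.lower():
        return MODE_PROBE
    return MODE_WEBSOCKET


active_connections = 0
conn_lock = threading.Lock()


class ConnectionHandler(threading.Thread):
    """Serve one accepted client: access check, TLS handshake, mode
    detection, then bidirectional byte pumping to the SSH daemon."""

    def __init__(self, client_socket, addr, ssl_context=None):
        """``ssl_context``, when given, makes run() perform the TLS handshake
        on this thread (with HANDSHAKE_TIMEOUT) instead of the accept loop."""
        super().__init__(daemon=True)
        self.client = client_socket
        self.addr = addr
        self.ssl_context = ssl_context
        self.target = None
        self.tx_bytes = 0  # client -> ssh
        self.rx_bytes = 0  # ssh -> client

    def build_http_response(self, status_msg):
        """Return the ``101`` upgrade response bytes with CUSTOM_HEADERS and
        ``status_msg`` as the reason phrase (utf-8; non-ASCII phrases are
        deliberately allowed by this tool)."""
        headers_str = "".join(f"{k}: {v}\r\n" for k, v in CUSTOM_HEADERS.items())
        return (
            f"HTTP/1.1 101 {status_msg}\r\n{headers_str}"
            "Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n"
        ).encode('utf-8')

    def _handshake(self):
        """Complete the TLS handshake under HANDSHAKE_TIMEOUT; False on failure.

        On failure the SSLSocket closes the underlying fd itself, so cleanup()
        closing ``self.client`` afterwards is a harmless no-op.
        """
        try:
            self.client.settimeout(HANDSHAKE_TIMEOUT)
            self.client = self.ssl_context.wrap_socket(self.client, server_side=True)
            return True
        except OSError as e:  # ssl.SSLError and socket.timeout are OSErrors
            log(f"⚠️ Handshake TLS fallido: {e}", self.addr)
            return False

    def _read_first_bytes(self):
        """Read the client's opening bytes.

        Returns b"" when the client stays silent for FIRST_READ_TIMEOUT
        (stunnel-style client that waits for the server banner) and None on a
        socket error.
        """
        self.client.settimeout(FIRST_READ_TIMEOUT)
        try:
            return self.client.recv(BUFLEN)
        except socket.timeout:
            return b""
        except OSError as e:
            log(f"❌ Error leyendo cliente: {e}", self.addr)
            return None

    def run(self):
        global active_connections
        client_ip = normalize_ip(self.addr[0])
        try:
            # Cheap checks first: a banned or disallowed address never costs a
            # TLS handshake.
            if not check_access(client_ip):
                return
            if self.ssl_context is not None and not self._handshake():
                return
            payload = self._read_first_bytes()
            if payload is None:
                return
            mode = classify_payload(payload)
            if mode == MODE_PROBE:
                # Plain HTTP without an upgrade: browser or scanner. Answer the
                # decoy page and close without ever touching the SSH daemon.
                log(f"🕵️ Active Probing detectado (Navegador/Escáner). Respondiendo 200 OK Fake Web.", self.addr)
                self.client.sendall(FAKE_WEB_RESPONSE)
                return
            try:
                self.target = socket.create_connection(
                    (SSH_HOST, SSH_PORT), timeout=TARGET_CONNECT_TIMEOUT)
            except OSError as e:
                log(f"❌ Error interno destino: {e}", self.addr)
                return
            if mode == MODE_SSH:
                log(f"✅ Túnel cifrado (Modo SSH Directo)", self.addr)
                self.target.sendall(payload)
            elif mode == MODE_WEBSOCKET:
                # The upgrade request itself is consumed, not forwarded: the
                # client starts its SSH stream only after seeing the 101.
                with cycle_lock:
                    current_status = next(mensaje_cycle)
                self.client.sendall(self.build_http_response(current_status))
                log(f"✅ Túnel cifrado (Modo WebSocket HTTP): {current_status}", self.addr)
            else:
                log(f"✅ Túnel cifrado (Modo Stunnel Silencioso)", self.addr)
            self.tunnel()
        except Exception as e:
            log(f"❌ Error: {e}", self.addr)
        finally:
            with conn_lock:
                active_connections -= 1
            self.cleanup()

    def _pump(self, src, dst):
        """Move data that is ready on ``src`` to ``dst``.

        Returns False once ``src`` reports EOF. After each read from the TLS
        side the loop drains ``pending()``: the SSL layer may have decrypted
        more than one record into its buffer, and select() will not wake for
        those bytes because nothing new arrives on the fd.
        """
        while True:
            data = src.recv(BUFLEN)
            if not data:
                return False
            dst.sendall(data)
            if src is self.client:
                self.tx_bytes += len(data)
            else:
                self.rx_bytes += len(data)
            pending = getattr(src, "pending", None)
            if pending is None or not pending():
                return True

    def tunnel(self):
        """Pump bytes in both directions until either side closes, a socket
        errors, or nothing moves for TUNNEL_IDLE_TIMEOUT seconds."""
        self.client.settimeout(None)
        self.target.settimeout(None)
        peer = {self.client: self.target, self.target: self.client}
        sockets = list(peer)
        while True:
            readable, _, errored = select.select(sockets, [], sockets, TUNNEL_IDLE_TIMEOUT)
            if errored or not readable:
                return
            for src in readable:
                try:
                    if not self._pump(src, peer[src]):
                        return
                except OSError:
                    return

    def cleanup(self):
        """Log the traffic volume (when above 10 KiB) and close both sockets."""
        total_mb = (self.tx_bytes + self.rx_bytes) / (1024 * 1024)
        if total_mb > 0.01:
            log(f"[*] Conexión finalizada. Tráfico consumido: {total_mb:.2f} MB", self.addr)
        for s in (self.client, self.target):
            if s is not None:
                try:
                    s.close()
                except OSError:
                    pass


def build_ssl_context():
    """Load CERT_FILE/KEY_FILE into a server-side TLS context; exits on failure."""
    try:
        ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        ctx.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)
    except Exception as e:
        log(f"❌ Error crítico cargando certificados SSL: {e}")
        sys.exit(1)
    # Pin the floor explicitly instead of relying on the interpreter default
    # (older Pythons still offered TLS 1.0/1.1 from create_default_context).
    if hasattr(ssl, "TLSVersion"):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_listener(port):
    """Bind and listen on ``port`` on all interfaces, preferring a dual-stack
    IPv6 socket (IPV6_V6ONLY cleared) so IPv4 clients are served too."""
    addr_info = socket.getaddrinfo(None, port, socket.AF_UNSPEC,
                                   socket.SOCK_STREAM, 0, socket.AI_PASSIVE)
    addr_info.sort(key=lambda x: x[0] == socket.AF_INET6, reverse=True)
    af, socktype, proto, _canonname, sa = addr_info[0]
    server = socket.socket(af, socktype, proto)
    try:
        server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if af == socket.AF_INET6:
            try:
                server.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            except OSError:
                pass
        server.bind(sa)
        server.listen(200)
    except OSError:
        server.close()
        raise
    return server


def main():
    """Accept loop.

    The TLS handshake is deliberately NOT done here: wrap_socket() blocks
    until the handshake completes, so a single client that opens a TCP
    connection and never sends a ClientHello would stall accepts for everyone.
    Each ConnectionHandler performs its own handshake with a timeout.
    """
    global active_connections
    ssl_context = build_ssl_context() if USE_SSL else None
    server = None
    try:
        server = open_listener(LISTENING_PORT)
        log(f"=====================================================")
        log(f"🔥 Servidor Robusto Iniciado en Puerto {LISTENING_PORT}")
        log(f"🛡️ Motor SSL/TLS & Anti-Active Probing: ACTIVADO")
        log(f"🎯 Destino Interno: {SSH_HOST}:{SSH_PORT}")
        log(f"=====================================================")
        while True:
            try:
                client, addr = server.accept()
            except OSError as e:
                # e.g. EMFILE under load; back off briefly instead of dying.
                log(f"⚠️ accept() falló: {e}")
                time.sleep(0.1)
                continue
            with conn_lock:
                if active_connections >= MAX_CONNECTIONS:
                    client.close()
                    continue
                active_connections += 1
            try:
                ConnectionHandler(client, addr, ssl_context).start()
            except RuntimeError as e:
                # Thread could not be started: undo the slot we just took.
                with conn_lock:
                    active_connections -= 1
                client.close()
                log(f"⚠️ No se pudo iniciar hilo: {e}", addr)
    except Exception as e:
        log(f"❌ Error crítico en servidor: {e}")
    finally:
        if server is not None:
            server.close()


if __name__ == "__main__":
    main()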