Multi_Script/C/proxy_dual.c

/*
 * =====================================================================================
 * PROXY VPN DUAL (TCP + TLS) - ULTIMATE BARE-METAL EDITION V9
 * Correcciones: 
 * 1. Bugfix de OpenSSL Internal Buffer (SSL_pending) para NetMod.
 * 2. Anti-Flood calibrado para evitar auto-baneos por hilos múltiples de VPN.
 * Compilación: gcc -O3 -o proxy_dual proxy_dual.c -lssl -lcrypto -lpthread
 * =====================================================================================
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <pthread.h>
#include <signal.h>
#include <time.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

// --- CONFIGURACIÓN BASE ---
#define DEFAULT_PORT_TCP 80
#define DEFAULT_PORT_TLS 443
#define SSH_HOST "127.0.0.1"
#define SSH_PORT 22
#define BUFLEN 16384
#define MAX_CONNECTIONS 500
#define LOG_FILE "/root/proxy-dual.log"
#define CERT_FILE "/root/cert.pem"
#define KEY_FILE "/root/key.pem"

// --- CONFIGURACIÓN DE SEGURIDAD (ANTI-FLOOD & BAN) ---
#define MAX_TRACKED_IPS 200
#define AUTO_BAN_STRIKES 15 // Aumentado a 15 para soportar los hilos de NetMod
#define BAN_TIME 3600 // 1 Hora
#define COOLDOWN_SEC 1 // Ventana de 1 segundo

typedef struct {
    char ip[INET6_ADDRSTRLEN];
    time_t last_connect;
    int strikes;
    time_t ban_until;
} ip_record_t;

ip_record_t ip_database[MAX_TRACKED_IPS];
pthread_mutex_t ip_db_mutex = PTHREAD_MUTEX_INITIALIZER;

// --- RESPUESTAS FAKE WEB ---
const char *FAKE_WEB_TCP = "HTTP/1.1 400 Bad Request\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<html><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.24.0</center></body></html>\r\n";
const char *FAKE_WEB_TLS = "HTTP/1.1 400 OK\r\nServer: nginx/1.21.0\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<html><body><center><h1>400 Bad Request</h1></center></body></html>\r\n";

// --- MENSAJES ROTATIVOS ---
const char *MENSAJES[] = {"🚀 CONEXION ESTABLECIDA", "🛡️ CIFRADO MILITAR ACTIVO", "🔋 MODO SIGILO SSL OK", "Pfsense", "OPNsense", "VyOS", "Claro", "Google", "TNSR", "🌐 BYPASS OK"};
#define NUM_MENSAJES (sizeof(MENSAJES) / sizeof(MENSAJES[0]))
int mensaje_idx = 0;
pthread_mutex_t msg_mutex = PTHREAD_MUTEX_INITIALIZER;

int active_connections = 0;
pthread_mutex_t conn_mutex = PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;

typedef struct {
    int client_fd;
    struct sockaddr_storage addr; 
    int is_tls; 
    SSL_CTX *ssl_ctx;
} client_data_t;

// --- FUNCIONES DE SOPORTE ---
void write_log(const char *ip, const char *proto, const char *msg) {
    pthread_mutex_lock(&log_mutex);
    FILE *f = fopen(LOG_FILE, "a");
    if (f) {
        time_t now = time(NULL);
        struct tm *t = localtime(&now);
        char ts[64];
        strftime(ts, sizeof(ts), "%Y-%m-%d %H:%M:%S", t);
        fprintf(f, "[%s] [%s] [%s] %s\n", ts, proto, ip ? ip : "SISTEMA", msg);
        printf("[%s] [%s] [%s] %s\n", ts, proto, ip ? ip : "SISTEMA", msg);
        fclose(f);
    }
    pthread_mutex_unlock(&log_mutex);
}

// --- MOTOR DE SEGURIDAD ---
int check_and_update_ip(const char *ip) {
    pthread_mutex_lock(&ip_db_mutex);
    time_t now = time(NULL);
    int empty_slot = -1;
    int found = 0;

    for (int i = 0; i < MAX_TRACKED_IPS; i++) {
        if (ip_database[i].ip[0] == '\0' && empty_slot == -1) empty_slot = i;
        else if (strcmp(ip_database[i].ip, ip) == 0) {
            found = 1;
            if (ip_database[i].ban_until > now) {
                pthread_mutex_unlock(&ip_db_mutex);
                return 0; // Sigue baneado
            }
            if (now - ip_database[i].last_connect <= COOLDOWN_SEC) {
                ip_database[i].strikes++;
                ip_database[i].last_connect = now;
                if (ip_database[i].strikes >= AUTO_BAN_STRIKES) {
                    ip_database[i].ban_until = now + BAN_TIME;
                    pthread_mutex_unlock(&ip_db_mutex);
                    return -1; // Acaba de ser baneado
                }
            } else {
                ip_database[i].strikes = 1;
                ip_database[i].last_connect = now;
            }
            break;
        }
    }
    if (!found && empty_slot != -1) {
        strcpy(ip_database[empty_slot].ip, ip);
        ip_database[empty_slot].last_connect = now;
        ip_database[empty_slot].strikes = 1;
        ip_database[empty_slot].ban_until = 0;
    }
    pthread_mutex_unlock(&ip_db_mutex);
    return 1;
}

SSL_CTX *create_ssl_context() {
    SSL_load_error_strings();
    OpenSSL_add_ssl_algorithms();
    SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
    if (!ctx) exit(1);
    SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, SSL_FILETYPE_PEM);
    return ctx;
}

int create_server_socket(int port) {
    int s_sock = socket(AF_INET6, SOCK_STREAM, 0);
    if (s_sock < 0) return -1;
    int opt = 1; setsockopt(s_sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
    int no = 0; setsockopt(s_sock, IPPROTO_IPV6, IPV6_V6ONLY, &no, sizeof(no));

    struct sockaddr_in6 addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin6_family = AF_INET6;
    addr.sin6_addr = in6addr_any;
    addr.sin6_port = htons(port);

    if (bind(s_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) return -1;
    listen(s_sock, 600);
    return s_sock;
}

void *connection_handler(void *arg) {
    client_data_t *data = (client_data_t *)arg;
    int client_sock = data->client_fd;
    int is_tls = data->is_tls;
    SSL_CTX *ctx = data->ssl_ctx;
    
    char client_ip[INET6_ADDRSTRLEN];
    if (data->addr.ss_family == AF_INET) {
        struct sockaddr_in *s = (struct sockaddr_in *)&data->addr;
        inet_ntop(AF_INET, &s->sin_addr, client_ip, sizeof(client_ip));
    } else { 
        struct sockaddr_in6 *s = (struct sockaddr_in6 *)&data->addr;
        inet_ntop(AF_INET6, &s->sin6_addr, client_ip, sizeof(client_ip));
    }
    free(data);

    const char *proto_name = is_tls ? "TLS" : "TCP";

    // --- FILTRO DE SEGURIDAD ---
    int sec_status = check_and_update_ip(client_ip);
    if (sec_status == 0) {
        close(client_sock);
        pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
        pthread_exit(NULL);
    } else if (sec_status == -1) {
        write_log(client_ip, proto_name, "⛔ IP Baneada (Flood/Spam detectado)");
        close(client_sock);
        pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
        pthread_exit(NULL);
    }

    SSL *ssl = NULL;
    if (is_tls) {
        ssl = SSL_new(ctx);
        SSL_set_fd(ssl, client_sock);
        if (SSL_accept(ssl) <= 0) {
            SSL_free(ssl); close(client_sock);
            pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
            pthread_exit(NULL);
        }
    }

    // =========================================================================
    // BUGFIX: REVISAR LA MEMORIA INTERNA DE OPENSSL ANTES DE ESPERAR EN EL CABLE
    // =========================================================================
    fd_set init_fds; FD_ZERO(&init_fds); FD_SET(client_sock, &init_fds);
    struct timeval init_tv = {3, 0}; 
    char buffer[BUFLEN];
    int bytes_read = 0;

    int ssl_has_data = is_tls ? SSL_pending(ssl) : 0;

    // Si SSL ya secuestró el paquete, lo leemos de inmediato. Si no, esperamos 3 seg.
    if (ssl_has_data > 0 || select(client_sock + 1, &init_fds, NULL, NULL, &init_tv) > 0) {
        if (is_tls) bytes_read = SSL_read(ssl, buffer, sizeof(buffer)-1);
        else bytes_read = recv(client_sock, buffer, sizeof(buffer)-1, 0);
    } 

    int target_sock = -1;
    long tx_bytes = 0, rx_bytes = 0;

    if (bytes_read > 0) {
        buffer[bytes_read] = '\0';
        struct sockaddr_in t_addr;
        target_sock = socket(AF_INET, SOCK_STREAM, 0);
        t_addr.sin_family = AF_INET;
        t_addr.sin_port = htons(SSH_PORT);
        inet_pton(AF_INET, SSH_HOST, &t_addr.sin_addr);

        if (connect(target_sock, (struct sockaddr *)&t_addr, sizeof(t_addr)) < 0) goto cleanup;

        if (strncmp(buffer, "SSH-", 4) == 0) {
            send(target_sock, buffer, bytes_read, 0);
        } else if (strstr(buffer, "HTTP/") != NULL && strstr(buffer, "Upgrade: websocket") == NULL) {
            write_log(client_ip, proto_name, "🕵️ Escáner detectado. Fake Web (400 OK).");
            if (is_tls) SSL_write(ssl, FAKE_WEB_TLS, strlen(FAKE_WEB_TLS));
            else send(client_sock, FAKE_WEB_TCP, strlen(FAKE_WEB_TCP), 0);
            goto cleanup;
        } else {
            // --- ENCABEZADOS EXTENDIDOS RECUPERADOS ---
            pthread_mutex_lock(&msg_mutex);
            const char *status_msg = MENSAJES[mensaje_idx];
            mensaje_idx = (mensaje_idx + 1) % NUM_MENSAJES;
            pthread_mutex_unlock(&msg_mutex);

            char response[1024];
            snprintf(response, sizeof(response),
                "HTTP/1.1 101 %s\r\n"
                "Server: nginx/1.24.0\r\n"
                "X-Forwarded-For: 127.0.0.1\r\n"
                "Content-Type: text/html; charset=UTF-8\r\n"
                "Proxy-Connection: keep-alive\r\n"
                "Cache-Control: no-cache\r\n"
                "X-Proxy-Agent: Gemini-Ultra-Dual-C\r\n"
                "Connection: Upgrade\r\n"
                "Upgrade: websocket\r\n\r\n", status_msg);

            if (is_tls) SSL_write(ssl, response, strlen(response));
            else send(client_sock, response, strlen(response), 0);
            
            write_log(client_ip, proto_name, "✅ Túnel Inyectado OK");
        }
    } else {
        struct sockaddr_in t_addr;
        target_sock = socket(AF_INET, SOCK_STREAM, 0);
        t_addr.sin_family = AF_INET;
        t_addr.sin_port = htons(SSH_PORT);
        inet_pton(AF_INET, SSH_HOST, &t_addr.sin_addr);
        if (connect(target_sock, (struct sockaddr *)&t_addr, sizeof(t_addr)) != 0) goto cleanup;
        write_log(client_ip, proto_name, "✅ Túnel Modo Silencioso");
    }

    int max_fd = (client_sock > target_sock) ? client_sock : target_sock;

    while (1) {
        fd_set readfds; FD_ZERO(&readfds); FD_SET(client_sock, &readfds); FD_SET(target_sock, &readfds);
        struct timeval select_tv = {300, 0};
        int pending = is_tls ? SSL_pending(ssl) : 0;
        
        if (pending == 0) {
            if (select(max_fd + 1, &readfds, NULL, NULL, &select_tv) <= 0) break;
        }

        if (pending > 0 || FD_ISSET(client_sock, &readfds)) {
            int b = is_tls ? SSL_read(ssl, buffer, BUFLEN) : recv(client_sock, buffer, BUFLEN, 0);
            if (b <= 0) break;
            send(target_sock, buffer, b, 0);
            rx_bytes += b;
        }
        if (FD_ISSET(target_sock, &readfds)) {
            int b = recv(target_sock, buffer, BUFLEN, 0);
            if (b <= 0) break;
            if (is_tls) SSL_write(ssl, buffer, b);
            else send(client_sock, buffer, b, 0);
            tx_bytes += b;
        }
    }

cleanup:
    if (target_sock != -1) close(target_sock);
    if (is_tls) { SSL_shutdown(ssl); SSL_free(ssl); }
    close(client_sock);
    pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
    pthread_exit(NULL);
}

int main(int argc, char **argv) {
    int port_tcp = DEFAULT_PORT_TCP, port_tls = DEFAULT_PORT_TLS;
    if (argc >= 3) { port_tcp = atoi(argv[1]); port_tls = atoi(argv[2]); }

    // Limpiar base de datos de IPs al inicio
    memset(ip_database, 0, sizeof(ip_database));

    signal(SIGPIPE, SIG_IGN); 
    SSL_CTX *ctx = create_ssl_context();
    int server_tcp = create_server_socket(port_tcp);
    int server_tls = create_server_socket(port_tls);

    if (server_tcp < 0 || server_tls < 0) exit(1);

    write_log(NULL, "SISTEMA", "🚀 PROXY DUAL BARE-METAL INICIADO (Ultimate Edition V9)");
    write_log(NULL, "SISTEMA", "🛡️  Módulos cargados: Anti-Flood (15/s), Auto-Ban, SSL_pending Fix, Full Headers");

    int max_server_fd = (server_tcp > server_tls) ? server_tcp : server_tls;

    while (1) {
        fd_set master_fds; FD_ZERO(&master_fds); FD_SET(server_tcp, &master_fds); FD_SET(server_tls, &master_fds);
        if (select(max_server_fd + 1, &master_fds, NULL, NULL, NULL) < 0) continue;

        int active_sock = -1, is_tls = 0;
        if (FD_ISSET(server_tcp, &master_fds)) { active_sock = server_tcp; is_tls = 0; }
        else if (FD_ISSET(server_tls, &master_fds)) { active_sock = server_tls; is_tls = 1; }

        struct sockaddr_storage c_addr;
        socklen_t c_len = sizeof(c_addr);
        int client_sock = accept(active_sock, (struct sockaddr *)&c_addr, &c_len);
        if (client_sock < 0) continue;

        pthread_mutex_lock(&conn_mutex);
        if (active_connections >= MAX_CONNECTIONS) { pthread_mutex_unlock(&conn_mutex); close(client_sock); continue; }
        active_connections++; pthread_mutex_unlock(&conn_mutex);

        client_data_t *d = malloc(sizeof(client_data_t));
        d->client_fd = client_sock; d->addr = c_addr; d->is_tls = is_tls; d->ssl_ctx = ctx;

        pthread_t tid; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
        if (pthread_create(&tid, &attr, connection_handler, d) != 0) {
            close(client_sock); free(d);
            pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
        }
        pthread_attr_destroy(&attr);
    }
    return 0;
}