A versatile and efficient proxy framework with nice features suitable for various use cases.

Overview

Leaf

Multiplexing

There are 2 transports for traffic multiplexing:

  • AMux: A multiplexed transport based on reliable streams, suitable for TCP-based protocols and transports
  • QUIC: A UDP-based, multiplexed and secure transport

The benefit of AMux is that connections can be reused to reduce handshake overhead. It is not designed to be memory efficient, because it focuses only on reusing connections and not on reducing the number of connections. QUIC, by contrast, can reduce both handshake overhead and memory usage without suffering from the head-of-line blocking issue.

Transparent Proxying

There's the TUN inbound for this purpose, which is also of fundamental importance for VPN-like proxying use cases such as VPN apps on iOS and Android.

High Availability

Outbounds such as failover, tryall, retry, random and their combinations can flexibly deliver requests to other outbounds based on their own metrics to achieve high availability or load balancing behaviors.

Request Routing

Rule-based request routing is also supported. Requests can be routed to different outbounds based on domain, IP, GEOIP and port rules.

Getting Started

[General]
dns-server = 223.5.5.5
socks-interface = 127.0.0.1
socks-port = 1080

[Proxy]
Direct = direct

More configuration examples can be found here.

TUN Mode and Gateway Mode

TUN Mode

This syntax (tun = auto) is supported on macOS and Linux.

[General]
dns-server = 223.5.5.5
tun = auto

[Proxy]
Direct = direct

Gateway Mode

Running in gateway mode requires a configuration with TUN mode enabled. Gateway mode can be enabled by an environment variable.

GATEWAY_MODE=true leaf -c config.conf

Windows

  • Maple: A lightweight Universal Windows proxy app based on leaf

iOS & Android

Build

Install Rust: https://www.rust-lang.org/tools/install

Install GCC or Clang.

Clone & Build:

git clone --recursive https://github.com/eycorsican/leaf.git
cd leaf
cargo build -p leaf-bin

Run:

./target/debug/leaf --help

License

This project is licensed under the Apache License 2.0.

Comments
  • Can not connect to IPv6 only website

    curl -x socks5h://127.0.0.1:1086 http://bbs6.ustc.edu.cn/ -v

    [2021-04-15 10:43:34][DEBUG] looking up domain bbs6.ustc.edu.cn on 114.114.114.114:53
    [2021-04-15 10:43:34][DEBUG] looking up domain bbs6.ustc.edu.cn on 223.5.5.5:53
    [2021-04-15 10:43:34][DEBUG] looking up domain bbs6.ustc.edu.cn on 114.114.114.114:53
    [2021-04-15 10:43:34][DEBUG] looking up domain bbs6.ustc.edu.cn on 223.5.5.5:53
    [2021-04-15 10:43:34][DEBUG] return 1 ips for bbs6.ustc.edu.cn from 223.5.5.5:53 in 133ms
    [2021-04-15 10:43:34][TRACE] ips for bbs6.ustc.edu.cn:
    [
        2001:da8:d800::3,
    ]
    [2021-04-15 10:43:34][TRACE] re-matching with resolved ip [2001:da8:d800::3] for [bbs6.ustc.edu.cn]
    [2021-04-15 10:43:34][DEBUG] [2001:da8:d800::3] matches geoip code [cn]
    [2021-04-15 10:43:34][DEBUG] picked route [Direct] for 127.0.0.1:57306 -> bbs6.ustc.edu.cn:80
    [2021-04-15 10:43:34][TRACE] active direct tcp connections +1: 39
    [2021-04-15 10:43:34][DEBUG] dispatch tcp 127.0.0.1:57306 -> bbs6.ustc.edu.cn:80 to [Direct] failed: all attempts failed, last error: Address family not supported by protocol family (os error 47)
    [2021-04-15 10:43:34][TRACE] active direct tcp connections -1: 38
    

    curl -x socks5://127.0.0.1:1086 http://bbs6.ustc.edu.cn/ -v

    [2021-04-15 10:50:18][DEBUG] [2001:da8:d800::3] matches geoip code [cn]
    [2021-04-15 10:50:18][DEBUG] picked route [Direct] for 127.0.0.1:58225 -> [2001:da8:d800::3]:80
    [2021-04-15 10:50:18][TRACE] active direct tcp connections +1: 1
    [2021-04-15 10:50:18][DEBUG] dispatch tcp 127.0.0.1:58225 -> [2001:da8:d800::3]:80 to [Direct] failed: all attempts failed, last error: Address family not supported by protocol family (os error 47)
    [2021-04-15 10:50:18][TRACE] active direct tcp connections -1: 0
    
    opened by EkkoG 36
  • [Bug Report]Can't set absolute site.dat path on Windows

    I'm trying to add the EXTERNAL rules support to Maple, and I find that there's some problem in Leaf's parsing the rule.

    pub fn load_file_or_default(filter: &str, default: &str) -> Result<(String, String)> {
        let parts: Vec<&str> = filter.split(':').collect();
        let (file, code) = if parts.len() == 3 {
          // ...
        }
    }
    

    The code above gets the path in EXTERNAL rule by splitting :. When it comes to Windows, absolute path won't work because the : comes after the drive letter:

    EXTERNAL site:C:\Users\Perqin\geosite.dat:cn, Direct
    

    Though we can simply concatenate the parts[2] and parts[3] if parts.len() == 4, I'm wondering if there's better way to solve this issue.

    opened by perqin 17
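
The ambiguity described in this report, as an added example that is not leaf's code or the reporter's: the rule type is taken from the first `:` and the code from the last `:`, so any `:` in between stays inside the path. The `kind:code` / `kind:file:code` grammar, the `default_file` parameter and all type names are assumptions made for the illustration.

```rust
// Added example, not leaf's implementation.
// Assumed filter grammar: `kind:code` or `kind:file:code`.

#[derive(Debug, PartialEq)]
pub struct ExternalFilter {
    pub kind: String, // e.g. "site"
    pub file: String, // path to the data file; may itself contain ':'
    pub code: String, // e.g. "cn"
}

#[derive(Debug, PartialEq)]
pub enum FilterError {
    MissingKind,
    MissingCode,
    EmptyFile,
}

/// True for a bare Windows drive letter such as "C".
fn is_drive_letter(s: &str) -> bool {
    s.len() == 1 && s.chars().all(|c| c.is_ascii_alphabetic())
}

/// Parse `kind:code` or `kind:file:code`. `default_file` (hypothetical
/// parameter) is used when the filter names no file.
pub fn parse_external_filter(filter: &str, default_file: &str) -> Result<ExternalFilter, FilterError> {
    // The kind is everything before the FIRST ':'.
    let (kind, rest) = filter.split_once(':').ok_or(FilterError::MissingKind)?;
    if kind.is_empty() {
        return Err(FilterError::MissingKind);
    }
    // The code is everything after the LAST ':'. Whatever sits in between is
    // the path, so a drive-letter ':' stays inside it.
    let (file, code) = match rest.rsplit_once(':') {
        // `site:C:\geosite.dat`: the only ':' left belongs to the drive
        // letter, so the rule has a path but no code.
        Some((f, c)) if is_drive_letter(f) && (c.starts_with('\\') || c.starts_with('/')) => {
            return Err(FilterError::MissingCode);
        }
        Some((f, c)) => (f, c),
        None => (default_file, rest),
    };
    if code.is_empty() {
        return Err(FilterError::MissingCode);
    }
    if file.is_empty() {
        return Err(FilterError::EmptyFile);
    }
    Ok(ExternalFilter { kind: kind.into(), file: file.into(), code: code.into() })
}

fn main() {
    // Constructed inputs; the first is the filter from the report above.
    for f in [r"site:C:\Users\Perqin\geosite.dat:cn", "site:geosite.dat:cn", "site:cn", r"site:C:\geosite.dat"] {
        println!("{:<40} -> {:?}", f, parse_external_filter(f, "site.dat"));
    }
}
```

A drive-letter path with no code (`site:C:\geosite.dat`) is rejected rather than silently parsed as file `C` and code `\geosite.dat`.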
  • [Feature Request] Support manual select proxy group

    leaf already has a wide variety of proxy groups, but there is no select proxy group. Because this feature is missing, the user cannot adjust manually and has to rely on the program's algorithm. I think it is necessary to add this feature.

    opened by EkkoG 17
  • Infinity loop after tun inbound setup

    Run leaf with config

    tun = utun8, 172.16.0.2, 255.255.255.0, 172.16.0.1, 1500
    
    ifconfig utun7 172.16.0.2 netmask 255.255.255.0 172.16.0.1
    
    route delete default
    route delete default -ifscope en0
    route add default 172.16.0.1
    route add default 192.168.xx.1 -ifscope en0
    networksetup -setdnsservers Ethernet 172.16.0.1
    

    Log: these logs repeat thousands of times in a few seconds. Is this a bug, or is my setup wrong?

    [2021-04-08 00:45:21][INFO] inbound listening tcp 127.0.0.1:1086
    [2021-04-08 00:45:21][INFO] inbound listening udp 127.0.0.1:1086
    [2021-04-08 00:45:21][INFO] inbound listening tcp 127.0.0.1:1087
    [2021-04-08 00:45:21][INFO] tun inbound started
    [2021-04-08 00:45:27][DEBUG] added udp session 172.16.0.2:59845 -> 172.16.0.1:53 (1)
    [2021-04-08 00:45:27][DEBUG] [172.16.0.1] matches ip-cidr [172.16.0.0/16]
    [2021-04-08 00:45:27][DEBUG] picked route [Direct] for 172.16.0.2:59845 -> 172.16.0.1:53
    [2021-04-08 00:45:27][INFO] [tun] [udp] [Direct] [0ms] 172.16.0.1:53
    [2021-04-08 00:45:27][DEBUG] added udp session 172.16.0.2:53843 -> 172.16.0.1:53 (2)
    [2021-04-08 00:45:27][DEBUG] added udp session 172.16.0.2:57597 -> 172.16.0.1:53 (3)
    [2021-04-08 00:45:27][DEBUG] [172.16.0.1] matches ip-cidr [172.16.0.0/16]
    [2021-04-08 00:45:27][DEBUG] picked route [Direct] for 172.16.0.2:53843 -> 172.16.0.1:53
    [2021-04-08 00:45:27][INFO] [tun] [udp] [Direct] [0ms] 172.16.0.1:53
    [2021-04-08 00:45:27][DEBUG] [172.16.0.1] matches ip-cidr [172.16.0.0/16]
    
    opened by EkkoG 16
  • [question] leaf 0.3.1 seems not working on linux

    I'm not familiar with leaf, here is my testing:

    os: ubuntu 1804
    leaf version: 0.3.1 (9afcc27 - 2021-05-07 17:55:14 +0800)
    conf:

    [General]
    loglevel = trace
    dns-server = 114.114.114.114, 223.5.5.5
    routing-domain-resolve = true
    #always-real-ip = *
    #dns-interface = 192.168.31.244
    
    # Local SOCKS5 proxy with UDP Associate support
    socks-interface = 127.0.0.1
    socks-port = 1086
    
    # TUN interface
    #tun = tun2, 10.255.0.2, 255.255.255.0, 10.255.0.1, 1500
    
    [Proxy]
    Socks = socks, 47.110.x.x, 8118, interface=192.168.31.244
    Direct = direct, interface=192.168.31.244
    Reject = reject
    
    [Rule]
    IP-CIDR, 223.5.5.5/32, Direct
    IP-CIDR, 114.114.114.114/32, Direct
    IP-CIDR, 192.168.0.0/16, Direct
    IP-CIDR, 10.0.0.0/8, Direct
    IP-CIDR, 172.16.0.0/12, Direct
    DOMAIN, www.baidu.com, Socks
    DOMAIN-SUFFIX, sina.com, Socks
    DOMAIN-KEYWORD, sina, Socks
    PORT-RANGE, 3478-3478, Socks
    
    FINAL, Reject
    

    I ran with ./leaf -c /etc/leaf.conf

    start with options:
    StartOptions {
        config: File(
            "/etc/leaf.conf",
        ),
        auto_reload: false,
        runtime_opt: MultiThreadAuto(
            131072,
        ),
    }
    [2021-05-27 10:53:37][DEBUG] default handler [Reject]
    [2021-05-27 10:53:37][TRACE] add handler [Reject]
    [2021-05-27 10:53:37][TRACE] add handler [Socks]
    [2021-05-27 10:53:37][TRACE] add handler [Direct]
    [2021-05-27 10:53:37][INFO] inbound listening tcp 127.0.0.1:1086
    [2021-05-27 10:53:37][INFO] inbound listening udp 127.0.0.1:1086
    

    Then I tested with curl www.baidu.com, and no packet was captured on my remote socks server (47.110.x.x).

    Did I miss something? Any suggestion will be appreciated.

    opened by gjmzj 12
  • The Issue with Trojan Uploading

    When I use Leaf Trojan to test on speedtest, the download will reach 200+Mbps, but the upload will reach 30+Mbps and drop to 1Mbps immediately.

    When I use Leaf SS to test on speedtest, the download will reach 200+Mbps, the upload will reach 30+Mbps and remain the speed until it's finished testing.

    When I use Trojan-qt5 and same Trojan server to test on speedtest, the download will reach 200+Mbps, the upload will reach 30+Mbps and remain the speed until it's finished testing.

    When I use WireShark to check the activities, I see there are tons of TCP Out of Order, TCP Dup Ack and TCP retransmission when it's uploading.

    I use a MacBook and all tests were done outside of China. I see there are several issues talking about the uploading issue. When they upload videos or images to YouTube or Instagram, it gets stuck.

    Hope this can help. I wish I knew more Rust.

    opened by giftedunicorn 9
  • Can't create a fallback group with two groups

    Proxy=select,Fffff, AllSelect, Fallback, Failover, Tryall, HKAuto, Random
    HKAuto=url-test, x1.0香港-中转1, x1.0香港-中转2, x1.0香港-中转3, x1.0香港-中转4, x1.0香港-中转5, x1.0香港-中转6, x1.0香港1, x1.0香港2, x1.0香港3, x1.0香港4, x1.0香港5, x1.0香港6, 香港丨专线丨HKBN丨1x, 香港丨专线丨HGC丨1x, 香港丨专线丨NTT丨1x, interval=60, timeout=5
    Fallback=fallback, x1.0香港-中转1, x1.0香港-中转2, x1.0香港-中转3, x1.0香港-中转4, x1.0香港-中转5, x1.0香港-中转6, x1.0香港1, x1.0香港2, x1.0香港3, x1.0香港4, x1.0香港5, x1.0香港6, 香港丨专线丨HKBN丨1x, 香港丨专线丨HGC丨1x, 香港丨专线丨NTT丨1x, interval=600, timeout=5
    Failover=failover, x1.0香港-中转1, x1.0香港-中转2, x1.0香港-中转3, x1.0香港-中转4, x1.0香港-中转5, x1.0香港-中转6, x1.0香港1, x1.0香港2, x1.0香港3, x1.0香港4, x1.0香港5, x1.0香港6, 香港丨专线丨HKBN丨1x, 香港丨专线丨HGC丨1x, 香港丨专线丨NTT丨1x, health-check=true, check-interval=600, fail-timeout=5, failover=true
    Tryall=tryall, x1.0香港-中转1, x1.0香港-中转2, x1.0香港-中转3, x1.0香港-中转4, x1.0香港-中转5, x1.0香港-中转6, x1.0香港1, x1.0香港2, x1.0香港3, x1.0香港4, x1.0香港5, x1.0香港6, 香港丨专线丨HKBN丨1x, 香港丨专线丨HGC丨1x, 香港丨专线丨NTT丨1x,  delay-base=0
    Random=random, x1.0香港-中转1, x1.0香港-中转2, x1.0香港-中转3, x1.0香港-中转4, x1.0香港-中转5, x1.0香港-中转6, x1.0香港1, x1.0香港2, x1.0香港3, x1.0香港4, x1.0香港5, x1.0香港6, 香港丨专线丨HKBN丨1x, 香港丨专线丨HGC丨1x, 香港丨专线丨NTT丨1x
    AllSelect=select, x1.0香港-中转1, x1.0香港-中转2, x1.0香港-中转3, x1.0香港-中转4, x1.0香港-中转5, x1.0香港-中转6, x1.0香港1, x1.0香港2, x1.0香港3, x1.0香港4, x1.0香港5, x1.0香港6, 香港丨专线丨HKBN丨1x, 香港丨专线丨HGC丨1x, 香港丨专线丨NTT丨1x
    Fffff=fallback, AllSelect, HKAuto
    

    If Fffff exists and is in the Proxy group, Proxy returns {"selected":null} when queried with the get select API, and the Proxy group's selection can't be set.

    needs investigation 
    opened by EkkoG 9
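  • The iOS static library built from the latest code hits the PacketTunnel 15M memory crash problem

    With the iOS static library built from the official 0.3.1 release, I never ran into the VPN crashing when uploading large files, and testing upload speed with speedtest was fine too. However, version 0.3.1 often feels laggy on iPhone, especially on web pages that reference a lot of domains. Since I don't know how to debug this, I can only guess that there is some problem with UDP or DNS resolution.

    Over the past two days I saw that leaf had been updated, so I tried building a new iOS library. In testing, page loading is very smooth and the lag is gone. But I found that uploading three or more images in apps such as Telegram fails. When testing with Speedtest, leaf crashes at the 15M memory limit as soon as the upload test phase starts.

    Many people have discussed the iOS NE 15M memory limit before. I hope leaf can solve this problem in the next official release.

    If an expert can point out some directions to investigate, I would also like to contribute to solving this problem.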

    opened by stoneport 8
  • macOS non-NE, dmg version

    On the Mac, under Network -> Advanced -> Proxies, the https/http/socks proxies are checked and match the proxy in the configuration file.

    When I open the App Store version of tg without using tg's built-in proxy feature, the following error messages appear in the log. With tg's built-in proxy turned on, it connects normally.

    [2021-04-23 19:58:34][DEBUG] accept conn failed: invalid HTTP method parsed
    [2021-04-23 19:58:34][DEBUG] handle inbound tcp failed: Custom { kind: Other, error: "unspecified" }
    [2021-04-23 19:58:34][DEBUG] accept conn failed: invalid HTTP method parsed
    [2021-04-23 19:58:34][DEBUG] handle inbound tcp failed: Custom { kind: Other, error: "unspecified" }
    [2021-04-23 19:58:34][DEBUG] accept conn failed: invalid HTTP method parsed
    [2021-04-23 19:58:34][DEBUG] handle inbound tcp failed: Custom { kind: Other, error: "unspecified" }

    opened by alsojin0806 8
  • Need root permissions when using tun feature

    System: macOS 11.1
    leaf version: v0.2.14

    [2021-04-07 18:29:57][INFO] inbound listening tcp 127.0.0.1:1086
    [2021-04-07 18:29:57][INFO] inbound listening udp 127.0.0.1:1086
    [2021-04-07 18:29:57][INFO] inbound listening tcp 127.0.0.1:1087
    thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Io(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })', leaf/src/proxy/tun/inbound.rs:75:46
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
    

    Does this feature require root permission?

    opened by EkkoG 8
  • resolveDomain option in the router not working properly

    When I enable the domainResolve option in routing, I can't access blocked sites because my ISP changes the DNS response, because the DNS client creates a UDP socket and the UDP socket is protected from the Android VPN service.

    opened by mokhtarabadi 7
  • Compile error with the latest code

    error[E0658]: use of unstable library feature 'vec_spare_capacity'
       --> /Users/chending/.cargo/registry/src/github.com-1ecc6299db9ec823/protobuf-3.2.0/src/coded_output_stream/mod.rs:179:53
        |
    179 |     self.buffer = OutputBuffer::new(vec.spare_capacity_mut());
        |                                         ^^^^^^^^^^^^^^^^^^
        |
        = note: see issue #75017 https://github.com/rust-lang/rust/issues/75017 for more information

    opened by ding2chen 4
  • Possible typos in the example conf?

    In the example configuration file,

    # fallback is equivalent to failover
    Fallback = fallback, Trojan, VMessWSS, SS, interval=600, timeout=5
    
    # url-test is equivalent to failover with failover=false
    UrlTest = url-test, Trojan, VMessWSS, SS, interval=600, timeout=5
    

    It seems like interval and timeout should be check-interval and fail-timeout instead?

    Random = random, Trojan, VMessWSS
    

    random has been superseded by static?

    opened by bdbai 0
  • UDP over socks outbound

    Are there any plans to support UDP over the socks outbound? UDP traffic seems not to be proxied to a socks outbound even if the socks proxy has support for UDP ASSOCIATE. Thanks.

    opened by mukswilly 2
Releases(v0.6.0)
Web3-proxy: a fast caching and load balancing proxy for web3 (Ethereum or similar) JsonRPC servers.

web3-proxy Web3-proxy is a fast caching and load balancing proxy for web3 (Ethereum or similar) JsonRPC servers. Signed transactions (eth_sendRawTrans

null 49 Nov 14, 2022
A fast, stable, efficient, and lightweight intranet penetration, port forwarding tool supports multiple connections, cascading proxy, and transmission encryption

A fast, stable, efficient, and lightweight intranet penetration, port forwarding tool supports multiple connections, cascading proxy, and transmission encryption

editso 1.2k Nov 30, 2022
Proxy sentry request to a sentry server using a tunnel/proxy endpoint

Sentry Tunnel This is a proxy that forwards tunneled sentry requests to the real sentry server. The implementation is based on the explanation provide

Paul FLORENCE 11 Oct 15, 2022
Lightweight proxy that allows redirect HTTP(S) traffic through a proxy.

Proxyswarm Proxyswarm is a lightweight proxy that allows redirect HTTP(S) traffic through a proxy. WARNING: This app isn't recommended for download lar

Jorge Alejandro Jimenez Luna 4 Apr 16, 2022
A TCP proxy using HTTP - Reach SSH behind a Nginx reverse proxy

TCP over HTTP The Questions What does it do? You can proxy TCP traffic over HTTP. A basic setup would be: [Your TCP target] <--TCP-- [Exit No

Julian 182 Nov 2, 2022
♻ A simple and efficient Gemini-to-HTTP proxy written in Rust.

September A simple and efficient Gemini-to-HTTP proxy written in Rust. Usage Docker $ docker run -d [ -e ROOT="gemini://fuwn.me" ] [ -e PORT="8080"] [

GemRest 10 Jul 2, 2022
🤖 brwrs is a new protocol running over TCP/IP that is intended to be a suitable candidate for terminal-only servers

brwrs is a new protocol running over TCP/IP that is intended to be a suitable candidate for terminal-only servers (plain text data). That is, although it can be accessed from a browser, brwrs will not correctly interpret the browser's GET request.

daCoUSB 3 Jul 30, 2021
Basic chat example to demonstrate I/O and other rust features.

Basic chat Provides basic chat functions: create room send messages to room fetch room's messages Components STP - custom string transfer protocol lib

f3kilo 8 Jul 21, 2022
A proxy implement with http / socks5 in-bound and vmess out-bound, written in Rust and tokio.rs

tokio-vmess an Asynchronous proxy implement with http / socks5 in-bound and vmess out-bound, written in Rust and tokio Run example first, Fill out the

irumeria 7 Oct 3, 2022
Simple and fast layer 4 proxy in Rust

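Fourth This one is at layer four. English Fourth is a Layer 4 proxy implemented in Rust that listens for TCP traffic on specified ports and forwards it to specified targets according to rules. Features Listen on a specified port and proxy to a specified local or remote port Listen on a specified port and route by the SNI in the TLS ClientHello message Installation To make sure you get your architecture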

Rui Li 17 Nov 8, 2022
Drop-in proxy for Discord gateway connections and sessions allowing for zero downtime deploys

gateway-proxy This is a very hacky project, so it might stop working if Discord changes their API core. This is unlikely, but keep that in mind while

Jens Reidel 38 Nov 10, 2022
A remote shell, TCP tunnel and HTTP proxy for Replit.

Autobahn A remote shell, TCP tunnel and HTTP proxy for Replit. Hybrid SSH/HTTP server for Replit. Based on leon332157/replish. Autobahn runs a WebSock

Patrick Winters 12 Sep 24, 2022
Image proxy and embed generator.

January Description Image proxy and metadata scraper. Features: Can scrape metadata from websites, e.g. OpenGraph Can scrape embeds from websites, e.g

Revolt 25 Oct 14, 2022
A fast and stable reverse proxy for NAT traversal, written in Rust

rathole A fast and stable reverse proxy for NAT traversal, written in Rust rathole, like frp, can help to expose the service on the device behind the

Yujia Qiao 4.4k Nov 30, 2022
🔌 A curseforge proxy server, keeping your API key safe and sound.

CFPROXY - The curseforge proxy server Curseforge has locked down their API and now restricts access without authentication. This spells trouble f

null 6 Nov 7, 2022
Reverse proxy for HTTP microservices and STDIO. OpenFaaS watchdog which can run webassembly with wasmer-gpu written in rust.

The of-watchdog implements an HTTP server listening on port 8080, and acts as a reverse proxy for running functions and microservices. It can be used independently, or as the entrypoint for a container with OpenFaaS.

yanghaku 7 Sep 15, 2022
An asynchronous dumb exporter proxy for prometheus. This aggregates all the metrics and exposes as a single scrape endpoint.

A dumb light weight asynchronous exporter proxy This is a dumb lightweight asynchronous exporter proxy that will help to expose multiple application m

Dark streams 3 Aug 1, 2022
A multi-connection TCP reverse proxy server and client.

tprox A multi-connection TCP reverse proxy. The tprox server is able to proxy multiple incoming connections to the tprox client over a single TCP conn

Mohammed Ajmal Siddiqui 4 Sep 21, 2022
Flexible DNS hijacking and proxy tool.

kungfu Flexible DNS hijacking and proxy tool. Features Flexible rules e.g. glob pattern domain, static routes, response CIDR Host file include /etc/ho

yinheli 26 Nov 5, 2022