feat: 支持 Loon Hysteria2 salamander 混淆

feat: 读取节点的 ca-str 和 _ca (后端文件路径) 字段, 自动计算 fingerprint
feat: Stash 支持 juicity, ssh
2025-08-10 00:52:40 +00:00 · 2024-06-16 21:49:13 +08:00 · 2024-06-13 20:44:12 +08:00 · 2024-06-12 15:16:56 +08:00 · 2024-06-10 19:10:57 +08:00 · 2024-06-10 19:07:19 +08:00
19 changed files with 119 additions and 38 deletions
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ Core functionalities:
 - [x] Surfboard (SS, VMess, Trojan, HTTP, SOCKS5, SOCKS5-TLS, WireGuard(Surfboard to Surfboard))
 - [x] Shadowrocket (SS, SSR, VMess, Trojan, HTTP, SOCKS5, Snell, VLESS, WireGuard, Hysteria, Hysteria 2, TUIC)
 - [x] Clash.Meta (SS, SSR, VMess, Trojan, HTTP, SOCKS5, Snell, VLESS, WireGuard, Hysteria, Hysteria 2, TUIC)
- [x] Stash (SS, SSR, VMess, Trojan, HTTP, SOCKS5, Snell, VLESS, WireGuard, Hysteria, TUIC)
+- [x] Stash (SS, SSR, VMess, Trojan, HTTP, SOCKS5, Snell, VLESS, WireGuard, Hysteria, TUIC, Juicity, SSH)
 - [x] Clash (SS, SSR, VMess, Trojan, HTTP, SOCKS5, Snell, VLESS, WireGuard)

 ### Supported Target Platforms
--- a/backend/package.json
+++ b/backend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "sub-store",
-  "version": "2.14.333",
+  "version": "2.14.340",
  "description": "Advanced Subscription Manager for QX, Loon, Surge, Stash and ShadowRocket.",
  "main": "src/main.js",
  "scripts": {
@@ -25,6 +25,7 @@
    "express": "^4.17.1",
    "http-proxy-middleware": "^2.0.6",
    "js-base64": "^3.7.2",
+    "jsrsasign": "^11.1.0",
    "lodash": "^4.17.21",
    "request": "^2.88.2",
    "requests": "^0.3.0",
--- a/backend/pnpm-lock.yaml
+++ b/backend/pnpm-lock.yaml
@@ -29,6 +29,9 @@ dependencies:
  js-base64:
    specifier: ^3.7.2
    version: registry.npmmirror.com/js-base64@3.7.2
+  jsrsasign:
+    specifier: ^11.1.0
+    version: registry.npmmirror.com/jsrsasign@11.1.0
  lodash:
    specifier: ^4.17.21
    version: registry.npmmirror.com/lodash@4.17.21
@@ -6634,6 +6637,12 @@ packages:
      verror: registry.npmmirror.com/verror@1.10.0
    dev: false

+  registry.npmmirror.com/jsrsasign@11.1.0:
+    resolution: {integrity: sha512-Ov74K9GihaK9/9WncTe1mPmvrO7Py665TUfUKvraXBpu+xcTWitrtuOwcjf4KMU9maPaYn0OuaWy0HOzy/GBXg==, registry: http://registry.npm.taobao.org/, tarball: https://registry.npmmirror.com/jsrsasign/-/jsrsasign-11.1.0.tgz}
+    name: jsrsasign
+    version: 11.1.0
+    dev: false
+
  registry.npmmirror.com/just-debounce@1.1.0:
    resolution: {integrity: sha512-qpcRocdkUmf+UTNBYx5w6dexX5J31AKK1OmPwH630a83DdVVUIngk55RSAiIGpQyoH0dlr872VHfPjnQnK1qDQ==, registry: http://registry.npm.taobao.org/, tarball: https://registry.npmmirror.com/just-debounce/-/just-debounce-1.1.0.tgz}
    name: just-debounce
--- a/backend/src/core/proxy-utils/index.js
+++ b/backend/src/core/proxy-utils/index.js
@@ -1,3 +1,4 @@
+import rs from '@/utils/rs';
 import YAML from '@/utils/yaml';
 import download from '@/utils/download';
 import {
@@ -83,7 +84,7 @@ async function processFn(proxies, operators = [], targetPlatform, source) {
            const { mode, content } = item.args;
            if (mode === 'link') {
                let noCache;
-                let url = content;
+                let url = content || '';
                if (url.endsWith('#noCache')) {
                    url = url.replace(/#noCache$/, '');
                    noCache = true;
@@ -338,7 +339,11 @@ function lastParse(proxy) {
            proxy.network = 'tcp';
        }
    }
-    if (['trojan', 'tuic', 'hysteria', 'hysteria2'].includes(proxy.type)) {
+    if (
+        ['trojan', 'tuic', 'hysteria', 'hysteria2', 'juicity'].includes(
+            proxy.type,
+        )
+    ) {
        proxy.tls = true;
    }
    if (proxy.network) {
@@ -459,6 +464,25 @@ function lastParse(proxy) {
    if (['', 'off'].includes(proxy.sni)) {
        proxy['disable-sni'] = true;
    }
+    let caStr = proxy['ca_str'];
+    if (proxy['ca-str']) {
+        caStr = proxy['ca-str'];
+    } else if (caStr) {
+        delete proxy['ca_str'];
+        proxy['ca-str'] = caStr;
+    }
+    try {
+        if ($.env.isNode && !caStr && proxy['_ca']) {
+            caStr = $.node.fs.readFileSync(proxy['_ca'], {
+                encoding: 'utf8',
+            });
+        }
+    } catch (e) {
+        $.error(`Read ca file failed\nReason: ${e}`);
+    }
+    if (!proxy['tls-fingerprint'] && caStr) {
+        proxy['tls-fingerprint'] = rs.generateFingerprint(caStr);
+    }
    return proxy;
 }

--- a/backend/src/core/proxy-utils/parsers/peggy/loon.js
+++ b/backend/src/core/proxy-utils/parsers/peggy/loon.js
@@ -68,7 +68,7 @@ trojan = tag equals "trojan"i address password (transport/transport_host/transpo
    proxy.type = "trojan";
    handleTransport();
 }
-hysteria2 = tag equals "hysteria2"i address password (tls_host/tls_verification/udp_relay/fast_open/download_bandwidth/ecn/others)* {
+hysteria2 = tag equals "hysteria2"i address password (tls_host/tls_verification/udp_relay/fast_open/download_bandwidth/salamander_password/ecn/others)* {
    proxy.type = "hysteria2";
 }
 https = tag equals "https"i address (username password)? (tls_host/tls_verification/fast_open/udp_relay/others)* {
@@ -178,6 +178,7 @@ udp_relay = comma "udp" equals flag:bool { proxy.udp = flag; }

 ecn = comma "ecn" equals flag:bool { proxy.ecn = flag; }
 download_bandwidth = comma "download-bandwidth" equals match:[^,]+ { proxy.down = match.join(""); }
+salamander_password = comma "salamander-password" equals match:[^,]+ { proxy['obfs-password'] = match.join(""); proxy.obfs = 'salamander'; }

 tag = match:[^=,]* { proxy.name = match.join("").trim(); }
 comma = _ "," _
--- a/backend/src/core/proxy-utils/parsers/peggy/loon.peg
+++ b/backend/src/core/proxy-utils/parsers/peggy/loon.peg
@@ -66,7 +66,7 @@ trojan = tag equals "trojan"i address password (transport/transport_host/transpo
    proxy.type = "trojan";
    handleTransport();
 }
-hysteria2 = tag equals "hysteria2"i address password (tls_host/tls_verification/udp_relay/fast_open/download_bandwidth/ecn/others)* {
+hysteria2 = tag equals "hysteria2"i address password (tls_host/tls_verification/udp_relay/fast_open/download_bandwidth/salamander_password/ecn/others)* {
    proxy.type = "hysteria2";
 }
 https = tag equals "https"i address (username password)? (tls_host/tls_verification/fast_open/udp_relay/others)* {
@@ -176,6 +176,7 @@ udp_relay = comma "udp" equals flag:bool { proxy.udp = flag; }

 ecn = comma "ecn" equals flag:bool { proxy.ecn = flag; }
 download_bandwidth = comma "download-bandwidth" equals match:[^,]+ { proxy.down = match.join(""); }
+salamander_password = comma "salamander-password" equals match:[^,]+ { proxy['obfs-password'] = match.join(""); proxy.obfs = 'salamander'; }

 tag = match:[^=,]* { proxy.name = match.join("").trim(); }
 comma = _ "," _
--- a/backend/src/core/proxy-utils/producers/clash.js
+++ b/backend/src/core/proxy-utils/producers/clash.js
@@ -133,9 +133,13 @@ export default function Clash_Producer() {
                    }
                }
                if (
-                    ['trojan', 'tuic', 'hysteria', 'hysteria2'].includes(
-                        proxy.type,
-                    )
+                    [
+                        'trojan',
+                        'tuic',
+                        'hysteria',
+                        'hysteria2',
+                        'juicity',
+                    ].includes(proxy.type)
                ) {
                    delete proxy.tls;
                }
--- a/backend/src/core/proxy-utils/producers/clashmeta.js
+++ b/backend/src/core/proxy-utils/producers/clashmeta.js
@@ -149,9 +149,13 @@ export default function ClashMeta_Producer() {
                    }
                }
                if (
-                    ['trojan', 'tuic', 'hysteria', 'hysteria2'].includes(
-                        proxy.type,
-                    )
+                    [
+                        'trojan',
+                        'tuic',
+                        'hysteria',
+                        'hysteria2',
+                        'juicity',
+                    ].includes(proxy.type)
                ) {
                    delete proxy.tls;
                }
--- a/backend/src/core/proxy-utils/producers/loon.js
+++ b/backend/src/core/proxy-utils/producers/loon.js
@@ -408,8 +408,8 @@ function wireguard(proxy) {
 }

 function hysteria2(proxy) {
-    if (proxy.obfs || proxy['obfs-password']) {
-        throw new Error(`obfs is unsupported`);
+    if (proxy['obfs-password'] && proxy.obfs != 'salamander') {
+        throw new Error(`only salamander obfs is supported`);
    }
    const result = new Result(proxy);
    result.append(`${proxy.name}=Hysteria2,${proxy.server},${proxy.port}`);
@@ -423,6 +423,10 @@ function hysteria2(proxy) {
        'skip-cert-verify',
    );

+    if (proxy['obfs-password'] && proxy.obfs == 'salamander') {
+        result.append(`,salamander-password="${proxy['obfs-password']}"`);
+    }
+
    // tfo
    result.appendIfPresent(`,fast-open=${proxy.tfo}`, 'tfo');

--- a/backend/src/core/proxy-utils/producers/shadowrocket.js
+++ b/backend/src/core/proxy-utils/producers/shadowrocket.js
@@ -152,9 +152,13 @@ export default function ShadowRocket_Producer() {
                    }
                }
                if (
-                    ['trojan', 'tuic', 'hysteria', 'hysteria2'].includes(
-                        proxy.type,
-                    )
+                    [
+                        'trojan',
+                        'tuic',
+                        'hysteria',
+                        'hysteria2',
+                        'juicity',
+                    ].includes(proxy.type)
                ) {
                    delete proxy.tls;
                }
--- a/backend/src/core/proxy-utils/producers/sing-box.js
+++ b/backend/src/core/proxy-utils/producers/sing-box.js
@@ -202,8 +202,8 @@ const tlsParser = (proxy, parsedProxy) => {
        parsedProxy.tls.alpn = [proxy.alpn];
    } else if (Array.isArray(proxy.alpn)) parsedProxy.tls.alpn = proxy.alpn;
    if (proxy.ca) parsedProxy.tls.certificate_path = `${proxy.ca}`;
-    if (proxy.ca_str) parsedProxy.tls.certificate = proxy.ca_sStr;
-    if (proxy['ca-str']) parsedProxy.tls.certificate = proxy['ca-str'];
+    if (proxy.ca_str) parsedProxy.tls.certificate = [proxy.ca_str];
+    if (proxy['ca-str']) parsedProxy.tls.certificate = [proxy['ca-str']];
    if (proxy['client-fingerprint'] && proxy['client-fingerprint'] !== '')
        parsedProxy.tls.utls = {
            enabled: true,
--- a/backend/src/core/proxy-utils/producers/stash.js
+++ b/backend/src/core/proxy-utils/producers/stash.js
@@ -21,6 +21,8 @@ export default function Stash_Producer() {
                        'wireguard',
                        'hysteria',
                        'hysteria2',
+                        'ssh',
+                        'juicity',
                    ].includes(proxy.type) ||
                    (proxy.type === 'ss' &&
                        ![
@@ -232,9 +234,13 @@ export default function Stash_Producer() {
                    }
                }
                if (
-                    ['trojan', 'tuic', 'hysteria', 'hysteria2'].includes(
-                        proxy.type,
-                    )
+                    [
+                        'trojan',
+                        'tuic',
+                        'hysteria',
+                        'hysteria2',
+                        'juicity',
+                    ].includes(proxy.type)
                ) {
                    delete proxy.tls;
                }
--- a/backend/src/core/proxy-utils/producers/uri.js
+++ b/backend/src/core/proxy-utils/producers/uri.js
@@ -16,7 +16,11 @@ export default function URI_Producer() {
                delete proxy[key];
            }
        }
-        if (['trojan', 'tuic', 'hysteria', 'hysteria2'].includes(proxy.type)) {
+        if (
+            ['trojan', 'tuic', 'hysteria', 'hysteria2', 'juicity'].includes(
+                proxy.type,
+            )
+        ) {
            delete proxy.tls;
        }
        if (proxy.server && isIPv6(proxy.server)) {
--- a/backend/src/restful/download.js
+++ b/backend/src/restful/download.js
@@ -123,10 +123,11 @@ async function downloadSubscription(req, res) {
                ['localFirst', 'remoteFirst'].includes(sub.mergeSources)
            ) {
                try {
-                    url = `${url || sub.url}`
-                        .split(/[\r\n]+/)
-                        .map((i) => i.trim())
-                        .filter((i) => i.length)?.[0];
+                    url =
+                        `${url || sub.url}`
+                            .split(/[\r\n]+/)
+                            .map((i) => i.trim())
+                            .filter((i) => i.length)?.[0] || '';

                    let $arguments = {};
                    const rawArgs = url.split('#');
@@ -283,10 +284,11 @@ async function downloadCollection(req, res) {
                    ['localFirst', 'remoteFirst'].includes(sub.mergeSources)
                ) {
                    try {
-                        let url = `${sub.url}`
-                            .split(/[\r\n]+/)
-                            .map((i) => i.trim())
-                            .filter((i) => i.length)?.[0];
+                        let url =
+                            `${sub.url}`
+                                .split(/[\r\n]+/)
+                                .map((i) => i.trim())
+                                .filter((i) => i.length)?.[0] || '';

                        let $arguments = {};
                        const rawArgs = url.split('#');
--- a/backend/src/restful/subscriptions.js
+++ b/backend/src/restful/subscriptions.js
@@ -34,6 +34,11 @@ export default function register($app) {
 async function getFlowInfo(req, res) {
    let { name } = req.params;
    name = decodeURIComponent(name);
+    let { url } = req.query;
+    if (url) {
+        url = decodeURIComponent(url);
+        $.info(`指定远程订阅 URL: ${url}`);
+    }
    const allSubs = $.read(SUBS_KEY);
    const sub = findByName(allSubs, name);
    if (!sub) {
@@ -68,10 +73,11 @@ async function getFlowInfo(req, res) {
        return;
    }
    try {
-        let url = `${sub.url}`
-            .split(/[\r\n]+/)
-            .map((i) => i.trim())
-            .filter((i) => i.length)?.[0];
+        url =
+            `${url || sub.url}`
+                .split(/[\r\n]+/)
+                .map((i) => i.trim())
+                .filter((i) => i.length)?.[0] || '';

        let $arguments = {};
        const rawArgs = url.split('#');
--- a/backend/src/utils/download.js
+++ b/backend/src/utils/download.js
@@ -15,7 +15,7 @@ import $ from '@/core/app';
 const tasks = new Map();

 export default async function download(
-    rawUrl,
+    rawUrl = '',
    ua,
    timeout,
    proxy,
--- a/backend/src/utils/flow.js
+++ b/backend/src/utils/flow.js
@@ -11,7 +11,7 @@ export function getFlowField(headers) {
    return headers[subkey];
 }
 export async function getFlowHeaders(rawUrl, ua, timeout, proxy, flowUrl) {
-    let url = flowUrl || rawUrl;
+    let url = flowUrl || rawUrl || '';
    let $arguments = {};
    const rawArgs = url.split('#');
    url = url.split('#')[0];
--- a/backend/src/utils/rs.js
+++ b/backend/src/utils/rs.js
@@ -0,0 +1,11 @@
+import rs from 'jsrsasign';
+
+export function generateFingerprint(caStr) {
+    const hex = rs.pemtohex(caStr);
+    const fingerPrint = rs.KJUR.crypto.Util.hashHex(hex, 'sha256');
+    return fingerPrint.match(/.{2}/g).join(':').toUpperCase();
+}
+
+export default {
+    generateFingerprint,
+};
--- a/scripts/demo.js
+++ b/scripts/demo.js
@@ -103,7 +103,7 @@ function operator(proxies = [], targetPlatform, context) {
  // 4. 一个比较折腾的方案: 在脚本操作中, 把内容同步到另一个 gist
  // 见 https://t.me/zhetengsha/1428
  // 
-  // const content = ProxyUtils.produce(proxies, platform)
+  // const content = ProxyUtils.produce([...proxies], platform)

  // // YAML
  // ProxyUtils.yaml.load('YAML String')
Author	SHA1	Message	Date
xream	11d9ce7372	feat: 支持 Loon Hysteria2 salamander 混淆	2024-06-16 21:49:13 +08:00
xream	ad3d2270ac	feat: 读取节点的 ca-str 和 _ca (后端文件路径) 字段, 自动计算 fingerprint	2024-06-13 20:44:12 +08:00
xream	3ad42f2c10	feat: Stash 支持 juicity, ssh	2024-06-12 15:16:56 +08:00
xream	ec06eb8659	fix: sing-box tls cert 应该为数组	2024-06-10 19:10:57 +08:00
xream	4a23a4d8b6	fix: tlsParser typo	2024-06-10 19:07:19 +08:00
xream	913638a233	feat: /api/sub/flow/:name 接口支持指定远程订阅 url(可携带订阅 url 支持的参数, 例如 flowUserAgent)	2024-06-10 13:24:06 +08:00
xream	bf642ce0e6	fix: 兼容空的订阅链接	2024-06-09 01:42:40 +08:00
xream	1ecac9da92	chore: demo.js	2024-06-06 21:50:13 +08:00