Add toggle control for socks5 proxy and password protection for socks5 outbounds like naive #1166

Open
IdiotEbrilo wants to merge 6 commits into MatsuriDayo:main from IdiotEbrilo:add-proxy-controls-and-auth

@IdiotEbrilo commented Apr 14, 2026

The first part of this PR extends PRs #1154 and #1158

To improve security and to simplify configurations, a toggle control has been added to disable or enable the socks5 mixed-in proxy at once. With it there's no more need to create socks5-specific routes or add custom JSON rules to prevent IP leaks: you just have to toggle it off, and there will be no more mixed-in inbound, no matter whether it is password-protected or not.

Active socks5 controls and mixed-in inbounds:

[Screenshot: controls active] [Screenshot: inbounds with mixed-in]

Disabled socks5 controls and removed socks5 mixed-in proxy:

[Screenshot: controls inactive] [Screenshot: inbounds without mixed-in]

The second part adds password protection to socks5 outbounds like naive since they currently don't use any credentials and are extremely vulnerable to IP detection mechanisms.

Current naive auto-generated section without credentials and sample of IP detection:

[Screenshot: original naive config] [Screenshot: external IP detection with naive]

Auto-generated naive sections with randomly generated credentials:

[Screenshot: naive config with credentials]

@IdiotEbrilo (Author)

Refactored UI a bit to make it more intuitive

[Screenshot: Untitled] [Screenshot: Untitled1]

@ropucyka

Dude, even your screenshots are crooked, and you honestly don't get that something is wrong? I can't even imagine what good you could have cooked up in the code. "Юзернейм" - are we at the bazaar? Got any sunflower seeds? And what if I find some?

hawkff added a commit to hawkff/NekoBoxForAndroid that referenced this pull request Jun 20, 2026
* feat(security): authenticate naive local SOCKS loopback (MatsuriDayo#1166 part 2)

Generate per-port credentials for the naive external-plugin SOCKS listener and
dial it from the sing-box socks outbound with the same creds. Android does not
isolate 127.0.0.1 per app, so an unauthenticated plugin SOCKS listener could be
reached by any local app to leak the egress IP. Verified on-device: the naive
SOCKS port now rejects unauthenticated connections (curl: 'No authentication
method was acceptable') and accepts with creds.

Scoped to naive only; other external plugins (mieru/trojan-go/hysteria v1) need
separate per-plugin auth verification before enabling.

* review: address Greptile feedback (skip creds on export, rename shadowed params)

- ConfigBuilder: gate naive loopback creds on !forExport so the exported sing-box
  config stays credential-free and matches the credential-free exported naive config
  (ProxyEntity.buildNaiveConfig), avoiding a broken standalone export.
- NaiveFmt: rename buildNaiveConfig params username/password -> listenUsername/
  listenPassword to stop shadowing NaiveBean.username/.password receiver properties.
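
The on-device check described in the referenced commit (an unauthenticated client is refused, a client with credentials is accepted) comes down to the SOCKS5 method negotiation in RFC 1928. The following is an added example, not code from this PR or from either repository: it sends the greeting to a loopback listener and reports whether a client offering only "no authentication" is turned away. `start_stub_listener` is a constructed stand-in for a plugin listener so the check runs offline; all function names are hypothetical.

```python
import socket
import threading

NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF  # RFC 1928 method codes

def _recv_exact(sock, n):
    """Read up to n bytes, stopping early only if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def selected_method(host, port, offered, timeout=3.0):
    """Send a SOCKS5 greeting; return the method the server picks, or None if it hangs up."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bytes([0x05, len(offered), *offered]))
        reply = _recv_exact(s, 2)
    if len(reply) < 2:
        return None
    if reply[0] != 0x05:
        raise ValueError("listener did not answer with SOCKS version 5")
    return reply[1]

def rejects_unauthenticated(host, port):
    """True when a client that offers only NO_AUTH is refused (0xFF or connection closed)."""
    return selected_method(host, port, [NO_AUTH]) != NO_AUTH

def start_stub_listener(require_auth):
    """Constructed stand-in for a plugin's loopback listener; answers the greeting only."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port, assumption for the demo
    srv.listen()
    allowed = {USER_PASS} if require_auth else {NO_AUTH, USER_PASS}
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                head = _recv_exact(conn, 2)          # VER, NMETHODS
                offered = _recv_exact(conn, head[1])  # METHODS
                pick = next((m for m in offered if m in allowed), NO_ACCEPTABLE)
                conn.sendall(bytes([0x05, pick]))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for require_auth in (False, True):
        port = start_stub_listener(require_auth)
        print(f"require_auth={require_auth}: rejects_unauthenticated="
              f"{rejects_unauthenticated('127.0.0.1', port)}")
```

Run against a real plugin port on the device's loopback, `rejects_unauthenticated` returning `False` means any local app can use the listener without credentials.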