v1.0.0

2025-04-30 09:18:34 +00:00 · 2020-11-25 19:01:53 +08:00 · 2020-11-25 19:01:53 +08:00 · c7f7c08ead
commit c7f7c08ead
parent 47d23e9972
711 changed files with 82154 additions and 2 deletions
--- a/app/reverse/bridge.go
+++ b/app/reverse/bridge.go
@ -0,0 +1,194 @@
+// +build !confonly
+
+package reverse
+
+import (
+	"context"
+	"time"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/xtls/xray-core/v1/common/mux"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/session"
+	"github.com/xtls/xray-core/v1/common/task"
+	"github.com/xtls/xray-core/v1/features/routing"
+	"github.com/xtls/xray-core/v1/transport"
+	"github.com/xtls/xray-core/v1/transport/pipe"
+)
+
+// Bridge is a component in reverse proxy, that relays connections from Portal to local address.
+type Bridge struct {
+	dispatcher  routing.Dispatcher
+	tag         string
+	domain      string
+	workers     []*BridgeWorker
+	monitorTask *task.Periodic
+}
+
+// NewBridge creates a new Bridge instance.
+func NewBridge(config *BridgeConfig, dispatcher routing.Dispatcher) (*Bridge, error) {
+	if config.Tag == "" {
+		return nil, newError("bridge tag is empty")
+	}
+	if config.Domain == "" {
+		return nil, newError("bridge domain is empty")
+	}
+
+	b := &Bridge{
+		dispatcher: dispatcher,
+		tag:        config.Tag,
+		domain:     config.Domain,
+	}
+	b.monitorTask = &task.Periodic{
+		Execute:  b.monitor,
+		Interval: time.Second * 2,
+	}
+	return b, nil
+}
+
+func (b *Bridge) cleanup() {
+	var activeWorkers []*BridgeWorker
+
+	for _, w := range b.workers {
+		if w.IsActive() {
+			activeWorkers = append(activeWorkers, w)
+		}
+	}
+
+	if len(activeWorkers) != len(b.workers) {
+		b.workers = activeWorkers
+	}
+}
+
+func (b *Bridge) monitor() error {
+	b.cleanup()
+
+	var numConnections uint32
+	var numWorker uint32
+
+	for _, w := range b.workers {
+		if w.IsActive() {
+			numConnections += w.Connections()
+			numWorker++
+		}
+	}
+
+	if numWorker == 0 || numConnections/numWorker > 16 {
+		worker, err := NewBridgeWorker(b.domain, b.tag, b.dispatcher)
+		if err != nil {
+			newError("failed to create bridge worker").Base(err).AtWarning().WriteToLog()
+			return nil
+		}
+		b.workers = append(b.workers, worker)
+	}
+
+	return nil
+}
+
+func (b *Bridge) Start() error {
+	return b.monitorTask.Start()
+}
+
+func (b *Bridge) Close() error {
+	return b.monitorTask.Close()
+}
+
+type BridgeWorker struct {
+	tag        string
+	worker     *mux.ServerWorker
+	dispatcher routing.Dispatcher
+	state      Control_State
+}
+
+func NewBridgeWorker(domain string, tag string, d routing.Dispatcher) (*BridgeWorker, error) {
+	ctx := context.Background()
+	ctx = session.ContextWithInbound(ctx, &session.Inbound{
+		Tag: tag,
+	})
+	link, err := d.Dispatch(ctx, net.Destination{
+		Network: net.Network_TCP,
+		Address: net.DomainAddress(domain),
+		Port:    0,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	w := &BridgeWorker{
+		dispatcher: d,
+		tag:        tag,
+	}
+
+	worker, err := mux.NewServerWorker(context.Background(), w, link)
+	if err != nil {
+		return nil, err
+	}
+	w.worker = worker
+
+	return w, nil
+}
+
+func (w *BridgeWorker) Type() interface{} {
+	return routing.DispatcherType()
+}
+
+func (w *BridgeWorker) Start() error {
+	return nil
+}
+
+func (w *BridgeWorker) Close() error {
+	return nil
+}
+
+func (w *BridgeWorker) IsActive() bool {
+	return w.state == Control_ACTIVE && !w.worker.Closed()
+}
+
+func (w *BridgeWorker) Connections() uint32 {
+	return w.worker.ActiveConnections()
+}
+
+func (w *BridgeWorker) handleInternalConn(link transport.Link) {
+	go func() {
+		reader := link.Reader
+		for {
+			mb, err := reader.ReadMultiBuffer()
+			if err != nil {
+				break
+			}
+			for _, b := range mb {
+				var ctl Control
+				if err := proto.Unmarshal(b.Bytes(), &ctl); err != nil {
+					newError("failed to parse proto message").Base(err).WriteToLog()
+					break
+				}
+				if ctl.State != w.state {
+					w.state = ctl.State
+				}
+			}
+		}
+	}()
+}
+
+func (w *BridgeWorker) Dispatch(ctx context.Context, dest net.Destination) (*transport.Link, error) {
+	if !isInternalDomain(dest) {
+		ctx = session.ContextWithInbound(ctx, &session.Inbound{
+			Tag: w.tag,
+		})
+		return w.dispatcher.Dispatch(ctx, dest)
+	}
+
+	opt := []pipe.Option{pipe.WithSizeLimit(16 * 1024)}
+	uplinkReader, uplinkWriter := pipe.New(opt...)
+	downlinkReader, downlinkWriter := pipe.New(opt...)
+
+	w.handleInternalConn(transport.Link{
+		Reader: downlinkReader,
+		Writer: uplinkWriter,
+	})
+
+	return &transport.Link{
+		Reader: uplinkReader,
+		Writer: downlinkWriter,
+	}, nil
+}
--- a/app/reverse/config.go
+++ b/app/reverse/config.go
@ -0,0 +1,16 @@
+// +build !confonly
+
+package reverse
+
+import (
+	"crypto/rand"
+	"io"
+
+	"github.com/xtls/xray-core/v1/common/dice"
+)
+
+func (c *Control) FillInRandom() {
+	randomLength := dice.Roll(64)
+	c.Random = make([]byte, randomLength)
+	io.ReadFull(rand.Reader, c.Random)
+}
--- a/app/reverse/config.pb.go
+++ b/app/reverse/config.pb.go
@ -0,0 +1,439 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.14.0
+// source: app/reverse/config.proto
+
+package reverse
+
+import (
+	proto "github.com/golang/protobuf/proto"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type Control_State int32
+
+const (
+	Control_ACTIVE Control_State = 0
+	Control_DRAIN  Control_State = 1
+)
+
+// Enum value maps for Control_State.
+var (
+	Control_State_name = map[int32]string{
+		0: "ACTIVE",
+		1: "DRAIN",
+	}
+	Control_State_value = map[string]int32{
+		"ACTIVE": 0,
+		"DRAIN":  1,
+	}
+)
+
+func (x Control_State) Enum() *Control_State {
+	p := new(Control_State)
+	*p = x
+	return p
+}
+
+func (x Control_State) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (Control_State) Descriptor() protoreflect.EnumDescriptor {
+	return file_app_reverse_config_proto_enumTypes[0].Descriptor()
+}
+
+func (Control_State) Type() protoreflect.EnumType {
+	return &file_app_reverse_config_proto_enumTypes[0]
+}
+
+func (x Control_State) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use Control_State.Descriptor instead.
+func (Control_State) EnumDescriptor() ([]byte, []int) {
+	return file_app_reverse_config_proto_rawDescGZIP(), []int{0, 0}
+}
+
+type Control struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	State  Control_State `protobuf:"varint,1,opt,name=state,proto3,enum=xray.app.reverse.Control_State" json:"state,omitempty"`
+	Random []byte        `protobuf:"bytes,99,opt,name=random,proto3" json:"random,omitempty"`
+}
+
+func (x *Control) Reset() {
+	*x = Control{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_app_reverse_config_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Control) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Control) ProtoMessage() {}
+
+func (x *Control) ProtoReflect() protoreflect.Message {
+	mi := &file_app_reverse_config_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Control.ProtoReflect.Descriptor instead.
+func (*Control) Descriptor() ([]byte, []int) {
+	return file_app_reverse_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Control) GetState() Control_State {
+	if x != nil {
+		return x.State
+	}
+	return Control_ACTIVE
+}
+
+func (x *Control) GetRandom() []byte {
+	if x != nil {
+		return x.Random
+	}
+	return nil
+}
+
+type BridgeConfig struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Tag    string `protobuf:"bytes,1,opt,name=tag,proto3" json:"tag,omitempty"`
+	Domain string `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
+}
+
+func (x *BridgeConfig) Reset() {
+	*x = BridgeConfig{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_app_reverse_config_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *BridgeConfig) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*BridgeConfig) ProtoMessage() {}
+
+func (x *BridgeConfig) ProtoReflect() protoreflect.Message {
+	mi := &file_app_reverse_config_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use BridgeConfig.ProtoReflect.Descriptor instead.
+func (*BridgeConfig) Descriptor() ([]byte, []int) {
+	return file_app_reverse_config_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *BridgeConfig) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+func (x *BridgeConfig) GetDomain() string {
+	if x != nil {
+		return x.Domain
+	}
+	return ""
+}
+
+type PortalConfig struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Tag    string `protobuf:"bytes,1,opt,name=tag,proto3" json:"tag,omitempty"`
+	Domain string `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
+}
+
+func (x *PortalConfig) Reset() {
+	*x = PortalConfig{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_app_reverse_config_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PortalConfig) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PortalConfig) ProtoMessage() {}
+
+func (x *PortalConfig) ProtoReflect() protoreflect.Message {
+	mi := &file_app_reverse_config_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PortalConfig.ProtoReflect.Descriptor instead.
+func (*PortalConfig) Descriptor() ([]byte, []int) {
+	return file_app_reverse_config_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *PortalConfig) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+func (x *PortalConfig) GetDomain() string {
+	if x != nil {
+		return x.Domain
+	}
+	return ""
+}
+
+type Config struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	BridgeConfig []*BridgeConfig `protobuf:"bytes,1,rep,name=bridge_config,json=bridgeConfig,proto3" json:"bridge_config,omitempty"`
+	PortalConfig []*PortalConfig `protobuf:"bytes,2,rep,name=portal_config,json=portalConfig,proto3" json:"portal_config,omitempty"`
+}
+
+func (x *Config) Reset() {
+	*x = Config{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_app_reverse_config_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Config) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Config) ProtoMessage() {}
+
+func (x *Config) ProtoReflect() protoreflect.Message {
+	mi := &file_app_reverse_config_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Config.ProtoReflect.Descriptor instead.
+func (*Config) Descriptor() ([]byte, []int) {
+	return file_app_reverse_config_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *Config) GetBridgeConfig() []*BridgeConfig {
+	if x != nil {
+		return x.BridgeConfig
+	}
+	return nil
+}
+
+func (x *Config) GetPortalConfig() []*PortalConfig {
+	if x != nil {
+		return x.PortalConfig
+	}
+	return nil
+}
+
+var File_app_reverse_config_proto protoreflect.FileDescriptor
+
+var file_app_reverse_config_proto_rawDesc = []byte{
+	0x0a, 0x18, 0x61, 0x70, 0x70, 0x2f, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x2f, 0x63, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x78, 0x72, 0x61, 0x79,
+	0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x22, 0x78, 0x0a, 0x07,
+	0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x12, 0x35, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70,
+	0x70, 0x2e, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f,
+	0x6c, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x12, 0x16,
+	0x0a, 0x06, 0x72, 0x61, 0x6e, 0x64, 0x6f, 0x6d, 0x18, 0x63, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06,
+	0x72, 0x61, 0x6e, 0x64, 0x6f, 0x6d, 0x22, 0x1e, 0x0a, 0x05, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12,
+	0x0a, 0x0a, 0x06, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x44,
+	0x52, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x22, 0x38, 0x0a, 0x0c, 0x42, 0x72, 0x69, 0x64, 0x67, 0x65,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61,
+	0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
+	0x22, 0x38, 0x0a, 0x0c, 0x50, 0x6f, 0x72, 0x74, 0x61, 0x6c, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74,
+	0x61, 0x67, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x22, 0x92, 0x01, 0x0a, 0x06, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x43, 0x0a, 0x0d, 0x62, 0x72, 0x69, 0x64, 0x67, 0x65, 0x5f,
+	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x78,
+	0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x2e,
+	0x42, 0x72, 0x69, 0x64, 0x67, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0c, 0x62, 0x72,
+	0x69, 0x64, 0x67, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x43, 0x0a, 0x0d, 0x70, 0x6f,
+	0x72, 0x74, 0x61, 0x6c, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x1e, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x65, 0x76,
+	0x65, 0x72, 0x73, 0x65, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x61, 0x6c, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x52, 0x0c, 0x70, 0x6f, 0x72, 0x74, 0x61, 0x6c, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42,
+	0x59, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x78,
+	0x79, 0x2e, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x50, 0x01, 0x5a, 0x28, 0x67, 0x69, 0x74,
+	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61,
+	0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x72, 0x65,
+	0x76, 0x65, 0x72, 0x73, 0x65, 0xaa, 0x02, 0x12, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x50, 0x72, 0x6f,
+	0x78, 0x79, 0x2e, 0x52, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
+}
+
+var (
+	file_app_reverse_config_proto_rawDescOnce sync.Once
+	file_app_reverse_config_proto_rawDescData = file_app_reverse_config_proto_rawDesc
+)
+
+func file_app_reverse_config_proto_rawDescGZIP() []byte {
+	file_app_reverse_config_proto_rawDescOnce.Do(func() {
+		file_app_reverse_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_app_reverse_config_proto_rawDescData)
+	})
+	return file_app_reverse_config_proto_rawDescData
+}
+
+var file_app_reverse_config_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_app_reverse_config_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
+var file_app_reverse_config_proto_goTypes = []interface{}{
+	(Control_State)(0),   // 0: xray.app.reverse.Control.State
+	(*Control)(nil),      // 1: xray.app.reverse.Control
+	(*BridgeConfig)(nil), // 2: xray.app.reverse.BridgeConfig
+	(*PortalConfig)(nil), // 3: xray.app.reverse.PortalConfig
+	(*Config)(nil),       // 4: xray.app.reverse.Config
+}
+var file_app_reverse_config_proto_depIdxs = []int32{
+	0, // 0: xray.app.reverse.Control.state:type_name -> xray.app.reverse.Control.State
+	2, // 1: xray.app.reverse.Config.bridge_config:type_name -> xray.app.reverse.BridgeConfig
+	3, // 2: xray.app.reverse.Config.portal_config:type_name -> xray.app.reverse.PortalConfig
+	3, // [3:3] is the sub-list for method output_type
+	3, // [3:3] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
+}
+
+func init() { file_app_reverse_config_proto_init() }
+func file_app_reverse_config_proto_init() {
+	if File_app_reverse_config_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_app_reverse_config_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Control); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_app_reverse_config_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*BridgeConfig); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_app_reverse_config_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*PortalConfig); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_app_reverse_config_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Config); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_app_reverse_config_proto_rawDesc,
+			NumEnums:      1,
+			NumMessages:   4,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_app_reverse_config_proto_goTypes,
+		DependencyIndexes: file_app_reverse_config_proto_depIdxs,
+		EnumInfos:         file_app_reverse_config_proto_enumTypes,
+		MessageInfos:      file_app_reverse_config_proto_msgTypes,
+	}.Build()
+	File_app_reverse_config_proto = out.File
+	file_app_reverse_config_proto_rawDesc = nil
+	file_app_reverse_config_proto_goTypes = nil
+	file_app_reverse_config_proto_depIdxs = nil
+}
--- a/app/reverse/config.proto
+++ b/app/reverse/config.proto
@ -0,0 +1,32 @@
+syntax = "proto3";
+
+package xray.app.reverse;
+option csharp_namespace = "Xray.Proxy.Reverse";
+option go_package = "github.com/xtls/xray-core/v1/app/reverse";
+option java_package = "com.xray.proxy.reverse";
+option java_multiple_files = true;
+
+message Control {
+  enum State {
+    ACTIVE = 0;
+    DRAIN = 1;
+  }
+
+  State state = 1;
+  bytes random = 99;
+}
+
+message BridgeConfig {
+  string tag = 1;
+  string domain = 2;
+}
+
+message PortalConfig {
+  string tag = 1;
+  string domain = 2;
+}
+
+message Config {
+  repeated BridgeConfig bridge_config = 1;
+  repeated PortalConfig portal_config = 2;
+}
--- a/app/reverse/errors.generated.go
+++ b/app/reverse/errors.generated.go
@ -0,0 +1,9 @@
+package reverse
+
+import "github.com/xtls/xray-core/v1/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}
--- a/app/reverse/portal.go
+++ b/app/reverse/portal.go
@ -0,0 +1,266 @@
+// +build !confonly
+
+package reverse
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/buf"
+	"github.com/xtls/xray-core/v1/common/mux"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/session"
+	"github.com/xtls/xray-core/v1/common/task"
+	"github.com/xtls/xray-core/v1/features/outbound"
+	"github.com/xtls/xray-core/v1/transport"
+	"github.com/xtls/xray-core/v1/transport/pipe"
+)
+
+type Portal struct {
+	ohm    outbound.Manager
+	tag    string
+	domain string
+	picker *StaticMuxPicker
+	client *mux.ClientManager
+}
+
+func NewPortal(config *PortalConfig, ohm outbound.Manager) (*Portal, error) {
+	if config.Tag == "" {
+		return nil, newError("portal tag is empty")
+	}
+
+	if config.Domain == "" {
+		return nil, newError("portal domain is empty")
+	}
+
+	picker, err := NewStaticMuxPicker()
+	if err != nil {
+		return nil, err
+	}
+
+	return &Portal{
+		ohm:    ohm,
+		tag:    config.Tag,
+		domain: config.Domain,
+		picker: picker,
+		client: &mux.ClientManager{
+			Picker: picker,
+		},
+	}, nil
+}
+
+func (p *Portal) Start() error {
+	return p.ohm.AddHandler(context.Background(), &Outbound{
+		portal: p,
+		tag:    p.tag,
+	})
+}
+
+func (p *Portal) Close() error {
+	return p.ohm.RemoveHandler(context.Background(), p.tag)
+}
+
+func (p *Portal) HandleConnection(ctx context.Context, link *transport.Link) error {
+	outboundMeta := session.OutboundFromContext(ctx)
+	if outboundMeta == nil {
+		return newError("outbound metadata not found").AtError()
+	}
+
+	if isDomain(outboundMeta.Target, p.domain) {
+		muxClient, err := mux.NewClientWorker(*link, mux.ClientStrategy{})
+		if err != nil {
+			return newError("failed to create mux client worker").Base(err).AtWarning()
+		}
+
+		worker, err := NewPortalWorker(muxClient)
+		if err != nil {
+			return newError("failed to create portal worker").Base(err)
+		}
+
+		p.picker.AddWorker(worker)
+		return nil
+	}
+
+	return p.client.Dispatch(ctx, link)
+}
+
+type Outbound struct {
+	portal *Portal
+	tag    string
+}
+
+func (o *Outbound) Tag() string {
+	return o.tag
+}
+
+func (o *Outbound) Dispatch(ctx context.Context, link *transport.Link) {
+	if err := o.portal.HandleConnection(ctx, link); err != nil {
+		newError("failed to process reverse connection").Base(err).WriteToLog(session.ExportIDToError(ctx))
+		common.Interrupt(link.Writer)
+	}
+}
+
+func (o *Outbound) Start() error {
+	return nil
+}
+
+func (o *Outbound) Close() error {
+	return nil
+}
+
+type StaticMuxPicker struct {
+	access  sync.Mutex
+	workers []*PortalWorker
+	cTask   *task.Periodic
+}
+
+func NewStaticMuxPicker() (*StaticMuxPicker, error) {
+	p := &StaticMuxPicker{}
+	p.cTask = &task.Periodic{
+		Execute:  p.cleanup,
+		Interval: time.Second * 30,
+	}
+	p.cTask.Start()
+	return p, nil
+}
+
+func (p *StaticMuxPicker) cleanup() error {
+	p.access.Lock()
+	defer p.access.Unlock()
+
+	var activeWorkers []*PortalWorker
+	for _, w := range p.workers {
+		if !w.Closed() {
+			activeWorkers = append(activeWorkers, w)
+		}
+	}
+
+	if len(activeWorkers) != len(p.workers) {
+		p.workers = activeWorkers
+	}
+
+	return nil
+}
+
+func (p *StaticMuxPicker) PickAvailable() (*mux.ClientWorker, error) {
+	p.access.Lock()
+	defer p.access.Unlock()
+
+	if len(p.workers) == 0 {
+		return nil, newError("empty worker list")
+	}
+
+	var minIdx int = -1
+	var minConn uint32 = 9999
+	for i, w := range p.workers {
+		if w.draining {
+			continue
+		}
+		if w.client.ActiveConnections() < minConn {
+			minConn = w.client.ActiveConnections()
+			minIdx = i
+		}
+	}
+
+	if minIdx == -1 {
+		for i, w := range p.workers {
+			if w.IsFull() {
+				continue
+			}
+			if w.client.ActiveConnections() < minConn {
+				minConn = w.client.ActiveConnections()
+				minIdx = i
+			}
+		}
+	}
+
+	if minIdx != -1 {
+		return p.workers[minIdx].client, nil
+	}
+
+	return nil, newError("no mux client worker available")
+}
+
+func (p *StaticMuxPicker) AddWorker(worker *PortalWorker) {
+	p.access.Lock()
+	defer p.access.Unlock()
+
+	p.workers = append(p.workers, worker)
+}
+
+type PortalWorker struct {
+	client   *mux.ClientWorker
+	control  *task.Periodic
+	writer   buf.Writer
+	reader   buf.Reader
+	draining bool
+}
+
+func NewPortalWorker(client *mux.ClientWorker) (*PortalWorker, error) {
+	opt := []pipe.Option{pipe.WithSizeLimit(16 * 1024)}
+	uplinkReader, uplinkWriter := pipe.New(opt...)
+	downlinkReader, downlinkWriter := pipe.New(opt...)
+
+	ctx := context.Background()
+	ctx = session.ContextWithOutbound(ctx, &session.Outbound{
+		Target: net.UDPDestination(net.DomainAddress(internalDomain), 0),
+	})
+	f := client.Dispatch(ctx, &transport.Link{
+		Reader: uplinkReader,
+		Writer: downlinkWriter,
+	})
+	if !f {
+		return nil, newError("unable to dispatch control connection")
+	}
+	w := &PortalWorker{
+		client: client,
+		reader: downlinkReader,
+		writer: uplinkWriter,
+	}
+	w.control = &task.Periodic{
+		Execute:  w.heartbeat,
+		Interval: time.Second * 2,
+	}
+	w.control.Start()
+	return w, nil
+}
+
+func (w *PortalWorker) heartbeat() error {
+	if w.client.Closed() {
+		return newError("client worker stopped")
+	}
+
+	if w.draining || w.writer == nil {
+		return newError("already disposed")
+	}
+
+	msg := &Control{}
+	msg.FillInRandom()
+
+	if w.client.TotalConnections() > 256 {
+		w.draining = true
+		msg.State = Control_DRAIN
+
+		defer func() {
+			common.Close(w.writer)
+			common.Interrupt(w.reader)
+			w.writer = nil
+		}()
+	}
+
+	b, err := proto.Marshal(msg)
+	common.Must(err)
+	mb := buf.MergeBytes(nil, b)
+	return w.writer.WriteMultiBuffer(mb)
+}
+
+func (w *PortalWorker) IsFull() bool {
+	return w.client.IsFull()
+}
+
+func (w *PortalWorker) Closed() bool {
+	return w.client.Closed()
+}
--- a/app/reverse/portal_test.go
+++ b/app/reverse/portal_test.go
@ -0,0 +1,20 @@
+package reverse_test
+
+import (
+	"testing"
+
+	"github.com/xtls/xray-core/v1/app/reverse"
+	"github.com/xtls/xray-core/v1/common"
+)
+
+func TestStaticPickerEmpty(t *testing.T) {
+	picker, err := reverse.NewStaticMuxPicker()
+	common.Must(err)
+	worker, err := picker.PickAvailable()
+	if err == nil {
+		t.Error("expected error, but nil")
+	}
+	if worker != nil {
+		t.Error("expected nil worker, but not nil")
+	}
+}
--- a/app/reverse/reverse.go
+++ b/app/reverse/reverse.go
@ -0,0 +1,98 @@
+// +build !confonly
+
+package reverse
+
+//go:generate go run github.com/xtls/xray-core/v1/common/errors/errorgen
+
+import (
+	"context"
+
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/errors"
+	"github.com/xtls/xray-core/v1/common/net"
+	core "github.com/xtls/xray-core/v1/core"
+	"github.com/xtls/xray-core/v1/features/outbound"
+	"github.com/xtls/xray-core/v1/features/routing"
+)
+
+const (
+	internalDomain = "reverse.internal.example.com"
+)
+
+func isDomain(dest net.Destination, domain string) bool {
+	return dest.Address.Family().IsDomain() && dest.Address.Domain() == domain
+}
+
+func isInternalDomain(dest net.Destination) bool {
+	return isDomain(dest, internalDomain)
+}
+
+func init() {
+	common.Must(common.RegisterConfig((*Config)(nil), func(ctx context.Context, config interface{}) (interface{}, error) {
+		r := new(Reverse)
+		if err := core.RequireFeatures(ctx, func(d routing.Dispatcher, om outbound.Manager) error {
+			return r.Init(config.(*Config), d, om)
+		}); err != nil {
+			return nil, err
+		}
+		return r, nil
+	}))
+}
+
+type Reverse struct {
+	bridges []*Bridge
+	portals []*Portal
+}
+
+func (r *Reverse) Init(config *Config, d routing.Dispatcher, ohm outbound.Manager) error {
+	for _, bConfig := range config.BridgeConfig {
+		b, err := NewBridge(bConfig, d)
+		if err != nil {
+			return err
+		}
+		r.bridges = append(r.bridges, b)
+	}
+
+	for _, pConfig := range config.PortalConfig {
+		p, err := NewPortal(pConfig, ohm)
+		if err != nil {
+			return err
+		}
+		r.portals = append(r.portals, p)
+	}
+
+	return nil
+}
+
+func (r *Reverse) Type() interface{} {
+	return (*Reverse)(nil)
+}
+
+func (r *Reverse) Start() error {
+	for _, b := range r.bridges {
+		if err := b.Start(); err != nil {
+			return err
+		}
+	}
+
+	for _, p := range r.portals {
+		if err := p.Start(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (r *Reverse) Close() error {
+	var errs []error
+	for _, b := range r.bridges {
+		errs = append(errs, b.Close())
+	}
+
+	for _, p := range r.portals {
+		errs = append(errs, p.Close())
+	}
+
+	return errors.Combine(errs...)
+}