Compliance: Server-side anti-proxy for trail authorization

2026-05-16 13:19:01 +02:00
parent 4279e79aa7
commit 4d2b12a9dd
11 changed files with 642 additions and 1 deletions
--- a/server/2015Remote/2015RemoteDlg.cpp
+++ b/server/2015Remote/2015RemoteDlg.cpp
@@ -820,6 +820,8 @@ BEGIN_MESSAGE_MAP(CMy2015RemoteDlg, CDialogEx)
    ON_MESSAGE(WM_SHOWMESSAGE, OnShowMessage)
    ON_MESSAGE(WM_SHOWNOTIFY, OnShowNotify)
    ON_MESSAGE(WM_SHOWERRORMSG, OnShowErrMessage)
+    ON_MESSAGE(WM_TRIAL_RTT_ABUSE, OnTrialRttAbuse)
+    ON_MESSAGE(WM_TRIAL_WAN_IP_ABUSE, OnTrialWanIpAbuse)
    ON_MESSAGE(WM_INJECT_SHELLCODE, InjectShellcode)
    ON_MESSAGE(WM_ANTI_BLACKSCREEN, AntiBlackScreen)
    ON_MESSAGE(WM_SHARE_CLIENT, ShareClient)
@@ -1574,6 +1576,52 @@ VOID CMy2015RemoteDlg::ShowMessage(CString strType, CString strMsg)
        m_StatusBar.SetPaneText(0,strStatusMsg);   //在状态条上显示文字
 }

+// 试用版 IP 段触发：OnAccept 发现入站连接对端是公网 IP（已透过 Proxy Protocol v2 解出真实 IP）。
+// 与 OnTrialRttAbuse 共用 IOCPServer::s_TrialAbuseWarned latch，本函数每进程最多调一次。
+LRESULT CMy2015RemoteDlg::OnTrialWanIpAbuse(WPARAM wParam, LPARAM lParam)
+{
+    CString* ip = (CString*)wParam;
+    CString detail;
+    detail.FormatL("入站公网 IP=%s （Proxy Protocol 真实 IP 或 raw TCP 对端）",
+                   ip ? (LPCTSTR)*ip : _T("?"));
+    ShowMessage(_TR("入站告警"), detail);
+
+    CString msg;
+    msg.FormatL(
+        "检测到入站连接来自公网 IP：%s\r\n\r\n"
+        "试用版仅供 LAN 内自用，跨网使用属于违反授权条款。\r\n"
+        "如需跨网远控，请向发行方申请正式授权。\r\n\r\n"
+        "详细记录见消息列表与运行日志。",
+        ip ? (LPCTSTR)*ip : _T("?"));
+    THIS_APP->MessageBox(msg, _TR("试用版 LAN-only 限制"), MB_OK | MB_ICONWARNING | MB_TOPMOST);
+    if (ip) delete ip;
+    return S_OK;
+}
+
+// 试用版反代理触发后的主窗口处理：写日志列表 + 弹一次模态框（前面已 latch，本函数每进程只会被调一次）。
+// 不在 IOCPServer 的 RTT 轮询线程里直接弹框，避免阻塞后续采样。
+LRESULT CMy2015RemoteDlg::OnTrialRttAbuse(WPARAM wParam, LPARAM lParam)
+{
+    uint32_t clientIdLow = (uint32_t)wParam;
+    int medianMs         = (int)lParam;
+    CString detail;
+    // 纯英文格式串，不进翻译表
+    detail.Format(_T("ClientID(low32)=%u  median RTT=%d ms  threshold=%d ms"),
+                  clientIdLow, medianMs, (int)TcpRttBreachDetector::RTT_THRESHOLD_MS);
+    ShowMessage(_TR("反代理告警"), detail);
+
+    CString msg;
+    msg.FormatL(
+        "检测到可疑连接：内核 RTT 中位数 %d ms，超出阈值 %d ms。\r\n\r\n"
+        "持续偏高的 RTT 提示该连接可能经由代理 / VPN / 隧道中转。\r\n"
+        "试用版仅供 LAN 内自用，跨网使用属于违反授权条款。\r\n\r\n"
+        "如需跨网远控，请向发行方申请正式授权。\r\n"
+        "详细记录见消息列表与运行日志。",
+        medianMs, (int)TcpRttBreachDetector::RTT_THRESHOLD_MS);
+    THIS_APP->MessageBox(msg, _TR("试用版 LAN-only 限制"), MB_OK | MB_ICONWARNING | MB_TOPMOST);
+    return S_OK;
+}
+
 LRESULT CMy2015RemoteDlg::OnShowErrMessage(WPARAM wParam, LPARAM lParam)
 {
    CString* text = (CString*)wParam;