feat: add per-listener SOCKS5 server authentication (RFC 1929)

Per-listener username/password auth via `auth:` config key. When set, clients must negotiate method 0x02 and pass RFC 1929 subnegotiation; no-auth (0x00) is rejected to prevent downgrade. Listeners without `auth` keep current no-auth behavior. Includes auth_failures metric, API integration (/status auth flag, /config auth_users count without exposing passwords), config parsing with YAML int coercion, integration tests (success, failure, method rejection, no-auth unchanged), and documentation updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 17:03:03 +01:00
parent 76dac61eb6
commit fa3621806d
13 changed files with 505 additions and 13 deletions
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -90,6 +90,25 @@ listeners:
 | `localhost` | Exact host | String equal |
 | `.local` | Suffix | `*.local` and `local` |

+## Listener Authentication (config)
+
+```yaml
+listeners:
+  - listen: 0.0.0.0:1080
+    auth:
+      alice: s3cret
+      bob: hunter2
+    chain:
+      - socks5://127.0.0.1:9050
+      - pool
+```
+
+```bash
+curl -x socks5h://alice:s3cret@127.0.0.1:1080 https://example.com
+```
+
+No `auth:` key = no authentication required (default).
+
 ## Multi-Tor Round-Robin (config)

 ```yaml