
Conversation

@fokx

@fokx fokx commented Sep 29, 2025

Although you suggested I contribute to wind in the previous PR,
I think this PR is crucial as it fixes a security pitfall of tuic.

Also, this implements SOCKS5 outbound, which is marked as TODO in the previous PR.

This PR includes:

  • The ACL of tuic-server's outbound can be configured. See the server's README.md for more.
    The syntax is inspired by Hysteria.
  • The default outbound ACL will REJECT access to the server's localhost.
    Currently, Tuic allows the client to access services not publicly exposed (i.e. bound to 127.0.0.1 / ::1) on the server. However, users having access to Tuic are not necessarily supposed to have SSH access to the server; thus, this may lead to unwanted and unnoticed intrusions into local services.
    To expose services on the server to client users deliberately, explicitly whitelist those ports or use '*' to allow access to all ports on localhost.
  • Implement SOCKS5 outbound.

I think after this PR, Tuic's outbound and ACL features are on par with Hysteria's.

…st by default, implement SOCKS5 outbound

* The ACL of tuic-server's outbound can be configured. See the server's README.md for more.
The syntax is inspired by [Hysteria](https://v2.hysteria.network/docs/advanced/ACL/).
* The default outbound ACL will REJECT access to the server's localhost.
Currently, Tuic allows the client to access services not publicly exposed (i.e. bound to 127.0.0.1 / ::1) on the server. However, users having access to Tuic are not necessarily supposed to have SSH access to the server; thus, this may lead to unwanted and unnoticed intrusions into local services.
To expose services on the server to client users deliberately, explicitly whitelist those ports or use '*' to allow access to all ports on localhost.
* Implement SOCKS5 outbound.
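The policy described above (loopback rejected by default, individual ports or '*' whitelisted deliberately, first matching rule wins) is easy to get subtly wrong, so here is a small stand-alone evaluator that demonstrates it. This is an added example and not tuic's code: the rule syntax `<allow|reject> <cidr> <port|*>` is constructed for the example and is not the configuration format this PR adds to the server (see the README for that), the CIDR matching uses only the standard library rather than the ip_network crate, and the sample policy and the 203.0.113.10 (TEST-NET-3) destination are constructed inputs. One check goes beyond what the PR text spells out: IPv4-mapped IPv6 destinations such as ::ffff:127.0.0.1 are folded back to IPv4 before matching, otherwise a loopback rule written as 127.0.0.0/8 would not cover the mapped spelling of the same address. Only IP-literal destinations are handled; a domain destination would need the same decision applied to every address it resolves to.

```rust
// Added example, not tuic's own code: a minimal outbound ACL evaluator for
// the policy the PR describes. The rule syntax "<allow|reject> <cidr> <port|*>"
// is constructed for this example and is not tuic's configuration format.
use std::net::IpAddr;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action { Allow, Reject }

pub struct Rule {
    action: Action,
    net: IpAddr,
    prefix_len: u8,
    port: Option<u16>, // None stands for '*' (any port)
}

/// Constructed sample policy: expose one local service, reject the rest of
/// loopback. Order matters because the first matching rule wins.
pub const EXAMPLE_POLICY: &str = "
allow 127.0.0.1/32 8080   # deliberately exposed local service
reject 127.0.0.0/8 *      # the PR's default: no other loopback access
reject ::1/128 *
";

/// Fold IPv4-mapped IPv6 (::ffff:127.0.0.1) back to IPv4 so a 127.0.0.0/8 rule also covers it.
fn canonical(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map(IpAddr::V4).unwrap_or(ip),
        v4 => v4,
    }
}

/// CIDR membership; addresses of different families never match.
fn in_cidr(ip: IpAddr, net: IpAddr, prefix_len: u8) -> bool {
    match (ip, net) {
        (IpAddr::V4(a), IpAddr::V4(n)) => {
            let shift = 32u32.saturating_sub(prefix_len as u32);
            shift >= 32 || (u32::from(a) >> shift) == (u32::from(n) >> shift)
        }
        (IpAddr::V6(a), IpAddr::V6(n)) => {
            let shift = 128u32.saturating_sub(prefix_len as u32);
            shift >= 128 || (u128::from(a) >> shift) == (u128::from(n) >> shift)
        }
        _ => false,
    }
}

/// Parse one rule per line; '#' starts a comment and blank lines are skipped.
pub fn parse_acl(text: &str) -> Result<Vec<Rule>, String> {
    let mut rules = Vec::new();
    for (idx, raw) in text.lines().enumerate() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() { continue; }
        let fields: Vec<&str> = line.split_whitespace().collect();
        if fields.len() != 3 {
            return Err(format!("line {}: expected '<allow|reject> <cidr> <port|*>'", idx + 1));
        }
        let action = match fields[0] {
            "allow" => Action::Allow,
            "reject" => Action::Reject,
            other => return Err(format!("line {}: unknown action '{other}'", idx + 1)),
        };
        let (ip_text, len_text) = match fields[1].split_once('/') {
            Some((ip, len)) => (ip, Some(len)),
            None => (fields[1], None), // a bare address means that single host
        };
        let net: IpAddr = ip_text.parse().map_err(|e| format!("line {}: bad address: {e}", idx + 1))?;
        let max_len: u8 = if net.is_ipv4() { 32 } else { 128 };
        let prefix_len: u8 = match len_text {
            Some(len) => len.parse().map_err(|e| format!("line {}: bad prefix: {e}", idx + 1))?,
            None => max_len,
        };
        if prefix_len > max_len {
            return Err(format!("line {}: prefix /{prefix_len} exceeds /{max_len}", idx + 1));
        }
        let port = match fields[2] {
            "*" => None,
            p => Some(p.parse::<u16>().map_err(|e| format!("line {}: bad port: {e}", idx + 1))?),
        };
        rules.push(Rule { action, net, prefix_len, port });
    }
    Ok(rules)
}

/// First matching rule decides; with no match the outbound is allowed, so the
/// loopback reject rules are what produces the PR's default behaviour.
pub fn decide(rules: &[Rule], target: IpAddr, port: u16) -> Action {
    let ip = canonical(target);
    rules.iter()
        .find(|r| in_cidr(ip, r.net, r.prefix_len) && r.port.map_or(true, |p| p == port))
        .map_or(Action::Allow, |r| r.action)
}

fn main() {
    let policy = parse_acl(EXAMPLE_POLICY).expect("valid policy");
    for (ip, port) in [("127.0.0.1", 8080), ("127.0.0.1", 22), ("::1", 22), ("::ffff:127.0.0.1", 22), ("203.0.113.10", 443)] {
        let addr: IpAddr = ip.parse().unwrap();
        println!("{ip}:{port} -> {:?}", decide(&policy, addr, port));
    }
}
```

Running it shows 127.0.0.1:8080 allowed, every other loopback destination (including the mapped ::ffff:127.0.0.1) rejected, and the public address allowed. A policy that omits the two reject lines falls through to Allow, which is exactly the pre-PR behaviour the description calls a security pitfall.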
@Itsusinn Itsusinn changed the title from "Add ACL in tuic-server and reject client's access to server's localhost by default, implement SOCKS5 outbound" to "feat: Add ACL in tuic-server and reject client's access to server's localhost by default, implement SOCKS5 outbound" Sep 30, 2025
@Itsusinn Itsusinn requested a review from Copilot September 30, 2025 16:26

Copilot AI left a comment


Pull Request Overview

This PR adds crucial security features to tuic-server by implementing Access Control Lists (ACL) with SOCKS5 outbound support. The main purpose is to fix a security vulnerability where clients could access server localhost services and to provide more granular control over outbound connections.

  • Implements a comprehensive ACL system for controlling client access to outbound destinations
  • Adds SOCKS5 outbound support for proxying connections through external SOCKS5 servers
  • Adds default security policy that blocks client access to server's localhost services

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.

Summary per file:

  • tuic/src/protocol/mod.rs: Adds port() method to Address enum for ACL port matching
  • tuic-server/src/main.rs: Adds acl module import
  • tuic-server/src/connection/handle_task.rs: Implements ACL decision logic and SOCKS5 connection handling
  • tuic-server/src/config.rs: Adds ACL configuration parsing with support for both TOML tables and multiline string formats
  • tuic-server/src/acl.rs: New module implementing ACL rule parsing, matching logic, and data structures
  • tuic-server/README.md: Documents ACL configuration syntax and SOCKS5 outbound options
  • tuic-server/Cargo.toml: Adds ip_network dependency for CIDR matching
Comments suppressed due to low confidence (1)

tuic-server/src/connection/handle_task.rs:1 (at `use std::{`)

  • Consistent with previous comments - cloning protocol is unnecessary here. AclProtocol should implement the Copy trait.


@Itsusinn Itsusinn merged commit 41f1a6e into Itsusinn:dev Oct 2, 2025
39 of 40 checks passed
@fokx fokx deleted the acl branch October 16, 2025 02:14