XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

XTLS fallback to a reverse proxy: Caddy on the internal network proxying Nextcloud reports ERR_HTTP2_PROTOCOL_ERROR #881

Closed. Phoveran closed this 2 years ago

Phoveran commented 2 years ago

Internal-network machine A, public server B. B listens on port 443 and falls back by domain name to 8080, where Xray reverse-proxies to A's port 80; A runs Caddy listening on 80, which reverse-proxies to 8888 (the Nextcloud port). The error is as in the title; the configs are as follows. A:

{
    "reverse" : {
        "bridges": [
            {
              "tag": "bridge",
              "domain": "xxx.xxx.com"
            }
        ]
    },
    "inbounds": [
        {
            "port": 10800,
            "listen": "127.0.0.1",
            "protocol": "http",
            "settings": {
                "udp": true
            }
        }
    ],
    "outbounds": [
        {
            "tag": "bridge_to_web",
            "protocol": "freedom",
            "settings": {
              "redirect": "127.0.0.1:80"
            }
        },
        {
            "protocol": "vmess",
            "settings": {
              "vnext": [
                {
                  "address": "96.45.167.203",
                  "port": 7000,
                  "users": [
                    {
                      "id": "xxxx"
                    }
                  ]
                }
              ]
            },
            "tag": "interconn"
        },
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "xxx.xxx.com",
                        "port": 443,
                        "users": [
                            {
                                "encryption": "none",
                                "flow": "xtls-rprx-direct",
                                "id": "xxxx"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "security": "xtls",
                "tlsSettings": {
                    "disableSystemRoot": false
                },
                "xtlsSettings": {
                    "disableSystemRoot": false
                }
            },
            "tag": "PROXY"
        },
        {
            "protocol": "freedom",
            "sendThrough": "0.0.0.0",
            "settings": {
                "domainStrategy": "Ip",
                "redirect": ":0"
            },
            "streamSettings": {
            },
            "tag": "DIRECT"
        },
        {
            "protocol": "blackhole",
            "sendThrough": "0.0.0.0",
            "settings": {
                "response": {
                    "type": "none"
                }
            },
            "streamSettings": {
            },
            "tag": "BLACKHOLE"
        }
    ],
    "routing": {
        "domainMatcher": "mph",
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "inboundTag": [
                    "QV2RAY_API_INBOUND"
                ],
                "outboundTag": "QV2RAY_API",
                "type": "field"
            },
            {
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "DIRECT",
                "type": "field"
            },
            {
                "domain": [
                    "geosite:category-ads-all"
                ],
                "outboundTag": "BLACKHOLE",
                "type": "field"
            },
            {
                "domain": [
                    "geosite:gfw",
                    "geosite:greatfire",
                    "geosite:github",
                    "geosite:cloudflare"
                ],
                "outboundTag": "PROXY",
                "type": "field"
            },
            {
                "ip": [
                    "geoip:cn"
                ],
                "outboundTag": "DIRECT",
                "type": "field"
            },
            {
                "domain": [
                    "domain:12306.com",
                    "domain:51ym.me",
                    "domain:52pojie.cn",
                    "domain:8686c.com",
                    "domain:abercrombie.com",
                    "domain:adobesc.com",
                    "domain:air-matters.com",
                    "domain:air-matters.io",
                    "domain:airtable.com",
                    "domain:akadns.net",
                    "domain:apache.org",
                    "domain:api.crisp.chat",
                    "domain:api.termius.com",
                    "domain:appshike.com",
                    "domain:appstore.com",
                    "domain:aweme.snssdk.com",
                    "domain:bababian.com",
                    "domain:battle.net",
                    "domain:beatsbydre.com",
                    "domain:bet365.com",
                    "domain:bilibili.cn",
                    "domain:ccgslb.com",
                    "domain:ccgslb.net",
                    "domain:chunbo.com",
                    "domain:chunboimg.com",
                    "domain:clashroyaleapp.com",
                    "domain:cloudsigma.com",
                    "domain:cloudxns.net",
                    "domain:cmfu.com",
                    "domain:culturedcode.com",
                    "domain:dct-cloud.com",
                    "domain:didialift.com",
                    "domain:douyutv.com",
                    "domain:duokan.com",
                    "domain:dytt8.net",
                    "domain:easou.com",
                    "domain:ecitic.net",
                    "domain:eclipse.org",
                    "domain:eudic.net",
                    "domain:ewqcxz.com",
                    "domain:fir.im",
                    "domain:frdic.com",
                    "domain:fresh-ideas.cc",
                    "domain:godic.net",
                    "domain:goodread.com",
                    "domain:haibian.com",
                    "domain:hdslb.ne",
                    "geosite:microsoft",
                    "geosite:microsoft-dev"
                ],
                "outboundTag": "DIRECT",
                "type": "field"
            },
            {
                "ip": [
                    "geoip:cn"
                ],
                "outboundTag": "DIRECT",
                "type": "field"
            },
            {
                "domain": [
                    "geosite:cn"
                ],
                "outboundTag": "DIRECT",
                "type": "field"
            },
            {
                "type": "field",
                "inboundTag": ["bridge"],
                "domain": ["full:xxx.xxx.com"],
                "outboundTag": "interconn"
            },
            {
                "type": "field",
                "inboundTag": ["bridge"],
                "outboundTag": "bridge_to_web"
            }
        ]
    }
}

B:

{
    "reverse" : {
        "portals":[  
            {  
              "tag":"portal",
              "domain":"xxx.xxx.com"
            }
        ]
    },
    "log": {
        "loglevel": "info"
    },
    "inbounds": [
        {
            "tag": "external",
            "port": 8080,
            "protocol": "dokodemo-door",
            "settings": {
              "address": "127.0.0.1",
              "port": 80,
              "network": "tcp"
            }
        },
        {
            "port": 7000,
            "tag": "interconn",
            "protocol": "vmess",
            "settings": {
              "clients": [
                {
                  "id": "xxxx"
                }
              ]
            }
        },
        {
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "xxxx",
                        "flow": "xtls-rprx-direct",
                        "level": 0
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "name": "xxx.xxx.com",
                        "dest": 8443,
                        "xver": 1
                    },
                    {
                        "name": "xxx.xxx.com",
                        "dest": 8080,
                        "xver": 1
                    },
                    {
                        "dest": 5000,
                        "xver": 1
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "xtls",
                "xtlsSettings": {
                    "alpn": [
                        "h2",
                        "http/1.1"
                    ],
                    "certificates": [
                        {
                            "certificateFile": "xxx",
                            "keyFile": "xxx"
                        }
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ],
    "rules": [
        {
            "type": "field",
            "inboundTag": ["external"],
            "outboundTag": "portal"
        },
        {
            "type": "field",
            "inboundTag": ["interconn"],
            "outboundTag": "portal"
        }
    ]
}
Phoveran commented 2 years ago

Log

Dec 31 00:55:49 racknerd-2c29ed xray[11080]: 2021/12/31 00:55:49 [Info] [1010969045] app/dispatcher: taking detour [portal] for [tcp:127.0.0.1:80]
Dec 31 00:55:49 racknerd-2c29ed xray[11080]: 2021/12/31 00:55:49 [Info] [1010969045] common/mux: dispatching request to tcp:127.0.0.1:80
Dec 31 00:55:49 racknerd-2c29ed xray[11080]: 2021/12/31 00:55:49 127.0.0.1:53566 accepted tcp:127.0.0.1:80 [portal]
Dec 31 00:55:50 racknerd-2c29ed xray[11080]: 2021/12/31 00:55:50 [Info] [4102222851] app/proxyman/inbound: connection ends > proxy/vless/inbound: fallback ends > context canceled
Dec 31 00:55:50 racknerd-2c29ed xray[11080]: 2021/12/31 00:55:50 [Info] [1771228940] app/proxyman/outbound: failed to process outbound traffic > proxy/freedom: connection ends > context canceled

Phoveran commented 2 years ago

Solved... by turning off h2. But why can't h2 be used?

huangguiniab commented 2 years ago

Is your certificate a wildcard certificate, i.e. the kind with a * in its domain list? I think that may be where the problem lies.

HTTP/2 has a connection-reuse mechanism. Say you first visit a.example.com and then b.example.com. If the browser sees that a.example.com and b.example.com point to the same IP address, and the certificate is a wildcard, then when loading b.example.com the browser reuses the still-open TLS connection from a.example.com. That is fine in itself. But because of the connection reuse, the Xray sitting in front of port 443 cannot detect an SNI; it assumes you are still using the previous connection, and so it sends your traffic to the wrong dest port. Since your request is delivered to the wrong server, that server does not know how to handle it and throws an HTTP/2 error. Of course, all of the above is my guesswork from reading the h2 docs; my level is too low to understand it any better than this, so corrections from the experts are welcome, but that is roughly it.

The fix is simple: either disable HTTP/2, or issue a separate certificate for each of your subdomains and do not use a wildcard certificate.
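The mechanism described in the comment above, as an added model that is not part of this issue and not Xray code: a browser coalesces HTTP/2 connections per RFC 7540 section 9.1.1 (same IP, certificate valid for the new host), an SNI-based fallback table in the shape of Xray's "fallbacks" picks the backend once per TLS connection, and a coalesced request for the second host therefore lands on the first host's backend. The host names, IP, ports and certificate SANs are constructed for illustration. It goes slightly beyond the comment in two ways: it also shows why disabling h2 avoids the problem (coalescing only applies to h2 connections), and it shows the 421 Misdirected Request that a well-behaved origin should return (RFC 7540 section 9.1.2) when a coalesced stream carries an :authority it is not authoritative for, which is what an operator would look for in backend logs.

```python
"""Added model (not Xray code) of HTTP/2 connection coalescing (RFC 7540 s.9.1.1)
hitting an SNI-based fallback dispatcher such as Xray's "fallbacks" table.
All host names, IPs, ports and certificates below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed fallback table in the shape of Xray's "fallbacks": SNI name -> dest port.
FALLBACKS = {"blog.example.com": 8443, "nas.example.com": 8080}
DEFAULT_DEST = 5000
SHARED_IP = "203.0.113.10"          # both names resolve to the same server


def cert_covers(cert_sans: list[str], host: str) -> bool:
    """RFC 6125-style match: a '*' may stand for exactly one leftmost label."""
    host_labels = host.lower().split(".")
    for san in cert_sans:
        san_labels = san.lower().split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*":
            if len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def dispatch_by_sni(sni: str) -> int:
    """The fallback decision is made once per TLS connection, from the ClientHello SNI."""
    return FALLBACKS.get(sni, DEFAULT_DEST)


@dataclass
class Conn:
    ip: str
    cert_sans: list[str]   # SANs the server presented on this connection
    h2: bool               # ALPN negotiated h2 (coalescing only applies to h2)
    dest: int              # backend chosen at handshake time; fixed for the connection's life


@dataclass
class Browser:
    certs: dict[str, list[str]]     # host -> SANs of the cert the server would present
    h2_enabled: bool
    pool: list[Conn] = field(default_factory=list)

    def fetch(self, host: str) -> int:
        """Return the backend port the request for `host` actually lands on."""
        for c in self.pool:
            # RFC 7540 9.1.1: an h2 connection may be reused for another origin when
            # it resolves to the same IP and the presented cert is valid for that host.
            if c.h2 and c.ip == SHARED_IP and cert_covers(c.cert_sans, host):
                return c.dest   # coalesced: no new ClientHello, dispatcher never sees `host`
        c = Conn(SHARED_IP, self.certs[host], self.h2_enabled, dispatch_by_sni(host))
        self.pool.append(c)
        return c.dest


def simulate(certs: dict[str, list[str]], h2_enabled: bool = True) -> dict[str, int]:
    """Visit blog first, then nas, and report where each request was routed."""
    b = Browser(certs=certs, h2_enabled=h2_enabled)
    return {h: b.fetch(h) for h in ("blog.example.com", "nas.example.com")}


# Constructed certificate layouts: one wildcard cert for both names vs. one cert per name.
WILDCARD = {"blog.example.com": ["*.example.com"], "nas.example.com": ["*.example.com"]}
PER_HOST = {"blog.example.com": ["blog.example.com"], "nas.example.com": ["nas.example.com"]}


def backend_response(dest: int, authority: str) -> int:
    """Status a well-behaved origin on `dest` should return (RFC 7540 9.1.2):
    421 Misdirected Request when it is not authoritative for the :authority
    a coalesced stream carries, rather than a confusing protocol error."""
    served = {port: name for name, port in FALLBACKS.items()}
    return 200 if served.get(dest) == authority else 421


if __name__ == "__main__":
    print("wildcard + h2  :", simulate(WILDCARD))            # nas lands on 8443, blog's backend
    print("wildcard, no h2:", simulate(WILDCARD, h2_enabled=False))
    print("per-host + h2  :", simulate(PER_HOST))
    print("blog backend sees nas.example.com ->", backend_response(8443, "nas.example.com"))
```

The model covers only the hypothesis stated in this comment; it does not explain the later report that per-domain certificates still produced an h2 error. A backend that answers 421 at least makes the misrouting visible in its access log instead of surfacing as ERR_HTTP2_PROTOCOL_ERROR in the browser.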

Phoveran commented 2 years ago

Understood, many thanks! But in that case, if I need two domains pointing at the same server and sharing port 443, one domain handling proxy traffic and the blog, the other handling the NAS reverse proxy, both with SSL, is that impossible without a wildcard?

huangguiniab commented 2 years ago

Just realized I'm using nginx, which doesn't support h2c at all, so an h2 fallback simply can't be done on my side. Awkward.

That said, I did also hit the h2 error, no idea why; in any case issuing certificates per domain fixed it for me. Very strange.

You don't need to change anything in DNS. The config only has two domains, so issue a certificate for each of those two domains. Don't add an asterisk, e.g. a.xxx.com and b.xxx.com, then deploy the certificates you get as below.

The certificates block supports multiple certificates; change it like this:

"certificates": [
    {
        "certificateFile": "第一个证书",
        "keyFile": "密钥"
    },
    {
        "certificateFile": "第二个证书",
        "keyFile": "密钥"
    }
]

This approach is for reference only. If it doesn't work, I'm out of ideas, since the server I use is different. Awkward 😓

Phoveran commented 2 years ago

It seems I still get the h2 error with per-domain certificates... very strange.

huangguiniab commented 2 years ago

Could it be an ALPN problem? I see the example config has a place that listens for h2, roughly this line; it has alpn set there, which you haven't filled in. (link) Try having Caddy open a separate h2 port, then split by ALPN + domain.

shenlijun commented 2 years ago

If nginx is reverse-proxying to Apache, some default setting apparently causes h2 problems; I found this online and forget whether it was an apache2 problem or an nginx problem.

I forget which directive exactly, but written like this I can enable h2; I think it's proxy_hide_header Upgrade. For reference.

            location / {
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    add_header Front-End-Https on;
                    proxy_hide_header Upgrade;
                    proxy_buffering off;
                    proxy_redirect off;
                    proxy_max_temp_file_size 0;
                    proxy_pass http://另一台机器的ip;
            }
shenlijun commented 2 years ago

http 301 -> xray 443 https fallback

Phoveran commented 2 years ago

ALPN splitting shouldn't be needed, since Caddy supports h2c and doesn't need two ports like nginx does. I don't have much time to tinker with this lately... I'll close this for now and use http/1.1. Thanks to you both!