klzgrad / naiveproxy

Make a fortune quietly
BSD 3-Clause "New" or "Revised" License

How to setup caddyserver http3 and naive client http3? ERR_QUIC_HANDSHAKE_FAILED #175

Closed diyism closed 3 years ago

diyism commented 3 years ago

I see a caddy2-h3 branch in https://github.com/klzgrad/forwardproxy. Can the naiveproxy client and server work over the HTTP/3 protocol? If they can, do you have time to write a manual on how to set up "caddyserver forwardproxy http3" and "naive client http3"?

diyism commented 3 years ago

Sorry, I just saw these:

v88.0.4324.96-1

klzgrad released this on Jan 20

Rebased to 88.0.4324.96.

HTTP/3/QUIC support is fully functional, but it is not competitive with HTTP/2/TLS in practice due to carrier throttling or congestion control fairness.

QUIC support can be tested using

{ experimental_http3 }

in Caddyfile and quic://user:pass@example.com in Naive config.json.

and this: https://github.com/klzgrad/naiveproxy/issues/77

QUIC support can be tested as follows:

Use naiveproxy v85.0.4183.83-4 or newer
    Caddyfile:

{
  experimental_http3
}
:443, example.com
tls me@example.com
route {
  forward_proxy {
    basic_auth user pass
    hide_ip
    hide_via
    probe_resistance secret.com
  }
  file_server {
    root /var/www/html
  }
}

    Naive config.json:

{
  "listen": "socks://127.0.0.1:1080",
  "proxy": "quic://user:pass@example.com",
  "log": ""
}

I'll give a try first

diyism commented 3 years ago

Caddyfile in server (installed latest github.com/klzgrad/forwardproxy@naive):

{
  experimental_http3
}
:443, myserver.com
tls i@myserver.com
route {
  forward_proxy {
    basic_auth user1 user1pass1
    hide_ip
    hide_via
    probe_resistance secret.com
  }
  respond / "Hello, world!"
}

In local Debian (downloaded latest naiveproxy-v89.0.4389.72-1-linux-x64): visiting https://myserver.com in Firefox, I can see this log under Developer/Network:

HTTP/3 200 OK
server: Caddy
alt-svc: h3-32=":443"; ma=2592000,h3-29=":443"; ma=2592000

config.json in local Debian:

{
  "listen": "socks://127.0.0.1:8085",
  "proxy": "quic://user1:user1pass1@myserver.com",
  "log": ""
}

$ ./naive
[0414/223117.228951:INFO:naive_proxy_bin.cc(412)] Proxying via quic://myserver.com
[0414/223117.229323:INFO:naive_proxy_bin.cc(551)] Listening on 127.0.0.1:8085

$ curl --socks5 127.0.0.1:8085 https://myip.ipip.net
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to myip.ipip.net:443

$ ./naive
[0414/223626.473635:INFO:naive_proxy_bin.cc(412)] Proxying via quic://myserver.com
[0414/223626.474000:INFO:naive_proxy_bin.cc(551)] Listening on 127.0.0.1:8085
[0414/223633.107353:INFO:naive_connection.cc(250)] Connection 1 to 117.23.61.188:443
[0414/223633.112192:INFO:naive_proxy.cc(178)] Connection 1 closed: ERR_QUIC_HANDSHAKE_FAILED

diyism commented 3 years ago

$ ./caddy adapt --pretty
2021/04/14 15:05:10.140 INFO    using adjacent Caddyfile
[WARNING][caddyfile] :0: the 'experimental_http3' global option is deprecated, please use the 'servers > protocol > experimental_http3' option instead
{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [
                        ":443"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "subroute",
                                    "routes": [
                                        {
                                            "handle": [
                                                {
                                                    "auth_pass_deprecated": "user1pass1",
                                                    "auth_user_deprecated": "usser1",
                                                    "handler": "forward_proxy",
                                                    "hide_ip": true,
                                                    "hide_via": true,
                                                    "probe_resistance": {
                                                        "domain": "secret.com"
                                                    }
                                                }
                                            ]
                                        },
                                        {
                                            "handle": [
                                                {
                                                    "body": "Hello, world!",
                                                    "handler": "static_response"
                                                }
                                            ],
                                            "match": [
                                                {
                                                    "path": [
                                                        "/"
                                                    ]
                                                }
                                            ]
                                        }
                                    ]
                                }
                            ]
                        }
                    ],
                    "experimental_http3": true
                }
            }
        },
        "tls": {
            "certificates": {
                "automate": [
                    "myserver.com"
                ]
            },
            "automation": {
                "policies": [
                    {
                        "issuers": [
                            {
                                "email": "i@myserver.com",
                                "module": "acme"
                            }
                        ]
                    }
                ]
            }
        }
    }
}

diyism commented 3 years ago

Sorry, my fault. I had an ip route rule for the IP of myserver.com; after I got rid of it, everything is OK.
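
A preflight check that compares a naive `config.json` against `caddy adapt` output before debugging a QUIC handshake failure; this is an added example, not code from the thread or from the naiveproxy or forwardproxy projects. The function names are hypothetical, and the embedded sample is a trimmed copy of the values posted above, including the `usser1` user name as it appears in the adapt output.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the values posted in this thread.
NAIVE_CONFIG = ('{"listen": "socks://127.0.0.1:8085", '
                '"proxy": "quic://user1:user1pass1@myserver.com", "log": ""}')
CADDY_ADAPTED = """
{"apps": {"http": {"servers": {"srv0": {
  "listen": [":443"],
  "routes": [{"handle": [{"handler": "subroute", "routes": [
    {"handle": [{"handler": "forward_proxy",
                 "auth_user_deprecated": "usser1",
                 "auth_pass_deprecated": "user1pass1"}]}]}]}],
  "experimental_http3": true}}},
 "tls": {"certificates": {"automate": ["myserver.com"]}}}}
"""

def find_handlers(node, name):
    """Recursively yield every handler object called `name` (subroutes nest)."""
    if isinstance(node, dict):
        if node.get("handler") == name:
            yield node
        for value in node.values():
            yield from find_handlers(value, name)
    elif isinstance(node, list):
        for value in node:
            yield from find_handlers(value, name)

def preflight(naive_json, caddy_json):
    """Return a list of mismatches between client and server configuration."""
    proxy = urlsplit(json.loads(naive_json)["proxy"])
    apps = json.loads(caddy_json)["apps"]
    port = proxy.port or 443
    findings = []
    servers = [s for s in apps["http"]["servers"].values()
               if any(l.endswith(f":{port}") for l in s.get("listen", []))]
    if not servers:
        findings.append(f"no Caddy server listens on :{port}")
    if proxy.scheme == "quic" and not any(s.get("experimental_http3") for s in servers):
        findings.append("client uses quic:// but experimental_http3 is not enabled")
    automated = apps.get("tls", {}).get("certificates", {}).get("automate", [])
    if proxy.hostname not in automated:
        findings.append(f"no certificate automated for {proxy.hostname}")
    creds = {(h.get("auth_user_deprecated"), h.get("auth_pass_deprecated"))
             for s in servers for h in find_handlers(s, "forward_proxy")}
    if (proxy.username, proxy.password) not in creds:
        findings.append("client credentials do not match any forward_proxy basic_auth")
    return findings

if __name__ == "__main__":
    print(preflight(NAIVE_CONFIG, CADDY_ADAPTED))
```

The check covers configuration only; a local routing rule like the one that caused the failure in this thread is outside what it can see.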