klzgrad / naiveproxy

Make a fortune quietly
BSD 3-Clause "New" or "Revised" License

How can caddy2's SNI be used to route forward traffic to different upstreams? #345

Closed. Kaze1027 closed this 2 years ago

Kaze1027 commented 2 years ago

At the moment scheme 2 does achieve the split routing I need for browsing, but I find there are still a lot of errors in q2vray. My skill is limited and the JSON file I wrote has mistakes, so the file server has never worked. I am asking the experts here for guidance. Currently vps1 has two domains configured so that different SNIs can be used; below is the JSON file my server's caddy is using right now:

{
    "admin": {
        "disabled": true
    },
    "logging": {
        "logs": {
            "default": {
                "writer": {
                    "output": "file",
                    "filename": "/var/log/caddy/access.log"
                },
                "level": "ERROR"
            }
        }
    },
    "apps": {
        "layer4": {
            "servers": {
                "sni": {
                    "listen": [
                        ":443"
                    ],
                    "routes": [
                        {
                            "match": [
                                {
                                    "tls": {
                                        "sni": [
                                            "vps2.example.com"
                                        ]
                                    }
                                }
                            ],
                            "handle": [
                                {
                                    "handler": "proxy",
                                    "upstreams": [
                                        {
                                            "dial": [
                                                "127.0.0.1:5443"
                                            ]
                                        }
                                    ]
                                }
                            ]
                        },
                        {
                            "match": [
                                {
                                    "tls": {
                                        "sni": [
                                            "vps1.example.com"
                                        ]
                                    }
                                }
                            ],
                            "handle": [
                                {
                                    "handler": "proxy",
                                    "upstreams": [
                                        {
                                            "dial": [
                                                "127.0.0.1:4443"
                                            ]
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        },
        "http": {
            "servers": {
                "h1": {
                    "listen": [
                        ":80"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "static_response",
                                    "headers": {
                                        "Location": [
                                            "https://{http.request.host}{http.request.uri}"
                                        ]
                                    },
                                    "status_code": 301
                                }
                            ]
                        }
                    ]
                },
                "h1h2c": {
                    "listen": [
                        "127.0.0.1:88"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "headers",
                                    "response": {
                                        "set": {
                                            "Strict-Transport-Security": [
                                                "max-age=31536000; includeSubDomains; preload"
                                            ]
                                        }
                                    }
                                },
                                {
                                    "handler": "file_server",
                                    "root": "/var/www/html/fixing-userinyerface"
                                }
                            ]
                        }
                    ],
                    "protocols": [
                        "h1",
                        "h2c"
                    ]
                },
                "vps2": {
                    "listen": [
                        "127.0.0.1:5443"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "forward_proxy",
                                    "auth_user_deprecated": "vps2",
                                    "auth_pass_deprecated": "passwd",
                                    "hide_ip": true,
                                    "hide_via": true,
                                    "upstream": "http://127.0.0.1:7443"
                                }
                            ]
                        },
                        {
                            "handle": [
                                {
                                    "handler": "headers",
                                    "response": {
                                        "set": {
                                            "Strict-Transport-Security": [
                                                "max-age=31536000; includeSubDomains; preload"
                                            ]
                                        }
                                    }
                                },
                                {
                                    "handler": "file_server",
                                    "root": "/var/www/html/fixing-userinyerface"
                                }
                            ]
                        }
                    ],
                    "tls_connection_policies": [
                        {
                            "certificate_selection": {
                                "any_tag": [
                                    "tls01"
                                ]
                            },
                            "cipher_suites": [
                                "TLS_AES_256_GCM_SHA384",
                                "TLS_AES_128_GCM_SHA256",
                                "TLS_CHACHA20_POLY1305_SHA256",
                                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
                                "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
                            ],
                            "curves": [
                                "x25519",
                                "secp521r1",
                                "secp384r1",
                                "secp256r1"
                            ],
                            "alpn": [
                                "h2",
                                "http/1.1"
                            ]
                        }
                    ],
                    "protocols": [
                        "h1",
                        "h2"
                    ]
                },
                "vps1": {
                    "listen": [
                        "127.0.0.1:4443"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "forward_proxy",
                                    "auth_user_deprecated": "vps1",
                                    "auth_pass_deprecated": "passwd",
                                    "hide_ip": true,
                                    "hide_via": true,
                                    "upstream": "http://127.0.0.1:6443"
                                }
                            ]
                        },
                        {
                            "handle": [
                                {
                                    "handler": "headers",
                                    "response": {
                                        "set": {
                                            "Strict-Transport-Security": [
                                                "max-age=31536000; includeSubDomains; preload"
                                            ]
                                        }
                                    }
                                },
                                {
                                    "handler": "file_server",
                                    "root": "/var/www/html/fixing-userinyerface"
                                }
                            ]
                        }
                    ],
                    "tls_connection_policies": [
                        {
                            "certificate_selection": {
                                "any_tag": [
                                    "tls02"
                                ]
                            },
                            "cipher_suites": [
                                "TLS_AES_256_GCM_SHA384",
                                "TLS_AES_128_GCM_SHA256",
                                "TLS_CHACHA20_POLY1305_SHA256",
                                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
                                "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
                            ],
                            "curves": [
                                "x25519",
                                "secp521r1",
                                "secp384r1",
                                "secp256r1"
                            ],
                            "alpn": [
                                "h2",
                                "http/1.1"
                            ]
                        }
                    ],
                    "protocols": [
                        "h1",
                        "h2"
                    ]
                }
            }
        },
        "tls": {
            "certificates": {
                "load_files": [
                    {
                        "certificate": "/etc/caddy/vps2.example.com/vps2.example.com_bundle.crt",
                        "key": "/etc/caddy/vps2.example.com/vps2.example.com.key",
                        "tags": [
                            "tls01"
                        ]
                    },
                    {
                        "certificate": "/etc/caddy/vps1.example.com/vps1.example.com_bundle.crt",
                        "key": "/etc/caddy/vps1.example.com/vps1.example.com.key",
                        "tags": [
                            "tls02"
                        ]
                    }
                ]
            }
        }
    }
}

The backend uses a certain *ray to do geosite-based split routing; its JSON file is as follows:

{
    "log": {
        "access": "",
        "error": "",
        "loglevel": "debug"
    },
    "dns": {
        "servers": [
            "1.1.1.1"
        ],
        "queryStrategy": "UseIPv4"
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "domainMatcher": "hybrid",
        "rules": [
            {
                "type": "field",
                "outboundTag": "Dns-Out",
                "network": "udp",
                "port": 53
            },
            {
                "type": "field",
                "outboundTag": "Block",
                "domain": [
                    "geosite:category-ads-all"
                ]
            },
            {
                "type": "field",
                "outboundTag": "Block",
                "protocol": [
                    "bittorrent"
                ]
            },
            {
                "type": "field",
                "inboundTag": "forward-in-nf",
                "outboundTag": "RelayTV",
                "domain": [
                    "geosite:netflix"
                ]
            },
            {
                "type": "field",
                "inboundTag": "forward-in-nf",
                "outboundTag": "RelayTV",
                "ip": [
                    "geoip:netflix"
                ]
            },
            {
                "type": "field",
                "outboundTag": "Block",
                "domain": [
                    "geosite:cn",
                    "geosite:private",
                    "geosite:cnki"
                ]
            },
            {
                "type": "field",
                "outboundTag": "Block",
                "ip": [
                    "geoip:cn",
                    "geoip:private"
                ]
            },
            {
                "type": "field",
                "inboundTag": [
                    "metrics_in"
                ],
                "outboundTag": "metrics_out"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 6443,
            "protocol": "http",
            "settings": {
                "timeout": 0,
                "allowTransparent": true
            },
            "streamSettings": {
                "network": "tcp",
                "security": "none",
                "tcpSettings": {
                    "header": {
                      "type": "none"
                    }
                },
                "sockopt": {
                    "tcpFastOpen": true,
                    "tproxy": "tproxy",
                    "domainStrategy": "AsIs",
                    "tcpKeepAliveInterval": 0
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls",
                    "quic"
                ]
            },
            "allocate": {
                "strategy": "always",
                "refresh": 5,
                "concurrency": 3
            },
            "tag": "forward-in"
        },
        {
            "listen": "127.0.0.1",
            "port": 7443,
            "protocol": "http",
            "settings": {
                "timeout": 0,
                "allowTransparent": true
            },
            "streamSettings": {
                "network": "tcp",
                "security": "none",
                "tcpSettings": {
                    "header": {
                      "type": "none"
                    }
                },
                "sockopt": {
                    "tcpFastOpen": true,
                    "tproxy": "tproxy",
                    "domainStrategy": "AsIs",
                    "tcpKeepAliveInterval": 0
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls",
                    "quic"
                ]
            },
            "allocate": {
                "strategy": "always",
                "refresh": 5,
                "concurrency": 3
            },
            "tag": "forward-in-nf"
        },
        {
            "listen": "127.0.0.1",
            "port": 11111,
            "protocol": "dokodemo-door",
            "settings": {
                "address": "127.0.0.1"
            },
            "tag": "metrics_in"
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {
                "domainStrategy": "UseIPv4"
            },
            "tag": "Direct"
        },
        {
            "protocol": "dns",
            "settings": {
                "address": "1.1.1.1"
            },
            "tag": "Dns-Out"
        },
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "",
                        "port": 443,
                        "users": [
                            {
                                "id": "",
                                "email": "netflix@xray.com",
                                "encryption": "none",
                                "flow": "xtls-rprx-direct"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "xtls",
                "xtlsSettings": {
                    "allowInsecure": false
                }
            },
            "tag": "RelayTV"
        },
        {
            "protocol": "blackhole",
            "settings": {
                "response": {
                    "type": "http"
                }
            },
            "tag": "Block"
        }
    ],
    "stats": {},
    "api": {
        "services": [
            "StatsService"
        ],
        "tag": "api"
    },
    "policy": {
        "levels": {
            "0": {
                "statsUserDownlink": true,
                "statsUserUplink": true
            }
        },
        "system": {
            "statsInboundUplink": true,
            "statsInboundDownlink": true,
            "statsOutboundUplink": true,
            "statsOutboundDownlink": true
        }
    },
    "metrics": {
        "tag": "metrics_out"
    }
}
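
The question is essentially whether the chain layer4 SNI match -> proxy dial address -> HTTP server listener -> selected certificate tag -> certificate hostname is consistent for every hostname. The script below is an added example (not code from the issue, from naiveproxy, or from Caddy) that walks that chain over a Caddy JSON config and reports every break. SAMPLE_CONFIG is a constructed, trimmed copy of the layout posted above (same two hostnames and ports, handlers other than proxy omitted); CERT_HOSTS is an assumed tag -> hostnames mapping that in real use you would take from each certificate's SAN list.

```python
"""Consistency check for a Caddy config that splits :443 by SNI with the
layer4 app and hands each hostname to its own HTTP server (added example)."""
import json

# Constructed sample config: same structure/ports as the posted config (assumption).
SAMPLE_CONFIG = json.loads(r'''
{ "apps": {
    "layer4": { "servers": { "sni": { "listen": [":443"], "routes": [
        {"match": [{"tls": {"sni": ["vps2.example.com"]}}],
         "handle": [{"handler": "proxy", "upstreams": [{"dial": ["127.0.0.1:5443"]}]}]},
        {"match": [{"tls": {"sni": ["vps1.example.com"]}}],
         "handle": [{"handler": "proxy", "upstreams": [{"dial": ["127.0.0.1:4443"]}]}]}
    ]}}},
    "http": { "servers": {
        "vps2": {"listen": ["127.0.0.1:5443"],
                 "tls_connection_policies": [{"certificate_selection": {"any_tag": ["tls01"]}}]},
        "vps1": {"listen": ["127.0.0.1:4443"],
                 "tls_connection_policies": [{"certificate_selection": {"any_tag": ["tls02"]}}]}
    }},
    "tls": { "certificates": { "load_files": [
        {"certificate": "/etc/caddy/vps2.crt", "key": "/etc/caddy/vps2.key", "tags": ["tls01"]},
        {"certificate": "/etc/caddy/vps1.crt", "key": "/etc/caddy/vps1.key", "tags": ["tls02"]}
    ]}}
}}
''')

# Assumed hostnames covered by each tagged certificate (read the SANs in practice).
CERT_HOSTS = {"tls01": {"vps2.example.com"}, "tls02": {"vps1.example.com"}}


def sni_to_dial(cfg):
    """Map each SNI name matched by a layer4 route to the address it is proxied to."""
    out = {}
    for server in cfg["apps"].get("layer4", {}).get("servers", {}).values():
        for route in server.get("routes", []):
            names = [n for m in route.get("match", []) for n in m.get("tls", {}).get("sni", [])]
            dials = [d for h in route.get("handle", []) if h.get("handler") == "proxy"
                     for u in h.get("upstreams", []) for d in u.get("dial", [])]
            for name in names:
                out[name] = dials[0] if dials else None
    return out


def listener_to_server(cfg):
    """Map each HTTP server listen address to the server's name."""
    return {addr: name
            for name, server in cfg["apps"].get("http", {}).get("servers", {}).items()
            for addr in server.get("listen", [])}


def server_cert_tags(cfg, server_name):
    """Certificate tags selected by a server's TLS connection policies."""
    tags = set()
    for pol in cfg["apps"]["http"]["servers"][server_name].get("tls_connection_policies", []):
        sel = pol.get("certificate_selection", {})
        tags.update(sel.get("any_tag", []), sel.get("all_tags", []))
    return tags


def loaded_tags(cfg):
    """Tags provided by the tls app's load_files entries."""
    return {t for e in cfg["apps"].get("tls", {}).get("certificates", {}).get("load_files", [])
            for t in e.get("tags", [])}


def check(cfg, cert_hosts):
    """Return a list of problems; an empty list means the SNI chain is consistent."""
    problems, listeners, loaded = [], listener_to_server(cfg), loaded_tags(cfg)
    for sni, dial in sni_to_dial(cfg).items():
        if dial is None:
            problems.append(f"{sni}: layer4 route has no proxy handler"); continue
        server = listeners.get(dial)
        if server is None:
            problems.append(f"{sni}: proxied to {dial} but no HTTP server listens there"); continue
        tags = server_cert_tags(cfg, server)
        if not tags:
            # layer4 passes the raw TLS bytes through, so the inner server must terminate TLS
            problems.append(f"{sni}: server {server!r} has no TLS policy; {dial} would expect plaintext"); continue
        for tag in sorted(tags - loaded):
            problems.append(f"{sni}: server {server!r} selects tag {tag!r} that no load_files entry provides")
        hosts = set().union(*(cert_hosts.get(t, set()) for t in tags))
        if sni not in hosts:
            problems.append(f"{sni}: server {server!r} would present a certificate for {sorted(hosts)}")
    return problems


def wrong_cert_variant(cfg):
    """Constructed negative case: vps1's server selects the vps2 certificate tag."""
    bad = json.loads(json.dumps(cfg))
    bad["apps"]["http"]["servers"]["vps1"]["tls_connection_policies"][0]["certificate_selection"]["any_tag"] = ["tls01"]
    return bad


if __name__ == "__main__":
    print("posted layout:", check(SAMPLE_CONFIG, CERT_HOSTS) or "OK")
    print("swapped tag:  ", check(wrong_cert_variant(SAMPLE_CONFIG), CERT_HOSTS))
```

Run it against your own config by replacing SAMPLE_CONFIG with `json.load(open("/etc/caddy/config.json"))` and filling CERT_HOSTS from the certificates. A swapped tag is the failure worth catching first: the TLS handshake still succeeds on the wire, but a naive client or browser that sent SNI vps1.example.com is answered with the vps2 certificate and rejects it, which looks like "the file server does not work" from the outside.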
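
The backend config decides, per inbound, which traffic goes where, and the rules are evaluated in order with the first match winning (the first outbound, Direct, is the default). The evaluator below is an added example, not code from the issue or from any *ray project: it copies the posted rule list and replays it against constructed requests, so you can see that only traffic arriving through the vps2 SNI path (inbound forward-in-nf) is relayed to RelayTV, while the Block rules apply to both inbounds. The geosite:/geoip: categories are replaced by tiny constructed stand-in sets (assumption) because the real data files are not available offline, and a request is assumed to carry its resolved IP already, which approximates IPIfNonMatch for these rules.

```python
"""Rule-ordered routing evaluator for the posted backend config (added example)."""
import ipaddress

# Constructed stand-ins for geosite:/geoip: categories (assumption, not real data).
GEOSITE = {
    "category-ads-all": {"ads.example"},
    "netflix": {"netflix.com", "nflxvideo.net"},
    "cn": {"baidu.com"},
    "private": {"localhost"},
    "cnki": {"cnki.net"},
}
GEOIP = {
    "netflix": [ipaddress.ip_network("198.51.100.0/24")],  # TEST-NET-2, constructed
    "cn": [ipaddress.ip_network("203.0.113.0/24")],        # TEST-NET-3, constructed
    "private": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")],
}

# The posted routing rules, in their posted order.
RULES = [
    {"outboundTag": "Dns-Out", "network": "udp", "port": 53},
    {"outboundTag": "Block", "domain": ["geosite:category-ads-all"]},
    {"outboundTag": "Block", "protocol": ["bittorrent"]},
    {"outboundTag": "RelayTV", "inboundTag": "forward-in-nf", "domain": ["geosite:netflix"]},
    {"outboundTag": "RelayTV", "inboundTag": "forward-in-nf", "ip": ["geoip:netflix"]},
    {"outboundTag": "Block", "domain": ["geosite:cn", "geosite:private", "geosite:cnki"]},
    {"outboundTag": "Block", "ip": ["geoip:cn", "geoip:private"]},
    {"outboundTag": "metrics_out", "inboundTag": ["metrics_in"]},
]
DEFAULT_OUTBOUND = "Direct"  # first outbound in the posted config


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def domain_matches(pattern, host):
    """geosite:<cat> uses the stand-in set with suffix matching; anything else is a plain substring."""
    if pattern.startswith("geosite:"):
        return any(host == d or host.endswith("." + d) for d in GEOSITE.get(pattern[8:], ()))
    return pattern in host


def ip_matches(pattern, ip):
    if ip is None:
        return False
    nets = GEOIP.get(pattern[6:], []) if pattern.startswith("geoip:") \
        else [ipaddress.ip_network(pattern, strict=False)]
    return any(ipaddress.ip_address(ip) in n for n in nets)


def rule_matches(rule, req):
    """Every field present in a rule must match (AND); list-valued fields are OR inside."""
    if "inboundTag" in rule and req["inbound"] not in _as_list(rule["inboundTag"]):
        return False
    if "network" in rule and req.get("network", "tcp") != rule["network"]:
        return False
    if "port" in rule and req.get("port") != rule["port"]:
        return False
    if "protocol" in rule and req.get("protocol") not in rule["protocol"]:
        return False
    if "domain" in rule and not (req.get("host") and any(domain_matches(p, req["host"]) for p in rule["domain"])):
        return False
    if "ip" in rule and not any(ip_matches(p, req.get("ip")) for p in rule["ip"]):
        return False
    return True


def route(req, rules=RULES):
    """Outbound tag chosen for a request: first matching rule, else the default outbound."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["outboundTag"]
    return DEFAULT_OUTBOUND


if __name__ == "__main__":
    nf = {"host": "www.netflix.com", "ip": "198.51.100.7", "port": 443}
    print("netflix via vps2 path:", route({"inbound": "forward-in-nf", **nf}))
    print("netflix via vps1 path:", route({"inbound": "forward-in", **nf}))
    print("metrics_in -> 127.0.0.1:", route({"inbound": "metrics_in", "ip": "127.0.0.1", "port": 11111}))
```

Two things the replay makes visible. First, the inboundTag on the Netflix rules is what turns the SNI choice in caddy into a routing decision: the same destination is relayed when it enters through port 7443 (forward-in-nf) and goes Direct when it enters through 6443 (forward-in). Second, with the posted order a connection on metrics_in towards 127.0.0.1 is caught by the geoip:private Block rule before the metrics_out rule is reached; moving the metrics rule to the front changes that. Whether this is one of the errors the author saw is not stated in the issue.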

klzgrad commented 2 years ago

This is purely a caddy configuration question; I don't understand it either.

yjd commented 1 year ago

https://caddy.community/t/load-balancing-caddy/10467 https://caddy.community/t/combining-the-layer4-and-http-apps-ssl-pass-through-http-file-server-reverse-proxy/12698 See whether these two threads are of any use to you. I am also looking for a way to share port 443 and split by SNI to two caddy ports, and I found caddy's JSON configuration very complicated.

Kaze1027 commented 1 year ago

> https://caddy.community/t/load-balancing-caddy/10467 https://caddy.community/t/combining-the-layer4-and-http-apps-ssl-pass-through-http-file-server-reverse-proxy/12698 See whether these two threads are of any use to you. I am also looking for a way to share port 443 and split by SNI to two caddy ports, and I found caddy's JSON configuration very complicated.

Thank you very much, I have worked it out. Tomorrow I will post the process on my GitHub page so that people with the same need can tinker with it.

1984admin commented 1 year ago

> > https://caddy.community/t/load-balancing-caddy/10467 https://caddy.community/t/combining-the-layer4-and-http-apps-ssl-pass-through-http-file-server-reverse-proxy/12698 See whether these two threads are of any use to you. I am also looking for a way to share port 443 and split by SNI to two caddy ports, and I found caddy's JSON configuration very complicated.
>
> Thank you very much, I have worked it out. Tomorrow I will post the process on my GitHub page so that people with the same need can tinker with it.

Could you write it up in detail? Thanks.

FenchD commented 1 year ago

> > https://caddy.community/t/load-balancing-caddy/10467 https://caddy.community/t/combining-the-layer4-and-http-apps-ssl-pass-through-http-file-server-reverse-proxy/12698 See whether these two threads are of any use to you. I am also looking for a way to share port 443 and split by SNI to two caddy ports, and I found caddy's JSON configuration very complicated.
>
> Thank you very much, I have worked it out. Tomorrow I will post the process on my GitHub page so that people with the same need can tinker with it.

I have the same need; could you please explain how to do it @Kaze1027

Kaze1027 commented 1 year ago

> > > https://caddy.community/t/load-balancing-caddy/10467 https://caddy.community/t/combining-the-layer4-and-http-apps-ssl-pass-through-http-file-server-reverse-proxy/12698 See whether these two threads are of any use to you. I am also looking for a way to share port 443 and split by SNI to two caddy ports, and I found caddy's JSON configuration very complicated.
> >
> > Thank you very much, I have worked it out. Tomorrow I will post the process on my GitHub page so that people with the same need can tinker with it.
>
> I have the same need; could you please explain how to do it @Kaze1027

Sorry, it was written so badly that I was too embarrassed to post it. I will post it right away for everyone to use as a reference; it is purely cobbled together, so go easy on me.