klzgrad / naiveproxy

Make a fortune quietly
BSD 3-Clause "New" or "Revised" License

MITM'd by Huorong Anti-Virus Personal Root Certificate #646

Closed namelessvon closed 3 months ago

namelessvon commented 4 months ago

The strange thing is that my server was never upgraded; I used it for almost a year without this problem. Restarting and reconnecting gives the same failure, and a completely fresh install still reports the error. At first I thought the caddy/naiveproxy user/password authentication method was no longer compatible with the old version (perhaps Shadowrocket's client update upgraded naiveproxy). Previously, basic_auth user pass in the Caddyfile was converted by ./caddy adapt -c Caddyfile --pretty into "auth_user_deprecated" and "auth_pass_deprecated". But after installing the new caddy I found that even with it converted to the auth_credentials form I still could not connect.

ubuntu 24.04, caddy 2.7.6, naiveproxy naive 124.0.6367.54, Chrome already at the latest version 124.0.6367.119 (Official Build) (64-bit)

Caddyfile configuration:

{
    order forward_proxy before file_server
}
:443, aax.com {
    tls me@example.com
    forward_proxy {
        basic_auth e P
        hide_ip
        hide_via
        probe_resistance
    }
    file_server {
        root /var/www/html
    }
}

Converted to JSON:

{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [
                        ":443"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "auth_credentials": [
                                        "WlZE"
                                    ],
                                    "handler": "forward_proxy",
                                    "hide_ip": true,
                                    "hide_via": true,
                                    "probe_resistance": {}
                                },
                                {
                                    "handler": "file_server",
                                    "hide": [
                                        "./Caddyfile"
                                    ],
                                    "root": "/var/www/html"
                                }
                            ]
                        }
                    ]
                }
            }
        },
        "tls": {
            "certificates": {
                "automate": [
                    "aax.com"
                ]
            },
            "automation": {
                "policies": [
                    {
                        "subjects": [
                            "aax.com"
                        ],
                        "issuers": [
                            {
                                "email": "me@example.com",
                                "module": "acme"
                            },
                            {
                                "email": "me@example.com",
                                "module": "zerossl"
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Windows client config:

{
  "listen": "socks://127.0.0.1:10808",
  "proxy": "https://e:p@aax.com:443",
  "log": ""
}

Symptoms: the Windows client shows

[0506/220622.432:INFO:naive_proxy_bin.cc(194)] Proxying via HTTPS aax.com:443
[0506/220622.434:INFO:naive_proxy_bin.cc(449)] Listening on socks://127.0.0.1:10808
[0506/220627.930:INFO:naive_connection.cc(273)] Connection 1 to www.gstatic.com:80
[0506/220628.584:INFO:naive_proxy_delegate.cc(137)] [https://aax.com:443] negotiated padding type: Variant1
[0506/220628.857:INFO:naive_proxy.cc(184)] Connection 1 closed: OK
[0506/220629.321:INFO:naive_connection.cc(273)] Connection 2 to www.gstatic.com:80
[0506/220629.482:INFO:naive_connection.cc(273)] Connection 3 to www.baidu.com:443
[0506/220630.037:INFO:naive_connection.cc(273)] Connection 4 to collector-hpn.ghostery.net:443
[0506/220630.137:INFO:naive_proxy.cc(184)] Connection 2 closed: OK
[0506/220630.228:INFO:naive_proxy.cc(184)] Connection 3 closed: OK
[0506/220630.228:INFO:naive_connection.cc(273)] Connection 5 to www.baidu.com:443
[0506/220630.644:INFO:naive_proxy.cc(184)] Connection 4 closed: OK

But sometimes the browser is redirected to http://www.gstatic.com/generate_204 and the page shows

P/1.1 200 OK
Server: Caddy
Content-Length: 0

HTTP/1.0 400 Bad Request
Content-Length: 54
Content-Type: text/html; charset=UTF-8
Date: Mon, 06 May 2024 14:06:32 GMT

<html><title>Error 400 (Bad Request)!!1</title></html>

Other times it shows ERR_SSL_PROTOCOL_ERROR

Server side:

1:~# ./caddy start
2024/05/06 14:05:20.631 INFO    using adjacent Caddyfile
2024/05/06 14:05:20.635 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/05/06 14:05:20.636 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/05/06 14:05:20.637 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects    {"server_name": "srv0"}
2024/05/06 14:05:20.639 INFO    http.log    server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/05/06 14:05:20.640 INFO    http    enabling HTTP/3 listener    {"addr": ":443"}
2024/05/06 14:05:20.640 INFO    http.log    server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/05/06 14:05:20.640 INFO    autosaved config (load with --resume flag)  {"file": "/root/.config/caddy/autosave.json"}
2024/05/06 14:05:20.640 INFO    serving initial configuration
2024/05/06 14:05:20.641 INFO    tls.cache.maintenance   started background certificate maintenance  {"cache": "0xc0003ad600"}
2024/05/06 14:05:20.645 WARN    tls storage cleaning happened too recently; skipping for now    {"storage": "FileStorage:/root/.local/share/caddy", "instance": "6e304fbf-1fb5-45da-9d41-ab81d7abf05d", "try_again": "2024/05/07 14:05:20.645", "try_again_in": 86399.999999061}
2024/05/06 14:05:20.645 INFO    tls finished cleaning storage units
Successfully started Caddy (pid=3980) - Caddy is running in the background
root@glowing-win-1:~# 2024/05/06 14:06:30.394   ERROR   http.log.error  read tcp 67.9.9.9:40080->100:443: read: connection reset by peer    {"request": {"remote_ip": "110.4", "remote_port": "31047", "client_ip": "114", "proto": "HTTP/1.1", "method": "CONNECT", "host": "www.baidu.com:443", "uri": "www.baidu.com:443", "headers": {"Proxy-Connection": ["keep-alive"], "Proxy-Authorization": [], "Padding": ["$#>!'#*)$&,'$,$>XXX"], "Fastopen": ["1"], "Padding-Type-Request": ["1, 0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.410518272}
2024/05/06 14:06:31.139 ERROR   http.log.error  read tcp 67.9.9.9:40096->103.23.3.20:443: read: connection reset by peer    {"request": {"remote_ip": "110.1.1.4", "remote_port": "30525", "client_ip": "110.1.1.4", "proto": "HTTP/1.1", "method": "CONNECT", "host": "www.baidu.com:443", "uri": "www.baidu.com:443", "headers": {"Proxy-Connection": ["keep-alive"], "Proxy-Authorization": [], "Padding": ["!??'@@',+#'\"?!\">XXXXXXXX"], "Fastopen": ["1"], "Padding-Type-Request": ["1, 0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.403661815}
klzgrad commented 4 months ago

Any access redirects to the page http://www.gstatic.com/generate_204

After installing the new caddy I found that even with it converted to the auth_credentials form I still could not connect

Which of these is your problem?

Perhaps Shadowrocket's client update upgraded naiveproxy

What is Shadowrocket? Is it related to your problem?

namelessvon commented 4 months ago

Any access redirects to the page http://www.gstatic.com/generate_204

After installing the new caddy I found that even with it converted to the auth_credentials form I still could not connect

Which of these is your problem?

Perhaps Shadowrocket's client update upgraded naiveproxy

What is Shadowrocket? Is it related to your problem?

1. Right now I simply cannot reach any website through naiveproxy. The browser returns ERR_SSL_PROTOCOL_ERROR and then opens a new page at http://www.gstatic.com/generate_204. After reinstalling the Linux system and configuring caddy it still cannot be used; the configuration and the client and server errors are as provided earlier.

2. By Shadowrocket I meant the way the naiveproxy client is configured inside Shadowrocket. I mentioned it because my Linux server side was never updated, but Shadowrocket on my phone was, and I did not know whether it also pulled in a new naiveproxy client with some protocol change that made it unusable. That was only my guess at the time. But I have not seen anyone else with the same problem, so it probably has nothing to do with the client version.

klzgrad commented 4 months ago

Windows client config

Shadowrocket on my phone was updated, and I did not know whether it also pulled in a new naiveproxy client with some protocol change that made it unusable

What exactly is the problem you are reporting? Shadowrocket on your phone was updated, and that made the Windows client stop working?

namelessvon commented 4 months ago

Windows client config

Shadowrocket on my phone was updated, and I did not know whether it also pulled in a new naiveproxy client with some protocol change that made it unusable

What exactly is the problem you are reporting? Shadowrocket on your phone was updated, and that made the Windows client stop working?

The "Shadowrocket update caused it" part was only my own guess and is probably wrong; if that were the cause there would already be plenty of user reports. My problem is that even after reinstalling the OS and caddy, using a basic config file, it still does not work. I would like to ask whether the cause can be seen from these errors, or whether I need to provide any other logs or tests. Thank you.

klzgrad commented 3 months ago

Shadowrocket is an unrelated, independent project. No bug report involving Shadowrocket is handled here.

namelessvon commented 3 months ago

Shadowrocket is an unrelated, independent project. No bug report involving Shadowrocket is handled here.

Sorry, perhaps I still have not expressed it clearly. The current problem can be taken as unrelated to Shadowrocket on the phone. A freshly rebuilt, pure Linux server plus the Windows naiveproxy client still does not work.

klzgrad commented 3 months ago

Add this line to the config

"log-net-log": "netlog.json",

Run it, and once you have netlog.json, open it at https://netlog-viewer.appspot.com/#import and look at the request/response details related to gstatic.com.

namelessvon commented 3 months ago

Sorry, I don't know how to read it; I'm not sure whether this is the relevant part

55: HTTP_PROXY_CONNECT_JOB
dsd/http://www.gstatic.com <null [internally: (5BCDFED0F15D4AF49367094D5E88B84F) anonymous] same_site>
Start Time: 2024-05-10 16:42:49.860

t=2991 [st=  0] +CONNECT_JOB  [dt=534]
t=2991 [st=  0]    SOCKET_POOL_CONNECT_JOB_CREATED
                   --> backup_job = false
                   --> group_id = "dsd/http://www.gstatic.com <null [internally: (5BCDFED0F15D4AF49367094D5E88B84F) anonymous] same_site>"
t=2991 [st=  0]   +HTTP_PROXY_CONNECT_JOB_CONNECT  [dt=534]
t=2991 [st=  0]     +SSL_CONNECT_JOB_CONNECT  [dt=357]
t=2991 [st=  0]       +TRANSPORT_CONNECT_JOB_CONNECT  [dt=175]
t=2991 [st=  0]         +HOST_RESOLVER_MANAGER_REQUEST  [dt=0]
                         --> allow_cached_response = true
                         --> dns_query_type = "UNSPECIFIED"
                         --> host = "aax.com:443"
                         --> is_speculative = false
                         --> network_anonymization_key = "null [internally: (5662011B78EB77600D4EA709B5FF5D80) anonymous] same_site"
                         --> secure_dns_policy = 1
t=2991 [st=  0]            HOST_RESOLVER_MANAGER_IPV6_REACHABILITY_CHECK
                           --> cached = false
                           --> ipv6_available = true
t=2991 [st=  0]            HOST_RESOLVER_MANAGER_CACHE_HIT
                           --> results = {
                                 "aliases": [],
                                 "canonical_names": [],
                                 "endpoint_metadatas": [],
                                 "expiration": "13359804226903484",
                                 "host_ports": [],
                                 "hostname_results": [],
                                 "ip_endpoints": [
                                   {
                                     "endpoint_address": "6.7.8.9",
                                     "endpoint_port": 0
                                   }
                                 ],
                                 "text_records": []
                               }
t=2991 [st=  0]            HOST_RESOLVER_MANAGER_CACHE_HIT
                           --> results = {
                                 "aliases": [],
                                 "canonical_names": [],
                                 "endpoint_metadatas": [],
                                 "expiration": "13359804226903484",
                                 "host_ports": [],
                                 "hostname_results": [],
                                 "ip_endpoints": [
                                   {
                                     "endpoint_address": "6.7.8.9",
                                     "endpoint_port": 0
                                   }
                                 ],
                                 "text_records": []
                               }
t=2991 [st=  0]         -HOST_RESOLVER_MANAGER_REQUEST
t=2991 [st=  0]          TRANSPORT_CONNECT_JOB_CONNECT_ATTEMPT
                         --> address = "6.7.8.9:443"
                         --> source_dependency = 58 (SOCKET)
t=3166 [st=175]          CONNECT_JOB_SET_SOCKET
                         --> source_dependency = 58 (SOCKET)
t=3166 [st=175]       -TRANSPORT_CONNECT_JOB_CONNECT
t=3348 [st=357]        CONNECT_JOB_SET_SOCKET
                       --> source_dependency = 58 (SOCKET)
t=3348 [st=357]     -SSL_CONNECT_JOB_CONNECT
t=3525 [st=534]      CONNECT_JOB_SET_SOCKET
                     --> source_dependency = 58 (SOCKET)
t=3525 [st=534]   -HTTP_PROXY_CONNECT_JOB_CONNECT
t=3525 [st=534] -CONNECT_JOB

Meanwhile the Linux server side reports the following errors:

2024/05/10 08:47:02.302 ERROR   http.log.error  read tcp 6.7.8.9:41970->204.79.197.235:443: read: connection reset by peer  {"request": {"remote_ip": "1.2.3.4", "remote_port": "34184", "client_ip": "1.2.3.4", "proto": "HTTP/1.1", "method": "CONNECT", "host": "api.msn.cn:443", "uri": "api.msn.cn:443", "headers": {"Proxy-Authorization": [], "Padding": ["$&$,\")+&,)#+;!)\"XXXXXXXXX"], "Fastopen": ["1"], "Padding-Type-Request": ["1, 0"], "Proxy-Connection": ["keep-alive"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.187741194}
2024/05/10 08:47:02.357 ERROR   http.log.error  read tcp 6.7.8.9:45812->20.125.62.241:443: read: connection reset by peer   {"request": {"remote_ip": "1.2.3.4", "remote_port": "37606", "client_ip": "1.2.3.4", "proto": "HTTP/1.1", "method": "CONNECT", "host": "c.msn.cn:443", "uri": "c.msn.cn:443", "headers": {"Proxy-Connection": ["keep-alive"], "Proxy-Authorization": [], "Padding": [",;)'?@@#@$\"($$$+XXXXXXXXX"], "Fastopen": ["1"], "Padding-Type-Request": ["1, 0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.205079085}
2024/05/10 08:47:02.670 ERROR   http.log.error  read tcp 6.7.8.9:33668->20.99.185.48:443: read: connection reset by peer    {"request": {"remote_ip": "1.2.3.4", "remote_port": "37166", "client_ip": "1.2.3.4", "proto": "HTTP/1.1", "method": "CONNECT", "host": "arc.msn.com:443", "uri": "arc.msn.com:443", "headers": {"Padding-Type-Request": ["1, 0"], "Proxy-Connection": ["keep-alive"], "Proxy-Authorization": [], "Padding": [";#>&+$;(*\"&@''$(XXXXXXX"], "Fastopen": ["1"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.215730174}
2024/05/10 08:47:02.820 ERROR   http.log.error  read tcp 6.7.8.9:48244->23.62.178.26:443: read: connection reset by peer    {"request": {"remote_ip": "1.2.3.4", "remote_port": "35891", "client_ip": "1.2.3.4", "proto": "HTTP/1.1", "method": "CONNECT", "host": "assets.msn.cn:443", "uri": "assets.msn.cn:443", "headers": {"Proxy-Connection": ["keep-alive"], "Proxy-Authorization": [], "Padding": ["#*!>'\"(\"+;;+<@,@"], "Fastopen": ["1"], "Padding-Type-Request": ["1, 0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.178843449}
2024/05/10 08:47:02.851 ERROR   http.log.error  read tcp 6.7.8.9:59544->204.79.197.203:443: read: connection reset by peer  {"request": {"remote_ip": "1.2.3.4", "remote_port": "34669", "client_ip": "1.2.3.4", "proto": "HTTP/1.1", "method": "CONNECT", "host": "srtb.msn.com:443", "uri": "srtb.msn.com:443", "headers": {"Proxy-Connection": ["keep-alive"], "Proxy-Authorization": [], "Padding": [">(<';)>,,@+>#>,;XXXXXXXX"], "Fastopen": ["1"], "Padding-Type-Request": ["1, 0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.177242148}
2024/05/10 08:47:03.377 ERROR   http.log.error  read tcp 6.7.8.9:48252->23.62.178.26:443: read: connection reset by peer    {"request": {"remote_ip": "1.2.3.4", "remote_port": "35557", "client_ip": "1.2.3.4", "proto": "HTTP/1.1", "method": "CONNECT", "host": "assets.msn.cn:443", "uri": "assets.msn.cn:443", "headers": {"Fastopen": ["1"], "Padding-Type-Request": ["1, 0"], "Proxy-Connection": ["keep-alive"], "Proxy-Authorization": [], "Padding": ["\"!?';>!!!&&>##?\"XXXXXXXXXXXXXXXX"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.184887156}
2024/05/10 08:47:03.412 ERROR   http.log.error  read tcp 6.7.8.9:59548->204.79.197.203:443: read: connection reset by peer  {"request": {"remote_ip": "1.2.3.4", "remote_port": "35079", "client_ip": "1.2.3.4", "proto": "HTTP/1.1", "method": "CONNECT", "host": "srtb.msn.com:443", "uri": "srtb.msn.com:443", "headers": {"Proxy-Authorization": [], "Padding": [";>!&+\")<\">>\",;;<X"], "Fastopen": ["1"], "Padding-Type-Request": ["1, 0"], "Proxy-Connection": ["keep-alive"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "aax.com"}}, "duration": 0.175766238}
klzgrad commented 3 months ago

Source Type HTTP2_SESSION and PROXY_CLIENT_SOCKET are the two worth looking at. HTTP_PROXY_CONNECT_JOB carries no information. The Caddy log carries no information.

namelessvon commented 3 months ago

Source Type HTTP2_SESSION and PROXY_CLIENT_SOCKET are the two worth looking at. HTTP_PROXY_CONNECT_JOB carries no information. The Caddy log carries no information.

netlog.json contains no entries at all of the HTTP2_SESSION or PROXY_CLIENT_SOCKET types. Did I misconfigure something?

klzgrad commented 3 months ago

In any case, you should find the HTTP request and response headers for the access to www.gstatic.com

They have not been found above

namelessvon commented 3 months ago

Case closed: I saw the string huorong in the netlog, tried turning off Huorong, and found that solved the problem.

Specifically, the Virus Protection -> Web Scanning feature in the Huorong security software was intercepting the proxy traffic; I don't know which recent version update introduced it. Adding naiveproxy to the trusted programs fixes it. The Shadowrocket connection on the phone still has problems for now; I'll look into that myself. Thanks.

BFNOC commented 3 months ago

Case closed: I saw the string huorong in the netlog, tried turning off Huorong, and found that solved the problem.

Specifically, the Virus Protection -> Web Scanning feature in the Huorong security software was intercepting the proxy traffic; I don't know which recent version update introduced it. Adding naiveproxy to the trusted programs fixes it. The Shadowrocket connection on the phone still has problems for now; I'll look into that myself. Thanks.

There is an article on Landian (蓝点网) dated March 28, 2024 that describes this.

Huorong Security now also enables by default the Huorong SSL certificate to decrypt traffic in order to judge website safety, and adds detection of ransomware modifications with automatic rollback.

Most security software cannot inspect HTTPS-encrypted traffic, mainly because forcibly decrypting encrypted traffic can cause errors when web pages load. There is a solution for this, though: the security software uses a self-signed certificate to issue certificates locally for every website, which lets it decrypt the traffic. Huorong Security added an encrypted-connection scanning feature in version 6.0; it issues certificates from Huorong's built-in certificate and decrypts SSL in order to inspect the traffic. The same feature exists in security software such as Kaspersky, though Huorong's version currently may not support Firefox and cannot decrypt its traffic.
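The interception described in the last two comments (a locally installed antivirus root that re-signs every site's certificate, including the proxy server's) can be confirmed without reading a netlog: the certificate the naiveproxy client receives for the proxy host should be issued by one of the CAs the server's Caddy config uses (the acme and zerossl issuer modules), and anything else means something between the client and the server re-signed it. The script below is an added example, not code from this issue or from the naiveproxy or Caddy projects. The expected issuer organizations, the sample certificate dictionaries and the PLACEHOLDER issuer names are assumptions constructed for illustration; the live check uses only the standard library's ssl and socket modules.

```python
import socket
import ssl

# Issuer organizations the Caddy config on this page can actually produce:
# the "acme" module (Let's Encrypt) and the "zerossl" module.
# Assumption: the proxy server is the one configured in this issue.
EXPECTED_ISSUER_ORGS = frozenset({"Let's Encrypt", "ZeroSSL"})


def issuer_org(cert):
    """Return the issuer's organizationName from a dict shaped like the
    result of ssl.SSLSocket.getpeercert(), or None if it has none."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def classify_peer_cert(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Return ("expected", org) when the leaf was issued by a CA the
    server is configured to use, otherwise ("intercepted", org).
    A TLS-inspecting product installs its own root in the OS trust store
    and re-signs every leaf, so the chain validates fine; the issuer name
    is what gives the interception away."""
    org = issuer_org(cert)
    if org in expected_orgs:
        return "expected", org
    return "intercepted", org


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a real TLS connection validated against the OS trust store
    (exactly where an AV root would have been installed) and return the
    parsed peer certificate for classification."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; these are not real certificates.
SAMPLE_EXPECTED = {
    "subject": ((("commonName", "aax.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
}

SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "aax.com"),),),
    "issuer": (
        (("organizationName", "PLACEHOLDER local AV vendor"),),
        (("commonName", "PLACEHOLDER local AV root CA"),),
    ),
}


if __name__ == "__main__":
    import sys

    # With a hostname argument the check runs live; without one it
    # classifies the constructed intercepted sample.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(host) if host else SAMPLE_INTERCEPTED
    verdict, org = classify_peer_cert(cert)
    print(f"{host or 'sample'}: {verdict} (issuer O={org!r})")
```

Run it as python3 check_issuer.py aax.com (substituting the real proxy host) on the affected Windows machine: an "intercepted" verdict naming the antivirus vendor is the same finding the netlog produced, obtained in one line. The naiveproxy client validates against the same OS trust store as this script, which is why the interception root is accepted rather than rejected; the mismatch against the configured ACME issuer, not a validation failure, is the signal to look for.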