Open ttc0419 opened 1 year ago
Hi ttc0419,
> Last log before the block; it looks like the GFW was actively probing, and succeeded
Thank you for reporting on this. To us, it seems to be too early to draw this conclusion. Every host on the Internet will receive a lot of connections from different scanners. It thus requires close filtering and observation to see whether any probe is from the GFW.
For example, the GFW always uses Chinese IP addresses for active probing. Below are the only two Chinese IP addresses in your log:
host | asn | asname | cc | registry |
---|---|---|---|---|
116.224.121.220 | AS4812 | CHINANET-SH-AP China Telecom Group, CN | CN | apnic |
183.136.225.32 | AS58461 | CT-HANGZHOU-IDC No.288,Fu-chun Road, CN | CN | apnic |
As you can see, 183.136.225.32 appears to be a known scanner, but it is not necessarily from the GFW.
> Already using uTLS
Could you please elaborate on your setup? For example, what are the clients you used? What OSes were you using? What are the version numbers of your clients?
Providing these details about the clients will help us diagnose any potential problem.
@gfw-report Thanks for looking into it. I'm mainly using shadowrocket on iOS and the trojan-go command line client on desktops. The following is my config, and I'm using your branch to compile the client binary.

config.json:

```json
{
    "run_type": "client",
    "local_addr": "127.0.0.1",
    "local_port": 1080,
    "remote_addr": "abc.com",
    "remote_port": 443,
    "password": ["xxx"],
    "tcp": {"fast_open": true},
    "ssl": {"fingerprint": "edge"},
    "router": {
        "enabled": true,
        "bypass": [
            "geoip:cn",
            "geoip:private",
            "geosite:cn",
            "geosite:private"
        ],
        "block": ["geosite:category-ads"],
        "proxy": ["geosite:geolocation-!cn"],
        "default_policy": "proxy",
        "geoip": "geoip.dat",
        "geosite": "dlc.dat"
    }
}
```
According to the log, the prober seems to be using SNI and ALPN to detect the server type? And I tried to write a utls client with the same ALPN values as in the log. The trojan-go server and the nginx https setup act differently: the Trojan-Go server will fail at the TLS handshake, but nginx will choose http/1.0 or http/0.9 if available. Will that be a problem?
I tried to use NGINX as the TLS server and run the trojan server as a stream backend; however, port 443 still got blocked. I think it's still because of the inconsistent behaviour of the ALPN negotiation between the http and stream proxy (somehow, the stream will reply with ALPN ""). The following is the log of NGINX:

```
[error]: *1 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *3 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:0/0, bytes from/to upstream:0/0
[error]: *5 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *7 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:0/0, bytes from/to upstream:0/0
[error]: *8 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:600/0, bytes from/to upstream:0/0
[error]: *11 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *13 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *15 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *17 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *19 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *454 open() "/usr/share/trojan/web/ab2g" failed (2: No such file or directory), client: 127.0.0.1, server: abc.com, request: "GET /ab2g HTTP/1.1", host: "s.s.s.s"
[error]: *457 open() "/usr/share/trojan/web/ab2h" failed (2: No such file or directory), client: 127.0.0.1, server: abc.com, request: "GET /ab2h HTTP/1.1", host: "s.s.s.s"
[error]: *508 open() "/usr/share/trojan/web/ab2g" failed (2: No such file or directory), client: 127.0.0.1, server: abc.com, request: "GET /ab2g HTTP/1.1", host: "s.s.s.s"
[error]: *511 open() "/usr/share/trojan/web/ab2h" failed (2: No such file or directory), client: 127.0.0.1, server: abc.com, request: "GET /ab2h HTTP/1.1", host: "s.s.s.s"
```
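The two comments above turn on whether the front end answers ALPN the way a plain HTTPS server does. As an added example (not code from this thread, from trojan-go or from nginx), the following Python check offers the ALPN lists a browser, an HTTP/1-only client and an odd client would send to a server you operate, and reports the offers where the outcome differs from a reference HTTPS server; the hosts and ports are whatever you pass in.

```python
import socket
import ssl

# Added example, not from the issue thread: send a TLS ClientHello with a
# chosen ALPN list to a server you run and record what it negotiates, so a
# trojan-go/nginx front end can be compared with a plain HTTPS server.

OFFERS = [
    ["h2", "http/1.1"],        # what a browser offers
    ["http/1.1"],              # HTTP/1-only client
    ["http/1.0", "http/0.9"],  # odd values like those in the reported log
]


def probe_alpn(host, port, alpn, sni=None, timeout=3.0):
    """One handshake: returns the offered list, the protocol the server
    selected (None when it sent no ALPN) and any error name. Certificate
    verification is off because a test server may be self-signed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(alpn)
    out = {"offered": list(alpn), "negotiated": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                out["negotiated"] = tls.selected_alpn_protocol()
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        out["error"] = type(exc).__name__
    return out


def outcome(result):
    """Collapse a probe result into a label that can be compared."""
    if result["error"] is not None:
        return "failed:" + result["error"]
    if result["negotiated"] is None:
        return "no-alpn"
    return "alpn:" + result["negotiated"]


def compare_servers(reference, target, sni=None):
    """Run every offer against both (host, port) endpoints and return the
    offers whose outcomes differ, e.g. a stock nginx versus the trojan-go
    front end. An empty list means the ALPN behaviour matches."""
    diffs = []
    for alpn in OFFERS:
        ref = outcome(probe_alpn(*reference, alpn, sni))
        tgt = outcome(probe_alpn(*target, alpn, sni))
        if ref != tgt:
            diffs.append({"offered": alpn, "reference": ref, "target": tgt})
    return diffs
```

Run it once with the stream-block setup and once with an http-block setup as the target; any offer listed in the result is a behaviour a stock web server would not show.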
Recently the port of the trojan-go server I set up gets blocked a few days after it goes live... I change the port and it gets killed again a few days later. It feels like the GFW has completely figured it out.
In my environment, since switching to xray I haven't been blocked again, and the ports that were blocked while using trojan have been unblocked. The strange thing is that it doesn't get blocked even when traffic is routed direct, so my guess is that trojan's request length has been put on a watch list.
My port 443 was also killed.
Same here. Is there any solution? QaQ
Not sure whether it was actually blocked; after switching networks (using mobile data, rebooting the optical modem, and the like) it worked again. Before that the symptom was consistently a TLS handshake timeout.
Have you tried doing the reverse proxy in the http block instead of the stream block? My understanding is that TLS sits on top of the TCP/UDP layer, so a stream reverse proxy doesn't really let nginx handle the TLS handshake, but simply forwards the stream to Trojan-Go. A reverse proxy on the http side, on the other hand, really makes nginx handle the TLS handshake.

Make sure to enable websocket in order to use the reverse proxy in the http block.
nginx.conf
config.json
Last log before the block; it looks like the GFW was actively probing, and succeeded. uTLS is already in use; s.s.s.s is the server IP.