p4gefau1t / trojan-go

A Trojan proxy implemented in Go, with multiplexing, routing, CDN relaying and a Shadowsocks obfuscation plugin; multi-platform, no dependencies. A Trojan proxy written in Go. An unidentifiable mechanism that helps you bypass GFW. https://p4gefau1t.github.io/trojan-go/
GNU General Public License v3.0
7.54k stars 1.64k forks

Port 443 blocked after active probing #482

Open ttc0419 opened 1 year ago

ttc0419 commented 1 year ago

nginx.conf

user http;
worker_processes auto;

events {}

http {
    include mime.types;

    gzip on;
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 4096;

    access_log off;
    error_log stderr;

    server {
        listen 80;
        server_name abc.com;
        return 301 https://abc.com$request_uri;
    }

    server {
        listen 127.0.0.1:8080;
        server_name abc.com;
        root /usr/share/trojan/web;
        index index.html;
    }
}

config.json

{
    "run_type": "server",
    "log_level": 2,
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 8080,
    "password": ["xxx"],
    "ssl": {
        "cert": "/usr/share/trojan/certificate.pem",
        "key": "/usr/share/trojan/private.pem"
    },
    "tcp": {"fast_open": true},
    "api": {
        "enabled": true,
        "api_addr": "127.0.0.1",
        "api_port": 1314
    }
}

Last log entries before the block. It looks like the GFW was actively probing, and the probe succeeded. uTLS is already in use; s.s.s.s is the server IP.

[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 162.142.125.219:39012
[WARN]  redirecting connection from 162.142.125.219:39012 to 127.0.0.1:8080
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 128.1.248.42:39620
[WARN]  redirecting connection from 128.1.248.42:39620 to 127.0.0.1:8080
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 172.105.161.142:50120
[WARN]  redirecting connection from 172.105.161.142:50120 to 127.0.0.1:8080
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:55839: read: connection timed out
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:55812: read: connection timed out
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:55845: read: connection timed out
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:55847: read: connection timed out
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:124 failed to perform tls handshake with 109.237.97.180:60434, redirecting | tls: first record does not look like a TLS handshake
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:55849: read: connection timed out
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:64803: read: connection reset by peer
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:64804: read: connection reset by peer
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:65123: read: connection reset by peer
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:64806: read: connection reset by peer
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 183.136.225.32:6675
[WARN]  redirecting connection from 183.136.225.32:6675 to 127.0.0.1:8080
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:55871: read: connection timed out
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:124 failed to perform tls handshake with 66.240.205.34:50746, redirecting | tls: first record does not look like a TLS handshake
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:124 failed to perform tls handshake with 147.182.208.9:57128, redirecting | tls: first record does not look like a TLS handshake
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:124 failed to perform tls handshake with 147.182.208.9:57130, redirecting | tls: first record does not look like a TLS handshake
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:124 failed to perform tls handshake with 147.182.208.9:57142, redirecting | tls: first record does not look like a TLS handshake
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:124 failed to perform tls handshake with 147.182.208.9:47412, redirecting | tls: first record does not look like a TLS handshake
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:124 failed to perform tls handshake with 147.182.208.9:47414, redirecting | tls: first record does not look like a TLS handshake
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:55875: read: connection timed out
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 87.236.176.194:52223
[WARN]  redirecting connection from 87.236.176.194:52223 to 127.0.0.1:8080
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 87.236.176.109:44993
[WARN]  redirecting connection from 87.236.176.109:44993 to 127.0.0.1:8080
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 142.93.191.98:56535
[WARN]  redirecting connection from 142.93.191.98:56535 to 127.0.0.1:8080
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 179.43.159.197:43140
[WARN]  redirecting connection from 179.43.159.197:43140 to 127.0.0.1:8080
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:
gfw-report commented 1 year ago

Hi ttc0419,

Last log entries before the block. It looks like the GFW was actively probing, and the probe succeeded.

Thank you for reporting on this. To us, it seems to be too early to draw this conclusion. Every host on the Internet will receive a lot of connections from different scanners. It thus requires close filtering and observation to see if any probe is from the GFW.

For example, the GFW always uses Chinese IP addresses for active probing. Below are the only two Chinese IP addresses in your log:

host asn asname cc registry
116.224.121.220 AS4812 CHINANET-SH-AP China Telecom Group, CN CN apnic
183.136.225.32 AS58461 CT-HANGZHOU-IDC No.288,Fu-chun Road, CN CN apnic

As you can see 183.136.225.32 appears to be a known scanner, but it is not necessarily from the GFW.

uTLS is already in use

Could you please elaborate on your setup? For example, what are the clients you used? What OSes were you using? What are the version numbers of your clients?

Providing these details about the clients will help us diagnose any potential problem.
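The "close filtering and observation" gfw-report asks for above is easier with a tally than with raw lines. The following is an added example, not code from this thread or from trojan-go: a small Go program that classifies trojan-go server log lines of the shapes posted in this issue (SNI mismatch, unsupported ALPN, non-TLS first record, HTTP fallback redirect, relay read errors) and counts them per remote address, so the few peers worth looking up by ASN and country stand out from background scanner noise. The sample lines are copied from the log above; the Category names, the Event and Summary types and the regular expressions are my own assumptions about the log format, derived only from the lines shown here.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Category labels for the trojan-go server log shapes seen in this issue (names are my own).
type Category string

const (
	CatSNIMismatch  Category = "sni-mismatch"     // tls handshake failed | sni mismatched
	CatBadALPN      Category = "unsupported-alpn" // client requested unsupported application protocols
	CatNotTLS       Category = "not-tls"          // first record does not look like a TLS handshake
	CatHTTPRedirect Category = "http-redirected"  // websocket is disabled. redirecting http request
	CatRelayError   Category = "relay-error"      // relayConnLoop read error (timeout / reset by peer)
	CatOther        Category = "other"            // e.g. the duplicate [WARN] redirect lines
)

// Event is one parsed log line.
type Event struct {
	Category Category
	Peer     string   // remote IP when the line carries one, else ""
	SNI      string   // SNI the client sent (CatSNIMismatch only; "" when none was sent)
	ALPN     []string // protocols the client offered (CatBadALPN only)
}

// Patterns written against the log lines in this issue, not against trojan-go's source.
var (
	reNotTLS = regexp.MustCompile(`failed to perform tls handshake with ([0-9.]+):\d+`)
	reHTTP   = regexp.MustCompile(`redirecting http request from ([0-9.]+):\d+`)
	reRelay  = regexp.MustCompile(`read tcp \S+->([0-9.]+):\d+: read:`)
	reSNI    = regexp.MustCompile(`sni mismatched: ([^,]*), expected:`)
	reALPN   = regexp.MustCompile(`unsupported application protocols \(\[([^\]]*)\]\)`)
)

// group1 returns the first capture group of re in s, or "" if re does not match.
func group1(re *regexp.Regexp, s string) string {
	if m := re.FindStringSubmatch(s); m != nil {
		return m[1]
	}
	return ""
}

// ParseLine classifies a single trojan-go log line.
func ParseLine(line string) Event {
	switch {
	case strings.Contains(line, "sni mismatched"):
		return Event{Category: CatSNIMismatch, SNI: group1(reSNI, line)}
	case strings.Contains(line, "unsupported application protocols"):
		return Event{Category: CatBadALPN, ALPN: strings.Fields(group1(reALPN, line))}
	case strings.Contains(line, "does not look like a TLS handshake"):
		return Event{Category: CatNotTLS, Peer: group1(reNotTLS, line)}
	case strings.Contains(line, "redirecting http request from"):
		return Event{Category: CatHTTPRedirect, Peer: group1(reHTTP, line)}
	case strings.Contains(line, "relayConnLoop"):
		return Event{Category: CatRelayError, Peer: group1(reRelay, line)}
	}
	return Event{Category: CatOther}
}

// Summary is the tally an operator inspects before looking up any address (ASN, country).
type Summary struct {
	ByCategory map[Category]int
	ByPeer     map[string]map[Category]int // peer IP -> category -> count
}

// Summarize tallies the log by category and by remote address.
func Summarize(lines []string) Summary {
	s := Summary{ByCategory: map[Category]int{}, ByPeer: map[string]map[Category]int{}}
	for _, line := range lines {
		ev := ParseLine(line)
		s.ByCategory[ev.Category]++
		if ev.Peer == "" {
			continue // lines without a remote address cannot be attributed to a peer
		}
		if s.ByPeer[ev.Peer] == nil {
			s.ByPeer[ev.Peer] = map[Category]int{}
		}
		s.ByPeer[ev.Peer][ev.Category]++
	}
	return s
}

// TopPeers returns remote addresses ordered by event count, most active first;
// ties are broken by address so the order is stable.
func (s Summary) TopPeers() []string {
	total := map[string]int{}
	for peer, cats := range s.ByPeer {
		for _, n := range cats {
			total[peer] += n
		}
	}
	peers := make([]string, 0, len(total))
	for p := range total {
		peers = append(peers, p)
	}
	sort.Slice(peers, func(i, j int) bool {
		return total[peers[i]] > total[peers[j]] || total[peers[i]] == total[peers[j]] && peers[i] < peers[j]
	})
	return peers
}

// SampleLog holds lines copied from the server log posted in this issue.
var SampleLog = []string{
	`[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 162.142.125.219:39012`,
	`[WARN]  redirecting connection from 162.142.125.219:39012 to 127.0.0.1:8080`,
	`[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:55839: read: connection timed out`,
	`[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:124 failed to perform tls handshake with 109.237.97.180:60434, redirecting | tls: first record does not look like a TLS handshake`,
	`[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: , expected:`,
	`[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | sni mismatched: s.s.s.s, expected:`,
	`[ERROR] github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:140 tls handshake failed | tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])`,
	`[ERROR] github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:80 read tcp s.s.s.s:443->116.224.121.220:64803: read: connection reset by peer`,
	`[ERROR] github.com/p4gefau1t/trojan-go/tunnel/trojan.(*Server).acceptLoop:server.go:130 trojan failed to accept conn | websocket is disabled. redirecting http request from 183.136.225.32:6675`,
}

func main() {
	s := Summarize(SampleLog)
	fmt.Println("events by category:", s.ByCategory)
	for _, p := range s.TopPeers() {
		fmt.Printf("%-16s %v\n", p, s.ByPeer[p])
	}
}
```

Run over the full log instead of SampleLog (read stdin line by line and pass the slice to Summarize), the per-peer table is what you would feed into an ASN/country lookup; note that the sni-mismatch lines carry no remote address at all, so those events can only be counted, not attributed, which is itself a reason to keep the [WARN] redirect lines in the log.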

ttc0419 commented 1 year ago

@gfw-report Thanks for looking into it. I'm mainly using Shadowrocket on iOS and the trojan-go command line client on desktops. The following is my config, and I'm using your branch to compile the client binary.

config.json

{
        "run_type": "client",
        "local_addr": "127.0.0.1",
        "local_port": 1080,
        "remote_addr": "abc.com",
        "remote_port": 443,
        "password": ["xxx"],
        "tcp": {"fast_open": true},
        "ssl": {"fingerprint": "edge"},
        "router": {
                "enabled": true,
                "bypass": [
                        "geoip:cn",
                        "geoip:private",
                        "geosite:cn",
                        "geosite:private"
                ],
                "block": ["geosite:category-ads"],
                "proxy": ["geosite:geolocation-!cn"],
                "default_policy": "proxy",
                "geoip": "geoip.dat",
                "geosite": "dlc.dat"
        }
}

According to the log, the prober seems to be using SNI and ALPN to detect the server type? And I tried to write a uTLS client with the same ALPN values as in the log. The trojan-go server and the nginx HTTPS setup act differently: the trojan-go server fails at the TLS handshake, but nginx chooses http/1.0 or http/0.9 if available. Will that be a problem?

ttc0419 commented 1 year ago

I tried using NGINX as the TLS server and running the trojan server as a stream backend; however, port 443 still got blocked. I think it's still because of the inconsistent behaviour of the ALPN negotiation between the http and stream proxies (somehow, the stream will reply with ALPN ""). The following is the NGINX log:

[error]: *1 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *3 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:0/0, bytes from/to upstream:0/0
[error]: *5 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *7 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:0/0, bytes from/to upstream:0/0
[error]: *8 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:600/0, bytes from/to upstream:0/0
[error]: *11 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *13 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *15 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *17 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *19 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *454 open() "/usr/share/trojan/web/ab2g" failed (2: No such file or directory), client: 127.0.0.1, server: abc.com, request: "GET /ab2g HTTP/1.1", host: "s.s.s.s"
[error]: *457 open() "/usr/share/trojan/web/ab2h" failed (2: No such file or directory), client: 127.0.0.1, server: abc.com, request: "GET /ab2h HTTP/1.1", host: "s.s.s.s"
[error]: *508 open() "/usr/share/trojan/web/ab2g" failed (2: No such file or directory), client: 127.0.0.1, server: abc.com, request: "GET /ab2g HTTP/1.1", host: "s.s.s.s"
[error]: *511 open() "/usr/share/trojan/web/ab2h" failed (2: No such file or directory), client: 127.0.0.1, server: abc.com, request: "GET /ab2h HTTP/1.1", host: "s.s.s.s"
aflyhorse commented 1 year ago

Recently, the trojan-go server I set up gets its port blocked within a few days of going online... switch to another port and it gets killed again a few days later. It feels like the GFW has already figured it out.

ttc0419 commented 1 year ago

Recently, the trojan-go server I set up gets its port blocked within a few days of going online... switch to another port and it gets killed again a few days later. It feels like the GFW has already figured it out.

In my environment, after switching to xray I haven't been blocked again, and the ports that were previously blocked while running trojan have all been unblocked. The strange thing is that even with direct traffic control it doesn't get blocked, so I guess it's trojan's request length that has been put on the watch list.

wangyou233 commented 1 year ago

My port 443 got killed too.

Yunme commented 1 year ago

Same here. Is there any fix? QaQ

teadrinker2015 commented 8 months ago

Not sure whether it's actually blocked; after switching networks (using mobile data, rebooting the optical modem, and the like) it worked again. Before that, the symptom was consistently a TLS handshake timeout.

CXwudi commented 8 months ago

I tried using NGINX as the TLS server and running the trojan server as a stream backend; however, port 443 still got blocked. I think it's still because of the inconsistent behaviour of the ALPN negotiation between the http and stream proxies (somehow, the stream will reply with ALPN ""). The following is the NGINX log:

[error]: *1 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *3 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:0/0, bytes from/to upstream:0/0
[error]: *5 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *7 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:0/0, bytes from/to upstream:0/0
[error]: *8 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:600/0, bytes from/to upstream:0/0
[error]: *11 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *13 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *15 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *17 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:592/0, bytes from/to upstream:0/0
[error]: *19 connect() failed (111: Connection refused) while proxying connection, client: 180.152.237.155, server: 0.0.0.0:443, upstream: "127.0.0.1:5419", bytes from/to client:224/0, bytes from/to upstream:0/0
[error]: *454 open() "/usr/share/trojan/web/ab2g" failed (2: No such file or directory), client: 127.0.0.1, server: cpanel.sunwisefinance.com, request: "GET /ab2g HTTP/1.1", host: "s.s.s.s"
[error]: *457 open() "/usr/share/trojan/web/ab2h" failed (2: No such file or directory), client: 127.0.0.1, server: cpanel.sunwisefinance.com, request: "GET /ab2h HTTP/1.1", host: "s.s.s.s"
[error]: *508 open() "/usr/share/trojan/web/ab2g" failed (2: No such file or directory), client: 127.0.0.1, server: cpanel.sunwisefinance.com, request: "GET /ab2g HTTP/1.1", host: "s.s.s.s"
[error]: *511 open() "/usr/share/trojan/web/ab2h" failed (2: No such file or directory), client: 127.0.0.1, server: cpanel.sunwisefinance.com, request: "GET /ab2h HTTP/1.1", host: "s.s.s.s"

Have you tried doing the reverse proxy in the http block instead of the stream block? My understanding is that TLS sits on top of the TCP/UDP layer, so a stream reverse proxy doesn't really let nginx handle the TLS handshake; it simply forwards the stream to Trojan-Go. A reverse proxy on the http side, on the other hand, really makes nginx handle the TLS handshake.

Make sure to enable websocket to enable the reverse proxy in the http block