p4gefau1t / trojan-go

A Trojan proxy implemented in Go, with multiplexing, routing, CDN relaying and a Shadowsocks obfuscation plugin; multi-platform, no dependencies. A Trojan proxy written in Go. An unidentifiable mechanism that helps you bypass GFW. https://p4gefau1t.github.io/trojan-go/
GNU General Public License v3.0
7.58k stars, 1.65k forks

Can the config file path be specified manually? #54

Closed. killgcd4ever closed this 4 years ago

killgcd4ever commented 4 years ago

First time using it. I used the systemd example from trojan-gfw, but the service failed to start; only when I looked at the log did I find that it could not locate the config. So could users be allowed to specify their own config path? Thanks!

killgcd4ever commented 4 years ago

May 24 21:26:29 vultr.guest trojan-go[18101]: [ERROR] 2020/05/24 21:26:29 github.com/p4gefau1t/trojan-go/proxy.(*proxyOption).Handle:option.go:38 Failed to parse config file | 127.0.0.1:80 is not a valid web server | Get "https://127.0.0.1/"

After starting, it reports this error. What does it mean?

p4gefau1t commented 4 years ago
  1. The path can be specified. Please read the documentation carefully first and learn the basics of systemd configuration.

  2. At startup, trojan-go checks whether the disguise HTTP server supplied by the user is valid, and refuses to start the service if it is not. Please read the documentation carefully first.

killgcd4ever commented 4 years ago

1. On the first question: I could not find it in the documentation. Could you point me to which section it is in?
2. I have confirmed the disguise service is working, because the original trojan works fine with it.

Also, the full config file given in the documentation has two errors: under websocket->ssl->plain_http_response there is an extra comma at the end, and after the closing brace of api->ssl there is an extra comma.
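Both documentation errors reported here are trailing commas, which JSON does not allow, so a strict parser rejects such a file before trojan-go ever reaches its own checks. The following Go checker is an added example and not trojan-go's code: it parses a config with encoding/json and turns the byte offset of a syntax error into a line and column. brokenConfig is a constructed fragment reproducing the websocket->ssl case; checkConfig and position are names chosen for this illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Constructed sample with the same defect the docs had: a comma after the last
// member of websocket.ssl. JSON has no trailing commas, so this must be rejected.
const brokenConfig = `{
  "run_type": "server",
  "websocket": {
    "enabled": true,
    "ssl": {
      "plain_http_response": "",
    }
  }
}`

// The same fragment with the comma removed.
const fixedConfig = `{
  "run_type": "server",
  "websocket": {
    "enabled": true,
    "ssl": {
      "plain_http_response": ""
    }
  }
}`

// position turns json.SyntaxError.Offset (bytes consumed, including the
// offending byte) into a 1-based line and column.
func position(data []byte, offset int64) (line, col int) {
	if offset > int64(len(data)) {
		offset = int64(len(data))
	}
	before := data[:offset]
	line = bytes.Count(before, []byte("\n")) + 1
	col = len(before) - (bytes.LastIndexByte(before, '\n') + 1)
	return line, col
}

// checkConfig parses the config strictly. On a syntax error it returns the
// line and column of the offending byte; on success it returns 0, 0, nil.
func checkConfig(data []byte) (line, col int, err error) {
	var cfg map[string]any
	err = json.Unmarshal(data, &cfg)
	var se *json.SyntaxError
	if errors.As(err, &se) {
		line, col = position(data, se.Offset)
		return line, col, fmt.Errorf("line %d, column %d: %w", line, col, err)
	}
	return 0, 0, err
}

func main() {
	data := []byte(brokenConfig)
	if len(os.Args) > 1 { // go run check.go /etc/trojan-go/config.json
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Println(err)
			os.Exit(2)
		}
	}
	if _, _, err := checkConfig(data); err != nil {
		fmt.Println("config rejected:", err)
		os.Exit(1)
	}
	fmt.Println("config OK")
}
```

Run against brokenConfig, the checker points at line 7, column 5, the closing brace that follows the stray comma, with Go's own message "invalid character '}' looking for beginning of object key string"; run against a real config path it exits non-zero before the service is started.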

p4gefau1t commented 4 years ago
  1. Please learn how to configure systemd, read trojan-go.service, make use of the -h option; the readme also describes how to start the service.

  2. trojan-gfw starts because trojan-gfw has no mechanism for checking the validity of the disguise service. Also, the log you provided is incomplete, so I cannot pin down the problem in detail.

  3. The documentation has been corrected; thanks for pointing it out.
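The startup check described in the two replies above (trojan-go probes the disguise web server at remote_addr:remote_port and refuses to start when nothing HTTP-like answers) can be reproduced in a few lines of Go. This is an added example and not trojan-go's own implementation; checkFallbackServer, its dial parameter and the in-memory fakes in main are assumptions made for the illustration. One caveat the thread makes visible: the poster's port-80 nginx answers with a 301 to https, and the truncated log line ends in a request to https://127.0.0.1/, so this example deliberately does not follow redirects and accepts any well-formed HTTP status line, a 301 included, as proof that a web server is there. Whether trojan-go's check at that version followed redirects is not established by this thread.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

type dialFunc func(ctx context.Context, network, addr string) (net.Conn, error)

// checkFallbackServer connects to addr (the config's remote_addr:remote_port)
// through dial and requires a well-formed HTTP response. It does not follow
// redirects: a 301 to https from a port-80 nginx is still a valid web server.
// Hypothetical helper; it is not trojan-go's own code.
func checkFallbackServer(addr string, dial dialFunc) error {
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{DialContext: dial, DisableKeepAlives: true},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Get("http://" + addr + "/")
	if err != nil {
		// Covers both "connection refused" and "malformed HTTP response".
		return fmt.Errorf("%s is not a valid web server: %w", addr, err)
	}
	resp.Body.Close()
	return nil
}

// fakeListener returns a dial function whose "server" end reads one HTTP
// request and answers with raw bytes, so the check can be exercised without
// any real socket. Constructed test double, not part of trojan-go.
func fakeListener(reply string) dialFunc {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		client, server := net.Pipe()
		go func() {
			defer server.Close()
			if _, err := http.ReadRequest(bufio.NewReader(server)); err != nil {
				return
			}
			server.Write([]byte(reply))
		}()
		return client, nil
	}
}

// refusedListener simulates nothing listening on remote_port at all.
func refusedListener(ctx context.Context, network, addr string) (net.Conn, error) {
	return nil, fmt.Errorf("dial tcp %s: connect: connection refused", addr)
}

func main() {
	addr := "127.0.0.1:80" // the thread's remote_addr:remote_port
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	// Real probe against whatever is configured as the disguise server.
	fmt.Println("real:", checkFallbackServer(addr, (&net.Dialer{Timeout: 3 * time.Second}).DialContext))
	// Three constructed scenarios: nginx redirecting to https, a non-HTTP
	// listener on the port, and a closed port.
	fmt.Println("301 ->", checkFallbackServer(addr, fakeListener("HTTP/1.1 301 Moved Permanently\r\nLocation: https://mydomain.com/\r\nContent-Length: 0\r\n\r\n")))
	fmt.Println("ssh ->", checkFallbackServer(addr, fakeListener("SSH-2.0-OpenSSH_8.2\r\n")))
	fmt.Println("closed ->", checkFallbackServer(addr, refusedListener))
}
```

The redirect case passes, the SSH banner fails with net/http's "malformed HTTP response", and the closed port fails on dial; all three are the outcomes a startup check has to distinguish, and only the first should let the service come up.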

killgcd4ever commented 4 years ago

My configuration is below; please correct it, thank you. Because I want trojan-go to coexist with nginx and v2ray, I used the ngx_stream_ssl_preread_module feature of nginx and put trojan-go behind nginx. The original trojan works fine configured this way. How should trojan-go be configured for this? Also, does configuring it this way reduce security? And if it really has to be configured this way, is there a better suggestion? Thanks a lot, I bow to you!

nginx:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;

events {
    accept_mutex on;
    worker_connections 1024;
}

stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/access.log proxy;

    map $ssl_preread_server_name $name {
        default nginx;
    }

    upstream nginx {
        server 127.0.0.1:8443;
    }

    server {
        listen 443;
        proxy_pass $name;
        ssl_preread on;
    }
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name mydomain.com ssr.mydomain.com www.mydomain.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 80;
        listen [::]:80;
        root /usr/share/nginx/html;
        index index.html index.htm;
        server_name daze.mydomain.com goflyway.mydomain.com trojan.mydomain.com;
    }

    server {
        listen 8443 ssl http2;
        listen [::]:8443 ssl http2;
        root /usr/share/nginx/html;
        index index.html index.htm;
        ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.com/key.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
        ssl_dhparam /etc/letsencrypt/live/mydomain.com/dhparam.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_ecdh_curve secp384r1;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        resolver 1.1.1.1 8.8.8.8 valid=300s;
        resolver_timeout 30s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        server_name mydomain.com ssr.mydomain.com tj.mydomain.com www.mydomain.com;

        location /websocketpath {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:29443;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

trojan-go:

{
  "run_type": "server",
  "local_addr": "127.0.0.1",
  "local_port": 29443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "log_level": 1,
  "log_file": "",
  "password": ["mypassword"],
  "buffer_size": 32,
  "dns": ["dot://1.1.1.1", "1.1.1.1", "8.8.8.8"],
  "ssl": {
    "verify": true,
    "cert": "/etc/letsencrypt/live/mydomain.com/fullchain.pem",
    "key": "/etc/letsencrypt/live/mydomain.com/key.pem",
    "key_password": "",
    "cipher": "",
    "cipher_tls13": "",
    "curves": "",
    "prefer_server_cipher": false,
    "sni": "mydomain.com",
    "alpn": ["http/1.1"],
    "session_ticket": true,
    "reuse_session": true,
    "plain_http_response": "",
    "fallback_port": 0,
    "fingerprint": "firefox",
    "serve_plain_text": false
  },
  "tcp": {
    "no_delay": true,
    "keep_alive": true,
    "reuse_port": false,
    "prefer_ipv4": false,
    "fast_open": false,
    "fast_open_qlen": 20
  },
  "mux": {
    "enabled": false,
    "concurrency": 8,
    "idle_timeout": 60
  },
  "router": {
    "enabled": false,
    "bypass": [],
    "proxy": [],
    "block": [],
    "default_policy": "proxy",
    "domain_strategy": "as_is",
    "geoip": "./geoip.dat",
    "geosite": "./geosite.dat"
  },
  "websocket": {
    "enabled": true,
    "path": "/websocketpath",
    "hostname": "mydomain.com",
    "obfuscation_password": "mypassword",
    "double_tls": true,
    "ssl": {
      "verify": true,
      "verify_hostname": true,
      "cert": "/etc/letsencrypt/live/mydomain.com/fullchain.pem",
      "key": "/etc/letsencrypt/live/mydomain.com/key.pem",
      "key_password": "",
      "prefer_server_cipher": false,
      "sni": "mydomain.com",
      "session_ticket": true,
      "reuse_session": true,
      "plain_http_response": ""
    }
  },
  "forward_proxy": {
    "enabled": false,
    "proxy_addr": "",
    "proxy_port": 0,
    "username": "",
    "password": ""
  },
  "mysql": {
    "enabled": false,
    "server_addr": "localhost",
    "server_port": 3306,
    "database": "",
    "username": "",
    "password": "",
    "check_rate": 60
  },
  "redis": {
    "enabled": false,
    "server_addr": "localhost",
    "server_port": 6379,
    "password": ""
  },
  "api": {
    "enabled": false,
    "api_addr": "",
    "api_port": 0,
    "api_tls": false,
    "ssl": {
      "cert": "",
      "key": "",
      "key_password": "",
      "client_cert": []
    }
  }
}

p4gefau1t commented 4 years ago
  1. If nginx is to do the TLS encryption and decryption, then trojan-go should only handle plaintext TCP content, and serve_plain_text should be set to true.

  2. Configuration questions should be asked in the group rather than as issues; issues are mainly for discussing bugs and features.
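The two nginx paths in this thread put different bytes in front of trojan-go. In the stream block, ssl_preread reads the server_name out of the ClientHello without decrypting anything and passes the TLS session through to the upstream unchanged; in the http block, nginx terminates TLS itself and proxy_pass sends the /websocketpath upgrade to 127.0.0.1:29443 as plaintext, which is why the maintainer's answer requires serve_plain_text. The Go program below, added here as an illustration and not taken from trojan-go or nginx, shows both cases: it captures a real ClientHello from crypto/tls over an in-memory pipe, parses the server_name the way ssl_preread exposes it as $ssl_preread_server_name, and contrasts that with a constructed plaintext WebSocket upgrade request. The hostnames, the cursor helper and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

var errShort = errors.New("truncated ClientHello")

// cursor is a tiny bounds-checked reader over a byte slice; every read past
// the end sets err instead of panicking.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || n < 0 || len(c.b) < n {
		c.err = errShort
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

func (c *cursor) u8() int {
	v := c.take(1)
	if v == nil {
		return 0
	}
	return int(v[0])
}

func (c *cursor) u16() int {
	v := c.take(2)
	if v == nil {
		return 0
	}
	return int(binary.BigEndian.Uint16(v))
}

// isTLSRecord reports whether the first bytes look like a TLS record (content
// type 0x16 = handshake, version major 0x03). A plaintext HTTP request never
// starts this way, so this is the cheapest way to tell the two deployments apart.
func isTLSRecord(prefix []byte) bool {
	return len(prefix) >= 3 && prefix[0] == 0x16 && prefix[1] == 0x03
}

// sniFromClientHello pulls server_name out of a raw ClientHello record, the
// same field ssl_preread uses to route on $ssl_preread_server_name.
func sniFromClientHello(rec []byte) (string, error) {
	if !isTLSRecord(rec) || len(rec) < 6 || rec[5] != 0x01 {
		return "", errors.New("not a TLS ClientHello")
	}
	c := &cursor{b: rec[5:]}
	c.take(4)       // handshake type (1) + length (3)
	c.take(2 + 32)  // client_version + random
	c.take(c.u8())  // session_id
	c.take(c.u16()) // cipher_suites
	c.take(c.u8())  // compression_methods
	ext := &cursor{b: c.take(c.u16())}
	if c.err != nil {
		return "", c.err
	}
	for len(ext.b) > 0 && ext.err == nil {
		typ := ext.u16()
		data := ext.take(ext.u16())
		if typ != 0 { // 0 = server_name
			continue
		}
		sn := &cursor{b: data}
		sn.u16()          // server_name_list length
		if sn.u8() != 0 { // 0 = host_name
			return "", errors.New("unexpected name_type")
		}
		name := sn.take(sn.u16())
		if sn.err != nil {
			return "", sn.err
		}
		return string(name), nil
	}
	if ext.err != nil {
		return "", ext.err
	}
	return "", errors.New("no server_name extension")
}

// captureClientHello runs a real crypto/tls client against one end of an
// in-memory pipe and returns the first record it sends. Constructed sample
// input; nothing touches the network.
func captureClientHello(serverName string) ([]byte, error) {
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()
	go func() {
		c := tls.Client(clientSide, &tls.Config{ServerName: serverName})
		_ = c.Handshake() // fails once the pipe is closed; only the first record matters here
	}()
	hdr := make([]byte, 5)
	if _, err := io.ReadFull(serverSide, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	if _, err := io.ReadFull(serverSide, body); err != nil {
		return nil, err
	}
	return append(hdr, body...), nil
}

func main() {
	hello, err := captureClientHello("trojan.mydomain.com")
	if err != nil {
		panic(err)
	}
	name, err := sniFromClientHello(hello)
	fmt.Printf("stream/ssl_preread path: tls=%v sni=%q err=%v\n", isTLSRecord(hello), name, err)

	// What the upstream sees after the http block terminated TLS and proxied
	// /websocketpath: a plain HTTP upgrade, no TLS record at all.
	plain := []byte("GET /websocketpath HTTP/1.1\r\nHost: mydomain.com\r\nUpgrade: websocket\r\n\r\n")
	_, err = sniFromClientHello(plain)
	fmt.Printf("http/proxy_pass path:   tls=%v err=%v\n", isTLSRecord(plain), err)
}
```

With the poster's map, every SNI falls through to default and lands on the 8443 http server; routing a dedicated name such as trojan.mydomain.com straight to a trojan-go listener in the stream block would keep TLS end to end and leave serve_plain_text at false, whereas the http proxy_pass route hands trojan-go the plaintext upgrade shown in the second case.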