trojan-gfw / trojan

An unidentifiable mechanism that helps you bypass GFW.
https://trojan-gfw.github.io/trojan/
GNU General Public License v3.0
18.93k stars, 3.04k forks

Documentation on how to configure TCP load balancing / sharing a port with other SSL services #180

Closed llouislu closed 4 years ago

llouislu commented 4 years ago

Is your feature request related to a problem? Please describe. My expectation is to set up an environment where a TCP load balancer (e.g. haproxy) binds only port 443 and provides multiple services as follows: client => haproxy => {ocserv, trojan, nginx (legit, not honeypot requests)}

I have tried several approaches, based on the config by ocserv's author. Ocserv works as expected. However, trojan doesn't work a while after the initial connection to the server. And I end up with this, which also works the best. This config hasn't supported nginx yet, but it should be working. haproxy.cfg:

```
frontend www-https
   bind 0.0.0.0:443
   mode tcp
   tcp-request inspect-delay 100ms
   #tcp-request content accept if { req.ssl_hello_type 1 }
   default_backend bk_ssl_default

backend bk_ssl_default
   mode tcp
   acl ocserv-app req.ssl_sni -m end oc.example.com
   #acl web-app req_ssl_sni -i www.example.com
   acl trojan-app req.ssl_sni -m end tj.example.com

   use-server server-ocserv if ocserv-app
   use-server server-trojan if trojan-app
   #use-server server-web if web-app
   use-server server-ocserv if !ocserv-app !trojan-app #!web-app

   option tcp-check
   server server-ocserv 127.0.0.1:4001 send-proxy-v2 check
   #server server-web 127.0.0.1:4444 check
   server server-trojan 127.0.0.1:4002 check
```

trojan server:

```json
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 4002,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "password1"
    ],
    "log_level": 1,
    "ssl": {
        "cert": "/certs/fullchain.cer",
        "key": "/certs/domain.key",
        "key_password": "",
        "cipher": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
        "prefer_server_cipher": true,
        "alpn": [
            "h2",
            "http/1.1"
        ],
        "reuse_session": false,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": ""
    },
    "tcp": {
        "prefer_ipv4": false,
        "no_delay": false,
        "keep_alive": false,
        "fast_open": false,
        "fast_open_qlen": 20
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 3306,
        "database": "trojan",
        "username": "trojan",
        "password": ""
    }
}
```

trojan client:

```json
{
    "run_type": "client",
    "local_addr": "127.0.0.1",
    "local_port": 1080,
    "remote_addr": "example.com",
    "remote_port": 443,
    "password": [
        "password1"
    ],
    "log_level": 1,
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RSA-AES128-GCM-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-SHA:RSA-AES256-SHA:RSA-3DES-EDE-SHA",
        "sni": "",
        "alpn": [
            "h2",
            "http/1.1"
        ],
        "reuse_session": false,
        "session_ticket": false,
        "curves": ""
    },
    "tcp": {
        "no_delay": false,
        "keep_alive": false,
        "fast_open": true,
        "fast_open_qlen": 20
    }
}
```

Is this problem relevant to what trojan should care about? I haven't read the code for the relay server. But I doubt there is some non-standard "extra" in the TCP connection initialization and session reuse that potentially fails haproxy. Or it's just my misconfiguration.

Describe the solution you'd like: Hope trojan works as a backend in a haproxy stack, with plaintext configuration.

Describe alternatives you've considered: Fallback option 1: some non-standard inspect and rewrite hacks on the haproxy side to support trojan. Fallback option 2: trojan as a TCP load balancer that inspects and redirects all traffic to backends, but that's too much for proxy software.

Additional context: Everything is on the Linux platform.
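The haproxy backend above routes purely on the SNI it reads from the TLS ClientHello during the `tcp-request inspect-delay` window; the following added example (not part of this issue or the trojan project) parses that field from a raw record and applies the same suffix-match (`-m end`) rules, so you can see what haproxy actually decides on for a given hello, including a non-TLS or truncated first packet. The backend names and host names are taken from the config above; the ClientHello builder is a constructed test input.

```python
import struct

# Mirrors the two ACLs in the haproxy config: suffix match, like "req.ssl_sni -m end".
ROUTES = [("oc.example.com", "server-ocserv"), ("tj.example.com", "server-trojan")]
DEFAULT_BACKEND = "server-ocserv"   # the "use-server ... if !ocserv-app !trojan-app" rule


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with only an SNI extension (test input)."""
    host = sni.encode("ascii")
    name_list = struct.pack("!BH", 0, len(host)) + host          # host_name(0), length, name
    ext_sni = struct.pack("!HHH", 0, len(name_list) + 2, len(name_list)) + name_list
    exts = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (b"\x03\x03" + bytes(32)          # version, random
            + b"\x00"                        # empty session id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00" + exts)            # null compression, extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # handshake type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS record header


def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent, not TLS, or truncated."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                  # skip header, version, random
        pos += 1 + hs[pos]                                # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                                # compression methods
        if pos + 2 > len(hs):
            return None                                   # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                # server_name extension
                names = hs[pos + 2:pos + elen]            # skip server_name_list length
                ntype, nlen = names[0], struct.unpack("!H", names[1:3])[0]
                if ntype == 0 and 3 + nlen <= len(names):
                    return names[3:3 + nlen].decode("ascii")
            pos += elen
        return None
    except (struct.error, IndexError):
        return None                                       # short/garbled record: treat as no SNI


def route(record: bytes) -> str:
    """Pick the backend the way the ACLs above do; anything without a matching SNI hits the default."""
    sni = extract_sni(record) or ""
    for suffix, backend in ROUTES:
        if sni.endswith(suffix):
            return backend
    return DEFAULT_BACKEND
```

Note that `-m end` is a plain suffix match, so any name merely ending in `tj.example.com` selects the trojan backend; use `-m str` for an exact host name if that is what you intend.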

GreaterFire commented 4 years ago

This kind of setup-related stuff will not be put in the documentation as the documentation should be general. You are welcome to write a wiki article about it if you'd like.