v2ray / v2ray-core

A platform for building proxies to bypass network restrictions.
https://www.v2ray.com/
MIT License

dokodemo-door forwarding HTTPS requests: Twitter reports NET::ERR_CERT_COMMON_NAME_INVALID #756

Closed DrayChou closed 6 years ago

DrayChou commented 6 years ago

Please skip to the English section below if you don't write Chinese.

Chinese: Before filing an issue, please read the issue guidelines and then answer the questions below. Thank you. Unless there is a special reason, please fill in every question. Issues that do not follow the template will be closed directly.

1) Which version of V2Ray are you using? (If the server and client use different versions, please note both.)

v2ray-v3.0-linux-arm

2) What is your use case? For example, watching YouTube videos in Chrome through a Socks/VMess proxy.

A transparent gateway on a Raspberry Pi.

3) What abnormal behaviour are you seeing? (Please describe it concretely, e.g. access timeouts, TLS certificate errors.)

twitter, facebook, youtube and so on throw NET::ERR_CERT_COMMON_NAME_INVALID with this message:

    Your connection is not private

    Attackers might be trying to steal your information from twitter.com (for example, passwords, messages or credit cards). Learn more

    NET::ERR_CERT_COMMON_NAME_INVALID

    twitter.com normally uses encryption to protect your information. When Google Chrome tried to connect to twitter.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be twitter.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

    You cannot visit twitter.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

4) What is the correct behaviour you expect?

Being able to access twitter normally.

5) Please attach your configuration (hide the server IP address before submitting).

Raspberry Pi iptables:

pi@raspberrypi:/tmp/v2ray/v2ray-v3.0-linux-arm $ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
SS-UDP     udp  --  192.168.0.0/16       anywhere
SS-UDP     udp  --  192.168.0.0/16       anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain SS-UDP (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             default/8
RETURN     all  --  anywhere             loopback/8
RETURN     all  --  anywhere             10.0.0.0/8
RETURN     all  --  anywhere             link-local/16
RETURN     all  --  anywhere             172.16.0.0/12
RETURN     all  --  anywhere             192.168.0.0/16
RETURN     all  --  anywhere             240.0.0.0/4
RETURN     all  --  anywhere             anywhere             match-set chnip dst
TPROXY     udp  --  anywhere             anywhere             TPROXY redirect 127.0.0.1:1082 mark 0x2333/0x2333

pi@raspberrypi:/tmp/v2ray/v2ray-v3.0-linux-arm $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
SS-TCP     tcp  --  192.168.0.0/16       anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
SS-TCP     tcp  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.0.0/16       anywhere

Chain SS-TCP (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             default/8
RETURN     all  --  anywhere             loopback/8
RETURN     all  --  anywhere             10.0.0.0/8
RETURN     all  --  anywhere             link-local/16
RETURN     all  --  anywhere             172.16.0.0/12
RETURN     all  --  anywhere             192.168.0.0/16
RETURN     all  --  anywhere             240.0.0.0/4
RETURN     all  --  anywhere             anywhere             match-set chnip dst
REDIRECT   tcp  --  anywhere             anywhere             redir ports 1082

Server-side configuration:
    // attach the server-side configuration file here
{
    "log": {
        "access": "/var/log/v2ray/access.log",
        "error": "/var/log/v2ray/error.log",
        "loglevel": "warning"
    },
    "inbound": {
        "port": 13100,
        "protocol": "vmess",
        "settings": {
            "clients": [{
                "id": "****",
                "level": 1,
                "alterId": 64
            }],
            "detour": { // detour settings
                "to": "detour" // tag of the detour inbound; must match the tag of the inboundDetour entry below
            }
        }
    },
    "inboundDetour": [{
        "protocol": "vmess",
        "port": "10000-20000", // port range
        "tag": "detour", // tag of this inbound, referenced by "detour" above
        "settings": {
            "default": {
                "level": 1,
                "alterId": 64
            }
        },
        "allocate": { // allocation mode
            "strategy": "random", // open ports at random
            "concurrency": 2, // two ports open at the same time
            "refresh": 5 // refresh every five minutes
        }
    }],
    "outbound": {
        "protocol": "freedom",
        "settings": {}
    },
    "outboundDetour": [{
        "protocol": "blackhole",
        "settings": {},
        "tag": "blocked"
    }],
    "routing": {
        "strategy": "rules",
        "settings": {
            "rules": [{
                "type": "field",
                "ip": [
                    "0.0.0.0/8",
                    "10.0.0.0/8",
                    "100.64.0.0/10",
                    "127.0.0.0/8",
                    "169.254.0.0/16",
                    "172.16.0.0/12",
                    "192.0.0.0/24",
                    "192.0.2.0/24",
                    "192.168.0.0/16",
                    "198.18.0.0/15",
                    "198.51.100.0/24",
                    "203.0.113.0/24",
                    "::1/128",
                    "fc00::/7",
                    "fe80::/10"
                ],
                "outboundTag": "blocked"
            }]
        }
    }
}
Client configuration:
    // attach the client configuration here
{
    "inbound": {
        "port": 1081,
        "listen": "0.0.0.0",
        "protocol": "socks",
        "settings": {
            "auth": "noauth",
            "udp": true,
            "ip": "0.0.0.0"
        }
    },
    "inboundDetour": [{
        "port": 1080,
        "listen": "0.0.0.0",
        "protocol": "http",
        "settings": {
            "ip": "0.0.0.0"
        },
        "allowPassive": false
    }, {
        "protocol": "dokodemo-door",
        "port": 1082,
        "settings": {
            "network": "tcp,udp",
            "timeout": 0,
            "followRedirect": true
        }
    }, {
        "protocol": "dokodemo-door",
        "port": 53,
        "settings": {
            "address": "8.8.4.4",
            "port": 53,
            "network": "udp",
            "timeout": 0
        }
    }],
    "log": {
        "loglevel": "debug",
        "access": "/var/log/v2ray/access.log",
        "error": "/var/log/v2ray/error.log"
    },
    "outbound": {
        "protocol": "vmess",
        "streamSettings": {
            "network": "tcp",
            "tcpSettings": {
                "connectionReuse": true,
                "header": {
                    "type": "none"
                }
            }
        },
        "settings": {
            "vnext": [{
                "address": "****",
                "port": "****",
                "users": [{
                    "id": "****",
                    "alterId": 64,
                    "security": "auto"
                }]
            }]
        }
    },
    "outboundDetour": [{
        "protocol": "freedom",
        "tag": "direct",
        "settings": {}
    }],
    "dns": {
        "servers": [
            "8.8.8.8",
            "8.8.4.4",
            "localhost"
        ]
    }
}

6) Please attach the error log output when the problem occurs. On Linux the log is usually in /var/log/v2ray/error.log.

Server-side error log:
    // attach the server-side log here
Client-side error log:
    // attach the client-side log here
2017/12/02 09:48:31 [Info]App|Proxyman|Inbound: connection ends > Proxy|Dokodemo: connection ends > context canceled
2017/12/02 09:48:31 [Info]Proxy|VMess|Outbound: tunneling request to tcp:13.107.6.151:443 via tcp:s5.v2ray.server:10768
2017/12/02 09:48:32 [Info]App|Proxyman|Outbound: failed to process outbound traffic > Proxy|VMess|Outbound: connection ends > context canceled
2017/12/02 09:48:32 [Info]App|Proxyman|Inbound: connection ends > Proxy|Dokodemo: connection ends > Proxy|Dokodemo: failed to transport response > io: read/write on closed pipe
2017/12/02 09:48:32 [Info]Proxy|VMess|Outbound: tunneling request to tcp:13.107.6.151:443 via tcp:s5.v2ray.server:10768
2017/12/02 09:48:33 [Debug]Proxy|Dokodemo: processing connection from: 192.168.1.5:40569
2017/12/02 09:48:33 [Info]Transport|Internet|TCP: dailing TCP to tcp:s2.v2ray.server:12162
2017/12/02 09:48:34 [Info]App|Proxyman|Outbound: failed to process outbound traffic > Proxy|VMess|Outbound: connection ends > context canceled
2017/12/02 09:48:34 [Info]App|Proxyman|Inbound: connection ends > Proxy|Dokodemo: connection ends > Proxy|Dokodemo: failed to transport response > io: read/write on closed pipe
2017/12/02 09:48:35 [Info]Proxy|VMess|Outbound: tunneling request to tcp:54.191.119.104:443 via tcp:s2.v2ray.server:12162
2017/12/02 09:48:35 [Info]App|Proxyman|Inbound: connection ends > Proxy|Dokodemo: connection ends > context canceled
2017/12/02 09:48:35 [Debug]Proxy|Dokodemo: processing connection from: 192.168.1.5:40579
2017/12/02 09:48:35 [Info]App|Proxyman|Outbound: failed to process outbound traffic > Proxy|VMess|Outbound: connection ends > context canceled
2017/12/02 09:48:35 [Debug]Proxy|Dokodemo: processing connection from: 192.168.1.5:40576
2017/12/02 09:48:35 [Debug]Proxy|Dokodemo: processing connection from: 192.168.1.5:40577
2017/12/02 09:48:35 [Info]Transport|Internet|TCP: dailing TCP to tcp:s5.v2ray.server:14977
2017/12/02 09:48:35 [Info]App|Proxyman|Inbound: connection ends > Proxy|Dokodemo: connection ends > context canceled
2017/12/02 09:48:35 [Info]Transport|Internet|TCP: dailing TCP to tcp:s3.v2ray.server:12866
2017/12/02 09:48:35 [Info]Transport|Internet|TCP: dailing TCP to tcp:s2.v2ray.server:14234
2017/12/02 09:48:36 [Info]App|Proxyman|Outbound: failed to process outbound traffic > Proxy|VMess|Outbound: connection ends > context canceled
2017/12/02 09:48:36 [Info]App|Proxyman|Inbound: connection ends > Proxy|Dokodemo: connection ends > Proxy|Dokodemo: failed to transport response > io: read/write on closed pipe
2017/12/02 09:48:37 [Debug]Proxy|Dokodemo: processing connection from: 192.168.1.4:44948
2017/12/02 09:48:37 [Info]App|Proxyman|Outbound: failed to process outbound traffic > Proxy|VMess|Outbound: connection ends > context canceled
2017/12/02 09:48:37 [Info]App|Proxyman|Inbound: connection ends > Proxy|Dokodemo: connection ends > Proxy|Dokodemo: failed to transport response > io: read/write on closed pipe

7) Please attach the access log. On Linux the log is usually in /var/log/v2ray/error.log.

    // attach the server-side log here

8) Other related configuration files (such as Nginx) and their logs.

Please preview what you have filled in before submitting.

Once you have completed the questionnaire above, delete the English part below and then submit the issue.
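The configuration and logs above describe the failure mode precisely: iptables REDIRECTs the client's TCP flow to the dokodemo-door inbound, which with followRedirect only knows the destination IP, and the VMess outbound then tunnels to that IP (the log shows "tunneling request to tcp:13.107.6.151:443"). If the client's resolver handed out a poisoned IP before the packet ever reached the proxy, the proxy forwards to it faithfully and the browser receives a certificate issued for some other name. The script below is an added example for diagnosing this on the gateway; it is not v2ray code and not part of the issue. The log lines are copied from the client error log above; the resolver answers are constructed sample data, and 192.168.1.1 standing in for a poisoned upstream resolver is an assumption. The optional live check needs network access and uses the Python TLS stack to perform the same chain and name verification the browser does.

```python
"""Gateway-side diagnostic for the failure in this thread.

A transparent gateway (iptables REDIRECT/TPROXY -> dokodemo-door with
followRedirect) forwards by destination IP only. If the client's resolver
was poisoned before the traffic reached the proxy, the proxy tunnels to
the wrong IP and the browser is shown a certificate issued for some other
name: NET::ERR_CERT_COMMON_NAME_INVALID.

Added example, not part of v2ray or of the issue. Log lines are copied
from the issue; resolver answers are constructed (192.168.1.1 as a
poisoned upstream resolver is an assumption).
"""
import re
import socket
import ssl
import sys

# Constructed sample answers, as `dig @<resolver> <name> A` might return them.
SAMPLE_ANSWERS = {
    "twitter.com": {
        "192.168.1.4": {"104.244.42.193", "104.244.42.129"},  # Pi: dnsmasq -> v2ray -> 8.8.4.4
        "192.168.1.1": {"13.107.6.151"},                      # assumed poisoned upstream resolver
    },
}

# Two outbound lines from the client error log in the issue. The proxy only
# knows the IP; the hostname was lost at the iptables REDIRECT.
SAMPLE_LOG = """\
2017/12/02 09:48:31 [Info]Proxy|VMess|Outbound: tunneling request to tcp:13.107.6.151:443 via tcp:s5.v2ray.server:10768
2017/12/02 09:48:35 [Info]Proxy|VMess|Outbound: tunneling request to tcp:54.191.119.104:443 via tcp:s2.v2ray.server:12162
"""

TUNNEL_RE = re.compile(r"tunneling request to tcp:(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def tunnel_targets(log_text):
    """Set of (ip, port) destinations the VMess outbound was asked to reach."""
    return {(m.group(1), int(m.group(2))) for m in TUNNEL_RE.finditer(log_text)}


def attribute_targets(targets, answers):
    """Map each tunneled (ip, port) to the (name, resolver) pairs that handed
    out that IP. An empty set means no resolver we asked returned that IP."""
    return {
        (ip, port): {
            (name, resolver)
            for name, by_resolver in answers.items()
            for resolver, ips in by_resolver.items()
            if ip in ips
        }
        for ip, port in targets
    }


def hostname_matches(hostname, san_names):
    """The name check behind NET::ERR_CERT_COMMON_NAME_INVALID (RFC 6125 subset):
    exact match, or a wildcard that covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) >= 3 and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def live_cert_check(ip, hostname, port=443, timeout=5.0):
    """Connect to `ip` with SNI `hostname` and let the TLS stack verify chain
    and name, as the browser would. Returns (ok, detail). Needs network."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, "verified, SAN includes %s" % sans[:3]
    except ssl.SSLCertVerificationError as e:
        return False, "certificate rejected: %s" % e.verify_message
    except OSError as e:
        return False, "connection failed: %s" % e


def main(argv):
    origins = attribute_targets(tunnel_targets(SAMPLE_LOG), SAMPLE_ANSWERS)
    for (ip, port), who in sorted(origins.items()):
        if who:
            print("%s:%d was handed out by: %s" % (ip, port, ", ".join("%s via %s" % w for w in sorted(who))))
        else:
            print("%s:%d: no queried resolver returned this IP" % (ip, port))
    # Optional live check, e.g.: python3 gw_diag.py 104.244.42.193 twitter.com
    if len(argv) == 3:
        ok, detail = live_cert_check(argv[1], argv[2])
        print("%s for %s: %s" % (argv[1], argv[2], detail))
        return 0 if ok else 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports which resolver handed out each IP the proxy tunneled to; with an IP and a hostname it additionally connects to that IP with SNI set to the hostname and prints the verification result, which reproduces the browser's error outside the browser. The 54.191.119.104 target is reported as unattributed on purpose: a destination that none of your resolvers returned is exactly the kind of flow a gateway operator cannot name, and is why the later suggestion in the thread to recover the domain from the TLS handshake matters.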

dexcomman commented 6 years ago

Actually, even with the simplest global vmess configuration there is some chance of getting this prompt as soon as you open a page.

DrayChou commented 6 years ago

Is it because the server-side configuration contains a router? I'll remove it tonight and see.

On Sat, 2 Dec 2017 at 14:37, dexcomman notifications@github.com wrote:

    Actually, even with the simplest global vmess configuration there is some chance of getting this prompt as soon as you open a page.


DarienRaymond commented 6 years ago

DNS poisoning. It usually happens before the proxy is even used. Possible fixes: 1. flush the DNS cache 2. use a secure DNS server 3. use domainOverride

DrayChou commented 6 years ago

@DarienRaymond

My DNS server is set to the Raspberry Pi, and the Pi runs a dokodemo-door that forwards to 8.8.8.8. Can that still be poisoned?

DarienRaymond commented 6 years ago

It was already poisoned before the proxy was used.

DrayChou commented 6 years ago

I have now started a dnsmasq on the Raspberry Pi and given it a gfwlist filter rule, so those sites are resolved through the local v2ray's port 5353, which forwards to 8.8.8.8.

After testing locally I can resolve to the correct address. The result:

PC:~$ dig @192.168.1.4 -p 53 www.twitter.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.1.4 -p 53 www.twitter.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64440
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.twitter.com.               IN      A

;; ANSWER SECTION:
www.twitter.com.        247     IN      CNAME   twitter.com.
twitter.com.            1448    IN      A       104.244.42.193
twitter.com.            1448    IN      A       104.244.42.129

;; Query time: 4686 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Sun Dec 03 10:02:42 DST 2017
;; MSG SIZE  rcvd: 90

My local Windows machine also has its DNS set to 192.168.1.4, but I still cannot access the site. It either tells me DNS cannot resolve, or "Your connection is not private".

Once DNS is set up it should just work, shouldn't it? Strange.

DarienRaymond commented 6 years ago

How exactly it gets poisoned is unknown. domainOverride should fix the IP problem.
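The domainOverride suggestion in the two DarienRaymond comments above targets the mechanism shown in the client log: dokodemo-door with followRedirect hands the VMess outbound an IP, so the server connects to whatever the client's resolver said, poisoned or not. With domainOverride the inbound reads the hostname from the TLS ClientHello (SNI) or the HTTP Host header and puts that name, instead of the IP, in the VMess request; the server's freedom outbound then resolves it with the server's own resolver, which is outside the poisoned path. The fragment below is an added example, not the project's own configuration and not from the thread: it is the client-side dokodemo-door inbound from the issue with the field added. Its placement at the inbound level next to "protocol", with the values "tls" and "http", follows the 3.x configuration format as documented at the time; later 4.x configurations replaced it with a "sniffing" object, so check the reference for your version.

```json
{
    "inboundDetour": [{
        "protocol": "dokodemo-door",
        "port": 1082,
        "domainOverride": ["tls", "http"],
        "settings": {
            "network": "tcp,udp",
            "timeout": 0,
            "followRedirect": true
        }
    }]
}
```

Two caveats a gateway operator should keep in mind. First, this only helps flows that carry a name: TLS with SNI and plain HTTP. Anything else is still forwarded to the IP the client resolved, so the poisoned resolver itself still needs to be taken out of the path, which is what the dnsmasq plus gfwlist split described earlier in the thread does. Second, unrelated to the certificate error but visible in the same client configuration, the socks inbound listens on 0.0.0.0 with "auth": "noauth" and the http inbound likewise listens on 0.0.0.0, so every host on the LAN can use the tunnel; that is acceptable on a home gateway, not on a shared network.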