Comments (14)

haruue commented on July 17, 2024

Cannot reproduce.

I suggest checking whether the server's firewall allows TCP port 443.

from hysteria.

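giveup commented on July 17, 2024

> Cannot reproduce.
>
> I suggest checking whether the server's firewall allows TCP port 443.

Port 443 is definitely open, and when requesting with curl it does not time out; it returns the string OK%. The expected response is HTML content.
Some additional information: when the service is set up locally (macOS) and requested with curl, the log shows no errors or warnings.
When the service is set up on the Linux server and a request is sent, the log shows one "client connected" line. If it is convenient for you, I can email you my server details for testing and verification.
Besides the curl check, opening it in a browser does not work as expected either.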

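haruue commented on July 17, 2024

It is unlikely that plain curl alone would make the server print client connected, unless an environment variable or a transparent proxy sent this curl through the hysteria client's proxy and thereby triggered the hysteria client's connection (assuming the client has lazy enabled).

You can add the HYSTERIA_LOG_LEVEL=debug environment variable when running the hysteria server, and add the -vv option when running curl, to get more detailed logs.

Also, the string you saw returned is actually OK, not OK%; the % is added by zsh to indicate that there is no newline after OK.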

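giveup commented on July 17, 2024

There is indeed a transparent proxy deployed on the router. This IP falls under the direct rule, but I subsequently used nft to exclude the IP, making sure its traffic is not processed by the transparent proxy core.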

root@AX6S:~# nft list ruleset | grep 'server_ip'
			     server_ip, 100.64.0.0/10,

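The control panel indeed shows no information about connections to this IP either.
After repeating the test, the result is still the same.
curl log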

 curl -k -L -vv https://server_ip     
*   Trying server_ip..
* Connected to server_ip (server_ip) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Jul  8 06:25:31 2024 GMT
*  expire date: Jul  8 06:25:31 2025 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://server_ip/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: server_ip]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: server_ip
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 203 
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, no-store, must-revalidate
< content-type: text/xml
< date: Mon, 08 Jul 2024 16:34:35 GMT
< expires: 0
< mime-version: 1.0
< pragma: no-cache
< x-cdn-traceid: 0.c9a6dc17.1720456475.13a28610
< content-length: 2
< 
* Connection #0 to host server_ip left intact
OK

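Tested on a mobile device over a cellular connection, to make sure the transparent proxy cannot interfere (all proxy software on the mobile device was completely turned off).
The result is the same as with the Chrome browser above: the browser cannot render the returned content properly.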

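haruue commented on July 17, 2024

What website are you reverse proxying? Is it really https://www.example.com?
The headers in the curl output you gave clearly do not look like what https://www.example.com returns.

What happens if you change the masquerade reverse proxy site in the hysteria configuration file to https://www.example.com?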

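haruue commented on July 17, 2024

I somewhat suspect that TCP port 443 on the server is being forwarded to another machine. I suggest exporting the complete firewall rules and checking them.

You can export all firewall rules on the server with the following commands:

iptables-save
nft list ruleset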

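giveup commented on July 17, 2024

> What website are you reverse proxying? Is it really https://www.example.com? The headers in the curl output you gave clearly do not look like what https://www.example.com returns.
>
> What happens if you change the masquerade reverse proxy site in the hysteria configuration file to https://www.example.com?

The reverse proxy target is an arbitrary website; the configuration file was given as an example. In actual testing, when deployed locally on macOS, curl prints the HTML source of the reverse-proxied website, while the Linux server returns the string OK.

giveup commented on July 17, 2024

iptables export output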

# iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jul  8 13:07:19 2024
*filter
:INPUT DROP [3168698:155365888]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [290:44197]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-logging-forward -j RETURN
-A ufw-user-logging-input -j RETURN
-A ufw-user-logging-output -j RETURN
COMMIT
# Completed on Mon Jul  8 13:07:19 2024

nft export output

# nft list ruleset
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain ufw-before-logging-input {
	}

	chain ufw-before-logging-output {
	}

	chain ufw-before-logging-forward {
	}

	chain ufw-before-input {
		iifname "lo" counter packets 8818 bytes 1511229 accept
		ct state related,established counter packets 288650726 bytes 825865698526 accept
		ct state invalid counter packets 31469 bytes 2105115 jump ufw-logging-deny
		ct state invalid counter packets 31469 bytes 2105115 drop
		meta l4proto icmp icmp type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type echo-request counter packets 546790 bytes 21447655 accept
		udp sport 67 udp dport 68 counter packets 648 bytes 212544 accept
		counter packets 3294715 bytes 203699381 jump ufw-not-local
		ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept
		ip daddr 239.255.255.250 udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 3294715 bytes 203699381 jump ufw-user-input
	}

	chain ufw-before-output {
		oifname "lo" counter packets 8818 bytes 1511229 accept
		ct state related,established counter packets 224540590 bytes 954109694133 accept
		counter packets 2807941 bytes 527523919 jump ufw-user-output
	}

	chain ufw-before-forward {
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type echo-request counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-user-forward
	}

	chain ufw-after-input {
		udp dport 137 counter packets 1301 bytes 101526 jump ufw-skip-to-policy-input
		udp dport 138 counter packets 38 bytes 1064 jump ufw-skip-to-policy-input
		tcp dport 139 counter packets 1742 bytes 75308 jump ufw-skip-to-policy-input
		tcp dport 445 counter packets 12523 bytes 591448 jump ufw-skip-to-policy-input
		udp dport 67 counter packets 44 bytes 1232 jump ufw-skip-to-policy-input
		udp dport 68 counter packets 38 bytes 1064 jump ufw-skip-to-policy-input
		fib daddr type broadcast counter packets 0 bytes 0 jump ufw-skip-to-policy-input
	}

	chain ufw-after-output {
	}

	chain ufw-after-forward {
	}

	chain ufw-after-logging-input {
	}

	chain ufw-after-logging-output {
	}

	chain ufw-after-logging-forward {
	}

	chain ufw-reject-input {
	}

	chain ufw-reject-output {
	}

	chain ufw-reject-forward {
	}

	chain ufw-track-input {
	}

	chain ufw-track-output {
		meta l4proto tcp ct state new counter packets 841487 bytes 50492390 accept
		meta l4proto udp ct state new counter packets 1966164 bytes 476987332 accept
	}

	chain ufw-track-forward {
	}

	chain INPUT {
		type filter hook input priority filter; policy drop;
		counter packets 296933585 bytes 843902234555 jump ufw-before-logging-input
		counter packets 296933585 bytes 843902234555 jump ufw-before-input
		counter packets 3258189 bytes 190757283 jump ufw-after-input
		counter packets 3242218 bytes 189971563 jump ufw-after-logging-input
		counter packets 3242218 bytes 189971563 jump ufw-reject-input
		counter packets 3242218 bytes 189971563 jump ufw-track-input
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 231630023 bytes 976576138261 jump ufw-before-logging-output
		counter packets 231630023 bytes 976576138261 jump ufw-before-output
		counter packets 2896078 bytes 563370726 jump ufw-after-output
		counter packets 2896078 bytes 563370726 jump ufw-after-logging-output
		counter packets 2896078 bytes 563370726 jump ufw-reject-output
		counter packets 2896078 bytes 563370726 jump ufw-track-output
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump ufw-before-logging-forward
		counter packets 0 bytes 0 jump ufw-before-forward
		counter packets 0 bytes 0 jump ufw-after-forward
		counter packets 0 bytes 0 jump ufw-after-logging-forward
		counter packets 0 bytes 0 jump ufw-reject-forward
		counter packets 0 bytes 0 jump ufw-track-forward
	}

	chain ufw-logging-deny {
	}

	chain ufw-logging-allow {
	}

	chain ufw-skip-to-policy-input {
		counter packets 15686 bytes 771642 drop
	}

	chain ufw-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}

	chain ufw-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}

	chain ufw-not-local {
		fib daddr type local counter packets 3294715 bytes 203699381 return
		fib daddr type multicast counter packets 0 bytes 0 return
		fib daddr type broadcast counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 jump ufw-logging-deny
		counter packets 0 bytes 0 drop
	}

	chain ufw-user-input {
		tcp dport 443 counter packets 118 bytes 6356 accept
		udp dport 443 counter packets 174 bytes 142276 accept
	}

	chain ufw-user-output {
	}

	chain ufw-user-forward {
	}

	chain ufw-user-logging-input {
		counter packets 0 bytes 0 return
	}

	chain ufw-user-logging-output {
		counter packets 0 bytes 0 return
	}

	chain ufw-user-logging-forward {
		counter packets 0 bytes 0 return
	}

	chain ufw-user-limit {
		counter packets 0 bytes 0 reject
	}

	chain ufw-user-limit-accept {
		counter packets 0 bytes 0 accept
	}
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
	chain ufw6-before-logging-input {
	}

	chain ufw6-before-logging-output {
	}

	chain ufw6-before-logging-forward {
	}

	chain ufw6-before-input {
		iifname "lo" counter packets 0 bytes 0 accept
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		ct state invalid counter packets 0 bytes 0 jump ufw6-logging-deny
		ct state invalid counter packets 0 bytes 0 drop
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept
		ip6 daddr ff02::fb udp dport 5353 counter packets 0 bytes 0 accept
		ip6 daddr ff02::f udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-input
	}

	chain ufw6-before-output {
		oifname "lo" counter packets 0 bytes 0 accept
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 9351 bytes 523656 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-output
	}

	chain ufw6-before-forward {
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-forward
	}

	chain ufw6-after-input {
		udp dport 137 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 138 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		tcp dport 139 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		tcp dport 445 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 546 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 547 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
	}

	chain ufw6-after-output {
	}

	chain ufw6-after-forward {
	}

	chain ufw6-after-logging-input {
	}

	chain ufw6-after-logging-output {
	}

	chain ufw6-after-logging-forward {
	}

	chain ufw6-reject-input {
	}

	chain ufw6-reject-output {
	}

	chain ufw6-reject-forward {
	}

	chain ufw6-track-input {
	}

	chain ufw6-track-output {
		meta l4proto tcp ct state new counter packets 0 bytes 0 accept
		meta l4proto udp ct state new counter packets 0 bytes 0 accept
	}

	chain ufw6-track-forward {
	}

	chain INPUT {
		type filter hook input priority filter; policy drop;
		counter packets 0 bytes 0 jump ufw6-before-logging-input
		counter packets 0 bytes 0 jump ufw6-before-input
		counter packets 0 bytes 0 jump ufw6-after-input
		counter packets 0 bytes 0 jump ufw6-after-logging-input
		counter packets 0 bytes 0 jump ufw6-reject-input
		counter packets 0 bytes 0 jump ufw6-track-input
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 9534 bytes 533904 jump ufw6-before-logging-output
		counter packets 9534 bytes 533904 jump ufw6-before-output
		counter packets 0 bytes 0 jump ufw6-after-output
		counter packets 0 bytes 0 jump ufw6-after-logging-output
		counter packets 0 bytes 0 jump ufw6-reject-output
		counter packets 0 bytes 0 jump ufw6-track-output
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump ufw6-before-logging-forward
		counter packets 0 bytes 0 jump ufw6-before-forward
		counter packets 0 bytes 0 jump ufw6-after-forward
		counter packets 0 bytes 0 jump ufw6-after-logging-forward
		counter packets 0 bytes 0 jump ufw6-reject-forward
		counter packets 0 bytes 0 jump ufw6-track-forward
	}

	chain ufw6-logging-deny {
	}

	chain ufw6-logging-allow {
	}

	chain ufw6-skip-to-policy-input {
		counter packets 0 bytes 0 drop
	}

	chain ufw6-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}

	chain ufw6-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}

	chain ufw6-user-input {
		tcp dport 443 counter packets 0 bytes 0 accept
		udp dport 443 counter packets 0 bytes 0 accept
	}

	chain ufw6-user-output {
	}

	chain ufw6-user-forward {
	}

	chain ufw6-user-logging-input {
		counter packets 0 bytes 0 return
	}

	chain ufw6-user-logging-output {
		counter packets 0 bytes 0 return
	}

	chain ufw6-user-logging-forward {
		counter packets 0 bytes 0 return
	}

	chain ufw6-user-limit {
		counter packets 0 bytes 0 reject
	}

	chain ufw6-user-limit-accept {
		counter packets 0 bytes 0 accept
	}
}

haruue commented on July 17, 2024

  1. Switch the reverse proxy to a different website (for example https://www.example.com) and see whether the headers in curl -vv change.
  2. Stop the hysteria server and see whether the curl -vv output changes.

giveup commented on July 17, 2024

>   1. Switch the reverse proxy to a different website (for example https://www.example.com) and see whether the headers in curl -vv change.
>   2. Stop the hysteria server and see whether the curl -vv output changes.

After testing, only certain websites return the string OK.

  proxy:
    url: https://www.bing.com/new
    rewriteHost: true

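This configuration returns the string OK. Switching to https://www.bing.com does too.
Switching to https://www.amd.com/en.html, it works normally as a reverse proxy.
The tests above were verified with a browser.
This is the curl output for the case where the reverse proxy works normally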

curl -k -L -vv  https://server_ip
*   Trying server_ip:443...
* Connected to server_ip (server_ip) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Jul  8 06:25:31 2024 GMT
*  expire date: Jul  8 06:25:31 2025 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://server_ip/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: server_ip]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: server_ip
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< content-length: 0
< date: Tue, 09 Jul 2024 04:08:42 GMT
< 
* Connection #0 to host server_ip left intact

haruue commented on July 17, 2024

If you run curl -vv https://www.bing.com/new directly on your server, does it return normally?

giveup commented on July 17, 2024

> curl -vv https://www.bing.com/new

It seems to be a bing problem... Running it directly on the server also returns OK. This can be closed.

haruue commented on July 17, 2024

Could you share the output of running curl -vv https://www.bing.com/new on your server (please do not modify the IP or other information in it; rest assured it is unrelated to your server IP)? We would like to record this kind of anomaly for future users' reference.

giveup commented on July 17, 2024

> curl -vv https://www.bing.com/new

Mainly, I had bing configured before as well, and testing with a browser redirected to the bing home page, so this time I assumed it was caused by a change in hysteria.

# curl -vv https://www.bing.com/new
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 23.43.51.134:443...
* Connected to www.bing.com (23.43.51.134) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [29 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2611 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=r.bing.com
*  start date: Jun 24 16:16:15 2024 GMT
*  expire date: Jun 19 16:16:15 2025 GMT
*  subjectAltName: host "www.bing.com" matched cert's "*.bing.com"
*  issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure ECC TLS Issuing CA 04
*  SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* h2h3 [:method: GET]
* h2h3 [:path: /new]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.bing.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x559e0ed92ce0)
} [5 bytes data]
> GET /new HTTP/2
> Host: www.bing.com
> user-agent: curl/7.88.1
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 203 
< mime-version: 1.0
< content-length: 2
< cache-control: no-cache, no-store, must-revalidate
< pragma: no-cache
< expires: 0
< content-type: text/xml
< date: Tue, 09 Jul 2024 06:25:03 GMT
< alt-svc: h3=":443"; ma=93600
< x-cdn-traceid: 0.c6a6dc17.1720506303.a840f7b4
< 
{ [5 bytes data]

100     2  100     2    0     0     22      0 --:--:-- --:--:-- --:--:--    22
* Connection #0 to host www.bing.com left intact
OKExit code: 0

from hysteria.
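
The comparison this thread converged on, as an added example that is not part of the original discussion and not hysteria code: parse the `curl -v` transcript taken through the masquerade and the one taken directly from the server, then compare status and stable headers to see whether the odd response originates upstream. The function names and the set of headers treated as volatile are assumptions of this example; the sample transcripts are trimmed from the curl output quoted in the thread.

```python
import re

# Headers expected to vary per request or per hop; the two 203 captures in
# this thread differ only in these, so they are left out of the comparison
# (assumption of this example).
VOLATILE = {"date", "alt-svc", "x-cdn-traceid"}

STATUS_RE = re.compile(r"^< HTTP/\S+ (\d{3})\b")
HEADER_RE = re.compile(r"^< ([A-Za-z0-9-]+):\s*(.*)$")


def parse_response(transcript):
    """Return (status, headers) of the last response in a `curl -v` transcript.

    With -L curl prints one response per redirect hop; only the final one
    describes what the client ended up with, so earlier hops are discarded.
    """
    status, headers = None, {}
    for raw in transcript.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            status, headers = int(m.group(1)), {}
            continue
        m = HEADER_RE.match(line)
        if m and status is not None:
            headers[m.group(1).lower()] = m.group(2).strip()
    return status, headers


def diagnose(via_proxy, direct):
    """Compare the proxied response with the direct upstream response.

    Returns (verdict, differing_fields). "upstream" means the masquerade
    relayed what the upstream itself sends to this server; "proxy-or-path"
    means the two diverge and the proxy config or the network path needs a
    closer look.
    """
    p_status, p_hdrs = parse_response(via_proxy)
    d_status, d_hdrs = parse_response(direct)
    if p_status is None or d_status is None:
        return "incomplete", []
    diffs = ["status"] if p_status != d_status else []
    for name in sorted((set(p_hdrs) | set(d_hdrs)) - VOLATILE):
        if p_hdrs.get(name) != d_hdrs.get(name):
            diffs.append(name)
    return ("upstream" if not diffs else "proxy-or-path"), diffs


# Trimmed from the thread: request through the masquerade (proxy.url = bing).
VIA_MASQUERADE = """\
> GET / HTTP/2
> Host: server_ip
< HTTP/2 203
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, no-store, must-revalidate
< content-type: text/xml
< date: Mon, 08 Jul 2024 16:34:35 GMT
< expires: 0
< mime-version: 1.0
< pragma: no-cache
< x-cdn-traceid: 0.c9a6dc17.1720456475.13a28610
< content-length: 2
"""

# Trimmed from the thread: curl run on the server straight at www.bing.com/new.
DIRECT_FROM_SERVER = """\
{ [5 bytes data]
< HTTP/2 203
< mime-version: 1.0
< content-length: 2
< cache-control: no-cache, no-store, must-revalidate
< pragma: no-cache
< expires: 0
< content-type: text/xml
< date: Tue, 09 Jul 2024 06:25:03 GMT
< alt-svc: h3=":443"; ma=93600
< x-cdn-traceid: 0.c6a6dc17.1720506303.a840f7b4
"""

# Trimmed from the thread: the 502 capture taken with a different proxy.url.
VIA_MASQUERADE_OTHER_SITE = """\
< HTTP/2 502
< alt-svc: h3=":443"; ma=2592000
< content-length: 0
< date: Tue, 09 Jul 2024 04:08:42 GMT
"""

if __name__ == "__main__":
    print(diagnose(VIA_MASQUERADE, DIRECT_FROM_SERVER))
    print(diagnose(VIA_MASQUERADE_OTHER_SITE, DIRECT_FROM_SERVER))
```
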
