liberal-boy / tls-shunt-proxy
Splits TLS traffic: supports splitting by SNI, and separating HTTP from featureless traffic
Leaving a footprint here so I can find this again later.
Reminder:
Possibly because I use the nano editor, a tls-shunt-proxy config file typed in by hand is very likely to produce errors and fail to start.
So I recommend copying every entry from the sample file.
If the browser reports "Cannot establish a secure connection to the server"
tls-shunt-proxy logs errors
Command: journalctl -u tls-shunt-proxy.service -f
tls: client requested unsupported application protocols ([http/1.1])
tls: client offered only unsupported versions: [301]
Put the code below at the very bottom of the config file
Config file location
/etc/tls-shunt-proxy/config.yaml
The other one, with a number after its name, is the sample file
It looks like there's something missing. I'm using this to start it up.
systemctl enable tls-shunt-proxy.service
While using it I tried forwarding one vhost's traffic directly to Caddy by default, with alpn set to h2,http/1.1, but when visiting the site the browser (tested with both Chrome 80 and Microsoft Edge) shows ERR_HTTP2_PROTOCOL_ERROR (with alpn http/1.1 it works fine).
tls-shunt-proxy run log:
tls-shunt-proxy's config.yaml is as follows:
listen: 0.0.0.0:443
vhosts:
  - name: mydomain.com
    tlsoffloading: true
    managedcert: false
    cert: /usr/local/caddy/mydomain.com.crt
    key: /usr/local/caddy/mydomain.com.key
    alpn: h2,http/1.1
    default:
      handler: proxyPass
      args: 127.0.0.1:8082
The relevant section of the corresponding Caddyfile:
http://mydomain.com:8082 {
  proxy / localhost:8080 {
    transparent
  }
  proxy /secret localhost:8888 {
    websocket
    header_upstream -Origin
  }
}
In testing, if the splitter is not in the path (the vhost entry removed) and port 8082 is accessed directly through Caddy, it works and is detected as an h2 connection. In that case the Caddyfile is rewritten as:
https://mydomain.com:8082 {
  tls /usr/local/caddy/mydomain.com.crt /usr/local/caddy/mydomain.com.key {
    must_staple
  }
  proxy / localhost:8080 {
    transparent
  }
  proxy /secret localhost:8888 {
    websocket
    header_upstream -Origin
  }
}
Personally I don't think this is related to whether Caddy supports reverse-proxying h2c traffic; nothing in Caddy's proxy config involves h2 anywhere in the process. I don't know why this problem occurs and would appreciate guidance from the experts!
My setup:
1. Use tsp to split traffic so that xray and trojan-go share port 443
2. Requested two subdomains and issued certificates with acme, used for xray and trojan-go respectively
3. The backend uses caddy to serve web pages; xray and trojan-go each fall back to caddy's listening port
4. xray and trojan-go work fine, but after running for a while the tsp status shows:
● tls-shunt-proxy.service - TLS Shunt Proxy Service
Loaded: loaded (/etc/systemd/system/tls-shunt-proxy.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-12-04 20:42:11 CST; 15h ago
Docs: https://github.com/liberal-boy/tls-shunt-proxy/blob/master/README.md
Main PID: 11145 (tls-shunt-proxy)
Tasks: 5 (limit: 1149)
Memory: 14.5M
CGroup: /system.slice/tls-shunt-proxy.service
└─11145 /usr/cfw/bin/tls-shunt-proxy -config /usr/cfw/config/tsp/config.yaml
Dec 05 12:00:19 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:00:19 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:4011: write: broken pipe
Dec 05 12:00:27 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:00:27 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:6170: write: broken pipe
Dec 05 12:01:03 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:01:03 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:6203: write: broken pipe
Dec 05 12:01:04 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:01:04 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:6217: write: broken pipe
Dec 05 12:01:07 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:01:07 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:6223: write: broken pipe
Dec 05 12:02:51 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:02:51 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:6490: write: broken pipe
Dec 05 12:03:04 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:03:04 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:6389: write: broken pipe
Dec 05 12:03:04 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:03:04 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:6390: write: broken pipe
Dec 05 12:03:37 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:03:37 failed to proxy pass: write tcp 172.17.31.111:443->120.193.229.122:6413: write: broken pipe
Dec 05 12:08:19 iZj6caip6whzau2x81mj3aZ tls-shunt-proxy[11145]: 2020/12/05 12:08:19 failed to proxy pass: readfrom tcp 127.0.0.1:41298->127.0.0.1:8443: read tcp 172.17.31.111:443->
The config file is:
listen: 0.0.0.0:443
#redirecthttps: 0.0.0.0:80
inboundbuffersize: 4
outboundbuffersize: 32
vhosts:
  - name: xry.xxxx.yyy
    tlsoffloading: false
    default:
      handler: proxyPass
      args: 127.0.0.1:8443
  - name: trg.xxxx.yyy
    tlsoffloading: false
    default:
      handler: proxyPass
      args: 127.0.0.1:9443
Is this problem caused by the configuration, or is something else set up wrong?
As in the title: it worked fine all along, then recently it suddenly stopped connecting. Checking over ssh, connections to trojan-go's port show "connection time out"; trojan-go's no delay and keep alive are both enabled.
Pass the client IP to the backend via X-Forwarded-For, to make v2ray statistics easier.
Version 0.61
Found a problem: when written as below, the certificate for trojan.myname.com cannot be found in letsencrypt.org-directory; only the v2.myname.com certificate is there (DNS resolution is correct). If I copy the first vhost block and change the domain to trojan.myname.com, it does get issued.
listen: 0.0.0.0:443
inboundbuffersize: 4
outboundbuffersize: 32
vhosts:
  - name: v2.myname.com
    tlsoffloading: true
    managedcert: true
    alpn: h2,http/1.1
    protocols: tls12,tls13
    http:
      handler: fileServer
      args: /var/www/html
    default:
      handler: proxyPass
      args: 127.0.0.1:60001
  - name: trojan.myname.com
    managedcert: true
    tlsoffloading: false
    default:
      handler: proxyPass
      args: 127.0.0.1:60002
After starting, it reports an error: failed to obtain the certificate
The domain's A record resolves to this server. The server's DNS is 8.8.8.8, the server is in Hong Kong and can reach the internet.
Jul 10 09:00:25 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:25 [INFO] [域名] acme: use http-01 solver
Jul 10 09:00:25 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:25 [INFO] [域名] acme: Trying to solve HTTP-01
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:32 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/75044397
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:32 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/75044397
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:32 [ERROR] acme: Error -> One or more domains had a problem:
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: [域名] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://域名/.well-known/acme-challenge/tu9W8JY4FjUyDpwPQAyDawK6CZzSs6A5kdeH7EP9Nig: Error getting validation data, url:
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: (challenge=http-01 remaining=[])
Jul 10 09:00:34 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:34 [ERROR] attempt 2: [域名] Obtain: [域名] acme: Error -> One or more domains had a problem:
Jul 10 09:00:34 ecs-rDQq tls-shunt-proxy[8276]: [域名] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://域名/.well-known/acme-challenge/tu9W8JY4FjUyDpwPQAyDawK6CZzSs6A5kdeH7EP9Nig: Error getting validation data, url:
Jul 10 09:00:34 ecs-rDQq tls-shunt-proxy[8276]: - retrying in 2m0s (1m55.074590577s/720h0m0s elapsed)...
How can the client's IP be passed to the reverse-proxied web server?
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
Splitter config file
listen: 0.0.0.0:443
redirecthttps: 0.0.0.0:80
vhosts:
  - name: 域名
    tlsoffloading: true
    managedcert: true
    keytype: p256
    alpn: h2,http/1.1
    protocols: tls12,tls13
    http:
      handler: proxyPass
      args: 127.0.0.1:5212
    default:
      handler: proxyPass
      args: unix:/tmp/v2ray-ds/v2ray.sock
The goal is mainly to split tcp and http traffic; the log is below
TCP proxying forwards normally, but visiting the website fails; accessing the website directly on port 5212 displays fine.
Below is the website's open-source project: Cloudreve
Some applications, such as containers on Google Cloud Run, don't forward https; they offload TLS and send plain http to docker's port 8080. How should this case be configured?
Certificates issued with acme seem to have a problem (i.e. setting managedcert to false and using a previously issued certificate fails).
Nice little piece of software, thanks to the author for the hard work; it just updates a bit too often, probably because it's early days.
As in the title. Because I work on the company intranet, play games and do daily browsing, I need three separate proxy apps running, and only the daily-use one can get past the firewall. But I need TG online around the clock, so I consider the MTProto protocol important. When will proxy splitting for this protocol be supported?
root@vultr:# systemctl daemon-reload
root@vultr:# systemctl restart v2ray
root@vultr:# systemctl restart tls-shunt-proxy
root@vultr:# sudo setcap "cap_net_bind_service=+ep" /usr/local/bin/tls-shunt-proxy
root@vultr:# sudo -u tls-shunt-proxy /usr/local/bin/tls-shunt-proxy -config /etc/tls-shunt-proxy/config.yaml
tls-shunt-proxy version 0.7.0
2022/03/13 21:58:21 failed to listen on 0.0.0.0:443: listen tcp 0.0.0.0:443: bind: address already in use
root@vultr:#
For example
2022/04/15 04:36:58 fail to obtain server name: No hostname
    trojan:
      handler: proxyPass
      args: 127.0.0.1:4430
Given that trojan-gfw came out first and trojan-go later,
this comment has probably tripped up many trojan-gfw users.
You can close it off at any time.
TLS 1.3 ESNI probably can't be sniffed, right?
tls-shunt-proxy version 0.5.1
2020/07/10 08:50:58 [INFO][cache:0xc00005e410] Started certificate maintenance routine
2020/07/10 08:50:58 [ERROR] domian.com: obtaining certificate: failed storage check: open rw_test_612305805690060057: permission denied - storage is probably misconfigured
Is it the certificate folder that lacks permissions, or the working directory?
After configuring successfully following the method described at https://guide.v2fly.org/advanced/tcp_tls_shunt_proxy.html#实现, V2RayN V3.18 (Core 4.23.1) on PC connects normally, but on Android neither V2RayN 1.2.6 (Core V4.23.1) nor BifrostV 0.6.8 (Core V4.19) can connect. On the server, lsof -i:443 shows a large number of connections in CLOSE_WAIT, and the Android V2RayN connection test shows: "失败::io: read/write on closed pipe".
Dear author, after updating to the latest v2fly 5.10.1 I can no longer get through; I don't know what causes it, and several small VPSs all behave the same.
failed to proxy pass: remote error: tls: bad certificate
# cert: path to the tls certificate,
cert: /etc/ssl/***********.crt
# key: path to the tls private key
key: /etc/ssl/private.key
Following the basic configuration in the plain-language guide, tcp didn't work; the error shown is
基础连接已经关闭,发送时发生错误
Neither the latest nor the previous version runs. Please help, experts.
Even with the default config file, running sudo -u tls-shunt-proxy /usr/local/bin/tls-shunt-proxy -config /etc/tls-shunt-proxy/config.yaml
gives the following error:
/usr/local/bin/tls-shunt-proxy: 1: Syntax error: word unexpected (expecting ")")
or
/usr/local/bin/tls-shunt-proxy: 1: Syntax error: "|" unexpected
I haven't seen any documentation about IPv6 configuration; I tried configuring it myself without success, so I'm here to ask for help. 😶
Do vhosts support wildcard domains? Something like *.example.com matching a.example.com and b.example.com
@CyangHH @ phlinhng/v2ray-tcp-tls-web#13
When running speedtest, tls-shunt-proxy noticeably affects performance
Let's does not support it
attempt 1: unsupported key type: ed25519.PrivateKey
go-acme/lego
supports ECDSA certificate requests; if it's not too much trouble, I'd like ECDSA support added to the built-in ACME module.
[Resolved]
Solution: use a different domain.
Add under vhosts
As in the title. Config file below. After updating to version 0.4.0, the first vhost splits and forwards normally but the latter two stop working; rolling back to 0.3.1 restores normal operation.
# listen: listening address
listen: 0.0.0.0:443
# vhosts: split into multiple virtual hosts according to the tls sni extension
vhosts:
  # name corresponds to the server name in the tls sni extension
  - name: v2cn.win
    # tlsoffloading: unwrap tls; true means unwrap. Once unwrapped, http traffic can be recognized, suitable for vmess over tls and http over tls (https) splitting etc.
    tlsoffloading: true
    # managedcert: manage certificates; when enabled, certificates are obtained automatically from LetsEncrypt, which requires listening on port 443 for issuance
    # when enabled the certificate set via cert and key is ignored; when disabled the certificate set via cert and key is used
    managedcert: false
    # cert: path to the tls certificate,
    cert: /usr/local/caddy/v2cn.win.crt
    # key: path to the tls private key
    key: /usr/local/caddy/v2cn.win.key
    # http: how recognized http traffic is handled
    http:
      # handler: fileServer serves a static website
      handler: proxyPass
      # args: file path of the static website
      args: 127.0.0.1:8081
    # default: how other traffic is handled
    default:
      # handler: proxyPass forwards traffic to another address
      handler: proxyPass
      # args: target address to forward to
      args: 127.0.0.1:9441
      # args: a domain socket can also be used
      # args: unix:/path/to/ds/file
  - name: router.v2cn.win
    tlsoffloading: true
    managedcert: false
    cert: /usr/local/caddy/v2cn.win.crt
    key: /usr/local/caddy/v2cn.win.key
    default:
      handler: proxyPass
      args: 127.0.0.1:8082
  - name: disqus.haomwei.com
    tlsoffloading: true
    managedcert: false
    cert: /usr/local/caddy/haomwei.com.crt
    key: /usr/local/caddy/haomwei.com.key
    default:
      handler: proxyPass
      args: 127.0.0.1:8083
vmess already has it
Hello, a question:
I'm currently using tls-shunt-proxy to split a decoy html website and trojan
tls-shunt-proxy's config.json looks like this:
vhosts:
The VPS also runs emby-server, which streams fine on the default port 8096
Then I wanted emby to go through 443, replacing the html decoy site
I tried changing args: /var/www/html to args: 127.0.0.1:8096
Accessing over https gives 404 page not found;
Then I got stuck and don't know how to proceed~
So I've come here to ask for help :)
Opening it in a browser gives a network error straight away.
curl reports: