From 59a39e66b156171dd4a6ccb27bbc391d6378cd23 Mon Sep 17 00:00:00 2001 From: zakuwaki Date: Thu, 25 Aug 2022 13:35:48 +0800 Subject: [PATCH] Add trojan fallback for ALPN #31 --- docs/configuration/inbound/trojan.md | 16 +++++- docs/configuration/inbound/trojan.zh.md | 18 +++++-- inbound/trojan.go | 66 +++++++++++++++++++------ option/trojan.go | 9 ++-- 4 files changed, 83 insertions(+), 26 deletions(-) diff --git a/docs/configuration/inbound/trojan.md b/docs/configuration/inbound/trojan.md index 1bccff68..5b864c66 100644 --- a/docs/configuration/inbound/trojan.md +++ b/docs/configuration/inbound/trojan.md @@ -23,9 +23,15 @@ ], "tls": {}, "fallback": { - "server": "127.0.0.0.1", + "server": "127.0.0.1", "server_port": 8080 }, + "fallback_for_alpn": { + "http/1.1": { + "server": "127.0.0.1", + "server_port": 8081 + } + }, "transport": {} } ] @@ -50,7 +56,13 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound). There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature. -Fallback server configuration. Disabled if empty. +Fallback server configuration. Disabled if `fallback` and `fallback_for_alpn` are empty. + +#### fallback_for_alpn + +Fallback server configuration for specified ALPN. + +If not empty, TLS fallback requests with ALPN not in this table will be rejected. #### transport diff --git a/docs/configuration/inbound/trojan.zh.md b/docs/configuration/inbound/trojan.zh.md index 916e5058..f2509c78 100644 --- a/docs/configuration/inbound/trojan.zh.md +++ b/docs/configuration/inbound/trojan.zh.md @@ -6,7 +6,6 @@ { "type": "trojan", "tag": "trojan-in", - "listen": "::", "listen_port": 2080, "tcp_fast_open": false, @@ -14,7 +13,6 @@ "sniff_override_destination": false, "domain_strategy": "prefer_ipv6", "proxy_protocol": false, - "users": [ { "name": "sekai", @@ -23,9 +21,15 @@ ], "tls": {}, "fallback": { - "server": "127.0.0.0.1", + "server": "127.0.0.1", "server_port": 8080 }, + "fallback_for_alpn": { + "http/1.1": { + "server": "127.0.0.1", + "server_port": 8081 + } + }, "transport": {} } ] @@ -52,7 +56,13 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。 没有证据表明 GFW 基于 HTTP 响应检测并阻止木马服务器,并且在服务器上打开标准 http/s 端口是一个更大的特征。 -备用服务器配置。默认禁用。 +回退服务器配置。如果 `fallback` 和 `fallback_for_alpn` 为空,则禁用回退。 + +#### fallback_for_alpn + +为 ALPN 指定回退服务器配置。 + +如果不为空,ALPN 不在此列表中的 TLS 回退请求将被拒绝。 #### transport diff --git a/inbound/trojan.go b/inbound/trojan.go index d572975b..ef6af65f 100644 --- a/inbound/trojan.go +++ b/inbound/trojan.go @@ -24,11 +24,12 @@ var _ adapter.Inbound = (*Trojan)(nil) type Trojan struct { myInboundAdapter - service *trojan.Service[int] - users []option.TrojanUser - tlsConfig *TLSConfig - fallbackAddr M.Socksaddr - transport adapter.V2RayServerTransport + service *trojan.Service[int] + users []option.TrojanUser + tlsConfig *TLSConfig + fallbackAddr M.Socksaddr + fallbackAddrTLSNextProto map[string]M.Socksaddr + transport adapter.V2RayServerTransport } func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TrojanInboundOptions) (*Trojan, error) { @@ -44,9 +45,35 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog }, users: options.Users, } + if options.TLS != nil { + tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS)) + if err != nil { + return nil, err + } + inbound.tlsConfig = tlsConfig + } var fallbackHandler N.TCPConnectionHandler - if options.Fallback != nil && options.Fallback.Server != "" { - inbound.fallbackAddr = options.Fallback.Build() + if options.Fallback != nil && options.Fallback.Server != "" || len(options.FallbackForALPN) > 0 { + if options.Fallback != nil && options.Fallback.Server != "" { + inbound.fallbackAddr = options.Fallback.Build() + if !inbound.fallbackAddr.IsValid() { + return nil, E.New("invalid fallback address: ", inbound.fallbackAddr) + } + } + if len(options.FallbackForALPN) > 0 { + if inbound.tlsConfig == nil { + return nil, E.New("fallback for ALPN is not supported without TLS") + } + fallbackAddrNextProto := make(map[string]M.Socksaddr) + for nextProto, destination := range options.FallbackForALPN { + fallbackAddr := destination.Build() + if !fallbackAddr.IsValid() { + return nil, E.New("invalid fallback address for ALPN ", nextProto, ": ", fallbackAddr) + } + fallbackAddrNextProto[nextProto] = fallbackAddr + } + inbound.fallbackAddrTLSNextProto = fallbackAddrNextProto + } fallbackHandler = adapter.NewUpstreamContextHandler(inbound.fallbackConnection, nil, nil) } service := trojan.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound), fallbackHandler) @@ -58,13 +85,6 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog if err != nil { return nil, err } - if options.TLS != nil { - tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS)) - if err != nil { - return nil, err - } - inbound.tlsConfig = tlsConfig - } if options.Transport != nil { var tlsConfig *tls.Config if inbound.tlsConfig != nil { @@ -153,8 +173,22 @@ func (h *Trojan) newConnection(ctx context.Context, conn net.Conn, metadata adap } func (h *Trojan) fallbackConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error { - h.logger.InfoContext(ctx, "fallback connection to ", h.fallbackAddr) - metadata.Destination = h.fallbackAddr + var fallbackAddr M.Socksaddr + if len(h.fallbackAddrTLSNextProto) > 0 { + if tlsConn, loaded := common.Cast[*tls.Conn](conn); loaded { + connectionState := tlsConn.ConnectionState() + if connectionState.NegotiatedProtocol != "" { + if fallbackAddr, loaded = h.fallbackAddrTLSNextProto[connectionState.NegotiatedProtocol]; !loaded { + return E.New("fallback disabled for ALPN: ", connectionState.NegotiatedProtocol) + } + } + } + } + if !fallbackAddr.IsValid() { + fallbackAddr = h.fallbackAddr + } + h.logger.InfoContext(ctx, "fallback connection to ", fallbackAddr) + metadata.Destination = fallbackAddr return h.router.RouteConnection(ctx, conn, metadata) } diff --git a/option/trojan.go b/option/trojan.go index 2deb4580..ad81e3b2 100644 --- a/option/trojan.go +++ b/option/trojan.go @@ -2,10 +2,11 @@ package option type TrojanInboundOptions struct { ListenOptions - Users []TrojanUser `json:"users,omitempty"` - TLS *InboundTLSOptions `json:"tls,omitempty"` - Fallback *ServerOptions `json:"fallback,omitempty"` - Transport *V2RayTransportOptions `json:"transport,omitempty"` + Users []TrojanUser `json:"users,omitempty"` + TLS *InboundTLSOptions `json:"tls,omitempty"` + Fallback *ServerOptions `json:"fallback,omitempty"` + FallbackForALPN map[string]*ServerOptions `json:"fallback_for_alpn,omitempty"` + Transport *V2RayTransportOptions `json:"transport,omitempty"` } type TrojanUser struct {