Add trojan fallback for ALPN #31

This commit is contained in:
zakuwaki 2022-08-25 13:35:48 +08:00 committed by 世界
parent fd5ac69a35
commit 59a39e66b1
No known key found for this signature in database
GPG key ID: CD109927C34A63C4
4 changed files with 83 additions and 26 deletions

View file

@ -23,9 +23,15 @@
], ],
"tls": {}, "tls": {},
"fallback": { "fallback": {
"server": "127.0.0.0.1", "server": "127.0.0.1",
"server_port": 8080 "server_port": 8080
}, },
"fallback_for_alpn": {
"http/1.1": {
"server": "127.0.0.1",
"server_port": 8081
}
},
"transport": {} "transport": {}
} }
] ]
@ -50,7 +56,13 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature. There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.
Fallback server configuration. Disabled if empty. Fallback server configuration. Disabled if `fallback` and `fallback_for_alpn` are empty.
#### fallback_for_alpn
Fallback server configuration for specified ALPN.
If not empty, TLS fallback requests with ALPN not in this table will be rejected.
#### transport #### transport

View file

@ -6,7 +6,6 @@
{ {
"type": "trojan", "type": "trojan",
"tag": "trojan-in", "tag": "trojan-in",
"listen": "::", "listen": "::",
"listen_port": 2080, "listen_port": 2080,
"tcp_fast_open": false, "tcp_fast_open": false,
@ -14,7 +13,6 @@
"sniff_override_destination": false, "sniff_override_destination": false,
"domain_strategy": "prefer_ipv6", "domain_strategy": "prefer_ipv6",
"proxy_protocol": false, "proxy_protocol": false,
"users": [ "users": [
{ {
"name": "sekai", "name": "sekai",
@ -23,9 +21,15 @@
], ],
"tls": {}, "tls": {},
"fallback": { "fallback": {
"server": "127.0.0.0.1", "server": "127.0.0.1",
"server_port": 8080 "server_port": 8080
}, },
"fallback_for_alpn": {
"http/1.1": {
"server": "127.0.0.1",
"server_port": 8081
}
},
"transport": {} "transport": {}
} }
] ]
@ -52,7 +56,13 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
没有证据表明 GFW 基于 HTTP 响应检测并阻止木马服务器,并且在服务器上打开标准 http/s 端口是一个更大的特征。 没有证据表明 GFW 基于 HTTP 响应检测并阻止木马服务器,并且在服务器上打开标准 http/s 端口是一个更大的特征。
备用服务器配置。默认禁用。 回退服务器配置。如果 `fallback``fallback_for_alpn` 为空,则禁用回退。
#### fallback_for_alpn
为 ALPN 指定回退服务器配置。
如果不为空ALPN 不在此列表中的 TLS 回退请求将被拒绝。
#### transport #### transport

View file

@ -24,11 +24,12 @@ var _ adapter.Inbound = (*Trojan)(nil)
type Trojan struct { type Trojan struct {
myInboundAdapter myInboundAdapter
service *trojan.Service[int] service *trojan.Service[int]
users []option.TrojanUser users []option.TrojanUser
tlsConfig *TLSConfig tlsConfig *TLSConfig
fallbackAddr M.Socksaddr fallbackAddr M.Socksaddr
transport adapter.V2RayServerTransport fallbackAddrTLSNextProto map[string]M.Socksaddr
transport adapter.V2RayServerTransport
} }
func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TrojanInboundOptions) (*Trojan, error) { func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TrojanInboundOptions) (*Trojan, error) {
@ -44,9 +45,35 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
}, },
users: options.Users, users: options.Users,
} }
if options.TLS != nil {
tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
if err != nil {
return nil, err
}
inbound.tlsConfig = tlsConfig
}
var fallbackHandler N.TCPConnectionHandler var fallbackHandler N.TCPConnectionHandler
if options.Fallback != nil && options.Fallback.Server != "" { if options.Fallback != nil && options.Fallback.Server != "" || len(options.FallbackForALPN) > 0 {
inbound.fallbackAddr = options.Fallback.Build() if options.Fallback != nil && options.Fallback.Server != "" {
inbound.fallbackAddr = options.Fallback.Build()
if !inbound.fallbackAddr.IsValid() {
return nil, E.New("invalid fallback address: ", inbound.fallbackAddr)
}
}
if len(options.FallbackForALPN) > 0 {
if inbound.tlsConfig == nil {
return nil, E.New("fallback for ALPN is not supported without TLS")
}
fallbackAddrNextProto := make(map[string]M.Socksaddr)
for nextProto, destination := range options.FallbackForALPN {
fallbackAddr := destination.Build()
if !fallbackAddr.IsValid() {
return nil, E.New("invalid fallback address for ALPN ", nextProto, ": ", fallbackAddr)
}
fallbackAddrNextProto[nextProto] = fallbackAddr
}
inbound.fallbackAddrTLSNextProto = fallbackAddrNextProto
}
fallbackHandler = adapter.NewUpstreamContextHandler(inbound.fallbackConnection, nil, nil) fallbackHandler = adapter.NewUpstreamContextHandler(inbound.fallbackConnection, nil, nil)
} }
service := trojan.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound), fallbackHandler) service := trojan.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound), fallbackHandler)
@ -58,13 +85,6 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
if err != nil { if err != nil {
return nil, err return nil, err
} }
if options.TLS != nil {
tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
if err != nil {
return nil, err
}
inbound.tlsConfig = tlsConfig
}
if options.Transport != nil { if options.Transport != nil {
var tlsConfig *tls.Config var tlsConfig *tls.Config
if inbound.tlsConfig != nil { if inbound.tlsConfig != nil {
@ -153,8 +173,22 @@ func (h *Trojan) newConnection(ctx context.Context, conn net.Conn, metadata adap
} }
func (h *Trojan) fallbackConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error { func (h *Trojan) fallbackConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
h.logger.InfoContext(ctx, "fallback connection to ", h.fallbackAddr) var fallbackAddr M.Socksaddr
metadata.Destination = h.fallbackAddr if len(h.fallbackAddrTLSNextProto) > 0 {
if tlsConn, loaded := common.Cast[*tls.Conn](conn); loaded {
connectionState := tlsConn.ConnectionState()
if connectionState.NegotiatedProtocol != "" {
if fallbackAddr, loaded = h.fallbackAddrTLSNextProto[connectionState.NegotiatedProtocol]; !loaded {
return E.New("fallback disabled for ALPN: ", connectionState.NegotiatedProtocol)
}
}
}
}
if !fallbackAddr.IsValid() {
fallbackAddr = h.fallbackAddr
}
h.logger.InfoContext(ctx, "fallback connection to ", fallbackAddr)
metadata.Destination = fallbackAddr
return h.router.RouteConnection(ctx, conn, metadata) return h.router.RouteConnection(ctx, conn, metadata)
} }

View file

@ -2,10 +2,11 @@ package option
type TrojanInboundOptions struct { type TrojanInboundOptions struct {
ListenOptions ListenOptions
Users []TrojanUser `json:"users,omitempty"` Users []TrojanUser `json:"users,omitempty"`
TLS *InboundTLSOptions `json:"tls,omitempty"` TLS *InboundTLSOptions `json:"tls,omitempty"`
Fallback *ServerOptions `json:"fallback,omitempty"` Fallback *ServerOptions `json:"fallback,omitempty"`
Transport *V2RayTransportOptions `json:"transport,omitempty"` FallbackForALPN map[string]*ServerOptions `json:"fallback_for_alpn,omitempty"`
Transport *V2RayTransportOptions `json:"transport,omitempty"`
} }
type TrojanUser struct { type TrojanUser struct {