mirror of
https://github.com/SagerNet/sing-box.git
synced 2024-11-22 08:31:30 +00:00
Add trojan fallback for ALPN #31
This commit is contained in:
parent
fd5ac69a35
commit
59a39e66b1
|
@ -23,9 +23,15 @@
|
||||||
],
|
],
|
||||||
"tls": {},
|
"tls": {},
|
||||||
"fallback": {
|
"fallback": {
|
||||||
"server": "127.0.0.0.1",
|
"server": "127.0.0.1",
|
||||||
"server_port": 8080
|
"server_port": 8080
|
||||||
},
|
},
|
||||||
|
"fallback_for_alpn": {
|
||||||
|
"http/1.1": {
|
||||||
|
"server": "127.0.0.1",
|
||||||
|
"server_port": 8081
|
||||||
|
}
|
||||||
|
},
|
||||||
"transport": {}
|
"transport": {}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
@ -50,7 +56,13 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
|
||||||
|
|
||||||
There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.
|
There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.
|
||||||
|
|
||||||
Fallback server configuration. Disabled if empty.
|
Fallback server configuration. Disabled if `fallback` and `fallback_for_alpn` are empty.
|
||||||
|
|
||||||
|
#### fallback_for_alpn
|
||||||
|
|
||||||
|
Fallback server configuration for specified ALPN.
|
||||||
|
|
||||||
|
If not empty, TLS fallback requests with ALPN not in this table will be rejected.
|
||||||
|
|
||||||
#### transport
|
#### transport
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,6 @@
|
||||||
{
|
{
|
||||||
"type": "trojan",
|
"type": "trojan",
|
||||||
"tag": "trojan-in",
|
"tag": "trojan-in",
|
||||||
|
|
||||||
"listen": "::",
|
"listen": "::",
|
||||||
"listen_port": 2080,
|
"listen_port": 2080,
|
||||||
"tcp_fast_open": false,
|
"tcp_fast_open": false,
|
||||||
|
@ -14,7 +13,6 @@
|
||||||
"sniff_override_destination": false,
|
"sniff_override_destination": false,
|
||||||
"domain_strategy": "prefer_ipv6",
|
"domain_strategy": "prefer_ipv6",
|
||||||
"proxy_protocol": false,
|
"proxy_protocol": false,
|
||||||
|
|
||||||
"users": [
|
"users": [
|
||||||
{
|
{
|
||||||
"name": "sekai",
|
"name": "sekai",
|
||||||
|
@ -23,9 +21,15 @@
|
||||||
],
|
],
|
||||||
"tls": {},
|
"tls": {},
|
||||||
"fallback": {
|
"fallback": {
|
||||||
"server": "127.0.0.0.1",
|
"server": "127.0.0.1",
|
||||||
"server_port": 8080
|
"server_port": 8080
|
||||||
},
|
},
|
||||||
|
"fallback_for_alpn": {
|
||||||
|
"http/1.1": {
|
||||||
|
"server": "127.0.0.1",
|
||||||
|
"server_port": 8081
|
||||||
|
}
|
||||||
|
},
|
||||||
"transport": {}
|
"transport": {}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
@ -52,7 +56,13 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
|
||||||
|
|
||||||
没有证据表明 GFW 基于 HTTP 响应检测并阻止木马服务器,并且在服务器上打开标准 http/s 端口是一个更大的特征。
|
没有证据表明 GFW 基于 HTTP 响应检测并阻止木马服务器,并且在服务器上打开标准 http/s 端口是一个更大的特征。
|
||||||
|
|
||||||
备用服务器配置。默认禁用。
|
回退服务器配置。如果 `fallback` 和 `fallback_for_alpn` 为空,则禁用回退。
|
||||||
|
|
||||||
|
#### fallback_for_alpn
|
||||||
|
|
||||||
|
为 ALPN 指定回退服务器配置。
|
||||||
|
|
||||||
|
如果不为空,ALPN 不在此列表中的 TLS 回退请求将被拒绝。
|
||||||
|
|
||||||
#### transport
|
#### transport
|
||||||
|
|
||||||
|
|
|
@ -24,11 +24,12 @@ var _ adapter.Inbound = (*Trojan)(nil)
|
||||||
|
|
||||||
type Trojan struct {
|
type Trojan struct {
|
||||||
myInboundAdapter
|
myInboundAdapter
|
||||||
service *trojan.Service[int]
|
service *trojan.Service[int]
|
||||||
users []option.TrojanUser
|
users []option.TrojanUser
|
||||||
tlsConfig *TLSConfig
|
tlsConfig *TLSConfig
|
||||||
fallbackAddr M.Socksaddr
|
fallbackAddr M.Socksaddr
|
||||||
transport adapter.V2RayServerTransport
|
fallbackAddrTLSNextProto map[string]M.Socksaddr
|
||||||
|
transport adapter.V2RayServerTransport
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TrojanInboundOptions) (*Trojan, error) {
|
func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TrojanInboundOptions) (*Trojan, error) {
|
||||||
|
@ -44,9 +45,35 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
|
||||||
},
|
},
|
||||||
users: options.Users,
|
users: options.Users,
|
||||||
}
|
}
|
||||||
|
if options.TLS != nil {
|
||||||
|
tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
inbound.tlsConfig = tlsConfig
|
||||||
|
}
|
||||||
var fallbackHandler N.TCPConnectionHandler
|
var fallbackHandler N.TCPConnectionHandler
|
||||||
if options.Fallback != nil && options.Fallback.Server != "" {
|
if options.Fallback != nil && options.Fallback.Server != "" || len(options.FallbackForALPN) > 0 {
|
||||||
inbound.fallbackAddr = options.Fallback.Build()
|
if options.Fallback != nil && options.Fallback.Server != "" {
|
||||||
|
inbound.fallbackAddr = options.Fallback.Build()
|
||||||
|
if !inbound.fallbackAddr.IsValid() {
|
||||||
|
return nil, E.New("invalid fallback address: ", inbound.fallbackAddr)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(options.FallbackForALPN) > 0 {
|
||||||
|
if inbound.tlsConfig == nil {
|
||||||
|
return nil, E.New("fallback for ALPN is not supported without TLS")
|
||||||
|
}
|
||||||
|
fallbackAddrNextProto := make(map[string]M.Socksaddr)
|
||||||
|
for nextProto, destination := range options.FallbackForALPN {
|
||||||
|
fallbackAddr := destination.Build()
|
||||||
|
if !fallbackAddr.IsValid() {
|
||||||
|
return nil, E.New("invalid fallback address for ALPN ", nextProto, ": ", fallbackAddr)
|
||||||
|
}
|
||||||
|
fallbackAddrNextProto[nextProto] = fallbackAddr
|
||||||
|
}
|
||||||
|
inbound.fallbackAddrTLSNextProto = fallbackAddrNextProto
|
||||||
|
}
|
||||||
fallbackHandler = adapter.NewUpstreamContextHandler(inbound.fallbackConnection, nil, nil)
|
fallbackHandler = adapter.NewUpstreamContextHandler(inbound.fallbackConnection, nil, nil)
|
||||||
}
|
}
|
||||||
service := trojan.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound), fallbackHandler)
|
service := trojan.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound), fallbackHandler)
|
||||||
|
@ -58,13 +85,6 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if options.TLS != nil {
|
|
||||||
tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
inbound.tlsConfig = tlsConfig
|
|
||||||
}
|
|
||||||
if options.Transport != nil {
|
if options.Transport != nil {
|
||||||
var tlsConfig *tls.Config
|
var tlsConfig *tls.Config
|
||||||
if inbound.tlsConfig != nil {
|
if inbound.tlsConfig != nil {
|
||||||
|
@ -153,8 +173,22 @@ func (h *Trojan) newConnection(ctx context.Context, conn net.Conn, metadata adap
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *Trojan) fallbackConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
|
func (h *Trojan) fallbackConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
|
||||||
h.logger.InfoContext(ctx, "fallback connection to ", h.fallbackAddr)
|
var fallbackAddr M.Socksaddr
|
||||||
metadata.Destination = h.fallbackAddr
|
if len(h.fallbackAddrTLSNextProto) > 0 {
|
||||||
|
if tlsConn, loaded := common.Cast[*tls.Conn](conn); loaded {
|
||||||
|
connectionState := tlsConn.ConnectionState()
|
||||||
|
if connectionState.NegotiatedProtocol != "" {
|
||||||
|
if fallbackAddr, loaded = h.fallbackAddrTLSNextProto[connectionState.NegotiatedProtocol]; !loaded {
|
||||||
|
return E.New("fallback disabled for ALPN: ", connectionState.NegotiatedProtocol)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !fallbackAddr.IsValid() {
|
||||||
|
fallbackAddr = h.fallbackAddr
|
||||||
|
}
|
||||||
|
h.logger.InfoContext(ctx, "fallback connection to ", fallbackAddr)
|
||||||
|
metadata.Destination = fallbackAddr
|
||||||
return h.router.RouteConnection(ctx, conn, metadata)
|
return h.router.RouteConnection(ctx, conn, metadata)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -2,10 +2,11 @@ package option
|
||||||
|
|
||||||
type TrojanInboundOptions struct {
|
type TrojanInboundOptions struct {
|
||||||
ListenOptions
|
ListenOptions
|
||||||
Users []TrojanUser `json:"users,omitempty"`
|
Users []TrojanUser `json:"users,omitempty"`
|
||||||
TLS *InboundTLSOptions `json:"tls,omitempty"`
|
TLS *InboundTLSOptions `json:"tls,omitempty"`
|
||||||
Fallback *ServerOptions `json:"fallback,omitempty"`
|
Fallback *ServerOptions `json:"fallback,omitempty"`
|
||||||
Transport *V2RayTransportOptions `json:"transport,omitempty"`
|
FallbackForALPN map[string]*ServerOptions `json:"fallback_for_alpn,omitempty"`
|
||||||
|
Transport *V2RayTransportOptions `json:"transport,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type TrojanUser struct {
|
type TrojanUser struct {
|
||||||
|
|
Loading…
Reference in a new issue