Add trojan fallback for ALPN #31

2024-11-22 08:31:30 +00:00 · 2022-08-25 13:35:48 +08:00 · 2022-08-25 13:35:48 +08:00 · 59a39e66b1
parent fd5ac69a35
commit 59a39e66b1
4 changed files with 83 additions and 26 deletions
--- a/docs/configuration/inbound/trojan.md
+++ b/docs/configuration/inbound/trojan.md
@ -23,9 +23,15 @@
      ],
      "tls": {},
      "fallback": {
-        "server": "127.0.0.0.1",
+        "server": "127.0.0.1",
        "server_port": 8080
      },
+      "fallback_for_alpn": {
+        "http/1.1": {
+          "server": "127.0.0.1",
+          "server_port": 8081
+        }
+      },
      "transport": {}
    }
  ]
@ -50,7 +56,13 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

    There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.

-Fallback server configuration. Disabled if empty.
+Fallback server configuration. Disabled if `fallback` and `fallback_for_alpn` are empty.
+
+#### fallback_for_alpn
+
+Fallback server configuration for specified ALPN.
+
+If not empty, TLS fallback requests with ALPN not in this table will be rejected.

 #### transport

--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@ -6,7 +6,6 @@
    {
      "type": "trojan",
      "tag": "trojan-in",
-      
      "listen": "::",
      "listen_port": 2080,
      "tcp_fast_open": false,
@ -14,7 +13,6 @@
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6",
      "proxy_protocol": false,
-
      "users": [
        {
          "name": "sekai",
@ -23,9 +21,15 @@
      ],
      "tls": {},
      "fallback": {
-        "server": "127.0.0.0.1",
+        "server": "127.0.0.1",
        "server_port": 8080
      },
+      "fallback_for_alpn": {
+        "http/1.1": {
+          "server": "127.0.0.1",
+          "server_port": 8081
+        }
+      },
      "transport": {}
    }
  ]
@ -52,7 +56,13 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

    没有证据表明 GFW 基于 HTTP 响应检测并阻止木马服务器，并且在服务器上打开标准 http/s 端口是一个更大的特征。

-备用服务器配置。默认禁用。
+回退服务器配置。如果 `fallback` 和 `fallback_for_alpn` 为空，则禁用回退。
+
+#### fallback_for_alpn
+
+为 ALPN 指定回退服务器配置。
+
+如果不为空，ALPN 不在此列表中的 TLS 回退请求将被拒绝。

 #### transport

--- a/inbound/trojan.go
+++ b/inbound/trojan.go
@ -24,11 +24,12 @@ var _ adapter.Inbound = (*Trojan)(nil)

 type Trojan struct {
 	myInboundAdapter
-	service      *trojan.Service[int]
-	users        []option.TrojanUser
-	tlsConfig    *TLSConfig
-	fallbackAddr M.Socksaddr
-	transport    adapter.V2RayServerTransport
+	service                  *trojan.Service[int]
+	users                    []option.TrojanUser
+	tlsConfig                *TLSConfig
+	fallbackAddr             M.Socksaddr
+	fallbackAddrTLSNextProto map[string]M.Socksaddr
+	transport                adapter.V2RayServerTransport
 }

 func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TrojanInboundOptions) (*Trojan, error) {
@ -44,9 +45,35 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
 		},
 		users: options.Users,
 	}
+	if options.TLS != nil {
+		tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
+		if err != nil {
+			return nil, err
+		}
+		inbound.tlsConfig = tlsConfig
+	}
 	var fallbackHandler N.TCPConnectionHandler
-	if options.Fallback != nil && options.Fallback.Server != "" {
-		inbound.fallbackAddr = options.Fallback.Build()
+	if options.Fallback != nil && options.Fallback.Server != "" || len(options.FallbackForALPN) > 0 {
+		if options.Fallback != nil && options.Fallback.Server != "" {
+			inbound.fallbackAddr = options.Fallback.Build()
+			if !inbound.fallbackAddr.IsValid() {
+				return nil, E.New("invalid fallback address: ", inbound.fallbackAddr)
+			}
+		}
+		if len(options.FallbackForALPN) > 0 {
+			if inbound.tlsConfig == nil {
+				return nil, E.New("fallback for ALPN is not supported without TLS")
+			}
+			fallbackAddrNextProto := make(map[string]M.Socksaddr)
+			for nextProto, destination := range options.FallbackForALPN {
+				fallbackAddr := destination.Build()
+				if !fallbackAddr.IsValid() {
+					return nil, E.New("invalid fallback address for ALPN ", nextProto, ": ", fallbackAddr)
+				}
+				fallbackAddrNextProto[nextProto] = fallbackAddr
+			}
+			inbound.fallbackAddrTLSNextProto = fallbackAddrNextProto
+		}
 		fallbackHandler = adapter.NewUpstreamContextHandler(inbound.fallbackConnection, nil, nil)
 	}
 	service := trojan.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound), fallbackHandler)
@ -58,13 +85,6 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
 	if err != nil {
 		return nil, err
 	}
-	if options.TLS != nil {
-		tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
-		if err != nil {
-			return nil, err
-		}
-		inbound.tlsConfig = tlsConfig
-	}
 	if options.Transport != nil {
 		var tlsConfig *tls.Config
 		if inbound.tlsConfig != nil {
@ -153,8 +173,22 @@ func (h *Trojan) newConnection(ctx context.Context, conn net.Conn, metadata adap
 }

 func (h *Trojan) fallbackConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	h.logger.InfoContext(ctx, "fallback connection to ", h.fallbackAddr)
-	metadata.Destination = h.fallbackAddr
+	var fallbackAddr M.Socksaddr
+	if len(h.fallbackAddrTLSNextProto) > 0 {
+		if tlsConn, loaded := common.Cast[*tls.Conn](conn); loaded {
+			connectionState := tlsConn.ConnectionState()
+			if connectionState.NegotiatedProtocol != "" {
+				if fallbackAddr, loaded = h.fallbackAddrTLSNextProto[connectionState.NegotiatedProtocol]; !loaded {
+					return E.New("fallback disabled for ALPN: ", connectionState.NegotiatedProtocol)
+				}
+			}
+		}
+	}
+	if !fallbackAddr.IsValid() {
+		fallbackAddr = h.fallbackAddr
+	}
+	h.logger.InfoContext(ctx, "fallback connection to ", fallbackAddr)
+	metadata.Destination = fallbackAddr
 	return h.router.RouteConnection(ctx, conn, metadata)
 }

--- a/option/trojan.go
+++ b/option/trojan.go
@ -2,10 +2,11 @@ package option

 type TrojanInboundOptions struct {
 	ListenOptions
-	Users     []TrojanUser           `json:"users,omitempty"`
-	TLS       *InboundTLSOptions     `json:"tls,omitempty"`
-	Fallback  *ServerOptions         `json:"fallback,omitempty"`
-	Transport *V2RayTransportOptions `json:"transport,omitempty"`
+	Users           []TrojanUser              `json:"users,omitempty"`
+	TLS             *InboundTLSOptions        `json:"tls,omitempty"`
+	Fallback        *ServerOptions            `json:"fallback,omitempty"`
+	FallbackForALPN map[string]*ServerOptions `json:"fallback_for_alpn,omitempty"`
+	Transport       *V2RayTransportOptions    `json:"transport,omitempty"`
 }

 type TrojanUser struct {