通过 sing-box tun 连接经过 nginx stream 流量转发的网站内容异常
Operating system
Windows
System version
sing-box version 1.10.0-alpha.28
Installation type
Original sing-box Command Line
If you are using a graphical client, please provide the version of the client.
No response
Version
sing-box version 1.10.0-alpha.28
Environment: go1.22.5 windows/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 3c21bd7f6bfdff0f01a523ab6a5d6734e339e6af
CGO: disabled
Description
通过 sing-box tun(非 fakeip 模式)访问时,nginx stream 模块按 SNI 分流的结果不正确:同一浏览器会话中后续访问的域名显示的是第一个域名的内容。
Reproduction
vps 上 nginx 使用 stream 模块监听 443 端口,将流量转发到不同的地址,所有的服务都运行在 docker 中(包括 nginx),其中 alist,dufs 和 adguardhome 都分别配置了 ssl。
在不使用 sing-box 的情况下,直接连接到对应的域名,都可以显示对应的页面(alist.domain_xxx.com,dufs.domain_xxx.com, adguardhome.domain_xxx.com),在使用下面的配置启动 sing-box 之后,使用 Firefox 的隐私模式(chrome 的隐私模式也试了),第一次访问上面三个任一个域名都可以正确打开对应的页面,但是继续在地址栏输入另外两个域名,在加载完成之后,会显示第一个域名的内容。退出 Firefox 重新打开 Firefox 的隐私模式,第一次访问上面的任何一个域名还是能够正常显示对应的内容的。
怀疑是 sing-box 导致 nginx stream 模块分流不正常,但目前只是推测。同时也试了 fakeip 模式,是正常的,每个域名对应的内容都能够正常显示。需要注意:非 fakeip 模式下这三个域名都解析到同一个 VPS IP,而 nginx 的 ssl_preread 只在每条 TCP 连接建立时读取一次 SNI,所以"第一次正常、之后显示第一个域名的内容、fakeip(每个域名各自一个独立 IP)下正常"这种现象也可能是浏览器复用了到同一 IP:443 的已有连接,而不一定是 nginx 分流出错。要区分两者,可以对照 nginx stream 的 access log 和 sing-box 的连接日志,确认访问第二个域名时是否新建了带该域名 SNI 的 TCP 连接(本 issue 未附任何日志)。
sing-box 配置文件,只是把两个节点的服务器地址隐藏了(替换为 example.com)。注意:下面配置里两个 vmess 出站的 uuid 以及 clash_api 的 secret 仍原样保留——uuid 就是 vmess 的认证凭据,如果不是占位符,公开后应立即更换;clash_api 虽然只监听 127.0.0.1,其 secret 也应视为已泄露并更换。另外 route.rules 里第一条规则引用的 inbound "dns-in" 在 inbounds 中并不存在(只有 tun-in),它不会匹配任何连接,可以删掉以保证这确实是最小复现配置。
{
"log": {
"disabled": false,
"level": "info",
"timestamp": true
},
"dns": {
"servers": [
{
"tag": "default-dns",
"address": "223.5.5.5",
"detour": "direct-out"
},
{
"tag": "block-dns",
"address": "rcode://name_error"
},
{
"tag": "google-dot",
"address": "tls://8.8.8.8",
"strategy": "ipv4_only",
"client_subnet": "1.0.1.0"
}
],
"rules": [
{
"outbound": "any",
"server": "default-dns"
},
{
"query_type": "HTTPS",
"server": "block-dns"
},
{
"clash_mode": "Direct",
"server": "default-dns"
},
{
"clash_mode": "Global",
"server": "google-dot"
},
{
"rule_set": "cnsite",
"server": "default-dns"
}
],
"strategy": "ipv4_only",
"disable_cache": false,
"disable_expire": false,
"independent_cache": false,
"final": "google-dot"
},
"inbounds": [
{
"type": "tun",
"tag": "tun-in",
"inet4_address": "172.19.0.1/30",
"mtu": 9000,
"gso": true,
"auto_route": true,
"stack": "system",
"sniff": true,
"sniff_override_destination": true
}
],
"outbounds": [
{
"type": "direct",
"tag": "direct-out"
},
{
"type": "block",
"tag": "block-out"
},
{
"type": "dns",
"tag": "dns-out"
},
{
"type": "selector",
"tag": "select-out",
"outbounds": [
"direct-out",
"block-out",
"auto-out",
"🔴",
"🟠"
],
"default": "auto-out"
},
{
"type": "urltest",
"tag": "auto-out",
"outbounds": [
"🔴",
"🟠"
]
},
{
"type": "selector",
"tag": "GLOBAL",
"outbounds": [
"direct-out",
"select-out",
"auto-out",
"🔴",
"🟠"
],
"default": "auto-out"
},
{
"type": "vmess",
"tag": "🔴",
"server": "vmess1.example.com",
"server_port": 8879,
"uuid": "ebc0f831-3512-42fd-8d84-9d3bccd32ea8",
"packet_encoding": "xudp",
"security": "auto",
"alter_id": 0
},
{
"type": "vmess",
"tag": "🟠",
"server": "vmess2.example.com",
"server_port": 8879,
"uuid": "7095b0f3-e425-4636-9b8c-1fe94de1e9c9",
"packet_encoding": "xudp",
"security": "auto",
"alter_id": 0
}
],
"route": {
"rules": [
{
"inbound": "dns-in",
"outbound": "dns-out"
},
{
"protocol": "dns",
"outbound": "dns-out"
},
{
"protocol": "quic",
"outbound": "block-out"
},
{
"clash_mode": "Direct",
"outbound": "direct-out"
},
{
"clash_mode": "Global",
"outbound": "GLOBAL"
},
{
"rule_set": [
"cnip",
"cnsite"
],
"outbound": "direct-out"
}
],
"rule_set": [
{
"type": "remote",
"tag": "cnip",
"format": "binary",
"url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo-lite/geoip/cn.srs",
"download_detour": "auto-out"
},
{
"type": "remote",
"tag": "cnsite",
"format": "binary",
"url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo-lite/geosite/cn.srs",
"download_detour": "auto-out"
}
],
"auto_detect_interface": true,
"final": "select-out"
},
"experimental": {
"cache_file": {
"enabled": true,
"path": "cache.db"
},
"clash_api": {
"external_controller": "127.0.0.1:9090",
"external_ui": "clash-dashboard",
"external_ui_download_detour": "auto-out",
"secret": "1234567890",
"default_mode": "Rule"
}
}
}
nginx stream 模块的配置
# Layer-4 TLS passthrough front door: nginx does not terminate TLS here, it only
# parses the ClientHello and forwards the raw bytes to the selected upstream.
stream {
    # Choose the backend from the SNI carried in the ClientHello.
    # NOTE(review): SNI is plaintext and entirely client-chosen, so this map is
    # routing, not authentication -- every upstream must present its own
    # certificate and enforce its own access control. The SNI is read once per
    # TCP connection; requests a client later multiplexes over an already
    # established connection are not re-routed.
    map $ssl_preread_server_name $backend {
        alist.domain_xxx.com alist;
        dufs.domain_xxx.com dufs;
        adguardhome.domain_xxx.com adguardhome;
        # Any other or absent SNI (direct-by-IP connections, scanners) lands on
        # "web"; that backend is therefore reachable by anyone hitting :443.
        default web;
    }
    # Upstream hosts are Docker service names per the issue description --
    # presumably resolved through Docker's embedded DNS; verify on the VPS.
    # alist
    upstream alist {
        server alist:5245;
    }
    # dufs
    upstream dufs {
        server dufs:5000;
    }
    # adguardhome
    upstream adguardhome {
        server adguardhome:443;
    }
    # redirect to web
    upstream web {
        server web:443;
    }
    server {
        # reuseport: one listening socket per worker on :443 (IPv4 and IPv6).
        listen 443 reuseport;
        listen [::]:443 reuseport;
        # $backend is evaluated per connection from the map above.
        proxy_pass $backend;
        # Required for $ssl_preread_server_name to be populated.
        ssl_preread on;
    }
}
Logs
No response
Supporter
- [ ] I am a sponsor
Integrity requirements
- [X] I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
- [X] I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
- [X] I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
- [X] I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.