
Using Xray-core as an HTTP proxy makes ECH (Encrypted Client Hello) unusable.

Open fuchanghao opened this issue 1 year ago • 1 comments

Configure the following routing rule so that all connections go out directly:

[ { "port": "0-65535", "inboundTag": [], "outboundTag": "direct", "enabled": true } ]

Set the Xray-core HTTP proxy address in the browser:

Then, with ECH enabled in the browser settings, visit the following ECH test sites:

https://tls-ech.dev/
https://defo.ie/ech-check.php

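Both report that ECH is not in use. I don't know why ECH can no longer be used once the traffic passes through this extra hop?

Full configuration: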

{
  "policy": {
    "system": {
      "statsOutboundUplink": true,
      "statsOutboundDownlink": true
    }
  },
  "log": {
    "access": "",
    "error": "",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "socks",
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    },
    {
      "tag": "http",
      "port": 10809,
      "listen": "127.0.0.1",
      "protocol": "http",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    },
    {
      "tag": "socks2",
      "port": 10810,
      "listen": "0.0.0.0",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    },
    {
      "tag": "http2",
      "port": 10811,
      "listen": "0.0.0.0",
      "protocol": "http",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    },
    {
      "tag": "api",
      "port": 63597,
      "listen": "127.0.0.1",
      "protocol": "dokodemo-door",
      "settings": {
        "udp": false,
        "address": "127.0.0.1",
        "allowTransparent": false
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [
        // hidden
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
         // hidden
          }
        }
      },
      "mux": {
        "enabled": true,
        "concurrency": 8
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    }
  ],
  "stats": {},
  "api": {
    "tag": "api",
    "services": [
      "StatsService"
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "domainMatcher": "mph",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "enabled": true
      },
      {
        "type": "field",
        "port": "0-65535",
        "inboundTag": [],
        "outboundTag": "direct",
        "enabled": true
      }
    ]
  }
}

Possible Solution

fuchanghao avatar Sep 07 '22 07:09 fuchanghao

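The way ECH works is that information from the server hello is moved forward to the DNS step and sent to the client there; in other words, the client has to handle DNS itself for it to take effect.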

yuhan6665 avatar Sep 27 '22 15:09 yuhan6665
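The reply above places the ECH parameters at the DNS step: they are published in the `ech` SvcParam (key 5) of a domain's HTTPS record. As an added example (not from this thread or from Xray-core's code), the Go function below pulls that parameter out of raw HTTPS RDATA in the RFC 9460 wire format; the function name and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const svcParamECH = 5 // SvcParamKey "ech" in HTTPS/SVCB records
var errShort = errors.New("truncated HTTPS RDATA")

// ECHFromHTTPSRData (hypothetical helper) walks one HTTPS (type 65) RDATA:
// SvcPriority(2) | TargetName (uncompressed labels) | {key(2) len(2) value}*
func ECHFromHTTPSRData(rd []byte) ([]byte, bool, error) {
	i := 2 // skip SvcPriority
	for { // skip TargetName, one length-prefixed label at a time
		if i >= len(rd) {
			return nil, false, errShort
		}
		n := int(rd[i])
		i += 1 + n
		if n == 0 { // root label ends the name
			break
		}
	}
	for i < len(rd) { // SvcParams follow until the end of RDATA
		if i+4 > len(rd) {
			return nil, false, errShort
		}
		key := binary.BigEndian.Uint16(rd[i:])
		n := int(binary.BigEndian.Uint16(rd[i+2:]))
		i += 4
		if i+n > len(rd) {
			return nil, false, errShort
		}
		if key == svcParamECH {
			return rd[i : i+n], true, nil // raw ECHConfigList bytes
		}
		i += n
	}
	return nil, false, nil // well-formed record, no ech parameter
}

func main() {
	// Constructed sample: priority 1, target ".", alpn=h2, ech=4 placeholder bytes.
	rd := []byte{0, 1, 0, 0, 1, 0, 3, 2, 'h', '2', 0, 5, 0, 4, 0xde, 0xad, 0xbe, 0xef}
	ech, ok, err := ECHFromHTTPSRData(rd)
	fmt.Printf("ech present=%v bytes=%x err=%v\n", ok, ech, err)
}
```

A record that parses cleanly but returns `false` carries no ECH configuration, which is the case to rule out first when a test site reports that ECH was not used.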