trojan-go
Intermittent "failed to read hash" errors after enabling the Cloudflare proxy
- [x] I confirm that I have tried to reproduce this issue multiple times, and I will provide the system and network environment, software and versions involved.
Briefly describe the bug
When going through the Cloudflare proxy, the server intermittently logs the connection error "connection with invalid trojan header from xxx:xxx | failed to read hash | EOF", and the client correspondingly logs "proxy failed to dial connection | websocket cannot dial with underlying client | tls failed to handshake with remote server | read tcp xxx:xxx->xxx:xxx: read: connection reset by peer". It stops working, then recovers on its own after a while.
How to reproduce the bug
With the Cloudflare proxy enabled the error appears intermittently; with the Cloudflare proxy disabled and the client connecting directly to the server, the problem no longer appears.
Server and client environment
The server runs Linux 5.10.0-15 amd64, with the teddysun/trojan-go 0.10.6 Docker image.
The client runs Ubuntu 22.04 LTS with the same Docker image.
Cloudflare's SSL/TLS encryption mode is set to "Full".
Server and client logs
Server log
[INFO] 2022/06/25 15:40:03 tcp connection from 172.70.214.110:28542
[INFO] 2022/06/25 15:40:03 tls connection from 172.70.214.110:28542
[TRACE] 2022/06/25 15:40:03 tls handshake TLS_AES_128_GCM_SHA256 false
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:172 http req: &{GET /my_ws_path/ HTTP/1.1 1 1 map[Accept-Encoding:[gzip] Cdn-Loop:[cloudflare] Cf-Connecting-Ip:[my_real_ip] Cf-Ipcountry:[CN] Cf-Ray:[720c0d883b427cda-LAX] Cf-Visitor:[{"scheme":"https"}] Connection:[Upgrade] Origin:[https://my_site] Sec-Websocket-Key:[ZXpMXeo6QeFERIsnGrUH5Q==] Sec-Websocket-Version:[13] Upgrade:[websocket] X-Forwarded-For:[my_real_ip] X-Forwarded-Proto:[https]] {} <nil> 0 [] false my_site map[] map[] <nil> map[] /my_ws_path/ <nil> <nil> <nil> <nil>}
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/websocket.(*Server).AcceptConn.func2:server.go:115 websocket url /my_ws_path/ origin https://my_site
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/websocket.(*Server).AcceptConn.func1:server.go:107 websocket obtained
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).AcceptConn:server.go:184 next proto http
[WARN] 2022/06/25 15:41:43 connection with invalid trojan header from 172.70.214.110:28542 | failed to read hash | EOF
[DEBUG] 2022/06/25 15:41:43 github.com/p4gefau1t/trojan-go/redirector.(*Redirector).Redirect:redirector.go:33 redirect request
[WARN] 2022/06/25 15:41:43 redirecting connection from 172.70.214.110:28542 to caddy:80
[INFO] 2022/06/25 15:41:43 redirection done
[DEBUG] 2022/06/25 15:41:43 github.com/p4gefau1t/trojan-go/tunnel/websocket.(*Server).AcceptConn.func1:server.go:112 websocket closed
Client log
[ERROR] 2022/06/25 15:48:18 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:66 proxy failed to dial connection | websocket failed to handshake with server | unexpected EOF
[DEBUG] 2022/06/25 15:48:18 github.com/p4gefau1t/trojan-go/tunnel/adapter.(*Server).acceptConnLoop:server.go:53 socks5 connection
[INFO] 2022/06/25 15:48:18 socks connection from 172.17.0.1:47656 metadata www.google.com:443
[DEBUG] 2022/06/25 15:48:29 github.com/p4gefau1t/trojan-go/tunnel/adapter.(*Server).acceptConnLoop:server.go:53 socks5 connection
[INFO] 2022/06/25 15:48:29 socks connection from 172.17.0.1:47658 metadata ogs.google.com:443
[ERROR] 2022/06/25 15:49:01 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:66 proxy failed to dial connection | websocket cannot dial with underlying client | tls failed to dial conn | transport failed to connect to remote server | freedom failed to dial my_site:443 | dial tcp 104.21.10.67:443: connect: connection timed out
[ERROR] 2022/06/25 15:49:10 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:66 proxy failed to dial connection | websocket failed to handshake with server | read tcp 172.17.0.4:33270->172.67.131.66:443: read: connection reset by peer
[DEBUG] 2022/06/25 15:49:41 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:86 conn relay ends
[INFO] 2022/06/25 15:49:41 connection to content-autofill.googleapis.com:443 closed sent: 64 B recv: 4.63 KiB
[DEBUG] 2022/06/25 15:49:41 github.com/p4gefau1t/trojan-go/tunnel/adapter.(*Server).acceptConnLoop:server.go:53 socks5 connection
[INFO] 2022/06/25 15:49:41 socks connection from 172.17.0.1:47660 metadata www.google.com:443
[ERROR] 2022/06/25 15:50:13 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:66 proxy failed to dial connection | websocket cannot dial with underlying client | tls failed to handshake with remote server | read tcp 172.17.0.4:43748->104.21.10.67:443: read: connection reset by peer
Server and client configuration files
Server configuration
{
"run_type": "server",
"local_addr": "0.0.0.0",
"local_port": 443,
"remote_addr": "caddy",
"remote_port": 80,
"log_level": 0,
"password": [
"my_password"
],
"ssl": {
"cert": "/etc/trojan-go/cert/fullchain1.pem",
"key": "/etc/trojan-go/cert/privkey1.pem",
"sni": "my_site"
}
}
The server uses a Let's Encrypt certificate.
Client configuration
{
"run_type": "client",
"local_addr": "0.0.0.0",
"local_port": 1080,
"remote_addr": "my_site",
"remote_port": 443,
"log_level": 0,
"websocket": {
"enabled": true,
"path": "/my_ws_path/",
"double_tls": false,
"host": "my_site"
},
"password": [
"my_password"
],
"ssl": {
"sni": "my_site",
"fingerprint": ""
}
}
Server and client version information
Trojan-Go v0.10.6
Go Version: go1.17.1
OS/Arch: linux/amd64
Git Commit: 2dc60f52e79ff8b910e78e444f1e80678e936450
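The server log above shows the path that produces "failed to read hash | EOF" and the redirect to caddy:80: a trojan server reads the connection's first 56 bytes as hex(SHA224(password)), serves the request if they match a configured password, hands any other well-formed bytes to the fallback as plain HTTP, and reports EOF when the peer (or the CDN in front of it) closes the stream before 56 bytes arrive. The following Go program is an added illustration of that decision and is not trojan-go's own code; "my_password" and the sample streams are constructed, and the byte replay to the fallback that a real server needs is omitted.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Verdict is what the server decides from a connection's first bytes: serve the
// proxy request, or hand the stream to the fallback (caddy:80 in the log above).
type Verdict int
const (
	VerdictProxy     Verdict = iota // hash matches a configured password
	VerdictFallback                 // bytes arrived but are not a known hash: treat as plain HTTP
	VerdictTruncated                // stream ended before 56 bytes: "failed to read hash | EOF"
)

// PasswordHash returns hex(SHA224(password)), the 56-byte prefix a trojan client sends.
func PasswordHash(password string) string {
	sum := sha256.Sum224([]byte(password))
	return hex.EncodeToString(sum[:])
}

// CheckHeader reads the 56-byte hash and the CRLF after it and classifies the connection.
// A real server must replay the consumed bytes to the fallback; that is omitted here.
func CheckHeader(r io.Reader, allowed map[string]bool) (Verdict, error) {
	br := bufio.NewReader(r)
	hash := make([]byte, 56)
	if _, err := io.ReadFull(br, hash); err != nil {
		// io.EOF (nothing sent) or io.ErrUnexpectedEOF (partial): peer or CDN closed early
		return VerdictTruncated, errors.New("failed to read hash | " + err.Error())
	}
	if !allowed[string(hash)] {
		return VerdictFallback, nil
	}
	crlf := make([]byte, 2)
	if _, err := io.ReadFull(br, crlf); err != nil || !bytes.Equal(crlf, []byte("\r\n")) {
		return VerdictFallback, errors.New("invalid crlf after hash")
	}
	return VerdictProxy, nil
}

func main() { // constructed sample: an empty stream, the case the server log above shows
	v, err := CheckHeader(bytes.NewReader(nil), map[string]bool{PasswordHash("my_password"): true})
	fmt.Println(v, err)
}
```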
You need to configure websocket on the server side as well, https://p4gefau1t.github.io/trojan-go/advance/websocket/
Both my server and client have WebSocket configured and I still get this error; turning off the CDN and connecting directly works fine.
Then make sure CF's websocket forwarding is enabled.
Thanks for the reply. But I didn't know CF needs WebSocket Proxy enabled separately? Isn't it supported directly? None of the tutorials seem to mention it either...
Just in case you turned it off by accident, or CF now disables websocket by default for new sites.
Haha, even if you told me to turn it off I couldn't find where 😹
Just a reminder in case: the server config you posted at the start is one with websocket not configured. If it still doesn't work after changing it, post your new config so we can take a look.
Thanks, but actually I'm not the one who posted it; I just saw the same error message in my logs, so I followed up on the thread. Thanks anyway :) My client is ShadowRocket on iOS; the server setup is Nginx listening on 443 with layer-4 routing by domain, and trojan is the p4gefau1t/trojan-go Docker image. The config.json is as follows:
{
"run_type": "server",
"local_addr": "0.0.0.0",
"local_port": 20001,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"log_level": 0,
"log_file": "/etc/trojan-go/trojan-go.log",
"password": [
"mypassword.com", "mypassword.net"
],
"ssl": {
"verify": true,
"verify_hostname": true,
"cert": "/tls/fullchain.cer",
"key": "/tls/mydomain.com.key",
"sni": "trojan.mydomain.com",
"fallback_addr": "127.0.0.1",
"fallback_port": 20001,
"alpn": [
"h2",
"http\/1.1"
],
"reuse_session": true,
"session_ticket": true,
"session_timeout": 600,
"plain_http_response": "",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"prefer_server_cipher": true,
"curves": "",
"dhparam": ""
},
"tcp": {
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"prefer_ipv4": false,
"fast_open": false,
"fast_open_qlen": 20
},
"mysql": {
"enabled": false,
"server_addr": "127.0.0.1",
"server_port": 3306,
"database": "trojan",
"username": "trojan",
"password": ""
},
"websocket": {
"enabled": true,
"path": "/fuckccp",
"hostname": "trojan.mydomain.com",
"obfuscation_password": "",
"double_tls": false,
"ssl": {
"verify": true,
"verify_hostname": true,
"cert": "/tls/fullchain.cer",
"key": "/tls/mydomain.com.key",
"key_password": "",
"prefer_server_cipher": true,
"sni": "trojan.mydomain.com",
"session_ticket": true,
"reuse_session": true,
"plain_http_response": ""
}
}
}
Ah, I just realized you're not the original poster. Also, I use nginx layer-7 routing, i.e. routing inside HTTP. I described my own configuration in https://github.com/p4gefau1t/trojan-go/issues/234#issuecomment-946342401, not sure whether it helps you.
Same error. I initially used nginx/SNI dispatch; later, after a look at the docs, I simply turned off trojan's TLS and left it all to nginx. The config file then becomes very standard and simple.
Add to trojan.conf:
"transport_plugin": {
"enabled": true,
"type": "plaintext",
"command": "",
"option": "",
"arg": [],
"env": []
},
BTW, I do the same with xray/vless; it's better to hand TLS and the like entirely to nginx. If the kernel supports it you can enable nginx kTLS, see: https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/