
v2ray dokodemo-door transparent proxy does not correctly handle a host without a port in the SNI

Open kirbyzhou opened this issue 6 months ago • 4 comments

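Which version of V2Ray are you using?

5.30

What is your use case?

Using dokodemo-door to implement an https transparent proxy

What abnormal behavior did you see?

If the transparent proxy itself listens not on port 443 but on another port, for example 2983, then when forwarding traffic, after reading the host www.google.com without a port number from the https SNI field, it tries to access www.google.com:2983 through the outbound.

What is the normal behavior you expected to see?

If the host in the SNI has no port number, use the https default port 443.

Please attach your configuration

Server-side configuration:

    // Not related to the server side

Client-side configuration: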

{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "info"
  },
  "inbounds": [
    {
      "port": 2983,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "tag": "proxy",
      "mux": {
        "concurrency": 8,
        "enabled": false
      },
      "settings": {
        "vnext": [
          {
            "users": [
              {
                "encryption": "none",
                "id": "...",
                "flow": "",
                "level": 0
              }
            ],
            "address": "XXX",
            "port": 12345
          }
        ]
      },
      "streamSettings": { ... }
    },
    {
      "protocol": "freedom",
      "tag": "direct",
      "settings": {
        "userLevel": 0,
        "domainStrategy": "UseIP"
      }
    },
    {
      "protocol": "blackhole",
      "tag": "block",
      "settings": {
        "response": {
          "type": "none"
        }
      }
    }
  ],
  "transport": {},
  "dns": {
    "servers": [
      "1.1.1.1",
      "8.8.8.8"
    ]
  },
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api"
      },
      {
        "type": "field",
        "outboundTag": "block",
        "domain": [
          "geosite:category-ads-all"
        ]
      },
      {
        "type": "field",
        "outboundTag": "direct",
        "domain": [
          "geosite:cn"
        ]
      },
      {
        "type": "field",
        "port": "0-65535",
        "outboundTag": "proxy"
      }
    ]
  }
}
       

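Please attach the error log output by the software when the error occurred

Server-side error log:

// Attach the server-side log here

Client-side error log: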

2025/07/07 15:04:56 [Info] [704599051] proxy/dokodemo: received request for 192.168.18.82:59016
2025/07/07 15:04:56 [Info] [704599051] app/dispatcher: sniffed domain: www.google.com for tcp:192.168.18.3:2983
2025/07/07 15:04:56 [Info] [704599051] app/dispatcher: taking detour [proxy] for [tcp:www.google.com:2983]
2025/07/07 15:04:56 [Info] [704599051] transport/internet/websocket: creating connection to tcp:XXX:12345
2025/07/07 15:04:56 [Info] [704599051] proxy/vless/outbound: tunneling request to tcp:www.google.com:2983 via XXX:12345

Please attach the access log

// This is the client log
2025/07/07 15:04:56 192.168.18.

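Other related configuration files (such as Nginx) and related logs

If V2Ray fails to start, please attach the output of the --test command

If the V2Ray service is running abnormally, please attach the journal log

kirbyzhou, Jul 09 '25 14:07

Just passing by. Why didn't the initiating side include a port? Or what app/scenario sends a URL request but without a port?

kingwilliam, Jul 13 '25 22:07

> Just passing by. Why didn't the initiating side include a port? Or what app/scenario sends a URL request but without a port?

I don't understand either. SNI is a host name, so what port would it have? Isn't the port number written in the transport-layer protocol?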

tomandjerry27, Jul 14 '25 06:07

SNI is a TLS extension in TLS Client Hello, and destination port is a part of TCP Header. How is it possible to read the destination port from SNI?

AkinoKaede, Aug 09 '25 10:08
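The point discussed in the comments above, as an added example that is not part of the original thread and is not v2ray-core's code: it extracts the SNI from a ClientHello generated locally with Python's `ssl` module, showing that the extension carries only a host name, and then models the override visible in the client log, where the sniffed host replaces the address and the port stays the one recorded for the connection (192.168.18.3:2983 in the log). The function names are hypothetical, `override_destination` is an assumption modelled on the log lines, and 203.0.113.10:443 is a constructed destination.

```python
import ssl
import struct

def make_client_hello(host: str) -> bytes:
    """Generate a real ClientHello locally through in-memory BIOs (no network I/O)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for a ServerHello
    return outgoing.read()

def sniff_sni(record: bytes):
    """Return host_name from the server_name extension of a ClientHello, else None."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a TLS handshake record that starts a ClientHello
    pos = 43  # 5 record header + 4 handshake header + 2 version + 32 random
    for width in (1, 2, 1):  # session_id, cipher_suites, compression_methods
        pos += width + int.from_bytes(record[pos:pos + width], "big")
    pos += 2  # total extensions length
    try:
        while pos + 4 <= len(record):
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:  # list_len(2) name_type(1) name_len(2) name: no port
                name_type, name_len = struct.unpack_from("!xxBH", record, pos)
                name = record[pos + 5:pos + 5 + name_len]
                ok = name_type == 0 and len(name) == name_len
                return name.decode("ascii") if ok else None
            pos += ext_len
    except (struct.error, UnicodeDecodeError):
        pass  # truncated or malformed extension data
    return None

def override_destination(recorded_dest: str, first_bytes: bytes) -> str:
    """Model (assumption) of the override in the issue log: the sniffed host
    replaces the address, the port stays the one recorded for the connection."""
    host = sniff_sni(first_bytes)
    port = recorded_dest.rpartition(":")[2]
    return f"{host}:{port}" if host else recorded_dest

if __name__ == "__main__":
    hello = make_client_hello("www.google.com")
    print(override_destination("192.168.18.3:2983", hello))  # destination in the issue log
    print(override_destination("203.0.113.10:443", hello))   # constructed destination
```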

This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot], Dec 08 '25 02:12