Notes and discussion on chaining h2s with v2ray as a proxy chain #1

Open
Equim-chan opened this Issue Apr 4, 2018 · 22 comments

Equim-chan commented Apr 4, 2018

If you want h2s and v2ray to work together as a proxy chain (outbound proxy), there are a few things to watch out for.

First, it must be made clear that h2s only ever accepts TCP input, because an HTTP proxy can only handle TCP.

If your original v2ray configuration did not use a custom transport, i.e. streamSettings is at its default, plain TCP (plain VMess), then it is fine to simply set the h2s listening address as an outboundDetour and bridge to it with the outbound proxy setting proxySettings. The problem is that if you have set streamSettings, for example configured TLS and/or WS, extra configuration is required before it will work.

In principle, the reason proxySettings cannot simply be set in this case is that v2ray (as of v3.15) cannot apply streamSettings and proxySettings at the same time; the two settings are mutually exclusive and only one of them takes effect. This is stated in the v2ray documentation:

proxySettings: outbound proxy configuration. When the outbound proxy is in effect, the streamSettings of this outbound protocol have no effect.

This is probably because the v2ray designers did not consider that the transport layer could also be sent downstream as part of the proxy-chain data, or it is a consideration of the proxy model itself (for example, h2s cannot handle UDP, so an mKCP stream cannot be passed downstream; that is disallowed by design). In any case, we now need to resolve the conflict between the two settings. Otherwise, if streamSettings does not take effect, TLS/WS will not work either. On the surface this shows up as v2ray reporting a protocol header error (with VMess + TLS + WS, a VMess header error).

Here I assume your proxy mode is VMess + TLS + WS and that you have already completed a configuration for the scenario "outbound connects directly to the server", and now want to combine this protocol stack with h2s into a proxy chain, i.e.

v2ray client ---h2s's SOCKS5---> intranet HTTP proxy server ---VMess + TLS + WS (or similar)---> v2ray server

Then some changes need to be made on top of the existing configuration file.

Below is a reference v2ray configuration for the scenario above. Some redundant parts are omitted; only the key points are shown.

{
  "inbound": {
    // your original inbound, no changes needed
    // ...
  },

  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [{
        "address": "127.0.0.1", // note this
        "port": 50001,          // note this. The port can be anything; it just has to match the dokodemo-door below
        "users": [{
          // same as your original configuration
          // ...
        }]
      }]
    },
    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "wsSettings": {
        // path and other settings are the same as before
        // ...
        "headers": {
          "Host": "你的主机名(一般是域名)" // be sure to configure this correctly, otherwise the WS handshake will fail
        }
      },
      "tlsSettings": {
        // ...
        "serverName": "你的主机名(一般是域名)", // be sure to configure this correctly, otherwise the TLS handshake will fail. Usually it is the same as the Host above
      }
    }
  },

  // newly added dokodemo-door inbound, used for the internal bridge
  "inboundDetour": [{
    "listen": "127.0.0.1",
    "port": 50001, // just has to match the VMess port above
    "protocol": "dokodemo-door",
    "settings": {
      "network": "tcp", // h2s only accepts TCP
      "address": "在此填上原本应该填在 VMess 的 address 里的内容", // note this: put what you would originally have put in the VMess address here, normally your v2ray server address
      "port": 443 // put what you would originally have put in the VMess port here. Same as above
    },
    "tag": "内部桥接点" // the tag is mandatory, otherwise routing is impossible
  }],

  // this outbound connects to h2s
  "outboundDetour": [{
    "protocol": "socks",
    "settings": {
      "servers": [{
        // configure this according to your h2s configuration
        // ...
      }]
    },
    "tag": "h2s" // the tag is mandatory, otherwise routing is impossible
  }],

  "routing": {
    "strategy": "rules",
    "settings": {
      // add the following rule
      "rules": [{
        "type": "field",
        "inboundTag": ["内部桥接点"],
        "outboundTag": "h2s"
      }],
      // the rest is unchanged
      // ...
    }
  }
}

If you have questions about bridging h2s and v2ray, please raise them in this issue.
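As an added example (not code from the post, from h2s or from v2ray), a small Python checker for the bridged layout above: it strips the // comments v2ray tolerates, then verifies that the VMess vnext address points at a tagged TCP dokodemo-door inbound whose address is the real server rather than the local bridge (which would loop), and that a routing rule sends that inboundTag to a socks outbound; it also flags streamSettings and proxySettings being set together. The embedded config, hostnames and tags are constructed.

```python
import json
import re

# Constructed sample modelled on the bridged layout described in the post:
# VMess -> 127.0.0.1:50001 -> dokodemo-door (tag "bridge") -> routing -> socks outbound "h2s".
SAMPLE_CONFIG = """{
  "outbound": {
    "protocol": "vmess",
    "settings": {"vnext": [{"address": "127.0.0.1", "port": 50001, "users": []}]},
    "streamSettings": {"network": "ws", "security": "tls",
      "wsSettings": {"headers": {"Host": "example.com"}}, // constructed hostname
      "tlsSettings": {"serverName": "example.com"}}
  },
  "inboundDetour": [{"listen": "127.0.0.1", "port": 50001, "protocol": "dokodemo-door",
    "settings": {"network": "tcp", "address": "example.com", "port": 443}, "tag": "bridge"}],
  "outboundDetour": [{"protocol": "socks", "tag": "h2s", "settings": {"servers": [{"address": "127.0.0.1", "port": 1088}]}}],
  "routing": {"strategy": "rules", "settings": {"rules": [
    {"type": "field", "inboundTag": ["bridge"], "outboundTag": "h2s"}]}}
}"""

def strip_comments(text):
    """Drop // comments (v2ray tolerates them) without touching // inside strings."""
    return re.sub(r'"(?:\\.|[^"\\])*"|//[^\n]*',
                  lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def load_config(text):
    return json.loads(strip_comments(text))

def check_bridge(cfg):
    """Return a list of problems with the dokodemo-door bridge; empty means it looks right."""
    problems, ob = [], cfg.get("outbound", {})
    if "streamSettings" in ob and "proxySettings" in ob:
        problems.append("streamSettings and proxySettings are mutually exclusive; only one applies")
    vnext = ob.get("settings", {}).get("vnext", [{}])[0]
    target = (vnext.get("address"), vnext.get("port"))   # where VMess dials, i.e. the local bridge
    doors = [d for d in cfg.get("inboundDetour", []) if d.get("protocol") == "dokodemo-door"
             and (d.get("listen"), d.get("port")) == target]
    if not doors:
        return problems + ["no dokodemo-door inbound listens on the VMess address %s:%s" % target]
    door, ds = doors[0], doors[0].get("settings", {})
    if ds.get("network") != "tcp":
        problems.append("dokodemo-door network must be tcp: h2s only accepts TCP")
    if not door.get("tag"):
        problems.append("dokodemo-door inbound has no tag, so routing cannot select it")
    if ds.get("address") in (None, target[0]):              # pointing back at the bridge loops forever
        problems.append("dokodemo-door address must be the real v2ray server, not the local bridge")
    socks_tags = {o.get("tag") for o in cfg.get("outboundDetour", []) if o.get("protocol") == "socks"}
    routed = [r.get("outboundTag") for r in cfg.get("routing", {}).get("settings", {}).get("rules", [])
              if door.get("tag") in r.get("inboundTag", [])]
    if not routed or routed[0] not in socks_tags:
        problems.append("no routing rule sends inboundTag %r to a socks outbound" % door.get("tag"))
    return problems
```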

@Equim-chan Equim-chan changed the title from "How to work with v2ray custom transport configuration" to "How to chain with v2ray as a proxy chain" Apr 4, 2018

@Equim-chan Equim-chan changed the title from "How to chain with v2ray as a proxy chain" to "Notes and discussion on chaining h2s with v2ray as a proxy chain" Apr 4, 2018

DarienRaymond commented Apr 4, 2018

The method above is the expected way to carry streamSettings through to the outside.

By the way, all VMess data is transmitted as a stream (TCP), so the method above can safely proxy the client's TCP and UDP data.

KiriKira commented Apr 6, 2018

Also worth mentioning: using dokodemo-door directly with h2s as a transparent proxy works too, but I have not used it for long and its stability is untested.

{
  "inbound": {
    "domainOverride": ["tls", "http"],
    "port": 12345,
    "protocol": "dokodemo-door",
    "settings": {
      "network": "tcp",
      "followRedirect": true
    }
  },
  "outbound": {
    "protocol": "socks",
    "settings": {
      "servers": [
        {
          "address": "127.0.0.1",
          "port": 3378
        }
      ]
    }
  }
}
pharmcube commented Apr 8, 2018

Could the OP please help me check where my configuration is wrong? The detailed client configuration is as follows:
{
  "log": {
    "access": "D:/Green Tools/V2Ray/access.log",
    "error": "D:/Green Tools/V2Ray/error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "port": 1288,
    "listen": "127.0.0.1",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": false
    }
  },
  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "127.0.0.1",
          "port": 19688,
          "users": [
            {
              "id": "50ef5298-b9ca-4b02-b32b-a3bd108e750f",
              "alterId": 64
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {
        "serverName": "domain.me"
      },
      "wsSettings": {
        "path": "/domain/",
        "headers": {
          "Host": "domain.me"
        }
      }
    }
  },
  "inboundDetour": [
    {
      "listen": "127.0.0.1",
      "port": 19688,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp",
        "address": "127.0.0.1", // not sure which address goes here?
        "port": 19688 // same as above
      },
      "tag": "内部桥接点"
    }
  ],
  "outboundDetour": [
    {
      "protocol": "socks",
      "settings": {
        "servers": [
          {
            "address": "公司代理IP",
            "port": 8080,
            "username": "USER",
            "password": "PASSWORD"
          }
        ]
      },
      "tag": "h2s"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "inboundTag": [
            "内部桥接点"
          ],
          "outboundTag": "h2s"
        }
      ]
    }
  }
}

Error messages:
2018/04/08 11:11:35 [Warning] [4177646999] App|Proxyman|Outbound: failed to process outbound traffic > Proxy|VMess|Outbound: failed to find an available destination > Retry: [Transport|Internet|WebSocket: failed to dial WebSocket > Transport|Internet|WebSocket: failed to dial to (wss://127.0.0.1:19688/domain/): > EOF] > Retry: all retry attempts failed
2018/04/08 11:11:37 [Warning] [3562402570] App|Proxyman|Outbound: failed to process outbound traffic > Proxy|Socks: failed to establish connection to server > read tcp 192.168.2.104:9779->172.16.8.8:8080: i/o timeout
2018/04/08 11:11:39 [Warning] [248939248] App|Proxyman|Outbound: failed to process outbound traffic > Proxy|Socks: failed to establish connection to server > read tcp 192.168.2.104:9782->172.16.8.8:8080: i/o timeout

Equim-chan commented Apr 8, 2018

@pharmcube

"address": "127.0.0.1", // not sure which address goes here?
"port": 19688 // same as above

Didn't I already write it?

      "address": "在此填上原本应该填在 VMess 的 address 里的内容", // note this: put what you would originally have put in the VMess address here, normally your v2ray server address
      "port": 443 // put what you would originally have put in the VMess port here. Same as above

That is, what you would originally have put in the VMess section if you were connecting directly, without going through anything like h2s. In other words, your v2ray server address.

pharmcube commented Apr 8, 2018

How do I make the program run in the background without showing a window? Could you give some guidance? Also, on top of this, is it possible to distinguish domestic and foreign sites, with domestic ones going through the company proxy and foreign ones through v2ray? Could you advise on the routing strategy?

Equim-chan commented Apr 8, 2018

@pharmcube On Windows you can create a batch file

mshta vbscript:createobject("wscript.shell").run("C:\path\to\your\h2s 带上参数",0)(window.close)

On *nix just use nohup.

Please ask the remaining questions over at v2ray.

vikibg commented Apr 25, 2018

I have been constantly switching between the intranet and the internet just for Google; thanks in advance.

vikibg commented Apr 26, 2018

Tested it today; it worked with no problems at all. Thanks 😃

vikibg commented Apr 26, 2018

It worked at first, but later h2s reported a 407 error; maybe my account got locked!

vikibg commented May 8, 2018

Let me paste the h2s configuration:
{
  "bind": "127.0.0.1:1088",
  "upstreams": [
    {
      "address": "172.31.2.20"
    },
    {
      "username": "mydomain\username",
      "password": "mypassword"
    }
  ]
}

It feels like the authentication configuration did not take effect; after about 5 minutes it reports the following:
2018/05/08 09:15:55.534309 h2s: handshake upstream: 407 Proxy Authentication Required

Please take a look, thanks.

Equim-chan commented May 8, 2018

@vikibg Did everything work normally before the message appeared? I suspect the authentication may have a time limit or something like that.

vikibg commented May 8, 2018

@Equim-chan Your analysis is quite right. After the 407 appeared, I tried switching the browser to the default proxy and could browse normally; after switching back to h2s+v2ray, the 407 error was no longer reported and I could get through the wall normally again.

Is h2s missing a re-authentication mechanism?

The intranet HTTP proxy is fairly capable; normally it uses the AD domain for unified authentication (Kerberos).

vikibg commented May 8, 2018

Also, h2s keeps emitting the following error warnings:
2018/05/08 14:45:46.463419 h2s: dial upstream: max retry exceeded: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
2018/05/08 14:45:47.978635 h2s: dial upstream: max retry exceeded: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
2018/05/08 14:46:05.577879 h2s: dial upstream: max retry exceeded: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
2018/05/08 14:51:20.122280 h2s: dial upstream: max retry exceeded: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
2018/05/08 14:57:12.078371 h2s: dial upstream: max retry exceeded: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
2018/05/08 14:57:13.643125 h2s: dial upstream: max retry exceeded: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.

Equim-chan commented May 8, 2018

@vikibg h2s does not account for re-authentication.

Those error messages mean the proxy server RST'd the connection (there may be a rate limit or similar).

vikibg commented May 9, 2018

I set "retries": 8 in the h2s configuration, and the max retry exceeded errors decreased.

The 407 problem still appears from time to time; it requires restarting h2s or switching to the regular proxy to re-authenticate.

H2S+V2ray is great:

  1. Easy to get over the wall
  2. Hides browsing history; apart from the v2ray server's HTTPS information, there is no other browsing record on the proxy
bitching commented May 24, 2018

Damn gorgeous, this helped me.

mysteryboy2000 commented Jun 26, 2018

My company has an HTTP proxy; I set up V2ray on 瓦工 (BandwagonHost) using plain TCP.
Everything is configured, but the following error appears...

Handshake failed
The SSL handshake could not be performed.
Host: pan.baidu.com
Reason: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request:state 23:Application response 500 handshakefailed
Company Acceptable Use Policy
This is an optional acceptable use disclaimer that appears on every page. You may change the wording or remove this section entirely in index.html.
For assistance, please contact your system administrator.
generated 2018-06-26 16:49:47 by McAfee Web Gateway

Is this hopeless?
Feels like a certificate problem?

mysteryboy2000 commented Jun 26, 2018

h2s config
{
  "bind": "127.0.0.1:8088",
  "upstreams": [{
    "address": "192.168.170.5:8080"
  }, {
    "address": "192.168.170.5:443",
    "tls": {
      "serverName": "192.168.170.5",
      "insecureSkipVerify": false,
      "rootCA": "",
      "certFile": "",
      "keyFile": ""
    }
  }],
  "timeout": "20s",
  "retries": 3
}

V2ray config
{
  "log": {
    "access": "access.log",
    "error": "error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "port": 1080,
    "listen": "127.0.0.1",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": false
    }
  },
  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "127.0.0.1",
          "port": 50001,
          "users": [
            {
              "id": "my-id-from-vmess-config",
              "alterId": 233,
              "security": "auto"
            }
          ]
        }
      ]
    },
    "mux": {
      "enabled": true
    }
  },
  "inboundDetour": [
    {
      "listen": "127.0.0.1",
      "port": 50001,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp",
        "address": "my vmess server id",
        "port": 3366
      },
      "tag": "inner"
    }
  ],
  "outboundDetour": [
    {
      "protocol": "socks",
      "settings": {
        "servers": [{
          "address": "127.0.0.1",
          "port": 8088,
          "username": "",
          "password": ""
        }]
      },
      "tag": "h2s"
    }
  ],
  "dns": {
    "servers": [
      "8.8.8.8",
      "8.8.4.4",
      "localhost"
    ]
  },
  "routing": {
    "strategy": "rules",
    "settings": {
      "domainStrategy": "IPIfNonMatch",
      "rules": [
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10",
            "geoip:cn"
          ],
          "domain": [
            "geosite:cn"
          ],
          "outboundTag": "direct"
        },
        {
          "type": "chinasites",
          "outboundTag": "h2s"
        },
        {
          "type": "chinaip",
          "outboundTag": "h2s"
        },
        {
          "type": "field",
          "inboundTag": ["inner"],
          "outboundTag": "h2s"
        }
      ]
    }
  }
}

mysteryboy2000 commented Jun 26, 2018

error log

2018/06/26 17:13:59 [Warning] App|DNS: failed to lookup IPs for domain www.google.com. > lookup www.google.com.: no such host
2018/06/26 17:13:59 [Warning] App|DNS: failed to lookup IPs for domain www.google.com. > lookup www.google.com.: no such host

vikibg commented Jun 28, 2018

Let me give an update.

2018/06/28 16:26:05.448673 h2s: handshake upstream: 407 Proxy Authentication Required
2018/06/28 16:26:05.721084 h2s: handshake upstream: 407 Proxy Authentication Required
2018/06/28 16:26:06.022498 h2s: handshake upstream: 407 Proxy Authentication Required
2018/06/28 16:26:06.370911 h2s: handshake upstream: 407 Proxy Authentication Required

C:\Users\Programs\v2ray>h2s.exe -config h2s.json
2018/06/28 16:26:57.922073 Listening on 127.0.0.1:1088

Today I looked carefully at the h2s.json configuration and found that there was a brace between address and username/password, separating them, as follows.

{
  "bind": "127.0.0.1:1088",
  "upstreams": [
    {
      "address": "172.31.2.20"
    },
    {
      "username": "mydomain\username",
      "password": "mypassword"
    }
  ]
}

After deleting the brace, the configuration is as follows:

{
  "bind": "127.0.0.1:1088",
  "upstreams": [
    {
      "address": "172.31.2.20",
      "username": "mydomain\username",
      "password": "mypassword"
    }
  ]
}

The 407 problem is solved. It seems the program itself was fine; it was my configuration that was wrong.

Thanks to the author, and thanks everyone.

ch331917692 commented Nov 15, 2018

{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [{
    "port": 1080,
    "listen": "127.0.0.1",
    "tag": "socks-inbound",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": false,
      "ip": "127.0.0.1"
    }
  }],
  "outbound": 
    {
    "protocol": "vmess",
    "settings":{
      "vnext": [{
          "address":"x.x.x.x", 
          "port":8888,
          "users":[
            {
              "id":"c5f1ecdb-07d5-4834-ac30-83433804c8af",
              "alterId":64
            }
          ]
        }
      ]
    },
    "proxySettings":{
      "tag":"h2s"
    },
    "tag": "proxy"
  },

  "outboundDetour":[
    {
      "protocol":"socks",
      "settings":{
        "servers":[{
          "address":"127.0.0.1", //h2s
          "port":1090 //h2s port
        }]
      },
      "tag":"h2s"
    }
  ],
}

Please take a look at whether there is anything wrong with my configuration. Currently direct domestic connections work, but access via vmess does not; the h2s log keeps showing 503, and it feels like it never reaches my own vmess server.
