Security Issue on dokodemo inbounds #1213
Comments
followRedirect should be off.
I tested it and can confirm that sniffing is the problem. There's a website my.ip.fi with an IP address of 91.198.120.42 that returns your IP address when you visit it. First with sniffing ON:
The first command's output is as expected. Then I disabled sniffing on Dokodemo-Door:
The first command's output is as expected.
@alireza0 It might be a good idea to turn off sniffing by default on Dokodemo-Door inbounds when first created by the user.
Thank you for your analysis. I will consider it in the next version.
Sniffing will now be disabled by default!
Thanks. Just a question: Disabled on all protocols or only Dokodemo-Door?
All protocols by default (for new inbounds).
Does this problem exist only for the Dokodemo-Door protocol, or for vless and the others as well?
The problem stems from the fact that the Dokodemo-Door protocol has no authentication. The other protocols that do have authentication should not, in principle, have such a problem.
Describe the bug
Dokodemo Inbound works as a proxy server. It seems that if we provide an SNI to the inbound port, then the server forwards the connection to the provided SNI without any restriction. It looks like a security issue.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expect that Dokodemo only forwards the traffic to the target IP.
It looks like some users scan all Iran VPS providers' IPs and then use these local IPs as clean IPs,
so they can use these IPs and overload the VPS.
We have seen this issue on the latest version of Sanaei but did not check on the Alireza Panel;
the source issue might be from the Xray core.
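
Added example, not part of the issue thread or the project's code: a small Python audit that lists Dokodemo-Door inbounds in an Xray-style config that still have sniffing or followRedirect enabled, the two settings the comments above point to. The sample config, its tags and addresses are constructed for illustration, and the function name `audit_dokodemo` is hypothetical.

```python
import json

# Constructed sample config (not from the thread): two dokodemo-door inbounds
# and one vless inbound, using Xray's inbound JSON layout.
SAMPLE_CONFIG = json.loads("""
{
  "inbounds": [
    {"tag": "dd-sniff", "port": 8443, "protocol": "dokodemo-door",
     "settings": {"address": "203.0.113.10", "port": 443, "network": "tcp"},
     "sniffing": {"enabled": true, "destOverride": ["http", "tls"]}},
    {"tag": "dd-fixed", "port": 8444, "protocol": "dokodemo-door",
     "settings": {"address": "203.0.113.10", "port": 443, "network": "tcp",
                  "followRedirect": false},
     "sniffing": {"enabled": false}},
    {"tag": "vless-in", "port": 8445, "protocol": "vless",
     "settings": {"clients": [], "decryption": "none"},
     "sniffing": {"enabled": true, "destOverride": ["http", "tls"]}}
  ]
}
""")


def audit_dokodemo(config):
    """Return (tag, finding) pairs for dokodemo-door inbounds whose destination
    is not pinned to the configured address."""
    findings = []
    for inbound in config.get("inbounds") or []:
        if inbound.get("protocol") != "dokodemo-door":
            continue  # this check covers only the unauthenticated forwarder
        tag = inbound.get("tag") or "port-%s" % inbound.get("port")
        sniffing = inbound.get("sniffing") or {}
        settings = inbound.get("settings") or {}
        if sniffing.get("enabled"):
            overrides = ",".join(sniffing.get("destOverride") or []) or "none listed"
            findings.append((tag, "sniffing enabled (destOverride: %s)" % overrides))
        if settings.get("followRedirect"):
            findings.append((tag, "followRedirect enabled"))
    return findings


if __name__ == "__main__":
    for tag, finding in audit_dokodemo(SAMPLE_CONFIG):
        print("%s: %s" % (tag, finding))
```

Running it against an exported panel config shows which existing inbounds still need the setting changed, since the new default in the thread applies only to newly created inbounds.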