
Doesn't work with some https sites? #44

Closed
kiddyfurby opened this issue Sep 5, 2013 · 5 comments

Comments

@kiddyfurby

I use redsocks to redirect my traffic via an ssh -D connection on port 8080.
When I point my browser's proxy to router:8080, I can access the following sites.
When I leave my browser's proxy empty, the iptables rules should catch the connections and redirect them to redsocks on port 12345, then on to router:8080.

I can see that the connections are redirected to redsocks, but the sites don't load. Other https sites worked for me.

Sites are:
https://www.facebook.com/
https://plus.google.com

redsocks output for https://www.facebook.com/
1378343135.757457 redsocks.c:702 redsocks_accept_client(...) [192.168.1.149:50376->159.106.121.75:443]: accepted
1378343139.187509 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50376->159.106.121.75:443]: both client and server disconnected
1378343139.187628 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50376->159.106.121.75:443]: dropping client
1378343139.188126 redsocks.c:702 redsocks_accept_client(...) [192.168.1.149:50377->159.106.121.75:443]: accepted
1378343143.334325 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50334->173.194.72.84:443]: both client and server disconnected
1378343143.334468 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50334->173.194.72.84:443]: dropping client
1378343148.956355 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50322->173.194.127.81:443]: both client and server disconnected
1378343148.956559 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50322->173.194.127.81:443]: dropping client
1378343149.216688 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50335->74.125.128.132:443]: both client and server disconnected
1378343149.216807 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50335->74.125.128.132:443]: dropping client
1378343150.031977 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50337->74.125.235.160:443]: both client and server disconnected
1378343150.032156 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50337->74.125.235.160:443]: dropping client
1378343150.034353 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50338->74.125.128.120:443]: both client and server disconnected
1378343150.034469 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50338->74.125.128.120:443]: dropping client
1378343151.341934 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50340->74.125.128.189:443]: both client and server disconnected
1378343151.342049 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50340->74.125.128.189:443]: dropping client
1378343152.491525 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50343->74.125.31.100:443]: both client and server disconnected
1378343152.491705 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50343->74.125.31.100:443]: dropping client

@samos123

I'm having the same issue. Many https sites don't work while some do work. @kiddyfurby

https://www.google.com works, and searching for my IP shows that everything is working well.

Going to https://www.facebook.com in Firefox shows: Secure connection failed
Doing wget https://www.facebook.com shows: Unable to establish SSL connection.

I can provide more information as requested. These are my iptables rules:

iptables -t nat -S 
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N REDSOCKS
-A PREROUTING -i wlan0 -p tcp -j REDSOCKS
-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -o eth0 -j MASQUERADE
-A REDSOCKS -d my_socksproxy_server_ip -j RETURN
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 31338

iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-N UDP
-N fw-interfaces
-N fw-open
-A INPUT -i wlan0 -p udp -m udp --dport 31338 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 31338 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A TCP -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A TCP -s 192.168.60.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A UDP -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A fw-interfaces -i wlan0 -j ACCEPT

Related log (notice that 159.106.121.75 is Facebook HTTPS):
Sep 10 14:32:41 lemaker sslocal[2451]: 2015-09-10 14:32:41 INFO     connecting 216.58.221.35:80 from 127.0.0.1:33840
Sep 10 14:32:46 lemaker redsocks[2497]: [10.0.0.106:46401->159.106.121.75:443]: accepted
Sep 10 14:32:46 lemaker redsocks[2497]: [10.0.0.106:46401->159.106.121.75:443]: data relaying started
Sep 10 14:32:46 lemaker sslocal[2451]: 2015-09-10 14:32:46 INFO     connecting 159.106.121.75:443 from 127.0.0.1:33842
Sep 10 14:32:47 lemaker redsocks[2497]: [10.0.0.106:37337->63.245.217.162:443]: accepted
Sep 10 14:32:47 lemaker sslocal[2451]: 2015-09-10 14:32:47 INFO     connecting 63.245.217.162:443 from 127.0.0.1:33844
Sep 10 14:32:47 lemaker redsocks[2497]: [10.0.0.106:37337->63.245.217.162:443]: data relaying started
Sep 10 14:32:54 lemaker redsocks[2497]: [10.0.0.106:46401->159.106.121.75:443]: both client and server disconnected
Sep 10 14:32:54 lemaker redsocks[2497]: [10.0.0.106:46401->159.106.121.75:443]: dropping client
Sep 10 14:32:54 lemaker redsocks[2497]: [10.0.0.106:41780->159.106.121.75:443]: accepted
Sep 10 14:32:54 lemaker sslocal[2451]: 2015-09-10 14:32:54 INFO     connecting 159.106.121.75:443 from 127.0.0.1:33846
Sep 10 14:32:54 lemaker redsocks[2497]: [10.0.0.106:41780->159.106.121.75:443]: data relaying started
Sep 10 14:33:01 lemaker redsocks[2497]: [10.0.0.106:41780->159.106.121.75:443]: both client and server disconnected
Sep 10 14:33:01 lemaker redsocks[2497]: [10.0.0.106:41780->159.106.121.75:443]: dropping client
Sep 10 14:33:01 lemaker redsocks[2497]: [10.0.0.106:49450->159.106.121.75:443]: accepted
Sep 10 14:33:01 lemaker sslocal[2451]: 2015-09-10 14:33:01 INFO     connecting 159.106.121.75:443 from 127.0.0.1:33848
Sep 10 14:33:01 lemaker redsocks[2497]: [10.0.0.106:49450->159.106.121.75:443]: data relaying started
Sep 10 14:33:02 lemaker redsocks[2497]: [10.0.0.106:49450->159.106.121.75:443]: both client and server disconnected
Sep 10 14:33:02 lemaker redsocks[2497]: [10.0.0.106:49450->159.106.121.75:443]: dropping client
Sep 10 14:33:02 lemaker redsocks[2497]: [10.0.0.106:37023->159.106.121.75:443]: accepted
Sep 10 14:33:02 lemaker sslocal[2451]: 2015-09-10 14:33:02 INFO     connecting 159.106.121.75:443 from 127.0.0.1:33850
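Both logs in this thread (kiddyfurby's raw redsocks output above and samos123's syslog-prefixed one) show the same shape: the client is accepted, the session ends with "both client and server disconnected", and the same client immediately opens a fresh connection to the same destination:443, while connections to other hosts stay open. The following is an added example, not part of the thread or the redsocks project, that parses both log formats and pulls that retry loop out of a capture so the failing destination can be identified without reading every line. The log text embedded in it is constructed to match the posted formats, not a capture from either reporter's machine.

```python
import re
from datetime import datetime

# Constructed samples modelled on the two log formats posted in this thread
# (redsocks' own stderr format and the syslog-prefixed format). They are not
# captures from either reporter's machine.
RAW_SAMPLE = """\
1378343135.757457 redsocks.c:702 redsocks_accept_client(...) [192.168.1.149:50376->159.106.121.75:443]: accepted
1378343139.187509 redsocks.c:395 redsocks_shutdown(...) [192.168.1.149:50376->159.106.121.75:443]: both client and server disconnected
1378343139.187628 redsocks.c:332 redsocks_drop_client(...) [192.168.1.149:50376->159.106.121.75:443]: dropping client
1378343139.188126 redsocks.c:702 redsocks_accept_client(...) [192.168.1.149:50377->159.106.121.75:443]: accepted
"""

SYSLOG_SAMPLE = """\
Sep 10 14:32:46 lemaker redsocks[2497]: [10.0.0.106:46401->159.106.121.75:443]: accepted
Sep 10 14:32:46 lemaker redsocks[2497]: [10.0.0.106:46401->159.106.121.75:443]: data relaying started
Sep 10 14:32:47 lemaker redsocks[2497]: [10.0.0.106:37337->63.245.217.162:443]: accepted
Sep 10 14:32:47 lemaker redsocks[2497]: [10.0.0.106:37337->63.245.217.162:443]: data relaying started
Sep 10 14:32:54 lemaker redsocks[2497]: [10.0.0.106:46401->159.106.121.75:443]: both client and server disconnected
Sep 10 14:32:54 lemaker redsocks[2497]: [10.0.0.106:46401->159.106.121.75:443]: dropping client
Sep 10 14:32:54 lemaker redsocks[2497]: [10.0.0.106:41780->159.106.121.75:443]: accepted
Sep 10 14:33:01 lemaker redsocks[2497]: [10.0.0.106:41780->159.106.121.75:443]: both client and server disconnected
Sep 10 14:33:01 lemaker redsocks[2497]: [10.0.0.106:49450->159.106.121.75:443]: accepted
Sep 10 14:33:02 lemaker redsocks[2497]: [10.0.0.106:49450->159.106.121.75:443]: both client and server disconnected
Sep 10 14:33:02 lemaker redsocks[2497]: [10.0.0.106:37023->159.106.121.75:443]: accepted
"""

# The "[client:port->dst:port]: event" tail is common to both formats.
LINE_RE = re.compile(
    r"\[(?P<cip>[^:\]]+):(?P<cport>\d+)->(?P<dip>[^:\]]+):(?P<dport>\d+)\]: (?P<event>.+?)\s*$"
)
EPOCH_TS = re.compile(r"^(?P<ts>\d+\.\d+) ")                       # redsocks stderr
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")  # syslog


def parse_time(line):
    """Return a monotonic-enough float timestamp for either log format."""
    m = EPOCH_TS.match(line)
    if m:
        return float(m.group("ts"))
    m = SYSLOG_TS.match(line)
    if m:
        # syslog omits the year; deltas within one capture are still correct
        dt = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        return (dt - datetime(1900, 1, 1)).total_seconds()
    return None


def parse_line(line):
    m = LINE_RE.search(line)
    ts = parse_time(line)
    if not m or ts is None:
        return None
    return {"ts": ts, "client": f'{m["cip"]}:{m["cport"]}',
            "dst": f'{m["dip"]}:{m["dport"]}', "event": m["event"]}


def summarize(log_text, retry_gap=1.0):
    """Per destination: completed sessions, sessions still open at end of
    log, session durations, and 'retries' (an accept within retry_gap
    seconds of a disconnect to the same destination). A client whose TLS
    handshake keeps failing through the proxy shows up as a retry loop."""
    open_sessions = {}    # (client, dst) -> accept time
    last_disconnect = {}  # dst -> time of most recent disconnect
    stats = {}            # dst -> counters
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["dst"])
        s = stats.setdefault(rec["dst"],
                             {"completed": 0, "open": 0, "retries": 0, "durations": []})
        if rec["event"] == "accepted":
            open_sessions[key] = rec["ts"]
            prev = last_disconnect.get(rec["dst"])
            if prev is not None and rec["ts"] - prev <= retry_gap:
                s["retries"] += 1
        elif rec["event"] == "both client and server disconnected":
            start = open_sessions.pop(key, None)
            if start is not None:
                s["completed"] += 1
                s["durations"].append(rec["ts"] - start)
            last_disconnect[rec["dst"]] = rec["ts"]
    for (_client, dst) in open_sessions:
        stats[dst]["open"] += 1
    return stats


def flag_retry_loops(log_text, min_retries=2, retry_gap=1.0):
    """Destinations the client keeps reconnecting to right after a disconnect."""
    stats = summarize(log_text, retry_gap)
    return sorted(dst for dst, s in stats.items() if s["retries"] >= min_retries)


if __name__ == "__main__":
    for name, text in (("raw", RAW_SAMPLE), ("syslog", SYSLOG_SAMPLE)):
        print(name, flag_retry_loops(text), summarize(text))
```

Run it against a real capture by replacing the sample text with the contents of the redsocks log; a destination that is flagged while others stay open is the one to test next with `openssl s_client` through the same SOCKS proxy, which separates a redsocks relaying bug from a proxy-side reachability problem.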

@dista

dista commented Jul 20, 2016

I have the same issue. After some investigation I found that it is caused by the DNS resolver. The IP address resolved on the local machine cannot be connected to from the proxy server.

So I installed pdnsd as a DNS proxy on my local machine and used the -mto option (TCP only, so that it can be passed to my proxy server) to resolve DNS; then everything is OK, and now I can visit Facebook or YouTube.
Some notes: some domains can't be resolved by DNS over TCP (maybe the DNS server cannot find the domain); if that is the case, they can't be visited.

Hope that will help.
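dista's diagnosis turns on a property of transparent redirection that is easy to miss: after the iptables REDIRECT, redsocks learns only the original destination IP from the kernel (SO_ORIGINAL_DST), so the SOCKS5 CONNECT it sends to the proxy can only carry an IPv4 address, the one the client's own resolver picked. A proxy-aware client, like kiddyfurby's browser with the proxy configured, sends the hostname instead and lets the SOCKS server resolve it from its own network, which is why that path worked. The following is an added example, not part of the thread or of redsocks, that builds both forms of the CONNECT request (RFC 1928 section 4) and parses them the way the proxy side does, so the difference on the wire is visible; method negotiation is omitted, and the hostname and IP used are the ones from this thread.

```python
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def build_connect_request(host, port):
    """SOCKS5 CONNECT request (RFC 1928 section 4).

    A dotted-quad `host` yields ATYP=IPv4, which is all a transparent
    redirector can send: the kernel hands it only the original destination
    IP, already resolved by the client's resolver. A hostname yields
    ATYP=DOMAINNAME and defers resolution to the SOCKS server."""
    try:
        addr = socket.inet_aton(host)
        body = bytes([ATYP_IPV4]) + addr
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 DOMAINNAME")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(data):
    """Proxy-side view of the request. Returns (atyp, target, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        if len(data) != 4 + 4 + 2:
            raise ValueError("bad IPv4 request length")
        target, pos = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        if len(data) != 5 + n + 2:
            raise ValueError("bad DOMAINNAME request length")
        target, pos = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unsupported ATYP %#x" % atyp)
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return atyp, target, port


def proxy_action(data):
    """What the SOCKS server has to do with each form. With IPv4 it must
    connect to exactly the address the client chose; with DOMAINNAME it
    resolves the name itself, on its own network, before connecting."""
    atyp, target, port = parse_connect_request(data)
    if atyp == ATYP_IPV4:
        return "connect to client-resolved %s:%d" % (target, port)
    return "resolve %s on the proxy host, then connect to port %d" % (target, port)


if __name__ == "__main__":
    # Transparent path: redsocks only has the IP the LAN client resolved.
    transparent = build_connect_request("159.106.121.75", 443)
    # Proxy-aware path: the browser passes the name through untouched.
    explicit = build_connect_request("www.facebook.com", 443)
    for req in (transparent, explicit):
        print(req.hex(), "->", proxy_action(req))
```

This is also why dista's workaround helps: with a local resolver that speaks DNS over TCP, the lookups themselves can be carried through the same tunnel, so the IPv4 address redsocks ends up forwarding is one that the proxy's network can actually reach.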

@gilcu3

gilcu3 commented Apr 25, 2017

@dista could you explain how to use pdnsd and redsocks together? I think I am confronting the same issue: the proxy restricts some direct HTTPS connections to an IP, while not to a name.

@dista

dista commented Aug 11, 2017

@gilcu3 Sorry, I cannot remember the details now. I originally used redsocks with shadowsocks as a transparent proxy. Now I can achieve a transparent proxy with just shadowsocks-libev. My shadowsocks config files: https://github.com/dista/tools/tree/master/ss-ev-scripts

@darkk
Owner

darkk commented Feb 1, 2018

I'm not sure if the original issue was ever related to DNS.
There was some bug fixed between v0.4 and v0.5 that was caused by bad bufferevent juggling (I remember that I managed to reproduce it, but I don't remember the exact commit), so I'm closing this issue.
Please try v0.5 if you see issues with https.

@darkk darkk closed this as completed Feb 1, 2018