Some questions and suggestions #22

Closed
antonchen opened this issue Jan 22, 2018 · 8 comments

@antonchen

antonchen commented Jan 22, 2018

Note: My English is not good, so I am using machine translation.

  • Can I use Nginx to proxy to a URL?
    Like example.com/xxx/trojan, where example.com is a real web site.
    Advantages: with HTTPS transport only the domain is visible; the path is encrypted.
  • Would it be better to use WebSocket or QUIC?
    HTTP mostly uses short connections, and WebSocket or QUIC is more suitable for long connections.

PS: I do not have a deep understanding of networking; if there are any errors, please correct me.
PS2: QUIC uses UDP, which may be subject to QoS.

@klzgrad
Contributor

klzgrad commented Jan 22, 2018

example.com/xxx/trojan - you are trying to suggest using some part of the HTTP request as the authentication token. I think an HTTP header is more suitable for this purpose. In the new mode (in development) of the Trojan protocol we will use proxy-authorization for this.

WebSocket involves extra protocol round trips compared to HTTPS or raw TLS with no real benefits for tunneling. QUIC is a possible alternative transport to HTTP/2, but only after it is standardized, deployed in Chrome, and has server implementations.

@antonchen
Author

antonchen commented Jan 22, 2018

@klzgrad My point is: use example.com/xxx/trojan to hide trojan in a web site. With HTTPS the path is encrypted and cannot be obtained from outside; the GFW only knows example.com and does not know about trojan.
The purpose is not authentication, it is to hide trojan.

WebSocket was my error.

@klzgrad
Contributor

klzgrad commented Jan 22, 2018

example.com without auth header -> masquerade website

example.com with auth header -> proxy

This is all "content switching" or load balancing using part of the request as the key. The only difference is which part to use, the URL or a header.

@antonchen
Author

antonchen commented Jan 22, 2018

@klzgrad I understand.

About proxy-authorization:
Who will verify the proxy-authorization header?
What I'm worried about is: if an unauthenticated request uses the proxy-authorization header, what does trojan return?

@klzgrad
Contributor

klzgrad commented Jan 22, 2018

Verified by a Trojan server.

If unauthenticated, the Trojan server returns the masquerade website.

@antonchen
Author

@klzgrad

How is the masquerade website returned? If it is a 301 or 302, that forms a feature.

This seems to go back to my earliest question.

With the correct URL, the request goes to trojan, which checks proxy-authorization.
With the wrong URL, trojan can never be found.

The goal is to reduce trojan's connections with unknown requests.

So I think a custom URL is useful.

PS: Is there a telegraph group? My English is not good, so discussing is somewhat difficult.

@klzgrad
Contributor

klzgrad commented Jan 22, 2018

In Nginx's language,

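```nginx
server {
    ...
    # Default: requests without valid credentials go to the masquerade website.
    set $upstream "masquerade";
    # "aGVsbG86d29ybGQ=" is base64 for "hello:world".
    if ($http_proxy_authorization ~ "Basic aGVsbG86d29ybGQ=") {
        set $upstream "proxy";
    }

    location / {
        # "masquerade" and "proxy" must be defined as upstream blocks.
        proxy_pass http://$upstream;
    }
}
```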

This achieves the goal you defined too.
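The content-switching rule from the comment above, as an added example that is not part of the original thread or the Trojan project's code: a Python version of the routing decision that compares the header exactly and in constant time, and treats every failed case like an ordinary visitor so that no 301/302 or 407 marks the server. The function names and sample requests are constructed for illustration; the credential is the `hello:world` value from the Nginx snippet, and unlike the unanchored `~` regex there, the match here is exact.

```python
import hmac

# Credential from the Nginx snippet in this thread: base64("hello:world").
EXPECTED = b"Basic aGVsbG86d29ybGQ="


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into {name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue                               # malformed line: ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def select_upstream(raw: bytes) -> str:
    """Return "proxy" only for exactly one matching Proxy-Authorization header.

    Every other case (missing, wrong, duplicated, malformed) returns
    "masquerade", so a failed attempt gets the same response as an ordinary
    visitor: no 407, no 301/302, nothing that marks the server as a proxy.
    """
    values = parse_headers(raw).get(b"proxy-authorization", [])
    if len(values) != 1:
        return "masquerade"
    # Constant-time comparison, so response timing does not reveal how much
    # of the presented token matched.
    if hmac.compare_digest(values[0], EXPECTED):
        return "proxy"
    return "masquerade"


def request(extra: bytes = b"") -> bytes:
    """Build a constructed sample request; `extra` holds additional header lines."""
    return b"GET / HTTP/1.1\r\nHost: example.com\r\n" + extra + b"\r\n"


if __name__ == "__main__":
    print(select_upstream(request()))
    print(select_upstream(request(b"Proxy-Authorization: Basic aGVsbG86d29ybGQ=\r\n")))
    print(select_upstream(request(b"Proxy-Authorization: Basic d3Jvbmc6d3Jvbmc=\r\n")))
```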

@antonchen
Author

antonchen commented Jan 22, 2018

@klzgrad Got it, thanks for the answer. Look forward to the new version.
