
Nginx reverse proxy handshake failure #67

Closed
muweigg opened this issue Feb 21, 2019 · 24 comments

@muweigg muweigg commented Feb 21, 2019

Because port 443 has to serve other things as well, I put Nginx in front as a proxy.
The Trojan server listens on port 445; the Nginx snippet is:

server {
	listen 443 ssl;
	ssl on;
	ssl_certificate /etc/letsencrypt/live/www/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers HIGH:!aNULL:!MD5;
	server_name 我的域名;
	location / {
		proxy_pass http://127.0.0.1:445;
	}
}

Trojan server config:

{
	"run_type": "server",
	"local_addr": "0.0.0.0",
	"local_port": 445,
	"remote_addr": "127.0.0.1",
	"remote_port": 80,
	"password": [
		"@777m777w"
	],
	"log_level": 0,
	"ssl": {
		"cert": "/etc/letsencrypt/live/www/fullchain.pem",
		"key": "/etc/letsencrypt/live/www/privkey.pem",
		"key_password": "",
		"cipher": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
		"prefer_server_cipher": true,
		"alpn": [
			"http/1.1"
		],
		"reuse_session": true,
		"session_ticket": false,
		"session_timeout": 600,
		"plain_http_response": "",
		"curves": "",
		"dhparam": ""
	},
	"tcp": {
		"prefer_ipv4": false,
		"no_delay": true,
		"keep_alive": true,
		"fast_open": false,
		"fast_open_qlen": 20
	},
	"mysql": {
		"enabled": false,
		"server_addr": "127.0.0.1",
		"server_port": 3306,
		"database": "trojan",
		"username": "trojan",
		"password": ""
	}
}

Trojan client config:

{
	"run_type": "client",
	"local_addr": "127.0.0.1",
	"local_port": 1080,
	"remote_addr": "我的域名",
	"remote_port": 443,
	"password": [
		"@777m777w"
	],
	"append_payload": true,
	"log_level": 0,
	"ssl": {
		"verify": true,
		"verify_hostname": true,
		"cert": "www/fullchain.pem",
		"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RSA-AES128-GCM-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-SHA:RSA-AES256-SHA:RSA-3DES-EDE-SHA",
		"sni": "",
		"alpn": [
			"h2",
			"http/1.1"
		],
		"reuse_session": true,
		"session_ticket": false,
		"curves": ""
	},
	"tcp": {
		"no_delay": true,
		"keep_alive": true,
		"fast_open": false,
		"fast_open_qlen": 20
	}
}

The Trojan server keeps reporting a failed handshake:

[2019-02-21 16:48:54] [ERROR] 183.83.69.87:1653 SSL handshake failed: wrong version number
[2019-02-21 16:48:54] [INFO] 183.83.69.87:1653 disconnected, 0 bytes received, 0 bytes sent, lasted for 0 seconds

How should I configure the proxy forwarding?

@LimiQS LimiQS commented Feb 21, 2019

@muweigg You have misconfigured Trojan and Nginx. You should put Trojan BEFORE Nginx, not BEHIND. It should look like: Internet-Trojan-Nginx. Please let Trojan handle incoming TLS.

@muweigg muweigg commented Feb 21, 2019

@LimiQS Thanks for the reply, but I'm not a professional; how should I go about checking this?
Because if I use port 443 directly there is no problem at all, it's very stable.

@LimiQS LimiQS commented Feb 21, 2019

@muweigg Sorry I've made a mistake in understanding your description. Now I've corrected it and edited my reply. See #67 (comment)

@muweigg muweigg commented Feb 21, 2019

@LimiQS How should I configure it then? Nginx listens on port 443 and forwards URLs to applications on other local ports, something like location /site { proxy_pass http://127.0.0.1:7788; }

@muweigg muweigg commented Feb 21, 2019

@LimiQS Is it like this? My understanding is: Nginx listens on another port (555), the Trojan server config sets "remote_port": 555, and if Trojan receives a request in some other protocol it forwards it to Nginx. Is that right?

@LimiQS LimiQS commented Feb 21, 2019

@muweigg Yes.

@muweigg muweigg commented Feb 21, 2019

@LimiQS Thank you very much.

@muweigg muweigg commented Feb 21, 2019

@LimiQS Hello, now I have another problem. My Nginx also has a certificate configured and also needs a handshake, and when forwarding through Trojan I find that the handshake fails. I'm not very experienced; the Trojan server config is the one from the server.json-example sample, configured like this: "remote_addr": "域名", "remote_port": 555, but it fails. I don't know whether I'm using the config wrong or what. I noticed the examples also include a forward.json-example; should I be using that one?

@LimiQS LimiQS commented Feb 21, 2019

@muweigg As what Trojan forwarded is the content INSIDE TLS, you shall not configure Nginx SSL Extension on the corresponding port. Which means you should read and write plain HTTP data on port 555 in your case.

@muweigg muweigg commented Feb 21, 2019

@LimiQS Thanks for the reply, I roughly understand now.

@muweigg muweigg commented Feb 21, 2019

@LimiQS Really, thank you very much. It's configured and working now, awesome.

@cattyhouse cattyhouse commented Aug 3, 2019

@LimiQS

This is very interesting, if Trojan is to listen on 443, then I'm unable to run HTTPS websites on my server, is that true?

@LimiQS LimiQS commented Aug 3, 2019

@cattyhouse Yes, you can. While Trojan will handle the TLS layer, you can still handle HTTP/HTTPS content behind it with some web server. It just looks like a simple reverse proxy which adds TLS support to your web service.

@cattyhouse cattyhouse commented Aug 4, 2019

@LimiQS

If so, a simple lighttpd/darkhttpd or any other lightweight web server program running and listening on 80 is good enough for trojan to work?

@LimiQS LimiQS commented Aug 4, 2019

@GreaterFire GreaterFire commented Aug 4, 2019

@cattyhouse You can just set the server's remote_* to your (plain HTTP) web server and everything will work.

@cattyhouse cattyhouse commented Aug 4, 2019

Thanks. But how can I run vmess + ws + tls at the same time, you know, as a backup.

@GreaterFire GreaterFire commented Aug 4, 2019

@cattyhouse Trojan (for TLS termination) - NGINX WS - Vmess

@cattyhouse cattyhouse commented Aug 4, 2019

@greatfire

So I add a location like this?

server {
    listen 80;
    .....
    location /v2ray {
        ...
    }
}

@GreaterFire GreaterFire commented Aug 4, 2019

@cattyhouse I'm @GreaterFire. Also, we Trojan-GFW don't provide generic tech support. Sorry and thank you for your understanding.

@GreaterFire GreaterFire commented Aug 4, 2019

@cattyhouse but you are mostly right.
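The layering the maintainers describe in this thread (Internet → Trojan terminating TLS on 443 → Nginx speaking plain HTTP → the site and the vmess/ws backend), written out as one Nginx server block. This is an added example, not a config taken from the thread or from the trojan-gfw project. It assumes the Trojan server.json shown at the top of the issue, with `local_port` moved to 443 and `remote_addr`/`remote_port` left at `127.0.0.1`/`80` so that Trojan hands decrypted traffic to this block; the `/site` backend on `127.0.0.1:7788` comes from the thread, while the `/v2ray` backend on `127.0.0.1:10000`, the host name and the document root are placeholders for your environment. The original `wrong version number` error came from the opposite layering: Nginx's `proxy_pass http://` delivered already-decrypted HTTP bytes to Trojan, which was waiting for a TLS record.

```nginx
# Added example: plain-HTTP server block that sits BEHIND Trojan.
# Trojan (run_type "server") listens on 443, terminates TLS, and forwards the
# decrypted byte stream to remote_addr/remote_port = 127.0.0.1:80, i.e. here.
# No ssl_* directives: what arrives on this socket is already plaintext.
server {
    # Bind to loopback only, so the plaintext port is not reachable from the
    # Internet; the only way in is through Trojan's TLS listener on 443.
    listen 127.0.0.1:80;
    server_name example.com;      # assumption: replace with the real host name

    # Ordinary web content, so a browser that simply visits the host gets a
    # normal page back from the same 443 endpoint.
    root /var/www/html;           # assumption: any static site root
    index index.html;

    # The application that used to be proxied from the 443 vhost (port 7788
    # is the one quoted earlier in the thread).
    location /site {
        proxy_pass http://127.0.0.1:7788;
        proxy_set_header Host $host;
    }

    # WebSocket path for a vmess+ws backend. It is plain ws:// here because
    # Trojan already stripped TLS, so "vmess + ws + tls" still holds end to end.
    location /v2ray {
        proxy_pass http://127.0.0.1:10000;   # assumption: v2ray ws inbound port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 300s;
    }
}
```

Check it with `nginx -t` and then, on the server itself, `curl -s http://127.0.0.1/`: the page must come back over plain HTTP on loopback, and from outside only port 443 (Trojan) should answer. Once the TLS ClientHello reaches Trojan first, the `SSL handshake failed: wrong version number` lines in Trojan's log stop, because Trojan no longer receives decrypted HTTP from Nginx.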

@cattyhouse cattyhouse commented Aug 4, 2019

Thank you very much. Sorry for the typo

@xixiri xixiri commented Sep 20, 2019

@LimiQS Really, thank you very much. It's configured and working now, awesome.

Could you paste your configuration? I've run into this problem too.

@AaG7xNnrgbzeyqc5woPS AaG7xNnrgbzeyqc5woPS commented Nov 5, 2019

@cattyhouse You can just set the server's remote_* to your (plain HTTP) web server and everything will work.

Great! These words should be written into Trojan's FAQ.
