1.1-beta9: cannot open web pages when using the trojan protocol
Welcome
- [X] Yes, I'm using the latest major release. Only such installations are supported.
- [X] Yes, I'm using the latest Golang release. Only such installations are supported.
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
- [X] Yes, I've included all information below (version, config, log, etc).
Description of the problem
The log looks completely normal, but the browser cannot open any web page; all traffic is reset.
Version of sing-box
sing-box version 1.1-beta9
Environment: go1.19.1 linux/amd64
Tags: with_quic,with_grpc,with_acme,with_clash_api,with_wireguard,with_shadowsocksr,with_ech,with_utls,with_gvisor,with_lwip
Revision: 39c141651a145ebf4406b07cafe887978022471e
CGO: enabled
Server and client configuration file
```json
{
  "log": {
    "disabled": false,
    "level": "info",
    "output": "",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "cloudflare",
        "address": "https://1.1.1.1/dns-query"
      },
      {
        "tag": "self",
        "address": "local",
        "detour": "direct-out"
      }
    ],
    "rules": [
      {
        "inbound": [
          "mixed-in"
        ],
        "domain_keyword": [
          "bilibili.com",
          "hdslb.com",
          "akamaized.net",
          "szbdyd.com",
          "b23.tv"
        ],
        "geosite": [
          "geolocation-!cn",
          "greatfire",
          "bilibili",
          "telegram"
        ],
        "server": "cloudflare"
      },
      {
        "inbound": [
          "mixed-in"
        ],
        "domain_keyword": [
          "monitor.uu.qq.com",
          "pingjs.qq.com",
          "pingma.qq.com",
          "pingtcss.qq.com",
          "mi.gdt.qq.com",
          "qq.com",
          "api.mixpanel.com"
        ],
        "geosite": [
          "category-ads",
          "category-ads-all",
          "google-ads"
        ],
        "domain_regex": [
          "^adservice.google.([a-z]{2}|com?)(.[a-z]{2})?$"
        ],
        "server": "self"
      }
    ],
    "final": "cloudflare",
    "strategy": "prefer_ipv6",
    "disable_cache": true,
    "disable_expire": true
  },
  "outbounds": [
    {
      "type": "trojan",
      "tag": "trojan-out",
      "server": "xxx.xxx.xxx",
      "server_port": 443,
      "password": "abcd",
      "tls": {
        "enabled": true,
        "disable_sni": false,
        "server_name": "xxx.xxx.xxx",
        "insecure": false,
        "alpn": [
          "http/2"
        ],
        "min_version": "1.2",
        "max_version": "1.3",
        "cipher_suites": [
          "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_WITH_AES_256_CBC_SHA",
          "TLS_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_AES_128_GCM_SHA256",
          "TLS_AES_256_GCM_SHA384",
          "TLS_CHACHA20_POLY1305_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
        ],
        "utls": {
          "enabled": false,
          "fingerprint": "chrome"
        }
      },
      "multiplex": {
        "enabled": false,
        "protocol": "smux",
        "max_connections": 30,
        "min_streams": 4,
        "max_streams": 0
      },
      "transport": {
        "type": "ws",
        "path": "/yyy"
      },
      "connect_timeout": "5s",
      "tcp_fast_open": true,
      "udp_fragment": false,
      "domain_strategy": "prefer_ipv6",
      "fallback_delay": "100ms"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    },
    {
      "type": "block",
      "tag": "block-out"
    },
    {
      "type": "direct",
      "tag": "direct-out",
      "connect_timeout": "5s",
      "tcp_fast_open": false,
      "udp_fragment": false,
      "domain_strategy": "prefer_ipv6",
      "fallback_delay": "100ms"
    }
  ],
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 1080,
      "tcp_fast_open": false,
      "udp_fragment": false,
      "sniff": true,
      "proxy_protocol": true,
      "proxy_protocol_accept_no_header": true,
      "set_system_proxy": false
    }
  ],
  "route": {
    "geoip": {
      "path": "geoip.db"
    },
    "geosite": {
      "path": "geosite.db"
    },
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "inbound": [
          "mixed-in"
        ],
        "domain_keyword": [
          "bilibili.com",
          "hdslb.com",
          "akamaized.net",
          "szbdyd.com",
          "b23.tv"
        ],
        "geosite": [
          "geolocation-!cn",
          "greatfire",
          "bilibili",
          "telegram"
        ],
        "outbound": "trojan-out"
      },
      {
        "inbound": [
          "mixed-in"
        ],
        "domain_keyword": [
          "monitor.uu.qq.com",
          "pingjs.qq.com",
          "pingma.qq.com",
          "pingtcss.qq.com",
          "mi.gdt.qq.com",
          "qq.com",
          "api.mixpanel.com"
        ],
        "domain_regex": [
          "^adservice.google.([a-z]{2}|com?)(.[a-z]{2})?$"
        ],
        "outbound": "block-out"
      }
    ],
    "final": "trojan-out",
    "auto_detect_interface": true
  }
}
```
Server and client log file
```
+0800 2022-10-08 15:04:17 INFO [558707430] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:40704
+0800 2022-10-08 15:04:17 INFO [558707430] inbound/mixed[mixed-in]: inbound connection to www.baidu.com:80
+0800 2022-10-08 15:04:17 INFO [558707430] outbound/trojan[trojan-out]: outbound connection to www.baidu.com:80
+0800 2022-10-08 15:04:17 INFO [558707430] dns: lookup succeed for xxx.xxx.xxx
```
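Is it possible that you've been blocked by the firewall (?

> Is it possible that you've been blocked by the firewall (?

No. It worked immediately after switching back to the old version. Is the new version being precisely identified before it even connects?

> Is it possible that you've been blocked by the firewall (?
>
> No. It worked immediately after switching back to the old version. Is the new version being precisely identified before it even connects?

It still works normally on iOS, while the computer cannot connect with version 1.1-beta9. I also tested using an overseas VPS as the client, and it could not connect either...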
Cannot reproduce. Please provide a minimal reproducing configuration.
The configuration is as follows:

```json
{
  "log": {
    "disabled": false,
    "level": "info",
    "timestamp": true
  },
  "outbounds": [
    {
      "type": "trojan",
      "tag": "trojan-out",
      "server": "xxx.xxx.xxx",
      "server_port": 443,
      "password": "password",
      "tls": {
        "enabled": true,
        "disable_sni": false,
        "server_name": "xxx.xxx.xxx",
        "insecure": false,
        "alpn": [
          "http/2"
        ]
      },
      "transport": {
        "type": "ws",
        "path": "/path",
        "headers": {
          "Host": "xxx.xxx.xxx"
        },
        "max_early_data": 4096,
        "early_data_header_name": "Sec-WebSocket-Protocol"
      },
      "connect_timeout": "5s",
      "tcp_fast_open": true,
      "udp_fragment": false,
      "domain_strategy": "prefer_ipv6",
      "fallback_delay": "100ms"
    }
  ],
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 1080,
      "tcp_fast_open": false,
      "udp_fragment": false,
      "sniff": true,
      "proxy_protocol": true,
      "proxy_protocol_accept_no_header": true,
      "set_system_proxy": false
    }
  ]
}
```
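Also, I found that after turning off the tcp_fast_open option, browser pages open again. tcp_fast_open is enabled on the server.
The log is incomplete. Also check whether your system supports TFO.
I ran into a similar TFO problem: the CentOS 8 kernel has TFO enabled, the server program has the tcp_fast_open parameter enabled, and nginx is used as a reverse proxy with fastopen=256 already added after nginx's listen, but a packet capture shows that no TFO cookie is actually attached.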
@pmkol Have you set net.ipv4.tcp_fastopen = 3 on your server?
What OS is your client on? If it's Windows, have you tried to disable the fallback logic as mentioned in shadowsocks/shadowsocks-libev#1965?
Note that on Windows 11 22H2, even if you disable fallback, TFO may still not work. That's just how it is. If you really want TFO to work, I recommend using a recent version of the Linux kernel on both ends.
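The net.ipv4.tcp_fastopen = 3 parameter is enabled, and I have verified by command that the value 3 is in effect. I am using the trojan protocol rather than shadowsocks. In my configuration I have disabled sing-box's TLS encryption and use nginx as the front end for TLS encryption, with the h2 protocol. My client is not Windows; it is a router running xray with the fastopen option enabled. To verify this problem I also used the Shadowrocket client on iOS with fastopen enabled, but the packet capture shows that TFO still did not take effect.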
- Is the cookie request option present in your captured SYN packet?
- Once again, what OS and kernel version is your router on?
- Maybe you should report your issue to Xray, not here.
- Using proprietary software like ShadowRocket doesn't prove anything.
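
One way to answer the first question above from a capture, added here as an example and not taken from sing-box, tfo-go or any participant in this thread: walk the TCP options of the SYN and report whether the Fast Open option (kind 34, RFC 7413) is absent, an empty cookie request, or a cookie. The names `tfoInSYN` and `syn` and the sample headers are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

const tcpOptFastOpen = 34 // TCP Fast Open option kind (RFC 7413)

// tfoInSYN walks the options of a raw TCP header with the SYN bit set and
// returns "absent", "cookie-request" (empty option, length 2) or "cookie".
func tfoInSYN(tcp []byte) (string, error) {
	if len(tcp) < 20 || tcp[13]&0x02 == 0 {
		return "", errors.New("not a TCP SYN header")
	}
	hdrLen := int(tcp[12]>>4) * 4 // data offset is counted in 32-bit words
	if hdrLen < 20 || hdrLen > len(tcp) {
		return "", errors.New("bad data offset")
	}
	for opts := tcp[20:hdrLen]; len(opts) > 0 && opts[0] != 0; {
		if opts[0] == 1 { // NOP padding has no length byte
			opts = opts[1:]
			continue
		}
		if len(opts) < 2 || opts[1] < 2 || int(opts[1]) > len(opts) {
			return "", errors.New("malformed option")
		}
		if opts[0] == tcpOptFastOpen {
			if opts[1] == 2 {
				return "cookie-request", nil
			}
			return "cookie", nil
		}
		opts = opts[opts[1]:]
	}
	return "absent", nil
}

// syn builds a constructed SYN header (ports 40704 -> 443) around opts,
// whose length must be a multiple of 4. Sample data only.
func syn(opts ...byte) []byte {
	return append([]byte{0x9f, 0, 0x01, 0xbb, 0, 0, 0, 0, 0, 0, 0, 0,
		byte(5+len(opts)/4) << 4, 0x02, 0xfa, 0xf0, 0, 0, 0, 0}, opts...)
}

func main() {
	// First SYN carries MSS only; second carries MSS, NOP, NOP, empty TFO option.
	for _, p := range [][]byte{syn(2, 4, 5, 0xb4), syn(2, 4, 5, 0xb4, 1, 1, 34, 2)} {
		fmt.Println(tfoInSYN(p))
	}
}
```

A SYN reported as "absent" means the client side never asked for a cookie, so the server's sysctl and listener settings are not yet being exercised.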
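The cookie request option is not present in the captured SYN packet. I can't respond to the other three questions for now; I can give feedback later once I have the time and energy to test.
For now I have turned off the TFO option, because with H2 connections it makes little difference whether TFO is enabled.
One question: does the "tcp_fast_open": true parameter apply only to listening for clients, or in other words, does it only take effect on the connection between the client and the sing-box server? With TFO enabled, if the client did not connect to the sing-box server using TFO, does sing-box's connection to the website still use TFO?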
I'm not familiar with sing-box's configuration. I'm only here because sing-box uses my tfo-go library for TFO support.
Nginx has to be recompiled to support TFO, as I recall.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days