In transparent routing mode some sites fail with curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection
I set up a transparent proxy using GID-based split routing. Visiting some websites gives curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection, while others work normally. If I bypass the transparent proxy and connect to the same VPS directly with Shadowrocket (小火箭), the sites that fail load fine. Has anyone else run into this?

```jsonc
{
  "log": {
    "access": "/usr/share/access.log", // access log
    "error": "/usr/share/error.log",   // error log
    "loglevel": "warning"              // from least to most output: "none", "error", "warning", "info", "debug"
  },
  // 2_DNS settings
  "dns": {
    "servers": [
      // 2.1 Foreign domains are resolved with a foreign DNS server
      {
        "address": "1.1.1.1",
        "domains": ["geosite:geolocation-!cn"]
      },
      // 2.2 Domestic domains are resolved with a domestic DNS server; a domestic IP is expected,
      //     otherwise the answer is discarded and the next server is tried
      {
        "address": "223.5.5.5",
        "domains": ["geosite:cn"],
        "expectIPs": ["geoip:cn"]
      },
      // 2.3 Backup for 2.2: a second lookup for domestic sites
      {
        "address": "114.114.114.114",
        "domains": ["geosite:cn"]
      },
      // 2.4 Last resort: if all of the above fail, use the local DNS
      "localhost"
    ]
  },
  "routing": {
    "domainStrategy": "IPOnDemand",
    "rules": [
      // 3.1 Block ad domains
      //{
      //  "type": "field",
      //  "domain": ["geosite:category-ads-all"],
      //  "outboundTag": "block"
      //},
      // 3.2 Domestic domains go direct
      {
        "type": "field",
        "domain": ["geosite:cn"],
        "outboundTag": "direct"
      },
      // 3.3 Domestic IPs go direct
      {
        "type": "field",
        "ip": ["geoip:cn", "geoip:private"],
        "outboundTag": "direct"
      },
      // 3.4 Foreign domains go through the proxy
      {
        "type": "field",
        "domain": ["geosite:geolocation-!cn"],
        "outboundTag": "proxy"
      }
      // 3.5 Default rule
    ]
  },
  // 4_Inbound settings
  "inbounds": [
    {
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    }
  ],
  // 5_Outbound settings
  "outbounds": [
    // 5.1 Default: forward to the VPS
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "",
            "port": 443,
            "users": [
              {
                "id": "",
                "flow": "xtls-rprx-splice",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "xtls",
        "xtlsSettings": {
          "serverName": "*******"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    },
    {
      "tag": "block",
      "protocol": "blackhole"
    }
  ]
}
```
Example of a failed request:

```
» curl https://www.cloudoracle.com/ -v
*   Trying 34.102.136.180:443...
* Connected to www.cloudoracle.com (34.102.136.180) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.cloudoracle.com:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.cloudoracle.com:443
```
Google works:

```
» curl https://www.google.com -v
*   Trying 142.250.199.100:443...
* Connected to www.google.com (142.250.199.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Mar 17 11:49:13 2022 GMT
*  expire date: Jun  9 11:49:12 2022 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fb920811e00)
> GET / HTTP/2
> Host: www.google.com
> user-agent: curl/7.77.0
> accept: */*
>
< HTTP/2 302
< location: https://www.google.com.hk/url?sa=p&hl=zh-CN&pref=hkredirect&pval=yes&q=https://www.google.com.hk/&ust=1649135377388575&usg=AOvVaw2YJ-pCIUFOBwTwYteIKoVC
< cache-control: private
< content-type: text/html; charset=UTF-8
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Tue, 05 Apr 2022 05:09:07 GMT
< server: gws
< content-length: 372
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: 1P_JAR=2022-04-05-05; expires=Thu, 05-May-2022 05:09:07 GMT; path=/; domain=.google.com; Secure
< set-cookie: AEC=AVQQ_LCUxjUQxtz2QlgfZguCsrPqJa7SQVGxhwYWUj8Vp4jrcyoOqjBUQXE; expires=Sun, 02-Oct-2022 05:09:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< set-cookie: NID=511=bltavrCeDSN_6H4I_bQSpC8Pa_e42WqoQQDP8xSieuBUDBVmHpbHR6NayhE4ggJhm6PS8ljR0xC6JlXX1jYqlduZSnzK72izSYQPTb62MVn7XHqToQ_5EJTDPFGFs0DtanNmTXgh3kob--J23tgtjR7AliDDww8wynTAPCOeyU0; expires=Wed, 05-Oct-2022 05:09:07 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
302 Moved
The document has moved here.
```
#2092
Where are the logs? And what is your server-side config?
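The routing section of the config in the original post decides which outbound a connection takes, and the first thing to establish when one host fails and another works is whether they are even taking the same path. The following is an added example, not code from the issue author or from the Xray/V2Ray project: a small dry-run of the poster's three active rules under the documented rule semantics (rules evaluated in order; `geosite:` entries match a domain and its subdomains; `domain:`, `full:`, `regexp:` and plain-substring patterns; `IPOnDemand` resolves the domain the first time an IP rule is reached; no match falls through to the first outbound). The geosite/geoip tables and the resolver answers are tiny constructed stand-ins, not the real data files, so a result for a given host may differ with the real lists.

```python
"""Dry-run of the routing rules from the issue's config (added example, not Xray code)."""
import ipaddress
import re

# Constructed stand-ins for the geosite/geoip databases: tiny samples, not the real data files.
GEOSITE = {
    "cn": {"baidu.com", "taobao.com"},
    "geolocation-!cn": {"google.com", "github.com"},
}
GEOIP = {
    "cn": ["223.0.0.0/8", "114.114.114.0/24"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"],
}

# The active rules from the issue's config, in evaluation order (the commented-out ads rule omitted).
RULES = [
    {"type": "field", "domain": ["geosite:cn"], "outboundTag": "direct"},
    {"type": "field", "ip": ["geoip:cn", "geoip:private"], "outboundTag": "direct"},
    {"type": "field", "domain": ["geosite:geolocation-!cn"], "outboundTag": "proxy"},
]
OUTBOUNDS = [{"tag": "proxy"}, {"tag": "direct"}, {"tag": "block"}]

# Constructed resolver answers for the dry run; the first two IPs are the ones in the curl output above.
FAKE_DNS = {
    "www.google.com": "142.250.199.100",
    "www.cloudoracle.com": "34.102.136.180",
    "shop.example.cn": "223.1.2.3",
}


def _suffix_match(domain: str, base: str) -> bool:
    """True if `domain` is `base` itself or a subdomain of it."""
    return domain == base or domain.endswith("." + base)


def domain_matches(pattern: str, domain: str) -> bool:
    """Match one entry of a rule's `domain` list using the V2Ray pattern prefixes."""
    domain = domain.lower().rstrip(".")
    if pattern.startswith("geosite:"):
        return any(_suffix_match(domain, d) for d in GEOSITE.get(pattern[8:], ()))
    if pattern.startswith("full:"):
        return domain == pattern[5:]
    if pattern.startswith("domain:"):
        return _suffix_match(domain, pattern[7:])
    if pattern.startswith("regexp:"):
        return re.search(pattern[7:], domain) is not None
    return pattern in domain  # plain string: substring match


def ip_matches(pattern: str, ip: str) -> bool:
    """Match one entry of a rule's `ip` list: `geoip:<tag>` or a literal CIDR."""
    addr = ipaddress.ip_address(ip)
    cidrs = GEOIP.get(pattern[6:], ()) if pattern.startswith("geoip:") else [pattern]
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _rule_matches(rule, domain, ip, resolve, strategy):
    """All conditions in a rule must hold. Returns (matched, ip) so a resolved IP is kept."""
    if "domain" in rule:
        if domain is None or not any(domain_matches(p, domain) for p in rule["domain"]):
            return False, ip
    if "ip" in rule:
        # IPOnDemand: resolve the domain the first time an IP rule is reached.
        if ip is None and strategy == "IPOnDemand" and domain and resolve:
            ip = resolve(domain)
        if ip is None or not any(ip_matches(p, ip) for p in rule["ip"]):
            return False, ip
    return True, ip


def route(domain=None, ip=None, resolve=None, strategy="IPOnDemand",
          rules=RULES, outbounds=OUTBOUNDS):
    """Return (outboundTag, reason) for a connection to the given destination.

    Supports domainStrategy "AsIs" (never resolve), "IPOnDemand" (resolve at the
    first IP rule) and "IPIfNonMatch" (resolve only after no rule matched).  When
    nothing matches, V2Ray/Xray use the first outbound, which in this config is "proxy".
    """
    for attempt in range(2):
        for idx, rule in enumerate(rules):
            matched, ip = _rule_matches(rule, domain, ip, resolve, strategy)
            if matched:
                kind = "domain" if "domain" in rule else "ip"
                return rule["outboundTag"], f"rule {idx} ({kind})"
        if attempt == 0 and strategy == "IPIfNonMatch" and ip is None and domain and resolve:
            ip = resolve(domain)  # second pass with the resolved IP
            continue
        break
    return outbounds[0]["tag"], "no rule matched, first outbound"


if __name__ == "__main__":
    for host in FAKE_DNS:
        print(f"{host:25} -> {route(host, resolve=FAKE_DNS.get)}")
    print(f"{'192.168.1.5 (no domain)':25} -> {route(ip='192.168.1.5')}")
```

Under these sample lists www.cloudoracle.com matches no rule and falls through to the first outbound, so it ends up on the same `proxy` outbound as www.google.com; if that also holds with the real geosite data, rule ordering is not what separates the working and failing hosts. The access log named in the config records the outbound tag chosen for each connection, which is the quickest way to confirm the real decision, and is what the reply above asks for.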