Traffic leaking after reverse-proxying CF IPs via SNI: a question

  • Record the JA3 and check whether it belongs to a browser.

  • @yellowsix #10 Found it: it's a haproxy configuration problem. After checking the logs I found that a large number of requests not in the whitelist passed the ACL check, and I still haven't figured out why.
    The backend is cloudflare1; if a request had been blocked successfully it should show as https_frontend/<NOSRV>

    Apr 17 01:16:14 vm41583 haproxy[143644]: 27.187.224.182:23691 [17/Apr/2024:01:16:14.185] https_frontend default_https/cloudflare1 4/1/758 5459 -- 12/12/11/11/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
    Apr 17 01:16:14 vm41583 haproxy[143644]: 27.187.224.182:23692 [17/Apr/2024:01:16:14.256] https_frontend default_https/cloudflare1 20/1/714 5459 -- 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
    Apr 17 01:16:15 vm41583 haproxy[143644]: 27.187.224.182:23693 [17/Apr/2024:01:16:15.008] https_frontend default_https/cloudflare1 9/1/736 5465 -- 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
    Apr 17 01:16:18 vm41583 haproxy[143644]: 27.187.224.182:23694 [17/Apr/2024:01:16:17.365] https_frontend default_https/cloudflare1 5/1/689 5457 -- 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
    Apr 17 01:16:19 vm41583 haproxy[143644]: 27.187.224.182:23697 [17/Apr/2024:01:16:18.275] https_frontend default_https/cloudflare1 7/1/726 5455 -- 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
    Apr 17 01:16:20 vm41583 haproxy[143644]: 27.187.224.182:23643 [17/Apr/2024:01:15:28.911] https_frontend default_https/cloudflare1 4/1/51203 12964 cD 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
    Apr 17 01:16:20 vm41583 haproxy[143644]: 27.187.224.182:23699 [17/Apr/2024:01:16:20.269] https_frontend default_https/cloudflare1 2/1/712 5459 -- 12/12/11/11/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
    

    But when I test with a random SNI myself, it gets blocked normally. This is bizarre.

    ~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
    curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
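
A defender-side check for the log pattern in this post, added here as an example and not code from the thread: it parses the haproxy tcp-mode access lines shown above and lists every connection that reached a real server with an empty SNI or with an SNI outside an allowlist. The allowlist zone `example.com` and the last two sample log lines are constructed.

```python
import re

# Matches the tcp-mode haproxy access line shown in the thread:
# "client:port [ts] frontend backend/server Tw/Tc/Tt bytes term conns queue SNI=..."
# search() is used so the syslog prefix (date, host, pid) is simply skipped.
LOG_RE = re.compile(
    r'(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ \[[^\]]+\] \S+ '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) [-\d/]+ (?P<bytes>\d+) \S+ '
    r'[-\d/]+ [-\d/]+ SNI="(?P<sni>[^"]*)"'
)

def sni_allowed(sni, zones):
    """True if the SNI equals an allowed zone or is a subdomain of one (case-insensitive)."""
    s = sni.lower().rstrip(".")
    return any(s == z or s.endswith("." + z) for z in zones)

def audit(lines, zones):
    """Return (client_ip, sni, server, reason) for every connection that was
    forwarded to a real server although its SNI should not have passed the ACL."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not an access line
        if m["server"] == "<NOSRV>":
            continue                      # rejected by the ACL, nothing was proxied
        sni = m["sni"]
        if sni == "":
            reason = "empty SNI forwarded"
        elif not sni_allowed(sni, zones):
            reason = "SNI outside allowlist forwarded"
        else:
            continue
        findings.append((m["ip"], sni, m["server"], reason))
    return findings

# Two lines copied from the thread plus two constructed ones: an allowed
# zone that must not be reported, and a connection the ACL rejected (<NOSRV>).
SAMPLE = [
    'Apr 17 01:16:14 vm41583 haproxy[143644]: 27.187.224.182:23691 [17/Apr/2024:01:16:14.185] https_frontend default_https/cloudflare1 4/1/758 5459 -- 12/12/11/11/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"',
    '222.222.222.222:4910 [16/Apr/2024:18:39:52.046] https_frontend default_https/cloudflare2 2/5/148 4830 -- 2/2/1/0/0 0/0 SNI=""',
    '198.51.100.7:40001 [17/Apr/2024:01:20:00.000] https_frontend default_https/cloudflare1 3/1/500 4000 -- 1/1/0/0/0 0/0 SNI="www.example.com"',
    '198.51.100.8:40002 [17/Apr/2024:01:20:01.000] https_frontend https_frontend/<NOSRV> -1/-1/2 0 PR 1/1/0/0/0 0/0 SNI="random.invalid"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["example.com"]):
        print(finding)
```

Run it against the real log (for example `journalctl -u haproxy | python3 audit.py`-style piping adapted to read stdin) and every reported line is a connection that bypassed the SNI gate.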
    
  • @baiiylu #12
    Try adding -servername example.com; what you have there isn't SNI

  • @SKIDROW #13 I've been testing this way all along, and it turns out to be wrong
    Haha, after adding servername it goes straight through; my blood pressure is rising

    baiiylu@baiiylu:~$ curl --tls-max 1.2 https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com" -servername 123.example.com -v
    * Added example.com:443:123.123.123.123 to DNS cache
    *   Trying 123.123.123.123:443...
    * Connected to 123.123.123.123 (123.123.123.123) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS header, Finished (20):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS header, Finished (20):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=www.cloudflare.com
    *  start date: Apr  5 17:10:16 2024 GMT
    *  expire date: Jul  4 17:10:15 2024 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=E1
    *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
    * Using HTTP2, server supports multiplexing
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * TLSv1.2 (OUT), TLS header, Supplemental data (23):
    * TLSv1.2 (OUT), TLS header, Supplemental data (23):
    * TLSv1.2 (OUT), TLS header, Supplemental data (23):
    * Using Stream ID: 1 (easy handle 0x561535446eb0)
    * TLSv1.2 (OUT), TLS header, Supplemental data (23):
    > GET / HTTP/2
    > Host: example.com
    > user-agent: curl/7.81.0
    > accept: */*
    > referer: rvername
    >
    * TLSv1.2 (IN), TLS header, Supplemental data (23):
    * TLSv1.2 (OUT), TLS header, Supplemental data (23):
    * TLSv1.2 (IN), TLS header, Supplemental data (23):
    * TLSv1.2 (IN), TLS header, Supplemental data (23):
    < HTTP/2 403
    < server: cloudflare
    < date: Tue, 16 Apr 2024 17:38:25 GMT
    < content-type: text/html
    < content-length: 151
    < cf-ray: 879a65d2-FRA
    <
    * TLSv1.2 (IN), TLS header, Supplemental data (23):
    <html>
    <head><title>403 Forbidden</title></head>
    <body>
    <center><h1>403 Forbidden</h1></center>
    <hr><center>cloudflare</center>
    </body>
    </html>
    * Connection #0 to host 123.123.123.123 left intact
    * RESOLVE example.com:443 is - old addresses discarded!
    * Added example.com:443:123.123.123.123 to DNS cache
    * Could not resolve host: 123.example.com
    * Closing connection 1
    

    And I just noticed another problem: if I run the same curl several times, one or two attempts succeed. I don't understand it

    baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
    curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
    baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
    curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
    baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
    curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
    baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
    curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
    baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
    <html>
    <head><title>403 Forbidden</title></head>
    <body>
    <center><h1>403 Forbidden</h1></center>
    <hr><center>cloudflare</center>
    </body>
    </html>
    

    Also, the backend log doesn't record any SNI at all; even with -servername in curl, haproxy still doesn't get any SNI. This may be a problem with how I wrote my SNI capture config:

    222.222.222.222:4910 [16/Apr/2024:18:39:52.046] https_frontend default_https/cloudflare2 2/5/148 4830 -- 2/2/1/0/0 0/0 SNI=""
    
  • Don't you also have to change this cloudflare1 IP frequently?

  • @bugger #15 Not often, I've been using it all along; this machine is overseas

  • @baiiylu #16
    But I feel you could go a couple of rounds with GPT-4 on this technical problem..

    By the way, may I ask: with a setup like yours, is any configuration needed on the CF side? The jump host reverse-proxies CF, so how does CF forward the request on to the origin server?

  • @bugger #17 I only came to ask on the forum because GPT-4 couldn't answer it....
    gpt4: The problem you're encountering is interesting, there are several possible causes: xxxx. But none of them apply, very vague

    haproxy works just like an nginx reverse proxy, the principle is the same, but haproxy can reverse-proxy in TCP mode, so no extra certificate configuration is needed

  • Although I'm not reverse-proxying CF, I've also set up a reverse proxy with SNI verification. I use this project, give it a try?

  • That means you didn't succeed
