Log the JA3 fingerprint and check whether it is a browser's.
@yellowsix #10 Found it: it's a haproxy configuration problem. Looking at the logs, I saw that a large number of requests not in the whitelist passed the ACL check; I still can't figure out why.
The backend is cloudflare1; if a request had been successfully blocked, it should show as
https_frontend/<NOSRV>
Apr 17 01:16:14 vm41583 haproxy[143644]: 27.187.224.182:23691 [17/Apr/2024:01:16:14.185] https_frontend default_https/cloudflare1 4/1/758 5459 -- 12/12/11/11/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
Apr 17 01:16:14 vm41583 haproxy[143644]: 27.187.224.182:23692 [17/Apr/2024:01:16:14.256] https_frontend default_https/cloudflare1 20/1/714 5459 -- 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
Apr 17 01:16:15 vm41583 haproxy[143644]: 27.187.224.182:23693 [17/Apr/2024:01:16:15.008] https_frontend default_https/cloudflare1 9/1/736 5465 -- 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
Apr 17 01:16:18 vm41583 haproxy[143644]: 27.187.224.182:23694 [17/Apr/2024:01:16:17.365] https_frontend default_https/cloudflare1 5/1/689 5457 -- 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
Apr 17 01:16:19 vm41583 haproxy[143644]: 27.187.224.182:23697 [17/Apr/2024:01:16:18.275] https_frontend default_https/cloudflare1 7/1/726 5455 -- 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
Apr 17 01:16:20 vm41583 haproxy[143644]: 27.187.224.182:23643 [17/Apr/2024:01:15:28.911] https_frontend default_https/cloudflare1 4/1/51203 12964 cD 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
Apr 17 01:16:20 vm41583 haproxy[143644]: 27.187.224.182:23699 [17/Apr/2024:01:16:20.269] https_frontend default_https/cloudflare1 2/1/712 5459 -- 12/12/11/11/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
But when I test with a random SNI myself, it does get blocked. This is bizarre.
~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
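The check the post above does by eye, as an added example that is not code from the thread: parse haproxy tcplog lines of the shape quoted above (default tcplog fields followed by the custom SNI="..." capture), and flag every connection that was forwarded to a server (anything other than <NOSRV>) although its SNI is empty or not under a whitelisted domain, plus the reverse case of a refused connection whose SNI was allowed. The whitelist (example.com), the documentation IPs and the sample log lines are constructed; two of them copy the shape and SNI of lines quoted in this thread.

```python
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Assumed whitelist; the thread never shows the real ACL.
ALLOWED_DOMAINS = ("example.com",)

# Default haproxy tcplog fields followed by the custom SNI="..." capture, as
# in the log lines quoted in the thread. A syslog prefix before the client
# address is tolerated because re.search() is used.
LINE_RE = re.compile(
    r'(?P<client>\d{1,3}(?:\.\d{1,3}){3}):(?P<cport>\d+) '
    r'\[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>\S+) (?P<bytes>\d+) (?P<state>\S{2}) '
    r'(?P<conns>\S+) (?P<queues>\S+) '
    r'SNI="(?P<sni>[^"]*)"'
)

# Constructed sample log (documentation IPs): two lines modelled on the
# thread's (non-whitelisted SNI forwarded; empty SNI forwarded), one refusal
# logged with <NOSRV>, and one legitimate forward.
SAMPLE_LOG = """\
Apr 17 01:16:14 vm1 haproxy[100]: 198.51.100.20:23691 [17/Apr/2024:01:16:14.185] https_frontend default_https/cloudflare1 4/1/758 5459 -- 12/12/11/11/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
Apr 17 01:16:20 vm1 haproxy[100]: 198.51.100.20:23643 [17/Apr/2024:01:15:28.911] https_frontend default_https/cloudflare1 4/1/51203 12964 cD 11/11/10/10/0 0/0 SNI="uubvkp.9527666.onflashdrive.app"
Apr 16 18:39:52 vm1 haproxy[100]: 198.51.100.30:4910 [16/Apr/2024:18:39:52.046] https_frontend default_https/cloudflare2 2/5/148 4830 -- 2/2/1/0/0 0/0 SNI=""
Apr 17 01:20:03 vm1 haproxy[100]: 198.51.100.40:51022 [17/Apr/2024:01:20:03.118] https_frontend https_frontend/<NOSRV> -1/-1/3 0 PR 3/3/0/0/0 0/0 SNI="scan.example.net"
Apr 17 01:21:44 vm1 haproxy[100]: 198.51.100.50:40110 [17/Apr/2024:01:21:44.502] https_frontend default_https/cloudflare1 3/1/640 5120 -- 4/4/3/3/0 0/0 SNI="www.example.com"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the tcplog fields of one line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # <NOSRV> means no server was chosen: the frontend closed the connection
    # instead of forwarding it.
    rec["forwarded"] = rec["server"] != "<NOSRV>"
    return rec


def sni_allowed(sni: str, allowed: Sequence[str] = ALLOWED_DOMAINS) -> bool:
    """Whitelist semantics: the domain itself or any subdomain, case-insensitive.
    An empty SNI is never allowed."""
    name = sni.strip().lower().rstrip(".")
    if not name:
        return False
    return any(name == d or name.endswith("." + d) for d in allowed)


def audit(lines: Iterable[str],
          allowed: Sequence[str] = ALLOWED_DOMAINS) -> List[Tuple[str, str, str, str]]:
    """Flag lines where what haproxy did disagrees with the whitelist.
    Returns (client, server, sni, reason) tuples in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ok = sni_allowed(rec["sni"], allowed)
        if rec["forwarded"] and not ok:
            reason = ("forwarded with empty SNI" if not rec["sni"]
                      else "forwarded with non-whitelisted SNI")
        elif not rec["forwarded"] and ok:
            reason = "refused despite whitelisted SNI"
        else:
            continue
        findings.append((rec["client"], rec["server"], rec["sni"], reason))
    return findings


if __name__ == "__main__":
    for client, server, sni, reason in audit(SAMPLE_LOG.splitlines()):
        print(f'{client:16} {server:12} SNI="{sni}" {reason}')
```

Run it against the real log with `audit(open("/var/log/haproxy.log"))`: every finding is a connection the ACL should have refused (or refused wrongly), independent of what the backend did with it afterwards.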
@baiiylu #12
Try adding -servername example.com; what you have there isn't SNI.
@SKIDROW #13 That's how I've been testing all along, and it turns out it was wrong, haha. After adding servername it sails straight through. My blood pressure is rising.
baiiylu@baiiylu:~$ curl --tls-max 1.2 https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com" -servername 123.example.com -v
* Added example.com:443:123.123.123.123 to DNS cache
* Trying 123.123.123.123:443...
* Connected to 123.123.123.123 (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.cloudflare.com
*  start date: Apr  5 17:10:16 2024 GMT
*  expire date: Jul  4 17:10:15 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=E1
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x561535446eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: example.com
> user-agent: curl/7.81.0
> accept: */*
> referer: rvername
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 403
< server: cloudflare
< date: Tue, 16 Apr 2024 17:38:25 GMT
< content-type: text/html
< content-length: 151
< cf-ray: 879a65d2-FRA
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
* Connection #0 to host 123.123.123.123 left intact
* RESOLVE example.com:443 is - old addresses discarded!
* Added example.com:443:123.123.123.123 to DNS cache
* Could not resolve host: 123.example.com
* Closing connection 1
And I just noticed the problem: if I run the same curl several times, one or two of them succeed. I don't understand it.
baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
baiiylu@baiiylu:~$ curl https://123.123.123.123:443 --resolve example.com:443:123.123.123.123 --insecure -H "Host: example.com"
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
Also, the backend log doesn't record any SNI; even with -servername in curl, haproxy doesn't get any SNI. This may be a problem with how I wrote my SNI capture config:
222.222.222.222:4910 [16/Apr/2024:18:39:52.046] https_frontend default_https/cloudflare2 2/5/148 4830 -- 2/2/1/0/0 0/0 SNI=""
Don't you have to rotate the IP of that cloudflare1 regularly as well?
@bugger #15 I don't rotate it; I've been using the same one all along. This machine is overseas.
@baiiylu #16
But I feel like you could go a couple of rounds with GPT-4 on a technical problem like this...
By the way, with a setup like yours, is any configuration needed on the CF side? If the jump host reverse-proxies CF, how does CF forward the request on to the origin server?
@bugger #17 I only came to ask on the forum because GPT-4 couldn't answer it....
GPT-4: "The problem you're running into is interesting; there are several possible causes: xxxx", but none of them apply. Very vague.
haproxy works just like an nginx reverse proxy, same principle, but haproxy can reverse-proxy in TCP mode, so no extra certificate configuration is needed.
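An added example of the setup the two baiiylu posts above describe (the SNI capture whose log shows SNI="", and the TCP-mode reverse proxy that needs no certificate on haproxy). This is not the poster's configuration, which the thread never shows, and not any project's code; the whitelist names, addresses and ports are assumptions. Two details bear on the symptoms reported in this thread. First, req.ssl_sni is only usable once tcp-request inspect-delay has given haproxy time to buffer the ClientHello; without that line the content rules run on an empty buffer, the SNI fetch returns nothing, the whitelist ACL is evaluated against an empty value, and the capture logs SNI="". Second, a tcp-request content reject simply closes the TCP connection and haproxy in TCP mode never sends a TLS alert, so an "sslv3 alert handshake failure" can only come from whatever the connection was forwarded to. The log line quoted above with SNI="" shows default_https/cloudflare2 and termination state "--", that is, a forwarded connection rather than a refused one, which would show https_frontend/<NOSRV>.

```haproxy
# Added example, not the poster's config: TCP-mode SNI whitelist in front of
# Cloudflare. Names, addresses and ports are assumptions.
global
    log stdout format raw local0

defaults
    log      global
    mode     tcp
    timeout  connect 5s
    timeout  client  60s
    timeout  server  60s

frontend https_frontend
    bind *:443
    # Buffer the ClientHello before evaluating the content rules. Without
    # this line they run immediately on an empty buffer: req.ssl_sni yields
    # nothing, the ACL below never matches a real name, and the capture
    # logs SNI="".
    tcp-request inspect-delay 5s

    # Capture slot 0 holds the SNI so log-format can print it. The capture
    # waits for the ClientHello to be complete before storing a value.
    tcp-request content capture req.ssl_sni len 100

    # Whitelist (assumed): the apex and any subdomain of example.com.
    acl allowed_sni req.ssl_sni -i -m str example.com
    acl allowed_sni req.ssl_sni -i -m end .example.com

    # Accept only a TLS ClientHello (hello type 1) carrying an allowed SNI.
    # While the hello is incomplete this rule cannot be evaluated and the
    # unconditional reject is not reached; once the hello is complete (or the
    # inspect delay expires) a bad SNI, a missing SNI or non-TLS traffic all
    # fall through to the reject. A reject closes the TCP connection and is
    # logged as https_frontend/<NOSRV>; no TLS alert is sent.
    tcp-request content accept if { req.ssl_hello_type 1 } allowed_sni
    tcp-request content reject

    # Default tcplog fields plus the captured SNI, the same shape as the log
    # lines quoted in this thread.
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq SNI=\"%[capture.req.hdr(0)]\""

    default_backend default_https

backend default_https
    # TLS is not terminated here: the ClientHello, SNI included, reaches
    # Cloudflare intact, so haproxy needs no certificate of its own.
    server cloudflare1 203.0.113.10:443

# Testing from a client, with 203.0.113.1 assumed to be this haproxy:
#   curl -k --resolve www.example.com:443:203.0.113.1 https://www.example.com/
#       sends SNI=www.example.com and is forwarded
#   openssl s_client -connect 203.0.113.1:443 -servername other.example.net </dev/null
#       sends SNI=other.example.net and is closed by haproxy
#   curl -k https://203.0.113.1/
#       sends no SNI at all (curl never puts an IP literal in SNI), so it
#       exercises the empty-SNI path, not the whitelist
# curl has no -servername option: "-servername X" is parsed as "-s -e rvername"
# plus a second URL "X", which is exactly what the verbose output quoted in
# this thread shows ("referer: rvername", "Could not resolve host: 123.example.com").
```

With this configuration a client that is refused sees the connection close during the handshake, while the log line for it ends in https_frontend/<NOSRV> and carries the offending SNI in the capture, which is the evidence needed to tell an ACL failure apart from an upstream refusal.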
I haven't reverse-proxied CF, but I have also set up a reverse proxy with SNI validation. I use this project; want to give it a try?
That means you didn't succeed.