9seconds/mtg

Invalid whitelist

OfficialBoyfriend opened this issue · 4 comments

I tried to enable the whitelist in the configuration and added the related configuration files, but I keep getting the error message: ip was rejected by whitelist. When I added the following code at line 112 of the mtg/internal/cli/run_proxy.go file, the problem looked like it was resolved (more testing is still needed).

go firehol.Run(time.Hour)        // start the list updater in the background
time.Sleep(500 * time.Millisecond) // give it a moment to finish the first load before accepting connections

config.toml file content:

debug = true
secret = "xxx"
bind-to = "0.0.0.0:3128"
# Maximum number of concurrent connections
concurrency = 8192
# How to connect to Telegram
# Prefer IPv6
prefer-ip = "prefer-ipv6"

# FakeTLS
domain-fronting-port = 443
# FakeTLS: tolerated clock skew
tolerate-time-skewness = "5s"

allow-fallback-on-unknown-dc = false

[network]
#doh-ip = "9.9.9.9"
doh-ip = "2606:4700:4700::1111"
# Upstream proxies
proxies = [
    # "socks5://user:password@host:port?open_threshold=5&half_open_timeout=1m&reset_failures_timeout=10s"
]

[network.timeout]
tcp = "5s"
http = "10s"
idle = "1m"

[defense.anti-replay]
enabled = true
max-size = "1mib"
error-rate = 0.001

[defense.blocklist]
enabled = false
download-concurrency = 2
urls = [
    # "https://iplists.firehol.org/files/firehol_level1.netset",
    # "/local.file"
]
update-each = "12h"

[defense.allowlist]
enabled = true
download-concurrency = 2
urls = [
    # "https://iplists.firehol.org/files/firehol_level1.netset",
    "/local.ipset"
]
update-each = "12h"

[stats.statsd]
enabled = false
address = "127.0.0.1:8888"
metric-prefix = "mtg"
tag-format = "datadog"

[stats.prometheus]
enabled = false
bind-to = "127.0.0.1:3129"
http-path = "/"
metric-prefix = "mtg"

local.ipset file content:

#
# This is an intentionally broken ipset.
#

192.168.192.0/24
::1
127.0.0.1

If I did something wrong, please let me know.

Could you please show how you start your proxy? Also, in the message that you've mentioned, you should see the IP that was blocked.

Yes, there is indeed a prompt message that the IP is blocked. I start the proxy through docker-compose, and the mtg source code is located in the mtg directory of the current folder.

version: '3.5'

services:
  mtproxy:
    #image: nineseconds/mtg:2
    build: ./mtg
    restart: always
    ports:
      - 443:3128
    volumes:
      - ./data/config.toml:/config.toml
      - ./data/local.netset:/local.netset

I meant that this message is JSON. This JSON has the IP address that was blocked. If you start it via docker-compose, then your local address is not 127.0.0.1. IIRC, docker bridges network adapters, so your request should come from the 172.16.0.0/12 network.

It makes no sense to whitelist IPs being in a container because you won't see a real IP address anyway, unless you use host network. This has to be done in iptables instead.

The following is the running log when there is a problem:

mtproxy_1  | {"level":"debug","configuration":{"debug":true,"allowFallbackOnUnknownDc":false,"secret":"xxx","bindTo":"0.0.0.0:3128","preferIp":"prefer-ipv6","domainFrontingPort":443,"tolerateTimeSkewness":"5s","concurrency":8192,"defense":{"antiReplay":{"enabled":true,"maxSize":"1mib","errorRate":0.001},"blocklist":{"enabled":false,"downloadConcurrency":2,"urls":null,"updateEach":"12h0m0s"},"allowlist":{"enabled":true,"downloadConcurrency":2,"urls":["/local.netset"],"updateEach":"12h0m0s"}},"network":{"timeout":{"tcp":"5s","http":"10s","idle":"1m0s"},"dohIp":"2606:4700:4700::1111","proxies":null},"stats":{"statsd":{"enabled":false,"address":"127.0.0.1:8888","metricPrefix":"mtg","tagFormat":"datadog"},"prometheus":{"enabled":false,"bindTo":"127.0.0.1:3129","httpPath":"/","metricPrefix":"mtg"}}}
mtproxy_1  | ,"logger":"","timestamp":1640797053079,"message":"configuration"}
mtproxy_1  | {"level":"info","ip":"192.168.192.185","logger":"proxy","timestamp":1640797090939,"message":"ip was rejected by whitelist"}
mtproxy_1  | {"level":"info","ip":"192.168.192.185","logger":"proxy","timestamp":1640797095234,"message":"ip was rejected by whitelist"}
mtproxy_1  | {"level":"info","ip":"192.168.192.185","logger":"proxy","timestamp":1640797095256,"message":"ip was rejected by whitelist"}
mtproxy_1  | {"level":"info","ip":"192.168.192.185","logger":"proxy","timestamp":1640797095256,"message":"ip was rejected by whitelist"}
mtproxy_1  | {"level":"info","ip":"192.168.192.185","logger":"proxy","timestamp":1640797095846,"message":"ip was rejected by whitelist"}
mtproxy_1  | {"level":"info","ip":"192.168.192.185","logger":"proxy","timestamp":1640797095912,"message":"ip was rejected by whitelist"}

local.netset file content:

#
# This is very good ipset
#

10.0.0.10  # just an example
10.1.0.0/24
2001:0db8:85a3:0000:0000:8a2e:0370:7334
192.168.192.0/24
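The two things this thread turns on are the netset file format and the window between process start and the first successful load of the list. The following is an added example, not code from the mtg project: it parses the netset format shown above (bare addresses, CIDR prefixes, whole-line and trailing `#` comments) and checks a client address against it, failing closed while the list is not loaded yet. The `Allowlist` type, its `Load`/`Check` methods and the "not loaded yet" semantics are assumptions made for this illustration, not mtg's internals. The sample file is the `local.netset` content from the thread, and `172.17.0.1` is a constructed example of a Docker bridge address that is absent from the list.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
	"sync"
)

// sampleNetset is the local.netset content posted in the issue (constructed input for this example).
const sampleNetset = `#
# This is very good ipset
#

10.0.0.10  # just an example
10.1.0.0/24
2001:0db8:85a3:0000:0000:8a2e:0370:7334
192.168.192.0/24
`

// Allowlist holds the parsed networks. Before the first successful Load every
// address is rejected (fail closed); that is exactly the window the
// time.Sleep workaround in the issue papers over, so Check reports it explicitly.
type Allowlist struct {
	mu     sync.RWMutex
	nets   []*net.IPNet
	loaded bool
}

// ParseNetset parses the firehol netset/ipset text format: one entry per line,
// either a bare IPv4/IPv6 address or a CIDR prefix; '#' starts a comment
// (whole line or trailing) and blank lines are ignored. Bare addresses become
// /32 or /128 prefixes so every entry is a *net.IPNet.
func ParseNetset(r io.Reader) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	sc := bufio.NewScanner(r)
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip trailing comment
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if !strings.Contains(line, "/") {
			ip := net.ParseIP(line)
			if ip == nil {
				return nil, fmt.Errorf("line %d: invalid address %q", lineNo, line)
			}
			if ip.To4() != nil {
				line += "/32"
			} else {
				line += "/128"
			}
		}
		_, n, err := net.ParseCIDR(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		nets = append(nets, n)
	}
	return nets, sc.Err()
}

// Load replaces the current list atomically; a parse error keeps the old list.
func (a *Allowlist) Load(r io.Reader) error {
	nets, err := ParseNetset(r)
	if err != nil {
		return err
	}
	a.mu.Lock()
	a.nets, a.loaded = nets, true
	a.mu.Unlock()
	return nil
}

// Check reports whether ip may connect and a reason suitable for a log line.
func (a *Allowlist) Check(ip net.IP) (bool, string) {
	a.mu.RLock()
	defer a.mu.RUnlock()
	if !a.loaded {
		return false, "allowlist not loaded yet"
	}
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true, "matched " + n.String()
		}
	}
	return false, "ip was rejected by whitelist"
}

func main() {
	var a Allowlist
	client := net.ParseIP("192.168.192.185") // the address from the log in the issue
	ok, why := a.Check(client)
	fmt.Println("before load:", ok, why)
	if err := a.Load(strings.NewReader(sampleNetset)); err != nil {
		panic(err)
	}
	ok, why = a.Check(client)
	fmt.Println("after load: ", ok, why)
	ok, why = a.Check(net.ParseIP("172.17.0.1")) // constructed Docker bridge address
	fmt.Println("bridge addr:", ok, why)
}
```

Running it shows that the logged address does fall inside `192.168.192.0/24`, so with a loaded list it would be accepted; under these semantics the rejection can only come from the list not yet being installed, or from the proxy seeing a different source address (a bridge address when running in a container without host networking, as the maintainer points out).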