apernet/hysteria

Masquerade not working properly in Linux build 2.5.0

giveup opened this issue · 14 comments

Describe the problem
Config file

tls:
  cert: server.crt
  key: server.key

auth:
  type: password
  password: password
masquerade:
  type: proxy
  proxy:
    url: https://www.example.com
    rewriteHost: true
  listenHTTP: :80
  listenHTTPS: :443
  forceHTTPS: true

resolver:
  https:
    addr: 8.8.8.8:443
    timeout: 10s
    sni: dns.google
    insecure: true

In my testing, the macOS build masquerades correctly with the above config (acting as a reverse proxy). The Linux build does not work as expected.
How to reproduce
Use proxy as the masquerade type and verify from the client with curl -k -L https://your_server.
The Linux build returns the following

curl -k -L https://your_server
OK%              

Expected behaviour
When verifying with curl, the expected output is the following (subsequent output omitted)

<!doctype html><html lang

Logs
Client/server logs from around the time the error occurred are attached.

macOS log

 ./hysteria-darwin-amd64 server -c ./config-tls.yaml    
2024-07-08T14:33:59+08:00	INFO	server mode
2024-07-08T14:33:59+08:00	INFO	masquerade HTTPS server up and running	{"listen": ":443"}
2024-07-08T14:33:59+08:00	INFO	masquerade HTTP server up and running	{"listen": ":80"}
2024-07-08T14:33:59+08:00	INFO	server up and running	{"listen": ":443"}

Linux log

 hysteria server -c /etc/hysteria/config-tls.yaml 
2024-07-07T23:27:16-07:00	INFO	server mode
2024-07-07T23:27:16-07:00	INFO	masquerade HTTPS server up and running	{"listen": ":443"}
2024-07-07T23:27:16-07:00	INFO	server up and running	{"listen": ":443"}
2024-07-07T23:27:16-07:00	INFO	masquerade HTTP server up and running	{"listen": ":80"}
2024-07-07T23:27:24-07:00	INFO	client connected	{"addr": "ip:port", "id": "****", "tx": 0}

Device and operating system
Client: curl 8.4.0 (x86_64-apple-darwin21.0) libcurl/8.4.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.45.1
OS: macOS 12.7.5 (21H1222)

Additional information
Linux builds before 2.5.0 masqueraded fine.

Cannot reproduce.

I suggest checking whether the server firewall allows TCP port 443.

I can confirm port 443 is open, and the curl request does not time out; it returns an OK% string. The expected return is HTML content.
Additional information: when the service is set up locally (macOS) and requested with curl, the log shows no errors or warnings at all.
When it is set up on the Linux server and a request is sent, the log shows a client connected line. If it is convenient for you, I can email you my server details for testing and verification.
Besides verifying with curl, opening it in a browser does not work as expected either.

It is unlikely that plain curl would make the server log client connected, unless an environment variable or a transparent proxy routed that curl through the hysteria client, which then triggered the hysteria client's connection (assuming the client has lazy enabled).

You can add the HYSTERIA_LOG_LEVEL=debug environment variable when running the hysteria server, and add the -vv flag when running curl, to get more detailed logs.

One more note: the string you saw returned is actually OK rather than OK%; the % is something zsh appends to indicate that there is no newline after OK.

A transparent proxy is indeed deployed on the router. That IP belongs to a direct rule, but I subsequently used nft to exclude the IP, ensuring that traffic to it does not pass through the transparent proxy core.

root@AX6S:~# nft list ruleset | grep 'server_ip'
			     server_ip, 100.64.0.0/10,

The control panel also shows no connection information for that IP.
I repeated the test once more; the result is the same.
curl log

 curl -k -L -vv https://server_ip     
*   Trying server_ip..
* Connected to server_ip (server_ip) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Jul  8 06:25:31 2024 GMT
*  expire date: Jul  8 06:25:31 2025 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://server_ip/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: server_ip]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: server_ip
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 203 
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, no-store, must-revalidate
< content-type: text/xml
< date: Mon, 08 Jul 2024 16:34:35 GMT
< expires: 0
< mime-version: 1.0
< pragma: no-cache
< x-cdn-traceid: 0.c9a6dc17.1720456475.13a28610
< content-length: 2
< 
* Connection #0 to host server_ip left intact
OK

I also tested on a mobile device over a cellular connection, to make sure the transparent proxy is not interfering (all proxy software on the mobile device completely turned off).
The result is the same as with the Chrome browser above: the browser cannot render the returned content properly.

What site are you reverse-proxying? Is it really https://www.example.com?
The headers in the curl output you posted clearly do not look like something https://www.example.com would return.

Try changing the masquerade reverse-proxy site in the hysteria config to https://www.example.com and see what happens.

I somewhat suspect that TCP port 443 on the server is being forwarded to another machine. I suggest exporting the complete firewall rules and checking them.

You can export all firewall rules on the server with the following commands:

iptables-save
nft list ruleset

The reverse-proxy target is an arbitrary site; the config file was given as an example. In the actual test, with a local macOS deployment curl prints the HTML source of the proxied site, while the Linux server returns an OK string.

iptables export

# iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jul  8 13:07:19 2024
*filter
:INPUT DROP [3168698:155365888]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [290:44197]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-logging-forward -j RETURN
-A ufw-user-logging-input -j RETURN
-A ufw-user-logging-output -j RETURN
COMMIT
# Completed on Mon Jul  8 13:07:19 2024

nft export

# nft list ruleset
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain ufw-before-logging-input {
	}

	chain ufw-before-logging-output {
	}

	chain ufw-before-logging-forward {
	}

	chain ufw-before-input {
		iifname "lo" counter packets 8818 bytes 1511229 accept
		ct state related,established counter packets 288650726 bytes 825865698526 accept
		ct state invalid counter packets 31469 bytes 2105115 jump ufw-logging-deny
		ct state invalid counter packets 31469 bytes 2105115 drop
		meta l4proto icmp icmp type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type echo-request counter packets 546790 bytes 21447655 accept
		udp sport 67 udp dport 68 counter packets 648 bytes 212544 accept
		counter packets 3294715 bytes 203699381 jump ufw-not-local
		ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept
		ip daddr 239.255.255.250 udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 3294715 bytes 203699381 jump ufw-user-input
	}

	chain ufw-before-output {
		oifname "lo" counter packets 8818 bytes 1511229 accept
		ct state related,established counter packets 224540590 bytes 954109694133 accept
		counter packets 2807941 bytes 527523919 jump ufw-user-output
	}

	chain ufw-before-forward {
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type echo-request counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-user-forward
	}

	chain ufw-after-input {
		udp dport 137 counter packets 1301 bytes 101526 jump ufw-skip-to-policy-input
		udp dport 138 counter packets 38 bytes 1064 jump ufw-skip-to-policy-input
		tcp dport 139 counter packets 1742 bytes 75308 jump ufw-skip-to-policy-input
		tcp dport 445 counter packets 12523 bytes 591448 jump ufw-skip-to-policy-input
		udp dport 67 counter packets 44 bytes 1232 jump ufw-skip-to-policy-input
		udp dport 68 counter packets 38 bytes 1064 jump ufw-skip-to-policy-input
		fib daddr type broadcast counter packets 0 bytes 0 jump ufw-skip-to-policy-input
	}

	chain ufw-after-output {
	}

	chain ufw-after-forward {
	}

	chain ufw-after-logging-input {
	}

	chain ufw-after-logging-output {
	}

	chain ufw-after-logging-forward {
	}

	chain ufw-reject-input {
	}

	chain ufw-reject-output {
	}

	chain ufw-reject-forward {
	}

	chain ufw-track-input {
	}

	chain ufw-track-output {
		meta l4proto tcp ct state new counter packets 841487 bytes 50492390 accept
		meta l4proto udp ct state new counter packets 1966164 bytes 476987332 accept
	}

	chain ufw-track-forward {
	}

	chain INPUT {
		type filter hook input priority filter; policy drop;
		counter packets 296933585 bytes 843902234555 jump ufw-before-logging-input
		counter packets 296933585 bytes 843902234555 jump ufw-before-input
		counter packets 3258189 bytes 190757283 jump ufw-after-input
		counter packets 3242218 bytes 189971563 jump ufw-after-logging-input
		counter packets 3242218 bytes 189971563 jump ufw-reject-input
		counter packets 3242218 bytes 189971563 jump ufw-track-input
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 231630023 bytes 976576138261 jump ufw-before-logging-output
		counter packets 231630023 bytes 976576138261 jump ufw-before-output
		counter packets 2896078 bytes 563370726 jump ufw-after-output
		counter packets 2896078 bytes 563370726 jump ufw-after-logging-output
		counter packets 2896078 bytes 563370726 jump ufw-reject-output
		counter packets 2896078 bytes 563370726 jump ufw-track-output
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump ufw-before-logging-forward
		counter packets 0 bytes 0 jump ufw-before-forward
		counter packets 0 bytes 0 jump ufw-after-forward
		counter packets 0 bytes 0 jump ufw-after-logging-forward
		counter packets 0 bytes 0 jump ufw-reject-forward
		counter packets 0 bytes 0 jump ufw-track-forward
	}

	chain ufw-logging-deny {
	}

	chain ufw-logging-allow {
	}

	chain ufw-skip-to-policy-input {
		counter packets 15686 bytes 771642 drop
	}

	chain ufw-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}

	chain ufw-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}

	chain ufw-not-local {
		fib daddr type local counter packets 3294715 bytes 203699381 return
		fib daddr type multicast counter packets 0 bytes 0 return
		fib daddr type broadcast counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 jump ufw-logging-deny
		counter packets 0 bytes 0 drop
	}

	chain ufw-user-input {
		tcp dport 443 counter packets 118 bytes 6356 accept
		udp dport 443 counter packets 174 bytes 142276 accept
	}

	chain ufw-user-output {
	}

	chain ufw-user-forward {
	}

	chain ufw-user-logging-input {
		counter packets 0 bytes 0 return
	}

	chain ufw-user-logging-output {
		counter packets 0 bytes 0 return
	}

	chain ufw-user-logging-forward {
		counter packets 0 bytes 0 return
	}

	chain ufw-user-limit {
		counter packets 0 bytes 0 reject
	}

	chain ufw-user-limit-accept {
		counter packets 0 bytes 0 accept
	}
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
	chain ufw6-before-logging-input {
	}

	chain ufw6-before-logging-output {
	}

	chain ufw6-before-logging-forward {
	}

	chain ufw6-before-input {
		iifname "lo" counter packets 0 bytes 0 accept
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		ct state invalid counter packets 0 bytes 0 jump ufw6-logging-deny
		ct state invalid counter packets 0 bytes 0 drop
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept
		ip6 daddr ff02::fb udp dport 5353 counter packets 0 bytes 0 accept
		ip6 daddr ff02::f udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-input
	}

	chain ufw6-before-output {
		oifname "lo" counter packets 0 bytes 0 accept
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 9351 bytes 523656 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-output
	}

	chain ufw6-before-forward {
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-forward
	}

	chain ufw6-after-input {
		udp dport 137 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 138 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		tcp dport 139 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		tcp dport 445 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 546 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 547 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
	}

	chain ufw6-after-output {
	}

	chain ufw6-after-forward {
	}

	chain ufw6-after-logging-input {
	}

	chain ufw6-after-logging-output {
	}

	chain ufw6-after-logging-forward {
	}

	chain ufw6-reject-input {
	}

	chain ufw6-reject-output {
	}

	chain ufw6-reject-forward {
	}

	chain ufw6-track-input {
	}

	chain ufw6-track-output {
		meta l4proto tcp ct state new counter packets 0 bytes 0 accept
		meta l4proto udp ct state new counter packets 0 bytes 0 accept
	}

	chain ufw6-track-forward {
	}

	chain INPUT {
		type filter hook input priority filter; policy drop;
		counter packets 0 bytes 0 jump ufw6-before-logging-input
		counter packets 0 bytes 0 jump ufw6-before-input
		counter packets 0 bytes 0 jump ufw6-after-input
		counter packets 0 bytes 0 jump ufw6-after-logging-input
		counter packets 0 bytes 0 jump ufw6-reject-input
		counter packets 0 bytes 0 jump ufw6-track-input
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 9534 bytes 533904 jump ufw6-before-logging-output
		counter packets 9534 bytes 533904 jump ufw6-before-output
		counter packets 0 bytes 0 jump ufw6-after-output
		counter packets 0 bytes 0 jump ufw6-after-logging-output
		counter packets 0 bytes 0 jump ufw6-reject-output
		counter packets 0 bytes 0 jump ufw6-track-output
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump ufw6-before-logging-forward
		counter packets 0 bytes 0 jump ufw6-before-forward
		counter packets 0 bytes 0 jump ufw6-after-forward
		counter packets 0 bytes 0 jump ufw6-after-logging-forward
		counter packets 0 bytes 0 jump ufw6-reject-forward
		counter packets 0 bytes 0 jump ufw6-track-forward
	}

	chain ufw6-logging-deny {
	}

	chain ufw6-logging-allow {
	}

	chain ufw6-skip-to-policy-input {
		counter packets 0 bytes 0 drop
	}

	chain ufw6-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}

	chain ufw6-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}

	chain ufw6-user-input {
		tcp dport 443 counter packets 0 bytes 0 accept
		udp dport 443 counter packets 0 bytes 0 accept
	}

	chain ufw6-user-output {
	}

	chain ufw6-user-forward {
	}

	chain ufw6-user-logging-input {
		counter packets 0 bytes 0 return
	}

	chain ufw6-user-logging-output {
		counter packets 0 bytes 0 return
	}

	chain ufw6-user-logging-forward {
		counter packets 0 bytes 0 return
	}

	chain ufw6-user-limit {
		counter packets 0 bytes 0 reject
	}

	chain ufw6-user-limit-accept {
		counter packets 0 bytes 0 accept
	}
}
  1. Switch to a different site (for example https://www.example.com) as the reverse-proxy target and see whether the headers in the curl -vv output change.
  2. Stop the hysteria server and see whether the curl -vv output changes.

After testing, only certain sites return an OK string.

  proxy:
    url: https://www.bing.com/new
    rewriteHost: true

This config returns an OK string. Changing it to https://www.bing.com does too.
Changing it to https://www.amd.com/en.html works correctly as a reverse proxy.
The above tests were verified with a browser.
This is the curl output for the working reverse proxy

curl -k -L -vv  https://server_ip
*   Trying server_ip:443...
* Connected to server_ip (server_ip) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Jul  8 06:25:31 2024 GMT
*  expire date: Jul  8 06:25:31 2025 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://server_ip/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: server_ip]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: server_ip
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< content-length: 0
< date: Tue, 09 Jul 2024 04:08:42 GMT
< 
* Connection #0 to host server_ip left intact

If you run curl -vv https://www.bing.com/new directly on your server, does it return normally?

curl -vv https://www.bing.com/new

It seems to be a bing problem... running it directly on the server also returns OK. This can be closed.

Could you share the output of curl -vv https://www.bing.com/new run on your server (please do not modify the IPs etc. in it; rest assured they are unrelated to your server's IP)? We would like to record this kind of anomaly for future users' reference.

curl -vv https://www.bing.com/new

Mainly, bing was configured before as well, and testing in a browser redirected to the bing homepage, so this time I assumed a hysteria change had caused it.

# curl -vv https://www.bing.com/new
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 23.43.51.134:443...
* Connected to www.bing.com (23.43.51.134) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [29 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2611 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=r.bing.com
*  start date: Jun 24 16:16:15 2024 GMT
*  expire date: Jun 19 16:16:15 2025 GMT
*  subjectAltName: host "www.bing.com" matched cert's "*.bing.com"
*  issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure ECC TLS Issuing CA 04
*  SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* h2h3 [:method: GET]
* h2h3 [:path: /new]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.bing.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x559e0ed92ce0)
} [5 bytes data]
> GET /new HTTP/2
> Host: www.bing.com
> user-agent: curl/7.88.1
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 203 
< mime-version: 1.0
< content-length: 2
< cache-control: no-cache, no-store, must-revalidate
< pragma: no-cache
< expires: 0
< content-type: text/xml
< date: Tue, 09 Jul 2024 06:25:03 GMT
< alt-svc: h3=":443"; ma=93600
< x-cdn-traceid: 0.c6a6dc17.1720506303.a840f7b4
< 
{ [5 bytes data]

100     2  100     2    0     0     22      0 --:--:-- --:--:-- --:--:--    22
* Connection #0 to host www.bing.com left intact
OKExit code: 0
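As an added example (not code from the hysteria project or from anyone in this thread), the following Go program reproduces what the thread ends up showing: a reverse proxy of the kind a masquerade of type proxy provides relays the origin's reply unchanged, so a 203 / text/xml / "OK" answer is the origin's own response rather than something the proxy produced. The proxy is built on Go's net/http/httputil.ReverseProxy with the Host rewrite emulated by hand; the origin is a constructed httptest server that mimics the 203 "OK" reply seen above for /new and returns HTML for other paths. The X-Seen-Host header, the FakeOrigin/Fetch/Diagnose names and the rewriteHost emulation are assumptions of this example, not hysteria's implementation.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Probe: the parts of a reply worth comparing between masquerade and origin.
type Probe struct {
	Status      int
	ContentType string
	Body        string
	SeenHost    string // Host header the origin received (echoed via the assumed X-Seen-Host header)
}

// NewMasqueradeProxy models a masquerade of type "proxy" (assumed behaviour, not
// hysteria's code): forward every request to upstream and relay the origin's
// reply unchanged. With rewriteHost the outgoing Host becomes upstream's host.
func NewMasqueradeProxy(upstream *url.URL, rewriteHost bool) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	base := rp.Director
	rp.Director = func(r *http.Request) {
		base(r) // rewrites scheme/host/path towards upstream; leaves r.Host as the client sent it
		if rewriteHost {
			r.Host = upstream.Host
		}
	}
	return rp
}

// FakeOrigin is a constructed stand-in for the real site: /new reproduces the
// reply seen in the thread (203, text/xml, body "OK"), anything else is HTML.
func FakeOrigin() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-Host", r.Host)
		if strings.HasPrefix(r.URL.Path, "/new") {
			w.Header().Set("Content-Type", "text/xml")
			w.WriteHeader(http.StatusNonAuthoritativeInfo) // 203
			io.WriteString(w, "OK")
			return
		}
		w.Header().Set("Content-Type", "text/html")
		io.WriteString(w, `<!doctype html><html lang="en"><body>hello</body></html>`)
	}))
}

// Fetch issues one GET and captures the fields to compare.
func Fetch(rawURL string) (Probe, error) {
	resp, err := http.Get(rawURL)
	if err != nil {
		return Probe{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Probe{}, err
	}
	return Probe{
		Status:      resp.StatusCode,
		ContentType: resp.Header.Get("Content-Type"),
		Body:        string(body),
		SeenHost:    resp.Header.Get("X-Seen-Host"),
	}, nil
}

// Diagnose is the check the thread converged on: fetch the same path through
// the masquerade and straight from the URL the masquerade points at. If status,
// content type and body agree, the proxy is faithful and a bare "OK" is the
// origin's own answer.
func Diagnose(proxyBase, originBase, path string) (string, error) {
	viaProxy, err := Fetch(proxyBase + path)
	if err != nil {
		return "", err
	}
	direct, err := Fetch(originBase + path)
	if err != nil {
		return "", err
	}
	if viaProxy.Status == direct.Status && viaProxy.ContentType == direct.ContentType && viaProxy.Body == direct.Body {
		return fmt.Sprintf("proxy faithful: origin itself answers %d %s %q", direct.Status, direct.ContentType, direct.Body), nil
	}
	return fmt.Sprintf("mismatch: via proxy %d %q, direct %d %q", viaProxy.Status, viaProxy.Body, direct.Status, direct.Body), nil
}

func main() {
	origin := FakeOrigin()
	defer origin.Close()
	// Same proxy code, two upstream URLs: the root yields HTML, /new yields "OK".
	for _, target := range []string{origin.URL, origin.URL + "/new"} {
		u, err := url.Parse(target)
		if err != nil {
			panic(err)
		}
		proxy := httptest.NewServer(NewMasqueradeProxy(u, true))
		verdict, err := Diagnose(proxy.URL, target, "/")
		proxy.Close()
		if err != nil {
			panic(err)
		}
		fmt.Printf("upstream path %q: %s\n", u.Path, verdict)
	}
}
```

Running it with go run prints one verdict per upstream URL: the root upstream comes back as HTML through the proxy, the /new upstream comes back as 203 "OK" through the proxy, and in both cases the direct fetch agrees, which is exactly the comparison the maintainer asked for before blaming the server. Setting rewriteHost to false makes the origin see the proxy's own address in the Host header instead of its own, which is the difference that can make a CDN answer one way to the masquerade and another way to a browser visiting the real site.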