SSL protocol is blocked; how should this be configured? #2092

Closed
xiagw opened this issue May 16, 2023 · 15 comments
xiagw commented May 16, 2023

Configured according to the following:
https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-XTLS-Vision

Server and client version:

xray --version
Xray 1.7.5 (Xray, Penetrates Everything.) Custom (go1.20 linux/amd64)
A unified platform for anti-censorship.

After setting up xray, proxying works normally:

curl google.com

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

brew install fails for any package:

brew install argocd

==> Upgrading 1 outdated package:
argocd 2.6.4 -> 2.7.2
==> Fetching argocd
==> Downloading https://ghcr.io/v2/homebrew/core/argocd/manifests/2.7.2
Error: argocd: Failed to download resource "argocd_bottle_manifest"
Failure while executing; `/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.18\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.3.1\)\ curl/7.87.0 --header Accept-Language:\ en --retry 3 --header Accept:\ application/vnd.oci.image.index.v1\+json --header Authorization:\ Bearer\ QQ== --fail --location --silent --head https://ghcr.io/v2/homebrew/core/argocd/manifests/2.7.2` exited with 35. Here's the output:
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ghcr.io:443
HTTP/1.1 200 Connection established

Without going through the xray proxy it works normally:
(I tried many times: after unset http_proxy https_proxy it works; with the proxy set, installation fails.)

curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.18\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.3.1\)\ curl/7.87.0 --header Accept-Language:\ en --retry 3 --header Accept:\ application/vnd.oci.image.index.v1\+json --header Authorization:\ Bearer\ QQ== --fail --location --silent --head https://ghcr.io/v2/homebrew/core/argocd/manifests/2.7.2

HTTP/2 200
content-length: 7463
content-type: application/vnd.oci.image.index.v1+json
docker-content-digest: sha256:b5cbb208c80478a390e3213b43677243086021b1319d31bd48c356526cbe1f83
docker-distribution-api-version: registry/2.0
etag: "sha256:b5cbb208c80478a390e3213b43677243086021b1319d31bd48c356526cbe1f83"
date: Tue, 16 May 2023 08:47:42 GMT
x-github-request-id: E663:7A78:326EF0:40ECCB:6463432E
Author

xiagw commented May 16, 2023

"inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 443,
            "protocol": "vless",
            "tag": "xray6",
            "settings": {
                "clients": [
                    {
                        "id": "",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": "80",
                        "xver": 1
                    },
                    {
                        "alpn": "h2",
                        "dest": "8443",
                        "xver": 1
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "rejectUnknownSni": true,
                    "minVersion": "1.2",
                    "certificates": [
                        {
                            "ocspStapling": 3600,
                            "certificateFile": "/usr/local/ssl/xray.com.crt",
                            "keyFile": "/usr/local/ssl/xray.com.key"
                        }
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            }
        }
    ],

@FranzKafkaYu
Contributor

@xiagw it seems that the problem is not in xray core itself, plz refer to this: https://stackoverflow.com/questions/48987512/ssl-connect-ssl-error-syscall-in-connection-to-github-com443/51544596#51544596

@FranzKafkaYu
Contributor

I guess the cause of this problem is LibreSSL

@xiagw
Author

xiagw commented May 16, 2023

How to change the curl that brew uses? · Homebrew · Discussion #1752
https://github.com/orgs/Homebrew/discussions/1752

export HOMEBREW_FORCE_BREWED_CURL=1

@RPRX
Member

RPRX commented May 19, 2023

Was it cut off as traffic heading back into China?

RPRX closed this as not planned May 19, 2023
@xiagw
Author

xiagw commented May 22, 2023

I don't know, probably not.
The server is configured to block that.

    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:cn"
                ],
                "outboundTag": "block"
            },
            {
                "type": "field",
                "outboundTag": "block",
                "protocol": [
                    "bittorrent"
                ]
            },

@jinmiaoluo

jinmiaoluo commented Apr 18, 2024

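This problem also exists on Arch Linux:

  • Server A runs Xray + Firewalld as a transparent proxy
  • B is configured with a static IP, with its gateway address pointing to A's internal IP

When downloading a large file with curl on B, at around 300 - 800 MB, this appears:

curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 0

Xray version: 1.8.10
curl version: 8.7.1
OpenSSL: 3.2.1
Kernel: 6.8.2

The scenarios in which this error occurred for me:

  1. When downloading a video from an overseas site (2G)
  2. When downloading the Whisper model file from OpenAI (2.88G)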

@Fangliding
Member

@jinmiaoluo Without the transparent proxy, is there a problem when using an HTTP proxy?

@yuhan6665
Member

Blind guess: you need to turn off splice ;)

@jinmiaoluo

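@jinmiaoluo Without the transparent proxy, is there a problem when using an HTTP proxy?

@Fangliding Still using server A as the proxy server on the LAN, with an HTTP listener enabled on A.
B's default gateway address was changed back to the router's address, and then the HTTP proxy was configured.

The same problem occurs.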

@Fangliding
Member

Then it's a network problem, nothing more to say ()

@jinmiaoluo

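I repeated the test several times; when the downloaded data size is around 960 MBytes, it occurs (the same happens on every repeated test).

The server is an Alibaba Cloud Simple Application Server (Hong Kong 2C1G instance).

I made the following attempts:

  1. Disabling IP_Forward
  2. Disabling BBR
  3. Connecting via HTTP
  4. Connecting via dokodemo-door

I'm not sure what the cause is. If the line were unstable, it should be unrelated to the size of the downloaded data. The current pattern is that it occurs every time the download reaches around 960 Mbytes.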

@jinmiaoluo

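Downloading directly on the Hong Kong server works normally.

Downloading through Xray, however, fails once 960M - 970M of data has been downloaded, regardless of whether the Xray client process runs on Windows or Linux.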

@jinmiaoluo

Blind guess: you need to turn off splice ;)

How do I turn it off?

@jinmiaoluo

jinmiaoluo commented Apr 18, 2024

After changing flow from xtls-rprx-vision to an empty string, the problem disappeared.
