Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reality突然无法访问,在两个小时前依然正常 #2366

Closed
lanvada opened this issue Jul 24, 2023 · 13 comments
Closed

Reality突然无法访问,在两个小时前依然正常 #2366

lanvada opened this issue Jul 24, 2023 · 13 comments

Comments

@lanvada
Copy link

lanvada commented Jul 24, 2023
edited
Loading

如题,我检查了服务器的IP和域名,都能正常访问
这是我的V2RayN程序中报的错误:

app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: failed to find an available destination > common/retry: [x509: certificate is valid for lovelive.xxx.net, not www.lovelive-anime.jp] > common/retry: all retry attempts failed

这是我的Xray配置:

{
  "log": {
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log",
    "loglevel": "warning"
  },
  "dns": {
    "servers": [
      "https+local://1.1.1.1/dns-query",
      "https+local://dns.google/dns-query",
      "localhost"
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "domain": [
          "geosite:openai",
          "geosite:cloudflare",
          "geosite:netflix",
          "geosite:spotify"
        ],
        "outboundTag": "warp"
      },
      {
        "type": "field",
        "domain": [
          "geosite:cn"
        ],
        "outboundTag": "warp-cn"
      },
      {
        "type": "field",
        "ip": [
          "geoip:cn"
        ],
        "outboundTag": "warp-cn"
      },
      {
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            ...
          },
          {
            ...
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "172.11.27.2:8082",
          "xver": 1,
          "serverNames": [
            "www.lovelive-anime.jp"
          ],
          "privateKey": "gFqWM8thEXdxtE0JPPS9oQfDCF9vFa7c6Vw-RK3Wbko",
          "maxTimeDiff": 4000,
          "shortIds": [
            "0010",
            "0011"
          ]
        }
      },
      "sniffing": {
        "enabled": false,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "wireguard",
      "tag": "warp",
      "settings": {
        "secretKey": ...,
        "address": [
          "172.16.0.2/32",
          "2606:4700:110:89a0:f1a3:5075:b087:6fb2/128"
        ],
        "peers": [
          {
            "publicKey": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=",
            "keepAlive": 4000,
            "allowedIPs": [
              "0.0.0.0/0",
              "::/0"
            ],
            "endpoint": "162.159.192.1:2408"
          }
        ],
        "reserved": [
          0,
          0,
          0
        ],
        "mtu": 1280
      }
    },
    {
      "protocol": "wireguard",
      "tag": "warp-cn",
      "settings": {
        "secretKey": ...,
        "address": [
          "172.16.0.2/32",
          "2606:4700:110:89a0:f1a3:5075:b087:6fb2/128"
        ],
        "peers": [
          {
            "publicKey": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=",
            "keepAlive": 4000,
            "allowedIPs": [
              "0.0.0.0/0",
              "::/0"
            ],
            "endpoint": "162.159.192.1:2408"
          }
        ],
        "reserved": [
          0,
          0,
          0
        ],
        "mtu": 1280
      }
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ],
  "policy": {
    "levels": {
      "0": {
        "handshake": 3,
        "connIdle": 180
      },
      "1": {
        "handshake": 2,
        "connIdle": 120
      }
    }
  }
}
@lanvada
Copy link
Author

lanvada commented Jul 24, 2023
edited
Loading

这是我的nginx配置:

user nginx;
worker_processes auto;

# error_log  /var/log/nginx/error.log;
error_log /var/log/nginx/error.log notice;
# error_log  /var/log/nginx/info.log  info;

pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format main '[$time_local] $proxy_protocol_addr "$http_referer" "$http_user_agent"';
    access_log /var/log/nginx/access.log main;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ""      close;
    }

    map $proxy_protocol_addr $proxy_forwarded_elem {
        ~^[0-9.]+$        "for=$proxy_protocol_addr";
        ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
        default           "for=unknown";
    }

    map $http_forwarded $proxy_add_forwarded {
        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
        default "$proxy_forwarded_elem";
    }

    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        # http2 on; 这条指令出现在1.25.1版本中 https://nginx.org/en/docs/http/ngx_http_v2_module.html
        listen                  172.11.27.2:8082 ssl proxy_protocol;
        http2                   on;

        set_real_ip_from        172.11.27.2;

        ssl_certificate         /cert/xxx/lovelive/cert.pem;
        ssl_certificate_key     /cert/xxx/lovelive/key.pem;

        ssl_protocols           TLSv1.2 TLSv1.3;
        ssl_ciphers             TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;

        ssl_session_timeout     1d;
        ssl_session_cache       shared:SSL:10m;
        ssl_session_tickets     off;

        ssl_stapling            on;
        ssl_stapling_verify     on;
        ssl_trusted_certificate /cert/xxx/lovelive/cert.pem;
        resolver                1.1.1.1 valid=60s;
        resolver_timeout        2s;

# 使用 https://www.digitalocean.com/community/tools/nginx 生成的反向代理配置
        location / {
            sub_filter                         $proxy_host $host;
            sub_filter_once                    off;

            set $website                       www.lovelive-anime.jp;
            proxy_pass                         https://$website;
            resolver 1.1.1.1;

            proxy_set_header Host              $proxy_host;

            proxy_http_version                 1.1;
            proxy_cache_bypass                 $http_upgrade;

            proxy_ssl_server_name              on;

            proxy_set_header Upgrade           $http_upgrade;
            proxy_set_header Connection        $connection_upgrade;
            proxy_set_header X-Real-IP         $proxy_protocol_addr;
            proxy_set_header Forwarded         $proxy_add_forwarded;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host  $host;
            proxy_set_header X-Forwarded-Port  $server_port;

            proxy_connect_timeout              60s;
            proxy_send_timeout                 60s;
            proxy_read_timeout                 60s;
        }
    }
}

@lanvada
Copy link
Author

lanvada commented Jul 24, 2023

我检查了服务器上的错误日志,也没有发现任何错误

@lanvada
Copy link
Author

lanvada commented Jul 24, 2023

这是我的docker-compose.yml

version: '3'

services:

# Network Basic Services

  nginx:
    image: nginx
    volumes:
      - /home/ubuntu/docker-apps/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
      - /home/ubuntu/docker-apps/var/log/nginx:/var/log/nginx
      - /home/ubuntu/docker-apps/cert:/cert:ro
    networks:
      net0:
        ipv4_address: 172.11.27.2
    ports:
      - "80:80/tcp"
    expose:
      - 8082
    restart: on-failure

  xray:
    image: teddysun/xray:latest
    volumes:
      - /home/ubuntu/docker-apps/etc/xray:/etc/xray
      - /home/ubuntu/docker-apps/var/log/xray:/var/log/xray
    networks:
      net0:
        ipv4_address: 172.11.27.3
    ports:
      - "443:443/tcp"
    depends_on:
      - nginx
    restart: on-failure
    
  # wgcf:
  #   image: neilpang/wgcf-docker:latest
  #   volumes:
  #     - /home/ubuntu/docker-apps/etc/wgcf:/wgcf
  #     - /home/ubuntu/docker-apps/lib/modules:/lib/modules
  #   networks:
  #     net0:
  #       ipv4_address: 172.11.27.4
  #   sysctls:
  #     net.ipv6.conf.all.disable_ipv6: 0
  #   cap_add:
  #     - NET_ADMIN
  #   privileged: true

networks:
  net0:
    driver: bridge
    ipam:
      config:
        - subnet: 172.11.0.0/16
          ip_range: 172.11.27.0/24
          gateway: 172.11.27.1

@qist
Copy link

qist commented Jul 24, 2023
edited
Loading

把dest 改一下。你看看你docker 是不是重启了 ip 不能访问了。

@lanvada
Copy link
Author

lanvada commented Jul 24, 2023

把dest 改一下。你看看你docker 是不是重启了 ip 不能访问了。

不是吧,我的docker ip不是已经写成固定的了吗,而且通过网页是可以访问域名的,说明验证未通过的流量已经进入nginx了吧

@qist
Copy link

qist commented Jul 24, 2023

是的。x509: certificate is valid for lovelive.xxx.net, not www.lovelive-anime.jp 这个说你的证书没有 这两个域名,也就是验证没通过,你可以试着换一个外部dest 或者 创建一个新的来连接看看。

@lanvada
Copy link
Author

lanvada commented Jul 24, 2023
edited
Loading

是的。x509: certificate is valid for lovelive.xxx.net, not www.lovelive-anime.jp 这个说你的证书没有 这两个域名,也就是验证没通过,你可以试着换一个外部dest 或者 创建一个新的来连接看看。

dest换成www.lovelive-anime.jp:443还是不行

app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: failed to find an available destination > common/retry: [REALITY: processed invalid connection] > common/retry: all retry attempts failed

看上去就像是设置的public key和private key错了似的,但是我也没改过啊
创建一个新的连接是指?换个客户端?现在我的Surface和PC上的都出现了这个问题,手机上的Shadowrocket也连不上了

@chika0801
Copy link
Contributor

看了下配置,你服务端Xray配置中

"dest": "172.11.27.2:8082", 这个IP我问了下GPT 截至我上次更新知识的时间是2021年9月,IP地址范围172.11.27.2不被视为私有IP地址。私有IP地址是保留在私有网络中使用,不能在公共互联网上进行路由传输。

它不是私有IP的话,你用的丢自己形式,这儿填127.0.0.1:8082,表示到本机的8082端口。你nginx配置也相应改下。

如果这IP没什么毛病,再问下我看你NGINX加载了你自己的证书的,你的xray配置中的 "serverNames" 我推荐你填你SSL证书中包含的域名就行了,你没必要硬填个 www.lovelive-anime.jp

其它地方没发现问题。你看看配置了。

@lanvada
Copy link
Author

lanvada commented Jul 24, 2023

看了下配置,你服务端Xray配置中

"dest": "172.11.27.2:8082", 这个IP我问了下GPT 截至我上次更新知识的时间是2021年9月,IP地址范围172.11.27.2不被视为私有IP地址。私有IP地址是保留在私有网络中使用,不能在公共互联网上进行路由传输。

它不是私有IP的话,你用的丢自己形式,这儿填127.0.0.1:8082,表示到本机的8082端口。你nginx配置也相应改下。

如果这IP没什么毛病,再问下我看你NGINX加载了你自己的证书的,你的xray配置中的 "serverNames" 我推荐你填你SSL证书中包含的域名就行了,你没必要硬填个 www.lovelive-anime.jp

其它地方没发现问题。你看看配置了。

好的,非常感谢,我改改证书试试。
我是用docker部署的,在docker中创建了虚拟网络,nginx容器的ip地址是172.11.27.2,所以dest地址才会是这个,我感觉应该不会是这里的问题

@chika0801
Copy link
Contributor

chika0801 commented Jul 24, 2023
edited
Loading

看了下配置,你服务端Xray配置中
"dest": "172.11.27.2:8082", 这个IP我问了下GPT 截至我上次更新知识的时间是2021年9月,IP地址范围172.11.27.2不被视为私有IP地址。私有IP地址是保留在私有网络中使用,不能在公共互联网上进行路由传输。
它不是私有IP的话,你用的丢自己形式,这儿填127.0.0.1:8082,表示到本机的8082端口。你nginx配置也相应改下。
如果这IP没什么毛病,再问下我看你NGINX加载了你自己的证书的,你的xray配置中的 "serverNames" 我推荐你填你SSL证书中包含的域名就行了,你没必要硬填个 www.lovelive-anime.jp
其它地方没发现问题。你看看配置了。

好的,非常感谢,我改改证书试试。 我是用docker部署的,在docker中创建了虚拟网络,nginx容器的ip地址是172.11.27.2,所以dest地址才会是这个,我感觉应该不会是这里的问题

原来是用docker部署,那排除这IP地址,只有建议你 你的xray配置中的 "serverNames" 我推荐你填你SSL证书中包含的域名就行了,你没必要硬填个 www.lovelive-anime.jp 再推荐把你的这域名指向你的VPS IP

另外你不会只有1个VPS吧,建议同时在多个VPS上搭了再测试测试

@lanvada
Copy link
Author

lanvada commented Jul 24, 2023

看了下配置,你服务端Xray配置中
"dest": "172.11.27.2:8082", 这个IP我问了下GPT 截至我上次更新知识的时间是2021年9月,IP地址范围172.11.27.2不被视为私有IP地址。私有IP地址是保留在私有网络中使用,不能在公共互联网上进行路由传输。
它不是私有IP的话,你用的丢自己形式,这儿填127.0.0.1:8082,表示到本机的8082端口。你nginx配置也相应改下。
如果这IP没什么毛病,再问下我看你NGINX加载了你自己的证书的,你的xray配置中的 "serverNames" 我推荐你填你SSL证书中包含的域名就行了,你没必要硬填个 www.lovelive-anime.jp
其它地方没发现问题。你看看配置了。

好的,非常感谢,我改改证书试试。 我是用docker部署的,在docker中创建了虚拟网络,nginx容器的ip地址是172.11.27.2,所以dest地址才会是这个,我感觉应该不会是这里的问题

原来是用docker部署,那排除这IP地址,只有建议你 你的xray配置中的 "serverNames" 我推荐你填你SSL证书中包含的域名就行了,你没必要硬填个 www.lovelive-anime.jp 再推荐把你的这域名指向你的VPS IP

另外你不会只有1个VPS吧,建议同时在多个VPS上搭了再测试测试

我有好几个,两个vision的,六个reality的,今天上午是reality的全挂了,vision都正常。但是怪就怪在,我啥也没改呢,大概晚上八点左右就又恢复正常了

@chika0801
Copy link
Contributor

看了下配置,你服务端Xray配置中
"dest": "172.11.27.2:8082", 这个IP我问了下GPT 截至我上次更新知识的时间是2021年9月,IP地址范围172.11.27.2不被视为私有IP地址。私有IP地址是保留在私有网络中使用,不能在公共互联网上进行路由传输。
它不是私有IP的话,你用的丢自己形式,这儿填127.0.0.1:8082,表示到本机的8082端口。你nginx配置也相应改下。
如果这IP没什么毛病,再问下我看你NGINX加载了你自己的证书的,你的xray配置中的 "serverNames" 我推荐你填你SSL证书中包含的域名就行了,你没必要硬填个 www.lovelive-anime.jp
其它地方没发现问题。你看看配置了。

好的,非常感谢,我改改证书试试。 我是用docker部署的,在docker中创建了虚拟网络,nginx容器的ip地址是172.11.27.2,所以dest地址才会是这个,我感觉应该不会是这里的问题

原来是用docker部署,那排除这IP地址,只有建议你 你的xray配置中的 "serverNames" 我推荐你填你SSL证书中包含的域名就行了,你没必要硬填个 www.lovelive-anime.jp 再推荐把你的这域名指向你的VPS IP
另外你不会只有1个VPS吧,建议同时在多个VPS上搭了再测试测试

我有好几个,两个vision的,六个reality的,今天上午是reality的全挂了,vision都正常。但是怪就怪在,我啥也没改呢,大概晚上八点左右就又恢复正常了

这样的话,我也没其它建议你查看的点了。我的VPS都正常的。有偷自己的,有偷 www.lovelive-anime.jp 的。有些事不要问为什么,问也是浪费自己时间嘛。如果你喜欢把这个当每天爱好的话可以深入自己研究。网上总一直有事做不完,这样。帮不上你了。

@lanvada lanvada mentioned this issue Jul 24, 2023
Closed
@RPRX
Copy link
Member

RPRX commented Jul 24, 2023

#2017 (comment)

@RPRX RPRX closed this as not planned Won't fix, can't repro, duplicate, stale Jul 24, 2023
@lanvada lanvada mentioned this issue Jul 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@qist @lanvada @RPRX @chika0801