[GH-ISSUE #183] Transparent proxy does not support Telegram after protocol conversion #113

Closed
opened 2026-02-27 23:15:30 +03:00 by kerem · 2 comments
Owner

Originally created by @yulinsoft on GitHub (Nov 25, 2018).
Original GitHub issue: https://github.com/snail007/goproxy/issues/183

The startup command is as follows:

    proxy sps -S ss -H chacha20-ietf -J ss密码 -T tcp -P SS服务器IP:10780 -t tcp -p 0.0.0.0:8080 --disable-ss --daemon --forever --log /var/log/proxy.log

The iptables commands used to set up the transparent proxy are as follows:

    iptables -t nat -N ss-redir # create a new chain named ss-redir
    iptables -t nat -A ss-redir -d $ServerIP -j RETURN # address of the server
    iptables -t nat -A ss-redir -d 0.0.0.0/8 -j RETURN
    iptables -t nat -A ss-redir -d 10.0.0.0/8 -j RETURN
    iptables -t nat -A ss-redir -d 127.0.0.0/8 -j RETURN
    iptables -t nat -A ss-redir -d 169.254.0.0/16 -j RETURN
    iptables -t nat -A ss-redir -d 172.16.0.0/12 -j RETURN
    iptables -t nat -A ss-redir -d 192.168.0.0/16 -j RETURN
    iptables -t nat -A ss-redir -s 192.168.199.224 -j RETURN
    iptables -t nat -A ss-redir -s 192.168.199.100 -j RETURN
    iptables -t nat -A ss-redir -s 192.168.199.248 -j RETURN
    iptables -t nat -A ss-redir -s 192.168.199.235 -j RETURN
    iptables -t nat -A ss-redir -s 192.168.199.149 -j RETURN
    iptables -t nat -A ss-redir -d 224.0.0.0/4 -j RETURN
    iptables -t nat -A ss-redir -d 240.0.0.0/4 -j RETURN
    iptables -t nat -A ss-redir -m set --match-set china dst -j RETURN
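    #iptables -t nat -A ss-redir -p tcp -j RETURN -m mark --mark 0xff # connect directly for traffic whose SO_MARK is 0xff (0xff is hexadecimal, numerically the same as the 255 above); this rule is meant to keep traffic proxied from this machine (the gateway) from looping
    iptables -t nat -A ss-redir -p tcp -j REDIRECT --to-ports 8080 # redirect all remaining traffic to port 8080 (i.e. proxy)
    #iptables -t nat -A ss-redir -p udp -j REDIRECT --to-ports 8080 # redirect all remaining traffic to port 8080 (i.e. proxy)
    iptables -t nat -A PREROUTING -p tcp -j ss-redir # transparently proxy the other devices on the LAN
    iptables -t nat -A OUTPUT -p tcp -j ss-redir # transparently proxy this machine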

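Browsing Google from the computer and the phone works normally.
Opening Telegram on the phone shows "Connecting" forever.
After setting the SOCKS5 proxy in Telegram to port 8080 on the router, it works normally.
The log is as follows: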

    2018/11/25 03:08:50 forever proxy [PID] 7822 running...
    2018/11/25 03:08:51 worker proxy [PID] 7830 running...
    2018/11/25 03:08:51 use tcp ss parent [ss服务器IP:10780] [ ROUNDROBIN ]
    2018/11/25 03:08:51 warn : udp only for socks parent
    2018/11/25 03:08:51 tcp http(s)+socks+ss proxy on [::]:8080
    2018/11/25 03:08:53 conn 192.168.199.242:39425 - ss服务器IP:10780 connected [91.108.56.140:443]
    2018/11/25 03:09:01 conn 192.168.199.242:39432 - ss服务器IP:10780 connected [91.108.56.140:443]
    2018/11/25 03:09:01 conn 192.168.199.242:39434 - ss服务器IP:10780 connected [91.108.56.140:443]
    2018/11/25 03:09:07 conn 192.168.199.242:39434 - ss服务器IP:10780 released [91.108.56.140:443]

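After setting the HTTP proxy in the phone's Wi-Fi settings to port 8080 on the router, Telegram shows "Connecting", the same as with the transparent proxy.

The log with the transparent proxy is as follows: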

    2018/11/25 03:29:59 forever proxy [PID] 9548 running...
    2018/11/25 03:29:59 worker proxy [PID] 9577 running...
    2018/11/25 03:30:00 use tcp ss parent [ss服务器IP:10780] [ ROUNDROBIN ]
    2018/11/25 03:30:00 warn : udp only for socks parent
    2018/11/25 03:30:00 tcp http(s)+socks+ss proxy on [::]:8080
    2018/11/25 03:30:07 SNI:https://www.google.com:443
    2018/11/25 03:30:07 conn 192.168.199.242:41870 - ss服务器IP:10780 connected [www.google.com:443]
    2018/11/25 03:30:11 GET:https://httpbin.org/get?show_env=1
    2018/11/25 03:30:12 conn 180.163.220.99:28492 - ss服务器IP:10780 connected [httpbin.org:80]
    2018/11/25 03:30:12 conn 192.168.199.242:41870 - ss服务器IP:10780 released [www.google.com:443]
    2018/11/25 03:30:12 SNI:https://www.google.ru:443
    2018/11/25 03:30:12 conn 180.163.220.99:28492 - ss服务器IP:10780 released [httpbin.org:80]
    2018/11/25 03:30:12 conn 192.168.199.242:46840 - ss服务器IP:10780 connected [www.google.ru:443]
    2018/11/25 03:30:17 SNI:https://www.google.com:443
    2018/11/25 03:30:19 conn 192.168.199.242:42117 - ss服务器IP:10780 connected [www.google.com:443]
    2018/11/25 03:30:23 conn 192.168.199.242:42117 - ss服务器IP:10780 released [www.google.com:443]
    2018/11/25 03:30:28 SNI:https://www.google.com:443
    2018/11/25 03:30:29 conn 192.168.199.242:42384 - ss服务器IP:10780 connected [www.google.com:443]

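With the same IP rules, Telegram works normally under v2ray and ss-redir, so I suspect that under these conditions proxy's transparent proxy only handles the HTTP proxy and does not handle the SOCKS proxy. I feel the normal flow should be for the transparent proxy to forward to the lower-level SOCKS proxy; I am not sure whether that is right.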

kerem closed this issue 2026-02-27 23:15:30 +03:00
Author
Owner

@yulinsoft commented on GitHub (Nov 25, 2018):

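I suggest giving the transparent proxy a dedicated port, as v2ray does, so that user authentication can still be set for HTTP and SOCKS without affecting the transparent proxy. As things stand, once user authentication is set, the transparent proxy can no longer be used.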

Author
Owner

@snail007 commented on GitHub (Feb 26, 2019):

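The manual already states that the transparent proxy only supports the http(s) protocol; the destination address is obtained from the http(s) protocol, not from the socket redirected by iptables.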

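The distinction in the reply above, as an added Go example that is not goproxy's own code: a listener that takes the destination only from the connection's first bytes (TLS SNI or HTTP Host) learns nothing from a client that speaks neither protocol, the case the thread describes for Telegram. `sniffDest`, `sni` and the three sample inputs are hypothetical names and constructed data.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
)

// sniffDest returns the destination named in a connection's first bytes, or "".
func sniffDest(b []byte) string {
	if len(b) > 5 && b[0] == 0x16 && b[5] == 0x01 { // TLS record with a ClientHello
		return sni(b[5:])
	}
	if req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(b))); err == nil {
		return req.Host // plain HTTP: the Host header
	}
	return "" // opaque protocol: only the socket's original destination knows
}

// sni walks a ClientHello handshake message to its server_name extension.
func sni(h []byte) string {
	at := func(i int) int { // byte at i, or 0 past the end of a truncated hello
		if i < len(h) {
			return int(h[i])
		}
		return 0
	}
	p := 38                     // handshake header (4) + version (2) + random (32)
	p += 1 + at(p)              // session id
	p += 2 + at(p)<<8 + at(p+1) // cipher suites
	p += 1 + at(p)              // compression methods
	for p += 2; p+4 <= len(h); { // p += 2 skips the total extensions length
		typ, n, l := at(p)<<8+at(p+1), at(p+2)<<8+at(p+3), at(p+7)<<8+at(p+8)
		if typ == 0 && 5+l <= n && p+4+n <= len(h) { // data: list len, name type, name len l, name
			return string(h[p+9 : p+9+l])
		}
		p += 4 + n
	}
	return ""
}
// Constructed sample inputs, not captured traffic.
var tlsHello = []byte("\x16\x03\x01\x00\x46\x01\x00\x00\x42\x03\x03" + string(make([]byte, 32)) +
	"\x00\x00\x02\x13\x01\x01\x00\x00\x17\x00\x00\x00\x13\x00\x11\x00\x00\x0e" + "www.google.com")
var httpGet = []byte("GET /get?show_env=1 HTTP/1.1\r\nHost: httpbin.org\r\n\r\n")
var opaque = bytes.Repeat([]byte{0xef}, 64) // neither HTTP nor TLS
func main() {
	fmt.Printf("%q %q %q\n", sniffDest(tlsHello), sniffDest(httpGet), sniffDest(opaque))
}
```

A redirect-mode proxy that handles arbitrary TCP instead reads the pre-NAT destination from the accepted socket (on Linux, the `SO_ORIGINAL_DST` socket option), which needs no cooperation from the application protocol.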