mirror of
https://github.com/snail007/goproxy.git
synced 2026-04-27 00:15:51 +03:00
[GH-ISSUE #456] How long is the certificate valid for? After the last two network outages, forwarding suddenly stopped working #363
Originally created by @geekli on GitHub (Nov 18, 2021).
Original GitHub issue: https://github.com/snail007/goproxy/issues/456
Expected Behavior
Current Behavior
After the client side goes offline (a power-cycle reboot, or a network drop),
forwarding breaks.
The server-side log shows:
tls handshake fail from <client public IP>:31363, write tcp <server internal IP>:33080-><client public IP>:31363: write: connection reset by peer
Possible Solution
Steps to Reproduce
Context (Environment)
proxy version is : free_11.2
full command is :
client /usr/local/bin/goproxy client --k gxweb -P "xxxx.com:33080" -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key
server /usr/local/bin/goproxy bridge -p ":33080" -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key
server /usr/local/bin/goproxy server --k gxweb -P "127.0.0.1:33080" -C /etc/goproxy/proxy.crt -K /etc/goproxy/proxy.key -r "tcp://127.0.0.1:8088@:8088"
system is : Ubuntu Server
full log is:
2021/11/18 13:32:01.628573 WARN tls handshake fail from 【clientip】:28192, write tcp 10.15.0.242:33080->【clientip】:28192: write: connection reset by peer
2021/11/18 13:32:01.628610 WARN attacking access 【clientip】:28192 <--> 10.15.0.242:33080
2021/11/18 13:32:01.675112 WARN tls handshake fail from 【clientip】:31197, write tcp 10.15.0.242:33080->【clientip】:31197: write: connection reset by peer
2021/11/18 13:32:01.675223 WARN attacking access 【clientip】:31197 <--> 10.15.0.242:33080
2021/11/18 13:32:01.675112 WARN tls handshake fail from 【clientip】:28194, write tcp 10.15.0.242:33080->【clientip】:28194: write: connection reset by peer
2021/11/18 13:32:01.675260 WARN attacking access 【clientip】:28194 <--> 10.15.0.242:33080
2021/11/18 13:32:02.307119 WARN client gxweb session not exists for server stream ac19b02a8aa65ecdd9f3cbeeaf79d07d7aa81855, retrying...
2021/11/18 13:32:02.420367 WARN client gxweb session not exists for server stream ac19b02a8aa65ecdd9f3cbeeaf79d07d7aa81855, retrying...
2021/11/18 13:32:02.550287 WARN client gxweb session not exists for server stream ac19b02a8aa65ecdd9f3cbeeaf79d07d7aa81855, retrying...
2021/11/18 13:32:02.600531 WARN tls handshake fail from 【clientip】:31186, write tcp 10.15.0.242:33080->【clientip】:31186: write: connection reset by peer
2021/11/18 13:32:02.600605 WARN attacking access 【clientip】:31186 <--> 10.15.0.242:33080
Detailed Description
Possible Implementation
@snail007 commented on GitHub (Nov 18, 2021):
The certificate is valid for 365 days by default; you can change that with a parameter.
@geekli commented on GitHub (Nov 18, 2021):
But both times forwarding failed, the certificate had been generated less than a month earlier.
The first time was after the client-side server was power-cycled;
the second time was after the client-side server lost its network connection.
Restarting the client and the server did not help either.
@geekli commented on GitHub (Nov 24, 2021):
The same problem appeared again today after a network drop.
@snail007 commented on GitHub (Nov 24, 2021):
Post the logs from all three ends.
@geekli commented on GitHub (Nov 25, 2021):
Yesterday I regenerated the certificate; I had launched it directly, so I can no longer see those logs.
I then started a new server and client with yesterday's certificate (on the same machine, one on the public network and one on the internal network).
Below are the logs from all three ends.
## Bridge log
2021/11/25 10:27:53.236330 server/server.go:109 WARN tls handshake fail from 【clientIP】:28632, write tcp 10.15.0.242:33080->【clientIP】:28632: write: connection reset by peer
2021/11/25 10:27:53.236382 server/server.go:59 WARN attacking access 【clientIP】:28632 <--> 10.15.0.242:33080
2021/11/25 10:27:53.239338 server/server.go:109 WARN tls handshake fail from 【clientIP】:30760, write tcp 10.15.0.242:33080->【clientIP】:30760: write: connection reset by peer
2021/11/25 10:27:53.239381 server/server.go:59 WARN attacking access 【clientIP】:30760 <--> 10.15.0.242:33080
2021/11/25 10:27:53.242182 server/server.go:109 WARN tls handshake fail from 【clientIP】:30759, write tcp 10.15.0.242:33080->【clientIP】:30759: write: connection reset by peer
2021/11/25 10:27:53.242220 server/server.go:59 WARN attacking access 【clientIP】:30759 <--> 10.15.0.242:33080
2021/11/25 10:27:53.244850 server/server.go:109 WARN tls handshake fail from 【clientIP】:28630, write tcp 10.15.0.242:33080->【clientIP】:28630: write: connection reset by peer
2021/11/25 10:27:53.244883 server/server.go:59 WARN attacking access 【clientIP】:28630 <--> 10.15.0.242:33080
2021/11/25 10:27:53.247551 server/server.go:109 WARN tls handshake fail from 【clientIP】:30761, write tcp 10.15.0.242:33080->【clientIP】:30761: write: connection reset by peer
2021/11/25 10:27:53.247586 server/server.go:59 WARN attacking access 【clientIP】:30761 <--> 10.15.0.242:33080
2021/11/25 10:27:53.251170 server/server.go:109 WARN tls handshake fail from 【clientIP】:28631, write tcp 10.15.0.242:33080->【clientIP】:28631: write: connection reset by peer
2021/11/25 10:27:53.251227 server/server.go:59 WARN attacking access 【clientIP】:28631 <--> 10.15.0.242:33080
2021/11/25 10:27:53.251797 server/server.go:109 WARN tls handshake fail from 【clientIP】:30763, write tcp 10.15.0.242:33080->【clientIP】:30763: write: connection reset by peer
2021/11/25 10:27:53.251962 server/server.go:59 WARN attacking access 【clientIP】:30763 <--> 10.15.0.242:33080
2021/11/25 10:27:53.255252 server/server.go:109 WARN tls handshake fail from 【clientIP】:28628, write tcp 10.15.0.242:33080->【clientIP】:28628: write: connection reset by peer
2021/11/25 10:27:53.255305 server/server.go:59 WARN attacking access 【clientIP】:28628 <--> 10.15.0.242:33080
2021/11/25 10:27:53.256394 server/server.go:109 WARN tls handshake fail from 【clientIP】:30762, write tcp 10.15.0.242:33080->【clientIP】:30762: write: connection reset by peer
2021/11/25 10:27:53.256555 server/server.go:59 WARN attacking access 【clientIP】:30762 <--> 10.15.0.242:33080
2021/11/25 10:27:53.258289 server/server.go:109 WARN tls handshake fail from 【clientIP】:28629, write tcp 10.15.0.242:33080->【clientIP】:28629: write: connection reset by peer
## client log
2021/11/25 10:27:42.136387 INFO use tls parent xxx.com:33080
2021/11/25 10:27:42.136459 INFO client started
2021/11/25 10:27:42.136464 INFO session worker[1] started
2021/11/25 10:27:42.136472 INFO session worker[2] started
2021/11/25 10:27:42.136475 INFO session worker[3] started
2021/11/25 10:27:42.136479 INFO session worker[4] started
2021/11/25 10:27:42.136483 INFO session worker[5] started
2021/11/25 10:27:42.136486 INFO session worker[6] started
2021/11/25 10:27:42.136489 INFO session worker[7] started
2021/11/25 10:27:42.136492 INFO session worker[8] started
2021/11/25 10:27:42.136495 INFO session worker[9] started
2021/11/25 10:27:42.136498 INFO session worker[10] started
2021/11/25 10:27:44.137268 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137314 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137401 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137345 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137301 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137338 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137375 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137403 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137442 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:44.137272 WARN connection err: dial tcp: i/o timeout, retrying...
2021/11/25 10:27:47.189976 WARN connection err: read tcp 10.10.2.251:43224->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.190117 WARN connection err: read tcp 10.10.2.251:43226->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.190549 WARN connection err: read tcp 10.10.2.251:43228->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.190750 WARN connection err: read tcp 10.10.2.251:43230->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.190932 WARN connection err: read tcp 10.10.2.251:43220->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.192425 WARN connection err: read tcp 10.10.2.251:43232->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.193655 WARN connection err: read tcp 10.10.2.251:43218->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.193745 WARN connection err: read tcp 10.10.2.251:43216->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.194773 WARN connection err: read tcp 10.10.2.251:43214->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:47.195723 WARN connection err: read tcp 10.10.2.251:43222->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.210704 WARN connection err: read tcp 10.10.2.251:43238->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.210809 WARN connection err: read tcp 10.10.2.251:43240->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.212211 WARN connection err: read tcp 10.10.2.251:43250->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.214270 WARN connection err: read tcp 10.10.2.251:43254->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.214329 WARN connection err: read tcp 10.10.2.251:43242->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.215935 WARN connection err: read tcp 10.10.2.251:43256->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.215988 WARN connection err: read tcp 10.10.2.251:43248->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.216956 WARN connection err: read tcp 10.10.2.251:43258->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.218422 WARN connection err: read tcp 10.10.2.251:43252->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:50.221246 WARN connection err: read tcp 10.10.2.251:43246->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.231350 WARN connection err: read tcp 10.10.2.251:43260->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.231463 WARN connection err: read tcp 10.10.2.251:43262->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.232991 WARN connection err: read tcp 10.10.2.251:43264->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.234602 WARN connection err: read tcp 10.10.2.251:43266->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.234946 WARN connection err: read tcp 10.10.2.251:43268->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.238318 WARN connection err: read tcp 10.10.2.251:43276->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.240013 WARN connection err: read tcp 10.10.2.251:43270->【bridgeIP】:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.241832 WARN connection err: read tcp 10.10.2.251:43272->【bridgeIP】:33080: read: connection reset by peer, retrying...
## server log (it seems the connection never succeeded, so there is nothing logged here)
2021/11/25 10:06:38.372368 INFO use tls parent 127.0.0.1:33080
2021/11/25 10:06:38.372423 INFO server id: 5da3356e49fa7a31d91e5548265cafbe61ff73cc
2021/11/25 10:06:38.372534 INFO server on 127.0.0.1:8099
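Reading the bridge and client logs side by side: the bridge reports each handshake dying on an inbound RST ("write: connection reset by peer") and then logs the same ip:port as "attacking access", while at the same moment the client reports its side of the same connections dying on an inbound RST ("read: connection reset by peer"). Neither program sends a reset on purpose, so a RST arriving at both ends is the signature of something on the path injecting them. The Go below is an added example, not code from goproxy or from anyone in the thread: it tallies handshake failures per source IP, pairs them with the "attacking access" lines, and checks the both-ends-reset pairing. The sample lines are constructed after the ones above, with documentation-range addresses (203.0.113.7, 198.51.100.9, 192.0.2.1) standing in for the real ones.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample log lines, modelled on the bridge and client logs in the
// thread; the addresses are documentation-range placeholders, not the reporter's.
const bridgeLog = `2021/11/25 10:27:53.236330 server/server.go:109 WARN tls handshake fail from 203.0.113.7:28632, write tcp 10.15.0.242:33080->203.0.113.7:28632: write: connection reset by peer
2021/11/25 10:27:53.236382 server/server.go:59 WARN attacking access 203.0.113.7:28632 <--> 10.15.0.242:33080
2021/11/25 10:27:53.239338 server/server.go:109 WARN tls handshake fail from 203.0.113.7:30760, write tcp 10.15.0.242:33080->203.0.113.7:30760: write: connection reset by peer
2021/11/25 10:27:53.239381 server/server.go:59 WARN attacking access 203.0.113.7:30760 <--> 10.15.0.242:33080
2021/11/25 10:27:55.100000 server/server.go:109 WARN tls handshake fail from 198.51.100.9:4444, read tcp 10.15.0.242:33080->198.51.100.9:4444: EOF`

const clientLog = `2021/11/25 10:27:53.231350 WARN connection err: read tcp 10.10.2.251:43260->192.0.2.1:33080: read: connection reset by peer, retrying...
2021/11/25 10:27:53.231463 WARN connection err: read tcp 10.10.2.251:43262->192.0.2.1:33080: read: connection reset by peer, retrying...`

const tsLayout = "2006/01/02 15:04:05.000000"

var (
	failRe   = regexp.MustCompile(`^(\S+ \S+) .*WARN tls handshake fail from (\d+\.\d+\.\d+\.\d+):(\d+), (.+)$`)
	attackRe = regexp.MustCompile(`^(\S+ \S+) .*WARN attacking access (\d+\.\d+\.\d+\.\d+:\d+) <--> `)
	clientRe = regexp.MustCompile(`^(\S+ \S+) WARN connection err: read tcp \S+->(\S+): read: connection reset by peer`)
)

// PeerStats is what the bridge logged about one source IP.
type PeerStats struct {
	Failures int // "tls handshake fail" lines
	Resets   int // of those, the ones caused by an inbound RST
	Flagged  int // of those, the ones the bridge then logged as "attacking access"
	First    time.Time
	Last     time.Time
}

// SummarizeBridge tallies handshake failures per source IP and pairs each one
// with the "attacking access" line the bridge emits for the same ip:port.
func SummarizeBridge(text string) map[string]*PeerStats {
	stats := map[string]*PeerStats{}
	failedFrom := map[string]string{} // ip:port -> ip
	for _, line := range strings.Split(text, "\n") {
		if m := failRe.FindStringSubmatch(line); m != nil {
			ts, err := time.Parse(tsLayout, m[1])
			if err != nil {
				continue
			}
			s := stats[m[2]]
			if s == nil {
				s = &PeerStats{First: ts}
				stats[m[2]] = s
			}
			s.Failures++
			if strings.Contains(m[4], "connection reset by peer") {
				s.Resets++
			}
			if ts.After(s.Last) {
				s.Last = ts
			}
			failedFrom[m[2]+":"+m[3]] = m[2]
		} else if m := attackRe.FindStringSubmatch(line); m != nil {
			if ip, ok := failedFrom[m[2]]; ok {
				stats[ip].Flagged++
			}
		}
	}
	return stats
}

// ResetOnBothSides reports whether a handshake on the bridge died on an inbound
// RST within window of the client seeing its connection to bridgeAddr die on an
// inbound RST too. The two hosts' clocks drift, so choose window generously.
func ResetOnBothSides(bridgeText, clientText, bridgeAddr string, window time.Duration) bool {
	var bridgeResets, clientResets []time.Time
	for _, line := range strings.Split(bridgeText, "\n") {
		m := failRe.FindStringSubmatch(line)
		if m == nil || !strings.Contains(m[4], "write: connection reset by peer") {
			continue
		}
		if ts, err := time.Parse(tsLayout, m[1]); err == nil {
			bridgeResets = append(bridgeResets, ts)
		}
	}
	for _, line := range strings.Split(clientText, "\n") {
		m := clientRe.FindStringSubmatch(line)
		if m == nil || m[2] != bridgeAddr {
			continue
		}
		if ts, err := time.Parse(tsLayout, m[1]); err == nil {
			clientResets = append(clientResets, ts)
		}
	}
	for _, b := range bridgeResets {
		for _, c := range clientResets {
			d := b.Sub(c)
			if d < 0 {
				d = -d
			}
			if d <= window {
				return true
			}
		}
	}
	return false
}

func main() {
	stats := SummarizeBridge(bridgeLog)
	ips := make([]string, 0, len(stats))
	for ip := range stats {
		ips = append(ips, ip)
	}
	sort.Strings(ips)
	for _, ip := range ips {
		s := stats[ip]
		fmt.Printf("%-15s failures=%d resets=%d flagged=%d span=%s\n", ip, s.Failures, s.Resets, s.Flagged, s.Last.Sub(s.First))
	}
	fmt.Println("RST seen at both ends:", ResetOnBothSides(bridgeLog, clientLog, "192.0.2.1:33080", 2*time.Second))
}
```

Feed it the real bridge and client logs (with the real bridge address in place of 192.0.2.1:33080) and a window wide enough to cover the clock offset between the two machines; a peer whose failures are all resets, all flagged, and all mirrored by resets on the client is the pattern in this thread, whereas a peer with EOFs or bad-record errors and no client-side counterpart is an ordinary scanner.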
@snail007 commented on GitHub (Nov 26, 2021):
It is almost certainly the TLS traffic being blocked in transit; there is probably network inspection between the client and the bridge.
@geekli commented on GitHub (Dec 6, 2021):
That's strange then; both the client and the bridge are inside China.
The bridge is an aliyun server. This only started in the last few months; before that it ran stably for a year or two without any problem.
@geekli commented on GitHub (Dec 6, 2021):
Also, today there seems to have been no network drop (or maybe there was one I didn't notice; at least no long one),
and the same problem appeared again.
@iambus commented on GitHub (Dec 9, 2021):
Same as the problem I've been hitting these past few days; my certificate is valid for ten years. The odd thing is that regenerating the certificate fixes it, and then the next day it stops working again.
@iambus commented on GitHub (Dec 10, 2021):
I suspect Alibaba Cloud Shield (阿里云盾). Setting an IP whitelist and uninstalling the agent did not solve it. No other option for now; I'll rotate the certificate once more and check again tomorrow. These days I have to change the certificate once a day.
@devsvc commented on GitHub (Dec 14, 2021):
Same problem, aliyun; now a freshly generated certificate only lasts ten or twenty minutes.
@devsvc commented on GitHub (Dec 15, 2021):
There is nothing useful in the logs, so I tried a packet capture. I don't know the protocol well, but something looks a bit odd:
Across the two connection attempts, this time value in the packets jumps around quite arbitrarily.
I don't know whether that is by design; hoping this helps a little.
@snail007 commented on GitHub (Dec 16, 2021):
Was this captured on the client side, or on the server side?
@devsvc commented on GitHub (Dec 16, 2021):
Server side.
@snail007 commented on GitHub (Dec 16, 2021):
Then that proves Alibaba Cloud is interfering: its technique is to modify the timestamp field in the TLS handshake packet so that the handshake fails, blocking TLS connections it has decided should not be allowed.
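A way to look at the field devsvc's capture shows, as an added example rather than goproxy's code or the reporter's capture: TLS 1.0 through 1.2 (RFC 5246, section 7.4.1.2) define the first four bytes of the ClientHello Random as gmt_unix_time, and that is the "time" a packet dissector labels there. The Go below extracts Random from a raw handshake record and tests whether its leading bytes are close to the local clock. It wraps a chosen Random in a constructed ClientHello to exercise the parser, and also captures the ClientHello that Go's own crypto/tls emits, over an in-memory pipe with no network involved. One caveat a practitioner should keep in mind: TLS 1.3 (RFC 8446) dropped the timestamp altogether, and Go's crypto/tls fills all 32 bytes of Random from the CSPRNG, so a "time" that jumps between connections is what a Go client sends by itself. Only a capture taken at both ends of the same connection, compared byte for byte, shows whether anything in between rewrote it.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// ClientHelloRandom pulls the legacy client_version and the 32-byte Random out
// of a raw TLS record carrying a ClientHello (record header, handshake header,
// version, Random), at the same offsets a dissector uses.
func ClientHelloRandom(rec []byte) (random [32]byte, version uint16, err error) {
	if len(rec) < 5 || rec[0] != 0x16 {
		return random, 0, errors.New("not a TLS handshake record")
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if recLen < 4 || len(rec) < 5+recLen {
		return random, 0, errors.New("truncated record")
	}
	body := rec[5 : 5+recLen]
	if body[0] != 0x01 {
		return random, 0, errors.New("not a ClientHello")
	}
	hsLen := int(body[1])<<16 | int(body[2])<<8 | int(body[3])
	hs := body[4:]
	if hsLen < 34 || len(hs) < hsLen {
		return random, 0, errors.New("truncated ClientHello")
	}
	version = binary.BigEndian.Uint16(hs[0:2])
	copy(random[:], hs[2:34])
	return random, version, nil
}

// RandomClock reads the first four bytes of Random as the gmt_unix_time that
// TLS 1.0-1.2 defined there; for TLS 1.3 or a Go client it is just random bytes.
func RandomClock(r [32]byte) time.Time {
	return time.Unix(int64(binary.BigEndian.Uint32(r[:4])), 0).UTC()
}

// ClockPlausible reports whether that value lies within slack of now.
func ClockPlausible(r [32]byte, now time.Time, slack time.Duration) bool {
	d := now.Sub(RandomClock(r))
	if d < 0 {
		d = -d
	}
	return d <= slack
}

// buildClientHello wraps a chosen Random in a minimal TLS 1.2 ClientHello record
// (constructed test input: empty session id, one cipher suite, null compression,
// no extensions).
func buildClientHello(random [32]byte) []byte {
	body := []byte{0x03, 0x03}
	body = append(body, random[:]...)
	body = append(body, 0x00)                   // session_id length
	body = append(body, 0x00, 0x02, 0xc0, 0x2f) // cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	body = append(body, 0x01, 0x00)             // compression_methods: null
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

// CaptureGoClientHello runs crypto/tls's client side over an in-memory pipe and
// returns the first record it writes: a real Go ClientHello, obtained offline.
func CaptureGoClientHello() ([]byte, error) {
	clientSide, serverSide := net.Pipe()
	defer serverSide.Close() // fails the client's handshake once we hold the record
	go func() {
		_ = tls.Client(clientSide, &tls.Config{ServerName: "example.invalid"}).Handshake()
		clientSide.Close()
	}()
	hdr := make([]byte, 5)
	if _, err := io.ReadFull(serverSide, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:5]))
	if _, err := io.ReadFull(serverSide, body); err != nil {
		return nil, err
	}
	return append(hdr, body...), nil
}

func main() {
	var r [32]byte
	binary.BigEndian.PutUint32(r[:4], uint32(time.Now().Unix())) // what a TLS 1.2-era stack put there
	got, ver, _ := ClientHelloRandom(buildClientHello(r))
	fmt.Printf("constructed:   version=%#04x clock=%s plausible=%v\n", ver, RandomClock(got), ClockPlausible(got, time.Now(), time.Hour))

	rec, err := CaptureGoClientHello()
	if err != nil {
		fmt.Println("capture failed:", err)
		return
	}
	got, ver, err = ClientHelloRandom(rec)
	fmt.Printf("go crypto/tls: err=%v version=%#04x clock=%s plausible=%v\n", err, ver, RandomClock(got), ClockPlausible(got, time.Now(), time.Hour))
}
```

The second line of output will, apart from a negligible chance, show a clock decades away from now: that is a Go client working as designed. To apply the same parser to a pcap, hand it the TCP payload of the first packet from the client after the three-way handshake.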
@devsvc commented on GitHub (Dec 16, 2021):
According to some information found online, Cloud Shield checks the domain name in the certificate and blocks the connection if the domain has no ICP filing (备案).
Source: https://developer.aliyun.com/article/708243
I regenerated the certificate, specifying the domain with the -n parameter, and so far it does indeed work; it may need to run for a while before I can be sure. (Before specifying it, it basically could not connect at all, and even when it did connect, once the connection dropped it would never connect again.)
We happen to have a domain with an ICP filing that points at this very server, so I don't know whether it also works when the domain and the server don't match; anyone interested can try.
Posted for others who run into a similar problem.
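devsvc's fix turns on what the certificate says about itself, so it is worth being able to read that out of the deployed proxy.crt instead of guessing. The Go below is an added example (not goproxy's own keygen command) that issues a self-signed certificate either with no hostname at all or with a chosen domain in both the CN and the DNS subjectAltName, reads the names and remaining validity back out of the PEM, and applies the hostname check a TLS client would. bridge.example.com is a placeholder domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert issues a self-signed leaf certificate. With domain == "" it
// carries only a generic CN and no SAN; otherwise the domain goes into both the
// CN and the DNS subjectAltName, which is what clients (and anything reading the
// handshake) match against.
func SelfSignedCert(domain string, validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "proxy"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if domain != "" {
		tmpl.Subject.CommonName = domain
		tmpl.DNSNames = []string{domain}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// CertInfo is what a PEM certificate says about itself.
type CertInfo struct {
	CommonName string
	DNSNames   []string
	NotAfter   time.Time
	DaysLeft   int
}

func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CertNames reads the names and remaining validity out of a PEM certificate;
// run it against the deployed proxy.crt before blaming expiry.
func CertNames(certPEM []byte, now time.Time) (CertInfo, error) {
	c, err := parseCert(certPEM)
	if err != nil {
		return CertInfo{}, err
	}
	return CertInfo{
		CommonName: c.Subject.CommonName,
		DNSNames:   c.DNSNames,
		NotAfter:   c.NotAfter,
		DaysLeft:   int(c.NotAfter.Sub(now).Hours() / 24),
	}, nil
}

// ValidForHost applies the hostname check a TLS client performs. Go matches
// only the DNS SANs; a domain present only in the CN does not count.
func ValidForHost(certPEM []byte, host string) bool {
	c, err := parseCert(certPEM)
	if err != nil {
		return false
	}
	return c.VerifyHostname(host) == nil
}

func main() {
	for _, domain := range []string{"", "bridge.example.com"} { // placeholder domain
		certPEM, _, err := SelfSignedCert(domain, 365*24*time.Hour)
		if err != nil {
			panic(err)
		}
		info, _ := CertNames(certPEM, time.Now())
		fmt.Printf("CN=%q SAN=%v daysLeft=%d validFor(bridge.example.com)=%v\n",
			info.CommonName, info.DNSNames, info.DaysLeft, ValidForHost(certPEM, "bridge.example.com"))
	}
}
```

Two things follow from running this against a real deployment. CertNames on proxy.crt settles the expiry question from the first reply (goproxy's default is 365 days) in seconds. And the names it prints are exactly what crosses the wire unencrypted: in TLS 1.2 the server's certificate is sent in the clear before the session is encrypted, and in every TLS version short of Encrypted Client Hello the client's SNI is cleartext too, which is what an in-path inspector can match against.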
@dadigang commented on GitHub (Apr 5, 2022):
Regenerated the certificate and specified the domain with the -n parameter: ok.