Proxy chain dialerProxy: reality -> trojan, Linux error: HTTP/0.9 when not allowed #1844

Closed
killbus opened this issue Mar 22, 2023 · 10 comments

killbus commented Mar 22, 2023

Problem:
With the same configuration, it works on Windows, but in a VM and in docker the following error appears:

    > curl -x socks5h://192.168.216.3:1080 ip.sb
    curl: (1) Received HTTP/0.9 when not allowed

  1. reality (out-b) -> trojan (out-a) produces the error above
  2. trojan (out-c) -> trojan (out-a) works normally

Xray version:
https://github.com/XTLS/Xray-core/releases/tag/v1.8.0

Configuration file:

{
    "log": {
        "loglevel": "info"
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 1080,
            "protocol": "socks",
            "settings": {
                "udp": true
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            },
            "tag": "in"
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "foo.com", // server domain name or IP
                        "port": 443,
                        "users": [
                            {
                                "id": "uuid", // must match the server
                                "encryption": "none",
                                "flow": "xtls-rprx-vision"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
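                    "show": false, // if true, print debug information
                    "fingerprint": "chrome", // use the uTLS library to mimic a client TLS fingerprint
                    "serverName": "foo.com", // must match the server
                    "publicKey": "pub", // public key for the private key generated on the server with xray x25519; use the "Public key" value
                    "shortId": "", // one of the server's shortIds
                    "spiderX": "/" // initial crawler path and parameters; recommended to differ per client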
                }
            },
            "tag": "out-b"
        },
        {
            "protocol": "trojan",
            "settings": {
                "servers": [
                    {
                        "address": "foo.com",
                        "port": 443,
                        "password": "passwd"
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls"
            },
            "tag": "out-c"
        },
        {
            "protocol": "trojan",
            "settings": {
                "servers": [
                    {
                        "address": "bar.com",
                        "port": 443,
                        "password": "passwd"
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "sockopt": {
                    "dialerProxy": "out-b"  // reality
                    // "dialerProxy": "out-c"  // trojan
                }
            },
            "tag": "out-a"
        }
    ],
    "routing": {
        "rules": [
            {
                "type": "field",
                "inboundTag": ["in"],
                "outboundTag": "out-a"
            }
        ]
    }
}

Log:

Xray 1.8.0 (Xray, Penetrates Everything.) Custom (go1.20.2 linux/amd64)
A unified platform for anti-censorship.
2023/03/22 08:39:09 [Info] infra/conf/serial: Reading config: /mnt/e/Studio/GFW/Xray-windows-64/config.json
2023/03/22 08:39:09 [Debug] app/log: Logger started
2023/03/22 08:39:09 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:1080
2023/03/22 08:39:09 [Info] transport/internet/tcp: listening TCP on 0.0.0.0:1080
2023/03/22 08:39:09 [Info] transport/internet/udp: listening UDP on 0.0.0.0:1080
2023/03/22 08:39:09 [Warning] core: Xray 1.8.0 started
2023/03/22 08:39:12 [Info] [2990575842] proxy/socks: TCP Connect request to tcp:ip.sb:80
2023/03/22 08:39:12 [Info] [2990575842] app/dispatcher: sniffed domain: ip.sb
2023/03/22 08:39:12 [Info] [2990575842] app/dispatcher: taking detour [out-a] for [tcp:ip.sb:80]
2023/03/22 08:39:12 [Info] [2990575842] transport/internet/tcp: dialing TCP to tcp:bar.com:443
2023/03/22 08:39:12 [Info] [2990575842] transport/internet: redirecting request tcp:bar.com:443 to out-b
2023/03/22 08:39:12 tcp:192.168.216.1:5228 accepted tcp:ip.sb:80 [in -> out-a]
2023/03/22 08:39:12 [Info] [2990575842] transport/internet/tcp: dialing TCP to tcp:foo.com:443
2023/03/22 08:39:12 [Debug] transport/internet: dialing to tcp:foo.com:443
2023/03/22 08:39:12 [Info] [2990575842] proxy/trojan: tunneling request to tcp:ip.sb:80 via bar.com:443
2023/03/22 08:39:12 [Info] [2990575842] proxy/vless/outbound: tunneling request to tcp:bar.com:443 via foo.com:443
2023/03/22 08:39:12 [Info] [2990575842] proxy/vless/encoding: XtlsFilterTls found tls client hello! 292
2023/03/22 08:39:12 [Info] [2990575842] proxy/vless/encoding: XtlsPadding 292 1085 0
2023/03/22 08:39:13 [Info] [2990575842] proxy/vless/encoding: Xtls Unpadding new block0 16 content 5105 padding 237 0
2023/03/22 08:39:13 [Info] [2990575842] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 1163 TLS_AES_128_GCM_SHA256
2023/03/22 08:39:13 [Info] [2990575842] proxy/vless/encoding: XtlsPadding 64 1109 0
2023/03/22 08:39:13 [Info] [2990575842] proxy/vless/encoding: XtlsPadding 161 1234 2
2023/03/22 08:39:13 [Info] [2990575842] proxy/vless/encoding: XtlsWrite writeV 0 1400 0
2023/03/22 08:39:13 [Info] [2990575842] proxy/vless/encoding: Xtls Unpadding new block0 0 content 158 padding 1142 2
2023/03/22 08:39:13 [Info] [2990575842] proxy/vless/encoding: XtlsRead splice
Member

RPRX commented Mar 22, 2023

What is this trying to do?

@chika0801
Contributor

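I took a look: you are using a chained proxy, and a Vision inbound only supports a clean inbound #1612 (comment)

From what I understand of your configuration, trojan sits in front of the Vision inbound, so that is why this error appears? How about not configuring it this way? Just go from the client over Vision directly to your server. Keep it simpler.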

Author

killbus commented Mar 22, 2023

It is a chained proxy; I just want to relay trojan through reality. It should be that xtls-rprx-vision-reality sits in front of the trojan inbound.

Member

RPRX commented Mar 22, 2023

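Works on Windows

Here is the thing with this bug: if you want to relay, you cannot use Vision, but REALITY H2 / gRPC actually works

I used to know only of airports (commercial proxy services) relaying SS / VMess; now Trojan has started too

Let me explain where the problem is: when you relay these protocols, many clients do support them, but it sends the wrong message to newcomers who use airports: "the airports are all using it" (famous quote)

Plenty of airports still use SS / VMess, but few of them cross the wall directly anymore; most of them use relays / IPLC, and the latter is expensive, and airports need to make money, so you can imagine what it is

For their security, see #1811 (comment). I think that layer of encryption is self-deception, because sooner or later it will all be decrypted; in front of the GFW it is effectively no different from bare Socks5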
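A check for the chain discussed in this thread, added here as an example (not code from Xray-core or from any participant): it follows `streamSettings.sockopt.dialerProxy` references in a client config and reports every outbound that is dialed through a hop using an `xtls-rprx-vision` flow, the combination the replies above say does not work for relaying. The function names and the reduced sample config are constructed for illustration.

```python
import json
import re

# Constructed sample reduced from the issue's config (same tags, placeholder values).
SAMPLE = """
{"outbounds": [
  {"tag": "out-b", "protocol": "vless",  // reality + Vision hop
   "settings": {"vnext": [{"users": [{"flow": "xtls-rprx-vision"}]}]}},
  {"tag": "out-c", "protocol": "trojan"},
  {"tag": "out-a", "protocol": "trojan",
   "streamSettings": {"sockopt": {"dialerProxy": "out-b"}}}
]}
"""

def strip_line_comments(text):
    """Drop // comments outside string literals (Xray accepts them, json.loads does not)."""
    token = r'("(?:\\.|[^"\\])*")|//[^\n]*'   # a whole string literal, or a comment
    return re.sub(token, lambda m: m.group(1) or "", text)

def uses_vision(outbound):
    """True if any vless user of this outbound sets a Vision flow."""
    users = [u for s in outbound.get("settings", {}).get("vnext", [])
             for u in s.get("users", [])]
    return any(u.get("flow", "").startswith("xtls-rprx-vision") for u in users)

def vision_relay_hops(config_text):
    """Return (outbound tag, carrying hop tag) pairs where the carrying hop uses Vision."""
    cfg = json.loads(strip_line_comments(config_text))
    by_tag = {o["tag"]: o for o in cfg["outbounds"] if "tag" in o}
    findings = []
    for tag, hop in by_tag.items():
        seen = {tag}
        while True:
            nxt = hop.get("streamSettings", {}).get("sockopt", {}).get("dialerProxy")
            if nxt in seen or nxt not in by_tag:   # end of chain, loop, or unknown tag
                break
            if uses_vision(by_tag[nxt]):
                findings.append((tag, nxt))
            seen.add(nxt)
            hop = by_tag[nxt]
    return findings

if __name__ == "__main__":
    for tag, hop in vision_relay_hops(SAMPLE):
        print(f"outbound {tag!r} is dialed through Vision hop {hop!r}")
```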

Member

RPRX commented Mar 22, 2023

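By the way, many people think the GFW exists only at the border crossings. Let me correct that: every city has it.

Airport operators think that using SS / VMess on the so-called "domestic segment" is fine, but in reality they are stripped bare.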

Member

Fangliding commented Mar 22, 2023

@RPRX There is even a wall at the optical modem (despair)

Author

killbus commented Mar 22, 2023

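I don't know about airports; I just want to securely speed up my UK node. I previously used Naiveproxy and Trojan because they seemed a bit simpler to configure. Rules and the like are handled by clash premium; I rely quite heavily on its traffic-splitting feature.

Now I want to phase out trojan and go all reality or naiveproxy, and just expose socks5 to clash

or use clash meta

For these protocols that clash does not support, I just use a local socks5 directly, so relay cannot be used either. Relaying can also be handled directly by traefik on the server side, which really is not much trouble; it only has to be set up once, and that is what I have always done.

This is my first try at a local chained proxy; I just thought this should work in theory, so I am a bit puzzled

For now, the convenient and workable approach I can think of is still clash relay, keeping trojan: local socks5 proxy - any remote proxy [- any-remote-proxy]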

Member

RPRX commented Mar 22, 2023

@killbus Switch to Clash.Meta

Author

killbus commented Mar 22, 2023

@killbus Switch to Clash.Meta

killbus closed this as completed Mar 22, 2023
RPRX closed this as not planned Mar 22, 2023
Contributor

chise0713 commented Jul 19, 2023

Regarding this, I found that you can use dokodemo-door to route into Vision to build a chained proxy:

Client

Inbound:

    {
      "listen": "127.0.0.1",
      "port": 1024,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1",
        "port": 1024,
        "network": "tcp"
      },
      "tag": "Chain-In"
    },

Outbound:

    {
      "tag": "Chain",
      "protocol": "trojan",
      "settings": {
        "servers": [
           {
             "address": "127.0.0.1",
             "port": 1024,
             "password": "",
             "level": 0,
             "flow": ""
           }
        ]
      }
    },
    {
      // your Vision outbound
    }

Routing

      {
        "type": "field",
        "inboundTag": ["Chain-In"],
        "outboundTag": "VisionTag",
        "enabled": true
      },

Server

Inbound

    {
      "tag": "inSideVision-Trojan",
      "port": "1024",
      "listen": "127.0.0.1",
      "protocol": "trojan",
      "settings":{
        "clients": [
          {
            "password": "o1rkdmSByPOrwGP8",
            "level": 0,
            "flow": ""
          }
        ]
      }
    },
    {
      // your Vision inbound
    }

Routing

      {
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "directPrivate"
      },

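I use directPrivate here because after sockOpt binds to a device it seems the local network can no longer be reached, so I route private IPs separately to a dedicated freedom outbound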
