acl not working #1837

Open
shurakenas opened this issue Jan 7, 2025 · 4 comments

@shurakenas

Does not work by domain name. If you specify an IP, only then the traffic goes through a proxy. What am I doing wrong?

/etc/shadowsocks/config.json:

{
    "server":"my_ip",
    "server_port":my_port,
    "local_address": "my_local_ip",
    "local_port":my_local_port,
    "password":"my_password",
    "timeout":5,
    "method":"chacha20-ietf-poly1305",
    "acl":"/etc/shadowsocks/hosts.acl",
    "plugin": "/etc/shadowsocks/simple-tls",
    "plugin_opts": "cert-hash=my_cert_hash;no-verify;n=my_domen"
}

/etc/shadowsocks/hosts.acl:

[bypass_all]

[proxy_list]
^[a-z]{5}\.2ip\.ru
^[a-z]{5}\.ident\.me
@zonyitoo
Collaborator

zonyitoo commented Jan 7, 2025

It works perfectly fine with your configuration. How did you test? How to reproduce? What did you see in the log?

@shurakenas
Author

shurakenas commented Jan 7, 2025

I am using a proxy client in the Keenetic router to redirect traffic to the proxy. The proxy itself is raised on a separate virtual machine in its local network. If I use it without "acl":"/etc/shadowsocks/hosts.acl", then everything works fine, all sites go through a proxy. But I need to run some sites through a proxy, not all of them. As soon as I use the ACL, the regular expression for the domain name does not work, but if you specify the IP address of the site, it will work. Moreover, if you omit the topic with the Keenetic router and specify the proxy address in the browser, then there will be no problem. I understand that it has something to do with the DNS and the Keenetic router. DNS in the router uses DNS-over-HTTPS. I would be grateful if you could help me figure it out.

@zonyitoo
Collaborator

zonyitoo commented Jan 8, 2025

What version of sslocal are you using? Could you run sslocal with -vvv and see what exactly was happening?

@shurakenas
Author

version sslocal - 1.22.0

part of the log at startup

2025-01-08T09:25:52.346508549+03:00 TRACE main ThreadId(01) shadowsocks_rust::service::local: src/service/local.rs:618: Config { log: LogConfig { level: 3, format: LogFormatConfig { without_time: false }, config_path: None }, runtime: RuntimeConfig { worker_count: None, mode: MultiThread } }
2025-01-08T09:25:52.346680679+03:00 TRACE main ThreadId(01) shadowsocks_service::acl: crates/shadowsocks-service/src/acl/mod.rs:347: ACL loading from "/etc/shadowsocks/hosts.acl"
2025-01-08T09:25:52.346701675+03:00 TRACE main ThreadId(01) shadowsocks_service::acl: crates/shadowsocks-service/src/acl/mod.rs:362: ACL parsing start from mode BlackList and black_list / bypass_list
2025-01-08T09:25:52.346730914+03:00 TRACE main ThreadId(01) shadowsocks_service::acl: crates/shadowsocks-service/src/acl/mod.rs:395: switch to mode WhiteList
2025-01-08T09:25:52.346741567+03:00 TRACE main ThreadId(01) shadowsocks_service::acl: crates/shadowsocks-service/src/acl/mod.rs:411: loading white_list / proxy_list
2025-01-08T09:25:52.346991791+03:00 TRACE main ThreadId(01) shadowsocks_service::acl: crates/shadowsocks-service/src/acl/mod.rs:222: REGEX-RULE ident.me
2025-01-08T09:25:52.349340236+03:00 TRACE main ThreadId(01) shadowsocks_rust::sys: src/sys.rs:25: rlimit NOFILE rlimit { rlim_cur: 1024, rlim_max: 524288 } require adjustion
2025-01-08T09:25:52.349359055+03:00 DEBUG main ThreadId(01) shadowsocks_rust::sys: src/sys.rs:72: rlimit NOFILE adjusted rlimit { rlim_cur: 524288, rlim_max: 524288 }
2025-01-08T09:25:52.349377516+03:00  INFO main ThreadId(01) shadowsocks_rust::service::local: src/service/local.rs:982: shadowsocks local 1.22.0 build 2025-01-02T14:53:49.390696600+00:00
2025-01-08T09:25:52.349558292+03:00 TRACE main ThreadId(01) mio::poll: /cargo/registry/src/index.crates.io-6f17d22bba15001f/mio-1.0.3/src/poll.rs:571: registering event source with poller: token=Token(1), interests=READABLE

Part of the log when accessing the site ident.me (49.12.234.183). As can be seen in the first line of the log, CONNECT 49.12.234.183:80, for some reason the IP address appears instead of the name. At this moment, the proxy client in the Keenetic router is being used to redirect traffic to ss; no proxy is specified in the browser.

2025-01-08T09:26:40.635380082+03:00 DEBUG tokio-runtime-worker ThreadId(02) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:208: CONNECT 49.12.234.183:80
2025-01-08T09:26:40.63547977+03:00 TRACE tokio-runtime-worker ThreadId(02) mio::poll: /cargo/registry/src/index.crates.io-6f17d22bba15001f/mio-1.0.3/src/poll.rs:571: registering event source with poller: token=Token(934829823535023), interests=READABLE | WRITABLE
2025-01-08T09:26:40.695346417+03:00 TRACE tokio-runtime-worker ThreadId(02) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:267: sent header: TcpResponseHeader { reply: Succeeded, address: 192.168.253.100:51504 }
2025-01-08T09:26:40.69538493+03:00 DEBUG tokio-runtime-worker ThreadId(02) shadowsocks_service::local::utils: /project/crates/shadowsocks-service/src/local/utils.rs:103: established tcp tunnel 192.168.253.50:50564 <-> 49.12.234.183:80 bypassed
2025-01-08T09:26:41.058859047+03:00 TRACE tokio-runtime-worker ThreadId(02) mio::poll: /cargo/registry/src/index.crates.io-6f17d22bba15001f/mio-1.0.3/src/poll.rs:571: registering event source with poller: token=Token(895848482309347), interests=READABLE | WRITABLE
2025-01-08T09:26:41.059489421+03:00 TRACE tokio-runtime-worker ThreadId(02) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:187: socks5 HandshakeRequest { methods: [0] }
2025-01-08T09:26:41.059511858+03:00 TRACE tokio-runtime-worker ThreadId(02) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:76: reply handshake HandshakeResponse { chosen_method: 0 }
2025-01-08T09:26:41.060451448+03:00 TRACE tokio-runtime-worker ThreadId(02) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:201: socks5 TcpRequestHeader { command: TcpConnect, address: 64.233.161.188:5228 } peer: 192.168.253.50:50566

Part of the log when accessing the site ident.me (49.12.234.183). As can be seen in the first line of the log, CONNECT ident.me:80, the domain name is displayed correctly here. A proxy in the browser is currently being used.

2025-01-08T09:35:31.577895099+03:00 DEBUG tokio-runtime-worker ThreadId(03) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:208: CONNECT ident.me:80
2025-01-08T09:35:31.57809715+03:00 TRACE tokio-runtime-worker ThreadId(03) mio::poll: /cargo/registry/src/index.crates.io-6f17d22bba15001f/mio-1.0.3/src/poll.rs:571: registering event source with poller: token=Token(290382942049263), interests=READABLE | WRITABLE
2025-01-08T09:35:31.578162395+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks::relay::tcprelay::proxy_stream::client: /project/crates/shadowsocks/src/relay/tcprelay/proxy_stream/client.rs:138: connected tcp remote my_ip:my_port (outbound: 127.0.0.1:38311) with ConnectOpts { fwmark: None, bind_local_addr: None, bind_interface: None, tcp: TcpSocketOpts { send_buffer_size: None, recv_buffer_size: None, nodelay: false, fastopen: false, keepalive: Some(15s), mptcp: false }, udp: UdpSocketOpts { mtu: None, allow_fragmentation: false } }
2025-01-08T09:35:31.578198824+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks::relay::tcprelay::crypto_io: /project/crates/shadowsocks/src/relay/tcprelay/crypto_io.rs:409: generated AEAD cipher salt b"something"
2025-01-08T09:35:31.578295327+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:267: sent header: TcpResponseHeader { reply: Succeeded, address: 127.0.0.1:58210 }
2025-01-08T09:35:31.578315362+03:00 DEBUG tokio-runtime-worker ThreadId(03) shadowsocks_service::local::utils: /project/crates/shadowsocks-service/src/local/utils.rs:29: established tcp tunnel 192.168.253.3:53078 <-> ident.me:80 through sever 127.0.0.1:38311 (outbound: my_ip:my_port)
2025-01-08T09:35:31.922594006+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks::relay::tcprelay::aead: /project/crates/shadowsocks/src/relay/tcprelay/aead.rs:204: got AEAD salt b"something"
2025-01-08T09:35:37.151728601+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks::relay::tcprelay::utils: /project/crates/shadowsocks/src/relay/tcprelay/utils.rs:256: copy bidirection ends, a_to_b: Done(482), b_to_a: Done(370)
2025-01-08T09:35:37.151754322+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks_service::local::utils: /project/crates/shadowsocks-service/src/local/utils.rs:72: tcp tunnel 192.168.253.3:53078 <-> ident.me:80 (proxied) closed, L2R 370 bytes, R2L 482 bytes
2025-01-08T09:35:37.151775658+03:00 TRACE tokio-runtime-worker ThreadId(03) mio::poll: /cargo/registry/src/index.crates.io-6f17d22bba15001f/mio-1.0.3/src/poll.rs:702: deregistering event source from poller
2025-01-08T09:35:37.15180881+03:00 TRACE tokio-runtime-worker ThreadId(03) mio::poll: /cargo/registry/src/index.crates.io-6f17d22bba15001f/mio-1.0.3/src/poll.rs:702: deregistering event source from poller
2025-01-08T09:35:41.682298932+03:00 TRACE tokio-runtime-worker ThreadId(03) mio::poll: /cargo/registry/src/index.crates.io-6f17d22bba15001f/mio-1.0.3/src/poll.rs:571: registering event source with poller: token=Token(141234567898765), interests=READABLE | WRITABLE
2025-01-08T09:35:41.682543007+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:187: socks5 HandshakeRequest { methods: [0] }
2025-01-08T09:35:41.682567825+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:76: reply handshake HandshakeResponse { chosen_method: 0 }
2025-01-08T09:35:41.682907729+03:00 TRACE tokio-runtime-worker ThreadId(03) mio::poll: /cargo/registry/src/index.crates.io-6f17d22bba15001f/mio-1.0.3/src/poll.rs:571: registering event source with poller: token=Token(139751994871680), interests=READABLE | WRITABLE
2025-01-08T09:35:41.683628227+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:187: socks5 HandshakeRequest { methods: [0] }
2025-01-08T09:35:41.683650977+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:76: reply handshake HandshakeResponse { chosen_method: 0 }
2025-01-08T09:35:41.683967526+03:00 TRACE tokio-runtime-worker ThreadId(03) shadowsocks_service::local::socks::server::socks5::tcprelay: /project/crates/shadowsocks-service/src/local/socks/server/socks5/tcprelay.rs:201: socks5 TcpRequestHeader { command: TcpConnect, address: 149.154.167.41:443 } peer: 192.168.253.50:56484
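
Added example, not part of the thread and not shadowsocks-rust code: a simplified Python model of what the two log excerpts show, where a regex `[proxy_list]` rule can only match when the SOCKS5 CONNECT request carries a hostname rather than an already-resolved IP. The rule pattern, the request bytes and the function names are constructed for illustration.

```python
import ipaddress
import re
import struct

# Constructed rule for illustration; not the issue author's actual hosts.acl entry.
PROXY_LIST = [re.compile(r"(^|\.)ident\.me$")]

# Constructed SOCKS5 CONNECT requests (RFC 1928) for the two cases in the logs.
# Router case: ATYP 0x01, the client already resolved the name to an IPv4 address.
ROUTER_REQ = b"\x05\x01\x00\x01" + bytes([49, 12, 234, 183]) + struct.pack("!H", 80)
# Browser case: ATYP 0x03, the hostname itself is sent to the proxy.
BROWSER_REQ = b"\x05\x01\x00\x03" + bytes([8]) + b"ident.me" + struct.pack("!H", 80)


def parse_socks5_request(data: bytes):
    """Return (kind, host, port) from a SOCKS5 CONNECT request."""
    if len(data) < 5 or data[0] != 5 or data[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == 0x01:  # 4-byte IPv4 address
        kind, host, rest = "ip", str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 0x04:  # 16-byte IPv6 address
        kind, host, rest = "ip", str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == 0x03:  # length-prefixed domain name
        end = 5 + data[4]
        kind, host, rest = "domain", data[5:end].decode("ascii"), data[end:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return kind, host, struct.unpack("!H", rest)[0]


def decide(data: bytes) -> str:
    """Default is bypass ([bypass_all]); only a hostname can hit a regex rule."""
    kind, host, port = parse_socks5_request(data)
    if kind == "domain" and any(rule.search(host) for rule in PROXY_LIST):
        return f"{host}:{port} proxied"
    return f"{host}:{port} bypassed"


if __name__ == "__main__":
    for name, req in (("router", ROUTER_REQ), ("browser", BROWSER_REQ)):
        print(name, "->", decide(req))
```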
