Serving trojan and trojan-grpc on the same domain at the same time

Note: this article is for technical exchange only; any legal consequences of trying the steps in it are your own responsibility.

Since I found the buffer multiplexing that comes with v2ray's newly added gRPC mode very pleasant to use, but a certain proxy app on iOS still only supports plain trojan so far,
I plan to offer both access methods on the same domain. The idea is as follows:

用户----haproxy-----(h2)-----nginx------(grpc)------v2ray-------PROXY
           |                   └--------------------------------return 404
           └-----(http1.1)---v2ray-----(trojan)-----------------PROXY
                               └--------------------nginx-------return 404
haproxy advertises an ALPN list containing h2 and http/1.1. So far, every trojan client I have only uses http/1.1 to establish its connection, while gRPC is a service built on h2, so it is enough to split traffic on the protocol in the ALPN sent by the client and hand each kind to a different backend. (Pure trojan traffic cannot be proxied by an HTTP server, so the split has to be done at the TCP level.)

HAProxy configuration:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode    tcp
    option  dontlognull
    maxconn 5000
    timeout connect 5s
    timeout client  20s
    timeout server  20s
    timeout queue   30s
    timeout http-request 5s
    timeout http-keep-alive 15s

frontend www
    bind :443 ssl crt /etc/haproxy/cert.pem alpn h2,http/1.1
    mode tcp
    use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
    default_backend nodes-http

backend nodes-http
    mode tcp
    server http 127.0.0.1:44445

backend nodes-http2
    mode tcp
    server http2 127.0.0.1:44444 send-proxy
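To make the ALPN split concrete, here is an added example (not from the post, and not HAProxy's code): it parses the ALPN extension out of a TLS ClientHello, picks the protocol in the order of the bind line's alpn h2,http/1.1 (assumed here to match HAProxy's server-preference selection), and returns the backend the frontend rule would choose. The ClientHello bytes are constructed inside the script, so it runs offline.

```python
import struct

SERVER_ALPN = ["h2", "http/1.1"]  # order of the post's bind line: alpn h2,http/1.1
ALPN_EXT = 16  # RFC 7301 extension type

def build_client_hello(alpn_protocols):
    """Constructed sample data: a minimal ClientHello record carrying the given ALPN
    list (None = no ALPN extension, i.e. a client that does not speak ALPN at all)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"               # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"  # one cipher suite, null compression
    exts = b""
    if alpn_protocols is not None:
        names = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
        data = struct.pack("!H", len(names)) + names
        exts = struct.pack("!HH", ALPN_EXT, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record header

def parse_client_alpn(record):
    """Return the protocol names offered in the ClientHello's ALPN extension, or None."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                                          # headers, version, random
    pos += 1 + record[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + record[pos]                                    # compression_methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == ALPN_EXT:
            data, names, i = record[pos + 2:pos + length], [], 0  # skip 2-byte list length
            while i < len(data):
                names.append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
            return names
        pos += length
    return None  # no ALPN extension: ssl_fc_alpn is empty and the default_backend applies

def negotiate_alpn(client_protocols):
    """Server-preference choice: first entry of SERVER_ALPN the client also offered."""
    return next((p for p in SERVER_ALPN if p in (client_protocols or [])), None)

def choose_backend(record):
    """Mirror the frontend rule: use_backend nodes-http2 if { ssl_fc_alpn -i h2 }."""
    negotiated = negotiate_alpn(parse_client_alpn(record))
    return "nodes-http2" if negotiated and negotiated.lower() == "h2" else "nodes-http"
```

A client that offers no ALPN at all, or only http/1.1, lands on nodes-http (the trojan inbound); anything that can speak h2 lands on nodes-http2 (nginx), even if it listed h2 after http/1.1.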

Nginx configuration:

server {
    listen 80;
    server_name domain.example.com;

    location / {
        default_type text/html;
        return 404 '<h1>Not Found!</h1>';
    }
}
server {
    listen       127.0.0.1:44444 http2 proxy_protocol;
    server_name  domain.example.com;

    # HAProxy connects over loopback TCP with send-proxy; "unix:" would only
    # trust PROXY headers from unix-socket peers, so name the loopback address.
    real_ip_header  proxy_protocol;
    set_real_ip_from 127.0.0.1;

    location / {
        default_type text/html;
        return 404 '<h1>Not Found!</h1>';
    }

    location /GrpcServiceName/Tun {
        grpc_pass grpc://127.0.0.1:44443;
    }
}

V2Ray configuration:

...
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 44445,
            "tag": "trojan",
            "protocol": "trojan",
            "settings": {
                "clients":[
                    {
                        "email": "testuser",
                        "password": "99999999-9999-9999-9999-999999999999",
                        "level": 0
                    }
                ],
                "fallbacks": [
                    {
                        "dest": 80
                    }
                ]
            },
            "sniffing": {
                "enabled": true,
                "destOverride": ["http", "tls"]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "none"
            }
        },
        {
            "listen": "127.0.0.1",
            "port": 44443,
            "tag": "trojan-grpc",
            "protocol": "trojan",
            "settings": {
                "clients":[
                    {
                        "email": "testuser",
                        "password": "99999999-9999-9999-9999-999999999999",
                        "level": 0
                    }
                ]
            },
            "sniffing": {
                "enabled": true,
                "destOverride": ["http", "tls"]
            },
            "streamSettings": {
                "network": "grpc",
                "security": "none",
                "grpcSettings": {
                    "serviceName": "GrpcServiceName"
                }
            }
        }
    ],
...

PS:
I don't know why, but as soon as I used a unix socket nothing could connect any more, so in the end I had to use ports.
Actually everything here could be done with just one of HAProxy or Nginx, but I couldn't be bothered (
As for why I don't split by SNI: I only bought one certificate (((
Besides, one domain getting only http/1.1 client connections and another only h2 connections would look strange too (

Tags: v2ray, haproxy, trojan, grpc, trojan-grpc, nginx
