伪造 SNI 后 522 证书错误

[Franinc]

通过gotox访问https://nyaa.si/ 会显示：无法验证 nyaa.si 的证书：('self signed, issuer: /C=EU/ST=*/O=ddos-guard', 0)
但nginx我本地建反向代理自签证书和CA，靠proxy_pass为ip不向外暴露sni，倒是能正常访问nyaa
请问下gotox是我哪里设置错了吗？

版本：GotoX-3.6.3-cp38-win_amd64.7z
chorme和ie一样都报522证书错误

配置

[0-fakecert]
nyaa.si = @none

日志

06:58:06 T 162.159.132.53 dns_over_https 已缓存：4/1024，耗时：179 毫秒，nyaa.si = ['185.178.208.182']
06:58:07 W 185.178.208.182 _create_ssl_connection 'nyaa.si' 返回 CertificateError(-1, ('self signed, issuer: /C=EU/ST=*/O=ddos-guard', 0))，重试
06:58:07 W 185.178.208.182 create_ssl_connection 'https://nyaa.si/' 失败：CertificateError(-1, ('self signed, issuer: /C=EU/ST=*/O=ddos-guard', 0))
06:58:07 W L4:64716->185.178.208.182 do_DIRECT "GET https://nyaa.si/" 证书验证失败，返回 522
06:58:08 W 185.178.208.182 _create_ssl_connection 'nyaa.si' 返回 CertificateError(-1, ('self signed, issuer: /C=EU/ST=*/O=ddos-guard', 0))，重试
06:58:08 W 185.178.208.182 create_ssl_connection 'https://nyaa.si/favicon.ico' 失败：CertificateError(-1, ('self signed, issuer: /C=EU/ST=*/O=ddos-guard', 0))
06:58:08 W L4:64719->185.178.208.182 do_DIRECT "GET https://nyaa.si/favicon.ico" 证书验证失败，返回 522

dig查询CNAME结果

;; AUTHORITY SECTION:
nyaa.si.		1799	IN	SOA	dns1.cloudns.net. support.cloudns.net. 2020120204 7200 1800 1209600 3600

nginx配置
https://github.com/mashirozx/Pixiv-Nginx/blob/main/conf/pixiv.conf#L405-L424

server {
    listen 443 ssl;
    server_name nyaa.si;
    server_name www.nyaa.si;
    server_name sukebei.nyaa.si;


    ssl_certificate ca/pixiv.net.crt;
    ssl_certificate_key ca/pixiv.net.key;

    location / {
        proxy_pass https://185.178.208.182/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Encoding '';
        proxy_buffering off;
    }
}

[SeaHOH]

我现在没办法解决这个问题，估计要上 ESNI 或 ECH 才能解决。
你的 nginx 服务器能用，应该是在境外的原因，直连没法避开 SNI 安全检查。

[Franinc]

nginx和gotox都运行在国内同一电脑，同一网络
nginx靠监听本地443端口，hosts加127.0.0.1 nyaa.si就能正常打开。gotox拿到了正确ip+不发送sni却是522错误
我三脚猫水准实在找不出两者有啥区别

[SeaHOH]

本机可以的话，抓个包就能看到细节区别。有空可能会看下，但不一定能解决问题，我也不知自己是几只脚。 😸

[ghost]

nyaa.si 服务器无论客户端的 HTTP header 里的 Accept-Encoding 为何 都返回的是 gzip 压缩的结果

curl -v https://185.178.208.182 -H "Host: nyaa.si" -k

*   Trying 185.178.208.182:443...
* Connected to 185.178.208.182 (185.178.208.182) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=EU; ST=*; O=ddos-guard
*  start date: Mar 28 19:26:13 2018 GMT
*  expire date: Mar 25 19:26:13 2028 GMT
*  issuer: C=EU; ST=*; O=ddos-guard
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9401813400)
> GET / HTTP/2
> Host: nyaa.si
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: ddos-guard
< set-cookie: __ddg1=qgXPyc0cZTbnlStkj8vN; Domain=.nyaa.si; HttpOnly; Path=/; Expires=Thu, 27-Jan-2022 08:59:47 GMT
< date: Wed, 27 Jan 2021 08:59:47 GMT
< content-type: text/html; charset=utf-8
< content-encoding: gzip
< x-proxy-cache: HIT
< cache-control: no-cache, no-store, must-revalidate
< referrer-policy: same-origin
< 
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* stopped the pause stream!
* Connection #0 to host 185.178.208.182 left intact

隔壁 Accesser 无法处理返回的这些内容，就会超时 （522）

[SeaHOH]

意思是 Accesser 也能 bypass，只是无法正确解编码？如果是这样，我会去看看具体实现。

[ghost]

是的。
之前发现 signal.org 也是这样

❯ curl https://signal.org -H "Accept-Encoding: deflate" --head
HTTP/2 200 
content-type: text/html; charset=utf-8
content-length: 7564
x-amz-id-2: TE7FBe9uAUPKEQBj7OH7kTK5j05wtw/nY04Vv2EOUrnubnL10271pcTnijT5YWaQkzqm5Lw2Cmc=
x-amz-request-id: 4FF42600624066FC
date: Wed, 27 Jan 2021 15:32:58 GMT
cache-control: max-age=300
content-encoding: gzip <======
last-modified: Fri, 22 Jan 2021 17:00:38 GMT
etag: "72f9e3f86fcdd0527464d25e57b84fb0"
server: AmazonS3
strict-transport-security: max-age=31536000; preload
x-frame-options: DENY
x-cache: Miss from cloudfront
via: 1.1 8c250398edc42574d769dea42e6dbecc.cloudfront.net (CloudFront)
x-amz-cf-pop: HKG60-C1
x-amz-cf-id: ukYeBJR3PMOrn1eJVYRGoDeVVRgURuKbbIv-VLNi_BkuHjyA3UOVmA==

[SeaHOH]

Ok，搞定。信任 ddos-guard，不验证 Host 即可。请谨慎使用这个配置，一定要搭配可靠的 DNS，即使这样也有风险。

把 ddos-guard 自签 CA 导出为 pem 格式，后缀也改成 pem，放入 cert/cacerts 文件夹。
nyaa.si = none@none

[SeaHOH]

a414760
nyaa.si = ddos-guard@none
已更新成更安全的策略，并内置证书，不用设置成不验证 Host。

#173 (reply in thread) 另一种无需添加 CA 证书的设置方法。

[ghost]

nyaa.si 看起来不是 gzip 的问题

Accesser 会拒绝自签证书

[SeaHOH]

可以跟我这一样自己加载那个证书，不过 Accesser 好像没有相关设置。

[ghost]

解决了，nyaa.si 服务器也可以返回 ddos-guard.net 的正确证书（非自签）

在 config.json 的 alert_hostname 加入

"nyaa.si": "ddos-guard.net",

[SeaHOH]

嗯，我这里也可以这样设置。
nyaa.si = [email protected]

[ghost]

sukebei.nyaa.si 不使用 ddos-guard, 返回了另一个自签证书， CN 是 lcoalhost : P

[SeaHOH]

是的，已经内置。遇到其它类似的，用户也可以自己添加。