Optimize the SNI matching process
This commit is contained in:
yunshu
+5
-4
@@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
# 定义当前版本号
|
||||
mf_SCRIPT_VERSION="1.1.2"
|
||||
mf_SCRIPT_VERSION="1.1.4"
|
||||
|
||||
mf_main_menu() {
|
||||
check_system
|
||||
@@ -70,7 +70,7 @@ mf_configure_fail2ban() {
|
||||
# 启用 nginx-no-host 规则
|
||||
if [[ ${reality_add_nginx} == "on" ]] && [[ -z $(grep "filter = nginx-no-host" /etc/fail2ban/jail.local) ]]; then
|
||||
mf_create_nginx_no_host_filter
|
||||
sed -i "\$ a\\\n[nginx-no-host]\nenabled = true\nfilter = nginx-no-host\nlogpath = $nginx_dir/logs/error.log\nbantime = 604800\nmaxretry = 600" /etc/fail2ban/jail.local
|
||||
sed -i "\$ a\\\n[nginx-no-host]\nenabled = true\nfilter = nginx-no-host\nlogpath = $nginx_dir/logs/sni_abnormal.log\nbantime = 604800\nmaxretry = 3\nfindtime = 120" /etc/fail2ban/jail.local
|
||||
fi
|
||||
systemctl daemon-reload
|
||||
systemctl restart fail2ban
|
||||
@@ -80,9 +80,10 @@ mf_configure_fail2ban() {
|
||||
mf_create_nginx_no_host_filter() {
|
||||
local filter_file="/etc/fail2ban/filter.d/nginx-no-host.conf"
|
||||
if [[ ! -f "$filter_file" ]]; then
|
||||
cat >"$filter_file" <<EOF
|
||||
cat >"$filter_file" <<'EOF'
|
||||
[Definition]
|
||||
failregex = \[error\].*?no host in upstream.*?, client: <HOST>,
|
||||
datepattern = ^%%d/%%b/%%Y:%%H:%%M:%%S %%z$
|
||||
failregex = ^<HOST> \[.*\] \".*\".*\d+$
|
||||
ignoreregex =
|
||||
EOF
|
||||
fi
|
||||
|
||||
+39
-7
@@ -35,7 +35,7 @@ OK="${Green}[OK]${Font}"
|
||||
Error="${RedW}[$(gettext "错误")]${Font}"
|
||||
Warning="${RedW}[$(gettext "警告")]${Font}"
|
||||
|
||||
shell_version="2.4.2"
|
||||
shell_version="2.5.0"
|
||||
shell_mode="$(gettext "未安装")"
|
||||
tls_mode="None"
|
||||
ws_grpc_mode="None"
|
||||
@@ -1912,23 +1912,55 @@ nginx_reality_conf_add() {
|
||||
cat >${nginx_conf} <<EOF
|
||||
|
||||
stream {
|
||||
map \$ssl_preread_server_name \$stream_map {
|
||||
map \$ssl_preread_protocol \$is_valid_protocol {
|
||||
TLSv1.2 1;
|
||||
TLSv1.3 1;
|
||||
default 0;
|
||||
}
|
||||
|
||||
map \$ssl_preread_server_name \$sni_upstream {
|
||||
include ${nginx_conf_dir}/*.serverNames;
|
||||
default deny;
|
||||
}
|
||||
|
||||
map "\$sni_upstream:\$is_valid_protocol" \$final_upstream {
|
||||
# 格式:上游名称:协议标记 => 最终上游
|
||||
~^reality:1\$ reality;
|
||||
default deny;
|
||||
}
|
||||
|
||||
map \$final_upstream \$is_abnormal {
|
||||
deny 1;
|
||||
default 0;
|
||||
}
|
||||
|
||||
upstream reality {
|
||||
server 127.0.0.1:9443;
|
||||
}
|
||||
|
||||
upstream deny {
|
||||
server 127.0.0.1:9403;
|
||||
}
|
||||
|
||||
log_format sni_log_abnormal '\$remote_addr [\$time_local] "\$ssl_preread_server_name" '
|
||||
'\$ssl_preread_protocol \$status';
|
||||
|
||||
server {
|
||||
listen 443 reuseport so_keepalive=on backlog=65535;
|
||||
proxy_pass \$stream_map;
|
||||
proxy_pass \$final_upstream;
|
||||
ssl_preread on;
|
||||
#proxy_protocol on;
|
||||
proxy_connect_timeout 5s;
|
||||
proxy_timeout 300s;
|
||||
access_log ${nginx_dir}/logs/sni_abnormal.log sni_log_abnormal if=\$is_abnormal;
|
||||
}
|
||||
|
||||
# 超时设置
|
||||
proxy_connect_timeout 20s; # 连接超时时间
|
||||
proxy_timeout 300s; # 数据传输超时时间
|
||||
server {
|
||||
listen 127.0.0.1:9403 reuseport;
|
||||
#ssl_preread on;
|
||||
ssl_reject_handshake on;
|
||||
return 444;
|
||||
access_log off;
|
||||
error_log /dev/null;
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
Reference in New Issue
Block a user