From 09606889af8de1df03f07d505a4791128ef4f2e8 Mon Sep 17 00:00:00 2001
From: yunshu
Date: Mon, 31 Mar 2025 21:31:52 +0800
Subject: [PATCH] Optimize the SNI matching process
---
 fail2ban_manager.sh | 9 +++++----
 install.sh | 46 ++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/fail2ban_manager.sh b/fail2ban_manager.sh
index daa8d7a..44e23eb 100644
--- a/fail2ban_manager.sh
+++ b/fail2ban_manager.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # 定义当前版本号
-mf_SCRIPT_VERSION="1.1.2"
+mf_SCRIPT_VERSION="1.1.4"
 mf_main_menu() {
 check_system
@@ -70,7 +70,7 @@ mf_configure_fail2ban() {
 # 启用 nginx-no-host 规则
 if [[ ${reality_add_nginx} == "on" ]] && [[ -z $(grep "filter = nginx-no-host" /etc/fail2ban/jail.local) ]]; then
 mf_create_nginx_no_host_filter
- sed -i "\$ a\\\n[nginx-no-host]\nenabled = true\nfilter = nginx-no-host\nlogpath = $nginx_dir/logs/error.log\nbantime = 604800\nmaxretry = 600" /etc/fail2ban/jail.local
+ sed -i "\$ a\\\n[nginx-no-host]\nenabled = true\nfilter = nginx-no-host\nlogpath = $nginx_dir/logs/sni_abnormal.log\nbantime = 604800\nmaxretry = 3\nfindtime = 120" /etc/fail2ban/jail.local
 fi
 systemctl daemon-reload
 systemctl restart fail2ban
@@ -80,9 +80,10 @@ mf_configure_fail2ban() {
 mf_create_nginx_no_host_filter() {
 local filter_file="/etc/fail2ban/filter.d/nginx-no-host.conf"
 if [[ ! -f "$filter_file" ]]; then
- cat >"$filter_file" <"$filter_file" <<'EOF'
 [Definition]
-failregex = \[error\].*?no host in upstream.*?, client: ,
+datepattern = ^%%d/%%b/%%Y:%%H:%%M:%%S %%z$
+failregex = ^ \[.*\] \".*\".*\d+$
 ignoreregex =
 EOF
 fi
diff --git a/install.sh b/install.sh
index 9d9e3dd..d9b6b59 100644
--- a/install.sh
+++ b/install.sh
@@ -35,7 +35,7 @@ OK="${Green}[OK]${Font}"
 Error="${RedW}[$(gettext "错误")]${Font}"
 Warning="${RedW}[$(gettext "警告")]${Font}"
-shell_version="2.4.2"
+shell_version="2.5.0"
 shell_mode="$(gettext "未安装")"
 tls_mode="None"
 ws_grpc_mode="None"
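Review bot: The new `[nginx-no-host]` section is only appended when jail.local has no `filter = nginx-no-host` line at all, so a host upgraded from the previous version keeps its old section (logpath `error.log`, `maxretry = 600`) and never picks up `sni_abnormal.log` — and since the nginx change in this same commit routes unknown SNI to a real upstream, the old "no host in upstream" trigger stops firing and the protection silently disappears. Key the guard on the new logpath instead, e.g. `grep -q "logpath = $nginx_dir/logs/sni_abnormal.log" /etc/fail2ban/jail.local`, and remove the stale section before appending. The thresholds also deserve a comment: every line in this log is a failure (it is written only when `$is_abnormal` is set), so three SNI-less or unknown-SNI handshakes inside two minutes earn a seven-day ban, which will catch uptime probes and scanners alike — `# 3 unmatched-SNI hits in 120s -> 7-day ban; lower bantime if health checks reach :443 without SNI`. mf_configure_fail2ban starts outside this hunk.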
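Review bot: The `datepattern = ^%%d/%%b/%%Y:%%H:%%M:%%S %%z$` line anchors the timestamp to both ends of the log line, but the `sni_log_abnormal` format defined in install.sh puts `$remote_addr` before the bracketed time and the protocol and status after it, so as far as I can tell fail2ban will never locate a date in these lines (depending on version it then drops the match or falls back to the current time). Drop the anchors (`datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z`) and confirm with `fail2ban-regex $nginx_dir/logs/sni_abnormal.log nginx-no-host` against a real log line; the `<HOST>` placeholder in the failregex also appears to have been lost in this rendering, so double-check it survived in the committed file. The `[[ ! -f "$filter_file" ]]` guard has the same upgrade problem as the jail: an existing host keeps the old `no host in upstream` regex against the new log and the filter never matches, so either overwrite the file unconditionally or version-mark it. mf_create_nginx_no_host_filter ends outside this hunk.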
@@ -1912,23 +1912,55 @@ nginx_reality_conf_add() {
 cat >${nginx_conf} < 最终上游
+ ~^reality:1\$ reality;
+ default deny;
+ }
+
+ map \$final_upstream \$is_abnormal {
+ deny 1;
+ default 0;
 }
 upstream reality {
 server 127.0.0.1:9443;
 }
+ upstream deny {
+ server 127.0.0.1:9403;
+ }
+
+ log_format sni_log_abnormal '\$remote_addr [\$time_local] "\$ssl_preread_server_name" ' '\$ssl_preread_protocol \$status';
+
 server {
 listen 443 reuseport so_keepalive=on backlog=65535;
- proxy_pass \$stream_map;
+ proxy_pass \$final_upstream;
 ssl_preread on;
- #proxy_protocol on;
+ proxy_connect_timeout 5s;
+ proxy_timeout 300s;
+ access_log ${nginx_dir}/logs/sni_abnormal.log sni_log_abnormal if=\$is_abnormal;
+ }
- # 超时设置
- proxy_connect_timeout 20s; # 连接超时时间
- proxy_timeout 300s; # 数据传输超时时间
+ server {
+ listen 127.0.0.1:9403 reuseport;
+ #ssl_preread on;
+ ssl_reject_handshake on;
+ return 444;
+ access_log off;
+ error_log /dev/null;
 }
 }
 EOF
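Review bot: The catch-all `server` on 127.0.0.1:9403 does not reject TLS handshakes the way its directives read: `ssl_reject_handshake on` only applies to a listen socket carrying the `ssl` parameter (as far as I can tell it is a no-op on this plain listen), and in the stream module `return 444;` is ngx_stream_return_module's `return`, which writes the literal bytes `444` to the client and closes rather than producing an HTTP-style 444. Either make it `listen 127.0.0.1:9403 ssl; ssl_reject_handshake on;` and drop the `return`, so the client gets a proper TLS alert, or keep the plain listen, delete the `ssl_reject_handshake` line and comment that the block deliberately answers with junk and closes. Separately, `\$ssl_preread_server_name` is attacker-chosen and the fail2ban filter takes the address to ban from the start of each line of this log, so the setup depends on `log_format`'s default escaping of quotes and control characters; a comment such as `# do not set escape=none here: fail2ban bans the address at the start of each line` keeps that from being changed later. The beginning of this hunk (the heredoc opener and the first map blocks) is garbled in this rendering, so I have not reviewed the upstream-selection maps.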