V2ray-core: [Discussion] Question about the Nginx configuration for TLS 1.3

Created on 20 May 2019  ·  3 Comments  ·  Source: v2ray/v2ray-core

Description

  • TLS 1.3 on the server works (Chrome F12 shows a TLS 1.3 connection being established)
  • With 4.18.0 or older everything works
  • After upgrading to 4.18.1 or 4.18.2 the connection can no longer be established; a first look suggests the Nginx ssl_ciphers configuration is the problem, so some guidance on the TLS 1.3-specific settings is needed

Version

4.18.1 or 4.18.2 (server and client kept on the same version)

Network layout

Nginx (TLS 1.3) + reverse-proxied WebSocket + V2Ray (WebSocket)

Nginx configuration

server {
    listen 443 ssl http2 default_server;
    ssl_certificate /etc/v2ray/v2ray.crt;
    ssl_certificate_key /etc/v2ray/v2ray.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;
    root /home/www;
    index index.html index.htm;
    server_name xxxxxxxx.com;
    location /ws {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12345;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}

V2Ray configuration

"inbounds": [{
    "port": 12345,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
        "clients": [{
            "id": "12345",
            "level": 1
        }]
    },
    "streamSettings": {
        "network": "ws",
        "security": "none",
        "sockopt": {
            "tcpFastOpen": true
        },
        "wsSettings": {
            "path": "/ws"
        }
    }
}],

All 3 comments

https://github.com/v2ray/v2ray-core/compare/v4.18.0...v4.18.2

It looks like TLS 1.3 support was introduced by this commit. I suggest you open the link and configure your nginx against the newly added cipher support in the code, so that nginx does not require the client to use a protocol that v2ray does not support yet (or rather, so that the protocol negotiation does not fail).

Of course, the developer's advice above is the most useful; if the suggestion above does not work, you had best go back to the nginx logs and look for clues.

I reconfigured it directly following what is in the code, and now it works.

I am on a build based on OpenSSL 1.1.1b.

The final configuration is as follows:

# Just add TLSv1.2 here to stay compatible with older V2Ray versions; remove it and only versions above 4.18.0 are supported
server {
    listen 443 ssl http2 default_server;
    ssl_certificate /etc/v2ray/v2ray.crt;
    ssl_certificate_key /etc/v2ray/v2ray.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_early_data on; # can be switched off if you run into replay attacks, but then there is no 0-RTT
    ssl_session_tickets on;
    ssl_ecdh_curve auto;
    ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;
    ssl_prefer_server_ciphers on;
    root /home/www;
    index index.html index.htm;
    server_name xxxxxxxx.com; # your domain
    location /ws { # your WebSocket path; must match "path" in the V2Ray wsSettings
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12345;
        proxy_http_version 1.1; # required for the WebSocket Upgrade handshake
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}
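Added example (not from this thread and not v2ray-core code): the version negotiation the thread is about, reproduced with Go's crypto/tls, the TLS stack v2ray-core is built on. Negotiate runs one handshake between a server restricted to one TLS version range (the ssl_protocols line) and a client restricted to another and reports what was negotiated; the self-signed certificate, the "localhost" name and the in-memory net.Pipe transport with session tickets disabled are test assumptions, not anything from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate for the in-memory test server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// Negotiate runs one handshake between a server and a client that are each limited to a TLS
// version range (server side: the ssl_protocols line) and returns the negotiated version and suite.
func Negotiate(serverMin, serverMax, clientMin, clientMax uint16) (uint16, uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	// net.Pipe is in-memory and unbuffered: no sockets, but every write blocks until the peer reads.
	sRaw, cRaw := net.Pipe()
	defer func() { sRaw.Close(); cRaw.Close() }()
	srv := tls.Server(sRaw, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin,
		MaxVersion: serverMax, SessionTicketsDisabled: true}) // a post-Finished ticket would never be read here
	cli := tls.Client(cRaw, &tls.Config{InsecureSkipVerify: true, // self-signed test certificate only
		MinVersion: clientMin, MaxVersion: clientMax})
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }() // the server must run concurrently on the synchronous pipe
	cErr := cli.Handshake()
	sErr := <-done
	if cErr != nil || sErr != nil {
		return 0, 0, fmt.Errorf("handshake failed: client=%v server=%v", cErr, sErr)
	}
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, nil
}
```

A client capped at TLS 1.2 against a TLS 1.3-only server fails, the same client lands on TLS 1.2 once the server also allows TLSv1.2 (as the final config above does), and a TLS 1.3-capable client gets TLS 1.3 with one of its three suites.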
