klzgrad / naiveproxy Goto Github PK

问题已经解决。降低 HAProxy 版本到 1.8.x 可解。

I read the wiki of naiveproxy and got that Caddy can work with naiveproxy. However, I have had apache2 server, does the naiveproxy compatible with apache2? Do you have any guide for this configuration?

If I use QUIC mode, the software quit(the windows version quit too, without any message). HTTPS mode is OK. I run caddy like this: ./caddy -quic -conf=Caddyfile.

root@xxx:~$ naiveproxy/src/out/Release/naive --proxy=quic://user:[email protected] --listen=socks://127.0.0.1:1080 --padding=true
Segmentation fault (core dumped)

no action found for directive 'forwardproxy' with server type 'http' (missing a plugin?)

作者您好，请问有ios客户端吗

我想让未认证的用户看到别的页面，比如登录我的私有云的页面，这样流量看起来才不可疑。Trojan可以直接设定remote_addr, remote_port，那naiveproxy能设置吗？

EdgeRouter 4 runs on Linux kernel 4.9 with a MIPS64 CPU. It also supports standard Debian repository packages. I would assume it can run naiveproxy smoothly. Can I ask for a binary release for MIPS or MIPS64 architecture? Thanks.

这样单个域名可以以目录区分后端，同时外人只访问域名打开的是正常网站。

Error reading config.json: (1003) File doesn't exist.
logout
Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.

谢谢🙏

Could you provide caddy 2.0 config file and systemd scripts?

The Gl.iNet portable routers are pretty popular in use for travel.
I am using the GL-AR750S router and it is running LuCI openwrt-18.06
The output of uname -a is:
Linux GL-AR750S 4.9.120 #0 Thu Aug 16 07:51:15 2018 mips GNU/Linux

Could there please be client support on this platform?
Thanks!

There seems to be quite a lot of code that could be removed and slimmed down. I am currently trying to write a Qt5 cross platform fronted for this project and it is taking a while to properly hook together things. In the future when this project evolves, the readability of the code base would be really important for further improvements. Can I suggest an effort to clean up the current code base before progressing to other things?

don't know how to cross compile using ninja

I download the arm version of naive. Copy it into the home folder of termux (terminal app of android). Get some errors as follows when I excute naive.

$ ./naive --h
bash: ./naive: Permission denied
$ chmod 755 naive
$ ./naive --h
bash: ./naive: No such file or directory
$ file naive
naive: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=3bca406d6b3aee188485dabb1427130677470768, not stripped
$ ldd naive
libdl.so.2
libpthread.so.0
librt.so.1
libnss3.so
libnssutil3.so
libnspr4.so
libm.so.6
libgcc_s.so.1
libc.so.6
ld-linux-armhf.so.3

我最近把navieproxy搭配HAPROXY，照下面的接法。速度變得非常快。
但是HAPROXY只會檢查client端的socks是不是還活著，不知道naiveproxy_server還能不能連。所以有時候會莫名的卡住。

naiveproxy_server_1:443--|gfw|--naiveproxy_client_1:1081(SOCKS)─┐
naiveproxy_server_2:443--|gfw|--naiveproxy_client_2:1082(SOCKS)─┤
naiveproxy_server_3:443--|gfw|--naiveproxy_client_3:1083(SOCKS)─┼─ HAPROXY:1079(SOCKS)
naiveproxy_server_4:443--|gfw|--naiveproxy_client_4:1084(SOCKS)─┘

請問有沒有辦法實現像下面這種接法

naiveproxy_server_1:443--|gfw|─┐
naiveproxy_server_2:443--|gfw|─┤
naiveproxy_server_3:443--|gfw|─┼─ HAPROXY--naiveproxy_client:1080(SOCKS)
naiveproxy_server_4:443--|gfw|─┘

讓HAPROXY檢查naiveproxy_server是不是還活著？

error message:

ERROR at //third_party/protobuf/proto_library.gni:369:15: Only source, header, and object files belong in the sources of a static_library. //out/Release/pyproto/google_apis/gcm/protocol/mcs_pb2.py is not one of the valid types.
    sources = get_target_outputs(":$action_name")
              ^---------------------------------
See //google_apis/gcm/BUILD.gn:78:1: whence it was called.
proto_library("proto") {
^-----------------------
See //BUILD.gn:83:7: which caused the file to be included.
      "//google_apis/gcm:gcm_unit_tests",
      ^---------------------------------

the chromium version is 74.0.3729.108 and ninja version is 1.9.0, i use v74.0.3729.108-1 git branch. but when i run ./build.sh i got this error. how to solve this problem? thank you.

Naiveproxy is a great project to bypass gfw. It has been running smoothly for months on my VPS.
Thanks for ur work done.
Does the develop team has any plan to support cdn? Naiveproxy would be unbreakable if can work with cdn.

Synology DSM is basically customized Debian that does not use dpkg as package manager. The problem is it has legacy version of libnss3 (and libnss3-nssdb). I can successfully run naiveproxy after copy&paste all the necessary libraries from Ubuntu repository (which means messing around with Synology's own versions of libraries). I think it's better to have statically linked libraries compiled into the program, just like what has been done for OpenWRT. Thanks!

Thanks for building this tool. We've been testing in Iran. Works pretty well.

Any thoughts on developing an Android app?

After testing, I find out that naive only support socks5 proxy, but don't support http proxy in local. Could you please add http proxy support in local? Thank you.

I used OpenWrt 19.07.1_x86-64 at Qemu.
It can run caddy without error by their linux-x64 version.

When I started naiveproxy-linux-x64.
It showed "/bin/ash: naive: not found"

Should I build a OpenWrt Version? Is it difficult?
Please help. Thanks

I need listen one redir port to support tproxy,and another socks5 port for some client.
Is there any other way to achieve rather than start two instances?

Hi @klzgrad.
First of all really thank you for your efforts.
Naïve is 2X faster compared to other complex authenticated, traffic encrypted alternatives.
If it's not much work to do can you please add support for standalone usage?
(client/server QUIC -UDP only transport)

See "Generate certificates" in https://www.chromium.org/quic/playing-with-quic and https://source.chromium.org/chromium/chromium/src/+/master:docs/linux/cert_management.md (though you don't actually need certutil for adding root CA; you can do that in the browser with GUI). #37 (comment)

I see it make possible to use a certificate signed with self-signed CA. To those who don't have a domain name, this will save them a lot of money. It can write an IP address in SSL certificate's "Common Name(CN)". Then run ./naive --listen=socks://127.0.0.1:1080 --proxy=https://aa.bb.cc.dd/.

The remain question is naive doesn't allow proxy URL contain an IP address:

I don't see it is necessary to replace server_name to "example", because It shouldn't be sent server_name when you visit an IP address directly, like https://1.1.1.1/.

Another problem is missing server_name will change the ClientHello fingerprint, and make it become uncommon traffic(Hoping the Chromium will enable the DoH by default:-)):
https://tlsfingerprint.io/id/e94fcb2176c0b827
https://tlsfingerprint.io/compare/bbf04e5f1881f506/e94fcb2176c0b827

Edited: The way to workaround now is write both IP address and domain name(eg. example) in "subjectAltName(SAN)".

What do you think? @klzgrad

0. naiveproxy version
   v73.0.3683.86-1

1. caddy version
   official latest version with forwardproxy plugin

2. caddy config

<domain.name> {
    tls {
        dns cloudflare
    }
    root /home/ubuntu/blog
    gzip
    forwardproxy {
        basicauth ping pong
        probe_resistance secret.localhost
        hide_ip
        hide_via
        upstream http://127.0.0.1:8080
    }
}

3. naiveproxy server side
   ./naive --listen=http://127.0.0.1:8080

4. naiveproxy local side
   ./naive --proxy=https://ping:pong@<domain.name>

5. curl -v --proxy socks5h://127.0.0.1 google.com

* Rebuilt URL to: google.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* SOCKS5 communication to google.com:80
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1080 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 127.0.0.1 left intact
curl: (52) Empty reply from server

Thanks for your reading.

本地监听端口(HTTP or socks)添加简单的帐密验证，方便手机使用，比如外网访问家宽部署的端口

还一个是 当有请求进来的时候报错，运行环境是在openwrt arm8的路由上
NSS_VersionCheck("3.26") failed. NSS >= 3.26 is required. Please upgrade to the latest NSS, and if you still get this error, contact your distribution maintainer.

I want to deploy in router, many thanks!

version: 80.0.3987.87-3

# curl -v https://www.google.com
* Rebuilt URL to: https://www.google.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 1090 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Padding: ..................................................
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

服务器 和客户端都能正常接受到请求

[0312/025035.777349:INFO:naive_connection.cc(237)] Connection 2 to www.google.com:443
[0312/025036.642522:INFO:naive_proxy.cc(164)] Connection 2 closed: OK

version: 81.0.4044.92-1
OS: debian 10

[0513/172202.481452:ERROR:cert_verify_proc_builtin.cc(493)] No net_fetcher for performing AIA chasing.
linux's client can not work since a few days ago, The same version previously worked fine.
Both os and program are not upgraded.
program on windows have no problem like this.

刚刚碰到个奇特的情况，将之前的tls over https代理升级了naiveproxy padding模式的代理。

其他域名都正常。但是某个域名里面有 1984的字符串，结果马上被封锁了，80和443端口都连不上。过了几分钟后解封，测试了几遍都是这样。

之前是用meow的https代理支持访问，反而一直正常。

Scaned by Virustotal. Malware Detected?

How to cross compile for mips Padavan version?
I build Padavan toolchain, but how to build naive use that

It's nice to have it to do transparent redirect dst -j REDIRECT on Linux gateway.

區網的電腦做TPROXY透明代理，TCP可以正常連出去。但UDP發出去都沒有回應。無法nslookup。

平台是OpenWrt X86-64，NaiveProxy架的Socks5，
用ipt2socks當作橋梁做純TPROXY透明代理。
發現TCP可以透明代理過去。UDP透明代理無回應。
交叉比對其他的Socks5搭配ipt2socks可以讓UDP穿透過去。

我目前用 https-dns-proxy 把DNS查詢流量轉成TCP直接送到NavieProxy的Socks5，使用尚不受影響。

謝謝

Hi,

I have read most part of this project documentation, and I try to learn the design of this project. But I am still not clear about the multiplexing part of the NaïveProxy.

From my understanding (may incorrect), the NaïveProxy opens a TLS connection for each hostname and multiplex the same hostname request in one connection. But it won't multiplex different hostname requests in a TLS connection. Am' I understand it correctly?

If yes, does the current NaïveProxy multiplexing have any difference from V2Ray's WS+TLS or Trojan?
If I use V2Ray with socks5 for Chrome, the Chrome would also multiplex the same hostname request in one TLS connection (The Chrome open a TCP tunnel to the remote server, and use HTTP/2 in it).

Could you shed me some light about this? Thanks.

hi.

[root@host src]# ./build.sh
Done. Made 13176 targets from 1938 files in 19710ms
./build.sh: line 75: ninja: command not found
[root@host src]# which ninja
/usr/bin/which: no ninja in (/root/.cargo/bin:/usr/local/php/bin:/usr/local/nginx/sbin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/local/python-3.6.4/bin:/usr/bin/v2ray:/root/bin)
[root@host src]# which ninja-build
/usr/bin/ninja-build
[root@host src]# yum install -y ninja
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile

• base: mirrors.sonic.net
• elrepo-kernel: repos.lax-noc.com
• epel: mirrors.sonic.net
• extras: mirror.keystealth.org
• updates: sjc.edge.kernel.org
  No package ninja available.
  Error: Nothing to do
  [root@host src]#

没有ninja这个包，如何安装ninja?

本地网络 -> serverA ->serverB ->Global Internet

Hi, could you please tell me how to build a windows x86 or linux arm version? Many thanks!

I see the binary on the releases is not stripped. Should it add strip command on .travis.yml? It will save about 2MB space.

Hi dev, thanks for this great app, it seems promising and real performance focus, that's good. I did a quick play with it, but in the local config, I changed socks to http, curl test failed. Any suggestion?

~ % curl -x 127.0.0.1:1080 example.com
curl: (52) Empty reply from server
 ~ % curl -x 127.0.0.1:1080 https://example.com
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443

[0620/220004.704968:INFO:naive_proxy_bin.cc(131)] Proxying via https://myproxy.com:2015
[0620/220004.705350:INFO:naive_proxy_bin.cc(467)] Listening on 127.0.0.1:1080
[0620/220016.430001:INFO:naive_proxy.cc(162)] Connection 1 closed: ERR_INVALID_ARGUMENT
[0620/220031.058048:INFO:naive_connection.cc(197)] Connection 2 to example.com:443
[0620/220031.079902:ERROR:ssl_client_socket_impl.cc(946)] handshake failed; returned -1, SSL error code 1, net_error -100
[0620/220031.080009:INFO:naive_proxy.cc(162)] Connection 2 closed: ERR_PROXY_CONNECTION_FAILED

尝试打包成docker image 可是在其中无法直接运行linux x86,已经安装nss libc6-compat包

Error loading shared library ld-linux-x86-64.so.2: No such file or directory (needed by ./naive)
Error relocating ./naive: __register_atfork: symbol not found
Error relocating ./naive: __sbrk: symbol not found
Error relocating ./naive: __res_nclose: symbol not found
Error relocating ./naive: __res_ninit: symbol not found
Error relocating ./naive: strtoll_l: symbol not found
Error relocating ./naive: strtoull_l: symbol not found
Error relocating ./naive: __vsnprintf_chk: symbol not found
Error relocating ./naive: __isnan: symbol not found
Error relocating ./naive: backtrace: symbol not found
Error relocating ./naive: __strncat_chk: symbol not found
Segmentation fault (core dumped)

ldd naive

	/lib64/ld-linux-x86-64.so.2 (0x7f257c020000)
	libdl.so.2 => /lib64/ld-linux-x86-64.so.2 (0x7f257c020000)
	libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f257c020000)
	librt.so.1 => /lib64/ld-linux-x86-64.so.2 (0x7f257c020000)
	libnss3.so => /usr/lib/libnss3.so (0x7f257ba0f000)
	libnssutil3.so => /usr/lib/libnssutil3.so (0x7f257b9dc000)
	libnspr4.so => /usr/lib/libnspr4.so (0x7f257b99a000)
	libm.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f257c020000)
	libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f257c020000)
Error loading shared library ld-linux-x86-64.so.2: No such file or directory (needed by naive)
	libplc4.so => /usr/lib/libplc4.so (0x7f257b993000)
	libplds4.so => /usr/lib/libplds4.so (0x7f257b98e000)
Error relocating naive: __register_atfork: symbol not found
Error relocating naive: __sbrk: symbol not found
Error relocating naive: __res_nclose: symbol not found
Error relocating naive: __res_ninit: symbol not found
Error relocating naive: strtoll_l: symbol not found
Error relocating naive: strtoull_l: symbol not found
Error relocating naive: __vsnprintf_chk: symbol not found
Error relocating naive: __isnan: symbol not found
Error relocating naive: backtrace: symbol not found
Error relocating naive: __strncat_chk: symbol not found

The openwrt was downloaded from here.
http://firmware.koolshare.cn/LEDE_X64_fw867/

root@Openwrt:~# opkg install libnss libatomic1
Package libnss (3.51-1) installed in root is up to date.
Package libatomic1 (8.4.0-2) installed in root is up to date.

root@Openwrt:~# ./naive -h
Error relocating /usr/lib/libnspr4.so: secure_getenv: symbol not found

root@Openwrt:~# ldd naive
/lib/ld-musl-x86_64.so.1 (0x7fb77bfb0000)
libnss3.so => /usr/lib/libnss3.so (0x7fb77ba30000)
libnssutil3.so => /usr/lib/libnssutil3.so (0x7fb77ba02000)
libnspr4.so => /usr/lib/libnspr4.so (0x7fb77b9ca000)
libc.so => /lib/ld-musl-x86_64.so.1 (0x7fb77bfb0000)
libplc4.so => /usr/lib/libplc4.so (0x7fb77b9c3000)
libplds4.so => /usr/lib/libplds4.so (0x7fb77b9be000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x7fb77b9aa000)
Error relocating /usr/lib/libnspr4.so: secure_getenv: symbol not found

• h2 tunnel and real h2 traffic histograms of SSL payload lengths

As of version 64.x.y.z.

Negative means traffic from the client; positive means traffic from the server.

An example of tunneled TLS data:

20: IP
20: TCP
10: TCP Timestamps
 5: TLS header
24: TLS GCM mode overhead (Nonce + MAC)
---- (Encrypted data below)
 9: HTTP/2 frame header
 5: TLS header
24: TLS GCM mode overhead (Nonce + MAC)
---- (Tunneled payload below)

The lengths being counted here are the length of "Encryped Data" in the above diagram, because these lengths are cleartext and are independent from TCP segmentation. Cleartext TLS handshakes are not counted in the lengths.

Payload length -2000:2000:

The largest spikes from server side are: 1024, 1179 (Google servers), 1389 (Cloudflare?), 1427/1429 (TCP MSS?). These should be various self-imposed MTU/MSS related optimizations.

Large spikes from the client are mostly TLS handshakes being tunneled in h2 DATA frames:

-526: padded ClientHello with session resumption.
-267: some ECDH (pubkey len: 32) ClientKeyExchange + ChangeCipherSpec + 2x Encrypted Handshake Message.
? ~ -193: the bell curve covers unpadded ClientHellos with SNIs of various sizes. (-193 is the lower bound with an empty SNI.)
-225: ChangeCipherSpec + 2x Encrypted Handshake Message.
-135: some ECDH ClientKeyExchange (pubkey len: 65) + Encrypted Handshake Message.
-102: some ECDH ClientKeyExchange (pubkey len: 32) + Encrypted Handshake Message.

Thanks for this lovely project.

From the release page, OpenWrt arm64 is supported, but OpenWrt arm32 is not.

Many routers are still using 32-bit processors, even for high-end models such as Netgear 7800

There was an issue for this: #53

Armv7 is still a 32-bit processor.

Armv7 is too broad a concept.

That's right, but a generic arm 32-bit build should work for many arm processors out there.

v2ray support those and it even has an armv7 build (slightly smaller and more performant than the generic one) beside the generic 32-bit build.

I guess they don't build it for a specific CPU but for an instruction set.

Sorry to just ask for help but not trying myself, it's just a bit hard for me to set it up from scratch.

Some commercial HTTPS proxy providers uses Proxy-Authorization: Bearer <token> instead of basic auth for proxy authorization. With this supported and padding off, naiveproxy can be used as a socks2https tool.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization
https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml

抱歉，此帖非issues，应该是caddy方面的配置问题（本人小白一个），参考了网上的文章
之前能配置成功，最近重新配置时出错：“caddy.service: Failed at step USER spawning /usr/bin/caddy: No such process”，还有一行错误提示忘记了。
因为caddy.service原来的脚本不在了，新的脚本在此地址：wget https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service，这个文件我也看不出哪有问题，所以也不知道是不是这个脚本导致的错误。

when I run get-clang.sh

+ uname
+ ARCH=Linux
+ [ Linux = Linux ]
+ [  ]
+ eval
+ which python2
+ python2=/usr/bin/python2
+ /usr/bin/python2 tools/clang/scripts/update.py --print-revision
+ CLANG_REVISION=n332890-c2443155-1
+ CLANG_PATH=clang-n332890-c2443155-1.tgz
+ clang_url=https://commondatastorage.googleapis.com/chromium-browser-clang/Linux_x64/clang-n332890-c2443155-1.tgz
+ [ ! -d third_party/llvm-build/Release+Asserts/bin ]
+ mkdir -p third_party/llvm-build/Release+Asserts
+ curl https://commondatastorage.googleapis.com/chromium-browser-clang/Linux_x64/clang-n332890-c2443155-1.tgz
+ tar xzf - -C third_party/llvm-build/Release+Asserts
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number