Server:
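stream {
    # Tunnel endpoint ("Server:" side). Terminates the outer TLS session coming
    # from the proxy nginx, pre-reads the SNI of the inner (client) TLS handshake
    # carried inside it, and forwards that raw stream to the named host.
    proxy_buffer_size 128k;
    proxy_connect_timeout 5s;

    # Route on the inner SNI. Names ending in a digit go to null.sock (presumably
    # a sink — confirm); everything else is forwarded to <sni>:443, i.e. this
    # listener relays to ANY host a client names. No client authentication is
    # enforced below, so anyone who can reach 4333/8443 and complete the outer
    # TLS handshake can use it as a relay.
    map $ssl_preread_server_name $backend {
        ~*[0-9]$ unix:/dev/shm/null.sock;
        default  $ssl_preread_server_name:443;
    }

    server {
        listen 4333 ssl;
        listen 8443 ssl;

        # The intended peer is the proxy nginx (proxy_ssl on, default
        # proxy_ssl_protocols / proxy_ssl_ciphers), which negotiates TLSv1.2 and a
        # HIGH suite; TLSv1.0/1.1 and the RC4 / 3DES / MD5 suites of the original
        # list are not needed and are dropped here.
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
        ssl_prefer_server_ciphers on;

        ssl_certificate     /root/.acme.sh/2heng.xin/fullchain.cer;
        ssl_certificate_key /root/.acme.sh/2heng.xin/2heng.xin.key;
        # NOTE(review): ssl_client_certificate / ssl_trusted_certificate only take
        # effect together with ssl_verify_client, which is not set, so as written
        # they change nothing and the relay stays open. Turning verification on
        # also requires proxy_ssl_certificate(_key) on the proxy side, which this
        # listing does not configure.
        ssl_client_certificate  /root/.acme.sh/2heng.xin/fullchain.cer;
        ssl_trusted_certificate /root/.acme.sh/2heng.xin/fullchain.cer;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 10m;

        # Pre-read the inner ClientHello so $ssl_preread_server_name is set.
        ssl_preread on;
        # Required because $backend is a hostname; lookups go to a public resolver
        # in plaintext. If the inner ClientHello carries no SNI, $backend becomes
        # ":443" and the connect fails.
        resolver [2001:4860:4860::8888] ipv6=on;
        proxy_pass $backend;
    }
}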
Proxy:
stream {
    # Client-facing side ("Proxy:"). Accepts TLS on :443, classifies the
    # ClientHello by SNI without terminating TLS, and either hands the stream to
    # the local web server socket or wraps it in an outer TLS session to the
    # remote tunnel endpoints (sni_stunnel) defined below.
    proxy_buffer_size 128k;
    proxy_connect_timeout 5s;
    #limit_conn_zone $binary_remote_addr zone=addr:10m;
    # NOTE(review): with limit_conn_zone (and limit_conn below) commented out,
    # nothing in this file caps concurrent connections per client address on :443.
    log_format main '$time_iso8601|$remote_addr|$ssl_preread_server_name'
    '|$bytes_received|$bytes_sent|$session_time';
    #log_format basic '$proxy_protocol_addr - $remote_user [$time_local] '
    # '$protocol $status $bytes_sent $bytes_received '
    # '$session_time';

    # SNI -> backend socket. Names ending in a digit and anything not listed go
    # to the local web server; the listed domains go to the tunnel server block.
    # The regex entries are unanchored suffix matches with unescaped dots, so
    # they also match names such as "notwikipedia.org" or "xpixiv-net"; use a
    # leading "\." (e.g. ~*\.wikipedia\.org$) if only subdomains are intended.
    map $ssl_preread_server_name $backend {
        ~*[0-9]$ unix:/dev/shm/localweb.sock;
        pixiv.net unix:/dev/shm/nginx-sni.sock;
        ~*pixiv.net$ unix:/dev/shm/nginx-sni.sock;
        i.pximg.net unix:/dev/shm/nginx-sni.sock;
        cdn.ampproject.org unix:/dev/shm/nginx-sni.sock;
        ~*wikipedia.org$ unix:/dev/shm/nginx-sni.sock;
        www.google.com unix:/dev/shm/nginx-sni.sock;
        wordpress.org unix:/dev/shm/nginx-sni.sock;
        ~*wordpress.org$ unix:/dev/shm/nginx-sni.sock;
        default unix:/dev/shm/localweb.sock;
    }

    # Remote tunnel endpoints (the "Server:" listing above, port 4333). The
    # addresses are redacted in this listing ("45.xxx..."). The first server is
    # primary and is treated as unavailable for 120s after failures; the second
    # is used only while the primary is down.
    upstream sni_stunnel {
        zone upstream_sni_stunnel 64k;
        server 45.xxx.66:4333 fail_timeout=120s;
        server 45.xxx.24.54:4333 backup;
    }

    # Tunnel leg. Reached only over the unix socket from the :443 server below,
    # which prepends a PROXY protocol header (proxy_protocol on there), hence
    # "proxy_protocol" on the listen line. The header is not forwarded into the
    # tunnel (proxy_protocol off, which is also the default), so the remote end
    # receives only the raw client TLS stream inside the outer TLS session.
    server {
        #listen 4433 proxy_protocol;
        listen unix:/dev/shm/nginx-sni.sock proxy_protocol;
        proxy_protocol off;
        # NOTE(review): proxy_ssl on encrypts the leg to sni_stunnel, but without
        # proxy_ssl_verify on / proxy_ssl_trusted_certificate / proxy_ssl_name the
        # remote certificate is never checked, so the tunnel endpoint is not
        # authenticated. Suggested additions (values are placeholders):
        #   proxy_ssl_verify on;
        #   proxy_ssl_server_name on;
        #   proxy_ssl_name <tunnel-server-hostname>;
        #   proxy_ssl_trusted_certificate <path-to-ca-bundle>;
        proxy_ssl on;
        proxy_pass sni_stunnel;
        # proxy_pass is fixed here, so the pre-read SNI is not used for routing
        # in this block; presumably kept so $ssl_preread_server_name stays
        # available — confirm.
        ssl_preread on;
    }

    # Public listener. TLS is not terminated here; the stream is routed by the
    # map above and a PROXY protocol header is prepended for the backend.
    server {
        listen 443;
        proxy_protocol on;
        #limit_conn addr 10;
        #proxy_download_rate 50k;
        #proxy_upload_rate 400k;
        # Buffered access log, written only when a server name was pre-read
        # (if= skips entries whose value is empty or "0").
        access_log /var/log/nginx/sniproxy.log main buffer=8k flush=5s if=$ssl_preread_server_name;
        proxy_pass $backend;
        ssl_preread on;
    }
}
@eh5 可惜 ESNI 很好@[email protected]
@mashiro @xiamx 不是封杀tls1.3,ESNI是tls1.3的一个可选extension,封杀的是带有ESNI扩展标识的包 https://github.com/net4people/bbs/issues/43