I am trying to run a transparent stunnel4 proxy in front of a websocket service on the server.
The WS server is built on the Ratchet framework, which does not support WSS, hence the proxy.
With transparent set to none in stunnel.conf, the websocket traffic passes through fine and everything works, except that, as far as the WS server can tell, all traffic comes from 127.0.0.1. As soon as transparent is set to source, however, the client gets
WebSocket connection to 'wss://<ADDR>:32770/' failed: Error during WebSocket handshake: net::ERR_CONNECTION_RESET
As far as I can tell, the problem starts with setsockopt IP_TRANSPARENT: Operation not permitted (1) in the stunnel log. I have put in place all the iptables settings the stunnel documentation calls for and made sure everything runs as root. I have been on this for three days and every variation of my search terms has turned purple, to no avail. I am hoping there is a server wizard here who can help me sort it out.
stunnel documentation reference: https://www.stunnel.org/static/stunnel.html#SERVICE-LEVEL-OPTIONS
Setup:
The server is running Ubuntu 12.04.5 LTS (GNU/Linux 2.6.32-042stab093.4 x86_64)
Using stunnel 4
open_server.php:
<?php
use Ratchet\App;
use Websocket_Server\Server;

require dirname(__DIR__) . '/vendor/autoload.php';

// Event loop shared by the TCP listener and the application handler.
$loop = React\EventLoop\Factory::create();

// Plain (non-TLS) TCP listener on 8888; stunnel terminates TLS on 32770 and connects here.
$webSock = new React\Socket\Server($loop);
$webSock->listen(8888, '0.0.0.0');

// HTTP -> WebSocket handshake stack around the application's Server class.
$webServer = new Ratchet\Server\IoServer(
    new Ratchet\Http\HttpServer(
        new Ratchet\WebSocket\WsServer(new Server($loop))
    ),
    $webSock
);

$loop->run();
stunnel.conf:
key = <key file dir>
cert = <crt file dir>
; debug = 7 writes everything up to LOG7 to the file below
debug = 7
output = /var/log/stunnel_log.log
setgid = 0
[websocket]
; TLS is terminated on 32770; the decrypted stream is forwarded to the Ratchet listener on 8888
accept = 32770
connect = 8888
; source: open the connection to 8888 using the client's own IP as the source address
; (requires setsockopt IP_TRANSPARENT, which needs CAP_NET_ADMIN, plus the iptables/ip rule setup from the stunnel docs)
transparent = source
The full debug output when hitting the socket with transparent = source:
2015.07.26 15:09:26 LOG7[14108:140701658388224]: local socket: FD=0 allocated (non-blocking mode)
2015.07.26 15:09:26 LOG7[14108:140701658388224]: Service websocket accepted FD=0 from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket started
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Option TCP_NODELAY set on local socket
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Waiting for a libwrap process
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Acquired libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Releasing libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Released libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket permitted by libwrap from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG5[14108:140701658478336]: Service websocket accepted connection from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): before/accept initialization
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read client hello A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write server hello A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write certificate A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write key exchange A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write server done A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 flush data
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read client key exchange A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read finished A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write session ticket A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write change cipher spec A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write finished A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 flush data
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 items in the session cache
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 client connects (SSL_connect())
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 client connects that finished
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 client renegotiations requested
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 1 server connects (SSL_accept())
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 1 server connects that finished
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 server renegotiations requested
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 session cache hits
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 external session cache hits
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 session cache misses
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 session cache timeouts
2015.07.26 15:09:26 LOG6[14108:140701658478336]: SSL accepted: new session negotiated
2015.07.26 15:09:26 LOG6[14108:140701658478336]: Negotiated ciphers: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
2015.07.26 15:09:26 LOG7[14108:140701658478336]: remote socket: FD=1 allocated (non-blocking mode)
2015.07.26 15:09:26 LOG3[14108:140701658478336]: setsockopt IP_TRANSPARENT: Operation not permitted (1)
2015.07.26 15:09:26 LOG3[14108:140701658478336]: local_bind (original port): Cannot assign requested address (99)
2015.07.26 15:09:26 LOG5[14108:140701658478336]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket finished (0 left)
2015.07.26 15:09:26 LOG7[14108:140701658478336]: str_stats: 0 block(s), 0 byte(s)
Bash output when checking permissions:
# ps aux | grep stunnel4
root 14103 0.0 0.1 29820 1032 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14104 0.0 0.1 29820 704 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14105 0.0 0.1 29820 704 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14106 0.0 0.1 29820 704 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14107 0.0 0.1 29820 704 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14108 0.0 0.4 95424 2252 ? Ss 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 20477 0.0 0.1 6460 776 pts/5 S+ 17:00 0:00 grep --color=auto stunnel4
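Added example (not part of the original question and not stunnel's own code): a small C probe that performs the same two socket operations the log shows stunnel attempting for transparent = source, namely setsockopt(IP_TRANSPARENT) followed by a bind() to a non-local source address, and reports the errno of each next to the CAP_NET_ADMIN bit from the process's own /proc/self/status. Assumptions: Linux; IP_TRANSPARENT requires CAP_NET_ADMIN as documented in ip(7); 192.0.2.1 is an RFC 5737 documentation address standing in for the real client IP; the capability bit number 12 is taken from capabilities(7).

```c
/* probe_transparent.c - reproduce the two failing steps from the stunnel log.
 * Build and run: gcc -Wall -o probe_transparent probe_transparent.c && sudo ./probe_transparent
 * Assumes Linux. IP_TRANSPARENT needs CAP_NET_ADMIN (ip(7)). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from <linux/in.h>; only needed on very old libc headers */
#endif

#define CAP_NET_ADMIN_BIT 12 /* CAP_NET_ADMIN is capability number 12, see capabilities(7) */

/* 1 if the effective capability set (CapEff) of this process contains CAP_NET_ADMIN,
 * 0 if it does not, -1 if /proc/self/status could not be read or parsed. */
int has_cap_net_admin(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            result = (int)((caps >> CAP_NET_ADMIN_BIT) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Step 1 from the log ("setsockopt IP_TRANSPARENT"): returns 0 on success,
 * the errno on failure, or -1 if socket() itself failed (e.g. a seccomp sandbox). */
int probe_ip_transparent(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    int err = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Step 2 from the log ("local_bind (original port)"): bind the outgoing socket to a
 * non-local address, which the kernel only allows once IP_TRANSPARENT is in effect.
 * Returns 0 on success, the errno on failure, -1 if socket() failed. */
int probe_foreign_bind(const char *addr, int set_transparent)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) return EINVAL;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (set_transparent) {
        int one = 1;
        /* Deliberately ignore the result: the following bind() shows the consequence. */
        setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one);
    }
    int err = bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Diagnosis text for the values seen in the stunnel log and in this probe. */
const char *explain(int err)
{
    switch (err) {
    case 0:             return "ok";
    case EPERM:         return "EPERM: this process lacks CAP_NET_ADMIN, or the kernel it runs under refuses IP_TRANSPARENT";
    case ENOPROTOOPT:   return "ENOPROTOOPT: this kernel does not implement IP_TRANSPARENT";
    case EADDRNOTAVAIL: return "EADDRNOTAVAIL: address is not local and IP_TRANSPARENT is not in effect (stunnel's local_bind error 99)";
    case -1:            return "socket() failed";
    default:            return strerror(err);
    }
}

int main(void)
{
    int cap = has_cap_net_admin();
    printf("CAP_NET_ADMIN in CapEff : %s\n", cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    int t = probe_ip_transparent();
    printf("setsockopt IP_TRANSPARENT: %s\n", explain(t));
    /* 192.0.2.1 (RFC 5737 documentation range) stands in for the client's external IP. */
    int b = probe_foreign_bind("192.0.2.1", 1);
    printf("bind to 192.0.2.1        : %s\n", explain(b));
    return (t == 0 && b == 0) ? 0 : 1;
}
```

Reading the output: if the probe, run as root, prints "no" for CAP_NET_ADMIN and EPERM for the setsockopt, the process is root but the effective capability set does not carry CAP_NET_ADMIN, which points at the environment (capability bounding set, container or virtualization kernel) rather than at the stunnel configuration or the uid; if it prints "yes" and still EPERM, the kernel is refusing the option despite the capability. The second line reproduces the log's error 99 whenever the first step fails, so the bind failure is a consequence, not a second independent problem.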