I am trying to run a transparent stunnel4 proxy on a server in front of a websocket service.
The WS server is based on the Ratchet framework, and so does not support WSS, hence the need for the proxy.
When transparent is set to none in stunnel.conf, the websocket traffic works without incident, except that the WS server sees all traffic coming from 127.0.0.1; everything else runs fine.
But as soon as transparent is set to source, the client gets
WebSocket connection to 'wss://<ADDR>:32770/' failed: Error during WebSocket handshake: net::ERR_CONNECTION_RESET
As far as I can tell, the problems start right after setsockopt IP_TRANSPARENT: Operation not permitted (1)
in the stunnel log. I have set up all the iptables settings required by the stunnel docs and made sure everything runs as root.
I have been working on this for three days and have turned every variation of my search terms purple, to no avail. I am hoping there is a server wizard here who can help me out of my trouble.
Stunnel doc reference: https://www.stunnel.org/static/stunnel.html#SERVICE-LEVEL-OPTIONS
Setup:
The server is running Ubuntu 12.04.5 LTS (GNU/Linux 2.6.32-042stab093.4 x86_64)
using stunnel 4
open_server.php file:
<?php
// open_server.php: plain (non-TLS) Ratchet websocket server on 0.0.0.0:8888.
// stunnel terminates TLS on port 32770 and forwards to this port.
use Ratchet\App;
use Websocket_Server\Server;
require dirname(__DIR__) . '/vendor/autoload.php';
$loop = React\EventLoop\Factory::create();
$webSock = new React\Socket\Server($loop);
$webSock->listen(8888, '0.0.0.0'); // must match "connect = 8888" in stunnel.conf
$webServer = new Ratchet\Server\IoServer(
    new Ratchet\Http\HttpServer(
        new Ratchet\WebSocket\WsServer(new Server($loop)) // application class from the Websocket_Server namespace
    ), $webSock
);
$loop->run();
stunnel.conf:
key = <key file dir>
cert = <crt file dir>
debug = 7
output = /var/log/stunnel_log.log
setgid = 0
[websocket]
accept = 32770
connect = 8888
; source: connect to the backend with the client's original IP as source address
transparent = source
Attempt with transparent = source:
Full debug output when the socket is hit:
2015.07.26 15:09:26 LOG7[14108:140701658388224]: local socket: FD=0 allocated (non-blocking mode)
2015.07.26 15:09:26 LOG7[14108:140701658388224]: Service websocket accepted FD=0 from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket started
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Option TCP_NODELAY set on local socket
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Waiting for a libwrap process
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Acquired libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Releasing libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Released libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket permitted by libwrap from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG5[14108:140701658478336]: Service websocket accepted connection from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): before/accept initialization
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read client hello A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write server hello A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write certificate A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write key exchange A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write server done A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 flush data
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read client key exchange A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read finished A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write session ticket A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write change cipher spec A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write finished A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 flush data
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 items in the session cache
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 client connects (SSL_connect())
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 client connects that finished
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 client renegotiations requested
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 1 server connects (SSL_accept())
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 1 server connects that finished
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 server renegotiations requested
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 session cache hits
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 external session cache hits
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 session cache misses
2015.07.26 15:09:26 LOG7[14108:140701658478336]: 0 session cache timeouts
2015.07.26 15:09:26 LOG6[14108:140701658478336]: SSL accepted: new session negotiated
2015.07.26 15:09:26 LOG6[14108:140701658478336]: Negotiated ciphers: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
2015.07.26 15:09:26 LOG7[14108:140701658478336]: remote socket: FD=1 allocated (non-blocking mode)
2015.07.26 15:09:26 LOG3[14108:140701658478336]: setsockopt IP_TRANSPARENT: Operation not permitted (1)
2015.07.26 15:09:26 LOG3[14108:140701658478336]: local_bind (original port): Cannot assign requested address (99)
2015.07.26 15:09:26 LOG5[14108:140701658478336]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket finished (0 left)
2015.07.26 15:09:26 LOG7[14108:140701658478336]: str_stats: 0 block(s), 0 byte(s)
Bash output when checking permissions:
# ps aux | grep stunnel4
root 14103 0.0 0.1 29820 1032 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14104 0.0 0.1 29820 704 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14105 0.0 0.1 29820 704 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14106 0.0 0.1 29820 704 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14107 0.0 0.1 29820 704 pts/2 S 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 14108 0.0 0.4 95424 2252 ? Ss 15:09 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root 20477 0.0 0.1 6460 776 pts/5 S+ 17:00 0:00 grep --color=auto stunnel4
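An added diagnostic, not part of the question above and not stunnel's own code: this Python script repeats in isolation the two steps that fail in the posted log (setsockopt IP_TRANSPARENT on a fresh socket, then bind to the client's original address, which is what stunnel's "local_bind (original port)" does) and records the errno of each, and it reads the CapEff line of /proc/self/status to check whether the process actually holds CAP_NET_ADMIN (bit 12) or CAP_NET_RAW (bit 13), the capabilities the kernel requires for IP_TRANSPARENT. The client address 203.0.113.5:54421 is a constructed stand-in for the <MY EXTERNAL IP>:54421 in the log; the option number 19 is Linux's IP_TRANSPARENT and is only used if the Python build does not export it.

```python
import errno
import socket

# Linux socket option IP_TRANSPARENT (netinet/in.h); older Python builds
# do not export socket.IP_TRANSPARENT, so fall back to the numeric value.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
CAP_NET_ADMIN = 12  # capability bits checked by the kernel for IP_TRANSPARENT
CAP_NET_RAW = 13    # (newer kernels accept either; 2.6.32 wants CAP_NET_ADMIN)

# Constructed sample: the client address stunnel would use as the source of
# its upstream connection (203.0.113.0/24 is a documentation range).
SAMPLE_CLIENT_IP = "203.0.113.5"
SAMPLE_CLIENT_PORT = 54421


def has_capability(status_text, cap_bit):
    """True if the CapEff line of a /proc/<pid>/status dump has cap_bit set."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            cap_eff = int(line.split(":", 1)[1].strip(), 16)
            return bool(cap_eff & (1 << cap_bit))
    return False


def current_process_capabilities():
    """Report CAP_NET_ADMIN / CAP_NET_RAW for the running process."""
    with open("/proc/self/status") as f:
        status = f.read()
    return {"CAP_NET_ADMIN": has_capability(status, CAP_NET_ADMIN),
            "CAP_NET_RAW": has_capability(status, CAP_NET_RAW)}


def probe_transparent_bind(client_ip=SAMPLE_CLIENT_IP, client_port=SAMPLE_CLIENT_PORT):
    """Repeat stunnel's transparent=source steps and return each step's errno
    (0 = success): socket(), setsockopt(IP_TRANSPARENT), bind(client addr)."""
    result = {"socket": 0, "setsockopt": None, "bind": None}
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError as e:
        result["socket"] = e.errno
        return result
    with s:
        try:
            s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
            result["setsockopt"] = 0
        except OSError as e:
            result["setsockopt"] = e.errno
        # Without IP_TRANSPARENT (or net.ipv4.ip_nonlocal_bind), binding a
        # non-local address fails with EADDRNOTAVAIL (99), as in the log.
        try:
            s.bind((client_ip, client_port))
            result["bind"] = 0
        except OSError as e:
            result["bind"] = e.errno
    return result


def explain(result):
    """Turn a probe result into a one-line diagnosis."""
    def name(n):
        return errno.errorcode.get(n, str(n))
    if result["socket"] != 0:
        return "socket() failed with %s; nothing else could be tested" % name(result["socket"])
    if result["setsockopt"] == errno.EPERM:
        msg = ("setsockopt IP_TRANSPARENT refused with EPERM: this process lacks "
               "CAP_NET_ADMIN (a container may withhold it even from root)")
        if result["bind"] != 0:
            msg += "; the follow-up bind to the client address failed with %s" % name(result["bind"])
        return msg
    if result["setsockopt"] != 0:
        return "setsockopt IP_TRANSPARENT failed with %s: kernel built without TPROXY support?" % name(result["setsockopt"])
    if result["bind"] == 0:
        return "IP_TRANSPARENT and non-local bind both work; look at routing and iptables next"
    return "IP_TRANSPARENT set but bind failed with %s" % name(result["bind"])


if __name__ == "__main__":
    print("effective capabilities:", current_process_capabilities())
    r = probe_transparent_bind()
    print("probe result:", r)
    print(explain(r))
```

Run it as the same user stunnel runs as (root here). EPERM on the setsockopt step together with CapEff lacking bits 12 and 13 means root in this environment does not carry the capability IP_TRANSPARENT needs, which is a kernel or container restriction rather than an iptables or stunnel.conf problem; a clean result instead points the investigation back at the routing and iptables rules.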