Skip to content

REALITY: Add rate limiting to fallback handling via token bucket #4553

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

REALITY: Add rate limiting to fallback handling via token bucket #4553

wants to merge 2 commits into from

Conversation

Meo597
Copy link
Contributor

@Meo597 Meo597 commented Mar 26, 2025
edited
Loading

这下小学生论坛的mjj们再也不用担心reality偷cf导致小鸡流量被人偷了

建议配置
给一个较大的after以应付探测,rate和brust弄小点防止mjj偷流量
过大的after和brust将起不到限速效果,过小的rate和brust则十分容易被探测
应结合被偷网站的资源大小合理设置参数
如果不允许突发,可以把brust设为和rate一样

技术细节:
当传输after减去brust字节后开启限速算法
限速采用令牌桶算法
桶的容量是brust,每传输一个字节用掉一个token,初始brust是满的
每秒以rate个token填充桶,直到容量满

示例配置:
如果下载一个文件,效果是:
前10mb不限速,然后被卡256kb/s
如果此时暂停了一会儿,随着时间推移慢慢攒令牌直到上限
再恢复下载又能跑到突发的2mb/s,然后继续被限为256kb/s

至于上行按感觉来配比,一般给很小就足够了

{
    "inbounds": [ // 服务端入站配置
        {
            // 省略...
            "streamSettings": {
                  // 省略...
                "realitySettings": {
                    // 省略...
                    // 下列六个 limit 为选填,可对回落的 REALITY 连接限速,单位是字节/秒。默认为 0 即不启用
                    "limitUploadRate": 65536, // 上行基准速率 64kb/s
                    "limitUploadBrust": 65536, // 上行不允许突发
                    "limitUploadAfter": 0, // 立即对上传开启限速
                    "limitDownloadRate": 262144, // 下行基准速率 256kb/s
                    "limitDownloadBrust": 2097152, // 下行突发速率 2048kb/s
                    "limitDownloadAfter": 10485760 // 下载10mb后开启限速
                }
            }
        }
    ]
}

@Meo597
Copy link
Contributor Author

Meo597 commented Mar 26, 2025
edited
Loading

TODO:

  1. 现在的mod require是我这里的,为了临时测试
    等reality的repo合了之后才有哈希再改此PR

  2. 我这里的protobuf版本有点高,不行的话 @RPRX 只能你生成了

@Fangliding
Copy link
Member

然后面板脚本们随便往里填个或高或低默认参数 很多reality就有了一个限速特征 如果是中间人的人话还可以顺便观察到别人可以长时间得到高于主动探测的速度

@Meo597
Copy link
Contributor Author

Meo597 commented Mar 26, 2025
edited
Loading

探测想要触发到限速,是需要时间和带宽成本的
合理的参数想被探测出来,墙需要无差别cc攻击所有目标

然后还可以加rate随机抖动

刚才随机找了几个可以偷的站,体积小的2mb,图片很多的也不过30mb
如果担心brust给太大起不到限速效果
也可以加limitUp/DownloadAfter且随机化再限速
刚刚加好了,没测,目测没问题

至于中间人那就跟限速无关了
假设真的无差别中间人所有
不用探测限速都知道你在爬梯

@RPRX
Copy link
Member

RPRX commented Mar 29, 2025
edited
Loading

这个功能我打算在 REALITY 抗量子更新之后合并,因为现在支持抗量子的服务端 CF 占最多?Nginx 用的 OpenSSL 才刚合并它

至于会引入限速特征,虽然会标明,但即使不标明,这太明显了,任何人都应该能自己想到吧,所以说这是个风险自负的问题

@Meo597
Copy link
Contributor Author

Meo597 commented Mar 29, 2025

我感觉特征这块还好,因为:

  • 毕竟他都偷CDN了,ASN都不在一个段,不用探测都知道是reality
  • 同ASN的话,站长也没必要反过来把reality当边缘,流量都一样跑何苦呢

实在不行下个PR加个参数随机浮动

@RPRX
Copy link
Member

RPRX commented Mar 29, 2025

反正要偷 CDN 就是个风险自负的问题,不偷 CDN 的话也用不上这个限速,确实得说明一下以防面版脚本们无差别设默认值

@Fangliding
Copy link
Member

看了一眼好长的选项 感觉加个下行限速够了

@Meo597
Copy link
Contributor Author

Meo597 commented Mar 31, 2025
edited
Loading

after和brust是为了规避探测,因此要3个
上下行都可以被滥用,因此要x2

nginx也是六个参数限速,当前行为也和nginx一模一样
或者你有啥好办法没

@Fangliding

@Meo597 Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 6d2b816 to 4cde0ed Compare March 31, 2025 13:38
@Meo597 Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 4cde0ed to 99118bc Compare April 12, 2025 10:47
@intmain0
Copy link

这个功能不要仅限于reality吧,其它入站协议也需要

@RPRX
Copy link
Member

RPRX commented Apr 28, 2025

没合是因为现在还无法合并 XTLS/REALITY#12 ,因为它 base 的 XTLS/REALITY@e26ae23 似乎有问题,@yuhan6665

目前 REALITY 这块的代码只能等跟进 Go 1.24 的改动后再合入新的代码

@RPRX
Copy link
Member

RPRX commented Apr 28, 2025

Xray-core/go.mod

Line 23 in a608c5a

github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d

比如说 Xray-core 用的 REALITY 都不是 XTLS/REALITY@e26ae23 ,此前 @yuhan6665 好像升级到了该版本然后回退了

给 REALITY 加抗量子更新没啥难度,麻烦的是同步 Go 1.24,又是 boring 又是 internal 的,Golang 这 TLS 库写得真的很烦人,也不知道从哪学的,我都想要不 fork uTLS 搞 REALITY 算了,但是 VLESS 加密要抗量子的话似乎得暴露 internal?还有待研究

@yuhan6665
Copy link
Member

当时好像是 v2rayng 用不了新版 go 现在应该没问题了

@RPRX
Copy link
Member

RPRX commented Apr 28, 2025

@yuhan6665 有时间同步下 Go 1.24 吗,这个我是真不想弄

@yuhan6665
Copy link
Member

@yuhan6665 有时间同步下 Go 1.24 吗,这个我是真不想弄

好吧 我有空尝试更新 reality 到最新

@Meo597 Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 99118bc to 0ff1466 Compare May 10, 2025 00:36
@yuhan6665
Copy link
Member

@yuhan6665 有时间同步下 Go 1.24 吗,这个我是真不想弄

XTLS/REALITY#14

@Meo597 Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 0ff1466 to 4f2d3ec Compare May 14, 2025 20:48
@Meo597
Copy link
Contributor Author

Meo597 commented May 14, 2025
edited
Loading

@yuhan6665 @RPRX

XTLS/REALITY 的测试挂了,仅macos跑不通

我试了剥离此PR,REALITY和core都用latest得到一样结果

See: https://github.com/Meo597/Xray-core/actions/runs/15030945205/job/42243080029

=== RUN   TestVlessXtlsVisionReality
Xray 25.4.30 (Xray, Penetrates Everything.) Custom (go1.24.3 darwin/arm64)
A unified platform for anti-censorship.
2025/05/14 21:03:21.070922 [Debug] app/log: Logger started
2025/05/14 21:03:21.071033 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:58205
2025/05/14 21:03:21.071042 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:58205
Warning: 4 21:03:21.071044 [Warning] core: Xray 25.4.30 started
Xray 25.4.30 (Xray, Penetrates Everything.) Custom (go1.24.3 darwin/arm64)
A unified platform for anti-censorship.
2025/05/14 21:03:21.076927 [Debug] app/log: Logger started
2025/05/14 21:03:21.077045 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:58206
2025/05/14 21:03:21.077165 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:58206
Warning: 4 21:03:21.077168 [Warning] core: Xray 25.4.30 started
2025/05/14 21:03:23.078362 [Debug] [3650243354] proxy/dokodemo: processing connection from: 127.0.0.1:58207
2025/05/14 21:03:23.078436 [Info] [3650243354] proxy/dokodemo: received request for 127.0.0.1:58207
2025/05/14 21:03:23.078466 [Info] [3650243354] app/dispatcher: default route for tcp:127.0.0.1:58204
2025/05/14 21:03:23.078485 [Info] [3650243354] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:58205
2025/05/14 21:03:23.078830 [Debug] [3650243354] transport/internet: dialing to tcp:127.0.0.1:58205
REALITY remoteAddr: 127.0.0.1:58208
2025/05/14 21:03:23.080876 [Info] [3650243354] transport/internet/reality: REALITY localAddr: 127.0.0.1:58208	hello.SessionId[:16]: [25 4 30 0 104 37 5 27 1 35 69 103 137 171 205 239]

2025/05/14 21:03:23.080950 [Info] [3650243354] transport/internet/reality: REALITY localAddr: 127.0.0.1:58208	uConn.AuthKey[:16]: [204 238 135 162 160 161 66 217 225 50 74 121 191 110 174 79]	AEAD: *gcm.GCM

REALITY remoteAddr: 127.0.0.1:58208	hs.c.AuthKey[:16]: [204 238 135 162 160 161 66 217 225 50 74 121 191 110 174 79]	AEAD: *chacha20poly1305.chacha20poly1305
REALITY remoteAddr: 127.0.0.1:58208	hs.c.conn == conn: false
REALITY remoteAddr: 127.0.0.1:58208	forwarded SNI: www.google.com
panic: runtime error: index out of range [8] with length 0

goroutine 20 [running]:
github.com/xtls/xray-core/transport/internet/reality.UClient({0x101f92ad8, 0x1400028c070}, 0x140000feb00, {0x101f8b500, 0x140003343c0}, {{0x101f8b650?, 0x14000306148?}, 0x2?, 0x0?})
	/Users/runner/work/Xray-core/Xray-core/transport/internet/reality/reality.go:256 +0xf48
github.com/xtls/xray-core/transport/internet/tcp.Dial({0x101f8b500, 0x140003343c0}, {{0x101f8b650, 0x14000306148}, 0xe35d, 0x2}, 0x14000301aa0)
	/Users/runner/work/Xray-core/Xray-core/transport/internet/tcp/dialer.go:90 +0x15c
github.com/xtls/xray-core/transport/internet.Dial({0x101f8b500, 0x140003343c0}, {{0x101f8b650?, 0x14000306148?}, 0x6148?, 0x140?}, 0x0?)
	/Users/runner/work/Xray-core/Xray-core/transport/internet/dialer.go:64 +0x14c
github.com/xtls/xray-core/app/proxyman/outbound.(*Handler).Dial(0x14000271700, {0x101f8b500, 0x140003343c0}, {{0x101f8b650, 0x14000306148}, 0xe35d, 0x2})
	/Users/runner/work/Xray-core/Xray-core/app/proxyman/outbound/handler.go:316 +0x988
github.com/xtls/xray-core/proxy/vless/outbound.(*Handler).Process.func1()
	/Users/runner/work/Xray-core/Xray-core/proxy/vless/outbound/outbound.go:84 +0xac
github.com/xtls/xray-core/common/retry.(*retryer).On(0x14000131d28, 0x14000131d48)
	/Users/runner/work/Xray-core/Xray-core/common/retry/retry.go:27 +0xbc
github.com/xtls/xray-core/proxy/vless/outbound.(*Handler).Process(0x14000334cf0, {0x101f8b500, 0x140003343c0}, 0x1400027a120, {0x101f88970, 0x14000271700})
	/Users/runner/work/Xray-core/Xray-core/proxy/vless/outbound/outbound.go:81 +0x19c
github.com/xtls/xray-core/app/proxyman/outbound.(*Handler).Dispatch(0x14000271700, {0x101f8b500, 0x140003343c0}, 0x1400027a120)
	/Users/runner/work/Xray-core/Xray-core/app/proxyman/outbound/handler.go:211 +0x3a0
github.com/xtls/xray-core/app/dispatcher.(*DefaultDispatcher).routedDispatch(0x140001fff20, {0x101f8b500, 0x140003343c0}, 0x1400027a120, {{0x101f8b650, 0x140003060a0}, 0xe35c, 0x2})
	/Users/runner/work/Xray-core/Xray-core/app/dispatcher/default.go:486 +0xaa0
created by github.com/xtls/xray-core/app/dispatcher.(*DefaultDispatcher).Dispatch in goroutine 19
	/Users/runner/work/Xray-core/Xray-core/app/dispatcher/default.go:266 +0x4a4
testConn finishes: 151 ms	 read tcp 127.0.0.1:58207->127.0.0.1:58206: read: connection reset by peer 	Alloc = 472.58MB 	TotalAlloc = 5.87GB 	Sys = 1.51GB 	NumGC = 35
    vless_test.go:509: read tcp 127.0.0.1:58207->127.0.0.1:58206: read: connection reset by peer
2025/05/14 21:03:23.230340 [Info] Closing all servers.
2025/05/14 21:03:23.230475 [Debug] app/log: Logger closing
Failed accept TCP connection: accept tcp 127.0.0.1:58204: use of closed network connection
--- FAIL: TestVlessXtlsVisionReality (2.18s)

@RPRX
Copy link
Member

RPRX commented May 16, 2025

09d84c4 修了,rebase 即可

@RPRX RPRX mentioned this pull request May 16, 2025
Merged
@Meo597 Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 4f2d3ec to 14af429 Compare May 16, 2025 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Meo597 @Fangliding @RPRX @intmain0 @yuhan6665