yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)

Home Page:https://www.rutschle.net/tech/sslh/README.html

Issue trying to regex domain name in ping or minecraft server connection request

psychodracon opened this issue · comments

Hello,
I wanted to redirect by domain name, e.g. "minecraft.play.com", to the Minecraft server port (TCP). Since it is not a TLS request I cannot use the tls protocol with sni hostname here. When I try to use regex nothing works. I can clearly see in the dumped incoming packet that the domain name is there, but regex with regex_patterns set to a string like "minecraft.play.com" or to UTF-8 literals is not working. Can somebody explain to me how regex works? I'm kinda lost right now. Thanks in advance!

Please post a dump of incoming packet and the config file you expect to work

Here is a dump of the first 2 packets (when you add the server to the list or click refresh):

sslh  | hexdump of incoming packet:
sslh  | 0x000000: 22 00 fb 05 1b 6d 69 6e 65 63 72 61 66 74 2e 73 "....minecraft.s
sslh  | 0x000010: 6d 6d 65 74 65 73 74 64 6d 6d 61 69 6e 2e 70 6c ometestdomain.pl
sslh  | 0x000020: 01 bb 01 01 00                                  .....
sslh  | probing for http
sslh  | probed for http: PROBE_NEXT
sslh  | probing for tls
sslh  | Request did not begin with TLS handshake.
sslh  | probed for tls: PROBE_NEXT
sslh  | probing for regex
sslh  | probed for regex: PROBE_MATCH
sslh  | regex: lost incoming connection
sslh  | hexdump of incoming packet:
sslh  | 0x000000: fe 01 fa 00 0b 00 4d 00 43 00 7c 00 50 00 69 00 ......M.C.|.P.i.
sslh  | 0x000010: 6e 00 67 00 48 00 6f 00 73 00 74 00 3d 7f 00 1b n.g.H.o.s.t.=...
sslh  | 0x000020: 00 6d 00 69 00 6e 00 65 00 63 00 72 00 61 00 66 .m.i.n.e.c.r.a.f
sslh  | 0x000030: 00 74 00 2e 00 73 00 6d 00 6d 00 65 00 74 00 65 .t...s.o.m.e.t.e
sslh  | 0x000040: 00 73 00 74 00 64 00 6d 00 6d 00 61 00 69 00 6e .s.t.d.o.m.a.i.n
sslh  | 0x000050: 00 2e 00 70 00 6c 00 00 01 bb                   ...p.l....
sslh  | probing for http
sslh  | probed for http: PROBE_NEXT
sslh  | probing for tls
sslh  | Request did not begin with TLS handshake.
sslh  | probed for tls: PROBE_NEXT
sslh  | probing for regex
sslh  | probed for regex: PROBE_NEXT
sslh  | probing for tls
sslh  | Request did not begin with TLS handshake.
sslh  | probed for tls: PROBE_NEXT

Here is the second packet, sent when you press the "Join server" button:

sslh  | hexdump of incoming packet:
sslh  | 0x000000: 22 00 fb 05 1b 6d 69 6e 65 63 72 61 66 74 2e 73 "....minecraft.s
sslh  | 0x000010: 6d 6d 65 74 65 73 74 64 6d 6d 61 69 6e 2e 70 6c ometestdomain.pl
sslh  | 0x000020: 01 bb 02 22 00 0f 73 6d 6d 65 75 73 65 72 6e 61 ..."..someuserna
sslh  | 0x000030: 6f 6e 39 39 30 01 4b 17 22 10 2d 94 4e b4 87 ae me990.K.".-.N...
sslh  | 0x000040: 08 64 d3 62 fb 7c                               .d.b.|
sslh  | probing for http
sslh  | probed for http: PROBE_NEXT
sslh  | probing for tls
sslh  | Request did not begin with TLS handshake.
sslh  | probed for tls: PROBE_NEXT
sslh  | probing for regex
sslh  | probed for regex: PROBE_MATCH
sslh  | regex: lost incoming connection

I've already tried the following configurations, but none of them is working:

{ name: "regex"; host: "192.168.10.10"; port: "25545"; regex_patterns: ["^minecraft"]; log_level: 1; },
{ name: "regex"; host: "192.168.10.10"; port: "25545"; regex_patterns: ["minecraft"]; log_level: 1; },
{ name: "regex"; host: "192.168.10.10"; port: "25545"; regex_patterns: ["\x6D\x69\x6E\x65\x63\x72\x61\x66\x74"]; log_level: 1; },

I'm not sure if I understood something wrongly, thanks!

PS: I'll just add that I'm using the docker version built from the master branch and I'm not using transparent mode. Other configuration entries for tls or openvpn are working correctly, but I cannot make regex work; it always uses the last protocol entry.

IIRC you can specify several regex in one probe, i.e.:

{ name: "regex"; host: "192.168.10.10"; port: "25545"; regex_patterns: ["^minecraft", "minecraft", "\x6D..."]; log_level: 1; }

Also, "^" means "match at beginning of packet", so here the first rule will never match.

That said, the second rule should match both packets you are showing (the rule means "contains the word 'minecraft' anywhere"). What's strange is the error "regex: lost incoming connection": this suggests the probe did work, but the connection closed before getting the information to log it. This branch of code usually only gets called in extreme conditions (system under heavy load that starts to drop connections after accepting them); it's pretty strange that it would happen repeatedly.

So, I am not sure what's happening, but I would say the probe is in fact working. Does it work if you use the anyprot probe instead?
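To make the "^ matches at the beginning of the packet" point concrete, here is an added example (my own code, not sslh's and not from the issue) that rebuilds the two packet layouts visible in the hexdumps above: the modern Minecraft handshake (length varint, packet id 0, protocol 763 = bytes fb 05, host, port 443 = bytes 01 bb, next state) and the legacy FE 01 FA ping with its UTF-16BE strings, then runs the issue's patterns over them. Assumptions: Python's re stands in for sslh's regex library, and the host name is the issue's own test value.

```python
import re
import struct

# Constructed example, not sslh code: the modern Minecraft handshake (packet id 0)
# and the legacy server-list ping (FE 01 FA), laid out as in the issue's hexdumps.

def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:  # 7 data bits per byte, high bit set while more bytes follow
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def decode_varint(data: bytes, pos: int) -> tuple:
    value, shift = 0, 0
    while True:
        b, pos = data[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def build_handshake(protocol: int, host: str, port: int, next_state: int) -> bytes:
    host_b = host.encode()
    body = (encode_varint(0) + encode_varint(protocol) + encode_varint(len(host_b))
            + host_b + struct.pack(">H", port) + encode_varint(next_state))
    return encode_varint(len(body)) + body  # length prefix first: 22 00 fb 05 1b ...

def parse_handshake(pkt: bytes) -> dict:
    """Extract the fields a host-based router cares about; the host is never at offset 0."""
    _, pos = decode_varint(pkt, 0)          # packet length
    pid, pos = decode_varint(pkt, pos)      # packet id, 0 for handshake
    if pid != 0:
        raise ValueError("not a handshake packet")
    protocol, pos = decode_varint(pkt, pos)
    hlen, pos = decode_varint(pkt, pos)
    host, pos = pkt[pos:pos + hlen].decode(), pos + hlen
    port = struct.unpack(">H", pkt[pos:pos + 2])[0]
    next_state, _ = decode_varint(pkt, pos + 2)
    return {"protocol": protocol, "host": host, "port": port, "next_state": next_state}

def build_legacy_ping(host: str, port: int, protocol: int = 127) -> bytes:
    """Pre-1.7 ping: strings are UTF-16BE, so every ASCII letter is preceded by 0x00."""
    tag = "MC|PingHost".encode("utf-16-be")
    rest = bytes([protocol]) + struct.pack(">H", len(host)) + host.encode("utf-16-be") + struct.pack(">i", port)
    return b"\xfe\x01\xfa" + struct.pack(">H", len("MC|PingHost")) + tag + struct.pack(">H", len(rest)) + rest

def regex_probe(pattern: bytes, pkt: bytes) -> bool:
    # Unanchored search over the first packet, as a regex probe does; "^" only sees offset 0.
    return re.search(pattern, pkt, re.DOTALL) is not None
```

Running the issue's patterns: "^minecraft" never matches because byte 0 is the length prefix, plain "minecraft" matches the handshake but not the legacy ping (its letters are NUL-separated, which is why the second dump above shows PROBE_NEXT), and a pattern that spells out the NULs matches the legacy ping.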

Hmm, using anyprot seems to work. I'm still curious why it is not working with tls, but at least the problem is solved. Thank you very much.

Well, it can't work with tls because it's not tls :-) That might be an option to set on the client, I suppose.

anyprot matches anything. I don't get how regex fails here, the fact it works means there is something specific to the probe (rather than the client dropping the connection), yet the way it fails suggests the probe works, so... I'm confused.

I was thinking about regex sorry 😀. Also I've found the reason why regex was not working... It's "user is stupid" error, I've made a typo in port number.

You mean 25545? I would expect a different error in that case ("forward to 192....:25545 failed")

Yes, exactly: instead of using 25565 I used 25545. After changing the port number it started to work.