bivashy/Blitz-Proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b8e6a5475bab291e1d4df89a4ab3eaf27bdee0b0
Blitz-Proxy/core/scripts/hysteria2/change_sni.sh
Whispering Wind 7546e13cfb fix: handle domain names in IP4 configuration variable 
Previously, when the IP4 variable contained a domain name instead of an actual IP address, the SNI validation would fail and force the use of self-signed certificates. This update adds detection and resolution of domain names in the IP4 variable, ensuring proper DNS comparison when checking if the SNI domain points to the server.
2025-04-27 11:32:43 +03:30

134 lines
4.7 KiB
Bash
Raw Blame History

#!/bin/bash
source /etc/hysteria/core/scripts/path.sh
sni="$1"
if [ -f "$CONFIG_ENV" ]; then
source "$CONFIG_ENV"
else
echo "Error: Config file $CONFIG_ENV not found."
exit 1
fi
update_sni() {
local sni=$1
local server_ip
if [ -z "$sni" ]; then
echo "Invalid SNI. Please provide a valid SNI."
echo "Example: $0 yourdomain.com"
return 1
fi
if [ -n "$IP4" ]; then
if [[ $IP4 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
server_ip="$IP4"
echo "Using server IP from config: $server_ip"
else
domain_ip=$(dig +short "$IP4" A | head -n 1)
if [ -n "$domain_ip" ]; then
server_ip="$domain_ip"
echo "Resolved domain $IP4 to IP: $server_ip"
else
server_ip=$(curl -s -4 ifconfig.me)
echo "Could not resolve domain $IP4. Using auto-detected server IP: $server_ip"
fi
fi
else
server_ip=$(curl -s -4 ifconfig.me)
echo "Using auto-detected server IP: $server_ip"
fi
echo "Checking if $sni points to this server ($server_ip)..."
domain_ip=$(dig +short "$sni" A | head -n 1)
if [ -z "$domain_ip" ]; then
echo "Warning: Could not resolve $sni to an IPv4 address."
use_certbot=false
elif [ "$domain_ip" = "$server_ip" ]; then
echo "Success: $sni correctly points to this server ($server_ip)."
use_certbot=true
else
echo "Notice: $sni points to $domain_ip, not to this server ($server_ip)."
use_certbot=false
fi
cd /etc/hysteria/ || exit
if [ "$use_certbot" = true ]; then
echo "Using certbot to obtain a valid certificate for $sni..."
if certbot certificates | grep -q "$sni"; then
echo "Certificate for $sni already exists. Renewing..."
certbot renew --cert-name "$sni"
else
echo "Requesting new certificate for $sni..."
certbot certonly --standalone -d "$sni" --non-interactive --agree-tos --email admin@"$sni"
fi
cp /etc/letsencrypt/live/"$sni"/fullchain.pem /etc/hysteria/ca.crt
cp /etc/letsencrypt/live/"$sni"/privkey.pem /etc/hysteria/ca.key
echo "Certificates successfully installed from Let's Encrypt."
if [ -f "$CONFIG_FILE" ]; then
jq '.tls.insecure = false' "$CONFIG_FILE" > "${CONFIG_FILE}.temp" && mv "${CONFIG_FILE}.temp" "$CONFIG_FILE"
echo "TLS insecure flag set to false in $CONFIG_FILE"
fi
else
echo "Using self-signed certificate with openssl for $sni..."
rm -f ca.key ca.crt
echo "Generating CA key and certificate for SNI: $sni ..."
openssl ecparam -genkey -name prime256v1 -out ca.key >/dev/null 2>&1
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/CN=$sni" >/dev/null 2>&1
echo "Self-signed certificate generated for $sni"
if [ -f "$CONFIG_FILE" ]; then
jq '.tls.insecure = true' "$CONFIG_FILE" > "${CONFIG_FILE}.temp" && mv "${CONFIG_FILE}.temp" "$CONFIG_FILE"
echo "TLS insecure flag set to true in $CONFIG_FILE"
fi
fi
chown hysteria:hysteria /etc/hysteria/ca.key /etc/hysteria/ca.crt
chmod 640 /etc/hysteria/ca.key /etc/hysteria/ca.crt
sha256=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in ca.crt | sed 's/.*=//;s///g')
echo "SHA-256 fingerprint generated: $sha256"
if [ -f "$CONFIG_FILE" ]; then
jq --arg sha256 "$sha256" '.tls.pinSHA256 = $sha256' "$CONFIG_FILE" > "${CONFIG_FILE}.temp" && mv "${CONFIG_FILE}.temp" "$CONFIG_FILE"
echo "SHA-256 updated successfully in $CONFIG_FILE"
else
echo "Error: Config file $CONFIG_FILE not found."
return 1
fi
if [ -f "$CONFIG_ENV" ]; then
if grep -q "^SNI=" "$CONFIG_ENV"; then
sed -i "s/^SNI=.*$/SNI=$sni/" "$CONFIG_ENV"
echo "SNI updated successfully in $CONFIG_ENV"
else
echo "SNI=$sni" >> "$CONFIG_ENV"
echo "Added new SNI entry to $CONFIG_ENV"
fi
else
echo "SNI=$sni" > "$CONFIG_ENV"
echo "Created $CONFIG_ENV with new SNI."
fi
python3 "$CLI_PATH" restart-hysteria2 > /dev/null 2>&1
echo "Hysteria2 restarted successfully with new SNI: $sni."
if [ "$use_certbot" = true ]; then
echo "✅ Valid Let's Encrypt certificate installed for $sni"
echo " TLS insecure mode is now DISABLED"
else
echo "⚠️ Self-signed certificate installed for $sni"
echo " TLS insecure mode is now ENABLED"
echo " (This certificate won't be trusted by browsers)"
fi
}
update_sni "$sni"
Reference in New Issue View Git Blame Copy Permalink