@SurgeTeam
According to Surge's documentation, QUIC traffic is blocked automatically.
Here is my Proxy configuration (example):
EXAMPLE = ss, HOST, PORT, encrypt-method=aes-128-gcm, password=PASSWORD, tfo=false, udp-relay=false
However, when I open the OpenAI client on iOS, the QUIC traffic is not blocked and goes DIRECT instead. The log is as follows:
10:44:29.542686 [TLS] QUIC TLS SNI: ios.chat.openai.com
10:44:29.543908 [Rule] Sub-rule matched: .openai.com(in ai_suit)
10:44:29.543944 [Rule] Rule matched: RULE-SET ai_suit
10:44:29.544044 [Rule] Policy decision path: AI -> Proxy -> TW Auto
10:44:29.544273 [UDP] Fallback to DIRECT since the policy doesn't support UDP
10:44:29.545817 [UDP] QUIC traffic detected, allowed based on policy settings
10:44:29.552822 [UDP] New remote address: 31.13.67.19:443
I tried adding block-quic=true to the Policy Parameters:
EXAMPLE = ss, HOST, PORT, encrypt-method=aes-128-gcm, password=PASSWORD, tfo=false, udp-relay=false, block-quic=true
But it had no effect; the traffic still went DIRECT.
However, if I set udp-relay=true:
EXAMPLE = ss, HOST, PORT, encrypt-method=aes-128-gcm, password=PASSWORD, tfo=false, udp-relay=true
then QUIC traffic is blocked correctly. The log is as follows:
10:52:42.982609 [TLS] QUIC TLS SNI: ios.chat.openai.com
10:52:42.983253 [Rule] Sub-rule matched: .openai.com(in ai_suit)
10:52:42.983283 [Rule] Rule matched: RULE-SET ai_suit
10:52:42.983368 [Rule] Policy decision path: AI -> TWManual
10:52:42.984960 [UDP] QUIC traffic detected, blocked based on policy settings
Alternatively, setting udp-policy-not-supported-behaviour to REJECT:
[General]
udp-policy-not-supported-behaviour = REJECT
also gets QUIC traffic blocked correctly. The log is as follows:
10:58:34.577464 [TLS] QUIC TLS SNI: ios.chat.openai.com
10:58:34.580868 [Rule] Sub-rule matched: .openai.com(in ai_suit)
10:58:34.580975 [Rule] Rule matched: RULE-SET ai_suit
10:58:34.581115 [Rule] Policy decision path: AI -> TWManual
10:58:34.581401 [UDP] Fallback to REJECT since the policy doesn't support UDP
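If QUIC traffic goes DIRECT, ChatGPT on the iPad cannot log in (on my iPhone I can log in normally with the same Surge profile; the reason is unknown). Please consider fixing this issue. Thanks!
Other related reports:
Surge iOS has some problems handling the QUIC protocol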
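
Added example (not part of the original post and not Surge's own code): a Python triage script over the log format shown in the post, flagging QUIC flows that were allowed after a fallback to DIRECT. It assumes a "[TLS] QUIC TLS SNI:" line opens each flow and that flows are not interleaved; the function names are hypothetical.

```python
import re

# Subset of the log lines quoted in the post (three captures, concatenated).
SAMPLE_LOG = """\
10:44:29.542686 [TLS] QUIC TLS SNI: ios.chat.openai.com
10:44:29.544044 [Rule] Policy decision path: AI -> Proxy -> TW Auto
10:44:29.544273 [UDP] Fallback to DIRECT since the policy doesn't support UDP
10:44:29.545817 [UDP] QUIC traffic detected, allowed based on policy settings
10:52:42.982609 [TLS] QUIC TLS SNI: ios.chat.openai.com
10:52:42.983368 [Rule] Policy decision path: AI -> TWManual
10:52:42.984960 [UDP] QUIC traffic detected, blocked based on policy settings
10:58:34.577464 [TLS] QUIC TLS SNI: ios.chat.openai.com
10:58:34.581115 [Rule] Policy decision path: AI -> TWManual
10:58:34.581401 [UDP] Fallback to REJECT since the policy doesn't support UDP
"""

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) \[(\w+)\] (.*)$")

def classify_quic_flows(log_text):
    """Return one record per QUIC flow with its policy path and outcome."""
    flows, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, tag, msg = m.groups()
        if tag == "TLS" and msg.startswith("QUIC TLS SNI: "):
            # Assumption: a QUIC SNI line opens a new, non-interleaved flow.
            cur = {"time": ts, "sni": msg.split(": ", 1)[1], "path": None,
                   "fallback": None, "outcome": "unknown"}
            flows.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("Policy decision path: "):
            cur["path"] = msg.split(": ", 1)[1]
        elif tag == "UDP" and msg.startswith("Fallback to "):
            cur["fallback"] = msg.split()[2]  # DIRECT or REJECT
            if cur["fallback"] == "REJECT":
                cur["outcome"] = "rejected"
        elif tag == "UDP" and "QUIC traffic detected, blocked" in msg:
            cur["outcome"] = "blocked"
        elif tag == "UDP" and "QUIC traffic detected, allowed" in msg:
            # Allowed after a DIRECT fallback means QUIC bypassed the proxy.
            direct = cur["fallback"] == "DIRECT"
            cur["outcome"] = "leaked-direct" if direct else "allowed"
    return flows

def leaked(log_text):
    """Flows where QUIC left the device DIRECT instead of being blocked."""
    return [f for f in classify_quic_flows(log_text)
            if f["outcome"] == "leaked-direct"]
```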