DNS：特定环境下fakeIP失效问题

[Meo597]

完整性要求

• 我保证阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值。
• 我提供了完整的配置文件和日志，而不是出于自己的判断只给出截取的部分。
• 我搜索了 issues, 没有发现已提出的类似问题。
• 问题在 Release 最新的版本上可以成功复现

描述

细节：
fakeIP原理是Xray污染DNS，给客户端返回特定IP段
若客户端发往xray的IP因各种原因被修改，fakeIP即失效

详见代码

			if err == nil && d.shouldOverride(ctx, result, sniffingRequest, destination) {
				domain := result.Domain()
				errors.LogInfo(ctx, "sniffed domain: ", domain)
				destination.Address = net.ParseAddress(domain)
				protocol := result.Protocol()
				if resComp, ok := result.(SnifferResultComposite); ok {
					protocol = resComp.ProtocolForDomainResult()
				}
                                // fakeIP依赖于客户端发往xray IP`ob.Target.Address`的准确性
				isFakeIP := false
				if fkr0, ok := d.fdns.(dns.FakeDNSEngineRev0); ok && fkr0.IsIPInIPPool(ob.Target.Address) {
					isFakeIP = true
				}
				if sniffingRequest.RouteOnly && protocol != "fakedns" && protocol != "fakedns+others" && !isFakeIP {
					ob.RouteTarget = destination
				} else {
					ob.Target = destination
				}
			}

修复建议
入站时选择不相信客户端带来的ip，强行用xray的dns重解析一次，因为可命中缓存因此无开销
See demo: Meo597@d5b80c7
(此Demo是之前专为realIP修复，若确认fakeIP需要PR，我可再次修改)

重现方式

DNS被污染触发条件：

PC端Chrome系浏览器，电脑网卡配置为知名公共DNS，且他们支持DOH
或 Android系统自动配置了安全DNS
或手机端App接入了天朝特色httpdns SDK

影响到Xray的条件（绕过fakeIP的逻辑）：

透明代理 + fakeIP
routeOnly=true

实际不利影响：
因fakeIP失效，若远端xray节点没有sniff+destOverride+routeOnly=false
则目标网站仍被污染，导致访问失败

PS：透明代理+realIP同理

客户端配置

N/A

服务端配置

N/A

客户端日志

N/A

服务端日志

N/A

[RPRX]

虽然客户端发起的 TCP 不一定就是 TLS 或 plain HTTP，甚至不一定是 TCP 或 QUIC，而是奇形怪状的 UDP

[Fangliding]

什么玩意 浏览器DOH解析出来的不是正常IP？正常IP直接过去了哪来被Xray污染的说法 而且fakedns你不override
不就是想推你那个解析 已经说过问题了

[Meo597]

电脑网卡设阿里，chrome系浏览器默认开doh为阿里的

安卓手机系统设置默认开安全dns

一堆垃圾app有httpdps sdk

都会导致解析错误

@Fangliding 你不懂就不要乱评价

[Fangliding]

哦是GFW污染 你牵头说了个Xray污染搞混了
解决问题很简单就是sniff override就行了
“入站时选择不相信客户端带来的ip，强行用xray的dns重解析一次”
和override就是干的一样的事 只是发出去的是域名还是重解析的ip的区别
你偏要搞这么刁钻的条件把本地把目标地址解析为IP发出去这个东西表达出来 这个前段时间就已经讨论过 dup了

[Meo597]

客户端发往Xray的数据包，IP在特定情况下就可能是错的，要么是CDN不友好，要么是被污染

照你这么说那还搞啥routeOnly直接删了得了，凡是能嗅探出来的，统统换成域名

你没考虑过换成域名需要多一次DNS解析吗

[Fangliding]

首先服务端解析域名开销很小 大概只有十几二十ms而且同样有缓存
对 你这个可以解决这个刁钻情况 我为什么对类似方向的功能意见这么大 因为以前的我折腾这些东西对着几个strategy发呆思考它们的含义是什么组合起来会发生什么很绝望 所以类似作用的参数越少越好 如果要加最好只多一个参数 一次不改好 以后继续加 后人再来看问号更多 拿不好就别动
而且这个功能他们好像讨论可以套一层完成 那个issue被关掉了 你这个也一样 dup就是dup 要reopen也是open之前那个
你这个commit 在shouldoverride的情况下(里面就一堆条件) 然后routeonly启用 再用sniff来的域名 去解析并重置地址 这个条件太细分了 所以我觉得不行

[Meo597]

本地xray解析域名，显然不会让节点xray产生dns缓存

routeOnly=true就是为了防止节点xray产生二次DNS请求

但显然它不完美，它没考虑到客户端(pc/phone)请求的IP或许不可信

[Meo597]

我拿xray充当透明代理用没多久，配下来发现有这样那样的缺陷，显然它不够完美

这些改动不做行不行？不做当然不影响爬墙，总归能保证你打开Google
但性能或者功能上始终有缺陷

就像我提交的这个issues，如果不改，利用现有选项，强制把ip换成域名行不行？
当然没问题
但有人大价钱买的HK CN2GIA，首次访问谷歌延迟可能多了十几浪费在DNS上，体验秒变美西

---

我这几天提交的关于DNS的PR和issue都是为了解决这些历史遗留问题

只需要很小的改动，让它性能上有更好的表现

这些缺陷根源在于当初*ray系设计，出发点只是一个PC端软件
显然没准备好在路由器充当网关

singbox作者 @nekohasekai 以前弄的 routeOnly 也是为了追求极致性能

至于配置选项太多的问题，完全可以更新官方example，针对每个用途给最佳指南

这些情景不是刁钻，是为了追求最佳体验不得不这么干，别人没发现是因为他们菜

[patterniha]

@Meo597

Your problem is similar to my problem, and this problem has been solved.

You want your domains be resolved only with trusted-built-in-dns, and use that IP in server too.

///

Solution 1: (one name-to-ip convertor, but require redirect-socks-in/out)

you should set routeOnly=false for main-inbound but set routeOnly=true for redirect-inbound and then use #4423 (comment), it means:

"inbounds": [
    {
      "tag": "main-socks-in",
      "port": 10808,
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"],
        "routeOnly": false
      },
      "settings": {"udp": true}
    },
    {
      "tag": "redirect-socks-in",
      "port": 10909,
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"],
        "routeOnly": true
      },
      "settings": {"udp": true}
    }    
],
"outbounds": [    
    {
      "tag": "name-to-ip",
      "protocol": "freedom",      
      "settings": {"domainStrategy": "ForceIP"},
      "streamSettings": {"sockopt": {"dialerProxy": "redirect-socks-out"}}
    },
    { 
      "tag": "redirect-socks-out",
      "protocol": "socks",
      "settings": {
        "servers": [
          {
            "address": "127.0.0.1",
            "port": 10909 // connect to redirect-socks-in    
          }
        ]
      }
    },
    {
      "tag": "proxy-1",
      ...
    },
    {
      "tag": "proxy-2",
      ...
    },
    ...
]

///

Solution 2: (no need for redirect-socks-in/out, but require name-to-ip convertor for each proxy)

you can omit redirect-socks-in/out in Solution 1, but you need add name-to-ip convertor for each proxy, it means:

"inbounds": [
    {
      "tag": "main-socks-in",
      "port": 10808,
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"],
        "routeOnly": false
      },
      "settings": {"udp": true}
    }        
],
"outbounds": [    
    {
      "tag": "name-to-ip-for-proxy-1",
      "protocol": "freedom",      
      "settings": {"domainStrategy": "ForceIP"},
      "streamSettings": {"sockopt": {"dialerProxy": "proxy-1"}}
    },
    {
      "tag": "proxy-1",
      ...
    },
    {
      "tag": "name-to-ip-for-proxy-2",
      "protocol": "freedom",      
      "settings": {"domainStrategy": "ForceIP"},
      "streamSettings": {"sockopt": {"dialerProxy": "proxy-2"}}
    },
    {
      "tag": "proxy-2",
      ...
    },
    ...    
]

///

I also had another problem other than yours and that was that we have no control over "forceIP" and it can return any IP, so I added "allowUnexpectedIPs" to filter out my desired IPs.

///

I know these are not elegant, but any other solution does not have the comprehensiveness of these solutions.

[Meo597]

不，所有的域都可能被污染，你的配置文件会导致所有的流量绕一圈，而不是某个域

要么尽可能屏蔽所有DOH和httpclient，这显然不可能
要么让本地或Xray把IP替换为域名，这显然会增加延迟

让xray强制把所有域重新解析一次是唯一办法。

[patterniha]

The only way is to let xray force all domains to be re-parsed.

i omit routing section in my solutions, because, you are free to do whatever you want with routing.

I also think you still don't understand how "dialerProxy" works.

if you want to force all domains to be re-parsed just add this rule to the top of routing-rules in solution 1:

"routing": {
    "rules": [                  
      {"outboundTag": "name-to-ip",
       "inboundTag": ["main-socks-in"]
      },
      ...
    ]
}

[Meo597]

不，我并不关心dialerProxy是否能够满足需求

透明代理 + realIp下，我的用例是最佳实践，因为减少了一次DNS解析，它具有最好的性能

因此它应该被重视，所以它应该享有一个独立的开关，直截了当地解决客户端DNS被污染问题

其它人没发现，单纯是因为他们菜

[patterniha]

Transparent proxy + realIp is the best practice for my use case

What does it have to do with transparent proxy?
You can still use transparent proxy + real-IP, just use "main-tproxy-in" instead of "main-socks-in".
also, only one DNS resolution is used, and the performance is the same but it has more flexibility.
"dialerProxy" is just an internal feature in Xray-core. I think the name "dialerProxy" has confused you.

"inbounds": [
    {
      "tag": "main-tproxy-in",
      "port": 12345,
      "protocol": "dokodemo-door",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"],
        "routeOnly": false
      },
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    },
    {
      "tag": "redirect-socks-in",
      "port": 10909,
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"],
        "routeOnly": true
      },
      "settings": {"udp": true}
    }    
],
"outbounds": [    
    {
      "tag": "name-to-ip",
      "protocol": "freedom",      
      "settings": {"domainStrategy": "ForceIP"},
      "streamSettings": {"sockopt": {"dialerProxy": "redirect-socks-out"}}
    },
    { 
      "tag": "redirect-socks-out",
      "protocol": "socks",
      "settings": {
        "servers": [
          {
            "address": "127.0.0.1",
            "port": 10909 // connect to redirect-socks-in    
          }
        ]
      }
    },
    {
      "tag": "proxy-1",
      ...
    },
    {
      "tag": "proxy-2",
      ...
    },
    ...
],
"routing": {
    "rules": [                  
      {"outboundTag": "name-to-ip",
       "inboundTag": ["main-tproxy-in"]
      },
      ...
    ]
}

[patterniha]

This does exactly what "ignoreClientIp" does in #4423,
but instead of inbound, It does it in outbound and then redirect to another inbound again.
because it convert domains to IP after routing, it has more flexibility, and it allows you to not convert some domains if you want.

also, if you don't like redirect, you can use solution 2, but you need to make some appropriate changes to the routing.

[RPRX]

解决问题很简单就是sniff override就行了

我也觉得这样就行，如果客户端实际请求的 IP 不是 fake IP，那么变成哪个 IP 则是不一定的，只能无差别 AOE 开 sniff + override

不觉得有什么问题

[RPRX]

如果你要把 sniff 出来的域名先本地覆写为 IP 再发给服务端 proxy，则是另一件事，感觉你总是搞混 #4497 (comment)

并且绝大多数场景下本地覆写域名为 IP 没什么好处，除非你要像 @patterniha 先在本地分流，也有 workaround #4423 (comment)

[patterniha]

If you want to rewrite the sniffed domain name to IP locally before sending it to the server proxy, that's another matter. I feel like you're always confusing it. #4497 (comment)

And in most scenarios, there is no benefit in locally overriding the domain name to the IP, unless you want to@patternihaDivert locally first, there is also a workaround #4423 (comment)

@RPRX

also, there is no need for #4423 (comment) and redirect-socks, see solution 1 and solution 2 in #4543 (comment)

[RPRX]

@patterniha ？你这个 solution 2 把域名覆写为 IP 后不重新走一遍路由，怎么选择要不要走 worker proxy

[patterniha]

@patterniha? Your solution 2 rewrites the domain name to IP without rerouting. How to choose whether to use the worker proxy?

@RPRX

we have "IPifNonMatch"/"IPonDemand" ability in routing,

So we have everything we need(IPs) in the first step routing.

so we don't need second step.

[RPRX]

@patterniha 你的意思是共用 DNS cache 了，但非 AsIs 的弊端是影响了所有没在 geosite 里的域名，虽然在的也有可能被影响

不过共用 DNS cache 以免 routing 干 override 的脏活，确实可以有

[patterniha]

You mean to share the DNS cache

yes, i also add "allowUnexpecteIPs" to prevent using different IP (in diffrenet range) in outbound and routing.

but the disadvantage of non-AsIs is that it affects all domain names that are not in the geosite.

i don't understand exactly what you mean, we can put domain-need-rules on top of routing-rules, so it doesn't affect them.
also we can use "IPifNonMatch" to avoid using "DNS-resolution" as much as possible unless we have to.

[RPRX]

@patterniha 总之正如我之前所说，我以前总想搞个 NEXT 架构，把 feature 变成 node，用户自己串起来，更加直观，但是后来发现通过现有的 tag-match、dialer-proxy、socks-redirect-in 等能力也是可以做到“图灵完备”的，只是看起来绕一些，且有些性能上有折扣

但前段时间因为你这些奇奇怪怪的需求，我发现 NEXT 还不够，要弄个简易的 script 机制，把 feature 做成 API，用户自己写 if else，颗粒度更细，这就是 Xray 未来的方向，此外像这样的东西肯定做不进分享链接，必须要有 JSON 订阅机制，没啥协议写了就开始搞

[Meo597]

如果你要把 sniff 出来的域名先本地覆写为 IP 再发给服务端 proxy，则是另一件事，感觉你总是搞混 #4497 (comment)

并且绝大多数场景下本地覆写域名为 IP 没什么好处，除非你要像 @patterniha 先在本地分流，也有 workaround #4423 (comment)

我们的沟通出现了障碍

我想要的始终是 IP替换为IP

如果原来是IP，允许xray选择不信任它，让xray重新解析此域，替换掉原IP

[patterniha]

If you want to rewrite the sniffed domain name to IP locally before sending it to the server proxy, that's another matter. I feel like you're always confusing it. #4497 (comment)
And in most scenarios, there is no benefit in locally overriding the domain name to the IP, unless you want to split it locally first like @patterniha did. There is also workaround #4423 (comment)

There was a breakdown in our communication

What I want is always IP replaced with IP

If it was originally an IP, allow xray to choose not to trust it, let xray re-parse this domain and replace the original IP

#4543 (comment), #4543 (comment)

[RPRX]

@patterniha 还有对于 DNS，expectIPs 这名字读起来太难受了，加个别名 expectedIPs 吧，你 PR 一下，带上 #4544

[RPRX]

并且 expectedIPs + allowUnexpectedIPs 实际上是“优先选择该范围内的 IP”，一时间可能理解不到，文档需要标注 @Fangliding

[Meo597]

@patterniha 我知道可以通过你说的那种配置做到替换所有，但我并不感兴趣
我追求的是直接，简单，有效地允许xray把ip替换为ip
你根本没搞懂我的需求，也没用过透明代理

透明代理下，为了实现realip，同时避免二次解析dns增加的延迟
不得不面临pc/phone的可能被dns污染

因此简单直接地把ip换ip是必要的操作

我都追求极限速度了，为什么要绕那么大一圈利用dialproxy呢？

[RPRX]

@Meo597 我觉得 ray 没直接的这个功能可能就是因为本地把域名覆写为 IP 很不优雅

但是我又觉得如果实在需要，加个这功能也不是不行，至于加在路由还是哪，还需要讨论一下

[Meo597]

按我的需求来看，这玩意的目的就是要对所有域开AOE

所以这个开关必须是routeOnly=true时才可生效

因为客户端请求的任何一个域的IP都有可能被污染
正常情况下，客户端请求这个IP的来源，只能是xray的DNS模块

至于outbound加肯定不行，会导致ip分流失效
路由加我不知道是否好实现，代码角度是否绕

[RPRX]

要加这个功能就要能被最大程度复用，比如说同时覆盖 @patterniha 的需求

[Meo597]

首先得达成共识：

对于@patterniha之前的那个需求
只要入站的目的地，从域被替换成一个确定的ip，之前他提到的一切问题都迎刃而解

按照目前我自己的补丁，只有在客户端请求的是ip时，才允许替换

为了满足@patterniha的需求
如果想把域强行替换为ip，有ip偏好问题，首选v4还是v6。不可知，因此还得再加个选项

我能想到的就这些

---

插个题外话：你是否有兴趣让reality和vless在fallback时，对这些连接限速？
这比搭nginx过滤sni更隐蔽，而且简单

[patterniha]

@Meo597

there is an IP preference issue, whether v4 or v6 is preferred

We already have this option, forceIPv4, forceIPv6, ForceIPv4v6, ForceIPv6v4

@RPRX

the ignoreClientIP option introduced by @Meo597 is like DNS +local option.

It makes things simpler, but it is a very limiting option, it affects all domains.

and it can be implemented with dialerProxy.

also, it is not useful when the original address is domain.

anyway, this is just an extra option and it can be added, It depends on your opinion.

[RPRX]

按照目前我自己的补丁，只有在客户端请求的是ip时，才允许替换

你透明代理，还能请求不是 IP？

[Meo597]

按照目前我自己的补丁，只有在客户端请求的是ip时，才允许替换

你透明代理，还能请求不是 IP？

考虑到p的需求时，它的请求肯定是个域。

透明代理当然始终是ip

[RPRX]

考虑到p的需求时，它的请求肯定是个域。

所以要放路由或路由后

[RPRX]

@Meo597 @patterniha 至于其它功能，先弄完这个“本地把域名覆写为 IP”再说，我是觉得这功能都两个人想要了，Xray 可以加

[Meo597]

感谢

我要的是把IP覆写为IP
他要的是把域名覆写为IP，因此有v4 v6偏好

至于咋实现我没啥好主意了

outbound显然不行，导致ip rule失效

[patterniha]

Or another direction is to remove the loss of freedom-non-transport dialer-proxy,But I feel that making a special case is not elegant

@RPRX

i think this the best, merge freedom-non-transport-dialer-proxy to the main-outbound.
This works even when the original-address is a domain.

Although this is just a simplification option.

[patterniha]

What I want is to rewrite the IP to IP.

@Meo597

first, you have to convert the IP to the domain, then to another IP, so we both want the same thing.

we both need to convert the domain via "built-in-dns"

[patterniha]

@Meo597

The difference is that you want everything to be done in inbound,
but i say just convert ip to domain in inbound, and then convert to another ip after routing.

because i convert the domain to ip after routing, my solution has more flexibility, and also works for domain-original address.

This is the whole thing

[Meo597]

没错，这是所有的分歧点

我需要的是在路由模块时，就已经是最终ip
因为对于透明代理的需求来说，十分需要ip rule分流

[patterniha]

What I need is that the final IP address is already in the routing module

@Meo597

ok, just use solution 1, so you have final IP in routing, this works even if your original-address is domain.

this is the complete config that you need: #4543 (comment)

even if you only need trusted-IP in routing and don't need the domain just disable sniffing in redirect-inbound.

(also, you can use solution 2, but with a little more complex routing)

[patterniha]

even if you only need trusted-IP in routing and don't need the domain just disable sniffing in redirect-inbound.

@Meo597

I think you didn't notice this.

[Meo597]

请相信，我完全明白你的配置的思路，很抱歉我没有尝试去配置他
我坚信你的配置可满足我的需求

但我认为如果流量要这样绕一圈的话，我宁愿选择fork xray，然后每次打自己的补丁

透明代理是高频使用的场景，无数的路由器中跑着xray
这样是不可接受的

[patterniha]

Please believe that I fully understand your configuration ideas. I am sorry that I did not try to configure it. I firmly believe that your configuration can meet my needs.

But I think if the traffic has to go around like this, I would rather fork xray and apply my own patches each time

Transparent proxy is a frequently used scenario. It is unacceptable to run xray in countless routers.

@Meo597

ok, if you have a problem with redirecting just use solution 2.

please give me your full json-configuration that using "ignoreClientIP", and i will give you exact same configuration without it, and just using dialerProxy.

OK?

or do you have problems with dialerProxy too? It doesn't do anything except pass the connection to another outbound after resolving its domain to ip, and no data is transferred.

[Meo597]

我有十几个xray节点，在不同的国家
我需要geoip分流

说了八百遍了：dialerProxy不可接受，redirect-socks-out也不可接受

透明代理是重要的用途，是典型应用场景
做这个开关本就是为了追求性能的，你偏要绕一圈

请你先搞明白需求再说

[dyhkwong]

这是预期行为不是 bug，routeOnly 需要保证 DNS 解析是准确的，不处理 DNS 被污染/无法劫持/不可信导致的问题。routeOnly 另外一个作用是不要让虚假的 SNI 作为目标地址导致无法连接，你的所谓修复会导致这个作用失效，且会再次把 UDP 弄坏。

[Meo597]

这的确是预期行为，但是设计缺陷。

@dyhkwong

让UDP再次损坏的原理是什么？
我单纯好奇：原生UDP怎么能被嗅探出SNI等域的，包头啥时候能携带域名了
只有被嗅探到域的，原始请求为IP的才会被替换IP

此外os发给xray的包，什么情况下会有虚假SNI

[patterniha]

I need geoip traffic diversion

Use IPOnDemand / IPifNonMatch

I have a dozen xray nodes in different countries.

This is another problem, you need node instead of json.

So we need to merge freedom-dialer-proxy to outbounds.

It means we need "targetDomainStrategy" option for outbounds.

That is:

"outbounds": [
    {
      "tag": "proxy",
      "targetDomainStrategy": "ForceIP"
      ...
    }
]

Which is equivalent to:

"outbounds": [    
    {
      "tag": "_proxy",
      "protocol": "freedom",      
      "settings": {"domainStrategy": "ForceIP"},
      "streamSettings": {"sockopt": {"dialerProxy": "proxy"}}
    },
    {
      "tag": "proxy",
      ...
    }
]

So it can converted to nodes and share.

cc @RPRX @Fangliding

[Meo597]

@patterniha 你说的内容中国人看不懂

[patterniha]

@patternihaChinese people can't understand what you said

So @RPRX is not Chinese.

@RPRX see #4543 (comment)

[Meo597]

扯了那么半天，你还是想把流量从outbound绕一圈，不管是freedom还是dialProxy
别再一次次发你那个配置了，能看懂，不想用，太愚蠢。绕那么大一圈没必要

[patterniha]

The traffic does not go anywhere, dialerProxy only change the outbound in internal code.

dialerProxy is just some code.

also, targetDomainStrategy will not use dialerProxy, It's just equivalent to using dialerProxy.

///

You need trusted-ip instead of domain/client-ip in routing and server.

-> so for routing you need IPOnDemand/IPifNonMatch,
-> and for server you need targetDomainStrategy=forceIP.

[Meo597]

我之前就说过了你根本没深度使用过透明代理和ip分流
我不需要你教我怎么用xray，况且你根本不会用

IPOnDemand/IPifNonMatch导致路由匹配的ip不一定是出站的时候那个ip，根本不行

还有，分流不能光靠域名，你根本不知道sdwan是什么
这严重依赖ip分流

说了半天你毛都不懂，你这人的消息我不会再回复，就这样
@patterniha

[patterniha]

IPOnDemand/IPifNonMatch causes the IP matched by the route to not necessarily be the IP used when outbound, which does not work at all

This is exactly why I added "allowUnexpectedIPs".

///

I just say give me your config with "ignoreClientIP" and I'll give you the equivalent config with targetDomainStrategy/dialerProxy even with better performance.

///

In addition, your solution affects all domains, and doesn't work when original address is domain.

I have nothing else to say.

[Meo597]

我不得不澄清三点就是：

1.我的需求必须要影响所有域名，因为在我的需求场景下，所有域名都可能被污染。

2.在原始地址是域名时，它可以工作，但不是此issue提到的PR。
只需要改动两行，它便可以在域名时工作。

3.把IP or 域名替换为IP，路由规则会同时看到域名和唯一IP