inconsistencies in configuring host header between httpupgrade and websocket

[mmmray]

Operating system

Ubuntu 22

System version

Ubuntu 22

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

`make build` on dev-next

$ ./sing-box version
sing-box version 1.10.0-alpha.7

Environment: go1.22.4 linux/amd64
Tags: with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls,with_ech
Revision: 86b00ea90397e67c0c7f1f6611b70ee6aaf663cf
CGO: enabled

Description

• the configuration {"headers": {"Host": "example.com"}} does not have the desired effect on httpupgrade, but does work on websocket. httpupgrade falls back to the address for the Host header even if the host header is explicitly provided as shown.

• the configuration {"host": "example.com"} does not work on websocket, but does work on httpupgrade, as websocket does not have a host field to begin with.

• the configuration {"headers": {"host": "example.com"}} (lowercase host) in httpupgrade will produce duplicate host headers, which is definitely not desirable.

I suggest to make the behavior consistent across transports, or maybe even consistent with xray. It could be considered intended behavior, but it feels like a footgun.

it seems some GUI authors got confused by this, and as a result their host setting for httpupgrade does not work, as it produces config for httpupgrade like {"headers": {"host": "example.com"}}. this was probably copypasted from their code for websocket.

credit goes to @mikeesierrah for discovering and debugging

Reproduction

{
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "::",
      "listen_port": 2080,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "vless",
      "tag": "proxy",
      "server": "speedtest.net",
      "server_port": 8080,
      "uuid": "xxx",
      "transport": {
        "type": "httpupgrade",
        "headers": {"Host": "example.com"},
        "path": "/asdasdasd"
      },
      "packet_encoding": ""
    }
  ]
}

it is not necessary to provide a server config, as the issue is purely within the request headers. the above config can be launched with ./sing-box run -c config.json as-is, and curl -x socks5h://127.0.0.1:2080 will trigger the handshake.

Then, wireshark can be used to observe the result:

Host: example.com is expected instead of speedtest. It can be fixed by changing "headers": {"Host": ...} to "host": ...

Logs

there are no crashes

Supporter

• [ ] I am a sponsor

Integrity requirements

• [X] I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
• [X] I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
• [X] I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
• [X] I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.

[nekohasekai]

https://www.v2fly.org/en_US/v5/config/stream/websocket.html https://www.v2fly.org/en_US/v5/config/stream/httpupgrade.html

If people who call themselves developers cannot do basic things like generate different json for different transports, then we will not provide any support.

[mmmray]

I feel that the experience for direct core users is also affected. Fixing this will not just help GUI, it will help everyone.

In general, sing-box seems to have much cleaner config format than other cores. But somehow this inconsistency is OK?

Nobody is asking for free work to support Hiddify here, that's why PR was filed.