SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

REALITY: processed invalid connection (caddy sni+vless+vision+reality) #2299

Closed JKSTAFF closed 1 day ago

JKSTAFF commented 1 day ago

Operating system

Linux

System version

Debian 12

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

v1.10.1

Description

I built a vless+vision+reality protocol combination with SNI-based routing handled by Caddy, and verified that it works in a native xray-core environment.
After replacing xray-core with sing-box and converting the configuration file (see the Reproduction section), proxying does not work. The sing-box log reports the error REALITY: processed invalid connection.
P.S. While troubleshooting on my own, I noticed that xray-core requires xver=0 for this combination, but I did not configure it in sing-box.

Reproduction

The sing-box (server-side) configuration is as follows:

{
    "log": {},
    "inbounds": [
        {
            "tag": "reality-in",
            "type": "vless",
            "listen": "::",
            "listen_port": 5443,
            "sniff": true,
            "sniff_override_destination": true,
            "users": [
                {
                    "uuid": "my-uuid",
                    "flow": "xtls-rprx-vision"
                }
            ],
            "tls": {
                "enabled": true,
                "server_name": "itunes.apple.com",
                "reality": {
                    "enabled": true,
                    "handshake": {
                        "server": "itunes.apple.com",
                        "server_port": 443
                    },
                    "private_key": "my-private-key",
                    "short_id": [""]
                }
            }
        }
    ],
    "outbounds": [
        {
            "tag": "direct",
            "type": "direct"
        },
        {
            "tag": "block",
            "type": "block"
        }
    ],
    "route": {
        "rule_set": [],
        "rules": [],
        "final": "direct"
    }
}

As a control group, the configuration that has been verified to proxy successfully with xray-core and Caddy (built with the required plugins such as layer4) is as follows:

Caddy configuration file

It reverse-proxies my website (port 8080, at sub.mydomain.com) and issues its certificate, and it also handles the SNI routing to xray (port 5443). This part was not changed when switching to sing-box:

{
    "admin": {
        "disabled": true
    },
    "logging": {
        "logs": {
            "default": {
                "writer": {
                    "filename": "/etc/caddy/error.log",
                    "output": "file"
                },
                "encoder": {"format": "console"},
                "level": "error",
                "exclude": ["http.log.access.log0"]
            },
            "log0": {
                "writer": {
                    "filename": "/etc/caddy/access.log",
                    "output": "file"
                },
                "encoder": {
                    "format": "transform",
                    "template": "{common_log}"
                },
                "include": ["http.log.access.log0"]
            }
        }
    },
    "apps": {
        "layer4": {
            "servers": {
                "sni": {
                    "listen": [":443"],
                    "routes": [{
                        "match": [{"tls": {"sni": ["itunes.apple.com"]}}],
                        "handle": [{
                            "handler": "proxy",
                            "upstreams": [{"dial": ["127.0.0.1:5443"]}],
                            "proxy_protocol": "v2"
                        }]
                    }]
                }
            }
        },
        "http": {
            "https_port": 443,
            "servers": {
                "srv0": {
                    "listen": [":443"],
                    "routes": [{
                        "match": [{"host": ["*.mydomain.com"]}],
                        "handle": [{
                            "handler": "subroute",
                            "routes": [
                                {
                                    "handle": [{
                                        "encodings": {"gzip": {},"zstd": {}},
                                        "handler": "encode",
                                        "prefer": ["gzip","zstd"]
                                    }]
                                },
                                {
                                    "handle": [{
                                        "handler": "subroute",
                                        "routes": [
                                            {
                                                "handle": [{
                                                    "handler": "reverse_proxy",
                                                    "upstreams": [{"dial": "127.0.0.1:8080"}]
                                                }]
                                            }
                                        ]
                                    }],
                                    "match": [{"host": ["sub.mydomain.com"]}]
                                }
                            ]
                        }],
                        "terminal": true
                    }],
                    "logs": {"logger_names": {"*.mydomain.com": ["log0"]}}
                }
            }
        },
        "tls": {
            "automation": {
                "policies": [{
                    "subjects": ["*.mydomain.com"],
                    "issuers": [
                        {
                            "challenges": {
                                "dns": {
                                    "provider": {
                                        "api_token": "my_api_token",
                                        "name": "cloudflare"
                                    }
                                },
                                "tls-alpn": {"alternate_port": 443}
                            },
                            "email": "my@email.com",
                            "module": "acme"
                        },
                        {
                            "ca": "https://acme.zerossl.com/v2/DV90",
                            "challenges": {
                                "dns": {
                                    "provider": {
                                        "api_token": "my_api_token",
                                        "name": "cloudflare"
                                    }
                                },
                                "tls-alpn": {"alternate_port": 443}
                            },
                            "email": "my@email.com",
                            "module": "acme"
                        }
                    ]
                }]
            }
        }
    }
}

Server-side xray-core configuration file

{
    "log" : {},
    "stats": {},
    "api": {},
    "inbounds": [
        {
            "tag": "reality-in",
            "sniffing": {
                "enabled": true,
                "destOverride": ["http","tls","quic"]
            },
            "port": 5443,
            "listen": "127.0.0.1",
            "protocol": "vless",
            "settings": {
                "clients": [{
                    "id": "my-uuid",
                    "email": "mymailbox@gmail.com",
                    "flow": "xtls-rprx-vision"
                }],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "raw",
                "rawSettings": {"acceptProxyProtocol": true},
                "security": "reality",
                "realitySettings": {
                    "dest": "itunes.apple.com:443",
                    "serverNames": ["itunes.apple.com"],
                    "xver": 0,
                    "privateKey": "my-private-key",
                    "shortIds": [""]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {},
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "settings": {},
            "tag": "block"
        }
    ],
    "routing": {
        "domainStrategy": "IPIfNotMatch",
        "rules": [
            {
                "type": "field",
                "outboundTag": "block",
                "protocol": ["bittorrent"]
            }
        ]
    }
}

Logs

After the switch, SBA repeatedly shows the following errors:

tls: first record does not look like a TLS handshake
remote error: tls :internal error


zeetex commented 1 day ago

Since v1.6.0, sing-box has removed support for Proxy Protocol. Try removing proxy_protocol from the Caddy configuration first.

JKSTAFF commented 1 day ago

> Since v1.6.0, sing-box has removed support for Proxy Protocol. Try removing proxy_protocol from the Caddy configuration first.

Troubleshooting succeeded, thanks to the developer for the answer.
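To make the diagnosis above concrete: Caddy's layer4 proxy handler with `"proxy_protocol": "v2"` prepends a PROXY protocol v2 header to every forwarded connection. The xray-core inbound consumed it because of `"acceptProxyProtocol": true`; sing-box (v1.6.0 and later, per the reply above) does not, so its TLS listener reads the header's first byte where a handshake record type (0x16) is expected and logs "first record does not look like a TLS handshake". The following Python script is an added example, not code from the issue, from sing-box or from Caddy. It builds a PROXY v2 header in front of a constructed, minimal TLS record, applies the same first-byte check that produces the logged error, and shows that only a listener which strips the header sees a valid handshake. The ClientHello stub and the 203.0.113.5 source address are constructed sample values.

```python
import struct

# PROXY protocol v2 fixed 12-byte signature (from the HAProxy PROXY protocol spec)
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
TLS_RECORD_HANDSHAKE = 0x16  # TLS record content type for handshake messages

# Constructed stand-in for a ClientHello: record header (type 0x16, legacy version 3.1,
# length 4) followed by a handshake header (type 1 = client_hello, zero-length body).
CLIENT_HELLO_STUB = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def proxy_v2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build what a PROXY v2 sender (such as Caddy's layer4 proxy handler with
    proxy_protocol "v2") writes before the client's bytes: TCP over IPv4, PROXY command."""
    addr_block = _ipv4(src_ip) + _ipv4(dst_ip) + struct.pack("!HH", src_port, dst_port)
    # 0x21: version 2, command PROXY; 0x11: address family AF_INET, transport STREAM
    return PROXY_V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addr_block)) + addr_block


def looks_like_tls_handshake(data: bytes) -> bool:
    """Mirror of the first-record check behind the logged error: the very first byte
    on the wire must be the handshake record type and must be followed by a 3.x version."""
    return len(data) >= 5 and data[0] == TLS_RECORD_HANDSHAKE and data[1] == 0x03


def strip_proxy_v2(data: bytes) -> bytes:
    """What a PROXY-aware listener (e.g. xray-core with acceptProxyProtocol) does before
    handing the stream to TLS: validate and remove the header. Data without the signature
    is passed through unchanged."""
    if not data.startswith(PROXY_V2_SIG):
        return data
    if len(data) < 16:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, addr_len = data[12], struct.unpack("!H", data[14:16])[0]
    if ver_cmd >> 4 != 2:
        raise ValueError("not a PROXY v2 header")
    return data[16 + addr_len:]


def classify(stream: bytes, listener_accepts_proxy_protocol: bool) -> str:
    """Outcome of a listener reading `stream` as the start of a TLS connection."""
    data = strip_proxy_v2(stream) if listener_accepts_proxy_protocol else stream
    if looks_like_tls_handshake(data):
        return "tls-handshake"
    return "rejected: first record does not look like a TLS handshake"


if __name__ == "__main__":
    # Constructed connection: Caddy on :443 forwarding to the inbound on 127.0.0.1:5443
    wire = proxy_v2_header("203.0.113.5", 51234, "127.0.0.1", 5443) + CLIENT_HELLO_STUB
    print("xray-core, acceptProxyProtocol=true :", classify(wire, True))
    print("sing-box, no PROXY support           :", classify(wire, False))
    print("Caddy without proxy_protocol          :", classify(CLIENT_HELLO_STUB, False))
```

The third line of the output corresponds to the fix in the thread: with `proxy_protocol` removed from the Caddy layer4 route, the stream that reaches sing-box starts with the TLS record itself, and REALITY can process the handshake.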