XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

persistent tls with xray-core? #2175

Closed lostsoul6 closed 5 months ago

lostsoul6 commented 1 year ago

Hello Friends,

I currently use Vless + WS + Cloudflare and my SNI keeps getting blocked by GFW although I'm the only one using the server. I read somewhere that using WS, hundreds of connections are created even for 1 client and each connection exposes SNI to GFW.

I'm not familiar with how xray-core works, but is there a way that we can make TLS persistent so only the handshake exposes the SNI once and the rest of the connection works with that 1 TLS handshake?

us254 commented 1 year ago

It is recommended to use an NGINX reverse proxy along with a camouflage website in conjunction with the VLESS, WebSocket, and TLS protocols.

And, include "?ed=2048" in the path in [WebSocket].

RPRX commented 1 year ago

Use gRPC

lostsoul6 commented 1 year ago

@us254 thanks for the information. I will do some research on session_ticket to see if I can implement it in my setup.

@RPRX Vless + gRPC + TLS + Cloudflare is what I need? This setup will only expose SNI once during the TLS handshake? I read somewhere that alpn=h2 also helps. Can you verify this?

RPRX commented 1 year ago

Just use gRPC, and do not change alpn manually.

RPRX commented 1 year ago

The problem with WSS has already been discussed: https://github.com/XTLS/Xray-core/issues/1750#issuecomment-1459469821. Right now Iran's GFW also targets the number of connections; China's GFW has not targeted this yet, probably because the collateral damage would be a bit high.

@yuhan6665 We need to mark WSS as risky and deprecated in the docs, in the templates, and where Xray loads its configuration, to stop newcomers from setting it up as their first configuration.

WSS used to be a fairly popular and stable (unblocked) mode, but since the end of last year it has become a high-risk mode, and it is not without alternatives. Later we will also write up the pros and cons of some other common combinations: the degree of obfuscation such as padding, performance, latency, multiplexing, whether there is forward secrecy, whether the GFW reliably identifies and blocks them, and so on.

lostsoul6 commented 1 year ago

@RPRX yes, the Iran GFW on one of the most popular providers (IR-MCI) blocks the SNI after a few days when using WS because of the number of times the SNI is exposed to GFW while using WS. Now that you have suggested gRPC, I will check it, but I heard that they also find the servers using gRPC and block them; I haven't tested it myself.

Just to know, can GFW figure out if I'm using WS or gRPC, or can it only see the high number of SNIs exposed? In GFW's eyes, is the WS traffic different from gRPC traffic in anything other than the number of TLS handshakes? What I want to know is whether they can block gRPC traffic without hurting the internet experience for everyone.

RPRX commented 1 year ago

> In GFW's eyes, is the WS traffic different from gRPC traffic in anything other than the number of TLS handshakes?

ALPN

vahidx4r4x commented 1 year ago

> > In GFW's eyes, is the WS traffic different from gRPC traffic in anything other than the number of TLS handshakes?
> 
> ALPN

So to solve this problem we should use ALPN. But which one? http/1.1 or h2? What about Reality gRPC?

Thanks

us254 commented 1 year ago

As for the choice between ALPN http/1.1 and h2, it's recommended not to manually change the ALPN. The specific ALPN negotiation will depend on the configuration and capabilities of your server and client. You can let the gRPC implementation handle the ALPN negotiation automatically.

chika0801 commented 1 year ago

> @RPRX yes, the Iran GFW on one of the most popular providers (IR-MCI) blocks the SNI after a few days when using WS because of the number of times the SNI is exposed to GFW while using WS. Now that you have suggested gRPC, I will check it, but I heard that they also find the servers using gRPC and block them; I haven't tested it myself.
> 
> Just to know, can GFW figure out if I'm using WS or gRPC, or can it only see the high number of SNIs exposed? In GFW's eyes, is the WS traffic different from gRPC traffic in anything other than the number of TLS handshakes? What I want to know is whether they can block gRPC traffic without hurting the internet experience for everyone.

https://github.com/XTLS/Xray-core/issues/1750#issuecomment-1459340564

https://github.com/XTLS/Xray-core/issues/1750#issuecomment-1459469821

From the experience in China, using the WS TLS combination configuration can be easily detected, and the Chinese firewall will block the ports on your server side, but usually not the server's IP. It is necessary to frequently change the port number in your server configuration after it gets blocked. Even when using a free CDN service like Cloudflare, interference from the firewall on Cloudflare's CDN IP is still common.

According to the author's viewpoint in the linked article, the author (RPRX) now recommends using the xxx gRPC TLS combination configuration together with Cloudflare's CDN. You can try the combination approach suggested by the author.

For this combination approach, I personally use nginx to listen on port 443. You can configure gRPC using Xray/sing-box as the backend. Here is an example configuration for sing-box that you can refer to: https://github.com/chika0801/sing-box-examples/tree/main/VMess.
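As an added illustration of the layout chika0801 describes (nginx terminating TLS on 443, a camouflage site for ordinary requests, and gRPC forwarded to an Xray backend), here is an example nginx server block. It is not from the thread, from chika0801's repository, or from the Xray project; the hostname, certificate paths, backend port 2003 and the serviceName "grpc" are assumptions, and the `/<serviceName>/Tun` path is the method path the Xray gRPC transport is expected to use.

```nginx
# Added example, not the project's own config. Assumes an Xray inbound with
# streamSettings.network = "grpc" and grpcSettings.serviceName = "grpc",
# listening in plaintext on 127.0.0.1:2003; TLS is handled here by nginx.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;            # assumption: your own domain

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Camouflage website: every request that is not the gRPC service path
    # is answered like a normal static site.
    root  /var/www/html;
    index index.html;

    # Xray's gRPC transport talks to /<serviceName>/Tun over HTTP/2.
    # Only requests that really carry gRPC content are forwarded; anything
    # else on this path is answered with a plain 404 from the camouflage site.
    location /grpc/Tun {
        if ($content_type !~ "application/grpc") {
            return 404;
        }
        client_max_body_size    0;      # gRPC streams have no fixed body size
        client_body_buffer_size 512k;
        # Long-lived tunnel streams: raise the timeouts well above the defaults
        # so idle tunnels are not torn down by nginx every 60 seconds.
        client_body_timeout     1h;
        grpc_read_timeout       1h;
        grpc_send_timeout       1h;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_pass grpc://127.0.0.1:2003;
    }
}
```

With TLS terminated by nginx, the client's single HTTP/2 connection carries all tunnelled streams, so the SNI appears only in that one ClientHello rather than once per WebSocket connection.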