XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

VLESS fallback fails, firstLen = 0, causing authentication to fail? #2874

Closed MelodyUSA closed 1 month ago

MelodyUSA commented 6 months ago

The problem is as follows. I configured VLESS fallback on the server, listening on port 443, falling back respectively to a ws inbound and to an nginx camouflage website; nginx forwards gRPC traffic to the gRPC inbound. I don't know why the fallback always fails: the ws request sent from the client shows firstLen = 0 on the server side (that is the first-packet length, right?). First-packet authentication fails and no path is matched either, so neither ws nor gRPC can fall back properly.

The domain for the certificate is a second-level domain from cloudns.net, hosted on Cloudflare for DNS resolution.

My own skill is limited, and after a round of searching I really can't find what could cause this. Logs and configuration are below; I hope some kind expert can help me out.

Server log

 [Debug] app/log: Logger started
 [Info] app/dns: DNS: created localhost client
 [Debug] app/router: MphDomainMatcher is enabled for 2 domain rule(s)
 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:443
 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:9527
 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:9528
 [Info] transport/internet/tcp: listening TCP on 0.0.0.0:443
 [Info] transport/internet/websocket: listening TCP(for WS) on 127.0.0.1:9527
 [Warning] transport/internet/websocket: accepting PROXY protocol
 [Warning] core: Xray 1.8.6 started
 [Debug] transport/internet/grpc: gRPC listen for service name `pathgrpc` tun `Tun` multi tun `TunMulti`
 [Info] [3717320926] proxy/vless/inbound: firstLen = 0
 [Info] [3717320926] proxy/vless/inbound: fallback starts > proxy/vless/inbound: fallback directly
 [Info] [3717320926] proxy/vless/inbound: realName = my.second.level.domain
 [Info] [3717320926] proxy/vless/inbound: realAlpn = 
 [Info] [3717320926] app/proxyman/inbound: connection ends > proxy/vless/inbound: fallback ends > proxy/vless/inbound: failed to fallback request payload > write tcp [remoteip]:443->[myip]:24624: write: connection reset by peer

VLESS inbound

{
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "tag": "VLESSTCP",
      "settings": {
        "clients": [
          {
            "id": "my-uuid",
            "flow": "xtls-rprx-vision",
            "email": "tt@zz.com"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": 31300,     // nginx listens here, port of the camouflage website
            "xver": 0
          },
          {
            "alpn": "h2",      // nginx listens here, forwards gRPC
            "dest": 31301,
            "xver": 0
          },
          {
            "path": "/wspath",
            "dest": 9527,
            "xver": 1
          }
        ]
      },
      "add": "my.second.level.domain",
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "rejectUnknownSni": true,
          "minVersion": "1.2",
          "certificates": [
            {
              "certificateFile": "/path/to/tls/my.second.level.domain.crt",
              "keyFile": "/path/to/tls/my.second.level.domain.key",
              "ocspStapling": 3600
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ]
}

nginx configuration

server {
    listen 127.0.0.1:31300;
    server_name _;
    return 403;
}
server {
    listen 127.0.0.1:31301 so_keepalive=on;
    http2 on;
    server_name my.second.level.domain;
    root /usr/share/nginx/html/;
    location ~ ^/s/(clashMeta|default|clashMetaProfiles)/(.*) {
        default_type 'text/plain; charset=utf-8';
        alias /path/to/subscribe/$1/$2;
    }
    location /pathgrpc {
        client_max_body_size 0;
        keepalive_requests 4294967296;
        client_body_timeout 1071906480m;
        send_timeout 1071906480m;
        lingering_close always;
        grpc_read_timeout 1071906480m;
        grpc_send_timeout 1071906480m;
        grpc_pass grpc://127.0.0.1:9528;
    }
}
server {
    listen 127.0.0.1:31300;
    server_name my.second.level.domain;
    root /usr/share/nginx/html/;
    location ~ ^/s/(clashMeta|default|clashMetaProfiles)/(.*) {
        default_type 'text/plain; charset=utf-8';
        alias /path/to/subscribe/$1/$2;
    }
    location / {
    }
}

VLESS+WS inbound

{
  "inbounds": [
    {
      "port": 9527,
      "listen": "127.0.0.1",
      "protocol": "vless",
      "tag": "VLESSWS",
      "settings": {
        "clients": [
          {
            "id": "my-uuid",
            "email": "tt@zz.com"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "ws",
        "security": "none",
        "wsSettings": {
          "acceptProxyProtocol": true,
          "path": "/wspath"
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ]
}

VLESS-gRPC inbound

{
  "inbounds": [
    {
      "port": 9528,
      "listen": "127.0.0.1",
      "protocol": "vless",
      "tag": "VLESSGRPC",
      "settings": {
        "clients": [
          {
            "id": "my-uuid",
            "email": "tt@zz.com"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "grpc",
        "grpcSettings": {
          "serviceName": "pathgrpc"
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ]
}

Because the VPS provider's route is ordinary, browsing during peak evening hours is very laggy and the speed of a direct connection is poor. So I need a configuration that can go through a CDN, picking a batch of CF IPs and load-balancing them in the clash client to speed things up.
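To make the log lines above easier to read against the fallback list in the VLESS inbound, here is a small model of how a fallback destination is chosen. It is an added example written for this page, not Xray's own code: it assumes the documented matching order (SNI name, then ALPN, then HTTP path, each dropping to the empty-string default when there is no match), assumes exact path matching, and uses the `dest` values copied from the issue's configuration. The first packets below are constructed sample input.

```python
"""Model of VLESS fallback selection (added example; simplified, not Xray's implementation)."""

# Fallback rules copied from the issue's VLESS inbound (xver omitted, it only
# controls the PROXY protocol header sent to the destination).
FALLBACKS = [
    {"dest": 31300},                    # default: no alpn, no path -> nginx camouflage site
    {"alpn": "h2", "dest": 31301},      # HTTP/2 (gRPC) -> nginx, which proxies to 9528
    {"path": "/wspath", "dest": 9527},  # WebSocket request line -> VLESS+WS inbound
]

# Constructed first packets as they would look after TLS decryption.
WS_REQUEST = b"GET /wspath HTTP/1.1\r\nHost: my.second.level.domain\r\nUpgrade: websocket\r\n\r\n"
OTHER_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: my.second.level.domain\r\n\r\n"
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def build_table(fallbacks):
    """Index rules as name -> alpn -> path -> dest; '' is the wildcard at every level."""
    table = {}
    for fb in fallbacks:
        name, alpn, path = fb.get("name", ""), fb.get("alpn", ""), fb.get("path", "")
        if path and not path.startswith("/"):
            raise ValueError("a fallback path must start with '/'")
        table.setdefault(name, {}).setdefault(alpn, {})[path] = fb["dest"]
    return table


def request_path(first_packet: bytes) -> str:
    """Return the request-target of an HTTP/1.x request line, or '' if there is none."""
    line, _, _ = first_packet.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1.") or not parts[1].startswith(b"/"):
        return ""
    return parts[1].decode("ascii", "replace")


def select_fallback(table, first_packet: bytes, sni: str = "", alpn: str = ""):
    """Return (dest, reason). firstLen == 0 can never satisfy a path rule."""
    name = sni if sni in table else ""
    apfb = table.get(name)
    if apfb is None:
        return None, "no fallback configured for this SNI"
    alpn = alpn if alpn in apfb else ""
    pfb = apfb.get(alpn)
    if pfb is None:
        return None, "no fallback configured for this ALPN"
    if len(first_packet) == 0:
        # Nothing arrived inside TLS: there is no UUID to authenticate and no
        # request line to take a path from, so only the path-less rule can apply.
        return pfb.get(""), "firstLen = 0: fallback directly"
    path = request_path(first_packet)
    if path and path in pfb:
        return pfb[path], f"matched path {path}"
    return pfb.get(""), "no path rule matched: default for this ALPN"


def demo():
    """Run the issue's rules against the constructed packets; returns {label: dest}."""
    table = build_table(FALLBACKS)
    cases = {
        "empty first packet (the log in the issue)": (b"", ""),
        "websocket request to /wspath": (WS_REQUEST, ""),
        "h2 preface with alpn h2": (H2_PREFACE, "h2"),
        "plain page request": (OTHER_REQUEST, ""),
    }
    results = {}
    for label, (packet, alpn) in cases.items():
        dest, reason = select_fallback(table, packet, alpn=alpn)
        results[label] = dest
        print(f"{label}: dest={dest} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

Running it shows that an empty first packet goes straight to port 31300, which is exactly the "fallback directly" line in the log: the `path` rule for 9527 is unreachable until the server actually receives bytes after the handshake, so the WebSocket inbound is never the problem in that situation.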

MichaelWei7 commented 3 months ago

I ran into the same problem: testing on the local LAN works, but once deployed to a public server it doesn't.

wtfr-dot commented 2 months ago

If you go through a CDN, don't use flow control (flow).

RPRX commented 1 month ago

The description has a problem: with "firstLen = 0" it falls back directly to Nginx, and according to the configuration you describe Nginx forwards to gRPC, so at the very least gRPC would not be unusable.

"firstLen = 0" together with the proxy being unusable can only mean that the Xray server received no valid data at all inside TLS.