search

XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0
25.57k stars 3.95k forks source link

vless-grpc + nginx setup produce lots of error #3246

Closed s-yakubovskiy closed 7 months ago

s-yakubovskiy commented 7 months ago

Hello, I've faced couple of problems with my current setup. On my vps I am running nginx (configuration is below). The idea was to use cloudflare cdn/grpc (but errors with grpc are not related to cloudflare, I've tried the same setup without using cf's cdn grpc).

Any help or ideas are appreciate :)

Here is my server side config.json:

{
  "log": {
    "loglevel": "debug",
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log"
  },
  "api": {
    "tag": "api",
    "services": [
      "ReflectionService",
      "HandlerService",
      "LoggerService",
      "StatsService"
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api"
      },
      {
        "type": "field",
        "outboundTag": "blocked",
        "ip": [
          "geoip:private"
        ]
      },
      {
        "type": "field",
        "outboundTag": "block",
        "protocol": [
          "bittorrent"
        ]
      },
      {
        "type": "field",
        "outboundTag": "block",
        "domain": [
          "geosite:category-ads-all"
        ]
      },
      {
        "type": "field",
        "outboundTag": "IPv4",
        "domain": [
          "geosite:google"
        ]
      },
      {
        "type": "field",
        "domain": [
          "geosite:openai",
          "geoip:ru",
          "icanhazip.com",
          "reddit.com"
        ],
        "outboundTag": "WARP"
      }
    ]
  },
  "inbounds": [
    {
      "tag": "api",
      "listen": "127.0.0.1",
      "port": 62789,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1"
      }
    },
    {
      "port": 8443,
      "listen": "127.0.0.1",
      "protocol": "vless",
      "tag": "vless_tls",
      "settings": {
        "clients": [
          {
            "id": "aaa",
            "email": "user1@myserver",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.distortionbyte.com:443",
          "xver": 0,
          "serverNames": [
            "www.distortionbyte.com",
            "distortionbyte.com"
          ],
          "privateKey": "aaa",
          "maxTimeDiff": 0,
          "shortIds": [
            "aaa"
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    },
    {
        "listen": "127.0.0.1",
        "port": 8888,
        "protocol": "vless",
        "tag": "grpc",
        "settings": {
          "clients": [
            {
              "id": "aaa"
            }
          ],
          "decryption": "none"
        },
        "streamSettings": {
          "network": "grpc",
          "grpcSettings": {
            "serviceName": "MarhabteGRPC"
          }
        }
    },
    {
        "listen": "127.0.0.1",
        "port": 8889,
        "protocol": "vless",
        "tag": "ws",
        "settings": {
          "clients": [
            {
              "id": "aaa"
            }
          ],
          "decryption": "none"
        },
        "streamSettings": {
          "network": "ws",
          "wsSettings": {
            "path": "MarhabteWS"
          }
        }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "tag": "IPv4",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      }
    },
    {
      "tag": "WARP",
      "protocol": "socks",
      "settings": {
        "servers": [
          {
            "address": "127.0.0.1",
            "port": 40000
          }
        ]
      }
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}

Client config:

{
  "log": {
    "loglevel": "info"
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "domain": [
          "geosite:category-ads-all"
        ],
        "outboundTag": "block"
      },
      {
        "type": "field",
        "domain": [
          "geosite:category-gov-ru"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain": [
          "ifconfig.me"
        ],
        "outboundTag": "cdn"
      },
      {
        "type": "field",
        "ip": [
          "geoip:ru",
          "geoip:private"
        ],
        "outboundTag": "direct"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 10808,
      "protocol": "socks",
      "settings": {
        "udp": true,
        "auth": "noauth"
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 10809,
      "protocol": "http",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "tag": "cdn",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "cf.example.com",
            "port": 443,
            "users": [
              {
                "id": "aaa",
                "email": "user1@myserver",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "grpc",
        "security": "tls",
        "sockopt": {
          "dialerProxy": "direct",
          "acceptProxyProtocol": true
        },
        "tlsSettings": {
          "serverName": "cf.example.com",
          "allowInsecure": true
        },
        "grpcSettings": {
          "serviceName": "MarhabteGRPC",
          "multiMode": false,
          "idle_timeout": 600,
          "initial_windows_size": 35536,
          "permit_without_stream": true
        }
      }
    },
    {
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIP"
      },
      "streamSettings": {
        "sockopt": {
          "mark": 5
        }
      },
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}

And the final part is nginx configs:

worker_processes auto;
# pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    # multi_accept on;
}

### stream sni proxy for xray
stream {
  map $ssl_preread_server_name $backend {
      www.distortionbyte.com   reality;
      cf.example.coom            local;
      default                  reality;
  }

  upstream reality {
      server 127.0.0.1:8443;
  }

  upstream local {
      server 127.0.0.1:8444;
  }

  upstream nocdn {
      server 127.0.0.1:8445;
  }

  server {
      listen          443 reuseport so_keepalive=on;
      ssl_preread     on;
      proxy_pass      $backend;
  }
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    server_tokens off;

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";

    include /etc/nginx/conf.d/*.conf;
}

server {
    listen 127.0.0.1:8444 ssl http2 so_keepalive=on;

    server_name cf.example.com;

    index index.html;
      root /opt/www/xray;

      ssl_certificate /etc/ssl/certs/cf.crt;
      ssl_certificate_key /etc/ssl/private/cf.key;

      client_header_timeout 52w;
    keepalive_timeout 52w;

    location /MarhabteGRPC {
            if ($content_type !~ "application/grpc") {
                return 404;
            }
            # client_max_body_size 0;
            client_body_buffer_size 1024k;
            grpc_set_header X-Real-IP $remote_addr;
            client_body_timeout 52w;
            grpc_read_timeout 52w;
            grpc_pass grpc://127.0.0.1:8888;
    }
}

Basically, for every request through grpc I've got following output inside of xray's error.log .

==> /var/log/xray/error.log <==
2024/04/08 05:05:10 [Info] [1467965021] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > transport/internet/grpc/encoding: failed to fetch hunk from gRPC tunnel > rpc error: code = Canceled desc = context canceled

And it doesn't matter if I use cloudflare cdn or going directly to my vps nginx. The error is the same. Also to mention, even though I have those errors the proxy is working fine as for me (at least I can connect and open websites, etc).

Fangliding commented 7 months ago

just ignore it if it works fine :) ()