Closed iamtrazy closed 2 weeks ago
mmmray
commented
2 weeks ago I can't make sense of the logs, but I see that you are proxy_pass-ing /xray to the server, but the server expects / as path.
Can you add an extra slash to nginx?
location /xray {
proxy_pass http://127.0.0.1:17773/;
}Or change xray server path to /xray
iamtrazy
commented
2 weeks ago will do
I can't make sense of the logs, but I see that you are
proxy_pass-ing/xrayto the server, but the server expects/as path.Can you add an extra slash to nginx?
location /xray { proxy_pass http://127.0.0.1:17773/; }Or change xray server
pathto/xray
will do.
iamtrazy
commented
2 weeks ago [Warning] [2853691353] transport/internet/http: failed to dial to tcp:example.com:443 > Put "https://example.com:443/": http2: Transport: cannot retry err [stream error: stream ID 1; PROTOCOL_ERROR; received from peer] after Request.Body was written; define Request.GetBody to avoid this error
im still getting the error , will do more testing and report. i think problem might be with my configuration.
RPRX
commented
2 weeks ago 是不是变成了 h2c,对了现在 SplitHTTP server 支持 h2c 吗 @mmmray
iamtrazy
commented
2 weeks ago i tried to replicate this on one of my local servers with nginx
below are all my configs for nginx , server and client.
nginx config:
server
{
listen 443 ssl;
root /var/www/default/html;
index index.html index.htm index.nginx-debian.html;
server_name hp-15.local;
ssl_certificate /home/iamtrazy/ssl/nginx-selfsigned.crt;
ssl_certificate_key /home/iamtrazy/ssl/nginx-selfsigned.key;
location /
{
try_files $uri $uri/ =404;
}
location /vrezdxop {
proxy_pass http://127.0.0.1:17773;
}
}
server
{
listen 80;
listen [::]:80;
server_name hp-15.local;
return 302 https://$server_name$request_uri;
}server xray config:
{
"log": {
"loglevel": "debug"
},
"routing": {
"rules": [
{
"port": "443",
"network": "udp",
"outboundTag": "block"
}
]
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 17773,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "6f3a6d39-0990-4b82-a581-4e65a17ec206"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "http",
"splithttpSettings": {
"path": "/vrezdxop"
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls",
"quic"
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
},
{
"protocol": "blackhole",
"tag": "block"
}
]
}client xray_config:
{
"log": {
"loglevel": "warning"
},
"routing": {
"rules": [
{
"ip": [
"geoip:private"
],
"outboundTag": "direct"
}
]
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 10808,
"protocol": "socks"
},
{
"listen": "127.0.0.1",
"port": 10809,
"protocol": "http"
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "hp-15.local",
"port": 443,
"users": [
{
"id": "6f3a6d39-0990-4b82-a581-4e65a17ec206",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "http",
"splithttpSettings": {
"path": "/vrezdxop"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": true,
"serverName": "hp-15.local",
"fingerprint": "chrome"
}
},
"tag": "proxy"
},
{
"protocol": "freedom",
"tag": "direct"
}
]
}client_log :
Xray 1.8.16 (Xray, Penetrates Everything.) 9432a60 (go1.22.4 linux/amd64)
A unified platform for anti-censorship.
2024/06/21 12:23:03 [Info] infra/conf/serial: Reading config: /usr/local/etc/xray/config.json
2024/06/21 12:23:03 [Warning] core: Xray 1.8.16 started
2024/06/21 12:23:05 tcp:127.0.0.1:34270 accepted tcp:whoer.net:443 [proxy]
2024/06/21 12:23:05 [Warning] [1201636950] transport/internet/http: failed to dial to tcp:hp-15.local:443 > Put "https://hp-15.local:443/": transport/internet/http: http2: unexpected ALPN protocol http/1.1; want qh2
2024/06/21 12:23:42 tcp:127.0.0.1:44696 accepted tcp:push.services.mozilla.com:443 [proxy]
2024/06/21 12:23:42 [Warning] [2596877201] transport/internet/http: failed to dial to tcp:hp-15.local:443 > Put "https://hp-15.local:443/": transport/internet/http: http2: unexpected ALPN protocol http/1.1; want qh2
lxhao61
commented
2 weeks ago Nginx 不支持反代 HTTP/2(写法:http 或 h2 都可以) 的传输方式。
iamtrazy
commented
2 weeks ago Nginx 不支持反代 HTTP/2(写法:http 或 h2 都可以) 的传输方式。
yep i think it is due to xray client using http2 instead of http/1.1 with tls . meek works in this way though.
lxhao61
commented
2 weeks ago Nginx 不支持反代 HTTP/2(写法:http 或 h2 都可以) 的传输方式。
yep i think it is due to xray client using http2 instead of http/1.1 with tls . meek works in this way though.
你的 "network": "http" 写错,应该是 "network": "splithttp"。
Fangliding
commented
2 weeks ago
- I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote
《 I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote》
iamtrazy
commented
2 weeks ago Nginx 不支持反代 HTTP/2(写法:http 或 h2 都可以) 的传输方式。
yep i think it is due to xray client using http2 instead of http/1.1 with tls . meek works in this way though.
你的 "network": "http", 写错,应该是 "network": "splithttp"。
okay i didnt knew there was a seprate splithttp network. i will try that
iamtrazy
commented
2 weeks ago Nginx 不支持反代 HTTP/2(写法:http 或 h2 都可以) 的传输方式。
yep i think it is due to xray client using http2 instead of http/1.1 with tls . meek works in this way though.
你的 "network": "http" 写错,应该是 "network": "splithttp"。
with network as "splithttp" a request to path from browser gives OK response
but when connecting using xray client it timesout with server printing below error msg
2024/06/21 09:18:27 [Info] transport/internet/splithttp: failed to upload > strconv.ParseUint: parsing "1089a331-9b32-435c-bdb6-c55e34900e98": invalid syntax
lxhao61
commented
2 weeks ago @iamtrazy 正如 RPRX 大佬所说可能变成了 H2C,而 Nginx 不支持代理 HTTP/2 传输协议,若有可能使用 Caddy(v2) 试试 。versions 配置 成 1.1 h2c
刚重新看了配置指南,发现暂时未支持 H2C。
mmmray
commented
2 weeks ago I got it working, you don't have h2 support enabled in nginx. Here is the full config I use:
In short, http2 on; is required if nginx should terminate SSL. If nginx does not recognize this option in server {}, your nginx needs to be upgraded.
It is also probably a good idea to set proxy_http_version 1.1; just in case nginx decides to send h2c, but I have not found it necessary. It seems in general, nginx requires opting into h2 everywhere all the time, and this causes a lot of trouble.
iamtrazy
commented
2 weeks ago @mmmray so splithttp uses http2 and when nginx terminates ssl it becomes h2c instead of http/1.1 . is this correct ?
lxhao61
commented
2 weeks ago @mmmray Nginx 版本不小于 v1.25.1 才使用 http2 on;开启,版本小于 v1.25.1 是 listen中直接加http2。
mmmray
commented
2 weeks ago By the way, does SplitHTTP server support h2c now?
@RPRX I had to test this, but no, it does not seem to work right now. Too many combinations to try, ~I almost believe http3 should not be added.~
so splithttp uses http2 and when nginx terminates ssl it becomes h2c instead of http/1.1 . is this correct ?
@iamtrazy in your config, the client attempts to talk h2 to the server, but the server does not support h2 at all. it probably responds with http1.1 400 bad request, which the client doesn't understand.
in my config, client talks h2 to nginx successfully, and nginx apparently translates to http/1.1.
Only use Nginx version no less than v1.25.1
~I tested it with 1.26, and I had to add http2 on. Are you saying that there is an nginx version that enables h2 by default?~
~I think if somebody adds this to xray-examples, http2 on; should be added anyway so that old nginx versions are rejected early.~
EDIT: Oh, I think you are saying I should use listen .. http2 for older versions of nginx.
iamtrazy
commented
2 weeks ago @mmmray okay i added
listen 443 ssl http2;
now
client receive 500 bad request:
Xray 1.8.16 (Xray, Penetrates Everything.) 9432a60 (go1.22.4 linux/amd64)
A unified platform for anti-censorship.
2024/06/21 16:06:36 [Info] infra/conf/serial: Reading config: /usr/local/etc/xray/config2.json
2024/06/21 16:06:36 [Debug] app/log: Logger started
2024/06/21 16:06:36 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:10808
2024/06/21 16:06:36 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:10809
2024/06/21 16:06:36 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:10808
2024/06/21 16:06:36 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:10809
2024/06/21 16:06:36 [Warning] core: Xray 1.8.16 started
2024/06/21 16:06:41 [Info] [3838789357] proxy/socks: TCP Connect request to tcp:github.com:443
2024/06/21 16:06:41 [Info] [3838789357] app/dispatcher: default route for tcp:github.com:443
2024/06/21 16:06:41 [Info] [3838789357] transport/internet/splithttp: dialing splithttp to tcp:hp-15.local:443
2024/06/21 16:06:41 tcp:127.0.0.1:47838 accepted tcp:github.com:443 [proxy]
2024/06/21 16:06:41 [Info] [3656145314] proxy/socks: TCP Connect request to tcp:github.com:443
2024/06/21 16:06:41 tcp:127.0.0.1:47842 accepted tcp:github.com:443 [proxy]
2024/06/21 16:06:41 [Info] [3656145314] app/dispatcher: default route for tcp:github.com:443
2024/06/21 16:06:41 [Info] [3656145314] transport/internet/splithttp: dialing splithttp to tcp:hp-15.local:443
2024/06/21 16:06:41 [Info] [2541238212] proxy/socks: TCP Connect request to tcp:github.com:443
2024/06/21 16:06:41 [Info] [2620590992] proxy/socks: TCP Connect request to tcp:github.com:443
2024/06/21 16:06:41 [Info] [2620590992] app/dispatcher: default route for tcp:github.com:443
2024/06/21 16:06:41 [Info] [2541238212] app/dispatcher: default route for tcp:github.com:443
2024/06/21 16:06:41 tcp:127.0.0.1:47852 accepted tcp:github.com:443 [proxy]
2024/06/21 16:06:41 tcp:127.0.0.1:47850 accepted tcp:github.com:443 [proxy]
2024/06/21 16:06:41 [Info] [2620590992] transport/internet/splithttp: dialing splithttp to tcp:hp-15.local:443
2024/06/21 16:06:41 [Info] [2541238212] transport/internet/splithttp: dialing splithttp to tcp:hp-15.local:443
2024/06/21 16:06:41 [Info] [3981411702] proxy/socks: TCP Connect request to tcp:github.com:443
2024/06/21 16:06:41 tcp:127.0.0.1:47860 accepted tcp:github.com:443 [proxy]
2024/06/21 16:06:41 [Info] [3981411702] app/dispatcher: default route for tcp:github.com:443
2024/06/21 16:06:41 [Info] [3981411702] transport/internet/splithttp: dialing splithttp to tcp:hp-15.local:443
2024/06/21 16:06:41 [Debug] transport/internet: dialing to tcp:hp-15.local:443
2024/06/21 16:06:42 [Info] [1893548512] proxy/socks: TCP Connect request to tcp:whoer.net:443
2024/06/21 16:06:42 [Info] [1893548512] app/dispatcher: default route for tcp:whoer.net:443
2024/06/21 16:06:42 tcp:127.0.0.1:47876 accepted tcp:whoer.net:443 [proxy]
2024/06/21 16:06:42 [Info] [1893548512] transport/internet/splithttp: dialing splithttp to tcp:hp-15.local:443
2024/06/21 16:06:42 [Info] [3656145314] proxy/vless/outbound: tunneling request to tcp:github.com:443 via hp-15.local:443
2024/06/21 16:06:42 [Info] [2620590992] proxy/vless/outbound: tunneling request to tcp:github.com:443 via hp-15.local:443
2024/06/21 16:06:42 [Info] [2541238212] proxy/vless/outbound: tunneling request to tcp:github.com:443 via hp-15.local:443
2024/06/21 16:06:42 [Info] [3838789357] proxy/vless/outbound: tunneling request to tcp:github.com:443 via hp-15.local:443
2024/06/21 16:06:42 [Info] [1893548512] proxy/vless/outbound: tunneling request to tcp:whoer.net:443 via hp-15.local:443
2024/06/21 16:06:42 [Info] [3981411702] proxy/vless/outbound: tunneling request to tcp:github.com:443 via hp-15.local:443
2024/06/21 16:06:42 [Info] transport/internet/splithttp: failed to send upload, bad status code:500 Internal Server Error
2024/06/21 16:06:42 [Info] transport/internet/splithttp: failed to send upload, bad status code:500 Internal Server Error
2024/06/21 16:06:42 [Info] transport/internet/splithttp: failed to send upload, bad status code:500 Internal Server Error
2024/06/21 16:06:42 [Info] transport/internet/splithttp: failed to send upload, bad status code:500 Internal Server Error
2024/06/21 16:06:42 [Info] transport/internet/splithttp: failed to send upload, bad status code:500 Internal Server Error
2024/06/21 16:06:42 [Info] transport/internet/splithttp: failed to send upload, bad status code:500 Internal Server Error
2024/06/21 16:07:42 [Info] [3981411702] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to decode response header > proxy/vless/encoding: failed to read response version > stream error: stream ID 7; INTERNAL_ERROR; received from peer
2024/06/21 16:07:42 [Info] [3656145314] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to decode response header > proxy/vless/encoding: failed to read response version > stream error: stream ID 3; INTERNAL_ERROR; received from peer
2024/06/21 16:07:42 [Info] [3838789357] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to decode response header > proxy/vless/encoding: failed to read response version > stream error: stream ID 1; INTERNAL_ERROR; received from peer
2024/06/21 16:07:42 [Info] [2620590992] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to decode response header > proxy/vless/encoding: failed to read response version > stream error: stream ID 5; INTERNAL_ERROR; received from peer
2024/06/21 16:07:42 [Info] [3838789357] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipeserver xray log
Jun 21 16:06:42 HP-15 xray[15489]: 2024/06/21 16:06:42 [Info] transport/internet/splithttp: failed to upload > strconv.ParseUint: parsing "b64dc357-4e99-436a-9d61-9a367eed8733": invalid syntaxmy nginx version on server
nginx version: nginx/1.24.0 (Ubuntu)The config I posted works for me on nginx/1.24.0, when changing http2 on to listen http2. I think there is an issue on your end. I suggest to check nginx access/error logs.
lxhao61
commented
2 weeks ago @iamtrazy 你 nginx 1.24.0 再加上 proxy_redirect off; proxy_http_version 1.1; 试试。
iamtrazy
commented
2 weeks ago nginx conf
server
{
listen 443 http2 ssl;
root /var/www/default/html;
index index.html index.htm index.nginx-debian.html;
server_name hp-15.local;
ssl_certificate /home/iamtrazy/ssl/nginx-selfsigned.crt;
ssl_certificate_key /home/iamtrazy/ssl/nginx-selfsigned.key;
location /
{
try_files $uri $uri/ =404;
}
location /vrezdxop {
proxy_pass http://127.0.0.1:17773;
proxy_http_version 1.1;
proxy_redirect off;
}
}
server
{
listen 80;
listen [::]:80;
server_name hp-15.local;
return 302 https://$server_name$request_uri;
}xray server config.json
{
"log": {
"loglevel": "debug"
},
"routing": {
"rules": [
{
"port": "443",
"network": "udp",
"outboundTag": "block"
}
]
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 17773,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "6f3a6d39-0990-4b82-a581-4e65a17ec206"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "splithttp",
"splithttpSettings": {
"path": "/"
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls",
"quic"
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
},
{
"protocol": "blackhole",
"tag": "block"
}
]
}xray client.json
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 10808,
"protocol": "socks"
},
{
"listen": "127.0.0.1",
"port": 10809,
"protocol": "http"
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "hp-15.local",
"port": 443,
"users": [
{
"id": "6f3a6d39-0990-4b82-a581-4e65a17ec206",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "splithttp",
"splithttpSettings": {
"path": "/vrezdxop"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": true,
"serverName": "hp-15.local",
"fingerprint": "chrome"
}
},
"tag": "proxy"
}
]
}this is the configuration i tried. if i use
listen 443 http2;
instead of
listen 443 http2 ssl;
it will lead to not even show the html page hosted from nginx. dont understand why it wont work.
with ssl also in the nginx conf
xray shows following error
Jun 21 16:06:42 HP-15 xray[15489]: 2024/06/21 16:06:42 [Info] transport/internet/splithttp: failed to upload > strconv.ParseUint: parsing "b64dc357-4e99-436a-9d61-9a367eed8733": invalid syntaxOkay i was stupid, i needed to add
"splithttpSettings": { "path": "/vrezdxop" },
to server config as well , that was the issue
mmmray
commented
2 weeks ago do you mind submitting this setup to xray-examples? somebody will run into these issues again
iamtrazy
commented
2 weeks ago do you mind submitting this setup to xray-examples? somebody will run into these issues again
https://github.com/XTLS/Xray-examples/pull/186
added my configs files and created a pull request. dont know if it is in the correct standards though.
p.s also huge thanks for this feature its much faster than meek.
Integrity requirements
Version
1.8.16
Description
When using nginx as a simple http reverse proxy like below.
xray client is running on port 17773 with split tunneling enabled and using http as stream protocol.
xray client will give below error
failed to dial to tcp:example.com:443 > Put "https://example.com:443/": http2: Transport: cannot retry err [stream error: stream ID 1; PROTOCOL_ERROR; received from peer] after Request.Body was written; define Request.GetBody to avoid this error
Reproduction Method
create a xray server with split tunneling enabled and using stream protocol http
using nginx as ssl enabled reverse proxy with proxy passing to xray server
xray client with TLS + http with split tunneling enabled
Client config
Server config
Client log
Server log