XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

Unable to process parse X-Forwarded-For correctly #3545

Closed MEM-917 closed 1 month ago

MEM-917 commented 1 month ago

After updating to the newest cores and checking logs for haproxy, nginx and xray, although IP entries passed over to xray register for Reality and gRPC, WebSocket doesn't register client IP. For more investigation, I downgraded the core to 1.8.16 and everything works flawlessly. Has anyone else noticed this?

Fangliding commented 1 month ago

Might be a bug. What is "register client ip"? Please follow the issue template.

MEM-917 commented 1 month ago

> What is "register client ip"

Client's real IP. Whether it is behind the CDN or it is the real IP.

In these tests, only the core has been changed and all the configs of nginx and haproxy are the same.

Here is the log of 1.8.18:

2024/07/16 21:27:57 127.0.0.1:15364 accepted tcp:speedtest.us-west-02.lunavi.com.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:57 127.0.0.1:15366 accepted tcp:speedtest.mtc4me.com.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:57 127.0.0.1:15380 accepted tcp:speedtest.ideatek.com:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:57 127.0.0.1:15390 accepted tcp:speedtest.sctelcom.com.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:57 127.0.0.1:15410 accepted tcp:speedtest.us-la.kamatera.com.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:57 127.0.0.1:15394 accepted tcp:speedtest.rd.ks.cox.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:57 127.0.0.1:15422 accepted tcp:speedtest-wichita.kanren.net.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:57 127.0.0.1:15430 accepted tcp:speedtest2.ideatek.com:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:57 127.0.0.1:15434 accepted tcp:speedtest.homecomminc.com.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:27:58 127.0.0.1:15458 accepted tcp:clients4.google.com:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIREC

And here is the log of 1.8.16:

2024/07/16 21:37:33 86.57...:0 accepted tcp:www.speedtest.net:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:33 86.57...:0 accepted tcp:i.pcmag.com:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:33 86.57...:0 accepted tcp:i.pcmag.com:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:33 86.57...:0 accepted tcp:i.pcmag.com:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:33 86.57...:0 accepted tcp:i.pcmag.com:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:33 86.57...:0 accepted tcp:i.pcmag.com:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:33 86.57...:0 accepted tcp:i.pcmag.com:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:33 86.57...:0 accepted tcp:www.speedtest.net:443 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:34 127.0.0.1:16244 accepted tcp:127.0.0.1:0 [api -> api]
2024/07/16 21:37:35 86.57...:0 accepted tcp:speedtest.mtc4me.com.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:36 86.57...:0 accepted tcp:speedtest.homecomminc.com.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:36 86.57...:0 accepted tcp:speedtest.rd.ks.cox.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT
2024/07/16 21:37:37 86.57...:0 accepted tcp:speedtest.us-west-02.lunavi.com.prod.hosts.ooklaserver.net:8080 [inbound-127.0.0.1:2090 >> direct] email: M.DIRECT

Fangliding commented 1 month ago

What are you using to pass source ip, proxy protocol or X-Forwarded-For?

MEM-917 commented 1 month ago

> What are you using to pass source ip, proxy protocol or X-Forwarded-For?

I use X-Forwarded-For because by using "proxy_protocol", the real IP of the client behind CF CDN can't be obtained with gRPC protocol.

Fangliding commented 1 month ago

It seems that a small change in WS has broken it; we will fix it.

Fangliding commented 1 month ago

Try https://github.com/XTLS/Xray-core/actions/runs/9967617597 ?

MEM-917 commented 1 month ago

Thanks, I'll try it now and will let you know.

EDIT: It works like a charm. Thanks, man.
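
A post-upgrade check for the symptom shown in the two logs above, as an added example that is not part of the thread or of Xray-core: it scans access-log lines of the quoted shape and lists inbounds whose every accepted connection carries a loopback source, which is what the 1.8.18 log shows when the forwarded client address is not applied. The sample lines, the `user-a`/`user-b` labels and the second inbound tag are constructed; a flagged inbound is a prompt to review the proxy chain, since genuinely local clients also produce loopback sources.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"sort"
	"strings"
)

// Access-log shape quoted in the thread:
// <date> <time> <src> accepted <dest> [<inbound> >> <outbound>] ...
var lineRE = regexp.MustCompile(`^\S+ \S+ (\S+) accepted \S+ \[(\S+) >> \S+\]`)

// Constructed sample lines (203.0.113.7 is a documentation address).
const sampleLog = `2024/07/16 21:27:57 127.0.0.1:15364 accepted tcp:example.com:443 [inbound-127.0.0.1:2090 >> direct] email: user-a
2024/07/16 21:27:58 127.0.0.1:15366 accepted tcp:example.org:443 [inbound-127.0.0.1:2090 >> direct] email: user-a
2024/07/16 21:27:58 203.0.113.7:0 accepted tcp:example.net:443 [inbound-127.0.0.1:2091 >> direct] email: user-b
2024/07/16 21:27:59 127.0.0.1:16244 accepted tcp:127.0.0.1:0 [api -> api]`

// LoopbackOnly returns the inbounds whose every accepted connection was
// logged with a loopback source, the pattern the 1.8.18 log shows.
func LoopbackOnly(log string) []string {
	sawRemote := map[string]bool{} // inbound tag -> any non-loopback source seen
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue // not a ">>" routed line, e.g. the "[api -> api]" entry
		}
		src, err := netip.ParseAddrPort(m[1])
		if err != nil {
			continue // redacted or unparsable source field
		}
		sawRemote[m[2]] = sawRemote[m[2]] || !src.Addr().IsLoopback()
	}
	var tags []string
	for tag, remote := range sawRemote {
		if !remote {
			tags = append(tags, tag)
		}
	}
	sort.Strings(tags)
	return tags
}

func main() { fmt.Println(LoopbackOnly(sampleLog)) }
```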