chika0801 / Xray-examples

Xray configuration examples
https://github.com/XTLS/Xray-core

getting (110: Connection timed out) while reading PROXY protocol on steal yourself #3

Closed arminmacx closed 1 year ago

arminmacx commented 1 year ago

Hi,

After I configured my server based on your "Steal yourself" config, when I run xray and check the logs on nginx and xray I get this error: *1 client timed out (110: Connection timed out) while reading PROXY protocol, client: 127.0.0.1, server: 127.0.0.1:8001, and on xray I get this: transport/internet/tcp: REALITY: failed to dial dest: dial tcp 127.0.0.1:8001: connect: connection refused

I checked that port 8001 is not in use, and I already tried different ports but still got the same error.

By the way, I see http2 needs to be added as http2 on; instead of adding http2 in the listen section.

My server config:

{
    "log": {
        "loglevel": "debug",
        "error": "/var/log/xray/error.log",
        "access": "/var/log/xray/access.log"
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:ir",
                    "geoip:private"
                ],
                "outboundTag": "block"
            },
            {
                "type": "field",
                "domain": [
                             "geosite:category-ir",
                             "geosite:category-bank-ir",
                             "geosite:category-gov-ir",
                             "geosite:category-insurance-ir",
                             "geosite:category-media-ir",
                             "geosite:category-news-ir",
                             "geosite:category-payment-ir",
                             "geosite:category-scholar-ir",
                             "geosite:category-shopping-ir",
                             "geosite:category-tech-ir",
                             "geosite:category-travel-ir",
                             "geosite:category-bourse-ir",
                             "geosite:category-education-ir"
                 ],
                 "outboundTag": "block"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "7c8b2381-3cf6-42e9-b193-bfb8efc14b0f",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "show": false,
                    "dest": "8001",
                    "xver":0,
                    "serverNames": [
                        "MY OWN DOMAIN"
                    ],
                    "privateKey": "MY OWN PRIVATE KEY",
                    "minClientVer": "1.8.0",
                    "maxClientVer":"",
//                    "maxTimeDiff":0,
                    "shortIds": [ 
                        "517c28b4bec7ed28"
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls",
                    "quic"
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "tag": "block"
        }
    ],
    "policy": {
        "levels": {
            "0": {
                "handshake": 2,
                "connIdle": 120
            }
        }
    }
}

nginx config:

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format main '[$time_local] $proxy_protocol_addr "$http_referer" "$http_user_agent"';
    access_log /var/log/nginx/access.log main;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ""      close;
    }

    map $proxy_protocol_addr $proxy_forwarded_elem {
        ~^[0-9.]+$        "for=$proxy_protocol_addr";
        ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
        default           "for=unknown";
    }

    map $http_forwarded $proxy_add_forwarded {
        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
        default "$proxy_forwarded_elem";
    }

#    server {
#        listen 80;
#        listen [::]:80;
#        return 301 https://$host$request_uri;
#    }

    server {
        listen                  127.0.0.1:8001 ssl default_server;

        ssl_reject_handshake    on;

        ssl_session_timeout     1h;
        ssl_session_cache       shared:SSL:10m;

        ssl_early_data          on;
    }

    server {
        listen                     127.0.0.1:8001 ssl proxy_protocol;
        http2                      on;
        set_real_ip_from           127.0.0.1;
        real_ip_header             proxy_protocol;

        server_name                MY OWN DOMAIN;

        ssl_certificate            /etc/ssl/private/fullchain.cer;
        ssl_certificate_key        /etc/ssl/private/private.key;

        ssl_protocols              TLSv1.2 TLSv1.3;
        ssl_ciphers                TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;

        ssl_session_tickets        on;

        ssl_stapling               on;
        ssl_stapling_verify        on;
        resolver                   1.1.1.1 valid=60s;
        resolver_timeout           2s;

        location / {
            sub_filter                            $proxy_host $host;
            sub_filter_once                       off;

            set $website                          www.samsung.com;
            proxy_pass                            https://$website;
            resolver                              1.1.1.1;

            proxy_set_header Host                 $proxy_host;

            proxy_http_version                    1.1;
            proxy_cache_bypass                    $http_upgrade;

            proxy_ssl_server_name                 on;

            proxy_set_header Upgrade              $http_upgrade;
            proxy_set_header Connection           $connection_upgrade;
            proxy_set_header X-Real-IP            $proxy_protocol_addr;
            proxy_set_header Forwarded            $proxy_add_forwarded;
            proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto    $scheme;
            proxy_set_header X-Forwarded-Host     $host;
            proxy_set_header X-Forwarded-Port     $server_port;

            proxy_connect_timeout                 60s;
            proxy_send_timeout                    60s;
            proxy_read_timeout                    60s;

            proxy_set_header Early-Data           $ssl_early_data;
        }
    }
}
chika0801 commented 1 year ago

"xver":0,

You are using 0 for this parameter; if you use 0 you need to remove this part of the nginx configuration:

    listen                     127.0.0.1:8001 ssl proxy_protocol;

proxy_protocol;

Remove this parameter, or set xver to 1 and use this parameter, which serves to enable nginx to log the visitor's IP address for normal access to your domain name. If you use 0 for xver and don't use this parameter in nginx, the visitor's IP address will be 127.0.0.1 in the logs.

xver 1 must be paired with proxy_protocol.

xver 0 must not add proxy_protocol.

Otherwise xray and nginx access will fail.

http2 on;

This way of writing requires NGINX version 1.25 or later. I use this way myself; the example uses the previous way of writing. When starting nginx, nginx will prompt you about it.

I've looked at the rest of your XRAY and NGINX configurations and they should be fine; modify them and test.

Or you refer to my configuration.
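As an added example (not from this thread or the chika0801 repo), a small Python check for the xver / proxy_protocol rule above: it reads the REALITY dest and xver from an Xray config, finds the nginx listen for that port, and flags the mismatch that produces the "while reading PROXY protocol" timeout. The embedded configs are constructed placeholders shaped like the ones in this issue.

```python
import json
import re

# Constructed sample: one Xray REALITY inbound with "xver": 0 and dest 8001,
# including a //-comment line of the kind Xray tolerates in its JSON.
XRAY_CONFIG = """{
  "inbounds": [{"port": 443, "protocol": "vless", "streamSettings": {
    "security": "reality",
    "realitySettings": {"dest": "8001", "xver": 0,
//    "maxTimeDiff": 0,
      "shortIds": ["517c28b4bec7ed28"]}}}]}"""

# Constructed sample: the nginx listen line from the thread, with proxy_protocol.
NGINX_CONF = """server {
    listen 127.0.0.1:8001 ssl proxy_protocol;
    http2  on;
}"""

def strip_json_comments(text):
    """Drop //-line comments, which Xray accepts but json.loads rejects."""
    return "\n".join(re.sub(r"^\s*//.*$", "", ln) for ln in text.splitlines())

def reality_inbounds(xray_json):
    """Return [(dest_port, xver)] for every REALITY inbound in an Xray config."""
    out = []
    for ib in json.loads(strip_json_comments(xray_json)).get("inbounds", []):
        ss = ib.get("streamSettings", {})
        if ss.get("security") == "reality":
            rs = ss["realitySettings"]
            port = str(rs["dest"]).rsplit(":", 1)[-1]  # "8001" or "host:8001"
            out.append((int(port), int(rs.get("xver", 0))))
    return out

def listen_has_proxy_protocol(nginx_conf, port):
    """True/False if any nginx listen on `port` carries proxy_protocol; None if no listen."""
    pat = re.compile(r"^\s*listen\s+(?:[\w.\[\]:]*:)?%d\b([^;]*);" % port, re.M)
    opts = [m.group(1).split() for m in pat.finditer(nginx_conf)]
    return None if not opts else any("proxy_protocol" in o for o in opts)

def check_xver(xray_json, nginx_conf):
    """List mismatches; an empty list means xver and proxy_protocol agree."""
    findings = []
    for port, xver in reality_inbounds(xray_json):
        pp = listen_has_proxy_protocol(nginx_conf, port)
        if pp is None:
            findings.append("no nginx listen on port %d (Xray dest)" % port)
        elif xver == 0 and pp:
            findings.append("xver 0 but nginx :%d has proxy_protocol" % port)
        elif xver == 1 and not pp:
            findings.append("xver 1 but nginx :%d lacks proxy_protocol" % port)
    return findings
```

Run `check_xver(XRAY_CONFIG, NGINX_CONF)` on the samples to see the xver-0-with-proxy_protocol finding; point it at your own files to check a real deployment.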

arminmacx commented 1 year ago

Yes, I forgot to change "xver" back to one after I was trying to test whether it might be having an issue on that part.

And something else: now my client is connected but it's not working; I can ping my VPS IP.

I get this:

client timed out (110: Connection timed out) while SSL handshaking, client: 127.0.0.1, server: 127.0.0.1:8001

and on xray:

2023/09/24 13:02:16 [Info] transport/internet/tcp: REALITY: processed invalid connection

Do you have any idea why it's not working?

chika0801 commented 1 year ago

I have a few test ideas:

Let's say you've purchased a domain name from a website that resolves your domain name "MY OWN DOMAIN" to the IP address of your VPS. The resolution is already working. If you type your domain name into your browser, it should show you the content of the reverse proxy site in your nginx configuration.

If this is normal, it means that the dest-to-nginx part of the xray configuration is correct.

If it is normal but the client still cannot connect to the server, check several corresponding parameters in Xray's client and server configuration:

Whether the generated public key and private key correspond and are filled in correctly.

Whether the short ID corresponds (is the same).

If the address in the client configuration is filled in with the IP of the VPS, whether the service name is correctly written as your domain name.

I guess you may be using non-Xray-core files on the client side; it is recommended that you don't use these 2 parameters:

"minClientVer": "1.8.0", "maxClientVer": ""

This avoids some problems whose cause you don't know.

"maxTimeDiff":0, This parameter is usually left out, or written with 0; both mean it is not enabled by default, and I never use it.

arminmacx commented 1 year ago

OK, I recreated another VPS with a new IP, set up normal nginx, and pointed my domain to my VPS IP, and everything works without any problem.

But after I set up my xray based on your config and nginx based on your config, again I got

REALITY: processed invalid connection

from xray, and this time a new error along with the old error from nginx:

client sent frame with unknown type 32 while processing HTTP/2 connection, client: 127.0.0.1, server: 127.0.0.1:8001
client timed out (110: Connection timed out) while processing HTTP/2 connection, client: 127.0.0.1, server: 127.0.0.1:8001
client timed out (110: Connection timed out) while SSL handshaking, client: 127.0.0.1, server: 127.0.0.1:8001

I removed those sections as you recommended. I put my IP address in my client side and got the same error, then put my domain name in the client side and still got the same thing.

UUID, shortId, and private and public key are correct in their places in my configs.

chika0801 commented 1 year ago

What you mean is that after you change your own configuration, the client can access those proxied websites normally, right?

But you can't get the client to connect with my configuration. If that's the case, and you have also checked those REALITY factors (possible causes), I can't give any suggestion. You still need to double check it yourself.

S1aanesh commented 1 month ago

Hi! I prepared the same configuration; can someone explain to me how it works? What is this part for?

set $website www.samsung.com;
proxy_pass https://$website;

Judging by what I read about setting up the xray server at the tls-hello stage:

My other question is this: if we disguise ourselves as www.samsung.com, why can't DPI at the packet inspection stage (it sees the domain in our request) check the DNS records, compare them with the IP in our request, see that the IP in our request is different from the IP for the www.samsung.com domain (from external DNS), and block?

chika0801 commented 1 month ago
> Judging by what I read about setting up the xray server at the tls-hello stage:
>
> when receiving the correct key, it releases it through itself to the Internet (and encrypts the traffic with its private key?)
> when receiving the wrong key, it forwards requests to the site specified in serverNames (in our case - abstract MY OWN DOMAIN on port 8001)
>
> Then why is [www.samsung.com](http://www.samsung.com/) needed in this configuration at all?

This is a website that the nginx configuration reverse-proxies; it has no real practical purpose. I just use this parameter according to my own preference.

For example, when someone else accesses your domain name and the request reaches your VPS but does not meet REALITY's requirements, nginx has to display corresponding content; in this case it reverse-proxies Samsung's official website.

You could also use the default html page that comes with a fresh nginx install, or some other blog website software, etc. My view is that China's network firewall does not manually review what content these websites display.

So don't worry about it too much; it has no real practical importance.

chika0801 commented 1 month ago
> My other question is this:
> if we disguise ourselves as [www.samsung.com](http://www.samsung.com/), why can't DPI at the packet inspection stage (and it sees the domain in our request) check the DNS records, compare them with the IP in our request, see that the IP in our request is different from the IP for the [www.samsung.com](http://www.samsung.com/) domain (from external DNS) and block

This one question, and the one I replied to above, are 2 different ones as I understand it.

Some other people have asked similar questions in the Chinese community before, and I recall that one of them was about the dest parameter in the XRAY configuration: for example, filling in the domain name abc.com while we access the IP of our own VPS. In that case, why didn't the firewall compare the IP corresponding to abc.com with the IP of our VPS and block the access through this method?

As for why not, I forgot the exact explanation. It was discussed in the Chinese community, XRAY's tg group, and it seems even the RPRX author answered some of them, but I've forgotten them now.

Also, in the Chinese community, my suggestion is that if you buy your own domain name, you apply for an SSL certificate yourself, and using REALITY in the form of what we call Steal Your Own is a much more recommended type of configuration. I've been using it this way myself.

Translated with DeepL.com (free version)

https://github.com/chika0801/Xray-examples/tree/main/VLESS-Vision-REALITY/steal_oneself