chika0801 / Xray-examples

Xray configuration examples
https://github.com/XTLS/Xray-core

nginx in ws/httpupgrade #34

Closed hawshemi closed 4 months ago

hawshemi commented 4 months ago

Hello

In your examples: https://github.com/chika0801/Xray-examples/tree/main/VLESS-WebSocket_or_HTTPUpgrade-TLS

What are the advantages of using nginx to handle the SSL and Path and then fallback from the xray-core? Is there anything wrong with using xray-core directly to handle SSL and other configurations?

(ps. The main goal is to use Cloudflare CDN for WebSocket protocol)

chika0801 commented 4 months ago

What are the advantages of using nginx to handle the SSL and Path and then fallback from the xray-core? Is there anything wrong with using xray-core directly to handle SSL and other configurations?

This configuration is capable of using cloudflare's CDN service.

As for why it is Nginx listening on port 443 and loading SSL certificates: the reason is that this is how it was used many years ago in the v2ray days, when netizens were working on their configurations.

If Xray listens on port 443 and loads SSL certificates, I haven't tested whether it can be used, and whether it can be used successfully with a CDN; you can try it yourself.

There's no particular reason for doing this, it's just that this is how netizens used to use it, and tutorial articles have been so popular on the web.

Translated with DeepL.com (free version)
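A sketch of the layout the linked examples folder describes (nginx terminating TLS on 443 and forwarding only the proxy path to Xray), added here as an illustration and not the repository's own nginx config; the hostname, the website root and the 127.0.0.1:10000 backend port are assumptions, and the Xray inbound is assumed to listen there with "security": "none" and the same path.

```nginx
# Added illustration, not the repository's config. nginx owns 443 and the
# certificate; Xray listens on plain 127.0.0.1:10000 (assumed) with
# "network": "httpupgrade" (or "ws"), "security": "none" and path /httpupgrade.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;                     # assumed hostname

    ssl_certificate     /etc/ssl/private/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/private.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Everything except the proxy path is served as an ordinary site, so a
    # probe of 443 sees nginx and a normal page, not a bare proxy endpoint.
    root /var/www/html;                          # assumed
    index index.html;

    # Only requests to this path that carry an Upgrade header reach Xray;
    # plain GETs to it get the same 404 as any other missing page.
    location /httpupgrade {
        if ($http_upgrade = "") { return 404; }
        proxy_pass http://127.0.0.1:10000;       # assumed Xray inbound port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr; # otherwise Xray only sees 127.0.0.1
        proxy_read_timeout 300s;
    }
}
```

With Cloudflare in front, $remote_addr is a Cloudflare edge address, so the origin's nginx must be configured to trust Cloudflare's ranges if the real client IP is wanted in logs.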

hawshemi commented 4 months ago

This is a configuration for omitting the need for nginx. I thought Nginx would provide some sort of improvements. (performance or security)

{
  "log": {
    "loglevel": "warning"
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "port": "443",
        "network": "udp",
        "outboundTag": "block"
      }
    ]
  },
  "inbounds": [
    {
      "listen": null,
      "port": 2083,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "flow": "",
            "id": "XXX"
          }
        ],
        "decryption": "none",
        "fallbacks": []
      },
      "sniffing": {
        "destOverride": [
          "http",
          "tls",
          "quic",
          "fakedns"
        ],
        "enabled": true
      },
      "streamSettings": {
        "network": "httpupgrade",
        "security": "tls",
        "tlsSettings": {
          "alpn": [
            "h2",
            "http/1.1"
          ],
          "certificates": [
            {
              "certificateFile": "/etc/ssl/private/fullchain.pem",
              "keyFile": "/etc/ssl/private/private.pem",
              "ocspStapling": 3600
            }
          ],
          "maxVersion": "1.3",
          "minVersion": "1.2",
          "rejectUnknownSni": false,
          "serverName": "XXX"
        },
        "httpupgradeSettings": {
          "acceptProxyProtocol": false,
          "host": "XXX",
          "path": "/httpupgrade?ed=2560"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}

chika0801 commented 4 months ago

I thought Nginx would provide some sort of improvements. (performance or security)

One of the things that has been said in the Chinese community that uses proxies is that there is a TLS fingerprinting problem.

For example, when Xray is used as a server, the TLS fingerprint is go. For example, Caddy's TLS fingerprint is also in go.

But if Nginx listens to 443 and loads SSL certificates, the TLS fingerprint is not go.

https://www.youtube.com/watch?v=F2VsjS6fybs&t=757s

Here's a Chinese video where this guy talks about using proxies. In the second half of the video, starting at 9:13, he demonstrates some methods of TLS fingerprinting.

This is actually not a major vulnerability in Chinese usage circles. This guy's video, what he talks about, is more for traffic (he has to make money himself).

As for your configuration, using Xray to listen on 443 with WS TLS: as I replied earlier, in the Chinese exchange circle, the Chinese tutorials 4 or 5 years ago did not mention using it this way; later, when people thought of using WS TLS, the Chinese tutorials mentioned using Nginx to listen on 443. There is no special meaning.

Translated with DeepL.com (free version)

hawshemi commented 4 months ago

Thanks. So it doesn't matter if the server IP address is behind Cloudflare CDN?

chika0801 commented 4 months ago

So it doesn't matter if the server IP address is behind Cloudflare CDN?

More than 5 years ago, in mainland China, we were still using SS+TCP. At that time, China's firewall carried out a massive blocking of the IPs of the VPS we were using. At this time, people in China thought of saving the VPS that had its IP blocked by the firewall by using VMESS+WS+TLS+CDN. I think a lot of people were using this combo because they didn't want to spend money buying a new VPS again, as a starting point.

And in mainland China, connecting to CF's CDN IP, the speed is not good, so the number of people using CF's CDN or other CDNs in China, is not too many. Here's some history from a couple years ago.

If you are in your country, and you want to protect your VPS's IP from being blocked by your country's firewall, or you don't want to be blocked and spend money on another VPS, then you can use a combination of XXX+WS+TLS+CDN at the beginning. At present, with the XXX+WS+TLS combination in mainland China, ports get blocked; switching to other ports lets you continue using it, and they will continue to be blocked, but due to the TLS, reports of the VPS IP itself being blocked are very few.

Translated with DeepL.com (free version)

hawshemi commented 3 months ago

@chika0801 Thanks. So nginx is good for being in front of xray to handle SSL and other stuff.

But are there any reasons not to put it in this guide? https://github.com/chika0801/Xray-examples/blob/main/VLESS-Vision-TLS/config_server.json#L36

In VLESS-TCP-TLS, Xray handles SSL and then falls back to nginx.

chika0801 commented 3 months ago

But are there any reasons not to put it in this guide?

Because I have not used it in this way; as far as I know, in the Chinese communication circle, such as Xray's Telegram group, Chinese YouTube videos that teach how to build a proxy, or blogs, there are no related videos and articles, so I do not recommend it. This is just my personal habit and opinion.

hawshemi commented 3 months ago

Do you know any example of the nginx being at the front of vless-tls-vision? For handling the SSL/TLS.

chika0801 commented 3 months ago

https://github.com/chika0801/Xray-examples/blob/main/VLESS-Vision-REALITY/nginx_sni_shunting/nginx.conf

The only way I can think of for you to use this combination of protocol configurations with vless-tls-vision, with NGINX in front listening on 443, is the SNI triage method with NGINX.

For the NGINX configuration, refer to this link; the keyword is NGINX SNI shunt. The only benefit I can think of for this form is to have multiple services on your VPS share port 443. This usage, to my knowledge, is not used much.

Translated with DeepL.com (free version)
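The SNI shunting layout mentioned above, as an added illustration rather than the linked nginx.conf: nginx's stream module reads the SNI from the ClientHello without terminating TLS and passes the raw bytes on, so Xray still performs the TLS handshake that Vision needs; hostnames and the 8443/8444 backend ports are assumptions.

```nginx
# Added illustration, not the repository's nginx.conf. The stream module peeks
# at the SNI of the ClientHello (ssl_preread, needs ngx_stream_ssl_preread_module)
# and forwards the untouched TLS stream, so Xray keeps handling TLS itself,
# which is what Vision requires; nginx never holds the Xray certificate here.
stream {
    map $ssl_preread_server_name $backend {
        proxy.example.com   127.0.0.1:8443;   # assumed: Xray VLESS-Vision-TLS inbound
        www.example.com     127.0.0.1:8444;   # assumed: the website's own TLS server
        default             127.0.0.1:8444;   # unknown or missing SNI goes to the site
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;
        proxy_pass $backend;
        # Optional: "proxy_protocol on;" here, with "acceptProxyProtocol": true in
        # the Xray inbound, lets Xray log the real client address; the website
        # backend on 8444 would then have to accept PROXY protocol as well.
    }
}

# The site's own TLS server then lives in the http block on the shunted port, e.g.
# server { listen 127.0.0.1:8444 ssl; server_name www.example.com; ... }
```

Because nginx only routes on the SNI, a client that sends no SNI or an unknown name lands on the website, so the website backend, not Xray, is what an unsolicited scan of 443 reaches.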