Open Hadi-1624 opened 1 year ago
There are some suggestions for Iran in the thread https://github.com/net4people/bbs/issues/217
Hi! @Hadi-1624 I've some tips you can try. But you should also know that the Iranian DPI firewall has blocked some Cloudflare services/IPs, and this is maybe one of your issues.
You should add an outbound CIDR-IP block so your server, which looks like a website, does not initiate connections back to Iran, as "web servers" normally do not do this. Check my json config in my repository.
Also use xtls-rprx-vision as flow (without ,none). Unfortunately, vision does not support websockets as a direct connection.
Configure your clients to use a uTLS fingerprint, like Chrome.
You should NOT point the homepage on your server to Wikipedia. You need to create a fake website, preferably in Persian with Persian text. The Iranian firewall probably has banned some keywords when they active-probe your website.
If you don't want to create a fake website, then point your nginx to load a page from inside Iran: an Iranian website that has an Iranian IP.
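The server-side tips above (outbound block toward Iran, xtls-rprx-vision on the inbound, an nginx decoy reached through fallbacks) written out as one Xray server config. This is an added example, not the config from SasukeFreestyle's repository; the client UUID, the fallback port and the certificate paths are placeholders you replace with your own.

```json
{
  "inbounds": [
    {
      "tag": "vless-in",
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "00000000-0000-0000-0000-000000000000",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          { "dest": 8080 }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h2", "http/1.1"],
          "certificates": [
            {
              "certificateFile": "/path/to/fullchain.pem",
              "keyFile": "/path/to/privkey.pem"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    { "tag": "direct", "protocol": "freedom" },
    { "tag": "block", "protocol": "blackhole" }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      { "type": "field", "ip": ["geoip:ir"], "outboundTag": "block" }
    ]
  }
}
```

The `geoip:ir` rule only affects connections the server itself opens (a real web server has no reason to dial into Iran), while non-VLESS traffic on 443 is handed to the decoy site nginx serves on the fallback port. The matching client-side setting for the uTLS tip is `"fingerprint": "chrome"` under the client's `tlsSettings`.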
I'm currently running my xray server without a CDN. But if you want to use a CDN, follow the steps here:
https://github.com/XTLS/Xray-examples/blob/main/All-in-One-fallbacks-Nginx/nginx.conf
@computerscot I believe that guide won't support websocket, which I use. I'd like to use Cloudflare to protect my server's IP.
@SasukeFreestyle Thanks for your comment. I've paid in advance for my server, and its IP is blocked now by the Iranian firewall, so my only option is Cloudflare now; I'd like to avoid paying for another server if I can. I didn't know about the outbound CIDR-IP block, I will check your manual for it. Which method do you recommend for redirecting to an Iranian page? I've used redirect 302, and my subdomain still got blocked. Thanks
You could use this in your nginx server block configuration. But I highly recommend you create a fake website.

Replace `https://Iranianwebsite.ir` with an Iranian website that has an Iranian IP.

```nginx
location / {
    # root/index are unused once proxy_pass handles this location.
    root /usr/share/nginx/html;
    index index.html index.htm;
    # HSTS header, as a real HTTPS site would send it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Send the upstream host name as SNI so the Iranian site's TLS handshake succeeds.
    proxy_ssl_server_name on;
    # Fetch the decoy page from a site hosted on an Iranian IP.
    proxy_pass https://Iranianwebsite.ir;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```
Check the configurations in https://github.com/XTLS/Xray-examples/blob/main/All-in-One-fallbacks-Nginx/server.json, which uses Vision as its entry point to websockets using fallbacks. I have not tried this, but it might work for you.
As far as I remember, Websocket connection over Cloudflare uses HTTP/1.1 instead of HTTP/2 (h2 TLS ALPN), and thus is distinguishable from the regular web traffic. Maybe this is the mark which is later used for manual validation and block.
Xray supports HTTP/2 as `"network": "h2"` and I believe HTTP/2 is also proxied by Cloudflare.
https://github.com/XTLS/Xray-examples/blob/main/VLESS-H2C-Caddy2/server.json
> As far as I remember, Websocket connection over Cloudflare uses HTTP/1.1 instead of HTTP/2 (h2 TLS ALPN), and thus is distinguishable from the regular web traffic. Maybe this is the mark which is later used for manual validation and block.

hello you mean vless+ws+cdn over h1 is safe? thanks
> you mean vless+ws+cdn over h1 is safe? thanks

However, Golang programs are known to have h2,http/1.1 alpns. If we don't change this default value, when we handshake with CDN edge nodes, we will likely get an HTTP/2 connection instead of HTTP/1 connection. It's known that WebSocket can only be upgraded from HTTP/1, so getting an HTTP/2 connection means no WebSocket available. That's why we need to hardcode http/1.1 into alpn when we are using WebSocket as transport. And when you hardcode http/1.1, this becomes distinguishable from normal Golang network traffic.
> you mean vless+ws+cdn over h1 is safe? thanks

> However, Golang programs are known to have h2,http/1.1 alpns. If we don't change this default value, when we handshake with CDN edge nodes, we will likely get an HTTP/2 connection instead of HTTP/1 connection. It's known that WebSocket can only be upgraded from HTTP/1, so getting an HTTP/2 connection means no WebSocket available. That's why we need to hardcode http/1.1 into alpn when we are using WebSocket as transport. And when you hardcode http/1.1, this becomes distinguishable from normal Golang network traffic.

yes I read that before but couldn't understand the meaning of it 😕
> However, Golang programs are known to have h2,http/1.1 alpns. If we don't change this default value, when we handshake with CDN edge nodes, we will likely get an HTTP/2 connection instead of HTTP/1 connection.

what I get from this is, for example, if I don't put anything in the ALPN of v2rayn vless, it's gonna be h2 when it handshakes with the CDN?

> It's known that WebSocket can only be upgraded from HTTP/1

does that mean if I force H2 in v2rayn, vless will not connect?
thanks ❤️
> does that mean if I force H2 in v2rayn, vless will not connect?
Yes. Cloudflare does not support websocket over h2. https://community.cloudflare.com/t/websocket-over-http-2/436690
> does that mean if I force H2 in v2rayn, vless will not connect?

> Yes. Cloudflare does not support websocket over h2. https://community.cloudflare.com/t/websocket-over-http-2/436690

just put the checkmark of ALPN to h2 in vless and it connected? 😕
Hi there, I've been frustrated and I don't know how to resolve this problem. I use xray to create a vless or trojan WS configuration. Then, I use Cloudflare to connect to port 443 or 2083 on my xray server. In the SNI section, I have to use my subdomain so that Cloudflare can connect to my server. After a day or one week, my subdomain is blocked by the Iranian firewall and I need to add another subdomain, issue a certificate and reconfigure my nginx server again.

- I use nginx so that when my subdomain is visited, a page from Wikipedia is shown
- I've tried vmess, vless and trojan

Could you please help me to find a way to avoid getting my domains blocked?