vless fallback fails, firstLen = 0, causing authentication failure? #2874

Closed
MelodyUSA opened this issue Dec 29, 2023 · 3 comments
MelodyUSA commented Dec 29, 2023

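The problem is as follows. I configured VLESS fallback on the server, listening on port 443, falling back to the WS inbound and to an nginx camouflage website respectively; nginx forwards gRPC traffic to the gRPC inbound. For some reason the fallback always fails: the WS request sent from the client shows firstLen = 0 on the server side (that refers to the first-packet length, right?), first-packet authentication fails, and no path is matched either. Neither WS nor gRPC falls back properly.

The domain used for the certificate is a second-level domain from cloudns.net, hosted on Cloudflare for DNS resolution.

My skills are limited, and after a lot of searching I really can't find what would cause this. The logs and configuration are below; I hope someone helpful can answer this for me.

Server log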

 [Debug] app/log: Logger started
 [Info] app/dns: DNS: created localhost client
 [Debug] app/router: MphDomainMatcher is enabled for 2 domain rule(s)
 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:443
 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:9527
 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:9528
 [Info] transport/internet/tcp: listening TCP on 0.0.0.0:443
 [Info] transport/internet/websocket: listening TCP(for WS) on 127.0.0.1:9527
 [Warning] transport/internet/websocket: accepting PROXY protocol
 [Warning] core: Xray 1.8.6 started
 [Debug] transport/internet/grpc: gRPC listen for service name `pathgrpc` tun `Tun` multi tun `TunMulti`
 [Info] [3717320926] proxy/vless/inbound: firstLen = 0
 [Info] [3717320926] proxy/vless/inbound: fallback starts > proxy/vless/inbound: fallback directly
 [Info] [3717320926] proxy/vless/inbound: realName = my.second.level.domain
 [Info] [3717320926] proxy/vless/inbound: realAlpn = 
 [Info] [3717320926] app/proxyman/inbound: connection ends > proxy/vless/inbound: fallback ends > proxy/vless/inbound: failed to fallback request payload > write tcp [remoteip]:443->[myip]:24624: write: connection reset by peer

VLESS inbound

{
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "tag": "VLESSTCP",
      "settings": {
        "clients": [
          {
            "id": "my-uuid",
            "flow": "xtls-rprx-vision",
            "email": "[email protected]"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": 31300,     // nginx listens here; port of the camouflage website
            "xver": 0
          },
          {
            "alpn": "h2",      // nginx listens here; forwards gRPC
            "dest": 31301,
            "xver": 0
          },
          {
            "path": "/wspath",
            "dest": 9527,
            "xver": 1
          }
        ]
      },
      "add": "my.second.level.domain",
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "rejectUnknownSni": true,
          "minVersion": "1.2",
          "certificates": [
            {
              "certificateFile": "/path/to/tls/my.second.level.domain.crt",
              "keyFile": "/path/to/tls/my.second.level.domain.key",
              "ocspStapling": 3600
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ]
}

nginx configuration

server {
    listen 127.0.0.1:31300;
    server_name _;
    return 403;
}
server {
    listen 127.0.0.1:31301 so_keepalive=on;
    http2 on;
    server_name my.second.level.domain;
    root /usr/share/nginx/html/;
    location ~ ^/s/(clashMeta|default|clashMetaProfiles)/(.*) {
        default_type 'text/plain; charset=utf-8';
        alias /path/to/subscribe/$1/$2;
    }
    location /pathgrpc {
        client_max_body_size 0;
        keepalive_requests 4294967296;
        client_body_timeout 1071906480m;
        send_timeout 1071906480m;
        lingering_close always;
        grpc_read_timeout 1071906480m;
        grpc_send_timeout 1071906480m;
        grpc_pass grpc://127.0.0.1:9528;
    }
}
server {
    listen 127.0.0.1:31300;
    server_name my.second.level.domain;
    root /usr/share/nginx/html/;
    location ~ ^/s/(clashMeta|default|clashMetaProfiles)/(.*) {
        default_type 'text/plain; charset=utf-8';
        alias /path/to/subscribe/$1/$2;
    }
    location / {
    }
}

VLESS+WS inbound

{
  "inbounds": [
    {
      "port": 9527,
      "listen": "127.0.0.1",
      "protocol": "vless",
      "tag": "VLESSWS",
      "settings": {
        "clients": [
          {
            "id": "my-uuid",
            "email": "[email protected]"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "ws",
        "security": "none",
        "wsSettings": {
          "acceptProxyProtocol": true,
          "path": "/wspath"
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ]
}

VLESS-gRPC inbound

{
  "inbounds": [
    {
      "port": 9528,
      "listen": "127.0.0.1",
      "protocol": "vless",
      "tag": "VLESSGRPC",
      "settings": {
        "clients": [
          {
            "id": "my-uuid",
            "email": "[email protected]"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "grpc",
        "grpcSettings": {
          "serviceName": "pathgrpc"
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ]
}

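Because the VPS provider's routes are mediocre, browsing gets very laggy during the evening peak, and speeds are poor with a direct connection.
So I need a configuration that can sit behind a CDN: pick a batch of CF IPs and use them with load balancing in the clash client to speed things up.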

@MichaelWei7

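I ran into the same problem. It worked when tested on my local LAN, but as soon as it was deployed to a public server it stopped working.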


wtfr-dot commented May 5, 2024

If you are going through a CDN, don't use flow control (flow).

Member

RPRX commented May 15, 2024

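The description is problematic. With "firstLen = 0" it falls back directly to Nginx, and with the configuration you describe Nginx forwards to gRPC, so at the very least gRPC would not be unusable.

If "firstLen = 0" and the proxy is unusable, it can only be that the Xray server received no valid data inside TLS.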

RPRX closed this as not planned (won't fix, can't repro, duplicate, stale) on May 15, 2024
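An added diagnostic sketch, not part of the issue thread and not Xray's own code: it reads the `firstLen` / `realName` / `realAlpn` log lines quoted in the issue and resolves which entry of the posted `fallbacks` array such a connection would reach. The matching order (alpn first, then path, with entries that omit a field acting as defaults) is an assumed simplified model, and the function names are hypothetical.

```python
import re

# Fallbacks array copied from the VLESS inbound posted in the issue.
FALLBACKS = [
    {"dest": 31300, "xver": 0},
    {"alpn": "h2", "dest": 31301, "xver": 0},
    {"path": "/wspath", "dest": 9527, "xver": 1},
]

# Log lines copied from the issue (one connection, id 3717320926).
LOG = "\n".join([
    "[Info] [3717320926] proxy/vless/inbound: firstLen = 0",
    "[Info] [3717320926] proxy/vless/inbound: realName = my.second.level.domain",
    "[Info] [3717320926] proxy/vless/inbound: realAlpn = ",
])

FIELD = re.compile(r"\[(\d+)\] proxy/vless/inbound: (firstLen|realName|realAlpn) = ?(.*)$")

def parse_connections(log):
    """Group the firstLen / realName / realAlpn values by connection id."""
    conns = {}
    for line in log.splitlines():
        m = FIELD.search(line)
        if m:
            conns.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return conns

def pick_fallback(fallbacks, alpn="", path=""):
    """Assumed model: match on alpn, then path; entries without alpn are defaults."""
    table = {}
    for fb in fallbacks:
        table.setdefault(fb.get("alpn", ""), {})[fb.get("path", "")] = fb
    defaults = table.get("", {})
    for a, paths in table.items():
        if a:  # let alpn-less entries fill in paths the alpn-specific set lacks
            for p, fb in defaults.items():
                paths.setdefault(p, fb)
    paths = table.get(alpn) or defaults
    return paths.get(path) or paths.get("")

def diagnose(log, fallbacks):
    """Report, per connection, whether the first packet was empty and the dest chosen."""
    report = {}
    for cid, c in parse_connections(log).items():
        first_len = int(c.get("firstLen", "0"))
        # No path is recoverable from these log fields, so only alpn narrows the match.
        fb = pick_fallback(fallbacks, c.get("realAlpn", ""))
        report[cid] = {"empty_first_packet": first_len == 0, "dest": fb["dest"], "xver": fb["xver"]}
    return report

if __name__ == "__main__":
    print(diagnose(LOG, FALLBACKS))
```

Under this model the logged connection (empty first packet, empty `realAlpn`) resolves to the default entry on port 31300, while a request that carries `/wspath` resolves to 9527 and an `h2` connection without a matching path to 31301.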