Both VPN protocols (VLESS+Reality TCP and VLESS+XHTTP+Reality) now share port 443 via nginx stream ssl_preread SNI routing on both EU and RU servers.

EU server:
- nginx stream :443 routes by SNI: www.adobe.com → Xray XHTTP (:2053), media.zirgate.com → nginx HTTPS (:8443), default → Xray Reality (:4443)
- Xray inbounds bind 127.0.0.1 (no longer exposed directly)
- XHTTP Reality dest changed to www.adobe.com with xPaddingBytes

RU relay:
- Single stream :443 routes by SNI: zirgate.com/my.zirgate.com → local nginx HTTPS (:8443), everything else → EU:443
- Removed separate per-protocol stream ports (8444, 2053)

nginx_frontend HTTPS: removed XHTTP proxy location (now handled by stream)

Raven-subscribe: updated inbound_ports comments for port 443
…ra domains
- xray XHTTP scMaxPacketSize: 50000 → 1048576 (1MB) — reduces HTTP round-trips
- relay stream: add relay_extra_eu_https_domains for SNI routing to EU:8443 (used when a domain's DNS is moved to RU but cert is on EU nginx)

…sites-enabled
- relay stream: remove relay_extra_eu_https_domains (no longer needed)
- nginx_frontend: deploy HTTPS config to sites-enabled/ instead of conf.d/ (nginx.conf on EU only includes sites-enabled/)

- New role roles/wireguard: installs wireguard-tools, deploys wg0 on EU (10.10.0.1) and RU (10.10.0.2), PersistentKeepalive=25s
- role_wireguard.yml playbook applies to both vm_my_srv and vm_my_ru
- monitoring: remove ssh_tunnel_ru task/handler/vars; node_exporter on RU now binds to 10.10.0.2:9100 (WireGuard iface); VictoriaMetrics scrapes RU via 10.10.0.2:9100 instead of SSH tunnel 127.0.0.1:19100
- monitoring/node_exporter: add ufw allow from 10.10.0.0/24 for RU
- role_monitoring.yml: apply role to both EU and RU hosts; EU-only components (VictoriaMetrics, Grafana, exporters) guarded by when

Xray requires non-empty email for StatsService per-user counters. If user.email is missing or blank, use user.id instead. Applies to 200-in-vless-reality, 210-in-xhttp, 230/240-in-*-users.
GitHub /releases/latest returns enterprise release (no single-node
tarball). Switch to /releases list and find first release that has
victoria-metrics-linux-{arch}-vX.Y.Z.tar.gz (non-enterprise, non-cluster).
Also fix task order: detect arch before fetching releases list.
server-status: add unique_users (stat), total_connections (stat), routing requests rate (freedom vs blocked), Xray heap memory timeseries.
xray-users-traffic: replace cumulative counter tables with bar gauges using increase($__range) — shows traffic per user for selected period.
…ibe monitoring, Grafana alerts
- xray-stats-exporter: add xray_inbound_uplink/downlink_bytes_total metrics by querying inbound>>> pattern alongside user>>> in StatsService
- scrape.yml: add raven-subscribe job scraping /health (up=0 on failure)
- dashboards: add inbound traffic panels and sort_desc on user top charts
- server-status: add Raven-subscribe UP/DOWN status and latency panels
- grafana-alerting.yml: provision 5 alert rules (xray down, raven-subscribe down, EU/RU server down, EU disk >85%)
Geo metrics (country/city) not available — Xray access.log shows 127.0.0.1 after nginx proxy_protocol was added. Removed geo row and shifted inbound panels up.
…t ports
- Fix architecture diagrams: SNI routing on :443, ports 4443/2053/8443
- Add nginx_frontend PROXY protocol notes and deploy order warning
- Add monitoring role description (xray-stats-exporter, VictoriaMetrics, Grafana)
- Add Monitoring section with Grafana dashboard and alerting description
- Update nginx_frontend and relay config variable tables
- Add xray-stats-exporter to Related Projects
- Sync README.ru.md with EN changes
feat: SNI routing v2, PROXY protocol, monitoring improvements
Summary
- proxy_protocol on/xver: 2) — real client IPs in Xray stats
- xray_inbound_uplink/downlink_bytes_total
- --log-path, --geo-city-db, --geo-asn-db)
- develop branch and PRs targeting develop

Deploy order (CRITICAL)
When deploying nginx_frontend and Xray inbounds together — always deploy Xray first (--tags xray_inbounds), then nginx.

Test plan
- xray_up 1 in exporter metrics
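How a backend behind the stream proxy recovers the real client address that the commits above refer to, as an added Python example (not code from this pull request): it parses a PROXY protocol header in either the text (version 1) or binary (version 2) form and honours it only when the socket peer is a trusted front end. `TRUSTED_FRONTENDS`, the function names and the sample byte strings are assumptions constructed for this example.

```python
import ipaddress
import socket
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY protocol v2 magic
TRUSTED_FRONTENDS = {"127.0.0.1"}          # assumption: only the local proxy may send headers

def parse_proxy_header(buf: bytes):
    """Return (source_ip, source_port, header_length); raise ValueError if malformed."""
    if buf.startswith(b"PROXY "):                        # version 1: one ASCII line
        line, sep, _ = buf[:108].partition(b"\r\n")
        parts = line.decode("ascii").split(" ")
        if not sep or len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed or unsupported v1 header")
        return str(ipaddress.ip_address(parts[2])), int(parts[4]), len(line) + 2
    if buf.startswith(V2_SIGNATURE) and len(buf) >= 16:  # version 2: binary
        ver_cmd, family, length = struct.unpack_from("!BBH", buf, 12)
        layout = {0x11: (socket.AF_INET, 4), 0x21: (socket.AF_INET6, 16)}.get(family)
        if ver_cmd != 0x21 or layout is None:            # version 2, PROXY command, TCP only
            raise ValueError("unsupported v2 header")
        af, alen = layout
        if length < 2 * alen + 4 or len(buf) < 16 + length:
            raise ValueError("truncated v2 header")
        src = socket.inet_ntop(af, buf[16:16 + alen])
        (sport,) = struct.unpack_from("!H", buf, 16 + 2 * alen)
        return src, sport, 16 + length
    raise ValueError("no PROXY header")

def effective_client(peer_ip: str, first_bytes: bytes):
    """Return (client_ip, payload) as the backend should log and process them."""
    if peer_ip not in TRUSTED_FRONTENDS:
        return peer_ip, first_bytes       # never honour a header from an untrusted peer
    # A trusted front end must send a header; a missing one raises ValueError.
    src, _sport, header_len = parse_proxy_header(first_bytes)
    return src, first_bytes[header_len:]

# Constructed sample inputs: a header followed by the first bytes of a TLS record.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 127.0.0.1 51234 4443\r\n" + b"\x16\x03\x01"
SAMPLE_V2 = (V2_SIGNATURE + b"\x21\x11\x00\x0c"
             + socket.inet_aton("203.0.113.7") + socket.inet_aton("127.0.0.1")
             + struct.pack("!HH", 51234, 4443) + b"\x16\x03\x01")
```

Without the header, every connection relayed by the local front end appears to come from 127.0.0.1, which is the socket peer address.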