xray VLESS-TCP-Reality + xtls-rprx-vision +nginx stream 443 sni 分流端口复用 + Proxy Protocol 访客IP是127.0.0.1

[heygo1345678]

日志：2023/02/23 01:52:46 127.0.0.1:52556 accepted tcp:github.githubassets.com:443 [VLESS-TCP-Reality >> direct]
nginx stream 配置：

map $ssl_preread_server_name $stream_map {

xtls.test vless;
www.microsoft.com real;

}

upstream vless {
server 127.0.0.1:8443;
}

upstream real {
server 127.0.0.1:44443 ;

}

stream模块监听443端口，并进行端口复用

server {
listen 443 reuseport ;
listen [::]:443 reuseport ;
proxy_pass $stream_map;
ssl_preread on;
proxy_protocol on; # 开启Proxy protocol

}

}

reality版本：

xray version

Xray 1.7.5 (Xray, Penetrates Everything.) 4d5c319 (go1.20.1 linux/amd64)
A unified platform for anti-censorship.

reality服务器配置文件：
{
"log": {
"loglevel": "warning"
},

"inbounds": [
    {

"tag": "VLESS-TCP-Reality",
"listen": "0.0.0.0",
"port": 44443, //服务器监听端口号，可以不是443，防火墙打开或者vps面板操作：iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
"protocol": "vless",
"settings": {
"clients": [
{
"id": "",
"flow": "xtls-rprx-vision" //解决tls in tls流量特征
}
],
"decryption": "none"
},
"streamSettings": {

"tcpSettings": {
          "acceptProxyProtocol": true
        },
"network": "tcp",
"security": "reality",      //魔改的tls协议 reality
"realitySettings": {
  
  
  "show": false,
  "privateKey": "",        //使用上面生成的私钥
  "shortIds": [
    ""
  ],
  "Dest": "61.147.219.124:443",     //这个是sni白名单网站www.microsoft.com的cdn IP和 https网站端口号
  "type": "tcp",
  "serverNames": [
    "www.microsoft.com"
  ]
}

}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
}
]
}

客户端配置：
{
"log": {
"loglevel": "warning"
},

"inbounds": [
     {
       // "listen": "127.0.0.1",
        "port": 10000, // 本地监听端口
        "protocol": "socks",
        "settings": {
            "udp": true
        },
        "sniffing": {
            "enabled": true,
            "destOverride": [
                "http",
                "tls"
            ]
        }
    }
	
	
	
	
	
	
],
"outbounds": [
     {
"tag": "VLESS-TCP-Reality",
"protocol": "vless",
"settings": {
  "vnext": [
    {
      
      "address": "1.2.3.4",        //这里是vps服务器节点IP
      "port": 443,  		 //vps服务器节点端口号
      "users": [
        {
          "id": "",
          "encryption": "none",
          "flow": "xtls-rprx-vision"              //解决tls in tls流量特征
        }
      ]
    }
  ]
},
"streamSettings": {
  "network": "tcp",
  "security": "reality",                   //魔改的tls协议 reality
  "realitySettings": {
    "publicKey": "",                 //公钥验证，用于验证服务器预防中间人攻击
    "shortId": "",
    "serverName": "www.microsoft.com",          //客户端向sni白名单的境外网站 偷证书发起假装的连接，糊弄gfw，
    "fingerprint": "chrome",       //模拟uTLS指纹，糊弄gfw以为是浏览器访问
    "spiderX": "/"
  }
}

}
]

}
相同的action build版本，用老的xtls是可以获取访客IP的：
2023/02/23 01:51:52 [Warning] infra/conf: You are using an old version of XTLS, which is deprecated now and will be removed soon. Please use flow "xtls-rprx-vision" with "tls & tlsSettings" instead.
2023/02/23 01:51:52 [Warning] transport/internet/websocket: accepting PROXY protocol
2023/02/23 01:51:52 [Warning] core: Xray 1.7.5 started
2023/02/23 01:51:53 234.12.31.12:38640 accepted tcp:149.12.1.100:80
nginx stream配置同上；
xray配置文件：
{
"log": {

"loglevel": "warning"

},
"inbounds": [
{
"port": 8443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "",
"flow": "xtls-rprx-direct"
}
],
"decryption": "none",
"fallbacks": [
{
"dest": 60000,
"alpn": "",
"xver": 1
},
{
"dest": 60001,
"alpn": "h2",
"xver": 1
},
{
"dest": 60002,
"path": "/9d/",
"xver": 1
},
{
"name": "",
"dest": 5003,
"xver": 1
},
{
"name": "",
"alpn": "h2",
"dest": 5004,
"xver": 1
},
{
"alpn": "http/1.1",
"dest": 800
},
{
"alpn": "h2",
"dest": 801
}

    ]
  },
  "streamSettings": {
    "network": "tcp",
    "security": "xtls",
	"tcpSettings": {
          "acceptProxyProtocol": true
        },
    "xtlsSettings": {
      "minVersion": "1.2",
      "certificates": [
        {
          "certificateFile": "/root/ecc/fullchain.cer",
          "keyFile": "/root/ecc/top.key"
        }
        
      ]
    }
  },
  "sniffing": {
    "enabled": true,
    "destOverride": [
      "http",
      "tls"
    ]
  }
},
{
  "port": 60002,
  "listen": "127.0.0.1",
  "protocol": "vless",
  "settings": {
    "clients": [
      {
        "id": ""
      }
    ],
    "decryption": "none"
  },
  "streamSettings": {
    "network": "ws",
    "security": "none",
    "wsSettings": {
      "acceptProxyProtocol": true,
      "path": "/970c/"
    }
  }
},
{
  
   "port": 60003,
  "listen": "127.0.0.1",
  "protocol": "vless",
  "settings": {
    "clients": [
      {
        "id": ""
      }
    ],
    "decryption": "none"
  },
  "streamSettings": {
    "network": "grpc",
    "security": "none",
    "grpcSettings": {
      "serviceName": "enjoy"
    }
  }
}

],
"outbounds": [
{
"protocol": "freedom"
}
]
}

[RPRX]

你的注释中存在很多错误，别让 ChatGPT 学去了然后胡说八道

[chika0801]

发下nginx 完整配置，猜是

log_format main 里面的 $remote_addr或写成$proxy_protocol_addr

另外排版弄好点吧

[RPRX]

客户端用 Client Hello 中 key_share 对应的私钥和配置中的 publicKey 算出一个共享密钥，再 HKDF 生成“临时认证密钥”，用它对版本号、时间戳、Short ID 进行 AEAD 认证加密，附加数据为整个握手，结果填充至 session ID，以供服务端验证请求。

服务端用配置中的 privateKey 和 Client Hello 中的 key_share 算出一个相同的共享密钥，再 HKDF 生成相同的“临时认证密钥”，用它解密、验证客户端的请求，然后生成一个 Ed25519 “临时可信证书”，签名为“临时认证密钥”对其中的公钥的 HMAC。

以上就是配置中 publicKey 和 privateKey 的作用。

[heygo1345678]

客户端用 Client Hello 中 key_share 对应的私钥和配置中的 publicKey 算出一个共享密钥，再 HKDF 生成“临时认证密钥”，用它对版本号、时间戳、Short ID 进行 AEAD 认证加密，附加数据为整个握手，结果填充至 session ID，以供服务端验证请求。

服务端用配置中的 privateKey 和 Client Hello 中的 key_share 算出一个相同的共享密钥，再 HKDF 生成相同的“临时认证密钥”，用它解密、验证客户端的请求，然后生成一个 Ed25519 “临时可信证书”，签名为“临时认证密钥”对其中的公钥的 HMAC。

以上就是配置中 publicKey 和 privateKey 的作用。

好的，多谢大佬指点，我不是搞开发的，对publicKey 的理解只剩下验证阻止中间人攻击了，这个配置是没有出官方模板前群里套用的，可能有的地方理解有误

[chika0801]

学到了，Short ID 我还是要填下了

[heygo1345678]

发下nginx 完整配置，猜是

log_format main 里面的 $remote_addr或写成$proxy_protocol_addr

另外排版弄好点吧

nginx.conf配置文件，不过我上面有提及，相同配置老的xtls是可以获取访客IP的：

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

include /etc/nginx/conf.d/*.conf;

}

stream模块设置

stream {

log_format proxy '$proxy_protocol_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

access_log /var/log/nginx/tcp-access.log proxy ;
open_log_file_cache off;
include /etc/nginx/conf.d/*.stream;

map $ssl_preread_server_name $stream_map {

xtls.test vless;
www.microsoft.com real;

}

upstream vless {
server 127.0.0.1:8443;
}

upstream real {
server 127.0.0.1:44443 ;

}

stream模块监听443端口，并进行端口复用

server {
listen 443 reuseport ;
listen [::]:443 reuseport ;
proxy_pass $stream_map;
ssl_preread on;
proxy_protocol on; # 开启Proxy protocol

}

}

[chika0801]

你的问题是nginx日志还是xray日志，哪个不能得到访问者的ip？

[chika0801]

"tcpSettings": {
"acceptProxyProtocol": true
},
不确定这个它生效没有

如果是xray日志报访问者127.0.0.1
盲猜你试试改配置

"sockopt": {

"acceptProxyProtocol": true,

}

你去文档搜下加上面的参数

[heygo1345678]

xray reality服务器端日志访客IP是127.0.0.1，用老的xtls搭建服务器有访客真实IP；
不过我的nginx的两个日志只有http块的/var/log/nginx/access.log 是正常的，cf反代ws，grpc，网站都有访客日志，因为有设置set real ip from
/var/log/nginx/tcp-access.log这个日志里面全是127.0.0.1，老的xtls节点和reality节点在里面日志分别为：

• [23/Feb/2023:01:47:04 +0000] TCP 200 3559 435 1.797 "127.0.0.1:8443" "768" "3559" "0.000"
• [23/Feb/2023:04:06:51 +0000] TCP 200 6296 216 2.790 "127.0.0.1:44443" "783" "6296" "0.000"
• 虽然/var/log/nginx/tcp-access.log这个日志里面老的xtls节点是127.0.0.1，
• 但是xray服务器端日志却是有真实访客IP的，
• 所以我觉得reality节点在处理"acceptProxyProtocol": true的时候不一样

[heygo1345678]

"tcpSettings": { "acceptProxyProtocol": true }, 不确定这个它生效没有

如果是xray日志报访问者127.0.0.1 盲猜你试试改配置

"sockopt": {

"acceptProxyProtocol": true,

}

你去文档搜下加上面的参数

测试了你说的：
"streamSettings": {

"sockopt": {

"tcpcongestion": "bbr",
"acceptProxyProtocol": true
}}
不过日志还是127.0.0.1：

2023/02/23 05:20:09 127.0.0.1:47288 accepted tcp:update.googleapis.com:443 [VLESS-TCP-Reality -> block]
2023/02/23 05:20:07 127.0.0.1:40106 accepted tcp:8.8.4.4:53 [VLESS-TCP-Reality >> direct]
2023/02/23 05:24:51 127.0.0.1:51940 accepted tcp:github.com:443 [VLESS-TCP-Reality >> direct]
2023/02/23 05:24:06 127.0.0.1:36702 accepted tcp:alive.github.com:443 [VLESS-TCP-Reality >> direct]
2023/02/23 05:23:59 [Warning] transport/internet/tcp: accepting PROXY protocol
Xray 1.7.5 (Xray, Penetrates Everything.) 4d5c319 (go1.20.1 linux/amd64)
A unified platform for anti-censorship.
2023/02/23 05:23:59 [Info] infra/conf/serial: Reading config: /etc/xray/config.json
2023/02/23 05:23:59 [Warning] core: Xray 1.7.5 started
2023/02/23 05:24:00 127.0.0.1:36530 accepted tcp:xxxx:80 [VLESS-TCP-Reality >> direct]
2023/02/23 05:24:00 127.0.0.1:36546 accepted tcp:xxxx:443 [VLESS-TCP-Reality >> direct]
2023/02/23 05:24:00 127.0.0.1:36522 accepted tcp:xxxx:443 [VLESS-TCP-Reality >> direct]

[chika0801]

你说清楚 xray日志 的 127.0.0.1 ，那你等开发者试试。我不用SNI分流，没测试过。

建议你把 nginx 和 xray 的配置 完整的，整理好，发上来，方便开发者定位复现别人测试，注意下排版

[RPRX]

还有，REALITY 的原理不是“偷证书”，TLSv1.3 把 Server Hello 后的消息全加密了，中间人看不到证书，想象力需要再丰富些

REALITY 服务端只偷了目标网站的 Server Hello，和后续握手消息的长度特征，还有超时特征等是 TODO

[RPRX]

仔细看了一下这个 issue，有可能是 REALITY 服务端代码的问题，你开一下服务端的 show 看看有没有真实 IP

[heygo1345678]

仔细看了一下这个 issue，有可能是 REALITY 服务端代码的问题，你开一下服务端的 show 看看有没有真实 IP
测试了，确实可以看到访客IP了，我xxxx脱敏了

Xray 1.7.5 (Xray, Penetrates Everything.) 4d5c319 (go1.20.1 linux/amd64)
A unified platform for anti-censorship.
2023/02/23 06:19:32 [Info] infra/conf/serial: Reading config: /etc/xray/config.json
2023/02/23 06:19:33 [Warning] transport/internet/tcp: accepting PROXY protocol
2023/02/23 06:19:33 [Warning] core: Xray 1.7.5 started
REALITY remoteAddr: xxxxx:40380
REALITY remoteAddr: xxxx:40383
REALITY remoteAddr: xxxxx:40380 hs.clientHello.sessionId: [207 10 49 87 145 57 61]

[debiansid]

有没有格式化的配置文件，准备抄个作业，谢谢

…

On Thu, Feb 23, 2023 at 2:26 PM heygo ***@***.***> wrote: 仔细看了一下这个 issue，有可能是 REALITY 服务端代码的问题，你开一下服务端的 show 看看有没有真实 IP 测试了，确实可以看到访客IP了，我xxxx脱敏了 Xray 1.7.5 (Xray, Penetrates Everything.) 4d5c319 <4d5c319> (go1.20.1 linux/amd64) A unified platform for anti-censorship. 2023/02/23 06:19:32 [Info] infra/conf/serial: Reading config: /etc/xray/config.json 2023/02/23 06:19:33 [Warning] transport/internet/tcp: accepting PROXY protocol 2023/02/23 06:19:33 [Warning] core: Xray 1.7.5 started REALITY remoteAddr: xxxxx:40380 REALITY remoteAddr: xxxx:40383 REALITY remoteAddr: xxxxx:40380 hs.clientHello.sessionId: [207 10 49 87 145 57 61] — Reply to this email directly, view it on GitHub <#1697 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACJN3ALX4GW4B6V5F46TPZ3WY37JRANCNFSM6AAAAAAVFBTTMU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>