ss+v2ray-plugin+nginx+tls https not working

[Nerom]

v2ray-plugin through nginx with tls is not working properly. I have built ss with v2ray plugin through nginx without tls, it is working fine. but when I only add tls support for nginx and modify client config accordingly, it did not work. I have tested nginx tls, it works. u can try n3ro.me to test tls. could anybody help me to investigating the issue ? here is the config content.

• nginx:

server {
        listen 80;
        listen [::]:80;

        server_name n3ro.me;

        error_page 497  https://$host$uri;

        location = /ss {
                proxy_pass                  http://127.0.0.1:9999/;
                proxy_redirect              off;
                proxy_http_version          1.1;
                proxy_set_header Upgrade    $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host       $http_host;
        }

	location / {
		return 497;
	}
}


server {
	listen 443 ssl;
	listen [::]:443 ssl;

	server_name n3ro.me;
	ssl                  on;
	ssl_certificate      /root/.acme.sh/n3ro.me/n3ro.me.cer;
	ssl_certificate_key  /root/.acme.sh/n3ro.me/n3ro.me.key;
	ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

	location = /ss {
    		proxy_pass                  http://127.0.0.1:9999/;
		proxy_redirect              off;
    		proxy_http_version          1.1;
    		proxy_set_header Upgrade    $http_upgrade;
    		proxy_set_header Connection "upgrade";
    		proxy_set_header Host       $http_host;
    	}

	location = / {
		return 302 /yacd;
	}

	location / {
		root /root/websites/n3ro.me;
		index	index.html;
	}
}

• shadowsocks

{
    "server":"0.0.0.0",
    "server_port":9999,
    "local_port":1080,
    "mode":"tcp_and_udp",
    "password":"******",
    "timeout":600,
    "method":"chacha20-ietf-poly1305",
    "fast_open":true,
    "plugin":"v2ray-plugin",
    "plugin-opts":"server"
}

• starting shadowsocks command

/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json --plugin v2ray-plugin --plugin-opts "server"

ps: why I start it using this command, it is because if I use systemctl start shadowsocks-libev, it cannot start v2ray-plugin, but this way works.

• client
  active v2ray-plugin plugin, and set plugin opts as host=n3ro.me;path=/ss, set port as 80, if with tls, then set plugin opts as tls;host=n3ro.me;path=/ss and port as 443

[vanyaindigo]

Proxy_pass must be https:

location /ss {
    		proxy_pass                  https://127.0.0.1:9999;
...
    	}

[rampageX]

@vanyaindigo is http not https

@Nerom

1. remove = from location = /ssm like location /ss, i dont belive you can pass nginx -t with your config;

2. remove last / from http://127.0.0.1:9999/ like http://127.0.0.1:9999

3. if you just want use tls, remove all location = /ss { ... } code block from your 80 listen.

[vanyaindigo]

@vanyaindigo is http not https

Nope https, I'm now working through https

[Nerom]

@vanyaindigo is http not https

Nope https, I'm now working through https

yes, I read a lot of articles, all told it should work... but it did not... weird...

[Nerom]

@vanyaindigo is http not https

@Nerom

1. remove = from location = /ssm like location /ss, i dont belive you can pass nginx -t with your config;
2. remove last / from http://127.0.0.1:9999/ like http://127.0.0.1:9999
3. if you just want use tls, remove all location = /ss { ... } code block from your 80 listen.

1. it does work with =, I config refer to nginx official docs, and it does pass nginx -t
2. I need last / , because I did not config a path in v2ray-plugin opts. and you can refer to nginx official docs to find out what config like that means.
3. I think listening on 80 at the same time won't impact anything of tls. the problem here is v2ray-plugin behind nginx with tls does not work. but the website with tls works fine. it is weird.

it seems the issue of nginx reverse proxying websocket with tls

[vanyaindigo]

it seems the issue of nginx reverse proxying websocket with tls

There is no issue. all is working perfectly.

I read a lot of articles

So you can read one more

[liujunhui2]

v2ray-plugin through nginx with tls is not working properly. I have built ss with v2ray plugin through nginx without tls, it is working fine. but when I only add tls support for nginx and modify client config accordingly, it did not work. I have tested nginx tls, it works. u can try n3ro.me to test tls. could anybody help me to investigating the issue ? here is the config content.

• nginx:

server {
        listen 80;
        listen [::]:80;

        server_name n3ro.me;

        error_page 497  https://$host$uri;

        location = /ss {
                proxy_pass                  http://127.0.0.1:9999/;
                proxy_redirect              off;
                proxy_http_version          1.1;
                proxy_set_header Upgrade    $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host       $http_host;
        }

	location / {
		return 497;
	}
}


server {
	listen 443 ssl;
	listen [::]:443 ssl;

	server_name n3ro.me;
	ssl                  on;
	ssl_certificate      /root/.acme.sh/n3ro.me/n3ro.me.cer;
	ssl_certificate_key  /root/.acme.sh/n3ro.me/n3ro.me.key;
	ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

	location = /ss {
    		proxy_pass                  http://127.0.0.1:9999/;
		proxy_redirect              off;
    		proxy_http_version          1.1;
    		proxy_set_header Upgrade    $http_upgrade;
    		proxy_set_header Connection "upgrade";
    		proxy_set_header Host       $http_host;
    	}

	location = / {
		return 302 /yacd;
	}

	location / {
		root /root/websites/n3ro.me;
		index	index.html;
	}
}

• shadowsocks

{
    "server":"0.0.0.0",
    "server_port":9999,
    "local_port":1080,
    "mode":"tcp_and_udp",
    "password":"******",
    "timeout":600,
    "method":"chacha20-ietf-poly1305",
    "fast_open":true,
    "plugin":"v2ray-plugin",
    "plugin-opts":"server"
}

• starting shadowsocks command

/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json --plugin v2ray-plugin --plugin-opts "server"

ps: why I start it using this command, it is because if I use systemctl start shadowsocks-libev, it cannot start v2ray-plugin, but this way works.

• client
  active v2ray-plugin plugin, and set plugin opts as host=n3ro.me;path=/ss, set port as 80, if with tls, then set plugin opts as tls;host=n3ro.me;path=/ss and port as 443

"plugin-opts" should be "plugin_opts". Give it a try.
This is mine:
"plugin_opts":"server;host=example.com;path=/example;loglevel=none"

[picmax]

It does work. However, UDP doesn't seem to work. The server received the packets but it seems shadowsocks with v2-ray plugin on the server side cannot handle the UDP packet. Or, perhaps Nginx couldn't handle the UDP packets.

[vanyaindigo]

v2-ray plugin on the server side

works only with tcp - websockets

[beanslel]

It does work. However, UDP doesn't seem to work. The server received the packets but it seems shadowsocks with v2-ray plugin on the server side cannot handle the UDP packet. Or, perhaps Nginx couldn't handle the UDP packets.

Only TCP goes through the plugin. UDP bypasses the plugin (by shadowsocks design) and will try to connect to plain shadowsocks. If you run the server with -u and open up the UDP port it will work, but it will be just regular shadowsocks over UDP.

[CresentMoon]

I have successfully run ss-libev on my VPS (CentOS 8 x64 ) without any plugins. Today I'd like to try the v2ray plugin but I came to similar problems.

ss config.json

{
    "server":"localhost",
    "mode":"tcp_only",
    "server_port":8348,
    "local_port":1080,
    "password":"******",
    "timeout":86400,
    "method":"chacha20-ietf-poly1305",
    "plugin":"v2ray-plugin",
    "nameserver":"1.1.1.1",  
    "plugin_opts":"server;path=/magic;host=super******.mooo.com;loglevel=none"
}

nginx nginx.conf

erver {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        proxy_pass http://www.bing.com/;
        limit_rate 1000k;
        proxy_redirect off;
        }
        location /magic {
        proxy_redirect off;
        proxy_pass http://localhost:8348;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

The nginx service seems to be working well, since when trying to visit super******.mooo.com, it will be forwarded to www.bing.com.

Unfortunately when I tried to run ss with v2ray plugin
shadowsocks-libev.ss-server -c config.json --plugin v2ray-plugin_linux_amd64

[root@vultrguest ~]# cd /var/lib/snapd/snap/bin/
[root@vultrguest bin]# dir
config.json   shadowsocks-libev.ss-local    shadowsocks-libev.ss-server
configo.json  shadowsocks-libev.ss-manager  shadowsocks-libev.ss-tunnel
nohup.out     shadowsocks-libev.ss-redir    v2ray-plugin_linux_amd64
[root@vultrguest bin]# shadowsocks-libev.ss-server -c config.json --plugin v2ray-plugin_linux_amd64 
 2020-04-23 14:03:53 INFO: using tcp fast open
 2020-04-23 14:03:53 INFO: plugin "v2ray-plugin_linux_amd64" enabled
 2020-04-23 14:03:53 INFO: initializing ciphers... chacha20-ietf-poly1305
 2020-04-23 14:03:53 INFO: tcp server listening at 127.0.0.1:41415
 2020-04-23 14:03:53 INFO: running from root user
2020/04/23 14:03:53 V2Ray 4.22.1 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.13.4 linux/amd64)
2020/04/23 14:03:53 A unified platform for anti-censorship.

At the moment, in the config.json I have specified the listening port "8348", but eveytime I run the line above, it displays "tcp server listening at 127.0.0.1:41415", 45321,52344, etc. It keeps changing.

client android phone

**typical parameters**
Server (MyVPS IP address)
Port 8348
**v2ray-plugin parameters**
active
Transport mode: websocket http
Hostname:    super******.mooo.com
Path:              /magic
Concurrent connections:  1

By the way.
super******.mooo.com is a subdomain name I registered linked to my VPS. it actually can not be visited here since DNS pollution. But it can be visited using ss.

Finally, it doesn't work for my phone with v2ray plugin.

So could anyone tell me how I came to this problem?

[liujunhui2]

I have successfully run ss-libev on my VPS (CentOS 8 x64 ) without any plugins. Today I'd like to try the v2ray plugin but I came to similar problems.

ss config.json

{
    "server":"localhost",
    "mode":"tcp_only",
    "server_port":8348,
    "local_port":1080,
    "password":"******",
    "timeout":86400,
    "method":"chacha20-ietf-poly1305",
    "plugin":"v2ray-plugin",
    "nameserver":"1.1.1.1",  
    "plugin_opts":"server;path=/magic;host=super******.mooo.com;loglevel=none"
}

nginx nginx.conf

erver {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        proxy_pass http://www.bing.com/;
        limit_rate 1000k;
        proxy_redirect off;
        }
        location /magic {
        proxy_redirect off;
        proxy_pass http://localhost:8348;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

The nginx service seems to be working well, since when trying to visit super******.mooo.com, it will be forwarded to www.bing.com.

Unfortunately when I tried to run ss with v2ray plugin
shadowsocks-libev.ss-server -c config.json --plugin v2ray-plugin_linux_amd64

[root@vultrguest ~]# cd /var/lib/snapd/snap/bin/
[root@vultrguest bin]# dir
config.json   shadowsocks-libev.ss-local    shadowsocks-libev.ss-server
configo.json  shadowsocks-libev.ss-manager  shadowsocks-libev.ss-tunnel
nohup.out     shadowsocks-libev.ss-redir    v2ray-plugin_linux_amd64
[root@vultrguest bin]# shadowsocks-libev.ss-server -c config.json --plugin v2ray-plugin_linux_amd64 
 2020-04-23 14:03:53 INFO: using tcp fast open
 2020-04-23 14:03:53 INFO: plugin "v2ray-plugin_linux_amd64" enabled
 2020-04-23 14:03:53 INFO: initializing ciphers... chacha20-ietf-poly1305
 2020-04-23 14:03:53 INFO: tcp server listening at 127.0.0.1:41415
 2020-04-23 14:03:53 INFO: running from root user
2020/04/23 14:03:53 V2Ray 4.22.1 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.13.4 linux/amd64)
2020/04/23 14:03:53 A unified platform for anti-censorship.

At the moment, in the config.json I have specified the listening port "8348", but eveytime I run the line above, it displays "tcp server listening at 127.0.0.1:41415", 45321,52344, etc. It keeps changing.

client android phone

**typical parameters**
Server (MyVPS IP address)
Port 8348
**v2ray-plugin parameters**
active
Transport mode: websocket http
Hostname:    super******.mooo.com
Path:              /magic
Concurrent connections:  1

By the way.
super******.mooo.com is a subdomain name I registered linked to my VPS. it actually can not be visited here since DNS pollution. But it can be visited using ss.

Finally, it doesn't work for my phone with v2ray plugin.

So could anyone tell me how I came to this problem?

I think you're almost there.
For the tcp port, it's working properly. Since V2ray is taking over the http traffic, the port specified in ss-libev is actually served by v2ray, and then the decoded traffic is passed to ss-libev through a insignificant port number. Thus you see the port number changing between ss-libev service restarts.
You can confirm the service is running by netstat -ltp, and check if the port is actually in LISTEN state and served by corresponding v2ray plugin.

Next you need to verify the nginx forwarding chain. Check access.log and error.log in /var/log/nginx to see if your request is received and processed.
You client should specify the nginx port 80 instead of 8348.

In the end I suggest that you enable SSL. A domain name costs much less than your VPS. Use let's encrypt to obtain valid certificates (I use acme.sh for managing certificates). In this way all your traffic is encrypted.

[CresentMoon]

Thanks to liujunhui74 !

I check the output of netstat -ltp

[root@vultrguest bin]# netstat -ltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      1430/nginx: master  
tcp        0      0 localhost:35953         0.0.0.0:*               LISTEN      1436/ss-server      
tcp        0      0 0.0.0.0:10033           0.0.0.0:*               LISTEN      732/sshd            
tcp        0      0 localhost:8348          0.0.0.0:*               LISTEN      1455/v2ray-plugin_l 
tcp6       0      0 [::]:http               [::]:*                  LISTEN      1430/nginx: master  
tcp6       0      0 [::]:10033              [::]:*                  LISTEN      732/sshd   

it seems everthing goes well.

then, i modified the ss-android config as following.

**typical parameters**
Server  108.(*hidden*)
Port 80 (I have done according to as you said above.)

**v2ray-plugin parameters**
v2ray: active
Transport mode: websocket http
Hostname:    super******.mooo.com
Path:              /magic
Concurrent connections:  1

however, it still tells that "no internet connection: unable to resolve host www.google.com No address associated with hostname "

I checked /var/log/nginx/access.log

124.(*hidden*)- - [25/Apr/2020:12:52:21 +0000] "GET /magic HTTP/1.1" 499 0 "-" "Go-http-client/1.1" "-"
124.(*hidden*) - - [25/Apr/2020:12:52:21 +0000] "GET /magic HTTP/1.1" 499 0 "-" "Go-http-client/1.1" "-"
124.(*hidden*)- - [25/Apr/2020:12:52:21 +0000] "GET /magic HTTP/1.1" 499 0 "-" "Go-http-client/1.1" "-"
………………

I guess that there must be something run with nginx-v2rayplugin forwarding chain.
so here's the full text of the/etc/nginx/nginx.conf

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        #Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location /magic {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8348/;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
     location / {
        proxy_pass http://www.bing.com/;
        limit_rate 1000k;
        proxy_redirect off;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers PROFILE=SYSTEM;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}

By the way, until now I don't know where to register a domain name at an acceptable cost(not a subdomain name) to utilize CLOUDFLARE service. Actually, it only spent me 10$ to have this vps for 2 years.

[vanyaindigo]

What about resolver? For domain name you can use https://www.dynadot.com/

[liujunhui2]

**typical parameters**
Server  108.(*hidden*)
Port 80 (I have done according to as you said above.)

**v2ray-plugin parameters**
v2ray: active
Transport mode: websocket http
Hostname:    super******.mooo.com
Path:              /magic
Concurrent connections:  1

however, it still tells that "no internet connection: unable to resolve host www.google.com No address associated with hostname "

I checked /var/log/nginx/access.log

124.(*hidden*)- - [25/Apr/2020:12:52:21 +0000] "GET /magic HTTP/1.1" 499 0 "-" "Go-http-client/1.1" "-"
124.(*hidden*) - - [25/Apr/2020:12:52:21 +0000] "GET /magic HTTP/1.1" 499 0 "-" "Go-http-client/1.1" "-"
124.(*hidden*)- - [25/Apr/2020:12:52:21 +0000] "GET /magic HTTP/1.1" 499 0 "-" "Go-http-client/1.1" "-"
………………

Domain name is the easiest part. I use namesilo and search for domains with cheapest renewal prices. Typically you'll get $2.95 a year for a domain (e.g. .win).

The nginx access log above shows you're getting http 499 responses. This means the HTTP connection is not good. There could be a lot of reasons leading to this.

First, check you client. What android client do you use? Do you use "official" shadowsocks and v2ray plugin client? You'd better test your setup with a PC client so that to tell if the problem is at the client side.

For the server side, try to use this nginx configuration:

    location /<example> {
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_pass http://localhost:<*****>;     # Port of v2ray-plugin
        proxy_set_header Host <example.com>;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

And remember to reload nginx service.

[CresentMoon]

I bought a domain name super*****.xyz.
After trial and error for nearly 2 hours, ...hmm....Eventually I got 404 ...Nothing in Error.log Very frustrating...
(124...** Android 4G; 222...** Windows PC)
Nginx access.log

124.**.**.** - - [27/Apr/2020:14:32:46 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
124.**.**.** - - [27/Apr/2020:14:32:47 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
124.**.**.** - - [27/Apr/2020:14:32:47 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
124.**.**.** - - [27/Apr/2020:14:32:49 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
124.**.**.** - - [27/Apr/2020:14:32:50 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
124.**.**.** - - [27/Apr/2020:14:32:50 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
124.**.**.** - - [27/Apr/2020:14:32:51 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
124.**.**.** - - [27/Apr/2020:14:32:51 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
124.**.**.** - - [27/Apr/2020:14:32:52 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
222.**.**.** - - [27/Apr/2020:14:42:55 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
222.**.**.** - - [27/Apr/2020:14:42:55 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
222.**.**.** - - [27/Apr/2020:14:42:56 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
222.**.**.** - - [27/Apr/2020:14:42:56 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
222.**.**.** - - [27/Apr/2020:14:42:57 +0000] "GET /magic HTTP/1.1" 404 0 "-" "Go-http-client/1.1" "-"
                                                                            

Both ss & vray_plugin android clients are downloaded from the GooglePlay Store.
Is using Cloudflare a must?

[CresentMoon]

Ahhhhhh! Finally, i get where the bug is! I almost give up, but I succeed with last attempt.

    location /magic {
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_pass http://localhost:8388;
        proxy_set_header Host super******.xyz;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }

It's http://localhost:8388; NOT http://localhost:8388/; .
And what's more, vray_plugin should listen both ipv4 and ipv6.

I decide to make a brief summary for rookies several days later.

[vanyaindigo]

vray_plugin should listen both ipv4 and ipv6

What do you mean?

[liujunhui2]

Is using Cloudflare a must?

No.
But with Cloudflare there are more possibilities.
Your can still access your vps even if it is blocked by gfw.
Sometimes it’s faster than directly connecting to your vps (depending on the vps location).
Last you’re able to use a very cheap vps with only ipv6 addresses.

[liujunhui2]

vray_plugin should listen both ipv4 and ipv6

What do you mean?

This is because sometimes “localhost” are resolved to ipv6 address. In this regard it’s better to use 127.0.0.1 in the nginx conf file.

[vanyaindigo]

The resolution of the name localhost to one or more IP addresses is normally configured by the following lines in the operating system's hosts file:

127.0.0.1    localhost
::1          localhost

[CresentMoon]

vray_plugin should listen both ipv4 and ipv6

What do you mean?

config.json could be as following:
Caution "server":["[::1]", "127.0.0.1"],

{
           "server":["[::1]", "127.0.0.1"],
           "mode":"tcp_and_udp",
           "server_port":8388,
           "local_port":1080,
           "password":"*******",
             "timeout":600,
            "method":"chacha20-ietf-poly1305",
            "fast_open":true,
            "plugin":"v2ray-plugin",
            "plugin_opts":"server;path=/*******;host=super*******.xyz;loglevel=none"
}

What'more, I found a detailed instruction on setting-up vray-plugins and nginx server for Chinese-speaking rookies.
https://blog.icpz.dev/articles/bypass-gfw/shadowsocks-with-v2ray-plugin/

[vanyaindigo]

I found a detailed instruction on setting-up vray-plugins and nginx server for Chinese-speaking rookies.

And this is my detailed instruction for Russian-speaking rookies: https://overclockers.ru/blog/Indigo81/show/31739/shadowsocks-cherez-cloudflare-cdn-povyshaem-bezopasnost-v-seti

[aboka2k]

hi all, just finish reading this thread and got a couple questions as im interest too to try out ss+v2ray setup-

1. do we need a webserver for the ss+v2ray+tls to work? if yes, then could we do it with Apache?

2. lets say we use the setup here correctly and add a cdn, what IP address will 'whatismyip' show? the vps or cdn?

thank you,

[vanyaindigo]

hi all, just finish reading this thread and got a couple questions as im interest too to try out ss+v2ray setup-

1. do we need a webserver for the ss+v2ray+tls to work? if yes, then could we do it with Apache?

This is not necessary

2. lets say we use the setup here correctly and add a cdn, what IP address will 'whatismyip' show? the vps or cdn?

Your VPS.

[aboka2k]

@vanyaindigo thats the best news for today as i hv read, learn and setup a ss+v2ray+tls+cdn without proxy reverse. i do have apache installed but i change apache 443 to 8443 and use 443 for ss and client connection. is that ok?

thought i did something wrong when it shows my vps ip instead of the cdn's ip. is there way for us to check if the setup/obfuscation working fine?

p/s - bcoz of the pandemic, not sure when could travel to china, so hopefully could setup eveyrthing and make sure its running when we can travel

thank you very much,

[vanyaindigo]

The easiest way to check is if the traffic is running, then everything is fine.

[aboka2k]

The easiest way to check is if the traffic is running, then everything is fine.

yup, all internet surfing working fine :) saw a post before saying that we could inspect the traffic header to make sure no 'thumbprint' so will not flag by by gfw's dpi

hv few more points like to ask-

1. ss will only work for http/https traffic, any other protocol will be route(go directly) to the destination? netstat show ss server is listening both on tcp and udp

2. ss will only work with IPv4 only, IPv6 will be route(go directly) to the destination?

3. what is the UDP Fallback use for in SS Client on Android? by default it is disabled

thank you,

[vanyaindigo]

SS+any plugin will work only with any TCP traffic. Pure SS will work with any TCP/UDP traffic.
SS works as with IPv4, so with IPv6.

[aboka2k]

hi @vanyaindigo sorry for so many questions, i hv read a lot(bits here and there on the internet rgd this), but never had chance to ask someone knowledgeable like you. i hv always thought we cant ask question not relate to development in here. so is it ok to ask question here in future, or where else would you suggest we get help? as the other forums(linux, ubuntu, etc) dont hv this topic.

are you part of the cool team that develop this?

here is my visualization of how the traffics flow-
ss-client -> gfw -> cdn -> vps/ss-server -> website, then it travels back(in reverse) to ss-client

so gfw will only see that im going to the cdn, but wont know where is my real destination. is that correct?

and one last question - would using a webserver(nginx proxy_pass) more secure?

cheers,

[vanyaindigo]

#222

[aboka2k]

#222

thanks alot. after reading that, it seems hving a webserver is a good idea for 'camouflage'. will read more and try installing another version with nginx. i did try installing before from the reddit post, but somehow stuck at getting the certificate - authentication error..., so after many tries, i decide to try another method. hopefully this time it will work :)

cheeers,