getting (110: Connection timed out) while reading PROXY protocol on steal yourself
arminmacx opened this issue · 8 comments
Hi,
After I configured my server based on your "Steal yourself" config, when I run xray and check the nginx and xray logs I get this error:
*1 client timed out (110: Connection timed out) while reading PROXY protocol, client: 127.0.0.1, server: 127.0.0.1:8001
and on xray i got this transport/internet/tcp: REALITY: failed to dial dest: dial tcp 127.0.0.1:8001: connect: connection refused
I checked that port 8001 is not in use, and I already tried different ports, but I still get the same error.
By the way, I see that http2 needs to be added as
http2 on;
instead of adding http2 to the listen line.
my server config :
{
  "log": {
    // "debug" is the most verbose level; fine while troubleshooting, noisy for normal operation
    "loglevel": "debug",
    "error": "/var/log/xray/error.log",
    "access": "/var/log/xray/access.log"
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        // Send traffic to Iranian ranges and to private/loopback ranges to the blackhole,
        // so a client cannot use this server to reach services bound to the VPS itself
        "type": "field",
        "ip": [
          "geoip:ir",
          "geoip:private"
        ],
        "outboundTag": "block"
      },
      {
        // Same treatment for the listed Iranian domain categories
        "type": "field",
        "domain": [
          "geosite:category-ir",
          "geosite:category-bank-ir",
          "geosite:category-gov-ir",
          "geosite:category-insurance-ir",
          "geosite:category-media-ir",
          "geosite:category-news-ir",
          "geosite:category-payment-ir",
          "geosite:category-scholar-ir",
          "geosite:category-shopping-ir",
          "geosite:category-tech-ir",
          "geosite:category-travel-ir",
          "geosite:category-bourse-ir",
          "geosite:category-education-ir"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            // Client credential (UUID); must match the client side exactly
            "id": "7c8b2381-3cf6-42e9-b193-bfb8efc14b0f",
            // XTLS Vision flow mode
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          // A bare port means 127.0.0.1:8001 (the xray log shows "dial tcp 127.0.0.1:8001");
          // this is the local nginx server that answers connections REALITY does not accept
          "dest": "8001",
          // PROXY-protocol version sent to dest. 0 = no PROXY header, so nginx must NOT have
          // "proxy_protocol" on its listen line. The posted nginx config does have it, which is
          // why nginx times out "while reading PROXY protocol": use xver 1 with proxy_protocol,
          // or xver 0 without it
          "xver":0,
          "serverNames": [
            // placeholder as posted; must match the nginx server_name and the client's serverName
            "MY OWN DOMAIN"
          ],
          // placeholder as posted; the REALITY x25519 private key, paired with the client's public key
          "privateKey": "MY OWN PRIVATE KEY",
          // Client-version gate; the reply below suggests dropping both when the client is not Xray-core
          "minClientVer": "1.8.0",
          "maxClientVer":"",
          // "maxTimeDiff":0,
          "shortIds": [
            // hex, up to 16 chars; must match the client's shortId exactly
            "517c28b4bec7ed28"
          ]
        }
      },
      "sniffing": {
        // Recover the real destination from the HTTP/TLS/QUIC payload so the routing rules above
        // can match on domains
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      // Target of the "block" routing rules above
      "protocol": "blackhole",
      "tag": "block"
    }
  ],
  "policy": {
    "levels": {
      "0": {
        // Timeouts in seconds: handshake limit and idle-connection limit
        "handshake": 2,
        "connIdle": 120
      }
    }
  }
}
nginx config :
user nginx;
worker_processes auto;
# "debug" is very verbose; the log lines quoted in this report come from it
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
  worker_connections 1024;
}
http {
  # $proxy_protocol_addr is only set when the connection started with a PROXY header
  # (i.e. Xray xver 1); it is empty otherwise
  log_format main '[$time_local] $proxy_protocol_addr "$http_referer" "$http_user_agent"';
  access_log /var/log/nginx/access.log main;
  # Standard WebSocket upgrade map
  map $http_upgrade $connection_upgrade {
    default upgrade;
    "" close;
  }
  # Builds the "for=" element of an RFC 7239 Forwarded header from the PROXY-protocol client address
  map $proxy_protocol_addr $proxy_forwarded_elem {
    # IPv4 as-is
    ~^[0-9.]+$ "for=$proxy_protocol_addr";
    # IPv6 quoted and bracketed
    ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
    default "for=unknown";
  }
  # Append to an incoming Forwarded header only if it matches the RFC 7239 grammar;
  # a malformed incoming header is dropped and a fresh one is started
  map $http_forwarded $proxy_add_forwarded {
    "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
    default "$proxy_forwarded_elem";
  }
  # server {
  #   listen 80;
  #   listen [::]:80;
  #   return 301 https://$host$request_uri;
  # }
  # Catch-all on 127.0.0.1:8001: a TLS ClientHello whose SNI matches no server_name below has its
  # handshake rejected instead of being answered with the real certificate
  server {
    listen 127.0.0.1:8001 ssl default_server;
    ssl_reject_handshake on;
    ssl_session_timeout 1h;
    ssl_session_cache shared:SSL:10m;
    ssl_early_data on;
  }
  server {
    # "proxy_protocol" makes nginx wait for a PROXY header at the start of EVERY connection on this
    # socket. Xray sends one only when realitySettings.xver is 1; with xver 0 (as posted) nginx waits
    # until it times out -- the "(110: Connection timed out) while reading PROXY protocol" error
    listen 127.0.0.1:8001 ssl proxy_protocol;
    # nginx 1.25+ syntax; older versions take "http2" on the listen line instead
    http2 on;
    # Trust the PROXY-supplied client address only when the TCP peer is loopback, i.e. Xray
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
    # placeholder as posted; must match the serverNames in the Xray config
    server_name MY OWN DOMAIN;
    ssl_certificate /etc/ssl/private/fullchain.cer;
    ssl_certificate_key /etc/ssl/private/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # The TLS 1.2 suites here are ECDSA-only, so an RSA certificate would leave TLS 1.2 with no usable
    # cipher. NOTE(review): the TLS13_* names are not OpenSSL cipher names and are presumably ignored
    # by it (OpenSSL takes TLS 1.3 suites via a Ciphersuites setting) -- confirm against the build
    ssl_ciphers TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
    ssl_session_tickets on;
    # OCSP stapling needs the resolver below to reach the CA's responder
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 valid=60s;
    resolver_timeout 2s;
    location / {
      # Rewrite the upstream hostname to ours in response bodies so links stay on this domain
      sub_filter $proxy_host $host;
      sub_filter_once off;
      # Site that plain visits to the domain are shown
      set $website www.samsung.com;
      proxy_pass https://$website;
      # Overrides the server-level resolver for this location (no valid=, so DNS TTLs apply)
      resolver 1.1.1.1;
      proxy_set_header Host $proxy_host;
      proxy_http_version 1.1;
      proxy_cache_bypass $http_upgrade;
      # Send SNI to the upstream
      proxy_ssl_server_name on;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      # Client address from the PROXY header; empty when xver is 0
      proxy_set_header X-Real-IP $proxy_protocol_addr;
      proxy_set_header Forwarded $proxy_add_forwarded;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Port $server_port;
      proxy_connect_timeout 60s;
      proxy_send_timeout 60s;
      proxy_read_timeout 60s;
      # NOTE(review): ssl_early_data on is set only in the default_server block above -- confirm it
      # applies to this server before relying on $ssl_early_data here
      proxy_set_header Early-Data $ssl_early_data;
    }
  }
}
"xver":0,
You are using 0 for this parameter; if you use 0, you need to remove this from the nginx configuration:
listen 127.0.0.1:8001 ssl proxy_protocol;
proxy_protocol;
Either remove this parameter, or set xver to 1 and keep it. It lets nginx log the visitor's real IP address for normal access to your domain name. If you use 0 for xver and don't use this parameter in nginx, the visitor's IP address will be logged as 127.0.0.1.
With xver 1, proxy_protocol must be present on the listen line.
With xver 0, proxy_protocol must not be present.
Otherwise xray and nginx access will fail.
http2 on;
This way of writing requires nginx 1.25 or newer; I use it myself. The example uses the previous way of writing, and nginx will print a notice about it when it starts.
I've looked at the rest of your Xray and nginx configurations and they should be fine; modify them and test.
Or you refer to my configuration.
Yes, I forgot to change "xver" back to 1 after I was testing whether that part was causing the issue.
And something else: now my client connects but it's not working. I can ping my VPS IP.
i get this
client timed out (110: Connection timed out) while SSL handshaking, client: 127.0.0.1, server: 127.0.0.1:8001
and on xray
2023/09/24 13:02:16 [Info] transport/internet/tcp: REALITY: processed invalid connection
do you have any idea why its not working?
I have a few test ideas:
Let's say you've purchased a domain name from a website that resolves your domain name "MY OWN DOMAIN" to the IP address of your VPS. The resolution is already working. If you type your domain name into your browser, it should show you the content of the reverse proxy site in your nginx configuration.
If this is normal, it means that the dest to nginx configuration part of the xray configuration is correct.
If that is normal but the client still cannot connect to the server, check that the following parameters match between Xray's client and server configuration:
Whether the generated public key and private key correspond to fill in correctly.
Whether the short ID corresponds to the same.
If the address in the client configuration is the IP of the VPS, whether the server name is correctly set to your domain name.
If you use a non-Xray-core client, I'd recommend that you don't use the
"minClientVer": "1.8.0",
"maxClientVer": "",
parameters, to avoid problems whose cause you can't identify.
"maxTimeDiff":0, — this parameter is usually left out or written as 0; both mean it is not enabled, and I never use it.
OK, I recreated another VPS with a new IP, set up plain nginx, pointed my domain to the VPS IP, and everything works without any problem.
But after I set up my Xray and nginx based on your config again, I get
REALITY: processed invalid connection
from xray and this time with new error and old error from nginx
client sent frame with unknown type 32 while processing HTTP/2 connection, client: 127.0.0.1, server: 127.0.0.1:8001
client timed out (110: Connection timed out) while processing HTTP/2 connection, client: 127.0.0.1, server: 127.0.0.1:8001
client timed out (110: Connection timed out) while SSL handshaking, client: 127.0.0.1, server: 127.0.0.1:8001
I removed those sections as you recommended. I put my IP address in the client config and get the same error, and with my domain name in the client config I still get the same thing.
UUID and shortid and private and public key are correct in their place in my configs
What you mean is that after you change your own configuration, the client can access those proxied websites normally, right?
But you can't get the client to connect with my configuration. If that's the case, and you have also checked those REALITY factors (possible causes), I can't give any further suggestion; you still need to double-check it yourself.