persistent tls with xray-core? #2175
Comments
|
it is recommended to use NGINX reverse proxy along with a camouflage website in conjunction with vless, WebSocket, and TLS protocols., And, include "?ed=2048" to the path in [WebSocket] |
|
Use gRPC |
|
Just use gRPC, and do not change |
|
WSS 的问题已经说过了 #1750 (comment) ,现在伊朗 GFW 还针对连接数,中国 GFW 暂时没针对这个, @yuhan6665 我们需要在文档、模板里,以及 Xray 的配置加载处,标明 WSS 的风险、已弃用,防止小白一上来就配置这个 WSS 曾是比较流行、稳定(不被封)的模式,然而去年底开始已变为高危模式,且并非无替代品。 还有其它一些常见组合的优缺点,padding 等混淆程度,性能、延迟、多路复用,有没有前向安全,有没有被 GFW 稳定识别、封锁等,以后我们也写一下。 |
|
@RPRX yes the Iran GFW on one of the most popular providers ( IR-MCI ) blocks the SNI after a few days when using WS because the number of times the SNI is exposed to GFW while using WS . Now that you have suggested gRPC , I will check it but I heard that they also find the servers using gRPC and block them but I haven't tested myself . Just to know , can GFW figure out if I'm using WS or gRPC or can it only see the high number of SNIs exposed ? In GFW eyes , is the WS traffic different to gRPC traffic in any thing other than the number of TLS handshakes ? what I want to know if that can they block gRPC traffic without hurting the internet experience for everyone? |
ALPN |
so to solve this problem we should use ALPN. Thanks |
|
As for the choice between ALPN http/1.1 and h2, it's recommended not to manually change the ALPN. The specific ALPN negotiation will depend on the configuration and capabilities of your server and client. You can let the gRPC implementation handle the ALPN negotiation automatically. |
From the experience in China, using the WS TLS combination configuration can be easily detected, and the Chinese firewall will block the ports on your server side, but usually not the server's IP. It is necessary to frequently change the port number in your server configuration after it gets blocked. Even when using a free CDN service like Cloudflare, interference from the firewall on Cloudflare's CDN IP is still common. According to the author's viewpoint in the linked article, the author (RPRX) now recommends using the xxx gRPC TLS combination configuration together with Cloudflare's CDN. You can try the combination approach suggested by the author. For this combination approach, I personally use nginx to listen on port 443. You can configure gRPC using Xray/sing-box as the backend. Here is an example configuration for sing-box that you can refer to: https://github.com/chika0801/sing-box-examples/tree/main/VMess. |
Hello Friends ,
I currently use Vless + WS + Cloudflare and my SNI keeps getting blocked by GFW although I'm the only one using the server . I read somewhere that using WS , hundreds of connections are created even for 1 client and each connection exposes SNI to GFW .
I'm not familiar with how xray-core works but is it a way that we can make TLS persistent so only the handshake exposes the SNI once and the rest of the connection works with that 1 tls handshake?
The text was updated successfully, but these errors were encountered: