From 64ed5937c0d73a5c1822cd4bc78a39a245d56086 Mon Sep 17 00:00:00 2001
From: Lan Tian
Date: Sun, 5 Jan 2025 00:23:17 -0800
Subject: [PATCH] v2ray: switch to xhttp

---
 nixos/client-apps/v2ray.nix | 80 +++++++++++++------
 .../nginx/vhost-options/location-options.nix | 32 +++++++-
 .../nginx/vhost-options/vhost-options.nix | 3 +-
 nixos/server-apps/v2ray.nix | 11 +-
 4 files changed, 92 insertions(+), 34 deletions(-)

diff --git a/nixos/client-apps/v2ray.nix b/nixos/client-apps/v2ray.nix
index df99bdc7..9be003cb 100644
--- a/nixos/client-apps/v2ray.nix
+++ b/nixos/client-apps/v2ray.nix
@@ -29,6 +29,58 @@ let
 loglevel = "warning";
 };
 outbounds = [
+ {
+ protocol = "vless";
+ settings.vnext = [
+ {
+ address = LT.hosts."bwg-lax".public.IPv4;
+ port = 443;
+ users = [
+ {
+ id = {
+ _secret = config.age.secrets.v2ray-key.path;
+ };
+ encryption = "none";
+ }
+ ];
+ }
+ ];
+ streamSettings =
+ let
+ network = "xhttp";
+ security = "tls";
+ tlsSettings = {
+ serverName = "lantian.pub";
+ fingerprint = "firefox";
+ };
+ xhttpSettings = {
+ host = "lantian.pub";
+ path = "/ray";
+ xmux = {
+ maxConcurrency = 128;
+ hMaxRequestTimes = 86400;
+ hMaxReusableSecs = 86400;
+ };
+ };
+ in
+ {
+ inherit network security tlsSettings;
+ xhttpSettings = xhttpSettings // {
+ mode = "stream-up";
+ downloadSettings = {
+ address = LT.hosts."bwg-lax".public.IPv4;
+ port = 443;
+ inherit
+ network
+ security
+ tlsSettings
+ xhttpSettings
+ ;
+ };
+ };
+ };
+ tag = "proxy";
+ }
 {
 protocol = "freedom";
 settings.domainStrategy = "UseIPv4";
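Review bot: The `inherit … xhttpSettings ;` inside `downloadSettings` re-binds the let-bound `xhttpSettings` (host, path, xmux), not the attribute being defined two lines above it, so the download leg carries no `mode`; that may be intended, but the name shadowing invites misreading, and a comment such as `# let-bound xhttpSettings: download leg gets host/path/xmux, not mode` would settle it. The literal `"lantian.pub"` is spelled twice, once as TLS `serverName` and once as the xhttp `host`; binding it once in the `let` keeps SNI and the Host header from drifting apart, and a mismatch between those two is exactly the kind of inconsistency a TLS-inspecting middlebox keys on. The outbound list and the enclosing `let` begin before this hunk.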
@@ -39,30 +91,6 @@ let
 settings.response.type = "none";
 tag = "blackhole";
 }
- {
- protocol = "trojan";
- settings.servers = [
- {
- address = LT.hosts."bwg-lax".public.IPv4;
- port = 443;
- password = {
- _secret = config.age.secrets.v2ray-key.path;
- };
- }
- ];
- streamSettings = {
- network = "httpupgrade";
- security = "tls";
- tlsSettings = {
- serverName = "lantian.pub";
- fingerprint = "firefox";
- };
- httpupgradeSettings = {
- path = "/ray?ed=2560";
- };
- };
- tag = "proxy";
- }
 ];
 policy.levels."0" = {
 connIdle = 86400;
@@ -80,12 +108,12 @@ let
 }
 {
 domain = [ "geosite:cn" ];
- outboundTag = "proxy";
+ outboundTag = "direct";
 type = "field";
 }
 {
 ip = [ "geoip:cn" ];
- outboundTag = "proxy";
+ outboundTag = "direct";
 type = "field";
 }
 ];
diff --git a/nixos/common-apps/nginx/vhost-options/location-options.nix b/nixos/common-apps/nginx/vhost-options/location-options.nix
index 566c229b..8f1659c1 100644
--- a/nixos/common-apps/nginx/vhost-options/location-options.nix
+++ b/nixos/common-apps/nginx/vhost-options/location-options.nix
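Review bot: Both rules now point at an outbound tagged `direct`, but no outbound with that tag is visible in this patch — the freedom outbound's `tag` line falls outside the first hunk — so it is worth confirming one exists, because as far as I recall Xray routes a rule whose `outboundTag` matches nothing to the default (first) outbound, which after this patch is the `proxy`, and the intended bypass would silently not happen. A comment on the rules would record the intent, e.g. `# CN destinations bypass the tunnel; everything else falls through to the default outbound`. Note also that the `geoip:cn` rule can only match once the destination is an IP, so unless the routing `domainStrategy` (not shown here) resolves names, connections made by hostname and not covered by `geosite:cn` are decided by the default outbound alone.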
@@ -78,6 +78,28 @@ let
 proxy_redirect off;
 chunked_transfer_encoding off;
 '')
+ + (lib.optionalString (config.grpcPass != null) ''
+ grpc_pass ${config.grpcPass};
+
+ grpc_set_header Host ${
+ if config.proxyOverrideHost != null then config.proxyOverrideHost else "$host"
+ };
+ grpc_set_header X-Real-IP ${if config.proxyHideIP then "127.0.0.1" else "$remote_addr"};
+ grpc_set_header X-Forwarded-For ${if config.proxyHideIP then "127.0.0.1" else "$remote_addr"};
+ grpc_set_header X-Forwarded-Host $host:${LT.portStr.HTTPS};
+ grpc_set_header X-Forwarded-Proto $scheme;
+ grpc_set_header X-Forwarded-Server $host;
+ grpc_set_header X-Scheme $scheme;
+ grpc_set_header X-Original-URI $request_uri;
+
+ grpc_set_header LT-SSL-Cipher $ssl_cipher;
+ grpc_set_header LT-SSL-Ciphers $ssl_ciphers;
+ grpc_set_header LT-SSL-Curves $ssl_curves;
+ grpc_set_header LT-SSL-Protocol $ssl_protocol;
+ grpc_set_header LT-SSL-Early-Data $ssl_early_data;
+ # Compatibility with common recommendations
+ grpc_set_header Early-Data $ssl_early_data;
+ '')
 + (lib.optionalString config.proxyWebsockets ''
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
@@ -88,7 +110,7 @@ let
 client_body_timeout 52w;
 client_max_body_size 0;
 grpc_read_timeout 52w;
- grpc_set_header X-Real-IP $remote_addr;
+ grpc_send_timeout 52w;
 keepalive_timeout 52w;
 proxy_connect_timeout 60;
 proxy_read_timeout 52w;
@@ -180,6 +202,14 @@ in
 recommendedProxySettings is enabled.
 '';
 };
+ grpcPass = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ example = "http://www.example.org/";
+ description = ''
+ Adds grpc_pass directive and sets recommended proxy headers.
+ '';
+ };
 proxyOverrideHost = lib.mkOption {
 type = lib.types.nullOr lib.types.str;
 default = null;
diff --git a/nixos/common-apps/nginx/vhost-options/vhost-options.nix b/nixos/common-apps/nginx/vhost-options/vhost-options.nix
index fa06e4d3..3f079e24 100644
--- a/nixos/common-apps/nginx/vhost-options/vhost-options.nix
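Review bot: The header list in the new `grpcPass` branch looks like a copy of the `proxy_set_header` list of the `proxyPass` branch (only that branch's tail, `proxy_redirect off;`, is visible here), which means the two will drift the next time a forwarded header is added or a value such as the `proxyHideIP` placeholder changes; rendering one header set through either `proxy_set_header` or `grpc_set_header` from a shared list would keep them in lock step. If the lists stay separate, the minimum is a comment on the first `grpc_set_header` line: `# keep in sync with the proxy_set_header list in the proxyPass branch above`. One thing worth calling out rather than leaving implicit: `X-Forwarded-For` is overwritten with `$remote_addr` instead of being appended via `$proxy_add_x_forwarded_for`, which is the safer choice against client-supplied spoofed headers and deserves a one-line comment saying that it is deliberate.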
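Review bot: The `example` for `grpcPass`, `"http://www.example.org/"`, is copied from `proxyPass` and is not a valid `grpc_pass` argument — nginx takes a host:port, a `unix:` socket, or the `grpc://`/`grpcs://` schemes, not `http://`; since the only in-tree use is `unix:/run/v2ray/v2ray.sock`, `example = "grpc://127.0.0.1:50051";` (or the unix form) would be accurate. Nothing stops a location from setting both `grpcPass` and `proxyPass`, and as far as I know nginx does not flag that case — whichever handler directive is registered last simply wins — so an `assertion` that the two are not both non-null would turn a silent misrouting into a clear evaluation error. The description could also state what "recommended proxy headers" means concretely (Host, X-Real-IP, X-Forwarded-*, LT-SSL-*), as that is what a caller needs to know when the upstream trusts those values.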
+++ b/nixos/common-apps/nginx/vhost-options/vhost-options.nix @@ -67,8 +67,7 @@ let ''; "/ray" = { - proxyPass = "http://unix:/run/v2ray/v2ray.sock"; - proxyWebsockets = true; + grpcPass = "unix:/run/v2ray/v2ray.sock"; proxyNoTimeout = true; extraConfig = '' access_log off; diff --git a/nixos/server-apps/v2ray.nix b/nixos/server-apps/v2ray.nix index 0c924e43..65f09605 100644 --- a/nixos/server-apps/v2ray.nix +++ b/nixos/server-apps/v2ray.nix @@ -12,15 +12,16 @@ let { listen = "/run/v2ray/v2ray.sock"; port = 0; - protocol = "trojan"; + protocol = "vless"; settings = { clients = [ { - password = { + id = { _secret = config.age.secrets.v2ray-key.path; }; } ]; + decryption = "none"; }; sniffing = { destOverride = [ @@ -31,9 +32,9 @@ let enabled = true; }; streamSettings = { - network = "httpupgrade"; - security = "none"; - httpupgradeSettings = { + network = "xhttp"; + xhttpSettings = { + mode = "stream-up"; path = "/ray"; }; };
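Review bot: The `/ray` location now hands a transport that is not gRPC to `grpc_pass`; presumably this is because `proxy_pass` cannot talk h2c upstream and the xhttp listener wants it, but nothing in the file says so, and the next reader will "fix" it back to `proxyPass`. A comment on the `grpcPass` line such as `# xhttp over h2c: nginx can only proxy h2c upstream via grpc_pass` would prevent that regression. Dropping `proxyWebsockets = true;` also stops the `Upgrade`/`Connection` handling from being emitted for this location, which is consistent with an HTTP/2 backend but is a second silent behaviour change worth a word in the commit message. The location body continues past the hunk.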
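Review bot: `id` is fed from the same `v2ray-key` secret that served as the Trojan `password` before this patch, but a VLESS id has a stricter format — Xray accepts a UUID, or (in recent versions, as I recall) a string of at most 30 bytes that it maps onto a UUID, and refuses to start the inbound otherwise; confirm the existing secret satisfies this, since a long random Trojan password would break both this inbound and the client outbound until the secret is rotated. A comment next to `id = {` would save the next rotation: `# VLESS user id: must be a UUID (or a short string Xray maps to one), not a free-form password`. `decryption = "none"` is the only value VLESS takes, and with TLS terminated in nginx the unix socket carries plaintext, so it is worth noting in a comment that the socket's ownership and mode are the trust boundary for this inbound.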