Conversation

Meo597 (Contributor) commented Mar 26, 2025

English: https://xtls.github.io/en/config/transport.html#streamsettingsobject

Russian: https://xtls.github.io/ru/config/transport.html#streamsettingsobject


Now the mjj folks on the kiddie forum no longer have to worry that REALITY stealing from CF will turn their little VPS into someone else's preferred node and get their traffic stolen!

Warning
For REALITY, best practice is always to steal a certificate from the same ASN, so you most likely will not need this feature; only when you have no choice but to steal the certificate of a free CDN like Cloudflare, that cyber-philanthropist, should you consider enabling it, to keep your server from becoming someone else's acceleration node.

Fallback rate limiting is a fingerprint; enabling it is not recommended. If you are a panel / one-click script developer, make sure these parameters are randomized.

Technical details
Principle: for every fallback connection that fails verification, the rate-limiting algorithm is switched on once afterBytes bytes have been transferred.
Rate limiting uses a token bucket: the bucket capacity is burstBytesPerSec, each byte transferred consumes one token, and the bucket starts full (burstBytesPerSec tokens).
Every second the bucket is refilled with bytesPerSec tokens, until it is full.

Recommended configuration
An afterBytes or burstBytesPerSec that is too large will not limit anything; a bytesPerSec or burstBytesPerSec that is too small is very easy to probe.
Set the parameters sensibly relative to the size of the resources on the stolen site; if bursts should not be allowed, set burstBytesPerSec to 0.

Example configuration

  • Limit user download: the first 10MB + 2MB unthrottled, then 256KB/s
    If the download pauses for a while and resumes, it can burst to 2MB/s again before settling back to 256KB/s

  • Limit user upload: 64KB/s

{
  "inbounds": [
    // server-side REALITY inbound
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      // other inbound settings omitted...
      "streamSettings": {
        "network": "raw",
        "security": "reality",
        "realitySettings": {
          "dest": "www.yahoo.com:443",
          "serverNames": ["www.yahoo.com"],
          // other REALITY settings omitted...

          // rate-limit fallback connections that fail verification (upload)
          "limitFallbackUpload": {
            "afterBytes": 0, // start limiting after this many bytes have been transferred
            "bytesPerSec": 65536, // base rate (bytes/sec)
            "burstBytesPerSec": 0 // burst rate (bytes/sec), takes effect when greater than bytesPerSec
          },

          // rate-limit fallback connections that fail verification (download)
          "limitFallbackDownload": {
            "afterBytes": 10485760, // start limiting after this many bytes have been transferred
            "bytesPerSec": 262144, // base rate (bytes/sec)
            "burstBytesPerSec": 2097152 // burst rate (bytes/sec), takes effect when greater than bytesPerSec
          }
        }
      }
    }
  ]
}
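To make the "Technical details" and "Recommended configuration" sections above concrete, here is an added Go model of the described token bucket (example code written for this page, not Xray-core's or XTLS/REALITY's implementation). It takes the three config keys (afterBytes, bytesPerSec, burstBytesPerSec), runs on a caller-supplied clock in seconds so the behaviour is deterministic, and assumes that the effective bucket size is max(burstBytesPerSec, bytesPerSec), which is how "takes effect when greater than bytesPerSec" and "set burstBytesPerSec to 0 for no burst" are read here. The names FallbackLimiter, Grant and Timeline are the example's own.

```go
package main

import "fmt"

// FallbackLimiter is an added model (not Xray-core's code) of the per-connection
// limit described in the PR: bytes up to afterBytes pass unthrottled; after that
// every byte costs one token from a bucket that starts full and is refilled at
// bytesPerSec tokens per second.
type FallbackLimiter struct {
	afterBytes  int64
	bytesPerSec int64
	capacity    int64 // assumption: max(burstBytesPerSec, bytesPerSec), so burst=0 means "no burst"

	transferred int64   // bytes granted so far, including the unthrottled prefix
	tokens      float64 // tokens currently in the bucket
	lastNow     float64 // simulated clock (seconds) at the last refill
}

// NewFallbackLimiter mirrors the three keys of limitFallbackUpload/Download.
func NewFallbackLimiter(afterBytes, bytesPerSec, burstBytesPerSec int64) *FallbackLimiter {
	capacity := burstBytesPerSec
	if capacity < bytesPerSec {
		capacity = bytesPerSec // burst only "takes effect when greater than bytesPerSec"
	}
	return &FallbackLimiter{
		afterBytes:  afterBytes,
		bytesPerSec: bytesPerSec,
		capacity:    capacity,
		tokens:      float64(capacity), // the bucket starts full
	}
}

// Grant returns how many of the n bytes requested at time now (seconds on the
// caller's clock) may be forwarded immediately. Whatever is not granted has to
// be retried later, which is what yields the steady bytesPerSec rate.
func (l *FallbackLimiter) Grant(now float64, n int64) int64 {
	if n <= 0 {
		return 0
	}
	// Refill for the time elapsed since the last call, capped at capacity.
	if now > l.lastNow {
		l.tokens += (now - l.lastNow) * float64(l.bytesPerSec)
		if l.tokens > float64(l.capacity) {
			l.tokens = float64(l.capacity)
		}
		l.lastNow = now
	}
	var granted int64
	// Unthrottled prefix: the first afterBytes bytes bypass the bucket entirely.
	if l.transferred < l.afterBytes {
		free := l.afterBytes - l.transferred
		if free > n {
			free = n
		}
		granted += free
		n -= free
	}
	// Throttled part: one token per byte, never more than the bucket holds.
	if n > 0 {
		allowed := int64(l.tokens)
		if allowed > n {
			allowed = n
		}
		l.tokens -= float64(allowed)
		granted += allowed
	}
	l.transferred += granted
	return granted
}

// Timeline drives a greedy sender that asks for want bytes at each of the given
// times and returns what the limiter granted at each step.
func Timeline(l *FallbackLimiter, want int64, times []float64) []int64 {
	out := make([]int64, len(times))
	for i, t := range times {
		out[i] = l.Grant(t, want)
	}
	return out
}

func main() {
	// The PR's download example: 10 MB + 2 MB unthrottled, then 256 KB/s,
	// and a fresh 2 MB burst after a 10-second pause (steps at t=0,1,2,12,13).
	dl := NewFallbackLimiter(10485760, 262144, 2097152)
	for i, g := range Timeline(dl, 100<<20, []float64{0, 1, 2, 12, 13}) {
		fmt.Printf("download step %d: %d bytes granted\n", i, g)
	}
	// The PR's upload example: 64 KB/s from the first byte, no burst.
	ul := NewFallbackLimiter(0, 65536, 0)
	for i, g := range Timeline(ul, 1<<20, []float64{0, 0.5, 1}) {
		fmt.Printf("upload step %d: %d bytes granted\n", i, g)
	}
}
```

Running it shows the shape the example configuration promises: the download limiter grants 10485760 + 2097152 bytes at once, then 262144 per second, and after the pause the bucket has refilled to its 2097152-byte capacity (not the 2621440 that ten seconds of refill would otherwise add). The upload limiter with burstBytesPerSec 0 never grants more than 65536 bytes at a time, and a request half a second later gets exactly 32768, so the steady rate is what an observer sees from the very first byte, which is the fingerprint the warning above is about.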

Fangliding (Member) commented:

And then the panel scripts will just fill in whatever high or low default values, and lots of REALITY instances will have a rate-limiting fingerprint. If it is a man in the middle, they can also observe in passing that other people get a speed higher than active probing gets, for long stretches of time.

Meo597 (Contributor, Author) commented Mar 26, 2025

For probing to trigger the rate limit takes time and bandwidth.
For reasonable parameters to be detected, the GFW would have to CC-attack every target indiscriminately.

Random jitter could also be added to the rate.


I just picked a few sites that could be stolen at random: the small ones are 2MB, and even image-heavy ones are no more than 30MB.
If you worry that too large a burst will not limit anything,
you can also add limitUp/DownloadAfter, randomize it, and only then start limiting.
Just added it; untested, but it looks fine by eye.


As for the man in the middle, that has nothing to do with rate limiting.
If there really were an indiscriminate MITM on everyone,
they would know you are climbing the ladder without probing the rate limit at all.

RPRX (Member) commented Mar 29, 2025

I plan to merge this feature after the REALITY post-quantum update, because among servers that currently support post-quantum, CF accounts for the most? The OpenSSL that Nginx uses only just merged it.

As for introducing a rate-limit fingerprint: it will be documented, but even if it were not, it is too obvious; anyone should be able to work it out themselves, so this is a use-at-your-own-risk matter.

Meo597 (Contributor, Author) commented Mar 29, 2025

I feel the fingerprint side is fine, because:

  • After all, he is already stealing from a CDN, the ASN is not even in the same range; it is known to be REALITY without any probing
  • With the same ASN, the site owner has no reason to turn around and use REALITY as an edge; the traffic runs the same either way, why bother

If nothing else works, a later PR can add a parameter for random fluctuation

RPRX (Member) commented Mar 29, 2025

Anyway, stealing from a CDN is use-at-your-own-risk, and if you do not steal from a CDN you do not need this rate limiting either. It does need to be documented so panel scripts do not blindly set default values.

Fangliding (Member) commented:

Took a look, that is a lot of options; I feel a downstream rate limit is enough.

Meo597 (Contributor, Author) commented Mar 31, 2025

after and burst are there to evade probing, hence 3 parameters.
Both upstream and downstream can be abused, hence x2.

nginx also uses six parameters for rate limiting, and the current behaviour is exactly the same as nginx's.
Or do you have a better idea?

Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 6d2b816 to 4cde0ed on March 31, 2025 13:38
Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 4cde0ed to 99118bc on April 12, 2025 10:47
intmain0 commented:

This feature should not be limited to REALITY; other inbound protocols need it too.

RPRX (Member) commented Apr 28, 2025

It has not been merged because XTLS/REALITY#12 cannot be merged yet; the XTLS/REALITY@e26ae23 it is based on seems to have problems, @yuhan6665

For now the REALITY code can only take new code after the Go 1.24 changes have been followed up.

RPRX (Member) commented Apr 28, 2025

github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d

For example, the REALITY that Xray-core uses is not XTLS/REALITY@e26ae23; earlier @yuhan6665 seems to have upgraded to that version and then reverted

Adding the post-quantum update to REALITY is not hard; the trouble is syncing with Go 1.24, with boring and internal all over the place. Golang's TLS library is really annoyingly written, I do not know where they learned that; I am even thinking of just forking uTLS for REALITY, but if VLESS encryption is to be post-quantum it seems internal would have to be exposed? Still to be investigated

yuhan6665 (Member) commented:

At the time I think v2rayng could not use the new Go version; it should be fine now

RPRX (Member) commented Apr 28, 2025

@yuhan6665 do you have time to sync Go 1.24? I really do not want to do this one

yuhan6665 (Member) commented:

> @yuhan6665 do you have time to sync Go 1.24? I really do not want to do this one

Alright, I will try to update reality to the latest when I have time

Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 99118bc to 0ff1466 on May 10, 2025 00:36
yuhan6665 (Member) commented:

> @yuhan6665 do you have time to sync Go 1.24? I really do not want to do this one

XTLS/REALITY#14

Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 0ff1466 to 4f2d3ec on May 14, 2025 20:48
Meo597 (Contributor, Author) commented May 14, 2025

@yuhan6665 @RPRX

The XTLS/REALITY tests are failing, only on macOS.

I tried stripping this PR out; with REALITY and core both at latest I get the same result

See: https://github.com/Meo597/Xray-core/actions/runs/15030945205/job/42243080029


=== RUN   TestVlessXtlsVisionReality
Xray 25.4.30 (Xray, Penetrates Everything.) Custom (go1.24.3 darwin/arm64)
A unified platform for anti-censorship.
2025/05/14 21:03:21.070922 [Debug] app/log: Logger started
2025/05/14 21:03:21.071033 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:58205
2025/05/14 21:03:21.071042 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:58205
Warning: 4 21:03:21.071044 [Warning] core: Xray 25.4.30 started
Xray 25.4.30 (Xray, Penetrates Everything.) Custom (go1.24.3 darwin/arm64)
A unified platform for anti-censorship.
2025/05/14 21:03:21.076927 [Debug] app/log: Logger started
2025/05/14 21:03:21.077045 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:58206
2025/05/14 21:03:21.077165 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:58206
Warning: 4 21:03:21.077168 [Warning] core: Xray 25.4.30 started
2025/05/14 21:03:23.078362 [Debug] [3650243354] proxy/dokodemo: processing connection from: 127.0.0.1:58207
2025/05/14 21:03:23.078436 [Info] [3650243354] proxy/dokodemo: received request for 127.0.0.1:58207
2025/05/14 21:03:23.078466 [Info] [3650243354] app/dispatcher: default route for tcp:127.0.0.1:58204
2025/05/14 21:03:23.078485 [Info] [3650243354] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:58205
2025/05/14 21:03:23.078830 [Debug] [3650243354] transport/internet: dialing to tcp:127.0.0.1:58205
REALITY remoteAddr: 127.0.0.1:58208
2025/05/14 21:03:23.080876 [Info] [3650243354] transport/internet/reality: REALITY localAddr: 127.0.0.1:58208	hello.SessionId[:16]: [25 4 30 0 104 37 5 27 1 35 69 103 137 171 205 239]

2025/05/14 21:03:23.080950 [Info] [3650243354] transport/internet/reality: REALITY localAddr: 127.0.0.1:58208	uConn.AuthKey[:16]: [204 238 135 162 160 161 66 217 225 50 74 121 191 110 174 79]	AEAD: *gcm.GCM

REALITY remoteAddr: 127.0.0.1:58208	hs.c.AuthKey[:16]: [204 238 135 162 160 161 66 217 225 50 74 121 191 110 174 79]	AEAD: *chacha20poly1305.chacha20poly1305
REALITY remoteAddr: 127.0.0.1:58208	hs.c.conn == conn: false
REALITY remoteAddr: 127.0.0.1:58208	forwarded SNI: www.google.com
panic: runtime error: index out of range [8] with length 0

goroutine 20 [running]:
github.com/xtls/xray-core/transport/internet/reality.UClient({0x101f92ad8, 0x1400028c070}, 0x140000feb00, {0x101f8b500, 0x140003343c0}, {{0x101f8b650?, 0x14000306148?}, 0x2?, 0x0?})
	/Users/runner/work/Xray-core/Xray-core/transport/internet/reality/reality.go:256 +0xf48
github.com/xtls/xray-core/transport/internet/tcp.Dial({0x101f8b500, 0x140003343c0}, {{0x101f8b650, 0x14000306148}, 0xe35d, 0x2}, 0x14000301aa0)
	/Users/runner/work/Xray-core/Xray-core/transport/internet/tcp/dialer.go:90 +0x15c
github.com/xtls/xray-core/transport/internet.Dial({0x101f8b500, 0x140003343c0}, {{0x101f8b650?, 0x14000306148?}, 0x6148?, 0x140?}, 0x0?)
	/Users/runner/work/Xray-core/Xray-core/transport/internet/dialer.go:64 +0x14c
github.com/xtls/xray-core/app/proxyman/outbound.(*Handler).Dial(0x14000271700, {0x101f8b500, 0x140003343c0}, {{0x101f8b650, 0x14000306148}, 0xe35d, 0x2})
	/Users/runner/work/Xray-core/Xray-core/app/proxyman/outbound/handler.go:316 +0x988
github.com/xtls/xray-core/proxy/vless/outbound.(*Handler).Process.func1()
	/Users/runner/work/Xray-core/Xray-core/proxy/vless/outbound/outbound.go:84 +0xac
github.com/xtls/xray-core/common/retry.(*retryer).On(0x14000131d28, 0x14000131d48)
	/Users/runner/work/Xray-core/Xray-core/common/retry/retry.go:27 +0xbc
github.com/xtls/xray-core/proxy/vless/outbound.(*Handler).Process(0x14000334cf0, {0x101f8b500, 0x140003343c0}, 0x1400027a120, {0x101f88970, 0x14000271700})
	/Users/runner/work/Xray-core/Xray-core/proxy/vless/outbound/outbound.go:81 +0x19c
github.com/xtls/xray-core/app/proxyman/outbound.(*Handler).Dispatch(0x14000271700, {0x101f8b500, 0x140003343c0}, 0x1400027a120)
	/Users/runner/work/Xray-core/Xray-core/app/proxyman/outbound/handler.go:211 +0x3a0
github.com/xtls/xray-core/app/dispatcher.(*DefaultDispatcher).routedDispatch(0x140001fff20, {0x101f8b500, 0x140003343c0}, 0x1400027a120, {{0x101f8b650, 0x140003060a0}, 0xe35c, 0x2})
	/Users/runner/work/Xray-core/Xray-core/app/dispatcher/default.go:486 +0xaa0
created by github.com/xtls/xray-core/app/dispatcher.(*DefaultDispatcher).Dispatch in goroutine 19
	/Users/runner/work/Xray-core/Xray-core/app/dispatcher/default.go:266 +0x4a4
testConn finishes: 151 ms	 read tcp 127.0.0.1:58207->127.0.0.1:58206: read: connection reset by peer 	Alloc = 472.58MB 	TotalAlloc = 5.87GB 	Sys = 1.51GB 	NumGC = 35
    vless_test.go:509: read tcp 127.0.0.1:58207->127.0.0.1:58206: read: connection reset by peer
2025/05/14 21:03:23.230340 [Info] Closing all servers.
2025/05/14 21:03:23.230475 [Debug] app/log: Logger closing
Failed accept TCP connection: accept tcp 127.0.0.1:58204: use of closed network connection
--- FAIL: TestVlessXtlsVisionReality (2.18s)

RPRX (Member) commented May 16, 2025

09d84c4 fixed it, just rebase

Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 4f2d3ec to 14af429 on May 16, 2025 21:36
Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 14af429 to 68c3ee6 on June 7, 2025 12:10
Meo597 force-pushed the feature-reality-fallback-ratelimit branch from 6af1a61 to 461526a on June 8, 2025 12:51
RPRX (Member) commented Jun 8, 2025

Fix the few issues above and it should be fine

RPRX merged commit 18ab291 into XTLS:main on Jun 8, 2025
38 of 39 checks passed
Meo597 deleted the feature-reality-fallback-ratelimit branch on June 8, 2025 14:24
RPRX (Member) commented Jun 10, 2025

I put a link to this PR in the release notes; please update the "Technical details" and "Example configuration"

Meo597 (Contributor, Author) commented Jun 10, 2025

ok

RPRX (Member) commented Jun 10, 2025

@Meo597 in your new example configuration, limitFallbackUpload's bytesPerSec is 0, which does not match the description

RPRX (Member) commented Jun 10, 2025

@Meo597 you probably meant to put 65536 into bytesPerSec but put it into afterBytes instead

Meo597 (Contributor, Author) commented Jun 10, 2025

> @Meo597 you probably meant to put 65536 into bytesPerSec but put it into afterBytes instead

Sharp-eyed as always

Fixed

Should the release notes mention the docker breaking changes?
#4738

RPRX (Member) commented Jun 10, 2025

Xray-core releases get several hundred thousand downloads a month, while the docker image gets only a few thousand pulls a month; why mention 1%

The units in your example configuration are still wrong: Byte and bit are different. Either write kB, or multiply by 10 to roughly convert to kb; the extra 2 accounts for TCP headers and other overhead

Meo597 (Contributor, Author) commented Jun 10, 2025

ok

RPRX (Member) commented Jun 10, 2025

Counted the release notes, only nine links, so out of OCD I added the docker one

By the way, I have always wanted to ask: is there any need to run as non-root inside docker? And what is that -usa thing

RPRX (Member) commented Jun 10, 2025

Also, the docker image history is too messy; is there a script that can purge everything except v25.6.8

Meo597 (Contributor, Author) commented Jun 10, 2025

Not all users configure the docker engine as rootless with uid remapping; if docker gets hit by a 0day, an escape could harm the host.
Anyway, following the principle of least privilege, it should run as non-root; most well-known images do it that way.

Many cloud-native projects use distroless, chainguard and other "distro-less" bases for the final layer;
inside there are only CA certs and timezone data, nothing else, not even a shell.


As for -usa, that is a thing made to support legacy architectures; do not worry about it.
If OCD demands it I can open another PR to find a way to remove it.

It exists because distroless by default does not support some legacy architectures;
I did some compatibility work here and had to create this tag.
In the end the -usa ones were all merged into latest.


Deleting historical images needs a script; there is no ready-made one.
And they do not let you delete ones with high download counts.
Or consider deleting the whole package and triggering one more image build.

I noticed your OCD long ago

RPRX (Member) commented Jun 10, 2025

Help write a script to delete everything except v25.6.8

They should not forbid deleting ones with high download counts, right

Meo597 (Contributor, Author) commented Jun 10, 2025

> They should not forbid deleting ones with high download counts, right

https://docs.github.com/zh/packages/learn-github-packages/deleting-and-restoring-a-package

> A specific version of a public package (if the package version has no more than 5,000 downloads)
> If any version of the package has more than 5,000 downloads, the public package cannot be deleted. In that case, contact us through the GitHub Support portal for further assistance.


> Help write a script to delete everything except v25.6.8

OK, I will write it in the next couple of days


Does usa need to be killed off?

RPRX (Member) commented Jun 10, 2025

If it has been merged into latest, then stop pushing -usa

RPRX (Member) commented Jun 10, 2025

> A specific version of a public package (if the package version has no more than 5,000 downloads)

That is it then, many packages are past 5000

Meo597 (Contributor, Author) commented Jun 10, 2025

> If it has been merged into latest, then stop pushing -usa

Because it uses github actions, it gets pushed automatically after the build.
Pure shell would simplify things a lot.
GitHub just loves making simple things extremely complicated so that once you are on their whole suite you cannot leave.

I will find a way to optimize docker.yml.
In any case the images being built now should be fine.

Meo597 (Contributor, Author) commented Jun 11, 2025

> If it has been merged into latest, then stop pushing -usa

The -usa tag is gone
#4809


> Also, the docker image history is too messy; is there a script that can purge everything except v25.6.8

I looked; there are close to ten thousand versions, and with the API rate limits deleting them would take forever. Better to file a support ticket and delete the whole package.

maoxikun pushed a commit to maoxikun/Xray-core that referenced this pull request Aug 23, 2025

5 participants