feat: implement routing based on incoming SNI #5009
Conversation
|
in port in SNI in protocol in xxxxx.... 哎。。。 |
Could you explain pls? |
|
I think adding route-id to vless is better idea. you want to allow the users to choose which server to connect to in the end. but users have to change the sni to connect to another server! these two things are completely independent of each other. Anyway, this is also a solution, but i think the correct way is to add route-id to vless. |
If user go change sni, user stopping be user. Sni provide proxy provider |
So I think this PR should be closed. @RPRX is writing vless-encryption. ask him to write route-id for vless too. |
This feature mostly not for end-users, but for providers. I don't think that routing-id is an option, because it will be break changing for all clients and other client cores. |
|
Anyway, your code is incomplete and does not support Xhttp. |
Could you pls show where we should add it in xhhtp, I can't really find it( |
Xray-core/transport/internet/splithttp/hub.go Lines 286 to 291 in 0cceea7 you need to add So i close this PR, you should add route-id to vless. |
No, i don't think that route-id is good option. It will break all backward compability. |
|
@patterniha could you clarify your previous comment. How in your opinion route-id should work? Seems like there is small misunderstanding for which need this type of routing should be used. In my thought, SNI based routing is firstly for server side config, not user side. In current version, Xray config looks like this: Both inbounds here is completely identical to each other, except TAG. And, for example, end-user will have Xray-JSON subscription with this proxies (example values used)
So user selects from two servers, which already preconfigured. It is called Subscription format, you can use it with Happ, v2rayNG or other apps. And, currently we have no other options that clone inbounds and use other ports for each, which completely break reality security. So, if we will have SNI based routing, we can simplify Xray server config to this: We don't need seconds inbound now, Reality is completely safe and we don't need nginx/haproxy in front of Xray for now. And, Xray-Json subscription will looks like this. Bridge hosts completely identical now, except SNI.
|
Each request can have two incoming-sni or none at all, so your solution is very limited. |
|
@RPRX Hi there, can you please take a look to this PR and discussion? Thanks. |
|
|
|
如果你想通过 SNI 来路由,应当在 TLS/REALITY 那部分代码取出 SNI 存进 ctx,然后由路由读取,这与 VLESS 等协议的代码无关 至于 route-id,创建多个 UUID 并通过邮箱来路由可以实现等价的效果,不过可能要增强下邮箱匹配, |
|
SNI 路由有局限性,route-id 路由要改协议且不适用于其它协议, 我觉得最好的方式是,比如为同一个邮箱创建两个 UUID,然后仅服务端加一个 route-id,然后路由加个匹配 @patterniha |
|
@patterniha 你可以先改 VMess 等其它协议的试一下,VLESS 的等我合了加密你再 rebase, |
|
那不就是email路由么 |
|
不是,email 相同,UUID 不同,流量直接统计到同一个用户,仅服务端多加个 route-id 字段,不需要改协议 |
"clients": [
{
"id": "uuid1",
"email": "user1",
"route": "one"
},
{
"id": "uuid2",
"email": "user1",
"route": "two"
},
{
"id": "uuid3",
"email": "user2",
"route": "one"
},
{
"id": "uuid4",
"email": "user2",
"route": "two"
}
] |
|
相当于 UUID 有了 route-id 的功效,不改协议, |
|
|
|
对他们的破面板其实还是没用 因为他们的user和email都是一个萝卜一个坑的 考虑这些人需求就是灾难 |
|
|
Could you please provide more information about the problems with SNI routing? |
不适用于非 TLS/REALITY |
|
/// we can add for example if UUID is "11111111-1111-1111-1111-111111111111" and if all and if ///
|
|
|
|
|
|
|
我改好了,话说是否有必要要求原始 UUID 最后一字节为 0,才可以使用这一功能? |
I believe it is not necessary |
|
请测试 5464862 |
|
Working as intended 👍 Thanks! Tested with VLESS+REALITY. Sadly currently don't have VLESS+TLS for testing. |
Modern Panels and Clients are based on Subscription system, panel can use a full random uuid in server inbound, but in the client subscription set the last byte to 0 or any other vlessRoute |
|
|
|
属于新功能,这样设计会不会更好一些 或者设计成 |
如果 routeId 为5,如何区分用户是
|
|
@darthstren 如果要区分用户,现在可以靠 email 来区分,不过暂时没有这个需求,他们的需求是对所有用户都生效,就像 incomingSNI 分流 提醒各位他发的不是配置示例,要使用这个功能,配置项只需给 |
|
明白了,还以为在讨论给一个email可以路由多个outbound呢 |
|
又想了下, 因为本来就是按 port 来处理的,支持两个字节, |
…ssRoute` instead #5009 (comment) Replaces 105b306
|
Tested, seems like works correctly |
…elligent "useIP"/"ForceIP", enhance "origin" functionality (#5030) #5009 (comment)
…elligent "useIP"/"ForceIP", enhance "origin" functionality (#5030) #5009 (comment)
…for `routing` `rules` XTLS#5009 (comment) (cherry picked from commit 105b306)
Fixes XTLS#5009 (comment) (cherry picked from commit 5464862)
…ssRoute` instead XTLS#5009 (comment) Replaces XTLS@105b306 (cherry picked from commit 7f300db)
|
Can we have some updated documents? Have no idea how this thing works. |
|
|
说明一下,不要求原始 UUID 那四个地方为 0,设置 vlessRoute 时避开 |
这一设计是为了服务端可以在任何时候开始用 vlessRoute 且兼容尚未更新配置的客户端,因为无需变更原始 UUID |
想了下能连上,但是会落到 vlessRoute |
Hi there,
Currently it is almost impossible to do routing with only one Inbound.
Of course, you can use Dokedomo-Door > Routing > Vless > Routing > Out, but in this case you will still have to have several INCOMING Dokedomo-Doors if I need to route traffic somewhere else.
Simple example:
This small PR adds the ability to define routing rules based on incoming SNI for Trojan+TLS, VLESS+Reality, VLESS+TLS.
With this routing, you will no longer need to create multiple inbounds on different ports if they are completely identical, and will also allow you to leave one single Reality on port 443 and at the same time have full routing capability based on SNI.