[FR] Modify port and security settings in subscriptions if X-UI is behind a TLS reverse proxy #1253

Closed
vnxme opened this issue May 14, 2024 · 8 comments
Labels
enhancement New feature or request

vnxme commented May 14, 2024

Hi,

It is a known feature that one can connect to a VPN/proxy service provided by Xray Core and managed by X-UI both directly and indirectly, i.e. via a reverse proxy. Given the reverse proxy listens on port 443, the latter case may provide additional security (the VPN connection is visually identical to regular website browsing), speed gains (traffic to/from 443/TCP is often prioritised compared to other irregular TCP and UDP traffic) and concentration (many connections served from a single port accessible from the outside). A good example of how to make X-UI work behind nginx and provide WS/GRPC services is here.

Subscription is yet another very useful feature of X-UI - no need to manually modify connections over and over on multiple apps and devices. However, if we combine the reverse proxy feature with the subscription feature, there is a problem: subscriptions can only deliver settings for direct connections and know nothing about the reverse proxy. In other words, to make the connections delivered by the subscription feature work behind the reverse proxy, one has to manually modify each connection and adjust a) port to 443, b) security settings to TLS, c) fingerprint source to one's preferred option. These required modifications defeat the original intention of the subscription feature - automation.

UPDATE: Please read below a bit more detailed explanation with screenshots.

I suggest there could be a checkbox in the connection (inbound) settings "run behind a TLS reverse proxy". If checked, a few additional input boxes could be shown including a reverse proxy port, a reverse proxy host, a fingerprint source. Finally, the subscription controller could take these settings into account for both sub and json streams.

Regards,

vnxme added the enhancement label May 14, 2024

X-Oracle commented

@vnxme

It is already implemented in subscription settings.


vnxme commented May 20, 2024

@X-Oracle Hi, would you please be more precise on where to find such settings?

I have X-UI v1.8.3. On Panel Settings -> Subscription there are the following inputs: Enable, Encode, Show Usage Info, Listen IP, Listen Domain, Listen Port (these listen directives aren't relevant to what I'm talking about above since they are used for subscription service binding, but not for proxy/VPN configuration), URI Path, Public Key Path, Private Key Path, Reverse Proxy URI and Update Intervals. On Panel Settings -> Subscription Json there are the following inputs: URI Path, Reverse Proxy URI, Fragmentation, Mux, Direct Country.


X-Oracle commented May 20, 2024

@vnxme,
What you write in Reverse Proxy URI will be placed in the base sub URL.

So you should first configure the sub service with listen IP, listen port and URI Path.

Then you should go to your proxy server, like nginx, and reverse proxy it.

Then put the base link which will work with the sub reverse proxy in Reverse Proxy URI.

Ex:
For a client with sub id of hgasgsh ...

It was like:
https://example.com:54321/hgasgsh
then after applying the reverse proxy:
https://example.com:443/hgasgsh

You should place the URI below in Reverse Proxy URI:
https://example.com:443/
(Be careful, it must have / at the end.)

Note: You should already know how to configure a reverse proxy in proxy services like nginx, otherwise you should learn that first and then do the above.


vnxme commented May 20, 2024

> Note: You should already know how to configure a reverse proxy in proxy services like nginx, otherwise you should learn that first and then do the above.

@X-Oracle, thank you for a detailed reply. Probably I haven't been clear enough in what I'm suggesting. I already have both reverse proxy and subscription service working, so I know how to configure and I understand the limitations of the existing panel settings.

Please take a look at the following screenshot from Foxray. I marked with red ticks 2 options, port and security. Both options are set automatically using subscription. But in order to be used via a reverse proxy this connection should have 443 in port and tls in security. The problem is that I have to make changes manually, and these changes are not persistent, i.e. reversed on periodic subscription updates. My suggestion is to let the user modify subscription in the way these port and security options could be properly set without manual changes.

Foxray screenshot

Next please take a look at the following screenshot of inbound client information from X-UI. The port and security settings are taken from inbound config which is correct if you connect directly. But if you connect indirectly, i.e. via a reverse proxy, the port should be 443 (or your reverse proxy port), and the security should be TLS.

X-UI screenshot

X-Oracle commented

Hi @vnxme,

What I'm getting is that you want your configs to have a different port than your original x-ray config.

In that case you should use the external proxy option in inbound settings.

  • Enable external proxy

  • Then add your domain and reverse port in it.

  • If you want you can add another proxy and add direct port to connect via direct too.


vnxme commented May 20, 2024

@X-Oracle, very nice, thanks!

I didn't know the external proxy feature is related to subscriptions. While this feature enables me to set both port number and security TLS, it doesn't allow setting serverName (I expected it to be equal to the external proxy host by default) and fingerprint (I don't know whether it makes any difference to set it or leave it blank).


X-Oracle commented May 21, 2024

> I didn't know the external proxy feature is related to subscriptions

It was originally made for CDN-based configs where we need a different port and address, but we can use it to configure a reverse proxy too.

> it doesn't allow to set serverName (expected it to be equal to the external proxy host by default)

X-UI structure does not allow it.

We might need to have multiple configs in x-ray for multiple SNI (as a single x-ray config does not allow multi SNI).

In that case, user management will be difficult and might raise system resources for no reason.


vnxme commented May 21, 2024

@X-Oracle, thank you very much for your detailed explanations!
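
The manual edits discussed in this thread (port 443, security TLS, serverName, fingerprint), as an added example that is not part of the original issue or of X-UI's code: a client-side script that rewrites a subscription body so direct-connection links point at the TLS reverse proxy. It assumes the subscription is a base64-encoded, newline-separated list of `vless://` share links using the common `security`, `sni` and `fp` query parameters; the UUID, ports, path and the `chrome` fingerprint are constructed sample values.

```python
"""Added example: rewrite direct-connection VLESS links for a TLS reverse proxy."""
import base64
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit


def rewrite_link(link, proxy_host, proxy_port=443, fingerprint="chrome"):
    """Point one vless:// link at the reverse proxy and switch it to TLS."""
    parts = urlsplit(link)
    if parts.scheme != "vless" or not parts.username:
        return link  # not a VLESS link: leave untouched
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if params.get("security", "none") != "none":
        return link  # already carries its own TLS settings: leave untouched
    # The proxy terminates TLS, so the client needs security, SNI and fingerprint.
    params.update(security="tls", sni=proxy_host, fp=fingerprint)
    netloc = f"{parts.username}@{proxy_host}:{proxy_port}"
    query = urlencode(params, quote_via=quote)
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def rewrite_subscription(body_b64, proxy_host, proxy_port=443, fingerprint="chrome"):
    """Decode a base64 subscription body, rewrite each link, and re-encode it."""
    text = base64.b64decode(body_b64).decode("utf-8")
    links = [line.strip() for line in text.splitlines() if line.strip()]
    rewritten = [rewrite_link(l, proxy_host, proxy_port, fingerprint) for l in links]
    return base64.b64encode("\n".join(rewritten).encode("utf-8")).decode("ascii")


# Constructed sample subscription (assumed format, not captured from a real panel).
SAMPLE_LINKS = [
    "vless://11111111-2222-3333-4444-555555555555@example.com:10443"
    "?type=ws&security=none&path=%2Fws#direct-ws",
    "vless://11111111-2222-3333-4444-555555555555@example.com:8443"
    "?type=tcp&security=tls&sni=example.com#already-tls",
]
SAMPLE_BODY = base64.b64encode("\n".join(SAMPLE_LINKS).encode()).decode()

if __name__ == "__main__":
    out = rewrite_subscription(SAMPLE_BODY, "example.com")
    print(base64.b64decode(out).decode())
```

Running the rewrite after each subscription refresh keeps the port, TLS, SNI and fingerprint settings from being reverted by periodic updates.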

vnxme closed this as not planned May 21, 2024