xhttp在客户端启用h3通过cloudflare cdn代理时无法上网 #4258

bubuqing99 · 2025-01-06T08:53:38Z

bubuqing99
Jan 6, 2025

搭建了vless+xhttp+tls，在cloudflare仅dns或cloudflare cdn时客户端都是可以上网。

不过在客户端填写h3时，只有在cloudflare仅dns时可以上网，当cloudflare代理流量时客户端就没法上网，不知道怎么解决。

nginx版本是1.27.3，已经启用quic和h3。

查看xray客户端和nginx服务端日志都显示确实是通过http3连接的。

本人小白，配置都是参考大佬们写的，还有靠chatgpt写好的，希望有大佬指导一下，谢谢。

这是xray服务端配置：

{
"log": {
"access": "/var/log/xray/access.log",
"error": "/var/log/xray/error.log",
"loglevel": "warning"
},

"inbounds": [
{
"listen": "/dev/shm/xrxh.socket,0666",
"protocol": "vless",
"settings": {
"clients": [
{
"id": "fbec4d67-1b04-4813-9b20-4444cd285f75"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "xhttp",
"xhttpSettings": {
"mode": "stream-one",
"path": "/fffffff"
}
}
}
],
"outbounds": [
{
"protocol": "freedom",
"settings": {}
}
]
}

这是nginx的配置：
error_log /var/log/nginx/error.log debug;
events {
worker_connections 768;
}

http {

access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log debug;

server {
            listen 80;
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name ffff.com;
    http2 on;
    http3 on;
    quic_retry on;
    quic_gso on;

    add_header Alt-Svc 'h3=":443"; ma=86400'; #通告 HTTP/3 server 的可用性
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #启用 HSTS

    # SSL 证书配置
    ssl_certificate /cloudflare/fffffff.crt;
    ssl_certificate_key /cloudflare/fffffff.key;

    client_header_timeout 5m;
    keepalive_timeout 5m;

   ssl_protocols TLSv1.3; #若使用 OpenSSL 库，TLSv1.3 需要 OpenSSL 库的版本不小于 1.1.1 构建才支持。
   ssl_prefer_server_ciphers on; #优先使用服务端的密码套件。（对如下 TLSv1.2 协议的密码套件有效）
   ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305; #若证书为 RSA 证书，所有 ECDSA 改为 RSA。
   ssl_ecdh_curve secp521r1:secp384r1:secp256r1:x25519; #若使用 OpenSSL 库，此项配置参数需要 OpenSSL 库的版本不小于 3.0.0 构建才支持。

    location /fffffff {
    client_max_body_size 0;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_body_timeout 5m;
    grpc_read_timeout 315;
    grpc_send_timeout 5m;
    grpc_pass grpc://unix:/dev/shm/xrxh.socket;    
    }

    # 其他代理配置
    location / {
        
        proxy_pass http://127.0.0.1:3002;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_session_reuse off;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;

        if ($http_user_agent ~* "360Spider|JikeSpider|Spider|spider|bot|Bot|2345Explorer|curl|wget|webZIP|qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|NSPlayer|bingbot") {
            return 403;
        }
    }
}

}

客户端配置
{
"log": {
"loglevel": "info"
},
"inbounds": [
{
"port": "2335",
"listen": "127.0.0.1",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "ffff.com",
"port": 443,
"users": [
{
"id": "fbec4d67-1b04-4813-9b20-4444cd285f75",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "xhttp",
"xhttpSettings": {
"path": "fffffff", //填写你的 path
"mode": "stream-one", //如使用 downloadSettings（下行），不可用 stream-one；可用 stream-up。
"#xmux": { //使用默认值。如需自定义：移除前面的 #（井号）。注意：不可超过 Nginx 的最高（上限）值。
"maxConcurrency": 128, //Nginx 默认上限 128。https://nginx.org/en/docs/http/ngx_http_v3_module.html#http3_max_concurrent_streams
"hMaxRequestTimes": 1000, //Nginx 默认上限 1000。https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests
"hMaxReusableSecs": 3600 //Nginx 默认上限 3600s(1h)。https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_time
},
"#downloadSettings": { //如需 H2 下行：移除前面的 #（井号）以使用 downloadSettings；上面和 server.json 的 mode 更改为 stream-up。
"address": "ffff.com",
"port": 443,
"network": "xhttp",
"xhttpSettings": {
"path": "fffffff", //填写你的 path（同上）
"#xmux": { //使用默认值。如需自定义：移除前面的 #（井号）。注意：不可超过 Nginx 的最高（上限）值。
"maxConcurrency": 128, //Nginx 默认上限 128。https://nginx.org/en/docs/http/ngx_http_v3_module.html#http3_max_concurrent_streams
"hMaxRequestTimes": 1000, //Nginx 默认上限 1000。https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests
"hMaxReusableSecs": 3600 //Nginx 默认上限 3600s(1h)。https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_time
}
}

      }
    },
    "security": "tls",
    "tlsSettings": {
      "alpn": [
        "h3"
      ]
    }
  }
}

]
}

xray客户端日志
Xray 24.12.31 (Xray, Penetrates Everything.) 4be32e9 (go1.23.4 windows/amd64)
A unified platform for anti-censorship.
2025/01/06 15:59:07 [Info] infra/conf/serial: Reading config: &{Name:xray.json Format:json}
2025/01/06 15:59:07 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:2335
2025/01/06 15:59:07 [Info] transport/internet/udp: listening UDP on 127.0.0.1:2335
2025/01/06 15:59:07 [Warning] core: Xray 24.12.31 started
2025/01/06 15:59:07 [Info] [2637343663] proxy/socks: TCP Connect request to tcp:play.google.com:443
2025/01/06 15:59:07 [Info] [2637343663] app/dispatcher: default route for tcp:play.google.com:443
2025/01/06 15:59:07 from tcp:127.0.0.1:12353 accepted tcp:play.google.com:443
2025/01/06 15:59:07 [Info] [2637343663] transport/internet/splithttp: XHTTP is dialing to udp:ffff.com:443, mode stream-one, HTTP version 3, host ffff.com
2025/01/06 15:59:07 [Info] [2637343663] proxy/vless/outbound: tunneling request to tcp:play.google.com:443 via ffff.com:443
2025/01/06 15:59:07 [Info] [3971998774] proxy/socks: TCP Connect request to tcp:play.google.com:443
2025/01/06 15:59:07 from tcp:127.0.0.1:12352 accepted tcp:play.google.com:443
2025/01/06 15:59:07 [Info] [3971998774] app/dispatcher: default route for tcp:play.google.com:443
2025/01/06 15:59:07 [Info] [3971998774] transport/internet/splithttp: XHTTP is dialing to udp:ffff.com:443, mode stream-one, HTTP version 3, host ffff.com
2025/01/06 15:59:07 [Info] [3971998774] proxy/vless/outbound: tunneling request to tcp:play.google.com:443 via ffff.com:443
2025/01/06 15:59:08 [Info] [1087766951] proxy/socks: TCP Connect request to tcp:alive.github.com:443
2025/01/06 15:59:08 [Info] [1087766951] app/dispatcher: default route for tcp:alive.github.com:443
2025/01/06 15:59:08 from tcp:127.0.0.1:12356 accepted tcp:alive.github.com:443
2025/01/06 15:59:08 [Info] [1087766951] transport/internet/splithttp: XHTTP is dialing to udp:ffff.com:443, mode stream-one, HTTP version 3, host ffff.com
2025/01/06 15:59:08 [Info] [1087766951] proxy/vless/outbound: tunneling request to tcp:alive.github.com:443 via ffff.com:443
2025/01/06 15:59:11 [Info] [2629257952] proxy/socks: TCP Connect request to tcp:www.google.com:443
2025/01/06 15:59:11 [Info] [2629257952] app/dispatcher: default route for tcp:www.google.com:443
2025/01/06 15:59:11 from tcp:127.0.0.1:12357 accepted tcp:www.google.com:443
2025/01/06 15:59:11 [Info] [2629257952] transport/internet/splithttp: XHTTP is dialing to udp:ffff.com:443, mode stream-one, HTTP version 3, host ffff.com
2025/01/06 15:59:11 [Info] [2629257952] proxy/vless/outbound: tunneling request to tcp:www.google.com:443 via ffff.com:443
2025/01/06 15:59:11 [Info] [2451264429] proxy/socks: TCP Connect request to tcp:www.youtube.com:443
2025/01/06 15:59:11 from tcp:127.0.0.1:12358 accepted tcp:www.youtube.com:443
2025/01/06 15:59:11 [Info] [2451264429] app/dispatcher: default route for tcp:www.youtube.com:443
2025/01/06 15:59:11 [Info] [2451264429] transport/internet/splithttp: XHTTP is dialing to udp:ffff.com:443, mode stream-one, HTTP version 3, host ffff.com
2025/01/06 15:59:11 [Info] [2451264429] proxy/vless/outbound: tunneling request to tcp:www.youtube.com:443 via ffff.com:443
2025/01/06 15:59:27 [Info] [2637343663] app/proxyman/inbound: connection ends > proxy/socks: connection ends > context canceled

nginx后台日志

172.69.195.149 - - [06/Jan/2025:16:01:00 +0800] "POST /fffffff/?x_padding=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/2.0" 200 5190 "-" "quic-go HTTP/3"
172.69.195.149 - - [06/Jan/2025:16:01:06 +0800] "POST /fffffff/?x_padding=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/2.0" 200 5211 "-" "quic-go HTTP/3"
172.69.195.149 - - [06/Jan/2025:16:01:24 +0800] "POST /fffffff/?x_padding=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/2.0" 200 7673 "-" "quic-go HTTP/3"
172.69.195.149 - - [06/Jan/2025:16:01:31 +0800] "POST /fffffff/?x_padding=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/2.0" 200 5189 "-" "quic-go HTTP/3"
172.69.195.149 - - [06/Jan/2025:16:02:13 +0800] "POST /fffffff/?x_padding=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/2.0" 200 5191 "-" "quic-go HTTP/3"

lxhao61 · 2025-01-06T14:21:45Z

lxhao61
Jan 6, 2025

服务端 mode 不需配置，默认自动即可。
使用 HTTP/3 传输时，客户端 mode 配置仅选择 packet-up。

5 replies

bubuqing99 Jan 6, 2025
Author

服务端 mode 不需配置，默认自动即可。使用 HTTP/3 传输时，客户端 mode 配置仅选择 packet-up。
原来是这样啊，改成packet-up确实可以上网了，谢谢。

就是网络超级慢，即使是优选ip速度也只有一两兆，不管了。

lxhao61 Jan 6, 2025

使用 HTTP/3 传输虽然有 QoS 风险，取决于当地情况，但应该无此这么严重。
建议 Nginx 反代改成 gRPC 模式，XMUX 不配置使用默认试试。

bubuqing99 Jan 7, 2025
Author

使用 HTTP/3 传输虽然有 QoS 风险，取决于当地情况，但应该无此这么严重。建议 Nginx 反代改成 gRPC 模式，XMUX 不配置使用默认试试。

我的nginx配置一直都是gRPC，XMUX也是默认，使用http3有时候就快一点，有时候还是超级慢，还是使用http2稳定。

我就说你的用户名怎么有点熟悉，原来我之前是参考你的配置。

你的Xray(VLESS+XHTTP)+Nginx\Caddy配置中，其中nginx那段是 “http2 on; #仅版本不小于 v1.25.1 配置”否则必须删除。”

我这边测试如果把http2 on删除xray客户端是无法上网的，我的nginx版本是1.27.3

lxhao61 Jan 7, 2025

哦，看错了你上传配置，把下面反代配置当成了反代 XHTTP 了。
备注写得很明白。你 Nginx 版本是 1.27.3，干嘛删除http2 on;？

bubuqing99 Jan 7, 2025
Author

哦，看错了你上传配置，把下面反代配置当成了反代 XHTTP 了。备注写得很明白。你 Nginx 版本是 1.27.3，干嘛删除http2 on;？

我理解错了，我看少了一个不字。

xhttp在客户端启用h3通过cloudflare cdn代理时无法上网 #4258

Uh oh!

bubuqing99 Jan 6, 2025

这是xray服务端配置：

}

Replies: 1 comment · 5 replies

Uh oh!

Uh oh!

lxhao61 Jan 6, 2025

Uh oh!

bubuqing99 Jan 6, 2025 Author

Uh oh!

Uh oh!

lxhao61 Jan 6, 2025

Uh oh!

bubuqing99 Jan 7, 2025 Author

Uh oh!

Uh oh!

lxhao61 Jan 7, 2025

Uh oh!

bubuqing99 Jan 7, 2025 Author

bubuqing99
Jan 6, 2025

Replies: 1 comment 5 replies

lxhao61
Jan 6, 2025

bubuqing99 Jan 6, 2025
Author

bubuqing99 Jan 7, 2025
Author

bubuqing99 Jan 7, 2025
Author