REALITY connection fails behind corporate web proxy

[nopoz]

I can't connect to my xray server using reality when behind a corporate web proxy. Using the same config when not behind the proxy (ie on a different network) works. The corp proxy does not appear to use decryption as I can curl https://www.google.com and I get the correct google certificate. I'm suspecting that the corp web proxy is altering TLS fingerprint in a way that reality protocol doesn't like? I don't see any tolerance adjustment settings for reality that I could use to accommodate if that's the case. I do have a working fallback configured to use a websocket connection directly to the xray server, but this will show the corp web proxy my xray server domain as the destination and the goal is for the traffic to appear to have a legitimate destination like www.google.com and not the fallback cdn. websocket address. Any help would be appreciated. Perhaps there is some different configuration settings that would work to achieve the same goal of being able to successfully use reality protocol? Thanks!

Client log FAIL - when connecting behind the corp web proxy:

Xray 25.7.26 (Xray, Penetrates Everything.) b6b51c5 (go1.24.5 darwin/arm64)
A unified platform for anti-censorship.
2025/08/28 13:42:12.108504 [Info] infra/conf/serial: Reading config: &{Name:config_orig.json Format:json}
2025/08/28 13:42:12.122851 [Warning] common/errors: This feature WebSocket transport (with ALPN http/1.1, etc.) is deprecated and being migrated to XHTTP H2 & H3. Please update your config(s) according to release note and documentation before removal.
2025/08/28 13:42:12.123021 [Debug] app/log: Logger started
2025/08/28 13:42:12.123101 [Info] app/dns: DNS: created UDP client initialized for 10.0.0.1:53
2025/08/28 13:42:12.123377 [Debug] app/router: MphDomainMatcher is enabled for 132 domain rule(s)
2025/08/28 13:42:12.123444 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1080
2025/08/28 13:42:12.123454 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:8080
2025/08/28 13:42:12.123600 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1080
2025/08/28 13:42:12.123649 [Info] transport/internet/udp: listening UDP on 127.0.0.1:1080
2025/08/28 13:42:12.123743 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:8080
2025/08/28 13:42:12.123759 [Warning] core: Xray 25.7.26 started
2025/08/28 13:42:12.124001 [Info] app/dispatcher: taking platform initialized detour [proxy-google] for [tcp:www.google.com:80]
2025/08/28 13:42:12.124134 [Debug] transport/internet/splithttp: XMUX: creating xmuxClient because xmuxClients is empty
2025/08/28 13:42:12.124318 [Info] transport/internet/splithttp: XHTTP is dialing to tcp:<xray server>:443, mode stream-one, HTTP version 2, host www.google.com
2025/08/28 13:42:12.124443 [Debug] transport/internet: dialing to tcp:<xray server>:443
REALITY localAddr: 10.239.210.85:50982	hello.SessionId[:16]: [25 7 26 0 104 176 191 36 224 223 223 63 58 172 0 73]
REALITY localAddr: 10.239.210.85:50982	uConn.AuthKey[:16]: [120 128 213 174 9 13 226 53 2 19 227 223 34 170 73 54]	AEAD: *gcm.GCM
REALITY localAddr: 10.239.210.85:50982	is using X25519MLKEM768 for TLS' communication: true
REALITY localAddr: 10.239.210.85:50982	is using ML-DSA-65 for cert's extra verification: false
REALITY localAddr: 10.239.210.85:50982	uConn.Verified: false
REALITY localAddr: 10.239.210.85:50982	req.UserAgent(): Chrome
2025/08/28 13:42:12.299827 [Info] transport/internet/splithttp: failed to POST https://www.google.com/ > Post "https://www.google.com/": transport/internet/reality: REALITY: processed invalid connection
2025/08/28 13:42:12.299861 [Info] proxy/vless/outbound: tunneling request to tcp:www.google.com:80 via <xray server>:443
REALITY localAddr: 10.239.210.85:50982	DialTLSContext
2025/08/28 13:42:12.299909 [Info] app/observatory: the outbound proxy-google is dead: GET request failed:app/observatory: outbound failed to relay connection > Get "http://www.google.com/generate_204": EOFwith outbound handler report underlying connection failed > app/observatory: failed to produce report
REALITY localAddr: 10.239.210.85:50982	req.Referer(): https://www.google.com/search?q=technology+trends
REALITY localAddr: 10.239.210.85:50982	len(body): 84268
REALITY localAddr: 10.239.210.85:50982	len(paths): 3
2025/08/28 13:42:13.589130 [Info] [2544978593] proxy/socks: TCP Connect request to tcp:guc3-spclient.spotify.com:443
2025/08/28 13:42:13.589222 [Info] app/router: fallback to [proxy-websocket], due to empty tag returned
2025/08/28 13:42:13.589240 [Info] [2544978593] app/dispatcher: taking detour [proxy-websocket] for [tcp:guc3-spclient.spotify.com:443]
2025/08/28 13:42:13.589249 from tcp:127.0.0.1:50987 accepted tcp:guc3-spclient.spotify.com:443 [proxy-websocket]

Client log SUCCESS - when not connected behind the corp web proxy:

Xray 25.7.26 (Xray, Penetrates Everything.) b6b51c5 (go1.24.5 darwin/arm64)
A unified platform for anti-censorship.
2025/08/28 13:45:12.889283 [Info] infra/conf/serial: Reading config: &{Name:config_orig.json Format:json}
2025/08/28 13:45:12.903232 [Warning] common/errors: This feature WebSocket transport (with ALPN http/1.1, etc.) is deprecated and being migrated to XHTTP H2 & H3. Please update your config(s) according to release note and documentation before removal.
2025/08/28 13:45:12.903351 [Debug] app/log: Logger started
2025/08/28 13:45:12.903421 [Info] app/dns: DNS: created UDP client initialized for 10.0.0.1:53
2025/08/28 13:45:12.903666 [Debug] app/router: MphDomainMatcher is enabled for 132 domain rule(s)
2025/08/28 13:45:12.903731 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1080
2025/08/28 13:45:12.903745 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:8080
2025/08/28 13:45:12.903865 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1080
2025/08/28 13:45:12.904005 [Info] transport/internet/udp: listening UDP on 127.0.0.1:1080
2025/08/28 13:45:12.904018 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:8080
2025/08/28 13:45:12.904025 [Warning] core: Xray 25.7.26 started
2025/08/28 13:45:12.904705 [Info] app/dispatcher: taking platform initialized detour [proxy-google] for [tcp:www.google.com:80]
2025/08/28 13:45:12.904748 [Debug] transport/internet/splithttp: XMUX: creating xmuxClient because xmuxClients is empty
2025/08/28 13:45:12.904764 [Info] transport/internet/splithttp: XHTTP is dialing to tcp:<xray server>:443, mode stream-one, HTTP version 2, host www.google.com
2025/08/28 13:45:12.904775 [Debug] transport/internet: dialing to tcp:<xray server>:443
REALITY localAddr: 10.0.0.233:51398	hello.SessionId[:16]: [25 7 26 0 104 176 191 216 224 223 223 63 58 172 0 73]
REALITY localAddr: 10.0.0.233:51398	uConn.AuthKey[:16]: [26 131 63 223 85 111 36 76 213 221 157 56 177 55 0 57]	AEAD: *gcm.GCM
REALITY localAddr: 10.0.0.233:51398	is using X25519MLKEM768 for TLS' communication: true
REALITY localAddr: 10.0.0.233:51398	is using ML-DSA-65 for cert's extra verification: false
REALITY localAddr: 10.0.0.233:51398	uConn.Verified: true
2025/08/28 13:45:12.958367 [Info] proxy/vless/outbound: tunneling request to tcp:www.google.com:80 via <xray server>:443
2025/08/28 13:45:12.975575 [Info] app/observatory: the outbound proxy-google is alive:0.071433833
2025/08/28 13:45:15.541231 [Info] [1797288943] proxy/socks: TCP Connect request to tcp:spclient.wg.spotify.com:443
2025/08/28 13:45:15.541342 [Info] [1797288943] app/dispatcher: taking detour [proxy-google] for [tcp:spclient.wg.spotify.com:443]
2025/08/28 13:45:15.541395 from tcp:127.0.0.1:51403 accepted tcp:spclient.wg.spotify.com:443 [proxy-google]
2025/08/28 13:45:15.541427 [Info] [1797288943] transport/internet/splithttp: XHTTP is dialing to tcp:<xray server>:443, mode stream-one, HTTP version 2, host www.google.com
2025/08/28 13:45:15.541974 [Info] [1797288943] proxy/vless/outbound: tunneling request to tcp:spclient.wg.spotify.com:443 via <xray server>:443
2025/08/28 13:45:17.127861 [Info] [1999295880] proxy/socks: TCP Connect request to tcp:guc3-spclient.spotify.com:443
2025/08/28 13:45:17.127918 [Info] [1999295880] app/dispatcher: taking detour [proxy-google] for [tcp:guc3-spclient.spotify.com:443]
2025/08/28 13:45:17.127940 [Info] [1999295880] transport/internet/splithttp: XHTTP is dialing to tcp:<xray server>:443, mode stream-one, HTTP version 2, host www.google.com
2025/08/28 13:45:17.127948 [Info] [1999295880] proxy/vless/outbound: tunneling request to tcp:guc3-spclient.spotify.com:443 via <xray server>:443
2025/08/28 13:45:17.127901 from tcp:127.0.0.1:51408 accepted tcp:guc3-spclient.spotify.com:443 [proxy-google]
^C2025/08/28 13:45:19.419725 [Debug] app/log: Logger closing

Client config:

{
  "inbounds": [
    {
      "port": 1080, 
      "listen": "127.0.0.1",
      "protocol": "socks",
      "settings": {
        "udp": true
      }
    },
    {
      "port": 8080,
      "listen": "127.0.0.1", 
      "protocol": "http"
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "tag": "proxy-google",
      "settings": {
        "vnext": [{
          "address": "<xray server>",
          "port": 443,
          "users": [{
            "id": "<user id>",
            "encryption": "none"
          }]
        }]
      },
      "streamSettings": {
        "network": "xhttp",
        "security": "reality",
        "realitySettings": {
          "fingerprint": "chrome",
          "serverName": "www.google.com",
          "publicKey": "<public key>",
          "shortId": "<short id>",
          "spiderX": "/search?q=technology+trends",
          "show": true
        },
        "xhttpSettings": { 
          "mode": "stream-one",
          "path": "/",
          "host": "www.google.com",
          "noSSEHeader": true,
          "noGRPCHeader": true
        }
      }
    },
    {
      "protocol": "vless",
      "tag": "proxy-websocket",
      "settings": {
        "vnext": [{
          "address": "cdn.<xray server>",
          "port": 443,
          "users": [{
            "id": "<user id>",
            "encryption": "none"
          }]
        }]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "tlsSettings": {
          "serverName": "cdn.<xray server>",
          "fingerprint": "chrome"
        },
        "wsSettings": {
          "path": "/<web socket path>",
          "host": "cdn.<xray server>",
          "headers":{
             "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
          }
        }
      }
    },
    {  
      "protocol": "freedom",
      "tag": "direct",
      "settings": {
        "domainStrategy": "UseIPv4"
      }
    }
  ], 
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": ["<local xray server DNS IP>"],
        "port": "53",
        "balancerTag": "proxy-balancer"
      },
      {
        "type": "field",
        "domain": ["geosite:private"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "network": "tcp,udp",
        "balancerTag": "proxy-balancer"
      }
    ],
    "balancers": [
      {
        "tag": "proxy-balancer",
        "selector": ["proxy-google"],
        "strategy": {
          "type": "leastPing"
        },
        "fallbackTag": "proxy-websocket"
      }
    ]
  },
  "dns": {
    "servers": [
      {
        "address": "<local xray server DNS IP>",
        "port": 53
      }
    ],
    "queryStrategy": "UseIPv4",
    "disableFallback": true,
    "disableCache": false
  },
  "observatory": {
    "subjectSelector": ["proxy-google"],
    "probeInterval": "30s",
    "probeURL": "http://www.google.com/generate_204",
    "enableConcurrency": true
  },
  "log": {
    "loglevel": "debug"
  }
}