Issue with VLESS+WS+TLS over Cloudflare: OperationCanceled / Error 404 (Direct connection works)

[name321467]

Hello, respected developer and team.

I apologize in advance for the disturbance. I am not a network engineer and am trying to learn how to configure Xray for my personal use by reading articles and watching videos.

Please keep in mind that I may not understand complex technical language, so if the problem is due to my actions, I would appreciate an explanation suitable for a beginner. I don't know who else to turn to for help.

The Problem

I am setting up a VLESS (post-quantum) + WebSocket + TLS connection through Cloudflare (CDN).

• A direct connection to the server's IP with the same configuration works perfectly.
• When connecting through Cloudflare, the connection is established (Ping is successful), but no data is transferred. The speed test in the client shows OperationCanceled, and websites do not load.

My Environment

• OS: Ubuntu 22.04
• Xray-core: v25.12.2 (Server & Client)
• Panel: 3x-ui v2.8.5
• Client: v2rayN v7.16.4

Chronology of Actions and Tests

1. Basic Setup:
   I created a VLESS+WS config on port 2053 and allowed the port in the firewall.

   • Result: A direct connection (Client -> Server IP) works. Ping is successful, websites load, and traffic is flowing.

2. Cloudflare Configuration:

   • Enabled proxying (Orange cloud).
   • Enabled WebSocket and TLS.
   • Disabled ECH (as it is blocked in my region).
   • Generated Let's Encrypt certificates and specified the paths in the 3x-ui config.

3. Access Restriction:
   I configured the firewall to allow port 2053 only for Cloudflare's IP addresses.

4. Connection Attempt via Domain:

   • Ping in the client is stable and successful.
   • When trying to open a site or run a speed test, I get an OperationCanceled error. Previously, the client logs showed rejected by server, but now only the OperationCanceled error appears.

5. SSL/TLS Mode Diagnostics in Cloudflare:
   I tried changing the encryption modes to diagnose the issue:

   • Full (Strict) mode: Accessing the domain via a browser gives an Error 526 (Invalid SSL).
   • Full mode: Accessing the domain gives an Error 404 (Not Found). There is no certificate error.
   • Accessing the URL https://my.domain:2053/my-path directly returns a "Bad Request" response. I believe this is normal* since I don't have a placeholder website, and it confirms that the request is passing through Cloudflare and reaching Xray (the TLS handshake is successful).

6. Other Steps:
   In Cloudflare Security Events, I can see that my requests are being allowed, not blocked. I also configured a rule to bypass security systems in case WAF was blocking my requests at some stage. The path is identical in the client and server configs. In the 3x-ui panel, I can see that a connection attempt is registered when I run the ping and speed tests.

Questions

1. Why does the VLESS connection itself drop after a successful Ping and a successful TLS handshake (indicated by the 404/Bad Request response from the server)?
2. Why doesn't the connection proceed beyond the ping test?
3. Could Cloudflare be interfering with or "cutting" the VLESS traffic inside the WebSocket tunnel, or am I missing a specific setting?

I would be grateful for any help.

Server Config (Inbound)

{
    "listen": null,
    "port": 2053,
    "protocol": "vless",
    "settings": {
        "clients": [
            {
                "email": "my_email",
                "flow": "",
                "id": "my_id"
            }
        ],
        "decryption": "...",
        "encryption": "...",
        "selectedAuth": "ML-KEM-768, Post-Quantum"
    },
    "streamSettings": {
        "network": "ws",
        "security": "tls",
        "tlsSettings": {
            "alpn": [
                "http/1.1"
            ],
            "certificates": [
                {
                    "buildChain": false,
                    "certificateFile": "/usr/local/x-ui/config/cert.pem",
                    "keyFile": "/usr/local/x-ui/config/key.pem",
                    "oneTimeLoading": false,
                    "usage": "encipherment"
                }
            ],
            "cipherSuites": "",
            "disableSystemRoot": false,
            "echForceQuery": "none",
            "echServerKeys": "",
            "enableSessionResumption": false,
            "maxVersion": "1.3",
            "minVersion": "1.2",
            "rejectUnknownSni": false,
            "serverName": "my.doman",
            "verifyPeerCertInNames": [
                "dns.google",
                "cloudflare-dns.com"
            ]
        },
        "wsSettings": {
            "acceptProxyProtocol": false,
            "headers": {},
            "heartbeatPeriod": 0,
            "host": "",
            "path": "/my-path"
        }
    },
    "tag": "inbound-2053",
    "sniffing": {
        "enabled": true,
        "destOverride": [
            "tls",
            "quic",
            "http"
        ],
        "metadataOnly": false,
        "routeOnly": false
    }
}