Skip to content

swap vmess for vless httpupgrade (non-tls) with encryption#113

Merged
ranthe21 merged 2 commits into
mainfrom
vless-hu-encryption
Jul 10, 2026
Merged

swap vmess for vless httpupgrade (non-tls) with encryption#113
ranthe21 merged 2 commits into
mainfrom
vless-hu-encryption

Conversation

@ranthe21

Copy link
Copy Markdown
Contributor

Replaces the vmess-ws-cdn inbound with a VLESS httpUpgrade pair carried over plain HTTP and fronted by nginx, matching the existing vless-hu-tls-* setup. Since there's no TLS, confidentiality comes from VLESS Encryption (post-quantum ML-KEM-768 + X25519 AEAD) negotiated inside the stream.

What changed

  • inbounds.json: drop vmess-ws-cdn; add vless-hu-direct (xray:8005) and vless-hu-cdn (xray:8055). Server decryption = mlkem768x25519plus.native.600s.<PrivateKey>; links carry the matching encryption=mlkem768x25519plus.native.0rtt.<Password>.
  • config.py: _setup_vless_encryption() derives the X25519 keypair deterministically from the node identifier (same trick as REALITY), so links survive redeploys with no key material persisted. A guard drops these inbounds if key gen fails, mirroring the REALITY/TLS guards, so a bad string never takes down xray -test.
  • nginx.conf: plaintext :8080 server block with both paths + the locations.d/8080 replica include. CF fronts the CDN variant over HTTP on 8080 (same port vmess used).
  • docker-compose.yml: move the 8080 publish from xray to nginx.
  • entrypoint.sh / env_file.example: 8080 replica dir; default/example inbound list updated.

The host firewall list is unchanged (8080 was already open for vmess). Deaf-port healing (#111) picks up 8005/8055 automatically since it's driven off the config.

Format source

decryption/encryption string format follows Xray-core PR #5067 (VLESS post-quantum encryption); X25519-only auth, native mode, padding omitted (optional).

Needs live validation

Can't run xray/nginx locally. On a test server please confirm:

  • xray -test passes with the generated config (both direct + cdn).
  • nginx -t passes and the :8080 block loads.
  • a real client connects on both variants (direct + through CF).
  • check whether xray-knife parses the encryption= link param; if not, the health metric will read these as down even though they work.

Drop the vmess-ws-cdn inbound and replace it with a VLESS httpupgrade
pair carried over plain HTTP, fronted by nginx like the existing hu-tls
inbounds. Confidentiality comes from VLESS Encryption (post-quantum
ML-KEM-768 + X25519 AEAD) inside the stream instead of TLS, so no cert
is needed.

- inbounds.json: vless-hu-direct (xray:8005) and vless-hu-cdn
  (xray:8055), decryption set to the mlkem768x25519plus string; links
  carry the matching encryption= value.
- config.py: derive the X25519 keypair deterministically from the
  identifier (same as REALITY) so links survive redeploys; guard that
  drops the inbounds if key gen fails, mirroring the REALITY/TLS guards.
- nginx: plaintext :8080 server block (both paths), replica include for
  8080; CF fronts the CDN variant over HTTP on 8080.
- docker-compose: move the 8080 publish from xray to nginx. Firewall
  port list is unchanged (8080 was already open for vmess).
@ranthe21 ranthe21 self-assigned this Jul 10, 2026
xorpub masks the handshake public key against DPI at near-zero cost;
stock padding hides handshake length while keeping us in the common
crowd. Keeps X25519 auth + 0rtt for fast, battery-friendly reconnects.
@ranthe21 ranthe21 merged commit 83a2676 into main Jul 10, 2026
@ranthe21 ranthe21 deleted the vless-hu-encryption branch July 10, 2026 12:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant