
traffic through one port 443, generation of bad settings for the client #1548

Closed
alexeyp0708 opened this issue Jan 28, 2025 · 12 comments
Labels: bug Something isn't working

Comments

alexeyp0708 commented Jan 28, 2025

Hi, I noticed that you take part in the development of 3x-UI [https://github.com/mhsanaei/3x-ui] and that your commits get merged there.
Unfortunately, the "Issues" section of the original repository is closed, so I will describe the problem to you. Perhaps you can somehow influence it.

I set up servers where all traffic goes through one proxy port [0.0.0.0:443]. The panel is configured on IP 127.0.0.1:8000, the subscription service on IP 127.0.0.1:8001, and Xray on IP 127.0.0.1:8443.
When the client settings are generated, 127.0.0.1:8443 is indicated; when the subscription links are generated, port 8001 is indicated,
although it should be port 443.
The server IP should be the VPN IP, or a fake domain if it points to the same VPN IP.

Passing traffic through port 443 complies with the safety rules and masks the traffic. HTTP traffic on other ports will look suspicious. (HTTP traffic is easy to detect: an HTTP request gets an HTTP response header.)
Describe the bug

Given:
nginx listen : 0.0.0.0:443
xray listen - 127.0.0.1:8443
3x-ui panel listen - 127.0.0.1:8000
3x-ui subscription listen - 127.0.0.1:8001
domain name : panel.name.domain
fake domain:
nginx.conf

#...

stream {
    map $ssl_preread_server_name $sni_name {
        hostnames;
        panel.name.domain panel;
        default           xray;
    }

    upstream xray {
        server 127.0.0.1:8443;
    }

    upstream panel {
        # Additional HTTP layer (the TLS-terminating server below)
        server 127.0.0.1:9443;

        # If port 8000 were used here directly, 127.0.0.1:8001 (subscriptions) could not be served as well
        #server 127.0.0.1:8000;
    }

    server {
        listen 443;
        listen [::]:443;
        proxy_pass $sni_name;
        ssl_preread on;
    }
}

http {
    server {
        listen 127.0.0.1:9443 ssl;
        server_name panel.name.domain;
        # ${SSL_PANEL_DOMAIN_DIR} is substituted before nginx loads the file (nginx itself does not expand it)
        ssl_certificate     ${SSL_PANEL_DOMAIN_DIR}/fullchain_public.crt;
        ssl_certificate_key ${SSL_PANEL_DOMAIN_DIR}/private.key;
        add_header Strict-Transport-Security "max-age=63072000" always;

        root /usr/share/nginx/www;
        index index.html index.htm;
        proxy_connect_timeout 300;
        proxy_send_timeout    300;
        proxy_read_timeout    300;
        send_timeout          300;

        location /dashboard/ {
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:8000/dashboard/;
        }

        # /sub/ or /json/
        location ~ ^/((?:sub|json)/.*) {
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:8001/$1;
        }
    }
}

xray config.json

// ....
"inbounds": [
    // ....
    {
        "tag": "name_tag",
        "listen": "127.0.0.1",
        "port": 8443,
        "protocol": "vless",
        // ....
    }
    // ....
]

We create a client for connection in the panel, and the following settings are generated:

  • For the sub link: https://panel.name.domain:8001/sub/sjffsjfdfkj . It must be https://panel.name.domain:443/sub/sjffsjfdfkj
  • For the json link: https://panel.name.domain:8001/json/sjffsjfdfkj . It must be https://panel.name.domain:443/json/sjffsjfdfkj
  • In the client settings the server is indicated as https://127.0.0.1:8443. It must be https://{VPN_IP}:443 or, if MY_FAKE_DOMAIN_IP === VPN_IP, then https://{MY_FAKE_DOMAIN}:443 .

To solve this problem, you need to add an additional settings section for setting the client's variables, as is done in the Marzban panel. If a variable's value is specified, that variable is applied; if it is not specified, the value is taken from the panel settings.

If you consider this problem worthy, please raise it with mhsanaei.

@alexeyp0708 alexeyp0708 added the bug Something isn't working label Jan 28, 2025
alireza0 (Owner)

Hello @alexeyp0708 ,

When you define an IP for xray to listen on, the panel will not change it in the link unless you use the External Proxy config.
If you keep the inbound's listen IP empty (without External Proxy), then the domain name you opened in the browser takes its place.

The option External Proxy is designed exactly for your case here.

alexeyp0708 (Author) commented Jan 29, 2025

@alireza0

> The option External Proxy is designed exactly for your case here.

And what to do with the port for the subscription?
https://domain:8001/sub/35732lb9yx58bs46 must be https://domain:443/sub/35732lb9yx58bs46 for the external proxy in the client config

EarlVadim

> @alireza0
>
> > The option External Proxy is designed exactly for your case here.
>
> And what to do with the port for the subscription? https://domain:8001/sub/35732lb9yx58bs46 must be https://domain:443/sub/35732lb9yx58bs46 for the external proxy

This is actually done in the Cloudflare panel,
in the rules: "if the subdomain equals SUB.domain.com then redirect to port 8001",
and you get the result https://sub.domain.com/35732lb9yx58bs46

alexeyp0708 (Author) commented Jan 29, 2025

> in the rules: "if the subdomain equals SUB.domain.com then redirect to port 8001"

That is how it is already set up in nginx:
domain/sub/:443 => proxied to => 127.0.0.1:8001

The problem is that in the client's QR code and in the client settings the link is displayed like this:
https://domain:8001/sub/35732lb9yx58bs46 . It must be displayed as https://domain:443/sub/35732lb9yx58bs46

EarlVadim commented Jan 29, 2025

> > in the rules: "if the subdomain equals SUB.domain.com then redirect to port 8001"
>
> That is how it is already set up in nginx: domain/sub/:443 => proxied to => 127.0.0.1:8001
>
> The problem is that in the client's QR code and in the client settings the link is displayed like this: https://domain:8001/sub/35732lb9yx58bs46 . It must be displayed as https://domain:443/sub/35732lb9yx58bs46

This is configured in the Subscriptions section: both the domain and the port (443 is completely unnecessary there, by the way), as is the unneeded word /sub/

Image

alexeyp0708 (Author)

> This is configured in the Subscriptions section: both the domain and the port (443 is completely unnecessary there, by the way), as is the unneeded word /sub/

Note that your JSON LINK has port 20202: either that port is open on your side, or the link will not work.

My "external proxy nginx" and the panel with the subscription service are on the same host machine. The proxy and the panel cannot be bound to the same port 443. That would only be possible in Docker containers with port forwarding on a bridge network.

Physically you cannot specify port 443 in the panel settings, because nginx occupies it. If you specify it, something will stop working.

The setup is such that on the host machine no port other than 443 is allowed to face the external network.

The task is: subscriptions and the panel on one domain and one IP. nginx and 3x-ui are installed on the host machine. Functionally, the panel and the subscriptions are on different ports.
The subscription service listens on IP 127.0.0.1:8001; the domain is panel.domain.
nginx proxies traffic from https://panel.domain:443/sub to 127.0.0.1:8001.
When a link is generated, it produces the URL https://panel.domain:8001/sub/35732lb9yx58bs46
But the subscription settings should allow specifying the external proxy port '443', and the client settings should get the link https://panel.domain:443/sub/35732lb9yx58bs46

alireza0 (Owner)

External Proxy is the name of a part of the inbound's configuration.

To change your sub link, use Reverse Proxy URI in the subscription tab of the panel settings.

alexeyp0708 (Author)

Image

Image

Image

Image

Image

alexeyp0708 (Author) commented Jan 29, 2025

> To change your sub link, use Reverse Proxy URI in the subscription tab of the panel settings.

These settings are inactive in the settings page.
I cannot enter data into the fields.
And for some reason many fields have stopped being active.

alexeyp0708 (Author) commented Jan 29, 2025

> These settings are inactive in the settings page.
> I cannot enter data into the fields.
> And for some reason many fields have stopped being active.

This is a bug that I only noticed now.
For some reason the panel does not allow correcting old settings or entering new ones. This applies to the panel settings.
To change something, you have to open the panel in a liner. After any changes made without saving, the ability to edit anything disappears again.

https://youtu.be/OUo3zrDcA9g

alexeyp0708 (Author)

OK. The problem was my carelessness. Sorry.
The External Proxy and Reverse Proxy URI settings solved my problem.

For the problem with panel editing being blocked, I have created a separate issue:
#1553

EarlVadim

> Note that your JSON LINK has port 20202: either that port is open on your side, or the link will not work.

I don't use the JSON LINK at all.
I wanted to write that in nginx everything can be set up perfectly well on the single port 443, but as I understand it, you have already figured it out.
