
Remove xray.cone.disabled env var #6110

Open
Meo597 wants to merge 1 commit into main from cone


Meo597 (Collaborator, Author) commented May 10, 2026

While removing it, I suddenly wondered in what scenarios per-packet routing would be needed to avoid detours.
BT??

RPRX (Member) commented May 13, 2026

If we keep it, many inbounds don't implement non-cone and would still have to implement it. Let me think about it.

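RPRX (Member) commented May 13, 2026

Move the new-version reverse proxy example to the "Feature Details" section, under the title "Reverse Proxy / Intranet Tunneling", and add a link from the old reverse proxy document to the new page.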

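RPRX (Member) commented May 13, 2026

Also, the features of the reverse proxy should all be explained clearly based on #5101 and the comments below it, for example the behavior when reverse tags are identical, the prohibition on being used as a forward proxy, and so on.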

Meo597 added a commit to XTLS/Xray-docs-next that referenced this pull request May 14, 2026
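Meo597 (Collaborator, Author) commented May 14, 2026

Done, I added a few advanced examples.
The comments below are scattered all over the place and I don't fully understand all of them, so I put them all at the end.
The prohibition on forward proxy use is mentioned in the configuration description, and I also added a few sentences at the end.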

Meo597 added a commit to XTLS/Xray-docs-next that referenced this pull request May 14, 2026
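RPRX (Member) commented May 16, 2026

XHTTP, WebSocket and other HTTP-based inbounds currently read X-Forwarded-For by default. If there is no HTTP reverse proxy that you yourself trust in front of them, this header can be forged by the client, so do not use it directly for strict security decisions such as IP allowlists, blocklists or audit attribution.

@Meo597 This problem has already been solved #5101 (comment) #5331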
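
An added illustration of the point in the comment above (not Xray-core code and not written by any participant in this thread): the client address is taken from X-Forwarded-For only when the directly connected peer is one of the operator's own reverse proxies, and the header is read from right to left so that entries supplied by the client are never believed. The function names, the `trustedProxies` list and all addresses are assumptions constructed for the example; it does not describe how `sockopt.trustedXForwardedFor` is implemented.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample: address ranges of reverse proxies the operator runs.
var trustedProxies = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}

// clientAddr picks the address to use for allowlists, blocklists and audit logs.
// peer is the directly connected TCP peer, xff the raw X-Forwarded-For value.
func clientAddr(peer netip.Addr, xff string, trusted []netip.Prefix) netip.Addr {
	if !isTrusted(peer, trusted) {
		return peer // header was set by an untrusted sender: ignore it
	}
	// Each proxy appends the address it saw, so read right to left and
	// stop at the first hop that is not one of our own proxies.
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		addr, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return peer // empty or malformed entry: fall back to the peer
		}
		if addr = addr.Unmap(); !isTrusted(addr, trusted) {
			return addr
		}
	}
	return peer // every hop was a trusted proxy
}

// resolve is a string wrapper around clientAddr using the sample proxy list.
func resolve(peer, xff string) string {
	return clientAddr(netip.MustParseAddr(peer), xff, trustedProxies).String()
}

func main() {
	fmt.Println(resolve("198.51.100.7", "10.1.2.3"))           // direct client, forged header
	fmt.Println(resolve("10.0.0.5", "192.0.2.1, 203.0.113.9")) // via trusted proxy
}
```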

Meo597 (Collaborator, Author) commented May 16, 2026

sockopt.trustedXForwardedFor never had any documentation, so I added it.
I changed that last sentence of the explanation.

I also added another scenario.

Meo597 added a commit to XTLS/Xray-docs-next that referenced this pull request May 16, 2026
RPRX (Member) commented May 17, 2026

By the way, should this sockopt.trustedXForwardedFor be made the default? That is, those three transports would not read X-Forwarded-For by default.

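Meo597 (Collaborator, Author) commented May 17, 2026

I was thinking about this too when I looked at this PR yesterday.
Not allowing it to be read at all when len is 0 would be more secure, definitely better.

But for the many people running behind a CDN, it would be a breaking change,
if they need to use src.

Most of these three inbounds are put behind a front end anyway, right?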

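Fangliding (Member) commented

If we were starting over from scratch, I think it should be trusted by default when the remote IP IsPrivate(), and not trusted otherwise.
But that would still blow up for CF users.
Sigh, CF-oriented programming.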

Meo597 (Collaborator, Author) commented May 17, 2026

I suggest we leave it alone.
Otherwise, how would we be any different from the project next door?

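RPRX (Member) commented May 17, 2026

allowInsecure is likewise a design problem that was there from the very beginning; this X-Forwarded-For should have been trusted conditionally from the start.

Right now it is equivalent to a default of "trustedXForwardedFor": ["X-Forwarded-For"]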

RPRX (Member) commented May 17, 2026

@Meo597 How about adding a suitable warning somewhere first, and later making it distrust X-Forwarded-For by default?

mqk233 commented May 17, 2026

Isn't a warning just there to scare people?

Meo597 (Collaborator, Author) commented May 18, 2026

OK, I'll look for a suitable place.
