Skip to content

feat: implement routing based on incoming SNI #5009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

feat: implement routing based on incoming SNI #5009

wants to merge 1 commit into from

Conversation

kastov
Copy link
Contributor

@kastov kastov commented Aug 9, 2025

Hi there,

Currently it is almost impossible to do routing with only one Inbound.

Of course, you can use Dokedomo-Door > Routing > Vless > Routing > Out, but in this case you will still have to have several INCOMING Dokedomo-Doors if I need to route traffic somewhere else.

Simple example:

There is a server called TEST.
We have VLESS Reality, which is configured according to all generally accepted standards on port 443, there is no Nginx/Haproxy/etc in front of it.

And here is the task: from the TEST server to route traffic to the TEST_B, TEST_C servers.
This can be done quite simply, BUT then we will have two Inbound, and they cannot occupy port 443 at the same time.

On the other hand, we can put Nginx/Haproxy in front, as far as I know - putting something in front of Xray in the case of Reality is not recommended, from which I conclude that this method, although in theory it will be working, will be contrary to the principles of Reality.

This small PR adds the ability to define routing rules based on incoming SNI for Trojan+TLS, VLESS+Reality, VLESS+TLS.

With this routing, you will no longer need to create multiple inbounds on different ports if they are completely identical, and will also allow you to leave one single Reality on port 443 and at the same time have full routing capability based on SNI.

{
  "routing": {
    "rules": [
      {
        "type": "field",
        "incomingSni": ["domain:example.com", "sample.com"],
        "outboundTag": "BLOCK"
      }
    ],
    "domainStrategy": "AsIs"
  }
}

@Fangliding
Copy link
Member

in port in SNI in protocol in xxxxx.... 哎。。。
还有这样quic读不出

@Jolymmiles
Copy link
Contributor

in port in SNI in protocol in xxxxx.... 哎。。。 还有这样quic读不出

Could you explain pls?

@patterniha
Copy link
Collaborator

patterniha commented Aug 9, 2025
edited
Loading

I think adding route-id to vless is better idea.

you want to allow the users to choose which server to connect to in the end.

but users have to change the sni to connect to another server! these two things are completely independent of each other.

Anyway, this is also a solution, but i think the correct way is to add route-id to vless.

@Jolymmiles
Copy link
Contributor

I think adding route-id to vless-options is better idea.

you want to allow the users to choose which server to connect to in the end.

but users have to change the sni to connect to another server! these two things are completely independent of each other.

Anyway, this is also a solution, but i think the correct way is to add route-id to vless option.

If user go change sni, user stopping be user. Sni provide proxy provider

@patterniha
Copy link
Collaborator

patterniha commented Aug 9, 2025
edited
Loading

  1. users still can't choose the end-server in non-tls vless

  2. does not work on Xhttp

So I think this PR should be closed.

@RPRX is writing vless-encryption. ask him to write route-id for vless too.

@kastov
Copy link
Contributor Author

kastov commented Aug 9, 2025
edited
Loading

  1. users still can't choose the end-server in non-tls vless
  2. does not work on Xhttp

So I think this PR should be closed.

@RPRX is writing vless-encryption-option. ask him to write route-id-vless-option too.

This feature mostly not for end-users, but for providers.

I don't think that routing-id is an option, because it will be break changing for all clients and other client cores.

@patterniha
Copy link
Collaborator

Anyway, your code is incomplete and does not support Xhttp.

@Jolymmiles
Copy link
Contributor

Anyway, your code is incomplete and does not support Xhttp.

Could you pls show where we should add it in xhhtp, I can't really find it(

@patterniha
Copy link
Collaborator

Anyway, your code is incomplete and does not support Xhttp.

Could you pls show where we should add it in xhhtp, I can't really find it(

Xray-core/transport/internet/splithttp/hub.go

Lines 286 to 291 in 0cceea7

conn := splitConn{
writer: httpSC,
reader: httpSC,
remoteAddr: remoteAddr,
localAddr: h.localAddr,
}

you need to add request.TLS.ServerName, but if we have separate "downloadSettings" with separate "sni", which "sni" should be chosen???

So i close this PR, you should add route-id to vless.

@patterniha patterniha closed this Aug 9, 2025
@kastov
Copy link
Contributor Author

kastov commented Aug 9, 2025

Anyway, your code is incomplete and does not support Xhttp.

Could you pls show where we should add it in xhhtp, I can't really find it(

Xray-core/transport/internet/splithttp/hub.go

Lines 286 to 291 in 0cceea7

conn := splitConn{
writer: httpSC,
reader: httpSC,
remoteAddr: remoteAddr,
localAddr: h.localAddr,
}

you need to add request.TLS.ServerName, but if we have separate "downloadSettings" with separate "sni", which "sni" should be chosen???

So i close this PR, you should add route-id to vless.

No, i don't think that route-id is good option. It will break all backward compability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kastov @Fangliding @Jolymmiles @patterniha