XHTTP + HTTP/3 + CDN
XHTTP was previously known as splitHTTP. HTTP/3 uses udp/443 by default, but Cloudflare cannot support HTTP/3 between Cloudflare and the origin. Therefore the Xray client transmits HTTP/3 over udp/443, while the Xray server receives HTTP/2 or HTTP/1.1.
1. Install and configure Xray server
1.1. Domain name
For the configuration in this article, you will need to purchase a domain name.
Example:
yourdomain.yourtld
Add your domain name to Cloudflare.
1.2. Hostname
Choose a subdomain that will be the hostname for your server.
Example:
yourhost.yourdomain.yourtld
Go to the Cloudflare DNS page for your domain. Add a DNS A record (or AAAA for IPv6) pointing from your subdomain (i.e. hostname) to your virtual private server IP address.
Turn the DNS record's proxy status off for now. The Cloudflare icon for an unproxied record (DNS only) is a gray cloud. Click Save to save the new record you just added.
1.3. Open firewall
Open your server's firewall and/or security groups for input on:
- tcp/80 (for obtaining SSL certificate)
- tcp/443 (for HTTP/2 or HTTP/1.1 proxied from Cloudflare)
1.4. Obtain SSL certificate
SSH into your server as root.
Update your server:
apt update && apt upgrade -y && apt autoremove -y
Make sure nothing is listening on port tcp/80, as it will be used to obtain a standalone SSL certificate.
ss -tulpn
Obtain an SSL certificate using the Automatic Certificate Management Environment (ACME) script. Remember to change the sample hostname (subdomain) in what follows to your actual hostname.
apt install -y curl cron socat
curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --upgrade --auto-upgrade
acme.sh --set-default-ca --server letsencrypt
acme.sh --issue -d yourhost.yourdomain.yourtld --standalone --keylength ec-256
acme.sh --install-cert -d yourhost.yourdomain.yourtld --ecc --fullchain-file /etc/ssl/private/fullchain.cer --key-file /etc/ssl/private/private.key
chown -R nobody:nogroup /etc/ssl/private
acme.sh --renew -d yourhost.yourdomain.yourtld --force --ecc
1.5. Turn on proxying, SSL, and HTTP/3 in Cloudflare
Now you can turn on the final configuration of Cloudflare.
- On the DNS page, turn on your subdomain's proxy status. The Cloudflare icon turns to an orange cloud. Click Save to save your change.
- On the SSL/TLS page, select Custom SSL/TLS, and configure Cloudflare to use the Full (Strict) option for your domain. Click Save to save your change.
- Go to Speed > Optimization > Protocol Optimization. Make sure HTTP/3 (with QUIC) is turned on. If you had to change the setting, click Save to save your change.
After proxying is turned on, you will need to SSH into your server by IP address, not by hostname.
1.6. Install Xray
Install Xray:
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
1.7. Generate UUID
Generate a universally unique id:
xray uuid
Example:
19fd356b-5dc3-44ec-b166-c2b0ea111104
1.8. Generate path
Generate a secret path for xhttp:
< /dev/urandom tr -dc a-z0-9 | head -c${1:-8};echo;
Example:
1loryo44
1.9. Configure server
Since we are using Cloudflare, what the client sends up as HTTP/3 will be received as HTTP/2 or 1.1.
Edit the server configuration file:
vi /usr/local/etc/xray/config.json
Example:
{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "port": 443,
      "listen": "0.0.0.0",
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "19fd356b-5dc3-44ec-b166-c2b0ea111104"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "xhttp",
        "security": "tls",
        "xhttpSettings": {
          "path": "/1loryo44",
          "host": "yourhost.yourdomain.yourtld"
        },
        "tlsSettings": {
          "rejectUnknownSni": true,
          "minVersion": "1.3",
          "alpn": ["h2", "http/1.1"],
          "certificates": [
            {
              "ocspStapling": 3600,
              "certificateFile": "/etc/ssl/private/fullchain.cer",
              "keyFile": "/etc/ssl/private/private.key"
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"]
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ]
}
Replace the sample values in the above with your own values.
Save the file.
1.10. Start service
Restart the Xray systemd service:
systemctl restart xray
Exit your SSH session with the server.
2. Install and configure Xray client
2.1. Install client
Download the client executable from https://github.com/XTLS/Xray-core/releases.
Example:
Xray-windows-64.zip
Extract the .zip file.
2.2. Configure client
Create a client configuration file config.json in the same folder as the Xray client executable.
Example:
{
  "log": {
    "loglevel": "warning"
  },
  "routing": {
    "rules": [
      {
        "ip": ["geoip:private"],
        "outboundTag": "direct"
      }
    ]
  },
  "inbounds": [
    {
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "settings": {
        "udp": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "yourhost.yourdomain.yourtld",
            "port": 443,
            "users": [
              {
                "id": "19fd356b-5dc3-44ec-b166-c2b0ea111104",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "xhttp",
        "security": "tls",
        "xhttpSettings": {
          "path": "/1loryo44",
          "host": "yourhost.yourdomain.yourtld"
        },
        "tlsSettings": {
          "serverName": "yourhost.yourdomain.yourtld",
          "alpn": ["h3"]
        },
        "noGRPCHeader": true
      }
    },
    { "protocol": "freedom", "tag": "direct" }
  ]
}
Replace the sample values in the above with your own values.
Save the file.
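An added example, not part of the original article or the Xray project: a small Python linter that checks that the server and client configurations from sections 1.9 and 2.2 agree on id, path and host, keep the ALPN split this setup relies on (h3 on the client, h2 or http/1.1 at the origin), and no longer contain the sample values printed in this article. The names lint_pair and make_cfgs are hypothetical, and make_cfgs builds constructed minimal configs for the demonstration.

```python
# Sample values printed in the article; they are public, so a live config must not use them.
ARTICLE = ("19fd356b-5dc3-44ec-b166-c2b0ea111104", "/1loryo44", "yourhost.yourdomain.yourtld")
SAMPLE_VALUES = set(ARTICLE)

def lint_pair(server_cfg, client_cfg):
    """Compare the server's first inbound with the client's vless outbound."""
    s_in = server_cfg["inbounds"][0]
    c_out = next(o for o in client_cfg["outbounds"] if o["protocol"] == "vless")
    s_x = s_in["streamSettings"]["xhttpSettings"]
    c_x = c_out["streamSettings"]["xhttpSettings"]
    s_tls = s_in["streamSettings"]["tlsSettings"]
    c_tls = c_out["streamSettings"]["tlsSettings"]
    s_ids = {c["id"] for c in s_in["settings"]["clients"]}
    c_id = c_out["settings"]["vnext"][0]["users"][0]["id"]
    findings = []
    if c_id not in s_ids:
        findings.append("client id is not in the server's clients list")
    for key in ("path", "host"):
        if s_x.get(key) != c_x.get(key):
            findings.append(f"xhttpSettings.{key} differs between server and client")
    if c_tls.get("serverName") != c_x.get("host"):
        findings.append("client serverName does not match the xhttp host")
    if "h3" in s_tls.get("alpn", []):
        findings.append("server alpn lists h3, but the origin only receives h2 or http/1.1")
    if c_tls.get("alpn") != ["h3"]:
        findings.append("client alpn is not ['h3'], so it will not send HTTP/3")
    used = s_ids | {c_id, s_x.get("path"), s_x.get("host")}
    findings += [f"sample value still in use: {v}" for v in sorted(used & SAMPLE_VALUES)]
    return findings

def make_cfgs(uid, path, host, client_path=None):
    """Constructed minimal configs shaped like the article's two examples."""
    def stream(p, tls):
        return {"network": "xhttp", "security": "tls",
                "xhttpSettings": {"path": p, "host": host}, "tlsSettings": tls}
    server = {"inbounds": [{
        "protocol": "vless",
        "settings": {"clients": [{"id": uid}], "decryption": "none"},
        "streamSettings": stream(path, {"alpn": ["h2", "http/1.1"]})}]}
    client = {"outbounds": [{
        "protocol": "vless",
        "settings": {"vnext": [{"address": host, "port": 443,
                                "users": [{"id": uid, "encryption": "none"}]}]},
        "streamSettings": stream(client_path or path,
                                 {"serverName": host, "alpn": ["h3"]})}]}
    return server, client

if __name__ == "__main__":
    print("\n".join(lint_pair(*make_cfgs(*ARTICLE))))
```

To lint real files, parse each config.json with json.load and pass the two resulting dictionaries to lint_pair.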
2.3. Run client
Run the client in a command prompt window.
Example:
cd Downloads\Xray-windows-64
xray.exe -c config.json
Leave the command prompt window open, with xray running in it.
2.4. Install and configure Firefox
Download Firefox browser from https://www.mozilla.org.
Edit Settings > General > Network Settings > Settings.
Set Manual proxy configuration, SOCKS Host 127.0.0.1, Port 10808, SOCKS v5, Proxy DNS when using SOCKS v5.
Browse the web.