
[feature request] Add h2c to XHTTP.

Open deepsm0ke opened this issue 3 months ago • 9 comments

Hi. Thanks for publishing vless encryption for strong data encryption even in non-TLS mode.

I think now is a good time to build and add h2c to XHTTP, but there should be a requirement for vless encryption to be enabled in this mode. The reason and argument for using h2c in XHTTP compared to other transport layers like ws/hu/grpc is the existence of header padding; the nature of http itself and the use of xmux in h2c can also be very good points even in non-TLS mode (I emphasize again, provided that vless encryption is enabled).

I would be happy to hear the xray team's and people's opinions.

deepsm0ke avatar Sep 06 '25 06:09 deepsm0ke

dup #4875

Fangliding avatar Sep 06 '25 06:09 Fangliding

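XHTTP's header padding only makes sense when the outer layer is TLS/REALITY; otherwise everything is visible anyway, and padding or not makes no difference.

However, now that VLESS has Encryption, this topic can continue. Reopening as a reminder to ban unencrypted public-network traffic by default; let's ban it in 2026.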

RPRX avatar Sep 06 '25 12:09 RPRX

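XHTTP's header padding only makes sense when the outer layer is TLS/REALITY; otherwise everything is visible anyway, and padding or not makes no difference.

However, now that VLESS has Encryption, this topic can continue. Reopening as a reminder to ban unencrypted public-network traffic by default; let's ban it in 2026.

What he means is adding h2c. There is no h2c right now; without TLS it is h1, and VLESS enc doesn't encrypt the XHTTP stuff either.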

Fangliding avatar Sep 06 '25 12:09 Fangliding

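I know, but once unencrypted public-network traffic is banned by default in 2026, the "this thing is insecure" point mentioned in https://github.com/XTLS/Xray-core/issues/4875#issuecomment-3049602566 will no longer apply.

As long as the inner layer is VLESS Encryption, an attacker modifying the outer plaintext XHTTP will not affect the security of the proxied data.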

RPRX avatar Sep 06 '25 12:09 RPRX

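Then the original issue probably also meant pairing it with vmess. What I understood by "insecure" is that plaintext plus that pile of conspicuous XHTTP parameters gets blocked the instant it shows up, and a new proxy protocol can't change that either. Does this mean adding h2c in 2026?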

Fangliding avatar Sep 06 '25 12:09 Fangliding

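Iran has its own national circumstances: it throttles TLS but leaves plaintext HTTP alone, which forces you to use it. On top of that, Iran has a clock-sync problem (I don't really understand what the problem is; apparently some default timekeeping standard makes timestamps off by half a day? @gfw-killer ), so encryption that requires clock sync can't be used, and as a result everyone uses plaintext VLESS.

What I mean is that if this had been opened up earlier, many people would have started using XHTTP h2c + plain VLESS, which is insecure, but with Encryption released and unencrypted public-network traffic banned it will be fine.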

RPRX avatar Sep 06 '25 12:09 RPRX

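vmess could get a clock sync added, but the thought of someone yet again customizing sockopt and throwing in a dialer and all sorts of mess gives me a headache.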

Fangliding avatar Sep 06 '25 14:09 Fangliding

On top of that, Iran has a clock-sync problem (I don't really understand what the problem is; apparently some default timekeeping standard makes timestamps off by half a day? @gfw-killer

The time difference is 1 hour. It's because on 22 September 2022 Iran cancelled Daylight Saving Time (DST). Devices and operating systems with no newer update can't connect to VMESS (even changing the time manually didn't work on Android; only SB/Mihomo NTP works to fix VMESS on those Android devices). But Encrypted VLESS should be fine. Thank you for this.

But for H2C, I made the same issue, but VLESS had no PQ Encryption at that time. But now it's ready. I think it's a good time to support non-TLS combinations, but limit it to Encrypted VLESS only.

gfw-killer avatar Sep 06 '25 14:09 gfw-killer

but limit to the Encrypted VLESS only

I agree with this part of gfw-killer's statement. When a client wants to connect using non-TLS, they must be required to use VLESS Encryption, otherwise the xray-core will not allow the connection.

deepsm0ke avatar Sep 13 '25 08:09 deepsm0ke
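
The rule proposed in the last comment (no TLS/REALITY outer layer means VLESS Encryption must be on) can be checked against a client config before it is deployed. The following is an added example, not code from Xray-core or from anyone in the thread; it assumes the `vnext`-style outbound layout and, unlike the "public network" wording earlier in the thread, does not distinguish local from public addresses. `LintPlaintext` and the sample config are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of an Xray-style client config: only the fields this check reads.
type outbound struct {
	Tag, Protocol string
	Settings      struct {
		Vnext []struct {
			Address string
			Users   []struct{ Encryption string }
		}
	}
	StreamSettings struct{ Security string }
}

// Constructed sample; "ENC-PLACEHOLDER" stands in for a real VLESS Encryption string.
const sample = `{"outbounds":[{"tag":"plain","protocol":"vless",
 "streamSettings":{"network":"xhttp","security":"none"},
 "settings":{"vnext":[{"address":"proxy.example.com","users":[{"encryption":"none"}]}]}},
{"tag":"enc","protocol":"vless","streamSettings":{"network":"xhttp","security":"none"},
 "settings":{"vnext":[{"address":"proxy.example.com","users":[{"encryption":"ENC-PLACEHOLDER"}]}]}},
{"tag":"tls","protocol":"vless","streamSettings":{"network":"xhttp","security":"tls"},
 "settings":{"vnext":[{"address":"proxy.example.com","users":[{"encryption":"none"}]}]}}]}`

// LintPlaintext returns tags of VLESS outbounds with neither an outer TLS/REALITY layer nor inner encryption.
func LintPlaintext(raw []byte) (bad []string, err error) {
	var c struct{ Outbounds []outbound }
	if err = json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	for _, o := range c.Outbounds {
		sec := o.StreamSettings.Security
		if o.Protocol != "vless" || sec == "tls" || sec == "reality" {
			continue // not VLESS, or already inside an encrypted outer layer
		}
		for _, v := range o.Settings.Vnext {
			for _, u := range v.Users {
				if u.Encryption == "" || u.Encryption == "none" {
					bad = append(bad, o.Tag)
				}
			}
		}
	}
	return bad, nil
}

func main() { fmt.Println(LintPlaintext([]byte(sample))) }
```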