v2ray: switch to xhttp

nixos/client-apps/v2ray.nix

@@ -29,6 +29,58 @@ let
       loglevel = "warning";
     };
     outbounds = [
+      {
+        protocol = "vless";
+        settings.vnext = [
+          {
+            address = LT.hosts."bwg-lax".public.IPv4;
+            port = 443;
+            users = [
+              {
+                id = {
+                  _secret = config.age.secrets.v2ray-key.path;
+                };
+                encryption = "none";
+              }
+            ];
+          }
+        ];
+        streamSettings =
+          let
+            network = "xhttp";
+            security = "tls";
+            tlsSettings = {
+              serverName = "lantian.pub";
+              fingerprint = "firefox";
+            };
+            xhttpSettings = {
+              host = "lantian.pub";
+              path = "/ray";
+              xmux = {
+                maxConcurrency = 128;
+                hMaxRequestTimes = 86400;
+                hMaxReusableSecs = 86400;
+              };
+            };
+          in
+          {
+            inherit network security tlsSettings;
+            xhttpSettings = xhttpSettings // {
+              mode = "stream-up";
+              downloadSettings = {
+                address = LT.hosts."bwg-lax".public.IPv4;
+                port = 443;
+                inherit
+                  network
+                  security
+                  tlsSettings
+                  xhttpSettings
+                  ;
+              };
+            };
+          };
+        tag = "proxy";
+      }
       {
         protocol = "freedom";
         settings.domainStrategy = "UseIPv4";
@@ -39,30 +91,6 @@ let
         settings.response.type = "none";
         tag = "blackhole";
       }
-      {
-        protocol = "trojan";
-        settings.servers = [
-          {
-            address = LT.hosts."bwg-lax".public.IPv4;
-            port = 443;
-            password = {
-              _secret = config.age.secrets.v2ray-key.path;
-            };
-          }
-        ];
-        streamSettings = {
-          network = "httpupgrade";
-          security = "tls";
-          tlsSettings = {
-            serverName = "lantian.pub";
-            fingerprint = "firefox";
-          };
-          httpupgradeSettings = {
-            path = "/ray?ed=2560";
-          };
-        };
-        tag = "proxy";
-      }
     ];
     policy.levels."0" = {
       connIdle = 86400;
@@ -80,12 +108,12 @@ let
         }
         {
           domain = [ "geosite:cn" ];
-          outboundTag = "proxy";
+          outboundTag = "direct";
           type = "field";
         }
         {
           ip = [ "geoip:cn" ];
-          outboundTag = "proxy";
+          outboundTag = "direct";
           type = "field";
         }
       ];

nixos/common-apps/nginx/vhost-options/location-options.nix

@@ -78,6 +78,28 @@ let
         proxy_redirect off;
         chunked_transfer_encoding off;
       '')
+      + (lib.optionalString (config.grpcPass != null) ''
+        grpc_pass ${config.grpcPass};
+
+        grpc_set_header Host ${
+          if config.proxyOverrideHost != null then config.proxyOverrideHost else "$host"
+        };
+        grpc_set_header X-Real-IP ${if config.proxyHideIP then "127.0.0.1" else "$remote_addr"};
+        grpc_set_header X-Forwarded-For ${if config.proxyHideIP then "127.0.0.1" else "$remote_addr"};
+        grpc_set_header X-Forwarded-Host $host:${LT.portStr.HTTPS};
+        grpc_set_header X-Forwarded-Proto $scheme;
+        grpc_set_header X-Forwarded-Server $host;
+        grpc_set_header X-Scheme $scheme;
+        grpc_set_header X-Original-URI $request_uri;
+
+        grpc_set_header LT-SSL-Cipher $ssl_cipher;
+        grpc_set_header LT-SSL-Ciphers $ssl_ciphers;
+        grpc_set_header LT-SSL-Curves $ssl_curves;
+        grpc_set_header LT-SSL-Protocol $ssl_protocol;
+        grpc_set_header LT-SSL-Early-Data $ssl_early_data;
+        # Compatibility with common recommendations
+        grpc_set_header Early-Data $ssl_early_data;
+      '')
       + (lib.optionalString config.proxyWebsockets ''
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
@@ -88,7 +110,7 @@ let
         client_body_timeout 52w;
         client_max_body_size 0;
         grpc_read_timeout 52w;
-        grpc_set_header X-Real-IP $remote_addr;
+        grpc_send_timeout 52w;
         keepalive_timeout 52w;
         proxy_connect_timeout 60;
         proxy_read_timeout 52w;
@@ -180,6 +202,14 @@ in
         recommendedProxySettings is enabled.
       '';
     };
+    grpcPass = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      example = "http://www.example.org/";
+      description = ''
+        Adds grpc_pass directive and sets recommended proxy headers.
+      '';
+    };
     proxyOverrideHost = lib.mkOption {
       type = lib.types.nullOr lib.types.str;
       default = null;

nixos/common-apps/nginx/vhost-options/vhost-options.nix

@@ -67,8 +67,7 @@ let
           '';
 
           "/ray" = {
-            proxyPass = "http://unix:/run/v2ray/v2ray.sock";
-            proxyWebsockets = true;
+            grpcPass = "unix:/run/v2ray/v2ray.sock";
             proxyNoTimeout = true;
             extraConfig = ''
               access_log off;

nixos/server-apps/v2ray.nix

@@ -12,15 +12,16 @@ let
       {
         listen = "/run/v2ray/v2ray.sock";
         port = 0;
-        protocol = "trojan";
+        protocol = "vless";
         settings = {
           clients = [
             {
-              password = {
+              id = {
                 _secret = config.age.secrets.v2ray-key.path;
               };
             }
           ];
+          decryption = "none";
         };
         sniffing = {
           destOverride = [
@@ -31,9 +32,9 @@ let
           enabled = true;
         };
         streamSettings = {
-          network = "httpupgrade";
-          security = "none";
-          httpupgradeSettings = {
+          network = "xhttp";
+          xhttpSettings = {
+            mode = "stream-up";
             path = "/ray";
           };
         };