How to install NGINX+Vless+gRPC+CDN to Ubunutu server. Nginx+gRPC+xui+CDN+Vless/vmess/trojan

About this video

• Video Title: How to install NGINX+Vless+gRPC+CDN to Ubunutu server. Nginx+gRPC+xui+CDN+Vless/vmess/trojan
• Channel: Xmandar
• Speakers: None explicitly named
• Duration: 00:04:42

Overview

This video provides a step-by-step guide on how to install and configure NGINX with Vless, gRPC, and a CDN on an Ubuntu server. The setup aims to enhance X-ray VPN server connections by hiding traffic behind NGINX on port 443, bypassing filtering and censorship. The tutorial covers server updates, NGINX and certbot installation, website configuration, SSL certificate generation, and the setup of the xui panel for managing VPN services.

Key takeaways

• Server Preparation: Update and upgrade the Ubuntu server using standard commands before proceeding with installations.
• NGINX and Certbot Installation: Install NGINX and Certbot for web serving and SSL certificate management.
• Website Configuration: Configure NGINX to serve the website, ensuring DNS records are set up with a CDN (like Cloudflare) and SSL/TLS is enabled in Full mode.
• SSL Certificate Generation: Use Certbot to obtain a free SSL certificate for the website and set up redirection to HTTPS.
• XUI Panel Setup: Install and configure the xui panel, setting a username, password, and port for access.
• Inbound Configuration: Within the xui panel, add an inbound configuration for Vless protocol using gRPC, ensuring the service name matches the website configuration.
• Client Configuration: Copy the generated client configuration and adjust settings like address, port (to 443), and SNI for the V2Ray client.

Before setting up NGINX with Vless+gRPC+CDN on an Ubuntu server, the following prerequisites are mentioned:

• A Linux Ubuntu Server.
• A DNS record of type A with CDN configured.
• In Cloudflare's SSL/TLS settings, the encryption mode should be set to "Full" or "Full (strict)".
• In the network tab of Cloudflare, HTTP/2 and gRPC should be enabled.

The SSL certificate is obtained and configured using Certbot. The process involves:

1. Installation: Certbot is installed alongside NGINX using a specific command.
2. Acquisition: Certbot is then used to get a free SSL certificate for the website, which is valid for 89 days.
3. Configuration: During the Certbot process, when prompted, it's recommended to choose option 'A' to agree and proceed. Option '2' should be selected to redirect all traffic to HTTPS.
4. NGINX Configuration Update: After Certbot obtains the SSL certificate, the NGINX configuration file needs to be edited. The listen directive is updated to include http2 alongside ssl for IPv4 and IPv6.
5. Service Restart: Finally, the NGINX service is restarted to apply the configuration changes, including the newly obtained SSL certificate.

Within the xui panel, for the Vless protocol with gRPC, the following specific settings need to be configured:

• Protocol: Select "Vless".
• Inbound IP: Set to 127.0.0.1.
• Inbound Port: Set to 2002 (this is the port for the gRPC pass).
• User: Add a user.
• Network: Change to "grpc".
• Service Name: This should be set to match the grpc location that was pasted into the website's NGINX configuration. It's crucial that the service name here is identical to the one used in the NGINX configuration for the gRPC location.

To connect through the NGINX+gRPC setup using a client like V2RayNG, the following modifications are necessary for the client configuration:

• Address: Change the address to your website's domain or sub-domain name.
• Port: Change the port to 443, which is the NGINX port.
• TLS: Turn on TLS.
• SNI: In the SNI section, enter your website's domain name.

The video details the configuration process for setting up NGINX with Vless, gRPC, and a CDN on an Ubuntu server to enhance X-ray VPN connections. Here's a breakdown of the configurations and nuances:

1. Server Preparation:

• Update and Upgrade: The first step is to update and upgrade the Ubuntu server using sudo apt update && sudo apt upgrade -y. This ensures all system packages are current.
• Install NGINX and Certbot: NGINX is installed as the web server, and Certbot is installed to manage SSL certificates. This is done with a command like sudo apt install nginx certbot python3-certbot-nginx -y.

2. Cloudflare CDN Configuration:

• DNS Record: A DNS record of type 'A' must be created, pointing to your server's IP address, and proxied through Cloudflare (indicated by the orange cloud).
• SSL/TLS Settings: Crucially, the SSL/TLS encryption mode in Cloudflare must be set to "Full" or "Full (strict)". The video specifically mentions "Full".
• Network Settings: Within Cloudflare's network settings, HTTP/2 and gRPC must be enabled.

3. NGINX Configuration:

• Default Configuration: The default NGINX configuration file (/etc/nginx/sites-available/default) is edited.
• Removing Default Server Block: The initial server block that listens on port 80 is often removed or commented out.
• Website Configuration: The server_name is set to your domain or subdomain.
• SSL Configuration: The listen directive is configured to listen on port 443 with ssl http2.
• gRPC Configuration: A specific location block is added for gRPC. This block is critical:
  • It uses proxy_pass to direct gRPC traffic to the internal service (e.g., http://127.0.0.1:2002).
  • grpc_set_header X-Forwarded-For and grpc_set_header Host are used to pass relevant information.
  • A grpc_read_timeout and grpc_send_timeout are often set.
  • Crucially, the service name within this location block must match the service name configured in the xui panel.

4. SSL Certificate Acquisition:

• Certbot Command: sudo certbot --nginx -d your_domain.com (replace your_domain.com with your actual domain).
• Redirection: When Certbot asks about redirecting HTTP traffic to HTTPS, choose the option to redirect (usually option 2).

5. XUI Panel Setup:

• Installation: The xui panel is installed via a script, often involving answering prompts for username, password, and the port to access the panel (e.g., 12345).
• Inbound Configuration (Vless + gRPC):
  • Add Inbound: Navigate to the "Inbounds" section and click "Add Inbound".
  • Protocol: Select "Vless".
  • Address: Set to 127.0.0.1.
  • Port: Set to 2002 (this is the port NGINX proxies to for gRPC).
  • User: Create a user account.
  • Network: Set to "grpc".
  • Service Name: This is the most critical part. It must exactly match the service name defined in the NGINX location block for gRPC.

6. Client Configuration (V2RayNG Example):

• Address: Your domain name.
• Port: 443.
• Users: User details (UUID, etc.).
• Transport Settings:
  • Network: grpc.
  • gRPC Service Name: Must match the service name configured in NGINX and xui.
  • TLS: Enabled.
  • SNI: Your domain name.

---

Why your Vless gRPC through Yandex CDN might not work (without WebSocket support and using gRPC instead):

The core issue is likely how Yandex CDN (or any CDN) handles and forwards gRPC traffic compared to how your server expects it.

1. gRPC is not HTTP: While gRPC runs over HTTP/2, it's a distinct protocol with specific framing and header requirements that differ from standard HTTP requests.

   • NGINX's Role: Your NGINX server is configured to understand and proxy gRPC traffic to your internal xui service on port 2002.
   • CDN's Role: CDNs primarily act as HTTP proxies. When you enable gRPC support on a CDN, it means the CDN is capable of forwarding gRPC requests to the origin server. However, the CDN itself might not be performing a deep inspection or modification of the gRPC stream in the same way it would for HTTP.

2. Lack of gRPC Forwarding: If Yandex CDN doesn't explicitly support forwarding gRPC traffic from the CDN edge to your origin server as a distinct protocol, it might try to treat it as a generic TCP or HTTP/2 stream, which can break the gRPC connection.

   • The Problem: You selected gRPC because you couldn't use WebSocket. This implies that Yandex CDN might not offer direct gRPC tunneling or it might be configured in a way that doesn't align with your origin server's expectations.
   • CDN as a Middleman: The CDN is supposed to receive the client's request, forward it to your server (the origin), and then relay the server's response back to the client. If the CDN doesn't correctly handle the gRPC protocol in its forwarding mechanism, the connection breaks.

3. WebSocket vs. gRPC:

   • WebSocket: Is a well-established protocol for persistent bidirectional communication over a single TCP connection. CDNs generally have robust support for WebSocket proxying.
   • gRPC: While it uses HTTP/2, its specific implementation and framing might require more specialized handling by intermediate proxies. If the CDN only supports basic HTTP/2 proxying without full gRPC protocol awareness, it can fail.

4. Configuration Mismatch:

   • Service Name: The service name in your NGINX and xui configuration is vital. If this doesn't match, the gRPC connection will fail. Ensure it's identical.
   • Port: Ensure NGINX is listening on 443 with HTTP/2 and SSL, and that it's correctly proxying to 127.0.0.1:2002 for gRPC.
   • Client Settings: Verify the client is configured with grpc network, the correct service name, and TLS enabled with the correct SNI.

To troubleshoot:

• Check CDN Documentation: See if Yandex CDN explicitly supports gRPC proxying and what specific configurations are needed on their end. Sometimes, specific headers or settings are required.
• Test Without CDN: Temporarily bypass Yandex CDN and connect directly to your server's IP address (using port 443 and your domain, if DNS is set up) to see if the gRPC connection works without the CDN. This helps isolate the issue.
• Examine NGINX Logs: Check /var/log/nginx/error.log for any errors related to gRPC or proxying.
• Examine XUI Logs: If xui has logging capabilities, check them for connection errors.
• Simplify: Try a simpler setup first, perhaps without the CDN, to ensure the core NGINX + Vless + gRPC is working.

In essence, gRPC requires more specific handling than standard HTTP requests. If your CDN doesn't fully support or correctly proxy gRPC traffic to your origin server, your connection will likely fail. The video's success relies on Cloudflare's robust gRPC support.