feat: SNI routing v2, PROXY protocol, monitoring improvements #7
Merged
…bfs rendering
- Remove legacy `singbox_dns_servers` with `address:` prefix format (deprecated in 1.12)
- Add `singbox_dns_strategy` and `singbox_dns_final` variables for new format
- Update config.json.j2 to use variables instead of hardcoded DNS strategy
- Wrap `obfs` block in conditional: only render when obfs_enabled and obfs_password set
- Add tasks/*.yml and defaults/secrets.yml.example (new sing-box role files)
Feature/singbox role refactor
…dling
- Introduce `singbox_dns_strategy` and `singbox_dns_final` for improved DNS format compliance
- Update `config.json.j2` to utilize new variables instead of deprecated formats
- Conditional rendering of `obfs` block based on `obfs_enabled` and `obfs_password` settings
- Add new role files in tasks/*.yml and defaults/secrets.yml.example
feat: add sing-box role + README
- New role: raven_subscribe — standalone subscription server deployment, decoupled from xray/sing-box playbooks. Supports per-inbound host/port overrides (inbound_hosts, inbound_ports) for unified media.zirgate.com routing.
- New role: nginx_frontend — TLS proxy on EU server (media.zirgate.com), listens on 8443 (not 443, reserved by Xray Reality). Adds nginx stream TCP relay on port 8445 → 127.0.0.1:443 for VLESS Reality passthrough.
- New role: relay — nginx reverse proxy on RU VPS (zirgate.com/my.zirgate.com), TCP stream relay on 8444 → EU:8445 for VLESS Reality via RU server.
- xray role: remove raven_subscribe vars/tasks (moved to raven_subscribe role), fix DNS query strategy UseIP → UseIPv4 to avoid IPv6 unreachable errors.
- sing-box: update hysteria2 default port 8443 → 8444 (8443 now used by nginx_frontend).
- raven-subscribe config.j2: add balancer_strategy/probe_url/probe_interval fields.
- .gitignore: add **/*_secrets.yml pattern for raven_subscribe secrets files.
feat: extract raven_subscribe, nginx_frontend, relay into separate Ansible roles
…ides
- Add nginx_frontend and relay roles to What you get list
- Update Quick Start: separate secrets files per role, separate deploy commands
- Update Secrets section: document raven_subscribe/defaults/secrets.yml with inbound_hosts/inbound_ports example
- Update Configuration: add xray_dns_query_strategy, raven_subscribe_inbound_hosts/ports
- Update Architecture: show full EU+RU server topology and client connection flow
- roles/xray/README.md: remove xray_vless_default_flow (removed from templates)
docs: update README for multi-role architecture and per-inbound overr…
- Rewrite README.md with full architecture diagrams, role reference, secrets docs, DNS setup, VLESS Encryption and Hysteria2 sections
- Add README.ru.md (Russian translation, full parity with EN)
- Add roles/hosts.yml.example (safe template, no real IPs/usernames)
- Replace all personal domains (zirgate.com) with example.com in defaults, templates, inventory files, and playbook comments
- Remove leftover draft files: roles/xray/exampl/ directory
- Remove unused roles/xray/tasks/raven_subscribe.yml (moved to separate role)
- Fix role_nginx_frontend.yml and role_relay.yml: use inventory group names (eu/relay) instead of personal host names (vm_my_srv/vm_my_ru)
docs: prepare repo for public release
Both VPN protocols (VLESS+Reality TCP and VLESS+XHTTP+Reality) now share port 443 via nginx stream ssl_preread SNI routing on both EU and RU servers.
EU server:
- nginx stream :443 routes by SNI: www.adobe.com → Xray XHTTP (:2053), media.zirgate.com → nginx HTTPS (:8443), default → Xray Reality (:4443)
- Xray inbounds bind 127.0.0.1 (no longer exposed directly)
- XHTTP Reality dest changed to www.adobe.com with xPaddingBytes
RU relay:
- Single stream :443 routes by SNI: zirgate.com/my.zirgate.com → local nginx HTTPS (:8443), everything else → EU:443
- Removed separate per-protocol stream ports (8444, 2053)
nginx_frontend HTTPS: removed XHTTP proxy location (now handled by stream)
Raven-subscribe: updated inbound_ports comments for port 443
…ra domains
- xray XHTTP scMaxPacketSize: 50000 → 1048576 (1MB) — reduces HTTP round-trips
- relay stream: add relay_extra_eu_https_domains for SNI routing to EU:8443 (used when a domain's DNS is moved to RU but cert is on EU nginx)
…sites-enabled
- relay stream: remove relay_extra_eu_https_domains (no longer needed)
- nginx_frontend: deploy HTTPS config to sites-enabled/ instead of conf.d/ (nginx.conf on EU only includes sites-enabled/)
- New role roles/wireguard: installs wireguard-tools, deploys wg0 on EU (10.10.0.1) and RU (10.10.0.2), PersistentKeepalive=25s
- role_wireguard.yml playbook applies to both vm_my_srv and vm_my_ru
- monitoring: remove ssh_tunnel_ru task/handler/vars; node_exporter on RU now binds to 10.10.0.2:9100 (WireGuard iface); VictoriaMetrics scrapes RU via 10.10.0.2:9100 instead of SSH tunnel 127.0.0.1:19100
- monitoring/node_exporter: add ufw allow from 10.10.0.0/24 for RU
- role_monitoring.yml: apply role to both EU and RU hosts; EU-only components (VictoriaMetrics, Grafana, exporters) guarded by when
Xray requires non-empty email for StatsService per-user counters. If user.email is missing or blank, use user.id instead. Applies to 200-in-vless-reality, 210-in-xhttp, 230/240-in-*-users.
GitHub /releases/latest returns enterprise release (no single-node
tarball). Switch to /releases list and find first release that has
victoria-metrics-linux-{arch}-vX.Y.Z.tar.gz (non-enterprise, non-cluster).
Also fix task order: detect arch before fetching releases list.
server-status: add unique_users (stat), total_connections (stat), routing requests rate (freedom vs blocked), Xray heap memory timeseries. xray-users-traffic: replace cumulative counter tables with bar gauges using increase($__range) — shows traffic per user for selected period.
…ibe monitoring, Grafana alerts
- xray-stats-exporter: add xray_inbound_uplink/downlink_bytes_total metrics by querying inbound>>> pattern alongside user>>> in StatsService
- scrape.yml: add raven-subscribe job scraping /health (up=0 on failure)
- dashboards: add inbound traffic panels and sort_desc on user top charts
- server-status: add Raven-subscribe UP/DOWN status and latency panels
- grafana-alerting.yml: provision 5 alert rules (xray down, raven-subscribe down, EU/RU server down, EU disk >85%)
Geo metrics (country/city) not available — Xray access.log shows 127.0.0.1 after nginx proxy_protocol was added. Removed geo row and shifted inbound panels up.
…t ports
- Fix architecture diagrams: SNI routing on :443, ports 4443/2053/8443
- Add nginx_frontend PROXY protocol notes and deploy order warning
- Add monitoring role description (xray-stats-exporter, VictoriaMetrics, Grafana)
- Add Monitoring section with Grafana dashboard and alerting description
- Update nginx_frontend and relay config variable tables
- Add xray-stats-exporter to Related Projects
- Sync README.ru.md with EN changes
findias added a commit that referenced this pull request Apr 4, 2026
feat: SNI routing v2, PROXY protocol, monitoring improvements
Summary
- `proxy_protocol on` — real client IPs passed to Xray via PROXY protocol v2 (`xver: 2`)
- `xray_inbound_uplink/downlink_bytes_total`
- `--log-path`, `--geo-city-db`, `--geo-asn-db`
Deploy order (CRITICAL)
When deploying nginx_frontend and Xray inbounds together — always deploy Xray first (`--tags xray_inbounds`), then nginx. nginx starts sending PROXY protocol headers immediately; Xray must be ready to accept them (`xver: 2`).
Test plan
- `xray_up 1` in exporter metrics
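Why the deploy order above matters, as an added example (not code from this PR, nginx or Xray): a minimal PROXY protocol header parser showing that a backend not yet configured for the header sees non-TLS bytes at the start of the stream, while a configured one recovers the client address. It also handles the v1 text form, which goes beyond the v2 case the summary names; the client address and TLS bytes are constructed sample values.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

def build_v2_tcp4(src, sport, dst, dport):
    """Build a v2 header for TCP over IPv4 (constructs the sample input)."""
    body = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
    return V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body

def split_proxy_header(data):
    """Return ((client_ip, client_port) or None, payload after the header)."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
        body, rest = data[16:16 + length], data[16 + length:]
        if ver_cmd >> 4 != 2 or len(body) != length:
            raise ValueError("malformed v2 header")
        if ver_cmd & 0x0F == 0:           # LOCAL command: no client address
            return None, rest
        if fam == 0x11 and length >= 12:  # IPv4: src(4) dst(4) sport(2) dport(2)
            return (str(ipaddress.IPv4Address(body[:4])),
                    struct.unpack("!H", body[8:10])[0]), rest
        if fam == 0x21 and length >= 36:  # IPv6: src(16) dst(16) sport(2) dport(2)
            return (str(ipaddress.IPv6Address(body[:16])),
                    struct.unpack("!H", body[32:34])[0]), rest
        raise ValueError("unsupported address family")
    if data.startswith(b"PROXY "):        # v1 text: PROXY TCP4 src dst sport dport
        line, sep, rest = data.partition(b"\r\n")
        fields = line.decode("ascii").split(" ")
        if sep and fields[1] == "UNKNOWN":
            return None, rest
        if not sep or len(fields) != 6:
            raise ValueError("malformed v1 header")
        return (fields[2], int(fields[4])), rest
    return None, data                     # no header: direct connection

def looks_like_tls(data):
    """A TLS handshake record starts with type 0x16, major version 0x03."""
    return data[:2] == b"\x16\x03"

# Constructed sample: start of a TLS record, documentation-range client IP.
TLS_START = b"\x16\x03\x01\x00\x05hello"
WIRE = build_v2_tcp4("203.0.113.7", 51234, "127.0.0.1", 4443) + TLS_START

if __name__ == "__main__":
    print(looks_like_tls(WIRE), split_proxy_header(WIRE))
```

A listener that trusts this header should accept it only from the proxy's own address (here 127.0.0.1), since any client that can reach the port directly can otherwise supply an arbitrary source address.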