A Brief Analysis of Fallbacks
In the process of using Xray, you must have heard about the [Fallback] function countless times. This article will briefly explain the logic and usage of this function.
1. Reviewing Fallbacks in the "Beginner's Guide"
If you used the Xray Configuration from the Beginner's Guide and completed the HTTP to HTTPS Redirection Optimization, then you already have a simple fallback based on the VLESS protocol:
{
"inbounds": [
{
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
// ... ...
],
"decryption": "none",
"fallbacks": [
{
"dest": 8080 // Default fallback to the probe-resistant proxy/service
}
]
},
"streamSettings": {
// ... ...
}
}
]
}2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
How do we explain this configuration in plain language?
Xray's
[inbound port]is443This means
Xrayis responsible for listening toHTTPStraffic on port443.Xray's
[inbound protocol]isvlessOnly traffic using the
vlessprotocol will flow intoXrayfor further processing.WARNING
Note: The
VLESSlightweight protocol was originally developed to introduce the fallback function to cores likexrayandv2fly, while reducing redundant verification/encryption. (Of course, as of now, thetrojanprotocol inxrayalso fully supports the fallback function.)The
[fallback dest]is8080After
Xrayaccepts traffic on port443, traffic belonging to thevlessprotocol is processed internally byXrayand forwarded to the outbound module. Traffic that is notvlessprotocol is forwarded to port8080.WARNING
Q: Is it singular or plural?
A: Some sharp students may have noticed that in the configuration file, the keys are plural (
inbounds,fallbacks), but when I explain them, I use the singular (inbound,fallback). Why?Because the plural form in the configuration file indicates that
xraysupports N elements of the same level (i.e., N inbounds, M fallbacks, etc.). In the example analysis above, we are referring to just one of them, so I used the singular.Traffic falling back to port
8080is handled by a subsequent programIn the example from the Beginner's Guide, port
8080is handled byNginx, which finds and displays the Red Panda webpage based on its configuration.Summary: The complete data route for the simplest fallback in the Beginner's Guide is as follows:
2. Re-understanding Fallbacks (WHAT, HOW v1)
Based on the example above, you should understand what a fallback is (What) and how it works (How). Simply put, it involves these elements:
- The Time of fallback is after traffic enters the
Xray Listening Port. - The Basis for fallback is traffic characteristics like
Protocol Type. - The Target of fallback is a specific
Port. - The traffic being fallen back is taken over by a subsequent program listening on the
Fallback Port.
3. Why Use Fallbacks (WHY v1)
Initially, it was to defend against [Active Probing].
Active Probing: To put it simply and crudely, this refers to external parties sending specific network requests and interpreting the server's response to guess whether the server is running proxy tools like xray, v2fly, or shadowsocks. Once accurately identified, the server may be interfered with or blocked.
The reason interpretation is possible based on server responses is that a complete data request involves many steps of data exchange, and each step produces certain software signatures. In plain English:
- A normal website response will definitely [HAVE] signatures of Web services/databases like
Nginx,Apache,MySQL, etc. - A normal website response will definitely [NOT HAVE] signatures of proxy tools like
xray,v2fly,shadowsocks, etc.
Therefore, when we provide the [Fallback] function to Xray (as in the example above, falling back to Nginx), the result when facing any probing request is:
- Probing traffic cannot master your
VLESSsecrets/elements, so it will all fall back toNginx. - Since probing traffic falls back into
Nginx, the VPS server's response will definitely [HAVE]Nginxsignatures. - Because
Xrayitself does not respond to probing traffic, the VPS response will definitely [NOT HAVE]Xraysignatures.
Thus, the [Fallback] function solves the security risk of the server being [Actively Probed] from the logic of data interaction.
4. Re-understanding the [Perfect Form of Fallback] (WHAT, WHY, HOW v2)
Why do we need to understand fallbacks again? Because the above only explains the initial version of fallbacks based on "protocols" for resisting [Active Probing].
During the continuous development and iteration of the VLESS protocol and fallback function by RPRX, it was discovered that fallbacks could be much more flexible and powerful. As long as the premise of resisting [Active Probing] is met, by fully utilizing the information in the first data packet, multi-element and multi-level fallbacks (such as path, alpn, etc.) can be achieved.
Based on this development philosophy, the [Fallback] function has gradually grown into its current "Perfect Form," completing the evolution from Pure Camouflage --> WS Shunting --> Multi-protocol Multi-feature Shunting. The final version has even completely replaced the shunting functions that previously required Web servers or other tools. Moreover, since the aforementioned [Fallback/Shunting] processing is completed at the first packet judgment stage with millisecond-level speed and does not involve any data manipulation, there is almost no process loss.
Therefore, the [Complete Fallback Function] in Xray now possesses the following attributes:
- Secure: Fully resists active probing attacks.
- Efficient: Almost zero performance loss.
- Flexible: Flexible data shunting, reuse of common ports (like 443).
Mr. Wordy
Although explaining it in multiple rounds seems tedious, only by peeling it back layer by layer can we fully demonstrate the unique power of the [Perfect Form of Fallback]!
5. Multi-layer Fallback Example and Interpretation
Now that you understand what the [Perfect Form of Fallback] is, you can get your hands dirty configuring multi-layer fallbacks.
5.1 First, I will extract the server-side configuration for port 443 as follows
{
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "", // Fill in your UUID
"flow": "xtls-rprx-vision",
"level": 0,
"email": "love@example.com"
}
],
"decryption": "none",
"fallbacks": [
{
"dest": 1310, // Default fallback to Xray's Trojan protocol
"xver": 1
},
{
"path": "/websocket", // Must be changed to your custom PATH
"dest": 1234,
"xver": 1
},
{
"path": "/vmesstcp", // Must be changed to your custom PATH
"dest": 2345,
"xver": 1
},
{
"path": "/vmessws", // Must be changed to your custom PATH
"dest": 3456,
"xver": 1
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"alpn": ["http/1.1"],
"certificates": [
{
"certificateFile": "/path/to/fullchain.crt", // Absolute path to your certificate
"keyFile": "/path/to/private.key" // Absolute path to your private key
}
]
}
}
}2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
How do we explain this configuration in plain language?
Xray's
[inbound port]is443This means
Xrayis responsible for listening toHTTPStraffic on port443and uses theTLScertificate set undercertificatesfor verification.Xray's
[inbound protocol]isvlessvlessprotocol traffic flows directly intoXrayfor subsequent processing.Non-
VLESSprotocol traffic has 4 different fallback targets:- Traffic with
pathas/websocketfalls back to port1234for processing. - Traffic with
pathas/vmesstcpfalls back to port2345for processing. - Traffic with
pathas/vmesswsfalls back to port3456for processing. - All other traffic falls back to port
1310for processing.
- Traffic with
xverset to1means enabling theproxy protocolfunction to pass the real source IP backwards.The fallback structure described above is shown in the diagram below:
The Web Page Fallback is missing!
That's right, clever students must have noticed that the
nginx fallbackfor defending against [Active Probing] is gone!!! Why is that? Is it insecure? Don't worry, let's continue analyzing:
5.2 The configuration segments for subsequent listening processing are as follows
Traffic falling back to port
1310is verified and processed according to the configuration below:json{ "port": 1310, "listen": "127.0.0.1", "protocol": "trojan", "settings": { "clients": [ { "password": "", // Fill in your password "level": 0, "email": "love@example.com" } ], "fallbacks": [ { "dest": 80 // Or fallback to another probe-resistant proxy } ] }, "streamSettings": { "network": "tcp", "security": "none", "tcpSettings": { "acceptProxyProtocol": true } } }1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26Look, something magical happened. A new
fallbackssection appeared here in thetrojanprotocol. As mentioned before, thetrojanprotocol inxrayalso has full fallback capabilities. So, at this point, thetrojanprotocol can perform judgment and fallback again (this is the legendary "Nested/Matryoshka" fallback):- All
trojanprotocol traffic flows intoXrayfor subsequent processing. - All non-
trojanprotocol traffic is forwarded to port80. The defense against [Active Probing] is complete!
- All
Traffic falling back to port
1234. Look closely! It is actuallyvless+ws:json{ "port": 1234, "listen": "127.0.0.1", "protocol": "vless", "settings": { "clients": [ { "id": "", // Fill in your UUID "level": 0, "email": "love@example.com" } ], "decryption": "none" }, "streamSettings": { "network": "ws", "security": "none", "wsSettings": { "acceptProxyProtocol": true, // Reminder: Delete this line if using Nginx/Caddy to reverse proxy WS "path": "/websocket" // Must be changed to custom PATH, matching the shunting path } } }1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23Traffic falling back to port
2345. Look closely! It is actuallyvmess direct connection:json{ "port": 2345, "listen": "127.0.0.1", "protocol": "vmess", "settings": { "clients": [ { "id": "", // Fill in your UUID "level": 0, "email": "love@example.com" } ] }, "streamSettings": { "network": "tcp", "security": "none", "tcpSettings": { "acceptProxyProtocol": true, "header": { "type": "http", "request": { "path": [ "/vmesstcp" // Must be changed to custom PATH, matching the shunting path ] } } } } }1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29Traffic falling back to port
3456. Look closely again! It is actuallyvmess+ws(+cdn).Explanation
You read that right. This is one of the combinations previously recommended by v2fly, and it fully supports
CDN. It is now included in the perfect fallback package!json{ "port": 3456, "listen": "127.0.0.1", "protocol": "vmess", "settings": { "clients": [ { "id": "", // Fill in your UUID "level": 0, "email": "love@example.com" } ] }, "streamSettings": { "network": "ws", "security": "none", "wsSettings": { "acceptProxyProtocol": true, // Reminder: Delete this line if using Nginx/Caddy to reverse proxy WS "path": "/vmessws" // Must be changed to custom PATH, matching the shunting path } } }1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22With this, we can draw the complete fallback route for the template:
6. Conclusion
This concludes the introduction to Xray's [Fallback] function. I hope this article helps you understand the power of Xray.
7. Bonus Question
I will shamelessly leave a bonus question: Is there any room for optimization in the VLESS-TCP-XTLS-WHATEVER template detailed in this article?
Hint: HTTP automatic redirection to HTTPS.