Can we rewrite hosts or access ips directly with xray configs?

[unacoder]

This is two different questions, one is can we rewrite SNI, e.g steam uses both akamai and fastly, it uses akamai by default and I use Redirector firefox extension to redirect to fastly version and proxy server uses domain front fronting to fetch asset. Second one is can we use ip as SNI? e.g ghcr.io can be fronted using ip as SNI (I got this idea from your v13 commit, was this intention there? cause it's not working there)

I tried to implement similar approach in mhr but wasn't fully versed in tls and rustls so dropped it completely, my main problem there was ssl verification

Bellow are some examples that explain it better

---

Domains working this way:

["avatars.fastly.steamstatic.com",
"avatars.steamstatic.com",
"shared.fastly.steamstatic.com",
"shared.steamstatic.com",
"community.fastly.steamstatic.com",
"community.steamstatic.com",
"store.fastly.steamstatic.com",
"store.steamstatic.com",
"cdn.fastly.steamstatic.com",
"cdn.steamstatic.com"]

# origin: https://store.akamai.steamstatic.com/public/javascript/applications/store/manifest.js?v=snaAd7XpTcDT&l=english&_cdn=akamai
curl -http2 -i --resolve="*:443:151.101.2.137" -H "Host: store.fastly.steamstatic.com" "https://crates.io/public/javascript/applications/store/manifest.js?v=snaAd7XpTcDT&l=english&_cdn=fastly"
# HTTP/2 200
# server: nginx
# content-type: text/javascript;charset=UTF-8
# cache-control: public,max-age=15552000
# expires: Tue, 03 Nov 2026 18:32:32 GMT
# etag: "snaAd7XpTcDT"
# x-integrity: "sha384-CJm0TLxz6pOpMYjs/GvYQvfziIKvZucMdQLmMwaNp6GG8tEYH/4PHKjKO4cXTWdv"
# last-modified: Sun, 09 Sep 2001 01:46:40 GMT
# content-encoding: gzip
# strict-transport-security: max-age=63072000
# accept-ranges: bytes
# age: 508781
# date: Wed, 13 May 2026 15:52:13 GMT
# via: 1.1 varnish
# x-served-by: cache-fra-eddf8230107-FRA
# x-cache: MISS, HIT
# x-cache-hits: 0
# x-timer: S1778687534.634046,VS0,VE1
# content-length: 12937
# 
# Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or
# Warning: consider "--output <FILE>" to save to a file.

---

Domains working this way:

["git.io",
"github.community",
"ghcr.io"]

dig +short -4 A ghcr.io
# 140.82.121.33
curl -k -http2 -i -H "Host: ghcr.io" "https://140.82.121.33/v2"
# HTTP/2 404
# content-type: application/json
# docker-distribution-api-version: registry/2.0
# strict-transport-security: max-age=63072000; includeSubDomains; preload
# date: Wed, 13 May 2026 15:38:29 GMT
# content-length: 18
# x-github-request-id: D62A:70FE1:D15C78:D9A468:6A049AF5
#
# 404 page not found%

dig +short -4 A github.community
# 140.82.113.17
curl -k -i -H "Host: github.community" https://140.82.112.17/t/cd-command-doesnt-work/169987
# HTTP/2 301
# content-length: 0
# location: https://github.com/orgs/community/discussions/26631

---

Some .akamai.steamstatic.com sites also can be accessed by ip (haven't tested all yet)

dig +short -4 A store.akamai.steamstatic.com
# 2.16.238.10
# 2.16.238.28
curl -k -I -H "Host: store.akamai.steamstatic.com" "https://2.16.238.10/public/javascript/applications/store/manifest.js?v=snaAd7XpTcDT&l=english&_cdn=akamai"
# HTTP/1.1 200 OK
# Server: nginx
# Content-Type: text/javascript;charset=UTF-8
# ETag: "snaAd7XpTcDT"
# X-Integrity: "sha384-CJm0TLxz6pOpMYjs/GvYQvfziIKvZucMdQLmMwaNp6GG8tEYH/4PHKjKO4cXTWdv"
# Last-Modified: Sun, 09 Sep 2001 01:46:40 GMT
# Strict-Transport-Security: max-age=63072000
# Cache-Control: public, max-age=15041535
# Expires: Tue, 03 Nov 2026 18:32:31 GMT
# Date: Wed, 13 May 2026 16:20:16 GMT
# Connection: keep-alive

[patterniha]

can be fronted using ip as SNI

ip mean no sni, then default certificate is returned, we should just check its san list for verification.

i release v15 to solve uploads.github.com, i didn't find any white-sni for it but we can use no-sni client hello, and gfw doesn't block it.

///

if you know some domains that tcp-handshake established successfully for their ips, but you didn't find any white sni for them, please send them for me to add in v15.

[patterniha]

["git.io",
"github.community",
"ghcr.io"]

yes, we can use no-sni client-hello for all github domains, but if we know a white-sni it is better to use that because no-sni client-hello may be blocked in future.

[unacoder]

Those three I listed doesn't work with their SNI (tested with xray server using this repo's config)

Did a bit of digging about steamstatic sites, these seems to be working:

curl -k --connect-timeout=2 -I -H "Host: store.akamai.steamstatic.com" https://185.200.232.41/public/shared/css/motiva_sans.css?v=YzJgj1FjzW34&l=english&_cdn=akamai
store.akamai.steamstatic.com -> 185.200.232.41 -> 200
curl -k --connect-timeout=2 -I -H "Host: store.akamai.steamstatic.com" https://185.200.232.43/public/shared/css/motiva_sans.css?v=YzJgj1FjzW34&l=english&_cdn=akamai
store.akamai.steamstatic.com -> 185.200.232.43 -> 200

curl -k --connect-timeout=2 -I -H "Host: community.akamai.steamstatic.com" https://185.200.232.43/public/shared/images/comment_quoteicon.png
community.akamai.steamstatic.com -> 185.200.232.43 -> 200
curl -k --connect-timeout=2 -I -H "Host: community.akamai.steamstatic.com" https://185.200.232.49/public/shared/images/comment_quoteicon.png
community.akamai.steamstatic.com -> 185.200.232.49 -> 200

curl -k --connect-timeout=2 -I -H "Host: avatars.akamai.steamstatic.com" https://2.16.238.20/77f9f0b272340ae557a391bba7bb5936f7c727c3.jpg
avatars.akamai.steamstatic.com -> 2.16.238.20 -> 200

curl -k --connect-timeout=2 -I -H "Host: cdn.akamai.steamstatic.com" https://185.200.232.50/steamcommunity/public/images/apps/730/8dbc71957312bbd3baea65848b545be9eae2a355.jpg
cdn.akamai.steamstatic.com -> 185.200.232.50 -> 200
curl -k --connect-timeout=2 -I -H "Host: cdn.akamai.steamstatic.com" https://185.200.232.41/steamcommunity/public/images/apps/730/8dbc71957312bbd3baea65848b545be9eae2a355.jpg
cdn.akamai.steamstatic.com -> 185.200.232.41 -> 200

curl -k --connect-timeout=2 -I -H "Host: clientconfig.akamai.steamstatic.com" https://5.178.42.161/
clientconfig.akamai.steamstatic.com -> 5.178.42.161 -> 404 (expected)
curl -k --connect-timeout=2 -I -H "Host: clientconfig.akamai.steamstatic.com" https://5.178.42.177/
clientconfig.akamai.steamstatic.com -> 5.178.42.177 -> 404 (expected)

Weeks ago I saw lots and lots of akamai ips that were working but finding a working SNI for them was impossible

[unacoder]

Another followup on the list:

# Steam client config
curl -k --connect-timeout=2 -I -H "Host: clientconfig.akamai.steamstatic.com" https://5.178.42.177/appinfo/884660/sha/[REDACTED].txt.gz
# clientconfig.akamai.steamstatic.com -> 5.178.42.177 -> 200
curl -k --connect-timeout=2 -I -H "Host: steamconnecttest.com" https://185.200.232.43/
# steamconnecttest.com -> 185.200.232.43 -> 200

# Vscode extensions:
curl -k --connect-timeout=2 -I -H "Host: biomejs.gallery.vsassets.io" https://150.171.73.16/_apis/public/gallery/publisher/biomejs/extension/biome/3.6.1/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage?redirect=true
# biomejs.gallery.vsassets.io -> 150.171.73.16 -> 405 (non head request gives proper redirect)
curl -k --connect-timeout=2 -I -H "Host: biomejs.gallerycdn.vsassets.io" https://184.24.77.25/extensions/biomejs/biome/3.6.1/1774983507401/Microsoft.VisualStudio.Services.VSIXPackage
# biomejs.gallerycdn.vsassets.io -> 184.24.77.25 -> 200
curl -k --connect-timeout=2 -I -H "Host: main.vscode-cdn.net" https://150.171.109.100/extensions/marketplace.json
# main.vscode-cdn.net -> 150.171.109.100 -> 200

# Bing:
curl -k --connect-timeout=2 -I -H "Host: www.bing.com" https://150.171.28.10/
# www.bing.com -> 150.171.28.10 -> 200

# Docker stuff (needed for docker pull):
curl -k --connect-timeout=2 -I -H "Host: production.cloudflare.docker.com" https://104.16.99.215/registry-v2/docker/registry/v2/blobs/sha256/f3/[REDACTED]/data?expires=1778318371&signature=[REDACTED]&version=3
# production.cloudflare.docker.com -> 104.16.99.215 -> 200

These were also tested, non working:

*.steamserver.net -> Steam Game Servers
store.steampowered.com -> Steam Store Page

docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com -> Docker Object Storage, it does have an open ip with 443 port open but doesn't respond

huggingface.co -> No open IPs

I don't have a windows machine but I think windows update servers can also be accessed this way. At this point I'm just going through my shell history and see if anything works this way.

[patterniha]

بزار فارسی بگم
اینکه کلاینت هلو رو بدون
sni
بفرستیم الان جواب میده رو ایپی هایی که باز هستن
موضوع اینه یسریا مثل کلودفلر خب ریجکت میکنن چنین چیزی رو
ولی
akamai
و چند جا دیگه قبول میکنن از فایروال ایرانم که رد میشه
من الان تست کردم استیم، مایکروسافت و خیلی های دیگه باز شدن با همین روش
جالب اینه که سایفونم از
akamai
استفاده میکنه و در نتیجه اونم تست کردم دیدم کار کرد و سایفون کانکت شد
///
حالا اینو میشه با یه تغییری رو کلودفلرم راه انداخت احتمالا بشه اگه بشه تا فردا
sni-spoofing 2
رو میدم بیرون نه که به جای اینکه کانفیگ
mitm-domainfronting
رو باهاش اپدیت کنیم بهتره یه کانفیگ جدا برای اتصال سایفون بدیم بیرون

[patterniha]

@unacoder

ممنون بابت تست هات کانفیگ سایفون رو تو گروه گذاشتم این موضوع رو مدتی بود متوجه شده بودم
ولی یاد
akamai
نبودم اصلا. تستای تو رو که دیدم متوجه شدم رو
akamai
هم میشه پس سایفون باز میشه به هر حال ممنون بابت کمکت

[unacoder]

‫به نظر میاد الان کلاینت shir-o-khorshid خیلی راحت کرده اینکارو، به نظرم همون ipـها هم یه تلاشی بشه بد نیست

‫و یه موضوع دیگه نمیدونم چجوری میشه به hiddify و invisible هم رسوند اونا فکر کنم از لحاظ سرعت بهتر باشن و اونا هم از akamai استفاده میکردن

[majideavval]

میشه درباره windows update (sniش چیه؟) و کلا مایکروسافت بیشتر توضیح بدید؟ ip ها و sni های سفید. بشه ویندوز رو آپدیت کنیم حداقل.

[Enqvy]

this issue changed everything