https://cmptrnb.github.io

Vercel XHTTP Relay

Translated by Google Translate from 🇮🇷 Complete Persian Setup Guide.

Telegram Channel

📢 Avaco Cloud Telegram Channel — Join for more tutorials, updates, censorship bypass methods and new configs:

👉 https://t.me/avaco_cloud

A minimal relay running on Vercel Edge Functions that forwards XHTTP traffic from your Xray/V2Ray client to your backend Xray server. The goal: use Vercel's global edge network and the *.vercel.app domain as a front to hide the real IP of your origin server.

Table of Contents

• Who is this project for?
• How it works (architecture)
• Limitations and caveats
• Prerequisites
• Step 1 — Purchase a VPS
• Step 2 — Set up a domain and DNS
• Step 3 — SSH to the VPS
• Step 4 — Install Xray
• Step 5 — Obtain a TLS Certificate
• Step 6 — Configure Xray with XHTTP
• Step 7 — Deploy to Vercel
• Step 8 — Configure the client
• Vercel limitations
• Troubleshooting
• FAQ

Who is this project for?

This project is only useful if you have an Xray server with XHTTP and want to mask its IP with Vercel.

❌ It is not useful for you if:

• You just got a ready-made config (vless/vmess) from the seller
• Your config is WebSocket / gRPC / Reality / Trojan / TCP
• You want to create a proxy without a VPS only with Vercel
• You have heavy traffic (4K streaming, large downloads, torrents, multi-user) — because Fast Origin Transfer in Hobby ends very quickly and the account is paused

✅ It is useful for you if:

• You have or want to get a VPS
• You want to set the transport to XHTTP
• You want your server IP to remain hidden
• You are using personal and light usage (chat, web browsing, video up to 1080p, music)
• Or you are ready to get a Pro plan for heavy traffic

How it works (architecture)

+-----------+                       +-------------+           +---------------+
| Client    | TLS, SNI=vercel.com   | Vercel Edge | HTTP/2    | Xray server   |
| (v2rayN/  +---------------------->| (relay)     +---------->| XHTTP inbound |
| Hiddify)  |  XHTTP request        |             | forward   |               |
+-----------+                       +-------------+           +---------------+

The client connects to the Vercel domain with SNI=vercel.com. To the censor, it looks like normal Vercel traffic. The Vercel Edge Function forwards the request body to the Xray server without buffering. The response is streamed back in the same way.

Limitations and Warnings

🔴 Important Warning — Fast Origin Transfer: In the Hobby plan, each byte of traffic is counted twice (once client↔Vercel and once Vercel↔server). If the quota is reached, Vercel will pause your account, users will no longer be able to connect and you will have to wait 30 days or purchase Pro. Details in Vercel Limitations section.

⚠️ XHTTP only: WebSocket, gRPC, TCP, mKCP, QUIC and Reality do not work on Vercel Edge (runtime limitation).

⚠️ Vercel TOS: Using a proxy may violate the TOS. If traffic is high, your account may be suspended. Keep traffic balanced.

⚠️ Educational: This repo is for personal training and testing, not production. No SLA or support.

💡 Sustainable Usage Tips

To avoid disconnection in the middle of the month:

• 📊 Check Dashboard → Usage weekly (Vercel sends emails at 80% and 100%)
• 🔄 Create a few Hobby projects with multiple Gmail accounts and set up Load Balance / Failover in the client
• ⏸ Exclude 4K videos and large downloads from the proxy (directly or from another proxy)
• 💳 If you have a lot of traffic, go Pro ($20/month) and set a spending cap with Spend Management

Prerequisites

Items to explain

• VPS A Linux server outside of Iran with a public IP (preferably Ubuntu 22.04 or 24.04)
• A domain (paid or free like DuckDNS) with an A record pointing to the server IP
• Free Vercel account from vercel.com
• Node.js + npm on local system for Vercel CLI (you can also deploy from dashboard)
• Optional GitHub account, if using Dashboard method You are using

Tools required by operating system

This guide is written for both Windows and Mac/Linux. At each step you will see the equivalent commands depending on your OS.

🪟 Windows (Windows 10/11)

All of the following tools are free:

• PowerShell is pre-installed (search in Start menu) Run commands
• OpenSSH Client is pre-installed in Win10/11 (Guide) SSH connection
• Git for Windows git-scm.com/download/win git + Git Bash
• Node.js LTS nodejs.org — download installer and Next-Next-Finish for Vercel CLI
• PuTTY (optional) putty.org Replaces SSH with GUI

💡 Recommendation: After installing Git for Windows, use Git Bash, as Unix commands (like curl, ssh, cat) work naturally inside it. It makes this guide easier.

🍎 Mac / 🐧 Linux

• Terminal pre-installed
• ssh, curl, dig pre-installed
• Homebrew (Mac) /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
• Node.js brew install node (Mac) or apt install nodejs npm (Linux)
• Git brew install git (Mac) or apt install git (Linux)

Step 1 — Buy ​​a VPS

Recommendations

• Hetzner ~€4.5 Frankfurt / Helsinki
• Contabo ~$4.5 EU / US
• Vultr $5-6 EU / US
• DigitalOcean $6 Various

Minimum specifications

• RAM: 1 GB
• CPU: 1 vCPU
• Disk: 20 GB SSD
• Bandwidth: at least 1 TB/month
• OS: Ubuntu 22.04 or 24.04

After purchase

Note the public IP and the SSH password from the dashboard.

Step 2 — Set up your domain and DNS

If you don’t have a domain:

• Paid: Namecheap, Porkbun, Cloudflare Registrar
• Free: DuckDNS

Set up an A Record (on Cloudflare):

1. Go to dash.cloudflare.com
2. Click on your domain → DNS menu → Records
3. Add record:
   • Type A
   • Name xray (or whatever you want — it can be xray.yourdomain.com)
   • IPv4 address Public IP of your VPS (e.g. 203.0.113.45)
   • Proxy status ⚫ DNS only (gray, not orange)
   • TTL Auto

🔴 Proxy status must be DNS only. If you set it to Proxied, Cloudflare will get caught in the middle of the traffic and won’t work.

DNS Test

🍎 Mac / 🐧 Linux:

dig @8.8.8.8 xray.yourdomain.com +short

🪟 Windows (PowerShell):

Resolve-DnsName xray.yourdomain.com -Server 8.8.8.8 -Type A

Or with nslookup:

nslookup xray.yourdomain.com 8.8.8.8

🪟 Windows (Git Bash):

nslookup xray.yourdomain.com 8.8.8.8

It should return your server IP. This may take 1-5 minutes.

Step 3 — SSH to VPS

🍎 Mac / 🐧 Linux / 🪟 Windows (PowerShell or Git Bash)

ssh root@YOUR_VPS_IP

First type yes. Enter the password (it won't show as you type — this is normal).

🪟 Windows with PuTTY (if CLI is difficult)

1. Open PuTTY
2. Host Name (or IP address): YOUR_VPS_IP
3. Port: 22
4. Connection type: SSH
5. Click Open
6. Click Accept the first time
7. login: root + Enter, enter password

💡 After this step, all commands starting with # (or root@vps:~#) will be executed inside the SSH server — it doesn't matter if you're connecting from Mac or Windows.

Check OS:

cat /etc/os-release

You should see Ubuntu 22.04 or 24.04.

Step 4 — Install Xray

Update the system and install packages:

apt update && apt upgrade -y

apt install -y curl socat cron ufw

Install Xray with the official script:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

After a few seconds:

info: Xray vXX.X.X is installed

Check version:

xray version

⚠️ The version must be at least v1.8.16 (for XHTTP). Newer versions (like 26.x) are better.

Generate UUID:

xray uuid

Output like:

xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Save this UUID — you will need it later in the server and client config.

systemctl enable xray

Firewall configuration:

ufw allow 22/tcp # SSH

ufw allow 80/tcp # for issuing cert

ufw allow 443/tcp # for future

ufw allow 2096/tcp # our Xray port

ufw --force enable

ufw status

⚠️ Before ufw --force enable, make sure port 22 is allowed, otherwise SSH connection will be dropped.

Step 5 — Get TLS Certificate

We will use acme.sh + Let's Encrypt (free, automatic).

Install acme.sh:

curl https://get.acme.sh | sh -s email=your@email.com

source ~/.bashrc

Set the default CA:

~/.acme.sh/acme.sh --set-default-ca --server letsencrypt

Make sure port 80 is free:

ss -tlnp | grep :80

If there is anything listening (like apache or nginx), stop it:

systemctl stop apache2 2>/dev/null

systemctl disable apache2 2>/dev/null

systemctl stop nginx 2>/dev/null

Issue a certificate:

~/.acme.sh/acme.sh --issue -d xray.yourdomain.com --standalone -k ec-256

Replace xray.yourdomain.com with your actual domain.

Successful output:

Cert success.
Your cert is in: /root/.acme.sh/xray.yourdomain.com_ecc/...

Install cert in Xray path:

mkdir -p /etc/xray

~/.acme.sh/acme.sh --install-cert -d xray.yourdomain.com --ecc --fullchain-file /etc/xray/cert.pem --key-file /etc/xray/key.pem --reloadcmd "systemctl restart xray"

chown -R nobody:nogroup /etc/xray

chmod 644 /etc/xray/cert.pem

chmod 640 /etc/xray/key.pem

ls -la /etc/xray/

You should see cert.pem and key.pem.

Step 6 — Configure Xray with XHTTP

Prepare Logs:

mkdir -p /var/log/xray

touch /var/log/xray/access.log /var/log/xray/error.log

chown -R nobody:nogroup /var/log/xray

cp /usr/local/etc/xray/config.json /usr/local/etc/xray/config.json.bak 2>/dev/null || true

Write config:

📝 Before pasting, keep these values ​​in mind:

• YOUR-UUID-HERE → UUID you got from xray uuid
• xray.yourdomain.com → your actual domain
• /yourpath → a path of your choice (e.g. /myapppath)

cat > /usr/local/etc/xray/config.json << 'EOF'
{
  "log": {
    "loglevel": "warning",
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log"
  },
  "inbounds": [
    {
      "tag": "xhttp-in",
      "listen": "0.0.0.0",
      "port": 2096,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "YOUR-UUID-HERE",
            "flow": ""
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "xhttp",
        "security": "tls",
        "tlsSettings": {
          "alpn": [
            "h2",
            "http/1.1"
          ],
          "certificates": [
            {
              "certificateFile": "/etc/xray/cert.pem",
              "keyFile": "/etc/xray/key.pem"
            }
          ]
        },
        "xhttpSettings": {
          "path": "/yourpath",
          "host": "xray.yourdomain.com",
          "mode": "auto"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "blocked"
    }
  ]
}
EOF

⚠️ After pasting, open the file with:

nano /usr/local/etc/xray/config.json

Open it and replace the three values ​​YOUR-UUID-HERE, /yourpath, xray.yourdomain.com with the actual values.

Test the config syntax:

xray -test -config /usr/local/etc/xray/config.json

You should see: Configuration OK.

Start Xray:

systemctl restart xray

systemctl status xray --no-pager

ss -tlnp | grep 2096

Test locally:

curl -vk https://127.0.0.1:2096/yourpath

If you get an HTTP/2 404 → Great! (404 is normal because you didn't send a UUID, which means Xray is working.)

Step 7 — Deploy to Vercel

Two ways: CLI (faster) or Dashboard (with GitHub).

Method A: Vercel CLI

Install Node.js and Vercel CLI

🍎 Mac:

# If you don't have Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

brew install node

sudo npm i -g vercel

vercel --version

🐧 Linux (Ubuntu/Debian):

sudo apt update

sudo apt install -y nodejs npm

sudo npm i -g vercel

vercel --version

🪟 Windows:

Install Node.js:

1. Go to nodejs.org
2. Download the LTS version (.msi file)
3. Double-click, Next until Finish
4. Make sure Add to PATH is checked

Install Vercel CLI (in PowerShell or Git Bash):

npm i -g vercel

vercel --version

If it gives a permission error, open PowerShell As Administrator and try again.

Login to Vercel

On any operating system:

vercel login

Select Continue with Email with the arrow, enter your email, click the confirmation link.

Initial Deploy

🍎 Mac / 🐧 Linux / 🪟 Git Bash:

git clone https://github.com/YOUR-USERNAME/vercel-xhttp-relay.git

cd vercel-xhttp-relay

vercel

🪟 Windows PowerShell:

git clone https://github.com/YOUR-USERNAME/vercel-xhttp-relay.git

cd vercel-xhttp-relay

vercel

Questions:

• Set up and deploy? → Y
• Link to existing project? → N
• Project name? → Custom name
• Override settings? → N

Set Environment Variable

vercel env add TARGET_DOMAIN

• Value: https://xray.yourdomain.com:2096
• Environments: Only check Production and Preview with Space (don't check Development)
• Git branch: Empty Enter
• Make sensitive: n

Final Deploy

vercel --prod

You will get a URL like https://your-project.vercel.app.

Method B: Dashboard (with GitHub)

1. Fork or clone this project's repo and push it to your GitHub.
2. Import the repo at vercel.com/new.
3. On the Settings page, Environment Variables section:
4. TARGET_DOMAIN = https://xray.yourdomain.com:2096
5. Deploy.

Disabling Deployment Protection

If you enabled Vercel Authentication during setup, you need to disable it or relay won't work:

1. Vercel Dashboard → Project → Settings → Deployment Protection
2. Set Vercel Authentication to Disabled
3. Save

Test relay

🍎 Mac / 🐧 Linux / 🪟 Git Bash / 🪟 PowerShell (Win 10+):

curl -I https://your-project.vercel.app/yourpath

🪟 Windows PowerShell (native version):

Invoke-WebRequest -Uri "https://your-project.vercel.app/yourpath" -Method Head

💡 On Windows 10+, curl.exe is installed and working.

Output Meaning

• HTTP/2 404 ✅ Everything is OK
• HTTP/2 401 + HTML login Deployment Protection is on
• HTTP/2 500 env var not set
• HTTP/2 502 TARGET_DOMAIN is wrong

Step 8 — Configure the client

Configuration values

• UUID: Your UUID
• Address: vercel.com
• Port: 443
• SNI: vercel.com
• Type: xhttp
• Path: /yourpath
• Host: your-project.vercel.app
• Mode: auto
• TLS: on
• ALPN: h2
• Fingerprint: chrome

VLESS share link

vless://YOUR-UUID@vercel.com:443?encryption=none&security=tls&sni=vercel.com&alpn=h2&fp=chrome&type=xhttp&path=%2Fyourpath&host=your-project.vercel.app&mode=auto#Vercel-Relay

Note: Replace / in path with %2F encode.

Recommended Clients

• Windows v2rayN (v6.45+)
• Android v2rayNG, Hiddify
• iOS V2Box, Streisand
• macOS V2Box, Hiddify
• Linux Hiddify, xray-core

Configuration Tips

• Core: Must be Xray-core (not V2Ray-core, as V2Ray does not support XHTTP)
• Mux: Off
• Routing: Turn on Bypass LAN/Iran
• Allow Insecure: OFF

Test after connection

Go to browser:

https://ifconfig.me

It should show your VPS server IP, not Iran IP.

Vercel Limitations

⚠️ These numbers are from the official Vercel documentation at the time of writing this README. They may have changed — check vercel.com/pricing and vercel.com/docs/limits for the latest updates.

General Numbers

• Limits Hobby (Free) Pro
• Fast Data Transfer (Client ↔ Vercel) 100 GB / month 1 TB / month
• Fast Origin Transfer (Vercel ↔ Backend) Limited (Important for relay!) ~10× Hobby
• Edge Requests 1M / month 10M / month
• Active CPU Time 4 hours / month 40 hours / month
• Start Response (Edge) 25 seconds 25 seconds
• Maximum Streaming Duration 300 seconds (5 minutes) 300 seconds

🔴 Very important point: Fast Origin Transfer

For proxy/relay use this is more critical than Fast Data Transfer!

Every byte of your traffic is counted twice.

If Fast Origin Transfer reaches its limit, your Hobby account will be paused and you will have to wait 30 days or upgrade

📚 Fast Origin Transfer documentation

Hobby usage estimates (conservative)

Considering both Fast Data and Fast Origin:

• Chat / Telegram / WhatsApp virtually unlimited
• Stream music (Spotify) virtually unlimited
• Normal web browsing virtually unlimited
• YouTube 720p ~50 hours / month
• YouTube 1080p ~20-30 hours / month
• YouTube 4K / heavy downloads ~7 hours / month

💡 For everyday use (chat, browsing, music, 720p video) Hobby is more than enough. For 4K streaming or heavy downloads, either go Pro or create several Hobby projects and load balance between them.

Troubleshooting

502 Bad Gateway: Tunnel Failed

Vercel cannot reach the backend server. Check:

• TARGET_DOMAIN is exactly correct (https://...:port)
• Xray is up on the server: systemctl status xray
• Port is open in firewall: ufw status

500 Misconfigured: TARGET_DOMAIN is not set

Env var not set or redeployed. Run:

vercel env ls

vercel --prod

401 Unauthorized with HTML login

Vercel Authentication is enabled. In Dashboard → Settings → Deployment Protection → Disabled.

Client connects but traffic is not passed

• Disable Mux
• Set Core to Xray-core
• Enable Routing → Bypass Iran

TLS handshake error on client

Change SNI from vercel.com to your-project.vercel.app

Set ALPN to h2 only

Client only works on Wi-Fi, not mobile data

Mobile ISP may bottleneck *.vercel.app. Connect a Custom Domain to Vercel (Settings → Domains).

Configuration OK but Xray crashes

See error log:

tail -50 /var/log/xray/error.log

Usually cert/key file access problem. Fix with:

chown -R nobody:nogroup /etc/xray /var/log/xray

FAQ

Can I do this with Cloudflare instead of Vercel?

Yes, but with different code (Cloudflare Workers). For WebSocket, Cloudflare Workers is better. For XHTTP, Vercel is more stable because of streaming WebStreams.

What if *.vercel.app is filtered in Iran?

Connect a personal domain to Vercel (Settings → Domains → Add). Then leave the host and address the same in the client.

How many users can connect at the same time?

There is no hard limit, but create a separate UUID for each user:

        "clients": [
          { "id": "uuid-1", "email": "user1@example.com" },
          { "id": "uuid-2", "email": "user2@example.com" }
        ]

Can I change port 2096?

Yes. Put the desired port in config.json, allow in ufw, and set the same port in TARGET_DOMAIN in Vercel.

How to see Vercel logs?

vercel logs --follow

Or in Dashboard → Project → Logs.

What should I do after changing Xray configuration?

xray -test -config /usr/local/etc/xray/config.json

systemctl restart xray

Certificate is automatically renewed?

Yes. acme.sh creates a cron job and automatically renews every 60 days. You can test manually:

~/.acme.sh/acme.sh --renew -d xray.yourdomain.com --force --ecc

License

MIT — same as the original project.

Disclaimer

This project is for personal training and testing. Use at your own risk. Follow the laws of your country and Vercel's TOS.

📢 Contact Us

If this guide was useful to you, or you have questions/suggestions, get in touch via the Telegram channel:

Join Telegram

https://t.me/avaco_cloud

More tutorials • Update configs • Ways to bypass censorship • Support

⭐ If you found the project useful, leave a Star so it can be seen more.