The Practical Guide to Hide Origin Server IP (No Fluff)

If you’re tired of your origin server IP getting flagged or blocked, using Vercel as a front is one of the most effective ways to stay under the radar. Most people try to tunnel traffic through standard proxies, but they hit a wall when they realize their origin IP is still leaking or their connection is throttled. The Vercel-XHTTP relay changes the game by leveraging Vercel’s global edge network to mask your backend Xray server behind the *.vercel.app domain.

Here’s the reality: this isn't a "set it and forget it" solution. If you’re running a heavy-duty setup, you’ll burn through your Vercel Hobby plan’s "Fast Origin Transfer" quota in days. This setup is designed for personal, lightweight traffic—think browsing, messaging, and standard video streaming. If you try to push 4K streams or massive torrents through this, Vercel will pause your account, and you’ll be locked out for the rest of the month.

To get this working, you need a clean VPS running Ubuntu 22.04 or 24.04 and a domain name. Don't use a sub-domain that’s already been burned. Once you have your VPS, the first step is installing Xray. Ensure you’re running at least version 1.8.16, as older versions lack the necessary XHTTP support.

Here is the workflow for a stable deployment:

1. Configure your DNS with an A record pointing to your VPS IP, but keep it set to "DNS Only" in Cloudflare. If you enable proxying (the orange cloud), you’ll break the handshake.
2. Install acme.sh on your server to handle your TLS certificates. This is non-negotiable; you need valid encryption to keep the traffic looking like standard HTTPS.
3. Deploy the relay code to Vercel. You can do this via the Vercel CLI or by connecting your GitHub repository directly to the Vercel dashboard.
4. Update your Xray config on the server to listen for XHTTP traffic on your chosen port, ensuring the UUID matches your client-side configuration.

The most common failure mode I see is users ignoring the Vercel usage dashboard. You need to monitor your bandwidth consumption weekly. If you’re serious about this, don't rely on a single Hobby account. Create multiple projects across different Gmail accounts and use your client’s load-balancing features to distribute the traffic. This creates a failover mechanism; if one account hits its limit, your connection doesn't drop entirely.

Why does this work better than standard WebSocket relays? Because XHTTP is designed to be lightweight and stream-friendly, minimizing the overhead that usually triggers Vercel’s runtime limits. It’s a surgical approach to traffic obfuscation. If you’re looking for a way to hide your origin server IP, this is the most robust method currently available for personal use. Just keep your traffic profile modest, and you’ll avoid the dreaded account suspension.

If you run into issues with the handshake, double-check your SNI settings in your client. The SNI must point to the Vercel domain, not your origin server. Try this today and share what you find in the comments, or read our breakdown of advanced Xray configuration techniques next.