服务端使用合理的端口,禁回国流量
只配置 XTLS Vision,不兼容普通 TLS 代理
回落到网页,不回落/分流到其它代理协议
客户端启用 uTLS(fingerprint)
安装nginx
# Install nginx from the distro repositories; it serves the fallback web site behind Xray.
apt update
apt install nginx
申请证书
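#nginx -s stop
# Stop nginx so that acme.sh --standalone can bind port 80 for the HTTP-01 challenge.
systemctl stop nginx
# socat is required by acme.sh --standalone; cron runs the renewal job acme.sh installs.
apt-get install socat curl cron
# Fetch the installer to a file first instead of `curl ... | sh`: it can be inspected before it
# runs, and -f makes a failed download (e.g. an HTML error page) abort instead of being executed.
curl -fsSL -o get-acme.sh https://get.acme.sh && sh get-acme.sh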
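# Request one certificate covering kkiikk.top and www.kkiikk.top (this is not a wildcard
# certificate; a wildcard would need DNS validation instead of --standalone).
# -p keeps the step re-runnable if the directory already exists.
mkdir -p /etc/nginx/ssl/
# Call the installed script by path: the `acme.sh` alias only exists in a new login shell.
# --server letsencrypt selects the CA explicitly (the commented-out variant below does the
# same via --set-default-ca), so issuance does not depend on acme.sh's default CA.
~/.acme.sh/acme.sh --issue --standalone --server letsencrypt -d kkiikk.top -d www.kkiikk.top -k ec-256
# Install under the file names that /etc/nginx/conf.d/www.conf references
# (www.kkiikk.top.crt / .key); the original wrote kkiikk.top.crt, which nginx never loads.
# --reloadcmd is run after every automatic renewal so nginx actually picks up the new
# certificate; try-reload-or-restart is a no-op while nginx is still stopped at this step.
~/.acme.sh/acme.sh --installcert -d kkiikk.top -d www.kkiikk.top --ecc \
  --fullchain-file /etc/nginx/ssl/www.kkiikk.top.crt \
  --key-file /etc/nginx/ssl/www.kkiikk.top.key \
  --reloadcmd "systemctl try-reload-or-restart nginx"
# The private key is read by nginx's master process (root); nobody else needs it.
chmod 600 /etc/nginx/ssl/www.kkiikk.top.key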
#普通证书申请
#~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
#~/.acme.sh/acme.sh --issue -d www.kkiikk.top --standalone -k ec-256 --force --test
#rm -rf ~/.acme.sh/www.kkiikk.top_ecc
#以上是测试
#~/.acme.sh/acme.sh --issue -d www.kkiikk.top --standalone -k ec-256 --force
#mkdir /etc/nginx/ssl/
#~/.acme.sh/acme.sh --installcert -d www.kkiikk.top --fullchainpath /etc/nginx/ssl/www.kkiikk.top.crt --keypath /etc/nginx/ssl/www.kkiikk.top.key --ecc --force
安装xray
# Download the official Xray-install script and run it. Read it before executing: it is
# presumably what installs the xray binary, /usr/local/etc/xray/ and the xray systemd unit
# used later in this guide.
wget https://github.com/XTLS/Xray-install/raw/main/install-release.sh
bash install-release.sh
配置nginx.conf
# Open the main nginx config and replace its contents with the listing that follows.
nano /etc/nginx/nginx.conf
编辑nginx.conf
# Main nginx config. nginx is not exposed on a public port: Xray listens on :443 and hands
# the connections it does not serve itself to nginx on 127.0.0.1:8003 with PROXY protocol
# (www.conf listen ... proxy_protocol; Xray "target": "8003", "xver": 1). The real client
# address therefore comes from the PROXY header, i.e. $proxy_protocol_addr.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
# Log the client address carried in the PROXY header (connections themselves arrive from loopback).
log_format main '[$time_local] $proxy_protocol_addr "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
# WebSocket support: send "Connection: upgrade" upstream only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
# Build the "for=" element of the RFC 7239 Forwarded header from the PROXY-protocol
# address; an IPv6 literal has to be bracketed and quoted.
map $proxy_protocol_addr $proxy_forwarded_elem {
~^[0-9.]+$ "for=$proxy_protocol_addr";
~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
default "for=unknown";
}
# Append our element to an incoming Forwarded header only when that header matches the
# RFC 7239 grammar (the regex below); anything malformed is replaced rather than passed
# through, so a client cannot smuggle an arbitrary value to the upstream.
map $http_forwarded $proxy_add_forwarded {
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
default "$proxy_forwarded_elem";
}
include /etc/nginx/conf.d/*.conf;
}
配置www.conf
# Create the site config (picked up by the include in nginx.conf); its contents follow.
nano /etc/nginx/conf.d/www.conf
编辑www.conf
# Port 80: plain HTTP is only redirected to HTTPS, nothing is served in clear.
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
# Default server for 127.0.0.1:8003: a TLS handshake whose SNI matches no server_name below
# is rejected outright instead of being answered with the wrong certificate.
server {
listen 127.0.0.1:8003 ssl default_server;
ssl_reject_handshake on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_timeout 1h;
ssl_session_cache shared:SSL:10m;
ssl_early_data on;
}
# The site Xray falls back to. Connections come from Xray over loopback with PROXY protocol
# (Xray "target": "8003", "xver": 1), so the listen socket expects it and the client address
# is restored from it; only 127.0.0.1 is trusted to supply that header.
server {
listen 127.0.0.1:8003 ssl proxy_protocol;
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
server_name www.kkiikk.top; # the domain contained in the certificate nginx loads; pointing that domain at this server's IP is recommended
ssl_certificate /etc/nginx/ssl/www.kkiikk.top.crt;
ssl_certificate_key /etc/nginx/ssl/www.kkiikk.top.key;
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): the TLS13_* entries do not look like OpenSSL ciphersuite names and are
# probably ignored; confirm the effective list with `nginx -T` / `openssl ciphers`.
ssl_ciphers TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_session_tickets on;
# NOTE(review): ssl_stapling_verify normally needs ssl_trusted_certificate to validate the
# OCSP response; check error.log for stapling warnings after the first start.
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 valid=60s;
resolver_timeout 2s;
# Reverse-proxy another public site so this domain shows a real web page.
location / {
# Rewrite the upstream's host name in response bodies to our own host.
# NOTE(review): sub_filter cannot rewrite compressed bodies; if the upstream returns gzip,
# `proxy_set_header Accept-Encoding "";` is needed for this to take effect.
sub_filter $proxy_host $host;
sub_filter_once off;
set $website www.反代网址.com; # placeholder: the site to mirror
proxy_pass https://$website;
resolver 1.1.1.1;
proxy_set_header Host $proxy_host;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_ssl_server_name on; # send SNI when connecting to the upstream
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Client-identity headers use the PROXY-protocol address, never the loopback peer.
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# Lets the upstream know when a request arrived as TLS 1.3 0-RTT (replayable) data.
proxy_set_header Early-Data $ssl_early_data;
}
}
下载geosite.dat
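# Replace geosite.dat with the Loyalsoldier build (the routing rules use geosite:cn etc.).
# The original `cd dir; rm -rf *` would wipe the current directory if the cd failed, and it
# also deleted geoip.dat. Download to a temp file in the target directory and move it into
# place, so an interrupted download never leaves Xray without a geosite.dat.
geo_dir=/usr/local/share/xray
wget -O "$geo_dir/geosite.dat.tmp" \
  https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat \
  && mv -- "$geo_dir/geosite.dat.tmp" "$geo_dir/geosite.dat"
# NOTE(review): the file is fetched without integrity verification; if the release publishes a
# checksum or signature for it, verify before moving it into place.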
生成uuid
# Prints a random UUID; paste it into clients[0].id in config.json and into the client's 用户ID.
xray uuid
生成Private key和Public key
# Prints an X25519 key pair: the private key goes into realitySettings.privateKey on the
# server and must stay secret; the public key is what clients are given.
xray x25519
配置xray
# Edit the Xray config (full listing follows).
# NOTE(review): the config writes logs under /root/xray_log/, which this guide never creates,
# and the xray service presumably runs as an unprivileged user; create the directory and make
# it writable by that user, or point "log" elsewhere, otherwise the service fails to start.
nano /usr/local/etc/xray/config.json
编辑config.json
{
"log": {
"loglevel": "warning",
"access": "/root/xray_log/access.log", // 访问记录
"error": "/root/xray_log/error.log" // 错误记录
},
"routing": {
"domainStrategy": "AsIs",
"rules": [
{
"type": "field",
"port": "443",
"network": "udp",
"outboundTag": "block"
},
{
"type": "field",
"domain": ["geosite:cn"],
"outboundTag": "direct-out"
},
{
"type": "field",
"domain": ["geosite:private"],
"outboundTag": "block"
},
{
"type": "field",
"domain": ["geosite:category-ads-all"],
"outboundTag": "block"
}
]
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "", // 运行 `xray uuid` 生成id
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "raw",
"security": "reality",
"realitySettings": {
"show": false,
"target": "8003",
"xver": 1,
"serverNames": [
"" // 填写本机 Nginx 所加载证书中包含的域名
],
"privateKey": "", // 运行 `xray x25519` 生成privateKey
"shortIds": [
"" // 16 个 0~f 的数字字母,可以小于16个,核心将会自动在后面补0, 但位数必须是偶数。如 aa1234 会被自动补全为 aa12340000000000, 但是aaa1234 则会导致错误。
]
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls",
"quic"
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct-out"
},
{
"protocol": "blackhole",
"tag": "block"
}
],
"policy": {
"levels": {
"0": {
"handshake": 2,
"connIdle": 120
}
}
}
}
重启服务
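# Validate the nginx config before restarting, so a typo does not leave the site down.
nginx -t && systemctl restart nginx
systemctl status nginx --no-pager
# Same for Xray: test the config without launching the server, then restart.
xray run -test -config /usr/local/etc/xray/config.json && systemctl restart xray
systemctl status xray --no-pager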
客户端配置
添加[VLESS]服务器
别名
随便写
地址
输入当前vps的域名
端口
输入443
用户ID
输入uuid
流控
选择xtls-rprx-vision
传输协议
选择tcp
伪装类型
选择none
传输层安全
选择reality
SNI
不用写
Fingerprint
选择chrome
Publickey
输入生成的Public key
ShortId
输入xray配置中的shortIds,配置中没有输入的话需要留空