Showing
5 changed files
with
279 additions
and
0 deletions.
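--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,47 @@
+
+#user nobody nogroup; #表示以默认用户(root)运行。若取消注释,注意修改为相应权限的用户与组。
+worker_processes auto;
+
+error_log /var/log/nginx/error.log; #错误日志的文件地址
+
+pid /run/nginx.pid;
+
+events {
+worker_connections 1024;
+}
+
+http {
+include mime.types;
+default_type application/octet-stream;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log main; #访问日志的文件地址
+
+sendfile on;
+
+keepalive_timeout 65;
+
+server {
+listen 80;
+listen [::]:80; #无 IPv6,此项可删除。
+return 301 https://$host$request_uri; #HTTP 自动跳转 HTTPS,让网站看起来更真实。
+}
+
+server {
+listen 127.0.0.1:82 http2 proxy_protocol; #使用 H2C server 本地监听端口,且开启 PROXY protocol 接收。(仅版本小于 v1.25.1 配置,否则必须删除。)
+listen 127.0.0.1:81 proxy_protocol; #使用 HTTP/1.1 server 本地监听端口,且开启 PROXY protocol 接收。(仅版本小于 v1.25.1 配置,否则必须删除。)
+listen 127.0.0.1:88 proxy_protocol; #使用 H2C server 及 HTTP/1.1 server 本地监听端口,且开启 PROXY protocol 接收。(仅版本不小于 v1.25.1 配置,否则必须删除。)
+http2 on; #仅版本不小于 v1.25.1 配置,否则必须删除。
+set_real_ip_from 127.0.0.1;
+real_ip_header proxy_protocol;
+
+location / {
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #启用 HSTS
+root /var/www/html; #修改为自己存放的 WEB 文件路径
+index index.html index.htm;
+}
+}
+}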
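Review bot: The `listen 127.0.0.1:82 http2 proxy_protocol;` line cannot coexist with `http2 on;` three lines below it: on nginx older than 1.25.1 the `http2` directive is unknown and the configuration fails to load, and on 1.25.1 or newer the `http2` listen parameter is deprecated, so as committed the file does not load cleanly on any version until the reader deletes one set, as the comments say. Either split this into a pre-1.25.1 file and a 1.25.1+ file, or comment out one set (`#listen 127.0.0.1:82 http2 proxy_protocol;`) so the example starts as shipped; the UDS variant of this file later in the commit has the same layout. Separately, `proxy_protocol` on loopback ports combined with `set_real_ip_from 127.0.0.1;` means any local process able to open a connection to ports 81/82/88 can present a PROXY header and choose the `$remote_addr` written to access.log, which deserves a comment on the `set_real_ip_from` line if the host also runs other users' code.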
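--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,82 @@
+{
+"log": {
+"loglevel": "warning",
+"error": "/var/log/xray/error.log",
+"access": "/var/log/xray/access.log"
+},
+"inbounds": [
+{
+"port": 443, //监听端口
+"protocol": "vless",
+"settings": {
+"clients": [
+{
+"id": "048e0bf2-dd56-11e9-aa37-5600024c1d6a", //修改为自己的 UUID
+"flow": "xtls-rprx-vision", //启用 XTLS Vision
+"email": "[email protected]"
+}
+],
+"decryption": "none",
+"fallbacks": [
+{
+"alpn": "h2", //h2 回落匹配
+"dest": 82, //h2 回落端口
+"xver": 2 //开启 PROXY protocol 发送,发送真实来源 IP 和端口给 Nginx。 1 或 2 表示 PROXY protocol 版本。
+}, //对应 Nginx 版本小于 v1.25.1 配置,否则此部分必须删除。
+{
+"dest": 81, //http/1.1 回落端口
+"xver": 2 //开启 PROXY protocol 发送,发送真实来源 IP 和端口给 Nginx。 1 或 2 表示 PROXY protocol 版本。
+} //对应 Nginx 版本小于 v1.25.1 配置,否则此部分必须删除。
+{
+"dest": 88, //h2 回落与 http/1.1 回落共用端口
+"xver": 2 //开启 PROXY protocol 发送,发送真实来源 IP 和端口给 Nginx。 1 或 2 表示 PROXY protocol 版本。
+} //对应 Nginx 版本不小于 v1.25.1 配置,否则此部分必须删除。
+]
+},
+"streamSettings": {
+"network": "tcp",
+"security": "tls",
+"tlsSettings": {
+"certificates": [
+{
+"ocspStapling": 3600,
+"certificateFile": "/home/tls/xx.yy/xx.yy.crt", //换成自己的证书,绝对路径。
+"keyFile": "/home/tls/xx.yy/xx.yy.key" //换成自己的密钥,绝对路径。
+}
+],
+"rejectUnknownSni": true, //限定域名连接(包括禁止以 IP 方式访问网站)
+"minVersion": "1.2"
+}
+},
+"sniffing": {
+"enabled": true,
+"destOverride": [
+"http",
+"tls"
+]
+}
+}
+],
+"routing": {
+"rules": [
+{
+"type": "field",
+"protocol": [
+"bittorrent"
+],
+"outboundTag": "blocked"
+}
+]
+},
+"outbounds": [
+{
+"protocol": "freedom",
+"settings": {}
+},
+{
+"tag": "blocked",
+"protocol": "blackhole",
+"settings": {}
+}
+]
+}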
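Review bot: The second fallback entry, the one ending `} //对应 Nginx 版本小于 v1.25.1 配置,否则此部分必须删除。` after `"dest": 81`, is followed directly by the `{` of the third entry with no comma, so once the `//` comments are stripped the array reads `} {` and the loader should reject the file unless the reader first deletes one group as the comments instruct. Add the comma (`}, //对应 Nginx 版本小于 v1.25.1 配置,否则此部分必须删除。`), or better keep only one nginx version's entries live and describe the other in the accompanying notes, since two default fallbacks (81 and 88) active at once is presumably not intended either. The UDS variant of this file later in the commit has the same missing comma after its `"/dev/shm/uds81.sock"` entry.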
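--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,47 @@
+
+#user nobody nogroup; #表示以默认用户(root)运行。若取消注释,注意修改为相应权限的用户与组。
+worker_processes auto;
+
+error_log /var/log/nginx/error.log; #错误日志的文件地址
+
+pid /run/nginx.pid;
+
+events {
+worker_connections 1024;
+}
+
+http {
+include mime.types;
+default_type application/octet-stream;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log main; #访问日志的文件地址
+
+sendfile on;
+
+keepalive_timeout 65;
+
+server {
+listen 80;
+listen [::]:80; #无 IPv6,此项可删除。
+return 301 https://$host$request_uri; #HTTP 自动跳转 HTTPS,让网站看起来更真实。
+}
+
+server {
+listen unix:/dev/shm/uds82.sock http2 proxy_protocol; #使用 H2C server 监听进程,且开启 PROXY protocol 接收。(仅版本小于 v1.25.1 配置,否则必须删除。)
+listen unix:/dev/shm/uds81.sock proxy_protocol; #使用 HTTP/1.1 server 监听进程,且开启 PROXY protocol 接收。(仅版本小于 v1.25.1 配置,否则必须删除。)
+listen unix:/dev/shm/uds88.sock proxy_protocol; #使用 H2C server 及 HTTP/1.1 server 监听进程,且开启 PROXY protocol 接收。(仅版本不小于 v1.25.1 配置,否则必须删除。)
+http2 on; #仅版本不小于 v1.25.1 配置,否则必须删除。
+set_real_ip_from unix:;
+real_ip_header proxy_protocol;
+
+location / {
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #启用 HSTS
+root /var/www/html; #修改为自己存放的 WEB 文件路径
+index index.html index.htm;
+}
+}
+}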
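Review bot: The three `listen unix:/dev/shm/...sock proxy_protocol;` lines place the trusted PROXY-protocol endpoints in `/dev/shm`, a world-writable tmpfs shared with every local user, and nginx (as far as I recall — confirm for the version deployed) makes its UNIX listening sockets world-readable and world-writable when it creates them. Combined with `set_real_ip_from unix:;` that lets any local process connect and present a PROXY header that sets `$remote_addr` in access.log, and while nginx is stopped the same path can be claimed by another local process, which then receives whatever Xray falls back to it. A directory only the nginx and xray users can enter (constructed example: `/run/xray-nginx` with mode 0750 and a shared group) keeps the sockets off the shared tmpfs; if the `/dev/shm` path is kept, a comment on the `listen` lines stating that the host is assumed to be single-tenant would make the trust assumption explicit.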
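--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,82 @@
+{
+"log": {
+"loglevel": "warning",
+"error": "/var/log/xray/error.log",
+"access": "/var/log/xray/access.log"
+},
+"inbounds": [
+{
+"port": 443, //监听端口
+"protocol": "vless",
+"settings": {
+"clients": [
+{
+"id": "048e0bf2-dd56-11e9-aa37-5600024c1d6a", //修改为自己的 UUID
+"flow": "xtls-rprx-vision", //启用 XTLS Vision
+"email": "[email protected]"
+}
+],
+"decryption": "none",
+"fallbacks": [
+{
+"alpn": "h2", //h2 回落匹配
+"dest": "/dev/shm/uds82.sock", //h2 回落进程
+"xver": 2 //开启 PROXY protocol 发送,发送真实来源 IP 和端口给 Nginx。 1 或 2 表示 PROXY protocol 版本。
+}, //对应 Nginx 版本小于 v1.25.1 配置,否则此部分必须删除。
+{
+"dest": "/dev/shm/uds81.sock", //http/1.1 回落进程
+"xver": 2 //开启 PROXY protocol 发送,发送真实来源 IP 和端口给 Nginx。 1 或 2 表示 PROXY protocol 版本。
+} //对应 Nginx 版本小于 v1.25.1 配置,否则此部分必须删除。
+{
+"dest": "/dev/shm/uds88.sock", //h2 回落与 http/1.1 回落共用进程
+"xver": 2 //开启 PROXY protocol 发送,发送真实来源 IP 和端口给 Nginx。 1 或 2 表示 PROXY protocol 版本。
+} //对应 Nginx 版本不小于 v1.25.1 配置,否则此部分必须删除。
+]
+},
+"streamSettings": {
+"network": "tcp",
+"security": "tls",
+"tlsSettings": {
+"certificates": [
+{
+"ocspStapling": 3600,
+"certificateFile": "/home/tls/xx.yy/xx.yy.crt", //换成自己的证书,绝对路径。
+"keyFile": "/home/tls/xx.yy/xx.yy.key" //换成自己的密钥,绝对路径。
+}
+],
+"rejectUnknownSni": true, //限定域名连接(包括禁止以 IP 方式访问网站)
+"minVersion": "1.2"
+}
+},
+"sniffing": {
+"enabled": true,
+"destOverride": [
+"http",
+"tls"
+]
+}
+}
+],
+"routing": {
+"rules": [
+{
+"type": "field",
+"protocol": [
+"bittorrent"
+],
+"outboundTag": "blocked"
+}
+]
+},
+"outbounds": [
+{
+"protocol": "freedom",
+"settings": {}
+},
+{
+"tag": "blocked",
+"protocol": "blackhole",
+"settings": {}
+}
+]
+}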
@@ -1 +1,22 @@ | ||
介绍: | ||
|
||
本示例配置为 VLESS+Vision+TLS 应用。Xray 服务端前置(监听 443 端口)处理来自墙内的 HTTP/2或HTTPS 请求,如果是合法的 Xray 客户端请求,那么为该请求提供服务(科学上网);否则将已解除 TLS 的流量请求回落(转发)给 Nginx,由 Nginx 为其提供 WEB 服务(回落应用)。 | ||
|
||
原理: | ||
|
||
默认流程:Xray client <------ TCP+TLS(HTTP/2或HTTPS) ------> Xray server | ||
回落流程:WEB client <------------- HTTP/2或HTTPS --------------> Xray server <-- H2C或HTTP/1.1 --> Nginx(WEB server) | ||
|
||
注意: | ||
|
||
1、Xray 版本不小于 v1.7.2 才完美支持 VLESS 协议的 XTLS Vision 应用。 | ||
|
||
2、Nginx 支持 H2C server 需要 Nginx 包含 http_v2_module 模块构建。 | ||
|
||
3、Nginx 版本不小于 v1.25.1 才支持 H2C server 与 HTTP/1.1 server 共用一个端口或一个进程。若 Nginx 版本小于 v1.25.1,回落必须分成 h2 回落与 http/1.1 回落分别对应 Nginx 的 H2C server 与 HTTP/1.1 server。 | ||
|
||
4、Nginx 支持对请求标头的 PROXY 协议处理需要 Nginx 包含 http_realip_module 模块构建。 | ||
|
||
5、不要使用 ACME 客户端在采用本示例的服务器上以 HTTP-01 或 TLS-ALPN-01 验证方式申请与更新 TLS 证书,因 HTTP-01 或 TLS-ALPN-01 验证方式申请与更新 TLS 证书需监听 80 或 443 端口,从而与当前应用端口冲突。 | ||
|
||
6、配置1:使用 Local Loopback 连接,且启用了 PROXY protocol。配置2:使用 UDS 连接,且启用了 PROXY protocol。 |