上一次自建代理还是 v2ray+ws+tls 盛行的时候,后面转机场之后就很久没有需求了
但是最近刚好购买了搬瓦工优化线路的机子,查资料发现之前的方式已经能被精准识别,所以切换为当前最稳定的协议 vless + reality + xtls-rprx-vision。但查询后发现资料较少,过程中问题很多,所以做一个记录。
参考配置使用 Xray-examples
针对 VLESS-Vision-REALITY 方案,有以下两种方式实现“自己偷自己”(即 REALITY 的 dest 指向自己托管的网站)。
- Nginx前置 使用stream实现分流
- xray前置 使用 xray分流
个人期望使用第一种方式,因为还想通过 nginx 托管多个网站,所以后续以第一种方式为准。使用了 mdserver-web 作为网站面板,方便维护。
1. 安装 mdserver-web
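# Install mdserver-web. The original used `curl --insecure ... | bash`, which turns off
# TLS certificate verification and then runs whatever comes back as root, so any
# on-path party could substitute the script. Fetch it with verification on, look at
# it, then run it.
curl -fsSL https://cdn.jsdelivr.net/gh/midoks/mdserver-web@latest/scripts/install.sh -o install.sh
# (review install.sh here before running it)
bash install.sh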
打开面板网页,必须安装的软件是 OpenResty。
2. 添加网站
在面板中添加想要“偷”证书的网站,后续以 example.com 为例
1. 将 example.com 的 DNS 解析指向本机
2. 后台添加网站
3. 申请SSL证书
3. 修改配置文件
/www/server/openresty/nginx/conf/nginx.conf
# Append as the last line. The stream {} block belongs to the main context, so this
# include must sit outside http {} — appending at the end of the file does that.
include /www/server/web_conf/nginx/stream/*.conf;
/www/server/mdserver-web/plugins/openresty/conf/nginx.conf
# Append as the last line. Presumably this is the panel's template copy of nginx.conf;
# keeping both copies in sync avoids losing the include when the panel regenerates
# the live file — verify against the panel's behaviour.
include /www/server/web_conf/nginx/stream/*.conf;
/www/server/web_conf/nginx/rewrite/example.com
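# Rewrite config: reverse-proxies another site to serve a decoy page on this host.
location / {
    # Rewrite the upstream host name in response bodies so links point back here.
    sub_filter $proxy_host $host;
    sub_filter_once off;
    # sub_filter only processes uncompressed bodies; ask the upstream for an
    # identity encoding, otherwise gzip/br responses pass through unmodified.
    proxy_set_header Accept-Encoding "";
    # Site to mirror as the decoy; change as needed.
    set $website blog.honus.top;
    proxy_pass https://$website;
    # proxy_pass uses a variable, so a resolver is required for request-time lookups.
    resolver 1.1.1.1;
    proxy_set_header Host $proxy_host;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;
    # Send SNI to the upstream so it serves the right certificate.
    proxy_ssl_server_name on;
    # NOTE(review): proxy_ssl_verify defaults to off, so the upstream's certificate
    # is not validated; enable it (with proxy_ssl_trusted_certificate) if the decoy
    # content must be protected from on-path tampering.
    proxy_set_header Upgrade $http_upgrade;
    # NOTE(review): $connection_upgrade is not defined anywhere in the config shown
    # here; it is normally `map $http_upgrade $connection_upgrade { ... }` in the
    # http context — confirm the panel's nginx.conf provides it, otherwise nginx
    # should reject the config with an unknown-variable error.
    proxy_set_header Connection $connection_upgrade;
    # Client address from the PROXY protocol header written by the stream front;
    # it is only trustworthy because this server listens on loopback and the
    # header comes from the local nginx stream listener.
    proxy_set_header X-Real-IP $proxy_protocol_addr;
    # $proxy_add_forwarded is defined by the map in vhost/0.forward.conf.
    proxy_set_header Forwarded $proxy_add_forwarded;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
}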
/www/server/web_conf/nginx/stream/stream.conf
# Enable the nginx stream configuration
# Adjust to your needs
stream {
# Routing is decided on the TLS ClientHello SNI only (ssl_preread does not
# decrypt anything). The SNI is client-supplied, so this map merely selects a
# backend; it is not authentication and must not be treated as such.
# VLESS data path: example.com -> nginx:443 -> [ vless(xray:8001) -> nginx:8002 ] (see the VLESS config; amounts to port forwarding)
# Web data path: any other SNI (e.g. all.example.com) -> nginx:443 -> default_backend
map $ssl_preread_server_name $name {
example.com vless;
default default_backend;
}
upstream vless {
server 127.0.0.1:8001;
}
# default ssl port 8011
# NOTE(review): proxy_protocol on (below) applies to every upstream, so whatever
# listens on 8011 must also accept PROXY protocol (listen ... proxy_protocol).
upstream default_backend {
server 127.0.0.1:8011;
}
server {
listen 443;
listen [::]:443;
proxy_pass $name;
# Requires the stream_ssl_preread module in the OpenResty build.
ssl_preread on;
# Prepend a PROXY protocol header so the backend can learn the real client address.
proxy_protocol on;
}
}
/www/server/openresty/nginx/conf/example.com.conf
# Edit this config: keep the original content where possible and only add what is needed.
server
{
# reuseport may appear only once per server
# Loopback only: traffic reaches this vhost through the stream front on 443 and
# through xray's REALITY dest; both send PROXY protocol, hence the flag on listen.
listen 127.0.0.1:8002 ssl proxy_protocol;
http2 on;
server_name example.com;
index index.php index.html index.htm default.php default.htm default.html;
root /www/wwwroot/example.com;
#SSL-START
ssl_certificate /www/server/web_conf/ssl/example.com/fullchain.pem;
ssl_certificate_key /www/server/web_conf/ssl/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): the TLS13_* names are not OpenSSL cipher identifiers (OpenSSL
# configures TLS 1.3 suites via ssl_conf_command Ciphersuites); confirm the
# OpenResty build accepts this string rather than silently dropping those entries.
ssl_ciphers TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# OCSP stapling; the resolver below is what nginx uses to reach the OCSP responder.
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 valid=60s;
resolver_timeout 2s;
# 497 = plain HTTP request received on the TLS port; redirect it to HTTPS.
error_page 497 https://$host$request_uri;
#SSL-END
# Add proxy_protocol support (if not already present)
# Trust PROXY protocol headers from loopback only. Listing any other source would
# let that peer set an arbitrary client address in $remote_addr and in the logs.
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
#301-START
#PROXY-START
#ERROR-PAGE-START
#error_page 404 /404.html;
#error_page 502 /502.html;
#ERROR-PAGE-END
#PHP-INFO-START
include /www/server/web_conf/php/conf/enable-php-00.conf;
#PHP-INFO-END
#REWRITE-START
include /www/server/web_conf/nginx/rewrite/example.com.conf;
#REWRITE-END
# Deny access to these files or directories
# NOTE(review): the dots in user.ini and README.md are unescaped and so match any
# character; a harmless over-match here.
location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
{
return 404;
}
# Settings for the directory used by one-click SSL certificate validation
location ~ \.well-known{
allow all;
}
access_log /www/wwwlogs/example.com.log main;
error_log /www/wwwlogs/example.com.error.log;
}
http 配置需要增加以下内容(上面 rewrite 配置中引用的 $proxy_add_forwarded 变量由这里的 map 定义);缺少时会出现什么问题没有测试过。
/www/server/web_conf/nginx/vhost/0.forward.conf
# Build one RFC 7239 "for=" element from the PROXY protocol client address:
# bare IPv4 as-is, IPv6 quoted in brackets, anything else as "unknown".
map $proxy_protocol_addr $proxy_forwarded_elem {
~^[0-9.]+$ "for=$proxy_protocol_addr";
~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
default "for=unknown";
}
# Append our element to an incoming Forwarded header only when that header matches
# the RFC 7239 grammar below; otherwise the client-supplied value is dropped and a
# fresh header is started, so a malformed Forwarded header is not passed upstream.
map $http_forwarded $proxy_add_forwarded {
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
default "$proxy_forwarded_elem";
}
nginx 配置到此为止,可以使用 /www/server/openresty/bin/openresty -T
检查并查看 nginx 的完整配置
4. xray配置文件
client_server.json
# 里面有些参数(如 privateKey、shortIds)没有填充,需要自行生成;主要注意增加注释的部分
{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
// Loopback only: the nginx stream front on 443 forwards the example.com SNI here.
"listen": "127.0.0.1",
"port": 8001,
"protocol": "vless",
"settings": {
"clients": [
{
// NOTE(review): this is the client's credential. A short dictionary word is
// guessable; use a random UUID from `xray uuid` and keep it secret.
"id": "honus",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
// Non-REALITY handshakes are handed to this dest (the nginx vhost on 8002),
// which must present the certificate for serverNames. Port-only form;
// presumably resolves to loopback — verify.
"dest": "8002",
// Send PROXY protocol to dest: remember this must be 1 (nginx on 8002 listens with proxy_protocol)
"xver": 1,
"serverNames": [
// Must match server_name in the nginx config
"example.com"
],
// Server-side X25519 private key from `xray x25519`; the matching public key
// goes into the client config. Generate a fresh pair — never reuse one.
"privateKey": "",
// An empty string accepts clients that send no shortId; per the Xray docs each
// entry is hex, even length, up to 16 characters — confirm against current docs.
"shortIds": [
""
]
},
"tcpSettings": {
// Remember to enable this: the nginx stream front sends proxy_protocol on
"acceptProxyProtocol": true
}
},
// Optional
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls",
"quic"
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
},
{
"protocol": "blackhole",
"tag": "block"
}
]
}