#来源
https://github.com/XTLS/Xray-core/discussions/4118
#准备两个域名
reality.yourdomain1.com（用于 REALITY；在 Cloudflare 中关闭代理，即灰色小云朵/仅 DNS，客户端直连 VPS）
cdn.yourdomain2.com（用于走 CDN；在 Cloudflare 中打开代理，即橙色小云朵）
#Cloudflare 需在 Network 中开启 WebSockets 和 gRPC；源站证书由下文 acme.sh 正式签发，SSL/TLS 模式用 Full (strict)，不要用 Flexible（Flexible 会回源到 80 端口，而 80 端口只做 301 跳转）
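# Install prerequisites
apt install -y curl sudo
# Install Xray.
# NOTE(review): this pipes a remote script straight into bash — read it (or pin
# a commit instead of `main`) before running it on a host you care about.
# The quotes must be plain ASCII double quotes; the curly quotes found in some
# copies of this line make the shell choke on the command.
# `-u root` runs the xray service as root. Nothing in the config below needs
# root (no certificate files, no privileged paths); the installer's default
# service account is, as far as I recall, able to bind :443 via capabilities —
# TODO confirm on your distro and drop `-u root` if so.
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u root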
#xray配置
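{
  // Xray server config. JSONC: Xray's own loader accepts // comments, a strict
  // JSON parser will not — keep this file for Xray only.
  // Two inbounds on one VPS:
  //   :443  VLESS + REALITY for direct clients. A non-REALITY TLS handshake is
  //         forwarded to nginx on :8003 ("target"); traffic that passes REALITY
  //         but is not VLESS falls back to the xhttp inbound on :8001.
  //   :8001 VLESS + xhttp on loopback only, reached via that fallback and via
  //         nginx's /cdn location (the CDN path).
  "log": {
    // "info" records every destination a client visits. On a proxy host that
    // is sensitive data at rest; consider "warning" once the setup works.
    "loglevel": "info"
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        // Block CN destinations and private address space. geoip:private
        // covers loopback/RFC1918, so clients cannot use the proxy to reach
        // the loopback-only services on this host (:8001, :8003).
        "type": "field",
        "ip": [
          "geoip:cn",
          "geoip:private"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "", // run `xray uuid` to generate
            "level": 0,
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            // Must equal the "port" of the xhttp inbound below.
            "dest": "8001",
            "xver": 0
          }
        ]
      },
      "streamSettings": {
        "network": "raw",
        "security": "reality",
        "realitySettings": {
          "show": false,
          // Handshakes that fail REALITY verification (probes, CDN traffic,
          // plain browsers) are relayed here: nginx's SNI-routed :8003.
          "target": "8003",
          "xver": 0,
          "serverNames": [
            "reality.yourdomain1.com" // the REALITY domain
          ],
          // run `xray x25519` to generate. This is a secret: only the matching
          // public key goes into client configs.
          "privateKey": "",
          "shortIds": [
            "" // hex digits 0-f, even length, at most 16 chars; may be left empty
          ]
        }
      },
      // "sniffing" is an inbound-level key in Xray's schema, a sibling of
      // "streamSettings". The original placed it inside streamSettings, where
      // (as I read the loader) it is an unknown key and silently ignored.
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"],
        "metadataOnly": false,
        "routeOnly": true
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 8001, // must equal the fallback "dest" above
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "", // run `xray uuid` to generate; use a different UUID from the :443 inbound
            "level": 0
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "xhttp",
        "xhttpSettings": {
          "host": "",
          "path": "/cdn", // choose your own; must match nginx's location and the client config
          "mode": "auto"
        }
      },
      // Same note as above: inbound-level, not inside streamSettings.
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"],
        "metadataOnly": false,
        "routeOnly": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}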
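# Validate the Xray config before (re)starting
xray -test -config /usr/local/etc/xray/config.json
# Restart Xray and show its state
systemctl restart xray && systemctl status xray

# Install acme.sh
# NOTE(review): another curl-to-shell install — review or pin it first.
# The original line created the same symlink twice; the second `ln -s` fails on
# the existing link and, being chained with &&, aborts the line. Once (and
# idempotent with -f) is enough.
apt install socat cron -y && curl https://get.acme.sh | sh && ln -sf /root/.acme.sh/acme.sh /usr/local/bin/acme.sh

# Switch CA. All acme.sh options take two ASCII hyphens; the en-dashes in some
# copies of this guide are not recognised.
acme.sh --set-default-ca --server letsencrypt

# Issue the certificate.
# --standalone binds :80 itself. nginx takes :80 in the step below, so the
# scheduled renewal would fail with "address already in use"; the hooks stop
# nginx around validation and are remembered by acme.sh for renewals (`|| true`
# keeps the very first issue working while nginx is not installed yet).
# Alternatives: --webroot against a path nginx serves, or a DNS API.
# NOTE(review): one cert for both names puts cdn.yourdomain2.com in the SAN
# list of the certificate nginx serves on :8003 for reality.yourdomain1.com —
# and that is what anyone connecting to the VPS IP with that SNI receives via
# the REALITY fallback. If linking the CDN hostname to this IP matters to you,
# issue one certificate per domain and give each nginx server block its own
# key/fullchain files.
acme.sh --issue -d reality.yourdomain1.com -d cdn.yourdomain2.com --standalone \
  --pre-hook "systemctl stop nginx || true" \
  --post-hook "systemctl start nginx || true"

# Install the certificate where nginx reads it. For a multi-name cert, only the
# first name is given here. Keep --reloadcmd even though nginx is installed
# later: it is stored and run at every renewal so nginx picks up the new files.
# On this first run it will report a reload error (no nginx yet); the files are
# still written.
acme.sh --install-cert -d reality.yourdomain1.com --ecc \
  --key-file /etc/ssl/private/private.key \
  --fullchain-file /etc/ssl/private/fullchain.cer \
  --reloadcmd "systemctl force-reload nginx"

# Build nginx from source (pinned to 1.27.3).
# A source build gets no security updates from apt — you own future patching.
# The distro package normally ships the same modules (see the Q&A at the end).
# NOTE(review): the tarball is fetched without checking its signature;
# nginx.org publishes a .tar.gz.asc next to each release — verify it before
# building.
apt-get install -y gcc g++ libpcre3 libpcre3-dev zlib1g zlib1g-dev openssl libssl-dev wget sudo make curl socat cron \
  && wget https://nginx.org/download/nginx-1.27.3.tar.gz \
  && tar -xvf nginx-1.27.3.tar.gz \
  && cd nginx-1.27.3 \
  && ./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf \
       --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_sub_module \
       --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module \
  && make && make install \
  && cd \
  && mkdir -p /var/log/nginx

# Create the systemd unit. The original collapsed this heredoc onto one line,
# which the shell cannot execute; one directive per line is required.
cat > /etc/systemd/system/nginx.service << 'EOF'
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target
EOF

# Enable the unit
systemctl daemon-reload && systemctl enable nginx.service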
#nginx配置文件
把下面的配置写入 /etc/nginx/nginx.conf，替换其中的两个域名和两个回落（伪装）站点；证书路径要与上面 acme.sh --install-cert 写入的路径一致。
#nginx配置
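# nginx sits behind Xray on this host:
#   :8003 (TLS, reached from Xray on loopback as REALITY's "target")
#         reality.yourdomain1.com -> decoy site #1 (what a prober of the VPS IP sees)
#         cdn.yourdomain2.com     -> decoy site #2, plus /cdn -> Xray xhttp inbound on :8001
#   :80   -> 301 to https
#
# Workers do not need root: the master process (started as root by systemd)
# opens the certificate and log files before spawning workers. Use an
# unprivileged account — www-data exists on Debian/Ubuntu, use nobody elsewhere.
user www-data;
worker_processes auto;
error_log /usr/local/nginx/logs/error.log notice;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Client address handling.
    # Every connection on :8003 arrives from Xray on 127.0.0.1 ("xver": 0, so no
    # PROXY protocol), hence $remote_addr is always loopback and nothing sets
    # X-Real-IP on the way in. These two directives are therefore inert as
    # configured; they are kept for the case where Xray is switched to PROXY
    # protocol / a trusted header.
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Real-IP;
    # NOTE(review): CF-Connecting-IP is accepted from any client, not only from
    # Cloudflare's ranges, and the VPS is reachable directly — the value is
    # spoofable. It only feeds the forwarded headers passed to Xray below, so
    # treat those as informational, never as an access-control input.
    map $http_cf_connecting_ip $real_client_ip {
        default $http_cf_connecting_ip;
        "" $remote_addr;
    }

    # Tuning
    sendfile on;
    server_tokens off;
    tcp_nodelay on;
    tcp_nopush on;
    client_max_body_size 0;
    gzip on;
    add_header X-Content-Type-Options nosniff;

    # TLS (shared by both server blocks)
    ssl_session_cache shared:SSL:16m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;
    ssl_protocols TLSv1.3 TLSv1.2;
    # The TLS_* names are TLS 1.3 suites; OpenSSL does not read those from
    # ssl_ciphers (they are set via ssl_conf_command Ciphersuites), so this
    # list effectively governs TLS 1.2 only. Harmless, just not what it looks like.
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    # NOTE(review): stapling verification generally needs ssl_trusted_certificate
    # pointing at the issuer chain/root; check the error log for OCSP warnings.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=60s;
    resolver_timeout 2s;

    # Forwarded / X-Forwarded-* helpers (RFC 7239 "for=" element, IPv6 bracketed)
    map $real_client_ip $proxy_forwarded_elem {
        ~^[0-9.]+$ "for=$real_client_ip";
        ~^[0-9A-Fa-f:.]+$ "for=\"[$real_client_ip]\"";
        default "for=unknown";
    }
    map $http_forwarded $proxy_add_forwarded {
        default "$proxy_forwarded_elem";
    }
    # Defined but not referenced by any location below; kept for WebSocket use.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        "" close;
    }

    # Decoy for the REALITY domain: served to probes of the VPS IP and to any
    # non-REALITY client. Both server blocks use the same certificate files —
    # if that cert was issued with both names, a connection with SNI
    # reality.yourdomain1.com exposes cdn.yourdomain2.com in its SAN list; use
    # separate certificates (and separate files here) if that matters.
    # Reverse-proxying a third-party site under your own name has its own
    # risks: its content is served from your host, and with proxy_ssl_verify
    # at its default (off) the upstream TLS connection is not authenticated.
    server {
        listen 8003 ssl;
        http2 on;
        server_name reality.yourdomain1.com; # the REALITY domain
        ssl_certificate /etc/ssl/private/fullchain.cer;
        ssl_certificate_key /etc/ssl/private/private.key;
        location / {
            proxy_pass https://www.stanford.edu; # decoy site #1
            proxy_set_header Host www.stanford.edu; # decoy site #1
            # nginx sends no SNI upstream by default; most CDN-hosted sites require it.
            proxy_ssl_server_name on;
            # To authenticate the upstream (needs the ca-certificates package):
            # proxy_ssl_verify on;
            # proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
        }
    }

    # CDN domain: Cloudflare connects to :443, REALITY relays the (non-REALITY)
    # handshake here, nginx terminates TLS with the real certificate.
    server {
        listen 8003 ssl;
        http2 on;
        server_name cdn.yourdomain2.com; # the CDN domain
        ssl_certificate /etc/ssl/private/fullchain.cer;
        ssl_certificate_key /etc/ssl/private/private.key;
        location / {
            proxy_pass https://www.harvard.edu; # decoy site #2
            proxy_set_header Host www.harvard.edu; # decoy site #2
            proxy_ssl_server_name on;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
        }
        # Tunnel to the xhttp inbound on 127.0.0.1:8001. Plain h2c on loopback is
        # fine; the path must match xhttpSettings.path in the Xray config and in
        # the client. Prefix match: /cdn-anything also lands here.
        location /cdn {
            grpc_pass 127.0.0.1:8001;
            grpc_set_header Host $host;
            grpc_set_header X-Real-IP $real_client_ip;
            grpc_set_header Forwarded $proxy_add_forwarded;
            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            grpc_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Plain HTTP: redirect everything to https on the same host.
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
}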
# Check the nginx config syntax (run after every edit of nginx.conf)
nginx -t
# Restart nginx and show its state
systemctl restart nginx && systemctl status nginx
以下为extra配置
出站2:xhttp+Reality 上下行不分离 (上行为 stream-one 模式)
"host": "", "path": "/cdn"
出站3:上行 xhttp+TLS+CDN | 下行 xhttp+Reality
"downloadSettings": {
"address": "x.x.x.x", //服务器IP
"port": 443,
"network": "xhttp",
"security": "reality",
"realitySettings": {
"show": false,
"serverName": "reality.yourdomain1.com", //reality域名（须与服务端 serverNames 一致）
"fingerprint": "chrome",
"publicKey": "" //填写与服务端配套的公钥
},
"xhttpSettings": {
"host": "",
"path": "/cdn",
"mode": "auto"
}
}
出站5:上行 xhttp+Reality | 下行 xhttp+TLS+CDN
"downloadSettings": {
"address": "cdn.yourdomain2.com", //cdn的域名
"port": 443,
"network": "xhttp",
"security": "tls",
"tlsSettings": {
"serverName": "cdn.yourdomain2.com", //cdn的域名
"allowInsecure": false,
"alpn": ["h2"],
"fingerprint": "chrome"
},
"xhttpSettings": {
"host": "cdn.yourdomain2.com", //cdn的域名
"path": "/cdn",
"mode": "auto"
}
}

可以不要nginx吗?让cdn直接访问vps的指定端口的xhttp(裸xhttp,不要tls)
有新的视频,已经放出了
为啥nginx要编译呢?不能直接安装吗,apt install nginx 不行吗?
可以。发行版自带的 nginx 软件包通常已编译了本文用到的 http_v2、ssl、realip、stream 等模块，而且能随 apt 获得安全更新；自行编译的版本要自己跟进后续补丁。注意软件包的配置文件路径、pid 路径和运行用户可能与本文不同，需对应调整。
两个域名用的证书都是同一个?
可以申请泛域名证书，或者一次申请包含两个域名的证书放在同一个文件里。但要注意：任何人直连 VPS IP、以 reality.yourdomain1.com 作 SNI，都会经 Reality 回落到 nginx 8003 拿到这张证书，证书 SAN 里的 cdn.yourdomain2.com 就把 CDN 背后的源站 IP 暴露了。更稳妥的做法是两个域名分别申请证书，两个 server 块各用各的证书文件。