Fixed All-in-One-fallbacks-Nginx routing (#114)

* Fixed routing issue + Add API config

* Fixed typo

* Removed shadowsocks because of similar links

* Fixed typo

---------

Co-authored-by: wlfvpn <vpn.womanlifefreedom.vip>
Woman Life Freedom 2023-01-27 23:17:42 -05:00 committed by GitHub
parent 1ab20c3d42
commit 5d6676b34c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 180 additions and 66 deletions


@ -26,7 +26,7 @@ Nginx is used to serve a decoy website to avoid active probing. It's also used t
## How it works?
The Vless-TCP-XTLS is the HTTPS entrypoint. For every incoming request after doing TLS-Termination, based on the **Path**, **SNI** or **ALPN type**, the request is passed to another inbound(sub-config). For example:
* If the **Path=/vlessws**, the request is passed to **@vless-ws** inbound.
* If the **Path=/vlws**, the request is passed to **@vless-ws** inbound.
* If the **Path=/vmtc**, the request is passed to **@vmess-tcp**.
* If **ALPN=HTTP2** and at the same time the **SNI=trh2o.example.com** then the request is passed to **@trojan-h2**.
@ -47,7 +47,7 @@ VMESS-gRPC Request ------> Xray Vless-TCP-XTLS(443) ----**alpn=h2**----> fallbac
* **(Optional)** If gRPC serviceNames are changed in server.json, they **should** also be changed in Nginx config
## Notes:
* Tested with **Xray 1.7.0** (Xray, Penetrates Everything.) Custom (go1.19.4 linux/amd64)
* Tested with **Xray 1.7.2** (Xray, Penetrates Everything.) Custom (go1.19.4 linux/amd64)
* For a little better performance, a DNS Cache could be setup (on 127.0.0.53 in this case) and used for resolving DNS queries. To enable xray to use it uncomment the corresponding rule from the `routing.settings.rules` in server.json.
* Multiple domains could be used at the same time, including domains behind cloudflare CDN. (For cloudflare, make sure websocket and gRPC are enabled in Network section). In this configuration these domains are **example.com** and **behindcdn.com**
* HTTP2 inbounds (Trojan-H2, Vless-H2, VMESS-H2 and ShadowSocks-H2)
@ -55,18 +55,19 @@ VMESS-gRPC Request ------> Xray Vless-TCP-XTLS(443) ----**alpn=h2**----> fallbac
* It's possible to create a CNAME dns record for all the H2 SNIs and use that as the address of the client config without setting custom SNI on client but it's optinal.
* It is assumed that the **example.com** domain has a **wildcard certificate**. If it's **not** a wildcard certificate or if it's a self-signed certificate, then `streamSettings.tlsSettings.allowInsecure` in the **client configuration** must be `true`.
* Put `nginx.conf` to your `/etc/nginx/conf.d/` then `systemctl restart nginx`
* If restarting nginx failed, you might have to remove socket files first `rm /dev/shm/{h1.sock,h2c.sock} && nginx -t && systemctl restart nginx`
## Client link examples
| Combination | Link |
| ----------- | ---- |
| Trojan-TCP | `trojan://desdemona99@example.com:443?security=tls&type=tcp#Trojan-TCP` |
| Trojan-WS | `trojan://desdemona99@example.com:443?security=tls&type=ws&path=/trojanws#Trojna-WS` |
| Trojan-WS | `trojan://desdemona99@example.com:443?security=tls&type=ws&path=/trojanws?ed=2048#Trojna-WS` |
| Trojan-gRPC | `trojan://desdemona99@example.com:443?security=tls&type=grpc&serviceName=trgrpc#Trojan-gRPC` |
| Trojan-H2 | `trojan://desdemona99@example.com:443?sni=trh2o.example.com&security=tls&type=http&path=/trh2#Trojan-H2` |
| Vless-TCP | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?security=tls&type=tcp#Vless-TCP` |
| Vless-WS | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?security=tls&type=ws&path=/vlws#Vless-WS` |
| Vless-WS | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?security=tls&type=ws?ed=2048&path=/vlws#Vless-WS` |
| Vless-gRPC | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?security=tls&type=grpc&serviceName=vlgrpc#Vless-gRPC` |
| Vless-H2 | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?sni=vlh2o.example.com&security=tls&type=http&path=/vlh2#Vless-H2` |
| VMESS-TCP | `vmess://ewogICAgImFkZCI6ICJleGFtcGxlLmNvbSIsCiAgICAiYWlkIjogIjAiLAogICAgImhvc3QiOiAiIiwKICAgICJpZCI6ICI5MGU0OTAzZS02NmE0LTQ1ZjctYWJkYS1mZDVkNWVkN2Y3OTciLAogICAgIm5ldCI6ICJ0Y3AiLAogICAgInBhdGgiOiAiL3ZtdGMiLAogICAgInBvcnQiOiAiNDQzIiwKICAgICJwcyI6ICJWTUVTUy1UQ1AiLAogICAgInNjeSI6ICJub25lIiwKICAgICJzbmkiOiAiIiwKICAgICJ0bHMiOiAidGxzIiwKICAgICJ0eXBlIjogImh0dHAiLAogICAgInYiOiAiMiIKfQo=` |
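Review bot: In the new Vless-WS row, `?ed=2048` is appended to `type=ws` instead of to the path (`type=ws?ed=2048&path=/vlws`), so a parser splitting the query on `&` reads the transport type as `ws?ed=2048` and the path without the parameter. It should mirror the new Trojan-WS row, i.e. `type=ws&path=/vlws?ed=2048`. A literal `?` inside a query value is also ambiguous to URL parsers, so percent-encoding it as `%3Fed%3D2048` in both rows would be safer. The new Trojan-WS row still carries the `#Trojna-WS` typo in its label.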


@ -28,7 +28,7 @@
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/ssws"
"path": "/ssws?ed=2048"
},
"security": "tls",
"tlsSettings": {
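Review bot: The `?ed=2048` suffix added to `"path"` here is not explained anywhere in the change, and none of the server.json hunks in this commit touch a WebSocket path. A short README note saying that this is Xray's WebSocket early-data threshold, and that this commit sets it only in the client configs, would keep users from copying the query string into the server `wsSettings`. The same applies to the other WebSocket client configs changed below.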


@ -27,7 +27,7 @@
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/trojanws"
"path": "/trojanws?ed=2048"
},
"security": "tls",
"tlsSettings": {


@ -33,7 +33,7 @@
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/vmws"
"path": "/vmws?ed=2048"
},
"security": "tls",
"tlsSettings": {


@ -32,7 +32,7 @@
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/vlws"
"path": "/vlws?ed=2048"
},
"security": "tls",
"tlsSettings": {


@ -2,16 +2,50 @@
"log": {
"loglevel": "info"
},
"api": {
"services": [
"HandlerService",
"LoggerService",
"StatsService"
],
"tag": "api"
},
"stats": {},
"policy": {
"levels": {
"0": {
"statsUserUplink": true,
"statsUserDownlink": true
}
},
"system": {
"statsInboundUplink": true,
"statsInboundDownlink": true,
"statsOutboundUplink": true,
"statsOutboundDownlink": true
}
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 62789,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1"
},
"tag": "api",
"sniffing": null
},
{
"tag": "Vless-TCP-XTLS",
"port": 443, // This is TLS entrypoint. This entrypoint does the SSL Termination then routes the request based on the Path or ALPN type.
"protocol": "vless",
"settings": {
"clients": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"flow": "xtls-rprx-vision"
{ "email": "general@vless-tcp-xtls", //Change to your own email
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own email
"flow": "xtls-rprx-vision",
"level": 0
// "flow": "xtls-rprx-direct"
}
],
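Review bot: The comment on the new `"id"` line of the Vless-TCP-XTLS client reads `//Change to your own email`, copied from the `"email"` line above it; it should read `//Change to your own UUID`, as the other inbounds do. On the new `api` inbound, binding to `127.0.0.1` is right, but `HandlerService` lets any local process that can reach port 62789 add or remove inbounds and users at runtime. If the API is only there to read the new stats counters, listing `StatsService` alone is enough.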
@ -127,7 +161,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@ -138,8 +175,10 @@
"protocol": "vless",
"settings": {
"clients": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797" //Change to your own UUID
{ "email":"general@vless-ws", //Change to your own email
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own UUID
"level": 0
}
],
"decryption": "none"
@ -154,7 +193,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
{
@ -163,6 +205,7 @@
"settings": {
"clients": [
{
"email": "general@vmess-ws",
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"level": 0
}
@ -178,7 +221,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
{
@ -187,7 +233,9 @@
"settings": {
"clients": [
{
"password": "desdemona99"
"email":"general@trojan-ws",
"password": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"level": 0
}
]
},
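Review bot: The Trojan-WS inbound's `"password"` changes from `desdemona99` to the UUID `90e4903e-66a4-45f7-abda-fd5d5ed7f797`, while the README's Trojan-WS link and the Trojan-TCP, Trojan-gRPC and Trojan-H2 inbounds in this file still use `desdemona99`. The Trojan-WS client hunk in this commit only changes the path, so clients built from the documented link will fail authentication on this inbound unless their password is changed too. If the change is unintended, restore `"password": "desdemona99"`; if it is intended, update the README row and the client config in the same commit.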
@ -201,7 +249,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
{
@ -210,8 +261,10 @@
"port": 4001,
"protocol": "shadowsocks",
"settings": {
"email":"general@shadowsocks-ws",
"method": "chacha20-ietf-poly1305",
"password": "desdemona99"
"password": "desdemona99",
"level": 0
},
"streamSettings": {
"network": "ws",
@ -222,7 +275,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@ -234,7 +290,9 @@
"settings": {
"clients": [
{
"password": "desdemona99"
"email":"general@trojan-tcp",
"password": "desdemona99",
"level": 0
}
],
"fallbacks": [
@ -254,7 +312,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
{
@ -263,7 +324,9 @@
"settings": {
"clients": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797"
"email":"general@vless-tcp",
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"level": 0
}
],
"decryption": "none"
@ -276,14 +339,19 @@
"header": {
"type": "http",
"request": {
"path": ["/vltc"]
"path": [
"/vltc"
]
}
}
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
{
@ -292,6 +360,7 @@
"settings": {
"clients": [
{
"email":"general@vmess-tcp",
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"level": 0
}
@ -305,7 +374,9 @@
"header": {
"type": "http",
"request": {
"path": ["/vmtc"] //,
"path": [
"/vmtc"
] //,
// "headers": {
// "Host": ["www.varzesh3.com"]
// }
@ -315,7 +386,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
{
@ -325,7 +399,9 @@
"protocol": "shadowsocks",
"settings": {
"method": "chacha20-ietf-poly1305",
"password": "desdemona99"
"password": "desdemona99",
"email": "general@shadowsocks-tcp",
"level":0
},
"streamSettings": {
"network": "tcp",
@ -334,14 +410,19 @@
"header": {
"type": "http",
"request": {
"path": ["/sstc"]
"path": [
"/sstc"
]
}
}
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@ -354,8 +435,10 @@
"protocol": "trojan",
"settings": {
"clients": [
{
"password": "desdemona99"
{
"email": "general@trojan-grpc",
"password": "desdemona99",
"level":0
}
]
},
@ -375,7 +458,9 @@
"settings": {
"clients": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797"
"email":"general@vless-grpc",
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"level": 0
}
],
"decryption": "none"
@ -396,6 +481,7 @@
"settings": {
"clients": [
{
"email":"general@vmess-grpc",
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own UUID
"level": 0
}
@ -427,7 +513,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@ -438,8 +527,10 @@
"protocol": "trojan",
"settings": {
"clients": [
{
"password": "desdemona99"
{
"email":"general@trojan-h2",
"password": "desdemona99",
"level": 0
}
]
},
@ -457,7 +548,9 @@
"settings": {
"clients": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797" //Change to your own UUID
"email":"general@vless-h2", //Change to your own email
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own UUID
"level": 0
}
],
"decryption": "none"
@ -471,7 +564,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
{
@ -479,7 +575,8 @@
"protocol": "vmess",
"settings": {
"clients": [
{
{
"email":"general@vmess-h2",
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"level": 0
}
@ -494,7 +591,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
},
{
@ -505,7 +605,8 @@
"settings": {
"method": "chacha20-ietf-poly1305",
"password": "desdemona99", //Change to your own password
"email": "2011@gmail.com"
"email": "general@shadowsocks-h2",
"level": 0
},
"streamSettings": {
"network": "h2",
@ -516,7 +617,10 @@
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
"destOverride": [
"http",
"tls"
]
}
} //,
// {
@ -581,7 +685,7 @@
},
{
"protocol": "blackhole",
"tag": "blackhole"
"tag": "blocked"
},
{
// A DNS Cache can be setup and added here to imporve performance (the corresponding rule should be uncommented)
@ -595,26 +699,35 @@
],
"routing": {
"domainStrategy": "AsIs",
"settings": {
"rules": [
// {
// // DNS Cache rule
// "type": "field",
// "port": 53,
// "network": "tcp,udp",
// "outboundTag": "DNS-Internal"
// },
{
"type": "field",
"outboundTag": "blackhole",
"ip": ["geoip:private"]
},
{
"type": "field", // Block BitTorrent protocol
"outboundTag": "blackhole",
"protocol": ["bittorrent"]
}
]
}
"rules": [
{
"inboundTag": [
"api"
],
"outboundTag": "api",
"type": "field"
},
// {
// // DNS Cache rule
// "type": "field",
// "port": 53,
// "network": "tcp,udp",
// "outboundTag": "DNS-Internal"
// },
{
"type": "field",
"outboundTag": "blocked",
"ip": [
"geoip:private"
]
},
{
"type": "field", // Block BitTorrent protocol
"outboundTag": "blocked",
"protocol": [
"bittorrent"
]
}
]
}
}
}
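Review bot: Moving `"rules"` from `routing.settings` up to `routing` leaves the README out of date: its Notes section still tells users to uncomment the DNS cache rule from `routing.settings.rules` in server.json. Update that sentence to `routing.rules` in the same change. Both block rules here already use the renamed `blocked` outbound tag; it is worth confirming that no other file still references the old `blackhole` tag.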