From 648e771c00933de807e89b0b31a50de06c584691 Mon Sep 17 00:00:00 2001
From: uzziell <36634183+UZziell@users.noreply.github.com>
Date: Mon, 2 Jan 2023 08:09:37 +0330
Subject: [PATCH] multiple configs on one port (#100)

* added all-in-one(everything on https) config
* Commented http sub-config
---
 All-in-One-fallbacks-Nginx/README.md | 41 +++
 All-in-One-fallbacks-Nginx/nginx.conf | 85 +++++
 All-in-One-fallbacks-Nginx/server.json | 434 +++++++++++++++++++++++++
 3 files changed, 560 insertions(+)
 create mode 100644 All-in-One-fallbacks-Nginx/README.md
 create mode 100644 All-in-One-fallbacks-Nginx/nginx.conf
 create mode 100644 All-in-One-fallbacks-Nginx/server.json

diff --git a/All-in-One-fallbacks-Nginx/README.md b/All-in-One-fallbacks-Nginx/README.md
new file mode 100644
index 0000000..2078457
--- /dev/null
+++ b/All-in-One-fallbacks-Nginx/README.md
@@ -0,0 +1,41 @@ +# Xray - All-in-one Configuration + Nginx(decoy website) + +The configuration uses xray's `fallbacks` feature to enable these combinations at the same time on port 443: +* HTTPS:443 + * Trojan-TCP-TLS + * Trojan-WS-TLS + * Trojan-gRPC-TLS + * Trojan-TCP-XTLS(flow: xtls-rprx-direct) + * Vless-TCP-TLS + * Vless-WS-TLS + * Vless-gRPC-TLS + * VMESS-TCP-TLS + * VMESS-WS-TLS + * VMESS-gRPC-TLS + * ShadowSocks-gRPC + +Nginx is used to serve a decory website and route gRPC traffic. + +## How it works? +The Trojan-TCP-XTLS is the HTTPS entrypoint. For every incoming request after doing TLS-Termination, based on the **Path** or **ALPN type**, the request is passed to another sub-config. For example: +* If the **Path=/vlessws**, the request is passed to **@vless-ws** sub-config. +* If the **Path=/vmtc**, the request is passed to **@vmess-tcp**. +* In case of **ALPN=HTTP2**, it's first passed to **@trojan-tcp**. In trojan-tcp, if if it's not a valid request(for example the trojan password is wrong), another fallback is set, to once more pass the request to Nginx HTTP2 Unix Domain Socket and a decory website is served. When the request is using HTTP2, it could also be gRPC, so that is also checked in Nginx. This is how a VMESS-gRPC request is processed: + +VMESS-gRPC Request ------> Xray Trojan-TCP-XTLS(443) ----**alpn=h2**----> fallback to xray trojan-tcp ------> fallback to nginx /dev/shm/h2c.sock ---**path=/vmgrpc**---> grpc_pass to xray vmess-gRPC listener on 127.0.0.1:3003 + +## What to change before use? +* Xray server.json + * **SSL Certificates and keys** absolute paths in Trojan-TCP-XTLS + * **Password** of Trojan and ShadowSocks configs + * **UUID** of Vless and VMESS configs + * **(Optional)** Path of all sub-configs. For **Websocket**->`wsSettings.path`, for **TCP**->`tcpSettings.header.request.path` and for **gRPC**->`grpcSettings.serviceName`. 
+* Nginx nginx.conf + * Domain names + * **(Optional)** If gRPC serviceNames are changed server.json, they **should** also be changed in Nginx config + + +## Notes: +* Tested with **Xray 1.6.1** (Xray, Penetrates Everything.) Custom (go1.19.2 linux/amd64) +* For a little better performance, a DNS Cache could be setup (on 127.0.0.53 in this case) and used for resolving DNS queries. To enable xray to use it uncomment the corresponding rule from the `routing.settings.rules` in server.json. +* Multiple domains could be used at the same time, including domains behind cloudflare CDN. (For cloudflare, make sure websocket and gRPC are enabled in Network section). In this configuration these domains are **example.com** and **behindcdn.com** \ No newline at end of file diff --git a/All-in-One-fallbacks-Nginx/nginx.conf b/All-in-One-fallbacks-Nginx/nginx.conf new file mode 100644 index 0000000..abe885a --- /dev/null +++ b/All-in-One-fallbacks-Nginx/nginx.conf 
@@ -0,0 +1,85 @@ +server { + listen unix:/dev/shm/h1.sock proxy_protocol default_server; + listen unix:/dev/shm/h2c.sock http2 proxy_protocol default_server; + set_real_ip_from unix:; + real_ip_header proxy_protocol; + server_name _; + return 400; +} #Restrict domain name access (prohibit access to the website by IP) and return 400 + +# HTTP1 UDS listener +server { + listen unix:/dev/shm/h1.sock proxy_protocol; #HTTP/1.1 server monitor process and enable PROXY protocol reception + set_real_ip_from unix:; + real_ip_header proxy_protocol; + server_name examle.com behindcdn.com; #Change to your own domain name(s) + + location / { + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #启用HSTS + root /var/www/html; #Modify to the path of the WEB file stored by yourself (check the permissions) + index index.html index.htm; + } +} + +# HTTP2 UDS listener +server { + listen unix:/dev/shm/h2c.sock http2 proxy_protocol; #H2C server monitor process and enable PROXY protocol reception + set_real_ip_from unix:; + real_ip_header proxy_protocol; + server_name examle.com behindcdn.com; #Change to your own domain name(s) (don't forget to add the certificates to xray config) + + # grpc settings + grpc_read_timeout 1h; + grpc_send_timeout 1h; + grpc_set_header X-Real-IP $remote_addr; + + location /trgrpc { #corresponds to serviceName in trojan-grpc config of xray + if ($request_method != "POST") { + return 404; + } #POST returns 404 when negotiation fails + client_body_buffer_size 1m; + client_body_timeout 1h; + client_max_body_size 0; + grpc_pass grpc://127.0.0.1:3001; + + } + + location /vlgrpc { #corresponds to serviceName in vless-grpc config of xray + if ($request_method != "POST") { + return 404; + } #POST returns 404 when negotiation fails + client_body_buffer_size 1m; + client_body_timeout 1h; + client_max_body_size 0; + grpc_pass grpc://127.0.0.1:3002; + + } + + location /vmgrpc { #corresponds to serviceName in vmess-grpc config of xray 
+ if ($request_method != "POST") { + return 404; + } #POST returns 404 when negotiation fails + client_body_buffer_size 1m; + client_body_timeout 1h; + client_max_body_size 0; + grpc_pass grpc://127.0.0.1:3003; + + } + + location /ssgrpc { #corresponds to serviceName in shadowsocks-grpc config of xray + if ($request_method != "POST") { + return 404; + } #POST returns 404 when negotiation fails + client_body_buffer_size 1m; + client_body_timeout 1h; + client_max_body_size 0; + grpc_pass grpc://127.0.0.1:3004; + } + + # Decoy website + location / { + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #HSTS + root /var/www/html; # Modify to the path of the WEB file stored by yourself (check the permissions) + index index.html index.htm; + } +} \ No newline at end of file diff --git a/All-in-One-fallbacks-Nginx/server.json b/All-in-One-fallbacks-Nginx/server.json new file mode 100644 index 0000000..a3cca2c --- /dev/null +++ b/All-in-One-fallbacks-Nginx/server.json 
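Review bot: Both the HTTP/1.1 and the H2C server blocks carry `server_name examle.com behindcdn.com;`, which misspells the domain that the README and the certificate paths in server.json call example.com, so a request with Host example.com never matches and falls through to the `default_server` block's `return 400` instead of the decoy site — an inconsistency served behind a valid certificate, which is exactly what the fallback chain is meant to avoid. Change both lines to `server_name example.com behindcdn.com;` (or mark them as placeholders so they cannot be copied verbatim). Separately, `set_real_ip_from unix:;` together with `real_ip_header proxy_protocol` trusts a PROXY header from any peer that can reach the `/dev/shm/h1.sock` and `/dev/shm/h2c.sock` sockets; unless their permissions are restricted, presumably any local user can connect and forge `$remote_addr` (and thus the `X-Real-IP` forwarded to the gRPC listeners), so a comment such as `# PROXY header is trusted from any local peer: keep these sockets readable/writable by xray and nginx only` would be worth adding next to the listen lines.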
@@ -0,0 +1,434 @@ +{ + "log": { + "loglevel": "info" + }, + "inbounds": [ + { + "port": 443, // This is TLS entrypoint. This entrypoint does the SSL Termination then routes the request based on the Path or ALPN type. + "protocol": "trojan", + "settings": { + "clients": [ + { + "password": "desdemona99", + "flow": "xtls-rprx-direct" //To enable XTLS Direct, this configuration must be added; otherwise, delete it. V2Ray has deleted the XTLS application since version v4.33.0. If you want to use this application, it is recommended to choose Xray. + } + ], + "decryption": "none", + "fallbacks": [ + { + // if the path was `/vlessws`, pass it to vless-ws listener + "path": "/vlessws", + "dest": "@vless-ws", + "xver": 2 //Enable the sending of the PROXY protocol, and send the real source IP and port to the following vmess+ws application. 1 or 2 indicates the PROXY protocol version. Consistent with the following, it is recommended to configure 2. + }, + { + // if the path was `/vmessws`, pass it to vmess-ws listener + "path": "/vmessws", + "dest": "@vmess-ws", + "xver": 2 + }, + { + // if the path was `/trojanws`, pass it to trojan-ws listener + "path": "/trojanws", + "dest": "@trojan-ws", + "xver": 2 + }, + { + // if the path was `/vltc`, pass it to vless-tcp listener + "path": "/vltc", + "dest": "@vless-tcp", + "xver": 2 + }, + { + // if the path was `/vmtc`, pass it to vmess-tcp listener + "path": "/vmtc", + "dest": "@vmess-tcp", + "xver": 2 + }, + { + // if the request's ALPN was HTTP2, pass it to trojan-tcp. (Also from trojan-tcp fallback to Nginx HTTP2) + "alpn": "h2", + "dest": "@trojan-tcp", + "xver": 2 + }, + { + // if not any other condition, pass it to Nginx HTTP1.1 listener + "dest": "/dev/shm/h1.sock", + "xver": 2 + } + ] + }, + "streamSettings": { + "network": "tcp", + "security": "xtls", //If XTLS Direct is enabled, tls must be changed to xtls; otherwise, tls will be restored. 
+ "xtlsSettings": { + //If XTLS Direct is enabled, tlsSettings must be changed to xtlsSettings; otherwise, restore tlsSettings. + "certificates": [ + { + "ocspStapling": 3600, //The Xray version is not less than v1.3.0 to support configuring the time interval between OCSP stapling update and certificate hot reload. Currently V2Ray does not support it. If you use V2Ray as the server, you must delete this configuration. + "certificateFile": "/etc/ssl/example.com/domain.pem", // this is te fullchain (domain + any bundle). Make sure the permissions are correct (absolute path) + "keyFile": "/etc/ssl/example.com/domain-key.pem" // this is the private key of the cert. Make sure the permissions are correct (absolute path) + }, + { + // more domains and therefore more certificates can be added to this `certificates` list + "ocspStapling": 3600, + "certificateFile": "/etc/ssl/behindcdn.com/domain.pem", + "keyFile": "/etc/ssl/behindcdn.com/domain-key.pem" + } + ], + "minVersion": "1.2", //Xray version is not less than v1.1.4 to support configuring the minimum TLS version. Currently V2Ray does not support it. If you use V2Ray as the server, you must delete this configuration. + "cipherSuites": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", //Xray版本不小于v1.1.4才支持配置密码套件(若无RSA证书,可删除所有RSA算法的密码套件;无ECC证书, to remove cipher suites for all ECDSA algorithms.). Currently V2Ray does not support it. If you use V2Ray as the server, you must delete this configuration. + "alpn": [ + "h2", //Enabling h2 connection needs to configure h2 fallback, otherwise inconsistency (streaking) is easily detected by the wall and blocked. + "http/1.1" //Enabling http/1.1 connection needs to configure http/1.1 fallback, otherwise inconsistency (streaking) is easily detected by the wall and blocked. 
+ ] + } + }, + "sniffing": { + "enabled": true, + "destOverride": ["http", "tls"] + } + }, + //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// + // WebSocket (VLESS - VMESS - TROJAN) // + //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// + { + "listen": "@vless-ws", + "protocol": "vless", + "settings": { + "clients": [ + { + "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797" //Change to your own UUID + } + ], + "decryption": "none" + }, + "streamSettings": { + "network": "ws", + "security": "none", + "wsSettings": { + "acceptProxyProtocol": true, + "path": "/vlessws" + } + }, + "sniffing": { + "enabled": true, + "destOverride": ["http", "tls"] + } + }, + { + "listen": "@vmess-ws", + "protocol": "vmess", + "settings": { + "clients": [ + { + "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", + "level": 0 + } + ] + }, + "streamSettings": { + "network": "ws", + "security": "none", + "wsSettings": { + "acceptProxyProtocol": true, + "path": "/vmessws" + } + }, + "sniffing": { + "enabled": true, + "destOverride": ["http", "tls"] + } + }, + { + "listen": "@trojan-ws", //trojan+ws listener process + "protocol": "trojan", + "settings": { + "clients": [ + { + "password": "desdemona99" //Change to your own password + } + ] + }, + "streamSettings": { + "network": "ws", + "security": "none", + "wsSettings": { + "acceptProxyProtocol": true, //Enable PROXY protocol reception, receive the real source IP and port + "path": "/trojanws" //Change to your own path + } + }, + "sniffing": { + "enabled": true, + "destOverride": ["http", "tls"] + } + }, + //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// + // TCP + http obfs (VLESS - VMESS - TROJAN) // + //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// + { + "listen": 
"@trojan-tcp", //trojan+tcp listening process + "protocol": "trojan", + "settings": { + "clients": [ + { + "password": "desdemona99" //Change to your own password + } + ], + "fallbacks": [ + { + // if it was not a valid trojan reuqest, for example the trojan password was wrong, pass it to the NGINX HTTP2 cleartext UDS + "dest": "/dev/shm/h2c.sock", + "xver": 2 //Enable PROXY protocol sending, and send the real source IP and port to Nginx. 1 or 2 indicates the PROXY protocol version. Consistent with the above, configuration 2 is recommended. + } + ] + }, + "streamSettings": { + "network": "tcp", + "security": "none", + "tcpSettings": { + "acceptProxyProtocol": true //Enable PROXY protocol reception, receive the real source IP and port before vless+tcp+tls fallback. + } + }, + "sniffing": { + "enabled": true, + "destOverride": ["http", "tls"] + } + }, + { + "listen": "@vless-tcp", + "protocol": "vless", + "settings": { + "clients": [ + { + "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797" + } + ], + "decryption": "none" + }, + "streamSettings": { + "network": "tcp", + "security": "none", + "tcpSettings": { + "acceptProxyProtocol": true, + "header": { + "type": "http", + "request": { + "path": ["/vltc"] + } + } + } + }, + "sniffing": { + "enabled": true, + "destOverride": ["http", "tls"] + } + }, + { + "listen": "@vmess-tcp", + "protocol": "vmess", + "settings": { + "clients": [ + { + "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", + "level": 0 + } + ] + }, + "streamSettings": { + "network": "tcp", + "security": "none", + "tcpSettings": { + "acceptProxyProtocol": true, + "header": { + "type": "http", + "request": { + "path": ["/vmtc"] //, + // "headers": { + // "Host": ["www.varzesh3.com"] + // } + } + } + } + }, + "sniffing": { + "enabled": true, + "destOverride": ["http", "tls"] + } + }, + //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// + // GRPC (VLESS - VMESS - TROJAN - SHADOWSOCKS) (Nginx routes to 
them based on `serviceName`(HTTP2 Path) ) // + //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// + { + "tag": "trojan-grpc", + "listen": "127.0.0.1", // listen on localhost + "port": 3001, + "protocol": "trojan", + "settings": { + "clients": [ + { + "password": "desdemona99" + } + ] + }, + "streamSettings": { + "network": "grpc", + "security": "none", + "grpcSettings": { + "serviceName": "trgrpc" + } + } + }, + { + "tag": "vless-grpc", + "listen": "127.0.0.1", // listen on localhost + "port": 3002, + "protocol": "vless", + "settings": { + "clients": [ + { + "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797" + } + ], + "decryption": "none" + }, + "streamSettings": { + "network": "grpc", + "security": "none", + "grpcSettings": { + "serviceName": "vlgrpc" + } + } + }, + { + "tag": "vmess-grpc", + "listen": "127.0.0.1", // listen on localhost + "port": 3003, + "protocol": "vmess", + "settings": { + "clients": [ + { + "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own UUID + "level": 0 + } + ] + }, + "streamSettings": { + "network": "grpc", + "security": "none", + "grpcSettings": { + "serviceName": "vmgrpc" + } + } + }, + { + "listen": "127.0.0.1", //Only listen on localhost + "port": 3004, + "protocol": "shadowsocks", + "settings": { + "method": "chacha20-ietf-poly1305", + "password": "desdemona99", //Change to your own password + "email": "2011@gmail.com" + }, + "streamSettings": { + "network": "grpc", + "security": "none", + "grpcSettings": { + "serviceName": "ssgrpc" //Change to your own gRPC service name, similar to Path in HTTP/2. 
+ } + }, + "sniffing": { + "enabled": true, + "destOverride": ["http", "tls"] + } + }//, + // { + // "port": 80, // this is http entrypoint + // "protocol": "vless", + // "settings": { + // "clients": [ + // { + // "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797" + // } + // ], + // "fallbacks": [ + // { + // "path": "/vlessws", + // "dest": "@vless-ws", + // "xver": 2 + // }, + // { + // "path": "/vmessws", + // "dest": "@vmess-ws", // the same vmess-ws used in 443 TLS entrypint is used here as well + // "xver": 2 + // }, + // { + // "path": "/vltc", + // "dest": "@vless-tcp", + // "xver": 2 + // }, + // { + // "path": "/vmtc", + // "dest": "@vmess-tcp", + // "xver": 2 + // }, + // { + // "dest": "/dev/shm/h1.sock", // defaults to Nginx HTTP1.1 listener + // "xver": 2 + // } + // ], + // "decryption": "none" + // }, + // "streamSettings": { + // "network": "tcp", + // "security": "none" + // }, + // "sniffing": { + // "enabled": true, + // "destOverride": ["http", "tls"] + // } + // } + ], + "outbounds": [ + { + "protocol": "freedom", + "settings": {} + }, + { + "protocol": "blackhole", + "tag": "blackhole" + }, + { + // A DNS Cache can be setup and added here to imporve performance (the corresponding rule should be uncommented) + "tag": "DNS-Internal", + "protocol": "dns", + "settings": { + "address": "127.0.0.53", + "port": 53 + } + } + ], + "routing": { + "domainStrategy": "AsIs", + "settings": { + "rules": [ + // { + // "type": "field", + // "outboundTag": "blackhole", + // "ip": ["geoip:private"] + // }, + // { DNS Cache rule + // "type": "field", + // "port": 53, + // "network": "tcp,udp", + // "outboundTag": "DNS-Internal" + // }, + { + "type": "field", // Block BitTorrent protocol + "outboundTag": "blackhole", + "protocol": ["bittorrent"] + } + ] + } + } +} \ No newline at end of file
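Review bot: The `routing.settings.rules` entry that blackholes `"ip": ["geoip:private"]` is commented out, so every authenticated client is sent through the `freedom` outbound to any destination, including this host's own loopback and private/link-local ranges — the plaintext gRPC listeners on 127.0.0.1:3001-3004, the optional resolver on 127.0.0.53, and on a cloud VM presumably the instance metadata endpoint as well. Uncomment that rule ahead of the bittorrent rule, or add a comment stating why clients are allowed to reach internal addresses. The same literal `"password": "desdemona99"` and `"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797"` are repeated across all five trojan/shadowsocks and all five vless/vmess inbounds in a published sample, so a user who replaces only the port-443 entrypoint credentials leaves the other inbounds (all reachable through the fallbacks) accepting a public secret; a top-of-`inbounds` comment like `// CHANGE EVERY password/id below: the fallbacks make all inbounds reachable from 443` or a placeholder xray refuses to load would make that harder to miss. Finally, `routing.settings.rules` is the legacy V2Ray wrapper and xray's documented key is `routing.rules`; it appears to still be accepted, but it is worth confirming on the tested 1.6.1 build that these rules actually load, since otherwise the bittorrent block is silently a no-op.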