From ad496cb607ef4ea39f4f7e5b2663fc9cecfbaf53 Mon Sep 17 00:00:00 2001
From: chika0801 <88967758+chika0801@users.noreply.github.com>
Date: Tue, 7 Mar 2023 12:57:12 +0800
Subject: [PATCH] =?UTF-8?q?Vision=E9=85=8D=E7=BD=AE=E7=A4=BA=E4=BE=8B?=
 =?UTF-8?q?=E6=9B=B4=E6=96=B0=20(#128)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Update config_client.json
* Update config_server.json
* Update config_server.json
* Update config_server.json
* Update config_server.json
* Create nginx.conf
* Create README.md
---
 VLESS-TCP-XTLS-Vision/README.md | 16 ++++++
 VLESS-TCP-XTLS-Vision/config_client.json | 22 ++++----
 VLESS-TCP-XTLS-Vision/config_server.json | 35 +++++++++---
 VLESS-TCP-XTLS-Vision/nginx.conf | 69 ++++++++++++++++++++++++
 4 files changed, 126 insertions(+), 16 deletions(-)
 create mode 100644 VLESS-TCP-XTLS-Vision/README.md
 create mode 100644 VLESS-TCP-XTLS-Vision/nginx.conf

diff --git a/VLESS-TCP-XTLS-Vision/README.md b/VLESS-TCP-XTLS-Vision/README.md
new file mode 100644
index 0000000..b682d31
--- /dev/null
+++ b/VLESS-TCP-XTLS-Vision/README.md
@@ -0,0 +1,16 @@
+:+1:**XTLS Vision [简介](https://github.com/XTLS/Xray-core/discussions/1295)**
+
+**使用提醒:**
+
+:exclamation:相对于 XTLS Vision 的使用基数,目前几乎没有收到 **配置正确** 的 Vision 被封端口的报告,**配置正确** 指的是:
+
+1. 服务端使用合理的端口,禁回国流量
+2. 只配置 XTLS Vision,不兼容普通 TLS 代理
+3. 回落到网页,不回落/分流到其它代理协议
+4. 客户端启用 uTLS(fingerprint) [#1](https://github.com/XTLS/Xray-core/issues/1544#issuecomment-1399194727)
+
+首先,如果你特别不想被封,**请先选择一个干净的 IP**,并按照 **配置正确** 去搭建、使用 XTLS Vision。
+
+**但是,即使你这样做了,也无法保证 100% 不被封**。自去年底始,很多人的未知流量秒封 IP,TLS in TLS 流量隔天封端口。XTLS Vision 不是未知流量,且完整处理了 TLS in TLS 特征,目前看来效果显著。**但这并不意味着,用 XTLS Vision 可以 100% 不被封,认识到这一点是非常、非常重要的,不要自己偶然被封就大惊小怪**。
+
+**因为除了协议本身,还有很多角度能封你**。以 IP 为例,你无法保证 IP 真的干净,无法避免被邻居波及,无法避免整个 IP 段被重点拉清单。也有可能某些地区的 GFW 有独特的标准,比如某个 IP 只有寥寥数人访问连却能跑那么多流量,封。**如果你的 XTLS Vision 被封了,但没有出现去年底 TLS 那样的大规模被封报告,我真心建议你换端口、换 IP、换服务商依次试一遍**。 [#2](https://github.com/XTLS/Xray-core/issues/1544#issuecomment-1402118517)
diff --git a/VLESS-TCP-XTLS-Vision/config_client.json b/VLESS-TCP-XTLS-Vision/config_client.json
index c6725d5..783fe04 100644
--- a/VLESS-TCP-XTLS-Vision/config_client.json
+++ b/VLESS-TCP-XTLS-Vision/config_client.json
@@ -25,8 +25,8 @@
 },
 "inbounds": [
 {
- "listen": "127.0.0.1",
- "port": 10808, // v2rayN 本地监听端口
+ "listen": "127.0.0.1", // 填 0.0.0.0 表示允许来自局域网的连接
+ "port": 10808, // v2rayN 本地socks监听端口
 "protocol": "socks",
 "settings": {
 "udp": true
@@ -40,8 +40,8 @@
 }
 },
 {
- "listen": "127.0.0.1",
- "port": 10809, // v2rayN 本地监听端口
+ "listen": "127.0.0.1", // 填 "0.0.0.0" 表示允许来自局域网的连接
+ "port": 10809, // v2rayN 本地http监听端口
 "protocol": "http",
 "sniffing": {
 "enabled": true,
@@ -58,11 +58,11 @@
 "settings": {
 "vnext": [
 {
- "address": "", // VPS的IP
- "port": 16387, // VPS的端口
+ "address": "", // 地址,服务端的域名或IP
+ "port": 443, // 端口,与服务端一致
 "users": [
 {
- "id": "", // 用户ID
+ "id": "", // 用户ID,与服务端一致
 "encryption": "none",
 "flow": "xtls-rprx-vision"
 }
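Review bot: The new `listen` comment on the SOCKS inbound invites users to bind to `0.0.0.0`, but nothing in this hunk adds authentication to that inbound (its `settings` show only `"udp": true` and continue outside the hunk), so following the comment literally exposes an unauthenticated proxy to every host on the same network, or to the internet if the machine has a public address. The comment should carry that caveat rather than only the address, e.g. `"listen": "127.0.0.1", // 填 "0.0.0.0" 表示允许来自局域网的连接;此 inbound 未设认证,开放后同网段任意主机都可借用该代理,如需开放请先在 settings 中配置认证(socks 入站支持 auth/accounts)`. Separately, the http inbound's copy of this comment in the next hunk quotes the address as `"0.0.0.0"` while this one writes it bare; the bare form is not a valid JSON value, so both comments should use the quoted form.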
@@ -74,9 +74,9 @@
 "network": "tcp",
 "security": "tls",
 "tlsSettings": {
- "serverName": "", // 证书中包含的域名
+ "serverName": "", // SNI,如果"address"填的是服务端的域名,可留空,如果"address"填的是服务端的IP,此处填服务端的证书中包含的域名
 "allowInsecure": false,
- "fingerprint": "chrome" // 通过 uTLS 库 模拟 Chrome / Firefox / Safari 或随机生成的指纹
+ "fingerprint": "chrome" // 用于配置指定 TLS Client Hello 的指纹,Xray 将通过 uTLS 库 模拟 TLS 指纹,或随机生成
 }
 },
 "tag": "proxy"
@@ -84,6 +84,10 @@
 {
 "protocol": "freedom",
 "tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "tag": "block"
 }
 ]
 }
diff --git a/VLESS-TCP-XTLS-Vision/config_server.json b/VLESS-TCP-XTLS-Vision/config_server.json
index 6ef0bcb..d7c3a82 100644
--- a/VLESS-TCP-XTLS-Vision/config_server.json
+++ b/VLESS-TCP-XTLS-Vision/config_server.json
@@ -16,26 +16,40 @@
 },
 "inbounds": [
 {
- "listen": "0.0.0.0",
- "port": 16387, // 端口
+ "listen": "0.0.0.0", // "0.0.0.0" 表示同时监听IPv4和IPv6
+ "port": 443, // 服务端监听的端口
 "protocol": "vless",
 "settings": {
 "clients": [
 {
- "id": "", // 用户ID
+ "id": "", // 用户ID,执行 xray uuid 生成,或 1-30 字节的字符串
 "flow": "xtls-rprx-vision"
 }
 ],
- "decryption": "none"
+ "decryption": "none",
+ "fallbacks": [
+ {
+ "dest": "8001",
+ "xver": 1
+ },
+ {
+ "alpn": "h2",
+ "dest": "8002",
+ "xver": 1
+ }
+ ]
 },
 "streamSettings": {
 "network": "tcp",
 "security": "tls",
 "tlsSettings": {
+ "rejectUnknownSni": true,
+ "minVersion": "1.2",
 "certificates": [
 {
- "certificateFile": "/etc/ssl/private/fullchain.cer", // 证书
- "keyFile": "/etc/ssl/private/private.key" //私钥
+ "ocspStapling": 3600,
+ "certificateFile": "/etc/ssl/private/fullchain.cer", // 证书文件,建议用fullchain(全SSL证书链),若只有网站证书,会出现v2rayN能使用,v2rayNG不能使用的情况,通常不区分扩展名
+ "keyFile": "/etc/ssl/private/private.key" // 私钥文件
 }
 ]
 }
@@ -58,5 +72,12 @@
 "protocol": "blackhole",
 "tag": "block"
 }
- ]
+ ],
+ "policy": {
+ "levels": {
+ "0": {
+ "handshake": 2, // 连接建立时的握手时间限制,单位为秒,默认值为 4,建议与默认值不同
+ "connIdle": 120 // 连接空闲的时间限制,单位为秒,默认值为 300,建议与默认值不同
+ }
+ }
 }
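Review bot: The new `id` comment in the server inbound offers a "1-30 字节的字符串" as an alternative to a generated UUID, but with `"decryption": "none"` that value is the client's only credential, and a short memorable string is guessable in a way a random UUID is not. The comment should make clear that the string form stands in for the UUID (Xray derives a fixed UUID from it) and must be chosen with the same entropy: `"id": "", // 用户ID,执行 xray uuid 生成;也可填 1-30 字节的字符串(会被固定映射为 UUID),它是唯一的认证凭据,必须足够随机,勿用常见单词`. `rejectUnknownSni` is the one new key in this file added without a comment; since it rejects TLS handshakes whose SNI matches no configured certificate, a line such as `"rejectUnknownSni": true, // 拒绝 SNI 与证书不匹配的 TLS 握手;客户端用 IP 连接时必须填 serverName` would tie it to the matching client-side note on `serverName`.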
diff --git a/VLESS-TCP-XTLS-Vision/nginx.conf b/VLESS-TCP-XTLS-Vision/nginx.conf
new file mode 100644
index 0000000..4f72071
--- /dev/null
+++ b/VLESS-TCP-XTLS-Vision/nginx.conf
@@ -0,0 +1,69 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '[$time_local] $proxy_protocol_addr "$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log main;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+ }
+
+ map $proxy_protocol_addr $proxy_forwarded_elem {
+ ~^[0-9.]+$ "for=$proxy_protocol_addr";
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
+ default "for=unknown";
+ }
+
+ map $http_forwarded $proxy_add_forwarded {
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+ default "$proxy_forwarded_elem";
+ }
+
+ server {
+ listen 80;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 127.0.0.1:8001 proxy_protocol;
+ listen 127.0.0.1:8002 http2 proxy_protocol;
+ set_real_ip_from 127.0.0.1;
+
+ location / {
+ sub_filter $proxy_host $host;
+ sub_filter_once off;
+
+ proxy_pass https://www.lovelive-anime.jp;
+ proxy_set_header Host $proxy_host;
+
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_ssl_server_name on;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Real-IP $proxy_protocol_addr;
+ proxy_set_header Forwarded $proxy_add_forwarded;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ resolver 1.1.1.1;
+ }
+ }
+}
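Review bot: `set_real_ip_from 127.0.0.1;` in the decoy `server` block has no effect, because `real_ip_header` is never set and so defaults to `X-Real-IP`, a header the Xray fallback does not send (the client address arrives in the PROXY protocol header, per `xver: 1` and the `proxy_protocol` listens); `$remote_addr` therefore stays 127.0.0.1 and the `X-Forwarded-For` built from `$proxy_add_x_forwarded_for` reports the loopback address while `X-Real-IP` and `Forwarded` report the real client. Two further gaps in `location /`: nginx does not verify the upstream certificate unless `proxy_ssl_verify on` is set with a trusted CA bundle, so the fetched decoy page can be altered in transit; and `sub_filter` cannot rewrite compressed bodies, yet the client's `Accept-Encoding` is passed through, so the `$proxy_host` rewrite silently does nothing for gzip responses. The additions below address all three; the CA bundle path is distro-specific and must be confirmed.

```nginx
        set_real_ip_from 127.0.0.1;
        real_ip_header proxy_protocol;   # without this set_real_ip_from is a no-op and $remote_addr stays 127.0.0.1

        # … unchanged: location / { sub_filter, proxy_pass, Host, proxy_http_version, proxy_cache_bypass …

            proxy_ssl_server_name on;
            proxy_ssl_verify on;                                               # nginx default is off: upstream cert unchecked
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # distro-specific path, confirm on the host
            proxy_set_header Accept-Encoding "";                               # sub_filter only rewrites uncompressed bodies

            # … unchanged: remaining proxy_set_header lines, timeouts, resolver …
```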