black-internet-days-ahead
/
Xray-examples
mirror of https://github.com/XTLS/Xray-examples.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added more combinations to All-in-One (#107) 

* Added H2 for all protocols, SS-WS and SS-TCP

* added more comments to fallbacks

* update README.md

* added client link examples

* update README.md

* update README.md

* update README

* update README

* typo in domain name

* Switched to latest VISION flow - block private address access by default

* clean up nginx.conf

* added client configurations

* fixed typo in README.md

* client/server UUID mismatch
This commit is contained in:
uzziell 2023-01-11 08:05:01 +03:30 committed by GitHub
parent 648e771c00
commit e374ba0925
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 1037 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
All-in-One-fallbacks-Nginx/README.md
View File

@ -1,41 +1,75 @@
# Xray - All-in-one Configuration + Nginx(decoy website)
The configuration uses xray's `fallbacks` feature to enable these combinations at the same time on port 443:
The configuration uses xray's `fallbacks` feature to enable these **Protocol-Transport** combinations at the same time on port 443:
* HTTPS:443
* Trojan-TCP-TLS
* Trojan-WS-TLS
* Trojan-gRPC-TLS
* Trojan-TCP-XTLS(flow: xtls-rprx-direct)
* Trojan-H2-TLS
* Vless-TCP-XTLS(flow: xtls-rprx-vision)
* Vless-TCP-TLS
* Vless-WS-TLS
* Vless-gRPC-TLS
* Vless-H2-TLS
* VMESS-TCP-TLS
* VMESS-WS-TLS
* VMESS-gRPC-TLS
* VMESS-H2-TLS
* ShadowSocks-TCP-TLS
* ShadowSocks-WS-TLS
* ShadowSocks-gRPC
* ShadowSocks-H2-TLS
Nginx is used to serve a decory website and route gRPC traffic.
[Fallback](https://xtls.github.io/config/features/fallback.html) feature enables an inbound to forward the incoming request to another inbound or another process.
Nginx is used to serve a decoy website to avoid active probing. It's also used to route gRPC traffic(grpc_pass).
## How it works?
The Trojan-TCP-XTLS is the HTTPS entrypoint. For every incoming request after doing TLS-Termination, based on the **Path** or **ALPN type**, the request is passed to another sub-config. For example:
* If the **Path=/vlessws**, the request is passed to **@vless-ws** sub-config.
* If the **Path=/vmtc**, the request is passed to **@vmess-tcp**.
The Vless-TCP-XTLS is the HTTPS entrypoint. For every incoming request after doing TLS-Termination, based on the **Path**, **SNI** or **ALPN type**, the request is passed to another inbound(sub-config). For example:
* If the **Path=/vlessws**, the request is passed to **@vless-ws** inbound.
* If the **Path=/vmtc**, the request is passed to **@vmess-tcp**.
* If **ALPN=HTTP2** and at the same time the **SNI=trh2o.example.com** then the request is passed to **@trojan-h2**.
* In case of **ALPN=HTTP2**, it's first passed to **@trojan-tcp**. In trojan-tcp, if if it's not a valid request(for example the trojan password is wrong), another fallback is set, to once more pass the request to Nginx HTTP2 Unix Domain Socket and a decory website is served. When the request is using HTTP2, it could also be gRPC, so that is also checked in Nginx. This is how a VMESS-gRPC request is processed:
VMESS-gRPC Request ------> Xray Trojan-TCP-XTLS(443) ----**alpn=h2**----> fallback to xray trojan-tcp ------> fallback to nginx /dev/shm/h2c.sock ---**path=/vmgrpc**---> grpc_pass to xray vmess-gRPC listener on 127.0.0.1:3003
VMESS-gRPC Request ------> Xray Vless-TCP-XTLS(443) ----**alpn=h2**----> fallback to xray trojan-tcp ------> fallback to nginx /dev/shm/h2c.sock ---**path=/vmgrpc**---> grpc_pass to xray vmess-gRPC listener on 127.0.0.1:3003
## What to change before use?
* Xray server.json
* **SSL Certificates and keys** absolute paths in Trojan-TCP-XTLS
* **SSL Certificates and keys** absolute paths in Vless-TCP-XTLS (`inbounds[0].streamSettings.xtlsSettings.certificates`)
* **Password** of Trojan and ShadowSocks configs
* **UUID** of Vless and VMESS configs
* **(Optional)** Path of all sub-configs. For **Websocket**->`wsSettings.path`, for **TCP**->`tcpSettings.header.request.path` and for **gRPC**->`grpcSettings.serviceName`.
* **(Optional)** Path of all sub-configs. For **Websocket**-->`wsSettings.path`, for **TCP**-->`tcpSettings.header.request.path`, for **gRPC**-->`grpcSettings.serviceName` and for **H2**-->`httpSettings.path`.
* **(Optional)** The SNIs of H2 fallbacks (`inbounds[0].settings.fallbacks.[].name`) could also be changed but they should be consistent between client and server. (Read the notes on HTTP2 inbounds)
* Nginx nginx.conf
* Domain names
* **(Optional)** If gRPC serviceNames are changed server.json, they **should** also be changed in Nginx config
* **(Optional)** If gRPC serviceNames are changed in server.json, they **should** also be changed in Nginx config
## Notes:
* Tested with **Xray 1.6.1** (Xray, Penetrates Everything.) Custom (go1.19.2 linux/amd64)
* Tested with **Xray 1.7.0** (Xray, Penetrates Everything.) Custom (go1.19.4 linux/amd64)
* For a little better performance, a DNS Cache could be setup (on 127.0.0.53 in this case) and used for resolving DNS queries. To enable xray to use it uncomment the corresponding rule from the `routing.settings.rules` in server.json.
* Multiple domains could be used at the same time, including domains behind cloudflare CDN. (For cloudflare, make sure websocket and gRPC are enabled in Network section). In this configuration these domains are **example.com** and **behindcdn.com**
* Multiple domains could be used at the same time, including domains behind cloudflare CDN. (For cloudflare, make sure websocket and gRPC are enabled in Network section). In this configuration these domains are **example.com** and **behindcdn.com**
* HTTP2 inbounds (Trojan-H2, Vless-H2, VMESS-H2 and ShadowSocks-H2)
* [HTTP2 Transport does not support fallback based on `path`](https://xtls.github.io/config/transports/h2.html#http-2). That's why SNI is used instead.
* It's possible to create a CNAME dns record for all the H2 SNIs and use that as the address of the client config without setting custom SNI on client but it's optinal.
* It is assumed that the **example.com** domain has a **wildcard certificate**. If it's **not** a wildcard certificate or if it's a self-signed certificate, then `streamSettings.tlsSettings.allowInsecure` in the **client configuration** must be `true`.
## Client link examples
| Combination | Link |
| ----------- | ---- |
| Trojan-TCP | `trojan://desdemona99@example.com:443?security=tls&type=tcp#Trojan-TCP` |
| Trojan-WS | `trojan://desdemona99@example.com:443?security=tls&type=ws&path=/trojanws#Trojna-WS` |
| Trojan-gRPC | `trojan://desdemona99@example.com:443?security=tls&type=grpc&serviceName=trgrpc#Trojan-gRPC` |
| Trojan-H2 | `trojan://desdemona99@example.com:443?sni=trh2o.example.com&security=tls&type=http&path=/trh2#Trojan-H2` |
| Vless-TCP | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?security=tls&type=tcp#Vless-TCP` |
| Vless-WS | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?security=tls&type=ws&path=/vlws#Vless-WS` |
| Vless-gRPC | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?security=tls&type=grpc&serviceName=vlgrpc#Vless-gRPC` |
| Vless-H2 | `vless://90e4903e-66a4-45f7-abda-fd5d5ed7f797@example.com:443?sni=vlh2o.example.com&security=tls&type=http&path=/vlh2#Vless-H2` |
| VMESS-TCP | `vmess://ewogICAgImFkZCI6ICJleGFtcGxlLmNvbSIsCiAgICAiYWlkIjogIjAiLAogICAgImhvc3QiOiAiIiwKICAgICJpZCI6ICI5MGU0OTAzZS02NmE0LTQ1ZjctYWJkYS1mZDVkNWVkN2Y3OTciLAogICAgIm5ldCI6ICJ0Y3AiLAogICAgInBhdGgiOiAiL3ZtdGMiLAogICAgInBvcnQiOiAiNDQzIiwKICAgICJwcyI6ICJWTUVTUy1UQ1AiLAogICAgInNjeSI6ICJub25lIiwKICAgICJzbmkiOiAiIiwKICAgICJ0bHMiOiAidGxzIiwKICAgICJ0eXBlIjogImh0dHAiLAogICAgInYiOiAiMiIKfQo=` |
| VMESS-WS | `vmess://ewogICAgImFkZCI6ICJleGFtcGxlLmNvbSIsCiAgICAiYWlkIjogIjAiLAogICAgImhvc3QiOiAiIiwKICAgICJpZCI6ICI5MGU0OTAzZS02NmE0LTQ1ZjctYWJkYS1mZDVkNWVkN2Y3OTciLAogICAgIm5ldCI6ICJ3cyIsCiAgICAicGF0aCI6ICIvdm13cyIsCiAgICAicG9ydCI6ICI0NDMiLAogICAgInBzIjogIlZNRVNTLVdTIiwKICAgICJzY3kiOiAibm9uZSIsCiAgICAic25pIjogIiIsCiAgICAidGxzIjogInRscyIsCiAgICAidHlwZSI6ICIiLAogICAgInYiOiAiMiIKfQo=` |
| VMESS-gRPC | `vmess://ewogICAgImFkZCI6ICJleGFtcGxlLmNvbSIsCiAgICAiYWlkIjogIjAiLAogICAgImhvc3QiOiAiIiwKICAgICJpZCI6ICI5MGU0OTAzZS02NmE0LTQ1ZjctYWJkYS1mZDVkNWVkN2Y3OTciLAogICAgIm5ldCI6ICJncnBjIiwKICAgICJwYXRoIjogInZtZ3JwYyIsCiAgICAicG9ydCI6ICI0NDMiLAogICAgInBzIjogIlZNRVNTLWdSUEMiLAogICAgInNjeSI6ICJub25lIiwKICAgICJzbmkiOiAiIiwKICAgICJ0bHMiOiAidGxzIiwKICAgICJ0eXBlIjogImh0dHAiLAogICAgInYiOiAiMiIKfQo=` |
| VMESS-H2 | `vmess://ewogICAgImFkZCI6ICJleGFtcGxlLmNvbSIsCiAgICAiYWlkIjogIjAiLAogICAgImhvc3QiOiAiIiwKICAgICJpZCI6ICI5MGU0OTAzZS02NmE0LTQ1ZjctYWJkYS1mZDVkNWVkN2Y3OTciLAogICAgIm5ldCI6ICJodHRwIiwKICAgICJwYXRoIjogIi92bWgyIiwKICAgICJwb3J0IjogIjQ0MyIsCiAgICAicHMiOiAiVk1FU1MtSDIiLAogICAgInNjeSI6ICJub25lIiwKICAgICJzbmkiOiAidm1oMm8uZXhhbXBsZS5jb20iLAogICAgInRscyI6ICJ0bHMiLAogICAgInR5cGUiOiAiaHR0cCIsCiAgICAidiI6ICIyIgp9Cg==` |

43
All-in-One-fallbacks-Nginx/client.configs/ShadowSocks-H2-TLS.json Normal file
View File

@ -0,0 +1,43 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"address": "example.com", // Change to you own domain
"port": 443,
"method": "chacha20-ietf-poly1305",
"password": "desdemona99" // Change to you own password
}
]
},
"streamSettings": {
"network": "http",
"httpSettings": {
"path": "/ssh2"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome",
"alpn": ["h2"],
"serverName": "ssh2o.example.com" // Change to ssh2o.yourdomain.tld
}
}
}
]
}

46
All-in-One-fallbacks-Nginx/client.configs/ShadowSocks-TCP-TLS.json Normal file
View File

@ -0,0 +1,46 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"address": "example.com",
"port": 443,
"method": "chacha20-ietf-poly1305",
"password": "desdemona99"
}
]
},
"streamSettings": {
"network": "tcp",
"tcpSettings": {
"header": {
"request": {
"path": ["/sstc"]
},
"type": "http"
}
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

41
All-in-One-fallbacks-Nginx/client.configs/ShadowSocks-WS-TLS.json Normal file
View File

@ -0,0 +1,41 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"address": "example.com", // Change to you own domain
"port": 443,
"method": "chacha20-ietf-poly1305",
"password": "desdemona99" // Change to you own password
}
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/ssws"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

41
All-in-One-fallbacks-Nginx/client.configs/ShadowSocks-gRPC.json Normal file
View File

@ -0,0 +1,41 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "shadowsocks",
"settings": {
"servers": [
{
"address": "example.com",
"port": 443,
"method": "chacha20-ietf-poly1305",
"password": "desdemona99"
}
]
},
"streamSettings": {
"network": "grpc",
"grpcSettings": {
"serviceName": "ssgrpc"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

42
All-in-One-fallbacks-Nginx/client.configs/Trojan-H2-TLS.json Normal file
View File

@ -0,0 +1,42 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "trojan",
"settings": {
"servers": [
{
"address": "example.com",
"port": 443,
"password": "desdemona99"
}
]
},
"streamSettings": {
"network": "http",
"httpSettings": {
"path": "/trh2"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome",
"alpn": ["h2"],
"serverName": "trh2o.example.com" // Change to ssh2o.yourdomain.tld
}
}
}
]
}

38
All-in-One-fallbacks-Nginx/client.configs/Trojan-TCP-TLS.json Normal file
View File

@ -0,0 +1,38 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "trojan",
"settings": {
"servers": [
{
"address": "example.com",
"port": 443,
"password": "desdemona99"
}
]
},
"streamSettings": {
"network": "tcp",
"tcpSettings": {},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

40
All-in-One-fallbacks-Nginx/client.configs/Trojan-WS-TLS.json Normal file
View File

@ -0,0 +1,40 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "trojan",
"settings": {
"servers": [
{
"address": "example.com",
"port": 443,
"password": "desdemona99"
}
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/trojanws"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

40
All-in-One-fallbacks-Nginx/client.configs/Trojan-gRPC-TLS.json Normal file
View File

@ -0,0 +1,40 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "trojan",
"settings": {
"servers": [
{
"address": "example.com",
"port": 443,
"password": "desdemona99"
}
]
},
"streamSettings": {
"network": "grpc",
"grpcSettings": {
"serviceName": "trgrpc"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

48
All-in-One-fallbacks-Nginx/client.configs/VMESS-H2-TLS.json Normal file
View File

@ -0,0 +1,48 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"alterId": 0,
"security": "none"
}
]
}
]
},
"streamSettings": {
"network": "http",
"httpSettings": {
"path": "/vmh2"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome",
"alpn": ["h2"],
"serverName": "vmh2o.example.com" // Change to ssh2o.yourdomain.tld
}
}
}
]
}

51
All-in-One-fallbacks-Nginx/client.configs/VMESS-TCP-TLS.json Normal file
View File

@ -0,0 +1,51 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"alterId": 0,
"security": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"tcpSettings": {
"header": {
"request": {
"path": ["/vmtc"]
},
"type": "http"
}
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

46
All-in-One-fallbacks-Nginx/client.configs/VMESS-WS-TLS.json Normal file
View File

@ -0,0 +1,46 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"alterId": 0,
"security": "none"
}
]
}
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/vmws"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

46
All-in-One-fallbacks-Nginx/client.configs/VMESS-gRPC-TLS.json Normal file
View File

@ -0,0 +1,46 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"alterId": 0,
"security": "none"
}
]
}
]
},
"streamSettings": {
"network": "grpc",
"grpcSettings": {
"serviceName": "vmgrpc"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

47
All-in-One-fallbacks-Nginx/client.configs/Vless-H2-TLS.json Normal file
View File

@ -0,0 +1,47 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "http",
"httpSettings": {
"path": "/vlh2"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome",
"alpn": ["h2"],
"serverName": "vlh2o.example.com" // Change to ssh2o.yourdomain.tld
}
}
}
]
}

50
All-in-One-fallbacks-Nginx/client.configs/Vless-TCP-TLS.json Normal file
View File

@ -0,0 +1,50 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"tcpSettings": {
"header": {
"request": {
"path": ["/vltc"]
},
"type": "http"
}
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

43
All-in-One-fallbacks-Nginx/client.configs/Vless-TCP-XTLS.json Normal file
View File

@ -0,0 +1,43 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"encryption": "none",
"flow": "xtls-rprx-vision"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

45
All-in-One-fallbacks-Nginx/client.configs/Vless-WS-TLS.json Normal file
View File

@ -0,0 +1,45 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/vlws"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

45
All-in-One-fallbacks-Nginx/client.configs/Vless-gRPC-TLS.json Normal file
View File

@ -0,0 +1,45 @@
{
"log": {
"loglevel": "debug"
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": "1080",
"protocol": "socks",
"settings": {
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "example.com",
"port": 443,
"users": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "grpc",
"grpcSettings": {
"serviceName": "vlgrpc"
},
"security": "tls",
"tlsSettings": {
"allowInsecure": false,
"fingerprint": "chrome"
}
}
}
]
}

47
All-in-One-fallbacks-Nginx/nginx.conf
View File

@ -1,3 +1,4 @@
# Restrict access to the website by IP or wrong domain name) and return 400
server {
listen unix:/dev/shm/h1.sock proxy_protocol default_server;
listen unix:/dev/shm/h2c.sock http2 proxy_protocol default_server;
@ -5,38 +6,46 @@ server {
real_ip_header proxy_protocol;
server_name _;
return 400;
} #Restrict domain name access (prohibit access to the website by IP) and return 400
}
# HTTP1 UDS listener
server {
listen unix:/dev/shm/h1.sock proxy_protocol; #HTTP/1.1 server monitor process and enable PROXY protocol reception
listen unix:/dev/shm/h1.sock proxy_protocol; # HTTP/1.1 server monitor process and enable PROXY protocol reception
set_real_ip_from unix:;
real_ip_header proxy_protocol;
server_name examle.com behindcdn.com; #Change to your own domain name(s)
server_name example.com behindcdn.com; # Change to your own domain name(s)
location / {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #启用HSTS
root /var/www/html; #Modify to the path of the WEB file stored by yourself (check the permissions)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # enable HSTS
root /var/www/html; # Modify to the path of the WEB file stored by yourself (check the permissions)
index index.html index.htm;
}
}
# HTTP2 UDS listener
server {
listen unix:/dev/shm/h2c.sock http2 proxy_protocol; #H2C server monitor process and enable PROXY protocol reception
listen unix:/dev/shm/h2c.sock http2 proxy_protocol; # H2C server monitor process and enable PROXY protocol reception
set_real_ip_from unix:;
real_ip_header proxy_protocol;
server_name examle.com behindcdn.com; #Change to your own domain name(s) (don't forget to add the certificates to xray config)
server_name example.com behindcdn.com; # Change to your own domain name(s) (don't forget to add the certificates to xray config)
# grpc settings
grpc_read_timeout 1h;
grpc_send_timeout 1h;
grpc_set_header X-Real-IP $remote_addr;
# Decoy website
location / {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # enable HSTS
root /var/www/html; # Modify to the path of the WEB file stored by yourself (check the permissions)
index index.html index.htm;
}
location /trgrpc { #corresponds to serviceName in trojan-grpc config of xray
# POST returns 404 when negotiation fails
if ($request_method != "POST") {
return 404;
} #POST returns 404 when negotiation fails
}
client_body_buffer_size 1m;
client_body_timeout 1h;
client_max_body_size 0;
@ -44,10 +53,11 @@ server {
}
location /vlgrpc { #corresponds to serviceName in vless-grpc config of xray
location /vlgrpc { # corresponds to serviceName in vless-grpc config of xray
# return 404 if HTTP Method is not POST
if ($request_method != "POST") {
return 404;
} #POST returns 404 when negotiation fails
}
client_body_buffer_size 1m;
client_body_timeout 1h;
client_max_body_size 0;
@ -55,10 +65,11 @@ server {
}
location /vmgrpc { #corresponds to serviceName in vmess-grpc config of xray
location /vmgrpc { # corresponds to serviceName in vmess-grpc config of xray
# return 404 if HTTP Method is not POST
if ($request_method != "POST") {
return 404;
} #POST returns 404 when negotiation fails
}
client_body_buffer_size 1m;
client_body_timeout 1h;
client_max_body_size 0;
@ -66,20 +77,14 @@ server {
}
location /ssgrpc { #corresponds to serviceName in shadowsocks-grpc config of xray
location /ssgrpc { # corresponds to serviceName in shadowsocks-grpc config of xray
# return 404 if HTTP Method is not POST
if ($request_method != "POST") {
return 404;
} #POST returns 404 when negotiation fails
}
client_body_buffer_size 1m;
client_body_timeout 1h;
client_max_body_size 0;
grpc_pass grpc://127.0.0.1:3004;
}
# Decoy website
location / {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #HSTS
root /var/www/html; # Modify to the path of the WEB file stored by yourself (check the permissions)
index index.html index.htm;
}
}

238
All-in-One-fallbacks-Nginx/server.json
View File

@ -4,26 +4,54 @@
},
"inbounds": [
{
"tag": "Vless-TCP-XTLS",
"port": 443, // This is TLS entrypoint. This entrypoint does the SSL Termination then routes the request based on the Path or ALPN type.
"protocol": "trojan",
"protocol": "vless",
"settings": {
"clients": [
{
"password": "desdemona99",
"flow": "xtls-rprx-direct" //To enable XTLS Direct, this configuration must be added; otherwise, delete it. V2Ray has deleted the XTLS application since version v4.33.0. If you want to use this application, it is recommended to choose Xray.
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"flow": "xtls-rprx-vision"
// "flow": "xtls-rprx-direct"
}
],
"decryption": "none",
"fallbacks": [
// H2
{
// if the path was `/vlessws`, pass it to vless-ws listener
"path": "/vlessws",
// if the SNI was `trh2o.EXAMPLE.COM` and `alpn=h2`, pass it to trojan-h2 listener
"name": "trh2o.example.com",
"alpn": "h2",
"dest": "@trojan-h2"
},
{
// if the SNI was `vlh2o.EXAMPLE.COM` and `alpn=h2`, pass it to vless-h2 listener
"name": "vlh2o.example.com",
"alpn": "h2",
"dest": "@vless-h2"
},
{
// if the SNI was `vmh2o.EXAMPLE.COM` and `alpn=h2`, pass it to vmess-h2 listener
"name": "vmh2o.example.com",
"alpn": "h2",
"dest": "@vmess-h2"
},
{
// if the SNI was `ssh2o.EXAMPLE.COM` and `alpn=h2`, pass it to shadowsocks-h2 listener
"name": "ssh2o.example.com",
"alpn": "h2",
"dest": 4003
},
// Websocket
{
// if the path was `/vlws`, pass it to vless-ws listener
"path": "/vlws",
"dest": "@vless-ws",
"xver": 2 //Enable the sending of the PROXY protocol, and send the real source IP and port to the following vmess+ws application. 1 or 2 indicates the PROXY protocol version. Consistent with the following, it is recommended to configure 2.
},
{
// if the path was `/vmessws`, pass it to vmess-ws listener
"path": "/vmessws",
// if the path was `/vmws`, pass it to vmess-ws listener
"path": "/vmws",
"dest": "@vmess-ws",
"xver": 2
},
@ -33,6 +61,12 @@
"dest": "@trojan-ws",
"xver": 2
},
{
// if the path was `/ssws`, pass it to port 4001 (shadowsocks-ws listener)
"path": "/ssws",
"dest": 4001
},
// TCP + http obfs
{
// if the path was `/vltc`, pass it to vless-tcp listener
"path": "/vltc",
@ -45,6 +79,11 @@
"dest": "@vmess-tcp",
"xver": 2
},
{
// if the path was `/sstc`, pass it to port 4002 (shadowsocks-tcp listener)
"path": "/sstc",
"dest": 4002
},
{
// if the request's ALPN was HTTP2, pass it to trojan-tcp. (Also from trojan-tcp fallback to Nginx HTTP2)
"alpn": "h2",
@ -60,9 +99,11 @@
},
"streamSettings": {
"network": "tcp",
"security": "xtls", //If XTLS Direct is enabled, tls must be changed to xtls; otherwise, tls will be restored.
"xtlsSettings": {
//If XTLS Direct is enabled, tlsSettings must be changed to xtlsSettings; otherwise, restore tlsSettings.
// If XTLS Vision is enabled, "security" must be "tls"
// If XTLS Direct is enabled, "security" must be "xtls"
"security": "tls",
// If XTLS Direct is enabled, "tlsSettings" should also be changed to "xtlsSettings"
"tlsSettings": {
"certificates": [
{
"ocspStapling": 3600, //The Xray version is not less than v1.3.0 to support configuring the time interval between OCSP stapling update and certificate hot reload. Currently V2Ray does not support it. If you use V2Ray as the server, you must delete this configuration.
@ -90,7 +131,7 @@
}
},
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// WebSocket (VLESS - VMESS - TROJAN) //
// WebSocket (VLESS - VMESS - TROJAN - ShadowSocks) //
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
{
"listen": "@vless-ws",
@ -108,7 +149,7 @@
"security": "none",
"wsSettings": {
"acceptProxyProtocol": true,
"path": "/vlessws"
"path": "/vlws"
}
},
"sniffing": {
@ -132,7 +173,7 @@
"security": "none",
"wsSettings": {
"acceptProxyProtocol": true,
"path": "/vmessws"
"path": "/vmws"
}
},
"sniffing": {
@ -146,7 +187,7 @@
"settings": {
"clients": [
{
"password": "desdemona99" //Change to your own password
"password": "desdemona99"
}
]
},
@ -163,8 +204,29 @@
"destOverride": ["http", "tls"]
}
},
{
"tag": "shadowsocks-ws",
"listen": "127.0.0.1",
"port": 4001,
"protocol": "shadowsocks",
"settings": {
"method": "chacha20-ietf-poly1305",
"password": "desdemona99"
},
"streamSettings": {
"network": "ws",
"security": "none",
"wsSettings": {
"path": "/ssws"
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
},
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// TCP + http obfs (VLESS - VMESS - TROJAN) //
// TCP + http obfs (VLESS - VMESS - TROJAN - ShadowSocks) //
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
{
"listen": "@trojan-tcp", //trojan+tcp listening process
@ -172,7 +234,7 @@
"settings": {
"clients": [
{
"password": "desdemona99" //Change to your own password
"password": "desdemona99"
}
],
"fallbacks": [
@ -256,6 +318,32 @@
"destOverride": ["http", "tls"]
}
},
{
"tag": "shadowsocks-tcp",
"listen": "127.0.0.1",
"port": 4002,
"protocol": "shadowsocks",
"settings": {
"method": "chacha20-ietf-poly1305",
"password": "desdemona99"
},
"streamSettings": {
"network": "tcp",
"security": "none",
"tcpSettings": {
"header": {
"type": "http",
"request": {
"path": ["/sstc"]
}
}
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
},
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// GRPC (VLESS - VMESS - TROJAN - SHADOWSOCKS) (Nginx routes to them based on `serviceName`(HTTP2 Path) ) //
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@ -341,9 +429,98 @@
"enabled": true,
"destOverride": ["http", "tls"]
}
}//,
},
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// H2 (VLESS - VMESS - TROJAN - SHADOWSOCKS) //
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
{
"listen": "@trojan-h2",
"protocol": "trojan",
"settings": {
"clients": [
{
"password": "desdemona99"
}
]
},
"streamSettings": {
"network": "h2",
"security": "none",
"httpSettings": {
"path": "/trh2"
}
}
},
{
"listen": "@vless-h2",
"protocol": "vless",
"settings": {
"clients": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797" //Change to your own UUID
}
],
"decryption": "none"
},
"streamSettings": {
"network": "h2",
"security": "none",
"httpSettings": {
"path": "/vlh2"
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
},
{
"listen": "@vmess-h2",
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797",
"level": 0
}
]
},
"streamSettings": {
"network": "h2",
"security": "none",
"httpSettings": {
"path": "/vmh2"
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
},
{
"tag": "shadowsocks-h2",
"listen": "127.0.0.1",
"port": 4003,
"protocol": "shadowsocks",
"settings": {
"method": "chacha20-ietf-poly1305",
"password": "desdemona99", //Change to your own password
"email": "2011@gmail.com"
},
"streamSettings": {
"network": "h2",
"security": "none",
"httpSettings": {
"path": "/ssh2"
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
} //,
// {
// "port": 80, // this is http entrypoint
// "port": 80, // this is http entrypoint, uncomment to enable vless-ws, vless-tcp, vmess-ws, v,ess-tcp, shadowwsocks-ws and shadowsocks-tcp on HTTP
// "protocol": "vless",
// "settings": {
// "clients": [
@ -353,12 +530,12 @@
// ],
// "fallbacks": [
// {
// "path": "/vlessws",
// "path": "/vlws",
// "dest": "@vless-ws",
// "xver": 2
// },
// {
// "path": "/vmessws",
// "path": "/vmws",
// "dest": "@vmess-ws", // the same vmess-ws used in 443 TLS entrypint is used here as well
// "xver": 2
// },
@ -375,6 +552,14 @@
// {
// "dest": "/dev/shm/h1.sock", // defaults to Nginx HTTP1.1 listener
// "xver": 2
// },
// {
// "path": "/ssws",
// "dest": 4001
// },
// {
// "path": "/sstc",
// "dest": 4002
// }
// ],
// "decryption": "none"
@ -413,16 +598,17 @@
"settings": {
"rules": [
// {
// "type": "field",
// "outboundTag": "blackhole",
// "ip": ["geoip:private"]
// },
// { DNS Cache rule
// // DNS Cache rule
// "type": "field",
// "port": 53,
// "network": "tcp,udp",
// "outboundTag": "DNS-Internal"
// },
{
"type": "field",
"outboundTag": "blackhole",
"ip": ["geoip:private"]
},
{
"type": "field", // Block BitTorrent protocol
"outboundTag": "blackhole",
@ -431,4 +617,4 @@
]
}
}
}
}