{ "log": { "loglevel": "info" }, "api": { "services": [ "HandlerService", "LoggerService", "StatsService" ], "tag": "api" }, "stats": {}, "policy": { "levels": { "0": { "statsUserUplink": true, "statsUserDownlink": true } }, "system": { "statsInboundUplink": true, "statsInboundDownlink": true, "statsOutboundUplink": true, "statsOutboundDownlink": true } }, "inbounds": [ { "listen": "127.0.0.1", "port": 62789, "protocol": "dokodemo-door", "settings": { "address": "127.0.0.1" }, "tag": "api", "sniffing": null }, { "tag": "Vless-TCP-XTLS", "port": 443, // This is TLS entrypoint. This entrypoint does the SSL Termination then routes the request based on the Path or ALPN type. "protocol": "vless", "settings": { "clients": [ { "email": "general@vless-tcp-xtls", //Change to your own email "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own email "flow": "xtls-rprx-vision", "level": 0 // "flow": "xtls-rprx-direct" } ], "decryption": "none", "fallbacks": [ // H2 { // if the SNI was `trh2o.EXAMPLE.COM` and `alpn=h2`, pass it to trojan-h2 listener "name": "trh2o.example.com", "alpn": "h2", "dest": "@trojan-h2" }, { // if the SNI was `vlh2o.EXAMPLE.COM` and `alpn=h2`, pass it to vless-h2 listener "name": "vlh2o.example.com", "alpn": "h2", "dest": "@vless-h2" }, { // if the SNI was `vmh2o.EXAMPLE.COM` and `alpn=h2`, pass it to vmess-h2 listener "name": "vmh2o.example.com", "alpn": "h2", "dest": "@vmess-h2" }, { // if the SNI was `ssh2o.EXAMPLE.COM` and `alpn=h2`, pass it to shadowsocks-h2 listener "name": "ssh2o.example.com", "alpn": "h2", "dest": 4003 }, // Websocket { // if the path was `/vlws`, pass it to vless-ws listener "path": "/vlws", "dest": "@vless-ws", "xver": 2 //Enable the sending of the PROXY protocol, and send the real source IP and port to the following vmess+ws application. 1 or 2 indicates the PROXY protocol version. Consistent with the following, it is recommended to configure 2. }, { // if the path was `/vmws`, pass it to vmess-ws listener "path": "/vmws", "dest": "@vmess-ws", "xver": 2 }, { // if the path was `/trojanws`, pass it to trojan-ws listener "path": "/trojanws", "dest": "@trojan-ws", "xver": 2 }, { // if the path was `/ssws`, pass it to port 4001 (shadowsocks-ws listener) "path": "/ssws", "dest": 4001 }, // TCP + http obfs { // if the path was `/vltc`, pass it to vless-tcp listener "path": "/vltc", "dest": "@vless-tcp", "xver": 2 }, { // if the path was `/vmtc`, pass it to vmess-tcp listener "path": "/vmtc", "dest": "@vmess-tcp", "xver": 2 }, { // if the path was `/sstc`, pass it to port 4002 (shadowsocks-tcp listener) "path": "/sstc", "dest": 4002 }, { // if the request's ALPN was HTTP2, pass it to trojan-tcp. (Also from trojan-tcp fallback to Nginx HTTP2) "alpn": "h2", "dest": "@trojan-tcp", "xver": 2 }, { // if not any other condition, pass it to Nginx HTTP1.1 listener "dest": "/dev/shm/h1.sock", "xver": 2 } ] }, "streamSettings": { "network": "tcp", // If XTLS Vision is enabled, "security" must be "tls" // If XTLS Direct is enabled, "security" must be "xtls" "security": "tls", // If XTLS Direct is enabled, "tlsSettings" should also be changed to "xtlsSettings" "tlsSettings": { "certificates": [ { "ocspStapling": 3600, //The Xray version is not less than v1.3.0 to support configuring the time interval between OCSP stapling update and certificate hot reload. Currently V2Ray does not support it. If you use V2Ray as the server, you must delete this configuration. "certificateFile": "/etc/ssl/example.com/domain.pem", // this is te fullchain (domain + any bundle). Make sure the permissions are correct (absolute path) "keyFile": "/etc/ssl/example.com/domain-key.pem" // this is the private key of the cert. Make sure the permissions are correct (absolute path) }, { // more domains and therefore more certificates can be added to this `certificates` list "ocspStapling": 3600, "certificateFile": "/etc/ssl/behindcdn.com/domain.pem", "keyFile": "/etc/ssl/behindcdn.com/domain-key.pem" } ], "minVersion": "1.2", //Xray version is not less than v1.1.4 to support configuring the minimum TLS version. Currently V2Ray does not support it. If you use V2Ray as the server, you must delete this configuration. "cipherSuites": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", //Xray版本不小于v1.1.4才支持配置密码套件(若无RSA证书,可删除所有RSA算法的密码套件;无ECC证书, to remove cipher suites for all ECDSA algorithms.). Currently V2Ray does not support it. If you use V2Ray as the server, you must delete this configuration. "alpn": [ "h2", //Enabling h2 connection needs to configure h2 fallback, otherwise inconsistency (streaking) is easily detected by the wall and blocked. "http/1.1" //Enabling http/1.1 connection needs to configure http/1.1 fallback, otherwise inconsistency (streaking) is easily detected by the wall and blocked. ] } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // WebSocket (VLESS - VMESS - TROJAN - ShadowSocks) // //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// { "listen": "@vless-ws", "protocol": "vless", "settings": { "clients": [ { "email":"general@vless-ws", //Change to your own email "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own UUID "level": 0 } ], "decryption": "none" }, "streamSettings": { "network": "ws", "security": "none", "wsSettings": { "acceptProxyProtocol": true, "path": "/vlws" } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, { "listen": "@vmess-ws", "protocol": "vmess", "settings": { "clients": [ { "email": "general@vmess-ws", "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", "level": 0 } ] }, "streamSettings": { "network": "ws", "security": "none", "wsSettings": { "acceptProxyProtocol": true, "path": "/vmws" } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, { "listen": "@trojan-ws", //trojan+ws listener process "protocol": "trojan", "settings": { "clients": [ { "email":"general@trojan-ws", "password": "desdemona99", "level": 0 } ] }, "streamSettings": { "network": "ws", "security": "none", "wsSettings": { "acceptProxyProtocol": true, //Enable PROXY protocol reception, receive the real source IP and port "path": "/trojanws" //Change to your own path } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, { "tag": "shadowsocks-ws", "listen": "127.0.0.1", "port": 4001, "protocol": "shadowsocks", "settings": { "email":"general@shadowsocks-ws", "method": "chacha20-ietf-poly1305", "password": "desdemona99", "level": 0 }, "streamSettings": { "network": "ws", "security": "none", "wsSettings": { "path": "/ssws" } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // TCP + http obfs (VLESS - VMESS - TROJAN - ShadowSocks) // //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// { "listen": "@trojan-tcp", //trojan+tcp listening process "protocol": "trojan", "settings": { "clients": [ { "email":"general@trojan-tcp", "password": "desdemona99", "level": 0 } ], "fallbacks": [ { // if it was not a valid trojan reuqest, for example the trojan password was wrong, pass it to the NGINX HTTP2 cleartext UDS "dest": "/dev/shm/h2c.sock", "xver": 2 //Enable PROXY protocol sending, and send the real source IP and port to Nginx. 1 or 2 indicates the PROXY protocol version. Consistent with the above, configuration 2 is recommended. } ] }, "streamSettings": { "network": "tcp", "security": "none", "tcpSettings": { "acceptProxyProtocol": true //Enable PROXY protocol reception, receive the real source IP and port before vless+tcp+tls fallback. } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, { "listen": "@vless-tcp", "protocol": "vless", "settings": { "clients": [ { "email":"general@vless-tcp", "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", "level": 0 } ], "decryption": "none" }, "streamSettings": { "network": "tcp", "security": "none", "tcpSettings": { "acceptProxyProtocol": true, "header": { "type": "http", "request": { "path": [ "/vltc" ] } } } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, { "listen": "@vmess-tcp", "protocol": "vmess", "settings": { "clients": [ { "email":"general@vmess-tcp", "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", "level": 0 } ] }, "streamSettings": { "network": "tcp", "security": "none", "tcpSettings": { "acceptProxyProtocol": true, "header": { "type": "http", "request": { "path": [ "/vmtc" ] //, // "headers": { // "Host": ["www.varzesh3.com"] // } } } } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, { "tag": "shadowsocks-tcp", "listen": "127.0.0.1", "port": 4002, "protocol": "shadowsocks", "settings": { "method": "chacha20-ietf-poly1305", "password": "desdemona99", "email": "general@shadowsocks-tcp", "level":0 }, "streamSettings": { "network": "tcp", "security": "none", "tcpSettings": { "header": { "type": "http", "request": { "path": [ "/sstc" ] } } } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // GRPC (VLESS - VMESS - TROJAN - SHADOWSOCKS) (Nginx routes to them based on `serviceName`(HTTP2 Path) ) // //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// { "tag": "trojan-grpc", "listen": "127.0.0.1", // listen on localhost "port": 3001, "protocol": "trojan", "settings": { "clients": [ { "email": "general@trojan-grpc", "password": "desdemona99", "level":0 } ] }, "streamSettings": { "network": "grpc", "security": "none", "grpcSettings": { "serviceName": "trgrpc" } } }, { "tag": "vless-grpc", "listen": "127.0.0.1", // listen on localhost "port": 3002, "protocol": "vless", "settings": { "clients": [ { "email":"general@vless-grpc", "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", "level": 0 } ], "decryption": "none" }, "streamSettings": { "network": "grpc", "security": "none", "grpcSettings": { "serviceName": "vlgrpc" } } }, { "tag": "vmess-grpc", "listen": "127.0.0.1", // listen on localhost "port": 3003, "protocol": "vmess", "settings": { "clients": [ { "email":"general@vmess-grpc", "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own UUID "level": 0 } ] }, "streamSettings": { "network": "grpc", "security": "none", "grpcSettings": { "serviceName": "vmgrpc" } } }, { "listen": "127.0.0.1", //Only listen on localhost "port": 3004, "protocol": "shadowsocks", "settings": { "method": "chacha20-ietf-poly1305", "password": "desdemona99", //Change to your own password "email": "2011@gmail.com" }, "streamSettings": { "network": "grpc", "security": "none", "grpcSettings": { "serviceName": "ssgrpc" //Change to your own gRPC service name, similar to Path in HTTP/2. } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // H2 (VLESS - VMESS - TROJAN - SHADOWSOCKS) // //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// { "listen": "@trojan-h2", "protocol": "trojan", "settings": { "clients": [ { "email":"general@trojan-h2", "password": "desdemona99", "level": 0 } ] }, "streamSettings": { "network": "h2", "security": "none", "httpSettings": { "path": "/trh2" } } }, { "listen": "@vless-h2", "protocol": "vless", "settings": { "clients": [ { "email":"general@vless-h2", //Change to your own email "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", //Change to your own UUID "level": 0 } ], "decryption": "none" }, "streamSettings": { "network": "h2", "security": "none", "httpSettings": { "path": "/vlh2" } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, { "listen": "@vmess-h2", "protocol": "vmess", "settings": { "clients": [ { "email":"general@vmess-h2", "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797", "level": 0 } ] }, "streamSettings": { "network": "h2", "security": "none", "httpSettings": { "path": "/vmh2" } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } }, { "tag": "shadowsocks-h2", "listen": "127.0.0.1", "port": 4003, "protocol": "shadowsocks", "settings": { "method": "chacha20-ietf-poly1305", "password": "desdemona99", //Change to your own password "email": "general@shadowsocks-h2", "level": 0 }, "streamSettings": { "network": "h2", "security": "none", "httpSettings": { "path": "/ssh2" } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] } } //, // { // "port": 80, // this is http entrypoint, uncomment to enable vless-ws, vless-tcp, vmess-ws, v,ess-tcp, shadowwsocks-ws and shadowsocks-tcp on HTTP // "protocol": "vless", // "settings": { // "clients": [ // { // "id": "90e4903e-66a4-45f7-abda-fd5d5ed7f797" // } // ], // "fallbacks": [ // { // "path": "/vlws", // "dest": "@vless-ws", // "xver": 2 // }, // { // "path": "/vmws", // "dest": "@vmess-ws", // the same vmess-ws used in 443 TLS entrypint is used here as well // "xver": 2 // }, // { // "path": "/vltc", // "dest": "@vless-tcp", // "xver": 2 // }, // { // "path": "/vmtc", // "dest": "@vmess-tcp", // "xver": 2 // }, // { // "dest": "/dev/shm/h1.sock", // defaults to Nginx HTTP1.1 listener // "xver": 2 // }, // { // "path": "/ssws", // "dest": 4001 // }, // { // "path": "/sstc", // "dest": 4002 // } // ], // "decryption": "none" // }, // "streamSettings": { // "network": "tcp", // "security": "none" // }, // "sniffing": { // "enabled": true, // "destOverride": ["http", "tls"] // } // } ], "outbounds": [ { "protocol": "freedom", "settings": {} }, { "protocol": "blackhole", "tag": "blocked" }, { // A DNS Cache can be setup and added here to imporve performance (the corresponding rule should be uncommented) "tag": "DNS-Internal", "protocol": "dns", "settings": { "address": "127.0.0.53", "port": 53 } } ], "routing": { "domainStrategy": "AsIs", "rules": [ { "inboundTag": [ "api" ], "outboundTag": "api", "type": "field" }, // { // // DNS Cache rule // "type": "field", // "port": 53, // "network": "tcp,udp", // "outboundTag": "DNS-Internal" // }, { "type": "field", "outboundTag": "blocked", "ip": [ "geoip:private" ] }, { "type": "field", // Block BitTorrent protocol "outboundTag": "blocked", "protocol": [ "bittorrent" ] } ] } }