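Honestly, I think XTLS is a stroke of genius: of the original two layers of HTTPS encryption, one is simply cut away, and the HTTPS traffic that arrives is now forwarded directly, which neatly solves the tension between encryption security and decryption cost. Bravo!
(Actually, I don't really understand why I needed to upgrade the existing setup, probably out of OCD OwO, but it feels great once the upgrade is done!)
OK, enough chatter. If you understand what I'm talking about, just copy the code and run it. Since Xray officially recommends a fairly recent system, this code has only been tested on Debian 11.
—— Installation ——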
apt -y update
apt -y install certbot
certbot certonly --standalone --agree-tos -d YOUR_DOMAIN --server https://api.buypass.com/acme/directory
apt -y install curl git nginx libnginx-mod-stream
If an old V2ray version is installed, remove it first (ignore this part on a freshly installed machine)
rm -rf /usr/bin/v2ray /var/log/v2ray /etc/v2ray /etc/systemd/system/v2ray.service
systemctl daemon-reload
Install Xray
bash <(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)
Modify the default Nginx configuration
nano /etc/nginx/nginx.conf
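Add the following forwarding module at the bottom of the configuration file.
(I forgot the details of how the fallback and traffic splitting work once I had it set up, and I don't want to look at them again, but the configuration below is compatible with a website; take it if you need it.)
# stream module settings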
stream {
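# SNI detection: map each domain name to a configuration name
map $ssl_preread_server_name $stream_map {
YOUR_WEBSITE_DOMAIN web;
YOUR_PROXY_DOMAIN beforextls; # note: change this yourself
}
# upstream, i.e. the configuration of the upstream targets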
upstream beforextls {
server 127.0.0.1:7999;
}
upstream xtls {
server 127.0.0.1:50000; # your XTLS port
}
upstream web {
server 127.0.0.1:443;
}
# the stream module listens on port 443 of the server's public IP and multiplexes the port
server {
listen YOUR_PUBLIC_IP:443 reuseport; # note: change this yourself
proxy_pass $stream_map;
ssl_preread on;
proxy_protocol on; # enable Proxy protocol
}
server {
listen 127.0.0.1:7999 proxy_protocol; # enable Proxy protocol
proxy_pass xtls; # use the real XTLS as the upstream; this layer is the "matchmaker" that talks to XTLS
}
}
Generate a random UUID and edit the Xray configuration file
cat /proc/sys/kernel/random/uuid
nano /usr/local/etc/xray/config.json
Change the configuration file to the following
{
"log": {
"loglevel": "warning",
"access": "/var/log/xray/access.log",
"error": "/var/log/xray/error.log"
},
"inbounds": [
{
"port": 50000,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "", // fill in your UUID
"flow": "xtls-rprx-direct",
"level": 0
}
],
"decryption": "none",
"fallbacks": [
{
"dest": 80,
"xver": 1
},
{
"path": "/python3", // must be replaced with a custom PATH
"dest": 50003,
"xver": 1
}
]
},
"streamSettings": {
"network": "tcp",
"security": "xtls",
"xtlsSettings": {
"alpn": [
"http/1.1"
],
"certificates": [
{
"certificateFile": "/usr/local/etc/xray/fullchain.pem",
"keyFile": "/usr/local/etc/xray/privkey.pem"
}
]
}
}
},
{
"port": 50001,
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "" // fill in your UUID
}
]
},
"streamSettings": {
"network": "tcp"
}
},
{
"port": 50002,
"protocol": "vless",
"settings": {
"decryption":"none",
"clients": [
{
"id": "" // fill in your UUID
}
]
},
"streamSettings": {
"network": "kcp",
"kcpSettings": {
"mtu": 1350,
"tti": 20,
"uplinkCapacity": 5,
"downlinkCapacity": 20,
"congestion": false,
"readBufferSize": 1,
"writeBufferSize": 1,
"header": {
"type": "none"
},
"seed": "" // fill in your KCP password
}
}
},
{
"port": 50005,
"protocol": "shadowsocks",
"settings": {
"clients": [
{
"password": "", // fill in your SS password
"method": "chacha20-ietf-poly1305"
}
],
"network": "tcp,udp"
}
}
],
"outbounds": [
{
"protocol": "freedom"
}
]
}
Copy the certificate generated earlier to the corresponding location and change its ownership
cp /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem /usr/local/etc/xray/fullchain.pem
cp /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem /usr/local/etc/xray/privkey.pem
chown nobody:nogroup /usr/local/etc/xray/fullchain.pem
chown nobody:nogroup /usr/local/etc/xray/privkey.pem
Test whether the configuration file is valid
xray -config /usr/local/etc/xray/config.json -test
systemctl restart nginx
systemctl restart xray
systemctl status xray
If none of that reports a problem, you're done!
(The small extras below can be ignored if you don't need them.)
—— Enable BBR ——
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
lsmod | grep bbr
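— Probe camouflage —
You can still put up a server probe page as camouflage
# This step probably requires PHP; install the PHP components yourself first
# Enter the site directory and fetch the probe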
cd /
wget https://github.com/kmvan/x-prober/raw/master/dist/prober.php
# Rename it and reload Nginx
mv ./prober.php ./index.php
systemctl reload nginx
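Thanks for reading, I hope this helps~
Hi blogger, I find even copying the code and installing it hard. Could you help me install it on my computer sometime, or teach me step by step?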