github
/
Xray-docs-next
mirror of https://github.com/XTLS/Xray-docs-next
1
0
Fork 0
Code Issues Releases Wiki Activity

Translate into English (#368) 

* Translate into English

* Translate to English

* Translate dev into English

* Translate dev, second edition

* Translating dev, doc, second edition
pull/375/head
Kevin Amiri 2023-05-15 01:35:07 +02:00 committed by GitHub
parent b2163bd50a
commit 46bccd3fdb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 1381 additions and 1329 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
docs/en/README.md
View File

@ -2,90 +2,90 @@
home: true
heroImage: /LogoX2.png
heroText: Project X
tagline: 不畏浮云遮望眼 · 金睛如炬耀苍穹
tagline: Fear not the clouds that obscure the view, golden eyes like a torch brighten the sky
actions:
- text: 由此开始
- text: Start here
link: /document/
type: primary
- text: 配置指南
- text: Configuration guide
link: /config/
type: secondary
features:
- title: 极速协议
details: 原创 VLESS 与 XTLS 协议摆脱冗余加密释放CPU算力
- title: High-speed protocol
details: Original VLESS and XTLS protocols, free from redundant encryption, release CPU power
- title: 自由组合
- title: Free combination
details: |
完善的回落机制,有效防止主动探测,多服务共享端口
Perfect fallback mechanism, effectively prevent active detection, multi-service sharing ports
- title: 超低占用
- title: Ultra-low occupancy
details: |
OpenWRT RaspberryPi 等各种精简设备皆可使用
OpenWRT RaspberryPi and other simplified devices can be used
- title: 强大路由
- title: Powerful routing
details: |
高可定制化的路由系统,满足各类使用需求,充分发挥网络性能
Highly customizable routing system to meet various usage requirements and fully exploit network performance
- title: 完整兼容
- title: Full compatibility
details: |
完整兼容 v2ray-core 配置文件与 API 调用
Fully compatible with v2ray-core configuration files and API calls
- title: 亲和力
- title: Affinity
details: |
活跃的社区讨论及贡献MPL 2.0 开源许可协议
Active community discussions and contributions, MPL 2.0 open source license
footer: Licensed under CC-BY-SA 4.0 | Copyright 2020-Present Project X Community
---
## XTLS ? Xray ? V2Ray ?
## XTLS? Xray? V2Ray?
**XTLS are brilliant ideas for TLS we study, while Xray is the best practice we maintain.**
- Xray-core 是 v2ray-core 的超集,含更好的整体性能和 XTLS 等一系列增强,且~~完全~~兼容 v2ray-core 的功能及配置。
- 只有一个可执行文件,含 ctl 的功能run 为默认指令
- 配置上~~完全~~兼容,环境变量和 API 对应要改为以 XRAY\_ 开头
- 全平台开放了裸协议的 ReadV
- 提供完整的 VLESS & Trojan XTLS 支持,均有 ReadV
- 提供了 XTLS 多种流控模式, 性能一骑绝尘!
- Xray-core is a superset of v2ray-core, with better overall performance and enhancements such as XTLS, and it's~~completely~~compatible with v2ray-core functionality and configuration.
- Only one executable file, including ctl functionality, run is the default command
- Configuration is~~completely~~compatible, environment variables and API calls need to be changed to start with XRAY\_
- Exposed raw protocol's ReadV on all platforms
- Provides complete VLESS & Trojan XTLS support, both with ReadV
- Provides multiple XTLS flow control modes, unrivaled performance!
> “配置兼容,整体更好”
> "Configuration compatible, overall better"
### 我们是谁?
### Who are we?
> **It doesn't matter who we are. What matters is that we will keep riding and never look back.**
### 帮助 Xray 变得更强
### Help Xray become stronger
欢迎帮助 Xray 变得更强!
Welcome to help Xray become stronger!
- 🖥️ 帮助开发和测试 Xray, 提交高质量的 Pull request.
- 📩 在 [GitHub Issues](https://github.com/XTLS/Xray-core/issues) 或 [讨论区](https://github.com/XTLS/Xray-core/discussions)发起建设性或有意义的 issue 与 discussion.
- 📝 写下您的使用心得并提交至 Xray 的 [文档网站](https://github.com/XTLS/Xray-docs-next).
- 💬 在 Telegram 群帮助群友/灌水.
- **...事实上,每一份对 Xray 的支持都会让 Xray 变得更强大**
- 🖥️ Help develop and test Xray, submit high-quality Pull requests.
- 📩 Initiate constructive or meaningful issues and discussions in [GitHub Issues](https://github.com/XTLS/Xray-core/issues) or [Discussion area](https://github.com/XTLS/Xray-core/discussions).
- 📝 Write down your usage experience and submit it to Xray's [documentation website](https://github.com/XTLS/Xray-docs-next).
- 💬 Help group members/chat in Telegram group.
- **...In fact, every support for Xray will make Xray stronger**
### Telegram
- [Project X 交流群](https://t.me/projectXray)
- [Project X Discussion Group](https://t.me/projectXray)
- 交流群可在底线之上随便水,不要撕逼,没有滥权。
- 有问题尽管随便问,知道的尽量回答。
- 禁政治,禁 NSFW
- You can chat freely above the bottom line in the discussion group, don't fight, no abuse of power.
- Feel free to ask questions, and try to answer those you know.
- No politics, No NSFW
- [Project X 频道](https://t.me/projectXtls)
- 发布 Project X 的最新资讯
- [Project X Channel](https://t.me/projectXtls)
- Publish the latest news of Project X
### 致谢
### Thanks
- 感谢所有人的支持!
- 感谢各类脚本、Docker 镜像、客户端支持...感谢所有帮忙完善生态的大佬们!
- 感谢为 Xray 网站和文档添砖加瓦的朋友们.
- 感谢提出有意义的建议和意见的朋友们.
- 感谢 Telegram 群每一位帮助群友的朋友.
- Thanks to everyone for their support!
- Thanks to all kinds of scripts, Docker images, client support... Thanks to all the big guys who helped improve the ecosystem!
- Thanks to friends who have contributed to the Xray website and documentation.
- Thanks to friends who have made meaningful suggestions and comments.
- Thanks to every friend in the Telegram group who helps others.
### 更多关于 project X
### More about project X
- 如果你想知道更多关于 project X 的足迹与成长, 请点击[这里](./about/news.md)
- If you would like to learn more about project X's history and growth, please click [here](./about/news.md)
### License

72
docs/en/config/outbounds/vless.md
View File

@ -1,12 +1,12 @@
# VLESS
::: danger
目前 VLESS 没有自带加密,请用于可靠信道,如 TLS。
Currently, VLESS does not have built-in encryption, please use it on a reliable channel, such as TLS.
:::
VLESS 是一个无状态的轻量传输协议,它分为入站和出站两部分,可以作为 Xray 客户端和服务器之间的桥梁。
VLESS is a stateless lightweight transport protocol, which is divided into inbound and outbound parts, and can be used as a bridge between Xray clients and servers.
与 [VMess](./vmess.md) 不同VLESS 不依赖于系统时间,认证方式同样为 UUID但不需要 alterId。
Unlike [VMess](./vmess.md), VLESS does not rely on system time, and the authentication method is also UUID, but it does not require alterId.
## OutboundConfigurationObject
@ -31,7 +31,7 @@ VLESS 是一个无状态的轻量传输协议,它分为入站和出站两部
> `vnext`: \[ [ServerObject](#serverobject) \]
一个数组, 表示 VLESS 服务器列表,包含一组指向服务端的配置, 其中每一项是一个服务器配置。
An array, representing the VLESS server list, containing a set of configurations pointing to the server, each of which is a server configuration.
### ServerObject
@ -52,15 +52,15 @@ VLESS 是一个无状态的轻量传输协议,它分为入站和出站两部
> `address`: address
服务端地址指向服务端支持域名、IPv4、IPv6。
Server address, pointing to the server, supporting domain names, IPv4, and IPv6.
> `port`: number
服务端端口,通常与服务端监听的端口相同。
Server port, usually the same as the port listened by the server.
> `users`: \[ [UserObject](#userobject) \]
数组, 一组服务端认可的用户列表, 其中每一项是一个用户配置
Array, a list of users recognized by the server, each of which is a user configuration.
### UserObject
@ -75,61 +75,61 @@ VLESS 是一个无状态的轻量传输协议,它分为入站和出站两部
> `id`: string
VLESS 的用户 ID可以是任意小于 30 字节的字符串, 也可以是一个合法的 UUID.
自定义字符串和其映射的 UUID 是等价的, 这意味着你将可以这样在配置文件中写 id 来标识同一用户,即
The user ID of VLESS, which can be any string less than 30 bytes, or a valid UUID.
Custom strings and their mapped UUIDs are equivalent, which means you can write an id in the configuration file to identify the same user, i.e.
- `"id": "我爱🍉老师1314"`,
- 或写 `"id": "5783a3e7-e373-51cd-8642-c83782b807c5"` (此 UUID 是 `我爱🍉老师1314` 的 UUID 映射)
- Write `"id": "I love 🍉 teacher 1314"`,
- Or write `"id": "5783a3e7-e373-51cd-8642-c83782b807c5"` (this UUID is the UUID mapping of `I love 🍉 teacher 1314`)
其映射标准在 [VLESS UUID 映射标准:将自定义字符串映射为一个 UUIDv5](https://github.com/XTLS/Xray-core/issues/158)
The mapping standard is in [VLESS UUID mapping standard: mapping custom strings to a UUIDv5](https://github.com/XTLS/Xray-core/issues/158)
你可以使用命令 `xray uuid -i "自定义字符串"` 生成自定义字符串所映射的的 UUID也可以使用命令 `xray uuid` 生成随机的 UUID。
You can use the command `xray uuid -i "custom string"` to generate the UUID mapped by the custom string, or use the command `xray uuid` to generate a random UUID.
> `encryption`: "none"
需要填 `"none"`,不能留空。
Need to fill in `"none"`, cannot be left empty.
该要求是为了提醒使用者没有加密,也为了以后出加密方式时,防止使用者填错属性名或填错位置导致裸奔。
This requirement is to remind users that there is no encryption and to prevent users from filling in the wrong attribute name or location, causing exposure when encryption methods come out in the future.
若未正确设置 encryption 的值,使用 Xray 或 -test 时会收到错误信息。
If the value of encryption is not set correctly, an error message will be received when using Xray or -test.
> `flow`: string
流控模式,用于选择 XTLS 的算法。
Flow control mode, used to select the XTLS algorithm.
目前出站协议中有以下流控模式可选:
Currently, there are the following flow control modes available in the outbound protocol:
- `flow`,空字符或者 `none`:使用普通 TLS 代理
- `xtls-rprx-vision`:使用新 XTLS 模式 包含内层握手随机填充 支持 uTLS 模拟客户端指纹
- `xtls-rprx-vision-udp443`:同 `xtls-rprx-vision`, 但是放行了目标为 443 端口的 UDP 流量
- No `flow`, empty character or `none`: using regular TLS proxy
- `xtls-rprx-vision`: using the new XTLS mode includes inner handshake random padding supports uTLS client fingerprint simulation
- `xtls-rprx-vision-udp443`: same as `xtls-rprx-vision`, but allows UDP traffic with a destination of port 443
此外,目前 XTLS 仅支持 TCP、mKCP、DomainSocket 这三种传输方式。
In addition, currently, XTLS only supports TCP, mKCP, and DomainSocket transport modes.
<!-- prettier-ignore -->
::: tip 关于 xtls-rprx-*-udp443 流控模式
::: tip About xtls-rprx-*-udp443 flow control mode
启用了 Xray-core 的 XTLS 时,通往 UDP 443 端口的流量默认会被拦截(一般情况下为 QUIC这样应用就不会使用 QUIC 而会使用 TLSXTLS 才会真正生效。实际上QUIC 本身也不适合被代理,因为 QUIC 自带了 TCP 的功能,它作为 UDP 流量在通过 VLESS 协议传输时,底层协议为 TCP就相当于两层 TCP 了。
When using Xray-core's XTLS, traffic to UDP port 443 is blocked by default (generally for QUIC), so the application will use TLS instead of QUIC, and XTLS will take effect. In fact, QUIC itself is not suitable for proxying because it has its own TCP functionality. When it is transmitted as UDP traffic through the VLESS protocol, the underlying protocol is TCP, which is equivalent to two layers of TCP.
若不需要拦截,请在客户端填写 `xtls-rprx-*-udp443`,服务端不变。
If you do not need to block it, please fill in `xtls-rprx-*-udp443` on the client side and do not change the server side.
:::
::: tip 关于 Splice 模式
Splice 是 Linux Kernel 提供的函数,系统内核直接转发 TCP不再经过 Xray 的内存大大减少了数据拷贝、CPU 上下文切换的次数。
::: tip About Splice mode
Splice is a function provided by the Linux Kernel. The system kernel directly forwards TCP without going through Xray's memory, greatly reducing the number of data copies and CPU context switches.
Splice 模式的的使用限制:
The usage restrictions of Splice mode are:
- Linux 环境
- 入站协议为 `Dokodemo door`、`Socks`、`HTTP` 等纯净的 TCP 连接, 或其它使用了 XTLS 的入站协议
- 出站协议为 VLESS + XTLS
- 需要注意的是,使用 mKCP 协议时不会使用 Splice是的虽然没有报错但实际上根本没用到
- Linux environment
- Inbound protocols are `Dokodemo door`, `Socks`, `HTTP`, etc., pure TCP connections, or other inbound protocols that use XTLS
- Outbound protocol is VLESS + XTLS
- It is worth noting that when using the mKCP protocol, Splice will not be used (yes, although there is no error, it is not used at all)
此外,使用 Splice 时网速显示会滞后,这是特性,不是 bug。
In addition, when using Splice, the speed display will lag behind, which is a feature, not a bug.
使用 Vision 模式 如果满足上述条件 会自动启用 Splice
Using Vision mode will automatically enable Splice if the above conditions are met.
:::
> `level`: number
用户等级,连接会使用这个用户等级对应的 [本地策略](../policy.md#levelpolicyobject)。
User level, the connection will use the [local policy](../policy.md#levelpolicyobject) corresponding to this user level.
level 的值, 对应 [policy](../policy.md#policyobject) 中 `level` 的值。 如不指定, 默认为 0。
The value of level corresponds to the value of `level` in [policy](../policy.md#policyobject). If not specified, the default is 0.

42
docs/en/development/README.md
View File

@ -1,41 +1,41 @@
# 开发指南
# Development Guide
## 编译文档
## Compile Documentation
Xray 支持各种平台, 您可以在多种平台上自行进行交叉编译。
Xray supports multiple platforms, and you can perform cross-compilation on various platforms by yourself.
请点击[编译文档](./intro/compile.md)以查看具体编译相关内容。
Please click [Compile Documentation](./intro/compile.md) to view specific compile-related content.
## 设计思路
## Design Concept
Xray 内核提供了一个平台,在其之上可以进二次开发。
Xray kernel provides a platform for secondary development.
这个章节阐述了 Xray 的设计目标和架构。
This section explains the design goals and architecture of Xray.
请点击[设计思路](./intro/design.md)以了解 Xray 的设计目标和架构。
Please click [Design Principles](./intro/design.md) to learn about the design goals and architecture of Xray.
## 开发规范
## Development Standards
这个章节阐述了获取代码,进行开发,提交 PR 的流程中需要遵循的准则, 以及相关的编码规范。
This section outlines the guidelines to follow when obtaining code, developing, submitting PRs, as well as the relevant coding standards.
请点击[开发规范](./intro/guide.md)查看 Xray 开发中应遵循的准则。
Please click [Development Specification](./intro/guide.md) to view the guidelines that should be followed during Xray development.
## 协议详解
## Protocol Details
Xray 用到了很多种协议, 您可以通过各种途径获得协议的详细描述。
Xray uses many protocols, and you can obtain a detailed description of each protocol through various means.
### [VLESS 协议](./protocols/vless.md)
### [VLESS Protocol](./protocols/vless.md)
VLESS 是一个无状态的轻量传输协议,可以作为 Xray 客户端和服务器之间的桥梁。
VLESS is a stateless lightweight transport protocol that can serve as a bridge between Xray clients and servers.
### [VMess 协议](./protocols/vmess.md)
### [VMess Protocol](./protocols/vmess.md)
VMess 是一个加密传输协议,可以作为 Xray 客户端和服务器之间的桥梁。
VMess is an encrypted transport protocol that can act as a bridge between Xray clients and servers.
### [Mux.Cool 协议](./protocols/muxcool.md)
### [Mux.Cool Protocol](./protocols/muxcool.md)
Mux.Cool 协议是一个多路复用传输协议,用于在一条已建立的数据流中传输多个各自独立的数据流。
Mux.Cool protocol is a multiplexing transport protocol used to transmit multiple independent data streams within an established data stream.
### [mKCP 协议](./protocols/mkcp.md)
### [mKCP Protocol](./protocols/mkcp.md)
mKCP 是流式传输协议,由 [KCP 协议](https://github.com/skywind3000/kcp)修改而来,可以按顺序传输任意的数据流。
mKCP is a stream transmission protocol modified from the [KCP protocol](https://github.com/skywind3000/kcp) that can transmit arbitrary data streams in order.

49
docs/en/development/intro/compile.md
View File

@ -1,34 +1,34 @@
# 编译文档
# Compile the document
## 前序工作
## Preparatory Work
Xray 使用 [Golang](https://golang.org/) 作为编程语言,你需要先安装最新版本 Golang 才能够编译。
Xray uses [Golang](https://golang.org/) as its programming language, so you need to install the latest version of Golang first in order to compile.
::: tip TIP
安装 Golang: [golang.org/doc/install](https://golang.org/doc/install)
Install Golang: [golang.org/doc/install](https://golang.org/doc/install)
:::
> 如果你不幸使用 Windows, 请 **务必** 使用 Powershell
If you happen to use Windows, please **make sure** to use Powershell.
## 拉取 Xray 源代码
## Pull Xray source code
```bash
git clone https://github.com/XTLS/Xray-core.git
cd Xray-core && go mod download
```
> 如果你闲的没事干,可以试试 GitHub 官方工具: `gh repo clone XTLS/Xray-core`
If you have free time, you can try GitHub's official tool: `gh repo clone XTLS/Xray-core`
注意:在无法正常访问 Google 的网络环境,依赖无法被正常拉取,需要先设置 `GOPROXY`
Note: In a network environment where Google cannot be accessed normally, dependencies cannot be pulled normally, and `GOPROXY` needs to be set first:
```bash
go env -w GOPROXY=https://goproxy.io,direct
```
## 构建二进制
## Build Binary
:::warning
本小节的命令需要在 Xray 根目录内运行。
This command needs to be executed within Xray root directory.
:::
### Windows(Powershell):
@ -44,38 +44,37 @@ go build -o xray.exe -trimpath -ldflags "-s -w -buildid=" ./main
CGO_ENABLED=0 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
```
运行以上命令会在目录下生成 xray 可执行文件。
Running the above command will generate an xray executable file in the directory.
::: tip
如果需要编译可以进行 debug 的程序,即可以用 dlv 附加到运行的程序进行调试, 请去掉 ldflags 中的 '-w -s' 选项.
If you need to compile a program that can be debugged, i.e., you can use dlv to attach to the running program for debugging, please remove the '-w -s' options from the ldflags.
-w 禁止生成 debug 信息。使用该选项后,将无法使用 gdb 进行调试。
-s 禁用符号表
PS:其实用 vscode 或其他 IDE 调试似乎更方便。
:::
- w option disables the generation of debug information. After using this option, gdb cannot be used for debugging.
- s option disables the symbol table.
PS: Actually, debugging with vscode or other IDEs seems to be more convenient.
## 交叉编译:
## Cross compilation:
这里以在 Windows(Powershell) 环境中,编译到 Linux 服务器为例:
Here, we take the example of compiling to a Linux server in a Windows (Powershell) environment:
```powershell
$env:CGO_ENABLED=0
$env:GOOS="linux"
$env:GOARCH="amd64"
go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
```
上传到服务器后,记得在服务器终端内执行 `chmod +x xray`
go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main```
After uploading to the server, remember to execute `chmod +x xray` in the server terminal.
::: tip
执行 `go tool dist list` 查看所有支持的系统与架构。
Execute `go tool dist list` to view all supported systems and architectures.
:::
## 可复现构建:
## Reproducible Build:
按照上述步骤,能够编译与 Release 中完全相同的二进制文件。
Following the above steps, it is possible to compile and release an identical binary file as the one in Release.
::: warning
请先确认您使用的 Golang 版本与编译 Release 的一致。
Please confirm that you are using the same Golang version as the one used to compile the release.
:::

46
docs/en/development/intro/design.md
View File

@ -1,43 +1,43 @@
# 设计目标
# Design Objectives
- Xray 内核提供了一个平台,支持必要的网络代理功能,在其之上可以进二次开发,以提供更好的用户体验;
- 以跨平台为首要原则,以减少二次开发的成本;
- Xray Kernel provides a platform that supports essential network proxy functions and can be developed upon to provide a better user experience.
- Cross-platform is the primary principle to reduce the cost of secondary development.
## 架构
## Architecture
![Architecture](./framework.png)
内核分为三层:应用层、代理层和传输层。
The kernel is divided into three layers: the application layer, the proxy layer, and the transport layer.
每一层内包含数个模块,模块间互相独立,同类型的模块可无缝替换。
Each layer contains several modules, which are independent of each other. Modules of the same type can be seamlessly replaced.
### 应用层
### Application Layer
应用层包含一些代理层中常用的功能,这些功能被抽象出来,以便在不同的代理模块中复用。
The application layer contains some commonly used functions in proxy layers, which are abstracted for reuse in different proxy modules.
应用层的模块应为纯软件实现,与硬件或平台相关的技术无关。
The modules at the application layer should be implemented purely in software and should not be dependent on hardware or platform-related technologies.
重要模块列表:
List of Important Modules:
- Dispatcher: 用于把入站代理所接收到的数据,传送给出站代理;
- Router: 路由模块,详见 [路由配置](../../config/routing.md)
- DNS: 内置的 DNS 服务器模块;
- Proxy Manager: 代理管理器;
- Dispatcher: Used to transfer data received by the inbound agent to the outbound agent;
- Router: Routing module, see [Routing Configuration](../../config/routing.md) for details;
- DNS: Built-in DNS server module;
- Proxy Manager: Proxy manager;
### 代理层
### Proxy Layer
代理层分为两部分入站代理Inbound Proxy和出站代理Outbound Proxy
The proxy layer is divided into two parts: Inbound Proxy and Outbound Proxy.
两部分相互独立,入站代理不依赖于某个特定的出站代理,反之亦然。
The two parts are independent of each other, where the inbound proxy does not rely on a specific outbound proxy, and vice versa.
#### 入站代理
#### Inbound Proxy
- 实现 [proxy.Inbound](https://github.com/xtls/Xray-core/blob/main/proxy/proxy.go) 接口;
- Implement the [proxy.Inbound](https://github.com/xtls/Xray-core/blob/main/proxy/proxy.go) interface;
#### 出站代理
#### Outbound Proxy
- 实现 [proxy.Outbound](https://github.com/xtls/Xray-core/blob/main/proxy/proxy.go) 接口;
- Implement the [proxy.Outbound](https://github.com/xtls/Xray-core/blob/main/proxy/proxy.go) interface;
### 传输层
### Transport Layer
传输层提供一些网络数据传输相关的工具模块。
The transport layer provides a set of tools and modules related to network data transmission.

164
docs/en/development/intro/guide.md
View File

@ -1,131 +1,131 @@
# 开发规范
# Development Standards
## 基本
## Basic
### 版本控制
### Version Control
project X 的代码被托管在 github 上:
Project X's code is hosted on GitHub:
- xray 核心 [xray-core](https://github.com/XTLS/Xray-core)
- 安装脚本 [Xray-install](https://github.com/XTLS/Xray-install)
- 配置模板 [Xray-examples](https://github.com/XTLS/Xray-examples)
- xray 文档 [Xray-docs-next](https://github.com/XTLS/Xray-docs-next)
- Xray Core [xray-core](https://github.com/XTLS/Xray-core)
- Installation script [Xray-install](https://github.com/XTLS/Xray-install)
- Configuration template [Xray-examples](https://github.com/XTLS/Xray-examples)
- Xray documentation [Xray-docs-next](https://github.com/XTLS/Xray-docs-next)
您可以使用 [Git](https://git-scm.com/) 来获取代码。
You can use [Git](https://git-scm.com/) to get the code.
### 分支(Branch
### Branch
- 本项目的主干分支为 main
- 本项目的发布主分支同为 main
- 需要确保 main 在任一时刻都是可编译,且可正常使用的。
- 如果需要开发新的功能,请新建分支进行开发,在开发完成并且经过充分测试后,合并回主干分支。
- 已经合并入主干且没有必要存在的分支,请删除。
- The main branch is the backbone of this project.
- The main branch is also the release branch of this project.
- It is necessary to ensure that main can be compiled and used normally at any time.
- If you need to develop new features, please create a new branch for development. After development and sufficient testing, merge it back to the main branch.
- Please delete branches that have been merged into the main branch and are no longer necessary.
### 发布(Release
### Release
<Badge text="WIP" type="warning"/>
<Badge text="WIP" type="warning"/> (Note: this is not translatable as it is a technical tag)
- 建立尝鲜版本和稳定版本两个发布通道
- 尝鲜版本,可以为 daily build主要用于特定情况的测试尝鲜和获得即时反馈和再改进。
- 稳定版本,为定时更新(比如月更),合并稳定的修改并发布。
- Create two release channels: one for the beta version and another for the stable version.
- The beta version, also known as the daily build, is mainly used for specific testing, experimentation, and instant feedback and improvement.
- The stable version, updated regularly (e.g. monthly), merges stable modifications and releases them.
### 引用其它项目
### Citing other projects
- Golang
- 产品代码建议使用 Golang 标准库和 [golang.org/x/](https://pkg.go.dev/search?q=golang.org%2Fx) 下的库;
- 如需引用其它项目,请事先创建 issue 讨论;
- 其它
- 不违反双方的协议,且对项目有帮助的工具,都可以使用。
- It is recommended to use the Golang standard library and libraries under [golang.org/x/](https://pkg.go.dev/search?q=golang.org%2Fx) for product code;
- If you need to reference other projects, please create an issue for discussion beforehand;
- Other
- Tools that do not violate the agreement of both parties and are helpful to the project can be used.
## 开发流程
## Development Process
### 写代码之前
### Before Writing Code
发现任何问题,或对项目有任何想法,请创建 [issue](https://github.com/XTLS/Xray-core/issues) 讨论以减少重复劳动和消耗在代码上的时间。
If you encounter any issues or have any ideas for the project, please create an [issue](https://github.com/XTLS/Xray-core/issues) for discussion to reduce redundant work and save time spent on coding.
### 修改代码
### Modify the code
- Golang
- 请参考 [Effective Go](https://golang.org/doc/effective_go.html)
- 每一次 push 之前,请运行:`go generate core/format.go`
- 如果需要修改 protobuf例如增加新配置项请运行`go generate core/proto.go`
- 提交 pull request 之前,建议测试通过:`go test ./...`
- 提交 pull request 之前,建议新增代码有超过 70% 的代码覆盖率code coverage
- 其它
- 请注意代码的可读性。
- Please refer to [Effective Go](https://golang.org/doc/effective_go.html);
- Run `go generate core/format.go` before each push;
- If you need to modify protobuf, such as adding new configuration items, please run: `go generate core/proto.go`;
- It is recommended to pass the test before submitting a pull request: `go test ./...`;
- It is recommended to have more than 70% code coverage for newly added code before submitting pull requests.
- Other
- Please pay attention to the readability of the code.
### Pull Request
- 提交 PR 之前,请先运行 `git pull https://github.com/xray/xray-core.git` 以确保 merge 可顺利进行;
- 一个 PR 只做一件事,如有对多个 bug 的修复,请对每一个 bug 提交一个 PR
- 由于 Golang 的特殊需求Package pathGo 项目的 PR 流程和其它项目有所不同,建议流程如下:
1. 先 Fork 本项目,创建你自己的 `github.com/<your_name>/Xray-core.git` 仓库;
2. 克隆你自己的 Xray 仓库到本地:`git clone https://github.com/<your_name>/Xray-core.git`
3. 基于 `main` 分支创建新的分支,例如 `git branch issue24 main`
4. 在新创建的分支上作修改并提交修改(commit)
5. 在推送(push)修改完成的分支到自己的仓库前,先切换到 `main` 分支,运行 `git pull https://github.com/xray/xray-core.git` 拉取最新的远端代码;
6. 如果上一步拉取得到了新的远端代码,则切换到之前自己创建的分支,运行 `git rebase main` 执行分支合并操作。如遇到文件冲突,则需要解决冲突;
7. 上一步处理完毕后,就可以把自己创建的分支推送到自己的仓库:`git push -u origin your-branch`
8. 最后,把自己仓库的新推送的分支往 `xtls/Xray-core``main` 分支发 PR 即可;
9. 请在 PR 的标题和正文中,完整表述此次 PR 解决的问题 / 新增的功能 / 代码所做的修改的用意等;
10. 耐心等待开发者的回应。
- Before submitting a PR, please run `git pull https://github.com/xray/xray-core.git` to ensure that the merge can proceed smoothly;
- One PR only does one thing. If there are fixes for multiple bugs, please submit a PR for each bug;
- Due to Golang's special requirements (Package path), the PR process for Go projects is different from other projects. The recommended process is as follows:
1. Fork this project first and create your own `github.com/<your_name>/Xray-core.git` repository;
2. Clone your own Xray repository to your local machine: `git clone https://github.com/<your_name>/Xray-core.git`;
3. Create a new branch based on the `main` branch, for example `git branch issue24 main`;
4. Make changes on the new branch and commit the changes;
5. Before pushing the modified branch to your own repository, switch to the `main` branch, and run `git pull https://github.com/xray/xray-core.git` to pull the latest remote code;
6. If new remote code is obtained in the previous step, switch to the branch you created earlier and run `git rebase main` to perform branch merging. If there is a file conflict, you need to resolve the conflict;
7. After the previous step is completed, you can push the branch you created to your own repository: `git push -u origin your-branch`
8. Finally, send a PR from your new pushed branch in your own repository to the `main` branch of `xtls/Xray-core`;
9. Please fully describe the purpose of this PR, including the problem solved, the new feature added, or the modifications made in the title and body of the PR;
10. Please be patient and wait for the developer's response.
### 对代码的修改
### Modifying Code
#### 功能性问题
#### Functional issue
请提交至少一个测试用例Test Case来验证对现有功能的改动。
Please submit at least one test case to verify changes to existing functionality.
#### 性能相关
#### Performance Related
请提交必要的测试数据来证明现有代码的性能缺陷,或是新增代码的性能提升。
Please provide the necessary test data to demonstrate performance issues in existing code or performance improvements in new code.
#### 新功能
#### New Feature
- 如果新增功能对已有功能不影响,请提供可以开启/关闭的开关(如 flag并使新功能保持默认关闭的状态
- 大型新功能(比如增加一个新的协议)开发之前,请先提交一个 issue讨论完毕之后再进行开发。
- If the new feature does not affect the existing functionality, please provide a toggle (such as a flag) that can be turned on/off, and keep the new feature disabled by default.
- For major new features (such as adding a new protocol), please submit an issue for discussion before development.
#### 其它
#### Other
视具体情况而定。
It depends on the specific situation.
## Xray 编码规范
## Xray Coding Guidelines
以下内容适用于 Xray 中的 Golang 代码。
The following content is applicable to Golang code in Xray.
### 代码结构
### Code Structure
```
Xray-core
├── app // 应用模块
│ ├── router // 路由
├── common // 公用代码
├── proxy // 通讯协议
├── app // Application module
│ ├── router // Router
├── common // Common code
├── proxy // Communication protocol
│ ├── blackhole
│ ├── dokodemo-door
│ ├── freedom
│ ├── socks
│ ├── vmess
├── transport // 传输模块
├── transport // Transport module
```
### 编码规范
### Coding Standards
基本与 Golang 官方所推荐做法一致,有一些例外。写在这里以方便大家熟悉 Golang。
Basic practices are consistent with the recommendations of the official Golang, with a few exceptions. Written here to help everyone familiarize themselves with Golang.
#### 命名
#### Naming
- 文件和目录名尽量使用单个英文单词,比如 hello.go
- 如果实在没办法,则目录使用连接线/文件名使用下划线连接两个(或多个单词),比如 hello-world/hello_again.go
- 测试代码使用 \_test.go 结尾;
- 类型使用 Pascal 命名法,比如 ConnectionHandler
- 对缩写不强制小写,即 HTML 不必写成 Html
- 公开成员变量也使用 Pascal 命名法;
- 私有成员变量使用 [小驼峰式命名法](https://zh.wikipedia.org/wiki/%E9%A7%9D%E5%B3%B0%E5%BC%8F%E5%A4%A7%E5%B0%8F%E5%AF%AB) ,如 `privateAttribute`
- 为了方便重构,方法建议全部使用 Pascal 命名法;
- 完全私有的类型放入 `internal`
- Use a single English word for file and directory names, such as hello.go;
- If not possible, use a hyphen for directories / underscore for files to connect two (or more) words, such as hello-world/hello_again.go;
- Use \_test.go to name test code files;
- Use PascalCase for types, such as ConnectionHandler;
- Do not force lowercase for abbreviations, i.e. HTML does not need to be written as Html;
- Use PascalCase for public member variables;
- Use camelCase for private member variables, such as `privateAttribute`;
- For easy refactoring, it is recommended to use PascalCase for all methods;
- Place completely private types in `internal`.
#### 内容组织
#### Content Organization
- 一个文件包含一个主要类型,及其相关的私有函数等;
- 测试相关的文件,如 Mock 等工具类,放入 testing 子目录。
- A file contains a main type and its related private functions;
- Testing-related files, such as Mock tools, should be placed in the testing subdirectory.

126
docs/en/development/protocols/mkcp.md
View File

@ -1,92 +1,92 @@
# mKCP 协议
# mKCP Protocol
mKCP 是流式传输协议,由 [KCP 协议](https://github.com/skywind3000/kcp) 修改而来,可以按顺序传输任意的数据流。
mKCP is a stream transfer protocol, modified from the [KCP protocol](https://github.com/skywind3000/kcp), which can transmit any data stream in order.
## 版本
## Version
mKCP 没有版本号,不保证版本之间兼容性。
mKCP has no version number and does not guarantee compatibility between versions.
## 依赖
## Dependencies
### 底层协议
### Underlying Protocol
mKCP 是一个基于 UDP 的协议,所有通讯使用 UDP 传输。
mKCP is a protocol based on UDP, and all communication uses UDP transmission.
### 函数
### Functions
- fnv: [FNV-1a](https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function) 哈希函数
- 输入参数为任意长度的字符串;
- 输入出一个 32 位无符号整数;
- fnv: [FNV-1a](https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function) hash function
- Takes a string of arbitrary length as input parameter;
- Outputs a 32-bit unsigned integer.
## 通讯过程
## Communication Process
1. mKCP 将数据流拆成若干个数据包进行发送。一个数据流有一个唯一标识,用以区分不同的数据流。数据流中的每一个数据包都携带了同样的标识。
1. mKCP 没有握手过程,当收到一个数据包时,根据其携带的数据流的标识来判断是否为新的通话,或是正在进行中的通话。
1. 每一个数据包中包含若干个片段Segment片段分为三类数据Data、确认ACK、心跳Ping。每个片段需要单独处理。
1. mKCP splits data streams into several data packets for transmission. Each data stream has a unique identifier to distinguish it from other data streams. Each data packet in the data stream carries the same identifier.
2. mKCP does not have a handshake process. When receiving a data packet, it determines whether it is a new call or an ongoing call based on the identifier of the data stream it carries.
3. Each data packet contains several segments (Segment), which are divided into three types: data (Data), acknowledgment (ACK), and heartbeat (Ping). Each segment needs to be processed separately.
## 数据格式
## Data Format
### 数据包
### Data Packet
| 4 字节 | 2 字节 | L 字节 |
| ---------- | ---------- | -------- |
| 认证信息 A | 数据长度 L | 片段部分 |
| 4 Bytes | 2 Bytes | L Bytes |
| ------- | ---------- | -------- |
| Auth A | Data Len L | Fragment |
其中:
as which:
- 认证信息 A = fnv(片段部分big endian
- 片段部分可能包含多个片段;
- Authentication information A = fnv(fragment), big endian;
- The fragment may contain multiple sections.
### 数据片段
### Data snippet
| 2 字节 | 1 字节 | 1 字节 | 4 字节 | 4 字节 | 4 字节 | 2 字节 | Len 字节 |
| --------- | -------- | -------- | --------- | --------- | ---------------- | -------- | -------- |
| 标识 Conv | 指令 Cmd | 选项 Opt | 时间戳 Ts | 序列号 Sn | 未确认序列号 Una | 长度 Len | 数据 |
| 2 bytes | 1 byte | 1 byte | 4 bytes | 4 bytes | 4 bytes | 2 bytes | Len bytes |
| --------- | -------- | -------- | --------- | -------- | -------------- | -------- | --------- |
| Conv flag | Cmd flag | Opt flag | Timestamp | Sequence | Unacknowledged | Len flag | Data |
其中:
as which:
- 标识 Conv: mKCP 数据流的标识
- 指令 Cmd: 常量 0x01
- 选项 Opt: 可选的值有:
- 0x00: 空选项
- 0x01: 对方已发出所有数据
- 时间戳 Ts: 当前片段从远端发送出来时的时间,big endian
- 序列号 Sn: 该数据片段时数据流中的位置,起始片段的序列号为 0之后每个新片段按顺序加 1
- 未确认序列号 Una: 远端主机正在发送的,且尚未收到确认的最小的 Sn
- Identifier Conv: Identifier for mKCP data stream
- Command Cmd: Constant 0x01
- Option Opt: Optional values include:
- 0x00: Empty option
- 0x01: Opposite party has sent all data
- Timestamp Ts: Time when the current segment was sent from the remote end, big endian
- Sequence Number Sn: The position of the data segment in the data stream, the sequence number of the starting segment is 0, and each new segment is sequentially added by 1
- Unacknowledged Sequence Number Una: The minimum Sn that the remote host is sending and has not yet received confirmation.
### 确认片段
### Confirmation snippet
| 2 字节 | 1 字节 | 1 字节 | 4 字节 | 4 字节 | 4 字节 | 2 字节 | Len \* 4 字节 |
| --------- | -------- | -------- | -------- | ----------------- | --------- | -------- | -------------- |
| 标识 Conv | 指令 Cmd | 选项 Opt | 窗口 Wnd | 下一接收序列号 Sn | 时间戳 Ts | 长度 Len | 已收到的序列号 |
| 2 bytes | 1 byte | 1 byte | 4 bytes | 4 bytes | 4 bytes | 2 bytes | Len \* 4 bytes |
| ------- | ------ | ------ | ------- | --------------- | --------- | ------- | ------------------- |
| Conv ID | Cmd | Opt | Wnd | Next Seq Number | Timestamp | Length | Received Seq Number |
其中:
as which:
- 标识 Conv: mKCP 数据流的标识
- 指令 Cmd: 常量 0x00
- 选项 Opt: 同上
- 窗口 Wnd: 远端主机可以接收的最大序列号
- 下一接收序列号 Sn: 远端主机未收到的数据片段中的最小序列号
- 时间戳 Ts: 远端主机最新收到的数据片段的时间戳,可用于计算延迟
- 已收到的序列号: 每个 4 字节,表示此序列号的数据已经确认收到
- Identifier Conv: Identifier of the mKCP data stream
- Command Cmd: Constant 0x00
- Option Opt: Same as above
- Window Wnd: The maximum sequence number that the remote host can receive
- Next receive sequence number Sn: The smallest sequence number of the data segment that the remote host has not received
- Timestamp Ts: The timestamp of the latest received data segment by the remote host, which can be used to calculate the delay
- Received sequence numbers: Each 4 bytes, indicating that the data of this sequence number has been confirmed received.
注释:
as which:
- 远程主机期待收到序列号 [Sn, Wnd) 范围内的数据
- The remote host expects to receive data within the serial number [Sn, Wnd) range.
### 心跳片段
### Heartbeat Fragments
| 2 字节 | 1 字节 | 1 字节 | 4 字节 | 4 字节 | 4 字节 |
| --------- | -------- | -------- | ---------------- | ----------------- | -------- |
| 标识 Conv | 指令 Cmd | 选项 Opt | 未确认序列号 Una | 下一接收序列号 Sn | 延迟 Rto |
| 2 Bytes | 1 Byte | 1 Byte | 4 Bytes | 4 Bytes | 4 Bytes |
| ------- | ------ | ------ | --------------------- | ------------------- | ------- |
| Conv ID | Cmd | Opt | Unacknowledged Seq No | Next Receive Seq No | Rto |
其中:
as which:
- 标识 Conv: mKCP 数据流的标识
- 指令 Cmd: 可选的值有
- 0x02: 远端主机强行终止会话
- 0x03: 正常心跳
- 选项 Opt: 同上
- 未确认序列号 Una: 同数据片段的 Una
- 下一接收序列号 Sn: 同确认片段的 Sn
- 延迟 Rto: 远端主机自己计算出的延迟
- Identifier Conv: Identifier for the mKCP data stream
- Command Cmd: Optional values include:
- 0x02: Remote host forcibly terminates the session
- 0x03: Normal heartbeat
- Option Opt: Same as above
- Unacknowledged sequence number Una: Same as the Una of the data fragment
- Next receive sequence number Sn: Same as the Sn of the acknowledgement fragment
- Delay Rto: Delay calculated by the remote host itself

152
docs/en/development/protocols/muxcool.md
View File

@ -1,119 +1,117 @@
# Mux.Cool 协议
# Mux.Cool Protocol
Mux.Cool 协议是一个多路复用传输协议,用于在一条已建立的数据流中传输多个各自独立的数据流。
Mux.Cool protocol is a multiplexing transport protocol that is used to transmit multiple independent data streams within an established data stream.
## 版本
## Version
当前版本是 1 Beta。
The current version is 1 Beta.
## 依赖
## Dependencies
### 底层协议
### Underlying Protocol
Mux.Cool 必须运行在一个已建立的可靠数据流之上。
Mux.Cool must run on top of a reliable established data stream.
## 通讯过程
## Communication Process
一个 Mux.Cool 连接中可传输若干个子连接,每个子连接有一个独立的 ID 和状态。传输过程由帧Frame组成每一帧用于传输一个特定的子连接的数据。
Within a Mux.Cool connection, multiple sub-connections can be transmitted, each with a unique ID and status. The transmission process consists of frames, with each frame used to transmit data for a specific sub-connection.
### 客户端行为
### Client behavior
当有连接需求时并且没有现有可用的连接时,客户端向服务器发起一个新连接,以下称为“主连接”。
When there is a need for a connection and there are no existing available connections, the client initiates a new connection to the server, referred to as the "main connection".
1. 一个主连接可用于发送若干个子连接。客户端可自主决定主连接可承载的子连接数量。
1. 对于一个新的子连接,客户端必须发送状态`New`以通知服务器建立子连接,然后使用状态`Keep`来传送数据。
1. 当子连接结束时,客户端发送`End`状态来通知服务器关闭子连接。
1. 客户端可自行决定何时关闭主连接,但必须确定服务器也同时保持连接。
1. 客户端可使用 KeepAlive 状态来避免服务器关闭主连接。
1. One main connection can be used to send several sub-connections. The client can decide independently how many sub-connections the main connection can handle.
2. For a new sub-connection, the client must send the `New` status to notify the server to establish the sub-connection, and then use the `Keep` status to transmit data.
3. When the sub-connection ends, the client sends the `End` status to notify the server to close the sub-connection.
4. The client can decide when to close the main connection, but must ensure that the server also maintains the connection.
5. The client can use the KeepAlive status to prevent the server from closing the main connection.
### 服务器端行为
### Server-side behavior
当服务器端接收到新的子连接时,服务器应当按正常的连接来处理。
When a new sub-connection is received on the server side, the server should handle it as a normal connection.
1. 当收到状态`End`时,服务器端可以关闭对目标地址的上行连接。
1. 在服务器的响应中,必须使用与请求相同的 ID 来传输子连接的数据。
1. 服务器不能使用`New`状态。
1. 服务器可使用 KeepAlive 状态来避免客户端关闭主连接。
1. When the status "End" is received, the server can close the upstream connection to the target address.
2. The same ID used in the request must be used to transfer sub-connection data in the server response.
3. The server cannot use the "New" status.
4. The server can use the KeepAlive status to avoid the client closing the main connection.
## 传输格式
## Data Format
Mux.Cool 使用对称传输格式,即客户端和服务器发送和接收相同格式的数据。
Mux.Cool uses symmetric transmission format, where the client and server send and receive data in the same format.
### 帧格式
### Frame Format
| 2 字节 | L 字节 | X 字节 |
| ------------ | ------ | -------- |
| 元数据长度 L | 元数据 | 额外数据 |
| 2 Bytes | L Bytes | X Bytes |
| ----------------- | -------- | --------------- |
| Metadata Length L | Metadata | Additional Data |
### 元数据
### Metadata
元数据有若干种类型。所有类型的元数据都包含 ID 和 Opt 两项,其含义为:
There are several types of metadata. All types of metadata contain two items, ID and Opt, with the following meanings:
- ID: 子连接的唯一标识
- 对于一般 MUX 子链接ID 由 1 开始累加
- 对于 XUDPID 始终为 0
- ID: Unique identifier of the sub-connection
- For general MUX sub-connections, the ID is accumulated starting from 1
- For XUDP, the ID is always 0
- Opt:
- D(0x01): 有额外数据
- D(0x01): Additional data is available
当选项 Opt(D) 开启时,额外数据格式如下:
When option Opt(D) is enabled, the additional data format is as follows:
| 2 字节 | X-2 字节 |
| -------- | -------- |
| 长度 X-2 | 数据 |
| 2 Bytes | X-2 Bytes |
| ---------- | --------- |
| Length X-2 | Data |
### 新建子连接 (New)
### New Sublink (New)
| 2 字节 | 1 字节 | 1 字节 | 1 字节 | 2 字节 | 1 字节 | A 字节 |
| ------ | ------ | -------- | ---------- | ------ | ---------- | ------ |
| ID | 0x01 | 选项 Opt | 网络类型 N | 端口 | 地址类型 T | 地址 A |
| 2 Bytes | 1 Byte | 1 Byte | 1 Byte | 2 Bytes | 1 Byte | A Bytes |
| ------- | ------ | ------ | --------- | ------- | ------ | ------- |
| ID | 0x01 | Option | Network N | Port | Type T | Address |
其中:
where:
- 网络类型 N
- 0x01TCP表示当前子连接的流量应当以 TCP 的方式发送至目标。
- 0x02UDP表示当前子连接的流量应当以 UDP 的方式发送至目标。
- 地址类型 T
- 0x01IPv4
- 0x02:域名
- 0x03IPv6
- 地址 A
- 当 T = 0x01 时A 为 4 字节 IPv4 地址;
- 当 T = 0x02 时A 为 1 字节长度L + L 字节域名;
- 当 T = 0x03 时A 为 16 字节 IPv6 地址;
- Network type N:
- 0x01: TCP, indicating that the traffic of the current sub-connection should be sent to the destination in the way of TCP.
- 0x02: UDP, indicating that the traffic of the current sub-connection should be sent to the destination in the way of UDP.
- Address type T:
- 0x01: IPv4
- 0x02: Domain name
- 0x03: IPv6
- Address A:
- When T = 0x01, A is a 4-byte IPv4 address;
- When T = 0x02, A is a 1-byte length (L) + L-byte domain name;
- When T = 0x03, A is a 16-byte IPv6 address;
在新建子连接时,若 Opt(D) 开启,则这一帧所带的数据需要被发往目标主机。
If Opt(D) is enabled when creating a sub-connection, the data carried by this frame needs to be sent to the target host.
### 保持子连接 (Keep)
### Keep sub-connections
| 2 字节 | 1 字节 | 1 字节 |
| ------ | ------ | -------- |
| ID | 0x02 | 选项 Opt |
| 2 Bytes | 1 Byte | 1 Byte |
| ------- | ------ | ------ |
| ID | 0x02 | Option |
在保持子连接时,若 Opt(D) 开启,则这一帧所带的数据需要被发往目标主机。
XUDP 在 Opt(D) 之后加 UDP 地址,格式同新建子链接
If Opt(D) is enabled while maintaining sub-connections, the data carried by this frame needs to be sent to the target host. XUDP adds the UDP address after Opt(D), and the format is the same as creating a new sub-connection.
### 关闭子连接 (End)
### End
| 2 字节 | 1 字节 | 1 字节 |
| ------ | ------ | -------- |
| ID | 0x03 | 选项 Opt |
| 2 Bytes | 1 Byte | 1 Byte |
| ------- | ------ | ------ |
| ID | 0x03 | Option |
在保持子连接时,若 Opt(D) 开启,则这一帧所带的数据需要被发往目标主机。
If Opt(D) is enabled while maintaining sub-connections, the data carried by this frame needs to be sent to the target host.
### 保持连接 (KeepAlive)
### KeepAlive
| 2 字节 | 1 字节 | 1 字节 |
| ------ | ------ | -------- |
| ID | 0x04 | 选项 Opt |
| 2 Bytes | 1 Byte | 1 Byte |
| ------- | ------ | ---------- |
| ID | 0x04 | Option Opt |
在保持连接时:
While staying connected:
- 若 Opt(D) 开启,则这一帧所带的数据必须被丢弃。
- ID 可为随机值。
- If Opt(D) is enabled, the data carried by this frame must be discarded.
- ID can be a random value.
## 应用
## Application
Mux.Cool 协议与底层协议无关,理论上可以使用任何可靠的流式连接来传输 Mux.Cool 的协议数据。
The Mux.Cool protocol is agnostic to the underlying protocol and can theoretically use any reliable streaming connection to transmit Mux.Cool protocol data.
在目标导向的协议如 Shadowsocks 和 VMess 协议中,连接建立时必须包含一个指定的地址。
为了保持兼容性Mux.Cool 协议指定地址为“v1.mux.cool”。即当主连接的目标地址与之匹配时则进行 Mux.Cool 方式的转发否则按传统方式进行转发。这是一个程序内的标记VMess 和 VLESS 并不会在数据包中发送“v1.mux.cool”地址
In target-oriented protocols such as Shadowsocks and VMess, a specified address must be included when establishing a connection. To maintain compatibility, the Mux.Cool protocol specifies the address as "v1.mux.cool". When the target address of the main connection matches this address, the Mux.Cool forwarding method is used. Otherwise, forwarding is done in the traditional way. (Note: This is an internal tag in the program, and VMess and VLESS do not send the "v1.mux.cool" address in data packets.)

104
docs/en/development/protocols/vless.md
View File

@ -1,91 +1,99 @@
# VLESS 协议
# VLESS Protocol
VLESS 是一个无状态的轻量传输协议,可以作为 Xray 客户端和服务器之间的桥梁。
VLESS is a stateless lightweight transmission protocol that can be used as a bridge between Xray clients and servers.
## Request & Response
| 1 字节 | 16 字节 | 1 字节 | M 字节 | 1 字节 | 2 字节 | 1 字节 | S 字节 | X 字节 |
| -------- | --------- | -------------- | ----------------- | ------ | ------ | -------- | ------ | -------- |
| 协议版本 | 等价 UUID | 附加信息长度 M | 附加信息 ProtoBuf | 指令 | 端口 | 地址类型 | 地址 | 请求数据 |
| 1 byte | 16 bytes | 1 byte | M bytes | 1 byte | 2 bytes | 1 byte | S bytes | X bytes |
| ---------------- | --------------- | ------------------------------- | ------------------------------- | ----------- | ------- | ------------ | ------- | ------------ |
| Protocol Version | Equivalent UUID | Additional Information Length M | Additional Information ProtoBuf | Instruction | Port | Address Type | Address | Request Data |
| 1 字节 | 1 字节 | N 字节 | Y 字节 |
| ---------------------- | -------------- | ----------------- | -------- |
| 协议版本,与请求的一致 | 附加信息长度 N | 附加信息 ProtoBuf | 响应数据 |
| 1 Byte | 1 Byte | N Bytes | Y Bytes |
| --------------------------------------------- | ---------------------------------- | ---------------------------------- | ------------- |
| Protocol Version, consistent with the request | Length of additional information N | Additional information in ProtoBuf | Response data |
VLESS 早在第二个测试版 ALPHA 2 时就已经是上述结构了BETA 是第五个测试版):
VLESS had the aforementioned structure as early as the second alpha test version (ALPHA 2), with BETA being the fifth test version.
> “响应认证”被替换为“协议版本”并移至最前,使 VLESS 可以升级换代同时消除了生成伪随机数的开销。混淆相关结构被替换为附加信息ProtoBuf并前移赋予协议本身可扩展性相关开销也极小[gogo/protobuf](https://github.com/gogo/protobuf)),若无附加信息则无相关开销。
"`Response authentication`" has been replaced with "`Protocol version`" and moved to the front, allowing VLESS to upgrade and eliminate the overhead of generating pseudo-random numbers. The obfuscation-related structure has been replaced with "`Additional information`" (ProtoBuf) and moved forward, giving the protocol itself scalability, with minimal overhead ([gogo/protobuf](https://github.com/gogo/protobuf)). If there is no additional information, there is no relevant overhead.
我一直觉得“响应认证”不是必要的ALPHA 时为了提升生成随机数的性能,还用 math/rand 替换 crypto/rand而现在都不需要了。
I always thought that "response authentication" was not necessary, and ALPHA replaced crypto/rand with math/rand in order to improve the performance of random number generation, which is no longer needed.
“协议版本”不仅能起到“响应认证”的作用,还赋予了 VLESS 无痛升级协议结构的能力,带来无限的可能性。
“协议版本”在测试版本中均为 0正式版本中为 1以后若有不兼容的协议结构变更则应升级版本。
The "Protocol Version" not only serves as "Response Authentication", but also gives VLESS the ability to upgrade the protocol structure seamlessly, bringing infinite possibilities. The "Protocol Version" is 0 in the test version and 1 in the official version. If there are any incompatible protocol structural changes in the future, the version should be upgraded.
VLESS 服务端的设计是 switch version即同时支持所有 VLESS 版本。若需要升级协议版本可能到不了这一步推荐的做法是服务端提前一个月支持一个月后再改客户端。VMess 请求也有协议版本但它的认证信息在外面指令部分则高度耦合且有固定加密导致里面的协议版本毫无意义服务端也没有进行判断响应则没有协议版本。Trojan 的协议结构中没有协议版本。
The design of VLESS server is switch version, which supports all VLESS versions at the same time. If you need to upgrade the protocol version (which may not happen), it is recommended that the server support it one month in advance, and then change the client after one month. VMess requests also have protocol versions, but their authentication information is outside, and the instruction part is highly coupled and has fixed encryption, which makes the protocol version meaningless inside. The server does not judge it, and the response does not have a protocol version. Trojan's protocol structure does not have a protocol version.
接下来是 UUID我本来觉得 16 字节有点长,曾经考虑过缩短它,但后来看到 Trojan 用了 56 个可打印字符56 字节),就彻底打消了这个念头。服务端每次都要验证 UUID所以性能也很重要VLESS 的 Validator 经历了多次重构/升级,相较于 VMess它十分简洁且耗资源很少可以同时支持非常多的用户性能也十分强悍验证速度极快sync.Map。API 动态增删用户则更高效顺滑。
The following is a UUID. I used to think that 16 bytes were a bit long and considered shortening it. However, I later saw that Trojan used 56 printable characters (56 bytes), which completely dispelled this idea. The server needs to verify the UUID every time, so performance is also very important: VLESS's Validator has undergone multiple refactoring/upgrades. Compared with VMess, it is very concise and consumes very few resources. It can support a large number of users at the same time, and its performance is also very strong. The verification speed is extremely fast (sync.Map). API dynamically adds and deletes users, making it more efficient and smooth.
https://github.com/XTLS/Xray-core/issues/158
引入 ProtoBuf 是一个创举,等下会详细讲解。“指令”到“地址”的结构目前与 VMess 完全相同,同样支持 Mux。
Introducing ProtoBuf is an innovation, which will be explained in detail later. The structure from "instruction" to "address" is currently identical to VMess and also supports Mux.
总体上ALPHA 2 到 BETA 主要是:结构进化、清理整合、性能提升、更加完善。这些都是一点一滴的,详见 [VLESS Changes](https://github.com/rprx/v2ray-vless/releases)。
Overall, ALPHA 2 to BETA mainly includes: structural evolution, cleaning and integration, performance improvement, and more completeness. All of these are incremental improvements, please refer to [VLESS Changes](https://github.com/rprx/v2ray-vless/releases) for details.
## ProtoBuf
似乎只有 VLESS 可选内嵌 ProtoBuf它是一种数据交换格式信息被紧密编码成二进制TLV 结构Tag Length Value
It seems that only VLESS supports embedding ProtoBuf, which is a data exchange format that encodes information tightly into binary TLV (Tag Length Value) structures.
起因是我看到一篇文章称 SS 有一些缺点,如没有设计错误回报机制,客户端没办法根据不同的错误采取进一步的动作。
(但我并不认同所有错误都要回报,不然防不了主动探测。下一个测试版中,服务器可以返回一串自定义信息。)
于是想到一个可扩展的结构是很重要的,未来它也可以承载如动态端口指令。不止响应,请求也需要类似的结构。
本来打算自己设计 TLV接着发觉 ProtoBuf 就是此结构、现成的轮子,完全适合用来做这件事,各语言支持等也不错。
The reason is that I saw an article that said that SS has some drawbacks, such as the lack of a design error reporting mechanism, and the client cannot take further action based on different errors. (But I don't agree that all errors should be reported, otherwise it can't prevent active probing. In the next beta version, the server can return a custom string of information.) So I think a scalable structure is important, and in the future, it can also carry dynamic port instructions. Not only the response, but the request also needs a similar structure. I originally planned to design TLV by myself, but then I found that ProtoBuf is the structure, ready-made, and it is completely suitable for this purpose, and the support for various languages is also good.
目前“附加信息”只有 Scheduler 和 SchedulerV它们是 MessName 和 MessSeed 的替代者,**当你不需要它们时,“附加信息长度”为 0也就不会有 ProtoBuf 序列化/反序列化的开销**。其实我更愿意称这个过程为“拼接”,因为 pb 实际原理上也只是这么做而已,相关开销极小。拼接后的 bytes 十分紧凑,和 ALPHA 的方案相差无几,有兴趣的可以分别输出并对比。
Currently, "Additional Information" only has Scheduler and SchedulerV, which are substitutes for MessName and MessSeed. **When you don't need them, the "Additional Information Length" is 0, so there is no ProtoBuf serialization/deserialization overhead**. Actually, I prefer to call this process "concatenation" because that's all pb does in principle, and the related overhead is minimal. The concatenated bytes are very compact, similar to ALPHA's solution, and those who are interested can output and compare them separately.
为了指示对附加信息Addons也可以理解成插件以后可以有很多个插件的不同支持程度下个测试版会在“附加信息长度”前新增“附加信息版本”。256 - 1 = 255 字节是够用且合理的65535 就太多了,还可能有人恶意填充),现有的只用了十分之一,以后也不会同时有那么多附加信息,且大多数情况下是完全没有附加信息的。真不够用的话,可以升级 VLESS 版本。
To indicate different levels of support for additional information (Addons, which can be understood as plugins and can have many plugins in the future), the next beta version will add "Addon Version" before "Addon Length". 256-1 = 255 bytes is enough and reasonable (65535 is too much and there may be malicious padding), and only one-tenth of the existing space is used. In the future, there will not be so many addons at the same time, and most of the time there will be no addons at all. If it is not enough, you can upgrade to a newer version of VLESS.
为了减少逻辑判断等开销,暂定 Addons 不使用多级结构。一个月前出现过“可变协议格式”的想法pb 是可以做到打乱顺序,但没必要,因为现代加密的设计不会让旁观者看出两次传输的头部相同。
To reduce logical judgment and other expenses, it is temporarily decided that Addons will not use a multi-level structure. A month ago, there was an idea of "variable protocol format". PB can shuffle the order, but it is not necessary because the design of modern encryption will not allow bystanders to see that the headers of the two transmissions are the same.
下面介绍 Schedulers 和 Encryption 的构想,**它们都是可选的**,一个应对流量时序特征问题,一个应对密码学上的问题。
Below is an introduction to the concepts of Schedulers and Encryption, both of which are optional. One is designed to address issues related to traffic timing, while the other is designed to address cryptographic issues.
## ~~Schedulers~~ Flow
## Flow
~~中文名暂称:流量调度器~~2020-09-03 更新:中文名确定为“流控”),指令由 ProtoBuf 承载,控制的是数据部分。
### Flow Control (Formerly Traffic Scheduler)
我之前发现VMess 原有的 shake “元数据混淆”在 TLS 上完全不会带来有意义的改变,只会降低性能,所以 VLESS 弃用了它。并且,“混淆”这个表述容易被误解成伪装,也弃用了。顺便一提,我一直是不看好伪装的:做不到完全一样,那不就是强特征吗?做得到完全一样,那为什么不直接用伪装目标?我一开始用的是 SSR后来发现它只是表面伪装骗运营商就再也没用过了。
The Flow Control command is carried by ProtoBuf and manages the data section.
那么,“流量调度器”要解决什么问题?它影响的是宏观流量时序特征,而不是微观特征,后者是加密要解决的事情。流量时序特征可以是协议带来的,比如 Socks5 over TLS 时的 Socks5 握手 TLS 上不同的这种特征对于监测者来说就是不同的协议,此时无限 Schedulers 就相当于无限协议(重新分配每次发送的数据量大小等)。流量时序特征也可以是行为带来的,比如访问 Google 首页时加载了多少文件、顺序、每个文件的大小,多套一层加密并不能有效掩盖这些信息。
I previously discovered that VMess's original "metadata obfuscation" feature didn't provide any meaningful changes in TLS but only decreased performance. Consequently, VLESS has abandoned this feature. Moreover, the term "obfuscation" is often misinterpreted as camouflage, so it has been discarded.
Schedulers 没必要像下面的 Encryption 一样整个套在外面,因为头部的一丁点数据相对于后面的数据量来说太微不足道了。
As for camouflage, if it can't be an exact match, wouldn't it be a noticeable characteristic? If it could be an exact match, why not use the intended target for camouflage directly? Initially, I used SSR but found it only provided superficial disguises, fooling operators. Thus, I stopped using it.
BETA 2 预计推出两个初级的 SchedulerZstd 压缩、数据量动态扩充。进阶操作才是从宏观层面来控制、分配,暂时咕咕。
#### Purpose of Flow Control
Flow Control influences macro traffic temporal characteristics rather than micro characteristics addressed by encryption. Traffic temporal characteristics can be:
1. **Protocol-based**, e.g., Socks5 handshake when using Socks5 over TLS. Different traits on TLS are considered different protocols for monitors. Infinite schedulers equate to infinite protocols (reallocating data sent each time).
2. **Behavior-based**, e.g., loading files, their order, and size when accessing Google's homepage. Adding another encryption layer cannot effectively conceal this information.
Schedulers don't require wrapping like encryption since the header data's tiny amount is negligible compared to the remaining data.
BETA 2 is anticipated to introduce two basic schedulers: Zstd compression and dynamic data expansion. Advanced operations will control and distribute at a macro level, but for now, these remain under development.
## Encryption
与 VMess 的高度耦合不同VLESS 的服务端、客户端不久后可以提前约定好加密方式,仅在外面套一层加密。这有点类似于使用 TLS不影响承载的任何数据也可以理解成底层就是从 TLS 换成预设约定加密。相对于高度耦合这种方式更合理且灵活一种加密方式出了安全性问题直接扔掉并换用其它的就行了十分方便。VLESS 服务端还会允许不同的加密方式共存。
Unlike VMess, which is highly coupled, VLESS allows the server and client to pre-agree on an encryption method, which is only encrypted with an outer layer. This is somewhat similar to using TLS, which does not affect any of the data carried, and can be understood as replacing TLS with pre-agreed encryption at the bottom. Compared with high coupling, this approach is more reasonable and flexible: if there is a security issue with one encryption method, it can be discarded and another one can be used directly, which is very convenient. The VLESS server also allows for different encryption methods to coexist.
对比 VMessVLESS 相当于把 security 换成 encryption把 disableInsecureEncryption 换成 decryption就解决了所有问题。目前 encryption 和 decryption 只接受 \"none\" 且不能留空(即使以后有连接安全性检查),详见 [VLESS 配置文档](https://github.com/rprx/v2fly-github-io/blob/master/docs/config/protocols/vless.md)。encryption 并不需要往外移一级,一是因为无法复用很多代码,二是因为会影响控制粒度,看未来的应用就明白了。
Compared with VMess, VLESS replaces security with encryption and disableInsecureEncryption with decryption, which solves all the problems. Currently, encryption and decryption only accept "none" and cannot be left blank (even if there are connection security checks in the future), as detailed in the VLESS configuration document. Encryption does not need to be moved out one level, firstly because it cannot reuse a lot of code, and secondly because it will affect the control granularity, which will be understood by looking at future applications.
加密支持两类形式,一类是加密完全独立,需要额外密码,适合私用,另一类是结合已有的 UUID 来加密,适合公用。
(若用第一类加密形式,且密码是以某种形式公开的,比如多人共用,那么中间人攻击就不远了)
重新设计的动态端口可能会随加密同时推出,指令由 ProtoBuf 承载,具体实现和 VMess 的动态端口也会有很多不同。
Encryption supports two types of forms. One type is completely independent and requires an additional password, suitable for private use. The other type combines with the existing UUID for encryption, which is suitable for public use.
套现成加密是件很简单的事情,也就多一层 writer & reader。BETA 3 预计支持 SS 的 aes-128-gcm 和 chacha20-ietf-poly1305
客户端的 encryption 可以填 “auto: ss_aes-128-gcm_0_123456, ss_chacha20-ietf-poly1305_0_987654”auto 会选择最适合当前机器的0 代表测试版,最后的是密码。服务端的 decryption 也是类似填法,收到请求时会逐一尝试解密。
(If the first type of encryption is used and the password is publicly available in some form, such as multiple people sharing it, then a man-in-the-middle attack is not far away.)
并不是所有组合都需逐一尝试VMess 的加密分为三段,第一段是认证信息,结合了 UUID、alterId、时间因素第二段是指令部分以固定算法加密指令中含有数据部分使用的加密算法第三段才是重要的数据部分。可以看出VMess 的加解密方式实际上是多对一(服务端适配),而不仅是结合 UUID。但仅是结合 UUID 来加密也是件相对麻烦的事情,短时间内不会出,鉴于我们现在有 VMessAEAD 可用,也并不着急。若 VLESS 推出了结合 UUID 的加密方式,相当于重构了整个 VMess。
A redesigned dynamic port may be released simultaneously with encryption, and the command is carried by ProtoBuf. The specific implementation and the dynamic port of VMess will also have many differences.
It is very easy to cash out encrypted currency, which adds an extra layer of writer & reader. BETA 3 is expected to support SS's aes-128-gcm and chacha20-ietf-poly1305:
The encryption on the client-side can be filled with "auto: ss_aes-128-gcm_0_123456, ss_chacha20-ietf-poly1305_0_987654". Auto will choose the most suitable one for the current machine, 0 represents the beta version, and the last one is the password. The decryption on the server-side is also filled in a similar way, and each decryption attempt will be made when the request is received.
Not all combinations need to be tried one by one: VMess encryption is divided into three parts. The first part is the authentication information, which combines UUID, alterId, and time factors. The second part is the instruction part, which is encrypted using a fixed algorithm. The instruction contains the encryption algorithm used in the data part. The third part is the important data part. It can be seen that the VMess encryption and decryption method is actually many-to-one (adapted by the server), not just combining UUID. However, it is also a relatively difficult thing to encrypt only by combining UUID. It will not be available in a short time. Considering that we now have VMessAEAD available, there is no need to rush. If VLESS introduces an encryption method that combines UUID, it is equivalent to reconstructing the entire VMess.
## UDP issues
[XUDPVLESS & VMess & Mux UDP FullCone NAT](https://github.com/XTLS/Xray-core/discussions/252)
[XUDP: VLESS & VMess & Mux UDP FullCone NAT](https://github.com/XTLS/Xray-core/discussions/252)
## 客户端开发指引
## Client Development Guide
1. VLESS 协议本身还会有不兼容升级但客户端配置文件参数基本上是只增不减的。iOS 客户端的协议实现则需紧跟升级。
2. **视觉标准UI 标识请统一用 VLESS**,而不是 VLess / Vless / vless配置文件不受影响代码内则顺其自然。
3. `encryption` 应做成输入框而不是选择框,新配置的默认值应为 `none`,若用户置空则应代填 `none`
1. The VLESS protocol itself may have incompatible upgrades, but the parameters in the client configuration file are basically only increased and not decreased. The protocol implementation of the iOS client needs to keep up with the upgrade.
2. Visual standard: Please use VLESS as the UI identifier uniformly, instead of VLess / Vless / vless. The configuration file is not affected, and the code should follow naturally.
3. `Encryption` should be made into an input box instead of a selection box. The default value of the new configuration should be `none`, and if the user leaves it blank, it should be filled in with `none`.
## VLESS 分享链接标准
## VLESS Sharing Link Standard
感谢 <img src="https://avatars2.githubusercontent.com/u/7822648?s=32" width="32px" height="32px" alt="a"/> [@DuckSoft](https://github.com/DuckSoft) 的提案!
Thank you to [@DuckSoft](https://github.com/DuckSoft) for the proposal!
详情请见 [VMessAEAD / VLESS 分享链接标准提案](https://github.com/XTLS/Xray-core/issues/91)
Please see [VMessAEAD/VLESS Sharing Link Standard Proposal](https://github.com/XTLS/Xray-core/issues/91) for more details.

257
docs/en/development/protocols/vmess.md
View File

@ -1,175 +1,174 @@
# VMess 协议
# VMess Protocol
VMess 是一个加密传输协议,可以作为 Xray 客户端和服务器之间的桥梁。
VMess is an encrypted transmission protocol that can serve as a bridge between the Xray client and server.
## 版本
## Version
当前版本号为 1。
The current version number is 1.
## 依赖
## Dependencies
### 底层协议
### Underlying Protocol
VMess 是一个基于 TCP 的协议,所有数据使用 TCP 传输。
VMess is a TCP-based protocol where all data is transmitted over TCP.
### 用户 ID
### User ID
ID 等价于 [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier),是一个 16 字节长的随机数它的作用相当于一个令牌Token
一个 ID 形如de305d54-75b4-431b-adb2-eb6b9e546014几乎完全随机可以使用任何的 UUID 生成器来生成,比如[这个](https://www.uuidgenerator.net/)。
An ID is equivalent to a [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), which is a 16-byte long random number. Its function is similar to a token. An ID looks like: `de305d54-75b4-431b-adb2-eb6b9e546014`, it is almost entirely random and can be generated using any UUID generator, such as [this one](https://www.uuidgenerator.net/).
用户 ID 可在[配置文件](../../config)中指定。
User ID can be specified in the [configuration file](../../config).
### 函数
### Functions
- MD5: [MD5 函数](https://en.wikipedia.org/wiki/MD5)
- 输入参数为任意长度的 byte 数组
- 输出为一个 16 byte 的数组
- HMAC: [HMAC 函数](https://en.wikipedia.org/wiki/Hash-based_message_authentication_code)
- 输入参数为:
- H:散列函数
- K:密钥,任意长度的 byte 数组
- M:消息,任意长度的 byte 数组
- Shake: [SHA3-Shake128 函数](https://en.wikipedia.org/wiki/SHA-3)
- 输入参数为任意长度的字符串
- 输出为任意长度的字符串
- MD5: [MD5 Function](https://en.wikipedia.org/wiki/MD5)
- Input parameter is any length byte array
- Output is a 16-byte array
- HMAC: [HMAC Function](https://en.wikipedia.org/wiki/Hash-based_message_authentication_code)
- Input parameters are:
- H: Hash function
- K: Key, any length byte array
- M: Message, any length byte array
- Shake: [SHA3-Shake128 Function](https://en.wikipedia.org/wiki/SHA-3)
- Input parameter is any length string
- Output is any length string
## 通讯过程
## Communication Process
VMess 是一个无状态协议,即客户端和服务器之间不需要握手即可直接传输数据,每一次数据传输对之前和之后的其它数据传输没有影响。
VMess is a stateless protocol, which means that data can be transmitted directly between the client and the server without the need for a handshake. Each data transmission has no impact on other data transmissions before or after it.
VMess 的客户端发起一次请求,服务器判断该请求是否来自一个合法的客户端。如验证通过,则转发该请求,并把获得的响应发回给客户端。
When a VMess client initiates a request, the server checks whether the request comes from a legitimate client. If the validation passes, the server forwards the request and sends the obtained response back to the client.
VMess 使用非对称格式,即客户端发出的请求和服务器端的响应使用了不同的格式。
VMess uses an asymmetric format, meaning that the requests sent by the client and the responses from the server use different formats.
## 客户端请求
## Client Request
| 16 字节 | X 字节 | 余下部分 |
| -------- | -------- | -------- |
| 认证信息 | 指令部分 | 数据部分 |
| 16 Bytes | X Bytes | Remaining |
| -------------------------- | ---------------- | --------- |
| Authentication Information | Instruction Part | Data Part |
### 认证信息
### Authentication Information
认证信息是一个 16 字节的哈希hash它的计算方式如下
The authentication information is a 16-byte hash (hash) value, which is calculated as follows:
- H = MD5
- K = 用户 ID (16 字节)
- M = UTC 时间,精确到秒,取值为当前时间的前后 30 秒随机值(8 字节, Big Endian)
- K = User ID (16 bytes)
- M = UTC time accurate to seconds, with a random value of ±30 seconds from the current time (8 bytes, Big Endian)
- Hash = HMAC(H, K, M)
### 指令部分
### Command Section
指令部分经过 AES-128-CFB 加密:
The instruction part is encrypted using AES-128-CFB.
- KeyMD5(用户 ID + []byte('c48619fe-8f02-49e0-b9e9-edf763e17e21'))
- IVMD5(X + X + X + X)X = []byte(认证信息生成的时间) (8 字节, Big Endian)
- Key: MD5(user ID + []byte('c48619fe-8f02-49e0-b9e9-edf763e17e21'))
- IV: MD5(X + X + X + X), X = []byte(time generated by authentication information) (8 bytes, Big Endian)
| 1 字节 | 16 字节 | 16 字节 | 1 字节 | 1 字节 | 4 位 | 4 位 | 1 字节 | 1 字节 | 2 字节 | 1 字节 | N 字节 | P 字节 | 4 字节 |
| :--------: | :---------: | :----------: | :--------: | :------: | :----: | :----------: | :----: | :------: | :-------: | :--------: | :----: | :----: | :----: |
| 版本号 Ver | 数据加密 IV | 数据加密 Key | 响应认证 V | 选项 Opt | 余量 P | 加密方式 Sec | 保留 | 指令 Cmd | 端口 Port | 地址类型 T | 地址 A | 随机值 | 校验 F |
| 1 Byte | 16 Bytes | 16 Bytes | 1 Byte | 1 Byte | 4 bits | 4 bits | 1 Byte | 1 Byte | 2 Bytes | 1 Byte | N Bytes | P Bytes | 4 Bytes |
| :-----: | :----------------: | :-----------------: | :---------------------------: | :-----: | :------: | :---------------: | :------: | :-----: | :-----: | :----------: | :-----: | :----------: | :------: |
| Version | Data Encryption IV | Data Encryption Key | Response Authentication Value | Options | Reserved | Encryption Method | Reserved | Command | Port | Address Type | Address | Random Value | Checksum |
选项 Opt 细节:(当某一位为 1 时,表示该选项启用)
Options Opt Details: (When a bit is 1, it means the option is enabled)
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
| X | X | X | X | X | M | R | S |
其中:
of which:
- 版本号 Ver始终为 1
- 数据加密 IV随机值
- 数据加密 Key随机值
- 响应认证 V随机值
- 选项 Opt
- S (0x01):标准格式的数据流(建议开启);
- R (0x02):客户端期待重用 TCP 连接Xray 2.23+ 弃用);
- 只有当 S 开启时,这一项才有效;
- M (0x04):开启元数据混淆(建议开启);
- 只有当 S 开启时,这一项才有效;
- 当其项开启时,客户端和服务器端需要分别构造两个 Shake 实例,分别为 RequestMask = Shake(请求数据 IV), ResponseMask = Shake(响应数据 IV)。
- X:保留
- 余量 P在校验值之前加入 P 字节的随机值;
- 加密方式:指定数据部分的加密方式,可选的值有:
- 0x00AES-128-CFB
- 0x01:不加密;
- 0x02AES-128-GCM
- 0x03ChaCha20-Poly1305
- 指令 Cmd
- 0x01TCP 数据;
- 0x02UDP 数据;
- 端口 PortBig Endian 格式的整型端口号;
- 地址类型 T
- 0x01IPv4
- 0x02:域名
- 0x03IPv6
- 地址 A
- 当 T = 0x01 时A 为 4 字节 IPv4 地址;
- 当 T = 0x02 时A 为 1 字节长度L + L 字节域名;
- 当 T = 0x03 时A 为 16 字节 IPv6 地址;
- 校验 F指令部分除 F 外所有内容的 FNV1a hash
- Version Number Ver: Always 1;
- Data Encryption IV: Random value;
- Data Encryption Key: Random value;
- Response Authentication V: Random value;
- Option Opt:
- S (0x01): Standard format data stream (recommended);
- R (0x02): Client expects to reuse TCP connection (deprecated in Xray 2.23+);
- This item only takes effect when S is enabled;
- M (0x04): Enable metadata obfuscation (recommended);
- This item only takes effect when S is enabled;
- When this item is enabled, the client and server need to construct two Shake instances respectively, RequestMask = Shake (request data IV), ResponseMask = Shake (response data IV).
- X: Reserved
- Redundancy P: Random value added before checksum value;
- Encryption Method: Specify the encryption method for the data part, and the optional values are:
- 0x00: AES-128-CFB;
- 0x01: No encryption;
- 0x02: AES-128-GCM;
- 0x03: ChaCha20-Poly1305;
- Instruction Cmd:
- 0x01: TCP data;
- 0x02: UDP data;
- Port Port: Integer port number in Big Endian format;
- Address Type T:
- 0x01: IPv4
- 0x02: Domain name
- 0x03: IPv6
- Address A:
- When T = 0x01, A is a 4-byte IPv4 address;
- When T = 0x02, A is a 1-byte length (L) + L-byte domain name;
- When T = 0x03, A is a 16-byte IPv6 address;
- Check F: FNV1a hash of all content in the instruction except F.
### 数据部分
### Data Section
当 Opt(S) 开启时,数据部分使用此格式。实际的请求数据被分割为若干个小块,每个小块的格式如下。服务器校验完所有的小块之后,再按基本格式的方式进行转发。
When Opt(S) is enabled, this format is used for the data section. The actual request data is divided into several small chunks, and each chunk has the following format. After the server verifies all the small chunks, it will be forwarded in the basic format.
| 2 字节 | L 字节 |
| :----: | :----: |
| 长度 L | 数据包 |
| 2 Bytes | L Bytes |
| :------: | :---------: |
| Length L | Data Packet |
in which:
- Length L: A big-endian integer with a maximum value of 2^14.
- When Opt(M) is enabled, the value of L is equal to the true value xor Mask. Mask = (RequestMask.NextByte() << 8) + RequestMask.NextByte();
- Packet: A data packet encrypted by the specified encryption method.
Before the transmission is completed, the data packet must contain actual data, in addition to the length and authentication data. When the transmission is complete, the client must send an empty data packet, that is, L = 0 (unencrypted) or the length of the authentication data (encrypted), to indicate the end of the transmission.
The packets are formatted as follows, depending on the encryption method:
- Unencrypted:
  - L bytes: actual data;
- AES-128-CFB: The entire data section is encrypted using AES-128-CFB.
  - 4 bytes: FNV1a hash of actual data;
  - L - 4 bytes: actual data;
- AES-128-GCM: Key is the Key of the instruction section, IV = count (2 bytes) + IV (10 bytes). count starts at 0 and increases by 1 for each packet; IV is the 3rd to 12th byte of the instruction section IV.
  - L - 16 bytes: actual data;
  - 16 bytes: GCM authentication information
- ChaCha20-Poly1305: Key = MD5 (instruction part Key) + MD5 (MD5 (instruction part Key)), IV = count (2 bytes) + IV (10 bytes). count starts at 0 and increases by 1 for each packet; IV is the 3rd to 12th byte of the instruction section IV.
  - L - 16 bytes: actual data;
  - 16 bytes: Poly1305 authentication information
## Server Response
The header data is encrypted using AES-128-CFB encryption. The IV is MD5 of the data encryption IV, and the Key is MD5 of the data encryption Key. The actual response data varies depending on the encryption settings.
| 1 Byte | 1 Byte | 1 Byte | 1 Byte | M Bytes | Remaining Part |
| ------------------------- | ---------- | ----------- | ---------------- | --------------- | -------------------- |
| Response Authentication V | Option Opt | Command Cmd | Command Length M | Command Content | Actual Response Data |
其中:
- 长度 LBig Endian 格式的整型,最大值为 2^14
- 当 Opt(M) 开启时L 的值 = 真实值 xor Mask。Mask = (RequestMask.NextByte() << 8) + RequestMask.NextByte()
- 数据包:由指定的加密方式加密过的数据包;
- Response Authentication V: must match the response authentication V in the client request.
- Option Opt:
- 0x01: server prepares to reuse TCP connections (deprecated in Xray 2.23+).
- Command Cmd:
- 0x01: dynamic port command.
- Actual response data:
- If Opt(S) in the request is enabled, the standard format is used. Otherwise, the basic format is used.
- Both formats are identical to the request data.
- When Opt(M) is enabled, the value of length L is equal to the true value XOR Mask. Mask = (ResponseMask.NextByte() << 8) + ResponseMask.NextByte().
在传输结束之前,数据包中必须有实际数据,即除了长度和认证数据之外的数据。当传输结束时,客户端必须发送一个空的数据包,即 L = 0不加密 或认证数据长度(有加密),来表示传输结束。
### Dynamic Port Instructions
按加密方式不同,数据包的格式如下:
| 1 Byte | 2 Bytes | 16 Bytes | 2 Bytes | 1 Byte | 1 Byte |
| -------- | ------- | -------- | ------- | ---------- | ----------------- |
| Reserved | Port | User ID | AlterID | User level | Validity period T |
- 不加密:
- L 字节:实际数据;
- AES-128-CFB整个数据部分使用 AES-128-CFB 加密
- 4 字节:实际数据的 FNV1a hash
- L - 4 字节:实际数据;
- AES-128-GCMKey 为指令部分的 KeyIV = count (2 字节) + IV (10 字节)。count 从 0 开始递增,每个数据包加 1IV 为 指令部分 IV 的第 3 至第 12 字节。
- L - 16 字节:实际数据;
- 16 字节GCM 认证信息
- ChaCha20-Poly1305Key = MD5(指令部分 Key) + MD5(MD5(指令部分 Key))IV = count (2 字节) + IV (10 字节)。count 从 0 开始递增,每个数据包加 1IV 为 指令部分 IV 的第 3 至第 12 字节。
- L - 16 字节:实际数据;
- 16 字节Poly1305 认证信息
in which:
## 服务器应答
- Port: Integer port number in Big Endian format
- T: Number of minutes as integer value.
应答头部数据使用 AES-128-CFB 加密IV 为 MD5(数据加密 IV)Key 为 MD5(数据加密 Key)。实际应答数据视加密设置不同而不同。
When the client receives a dynamic port command, the server opens a new port for communication. The client can then send data to the new port. After T minutes, the port will expire, and the client must use the main port to communicate again.
| 1 字节 | 1 字节 | 1 字节 | 1 字节 | M 字节 | 余下部分 |
| ---------- | -------- | -------- | ---------- | -------- | ------------ |
| 响应认证 V | 选项 Opt | 指令 Cmd | 指令长度 M | 指令内容 | 实际应答数据 |
## Comment
其中:
- 响应认证 V必须和客户端请求中的响应认证 V 一致;
- 选项 Opt
- 0x01服务器端准备重用 TCP 连接Xray 2.23+ 弃用);
- 指令 Cmd
- 0x01动态端口指令
- 实际应答数据:
- 如果请求中的 Opt(S) 开启,则使用标准格式,否则使用基本格式。
- 格式均和请求数据相同。
- 当 Opt(M) 开启时,长度 L 的值 = 真实值 xor Mask。Mask = (ResponseMask.NextByte() << 8) + ResponseMask.NextByte()
### 动态端口指令
| 1 字节 | 2 字节 | 16 字节 | 2 字节 | 1 字节 | 1 字节 |
| ------ | --------- | ------- | ------- | -------- | ---------- |
| 保留 | 端口 Port | 用户 ID | AlterID | 用户等级 | 有效时间 T |
其中:
- 端口 PortBig Endian 格式的整型端口号;
- 有效时间 T分钟数
客户端在收到动态端口指令时,服务器已开放新的端口用于通信,这时客户端可以将数据发往新的端口。在 T 分钟之后,这个端口将失效,客户端必须重新使用主端口进行通信。
## 注释
- 为确保向前兼容性,所有保留字段的值必须为 0。
- To ensure forward compatibility, the values of all reserved fields must be 0.

30
docs/en/document/config.md
View File

@ -1,10 +1,10 @@
# Configure and Run
After [downloading and installing Xray](./install/), you need to configure it,
After [downloading and installing Xray](./install/), you need to configure it.
For demonstration, only a simple configuration method is introduced here. More templates: [Xray-examples](https://github.com/XTLS/Xray-examples)
For demonstration purposes, only a simple configuration method is introduced here. For more templates, please refer to [Xray-examples](https://github.com/XTLS/Xray-examples).
If you need to configure more complex functions, please refer to the relevant instructions in the more detailed [configuration file](../config/).
If you need to set up more advanced features, please refer to the relevant instructions in the more detailed [configuration file](../config/).
## Server Configuration
@ -14,7 +14,7 @@ You need a server outside the firewall to run server-side Xray. The configuratio
{
"inbounds": [
{
"port": 10086, // server listening port
"port": 10086, // The port on which the server is listening
"protocol": "vmess",
"settings": {
"clients": [
@ -33,7 +33,7 @@ You need a server outside the firewall to run server-side Xray. The configuratio
}
```
In the configuration of the server, you need to ensure `id` that the and port are consistent with the client, and then you can connect normally.
In server configuration, it is necessary to ensure that the `id` and port are consistent with the client in order to establish a normal connection.
## Client Configuration
@ -43,7 +43,7 @@ On your PC (or phone), you need to run Xray with the following configuration:
{
"inbounds": [
{
"port": 1080, // SOCKS proxy port, the proxy needs to be configured in the browser and point to this port
"port": 1080, // SOCKS代理端口,需要在浏览器中配置代理并指向该端口
"listen": "127.0.0.1",
"protocol": "socks",
"settings": {
@ -57,8 +57,8 @@ On your PC (or phone), you need to run Xray with the following configuration:
"settings": {
"vnext": [
{
"address": "server", // Server address, please change it to your own server IP or domain name
"port": 10086, // server port
"address": "server", // 服务器地址请将其更改为您自己的服务器IP或域名
"port": 10086, // 服务器端口
"users": [
{
"id": "b831381d-6324-4d53-ad4f-8cda48b30811"
@ -86,14 +86,14 @@ On your PC (or phone), you need to run Xray with the following configuration:
}
```
The only thing to change in the above configuration is your server IP, which is noted in the configuration. The above configuration will forward all traffic to your server except on the LAN (such as the access router).
The only thing you need to modify in the above configuration is your server's IP address, which is indicated in the configuration. This configuration will redirect all traffic to your server, except for traffic on the local area network (such as the access router).
## Run
- On Windows and macOS, configuration files are usually `config.json`
- Just run `Xray` or `Xray.exe`
- On Linux, configuration files are usually located in `/etc/xray/` or `/usr/local/etc/xray/`.
- Run `xray run -c /etc/xray/config.json`
- Or use something like systemd to run Xray as a service in the background.
- On Windows and macOS, the configuration files are usually named `config.json`.
- To start Xray, simply run `Xray` or `Xray.exe`.
- On Linux, the configuration files are usually located in `/etc/xray/` or `/usr/local/etc/xray/`.
- To start Xray, run the command `xray run -c /etc/xray/config.json`.
- Alternatively, you can use a tool like systemd to run Xray as a background service.
For more detailed instructions, please refer to [Configuration](../config/) Document and [小小白话文](./level-0/).
For more detailed instructions, please refer to the [Configuration](../config/) Document and [Layman's Terms](./level-0/).

22
docs/en/document/level-0/README.md
View File

@ -1,25 +1,25 @@
# 小小白白话文
# Plain and Simple Language
**这个章节是【从零开始】的基础课,新来的同学好好看好好学哦**
**This chapter is a basic lesson of [Starting from Scratch]. New students, please watch and learn carefully.**
::: tip
Made with ❤️ by [@ricuhkaen](https://github.com/ricuhkaen)
:::
[第 1 章】 前言罗嗦篇](./ch01-preface.md) - 机场还是自建?这是个问题
[Chapter 1】 Preface: Rambling](./ch01-preface.md) - Airport or Self-built? That is the question.
[【第 2 章】 原料准备篇](./ch02-preparation.md) - 工欲善其事,必先利其器
[Chapter 2: Preparation of Raw Materials](./ch02-preparation.md) - Tools must be sharpened before they can be used proficiently.
[【第 3 章】 远程登录篇](./ch03-ssh.md) - 一桥飞架南北,天堑变通途
[Chapter 3: Remote Login](./ch03-ssh.md) - A bridge connecting the north and south, turning a natural obstacle into a thoroughfare.
[第 4 章】 安全防护篇](./ch04-security.md) - 安全不注意,亲人两行泪
[Chapter 4】Security Protection](./ch04-security.md) - If you don't pay attention to security, you will shed tears for your loved ones.
[【第 5 章】 网站建设篇](./ch05-webpage.md) - 秀出你的美
[【Chapter 5】Website Construction] - Show Your Beauty (Link to webpage.md file)
[【第 6 章】 证书管理篇](./ch06-certificates.md) - 领证的才是合法的
[Chapter 6: Certificate Management](./ch06-certificates.md) - Only those who obtain certificates are considered legitimate.
[【第 7 章】 Xray 服务器篇](./ch07-xray-server.md) - 终于等到你
[Chapter 7: Xray Server](./ch07-xray-server.md) - Finally, waited for you.
[【第 8 章】 Xray 客户端篇](./ch08-xray-clients.md) - 新的开始
[Chapter 8: Xray Client](./ch08-xray-clients.md) - A New Beginning.
[【第 9 章】 附录](./ch09-appendix.md) - 考点都在这里
[Chapter 9] Appendix - All the exam points are here.

106
docs/en/document/level-0/ch01-preface.md
View File

@ -1,96 +1,100 @@
# 【第 1 章】 小小白白话文
# [Chapter 1] Simple and Plain Language
## 1.1 这篇文档是写给谁的?
## 1.1 Who is this document written for?
一句话:写给 **① 零基础** **② 希望学习自建 VPS** 的新人。
One sentence: Written for newbies who are **(1) absolute beginners** and **(2) interested in learning how to build their own VPS**.
## 1.2 这篇文档不是写给谁的?
## 1.2 Who is this document not written for?
包括但不限于:各路大神大能、懒得自己折腾的小白、已经会折腾的高手、确定要用机场的土豪、确定要用一键脚本的逍遥派...... 总之只要有技术基础、或不愿不想自建的同学,您直接关闭本文即可,因为这篇文章大概是入不了您的法眼的,更可能会让您生一肚子闲气,那多划不来。
Including but not limited to: experts and professionals, beginners who are too lazy to tinker on their own, advanced users who already know how to tinker, wealthy users who insist on using airport services, and those who prefer using one-click scripts. In short, if you have a technical background or don't want to build it yourself, you can close this article directly, because this article may not be suitable for you and may even make you upset.
## 1.3 郑重声明及其他声明
## 1.3 Declaration and Other Statements
郑重声明:
Declaration:
鄙人技术奇菜无比,故本文必然挂一漏万破绽百出。您若发现问题还请温柔提醒,莫要人参公鸡。
My technical skills are extremely limited, so this article is inevitably full of errors and flaws. If you find any problems, please kindly point them out and don't be too harsh on me.
免责声明:
Disclaimer:
本文内容请您自行判断是否可信可靠可用,若您根据本文内容建立和使用 VPS 服务器时出了任何问题和不良结果,鄙人概不负责。
Please judge the reliability and usability of the content of this article by yourself. If you encounter any problems or negative results when establishing and using a VPS server based on the content of this article, I am not responsible for it.
啰嗦声明:
Verbose statement:
基于本文【零基础用户】的目标受众,许多内容会尽力详尽说明,所以语言偏啰嗦,请做好心理准备。
Considering the target audience of this article, which is "users with zero experience", many details will be explained in great detail, so the language may be verbose. Please be mentally prepared for this.
## 1.4 为什么自建是个难题?
## 1.4 Why is self-hosting a challenge?
要回答这个问题,就需要稍微多说一点背景信息了。
To answer this question, we need to provide a little more background information.
一、科学上网这件事
1. On the matter of accessing the internet through scientific means
科学上网这件事情,说来已经发展了近二十年(震惊!!!.jpg。最初自己稍微动动手即可改改 host、连一下 ssh、后来需要找一个网页代理再后来需要写一个私有协议(比如 Shadowsocks)等等。
The act of accessing the internet using scientific methods has been around for almost 20 years (shocking!!!.jpg). Initially, one could do it with a little effort (changing the host file, using SSH), then one had to find a web proxy, and later, one had to develop a private protocol (such as Shadowsocks) and so on.
随着 GFW 技术这十几年来不断的迭代升级,若要完成【自己动手科学上网】这个目标,需要做的事情已经包括但不限于:
With the continuous iteration and upgrade of GFW technology over the past decade, to achieve the goal of [building your own scientific Internet access], the things that need to be done include but are not limited to:
- 了解 Linux 系统基本命令
- 了解网络传输协议
- 有技术和经济能力完成 VPS 购买及管理
- 有技术和经济能力完成域名购买及管理
- 有技术能力完成 TLS 证书申请 等等。
- Understand basic Linux commands
- Understand network transmission protocols
- Have the technical and financial ability to purchase and manage a VPS
- Have the technical and financial ability to purchase and manage a domain name
- Have the technical ability to apply for a TLS certificate, and so on.
这就让【自建 VPS 科学上网】这个曾经简单的行为逐渐变成了令新人望而生畏的挑战。
This has turned the once simple act of [setting up a self-built VPS for accessing the internet in a secure and unrestricted manner] into a daunting challenge that intimidates newcomers.
二、零基础用户的无奈
2. Helplessness of Zero-based Users
零基础的非技术用户如果完成上面这一连串的操作势必要学习大量的知识但稍微搜索之后新人只怕会更加迷茫大量的信息散布在互联网的各个角落博客、问答网站、群组、论坛、GitHub、Telegram、YouTube 等等等等)。这些信息纷乱复杂、水平良莠不齐、甚至可能互相矛盾。基本上就是不把新人彻底弄晕誓不罢休。
For non-technical users with zero foundation, if they complete the above series of operations, they will inevitably need to learn a lot of knowledge. However, after a little searching, newbies are likely to become even more confused: a large amount of information is scattered in various corners of the Internet: blogs, Q&A sites, groups, forums, GitHub, Telegram, YouTube, and so on. These pieces of information are chaotic and complex, with varying levels of quality, and may even contradict each other. Basically, they won't stop until they completely confuse the newcomer.
面对这些杂乱无章的信息,新人突然就从【信息匮乏】变成了【信息过剩】。若是几番连蒙带猜的折腾以失败告终(大概率如此)的话,他的积极性势必大受挫折。在这个过程中,若他又恰好去了一些不太友好的地方去求助,恐怕还要雪上加霜的被嘲讽一番:“这么菜,用机场不就行了,瞎折腾什么啊!”、“先去学会 Linux 再回来问吧”。
Faced with such chaotic information, newcomers suddenly shift from [information scarcity] to [information overload]. If they fail after several attempts of groping and guessing (which is highly probable), their enthusiasm is bound to be greatly frustrated. In this process, if they happen to seek help in some unfriendly places, they may be ridiculed even more: "You're so inexperienced, just use the airport, why bother messing around!" "Go learn Linux first before coming back to ask."
这时候,大概也只有一声“呵呵”可以表达心情了。
At this moment, probably only an "hehe" can express the mood.
## 1.5 “用机场不就行了?”
## 1.5 "Why not just use the airport?"
首先,我想反问一下那些冷嘲热讽的人:“用机场”真的就是万灵药吗?
First of all, I would like to respond to those who ridicule and criticize by asking a question: Is using the airport really a panacea?
其次,我认为“不懂”和“不想懂”是有本质区别的。态度恶劣的巨婴伸手党自然惹人厌烦,但真心自学却不得要领的人不该受到无端的白眼和歧视,也正是这种对新人不加区分的恶劣社区氛围促使我写下本文。那么闲话少说,我们来看看机场的优势与劣势究竟如何:
Secondly, I believe that there is a fundamental difference between "not understanding" and "not wanting to understand". The bad attitude of some people who just want handouts is naturally annoying, but those who sincerely want to learn but don't know how should not be subject to unjustified contempt and discrimination. It is precisely this kind of bad community atmosphere that does not distinguish between newcomers that prompted me to write this article. So without further ado, let's take a look at the advantages and disadvantages of the airport:
一、“机场“的优势
1. 稳定性高:机场节点数量多,分布广泛,避免了单点故障的风险,保证了整个网络的稳定性。
2. 速度快:机场的节点通常采用高速服务器和优化的网络架构,网络速度较快,能够满足用户的高速上网需求。
3. 安全性高:机场通常会采用严格的安全措施,如流量加密、防火墙等,保护用户数据的安全性。
4. 稳定性高:机场通常采用专业的运维团队进行管理和维护,保证了服务的稳定性和可靠性。
5. 服务质量高:机场通常会提供完善的客户服务,及时解决用户的问题和反馈,提升用户的满意度。
所谓“机场”,就是“线路提供商”。他负责完成 1.4 提到的那一串技术操作和管理,用户则付费获得使用权。所以,它的优点至少有:
The so-called "airport" refers to the "line provider". They are responsible for completing the technical operations and management mentioned in section 1.4, while users pay for the right to use the service. Therefore, its advantages include at least:
1. **用户操作简单**:扫码操作、一键添加规则等
2. **线路选择多**:可解锁不同国家、地区的网络服务;比如 iplc 等专线服务、游戏加速服务等
3. **接入节点多**:所以抵抗节点封锁的能力强一些,封了一个就换下一个
1. **Simple User Operation**: Scan code operation, one-click rule addition, etc.
2. **Multiple Line Options**: Can unlock network services in different countries and regions, such as iplc dedicated line services, game acceleration services, etc.
3. **Multiple Access Nodes**: Therefore, it has a stronger ability to resist node blocking, if one is blocked, just switch to another one.
二、“机场”的风险
2. Risks of "Airport"
“方便”这枚硬币的另一面就是“风险”,基于“机场”的技术特点和市场情况,它的风险至少有:
"The other side of the coin of 'convenience' is 'risk'. Based on the technical characteristics and market conditions of the 'airport', its risks include at least:"
1. **“机场”可完全获得用户信息**:用户在网上的所有痕迹,都【必然】经过且【非常可能】长期存储在其服务器上,这些记录无法受到任何具备法律效力的用户隐私协议的约束(**窥视、记录你的一举一动**
2. **“机场”缺乏市场管理**:不可避免存在着以欺诈为目标的恶意商家(**主动跑路**
3. **“机场”面临监管压力**大机场相对有保障的同时也无法避免树大招风。2020 年间,已经有几个大机场停运、跑路的事件发生,用户的正常使用受到严重干扰(**被动跑路**
4. **“机场”技术水平难以确定**:线路质量良莠不齐,挂羊头卖狗肉的现象屡见不鲜(**速度慢、掉线多、连不上**
1. "Airport" can fully obtain user information: All the traces left by users online will inevitably and very likely be stored on their servers for a long time. These records cannot be restricted by any legally binding user privacy agreement. ("Snooping and recording your every move")
2. "Airport" lacks market management: There are inevitably malicious merchants who target fraud. ("Actively run away")
3. "Airport" faces regulatory pressure: While large airports are relatively secure, they cannot avoid attracting attention. In 2020, several large airports experienced shutdowns and runaways, seriously disrupting users' normal usage. ("Passively run away")
4. "Airport" technical level is difficult to determine: The quality of the line varies greatly, and the phenomenon of falsely advertising quality services is common. ("Slow speed, frequent disconnections, unable to connect")
## 1.6 那么你到底要不要自建呢?
## 1.6 So should you build your own website?
现在,你已经看到了机场的优势和风险,要用什么,就请各位充分思考并自行决定。毕竟,最适合你的方案才是最好的方案。
Now that you have seen the advantages and risks of the airport, please think carefully and make your own decision on what to use. After all, the best plan is the one that suits you best.
![It's Your Choice!](./ch01-img01-choice.png)
1. 如果决定使用机场的话,现在,你可以关闭本文了。
1. If you decide to use the airport, you can close this article now.
2. 如果你决定自建,那就请继续阅读后面的章节吧!!
2. If you decide to build it yourself, please continue reading the following chapters!
总之,本文的目标就是成为零基础用户的知识起点,提供对每一步充分的讲解和演示,清清楚楚(甚至**婆婆妈妈、絮絮叨叨、啰啰嗦嗦**)的协助新人完成【**从输入第一条命令开始,完成 VPS 服务器部署,并成功在客户端完成科学上网**】的全程。并在这个过程中帮助新人逐步接触和熟悉 Linux 的基础操作,为之后的进一步自学打下基础。
In short, the goal of this article is to serve as a starting point for users with zero experience, providing thorough explanations and demonstrations for each step, even if it may seem overly detailed or repetitive. The aim is to assist beginners in completing the entire process of deploying a VPS server from the first command input to successfully accessing the internet via the client, and gradually introducing them to basic Linux operations, laying a foundation for further self-learning.
## 1.7 题外啰嗦几句
## 1.7 Some digressions
1. 墙外的信息泥沙俱下,请务必学会理性、独立的思辨,不要随意站队,不要轻信猎奇的信息。
1. There is a wealth of information outside of the wall, so please learn to think rationally and independently. Don't take sides easily and don't believe in sensational information.
2. 衷心希望大家获得更顺畅的网络后,可以获取更新鲜的知识、更丰富的娱乐、接触更美好的世界、结交更多志同道合的朋友,但不要成为任何有不可告人目的之人的替罪羊。
2. We sincerely hope that with a smoother internet, everyone can access fresher knowledge, richer entertainment, experience a better world, and make more like-minded friends, but do not become a scapegoat for anyone with ulterior motives.
3. 你的互联网身份依然是你的身份,绝对的匿名化是极为困难的,所以请务必遵守你个人所在地区和 IP 所在地区的相关法律法规。无论何时,自我保护都是最基本的底线。
3. Your internet identity is still your identity, and achieving absolute anonymity is extremely difficult. Therefore, please be sure to comply with the relevant laws and regulations in your personal location and the location of your IP address. Self-protection is always the most basic bottom line.
## 1.8 你的进度
## 1.8 Your Progress
> ⬛⬜⬜⬜⬜⬜⬜⬜ 12.5%

53
docs/en/document/level-0/ch02-preparation.md
View File

@ -1,55 +1,52 @@
# 【第 2 章】原料准备篇
# [Chapter 2] Preparation of Raw Materials
这一章比较特殊,因为涉及到金钱交易行为,本文基于项目的中立立场,不做具体的推荐。我能做的,是告诉你需要准备哪些东西。
This chapter is rather special because it involves monetary transactions. This article takes a neutral stance on the project and does not make specific recommendations. What I can do is to tell you what you need to prepare.
## 2.1 获取一台 VPS
## 2.1 Acquiring a VPS
你需要获取一台健康的、IP 没有被墙的 VPS并在管理后台做下面这些基础准备
You need to obtain a healthy VPS with an unblocked IP, and perform the following basic preparations in the management console:
1. 在 VPS 的后台安装 Debian 10 64bit 系统
2. 小本本记下 VPS 的 IP 地址(本文会用 `"100.200.300.400"` 来表示)
::: tip
这是一个故意写错的非法 IP请替换成你的真实 IP
:::
3. 小本本记下 VPS 的 SSH 远程登陆端口(Port)
4. 小本本记下 SSH 远程登录的用户名和密码
1. Install Debian 10 64-bit system in the backend of VPS.
2. Write down the IP address of VPS in a notebook (this article will use `"100.200.300.400"` as an example, which is an intentionally incorrect and illegal IP address. Please replace it with your real IP address).
3. Write down the SSH remote login port of VPS in a notebook.
4. Write down the username and password for SSH remote login in a notebook.
购买 VPS 是一个比较复杂的事情,建议先去学习一下相关知识,选择适合自己的经济能力和线路需求的即可。另外可以选择薅一些国际大厂的羊毛(比如甲骨文和谷歌提供的永久免费或限时免费的套餐)。总之,务必量力而行。
Buying a VPS is a relatively complex matter. It is recommended to first learn the relevant knowledge and choose one that suits your own economic ability and line requirements. In addition, you can choose to take advantage of some benefits offered by international giants (such as permanent free or limited-time free packages offered by Oracle and Google). In any case, you must act within your means.
::: tip 说明
关于选择 Debian 10 作为操作系统,这里稍微多说一句:不管你在网上听说了什么,不管哪个大神告诉你 XXX 版的 Linux 更好、XXX 版的 Linux 更牛,这些 Linux 的派系之争**跟现在的你半毛钱关系也没有**!使用 Debian 10 足以让你的 VPS 服务器在安全、稳健运行的同时得到足够的优化(如 cloud 专用内核、及时的 bbr 支持等)。等你对 Linux 熟悉之后,再回头去尝试其他的 Linux 发行版也不迟。
:::tip Explanation
Regarding the choice of Debian 10 as the operating system, let me elaborate a bit: No matter what you have heard online, no matter which guru has told you that XXX version of Linux is better or XXX version of Linux is more powerful, these sectarian disputes have **nothing to do with you right now**! Using Debian 10 is enough to optimize your VPS server for security, stability, and performance (such as using cloud-optimized kernel, timely support of BBR, etc.). After you become familiar with Linux, you can try other Linux distributions.
:::
## 2.2 获取一个心仪的域名
## 2.2 Obtaining a Desired Domain Name
你需要获取一个域名、并在 DNS 设置中添加一条 A 记录,指向你 VPS 的 IP 地址
You need to obtain a domain name and add an A record in the DNS settings, pointing to the IP address of your VPS.
1. 请选择靠谱的国际域名服务商。选择一些常见的域名后缀就行,注意不要用 `.cn` 后缀。
2. 在 DNS 设置中,添加一条指向你 VPS 的 IP 地址的 A 记录A 记录的名字可以随便起,本文会用 `"a-name"` 来表示。完整的域名则会用 `"二级域名.你的域名.com"` 或者 `"a-name.yourdomain.com"` 来表示)。效果如下图:
1. Please choose a reliable international domain name service provider. Choose some common domain name suffixes, and make sure not to use the `.cn` suffix.
2. In the DNS settings, add an A record pointing to the IP address of your VPS (the name of the A record can be anything, and in this article, it will be represented by `"a-name"`). The complete domain name will be represented by `"subdomain.yourdomain.com"` or `"a-name.yourdomain.com"`. The effect is as shown in the picture below:
![添加A记录](./ch02-img01-a-name.png)
![Add A Record](./ch02-img01-a-name.png)
::: tip
这**不是**一个真实可用的网址,请替换成你的真实网址
This is **not** a real usable website. Please replace it with your real website URL.
:::
## 2.3 你本地电脑上需要安装的软件
## 2.3 Software you need to install on your local computer
1. SSH 远程登录工具
1. SSH remote login tool
- Windows: [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
- Windows: [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
- macOS/Linux: Terminal
2. 远程文件拷贝工具
2. Remote file copying tool
- Windows: [WinSCP](https://winscp.net/eng/index.php)
- Windows: [WinSCP](https://winscp.net/eng/index.php)
- macOS/Linux: Terminal
3. 靠谱的文本编辑器
3. Reliable text editor
- Windows/macOS/Linux: [VSCode](https://code.visualstudio.com)
## 2.4 你的进度
## 2.4 Your Progress
如果上面的原材料你都准备好了的话,你已经拿到了开启新世界大门的钥匙。那还等什么,让我们快点进入下一章,走进这扇门吧!
If you have all the raw materials ready as mentioned above, you have already obtained the key to unlocking the door to a new world. So, what are you waiting for? Let's quickly move on to the next chapter and step through this door!
> ⬛⬛⬜⬜⬜⬜⬜⬜ 25%

98
docs/en/document/level-0/ch03-ssh.md
View File

@ -1,85 +1,89 @@
# 【第 3 章】远程登录篇
# [Chapter 3] Remote Login
## 3.1 远程登录 VPS (PuTTY)
## 3.1 Remote Login to VPS (PuTTY)
首先,鉴于零基础人群中 Windows 的用户基数最大,所以本文以 Windows 为例进行展示。
First of all, considering that the user base of Windows is the largest among the zero-based population, this article uses Windows as an example for demonstration.
其次,虽然 Windows 10 之后的 PowerShell 和 WSL 也可以达到很好的 SSH 操作体验。但是因为并非所有版本的 Windows 都有最新的组件,故本文还是以老牌的 PuTTY 为例,进行 SSH 远程登录的操作详解。(使用其他工具的话、在 SSH 登陆之后的操作都是一样的)
Secondly, although PowerShell and WSL after Windows 10 can also achieve a good SSH operation experience, not all versions of Windows have the latest components. Therefore, this article uses the classic PuTTY as an example to provide a detailed explanation of SSH remote login operation. (If you use other tools, the operations after the SSH login are the same.)
下面就跟我一步步操作吧。
Follow me step by step and let's start the operation.
1. 进入 PuTTY 的[官网](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html),选择适合你操作系统的版本下载。(本文以 64 位版本为例)
1. Go to the [official website](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) of PuTTY and download the version that suits your operating system (this article uses the 64-bit version as an example).
![下载PuTTY](./ch03-img01-putty-download.png)
![Download PuTTY](./ch03-img01-putty-download.png)
2. 安装运行后,将会看到 PuTTY 的主界面。现在请拿出你上一章记东西的[小本本](./ch02-preparation.md#21-%E8%8E%B7%E5%8F%96%E4%B8%80%E5%8F%B0vps),在下图的对应位置填入你 VPS 的**IP 地址(VPS IP)**和**端口(VPS PORT)**。为了方便以后使用时不用重复输入,我们可以保存会话 (Saved Sessions),未来使用时只要按 Load 即可一键载入设置。
2. After installation and running, you will see the main interface of PuTTY. Now please take out your notebook from the previous chapter where you wrote down the **IP address (VPS IP)** and **port (VPS PORT)** of your VPS in the corresponding positions of the following figure. In order to save time and avoid repeatedly entering these details in the future, we can save the session (Saved Sessions), and simply load it in the future with one click.
![设置PuTTY](./ch03-img02-putty-settings.png)
![PuTTY Settings](./ch03-img02-putty-settings.png)
3. 我建议将 `Connection` 中的 `keepalive` 设置为 `60` 秒,防止你一段时间没有操作之后 SSH 自动断线。另外务必再次保存设置。
3. I suggest setting `keepalive` to `60` seconds in the `Connection` to prevent SSH from automatically disconnecting after a period of inactivity. Be sure to save the settings again.
![防止频繁断线](./ch03-img03-putty-keepalive.png)
![Prevent frequent disconnection](./ch03-img03-putty-keepalive.png)
::: warning 注意
对 PuTTY 的任何设置更新都要再次手动保存 Session不然关闭后就会丢失
::: warning Attention
Any update to the PuTTY configuration needs to be manually saved to the session again. Otherwise, it will be lost after closing.
:::
4. 点击 Open 就会进入 SSH 连接窗口,对应下图输入用户名与密码,与你的 VPS 远程主机建立连接。(本文假设默认用户名是 `root`,另外,在 Linux 系统输入密码的时候,是不会出现 `******` 这种提示符的,这样可以避免密码长度泄漏,不是你的键盘坏掉了哦!)
4. Click on Open to enter the SSH connection window, then enter the username and password corresponding to the following figure to establish a connection with your VPS remote host. (This article assumes that the default username is `root`. Also, when entering a password in the Linux system, there will be no prompt like `******`, which can avoid password length leakage. It's not that your keyboard is broken!)
![SSH远程登录](./ch03-img04-ssh-login.png)
![SSH Remote Login](./ch03-img04-ssh-login.png)
## 3.2 成功登录 SSH初识命令行界面
## 3.2 Successfully Logging in SSH! Introduction to Command Line Interface!
1. 如果你的信息都填写正确,你将会看到类似下图的界面,说明已登录成功:
1. If you have filled in your information correctly, you will see a similar interface as the picture below, indicating that you have successfully logged in:
![初次登录VPS](./ch03-img05-ssh-login-success.png)
![Logging in to VPS for the first time](./ch03-img05-ssh-login-success.png)
这个界面,就等于远程服务器的【桌面】,但它没有你熟悉的图标和鼠标,没有绚丽的色彩,有的只是简单文字,这就是【**命令行界面**】- `Command Line Interface`,或者缩写为 `CLI`
This interface is equivalent to the "desktop" of a remote server, but it does not have familiar icons and a mouse, nor does it have colorful graphics. Instead, all you see is simple text. This is the "**Command Line Interface**" - shortened as `CLI`.
接下来的所有操作,都需要你像电影里的黑客一样,在这个命令行界面中完成。也许你会觉得陌生,但请相信我,使用命令行既不可怕,也不神秘。说到底,它只不过是把你习惯的鼠标操作变成了文字指令而已,**你说一句,它做一句**。
All the following operations require you to act like a hacker in a movie and complete them in this command-line interface. Maybe you will feel unfamiliar, but please believe me, using the command-line interface is neither scary nor mysterious. In the end, it just turns your familiar mouse operations into textual commands, **you say it, it does it**.
2. 现在,你可以稍微观察并熟悉一下命令行环境,这个界面其实已经告诉了你一些有用的信息了,比如系统内核版本(比如图内是 `4.19.37-5`)、上次登录时间及 IP 等。当然根据 VPS 的不同,你看到的界面可能会略有不同。
2. Now, you can observe and familiarize yourself with the command line environment a little bit. This interface has actually provided you with some useful information, such as the system kernel version (e.g. `4.19.37-5` in the picture), last login time and IP address. Of course, depending on the VPS, the interface you see may be slightly different.
3. 请注意命令行最下面一行,闪动的光标左边,有一串字符。图中显示的是`root@vps-server:~#`,这一串要怎么理解呢?很简单:
3. Please pay attention to the line at the bottom of the command line, to the left of the flashing cursor, there is a string of characters. The one shown in the figure is `root@vps-server:~#`. How to understand this string? It's very simple:
- 现在的用户是 `root`
- `root` 所在的服务器是 `vps-server`
- `root` 现在所在的文件夹是 `~`
- `#` 之后是你可以输入命令的地方
- The current user is `root`
- The server where `root` is located is `vps-server`
- The current directory where `root` is located is `~`
- After `#` is the place where you can input commands.
前两个很直观,无需多说。第三个是关于 Linux 的文件夹系统,现在也不需要过于深入,你只需要知道,"`~`"就是【当前用户的大本营】。第四个,提示符`#`,你也不用管,只需要知道,未来文章中会写一些需要你输入的命令,都会以 "`#`" 或者 "`$`" 开头,提示你**后面**是你输入命令的地方。(所以你复制命令的时候,**只需要复制后面的内容**,不要复制提示符)
The first two are pretty straightforward, no need to explain further. The third one is about the folder system in Linux. You don't need to go too deep into it for now. Just know that "`~`" represents **the home directory of the current user**. As for the fourth one, the prompt symbol "`#`", you don't need to worry about it either. Just know that in future articles, there will be some commands that you need to input, and they will be preceded by "`#`" or "`$`" to indicate **where you should input the command**. (So when you copy the command, **just copy the content after the prompt symbol** and don't copy the prompt symbol itself.)
## 3.3 第一次更新 Linux 的软件!
## 3.3 Updating software on Linux for the first time!
1. 正如你的手机,无论安卓还是 iPhone为了 APP 及时更新(获取安全补丁和新功能),都会时不时从应用商店获得更新信息,并且提示你有多少个 APP 可更新。Linux 系统也有逻辑十分类似的更新机制。所以只要你会更新手机 APP就能学会更新 Linux 软件!
1. Just like your phone, whether it's Android or iPhone, in order to keep your apps up-to-date (to get security patches and new features), you will occasionally receive update notifications from the app store, telling you how many apps need to be updated. Linux systems also have a similar update mechanism that works logically. So as long as you know how to update phone apps, you can learn how to update Linux software!
2. Linux 下,每个 APP 都叫做一个“包” package。管理 APP 的程序自然就叫做“包管理器”Package Manager。你可以通过它安装、更新、卸载各种软件、甚至更新 Linux 系统本身。Linux 下的包管理器非常强大,此处按下不表,现在你只需要知道 Debian 系统的包管理器叫做 `apt` 即可。接下来,我们就先使用 `apt` 做一次软件的全面更新,让你熟悉它的基本操作。
2. In Linux, each application is called a "package". The program that manages the applications is naturally called a "package manager". You can use it to install, update, and uninstall various software, and even update the Linux system itself. Package managers in Linux are very powerful, but we won't go into details here. For now, you only need to know that the package manager for the Debian system is called `apt`. Next, we will first use `apt` to do a comprehensive update of the software to familiarize you with its basic operations.
3. 小小白白 Linux 基础命令:
3. Tiny White Linux Basic Commands:
| 编号 | 命令名称 | 命令说明 |
| :------: | :-----------: | :----------: |
| `cmd-01` | `apt update` | 查询软件更新 |
| `cmd-02` | `apt upgrade` | 执行软件更新 |
| Number | Command Name | Command Description |
| :------: | :-----------: | :----------------------: |
| `cmd-01` | `apt update` | Query software updates |
| `cmd-02` | `apt upgrade` | Perform software updates |
4. 现在请输入第一条命令,获取更新信息
4. Now, please enter the first command to get update information.
```shell
apt update
```
```shell
apt update
```
5. 然后请输入第二条命令,并在询问是否继续安装 `(Y/n)` 时输入 `y` 并回车确认,开始安装
This is a command used in a Linux terminal to update the package list from the repositories configured on the system.
```shell
apt upgrade
```
5. Then enter the second command, and when asked if you want to continue installing `(Y/n)`, type `y` and press enter to confirm and start the installation.
6. 完整流程演示如下:
```shell
apt upgrade
```
![初次软件更新流程演示](./ch03-img06-apt-upgrade-full.gif)
This is a command in the shell terminal to upgrade the installed packages on a Debian or Ubuntu Linux system.
## 3.4 你的进度
6. The complete demonstration of the process is as follows:
**恭喜你又迈出了坚实的一步!** 现在,你已经可以通过 SSH 来登录你的远程服务器了!那登录进去之后,除了升级软件之外,应该再做点什么呢?敬请进入下一章一探究竟吧!
![Demonstration of the software update process for the first time](./ch03-img06-apt-upgrade-full.gif)
## 3.4 Your Progress
**Congratulations on taking another solid step!** Now, you can log in to your remote server via SSH! After logging in, besides upgrading the software, what else should you do? Please enter the next chapter to find out!
> ⬛⬛⬛⬜⬜⬜⬜⬜ 37.5%

547
docs/en/document/level-0/ch04-security.md
View File

@ -1,329 +1,346 @@
# 【第 4 章】安全防护篇
# [Chapter 4] Security and Protection
## 4.1 为什么要做安全防护
## 4.1 Why Do We Need Security Protection?
Linux 服务器的安全防护是一个纷繁复杂的巨大课题。无数的网站、APP、服务、甚至线下基础设施都建立在 Linux 的基石之上,这背后牵涉到巨大的经济利益和商业价值,当然也就就意味着黑灰产有巨大的攻击动力。但是这些服务是如此重要、根本不允许出现重大的安全漏洞。于是无数的运维专业人员都在安全攻防的战场上拼搏努力,这才让大家能享受到基本稳定的现代化数字生活。
Security protection for Linux servers is a complex and huge subject. Countless websites, apps, services, and even offline infrastructure are built on the foundation of Linux, which involves huge economic benefits and commercial value. This also means that there is a huge motivation for black and gray industries to launch attacks. However, these services are so important that major security vulnerabilities are not allowed. Therefore, countless operation and maintenance professionals are working hard on the battlefield of security attacks and defense, which enables us to enjoy a basic stable modern digital life.
现在,你拥有了一台 VPS并且将会敞开他的数据访问渠道来达到流量转发的目标那就相当于你已经置身于安全攻防战场的第一线、直面所有风险。但与此同时新人由于知识和信息的不足看待安全问题是总是难免两极分化要么觉得轻如鸿毛和自己没有半点关系要么觉得重于泰山甚至惶惶不可终日。
Now, you have a VPS and will open its data access channel to achieve the goal of traffic forwarding, which means you are now on the front line of the security battle and face all risks. However, at the same time, newcomers tend to have a polarized view of security issues due to lack of knowledge and information: either they feel it is as light as a feather and has nothing to do with them, or they feel it is as heavy as Mount Tai and feel anxious all day long.
- 对于前者,我的建议是:安全无小事,尽量多查一些安全方面的信息,免得自己真的受了损失才后悔莫及
- For the former, my suggestion is: safety is of utmost importance. Try to gather more information on safety issues to avoid regretting after experiencing losses.
- 对于后者,我的建议是:不用紧张,我们的服务器仍不具有太高的价值、一般不会吸引到高水平的攻击,需要面对的基本都是一些自动化脚本的恶意扫描和登录尝试,跟着本文做一些基础的防护即可
- For the latter, my suggestion is: don't worry too much, our servers still don't have too much value and generally won't attract high-level attacks. The basic threats we need to face are mostly malicious scans and login attempts from some automated scripts. Just follow this article to do some basic protection.
## 4.2 具体的风险到底是什么
## 4.2 What are the specific risks
就像我们在《远程登录篇》配置的一样任何人只需要知道【IP 地址】+【端口】+【用户名】+【密码】这四个要素,就能登录你的 VPS 服务器。那很显然,这四要素的安全就是我们要防护的底线。我们来逐一分析:
Just like the configuration we did in the "Remote Login" section, anyone who knows the four elements of [IP address] + [port] + [username] + [password] can log in to your VPS server. So obviously, the security of these four elements is the bottom line that we need to protect. Let's analyze them one by one:
1. 【IP 地址】:恶意脚本会随机尝试和扫描 IP 段,可以简单认为是公开信息、无法隐藏
1. [IP Address]: Malicious scripts randomly attempt to scan IP ranges, which can be regarded as public information and cannot be hidden.
2. 【端口】:如果使用默认端口,那么【端口 = `22`
2. [Port]: If you are using the default port, then [Port = `22`].
3. 【用户名】:如果使用默认用户,那么【用户名 = `root`
3. [Username]: If using the default user, then [Username = `root`]
4. 【密码】:密码不存在默认值,一定是由 VPS 后台随机生成或由你自行设置的。也就是说,如果你的服务器都是默认设置,则四要素中的三个已经是已知的,那么你整个服务器的安全,就全部寄托在一串小小的密码上了。这时有几种情况:
4. [Password]: There is no default value for the password. It must be randomly generated by the VPS backend or set by you. In other words, if all the settings of your server are default, then three of the four elements are already known. Therefore, the security of your entire server relies on a small password. In this case, there are several situations:
- 如果你用了 VPS 管理后台随机生成密码,它一般包含随机的十几个大小写混杂的字母和符号,相对比较安全
- If you use a VPS management background to generate passwords randomly, it usually contains random uppercase and lowercase letters, symbols, and is relatively secure.
- 如果你为了好记、把密码改成了类似`123456`这种超弱的密码,破解你的 VPS 服务器可谓不费吹灰之力
- If you changed your password to something super weak like `123456` just for the sake of easy memorization, hacking into your VPS server would be a piece of cake.
- 如果你为了好记、把密码改成了比较复杂、但在别的地方用过的密码,其实也并不安全。你要明白黑客手里有作弊器,比如说`密码表`,包含数万、数十万、数百万甚至更多曾经泄漏的真实密码)
- If you change your password to a more complex one that you have used elsewhere just for the sake of easy memory, it is not really safe. You should understand that hackers have cheats in their hands, such as `password tables`, which contain tens of thousands, hundreds of thousands, millions, or even more real leaked passwords.
5. 但你要明白,没有哪个黑客真的要坐在电脑前一次一次的尝试你的密码,全部的攻击尝试都是恶意脚本自动进行的,它会 24 小时不眠不休的工作。也许每天你酣睡之时,你的服务器都在经受着一轮又一轮的冲击。
5. But you should understand that no hacker really sits in front of a computer and tries your password repeatedly. All attack attempts are carried out automatically by malicious scripts, which work tirelessly for 24 hours. Perhaps while you are sleeping soundly every night, your server is enduring round after round of attacks.
一旦密码被成功撞破,意味着你的四要素全部被攻击者掌握,恶意脚本就会快速登录服务器、获取服务器的最高 `root` 控制权、安装部署它的恶意服务,然后就可以用你的服务器来 24 小时做各种坏事(比如挖矿、传播病毒、发送垃圾邮件、欺诈邮件、做 BT 中继、甚至暗网公众节点等等等等)。如果恶意脚本比较克制,其实可以做到相当的隐蔽性。而新人一般也不会去观察留意 VPS 的登录记录、进程变化、CPU 占用变化、流量变化等指标,你其实就很难发现自己被黑了。直到你的 VPS 服务商封禁你的账号、或者收到律师函为止。
Once the password is successfully cracked, it means that all four of your elements have been mastered by the attacker. The malicious script will quickly log in to the server, obtain the highest `root` control of the server, install and deploy its malicious services, and then use your server to do all kinds of bad things 24 hours a day (such as mining, spreading viruses, sending spam emails, fraudulent emails, acting as a BT relay, and even dark web public nodes, and so on). If the malicious script is relatively restrained, it can actually achieve considerable concealment. Generally, newcomers will not observe and pay attention to indicators such as login records, process changes, CPU usage changes, and traffic changes of the VPS, so it is difficult for you to discover that you have been hacked. Until your VPS service provider blocks your account or you receive a lawyer's letter.
6. 别忘了,你获得 VPS 时大概率需要使用真实的支付信息,你登录各种网站、社交平台时也会留下你的 IP 地址,这些都与你的身份有直接或者间接的关系。于是,**一旦这些坏事发生,它们就不可避免的与你产生了关联。**
6. Don't forget that when you obtain a VPS, you probably need to use your real payment information, and when you log in to various websites and social platforms, your IP address will also be recorded, which has a direct or indirect relationship with your identity. Therefore, once these bad things happen, they will inevitably be associated with you.
## 4.3 我们要做的安全防护有哪些
## 4.3 What security measures do we need to take
基于上述分析,我们要做的,自然就是对【端口】、【用户名】、【密码】这三要素进行加强,来降低被攻破的风险:
Based on the above analysis, what we need to do is to strengthen the three elements of [port], [username], and [password] to reduce the risk of being hacked.
1. 【端口】:将 SSH 远程登录端口修改为【非 22 端口】 4.4
2. 【用户名】:建立【非 root】的新用户、并禁用 root 用户 SSH 远程登录 4.5、4.6
3. 【密码】SSH 启用 RSA 密钥验证登录、同时禁用密码验证登录 4.7
1. [Port]: Modify the SSH remote login port to a [non-22 port] (4.4).
2. [Username]: Create a [non-root] new user and disable root user SSH remote login (4.5, 4.6).
3. [Password]: Enable RSA key verification for SSH login and disable password verification login (4.7).
记得按顺序来,别把自己锁在门外了。
Remember to follow the order and don't lock yourself out.
## 4.4 将 SSH 远程登录端口修改为非 22 端口
## 4.4 Change the SSH Remote Login Port to a Non-22 Port
现在,我们来解决【端口 = `22`】的问题。(注意:有些 VPS 服务商,默认的端口已经是非 22 端口,那么你可以忽略这一步,当然也可以跟着本文改成别的端口)
Now, let's solve the problem of "port = `22`". (Note: some VPS service providers have non-22 ports set as default, so you can ignore this step if that's the case. Of course, you can also follow this article to change it to another port.)
1. 小小白白 Linux 基础命令:
1. Basic commands of Little White Linux:
| 编号 | 命令名称 | 命令说明 |
| :------: | :-----------------: | :----------: |
| `cmd-03` | `nano` | 文本编辑器 |
| `cmd-04` | `systemctl restart` | 重启某个服务 |
| ID | Command Name | Description |
| :------: | :-----------------: | :---------------: |
| `cmd-03` | `nano` | Text editor |
| `cmd-04` | `systemctl restart` | Restart a service |
2. 小小白白 Linux 基础配置文件
2. Basic Configuration Files of Little White Linux
| 编号 | 配置文件位置 | 文件说明 |
| :-------: | :--------------------: | :------------------: |
| `conf-01` | `/etc/ssh/sshd_config` | SSH 远程登录程序设置 |
| Number | Configuration File Location | File Description |
| :-------: | :-------------------------: | :-------------------------------: |
| `conf-01` | `/etc/ssh/sshd_config` | SSH Remote Login Program Settings |
3. 我们要做的第一件事,当然就是【用`nano`这个文本编辑器打开`SSH远程登录程序设置`】,在 Windows 下,你会【找到文件并双击】,在 Linux 下该怎么办呢?仔细看看上面的命令说明,是不是就很简单了?没错,就是:
3. The first thing we need to do, of course, is to [open the SSH remote login program settings with the text editor `nano`]. In Windows, you will [find the file and double-click] it. What should you do in Linux? Take a close look at the command instructions above, isn't it simple? Yes, it is:
```shell
nano /etc/ssh/sshd_config
```
```shell
nano /etc/ssh/sshd_config
```
4. 文件打开后,你就进入了`nano`的界面,稍微观察一下,你会发现,它把重要的快捷键都显示在屏幕下方了(下图红框内),直接开卷考试、不用死记硬背,是不是很贴心呢?
This is a command in the shell terminal to open the `sshd_config` file located in the `/etc/ssh/` directory using the `nano` text editor.
![nano的界面](./ch04-img01-nano-ui.png)
4. Once the file is opened, you will enter the interface of `nano`. After observing for a while, you will find that it displays important shortcut keys at the bottom of the screen (enclosed in a red box in the figure below). You can take the exam directly without memorizing them, which is very user-friendly, isn't it?
5) 我们要做的第二件事,是【在打开的文件中找到`Port`这一项并修改它的端口】。Port 后面的数字就是 SSH 的端口,一般建议把它改成一个大于`1024`小于`65535`的整数(本文以`9753`为例)。请结合`nano`的快捷键,想一下该怎么操作呢?果然,你又说对了!就是:
![Interface of nano](./ch04-img01-nano-ui.png)
- 使用 `ctrl+w` 进入搜索模式,然后输入 `Port 22` 并回车
- 删除 `22` 并改成 `9753`
- 说明:如果这一行开头有个`#`,证明这一行【不生效】(被注释掉了),你可像我一样在文件最后写一个不带`#`的,或者把`#`删掉就好。
5) The second thing we need to do is to **find the `Port` item in the opened file and modify its port**. The number after `Port` is the SSH port. It is generally recommended to change it to an integer greater than `1024` and less than `65535` (this article takes `9753` as an example). Please think about how to operate it with the shortcut keys of `nano`. You are right again! It is:
::: warning
本文以`9753`为例,就意味着随着本文的发布,这个端口会变成一个不大不小的特征,也许会被攻击者优先尝试、也许被 GFW 干扰、阻断。所以我强烈建议你用一个自己想到的其他端口,毕竟,你有 6 万多个端口可以自由选择。
:::
6. 我们要做的第三件事,是【保存文件并退出】
- 如果第 3 步你有仔细观察,就会发现保存并不是常见的 `ctrl+s`
- 正确的快捷键:保存是 `ctrl+o` + `回车`,退出是 `ctrl+x`
7. 我们最后要做的事,是【重启 ssh 服务,使变更生效】
```shell
systemctl restart ssh
```
8. 完整流程演示如下:
![修改非22端口演示](./ch04-img02-sshd-conf-full.gif)
9. 修改 PuTTY 配置
现在新的端口已经生效,下次使用 PuTTY 登录时就要用`9753`了。所以现在请到 PuTTY 的设置中修改端口号码,然后保存 Session。嗯你应该知道去哪里改了吧如果不知道的话要重读前面的内容了哦
## 4.5 建立非 root 的新用户
第二步,我们来解决【用户名 = `root`】的问题。
首先你要理解, Linux 系统中的`root`,不仅仅是一个管理员账号那么简单。它是整个系统的【根基】、是系统的主宰、至高无上的神。一旦`root`账号出现安全问题,整个系统都只能任人鱼肉、无处可逃。那么就跟随我进行操作吧:
1. 小小白白 Linux 基础命令:
| 编号 | 命令名称 | 命令说明 |
| :------: | :-----------: | :--------------------------: |
| `cmd-05` | `adduser` | 给系统新增用户 |
| `cmd-06` | `apt install` | 安装某个软件 |
| `cmd-07` | `visudo` | 修改 sudo 权限设置专用编辑器 |
2. 我们要做的第一件事,是【新增一个用户并设定登录密码】,名字你可以随便起,我这里以`vpsadmin`为例:
```shell
adduser vpsadmin
```
执行命令后,根据提示操作即可。请务必设置一个用户密码(别忘记设置密码时你时看不到 `******` 的)。之后系统会询问你一些用户的附加信息,这些就可以无视,一路回车即可。
![建立新用户](./ch04-img03-adduser.png)
::: warning
本文以`vpsadmin`为例,就意味着随着本文的发布,这个用户名也会变成一个不大不小的特征,也许会被攻击者优先尝试。所以和端口一样,我强烈建议你用一个自己想到的其他用户名。
:::
3. 完整流程演示如下:
![建立新用户](./ch04-img04-adduser-full.gif)
4. 我们要做的第二件事,是【安装`sudo`功能】(`sudo` 就是在关键时刻,让普通账户临时获得 `root` 的神力,战力全开拯救世界)
```shell
apt update && apt install sudo
```
聪明的你大概已经发现,这一行命令其实是两个命令。前一半 `apt update` 你之前已经见过并且用过了,是去服务器刷新软件版本信息。后面的 `apt install`
就是这一次要用到的【安装命令】。两条连接在一起,就是让系统去【刷新可用的最新软件,然后安装最新版的`sudo`程序】。 `&&` 则是把两个命令连起来执行的意思。
5. 我们要做的第三件事,是【把`vpsadmin`用户加入`sudo`名单里,让他有资格借用`root`的神力】
```shell
visudo
```
`User Privilege Specification` 下加入一行 `vpsadmin ALL=(ALL) NOPASSWD: ALL` 即可。
::: warning
我要特别说明的是`NOPASSWD`这个设置,它的意思是`vpsadmin`用户临时使用`root`权限时,不用额外输入密码。**这与一般的安全建议相反**。我之所以如此推荐,是因为很多新人不顾危险坚持使用`root`账号就是因为用`root`时不用重复输入密码、觉得轻松。“两害相权取其轻”,我认为【直接用`root`用户的风险】大于【使用`sudo`
时不用输密码的风险】,所以做了以上的建议。
如果你希望遵守传统习惯、每次使用`sudo`时需要输入密码,那么这一行改成 `vpsadmin ALL=(ALL:ALL) ALL` 即可。
:::
6. 完整流程演示如下:
![建立新用户](./ch04-img05-sudo-full.gif)
## 4.6 禁用 root 用户 SSH 远程登录
1. 现在你已经逐渐熟悉 Linux 了,所以这次换你思考,我们要做的第一件事是什么呢?没错,还是【用`nano`编辑器打开`SSH远程登录程序设置`】,什么,你想不起来怎么操作了?那去复习一下上面的内容再回来吧!............ 正确答案:
```shell
nano /etc/ssh/sshd_config
```
2. 找到`PermitRootLogin Yes`这一项,然后把它后面的设定值改为`no`即可。还记得怎么操作吗?............ 正确答案:
- 使用 `ctrl+w` 进入搜索模式,然后输入 `PermitRootLogin` 并回车
- 删除 `yes` 并改成 `no`
3. 保存文件并退出。还记得怎么操作吗?............ 正确答案:
- 保存是 `ctrl+o`,然后 `回车` 确认
- 退出是 `ctrl+x`
4. 重启 ssh 服务,让变更生效。还记得............ 算了直接公布正确答案:
```shell
systemctl restart ssh
```
5. 完整流程演示如下:
![禁用root用户SSH远程登录](./ch04-img06-ssh-no-root-full.gif)
6. 下次通过 PuTTY 远程 SSH 登录的时候,`root`用户已无法连接,用户名就要换成`vpsadmin`了!方便起见,我们可以在 PuTTY 中把`vpsadmin`设置成默认登录用户名。(啰嗦君:别忘了保存 Session
![PuTTY设置默认用户名](./ch04-img07-putty-default-user.png)
## 4.7 使用 RSA 密钥登录并禁用密码登录
第三步,我们来解决【密码】可能被撞破的问题。
前面我说过,黑客并不是很蠢的用穷举法破解你的密码,而是会用一些比如“密码表”的作弊手段。除非你用的是随机生成的超长密码(比如借助 1Password或者 macOS 的 keychain 等密码管理工具),否则很容易中招。
超长随机密码虽然安全性有所提高,但是基本上无法记忆,手动输入也十分麻烦易错。为了解决这个困境,我们可以直接弃用【密码验证】方式,改用更安全的【密钥验证】。
所谓的【密钥验证】,就是生成【一对】相关联的密钥文件(公钥和私钥),然后把【公钥】上传到 VPS 备用。每次登录时SSH 会将【公钥】和【私钥】进行匹配,若验证是正确的【密钥对】,则验证通过。(换言之,你无需记忆和输入复杂的密码,只要保护好【私钥】这个文件不外泄即可)
- Use `ctrl+w` to enter search mode, then type `Port 22` and press Enter
- Delete `22` and replace it with `9753`
- Note: If this line starts with `#`, it means that this line is [commented out] and [does not take effect]. You can write a new line at the end of the file without `#`, or delete the `#` to enable this line.
::: warning
本文以 `RSA` 密钥举例,是因为 `RSA` 密钥在各种设备、各种 `SSH` 客户端中有广泛悠久的支持历史,且目前依然能提供够用的安全性。但它绝非唯一选择。
其他的常见密钥还有:
- `DSA` - 已经从数学层面被证明不安全,所以永远不要用它
- `ECDSA` - 密钥小安全性高,但其算法被指留有 NSA 的后门,如果你的 VPS 上有值得 NSA 关注的东西就不要用它
- `Ed25519` - 这是一个与 `ECDSA` 十分类似的算法,故具有相似的性能优势。同时其文档全部公开,所以普遍认为无后门
所以,如果你的设备和软件都支持的话,我建议优先选择 `Ed25519` 密钥。
This article uses `9753` as an example, which means that with the release of this article, this port will become a feature that may be prioritized or blocked by attackers or the Great Firewall of China. Therefore, I strongly recommend that you use another port that you come up with yourself, after all, you have over 60,000 ports to choose from freely.
:::
那我们现在就来配置【密钥验证】吧!
6. The third thing we need to do is to [save the file and exit].
1. 运行`PuTTYgen` (PuTTY 密钥生成器)。位置是 `开始菜单` --> `所有程序` --> `PuTTY (64-bit)` --> `PuTTYgen`
- If you observed carefully in step 3, you would have noticed that saving is not done by the common `ctrl+s`.
- The correct shortcut keys: save is `ctrl+o` + `enter`, and exit is `ctrl+x`.
1. 点击`Generate`开始生成(在界面空白处乱晃鼠标增加随机数)
7. The last thing we need to do is to [restart the SSH service to make the changes take effect].
![生成密钥](./ch04-img08-puttygen-save.png)
```shell
systemctl restart ssh
```
::: warning
本图中是以 `2048` 位的 `RSA` 密钥为例的。但实际上,如果要获得与 `EDCSA/Ed25519``256` 位密钥相同的安全性,你需要使用 `3072` 位的 `RSA` 密钥。(即右下角的数字改成 `3072`
:::
This is a shell command to restart the SSH service.
2. 你可以给私钥设置密码,增加一层安全性
3. 点击 `Save public key` 保存公钥,文件名为 `id_rsa.pub`
4. 点击 `Save private key` 保存私钥,文件名为 `id_rsa` (PuTTY 私钥自带`.ppk`后缀)
5. 最重要的,将上方红框内的内容,向下滚动全部复制出来并保存,文件名为 `authorized_keys`。(用 vscode 保存,默认会变成带`txt`后缀的文本文件,这没关系,之后上传 VPS 时我们会把后缀名去掉)
8. The complete process demonstration is as follows:
![保存密钥](./ch04-img09-puttygen-save-keys.png)
![Demonstration of modifying non-22 port](./ch04-img02-sshd-conf-full.gif)
2. 将公钥上传至 VPS 的`vpsadmin`用户下
9. Modify PuTTY Configuration
1. 这一步就需要用到之前准备的`WinSCP`了。
2. 去[官网](https://winscp.net/eng/index.php)下载并安装,会提示你导入 PuTTY 的设置,当然一键导入啦!
"Now that the new port is in effect, you will need to use `9753` the next time you log in with PuTTY. So please go to the PuTTY settings to change the port number and save the session. Well, you should know where to change it, right? (If you don't know, you need to reread the previous content!)"
![一键导入Session](./ch04-img10-winscp-import-session.png)
## 4.5 Creating a New User Without Root Access
3. 如果没有提示导入或者你已经提前安装好了,那按照下图进行配置即可
In the second step, let's solve the issue of the username being `root`.
![WinSCP登录设置](./ch04-img11-winscp-ui.png)
Firstly, you need to understand that `root` in Linux system is not just a simple administrator account. It is the foundation of the entire system, the ruler and the supreme god of the system. Once the `root` account has security issues, the entire system will be vulnerable and there will be nowhere to hide. So, let's follow me to carry out the operations:
4. WinSCP 左边的目录就是本地电脑上的文件夹和文件,请定位到密钥所在的文件夹
1. Little White Linux Basic Commands:
5. WinSCP 右边的目录则是 VPS 服务器上的文件夹和文件,默认就在 `/home/vpsadmin/` 文件夹,此时在请点击右下角 `X hidden` 来显示隐藏文件
| Number | Command Name | Command Description |
| :------: | :-----------: | :-----------------------------------------------: |
| `cmd-05` | `adduser` | Add new user to the system |
| `cmd-06` | `apt install` | Install a software package |
| `cmd-07` | `visudo` | Special editor to modify sudo permission settings |
![本地和远程文件夹](./ch04-img12-winscp-locations.png)
2. The first thing we need to do is to [add a new user and set a login password]. You can choose any name you want, here I will use `vpsadmin` as an example:
6. 在右边VPS 中)点击右键并新建文件夹,起名`.ssh` (注意有一个`.`
```shell
adduser vpsadmin
```
![在VPS中建立放置公钥的文件夹](./ch04-img13-winscp-newfolder-key.png)
This is a command in the shell terminal to add a new user named "vpsadmin".
7. 将【公钥】`authorized_keys`上传到`.ssh`文件夹内
After executing the command, follow the prompts to operate. Be sure to set a user password (remember that you won't see `******` when setting the password). Afterwards, the system will ask you for some additional user information, which can be ignored by pressing Enter all the way.
![上传authorized_keys](./ch04-img14-winscp-upload-key.png)
8. 在上传时,将【公钥】从 `authorized_keys.txt` 改名为 `authorized_keys`(去掉`.txt`这个后缀名)
![确保没有任何后缀](./ch04-img15-winscp-rename-key.png)
9. 完整流程演示如下:
![WinSCP操作完整演示](./ch04-img16-winscp-full.gif)
3. 在 VPS 端设置 SSH 启用 RSA 密钥验证登录、同时禁用密码验证登录
1. 小小白白 Linux 基础命令:
| 编号 | 命令名称 | 命令说明 |
|:--:|:--:|:--:|
| `cmd-08` | `sudo` | 用`root`权限运行某个命令 |
| `cmd-09` | `chmod` | 修改目标文件/文件夹的权限 |
2. SSH 远程连接到 VPS 上PuTTY
3. 修改 `authorized_keys` 文件权限为 `600` (仅所有者可读可写)
```shell
chmod 600 ~/.ssh/authorized_keys
```
4. 修改 SSH 配置。这个我们已经用了很多次,但现在我们已经从无所不能的`root`变成了普通用户`vpsadmin`,此时的我们是没有权限直接编辑 SSH 配置的。这时候就需要使用`sudo`命令了:
```shell
sudo nano /etc/ssh/sshd_config
```
5. 找到(`ctrl+w`) `PasswordAuthentication` 改成 `no`
6. 找到(`ctrl+w`) `PubkeyAuthentication` 改成 `yes`,然后保存(`ctrl+o`)退出(`ctrl+x`)
7. 重启 SSH 服务。(啰嗦君:别忘了现在需要使用`sudo`来获得权限)
```shell
sudo systemctl restart ssh
```
8. 完整流程如下:
![SSH开启密钥验证并禁用密码验证](./ch04-img17-rsa-login-full.gif)
4. VPS 端已经设置好了公钥,现在要给 PuTTY 指定私钥位置供登录时使用(啰嗦君:别忘了保存 Session
![PuTTY指定私钥位置](./ch04-img18-putty-privatekey-location.png)
5. 至此,【密钥登录】已成功开启、【密码验证】已成功关闭、并且还给 PuTTY 保存了默认的登录用户名和私钥。未来使用 PuTTY 登录时,载入`VPS-SERVER`配置后,点击`Open`就可以一键登录了。
如果你给私钥设置了密码保护,登录时当然还需要输入这个密码才能使用密钥,如下图:
![输入私钥密码](./ch04-img19-putty-privatekey-passphrase.png)
6. 别忘了给`WinSCP`也做对应的密钥设置,否则之后想要传输文件时就无法登录了:
![WinSCP指定私钥位置](./ch04-img20-winscp-privatekey-location.png)
![Creating a new user](./ch04-img03-adduser.png)
::: warning
任何需要借助 SSH 进行登录的软件都需要密钥验证了,软件过多,无法逐一展示,请根据你的需要自行设置好哦
This article takes "vpsadmin" as an example, which means that with the release of this article, this username will also become a significant feature, and may be the first choice for attackers to try. Therefore, just like ports, I strongly recommend that you use another username that you come up with yourself.
:::
3. The complete process demonstration is as follows:
![Creating a new user](./ch04-img04-adduser-full.gif)
4. The second thing we need to do is to install the `sudo` function (which allows ordinary accounts to temporarily obtain the power of `root` at critical moments and unleash their full power to save the world).
```shell
apt update && apt install sudo
```
This is a shell command to update the package list and install the "sudo" package.
You may have noticed that this command actually consists of two commands. The first half, `apt update`, you have seen and used before, is to refresh the software version information on the server. The latter half, `apt install`, is the installation command that will be used this time. The two commands are connected together to instruct the system to refresh the latest available software and then install the latest version of the `sudo` program. `&&` is used to link the two commands together for execution.
5. The third thing we need to do is to add the `vpsadmin` user to the `sudo` list, so that they have the privilege to borrow the power of `root`.
```shell
visudo
```
(Note: `visudo` is a command used in Linux/Unix systems to edit the sudoers file, which specifies which users or groups are allowed to run certain commands with administrative privileges.)
Simply add the following line under `User Privilege Specification`: `vpsadmin ALL=(ALL) NOPASSWD: ALL`.
::: warning
I want to specifically explain the setting of `NOPASSWD`. It means that when the `vpsadmin` user temporarily uses the `root` permission, no additional password needs to be entered. This is contrary to general security recommendations. The reason why I recommend this is that many newcomers insist on using the `root` account because they feel relaxed when using `root` without repeatedly entering passwords. "Choosing the lesser of two evils," I believe that the risk of [directly using the `root` user] is greater than the risk of [not entering a password when using `sudo`], so I made the above suggestion.
If you want to follow the traditional practice and enter a password every time you use `sudo`, then you can change this line to `vpsadmin ALL=(ALL:ALL) ALL`.
6. The complete process demonstration is as follows:
![Creating a new user](./ch04-img05-sudo-full.gif)
## 4.6 Disabling SSH Remote Login for Root User
1. Now that you're gradually getting familiar with Linux, it's time for you to think. What's the first thing we need to do? That's right, it's still to use the `nano` editor to open the `SSH remote login program settings`. What? You can't remember how to do it? Then go back and review the content above and come back! ............ Correct answer:
```shell
nano /etc/ssh/sshd_config
```
This is a command line instruction to open and edit the `sshd_config` file located at `/etc/ssh/` using the `nano` text editor.
2. Find the line `PermitRootLogin Yes`, and change the value after it to `no`. Do you remember how to do it? ............ Correct answer:
- Use `ctrl+w` to enter search mode, then enter `PermitRootLogin` and press enter.
- Delete `yes` and change it to `no`.
3. Save the file and exit. Do you remember how to do it? ............ Correct answer: N/A (The correct answer is not provided in the given text.)
- Save is `ctrl+o`, then press `Enter` to confirm.
- Exit is `ctrl+x`.
4. Restart the ssh service to make the changes take effect. Do you remember...? Never mind, let's just reveal the correct answer:
```shell
systemctl restart ssh
```
(This is a Linux shell command to restart the SSH service.)
5. The complete process is demonstrated as follows:
![Disable SSH remote login for root user](./ch04-img06-ssh-no-root-full.gif)
6. Next time you log in remotely via SSH using PuTTY, you will no longer be able to connect as the `root` user. You will need to use the username `vpsadmin` instead. For convenience, you can set `vpsadmin` as the default login username in PuTTY. (Tip: Don't forget to save the session.)
![PuTTY Setting Default User Name](./ch04-img07-putty-default-user.png)
## 4.7 Login with RSA Key and Disable Password Login
In the third step, we will solve the problem of the password being cracked.
As mentioned earlier, hackers are not foolish enough to crack your password by brute force, but rather they use cheating methods such as "password tables". Unless you use a randomly generated super long password (such as with 1Password, or macOS keychain and other password management tools), it's easy to fall victim to this.
Although a very long random password can improve security, it is usually difficult to remember and manually enter, which can also lead to mistakes. To solve this problem, we can simply abandon the "password verification" method and switch to a more secure "key verification" method.
The so-called "key authentication" refers to generating a pair of related key files (public key and private key), uploading the "public key" to the VPS for backup. Each time you log in, SSH will match the "public key" and "private key". If the verification is correct, the "key pair" will be verified and the authentication will pass. (In other words, you don't need to remember and enter complex passwords, just protect the "private key" file from being leaked.)
::: warning
This article uses `RSA` keys as an example because `RSA` keys have a long history of support in various devices and `SSH` clients and can still provide sufficient security. However, it is not the only choice available.
Other common keys include:
- `DSA` - It has been mathematically proven to be insecure, so never use it.
- `ECDSA` - It has high security with small keys, but its algorithm is suspected to have a backdoor by the NSA. If there is something on your VPS that is worth the attention of the NSA, do not use it.
- `Ed25519` - This is an algorithm that is very similar to `ECDSA`, and it has similar performance advantages. At the same time, all of its documentation is public, so it is generally considered to be free of backdoors.
So, if your device and software both support it, I recommend choosing `Ed25519` keys as a priority.
:::
## 4.8 你的进度
Now let's configure the [Key Authentication]!
到这里为止,你的 VPS 已经完成了【端口】、【用户名】、【密码】这三要素的基本安全保障,虽然远称不上固若金汤,但一般的恶意脚本应该已经无法对你造成伤害了!
1. Run `PuTTYgen` (PuTTY Key Generator). The location is `Start Menu` --> `All Programs` --> `PuTTY (64-bit)` --> `PuTTYgen`.
现在我们终于有了一个安全的系统基础,下一章,我们就可以开始逐步安装配置 Xray 需要的基础设施了!(什么基础设施呢?一个网页,一张证书)
1. Click on `Generate` to start the generation process (move the mouse randomly in the blank area of the interface to add random numbers).
![Generate Key](./ch04-img08-puttygen-save.png)
::: warning
The example in this image is based on a `2048`-bit `RSA` key. However, in reality, if you want to achieve the same level of security as a `256`-bit key for `EDCSA/Ed25519`, you need to use a `3072`-bit `RSA` key. (i.e., change the number in the bottom right corner to `3072`)
:::
2. You can add a password to your private key to increase security.
3. Click on `Save public key` to save the public key with the file name `id_rsa.pub`.
4. Click on `Save private key` to save the private key with the file name `id_rsa` (PuTTY private keys come with the `.ppk` extension).
5. Most importantly, copy and save all the content inside the red box below by scrolling down, with the file name `authorized_keys`. (If you save it using vscode, it will be saved as a text file with a `.txt` extension, which is fine. We will remove the extension when uploading it to VPS later.)
![Save Key](./ch04-img09-puttygen-save-keys.png)
2. Upload the public key to the "vpsadmin" user on the VPS.
1. This step requires the use of the previously prepared `WinSCP`.
2. Go to the [official website](https://winscp.net/eng/index.php) to download and install. It will prompt you to import PuTTY settings, and of course, you can import them with one click!
![One-click Import Session](./ch04-img10-winscp-import-session.png)
3. If there is no prompt for import or you have already installed it in advance, configure it according to the following figure.
![WinSCP login settings](./ch04-img11-winscp-ui.png)
4. The directory on the left side of WinSCP is the folder and files on your local computer. Please locate the folder where the key is stored.
5. The directory on the right side of WinSCP is the folder and files on the VPS server, which are located in the `/home/vpsadmin/` folder by default. To display hidden files, please click on `X hidden` in the lower right corner.
![Local and remote folders](./ch04-img12-winscp-locations.png)
6. Right-click on the right side (in VPS) and create a new folder named `.ssh` (note the period at the beginning).
![Create a folder to place public key in VPS](./ch04-img13-winscp-newfolder-key.png)
7. Upload the [public key] `authorized_keys` to the `.ssh` folder.
![Upload authorized_keys](./ch04-img14-winscp-upload-key.png)
8. When uploading, rename the [public key] from `authorized_keys.txt` to `authorized_keys` (remove the `.txt` extension).
![Ensure there is no file extension](./ch04-img15-winscp-rename-key.png)
9. The complete process demonstration is as follows:
![Complete demonstration of WinSCP operation](./ch04-img16-winscp-full.gif)
3. Enable RSA key authentication for SSH login and disable password authentication login on the VPS side.
1. Basic Linux Commands:
| Number | Command | Description |
| :------: | :-----: | :-----------------------------------------------: |
| `cmd-08` | `sudo` | Run a command with `root` privileges |
| `cmd-09` | `chmod` | Change the permissions of a target file/directory |
2. SSH remote connection to VPS (PuTTY)
3. Change the permission of the `authorized_keys` file to `600` (only the owner can read and write).
```shell
chmod 600 ~/.ssh/authorized_keys
```
This is a command in shell script to change the permissions of the `authorized_keys` file to `600` for the current user's SSH directory (`~/.ssh/`).
4. Modify SSH configuration. We have used this many times, but now that we have changed from the almighty `root` to the ordinary user `vpsadmin`, we do not have the permission to edit SSH configuration directly. At this time, we need to use the `sudo` command:
```shell
sudo nano /etc/ssh/sshd_config
```
(This is a command in the shell/terminal to open the sshd_config file located in the /etc/ssh/ directory with the sudo privilege using the nano text editor.)
5. Find (`ctrl+w`) `PasswordAuthentication` and change it to `no`.
6. Find (`ctrl+w`) `PubkeyAuthentication`, change it to `yes`, then save (`ctrl+o`) and exit (`ctrl+x`).
7. Restart the SSH service. (Note: Don't forget to use `sudo` to gain permission.)
```shell
sudo systemctl restart ssh
```
This is a command in the shell terminal to restart the SSH service with root privileges using the `systemctl` command.
8. The complete process is as follows:
![Enable SSH key verification and disable password verification](./ch04-img17-rsa-login-full.gif)
4. The public key has been set up on the VPS end. Now we need to specify the private key location for PuTTY to use when logging in. (Reminder: Don't forget to save the session.)
![Specify private key location in PuTTY](./ch04-img18-putty-privatekey-location.png)
5. Now, the [Key-based login] has been successfully enabled, [Password authentication] has been successfully disabled, and the default login username and private key have been saved for PuTTY. In the future, when using PuTTY to log in, simply load the `VPS-SERVER` configuration, click `Open`, and you can log in with just one click.
If you have set a password for your private key, you need to enter this password to use the key when logging in, as shown in the following figure:
![Enter Private Key Password](./ch04-img19-putty-privatekey-passphrase.png)
6. Don't forget to set the corresponding key for `WinSCP`, otherwise you won't be able to log in when you want to transfer files later.
![WinSCP Specify Private Key Location](./ch04-img20-winscp-privatekey-location.png)
::: warning
Any software that requires SSH login needs key verification. As there are too many software, it is impossible to show them one by one. Please set it up according to your needs.
:::
## 4.8 Your Progress
Up to this point, your VPS has completed the basic security measures of [port], [username], and [password]. Although it is not completely impregnable, most malicious scripts should no longer be able to harm you.
Now that we finally have a secure system foundation, in the next chapter, we can start step by step to install and configure the infrastructure that Xray needs! (What infrastructure? A web page, a certificate)
> ⬛⬛⬛⬛⬜⬜⬜⬜ 50%

114
docs/en/document/level-0/ch05-webpage.md
View File

@ -1,59 +1,59 @@
# 【第 5 章】网站建设篇
# Chapter 5: Website Building
## 5.1 为什么要做一个网站?
## 5.1 Why should you create a website?
新人也许会迷惑,为什么科学上网还要建一个网站?我不会编程啊,是不是特别麻烦?
Some newcomers may be confused: why do I need to build a website for securing an open digital environment? I don't know how to code! Isn't it very complicated?
先回答第一个问题,建网站的原因有:
First, let's answer the first question. The reasons for building a website are:
1. 申请合法的 TLS 证书(非常重要)
2. 提供合理的回落,防止主动探测攻击,提高安全性
3. 建设一个伪装站(如博客、私人网盘、多媒体网站、游戏网站等),直接访问时有合理的前台,使流量使用看上去更合理。
1. Apply for a legitimate TLS certificate (very important)
2. Provide reasonable fallback to prevent active probing attacks and improve security
3. Set up a camouflage site (such as a blog, private cloud storage, multimedia site, game site, etc.) with a reasonable frontend when directly accessed, making traffic usage look more legitimate.
再回答第二个问题:
Now let's answer the second question:
1. 本文作为演示,仅仅使用了一个最简单的【单文件 html 页面 + Nginx】来搭建以此完成上面的目标所以【非常简单】
2. 这个网站完全可以不仅仅是伪装,而是真的做大做强,这个复杂性就完全取决于你了
3. 对于“伪装”和“网站运营”这个目标,需要的就是各不相同、秀出真我,需要的同学可以自行搜索学习。这个内容已经完全偏离了科学上网,本文就不深入解析了。
1. As a demonstration, this article uses only the simplest "single-file HTML page + Nginx" setup to achieve the above objectives, so it is **very easy**.
2. This website can not only be used for camouflage but also for real development and growth. The complexity depends entirely on you.
3. For the goals of "camouflage" and "website operation", uniqueness and personalization are needed. Students who need this can search and learn by themselves. This content has completely deviated from scientific online access, so this article will not go into depth.
## 5.2 登录 VPS、安装运行 Nginx
## 5.2 Log in to VPS, install and run Nginx
1. 这里用到的,都是之前已经详解过的命令,所以就不重复讲解了。看不懂的同学可以看看前面的章节哦。
1. Here we use commands that have been explained in detail before, so they won't be repeated. If you don't understand, please refer to the previous chapters.
```shell
sudo apt update && sudo apt install nginx
```
2. 完成后Nginx 已经自动运行。此时打开 Windows 上的浏览器并输入 `http://100.200.300.400:80`,若看到下图的界面就说明 Nginx 已经正常在运行了。
2. After completion, Nginx will automatically run. Open the browser on Windows and enter `http://100.200.300.400:80`. If you see the interface shown below, it means Nginx is running normally.
![Nginx默认界面](./ch05-img01-nginx-default-running.png)
![Nginx default interface](./ch05-img01-nginx-default-running.png)
## 5.3 创建一个最简单的网页
## 5.3 Create the simplest web page
1. 小小白白 Linux 基础命令:
| 编号 | 命令名称 | 命令说明 |
|:--:|:--:|:--:|
| `cmd-10` | `mkdir` | 新建文件夹 |
| `cmd-11` | `systemctl reload` | 重新加载某个服务 |
1. Basic Linux commands for beginners:
| No. | Command Name | Command Description |
| :------: | :----------------: | :-----------------------: |
| `cmd-10` | `mkdir` | Create a new folder |
| `cmd-11` | `systemctl reload` | Reload a specific service |
2. 小小白白 Linux 基础配置文件:
| 编号 | 配置文件位置 | 文件说明 |
|:--:|:--:|:--:|
| `conf-02` | `/etc/nginx/nginx.conf` | Nginx 程序设置 |
2. Basic Linux configuration files for beginners:
| No. | Configuration File Location | File Description |
| :-------: | :-------------------------: | :--------------------: |
| `conf-02` | `/etc/nginx/nginx.conf` | Nginx program settings |
3. 创建一个网站专用的文件夹`/home/vpsadmin/www/webpage/`并建立网页文件`index.html`
3. Create a dedicated folder `/home/vpsadmin/www/webpage/` for the website and create the web page file `index.html`
```shell
mkdir -p ~/www/webpage/ && nano ~/www/webpage/index.html
```
::: warning
如果你用的不是 `vpsadmin` 这个用户名,请务必理解这条命令中 `“~”` 符号的意义(这关系到【第 5 步】你要写的内容):
If you are not using the username `vpsadmin`, please be sure to understand the meaning of the "~" symbol in this command (this is related to Step 5 content):
- 如果是 【非 `root` 用户】,`“~”` 就等价于 `/home/用户名`
- 如果是 【 `root` 用户】,`“~”` 就等价于 `/root`
- If it is a **non-root user**, "~" is equivalent to `/home/username`
- If it is a **root user**, "~" is equivalent to `/root`
:::
4. 把下面的内容完整的复制进去,然后保存(`ctrl+o`)退出(`ctrl+x`)
4. Copy the entire content below, save (`ctrl+o`) and exit (`ctrl+x`).
```html
<html lang="">
@ -89,74 +89,74 @@
site.
</p>
<!-- And add a copyright notice.-->
<p>&#169; Wiley Publishing, 2011</p>
<p>© Wiley Publishing, 2011</p>
</body>
</html>
```
5. 修改 `nginx.conf` 并重启 `Nginx` 服务,将`80`端口的 http 访问定位到刚才建立的 `html` 页面上
5. Modify `nginx.conf` and restart the `Nginx` service, directing the http access on port 80 to the newly created `html` page.
1. 修改 `nginx.conf`
1. Modify `nginx.conf`.
```shell
sudo nano /etc/nginx/nginx.conf
```
2. 将下面一段,添加在 `http{}` 内,然后保存(`ctrl+o`)退出(`ctrl+x`)。(记得将域名替换为之前准备好的、包含二级域名的真实域名)
2. Add the following content inside`http{}`, then save (`ctrl+o`) and exit (`ctrl+x`). (Remember to replace the domain name with the real domain name you prepared earlier, including the subdomain)
```
server {
listen 80;
server_name 二级域名.你的域名.com;
server_name subdomain.your_domain.com;
root /home/vpsadmin/www/webpage;
index index.html;
}
```
::: warning 特别注意!
如我在【第 3 步】中的提示所说,请务必确保 `/home/vpsadmin/www/webpage` 改成你的实际文件路径。
::: warning Be extra careful!
As mentioned in Step 3 of section 5.3, make sure to change `/home/vpsadmin/www/webpage` to your actual file path.
:::
3. `nginx` 重新载入配置使其生效
3. Make `nginx` reload the configuration to take effect.
```shell
sudo systemctl reload nginx
```
4. 完整的设置流程如下:
4. The complete setup process is as follows:
![网页设置演示](./ch05-img02-nginx-conf-full.gif)
![Web page settings demonstration](./ch05-img02-nginx-conf-full.gif)
5. 此时如果你访问 `http://二级域名.你的域名.com`,你看到这样的页面则说明成功:
5. Now, if you visit `http://subdomain.your_domain.com`, you should see this page, indicating success:
![http网页成功](./ch05-img03-nginx-http-running.png)
![http web page success](./ch05-img03-nginx-http-running.png)
## 5.4 常见错误的说明
## 5.4 Common error explanations
首先,如果你一路按照文章的说明来操作,并且足够细心,那肯定不会出错。所以,我并不打算修改本文的写法。
First of all, if you follow the instructions in the article step by step and are careful enough, you will definitely not encounter any errors. So, I don't intend to change how this article is written.
那为什么依然有很多同学卡在了这一步,网页怎么也打不开呢?基本上就是两个字:**粗心**。因为这里配置可能出现的问题只有两种,原因也只有两个。
Then why do some students still get stuck at this step, and the web page just won't open? There are basically two words: **carelessness**. Because there are only two possible issues with the configuration here, and there are only two reasons for them.
一、两种问题:
I. Two types of issues:
- `nginx.conf` 里面的 `/home/vpsadmin/www/webpage` 这一条,与你的实际文件路径不符,`nginx` 找不到文件
- 路径正确,但 `nginx` 无权读取
- In `nginx.conf`, the `/home/vpsadmin/www/webpage` does not match the actual file path; `nginx` cannot find the file
- The path is correct, but `nginx` doesn't have permission to access it
二、两个原因:
II. Two reasons:
- 使用了【非 `root` 用户】,但仍然直接拷贝文中的命令不加修改。(这基本就等于抄答案时把同学的名字一起抄过去了)
- 坚持使用【 `root` 用户】
- Use a **non-root user** but still directly copy the commands in the text without modification. (This is basically like copying the name of another student when copying answers)
- Insist on using a **root user**
碰到错误的同学就回过头仔细看一下【5.3】中【第 3 步】和【第 5-2 步】的说明吧。
If you encounter any errors, please carefully review the explanations in Steps 3 and 5-2 of Section 5.3.
::: warning
本文前期已经用了大量篇幅说明了使用【非 `root` 用户】对安全的重要性,全文也是基于此而写。所以,因使用【 `root` 用户】而导致的问题并不在本文的设计范围里。
In the early stages of this article, a lot of space has been devoted to explaining the importance of using a **non-root user** for security, and the entire article is written based on this premise. So, issues caused by using a **root user** are not within the scope of this article.
但我相信,坚持使用【 `root` 用户】的同学应该是有主见、动手能力强、或者有一定 Linux 基础的同学。问题的症结我已经全部说明了,我相信你一定可以自行解决。
:::
## 5.5 你的进度
But I believe that students who persist in using the `root` user should have their own opinions, strong hands-on ability, or have a certain foundation in Linux. I have already explained the crux of the problem, and I believe you can solve it on your own.
至此Xray 的第一个基础设施【网页】已经就位,我们马上就进入第二个基础设施【证书】吧!
## 5.5 Your Progress
So far, Xray's first infrastructure [webpage] has been established. Let's now move on to the second infrastructure [certificate]!
> ⬛⬛⬛⬛⬛⬜⬜⬜ 62.5%

361
docs/en/document/level-0/ch06-certificates.md
View File

@ -1,212 +1,219 @@
# 【第 6 章】证书管理篇
# [Chapter 6] Certificate Management
## 6.1 申请 TLS 证书
## 6.1 Applying for a TLS Certificate
接下来我们要做的,是为我们的域名申请一个真实的 TLS 证书,使网站具备标准 TLS 加密的能力及 HTTPS 访问的能力。这就是 Xray 等现阶段安全代理工具确保流量充分加密最重要的工具。
Next, we need to apply for a real TLS certificate for our domain name, so that the website has the ability to encrypt with standard TLS and the ability to access via HTTPS. This is the most important tool for Xray and other current security proxy tools to ensure fully encrypted traffic.
::: warning
请不要轻易使用自签证书。它并没有让操作简单太多,但增加了无谓的风险(如中间人攻击)。
Please do not use self-signed certificates lightly. It does not make the operation much simpler, but adds unnecessary risks (such as man-in-the-middle attacks).
:::
这里我会使用一个叫做 [`acme.sh`](https://github.com/acmesh-official/acme.sh) 的证书管理工具,它简单、轻量、高效,并可完成证书自动更新。
Here, I will use a certificate management tool called [`acme.sh`](https://github.com/acmesh-official/acme.sh), which is simple, lightweight, efficient, and capable of automatically updating certificates.
另外,我相信,现在你已经逐渐熟悉了 Linux 的基础操作,所以已经多次出现的命令从本章开始不再重复截图、只做简单的描述。如果实在想不起来怎么用的话,就稍微复习一下前面的章节吧。
In addition, I believe that you have gradually become familiar with the basic operations of Linux. Therefore, from this chapter on, commands that have appeared multiple times will no longer have screenshots and will only be briefly described. If you really can't remember how to use them, just review the previous chapters.
## 6.2 安装 `acme.sh`
## 6.2 Install `acme.sh`
1. 小小白白 Linux 基础命令:
| 编号 | 命令名称 | 命令说明 |
|:--:|:--:|:--:|
| `cmd-12` | `wget` | 访问(或下载)某个网页文件 |
| `cmd-13` | `acme.sh` | acme.sh 证书管理相关的命令 |
1. Basic Linux commands for beginners:
| Number | Command | Description |
| :------: | :-------: | :------------------------------------------------: |
| `cmd-12` | `wget` | Retrieve (or download) a webpage file |
| `cmd-13` | `acme.sh` | Commands related to acme.sh certificate management |
2. 运行安装脚本
2. Run the installation script.
```shell
wget -O - https://get.acme.sh | sh
```
```shell
wget -O - https://get.acme.sh | sh
```
3. `acme.sh` 命令生效
3. Make the `acme.sh` command effective.
```shell
. .bashrc
```
```shell
. .bashrc
```
4. 开启 `acme.sh` 的自动升级
(Note: This command is used to source (load) the `.bashrc` file in the shell environment.)
```shell
acme.sh --upgrade --auto-upgrade
```
4. Enable `acme.sh` automatic upgrade.
5. 到这一步的完整流程如下图:
```shell
acme.sh --upgrade --auto-upgrade
```
![acme.sh安装演示](./ch06-img01-acme-install.gif)
5. The complete process up to this point is shown in the following diagram:
## 6.3 测试证书申请
![acme.sh installation demo](./ch06-img01-acme-install.gif)
在正式申请证书之前,我们先用测试命令(`--issue --test`)来验证是否可以成功申请,这样可以避免在本地配置有误时,反复申请证书失败,超过 Let's Encrypt 的频率上限(比如,每小时、每个域名、每个用户失败最多 5 次),导致后面的步骤无法进行。
## 6.3 Testing Certificate Application
1. 测试证书申请的命令如下(本文均以 `ECC` 证书为例,因为时至今日,实在没什么理由不用它):
Before officially applying for the certificate, we use the testing command (`--issue --test`) to verify if the application can be successfully submitted. This can avoid repeated failures in applying for a certificate due to incorrect local configuration, exceeding the frequency limit of Let's Encrypt (such as a maximum of 5 failures per hour, per domain, or per user), which may prevent the subsequent steps from being carried out.
```shell
acme.sh --issue --server letsencrypt --test -d 二级域名.你的域名.com -w /home/vpsadmin/www/webpage --keylength ec-256
```
1. The command to apply for a test certificate is as follows (this article uses ECC certificate as an example, because there is really no reason not to use it nowadays):
::: warning 说明
`ECC`证书的主要优势在于它的 Keysize 更小,意味着同等大小下安全性的提升和加密解密速度的加快。如 ECC-256bit 的强度大约相当于 RSA-3072bit何乐而不为呢当然有人说 ECC 证书握手会明显更快,这我觉得就有些夸张了,因为 RSA 握手也没有太慢,就算有差别应该也是毫秒级,很难直接感知。
```shell
acme.sh --issue --server letsencrypt --test -d subdomain.yourdomain.com -w /home/vpsadmin/www/webpage --keylength ec-256
```
另外,如果有些网站确实需要兼容某些古老设备的,那也还是请按需选择`RSA`证书。
(Note: This is a command in shell script for obtaining SSL certificate from Let's Encrypt CA using ACME protocol. It specifies the test server, the subdomain for which the certificate is requested, the webroot directory of the subdomain, and the key length to use for the certificate.)
::: warning Explanation
The main advantage of the `ECC` certificate is that its `Keysize` is smaller, which means that security is improved and encryption and decryption speed is faster for the same size. Why not choose ECC-256bit, which is approximately equivalent to RSA-3072bit in strength? Of course, some people say that the ECC certificate handshake is significantly faster, which I think is a bit exaggerated, because RSA handshake is not too slow either. Even if there is a difference, it should be in milliseconds and difficult to perceive directly.
In addition, if some websites do need to be compatible with certain old devices, please still choose RSA certificates according to your needs.
2. You should eventually see a prompt similar to this:
```log
[Wed 30 Dec 2022 04:25:12 AM EST] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Create account key ok.
[Wed 30 Dec 2022 04:25:13 AM EST] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Registered
[Wed 30 Dec 2022 04:25:13 AM EST] ACCOUNT_THUMBPRINT='CU6qmPKuRqhyTAIrF4swosR375194z_1ddUlWef8xDc'
[Wed 30 Dec 2022 04:25:13 AM EST] Creating domain key
[Wed 30 Dec 2022 04:25:13 AM EST] The domain key is here: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 04:25:13 AM EST] Single domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 04:25:13 AM EST] Getting domain auth token for each domain
[Wed 30 Dec 2022 04:25:14 AM EST] Getting webroot for domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 04:25:14 AM EST] Verifying: 二级域名.你的域名.com
[Wed 30 Dec 2022 04:25:23 AM EST] Pending
[Wed 30 Dec 2022 04:25:25 AM EST] Success
[Wed 30 Dec 2022 04:25:25 AM EST] Verify finished, start to sign.
[Wed 30 Dec 2022 04:25:25 AM EST] Lets finalize the order.
[Wed 30 Dec 2022 04:25:25 AM EST] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/490205995/7730242871'
[Wed 30 Dec 2022 04:25:25 AM EST] Downloading cert.
[Wed 30 Dec 2022 04:25:25 AM EST] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/xujss5xt8i38waubafz2xujss5xt8i38waubz2'
[Wed 30 Dec 2022 15:21:52 AM EST] Cert success.
--BEGIN CERTIFICAT--
sxlYqPvWreKgD5b8JyOQX0Yg2MLoRUoDyqVkd31PthIiwzdckoh5eD3JU7ysYBtN
cTFK4LGOfjqi8Ks87EVJdK9IaSAu7ZC6h5to0eqpJ5PLhaM3e6yJBbHmYA8w1Smp
wAb3tdoHZ9ttUIm9CrSzvDBt6BBT6GqYdDamMyCYBLooMyDEM4CUFsOzCRrEqqvC
2mTTEmhvpojo5rhdTSJxibozyNWTGwoTj0v9pTUeQcGqLIzqi4DowjBHD5guwRid
SjAFnm6JT2xUQgWFm58A1gv1OhbH1TRPUUmtE1nFEN7YiSjI4xgxqAXT3CLD2EUb
wXlUrO6c75zSsQP4bRMzgOjJUqHtSb6IEqELzt4M7KzL5iCOruCChCo2DZxUwvVX
tOoaAyQJzCbTqE6aUqwiKi3gVyoxvDP9mI5JdRYzsDL6GVud7EHPnYeMl9ubLZAK
0vg84mbMP3f6mYM4KRa1cqiyOIcQPT4AzGFYVv4sm049bZQg7sd0Bz9CaFvE7yDA
1y17XlgCDnsjxl66bqI1vkENN9XT5xeFHONqc18b5fZEKSIvdX7iWPFWp1PyMPpG
0pMCP1EymZNFxIMJLgbWqExwLWfPc5Ib3PjBaIqhXPnw6sT2MQSxXwDupq1UJVhV
7E3hQRVlwI4CXi6WLHJMNvNRyyK87gCrLH1bKYsPeRVaz77poWBq49zwBCts6hPY
IeF4ltGXyANNIOPEi8vy138fRU4LYh81d8FjOtFfJZogMjwhfNvapqxPMsioPlmX
TnZu0n7setrVNUEfTMHWqPpDgk5MPrWLA4LapqaDfEX4pwnQJLMwMi6s94z165c0
iMRSKA1yU5zqv8aNsDfPoY4OkSPWs4MaXgRRSLBsUfZ15DwQXPk76kegHIyxWvwF
tYw9HKR5QCMK66fa0z4aJoFVFLK0IIOGEZOanRFUCnkLUDd3QZ3YU8lEcrj7Uxos
haiRNICyC6UfsCJ94a8vcNyMosPv3xBLMp19WXgiFYqEFQkntkv1FLRI35fjeJmg
0fmD9VG9bkzGPHihJgQLRlCHasGf6XrdfkSsODAyCUHUHJ0RzqF4YEZMcxDxzuQ2
YO7bFwj7S3mUdVPZ6MPasjxdyBjJgEBMch2uy4AhmudXfEBQBye8W6ZI4ztZjLVV
FmP4SIuaNUmMe20TjR8b9NVC96AhxOanWT3mRROsdokpKQGTJvl27EHH8KuAbUOc
G6KtPy4wslNZNXWcBy9n63RcWak12r7kAIFn38tZxmlw2WUKoRSMAH64GcDTjRQd
Am65hBHzvGrj93wEuVNIebvNIsJOlng3HFjpIxVqKGMCIfWIKGDE3YzK3p4LbGZ6
NZFQWYJLNVf2M9CCJfbEImPYgvctrxl39H6KVYPCw1SAdaj9NneUqmREOQkKoEB0
x6PmNirbMscHhQPSC0JQaqUgaQFgba1ALmzRYAnYhNb0twkTxWbY7DBkAarxqMIp
yiLKcBFc5H7dgJCImo7us7aJeftC44uWkPIjw9AKH=
--END CERTIFICAT--
[Wed 30 Dec 2022 15:21:52 AM
3. Note: The certificate applied for here is a test certificate, which cannot be used directly. It is only used to prove that your domain and configuration are correct. If you observe carefully, you will find that the domain that issues the certificate to you is `https://acme-staging-v02.api.letsencrypt.org`, and this `staging` can be understood as a "test server"!
4. If this step goes wrong, you can run the following command to check the detailed application process and specific errors. If you don't understand, you can hide sensitive information and ask in the Xray group.
```shell
acme.sh --issue --server letsencrypt --test -d subdomain.yourdomain.com -w /home/vpsadmin/www/webpage --keylength ec-256 --debug
```
(Note: This command is written in Chinese characters, therefore I have translated it into English. The command is used to issue SSL/TLS certificates using acme.sh client with Let's Encrypt CA in test mode for a subdomain of your domain with the specified webroot path, key length and in debug mode.)
Hmm, that's right. Just added a `--debug` parameter at the end of the command.
5. Once this step is confirmed to be successful, you can apply for the formal certificate. (The test certificate does not need to be deleted, as it will be automatically replaced by the formal certificate.)
## 6.4 Application for Official Certification
1. The command for applying for an official certificate is as follows (i.e., remove the `--test` parameter and add the `--force` parameter at the end):
```shell
acme.sh --set-default-ca --server letsencrypt
```
This is a command in the shell language. It sets the default Certificate Authority (CA) to Let's Encrypt by using the `acme.sh` script.
```shell
acme.sh --issue -d subdomain.yourdomain.com -w /home/vpsadmin/www/webpage --keylength ec-256 --force
```
(Note: This is a command written in shell script that requests a SSL certificate from ACME server using the ACME client "acme.sh". It specifies the subdomain of the domain name, the web root directory of the website, the key length, and forces the re-issuance of the certificate.)
::: warning Explanation
The meaning of the `--force` parameter is to manually (forcefully) update the certificate before the existing certificate expires. Although the certificate we applied for from the "test server" in the previous step cannot be used directly, it has not expired yet, so this parameter is needed.
:::
2. 你最终应该看到类似这样的提示:
2. You should eventually see a prompt that looks similar to the one above.
```log
[Wed 30 Dec 2022 04:25:12 AM EST] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Create account key ok.
[Wed 30 Dec 2022 04:25:13 AM EST] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Registered
[Wed 30 Dec 2022 04:25:13 AM EST] ACCOUNT_THUMBPRINT='CU6qmPKuRqhyTAIrF4swosR375194z_1ddUlWef8xDc'
[Wed 30 Dec 2022 04:25:13 AM EST] Creating domain key
[Wed 30 Dec 2022 04:25:13 AM EST] The domain key is here: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 04:25:13 AM EST] Single domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 04:25:13 AM EST] Getting domain auth token for each domain
[Wed 30 Dec 2022 04:25:14 AM EST] Getting webroot for domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 04:25:14 AM EST] Verifying: 二级域名.你的域名.com
[Wed 30 Dec 2022 04:25:23 AM EST] Pending
[Wed 30 Dec 2022 04:25:25 AM EST] Success
[Wed 30 Dec 2022 04:25:25 AM EST] Verify finished, start to sign.
[Wed 30 Dec 2022 04:25:25 AM EST] Lets finalize the order.
[Wed 30 Dec 2022 04:25:25 AM EST] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/490205995/7730242871'
[Wed 30 Dec 2022 04:25:25 AM EST] Downloading cert.
[Wed 30 Dec 2022 04:25:25 AM EST] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/xujss5xt8i38waubafz2xujss5xt8i38waubz2'
[Wed 30 Dec 2022 15:21:52 AM EST] Cert success.
--BEGIN CERTIFICAT--
sxlYqPvWreKgD5b8JyOQX0Yg2MLoRUoDyqVkd31PthIiwzdckoh5eD3JU7ysYBtN
cTFK4LGOfjqi8Ks87EVJdK9IaSAu7ZC6h5to0eqpJ5PLhaM3e6yJBbHmYA8w1Smp
wAb3tdoHZ9ttUIm9CrSzvDBt6BBT6GqYdDamMyCYBLooMyDEM4CUFsOzCRrEqqvC
2mTTEmhvpojo5rhdTSJxibozyNWTGwoTj0v9pTUeQcGqLIzqi4DowjBHD5guwRid
SjAFnm6JT2xUQgWFm58A1gv1OhbH1TRPUUmtE1nFEN7YiSjI4xgxqAXT3CLD2EUb
wXlUrO6c75zSsQP4bRMzgOjJUqHtSb6IEqELzt4M7KzL5iCOruCChCo2DZxUwvVX
tOoaAyQJzCbTqE6aUqwiKi3gVyoxvDP9mI5JdRYzsDL6GVud7EHPnYeMl9ubLZAK
0vg84mbMP3f6mYM4KRa1cqiyOIcQPT4AzGFYVv4sm049bZQg7sd0Bz9CaFvE7yDA
1y17XlgCDnsjxl66bqI1vkENN9XT5xeFHONqc18b5fZEKSIvdX7iWPFWp1PyMPpG
0pMCP1EymZNFxIMJLgbWqExwLWfPc5Ib3PjBaIqhXPnw6sT2MQSxXwDupq1UJVhV
7E3hQRVlwI4CXi6WLHJMNvNRyyK87gCrLH1bKYsPeRVaz77poWBq49zwBCts6hPY
IeF4ltGXyANNIOPEi8vy138fRU4LYh81d8FjOtFfJZogMjwhfNvapqxPMsioPlmX
TnZu0n7setrVNUEfTMHWqPpDgk5MPrWLA4LapqaDfEX4pwnQJLMwMi6s94z165c0
iMRSKA1yU5zqv8aNsDfPoY4OkSPWs4MaXgRRSLBsUfZ15DwQXPk76kegHIyxWvwF
tYw9HKR5QCMK66fa0z4aJoFVFLK0IIOGEZOanRFUCnkLUDd3QZ3YU8lEcrj7Uxos
haiRNICyC6UfsCJ94a8vcNyMosPv3xBLMp19WXgiFYqEFQkntkv1FLRI35fjeJmg
0fmD9VG9bkzGPHihJgQLRlCHasGf6XrdfkSsODAyCUHUHJ0RzqF4YEZMcxDxzuQ2
YO7bFwj7S3mUdVPZ6MPasjxdyBjJgEBMch2uy4AhmudXfEBQBye8W6ZI4ztZjLVV
FmP4SIuaNUmMe20TjR8b9NVC96AhxOanWT3mRROsdokpKQGTJvl27EHH8KuAbUOc
G6KtPy4wslNZNXWcBy9n63RcWak12r7kAIFn38tZxmlw2WUKoRSMAH64GcDTjRQd
Am65hBHzvGrj93wEuVNIebvNIsJOlng3HFjpIxVqKGMCIfWIKGDE3YzK3p4LbGZ6
NZFQWYJLNVf2M9CCJfbEImPYgvctrxl39H6KVYPCw1SAdaj9NneUqmREOQkKoEB0
x6PmNirbMscHhQPSC0JQaqUgaQFgba1ALmzRYAnYhNb0twkTxWbY7DBkAarxqMIp
yiLKcBFc5H7dgJCImo7us7aJeftC44uWkPIjw9AKH=
--END CERTIFICAT--
[Wed 30 Dec 2022 15:21:52 AM EST] Your cert is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.cer
[Wed 30 Dec 2022 15:21:52 AM EST] Your cert key is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 15:21:52 AM EST] The intermediate CA cert is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/ca.cer
[Wed 30 Dec 2022 15:21:52 AM EST] And the full chain certs is there: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/fullchain.cer
```
```log
vpsadmin@vps-server:~$ acme.sh --issue -d subdomain.yourdomain.com -w /home/vpsadmin/www/webpage --keylength ec-256
[Wed 30 Dec 2022 15:22:51 AM EST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 15:22:51 AM EST] Creating domain key
[Wed 30 Dec 2022 15:22:51 AM EST] The domain key is here: /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/subdomain.yourdomain.com.key
[Wed 30 Dec 2022 15:22:51 AM EST] Single domain='subdomain.yourdomain.com'
[Wed 30 Dec 2022 15:22:51 AM EST] Getting domain auth token for each domain
[Wed 30 Dec 2022 15:22:51 AM EST] Getting webroot for domain='subdomain.yourdomain.com'
[Wed 30 Dec 2022 15:22:51 AM EST] Verifying: subdomain.yourdomain.com
[Wed 30 Dec 2022 15:22:51 AM EST] Pending
[Wed 30 Dec 2022 15:22:51 AM EST] Success
[Wed 30 Dec 2022 15:22:51 AM EST] Verify finished, start to sign.
[Wed 30 Dec 2022 15:22:51 AM EST] Lets finalize the order.
[Wed 30 Dec 2022 15:22:51 AM EST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/490205996/7730242872'
[Wed 30 Dec 2022 15:22:51 AM EST] Downloading cert.
[Wed 30 Dec 2022 15:22:51 AM EST] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/vsxvk0oldnuobe51ayxz4dms62sk2dwmw9zhuw'
[Wed 30 Dec 2022 15:22:51 AM EST] Cert success.
--BEGIN CERTIFICAT--
sxlYqPvWreKgD5b8JyOQX0Yg2MLoRUoDyqVkd31PthIiwzdckoh5eD3JU7ysYBtN
cTFK4LGOfjqi8Ks87EVJdK9IaSAu7ZC6h5to0eqpJ5PLhaM3e6yJBbHmYA8w1Smp
wAb3tdoHZ9ttUIm9CrSzvDBt6BBT6GqYdDamMyCYBLooMyDEM4CUFsOzCRrEqqvC
2mTTEmhvpojo5rhdTSJxibozyNWTGwoTj0v9pTUeQcGqLIzqi4DowjBHD5guwRid
SjAFnm6JT2xUQgWFm58A1gv1OhbH1TRPUUmtE1nFEN7YiSjI4xgxqAXT3CLD2EUb
wXlUrO6c75zSsQP4bRMzgOjJUqHtSb6IEqELzt4M7KzL5iCOruCChCo2DZxUwvVX
tOoaAyQJzCbTqE6aUqwiKi3gVyoxvDP9mI5JdRYzsDL6GVud7EHPnYeMl9ubLZAK
0vg84mbMP3f6mYM4KRa1cqiyOIcQPT4AzGFYVv4sm049bZQg7sd0Bz9CaFvE7yDA
1y17XlgCDnsjxl66bqI1vkENN9XT5xeFHONqc18b5fZEKSIvdX7iWPFWp1PyMPpG
0pMCP1EymZNFxIMJLgbWqExwLWfPc5Ib3PjBaIqhXPnw6sT2MQSxXwDupq1UJVhV
7E3hQRVlwI4CXi6WLHJMNvNRyyK87gCrLH1bKYsPeRVaz77poWBq49zwBCts6hPY
IeF4ltGXyANNIOPEi8vy138fRU4LYh81d8FjOtFfJZogMjwhfNvapqxPMsioPlmX
TnZu0n7setrVNUEfTMHWqPpDgk5MPrWLA4LapqaDfEX4pwnQJLMwMi6s94z165c0
iMRSKA1yU5zqv8aNsDfPoY4OkSPWs4MaXgRRSLBsUfZ15DwQXPk76kegHIyxWvwF
tYw9HKR5QCMK66fa0z4aJoFVFLK0IIOGEZOanRFUCnkLUDd3QZ3YU8lEcrj7Uxos
haiRNICyC6UfsCJ94a8vcNyMosPv3xBLMp19WXgiFYqEFQkntkv1FLRI35fjeJmg
0fmD9VG9bkzGPHihJgQLRlCHasGf6XrdfkSsODAyCUHUHJ0RzqF4YEZMcxDxzuQ2
YO7bFwj7S3mUdVPZ6MPasjxdyBjJgEBMch2uy4AhmudXfEBQBye8W6ZI4ztZjLVV
FmP4SIuaNUmMe20TjR8b9NVC96AhxOanWT3mRROsdokpKQGTJvl27EHH8KuAbUOc
G6KtPy4wslNZNXWcBy9n63RcWak12r7kAIFn38tZxmlw2WUKoRSMAH64GcDTjRQd
Am65hBHzvGrj93wEuVNIebvNIsJOlng3HFjpIxVqKGMCIfWIKGDE3YzK3p4LbGZ6
NZFQWYJLNVf2M9CCJfbEImPYgvctrxl39H6KVYPCw1SAdaj9NneUqmREOQkKoEB0
x6PmNirbMscHhQPSC0JQaqUgaQFgba1ALmzRYAnYhNb0twkTxWbY7DBkAarxqMIp
yiLKcBFc5H7dgJCImo7us7aJeftC44uWkPM=
--END CERTIFICAT--
[Wed 30 Dec 2022 15:22:52 AM EST] Your cert is in /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/subdomain.yourdomain.com.cer
[Wed 30 Dec 2022 15:22:52 AM EST] Your cert key is in /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/subdomain.yourdomain.com.key
[Wed 30 Dec 2022 15:22:52 AM EST] The intermediate CA cert is in /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/ca.cer
[Wed 30 Dec 2022 15:22:52 AM EST] And the full chain certs is there: /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/fullchain.cer
```
3. 注意:这里申请的是测试证书,没办法直接用的,只是用来证明你的域名、配置全都正确。仔细观察,你会发现给你发证书的域名是 `https://acme-staging-v02.api.letsencrypt.org`,这个 `staging` 你就理解成【测试服】吧!
3. If you observe carefully, you will find that the domain name that issues the certificate to you this time is `https://acme-v02.api.letsencrypt.org`, which lacks the word `staging`. Therefore, this is the [Production Environment]!
4. 如果这一步出错的话,你可以运行下面的命令,来查看详细的申请过程和具体的错误。(看不懂就隐藏掉敏感信息后,去 Xray 群里问吧)
## 6.5 Certificate Installation
```shell
acme.sh --issue --server letsencrypt --test -d 二级域名.你的域名.com -w /home/vpsadmin/www/webpage --keylength ec-256 --debug
```
1. After completing the certificate application, it needs to be installed to a specified location and referenced in the configuration file to take effect:
嗯没错,就是在命令的最后加了一个 `--debug` 参数
```shell
vpsadmin@vps-server:~$ acme.sh --installcert -d subdomain.yourdomain.com --cert-file /path/to/install/cert.crt --key-file /path/to/install/cert.key --fullchain-file /path/to/install/fullchain.crt --ecc
[Mon 14 Feb 2022 03:00:25 PM CST] Installing cert to: /etc/xray/cert/cert.crt
[Mon 14 Feb 2022 03:00:25 PM CST] Installing key to: /etc/xray/cert/cert.key
[Mon 14 Feb 2022 03:00:25 PM CST] Installing full chain to: /etc/xray/cert/fullchain.crt
```
5. 这一步确定成功之后,就可以申请正式的证书了。(测试证书不需要删除,它会自动被正式证书覆盖)
(Note: This is a shell command for installing a SSL certificate using acme.sh. The command is specifying the domain, file paths for the certificate, private key, and full chain, as well as indicating that an ECC certificate should be used.)
## 6.4 正式证书申请
## 6.6 Your Progress
1. 申请正式证书的命令如下(即删掉 `--test` 参数,并在最后加入 `--force`参数):
```shell
acme.sh --set-default-ca --server letsencrypt
```
```shell
acme.sh --issue -d 二级域名.你的域名.com -w /home/vpsadmin/www/webpage --keylength ec-256 --force
```
::: warning 说明
`--force` 参数的意思就是,在现有证书到期前,手动(强行)更新证书。上一步我们从“测试服”申请的证书虽然不能直接用,但是它本身是尚未过期的,所以需要用到这个参数。
:::
2. 你最终应该看到跟上面很像的提示:
```log
vpsadmin@vps-server:~$ acme.sh --issue -d 二级域名.你的域名.com -w /home/vpsadmin/www/webpage --keylength ec-256
[Wed 30 Dec 2022 15:22:51 AM EST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 15:22:51 AM EST] Creating domain key
[Wed 30 Dec 2022 15:22:51 AM EST] The domain key is here: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 15:22:51 AM EST] Single domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 15:22:51 AM EST] Getting domain auth token for each domain
[Wed 30 Dec 2022 15:22:51 AM EST] Getting webroot for domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 15:22:51 AM EST] Verifying: 二级域名.你的域名.com
[Wed 30 Dec 2022 15:22:51 AM EST] Pending
[Wed 30 Dec 2022 15:22:51 AM EST] Success
[Wed 30 Dec 2022 15:22:51 AM EST] Verify finished, start to sign.
[Wed 30 Dec 2022 15:22:51 AM EST] Lets finalize the order.
[Wed 30 Dec 2022 15:22:51 AM EST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/490205996/7730242872'
[Wed 30 Dec 2022 15:22:51 AM EST] Downloading cert.
[Wed 30 Dec 2022 15:22:51 AM EST] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/vsxvk0oldnuobe51ayxz4dms62sk2dwmw9zhuw'
[Wed 30 Dec 2022 15:22:51 AM EST] Cert success.
--BEGIN CERTIFICAT--
sxlYqPvWreKgD5b8JyOQX0Yg2MLoRUoDyqVkd31PthIiwzdckoh5eD3JU7ysYBtN
cTFK4LGOfjqi8Ks87EVJdK9IaSAu7ZC6h5to0eqpJ5PLhaM3e6yJBbHmYA8w1Smp
wAb3tdoHZ9ttUIm9CrSzvDBt6BBT6GqYdDamMyCYBLooMyDEM4CUFsOzCRrEqqvC
2mTTEmhvpojo5rhdTSJxibozyNWTGwoTj0v9pTUeQcGqLIzqi4DowjBHD5guwRid
SjAFnm6JT2xUQgWFm58A1gv1OhbH1TRPUUmtE1nFEN7YiSjI4xgxqAXT3CLD2EUb
wXlUrO6c75zSsQP4bRMzgOjJUqHtSb6IEqELzt4M7KzL5iCOruCChCo2DZxUwvVX
tOoaAyQJzCbTqE6aUqwiKi3gVyoxvDP9mI5JdRYzsDL6GVud7EHPnYeMl9ubLZAK
0vg84mbMP3f6mYM4KRa1cqiyOIcQPT4AzGFYVv4sm049bZQg7sd0Bz9CaFvE7yDA
1y17XlgCDnsjxl66bqI1vkENN9XT5xeFHONqc18b5fZEKSIvdX7iWPFWp1PyMPpG
0pMCP1EymZNFxIMJLgbWqExwLWfPc5Ib3PjBaIqhXPnw6sT2MQSxXwDupq1UJVhV
7E3hQRVlwI4CXi6WLHJMNvNRyyK87gCrLH1bKYsPeRVaz77poWBq49zwBCts6hPY
IeF4ltGXyANNIOPEi8vy138fRU4LYh81d8FjOtFfJZogMjwhfNvapqxPMsioPlmX
TnZu0n7setrVNUEfTMHWqPpDgk5MPrWLA4LapqaDfEX4pwnQJLMwMi6s94z165c0
iMRSKA1yU5zqv8aNsDfPoY4OkSPWs4MaXgRRSLBsUfZ15DwQXPk76kegHIyxWvwF
tYw9HKR5QCMK66fa0z4aJoFVFLK0IIOGEZOanRFUCnkLUDd3QZ3YU8lEcrj7Uxos
haiRNICyC6UfsCJ94a8vcNyMosPv3xBLMp19WXgiFYqEFQkntkv1FLRI35fjeJmg
0fmD9VG9bkzGPHihJgQLRlCHasGf6XrdfkSsODAyCUHUHJ0RzqF4YEZMcxDxzuQ2
YO7bFwj7S3mUdVPZ6MPasjxdyBjJgEBMch2uy4AhmudXfEBQBye8W6ZI4ztZjLVV
FmP4SIuaNUmMe20TjR8b9NVC96AhxOanWT3mRROsdokpKQGTJvl27EHH8KuAbUOc
G6KtPy4wslNZNXWcBy9n63RcWak12r7kAIFn38tZxmlw2WUKoRSMAH64GcDTjRQd
Am65hBHzvGrj93wEuVNIebvNIsJOlng3HFjpIxVqKGMCIfWIKGDE3YzK3p4LbGZ6
NZFQWYJLNVf2M9CCJfbEImPYgvctrxl39H6KVYPCw1SAdaj9NneUqmREOQkKoEB0
x6PmNirbMscHhQPSC0JQaqUgaQFgba1ALmzRYAnYhNb0twkTxWbY7DBkAarxqMIp
yiLKcBFc5H7dgJCImo7us7aJeftC44uWkPM=
--END CERTIFICAT--
[Wed 30 Dec 2022 15:22:52 AM EST] Your cert is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.cer
[Wed 30 Dec 2022 15:22:52 AM EST] Your cert key is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 15:22:52 AM EST] The intermediate CA cert is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/ca.cer
[Wed 30 Dec 2022 15:22:52 AM EST] And the full chain certs is there: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/fullchain.cer
```
3. 仔细观察,你会发现这次给你发证书的域名是 `https://acme-v02.api.letsencrypt.org`,少了 `staging`,自然就是【正式服】了!
## 6.5 证书安装
1. 证书申请完成后,需要安装,安装到指定位置,并在配置文件中引用即可:
```shell
vpsadmin@vps-server:~$ acme.sh --installcert -d 二级域名.你的域名.com --cert-file /你要安装到的位置/cert.crt --key-file /你要安装到的位置/cert.key --fullchain-file /你要安装到的位置/fullchain.crt --ecc
[Mon 14 Feb 2022 03:00:25 PM CST] Installing cert to: /etc/xray/cert/cert.crt
[Mon 14 Feb 2022 03:00:25 PM CST] Installing key to: /etc/xray/cert/cert.key
[Mon 14 Feb 2022 03:00:25 PM CST] Installing full chain to: /etc/xray/cert/fullchain.crt
```
## 6.6 你的进度
至此Xray 所需要的两个基础设施终于全部就位!千呼万唤始出来的 Xray 马上就要揭开面纱,我们终于要进入最激动人心章节啦!
At this point, the two basic infrastructures required by Xray are finally in place! Xray, which has been eagerly awaited, is about to be revealed, and we are finally about to enter the most exciting chapter!
> ⬛⬛⬛⬛⬛⬛⬜⬜ 75%

14
docs/en/document/level-1/README.md
View File

@ -1,13 +1,13 @@
# 入门技巧
# Beginner's Tips
**这个章节是入门级的 Xray 使用心得分享,主要分享一些 Xray 常用功能模块的原理说明。**
**This chapter is an introductory level guide on using Xray, mainly sharing the principles of some commonly used functional modules in Xray.**
[回落 (fallbacks) 功能简析](./fallbacks-lv1.md)
[Analysis of Fallbacks Function](./fallbacks-lv1.md)
[路由 (routing) 功能简析(上)](./routing-lv1-part1.md)
[Analysis of Routing Function (Part 1)](./routing-lv1-part1.md)
[路由 (routing) 功能简析(下)](./routing-lv1-part2.md)
[Analysis of Routing Function (Part 2)](./routing-lv1-part2.md)
[Xray 的工作模式简析](./work.md)
[Analysis of Xray's Working Mode](./work.md)
[通过 SNI 回落功能实现伪装与按域名分流](./fallbacks-with-sni.md)
[Fallbacks with SNI for Disguising and Domain-based Routing](./fallbacks-with-sni.md)

157
docs/en/document/level-1/fallbacks-with-sni.md
View File

@ -1,78 +1,80 @@
---
title: SNI 回落
title: SNI fallback
---
# 通过 SNI 回落功能实现伪装与按域名分流
# Implementing camouflage and domain-based routing through SNI fallback function
VLESS 是一种很轻的协议,和 Trojan 一样,不对流量进行复杂的加密和混淆,而是大隐隐于市,通过 TLS 协议加密,混杂在其他 HTTPS 流量中在墙内外穿进穿出。为了更好的伪装以应对主动探测Fallbacks 回落功能随 VLESS 同时出现。这篇教程将演示如何使用 Xray 中 VLESS 入站协议的回落功能配合 Nginx 或 Caddy 在保证伪装完全的前提下实现按域名分流。
VLESS is a lightweight protocol that, like Trojan, does not perform complex encryption and obfuscation on traffic. Instead, it is encrypted through the TLS protocol and mixed in with other HTTPS traffic, making it difficult to detect. In order to better disguise itself and respond to active probing, the fallback function appeared with VLESS at the same time. This tutorial will demonstrate how to use the fallback function of VLESS inbound protocol in Xray, combined with Nginx or Caddy, to achieve domain name-based traffic routing while ensuring complete disguise.
## 应用情景
## Application Scenarios
由于 XTLSXray 需要监听 443 端口,这导致如果之前有网站运行在服务器上,那么此时网站无法运行或需要运行在其他端口上,这显然是不合理的。有以下三种方案可以解决这个问题:
Due to XTLS, Xray needs to listen on port 443, which means that if there is a website running on the server, it cannot run or needs to run on another port, which is obviously unreasonable. There are three solutions to this problem:
- Xray 监听其他常用端口(如 22、3389、8443
- Xray monitors other commonly used ports (such as 22, 3389, 8443).
这个方案是最简单的,但不够完美。
This plan is the simplest, but not perfect enough.
- Nginx 或 HAProxy 监听 443 端口,通过 SNI 分流做 L4 反向代理,实现端口复用
- Nginx or HAProxy listens on port 443, uses SNI for L4 load balancing, and achieves port multiplexing through reverse proxy.
这个方案比较复杂,需要对 Nginx 或 HAProxy 的使用有一定了解,此处不作过多解释。
This plan is relatively complicated and requires some understanding of using Nginx or HAProxy. We will not explain it in too much detail here.
- Xray 监听 443 端口,通过 Fallbacks 功能 SNI 分流将网站流量回落到 Nginx 或 Caddy
- Xray listens on port 443, and uses Fallbacks feature to split website traffic based on SNI and fallbacks it to Nginx or Caddy.
这个方案难度适中,也是此教程接下来想要演示的方案。
This plan has a moderate level of difficulty and is the scheme that this tutorial will demonstrate next.
## SNI 简介
## Introduction to SNI
服务器名称指示(英语:**S**erver **N**ame **I**ndication缩写**SNI**)是 TLS 的一个扩展协议。熟悉反向代理的朋友都知道,如果想要通过域名将流量代理到正确的内容上,需要以下配置:
Server Name Indication (SNI) is an extension protocol of TLS. Friends who are familiar with reverse proxies know that the following configuration is required if you want to proxy traffic to the correct content through a domain name:
```nginx
proxy_set_header Host 主机名;
proxy_set_header Host hostname;
```
这句的作用是将名为 “Host” 的 HTTP Header 设定为某个主机名。为什么要这样做?一般而言,一台服务器对应一个 IP但却运行多个网站访问者通过域名查询到 IP 以访问服务器,那么问题来了,如何确定访问者想要访问的是哪一个网站?这需要“基于名称的虚拟主机”。
(Note: "hostname" should be replaced with the actual hostname.)
当 Web 服务器收到访问请求后,它会查看请求的主机头,使访问者访问正确的网站。然而当 HTTP 协议被 TLS 协议加密后,这种简单的方法就无法实现了。因为 TLS 握手发生在服务器看到任何 HTTP 头之前,因此,服务器不可能使用 HTTP 主机头中的信息来决定呈现哪个证书,更无法决定访问者的访问目标。
This sentence sets the HTTP Header named "Host" to a certain hostname. Why do we need to do this? Generally, one server corresponds to one IP address, but it runs multiple websites. Visitors access the server by querying the IP address via domain name to visit the website. Then the question arises, how to determine which website the visitor wants to access? This requires "name-based virtual hosting".
SNI 的原理也很简单,它通过让客户端发送主机名作为 TLS 协商的一部分来解决此问题。所以在使用 Nginx 对 HTTPS 协议进行反向代理时,需要在配置中加入 `proxy_ssl_server_name on;`,此时 Nginx 会向被代理的服务器发送 SNI 信息,解决了 HTTPS 协议下虚拟主机失效的问题。另外,使用 SNI 时,即使不指定主机头,也可以正确访问网站。
When a Web server receives a request, it looks at the host header to direct the visitor to the correct website. However, this simple method cannot be used when HTTP protocol is encrypted by TLS protocol. This is because the TLS handshake occurs before the server sees any HTTP headers, so the server cannot use the information in the HTTP host header to determine which certificate to present or which destination the visitor wants to access.
## 思路
The principle of SNI is also very simple. It solves the problem by allowing the client to send the hostname as part of the TLS negotiation. Therefore, when using Nginx to reverse proxy the HTTPS protocol, you need to add `proxy_ssl_server_name on;` to the configuration. At this time, Nginx will send SNI information to the proxied server, solving the problem of virtual host failure under the HTTPS protocol. In addition, when using SNI, even if the host header is not specified, the website can be accessed correctly.
![Xray 回落流程](./fallbacks-with-sni-resources/xray-fallbacks.svg)
## Idea
从 443 端口接收到流量后Xray 会把 TLS 解密后首包长度 < 18 namepathalpn dest
![Xray Fallback Process](./fallbacks-with-sni-resources/xray-fallbacks.svg)
## 添加 DNS 记录
After receiving traffic from port 443, Xray will decrypt the TLS and forward the traffic that has a first packet length < 18, invalid protocol version, or failed authentication through matching name, path, and alpn to the address specified by dest.
![DNS 记录](./fallbacks-with-sni-resources/xray-dns-records.webp)
## Adding DNS Records
请按实际情况修改域名和 IP。
![DNS Records](./fallbacks-with-sni-resources/xray-dns-records.webp)
## 申请 TLS 证书
Please modify the domain name and IP according to the actual situation.
由于要对不同前缀的域名进行分流,但一个通配符证书的作用域仅限于两“.”之间(例如:申请 `*.example.com``example.com` 和 `*.*.example.com` 并不能使用该证书),故需申请 [SAN](https://zh.wikipedia.org/wiki/%E4%B8%BB%E9%A2%98%E5%A4%87%E7%94%A8%E5%90%8D%E7%A7%B0) 通配符证书。根据 Let's Encrypt 官网信息[^1],申请通配符证书要求 DNS-01 验证方式,此处演示 NS 记录为 Cloudflare 的域名通过 [acme.sh](https://acme.sh) 申请 Let's Encrypt 的免费 TLS 证书。使用其他域名托管商的申请方法请阅读 [dnsapi · acmesh-official/acme.sh Wiki](https://github.com/acmesh-official/acme.sh/wiki/dnsapi)。
## Applying for TLS Certificate
首先需要到 [Cloudflare 面板](https://dash.cloudflare.com/profile/api-tokens)创建 API Token。参数如下
As it is necessary to route traffic to different domain name prefixes, but a wildcard certificate is only valid between two dots (for example, applying for `*.example.com`, the certificate cannot be used for `example.com` and `*.*.example.com`), it is necessary to apply for a [SAN](https://en.wikipedia.org/wiki/Subject_Alternative_Name) (Subject Alternative Name) wildcard certificate. According to the information on the Let's Encrypt official website, applying for a wildcard certificate requires DNS-01 verification. Here, we demonstrate how to apply for a free TLS certificate from Let's Encrypt using [acme.sh](https://acme.sh) for a domain with NS records hosted on Cloudflare. For the application method using other domain name hosting providers, please refer to [dnsapi · acmesh-official/acme.sh Wiki](https://github.com/acmesh-official/acme.sh/wiki/dnsapi).
![API Token 的权限设置](./fallbacks-with-sni-resources/cf-api-token-permissions-for-acme.webp)
First, you need to go to the [Cloudflare dashboard](https://dash.cloudflare.com/profile/api-tokens) to create an API token. The parameters are as follows:
权限部分至关重要,其他部分任意。
![API Token permission settings](./fallbacks-with-sni-resources/cf-api-token-permissions-for-acme.webp)
创建完毕后,你会得到一串神秘字符,请将其妥善保管到安全且不会丢失的地方,因为它不再会显示。这串字符就是即将用到的 `CF_Token`
The permission part is crucial, while other parts are optional.
::: tip 注意
以下操作需要在 root 用户下进行,使用 sudo 会出现错误。
After creating, you will receive a mysterious string of characters. Please keep it safe in a secure and non-losing place, as it will not be displayed again. This string of characters is the `CF_Token` that will be used soon.
::: tip Note
The following operations need to be performed under the root user. Using sudo will result in errors.
:::
```bash
curl https://get.acme.sh | sh # 安装 acme.sh
export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje" # 设定 API Token 变量
acme.sh --issue -d example.com -d *.example.com --dns dns_cf # 使用 DNS-01 验证方式申请证书
mkdir /etc/ssl/xray # 新建证书存放目录
acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem --key-file /etc/ssl/xray/privkey.key --reloadcmd "chown nobody:nogroup -R /etc/ssl/xray && systemctl restart xray" # 安装证书到指定目录并设定自动续签生效指令
curl https://get.acme.sh | sh # Install acme.sh
export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje" # Set API Token variable
acme.sh --issue -d example.com -d *.example.com --dns dns_cf # Apply for a certificate using DNS-01 validation method
mkdir /etc/ssl/xray # Create a directory to store the certificate
acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem --key-file /etc/ssl/xray/privkey.key --reloadcmd "chown nobody:nogroup -R /etc/ssl/xray && systemctl restart xray" # Install the certificate to the specified directory and set the effective command for automatic renewal
```
## Xray 配置
## Xray Configuration
```json
{
@ -162,35 +164,35 @@ acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem --
}
```
以上配置针对于 Nginx以下是需要注意的一些细节。
The above configuration is for Nginx. Here are some details that need to be noted.
- 有关 Proxy Protocol
- About Proxy Protocol
Proxy Protocol 是 HaProxy 开发的一种旨在解决代理时容易丢失客户端信息问题的协议,常用于链式代理和反向代理。传统的处理方法往往较为复杂且有诸多限制,而 Proxy Protocol 非常简单地在传输数据时附带上原始连接四元组信息的数据包,解决了这个问题。
Proxy Protocol is a protocol developed by HaProxy to solve the problem of easily losing client information during proxying. It is often used for chain proxying and reverse proxying. The traditional approach to handling this problem is often complex and has many limitations, while Proxy Protocol simply attaches the original connection quadruple information packet to the transmitted data, solving this problem in a very simple way.
凡事皆有利弊Proxy Protocol 也是如此。
Everything has its advantages and disadvantages, and the same goes for the Proxy Protocol.
- 有发送必须有接收,反之亦然
- 同一端口不能既兼容带 Proxy Protocol 数据的连接又兼容不带数据的连接Nginx 同端口的不同虚拟主机server本质是上一条[^2][^3]
- If there is sending, there must be receiving, and vice versa.
- The same port cannot be compatible with connections that have Proxy Protocol data and those that don't have data (e.g., different virtual hosts (servers) on the same port in Nginx, which is essentially the previous point). [^2][^3]
在遇到异常时,请考虑配置是否符合上述条件。
Please consider whether the configuration meets the above conditions when encountering exceptions.
此处,我们使用 Proxy Protocol 让被回落到的目标获取到客户端的真实 IP。
Here, we use the Proxy Protocol to allow the fallback target to obtain the real IP address of the client.
另外,当 Xray 的某个入站配置存在 `"acceptProxyProtocol": true`ReadV 将失效。
In addition, when the `"acceptProxyProtocol": true` exists in a certain inbound configuration of Xray, ReadV will be invalidated.
- 有关 HTTP/2
- Regarding HTTP/2
首先,`inbounds.streamSettings.tlsSettings.alpn` 有顺序,应将 `h2` 放前,`http/1.1` 放后,在优先使用 HTTP/2 的同时保证兼容性;反过来会导致 HTTP/2 在协商时变为 HTTP/1.1,成为无效配置。
First, `inbounds.streamSettings.tlsSettings.alpn` has an order. `h2` should be placed before `http/1.1` to prioritize the use of HTTP/2 while ensuring compatibility. Placing them in reverse order will cause HTTP/2 to be negotiated as HTTP/1.1, resulting in an invalid configuration.
在上述配置中,每条回落到 Nginx 的配置都要分成两个。这是因为 h2 是强制 TLS 加密的 HTTP/2 连接,这有益于数据在互联网中传输的安全,但在服务器内部没有必要;而 h2c 是非加密的 HTTP/2 连接适合该环境。然而Nginx 不能在同一端口上同时监听 HTTP/1.1 和 h2c为了解决这个问题需要在回落中指定 `alpn` 项(是 `fallbacks` 而不是 `tlsSettings` 里面的),以尝试匹配 TLS ALPN 协商结果。
In the above configuration, each `fallback` configuration that falls back to Nginx needs to be divided into two. This is because h2 is an HTTP/2 connection that requires TLS encryption, which is beneficial for the security of data transmission over the Internet, but is unnecessary within the server. On the other hand, h2c is a non-encrypted HTTP/2 connection that is suitable for this environment. However, Nginx cannot listen for HTTP/1.1 and h2c on the same port at the same time. To solve this problem, the `alpn` option (in `fallbacks` rather than `tlsSettings`) needs to be specified in the fallback to try to match the TLS ALPN negotiation result.
建议 `alpn` 项只按需用两种填法:[^4]
Suggestion: Use only two types of fillings for the `alpn` item as needed: [^4]
- 省略
- `"h2"`
- Omitted
- `"h2"`
如果使用 Caddy 就大可不必如此繁杂了,因为它**可以**在同一端口上同时监听 HTTP/1.1 和 h2c配置改动如下
If you use Caddy, you don't need to be so complicated, because **it can** listen to HTTP/1.1 and h2c on the same port at the same time. The configuration changes are as follows:
```json
{
@ -214,9 +216,21 @@ acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem --
}
```
## Nginx 配置
(Note: This is a JSON code block. It describes fallback configurations for a service.)
Nginx 将通过官方源进行安装。
## Nginx Configuration
Nginx will be installed through official sources.
This is a set of Bash commands to install Nginx on Ubuntu.
The first command installs the necessary packages for the installation process.
The second command adds the Nginx repository to the list of sources that Ubuntu uses to find software packages.
The third command downloads the Nginx signing key and adds it to the system's keyring, which verifies the authenticity of the package.
The fourth command updates the package list with the newly added Nginx repository.
```bash
sudo apt install curl gnupg2 ca-certificates lsb-release
@ -227,7 +241,7 @@ sudo apt update
sudo apt install nginx
```
删除 `/etc/nginx/conf.d/default.conf` 并创建 `/etc/nginx/conf.d/fallbacks.conf`,内容如下:
Delete `/etc/nginx/conf.d/default.conf` and create `/etc/nginx/conf.d/fallbacks.conf` with the following content:
```nginx
set_real_ip_from 127.0.0.1;
@ -259,24 +273,31 @@ server {
}
```
## Caddy 配置
## Caddy Configuration
安装 Caddy 请参阅 [Install — Caddy Documentation](https://caddyserver.com/docs/install)。
Please refer to [Install — Caddy Documentation](https://caddyserver.com/docs/install) for installing Caddy.
为了使 Caddy 能获取到访问者的真实 IP需要编译带有 Proxy Protocol 模块的 Caddy。建议直接在 Caddy 官网上在线编译。
To enable Caddy to obtain the real IP address of visitors, it is necessary to compile Caddy with the Proxy Protocol module. It is recommended to compile it directly on the Caddy website.
```bash
sudo curl -o /usr/bin/caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fmastercactapus%2Fcaddy2-proxyprotocol&idempotency=79074247675458"
sudo chmod +x /usr/bin/caddy
```
直接替换即可。
This is a bash script that downloads the Caddy web server and sets the necessary permissions to run it on a Linux system.
Just replace it directly.
::: tip
建议先通过官网文档安装 Caddy再替换二进制文件。这样做无需手动设定进程守护。
It is recommended to install Caddy through the official website documentation first, and then replace the binary file. This way, there is no need to manually set the process management.
:::
编辑 `/etc/caddy/Caddyfile`
Edit `/etc/caddy/Caddyfile`:
This is a Caddyfile, which is a configuration file used by the Caddy web server.
In this specific configuration, there are two servers defined: one listening on `127.0.0.1:5001` and another on `127.0.0.1:5002`. Both servers have a `listener_wrapper` defined for `proxy_protocol`, which is a protocol used for passing client connection information through a proxy or load balancer. Additionally, both servers have the `allow_h2c` option enabled, which allows clients to connect using HTTP/2 cleartext (h2c) protocol.
```Caddyfile
{
@ -317,15 +338,15 @@ http://blog.example.com:5002 {
}
```
## 参考
## Reference
1. [服务器名称指示 - 维基百科,自由的百科全书](https://zh.wikipedia.org/wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%90%8D%E7%A7%B0%E6%8C%87%E7%A4%BA)
1. [Server Name Indication - Wikipedia, the free encyclopedia](https://en.wikipedia.org/wiki/Server_Name_Indication)
2. [Home · acmesh-official/acme.sh Wiki](https://github.com/acmesh-official/acme.sh/wiki)
3. [HTTP/2 - 维基百科,自由的百科全书](https://zh.wikipedia.org/wiki/HTTP/2)
3. [HTTP/2 - Wikipedia, the free encyclopedia](https://en.wikipedia.org/wiki/HTTP/2)
## 引用
## Quotation
[^1]: [常见问题 - Let's Encrypt - 免费的 SSL/TLS 证书](https://letsencrypt.org/zh-cn/docs/faq/)
[^1]: [Frequently Asked Questions - Let's Encrypt - Free SSL/TLS Certificates](https://letsencrypt.org/docs/faq/)
[^2]: [Proxy Protocol - HAProxy Technologies](https://www.haproxy.com/blog/haproxy/proxy-protocol/)
[^3]: [proxy protocol 介绍及 nginx 配置 - 简书](https://www.jianshu.com/p/cc8d592582c9)
[^3]: [Introduction to Proxy Protocol and Nginx Configuration - Jianshu](https://www.jianshu.com/p/cc8d592582c9)
[^4]: [v2fly-github-io/vless.md at master · rprx/v2fly-github-io](https://github.com/rprx/v2fly-github-io/blob/master/docs/config/protocols/vless.md)

36
docs/en/document/level-2/README.md
View File

@ -1,35 +1,35 @@
# 进阶文档
# Advanced Documentation
**这个章节包含进阶级的 Xray 使用心得分享, 如果您已经熟悉 Xray, 那么这里的经验可以让您更加发挥 Xray 的威力**
**This chapter contains experience sharing of using Xray at an advanced level. If you are already familiar with Xray, the experience shared here can help you unleash the full power of Xray.**
[透明代理入门](./transparent_proxy/transparent_proxy.md) by <img src="https://avatars2.githubusercontent.com/u/57820613?s=32" width="32" height="32" alt="a"/> [@kirin](https://github.com/kirin10000)
[Beginner's Guide to Transparent Proxies](./transparent_proxy/transparent_proxy.md) by <img src="https://avatars2.githubusercontent.com/u/57820613?s=32" width="32" height="32" alt="a"/> [@kirin](https://github.com/kirin10000)
透明代理的入门篇章。
An Introduction to Transparent Proxies.
[透明代理(TProxy)配置教程 ](./tproxy.md) by <img src="https://avatars2.githubusercontent.com/u/41363844?s=32" width="32" height="32" alt="a"/> [@BioniCosmos](https://github.com/BioniCosmos)
[TProxy Configuration Tutorial](./tproxy.md) by <img src="https://avatars2.githubusercontent.com/u/41363844?s=32" width="32" height="32" alt="a"/> [@BioniCosmos](https://github.com/BioniCosmos)
基于 Xray 的透明代理TProxy配置完整教程。
Complete tutorial on configuring transparent proxy (TProxy) based on Xray.
[TProxy 透明代理ipv4 and ipv6配置教程](./tproxy_ipv4_and_ipv6.md) by <img src="https://avatars.githubusercontent.com/u/110686480?s=32" width="32" height="32" alt="a"/> [@SQLimit](https://github.com/SQLimit)
[TProxy Transparent Proxy (IPv4 and IPv6) Configuration Tutorial](./tproxy_ipv4_and_ipv6.md) by <img src="https://avatars.githubusercontent.com/u/110686480?s=32" width="32" height="32" alt="a"/> [@SQLimit](https://github.com/SQLimit)
基于 Xray 的 TProxy 透明代理ipv4 and ipv6配置教程
Xray-based TProxy Transparent Proxy (IPv4 and IPv6) Configuration Tutorial
[Nginx_TLS 隧道隐藏指纹](./Nginx_TLS_tunnel.md) by <img src="https://avatars.githubusercontent.com/u/110686480?s=32" width="32" height="32" alt="a"/> [@SQLimit](https://github.com/SQLimit)
[Nginx_TLS Tunnel Hidden Fingerprint](./Nginx_TLS_tunnel.md) by <img src="https://avatars.githubusercontent.com/u/110686480?s=32" width="32" height="32" alt="a"/> [@SQLimit](https://github.com/SQLimit)
双端使用 Nginx_TLS 隧道隐藏指纹
Use Nginx_TLS tunnel on both ends to hide the fingerprint.
[[透明代理]通过 gid 规避 Xray 流量](./iptables_gid.md) by <img src="https://avatars2.githubusercontent.com/u/57820613?s=32" width="32" height="32" alt="a"/> [@kirin](https://github.com/kirin10000)
[[Transparent Proxy] Avoiding Xray Traffic Through gid](./iptables_gid.md) by <img src="https://avatars2.githubusercontent.com/u/57820613?s=32" width="32" height="32" alt="a"/> [@kirin](https://github.com/kirin10000)
在 iptables/nftables 实现的透明代理中,一种新的规避 Xray 流量的方式。
A new way of bypassing Xray traffic in transparent proxy implemented by iptables/nftables.
[通过 Xray 将特定的流量指向特定出口,实现全局路由“分流”](./redirect.md) by <img src="https://avatars.githubusercontent.com/u/28607089?s=32" width="32" height="32" alt="a"/> [@Zzz3m](https://github.com/Zzz3m)
[Redirect Specific Traffic to Specific Gateway using Xray to Achieve Global Routing "Load Balancing"](./redirect.md) by <img src="https://avatars.githubusercontent.com/u/28607089?s=32" width="32" height="32" alt="a"/> [@Zzz3m](https://github.com/Zzz3m)
将 Xray 玩出花:基于 fwmark 或 sendThrough 方式实现“分流”。
Play Xray to the fullest: Implement "load balancing" based on fwmark or sendThrough.
[通过 Cloudflare Warp 增强代理安全性](./warp.md) by <img src="https://avatars.githubusercontent.com/u/1588741?s=32" width="32" height="32" alt="a"/> [@yuhan6665](https://github.com/yuhan6665)
[Enhancing Proxy Security with Cloudflare Warp](./warp.md) by <img src="https://avatars.githubusercontent.com/u/1588741?s=32" width="32" height="32" alt="a"/> [@yuhan6665](https://github.com/yuhan6665)
Xray v1.6.5 新增 WireGuard 出站的使用介绍。
Introduction to using WireGuard for outbound traffic added in Xray v1.6.5.
[Xray 流量统计](./traffic_stats.md) by <img src="https://avatars.githubusercontent.com/u/1588741?s=32" width="32" height="32" alt="a"/> [@yuhan6665](https://github.com/yuhan6665)
[Xray Traffic Statistics](./traffic_stats.md) by <img src="https://avatars.githubusercontent.com/u/1588741?s=32" width="32" height="32" alt="a"/> [@yuhan6665](https://github.com/yuhan6665)
适配 Xray 的流量统计和脚本。
Adapt traffic statistics and scripts compatible with Xray.

52
docs/en/document/level-2/warp.md
View File

@ -1,51 +1,49 @@
---
title: 通过 Cloudflare Warp 增强代理安全性
title: Enhancing Proxy Security with Cloudflare Warp
---
# 通过 Cloudflare Warp 增强代理安全性
# Enhancing Proxy Security with Cloudflare Warp
Xray1.6.5+)新加入了 WireGuard 出站,虽然增加的代码和依赖会增大 core 体积,但是我们认为这是一个很有必要的新功能,原因有三:
Xray (1.6.5+) has added outbound WireGuard support. Although the added code and dependencies will increase the core size, we believe that this is a necessary new feature for three reasons:
1. 通过近期的一些讨论和[实验](https://github.com/net4people/bbs/issues/129#issuecomment-1308102504),我们知道代理回国流量是不安全的。一种应对方式是将回国流量路由至黑洞,它的缺点是由于 geosite 和 geoip 更新的不及时或者新手不知道如何在客户端适当分流,结果流量进入黑洞,影响使用体验。
这时我们只需要将回国流量导入 Cloudflare Warp可以在不影响使用体验的情况下达到同样的安全性。
2. 众所周知,大部分机场会记录用户访问域名的日志,某些机场还会审计和阻断一些用户流量。保护用户私密性的一个方法,就是在客户端使用链式代理。
Warp 使用的 WireGuard 轻量级 VPN 协议会在代理层内增加一层加密。对于机场而言,用户所有流量的目标都是 Warp从而最大程度保护自己的隐私。
3. 方便使用,只需要一个 core 即可完成分流Wireguard Tun链式代理的设置。
1. Through recent discussions and [experiments](https://github.com/net4people/bbs/issues/129#issuecomment-1308102504), we know that proxying the traffic back to China is not safe. One way to deal with this is to route the back-to-China traffic to a black hole, but the downside is that due to the delay in geosite and geoip updates or the lack of knowledge on how to properly split the traffic on the client side, the traffic ends up going to the black hole, affecting the user experience. In this case, we only need to import the back-to-China traffic into Cloudflare Warp, which can achieve the same level of security without affecting the user experience.
2. As we all know, most airports will log the domain names visited by users, and some airports will even audit and block some user traffic. One way to protect user privacy is to use chain proxies on the client side. The WireGuard lightweight VPN protocol used by Warp adds an extra layer of encryption within the proxy layer. For airports, the target of all user traffic is Warp, thereby maximizing privacy protection.
3. It is easy to use, and only one core is needed to complete the split, Wireguard Tun, and chain proxy settings.
## 申请 Warp 账户
## Applying for a Warp Account
1. 感谢 Cloudflare 推动自由的互联网,现在你可以免费使用 Warp 服务,连接的时候会根据出口自动选择最近的服务器
2. 使用一台 vps下载 [wgcf](https://github.com/ViRb3/wgcf/releases)
3. 运行 `wgcf register` 生成 `wgcf-account.toml`
4. 运行 `wgcf generate` 生成 `wgcf-profile.conf` 拷贝内容如下:
1. Thank you Cloudflare for promoting a free internet. Now you can use the Warp service for free, and the nearest server will be automatically selected based on the exit.
2. Use a VPS and download [wgcf](https://github.com/ViRb3/wgcf/releases).
3. Run `wgcf register` to generate `wgcf-account.toml`.
4. Run `wgcf generate` to generate `wgcf-profile.conf`. Copy the following content:
```
[Interface]
PrivateKey = 我的私钥
PrivateKey = my private key
Address = 172.16.0.2/32
Address = 2606:4700:110:8949:fed8:2642:a640:c8e1/128
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = Warp公钥
PublicKey = Warp public key
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
```
## 在服务端分流回国流量至 warp
## Diverting inbound traffic to warp on the server side
在现有出站中新增一个 WireGurad 出站
Add a new WireGuard outbound in the existing ones.
```json
{
"protocol": "wireguard",
"settings": {
"secretKey": "我的私钥",
"secretKey": "My private key",
"address": ["172.16.0.2/32", "2606:4700:110:8949:fed8:2642:a640:c8e1/128"],
"peers": [
{
"publicKey": "Warp公钥",
"publicKey": "Warp public key",
"endpoint": "engage.cloudflareclient.com:2408"
}
]
@ -54,9 +52,9 @@ Endpoint = engage.cloudflareclient.com:2408
}
```
路由策略推荐`IPIfNonMatch`
Recommended routing strategy is `IPIfNonMatch`.
在现有路由中新增以下
Add the following to the existing router:
```json
{
@ -75,7 +73,7 @@ Endpoint = engage.cloudflareclient.com:2408
},
```
## 客户端使用 warp 链式代理
## Using Warp Chain Proxy on the Client Side
```json
{
@ -83,10 +81,10 @@ Endpoint = engage.cloudflareclient.com:2408
{
"protocol":"wireguard",
"settings":{
"secretKey":"我的私钥",
"secretKey":"My private key",
"peers":[
{
"publicKey":"Warp公钥",
"publicKey":"Warp public key",
"endpoint":"engage.cloudflareclient.com:2408"
}
]
@ -104,11 +102,11 @@ Endpoint = engage.cloudflareclient.com:2408
"settings":{
"vnext":[
{
"address":"我的IP",
"port":我的端口,
"address":"My IP",
"port":My port,
"users":[
{
"id":"我的UUID",
"id":"My UUID",
"security":"auto"
}
]