diff --git a/docs/en/document/level-0/ch07-xray-server.md b/docs/en/document/level-0/ch07-xray-server.md index a4eea5465..d7b5fe86b 100644 --- a/docs/en/document/level-0/ch07-xray-server.md +++ b/docs/en/document/level-0/ch07-xray-server.md @@ -1,595 +1,572 @@ -# 【第 7 章】Xray 服务器篇 +# [Chapter 7]Xray Server -## 7.1 博观而约取,厚积而薄发 +## 7.1 Study broadly, Act decisively. -本文撰写过程中,大佬开玩笑的吐槽到:你这教程,居然连载了 6 章都还没到 Xray,不知道的还以为你是“手把手教你建网站”教程呢。(我竟无法反驳.jpg!) +During the writing of this article, the boss joked: Your tutorial has been serialized for 6 chapters and has not yet reached Xray. People who don’t know would think that you are a "hand-in-hand teaching you to build a website" tutorial. (I can't refute it.jpg!) -其实这样的结构是我多番思考之后的决定,毕竟只有打好基础,才能在后面事半功倍快速反超。我在群里看到许多新人连`nano`都无法正确使用,也不会用`WinSCP`,远程手写编辑出来的`config.json`自然错误百出,连查错也变得举步维艰。 +In fact, this structure is my decision after much thinking. After all, only by laying a solid foundation can you quickly surpass others with half the effort. I saw many newcomers in the group who can't even use `nano` correctly, nor can they use `WinSCP`. The `config.json` edited by remote handwriting is naturally full of errors, and even error checking becomes difficult. ::: warning -经过了前 6 章的准备,各位已经跟我一起翻越了 Linux 基本操作、VPS 远程管理、网页搭建、域名管理、证书申请等等几座大山。是不是回头看看,觉得其实非常简单呢?现在我们有了如此扎实的准备,接下来安装和配置 Xray -时会有一种【水到渠成】的轻快感觉。 +After the preparation of the first 6 chapters, you have already climbed over several mountains with me, such as basic Linux operations, VPS remote management, web page construction, domain name management, certificate application, etc. Do you think it is actually very simple when you look back? Now that we have such solid preparations, we will have a light feeling of [smooth success] when installing and configuring Xray. ::: -后面要做的事情非常简单: +The things to do next are very simple: -1. 安装 -2. 配置(如安装 TLS 证书、`config.json`) -3. 运行 -4. 优化(如更新内核、开启`bbr`、网站`http`访问自动跳转`https`等) +1. Installation +2. Configuration (such as installing TLS certificates, `config.json`) +3. Run +4. Optimization (such as updating the kernel, enabling `bbr`, automatically redirecting `http` visits to `https`, etc.) -## 7.2 安装 Xray +## 7.2 Install Xray -首先,Xray 的官方载体,就是 [xray-core](https://github.com/XTLS/Xray-core) 开源项目(基于 `MPL 2.0` -开源协议)生成的二进制程序。你把这个二进制放在服务器运行,它就是服务器端;你把它下载到本地电脑运行,它就是客户端。主要区别来源于【配置】。 +First of all, the official carrier of Xray is the binary program generated by the open source project [xray-core](https://github.com/XTLS/Xray-core) (Open sourced with License `MPL 2.0` +). If you put this binary on the server and run it, it is the server side; if you download it to the local computer and run it, it is the client side. The main difference comes from [configuration]. -安装时,直接使用官方安装脚本就很简单直接。它提供了多种安装选项,有兴趣的可以去官方的[安装脚本仓库](https://github.com/XTLS/Xray-install)中看看脚本的说明,**本文使用的是【非 root -用户】安装模式**。 +When installing, it is very simple and direct to use the official installation script directly. It provides a variety of installation options. If you are interested, you can go to the official [installation script repository](https://github.com/XTLS/Xray-install) to see the script instructions. **This article uses the [non-root +user] installation mode**. -写本文时,安装脚本在使用非 root 账户时有一些小 bug,所以我决定正好把这几步分开操作,可以顺便说明一下 Linux 下的删除命令。 +When writing this article, the installation script had some minor bugs when using a non-root account, so I decided to separate these steps and explain the deletion command under Linux. -1. 小小白白 Linux 基础命令: +1. Basic Linux commands for beginners: - | 编号 | 命令名称 | 命令说明 | + | Number | Command name | Command description | | :------: | :------: | :------: | - | `cmd-14` | `rm` | 删除命令 | + | `cmd-14` | `rm` | delete | -2. 将安装脚本下载至本地: +2. Download the installation script: - ```shell - wget https://github.com/XTLS/Xray-install/raw/main/install-release.sh - ``` - -3. 执行安装命令 - - ```shell - sudo bash install-release.sh - ``` - -4. 使用完成之后可以删除该脚本 +```shell +wget https://github.com/XTLS/Xray-install/raw/main/install-release.sh +``` - ```shell - rm ~/install-release.sh - ``` +3. Execute the installation command - ::: warning - 使用 `rm` 命令删除文件的时候,默认其实就是删除现在所在的文件夹下的文件。但是,**我依然写了完整的路径**: `~/install-release.sh`,这是我使用 `rm` 时的一个安全习惯、也是我把安装分成几步之后想强调一下的内容。如果你听过一些“程序员从删库到跑路”之类的段子,大概就知道为什么了。 - ::: +```shell +sudo bash install-release.sh +``` -5. 完整流程演示如下: +4. You can delete the script after use - ![Xray服务器端安装流程演示](./ch07-img01-xray-install.gif) +```shell +rm ~/install-release.sh +``` -## 7.3 给 Xray 配置 TLS 证书 +::: warning +When you use the `rm` command to delete files, the default is to delete the files in the current folder. However, **I still wrote the full path**: `~/install-release.sh`, which is a safety habit I have when using `rm`, and it is also what I want to emphasize after I divide the installation into several steps. If you have heard some jokes like "Programmers go from deleting libraries to running away", you probably know why. +::: -虽然我们前面已经申请好了 TLS -证书,但是按照 [`acme.sh`的官方说明](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E#3-copy%E5%AE%89%E8%A3%85-%E8%AF%81%E4%B9%A6),申请后的证书不建议直接使用。正确的方法是使用 `--install-cert` -命令安装给需要的程序。我们现在就来把证书安装给 `xray-core` 使用。 +5. The complete process is demonstrated as follows: -1. 为了规避非 root 账户的各种潜在的权限困扰,我们在 vpsadmin 账户下建立一个证书文件夹 +![Xray server installation process demonstration](./ch07-img01-xray-install.gif) - ```shell - mkdir ~/xray_cert - ``` +## 7.3 Configure TLS certificate for Xray -2. 使用`acme.sh`的`--install-cert`正确安装(拷贝)证书文件 +Although we have applied for TLS +certificate before, according to the official instructions of [`acme.sh`](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E#3-copy%E5%AE%89%E8%A3%85-%E8%AF%81%E4%B9%A6), it is not recommended to use the applied certificate directly. The correct way is to use the `--install-cert` +command to install it for the required program. Let's install the certificate for `xray-core` now. - ```shell - acme.sh --install-cert -d 二级域名.你的域名.com --ecc \ - --fullchain-file ~/xray_cert/xray.crt \ - --key-file ~/xray_cert/xray.key - ``` +1. In order to avoid various potential permission problems of non-root accounts, we create a certificate folder under the vpsadmin account -3. `xray.key`文件默认对其他用户不可读,所以需要赋予其可读性权限 +```shell +mkdir ~/xray_cert +``` - ```shell - chmod +r ~/xray_cert/xray.key - ``` +2. Use `--install-cert` of `acme.sh` to correctly install (copy) the certificate file -4. 过程比较简单就不放动图了: +```shell +acme.sh --install-cert -d secondary domain name.your domain name.com --ecc \ +--fullchain-file ~/xray_cert/xray.crt \ +--key-file ~/xray_cert/xray.key +``` - ![Xray服务器端安装流程演示](./ch07-img02-xray-cert-install.png) +3. The `xray.key` file is not readable by other users by default, so it needs to be given readability -5. `acme.sh` 会每 60 天检查一次证书并自动更新临期证书。但据我所知是它并不会自动将新证书安装给 `xray-core`,所以我们需要新增一个系统的自动周期任务来完成这一步。 +```shell +chmod +r ~/xray_cert/xray.key +``` - 1. 小小白白 Linux 基础命令: +4. The process is relatively simple, so no animated picture: - | 编号 | 命令名称 | 命令说明 | - | :------: | :----------: | :--------------------: | - | `cmd-15` | `crontab -e` | 编辑当前用户的定时任务 | +![Xray server installation process demonstration](./ch07-img02-xray-cert-install.png) - 2. 建立一个脚本文件(`xray-cert-renew.sh`) +5. `acme.sh` will check the certificate every 60 days and automatically renew the expiring certificate. But as far as I know, it does not automatically install the new certificate to `xray-core`, so we need to add a system automatic periodic task to complete this step. - ```shell - nano ~/xray_cert/xray-cert-renew.sh - ``` + 1. Basic Linux commands for beginners: - 3. 把下面的内容复制进去,记得替换你的真实域名,然后保存退出 + | Number | Command name | Command description | + | :------: | :----------: | :--------------------: | + | `cmd-15` | `crontab -e` | Edit the current user's scheduled task | - ```bash - #!/bin/bash + 2. Create a script file (`xray-cert-renew.sh`) - /home/vpsadmin/.acme.sh/acme.sh --install-cert -d a-name.yourdomain.com --ecc --fullchain-file /home/vpsadmin/xray_cert/xray.crt --key-file /home/vpsadmin/xray_cert/xray.key - echo "Xray Certificates Renewed" + ```shell + nano ~/xray_cert/xray-cert-renew.sh + ``` - chmod +r /home/vpsadmin/xray_cert/xray.key - echo "Read Permission Granted for Private Key" + 3. Copy the following content, remember to replace your real domain name, then save and exit - sudo systemctl restart xray - echo "Xray Restarted" - ``` + ```bash + #!/bin/bash + + /home/vpsadmin/.acme.sh/acme.sh --install-cert -d a-name.yourdomain.com --ecc --fullchain-file /home/vpsadmin/xray_cert/xray.crt --key-file /home/vpsadmin/xray_cert/xray.key + echo "Xray Certificates Renewed" + + chmod +r /home/vpsadmin/xray_cert/xray.key + echo "Read Permission Granted for Private Key" + + sudo systemctl restart xray + echo "Xray Restarted" + ``` - ::: warning - 经大家提醒,`acme.sh` 有一个 `reloadcmd` 命令,可以在证书更新时自动执行特定命令,那么就可以指定自动给 `Xray` 安装证书,但因为 `crontab` 是 Linux - 系统中一个非常有用、非常常用的功能,所以本文保留 `crontab` 的方式来更新 `Xray` 证书。(对 `reloadcmd` 感兴趣的同学可以查看 `acme.sh` - 的[官方文档](https://github.com/acmesh-official/acme.sh)) + ::: warning + As you have reminded, `acme.sh` has a `reloadcmd` command that can automatically execute a specific command when the certificate is updated, so you can specify to automatically install the certificate for `Xray`, but because `crontab` is a very useful and commonly used function in Linux, this article retains the `crontab` method to update the `Xray` certificate. (If you interested in `reloadcmd` can check out the [official documentation](https://github.com/acmesh-official/acme.sh) of `acme.sh`) - 另外,录制动图时,脚本中没有加入重启 `Xray` 的命令,是因为 `Xray` 计划支持【证书热更新】功能,即 `Xray` 会自动识别证书更新并重载证书、无需手动重启。待功能加入后,我将适当修改 `config.json` - 开启此设置,并删除脚本中的重启命令。 - ::: + In addition, when recording animated images, the script did not include a command to restart `Xray` because `Xray` plans to support the [Certificate Hot Update] function, which means that `Xray` will automatically identify certificate updates and reload certificates without manual restart. After the function is added, I will modify `config.json` appropriately + to enable this setting and delete the restart command in the script. + ::: - 4. 给这个文件增加【可执行】权限 + 4. Add [executable] permissions to this file - ``` - chmod +x ~/xray_cert/xray-cert-renew.sh - ``` + ``` + chmod +x ~/xray_cert/xray-cert-renew.sh + ``` - 5. 运行 `crontab -e`,添加一个自动任务【每月自动运行一次`xray-cert-renew.sh`】 (注意不要加`sudo`,因为我们增加的是`vpsadmin` - 账户的自动任务。初次运行时会让你选择编辑器,当然是选择熟悉的`nano`啦!) + 5. Run `crontab -e` and add an automatic task [Automatically run `xray-cert-renew.sh` once a month] (Note that you should not add `sudo`, because we are adding an automatic task for the `vpsadmin` + account. When you run it for the first time, you will be asked to choose an editor. Of course, choose the familiar `nano`!) - ```shell - crontab -e - ``` + ```shell + crontab -e + ``` - 6. 把下面的内容增加在文件最后,保存退出即可。 + 6. Add the following content to the end of the file, save and exit. - ``` - # 1:00am, 1st day each month, run `xray-cert-renew.sh` - 0 1 1 * * bash /home/vpsadmin/xray_cert/xray-cert-renew.sh - ``` + ``` + # 1:00am, 1st day each month, run `xray-cert-renew.sh` + 0 1 1 * * bash /home/vpsadmin/xray_cert/xray-cert-renew.sh + ``` - 7. 完整流程演示如下: + 7. The complete process is demonstrated as follows: - ![每月自动给Xray安装证书](./ch07-img03-crontab-cert-renew.gif) + ![Automatically install certificates for Xray every month](./ch07-img03-crontab-cert-renew.gif) -## 7.4 配置 Xray +## 7.4 Configure Xray -首先,各种配置都可以参考[官方 VLESS 配置示例](https://github.com/XTLS/Xray-examples)。本文会基于官方示例,配置一个最精简的方式:【单 `VLESS` 协议入站 + `80` -端口回落】,满足大多数场景的最大速度及必要安全。 +First, you can refer to the [official VLESS configuration example](https://github.com/XTLS/Xray-examples) for various configurations. This article will configure a simplest method based on the official example: [Single `VLESS` protocol inbound + `80` Port fallback], which meets the maximum speed and necessary security of most scenarios. -1. 生成一个合法的 `UUID` 并保存备用(`UUID`可以简单粗暴的理解为像指纹一样几乎不会重复的 ID) +1. Generate a legal `UUID` and save it for backup (`UUID` can be simply and roughly understood as an ID that is almost never repeated like a fingerprint) ```shell xray uuid ``` -2. 建立日志文件及文件夹备用 +2. Create log files and folders for backup - 1. 小小白白 Linux 基础命令: - | 编号 | 命令名称 | 命令说明 | - |:--:|:--:|:--:| - | `cmd-16` | `touch` | 建立空白文件 | + 1. Basic Linux commands for beginners: + | Number | Command name | Command description | + |:--:|:--:|:--:| + | `cmd-16` | `touch` | Create a blank file | - 2. 在`vpsadmin`的文件夹内建立一个【日志专用文件夹】 + 2. Create a [log dedicated folder] in the `vpsadmin` folder - ```shell - mkdir ~/xray_log - ``` + ```shell + mkdir ~/xray_log + ``` - 3. 生成所需的两个日志文件(访问日志、错误日志) + 3. Generate the two required log files (access log, error log) - ```shell - touch ~/xray_log/access.log && touch ~/xray_log/error.log - ``` + ```shell + touch ~/xray_log/access.log && touch ~/xray_log/error.log + ``` - ::: warning - 这个位置不是`Xray`标准的日志文件位置,放在这里是避免权限问题对新人的操作带来困扰。当你熟悉之后,建议回归默认位置: `/var/log/xray/access.log` - 和 `/var/log/xray/error.log` 。 - ::: + ::: warning + This location is not the standard log file location of `Xray`. It is placed here to avoid permission issues that cause trouble for new users. Once you are familiar with it, it is recommended to return to the default location: `/var/log/xray/access.log` and `/var/log/xray/error.log`. + ::: - 4. 因为 Xray 默认是 nobody 用户使用,所以我们需要让其他用户也有“写”的权限(`*.log` 就是所有文件后缀是`log`的文件,此时`CLI`界面的效率优势就逐渐出现了) - ```shell - chmod a+w ~/xray_log/*.log - ``` + 4. Because Xray is used by the nobody user by default, we need to allow other users to have "write" permissions (`*.log` means all files with the suffix `log`, and the efficiency advantage of the `CLI` interface gradually appears at this time) + ```shell + chmod a+w ~/xray_log/*.log + ``` -3. 使用`nano`创建`Xray`的配置文件 +3. Use `nano` to create the configuration file of `Xray` ```shell sudo nano /usr/local/etc/xray/config.json ``` -4. 将下面的文件全部复制进去,并将之前生成的`UUID`填入第 61 行 `"id": "",` 之中。(填好之后的样子是 `"id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid"` - ),本文的这个配置文件中增加了我的各种啰嗦注解,以方便你理解每一个配置模块的功能是什么。 - - ```json - // REFERENCE: - // https://github.com/XTLS/Xray-examples - // https://xtls.github.io/config/ - // 常用的 config 文件,不论服务器端还是客户端,都有 5 个部分。外加小小白解读: - // ┌─ 1*log 日志设置 - 日志写什么,写哪里(出错时有据可查) - // ├─ 2_dns DNS-设置 - DNS 怎么查(防 DNS 污染、防偷窥、避免国内外站匹配到国外服务器等) - // ├─ 3_routing 分流设置 - 流量怎么分类处理(是否过滤广告、是否国内外分流) - // ├─ 4_inbounds 入站设置 - 什么流量可以流入 Xray - // └─ 5_outbounds 出站设置 - 流出 Xray 的流量往哪里去 - { - // 1\_日志设置 - "log": { - "loglevel": "warning", // 内容从少到多: "none", "error", "warning", "info", "debug" - "access": "/home/vpsadmin/xray_log/access.log", // 访问记录 - "error": "/home/vpsadmin/xray_log/error.log" // 错误记录 - }, - // 2_DNS 设置 - "dns": { - "servers": [ - "https+local://1.1.1.1/dns-query", // 首选 1.1.1.1 的 DoH 查询,牺牲速度但可防止 ISP 偷窥 - "localhost" - ] - }, - // 3*分流设置 - "routing": { - "domainStrategy": "IPIfNonMatch", - "rules": [ - // 3.1 防止服务器本地流转问题:如内网被攻击或滥用、错误的本地回环等 - { - "type": "field", - "ip": [ - "geoip:private" // 分流条件:geoip 文件内,名为"private"的规则(本地) - ], - "outboundTag": "block" // 分流策略:交给出站"block"处理(黑洞屏蔽) - }, - { - // 3.2 防止服务器直连国内 - "type": "field", - "ip": ["geoip:cn"], - "outboundTag": "block" - }, - // 3.3 屏蔽广告 - { - "type": "field", - "domain": [ - "geosite:category-ads-all" // 分流条件:geosite 文件内,名为"category-ads-all"的规则(各种广告域名) - ], - "outboundTag": "block" // 分流策略:交给出站"block"处理(黑洞屏蔽) - } - ] - }, - // 4*入站设置 - // 4.1 这里只写了一个最简单的 vless+xtls 的入站,因为这是 Xray 最强大的模式。如有其他需要,请根据模版自行添加。 - "inbounds": [ - { - "port": 443, - "protocol": "vless", - "settings": { - "clients": [ - { - "id": "", // 填写你的 UUID - "flow": "xtls-rprx-vision", - "level": 0, - "email": "vpsadmin@yourdomain.com" - } - ], - "decryption": "none", - "fallbacks": [ - { - "dest": 80 // 默认回落到防探测的代理 - } - ] - }, - "streamSettings": { - "network": "tcp", - "security": "tls", - "tlsSettings": { - "alpn": "http/1.1", - "certificates": [ - { - "certificateFile": "/home/vpsadmin/xray_cert/xray.crt", - "keyFile": "/home/vpsadmin/xray_cert/xray.key" - } - ] - } - } - } - ], - // 5*出站设置 - "outbounds": [ - // 5.1 第一个出站是默认规则,freedom 就是对外直连(vps 已经是外网,所以直连) - { - "tag": "direct", - "protocol": "freedom" - }, - // 5.2 屏蔽规则,blackhole 协议就是把流量导入到黑洞里(屏蔽) - { - "tag": "block", - "protocol": "blackhole" - } - ] - } - ``` +4. Copy all the files below and fill in the previously generated `UUID` into the 61st line `"id": "",`. (After filling in, it will look like `"id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid"` +) This configuration file in this article adds my various verbose comments to help you understand the function of each configuration module. + +```json +// REFERENCE: +// https://github.com/XTLS/Xray-examples +// https://xtls.github.io/config/ +// Commonly used config files, whether server or client, have 5 parts. Plus Xiao Xiaobai's interpretation: +// ┌─ 1*log Log settings - what to write in the log and where to write (there is evidence when errors occur) +// ├─ 2_dns DNS-settings - how to check DNS (anti-DNS pollution, anti-peeping, avoid matching domestic and foreign sites to foreign servers, etc.) +// ├─ 3_routing Diversion settings - how to classify and process traffic (whether to filter ads, whether to divert traffic domestically and internationally) +// ├─ 4_inbounds Inbound settings - what traffic can flow into Xray +// └─ 5_outbounds Outbound settings - where does the traffic out of Xray go +{ + // 1\_Log settings + "log": { + "loglevel": "warning", // content from less to more: "none", "error", "warning", "info", "debug" + "access": "/home/vpsadmin/xray_log/access.log", // access record + "error": "/home/vpsadmin/xray_log/error.log" // Error log + }, + // 2_DNS settings + "dns": { + "servers": [ + "https+local://1.1.1.1/dns-query", // Prefer 1.1.1.1 DoH query, sacrificing speed but preventing ISP snooping + "localhost" + ] + }, + // 3*Diversion settings + "routing": { + "domainStrategy": "IPIfNonMatch", + "rules": [ + // 3.1 Prevent local server flow problems: such as intranet attacks or abuse, incorrect local loopbacks, etc. + { + "type": "field", + "ip": [ + "geoip:private" // Diversion condition: In the geoip file, the rule named "private" (local) + ], + "outboundTag": "block" // Diversion strategy: Hand over to the outbound "block" for processing (black hole shielding) + }, + { + // 3.2 Prevent the server from connecting directly to China + "type": "field", + "ip": ["geoip:cn"], + "outboundTag": "block" + }, + // 3.3 Block ads + { + "type": "field", + "domain": [ + "geosite:category-ads-all" // Diversion conditions: In the geosite file, the rule named "category-ads-all" (various advertising domain names) + ], + "outboundTag": "block" // Diversion strategy: Hand it over to the outbound "block" for processing (black hole shielding) + } + ] + }, + // 4* Inbound settings + // 4.1 Here is only the simplest vless+xtls inbound, because this is the most powerful mode of Xray. If you need other, please add it according to the template. + "inbounds": [{ + "port": 443, + "protocol": "vless", + "settings": { + "clients": [{ + "id": "", // Fill in your UUID + "flow": "xtls-rprx-vision", + "level": 0, + "email": "vpsadmin@yourdomain.com" + }], + "decryption": "none", + "fallbacks": [{ + "dest": 80 // Fall back to anti-detection proxy by default + }] + }, + "streamSettings": { + "network": "tcp", + "security": "tls", + "tlsSettings": { + "alpn": "http/1.1", + "certificates": [{ + "certificateFile": "/home/vpsadmin/xray_cert/xray.crt", + "keyFile": "/home/vpsadmin/xray_cert/xray.key" + }] + } + } + }], + // 5*Outbound settings + "outbounds": [ + // 5.1 The first outbound is the default rule, freedom is a direct connection to the outside (vps is already an external network, so it is a direct connection) + { + "tag": "direct", + "protocol": "freedom" + }, + // 5.2 Blocking rules, blackhole protocol is to import traffic into the black hole (blocking) + { + "tag": "block", + "protocol": "blackhole" + } + ] +} +``` -5) 完整流程演示如下: - ![创建日志文件及`config.json`配置文件](./ch07-img04-xray-log-and-config.gif) +5) The complete process is demonstrated as follows: + ![Create log file and `config.json` configuration file](./ch07-img04-xray-log-and-config.gif) -## 7.5 启动 Xray 服务!!(并查看服务状态) +## 7.5 Start Xray service! ! (and check the service status) -如果你是跟随本文一步步设置过来,其实就已经避开了最常见**日志文件权限不足**、**证书文件权限不足** 这两个大坑。那么现在运行`Xray`自然应该无比顺利。 +If you follow this article step by step, you have actually avoided the two most common pitfalls of **insufficient log file permissions** and **insufficient certificate file permissions**. Now running `Xray` should be very smooth. -1. 输入下面的命令,享受启动`Xray`的历史性时刻吧!!! +1. Enter the following command and enjoy the historic moment of starting `Xray`! ! ! ```shell sudo systemctl start xray ``` -2. 仅仅`start`我们并不能确定是否成功的开启了 Xray 的服务,要确定它的状态,就要用到下面的命令。 +2. Just `start` does not determine whether the Xray service has been successfully started. To determine its status, use the following command. ```shell sudo systemctl status xray ``` -看到那个绿色的、令人愉悦的 `active (running)` 了吗?它就是说 `Xray` 已经在正确的运行了 +Do you see the green, pleasant `active (running)`? It means that `Xray` is running correctly -3. 完整流程演示如下: +3. The complete process is demonstrated as follows: -![启动并查看Xray运行状态](./ch07-img05-xray-start-and-status.gif) +![Start and check the running status of Xray](./ch07-img05-xray-start-and-status.gif) -## 7.6 回顾 `systemd` 进行基本的服务管理 +## 7.6 Review `systemd` for basic service management -到现在为止,我们已经使用过了`systemctl`相关的`start`, `status`, `reload` 等命令,这些都是基于`systemd`管理模块对 Linux -系统中各种服务进行管理的通用命令。现在正好熟悉一下相关的其他几个命令。 +So far, we have used `systemctl` related commands such as `start`, `status`, `reload`, etc. These are general commands based on the `systemd` management module to manage various services in the Linux +system. Now it is a good time to get familiar with several other related commands. -1. 若你需要暂时关闭 `Xray` 的服务,那就用`stop`命令 +1. If you need to temporarily shut down the `Xray` service, use the `stop` command ```shell sudo systemctl stop xray ``` -2. 若你需要重启`Xray`的服务,那就用`restart`命令 +2. If you need to restart the `Xray` service, use the `restart` command ```shell sudo systemctl restart xray ``` -3. 若你需要禁用`Xray`的服务(电脑重启后禁止 Xray 自动运行),那就用`disable`命令 +3. If you need to disable the `Xray` service (disable Xray from running automatically after the computer is restarted), use the `disable` command ```shell sudo systemctl disable xray ``` -4. 若你需要启用`Xray`的服务(电脑重启后确保 Xray 自动运行),那就用`enable`命令 +4. If you need to enable the `Xray` service (ensure that Xray runs automatically after the computer is restarted), use the `enable` command ```shell sudo systemctl enable xray ``` -## 7.7 服务器优化之一:开启 BBR +## 7.7 Server Optimization 1: Enable BBR -1. 传说中的`BBR` +1. The legendary `BBR` -我相信,你在搜索各种科学上网技术的时候,肯定不止一次的听过`bbr`这个东西,在各种博客添油加醋之下,让人觉得它神乎其神。更有`bbrplus`, `bbr2`, `魔改bbr` 等一大堆衍生品。仿佛神油一般,用了就能野鸡线路变专线。 +I believe that when you search for various scientific Internet technologies, you must have heard of the thing `bbr` more than once. With the exaggeration of various blogs, people feel that it is magical. There are also a lot of derivatives such as `bbrplus`, `bbr2`, `magic bbr`, etc. It's like a magic, which can turn a poorly routed lines become dedicated connections. -那么,这东西究竟是什么?它有没有用?又该用哪一个版本呢? +So, what is this thing? Is it useful? Which version should I use? -2. 实际的`BBR` +2. The actual `BBR` -**BBR** = **B**ottleneck **B**andwidth and **R**ound-trip propagation time,是一种 TCP 的**拥塞控制算法**。简单粗暴的理解就是**数据流量的交通管理** -:当公路不再塞车的时候,每辆车自然就能保持较快的车速了。 +**BBR** = **B**ottleneck **B**andwidth and **R**ound-trip propagation time, which is a **congestion control algorithm** of TCP. A simple and rough understanding is **traffic management of data traffic** +: When the road is no longer congested, each car can naturally maintain a faster speed. -那么它有没有用呢?一般而言,`有BBR` 和 `没有BBR` 会有可以感知的差别(速度、稳定性、延迟方面都会有一些改善),所以 **【非常建议开启 `BBR`】**。 +So is it useful? Generally speaking, there will be a perceptible difference between `with BBR` and `without BBR` (there will be some improvements in speed, stability, and latency), so **[It is highly recommended to turn on `BBR`]**. -但开启之后,`BBR` 在 `4.x` 和 `5.x` 之间的差异往往比较微妙、见仁见智,造成体验差别的决定性因素仍然是线路质量。所以 **【不必纠结版本、不必盲目追新、跟随你的发行版更新内核即可】** +But after it is enabled, the difference between `BBR` in `4.x` and `5.x` is often subtle and subjective, and the decisive factor that causes the difference in experience is still the line quality. So **[Don't worry about the version, don't blindly chase the new, just follow your distribution to update the kernel]** -3. `bbrplus`, `bbr2`, `魔改bbr` 和其他各种听起来就酷炫的版本是不是更好? +3. Are `bbrplus`, `bbr2`, `magic bbr` and other versions that sound cool better? -一句话:**不是!不要用这些!这些都为了吸引眼球乱起的名字!** +In a word: **No! Don't use these! These names are just to attract attention! ** -`BBR` 的更新和发布,都是跟随 Linux 的内核(`Kernel`)进行的。换言之,只要你用的是比较新的内核,就自然会使用到新版`BBR`。 +The update and release of `BBR` are all carried out in accordance with the Linux kernel (`Kernel`). In other words, as long as you use a relatively new kernel, you will naturally use the new version of `BBR`. -而这些名字看起来很酷炫的东西,说白了就是仍未正式发布的、尚在测试阶段的内核及其对应的`BBR`版本。这些脚本也仅仅就是通过下载预览版的内核(甚至第三方魔改内核)来率先开启而已。 +And these things with cool names are, to put it bluntly, kernels that have not yet been officially released and are still in the testing stage and their corresponding `BBR` versions. These scripts are just the first to enable by downloading the preview version of the kernel (even a third-party magic kernel). -内核的稳定是一台服务器稳定运行的基石。**【BBR 测试版带来的细微性能差异绝对不值得更换不稳定的内核。】** 请选择你所在的 Linux 发行版所支持的最新内核,这样可以最大限度的保持服务器的长期稳定和兼容。 +The stability of the kernel is the cornerstone of the stable operation of a server. **The slight performance difference brought by the BBR beta is definitely not worth changing to an unstable Kernel. 】** Please choose the latest kernel supported by your Linux distribution, so as to maximize the long-term stability and compatibility of the server. ::: warning -所谓魔改`bbr`的【领先】是有非常强的时效性的。比如很多 `bbrplus` 脚本,因为几年来都没有更新,到现在还会把你的内核换成 `4.19`,要知道现在稳定如 Debian 已经是 `5.9` -的时代了,那么这个脚本放在 2018 年 1 月也许领先了一点,到 2018 年 10 月 4.19 正发布时就已经失去了意义,放在现在甚至可以说是完完全全的【降级】和【劣化】 -::: +The so-called "leading" of the magic modification `bbr` is very time-sensitive. For example, many `bbrplus` scripts, because they have not been updated for several years, will still change your kernel to `4.19`. You should know that Debian is now stable and it is already the era of `5.9`. Then this script may be a little ahead in January 2018, but it has lost its meaning when 4.19 is released in October 2018. It can even be said to be completely [downgraded] and [degraded] now. -4. `fq`, `fq_codel`, `fq_pie`, `cake`和其他算法哪个好? +4. Which of `fq`, `fq_codel`, `fq_pie`, `cake` and other algorithms is better? -一句话:**看不懂的话,请保持`fq`,足够、且不会劣化你的线路** +In one sentence: **If you don't understand, please keep `fq`, which is enough and will not degrade your line** -5. 锐速、Finalspeed、LotServer 和其他“加速工具” +5. Ruisu, Finalspeed, LotServer and other "acceleration tools" -一句话:**不要用这些!把他们丢进历史的垃圾桶吧!** +In one sentence: **Don't use these! Throw them into the trash can of history! ** -它能解决的也只有丢包率的问题。不太准确的比喻,就是本来你用一辆车送你的货,有时候车半路就坏了(丢包),用了这些以后,你直接派出 3 -份一样的货,让三辆车同时送,只要有一辆没坏就能送到。马路上都是你的车,自然就能把别人挤下去。但可想而知,你挤别人的时候,别人也会来挤你,而整个机房的出口道路一共就那么宽,最终势必就变成集体大堵车了。 +It can only solve the problem of packet loss rate. A not very accurate analogy is that you originally used a car to deliver your goods, and sometimes the car broke down halfway (packet loss). After using these, you directly sent out 3 copies of the same goods and let three cars deliver them at the same time. As long as one of them is not broken, it can be delivered. The road is full of your cars, so you can naturally squeeze others out. But it is conceivable that when you squeeze others, others will also squeeze you, and the exit road of the entire computer room is so wide, and it is bound to become a collective traffic jam in the end. -::: warning 说明 -它们的原理不是算法优化、不是提速、大多数是简单粗暴的**多倍发包**。对于【丢包率非常高】的差线路可能有一点作用,但【对丢包率低的好线路没有任何优化作用,反而会成倍的消耗你的流量】,进而造成服务器和你的邻居不必要的压力。 +::: warning description +Their principle is not algorithm optimization, not speed-up, most of them are simple and crude **multiple packet delivery**. It may be useful for bad lines with very high packet loss rates, but it has no optimization effect on good lines with low packet loss rates. Instead, it will consume your traffic exponentially, causing unnecessary pressure on the server and your neighbors. -如果你的线路真的丢包率奇高,真正靠谱的解决方案是【换线路】。 +If your line really has a very high packet loss rate, the only reliable solution is to **change the line**. ::: -6. 啰嗦了这么多,就是因为围绕 `BBR` 忽悠小白的错误概念和坑人脚本实在是太多了。我希望你们现在对 `BBR` 有了相对清晰的理解。接下来,我们就动手安装最新的 Debian 内核并开启`BBR` 吧!(真的很简单) +6. I have said so much because there are too many misconceptions and scam scripts around `BBR` to fool novices. I hope you now have a relatively clear understanding of `BBR`. Next, let's install the latest Debian kernel and enable `BBR`! (It's really simple) -1. 给 Debian 10 添加官方 `backports` 源,获取更新的软件库 + 1. Add the official `backports` source to Debian 10 to get the updated software library -```shell -sudo nano /etc/apt/sources.list -``` + ```shell + sudo nano /etc/apt/sources.list + ``` -::: warning 说明 -本文以 Debian 10 为例,所以使用 `/etc/apt/sources.list` 仍无问题,但如果你并不是根据本文从头开始,或者使用了其他 Linux -发行版,那么建议你建立 `/etc/apt/sources.list.d/` 文件夹,并在这个文件夹内建立自己的配置文件,形如 `/etc/apt/sources.list.d/vpsadmin.list` -,以此保证兼容性,也可避免默认文件在不可预见的情况下被覆盖而导致配置丢失。 -::: + ::: warning description + This article takes Debian 10 as an example, so there is still no problem using `/etc/apt/sources.list`, but if you are not starting from scratch according to this article, or using other Linux + distributions, it is recommended that you create a `/etc/apt/sources.list.d/` folder and create your own configuration file in this folder, such as `/etc/apt/sources.list.d/vpsadmin.list` + , to ensure compatibility and avoid the default file being overwritten in unforeseen circumstances and causing configuration loss. + ::: -2. 然后把下面这一条加在最后,并保存退出。 + 2. Then add the following item at the end, save and exit. -``` -deb http://deb.debian.org/debian buster-backports main -``` + ``` + deb http://deb.debian.org/debian buster-backports main + ``` -3. 刷新软件库并查询 Debian 官方的最新版内核并安装。请务必安装你的 VPS 对应的版本(本文以比较常见的【amd64】为例)。 + 3. Refresh the software library and query the latest version of the official Debian kernel and install it. Please be sure to install the version corresponding to your VPS (this article takes the more common [amd64] as an example). -```shell -sudo apt update && sudo apt -t buster-backports install linux-image-amd64 -``` + ```shell + sudo apt update && sudo apt -t buster-backports install linux-image-amd64 + ``` -::: warning 注意 + ::: warning Note -如果你的 VPS 支持,可以尝试【云服务器专用内核】`linux-image-cloud-amd64`,优点就是精简、资源占用低,缺点嘛是有同学反馈不支持的系统强行安装会导致无法开机(Kernel 无法识别)。 + If your VPS supports it, you can try the [cloud server dedicated kernel] `linux-image-cloud-amd64`. The advantages are simplicity and low resource usage. The disadvantage is that some students have reported that forced installation on an unsupported system will cause the system to fail to boot (the kernel cannot be recognized). -为了避免无法识别的悲剧,请确保: + To avoid the tragedy of being unable to identify, please make sure: -- 尝试前做一个系统快照,或者 -- 你有 `vnc` 可以救场(并且你知道怎么用) + - Take a system snapshot before trying, or + - You have `vnc` to save the day (and you know how to use it) -::: + ::: -4. 修改 `kernel` 参数配置文件 `sysctl.conf` 并指定开启 `BBR` + 4. Modify the `kernel` parameter configuration file `sysctl.conf` and specify to enable `BBR` -```shell -sudo nano /etc/sysctl.conf -``` - -::: warning 说明 -本文以 Debian 10 为例,所以使用 `/etc/sysctl.conf` 仍无问题,但如果你并不是跟着本文从头开始,或者使用了其他 Linux 发行版,那么建议你建立 `/etc/sysctl.d/` -文件夹,并在这个文件夹内建立自己的配置文件,形如 `/etc/sysctl.d/vpsadmin.conf`,以此保证兼容性,因为部分发行版在 `systemd` -207 版本之后便不再从 `/etc/sysctl.conf` 读取参数。使用自定义配置文件也可避免默认文件在不可预见的情况下被覆盖而导致配置丢失。 -::: + ```shell + sudo nano /etc/sysctl.conf + ``` -5. 把下面的内容添加进去 + ::: warning description + This article takes Debian 10 as an example, so it is still no problem to use `/etc/sysctl.conf`, but if you are not following this article from scratch, or use other Linux distributions, it is recommended that you create a `/etc/sysctl.d/` + folder and create your own configuration file in this folder, such as `/etc/sysctl.d/vpsadmin.conf`, to ensure compatibility, because some distributions no longer read parameters from `/etc/sysctl.conf` after `systemd` + 207 ​​version. Using a custom configuration file can also prevent the default file from being overwritten in unexpected circumstances, resulting in configuration loss. + ::: -``` -net.core.default_qdisc=fq -net.ipv4.tcp_congestion_control=bbr -``` + 5. Add the following content -6. 重启 VPS、使内核更新和`BBR`设置都生效 + ``` + net.core.default_qdisc=fq + net.ipv4.tcp_congestion_control=bbr + ``` -```shell -sudo reboot -``` + 6. Restart the VPS to make the kernel update and `BBR` settings take effect -7. 完整流程演示如下: + ```shell + sudo reboot + ``` -::: tip 啰嗦君 -因为我做展示的 VPS 支持云服务器专用内核,所以动图中我用了 `linux-image-cloud-amd64` -。如果你不确定你的 VPS 是否支持,那请务必按照第 3 步的命令,使用常规内核 `linux-image-amd64`。 -::: + 7. The complete process is demonstrated as follows: -![更新Debian内核并开启`BBR`](./ch07-img06-bbr-proper.gif) + ::: tip + Because the VPS I am demonstrating supports the cloud server-specific kernel, I used `linux-image-cloud-amd64` in the animation. -8. 确认`BBR`开启 + If you are not sure whether your VPS supports it, please follow the command in step 3 and use the regular kernel `linux-image-amd64`. + ::: -如果你想确认 `BBR` 是否正确开启,可以使用下面的命令: - -```shell -lsmod | grep bbr -``` - -此时应该返回这样的结果: - -``` -tcp_bbr -``` + ![Update Debian kernel and enable `BBR`](./ch07-img06-bbr-proper.gif) -如果你想确认 `fq` 算法是否正确开启,可以使用下面的命令: + 8. Confirm that `BBR` is enabled -```shell -lsmod | grep fq -``` - -此时应该返回这样的结果: - -``` -sch_fq -``` +If you want to confirm whether `BBR` is enabled correctly, you can use the following command: + ```shell + lsmod | grep bbr + ``` + This should return the following result: + ``` + tcp_bbr + ``` + If you want to confirm whether the `fq` algorithm is enabled correctly, you can use the following command: + ```shell + lsmod | grep fq + ``` + This should return the following result: + ``` + sch_fq + ``` -## 7.8 服务器优化之二:开启 HTTP 自动跳转 HTTPS +## 7.8 Server Optimization 2: Enable HTTP to automatically redirect to HTTPS -1. 之前我们已经搭建了 `80` 端口的 `http` 网页,并以此申请了 TLS 证书。 +1. We have previously built an `http` webpage on port `80` and applied for a TLS certificate. -但如果你尝试过用浏览器访问我们的这个界面,就会发现 `http` 访问并不会像大多数网站一样自动升级为 `https` 访问。换言之,我们现在的设置下,`http(80)` 和 `https(443)` -之间完全是独立的。如果要解决这个问题,就需要做一些修改。 +But if you try to access our interface with a browser, you will find that `http` access will not automatically upgrade to `https` access like most websites. In other words, under our current settings, `http(80)` and `https(443)` are completely independent. If you want to solve this problem, you need to make some changes. -2. 编辑 Nginx 的配置文件 +2. Edit the Nginx configuration file ```shell sudo nano /etc/nginx/nginx.conf ``` -3. 在我们设置过的 80 端口 Server 中加入下面的语句,并保存退出(可同时删除`root`和`index`两行) +3. Add the following statement to the 80 port server we set, save and exit (you can delete the `root` and `index` lines at the same time) ``` return 301 https://$http_host$request_uri; ``` -4. 在与 `80` 端口同级的位置增加一个本地端口监听来提供网页展示。本文以 `8080` 端口做演示。(可以是任意端口) +4. Add a local port listener at the same level as the `80` port to provide web page display. This article uses the `8080` port for demonstration. (Can be any port) ``` server { - listen 127.0.0.1:8080; - root /home/vpsadmin/www/webpage; - index index.html; - add_header Strict-Transport-Security "max-age=63072000" always; +listen 127.0.0.1:8080; +root /home/vpsadmin/www/webpage; +index index.html; +add_header Strict-Transport-Security "max-age=63072000" always; } ``` -5. 重启 Nginx 服务 +5. Restart Nginx service ```shell sudo systemctl restart nginx ``` -6. 修改 Xray 的回落设置,将回落从 `80` 端口改为 `8080` 端口。(找到 `"dest": 80`, 并改成 `"dest": 8080`) +6. Modify the fallback settings of Xray, changing the fallback from `80` port to `8080` port. (Find `"dest": 80`, and change it to `"dest": 8080`) ```shell sudo nano /usr/local/etc/xray/config.json ``` -7. 重启 `Xray` 服务,即完成了设置 +7. Restart the `Xray` service to complete the configuration ```shell sudo systemctl restart xray ``` -8. 完整流程演示如下: +8. The complete process is demonstrated as follows: -![http自动跳转https](./ch07-img07-http-to-https.gif) +![http automatically jumps to https](./ch07-img07-http-to-https.gif) -9. 当你输入 `http://a-name.yourdomain.com`的时候,它应该已经会自动跳转 https 了 +9. When you enter `http://a-name.yourdomain.com`, it should automatically jump to https -![http自动跳转https生效](./ch07-img08-http-to-https-check.png) +![http automatically jumps to https](./ch07-img08-http-to-https-check.png) -## 7.9 服务器优化之三:更丰富的回落 +## 7.9 Server Optimization 3: More Fallbacks -如果你需要更丰富的回落功能,可以参考 [《回落 (fallbacks) 功能简析》](../level-1/fallbacks-lv1/) +If you need more fallback functions, please refer to [《Fallbacks (fallbacks) Functional Analysis》](../level-1/fallbacks-lv1/) -## 7.10 你的进度 +## 7.10 Your progress -恭喜!!到这一步,你已经拥有了可以正常科学上网的服务器、同时也有了可以防止主动探测攻击的伪装网站。接下来,只要给你的客户端装上合适的软件,就可以享受顺畅的网络了! +Congratulations!! At this point, you already have a server that can access the Internet normally and scientifically, and also have a disguised website that can prevent active detection attacks. Next, just install the appropriate software on your client and you can enjoy a smooth network! > ⬛⬛⬛⬛⬛⬛⬛⬜ 87.5% -## 7.11 重要勘误 +## 7.11 Important errata -1. 初版中`Xray`配置文件`config.json`文件夹位置错误。若你已经根据之前的位置进行了操作,`Xray`会无法正确启动。故勘误说明于此,请自查,造成不便十分抱歉! +1. The folder location of the `Xray` configuration file `config.json` in the first version is wrong. If you have already operated according to the previous location, `Xray` will not start correctly. Therefore, the errata is explained here, please check it yourself, and I am very sorry for the inconvenience! -- 正确位置:`/usr/local/etc/xray/config.json` -- 错误位置:`/usr/local/etc/config.json` +- Correct location: `/usr/local/etc/xray/config.json` +- Wrong location: `/usr/local/etc/config.json` -受影响章节: +Affected sections: -- 7.4 配置`Xray` - 3. 使用`nano`创建`Xray`的配置文件 -- 7.8 服务器优化之二 - 6. 修改`Xray`的回落设置 +- 7.4 Configure `Xray` - 3. Use `nano` to create `Xray` configuration file +- 7.8 Server Optimization 2 - 6. Modify `Xray` fallback settings -2. 初版中修改`Nginx`配置文件`nginx.conf`时内容错误(网页文件夹位置错误),若你已经根据之前的位置进行了操作,`Nginx`会无法找到正确的网站。请自查,造成不便十分抱歉! +2. In the first version, the content of the `Nginx` configuration file `nginx.conf` was modified incorrectly (the webpage folder location was incorrect). If you have already performed the operation according to the previous location, `Nginx` will not be able to find the correct website. Please check it yourself. Sorry for the inconvenience! -- 正确文件夹位置:`root /home/vpsadmin/www/webpage;` -- 错误文件夹位置:`root /var/www/website/html` +- Correct folder location: `root /home/vpsadmin/www/webpage;` +- Wrong folder location: `root /var/www/website/html` -受影响章节: +Affected sections: -- 7.8 服务器优化之二 - 4. 在与 `80` 端口同级的位置增加一个本地端口监听来提供网页展示 +- 7.8 Server Optimization 2 - 4. Add a local port listener at the same level as the `80` port to provide web page display \ No newline at end of file