From ad496cb607ef4ea39f4f7e5b2663fc9cecfbaf53 Mon Sep 17 00:00:00 2001
From: chika0801 <88967758+chika0801@users.noreply.github.com>
Date: Tue, 7 Mar 2023 12:57:12 +0800
Subject: [PATCH] =?UTF-8?q?Vision=E9=85=8D=E7=BD=AE=E7=A4=BA=E4=BE=8B?=
=?UTF-8?q?=E6=9B=B4=E6=96=B0=20(#128)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Update config_client.json
* Update config_server.json
* Update config_server.json
* Update config_server.json
* Update config_server.json
* Create nginx.conf
* Create README.md
---
VLESS-TCP-XTLS-Vision/README.md | 16 ++++++
VLESS-TCP-XTLS-Vision/config_client.json | 22 ++++----
VLESS-TCP-XTLS-Vision/config_server.json | 35 +++++++++---
VLESS-TCP-XTLS-Vision/nginx.conf | 69 ++++++++++++++++++++++++
4 files changed, 126 insertions(+), 16 deletions(-)
create mode 100644 VLESS-TCP-XTLS-Vision/README.md
create mode 100644 VLESS-TCP-XTLS-Vision/nginx.conf
diff --git a/VLESS-TCP-XTLS-Vision/README.md b/VLESS-TCP-XTLS-Vision/README.md
new file mode 100644
index 0000000..b682d31
--- /dev/null
+++ b/VLESS-TCP-XTLS-Vision/README.md
@@ -0,0 +1,16 @@
+:+1:**XTLS Vision [简介](https://github.com/XTLS/Xray-core/discussions/1295)**
+
+**使用提醒:**
+
+:exclamation:相对于 XTLS Vision 的使用基数,目前几乎没有收到 **配置正确** 的 Vision 被封端口的报告,**配置正确** 指的是:
+
+1. 服务端使用合理的端口,禁回国流量
+2. 只配置 XTLS Vision,不兼容普通 TLS 代理
+3. 回落到网页,不回落/分流到其它代理协议
+4. 客户端启用 uTLS(fingerprint) [#1](https://github.com/XTLS/Xray-core/issues/1544#issuecomment-1399194727)
+
+首先,如果你特别不想被封,**请先选择一个干净的 IP**,并按照 **配置正确** 去搭建、使用 XTLS Vision。
+
+**但是,即使你这样做了,也无法保证 100% 不被封**。自去年底始,很多人的未知流量秒封 IP,TLS in TLS 流量隔天封端口。XTLS Vision 不是未知流量,且完整处理了 TLS in TLS 特征,目前看来效果显著。**但这并不意味着,用 XTLS Vision 可以 100% 不被封,认识到这一点是非常、非常重要的,不要自己偶然被封就大惊小怪**。
+
+**因为除了协议本身,还有很多角度能封你**。以 IP 为例,你无法保证 IP 真的干净,无法避免被邻居波及,无法避免整个 IP 段被重点拉清单。也有可能某些地区的 GFW 有独特的标准,比如某个 IP 只有寥寥数人访问连却能跑那么多流量,封。**如果你的 XTLS Vision 被封了,但没有出现去年底 TLS 那样的大规模被封报告,我真心建议你换端口、换 IP、换服务商依次试一遍**。 [#2](https://github.com/XTLS/Xray-core/issues/1544#issuecomment-1402118517)
diff --git a/VLESS-TCP-XTLS-Vision/config_client.json b/VLESS-TCP-XTLS-Vision/config_client.json
index c6725d5..783fe04 100644
--- a/VLESS-TCP-XTLS-Vision/config_client.json
+++ b/VLESS-TCP-XTLS-Vision/config_client.json
@@ -25,8 +25,8 @@
},
"inbounds": [
{
- "listen": "127.0.0.1",
- "port": 10808, // v2rayN 本地监听端口
+ "listen": "127.0.0.1", // 填 0.0.0.0 表示允许来自局域网的连接
+ "port": 10808, // v2rayN 本地socks监听端口
"protocol": "socks",
"settings": {
"udp": true
@@ -40,8 +40,8 @@
}
},
{
- "listen": "127.0.0.1",
- "port": 10809, // v2rayN 本地监听端口
+ "listen": "127.0.0.1", // 填 "0.0.0.0" 表示允许来自局域网的连接
+ "port": 10809, // v2rayN 本地http监听端口
"protocol": "http",
"sniffing": {
"enabled": true,
@@ -58,11 +58,11 @@
"settings": {
"vnext": [
{
- "address": "", // VPS的IP
- "port": 16387, // VPS的端口
+ "address": "", // 地址,服务端的域名或IP
+ "port": 443, // 端口,与服务端一致
"users": [
{
- "id": "", // 用户ID
+ "id": "", // 用户ID,与服务端一致
"encryption": "none",
"flow": "xtls-rprx-vision"
}
@@ -74,9 +74,9 @@
"network": "tcp",
"security": "tls",
"tlsSettings": {
- "serverName": "", // 证书中包含的域名
+ "serverName": "", // SNI,如果"address"填的是服务端的域名,可留空,如果"address"填的是服务端的IP,此处填服务端的证书中包含的域名
"allowInsecure": false,
- "fingerprint": "chrome" // 通过 uTLS 库 模拟 Chrome / Firefox / Safari 或随机生成的指纹
+ "fingerprint": "chrome" // 用于配置指定 TLS Client Hello 的指纹,Xray 将通过 uTLS 库 模拟 TLS 指纹,或随机生成
}
},
"tag": "proxy"
@@ -84,6 +84,10 @@
{
"protocol": "freedom",
"tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "tag": "block"
}
]
}
diff --git a/VLESS-TCP-XTLS-Vision/config_server.json b/VLESS-TCP-XTLS-Vision/config_server.json
index 6ef0bcb..d7c3a82 100644
--- a/VLESS-TCP-XTLS-Vision/config_server.json
+++ b/VLESS-TCP-XTLS-Vision/config_server.json
@@ -16,26 +16,40 @@
},
"inbounds": [
{
- "listen": "0.0.0.0",
- "port": 16387, // 端口
+ "listen": "0.0.0.0", // "0.0.0.0" 表示同时监听IPv4和IPv6
+ "port": 443, // 服务端监听的端口
"protocol": "vless",
"settings": {
"clients": [
{
- "id": "", // 用户ID
+ "id": "", // 用户ID,执行 xray uuid 生成,或 1-30 字节的字符串
"flow": "xtls-rprx-vision"
}
],
- "decryption": "none"
+ "decryption": "none",
+ "fallbacks": [
+ {
+ "dest": "8001",
+ "xver": 1
+ },
+ {
+ "alpn": "h2",
+ "dest": "8002",
+ "xver": 1
+ }
+ ]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
+ "rejectUnknownSni": true,
+ "minVersion": "1.2",
"certificates": [
{
- "certificateFile": "/etc/ssl/private/fullchain.cer", // 证书
- "keyFile": "/etc/ssl/private/private.key" //私钥
+ "ocspStapling": 3600,
+ "certificateFile": "/etc/ssl/private/fullchain.cer", // 证书文件,建议用fullchain(全SSL证书链),若只有网站证书,会出现v2rayN能使用,v2rayNG不能使用的情况,通常不区分扩展名
+ "keyFile": "/etc/ssl/private/private.key" // 私钥文件
}
]
}
@@ -58,5 +72,12 @@
"protocol": "blackhole",
"tag": "block"
}
- ]
+ ],
+ "policy": {
+ "levels": {
+ "0": {
+ "handshake": 2, // 连接建立时的握手时间限制,单位为秒,默认值为 4,建议与默认值不同
+ "connIdle": 120 // 连接空闲的时间限制,单位为秒,默认值为 300,建议与默认值不同
+ }
+ }
}
diff --git a/VLESS-TCP-XTLS-Vision/nginx.conf b/VLESS-TCP-XTLS-Vision/nginx.conf
new file mode 100644
index 0000000..4f72071
--- /dev/null
+++ b/VLESS-TCP-XTLS-Vision/nginx.conf
@@ -0,0 +1,69 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '[$time_local] $proxy_protocol_addr "$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log main;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+ }
+
+ map $proxy_protocol_addr $proxy_forwarded_elem {
+ ~^[0-9.]+$ "for=$proxy_protocol_addr";
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
+ default "for=unknown";
+ }
+
+ map $http_forwarded $proxy_add_forwarded {
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+ default "$proxy_forwarded_elem";
+ }
+
+ server {
+ listen 80;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 127.0.0.1:8001 proxy_protocol;
+ listen 127.0.0.1:8002 http2 proxy_protocol;
+ set_real_ip_from 127.0.0.1;
+
+ location / {
+ sub_filter $proxy_host $host;
+ sub_filter_once off;
+
+ proxy_pass https://www.lovelive-anime.jp;
+ proxy_set_header Host $proxy_host;
+
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_ssl_server_name on;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Real-IP $proxy_protocol_addr;
+ proxy_set_header Forwarded $proxy_add_forwarded;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ resolver 1.1.1.1;
+ }
+ }
+}