During the writing of this article, the boss joked: Your tutorial has been serialized for 6 chapters and has not yet reached Xray. People who don’t know would think that you are a "hand-in-hand teaching you to build a website" tutorial. (I can't refute it.jpg!)
In fact, this structure is my decision after much thinking. After all, only by laying a solid foundation can you quickly surpass others with half the effort. I saw many newcomers in the group who can't even use `nano` correctly, nor can they use `WinSCP`. The `config.json` edited by remote handwriting is naturally full of errors, and even error checking becomes difficult.
After the preparation of the first 6 chapters, you have already climbed over several mountains with me, such as basic Linux operations, VPS remote management, web page construction, domain name management, certificate application, etc. Do you think it is actually very simple when you look back? Now that we have such solid preparations, we will have a light feeling of [smooth success] when installing and configuring Xray.
First of all, the official carrier of Xray is the binary program generated by the open source project [xray-core](https://github.com/XTLS/Xray-core) (Open sourced with License `MPL 2.0`
). If you put this binary on the server and run it, it is the server side; if you download it to the local computer and run it, it is the client side. The main difference comes from [configuration].
When installing, it is very simple and direct to use the official installation script directly. It provides a variety of installation options. If you are interested, you can go to the official [installation script repository](https://github.com/XTLS/Xray-install) to see the script instructions. **This article uses the [non-root
When writing this article, the installation script had some minor bugs when using a non-root account, so I decided to separate these steps and explain the deletion command under Linux.
When you use the `rm` command to delete files, the default is to delete the files in the current folder. However, **I still wrote the full path**: `~/install-release.sh`, which is a safety habit I have when using `rm`, and it is also what I want to emphasize after I divide the installation into several steps. If you have heard some jokes like "Programmers go from deleting libraries to running away", you probably know why.
certificate before, according to the official instructions of [`acme.sh`](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E#3-copy%E5%AE%89%E8%A3%85-%E8%AF%81%E4%B9%A6), it is not recommended to use the applied certificate directly. The correct way is to use the `--install-cert`
command to install it for the required program. Let's install the certificate for `xray-core` now.
5.`acme.sh` will check the certificate every 60 days and automatically renew the expiring certificate. But as far as I know, it does not automatically install the new certificate to `xray-core`, so we need to add a system automatic periodic task to complete this step.
As you have reminded, `acme.sh` has a `reloadcmd` command that can automatically execute a specific command when the certificate is updated, so you can specify to automatically install the certificate for `Xray`, but because `crontab` is a very useful and commonly used function in Linux, this article retains the `crontab` method to update the `Xray` certificate. (If you interested in `reloadcmd` can check out the [official documentation](https://github.com/acmesh-official/acme.sh) of `acme.sh`)
In addition, when recording animated images, the script did not include a command to restart `Xray` because `Xray` plans to support the [Certificate Hot Update] function, which means that `Xray` will automatically identify certificate updates and reload certificates without manual restart. After the function is added, I will modify `config.json` appropriately
to enable this setting and delete the restart command in the script.
5. Run `crontab -e` and add an automatic task [Automatically run `xray-cert-renew.sh` once a month] (Note that you should not add `sudo`, because we are adding an automatic task for the `vpsadmin`
account. When you run it for the first time, you will be asked to choose an editor. Of course, choose the familiar `nano`!)
First, you can refer to the [official VLESS configuration example](https://github.com/XTLS/Xray-examples) for various configurations. This article will configure a simplest method based on the official example: [Single `VLESS` protocol inbound + `80` Port fallback], which meets the maximum speed and necessary security of most scenarios.
1. Generate a legal `UUID` and save it for backup (`UUID` can be simply and roughly understood as an ID that is almost never repeated like a fingerprint)
This location is not the standard log file location of `Xray`. It is placed here to avoid permission issues that cause trouble for new users. Once you are familiar with it, it is recommended to return to the default location: `/var/log/xray/access.log` and `/var/log/xray/error.log`.
4. Because Xray is used by the nobody user by default, we need to allow other users to have "write" permissions (`*.log` means all files with the suffix `log`, and the efficiency advantage of the `CLI` interface gradually appears at this time)
4. Copy all the files below and fill in the previously generated `UUID` into the 61st line `"id": "",`. (After filling in, it will look like `"id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid"`
) This configuration file in this article adds my various verbose comments to help you understand the function of each configuration module.
```json
// REFERENCE:
// https://github.com/XTLS/Xray-examples
// https://xtls.github.io/config/
// Commonly used config files, whether server or client, have 5 parts. Plus Xiao Xiaobai's interpretation:
// ┌─ 1*log Log settings - what to write in the log and where to write (there is evidence when errors occur)
// ├─ 2_dns DNS-settings - how to check DNS (anti-DNS pollution, anti-peeping, avoid matching domestic and foreign sites to foreign servers, etc.)
// ├─ 3_routing Diversion settings - how to classify and process traffic (whether to filter ads, whether to divert traffic domestically and internationally)
// ├─ 4_inbounds Inbound settings - what traffic can flow into Xray
// └─ 5_outbounds Outbound settings - where does the traffic out of Xray go
{
// 1\_Log settings
"log": {
"loglevel": "warning", // content from less to more: "none", "error", "warning", "info", "debug"
"access": "/home/vpsadmin/xray_log/access.log", // access record
// 3.1 Prevent local server flow problems: such as intranet attacks or abuse, incorrect local loopbacks, etc.
{
"type": "field",
"ip": [
"geoip:private" // Diversion condition: In the geoip file, the rule named "private" (local)
],
"outboundTag": "block" // Diversion strategy: Hand over to the outbound "block" for processing (black hole shielding)
},
{
// 3.2 Prevent the server from connecting directly to China
"type": "field",
"ip": ["geoip:cn"],
"outboundTag": "block"
},
// 3.3 Block ads
{
"type": "field",
"domain": [
"geosite:category-ads-all" // Diversion conditions: In the geosite file, the rule named "category-ads-all" (various advertising domain names)
],
"outboundTag": "block" // Diversion strategy: Hand it over to the outbound "block" for processing (black hole shielding)
}
]
},
// 4* Inbound settings
// 4.1 Here is only the simplest vless+xtls inbound, because this is the most powerful mode of Xray. If you need other, please add it according to the template.
"inbounds": [{
"port": 443,
"protocol": "vless",
"settings": {
"clients": [{
"id": "", // Fill in your UUID
"flow": "xtls-rprx-vision",
"level": 0,
"email": "vpsadmin@yourdomain.com"
}],
"decryption": "none",
"fallbacks": [{
"dest": 80 // Fall back to anti-detection proxy by default
// 5.1 The first outbound is the default rule, freedom is a direct connection to the outside (vps is already an external network, so it is a direct connection)
{
"tag": "direct",
"protocol": "freedom"
},
// 5.2 Blocking rules, blackhole protocol is to import traffic into the black hole (blocking)
If you follow this article step by step, you have actually avoided the two most common pitfalls of **insufficient log file permissions** and **insufficient certificate file permissions**. Now running `Xray` should be very smooth.
So far, we have used `systemctl` related commands such as `start`, `status`, `reload`, etc. These are general commands based on the `systemd` management module to manage various services in the Linux
system. Now it is a good time to get familiar with several other related commands.
I believe that when you search for various scientific Internet technologies, you must have heard of the thing `bbr` more than once. With the exaggeration of various blogs, people feel that it is magical. There are also a lot of derivatives such as `bbrplus`, `bbr2`, `magic bbr`, etc. It's like a magic, which can turn a poorly routed lines become dedicated connections.
**BBR** = **B**ottleneck **B**andwidth and **R**ound-trip propagation time, which is a **congestion control algorithm** of TCP. A simple and rough understanding is **traffic management of data traffic**
: When the road is no longer congested, each car can naturally maintain a faster speed.
So is it useful? Generally speaking, there will be a perceptible difference between `with BBR` and `without BBR` (there will be some improvements in speed, stability, and latency), so **[It is highly recommended to turn on `BBR`]**.
But after it is enabled, the difference between `BBR` in `4.x` and `5.x` is often subtle and subjective, and the decisive factor that causes the difference in experience is still the line quality. So **[Don't worry about the version, don't blindly chase the new, just follow your distribution to update the kernel]**
The update and release of `BBR` are all carried out in accordance with the Linux kernel (`Kernel`). In other words, as long as you use a relatively new kernel, you will naturally use the new version of `BBR`.
And these things with cool names are, to put it bluntly, kernels that have not yet been officially released and are still in the testing stage and their corresponding `BBR` versions. These scripts are just the first to enable by downloading the preview version of the kernel (even a third-party magic kernel).
The stability of the kernel is the cornerstone of the stable operation of a server. **The slight performance difference brought by the BBR beta is definitely not worth changing to an unstable Kernel. 】** Please choose the latest kernel supported by your Linux distribution, so as to maximize the long-term stability and compatibility of the server.
The so-called "leading" of the magic modification `bbr` is very time-sensitive. For example, many `bbrplus` scripts, because they have not been updated for several years, will still change your kernel to `4.19`. You should know that Debian is now stable and it is already the era of `5.9`. Then this script may be a little ahead in January 2018, but it has lost its meaning when 4.19 is released in October 2018. It can even be said to be completely [downgraded] and [degraded] now.
It can only solve the problem of packet loss rate. A not very accurate analogy is that you originally used a car to deliver your goods, and sometimes the car broke down halfway (packet loss). After using these, you directly sent out 3 copies of the same goods and let three cars deliver them at the same time. As long as one of them is not broken, it can be delivered. The road is full of your cars, so you can naturally squeeze others out. But it is conceivable that when you squeeze others, others will also squeeze you, and the exit road of the entire computer room is so wide, and it is bound to become a collective traffic jam in the end.
Their principle is not algorithm optimization, not speed-up, most of them are simple and crude **multiple packet delivery**. It may be useful for bad lines with very high packet loss rates, but it has no optimization effect on good lines with low packet loss rates. Instead, it will consume your traffic exponentially, causing unnecessary pressure on the server and your neighbors.
6. I have said so much because there are too many misconceptions and scam scripts around `BBR` to fool novices. I hope you now have a relatively clear understanding of `BBR`. Next, let's install the latest Debian kernel and enable `BBR`! (It's really simple)
This article takes Debian 10 as an example, so there is still no problem using `/etc/apt/sources.list`, but if you are not starting from scratch according to this article, or using other Linux
distributions, it is recommended that you create a `/etc/apt/sources.list.d/` folder and create your own configuration file in this folder, such as `/etc/apt/sources.list.d/vpsadmin.list`
, to ensure compatibility and avoid the default file being overwritten in unforeseen circumstances and causing configuration loss.
3. Refresh the software library and query the latest version of the official Debian kernel and install it. Please be sure to install the version corresponding to your VPS (this article takes the more common [amd64] as an example).
If your VPS supports it, you can try the [cloud server dedicated kernel] `linux-image-cloud-amd64`. The advantages are simplicity and low resource usage. The disadvantage is that some students have reported that forced installation on an unsupported system will cause the system to fail to boot (the kernel cannot be recognized).
This article takes Debian 10 as an example, so it is still no problem to use `/etc/sysctl.conf`, but if you are not following this article from scratch, or use other Linux distributions, it is recommended that you create a `/etc/sysctl.d/`
folder and create your own configuration file in this folder, such as `/etc/sysctl.d/vpsadmin.conf`, to ensure compatibility, because some distributions no longer read parameters from `/etc/sysctl.conf` after `systemd`
207 version. Using a custom configuration file can also prevent the default file from being overwritten in unexpected circumstances, resulting in configuration loss.
But if you try to access our interface with a browser, you will find that `http` access will not automatically upgrade to `https` access like most websites. In other words, under our current settings, `http(80)` and `https(443)` are completely independent. If you want to solve this problem, you need to make some changes.
4. Add a local port listener at the same level as the `80` port to provide web page display. This article uses the `8080` port for demonstration. (Can be any port)
Congratulations!! At this point, you already have a server that can access the Internet normally and scientifically, and also have a disguised website that can prevent active detection attacks. Next, just install the appropriate software on your client and you can enjoy a smooth network!
1. The folder location of the `Xray` configuration file `config.json` in the first version is wrong. If you have already operated according to the previous location, `Xray` will not start correctly. Therefore, the errata is explained here, please check it yourself, and I am very sorry for the inconvenience!
2. In the first version, the content of the `Nginx` configuration file `nginx.conf` was modified incorrectly (the webpage folder location was incorrect). If you have already performed the operation according to the previous location, `Nginx` will not be able to find the correct website. Please check it yourself. Sorry for the inconvenience!
