Clean up Vmess alterId

yuhan6665 2023-07-03 05:33:21 -04:00
parent ff57067812
commit 1435269831
8 changed files with 14 additions and 150 deletions

View File

@ -6,7 +6,7 @@
VLESS 是一个无状态的轻量传输协议,它分为入站和出站两部分,可以作为 Xray 客户端和服务器之间的桥梁。
与 [VMess](./vmess.md) 不同VLESS 不依赖于系统时间,认证方式同样为 UUID,但不需要 alterId
与 [VMess](./vmess.md) 不同VLESS 不依赖于系统时间,认证方式同样为 UUID。
## InboundConfigurationObject

View File

@ -3,7 +3,7 @@
[VMess](../../development/protocols/vmess.md) 是一个加密传输协议,通常作为 Xray 客户端和服务器之间的桥梁。
::: danger
VMess 依赖于系统时间,请确保使用 Xray 的系统 UTC 时间误差在 90 秒之内,时区无关。在 Linux 系统中可以安装`ntp`服务来自动同步系统时间。
VMess 依赖于系统时间,请确保使用 Xray 的系统 UTC 时间误差在 120 秒之内,时区无关。在 Linux 系统中可以安装`ntp`服务来自动同步系统时间。
:::
## InboundConfigurationObject
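Review bot: The change from 90 to 120 seconds in the `::: danger` block is a behavioural figure, not alterId clean-up, and the commit message ("Clean up Vmess alterId") does not mention it. Please confirm the 120-second tolerance matches the replay window the core actually enforces and say so in the commit message, since this number is what operators use to decide whether their clock drift is acceptable. The same edit is applied to the three sibling pages in this commit, which is good; the figure should stay identical across all four.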
@ -14,18 +14,15 @@ VMess 依赖于系统时间,请确保使用 Xray 的系统 UTC 时间误差在
{
"id": "5783a3e7-e373-51cd-8642-c83782b807c5",
"level": 0,
"alterId": 0,
"email": "love@xray.com"
}
],
"default": {
"level": 0,
"alterId": 0
"level": 0
},
"detour": {
"to": "tag_to_detour"
},
"disableInsecureEncryption": false
}
}
```
@ -45,22 +42,12 @@ VMess 依赖于系统时间,请确保使用 Xray 的系统 UTC 时间误差在
可选clients 的默认配置。仅在配合`detour`时有效。
> `disableInsecureEncryption`: true | false
是否禁止客户端使用不安全的加密方式,如果设置为 true 当客户端指定下列加密方式时,服务器会主动断开连接。
- `"none"`
- `"aes-128-cfb"`
默认值为`false`
### ClientObject
```json
{
"id": "5783a3e7-e373-51cd-8642-c83782b807c5",
"level": 0,
"alterId": 4,
"email": "love@xray.com"
}
```
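Review bot: Deleting the `disableInsecureEncryption` description (the `> \`disableInsecureEncryption\`: true | false` entry with its `"none"` / `"aes-128-cfb"` list and default) leaves the example at the top of this file still showing `"disableInsecureEncryption": false`, because that line is unchanged context in the previous hunk. Either keep a short description of the key or drop it from the example; as it stands readers will see a field the page no longer explains. The `"alterId": 4` removal from `ClientObject` is fine.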
@ -88,18 +75,6 @@ Vmess 的用户 ID可以是任意小于 30 字节的字符串, 也可以是
level 的值, 对应 [policy](../policy.md#policyobject) 中 `level` 的值。 如不指定, 默认为 0。
> `alterId`: number
为了进一步防止被探测,一个用户可以在主 ID 的基础上,再额外生成多个 ID。这里只需要指定额外的 ID 的数量,推荐值为 0 代表启用 VMessAEAD。
最大值 65535。这个值不能超过服务器端所指定的值。
不指定的话,默认值是 0。
::: tip
客户端 AlterID 设置为 0 代表启用 VMessAEAD ;服务端为自动适配,可同时兼容启用和未开启 VMessAEAD 的客户端。
客户端可通过设置环境变量 `Xray_VMESS_AEAD_DISABLED=true` 强行禁用 VMessAEAD
:::
> `email`: string
用户邮箱地址,用于区分不同用户的流量。
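Review bot: Removing the whole `alterId` entry (description, maximum, default and the `::: tip`) gives users whose existing configs still contain `"alterId"` no indication of what happens to that key now. One line stating whether the key is ignored or rejected by the parser would avoid support questions; the deleted "推荐值为 0 代表启用 VMessAEAD" text was the only place this page said which authentication mode is current, so a sentence saying that VMessAEAD is the only mode should replace it.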
@ -120,8 +95,7 @@ level 的值, 对应 [policy](../policy.md#policyobject) 中 `level` 的值。
```json
{
"level": 0,
"alterId": 0
"level": 0
}
```
@ -130,35 +104,3 @@ level 的值, 对应 [policy](../policy.md#policyobject) 中 `level` 的值。
用户等级,连接会使用这个用户等级对应的 [本地策略](../policy.md#levelpolicyobject)。
level 的值, 对应 [policy](../policy.md#policyobject) 中 `level` 的值。 如不指定, 默认为 0。
> `alterId`: number
动态端口的默认`alterId`,默认值为`0`
## VMess MD5 认证信息 玷污机制
为了进一步对抗可能的探测和封锁,每个 VMess 认证数据的服务端结构都会包含一个一次写入的玷污状态标记,初始状态为无瑕状态,当服务器检测到重放探测时或者因为其他原因入站连接出错以致校验数据不正确时,该连接所对应的请求认证数据会被玷污。
被玷污的认证数据无法被用于建立连接,当攻击者或客户端使用被玷污的认证数据建立连接时,服务器会输出包含 `invalid user` `ErrTainted` 的错误信息,并阻止该连接。
当服务器没有受到重放攻击时,该机制对正常连接的客户端没有影响。
如果服务器正在被重放攻击,可能会出现连接不稳定的情况。
::: tip
拥有服务器 UUID 以及其他连接数据的恶意程序可能根据此机制对服务器发起拒绝服务攻击,受到此类攻击的服务可以通过修改 `proxy/vmess/validator.go` 文件中 `func (v \*TimedUserValidator) BurnTaintFuse(userHash []byte) error` 函数的 `atomic.CompareAndSwapUint32(pair.taintedFuse, 0, 1)` 语句为 `atomic.CompareAndSwapUint32(pair.taintedFuse, 0, 0)` 来解除服务器对此类攻击的安全保护机制。使用 VMessAEAD 认证机制的客户端不受到 VMess MD5 认证信息 玷污机制 的影响。
:::
## VMess MD5 认证信息 淘汰机制
VMess MD5 认证信息 的淘汰机制已经启动。
自 2022 年 1 月 1 日起,服务器端默认禁用对于 MD5 认证信息 的兼容。任何使用 MD5 认证信息的客户端将无法连接到禁用 VMess MD5 认证信息的服务器端。
::: tip
在服务器端可以通过设置环境变量 xray.vmess.aead.forced=true 以关闭对于 MD5 认证信息的兼容,或者 xray.vmess.aead.forced=false 以强制开启对于 MD5 认证信息 认证机制的兼容(不受到 2022 年自动禁用机制的影响)。
:::
::: tip
如无兼容旧客户端必要,应在服务端配置移除 `"alterID"` 参数。
:::
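Review bot: This hunk deletes the MD5 tainting section, the elimination-mechanism section and the `xray.vmess.aead.forced=true|false` environment-variable tip, but adds nothing in their place, so the page no longer states anywhere that legacy MD5 authentication is gone and only VMessAEAD remains. The last deleted tip (remove `"alterID"` from the server config if old clients need not be supported) is the one fragment worth keeping as a migration hint. Dropping the advice to edit `proxy/vmess/validator.go` and change `CompareAndSwapUint32(pair.taintedFuse, 0, 1)` to `(…, 0, 0)` is an improvement in itself: user docs should not direct operators to patch core source to disable a protection.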

View File

@ -6,7 +6,7 @@
VLESS 是一个无状态的轻量传输协议,它分为入站和出站两部分,可以作为 Xray 客户端和服务器之间的桥梁。
与 [VMess](./vmess.md) 不同VLESS 不依赖于系统时间,认证方式同样为 UUID,但不需要 alterId
与 [VMess](./vmess.md) 不同VLESS 不依赖于系统时间,认证方式同样为 UUID。
## OutboundConfigurationObject

View File

@ -3,7 +3,7 @@
[VMess](../../development/protocols/vmess.md) 是一个加密传输协议,通常作为 Xray 客户端和服务器之间的桥梁。
::: danger
VMess 依赖于系统时间,请确保使用 Xray 的系统 UTC 时间误差在 90 秒之内,时区无关。在 Linux 系统中可以安装`ntp`服务来自动同步系统时间。
VMess 依赖于系统时间,请确保使用 Xray 的系统 UTC 时间误差在 120 秒之内,时区无关。在 Linux 系统中可以安装`ntp`服务来自动同步系统时间。
:::
## OutboundConfigurationObject
@ -17,7 +17,6 @@ VMess 依赖于系统时间,请确保使用 Xray 的系统 UTC 时间误差在
"users": [
{
"id": "5783a3e7-e373-51cd-8642-c83782b807c5",
"alterId": 0,
"security": "auto",
"level": 0
}
@ -62,7 +61,6 @@ VMess 依赖于系统时间,请确保使用 Xray 的系统 UTC 时间误差在
```json
{
"id": "5783a3e7-e373-51cd-8642-c83782b807c5",
"alterId": 0,
"security": "auto",
"level": 0
}
@ -81,18 +79,6 @@ Vmess 的用户 ID可以是任意小于 30 字节的字符串, 也可以是
你可以使用命令 `xray uuid -i "自定义字符串"` 生成自定义字符串所映射的的 UUID, 也可以使用命令 `xray uuid` 生成随机的 UUID。
> `alterId`number
为了进一步防止被探测,一个用户可以在主 ID 的基础上,再额外生成多个 ID。这里只需要指定额外的 ID 的数量,推荐值为 0 代表启用 VMessAEAD。
最大值 65535。这个值不能超过服务器端所指定的值。
不指定的话,默认值是 0。
::: tip
客户端 AlterID 设置为 0 代表启用 VMessAEAD ;服务端为自动适配,可同时兼容启用和未开启 VMessAEAD 的客户端。
客户端可通过设置环境变量 `Xray_VMESS_AEAD_DISABLED=true` 强行禁用 VMessAEAD
:::
> `level`: number
用户等级,连接会使用这个用户等级对应的 [本地策略](../policy.md#levelpolicyobject)。
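Review bot: The deleted tip documented the client-side `Xray_VMESS_AEAD_DISABLED=true` environment variable. If the core still honours that variable, its description should move rather than vanish, since setting it downgrades the client to the legacy authentication this commit is removing from the docs; if the core no longer reads it, a changelog or migration line saying so would help users who still export it. The same tip is removed from the inbound page in this commit, so whichever is true applies to both.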

View File

@ -6,7 +6,7 @@ Currently, VLESS does not provide built-in encryption. Please use it with a reli
VLESS is a stateless lightweight transport protocol that consists of inbound and outbound parts. It can serve as a bridge between Xray clients and servers.
Unlike [VMess](./vmess.md), VLESS does not rely on system time. The authentication method is still UUID-based, but it does not require alterId.
Unlike [VMess](./vmess.md), VLESS does not rely on system time. The authentication method is still UUID-based.
## InboundConfigurationObject

View File

@ -3,7 +3,7 @@
[VMess](../../development/protocols/vmess.md) is an encrypted transport protocol that is commonly used as a bridge between Xray clients and servers.
::: danger
VMess relies on system time. Please ensure that the system UTC time used by Xray is within 90 seconds of the actual time, regardless of time zone. On Linux systems, you can install the `ntp` service to automatically synchronize the system time.
VMess relies on system time. Please ensure that the system UTC time used by Xray is within 120 seconds of the actual time, regardless of time zone. On Linux systems, you can install the `ntp` service to automatically synchronize the system time.
:::
## InboundConfigurationObject
@ -14,18 +14,15 @@ VMess relies on system time. Please ensure that the system UTC time used by Xray
{
"id": "5783a3e7-e373-51cd-8642-c83782b807c5",
"level": 0,
"alterId": 0,
"email": "love@xray.com"
}
],
"default": {
"level": 0,
"alterId": 0
"level": 0
},
"detour": {
"to": "tag_to_detour"
},
"disableInsecureEncryption": false
}
}
```
@ -45,22 +42,12 @@ Indicates that another server should be used for the corresponding outbound prot
Optional. The default configuration for clients. Only effective when used with `detour`.
> `disableInsecureEncryption`: true | false
Whether to disable the use of insecure encryption methods by clients. If set to true, the server will actively disconnect the connection when the client specifies the following encryption methods:
- `"none"`
- `"aes-128-cfb"`
The default value is `false`.
### ClientObject
```json
{
"id": "5783a3e7-e373-51cd-8642-c83782b807c5",
"level": 0,
"alterId": 4,
"email": "love@xray.com"
}
```
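Review bot: Same inconsistency as in the Chinese inbound page: the `disableInsecureEncryption` description with its `"none"` / `"aes-128-cfb"` list is deleted here, while the example in the earlier hunk still contains `"disableInsecureEncryption": false` as unchanged context. Keep the two in step, either by retaining a one-line description or by removing the key from the example.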
@ -87,16 +74,6 @@ The user level that the connection will use to determine the corresponding [Loca
The value of `level` corresponds to the value of `level` in the [policy](../policy.md#policyobject). If not specified, the default value is 0.
> `alterId`: number
To further prevent detection, a user can generate additional IDs in addition to the main ID. Here, you only need to specify the number of additional IDs. The recommended value is 0, which means enabling VMessAEAD. The maximum value is 65535. This value cannot exceed the value specified on the server side.
If not specified, the default value is 0.
::: tip
Setting the client's AlterID to 0 means enabling VMessAEAD. The server automatically adapts to both clients with VMessAEAD enabled and disabled. Clients can force disable VMessAEAD by setting the environment variable `Xray_VMESS_AEAD_DISABLED=true`.
:::
> `email`: string
The user's email address, used to differentiate traffic from different users.
@ -117,8 +94,7 @@ The `tag` of an inbound that specifies the inbound using the VMess protocol.
```json
{
"level": 0,
"alterId": 0
"level": 0
}
```
@ -127,33 +103,3 @@ The `tag` of an inbound that specifies the inbound using the VMess protocol.
The user level that the connection will use to determine the corresponding [Local Policy](../policy.md#levelpolicyobject).
The value of `level` corresponds to the value of `level` in the [policy](../policy.md#policyobject). If not specified, the default value is 0.
> `alterId`: number
The default `alterId` for dynamic ports. The default value is 0.
## VMess MD5 Authentication Tainting Mechanism
To further combat possible detection and blocking, the server-side structure of each VMess authentication data includes a one-time writable taint status flag. The initial state is an untainted state. When the server detects replay attacks or the inbound connection encounters errors that result in incorrect verification data, the authentication data corresponding to that connection will be tainted.
Tainted authentication data cannot be used to establish a connection. When an attacker or client uses tainted authentication data to establish a connection, the server will output an error message containing `invalid user` and `ErrTainted`, and block the connection.
This mechanism has no impact on normal clients when the server is not subjected to replay attacks.
::: tip
Malicious programs that have the server UUID and other connection data may launch denial-of-service attacks against the server based on this mechanism. Services that are targeted by such attacks can disable the server's security protection against such attacks by modifying the `atomic.CompareAndSwapUint32(pair.taintedFuse, 0, 1)` statement in the `func (v *TimedUserValidator) BurnTaintFuse(userHash []byte) error` function in the `proxy/vmess/validator.go` file to `atomic.CompareAndSwapUint32(pair.taintedFuse, 0, 0)`. Clients using the VMessAEAD authentication mechanism are not affected by the VMess MD5 authentication tainting mechanism.
:::
## VMess MD5 Authentication Elimination Mechanism
The elimination mechanism for VMess MD5 authentication has been activated.
Starting from January 1, 2022, the server-side compatibility for MD5 authentication is disabled by default. Any client using MD5 authentication will be unable to connect to servers that have disabled VMess MD5 authentication.
::: tip
On the server side, you can disable the automatic disabling of MD5 authentication by setting the environment variable `xray.vmess.aead.forced=true`, or force enable compatibility with the MD5 authentication mechanism by setting `xray.vmess.aead.forced=false` (not affected by the automatic disabling mechanism in 2022).
:::
::: tip
If there is no need to support old clients, the `"alterID"` parameter should be removed from the server-side configuration.
:::
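Review bot: As with the Chinese page, the English tainting and elimination sections plus the `xray.vmess.aead.forced` tip are removed with no replacement sentence stating that VMessAEAD is now the only supported authentication. Please add one, and keep the final deleted tip ("remove the `"alterID"` parameter from the server-side configuration") as the migration hint. Removing the paragraph that told operators to edit `proxy/vmess/validator.go` to neutralise the taint fuse is welcome on its own merits.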

View File

@ -6,7 +6,7 @@ Currently, VLESS does not have built-in encryption, please use it on a reliable
VLESS is a stateless lightweight transport protocol, which is divided into inbound and outbound parts, and can be used as a bridge between Xray clients and servers.
Unlike [VMess](./vmess.md), VLESS does not rely on system time, and the authentication method is also UUID, but it does not require alterId.
Unlike [VMess](./vmess.md), VLESS does not rely on system time, and the authentication method is also UUID.
## OutboundConfigurationObject

View File

@ -3,7 +3,7 @@
[VMess](../../development/protocols/vmess.md) is an encrypted transport protocol commonly used as a bridge between Xray clients and servers.
::: danger
VMess relies on system time. Please ensure that the UTC time of your system, when using Xray, has an error within 90 seconds, regardless of the time zone. On Linux systems, you can install the `ntp` service to automatically synchronize the system time.
VMess relies on system time. Please ensure that the UTC time of your system, when using Xray, has an error within 120 seconds, regardless of the time zone. On Linux systems, you can install the `ntp` service to automatically synchronize the system time.
:::
## OutboundConfigurationObject
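Review bot: Since this hunk already rewrites the warning line, align its wording with the English inbound page, which reads "within 120 seconds of the actual time"; "has an error within 120 seconds" is harder to parse and the two pages should state the same tolerance the same way. The figure itself matches the other three files in the commit.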
@ -17,7 +17,6 @@ VMess relies on system time. Please ensure that the UTC time of your system, whe
"users": [
{
"id": "5783a3e7-e373-51cd-8642-c83782b807c5",
"alterId": 0,
"security": "auto",
"level": 0
}
@ -62,7 +61,6 @@ Each item is a user configuration [UserObject](#userobject).
```json
{
"id": "5783a3e7-e373-51cd-8642-c83782b807c5",
"alterId": 0,
"security": "auto",
"level": 0
}
@ -81,14 +79,6 @@ The mapping standard is described in the [VLESS UUID Mapping Standard: Mapping a
You can use the command `xray uuid -i "custom string"` to generate the UUID corresponding to a custom string, or use the command `xray uuid` to generate a random UUID.
> `alterId`number
To further prevent detection, a user can generate additional IDs in addition to the main ID. Here, you only need to specify the number of additional IDs. The recommended value is 0, which means VMessAEAD is enabled. The maximum value is 65535. This value cannot exceed the value specified on the server side.
If not specified, the default value is 0.
::: tip Setting the client's AlterID to 0 enables VMessAEAD. The server automatically adapts and can simultaneously be compatible with clients that have enabled or disabled VMessAEAD. The client can forcefully disable VMessAEAD by setting the environment variable `Xray_VMESS_AEAD_DISABLED=true`. :::
> `level`: number
The user level. Connections will use the corresponding [local policy](../policy.md#levelpolicyobject) associated with this user level.