diff --git a/docs/document/level-0/ch07-xray-server.md b/docs/document/level-0/ch07-xray-server.md index 5def9cab9..7d0d86a87 100644 --- a/docs/document/level-0/ch07-xray-server.md +++ b/docs/document/level-0/ch07-xray-server.md @@ -227,7 +227,7 @@ }, // 3*分流设置 "routing": { - "domainStrategy": "AsIs", + "domainStrategy": "IPIfNonMatch", "rules": [ // 3.1 防止服务器本地流转问题:如内网被攻击或滥用、错误的本地回环等 { @@ -237,7 +237,14 @@ ], "outboundTag": "block" // 分流策略:交给出站"block"处理(黑洞屏蔽) }, - // 3.2 屏蔽广告 + { // 3.2 防止服务器直连国内 + "type": "field", + "ip": [ + "geoip:cn" + ], + "outboundTag": "block" + }, + // 3.3 屏蔽广告 { "type": "field", "domain": [ @@ -257,7 +264,7 @@ "clients": [ { "id": "", // 填写你的 UUID - "flow": "xtls-rprx-direct", + "flow": "xtls-rprx-vision", "level": 0, "email": "vpsadmin@yourdomain.com" } @@ -271,11 +278,8 @@ }, "streamSettings": { "network": "tcp", - "security": "xtls", - "xtlsSettings": { - "allowInsecure": false, // 正常使用应确保关闭 - "minVersion": "1.2", // TLS 最低版本设置 - "alpn": ["http/1.1"], + "security": "tls", + "tlsSettings": { "certificates": [ { "certificateFile": "/home/vpsadmin/xray_cert/xray.crt", diff --git a/docs/document/level-0/ch08-xray-clients.md b/docs/document/level-0/ch08-xray-clients.md index 18ba950b4..372dea5cc 100644 --- a/docs/document/level-0/ch08-xray-clients.md +++ b/docs/document/level-0/ch08-xray-clients.md @@ -226,8 +226,7 @@ "users": [ { "id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", // 和服务器端的一致 - "flow": "xtls-rprx-direct", // Windows, macOS 同学保持这个不变 - // "flow": "xtls-rprx-splice", // Linux和安卓同学请改成Splice性能更强 + "flow": "xtls-rprx-vision", "encryption": "none", "level": 0 } @@ -237,10 +236,11 @@ }, "streamSettings": { "network": "tcp", - "security": "xtls", - "xtlsSettings": { + "security": "tls", + "tlsSettings": { "serverName": "a-name.yourdomain.com", // 替换成你的真实域名 - "allowInsecure": false // 禁止不安全证书 + "allowInsecure": false, // 禁止不安全证书 + "fingerprint": "chrome" // 通过 uTLS 库 模拟 Chrome / Firefox / Safari 或随机生成的指纹 } } }, 
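Review bot: In the last ch07-xray-server.md hunk the server `tlsSettings` loses `"alpn": ["http/1.1"]`, while the only fallback is still the bare `"dest": 80`. If Xray's default ALPN list offers `h2` (I believe it does, but confirm against the targeted release), a client that negotiates HTTP/2 is handed to a port-80 backend that presumably speaks only HTTP/1.1, so the fallback site fails for those connections. Either keep `"alpn": ["http/1.1"]` inside `tlsSettings` or add a fallback entry with `"alpn": "h2"`, as the fallbacks-with-sni chapter in this same commit explains. The explicit `"minVersion": "1.2"` is dropped as well, which leaves the TLS floor to the default of whichever build is installed; keep the line or say in the text that the default is relied on. The inbound object starts and ends outside the hunk, and the same removal is repeated in the docs/en copy of ch07-xray-server.md.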
diff --git a/docs/document/level-1/fallbacks-lv1.md b/docs/document/level-1/fallbacks-lv1.md index a882cb05d..d68535627 100644 --- a/docs/document/level-1/fallbacks-lv1.md +++ b/docs/document/level-1/fallbacks-lv1.md @@ -143,7 +143,7 @@ "clients": [ { "id": "", // 填写你的 UUID - "flow": "xtls-rprx-direct", + "flow": "xtls-rprx-vision", "level": 0, "email": "love@example.com" } @@ -173,8 +173,8 @@ }, "streamSettings": { "network": "tcp", - "security": "xtls", - "xtlsSettings": { + "security": "tls", + "tlsSettings": { "alpn": ["http/1.1"], "certificates": [ { diff --git a/docs/document/level-1/fallbacks-with-sni.md b/docs/document/level-1/fallbacks-with-sni.md index 30d4cc87b..d1d7766e7 100644 --- a/docs/document/level-1/fallbacks-with-sni.md +++ b/docs/document/level-1/fallbacks-with-sni.md @@ -87,7 +87,7 @@ acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem -- "clients": [ { "id": "UUID", - "flow": "xtls-rprx-direct" + "flow": "xtls-rprx-vision" } ], "decryption": "none", @@ -122,8 +122,8 @@ acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem -- }, "streamSettings": { "network": "tcp", - "security": "xtls", - "xtlsSettings": { + "security": "tls", + "tlsSettings": { "alpn": ["h2", "http/1.1"], "certificates": [ { 
@@ -181,9 +181,9 @@ acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem -- - 有关 HTTP/2 - 首先,`inbounds.streamSettings.xtlsSettings.alpn` 有顺序,应将 `h2` 放前,`http/1.1` 放后,在优先使用 HTTP/2 的同时保证兼容性;反过来会导致 HTTP/2 在协商时变为 HTTP/1.1,成为无效配置。 + 首先,`inbounds.streamSettings.tlsSettings.alpn` 有顺序,应将 `h2` 放前,`http/1.1` 放后,在优先使用 HTTP/2 的同时保证兼容性;反过来会导致 HTTP/2 在协商时变为 HTTP/1.1,成为无效配置。 - 在上述配置中,每条回落到 Nginx 的配置都要分成两个。这是因为 h2 是强制 TLS 加密的 HTTP/2 连接,这有益于数据在互联网中传输的安全,但在服务器内部没有必要;而 h2c 是非加密的 HTTP/2 连接,适合该环境。然而,Nginx 不能在同一端口上同时监听 HTTP/1.1 和 h2c,为了解决这个问题,需要在回落中指定 `alpn` 项(是 `fallbacks` 而不是 `xtlsSettings` 里面的),以尝试匹配 TLS ALPN 协商结果。 + 在上述配置中,每条回落到 Nginx 的配置都要分成两个。这是因为 h2 是强制 TLS 加密的 HTTP/2 连接,这有益于数据在互联网中传输的安全,但在服务器内部没有必要;而 h2c 是非加密的 HTTP/2 连接,适合该环境。然而,Nginx 不能在同一端口上同时监听 HTTP/1.1 和 h2c,为了解决这个问题,需要在回落中指定 `alpn` 项(是 `fallbacks` 而不是 `tlsSettings` 里面的),以尝试匹配 TLS ALPN 协商结果。 建议 `alpn` 项只按需用两种填法:[^4] diff --git a/docs/document/level-1/routing-lv1-part1.md b/docs/document/level-1/routing-lv1-part1.md index 511af0252..cd7fc3a21 100644 --- a/docs/document/level-1/routing-lv1-part1.md +++ b/docs/document/level-1/routing-lv1-part1.md @@ -73,7 +73,7 @@ **出站:** 就是流量如何流出 `Xray` ::: -下面的出站配置示例,用大白话说就是:数据按照 `VLESS` 协议,以 `tcp + xtls (direct)` 的方式、及其他相关设置,把流量发送给对应的 VPS。同时,`Xray` 将这个出站用 `[tag]` 命名为 `proxy-out-vless`: +下面的出站配置示例,用大白话说就是:数据按照 `VLESS` 协议,以 `tcp + xtls` 的方式、及其他相关设置,把流量发送给对应的 VPS。同时,`Xray` 将这个出站用 `[tag]` 命名为 `proxy-out-vless`: ```json { @@ -89,7 +89,7 @@ "users": [ { "id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", - "flow": "xtls-rprx-direct", + "flow": "xtls-rprx-vision", "encryption": "none", "level": 0 } @@ -99,9 +99,11 @@ }, "streamSettings": { "network": "tcp", - "security": "xtls", - "xtlsSettings": { - "serverName": "a-name.yourdomain.com" + "security": "tls", + "tlsSettings": { + "serverName": "a-name.yourdomain.com", + "allowInsecure": false, + "fingerprint": "chrome" } } } 
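Review bot: The rewritten sentence in the first routing-lv1-part1.md hunk still describes the outbound as `tcp + xtls`, but the sample below it now sets `"security": "tls"` with `"flow": "xtls-rprx-vision"`, and `xtlsSettings` no longer appears. A reader matching prose to config will look for a `security` value that is gone; wording such as `tcp + tls`, with the flow `xtls-rprx-vision` named separately, would match the sample. The docs/en copy of this file carries the same sentence, and the `4.1 … vless+xtls` comment in ch07-xray-server.md is left in the same state.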
diff --git a/docs/en/document/level-0/ch07-xray-server.md b/docs/en/document/level-0/ch07-xray-server.md index 58799204f..1c1aa98eb 100644 --- a/docs/en/document/level-0/ch07-xray-server.md +++ b/docs/en/document/level-0/ch07-xray-server.md @@ -190,7 +190,7 @@ 4. 将下面的文件全部复制进去,并将之前生成的`UUID`填入第 61 行 `"id": "",` 之中。(填好之后的样子是 `"id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid"` ),本文的这个配置文件中增加了我的各种啰嗦注解,以方便你理解每一个配置模块的功能是什么。 - ```json5 + ```json // REFERENCE: // https://github.com/XTLS/Xray-examples // https://xtls.github.io/config/ 
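Review bot: The fence label changes from `json5` to `json`, but the sample that follows keeps `//` comments on most lines, which strict JSON does not allow. Quoting the keys and dropping the trailing commas (done in the next hunk) is a real improvement; the label, however, now promises something the block does not deliver, so a reader who validates the copied text with a JSON tool will get errors. If the docs highlighter supports it, `jsonc` describes the content; otherwise add one sentence before the block saying that Xray's config loader tolerates comments (worth confirming for the targeted release). The same relabelling applies to the ch08-xray-clients.md and fallbacks-lv1.md blocks under docs/en.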
@@ -202,92 +202,96 @@ // └─ 5_outbounds 出站设置 - 流出 Xray 的流量往哪里去 { // 1\_日志设置 - log: { - loglevel: "warning", // 内容从少到多: "none", "error", "warning", "info", "debug" - access: "/home/vpsadmin/xray_log/access.log", // 访问记录 - error: "/home/vpsadmin/xray_log/error.log", // 错误记录 + "log": { + "loglevel": "warning", // 内容从少到多: "none", "error", "warning", "info", "debug" + "access": "/home/vpsadmin/xray_log/access.log", // 访问记录 + "error": "/home/vpsadmin/xray_log/error.log" // 错误记录 }, // 2_DNS 设置 - dns: { - servers: [ + "dns": { + "servers": [ "https+local://1.1.1.1/dns-query", // 首选 1.1.1.1 的 DoH 查询,牺牲速度但可防止 ISP 偷窥 - "localhost", - ], + "localhost" + ] }, // 3*分流设置 - routing: { - domainStrategy: "AsIs", - rules: [ + "routing": { + "domainStrategy": "IPIfNonMatch", + "rules": [ // 3.1 防止服务器本地流转问题:如内网被攻击或滥用、错误的本地回环等 { - type: "field", - ip: [ - "geoip:private", // 分流条件:geoip 文件内,名为"private"的规则(本地) + "type": "field", + "ip": [ + "geoip:private" // 分流条件:geoip 文件内,名为"private"的规则(本地) ], - outboundTag: "block", // 分流策略:交给出站"block"处理(黑洞屏蔽) + "outboundTag": "block" // 分流策略:交给出站"block"处理(黑洞屏蔽) }, - // 3.2 屏蔽广告 + { // 3.2 防止服务器直连国内 + "type": "field", + "ip": [ + "geoip:cn" + ], + "outboundTag": "block" + }, + // 3.3 屏蔽广告 { - type: "field", - domain: [ - "geosite:category-ads-all", // 分流条件:geosite 文件内,名为"category-ads-all"的规则(各种广告域名) + "type": "field", + "domain": [ + "geosite:category-ads-all" // 分流条件:geosite 文件内,名为"category-ads-all"的规则(各种广告域名) ], - outboundTag: "block", // 分流策略:交给出站"block"处理(黑洞屏蔽) - }, - ], + "outboundTag": "block" // 分流策略:交给出站"block"处理(黑洞屏蔽) + } + ] }, // 4*入站设置 // 4.1 这里只写了一个最简单的 vless+xtls 的入站,因为这是 Xray 最强大的模式。如有其他需要,请根据模版自行添加。 - inbounds: [ + "inbounds": [ { - port: 443, - protocol: "vless", - settings: { - clients: [ + "port": 443, + "protocol": "vless", + "settings": { + "clients": [ { - id: "", // 填写你的 UUID - flow: "xtls-rprx-direct", - level: 0, - email: "vpsadmin@yourdomain.com", - }, + "id": "", // 填写你的 UUID + "flow": "xtls-rprx-vision", + "level": 0, + 
"email": "vpsadmin@yourdomain.com" + } ], - decryption: "none", - fallbacks: [ + "decryption": "none", + "fallbacks": [ { - dest: 80, // 默认回落到防探测的代理 - }, - ], + "dest": 80 // 默认回落到防探测的代理 + } + ] }, - streamSettings: { - network: "tcp", - security: "xtls", - xtlsSettings: { - allowInsecure: false, // 正常使用应确保关闭 - minVersion: "1.2", // TLS 最低版本设置 - alpn: ["http/1.1"], - certificates: [ + "streamSettings": { + "network": "tcp", + "security": "tls", + "tlsSettings": { + "certificates": [ { - certificateFile: "/home/vpsadmin/xray_cert/xray.crt", - keyFile: "/home/vpsadmin/xray_cert/xray.key", - }, - ], - }, - }, - }, + "certificateFile": "/home/vpsadmin/xray_cert/xray.crt", + "keyFile": "/home/vpsadmin/xray_cert/xray.key" + } + ] + } + } + } ], // 5*出站设置 - outbounds: [ + "outbounds": [ // 5.1 第一个出站是默认规则,freedom 就是对外直连(vps 已经是外网,所以直连) { - tag: "direct", - protocol: "freedom", + "tag": "direct", + "protocol": "freedom" }, // 5.2 屏蔽规则,blackhole 协议就是把流量导入到黑洞里(屏蔽) { - tag: "block", - protocol: "blackhole", - }, - ], + "tag": "block", + "protocol": "blackhole" + } + ] } ``` diff --git a/docs/en/document/level-0/ch08-xray-clients.md b/docs/en/document/level-0/ch08-xray-clients.md index d6b862a6e..a0f74141a 100644 --- a/docs/en/document/level-0/ch08-xray-clients.md +++ b/docs/en/document/level-0/ch08-xray-clients.md @@ -99,7 +99,7 @@ - 请将 `serverName` 替换成你的真实域名 - 各个配置模块的说明我都已经(很啰嗦的)放在对应的配置点上了 - ```json5 + ```json // REFERENCE: // https://github.com/XTLS/Xray-examples // https://xtls.github.io/config/ 
@@ -114,135 +114,141 @@ { // 1_日志设置 // 注意,本例中我默认注释掉了日志文件,因为windows, macOS, Linux 需要写不同的路径,请自行配置 - log: { + "log": { // "access": "/home/local/xray_log/access.log", // 访问记录 // "error": "/home/local/xray_log/error.log", // 错误记录 - loglevel: "warning", // 内容从少到多: "none", "error", "warning", "info", "debug" + "loglevel": "warning" // 内容从少到多: "none", "error", "warning", "info", "debug" }, // 2_DNS设置 - dns: { - servers: [ + "dns": { + "servers": [ // 2.1 国外域名使用国外DNS查询 { - address: "1.1.1.1", - domains: ["geosite:geolocation-!cn"], + "address": "1.1.1.1", + "domains": ["geosite:geolocation-!cn"] }, // 2.2 国内域名使用国内DNS查询,并期待返回国内的IP,若不是国内IP则舍弃,用下一个查询 { - address: "223.5.5.5", - domains: ["geosite:cn"], - expectIPs: ["geoip:cn"], + "address": "223.5.5.5", + "domains": ["geosite:cn"], + "expectIPs": ["geoip:cn"] }, // 2.3 作为2.2的备份,对国内网站进行二次查询 { - address: "114.114.114.114", - domains: ["geosite:cn"], + "address": "114.114.114.114", + "domains": ["geosite:cn"] }, // 2.4 最后的备份,上面全部失败时,用本机DNS查询 - "localhost", - ], + "localhost" + ] }, // 3_分流设置 // 所谓分流,就是将符合否个条件的流量,用指定`tag`的出站协议去处理(对应配置的5.x内容) - routing: { - domainStrategy: "AsIs", - rules: [ + "routing": { + "domainStrategy": "IPIfNonMatch", + "rules": [ // 3.1 广告域名屏蔽 { - type: "field", - domain: ["geosite:category-ads-all"], - outboundTag: "block", + "type": "field", + "domain": ["geosite:category-ads-all"], + "outboundTag": "block" }, // 3.2 国内域名直连 { - type: "field", - domain: ["geosite:cn"], - outboundTag: "direct", + "type": "field", + "domain": ["geosite:cn"], + "outboundTag": "direct" }, // 3.3 国内IP直连 { - type: "field", - ip: ["geoip:cn", "geoip:private"], - outboundTag: "direct", + "type": "field", + "ip": ["geoip:cn", "geoip:private"], + "outboundTag": "direct" }, // 3.4 国外域名代理 { - type: "field", - domain: ["geosite:geolocation-!cn"], - outboundTag: "proxy", + "type": "field", + "domain": ["geosite:geolocation-!cn"], + "outboundTag": "proxy" }, // 3.5 默认规则 // 
在Xray中,任何不符合上述路由规则的流量,都会默认使用【第一个outbound(5.1)】的设置,所以一定要把转发VPS的outbound放第一个 - ], + // 3.6 走国内"223.5.5.5"的DNS查询流量分流走direct出站 + { + "type": "field", + "ip": ["223.5.5.5"], + "outboundTag": "direct" + } + ] }, // 4_入站设置 - inbounds: [ + "inbounds": [ // 4.1 一般都默认使用socks5协议作本地转发 { - tag: "socks-in", - protocol: "socks", - listen: "127.0.0.1", // 这个是通过socks5协议做本地转发的地址 - port: 10800, // 这个是通过socks5协议做本地转发的端口 - settings: { - udp: true, - }, + "tag": "socks-in", + "protocol": "socks", + "listen": "127.0.0.1", // 这个是通过socks5协议做本地转发的地址 + "port": 10800, // 这个是通过socks5协议做本地转发的端口 + "settings": { + "udp": true + } }, // 4.2 有少数APP不兼容socks协议,需要用http协议做转发,则可以用下面的端口 { - tag: "http-in", - protocol: "http", - listen: "127.0.0.1", // 这个是通过http协议做本地转发的地址 - port: 10801, // 这个是通过http协议做本地转发的端口 - }, + "tag": "http-in", + "protocol": "http", + "listen": "127.0.0.1", // 这个是通过http协议做本地转发的地址 + "port": 10801 // 这个是通过http协议做本地转发的端口 + } ], // 5_出站设置 - outbounds: [ + "outbounds": [ // 5.1 默认转发VPS // 一定放在第一个,在routing 3.5 里面已经说明了,这等于是默认规则,所有不符合任何规则的流量都走这个 { - tag: "proxy", - protocol: "vless", - settings: { - vnext: [ + "tag": "proxy", + "protocol": "vless", + "settings": { + "vnext": [ { - address: "a-name.yourdomain.com", // 替换成你的真实域名 - port: 443, - users: [ + "address": "a-name.yourdomain.com", // 替换成你的真实域名 + "port": 443, + "users": [ { - id: "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", // 和服务器端的一致 - flow: "xtls-rprx-direct", // Windows, macOS 同学保持这个不变 - // "flow": "xtls-rprx-splice", // Linux和安卓同学请改成Splice性能更强 - encryption: "none", - level: 0, - }, - ], - }, - ], - }, - streamSettings: { - network: "tcp", - security: "xtls", - xtlsSettings: { - serverName: "a-name.yourdomain.com", // 替换成你的真实域名 - allowInsecure: false, // 禁止不安全证书 - }, + "id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", // 和服务器端的一致 + "flow": "xtls-rprx-vision", + "encryption": "none", + "level": 0 + } + ] + } + ] }, + "streamSettings": { + "network": "tcp", + "security": "tls", + "tlsSettings": { + "serverName": "a-name.yourdomain.com", // 
替换成你的真实域名 + "allowInsecure": false, // 禁止不安全证书 + "fingerprint": "chrome" // 通过 uTLS 库 模拟 Chrome / Firefox / Safari 或随机生成的指纹 + } + } }, // 5.2 用`freedom`协议直连出站,即当routing中指定'direct'流出时,调用这个协议做处理 { - tag: "direct", - protocol: "freedom", + "tag": "direct", + "protocol": "freedom" }, // 5.3 用`blackhole`协议屏蔽流量,即当routing中指定'block'时,调用这个协议做处理 { - tag: "block", - protocol: "blackhole", - }, - ], + "tag": "block", + "protocol": "blackhole" + } + ] } ``` diff --git a/docs/en/document/level-1/fallbacks-lv1.md b/docs/en/document/level-1/fallbacks-lv1.md index 7f4cda5bd..cb2d86133 100644 --- a/docs/en/document/level-1/fallbacks-lv1.md +++ b/docs/en/document/level-1/fallbacks-lv1.md 
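Review bot: The new rule 3.6 for `223.5.5.5` is inserted after the `// 3.5 默认规则` comment and after rule 3.3, which already sends `geoip:cn` to `direct`. Routing rules are matched in order, so if 223.5.5.5 is covered by `geoip:cn` (likely, but not verifiable from the hunk), 3.6 never fires. Its position under the 3.5 comment also makes it read as the default rule, and the statement that unmatched traffic goes to the first outbound no longer closes the list. Move the 3.6 object above the 3.5 comment, ahead of 3.3 if it is meant to take precedence, and keep the 3.5 comment as the last item in `rules`.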
@@ -133,55 +133,55 @@ ### 5.1 首先,我将服务器端配置的 443 监听段摘抄如下: -```json5 +```json { - port: 443, - protocol: "vless", - settings: { - clients: [ + "port": 443, + "protocol": "vless", + "settings": { + "clients": [ { - id: "", // 填写你的 UUID - flow: "xtls-rprx-direct", - level: 0, - email: "love@example.com", - }, + "id": "", // 填写你的 UUID + "flow": "xtls-rprx-vision", + "level": 0, + "email": "love@example.com" + } ], - decryption: "none", - fallbacks: [ + "decryption": "none", + "fallbacks": [ { - dest: 1310, // 默认回落到 Xray 的 Trojan 协议 - xver: 1, + "dest": 1310, // 默认回落到 Xray 的 Trojan 协议 + "xver": 1 }, { - path: "/websocket", // 必须换成自定义的 PATH - dest: 1234, - xver: 1, + "path": "/websocket", // 必须换成自定义的 PATH + "dest": 1234, + "xver": 1 }, { - path: "/vmesstcp", // 必须换成自定义的 PATH - dest: 2345, - xver: 1, + "path": "/vmesstcp", // 必须换成自定义的 PATH + "dest": 2345, + "xver": 1 }, { - path: "/vmessws", // 必须换成自定义的 PATH - dest: 3456, - xver: 1, - }, - ], + "path": "/vmessws", // 必须换成自定义的 PATH + "dest": 3456, + "xver": 1 + } + ] }, - streamSettings: { - network: "tcp", - security: "xtls", - xtlsSettings: { - alpn: ["http/1.1"], - certificates: [ + "streamSettings": { + "network": "tcp", + "security": "tls", + "tlsSettings": { + "alpn": ["http/1.1"], + "certificates": [ { - certificateFile: "/path/to/fullchain.crt", // 换成你的证书,绝对路径 - keyFile: "/path/to/private.key", // 换成你的私钥,绝对路径 - }, - ], - }, - }, + "certificateFile": "/path/to/fullchain.crt", // 换成你的证书,绝对路径 + "keyFile": "/path/to/private.key" // 换成你的私钥,绝对路径 + } + ] + } + } } ``` diff --git a/docs/en/document/level-1/fallbacks-with-sni.md b/docs/en/document/level-1/fallbacks-with-sni.md index 1e8866b80..d1d7766e7 100644 --- a/docs/en/document/level-1/fallbacks-with-sni.md +++ b/docs/en/document/level-1/fallbacks-with-sni.md 
@@ -74,91 +74,91 @@ acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem -- ## Xray 配置 -```json5 +```json { - log: { - loglevel: "warning", + "log": { + "loglevel": "warning" }, - inbounds: [ + "inbounds": [ { - port: 443, - protocol: "vless", - settings: { - clients: [ + "port": 443, + "protocol": "vless", + "settings": { + "clients": [ { - id: "UUID", - flow: "xtls-rprx-direct", - }, + "id": "UUID", + "flow": "xtls-rprx-vision" + } ], - decryption: "none", - fallbacks: [ + "decryption": "none", + "fallbacks": [ { - name: "example.com", - path: "/vmessws", - dest: 5000, - xver: 1, + "name": "example.com", + "path": "/vmessws", + "dest": 5000, + "xver": 1 }, { - dest: 5001, - xver: 1, + "dest": 5001, + "xver": 1 }, { - alpn: "h2", - dest: 5002, - xver: 1, + "alpn": "h2", + "dest": 5002, + "xver": 1 }, { - name: "blog.example.com", - dest: 5003, - xver: 1, + "name": "blog.example.com", + "dest": 5003, + "xver": 1 }, { - name: "blog.example.com", - alpn: "h2", - dest: 5004, - xver: 1, - }, - ], + "name": "blog.example.com", + "alpn": "h2", + "dest": 5004, + "xver": 1 + } + ] }, - streamSettings: { - network: "tcp", - security: "xtls", - xtlsSettings: { - alpn: ["h2", "http/1.1"], - certificates: [ + "streamSettings": { + "network": "tcp", + "security": "tls", + "tlsSettings": { + "alpn": ["h2", "http/1.1"], + "certificates": [ { - certificateFile: "/etc/ssl/xray/cert.pem", - keyFile: "/etc/ssl/xray/privkey.key", - }, - ], - }, - }, + "certificateFile": "/etc/ssl/xray/cert.pem", + "keyFile": "/etc/ssl/xray/privkey.key" + } + ] + } + } }, { - listen: "127.0.0.1", - port: 5000, - protocol: "vmess", - settings: { - clients: [ + "listen": "127.0.0.1", + "port": 5000, + "protocol": "vmess", + "settings": { + "clients": [ { - id: "UUID", - }, - ], + "id": "UUID" + } + ] }, - streamSettings: { - network: "ws", - wsSettings: { - acceptProxyProtocol: true, - path: "/vmessws", - }, - }, - }, + "streamSettings": { + "network": "ws", + "wsSettings": { + 
"acceptProxyProtocol": true, + "path": "/vmessws" + } + } + } ], - outbounds: [ + "outbounds": [ { - protocol: "freedom", - }, - ], + "protocol": "freedom" + } + ] } ``` @@ -181,9 +181,9 @@ acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem -- - 有关 HTTP/2 - 首先,`inbounds.streamSettings.xtlsSettings.alpn` 有顺序,应将 `h2` 放前,`http/1.1` 放后,在优先使用 HTTP/2 的同时保证兼容性;反过来会导致 HTTP/2 在协商时变为 HTTP/1.1,成为无效配置。 + 首先,`inbounds.streamSettings.tlsSettings.alpn` 有顺序,应将 `h2` 放前,`http/1.1` 放后,在优先使用 HTTP/2 的同时保证兼容性;反过来会导致 HTTP/2 在协商时变为 HTTP/1.1,成为无效配置。 - 在上述配置中,每条回落到 Nginx 的配置都要分成两个。这是因为 h2 是强制 TLS 加密的 HTTP/2 连接,这有益于数据在互联网中传输的安全,但在服务器内部没有必要;而 h2c 是非加密的 HTTP/2 连接,适合该环境。然而,Nginx 不能在同一端口上同时监听 HTTP/1.1 和 h2c,为了解决这个问题,需要在回落中指定 `alpn` 项(是 `fallbacks` 而不是 `xtlsSettings` 里面的),以尝试匹配 TLS ALPN 协商结果。 + 在上述配置中,每条回落到 Nginx 的配置都要分成两个。这是因为 h2 是强制 TLS 加密的 HTTP/2 连接,这有益于数据在互联网中传输的安全,但在服务器内部没有必要;而 h2c 是非加密的 HTTP/2 连接,适合该环境。然而,Nginx 不能在同一端口上同时监听 HTTP/1.1 和 h2c,为了解决这个问题,需要在回落中指定 `alpn` 项(是 `fallbacks` 而不是 `tlsSettings` 里面的),以尝试匹配 TLS ALPN 协商结果。 建议 `alpn` 项只按需用两种填法:[^4] @@ -192,24 +192,26 @@ acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem -- 如果使用 Caddy 就大可不必如此繁杂了,因为它**可以**在同一端口上同时监听 HTTP/1.1 和 h2c,配置改动如下: - ```json5 - "fallbacks": [ + ```json + { + "fallbacks": [ { - "name": "example.com", - "path": "/vmessws", - "dest": 5000, - "xver": 1 + "name": "example.com", + "path": "/vmessws", + "dest": 5000, + "xver": 1 }, { - "dest": 5001, - "xver": 1 + "dest": 5001, + "xver": 1 }, { - "name": "blog.example.com", - "dest": 5002, - "xver": 1 + "name": "blog.example.com", + "dest": 5002, + "xver": 1 } - ] + ] + } ``` ## Nginx 配置 diff --git a/docs/en/document/level-1/routing-lv1-part1.md b/docs/en/document/level-1/routing-lv1-part1.md index b7ce698ad..4ac845c8e 100644 --- a/docs/en/document/level-1/routing-lv1-part1.md +++ b/docs/en/document/level-1/routing-lv1-part1.md 
@@ -71,38 +71,42 @@ **出站:** 就是流量如何流出 `Xray` ::: -下面的出站配置示例,用大白话说就是:数据按照 `VLESS` 协议,以 `tcp + xtls (direct)` 的方式、及其他相关设置,把流量发送给对应的 VPS。同时,`Xray` 将这个出站用 `[tag]` 命名为 `proxy-out-vless`: +下面的出站配置示例,用大白话说就是:数据按照 `VLESS` 协议,以 `tcp + xtls` 的方式、及其他相关设置,把流量发送给对应的 VPS。同时,`Xray` 将这个出站用 `[tag]` 命名为 `proxy-out-vless`: -```json5 -"outbounds": [ +```json +{ + "outbounds": [ { - "tag": "proxy-out-vless", - "protocol": "vless", - "settings": { - "vnext": [ - { - "address": "a-name.yourdomain.com", - "port": 443, - "users": [ - { - "id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", - "flow": "xtls-rprx-direct", - "encryption": "none", - "level": 0 - } - ] - } + "tag": "proxy-out-vless", + "protocol": "vless", + "settings": { + "vnext": [ + { + "address": "a-name.yourdomain.com", + "port": 443, + "users": [ + { + "id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", + "flow": "xtls-rprx-vision", + "encryption": "none", + "level": 0 + } ] - }, - "streamSettings": { - "network": "tcp", - "security": "xtls", - "xtlsSettings": { - "serverName": "a-name.yourdomain.com" - } + } + ] + }, + "streamSettings": { + "network": "tcp", + "security": "tls", + "tlsSettings": { + "serverName": "a-name.yourdomain.com", + "allowInsecure": false, + "fingerprint": "chrome" } + } } -] + ] +} ``` ### 2.3 路由