mirror of https://github.com/XTLS/Xray-docs-next.git, synced 2025-01-19 09:11:40 +03:00
parent 31bbf6fb07
commit d298e6a3a5
@ -272,7 +272,8 @@ CipherSuites 用于配置受支持的密码套件列表, 每个套件名称之
|
||||
"show": false, // 选填,若为 true,输出调试信息
|
||||
"dest": "example.com:443", // 必填,格式同 VLESS fallbacks 的 dest
|
||||
"xver": 0, // 选填,格式同 VLESS fallbacks 的 xver
|
||||
"serverNames": [ // 必填,客户端可用的 serverName 列表,暂不支持 * 通配符
|
||||
"serverNames": [
|
||||
// 必填,客户端可用的 serverName 列表,暂不支持 * 通配符
|
||||
"example.com",
|
||||
"www.example.com"
|
||||
],
|
||||
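Review bot: In the `serverNames` entry the comment now sits between the opening `[` and `"example.com"`, so it reads as a comment on the first element rather than on the key, while `dest` and `xver` just above keep their comments on the key's own line. Put the comment on the line above `"serverNames": [` or leave it inline as before.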
@ -280,7 +281,8 @@ CipherSuites 用于配置受支持的密码套件列表, 每个套件名称之
|
||||
"minClientVer": "", // 选填,客户端 Xray 最低版本,格式为 x.y.z
|
||||
"maxClientVer": "", // 选填,客户端 Xray 最高版本,格式为 x.y.z
|
||||
"maxTimeDiff": 0, // 选填,允许的最大时间差,单位为毫秒
|
||||
"shortIds": [ // 必填,客户端可用的 shortId 列表,可用于区分不同的客户端
|
||||
"shortIds": [
|
||||
// 必填,客户端可用的 shortId 列表,可用于区分不同的客户端
|
||||
"", // 若有此项,客户端 shortId 可为空
|
||||
"0123456789abcdef" // 0 到 f,长度为 2 的倍数,长度上限为 16
|
||||
],
|
||||
|
@ -1,14 +1,13 @@
|
||||
---
|
||||
title: 配置文件
|
||||
lang: zh-CN
|
||||
title: Configurations
|
||||
lang: en-US
|
||||
---
|
||||
|
||||
> **这个章节将告诉您所有的 Xray 配置细节,掌握这些内容,在您手中 Xray 将发挥更大威力。**
|
||||
> **This section will tell you all the details of Xray configuration. By mastering these contents, Xray will unleash its full power in your hands.**
|
||||
|
||||
## 概述
|
||||
## Overview
|
||||
|
||||
Xray 的配置文件为 json 格式, 客户端和服务端的配置格式没有区别, 只是实际的配置内容不一样。
|
||||
形式如下:
|
||||
The configuration file of Xray is in JSON format, and the configuration format for the client and server is the same, except for the actual configuration content. It takes the following form:
|
||||
|
||||
```json
|
||||
{
|
||||
@ -27,51 +26,51 @@ Xray 的配置文件为 json 格式, 客户端和服务端的配置格式没有
|
||||
```
|
||||
|
||||
::: warning
|
||||
如果你刚接触 Xray, 您可以先点击查看[快速入门中的配置运行](../document/install.md), 学习最基本的配置方式, 然后查看本章节内容以掌握所有 Xray 的配置方式。
|
||||
If you are new to Xray, you can first click to view [configuration and running in the Quick Start guide](../document/install.md), to learn the most basic configuration method, and then refer to the contents of this section to master all the configuration methods of Xray.
|
||||
:::
|
||||
|
||||
## 基础配置模块
|
||||
## Basic Configuration Modules
|
||||
|
||||
> log:[LogObject](./log.md)
|
||||
|
||||
日志配置,控制 Xray 输出日志的方式.
|
||||
Log configuration, which controls the way Xray outputs logs.
|
||||
|
||||
> api:[ApiObject](./api.md)
|
||||
|
||||
提供了一些 API 接口供远程调用。
|
||||
Provides some API interfaces for remote calls.
|
||||
|
||||
> dns: [DnsObject](./dns.md)
|
||||
|
||||
内置的 DNS 服务器. 如果没有配置此项,则使用系统的 DNS 设置。
|
||||
Built-in DNS server. If this item is not configured, the system's DNS settings will be used.
|
||||
|
||||
> routing: [RoutingObject](./routing.md)
|
||||
|
||||
路由功能。可以设置规则分流数据从不同的 outbound 发出.
|
||||
Routing function. You can set rules to route data to different outbounds.
|
||||
|
||||
> policy: [PolicyObject](./policy.md)
|
||||
|
||||
本地策略,可以设置不同的用户等级和对应的策略设置。
|
||||
Local policy, which can set different user levels and corresponding policy settings.
|
||||
|
||||
> inbounds: \[ [InboundObject](./inbound.md) \]
|
||||
|
||||
一个数组,每个元素是一个入站连接配置。
|
||||
An array, with each element being an inbound connection configuration.
|
||||
|
||||
> outbounds: \[ [OutboundObject](./outbound.md) \]
|
||||
|
||||
一个数组,每个元素是一个出站连接配置。
|
||||
An array, with each element being an outbound connection configuration.
|
||||
|
||||
> transport: [TransportObject](./transport.md)
|
||||
|
||||
用于配置 Xray 其它服务器建立和使用网络连接的方式。
|
||||
Used to configure the way Xray establishes and uses network connections with other servers.
|
||||
|
||||
> stats: [StatsObject](./stats.md)
|
||||
|
||||
用于配置流量数据的统计。
|
||||
Used to configure traffic data statistics.
|
||||
|
||||
> reverse: [ReverseObject](./reverse.md)
|
||||
|
||||
反向代理。可以把服务器端的流量向客户端转发,即逆向流量转发。
|
||||
Reverse proxy. You can forward server-side traffic to the client, that is, reverse traffic forwarding.
|
||||
|
||||
> fakedns: [FakeDnsObject](./fakedns.md)
|
||||
|
||||
FakeDNS 配置。可配合透明代理使用,以获取实际域名。
|
||||
FakeDNS configuration. It can be used with transparent proxy to obtain the actual domain name.
|
||||
|
@ -1,18 +1,17 @@
|
||||
# API 接口
|
||||
# API Interface
|
||||
|
||||
API 接口配置提供了一些基于 [gRPC](https://grpc.io/)的 API 接口供远程调用。
|
||||
API interface configuration provides a set of APIs based on [gRPC](https://grpc.io/) for remote invocation.
|
||||
|
||||
可以通过 api 配置模块开启接口. 当 api 配置开启时,Xray 会自建一个出站代理,须手动将所有的 API 入站连接通过 [路由规则配置](./routing.md) 指向这一出站代理。
|
||||
The interface can be enabled through the api configuration module. When the api configuration is enabled, Xray will create an outbound proxy automatically. All incoming API connections need to be manually routed to this outbound proxy through [routing rule configuration](./routing.md).
|
||||
|
||||
请参考本节中的 [相关配置](#相关配置)
|
||||
Please refer to the [related configuration](#related-configuration) in this section.
|
||||
|
||||
::: warning
|
||||
大多数用户并不会用到此 API,新手可以直接忽略这一项。
|
||||
:::
|
||||
Most users do not need to use this API. Novices can ignore this item directly. :::
|
||||
|
||||
## ApiObject
|
||||
|
||||
`ApiObject` 对应配置文件的 `api` 项。
|
||||
`ApiObject` corresponds to the `api` item in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
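Review bot: The closing `:::` of the warning container is fused onto the end of the translated sentence ("... ignore this item directly. :::"), where the original had it on a line of its own; the 18 to 17 line count in the hunk header matches that lost line. The container is not closed at that point, so the `## ApiObject` section that follows may render inside the warning. Move `:::` back onto its own line.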
@ -25,15 +24,15 @@ API 接口配置提供了一些基于 [gRPC](https://grpc.io/)的 API 接口供
|
||||
|
||||
> `tag`: string
|
||||
|
||||
出站代理标识。
|
||||
Outbound proxy identifier.
|
||||
|
||||
> `services`: \[string\]
|
||||
> `services`: [string]
|
||||
|
||||
开启的 API 列表,可选的值见 [API 列表](#支持的-api-列表)。
|
||||
List of enabled APIs, optional values can be found in [Supported API List](#supported-api-list).
|
||||
|
||||
## 相关配置
|
||||
## Related Configuration
|
||||
|
||||
可以在 inbounds 配置中增加一个 api 的 inbound
|
||||
An api inbound can be added to the inbounds configuration.
|
||||
|
||||
```json
|
||||
"inbounds": [
|
||||
@ -49,7 +48,7 @@ API 接口配置提供了一些基于 [gRPC](https://grpc.io/)的 API 接口供
|
||||
]
|
||||
```
|
||||
|
||||
在路由配置中增加针对 api inbound 的路由规则
|
||||
Add routing rules for the api inbound in the routing configuration.
|
||||
|
||||
```json
|
||||
"routing": {
|
||||
@ -65,30 +64,30 @@ API 接口配置提供了一些基于 [gRPC](https://grpc.io/)的 API 接口供
|
||||
}
|
||||
```
|
||||
|
||||
## 支持的 API 列表
|
||||
## Supported API List
|
||||
|
||||
### HandlerService
|
||||
|
||||
一些对于入站出站代理进行修改的 API,可用的功能如下:
|
||||
APIs that modify the inbound and outbound proxies, with the following available functions:
|
||||
|
||||
- 添加一个新的入站代理;
|
||||
- 添加一个新的出站代理;
|
||||
- 删除一个现有的入站代理;
|
||||
- 删除一个现有的出站代理;
|
||||
- 在一个入站代理中添加一个用户(仅支持 VMess、VLESS、Trojan、Shadowsocks(v1.3.0+));
|
||||
- 在一个入站代理中删除一个用户(仅支持 VMess、VLESS、Trojan、Shadowsocks(v1.3.0+));
|
||||
- Add a new inbound proxy;
|
||||
- Add a new outbound proxy;
|
||||
- Delete an existing inbound proxy;
|
||||
- Delete an existing outbound proxy;
|
||||
- Add a user to an inbound proxy (VMess, VLESS, Trojan, and Shadowsocks(v1.3.0+) only);
|
||||
- Delete a user from an inbound proxy (VMess, VLESS, Trojan, and Shadowsocks(v1.3.0+) only);
|
||||
|
||||
### LoggerService
|
||||
|
||||
支持对内置 Logger 的重启,可配合 logrotate 进行一些对日志文件的操作。
|
||||
Supports restarting the built-in logger, which can be used in conjunction with logrotate to perform operations on log files.
|
||||
|
||||
### StatsService
|
||||
|
||||
内置的数据统计服务,详见 [统计信息](./stats.md)。
|
||||
Built-in data statistics service, see [Statistics Information](./stats.md) for details.
|
||||
|
||||
### ReflectionService
|
||||
|
||||
支持 gRPC 客户端获取服务端的 API 列表。
|
||||
Supports gRPC clients to obtain the list of APIs from the server.
|
||||
|
||||
```bash
|
||||
$ grpcurl -plaintext localhost:10085 list
|
||||
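Review bot: The translated HandlerService list says the API can add and delete inbound proxies, outbound proxies and users, and the ReflectionService example reaches it with `grpcurl -plaintext localhost:10085`, yet no sentence in this hunk tells the reader who should be able to reach that port. Consider adding one line under "Supported API List" stating that the example endpoint runs without TLS and that the api inbound should listen on a loopback address only.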
@ -99,6 +98,6 @@ xray.app.proxyman.command.HandlerService
|
||||
xray.app.stats.command.StatsService
|
||||
```
|
||||
|
||||
## API 调用示例
|
||||
## API Calling Example
|
||||
|
||||
[Xray-API-documents](https://github.com/XTLS/Xray-API-documents) @crossfw
|
||||
|
@ -1,42 +1,45 @@
|
||||
# 内置 DNS 服务器
|
||||
# Built-in DNS Server
|
||||
|
||||
## DNS 服务器
|
||||
## DNS Server
|
||||
|
||||
Xray 内置的 DNS 模块,主要有两大用途:
|
||||
The DNS module built into Xray has two main purposes:
|
||||
|
||||
- 在路由阶段, 解析域名为 IP, 并且根据域名解析得到的 IP 进行规则匹配以分流. 是否解析域名及分流和路由配置模块中 `domainStrategy` 的值有关, 只有在设置以下两种值时,才会使用内置 DNS 服务器进行 DNS 查询:
|
||||
|
||||
- "IPIfNonMatch", 请求一个域名时,进行路由里面的 domain 进行匹配,若无法匹配到结果,则对这个域名使用内置 DNS 服务器进行 DNS 查询,并且使用查询返回的 IP 地址再重新进行 IP 路由匹配。
|
||||
- "IPOnDemand", 当匹配时碰到任何基于 IP 的规则,将域名立即解析为 IP 进行匹配。
|
||||
|
||||
- 解析目标地址进行连接。
|
||||
- 如 在 `freedom` 出站中,将 `domainStrategy` 设置为 `UseIP`, 由此出站发出的请求, 会先将域名通过内置服务器解析成 IP, 然后进行连接。
|
||||
- 如 在 `sockopt` 中,将 `domainStrategy` 设置为 `UseIP`, 此出站发起的系统连接,将先由内置服务器解析为 IP, 然后进行连接。
|
||||
- During the routing phase, it resolves domain names to IP addresses and performs traffic splitting based on the results of domain name resolution and the value of `domainStrategy` in the routing configuration module. The built-in DNS server is only used for DNS queries when either of the following values is set:
|
||||
- "IPIfNonMatch": When a domain name is requested, it first tries to match it against the `domain` entries in the routing configuration. If no match is found, the built-in DNS server is used to perform a DNS query for the domain name, and the returned IP address is used to perform IP routing matching again.
|
||||
- "IPOnDemand": When a domain name is matched against any IP-based rule, it is immediately resolved to an IP address for matching.
|
||||
- It resolves the target address for connection.
|
||||
- In the `freedom` outbound setting, if `domainStrategy` is set to `UseIP`, requests made through the outbound proxy will first resolve the domain name to an IP address using the built-in server before making the connection.
|
||||
- In the `sockopt` setting, if `domainStrategy` is set to `UseIP`, system connections initiated through the outbound proxy will first be resolved to an IP address using the built-in server before making the connection.
|
||||
|
||||
::: tip TIP 1
|
||||
内置 DNS 服务器所发出的 DNS 查询请求,会自动根据路由配置进行转发。
|
||||
DNS queries sent by the built-in DNS server are automatically forwarded based on the routing configuration.
|
||||
:::
|
||||
|
||||
::: tip TIP 2
|
||||
只支持最基本的 IP 查询(A 和 AAAA 记录),CNAME 记录将会重复查询直至返回 A/AAAA 记录为止。其他查询不会进入内置 DNS 服务器。
|
||||
Only basic IP queries (A and AAAA records) are supported. CNAME records will be queried repeatedly until an A/AAAA record is returned. Other queries will not enter the built-in DNS server.
|
||||
:::
|
||||
|
||||
## DNS 处理流程
|
||||
## DNS Processing Flow
|
||||
|
||||
若当前要查询的域名:
|
||||
If the domain name to be queried:
|
||||
|
||||
- 命中了 `hosts` 中的「域名 - IP」、「域名 - IP 数组」映射,则将该 IP 或 IP 数组作为 DNS 解析结果返回。
|
||||
- 命中了 `hosts` 中的「域名 - 域名」映射,则该映射的值(另一个域名)将作为当前要查询的域名,进入 DNS 处理流程,直到解析出 IP 后返回,或返回空解析。
|
||||
- 没有命中 `hosts`,但命中了某(几)个 DNS 服务器中的 `domains` 域名列表,则按照命中的规则的优先级,依次使用该规则对应的 DNS 服务器进行查询。若命中的 DNS 服务器查询失败或 `expectIPs` 不匹配,则使用下一个命中的 DNS 服务器进行查询;否则返回解析得到的 IP。若所有命中的 DNS 服务器均查询失败或 `expectIPs` 不匹配,此时 DNS 组件:
|
||||
- 默认会进行 「DNS 回退(fallback)查询」:使用「上一轮失败查询中未被使用的、且 `skipFallback` 为默认值 `false` 的 DNS 服务器」依次查询。若查询失败或 `expectIPs` 不匹配,返回空解析;否则返回解析得到的 IP。
|
||||
- 若 `disableFallback` 设置为 `true`,则不会进行「DNS 回退(fallback)查询」。
|
||||
- 既没有命中 `hosts`,又没有命中 DNS 服务器中的 `domains` 域名列表,则:
|
||||
- 默认使用「`skipFallback` 为默认值 `false` 的 DNS 服务器」依次查询。若第一个被选中的 DNS 服务器查询失败或 `expectIPs` 不匹配,则使用下一个被选中的 DNS 服务器进行查询;否则返回解析得到的 IP。若所有被选中的 DNS 服务器均查询失败或 `expectIPs` 不匹配,返回空解析。
|
||||
- 若「`skipFallback` 为默认值 `false` 的 DNS 服务器」数量为 0 或 `disableFallback` 设置为 `true`,则使用 DNS 配置中的第一个 DNS 服务器进行查询。查询失败或 `expectIPs` 不匹配,返回空解析;否则返回解析得到的 IP。
|
||||
- Matches the mapping of "domain name - IP" or "domain name - IP array" in the `hosts`, then the IP or IP array will be returned as the DNS resolution result.
|
||||
|
||||
- Matches the mapping of "domain name - domain name" in the `hosts`, then the value of this mapping (another domain name) will be used as the domain name to be queried, and enter the DNS processing flow until an IP is resolved and returned, or an empty resolution is returned.
|
||||
|
||||
- Does not match `hosts`, but matches the `domains` list in one or more DNS servers, then according to the priority of the matching rule, use the DNS server corresponding to the rule to perform the query in sequence. If the DNS server that is hit fails to query or `expectIPs` does not match, then use the next hit DNS server to perform the query. Otherwise, return the resolved IP. If all hit DNS servers fail to query or `expectIPs` does not match, then the DNS component:
|
||||
|
||||
- By default, it will perform "DNS fallback query": use the "DNS server that has not been used in the last failed query and has a default value of `false` for `skipFallback`" to perform the query in sequence. If the query fails or `expectIPs` does not match, return an empty resolution; otherwise, return the resolved IP.
|
||||
- If `disableFallback` is set to `true`, "DNS fallback query" will not be performed.
|
||||
|
||||
- If neither `hosts` nor the `domains` list in DNS servers matches, then:
|
||||
|
||||
- By default, use the "DNS server that has a default value of `false` for `skipFallback`" to perform the query in sequence. If the first selected DNS server fails to query or `expectIPs` does not match, then use the next selected DNS server to perform the query. Otherwise, return the resolved IP. If all selected DNS servers fail to query or `expectIPs` does not match, return an empty resolution.
|
||||
- If the number of "DNS servers that have a default value of `false` for `skipFallback`" is 0 or `disableFallback` is set to `true`, use the first DNS server in the DNS configuration to perform the query. If the query fails or `expectIPs` does not match, return an empty resolution; otherwise, return the resolved IP.
|
||||
|
||||
## DnsObject
|
||||
|
||||
`DnsObject` 对应配置文件的 `dns` 项。
|
||||
`DnsObject` corresponds to the `dns` section in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
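Review bot: The first bullet under "DNS Server" merges two statements of the line it replaces: the English says splitting is performed "based on the results of domain name resolution and the value of `domainStrategy`", while the original says that whether the name is resolved and split at all depends on the value of `domainStrategy` in the routing module. Split it into two sentences so that "only used for DNS queries when either of the following values is set" has something to refer to. The "IPOnDemand" item has a similar slip: the original says the name is resolved as soon as matching encounters any IP-based rule, not when the domain name "is matched against" one.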
@ -70,83 +73,83 @@ Xray 内置的 DNS 模块,主要有两大用途:
|
||||
|
||||
> `hosts`: map{string: address} | map{string: [address]}
|
||||
|
||||
静态 IP 列表,其值为一系列的 "域名": "地址" 或 "域名": ["地址 1","地址 2"]。其中地址可以是 IP 或者域名。在解析域名时,如果域名匹配这个列表中的某一项:
|
||||
A list of static IP addresses, with values consisting of a series of "domain": "address" or "domain": ["address 1","address 2"]. The address can be an IP or a domain name. When resolving a domain name, if the domain name matches an item in this list:
|
||||
|
||||
- 当该项的地址为 IP 时,则解析结果为该项的 IP
|
||||
- 当该项的地址为域名时,会使用此域名进行 IP 解析,而不使用原始域名。
|
||||
- 当地址中同时设置了多个 IP 和域名,则只会返回第一个域名,其余 IP 和域名均被忽略。
|
||||
- If the address of the item is an IP, the resolution result will be that IP.
|
||||
- If the address of the item is a domain name, this domain name will be used for IP resolution instead of the original domain name.
|
||||
- If multiple IPs and domain names are set in the address, only the first domain name will be returned, and the rest of the IPs and domain names will be ignored.
|
||||
|
||||
域名的格式有以下几种形式:
|
||||
The domain name can take several forms:
|
||||
|
||||
- 纯字符串:当此字符串完整匹配目标域名时,该规则生效。例如 "xray.com" 匹配 "xray.com",但不匹配 "www.xray.com"。
|
||||
- 正则表达式:由 `"regexp:"` 开始,余下部分是一个正则表达式。当此正则表达式匹配目标域名时,该规则生效。例如 "regexp:\\\\.goo.\*\\\\.com\$" 匹配 "www.google.com"、"fonts.googleapis.com",但不匹配 "google.com"。
|
||||
- 子域名 (推荐):由 `"domain:"` 开始,余下部分是一个域名。当此域名是目标域名或其子域名时,该规则生效。例如 "domain:xray.com" 匹配 "www.xray.com" 与 "xray.com",但不匹配 "wxray.com"。
|
||||
- 子串:由 `"keyword:"` 开始,余下部分是一个字符串。当此字符串匹配目标域名中任意部分,该规则生效。比如 "keyword:sina.com" 可以匹配 "sina.com"、"sina.com.cn" 和 "www.sina.com",但不匹配 "sina.cn"。
|
||||
- 预定义域名列表:由 `"geosite:"` 开头,余下部分是一个名称,如 `geosite:google` 或者 `geosite:cn`。名称及域名列表参考 [预定义域名列表](./routing.md#预定义域名列表)。
|
||||
- Plain string: When this string matches the target domain name exactly, the rule takes effect. For example, "xray.com" matches "xray.com" but not "www.xray.com".
|
||||
- Regular expression: Starting with `"regexp:"`, the rest is a regular expression. When this regular expression matches the target domain name, the rule takes effect. For example, "regexp:\\.goo.\*\\.com$" matches "www.google.com" and "fonts.googleapis.com", but not "google.com".
|
||||
- Subdomain (recommended): Starting with `"domain:"`, the rest is a domain name. When this domain name is the target domain name or its subdomain, the rule takes effect. For example, "domain:xray.com" matches "www.xray.com" and "xray.com", but not "wxray.com".
|
||||
- Substring: Starting with `"keyword:"`, the rest is a string. When this string matches any part of the target domain name, the rule takes effect. For example, "keyword:sina.com" can match "sina.com", "sina.com.cn", and "www.sina.com", but not "sina.cn".
|
||||
- Predefined domain name list: Starting with `"geosite:"`, the rest is a name, such as `geosite:google` or `geosite:cn`. The names and domain name lists are listed in [Predefined Domain Name Lists](#predefined-domain-name-lists).
|
||||
|
||||
> `servers`: \[string | [ServerObject](#serverobject) \]
|
||||
> `servers`: [string | [ServerObject](#serverobject) ]
|
||||
|
||||
一个 DNS 服务器列表,支持的类型有两种:DNS 地址(字符串形式)和 [ServerObject](#serverobject) 。
|
||||
A list of DNS servers that supports two types: DNS addresses (in string format) and [ServerObject](#serverobject).
|
||||
|
||||
当值为 `"localhost"` 时,表示使用本机预设的 DNS 配置。
|
||||
When the value is `"localhost"`, it means to use the default DNS configuration on the local machine.
|
||||
|
||||
当它的值是一个 DNS `"IP:Port"` 地址时,如 `"8.8.8.8:53"`,Xray 会使用此地址的指定 UDP 端口进行 DNS 查询。该查询遵循路由规则。不指定端口时,默认使用 53 端口。
|
||||
When the value is a DNS `"IP:Port"` address, such as `"8.8.8.8:53"`, Xray will use the specified UDP port of this address for DNS queries. The query follows the routing rules. When the port is not specified, the default port 53 is used.
|
||||
|
||||
当值是 `"tcp://host:port"` 的形式,如 `"tcp://8.8.8.8:53"`,Xray 会使用 `DNS over TCP` 进行查询。该查询遵循路由规则。不指定端口时,默认使用 53 端口。
|
||||
When the value is in the form of `"tcp://host:port"`, such as `"tcp://8.8.8.8:53"`, Xray will use `DNS over TCP` for queries. The query follows the routing rules. When the port is not specified, the default port 53 is used.
|
||||
|
||||
当值是 `"tcp+local://host:port"` 的形式,如 `"tcp+local://8.8.8.8:53"`,Xray 会使用 `TCP 本地模式 (TCPL)` 进行查询。即 DNS 请求不会经过路由组件,直接通过 Freedom outbound 对外请求,以降低耗时。不指定端口时,默认使用 53 端口。
|
||||
When the value is in the form of `"tcp+local://host:port"`, such as `"tcp+local://8.8.8.8:53"`, Xray will use `TCP local mode (TCPL)` for queries. That is, DNS requests will not pass through the routing component and will directly request outbound through Freedom, to reduce latency. When the port is not specified, the default port 53 is used.
|
||||
|
||||
当值是 `"https://host:port/dns-query"` 的形式,如 `"https://dns.google/dns-query"`,Xray 会使用 `DNS over HTTPS` (RFC8484, 简称 DOH) 进行查询。有些服务商拥有 IP 别名的证书,可以直接写 IP 形式,比如 `https://1.1.1.1/dns-query`。也可使用非标准端口和路径,如 `"https://a.b.c.d:8443/my-dns-query"`
|
||||
When the value is in the form of `"https://host:port/dns-query"`, such as `"https://dns.google/dns-query"`, Xray will use `DNS over HTTPS` (RFC8484, abbreviated as DOH) for queries. Some service providers have certificates with IP aliases, which can be directly written in IP form, such as `https://1.1.1.1/dns-query`. Non-standard ports and paths can also be used, such as `"https://a.b.c.d:8443/my-dns-query"`.
|
||||
|
||||
当值是 `"https+local://host:port/dns-query"` 的形式,如 `"https+local://dns.google/dns-query"`,Xray 会使用 `DOH 本地模式 (DOHL)` 进行查询,即 DOH 请求不会经过路由组件,直接通过 Freedom outbound 对外请求,以降低耗时。一般适合在服务端使用。也可使用非标端口和路径。
|
||||
When the value is in the form of `"https+local://host:port/dns-query"`, such as `"https+local://dns.google/dns-query"`, Xray will use `DOH local mode (DOHL)` for queries. That is, DOH requests will not pass through the routing component and will directly request outbound through Freedom, to reduce latency. This is generally suitable for use on the server side. Non-standard ports and paths can also be used.
|
||||
|
||||
当值是 `"quic+local://host"` 的形式,如 `"quic+local://dns.adguard.com"`,Xray 会使用 `DNS over QUIC 本地模式 (DOQL)` 进行查询,即 DNS 请求不会经过路由组件,直接通过 Freedom outbound 对外请求。该方式需要 DNS 服务器支持 DNS over QUIC。默认使用 784 端口进行查询,可以使用非标端口。
|
||||
When the value is in the form of `"quic+local://host"`, such as `"quic+local://dns.adguard.com"`, Xray will use `DNS over QUIC local mode (DOQL)` for queries. That is, DNS requests will not pass through the routing component and will directly request outbound through Freedom. This method requires DNS server support for DNS over QUIC. The default port 784 is used for queries, and non-standard ports can also be used.
|
||||
|
||||
当值是 `fakedns` 时,将使用 FakeDNS 功能进行查询。
|
||||
When the value is `fakedns`, the FakeDNS function will be used for queries.
|
||||
|
||||
::: tip TIP 1
|
||||
当使用 `localhost` 时,本机的 DNS 请求不受 Xray 控制,需要额外的配置才可以使 DNS 请求由 Xray 转发。
|
||||
When using `localhost`, DNS requests on the local machine are not controlled by Xray and additional configuration is required to make DNS requests forwarded by Xray.
|
||||
:::
|
||||
|
||||
::: tip TIP 2
|
||||
不同规则初始化得到的 DNS 客户端会在 Xray 启动日志中以 `info` 级别体现,比如 `local DOH`、`remote DOH` 和 `udp` 等模式。
|
||||
DNS clients initialized with different rules will be reflected in the Xray startup log at the `info` level, such as `local DOH`, `remote DOH`, and `udp` modes.
|
||||
:::
|
||||
|
||||
::: tip TIP 3
|
||||
(v1.4.0+) 可以在 [日志](./log.md) 中打开 DNS 查询日志。
|
||||
(v1.4.0+) DNS query logging can be enabled in the [log](./log.md).
|
||||
:::
|
||||
|
||||
> `clientIp`: string
|
||||
|
||||
用于 DNS 查询时通知服务器以指定 IP 位置。不能是私有地址。
|
||||
Used to notify the server of the specified IP location during DNS queries. Cannot be a private address.
|
||||
|
||||
::: tip TIP 1
|
||||
需要 DNS 服务器支持 EDNS Client Subnet。
|
||||
EDNS Client Subnet support is required for the DNS server.
|
||||
:::
|
||||
|
||||
::: tip TIP 2
|
||||
可以在 [DnsObject](#dnsobject) 为所有 DNS 服务器指定 clientIp, 也可在每个 DNS 服务器配置的 [ServerObject](#serverobject) 为此 DNS 服务器指定 clientIp (优先级高于 [DnsObject](#dnsobject) 的配置)。
|
||||
You can specify `clientIp` for all DNS servers in [DnsObject](#dnsobject), or specify it for each DNS server in the configuration of [ServerObject](#serverobject) (which has higher priority than the configuration in [DnsObject](#dnsobject)).
|
||||
:::
|
||||
|
||||
> `queryStrategy`: "UseIP" | "UseIPv4" | "UseIPv6"
|
||||
|
||||
`UseIPv4` 只查询 A 记录;`UseIPv6` 只查询 AAAA 记录。默认值为 `UseIP`,即查询 A 和 AAAA 记录。
|
||||
`UseIPv4` only queries A records; `UseIPv6` only queries AAAA records. The default value is `UseIP`, which queries both A and AAAA records.
|
||||
|
||||
> `disableCache`: true | false
|
||||
|
||||
`true` 禁用 DNS 缓存,默认为 `false`,即不禁用。
|
||||
`true` disables DNS caching, default is `false` which means caching is not disabled.
|
||||
|
||||
> `disableFallback`: true | false
|
||||
|
||||
`true` 禁用 DNS 的 fallback 查询,默认为 `false`,即不禁用。
|
||||
`true` disables fallback DNS queries, default is `false` which means fallback queries are not disabled.
|
||||
|
||||
> `disableFallbackIfMatch`: true | false
|
||||
|
||||
`true` 当 DNS 服务器的优先匹配域名列表命中时,禁用 fallback 查询,默认为 `false`,即不禁用。
|
||||
`true` disables fallback DNS queries when the matching domain list of the DNS server is hit, default is `false` which means fallback queries are not disabled.
|
||||
|
||||
> `tag`: string
|
||||
|
||||
由内置 DNS 发出的查询流量,除 `localhost`、`fakedns`、`TCPL`、`DOHL` 和 `DOQL` 模式外,都可以用此标识在路由使用 `inboundTag` 进行匹配。
|
||||
Traffic generated by built-in DNS, except for `localhost`, `fakedns`, `TCPL`, `DOHL`, and `DOQL` modes, can be matched with `inboundTag` in routing using this identifier.
|
||||
|
||||
### ServerObject
|
||||
|
||||
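Review bot: In the "Predefined domain name list" bullet the link target changed from `./routing.md#预定义域名列表` to the same-page anchor `#predefined-domain-name-lists`, and nothing in the dns.md hunks shown here defines a heading with that name, so the link will most likely be dead. Keep the `./routing.md#...` prefix and point it at the translated heading in routing.md. In the "Regular expression" bullet the example also went from `\\\\.goo.\*\\\\.com\$` to `\\.goo.\*\\.com$`, which halves the backslashes the reader sees after rendering; keep the original escaping so the example can still be pasted into a JSON string.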
@ -163,40 +166,40 @@ Xray 内置的 DNS 模块,主要有两大用途:
|
||||
|
||||
> `address`: address
|
||||
|
||||
一个 DNS 服务器列表,支持的类型有两种:DNS 地址(字符串形式)和 ServerObject 。
|
||||
A list of DNS servers, which can be either DNS addresses (in string form) or ServerObjects.
|
||||
|
||||
当值为 `"localhost"` 时,表示使用本机预设的 DNS 配置。
|
||||
When the value is `"localhost"`, it means using the local DNS configuration.
|
||||
|
||||
当它的值是一个 DNS `"IP"` 地址时,如 `"8.8.8.8"`,Xray 会使用此地址的指定 UDP 端口进行 DNS 查询。该查询遵循路由规则。默认使用 53 端口。
|
||||
When the value is a DNS `"IP"` address, such as `"8.8.8.8"`, Xray will use the specified UDP port of this address for DNS queries. The query follows routing rules. By default, port 53 is used.
|
||||
|
||||
当值是 `"tcp://host"` 的形式,如 `"tcp://8.8.8.8"`,Xray 会使用 `DNS over TCP` 进行查询。该查询遵循路由规则。默认使用 53 端口。
|
||||
When the value is in the form of `"tcp://host"`, such as `"tcp://8.8.8.8"`, Xray will use `DNS over TCP` for the query. The query follows routing rules. By default, port 53 is used.
|
||||
|
||||
当值是 `"tcp+local://host"` 的形式,如 `"tcp+local://8.8.8.8"`,Xray 会使用 `TCP 本地模式 (TCPL)` 进行查询。即 DNS 请求不会经过路由组件,直接通过 Freedom outbound 对外请求,以降低耗时。不指定端口时,默认使用 53 端口。
|
||||
When the value is in the form of `"tcp+local://host"`, such as `"tcp+local://8.8.8.8"`, Xray will use `TCP local mode (TCPL)` for the query. That is, the DNS request will not go through the routing component and will be sent directly through the Freedom outbound to reduce latency. When no port is specified, port 53 is used by default.
|
||||
|
||||
当值是 `"https://host:port/dns-query"` 的形式,如 `"https://dns.google/dns-query"`,Xray 会使用 `DNS over HTTPS` (RFC8484, 简称 DOH) 进行查询。有些服务商拥有 IP 别名的证书,可以直接写 IP 形式,比如 `https://1.1.1.1/dns-query`。也可使用非标准端口和路径,如 `"https://a.b.c.d:8443/my-dns-query"`
|
||||
When the value is in the form of `"https://host:port/dns-query"`, such as `"https://dns.google/dns-query"`, Xray will use `DNS over HTTPS` (RFC8484, abbreviated as DOH) for the query. Some service providers have IP alias certificates, which can be directly written in IP form, such as `https://1.1.1.1/dns-query`. Non-standard ports and paths can also be used, such as `"https://a.b.c.d:8443/my-dns-query"`.
|
||||
|
||||
当值是 `"https+local://host:port/dns-query"` 的形式,如 `"https+local://dns.google/dns-query"`,Xray 会使用 `DOH 本地模式 (DOHL)` 进行查询,即 DOH 请求不会经过路由组件,直接通过 Freedom outbound 对外请求,以降低耗时。一般适合在服务端使用。也可使用非标端口和路径。
|
||||
When the value is in the form of `"https+local://host:port/dns-query"`, such as `"https+local://dns.google/dns-query"`, Xray will use `DOH local mode (DOHL)` for the query, which means that the DOH request will not go through the routing component and will be sent directly through the Freedom outbound to reduce latency. This is generally suitable for server-side use. Non-standard ports and paths can also be used.
|
||||
|
||||
当值是 `"quic+local://host:port"` 的形式,如 `"quic+local://dns.adguard.com"`,Xray 会使用 `DOQ 本地模式 (DOQL)` 进行查询,即 DNS 请求不会经过路由组件,直接通过 Freedom outbound 对外请求。该方式需要 DNS 服务器支持 DNS over QUIC。默认使用 784 端口进行查询,可以使用非标端口。
|
||||
When the value is in the form of `"quic+local://host:port"`, such as `"quic+local://dns.adguard.com"`, Xray will use `DOQ local mode (DOQL)` for the query, which means that the DNS request will not go through the routing component and will be sent directly through the Freedom outbound. This method requires DNS server support for DNS over QUIC. By default, port 784 is used for the query, and non-standard ports can be used.
|
||||
|
||||
当值是 `fakedns` 时,将使用 FakeDNS 功能进行查询。
|
||||
When the value is `fakedns`, FakeDNS functionality will be used for the query.
|
||||
|
||||
> `port`: number
|
||||
|
||||
DNS 服务器端口,如 `53`。此项缺省时默认为 `53`。当使用 DOH、DOHL、DOQL 模式时该项无效,非标端口应在 URL 中指定。
|
||||
The port number of the DNS server, such as `53`. If not specified, the default is `53`. This item is not applicable when using DOH, DOHL, or DOQL modes, and non-standard ports should be specified in the URL.
|
||||
|
||||
> `domains`: \[string\]
|
||||
> `domains`: [string]
|
||||
|
||||
一个域名列表,此列表包含的域名,将优先使用此服务器进行查询。域名格式和 [路由配置](./routing.md#ruleobject) 中相同。
|
||||
A list of domain names. The domain names in this list will be queried using this server first. The format of domain names is the same as in [routing configuration](./routing.md#ruleobject).
|
||||
|
||||
> `expectIPs`:\[string\]
|
||||
> `expectIPs`: [string]
|
||||
|
||||
一个 IP 范围列表,格式和 [路由配置](./routing.md#ruleobject) 中相同。
|
||||
A list of IP ranges in the same format as in [routing configuration](./routing.md#ruleobject).
|
||||
|
||||
当配置此项时,Xray DNS 会对返回的 IP 的进行校验,只返回包含 expectIPs 列表中的地址。
|
||||
When this item is configured, Xray DNS will verify the returned IP addresses and only return addresses that are included in the `expectIPs` list.
|
||||
|
||||
如果未配置此项,会原样返回 IP 地址。
|
||||
If this item is not configured, the IP address will be returned as is.
|
||||
|
||||
> `skipFallback`: true | false
|
||||
|
||||
`true`,在进行 DNS fallback 查询时将跳过此服务器, 默认为 `false`,即不跳过。
|
||||
`true` means to skip this server when performing DNS fallback queries, and the default is `false`, which means not to skip.
|
||||
|
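Review bot: The description under `address`: address still opens with "A list of DNS servers, which can be either DNS addresses (in string form) or ServerObjects", a sentence carried over from the `servers` field, although this entry is typed as a single address. The translation is faithful to the replaced line, but this is a good moment to reword it, for example "The address of the DNS server", and to drop the mention of ServerObjects.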
@ -1,14 +1,14 @@
|
||||
# FakeDNS
|
||||
|
||||
FakeDNS 通过伪造 DNS 以获取目标域名,能够降低 DNS 查询时的延迟、配合透明代理获取目标域名。
|
||||
FakeDNS is used to obtain target domain names by forging DNS, which can reduce the delay in DNS queries and work with transparent proxies to obtain target domain names.
|
||||
|
||||
::: warning
|
||||
FakeDNS 有可能会污染本地 DNS,导致 Xray 关闭后“无法访问网络”。
|
||||
FakeDNS may contaminate the local DNS and cause "network unreachable" after Xray is closed.
|
||||
:::
|
||||
|
||||
## FakeDNSObject
|
||||
|
||||
`FakeDNSObject` 对应配置文件的 `fakedns` 项。
|
||||
`FakeDNSObject` corresponds to the `fakedns` item in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -17,7 +17,7 @@ FakeDNS 有可能会污染本地 DNS,导致 Xray 关闭后“无法访问网
|
||||
}
|
||||
```
|
||||
|
||||
`FakeDnsObject` 亦可配置为一个包含多个 FakeIP Pool 的数组。当收到 DNS 查询请求时,FakeDNS 会返回一组同时由多个 FakeIP Pool 得到的一组 FakeIP。
|
||||
`FakeDnsObject` can also be configured as an array containing multiple FakeIP Pools. When a DNS query request is received, FakeDNS returns a group of FakeIPs obtained by multiple FakeIP Pools at the same time.
|
||||
|
||||
```json
|
||||
[
|
||||
@ -34,20 +34,20 @@ FakeDNS 有可能会污染本地 DNS,导致 Xray 关闭后“无法访问网
|
||||
|
||||
> `ipPool`: CIDR
|
||||
|
||||
FakeDNS 将使用此选项指定的 IP 块分配地址。
|
||||
FakeDNS will use the IP block specified by this option to allocate addresses.
|
||||
|
||||
> `poolSize`: int
|
||||
|
||||
指定 FakeDNS 储存的 域名-IP 映射的最大数目。当映射数超过此值后,会按照 LRU 规则淘汰映射。默认为 65535。
|
||||
Specifies the maximum number of domain name-IP mappings stored by FakeDNS. When the number of mappings exceeds this value, mappings will be eliminated according to the LRU rule. The default is 65535.
|
||||
|
||||
::: warning
|
||||
`poolSize` 必须小于或等于 `ipPool` 对应的地址总数。
|
||||
`poolSize` must be less than or equal to the total number of addresses corresponding to `ipPool`.
|
||||
:::
|
||||
|
||||
::: tip
|
||||
若配置文件中 `dns` 项设置了 `fakedns` 但配置文件没有设置 `FakeDnsObject`,Xray 会根据 DNS 组件的 `queryStrategy` 来初始化 `FakeDnsObject`。
|
||||
If the `dns` item in the configuration file sets `fakedns`, but the configuration file does not set `FakeDNSObject`, Xray will initialize `FakeDNSObject` based on the `queryStrategy` of the DNS component.
|
||||
|
||||
`queryStrategy` 为 `UseIP` 时,初始化的 FakeIP Pool 相当于
|
||||
When `queryStrategy` is set to `UseIP`, the initialized FakeIP Pool is equivalent to
|
||||
|
||||
```json
|
||||
[
|
||||
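Review bot: The tip translates `FakeDnsObject` as `FakeDNSObject` (twice in "the configuration file does not set `FakeDNSObject`, Xray will initialize `FakeDNSObject`"), while the replaced line and the earlier translated paragraph ("`FakeDnsObject` can also be configured as an array") both use `FakeDnsObject`. Identifiers inside backticks should be copied unchanged from the original; pick one spelling and use it in every translated sentence of this file.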
@ -62,7 +62,7 @@ FakeDNS 将使用此选项指定的 IP 块分配地址。
|
||||
]
|
||||
```
|
||||
|
||||
`queryStrategy` 为 `UseIPv4` 时,初始化的 FakeIP Pool 相当于
|
||||
When `queryStrategy` is set to `UseIPv4`, the initialized FakeIP Pool is equivalent to
|
||||
|
||||
```json
|
||||
{
|
||||
@ -71,7 +71,7 @@ FakeDNS 将使用此选项指定的 IP 块分配地址。
|
||||
}
|
||||
```
|
||||
|
||||
`queryStrategy` 为 `UseIPv6` 时,初始化的 FakeIP Pool 相当于
|
||||
When `queryStrategy` is set to `UseIPv6`, the initialized FakeIP Pool is equivalent to
|
||||
|
||||
```json
|
||||
{
|
||||
@ -82,17 +82,17 @@ FakeDNS 将使用此选项指定的 IP 块分配地址。
|
||||
|
||||
:::
|
||||
|
||||
### 如何使用?
|
||||
### How to use?
|
||||
|
||||
FakeDNS 本质上是一个 [DNS 服务器](./dns.md#serverobject),能够与任意 DNS 规则配合使用。
|
||||
FakeDNS is essentially a [DNS server](./dns.md#serverobject) that can be used in conjunction with any DNS rules.
|
||||
|
||||
只有将 DNS 查询路由到 FakeDNS,才能使其发挥作用。
|
||||
Only by routing DNS queries to FakeDNS can it be effective.
|
||||
|
||||
```json
|
||||
{
|
||||
"dns": {
|
||||
"servers": [
|
||||
"fakedns", // fakedns 排在首位
|
||||
"fakedns", // fakedns comes first
|
||||
"8.8.8.8"
|
||||
]
|
||||
},
|
||||
@ -106,7 +106,7 @@ FakeDNS 本质上是一个 [DNS 服务器](./dns.md#serverobject),能够与任
|
||||
"rules": [
|
||||
{
|
||||
"type": "field",
|
||||
"inboundTag": ["dns-in"], // 劫持来自 DNS 查询入口的 DNS 流量,或劫持来自透明代理入站的 DNS 流量。
|
||||
"inboundTag": ["dns-in"], // Intercept DNS traffic from DNS query inbound or from inbound traffic of transparent proxies.
|
||||
"port": 53,
|
||||
"outboundTag": "dns-out"
|
||||
}
|
||||
@ -115,27 +115,27 @@ FakeDNS 本质上是一个 [DNS 服务器](./dns.md#serverobject),能够与任
|
||||
}
|
||||
```
|
||||
|
||||
当外部 DNS 请求进入 FakeDNS 组件时,它会返回位于自己 `ipPool` 内的 IP 地址作为域名的虚构解析结果,并记录该域名与虚构解析结果之间的映射关系。
|
||||
When external DNS requests enter the FakeDNS component, it will return IP addresses within its own `ipPool` as the virtual resolution results of the domain name, and record the mapping relationship between the domain name and the virtual resolution results.
|
||||
|
||||
另外,你需要在**客户端**接收需代理流量的入站中开启 `Sniffing`,并使用 `fakedns` 目标地址重置。
|
||||
In addition, you need to enable `Sniffing` in the **client** for incoming traffic that needs to be proxied, and use the `fakedns` target address reset.
|
||||
|
||||
```json
|
||||
"sniffing": {
|
||||
"enabled": true,
|
||||
"destOverride": ["fakedns"], // 使用 "fakedns",或与其它 sniffer 搭配使用,或直接使用 "fakedns+others"
|
||||
"metadataOnly": false // 此项为 true 时 destOverride 仅可使用 fakedns
|
||||
"destOverride": ["fakedns"], // Use "fakedns", or use it with other sniffer, or directly use "fakedns+others".
|
||||
"metadataOnly": false // When this item is true, destOverride can only use fakedns.
|
||||
},
|
||||
```
|
||||
|
||||
::: warning
|
||||
如果 FakeIP 没有被正确的还原为域名,将无法连接到服务器。
|
||||
If the FakeIP is not correctly restored to the domain name, the server will not be accessible.
|
||||
:::
|
||||
|
||||
### 与其它类型 DNS 搭配使用
|
||||
### Using with other types of DNS
|
||||
|
||||
#### 与 DNS 分流共存
|
||||
#### Coexistence with DNS shunting
|
||||
|
||||
使用 DNS 分流时,为了使 `fakedns` 拥有高优先级,需要对其增加与其他类型 DNS 相同的 `domains`。
|
||||
When using DNS shunting, to give `fakedns` a higher priority, you need to add the same `domains` as other types of DNS.
|
||||
|
||||
```json
|
||||
{
|
||||
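Review bot: In the added sentence after the routing example, "use the `fakedns` target address reset" does not name the setting the reader has to change. Suggest "enable `sniffing` on the client inbound that receives the traffic to be proxied and include `fakedns` in `destOverride`", which matches the JSON directly below it. "Virtual resolution results" would also read better as "fake resolution results", and "DNS shunting" in the new heading as "split DNS".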
@ -143,7 +143,7 @@ FakeDNS 本质上是一个 [DNS 服务器](./dns.md#serverobject),能够与任
|
||||
{
|
||||
"address": "fakedns",
|
||||
"domains": [
|
||||
// 与下方分流所用的内容一致
|
||||
// consistent with the content used in the shunt below
|
||||
"geosite:cn",
|
||||
"domain:example.com"
|
||||
]
|
||||
@ -162,9 +162,9 @@ FakeDNS 本质上是一个 [DNS 服务器](./dns.md#serverobject),能够与任
|
||||
}
|
||||
```
|
||||
|
||||
#### FakeDNS 黑名单
|
||||
#### FakeDNS blacklist
|
||||
|
||||
如不希望某些域名使用 FakeDNS,则可在其它类型的 DNS 配置中添加 `domains` 配置,使指定域名在匹配时其它 DNS 服务器拥有比 FakeDNS 更高的优先级,进而实现 FakeDNS 的黑名单机制。
|
||||
If you do not want certain domain names to use FakeDNS, you can add `domains` configuration in other types of DNS configurations so that when the specified domain names are matched, other DNS servers have a higher priority than FakeDNS, thereby achieving the FakeDNS blacklist mechanism.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -178,9 +178,9 @@ FakeDNS 本质上是一个 [DNS 服务器](./dns.md#serverobject),能够与任
|
||||
}
|
||||
```
|
||||
|
||||
#### FakeDNS 白名单
|
||||
#### FakeDNS whitelist
|
||||
|
||||
如希望仅某些域名使用 FakeDNS,则可在 `fakedns` 增加 `domains` 配置,使指定域名在匹配时 `fakedns` 拥有比其它 DNS 服务器更高的优先级,进而实现 FakeDNS 的白名单机制。
|
||||
If you only want certain domain names to use FakeDNS, you can add `domains` configuration to `fakedns` so that when the specified domain names are matched, `fakedns` has a higher priority than other DNS servers, thereby achieving the FakeDNS whitelist mechanism.
|
||||
|
||||
```json
|
||||
{
|
||||
|
@ -1,10 +1,10 @@
|
||||
# 入站代理
|
||||
# Inbound Proxy
|
||||
|
||||
入站连接用于接收发来的数据,可用的协议请见[inbound protocols](./inbounds/)。
|
||||
Inbound connections are used to receive incoming data and the available protocols are listed in [inbound protocols](./inbounds/).
|
||||
|
||||
## InboundObject
|
||||
|
||||
`InboundObject` 对应配置文件中 `inbounds` 项的一个子元素。
|
||||
The `InboundObject` corresponds to a subelement of the `inbounds` item in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -12,10 +12,10 @@
|
||||
{
|
||||
"listen": "127.0.0.1",
|
||||
"port": 1080,
|
||||
"protocol": "协议名称",
|
||||
"protocol": "protocol_name",
|
||||
"settings": {},
|
||||
"streamSettings": {},
|
||||
"tag": "标识",
|
||||
"tag": "identifier",
|
||||
"sniffing": {
|
||||
"enabled": true,
|
||||
"destOverride": ["http", "tls"]
|
||||
@ -32,69 +32,69 @@
|
||||
|
||||
> `listen`: address
|
||||
|
||||
监听地址,IP 地址或 Unix domain socket,默认值为 `"0.0.0.0"`,表示接收所有网卡上的连接.
|
||||
The listening address, either an IP address or a Unix domain socket. The default value is `"0.0.0.0"`, which means accepting connections on all network interfaces.
|
||||
|
||||
可以指定一个系统可用的 IP 地址。
|
||||
An available system IP address can be specified.
|
||||
|
||||
支持填写 Unix domain socket,格式为绝对路径,形如 `"/dev/shm/domain.socket"`,可在开头加 `@` 代表 [abstract](https://www.man7.org/linux/man-pages/man7/unix.7.html),`@@` 则代表带 padding 的 abstract。
|
||||
Unix domain socket can also be specified by providing the absolute path in the form of `"/dev/shm/domain.socket"`. The `@` symbol can be added at the beginning to represent [abstract](https://www.man7.org/linux/man-pages/man7/unix.7.html), and `@@` represents padded abstract.
|
||||
|
||||
填写 Unix domain socket 时,`port` 和 `allocate` 将被忽略,协议目前可选 VLESS、VMess、Trojan,传输方式可选 TCP、WebSocket、HTTP/2、gRPC。
|
||||
When Unix domain socket is specified, `port` and `allocate` will be ignored. The protocol currently supports VLESS, VMess, and Trojan. The transport methods available are TCP, WebSocket, HTTP/2, and gRPC.
|
||||
|
||||
填写 Unix domain socket 时,填写为形如 `"/dev/shm/domain.socket,0666"` 的形式,即 socket 后加逗号及访问权限指示符,即可指定 socket 的访问权限,可用于解决默认情况下出现的 socket 访问权限问题。
|
||||
When specifying a Unix domain socket, you can add a comma and an access permission indicator after the socket, such as `"/dev/shm/domain.socket,0666"`, to specify the access permission of the socket. This can be used to solve the socket access permission issue that occurs by default.
|
||||
|
||||
> `port`: number | "env:variable" | string
|
||||
|
||||
端口。接受的格式如下:
|
||||
Port. The accepted formats are:
|
||||
|
||||
- 整型数值:实际的端口号。
|
||||
- 环境变量:以 `"env:"` 开头,后面是一个环境变量的名称,如 `"env:PORT"`。Xray 会以字符串形式解析这个环境变量。
|
||||
- 字符串:可以是一个数值类型的字符串,如 `"1234"`;或者一个数值范围,如 `"5-10"` 表示端口 5 到端口 10,这 6 个端口。可以使用逗号进行分段,如 `11,13,15-17` 表示端口 11、端口 13、端口 15 到端口 17 这 5 个端口。
|
||||
- Integer: the actual port number.
|
||||
- Environment variable: starts with `"env:"`, followed by the name of an environment variable, such as `"env:PORT"`. Xray will parse this environment variable as a string.
|
||||
- String: can be a numeric string, such as `"1234"`, or a range of port numbers, such as `"5-10"` which represents ports 5 through 10, a total of 6 ports. You can use commas to separate multiple ranges, such as `11,13,15-17`, which represents ports 11, 13, and 15 through 17, a total of 5 ports.
|
||||
|
||||
当只有一个端口时,Xray 会在此端口监听入站连接。当指定了一个端口范围时,取决于 `allocate` 设置。
|
||||
When only one port is specified, Xray listens for inbound connections on that port. When a range of ports is specified, it depends on the `allocate` setting.
|
||||
|
||||
> `protocol`: string
|
||||
|
||||
连接协议名称,可选的协议类型见 [inbound protocols](./inbounds/)。
|
||||
The connection protocol name. The optional protocol types are listed in [inbound protocols](./inbounds/).
|
||||
|
||||
> `settings`: InboundConfigurationObject
|
||||
|
||||
具体的配置内容,视协议不同而不同。详见每个协议中的 `InboundConfigurationObject`。
|
||||
The specific configuration content depends on the protocol. See `InboundConfigurationObject` in each protocol for details.
|
||||
|
||||
> `streamSettings`: [StreamSettingsObject](./transport.md#streamsettingsobject)
|
||||
|
||||
底层传输方式(transport)是当前 Xray 节点和其它节点对接的方式
|
||||
The underlying transport method is how the current Xray node interfaces with other nodes.
|
||||
|
||||
> `tag`: string
|
||||
> 此入站连接的标识,用于在其它的配置中定位此连接。
|
||||
>
|
||||
> The identifier of this inbound connection, used to locate this connection in other configurations.
|
||||
|
||||
::: danger
|
||||
当其不为空时,其值必须在所有 `tag` 中**唯一**。
|
||||
When it is not empty, its value must be **unique** among all `tag`s.
|
||||
:::
|
||||
|
||||
> `sniffing`: [SniffingObject](#sniffingobject)
|
||||
|
||||
流量探测主要作用于在透明代理等用途.
|
||||
比如一个典型流程如下:
|
||||
Traffic sniffing is mainly used in transparent proxies, for example:
|
||||
|
||||
1. 如有一个设备上网,去访问 abc.com,首先设备通过 DNS 查询得到 abc.com 的 IP 是 1.2.3.4,然后设备会向 1.2.3.4 去发起连接.
|
||||
2. 如果不设置嗅探,Xray 收到的连接请求是 1.2.3.4,并不能用于域名规则的路由分流.
|
||||
3. 当设置了 sniffing 中的 enable 为 true,Xray 处理此连接的流量时,会从流量的数据中,嗅探出域名,即 abc.com
|
||||
4. Xray 会把 1.2.3.4 重置为 abc.com.路由就可以根据域名去进行路由的域名规则的分流
|
||||
1. If a device wants to access `abc.com` while connected to the internet, it will first query the IP address of `abc.com` via DNS and get `1.2.3.4`. Then the device will initiate a connection to `1.2.3.4`.
|
||||
2. If sniffing is not set up, Xray will receive a connection request for `1.2.3.4`, which cannot be used for routing based on domain rules.
|
||||
3. When `enable` in `sniffing` is set to `true`, Xray will sniff the domain name, `abc.com`, from the traffic data when processing the traffic of this connection.
|
||||
4. Xray will reset `1.2.3.4` to `abc.com`. Routing can then be based on domain rules.
|
||||
|
||||
因为变成了一个向 abc.com 请求的连接, 就可以做更多的事情, 除了路由域名规则分流, 还能重新做 DNS 解析等其他工作.
|
||||
Since the connection is now to `abc.com`, more can be done, such as routing based on domain rules, and even re-resolving the DNS.
|
||||
|
||||
当设置了 sniffing 中的 enable 为 true, 还能嗅探出 bittorrent 类型的流量, 然后可以在路由中配置"protocol"项来设置规则处理 BT 流量, 比如服务端用来拦截 BT 流量, 或客户端固定转发 BT 流量到某个 VPS 去等.
|
||||
When `enable` in `sniffing` is set to `true`, it can also sniff out bittorrent traffic and then configure the "protocol" item in routing rules to handle bittorrent traffic, such as intercepting bittorrent traffic on the server or forwarding bittorrent traffic to a VPS on the client side.
|
||||
|
||||
> `allocate`: [AllocateObject](#allocateobject)
|
||||
|
||||
当设置了多个 port 时, 端口分配的具体设置
|
||||
Specifies the specific settings for port allocation when multiple ports are set up.
|
||||
|
||||
### SniffingObject
|
||||
|
||||
```json
|
||||
{
|
||||
"enabled": true,
|
||||
"destOverride": ["http", "tls", "fakedns"],
|
||||
"destOverride": ["http", "tls", "quic", "fakedns", "fakedns+others"],
|
||||
"metadataOnly": false,
|
||||
"domainsExcluded": [],
|
||||
"routeOnly": false
|
||||
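Review bot: Step 3 and the BitTorrent paragraph in the `sniffing` description say `enable`, but the key shown in the `SniffingObject` example in the same hunk is `enabled`; the translation carries the source's slip over, and a reader who copies `enable` gets a key that the documented object does not have. Change both to `enabled`. Separately, the `tag` description is the only one kept inside the `>` quote (with an extra empty `>` line), unlike the other fields here; move it out of the quote so it renders like the rest.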
@ -103,36 +103,36 @@
|
||||
|
||||
> `enabled`: true | false
|
||||
|
||||
是否开启流量探测。
|
||||
Whether to enable traffic sniffing.
|
||||
|
||||
> `destOverride`: \["http" | "tls" | "quic" | "fakedns" | "fakedns+others" \]
|
||||
> `destOverride`: ["http" | "tls" | "quic" | "fakedns" | "fakedns+others" ]
|
||||
|
||||
当流量为指定类型时,按其中包括的目标地址重置当前连接的目标。
|
||||
When the traffic is of a specified type, reset the destination of the current connection to the target address included in the list.
|
||||
|
||||
其中 `["fakedns+others"]` 相当于 `["http", "tls", "quic", "fakedns"]`,当 IP 地址处于 FakeIP 区间内但没有命中域名记录时会使用 `http`、`tls` 和 `quic` 进行匹配。此项仅在 `metadataOnly` 为 `false` 时有效。
|
||||
`["fakedns+others"]` is equivalent to `["http", "tls", "quic", "fakedns"]`, and when the IP address is in the FakeIP range but no domain records are hit, `http`, `tls`, and `quic` will be used for matching. This option is only effective when `metadataOnly` is set to `false`.
|
||||
|
||||
> `metadataOnly`: true | false
|
||||
|
||||
当启用时,将仅使用连接的元数据嗅探目标地址。此时,除 `fakedns` 以外的 sniffer 将不能激活(包括 `fakedns+others`)。
|
||||
When enabled, only use the connection's metadata to sniff the target address. In this case, sniffer other than `fakedns` (including `fakedns+others`) cannot be activated.
|
||||
|
||||
如果关闭仅使用元数据推断目标地址,此时客户端必须先发送数据,代理服务器才会实际建立连接。此行为与需要服务器首先发起第一个消息的协议不兼容,如 SMTP 协议。
|
||||
If metadata-only is disabled, the client must send data before the proxy server actually establishes the connection. This behavior is incompatible with protocols that require the server to initiate the first message, such as the SMTP protocol.
|
||||
|
||||
> `domainsExcluded`: [string] <Badge text="WIP" type="warning"/>
|
||||
|
||||
一个域名列表,如果流量探测结果在这个列表中时,将 **不会** 重置目标地址。
|
||||
A list of domain names. If the traffic sniffing result matches a domain name in this list, the target address will **not** be reset.
|
||||
|
||||
::: warning
|
||||
目前,`domainsExcluded` 不支持类似路由中的域名匹配方式。此选项未来可能会改变,不保证跨版本兼容。
|
||||
Currently, `domainsExcluded` does not support domain name matching in the routing sense. This option may change in the future and cross-version compatibility is not guaranteed.
|
||||
:::
|
||||
|
||||
> `routeOnly`: true | false
|
||||
|
||||
将嗅探得到的域名仅用于路由,代理目标地址仍为 IP。默认值为 `false`。
|
||||
Use the sniffed domain name for routing only, and keep the target address as the IP address. The default value is `false`.
|
||||
|
||||
此项需要开启 `destOverride` 使用。
|
||||
This option requires `destOverride` to be enabled.
|
||||
|
||||
::: tip
|
||||
在能保证 **被代理连接能得到正确的 DNS 解析** 时,使用 `routeOnly` 且开启 `destOverride` 的同时,将路由匹配策略 `domainStrategy` 设置为 `AsIs` 即可实现全程无 DNS 解析进行域名及 IP 分流。此时遇到 IP 规则匹配时使用的 IP 为域名原始 IP。
|
||||
When it is possible to ensure that **the proxied connection can obtain correct DNS resolution**, by using `routeOnly` and enabling `destOverride`, and setting the routing matching strategy `domainStrategy` to `AsIs`, it is possible to achieve domain and IP separation without DNS resolution throughout the process. The IP used when encountering an IP rule match is the original IP of the domain.
|
||||
:::
|
||||
|
||||
### AllocateObject
|
||||
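Review bot: The `destOverride` signature line loses its `\[` and `\]` escapes in the translated version, which is a markup change and not a translation; keep the escapes unless the rendered page has been checked. In the `routeOnly` tip, "domain and IP separation" should be "domain and IP routing", since the sentence is about rule matching, and "This option requires `destOverride` to be enabled" would be clearer as "requires `destOverride` to be set", because `destOverride` is a list and not a switch.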
@ -147,15 +147,15 @@
|
||||
|
||||
> `strategy`: "always" | "random"
|
||||
|
||||
端口分配策略。
|
||||
The port allocation strategy.
|
||||
|
||||
- `"always"` 表示总是分配所有已指定的端口,`port` 中指定了多少个端口,Xray 就会监听这些端口。
|
||||
- `"random"` 表示随机开放端口,每隔 `refresh` 分钟在 `port` 范围中随机选取 `concurrency` 个端口来监听。
|
||||
- `"always"` means all specified ports in `port` will be allocated, and Xray will listen on these ports.
|
||||
- `"random"` means ports will be randomly selected from the `port` range every `refresh` minutes, and `concurrency` ports will be listened on.
|
||||
|
||||
> `refresh`: number
|
||||
|
||||
随机端口刷新间隔,单位为分钟。最小值为 `2`,建议值为 `5`。这个属性仅当 `strategy` 设置为 `"random"` 时有效。
|
||||
The interval for refreshing randomly allocated ports in minutes. The minimum value is `2`, and it is recommended to set to `5`. This property is only effective when `strategy` is set to `"random"`.
|
||||
|
||||
> `concurrency`: number
|
||||
|
||||
随机端口数量。最小值为 `1`,最大值为 `port` 范围的三分之一。建议值为 `3`。
|
||||
The number of randomly allocated ports. The minimum value is `1`, and the maximum value is one-third of the `port` range. It is recommended to set to `3`.
|
||||
|
@ -1,18 +1,18 @@
|
||||
# 日志配置
|
||||
# Log Configuration
|
||||
|
||||
日志配置,控制 Xray 输出日志的方式.
|
||||
Log configuration controls how Xray outputs logs.
|
||||
|
||||
Xray 有两种日志, 访问日志和错误日志, 你可以分别配置两种日志的输出方式.
|
||||
Xray has two types of logs: access logs and error logs. You can configure the output method for each type of log separately.
|
||||
|
||||
## LogObject
|
||||
|
||||
LogObject 对应配置文件的 `log` 项。
|
||||
LogObject corresponds to the `log` item in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
"log": {
|
||||
"access": "文件地址",
|
||||
"error": "文件地址",
|
||||
"access": "file_path",
|
||||
"error": "file_path",
|
||||
"loglevel": "warning",
|
||||
"dnsLog": false
|
||||
}
|
||||
@ -21,27 +21,26 @@ LogObject 对应配置文件的 `log` 项。
|
||||
|
||||
> `access`: string
|
||||
|
||||
访问日志的文件地址,其值是一个合法的文件地址,如`"/var/log/Xray/access.log"`(Linux)或者`"C:\\Temp\\Xray\\_access.log"`(Windows)。当此项不指定或为空值时,表示将日志输出至 stdout。
|
||||
The file path for the access log. The value is a valid file path, such as `"/var/log/Xray/access.log"` (Linux) or `"C:\\Temp\\Xray\\_access.log"` (Windows). When this item is not specified or is an empty value, the log is output to stdout.
|
||||
|
||||
- 特殊值`none`,即关闭 access log。
|
||||
- The special value `none` disables access logs.
|
||||
|
||||
> `error`: string
|
||||
|
||||
错误日志的文件地址,其值是一个合法的文件地址,如`"/var/log/Xray/error.log"`(Linux)或者`"C:\\Temp\\Xray\\_error.log"`(Windows)。当此项不指定或为空值时,表示将日志输出至 stdout。
|
||||
The file path for the error log. The value is a valid file path, such as `"/var/log/Xray/error.log"` (Linux) or `"C:\\Temp\\Xray\\_error.log"` (Windows). When this item is not specified or is an empty value, the log is output to stdout.
|
||||
|
||||
- 特殊值`none`,即关闭 error log。
|
||||
- The special value `none` disables error logs.
|
||||
|
||||
> `loglevel`: "debug" | "info" | "warning" | "error" | "none"
|
||||
|
||||
error 日志的级别, 指示 error 日志需要记录的信息.
|
||||
默认值为 `"warning"`。
|
||||
The log level for error logs, indicating the information that needs to be recorded. The default value is `"warning"`.
|
||||
|
||||
- `"debug"`:调试程序时用到的输出信息。同时包含所有 `"info"` 内容。
|
||||
- `"info"`:运行时的状态信息等,不影响正常使用。同时包含所有 `"warning"` 内容。
|
||||
- `"warning"`:发生了一些并不影响正常运行的问题时输出的信息,但有可能影响用户的体验。同时包含所有 `"error"` 内容。
|
||||
- `"error"`:Xray 遇到了无法正常运行的问题,需要立即解决。
|
||||
- `"none"`:不记录任何内容。
|
||||
- `"debug"`: Output information used for debugging the program. Includes all `"info"` content.
|
||||
- `"info"`: Runtime status information, etc., which does not affect normal use. Includes all `"warning"` content.
|
||||
- `"warning"`: Information output when there are some problems that do not affect normal operation but may affect user experience. Includes all `"error"` content.
|
||||
- `"error"`: Xray encountered a problem that cannot be run normally and needs to be resolved immediately.
|
||||
- `"none"`: Do not record any content.
|
||||
|
||||
> `dnsLog`: bool
|
||||
|
||||
是否启用 DNS 查询日志,例如:`DOH//doh.server got answer: domain.com -> [ip1, ip2] 2.333ms`
|
||||
Whether to enable DNS query logs, for example: `DOH//doh.server got answer: domain.com -> [ip1, ip2] 2.333ms`.
|
||||
|
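Review bot: The `"error"` bullet in the `loglevel` list reads "Xray encountered a problem that cannot be run normally", which says the problem cannot run; the source means that Xray itself cannot run normally. Suggest "Xray has hit a problem that prevents it from running normally and that needs to be fixed immediately".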
@ -1,13 +1,13 @@
|
||||
# 出站代理
|
||||
# Outbound Proxies
|
||||
|
||||
出站连接用于发送数据,可用的协议请见 [outbound protocols](./outbounds/)。
|
||||
Outbound connections are used for sending data and can use any of the available protocols listed in [outbound protocols](./outbounds/).
|
||||
|
||||
## OutboundObject
|
||||
|
||||
`OutboundObject` 对应配置文件中 `outbounds` 项的一个子元素。
|
||||
The `OutboundObject` corresponds to a sub-element of the `outbounds` item in the configuration file.
|
||||
|
||||
::: tip
|
||||
列表中的第一个元素作为主 outbound。当路由匹配不存在或没有匹配成功时,流量由主 outbound 发出。
|
||||
The first element in the list serves as the main outbound. When there is no match or no successful match for the routing, the traffic is sent out by the main outbound.
|
||||
:::
|
||||
|
||||
```json
|
||||
@ -15,9 +15,9 @@
|
||||
"outbounds": [
|
||||
{
|
||||
"sendThrough": "0.0.0.0",
|
||||
"protocol": "协议名称",
|
||||
"protocol": "protocol name",
|
||||
"settings": {},
|
||||
"tag": "标识",
|
||||
"tag": "identifier",
|
||||
"streamSettings": {},
|
||||
"proxySettings": {
|
||||
"tag": "another-outbound-tag"
|
||||
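Review bot: The `protocol` placeholder in this example is "protocol name", while the same placeholder in the translated inbound example is "protocol_name". Pick one form for both files so the two examples read the same.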
@ -30,35 +30,35 @@
|
||||
|
||||
> `sendThrough`: address
|
||||
|
||||
用于发送数据的 IP 地址,当主机有多个 IP 地址时有效,默认值为 `"0.0.0.0"`。
|
||||
The IP address used to send data. It is effective when the host has multiple IP addresses, and the default value is `"0.0.0.0"`.
|
||||
|
||||
> `protocol`: string
|
||||
|
||||
连接协议名称,可选的协议类型见 [outbound protocols](./outbounds/)。
|
||||
The name of the connection protocol. The optional protocol types can be found in [outbound protocols](./outbounds/).
|
||||
|
||||
> `settings`: OutboundConfigurationObject
|
||||
|
||||
具体的配置内容,视协议不同而不同。详见每个协议中的 `OutboundConfigurationObject`。
|
||||
The specific configuration content varies depending on the protocol. See `OutboundConfigurationObject` in each protocol for details.
|
||||
|
||||
> `tag`: string
|
||||
|
||||
此出站连接的标识,用于在其它的配置中定位此连接。
|
||||
The identifier of this outbound connection, used to locate this connection in other configurations.
|
||||
|
||||
::: danger
|
||||
当其不为空时,其值必须在所有 `tag` 中 **唯一**。
|
||||
When it is not empty, its value must be **unique** among all `tag`s.
|
||||
:::
|
||||
|
||||
> `streamSettings`: [StreamSettingsObject](./transport.md#streamsettingsobject)
|
||||
|
||||
底层传输方式(transport)是当前 Xray 节点和其它节点对接的方式
|
||||
The underlying transport method is the way the current Xray node and other nodes are docked.
|
||||
|
||||
> `proxySettings`: [ProxySettingsObject](#proxysettingsobject)
|
||||
|
||||
出站代理配置。当出站代理生效时,此 outbound 的 `streamSettings` 将不起作用。
|
||||
The outbound proxy configuration. When the outbound proxy takes effect, the `streamSettings` of this outbound will not work.
|
||||
|
||||
> `mux`: [MuxObject](#muxobject)
|
||||
|
||||
Mux 相关的具体配置。
|
||||
Specific configuration related to Mux.
|
||||
|
||||
### ProxySettingsObject
|
||||
|
||||
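Review bot: The `streamSettings` description, "the way the current Xray node and other nodes are docked", translates the same source sentence that the inbound page renders as "how the current Xray node interfaces with other nodes". Reuse the inbound wording here; "docked" is not a term readers will recognise for transports.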
@ -70,25 +70,25 @@ Mux 相关的具体配置。
|
||||
|
||||
> `tag`: string
|
||||
|
||||
当指定另一个 outbound 的标识时,此 outbound 发出的数据,将被转发至所指定的 outbound 发出。
|
||||
When specifying the identifier of another outbound, data emitted by this outbound will be forwarded to the specified outbound.
|
||||
|
||||
::: danger
|
||||
这种转发方式**不经过**底层传输方式。如果需要使用支持底层传输方式的转发,请使用 [SockOpt.dialerProxy](./transport.md#sockoptobject)。
|
||||
This forwarding method does **not go through** the underlying transport. If you need to use forwarding that supports the underlying transport, please use [SockOpt.dialerProxy](./transport.md#sockoptobject).
|
||||
:::
|
||||
|
||||
::: danger
|
||||
此选项与 SockOpt.dialerProxy 不兼容
|
||||
This option is incompatible with SockOpt.dialerProxy.
|
||||
:::
|
||||
|
||||
::: tip
|
||||
兼容 v2fly/v2ray-core 的配置 [transportLayer](https://www.v2fly.org/config/outbounds.html#proxysettingsobject)
|
||||
Compatible with v2fly/v2ray-core's configuration [transportLayer](https://www.v2fly.org/config/outbounds.html#proxysettingsobject).
|
||||
:::
|
||||
|
||||
### MuxObject
|
||||
|
||||
Mux 功能是在一条 TCP 连接上分发多个 TCP 连接的数据。实现细节详见 [Mux.Cool](../../development/protocols/muxcool)。Mux 是为了减少 TCP 的握手延迟而设计,而非提高连接的吞吐量。使用 Mux 看视频、下载或者测速通常都有反效果。Mux 只需要在客户端启用,服务器端自动适配。
|
||||
The Mux function distributes the data of multiple TCP connections on a single TCP connection. For implementation details, see [Mux.Cool](../../development/protocols/muxcool). Mux is designed to reduce the latency of TCP handshake, not to increase the throughput of connections. Using Mux for watching videos, downloading, or speed testing usually has negative effects. Mux only needs to be enabled on the client side, and the server side automatically adapts.
|
||||
|
||||
`MuxObject` 对应 `OutboundObject` 中的 `mux` 项。
|
||||
`MuxObject` corresponds to the `mux` item in `OutboundObject`.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -99,14 +99,14 @@ Mux 功能是在一条 TCP 连接上分发多个 TCP 连接的数据。实现细
|
||||
|
||||
> `enabled`: true | false
|
||||
|
||||
是否启用 Mux 转发请求,默认值 `false`。
|
||||
Whether to enable Mux forwarding requests, default is `false`.
|
||||
|
||||
> `concurrency`: number
|
||||
|
||||
最大并发连接数。最小值 `1`,最大值 `1024`,默认值 `8`。
|
||||
Maximum concurrent connections. Minimum value is `1`, maximum value is `1024`, default is `8`.
|
||||
|
||||
这个数值表示了一个 TCP 连接上最多承载的 Mux 连接数量。比如设置 `concurrency=8` 时,当客户端发出了 8 个 TCP 请求,Xray 只会发出一条实际的 TCP 连接,客户端的 8 个请求全部由这个 TCP 连接传输。
|
||||
This value represents the maximum number of Mux connections that can be carried on a TCP connection. For example, when `concurrency=8` is set, if the client sends 8 TCP requests, Xray will only send one actual TCP connection, and all 8 requests from the client will be transmitted through this TCP connection.
|
||||
|
||||
::: tip
|
||||
填负数时,如 `-1`,不加载 mux 模块。
|
||||
When filling in a negative number, such as `-1`, the mux module is not loaded.
|
||||
:::
|
||||
|
@ -1,10 +1,10 @@
|
||||
# 本地策略
|
||||
# Local Policy
|
||||
|
||||
本地策略,可以设置不同的用户等级和对应的策略设置,比如连接超时设置。Xray 处理的每一个连接都对应一个用户,按照用户的等级(level)应用不同的策略。
|
||||
Local policy can be used to set different policy settings for different user levels, such as connection timeout settings. Each connection handled by Xray corresponds to a user, and different policies are applied based on the user's level.
|
||||
|
||||
## PolicyObject
|
||||
|
||||
`PolicyObject` 对应配置文件的 `policy` 项。
|
||||
`PolicyObject` corresponds to the `policy` field in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -32,15 +32,15 @@
|
||||
|
||||
> `level`: map{string: [LevelPolicyObject](#levelpolicyobject)}
|
||||
|
||||
一组键值对,每个键是一个字符串形式的数字(JSON 的要求),比如 `"0"`、`"1"` 等,双引号不能省略,此数字对应用户等级。每一个值是一个 [LevelPolicyObject](#levelpolicyobject).
|
||||
A set of key-value pairs, where each key is a string representation of a number (as required by JSON), such as `"0"`, `"1"`, etc., with the number corresponding to the user level. Each value is a [LevelPolicyObject](#levelpolicyobject).
|
||||
|
||||
::: tip
|
||||
每个入站出站代理现在都可以设置用户等级,Xray 会根据实际的用户等级应用不同的本地策略。
|
||||
Each inbound and outbound proxy can now set the user level, and Xray will apply different local policies based on the actual user level.
|
||||
:::
|
||||
|
||||
> `system`: [SystemPolicyObject](#systempolicyobject)
|
||||
|
||||
Xray 系统级别的策略
|
||||
Xray system-level policy.
|
||||
|
||||
### LevelPolicyObject
|
||||
|
||||
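Review bot: The translated `level` description drops the source's remark that the double quotes around the key cannot be omitted. Add it back, for example "the double quotes are required", since an unquoted numeric key is not valid JSON and that is the mistake the sentence warns about.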
@ -58,41 +58,41 @@ Xray 系统级别的策略
|
||||
|
||||
> `handshake`: number
|
||||
|
||||
连接建立时的握手时间限制。单位为秒。默认值为 `4`。在入站代理处理一个新连接时,在握手阶段如果使用的时间超过这个时间,则中断该连接。
|
||||
The time limit for handshake during connection establishment. Unit: seconds. Default: `4`. When processing a new inbound connection, if the time used in the handshake phase exceeds this limit, the connection will be aborted.
|
||||
|
||||
> `connIdle`: number
|
||||
|
||||
连接空闲的时间限制。单位为秒。默认值为 `300`。inbound/outbound 处理一个连接时,如果在 `connIdle` 时间内,没有任何数据被传输(包括上行和下行数据),则中断该连接。
|
||||
The time limit for connection idle time. Unit: seconds. Default: `300`. When processing an inbound/outbound connection, if no data is transferred (including upstream and downstream data) within `connIdle` time, the connection will be aborted.
|
||||
|
||||
> `uplinkOnly`: number
|
||||
|
||||
当连接下行线路关闭后的时间限制。单位为秒。默认值为 `2`。当服务器(如远端网站)关闭下行连接时,出站代理会在等待 `uplinkOnly` 时间后中断连接。
|
||||
The time limit after the downstream connection is closed. Unit: seconds. Default: `2`. When the server (such as a remote website) closes the downstream connection, the outbound proxy will abort the connection after waiting for `uplinkOnly` time.
|
||||
|
||||
> `downlinkOnly`: number
|
||||
|
||||
当连接上行线路关闭后的时间限制。单位为秒。默认值为 `5`。当客户端(如浏览器)关闭上行连接时,入站代理会在等待 `downlinkOnly` 时间后中断连接。
|
||||
The time limit after the upstream connection is closed. Unit: seconds. Default: `5`. When the client (such as a browser) closes the upstream connection, the inbound proxy will abort the connection after waiting for `downlinkOnly` time.
|
||||
|
||||
::: tip
|
||||
在 HTTP 浏览的场景中,可以将 `uplinkOnly` 和 `downlinkOnly` 设为 `0`,以提高连接关闭的效率。
|
||||
In the scenario of HTTP browsing, you can set `uplinkOnly` and `downlinkOnly` to `0` to improve the efficiency of connection closing.
|
||||
:::
|
||||
|
||||
> `statsUserUplink`: true | false
|
||||
|
||||
当值为 `true` 时,开启当前等级的所有用户的上行流量统计。
|
||||
When set to `true`, enables upstream traffic statistics for all users at the current level.
|
||||
|
||||
> `statsUserDownlink`: true | false
|
||||
|
||||
当值为 `true` 时,开启当前等级的所有用户的下行流量统计。
|
||||
When set to `true`, enables downstream traffic statistics for all users at the current level.
|
||||
|
||||
> `bufferSize`: number
|
||||
|
||||
每个连接的内部缓存大小。单位为 kB。当值为 `0` 时,内部缓存被禁用。
|
||||
The internal buffer size of each connection. Unit: kB. When set to `0`, the internal buffer is disabled.
|
||||
|
||||
默认值:
|
||||
Default values:
|
||||
|
||||
- 在 ARM、MIPS、MIPSLE 平台上,默认值为 `0`。
|
||||
- 在 ARM64、MIPS64、MIPS64LE 平台上,默认值为 `4`。
|
||||
- 在其它平台上,默认值为 `512`。
|
||||
- On ARM, MIPS, and MIPSLE platforms, the default value is `0`.
|
||||
- On ARM64, MIPS64, and MIPS64LE platforms, the default value is `4`.
|
||||
- On other platforms, the default value is `512`.
|
||||
|
||||
### SystemPolicyObject
|
||||
|
||||
@ -107,16 +107,16 @@ Xray 系统级别的策略
|
||||
|
||||
> `statsInboundUplink`: true | false
|
||||
|
||||
当值为 `true` 时,开启所有入站代理的上行流量统计。
|
||||
When set to `true`, enables upstream traffic statistics for all inbound proxies.
|
||||
|
||||
> `statsInboundDownlink`: true | false
|
||||
|
||||
当值为 `true` 时,开启所有入站代理的下行流量统计。
|
||||
When set to `true`, enables downstream traffic statistics for all inbound proxies.
|
||||
|
||||
> `statsOutboundUplink`: true | false
|
||||
|
||||
当值为 `true` 时,开启所有出站代理的上行流量统计。
|
||||
When set to `true`, enables upstream traffic statistics for all outbound proxies.
|
||||
|
||||
> `statsOutboundDownlink`: true | false
|
||||
|
||||
当值为 `true` 时,开启所有出站代理的下行流量统计。
|
||||
When set to `true`, enables downstream traffic statistics for all outbound proxies.
|
||||
|
@ -1,26 +1,26 @@
|
||||
# 反向代理
|
||||
# Reverse Proxy
|
||||
|
||||
反向代理可以把服务器端的流量向客户端转发,即逆向流量转发。
|
||||
A reverse proxy forwards traffic from a server to a client, which is known as reverse traffic forwarding.
|
||||
|
||||
反向代理的大致工作原理如下:
|
||||
Here's how a reverse proxy generally works:
|
||||
|
||||
- 假设在主机 A 中有一个网页服务器,这台主机没有公网 IP,无法在公网上直接访问。另有一台主机 B,它可以由公网访问。现在我们需要把 B 作为入口,把流量从 B 转发到 A。
|
||||
- 在主机 A 中配置 Xray,称为`bridge`,在 B 中也配置 Xray,称为 `portal`。
|
||||
- `bridge` 会向 `portal` 主动建立连接,此连接的目标地址可以自行设定。`portal` 会收到两种连接,一是由 `bridge` 发来的连接,二是公网用户发来的连接。`portal` 会自动将两类连接合并。于是 `bridge` 就可以收到公网流量了。
|
||||
- `bridge` 在收到公网流量之后,会将其原封不动地发给主机 A 中的网页服务器。当然,这一步需要路由的协作。
|
||||
- `bridge` 会根据流量的大小进行动态的负载均衡。
|
||||
- Suppose there is a web server in host A, which does not have a public IP address and cannot be accessed directly on the Internet. There is another host B that can be accessed via the public network. Now we need to use B as the entry point to forward traffic from B to A.
|
||||
- Configure Xray in host A as a `bridge`, and also configure Xray in B as a `portal`.
|
||||
- `Bridge` will actively establish a connection to `portal`, and the destination address of this connection can be set by itself. `Portal` will receive two types of connections: one is the connection sent by `bridge`, and the other is the connection sent by public network users. `Portal` will automatically merge the two types of connections. So `bridge` can receive public network traffic.
|
||||
- After receiving the public network traffic, `bridge` will forward it unchanged to the web server in host A. Of course, this step requires the cooperation of routing.
|
||||
- `Bridge` will dynamically load balance according to the size of the traffic.
|
||||
|
||||
::: tip
|
||||
反向代理默认已开启 [Mux](../../development/protocols/muxcool/),请不要在其用到的 outbound 上再次开启 Mux。
|
||||
Reverse proxy has Mux enabled by default, so please do not enable Mux again on the outbound it uses.
|
||||
:::
|
||||
|
||||
::: warning
|
||||
反向代理功能尚处于测试阶段,可能会有一些问题。
|
||||
The reverse proxy function is still in the testing phase and may have some issues.
|
||||
:::
|
||||
|
||||
## ReverseObject
|
||||
|
||||
`ReverseObject` 对应配置文件的 `reverse` 项。
|
||||
`ReverseObject` corresponds to the `reverse` field in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
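Review bot: The translated tip drops the link on "Mux" that the source line has (`../../development/protocols/muxcool/`); restore it so the English page still points to the protocol description. In the list above it, "the destination address of this connection can be set by itself" should say that the user chooses it ("can be set as you like"), and the bullets that start with `Bridge` and `Portal` capitalise names that are written `bridge` and `portal` everywhere else in the hunk; reword so the code-formatted name stays lowercase.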
@ -43,11 +43,11 @@
|
||||
|
||||
> `bridges`: \[[BridgeObject](#bridgeobject)\]
|
||||
|
||||
数组,每一项表示一个 `bridge`。每个 `bridge` 的配置是一个 [BridgeObject](#bridgeobject)。
|
||||
An array in which each item represents a `bridge`. The configuration of each `bridge` is a [BridgeObject](#bridgeobject).
|
||||
|
||||
> `portals`: \[[PortalObject](#portalobject)\]
|
||||
> `portals`: [[PortalObject](#portalobject)]
|
||||
|
||||
数组,每一项表示一个 `portal`。每个 `portal` 的配置是一个 [PortalObject](#bridgeobject)。
|
||||
An array in which each item represents a `portal`. The configuration of each `portal` is a [PortalObject](#bridgeobject).
|
||||
|
||||
### BridgeObject
|
||||
|
||||
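Review bot: The `portals` signature line is rewritten without the `\[` and `\]` escapes while the `bridges` line directly above it keeps them, so the two sibling entries no longer use the same markup; keep the escapes on both. The `portals` description also links `PortalObject` to `#bridgeobject`, carried over from the source line; point it at `#portalobject`, the anchor the signature line already uses.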
@ -60,12 +60,11 @@
|
||||
|
||||
> `tag`: string
|
||||
|
||||
所有由 `bridge` 发出的连接,都会带有这个标识。可以在 [路由配置](./routing.md) 中使用 `inboundTag` 进行识别。
|
||||
All connections initiated by `bridge` will have this tag. It can be used to identify the connections in [routing configuration](./routing.md).
|
||||
|
||||
> `domain`: string
|
||||
|
||||
指定一个域名,`bridge` 向 `portal` 建立的连接,都会使用这个域名进行发送。
|
||||
这个域名只作为 `bridge` 和 `portal` 的通信用途,不必真实存在。
|
||||
Specifies a domain name that will be used by `bridge` to send connections to `portal`. This domain name is only used for communication between `bridge` and `portal`, and does not need to actually exist.
|
||||
|
||||
### PortalObject
|
||||
|
||||
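Review bot: The English `tag` description under BridgeObject loses the `inboundTag` reference. The Chinese line says connections carrying this tag can be identified with `inboundTag` in the routing configuration, but the replacement only says the tag "can be used to identify the connections". Suggest naming the field, for example: "It can be matched with `inboundTag` in [routing configuration](./routing.md)."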
@ -78,27 +77,27 @@
|
||||
|
||||
> `tag`: string
|
||||
|
||||
`portal` 的标识。在 [路由配置](./routing.md) 中使用 `outboundTag` 将流量转发到这个 `portal`。
|
||||
The identifier for the `portal`. Use `outboundTag` in [routing configuration](./routing.md) to forward traffic to this `portal`.
|
||||
|
||||
> `domain`: string
|
||||
|
||||
一个域名。当 `portal` 接收到流量时,如果流量的目标域名是此域名,则 `portal` 认为当前连接上 `bridge` 发来的通信连接。而其它流量则会被当成需要转发的流量。`portal` 所做的工作就是把这两类连接进行识别并拼接。
|
||||
A domain name. When the `portal` receives traffic, if the destination domain of the traffic is this domain, the `portal` assumes that the current connection is a communication connection sent by the `bridge`. Other traffic will be considered as traffic that needs to be forwarded. The work of the `portal` is to identify and splice these two types of connections.
|
||||
|
||||
::: tip
|
||||
一个 Xray 既可以作为 `bridge`,也可以作为 `portal`,也可以同时两者,以适用于不同的场景需要。
|
||||
An Xray can act as a `bridge`, a `portal`, or both at the same time, depending on the needs of different scenarios.
|
||||
:::
|
||||
|
||||
## 完整配置样例
|
||||
## Complete Configuration Example
|
||||
|
||||
::: tip
|
||||
在运行过程中,建议先启用 `bridge`,再启用 `portal`。
|
||||
:::
|
||||
tip During operation, it is recommended to enable `bridge` first, then enable `portal`.
|
||||
:::
|
||||
|
||||
### bridge 配置
|
||||
### Bridge Configuration
|
||||
|
||||
`bridge` 通常需要两个 outbound,一个用于连接 `portal`,另一个用于发送实际的流量。也就是说,你需要用路由区分两种流量。
|
||||
A `bridge` usually requires two outbounds, one for connecting to the `portal`, and the other for sending actual traffic. That is, you need to use routing to distinguish between the two types of traffic.
|
||||
|
||||
反向代理配置:
|
||||
Reverse proxy configuration:
|
||||
|
||||
```json
|
||||
{
|
||||
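Review bot: The added tip text under "Complete Configuration Example" starts with a stray word: "tip During operation, it is recommended to enable `bridge` first, then enable `portal`." It looks as if the container marker was merged into the sentence. The line should begin at "During operation", and the block should still open with "::: tip" and close with ":::" as the original did.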
@ -118,7 +117,7 @@ outbound:
|
||||
"tag": "out",
|
||||
"protocol": "freedom",
|
||||
"settings": {
|
||||
"redirect": "127.0.0.1:80" // 将所有流量转发到网页服务器
|
||||
"redirect": "127.0.0.1:80" // Forward all traffic to web server
|
||||
}
|
||||
}
|
||||
```
|
||||
@ -129,7 +128,7 @@ outbound:
|
||||
"settings": {
|
||||
"vnext": [
|
||||
{
|
||||
"address": "portal 的 IP 地址",
|
||||
"address": "portal's IP address",
|
||||
"port": 1024,
|
||||
"users": [
|
||||
{
|
||||
@ -143,7 +142,7 @@ outbound:
|
||||
}
|
||||
```
|
||||
|
||||
路由配置:
|
||||
Routing Configuration:
|
||||
|
||||
```json
|
||||
{
|
||||
@ -163,18 +162,18 @@ outbound:
|
||||
}
|
||||
```
|
||||
|
||||
### portal 配置
|
||||
### Portal Configuration
|
||||
|
||||
`portal` 通常需要两个 inbound,一个用于接收 `bridge` 的连接,另一个用于接收实际的流量。同时你也需要用路由区分两种流量。
|
||||
`portal` usually requires two inbounds, one for receiving connections from `bridge`, and the other for receiving actual traffic. You also need to distinguish between these two types of traffic using routing.
|
||||
|
||||
反向代理配置:
|
||||
Reverse proxy configuration:
|
||||
|
||||
```json
|
||||
{
|
||||
"portals": [
|
||||
{
|
||||
"tag": "portal",
|
||||
"domain": "test.xray.com" // 必须和 bridge 的配置一样
|
||||
"domain": "test.xray.com" // Must be the same as the bridge's configuration
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -210,7 +209,7 @@ inbound:
|
||||
}
|
||||
```
|
||||
|
||||
路由配置:
|
||||
Routing Configuration:
|
||||
|
||||
```json
|
||||
{
|
||||
|
@ -1,14 +1,14 @@
|
||||
# 路由
|
||||
# Routing
|
||||
|
||||
路由功能模块可以将入站数据按不同规则由不同的出站连接发出,以达到按需代理的目的。
|
||||
The routing module can send inbound data through different outbound connections according to different rules to achieve on-demand proxying.
|
||||
|
||||
如常见用法是分流国内外流量,Xray 可以通过内部机制判断不同地区的流量,然后将它们发送到不同的出站代理。
|
||||
A common use case is to split domestic and foreign traffic. Xray can use its internal mechanisms to determine the traffic from different regions and then send them to different outbound proxies.
|
||||
|
||||
有关路由功能更详细的解析:[路由 (routing) 功能简析](https://xtls.github.io/document/level-1/routing-lv1-part1.html)
|
||||
For a more detailed analysis of the routing function, please refer to [Routing Function Analysis](https://xtls.github.io/document/level-1/routing-lv1-part1.html).
|
||||
|
||||
## RoutingObject
|
||||
|
||||
`RoutingObject` 对应配置文件的 `routing` 项。
|
||||
`RoutingObject` corresponds to the `routing` item in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -23,36 +23,39 @@
|
||||
|
||||
> `domainStrategy`: "AsIs" | "IPIfNonMatch" | "IPOnDemand"
|
||||
|
||||
域名解析策略,根据不同的设置使用不同的策略。
|
||||
The domain name resolution strategy, which uses different strategies based on different settings.
|
||||
|
||||
- `"AsIs"`:只使用域名进行路由选择。默认值。
|
||||
- `"IPIfNonMatch"`:当域名没有匹配任何规则时,将域名解析成 IP(A 记录或 AAAA 记录)再次进行匹配;
|
||||
- 当一个域名有多个 A 记录时,会尝试匹配所有的 A 记录,直到其中一个与某个规则匹配为止;
|
||||
- 解析后的 IP 仅在路由选择时起作用,转发的数据包中依然使用原始域名;
|
||||
- `"IPOnDemand"`:当匹配时碰到任何基于 IP 的规则,将域名立即解析为 IP 进行匹配;
|
||||
- `"AsIs"`: Use only the domain name for routing selection. Default value.
|
||||
|
||||
- `"IPIfNonMatch"`: If the domain name does not match any rule, resolve the domain name into an IP address (A record or AAAA record) and match it again;
|
||||
|
||||
- When a domain name has multiple A records, it will try to match all A records until one of them matches a rule;
|
||||
- The resolved IP only works for routing selection, and the original domain name is still used in the forwarded packets;
|
||||
|
||||
- `"IPOnDemand"`: If any IP-based rules are encountered during matching, immediately resolve the domain name into an IP address for matching;
|
||||
|
||||
> `domainMatcher`: "hybrid" | "linear"
|
||||
|
||||
域名匹配算法,根据不同的设置使用不同的算法。此处选项会影响所有未单独指定匹配算法的 `RuleObject`。
|
||||
The domain name matching algorithm, which uses different algorithms based on different settings. This option affects all `RuleObject` that do not have a separately specified matching algorithm.
|
||||
|
||||
- `"hybrid"`:使用新的域名匹配算法,速度更快且占用更少。默认值。
|
||||
- `"linear"`:使用原来的域名匹配算法。
|
||||
- `"hybrid"`: Use the new domain name matching algorithm, which is faster and takes up less space. Default value.
|
||||
- `"linear"`: Use the original domain name matching algorithm.
|
||||
|
||||
> `rules`: \[[RuleObject](#ruleobject)\]
|
||||
> `rules`: [[RuleObject](#ruleobject)]
|
||||
|
||||
对应一个数组,数组中每一项是一个规则。
|
||||
An array corresponding to a list of rules.
|
||||
|
||||
对于每一个连接,路由将根据这些规则从上到下依次进行判断,当遇到第一个生效规则时,即将这个连接转发至它所指定的 `outboundTag`或 `balancerTag`。
|
||||
For each connection, the routing will judge these rules from top to bottom in order. When it encounters the first effective rule, it will forward the connection to the `outboundTag` or `balancerTag` specified by the rule.
|
||||
|
||||
::: tip
|
||||
当没有匹配到任何规则时,流量默认由第一个 outbound 发出。
|
||||
When no rules match, the traffic is sent out by the first outbound by default.
|
||||
:::
|
||||
|
||||
> `balancers`: \[ [BalancerObject](#balancerobject) \]
|
||||
> `balancers`: [ [BalancerObject](#balancerobject) ]
|
||||
|
||||
一个数组,数组中每一项是一个负载均衡器的配置。
|
||||
An array corresponding to a list of load balancers.
|
||||
|
||||
当一个规则指向一个负载均衡器时,Xray 会通过此负载均衡器选出一个 outbound, 然后由它转发流量。
|
||||
When a rule points to a load balancer, Xray selects an outbound through this load balancer, and then it forwards the traffic through it.
|
||||
|
||||
### RuleObject
|
||||
|
||||
@ -76,114 +79,118 @@
|
||||
```
|
||||
|
||||
::: danger
|
||||
当多个属性同时指定时,这些属性需要**同时**满足,才可以使当前规则生效。
|
||||
When multiple attributes are specified at the same time, these attributes need to be satisfied **simultaneously** in order for the current rule to take effect.
|
||||
:::
|
||||
|
||||
> `domainMatcher`: "hybrid" | "linear"
|
||||
|
||||
域名匹配算法,根据不同的设置使用不同的算法。此处选项优先级高于 `RoutingObject` 中配置的 `domainMatcher`。
|
||||
The domain matching algorithm used varies depending on the settings. The option here takes priority over the `domainMatcher` configured in `RoutingObject`.
|
||||
|
||||
- `"hybrid"`:使用新的域名匹配算法,速度更快且占用更少。默认值。
|
||||
- `"linear"`:使用原来的域名匹配算法。
|
||||
- `"hybrid"`: uses a new domain matching algorithm that is faster and takes up less space. This is the default value.
|
||||
- `"linear"`: uses the original domain matching algorithm.
|
||||
|
||||
> `type`: "field"
|
||||
|
||||
目前只支持`"field"`这一个选项。
|
||||
Currently, only the option `"field"` is supported.
|
||||
|
||||
> `domain`: \[string\]
|
||||
> `domain`: [string]
|
||||
|
||||
一个数组,数组每一项是一个域名的匹配。有以下几种形式:
|
||||
An array where each item is a domain match. There are several forms:
|
||||
|
||||
- 纯字符串:当此字符串匹配目标域名中任意部分,该规则生效。比如 "sina.com" 可以匹配 "sina.com"、"sina.com.cn" 和 "www.sina.com",但不匹配 "sina.cn"。
|
||||
- 正则表达式:由 `"regexp:"` 开始,余下部分是一个正则表达式。当此正则表达式匹配目标域名时,该规则生效。例如 "regexp:\\\\.goo.\*\\\\.com\$" 匹配 "www.google.com" 或 "fonts.googleapis.com",但不匹配 "google.com"。
|
||||
- 子域名(推荐):由 `"domain:"` 开始,余下部分是一个域名。当此域名是目标域名或其子域名时,该规则生效。例如 "domain:xray.com" 匹配 "www.xray.com"、"xray.com",但不匹配 "wxray.com"。
|
||||
- 完整匹配:由 `"full:"` 开始,余下部分是一个域名。当此域名完整匹配目标域名时,该规则生效。例如 "full:xray.com" 匹配 "xray.com" 但不匹配 "www.xray.com"。
|
||||
- 预定义域名列表:由 `"geosite:"` 开头,余下部分是一个名称,如 `geosite:google` 或者 `geosite:cn`。名称及域名列表参考 [预定义域名列表](#预定义域名列表)。
|
||||
- 从文件中加载域名:形如 `"ext:file:tag"`,必须以 `ext:`(小写)开头,后面跟文件名和标签,文件存放在 [资源目录](./features/env.md#资源文件路径) 中,文件格式与 `geosite.dat` 相同,标签必须在文件中存在。
|
||||
- Plain string: If this string matches any part of the target domain, the rule takes effect. For example, "sina.com" can match "sina.com", "sina.com.cn", and "www.sina.com", but not "sina.cn".
|
||||
- Regular expression: Starts with `"regexp:"` followed by a regular expression. When this regular expression matches the target domain, the rule takes effect. For example, "regexp:\\.goo.\*\\.com$" matches "www.google.com" or "fonts.googleapis.com", but not "google.com".
|
||||
- Subdomain (recommended): Starts with `"domain:"` followed by a domain. When this domain is the target domain or a subdomain of the target domain, the rule takes effect. For example, "domain:xray.com" matches "www.xray.com" and "xray.com", but not "wxray.com".
|
||||
- Exact match: Starts with `"full:"` followed by a domain. When this domain is an exact match for the target domain, the rule takes effect. For example, "full:xray.com" matches "xray.com" but not "www.xray.com".
|
||||
- Predefined domain list: Starts with `"geosite:"` followed by a name such as `geosite:google` or `geosite:cn`. The names and domain lists are listed in [Predefined Domain List](#predefined-domain-list).
|
||||
- Load domains from a file: Formatted as `"ext:file:tag"`, where the file is stored in the [resource directory](./features/env.md#resource-file-path) and has the same format as `geosite.dat`. The tag must exist in the file.
|
||||
|
||||
::: tip
|
||||
`"ext:geoip.dat:cn"` 等价于 `"geoip:cn"`
|
||||
`"ext:geoip.dat:cn"` is equivalent to `"geoip:cn"`
|
||||
:::
|
||||
|
||||
> `ip`: \[string\]
|
||||
`ip`: [string]
|
||||
|
||||
一个数组,数组内每一项代表一个 IP 范围。当某一项匹配目标 IP 时,此规则生效。有以下几种形式:
|
||||
An array where each item represents an IP range. This rule will take effect when the target IP matches any of the IP ranges in the array. There are several types of IP ranges:
|
||||
|
||||
- IP:形如 `"127.0.0.1"`。
|
||||
- [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing):形如 `"10.0.0.0/8"`。
|
||||
- 预定义 IP 列表:此列表预置于每一个 Xray 的安装包中,文件名为 `geoip.dat`。使用方式形如 `"geoip:cn"`,必须以 `geoip:`(小写)开头,后面跟双字符国家代码,支持几乎所有可以上网的国家。
|
||||
- 特殊值:`"geoip:private"`,包含所有私有地址,如 `127.0.0.1`。
|
||||
- 从文件中加载 IP:形如 `"ext:file:tag"`,必须以 `ext:`(小写)开头,后面跟文件名和标签,文件存放在 [资源目录](./features/env.md#资源文件路径) 中,文件格式与 `geoip.dat` 相同标签必须在文件中存在。
|
||||
- IP: In the format of `"127.0.0.1"`.
|
||||
|
||||
> `port`:number | string
|
||||
- [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing): In the format of `"10.0.0.0/8"`.
|
||||
|
||||
目标端口范围,有三种形式:
|
||||
- Predefined IP lists: These lists are included in every Xray installation package under the file name `geoip.dat`. They can be used in the format of `"geoip:cn"`, where `cn` is a two-letter country code. The prefix `geoip:`(all lowercase) must be used, and nearly all countries that have internet access are supported.
|
||||
|
||||
- `"a-b"`:a 和 b 均为正整数,且小于 65536。这个范围是一个前后闭合区间,当目标端口落在此范围内时,此规则生效。
|
||||
- `a`:a 为正整数,且小于 65536。当目标端口为 a 时,此规则生效。
|
||||
- 以上两种形式的混合,以逗号 "," 分隔。形如:`"53,443,1000-2000"`。
|
||||
- Special value: `"geoip:private"`, which includes all private addresses, such as `127.0.0.1`.
|
||||
|
||||
> `sourcePort`:number | string
|
||||
- Loading IP from a file: In the format of `"ext:file:tag"`, where `file` is the file name and `tag` is a label that must exist in the file. The prefix `ext:` (all lowercase) must be used, and the file should be located in the [resource directory](./features/env.md#resource-file-path) with the same format as `geoip.dat`.
|
||||
|
||||
来源端口,有三种形式:
|
||||
> `port`: number | string
|
||||
|
||||
- `"a-b"`:a 和 b 均为正整数,且小于 65536。这个范围是一个前后闭合区间,当目标端口落在此范围内时,此规则生效。
|
||||
- `a`:a 为正整数,且小于 65536。当目标端口为 a 时,此规则生效。
|
||||
- 以上两种形式的混合,以逗号 "," 分隔。形如:`"53,443,1000-2000"`。
|
||||
The target port range, which can take on three forms:
|
||||
|
||||
- `"a-b"`: `a` and `b` are both positive integers less than 65536. This range is a closed interval, and this rule will take effect when the target port falls within this range.
|
||||
- `a`: `a` is a positive integer less than 65536. This rule will take effect when the target port is `a`.
|
||||
- A mixture of the above two forms, separated by commas ",". For example: `"53,443,1000-2000"`.
|
||||
|
||||
> `sourcePort`: number | string
|
||||
|
||||
The source port, which can take on three forms:
|
||||
|
||||
- `"a-b"`: `a` and `b` are both positive integers less than 65536. This range is a closed interval, and this rule will take effect when the source port falls within this range.
|
||||
- `a`: `a` is a positive integer less than 65536. This rule will take effect when the source port is `a`.
|
||||
- A mixture of the above two forms, separated by commas ",". For example: `"53,443,1000-2000"`.
|
||||
|
||||
> `network`: "tcp" | "udp" | "tcp,udp"
|
||||
|
||||
可选的值有 "tcp"、"udp" 或 "tcp,udp",当连接方式是指定的方式时,此规则生效。
|
||||
This can be "tcp", "udp", or "tcp,udp". This rule will take effect when the connection method is the specified one.
|
||||
|
||||
> `source`: \[string\]
|
||||
> `source`: [string]
|
||||
|
||||
一个数组,数组内每一项代表一个 IP 范围,形式有 IP、CIDR、GeoIP 和从文件中加载 IP。当某一项匹配来源 IP 时,此规则生效。
|
||||
An array where each item represents an IP range in the format of IP, CIDR, GeoIP, or loading IP from a file. This rule will take effect when the source IP matches any of the IP ranges in the array.
|
||||
|
||||
> `user`: \[string\]
|
||||
> `user`: [string]
|
||||
|
||||
一个数组,数组内每一项是一个邮箱地址。当某一项匹配来源用户时,此规则生效。
|
||||
An array where each item represents an email address. This rule will take effect when the source user matches any of the email addresses in the array.
|
||||
|
||||
> `inboundTag`: \[string\]
|
||||
> `inboundTag`: [string]
|
||||
|
||||
一个数组,数组内每一项是一个标识。当某一项匹配入站协议的标识时,此规则生效。
|
||||
An array where each item represents an identifier. This rule will take effect when the inbound protocol matches any of the identifiers in the array.
|
||||
|
||||
> `protocol`: \[ "http" | "tls" | "bittorrent" \]
|
||||
> `protocol`: [ "http" | "tls" | "bittorrent" ]
|
||||
|
||||
一个数组,数组内每一项表示一种协议。当某一个协议匹配当前连接的协议类型时,此规则生效。
|
||||
An array where each item represents a protocol. This rule will take effect when the protocol of the current connection matches any of the protocols in the array.
|
||||
|
||||
::: tip
|
||||
必须开启入站代理中的 `sniffing` 选项, 才能嗅探出连接所使用的协议类型.
|
||||
The `sniffing` option in the inbound proxy must be enabled to detect the protocol type used by the connection.
|
||||
:::
|
||||
|
||||
> `attrs`: string
|
||||
`attrs`: string
|
||||
|
||||
一段脚本,用于检测流量的属性值。当此脚本返回真值时,此规则生效。
|
||||
A script used to detect the attribute values of the traffic. When this script returns a truthy value, this rule takes effect.
|
||||
|
||||
脚本语言为 [Starlark](https://github.com/bazelbuild/starlark),它的语法是 Python 的子集。脚本接受一个全局变量 `attrs`,其中包含了流量相关的属性。
|
||||
The script language is [Starlark](https://github.com/bazelbuild/starlark), which is a subset of Python syntax. The script accepts a global variable `attrs`, which contains traffic-related attributes.
|
||||
|
||||
目前只有 http 入站代理会设置这一属性。
|
||||
Currently, only the inbound HTTP proxy sets this attribute.
|
||||
|
||||
示例:
|
||||
Examples:
|
||||
|
||||
- 检测 HTTP GET:`"attrs[':method'] == 'GET'"`
|
||||
- 检测 HTTP Path:`"attrs[':path'].startswith('/test')"`
|
||||
- 检测 Content Type:`"attrs['accept'].index('text/html') >= 0"`
|
||||
- Detect HTTP GET: `"attrs[':method'] == 'GET'"`
|
||||
- Detect HTTP Path: `"attrs[':path'].startswith('/test')"`
|
||||
- Detect Content Type: `"attrs['accept'].index('text/html') >= 0"`
|
||||
|
||||
> `outboundTag`: string
|
||||
|
||||
对应一个 outbound 的标识。
|
||||
Corresponds to the identifier of an outbound.
|
||||
|
||||
> `balancerTag`: string
|
||||
|
||||
对应一个 Balancer 的标识。
|
||||
Corresponds to the identifier of a balancer.
|
||||
|
||||
::: tip
|
||||
`balancerTag` 和 `outboundTag` 须二选一。当同时指定时,`outboundTag` 生效。
|
||||
`balancerTag` and `outboundTag` are mutually exclusive. When both are specified, `outboundTag` takes effect.
|
||||
:::
|
||||
|
||||
### BalancerObject
|
||||
|
||||
负载均衡器配置。当一个负载均衡器生效时,它会从指定的 outbound 中,按配置选出一个最合适的 outbound,进行流量转发。
|
||||
Load balancer configuration. When a load balancer is in effect, it selects the most appropriate outbound from the specified outbound according to the configuration and forwards traffic.
|
||||
|
||||
```json
|
||||
{
|
||||
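Review bot: Two field signatures in this hunk lose their leading "> " marker: the added lines for `ip` and `attrs` start directly with the backticked name, where the originals were blockquote lines like every other field in RuleObject, so they will render differently from their neighbours. Two further points in the same hunk: the `regexp:` example changes its escaping from "regexp:\\\\.goo.\*\\\\.com\$" to "regexp:\\.goo.\*\\.com$", so please confirm the rendered pattern is unchanged; and the translated `domain` entry for "ext:file:tag" drops the requirement that it start with `ext:` (lowercase), which the `ip` entry keeps.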
@ -194,32 +201,32 @@
|
||||
|
||||
> `tag`: string
|
||||
|
||||
此负载均衡器的标识,用于匹配 `RuleObject` 中的 `balancerTag`。
|
||||
The identifier of this load balancer, used to match `balancerTag` in `RuleObject`.
|
||||
|
||||
> `selector`: \[ string \]
|
||||
> `selector`: [ string ]
|
||||
|
||||
一个字符串数组,其中每一个字符串将用于和 outbound 标识的前缀匹配。在以下几个 outbound 标识中:`[ "a", "ab", "c", "ba" ]`,`"selector": ["a"]` 将匹配到 `[ "a", "ab" ]`。
|
||||
An array of strings, each of which will be used to match the prefix of the outbound identifier. For example, in the following outbound identifiers: `[ "a", "ab", "c", "ba" ]`, `"selector": ["a"]` will match `[ "a", "ab" ]`.
|
||||
|
||||
如果匹配到多个 outbound,负载均衡器目前会从中随机选出一个作为最终的 outbound。
|
||||
If multiple outbounds are matched, the load balancer currently selects one randomly as the final outbound.
|
||||
|
||||
### 预定义域名列表
|
||||
### Predefined Domain Lists
|
||||
|
||||
此列表预置于每一个 Xray 的安装包中,文件名为 `geosite.dat`。这个文件包含了一些常见的域名,使用方式:`geosite:filename`,如 `geosite:google` 表示对文件内符合 `google` 内包含的域名,进行路由筛选或 DNS 筛选。
|
||||
This list is included in every Xray installation package, and the file name is `geosite.dat`. This file contains some common domain names, which can be used as `geosite:filename` to perform routing or DNS filtering for domain names that match those in the file.
|
||||
|
||||
常见的域名有:
|
||||
Common domain lists include:
|
||||
|
||||
- `category-ads`:包含了常见的广告域名。
|
||||
- `category-ads-all`:包含了常见的广告域名,以及广告提供商的域名。
|
||||
- `cn`:相当于 `geolocation-cn` 和 `tld-cn` 的合集。
|
||||
- `apple`:包含了 Apple 旗下绝大部分域名。
|
||||
- `google`:包含了 Google 旗下绝大部分域名。
|
||||
- `microsoft`:包含了 Microsoft 旗下绝大部分域名。
|
||||
- `facebook`:包含了 Facebook 旗下绝大部分域名。
|
||||
- `twitter`:包含了 Twitter 旗下绝大部分域名。
|
||||
- `telegram`:包含了 Telegram 旗下绝大部分域名。
|
||||
- `geolocation-cn`:包含了常见的大陆站点域名。
|
||||
- `geolocation-!cn`:包含了常见的非大陆站点域名,同时包含了 `tld-!cn`。
|
||||
- `tld-cn`:包含了 CNNIC 管理的用于中国大陆的顶级域名,如以 `.cn`、`.中国` 结尾的域名。
|
||||
- `tld-!cn`:包含了非中国大陆使用的顶级域名,如以 `.hk`(香港)、`.tw`(台湾)、`.jp`(日本)、`.sg`(新加坡)、`.us`(美国)`.ca`(加拿大)等结尾的域名。
|
||||
- `category-ads`: Contains common advertising domain names.
|
||||
- `category-ads-all`: Contains common advertising domain names and advertising provider domain names.
|
||||
- `cn`: Equivalent to the combination of `geolocation-cn` and `tld-cn`.
|
||||
- `apple`: Contains most of the domain names under Apple.
|
||||
- `google`: Contains most of the domain names under Google.
|
||||
- `microsoft`: Contains most of the domain names under Microsoft.
|
||||
- `facebook`: Contains most of the domain names under Facebook.
|
||||
- `twitter`: Contains most of the domain names under Twitter.
|
||||
- `telegram`: Contains most of the domain names under Telegram.
|
||||
- `geolocation-cn`: Contains common domain names of mainland Chinese websites.
|
||||
- `geolocation-!cn`: Contains common domain names of non-mainland Chinese websites, as well as `tld-!cn`.
|
||||
- `tld-cn`: Contains top-level domain names managed by CNNIC for mainland China, such as domain names ending in `.cn` and `.中国`.
|
||||
- `tld-!cn`: Contains top-level domain names used outside mainland China, such as domain names ending in `.hk` (Hong Kong), `.tw` (Taiwan), `.jp` (Japan), `.sg` (Singapore), `.us` (United States), and `.ca` (Canada).
|
||||
|
||||
你也可以在这里查看完整的域名列表 [Domain list community](https://github.com/v2fly/domain-list-community)。
|
||||
You can also find the complete list of domain names here: [Domain list community](https://github.com/v2fly/domain-list-community).
|
||||
|
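Review bot: The heading added in this hunk is "### Predefined Domain Lists", but the `geosite:` bullet in the RuleObject hunk links to #predefined-domain-list, so that link will not resolve unless the heading or the link is changed to match. The translated description of `geosite.dat` also drops the worked example from the Chinese line (`geosite:google`); consider keeping it, since the sentence now shows only the generic `geosite:filename` form.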
@ -1,10 +1,10 @@
|
||||
# 统计信息
|
||||
# Traffic Statistics
|
||||
|
||||
用于配置 Xray 流量数据的统计。
|
||||
Used to configure traffic statistics for Xray.
|
||||
|
||||
## StatsObject
|
||||
|
||||
`StatsObject` 对应配置文件的 `stats` 项。
|
||||
The `StatsObject` corresponds to the `stats` item in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -12,44 +12,44 @@
|
||||
}
|
||||
```
|
||||
|
||||
目前统计信息不需要任何参数,只要 `StatsObject` 项存在,内部的统计即会开启。
|
||||
Currently, no parameters are required for traffic statistics, and internal statistics will be enabled as long as the `StatsObject` item exists.
|
||||
|
||||
开启了统计以后, 只需在 [Policy](./policy.md) 中开启对应的项,就可以统计对应的数据。
|
||||
After statistics are enabled, you only need to enable the corresponding items in the [Policy](./policy.md) to collect the corresponding data.
|
||||
|
||||
## 获取统计信息
|
||||
## Retrieving Traffic Statistics
|
||||
|
||||
可以用 `xray api` 的相关命令获取统计信息.
|
||||
You can use the `xray api` command to retrieve traffic statistics.
|
||||
|
||||
目前已有的统计信息如下:
|
||||
The current traffic statistics are as follows:
|
||||
|
||||
- 用户数据
|
||||
- User Data
|
||||
|
||||
- `user>>>[email]>>>traffic>>>uplink`
|
||||
|
||||
特定用户的上行流量,单位字节。
|
||||
The uplink traffic of a specific user, in bytes.
|
||||
|
||||
- `user>>>[email]>>>traffic>>>downlink`
|
||||
|
||||
特定用户的下行流量,单位字节。
|
||||
The downlink traffic of a specific user, in bytes.
|
||||
|
||||
::: tip
|
||||
如果对应用户没有指定 Email,则不会开启统计。
|
||||
If the corresponding user does not have an email specified, statistics will not be enabled.
|
||||
:::
|
||||
|
||||
- 全局数据
|
||||
- Global Data
|
||||
|
||||
- `inbound>>>[tag]>>>traffic>>>uplink`
|
||||
|
||||
特定 inbound 的上行流量,单位字节。
|
||||
The uplink traffic of a specific inbound, in bytes.
|
||||
|
||||
- `inbound>>>[tag]>>>traffic>>>downlink`
|
||||
|
||||
特定 inbound 的下行流量,单位字节。
|
||||
The downlink traffic of a specific inbound, in bytes.
|
||||
|
||||
- `outbound>>>[tag]>>>traffic>>>uplink`
|
||||
|
||||
特定 outbound 的上行流量,单位字节。
|
||||
The uplink traffic of a specific outbound, in bytes.
|
||||
|
||||
- `outbound>>>[tag]>>>traffic>>>downlink`
|
||||
|
||||
特定 outbound 的下行流量,单位字节。
|
||||
The downlink traffic of a specific outbound, in bytes.
|
||||
|
@ -1,20 +1,20 @@
|
||||
# 传输方式
|
||||
# Transport Protocol
|
||||
|
||||
传输方式(transport)是当前 Xray 节点和其它节点对接的方式。
|
||||
Transport protocol is the way that Xray nodes communicate with each other.
|
||||
|
||||
传输方式指定了稳定的数据传输的方式。通常来说,一个网络连接的两端需要有对称的传输方式。比如一端用了 WebSocket,那么另一个端也必须使用 WebSocket,否则无法建立连接。
|
||||
Transport protocol specifies a stable way to transmit data. Typically, both ends of a network connection need to use the same transport protocol to establish a connection. For example, if one end uses WebSocket, the other end must also use WebSocket, otherwise the connection cannot be established.
|
||||
|
||||
传输方式(transport)配置有两部分:
|
||||
Transport protocol configuration has two parts:
|
||||
|
||||
1. 全局配置([TransportObject](#transportobject))
|
||||
2. 局部配置([StreamSettingsObject](#streamsettingsobject))。
|
||||
1. Global configuration ([TransportObject](#transportobject))
|
||||
2. Local configuration ([StreamSettingsObject](#streamsettingsobject)).
|
||||
|
||||
- 局部配置时,可以指定每个单独的入站或出站用怎样的方式传输。
|
||||
- 通常来说客户端和服务器对应的入站和出站需要使用同样的传输方式。当其配置指定了一种传输方式,但没有填写具体设置时,此传输方式会使用全局配置中的设置。
|
||||
- When configuring locally, you can specify how each individual inbound or outbound connection is transmitted.
|
||||
- Typically, the inbound and outbound connections corresponding to the client and server need to use the same transport protocol. When a transport protocol is specified but no specific settings are provided, the transport protocol will use the settings from the global configuration.
|
||||
|
||||
## TransportObject
|
||||
|
||||
`TransportObject` 对应配置文件的 `transport` 项。
|
||||
The `TransportObject` corresponds to the `transport` item in the configuration file.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -32,35 +32,35 @@
|
||||
|
||||
> `tcpSettings`: [TcpObject](./transports/tcp.md)
|
||||
|
||||
针对 TCP 连接的配置。
|
||||
Configuration for TCP connections.
|
||||
|
||||
> `kcpSettings`: [KcpObject](./transports/mkcp.md)
|
||||
|
||||
针对 mKCP 连接的配置。
|
||||
Configuration for mKCP connections.
|
||||
|
||||
> `wsSettings`: [WebSocketObject](./transports/websocket.md)
|
||||
|
||||
针对 WebSocket 连接的配置。
|
||||
Configuration for WebSocket connections.
|
||||
|
||||
> `httpSettings`: [HttpObject](./transports/h2.md)
|
||||
|
||||
针对 HTTP/2 连接的配置。
|
||||
Configuration for HTTP/2 connections.
|
||||
|
||||
> `quicSettings`: [QuicObject](./transports/quic.md)
|
||||
|
||||
针对 QUIC 连接的配置。
|
||||
Configuration for QUIC connections.
|
||||
|
||||
> `grpcSettings`: [GRPCObject](./transports/grpc.md)
|
||||
|
||||
针对 gRPC 连接的配置。
|
||||
Configuration for gRPC connections.
|
||||
|
||||
> `dsSettings`: [DomainSocketObject](./transports/domainsocket.md)
|
||||
|
||||
针对 Domain Socket 连接的配置。
|
||||
Configuration for Domain Socket connections.
|
||||
|
||||
## StreamSettingsObject
|
||||
|
||||
`StreamSettingsObject` 对应入站或出站中的 `streamSettings` 项。每一个入站或出站都可以分别配置不同的传输配置,都可以设置 `streamSettings` 来进行一些传输的配置。
|
||||
`StreamSettingsObject` corresponds to the `streamSettings` item in inbound or outbound configuration. Each inbound or outbound can be configured with different transport settings and can use `streamSettings` to perform some transport configurations.
|
||||
|
||||
```json
|
||||
{
|
||||
@ -88,60 +88,59 @@
|
||||
|
||||
> `network`: "tcp" | "kcp" | "ws" | "http" | "domainsocket" | "quic" | "grpc"
|
||||
|
||||
连接的数据流所使用的传输方式类型,默认值为 `"tcp"`
|
||||
The type of transport used by the connection's data stream, with a default value of `"tcp"`.
|
||||
|
||||
> `security`: "none" | "tls" | "reality"
|
||||
> `security`: "none" | "tls" | "xtls"
|
||||
|
||||
是否启用传输层加密,支持的选项有
|
||||
Whether to enable transport layer encryption, with supported options:
|
||||
|
||||
- `"none"` 表示不加密(默认值)
|
||||
- `"tls"` 表示使用 [TLS](https://en.wikipedia.org/wiki/base/transport_Layer_Security)。
|
||||
- `"reality"` 表示使用 REALITY。
|
||||
- `"none"` means no encryption (default value).
|
||||
- `"tls"` means using [TLS](https://en.wikipedia.org/wiki/base/transport_Layer_Security).
|
||||
- `"xtls"` means using [XTLS](./features/xtls.md). <Badge text="Deprecated" type="warning"/>
|
||||
|
||||
> `tlsSettings`: [TLSObject](#tlsobject)
|
||||
|
||||
TLS 配置。TLS 由 Golang 提供,通常情况下 TLS 协商的结果为使用 TLS 1.3,不支持 DTLS。
|
||||
TLS configuration. TLS is provided by Golang, and usually the result of TLS negotiation is to use TLS 1.3, and DTLS is not supported.
|
||||
|
||||
> `realitySettings`: [RealityObject](#realityobject)
|
||||
> `xtlsSettings`: [XTLSObject](#tlsobject) <Badge text="Deprecated" type="warning"/>
|
||||
|
||||
Reality 配置。Reality 是 Xray 的原创黑科技。 Reality 比 TLS 的安全性更高, 配置方式也和 TLS 一致.
|
||||
XTLS configuration. XTLS is Xray's original technology, which is the core driver of Xray's outstanding performance. XTLS has the same security as TLS and uses the same configuration as TLS.
|
||||
|
||||
::: tip
|
||||
Reality 是目前最安全的传输加密方案, 且外部看来流量类型和正常上网具有一致性。 启用 Reality 并且配置合适的 XTLS Vision 流控模式, 可以
|
||||
达到数倍甚至十几倍的性能提升。
|
||||
TLS/XTLS is currently the most secure transport encryption scheme, and its traffic appears consistent with normal web traffic to outsiders. Enabling XTLS and configuring the appropriate XTLS flow control mode can provide several times to even more than ten times the performance improvement while maintaining the same security as TLS. When changing the value of `security` from `tls` to `xtls`, simply modify `tlsSettings` to `xtlsSettings`.
|
||||
:::
|
||||
|
||||
> `tcpSettings`: [TcpObject](./transports/tcp.md)
|
||||
|
||||
当前连接的 TCP 配置,仅当此连接使用 TCP 时有效。配置内容与上面的全局配置相同。
|
||||
The TCP configuration for the current connection, only valid when TCP is used for this connection. The configuration is the same as the global configuration above.
|
||||
|
||||
> `kcpSettings`: [KcpObject](./transports/mkcp.md)
|
||||
|
||||
当前连接的 mKCP 配置,仅当此连接使用 mKCP 时有效。配置内容与上面的全局配置相同。
|
||||
The mKCP configuration for the current connection, only valid when mKCP is used for this connection. The configuration is the same as the global configuration above.
|
||||
|
||||
> `wsSettings`: [WebSocketObject](./transports/websocket.md)
|
||||
|
||||
当前连接的 WebSocket 配置,仅当此连接使用 WebSocket 时有效。配置内容与上面的全局配置相同。
|
||||
The WebSocket configuration for the current connection, only valid when WebSocket is used for this connection. The configuration is the same as the global configuration above.
|
||||
|
||||
> `httpSettings`: [HttpObject](./transports/h2.md)
|
||||
|
||||
当前连接的 HTTP/2 配置,仅当此连接使用 HTTP/2 时有效。配置内容与上面的全局配置相同。
|
||||
The HTTP/2 configuration for the current connection, only valid when HTTP/2 is used for this connection. The configuration is the same as the global configuration above.
|
||||
|
||||
> `quicSettings`: [QUICObject](./transports/quic.md)
|
||||
|
||||
当前连接的 QUIC 配置,仅当此连接使用 QUIC 时有效。配置内容与上面的全局配置相同。
|
||||
The QUIC configuration for the current connection, only valid when QUIC is used for this connection. The configuration is the same as the global configuration above.
|
||||
|
||||
> `grpcSettings`: [GRPCObject](./transports/grpc.md)
|
||||
|
||||
当前连接的 gRPC 配置,仅当此连接使用 gRPC 时有效。配置内容与上面的全局配置相同。
|
||||
The gRPC configuration for the current connection, only valid when gRPC is used for this connection. The configuration is the same as the global configuration above.
|
||||
|
||||
> `dsSettings`: [DomainSocketObject](./transports/domainsocket.md)
|
||||
|
||||
当前连接的 Domain socket 配置,仅当此连接使用 Domain socket 时有效。配置内容与上面的全局配置相同。
|
||||
The Domain socket configuration for the current connection, only valid when Domain socket is used for this connection. The configuration is the same as the global configuration above.
|
||||
|
||||
> `sockopt`: [SockoptObject](#sockoptobject)
|
||||
> `sockopt`: [SockoptObject](./chat#sockoptobject)
|
||||
|
||||
透明代理相关的具体配置。
|
||||
Specific configuration for transparent proxying.
|
||||
|
||||
### TLSObject
|
||||
|
||||
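Review bot: This hunk changes what the page documents rather than only translating it. The `security` options go from "none" | "tls" | "reality" to "none" | "tls" | "xtls", and `realitySettings`: [RealityObject](#realityobject) becomes `xtlsSettings`: [XTLSObject](#tlsobject) with a Deprecated badge, so English readers would be pointed at a deprecated option while the source documents REALITY. Please translate the current source lines instead of reusing older XTLS text. The `sockopt` link also changes from #sockoptobject to ./chat#sockoptobject, which looks unintended, and the TLS link https://en.wikipedia.org/wiki/base/transport_Layer_Security is carried over with a path that does not look like a valid Wikipedia article.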
@ -153,7 +152,7 @@ Reality 是目前最安全的传输加密方案, 且外部看来流量类型和
|
||||
"alpn": ["h2", "http/1.1"],
|
||||
"minVersion": "1.2",
|
||||
"maxVersion": "1.3",
|
||||
"cipherSuites": "此处填写你需要的加密套件名称,每个套件名称之间用:进行分隔",
|
||||
"cipherSuites": "Specify the names of the encryption suites you need here, separated by :",
|
||||
"certificates": [],
|
||||
"disableSystemRoot": false,
|
||||
"enableSessionResumption": false,
|
||||
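Review bot: In the changed `cipherSuites` placeholder, "encryption suites" should read "cipher suites" so the wording matches the key name `cipherSuites`. Suggested text: "Specify the cipher suite names you need here, separated by colons (:)".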
@ -164,62 +163,61 @@ Reality 是目前最安全的传输加密方案, 且外部看来流量类型和
|
||||
|
||||
> `serverName`: string
|
||||
|
||||
指定服务器端证书的域名,在连接由 IP 建立时有用。
|
||||
Specifies the domain name of the server certificate, useful when the connection is established by IP.
|
||||
|
||||
当目标连接由域名指定时,比如在 Socks 入站接收到了域名,或者由 Sniffing 功能探测出了域名,这个域名会自动用于 `serverName`,无须手动配置。
|
||||
When the target connection is specified by domain name, such as when the domain name is received by the Socks inbound or when it is detected by the Sniffing function, this domain name is automatically used for `serverName` without manual configuration.
|
||||
|
||||
> `rejectUnknownSni`: bool
|
||||
|
||||
当值为 `true` 时,服务端接收到的 SNI 与证书域名不匹配即拒绝 TLS 握手,默认为 false。
|
||||
When set to `true`, the server rejects the TLS handshake if the received SNI does not match the domain name in the certificate. The default value is `false`.
|
||||
|
||||
> `alpn`: \[ string \]
|
||||
> `alpn`: [ string ]
|
||||
|
||||
一个字符串数组,指定了 TLS 握手时指定的 ALPN 数值。默认值为 `["h2", "http/1.1"]`。
|
||||
An array of strings that specifies the ALPN values to be used during the TLS handshake. The default value is `["h2", "http/1.1"]`.
|
||||
|
||||
> `minVersion`: \[ string \]
|
||||
> `minVersion`: [ string ]
|
||||
|
||||
minVersion 为可接受的最小 SSL/TLS 版本。
|
||||
`minVersion` is the minimum acceptable SSL/TLS version.
|
||||
|
||||
> `maxVersion`: \[ string \]
|
||||
> `maxVersion`: [ string ]
|
||||
|
||||
maxVersion 为可接受的最大 SSL/TLS 版本。
|
||||
`maxVersion` is the maximum acceptable SSL/TLS version.
|
||||
|
||||
> `cipherSuites`: \[ string \]
|
||||
> `cipherSuites`: [ string ]
|
||||
|
||||
CipherSuites 用于配置受支持的密码套件列表, 每个套件名称之间用:进行分隔.
|
||||
`CipherSuites` is used to configure the supported list of cryptographic suites, with each suite name separated by a colon.
|
||||
|
||||
你可以在 [这里](https://golang.org/src/crypto/tls/cipher_suites.go#L500)或 [这里](https://golang.org/src/crypto/tls/cipher_suites.go#L44)
|
||||
找到 golang 加密套件的名词和说明
|
||||
You can find the names and descriptions of Golang encryption suites at [here](https://golang.org/src/crypto/tls/cipher_suites.go#L500) or [here](https://golang.org/src/crypto/tls/cipher_suites.go#L44).
|
||||
|
||||
::: danger
|
||||
以上两项配置为非必要选项,正常情况下不影响安全性 在未配置的情况下 golang 根据设备自动选择. 若不熟悉, 请勿配置此选项, 填写不当引起的问题自行负责
|
||||
The above two configurations are optional and normally do not affect security. If not configured, Golang will automatically select based on the device. If you are not familiar with these options, do not configure them, and any problems caused by improper configuration are your responsibility.
|
||||
:::
|
||||
|
||||
> `allowInsecure`: true | false
|
||||
|
||||
是否允许不安全连接(仅用于客户端)。默认值为 `false`。
|
||||
Whether to allow insecure connections (only for clients). The default value is `false`.
|
||||
|
||||
当值为 `true` 时,Xray 不会检查远端主机所提供的 TLS 证书的有效性。
|
||||
When set to `true`, Xray will not verify the validity of the TLS certificate provided by the remote host.
|
||||
|
||||
::: danger
|
||||
出于安全性考虑,这个选项不应该在实际场景中选择 true,否则可能遭受中间人攻击。
|
||||
For security reasons, this option should not be set to true in practical scenarios, otherwise, it may be susceptible to man-in-the-middle attacks.
|
||||
:::
|
||||
|
||||
> `disableSystemRoot`: true | false
|
||||
|
||||
是否禁用操作系统自带的 CA 证书。默认值为 `false`。
|
||||
Whether to disable the CA certificate provided by the operating system. The default value is `false`.
|
||||
|
||||
当值为 `true` 时,Xray 只会使用 `certificates` 中指定的证书进行 TLS 握手。当值为 `false` 时,Xray 只会使用操作系统自带的 CA 证书进行 TLS 握手。
|
||||
When set to `true`, Xray will only use the certificates specified in `certificates` for TLS handshakes. When set to `false`, Xray will only use the CA certificates provided by the operating system for TLS handshakes.
|
||||
|
||||
> `enableSessionResumption`: true | false
|
||||
|
||||
此参数的设置为 false 时, ClientHello 里没有 session_ticket 这个扩展。 通常来讲 go 语言程序的 ClientHello 里并没有用到这个扩展, 因此建议保持默认值。 默认值为 `false`。
|
||||
When this parameter is set to false, the `session_ticket` extension is not included in the ClientHello message. Generally, the ClientHello message in Go language programs does not use this extension, so it is recommended to keep the default value. The default value is `false`.
|
||||
|
||||
> `fingerprint`: string
|
||||
|
||||
此参数用于配置指定 `TLS Client Hello` 的指纹。当其值为空时,表示不启用此功能。启用后,Xray 将通过 uTLS 库 **模拟** `TLS` 指纹,或随机生成。支持三种配置方式:
|
||||
This parameter is used to configure the fingerprint of the `TLS Client Hello`. When its value is empty, this feature is not enabled. After enabling it, Xray will **simulate** the `TLS` fingerprint through the uTLS library or generate it randomly. Three configuration options are supported:
|
||||
|
||||
1. 常见浏览器最新版本的 TLS 指纹 包括
|
||||
1. TLS fingerprints of the latest versions of popular browsers, including:
|
||||
|
||||
- `"chrome"`
|
||||
- `"firefox"`
|
||||
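Review bot: `minVersion`, `maxVersion` and `cipherSuites` are carried over with the type `[ string ]`, but the `cipherSuites` description in this same hunk says the names are separated by a colon, and the TLSObject example gives `"minVersion": "1.2"` and a single string for `cipherSuites`. If the example is right, the type for all three should be `string`. Separately, the danger box says "the above two configurations" directly after three options, so name the options it covers, and put `true` in a code span in the `allowInsecure` danger box as the rest of the page does.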
@ -230,72 +228,37 @@ CipherSuites 用于配置受支持的密码套件列表, 每个套件名称之
|
||||
- `"360"`
|
||||
- `"qq"`
|
||||
|
||||
2. 在 xray 启动时自动生成一个指纹
|
||||
1. Generate a fingerprint when xray starts
|
||||
|
||||
- `"random"`: 在较新版本的浏览器里随机抽取一个
|
||||
- `"randomized"`: 完全随机生成一个独一无二的指纹 (100% 支持 TLS 1.3 使用 X25519)
|
||||
- `"random"`: randomly select one in newer versions of browsers
|
||||
- `"randomized"`: generate a completely random and unique fingerprint (100% compatible with TLS 1.3 using X25519)
|
||||
|
||||
3. 使用 uTLS 原生指纹变量名 例如`"HelloRandomizedNoALPN"` `"HelloChrome_106_Shuffle"`。完整名单见 [uTLS 库](https://github.com/refraction-networking/utls/blob/master/u_common.go#L162)
|
||||
1. Use uTLS native fingerprint variable names, such as `"HelloRandomizedNoALPN"` `"HelloChrome_106_Shuffle"`. See the full list in [uTLS library](https://github.com/refraction-networking/utls/blob/master/u_common.go#L162).
|
||||
|
||||
::: tip
|
||||
此功能仅 **模拟** `TLS Client Hello` 的指纹,行为、其他指纹与 Golang 相同。如果你希望更加完整地模拟浏览器 `TLS`
|
||||
指纹与行为,可以使用 [Browser Dialer](./transports/websocket.md#browser-dialer)。
|
||||
This feature only **simulates** the fingerprint of the `TLS Client Hello`, and its behavior and other fingerprints are the same as Golang. If you want to simulate browser `TLS` fingerprints and behaviors more completely, you can use the [Browser Dialer](./transports/websocket.md#browser-dialer).
|
||||
:::
|
||||
|
||||
> `pinnedPeerCertificateChainSha256`: \[string\]
|
||||
> `pinnedPeerCertificateChainSha256`: [string]
|
||||
|
||||
用于指定远程服务器的证书链 SHA256 散列值,使用标准编码格式。仅有当服务器端证书链散列值符合设置项中之一时才能成功建立 TLS 连接。
|
||||
Specifies the SHA256 hash value of the certificate chain for the remote server, using standard encoding format. Only when the hash value of the server-side certificate chain matches one of the settings can a TLS connection be successfully established.
|
||||
|
||||
在连接因为此配置失败时,会展示远程服务器证书散列值。
|
||||
When the connection fails due to this configuration, the hash value of the remote server certificate will be displayed.
|
||||
|
||||
::: danger
|
||||
不建议使用这种方式获得证书链散列值,因为在这种情况下将没有机会验证此时服务器提供的证书是否为真实证书,进而不保证获得的证书散列值为期望的散列值。
|
||||
It is not recommended to use this method to obtain the hash value of the certificate chain, because in this case, there will be no opportunity to verify whether the certificate provided by the server at this time is a real certificate, and it cannot be guaranteed that the obtained certificate hash value is the expected hash value.
|
||||
:::
|
||||
|
||||
::: tip
|
||||
如果需要获得证书的散列值,应在命令行中运行 `xray tls certChainHash --cert <cert.pem>` 来获取,`<cert.pem>` 应替换为实际证书文件路径。
|
||||
If you need to obtain the hash value of the certificate, run `xray tls certChainHash --cert <cert.pem>` in the command line, where `<cert.pem>` should be replaced with the actual certificate file path.
|
||||
:::
|
||||
|
||||
> `certificates`: \[ [CertificateObject](#certificateobject) \]
|
||||
> `certificates`: [ [CertificateObject](./chat#certificateobject) ]
|
||||
|
||||
证书列表,其中每一项表示一个证书(建议 fullchain)。
|
||||
A list of certificates, each representing a certificate (recommended fullchain).
|
||||
|
||||
::: tip
|
||||
如果要在 ssllibs 或者 myssl 获得 A/A+ 等级的评价,
|
||||
请参考 [这里](https://github.com/XTLS/Xray-core/discussions/56#discussioncomment-215600).
|
||||
:::
|
||||
|
||||
### RealityObject
|
||||
|
||||
```json
|
||||
{
|
||||
"show": false, // 选填,若为 true,输出调试信息
|
||||
"dest": "example.com:443", // 必填,格式同 VLESS fallbacks 的 dest
|
||||
"xver": 0, // 选填,格式同 VLESS fallbacks 的 xver
|
||||
"serverNames": [ // 必填,客户端可用的 serverName 列表,暂不支持 * 通配符
|
||||
"example.com",
|
||||
"www.example.com"
|
||||
],
|
||||
"privateKey": "", // 必填,执行 ./xray x25519 生成
|
||||
"minClientVer": "", // 选填,客户端 Xray 最低版本,格式为 x.y.z
|
||||
"maxClientVer": "", // 选填,客户端 Xray 最高版本,格式为 x.y.z
|
||||
"maxTimeDiff": 0, // 选填,允许的最大时间差,单位为毫秒
|
||||
"shortIds": [ // 必填,客户端可用的 shortId 列表,可用于区分不同的客户端
|
||||
"", // 若有此项,客户端 shortId 可为空
|
||||
"0123456789abcdef" // 0 到 f,长度为 2 的倍数,长度上限为 16
|
||||
],
|
||||
// 客户端选项
|
||||
"show": false, // 选填,若为 true,输出调试信息
|
||||
"fingerprint": "chrome", // 必填,使用 uTLS 库模拟客户端 TLS 指纹
|
||||
"serverName": "", // 必填,服务端 serverNames 之一
|
||||
"publicKey": "", // 必填,服务端私钥对应的公钥
|
||||
"shortId": "", // 必填,服务端 shortIds 之一
|
||||
"spiderX": "" // 爬虫初始路径与参数,建议每个客户端不同
|
||||
}
|
||||
```
|
||||
|
||||
::: tip
|
||||
更多信息请参考 [REALITY 项目](https://github.com/XTLS/REALITY).
|
||||
If you want to obtain the A/A+ rating in ssllibs or myssl evaluation, please refer to [here](https://github.com/XTLS/Xray-core/discussions/56#discussioncomment-215600).
|
||||
:::
|
||||
|
||||
#### CertificateObject
|
||||
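Review bot: The `### RealityObject` section (the JSON example and the tip linking to the REALITY project) is removed here with no English replacement, so the translated page loses the documentation for `privateKey`, `shortIds`, `serverNames` and the client-side `publicKey`, `shortId` and `fingerprint` fields. Keep the section and translate its comments instead of dropping it. Also in this hunk, the `certificates` link now targets `./chat#certificateobject` instead of `#certificateobject`, and all three items of the fingerprint list are numbered `1.` where the source had 1, 2, 3.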
@ -360,63 +323,63 @@ CipherSuites 用于配置受支持的密码套件列表, 每个套件名称之
|
||||
|
||||
> `ocspStapling`: number
|
||||
|
||||
OCSP 装订更新,与证书热重载的时间间隔。 单位:秒。默认值为 `3600`,即一小时。
|
||||
OCSP stapling update interval in seconds for certificate hot reload. Default value is `3600`, i.e. one hour.
|
||||
|
||||
> `oneTimeLoading`: true | false
|
||||
|
||||
仅加载一次。值为 `true` 时将关闭证书热重载功能与 ocspStapling 功能。
|
||||
Load only once. When set to `true`, it will disable certificate hot reload and OCSP stapling feature.
|
||||
|
||||
::: warning
|
||||
当值为 `true` 时,将会关闭 OCSP 装订。
|
||||
When set to `true`, OCSP stapling will be disabled.
|
||||
:::
|
||||
|
||||
> `usage`: "encipherment" | "verify" | "issue"
|
||||
|
||||
证书用途,默认值为 `"encipherment"`。
|
||||
Certificate usage, default value is `"encipherment"`.
|
||||
|
||||
- `"encipherment"`:证书用于 TLS 认证和加密。
|
||||
- `"verify"`:证书用于验证远端 TLS 的证书。当使用此项时,当前证书必须为 CA 证书。
|
||||
- `"issue"`:证书用于签发其它证书。当使用此项时,当前证书必须为 CA 证书。
|
||||
- `"encipherment"`: The certificate is used for TLS authentication and encryption.
|
||||
- `"verify"`: The certificate is used to verify the remote TLS certificate. When using this option, the current certificate must be a CA certificate.
|
||||
- `"issue"`: The certificate is used to issue other certificates. When using this option, the current certificate must be a CA certificate.
|
||||
|
||||
::: tip TIP 1
|
||||
在 Windows 平台上可以将自签名的 CA 证书安装到系统中,即可验证远端 TLS 的证书。
|
||||
On Windows platform, self-signed CA certificate can be installed in the system for verifying remote TLS certificates.
|
||||
:::
|
||||
|
||||
::: tip TIP 2
|
||||
当有新的客户端请求时,假设所指定的 `serverName` 为 `"xray.com"`,Xray 会先从证书列表中寻找可用于 `"xray.com"` 的证书,如果没有找到,则使用任一 `usage`
|
||||
为 `"issue"` 的证书签发一个适用于 `"xray.com"` 的证书,有效期为一小时。并将新的证书加入证书列表,以供后续使用。
|
||||
When a new client request comes in, assuming the specified `serverName` is `"xray.com"`, Xray will first look for a certificate that can be used for `"xray.com"` in the certificate list. If not found, it will issue a certificate for `"xray.com"` using any certificate with `usage` set to `"issue"`, with a validity of one hour. The new certificate is then added to the certificate list for later use.
|
||||
:::
|
||||
|
||||
::: tip TIP 3
|
||||
当 `certificateFile` 和 `certificate` 同时指定时,Xray 优先使用 `certificateFile`。`keyFile` 和 `key` 也一样。
|
||||
When both `certificateFile` and `certificate` are specified, Xray will use `certificateFile` as the priority. The same applies to `keyFile` and `key`.
|
||||
:::
|
||||
|
||||
::: tip TIP 4
|
||||
当 `usage` 为 `"verify"` 时,`keyFile` 和 `key` 可均为空。
|
||||
When `usage` is set to `"verify"`, `keyFile` and `key` can both be empty.
|
||||
:::
|
||||
|
||||
::: tip TIP 5
|
||||
使用 `xray tls cert` 可以生成自签名的 CA 证书。
|
||||
Use `xray tls cert` to generate self-signed CA certificate.
|
||||
:::
|
||||
|
||||
::: tip TIP 6
|
||||
如已经拥有一个域名, 可以使用工具便捷的获取免费第三方证书,如[acme.sh](https://github.com/acmesh-official/acme.sh)
|
||||
If you already have a domain name, you can use tools to obtain free third-party certificates easily, such as [acme.sh](https://github.com/acmesh-official/acme.sh).
|
||||
:::
|
||||
|
||||
> `certificateFile`: string
|
||||
|
||||
证书文件路径,如使用 OpenSSL 生成,后缀名为 .crt。
|
||||
Path to the certificate file generated by OpenSSL, with the suffix `.crt`.
|
||||
|
||||
> `certificate`: \[ string \]
|
||||
> `certificate`: [ string ]
|
||||
|
||||
一个字符串数组,表示证书内容,格式如样例所示。`certificate` 和 `certificateFile` 二者选一。
|
||||
A string array representing the certificate content, in the format shown in the example. Either `certificate` or `certificateFile` can be used.
|
||||
|
||||
> `keyFile`: string
|
||||
|
||||
密钥文件路径,如使用 OpenSSL 生成,后缀名为 .key。目前暂不支持需要密码的 key 文件。
|
||||
Path to the key file generated by OpenSSL, with the suffix `.key`. Password-protected key files are not currently supported.
|
||||
|
||||
> `key`: \[ string \]
|
||||
> `key`: [ string ]
|
||||
|
||||
一个字符串数组,表示密钥内容,格式如样例如示。`key` 和 `keyFile` 二者选一。
|
||||
A string array representing the key content, in the format shown in the example. Either `key` or `keyFile` can be used.
|
||||
|
||||
### SockoptObject
|
||||
|
||||
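Review bot: The `certificateFile` and `keyFile` descriptions change meaning in translation: the source says the suffix is `.crt` or `.key` if the file was generated with OpenSSL, while the English reads as if the file must be OpenSSL-generated. Suggested wording: "Path to the certificate file; if generated with OpenSSL, the suffix is `.crt`", and the same pattern for `keyFile`. Likewise "Either `certificate` or `certificateFile` can be used" weakens the source's "choose one of the two"; TIP 3 already covers what happens when both are set.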
@ -436,137 +399,128 @@ OCSP 装订更新,与证书热重载的时间间隔。 单位:秒。默认
|
||||
|
||||
> `mark`: number
|
||||
|
||||
一个整数。当其值非零时,在 ountbound 连接以此数值上标记 SO_MARK。
|
||||
An integer value. When its value is non-zero, SO_MARK is marked with this value on the outbound connection.
|
||||
|
||||
- 仅适用于 Linux 系统。
|
||||
- 需要 CAP_NET_ADMIN 权限。
|
||||
- Only applicable to Linux systems.
|
||||
- Requires CAP_NET_ADMIN permission.
|
||||
|
||||
> `tcpFastOpen`: true | false | number
|
||||
|
||||
是否启用 [TCP Fast Open](https://zh.wikipedia.org/wiki/TCP%E5%BF%AB%E9%80%9F%E6%89%93%E5%BC%80)。
|
||||
Specifies whether [TCP Fast Open](https://en.wikipedia.org/wiki/TCP_Fast_Open) is enabled.
|
||||
|
||||
当其值为 `true` 或`正整数`时,启用 TFO;当其值为 `false` 或`负数`时,强制关闭 TFO;当此项不存在或为 `0` 时,使用系统默认设置。 可用于 inbound/outbound。
|
||||
|
||||
- 仅在以下版本(或更新版本)的操作系统中可用:
|
||||
When its value is `true` or a positive integer, TFO is enabled; when its value is `false` or a negative integer, TFO is forced to be disabled; when this item does not exist or is `0`, the system default setting is used. It can be used for inbound/outbound connections.
|
||||
|
||||
- Only available in the following (or later) versions of operating systems:
|
||||
- Windows 10 (1607)
|
||||
- Mac OS 10.11 / iOS 9
|
||||
- Linux 3.16:需要通过内核参数 `net.ipv4.tcp_fastopen` 进行设定,此参数是一个 bitmap,`0x1` 代表客户端允许启用,`0x2` 代表服务器允许启用;默认值为 `0x1`,如果服务器要启用
|
||||
TFO,请把此内核参数值设为 `0x3`。
|
||||
- FreeBSD 10.3 (Server) / 12.0 (Client):需要把内核参数 `net.inet.tcp.fastopen.server_enabled`
|
||||
以及 `net.inet.tcp.fastopen.client_enabled` 设为 `1`。
|
||||
|
||||
- 对于 Inbound,此处所设定的`正整数`代表 [待处理的 TFO 连接请求数上限](https://tools.ietf.org/html/rfc7413#section-5.1) ,**注意并非所有操作系统都支持在此设定**:
|
||||
|
||||
- Linux / FreeBSD:此处的设定的`正整数`值代表上限,可接受的最大值为 2147483647,为 `true` 时将取 `256`;注意在 Linux,`net.core.somaxconn`
|
||||
会限制此值的上限,如果超过了 `somaxconn`,请同时提高 `somaxconn`。
|
||||
- Mac OS:此处为 `true` 或`正整数`时,仅代表启用 TFO,上限需要通过内核参数 `net.inet.tcp.fastopen_backlog` 单独设定。
|
||||
- Windows:此处为 `true` 或`正整数`时,仅代表启用 TFO。
|
||||
|
||||
- 对于 Outbound,设定为 `true` 或`正整数`在任何操作系统都仅表示启用 TFO。
|
||||
- Linux 3.16: It needs to be set through the kernel parameter `net.ipv4.tcp_fastopen`, which is a bitmap. `0x1` represents the client allows enabling it, and `0x2` represents the server allows enabling it. The default value is `0x1`. If the server wants to enable TFO, set this kernel parameter value to `0x3`.
|
||||
- FreeBSD 10.3 (Server) / 12.0 (Client): The kernel parameters `net.inet.tcp.fastopen.server_enabled` and `net.inet.tcp.fastopen.client_enabled` need to be set to `1`.
|
||||
- For inbound, the `positive integer` set here represents the maximum number of TFO connection requests to be processed, **note that not all operating systems support this setting**:
|
||||
- Linux/FreeBSD: The `positive integer` value set here represents the upper limit, and the maximum acceptable value is 2147483647. If it is set to `true`, it will take `256`. Note that in Linux, `net.core.somaxconn` will limit the upper limit of this value. If it exceeds `somaxconn`, please also increase `somaxconn`.
|
||||
- Mac OS: When it is `true` or a `positive integer`, it only represents enabling TFO, and the upper limit needs to be set separately through the kernel parameter `net.inet.tcp.fastopen_backlog`.
|
||||
- Windows: When it is `true` or a `positive integer`, it only represents enabling TFO.
|
||||
- For outbound, setting it to `true` or a `positive integer` only represents enabling TFO on any operating system.
|
||||
|
||||
> `tproxy`: "redirect" | "tproxy" | "off"
|
||||
|
||||
是否开启透明代理(仅适用于 Linux)。
|
||||
Specifies whether to enable transparent proxy (only applicable to Linux).
|
||||
|
||||
- `"redirect"`:使用 Redirect 模式的透明代理。支持所有基于 IPv4/6 的 TCP 和 UDP 连接。
|
||||
- `"tproxy"`:使用 TProxy 模式的透明代理。支持所有基于 IPv4/6 的 TCP 和 UDP 连接。
|
||||
- `"off"`:关闭透明代理。
|
||||
- `"redirect"`: Use the transparent proxy in Redirect mode. It supports all TCP and UDP connections based on IPv4/6.
|
||||
- `"tproxy"`: Use the transparent proxy in TProxy mode. It supports all TCP and UDP connections based on IPv4/6.
|
||||
- `"off"`: Turn off transparent proxy.
|
||||
|
||||
透明代理需要 Root 或 `CAP\_NET\_ADMIN` 权限。
|
||||
Transparent proxy requires Root or `CAP\_NET\_ADMIN` permission.
|
||||
|
||||
::: danger
|
||||
当 [Dokodemo-door](./inbounds/dokodemo.md) 中指定了 `followRedirect`为`true`,且 Sockopt 设置中的`tproxy` 为空时,Sockopt
|
||||
设置中的`tproxy` 的值会被设为 `"redirect"`。
|
||||
When `followRedirect` is set to `true` in [Dokodemo-door](./inbounds/dokodemo.md), and `tproxy` in the Sockopt settings is empty, the value of `tproxy` in the Sockopt settings will be set to `"redirect"`.
|
||||
:::
|
||||
|
||||
> `domainStrategy`: "AsIs" | "UseIP" | "UseIPv4" | "UseIPv6"
|
||||
|
||||
在之前的版本中,当 Xray 尝试使用域名建立系统连接时,域名的解析由系统完成,不受 Xray
|
||||
控制。这导致了在 [非标准 Linux 环境中无法解析域名](https://github.com/v2ray/v2ray-core/issues/1909) 等问题。为此,Xray 1.3.1 为 Sockopt 引入了 Freedom
|
||||
中的 domainStrategy,解决了此问题。
|
||||
In previous versions, when Xray attempted to establish a system connection using a domain name, the resolution of the domain name was completed by the system and not controlled by Xray. This led to issues such as the inability to resolve domain names in non-standard Linux environments. To solve this problem, Xray 1.3.1 introduced Freedom's `domainStrategy` into Sockopt.
|
||||
|
||||
在目标地址为域名时, 配置相应的值, SystemDialer 的行为模式如下:
|
||||
When the target address is a domain name, the corresponding value is configured, and the behavior of SystemDialer is as follows:
|
||||
|
||||
- `"AsIs"`: 通过系统 DNS 服务器解析获取 IP, 向此域名发出连接。
|
||||
- `"UseIP"`、`"UseIPv4"` 和 `"UseIPv6"`: 使用[内置 DNS 服务器](./dns.md)解析获取 IP 后, 直接向此 IP 发出连接。
|
||||
- `"AsIs"`: Resolve the IP address using the system DNS server and connect to the domain name.
|
||||
- `"UseIP"`, `"UseIPv4"`, and `"UseIPv6"`: Resolve the IP address using the [built-in DNS server](./dns.md) and connect to the IP address directly.
|
||||
|
||||
默认值为 `"AsIs"`。
|
||||
The default value is `"AsIs"`.
|
||||
|
||||
::: danger
|
||||
|
||||
启用了此功能后,不当的配置可能会导致死循环。
|
||||
Improper configuration may cause infinite loops when this feature is enabled.
|
||||
|
||||
一句话版本:连接到服务器,需要等待 DNS 查询结果;完成 DNS 查询,需要连接到服务器。
|
||||
In short, connecting to the server requires waiting for the DNS query result, and completing the DNS query requires connecting to the server.
|
||||
|
||||
> Tony: 先有鸡还是先有蛋?
|
||||
> Tony: Which came first, the chicken or the egg?
|
||||
|
||||
详细解释:
|
||||
Explanation:
|
||||
|
||||
1. 触发条件:代理服务器(proxy.com)。内置 DNS 服务器,非 Local 模式。
|
||||
2. Xray 尝试向 proxy.com 建立 TCP 连接 **前** ,通过内置 DNS 服务器查询 proxy.com。
|
||||
3. 内置 DNS 服务器向 dns.com 建立连接,并发送查询,以获取 proxy.com 的 IP。
|
||||
4. **不当的** 的路由规则,导致 proxy.com 代理了步骤 3 中发出的查询。
|
||||
5. Xray 尝试向 proxy.com 建立另一个 TCP 连接。
|
||||
6. 在建立连接前,通过内置 DNS 服务器查询 proxy.com。
|
||||
7. 内置 DNS 服务器复用步骤 3 中的连接,发出查询。
|
||||
8. 问题出现。步骤 3 中连接的建立,需要等待步骤 7 中的查询结果;步骤 7 完成查询,需要等待步骤 3 中的连接完全建立。
|
||||
9. Good Game!
|
||||
1. Trigger condition: proxy server (proxy.com). Built-in DNS server, non-local mode.
|
||||
2. Before Xray attempts to establish a TCP connection to proxy.com, it queries proxy.com using the built-in DNS server.
|
||||
3. The built-in DNS server establishes a connection to dns.com and sends a query to obtain the IP address of proxy.com.
|
||||
4. Improper routing rules cause proxy.com to proxy the query sent in step 3.
|
||||
5. Xray attempts to establish another TCP connection to proxy.com.
|
||||
6. Before establishing the connection, Xray queries proxy.com using the built-in DNS server.
|
||||
7. The built-in DNS server reuses the connection established in step 3 to send a query.
|
||||
8. A problem arises. The establishment of the connection in step 3 requires waiting for the query result in step 7, and the completion of the query in step 7 requires waiting for the connection in step 3 to be fully established.
|
||||
9. Good game!
|
||||
|
||||
解决方案:
|
||||
Solution:
|
||||
|
||||
- 改内置 DNS 服务器的分流。
|
||||
- 用 Hosts。
|
||||
- ~~如果你还是不知道解决方案,就别用这个功能了。~~
|
||||
- Adjust the split of internal DNS servers.
|
||||
- Use Hosts file.
|
||||
- ~~If you still don't know the solution, then don't use this feature.~~
|
||||
|
||||
Therefore, it is **not recommended** for inexperienced users to use this feature.
|
||||
|
||||
因此,**不建议** 经验不足的用户擅自使用此功能。
|
||||
:::
|
||||
|
||||
> `dialerProxy`: ""
|
||||
|
||||
一个出站代理的标识。当值不为空时,将使用指定的 outbound 发出连接。 此选项可用于支持底层传输方式的链式转发。
|
||||
An identifier for an outbound proxy. When the value is not empty, the specified outbound will be used to establish the connection. This option can be used to support chain forwarding of underlying transport protocols.
|
||||
|
||||
::: danger
|
||||
此选项与 ProxySettingsObject.Tag 不兼容
|
||||
This option is incompatible with ProxySettingsObject.Tag
|
||||
:::
|
||||
|
||||
> `acceptProxyProtocol`: true | false
|
||||
|
||||
仅用于 inbound,指示是否接收 PROXY protocol。
|
||||
Only used for inbound, indicates whether to accept the PROXY protocol.
|
||||
|
||||
[PROXY protocol](https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 专用于传递请求的真实来源 IP 和端口,**若你不了解它,请先忽略该项**。
|
||||
[PROXY protocol](https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) is used to pass the true source IP and port of a request. **If you are not familiar with it, please ignore this option first**.
|
||||
|
||||
常见的反代软件(如 HAProxy、Nginx)都可以配置发送它,VLESS fallbacks xver 也可以发送它。
|
||||
Common reverse proxy software (such as HAProxy, Nginx) can be configured to send it, and VLESS fallbacks xver can also send it.
|
||||
|
||||
填写 `true` 时,最底层 TCP 连接建立后,请求方必须先发送 PROXY protocol v1 或 v2,否则连接会被关闭。
|
||||
When set to `true`, after the lowest-level TCP connection is established, the requesting party must first send PROXY protocol v1 or v2, otherwise the connection will be closed.
|
||||
|
||||
> `tcpKeepAliveInterval`: number
|
||||
|
||||
TCP 保持活跃的数据包发送间隔,单位为秒。~~该设置仅适用于 Linux 下。~~
|
||||
Interval between TCP keep-alive packets, in seconds. ~~This setting only applies to Linux.~~
|
||||
|
||||
不配置此项或配置为 0 表示使用 Go 默认值。
|
||||
Not configuring this item or configuring it as 0 means using the default value of Go.
|
||||
|
||||
::: tip
|
||||
填负数时,如 `-1`,不启用 TCP 保持活跃。
|
||||
When filling in a negative number, such as `-1`, TCP keep-alive is not enabled.
|
||||
:::
|
||||
|
||||
> `tcpcongestion`: ""
|
||||
|
||||
TCP 拥塞控制算法。仅支持 Linux。
|
||||
不配置此项表示使用系统默认值。
|
||||
TCP congestion control algorithm. Only supported by Linux. Not configuring this item means using the system default value.
|
||||
|
||||
::: tip 常见的算法
|
||||
::: tip
|
||||
Common algorithms
|
||||
|
||||
- bbr(推荐)
|
||||
- bbr (recommended)
|
||||
- cubic
|
||||
- reno
|
||||
|
||||
:::
|
||||
|
||||
::: tip
|
||||
执行命令 `sysctl net.ipv4.tcp_congestion_control` 获取系统默认值。
|
||||
Execute the command `sysctl net.ipv4.tcp_congestion_control` to get the system default value.
|
||||
:::
|
||||
|
||||
> `interface`: ""
|
||||
|
||||
指定绑定出口网卡名称 仅支持 linux。
|
||||
Specifies the name of the bound outbound network interface. Only supported by Linux.
|
||||
|
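Review bot: Two references are lost in translation: the RFC 7413 section 5.1 link on the inbound TFO pending-request limit and the v2ray-core issue 1909 link in the `domainStrategy` background both appear in the removed lines but not in the English ones. Restore them. In addition, `CAP\_NET\_ADMIN` keeps its backslashes inside a code span, where they render literally; `::: tip 常见的算法` becomes a bare `::: tip` with "Common algorithms" as body text instead of the container title; and "Adjust the split of internal DNS servers" should use "built-in DNS server" as the rest of the hunk does.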