XrayR后端的TLS交给Nginx处理的配置

在之前我记录了一下xrayr后端节点的常用配置方法,在这种方法下,tls是直接由xrayr处理的,这样一来会有一些问题。

首先为了避免机器被墙,现在无一例外肯定是使用vmess+websocket+tls或者vless+xtls(xrayr是支持的)

但无论你使用上面提到的这两种方法的哪一种,都是非常依赖443端口的,如果让xrayr直接监听443的话,机器就不能再做其他事情了。比如用nginx或者caddy建站就不能https了。

用其他端口配置吧,又显得有点不伦不类。所以最好的办法是让nginx来处理tls,这样443端口就可以腾出来给nginx用了。

vless+xtls其实是目前更推荐的配置方法,但是目前v2board面板的订阅还不支持,所以下面我就用vmess+websocket+tls来演示一下配置。

首先在节点上安装需要用到的包:

apt -y update
apt -y install nginx python-certbot-nginx supervisor

启动服务并设置开机自启:

systemctl enable --now nginx supervisor

接着在v2board面板内添加一个websocket节点:

注意这里的连接端口和服务端口,连接端口配置为443,服务端口配置为4443。

连接端口就相当于是用户通过订阅连接配置在客户端上的端口,而服务端口是xrayr后端实际监听的端口。

另外别忘了配置path:

现在新建一个nginx站点配置文件:

nano /etc/nginx/conf.d/xrayr.conf

写入如下配置:

server {
    listen       80;
    server_name  rucn2.ohshit.club;

    location /sometimesnaive {
        proxy_pass                       http://127.0.0.1:4443;
        proxy_redirect                   off;
        proxy_http_version               1.1;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      "upgrade";
        proxy_set_header Host            $http_host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

剩下给nginx配置ssl证书的这些步骤全部交给certbot自动帮我们处理即可:

certbot --nginx

现在安装xrayr:

mkdir /opt/xrayr && cd /opt/xrayr
wget https://github.com/XrayR-project/XrayR/releases/download/v0.5.0/XrayR-linux-64.zip

编辑xrayr配置文件:

nano config.yml

改为如下配置,重要部分写了注释:

Log:
  Level: debug
  AccessPath: ./access.log
  ErrorPath: ./error.log
DnsConfigPath: ./dns.json
Nodes:
  -
    PanelType: "V2board"
    ApiConfig:
      ApiHost: "https://v2board.ohshit.club/"
      ApiKey: "imlalaimlalaimlala"
      NodeID: 4 // 对应v2board面板内的节点id
      NodeType: V2ray
      Timeout: 30
      EnableVless: false
      EnableXTLS: false
    ControllerConfig:
      ListenIP: 127.0.0.1 // 仅监听在本地
      UpdatePeriodic: 60
      EnableDNS: false
      CertConfig:
        CertMode: none // 关闭证书申请
        CertDomain: "rucn2.ohshit.club" 
        Provider: cloudflare 
        Email: example@lala.im
        DNSEnv: 
          CF_DNS_API_TOKEN: cwPZEBAvIXUcxCdy4v2ib5j8uK-KwnRMDuNPxE-n

新建supervisor配置文件用于守护xrayr:

nano /etc/supervisor/conf.d/xrayr.conf

写入如下配置:

[program:xrayr]
directory=/opt/xrayr
command=/opt/xrayr/XrayR -config config.yml
autostart=true
autorestart=true

启动xrayr:

supervisorctl update

至此配置就全部完成了。对接有任何问题,查看相应的日志文件有助于排错:

/opt/xrayr/access.log
/opt/xrayr/error.log

下面是我自己的配置:

server {
    server_name  s**.jjm6.com;

    location /allgood {
        proxy_pass                       http://127.0.0.1:14431;
        proxy_redirect                   off;
        proxy_http_version               1.1;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      "upgrade";
        proxy_set_header Host            $http_host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sgp.jjm6.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sgp.jjm6.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}server {
    if ($host = sgp.jjm6.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen       80;
    server_name  sgp.jjm6.com;
    return 404; # managed by Certbot


}

通过x-ui面板搭建实现vmess+ws+tls+web伪装单端口多用户合租。

节点搭建

#更新软件源
apt update
#启用 BBR TCP 拥塞控制算法
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p

#安装x-ui:
bash <(curl -Ls https://raw.githubusercontent.com/vaxilu/x-ui/master/install.sh)

#安装nginx
apt install nginx
#安装acme:
curl https://get.acme.sh | sh
#添加软链接:
ln -s  /root/.acme.sh/acme.sh /usr/local/bin/acme.sh
#切换CA机构: 
acme.sh --set-default-ca --server letsencrypt
#申请证书: 
acme.sh  --issue -d 你的域名 -k ec-256 --webroot  /var/www/html
#安装证书:
acme.sh --install-cert -d 你的域名 --ecc --key-file /etc/x-ui/server.key  --fullchain-file /etc/x-ui/server.crt --reloadcmd "systemctl force-reload nginx"

寻找适合的伪装站

http站点优先,个人网盘符合单节点大流量特征

示例关键字:intext:登录 Cloudreve

配置nginx

配置文件路径:/etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    gzip on;

    server {
        listen 443 ssl;
        
        server_name nicename.co;  #你的域名
        ssl_certificate       /etc/x-ui/server.crt;  #证书位置
        ssl_certificate_key   /etc/x-ui/server.key; #私钥位置
        
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;
        ssl_protocols    TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        location / {
            proxy_pass https://bing.com; #伪装网址
            proxy_redirect off;
            proxy_ssl_server_name on;
            sub_filter_once off;
            sub_filter "bing.com" $server_name;
            proxy_set_header Host "bing.com";
            proxy_set_header Referer $http_referer;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Accept-Encoding "";
            proxy_set_header Accept-Language "zh-CN";
        }


        location /ray {   #分流路径
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10000; #Xray端口
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        
        location /xui {   #xui路径
            proxy_redirect off;
            proxy_pass http://127.0.0.1:9999;  #xui监听端口
            proxy_http_version 1.1;
            proxy_set_header Host $host;
        }
    }

    server {
        listen 80;
        location /.well-known/ {
               root /var/www/html;
            }
        location / {
                rewrite ^(.*)$ https://$host$1 permanent;
            }
    }
}

每次修改nginx配置文件后必须使用 systemctl reload nginx 命令重新加载配置文件

多用户合租

通过修改nginx的配置文件实现ws path路径分流

location /ray {   #分流路径
    proxy_redirect off;
    proxy_pass http://127.0.0.1:10000; #Xray端口
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}