Vless-TCP-XTLS-Vision节点搭建

xtls-rprx-vision流控终极配置，有效解决TLS包长的问题，利用多重回落达到高效的伪装，配合客户端模拟指纹安全稳定

更新软件源及安装组件

apt update && apt upgrade -y
apt install socat -y

安装Xray

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

修改Xray配置信息

文件位置：/usr/local/etc/xray/config.json

{
    "log": {
        "loglevel": "warning"
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:cn",
                    "geoip:private"
                ],
                "outboundTag": "block"
            }
        ]
    },
    "inbounds": [
        {
            "port": 443,   //端口
            "protocol": "vless",  //协议类型
            "settings": {
                "clients": [
                    {
                        "id": "uuid",  //替换为你的uuid
                        "flow": "xtls-rprx-vision"   //流控
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": 10010,   //Trojan协议的分流端口
                        "xver": 1
                    },
                    {
                        "path": "/vlessws",    //vless+ws的分流路径
                        "dest": 10011,      //分流端口
                        "xver": 1
                    },
                    {
                        "path": "/vmessws",   //vmess+ws的分流路径
                        "dest": 10012,    //分流端口
                        "xver": 1
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "rejectUnknownSni": true,   //服务端接收到的 SNI 与证书域名不匹配即拒绝 TLS 握手
                    "fingerprint": "chrome",    //TLS指纹伪装，伪装为chrome浏览器指纹
                    "allowInsecure": false,   //不允许不安全连接（仅用于客户端）
                    "alpn": [
                        "http/1.1","h2"
                    ],
                    "certificates": [
                        {
                            "ocspStapling": 3600,   //OCSP 装订更新，与证书热重载的时间间隔
                            "certificateFile": "/etc/ssl/private/cert.crt",   //证书位置，绝对路径
                            "keyFile": "/etc/ssl/private/private.key"   //私钥位置，绝对路径
                        }
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            }
        },
        {
            "port": 10010,   //trojan节点的分流端口
            "listen": "127.0.0.1",
            "protocol": "trojan",
            "settings": {
                "clients": [
                    {
                        "password": "pass"  //替换为你的密码
                    }
                ],
                "fallbacks": [
                    {
                        "alpn": "h2",  //h2回落
                        "dest": 81,   //h2回落端口
                        "xver": 1
                    },
                    {
                       "dest": 82,  //http/1.1回落端口
                       "xver": 1
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "none",
                "tcpSettings": {
                    "acceptProxyProtocol": true
                }
            }
        },
        {
            "port": 10011,   //vless+ws节点的分流端口
            "listen": "127.0.0.1",
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "uuid"   //替换为你的uuid
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "ws",
                "security": "none",
                "wsSettings": {
                    "acceptProxyProtocol": true,   //若使用Nginx/Caddy等反代WS，需要删掉这行
                    "path": "/vlessws"   //ws的路径，需要和分流的一致
                }
            }
        },
        {
            "port": 10012,   //vmess+ws节点的分流端口
            "listen": "127.0.0.1",
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": "uuid"   //替换为你的uuid
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "security": "none",
                "wsSettings": {
                    "acceptProxyProtocol": true,   //若使用Nginx/Caddy等反代WS，需要删掉这行
                    "path": "/vmessws"   //ws的路径，需要和分流的一致
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "tag": "block"
        }
    ]
}

修改Xray开机自启配置信息

文件位置：/etc/systemd/system/xray.service

[Unit]
Description=Xray Service
Documentation=https://github.com/xtls
After=network.target nss-lookup.target

[Service]
User=root
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/usr/local/bin/xray run -config /usr/local/etc/xray/config.json
Restart=on-failure
RestartPreventExitStatus=23
LimitNPROC=10000
LimitNOFILE=1000000

[Install]
WantedBy=multi-user.target

申请安装SSL证书

curl https://get.acme.sh | sh
ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh
acme.sh --set-default-ca --server letsencrypt
acme.sh --issue -d 你的域名 --standalone -k ec-256 --webroot /home/wwwroot/html
acme.sh --install-cert -d 你的域名 --ecc --key-file /etc/ssl/private/private.key --fullchain-file /etc/ssl/private/cert.crt

安装Nginx

apt install nginx -y

修改Nginx配置信息

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$host$request_uri;    #HTTP自动跳转HTTPS
    }

    server {
        listen 127.0.0.1:82 proxy_protocol default_server;
        listen 127.0.0.1:81 http2 proxy_protocol default_server;
        set_real_ip_from 127.0.0.1;
        real_ip_header proxy_protocol;
        server_name _;
        return 404;
    }     #限定域名访问，返回404

    server {
        server_name your-domain-name.com; #你的域名
        listen 127.0.0.1:82 proxy_protocol; #HTTP/1.1本地监听端口
        listen 127.0.0.1:81 http2 proxy_protocol; #H2本地监听端口
        set_real_ip_from 127.0.0.1;
        real_ip_header proxy_protocol;

        location / {
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #启用HSTS
            proxy_pass https://www.bing.com; #伪装网址
            proxy_ssl_server_name on;
            proxy_redirect off;
            sub_filter_once off;
            sub_filter "www.bing.com" $server_name; #伪装网址
            proxy_set_header Host "www.bing.com"; #伪装网址
            proxy_set_header Referer $http_referer;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Accept-Encoding "";
            proxy_set_header Accept-Language "zh-CN";
        }
    }
}

重新加载服务

重新加载守护进程

systemctl daemon-reload

重启xray服务查看启动状态

systemctl restart xray
systemctl status xray

重启Nginx服务查看启动状态

systemctl reload nginx
systemctl status nginx