- your.domain.com → 你的主域名(建议开启CDN)
- reality.a.com → 你的 Reality 伪装域名

⚠️ 重要:复制使用前,请删除所有 // 后面的注释,否则配置会报错!
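// Xray server configuration (JSON with // comments).
// The note above this listing says to delete every // comment before use.
// "uuid", "PrivateKey", "yourShortIds" and the key material inside "decryption" are
// placeholders. The generated values are secrets: keep them on the server only.
{
  "log": {
    // NOTE(review): the access log presumably records client connections;
    // restrict read access to these files and rotate them.
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log",
    "loglevel": "warning"
  },
  "dns": {
    "queryStrategy": "UseIP",
    "servers": [
      {
        "address": "https://dns.google/dns-query",
        "skipFallback": false
      },
      {
        "address": "1.1.1.1",
        "skipFallback": true
      }
    ]
  },
  "inbounds": [
    {
      // VLESS over XHTTP. Bound to loopback, so it is reachable only through the
      // nginx location that proxies "/xhttp-path" to 127.0.0.1:10001.
      "listen": "127.0.0.1",
      "port": 10001,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "email": "user@example.com",
            "flow": "xtls-rprx-vision",
            "id": "uuid", // generate with "xray uuid"; this value is the client credential
            "level": 0
          }
        ],
        // Run "xray x25519" for X25519-PrivateKey and "xray mlkem768" for ML-KEM-768-Seed.
        // Format, as given in the key-generation notes on this page:
        //   mlkem768x25519plus.native.600s.PrivateKey.Seed
        // There is no trailing dot after the seed; the earlier placeholder ended in "."
        // and did not match that format.
        "decryption": "mlkem768x25519plus.native.600s.X25519-PrivateKey.ML-KEM-768-Seed"
      },
      "streamSettings": {
        "network": "xhttp",
        "xhttpSettings": {
          // NOTE(review): an empty host presumably disables Host matching on this inbound;
          // consider setting it to your.domain.com. Confirm against the Xray documentation.
          "host": "",
          "mode": "auto", // the author recommends "auto" for compatibility with all 3 modes
          "path": "/xhttp-path" // must match the nginx location path
        }
      }
    },
    {
      // VLESS over TCP with Reality. Bound to loopback; the nginx stream block forwards
      // connections whose SNI is reality.a.com to 127.0.0.1:10002.
      "listen": "127.0.0.1",
      "port": 10002,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "flow": "xtls-rprx-vision",
            // Generate with "xray uuid"; the author notes the UUID above may be reused.
            // A separate UUID per inbound lets each one be revoked on its own.
            "id": "uuid"
          }
        ],
        "decryption": "none"
      },
      "sniffing": {
        "destOverride": [
          "http",
          "tls",
          "quic"
        ],
        "enabled": true,
        "routeOnly": true
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "dest": "reality.a.com:443", // fill in your camouflage domain
          "privateKey": "PrivateKey", // generate with "xray x25519"; server-side secret
          "serverNames": [
            "reality.a.com"
          ],
          "shortIds": [
            "yourShortIds" // generate with "openssl rand -hex 8"
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      // Listed first, so traffic that matches no routing rule leaves through it.
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        // Refuse private and loopback destinations, so a client cannot use the proxy to
        // reach services bound to this host (including the loopback-only inbounds above)
        // or to its internal network. Keep this rule if you edit the list.
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "block",
        "type": "field"
      },
      {
        "ip": [
          "geoip:cn"
        ],
        "outboundTag": "block",
        "type": "field"
      },
      {
        "domain": [
          "geosite:category-ads-all"
        ],
        "outboundTag": "block",
        "type": "field"
      }
    ]
  }
}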
在服务器执行
生成 UUID:
xray uuid
生成 VLESSENC配置 详细配置见VLESSENC发布页面
先执行 xray x25519 获取 PrivateKey 和 Password (PublicKey)
再执行 xray mlkem768 获取 Seed 和 Client
(PrivateKey 和 Seed 只填入服务端配置并妥善保管;Password 和 Client 填入客户端配置)
服务端 "decryption": "mlkem768x25519plus.native.600s.PrivateKey.Seed"
客户端 "encryption": "mlkem768x25519plus.native.0rtt.Password.Client"
生成 Reality 密钥:
xray x25519
生成 shortId:
openssl rand -hex 8
✅ nginx 支持
# 开头的内容为注释,不需要删除注释内容
# Process-level settings
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
worker_processes auto;   # let nginx choose the worker count

# Included before the events/stream/http blocks that follow.
# NOTE(review): presumably the distribution's dynamic-module snippets; the stream
# block below needs the stream and ssl_preread modules to be available.
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}
# SNI-based routing on the public port 443.
# The server name is read from the TLS ClientHello (ssl_preread) without terminating
# TLS here; the chosen backend performs the handshake itself.
#
# Every backend sees the connection as coming from loopback, because this block does
# not pass the client address on. To keep real client IPs for logging, PROXY protocol
# (`proxy_protocol on;` here) would be needed, and both backends would then have to be
# configured to accept the PROXY header.
#
# NOTE(review): only IPv4 port 443 is listened on here, while the port-80 server on
# this page also listens on [::]:80; confirm whether IPv6 on 443 is intended.
stream {
    # Backends
    upstream web_xray {
        server 127.0.0.1:10000;   # web_xray port (the nginx HTTPS server)
    }
    upstream reality {
        server 127.0.0.1:10002;   # Reality port (xray inbound)
    }
    upstream drop {
        server 0.0.0.0:1;         # discard the connection
    }

    # SNI -> backend name; any other or missing SNI is dropped
    map $ssl_preread_server_name $backend {
        default          drop;
        your.domain.com  web_xray;   # fill in your domain
        reality.a.com    reality;    # Reality camouflage domain
    }

    server {
        ssl_preread on;
        listen 443 reuseport;        # listen on TCP 443
        proxy_pass $backend;
    }
}
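# Main HTTP and HTTPS configuration
http {
    # Basic settings
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_tokens off;   # do not advertise the nginx version

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    # 1. Plain-HTTP site
    server {
        listen 80;
        listen [::]:80;
        server_name your.domain.com;   # fill in your domain

        # Force HTTPS. Redirect to the configured name, not to $host: this is the only
        # port-80 server, so it also answers requests carrying any other Host header,
        # and $host would copy that client-supplied value into the Location header.
        return 301 https://$server_name$request_uri;
    }

    # 2. HTTPS site for the domain.
    # Listens on loopback only; the stream block forwards port 443 traffic here by SNI.
    # As a result $remote_addr in this server is the loopback address, not the client:
    # the access log and the X-Real-IP / X-Forwarded-For headers below carry no real
    # client IP unless PROXY protocol is enabled in the stream block and accepted here
    # (`proxy_protocol` on the listen lines plus the realip directives).
    server {
        listen 127.0.0.1:10000 ssl http2;
        listen [::1]:10000 ssl http2;
        server_name your.domain.com;   # fill in your domain

        # Path to your certificate
        ssl_certificate /home/admin/cert/domain.crt;
        # Path to your certificate's private key; keep this file readable only by its
        # owner, since it sits under a user home directory.
        ssl_certificate_key /home/admin/cert/domain.key;

        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;
        ssl_session_tickets off;

        # X25519: the current mainstream ECDH curve, secure and fast.
        # X25519MLKEM768: post-quantum hybrid key exchange; needs a recent OpenSSL / nginx.
        ssl_ecdh_curve X25519MLKEM768:X25519;
        # If your environment does not support ML-KEM, you can fall back to:
        #ssl_conf_command Groups X25519;
        # secp256r1 / secp384r1: good compatibility, but somewhat debated across
        # security models and implementations. Add them only if old clients must be
        # supported; otherwise keeping X25519 alone is recommended.
        #ssl_ecdh_curve X25519MLKEM768:X25519:secp256r1:secp384r1;

        root /home/admin/webpage;   # path to your web page files
        index index.html;

        # 3. xray section
        # Two variants follow. The first supports only the xhttp packet-up mode;
        # the second supports all xhttp modes.
        # Keep exactly one and delete the other: nginx rejects a configuration that
        # contains two identical `location /xhttp-path` blocks.

        # vless-xhttp example 1
        location /xhttp-path {
            proxy_pass http://127.0.0.1:10001;   # address and port xray listens on
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }

        # vless-xhttp example 2
        location /xhttp-path {
            grpc_buffer_size 16k;
            grpc_connect_timeout 60s;
            grpc_read_timeout 3600s;
            grpc_send_timeout 3600s;
            grpc_socket_keepalive on;
            grpc_pass grpc://127.0.0.1:10001;   # address and port xray listens on
            grpc_set_header Host $host;
            grpc_set_header X-Real-IP $remote_addr;
            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            client_max_body_size 0;   # removes the request-body size limit for this path only
            proxy_redirect off;       # proxy_* directive; has no effect with grpc_pass
        }

        # Every other path: try a static file, otherwise return the main page
        location / {
            try_files $uri $uri/ /index.html;
        }
    }
}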
数据包发往服务器443端口----->nginx监听443端口
|
|
sni是否为reality伪装域名or你的域名-----否---->丢弃数据包
| |
| |
转发本地10002端口<-reality伪装域名 你的域名
交由xray处理流量 |
|
转发本地10000端口
|
|
返回index.html<---否------是否为xhttp设定路径"/xhttp-path"
|
是
|
|
转发至本地10001端口
交由xray处理流量
“如有错误或改进建议,欢迎指正,本配置已在个人环境中测试可用。” ✅
This project is for educational and research purposes only.
Users must comply with all applicable laws and regulations in their respective jurisdictions when using this project. The author is not responsible for any misuse or illegal activities.
Do not use this project for any unlawful purposes.
This project does not provide, promote, or imply any specific usage scenarios. Users are solely responsible for how they use this project.