teasiu/xray
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
teasiu
2026-04-14 01:22:25 +08:00
commit 8d6e2e3107
1 changed files with 365 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

365
xray-reality-部署指南.md Normal file
View File

@@ -0,0 +1,365 @@
# Xray + Reality 完整部署指南
## 原理说明
```
客户端 ──VLESS+Reality──▶ 服务端:8443 ──▶ 回落/转发
```
Reality 借用真实网站的 TLS 证书指纹(如 www.cloudflare.com**无需自己申请证书**,抗探测能力极强。由于 Reality 不依赖 80/443 端口,可使用 **8443** 等其他端口,不影响服务器上已有的其他服务(如 frps
---
## 一、服务端部署
### 1. 安装 Xray
```bash
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
# 验证安装
xray version
```
### 2. 生成 Reality 密钥对
```bash
xray x25519
```
输出示例:
```
Private key: gEtA7x0Y_bcoHLj436Ock4i4Ji-Y3vpd74ba0R5hx3s
Public key: W-Y1cF1b1fvSKzBz61mV8OC1sPaIxEChlTUqOePnkWc
```
> 私钥只放服务端,公钥填写到客户端。
### 3. 生成 UUID
```bash
xray uuid
```
### 4. 生成 shortId
```bash
openssl rand -hex 8
```
shortId 为 2-16 位十六进制字符串,位数越长越安全,建议 16 位。
### 5. 服务端配置文件
路径:`/usr/local/etc/xray/config.json`
```json
{
"log": {
"loglevel": "warning",
"access": "/var/log/xray/access.log",
"error": "/var/log/xray/error.log"
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 8443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "你的UUID",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"dest": "www.cloudflare.com:443",
"xver": 0,
"serverNames": [
"www.cloudflare.com"
],
"privateKey": "你的私钥",
"shortIds": [
"你的shortId"
]
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls", "quic"]
}
}
],
"outbounds": [
{ "protocol": "freedom", "tag": "direct" },
{ "protocol": "blackhole", "tag": "block" }
],
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"ip": ["geoip:private"],
"outboundTag": "block"
}
]
}
}
```
**dest 目标站点选择建议:**
- `www.cloudflare.com:443` ✅ 推荐
- `addons.mozilla.org:443` ✅ 推荐(国内未被封)
- `www.amazon.com:443` ✅ 可用
### 6. 创建日志目录
```bash
mkdir -p /var/log/xray
chmod 755 /var/log/xray
```
### 7. 验证配置并启动
```bash
# 验证配置语法
xray -test -c /usr/local/etc/xray/config.json
# 启动并设置开机自启
systemctl enable xray
systemctl start xray
systemctl status xray
# 确认端口监听
ss -tlnp | grep 8443
```
### 8. 开放防火墙端口
```bash
# UFW
ufw allow 8443/tcp
ufw reload
ufw status | grep 8443
# iptablesOracle Cloud 必须执行)
iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
apt install iptables-persistent -y
netfilter-persistent save
```
---
## 二、云服务商安全组配置
**如果 tcpdump 抓不到包,必须在云控制台配置安全组。**
```bash
# 验证包是否到达服务器(客户端连接时观察)
tcpdump -i any port 8443 -n
```
| 云服务商 | 操作位置 |
|---------|---------|
| 阿里云 | 安全组 → 入方向规则 |
| 腾讯云 | 安全组 → 入站规则 |
| AWS | Security Groups → Inbound Rules |
| **Oracle Cloud** | 网络 → VCN → 安全列表 → 添加入站规则(**必须**,且需同时配置本地 iptables |
| Vultr / Hetzner | 一般无需配置ufw 放行即可 |
Oracle Cloud 安全列表入站规则填写:
- 源 CIDR`0.0.0.0/0`IPv6 填 `::/0`
- IP 协议TCP
- 目标端口:`8443`
---
## 三、客户端配置
### 支持 Reality 的客户端
| 客户端 | 支持 Reality | 说明 |
|--------|------------|------|
| Xray-core | ✅ | 首选 |
| sing-box | ✅ | 支持完善 |
| clash-meta (mihomo) | ✅ | 支持 |
| Passwall (OpenWrt) | ✅ | 内置 Xray-core |
| v2ray-core | ❌ | 不支持 |
> **注意:** Reality 客户端必须使用 Xray-core 或其他明确支持 Reality 的内核v2ray 不可用。
### Passwall (OpenWrt) 配置参数
确认 Xray-core 版本 >= 1.8.0
```bash
xray version
```
节点配置填写:
| 参数 | 值 |
|------|----|
| 类型 | Xray |
| 协议 | VLESS |
| 地址 | 服务器 IP |
| 端口 | 8443 |
| UUID | 你的 UUID |
| Flow | xtls-rprx-vision |
| 传输协议 | TCP |
| TLS | Reality |
| SNI | www.cloudflare.com |
| Fingerprint | chrome |
| PublicKey | 你的公钥 |
| ShortId | 你的 shortId |
### Linux 客户端 JSON 配置
安装 Xray
```bash
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
```
配置文件:
```json
{
"log": { "loglevel": "warning" },
"inbounds": [
{
"listen": "127.0.0.1",
"port": 10808,
"protocol": "socks",
"settings": { "udp": true }
},
{
"listen": "127.0.0.1",
"port": 10809,
"protocol": "http"
}
],
"outbounds": [
{
"tag": "proxy",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "服务器IP",
"port": 8443,
"users": [
{
"id": "你的UUID",
"flow": "xtls-rprx-vision",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"fingerprint": "chrome",
"serverName": "www.cloudflare.com",
"publicKey": "你的公钥",
"shortId": "你的shortId",
"spiderX": "/"
}
}
},
{ "tag": "direct", "protocol": "freedom" },
{ "tag": "block", "protocol": "blackhole" }
],
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{ "type": "field", "ip": ["geoip:private"], "outboundTag": "direct" },
{ "type": "field", "domain": ["geosite:cn"], "outboundTag": "direct" },
{ "type": "field", "ip": ["geoip:cn"], "outboundTag": "direct" }
]
}
}
```
启动:
```bash
xray run -c /path/to/client_config.json
```
---
## 四、生成分享链接
```
vless://UUID@服务器IP:8443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=www.cloudflare.com&fp=chrome&pbk=公钥&sid=shortId&spx=%2F&type=tcp#节点名称
```
IPv6 地址需用方括号包裹:
```
vless://UUID@[IPv6地址]:8443?...
```
---
## 五、常用排查命令
```bash
# 查看服务状态
systemctl status xray
# 查看实时日志
journalctl -u xray -f
# 检查端口监听
ss -tlnp | grep 8443
# 抓包验证流量是否到达
tcpdump -i any port 8443 -n
# 验证配置文件
xray -test -c /usr/local/etc/xray/config.json
# 查看错误日志
cat /var/log/xray/error.log
# 测试 dest 目标可达
curl -I https://www.cloudflare.com
# 本地测试端口连通(在客户端执行)
nc -zv 服务器IP 8443
```
---
## 六、注意事项
| 事项 | 说明 |
|------|------|
| **私钥保密** | privateKey 只放服务端,客户端只填 publicKey |
| **flow 双端一致** | 服务端客户端都必须设置 `xtls-rprx-vision` |
| **端口选择** | 建议使用 443 / 8443 等常见 HTTPS 端口 |
| **低调使用** | 不要分享节点给太多人,避免 IP 被标记 |
| **IP 被封** | 换 IP 即可,服务端配置不需要改动 |
| **Oracle Cloud** | 必须同时配置控制台安全列表 + 本地 iptables |
| **IPv6 优势** | IPv6 被封概率远低于 IPv4可作为备用节点 |
---
## 七、备份信息模板
```
服务器 IP
端口8443
UUID
PrivateKey
PublicKey
ShortId
destwww.cloudflare.com:443
```