xray/xray-reality-部署指南.md
2026-04-14 01:22:25 +08:00
# Xray + Reality Complete Deployment Guide
## How it works
```
Client ──VLESS+Reality──▶ Server:8443 ──▶ fallback / forward
```
Reality borrows the TLS certificate fingerprint of a real website (for example www.cloudflare.com), so **no certificate of your own is needed**, and it is highly resistant to active probing. Because Reality does not depend on ports 80/443, you can use another port such as **8443** without affecting services already running on the server (such as frps).
---
## I. Server deployment
### 1. Install Xray
```bash
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
# Verify the installation
xray version
```
### 2. Generate the Reality key pair
```bash
xray x25519
```
Example output:
```
Private key: gEtA7x0Y_bcoHLj436Ock4i4Ji-Y3vpd74ba0R5hx3s
Public key: W-Y1cF1b1fvSKzBz61mV8OC1sPaIxEChlTUqOePnkWc
```
> The private key goes only on the server; the public key is entered on the client.
### 3. Generate a UUID
```bash
xray uuid
```
### 4. Generate a shortId
```bash
openssl rand -hex 8
```
The shortId is a hexadecimal string of 2 to 16 characters; the longer it is, the safer, and 16 characters are recommended.
### 5. Server configuration file
Path: `/usr/local/etc/xray/config.json`
```json
{
  "log": {
    "loglevel": "warning",
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log"
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 8443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "YOUR_UUID",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.cloudflare.com:443",
          "xver": 0,
          "serverNames": [
            "www.cloudflare.com"
          ],
          "privateKey": "YOUR_PRIVATE_KEY",
          "shortIds": [
            "YOUR_SHORT_ID"
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"]
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "block"
      }
    ]
  }
}
```
**Suggested dest target sites:**
- `www.cloudflare.com:443` ✅ recommended
- `addons.mozilla.org:443` ✅ recommended (not blocked in mainland China)
- `www.amazon.com:443` ✅ usable
### 6. Create the log directory
```bash
mkdir -p /var/log/xray
chmod 755 /var/log/xray
```
### 7. Validate the configuration and start the service
```bash
# Validate the configuration syntax
xray -test -c /usr/local/etc/xray/config.json
# Start the service and enable it at boot
systemctl enable xray
systemctl start xray
systemctl status xray
# Confirm the port is listening
ss -tlnp | grep 8443
```
### 8. Open the firewall port
```bash
# UFW
ufw allow 8443/tcp
ufw reload
ufw status | grep 8443
# iptables (mandatory on Oracle Cloud)
iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
apt install iptables-persistent -y
netfilter-persistent save
```
---
## II. Cloud provider security group configuration
**If tcpdump captures no packets, the security group must be configured in the cloud console.**
```bash
# Verify that packets reach the server (watch while the client connects)
tcpdump -i any port 8443 -n
```
| Cloud provider | Where to configure |
|---------|---------|
| Alibaba Cloud | Security Group → Inbound rules |
| Tencent Cloud | Security Group → Inbound rules |
| AWS | Security Groups → Inbound Rules |
| **Oracle Cloud** | Networking → VCN → Security Lists → Add ingress rule (**mandatory**, and local iptables must be configured as well) |
| Vultr / Hetzner | Usually nothing to configure; allowing the port in ufw is enough |
Oracle Cloud security list ingress rule values:
- Source CIDR: `0.0.0.0/0` (use `::/0` for IPv6)
- IP protocol: TCP
- Destination port: `8443`
---
## III. Client configuration
### Clients that support Reality
| Client | Reality support | Notes |
|--------|------------|------|
| Xray-core | ✅ | Preferred |
| sing-box | ✅ | Well supported |
| clash-meta (mihomo) | ✅ | Supported |
| Passwall (OpenWrt) | ✅ | Bundles Xray-core |
| v2ray-core | ❌ | Not supported |
> **Note:** A Reality client must use Xray-core or another core that explicitly supports Reality; v2ray will not work.
### Passwall (OpenWrt) configuration parameters
Confirm that the Xray-core version is >= 1.8.0:
```bash
xray version
```
Node settings:
| Parameter | Value |
|------|----|
| Type | Xray |
| Protocol | VLESS |
| Address | server IP |
| Port | 8443 |
| UUID | your UUID |
| Flow | xtls-rprx-vision |
| Transport | TCP |
| TLS | Reality |
| SNI | www.cloudflare.com |
| Fingerprint | chrome |
| PublicKey | your public key |
| ShortId | your shortId |
### Linux client JSON configuration
Install Xray:
```bash
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
```
Configuration file:
```json
{
  "log": { "loglevel": "warning" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 10808,
      "protocol": "socks",
      "settings": { "udp": true }
    },
    {
      "listen": "127.0.0.1",
      "port": 10809,
      "protocol": "http"
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "SERVER_IP",
            "port": 8443,
            "users": [
              {
                "id": "YOUR_UUID",
                "flow": "xtls-rprx-vision",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "fingerprint": "chrome",
          "serverName": "www.cloudflare.com",
          "publicKey": "YOUR_PUBLIC_KEY",
          "shortId": "YOUR_SHORT_ID",
          "spiderX": "/"
        }
      }
    },
    { "tag": "direct", "protocol": "freedom" },
    { "tag": "block", "protocol": "blackhole" }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      { "type": "field", "ip": ["geoip:private"], "outboundTag": "direct" },
      { "type": "field", "domain": ["geosite:cn"], "outboundTag": "direct" },
      { "type": "field", "ip": ["geoip:cn"], "outboundTag": "direct" }
    ]
  }
}
```
Start it:
```bash
xray run -c /path/to/client_config.json
```
---
## IV. Generating a share link
```
vless://UUID@SERVER_IP:8443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=www.cloudflare.com&fp=chrome&pbk=PUBLIC_KEY&sid=SHORT_ID&spx=%2F&type=tcp#NODE_NAME
```
IPv6 addresses must be wrapped in square brackets:
```
vless://UUID@[IPV6_ADDRESS]:8443?...
```
---
## V. Common troubleshooting commands
```bash
# Check the service status
systemctl status xray
# Follow the live log
journalctl -u xray -f
# Check that the port is listening
ss -tlnp | grep 8443
# Capture packets to verify traffic arrives
tcpdump -i any port 8443 -n
# Validate the configuration file
xray -test -c /usr/local/etc/xray/config.json
# Read the error log
cat /var/log/xray/error.log
# Verify the dest target is reachable
curl -I https://www.cloudflare.com
# Test port connectivity (run on the client)
nc -zv SERVER_IP 8443
```
---
## VI. Notes
| Item | Description |
|------|------|
| **Keep the private key secret** | privateKey goes only on the server; the client only gets publicKey |
| **flow identical on both ends** | Both server and client must set `xtls-rprx-vision` |
| **Port choice** | Prefer common HTTPS ports such as 443 / 8443 |
| **Keep a low profile** | Do not share the node with too many people, to avoid the IP being flagged |
| **IP blocked** | Just switch to a new IP; the server configuration needs no changes |
| **Oracle Cloud** | Both the console security list and local iptables must be configured |
| **IPv6 advantage** | IPv6 is far less likely to be blocked than IPv4 and can serve as a backup node |
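As an added example (not part of this guide or of the Xray project), the following Python checks a server and a client config against the rules of this table (flow identical on both ends, the client's shortId and SNI present in the server's lists, the private key only on the server, shortId 2 to 16 hex characters) and builds the share link of section IV, bracketing IPv6 addresses. The embedded configs, key strings and IPv6 address are constructed placeholders.

```python
import re
from urllib.parse import quote, urlencode
# Constructed sample values shaped like this guide's server and client JSON
# (placeholder keys, documentation IPv6 address; not a real deployment).
UUID = "11111111-2222-4333-8444-555555555555"
SERVER = {"inbounds": [{"port": 8443, "protocol": "vless",
    "settings": {"clients": [{"id": UUID, "flow": "xtls-rprx-vision"}]},
    "streamSettings": {"security": "reality", "realitySettings": {
        "serverNames": ["www.cloudflare.com"], "shortIds": ["0123456789abcdef"],
        "privateKey": "PRIVATE_KEY_PLACEHOLDER"}}}]}
CLIENT = {"outbounds": [{"protocol": "vless", "settings": {"vnext": [{
    "address": "2001:db8::1", "port": 8443,
    "users": [{"id": UUID, "flow": "xtls-rprx-vision", "encryption": "none"}]}]},
    "streamSettings": {"security": "reality", "realitySettings": {
        "fingerprint": "chrome", "serverName": "www.cloudflare.com", "spiderX": "/",
        "publicKey": "PUBLIC_KEY_PLACEHOLDER", "shortId": "0123456789abcdef"}}}]}
SHORT_ID_RE = re.compile(r"^[0-9a-f]{2,16}$")  # 2-16 hex chars, as in section I.4

def vless_parts(client):
    """Return (vnext entry, first user, realitySettings) of the vless outbound."""
    ob = next(o for o in client["outbounds"] if o["protocol"] == "vless")
    vn = ob["settings"]["vnext"][0]
    return vn, vn["users"][0], ob["streamSettings"]["realitySettings"]

def check_pair(server, client):
    """List the mismatches between a server and a client config; [] means OK."""
    inb = next(i for i in server["inbounds"] if i["protocol"] == "vless")
    srv_user, srv_rs = inb["settings"]["clients"][0], inb["streamSettings"]["realitySettings"]
    vn, user, rs = vless_parts(client)
    checks = [
        (user["id"] == srv_user["id"], "UUID mismatch"),
        (user.get("flow") == srv_user.get("flow"), "flow must be identical on both ends"),
        (rs["serverName"] in srv_rs["serverNames"], "client SNI not in server serverNames"),
        (rs["shortId"] in srv_rs["shortIds"], "client shortId not in server shortIds"),
        (all(SHORT_ID_RE.match(s) for s in srv_rs["shortIds"]), "shortId must be 2-16 hex chars"),
        ("privateKey" not in rs, "privateKey must only exist on the server"),
    ]
    return [msg for ok, msg in checks if not ok]

def share_link(client, name="node"):
    """Build the vless:// link of section IV; IPv6 literals are bracketed."""
    vn, user, rs = vless_parts(client)
    host = vn["address"]
    if ":" in host:  # only IPv6 literals contain colons
        host = f"[{host}]"
    q = urlencode({"encryption": "none", "flow": user["flow"], "security": "reality",
                   "sni": rs["serverName"], "fp": rs["fingerprint"], "pbk": rs["publicKey"],
                   "sid": rs["shortId"], "spx": rs.get("spiderX", "/"), "type": "tcp"})
    return f"vless://{user['id']}@{host}:{vn['port']}?{q}#{quote(name)}"
```

Run `check_pair` on the real server and client JSON (loaded with `json.load`) before handing out a link; an empty list means the two sides agree.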
---
## VII. Backup information template
```
Server IP:
Port: 8443
UUID:
PrivateKey:
PublicKey:
ShortId:
dest: www.cloudflare.com:443
```