
一个IP绑定两个域名,如何实现两个VLESS(分用户使用) #1763

Closed ycsks closed 3 months ago

ycsks commented 1 year ago

============================================config.json {

"log": {
    "loglevel": "warning"
},
"routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
        {
            "type": "field",
            "ip": [
                "geoip:cn",
                "geoip:private"
            ],
            "outboundTag": "block"
        }
    ]
},
"inbounds": [
    {
        "port": 443,   //端口
        "protocol": "vless",  //协议类型
        "settings": {
            "clients": [
                {
                    "id": "08c82043-14e5-4ed8-be15-8c956cd89b0c",  //替换为你的uuid
                    "flow": "xtls-rprx-vision"   //流控
                }
            ],
            "decryption": "none",
            "fallbacks": [
                {
                    "dest": 10010,   //Trojan协议的分流端口
                    "xver": 1
                },
                {
                    "path": "/vlessws",    //vless+ws的分流路径
                    "dest": 10011,      //分流端口
                    "xver": 1
                },
                {
                    "path": "/vmessws",   //vmess+ws的分流路径
                    "dest": 10012,    //分流端口
                    "xver": 1
                }
            ]
        },
        "streamSettings": {
            "network": "tcp",
            "security": "tls",
            "tlsSettings": {
                "rejectUnknownSni": true,   //服务端接收到的 SNI 与证书域名不匹配即拒绝 TLS 握手
                "fingerprint": "chrome",    //TLS指纹伪装,伪装为chrome浏览器指纹
                "allowInsecure": false,   //不允许不安全连接(仅用于客户端)
                "alpn": [
                    "http/1.1","h2"
                ],
                "certificates": [
                    {
                        "ocspStapling": 3600,   //OCSP 装订更新,与证书热重载的时间间隔
                        "certificateFile": "/etc/ssl/private/cert.crt",   //证书位置,绝对路径
                        "keyFile": "/etc/ssl/private/private.key"   //私钥位置,绝对路径
                    }
                ]
            }
        },
        "sniffing": {
            "enabled": true,
            "destOverride": [
                "http",
                "tls"
            ]
        }
    },
    {
        "port": 10010,   //trojan节点的分流端口
        "listen": "127.0.0.1",
        "protocol": "trojan",  
        "settings": {
            "clients": [
                {
                    "password": "pass"  //替换为你的密码
                }
            ],
            "fallbacks": [
                {
                    "alpn": "h2",  //h2回落
                    "dest": 81,   //h2回落端口
                    "xver": 1
                },
                {
                   "dest": 82,  //http/1.1回落端口
                   "xver": 1 
                }
            ]
        },
        "streamSettings": {
            "network": "tcp",
            "security": "none",
            "tcpSettings": {
                "acceptProxyProtocol": true
            }
        }
    },
    {
        "port": 10011,   //vless+ws节点的分流端口
        "listen": "127.0.0.1",
        "protocol": "vless",
        "settings": {
            "clients": [
                {
                    "id": "c73f45b7-60f2-4904-b075-fea27da41736"   //替换为你的uuid
                }
            ],
            "decryption": "none"
        },
        "streamSettings": {
            "network": "ws",  
            "security": "none",
            "wsSettings": {
                "acceptProxyProtocol": true,   //若使用Nginx/Caddy等反代WS,需要删掉这行
                "path": "/vlessws"   //ws的路径,需要和分流的一致
            }
        }
    },
    {
        "port": 10012,   //vmess+ws节点的分流端口
        "listen": "127.0.0.1",
        "protocol": "vmess",
        "settings": {
            "clients": [
                {
                    "id": "589a6153-711f-497d-a71a-5b79e5cee701"   //替换为你的uuid
                }
            ]
        },
        "streamSettings": {
            "network": "ws",
            "security": "none",
            "wsSettings": {
                "acceptProxyProtocol": true,   //若使用Nginx/Caddy等反代WS,需要删掉这行
                "path": "/vmessws"   //ws的路径,需要和分流的一致
            }
        }
    }
], 
"outbounds": [
    {
        "protocol": "freedom",
        "tag": "direct"
    },
    {
        "protocol": "blackhole",
        "tag": "block"
    }
]

} ============================================nginx.conf user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf;

events { worker_connections 768; }

http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65;

server {
    # Plain HTTP on port 80: redirect every request to HTTPS.
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;    # NOTE(review): $host reflects the client-supplied Host header into the redirect target; use the fixed domain name if arbitrary hosts should not be echoed back
}

server {
    # Catch-all for requests whose Host is not the configured domain: answer 404.
    # Ports 81/82 are only reached through Xray's trojan fallbacks (xver 1 => PROXY protocol), hence proxy_protocol on the listeners.
    listen 127.0.0.1:82 proxy_protocol default_server;
    listen 127.0.0.1:81 http2 proxy_protocol default_server;
    set_real_ip_from 127.0.0.1;        # trust the PROXY header only when it comes from the local Xray process
    real_ip_header proxy_protocol;     # take the client address from that PROXY header
    server_name _;
    return 404;
}     # restricts access to the configured domain; anything else gets 404

server {
    # Decoy site for the configured domain: reverse-proxies a public web site so that a browser or
    # probe visiting https://do.lock.buzz/ sees real content instead of an empty server.
    server_name do.lock.buzz; # your domain
    listen 127.0.0.1:82 proxy_protocol; # HTTP/1.1 local listener (trojan fallback "dest": 82)
    listen 127.0.0.1:81 http2 proxy_protocol; # h2 local listener (trojan fallback "alpn": "h2", "dest": 81)
    set_real_ip_from 127.0.0.1;        # trust the PROXY header only from the local Xray process
    real_ip_header proxy_protocol;     # take the client address from that PROXY header

    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # enable HSTS; NOTE(review): includeSubDomains + preload commits every subdomain to HTTPS for a year, hard to undo
        proxy_pass https://www.hao123.com; # decoy upstream; NOTE(review): nginx does not verify the upstream certificate unless proxy_ssl_verify on and proxy_ssl_trusted_certificate are set
        proxy_ssl_server_name on;          # send SNI to the upstream
        proxy_redirect off;
        sub_filter_once off;
        sub_filter "www.hao123.com" $server_name; # rewrite the upstream hostname to ours in response bodies (needs the uncompressed body forced below)
        proxy_set_header Host "www.hao123.com"; # decoy upstream host
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Real-IP $remote_addr;   # NOTE(review): $remote_addr is the real client (from the PROXY header); this and X-Forwarded-For hand that address to the third-party upstream - drop them if that is not intended
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Accept-Encoding "";   # ask upstream for an uncompressed body so sub_filter can rewrite it
        proxy_set_header Accept-Language "zh-CN";
    }
}

}

zxbiao commented 1 year ago

clients处新增一段{id,flow},记得前面的要加“,”

ycsks commented 1 year ago

能将修改好的配置发一下吗

csryt commented 1 year ago

@ycsks 来project X tg群伸手,大量客服。

agustyuzu commented 1 year ago
        "clients": [
            {
                "id": "08c82043-14e5-4ed8-be15-8c956cd89b0c",  //替换为你的uuid
                "flow": "xtls-rprx-vision"   //流控
            },
            {
                "id": "22222222222222222",  //替换为你的uuid
                "flow": "xtls-rprx-vision"   //流控
            }
        ],

就是复制一次clients 里的东西,别忘了逗号

ycsks commented 1 year ago

试了不行,,域名相同可以连接,等于多了一个UUID, 用第二个绑定的域名则无法连接

agustyuzu commented 1 year ago

以我浅薄的理解,"certificates"一段 是你其中的一个域名的证书,tls加密需要这个域名的证书。也许你需要用另一个端口,重新配置一套入站,这样需要另一个入口。但是端口不在443也许不是个好主意。 这样还不行我就没办法啦

多个id就是换了个uuid,确实不对。

    "port": 460, //端口
    "protocol": "vless", //协议类型
    "settings": {
        "clients": [
            {
                "id": "08c82043-14e5-4ed8-be15-8c956cd89b0c", //替换为你的uuid
                "flow": "xtls-rprx-vision" //流控
            }
        ],
        "decryption": "none",
        "fallbacks": [
            {
                "dest": 10010, //Trojan协议的分流端口
                "xver": 1
            },
            {
                "path": "/vlessws", //vless+ws的分流路径
                "dest": 10011, //分流端口
                "xver": 1
            },
            {
                "path": "/vmessws", //vmess+ws的分流路径
                "dest": 10012, //分流端口
                "xver": 1
            }
        ]
    },
    "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
            "rejectUnknownSni": true, //服务端接收到的 SNI 与证书域名不匹配即拒绝 TLS 握手
            "fingerprint": "chrome", //TLS指纹伪装,伪装为chrome浏览器指纹
            "allowInsecure": false, //不允许不安全连接(仅用于客户端)
            "alpn": [
                "http/1.1",
                "h2"
            ],
            "certificates": [
                {
                    "ocspStapling": 3600, //OCSP 装订更新,与证书热重载的时间间隔
                    "certificateFile": "证书2", //证书位置,绝对路径
                    "keyFile": "私钥2" //私钥位置,绝对路径
                }
            ]
        }
    },
    "sniffing": {
        "enabled": true,
        "destOverride": [
            "http",
            "tls"
        ]
    }
},
ycsks commented 1 year ago

无法连接,有没其他办法

cross-hello commented 1 year ago

Set nginx as fronter, then listen different server names.


ycsks commented 1 year ago

发配置文件吧,拜托托

cross-hello commented 1 year ago

Request beyond basic using need your efforts to run it out.


ycsks commented 1 year ago

谁能修改那两个配置文件,实现双域名啊

GleenJi commented 1 year ago

这不很简单吗,证书那里是个数组,可以写多个域名对应的证书

ycsks commented 1 year ago

能发个代码吗,试了很多次,不知道该怎么改

ghost commented 1 year ago

多用户加 ID 就好了,不用加域名。你的配置里 certificates 只有一张证书,只覆盖一个域名;再加域名时 SNI 跟证书对不上(rejectUnknownSni 为 true 时直接拒绝握手),自然连不上——除非为每个域名都补上对应的证书。

zxcvos commented 1 year ago
        "clients": [
            {
                "id": "08c82043-14e5-4ed8-be15-8c956cd89b0c",  //替换为你的uuid
                "flow": "xtls-rprx-vision"   //流控
            },
            {
                "id": "22222222222222222",  //替换为你的uuid
                "flow": "xtls-rprx-vision"   //流控
            }
        ],

就是复制一次clients 里的东西,别忘了逗号

加上这个试试?

"certificates": [
                    {
                        "ocspStapling": 3600,   //OCSP 装订更新,与证书热重载的时间间隔
                        "certificateFile": "/etc/ssl/private/cert.crt",   //证书位置,绝对路径
                        "keyFile": "/etc/ssl/private/private.key"   //私钥位置,绝对路径
                    },
                    {
                        "ocspStapling": 3600,   //OCSP 装订更新,与证书热重载的时间间隔
                        "certificateFile": "/etc/ssl/private/cert2.crt",   //证书2位置,绝对路径
                        "keyFile": "/etc/ssl/private/private2.key"   //私钥2位置,绝对路径
                    }
                ]
ycsks commented 1 year ago

成了,真是标点符号按错都不行,看不懂代码只能摸黑

ZqinKing commented 1 year ago

那是证书的问题:要么用通配符证书(或者像上面那样在 certificates 数组里为每个域名各配一张证书),要么在客户端对第二个域名关闭证书校验——但关闭校验(allowInsecure)会让客户端无法识别中间人伪造的证书,等于放弃了 TLS 的身份验证,不建议这么做。

jinwyp commented 1 year ago

这种只能通过 nginx SNI 在最前面监听443分流 具体可以看 这个 选23安装 https://github.com/jinwyp/one_click_script/blob/master/README2_CN.md