Closed nenakatu closed 4 months ago
Please show your config file code.
```json
{
  "log": { "loglevel": "info" },
  "routing": { "rules": [], "domainStrategy": "AsIs" },
  "inbounds": [
    {
      "port": 23,
      "tag": "ss",
      "protocol": "shadowsocks",
      "settings": {
        "method": "2022-blake3-aes-128-gcm",
        "password": "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb",
        "network": "tcp,udp"
      }
    },
    {
      "port": 443,
      "protocol": "vless",
      "tag": "vless_tls",
      "settings": {
        "clients": [
          { "id": "7957c33c-d9ca-11ed-afa1-0242ac120002", "email": "user1@myserver", "flow": "xtls-rprx-vision" }
        ],
        "decryption": "none",
        "fallbacks": [
          { "path": "/myverysecretpath", "dest": "@vless-ws" },
          { "dest": "8080" }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "alpn": [ "http/1.1", "h2" ],
          "certificates": [
            {
              "certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem",
              "keyFile": "/etc/letsencrypt/live/example.com/privkey.pem"
            }
          ]
        }
      },
      "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] }
    },
    {
      "listen": "@vless-ws",
      "protocol": "vless",
      "tag": "vless_ws",
      "settings": {
        "clients": [
          { "id": "7957c33c-d9ca-11ed-afa1-0242ac120002", "email": "user2@myserver" }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "ws",
        "security": "none",
        "wsSettings": { "path": "/myverysecretpath" }
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ]
}
```
The config is like this. Of course, I have my own paths to the privkey.pem and fullchain.pem files; here I specify different ones because they contain my domain name (but I checked them several times, they are correct).
```json
……
"certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem",
"keyFile": "/etc/letsencrypt/live/example.com/privkey.pem"
……
```
Are the permissions of those 2 files 755? Is xray managed by systemd? Maybe you should use the ln command to link these two files to another place (for example: /home/ssl) and grant 755 and user/group permissions.
The permissions on them are rwx; they are already symbolic links to "certificateFile": "/etc/letsencrypt/archive/example.com/fullchain.pem", "keyFile": "/etc/letsencrypt/archive/example.com/privkey.pem". Yes, the systemd init system. Previously, I installed XTLS via the install script: `bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install`. Now I tried to do it myself and it worked; I did not change the config.
This situation is generally as follows:
The one-click script for Xray is adapted to the more popular Linux distributions. After all, most of them use systemd to manage the process, so usability is relatively high.
```sh
chown -R nobody:nogroup /etc/letsencrypt/live/example.com/
```
```json
"certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem",
"keyFile": "/etc/letsencrypt/live/example.com/privkey.pem"
```
And another question: if you install it through the script using the link I mentioned above, is a new user created for the xtls daemon, or does it work under root? When I set it up on my own, it turned out that it works under root.
https://github.com/XTLS/Xray-install
```sh
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u root
```
The user is root after this installation.
If it is not installed this way and the user is nobody, there will be permission issues with the SSL certificate.
And by default, under which user does the script run it, nobody?
https://github.com/XTLS/Xray-core/issues/2488#issuecomment-1693694669
```sh
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
```
The reasoning is that when installing with the above command, you only need to be aware of SSL certificate permissions when using the VLESS-XTLS-Vision protocol combination.
Yes, I understood that; now I'm trying to understand under which user this script launches xray. Does it create a new one or use the existing "nobody"? That is, I do not want my xray to run under root, as I have it set up now, but under another user with fewer privileges.
```sh
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
```
After installing it this way, it is using nobody and nogroup.
https://github.com/XTLS/Xray-install
Here's the link to the install script so you can check it out.
Is it possible to install it myself without the script, on a clean Ubuntu 20.04 server, using the following method? Correct me if it's not right.
Create a new user "xrayuser" without a home directory or shell access.
```sh
sudo adduser --shell /usr/sbin/nologin --no-create-home xrayuser
```
Download the archive with the program to the server.
```sh
wget https://github.com/XTLS/Xray-core/releases/download/v1.8.0/Xray-linux-64.zip
```
Create a directory, unpack the archive into it and make the xray file executable.
```sh
mkdir /opt/xray
unzip ./Xray-linux-64.zip -d /opt/xray
chmod +x /opt/xray/xray
```
This allows the process to open sockets on privileged ports without having to run the entire process as the superuser (root).
```sh
setcap cap_net_bind_service=+ep /opt/xray/xray
```
Create a systemd unit with the following content.
```sh
nano /etc/systemd/system/xray.service
```
```ini
[Unit]
Description=Xray Service
After=network.target

[Service]
ExecStart=/opt/xray/xray run -c /opt/xray/config.json
Restart=on-failure
RestartSec=30
User=xrayuser
Type=simple

[Install]
WantedBy=multi-user.target
```
I move the certificates to another directory and give them the appropriate permissions according to this recommendation.
But for some reason it does not start, and if I do everything the same (with minor exceptions) only as root, then everything works. What am I doing wrong?
I'm limited, I can't help you with this one problem of yours.
The steps you tried to install Xray manually without a script seem to be correct, except for one thing: you need to change the owner and group of the /opt/xray directory and its contents to xrayuser, otherwise Xray will not be able to access them. You can do this by running the following command:
```sh
sudo chown -R xrayuser:xrayuser /opt/xray
```
After that, you should be able to start Xray with your systemd unit.
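As an added example, not code from the issue thread or from the Xray project: the script below bundles the manual non-root setup discussed above into three shell functions. `can_read_as` is the preflight check to run before `systemctl start`: it answers whether the service user could actually open the certificate and key files, following certbot's `live/` symlinks into `archive/` and checking traverse permission on every parent directory of both paths, which is what the kernel checks on open(); a world-readable file behind a 0700 directory still fails. `render_unit` prints a systemd unit that grants CAP_NET_BIND_SERVICE through `AmbientCapabilities=` instead of a file capability on the binary and adds sandboxing directives, and `install_certs` copies a Let's Encrypt lineage into a directory owned by the service user so that it can be wired up as a certbot deploy hook. The user name xrayuser, the paths under /opt/xray, the lineage name example.com and the existence of a group named after the user are assumptions taken from the thread, not requirements.

```sh
#!/bin/sh
# Added example (not from the issue or the Xray project). Assumed names:
# service user "xrayuser" (with a group of the same name), binary /opt/xray/xray,
# config /opt/xray/config.json, certificates copied to /opt/xray/certs.

# in_list "GID GID ..." GID : is GID one of the space-separated ids?
in_list() { case " $1 " in *" $2 "*) return 0;; esac; return 1; }

# check_bits UID GIDS PATH NEED : NEED is 4 (read) or 1 (traverse). Picks the
# owner, group or other permission triplet exactly as the kernel would.
check_bits() {
    uid="$1"; gids="$2"; path="$3"; need="$4"
    out=$(stat -c '%a %u %g' -- "$path") || return 1
    set -- $out
    mode=$(printf '%d' "0$1"); owner="$2"; group="$3"   # octal -> decimal
    if [ "$owner" = "$uid" ]; then off=6
    elif in_list "$gids" "$group"; then off=3
    else off=0; fi
    [ $(( (mode >> off) & need )) -ne 0 ]
}

# dirs_traversable UID GIDS DIR : x bit on DIR and every ancestor up to /
dirs_traversable() {
    d="$3"
    while :; do
        check_bits "$1" "$2" "$d" 1 || return 1
        [ "$d" = / ] && break
        d=$(dirname -- "$d")
    done
    return 0
}

# can_read_as UID "GID GID ..." FILE : 0 if that uid/gids could open FILE.
# Both the path as written in config.json and the symlink target are walked;
# certbot's live/<name>/privkey.pem is a link into archive/<name>/.
can_read_as() {
    file="$3"
    [ -e "$file" ] || return 1
    parent=$(readlink -f -- "$(dirname -- "$file")") || return 1
    target=$(readlink -f -- "$file") || return 1
    dirs_traversable "$1" "$2" "$parent" || return 1
    dirs_traversable "$1" "$2" "$(dirname -- "$target")" || return 1
    check_bits "$1" "$2" "$target" 4
}

# render_unit USER BINARY CONFIG : unit that binds port 443 as an unprivileged
# user. AmbientCapabilities replaces the setcap step: systemd hands the
# capability to the process at start, so the binary carries no file capability.
render_unit() {
    cat <<EOF
[Unit]
Description=Xray Service
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=$1
Group=$1
ExecStart=$2 run -c $3
Restart=on-failure
RestartSec=30
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# add ReadWritePaths= here if config.json logs to a file

[Install]
WantedBy=multi-user.target
EOF
}

# install_certs LINEAGE_DIR DEST USER : copy a certbot lineage into a directory
# the service user owns. -o/-g need root; certbot runs deploy hooks as root.
install_certs() {
    mkdir -p "$2"
    install -o "$3" -g "$3" -m 0644 "$1/fullchain.pem" "$2/fullchain.pem"
    install -o "$3" -g "$3" -m 0600 "$1/privkey.pem" "$2/privkey.pem"
    chown "$3:$3" "$2" && chmod 0750 "$2"
}

# Typical use on the server, as root (assumed names):
#   install_certs /etc/letsencrypt/live/example.com /opt/xray/certs xrayuser
#   render_unit xrayuser /opt/xray/xray /opt/xray/config.json > /etc/systemd/system/xray.service
#   can_read_as "$(id -u xrayuser)" "$(id -G xrayuser)" /opt/xray/certs/privkey.pem && echo readable
```

To keep the copy current across renewals, put `install_certs "$RENEWED_LINEAGE" /opt/xray/certs xrayuser` in an executable script under /etc/letsencrypt/renewal-hooks/deploy/ (certbot exports RENEWED_LINEAGE as the live directory of the renewed certificate) and point certificateFile and keyFile in config.json at /opt/xray/certs. Note that ProtectHome=true in the generated unit hides /home from the service, so a certificate linked into /home/ssl, as suggested earlier in the thread, would not be visible to it.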
Thank you, it really helped, the service started!
Help me solve the problem with the certificates. I can't figure out what's wrong with them. The paths in the config are written correctly; I checked several times. The certificates (from Let's Encrypt) are also fine; they can be opened using cat.
```
-- Reboot --
Aug 25 00:11:46 vm43 systemd[1]: Started Xray Service.
Aug 25 00:11:46 vm43 xray[428]: Xray 1.7.5 (Xray, Penetrates Everything.) Custom (go1.20 linux/amd64)
Aug 25 00:11:46 vm43 xray[428]: A unified platform for anti-censorship.
Aug 25 00:11:46 vm43 xray[428]: 2023/08/25 00:11:46 [Info] infra/conf/serial: Reading config: /usr/local/etc/xray/config.json
Aug 25 00:11:46 vm43 xray[428]: Failed to start: main: failed to load config files: [/usr/local/etc/xray/config.json] > infra/conf: Failed to build TLS config. > infra/conf: failed to parse certificate > ope>
Aug 25 00:11:46 vm43 systemd[1]: xray.service: Main process exited, code=exited, status=23/n/a
Aug 25 00:11:46 vm43 systemd[1]: xray.service: Failed with result 'exit-code'.
```