search

chika0801 / Xray-examples

Xray 配置示例
https://github.com/XTLS/Xray-core
555 stars 104 forks source link

Reality (steal from yourself) + nginx #44

Open lambovl opened 1 week ago

lambovl commented 1 week ago

Hi I have a VPS running my website with the domain my.site.com with nginx. I want to configure xray in reality mode, where I'm stealing my own SSL certificate. After setting it up, my site works correctly, but when connecting the client to xray, the tunnel isn’t created, and any others sites don’t loading through the VPN (except for my.site.com). Could you advise on what the issue might be?

nginx conf

server {
    listen           8443 ssl;
    server_name      my.site.com;
    #ssl              on;
    ssl_certificate  /var/www/ssl/my.site.com/fullchain.pem;
    ssl_certificate_key /var/www/ssl/my.site.com/privkey.pem;

    ssl_protocols    TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_buffer_size 16k;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root             /var/www/path/to/my/site/;
    autoindex        off;
    access_log       off;
    index index.html index.php;

    location ~* \.(css|js|jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf|x-icon|avif|webp|apng|gz|avif)$ {
    expires          30d;
    }

    location ^~ /docs/ {
     alias           /var/www/docs/;
     index           index.html index.htm;
     autoindex       off;
     include         mime.types;
     types {
      text/plain     php;
    }
  }

    gzip_static  always;
    gzip_proxied expired no-cache no-store private auth;
    gunzip       on;
    gzip         off;

    rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
    rewrite ^/(.*)/$ /$1 permanent;

    location /robots.txt {
     try_files $uri $uri/;
    }

    location / {
      try_files $uri/index.html $uri.html $uri/ @extensionless-php;
    }

    location @extensionless-php {
      rewrite ^(.*)$ $1.php last;
    }

    location ~* \.php$ {
    try_files $uri =404;
    fastcgi_pass     unix:/var/run/php/php8.3-fpm.sock;
    fastcgi_intercept_errors on;
    fastcgi_index    index.php;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    include          fastcgi_params;
    fastcgi_param    SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
  }
server {
    listen           80;
    server_name      my.site.com;
    return 301       https://my.site.com$request_uri;
  }

Reality conf

{
  "log": {
    "loglevel": "info"
  },
  "routing": {
    "rules": [],
    "domainStrategy": "AsIs"
  },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "tag": "vless_tls",
      "settings": {
        "clients": [
          {
            "id": "my uuid",
            "email": "1234@mail.com",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
                "realitySettings": {
                        "show": false,
                        "dest": "127.0.0.1:8443",
                        "xver": 0,
                        "serverNames": [
                                "my.site.com",
                        ],
                        "privateKey": "privkey",
                        "minClientVer": "",
                        "maxClientVer": "",
                        "maxTimeDiff": 0,
                        "shortIds": [
                                "abcdefgh"
                        ]
                }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}
chika0801 commented 1 week ago

listen 8443 ssl;

listen 127.0.0.1:8443 ssl;

I am not very familiar with the level of configuration using NGINX. I took a look at your NGINX and XRAY server-side configurations, and all I can suggest is to restart NGINX after you make the changes here.

Then fill in the REALITY parameters on the client side, make sure that it corresponds properly with the server side, and then try to see if the client can connect successfully.