From c6ec3122f5e312d7957746d33910bbf87de16078 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=A3=8E=E6=89=87=E6=BB=91=E7=BF=94=E7=BF=BC?=
Date: Sun, 20 Oct 2024 12:05:33 +0000
Subject: [PATCH] Add VLESS-TCP-REALITY(Without being stolen)
---
.../README.md | 5 +
.../config_client.jsonc | 56 +++++++++++
.../config_server.jsonc | 93 +++++++++++++++++++
3 files changed, 154 insertions(+)
create mode 100644 VLESS-TCP-REALITY(Without being stolen)/README.md
create mode 100644 VLESS-TCP-REALITY(Without being stolen)/config_client.jsonc
create mode 100644 VLESS-TCP-REALITY(Without being stolen)/config_server.jsonc
diff --git a/VLESS-TCP-REALITY(Without being stolen)/README.md b/VLESS-TCP-REALITY(Without being stolen)/README.md
new file mode 100644
index 0000000..bcbf373
--- /dev/null
+++ b/VLESS-TCP-REALITY(Without being stolen)/README.md
@@ -0,0 +1,5 @@
+# 不会被偷跑流量的 REALITY
+
+一个老生常谈的问题,对于非法请求, reality都会无脑转发流量去dest,如果reality的dest指向一个cloudflare网站,那么相当于服务端变成了CF的端口转发,任何人扫过来都可以拿来嫖。
+
+目前的解决办法是不要使用这类的网站作为 dest, 懂一点的会告诉你用 nginx 的 stream 滤一遍 SNI 并丢掉非法请求,但是其实 Xray 本身就支持这种操作,这也是这个模板的原理
\ No newline at end of file
diff --git a/VLESS-TCP-REALITY(Without being stolen)/config_client.jsonc b/VLESS-TCP-REALITY(Without being stolen)/config_client.jsonc
new file mode 100644
index 0000000..0b66929
--- /dev/null
+++ b/VLESS-TCP-REALITY(Without being stolen)/config_client.jsonc
@@ -0,0 +1,56 @@
+// 直接从其他示例里 copy 过来的,客户端不需要任何特殊修改,要填的东西也一致
+{
+ "log": {
+ "loglevel": "debug"
+ },
+ "inbounds": [
+ {
+ "listen": "127.0.0.1",
+ "port": 10808,
+ "protocol": "socks",
+ "settings": {
+ "udp": true
+ },
+ "sniffing": {
+ "enabled": true,
+ "destOverride": [
+ "http",
+ "tls",
+ "quic"
+ ],
+ "routeOnly": true
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "vless",
+ "settings": {
+ "vnext": [
+ {
+ "address": "127.0.0.1",
+ "port": 443,
+ "users": [
+ {
+ "id": "", // Needs to match server side
+ "encryption": "none"
+ }
+ ]
+ }
+ ]
+ },
+ "streamSettings": {
+ "network": "tcp",
+ "security": "reality",
+ "realitySettings": {
+ "fingerprint": "chrome",
+ "serverName": "speed.cloudflare.com",
+ "publicKey": "",
+ "spiderX": "",
+ "shortId": ""
+ }
+ },
+ "tag": "proxy"
+ }
+ ]
+}
diff --git a/VLESS-TCP-REALITY(Without being stolen)/config_server.jsonc b/VLESS-TCP-REALITY(Without being stolen)/config_server.jsonc
new file mode 100644
index 0000000..102383a
--- /dev/null
+++ b/VLESS-TCP-REALITY(Without being stolen)/config_server.jsonc
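Review bot: In config_client.jsonc only `id` carries a fill-in comment, while `"address": "127.0.0.1"` under `vnext` (which appears to be a placeholder for the server's address), `publicKey` and `shortId` have none. I would add comments in the same style, for example `"address": "127.0.0.1", // replace with your server address` and `"shortId": "" // must be one of the server's shortIds`. `"loglevel": "debug"` at the top is also worth a comment such as `// debug is for testing; lower to "warning" for daily use`, since debug logs are considerably more verbose about connections.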
@@ -0,0 +1,93 @@
+{
+ "log": {
+ "loglevel": "debug"
+ },
+ "inbounds": [
+ {
+ "tag": "dokodemo-in",
+ "port": 443,
+ "protocol": "dokodemo-door",
+ "settings": {
+ "address": "127.0.0.1",
+ "port": 4431, // 指向内网中的 reality 端口,示例是这个端口,如果要自己修改了记得这里和下面的 reality 入站都要修改
+ "network": "tcp"
+ },
+ "sniffing": { // 这里的 sniffing 不是多余的,别乱动
+ "enabled": true,
+ "destOverride": [
+ "tls"
+ ],
+ "routeOnly": true
+ }
+ },
+ {
+ "listen": "127.0.0.1",
+ "port": 4431, // 见上 如果和其他服务冲突了可以换
+ "protocol": "vless",
+ "settings": {
+ "clients": [
+ {
+ "id": "" // uuid
+ }
+ ],
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "tcp",
+ "security": "reality",
+ "realitySettings": {
+ // 下方要求和普通 reality 一致,这里演示 dest 设置为 cloudflare 不被偷跑流量所以设置为 speed.cloudflare.com 了
+ // 你可以设置为其他 CF 网站,如果你的 dest 不是这种网站你也不用点了进来不是吗
+ "dest": "speed.cloudflare.com:443",
+ "serverNames": [
+ "speed.cloudflare.com"
+ ],
+ "privateKey": "", // 运行 `xray x25519` 生成
+ "shortIds": [
+ "",
+ "0123456789abcdef"
+ ]
+ }
+ },
+ "sniffing": {
+ "enabled": true,
+ "destOverride": [
+ "http",
+ "tls",
+ "quic"
+ ],
+ "routeOnly": true
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom",
+ "tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "tag": "blcok"
+ }
+ ],
+ "routing": {
+ "rules": [
+ {
+ "inboundTag": [
+ "dokodemo-in"
+ ],
+ // 重要,这个域名列表需要和 realitySettings 的 serverNames 保持一致
+ "domain": [
+ "speed.cloudflare.com"
+ ],
+ "outboundTag": "direct"
+ },
+ {
+ "inboundTag": [
+ "dokodemo-in"
+ ],
+ "outboundTag": "blcok"
+ }
+ ]
+ }
+}
\ No newline at end of file
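Review bot: The `shortIds` list in `realitySettings` ships with both `""` and the sample value `"0123456789abcdef"`, so a server deployed from this template unchanged accepts a client that sends no short ID as well as one whose value is published in the repository. `id` and `privateKey` are left empty to be filled in, and the short ID should follow the same pattern, e.g. `"shortIds": [ "<your-own-hex-short-id>" ] // generate your own; add "" only if clients must connect without one`. It would also help to state next to the routing rules that the SNI filter only restricts forwarding to the names in `domain`; a probe that presents `speed.cloudflare.com` still passes the first rule and, as far as I can tell, is forwarded to `dest` by REALITY as usual. Separately, the tag `"blcok"` is misspelled identically in `outbounds` and in the last rule, so the two still match, but renaming both to `"block"` avoids a later one-sided correction leaving that rule pointing at a tag that does not exist.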