From db8ac0e00f380abbd543c3a879610b9eea0bc0fb Mon Sep 17 00:00:00 2001
From: rnotlnglgq
Date: Thu, 5 Jun 2025 19:20:23 +0000
Subject: [PATCH 1/2] tag VLESS-TCP-TLS-WS as deprecated instead of recommended
---
 .../README.ENG.md | 6 ++++++
 .../README.md | 7 +++++++
 .../config_client_tcp_tls.jsonc | 0
 .../config_client_ws_tls.jsonc | 0
 .../config_server.jsonc | 0
 5 files changed, 13 insertions(+)
 rename {VLESS-TCP-TLS-WS (recommended) => VLESS-TCP-TLS-WS}/README.ENG.md (81%)
 rename {VLESS-TCP-TLS-WS (recommended) => VLESS-TCP-TLS-WS}/README.md (81%)
 rename {VLESS-TCP-TLS-WS (recommended) => VLESS-TCP-TLS-WS}/config_client_tcp_tls.jsonc (100%)
 rename {VLESS-TCP-TLS-WS (recommended) => VLESS-TCP-TLS-WS}/config_client_ws_tls.jsonc (100%)
 rename {VLESS-TCP-TLS-WS (recommended) => VLESS-TCP-TLS-WS}/config_server.jsonc (100%)
diff --git a/VLESS-TCP-TLS-WS (recommended)/README.ENG.md b/VLESS-TCP-TLS-WS/README.ENG.md
similarity index 81%
rename from VLESS-TCP-TLS-WS (recommended)/README.ENG.md
rename to VLESS-TCP-TLS-WS/README.ENG.md
index 23eb56d..ea33f29 100644
--- a/VLESS-TCP-TLS-WS (recommended)/README.ENG.md
+++ b/VLESS-TCP-TLS-WS/README.ENG.md
@@ -1,5 +1,11 @@
 # VLESS over TCP with TLS + fallback & split to WebSocket (advanced configuration)
+## Caution
+
+**This configuration was tagged as recommended, however https://github.com/XTLS/Xray-core/issues/1750#issuecomment-1459469821 had mentioned its vulnerabilities and it should be tagged as deprecated.**
+
+## Original Content
+
 This is a superset of [Minimal Configuration](<../VLESS-TCP-TLS%20(minimal%20by%20rprx)>), using the powerful fallback and distribution features of VLESS, it realizes port 443 VLESS over TCP with TLS and Perfect coexistence of any WSS
 This configuration is for reference. You can replace VLESS on WS with any other protocol such as VMess, and set more PATHs and protocol coexistence.
diff --git a/VLESS-TCP-TLS-WS (recommended)/README.md b/VLESS-TCP-TLS-WS/README.md
similarity index 81%
rename from VLESS-TCP-TLS-WS (recommended)/README.md
rename to VLESS-TCP-TLS-WS/README.md
index cd0f659..abbe9d4 100644
--- a/VLESS-TCP-TLS-WS (recommended)/README.md
+++ b/VLESS-TCP-TLS-WS/README.md
@@ -1,4 +1,11 @@
 # VLESS over TCP with TLS + 回落 & 分流 to WebSocket(进阶配置)
+
+## 注意
+
+**这个配置过去被标记为推荐,然而 https://github.com/XTLS/Xray-core/issues/1750#issuecomment-1459469821 提到其安全缺陷,且它应当列为已废弃。**
+
+## 原文
+
 [ENGLISH](README.ENG.md)
 这里是 [最简配置](<../VLESS-TCP-TLS%20(minimal%20by%20rprx)>) 的超集,利用 VLESS 强大的回落分流特性,实现了 443 端口 VLESS over TCP with TLS 和任意 WSS 的完美共存
diff --git a/VLESS-TCP-TLS-WS (recommended)/config_client_tcp_tls.jsonc b/VLESS-TCP-TLS-WS/config_client_tcp_tls.jsonc
similarity index 100%
rename from VLESS-TCP-TLS-WS (recommended)/config_client_tcp_tls.jsonc
rename to VLESS-TCP-TLS-WS/config_client_tcp_tls.jsonc
diff --git a/VLESS-TCP-TLS-WS (recommended)/config_client_ws_tls.jsonc b/VLESS-TCP-TLS-WS/config_client_ws_tls.jsonc
similarity index 100%
rename from VLESS-TCP-TLS-WS (recommended)/config_client_ws_tls.jsonc
rename to VLESS-TCP-TLS-WS/config_client_ws_tls.jsonc
diff --git a/VLESS-TCP-TLS-WS (recommended)/config_server.jsonc b/VLESS-TCP-TLS-WS/config_server.jsonc
similarity index 100%
rename from VLESS-TCP-TLS-WS (recommended)/config_server.jsonc
rename to VLESS-TCP-TLS-WS/config_server.jsonc
From d00b801385ae64c5456dd34fa6a5955e5c002736 Mon Sep 17 00:00:00 2001
From: rnotlnglgq
Date: Thu, 5 Jun 2025 19:20:46 +0000
Subject: [PATCH 2/2] Add a minimal VLESS-XHTTP-Reality configuration
---
 .../minimal-steal_others/README.en.md | 9 +++
 .../minimal-steal_others/README.md | 12 +++
 .../client-bypass-cn.jsonc | 77 ++++++++++++++++++
 .../minimal-steal_others/client.jsonc | 63 +++++++++++++++
 .../server-block-cn.jsonc | 79 +++++++++++++++++++
 .../minimal-steal_others/server.jsonc | 60 ++++++++++++++
 6 files changed, 300 insertions(+)
 create mode 100644 VLESS-XHTTP-Reality/minimal-steal_others/README.en.md
 create mode 100644 VLESS-XHTTP-Reality/minimal-steal_others/README.md
 create mode 100644 VLESS-XHTTP-Reality/minimal-steal_others/client-bypass-cn.jsonc
 create mode 100644 VLESS-XHTTP-Reality/minimal-steal_others/client.jsonc
 create mode 100644 VLESS-XHTTP-Reality/minimal-steal_others/server-block-cn.jsonc
 create mode 100644 VLESS-XHTTP-Reality/minimal-steal_others/server.jsonc
diff --git a/VLESS-XHTTP-Reality/minimal-steal_others/README.en.md b/VLESS-XHTTP-Reality/minimal-steal_others/README.en.md
new file mode 100644
index 0000000..6176b83
--- /dev/null
+++ b/VLESS-XHTTP-Reality/minimal-steal_others/README.en.md
@@ -0,0 +1,9 @@
+# VLESS-XHTTP-Reality-steal_others
+
+[Reality](https://github.com/XTLS/REALITY) and [XHTTP](https://github.com/XTLS/Xray-core/discussions/4113) are two major techniques of Project X which are up-to-date. This example provides a minimal configuration, which can be used for new versions of Xray-core (and cannot be used for low versions, recommended >= [v25.3.6](https://github.com/XTLS/Xray-core/releases/tag/v25.3.6) ). There are also more complicated configurations provided by other community repositories.
+
+#### Note
+
+* Leave the fields blank as much as possible to ensure that users who have not configured their own will be responded to by xray-core with an error.
+* Considering practicality, [domain name sniffing](https://xtls.github.io/config/inbound.html#sniffingobject) is enabled.
+* The `"fingerprint"` field for Reality has a safe default value of `"chrome"` since version 24.12.18, so it is omitted in this example. Old versions of Xray-Core without a default value should not be able to recognize this configuration file (due to the `"target"` field), so it should be safe to omit it here.
\ No newline at end of file
diff --git a/VLESS-XHTTP-Reality/minimal-steal_others/README.md b/VLESS-XHTTP-Reality/minimal-steal_others/README.md
new file mode 100644
index 0000000..765ad50
--- /dev/null
+++ b/VLESS-XHTTP-Reality/minimal-steal_others/README.md
@@ -0,0 +1,12 @@
+# VLESS-XHTTP-Reality-steal_others
+
+[Reality](https://github.com/XTLS/REALITY)与[XHTTP](https://github.com/XTLS/Xray-core/discussions/4113)是XTLS项目的两项主要且较新的技术。本示例配置提供一个极简配置,其可在较新版本的Xray-core使用(且无法在低版本使用,建议版本不旧于[v25.3.6](https://github.com/XTLS/Xray-core/releases/tag/v25.3.6))。目前亦有社区成员在其他仓库提供更复杂的配置方案。
+
+另外根据[一些经验](https://github.com/XTLS/Xray-core/issues/1027),对于中国大陆用户建议使用[禁回国流量的路由规则](server-block-cn.jsonc),以避免服务器向境内网站发起连接而被标记为代理。
+
+#### 备注
+
+* 待填字段尽可能留空了,确保未自行配置的用户将被xray-core回应以报错。
+* 考虑到实用性,开启了[域名嗅探](https://xtls.github.io/config/inbound.html#sniffingobject)。
+
+* Reality设定的`"fingerprint"`字段自24.12.18版本已有安全的默认值`"chrome"`,故不再标注。没有默认值的旧版Xray-core应该会因无法识别这个配置文件(因target字段),所以此处省略应该是安全的。
\ No newline at end of file
diff --git a/VLESS-XHTTP-Reality/minimal-steal_others/client-bypass-cn.jsonc b/VLESS-XHTTP-Reality/minimal-steal_others/client-bypass-cn.jsonc
new file mode 100644
index 0000000..4ba4f85
--- /dev/null
+++ b/VLESS-XHTTP-Reality/minimal-steal_others/client-bypass-cn.jsonc
@@ -0,0 +1,77 @@
+{
+ "routing": {
+ "rules": [
+ {
+ "ip": [
+ "geoip:private"
+ ],
+ "outboundTag": "direct"
+ },
+ {
+ "type": "field",
+ "ip": [
+ "geoip:cn"
+ ],
+ "outboundTag": "direct"
+ },
+ {
+ "type": "field",
+ "domain": [
+ "geosite:cn"
+ ],
+ "outboundTag": "direct"
+ }
+ ]
+ },
+ "inbounds": [
+ {
+ "listen": "127.0.0.1",
+ "port": 10808,
+ "protocol": "socks"
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "vless",
+ "settings": {
+ "vnext": [
+ {
+ "address": "", // 服务端的域名或 IP
+ "port": 443, // 填入配置服务器入站时设定的监听端口
+ "users": [
+ {
+ "id": "", // 与服务端一致
+ "encryption": "none",
+ "flow": ""
+ }
+ ]
+ }
+ ]
+ },
+ "streamSettings": {
+ "network": "xhttp",
+ "xhttpSettings": {
+ "path": "/yourpath" // 与服务端一致
+ },
+ "security": "reality",
+ "realitySettings": {
+ "serverName": "", // 在服务端所设serverNames列表中选择一个填入
+ "publicKey": "", // 服务端执行 xray x25519 生成,私钥对应的公钥,填 "Public key" 的值
+ "shortId": "", // 服务端 shortIds 之一
+ "spiderX": "/somepath", // 爬虫初始路径与参数,建议每个客户端不同
+ "fingerprint": "chrome" // 使用 uTLS 库模拟客户端 TLS 指纹。,为强调而保留。
+ }
+ },
+ "tag": "proxy"
+ },
+ {
+ "protocol": "freedom",
+ "tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "tag": "block"
+ }
+
+ ]
+}
diff --git a/VLESS-XHTTP-Reality/minimal-steal_others/client.jsonc b/VLESS-XHTTP-Reality/minimal-steal_others/client.jsonc
new file mode 100644
index 0000000..c857754
--- /dev/null
+++ b/VLESS-XHTTP-Reality/minimal-steal_others/client.jsonc
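Review bot: The `"fingerprint": "chrome"` line in `realitySettings` contradicts the README.en.md added in this same patch, which says the field is omitted from the example because `"chrome"` has been the default since 24.12.18; client.jsonc carries the same line. Either drop the line from both client files or reword the README bullet to say the client configs keep it for emphasis, so a reader is not left guessing which statement holds. The trailing comment on that line also has a stray `。,` pair where a single separator was meant. Separately, the first rule (`geoip:private`) omits `"type": "field"` while the two rules after it set it; one form should be used for all three.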
@@ -0,0 +1,63 @@
+{
+ "routing": {
+ "rules": [
+ {
+ "ip": [
+ "geoip:private"
+ ],
+ "outboundTag": "direct"
+ }
+ ]
+ },
+ "inbounds": [
+ {
+ "listen": "127.0.0.1",
+ "port": 10808,
+ "protocol": "socks"
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "vless",
+ "settings": {
+ "vnext": [
+ {
+ "address": "", // 服务端的域名或 IP
+ "port": 443, // 填入配置服务器入站时设定的监听端口
+ "users": [
+ {
+ "id": "", // 与服务端一致
+ "encryption": "none",
+ "flow": ""
+ }
+ ]
+ }
+ ]
+ },
+ "streamSettings": {
+ "network": "xhttp",
+ "xhttpSettings": {
+ "path": "/yourpath" // 与服务端一致
+ },
+ "security": "reality",
+ "realitySettings": {
+ "serverName": "", // 在服务端所设serverNames列表中选择一个填入
+ "publicKey": "", // 服务端执行 xray x25519 生成,私钥对应的公钥,填 "Public key" 的值
+ "shortId": "", // 服务端 shortIds 之一
+ "spiderX": "/somepath", // 爬虫初始路径与参数,建议每个客户端不同
+ "fingerprint": "chrome" // 使用 uTLS 库模拟客户端 TLS 指纹。,为强调而保留。
+ }
+ },
+ "tag": "proxy"
+ },
+ {
+ "protocol": "freedom",
+ "tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "tag": "block"
+ }
+
+ ]
+}
diff --git a/VLESS-XHTTP-Reality/minimal-steal_others/server-block-cn.jsonc b/VLESS-XHTTP-Reality/minimal-steal_others/server-block-cn.jsonc
new file mode 100644
index 0000000..bc7e406
--- /dev/null
+++ b/VLESS-XHTTP-Reality/minimal-steal_others/server-block-cn.jsonc
@@ -0,0 +1,79 @@
+{
+ "routing": {
+ "domainStrategy": "IPIfNonMatch",
+ "rules": [
+ {
+ "type": "field",
+ "ip": [
+ "geoip:cn"
+ ],
+ "outboundTag": "block"
+ },
+ {
+ "type": "field",
+ "domain": [
+ "geosite:cn"
+ ],
+ "outboundTag": "block"
+ }
+ ]
+ },
+ "inbounds": [
+ {
+ "listen": "0.0.0.0",
+ "port": 443, // 可根据实际情况更换端口
+ "protocol": "vless",
+ "settings": {
+ "clients": [
+ {
+ "id": "", // 长度为 1-30 字节的任意字符串,或执行 xray uuid 生成
+ "flow": ""
+ }
+ ],
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "xhttp",
+ "xhttpSettings": {
+ "path": "/yourpath" // 自行设定路径
+ },
+ "security": "reality",
+ "realitySettings": {
+ // 此target字段原名为dest,从24.10.31版本开始开始使用新名称。
+ // 目标网站最低标准:国外网站,支持 TLSv1.3 与 H2,域名非跳转用(主域名可能被用于跳转到 www)。详见 https://github.com/XTLS/REALITY
+ "target": "example.com:443",
+ "serverNames": [
+ // 客户端可用的 serverName 列表,暂不支持 * 通配符
+ // 执行 xray tls ping 目标网站网址,填 "Allowed domains" 的值
+ ],
+ "privateKey": "", // 执行 xray x25519 生成,填 "Private key" 的值
+ "shortIds": [ // 客户端可用的 shortId 列表,可用于区分不同的客户端
+ // "", // 若有此项,客户端 shortId 可为空
+ "00", // 0 到 f,长度为 2 的倍数,长度上限为 16
+ "01",
+ "02"
+ ]
+ }
+ },
+ "sniffing": {
+ "enabled": true,
+ "destOverride": [
+ "http",
+ "tls",
+ "quic"
+ ]
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom",
+ "tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "tag": "block"
+ }
+
+ ]
+}
diff --git a/VLESS-XHTTP-Reality/minimal-steal_others/server.jsonc b/VLESS-XHTTP-Reality/minimal-steal_others/server.jsonc
new file mode 100644
index 0000000..f1e79e7
--- /dev/null
+++ b/VLESS-XHTTP-Reality/minimal-steal_others/server.jsonc
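Review bot: The `routing.rules` list blocks `geoip:cn` and `geosite:cn` but has no rule for the server's own loopback and private ranges, so a request from any authenticated client can be forwarded by the `freedom` outbound to services that only listen on the host or its internal network. Adding `{ "type": "field", "ip": ["geoip:private"], "outboundTag": "block" }` as the first rule closes that; server.jsonc needs the same rule together with a `routing` section, since it declares the `block` outbound without anything that routes to it. Because sniffing can replace the destination with a domain name, the rule presumably only catches names that resolve to private addresses when `domainStrategy` makes the router resolve them, as `IPIfNonMatch` does here. The comment above `target` also repeats `开始开始`, in both server files.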
@@ -0,0 +1,60 @@
+{
+ "inbounds": [
+ {
+ "listen": "0.0.0.0",
+ "port": 443, // 可根据实际情况更换端口
+ "protocol": "vless",
+ "settings": {
+ "clients": [
+ {
+ "id": "", // 长度为 1-30 字节的任意字符串,或执行 xray uuid 生成
+ "flow": ""
+ }
+ ],
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "xhttp",
+ "xhttpSettings": {
+ "path": "/yourpath" // 自行设定路径
+ },
+ "security": "reality",
+ "realitySettings": {
+ // 此target字段原名为dest,从24.10.31版本开始开始使用新名称。
+ // 目标网站最低标准:国外网站,支持 TLSv1.3 与 H2,域名非跳转用(主域名可能被用于跳转到 www)。详见 https://github.com/XTLS/REALITY
+ "target": "example.com:443",
+ "serverNames": [
+ // 客户端可用的 serverName 列表,暂不支持 * 通配符
+ // 执行 xray tls ping 目标网站网址,填 "Allowed domains" 的值
+ ],
+ "privateKey": "", // 执行 xray x25519 生成,填 "Private key" 的值
+ "shortIds": [ // 客户端可用的 shortId 列表,可用于区分不同的客户端
+ // "", // 若有此项,客户端 shortId 可为空
+ "00", // 0 到 f,长度为 2 的倍数,长度上限为 16
+ "01",
+ "02"
+ ]
+ }
+ },
+ "sniffing": {
+ "enabled": true,
+ "destOverride": [
+ "http",
+ "tls",
+ "quic"
+ ]
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom",
+ "tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "tag": "block"
+ }
+
+ ]
+}
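Review bot: The `shortIds` array ships with usable values `"00"`, `"01"`, `"02"` (and `xhttpSettings.path` with `/yourpath`), which does not follow the README's stated approach of leaving fields blank so that an unconfigured copy fails with an error; server-block-cn.jsonc has the same list. A shortId is not the main credential in this setup, but deployments copied verbatim would all share the same identifiers, which removes the per-client distinction the comment on that array describes. I would leave only the commented guidance in the array, or mark the entries as samples to be replaced, for example `"00", // 示例值,请自行替换`. Whether xray-core rejects an empty `shortIds` array should be confirmed before relying on that to force configuration.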