Update Serverless-for-Iran (#238)

Persian explanation: https://github.com/patterniha/Serverless-for-Iran

All-in-One-fallbacks-Nginx/client.configs/ShadowSocks-WS-TLS.jsonc

@@ -28,7 +28,7 @@
       "streamSettings": {
         "network": "ws",
         "wsSettings": {
-          "path": "/ssws?ed=2048"
+          "path": "/ssws?ed=2560"
         },
         "security": "tls",
         "tlsSettings": {

All-in-One-fallbacks-Nginx/client.configs/Trojan-WS-TLS.jsonc

@@ -27,7 +27,7 @@
       "streamSettings": {
         "network": "ws",
         "wsSettings": {
-          "path": "/trojanws?ed=2048"
+          "path": "/trojanws?ed=2560"
         },
         "security": "tls",
         "tlsSettings": {

All-in-One-fallbacks-Nginx/client.configs/VMESS-WS-TLS.jsonc

@@ -33,7 +33,7 @@
       "streamSettings": {
         "network": "ws",
         "wsSettings": {
-          "path": "/vmws?ed=2048"
+          "path": "/vmws?ed=2560"
         },
         "security": "tls",
         "tlsSettings": {

All-in-One-fallbacks-Nginx/client.configs/Vless-WS-TLS.jsonc

@@ -32,7 +32,7 @@
       "streamSettings": {
         "network": "ws",
         "wsSettings": {
-          "path": "/vlws?ed=2048"
+          "path": "/vlws?ed=2560"
         },
         "security": "tls",
         "tlsSettings": {

All-in-One-fallbacks-Nginx/generate.sh

@@ -45,15 +45,15 @@ Help()
     echo "Please read the contents of this file and change all the required fields."
     echo "*************************************************************************"
     echo "*************************************************************************"
-    echo 
-    echo 
+    echo
+    echo
     echo "Commands"
     echo
     echo "m     Make and store the configs in result.txt."
     echo "r     Revert all the changes."
     echo "q     Print the qr codes of configs in terminal. Run this after running with -m."
     echo "b     Print one base64 link for all configs in terminal.  Run this after running with -m."
-    echo 
+    echo
     echo
     echo "Usage: "
     echo
@@ -63,7 +63,7 @@ Help()
 
 Revert()
 {
-    git restore client.configs/* server.json nginx.conf
+    git restore client.configs/* server.jsonc nginx.conf
 }
 
 Make()
@@ -71,28 +71,28 @@ Make()
     #################################
     #         main domain           #
     #################################
-    sed -i "s/$fake_domain_crt_path/$main_domain_crt/g" server.json client.configs/* nginx.conf
-    sed -i "s/$fake_domain_key_path/$main_domain_key/g" server.json client.configs/* nginx.conf
-    sed -i "s/$fake_domain/$main_domain/g" server.json client.configs/* nginx.conf
-    
+    sed -i "s/$fake_domain_crt_path/$main_domain_crt/g" server.jsonc client.configs/* nginx.conf
+    sed -i "s/$fake_domain_key_path/$main_domain_key/g" server.jsonc client.configs/* nginx.conf
+    sed -i "s/$fake_domain/$main_domain/g" server.jsonc client.configs/* nginx.conf
+
     #################################
     #       behind cdn domain       #
     #################################
     if [ "$cdn_domain" == "" ]; then
         echo "No domain behind cdn set. Removing related fields."
-        sed -i "146 s/.$//" server.json
-        sed -i "147,152d" server.json
+        sed -i "146 s/.$//" server.jsonc
+        sed -i "147,152d" server.jsonc
     fi
-    
-    sed -i "s/$fake_cdn_domain_crt_path/$cdn_domain_crt/g" server.json client.configs/* nginx.conf
-    sed -i "s/$fake_cdn_domain_key_path/$cdn_domain_key/g" server.json client.configs/* nginx.conf
-    sed -i "s/$fake_cdn_domain/$cdn_domain/g" server.json client.configs/* nginx.conf
+
+    sed -i "s/$fake_cdn_domain_crt_path/$cdn_domain_crt/g" server.jsonc client.configs/* nginx.conf
+    sed -i "s/$fake_cdn_domain_key_path/$cdn_domain_key/g" server.jsonc client.configs/* nginx.conf
+    sed -i "s/$fake_cdn_domain/$cdn_domain/g" server.jsonc client.configs/* nginx.conf
 
     #################################
     #          uuid/pass            #
     #################################
-    sed -i "s/$fakeid/$myid/g" server.json client.configs/* nginx.conf
-    sed -i "s/$fakepass/$mypass/g" server.json client.configs/* nginx.conf
+    sed -i "s/$fakeid/$myid/g" server.jsonc client.configs/* nginx.conf
+    sed -i "s/$fakepass/$mypass/g" server.jsonc client.configs/* nginx.conf
 
     #################################
     #           configs             #
@@ -125,19 +125,19 @@ Printqr()
 {
     while read line; do
         export t=`echo $line | cut -c -2`
-        if [ "$t" == "vm" ]; then  
+        if [ "$t" == "vm" ]; then
             echo $line | cut -c 9- | base64 -d | grep "\"ps\":" | sed -n -e 's/"ps": "//p' | sed -n -e 's/",//p' | sed -n -e 's/ *//p'
             curl qrcode.show -d $line
         else
             echo $line | sed -n -e 's/^.*#//p'
             curl qrcode.show -d $line
-        fi 
-    done < result
+        fi
+    done < result.txt
 }
 
 while getopts "mrqb" option; do
     case $option in
-        r) 
+        r)
             Revert
             exit;;
         m)
@@ -150,7 +150,7 @@ while getopts "mrqb" option; do
             Printqr
             exit;;
 
-        \?) 
+        \?)
             Help
             exit;;
     esac

LICENSE

@@ -0,0 +1,428 @@
+Attribution-ShareAlike 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+     Considerations for licensors: Our public licenses are
+     intended for use by those authorized to give the public
+     permission to use material in ways otherwise restricted by
+     copyright and certain other rights. Our licenses are
+     irrevocable. Licensors should read and understand the terms
+     and conditions of the license they choose before applying it.
+     Licensors should also secure all rights necessary before
+     applying our licenses so that the public can reuse the
+     material as expected. Licensors should clearly mark any
+     material not subject to the license. This includes other CC-
+     licensed material, or material used under an exception or
+     limitation to copyright. More considerations for licensors:
+    wiki.creativecommons.org/Considerations_for_licensors
+
+     Considerations for the public: By using one of our public
+     licenses, a licensor grants the public permission to use the
+     licensed material under specified terms and conditions. If
+     the licensor's permission is not necessary for any reason--for
+     example, because of any applicable exception or limitation to
+     copyright--then that use is not regulated by the license. Our
+     licenses grant only permissions under copyright and certain
+     other rights that a licensor has authority to grant. Use of
+     the licensed material may still be restricted for other
+     reasons, including because others have copyright or other
+     rights in the material. A licensor may make special requests,
+     such as asking that all changes be marked or described.
+     Although not required by our licenses, you are encouraged to
+     respect those requests where reasonable. More considerations
+     for the public:
+    wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution-ShareAlike 4.0 International Public
+License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-ShareAlike 4.0 International Public License ("Public
+License"). To the extent this Public License may be interpreted as a
+contract, You are granted the Licensed Rights in consideration of Your
+acceptance of these terms and conditions, and the Licensor grants You
+such rights in consideration of benefits the Licensor receives from
+making the Licensed Material available under these terms and
+conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. BY-SA Compatible License means a license listed at
+     creativecommons.org/compatiblelicenses, approved by Creative
+     Commons as essentially the equivalent of this Public License.
+
+  d. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  e. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  f. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  g. License Elements means the license attributes listed in the name
+     of a Creative Commons Public License. The License Elements of this
+     Public License are Attribution and ShareAlike.
+
+  h. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  i. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  j. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  k. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  l. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  m. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part; and
+
+            b. produce, reproduce, and Share Adapted Material.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. Additional offer from the Licensor -- Adapted Material.
+               Every recipient of Adapted Material from You
+               automatically receives an offer from the Licensor to
+               exercise the Licensed Rights in the Adapted Material
+               under the conditions of the Adapter's License You apply.
+
+            c. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+  b. ShareAlike.
+
+     In addition to the conditions in Section 3(a), if You Share
+     Adapted Material You produce, the following conditions also apply.
+
+       1. The Adapter's License You apply must be a Creative Commons
+          license with the same License Elements, this version or
+          later, or a BY-SA Compatible License.
+
+       2. You must include the text of, or the URI or hyperlink to, the
+          Adapter's License You apply. You may satisfy this condition
+          in any reasonable manner based on the medium, means, and
+          context in which You Share Adapted Material.
+
+       3. You may not offer or impose any additional or different terms
+          or conditions on, or apply any Effective Technological
+          Measures to, Adapted Material that restrict exercise of the
+          rights granted under the Adapter's License You apply.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material,
+
+     including for purposes of Section 3(b); and
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public
+licenses. Notwithstanding, Creative Commons may elect to apply one of
+its public licenses to material it publishes and in those instances
+will be considered the “Licensor.” The text of the Creative Commons
+public licenses is dedicated to the public domain under the CC0 Public
+Domain Dedication. Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
+

MITM-Domain-Fronting/README.md

@@ -0,0 +1,15 @@
+# MITM 域前置
+
+ray 很久很久就支持 MITM, 这个功能一直被雪藏，所以还是决定对代码小修改之后放出模板。
+
+这是个仅客户端模板，作用是对请求进行 MITM 解密 TLS 后重新以假 SNI 发出 TLS 请求，达到强行域前置的目的。这只是一个演示其作用机制的模板，它的作用也不止于此，你单纯用来进行 TLS 卸载供后续程序处理或者把明文数据加密进 TLS 隧道什么的也是一种用法。
+
+使用前请确保你足够了解 TLS 和 HTTPS 协议.(至少需要知道 SNI 和 alpn 的工作机制)
+
+这里的接入方法选择了手动使用 socks5 代理，实际上 socks5 代理只是个把请求劫持到本地任意门入站的方法，实际上你可以用 hosts 或者任何方法把请求劫持到 tag 为 tls-decrypt 的那个入站，都可以满足需求。
+
+**请仔细阅读我留下的每一行注释**，有助于你理解工作原理和正确部署。
+
+这个东西能工作的前提是该网站**接受域前置或无 SNI 请求，且有 IP 没有被墙**，你可能需要靠扫描或者社区收集寻找这样可用的 SNI 和 IP 集。
+
+演示网站我选择了 e-hentai, 主要因为它的前端结构比较简单，只要处理了这个域名别的资源都可以正常加载，其他网站可能还需要处理一些资源域名。

MITM-Domain-Fronting/config.jsonc

@@ -0,0 +1,133 @@
+{
+    "log": {
+        "loglevel": "debug"
+    },
+    "inbounds": [
+        // 请求在该入站中被解密
+        {
+            "port": 4431,
+            "listen": "127.0.0.1",
+            "tag": "tls-decrypt",
+            "protocol": "dokodemo-door",
+            "settings": {
+                "network": "tcp",
+                // 从 TLS 的 SNI 中读出目标地址并应用至请求，用于后续路由
+                "followRedirect": true
+            },
+            "streamSettings": {
+                "security": "tls",
+                "tlsSettings": {
+                    // 根据实际情况填写，这里适合绝大多数情况，如果你的网站仅支持 http/1.1, 就只保留 http/1.1
+                    // ps: 如果你选择了 http/1.1 那么你甚至可以用后续的路由模块屏蔽部分路径
+                    "alpn": [
+                        "h2",
+                        "http/1.1"
+                    ],
+                    "certificates": [
+                        {
+                            "usage": "issue",
+                            "buildChain": "true",
+                            // 下面的证书和私钥使用 xray tls cert -ca 命令生成，或者你的自签名证书也行
+                            // 这会生成一个 CA 证书，每个新的要被 MITM 网站请求都会单独用这个 CA 签发一张临时证书
+                            // 所以你只需要在系统信任这一张证书就可以了，或者你可以忍得了浏览器的红标无视风险继续访问也行
+                            "certificate": [],
+                            "key": []
+                        }
+                    ]
+                }
+            }
+        },
+        // 真正用到的入站
+        {
+            "port": 10801,
+            "listen": "127.0.0.1",
+            "tag": "socks-in",
+            "protocol": "socks",
+            "sniffing": {
+                // 一般情况得开
+                "enabled": true,
+                "destOverride": [
+                    "http",
+                    "tls"
+                ]
+            }
+        }
+    ],
+    "outbounds": [
+        // 请求在该出站被强行重定向到 tls-decrypt 进行解密
+        {
+            "tag": "redirect-out",
+            "protocol": "freedom",
+            "settings": {
+                "redirect": "127.0.0.1:4431"
+            }
+        },
+        // 明文请求在这里被重新加密为正常 HTTPS 请求
+        {
+            "tag": "tls-repack",
+            "protocol": "freedom",
+            "settings": {
+                // 你要连接到的服务器的最终IP以及端口，大多数情况下需要手动寻找这样允许域前置的IP
+                "redirect": "104.20.19.168:443"
+            },
+            "streamSettings": {
+                "security": "tls",
+                "tlsSettings": {
+                    // fromMitm 会在客户端发送仅有 alpn http/1.1(大多数时候是wss) 的情况下使用同样的alpn, 需要 v25.2.21+
+                    // 旧版本没这个选项别直接把这玩意发出去了，从上面的alpn选项复制下来(当然更新版本最好)
+                    "alpn": [
+                        "fromMitm"
+                    ],
+                    // 你要发送的假 SNI, 根据你的网站接受的 SNI 而定
+                    // 当然你也可以留空或者我这样乱填个ip, 这样就不会有任何 SNI 扩展被发送，前提是你的网站接受无 SNI 请求
+                    "serverName": "11.45.1.4",
+                    // 你期望服务端返回证书里的包含的域名，需要 v25.2.21+
+                    // 如果是旧版本只能考虑开允许不安全，然后可以考虑文档中其他校验证书的方法进行验证
+                    "verifyPeerCertInNames": [
+                        "e-hentai.org",
+                        // 特殊选项，尝试按从 dokodemo-door 入站进来的 SNI 对远端证书进行验证（或取自内置 DNS 的 DoH h2c hostname）
+                        "fromMitm"
+                    ]
+                }
+            }
+        },
+        // 无辜流量直接放行
+        {
+            "tag": "direct",
+            "protocol": "freedom"
+        }
+    ],
+    "routing": {
+        "domainStrategy": "AsIs",
+        "rules": [
+            {
+                "inboundTag": [
+                    "tls-decrypt"
+                ],
+                // tls-repark 中定义了一些参数(比如IP和SNI), 不同的网站可能需要不同的参数
+                // 要支持更多的网站，可以新建更多的此类 freedom 出站，然后在这里把不同的明文请求按需求路由到不同的出站重新打包回 HTTPS
+                // 这里的域名来源就是 tls-decrypt 入站的 followRedirect, 所以一个本地端口就可以接受任何网站的请求并在核心中这样区分开
+                "domain": [
+                    "e-hentai.org"
+                ],
+                "outboundTag": "tls-repack"
+            },
+            {
+                "inboundTag": [
+                    "socks-in"
+                ],
+                // 你要 mitm 的网址
+                "domain": [
+                    "e-hentai.org"
+                ],
+                "outboundTag": "redirect-out"
+            },
+            {
+                "inboundTag": [
+                    "socks-in"
+                ],
+                "outboundTag": "direct"
+            }
+        ]
+    }
+}

README.md

@@ -1,3 +1,3 @@
 # Xray-examples
 
-Forked from [v2ray-examples](https://github.com/v2fly/v2ray-examples)
+Some examples of uses for [Xray-core](https://github.com/XTLS/Xray-core)

ReverseProxy/VLESS-TCP-XTLS-WS/client_tcp.jsonc

@@ -41,7 +41,7 @@
             "users": [
               {
                 "id": "", // 填写你的 UUID
-                "flow": "xtls-rprx-direct",
+                "flow": "xtls-rprx-vision",
                 "encryption": "none",
                 "level": 0
               }
@@ -51,8 +51,8 @@
       },
       "streamSettings": {
         "network": "tcp",
-        "security": "xtls",
-        "xtlsSettings": {
+        "security": "tls",
+        "tlsSettings": {
           "serverName": "reverse.example" // 换成你的域名
         }
       }

ReverseProxy/VLESS-TCP-XTLS-WS/portal.jsonc

@@ -19,7 +19,7 @@
         "clients": [
           {
             "id": "", //填写你的 UUID
-            "flow": "xtls-rprx-direct",
+            "flow": "xtls-rprx-vsion",
             "level": 0,
             "email": "@external"
           }
@@ -43,8 +43,8 @@
       },
       "streamSettings": {
         "network": "tcp",
-        "security": "xtls",
-        "xtlsSettings": {
+        "security": "tls",
+        "tlsSettings": {
           "alpn": [
             "http/1.1"
           ],

Serverless-for-Iran/README.md

@@ -0,0 +1,48 @@
+# Access almost all websites & services directly, for every person in Iran
+
+**Configs here can not contain "bypassing sanctions" contents (inappropriate on US GitHub)**
+
+**Please join the official Xray Iranian group https://t.me/projectXhttp to get the whole working configs**
+
+# Serverless for Iran
+
+Bypass censorship using TCP/TLS fragment and UDP noises.
+
+It doesn't change your local IP, so it is not suitable for anonymity.
+
+# Serverless with MitM-Domain-Fronting for Iran (Xray-core v25.9.5+)
+
+Same as "Serverless for Iran" but use "DoH h2c + domain fronting" for DNS and MitM for these services that support domain fronting:
+* YouTube
+* X
+* Reddit
+* Meta (Facebook, Instagram, ...)
+
+(This list will be updated)
+
+**Requires a self-signed-certificate: You can create it using "./xray tls cert -ca -file=mycert" command.**
+
+**Also, the certificate must be imported into "Trusted-Root-Certification-Authorities" of system/browser.**
+
+## How to import the certificate into the system/browser:
+
+**Windows**:
+  
+  * System:
+    
+    Right click on the certificate -> Install certificate -> Local machine -> Place all certificates in the following store -> Select "Trusted Root Certification Authorities"
+    
+  * Browser(Chrome):
+    
+    Settings -> Privacy and security -> Security -> Manage certificates -> Manage imported certificates from Windows -> Trusted Root Certification Authorities -> Import -> Select the certificate file -> Place all certificates in the following store -> Select "Trusted Root Certification Authorities"
+
+**Android**:
+
+  * Chromium based browsers and Apps that support user-certificates:
+
+    Setting -> Security and privacy -> More security settings -> Install from device storage -> CA Certificate -> Install anyway -> Select the Certificate file on your storage.
+
+  * Firefox:
+
+    Run the firefox browser -> Settings -> About Firefox -> Tap the Firefox logo five times -> Navigate to Settings -> Secret Settings -> Toggle "Use third party CA certificates"
+

Serverless-for-Iran/serverless_for_Iran.jsonc

@@ -0,0 +1,272 @@
+// Configs here can not contain "bypassing sanctions" contents (inappropriate on US GitHub)
+// Please join the official Xray Iranian group https://t.me/projectXhttp to get the whole working configs
+
+
+{
+  "remarks": "Serverless",
+
+  "version": {
+    "min": "25.9.5"
+  },
+
+  "log": {
+    "loglevel": "warning", "dnsLog": false, "access": "none"
+  },
+
+  "policy": {
+    "levels": {
+      "0": {
+        "uplinkOnly": 0,
+        "downlinkOnly": 0
+      }
+    }
+  },
+
+  "dns":{
+    "hosts": {
+      "geosite:category-ads-all": "#3",
+      "one.one.one.one": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"],
+      "cloudflare-dns.com": "www.cloudflare.com"
+    },
+    "servers": [
+      {
+        "address": "fakedns",
+        "domains": ["domain:ir", "geosite:private", "geosite:category-ir", "full:www.cloudflare.com"],
+        "finalQuery": true
+      },
+      {
+        "tag": "no-filter-dns",
+        "address": "https://cloudflare-dns.com/dns-query",
+        "timeoutMs": 5000,
+        "finalQuery": true
+      },
+      {
+        "address": "localhost",
+        "domains": ["domain:ir", "geosite:private", "geosite:category-ir", "full:www.cloudflare.com"],
+        "finalQuery": true
+      }
+    ],
+    "queryStrategy": "UseSystem",
+    "useSystemHosts": true
+  },
+
+  "inbounds": [
+    {
+      "tag": "dns-in",
+      "listen": "127.0.0.1",
+      "port": 10853,
+      "protocol": "tunnel",
+      "settings": {
+        "address": "one.one.one.one",
+        "port": 53,
+        "network": "tcp,udp"
+      },
+      "streamSettings": {
+        "sockopt": {
+          "tcpKeepAliveInterval": 1,
+          "tcpKeepAliveIdle": 46
+        }
+      }
+    },
+    {
+      "tag": "socks-in",
+      "listen": "127.0.0.1",
+      "port": 10808,
+      "protocol": "mixed",
+      "sniffing": {
+        "enabled": true,
+        "destOverride": ["fakedns"],
+        "routeOnly": false
+      },
+      "settings": {
+        "udp": true,
+        "ip": "127.0.0.1"
+      },
+      "streamSettings": {
+        "sockopt": {
+          "tcpKeepAliveInterval": 1,
+          "tcpKeepAliveIdle": 46
+        }
+      }
+    }
+  ],
+
+  "outbounds": [
+    {
+      "tag": "block-out",
+      "protocol": "block"
+    },
+    {
+      "tag": "direct-out",
+      "protocol": "direct",
+      "streamSettings": {
+        "sockopt": {
+          "domainStrategy": "ForceIP",
+          "happyEyeballs": {
+            "tryDelayMs": 100,
+            "prioritizeIPv6": true,
+            "interleave": 2,
+            "maxConcurrentTry": 16
+          }
+        }
+      }
+    },
+    {
+      "tag": "dns-out",
+      "protocol": "dns",
+      "settings": {"nonIPQuery": "skip", "network": "tcp", "address": "one.one.one.one", "port": 53},
+      "streamSettings": {
+        "sockopt": {
+          "dialerProxy": "full-fragment"
+        }
+      }
+    },
+    {
+      "tag": "skip-fragment",
+      "protocol": "direct",
+      "settings": {
+        "fragment": {
+          "packets": "1-1",
+          "length": "130",
+          "interval": "190",
+          "maxSplit": "4"
+        }
+      },
+      "streamSettings": {
+        "sockopt": {
+          "dialerProxy": "_chain-skip"
+        }
+      }
+    },
+    {
+      "tag": "_chain-skip",
+      "protocol": "direct",
+      "settings": {
+        "fragment": {
+          "packets": "2-4",
+          "length": "1",
+          "interval": "1",
+          "maxSplit": "130"
+        }
+      },
+      "streamSettings": {
+        "sockopt": {
+          "domainStrategy": "ForceIP",
+          "happyEyeballs": {
+            "tryDelayMs": 300,
+            "prioritizeIPv6": true,
+            "interleave": 2,
+            "maxConcurrentTry": 16
+          }
+        }
+      }
+    },
+    {
+      "tag": "full-fragment",
+      "protocol": "direct",
+      "settings": {
+        "fragment": {
+          "packets": "1-1",
+          "length": "1",
+          "interval": "1",
+          "maxSplit": "517"
+        }
+      },
+      "streamSettings": {
+        "sockopt": {
+          "domainStrategy": "ForceIP",
+          "happyEyeballs": {
+            "tryDelayMs": 300,
+            "prioritizeIPv6": true,
+            "interleave": 2,
+            "maxConcurrentTry": 16
+          }
+        }
+      }
+    },
+    {
+      "tag": "udp-noises",
+      "protocol": "direct",
+      "settings": {
+        "targetStrategy": "ForceIP", // or "ForceIPv6v4" to prefer IPv6
+        "noises": [
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"}, {"type": "rand", "packet": "1250", "delay": "10", "applyTo": "ipv4"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"},
+          {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}, {"type": "rand", "packet": "1230", "delay": "10", "applyTo": "ipv6"}
+        ]
+      }
+    }
+  ],
+
+  "routing": {
+    "domainStrategy": "IPOnDemand",
+    "rules": [
+      {"outboundTag": "block-out",
+        "domain": ["geosite:category-ads-all"]
+      },
+      {"outboundTag": "dns-out",
+        "inboundTag": ["dns-in"]
+      },
+      {"outboundTag": "dns-out",
+        "inboundTag": ["socks-in"], "port": 53
+      },
+      {"outboundTag": "full-fragment", // or "skip-fragment"
+        "inboundTag": ["no-filter-dns"]
+      },
+      {"outboundTag": "block-out",
+        "ip": ["0.0.0.0", "::"]
+      },
+      {"outboundTag": "direct-out",
+        "domain": ["domain:ir", "geosite:private", "geosite:category-ir"]
+      },
+      {"outboundTag": "direct-out",
+        "ip": ["geoip:private", "geoip:ir"]
+      },
+      {"outboundTag": "udp-noises",
+        "network": "udp", "protocol": ["quic"]
+      },
+      {"outboundTag": "udp-noises",
+        "network": "udp", "port": "443,2053,2083,2087,2096,8443"
+      },
+      {"outboundTag": "direct-out",
+        "network": "udp"
+      },
+      {"outboundTag": "full-fragment", // or "skip-fragment"
+        "network": "tcp", "protocol": ["tls"]
+      },
+      {"outboundTag": "full-fragment", // or "skip-fragment"
+        "network": "tcp", "port": "443,2053,2083,2087,2096,8443"
+      },
+      {"outboundTag": "full-fragment",
+        "network": "tcp", "protocol": ["http"]
+      },
+      {"outboundTag": "full-fragment",
+        "network": "tcp", "port": "80,8080,8880,2052,2082,2086,2095"
+      },
+      {"outboundTag": "full-fragment",
+        "network": "tcp"
+      }
+    ]
+  }
+}

Serverless-for-Iran/serverless_with_mitm_for_Iran.jsonc

@@ -0,0 +1,347 @@
+// Configs here can not contain "bypassing sanctions" contents (inappropriate on US GitHub)
+// Please join the official Xray Iranian group https://t.me/projectXhttp to get the whole working configs
+
+// Serverless with MitM-Domain-Fronting for Iran v4
+// Xray-core v25.2.21+
+
+// Requires a self-signed-certificate: You can create it using "./xray tls cert -ca -file=mycert" command.
+// Also, the certificate must be imported into "Trusted-Root-Certification-Authorities" of system/browser.
+
+
+{
+  "log": {
+    "loglevel": "warning", "dnsLog": false, "access": "none"
+  },
+
+  "dns":{
+    "hosts": {
+      "geosite:category-ads-all": ["10.10.34.36", "2001:4188:2:600:10:10:34:36"]
+    },
+    "servers": [
+      "h2c://1.1.1.1/dns-query",
+      {"address": "localhost", "domains": ["geosite:private", "geosite:category-ir"]}
+    ],
+    "tag": "dns-query",
+    "disableFallback": true
+  },
+  
+  "inbounds": [
+    {
+      "tag": "dns-in",
+      "port": 10853,
+      "protocol": "dokodemo-door",
+      "settings": {
+        "address": "1.1.1.1",
+        "port": 53,
+        "network": "tcp,udp"        
+      }      
+    },
+    {
+      "tag": "socks-in",
+      "port": 10808,
+      "protocol": "socks",
+      "sniffing": {
+        "enabled": true,
+        "destOverride": ["http", "tls"],
+        "routeOnly": false
+      },
+      "settings": {"udp": true}
+    },
+    {
+      "port": 4431,
+      "tag": "tls-decrypt-h11",
+      "protocol": "dokodemo-door",
+      "settings": {
+        "network": "tcp",
+        "port": 443,
+        "followRedirect": true
+      },
+      "streamSettings": {
+        "security": "tls",
+        "tlsSettings": {
+          "alpn": ["http/1.1"],
+          "certificates": [
+            {
+              "usage": "issue",
+              "certificateFile": "mycert.crt",  // certificate path
+              "keyFile": "mycert.key"  // private-key path
+            }
+          ]
+        }
+      }
+    },
+    {
+      "port": 4432,
+      "tag": "tls-decrypt-h211",
+      "protocol": "dokodemo-door",
+      "settings": {
+        "network": "tcp",
+        "port": 443,
+        "followRedirect": true
+      },
+      "streamSettings": {
+        "security": "tls",
+        "tlsSettings": {
+          "alpn": ["h2","http/1.1"],
+          "certificates": [
+            {
+              "usage": "issue",
+              "certificateFile": "mycert.crt",  // certificate path
+              "keyFile": "mycert.key"  // private-key path
+            }
+          ]
+        }
+      }
+    }
+  ],
+
+  "outbounds": [    
+    {
+      "tag": "block",
+      "protocol": "blackhole"      
+    },
+    {
+      "tag": "direct",
+      "protocol": "freedom",      
+      "settings": {"domainStrategy": "ForceIP"}
+    },
+    {
+      "tag": "redirect-out-h11",
+      "protocol": "freedom",
+      "settings": {
+        "redirect": "127.0.0.1:4431"
+      }
+    },
+    {
+      "tag": "redirect-out-h211",
+      "protocol": "freedom",
+      "settings": {
+        "redirect": "127.0.0.1:4432"
+      }
+    },
+    {
+      "tag": "tls-repack-dns",
+      "protocol": "freedom",      
+      "settings": {"domainStrategy": "ForceIP"},
+      "streamSettings": {      
+        "security": "tls",
+        "tlsSettings": {
+          "serverName": "www.microsoft.com",
+          "verifyPeerCertInNames": ["fromMitM", "www.microsoft.com"],
+          "alpn": ["fromMitM"],
+          "fingerprint": "chrome"
+        }
+      }              
+    },
+    {
+      "tag": "tls-repack-google",
+      "protocol": "freedom",      
+      "settings": {"domainStrategy": "ForceIP"},
+      "streamSettings": {      
+        "security": "tls",
+        "tlsSettings": {
+          "serverName": "www.google.com",
+          "verifyPeerCertInNames": ["fromMitM", "www.google.com", "dns.google", "www.googlevideo.com", "www.youtube.com"],
+          "alpn": ["fromMitM"],
+          "fingerprint": "chrome"
+        }
+      }              
+    },
+    {
+      "tag": "tls-repack-meta",
+      "protocol": "freedom",      
+      "settings": {"domainStrategy": "ForceIP"},
+      "streamSettings": {      
+        "security": "tls",
+        "tlsSettings": {
+          "serverName": "www.whatsapp.com",
+          "verifyPeerCertInNames": ["fromMitM", "www.whatsapp.com", "www.facebook.com", "www.ar.meta.com", "www.fb.com", "www.whatsapp.net", "www.atlassolutions.com", "www.secure.facebook.com", "www.extern.facebook.com", "www.internet.org", "www.oculus.com", "www.wit.ai", "www.facebook-dns.com", "www.instagram.com", "www.meta.com", "www.external-disputes.meta.com", "www.fbe2e.com", "www.cloud.x2p.facebook.net", "www.secure.latest.facebook.com"],
+          "alpn": ["fromMitM"],
+          "fingerprint": "chrome"
+        }
+      }              
+    },
+    {
+      "tag": "tls-repack-fastly",
+      "protocol": "freedom",      
+      "settings": {"domainStrategy": "ForceIP"},
+      "streamSettings": {      
+        "security": "tls",
+        "tlsSettings": {
+          "serverName": "www.fastly.com",
+          "verifyPeerCertInNames": ["fromMitM", "www.fastly.com", "www.reddit.com", "x.com"],
+          "alpn": ["fromMitM"],
+          "fingerprint": "chrome"
+        }
+      }              
+    },    
+    {
+      "tag": "dns-out",
+      "protocol": "dns",      
+      "settings": {"nonIPQuery": "skip", "network": "tcp", "address": "1.1.1.1", "port": 53},
+      "streamSettings": {
+        "sockopt": {
+          "dialerProxy": "chain1-fragment"
+        }
+      }
+    },
+    {
+      "tag": "super-fragment",
+      "protocol": "freedom",
+      "settings": {
+        "fragment": {
+          "packets": "tlshello",
+          "length": "6",
+          "interval": "0"
+        }
+      },
+      "streamSettings": {
+        "sockopt": {
+          "dialerProxy": "chain1-fragment"
+        }
+      }            
+    },
+    {
+      "tag": "chain1-fragment",
+      "protocol": "freedom",
+      "settings": {
+        "fragment": {
+          "packets": "1-3",
+          "length": "517",
+          "interval": "1"
+        }
+      },
+      "streamSettings": {
+        "sockopt": {
+          "dialerProxy": "chain2-fragment"
+        }
+      }            
+    },                          
+    {
+      "tag": "chain2-fragment",
+      "protocol": "freedom",
+      "settings": {
+        "domainStrategy": "ForceIP",
+        "fragment": {
+          "packets": "1-1",
+          "length": "1",
+          "interval": "2"
+        }
+      }
+    },
+    {
+      "tag": "udp-noisesv4",
+      "protocol": "freedom",
+      "settings": {
+        "domainStrategy": "ForceIPv4",
+        "noises": [
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"},
+          {"type": "rand", "packet": "1250", "delay": "10"}, {"type": "rand", "packet": "1250", "delay": "10"}
+        ]
+      }            
+    },
+    {
+      "tag": "udp-noisesv6",
+      "protocol": "freedom",
+      "settings": {
+        "domainStrategy": "ForceIPv6",
+        "noises": [
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"},
+          {"type": "rand", "packet": "1230", "delay": "10"}, {"type": "rand", "packet": "1230", "delay": "10"}
+        ]
+      }            
+    }          
+  ],
+
+  "routing": {
+    "domainStrategy": "IPOnDemand",
+    "rules": [                  
+      {"outboundTag": "dns-out",
+       "inboundTag": ["dns-in"]
+      },
+      {"outboundTag": "dns-out",
+       "inboundTag": ["socks-in"], "port": 53
+      },
+      {"outboundTag": "tls-repack-dns",
+       "inboundTag": ["dns-query"]
+      },
+      {"outboundTag": "block",
+       "domain": ["geosite:category-ads-all"]
+      },
+      {"outboundTag": "block",
+       "ip": ["10.10.34.0/24", "2001:4188:2:600:10:10:34:36", "2001:4188:2:600:10:10:34:35", "2001:4188:2:600:10:10:34:34"]
+      },           
+      {"outboundTag": "direct",
+       "domain": ["geosite:private", "geosite:category-ir"]
+      },      
+      {"outboundTag": "direct",
+       "ip": ["geoip:private", "geoip:ir"]
+      },
+      {"outboundTag": "chain1-fragment",  // or "super-fragment"
+       "inboundTag": ["socks-in"],
+       "network": "tcp",
+       "ip": ["geoip:cloudflare", "geoip:cloudfront"]
+      },
+      {
+        "outboundTag": "redirect-out-h11",
+        "inboundTag": ["socks-in"],
+        "network": "tcp",
+        "protocol": ["tls"],
+        "port": 443,
+        "domain": ["domain:googlevideo.com"]
+      },
+      {
+        "outboundTag": "redirect-out-h211",
+        "inboundTag": ["socks-in"],
+        "network": "tcp",
+        "protocol": ["tls"],
+        "port": 443,
+        "domain": ["geosite:youtube", "geosite:x", "geosite:reddit", "geosite:meta"]       
+      },
+      {"outboundTag": "tls-repack-google",
+       "domain": ["geosite:youtube", "domain:googlevideo.com"],
+       "inboundTag": ["tls-decrypt-h11", "tls-decrypt-h211"]
+      },
+      {"outboundTag": "tls-repack-meta",
+       "domain": ["geosite:meta"],
+       "inboundTag": ["tls-decrypt-h11", "tls-decrypt-h211"]
+      },
+      {"outboundTag": "tls-repack-fastly",
+       "domain": ["geosite:x", "geosite:reddit"],
+       "inboundTag": ["tls-decrypt-h11", "tls-decrypt-h211"]
+      },                                                         	                                                        
+      {"outboundTag": "udp-noisesv4",
+       "network": "udp", "ip": ["0.0.0.0/0"], "port": 443
+      },
+      {"outboundTag": "udp-noisesv6",
+       "network": "udp", "ip": ["::/0"], "port": 443
+      },
+      {"outboundTag": "direct",
+       "network": "udp"
+      },
+      {"outboundTag": "chain1-fragment",  // or "super-fragment"
+       "network": "tcp"
+      }
+    ]
+  }
+}

Trojan-TCP-XTLS/config_client.jsonc

@@ -30,7 +30,7 @@
                 "servers": [
                     {
                         "address": "example.com",  // your domain name or server IP
-                        "flow": "xtls-rprx-direct",  // Linux or android can be changed to "xtls-rprx-splice"
+                        "flow": "xtls-rprx-vision",  // Linux or android can be changed to "xtls-rprx-splice"
                         "port": 443,
                         "password": "your_password"  // your password
                     }
@@ -38,8 +38,8 @@
             },
             "streamSettings": {
                 "network": "tcp",
-                "security": "xtls",
-                "xtlsSettings": {
+                "security": "tls",
+                "tlsSettings": {
                     "serverName": "example.com"  // your domain name
                 }
             }

Trojan-TCP-XTLS/config_server.jsonc

@@ -10,7 +10,7 @@
                 "clients": [
                     {
                         "password":"your_password",  // password
-                        "flow": "xtls-rprx-direct"
+                        "flow": "xtls-rprx-vison"
                     }
                 ],
                 "fallbacks": [
@@ -27,8 +27,8 @@
             },
             "streamSettings": {
                 "network": "tcp",
-                "security": "xtls",
-                "xtlsSettings": {
+                "security": "tls",
+                "tlsSettings": {
                     "alpn": [
                         "http/1.1",
                         "h2"

Trojan-gRPC-Caddy2／Nginx/README.ENG.md

@@ -5,8 +5,8 @@ Xray client <--- gRPC(TLS) ---> Caddy2 <--- gRPC(cleartext) ---> Xray server
 At the same time, you can also choose to use Nginx. A sample configuration snippet is as follows (partially from [@xqzr](https://github.com/xqzr)):
 ```conf
 server {
-listen 443 ssl http2 so_keepalive=on;
-         listen [::]:443 ssl http2 so_keepalive=on;
+listen 443 ssl http2;
+         listen [::]:443 ssl http2;
 server_name example.com;
 
 index index.html;
@@ -17,8 +17,8 @@ ssl_certificate_key /path/to/example.key;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE -RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 
-client_header_timeout 52w;
-         keepalive_timeout 52w;
+client_header_timeout 1w;
+keepalive_timeout 30m;
 # Fill in /your ServiceName after location
 location /your ServiceName {
 if ($content_type !~ "application/grpc") {
@@ -27,8 +27,9 @@ return 404;
 client_max_body_size 0;
 client_body_buffer_size 512k;
 grpc_set_header X-Real-IP $remote_addr;
-client_body_timeout 52w;
-grpc_read_timeout 52w;
+client_body_timeout 1w;
+grpc_read_timeout 1w;
+grpc_send_timeout 1w;
 grpc_pass unix:/dev/shm/Xray-Trojan-gRPC.socket;
 }
 }

Trojan-gRPC-Caddy2／Nginx/README.md

@@ -7,8 +7,8 @@ Xray client <--- gRPC(TLS) ---> Caddy2 <--- gRPC(cleartext) ---> Xray server
 同时，您也可以选择使用 Nginx。示例配置片段如下（部分来自 [@xqzr](https://github.com/xqzr)）：
 ```conf
 server {
-	listen 443 ssl http2 so_keepalive=on;
-        listen [::]:443 ssl http2 so_keepalive=on;
+	listen 443 ssl http2;
+        listen [::]:443 ssl http2;
 	server_name example.com;
 
 	index index.html;
@@ -19,18 +19,19 @@ server {
 	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 	
-	client_header_timeout 52w;
-        keepalive_timeout 52w;
+	client_header_timeout 1w;
+        keepalive_timeout 30m;
 	# 在 location 后填写 /你的 ServiceName
 	location /你的 ServiceName {
-		if ($content_type !~ "application/grpc") {
+		if ($content_type !~ "^application/grpc") {
 			return 404;
 		}
 		client_max_body_size 0;
 		client_body_buffer_size 512k;
 		grpc_set_header X-Real-IP $remote_addr;
-		client_body_timeout 52w;
-		grpc_read_timeout 52w;
+		client_body_timeout 1w;
+		grpc_read_timeout 1w;
+		grpc_send_timeout 1w;
 		grpc_pass unix:/dev/shm/Xray-Trojan-gRPC.socket;
 	}
 }

VLESS-GRPC/Caddyfile

@@ -4,6 +4,7 @@ xx.com {
 		path /ServiceName/* # 修改为你自己的 ServiceName，且仅能存在两个斜杠。（如：/MyService/ServiceName/*会导致错误）
 	}
 	reverse_proxy @grpc unix//dev/shm/Xray-VLESS-gRPC.socket {
+		flush_interval -1
 		transport http {
 			versions h2c
 		}

VLESS-GRPC/README.md

@@ -7,8 +7,8 @@ Xray client <--- gRPC(TLS) ---> Caddy2 <--- gRPC(cleartext) ---> Xray server
 同时，您也可以选择使用 Nginx。示例配置片段如下（部分来自 [@xqzr](https://github.com/xqzr)）：
 ```conf
 server {
-	listen 443 ssl http2 so_keepalive=on;
-	listen [::]:443 ssl http2 so_keepalive=on;
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
 	server_name example.com;
 
 	index index.html;
@@ -19,18 +19,19 @@ server {
 	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 	
-	client_header_timeout 52w;
-        keepalive_timeout 52w;
+	client_header_timeout 1w;
+        keepalive_timeout 30m;
 	# 在 location 后填写 /你的 ServiceName
 	location /你的 ServiceName {
-		if ($content_type !~ "application/grpc") {
+		if ($content_type !~ "^application/grpc") {
 			return 404;
 		}
 		client_max_body_size 0;
 		client_body_buffer_size 512k;
 		grpc_set_header X-Real-IP $remote_addr;
-		client_body_timeout 52w;
-		grpc_read_timeout 52w;
+		client_body_timeout 1w;
+		grpc_read_timeout 1w;
+		grpc_send_timeout 1w;
 		grpc_pass unix:/dev/shm/Xray-VLESS-gRPC.socket;
 	}
 }

VLESS-HTTP-Caddy/README.md

@@ -0,0 +1,9 @@
+Xray 基于 HTTP/2 或 HTTP/3 的传输方式完整按照 HTTP 标准实现，可以通过其它的 HTTP 服务器（如 Caddy）进行中转。
+
+Caddy 使用 reverse_proxy 模块，一般使用 path 分流，主路径伪装为网站，中间人无法探测到 Xray-core（请使用复杂 path）。
+
+Caddy 默认开启 UDP 同端口的 HTTP/3 服务器，目前支持三种中转方式
+
+- HTTP/2
+- HTTP/3 解密后重新加密
+- HTTP/3 转 H2C

VLESS-HTTP-Caddy/VLESS-H2C-Caddy/Caddyfile

@@ -1,6 +1,10 @@
 xx.com {
+    log {
+        level DEBUG
+    }
     root * /var/www
     file_server
+    tls CA.crt priv.key # 换成你的证书和私钥，绝对路径
     
     reverse_proxy /path 127.0.0.1:2001 {
         transport http {

VLESS-HTTP-Caddy/VLESS-H3-Caddy/Caddyfile

@@ -0,0 +1,17 @@
+xx.com {
+    log {
+        level DEBUG
+    }
+    root * /var/www
+    file_server
+    tls CA.crt priv.key # 换成你的证书和私钥，绝对路径
+    
+    reverse_proxy /path 127.0.0.1:2001 {
+        transport http {
+            tls
+            tls_client_auth CA.crt priv.key # 换成你的证书和私钥，绝对路径
+            tls_server_name xx.com
+            versions 3
+        }
+    }
+}

VLESS-HTTP-Caddy/VLESS-H3-Caddy/README.md

@@ -0,0 +1,7 @@
+# 原理图：
+Xray client <--- H3 ---> Caddy2 <--- H3 ---> Xray server
+
+注意：
+由于 H3 没有解密的明文传输标准 这种模式 Caddy 解密流量之后 会重新加密 会增加少许延迟和负载
+
+目前仅 Caddy2 的 v2.9.0-beta.2 版及以后完美支持 Xray 的 H3 入站。

VLESS-HTTP-Caddy/VLESS-H3-Caddy/client.jsonc

@@ -0,0 +1,73 @@
+{
+  "log":{},
+  "inbounds":[
+    {
+      "port":"1080",
+      "protocol":"socks",
+      "settings":{
+        "auth":"noauth",
+        "udp":true
+      }
+    },
+    {
+      "port":"1081",
+      "protocol":"http",
+      "settings":{}
+    }
+  ],
+  "outbounds":[
+    {
+      "protocol":"vless",
+      "settings":{
+        "vnext":[
+          {
+            "address":"xx.com",
+            "port":443,
+            "users":[
+              {
+                "id":"",
+                "encryption":"none"
+              }
+            ]
+          }
+        ]
+      },
+      "streamSettings":{
+        "network":"http",
+        "security":"tls",
+        "httpSettings":{
+          "host":[
+            "xx.com"
+          ],
+          "path":"/path"
+        }
+      },
+      "tlsSettings":{
+        "alpn":["h3"],
+        "serverName":"xx.com"
+      }
+    },
+    {
+      "tag":"direct",
+      "protocol":"freedom",
+      "settings":{}
+    },
+    {
+      "tag":"blocked",
+      "protocol":"blackhole",
+      "settings":{}
+    }
+  ],
+  "routing":{
+    "domainStrategy":"IPOnDemand",
+    "rules":[
+      {
+        "type":"field",
+        "ip":[
+          "geoip:private"
+        ],
+        "outboundTag":"direct"
+      }
+    ]
+  }
+}

VLESS-HTTP-Caddy/VLESS-H3-Caddy/server.jsonc

@@ -0,0 +1,66 @@
+{
+  "log": {
+    "loglevel": "warning"
+  },
+  "inbounds": [
+    {
+      "port": 2001,
+      "listen": "127.0.0.1",
+      "protocol": "vless",
+      "settings": {
+        "clients": [
+          {
+            "id": "",
+            "email": "love@example.com"
+          }
+        ],
+        "decryption": "none"
+      },
+      "streamSettings": {
+        "security": "tls",
+        "network": "http",
+        "httpSettings": {
+          "path": "/path",
+          "host": [
+            "xx.com"
+          ]
+        },
+        "tlsSettings": {
+          // "rejectUnknownSni": true,
+          "minVersion": "1.3",
+          "alpn": ["h3"],
+          "certificates": [
+              {
+                  "certificateFile": "CA.crt", // 换成你的证书，绝对路径
+                  "keyFile": "priv.key" // 换成你的私钥，绝对路径
+              }
+          ]
+        }
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "tag": "direct",
+      "protocol": "freedom",
+      "settings": {}
+    },
+    {
+      "tag": "blocked",
+      "protocol": "blackhole",
+      "settings": {}
+    }
+  ],
+  "routing": {
+    "domainStrategy": "AsIs",
+    "rules": [
+      {
+        "type": "field",
+        "ip": [
+          "geoip:private"
+        ],
+        "outboundTag": "blocked"
+      }
+    ]
+  }
+}

VLESS-HTTP-Caddy/VLESS-H3-To-H2C-Caddy/Caddyfile

@@ -0,0 +1,11 @@
+xx.com {
+    log {
+        level DEBUG
+    }
+    root * /var/www
+    file_server
+    tls CA.crt priv.key # 换成你的证书和私钥，绝对路径
+    
+    reverse_proxy /path h2c://127.0.0.1:2001 {
+    }
+}

VLESS-HTTP-Caddy/VLESS-H3-To-H2C-Caddy/README.md

@@ -0,0 +1,5 @@
+# 原理图：
+Xray client <--- H3 ---> Caddy2 <--- H2C ---> Xray server
+
+注意：
+目前仅 Caddy2 的 v2.9.0-beta.2 版及以后完美支持 H3 转换 H2C 对接 Xray 的 H2C 入站。

VLESS-HTTP-Caddy/VLESS-H3-To-H2C-Caddy/client.jsonc

@@ -0,0 +1,73 @@
+{
+  "log":{},
+  "inbounds":[
+    {
+      "port":"1080",
+      "protocol":"socks",
+      "settings":{
+        "auth":"noauth",
+        "udp":true
+      }
+    },
+    {
+      "port":"1081",
+      "protocol":"http",
+      "settings":{}
+    }
+  ],
+  "outbounds":[
+    {
+      "protocol":"vless",
+      "settings":{
+        "vnext":[
+          {
+            "address":"xx.com",
+            "port":443,
+            "users":[
+              {
+                "id":"",
+                "encryption":"none"
+              }
+            ]
+          }
+        ]
+      },
+      "streamSettings":{
+        "network":"http",
+        "security":"tls",
+        "httpSettings":{
+          "host":[
+            "xx.com"
+          ],
+          "path":"/path"
+        },
+        "tlsSettings":{
+          "alpn":["h3"],
+          "serverName":"xx.com"
+        }
+      }
+    },
+    {
+      "tag":"direct",
+      "protocol":"freedom",
+      "settings":{}
+    },
+    {
+      "tag":"blocked",
+      "protocol":"blackhole",
+      "settings":{}
+    }
+  ],
+  "routing":{
+    "domainStrategy":"IPOnDemand",
+    "rules":[
+      {
+        "type":"field",
+        "ip":[
+          "geoip:private"
+        ],
+        "outboundTag":"direct"
+      }
+    ]
+  }
+}

VLESS-HTTP-Caddy/VLESS-H3-To-H2C-Caddy/server.jsonc

@@ -0,0 +1,55 @@
+{
+  "log": {
+    "loglevel": "warning"
+  },
+  "inbounds": [
+    {
+      "port": 2001,
+      "listen": "127.0.0.1",
+      "protocol": "vless",
+      "settings": {
+        "clients": [
+          {
+            "id": "",
+            "email": "love@example.com"
+          }
+        ],
+        "decryption": "none"
+      },
+      "streamSettings": {
+        "security": "none",
+        "network": "http",
+        "httpSettings": {
+          "path": "/path",
+          "host": [
+            "xx.com"
+          ]
+        }
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "tag": "direct",
+      "protocol": "freedom",
+      "settings": {}
+    },
+    {
+      "tag": "blocked",
+      "protocol": "blackhole",
+      "settings": {}
+    }
+  ],
+  "routing": {
+    "domainStrategy": "AsIs",
+    "rules": [
+      {
+        "type": "field",
+        "ip": [
+          "geoip:private"
+        ],
+        "outboundTag": "blocked"
+      }
+    ]
+  }
+}

VLESS-TCP-REALITY (without being stolen)/README.md

@@ -0,0 +1,5 @@
+# 不会被偷跑流量的 REALITY
+
+一个老生常谈的问题，对于非法请求, reality都会无脑转发流量去dest，如果reality的dest指向一个cloudflare网站，那么相当于服务端变成了CF的端口转发，任何人扫过来都可以拿来嫖。
+
+目前的解决办法是不要使用这类的网站作为 dest, 懂一点的会告诉你用 nginx 的 stream 滤一遍 SNI 并丢掉非法请求，但是其实 Xray 本身就支持这种操作，这也是这个模板的原理

VLESS-TCP-REALITY (without being stolen)/config_client.jsonc

@@ -0,0 +1,56 @@
+// 直接从其他示例里 copy 过来的，客户端不需要任何特殊修改，要填的东西也一致
+{
+    "log": {
+        "loglevel": "debug"
+    },
+    "inbounds": [
+        {
+            "listen": "127.0.0.1", 
+            "port": 10808, 
+            "protocol": "socks",
+            "settings": {
+                "udp": true
+            },
+            "sniffing": {
+                "enabled": true,
+                "destOverride": [
+                    "http",
+                    "tls",
+                    "quic"
+                ],
+                "routeOnly": true
+            }
+        }
+    ],
+    "outbounds": [
+        {
+            "protocol": "vless",
+            "settings": {
+                "vnext": [
+                    {
+                        "address": "127.0.0.1", 
+                        "port": 443, 
+                        "users": [
+                            {
+                                "id": "", // Needs to match server side
+                                "encryption": "none"
+                            }
+                        ]
+                    }
+                ]
+            },
+            "streamSettings": {
+                "network": "tcp",
+                "security": "reality",
+                "realitySettings": {
+                    "fingerprint": "chrome", 
+                    "serverName": "speed.cloudflare.com",
+                    "publicKey": "",
+                    "spiderX": "",
+                    "shortId": ""
+                }
+            },
+            "tag": "proxy"
+        }
+    ]
+}

VLESS-TCP-REALITY (without being stolen)/config_server.jsonc

@@ -0,0 +1,93 @@
+{
+    "log": {
+        "loglevel": "debug"
+    },
+    "inbounds": [
+        {
+            "tag": "dokodemo-in",
+            "port": 443,
+            "protocol": "dokodemo-door",
+            "settings": {
+                "address": "127.0.0.1",
+                "port": 4431,  // 指向内网中的 reality 端口，示例是这个端口，如果要自己修改了记得这里和下面的 reality 入站都要修改
+                "network": "tcp"
+            },
+            "sniffing": { // 这里的 sniffing 不是多余的，别乱动
+                "enabled": true,
+                "destOverride": [
+                    "tls"
+                ],
+                "routeOnly": true
+            }
+        },
+        {
+            "listen": "127.0.0.1",
+            "port": 4431, // 见上 如果和其他服务冲突了可以换
+            "protocol": "vless",
+            "settings": {
+                "clients": [
+                    {
+                        "id": "" // uuid
+                    }
+                ],
+                "decryption": "none"
+            },
+            "streamSettings": {
+                "network": "tcp",
+                "security": "reality",
+                "realitySettings": {
+                    // 下方要求和普通 reality 一致，这里演示 dest 设置为 cloudflare 不被偷跑流量所以设置为 speed.cloudflare.com 了
+                    // 你可以设置为其他 CF 网站，如果你的 dest 不是这种网站你也不用点了进来不是吗
+                    "dest": "speed.cloudflare.com:443",
+                    "serverNames": [
+                        "speed.cloudflare.com"
+                    ],
+                    "privateKey": "", // 运行 `xray x25519` 生成
+                    "shortIds": [
+                        "",
+                        "0123456789abcdef"
+                    ]
+                }
+            },
+            "sniffing": {
+                "enabled": true,
+                "destOverride": [
+                    "http",
+                    "tls",
+                    "quic"
+                ],
+                "routeOnly": true
+            }
+        }
+    ],
+    "outbounds": [
+        {
+            "protocol": "freedom",
+            "tag": "direct"
+        },
+        {
+            "protocol": "blackhole",
+            "tag": "block"
+        }
+    ],
+    "routing": {
+        "rules": [
+            {
+                "inboundTag": [
+                    "dokodemo-in"
+                ],
+                // 重要，这个域名列表需要和 realitySettings 的 serverNames 保持一致
+                "domain": [
+                    "speed.cloudflare.com"
+                ],
+                "outboundTag": "direct"
+            },
+            {
+                "inboundTag": [
+                    "dokodemo-in"
+                ],
+                "outboundTag": "block"
+            }
+        ]
+    }
+}

VLESS-TCP-TLS-WS/README.ENG.md

@@ -1,5 +1,11 @@
 # VLESS over TCP with TLS + fallback & split to WebSocket (advanced configuration)
 
+## Caution
+
+**This configuration was tagged as recommended, however https://github.com/XTLS/Xray-core/issues/1750#issuecomment-1459469821 had mentioned its vulnerabilities and it should be tagged as <u>deprecated</u>.**
+
+## Original Content
+
 This is a superset of [Minimal Configuration](<../VLESS-TCP-TLS%20(minimal%20by%20rprx)>), using the powerful fallback and distribution features of VLESS, it realizes port 443 VLESS over TCP with TLS and Perfect coexistence of any WSS
 
 This configuration is for reference. You can replace VLESS on WS with any other protocol such as VMess, and set more PATHs and protocol coexistence.

VLESS-TCP-TLS-WS/README.md

@@ -1,4 +1,11 @@
 # VLESS over TCP with TLS + 回落 & 分流 to WebSocket（进阶配置）
+
+## 注意
+
+**这个配置过去被标记为推荐，然而 https://github.com/XTLS/Xray-core/issues/1750#issuecomment-1459469821 提到其安全缺陷，且它应当列为<u>已废弃</u>。**
+
+## 原文
+
 [ENGLISH](README.ENG.md)
 
 这里是 [最简配置](<../VLESS-TCP-TLS%20(minimal%20by%20rprx)>) 的超集，利用 VLESS 强大的回落分流特性，实现了 443 端口 VLESS over TCP with TLS 和任意 WSS 的完美共存

VLESS-TCP-XTLS-Vision-REALITY/config_client.jsonc

@@ -44,7 +44,7 @@
                 "security": "reality",
                 "realitySettings": {
                     "fingerprint": "chrome", 
-                    "serverName": "bluearchive.jp", // If your dest is `1.1.1.1:443`, then leave it empty
+                    "serverName": "", // A website that support TLS1.3 and h2. If your dest is `1.1.1.1:443`, then leave it empty
                     "publicKey": "", // run `xray x25519` to generate. Public and private keys need to be corresponding.
                     "spiderX": "", // If your dest is `1.1.1.1:443`, then you can fill it with `/dns-query/` or just leave it empty
                     "shortId": "" // Required

VLESS-TCP-XTLS-Vision-REALITY/config_server.jsonc

@@ -19,9 +19,9 @@
                 "network": "tcp",
                 "security": "reality",
                 "realitySettings": {
-                    "dest": "bluearchive.jp:443", // You can also use `1.1.1.1:443` as dest
+                    "dest": "", // A website that support TLS1.3 and h2. You can also use `1.1.1.1:443` as dest
                     "serverNames": [
-                        "bluearchive.jp"    // If you use `1.1.1.1:443` as dest, then you can leave `serverNames` empty, it is a possible ways to bypass Iran's internet speed restrictions.
+                        ""    // A server name in the cert of dest site. If you use `1.1.1.1:443` as dest, then you can leave `serverNames` empty, it is a possible ways to bypass Iran's internet speed restrictions.
                     ],
                     "privateKey": "", // run `xray x25519` to generate. Public and private keys need to be corresponding.
                     "shortIds": [// Required, list of shortIds available to clients, can be used to distinguish different clients

VLESS-TCP-XTLS-WHATEVER/README.ENG.md

@@ -1,18 +0,0 @@
-# VLESS over TCP with XTLS + fallback & split to WHATEVER (ultimate configuration)
-
-This is a superset of [Advanced Configuration](<../VLESS-TCP-TLS-WS%20(recommended)>), using the powerful fallback and shunt features of VLESS, it realizes as many protocols and configurations as possible on port 443. Perfect coexistence, including [XTLS Direct Mode](https://github.com/rprx/v2fly-github-io/blob/master/docs/config/protocols/vless.md#xtls-%E9%BB%91%E7%A7%91%E6%8A%80)
-
-The client can connect to the server through the following methods at the same time, and WS can pass through the CDN
-
-1. VLESS over TCP with XTLS, several times the performance, the preferred method
-2. VLESS over TCP with TLS
-3. VLESS over WS with TLS
-4. VMess over TCP with TLS, not recommended
-5. VMess over WS with TLS
-6. Trojan over TCP with TLS
-
----
-
-Here it is set to fall back to the Trojan protocol of Xray by default, and then continue to fall back to the web server on port 80 (it can also be replaced with a database, FTP, etc.)
-
-You can also configure fallback to Caddy's forwardproxy and other proxies that are also anti-detection, and shunt to any proxy that supports WebSocket, no problem

VLESS-TCP-XTLS-WHATEVER/README.md

@@ -1,20 +0,0 @@
-# VLESS over TCP with XTLS + 回落 & 分流 to WHATEVER（终极配置）
-
-[ENGLISH](README.ENG.md)
-
-这里是 [进阶配置](<../VLESS-TCP-TLS-WS%20(recommended)>) 的超集，利用 VLESS 强大的回落分流特性，实现了 443 端口尽可能多的协议、配置的完美共存，包括 [XTLS Direct Mode](https://github.com/rprx/v2fly-github-io/blob/master/docs/config/protocols/vless.md#xtls-%E9%BB%91%E7%A7%91%E6%8A%80)
-
-客户端可以同时通过下列方式连接到服务器，其中 WS 都可以通过 CDN
-
-1. VLESS over TCP with XTLS，数倍性能，首选方式
-2. VLESS over TCP with TLS
-3. VLESS over WS with TLS
-4. VMess over TCP with TLS，不推荐
-5. VMess over WS with TLS
-6. Trojan over TCP with TLS
-
----
-
-这里设置默认回落到 Xray 的 Trojan 协议，再继续回落到 80 端口的 Web 服务器（也可以换成数据库、FTP 等）
-
-你还可以配置回落到 Caddy 的 forwardproxy 等其它也防探测的代理，以及分流到任何支持 WebSocket 的代理，都没有问题

VLESS-TCP-XTLS-WHATEVER/config_client/trojan_tcp_tls.json

@@ -1,37 +0,0 @@
-{
-    "log": {
-        "loglevel": "warning"
-    },
-    "inbounds": [
-        {
-            "port": 10800,
-            "listen": "127.0.0.1",
-            "protocol": "socks",
-            "settings": {
-                "udp": true
-            }
-        }
-    ],
-    "outbounds": [
-        {
-            "protocol": "trojan",
-            "settings": {
-                "servers": [
-                    {
-                        "address": "example.com", // 换成你的域名或服务器 IP（发起请求时无需解析域名了）
-                        "port": 443,
-                        "password": "", // 填写你的密码
-                        "level": 0
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "tcp",
-                "security": "tls",
-                "tlsSettings": {
-                    "serverName": "example.com" // 换成你的域名
-                }
-            }
-        }
-    ]
-}

VLESS-TCP-XTLS-WHATEVER/config_client/vless_tcp_tls.json

@@ -1,42 +0,0 @@
-{
-    "log": {
-        "loglevel": "warning"
-    },
-    "inbounds": [
-        {
-            "port": 10800,
-            "listen": "127.0.0.1",
-            "protocol": "socks",
-            "settings": {
-                "udp": true
-            }
-        }
-    ],
-    "outbounds": [
-        {
-            "protocol": "vless",
-            "settings": {
-                "vnext": [
-                    {
-                        "address": "example.com", // 换成你的域名或服务器 IP（发起请求时无需解析域名了）
-                        "port": 443,
-                        "users": [
-                            {
-                                "id": "", // 填写你的 UUID
-                                "encryption": "none",
-                                "level": 0
-                            }
-                        ]
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "tcp",
-                "security": "tls",
-                "tlsSettings": {
-                    "serverName": "example.com" // 换成你的域名
-                }
-            }
-        }
-    ]
-}

VLESS-TCP-XTLS-WHATEVER/config_client/vless_tcp_xtls.json

@@ -1,43 +0,0 @@
-{
-    "log": {
-        "loglevel": "warning"
-    },
-    "inbounds": [
-        {
-            "port": 10800,
-            "listen": "127.0.0.1",
-            "protocol": "socks",
-            "settings": {
-                "udp": true
-            }
-        }
-    ],
-    "outbounds": [
-        {
-            "protocol": "vless",
-            "settings": {
-                "vnext": [
-                    {
-                        "address": "example.com", // 换成你的域名或服务器 IP（发起请求时无需解析域名了）
-                        "port": 443,
-                        "users": [
-                            {
-                                "id": "", // 填写你的 UUID
-                                "flow": "xtls-rprx-direct",
-                                "encryption": "none",
-                                "level": 0
-                            }
-                        ]
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "tcp",
-                "security": "xtls", // 需要使用 XTLS
-                "xtlsSettings": {
-                    "serverName": "example.com" // 换成你的域名
-                }
-            }
-        }
-    ]
-}

VLESS-TCP-XTLS-WHATEVER/config_client/vless_ws_tls.json

@@ -1,45 +0,0 @@
-{
-    "log": {
-        "loglevel": "warning"
-    },
-    "inbounds": [
-        {
-            "port": 10800,
-            "listen": "127.0.0.1",
-            "protocol": "socks",
-            "settings": {
-                "udp": true
-            }
-        }
-    ],
-    "outbounds": [
-        {
-            "protocol": "vless",
-            "settings": {
-                "vnext": [
-                    {
-                        "address": "example.com", // 换成你的域名或服务器 IP（发起请求时无需解析域名了）
-                        "port": 443,
-                        "users": [
-                            {
-                                "id": "", // 填写你的 UUID
-                                "encryption": "none",
-                                "level": 0
-                            }
-                        ]
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "ws",
-                "security": "tls",
-                "tlsSettings": {
-                    "serverName": "example.com" // 换成你的域名
-                },
-                "wsSettings": {
-                    "path": "/websocket" // 必须换成自定义的 PATH，需要和服务端的一致
-                }
-            }
-        }
-    ]
-}

VLESS-TCP-XTLS-WHATEVER/config_client/vmess_tcp_tls.json

@@ -1,52 +0,0 @@
-{
-    "log": {
-        "loglevel": "warning"
-    },
-    "inbounds": [
-        {
-            "port": 10800,
-            "listen": "127.0.0.1",
-            "protocol": "socks",
-            "settings": {
-                "udp": true
-            }
-        }
-    ],
-    "outbounds": [
-        {
-            "protocol": "vmess",
-            "settings": {
-                "vnext": [
-                    {
-                        "address": "example.com", // 换成你的域名或服务器 IP（发起请求时无需解析域名了）
-                        "port": 443,
-                        "users": [
-                            {
-                                "id": "", // 填写你的 UUID
-                                "security": "none",
-                                "level": 0
-                            }
-                        ]
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "tcp",
-                "security": "tls",
-                "tlsSettings": {
-                    "serverName": "example.com" // 换成你的域名
-                },
-                "tcpSettings": {
-                    "header": {
-                        "type": "http",
-                        "request": {
-                            "path": [
-                                "/vmesstcp" // 必须换成自定义的 PATH，需要和服务端的一致
-                            ]
-                        }
-                    }
-                }
-            }
-        }
-    ]
-}

VLESS-TCP-XTLS-WHATEVER/config_client/vmess_ws_tls.json

@@ -1,45 +0,0 @@
-{
-    "log": {
-        "loglevel": "warning"
-    },
-    "inbounds": [
-        {
-            "port": 10800,
-            "listen": "127.0.0.1",
-            "protocol": "socks",
-            "settings": {
-                "udp": true
-            }
-        }
-    ],
-    "outbounds": [
-        {
-            "protocol": "vmess",
-            "settings": {
-                "vnext": [
-                    {
-                        "address": "example.com", // 换成你的域名或服务器 IP（发起请求时无需解析域名了）
-                        "port": 443,
-                        "users": [
-                            {
-                                "id": "", // 填写你的 UUID
-                                "security": "none",
-                                "level": 0
-                            }
-                        ]
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "ws",
-                "security": "tls",
-                "tlsSettings": {
-                    "serverName": "example.com" // 换成你的域名
-                },
-                "wsSettings": {
-                    "path": "/vmessws" // 必须换成自定义的 PATH，需要和服务端的一致
-                }
-            }
-        }
-    ]
-}

VLESS-TCP-XTLS-WHATEVER/config_server.json

@@ -1,163 +0,0 @@
-{
-    "log": {
-        "loglevel": "warning"
-    },
-    "inbounds": [
-        {
-            "port": 443,
-            "protocol": "vless",
-            "settings": {
-                "clients": [
-                    {
-                        "id": "", // fill in your UUID
-                        "flow": "xtls-rprx-direct",
-                        "level": 0,
-                        "email": "love@example.com"
-                    }
-                ],
-                "decryption": "none",
-                "fallbacks": [
-                    {
-                        "dest": 1310, // Fall back to Xray's Trojan protocol by default
-                        "xver": 1
-                    },
-                    {
-                        "path": "/websocket", // Must be replaced with a custom PATH
-                        "dest": 1234,
-                        "xver": 1
-                    },
-                    {
-                        "path": "/vmesstcp", // Must be replaced with a custom PATH
-                        "dest": 2345,
-                        "xver": 1
-                    },
-                    {
-                        "path": "/vmessws", // Must be replaced with a custom PATH
-                        "dest": 3456,
-                        "xver": 1
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "tcp",
-                "security": "xtls",
-                "xtlsSettings": {
-                    "alpn": [
-                        "http/1.1"
-                    ],
-                    "certificates": [
-                        {
-                            "certificateFile": "/path/to/fullchain.crt", // Replace with your certificate, absolute path
-                            "keyFile": "/path/to/private.key" // Replace it with your private key, absolute path
-                        }
-                    ]
-                }
-            }
-        },
-        {
-            "port": 1310,
-            "listen": "127.0.0.1",
-            "protocol": "trojan",
-            "settings": {
-                "clients": [
-                    {
-                        "password": "", // fill in your password
-                        "level": 0,
-                        "email": "love@example.com"
-                    }
-                ],
-                "fallbacks": [
-                    {
-                        "dest": 80 // or fall back to other proxies that are also probing-proof
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "tcp",
-                "security": "none",
-                "tcpSettings": {
-                    "acceptProxyProtocol": true
-                }
-            }
-        },
-        {
-            "port": 1234,
-            "listen": "127.0.0.1",
-            "protocol": "vless",
-            "settings": {
-                "clients": [
-                    {
-                        "id": "", // fill in your UUID
-                        "level": 0,
-                        "email": "love@example.com"
-                    }
-                ],
-                "decryption": "none"
-            },
-            "streamSettings": {
-                "network": "ws",
-                "security": "none",
-                "wsSettings": {
-                    "acceptProxyProtocol": true, // Reminder: If you use Nginx/Caddy to reverse generation WS, you need to delete this line
-                    "path": "/websocket" // It must be replaced with a custom PATH, which needs to be consistent with the shunt
-                }
-            }
-        },
-        {
-            "port": 2345,
-            "listen": "127.0.0.1",
-            "protocol": "vmess",
-            "settings": {
-                "clients": [
-                    {
-                        "id": "", // fill in your UUID
-                        "level": 0,
-                        "email": "love@example.com"
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "tcp",
-                "security": "none",
-                "tcpSettings": {
-                    "acceptProxyProtocol": true,
-                    "header": {
-                        "type": "http",
-                        "request": {
-                            "path": [
-                                "/vmesstcp" // It must be replaced with a custom PATH, which needs to be consistent with the shunt
-                            ]
-                        }
-                    }
-                }
-            }
-        },
-        {
-            "port": 3456,
-            "listen": "127.0.0.1",
-            "protocol": "vmess",
-            "settings": {
-                "clients": [
-                    {
-                        "id": "", // fill in your UUID
-                        "level": 0,
-                        "email": "love@example.com"
-                    }
-                ]
-            },
-            "streamSettings": {
-                "network": "ws",
-                "security": "none",
-                "wsSettings": {
-                    "acceptProxyProtocol": true, // Reminder: If you use Nginx/Caddy to reverse generation WS, you need to delete this line
-                    "path": "/vmessws" // It must be replaced with a custom PATH, which needs to be consistent with the shunt
-                }
-            }
-        }
-    ],
-    "outbounds": [
-        {
-            "protocol": "freedom"
-        }
-    ]
-}

VLESS-TLS-SplitHTTP-CaddyNginx/Caddyfile

@@ -0,0 +1,5 @@
+localhost:443 {
+	handle /split/* {
+		reverse_proxy http://127.0.0.1:1234
+	}
+}

VLESS-TLS-SplitHTTP-CaddyNginx/client.jsonc

@@ -0,0 +1,46 @@
+{
+    "log": {
+      "loglevel": "warning"
+    },
+    "inbounds": [
+      {
+        "listen": "127.0.0.1",
+        "port": 10808,
+        "protocol": "socks",
+        "settings": {
+            "udp": true
+        }
+      }
+    ],
+    "outbounds": [
+      {
+        "protocol": "vless",
+        "settings": {
+          "vnext": [
+            {
+              "address": "",
+              "port": 443,
+              "users": [
+                {
+                  "id": "",
+                  "encryption": "none"
+                }
+              ]
+            }
+          ]
+        },
+        "streamSettings": {
+          "network": "splithttp",
+          "splithttpSettings": {
+            "path": "/split"
+          },
+          "security": "tls",
+          "tlsSettings": {
+            "serverName": ""
+          }
+        },
+        "tag": "proxy"
+      }
+    ]
+  }
+  

VLESS-TLS-SplitHTTP-CaddyNginx/nginx.conf

@@ -0,0 +1,23 @@
+server {
+        listen 443 http2 ssl;
+        listen [::]:443 http2 ssl;
+
+        index index.html;
+        root /var/www/html;
+        ssl_certificate /path/to/example.cer;
+        ssl_certificate_key /path/to/example.cer;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+        # splithttp produces very noisy access logs, as it sends many HTTP
+        # requests and uses querystrings for padding. It is recommended to turn
+        # them off after setup, or use custom log formats to limit the amount
+        # of information.
+        # access_log off;
+
+        location /split {
+            proxy_pass http://127.0.0.1:1234;
+            proxy_http_version 1.1;
+            proxy_redirect off;
+        }
+}

VLESS-TLS-SplitHTTP-CaddyNginx/server.jsonc

@@ -0,0 +1,41 @@
+{
+    "log": {
+      "loglevel": "warning"
+    },
+    "inbounds": [
+      {
+        "listen": "127.0.0.1",
+        "port": 1234,
+        "protocol": "vless",
+        "settings": {
+          "clients": [
+            {
+              "id": ""
+            }
+          ],
+          "decryption": "none"
+        },
+        "streamSettings": {
+          "network": "splithttp",
+          "splithttpSettings": {
+            "path": "/split"
+          }
+        },
+        "sniffing": {
+          "enabled": true,
+          "destOverride": [
+            "http",
+            "tls",
+            "quic"
+          ]
+        }
+      }
+    ],
+    "outbounds": [
+      {
+        "protocol": "freedom",
+        "tag": "direct"
+      }
+    ]
+  }
+