搜索

网络与科学上网

2026年 搭建 – Xray – Reality协议

作者 大神K
2026年4月30日 2 分钟阅读
0

原理介绍

环境搭建

  • 安装Nginx
  • 安装Acme 申请证书工具
#安装acme:  
curl https://get.acme.sh | sh

#添加软链接:  
ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh

#切换CA机构:  
acme.sh –set-default-ca –server letsencrypt

#cloudflare API  
export CF_Key=你的API Token  
export CF_Email=你的Cloudflare注册邮箱

#申请证书:  
acme.sh –issue –dns dns_cf -d 你的域名

#安装证书  
acme.sh –install-cert -d 你的域名 –ecc \  
–key-file /etc/ssl/private/private.key \  
–fullchain-file /etc/ssl/private/fullchain.cer \  
–reloadcmd “systemctl force-reload nginx”

安装Xray

bash -c “$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)” @ install -u root

Xray 配置文件

{
  "log": {
    "loglevel": "warning"
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "port": "443",
        "network": "udp",
        "outboundTag": "block"
      },
      {
        "type": "field",
        "ip": [
          "geoip:cn",
          "geoip:private"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "",  // run `xray uuid` to generate
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "8003",
          "xver": 1,
          "serverNames": [
            ""
          ],
          "privateKey": "",   // run `xray x25519` to generate
          "shortIds": [
            ""  // 0 to f, length is a multiple of 2, maximum length is 16
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ],
  "policy": {
    "levels": {
      "0": {
        "handshake": 2,
        "connIdle": 120
      }
    }
  }
}

Nginx 配置文件

user root;  
worker_processes auto;

error_log /usr/local/nginx/logs/error.log notice;  
pid /usr/local/nginx/logs/nginx.pid;

events {  
worker_connections 1024;  
}

http {  
log_format main ‘[$time_local] $proxy_protocol_addr “$http_referer” “$http_user_agent”‘;  
access_log /usr/local/nginx/logs/access.log main;

map $http_upgrade $connection_upgrade {  
default upgrade;  
“” close;  
}

map $proxy_protocol_addr $proxy_forwarded_elem {  
~^[0-9.]+$ “for=$proxy_protocol_addr”;  
~^[0-9A-Fa-f:.]+$ “for=\”[$proxy_protocol_addr]\””;  
default “for=unknown”;  
}

map $http_forwarded $proxy_add_forwarded {  
“~^(,[ \\t]*)*([!#$%&’*+.^_`|~0-9A-Za-z-]+=([!#$%&’*+.^_`|~0-9A-Za-z-]+|\”([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\”))?(;([!#$%&’*+.^_`|~0-9A-Za-z-]+=([!#$%&’*+.^_`|~0-9A-Za-z-]+|\”([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\”))?)*([ \\t]*,([ \\t]*([!#$%&’*+.^_`|~0-9A-Za-z-]+=([!#$%&’*+.^_`|~0-9A-Za-z-]+|\”([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\”))?(;([!#$%&’*+.^_`|~0-9A-Za-z-]+=([!#$%&’*+.^_`|~0-9A-Za-z-]+|\”([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\”))?)*)?)*$” “$http_forwarded, $proxy_forwarded_elem”;  
default “$proxy_forwarded_elem”;  
}

server {  
listen 80;  
listen [::]:80;  
return 301 https://$host$request_uri;  
}

server {  
listen 127.0.0.1:8003 ssl default_server;

ssl_reject_handshake on;

ssl_protocols TLSv1.2 TLSv1.3;

ssl_session_timeout 1h;  
ssl_session_cache shared:SSL:10m;

ssl_early_data on;  
}

server {  
listen 127.0.0.1:8003 ssl proxy_protocol;

set_real_ip_from 127.0.0.1;  
real_ip_header proxy_protocol;

server_name xx.com; # 填由 Nginx 加载的 SSL 证书中包含的域名,建议将域名指向服务端的 IP

ssl_certificate /etc/ssl/private/fullchain.cer;  
ssl_certificate_key /etc/ssl/private/private.key;

ssl_protocols TLSv1.2 TLSv1.3;  
ssl_ciphers TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;

ssl_session_tickets on;

ssl_stapling on;  
ssl_stapling_verify on;  
resolver 1.1.1.1 valid=60s;  
resolver_timeout 2s;

location / {  
sub_filter $proxy_host $host;  
sub_filter_once off;

set $website www.lovelive-anime.jp;  
proxy_pass https://$website;  
resolver 1.1.1.1;

proxy_set_header Host $proxy_host;

proxy_http_version 1.1;  
proxy_cache_bypass $http_upgrade;

proxy_ssl_server_name on;

proxy_set_header Upgrade $http_upgrade;  
proxy_set_header Connection $connection_upgrade;  
proxy_set_header X-Real-IP $proxy_protocol_addr;  
proxy_set_header Forwarded $proxy_add_forwarded;  
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
proxy_set_header X-Forwarded-Proto $scheme;  
proxy_set_header X-Forwarded-Host $host;  
proxy_set_header X-Forwarded-Port $server_port;

proxy_connect_timeout 60s;  
proxy_send_timeout 60s;  
proxy_read_timeout 60s;

proxy_set_header Early-Data $ssl_early_data;  
}  
}  
}
📌 版权声明

文章作者:大神K

原文链接:https://dashenk.com/2026/04/30/2026%e5%b9%b4-%e6%90%ad%e5%bb%ba-xray-reality%e5%8d%8f%e8%ae%ae/

版权说明:本文为原创内容,转载请注明出处。

标签:

作者

大神K

我是一个长期在技术与赚钱之间反复横跳的人。 做过网站、搞过SEO、写过程序,也踩过币圈的坑。 现在在做的事情很简单: 用 AI + 技术,把复杂的事情变简单,把一个人变成一支队伍。 这个网站,不是教程站,而是我的「操作记录」。 一个站长如何做 SEO 和流量 一个开发者如何用 AI 提高效率 一个交易者如何系统性构建赚钱模型 只讲能落地的方案,分享: 真实经验 + 踩过的坑 在这个时代,一个人,也可以是一家公司。

关注我
其他文章
暂无评论!成为第一个。

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注