安装 Nginx#
sudo apt update && sudo apt install -y nginx
mkdir -p /home/xray/webpage/ && cd /home/xray/webpage/
apt install unzip && wget -O web.zip --no-check-certificate https://html5up.net/phantom/download && unzip web.zip && rm web.zip
修改nginx.conf#
# 去除80端口默认占用
sed -i '/\/etc\/nginx\/sites-enabled\//d' /etc/nginx/nginx.conf
# 复制全部 start
cat>/etc/nginx/conf.d/xray.conf<<EOF
server {
listen 80;
server_name yourdomain;
root /home/xray/webpage/;
index index.html;
}
EOF
# end
# 你的域名 替换
sed -i 's/yourdomain/你的域名/' /etc/nginx/conf.d/xray.conf
systemctl reload nginx
# 访问 http://你的域名 显示正常则成功
申请证书#
wget -O - https://get.acme.sh | sh && cd ~ && . .bashrc
acme.sh --upgrade --auto-upgrade
acme.sh --issue --server letsencrypt --test -d 你的域名 -w /home/xray/webpage --keylength ec-256
# 这一步如果失败,有以下几个常见原因
# 1. 80端口没开启或者nginx没有正常启动, acme申请域名必须要能"http://你的域名"访问的通
# 2. 失败次数超过5次被ban了, acme对某个域名一天最大申请次数为5次,超过5次后需要等第二天
acme.sh --set-default-ca --server letsencrypt
acme.sh --issue -d 你的域名 -w /home/xray/webpage --keylength ec-256 --force
安装 Xray#
脚本安装#
wget https://github.com/XTLS/Xray-install/raw/main/install-release.sh && bash install-release.sh && rm install-release.sh
手动安装 (可选)#
如果你选择了脚本安装则跳过
# 解压到root目录下的xray文件夹
wget https://github.com/XTLS/Xray-core/releases/download/v1.5.10/Xray-linux-64.zip -O xray.zip && unzip xray.zip -d /root/xray/ && rm xray.zip
# 创建 systemd 部署 start
cat>/etc/systemd/system/xray.service<<EOF
[Unit]
Description=Xray Service
Documentation=https://github.com/xtls
After=network.target nss-lookup.target
[Service]
User=root
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/root/xray/xray run -config /usr/local/etc/xray/config.json
Restart=on-failure
RestartPreventExitStatus=23
LimitNPROC=10000
LimitNOFILE=1000000
[Install]
WantedBy=multi-user.target
EOF
# end
给 Xray 配置 TLS 证书#
mkdir -p /home/xray/xray_cert && acme.sh --install-cert -d 你的域名 --ecc --fullchain-file /home/xray/xray_cert/xray.crt --key-file /home/xray/xray_cert/xray.key && chmod +r /home/xray/xray_cert/xray.key
自动更新临期证书#
# 创建并写入
cat>/home/xray/xray_cert/xray-cert-renew.sh<<EOF
#!/bin/bash
/root/.acme.sh/acme.sh --install-cert -d yourdomain --ecc --fullchain-file /home/xray/xray_cert/xray.crt --key-file /home/xray/xray_cert/xray.key
echo "Xray Certificates Renewed"
chmod +r /home/xray/xray_cert/xray.key
echo "Read Permission Granted for Private Key"
sudo systemctl restart xray
echo "Xray Restarted"
EOF
# 你的域名 替换
sed -i 's/yourdomain/你的域名/' /home/xray/xray_cert/xray-cert-renew.sh
创建定时任务#
chmod +x /home/xray/xray_cert/xray-cert-renew.sh
( crontab -l | grep -v "0 1 1 * * bash /home/xray/xray_cert/xray-cert-renew.sh"; echo "0 1 1 * * bash /home/xray/xray_cert/xray-cert-renew.sh" ) | crontab -
配置 Xray#
xray uuid
# 自定义日志 可选 start
# 默认日志位置 /var/log/xray
mkdir /home/xray/xray_log && touch /home/xray/xray_log/access.log && touch /home/xray/xray_log/error.log && chmod a+w /home/xray/xray_log/*.log
# end
模板文件修改#
wget https://raw.githubusercontent.com/XTLS/Xray-examples/main/Trojan-TCP-XTLS/config_server.json -O /usr/local/etc/xray/config.json
sed -i 's/\/path\/to\/cert/\/home\/xray\/xray_cert\/xray.crt/' /usr/local/etc/xray/config.json
sed -i 's/\/path\/to\/key/\/home\/xray\/xray_cert\/xray.key/' /usr/local/etc/xray/config.json
启动 Xray#
systemctl start xray && systemctl enable xray
优化#
开启 BBR#
返回第一章节执行一键安装那个命令,选择开启BBR
开启 HTTP 自动跳转 HTTPS#
sed -i '/\/home\/xray\/webpage\//d' /etc/nginx/conf.d/xray.conf
sed -i '/index/d' /etc/nginx/conf.d/xray.conf
# 在80端口规则最后加入 可同时删除root和index两行
sed -i '3a \\treturn 301 https://$http_host$request_uri;' /etc/nginx/conf.d/xray.conf
#在加入新的server
cat>>/etc/nginx/conf.d/xray.conf<<EOF
server {
listen 127.0.0.1:8080;
root /home/xray/webpage/;
index index.html;
add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
#end
systemctl restart nginx
#修改xray的fallback端口为8080 "dest": 80 -> 改成 "dest": 8080
sed -i '19,24d' /usr/local/etc/xray/config.json
sudo sed -i 's/\"dest\".*/"dest": 8080/g' /usr/local/etc/xray/config.json
systemctl restart xray