Objective
TL;DR
Circumvent the GFW by tunnelling (proxying) traffic inside ordinary-looking HTTPS (TLS) connections on port 443, alongside a real website on the same port. Prerequisite: a domain name you control (e.g. yourDomain.com) whose DNS A/AAAA record already points at this server, so that Let's Encrypt can issue a certificate for it.
CentOS
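# CentOS/RHEL dependencies. EPEL provides certbot; nginx-mod-stream provides the
# stream module that the SNI router below relies on. Use one package manager
# (dnf) consistently and pass -y so the step can be scripted.
sudo dnf install -y epel-release
sudo dnf install -y curl git nginx nginx-mod-stream python3-certbot-nginx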
Optionally install the latest nginx from nginx.org instead (http://nginx.org/en/linux_packages.html#RHEL-CentOS). Pick one source: the nginx.org packages are built with the stream module included, so do not combine them with the distro's `nginx-mod-stream` from the previous step — a dynamic module built for a different nginx binary can fail to load with a version mismatch.
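# Xray, not nginx, terminates TLS in this setup (nginx only does ssl_preread and
# never opens these files), so the copied certificate and key must be readable
# by the account the xray service runs as. Read that account from the unit
# instead of guessing; an empty User= means the service runs as root.
xray_user=$(systemctl show -p User --value xray 2>/dev/null || true)
xray_user=${xray_user#User=}
xray_user=${xray_user:-root}
chown "${xray_user}:root" /usr/local/etc/xray/fullchain.pem /usr/local/etc/xray/privkey.pem
chmod 0644 /usr/local/etc/xray/fullchain.pem
# The private key must never be world-readable.
chmod 0600 /usr/local/etc/xray/privkey.pem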
SELinux and firewall: the default CentOS policy may block nginx/Xray from using the non-standard loopback ports or the copied key files. Rather than disabling SELinux outright — which removes an entire defence layer from an internet-facing host — keep it enforcing and fix the specific denials it reports (`ausearch -m avc -ts recent`) with the matching boolean, port label or file context; use `setenforce 0` only temporarily to confirm a denial is the cause. Keep firewalld enabled and open only 80/tcp and 443/tcp (`firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload`); the Xray and fallback ports bind to 127.0.0.1 and must not be opened.
Debian/ Ubuntu
Reference > https://henrywithu.com/coexistence-of-web-applications-and-vless-tcp-xtls/
Install
Install Dependencies
apt -y install curl git nginx libnginx-mod-stream python3-certbot-nginx
Install Xray
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
Uninstall Xray
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ remove
Configure nginx
Edit /etc/nginx/nginx.conf itself. The stream {} block must be a top-level block next to http {}, not inside it; files under /etc/nginx/conf.d/ are typically included from within http {}, so the stream block cannot live there (unless you add a separate top-level include for it). Place the following content outside of the http {} block:
# Layer-4 SNI router. nginx does NOT terminate TLS here: ssl_preread only peeks
# at the ClientHello's server_name and hands the raw TCP stream to the matching
# upstream, so the certificate/key live with the upstream (Xray), not with nginx.
stream {
    # SNI -> upstream name. There is no "default" entry, so a handshake whose
    # SNI is not listed (or carries no SNI at all, e.g. a probe by bare IP)
    # resolves to an empty upstream and is not forwarded anywhere — decide
    # deliberately whether that is the behaviour you want.
    map $ssl_preread_server_name $example_multi {
        webgame.example.com xtls;
        nextcloud.example.com nextcloud;
    }
    # Loopback-only ports; 20001 must match "port" in Xray's config.json.
    upstream xtls {
        server 127.0.0.1:20001; # Xray port
    }
    upstream nextcloud {
        server 127.0.0.1:20002; # Nextcloud port
    }
    server {
        listen 443 reuseport;
        listen [::]:443 reuseport;
        proxy_pass $example_multi;
        ssl_preread on;
        # NOTE(review): without proxy_protocol the upstreams see every client as
        # 127.0.0.1, so Xray's logs cannot distinguish clients by source address.
    }
}
Replace example.com with your actual domain name. Ports 20001/20002 are arbitrary loopback-only ports; they only have to agree with the Xray inbound and the Nextcloud listener. Next, clone a small web game to act as the fallback site — the ordinary web page a browser (or an active probe) gets when it connects to port 443 without valid VLESS credentials:
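# Clone a small static web game to act as the fallback site.
# Abort if the web root is missing rather than cloning into the wrong directory.
# --depth=1 fetches only the current snapshot, and the .git directory is removed
# because it would sit under the nginx web root (root /var/www/html/2048) and be
# served to anyone requesting /.git/...
cd /var/www/html || exit 1
git clone --depth=1 https://github.com/gd4Ark/2048.git 2048
rm -rf -- "${PWD:?}/2048/.git"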
- Configure the fallback site in /etc/nginx/conf.d/fallback.conf:
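# Port 80 exists only to answer certbot's HTTP-01 challenge and to push browsers
# to HTTPS. Hosts we do not serve get 404 instead of a redirect.
server {
    listen 80;
    server_name webgame.example.com nextcloud.example.com;
    if ($host = webgame.example.com) {
        return 301 https://$host$request_uri;
    }
    if ($host = nextcloud.example.com) {
        return 301 https://$host$request_uri;
    }
    return 404;
}
# Fallback site. Xray forwards connections that are not valid VLESS to this
# loopback-only listener (see "fallbacks" in config.json), so a browser or an
# active probe sees an ordinary web page instead of an error.
server {
    listen 127.0.0.1:20009;
    server_name webgame.example.com;
    index index.html;
    root /var/www/html/2048;
    # The web root is a git clone; never serve the repository metadata.
    location ~ /\.git {
        return 404;
    }
}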
Configure TLS (Let's Encrypt certificate via certbot)
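# Obtain the certificate with the nginx plugin (HTTP-01 via the port-80 server
# block above). Name the domain explicitly instead of choosing it interactively.
certbot certonly --nginx -d webgame.example.com
# Xray reads its own copies (see certificateFile/keyFile in config.json).
# Copying over an existing file keeps that file's owner and mode, so the
# ownership/permissions set for the xray service user survive later copies.
cp /etc/letsencrypt/live/webgame.example.com/fullchain.pem /usr/local/etc/xray/fullchain.pem
cp /etc/letsencrypt/live/webgame.example.com/privkey.pem /usr/local/etc/xray/privkey.pem
# certbot renews automatically, but nothing refreshes Xray's copies: after the
# ~90-day validity window Xray would keep serving the expired certificate.
# Register the copy as a deploy hook so every renewal re-copies and restarts Xray.
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/xray-cert.sh <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
live=/etc/letsencrypt/live/webgame.example.com
cp "$live/fullchain.pem" /usr/local/etc/xray/fullchain.pem
cp "$live/privkey.pem" /usr/local/etc/xray/privkey.pem
systemctl restart xray
EOF
chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/xray-cert.sh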
Check certificate expiration
openssl x509 -dates -noout < /path/fullchain.pem
notBefore=Nov 14 08:49:01 2021 GMT
notAfter=Feb 12 08:49:00 2022 GMT
Configure Xray
- Generate a UUID to use as the client ID. It is the only credential that authenticates clients to this VLESS inbound — anyone who obtains it can use your proxy — so treat it like a password: keep it secret and do not commit or share it.
cat /proc/sys/kernel/random/uuid
- Edit Xray's config.json (the path used by the installer):
vi /usr/local/etc/xray/config.json
Replace the value of `id` with the UUID generated above:
{
  "log": {
    # With nginx proxying from loopback (no proxy_protocol), the peer address in
    # these logs is always 127.0.0.1, never the real client.
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "listen": "127.0.0.1", # Only listen locally to prevent detection of the following port 20001
      "port": 20001, # The port here corresponds to the upstream port in Nginx
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            # The UUID is the only thing that authenticates a client; keep it secret.
            "id": "1c0022ae-3XX8-4XXb-9XX7-5e85cf883fde", # fill in your own UUID
            # NOTE(review): "xtls-rprx-direct" together with "security": "xtls"
            # below is the XTLS syntax of the Xray 1.4.x era shown in this post.
            # Later Xray releases replaced the legacy XTLS flows; if the installer
            # gives you a newer version, check its release notes before reusing
            # these two values.
            "flow": "xtls-rprx-direct",
            "level": 0
          }
        ],
        # Required literal for VLESS; confidentiality comes from the XTLS layer below.
        "decryption": "none",
        "fallbacks": [
          {
            # Anything reaching this inbound that is not valid VLESS (browsers,
            # scanners, active probes) is forwarded to the loopback web server.
            "dest": "20009" # port of fallback site
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "xtls",
        "xtlsSettings": {
          # Keep the ALPN list in step with what the fallback listener can serve;
          # the nginx listener on 20009 is plain HTTP/1.1 here.
          "alpn": [
            "http/1.1"
          ],
          "certificates": [
            {
              # Copies of the Let's Encrypt files: they must be readable by the
              # account the xray service runs as, and refreshed on every renewal.
              "certificateFile": "/usr/local/etc/xray/fullchain.pem", # your domain cert, absolute path
              "keyFile": "/usr/local/etc/xray/privkey.pem" # your private key, absolute path
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      # Default outbound: proxied traffic leaves directly to the internet.
      "protocol": "freedom"
    }
  ]
}
You can ignore the Nextcloud part, or substitute any other web service. If you drop it, also remove its entries from the stream map and the upstream block above so the map does not reference a listener that is not there.
Test Run
ubuntu@master0:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
ubuntu@master0:~$ xray --test
Xray 1.4.2 (Xray, Penetrates Everything.) Custom (go1.16.2 linux/amd64)
A unified platform for anti-censorship.
2021/06/08 02:56:03 Using config from STDIN
2021/06/08 02:56:03 [Info] infra/conf/serial: Reading config: stdin:
Note the line "Using config from STDIN": invoked this way, xray did not read the file you just edited, so this run validates nothing. Test the real configuration by naming it explicitly: `xray run -test -config /usr/local/etc/xray/config.json` (it should print a parse error or exit cleanly with no STDIN message).
Restart
systemctl restart nginx xray
Client on Android
Reference > https://github.com/2dust/v2rayNG
Courtesy > https://henrywithu.com/coexistence-of-web-applications-and-vless-tcp-xtls/