Direct scheme: local host -> proxy server
Through-CDN scheme: local host -> CDN edge node -> proxy server
If you have anything fun to share, feel free to contact me, meow~~ Telegram: @ankie
Applicable scenarios
Suitable when the route to the server takes a detour, latency is high, and similar situations
(Landing servers are generally tuned for international routes and are by default used together with a relay server)
Prerequisites
Required combination
- Security layer: TLS only
- Transport layer: WebSocket/gRPC/xhttp
Preparation (using Cloudflare as an example):
- Host the domain on CF
- Add an A record for the domain; the Cloudflare proxy toggle (commonly called the "little orange cloud") does not have to be turned on
- Apply for a TLS/SSL certificate for the domain; for details see the earlier article on TLS
The inbound port must be one that the CDN supports
Ports supported by Cloudflare: https://developers.cloudflare.com/fundamentals/reference/network-ports/
Enable TLS
Dashboard -> Domain -> SSL/TLS -> Overview -> SSL/TLS encryption -> set the mode to Full
* Full means: client -TLS-> CDN node -TLS (origin pull)-> origin server
* Flexible means: client -TLS-> CDN node -insecure connection (origin pull)-> origin server
Enable gRPC network support
Dashboard -> Domain -> Network -> gRPC
Vless Encryption-Vision-TLS-WS
- Inner security layer: vless encryption
- Outer security layer: TLS
- Transport layer: ws
- Vision only passes through Enc; if enc is not used, turn Vision off
Xray server-side configuration block; it is worth recording the parameters generated on the command line in an editor
To keep things brief only the inbounds part is shown; for the remaining parts see the earlier article, Xray installation: configuration file
```json
{
  "inbounds": [
    {
      "port": 2087, // a port supported by the CDN
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "", // generate by running xray uuid
            "flow": "xtls-rprx-vision" // leave empty if enc is not enabled
          }
        ],
        // generate by running xray vlessenc, choosing Authentication: ML-KEM-768, Post-Quantum
        "decryption": "dec" // fill in the generated decryption value; use none if enc is not enabled
      },
      "streamSettings": {
        "network": "ws", // transport layer: WebSocket
        "wsSettings": {
          "path": "/path", // custom ws path, e.g. the tail half of the UUID; it must start with "/"
          "host": "" // keep host empty
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "<yourdomain>", // SNI domain; the CDN uses it to reach the origin server
          "alpn": ["h2", "http/1.1"],
          "minVersion": "1.2",
          "certificates": [
            {
              "certificateFile": "./cert.crt", // certificate path
              "keyFile": "./cert.key" // private key path
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"],
        "routeOnly": false
      }
    }
  ]
}
```
To test the node, enter the parameters into V2RayN according to this configuration
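The text above states several constraints on the inbound (a Cloudflare HTTPS port, TLS as the only security layer, a ws path beginning with "/", an empty server-side Host, and Vision only together with VLESS encryption). The following linter, added here as an example and not part of the original post or of Xray, encodes those rules and runs them over a constructed, deliberately broken config; the port set is Cloudflare's documented HTTPS ports, and the comment stripping is a simplification of what Xray's own loader does.

```python
import json
import re

# Cloudflare's HTTPS ports (the text requires TLS, so the HTTP-only ports are excluded)
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}


def strip_comments(text: str) -> str:
    # Drop Xray-style // line comments; the lookbehind keeps "https://" intact
    return re.sub(r"(?<!:)//[^\n]*", "", text)


def check_inbound(inbound: dict) -> list:
    # Return the rule violations for one VLESS inbound (empty list means OK)
    problems = []
    if inbound.get("port") not in CF_HTTPS_PORTS:
        problems.append(f"port {inbound.get('port')} is not a Cloudflare HTTPS port")
    stream = inbound.get("streamSettings", {})
    if stream.get("security") != "tls":
        problems.append("security must be tls; a plain origin only works in Flexible mode")
    if stream.get("network") == "ws":
        ws = stream.get("wsSettings", {})
        if not str(ws.get("path", "")).startswith("/"):
            problems.append("ws path must begin with '/'")
        if ws.get("host"):
            problems.append("server-side ws host should stay empty")
    settings = inbound.get("settings", {})
    enc_on = settings.get("decryption", "none") != "none"
    for client in settings.get("clients", []):
        if not client.get("id"):
            problems.append("client id (UUID) is empty")
        if client.get("flow") == "xtls-rprx-vision" and not enc_on:
            problems.append("xtls-rprx-vision is set but VLESS encryption is off")
    return problems


def check_config(text: str) -> list:
    # Parse a commented Xray JSON config and check every inbound in it
    cfg = json.loads(strip_comments(text))
    return [p for ib in cfg.get("inbounds", []) for p in check_inbound(ib)]


# Constructed sample that violates every rule at once (not a real deployment)
BAD_CONFIG = """{
  "inbounds": [{
    "port": 2052, // HTTP-only Cloudflare port
    "protocol": "vless",
    "settings": {"clients": [{"id": "", "flow": "xtls-rprx-vision"}], "decryption": "none"},
    "streamSettings": {"network": "ws", "wsSettings": {"path": "path", "host": "x.example"},
                       "security": "tls", "tlsSettings": {"serverName": "x.example"}}
  }]
}"""
```

Running `check_config` on the inbound from the block above (with a real UUID and decryption value filled in) returns an empty list.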
Mihomo: Vless enc-Vision-TLS-WS
Mihomo client node configuration
```yaml
proxies:
  - name: "Enc-TLS-WS-CDN"
    type: vless
    server: "ip"
    port: 443
    udp: true
    uuid: "uuid"
    flow: "xtls-rprx-vision" # fill in when enc is enabled, otherwise leave empty
    tls: true
    servername: "" # SNI domain; the CDN uses it to reach the origin server
    client-fingerprint: chrome
    skip-cert-verify: false # skip certificate verification; recommended value is false
    encryption: "" # take the encryption value generated by xray vlessenc
    network: "ws" # transport layer
    ws-opts:
      path: "/path" # same path as on the server
      headers:
        Host: "domain" # required, same value as the SNI
```
Reference: https://xtls.github.io/config/transports/websocket.html
gRPC
https://xtls.github.io/config/transports/grpc.html
gRPC is based on HTTP/2 and, unlike WS, offers multiplexing, which can reduce latency
Cloudflare likes to cut long-lived gRPC connections; in my tests mihomo would lose the connection, while xray has a health check. But xray now has xhttp, so gRPC is no longer recommended
Vless enc-Vision-TLS-XHTTP
xhttp has many flexible configurations; this is the recommended one
Compared with WS, only the transport-layer configuration changes
The server-side configuration is as follows
```json
"streamSettings": {
  "network": "xhttp",
  "xhttpSettings": {
    "host": "",
    "path": "/path", // custom path
    "mode": "auto"
  }
  // "security" and "tlsSettings" stay the same as in the WS configuration
},
```
mode: auto automatically adapts to the client
On the client, set host to the same value as the SNI and choose stream-one for mode; it then passes through the CDN smoothly
mihomo may support xhttp in the future; this will be added when it does
Vless enc-Vision-TLS-WS multiplexing
mihomo does not support mux.cool, xray's multiplexing protocol, so to use multiplexing the server side has to be switched to mihomo
mihomo server installation script
Installation path: /opt/mihomo
Configuration file path: /opt/mihomo/config.yaml
```bash
#!/bin/bash
# Exit immediately on error
set -e
# jq is needed to parse the GitHub API response
if ! command -v jq >/dev/null 2>&1; then
    echo -e "\033[31mjq is required: apt install jq\033[0m"
    exit 1
fi
# Repository / release information
REPO="MetaCubeX/mihomo"
PLATFORM_TAG="linux-amd64-v2"
RESULT="mihomo-core"
# Installation path
WORK_DIR="/opt/mihomo"
mkdir -p "$WORK_DIR"
echo "Created working directory at $WORK_DIR"
cd "$WORK_DIR" || { echo "cannot cd to $WORK_DIR"; exit 1; }
echo "Getting release information from $REPO..."
# Fetch the release JSON once and reuse it for both the tag and the asset URL
RELEASE_JSON=$(curl -fsSL "https://api.github.com/repos/$REPO/releases/latest")
VERSION=$(echo "$RELEASE_JSON" | jq -r .tag_name)
if [ -z "$VERSION" ] || [ "$VERSION" == "null" ]; then
    echo "Could not fetch the latest version; check the network connection."
    exit 1
fi
echo "The latest version is $VERSION"
# Skip the download if the installed binary already reports this version
if [ -x "$WORK_DIR/$RESULT" ] && "$WORK_DIR/$RESULT" -v | grep -q "$VERSION"; then
    echo "mihomo is already at the latest version: $VERSION"
    exit 0
fi
# Resulting file name, e.g. mihomo-linux-amd64-v2-v1.19.18.gz
TARGET_FILE="mihomo-${PLATFORM_TAG}-${VERSION}.gz"
echo "Target file to download: $TARGET_FILE"
# Look up the download URL of that asset in the release JSON
DOWNLOAD_URL=$(echo "$RELEASE_JSON" | \
    jq -r ".assets[] | select(.name == \"$TARGET_FILE\") | .browser_download_url")
# Check that a link was found
if [ -z "$DOWNLOAD_URL" ] || [ "$DOWNLOAD_URL" == "null" ]; then
    echo "Error: file $TARGET_FILE not found among the release assets"
    exit 1
fi
echo "Downloading: $DOWNLOAD_URL"
# -f makes curl fail on HTTP errors instead of saving an error page as the binary
if ! curl -fL -o "$TARGET_FILE" "$DOWNLOAD_URL"; then
    echo "failed to download..."
    exit 1
fi
gunzip -f "$TARGET_FILE"
mv "mihomo-${PLATFORM_TAG}-${VERSION}" "$RESULT"
chmod +x "$RESULT"
echo "OK"
# Create the systemd service unit
echo "Creating systemd service unit..."
SERVICE_NAME="mihomo"
NAME="mihomo.service"
SERVICE_FILE="$WORK_DIR/${SERVICE_NAME}.service"
# \$MAINPID is escaped so that systemd, not this shell, expands it
tee "$SERVICE_FILE" > /dev/null <<EOF
[Unit]
Description=mihomo server.
After=network.target NetworkManager.service systemd-networkd.service iwd.service
[Service]
Type=simple
LimitNPROC=500
LimitNOFILE=1000000
# Capability set as shipped by the author; a plain proxy needs far less than
# CAP_SYS_PTRACE or CAP_DAC_OVERRIDE, so trim this list to what your setup actually uses
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
Restart=always
ExecStartPre=/usr/bin/sleep 1s
ExecStart=$WORK_DIR/$RESULT -d $WORK_DIR
ExecReload=/bin/kill -HUP \$MAINPID
[Install]
WantedBy=multi-user.target
EOF
# Install and start the service
cp "$SERVICE_FILE" /etc/systemd/system/
systemctl daemon-reload
sleep 1
systemctl enable "$NAME"
systemctl restart "$NAME"
echo "OK"
sleep 2
systemctl status "$NAME"
```
Inbound
Because mihomo has a safety mechanism that does not allow access to data outside its working directory,
the SSL certificate must be copied into the /opt/mihomo working directory
Only the inbound part is shown; refer to the official documentation for the DNS, rules and other parts
https://wiki.metacubex.one/config/inbound/listeners/vless/
```yaml
listeners:
  # VLess-Enc+VISION+TLS+WS
  - name: "vless-in"
    type: vless
    port: 8443
    listen: "0.0.0.0"
    users:
      - username: 1
        uuid: "" # generate by running xray uuid
        flow: "xtls-rprx-vision"
    ws-path: "/p" # transport layer ws path
    decryption: "" # generate by running xray vlessenc
    certificate: "./cert.crt" # certificate
    private-key: "./cert.key" # private key
```
Client outbound
```yaml
  - name: "VLess-Enc+VISION+TLS+WS"
    type: vless
    server: "ip" # preferred IP
    port: 8443
    udp: true
    uuid: "uuid"
    flow: "xtls-rprx-vision" # fill in when enc is enabled, otherwise leave empty
    tls: true
    alpn:
      - http/1.1
    skip-cert-verify: false
    servername: "" # SNI domain
    encryption: "" # generate by running xray vlessenc
    network: "ws"
    ws-opts:
      path: "/p" # path; must match the listener's ws-path
      headers:
        Host: "domain" # required, same as the SNI
    smux:
      enabled: true # enable multiplexing
      protocol: smux
      max-connections: 4
      min-streams: 4
      max-streams: 0
```
Preferred IP tutorial
You can search for any preferred-IP domain
Resolve the preferred-IP domain; two examples:
ct.877774.xyz
cf.468123.xyz
Whichever pings with low latency and good numbers can be used as the entry point
Batch speed test
https://github.com/XIU2/CloudflareSpeedTest
Demonstrated with the XIU2/CloudflareSpeedTest project
Put the resolved addresses of the preferred-IP domain in the file ip.txt; append /24 to test the whole range
```text
# example entry
104.18.41.190/24
```
Run in the terminal:
```bash
cfst -dd -tp 443 -tl 200 -f ip.txt --allip
```
Parameter explanation:
- -dd: disable the download speed test and only measure latency, to save time
- -tp 443: target TCP port 443
- -tl 200: latency upper limit
- -f ip.txt: the IP data set to use
- --allip: test every address in the /24 range
Pick a good IP and put it in the node's server field
Below are some of the usable results I measured
There are other places where preferred IPs can be obtained
https://api.uouin.com/cloudflare.html
With gratitude
Along this learning journey I have felt everyone's great support; thanks to @宋哈娜, thanks to
― Christine, Project X community
- Project X https://t.me/projectXray
By the time I wrote the last line it was already 4 a.m. on 3 March, meow~