Preface
We know that HTTP traffic can be relayed to the origin by a CDN, so when the direct connection is too slow, let's try using a CDN to speed it up.
CDN traversal scheme: local host -> CDN edge node -> proxy server
This installment covers WebSocket transport, XHTTP transport, and a Cloudflare preferred-IP tutorial.
Applicable scenarios
Suitable when the route to the server detours or latency is high.
(Landing servers generally focus on international optimization and are by default paired with a relay server.)
Drawbacks
Cloudflare proxies only TCP on these ports, so the client's UDP has to ride inside the tunnel; UDP is almost 100% lost through the CDN, even as UDP over TCP (and latency is slightly higher).
Prerequisites
Required combination
- Security layer: TLS only
- Transport layer: WebSocket | gRPC | xhttp
Preparations (using Cloudflare as the example):
- Host the domain on CF
- Add an A record for the domain. The Cloudflare proxy (the orange cloud) can stay off while you obtain the certificate, but the hostname must be proxied before traffic can travel through the CDN: with a DNS-only record the edge has nothing to forward for that SNI.
- Obtain a TLS/SSL certificate for the domain; see the earlier TLS article for details.
The inbound port must be one the CDN supports.
Cloudflare-supported port numbers: https://developers.cloudflare.com/fundamentals/reference/network-ports/
Cloudflare HTTPS ports at a glance
- 443
- 2053
- 2083
- 2087
- 2096
- 8443
Enable TLS
Dashboard -> Domain -> SSL/TLS -> Overview -> SSL/TLS encryption -> set the mode to Full
*Full means client -TLS-> CDN node -TLS (origin pull)-> origin server. Full accepts any certificate from the origin; Full (strict) also validates it, which you can use here because the origin holds a certificate issued for the domain.
*Flexible means client -TLS-> CDN node -plaintext (origin pull)-> origin server. It cannot be used for this setup: the inbounds below speak TLS only, so a plaintext pull from the edge fails.
Enable gRPC network support
Dashboard -> Domain -> Network -> gRPC
Vless Encryption-Vision-TLS-WS
- Inner security: VLESS encryption
- Outer security layer: TLS
- Transport layer: ws
- Vision only works inside Enc; if you do not use Enc, turn Vision off (leave flow empty)
Xray server config block; write down the values generated on the command line in a text editor.
To keep this short, only the inbounds section is shown; for the rest, see the earlier article on Xray installation and the config file.
```json
{
  "inbounds": [
    {
      "port": 2087, // a port supported by the CDN
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "", // generate with: xray uuid
            "flow": "xtls-rprx-vision" // leave empty if Enc is not enabled
          }
        ],
        // generate with: xray vlessenc, take the block "Authentication: ML-KEM-768, Post-Quantum"
        "decryption": "dec" // fill in the decryption value; "none" if Enc is not enabled
      },
      "streamSettings": {
        "network": "ws", // transport layer: WebSocket
        "wsSettings": {
          "path": "/path", // custom WS path, e.g. the tail half of the UUID; must start with "/"
          "host": "" // leave host empty
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "<yourdomain>", // SNI domain: the hostname the CDN proxies to this origin
          "alpn": ["h2", "http/1.1"],
          "minVersion": "1.2",
          "certificates": [
            {
              "certificateFile": "./cert.crt", // certificate path
              "keyFile": "./cert.key" // private key path
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"],
        "routeOnly": false
      }
    }
  ]
}
```
To debug the node, enter these parameters in V2RayN according to the configuration.
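Before touching a client, it is worth confirming that the edge can actually reach this inbound. The following probe is an added example, not part of the tutorial and not Xray's or mihomo's code: it opens TLS to a Cloudflare edge IP with your domain as SNI, sends the HTTP/1.1 Upgrade a WebSocket client would send, and explains the status code that comes back. The 5xx codes it maps are Cloudflare's documented origin-side errors, which also tells you when the SSL mode from the previous section is wrong (525 is what a Full mode handshake failure against a non-TLS port looks like). The edge IP, port, domain and path on the command line are yours; everything except `probe()` runs offline on constructed bytes.

```python
"""Probe a WebSocket inbound through a Cloudflare edge.

Added example; not part of the tutorial and not Xray's or mihomo's code.
The edge IP, domain and path are yours; only probe() touches the network.
"""
import base64
import hashlib
import os
import socket
import ssl
import sys

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 magic string

# Cloudflare 5xx codes that mean the edge could not complete the origin pull
CF_ORIGIN_ERRORS = {
    521: "origin refused the TCP connection: is the inbound listening on this port?",
    522: "TCP connection to the origin timed out: firewall, or the A record points elsewhere",
    523: "origin unreachable",
    524: "origin accepted the connection but did not answer in time",
    525: "TLS handshake with the origin failed: SSL mode is Full but nothing speaks TLS on that port",
    526: "origin certificate rejected: SSL mode is Full (strict) and the certificate is not trusted",
    530: "Cloudflare edge error; the body carries a 1xxx code",
}


def new_ws_key() -> str:
    return base64.b64encode(os.urandom(16)).decode()


def build_ws_upgrade(host: str, path: str, key: str) -> bytes:
    """Upgrade request as the client sends it; Host must be the SNI for the edge to route it."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode()


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a real WebSocket server returns for this key (RFC 6455 4.2.2)."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def parse_head(raw: bytes) -> tuple:
    """Status code and lower-cased headers from the response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(raw: bytes, key: str) -> tuple:
    """Turn the edge's answer into a diagnosis of the client -> edge -> origin path."""
    code, headers = parse_head(raw)
    if code == 101:
        if headers.get("sec-websocket-accept") != expected_accept(key):
            return code, "101 but Sec-WebSocket-Accept is wrong: not a real WebSocket endpoint"
        return code, "edge reached the origin and the inbound accepted the upgrade"
    if code in CF_ORIGIN_ERRORS:
        return code, CF_ORIGIN_ERRORS[code]
    if 400 <= code < 500:
        return code, ("rejected before or at the origin: check that path and Host match the inbound "
                      "and that the hostname is proxied (orange cloud on) in this zone")
    return code, "unexpected status"


def probe(edge_ip: str, port: int, sni: str, path: str, timeout: float = 5.0) -> tuple:
    """Network step: TLS to the edge with the domain as SNI, then one Upgrade request."""
    ctx = ssl.create_default_context()  # verifies the edge certificate against the SNI
    key = new_ws_key()
    with socket.create_connection((edge_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            tls.sendall(build_ws_upgrade(sni, path, key))
            raw = tls.recv(4096)
    return classify(raw, key)


if __name__ == "__main__":
    # usage: python ws_probe.py <edge_ip> <port> <your.domain> </path>
    edge, port, sni, path = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    print(probe(edge, port, sni, path))
```

A 101 with a correct Sec-WebSocket-Accept proves the whole chain (edge, origin pull, TLS on the inbound port, path) before any VLESS bytes flow; a 4xx usually means the path or Host is off or the hostname is still DNS-only, and a 525/526 points at the SSL mode setting rather than at Xray.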
Mihomo: Vless enc-Vision-TLS-WS
Mihomo client node configuration
```yaml
proxies:
  - name: "Enc-TLS-WS-CDN"
    type: vless
    server: "ip"                 # the CDN edge IP (a preferred Cloudflare IP), not the origin
    port: 2087                   # same as the server inbound above; Cloudflare pulls from the origin on the port the client used
    udp: true
    uuid: "uuid"
    flow: "xtls-rprx-vision"     # fill in if Enc is enabled; otherwise leave empty
    tls: true
    servername: ""               # SNI domain: the hostname the CDN proxies to the origin
    client-fingerprint: chrome
    skip-cert-verify: false      # recommended value is false
    encryption: ""               # the encryption value generated by xray vlessenc
    network: "ws"                # transport layer
    ws-opts:
      path: "/path"              # same path as the server
      headers:
        Host: "domain"           # required; same value as the SNI
```
gRPC
https://xtls.github.io/config/transports/grpc.html
gRPC is built on HTTP/2 and, unlike WS, multiplexes streams, which can lower latency.
Cloudflare likes to cut long-lived gRPC connections; in my tests mihomo would disconnect, while Xray has a health check, but Xray already has XHTTP, so gRPC is no longer recommended.
Vless enc-Vision-TLS-XHTTP
XHTTP has many flexible configurations; this is the recommended one.
Compared with WS, only the transport-layer configuration changes.
Server-side streamSettings:
```json
"streamSettings": {
  "network": "xhttp",
  "xhttpSettings": {
    "host": "",
    "path": "/path", // custom path
    "mode": "auto"
  },
  "security": "tls",
  "tlsSettings": {
    "serverName": "<domain>", // Server Name Indication: the hostname the CDN proxies to this origin
    "alpn": ["h2", "http/1.1", "h3"],
    "minVersion": "1.2",
    "certificates": [
      {
        "certificateFile": "./cert.crt", // certificate path
        "keyFile": "./cert.key" // private key path
      }
    ]
  }
},
```
mode: auto adapts to whatever mode the client uses.
On the client, set Host the same as the SNI and choose mode stream-one to traverse the CDN smoothly.
Fields to fill in V2RayN
- Address: server address; when going through the CDN, the CDN IP
- Port: port number (same as the server inbound)
- UUID: client UUID
- Flow: fill in if VLESS encryption is enabled, otherwise leave empty on both ends
- Encryption: inner encryption; "none" when not enabled
- Mux: mux.cool multiplexing, incompatible with XHTTP, must be set to "off"
- Transport: transport protocol, xhttp
- xhttp mode: XHTTP mode; recommended value `Stream-one` (bidirectional stream)
- Host: same as the SNI
- Path: same path as the server
- TLS SNI: the certificate's domain
- Alpn: h2 + http/1.1
mihomo may support XHTTP in the future; it will be added here when it does.
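The WS and XHTTP sections above state a handful of rules that both ends must satisfy (CDN port, TLS only, identical path, Host equal to SNI, Vision only inside Enc, Enc on both ends or neither, Mux off for XHTTP). The script below turns them into one check. It is an added example, not the tutorial's or Xray's/mihomo's code: `SERVER_JSON` is a constructed Xray inbound in the shape of the ones above (Xray's loader accepts `//` comments, so they are stripped first), and `GOOD_CLIENT` is a constructed client node whose key names are this example's own, standing in for the mihomo node or V2RayN form.

```python
"""Consistency check for a VLESS inbound behind Cloudflare and its client node.

Added example, not the tutorial's or Xray's/mihomo's code. SERVER_JSON and
GOOD_CLIENT are constructed; the client key names are this example's own.
"""
import json

CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}  # Cloudflare HTTPS ports listed above
CDN_TRANSPORTS = {"ws", "grpc", "xhttp"}

SERVER_JSON = """{
  "inbounds": [{
    "port": 2087, // CDN-supported port
    "protocol": "vless",
    "settings": {
      "clients": [{ "id": "<uuid from xray uuid>", "flow": "xtls-rprx-vision" }],
      "decryption": "<value from xray vlessenc>" // anything but "none" means Enc is on
    },
    "streamSettings": {
      "network": "ws", "wsSettings": { "path": "/abcd", "host": "" },
      "security": "tls", "tlsSettings": { "serverName": "proxy.example.com" }
    }
  }]
}"""

GOOD_CLIENT = {
    "port": 2087,                       # edge port; Cloudflare pulls from the origin on the same port
    "flow": "xtls-rprx-vision",
    "encryption": "<value from xray vlessenc>",
    "servername": "proxy.example.com",  # SNI
    "skip_cert_verify": False,
    "network": "ws",
    "path": "/abcd",
    "host": "proxy.example.com",        # Host header
    "mux": False,                       # mux.cool
}


def strip_json_comments(text: str) -> str:
    """Drop // comments outside string literals, so a value like "http://x//y" survives."""
    out, in_str, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
            i += 1
        elif ch == '"':
            in_str = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl  # the newline itself is kept
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def check_pair(server_json: str, client: dict) -> list:
    """Every mismatch that would break client -> CDN edge -> origin."""
    inbound = json.loads(strip_json_comments(server_json))["inbounds"][0]
    stream = inbound["streamSettings"]
    network = stream.get("network")
    transport = stream.get(f"{network}Settings", {})  # wsSettings / xhttpSettings
    server_flow = inbound["settings"]["clients"][0].get("flow", "")
    enc_on = inbound["settings"].get("decryption", "none") not in ("", "none")
    client_enc_on = client["encryption"] not in ("", "none")
    findings = []
    if inbound["port"] not in CF_HTTPS_PORTS:
        findings.append(f"server port {inbound['port']} is not a Cloudflare HTTPS port")
    if client["port"] != inbound["port"]:
        findings.append("client port differs from the inbound port; the edge pulls from the origin on the port the client used")
    if stream.get("security") != "tls":
        findings.append("security layer must be tls behind the CDN")
    if network not in CDN_TRANSPORTS:
        findings.append(f"transport {network!r} cannot be carried by the CDN")
    if client["network"] != network:
        findings.append(f"client transport {client['network']!r} != server transport {network!r}")
    if network in ("ws", "xhttp") and client["path"] != transport.get("path"):
        findings.append(f"path mismatch: client {client['path']!r}, server {transport.get('path')!r}")
    if client["host"] != client["servername"]:
        findings.append("Host header must equal the SNI so the edge routes both to the same zone")
    if client["skip_cert_verify"]:
        findings.append("skip-cert-verify is on; the edge presents a valid certificate, keep verification")
    if client["flow"] != server_flow:
        findings.append("flow must be identical on both ends")
    if server_flow and not enc_on:
        findings.append("flow is set without VLESS encryption; Vision rides only inside Enc")
    if client_enc_on != enc_on:
        findings.append("VLESS encryption is enabled on one side only")
    if network == "xhttp" and client["mux"]:
        findings.append("mux.cool is incompatible with xhttp; turn Mux off")
    return findings


if __name__ == "__main__":
    print("good:", check_pair(SERVER_JSON, GOOD_CLIENT))  # []
    bad = dict(GOOD_CLIENT, port=443, path="/", host="cdn.example.com")
    print("bad:", *check_pair(SERVER_JSON, bad), sep="\n  ")
```

Point it at your real config.json and node by replacing the two constants; an empty list means the two ends agree on everything this page asks for, and each finding names the field to fix.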
Vless enc-Vision-TLS-WS with multiplexing
mihomo does not support mux.cool, Xray's multiplexing protocol, so to use multiplexing the server side has to be switched to mihomo as well (smux on both ends).
mihomo server install script
Install path: /opt/mihomo
Config file path: /opt/mihomo/config.yaml
```bash
#!/bin/bash
# exit on the first error
set -e
echo -e "\033[31mjq is required: apt install jq\033[0m"

# release source
REPO="MetaCubeX/mihomo"
PLATFORM_TAG="linux-amd64-v2"
RESULT="mihomo-core"

# install path
WORK_DIR="/opt/mihomo"
mkdir -p "$WORK_DIR"
echo "Created working directory at $WORK_DIR"
cd "$WORK_DIR" || { echo "can not cd to $WORK_DIR"; exit 1; }

echo "Getting release version from $REPO ..."
# one API call; both the tag and the asset list are read from it
RELEASE_JSON=$(curl -s "https://api.github.com/repos/$REPO/releases/latest")
VERSION=$(echo "$RELEASE_JSON" | jq -r .tag_name)
if [ -z "$VERSION" ] || [ "$VERSION" == "null" ]; then
  echo "Could not fetch the latest version; check the network connection."
  exit 1
fi
echo "The latest version is $VERSION"

if [ -x "$WORK_DIR/$RESULT" ] && "$WORK_DIR/$RESULT" -v | grep -q "$VERSION"; then
  echo "mihomo is already at the latest version: $VERSION"
  exit 0
fi

# resulting name, e.g. mihomo-linux-amd64-v2-v1.19.18.gz
TARGET_FILE="mihomo-${PLATFORM_TAG}-${VERSION}.gz"
echo "Target file: $TARGET_FILE"

# look up that file name among the release assets
DOWNLOAD_URL=$(echo "$RELEASE_JSON" | \
  jq -r ".assets[] | select(.name == \"$TARGET_FILE\") | .browser_download_url")

if [ -z "$DOWNLOAD_URL" ] || [ "$DOWNLOAD_URL" == "null" ]; then
  echo "Error: $TARGET_FILE not found among the release assets"
  exit 1
fi
echo "Downloading: $DOWNLOAD_URL"

# download and unpack; with set -e any failing step aborts the script here
curl -L -o "$TARGET_FILE" "$DOWNLOAD_URL"
gunzip -f "$TARGET_FILE"
mv mihomo-linux-* "$RESULT"
chmod +x "$RESULT"
echo "OK"

# create the systemd service unit
echo "Creating systemd service unit..."
SERVICE_NAME="mihomo"
NAME="mihomo.service"
SERVICE_FILE="$WORK_DIR/${SERVICE_NAME}.service"
# $WORK_DIR is meant to expand here; $MAINPID is escaped so that systemd, not this shell, expands it
tee "$SERVICE_FILE" > /dev/null <<EOF
[Unit]
Description=mihomo server.
After=network.target NetworkManager.service systemd-networkd.service iwd.service

[Service]
Type=simple
LimitNPROC=500
LimitNOFILE=1000000
# no User= line, so the service runs as root; the bounding set trims the capabilities it keeps
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
Restart=always
ExecStartPre=/usr/bin/sleep 1s
ExecStart=$WORK_DIR/mihomo-core -d $WORK_DIR
ExecReload=/bin/kill -HUP \$MAINPID

[Install]
WantedBy=multi-user.target
EOF

# install and start the service
cp "$SERVICE_FILE" /etc/systemd/system/
systemctl daemon-reload
sleep 1
systemctl enable "$NAME"
systemctl restart "$NAME"
echo "OK"
sleep 2
systemctl status "$NAME"
```
Inbound
Because mihomo has a safety mechanism that refuses to read files outside its working directory,
copy the SSL certificate and key into the /opt/mihomo working directory.
Inbound part only; see the official documentation for the DNS, rules and other sections.
https://wiki.metacubex.one/config/inbound/listeners/vless/
```yaml
listeners:
  # VLess-Enc+VISION+TLS+WS
  - name: "vless-in"
    type: vless
    port: 8443
    listen: "0.0.0.0"
    users:
      - username: 1
        uuid: ""                  # generate with xray uuid
        flow: "xtls-rprx-vision"
    ws-path: "/p"                 # transport layer ws-path
    decryption: ""                # generate with xray vlessenc
    certificate: "./cert.crt"     # certificate
    private-key: "./cert.key"     # private key
```
Client outbound
```yaml
  - name: "VLess-Enc+VISION+TLS+WS"
    type: vless
    server: "ip"                  # preferred (selected) Cloudflare IP
    port: 8443
    udp: true
    uuid: "uuid"
    flow: "xtls-rprx-vision"      # fill in if Enc is on; otherwise leave empty
    tls: true
    alpn:
      - http/1.1
    skip-cert-verify: false
    servername: ""                # SNI domain
    encryption: ""                # generated by xray vlessenc
    network: "ws"
    ws-opts:
      path: "/p"                  # must equal the server's ws-path
      headers:
        Host: "domain"            # required; same as the SNI
    smux:
      enabled: true               # enable multiplexing
      protocol: smux
      max-connections: 4
      min-streams: 4
      max-streams: 0
```
Preferred IP tutorial
You can find any number of "preferred" Cloudflare domains by searching.
Resolve the preferred domains; two examples:
ct.877774.xyz
telecom.cnae.cnae.cnae.cnae.cnae.cname.cf.468123.xyz
Those that ping with low latency and good numbers can serve as the entry point.
Batch speed testing
https://github.com/XIU2/CloudflareSpeedTest
Using the XIU2/CloudflareSpeedTest project as the demonstration.
Put the resolved addresses of the preferred domains into ip.txt, appending /24 to test the whole block:
```text
# example entry
104.18.41.190/24
```
Run in the terminal:
```bash
cfst -dd -tp 443 -tl 200 -f ip.txt --allip
```
Parameter explanation:
- -dd: disable the download test and measure latency only, to save time
- -tp 443: target TCP port 443
- -tl 200: latency upper limit, in ms
- -f ip.txt: the IP data file
- --allip: test every address in each /24 range
Pick one of the better IPs and put it in the node's server field.
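To make the steps of that run visible, here is the same procedure (parse ip.txt, widen to /24, one TCP handshake per address on 443, drop anything over the -tl limit, sort) in plain Python. It is an added example, not the XIU2/CloudflareSpeedTest tool and not part of the tutorial; `SAMPLE_IP_TXT` is a constructed stand-in for ip.txt. Where cfst samples one random address per /24 when --allip is absent, this version takes the first host; that choice is this example's own. Like `-dd`, it measures the handshake to the anycast edge only, which says nothing about the edge-to-origin leg.

```python
"""Rank Cloudflare edge IPs by TCP connect latency.

Added example, not the XIU2/CloudflareSpeedTest tool and not part of the
tutorial; SAMPLE_IP_TXT is a constructed stand-in for ip.txt.
"""
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Optional

SAMPLE_IP_TXT = """
# entries may be bare IPs or CIDR blocks; the duplicate block below is dropped
104.18.41.190/24
162.159.39.13
172.64.229.173/24
104.18.41.190/24
"""


def parse_ip_file(text: str) -> list:
    """Bare IPs and CIDR lines; blanks and # comments skipped; duplicates dropped, order kept."""
    seen, nets = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # 104.18.41.190/24 -> 104.18.41.0/24
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets


def expand(nets, all_ips: bool) -> list:
    """--allip: every host of each block; otherwise one address per block (first host here)."""
    out = []
    for net in nets:
        if net.num_addresses == 1:
            out.append(str(net.network_address))
        elif all_ips:
            out.extend(str(h) for h in net.hosts())
        else:
            out.append(str(net.network_address + 1))
    return out


def tcp_latency_ms(ip: str, port: int, timeout: float = 1.0) -> Optional[float]:
    """Time one TCP handshake to ip:port (-tp); None on refusal or timeout."""
    start = time.perf_counter()
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            pass
    except OSError:
        return None
    return (time.perf_counter() - start) * 1000.0


def rank(results: dict, limit_ms: float) -> list:
    """Keep addresses that answered within -tl, best first."""
    kept = [(ip, ms) for ip, ms in results.items() if ms is not None and ms <= limit_ms]
    return sorted(kept, key=lambda item: item[1])


def speedtest(ips, port: int = 443, limit_ms: float = 200.0, workers: int = 64) -> list:
    """Measure every candidate concurrently, then filter and sort."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        latencies = pool.map(lambda ip: tcp_latency_ms(ip, port), ips)
        results = dict(zip(ips, latencies))
    return rank(results, limit_ms)


if __name__ == "__main__":
    candidates = expand(parse_ip_file(SAMPLE_IP_TXT), all_ips=True)
    print(f"testing {len(candidates)} addresses on 443 ...")
    for ip, ms in speedtest(candidates)[:10]:
        print(f"{ip:<16} {ms:6.1f} ms")
```

Replace `SAMPLE_IP_TXT` with the contents of your own ip.txt; the top entries of the printed list are the candidates for the node's server field, and a second run a few hours later shows how stable a given edge address is from your network.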
Here are some of the usable results from my tests:
---- China Telecom ----
162.159.39.13
104.18.40.152
104.18.41.190
162.159.44.27
104.18.41.190
172.64.229.173
172.64.229.195
---- China Mobile ----
172.64.146.66
172.64.153.209
104.25.243.2
172.64.153.47
104.25.254.199
There are other places to get preferred IPs as well.
With gratitude
Along this stretch of the learning journey I have felt everyone's tremendous support; thanks to @宋哈娜 and to the Project X community.
- Project X https://t.me/projectXray
By the time I wrote the last line it was already 4 a.m. on March 3, meow~