Architecture overview
Browser
│
└── https://mydomain.com (443) → Nginx → serves the custom page /var/www/proxy/index.html
VLESS client
│
└── mydomain.com:8443 → Nginx → forwarded to 127.0.0.1:10086 (Xray)
✅ 1. Prerequisites
Ubuntu 20.04/22.04 cloud server (1 vCPU, 1 GB RAM or more)
Domain mydomain.com already resolving to the server's IP
Firewall ports opened: 80, 443, 8443
(Ubuntu and other mainstream distributions, using ufw; allow your SSH port first, or enabling ufw can lock you out):
sudo ufw status verbose
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 8443/tcp
sudo ufw enable
(some Linux distributions, using firewalld):
sudo firewall-cmd --list-ports
sudo firewall-cmd --zone=public --add-port=80/tcp --add-port=443/tcp --add-port=8443/tcp --permanent
sudo firewall-cmd --reload
Check whether any of these ports are already in use
sudo ss -tulnp | grep -E ':80|:443|:8443'
✅ 2. Install the required software
Update the system
sudo apt update && sudo apt upgrade -y
Install Nginx + Certbot
sudo apt install nginx certbot python3-certbot-nginx -y
Install Xray (official one-line installer)
sudo bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
✅ 3. Deploy the decoy website
sudo mkdir -p /var/www/proxy
echo '<h1>Hello, world! Study hard.</h1>' | sudo tee /var/www/proxy/index.html > /dev/null
Make sure the nginx user (usually www-data) can read it
sudo chmod -R 755 /var/www/proxy
sudo chown -R www-data:www-data /var/www/proxy
✅ 4. Obtain an SSL certificate (Let's Encrypt)
sudo certbot --nginx -d mydomain.com --register-unsafely-without-email --agree-tos
(Without a registered e-mail address you get no expiry warnings, so the renewal check in section 9 matters.)
Check the certificate
ls -l /etc/letsencrypt/live/mydomain.com/
✅ 5. Configure Nginx (/etc/nginx/sites-available/default)
cat << 'EOF' | sudo tee /etc/nginx/sites-available/default > /dev/null
# =============== Main site: port 443 (for browsers) ===============
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mydomain.com;
    # SSL certificate
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    # TLS hardening (shared with the 8443 vhost)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:DHE+AESGCM;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Decoy site root
    root /var/www/proxy;
    index index.html;
    # Every request serves the static site (the /proxy path is not exposed here)
    location / {
        try_files $uri $uri/ =404;
    }
    # Optional: hide the proxy path, deny direct access on 443
    location /proxy {
        return 404;
    }
    # Security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy no-referrer;
    access_log /var/log/nginx/main_access.log;
    error_log /var/log/nginx/main_error.log;
}
# =============== Proxy only: port 8443 (for Xray clients) ===============
server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name mydomain.com;
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:DHE+AESGCM;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Only the /proxy path is allowed; everything else returns 404
    location / {
        return 404;
    }
    location /proxy {
        proxy_pass http://127.0.0.1:10086;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    access_log /var/log/nginx/proxy_access.log;
    error_log /var/log/nginx/proxy_error.log;
}
# =============== HTTP to HTTPS redirect (to 443) ===============
server {
    listen 80;
    listen [::]:80;
    server_name mydomain.com;
    return 301 https://$host$request_uri; # default redirect goes to 443
}
EOF
Test the config and reload Nginx
sudo nginx -t && sudo systemctl reload nginx
✅ 6. Configure Xray (/usr/local/etc/xray/config.json)
*Kill any running xray processes (if xray-agent or x-ui was installed before)
sudo pkill -f xray
*List xray-related processes
ps aux | grep xray | grep -v grep
Create the config file
cat << 'EOF' | sudo tee /usr/local/etc/xray/config.json > /dev/null
{
  "inbounds": [
    {
      "port": 10086,
      "listen": "127.0.0.1",
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "你的UUID"
          }
        ],
        "decryption": "none",
        "fallbacks": []
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/proxy"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}
EOF
🔑 Replace "你的UUID" (your UUID) with a real UUID; generate one with xray uuid:
/usr/local/bin/xray uuid
systemd unit tuning, /etc/systemd/system/xray.service (show the current unit with: cat /etc/systemd/system/xray.service)
[Unit]
Description=Xray Service
Documentation=https://github.com/xtls
After=network.target nss-lookup.target
[Service]
User=nobody
Group=nogroup
ExecStart=/usr/local/bin/xray run -config /usr/local/etc/xray/config.json
Restart=on-failure
RestartSec=5s
LimitNOFILE=65536
LimitNPROC=4096
NoNewPrivileges=true
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
Reload systemd
sudo systemctl daemon-reload
Test the config and restart
/usr/local/bin/xray run -test -config /usr/local/etc/xray/config.json
sudo systemctl restart xray
Follow the live log
sudo journalctl -u xray -f --no-pager
Enable start on boot
sudo systemctl enable --now xray nginx
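The Nginx config from section 5 and the Xray config from section 6 have to agree on three things: the loopback upstream (127.0.0.1:10086), the WebSocket path (/proxy), and which port Nginx exposes that path on (8443, not the 443 decoy vhost). The script below is an added example for this guide, not code from the guide itself or from the Xray or Nginx projects. It embeds constructed copies of both configs in the same shape as the ones above (the UUID in it is made up), cross-checks them, flags a VLESS inbound that is not bound to loopback and a client id that is still a placeholder, and reports the port a client must connect to. The `audit` function and the brace-matching `_blocks` helper are my own; they assume plain prefix `location` headers (no regex locations) and that no Nginx comment contains the words `server` or `location`.

```python
"""Cross-check the Xray VLESS inbound against the Nginx reverse-proxy vhosts.

Added illustration for this guide; the sample configs below are constructed
to mirror the guide's layout and are not read from the real files.
"""
import json
import re
import uuid

# Constructed sample inputs (same shape as the guide's config.json and Nginx site file;
# the UUID is made up for the example).
SAMPLE_XRAY_JSON = """
{
  "inbounds": [{
    "port": 10086,
    "listen": "127.0.0.1",
    "protocol": "vless",
    "settings": {"clients": [{"id": "2d1c9a6e-5b7f-4c21-9b0e-8f3a1d2c4e5f"}], "decryption": "none"},
    "streamSettings": {"network": "ws", "wsSettings": {"path": "/proxy"}}
  }],
  "outbounds": [{"protocol": "freedom"}]
}
"""

SAMPLE_NGINX_CONF = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mydomain.com;
    root /var/www/proxy;
    location / { try_files $uri $uri/ =404; }
    location /proxy { return 404; }
}
server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name mydomain.com;
    location / { return 404; }
    location /proxy {
        proxy_pass http://127.0.0.1:10086;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def _blocks(text, keyword):
    """Yield (header, body) for each `keyword header { body }` block by matching braces.
    Assumes plain prefix headers and that comments do not contain the keyword."""
    pattern = re.compile(r"\b" + keyword + r"\b([^{;]*)\{")
    pos = 0
    while True:
        m = pattern.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]
        pos = m.end()


def _listen_ports(server_body):
    """Ports from `listen 443 ...;` and `listen [::]:443 ...;` directives."""
    return {int(p) for p in re.findall(r"\blisten\s+(?:\[::\]:)?(\d+)", server_body)}


def _proxy_target(location_body):
    m = re.search(r"\bproxy_pass\s+(\S+?);", location_body)
    return m.group(1) if m else None


def audit(xray_json, nginx_conf):
    """Return {'problems': [...], 'client_port': int or None, 'ws_path': str or None}."""
    problems = []
    cfg = json.loads(xray_json)
    vless = [ib for ib in cfg.get("inbounds", []) if ib.get("protocol") == "vless"]
    if len(vless) != 1:
        return {"problems": ["xray: expected exactly one VLESS inbound"], "client_port": None, "ws_path": None}
    ib = vless[0]
    if ib.get("listen") not in LOOPBACK:
        problems.append("xray: VLESS inbound must listen on loopback only; Nginx is the sole public entry point")
    for client in ib.get("settings", {}).get("clients", []):
        try:
            uuid.UUID(str(client.get("id", "")))
        except ValueError:
            problems.append("xray: client id %r is not a valid UUID (placeholder left in place?)" % client.get("id"))
    stream = ib.get("streamSettings", {})
    if stream.get("network") != "ws":
        problems.append("xray: transport is not WebSocket, so the Nginx Upgrade proxying will never match")
    ws_path = stream.get("wsSettings", {}).get("path")
    upstream = "http://%s:%s" % (ib.get("listen"), ib.get("port"))

    client_port = None
    for _, server_body in _blocks(nginx_conf, "server"):
        ports = _listen_ports(server_body)
        for loc, loc_body in _blocks(server_body, "location"):
            if _proxy_target(loc_body) != upstream:
                continue  # not the Xray forwarder (static site, 404, or another backend)
            if loc != ws_path:
                problems.append("nginx: forwards to Xray at location %r but Xray expects path %r" % (loc, ws_path))
            if "$http_upgrade" not in loc_body:
                problems.append("nginx: location %r lacks the Upgrade header, the WebSocket handshake will fail" % loc)
            if 443 in ports:
                problems.append("nginx: the 443 vhost forwards to Xray; the guide keeps 443 as a plain decoy site")
            if client_port is None and ports:
                client_port = min(ports)
    if client_port is None:
        problems.append("nginx: no location forwards to %s" % upstream)
    return {"problems": problems, "client_port": client_port, "ws_path": ws_path}


if __name__ == "__main__":
    result = audit(SAMPLE_XRAY_JSON, SAMPLE_NGINX_CONF)
    print("client port:", result["client_port"], "path:", result["ws_path"])
    for p in result["problems"]:
        print("PROBLEM:", p)
```

To run it against the live server, pass the contents of /usr/local/etc/xray/config.json and /etc/nginx/sites-available/default to audit(); an empty problems list together with client_port 8443 and ws_path /proxy is exactly the layout the client table in section 7 expects.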
✅ 7. Client configuration (VLESS)
| Field | Value |
|---|---|
| Type | VLESS |
| Address | mydomain.com |
| Port | 8443 (the proxy vhost; 443 only serves the decoy site) |
| UUID | 你的UUID (your UUID) |
| Encryption | none |
| Transport | WebSocket |
| Path | /proxy |
| TLS | ✅ enabled |
| SNI | mydomain.com |
✅ 8. Verification
Browser: open https://mydomain.com → the normal web page is shown ✅ (https://mydomain.com/proxy should return 404)
Client: connects and traffic is proxied ✅
🔄 9. Routine maintenance
Service status:
systemctl status xray nginx
Update Xray:
sudo bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
Automatic certificate renewal (Certbot sets up a timer/cron job by default):
sudo certbot renew --dry-run # test the renewal
perfect