THE NEXT FUTURE
Server side implementation of REALITY protocol, a fork of package tls in latest Go. For client side, please follow https://github.com/XTLS/Xray-core/blob/main/transport/internet/reality/reality.go.
TODO List: TODO
VLESS-XTLS-uTLS-REALITY example for Xray-core
中文 | English
{
"inbounds": [ // 服务端入站配置
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "", // 必填,执行 ./xray uuid 生成,或 1-30 字节的字符串
"flow": "xtls-rprx-vision" // 选填,若有,客户端必须启用 XTLS
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // 选填,若为 true,输出调试信息
"dest": "example.com:443", // 必填,格式同 VLESS fallbacks 的 dest
"xver": 0, // 选填,格式同 VLESS fallbacks 的 xver
"serverNames": [ // 必填,客户端可用的 serverName 列表,暂不支持 * 通配符
"example.com",
"www.example.com"
],
"privateKey": "", // 必填,执行 ./xray x25519 生成
"minClientVer": "", // 选填,客户端 Xray 最低版本,格式为 x.y.z
"maxClientVer": "", // 选填,客户端 Xray 最高版本,格式为 x.y.z
"maxTimeDiff": 0, // 选填,允许的最大时间差,单位为毫秒
"shortIds": [ // 必填,客户端可用的 shortId 列表,可用于区分不同的客户端
"", // 若有此项,客户端 shortId 可为空
"0123456789abcdef" // 0 到 f,长度为 2 的倍数,长度上限为 16
]
}
}
}
]
}
若用 REALITY 取代 TLS,可消除服务端 TLS 指纹特征,仍有前向保密性等,且证书链攻击无效,安全性超越常规 TLS
可以指向别人的网站,无需自己买域名、配置 TLS 服务端,更方便,实现向中间人呈现指定 SNI 的全程真实 TLS
通常代理用途,目标网站最低标准:国外网站,支持 TLSv1.3 与 H2,域名非跳转用(主域名可能被用于跳转到 www)
加分项:IP 相近(更像,且延迟低),Server Hello 后的握手消息一起加密(如 dl.google.com),有 OCSP Stapling
配置加分项:禁回国流量,TCP/80、UDP/443 也转发(REALITY 对外表现即为端口转发,目标 IP 冷门或许更好)
REALITY 也可以搭配 XTLS 以外的代理协议使用,但不建议这样做,因为它们存在明显且已被针对的 TLS in TLS 特征
REALITY 的下一个主要目标是“预先构建模式”,即提前采集目标网站特征,XTLS 的下一个主要目标是 0-RTT
{
"outbounds": [ // 客户端出站配置
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "", // 服务端的域名或 IP
"port": 443,
"users": [
{
"id": "", // 与服务端一致
"flow": "xtls-rprx-vision", // 与服务端一致
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // 选填,若为 true,输出调试信息
"fingerprint": "chrome", // 必填,使用 uTLS 库模拟客户端 TLS 指纹
"serverName": "", // 服务端 serverNames 之一
"publicKey": "", // 服务端私钥对应的公钥
"shortId": "", // 服务端 shortIds 之一
"spiderX": "" // 爬虫初始路径与参数,建议每个客户端不同
}
}
}
]
}
REALITY 客户端应当收到由“临时认证密钥”签发的“临时可信证书”,但以下三种情况会收到目标网站的真证书:
- REALITY 服务端拒绝了客户端的 Client Hello,流量被导入目标网站
- 客户端的 Client Hello 被中间人重定向至目标网站
- 中间人攻击,可能是目标网站帮忙,也可能是证书链攻击
REALITY 客户端可以完美区分临时可信证书、真证书、无效证书,并决定下一步动作:
- 收到临时可信证书时,连接可用,一切如常
- 收到真证书时,进入爬虫模式
- 收到无效证书时,TLS alert,断开连接
from https://github.com/XTLS/REALITY
-------
搭建Xray的Reality协议
若用 REALITY 取代 TLS,可消除服务端 TLS 指纹特征,仍有前向保密性等,且证书链攻击无效,安全性超越常规 TLS,
可以指向别人的网站,无需自己买域名、配置 TLS 服务端,更方便,实现向中间人呈现指定 SNI 的全程真实 TLS。
安装Xray:
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install --beta
生成uuid
cd /usr/local/bin/
./xray uuid
生成公钥私钥
./xray x25519
配置Xray:
配置文件示例如下(可以复制到电脑文本文件里修改)
{ "inbounds": [ // 服务端入站配置 { "listen": "0.0.0.0", "port": 443, "protocol": "vless", "settings": { "clients": [ { "id": "刚才生产的uuid", //必填,执行 ./xray uuid 生成,或 1-30 字节的字符串 "flow": "xtls-rprx-vision" // 选填,若有,客户端必须启用 XTLS } ], "decryption": "none" }, "streamSettings": { "network": "tcp", "security": "reality", "realitySettings": { "show": false, // 选填,若为 true,输出调试信息 "dest": "www.amazon.com:443", // 必填,格式同 VLESS fallbacks 的 dest "xver": 0, // 选填,格式同 VLESS fallbacks 的 xver "serverNames": [ // 必填,客户端可用的 serverName 列表,暂不支持 * 通配符 "amazon.com", "www.amazon.com" ], "privateKey": "刚才生成的私钥Private key", // 必填,执行 ./xray x25519 生成, "minClientVer": "", // 选填,客户端 Xray 最低版本,格式为 x.y.z "maxClientVer": "", // 选填,客户端 Xray 最高版本,格式为 x.y.z "maxTimeDiff": 0, // 选填,允许的最大时间差 "shortIds": [ // 必填,客户端可用的 shortId 列表,可用于区分不同的客户端 "", // 若有此项,客户端 shortId 可为空,openssl rand -hex 8生成 "0123456789abcdef" // 0 到 f,长度为 2 的倍数,长度上限为 16 ] } } } ], "outbounds": [ { "protocol": "freedom", "tag": "direct" }, { "protocol": "blackhole", "tag": "blocked" } ] }
设置配置文件
nano /usr/local/etc/xray/config.json
把刚才的配置文件黏贴进去,Ctrl X 退出,按y确认。
配置完成后,运行下列命令执行
systemctl restart xray
客户端配置
微软安卓客户端可以用v2rayN,v2rayNG,苹果客户端可以用Shadowrocket、FoXray
通常代理用途,目标网站最低标准:国外网站,支持 TLSv1.3 与 H2,域名非跳转用(主域名可能被用于跳转到 www)
加分项:IP 相近(更像,且延迟低),Server Hello 后的握手消息一起加密(如 dl.google.com),有 OCSP Stapling
配置加分项:禁回国流量,TCP/80、UDP/443 也转发(REALITY 对外表现即为端口转发,目标 IP 冷门或许更好).
------------------------
The script supports multiple users and custom ports; supports the construction of vless+vision+reality and vless+h2/grpc+reality
The script supports CentOS 8+, Debian 10+, Ubuntu 20+ operating systems.
All codes are from official documentation;The script is completely open source,you can use it with confidence!
Script installation
Debian && Ubuntu
apt update && apt -y install curl
CentOS
yum update && yum -y install curl
Install
bash <(curl -L https://raw.githubusercontent.com/TinrLin/Reality--build-tutorial/main/Install.sh)
Manual installation
Install the sing-box program
- Debian && Ubuntu
- AMD
apt -y update && apt -y install wget && wget -c "https://github.com/SagerNet/sing-box/releases/download/v1.3.0/sing-box-1.3.0-linux-amd64.tar.gz" -O - | tar -xz -C /usr/local/bin --strip-components=1 && chmod +x /usr/local/bin/sing-box
- ARM
apt -y update && apt -y install wget && wget -c "https://github.com/SagerNet/sing-box/releases/download/v1.3.0/sing-box-1.3.0-linux-arm64.tar.gz" -O - | tar -xz -C /usr/local/bin --strip-components=1 && chmod +x /usr/local/bin/sing-box
- CentOS
- AMD
yum update && yum -y install wget && wget -c "https://github.com/SagerNet/sing-box/releases/download/v1.3.0/sing-box-1.3.0-linux-amd64.tar.gz" -O - | tar -xz -C /usr/local/bin --strip-components=1 && chmod +x /usr/local/bin/sing-box
- ARM
yum update && yum -y install wget && wget -c "https://github.com/SagerNet/sing-box/releases/download/v1.3.0/sing-box-1.3.0-linux-arm64.tar.gz" -O - | tar -xz -C /usr/local/bin --strip-components=1 && chmod +x /usr/local/bin/sing-box
Configure the systemd service of sing-box
wget -P /etc/systemd/system https://raw.githubusercontent.com/TinrLin/Reality--build-tutorial/main/sing-box.service
Download and modify the sing-box configuration file
- Vless+vision+Reality
mkdir -p /usr/local/etc/sing-box/ && wget -O /usr/local/etc/sing-box/config.json https://raw.githubusercontent.com/TinrLin/Reality--build-tutorial/main/vless_vision_reality_config.json
- Vless+h2+Reality
mkdir -p /usr/local/etc/sing-box/ && wget -O /usr/local/etc/sing-box/config.json https://raw.githubusercontent.com/TinrLin/Reality--build-tutorial/main/vless_h2_reality_config.json
- Vless+gRPC+Reality
mkdir -p /usr/local/etc/sing-box/ && wget -O /usr/local/etc/sing-box/config.json https://raw.githubusercontent.com/TinrLin/Reality--build-tutorial/main/vless_grpc_reality_config.json
Start and run sing-box
systemctl daemon-reload && systemctl enable --now sing-box && systemctl status sing-box
from https://github.com/dasunpamod/Reality--build-tutorial
----------------------------------------------------------------------------
基于 Sing-box 内核的 VLESS Reality 协议脚本.
sbox-reality
基于 Sing-box 内核的 VLESS Reality 协议脚本
wget -N --no-check-certificate https://raw.githubusercontent.com/Misaka-blog/sbox-reality/main/reality.sh && bash reality.sh
鸣谢
- BoxXt 的 Sing-box Reality 项目:https://github.com/BoxXt/installReality
from https://github.com/Misaka-blog/sbox-reality
----------------------------------------------------------
Reality 小白一键安装脚本.
Reality 小白一键安装脚本(目前仅提供meta客户端使用的配置文件)
English‘s Readme
如何使用脚本
- 系统仅支持: Ubuntu
- 登录vps
- 输入以下指令,并按照指令提示操作即可
sudo curl -o installReality.sh https://raw.githubusercontent.com/BoxXt/installReality/main/installReality.sh && sh ./installReality.sh
- 最终得到 Meta 的客户端配置文件,选用支持 Clash.meta 的客户端导入使用即可
- 脚本内已自动开启BBR加速
调试
#启动
systemctl start sing-box
#停止
systemctl stop sing-box
#强制停止
systemctl kill sing-box
#重启
systemctl restart sing-box
#实时日志
journalctl -u sing-box --output cat -f
客户端
能力有限目前暂时支持输出clash.meta客户端配置给到meta客户端使用,可使用客户端列表(待测试补充):
-
macOS: ClashX.Meta
- 需要更新内核版本为alpha最新版本。
-
Windows: Clash Verage
- 需要更新内核版本为alpha最新版本。
-
iOS:
-
Android: ClashMetaForAndroid
- 需要更新至最新版本。
from https://github.com/BoxXt/installReality
Install and configure vless with reality or TLS on your linux server by executing a single command!
TUIC and hysteria2 on sing-box is also supported!
This script:
- Installs docker with compose plugin in your server
- Generates docker-compose.yml and sing-box/xray configuration for vless protocol for reality and tls
- Generates docker-compose.yml and sing-box configuration for TUIC protocol with tls
- Generates docker-compose.yml and sing-box configuration for hysteria2 protocol with tls
- Create Cloudflare warp account and configure warp as outbound
- Generates client configuration string and QRcode
- Gets and renews valid certificate from Letsencrypt for TLS encryption
- Fine-tunes kernel tunables
- Is designed by taking security considerations into account to make the server undetectable
- Provides a Telegram bot to manage users from Telegram
Features:
- Generates client configuration string
- Generates client configuration QRcode
- You can choose between xray or sing-box core
- You can choose between reality or TLS security protocol
- You can use a Text-based user interface (TUI)
- You can create multiple user accounts
- You can regenerate configuration and keys
- You can change SNI domain
- You can change transport protocol (tcp, http, grpc, ws)
- You can change tunneling protocol (vless, TUIC, hysteria2, shadowtls)
- You can get valid TLS certificate with Letsencrypt
- You can block malware and adult contents
- Merges your custom advanced configuration
- Use Cloudflare WARP to hide your outbound traffic
- Supports Cloudflare warp+
- Install with a single command
- Telegram bot for user management
- Create backup from users and configuration
- Restore users and configuration from backup
Supported OS:
- Ubuntu 22.04
- Ubuntu 20.04
- Ubuntu 18.04
- Debian 11
- Debian 10
- CentOS Stream 9
- CentOS Stream 8
- CentOS 7
- Fedora 37
You can start using this script with default configuration by copy and paste the line below in terminal.
This command will configure sing-box
with reality
security protocol over tcp
transport protocol on port 443
for www.google.com
SNI domain by default:
bash <(curl -sL https://bit.ly/realityez)
or (if the above command dosen't work):
bash <(curl -sL https://raw.githubusercontent.com/aleskxyz/reality-ezpz/master/reality-ezpz.sh)
After a while you will get configuration string and QR code:
You can run TUI with -m
or --menu
option:
bash <(curl -sL https://bit.ly/realityez) -m
And then you will see management menu in your terminal:
You can also enable Telegram bot with --enable-tgbot
option and manage users from with your Telegram bot (More Info)
Help message of the script:
Usage: reality-ezpz.sh [-t|--transport=tcp|http|grpc|ws|tuic|hysteria2|shadowtls] [-d|--domain=<domain>] [--server=<server>]
[--regenerate] [--default] [-r|--restart] [--enable-safenet=true|false] [--port=<port>] [-c|--core=xray|sing-box]
[--enable-warp=true|false] [--warp-license=<license>] [--security=reality|letsencrypt|selfsigned] [-m|--menu]
[--show-server-config] [--add-user=<username>] [--lists-users] [--show-user=<username>] [--delete-user=<username>]
[--backup] [--restore=<url|file>] [--backup-password=<password>] [-u|--uninstall]
-t, --transport <tcp|http|grpc|ws|tuic|hysteria2|shadowtls> Transport protocol (tcp, http, grpc, ws, tuic, hysteria2, shadowtls default: tcp)
-d, --domain <domain> Domain to use as SNI (default: www.google.com)
--server <server> IP address or domain name of server (Must be a valid domain if using letsencrypt security)
--regenerate Regenerate public and private keys
--default Restore default configuration
-r --restart Restart services
-u, --uninstall Uninstall reality
--enable-safenet <true|false> Enable or disable safenet (blocking malware and adult content)
--port <port> Server port (default: 443)
--enable-warp <true|false> Enable or disable Cloudflare warp
--warp-license <warp-license> Add Cloudflare warp+ license
-c --core <sing-box|xray> Select core (xray, sing-box, default: sing-box)
--security <reality|letsencrypt|selfsigned> Select type of TLS encryption (reality, letsencrypt, selfsigned, default: reality)
-m --menu Show menu
--enable-tgbot <true|false> Enable Telegram bot for user management
--tgbot-token <token> Token of Telegram bot
--tgbot-admins <telegram-username> Usernames of telegram bot admins (Comma separated list of usernames without leading '@')
--show-server-config Print server configuration
--add-user <username> Add new user
--list-users List all users
--show-user <username> Shows the config and QR code of the user
--delete-user <username> Delete the user
--backup Backup users and configuration and upload it to temp.sh
--restore <url|file> Restore backup from URL or file
--backup-password <password> Create/Restore password protected backup file
-h, --help Display this help message
This script can configure the service with 3 types of security options:
- reality
- letsencrypt
- selfsigned
By default reality
is configured but you can change the security protocol with --security
option.
The letsencrypt
option will use Letsencrypt to get a valid certificate for you server. So you have to assign a valid domain or subdomain to your server with --server <domain>
option.
The selfsigned
option is same as letsencrypt
but the certificates are self-signed and you don't need to assign a domain or subdomain to your server.
CDN compatibility table:
Cloudflare | ArvanCloud | |
---|---|---|
reality | ❌ | ❌ |
selfsigned | ✔️ | ✔️ |
letsencrypt | ✔️ | ✔️ |
tcp | ❌ | ❌ |
http | ❌ | ✔️ |
grpc | ✔️ | ✔️ |
ws | ✔️ | ✔️ |
tuic | ❌ | ❌ |
hysteria2 | ❌ | ❌ |
shadowtls | ❌ | ❌ |
- You need to enable
grpc
orwebsocket
in Cloudflare if you want to use the corresponding transport protocols. - You have to configure CDN provider to use HTTPS for connecting to your server.
- The
ws
transport protocol is not compatible withreality
security option. - The
tuic
tunneling protocol is not compatible withreality
security option. - The
tuic
tunneling protocol is only compatible withsing-box
core option. - The
hysteria2
tunneling protocol is not compatible withreality
security option. - The
hysteria2
tunneling protocol is only compatible withsing-box
core option. - The
shadowtls
tunneling protocol is only compatible withsing-box
core option. - Avoid using
tcp
transport protocol withletsencrypt
orselfsigned
security options. - Avoid using
selfsigned
security option. Get a domain and useletsencrypt
option. - Do not change the port to something other than
443
. - The
sing-box
core has better performance. - Using NekoBox for Android is recommended.
You can add, view and delete multiple user account with this script easily!
You can add additional user by using --add-user
option:
bash <(curl -sL https://bit.ly/realityez) --add-user user1
This command will create test1
as a new user.
Notice: Username can only contains A-Z, a-z and 0-9
You can view a list of all users by using --list-users
option:
bash <(curl -sL https://bit.ly/realityez) --list-users
You can get config string and QR code of the user for importing by using --show-user
option:
bash <(curl -sL https://bit.ly/realityez) --show-user user1
This command will print config string and QR code of user1
You can delete a user by using --delete-user
option:
bash <(curl -sL https://bit.ly/realityez) --delete-user user1
This command will delete user1
You can change script defaults by using different arguments.
Your configuration will be saved and restored in each execution. So You can run the script multiple time with out any problem.
Reality protocol will use the public certificate of SNI domain.
Default SNI domain is www.google.com
.
You can change it by using --domain
or -d
options:
bash <(curl -sL https://bit.ly/realityez) -d yahoo.com
Default transport protocol is tcp
.
You can change it by using --transport
or -t
options:
bash <(curl -sL https://bit.ly/realityez) -t http
Valid options are tcp
,http
, grpc
, ws
, tuic
, hysteria2
and shadowtls
.
ws
is not compatible with reality protocol. You have to use letsencrypt
or selfsigned
with it.
tuic
is not compatible with reality protocol. You have to use letsencrypt
or selfsigned
with it.
tuic
is compatible with sing-box core only.
hysteria2
is not compatible with reality protocol. You have to use letsencrypt
or selfsigned
with it.
hysteria2
is compatible with sing-box core only.
shadowtls
is compatible with sing-box core only.
ShadowTLS is a TLS disguise proxy that can use someone else's trusted certificate. It is similar to "Reality," but in transport, it uses Shadowsocks. So you need to assign a working SNI to it.
When you enable ShadowTLS, you will configure two proxies: ShadowTLS and Shadowsocks.
You need to configure your client to use both proxies in chain mode.
First, ShadowTLS will establish a secure connection with the server, then Shadowsocks will use the connection created by ShadowTLS.
You can block malware and adult contents by using --enable-safenet
option:
bash <(curl -sL https://bit.ly/realityez) --enable-safenet true
You can disable this feature with --enable-safenet false
option.
You can get the running configuration with --show-server-config
option:
bash <(curl -sL https://bit.ly/realityez) --show-server-config
You can regenerate keys by using --regenerate
option:
bash <(curl -sL https://bit.ly/realityez) --regenerate
All other configuration will be same as before.
You can restart the service by using -r
or --restart
options:
bash <(curl -sL https://bit.ly/realityez) -r
You can restore default configuration by using --default
option.
bash <(curl -sL https://bit.ly/realityez) --default
User account will not change with this option.
You can delete configuration and services by using --uninstall
or -u
options:
bash <(curl -sL https://bit.ly/realityez) -u
Notice: Do not change default port. This may block your IP!
Default port is 443
.
In case of using letsencrypt
security option, port 80
has to be available for Letsencrypt challenge.
You can change it by using --port
option:
bash <(curl -sL https://bit.ly/realityez) --port 8443
Default engine core is sing-box but you can also switch to xray by using --core
or -c
options:
bash <(curl -sL https://bit.ly/realityez) -c xray
Valid options are xray
and sing-box
.
You can create a backup from users and configuration and upload it to https://temp.sh/ by using --backup
option.
The --backup-password
option allows you to protect the backup zip file with the specified password. (Optional)
bash <(curl -sL https://bit.ly/realityez) --backup --backup-password "P@ssw0rd"
This command will give you a URL to download you backup file. The URL is only valid for 3 days.
You can restore a previously created backup file with --restore
option.
You need to give the path or URL of the backup file to restore.
The --backup-password
option allows you to restore the password protected backup zip file.
bash <(curl -sL https://bit.ly/realityez) --restore /path/to/backup.zip --backup-password "P@ssw0rd"
or
bash <(curl -sL https://bit.ly/realityez) --restore "https://www.example.com/backup.zip" --backup-password "P@ssw0rd"
You can migrate users and configuration from one server to another by:
- Create backup in the old server and copy the URL of backup file
- Restore the URL of backup file in the new server
You can also use the TUI for changing the configuration of the service.
To access to TUI you can use -m
or --menu
options:
bash <(curl -sL https://bit.ly/realityez) -m
You can manage users with Telegram Bot.
You should get a Telegram bot token from @BotFather
Telegram account.
Then you can enable Telegram bot by using this command as an example:
bash <(curl -sL https://bit.ly/realityez) --enable-tgbot true --tgbot-token <telegram-bot-token> --tgbot-admins=<your-telegram-username>
In the command above you have to provide a comma separated list of Telegram usernames (without leading '@') which are authorized to use Telegram bot.
You can disable Telegram bot with this command:
bash <(curl -sL https://bit.ly/realityez) --enable-tgbot false
This script uses official Cloudflare WARP client for connecting to Cloudflare network and send all outbound traffic to Cloudflare server. So your servers address will be masked by Cloudflare IPs. This gives you a better web surffing experience due to less captcha challenges and also resolves some websites limitations on your servers IP.
You can enable Cloudflare WARP by using --enable-warp true
option. This script will create and register a free WAPR account and use it.
bash <(curl -sL https://bit.ly/realityez) --enable-warp true
Free account has traffic limitation and lower performance in comparison with WARP+ account which needs license.
You can either buy an WARP+ Unlimited license or get a free WARP+ license from this telegram bot: https://t.me/generatewarpplusbot
After getting a license from that telegram bot, you can use the license for your server with --warp-license
option:
bash <(curl -sL https://bit.ly/realityez) --warp-license aaaaaaaa-bbbbbbbb-cccccccc
You can use each warp+ license on 4 devices only.
You can disable Cloudflare WARP with --enable-warp false
:
bash <(curl -sL https://bit.ly/realityez) --enable-warp false
You can combine different options together.
We want to setup a server with these configurations:
grpc
transport protocolwww.wikipedia.org
as SNI domain- Block adult contents
- Enable Cloudflare WARP
- Set Cloudflare WARP+ license
So we need to execute this command:
bash <(curl -sL https://bit.ly/realityez) --transport=grpc --domain=www.wikipedia.com --enable-safenet=true --enable-warp=true --warp-license=26z9i0ld-WG0wy324-rA703nZ2
Use this feature only if you know exactly what you are doing!
You can override the configuration generated by the script and add your own custom configuration to it.
Write your custom configuration in one of these files based on the engine that you are using:
/opt/reality-ezpz/sing-box.patch
or
/opt/reality-ezpz/xray.patch
And run script to apply your changes.
For example if you want to increase the debug level of sing-box engine, you can create /opt/reality-ezpz/sing-box.patch
with this content:
{
"log": {
"level": "debug",
"timestamp": true
}
}
from https://github.com/aleskxyz/reality-ezpz
No comments:
Post a Comment