singbox配置



1、服务端各项配置详细介绍

{
  "log": {
    "disabled": false,   //设置为true的时候禁用日志
    "level": "error",     //日志等级,建议设置为warn或error,只显示警告或错误信息
    "output": "box.log",  //输出文件路径,没有特殊需求不建议配置
    "timestamp": true     //给日志添加时间
  },
  "dns": {},  //服务端不建议配置此项
  "inbounds": [   //入站配置,主要配置
    {
      "type": "vless",   //协议类型
      "tag": "vless-in",  //入站标签,可以自定义,用于区分不同的入站,主要用于配置多协议共存或者单协议多个入站
      "network": "tcp",   //监听的网络协议,默认监听TCP和UDP,一般情况下默认即可,可丢弃配置
      "listen": "::",    //监听地址,0.0.0.0代表监听本机IPV4地址,::代表监听本机IPV6地址(在多数系统上同时也接受IPV4连接,即双栈监听)
      "listen_port": 5353,   //监听端口
      "tcp_fast_open": false,   //如果启用TCP Fast Open时network需监听TCP,Linux 3.16开始默认开启TFO,主要优势在于减少了连接建立的往返时间,特别适用于需要大量短暂连接的场景,如网页浏览、应用程序更新等,它可以显著提高网络性能,减少用户感知的延迟
      "tcp_multi_path": false,  //编译安装sing-box的话需要Go 1.21,启用TCP Multi Path时network 需监听TCP,可以提高连接的性能、可靠性和负载均衡,适用于多路径通信环境和需要高性能的应用程序
      "udp_fragment": false,   //用于大型UDP数据包的分段和重组,对于音视频传输、在线游戏和其他需要低延迟但可以容忍丢包的应用程序非常有用,fragment是socks协议的一个特性,即被代理的UDP数据包超过了MTU大小,就分成多个数据包发送
      "sniff": false,  //协议探测,检测传入数据流量的协议类型,并选择适当的传输方式,有助于绕过GFW审查和提高性能和稳定性,可以用于分流
      "sniff_override_destination": false,   //用探测出的域名覆盖连接目标地址,将传入连接的目标地址修改为指定的目标地址,而不是原始的目标地址,允许选择性地将特定的流量路由通过不同的网络代理,以实现不同的网络访问需求
      "sniff_timeout": "300ms",   //协议探测超时时间
      "domain_strategy": "prefer_ipv6",    //请求的域名将在路由之前使用内置DNS服务器解析获取IP,解析出的IP地址与路由规则进行匹配,然后选择适当的路由,如果解析失败或解析的IP地址与路由规则不匹配,将继续按照配置的路由规则处理连接,如果sniff_override_destination生效,它的值将作为后备
      "udp_timeout": 300,   //UDP NAT过期时间,需要组装UDP连接, 当前为Tun和Shadowsocks
      "detour": "another-in"   //如果设置,连接将被转发到指定的入站,目标入站支持的协议类型:socks、http、shadowsocks、vmess、trojan、shadowtls、vless
      "users": [
        {
          "name": "sekai",    //节点用户名
          "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",    //节点UUID,此处为公开的示例值,部署前请用 sing-box generate uuid 重新生成
          "flow": ""    //VLESS 子协议
        }
      ],
      "tls": {
        "enabled": true,    //true为启用TLS
        "server_name": "",    //用于验证返回证书上的主机名,客户端在发起TLS握手时通常会发送一个SNI扩展,其中包含客户端期望连接的目标主机名,服务器可以使用这个SNI扩展来识别客户端请求的目标主机名,对于自签证书非常有用
        "alpn": [],    //指定服务器支持的应用层协议列表,客户端在TLS握手过程中将从这个列表中选择一个协议,然后双方将在TLS连接上使用该协议进行通信,这允许客户端和服务器之间的明确协议选择,以确保它们都使用相同的协议
        "min_version": "",    //可接受的最低TLS版本,客户端的最低为TLS 1.2,服务端最低为TLS 1.0,非必要配置;TLS 1.0/1.1 已被废弃,服务端建议显式设为"1.2"
        "max_version": "",    //可接受的最大TLS版本,当前最高版本为TLS 1.3,非必要配置
        "cipher_suites": [],    //用于配置受支持的密码套件列表,正常情况下不影响安全性,在未配置的情况下自动选择,非必要配置
        "certificate": [    //字符串数组,填写你的证书内容,与certificate_path二选一
          "--BEGIN CERTIFICATE--",
          "MIICwDCCAaigAwIBAgIRAO16JMdESAuHidFYJAR/7kAwDQYJKoZIhvcNAQELBQAw",
          "ADAeFw0xODA0MTAxMzU1MTdaFw0xODA0MTAxNTU1MTdaMAAwggEiMA0GCSqGSIb3",
          "DQEBAQUAA4IBDwAwggEKAoIBAQCs2PX0fFSCjOemmdm9UbOvcLctF94Ox4BpSfJ+",
          "3lJHwZbvnOFuo56WhQJWrclKoImp/c9veL1J4Bbtam3sW3APkZVEK9UxRQ57HQuw",
          "OzhV0FD20/0YELou85TwnkTw5l9GVCXT02NG+pGlYsFrxesUHpojdl8tIcn113M5",
          "pypgDPVmPeeORRf7nseMC6GhvXYM4txJPyenohwegl8DZ6OE5FkSVR5wFQtAhbON",
          "OAkIVVmw002K2J6pitPuJGOka9PxcCVWhko/W+JCGapcC7O74palwBUuXE1iH+Jp",
          "noPjGp4qE2ognW3WH/sgQ+rvo20eXb9Um1steaYY8xlxgBsXAgMBAAGjNTAzMA4G",
          "A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA",
          "MA0GCSqGSIb3DQEBCwUAA4IBAQBUd9sGKYemzwPnxtw/vzkV8Q32NILEMlPVqeJU",
          "7UxVgIODBV6A1b3tOUoktuhmgSSaQxjhYbFAVTD+LUglMUCxNbj56luBRlLLQWo+",
          "9BUhC/ow393tLmqKcB59qNcwbZER6XT5POYwcaKM75QVqhCJVHJNb1zSEE7Co7iO",
          "6wIan3lFyjBfYlBEz5vyRWQNIwKfdh5cK1yAu13xGENwmtlSTHiwbjBLXfk+0A/8",
          "r/2s+sCYUkGZHhj8xY7bJ1zg0FRalP5LrqY+r6BckT1QPDIQKYy615j1LpOtwZe/",
          "d4q7MD/dkzRDsch7t2cIjM/PYeMuzh87admSyL6hdtK0Nm/Q",
          "--END CERTIFICATE--"
        ],
        "certificate_path": "",    //证书文件路径,与certificate二选一
        "key": [    //字符串数组,填写你的密钥内容,与key_path二选一;私钥写入配置文件后会随配置一起被备份或分享,更建议使用key_path并把密钥文件权限限制为仅sing-box运行用户可读
          "--BEGIN RSA PRIVATE KEY--",
          "MIIEowIBAAKCAQEArNj19HxUgoznppnZvVGzr3C3LRfeDseAaUnyft5SR8GW75zh",
          "bqOeloUCVq3JSqCJqf3Pb3i9SeAW7Wpt7FtwD5GVRCvVMUUOex0LsDs4VdBQ9tP9",
          "GBC6LvOU8J5E8OZfRlQl09NjRvqRpWLBa8XrFB6aI3ZfLSHJ9ddzOacqYAz1Zj3n",
          "jkUX+57HjAuhob12DOLcST8np6IcHoJfA2ejhORZElUecBULQIWzjTgJCFVZsNNN",
          "itieqYrT7iRjpGvT8XAlVoZKP1viQhmqXAuzu+KWpcAVLlxNYh/iaZ6D4xqeKhNq",
          "IJ1t1h/7IEPq76NtHl2/VJtbLXmmGPMZcYAbFwIDAQABAoIBAFCgG4phfGIxK9Uw",
          "qrp+o9xQLYGhQnmOYb27OpwnRCYojSlT+mvLcqwvevnHsr9WxyA+PkZ3AYS2PLue",
          "C4xW0pzQgdn8wENtPOX8lHkuBocw1rNsCwDwvIguIuliSjI8o3CAy+xVDFgNhWap",
          "/CMzfQYziB7GlnrM6hH838iiy0dlv4I/HKk+3/YlSYQEvnFokTf7HxbDDmznkJTM",
          "aPKZ5qbnV+4AcQfcLYJ8QE0ViJ8dVZ7RLwIf7+SG0b0bqloti4+oQXqGtiESUwEW",
          "/Wzi7oyCbFJoPsFWp1P5+wD7jAGpAd9lPIwPahdr1wl6VwIx9W0XYjoZn71AEaw4",
          "bK4xUXECgYEA3g2o9WqyrhYSax3pGEdvV2qN0VQhw7Xe+jyy98CELOO2DNbB9QNJ",
          "8cSSU/PjkxQlgbOJc8DEprdMldN5xI/srlsbQWCj72wXxXnVnh991bI2clwt7oYi",
          "pcGZwzCrJyFL+QaZmYzLxkxYl1tCiiuqLm+EkjxCWKTX/kKEFb6rtnMCgYEAx0WR",
          "L8Uue3lXxhXRdBS5QRTBNklkSxtU+2yyXRpvFa7Qam+GghJs5RKfJ9lTvjfM/PxG",
          "3vhuBliWQOKQbm1ZGLbgGBM505EOP7DikUmH/kzKxIeRo4l64mioKdDwK/4CZtS7",
          "az0Lq3eS6bq11qL4mEdE6Gn/Y+sqB83GHZYju80CgYABFm4KbbBcW+1RKv9WSBtK",
          "gVIagV/89moWLa/uuLmtApyEqZSfn5mAHqdc0+f8c2/Pl9KHh50u99zfKv8AsHfH",
          "TtjuVAvZg10GcZdTQ/I41ruficYL0gpfZ3haVWWxNl+J47di4iapXPxeGWtVA+u8",
          "eH1cvgDRMFWCgE7nUFzE8wKBgGndUomfZtdgGrp4ouLZk6W4ogD2MpsYNSixkXyW",
          "64cIbV7uSvZVVZbJMtaXxb6bpIKOgBQ6xTEH5SMpenPAEgJoPVts816rhHdfwK5Q",
          "8zetklegckYAZtFbqmM0xjOI6bu5rqwFLWr1xo33jF0wDYPQ8RHMJkruB1FIB8V2",
          "GxvNAoGBAM4g2z8NTPMqX+8IBGkGgqmcYuRQxd3cs7LOSEjF9hPy1it2ZFe/yUKq",
          "ePa2E8osffK5LBkFzhyQb0WrGC9ijM9E6rv10gyuNjlwXdFJcdqVamxwPUBtxRJR",
          "cYTY2HRkJXDdtT0Bkc3josE6UUDvwMpO0CfAETQPto1tjNEDhQhT",
          "--END RSA PRIVATE KEY--"
        ],
        "key_path": "",    //密钥文件路径,与key二选一
        "acme": {    //sing-box自动申请与管理证书的配置部分
          "domain": [],    //一组域名
          "data_directory": "",    //ACME数据目录,可自定义ACME数据存放目录,方便找到证书文件
          "default_server_name": "",    //若ServerName字段为空时,选择证书时要使用的服务器名称
          "email": "",    // ACME服务器帐户使用的电子邮件地址
          "provider": "",    // ACME CA供应商
          "disable_http_challenge": false,    //禁用所有HTTP质询,HTTP质询的原理:ACME服务器向你的域名发送一个随机TOKEN ,你需要在你的Web服务器上创建一个相应的质询文件,以便ACME服务器能够获取到这个TOKEN ,当ACME服务器能够成功获取并验证TOKEN时,你的域名控制权就得到了验证,你将获得SSL/TLS证书,HTTP质询需要使用你的Web服务器已经配置的HTTP端口
          "disable_tls_alpn_challenge": false,    //禁用所有TLS-ALPN质询,TLS-ALPN质询需要支持ALPN的服务器和客户端,并且需要根据ACME验证方法配置相应的证书和令牌来执行验证,这种方法通常用于获取通配符证书
          "alternative_http_port": 0,    //ACME HTTP质询的备用端口,如果配置,将使用此端口而不是80来启动HTTP质询
          "alternative_tls_port": 0,    //ACME TLS-ALPN 质询的备用端口,系统必须将443转发到此端口以使质询成功
          "external_account": {    //EAB(外部帐户绑定)功能配置,允许CA和ACME客户端协商,将ACME帐户与其他已知帐户进行关联或绑定
            "key_id": "",    //密钥标识符,用于唯一标识ACME帐户的标识符
            "mac_key": ""    // MAC密钥,用于消息身份验证和数据完整性保护的密钥
          },
          "dns01_challenge": {    //ACME DNS01 验证字段,如果配置,将禁用其他验证方法,好处在于不再需要使用80或者443端口来质询从而完成证书的申请
            "provider": "cloudflare",    // DNS 提供商配置,如需详细了解请查看acme.sh官方文档
            "api_token": ""    //DNS API,你CloudFlare账户的API令牌;请创建仅拥有对应区域DNS编辑权限的令牌,不要使用全局API Key
          }
        },
        "ech": {    //一个 TLS 扩展,它允许客户端加密其ClientHello的第一部分信息,从而隐藏握手期间的信息,特别是隐藏SNI信息,这有助于提高用户的隐私和减少中间人攻击的风险
          "enabled": false,    //若要开启请设置为true
          "pq_signature_schemes_enabled": false,    //启用对后量子对等证书签名方案的支持的主要目的是为了提高加密通信的长期安全性,后量子密码学是一种加密算法,被设计为能够抵抗未来可能出现的量子计算攻击
          "dynamic_record_sizing_disabled": false,    //如果为true,则始终使用最大可能的TLS记录大小, 如果为false,则可能会调整TLS记录的大小以尝试改善延迟
          "key": [    //ECH PEM密钥行数组,字符串数组
            "-----BEGIN ECH KEYS-----",
            "ACDWNOCSEKWNgqmOOAwD9aLacYlpr9lrMk4KP7Ptoztf8gBX/g0AUwAAIAAgc7AK",
            "RsgzRwW1lCk8+QV8unqlXy16Rw0AtS+mAfm6+wYACAABAAEAAQADACBbLS1wcS1z",
            "aWduYXR1cmUtc2NoZW1lcy1lbmFibGVkXQAA",
            "-----END ECH KEYS-----"
          ],
          "key_path": ""    //ECH PEM密钥路径
        },
        "reality": {    //Reality配置
          "enabled": false,    //true为启用Reality
          "handshake": {
            "server": "google.com",    //握手服务器地址,国外网站,支持TLSv1.3与H2
            "server_port": 443    //握手服务器端口
          },
          "private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",    //私钥,此处为公开的示例值,请用 sing-box generate reality-keypair 重新生成;生成的公钥下发给客户端,私钥只保留在服务端
          "short_id": [    //客户端可用的shortId列表,可用于区分不同的客户端
            "0123456789abcdef"    //零到八字节的十六进制字符串,即最多16个十六进制字符
          ],
          "max_time_difference": "1m"    //服务器与和客户端之间允许的最大时间差,默认禁用检查
        }
      },
      "transport": {    //V2Ray 传输层配置
        ....HTTP传输层配置
        "type": "http",    //传输协议,HTTP包含纯HTTP以及HTTP2
        "host": [],    //主机域名列表,客户端会随机从列表中选出一个域名进行通信,服务器会验证域名是否在列表中
        "path": "",    //HTTP 请求路径,客户端和服务器必须一致
        "method": "",    //HTTP请求方法,有 PUT、POST、OPTIONS、HEAD、GET、DELETE、CONNECT
        "headers": {    //HTTP请求的额外标头
          "Header": [
            "value"    //一个键值对,每个键表示一个HTTP头名称
          ]
        },
        "idle_timeout": "15s",    //在HTTP2服务器中,如果连接上没有收到任何帧,指定一段时间后将使用 PING 帧执行健康检查。需要注意的是,PING响应被视为已接收的帧,因此如果连接上没有其他流量,则健康检查将在每个间隔执行一次,如果值为零,则不会执行健康检查
        "ping_timeout": "15s"    //在HTTP2客户端中,指定发送PING帧后,在指定的超时时间内必须接收到响应,如果在指定的超时时间内没有收到PING帧的响应,则连接将关闭,默认超时持续时间为 15 秒

        ....WebSocket传输层配置
        "type": "ws",    //传输协议
        "path": "",    //HTTP请求路径
        "headers": {    //HTTP请求的额外标头
          "Host": "bing.com"    //一个键值对,每个键表示一个HTTP头的名称
        },
        "max_early_data": 0,    //请求中允许的最大有效负载大小,默认启用
        "early_data_header_name": ""    //早期数据在路径而不是标头中发送,要与Xray-core兼容,请将其设置为Sec-WebSocket-Protocol,需要与服务器保持一致

        ....QUIC传输层配置
        "type": "quic"    //传输协议

        ....gRPC传输层配置
        "type": "grpc",    //传输协议
        "service_name": "TunService",    //gRPC服务名称,客户端会使用此名称进行通信,服务端会验证服务名称是否匹配
        "idle_timeout": "15s",    //在标准gRPC服务器/客户端,如果传输在此时间段后没有看到任何活动,它会向客户端发送ping请求以检查连接是否仍然活动;在默认gRPC服务器/客户端,它的行为与HTTP传输层中的相应设置相同
        "ping_timeout": "15s",    //在标准gRPC服务器/客户端,经过一段时间之后,客户端将执行keepalive检查并等待活动,如果没有检测到任何活动,则会关闭连接;在默认gRPC服务器/客户端,它的行为与HTTP传输层中的相应设置相同
        "permit_without_stream": false    //在标准gRPC客户端,如果启用,客户端传输即使没有活动连接也会发送keepalive ping;如果禁用,则在没有活动连接时,将忽略idle_timeout和ping_timeout,并且不会发送keepalive ping
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",    //向任意网络发送TCP或UDP数据
      "tag": "direct-in"    //出站标签
    },
    {
      "type": "block",    //关闭所有传入请求
      "tag": "block"    //出站标签
    }
  ],
  "route": {    //路由规则配置,匹配逻辑:domain || domain_suffix || domain_keyword || domain_regex || geosite || geoip || ip_cidr && port || port_range && source_geoip || source_ip_cidr && source_port || source_port_range && other fields
    "geoip": {    //GeoIP配置
      "path": "",    //GeoIP资源的路径
      "download_url": "",    //GeoIP资源的下载链接
      "download_detour": ""    //用于下载GeoIP资源的出站的标签,如果为空,将使用默认出站
    },
    "geosite": {    //Geosite配置
      "path": "",    //GeoSite 资源的路径
      "download_url": "",    //GeoSite资源的下载链接
      "download_detour": ""    //用于下载GeoSite资源的出站的标签,如果为空,将使用默认出站
    },
    "rules": [
      {
        "inbound": [
          "mixed-in"    //入站标签,对应inbounds里的tag值,多协议共存或者单协议多个入站时需要配置
        ],
        "ip_version": 6,    //IPV4或IPV6 ,默认不限制
        "network": [
          "tcp"    //网络协议,tcp或udp
        ],
        "auth_user": [    //认证用户名
          "usera",    //入站配置里的name值
          "userb"    //入站配置里的name值
        ],
        "protocol": [    //探测到的协议
          "tls",
          "http",
          "quic"
        ],
        "domain": [    //匹配完整域名
          "test.com"
        ],
        "domain_suffix": [    //匹配域名后缀
          ".cn"
        ],
        "domain_keyword": [    //匹配域名关键字
          "test"
        ],
        "domain_regex": [    //匹配域名正则表达式
          "^stun\\..+"
        ],
        "geosite": [    //匹配GeoSite
          "cn"
        ],
        "source_geoip": [    //匹配源GeoIP,根据流量的源IP地址的地理位置信息来做出决策
          "private"
        ],
        "geoip": [    //匹配GeoIP,根据目标IP地址的地理位置信息来做出决策
          "cn"
        ],
        "source_ip_cidr": [    //匹配源IP CIDR,用于确定来自特定源IP地址范围的流量
          "10.0.0.0/24"
        ],
        "ip_cidr": [    //匹配IP CIDR,用于确定目标IP地址范围的流量
          "10.0.0.0/24"
        ],
        "source_port": [    //匹配源端口,用于确定网络数据包的源端口是否符合规定的条件
          12345
        ],
        "source_port_range": [    //匹配源端口范围,用于确定流量的源端口范围
          "1000:2000",
          ":3000",
          "4000:"
        ],
        "port": [    //匹配端口,用于确定网络数据包的目标端口是否符合规定的条件
          80,
          443
        ],
        "port_range": [    //匹配端口范围,用于确定流量的目标端口范围
          "1000:2000",
          ":3000",
          "4000:"
        ],
        "process_name": [    //匹配进程名称,仅支持Linux、Windows和macOS
          "curl"
        ],
        "process_path": [    //匹配进程路径,仅支持Linux、Windows和macOS
          "/usr/bin/curl"
        ],
        "package_name": [    //匹配Android应用包名
          "com.termux"
        ],
        "user": [    //匹配用户名,仅支持Linux
          "sekai"
        ],
        "user_id": [    //匹配用户ID,仅支持Linux
          1000
        ],
        "clash_mode": "direct",    //匹配Clash模式
        "invert": false,    //反选匹配结果
        "outbound": "direct"    //目标出站的标签,对应outbounds里的tag值,多协议共存或者单协议多个入站时需要配置
      },
      {
        "type": "logical",    //逻辑规则,用于指定多个子规则之间的逻辑关系
        "mode": "and",    //逻辑关系的模式,这里是and表示所有的子规则必须满足条件,如果模式是or则表示只需满足其中一个子规则即可
        "rules": [],    //一个包含子规则的数组
        "invert": false,    //反选匹配结果
        "outbound": "direct"    //目标出站的标签,对应outbounds里的tag值
      }
    ],
    "final": "",    //默认出站标签,若为空,将使用第一个协议出站
    "auto_detect_interface": false,    //默认将出站连接绑定到默认网卡,以防止在tun下出现路由环路,如果设置了outbound.bind_interface,则不生效
    "override_android_vpn": false,    //启用auto_detect_interface时接受Android VPN作为上游网卡,仅支持Android
    "default_interface": "en0",    //默认将出站连接绑定到指定网卡,以防止在tun下出现路由环路,如果设置了auto_detect_interface,则不生效
    "default_mark": 233    //默认为出站连接设置路由标记,如果设置了outbound.routing_mark,则不生效
  },
  "experimental": {}    //服务端不建议配置此项
}

2、单协议多个入站配置示例
通过路由来指定入站和出站

{
  "log": {
    "disabled": false,
    "level": "warn",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "naive",
      "tag": "naive001-in",    //tag标签
      "listen": "::",
      "listen_port": 5353,
      "users": [    //多用户结构,示例中两个用户的凭据完全相同,实际部署时应为每个用户设置不同的强随机密码
        {
          "username": "sekai",
          "password": "password"
        },
        {
          "username": "sekai",
          "password": "password"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "",

        ....以下为下载预编译版本的sing-box配置
        "certificate_path": "",
        "key_path": "",

        ....以下为编译安装带ACME模块儿的sing-box配置
        "acme": {

          ....以下为使用质询端口申请证书的配置
          "domain": [],
          "data_directory": "",
          "email": "",
          "provider": "",

          ....以下为使用CloudFlare API申请证书的配置,如果配置此部分则禁用质询端口申请证书的方法
          "dns01_challenge": {
            "provider": "cloudflare",
            "api_token": ""
          }
        },
        "ech": {
          "enabled": false,
          "pq_signature_schemes_enabled": false,
          "dynamic_record_sizing_disabled": false,
          "key": [],
          "key_path": ""
        }
      }
    },
    {
      "type": "naive",
      "tag": "naive002-in",    //tag标签
      "listen": "::",
      "listen_port": 5354,
      "users": [    //多用户结构
        {
          "username": "sekai",
          "password": "password"
        },
        {
          "username": "sekai",
          "password": "password"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "",

        ....以下为下载预编译版本的sing-box配置
        "certificate_path": "",
        "key_path": "",

        ....以下为编译安装带ACME模块儿的sing-box配置
        "acme": {

          ....以下为使用质询端口申请证书的配置
          "domain": [],
          "data_directory": "",
          "email": "",
          "provider": "",

          ....以下为使用CloudFlare API申请证书的配置,如果配置此部分则禁用质询端口申请证书的方法
          "dns01_challenge": {
            "provider": "cloudflare",
            "api_token": ""
          }
        },
        "ech": {
          "enabled": false,
          "pq_signature_schemes_enabled": false,
          "dynamic_record_sizing_disabled": false,
          "key": [],
          "key_path": ""
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ],
  "route": {    //关键配置,影响共存
    "rules": [
      {
        "inbound": [
          "naive001-in"    //第一个入站的tag标签
        ],
       "outbound": "direct-out"
      },
      {
        "inbound": [
          "naive002-in"    //第二个入站的tag标签
        ],
       "outbound": "direct-out"
      }
    ]
  }
}

3、多协议配置示例
通过路由来指定入站和出站

{
  "log": {
    "disabled": false,
    "level": "warn",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "naive",
      "tag": "naive-in",    //tag标签
      "listen": "::",
      "listen_port": 10010,
      "users": [    //多用户结构
        {
          "username": "sekai",
          "password": "password"
        },
        {
          "username": "sekai",
          "password": "password"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "",

        ....以下为下载预编译版本的sing-box配置
        "certificate_path": "",
        "key_path": "",

        ....以下为编译安装带ACME模块儿的sing-box配置
        "acme": {

          ....以下为使用质询端口申请证书的配置
          "domain": [],
          "data_directory": "",
          "email": "",
          "provider": "",

          ....以下为使用CloudFlare API申请证书的配置,如果配置此部分则禁用质询端口申请证书的方法
          "dns01_challenge": {
            "provider": "cloudflare",
            "api_token": ""
          }
        },
        "ech": {
          "enabled": false,
          "pq_signature_schemes_enabled": false,
          "dynamic_record_sizing_disabled": false,
          "key": [],
          "key_path": ""
        }
      }
    },
    {
      "type": "vless",
      "tag": "vless-in",    //tag标签
      "listen": "::",
      "listen_port": 10011,
      "users": [    //多用户结构
        {
          "name": "sekai",
          "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
          "flow": ""
        },
        {
          "name": "sekai",
          "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
          "flow": ""
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "",
        "reality": {
          "enabled": false,
          "handshake": {
            "server": "google.com",
            "server_port": 443
          },
          "private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
          "short_id": [
            "0123456789abcdef"
          ]
        }
      },
      "transport": {    //与VLESS+Vision+REALITY冲突

        ....VLESS+H2C+REALITY配置
        "type": "http"

        ....VLESS+gRPC+REALITY配置
        "type": "grpc",
        "service_name": "TunService",
      }
    },
    {
      "type": "hysteria2",
      "tag": "hy2-in",    //tag标签
      "listen": "::",
      "listen_port": 10012,
      "up_mbps": 100,
      "down_mbps": 100,
      "obfs": {    //没有阻断现象不建议配置此项
        "type": "salamander",
        "password": "cry_me_a_r1ver"
      },
      "users": [    //多用户结构
        {
          "name": "tobyxdd",
          "password": "goofy_ahh_password"
        },
        {
          "name": "tobyxdd",
          "password": "goofy_ahh_password"
        }
      ],
      "ignore_client_bandwidth": false,
      "tls": {
        "enabled": true,
        "server_name": "",

        ....以下为下载预编译版本的sing-box配置
        "certificate_path": "",
        "key_path": "",

        ....以下为编译安装带ACME模块儿的sing-box配置
        "acme": {

          ....以下为使用质询端口申请证书的配置
          "domain": [],
          "data_directory": "",
          "email": "",
          "provider": "",

          ....以下为使用CloudFlare API申请证书的配置,如果配置此部分则禁用质询端口申请证书的方法
          "dns01_challenge": {
            "provider": "cloudflare",
            "api_token": ""
          }
        },
        "ech": {
          "enabled": false,
          "pq_signature_schemes_enabled": false,
          "dynamic_record_sizing_disabled": false,
          "key": [],
          "key_path": ""
        }
      },
      "masquerade": "",
      "brutal_debug": false
    },
    {
      "type": "tuic",
      "tag": "tuic-in",    //tag标签
      "listen": "::",
      "listen_port": 10013,
      "users": [    //多用户结构
        {
          "name": "sekai",
          "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
          "password": "hello"
        },
        {
          "name": "sekai",
          "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
          "password": "hello"
        }
      ],
      "congestion_control": "cubic",
      "auth_timeout": "3s",
      "zero_rtt_handshake": false,
      "heartbeat": "10s",
      "tls": {
        "enabled": true,
        "server_name": "",

        ....以下为下载预编译版本的sing-box配置
        "certificate_path": "",
        "key_path": "",

        ....以下为编译安装带ACME模块儿的sing-box配置
        "acme": {

          ....以下为使用质询端口申请证书的配置
          "domain": [],
          "data_directory": "",
          "email": "",
          "provider": "",

          ....以下为使用CloudFlare API申请证书的配置,如果配置此部分则禁用质询端口申请证书的方法
          "dns01_challenge": {
            "provider": "cloudflare",
            "api_token": ""
          }
        },
        "ech": {
          "enabled": false,
          "pq_signature_schemes_enabled": false,
          "dynamic_record_sizing_disabled": false,
          "key": [],
          "key_path": ""
        }
      }
    }
  ],    
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ],
  "route": {    //关键配置,影响共存
    "rules": [
      {
        "inbound": [
          "naive-in"    //第一个入站的tag标签
        ],
       "outbound": "direct-out"
      },
      {
        "inbound": [
          "vless-in"    //第二个入站的tag标签
        ],
       "outbound": "direct-out"
      },
      {
        "inbound": [
          "hy2-in"    //第三个入站的tag标签
        ],
       "outbound": "direct-out"
      },
      {
        "inbound": [
          "tuic-in"    //第四个入站的tag标签
        ],
       "outbound": "direct-out"
      }
    ]
  }
}

4、配置WireGuard解锁ChatGPT、Disney+、Netflix
工作流程:节点接收我们的流量之后会通过路由匹配选择与之对应的出站,当发现流量是访问ChatGPT、Disney+、Netflix的它会选择把流量交给warp去处理,其它流量正常出站

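{
  "log": {
    "disabled": false,
    "level": "warn",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "naive",
      "tag": "naive-in",    // inbound tag; referenced by route.rules[].inbound below
      "listen": "::",
      "listen_port": 5353,
      "sniff": true,
      "sniff_override_destination": true,
      "users": [    // multi-user list; the two sample entries are identical — give every real user its own strong password
        {
          "username": "sekai",
          "password": "password"
        },
        {
          "username": "sekai",
          "password": "password"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "",

        ....the following is for the prebuilt (downloaded) sing-box release
        "certificate_path": "",
        "key_path": "",

        ....the following is for a sing-box build compiled with the ACME module
        "acme": {

          ....the following requests the certificate via the challenge ports
          "domain": [],
          "data_directory": "",
          "email": "",
          "provider": "",

          ....the following requests the certificate via the Cloudflare API; when configured it disables the challenge-port method
          "dns01_challenge": {
            "provider": "cloudflare",
            "api_token": ""    // scope the token to DNS edit on this zone only
          }
        },
        "ech": {    // ECH TLS extension
          "enabled": false,
          "pq_signature_schemes_enabled": false,
          "dynamic_record_sizing_disabled": false,
          "key": [    // sample key lines published on this page — replace with your own ECH key before use
            "-----BEGIN ECH KEYS-----",
            "ACDWNOCSEKWNgqmOOAwD9aLacYlpr9lrMk4KP7Ptoztf8gBX/g0AUwAAIAAgc7AK",
            "RsgzRwW1lCk8+QV8unqlXy16Rw0AtS+mAfm6+wYACAABAAEAAQADACBbLS1wcS1z",
            "aWduYXR1cmUtc2NoZW1lcy1lbmFibGVkXQAA",
            "-----END ECH KEYS-----"
          ],
          "key_path": ""
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"    // referenced by the fallback rule and by download_detour below
    },
    {
      "type": "direct",
      "tag": "warp-out",
      "detour": "wireguard-out",
      "domain_strategy": "ipv6_only"    // set to ipv4_only if you want to unlock via IPv4
    },
    {
      "type": "wireguard",
      "tag": "wireguard-out",
      "server": "engage.cloudflareclient.com",
      "server_port": 2408,
      "system_interface": false,
      "interface_name": "wg0",
      "local_address": [
        "172.16.0.2/32",
        "2606:4700:110:813a:a352:3d11:af73:4782/128"
      ],
      "private_key": "SGHP3LIzGCzGZyS9I7LdNTY/EUkfQ3hKRWo19eJdbXY=",    // published on this page — use the key, addresses and reserved bytes from your own WARP registration
      "peer_public_key": "bmXOC+F1FxEMF9dyiK2H5/1ARtzH0JuVo51h2wPfgyo=",
      "reserved": [195,53,219],
      "mtu": 1280
    }
  ],
  "route": {    // key section: the rule matching ChatGPT/Disney+/Netflix must come first
    "geoip": {
      "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct-out"
    },
    "geosite": {
      "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct-out"
    },
    "rules": [
      {
        "inbound": [
          "naive-in"
        ],
        "geosite": [
          "openai",
          "netflix",
          "disney"
        ],
        "outbound": "warp-out"
      },
      {
        "inbound": [
          "naive-in"
        ],
        "outbound": "direct-out"    // was "direct", which matches no outbound tag above; a rule's outbound must be an existing tag
      }
    ]
  }
}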

5、端口转发配置示例
工作流程:将中转机5353端口接收到的流量全部发送到1.0.0.1服务器的53号端口,让落地机来帮我们访问目标网站;其中1.0.0.1和53仅为占位示例,请替换为你落地机的实际地址和端口

中转机配置示例

{
  "log": {
    "disabled": false,
    "level": "warn",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "direct",
      "tag": "direct-in",
      "listen": "::",
      "listen_port": 5353,
      "sniff": true,
      "sniff_override_destination": true,
      "override_address": "1.0.0.1",    //落地机地址
      "override_port": 53    //落地机端口
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ]
}

落地机配置示例

{
  "log": {
    "disabled": false,
    "level": "warn",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "shadowsocks",
      "tag": "ss-in",
      "listen": "::",
      "listen_port": 53,
      "method": "2022-blake3-aes-128-gcm",
      "password": "8JCsPssfgS8tiRwiMlhARg=="
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ]
}

6、代理转发配置示例
工作流程:中转机接收我们的流量之后会通过路由匹配选择与之对应的出站,当发现流量是访问奈飞的它会选择vless-out这个出站,即将流量转发给我们的落地机,让落地机去访问奈飞,从而达到使用中转节点解锁奈飞的目的;其它流量正常出站

中转机配置示例

{
  "log": {
    "disabled": false,
    "level": "warn",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "vless",
      "tag": "vless-in",
      "listen": "::",
      "listen_port": 10010,
      "users": [
        {
          "name": "sekai",
          "uuid": "ffb0ea07-4537-4869-837a-bc8982431c20",
          "flow": "xtls-rprx-vision"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "nijigen-works.jp",
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "nijigen-works.jp",
            "server_port": 443
          },
          "private_key": "KBdfrDPXwN1oQUsRyRcvegESIHC-aOxAxi9gVO16zlM",
          "short_id": [
            "0123456789abcd"
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    },
    {
      "type": "vless",
      "tag": "vless-out",
      "server": "5.5.5.5",
      "server_port": 443,
      "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "www.apple.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        },
        "reality": {
          "enabled": true,
          "public_key": "QPB1AnGKhIdD0P6NAXAA7ujB5j_mJK7jteeTIreylUc",
          "short_id": "0123456789abcdef"
        }
      }
    }
  ],
  "route": {
    "geoip": {
      "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct-out"
    },
    "geosite": {
      "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct-out"
    },
    "rules": [
      {
        "inbound": [
          "vless-in"
        ],
        "geosite": [
          "netflix"
        ],
        "outbound": "vless-out"
      },
      {
        "inbound": [
          "vless-in"
        ],
       "outbound": "direct-out"
      }
    ]
  }
}

落地机配置示例

{
  "log": {
    "disabled": false,
    "level": "warn",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "vless",
      "tag": "vless-in",
      "listen": "::",
      "listen_port": 443,
      "users": [
        {
          "name": "sekai",
          "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
          "flow": "xtls-rprx-vision"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "www.apple.com",
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "www.apple.com",
            "server_port": 443
          },
          "private_key": "QABRgdrx8Pha6vbSa7kGex6oFkV9-mca0EQfZsfeHEs",
          "short_id": [
            "0123456789abcdef"
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ]
}

7、Reality 偷自己证书的配置示例
前提条件:需要用到Nginx的Stream模块来转发流量,所以需要编译安装Nginx

安装依赖

apt install build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev

下载和解压Nginx源代码(Nginx版本为1.25.3,如需其它版本,请自己替换版本号;nginx.org同目录下提供对应的.asc签名文件,建议先用gpg核验签名再解压)

wget https://nginx.org/download/nginx-1.25.3.tar.gz -O - | tar -zxvf -

进入Nginx源代码目录(1.25.3替换为你自己的Nginx版本号)

cd nginx-1.25.3

配置Nginx编译选项

./configure --prefix=/etc/nginx --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-stream --with-stream_ssl_preread_module --with-threads

编译和安装Nginx

make
make install

配置Nginx的Systemd服务(开机自启)

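# Quote the heredoc delimiter: with an unquoted EOF the shell expands
# $MAINPID at write time (to an empty string), so the unit file would end
# up with "ExecStop=/bin/kill -s QUIT " and systemd would never see the
# variable. The quoted form writes the text literally.
cat > /etc/systemd/system/nginx.service <<'EOF'
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/etc/nginx/logs/nginx.pid
ExecStartPre=/etc/nginx/sbin/nginx -t
ExecStart=/etc/nginx/sbin/nginx
ExecReload=/etc/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF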

启用 Nginx 服务以在启动时自动启动

systemctl enable nginx

修改Nginx配置文件(/etc/nginx/conf/nginx.conf)
工作流程:Nginx 监听 443 端口,对于 SSL/TLS 流量,根据 SNI 扩展将流量路由到 sing-box 后端服务器;sing-box 监听 10010 端口,10010 端口部署的 Reality 回落到本机的 12345 端口去偷自己的证书,并将 HTTPS 流量反代到其它网站,让流量看起来更真实

#user  nobody;
worker_processes  1;
error_log /etc/nginx/logs/error.log;
#pid /run/nginx.pid;
events {
    worker_connections  1024;
}
stream {
    map $ssl_preread_server_name $backend {    #映射指令,基于 SNI 将不同的域名映射到后端服务器;根据客户端请求中的 SNI 信息,Nginx将路由流量到不同的后端服务器;此处没有 default 项,SNI 不匹配时 $backend 为空,连接会被关闭,如需兜底可添加 default
        example.com sing-box;    #将 SNI 为 example.com 的域名映射到名为 sing-box 的后端服务器
    }

    upstream sing-box {    #定义了名为 sing-box 的后端服务器
        server 127.0.0.1:10010;    #127.0.0.1 表示后端服务器为本地主机,10010 表示后端服务监听的端口
    }

    server {    #处理 TCP 流量的代理服务器;它监听 443 端口,代理通过 SNI 名称映射到的后端服务器
        listen 443      reuseport;
        listen [::]:443 reuseport;
        proxy_pass      $backend;    #将流量代理到根据 SNI 映射的后端服务器
        ssl_preread     on;    #启用 TLS 握手前的协议(SNI)识别,以便将流量路由到正确的后端
    }
}
http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /etc/nginx/logs/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    server {    #HTTP 服务器,将所有的 HTTP 请求重定向至 HTTPS
        listen 80;
        listen [::]:80;
        return 301 https://$host$request_uri;
    }

    server {    #HTTPS 服务器,监听 12345 端口,将接收到的流量代理到 www.bing.com,代理网站自己修改
        listen 12345 ssl;
        listen [::]:12345 ssl;
        server_name example.com;    #example.com 修改为你域名
        ssl_certificate /etc/ssl/private/example.com.crt;    #证书路径,绝对路径
        ssl_certificate_key /etc/ssl/private/example.com.key;    #私钥路径,绝对路径
        ssl_protocols TLSv1.2 TLSv1.3; 
        ssl_prefer_server_ciphers on;    #优先使用服务端的密码套件
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;    #TLS 1.2 密码套件列表(并非椭圆曲线列表),若证书格式为 RSA 证书,将 ECDSA 替换为 RSA

        location / {    #反向代理配置,www.bing.com 修改为你要反代的网址
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;    #启用 HSTS,强制浏览器始终使用 HTTPS 连接;preload 表示同意被收录进浏览器预加载列表,收录后很难撤销,确认该域名及其子域长期只走 HTTPS 后再保留该参数
            proxy_pass https://www.bing.com;
            proxy_ssl_server_name on;
            proxy_redirect off;
            sub_filter_once off;
            sub_filter "www.bing.com" $server_name;
            proxy_set_header Host "www.bing.com";
            proxy_set_header Referer $http_referer;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Accept-Encoding "";
            proxy_set_header Accept-Language "zh-CN";
        }
    }
}
sing-box服务端配置
{
  "log": {
    "disabled": false,
    "level": "info",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "vless",
      "tag": "vless-in",
      "listen": "::",
      "listen_port": 10010,    //后端服务监听的端口
      "sniff": true,
      "sniff_override_destination": true,
      "users": [
        {
          "uuid": "8dc6811a-3168-487b-98ea-b75cebb8ff33",
          "flow": "xtls-rprx-vision"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "example.com",    //example.com 修改为你的域名
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "127.0.0.1",
            "server_port": 12345    //回落到本机的 12345 端口去偷证书
          },
          "private_key": "wLB3YDmeohOk7YJ1JQj-xtfBcUDoOH0H6NrO4uZrsF8",
          "short_id": [
            "94596fd79c455cd8"
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    }
  ]
}