使用 xray reality

This commit is contained in:
陈浩南 2023-08-12 23:58:18 +08:00
parent ee079b4251
commit 593391a894
3 changed files with 33 additions and 110 deletions


@ -320,10 +320,9 @@
externalIp = "74.211.99.69";
map =
{
"ng01.mirism.one" = "127.0.0.1:7411";
"beta.mirism.one" = "127.0.0.1:9114";
"ng01.mirism.one" = 7411;
"beta.mirism.one" = 9114;
};
proxyPorts = [ 7411 9114 ];
};
httpProxy =
{


@ -92,8 +92,7 @@ inputs:
{
enable = mkOption { type = types.bool; default = false; };
externalIp = mkOption { type = types.nonEmptyStr; };
map = mkOption { type = types.attrsOf types.nonEmptyStr; };
proxyPorts = mkOption { type = types.listOf types.ints.unsigned; };
map = mkOption { type = types.attrsOf types.ints.unsigned; };
};
httpProxy = mkOption
{
@ -114,7 +113,7 @@ inputs:
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.config.nixos) services;
inherit (builtins) map listToAttrs concatStringsSep toString elemAt genList length attrNames;
inherit (builtins) map listToAttrs concatStringsSep toString elemAt genList length attrNames attrValues;
in mkMerge
[
(
@ -379,11 +378,11 @@ inputs:
streamSettings =
{
network = "tcp";
security = "tls";
tlssettings =
security = "reality";
realitySettings =
{
serverName = services.xrayClient.serverName;
allowInsecure = false;
publicKey = "Nl0eVZoDF9d71_3dVsZGJl3UWR9LCv3B14gu7G6vhjk";
fingerprint = "firefox";
};
};
@ -443,32 +442,13 @@ inputs:
services =
{
xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-server.json".path; };
nginx =
nginx.virtualHosts.xray =
{
streamConfig =
let
allowedFingerprint =
[
];
in
inputs.lib.mkBefore (stripeTabs
''
map $stream_ssl_ja3_hash $xray_backend
{
${concatStringsSep "\n" (map
(fp: '' "${fp}" 127.0.0.1:4726;'')
allowedFingerprint)}
default 127.0.0.1:6603;
}
'');
virtualHosts.xray =
{
serverName = services.xrayServer.serverName;
default = true;
listen = [{ addr = "127.0.0.1"; port = 7233; }];
locations."/".return = "400";
};
serverName = services.xrayServer.serverName;
default = true;
listen = [{ addr = "127.0.0.1"; port = 7233; ssl = true; }];
useACMEHost = services.xrayServer.serverName;
locations."/".return = "400";
};
};
sops =
@ -502,18 +482,14 @@ inputs:
streamSettings =
{
network = "tcp";
security = "tls";
tlsSettings =
security = "reality";
realitySettings =
{
alpn = [ "http/1.1" "h2" ];
certificates =
let
cert = inputs.config.security.acme.certs.${services.xrayServer.serverName}.directory;
in
[{
certificateFile = "${cert}/full.pem";
keyFile = "${cert}/key.pem";
}];
dest = "127.0.0.1:7233";
serverNames = [ services.xrayServer.serverName ];
privateKey = inputs.config.sops.placeholder."xray-server/private-key";
minClientVer = "1.8.3";
shortIds = [ "" ];
};
};
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
@ -539,38 +515,6 @@ inputs:
settings.address = "127.0.0.1";
tag = "api";
}
{
port = 6603;
listen = "127.0.0.1";
protocol = "vless";
settings =
{
clients =
[{
id = inputs.config.sops.placeholder."xray-server/clients/fakeuser";
flow = "xtls-rprx-vision";
}];
decryption = "none";
fallbacks = [{ dest = "127.0.0.1:7233"; }];
};
streamSettings =
{
network = "tcp";
security = "tls";
tlsSettings =
{
alpn = [ "http/1.1" "h2" ];
certificates =
let
cert = inputs.config.security.acme.certs.${services.xrayServer.serverName}.directory;
in
[{
certificateFile = "${cert}/full.pem";
keyFile = "${cert}/key.pem";
}];
};
};
}
];
outbounds =
[
@ -614,7 +558,6 @@ inputs:
};
};
secrets = listToAttrs (map (n: { name = "xray-server/clients/user${toString n}"; value = {}; }) userList)
// { "xray-server/clients/fakeuser" = {}; }
// (listToAttrs (map
(name:
{
@ -625,7 +568,8 @@ inputs:
group = inputs.config.users.users.v2ray.group;
};
})
[ "token" "chat" ]));
[ "token" "chat" ]))
// { "xray-server/private-key" = {}; };
};
systemd =
{
@ -691,11 +635,10 @@ inputs:
nginx.transparentProxy =
{
enable = true;
map."${services.xrayServer.serverName}" = "127.0.0.1:4726";
proxyPorts = [ 4726 ];
map."${services.xrayServer.serverName}" = 4726;
};
};
security.acme.certs.${services.xrayServer.serverName}.group = "v2ray";
security.acme.certs.${services.xrayServer.serverName}.group = inputs.config.users.users.nginx.group;
}
))
{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
@ -853,20 +796,21 @@ inputs:
services.nginx =
{
enable = true;
# TODO: fix geoip country
streamConfig = stripeTabs
''
log_format stream '[$time_local] $remote_addr-$geoip_country_code "$ssl_preread_server_name"->$backend $bytes_sent $bytes_received $stream_ssl_ja3_hash';
log_format stream '[$time_local] $remote_addr-$geoip_country_code "$ssl_preread_server_name"->$backend $bytes_sent $bytes_received';
access_log syslog:server=unix:/dev/log stream;
map $ssl_preread_server_name $backend
{
${concatStringsSep "\n" (map
(x: '' "${x.name}" ${x.value};'')
(x: '' "${x.name}" 127.0.0.1:${toString x.value};'')
(attrsToList services.nginx.transparentProxy.map))}
default 127.0.0.1:443;
}
server
{
listen ${services.nginx.transparentProxy.externalIp}:443 ssl;
listen ${services.nginx.transparentProxy.externalIp}:443;
ssl_preread on;
proxy_bind $remote_addr transparent;
proxy_pass $backend;
@ -881,27 +825,7 @@ inputs:
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
package =
let
patches = inputs.pkgs.fetchFromGitHub
{
owner = "fooinha";
repo = "nginx-ssl-ja3";
rev = "35b00242c4aced2e623e392fa58c8d31c99cfaed";
sha256 = "BysKzxXveQayaGvFAgtczcIsgWGlOWNd/rCyKf+yjTI=";
};
in
(inputs.pkgs.nginxMainline.override (prev:
{
openssl = (prev.openssl or inputs.pkgs.openssl).overrideAttrs
(prev: { patches = prev.patches ++ [ "${patches}/patches/openssl.extensions.patch" ]; });
modules = prev.modules
++ [{ name = "ssl-ja3"; src = patches; meta.license = [ inputs.lib.licenses.bsd2 ]; }];
})).overrideAttrs (prev:
{
patches = prev.patches ++ [ "${patches}/patches/nginx.1.23.1.ssl.extensions.patch" ];
configureFlags = prev.configureFlags ++ [ "--with-cc-opt='-DJA3_SORT_EXT'" ];
});
package = inputs.pkgs.nginxMainline;
};
systemd.services =
{
@ -930,7 +854,7 @@ inputs:
)
+ concatStringsSep "\n" (map
(port: ''${ipset} add nginx_proxy_port ${toString port}'')
(services.nginx.transparentProxy.proxyPorts ++ [ 443 ]) )
((attrValues services.nginx.transparentProxy.map) ++ [ 443 ]) )
);
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop" (stripeTabs
''
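Review bot: The last hunk of this module feeds `attrValues services.nginx.transparentProxy.map` straight into the per-port `ipset add nginx_proxy_port` loop, so two hostnames that share a backend port would emit the same `add` twice, which ipset reports as an already-present element (fatal if the start script runs under `set -e`); the removed `proxyPorts` list let the author deduplicate by hand. Wrapping it, `((inputs.lib.unique (attrValues services.nginx.transparentProxy.map)) ++ [ 443 ]) )`, keeps the script robust to that case. The option definition in the second hunk could likewise tighten `types.attrsOf types.ints.unsigned` to `types.attrsOf types.port`, so an out-of-range value is rejected at evaluation time instead of at ipset time. Separately, `shortIds = [ "" ];` in the Reality inbound accepts clients that present no short id at all; a non-empty random hex short id, stored through sops alongside `xray-server/private-key`, would give the server one more field on which to reject probes. The `start` script's enclosing expression begins before this hunk.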


@ -36,10 +36,10 @@ xray-server:
user27: ENC[AES256_GCM,data:KM7HUEUHzXd+g/Vxy13uv+zOXLJ1BtSRPUnFIl2/u+ISu6MW,iv:fAxQRVjPsA3cFV1VLyIYMpG60sxi1pWW7153Cc8zjFM=,tag:HtiU8F5shQrFwonQEgQDiA==,type:str]
user28: ENC[AES256_GCM,data:FWuW6SmdA9l+yhTE7KEec72KZ7Ab0A9jYEWoHcLm1+DPydHk,iv:WipmZE/tZ5yCU+cDfeJCNpKv8o7T/zrcMzYRIVXI7FM=,tag:IDTNiPBGY9lER8fdIfL/6w==,type:str]
user29: ENC[AES256_GCM,data:SSP4igGqVthHTDOxOUodm1KEqPSOikWP/7jFKpYhXGe1wqrF,iv:ri82voK2BEArMlyV9F+NMTXQfV1pakGMoUyKh/LoYN4=,tag:VHZ/3DThAD7NmP3oOGyfcw==,type:str]
fakeuser: ENC[AES256_GCM,data:THPuD00WGrCqAFafZ6bGyHYqa1j8saEnVPzwBNXh9RwCmeDy,iv:qkVuQSAXJmRQFyf6dlJK6Wh/sLjr8MVhmr7/fpopkEg=,tag:2/Bzt9Xt5DJXsoAaqLDYWA==,type:str]
telegram:
token: ENC[AES256_GCM,data:xsJoGgQ8pLeZqA2alGKkCyrvnjY6rVF5TlXn4GWDrStFBl65XXzwVY/9ZZthYQ==,iv:qTLfpRUyuIGFM668URfknhSRtx3WEHp/WTGzGUPuFd4=,tag:p8mF0tM+t02g7v2EQZN3Vg==,type:str]
chat: ENC[AES256_GCM,data:X1JxFQw0bPCu,iv:hf+TOSH2p9RdnXDFKxTpSRzxDLdJyzNHVV8MfOQuGWY=,tag:iiWw9IFiBGOOyOSl9Jj2wQ==,type:str]
private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
sops:
kms: []
gcp_kms: []
@ -64,8 +64,8 @@ sops:
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-12T11:58:29Z"
mac: ENC[AES256_GCM,data:ZCuvK8r0uPavasDFfcjyvSDfLkcab/oF/AXEIur3NPq1ozSNUZfQsbFeDxSC2OyWvot/eeYt+f2ClfS7G+xgvEB/qeW0/G3C4H4UhH0xiyjSs7ytduRrXC1sePqFUPMRIUl/+PXxOSgSa65QX96BVKI4lVJmk8wHWFzWBFIukGA=,iv:TXPqdPN5fV92Z8znH9NkZ2TFzRZXzaVjc6kF/gvhiVc=,tag:29fUxP80EA72LdZ1gZezqA==,type:str]
lastmodified: "2023-08-12T15:34:33Z"
mac: ENC[AES256_GCM,data:KMwMPrPI7JcnRRKoera2QlpiISGkbzZlHq415AupbmGSr/f0rKjh2Z647q6e/Ln2YjEBgj+J57q7lD3H6hLQoZhUbEYd67tBraZAl27FAhqpdi8Np82xq+0gNl+pp8+oeEn5TYwrQqIM1rEtJzmJl3TsCphu3IX6jd7VGaLgLyc=,iv:zUpqJjFr55qoIKXwgHNWi0N0E93U+1sqgnb7S4FzkOo=,tag:/wqwyA+EMYG2s7Q+RjsPKA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3