2026-01-09
Environment Setup

Contents

1. Prepare the base environment
2. Run the one-click install script
3. Create an admin account
4. Modify the Nginx configuration
5. Configure Marzban and generate keys

This is a scheme for quickly setting up a VPS node. Marzban provides the management panel, VLESS + Reality provides the strongest anti-blocking capability currently available, and Nginx acts as a reverse proxy in front of the panel; the panel's nodes need no conversion. At present the scheme is fairly robust.

In the add-user interface you can enable the vision flow control (XTLS-Vision) to further strengthen security. The scheme does not require a domain or a camouflage site; the subdomain is only there to make the management panel convenient to reach.

1. Prepare the base environment

apt update && apt upgrade -y
apt install -y curl socat nginx git vim wget certbot python3-certbot-nginx

2. Run the one-click install script:

sudo bash -c "$(curl -sL https://github.com/Gozargah/Marzban-scripts/raw/master/marzban.sh)" @ install

After this step, create a DNS record pointing a subdomain (or domain) at the VPS IP address; this is needed for the Nginx configuration that follows.

Run the following to obtain a certificate (replace xxx.com with your own domain):

sudo certbot --nginx -d xxx.com

3. Create an admin account

marzban cli admin create

4. Modify the Nginx configuration

vim /etc/nginx/sites-available/default

Delete the original contents and replace them with the following. ⚠️ Change xxx.com to your own domain.

# =========================================================
# Part 1: Marzban panel (HTTPS)
# Listens on port 8443 to avoid conflicting with Reality on 443
# Panel address: https://xxx.com:8443
# =========================================================
server {
    listen 8443 ssl;
    # If the server supports IPv6, uncomment the next line; otherwise leave it commented
    # listen [::]:8443 ssl;
    server_name xxx.com;

    # SSL certificate configuration (reuses the paths generated by Certbot)
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Proxy requests to the Marzban panel
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket support (important)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# =========================================================
# Part 2: HTTP redirect (optional)
# Requests to http://xxx.com are redirected to https://...:8443
# =========================================================
server {
    listen 80;
    server_name xxx.com;
    # 301 redirect to HTTPS on port 8443
    return 301 https://$host:8443$request_uri;
}

Then check the configuration and restart Nginx:

nginx -t
systemctl restart nginx

5. Configure Marzban and generate keys

Generate the Marzban (Xray) X25519 key pair:

docker exec marzban-marzban-1 xray x25519

Generate a short_id:

openssl rand -hex 4

Log in to the panel, open Settings, and replace the JSON configuration with the following, filling in the generated private key and short_id:

{
  "log": { "loglevel": "warning" },
  "routing": {
    "rules": [
      { "ip": ["geoip:private"], "outboundTag": "BLOCK", "type": "field" },
      { "protocol": ["bittorrent"], "outboundTag": "BLOCK", "type": "field" }
    ]
  },
  "inbounds": [
    {
      "tag": "VLESS_REALITY",
      "port": 443,
      "protocol": "vless",
      "settings": { "clients": [], "decryption": "none" },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "learn.microsoft.com:443",
          "xver": 0,
          "serverNames": ["learn.microsoft.com", "www.microsoft.com"],
          "privateKey": "<paste the generated private key>",
          "shortIds": ["", "<paste the generated short_id>"],
          "fingerprint": "chrome"
        }
      },
      "sniffing": { "enabled": true, "destOverride": ["http", "tls", "quic"] }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "DIRECT" },
    { "protocol": "blackhole", "tag": "BLOCK" }
  ]
}

Then save, restart the core, and refresh the page. Create a user and click its subscription link.

After the tests above pass, configure mihomo; for the subscription choose the Extend Config (merge) option:
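Filling in the two placeholders by hand is where this step usually goes wrong (public key pasted instead of private, short_id with odd length or non-hex characters). The following is an added Python example, not part of the original post or of Marzban/Xray, that fills the Reality inbound from the two command outputs and validates the formats first; the `xray x25519` output and the short_id below are constructed samples, and the "Private key:" / "PrivateKey:" line labels are an assumption about the Xray version.

```python
import json
import re

# Constructed sample output, standing in for what `xray x25519` prints on the server
# (assumption: the line is labelled "Private key:" or "PrivateKey:" depending on version).
SAMPLE_X25519_OUTPUT = """Private key: oK3bYJnK5KCsl3ETr4eE7XbJrU5G9gjdSwrFYJJ2ZBA
Public key: 0mCbrsJ0ZqhpdCMnnSZNJpK_fBJNZLhiFKbvwvNDdTw
"""
SAMPLE_SHORT_ID = "a1b2c3d4"  # constructed; `openssl rand -hex 4` gives 8 hex chars

# The Reality inbound from the panel JSON above, with both placeholders left empty.
REALITY_TEMPLATE = {
    "tag": "VLESS_REALITY", "port": 443, "protocol": "vless",
    "settings": {"clients": [], "decryption": "none"},
    "streamSettings": {
        "network": "tcp", "security": "reality",
        "realitySettings": {
            "show": False, "dest": "learn.microsoft.com:443", "xver": 0,
            "serverNames": ["learn.microsoft.com", "www.microsoft.com"],
            "privateKey": "", "shortIds": [""], "fingerprint": "chrome",
        },
    },
}

def parse_private_key(x25519_output: str) -> str:
    """Extract the *private* key (the server-side secret; clients get the public key).
    A 32-byte X25519 key is printed as 43 unpadded base64url characters."""
    m = re.search(r"Private ?key:\s*([A-Za-z0-9_-]+)", x25519_output, re.IGNORECASE)
    if not m or len(m.group(1)) != 43:
        raise ValueError("no 32-byte base64url private key found in output")
    return m.group(1)

def validate_short_id(short_id: str) -> str:
    """Reality short IDs are hex, even length, at most 16 chars (8 bytes)."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){0,8}", short_id):
        raise ValueError(f"bad short_id {short_id!r}: need even-length hex, <= 16 chars")
    return short_id.lower()

def fill_reality_inbound(x25519_output: str, short_id: str) -> dict:
    """Return a copy of the template with the validated key and short_id inserted."""
    inbound = json.loads(json.dumps(REALITY_TEMPLATE))  # deep copy, template stays clean
    rs = inbound["streamSettings"]["realitySettings"]
    rs["privateKey"] = parse_private_key(x25519_output)
    rs["shortIds"] = ["", validate_short_id(short_id)]  # same shape as the page's config
    return inbound

if __name__ == "__main__":
    print(json.dumps(fill_reality_inbound(SAMPLE_X25519_OUTPUT, SAMPLE_SHORT_ID), indent=2))
```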

# Profile Enhancement Merge Template for Clash Verge
mixed-port: 7890
allow-lan: true
bind-address: "*"
mode: rule
log-level: info
external-controller: "127.0.0.1:9090"

sniffing:
  enable: true
  parse-pure-ip: true
  sniff:
    HTTP:
      ports: [80]
    TLS:
      ports: [443]
    QUIC:
      ports: [443]

dns:
  enable: true
  ipv6: false
  listen: 127.0.0.1:1053
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  store-fake-ip: true
  respect-rules: true
  use-hosts: true
  # Use encrypted DoT as the bootstrap DNS, so plaintext UDP is not flagged as a "leak"
  default-nameserver:
    - tls://1.1.1.1:853
    - tls://9.9.9.9:853
  proxy-server-nameserver:
    - https://223.5.5.5/dns-query
    - https://1.1.1.1/dns-query
  # Default: prefer foreign encrypted DNS (reduces fallback triggered by ISP hijacking/poisoning)
  nameserver:
    - https://1.1.1.1/dns-query
    - https://dns.google/dns-query
  # For CN / direct domains use domestic DoH (avoids latency or errors from resolving domestic sites via foreign DNS)
  nameserver-policy:
    "geosite:cn":
      - https://dns.alidns.com/dns-query
      - https://doh.pub/dns-query
    "geosite:private":
      - https://dns.alidns.com/dns-query
      - https://doh.pub/dns-query
  # Fallback: a second set of encrypted DNS from different operators, for resilience
  fallback:
    - tls://1.0.0.1:853
    - tls://8.8.8.8:853
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
      - 240.0.0.0/4
    domain:
      - +.google.com
      - +.facebook.com
      - +.youtube.com
      - +.twitter.com
  fake-ip-filter:
    - "*.lan"
    - "*.local"
    - "localhost"
    - "*.localhost"
    - "*.home.arpa"
    - "router.asus.com"
    - "stun.*"
    - "*.stun.*"
    - "time.*.com"
    - "ntp.*.com"
    - "+.msftncsi.com"
    - "+.msftconnecttest.com"

proxy-groups:
  - type: select
    name: PROXY
    proxies:
      - DIRECT
      - REJECT
      - 🚀 Marz (james) [VLESS - tcp]

rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400
  # icloud:
  #   type: http
  #   behavior: domain
  #   url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
  #   path: ./ruleset/icloud.yaml
  #   interval: 86400
  # apple:
  #   type: http
  #   behavior: domain
  #   url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
  #   path: ./ruleset/apple.yaml
  #   interval: 86400
  google:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400
  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400
  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400
  private:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400
  gfw:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400
  tld-not-cn:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400
  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400
  cncidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400
  lancidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400
  applications:
    type: http
    behavior: classical
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
    path: ./ruleset/applications.yaml
    interval: 86400

rules:
  - IP-CIDR,100.64.0.0/10,DIRECT
  # Tailscale-related domains
  - DOMAIN-SUFFIX,tailscale.com,DIRECT
  - DOMAIN-SUFFIX,tailscale.io,DIRECT
  - DOMAIN-SUFFIX,ts.net,DIRECT
  # Apple
  - DOMAIN-SUFFIX,apple.com,PROXY
  - DOMAIN-SUFFIX,icloud.com,PROXY
  - DOMAIN-SUFFIX,icloud-content.com,PROXY
  - DOMAIN-SUFFIX,me.com,PROXY
  # Apple CDN and download services (usually faster direct from China; proxy them if you want to mask your IP)
  - DOMAIN-SUFFIX,mzstatic.com,PROXY
  - DOMAIN-SUFFIX,aaplimg.com,PROXY
  - DOMAIN-SUFFIX,apple-mapkit.com,PROXY
  - IP-CIDR,115.190.162.106/32,DIRECT,no-resolve
  - IP-CIDR,43.143.220.241/32,DIRECT,no-resolve
  - RULE-SET,applications,DIRECT
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,yacd.haishan.me,DIRECT
  - RULE-SET,private,DIRECT
  - RULE-SET,reject,REJECT
  #- RULE-SET,icloud,DIRECT
  #- RULE-SET,apple,DIRECT
  - RULE-SET,google,PROXY
  - RULE-SET,proxy,PROXY
  - RULE-SET,direct,DIRECT
  - RULE-SET,lancidr,DIRECT
  - RULE-SET,cncidr,DIRECT
  - RULE-SET,telegramcidr,PROXY
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT,no-resolve
  - MATCH,PROXY

Then run DNS and WebRTC leak tests. Test sites:

https://ip8.com/webrtc-test

https://browserleaks.com/webrtc

https://browserleaks.com/dns

Author: James


Copyright notice: unless stated otherwise, all articles on this blog are licensed under the BY-NC-SA license. Please credit the source when reposting!