easy-xray/template_config_server.jsonc

// This config is based on
// https://github.com/XTLS/Xray-examples/blob/main/VLESS-TCP-XTLS-Vision-REALITY/REALITY.ENG.md
{
  "log": {
    "access": "none",
    "error": "",
    "loglevel": "warning",
    "dnsLog": false
  },
  // Turns on traffic statistics, see https://xtls.github.io/en/config/stats.html#statsobject
  // and https://xtls.github.io/en/config/policy.html#policyobject
  // and special "api" tag below
  "stats": {
  },
  "policy": {
    "levels": {
      // default level
      "0": {
        "statsUserUplink": true,
        "statsUserDownlink": true
      }
    },
    "system": {
      "statsOutboundUplink": true,
      "statsOutboundDownlink": true
    }
  },
  // enables API interface https://xtls.github.io/en/config/api.html#apiobject
  "api": {
    "tag": "api",
    "services": [ "StatsService" ]
  },
  // Forward each inbound connections to corresponding `outboundTag`. If no rules match,
  // the traffic is sent out by the first outbound in `outbounds` section.
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api"
      },
      {
        "type": "field",
        "port": "80",
        "network": "udp",
        "outboundTag": "block"
      },
      {
        "type": "field",
        "ip": [
          // localhost connections
          "geoip:private"
        ],
        "outboundTag": "block"
      },
      {
        "type": "field",
        "protocol": [ "bittorrent" ],
        "outboundTag": "block"
      },
      // block domestic client traffic if it's coming somehow (e.g. wrong client config)
      {
        "type": "field",
        "domain": [
            "geosite:cn",
            "domain:cn",
            "domain:xn--fiqs8s",
            "domain:xn--fiqz9s",
            "domain:xn--55qx5d",
            "domain:xn--io0a7i",
            "domain:ru",
            "domain:xn--p1ai",
            "domain:by",
            "domain:xn--90ais",
            "domain:ir",
            "ext:customgeo.dat:coherence-extra"
        ],
        "outboundTag": "block"
      },
      {
        "type": "field",
        "ip": [
            "geoip:cn",
            "geoip:ru",
            "geoip:by",
            "geoip:ir"
        ],
        "outboundTag": "block"
      }
    ]
  },
  // server-side inbound configuration
  "inbounds": [
    // gRPC API inbound, used to get statistics
    {
      "listen": "127.0.0.1",
      "port": 8080,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1"
      },
      "tag": "api"
    },
    // main inbound, clients connect to it
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      // VLESS settings
      "settings": {
        "clients": [
          {
            // can be generated with `xray uuid`
            "id": "client_id",
            // some email; appears in logs
            "email": "client_email",
            // Optional; if specified, clients must enable XTLS.
            // XTLS is Xray's original technology, which doesn't encrypt TLS traffic (which is already encrypted),
            // providing outstanding performance and no fingerprints of double-encrypted TLS.
            // XTLS has the same security as TLS.
            // https://xtls.github.io/en/config/transport.html#streamsettingsobject
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      // settings of transport protocol, https://xtls.github.io/en/config/transport.html#streamsettingsobject
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        // REALITY fallback options; see also https://xtls.github.io/en/config/features/fallback.html
        "realitySettings": {
          // optional; if true, outputs debug information
          "show": false,
          // with failed authentication VLESS will forward traffic to this address
          "dest": "www.youtube.com:443",
          "xver": 0,
          // required; list of server names which client can provide to the server during the handshake.
          // (The internet provider sees "serverName" of client config in the client-server traffic, then a censor
          // can use this for active probing. Thus, this names should be in accordance with "dest" above.)
          "serverNames": [
            "www.youtube.com"
          ],
          // required; generate with `xray x25519`; use paired publicKey in client configs
          "privateKey": "private_key",
          "shortIds": [
            // required, list of shortIds available to clients, can be used to distinguish different clients
            "short_id"
          ]
        }
      },
      // used to make transparent proxies, see https://xtls.github.io/en/config/inbound.html#sniffingobject
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ],
        "routeOnly": true
      }
    },
    // extra inbound; its main purpose is to get fallback to "dest" at port 80. Many regular websites
    // have open ports 80 (http) and 443 (https).
    {
      "listen": "0.0.0.0",
      "port": 80,
      "protocol": "vless",
      // VLESS settings
      "settings": {
        "clients": [
          {
            // can be generated with `xray uuid`
            "id": "client_id",
            // some email; appears in logs
            "email": "client_email",
            // Optional; if specified, clients must enable XTLS.
            // XTLS is Xray's original technology, which doesn't encrypt TLS traffic (which is already encrypted),
            // providing outstanding performance and no fingerprints of double-encrypted TLS.
            // XTLS has the same security as TLS.
            // https://xtls.github.io/en/config/transport.html#streamsettingsobject
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      // settings of transport protocol, https://xtls.github.io/en/config/transport.html#streamsettingsobject
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        // REALITY fallback options; see also https://xtls.github.io/en/config/features/fallback.html
        "realitySettings": {
          // optional; if true, outputs debug information
          "show": false,
          // with failed authentication VLESS will forward traffic to this address
          "dest": "www.youtube.com:80",
          "xver": 0,
          // required; list of server names which client can provide to the server during the handshake.
          // (The internet provider sees "serverName" of client config in the client-server traffic, then a censor
          // can use this for active probing. Thus, this names should be in accordance with "dest" above.)
          "serverNames": [
            "www.youtube.com"
          ],
          // required; generate with `xray x25519`; use paired publicKey in client configs
          "privateKey": "private_key",
          "shortIds": [
            // required, list of shortIds available to clients, can be used to distinguish different clients
            "short_id"
          ]
        }
      },
      // used to make transparent proxies, see https://xtls.github.io/en/config/inbound.html#sniffingobject
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ],
        "routeOnly": true
      }
    }
  ],
  // server-side outbound configuration
  "outbounds": [
    // direct connection
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    // for that should be blocked
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}