Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save liberal-boy/b2d5597285b4202b6d607faaa1078d27 to your computer and use it in GitHub Desktop.
Save liberal-boy/b2d5597285b4202b6d607faaa1078d27 to your computer and use it in GitHub Desktop.
HaProxy 通过 Domain Socket 与 V2Ray 通讯
{
"inbounds": [
{
"protocol": "vmess",
"listen": "127.0.0.1",
"port": 40001,
"settings": {
"clients": [
{
"id": "f2435e5c-9ad9-4367-836a-8341117d0a5f"
}
]
},
"streamSettings": {
"network": "ds",
"dsSettings": {
"path": "@v2ray",
"abstract": true
}
}
}
],
"outbounds": [
{
"protocol": "freedom"
}
]
}

HaProxy 通过 Domain Socket 与 V2Ray 通讯

本文供高级玩家阅读,请先阅读 Vmess + TCP + TLS 方式的 HTTP 分流和网站伪装。 相比 TCP,Domain Socket 更为高效。 本文针对使用 Debian 10 的用户,其他系统请自行摸索。

预先准备

  1. 首先按照先前的教程安装好 HaProxy 和 V2Ray。

  2. 修改以下文件,示例见下方

  • /etc/haproxy/haproxy.cfg
  • /etc/v2ray/config.json
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# 仅使用支持 FS 和 AEAD 的加密套件
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# 禁用 TLS 1.2 之前的 TLS
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
tune.ssl.default-dh-param 2048
defaults
log global
# 我们需要使用 tcp 模式
mode tcp
option dontlognull
timeout connect 5s
# 空闲连接等待时间,这里使用与 V2Ray 默认 connIdle 一致的 300s
timeout client 300s
timeout server 300s
frontend tls-in
# 监听 443 tls,tfo 根据自身情况决定是否开启,证书放置于 /etc/ssl/private/example.com.pem
bind *:443 tfo ssl crt /etc/ssl/private/example.com.pem
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
# 将 HTTP 流量发给 web 后端
use_backend web if HTTP
# 将其他流量发给 vmess 后端
default_backend vmess
backend web
server server1 127.0.0.1:8080
backend vmess
# 填写 chroot 后的路径
server server1 abns@v2ray
@sixg0000d
Copy link

sixg0000d commented Aug 30, 2021

为什么使用Domain Socket监听,inbound还需要设置监听ip地址和端口,感觉这两个参数已经失去其作用了,是受v2ray配置文件格式所限制吗

我猜是啊,这样一点都不美观了

最新版本已经可以在 .inbounds[].listen 里填 unix domain socket 和 abstract socket 地址了

@SunsetKnights
Copy link

注意:在4.32.0+版本中,可以设置inbounds[].listen 为 @@v2ray, 此时dsSetting可以省略

@GektorUA
Copy link

Hi, i have setup it by first manual, works without problem, but when i have modified it with Domain Socket manual, v2ray stops working. Have check configs many times, it just doesn't works. Maybe i have missed something inside Debian system?

@SunsetKnights
Copy link

Hi, i have setup it by first manual, works without problem, but when i have modified it with Domain Socket manual, v2ray stops working. Have check configs many times, it just doesn't works. Maybe i have missed something inside Debian system?

Maybe its a domain socket path padding question, in v2ray config @@ is meaning padding path, in haproxy its always padding path

@zhanhb
Copy link

zhanhb commented Jul 11, 2023

我使用xray 1.8.3测试了一下这7种入站协议vmess,vless, trojan,shadowsocks,dokodemo-door,socks,http。

其中vmess和http支持@@地址
vless和trojan监听@@地址会导致xray进程崩溃
shadowsocks, dokodemo-door, socks就好像没监听一样


传输协议:
vmess:

  • tcp,ws,http,grpc 仍然支持@@,个人猜测ws,http,grpc只是在原有的tcp上封装,所以并不会影响tcp连接的特性
  • kcp,quic 进程崩溃,只是试试。虽然unix socket本身可以提供可靠的udp传输,但感觉拿来破网并不合适

http代理:

  • 貌似不支持传输协议配置,在x-ui中没有可配置的选项

关于出站:猜测应该和入站配置看到的效果相对应,测试太麻烦了,就先不测了。


分享一下,仅供参考。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment