本文供高级玩家阅读,请先阅读 Vmess + TCP + TLS 方式的 HTTP 分流和网站伪装。 相比 TCP,Domain Socket 更为高效。 本文针对使用 Debian 10 的用户,其他系统请自行摸索。
-
首先按照先前的教程安装好 HaProxy 和 V2Ray。
-
修改以下文件,示例见下方
- /etc/haproxy/haproxy.cfg
- /etc/v2ray/config.json
Last active
October 23, 2025 09:32
-
-
Save liberal-boy/b2d5597285b4202b6d607faaa1078d27 to your computer and use it in GitHub Desktop.
HaProxy 通过 Domain Socket 与 V2Ray 通讯
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "inbounds": [ | |
| { | |
| "protocol": "vmess", | |
| "listen": "127.0.0.1", | |
| "port": 40001, | |
| "settings": { | |
| "clients": [ | |
| { | |
| "id": "f2435e5c-9ad9-4367-836a-8341117d0a5f" | |
| } | |
| ] | |
| }, | |
| "streamSettings": { | |
| "network": "ds", | |
| "dsSettings": { | |
| "path": "@v2ray", | |
| "abstract": true | |
| } | |
| } | |
| } | |
| ], | |
| "outbounds": [ | |
| { | |
| "protocol": "freedom" | |
| } | |
| ] | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| ca-base /etc/ssl/certs | |
| crt-base /etc/ssl/private | |
| # 仅使用支持 FS 和 AEAD 的加密套件 | |
| ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |
| ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | |
| # 禁用 TLS 1.2 之前的 TLS | |
| ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | |
| tune.ssl.default-dh-param 2048 | |
| defaults | |
| log global | |
| # 我们需要使用 tcp 模式 | |
| mode tcp | |
| option dontlognull | |
| timeout connect 5s | |
| # 空闲连接等待时间,这里使用与 V2Ray 默认 connIdle 一致的 300s | |
| timeout client 300s | |
| timeout server 300s | |
| frontend tls-in | |
| # 监听 443 tls,tfo 根据自身情况决定是否开启,证书放置于 /etc/ssl/private/example.com.pem | |
| bind *:443 tfo ssl crt /etc/ssl/private/example.com.pem | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if HTTP | |
| # 将 HTTP 流量发给 web 后端 | |
| use_backend web if HTTP | |
| # 将其他流量发给 vmess 后端 | |
| default_backend vmess | |
| backend web | |
| server server1 127.0.0.1:8080 | |
| backend vmess | |
| # 填写 chroot 后的路径 | |
| server server1 abns@v2ray |
我使用xray 1.8.3测试了一下这7种入站协议vmess,vless, trojan,shadowsocks,dokodemo-door,socks,http。
其中vmess和http支持@@地址
vless和trojan监听@@地址会导致xray进程崩溃
shadowsocks, dokodemo-door, socks就好像没监听一样
传输协议:
vmess:
- tcp,ws,http,grpc 仍然支持@@,个人猜测ws,http,grpc只是在原有的tcp上封装,所以并不会影响tcp连接的特性
- kcp,quic 进程崩溃,只是试试。
虽然unix socket本身可以提供可靠的udp传输,但感觉拿来破网并不合适
http代理:
- 貌似不支持传输协议配置,在x-ui中没有可配置的选项
关于出站:猜测应该和入站配置看到的效果相对应,测试太麻烦了,就先不测了。
分享一下,仅供参考。
按这个部署后,测试连接不上了……
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Maybe its a domain socket path padding question, in v2ray config @@ is meaning padding path, in haproxy its always padding path