mirrors/XTLS_REALITY
0
0
Fork 0
mirror of https://github.com/XTLS/REALITY.git synced 2025-08-22 14:38:35 +00:00
Code

readme

Browse Source
This commit is contained in:
Meo597 2025-06-08 19:39:26 +08:00
parent fda134e780
commit b1225047c7
2 changed files with 150 additions and 187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

163
README.en.md
View File

@ -3,7 +3,7 @@
### THE NEXT FUTURE
Server side implementation of REALITY protocol, a fork of package tls in latest [Go](https://github.com/golang/go/commits/master/src/crypto/tls).
For client side, please follow https://github.com/XTLS/Xray-core/blob/main/transport/internet/reality/reality.go.
For client side, please follow https://github.com/XTLS/Xray-core/blob/main/transport/internet/reality/reality.go.
TODO List: TODO
@ -11,69 +11,51 @@ TODO List: TODO
[中文](README.md) | English
```jsonc
```json5
{
"inbounds": [
// Server Inbound Configuration
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "", // Required, execute ./xray uuid to generate, or a string of 1-30 characters
"flow": "xtls-rprx-vision" // Optional, if any, client must enable XTLS
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // Optional, if true, output debugging information
"dest": "example.com:443", // Required, the format is the same as the dest of VLESS fallbacks
"xver": 0, // Optional, the format is the same as xver of VLESS fallbacks
"serverNames": [
// Required, the acceptable serverName list, does not support * wildcards for now
"example.com",
"www.example.com"
],
"privateKey": "", // Required, execute ./xray x25519 to generate
"minClientVer": "", // Optional, minimum client Xray version, format is x.y.z
"maxClientVer": "", // Optional, the highest version of client Xray, the format is x.y.z
"maxTimeDiff": 0, // Optional, the maximum time difference allowed, in milliseconds
"shortIds": [
// Required, the acceptable shortId list, which can be used to distinguish different clients
"", // If there is this item, the client shortId can be empty
"0123456789abcdef" // 0 to f, the length is a multiple of 2, the maximum length is 16
],
// The two limit below are optional for rate limiting falling REALITY connections. Default are 0 means disabled
// WARNING: Enabling rate limiting may create detectable patterns for Great-Firewall!
// If you're a GUI/panel/one-click script developer, RANDOMIZE these parameters!
"limitFallbackUpload": {
// Limit upload for falling REALITY connections
"afterBytes": 0, // Start throttling after (bytes)
"bytesPerSec": 0, // Base speed (bytes/s)
"burstBytesPerSec": 0 // Burst capacity (bytes)
},
"limitFallbackDownload": {
// Limit download for falling REALITY connections
"afterBytes": 0, // Start throttling after (bytes)
"bytesPerSec": 0, // Base speed (bytes/s)
"burstBytesPerSec": 0 // Burst capacity (bytes)
}
"inbounds": [ // Server Inbound Configuration
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "", // Required, execute ./xray uuid to generate, or a string of 1-30 characters
"flow": "xtls-rprx-vision" // Optional, if any, client must enable XTLS
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // Optional, if true, output debugging information
"dest": "example.com:443", // Required, the format is the same as the dest of VLESS fallbacks
"xver": 0, // Optional, the format is the same as xver of VLESS fallbacks
"serverNames": [ // Required, the acceptable serverName list, does not support * wildcards for now
"example.com",
"www.example.com"
],
"privateKey": "", // Required, execute ./xray x25519 to generate
"minClientVer": "", // Optional, minimum client Xray version, format is x.y.z
"maxClientVer": "", // Optional, the highest version of client Xray, the format is x.y.z
"maxTimeDiff": 0, // Optional, the maximum time difference allowed, in milliseconds
"shortIds": [ // Required, the acceptable shortId list, which can be used to distinguish different clients
"", // If there is this item, the client shortId can be empty
"0123456789abcdef" // 0 to f, the length is a multiple of 2, the maximum length is 16
]
}
}
}
}
}
]
]
}
```
REALITY is intented to replace the use of TLS, it can **eliminate the detectable TLS fingerprint on the server side**, while still maintain the forward secrecy, etc. **Guard against the certificate chain attack, thus its security exceeds conventional TLS**
**REALITY can point to other people's websites**, no need to buy domain names, configure TLS server, more convenient to deploy a proxy service. It **achieves full real TLS that is undistingwishable with the specified SNI to the middleman**
For general proxy purposes, the minimum standard of the target website: **Websites out of China's GFW, support TLSv1.3 and H2, the domain name is not used for redirection** (the main domain name may be used to redirect to www)
Bonus points: target website IP reside closer to proxy IP (looks more reasonable, and lower latency), handshake messages after Server Hello are encrypted together (such as dl.google.com), OCSP Stapling
Configuration bonus items: **Block the proxy traffic back to China, TCP/80, UDP/443 are also forwarded to target** (REALITY behaves like port forwarding to the observer, the target IP may be better if it is an uncommon choice among REALITY users)
@ -81,41 +63,40 @@ Configuration bonus items: **Block the proxy traffic back to China, TCP/80, UDP/
**REALITY can also be used with proxy protocols other than XTLS**, but this is not recommended due to their obvious and already targeted TLS in TLS characteristics
The next main goal of REALITY is "**pre-built mode**", that is, to collect and build the characteristics of the target website in advance, and the next main goal of XTLS is **0-RTT**
```jsonc
```json5
{
"outbounds": [
// Client outbound configuration
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "", // The domain name or IP of the server
"port": 443,
"users": [
{
"id": "", // consistent with the server
"flow": "xtls-rprx-vision", // consistent with the server
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // Optional, if true, output debugging information
"fingerprint": "chrome", // Required, use uTLS library to emulate client TLS fingerprint
"serverName": "", // One of the server serverNames
"publicKey": "", // The public key corresponding to the private key of the server
"shortId": "", // One of the server shortIds
"spiderX": "" // The initial path and parameters of the crawler, recommended to be different for each client
"outbounds": [ // Client outbound configuration
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "", // The domain name or IP of the server
"port": 443,
"users": [
{
"id": "", // consistent with the server
"flow": "xtls-rprx-vision", // consistent with the server
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // Optional, if true, output debugging information
"fingerprint": "chrome", // Required, use uTLS library to emulate client TLS fingerprint
"serverName": "", // One of the server serverNames
"publicKey": "", // The public key corresponding to the private key of the server
"shortId": "", // One of the server shortIds
"spiderX": "" // The initial path and parameters of the crawler, recommended to be different for each client
}
}
}
}
}
]
]
}
```
@ -129,4 +110,4 @@ The REALITY client can perfectly distinguish temporary trusted certificates, rea
1. When the temporary trusted certificate is received, the proxy connection is available and everything is business as usual
2. When the real certificate is received, enter the crawler mode (spiderX)
3. When an invalid certificate is received, TLS alert will be sent and the connection will be disconnected
3. When an invalid certificate is received, TLS alert will be sent and the connection will be disconnected

174
README.md
View File

@ -3,7 +3,7 @@
### THE NEXT FUTURE
Server side implementation of REALITY protocol, a fork of package tls in latest [Go](https://github.com/golang/go/commits/master/src/crypto/tls).
For client side, please follow https://github.com/XTLS/Xray-core/blob/main/transport/internet/reality/reality.go.
For client side, please follow https://github.com/XTLS/Xray-core/blob/main/transport/internet/reality/reality.go.
TODO List: TODO
@ -11,110 +11,92 @@ TODO List: TODO
中文 | [English](README.en.md)
```jsonc
```json5
{
"inbounds": [
// 服务端入站配置
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "", // 必填,执行 ./xray uuid 生成,或 1-30 字节的字符串
"flow": "xtls-rprx-vision" // 选填,若有,客户端必须启用 XTLS
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // 选填,若为 true输出调试信息
"dest": "example.com:443", // 必填,格式同 VLESS fallbacks 的 dest
"xver": 0, // 选填,格式同 VLESS fallbacks 的 xver
"serverNames": [
// 必填,客户端可用的 serverName 列表,暂不支持 * 通配符
"example.com",
"www.example.com"
],
"privateKey": "", // 必填,执行 ./xray x25519 生成
"minClientVer": "", // 选填,客户端 Xray 最低版本,格式为 x.y.z
"maxClientVer": "", // 选填,客户端 Xray 最高版本,格式为 x.y.z
"maxTimeDiff": 0, // 选填,允许的最大时间差,单位为毫秒
"shortIds": [
// 必填,客户端可用的 shortId 列表,可用于区分不同的客户端
"", // 若有此项,客户端 shortId 可为空
"0123456789abcdef" // 0 到 f长度为 2 的倍数,长度上限为 16
],
// 下列两个 limit 为选填,可对回落的 REALITY 连接限速。默认为 0 即不启用
// 警告:启用限速可能会引入新的特征被 GFW 探测到如果您是GUI/面板/一键脚本开发者,请务必让这些参数随机化!
"limitFallbackUpload": {
// 限制回落上行
"afterBytes": 0, // 传输指定字节后开始限速
"bytesPerSec": 0, // 基准速率 (字节/秒)
"burstBytesPerSec": 0 // 突发速率 (字节/秒)
},
"limitFallbackDownload": {
// 限制回落下行
"afterBytes": 0, // 传输指定字节后开始限速
"bytesPerSec": 0, // 基准速率 (字节/秒)
"burstBytesPerSec": 0 // 突发速率 (字节/秒)
}
"inbounds": [ // 服务端入站配置
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "", // 必填,执行 ./xray uuid 生成,或 1-30 字节的字符串
"flow": "xtls-rprx-vision" // 选填,若有,客户端必须启用 XTLS
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // 选填,若为 true输出调试信息
"dest": "example.com:443", // 必填,格式同 VLESS fallbacks 的 dest
"xver": 0, // 选填,格式同 VLESS fallbacks 的 xver
"serverNames": [ // 必填,客户端可用的 serverName 列表,暂不支持 * 通配符
"example.com",
"www.example.com"
],
"privateKey": "", // 必填,执行 ./xray x25519 生成
"minClientVer": "", // 选填,客户端 Xray 最低版本,格式为 x.y.z
"maxClientVer": "", // 选填,客户端 Xray 最高版本,格式为 x.y.z
"maxTimeDiff": 0, // 选填,允许的最大时间差,单位为毫秒
"shortIds": [ // 必填,客户端可用的 shortId 列表,可用于区分不同的客户端
"", // 若有此项,客户端 shortId 可为空
"0123456789abcdef" // 0 到 f长度为 2 的倍数,长度上限为 16
]
}
}
}
}
}
]
]
}
```
若用 REALITY 取代 TLS**可消除服务端 TLS 指纹特征**,仍有前向保密性等,**且证书链攻击无效,安全性超越常规 TLS**
**可以指向别人的网站**,无需自己买域名、配置 TLS 服务端,更方便,**实现向中间人呈现指定 SNI 的全程真实 TLS**
若用 REALITY 取代 TLS**可消除服务端 TLS 指纹特征**,仍有前向保密性等,**且证书链攻击无效,安全性超越常规 TLS**
**可以指向别人的网站**,无需自己买域名、配置 TLS 服务端,更方便,**实现向中间人呈现指定 SNI 的全程真实 TLS**
通常代理用途,目标网站最低标准:**国外网站,支持 TLSv1.3 与 H2域名非跳转用**(主域名可能被用于跳转到 www
加分项IP 相近更像且延迟低Server Hello 后的握手消息一起加密(如 dl.google.com有 OCSP Stapling
配置加分项:**禁回国流量TCP/80、UDP/443 也转发**REALITY 对外表现即为端口转发,目标 IP 冷门或许更好)
通常代理用途,目标网站最低标准:**国外网站,支持 TLSv1.3 与 H2域名非跳转用**(主域名可能被用于跳转到 www
加分项IP 相近更像且延迟低Server Hello 后的握手消息一起加密(如 dl.google.com有 OCSP Stapling
配置加分项:**禁回国流量TCP/80、UDP/443 也转发**REALITY 对外表现即为端口转发,目标 IP 冷门或许更好)
**REALITY 也可以搭配 XTLS 以外的代理协议使用**,但不建议这样做,因为它们存在明显且已被针对的 TLS in TLS 特征
REALITY 的下一个主要目标是“**预先构建模式**”即提前采集目标网站特征XTLS 的下一个主要目标是 **0-RTT**
**REALITY 也可以搭配 XTLS 以外的代理协议使用**,但不建议这样做,因为它们存在明显且已被针对的 TLS in TLS 特征
REALITY 的下一个主要目标是“**预先构建模式**”即提前采集目标网站特征XTLS 的下一个主要目标是 **0-RTT**
```jsonc
```json5
{
"outbounds": [
// 客户端出站配置
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "", // 服务端的域名或 IP
"port": 443,
"users": [
{
"id": "", // 与服务端一致
"flow": "xtls-rprx-vision", // 与服务端一致
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // 选填,若为 true输出调试信息
"fingerprint": "chrome", // 必填,使用 uTLS 库模拟客户端 TLS 指纹
"serverName": "", // 服务端 serverNames 之一
"publicKey": "", // 服务端私钥对应的公钥
"shortId": "", // 服务端 shortIds 之一
"spiderX": "" // 爬虫初始路径与参数,建议每个客户端不同
"outbounds": [ // 客户端出站配置
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "", // 服务端的域名或 IP
"port": 443,
"users": [
{
"id": "", // 与服务端一致
"flow": "xtls-rprx-vision", // 与服务端一致
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false, // 选填,若为 true输出调试信息
"fingerprint": "chrome", // 必填,使用 uTLS 库模拟客户端 TLS 指纹
"serverName": "", // 服务端 serverNames 之一
"publicKey": "", // 服务端私钥对应的公钥
"shortId": "", // 服务端 shortIds 之一
"spiderX": "" // 爬虫初始路径与参数,建议每个客户端不同
}
}
}
}
}
]
]
}
```
@ -132,4 +114,4 @@ REALITY 客户端可以完美区分临时可信证书、真证书、无效证书
## Stargazers over time
[![Stargazers over time](https://starchart.cc/XTLS/REALITY.svg)](https://starchart.cc/XTLS/REALITY)
[![Stargazers over time](https://starchart.cc/XTLS/REALITY.svg)](https://starchart.cc/XTLS/REALITY)