cd /news/cybersecurity/xray-vless-xhttp-tls-relay-warp-2-se… · home topics cybersecurity article
[ARTICLE · art-9576] src=gist.github.com ↗ pub= topic=cybersecurity verified=true sentiment=· neutral

Xray VLESS + XHTTP + TLS Relay, WARP: 2-Server Setup

This article provides a technical guide for setting up a two-server Xray proxy configuration using VLESS, XHTTP, and TLS Reality protocols. Server A acts as an inbound relay that accepts client connections via XHTTP with Reality encryption, then forwards traffic to Server B using another VLESS+XHTTP+TLS connection. The guide includes step-by-step installation commands, configuration file examples with placeholder values, and instructions for generating the necessary cryptographic keys and UUIDs.

read4 min views19 publishedMay 3, 2026

gistfile1.txt

  This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.

Learn more about bidirectional Unicode characters

Show hidden characters

СЕРВЕР А

Всё ставим

sudo apt update

sudo apt install -y curl nano jq

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u root Всё генерируем с помощью

xray uuid - ИД

xray x25519 - ключи

xray vlessenc - для шифрования

openssl rand -hex 8 - short id В итоге потребуется:

CLIENT_UUID

A_REALITY_PRIVATE_KEY

A_REALITY_PUBLIC_KEY

A_REALITY_SHORT_ID

CLIENT_TO_A_DECRYPTION

CLIENT_TO_A_ENCRYPTION

A_TO_B_UUID

A_TO_B_DECRYPTION

A_TO_B_ENCRYPTION

Конфиг xray, сервер А

vim /usr/local/etc/xray/config.json

Пример

{

  "log": {

    "access": "/var/log/xray/access.log",

    "error": "/var/log/xray/error.log",

    "loglevel": "warning"

  },

  "dns": {

    "servers": [

      "1.1.1.1",

      "8.8.8.8"

    ],

    "queryStrategy": "UseIPv4"

  },

  "inbounds": [

    {

      "tag": "client-xhttp-reality-in",

      "listen": "0.0.0.0",

      "port": 443,

      "protocol": "vless",

      "settings": {

        "clients": [

          {

            "id": "CLIENT_UUID",

            "email": "main-client",

            "flow": "xtls-rprx-vision"

          }

        ],

        "decryption": "CLIENT_TO_A_DECRYPTION"

      },

      "streamSettings": {

        "network": "xhttp",

        "security": "reality",

        "xhttpSettings": {

          "path": "/assets",

          "mode": "stream-one"

        },

        "realitySettings": {

          "show": false,

          "dest": "www.microsoft.com:443",

          "xver": 0,

          "serverNames": [

            "www.microsoft.com"

          ],

          "privateKey": "A_REALITY_PRIVATE_KEY",

          "shortIds": [

            "A_REALITY_SHORT_ID"

          ]

        }

      },

      "sniffing": {

        "enabled": true,

        "destOverride": [

          "http",

          "tls",

          "quic"

        ]

      }

    },

    {

      "tag": "local-test-socks",

      "listen": "127.0.0.1",

      "port": 10808,

      "protocol": "socks",

      "settings": {

        "udp": true

      }

    }

  ],

  "outbounds": [

    {

      "tag": "relay-b",

      "protocol": "vless",

      "settings": {

        "vnext": [

          {

            "address": "api.catandmouseteam.xyz",

            "port": 443,

            "users": [

              {

                "id": "A_TO_B_UUID",

                "encryption": "A_TO_B_ENCRYPTION",

                "flow": "xtls-rprx-vision",

                "packetEncoding": "xudp"

              }

            ]

          }

        ]

      },

      "streamSettings": {

        "network": "xhttp",

        "security": "tls",

        "tlsSettings": {

          "serverName": "api.catandmouseteam.xyz",

          "alpn": [

            "h2",

            "http/1.1"

          ],

          "fingerprint": "chrome"

        },

        "xhttpSettings": {

          "path": "/assets",

          "mode": "stream-one"

        },

        "sockopt": {

          "domainStrategy": "UseIPv4"

        }

      }

    },

    {

      "tag": "direct",

      "protocol": "freedom",

      "settings": {

        "domainStrategy": "UseIPv4"

      }

    },

    {

      "tag": "block",

      "protocol": "blackhole"

    }

  ],

  "routing": {

    "rules": [

      {

        "type": "field",

        "inboundTag": [

          "client-xhttp-reality-in",

          "local-test-socks"

        ],

        "outboundTag": "relay-b"

      }

    ]

  }

}

Запуск

sudo /usr/local/bin/xray run -test -config /usr/local/etc/xray/config.json

sudo systemctl enable --now xray sudo systemctl restart xray

СЕРВЕР Б, ставим xray

sudo apt update

sudo apt install -y curl jq debian-keyring debian-archive-keyring apt-transport-https ca-certificates gnupg

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u root

Сервер Б, ставим caddy

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \

| sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \

| sudo tee /etc/apt/sources.list.d/caddy-stable.list

sudo chmod o+r /usr/share/keyrings/caddy-stable-archive-keyring.gpg

sudo chmod o+r /etc/apt/sources.list.d/caddy-stable.list

sudo apt update

sudo apt install -y caddy

Получаем данные WARP

bash -c "$(curl -L warp-reg.vercel.app)" Нужно:

private_key   -> WARP_SECRET_KEY

public_key    -> WARP_PUBLIC_KEY

reserved_dec  -> WARP_RESERVED

endpoint.v4   -> WARP_ENDPOINT

v4            -> WARP_ADDRESS

vim /usr/local/etc/xray/config.json

Пример конфига

{

  "log": {

    "access": "/var/log/xray/access.log",

    "error": "/var/log/xray/error.log",

    "loglevel": "warning"

  },

  "dns": {

    "servers": [

      "1.1.1.1",

      "8.8.8.8"

    ],

    "queryStrategy": "UseIPv4"

  },

  "inbounds": [

    {

      "tag": "vless-xhttp-from-a",

      "listen": "127.0.0.1",

      "port": 10085,

      "protocol": "vless",

      "settings": {

        "clients": [

          {

            "id": "A_TO_B_UUID",

            "email": "server-a",

            "flow": "xtls-rprx-vision"

          }

        ],

        "decryption": "A_TO_B_DECRYPTION"

      },

      "streamSettings": {

        "network": "xhttp",

        "security": "none",

        "xhttpSettings": {

          "path": "/assets",

          "mode": "stream-one"

        }

      },

      "sniffing": {

        "enabled": true,

        "destOverride": [

          "http",

          "tls",

          "quic"

        ]

      }

    }

  ],

  "outbounds": [

    {

      "tag": "warp",

      "protocol": "wireguard",

      "settings": {

        "secretKey": "WARP_SECRET_KEY",

        "address": [

          "WARP_ADDRESS/32"

        ],

        "peers": [

          {

            "publicKey": "WARP_PUBLIC_KEY",

            "allowedIPs": [

              "0.0.0.0/0"

            ],

            "endpoint": "WARP_ENDPOINT:2408",

            "keepAlive": 25

          }

        ],

        "reserved": [

          0,

          0,

          0

        ],

        "mtu": 1280,

        "domainStrategy": "ForceIPv4",

        "noKernelTun": true

      }

    },

    {

      "tag": "direct",

      "protocol": "freedom",

      "settings": {

        "domainStrategy": "UseIPv4"

      }

    },

    {

      "tag": "block",

      "protocol": "blackhole"

    }

  ],

  "routing": {

    "rules": [

      {

        "type": "field",

        "inboundTag": [

          "vless-xhttp-from-a"

        ],

        "outboundTag": "warp"

      }

    ]

  }

}

Запускаем

sudo /usr/local/bin/xray run -test -config /usr/local/etc/xray/config.json

sudo systemctl enable --now xray sudo systemctl restart xray

Конфиг caddy, сервер Б

vim /etc/caddy/Caddyfile

Пример

api.catandmouseteam.xyz {

    encode gzip zstd
        handle /assets* {

                reverse_proxy 127.0.0.1:10085 {

                        flush_interval -1

                        transport http {

                                versions h2c 1.1

                        }

                }

        }

        handle /healthz {

                header Content-Type application/json

                respond `{"status":"ok","service":"api-gateway"}` 200

        }

        handle {

                root * /usr/share/caddy/api

                file_server

        }

}

Можно сделать страницу-заглушку типа

sudo mkdir -p /usr/share/caddy/api

sudo tee /usr/share/caddy/api/index.html >/dev/null <<'HTML'

<!doctype html>

<html lang="en"> <head>

  <meta charset="utf-8">

  <meta name="viewport" content="width=device-width, initial-scale=1">

  <meta name="robots" content="noindex, nofollow">

  <title>System API Gateway</title>

<style>

    body {

      margin: 0;

      min-height: 100vh;

      display: grid;

      place-items: center;

      background: #07111f;

      color: #e5eefb;

      font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;

    }

    main {

      width: min(760px, calc(100% - 32px));

      border: 1px solid rgba(148, 163, 184, .25);

      border-radius: 24px;

      padding: 48px;

      background: rgba(15, 23, 42, .82);

      box-shadow: 0 24px 80px rgba(0,0,0,.35);

    }

    .badge {

      color: #8ea4bf;

      margin-bottom: 24px;

    }

    h1 {

      margin: 0 0 16px;

      font-size: clamp(36px, 8vw, 72px);

      line-height: .95;

      letter-spacing: -0.06em;

    }

    p {

      color: #8ea4bf;

      font-size: 18px;

      line-height: 1.7;

      max-width: 58ch;

    }

</style>

</head>

<body>

<main>

    <div class="badge">operational · private infrastructure</div>

    <h1>System API Gateway</h1>

    <p>

      This endpoint is reserved for internal services, automation tasks, and controlled API traffic.

      Public browsing and API discovery are not available from this host.

    </p>

</main>

</body>

</html>

HTML

Запускаем caddy:

sudo caddy validate --config /etc/caddy/Caddyfile

sudo systemctl enable --now caddy sudo systemctl restart caddy

Проверка на сервере Б

curl -I https://api.catandmouseteam.xyz/

curl https://api.catandmouseteam.xyz/healthz

sudo ss -lntup | grep -E ':80|:443|:10085' Проверка на сервере А

curl -vk --connect-timeout 8 https://api.catandmouseteam.xyz/

curl -v --max-time 30 -x socks5h://127.0.0.1:10808 https://cloudflare.com/cdn-cgi/trace

ССЫЛКА ДЛЯ КЛИЕНТА

vless://CLIENT_UUID@A_IP:443?encryption=CLIENT_TO_A_ENCRYPTION&flow=xtls-rprx-vision&security=reality&sni=www.microsoft.com&fp=chrome&pbk=A_REALITY_PUBLIC_KEY&sid=A_REALITY_SHORT_ID&type=xhttp&path=%2Fassets&mode=stream-one#A-B-WARP

Всё. Видео тут: https://www.youtube.com/watch?v=YdV-09GmezA

── more in #cybersecurity 4 stories · sorted by recency
── more on @xray 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/xray-vless-xhttp-tls…] indexed:0 read:4min 2026-05-03 ·