Xray VLESS + XHTTP + TLS Relay, WARP: 2-Server Setup

This article provides a technical guide for setting up a two-server Xray proxy configuration using VLESS, XHTTP, and TLS Reality protocols. Server A acts as an inbound relay that accepts client connections via XHTTP with Reality encryption, then forwards traffic to Server B using another VLESS+XHTTP+TLS connection. The guide includes step-by-step installation commands, configuration file examples with placeholder values, and instructions for generating the necessary cryptographic keys and UUIDs.

gistfile1.txt This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters Show hidden characters СЕРВЕР А Всё ставим sudo apt update sudo apt install -y curl nano jq bash -c "$ curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh " @ install -u root Всё генерируем с помощью xray uuid - ИД xray x25519 - ключи xray vlessenc - для шифрования openssl rand -hex 8 - short id В итоге потребуется: CLIENT UUID A REALITY PRIVATE KEY A REALITY PUBLIC KEY A REALITY SHORT ID CLIENT TO A DECRYPTION CLIENT TO A ENCRYPTION A TO B UUID A TO B DECRYPTION A TO B ENCRYPTION Конфиг xray, сервер А vim /usr/local/etc/xray/config.json Пример { "log": { "access": "/var/log/xray/access.log", "error": "/var/log/xray/error.log", "loglevel": "warning" }, "dns": { "servers": "1.1.1.1", "8.8.8.8" , "queryStrategy": "UseIPv4" }, "inbounds": { "tag": "client-xhttp-reality-in", "listen": "0.0.0.0", "port": 443, "protocol": "vless", "settings": { "clients": { "id": "CLIENT UUID", "email": "main-client", "flow": "xtls-rprx-vision" } , "decryption": "CLIENT TO A DECRYPTION" }, "streamSettings": { "network": "xhttp", "security": "reality", "xhttpSettings": { "path": "/assets", "mode": "stream-one" }, "realitySettings": { "show": false, "dest": "www.microsoft.com:443", "xver": 0, "serverNames": "www.microsoft.com" , "privateKey": "A REALITY PRIVATE KEY", "shortIds": "A REALITY SHORT ID" } }, "sniffing": { "enabled": true, "destOverride": "http", "tls", "quic" } }, { "tag": "local-test-socks", "listen": "127.0.0.1", "port": 10808, "protocol": "socks", "settings": { "udp": true } } , "outbounds": { "tag": "relay-b", "protocol": "vless", "settings": { "vnext": { "address": "api.catandmouseteam.xyz", "port": 443, "users": { "id": "A TO B UUID", "encryption": "A TO B ENCRYPTION", "flow": "xtls-rprx-vision", "packetEncoding": "xudp" } } }, "streamSettings": { "network": "xhttp", "security": "tls", "tlsSettings": { "serverName": "api.catandmouseteam.xyz", "alpn": "h2", "http/1.1" , "fingerprint": "chrome" }, "xhttpSettings": { "path": "/assets", "mode": "stream-one" }, "sockopt": { "domainStrategy": "UseIPv4" } } }, { "tag": "direct", "protocol": "freedom", "settings": { "domainStrategy": "UseIPv4" } }, { "tag": "block", "protocol": "blackhole" } , "routing": { "rules": { "type": "field", "inboundTag": "client-xhttp-reality-in", "local-test-socks" , "outboundTag": "relay-b" } } } Запуск sudo /usr/local/bin/xray run -test -config /usr/local/etc/xray/config.json sudo systemctl enable --now xray sudo systemctl restart xray СЕРВЕР Б, ставим xray sudo apt update sudo apt install -y curl jq debian-keyring debian-archive-keyring apt-transport-https ca-certificates gnupg bash -c "$ curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh " @ install -u root Сервер Б, ставим caddy curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \ | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \ | sudo tee /etc/apt/sources.list.d/caddy-stable.list sudo chmod o+r /usr/share/keyrings/caddy-stable-archive-keyring.gpg sudo chmod o+r /etc/apt/sources.list.d/caddy-stable.list sudo apt update sudo apt install -y caddy Получаем данные WARP bash -c "$ curl -L warp-reg.vercel.app " Нужно: private key - WARP SECRET KEY public key - WARP PUBLIC KEY reserved dec - WARP RESERVED endpoint.v4 - WARP ENDPOINT v4 - WARP ADDRESS vim /usr/local/etc/xray/config.json Пример конфига { "log": { "access": "/var/log/xray/access.log", "error": "/var/log/xray/error.log", "loglevel": "warning" }, "dns": { "servers": "1.1.1.1", "8.8.8.8" , "queryStrategy": "UseIPv4" }, "inbounds": { "tag": "vless-xhttp-from-a", "listen": "127.0.0.1", "port": 10085, "protocol": "vless", "settings": { "clients": { "id": "A TO B UUID", "email": "server-a", "flow": "xtls-rprx-vision" } , "decryption": "A TO B DECRYPTION" }, "streamSettings": { "network": "xhttp", "security": "none", "xhttpSettings": { "path": "/assets", "mode": "stream-one" } }, "sniffing": { "enabled": true, "destOverride": "http", "tls", "quic" } } , "outbounds": { "tag": "warp", "protocol": "wireguard", "settings": { "secretKey": "WARP SECRET KEY", "address": "WARP ADDRESS/32" , "peers": { "publicKey": "WARP PUBLIC KEY", "allowedIPs": "0.0.0.0/0" , "endpoint": "WARP ENDPOINT:2408", "keepAlive": 25 } , "reserved": 0, 0, 0 , "mtu": 1280, "domainStrategy": "ForceIPv4", "noKernelTun": true } }, { "tag": "direct", "protocol": "freedom", "settings": { "domainStrategy": "UseIPv4" } }, { "tag": "block", "protocol": "blackhole" } , "routing": { "rules": { "type": "field", "inboundTag": "vless-xhttp-from-a" , "outboundTag": "warp" } } } Запускаем sudo /usr/local/bin/xray run -test -config /usr/local/etc/xray/config.json sudo systemctl enable --now xray sudo systemctl restart xray Конфиг caddy, сервер Б vim /etc/caddy/Caddyfile Пример api.catandmouseteam.xyz { encode gzip zstd handle /assets { reverse proxy 127.0.0.1:10085 { flush interval -1 transport http { versions h2c 1.1 } } } handle /healthz { header Content-Type application/json respond {"status":"ok","service":"api-gateway"} 200 } handle { root /usr/share/caddy/api file server } } Можно сделать страницу-заглушку типа sudo mkdir -p /usr/share/caddy/api sudo tee /usr/share/caddy/api/index.html /dev/null <<'HTML' < doctype html <html lang="en" <head <meta charset="utf-8" <meta name="viewport" content="width=device-width, initial-scale=1" <meta name="robots" content="noindex, nofollow" <title System API Gateway</title <style body { margin: 0; min-height: 100vh; display: grid; place-items: center; background: 07111f; color: e5eefb; font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; } main { width: min 760px, calc 100% - 32px ; border: 1px solid rgba 148, 163, 184, .25 ; border-radius: 24px; padding: 48px; background: rgba 15, 23, 42, .82 ; box-shadow: 0 24px 80px rgba 0,0,0,.35 ; } .badge { color: 8ea4bf; margin-bottom: 24px; } h1 { margin: 0 0 16px; font-size: clamp 36px, 8vw, 72px ; line-height: .95; letter-spacing: -0.06em; } p { color: 8ea4bf; font-size: 18px; line-height: 1.7; max-width: 58ch; } </style </head <body <main <div class="badge" operational · private infrastructure</div <h1 System API Gateway</h1 <p This endpoint is reserved for internal services, automation tasks, and controlled API traffic. Public browsing and API discovery are not available from this host. </p </main </body </html HTML Запускаем caddy: sudo caddy validate --config /etc/caddy/Caddyfile sudo systemctl enable --now caddy sudo systemctl restart caddy Проверка на сервере Б curl -I https://api.catandmouseteam.xyz/ curl https://api.catandmouseteam.xyz/healthz sudo ss -lntup | grep -E ':80|:443|:10085' Проверка на сервере А curl -vk --connect-timeout 8 https://api.catandmouseteam.xyz/ curl -v --max-time 30 -x socks5h://127.0.0.1:10808 https://cloudflare.com/cdn-cgi/trace ССЫЛКА ДЛЯ КЛИЕНТА vless://CLIENT UUID@A IP:443?encryption=CLIENT TO A ENCRYPTION&flow=xtls-rprx-vision&security=reality&sni=www.microsoft.com&fp=chrome&pbk=A REALITY PUBLIC KEY&sid=A REALITY SHORT ID&type=xhttp&path=%2Fassets&mode=stream-one A-B-WARP Всё. Видео тут: https://www.youtube.com/watch?v=YdV-09GmezA