From c0f2e70998b41f29a4820cdc4e02dedfe5375e02 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Sun, 1 Oct 2023 23:44:08 +0300
Subject: [PATCH] update xray on vps

---
 machines/NixOS-VPS/services/nginx.nix | 44 +++++++++++++++-
 machines/NixOS-VPS/services/xtls.nix | 72 +++++++++++----------------
 profiles/overlay.nix | 1 +
 3 files changed, 71 insertions(+), 46 deletions(-)

diff --git a/machines/NixOS-VPS/services/nginx.nix b/machines/NixOS-VPS/services/nginx.nix
index 6e5c7da..2e072ee 100644
--- a/machines/NixOS-VPS/services/nginx.nix
+++ b/machines/NixOS-VPS/services/nginx.nix
@@ -25,7 +25,7 @@
 recommendedOptimisation = true;
 # recommendedProxySettings = true;
 recommendedTlsSettings = true;
- # recommendedZstdSettings = true; # forcing nginx rebuild
+ recommendedZstdSettings = true;
 appendConfig = ''
 worker_processes auto;
 '';
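Review bot: `recommendedZstdSettings = true;` enables compression of TLS-delivered responses, which brings back compression-oracle (BREACH-style) leakage for any response that echoes request data next to a secret; the vhosts in this repo mostly redirect or relay third-party pages, so exposure looks low, but it is worth stating that in a comment or narrowing the compressed MIME types to static assets. The comment being removed also recorded that this option forces a custom nginx build, i.e. a third-party module is now compiled into the TLS-terminating process and rebuilt from source on every nginx bump; keeping a one-line note such as `# zstd module: custom nginx build, compresses proxied responses` would preserve that context for the next maintainer.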
@@ -39,10 +39,50 @@ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; default "$proxy_forwarded_elem"; } + server { + listen 80; + listen [::]:80; + return 301 https://$host$request_uri; + } ''; eventsConfig = '' worker_connections 1024; ''; - + streamConfig = '' + map $ssl_preread_server_name $name { + auth.ataraxiadev.com auth_backend; + wg.ataraxiadev.com wg_backend; + anime.ataraxiadev.com anime_backend; + default default_backend; + } + upstream auth_backend { + server 127.0.0.1:8010; + } + upstream wg_backend { + server 127.0.0.1:8011; + } + upstream anime_backend { + server 127.0.0.1:8001; + } + upstream default_backend { + server 127.0.0.1:8020; + } + server { + listen 443 reuseport; + listen [::]:443 reuseport; + proxy_pass $name; + ssl_preread on; + proxy_protocol on; + } + ''; + virtualHosts."reject" = { + listen = [{ + addr = "127.0.0.1"; + port = 8020; + ssl = true; + extraParameters = [ "proxy_protocol" ]; + }]; + rejectSSL = true; + }; }; } \ No newline at end of file diff --git a/machines/NixOS-VPS/services/xtls.nix b/machines/NixOS-VPS/services/xtls.nix index 756c6f8..eb710be 100644 --- a/machines/NixOS-VPS/services/xtls.nix +++ b/machines/NixOS-VPS/services/xtls.nix 
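Review bot: The stream block emits PROXY protocol headers to loopback backends, and nothing restricts who may connect to those ports: any local process can open 127.0.0.1:8020 (or the 8001/8002/8010/8011 backends) and prepend its own PROXY header, so a vhost that trusts `set_real_ip_from 127.0.0.1` will log, rate-limit and authorize on a spoofed client address. If local users or other services share this host, consider binding the HTTP-side listeners on unix sockets owned by nginx (e.g. `listen unix:/run/nginx/reject.sock ssl proxy_protocol;` with a matching `server unix:/run/nginx/reject.sock;` upstream, if the nixpkgs `listen` option allows it) or add a comment stating that loopback is treated as trusted. The SNI map itself looks sound: connections with an unknown or missing SNI land on the `reject` vhost, whose `rejectSSL = true` aborts the handshake instead of presenting the wg certificate. One minor point: the port-80 catch-all redirects to `$host`, which is taken from the client's Host header; that matches the nixpkgs default, but a fixed hostname is stricter if only a handful of names are served here.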
@@ -1,59 +1,43 @@ { config, pkgs, lib, ... }: { - services.nginx.virtualHosts = { - "anime.ataraxiadev.com" = { - forceSSL = true; + services.nginx.virtualHosts."anime.ataraxiadev.com" = { + onlySSL = true; enableACME = false; useACMEHost = "wg.ataraxiadev.com"; - locations."/" = { - proxyWebsockets = true; - extraConfig = '' - proxy_pass http://127.0.0.1:5443; - ''; - }; - }; - "xtls:8001" = { - enableACME = false; - forceSSL = false; listen = [{ addr = "127.0.0.1"; - port = 8001; - ssl = false; + port = 8002; + ssl = true; extraParameters = [ "proxy_protocol" ]; - } { - addr = "127.0.0.1"; - port = 8002; - ssl = false; - extraParameters = [ "http2" "proxy_protocol" ]; - }]; - serverAliases = [ "anime.ataraxiadev.com" ]; - extraConfig = "set_real_ip_from 127.0.0.1;"; + }]; + extraConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ssl_early_data on; + resolver 127.0.0.1 valid=60s; + resolver_timeout 2s; + ''; locations."/" = { + proxyPass = "https://monster-siren.hypergryph.com"; proxyWebsockets = true; extraConfig = '' - sub_filter $proxy_host $host; - sub_filter_once off; - - proxy_pass https://www.crunchyroll.com; - proxy_set_header Host $proxy_host; - proxy_cache_bypass $http_upgrade; - - proxy_ssl_server_name on; - - proxy_set_header X-Real-IP $proxy_protocol_addr; - proxy_set_header Forwarded $proxy_add_forwarded; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - resolver 9.9.9.9; + sub_filter $proxy_host $host; + sub_filter_once off; + proxy_set_header Host $proxy_host; + proxy_cache_bypass $http_upgrade; + proxy_ssl_server_name on; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header Forwarded $proxy_add_forwarded; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + 
proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + proxy_set_header Early-Data $ssl_early_data; ''; }; }; - }; systemd.tmpfiles.rules = [ "d /srv/xray 0755 root root -" diff --git a/profiles/overlay.nix b/profiles/overlay.nix index a292926..095a1e6 100644 --- a/profiles/overlay.nix +++ b/profiles/overlay.nix @@ -32,6 +32,7 @@ with lib; { ripgrep-all = stable.ripgrep-all; spotify = master.spotify; wine = prev.wineWowPackages.staging; + xray = master.xray; youtube-to-mpv = prev.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; }; yt-dlp = master.yt-dlp; steam = master.steam.override {
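Review bot: The new `anime.ataraxiadev.com` vhost relays `https://monster-siren.hypergryph.com` without verifying the upstream certificate (nginx defaults to `proxy_ssl_verify off`), so anything on the path between this VPS and that host can substitute content that is then served to visitors under your own certificate; add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` and `proxy_ssl_name monster-siren.hypergryph.com;` to the location's extraConfig. `ssl_early_data on;` also admits replayable 0-RTT requests, and forwarding `Early-Data $ssl_early_data` only helps if the upstream answers 425 on it, which a third-party site cannot be assumed to do; since this is a decoy front, either accept the replay explicitly in a comment or leave early data off. The `resolver 127.0.0.1 valid=60s;` lines appear inert here: a literal hostname in `proxyPass` is resolved once at config load, so the upstream address is frozen until reload unless `proxy_pass` goes through a variable. The enclosing attribute set continues past the hunk into the `systemd.tmpfiles.rules` block.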