中文 | English
- A pure Shell-based Xray management script
- Optional configurations:
- mKCP (VLESS-mKCP-seed)
- Vision (VLESS-Vision-REALITY)
- XHTTP (VLESS-XHTTP-REALITY)
- Trojan (Trojan-XHTTP-REALITY)
- Fallback (includes VLESS-Vision-REALITY and VLESS-XHTTP-REALITY)
- SNI (includes Vision_REALITY, XHTTP_REALITY, XHTTP_TLS)
- SNI configuration uses Nginx to implement SNI traffic splitting, suitable for CDN routing, upstream/downstream separation, and multi-site coexistence
- SNI share links support upstream/downstream separation (upstream xhttp+TLS+CDN | downstream xhttp+Reality, upstream xhttp+Reality | downstream xhttp+TLS+CDN)
- SNI configuration supports managing custom domains and reverse proxy apps, with independent certificates, site configs, stream mappings, and UDS per site
- Rule configuration and custom input:
- Block BitTorrent traffic (optional)
- Block China-bound IP traffic (optional)
- Ad blocking (optional)
- Add custom WARP Proxy routing rules
- Add custom blocking routing rules
- Toggle Cloudflare WARP Proxy ( 🐳 Docker deployment)
- Toggle geodata auto-update
- Xray port defaults and custom input:
- VLESS-mKCP: randomly generated
- ALL-REALITY: 443
- UUID defaults and custom input:
- Randomly generated
- Custom standard UUID input
- Non-standard UUID mapped to UUID
- kcp(seed) and trojan(password) defaults and custom input:
- Randomly generated (example: cw-GEMDYgwIV3_g#)
- Custom input
- target defaults and custom input:
- Randomly selected from serverNames.json
- TLSv1.3 and H2 validation for custom target
- Automatic serverNames lookup for custom target
- shortId defaults and custom input:
- Random generation (default two shortIds, e.g. 01234567, 0123456789abcdef)
- Custom shortId input
- If input is 0 to 8, shortIds with length 0-16 are auto-generated
- Supports multiple values separated by commas
- path defaults and custom input:
- Randomly generated (example: /8ugSUeNJ.9OEnTErb.dVZMUAFu)
- Custom input (example: /8ugSUeNJ, with or without
/)
- If installation succeeds but service is unusable, check whether the server ports are open. You can verify using
https://tcp.ping.pe/ip:port. - Before using SNI configuration, ensure VPS HTTP (80) and HTTPS (443) ports are open.
- Before using SNI configuration, do not enable CDN protection, otherwise SSL issuance may fail.
- For upstream/downstream separation details, see XHTTP: Beyond REALITY and xhttp 五合一配置.
- If you encounter 【Could not get nonce, let's try again】 while issuing certificates with SNI, check the ZeroSSL status page. Most likely ZeroSSL 【Free ACME Service】 is in 【Service disruption】 or 【Service outage】.
- v2025.11.19 resolves the issue where WARP was enabled without log limits, causing container logs to keep growing and eventually fill up disk space.
- Users who already enabled WARP routing can select 【Reset WARP Proxy】 in 【Manage Configuration】 -> 【Routing Management】 to clear container logs and reset WARP Proxy.
- Log limits have been added; just enable WARP directly when needed.
- v2026.03.01 adds CA vendor switching. When switching CA vendor, the script force re-issues certificates for existing domains (
domain,cdn, andcustom_sites[].domain). It writes the new CA only after all re-issues succeed; if any step fails, it automatically rolls back to the original CA and restores related settings, preventing acme auto-renew from breaking.- Force re-issue bypasses the "Domains not changed" check (acme.sh skip scenario).
- Watch out for CA issuance rate limits (for example, Let's Encrypt limits).
- v2026.03.17 adds SNI custom domain and reverse proxy app management, allowing multiple extra HTTPS reverse proxy sites without affecting the existing
Reality(domain)andCDN(cdn)sites.- Menu path:
Manage Configuration -> SNI Configuration -> Manage custom domains and reverse proxy apps - Supports list / add / edit / delete, with an independent certificate,
sites-available/<domain>.conf, stream mapping, and UDS for each custom site. stream.confis rebuilt fromdomain,cdn, andcustom_sites; UDS names use the first12hex chars ofSHA-256(domain)plus the port.- Proxy targets support port-only input or full
http(s)://host:portURLs; port-only input is normalized tohttp://127.0.0.1:<port>; URLs containingpath,query, orfragmentare rejected. - Editing only the upstream target skips certificate re-issuance; changing the domain issues the new certificate first and then switches over with rollback on failure; deleting a site also removes the site config, symlink, renew record, and certificate directory.
- A custom site domain must not duplicate
domain,cdn, or another custom site domain; CA switching and "force renew all certificates" also cover custom site domains. - Custom sites are "pure reverse proxy sites". They do not include Xray
xhttp/grpcpaths and are not managed by the Cloudreve integration; the proxy layer does not inject an extraContent-Security-Policy, so CSP should be controlled by the upstream application.
- Menu path:
Implemented based on VMessAEAD / VLESS share link proposal and v2rayN. If other clients do not work, adjust based on the generated share link manually.
In SNI configuration, CDN share links use H2 as default ALPN. If you need H3, modify it in your client.
-
Download
wget --no-check-certificate -O ${HOME}/Xray-script.sh https://raw.githubusercontent.com/zxcvos/Xray-script/main/install.sh -
Usage
-
Launch UI
bash ${HOME}/Xray-script.sh -
Quick install Vision
bash ${HOME}/Xray-script.sh --vision -
Quick install XHTTP
bash ${HOME}/Xray-script.sh --xhttp -
Quick install Fallback
bash ${HOME}/Xray-script.sh --fallback
-
-
Quick start (UI)
wget --no-check-certificate -O ${HOME}/Xray-script.sh https://raw.githubusercontent.com/zxcvos/Xray-script/main/install.sh && bash ${HOME}/Xray-script.sh
__ __ _ _ _______ _______ _____
\ \ / / | | | | |__ __| |__ __| | __ \
\ V / | |__| | | | | | | |__) |
> < | __ | | | | | | ___/
/ . \ | | | | | | | | | |
/_/ \_\ |_| |_| |_| |_| |_|
Copyright (C) zxcvos | https://github.com/zxcvos/Xray-script
-------------------------------------------
Xray : v25.7.26
CONFIG : VLESS-Vision-REALITY
WARP Proxy : Running
-------------------------------------------
--------------- Xray-script ---------------
Version : v2025-07-25
Description : Xray Management Script
----------------- Install -----------------
1. Full installation
2. Install/Update only
3. Uninstall
----------------- Operation ----------------
4. Start
5. Stop
6. Restart
---------------- Configuration -------------
7. Share links and QR codes
8. Statistics
9. Manage configuration
-------------------------------------------
0. Exit| Platform | Version |
|---|---|
| Debian | 10, 11, 12 |
| Ubuntu | 20, 22, 24 |
| CentOS | 7, 8, 9 |
| Rocky | 8, 9 |
The distributions above were tested on Vultr.
Other Debian-based and Red Hat-based systems may work, but are untested and may have issues.
SNI configuration is intended for long-term use after one setup, and is not suitable for repeated reinstall/reset, which consumes significant time. If you need to change configuration or domain, use the options in the management UI.
After switching to a non-SNI config, Nginx will be stopped but kept on the machine. Re-enabling SNI will not reinstall Nginx.
Installation flow:
Update package index -> install dependencies -> [install Docker] -> [install Cloudreve] -> [install Cloudflare-warp] -> install Xray -> install Nginx -> issue certificate -> apply configuration
Average install time on a 1-core 1GB server (for reference only):
| Item | Duration |
|---|---|
| Update package index | 0-10 min |
| Install dependencies | 0-5 min |
| Install Docker | 1-2 min |
| Install Cloudreve | 3-5 min |
| Install Cloudflare-warp | 3-5 min |
| Install Xray | < 0.5 min |
| Install Nginx | 13-15 min |
| Issue certificate | 1-2 min |
| Apply configuration | < 0.5 min |
Nginx in this script is managed by source compilation.
Compared with installing prebuilt binaries, compilation advantages are:
- Better runtime performance (compiled with -O3 optimization)
- Newer software versions
The downside is long compilation time.
Xray-script: /usr/local/xray-script
Nginx: /usr/local/nginx
Cloudreve: $HOME/.xray-script/docker/cloudreve
Cloudflare-warp: $HOME/.xray-script/docker/warp
Xray: See Xray-install
When using SNI configuration, the script may install the following dependencies:
| Purpose | Debian-based | Red Hat-based |
|---|---|---|
| yumdb set (mark package manually installed) | yum-utils | |
| dnf config-manager | dnf-plugins-core | |
| IP retrieval | iproute2 | iproute |
| DNS resolution | dnsutils | bind-utils |
| wget | wget | wget |
| curl | curl | curl |
| wget/curl https | ca-certificates | ca-certificates |
| kill/pkill/ps/sysctl/free | procps | procps-ng |
| epel repository | epel-release | |
| epel repository | epel-next-release | |
| remi repository | remi-release | |
| Firewall | ufw | firewalld |
| Build basics: | ||
| Download source files | wget | wget |
| Extract tar source files | tar | tar |
| Extract tar.gz source files | gzip | gzip |
| gcc | gcc | gcc |
| g++ | g++ | gcc-c++ |
| make | make | make |
| acme.sh dependencies: | ||
| curl | curl | |
| openssl | openssl | |
| cron | crontabs | |
| Build openssl: | ||
| perl-base (included in libperl-dev) | perl-IPC-Cmd | |
| perl-modules-5.32 (included in libperl-dev) | perl-Getopt-Long | |
| libperl5.32 (included in libperl-dev) | perl-Data-Dumper | |
| perl-FindBin | ||
| Build Brotli: | ||
| git | git | |
| libbrotli-dev | brotli-devel | |
| Build Nginx: | ||
| libpcre2-dev | pcre2-devel | |
| zlib1g-dev | zlib-devel | |
| --with-http_xslt_module | libxml2-dev | libxml2-devel |
| --with-http_xslt_module | libxslt1-dev | libxslt-devel |
| --with-http_image_filter_module | libgd-dev | gd-devel |
| --with-google_perftools_module | libgoogle-perftools-dev | gperftools-devel |
| --with-http_geoip_module | libgeoip-dev | geoip-devel |
| --with-http_perl_module | perl-ExtUtils-Embed | |
| libperl-dev | perl-devel |
This script is for study and communication only. Do not use it for illegal purposes. Illegal acts on the network are still illegal and will be punished by law.