From 5ae62f3704f1e92939f1307efbc9c49d063d270e Mon Sep 17 00:00:00 2001
From: opencode
Date: Mon, 18 May 2026 13:03:30 +0000
Subject: [PATCH] Add VLESS+XHTTP Docker Compose project with nginx reverse proxy
---
config/client.json | 63 ++++++++++++++++++++++++++++++++++++++++++++++
config/nginx.conf | 23 +++++++++++++++++
config/server.json | 32 +++++++++++++++++++++++
docker-compose.yml | 47 ++++++++++++++++++++++++++++++++++
4 files changed, 165 insertions(+)
create mode 100644 config/client.json
create mode 100644 config/nginx.conf
create mode 100644 config/server.json
create mode 100644 docker-compose.yml
diff --git a/config/client.json b/config/client.json
new file mode 100644
index 0000000..ec7de7b
--- /dev/null
+++ b/config/client.json
@@ -0,0 +1,63 @@
+{
+ "log": {
+ "loglevel": "warning"
+ },
+ "inbounds": [
+ {
+ "listen": "0.0.0.0",
+ "port": 6543,
+ "protocol": "socks",
+ "settings": {
+ "auth": "noauth",
+ "udp": true
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "tag": "proxy",
+ "protocol": "vless",
+ "settings": {
+ "vnext": [
+ {
+ "address": "nginx",
+ "port": 443,
+ "users": [
+ {
+ "id": "a142293d-1801-4e80-b309-ff3a5f70db8b",
+ "encryption": "none"
+ }
+ ]
+ }
+ ]
+ },
+ "streamSettings": {
+ "network": "xhttp",
+ "security": "tls",
+ "xhttpSettings": {
+ "mode": "stream-one",
+ "path": "/trapdoor"
+ },
+ "tlsSettings": {
+ "serverName": "localhost",
+ "allowInsecure": true
+ }
+ }
+ },
+ {
+ "tag": "direct",
+ "protocol": "freedom"
+ }
+ ],
+ "routing": {
+ "domainStrategy": "IPOnDemand",
+ "rules": [
+ {
+ "ip": [
+ "geoip:private"
+ ],
+ "outboundTag": "direct"
+ }
+ ]
+ }
+}
diff --git a/config/nginx.conf b/config/nginx.conf
new file mode 100644
index 0000000..6016b20
--- /dev/null
+++ b/config/nginx.conf
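Review bot: `"allowInsecure": true` under `tlsSettings` disables certificate verification on the only protected leg, and with `"encryption": "none"` TLS is all that authenticates the `nginx` endpoint to this client. Since cert-gen already produces the certificate, the client could trust that file explicitly (for example a `certificates` entry with `"usage": "verify"`) and drop `allowInsecure`; the self-signed certificate would probably also need a subjectAltName for `localhost`, because it is issued with only `/CN=localhost`. Separately, the UUID in `users[].id` is committed in plain text here and again in config/server.json; it is the sole client credential, so it should be generated per deployment and kept out of the repository.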
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name localhost;
+
+ ssl_certificate /etc/nginx/ssl/cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/key.pem;
+
+ client_header_timeout 5m;
+ keepalive_timeout 5m;
+
+ location /trapdoor {
+ proxy_pass http://unix:/dev/shm/xray.socket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 86400s;
+ proxy_send_timeout 86400s;
+ }
+}
diff --git a/config/server.json b/config/server.json
new file mode 100644
index 0000000..14df2a1
--- /dev/null
+++ b/config/server.json
@@ -0,0 +1,32 @@
+{
+ "log": {
+ "loglevel": "warning"
+ },
+ "inbounds": [
+ {
+ "listen": "/dev/shm/xray.sock,0666",
+ "protocol": "vless",
+ "settings": {
+ "clients": [
+ {
+ "id": "a142293d-1801-4e80-b309-ff3a5f70db8b"
+ }
+ ],
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "xhttp",
+ "xhttpSettings": {
+ "mode": "stream-one",
+ "path": "/trapdoor"
+ }
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom",
+ "tag": "direct"
+ }
+ ]
+}
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..d037107
--- /dev/null
+++ b/docker-compose.yml
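Review bot: `proxy_pass http://unix:/dev/shm/xray.socket;` does not match the socket that config/server.json creates (`/dev/shm/xray.sock`), so as written every request to `/trapdoor` would fail upstream; it should read `proxy_pass http://unix:/dev/shm/xray.sock;`. The `Upgrade` / `Connection "upgrade"` headers are the WebSocket pattern and look unnecessary for the `xhttp` transport; for `stream-one` the proxy most likely needs `proxy_request_buffering off;` and `proxy_buffering off;` instead, which is worth confirming against the transport's documentation. The 86400s read and send timeouts keep an idle upstream connection open for a full day and deserve a short comment explaining why.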
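Review bot: The `,0666` suffix in `"listen": "/dev/shm/xray.sock,0666"` makes the inbound socket writable by every user in every container that mounts the `xray-socket` volume, and with `"decryption": "none"` the client UUID is the only check behind it. A narrower mode such as `0660`, with a group shared by the nginx worker and the xray process, would keep the socket to its two intended users; that needs matching uid/gid in both images, which this patch does not show. A one-line note in the project README on why the socket lives on a shared `/dev/shm` volume would also help the next maintainer, since strict JSON leaves no room for a comment here.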
@@ -0,0 +1,47 @@
+services:
+ cert-gen:
+ image: alpine:latest
+ volumes:
+ - tls-certs:/etc/nginx/ssl
+ command: >
+ sh -c "
+ apk add --no-cache openssl &&
+ openssl req -x509 -nodes -days 3650 -newkey rsa:2048
+ -keyout /etc/nginx/ssl/key.pem
+ -out /etc/nginx/ssl/cert.pem
+ -subj '/CN=localhost' &&
+ chmod 644 /etc/nginx/ssl/cert.pem /etc/nginx/ssl/key.pem
+ "
+
+ nginx:
+ image: nginx:latest
+ depends_on:
+ cert-gen:
+ condition: service_completed_successfully
+ xray-server:
+ condition: service_started
+ volumes:
+ - ./config/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+ - tls-certs:/etc/nginx/ssl:ro
+ - xray-socket:/dev/shm
+
+ xray-server:
+ image: ghcr.io/xtls/xray-core:latest
+ volumes:
+ - ./config/server.json:/etc/xray/config.json:ro
+ - xray-socket:/dev/shm
+ command: run -c /etc/xray/config.json
+
+ xray-client:
+ image: ghcr.io/xtls/xray-core:latest
+ depends_on:
+ - nginx
+ volumes:
+ - ./config/client.json:/etc/xray/config.json:ro
+ ports:
+ - "6543:6543"
+ command: run -c /etc/xray/config.json
+
+volumes:
+ tls-certs:
+ xray-socket:
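Review bot: `- "6543:6543"` under xray-client publishes the SOCKS inbound on every host interface, and config/client.json sets that inbound to `"auth": "noauth"`, so anyone who can reach the host can relay traffic through it; binding to loopback with `- "127.0.0.1:6543:6543"` keeps it local. In cert-gen, `chmod 644` leaves `key.pem` world-readable on the shared `tls-certs` volume; `chmod 600 /etc/nginx/ssl/key.pem` should be enough if nginx reads the key as root (confirm against the image). All three images use `:latest`, so pinning a version tag or digest would make the deployment reproducible and let image updates be reviewed.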