

x

Это старая версия документа!


зависимости

# Packages this guide relies on; apt needs root privileges to install them.
# nginx/nginx-full provide the reverse proxy configured below, and certbot
# with python3-certbot-nginx issues the Let's Encrypt certificate that the
# nginx config points at. The other tools are presumably used by the x-ui
# installer, which is not shown on this page.
apt install \
  unzip \
  curl \
  nginx \
  nginx-full \
  certbot \
  python3-certbot-nginx \
  sqlite3 \
  jq \
  openssl

nginx

/etc/nginx/sites-available/YOU_DOMAIN
# Virtual host for YOU_DOMAIN and its subdomains. It terminates TLS, reverse-
# proxies the X-UI panel, the subscription endpoints and the Xray transport
# paths to services on 127.0.0.1, and serves static files from /var/www/html/
# for everything else. YOU_DOMAIN, RANDOM_STRING and RANDOM_PORT are
# placeholders to be replaced before use.
server {
        # Hide the nginx version in error pages and the Server header.
        server_tokens off;
        server_name YOU_DOMAIN *.YOU_DOMAIN;
        # NOTE(review): ports 80 and 443 share this server block, so every
        # location below (including the admin panel) is also reachable over
        # plaintext HTTP. Consider a separate port-80 server that only
        # redirects to HTTPS.
        listen 80;
        listen [::]:80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        #http2 on; http3 on;
        index index.html index.htm index.php index.nginx-debian.html;
        root /var/www/html/;
        # Only TLS 1.2 and 1.3 are offered; the cipher string excludes
        # anonymous, NULL, export-grade and other legacy suites.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!DES:!RC4:!ADH:!SSLv3:!EXP:!PSK:!DSS;
        ssl_certificate /etc/letsencrypt/live/YOU_DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/YOU_DOMAIN/privkey.pem;
        # Close the connection without a response (444) when the Host header is
        # not YOU_DOMAIN or one of its subdomains.
        # NOTE(review): the domain is used inside a regex, so the dots in the
        # substituted name match any character unless they are escaped (\.).
        if ($host !~* ^(.+\.)?YOU_DOMAIN$ ){return 444;}
        # $safe becomes "1" for HTTPS requests and gets a "0" appended when the
        # TLS SNI name does not match the domain; "10" (HTTPS with a foreign or
        # missing SNI) is dropped with 444.
        # NOTE(review): $safe is read before it is set on plain-HTTP requests;
        # nginx treats it as empty but may log an uninitialized-variable warning.
        if ($scheme ~* https) {set $safe 1;}
        if ($ssl_server_name !~* ^(.+\.)?YOU_DOMAIN$ ) {set $safe "${safe}0"; }
        if ($safe = 10){return 444;}
        # Sets $hack when the raw request URI contains quote, shell, traversal
        # or similar characters. The flag is only acted on in the regex
        # locations below; the admin panel location does not check it.
        # NOTE(review): the list includes "%", ":" and ",", so any URI carrying
        # percent-encoding or those characters is flagged too. A character
        # blocklist is a coarse filter and does not replace validation in the
        # backend.
        if ($request_uri ~ "(\"|'|`|~|,|:|--|;|%|\$|&&|\?\?|0x00|0X00|\||\|\{|\}|\[|\]|<|>|\.\.\.|\.\.\/|\/\/\/)"){set $hack 1;}
        # Report the listed client/server errors as 404 via /404, including
        # error responses that come back from the proxied services.
        error_page 400 402 403 500 501 502 503 504 =404 /404;
        proxy_intercept_errors on;
        #X-UI Admin Panel
        # NOTE(review): with auth_basic commented out, this location adds no
        # authentication of its own; access depends on the secrecy of
        # RANDOM_STRING and on the panel's login. Enabling auth_basic or an
        # allow/deny source-address list here would add a second barrier.
        location /RANDOM_STRING/ {
                #auth_basic "Restricted Access";
                #auth_basic_user_file /etc/nginx/.htpasswd;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:RANDOM_PORT;
                break;
        }
        #Subscription Path (simple/encode)
        # The first path segment is captured as $fwdport and used as the
        # loopback port to proxy to.
        # NOTE(review): the port is chosen by the client (any run of digits), so
        # every HTTP service bound to 127.0.0.1 becomes reachable through this
        # host. Restrict the pattern to the ports actually in use, e.g. an
        # explicit alternation or a map. The same applies to the two locations
        # that follow.
        location ~ ^/(?<fwdport>\d+)/sub/(?<fwdpath>.*)$ {
                if ($hack = 1) {return 404;}
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:$fwdport/sub/$fwdpath$is_args$args;
                break;
        }
        #Subscription Path (json/fragment)
        location ~ ^/(?<fwdport>\d+)/json/(?<fwdpath>.*)$ {
                if ($hack = 1) {return 404;}
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:$fwdport/json/$fwdpath$is_args$args;
                break;
        }
        #Xray Config Path
        # Catch-all for /<port>/<path>: long-lived WebSocket/HTTP or gRPC
        # streams to the Xray inbound listening on that loopback port.
        location ~ ^/(?<fwdport>\d+)/(?<fwdpath>.*)$ {
                if ($hack = 1) {return 404;}
                # Optional filters, disabled by default: Cloudflare-only source,
                # country code, and a User-Agent blocklist.
                #if ($cloudflare_ip != 1) {return 404;}
                #if ($http_cf_ipcountry !~* "XX"){ return 404; }
                #if ($http_user_agent ~* "(bot|clash|fair|go-http|hiddify|java|neko|node|proxy|python|ray|sager|sing|tunnel|v2box|vpn)") { return 404; }
                # No request-body size limit, one-day timeouts and no buffering,
                # so tunnelled streams are not cut off or delayed.
                # NOTE(review): these limits apply to any client that reaches
                # this location, which makes it a resource-exhaustion surface;
                # confirm that upstream rate or connection limits exist.
                client_max_body_size 0;
                client_body_timeout 1d;
                grpc_read_timeout 1d;
                grpc_socket_keepalive on;
                proxy_read_timeout 1d;
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_request_buffering off;
                proxy_socket_keepalive on;
                # Forward the WebSocket upgrade handshake to the backend.
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Requests whose Content-Type contains "grpc" (case-insensitive)
                # go out via grpc_pass; everything else falls through to
                # proxy_pass.
                if ($content_type ~* "GRPC") { grpc_pass grpc://127.0.0.1:$fwdport$is_args$args; break; }
                proxy_pass http://127.0.0.1:$fwdport$is_args$args;
                break;
        }
         # Anything else is served as a static file or answered with 404.
         location / { try_files $uri $uri/ =404; }
}

https://github.com/augin/x-ui

Examples for transparent proxy

Add a dokodemo-door inbound as below.

{
  "network": "tcp,udp",
  "timeout": 30,
  "followRedirect": true
}

Configure iptables as below.

# Transparent-proxy rules for a host with a dokodemo-door inbound listening
# on a local port. Run as root. The rules are appended to the live tables
# only, so they are not persisted and running the script twice duplicates them.
# NOTE(review): only IPv4 is handled here; nothing matches IPv6 traffic, so
# confirm whether equivalent ip6tables rules are needed to avoid bypassing
# the proxy.

proxy_server=123.123.123.123   # address of your V2Ray server (placeholder)
door_port=12345                # local port of the dokodemo-door inbound

# Dedicated chains: one in nat for TCP, two in mangle for UDP.
iptables -t nat -N V2RAY
iptables -t mangle -N V2RAY
iptables -t mangle -N V2RAY_MARK

# Traffic to the V2Ray server itself must never be redirected, otherwise the
# proxy's own upstream connection is fed back into the proxy. Double-check
# this address before applying the rules.
iptables -t nat -A V2RAY -d "$proxy_server" -j RETURN

# Reserved, private, loopback, link-local and multicast ranges bypass the
# proxy. Add any other destinations that should stay direct; see RFC 5735
# for the full list of reserved networks.
for net in \
  0.0.0.0/8 \
  10.0.0.0/8 \
  127.0.0.0/8 \
  169.254.0.0/16 \
  172.16.0.0/12 \
  192.168.0.0/16 \
  224.0.0.0/4 \
  240.0.0.0/4
do
  iptables -t nat -A V2RAY -d "$net" -j RETURN
done

# All remaining TCP goes to the dokodemo-door port.
iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports "$door_port"

# UDP: packets carrying fwmark 1 are looked up in table 100, whose only route
# delivers them locally via lo. Only DNS (UDP port 53) is marked and handed
# to TPROXY; other UDP traffic is left untouched.
# NOTE(review): the mangle rules have no exception for DNS queries sent by
# the proxy process itself; confirm those cannot be looped back into it.
ip route add local default dev lo table 100
ip rule add fwmark 1 lookup 100
iptables -t mangle -A V2RAY -p udp --dport 53 -j TPROXY --on-port "$door_port" --tproxy-mark 0x01/0x01
iptables -t mangle -A V2RAY_MARK -p udp --dport 53 -j MARK --set-mark 1

# Hook the chains in. The nat chain is attached to OUTPUT only, so it covers
# TCP originated by this host.
iptables -t nat -A OUTPUT -p tcp -j V2RAY
iptables -t mangle -A PREROUTING -j V2RAY
iptables -t mangle -A OUTPUT -j V2RAY_MARK