Overview

Warning

THIS REPOSITORY IS AN EDUCATIONAL EXAMPLE FOR LEARNING NGINX, REVERSE PROXY AND NETWORK SECURITY BASICS. THIS SCRIPT DEMONSTRATES NGINX CONFIGURATION AS A REVERSE PROXY. NOT FOR PRODUCTION USE! IF YOU DON’T UNDERSTAND HOW THE CONTROL PANEL WORKS - THAT’S YOUR PROBLEM, NOT THE SCRIPT AUTHOR’S. USE AT YOUR OWN RISK!

This script is designed to streamline the setup of a reverse proxy server using NGINX and Xray, as well as to automate the installation of the Remnawave control panel and node. In this configuration, Xray operates directly on port 443, forwarding traffic through a socket that NGINX listens to. This approach minimizes unnecessary TCP overhead, delivering improved performance and connection reliability.

Important

Supports Debian and Ubuntu. The script has been tested in a KVM virtualization environment. For proper operation, you will need your own domain. It is recommended to run it with root privileges on a freshly installed system.

Deployment Modes

The script supports flexible deployment configurations:

1. Single Server Mode

• Control panel and XRAY node installed on one machine
• Suitable for compact installations with moderate traffic

2. Distributed Mode

• Panel Server: Management center without XRAY node
• Node Server: Hosts XRAY node with SelfSteal stub for VLESS REALITY

Security Features

Panel Access Protection

NGINX configuration implements URL parameter-based authentication to protect against unauthorized discovery:

Access Method

https://panel.example.com/auth/login?<SECRET_KEY>=<SECRET_KEY>

How It Works

1. URL parameter automatically sets a cookie in the browser

   • Cookie name: <SECRET_KEY>
   • Cookie value: <SECRET_KEY>

2. Access requirements:

   • Valid cookie must be present
   • URL must contain correct parameter

3. Failed access behavior:

   • Missing cookie: Blank page or 404 error
   • Incorrect parameter: Blank page or 404 error

This protection level prevents:

• Host scanning discovery
• Path brute-force attacks
• Brute-force access attempts

The panel remains invisible without the correct authentication parameter.

Features

Proxy Server Configuration

• Automatic configuration updates via subscription
• JSON subscription support with format conversion for popular clients
• Compatibility with major proxy clients

NGINX Integration

• Optimized reverse proxy setup with XRAY
• Unix socket communication for reduced overhead

Security Implementation

• Firewall: UFW configuration for access control
• SSL Certificates: Cloudflare or ACME with automatic renewal
• IPv6 Management: Vulnerability prevention measures
• TCP Optimization: BBR congestion control algorithm
• Masking: Random website template selection

Issues

Found an issue? Let us know by creating an issue on repository page or discuss it in Telegram chat.

Donations

If you enjoy this project and want to support its ongoing development, please consider making a donation. Your contribution helps fund future updates and enhancements!

Donation Methods:

• TON USDT: UQAxyZDwKUPQ5Bp09JOFcaDVakjYQT46rf3iP3lnl_qc9xVS