Because TCP blocking has been frequent recently, I deployed V2Ray behind WebSocket+TLS+nginx. The proxy traffic is wrapped in TLS, so anything reached through V2Ray looks like a visit to an ordinary HTTPS website: harder to fingerprint and more secure. It is, after all, complete and genuine TLS traffic.
This setup is slower than a plain self-hosted V2Ray+TLS setup.
Register a domain
First register a free or paid domain and point its A record at the server's public IP.
Configure Nginx on the server
Install Nginx
apt-get install nginx -y   or   yum install -y nginx
Edit the Nginx configuration file
vi /etc/nginx/sites-available/default
or vi /etc/nginx/nginx.conf
Change the configuration to the following:
server {
    listen 80;
    server_name urdomain.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 448 ssl;
    server_name urdomain.com;
    ssl_certificate /etc/letsencrypt/live/urdomain.com/fullchain.pem;   # certificate path (nginx comments start with #, not //)
    ssl_certificate_key /etc/letsencrypt/live/urdomain.com/privkey.pem;
    location /v2r {
        proxy_pass http://127.0.0.1:10086;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}
Note that the port-80 block redirects to https://urdomain.com, i.e. port 443, while the TLS listener above is on 448. Unless something else serves 443 on this host, either listen on 443 here or redirect to https://$server_name:448$1. The client configuration below connects to port 448.
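The following is an added example and not part of the original page: a small Python probe for the location block above. It opens a certificate-verified TLS connection with the SNI set to the domain, sends the same Upgrade request a V2Ray client would, and checks that the reply is a genuine 101 (the Sec-WebSocket-Accept value must be derived from the request key as RFC 6455 prescribes). It then sends a plain GET on the same path to confirm that a non-WebSocket visitor gets an ordinary web status instead of being handed to v2ray. Host, port and path come from the command line; the responses at the bottom are constructed for offline checking, and the `ws-probe` User-Agent is an arbitrary label.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455 section 1.3


def websocket_accept(key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(host: str, path: str, key=None) -> bytes:
    """HTTP/1.1 GET for `path`. With a key it carries the WebSocket upgrade headers that nginx
    forwards to v2ray; without one it is the plain GET a crawler or scanner would send."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "User-Agent: ws-probe/0.1"]
    if key:
        lines += ["Upgrade: websocket", "Connection: Upgrade",
                  f"Sec-WebSocket-Key: {key}", "Sec-WebSocket-Version: 13"]
    else:
        lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_head(raw: bytes):
    """(status code, {lower-case header name: value}) from the start of an HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def upgrade_succeeded(raw: bytes, key: str) -> bool:
    """True only for a real 101 whose Accept value proves the upgrade reached a WebSocket endpoint."""
    status, headers = parse_head(raw)
    return (status == 101
            and headers.get("upgrade", "").lower() == "websocket"
            and headers.get("sec-websocket-accept") == websocket_accept(key))


def probe(host: str, port: int, path: str, timeout: float = 10.0) -> dict:
    """Connect over TLS (SNI = host, certificate verified) and send both request kinds.
    A correctly hidden deployment answers 101 to the upgrade and a normal web status
    (404, 400 or the cover site's page) to the plain GET on the very same path."""
    ctx = ssl.create_default_context()
    results = {}
    for label, key in (("upgrade", base64.b64encode(os.urandom(16)).decode("ascii")),
                       ("plain", None)):
        with socket.create_connection((host, port), timeout=timeout) as sock, \
             ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_request(host, path, key))
            raw = tls.recv(4096)
        status, _ = parse_head(raw)
        results[label] = {"status": status, "websocket": bool(key) and upgrade_succeeded(raw, key)}
    return results


# Constructed responses (not captured from a real server) used to exercise the parser offline.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # the example key used in RFC 6455
SAMPLE_101 = (b"HTTP/1.1 101 Switching Protocols\r\nServer: nginx\r\nUpgrade: websocket\r\n"
              b"Connection: upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys  # usage: probe.py urdomain.com 448 /v2r
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

If the plain GET also comes back as 101, or the upgrade gets a 101 on a path other than the configured one, the location block is broader than intended and the endpoint is easier to discover than the cover site suggests.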
Request a free SSL certificate with acme.sh
V2Ray server configuration
Once the certificate is issued and nginx is configured, install v2ray and edit the server configuration file.
Install v2ray:
// download the script
Change the v2ray configuration as follows:
nano /usr/local/etc/v2ray/config.json
(The server configuration itself was not captured on this page. From the nginx block and the client configuration below it must be a VMess inbound listening on 127.0.0.1:10086 with network ws and path /v2r, accepting the client's UUID.)
V2Ray client setup
First download the software from the V2Ray website.
Client config.json:
{
  "inbounds": [
    {
      "port": 2089,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "urdomain.com",
            "port": 448,
            "users": [
              {
                "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
                "alterId": 0
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "wsSettings": {
          "path": "/v2r"
        }
      }
    }
  ]
}
That completes the setup. Anyone who has run a website before should find it easy. One reminder: clear the browser cache before using it.
Then set the browser's SOCKS proxy to 127.0.0.1, port 2089, and the browser goes through the proxy.
If urdomain.com above is a purchased domain, the steps above are all it takes.
If urdomain.com is a free domain you registered, it may already be blocked by the GFW and fail to resolve, so the client command cannot reach the server. Workaround:
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
Start some Shadowsocks client program.
cd ~/dns-tcp-socks-proxy;sudo ./dns_proxy
(usage: see https://briteming.blogspot.com/2019/07/dns-tcp-socks-proxysocks-proxydns.html)
Then run the client command above.
(If you closed the lid of the Mac, first run
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
sudo killall dns_proxy;cd ~/dns-tcp-socks-proxy;sudo ./dns_proxy
and then run the client command again.)
References:
https://toutyrater.github.io/advanced/wss_and_web.html
https://guide.v2fly.org/advanced/advanced.html
https://serverfault.com/questions/765258/use-http-2-0-between-nginx-reverse-proxy-and-backend-webserver
I followed this article and got through successfully.
--------------------------------------------
Sources
- https://www.v2ray.com/
- https://steemit.com/v2ray/@laosan/v2ray-websocket-ws-tls-nginx-bbr-cdn-wordpress
- https://certbot.eff.org/
Steps
- v2ray server installation and configuration
- nginx installation and configuration
- v2ray client usage
v2ray server installation and configuration
Point test.v2ray.com (a placeholder; use your own domain) at your VPS IP address. Install with the official script:
bash <(curl -L -s https://install.direct/go.sh)
The script installs:
- /usr/bin/v2ray/v2ray: the V2Ray program
- /usr/bin/v2ray/v2ctl: the V2Ray tool
- /etc/v2ray/config.json: the configuration file
- /usr/bin/v2ray/geoip.dat: IP data file
- /usr/bin/v2ray/geosite.dat: domain data file
The script also installs an autostart unit that starts V2Ray again after a reboot. At the moment only systems with systemd and the whole Debian/Ubuntu family are supported:
- /etc/systemd/system/v2ray.service: systemd
- /etc/init.d/v2ray: SysV
After the script finishes you need to edit /etc/v2ray/config.json to configure the proxy you want, then run
service v2ray start
to start the V2Ray process; afterwards use
service v2ray start|stop|status|reload|restart|force-reload
to control it.
Server v2ray configuration file
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "port": 10000, // this port must match the nginx proxy_pass
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "461aad1f-687c-4188-9abc-80073a618ca3", // your UUID; must be the same on the client
          "level": 1,
          "alterId": 64 // must also be the same on the client
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/ray" // must match the nginx location
      }
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  },
  "outboundDetour": [
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
            "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
            "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
            "::1/128", "fc00::/7", "fe80::/10"
          ],
          "outboundTag": "blocked"
        }
      ]
    }
  }
}
The server configuration above carries brief inline notes; the nginx side is covered below. The blackhole rule stops a client from using the server as a pivot into the server's own loopback and private networks.
v2ray client configuration file
{
  "log": {
    "loglevel": "warning"
  },
  "inbound": {
    "port": 1080,
    "listen": "127.0.0.1",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": false
    }
  },
  "inboundDetour": [
    {
      "port": 8123,
      "listen": "127.0.0.1",
      "protocol": "http",
      "settings": {}
    }
  ],
  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [{
        "address": "test.v2ray.com", // server address; change to your own server IP or domain
        "port": 443, // server port
        "users": [{
          "id": "461aad1f-687c-4188-9abc-80073a618ca3", // your UUID; must be the same on the server
          "level": 1,
          "alterId": 64, // must also be the same on the server
          "security": "aes-128-gcm"
        }]
      }]
    },
    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {
        "serverName": "test.v2ray.com" // your server's domain
      },
      "wsSettings": {
        "path": "/ray" // must match the server and nginx configurations
      }
    },
    "tag": "forgin"
  },
  "outboundDetour": [
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    }
  ],
  "routing": { // this routing block splits traffic automatically: Chinese IPs and sites go direct
    "strategy": "rules",
    "settings": {
      "domainStrategy": "IPIfNonMatch",
      "rules": [
        {
          "type": "chinaip",
          "outboundTag": "direct"
        },
        {
          "type": "chinasites",
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
            "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
            "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
            "::1/128", "fc00::/7", "fe80::/10"
          ],
          "outboundTag": "direct"
        }
      ]
    }
  },
  "policy": {
    "levels": {
      "0": {"uplinkOnly": 0}
    }
  }
}
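An added example (not from the page or the V2Ray project) of how the routing block above is evaluated, in Python. V2Ray walks the rules in order and the first match picks the outbound; every condition listed inside one rule must hold at the same time, which is why a rule that names both `ip` and `domain` only fires when the destination satisfies both. With domainStrategy IPIfNonMatch a destination given as a hostname is first matched on the domain alone and, if no rule fires, resolved and matched again together with its IP. `geoip:` and `geosite:` entries need the data files shipped with V2Ray and are skipped here. The routing snippets and the resolver stub used in the checks are constructed for this example.

```python
import ipaddress

# Constructed routing blocks in the shape of this page's client configs (not copied from it).
SAMPLE_ROUTING = {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
        {"type": "field",
         "ip": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
                "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10", "geoip:cn"],
         "outboundTag": "direct"},
        {"type": "field", "domain": ["domain:example.cn", "full:intranet.corp", "geosite:cn"],
         "outboundTag": "direct"},
    ],
}
# One rule listing ip AND domain together: it fires only when both conditions hold.
MERGED_RULE = {
    "domainStrategy": "IPIfNonMatch",
    "rules": [{"type": "field", "ip": ["10.0.0.0/8"], "domain": ["domain:example.cn"],
               "outboundTag": "direct"}],
}


def ip_matches(entries, ip):
    """True when ip lies in one of the CIDRs. geoip:* entries need geoip.dat and are not evaluated."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False)
               for e in entries if not e.startswith("geoip:"))


def domain_matches(entries, host):
    """V2Ray domain syntax: 'full:x' exact, 'domain:x' x or any subdomain, bare text = substring.
    'geosite:' (needs geosite.dat) and 'regexp:' entries are not evaluated here."""
    if host is None:
        return False
    host = host.lower().rstrip(".")
    for entry in entries:
        kind, sep, pat = entry.partition(":")
        pat = pat.lower()
        if not sep and entry.lower() in host:
            return True
        if kind == "full" and host == pat:
            return True
        if kind == "domain" and (host == pat or host.endswith("." + pat)):
            return True
    return False


def rule_matches(rule, host, ip):
    """Every condition present in a rule must hold (V2Ray ANDs them); a rule with none never matches."""
    checks = []
    if "domain" in rule:
        checks.append(domain_matches(rule["domain"], host))
    if "ip" in rule:
        checks.append(ip_matches(rule["ip"], ip))
    return bool(checks) and all(checks)


def pick_outbound(routing, host=None, ip=None, resolve=None, default="proxy"):
    """First matching rule wins. With IPIfNonMatch a hostname is tried on its own first and,
    if nothing matched, resolved through the supplied resolver and tried again with its IP."""
    for rule in routing["rules"]:
        if rule.get("type", "field") == "field" and rule_matches(rule, host, ip):
            return rule["outboundTag"]
    if ip is None and host and resolve and routing.get("domainStrategy") == "IPIfNonMatch":
        return pick_outbound(routing, host, resolve(host), None, default)
    return default
```

The MERGED_RULE case is the one to watch: a LAN address such as 10.1.2.3 is not sent direct by that rule, because the domain condition in the same rule is unmet, so the page's configs that keep the private-range list and the Chinese-site list in separate rules are the correct shape.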
Nginx configuration
Below is the relevant part of the nginx configuration. It does not disturb an nginx site you already run; it only adds a location /ray.
server {
    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_certificate /ssl.pem; # your certificate; on a first install you may need a self-signed one to get nginx started
    ssl_certificate_key /ssl.key; # your key
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name test.v2ray.com; # your server's domain
    location /ray { # the /ray path must match the v2ray server and client configurations
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10000; # this address and port must match the v2ray server inbound
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}
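This page keeps repeating that the path, the port, the UUID and the alterId must agree between nginx, the server config and the client config, and that is where most failed setups go wrong. The following Python checker is an added example (not from the page or the V2Ray project): it parses the three files and reports every disagreement, including the server inbound not being bound to 127.0.0.1 (which would expose plain VMess beside the TLS front). It understands both the old `inbound`/`outbound` objects and the newer `inbounds`/`outbounds` lists that appear on this page. The samples at the bottom are constructed (example.com is a placeholder; the UUID is the one this tutorial uses) and only serve to exercise the checks; real v2ray files containing // comments must have them removed before json.load.

```python
import copy
import json
import re


def strip_comments(conf: str) -> str:
    """Drop nginx '#' comments so a commented-out proxy_pass is not mistaken for a live one."""
    return re.sub(r"#.*", "", conf)


def nginx_locations(conf: str):
    """Yield (prefix, body) for every `location <prefix> { ... }`, matching braces so the body
    may contain nested blocks such as the `if ($http_upgrade = "websocket")` trick on this page."""
    conf = strip_comments(conf)
    for m in re.finditer(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def nginx_backends(conf: str) -> dict:
    """location prefix -> port of the 127.0.0.1 upstream that location proxies to."""
    out = {}
    for prefix, body in nginx_locations(conf):
        m = re.search(r"proxy_pass\s+http://127\.0\.0\.1:(\d+)", body)
        if m:
            out[prefix] = int(m.group(1))
    return out


def nginx_tls_port(conf: str):
    m = re.search(r"listen\s+(?:\[::\]:)?(\d+)\s+ssl", strip_comments(conf))
    return int(m.group(1)) if m else None


def first(cfg: dict, single: str, plural: str) -> dict:
    """V2Ray accepts the old `inbound`/`outbound` objects and the newer `inbounds`/`outbounds` lists."""
    return cfg[plural][0] if plural in cfg else cfg[single]


def check(nginx_conf: str, server_cfg: dict, client_cfg: dict) -> list:
    """Human-readable disagreements between the three files; an empty list means they agree."""
    problems = []
    inbound = first(server_cfg, "inbound", "inbounds")
    outbound = first(client_cfg, "outbound", "outbounds")
    vnext = outbound["settings"]["vnext"][0]
    user = vnext["users"][0]
    srv_path = inbound.get("streamSettings", {}).get("wsSettings", {}).get("path")
    cli_stream = outbound.get("streamSettings", {})
    cli_path = cli_stream.get("wsSettings", {}).get("path")
    backends = nginx_backends(nginx_conf)
    tls_port = nginx_tls_port(nginx_conf)

    if srv_path != cli_path:  # v2ray compares the path exactly: /ray and /ray/ are different
        problems.append(f"ws path differs: server {srv_path!r}, client {cli_path!r}")
    if srv_path not in backends:
        problems.append(f"nginx has no location {srv_path!r} proxying to 127.0.0.1")
    elif backends[srv_path] != inbound["port"]:
        problems.append(f"nginx proxies {srv_path!r} to port {backends[srv_path]}, v2ray listens on {inbound['port']}")
    if inbound.get("listen") != "127.0.0.1":
        problems.append("v2ray inbound is not bound to 127.0.0.1, so plain VMess is reachable without TLS")
    if tls_port != vnext["port"]:
        problems.append(f"client connects to port {vnext['port']}, nginx TLS listener is {tls_port}")
    if cli_stream.get("security") != "tls":
        problems.append("client streamSettings.security is not 'tls'")
    ids = {c["id"]: c.get("alterId", 0) for c in inbound["settings"]["clients"]}
    if user["id"] not in ids:
        problems.append("client UUID is not in the server's client list")
    elif ids[user["id"]] != user.get("alterId", 0):
        problems.append("alterId differs between client and server")
    return problems


# Constructed samples in the shape used on this page (example.com is a placeholder).
SAMPLE_NGINX = """
server {
    listen 443 ssl http2;
    server_name example.com;
    location /ray {
        #proxy_pass http://127.0.0.1:9999;   # commented out, must be ignored
        proxy_pass http://127.0.0.1:10000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""
SAMPLE_SERVER = {"inbounds": [{"port": 10000, "listen": "127.0.0.1", "protocol": "vmess",
                               "settings": {"clients": [{"id": "461aad1f-687c-4188-9abc-80073a618ca3",
                                                         "alterId": 64}]},
                               "streamSettings": {"network": "ws", "wsSettings": {"path": "/ray"}}}],
                 "outbounds": [{"protocol": "freedom", "settings": {}}]}
SAMPLE_CLIENT = {"outbounds": [{"protocol": "vmess",
                                "settings": {"vnext": [{"address": "example.com", "port": 443,
                                                        "users": [{"id": "461aad1f-687c-4188-9abc-80073a618ca3",
                                                                   "alterId": 64}]}]},
                                "streamSettings": {"network": "ws", "security": "tls",
                                                   "wsSettings": {"path": "/ray"}}}]}


def demo() -> dict:
    """The consistent samples, plus a client copy with the classic trailing-slash slip."""
    slipped = copy.deepcopy(SAMPLE_CLIENT)
    slipped["outbounds"][0]["streamSettings"]["wsSettings"]["path"] = "/ray/"
    return {"consistent": check(SAMPLE_NGINX, SAMPLE_SERVER, SAMPLE_CLIENT),
            "trailing_slash": check(SAMPLE_NGINX, SAMPLE_SERVER, slipped)}


if __name__ == "__main__":
    import sys  # usage: check.py nginx.conf server.json client.json
    with open(sys.argv[1]) as n, open(sys.argv[2]) as s, open(sys.argv[3]) as c:
        print("\n".join(check(n.read(), json.load(s), json.load(c))) or "configs agree")
```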
Once everything works, add a crontab entry so the certificate gets renewed, since Let's Encrypt certificates expire after three months. The original entry was
0 0 15 */3 * /root/certbot/certbot-auto renew
but `*/3` in the month field means January, April, July and October (not March, June, September and December as its comment claimed), and a single attempt every three months leaves no margin if that one run fails. certbot-auto renew only renews certificates that are within 30 days of expiry, so the safe pattern is to run it daily and reload nginx when a new certificate has been deployed:
0 0 * * * /root/certbot/certbot-auto renew --deploy-hook "service nginx reload" # runs every day at midnight; certbot skips certificates that are not yet due
Using the v2ray client
The GUI client v2rayN is recommended: https://github.com/2dust/v2rayN. Download v2rayN.exe from the releases page and put it into the v2ray client folder.
One thing to note when v2rayN uses WebSocket (ws): the "disguise domain / path" option should be filled in like this:
/ray;test.v2ray.com #replace with your own values
v2ray+WebSocket+TLS+caddy
Reverse-proxying V2Ray with Caddy to get v2ray+WebSocket+TLS
Install caddy
Only hook.service is selected here; hook.service is Caddy's autostart service, so Caddy starts on boot. If you need other plugins, add them yourself. Caddy is written in Go, so upgrading or adding plugins later is just a matter of running the same command again; it replaces the binary automatically. (Everything in this section is Caddy v1 syntax: getcaddy.com, the `proxy` directive and `caddy -service`. Caddy v2 uses a different Caddyfile, with `reverse_proxy`, and is installed differently.)
- curl https://getcaddy.com | bash -s personal hook.service
Make the autostart take effect (Caddyfile is Caddy's default configuration file):
- caddy -service install -agree -email abc@caddy.com -conf /usr/local/bin/Caddyfile
Replace abc@caddy.com with your own email; the path /usr/local/bin can be changed to whatever you prefer.
Enter the caddy install directory
- cd /usr/local/bin
Edit the Caddyfile
- nano Caddyfile
To have the certificate requested automatically, enter:
    hostloc.xyz {
        tls abc@caddy.com
        proxy /ray 127.0.0.1:12345 {
            websocket
            header_upstream -Origin
        }
    }
Replace hostloc.xyz with your own domain; have DNS resolving beforehand and do not enable the CDN (the orange cloud in CF). Replace abc@caddy.com with your email. Replace 12345 with the port set in V2Ray. /ray is the path set in V2Ray; change it to your own /path.
If you have your own SSL certificate, use this instead:
    hostloc.xyz {
        tls /etc/ssl/private/hostloc.xyz.crt /etc/ssl/private/hostloc.xyz.key
        proxy /ray 127.0.0.1:12345 {
            websocket
            header_upstream -Origin
        }
    }
Change /etc/ssl/private/hostloc.xyz.crt (and the .key beside it) to your own certificate path and file name.
In the current directory, i.e. /usr/local/bin, run caddy once to request the certificate:
- ./caddy
The first run shows the certificate request for the email you entered; no error means it succeeded.
To check caddy's status:
- caddy -service status
Other commands:
- caddy -service restart #restart
- caddy -service start #start
- caddy -service stop #stop
A full record of setting up v2ray with the HTTP/2 transport
If you do not intend to put the server behind a CDN you can resolve the domain to the IP directly in namesilo. I did not plan to use the CDN this time either, but as insurance against the IP being blocked I still wanted Cloudflare to do the resolution, so that if the IP is blocked I can switch to the CDN with one click and revive the VPS. To use Cloudflare, first unlock the domain: tick the box in front of the domain, click Unlock Domains and submit; then click Change Nameservers, delete the existing entries and replace them with Cloudflare's nameservers.
Register at https://www.cloudflare.com (if you already have an account, use Add a site) and follow the prompts. Then resolve the IP: add an A record under DNS with your VPS's IP. It is important to set the status to DNS only, otherwise Caddy cannot obtain the TLS certificate automatically. Once Caddy has finished you can switch it to the CDN (proxied) state, and if the IP is blocked later, switching here to the CDN revives the VPS. With the CDN you also need to set the SSL mode under Crypto to Full; since Caddy holds a valid certificate, Full (strict), which additionally validates the origin certificate, is the better choice.
After installation, log in to the VPS with WinSCP to make the changes. Create a file named Caddyfile (case matters) under /usr/local/caddy/ and write the configuration into it. Below I use the domain cloud.cctv.com, the email demo@cctv.com and the path /data as examples; replace them with your own.
Save and start Caddy. You can also simply reboot the VPS with the reboot command. After the reboot, check /tmp/caddy.log to see whether it started normally; if not, follow the hints in the log. In WinSCP press Ctrl+Alt+H to check that the hidden .caddy folder exists.
4. Install v2ray
Open /etc/v2ray/config.json in WinSCP and edit it.
Replace cloud.cctv.com with your own domain; the path /data must be the same as in Caddy; the files named in "certificateFile": "/etc/v2ray/v2ray.crt" and "keyFile": "/etc/v2ray/v2ray.key" should be symlinks to the ones under /.caddy/acme/acme-v01.api.letsencrypt.org/sites/cloud.cctv.com/; without the symlinks you have to enter the full path of the certificate files Caddy generated.
Check with service v2ray status whether v2ray started normally.
If all is well, you can now proxy over HTTP/2.
2. Check whether the port is open: firewall-cmd --query-port=443/tcp; no means 443 is not open. Run firewall-cmd --add-port=443/tcp --permanent (success means it worked), then firewall-cmd --reload, and port 443 is open.
3. If caddy fails to create the certificate, look in /tmp/caddy.log for the reason, or watch it with tail -f /tmp/caddy.log. When the log shows Serving HTTPS on port 443 https://down.xxxxx.top (your subdomain), the certificate was created successfully.
4. A certificate created by caddy is valid for three months and is renewed automatically. But if you use Cloudflare's CDN, at renewal time you have to turn the CDN off (set it to DNS only) and then run
--------------------------------------
One-click V2ray+ws+tls+nginx install script
If you want to build V2Ray+websocket+tls+web, first see whether these two points describe your needs:
- you want to disguise the v2ray proxy traffic as https;
- you also want to run other web services on ports 80 and 443 on the same VPS.
If both apply, this tutorial is strongly recommended.
This tutorial relies mainly on a script and is already very simple. At the end I will attach some V2Ray diagrams to help you understand the pieces, so that later you can build it without the one-click script.
sudo apt-get update
sudo apt-get upgrade
(The original wrote apt-get install update / apt-get install upgrade, which is not a valid apt-get invocation.) Answer Y to any [Y/N] prompts. Then run:
git clone https://github.com/wulabing/V2Ray_ws-tls_bash_onekey V2Ray_ws-tls_bash_onekey-by-wulabing
cd V2Ray_ws-tls_bash_onekey-by-wulabing
chmod 755 install.sh && ./install.sh
After a while the script asks for your domain; enter the one you just registered, www.mydomain.top.
Shortly afterwards the script requests an SSL certificate and installs it into v2ray; all you have to do is note down the configuration it prints at the end:
V2ray+ws+tls installed successfully
V2ray configuration
address: yourdomain.com
port: 443
user id (UUID): your UUID
alterId: 64
security: auto
network: ws
type: none
path (do not leave out the slashes): /a string of characters/
transport security: tls
[OK] Nginx started
[OK] V2ray started
[OK] cron job updated
Configure the client
That is nearly everything: thanks to the one-click script we skipped configuring nginx and requesting the SSL certificate. Very convenient.
On the local machine, create a config.json with the following content:
{
  "log": {
    "error": "error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "port": 2080,
    "listen": "127.0.0.1",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": true,
      "ip": "127.0.0.1"
    }
  },
  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "www.mydomain.top",
          "port": 443,
          "users": [
            {
              "id": "************UUID**************", // put the UUID printed by the script here
              "alterId": 64,
              "security": "auto"
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {
        "serverName": "www.mydomain.top"
      },
      "wsSettings": {
        "path": "/a string of characters/", // the path printed by the script, slashes included
        "headers": {
          "Host": "www.mydomain.top"
        }
      }
    },
    "mux": {
      "enabled": true
    }
  },
  "inboundDetour": [
    {
      "port": 6666,
      "listen": "127.0.0.1",
      "protocol": "http",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "127.0.0.1"
      }
    }
  ],
  "outboundDetour": [
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    }
  ],
  "dns": {
    "servers": [
      "8.8.8.8",
      "8.8.4.4",
      "localhost"
    ]
  },
  "routing": {
    "strategy": "rules",
    "settings": {
      "domainStrategy": "IPIfNonMatch",
      "rules": [
        // The original listed "ip" and "domain" inside one rule. V2Ray requires every
        // condition of a rule to match at once, so that rule only fired when the domain
        // was Chinese AND the IP was in the list; it is split into two rules here.
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
            "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
            "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
            "::1/128", "fc00::/7", "fe80::/10", "geoip:cn"
          ],
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "domain": [
            "geosite:cn"
          ],
          "outboundTag": "direct"
        },
        {
          "type": "chinasites",
          "outboundTag": "direct"
        },
        {
          "type": "chinaip",
          "outboundTag": "direct"
        }
      ]
    }
  }
}
Run v2ray -config config.json
From now on, in the eyes of the GFW our proxied browsing is nothing more than visits to the HTTPS site www.mydomain.top. If you are curious, open www.mydomain.top in a browser: it is a scientific calculator, a seamless cover.
----------------
Hiding/disguising v2ray with an Nginx reverse proxy + TLS + WebSocket + a web site
Preparation
A domain: a free one from freenom.com works; point its A record at the server.
A server: 64 MB of RAM is enough. Vultr sells them from $2.50 a month, gives $10 on sign-up and accepts Alipay.
A website to reverse-proxy: pick a simple one, because many large sites have protections that make reverse-proxying awkward.
Configure nginx
- service apache2 stop
- apt-get remove apache* -y
debian/ubuntu
- apt-get install nginx -y
- mkdir -p /etc/nginx/ssl
- openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
vi /etc/nginx/sites-enabled/your-domain.conf
server
{
    listen 80;
    #listen [::]:80;
    server_name your-domain;
    # redirect http to https
    return 301 https://your-domain$request_uri;
}
server
{
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name your-domain;
    ssl_certificate /etc/nginx/ssl/your-domain/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/your-domain/privkey.key;
    ssl_session_timeout 5m;
    # the original allowed TLSv1 and TLSv1.1, both deprecated; drop TLSv1.3 only if your nginx/OpenSSL build predates it
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # 3DES suites removed from the original list
    ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    access_log off;
    location / {
        # pass the visitor's IP to the backend
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # ask the upstream for uncompressed content, otherwise sub_filter cannot rewrite the body
        proxy_set_header Accept-Encoding "";
        # the site to reverse-proxy; a port may be appended
        proxy_pass http://148.251.3.246:22900/;
        # rewrite the site's content
        sub_filter 'the site you proxy' 'your-domain';
        # websocket settings used by V2Ray; these must match the v2ray configuration
        location /phpmyadmin/ {
            proxy_redirect off;
            #proxy_pass http://127.0.0.1:10000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
            # only a real WebSocket upgrade is handed to v2ray; an ordinary GET on this path gets nginx's normal 404
            if ($http_upgrade = "websocket" ){
                proxy_pass http://127.0.0.1:10000;
            }
        }
    }
}
(The original also had `ssl on;`, which is deprecated and redundant once `listen 443 ssl` is present.)
proxy_pass http://148.251.3.246:22900/; is where you set the site to reverse-proxy. 148.251.3.246:22900 is a server-status probe page I host for testing; you can point it at another site, for example https://github.com/. If you proxy https://github.com, then the line sub_filter 'the site you proxy' 'your-domain';
becomes sub_filter 'github.com' 'yourdomain.com';
Request a certificate
- apt-get install socat -y
- curl https://get.acme.sh | sh
Run the following inside the .acme.sh directory (for root that is /root/.acme.sh). Issue the certificate:
- acme.sh --issue --nginx -d your-domain
(Add a further -d for every extra name the certificate should cover. The --nginx mode needs nginx running with a server block for the domain; since the 443 block above references certificate files that do not exist yet, comment that block out for the first issue, or stop nginx and use --standalone instead.)
Create a directory to hold the certificate.
- mkdir -p /etc/nginx/ssl/your-domain
Do not point nginx at the files under ~/.acme.sh/your-domain; that directory is for acme.sh's internal use and its layout may change. Install copies instead:
- acme.sh --install-cert -d your-domain \
-   --key-file /etc/nginx/ssl/your-domain/privkey.key \
-   --fullchain-file /etc/nginx/ssl/your-domain/fullchain.cer \
-   --reloadcmd "service nginx force-reload"
Configure v2ray
Use the official install script
- bash <(curl -L -s https://install.direct/go.sh)
If you get -bash: curl: command not found, install curl:
- apt-get install curl -y
Delete the contents of /etc/v2ray/config.json and paste in the following: vi /etc/v2ray/config.json
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "info"
  },
  "inbound": {
    "port": 10000,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "allocate": {
      "strategy": "always"
    },
    "settings": {
      "clients": [{
        "id": "6d8a82b9-94d6-442e-a340-2b9cd5752c77",
        "level": 1,
        "alterId": 64,
        "security": "chacha20-poly1305"
      }]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "connectionReuse": false,
        "path": "/phpmyadmin/"
      }
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  },
  "outboundDetour": [{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [{
        "type": "field",
        "ip": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "::1/128", "fc00::/7", "fe80::/10"],
        "outboundTag": "blocked"
      }]
    }
  }
}
The id "6d8a82b9-94d6-442e-a340-2b9cd5752c77" can be generated at https://www.uuidgenerator.net/; you are strongly advised to change it, since anyone who knows the UUID (and this page shows it) can use your server.
Using the client
(Note: the V2Ray client and server are the same program, only configured differently, so client and server are downloaded from the same place; the client and server operating systems may differ, though, so download the matching build. On Windows use v2ray-windows-32.zip or v2ray-windows-64.zip.)
Change config.json to the following; set address (inside vnext) to your site's domain.
{
  "log": {
    "access": "",
    "error": "",
    "loglevel": ""
  },
  "inbound": {
    "port": 1085,
    "listen": "0.0.0.0", // 0.0.0.0 offers this unauthenticated SOCKS proxy to every host on the network; use 127.0.0.1 unless other devices must share it
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": true,
      "ip": "127.0.0.1",
      "clients": null
    },
    "streamSettings": null
  },
  "outbound": {
    "tag": "agentout",
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "your site's domain",
          "port": 443,
          "users": [
            {
              "id": "6d8a82b9-94d6-442e-a340-2b9cd5752c77",
              "alterId": 64,
              "security": "chacha20-poly1305"
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tcpSettings": null,
      "kcpSettings": null,
      "wsSettings": {
        "connectionReuse": true,
        "path": "/phpmyadmin/",
        "headers": null
      }
    },
    "mux": {
      "enabled": true
    }
  },
  "inboundDetour": null,
  "outboundDetour": [
    {
      "protocol": "freedom",
      "settings": {
        "response": null
      },
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      },
      "tag": "blockout"
    }
  ],
  "dns": {
    "servers": [
      "8.8.8.8",
      "8.8.4.4",
      "localhost"
    ]
  },
  "routing": {
    "strategy": "rules",
    "settings": {
      "domainStrategy": "IPIfNonMatch",
      "rules": [
        {
          "type": "field",
          "port": null,
          "outboundTag": "direct",
          "ip": [
            "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
            "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
            "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
            "::1/128", "fc00::/7", "fe80::/10"
          ],
          "domain": null
        },
        {
          "type": "field",
          "port": null,
          "outboundTag": "direct",
          "ip": null,
          "domain": [
            "geosite:cn"
          ]
        },
        {
          "type": "field",
          "port": null,
          "outboundTag": "direct",
          "ip": [
            "geoip:cn"
          ],
          "domain": null
        }
      ]
    }
  }
}
On the client, just run v2ray or v2ray.exe.
Reference:
https://github.com/iMeiji/shadowsocks_install/wiki/Project-V-%E9%85%8D%E7%BD%AE-WebSocket-TLS-Web-CDN
-----------
ws+TLS+Nginx
yum -y update
bash <(curl -L -s https://install.direct/go.sh)
systemctl enable v2ray
rpm -qa | grep epel-release
rpm -e epel-release-7-11.noarch
yum -y install epel-release
yum -y install certbot
certbot certonly --standalone -d example.com
The certificate and key are then at /etc/letsencrypt/live/example.com/fullchain.pem and /etc/letsencrypt/live/example.com/privkey.pem
vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
(The original had gpgcheck=0; verifying the packages against nginx's published signing key costs nothing.)
yum -y install nginx
systemctl enable nginx
vi /etc/nginx/conf.d/v2ray.conf
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # the original listed TLSv1 TLSv1.1 TLSv1.2; the first two are deprecated; drop TLSv1.3 only if your nginx/OpenSSL build predates it
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    error_page 497 https://$host$request_uri;
    location /ray {
        proxy_pass http://127.0.0.1:10000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}
cp /etc/v2ray/config.json /etc/v2ray/config.jsonbak
echo "" > /etc/v2ray/config.json
vi /etc/v2ray/config.json
{
  "inbounds": [
    {
      "port": 10000,
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "your UUID",
            "alterId": 64
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/ray"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}
systemctl stop firewalld.service
vi /etc/selinux/config    # set SELINUX=disabled
setenforce 0
Stopping firewalld and disabling SELinux outright is the blunt way past the CentOS defaults. The minimal alternative is to open only 443 (firewall-cmd --permanent --add-service=https && firewall-cmd --reload) and to allow nginx to connect to the local v2ray port (setsebool -P httpd_can_network_connect 1), leaving SELinux enforcing.
systemctl start v2ray
systemctl start nginx
systemctl status v2ray
systemctl status nginx
2. https://github.com/2dust/v2rayN
Manual V2Ray VMESS+WS+TLS configuration behind NGINX
- Manual configuration is safe and reliable and teaches you the software environment
- You need to register a domain, configure DNS, install Nginx and obtain a certificate first
vim /etc/nginx/sites-enabled/https
server {
    listen 443 ssl http2;
    ssl_certificate ssl.srgb888.ga.crt;
    ssl_certificate_key ssl.srgb888.ga.key;
    ssl_protocols TLSv1.2 TLSv1.3;   # the original listed TLSv1 TLSv1.1 TLSv1.2; the first two are deprecated; drop TLSv1.3 only if your nginx/OpenSSL build predates it
    ssl_ciphers HIGH:!aNULL:!MD5;
    server_name ssl.srgb888.ga;
    root /var/www/html;
    location / {
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        if ($http_host = "www.baidu_bing.com" ) {
            proxy_pass http://127.0.0.1:8000;
        }
    }
}
server {
    listen 80;
    server_name ssl.srgb888.ga;
    return 301 https://ssl.srgb888.ga$request_uri;   # the original redirected to https://ssl.srgb888.ga:443 and dropped the requested path
}
- ssl.srgb888.ga.crt and ssl.srgb888.ga.key are the domain's certificate files, stored in /etc/nginx
- How the reverse proxy works: when the request from v2ray carries the hostname www.baidu_bing.com, nginx proxies it to port 8000, which is exactly v2ray's port; every other request on / is served as a normal page from /var/www/html. Only the HTTP Host header inside the TLS connection carries the fake name; the TLS SNI and the certificate remain ssl.srgb888.ga, so nothing unusual is visible on the wire.
vim /etc/v2ray/config.json
{
  "inbound": {
    "port": 8000,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "a0816b69-c87f-4085-95d2-d0feda21a588",
          "alterId": 64
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/",
        "headers": {
          "Host": "www.baidu_bing.com"
        }
      }
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  }
}
- Port 8000 corresponds to the nginx configuration; the UUID can be generated with the client and changed
- Host: www.baidu_bing.com can be anything you like, but it must equal the hostname in the nginx reverse-proxy condition
V2ray_WS_Nginx reverse proxy: client settings
Appendix: domain registration, DNS setup and free certificates
- In China, Tencent Cloud or Alibaba Cloud sell cheap one-year domains; after real-name verification you can request a free one-year Symantec SSL certificate
- Log in to the cloud console, open domain management, set up DNS, find the free SSL certificate and apply for it
- For a domain registered abroad you can also use the three-month, automatically renewed certificates
- Free certificates from letsencrypt over the acme protocol; a simple script:
#!/usr/bin/env sh
# https://github.com/Neilpang/acme.sh/wiki/说明
# install the ssl dependencies and the acme.sh tool
apt-get install socat netcat -y
curl https://get.acme.sh | sh
# set the domain
DOMAIN=ssl.srgb888.ga
# issue the certificate in webroot mode: nginx must already serve /var/www/html for this host
# (the original also passed --standalone, a different verification mode; only webroot is kept here)
~/.acme.sh/acme.sh --issue -d ${DOMAIN} --webroot /var/www/html -k ec-256 --force
#### where the issued certificate is stored
#### /root/.acme.sh/ssl.srgb888.ga_ecc/ssl.srgb888.ga.cer
#### /root/.acme.sh/ssl.srgb888.ga_ecc/ssl.srgb888.ga.key
- To use the free acme certificates, DNS must be set up and Nginx installed first, and the --webroot parameter must match the real document root
# debian family
apt -y install nginx
# centos family: install nginx; if the web server cannot be reached, turn off the firewall (or at least open ports 80 and 443)
yum -y install vnstat nginx
systemctl enable nginx
systemctl restart nginx
# V2Ray official one-click script
bash <(curl -L -s https://install.direct/go.sh)
from
https://github.com/hongwenjun/vps_setup/blob/master/v2ray/v2ray_ws_nginx.md
---
https://github.com/atrandys/v2ray-ws-tls
-----
V2ray all-in-one script, supporting VMESS+websocket+TLS+Nginx, VLESS+TCP+XTLS, VLESS+TCP+TLS and other combinations
The script was originally written by 网络跳越, who stopped maintaining it for work reasons; it is now maintained by ifeng. The maintained script also works on IPv6-only hosts. If you run into problems, join the Telegram group (https://t.me/HiaiFeng).
The script supports:
Installation:
bash <(curl -sL https://raw.githubusercontent.com/hiifeng/v2ray/main/install_v2ray.sh)
If the install menu does not appear, run yum install -y curl on CentOS or sudo apt install -y curl on Ubuntu/Debian, then run the command above again. As with every one-click script on this page, you are executing code fetched from the network as root; download it first and read it before running it.