Quickly building an nginx + v2ray + ws + tls proxy for getting past the GFW

Preface

Come to think of it, my last article was still the 2019 annual summary. I actually wrote quite a lot in the past few months, but it all went into Typecho and never became blog posts. Why? Because the material was too scattered; it didn't feel suitable for articles, at most for jotting down notes.

I'm suddenly writing this because I recently rented a machine at ruvds to act as a proxy for the BitTorrent downloads on my NAS at home. China Mobile doesn't provide a public IP, so BT downloads are very slow with almost no upload, and I don't want to be a leecher forever.

ruvds: 60 rubles a month, about 6 yuan, payable with a Mastercard debit card; very good value.

Why WebSocket + TLS

Because with both the VMess and the SS protocol, heavy traffic leads to dropped connections and blocked ports, so another route was needed. The disguised traffic of Trojan and of v2ray + ws solves that problem, and that is where this article comes from.

Preparation

  • A machine outside the wall
  • OS choice: Ubuntu / Debian / CentOS
  • A domain name

Quick build

Getting started

All commands below are run as the root user (su root or sudo -i) on a Debian 9 system; CentOS needs some changes.

  • nginx: serves the website
  • v2ray: provides the socket proxy service
  • Certbot: configures certificates automatically and enables TLS

Installing the required programs

Install nginx: apt update && apt install -y nginx
Install v2ray: wget https://install.direct/go.sh && bash go.sh

Install Certbot:
The method differs by OS; see https://certbot.eff.org/

Configuring Nginx

First point the domain at the VPS, then cd to /etc/nginx/conf.d, add a file v2ray.conf with the following contents, and replace example.com with the domain you pointed at the VPS.

server {
    server_name example.com;
    root /var/www/ray;
    location /ray { # must match the path in the V2Ray configuration
        if ($http_upgrade != "websocket") { # return 404 when the WebSocket negotiation fails
            return 404;
        }
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10086; # assumes the WebSocket listener is on loopback port 10086 (matches the v2ray config)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Show real IP in v2ray access.log
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

After filling it in, run nginx -t to check the syntax, then systemctl restart nginx to restart the service. Create the directory /var/www/ray and put an index.html file in it; the content does not matter.

Configuring Certbot

Run certbot and select your domain

root@ip-172-26-6-133:/etc/nginx/conf.d# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ray.yukino.ch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ray.yukino.ch
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/v2ray.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/v2ray.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ray.yukino.ch

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ray.yukino.ch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ray.yukino.ch/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ray.yukino.ch/privkey.pem
   Your cert will expire on 2020-09-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point, opening your domain in a browser should show the index.html file. If it doesn't, check whether ports 80 / 443 are open (telnet example.com 80).

Configuring V2Ray

Edit the /etc/v2ray/config.json file and change id to the UUID you generated

{
    "inbounds": [
        {
            "port": 10086,
            "listen": "127.0.0.1",
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                        "alterId": 64
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {
                    "path": "/ray"
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {}
        }
    ]
}

Then restart v2ray with systemctl restart v2ray; everything is now configured.

Client connection

When connecting from the client, set path to ray, enable transport-layer security (tls), use your domain as the address, and your uuid as the user id.
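The nginx location above and the v2ray inbound have to agree on three things (loopback address and port, WebSocket path, and the forwarded Upgrade header), and the id must be a real UUID rather than the placeholder. As an added example, not code from the article nor from the nginx or v2ray projects, the following Python script builds the inbound/outbound JSON with a freshly generated UUID and then checks both configurations against each other. NGINX_CONF is a constructed copy of the snippet from the nginx section, and the function names are my own.

```python
import json
import re
import uuid

# Constructed copy of the nginx snippet from the article, with the $ variables intact.
NGINX_CONF = """
server {
    server_name example.com;
    root /var/www/ray;
    location /ray {
        if ($http_upgrade != "websocket") {
            return 404;
        }
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10086;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
"""


def build_v2ray_config(client_id=None, port=10086, path="/ray", listen="127.0.0.1"):
    """Return the inbound/outbound structure shown in the article (hypothetical helper).
    A fresh random UUID is generated when no client_id is supplied."""
    if client_id is None:
        client_id = str(uuid.uuid4())
    return {
        "inbounds": [{
            "port": port,
            "listen": listen,
            "protocol": "vmess",
            "settings": {"clients": [{"id": client_id, "alterId": 64}]},
            "streamSettings": {"network": "ws", "wsSettings": {"path": path}},
        }],
        "outbounds": [{"protocol": "freedom", "settings": {}}],
    }


def parse_nginx_ws_location(conf_text):
    """Extract the location path, proxy_pass target and header forwarding from the snippet."""
    loc = re.search(r"location\s+(\S+)\s*\{", conf_text)
    pp = re.search(r"proxy_pass\s+http://([\d.]+):(\d+)\s*;", conf_text)
    if not loc or not pp:
        raise ValueError("nginx snippet lacks a location block or proxy_pass directive")
    upgrade_ok = re.search(r"proxy_set_header\s+Upgrade\s+\$http_upgrade\s*;", conf_text) is not None
    host_ok = re.search(r"proxy_set_header\s+Host\s+\$host\s*;", conf_text) is not None
    return {"path": loc.group(1), "host": pp.group(1), "port": int(pp.group(2)),
            "upgrade_header_ok": upgrade_ok, "host_header_ok": host_ok}


def check_consistency(conf_text, v2ray_config):
    """Return a list of problems; an empty list means nginx and v2ray agree."""
    problems = []
    ng = parse_nginx_ws_location(conf_text)
    inbound = v2ray_config["inbounds"][0]
    # The vmess port must only be reachable through nginx, i.e. bound to loopback.
    if inbound.get("listen") != "127.0.0.1":
        problems.append("v2ray inbound is not bound to loopback; the vmess port would be reachable without TLS")
    if ng["host"] != "127.0.0.1":
        problems.append(f"nginx proxies to {ng['host']} instead of loopback")
    if inbound["port"] != ng["port"]:
        problems.append(f"port mismatch: nginx proxies to {ng['port']}, v2ray listens on {inbound['port']}")
    ws_path = inbound["streamSettings"]["wsSettings"]["path"]
    if ws_path != ng["path"]:
        problems.append(f"path mismatch: nginx location {ng['path']}, v2ray ws path {ws_path}")
    if not ng["upgrade_header_ok"]:
        problems.append("nginx does not forward the Upgrade header (the $ in $http_upgrade is probably missing)")
    if not ng["host_header_ok"]:
        problems.append("nginx does not forward the Host header ($host)")
    for client in inbound["settings"]["clients"]:
        try:
            uuid.UUID(client["id"])
        except ValueError:
            problems.append(f"client id {client['id']!r} is not a valid UUID (placeholder left in?)")
    return problems


if __name__ == "__main__":
    cfg = build_v2ray_config()
    print(json.dumps(cfg, indent=4))
    print("problems:", check_consistency(NGINX_CONF, cfg))
```

Run it once with the generated JSON pasted into /etc/v2ray/config.json, or load the live file with json.load and pass it to check_consistency before restarting v2ray; the loopback check is the one that matters most, since an inbound bound to 0.0.0.0 exposes the plain vmess port next to the TLS front.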

Published by

Yukino

Wherever the heart is set, there plain feet will go.
