Preface
Come to think of it, the last post here was still the 2019 annual summary. I actually wrote quite a lot in the past few months, but it all went into Typecho as notes rather than blog posts. Why? Because the material was too scattered; it did not feel suitable for proper articles, at most for note-taking.
The reason for writing this now is that I recently rented a machine from ruvds to act as a proxy for the BitTorrent client on my NAS at home. China Mobile does not provide a public IP, so BT downloads are very slow and there is almost no upload, and I do not want to stay a leecher forever.
ruvds: 60 rubles a month, roughly 6 CNY, payable with a Mastercard debit card. Very good value.
Why WebSocket + TLS
Whether it is the VMess or the SS (Shadowsocks) protocol, once traffic gets heavy the result is dropped connections and blocked ports, so I had to look for another route. Trojan, or v2ray over WebSocket, disguises the traffic and solves the problems above; that is where this post comes from.
Preparation
- A machine outside the wall
- OS choice: Ubuntu / Debian / CentOS
- A domain name
Quick build
Getting started
All commands below are run as the root user (su root or sudo -i) on a Debian 9 system; CentOS needs some adjustments.
- nginx: serves the website
- v2ray: provides the SOCKS proxy service
- Certbot: obtains and installs the certificate automatically, enabling TLS
Install the required programs
Install nginx:
    apt update && apt install -y nginx
Install v2ray:
    wget https://install.direct/go.sh && bash go.sh
Install Certbot: the method differs by OS, see https://certbot.eff.org/
Configure Nginx
First point your domain at the VPS, then cd to /etc/nginx/conf.d and add a file v2ray.conf with the content below, replacing example.com with the domain you pointed at the VPS.
server {
    server_name example.com;
    root /var/www/ray;

    location /ray { # must match the path in the V2Ray config
        if ($http_upgrade != "websocket") { # return 404 when the WebSocket upgrade is missing
            return 404;
        }
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10086; # assumes the v2ray WebSocket inbound listens on loopback port 10086
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Show the real client IP in v2ray access.log
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Once that is in place, run nginx -t to check the syntax, then systemctl restart nginx to restart the service. Create the /var/www/ray directory and put an index.html in it; the content does not matter.
Configure Certbot
Run certbot and select your domain:
root@ip-172-26-6-133:/etc/nginx/conf.d# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ray.yukino.ch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ray.yukino.ch
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/v2ray.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/v2ray.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ray.yukino.ch

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ray.yukino.ch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ray.yukino.ch/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ray.yukino.ch/privkey.pem
   Your cert will expire on 2020-09-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
At this point, opening your domain in a browser should show the index.html file. If it does not, check whether ports 80 / 443 are open (telnet example.com 80).
Configure V2Ray
Edit /etc/v2ray/config.json, changing id to a UUID you generated yourself:
{
    "inbounds": [
        {
            "port": 10086,
            "listen": "127.0.0.1",
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                        "alterId": 64
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {
                    "path": "/ray"
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {}
        }
    ]
}
Then systemctl restart v2ray to restart v2ray. Everything is now configured.
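The setup above only works when the nginx location and the v2ray inbound agree on three things: the WebSocket path, the loopback port nginx proxies to, and that v2ray stays bound to 127.0.0.1 (nginx terminates TLS, so the vmess inbound itself is plaintext and must not be reachable from outside). The checker below, an added example rather than the post's own code, parses both files and reports any mismatch, including the placeholder id left in the template. The two sample configs are constructed inline to mirror the post; the file paths on a real server are the ones given above.

```python
import json
import re
import uuid

# Constructed sample inputs mirroring the post's two configs (not read from disk).
NGINX_CONF = """
server {
    server_name example.com;
    location /ray {
        proxy_pass http://127.0.0.1:10086;
        proxy_set_header Upgrade $http_upgrade;
    }
}
"""
V2RAY_CONF = json.dumps({"inbounds": [{
    "port": 10086, "listen": "127.0.0.1", "protocol": "vmess",
    "settings": {"clients": [{"id": "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "alterId": 64}]},
    "streamSettings": {"network": "ws", "wsSettings": {"path": "/ray"}}}]})


def parse_nginx(text):
    """Return (location path, upstream host, upstream port) from the nginx conf."""
    loc = re.search(r"location\s+(\S+)\s*\{", text)
    up = re.search(r"proxy_pass\s+http://([\d.]+):(\d+)\s*;", text)
    if not loc or not up:
        raise ValueError("location block or proxy_pass not found")
    return loc.group(1), up.group(1), int(up.group(2))


def check(nginx_text, v2ray_text):
    """Return a list of problems; an empty list means the two configs agree."""
    problems = []
    path, host, port = parse_nginx(nginx_text)
    inbound = json.loads(v2ray_text)["inbounds"][0]
    # v2ray listens on all interfaces when "listen" is absent; the vmess
    # inbound has no TLS of its own here, so it must stay on loopback.
    if inbound.get("listen", "0.0.0.0") != "127.0.0.1":
        problems.append("v2ray inbound is not bound to 127.0.0.1")
    if host != "127.0.0.1" or inbound["port"] != port:
        problems.append(f"nginx proxies to {host}:{port} but v2ray listens on {inbound['port']}")
    ws_path = inbound["streamSettings"]["wsSettings"]["path"]
    if ws_path != path:
        problems.append(f"path mismatch: nginx {path} vs v2ray {ws_path}")
    for client in inbound["settings"]["clients"]:
        try:
            uuid.UUID(client["id"])  # rejects the xxxx placeholder left in the template
        except ValueError:
            problems.append(f"client id {client['id']!r} is not a valid UUID")
    return problems


if __name__ == "__main__":
    for line in check(NGINX_CONF, V2RAY_CONF) or ["configs are consistent"]:
        print(line)
```

Run it against the real files by reading /etc/nginx/conf.d/v2ray.conf and /etc/v2ray/config.json into the two arguments of check().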
Client connection
When connecting from the client, set path to ray, enable transport layer security (tls), use your domain as the address, and your uuid as the user id.