用 nginx 反代 v2ray 对抗网络封锁(ws+nginx+tls)

给 v2ray 套 cdn 不是速度快的选择,但会是比较安全的选择——这里的"安全"指抗封锁、隐藏服务器 ip,而不是保密性:开启 CDN 后 TLS 在 Cloudflare 边缘终止,Cloudflare 能看到 WebSocket 流本身(其中的 vmess 载荷仍是加密的)。适合不追求速度、单台服务器和 ip 被墙的同学。未被墙的情况下,可以当作两个节点用,配合 v2ray 的特性可以当作多种翻墙方式使用。虽说宝塔、lnmp.org 等提供了方便的安装程序,但只用来反代不想安装太多东西,于是只好自己安装 nginx ,也顺便学习一下如何编译安装 nginx 。

  • 环境: debian 8 、debian 9
  • 域名一枚,本文以 abc.com 为例,且将域名服务器更改为 cloudflare ,并将域名解析至服务器 ip ,把 crypto 项里的 SSL 设置为 Full (strict) (不要选 Flexible:那样 Cloudflare 到源站是明文 HTTP,而本文的反代只在 443 上提供服务;Full (strict) 要求源站持有受信任 CA 签发的证书,下文的 acme.sh 步骤会签发)。如不想套 CDN 则不要点开 cloudflare 的小云朵。

更新源
# Refresh the package index (-y has no effect on "update"; it only matters for install/upgrade).
apt-get update

安装 v2ray

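# The official installer runs as root. Save it and read it before executing it,
# rather than piping a remote script straight into bash (a compromised or
# substituted script would run with full privileges).
curl -fsSL -o go.sh https://install.direct/go.sh
less go.sh          # review what it is about to do
bash go.sh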

配置文件路径:/etc/v2ray/config.json

相关命令
启动、停止、状态、重载配置、重启、强制重载配置:service v2ray start|stop|status|reload|restart|force-reload

配置参考

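{
    "log": {
        "access": "",
        "error": "",
        "loglevel": "warning"
    },
    "inbound": {
        "listen": "127.0.0.1", // bind to loopback: only the local nginx should reach this plaintext WebSocket inbound; without it the port is reachable from the internet, bypassing TLS and the CDN entirely
        "port": 10086, // must match proxy_pass in nginx.conf; must not be 22, 80 or 443 (nginx owns 80/443)
        "protocol": "vmess",
        "settings": {
            "udp": true,
            "clients": [{
                "id": "f0c8aa8c-d936-4bce-a81a-fa75541c58d2", // replace with your own UUID (e.g. `uuidgen`); this is the client credential, do not reuse the example
                "level": 1,
                "alterId": 64
            }]
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": {
                "path": "/opt/nginx/html" // a URL path, not a directory; must match the nginx location; pick a long random string, it is part of what keeps the endpoint unguessable
            }
        }
    },
    "outbound": {
        "protocol": "freedom",
        "settings": {}
    },
    "outboundDetour": [{
        "protocol": "blackhole",
        "settings": {},
        "tag": "blocked"
    }],
    "routing": {
        "strategy": "rules",
        "settings": {
            "rules": [{
                "type": "field",
                "ip": [ // loopback, private and reserved ranges are sent to the blackhole so a client cannot use the proxy to reach the server's own LAN or local services
                    "0.0.0.0/8",
                    "10.0.0.0/8",
                    "100.64.0.0/10",
                    "127.0.0.0/8",
                    "169.254.0.0/16",
                    "172.16.0.0/12",
                    "192.0.0.0/24",
                    "192.0.2.0/24",
                    "192.168.0.0/16",
                    "198.18.0.0/15",
                    "198.51.100.0/24",
                    "203.0.113.0/24",
                    "::1/128",
                    "fc00::/7",
                    "fe80::/10"
                ],
                "outboundTag": "blocked"
            }]
        }
    }
}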

编译安装 nginx

这一部分也可以直接 # apt-get install nginx openssl -y ,然后照着下面申请 ssl 证书、修改配置就可以了。注意发行版打包的 nginx 配置文件在 /etc/nginx/nginx.conf、运行用户为 www-data、二进制在 /usr/sbin/nginx,并且自带 systemd 单元;下文中的 /opt/nginx 路径、www 用户要相应调整,"命令项设置"与自建 systemd 单元两步则可跳过。

安装依赖环境

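# Build dependencies for nginx with a bundled OpenSSL. The original looped over
# dozens of unrelated -dev packages (image, database and PHP libraries), one
# apt-get call each. nginx itself only needs a C toolchain, PCRE (required by the
# rewrite module and the "location ~" regex blocks used below), zlib (gzip), perl
# (OpenSSL's build system), and git/wget/ca-certificates/gnupg to fetch and
# verify the sources over TLS. Fewer packages means less to patch later.
apt-get autoremove -y
apt-get -fy install
apt-get --no-install-recommends install -y \
  build-essential perl libpcre3-dev zlib1g-dev \
  git wget curl ca-certificates gnupg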

新建临时文件目录
# Scratch directory for the source trees; everything below is relative to it.
mkdir nginx && cd ./nginx

下载 OpenSSL
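# Pin a release tag instead of the moving head of the 1_1_0-stable branch, so the
# build is reproducible and you know exactly which OpenSSL is linked into nginx.
# List the tags (git ls-remote --tags https://github.com/openssl/openssl.git
# 'OpenSSL_1_1_0*') and pick the newest 1.1.0 patch release. Note that 1.1.0
# cannot negotiate TLS 1.3; build against the 1.1.1 series if you want it
# (nginx 1.13+ supports TLS 1.3 with OpenSSL 1.1.1).
git clone --depth 1 --branch OpenSSL_1_1_0h https://github.com/openssl/openssl.git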

下载 nginx 源码
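# Fetch the tarball over verified TLS. Never pass --no-check-certificate for
# source you are about to compile and run as root; ca-certificates is installed,
# so verification works. Then check the release signature: import the nginx
# release-signing key from https://nginx.org/en/pgp_keys.html first, and only
# unpack when gpg reports a good signature (the && chain stops otherwise).
wget https://nginx.org/download/nginx-1.14.0.tar.gz
wget https://nginx.org/download/nginx-1.14.0.tar.gz.asc
gpg --verify nginx-1.14.0.tar.gz.asc nginx-1.14.0.tar.gz \
  && tar zxf nginx-1.14.0.tar.gz && cd nginx-1.14.0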

新建用户
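# Unprivileged account for the nginx workers (the master still starts as root to
# bind 80/443 and read the certificate, then drops to www). On Debian the
# no-login shell is /usr/sbin/nologin — /sbin/nologin does not exist there.
# -r creates a system account, -M skips creating a home directory. The guards
# make the step safe to re-run.
getent group www >/dev/null || groupadd -r www
id www >/dev/null 2>&1 || useradd -r -M -s /usr/sbin/nologin -g www www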

编译安装
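# --with-openssl points at the checkout above: nginx builds that OpenSSL and
# links it statically, so the system openssl package does NOT patch this binary —
# rebuild when OpenSSL ships a security fix. The cc/ld options are the usual
# toolchain hardening flags (stack protector, fortified libc calls, full RELRO).
# --with-stream* and --with-http_sub_module are not used by the configuration
# below; drop them if you want a smaller binary.
./configure --user=www --group=www --prefix=/opt/nginx \
  --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module \
  --with-http_gzip_static_module --with-http_sub_module \
  --with-stream --with-stream_ssl_module \
  --with-openssl=../openssl \
  --with-cc-opt='-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now'
make -j"$(nproc)" && make install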

命令项设置
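# Put the nginx binaries on PATH for login shells. The single quotes matter: the
# original `echo PATH=$PATH:...` expanded $PATH at write time and froze this
# machine's current PATH into /etc/profile. A drop-in under /etc/profile.d
# (sourced by Debian's /etc/profile) is also safe to re-run, unlike appending
# to /etc/profile with >>.
echo 'PATH="$PATH:/opt/nginx/sbin"' > /etc/profile.d/nginx.sh
. /etc/profile.d/nginx.sh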

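# Local units belong in /etc/systemd/system (/lib/systemd/system is for packaged
# units). Writing with > instead of >> makes the step safe to re-run — the
# original appended a second copy of the unit on every run. ExecStartPre runs
# the config test so a broken nginx.conf fails the (re)start instead of leaving
# a half-started service; PIDFile is nginx's default pid path under
# --prefix=/opt/nginx.
cat > /etc/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
PIDFile=/opt/nginx/logs/nginx.pid
ExecStartPre=/opt/nginx/sbin/nginx -t
ExecStart=/opt/nginx/sbin/nginx
ExecReload=/opt/nginx/sbin/nginx -s reload
ExecStop=/opt/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload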

开机启动、启动、停止、重载命令:# systemctl enable|start|stop|reload nginx

ssl申请
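mkdir -p /opt/nginx/conf/ssl/
# 2048-bit DH parameters; only used by DHE cipher suites, takes a while to generate.
openssl dhparam -out /opt/nginx/conf/ssl/dhparam.pem 2048
# Same rule as for go.sh: download the installer, read it, then run it. acme.sh
# also installs a cron job that renews certificates automatically.
curl -fsSL -o acme-install.sh https://get.acme.sh
sh acme-install.sh && cd ~/.acme.sh
# Cloudflare Global API Key (under https://www.cloudflare.com/a/account) and the
# account e-mail. The original wrote these as `export X=... //comment`, which
# hands `//comment` to export as a (rejected) variable name. The Global key
# grants full control of the Cloudflare account and acme.sh saves it in
# ~/.acme.sh/account.conf for renewals — keep that file readable by root only.
# Newer acme.sh releases accept a scoped API token (CF_Token); prefer that.
export CF_Key="api key"
export CF_Email="cf账号邮箱"
# One certificate for the apex and a wildcard, validated via Cloudflare DNS.
# Replace abc.com. The wildcard is quoted so the shell cannot glob-expand it.
./acme.sh --issue -d abc.com -d '*.abc.com' --dns dns_cf
# Do not point nginx at the files under ~/.acme.sh (acme.sh treats that tree as
# internal): install copies next to the nginx config and reload nginx on every
# renewal, otherwise nginx keeps serving the old certificate from memory after a
# renewal. Then set ssl_certificate / ssl_certificate_key in nginx.conf to these
# two paths. The copy happens before the reload command runs; if nginx is not
# configured and running yet the reload reports an error — re-run once it is.
./acme.sh --install-cert -d abc.com \
  --key-file /opt/nginx/conf/ssl/abc.com.key \
  --fullchain-file /opt/nginx/conf/ssl/fullchain.cer \
  --reloadcmd "systemctl reload nginx"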

证书路径
~/.acme.sh/abc.com/abc.com.key
~/.acme.sh/abc.com/fullchain.cer

配置 nginx 参考

配置文件路径:/opt/nginx/conf/nginx.conf

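worker_processes auto;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    sendfile   on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied   expired no-cache no-store private auth;
    gzip_disable   "MSIE [1-6]\.";
    # Hide the nginx version from error pages and the Server header.
    server_tokens off;
    # Deliberately no access log for this proxy endpoint; error_log keeps its
    # default (logs/error.log under the prefix) for troubleshooting.
    access_log off;

    # Plain HTTP: redirect to HTTPS. The original put "listen 80" in the same
    # server as "ssl on;", which enables TLS on every listen socket of that
    # server, so port 80 answered plain requests with
    # "400 The plain HTTP request was sent to HTTPS port".
    server {
        listen 80 default_server;
        server_name abc.com;                    # replace with your domain
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;                   # "ssl" here replaces the obsolete "ssl on;"
        server_name abc.com;                    # replace with your domain
        index index.html index.htm index.php;
        root  /opt/nginx/html;                  # the decoy site shown to ordinary visitors

        # Certificate files as written by acme.sh --issue. If you installed copies
        # elsewhere with "acme.sh --install-cert", point these at the copies.
        ssl_certificate /root/.acme.sh/abc.com/fullchain.cer;       # replace with your domain
        ssl_certificate_key /root/.acme.sh/abc.com/abc.com.key;     # replace with your domain
        ssl_session_timeout 5m;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # TLS 1.0/1.1 are deprecated and nothing here needs them (Cloudflare and
        # v2ray clients speak 1.2). Add TLSv1.3 only when nginx is built against
        # OpenSSL >= 1.1.1; the 1.1.0 series used above cannot do it.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        # Forward-secret suites only; the 3DES and static-RSA entries from the
        # original list are dropped.
        ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256:EECDH+AES128:!aNULL:!MD5";
        ssl_dhparam /opt/nginx/conf/ssl/dhparam.pem;  # only consulted for DHE suites; harmless to keep

#------------ reverse proxy to v2ray ------------
        # The location is the WebSocket endpoint: a URL path, not a directory. It
        # must match wsSettings.path in /etc/v2ray/config.json, and it is the only
        # thing separating the proxy from the decoy site, so treat it as a secret.
        location /opt/nginx/html {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10086;           # must match inbound.port in the v2ray config
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
        }
#------------ reverse proxy to v2ray ------------

#------------ accept connections only from Cloudflare IPs (optional) ------------
        # Only useful when the orange cloud is on; then nobody can reach the origin
        # directly. These ranges change occasionally — refresh them from
        # https://www.cloudflare.com/ips/ and remove the block if you use the
        # server without the CDN.
        # IPv4
        allow 103.21.244.0/22;
        allow 103.22.200.0/22;
        allow 103.31.4.0/22;
        allow 104.16.0.0/12;
        allow 108.162.192.0/18;
        allow 131.0.72.0/22;
        allow 141.101.64.0/18;
        allow 162.158.0.0/15;
        allow 172.64.0.0/13;
        allow 173.245.48.0/20;
        allow 188.114.96.0/20;
        allow 190.93.240.0/20;
        allow 197.234.240.0/22;
        allow 198.41.128.0/17;
        # IPv6
        allow 2400:cb00::/32;
        allow 2405:8100::/32;
        allow 2405:b500::/32;
        allow 2606:4700::/32;
        allow 2803:f800::/32;
        allow 2c0f:f248::/32;
        allow 2a06:98c0::/29;
        deny all;
#------------ accept connections only from Cloudflare IPs (optional) ------------

        # Status page: the original exposed connection counters to anyone who could
        # reach the host. Keep it local-only.
        location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            deny all;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires      30d;
        }
        location ~ .*\.(js|css)?$ {
            expires      12h;
        }
        # Left open for ACME HTTP-01 challenges; unused with --dns dns_cf, harmless.
        location ~ /.well-known {
            allow all;
        }
        # Never serve dotfiles (.git, .htaccess, ...).
        location ~ /\. {
            deny all;
        }
    }
}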

最后,启动相关服务(如已启动就重启)
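# restart (not start) covers the "already running" case from the sentence above.
# Validate nginx.conf first: a typo would otherwise take the whole site down,
# and nginx -t reports the offending line.
service v2ray restart
/opt/nginx/sbin/nginx -t && systemctl restart nginx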

图文教程
