配置websocket+tls+web+cdn科学上网

提前说好,这一套主要是抗封锁强,速度和延迟都不是太好,尤其是用了cdn之后,现在我这个只能满足我搜索网页和看高清视频的需求,需求很高的时候我还是蹲宿舍连网线用同一个vps上ipv6的shadowsocks(话说现在看上去我校的网络对ipv6没有任何管制)。当然有钱买得起国外付费cdn的话体验可能会不错。

另外,没有折腾欲望的可以直接用大佬的一键脚本,输下面这一行按提示做,ssl证书,nginx配置,服务端/客户端v2ray的配置文件,直接全搞定。(当然域名还是要自己买,dns和cdn还是要自己操作。

bash <(curl -L -s https://raw.githubusercontent.com/wulabing/V2Ray_ws-tls_bash_onekey/master/install.sh) | tee v2ray_ins.log
wget --no-check-certificate https://github.com/teddysun/across/raw/master/bbr.sh && chmod +x bbr.sh && ./bbr.sh

必要的准备

  • 一台外网ip的vps,目测do的已经被我校封杀殆尽,我现在用的vultr
  • 一个域名,可以去godaddy之类的网站买,几块钱一年的比如sunxiaochuan.me之类的随便弄一个(反正又不是真的网站不求体面
  • 注册个cloudfare,cdn用

VPS安装v2ray和nginx

我用的Ubuntu18.04,nginx直接apt安装就行,很简单。

apt-get install nginx


安装好的文件位置:

  • /usr/sbin/nginx:主程序

  • /etc/nginx:存放配置文件

  • /usr/share/nginx:存放静态文件

  • /var/log/nginx:存放日志

使用
sudo service nginx {start|stop|restart|reload|force-reload|status|configtest|rotate|upgrade}

如果想深入学习nginx的话可以看我的youtube channel里的nginx核心教程 有一次偷了一些视频放在上面emmmm

v2ray参考官网

wget https://install.direct/go.sh 
bash go.sh

添加域名解析

给自己的域名添加一条A记录,把@的解析IP改成空间ip就行了,跟建网站一样。
以godaddy为例子的话如下图

主页点所有域名

我的域名里点管理dns

修改A记录

之后记得ping一下域名查看是否解析成功,一般需要等一会儿dns才会更新。

配置ssl证书

当然是用免费的let’s encrypt

用官方推荐的certbot这个工具,有的旧package的话可能叫certbot-auto,安装按照官网的做法

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-nginx 

然后是获取证书,网上很多教程讲的都比较过时,用的standalone模式装的,略复杂,我上次给这个博客站的centOS6.9装就费了很多时间,因为linux平台毕竟这些软件无力维护很多个版本。。。

然后当时发现的一个东西是let’s encrypt官网说的,装的新一点的系统比如ubuntu1804这种就直接一句certbot –nginx就配置好了,,,也不用自己去改nginx的conf,真的方便(所以以后我办正事只看官方文档,各种博客时效性真的太差照着做下来一堆error)使用这种方法的话,certbot会自动调用nginx的插件修改配置文件,如果不想自动修改的话可以加参数certonly

sudo certbot --nginx -d example.com -d www.example.com

按照提示一步一步输入邮箱之类的就可以了,其间会问要不要把所有的http请求都重定向到https,选1是http和https都可以,选2 http会被重定向到https。

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for scall2.szhuizhong.cn
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/nginx.conf for scall2.szhuizhong.cn

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------

如果成功的话应该会看到

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

在/etc/nginx/conf.d/ 下可以找到配置文件,我这里选的全部重定向到https,被certbot修改过的配置文件如下,可以看到两个server,一个监听80端口,一个监听443,而80端口的http请求被301重定向到https。被certbot修改的地方全都打上了注释标记。

server {
    root /home/example/trunk;
    server_name example.com;
    index  index.html index.htm index.php;

        location ~ \.php(.*)$  {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_split_path_info  ^((?U).+\.php)(/?.+)$;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $fastcgi_path_info;
            fastcgi_param  PATH_TRANSLATED  $document_root$fastcgi_path_info;
            include        fastcgi_params;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    server_name example.com www.example.com;
    listen 80;
    return 301 https://$host$request_uri; # managed by Certbot
}

当然如果是比较老的package的话还是用stanalone模式来搞稳一点,之后手动把添加到nginx的配置文件里。

./letsencrypt-auto certonly --standalone --email example@email.com -d example.com -d www.example.com

记着把域名和邮箱都换成自己的!改完配置文件需要重启nginx或者nginx -s reload

如果报错的话一般是端口没开启或者被占用,大部分error直接google即可解决

配置v2ray服务端以及nginx反向代理

这儿就直接搬官网的写法了

服务器配置

这次 TLS 的配置将写入 Nginx配置中,由nginx来监听 443 端口(443 比较常用,并非 443 不可),然后将流量转发到 V2Ray 的 WebSocket 所监听的内网端口(本例是 10000),V2Ray 服务器端不需要配置 TLS。

{
  "inbounds": [
    {
      "port": 10000,
      "listen":"127.0.0.1",//只监听 127.0.0.1,避免除本机外的机器探测到开放了 10000 端口
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
            "alterId": 64
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
        "path": "/ray"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

Nginx 配置

利用proxy_pass监听unix socket的功能来实现,细节可以看https://www.youtube.com/watch?v=e-B2UxIwJQE 注意这里的配置文件内容和上面的区别。

server {
  listen  443 ssl;
  ssl on;
  ssl_certificate       /etc/v2ray/v2ray.crt;
  ssl_certificate_key   /etc/v2ray/v2ray.key;
  ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers           HIGH:!aNULL:!MD5;
  server_name           mydomain.me;
        location /ray { # 与 V2Ray 配置中的 path 保持一致
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10000;#假设WebSocket监听在环回地址的10000端口上
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        # Show realip in v2ray access.log
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

客户端配置

重点是path的设置和上面的location保持一致,很容易忘,其他的就基本的v2ray配置,uuid,域名,端口等与服务端一致即可。

{
  "inbounds": [
    {
      "port": 1080,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "mydomain.me",
            "port": 443,
            "users": [
              {
                "id": "b831381d-6324-4d53-ad4f-8cda48b811",
                "alterId": 64
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "wsSettings": {
          "path": "/ray"
        }
      }
    }
  ]
}

cdn

我这里用的cloudflare的免费cdn,注册账号后首先添加网站,填自己的主域名,不带www的

选套餐选0元套餐,下一步系统会扫描之前的dns解析记录,无所谓其实,直接下一步

会提示网站域名更换为cloudflare的dns服务器

更换的话需要回到godaddy设置dns的界面,把dns改成cloudflare提供的就行

需要等待一段时间,我当时大概等了不到一个小时,会收到一封邮件提示接管成功
之后再cloudflare面板里选ssl模式,由于服务器已经配置了ssl证书所以选full就ok,其他默认就行了

这时候ping一下域名已经显示的是cdn的ip地址了,成功隐藏了自己的真实ip

到这里基本上就配置完成了,可以放心的XX上网了O(∩_∩)O

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据