#域名购买
namesilo:https://name.bulianglin.com
#域名托管
cloudflare:https://www.cloudflare.com/zh-cn/
#VPS购买
vultr:https://www.vultr.com/
#SSH工具
FinalShell:https://www.hostbuf.com/t/988.html
#相关资料
x-ui项目地址:https://github.com/vaxilu/x-ui
nginx下载地址:http://nginx.org/en/download.html
go项目地址:https://github.com/astaxie/build-web-application-with-golang/blob/master/zh/01.1.md
NaïveProxy项目地址:https://github.com/klzgrad/naiveproxy/wiki/%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87
trojan-go项目地址:https://github.com/p4gefau1t/trojan-go
NaïveProxy电脑版客户端下载地址:https://github.com/klzgrad/naiveproxy/releases/tag/v107.0.5304.87-3
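# Firewall. The original line disabled ufw outright, and because the comment
# and the command shared one line none of these four lines ran at all when
# pasted. Only the services this guide exposes need to be reachable: SSH and
# ports 80/443. Adjust the SSH rule first if sshd listens elsewhere.
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable

# BBR congestion control. A sysctl drop-in instead of appending to
# /etc/sysctl.conf, so re-running the step does not duplicate the lines.
printf '%s\n' 'net.core.default_qdisc=fq' 'net.ipv4.tcp_congestion_control=bbr' \
  > /etc/sysctl.d/99-bbr.conf
sysctl --system
sysctl net.ipv4.tcp_congestion_control   # expected: bbr

# Package updates.
apt update
apt upgrade -y
apt full-upgrade -y

# Tools used later: wget (downloads), unzip (trojan-go archive), socat
# (acme.sh --standalone listener).
apt install -y wget unzip socat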
一、搭建vmess、vless节点
1、安装及配置x-ui
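# Download the installer to a file and read it before running it as root.
# The original piped the script straight into bash; the URL tracks the
# unpinned "master" branch, so what executes can differ from what was
# reviewed on GitHub at any other time.
curl -fsSLo x-ui-install.sh https://raw.githubusercontent.com/vaxilu/x-ui/master/install.sh
less x-ui-install.sh
bash x-ui-install.sh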
2、安装acme
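# Same pattern as the x-ui installer: fetch, inspect, then run, instead of
# piping an unreviewed remote script into a root shell.
curl -fsSLo get-acme.sh https://get.acme.sh
less get-acme.sh
sh get-acme.sh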
3、添加软链接
# acme.sh installs itself under the invoking user's home (/root here);
# the symlink makes it callable as plain "acme.sh" from any shell.
ln -s /root/.acme.sh/acme.sh /usr/local/bin/
4、切换CA机构
# Make Let's Encrypt the CA for every later --issue call.
acme.sh --server letsencrypt --set-default-ca
5、申请证书
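# --standalone and --webroot select different validation modes; the original
# passed both. Nginx is not installed yet at this step, so acme.sh's own
# listener on port 80 (standalone, needs socat) is the one that works, and the
# webroot directory is never created by this guide, so it is dropped.
# Once nginx holds port 80, renewals need it freed: re-issue with
#   --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
# and acme.sh will keep those hooks for the renewal cron job.
acme.sh --issue -d xui.mydomain.com --standalone -k ec-256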
6、安装证书
# Copy the ECC certificate and key to the paths nginx.conf (step 8) expects.
# acme.sh remembers these paths and rewrites the files on renewal; nginx only
# picks up a renewed cert after a reload, so once the unit from step 7 exists
# consider re-running this with --reloadcmd "systemctl reload nginx".
acme.sh --install-cert --ecc -d xui.mydomain.com \
  --key-file       /etc/x-ui/private.key \
  --fullchain-file /etc/x-ui/cert.crt
7、编译安装及配置nginx
由于后面要用到Nginx的SNI的4层转发,该功能由stream模块提供,但是 Nginx 默认不启用该模块,所以选择编译安装。
①安装编译工具及相关依赖库
# Toolchain plus the headers nginx's configure script looks for:
# PCRE (rewrite/location regexes), zlib (gzip), OpenSSL (ssl/stream_ssl_preread).
apt install gcc make libpcre3 libpcre3-dev zlib1g-dev libssl-dev
②下载nginx源代码
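# Fetch the source over HTTPS (the original used plain HTTP and additionally
# switched certificate checks off) and verify the release signature before
# building it. The .asc is made with the releasing nginx developer's PGP key;
# import that key from https://nginx.org/en/pgp_keys.html and only continue
# if gpg reports a good signature. 1.22.1 is the version this guide was
# written against; check the download page for the current stable release.
wget https://nginx.org/download/nginx-1.22.1.tar.gz
wget https://nginx.org/download/nginx-1.22.1.tar.gz.asc
gpg --verify nginx-1.22.1.tar.gz.asc nginx-1.22.1.tar.gz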
③解压nginx源代码
# Unpack the verified tarball into ./nginx-1.22.1
tar -xzvf nginx-1.22.1.tar.gz
④进入nginx-1.22.1文件夹
# Work inside the source tree for configure/make.
cd ./nginx-1.22.1
⑤设置编译参数
# Static module selection. --with-stream and --with-stream_ssl_preread_module
# are the two this guide actually depends on (SNI routing in section 4);
# --with-http_sub_module backs the sub_filter used by the decoy site.
./configure \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_auth_request_module \
  --with-http_v2_module \
  --with-http_dav_module \
  --with-http_slice_module \
  --with-threads \
  --with-http_addition_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --with-stream \
  --with-stream_ssl_preread_module
⑥编译安装nginx
# Build, then install under the default prefix /usr/local/nginx
# (binary in sbin/, config in conf/, logs in logs/ - the paths the unit
# file and nginx.conf below rely on).
make && make install
⑦配置开机启动
#进入/lib/systemd/system/文件夹
# Create an empty unit file for the locally built nginx; its contents follow.
# (/etc/systemd/system is the usual place for admin-written units and is
# what the caddy and trojan-go units use later.)
cd /lib/systemd/system
touch ./nginx.service
#编辑nginx.service配置信息
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
# Refuse to start on a broken config instead of leaving 80/443 unbound.
ExecStartPre=/usr/local/nginx/sbin/nginx -t
# The master process runs as root to bind 80/443; workers drop to the account
# named by the "user" directive in nginx.conf (the compiled-in default while
# that directive stays commented out).
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
#重新加载守护进程
# Pick up the new unit file, then start nginx on every boot.
systemctl daemon-reload
systemctl enable nginx.service
⑧修改nginx配置信息
#进入/usr/local/nginx/conf/文件夹
# nginx.conf lives under the install prefix chosen by make install.
cd /usr/local/nginx/conf
#编辑nginx.conf配置文件
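# nginx.conf for section 1: TLS termination on 443, WebSocket fan-out to the
# x-ui inbounds, the x-ui panel under /xui, and a decoy site on port 80.
#user www-data;   # workers use the compiled-in default account while this stays commented out
worker_processes 1;
error_log logs/error.log;
pid logs/nginx.pid;

events {
    worker_connections 2048;
}

http {
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    # Global access logging is off for the proxy paths; the panel location
    # below re-enables it so access to the management UI is recorded.
    access_log off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    gzip on;
    client_max_body_size 10m;
    client_body_buffer_size 128k;

    server {
        listen 443 ssl;                              # port
        server_name xui.mydomain.com;                # domain
        ssl_certificate /etc/x-ui/cert.crt;          # fullchain installed by acme.sh (step 6)
        ssl_certificate_key /etc/x-ui/private.key;   # key installed by acme.sh (step 6)
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only. The original HIGH:!aNULL:!MD5 also
        # admitted CBC-mode suites; the key issued with -k ec-256 is ECDSA, so
        # only ECDHE-ECDSA suites can be negotiated anyway. TLS 1.3 suites are
        # not affected by this directive.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;

        # vmess inbound (WebSocket)
        location /ray123 {                           # inbound path
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10010;       # inbound port
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # vless inbound (WebSocket)
        location /ray1234 {                          # inbound path
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10011;       # inbound port
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # x-ui management panel: the admin surface for every inbound above.
        # Change the panel's initial credentials right after install, and
        # consider restricting this location to your own source addresses:
        #   allow 203.0.113.10;   # your address
        #   deny all;
        location /xui {                              # panel login path
            access_log logs/xui-access.log;          # keep a trail of panel access
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10000;       # panel listen port
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Everything else goes to the decoy server on port 80. Pass the
        # original Host so the decoy's sub_filter rewrites links to this
        # domain rather than to 127.0.0.1.
        location / {
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:80;
        }
    }

    # Port 80: decoy site. Requests are proxied to www.bing.com and the
    # upstream hostname in response bodies is rewritten to ours.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        location / {
            proxy_pass https://www.bing.com;         # decoy upstream
            proxy_ssl_server_name on;
            proxy_redirect off;
            sub_filter_once off;
            # $server_name is "" in a server block without a server_name
            # directive, which would strip the hostname out of rewritten
            # links; $host is the name the client actually requested.
            sub_filter "www.bing.com" $host;
            proxy_set_header Host "www.bing.com";    # decoy upstream
            proxy_set_header Referer $http_referer;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Accept-Encoding "";     # sub_filter needs an uncompressed upstream body
            proxy_set_header Accept-Language "zh-CN";
        }
    }
}
⑨启动nginx、查看nginx启动状态、停止nginx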
# Start, inspect, and stop the service (ExecStartPre runs nginx -t first,
# so a config error shows up in the status output).
systemctl start nginx.service
systemctl status nginx
systemctl stop nginx.service
二、安装及配置Naïve
1、下载go
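# The download is over HTTPS but nothing here checks integrity: compare the
# printed SHA256 with the value listed for this file on https://go.dev/dl/
# before unpacking. 1.19.4 is the version this guide was written against.
wget https://go.dev/dl/go1.19.4.linux-amd64.tar.gz
sha256sum go1.19.4.linux-amd64.tar.gz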
2、解压go
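# Unpack into /usr/local/go. Remove any previous installation first so files
# from an older version are not left mixed into the new tree.
rm -rf /usr/local/go
tar -C /usr/local -xzf go1.19.4.linux-amd64.tar.gz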
3、设置PATH
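# Put go on PATH for this shell and for future logins; the export alone is
# lost when the session ends.
export PATH=$PATH:/usr/local/go/bin
printf '%s\n' 'export PATH=$PATH:/usr/local/go/bin' > /etc/profile.d/go.sh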
4、查看go的安装版本
# Confirm the toolchain is the one just unpacked.
/usr/local/go/bin/go version
5、安装NaïveProxy+Caddy
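# Build caddy with the NaïveProxy fork of forwardproxy. Both @latest and the
# @caddy2 / @naive branch refs are moving targets, so two builds on different
# days can differ; pin them to a tag or commit hash for a reproducible binary.
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive
# The binary is written to ./caddy in the current directory; step 12 moves it
# to /usr/bin, so note where you are. setcap lets the file bind 443 when run
# by a non-root user; the systemd unit grants the same via AmbientCapabilities.
setcap cap_net_bind_service=+ep ./caddy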
6、创建/etc/caddy/文件夹
# Config directory for the Caddyfile and the certificate files.
mkdir /etc/caddy
7、进入/etc/caddy/文件夹
# Work in the config directory (note: this leaves the directory holding ./caddy).
cd /etc/caddy
8、创建Caddyfile文件
# Empty Caddyfile; contents follow.
touch /etc/caddy/Caddyfile
9、编辑Caddyfile配置信息（行内的 // 及其后的中文说明不是 Caddyfile 语法，写入文件时需去掉；Caddyfile 自身的注释以 # 开头，可以保留）
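# Caddyfile for NaïveProxy. Lines beginning with # are Caddyfile comments and
# may stay in the file.
{
    order forward_proxy before route
    admin off                     # no admin API socket ("caddy reload" therefore cannot work; restart the service instead)
    auto_https off                # certificates come from acme.sh (steps 10-11), not Caddy's ACME client
    https_port 443                # port; in section 4 nginx owns 443 and forwards naive.mydomain.com to 127.0.0.1:10241, so use 10241 there
}

:443 {                            # port; 10241 behind the section-4 nginx stream proxy
    tls /etc/caddy/cert.crt /etc/caddy/private.key {   # certificate and key installed by acme.sh
        # ECDSA-only suites, matching the ec-256 key issued by acme.sh
        ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        alpn h2 http/1.1
    }
    forward_proxy {
        # Username and password separated by a space. This pair is the only
        # thing between the internet and an open proxy on this server: use a
        # long random password (e.g. openssl rand -base64 24), never the
        # placeholder.
        basic_auth user password
        hide_ip
        hide_via
        probe_resistance
    }
    @host {
        host naive.mydomain.com   # domain
    }
    route @host {
        header {
            Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        }
        reverse_proxy https://www.bing.com {   # decoy upstream for non-proxy requests
            header_up Host {upstream_hostport}
            header_up X-Forwarded-Host {host}
        }
    }
}
10、申请证书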
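# Same fix as section 1: --standalone and --webroot are different validation
# modes, keep only standalone (the webroot directory never exists here).
# nginx from section 1 now owns port 80, so free it for acme.sh's listener
# and bring it back afterwards; acme.sh stores the hooks and reuses them
# when the renewal cron job runs.
acme.sh --issue -d naive.mydomain.com --standalone -k ec-256 \
  --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"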
11、安装证书
# Copy the ECC certificate and key to the paths the Caddyfile's tls directive
# expects. acme.sh rewrites these files on renewal; if the service runs as an
# unprivileged user, keep them readable by that account after each renewal.
acme.sh --install-cert --ecc -d naive.mydomain.com \
  --key-file       /etc/caddy/private.key \
  --fullchain-file /etc/caddy/cert.crt
12、设置caddy开机自启
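# Caddy's unit relies on AmbientCapabilities=, which needs systemd 232 or
# newer; the original line had the version number fused onto the command.
systemctl --version

# Make the binary executable and move it to /usr/bin/. Run this from the
# directory where "xcaddy build" (step 5) wrote ./caddy: the current
# directory is /etc/caddy from step 7, which holds no caddy binary.
chmod +x caddy
mv caddy /usr/bin/caddy

# Smoke-test the config in the foreground (Ctrl-C to stop). This runs as
# root; the service unit should run as the unprivileged caddy account created
# below, so make sure the certificate files are readable by that account too.
/usr/bin/caddy run --config /etc/caddy/Caddyfile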
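# Dedicated unprivileged account for the service. The original useradd had
# its line continuations collapsed onto one line, turning "\ --gid" into a
# literal argument; split across lines it parses as intended. The service
# unit must reference the account (User=caddy / Group=caddy) for this to
# have any effect.
groupadd --system caddy
useradd --system \
  --gid caddy \
  --create-home \
  --home-dir /var/lib/caddy \
  --shell /usr/sbin/nologin \
  --comment "Caddy web server" \
  caddy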
#进入/etc/systemd/system/文件夹
# Empty unit file for caddy in the admin unit directory; contents follow.
cd /etc/systemd/system
touch ./caddy.service
#编辑caddy.service文件配置信息
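[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
# Run as the dedicated account instead of root. The original unit created
# the caddy user in the previous step but never referenced it, so caddy ran
# as root and the capability grant below was redundant. Make the certificate
# files readable by that account first, e.g.
#   chown -R root:caddy /etc/caddy && chmod 750 /etc/caddy && chmod 640 /etc/caddy/private.key
# and re-check after acme.sh reinstalls the certificate.
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
# Only works when the admin API is enabled; with "admin off" in the
# Caddyfile, apply config changes with "systemctl restart caddy".
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
# Lets the unprivileged caddy user bind port 443.
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target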
#重新加载守护进程
# Pick up the new unit file, then start caddy on every boot.
systemctl daemon-reload
systemctl enable caddy.service
#启动caddy、查看caddy状态、停止caddy
# Start, inspect, and stop the service.
systemctl start caddy.service
systemctl status caddy.service
systemctl stop caddy.service
三、安装及配置Trojan-go
1、在/etc/目录下创建一个trojan-go的文件夹
# Directory for the trojan-go binary, config and certificate files.
mkdir /etc/trojan-go/
2、进入trojan-go文件夹
# Download and unpack in place so the binary ends up at /etc/trojan-go/trojan-go,
# the path the service unit uses.
cd /etc/trojan-go/
3、下载trojan-go
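# Download the release archive and compare the printed SHA256 with the
# checksum published with the release on the GitHub releases page before
# unpacking it. v0.10.6 is the version this guide was written against.
wget https://github.com/p4gefau1t/trojan-go/releases/download/v0.10.6/trojan-go-linux-amd64.zip
sha256sum trojan-go-linux-amd64.zip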
4、解压trojan-go
# Extract into the current directory (/etc/trojan-go).
unzip ./trojan-go-linux-amd64.zip
5、创建config.json文件
# Empty server config; contents follow.
touch /etc/trojan-go/config.json
6、编辑config.json配置信息（JSON 不支持注释：写入文件时必须删掉 // 及其后的中文说明，否则 trojan-go 无法解析该文件）
{
"run_type": "server",
"local_addr": "0.0.0.0", //监听地址；第四节由 nginx 在 443 做 SNI 分流时改为 "127.0.0.1"
"local_port": 443, //端口；第四节改为 10242（nginx stream 转发到 127.0.0.1:10242），否则与 nginx 争抢 443
"remote_addr": "127.0.0.1",
"remote_port": 80,
"password": [
"password" //密码：这是客户端连接的唯一凭据，务必改成长随机值（如 openssl rand -base64 24 的输出），不要保留示例值
],
"disable_http_check": false,
"udp_timeout": 60,
"ssl": {
"verify": true,
"verify_hostname": true,
"cert": "/etc/trojan-go/cert.crt", //证书位置
"key": "/etc/trojan-go/private.key", //私钥位置
"cipher": "", //留空即使用默认密码套件（原文中的单个空格不是有效的套件名）
"curves": "", //留空即使用默认曲线
"prefer_server_cipher": false,
"sni": "trojan.mydomain.com", //域名
"alpn": [
"http/1.1"
],
"session_ticket": true,
"reuse_session": true,
"plain_http_response": "", //留空；该字段非空时会被当作文件路径读取，原文中的单个空格会导致读取失败
"fallback_addr": "127.0.0.1",
"fallback_port": 80,
"fingerprint": "chrome"
},
"tcp": {
"no_delay": true,
"keep_alive": true,
"prefer_ipv4": false
},
"mux": {
"enabled": true,
"concurrency": 8,
"idle_timeout": 60
},
"router": {
"enabled": true,
"block": [
"geoip:private"
],
"geoip": "/etc/trojan-go/geoip.dat",
"geosite": "/etc/trojan-go/geosite.dat"
},
"websocket": {
"enabled": true,
"path": "/ray12345", //ws路径
"host": "trojan.mydomain.com" //域名
}
}
7、申请证书
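# Same fix as sections 1 and 2: keep only the standalone validation mode
# (the webroot directory never exists here). nginx from section 1 owns
# port 80, so free it for acme.sh's listener and bring it back afterwards;
# acme.sh stores the hooks and reuses them for automatic renewal.
acme.sh --issue -d trojan.mydomain.com --standalone -k ec-256 \
  --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"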
8、安装证书
# Copy the ECC certificate and key to the paths config.json's "ssl" block
# expects. acme.sh rewrites these files on renewal; if the service runs as an
# unprivileged user, keep them readable by that account after each renewal.
acme.sh --install-cert --ecc -d trojan.mydomain.com \
  --key-file       /etc/trojan-go/private.key \
  --fullchain-file /etc/trojan-go/cert.crt
9、设置trojan-go开机自启
#进入/etc/systemd/system/文件夹
# Empty unit file for trojan-go in the admin unit directory; contents follow.
cd /etc/systemd/system
touch ./trojan-go.service
#编辑trojan-go.service配置信息
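[Unit]
Description=Trojan-Go - An unidentifiable mechanism that helps you bypass GFW
Documentation=https://p4gefau1t.github.io/trojan-go/
After=network.target nss-lookup.target

[Service]
# Drop root. Without a User= line the capability bounding set below changes
# nothing, because the service runs as root anyway. Create the account and
# make the config directory readable by it before the first start:
#   useradd --system --no-create-home --shell /usr/sbin/nologin trojan-go
#   chown -R root:trojan-go /etc/trojan-go && chmod 750 /etc/trojan-go && chmod 640 /etc/trojan-go/private.key
# and re-check the key's permissions after acme.sh reinstalls it.
User=trojan-go
Group=trojan-go
# CAP_NET_BIND_SERVICE is what binding 443 needs; CAP_NET_ADMIN is kept from
# the original unit (drop it if the service starts fine without it).
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
ExecStart=/etc/trojan-go/trojan-go -config /etc/trojan-go/config.json
Restart=on-failure
RestartSec=10
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target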
#重新加载守护进程
# Pick up the new unit file, then start trojan-go on every boot.
systemctl daemon-reload
systemctl enable trojan-go.service
10、nginx配置信息
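# nginx.conf for section 3: trojan-go owns 443 itself and falls back to this
# port-80 decoy site (fallback_addr/fallback_port in config.json).
#user www-data;   # workers use the compiled-in default account while this stays commented out
worker_processes 1;
error_log logs/error.log;
pid logs/nginx.pid;

events {
    worker_connections 2048;
}

http {
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    access_log off;   # nothing here is worth logging; trojan-go is the front door
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    gzip on;
    client_max_body_size 10m;
    client_body_buffer_size 128k;

    # Port 80: decoy site. Requests are proxied to www.bing.com and the
    # upstream hostname in response bodies is rewritten to ours.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        location / {
            proxy_pass https://www.bing.com;         # decoy upstream
            proxy_ssl_server_name on;
            proxy_redirect off;
            sub_filter_once off;
            # $server_name is "" in a server block without a server_name
            # directive, which would strip the hostname out of rewritten
            # links; $host is the name the client actually requested.
            sub_filter "www.bing.com" $host;
            proxy_set_header Host "www.bing.com";    # decoy upstream
            proxy_set_header Referer $http_referer;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Accept-Encoding "";     # sub_filter needs an uncompressed upstream body
            proxy_set_header Accept-Language "zh-CN";
        }
    }
}
11、启动nginx、查看nginx启动状态、停止nginx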
# Start, inspect, and stop the service.
systemctl start nginx.service
systemctl status nginx
systemctl stop nginx.service
12、启动trojan-go、查看trojan-go启动状态、停止trojan-go
# Start, inspect, and stop the service (a config.json parse error or an
# unreadable key shows up in the status output).
systemctl start trojan-go.service
systemctl status trojan-go.service
systemctl stop trojan-go.service
四、同时运行vmess、vless、trojan-go、naive节点
#nginx配置信息
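# nginx.conf for section 4: a single listener on 443 routes by TLS SNI
# (without decrypting) to x-ui (terminated by nginx itself on a loopback
# port), caddy/NaïveProxy and trojan-go, plus the port-80 decoy site.
#user www-data;   # workers use the compiled-in default account while this stays commented out
worker_processes 1;
error_log logs/error.log;
pid logs/nginx.pid;

events {
    worker_connections 2048;
}

stream {
    # SNI -> upstream name. There is no "default" entry, so a ClientHello
    # whose SNI matches none of these names (including scanners hitting the
    # bare IP) has no upstream and is not served.
    map $ssl_preread_server_name $backend_name {
        xui.mydomain.com     xui;          # vmess / vless domain
        naive.mydomain.com   naiveproxy;   # naive domain
        trojan.mydomain.com  trojan-go;    # trojan-go domain
    }

    # All three backends are loopback-only. caddy and trojan-go must be
    # reconfigured to listen on 127.0.0.1:10241 and 127.0.0.1:10242 instead
    # of :443, which nginx now owns; their section 2/3 configs do not.
    upstream xui {
        server 127.0.0.1:10240;   # port
    }
    upstream naiveproxy {
        server 127.0.0.1:10241;   # port
    }
    upstream trojan-go {
        server 127.0.0.1:10242;   # port
    }

    # Listen on 443 and peek at the ClientHello for the SNI.
    server {
        listen 443 reuseport;
        listen [::]:443 reuseport;
        ssl_preread on;
        proxy_pass $backend_name;
    }
}

http {
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    # Global access logging is off for the proxy paths; the panel location
    # below re-enables it so access to the management UI is recorded.
    access_log off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    gzip on;
    client_max_body_size 10m;
    client_body_buffer_size 128k;

    # x-ui: TLS termination for the vmess/vless domain.
    # NOTE: the stream proxy above does not carry the original client address
    # (no PROXY protocol), so $remote_addr here - and the X-Real-IP /
    # X-Forwarded-For values handed to x-ui - is always 127.0.0.1.
    server {
        # Bound to loopback: the original "listen 10240 ssl" bound every
        # interface, exposing this server directly and bypassing the SNI
        # routing (with the firewall disabled, to the whole internet).
        listen 127.0.0.1:10240 ssl;                  # port
        server_name xui.mydomain.com;                # vmess / vless domain
        ssl_certificate /etc/x-ui/cert.crt;          # fullchain installed by acme.sh
        ssl_certificate_key /etc/x-ui/private.key;   # key installed by acme.sh
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only (the key is ECDSA, ec-256); TLS 1.3
        # suites are not affected by this directive.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;

        # vmess inbound (WebSocket)
        location /ray123 {                           # inbound path
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10010;       # inbound port
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # vless inbound (WebSocket)
        location /ray1234 {                          # inbound path
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10011;       # inbound port
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # x-ui management panel: change its initial credentials right after
        # install. (An allow/deny list is less useful here because every
        # client arrives as 127.0.0.1 - see the note above.)
        location /xui {                              # panel login path
            access_log logs/xui-access.log;          # keep a trail of panel access
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10000;       # panel listen port
            proxy_http_version 1.1;
            proxy_set_header Host $host;
        }

        # Everything else goes to the decoy server on port 80. Pass the
        # original Host so the decoy's sub_filter rewrites links to this
        # domain rather than to 127.0.0.1.
        location / {
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:80;
        }
    }

    # Port 80: decoy site. Requests are proxied to www.bing.com and the
    # upstream hostname in response bodies is rewritten to ours.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        location / {
            proxy_pass https://www.bing.com;         # decoy upstream
            proxy_ssl_server_name on;
            proxy_redirect off;
            sub_filter_once off;
            # $server_name is "" in a server block without a server_name
            # directive, which would strip the hostname out of rewritten
            # links; $host is the name the client actually requested.
            sub_filter "www.bing.com" $host;
            proxy_set_header Host "www.bing.com";    # decoy upstream
            proxy_set_header Referer $http_referer;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Accept-Encoding "";     # sub_filter needs an uncompressed upstream body
            proxy_set_header Accept-Language "zh-CN";
        }
    }
}
#重新加载nginx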
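# Validate the new config before reloading: nginx rejects a reload on a broken
# config and keeps the old one running, but only "nginx -t" tells you why.
/usr/local/nginx/sbin/nginx -t && systemctl reload nginx
systemctl status nginx.service

# Start the two services that now sit behind the stream proxy. Their own
# configs must listen on the loopback ports the SNI map points at
# (127.0.0.1:10241 for caddy, 127.0.0.1:10242 for trojan-go) instead of
# :443, otherwise they fail to bind while nginx holds 443.
systemctl start caddy
systemctl status caddy
systemctl start trojan-go
systemctl status trojan-go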
YouTube视频教程地址:https://youtu.be/azb7L1if-_c