前言
v2ray默认的vmess协议,流量特征太明显,容易被识别,安全性低。于是找了一个相对安全的方式:https。前提是手里有一个域名用来做伪装站点。
方法
nginx反向代理v2ray的websocket流量。
nginx安装及配置
nginx安装
1 | root@vultr:~# apt install nginx |
查看nginx版本:
nginx -V
修改默认端口
参考文章
root@vultr:/etc/nginx/sites-enabled# ufw allow 8008
root@vultr:/etc/nginx/sites-enabled# nginx -s reload
root@vultr:/etc/nginx/sites-enabled# service nginx restart
扩展:启动nginx遇到一个报错
点击展开报错信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18root@vultr:/etc/nginx/sites-enabled# service nginx status
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-03-18 07:35:04 UTC; 4s ago
Docs: man:nginx(8)
Process: 17186 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exi
Process: 17200 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 17189 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCES
Main PID: 17204 (nginx)
Tasks: 2 (limit: 1108)
CGroup: /system.slice/nginx.service
├─17204 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─17207 nginx: worker process
Mar 18 07:35:04 vultr.guest systemd[1]: Stopped A high performance web server and a reverse proxy server.
Mar 18 07:35:04 vultr.guest systemd[1]: Starting A high performance web server and a reverse proxy server...
Mar 18 07:35:04 vultr.guest systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argum
Mar 18 07:35:04 vultr.guest systemd[1]: Started A high performance web server and a reverse proxy server.
解决方法:
参考文章
点击展开解决过程
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23root@vultr:/etc/nginx/sites-enabled# mkdir /etc/systemd/system/nginx.service.d
root@vultr:/etc/nginx/sites-enabled# printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
root@vultr:/etc/nginx/sites-enabled# systemctl daemon-reload
root@vultr:/etc/nginx/sites-enabled# systemctl restart nginx
root@vultr:/etc/nginx/sites-enabled# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/nginx.service.d
└─override.conf
Active: active (running) since Wed 2020-03-18 07:38:08 UTC; 18s ago
Docs: man:nginx(8)
Process: 17290 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exi
Process: 17306 ExecStartPost=/bin/sleep 0.1 (code=exited, status=0/SUCCESS)
Process: 17302 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 17293 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCES
Main PID: 17305 (nginx)
Tasks: 2 (limit: 1108)
CGroup: /system.slice/nginx.service
├─17305 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─17310 nginx: worker process
Mar 18 07:38:08 vultr.guest systemd[1]: Starting A high performance web server and a reverse proxy server...
Mar 18 07:38:08 vultr.guest systemd[1]: Started A high performance web server and a reverse proxy server.
已成功启动nginx,可输入IP+端口,进入nginx欢迎界面。
安装certbot获取https证书
1 | root@vultr:/etc/nginx/sites-available# apt install certbot |
申请https证书:
1 | root@vultr:/etc# certbot certonly --manual --preferred-challenge dns -d v2ray.dana5haw.com |
过程中,必须输入邮箱地址,并且允许IP log。
到这一步的时候,要去域名提供商那里设置DNS的TXT解析。
点击展开证书申请的关键过程
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.v2ray.dana5haw.com with the following value:
HnFJE7ZgBZYHI1FA-hEkz533GzkP9duc3Kg8TBYy4Sc
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
成功申请https证书,有效期90天。
我用的这种申请证书的方式,不能直接使用certbot自带的renew命令续期证书(因为我不打算开放80端口,certbot的renew功能续期证书需要服务器开放80端口)。(这个有待验证,因为我现在可以使用这个命令certbot renew
)
点击展开查看renew详情
1
2
3
4
5
6
7
8
9
10
11
12
13
14root@vultr:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/v2ray.dana5haw.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/v2ray.dana5haw.com/fullchain.pem expires on 2020-06-16 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
扩展知识:查看证书有效期
输入命令certbot certificates
即可查看证书有效期。
点击展开查看证书有效期
1
2
3
4
5
6
7
8
9
10
11root@vultr:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: v2ray.dana5haw.com
Domains: v2ray.dana5haw.com
Expiry Date: 2020-06-16 07:24:17+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/v2ray.dana5haw.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/v2ray.dana5haw.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
配置v2ray
修改配置文件config.json
,改为通过websocket传输流量。这个文件里,我们自定义websocket路径(最好是在这个网站随机生成),以及websocket的端口号(我定义的端口号是4433)。
点击展开配置文件内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42{
"inbounds": [{
"port": 4433,
"protocol": "vmess",
"listen": "127.0.0.1",
"settings": {
"clients": [
{
"id": "我的UUID",
"level": 1,
"alterId": 64
},
{
"id": "我的UUID",
"level": 1,
"alterId": 66
}
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {"path": "/我的websocket路径"}
}
}],
"outbounds": [{
"protocol": "freedom",
"settings": {}
},{
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
}],
"routing": {
"rules": [
{
"type": "field",
"ip": ["geoip:private"],
"outboundTag": "blocked"
}
]
}
}
配置nginx
nginx要做这两件事:
- 反向代理:将websocket流量转发给v2ray
- 制造伪装站点:不细说,总之就是假装自己是个正经网站
配置文件位于/etc/nginx/sites-enabled/default
。
点击展开配置文件内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57server {
listen 8008 ssl default_server; #这是nginx监听端口
listen [::]:8008 ssl default_server;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
ssl_certificate /etc/letsencrypt/live/*/fullchain.pem; #这是我的https证书公钥文件
ssl_certificate_key /etc/letsencrypt/live/*/privkey.pem; #这是我的https证书私钥文件
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:60m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
# Security settings
if ($request_method !~ ^(POST|GET)$) { return 501; }
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security max-age=31536000 always;
autoindex off;
server_tokens off;
charset utf-8;
root /var/www/html; #这是网站根目录,我们将网站模板都放到这个目录
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
location ~ .*\.(js|jpg|JPG|jpeg|JPEG|css|bmp|gif|GIF|png)$ { access_log off; }
server_name *.*.com; #这是我的域名
location /我的websocket路径 {
proxy_pass http://127.0.0.1:4433; #这是v2ray的端口
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_requests 25600;
keepalive_timeout 300 300;
proxy_buffering off;
proxy_buffer_size 8k;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files $uri $uri/ =404;
}
检查配置文件是否正确:nginx -t
重载配置文件:nginx -s reload
上传网站模板
在这个网站下载一个自己喜欢的网站模板(注意,我们用这个网站的模板,是因为这些模板都是全英文的,隐蔽性较强)
将下载下来的所有内容拷贝到网站根目录/var/www/html
(我用的是mobaxterms的xftp功能来上传网站模板,mobaxterms作为一款远程连接工具确实好用)。
重启nginx和v2ray
注意:以上所有操作的前提是,我已经把防火墙关了,并且开启了ssh服务。(为了方便远程连接服务器进行这些软件的安装和配置)
重启nginx和v2ray:
1 | systemctl restart nginx |
测试一下~
测试就看两点:
- 伪装网站能否正常打开
- PC和手机能否正常使用v2ray
伪装网站可以正常打开:
PC端配置文件更改
PC端的配置文件config.json
改成这样:
要点:
- 通信过程:用户——(udp协议、websocket通信)——>v2ray客户端——(tcp协议、tls加密、websocket通信)——>nginx反向代理——(tcp协议、websocket通信)——>v2ray服务端——(any)——>目标访问网站
- v2ray客户端的inbound是用户,outbound是v2ray服务端
- v2ray服务端的inbound是v2ray客户端,outbound是目标访问网站
- 用户访问v2ray客户端使用udp协议,网络访问速度会更快,尤其是看YTB视频更流畅。(视频播放这种应用场景,更适合用udp协议)参考
- 开启MUX功能,即多路复用,增加了并发连接数
点击展开配置文件内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91{
"inbounds": [
{
"port": 1080,
"listen": "127.0.0.1",
"protocol": "socks",
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
},
"settings": {
"auth": "noauth",
"udp": true //开启UDP
}
}
],
"outbounds": [
{
"tag": "proxy-vmess",
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "我的域名", // 服务器的 IP
"port": 8008, // 服务器的端口
"users": [
{
// id 就是 UUID,相当于用户密码
"id": "我的UUID",
"alterId": 4
}
]
}
]
},
"streamSettings": {
"network": "ws",
"security": "tls",
"wsSettings": {
"path": "/我的websocket路径"
}
},
"mux": {
"enabled": true, //开启多路复用
"concurrency": 8
}
},
{
"tag": "direct",
"settings": {},
"protocol": "freedom"
}
],
"dns": {
"server": [
"8.8.8.8",
"1.1.1.1"
],
// 你的 IP 地址,用于 DNS 解析离你最快的 CDN
"clientIp": "203.208.40.63"
},
// 配置路由功能,绕过局域网和中国大陆地址
"routing": {
"domainStrategy": "IPOnDemand",
"rules": [
{
"type": "field",
"domain": [
// 默认跳过国内网站,如果想要代理某个国内网站可以添加到下列列表中
"github.com"
],
"outboundTag": "proxy-vmess"
},
{
"type": "field",
"domain": [
"geosite:cn"
],
"outboundTag": "direct"
},
{
"type": "field",
"outboundTag": "direct",
"ip": [
"geoip:cn",
"geoip:private"
]
}
]
}
}
开启软件,打开浏览器代理即可使用。(浏览器的代理配置和之前一样,用SOCKS5代理,代理端口是1080)
手机端的配置更改
参考这篇文章
配置简单,照着这个教程配置就可以正常上网了。
新增:直接把配置文件导入手机端就行了,这样的配置更精细化,网络访问速度更快。
别忘了把防火墙打开
我们打开防火墙是为了便于操作,但不利于安全。操作完成之后,一定要把防火墙开启,并且只开放nginx的监听端口到互联网。
首先关闭ssh服务:service ssh stop
关闭开放的多余端口:
1 | ufw enable |
nginx默认的欢迎页面也删掉
减少暴露信息,我们把nginx欢迎页面删掉。
总结
其实主要运用了Nginx的代理功能,由nginx代理v2ray的websocket流量,并且nginx可以建站,帮助我们挂羊头卖狗肉。这种方式的优点是:所有请求其实都经过nginx代理,nginx设置了https,那么所有流量都将是经过https加密的,不会具有不良特征。
nginx上观察访问日志,看到的都是访问websocket路径,看不到用户访问的具体内容,不过可以看到用户端的IP。
参考
思路主要参考这篇文章:用nginx反向代理v2ray,并伪装站点
PC客户端的配置文件参考了这篇文章
nginx的安装和配置参考这篇
https证书申请参考这篇:用certbot申请let’s encrypt的https证书