Compiling and configuring nginx so that V2ray, Xray, Trojan and a blog website share port 443

Last updated 2023-06-05

My VPS: Ubuntu 2022 X64

For obtaining an SSL certificate, see point 5 here; for installing FreshRSS and related components, see here.

I. Installing V2ray (see here)

sudo bash -c "$(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)"
systemctl enable --now v2ray
Edit the V2ray server-side configuration file: nano /usr/local/etc/v2ray/config.json
{
  "log": {
    "loglevel": "warning"
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:cn",
          "geoip:private"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "inbounds": [
    {
      "port": 10000,
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
            "alterId": 0
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/yourwebsocketpath"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}
II. Installing Xray (see here)
sudo bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u root
systemctl enable --now xray

Edit the Xray server-side configuration file: nano /usr/local/etc/xray/config.json

{
    "log": {
        "loglevel": "warning"
    },

    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:cn",
                    "geoip:private"
                ],
                "outboundTag": "block"
            }
        ]
    },

    "inbounds": [
        {
            "listen": "0.0.0.0", 
            "port": 10247, 
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "b831381d-6324-4d53-ad4f-8cda48b30811", 
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "rejectUnknownSni": true,
                    "minVersion": "1.2",
                    "certificates": [ 
                        {
                            "ocspStapling": 3600,
                            "certificateFile": "/etc/cert/cert.crt", 
                            "keyFile": "/etc/cert/private.key"       
                        }
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls",
                    "quic"
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "tag": "block"
        }
    ]
}

The routing rules in the V2ray and Xray configurations above block outbound connections to Chinese (and private) IP ranges; remove them if you do not need this.

III. Installing Trojan-Go (see here)

wget https://github.com/p4gefau1t/trojan-go/releases/download/v0.10.6/trojan-go-linux-amd64.zip
unzip -o trojan-go-linux-amd64.zip -d /usr/local/bin/trojan-go
Edit the trojan-go server-side configuration file:
mkdir -p /usr/local/etc/trojan-go
nano /usr/local/etc/trojan-go/config.json
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 10248,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "password"
    ],
    "ssl": {
        "cert": "/etc/cert/cert.crt",
        "key": "/etc/cert/private.key",
        "sni": "bbs.mydomain.com"
    },
    "websocket": {
        "enabled": true,
        "path": "/yourwebsocketpath",
        "host": "bbs.mydomain.com",
        "double_tls": false
    },
    "router":{
        "enabled": true,
        "block": [
            "geoip:private"
        ]
    }
}

For configuring it to start on boot, see here.

IV. Compiling and installing nginx

The ngx_stream_ssl_preread_module module is required, but Nginx does not include it by default, so nginx has to be compiled from source.

1. First install the build tools and the dependency libraries

apt install make gcc libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev

2. Download the latest nginx source code (the latest version is available here)

wget https://nginx.org/download/nginx-1.26.3.tar.gz && tar -xvf nginx-1.26.3.tar.gz && cd nginx-1.26.3

3. Set the build options and compile

./configure --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module
make && sudo make install

The default install path is /usr/local/nginx; the configuration file is /usr/local/nginx/conf/nginx.conf and the binary is /usr/local/nginx/sbin/nginx.

4. Configure start on boot

Edit the file: nano /lib/systemd/system/nginx.service

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
sudo systemctl enable --now nginx

5. Configure nginx

In the following configuration, the domain www.mydomain.com is used for FreshRSS; mydomain.com is used for V2ray and also points to FreshRSS;

bbs.mydomain.com is used for Trojan-Go; free.mydomain.com is used for Xray;

api.mydomain.com is used for the full-text API (e.g. Readability, Mercury);

hub.mydomain.com is used for third-party RSS (e.g. RSS-Bridge, RSSHub).

Edit the nginx configuration file: nano /usr/local/nginx/conf/nginx.conf

Change the domain names and WS paths to your own, and keep them consistent with the corresponding settings on the v2ray, trojan-go and xray servers.

user www-data;
worker_processes auto;
#error_log /var/log/nginx/error.log warn;
#pid /var/run/nginx.pid;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

stream {
    # SNI detection: map each server name to a backend name
    map $ssl_preread_server_name $backend_name {
        www.mydomain.com web;
        mydomain.com vmess;
        bbs.mydomain.com trojan;
        free.mydomain.com xtls;
        api.mydomain.com api;
        hub.mydomain.com hub;
        # default used when none of the names match
        default web;
    }

    # web: forwarding target; the port matches the www.mydomain.com server block below
    upstream web {
        server 127.0.0.1:10240;
    }
    # vmess: forwarding target; the port matches the mydomain.com server block below
    upstream vmess {
        server 127.0.0.1:10249;
    }
    # trojan: forwarding target; the port matches the trojan-go configuration file
    upstream trojan {
        server 127.0.0.1:10248;
    }
    # xtls: forwarding target; the port matches the xray configuration file
    upstream xtls {
        server 127.0.0.1:10247;
    }
    # api: forwarding target
    upstream api {
        server 127.0.0.1:10246;
    }
    # hub: forwarding target
    upstream hub {
        server 127.0.0.1:10245;
    }
    # listen on 443 with ssl_preread enabled
    server {
        listen 443 reuseport;
        # listen [::]:443 reuseport;
        proxy_pass $backend_name;
        ssl_preread on;
    }
}

http {
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    access_log off;

    ssl_certificate         /etc/cert/cert.crt;
    ssl_certificate_key     /etc/cert/private.key;

    ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_ciphers             TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets     off;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Connection "";
    proxy_http_version 1.1;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen 10240 ssl;
        http2 on;
        server_name www.mydomain.com;

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }

    server {
        listen 10249 ssl;
        http2 on;
        server_name mydomain.com;

        location /yourwebsocketpath {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10000;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }

    server {
        listen 10246 ssl;
        http2 on;
        server_name api.mydomain.com;

        location / {
            proxy_pass http://127.0.0.1:3000;
        }
    }

    server {
        listen 10245 ssl;
        http2 on;
        server_name hub.mydomain.com;

        location / {
            proxy_pass http://127.0.0.1:3002;
        }
    }
}
Test whether the configuration file is correct:
/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
Reload the nginx configuration so it takes effect (no server restart needed):
/usr/local/nginx/sbin/nginx -s reload
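As an added example (not part of the original post), the following Python script cross-checks an nginx.conf laid out like the one above: it resolves each SNI name in the stream map to the local port the 443 listener forwards to, and flags any http server block for that name whose listen port differs. It is a regex check written for this article's configuration layout rather than a general nginx parser, and the embedded excerpt is constructed, with one deliberate mismatch.

```python
import re

# Constructed excerpt of the nginx.conf from this article (not the full file).
# The http server for mydomain.com deliberately listens on 10250 while the
# stream upstream forwards to 10249, so the check has something to report.
NGINX_CONF = """
stream {
    map $ssl_preread_server_name $backend_name {
        www.mydomain.com web;
        mydomain.com vmess;
        bbs.mydomain.com trojan;
        default web;
    }
    upstream web { server 127.0.0.1:10240; }
    upstream vmess { server 127.0.0.1:10249; }
    upstream trojan { server 127.0.0.1:10248; }
    server { listen 443 reuseport; proxy_pass $backend_name; ssl_preread on; }
}
http {
    server { listen 10240 ssl; http2 on; server_name www.mydomain.com; location / { } }
    server { listen 10250 ssl; http2 on; server_name mydomain.com; location / { } }
}
"""

def parse_sni_routes(conf):
    """{sni or 'default': local port the 443 stream listener forwards that name to}."""
    body = re.search(r'map\s+\$ssl_preread_server_name\s+\$backend_name\s*\{(.*?)\}', conf, re.S)
    entries = re.findall(r'([\w.]+)\s+(\w+)\s*;', body.group(1))
    upstreams = dict(re.findall(r'upstream\s+(\w+)\s*\{[^}]*?server\s+127\.0\.0\.1:(\d+)', conf))
    return {sni: int(upstreams[name]) for sni, name in entries}

def parse_http_listeners(conf):
    """{server_name: port} for the TLS server blocks in the http section."""
    pairs = re.findall(r'server\s*\{[^}]*?listen\s+(\d+)\s+ssl\s*;[^}]*?server_name\s+([\w.]+)\s*;', conf)
    return {name: int(port) for port, name in pairs}

def find_mismatches(conf):
    """Names whose SNI route lands on a port no http server for that name listens on.
    Names with no http server (trojan-go and xray terminate TLS themselves) are skipped."""
    routes, listeners = parse_sni_routes(conf), parse_http_listeners(conf)
    return [f"{sni}: stream forwards to 127.0.0.1:{port} but http server listens on {listeners[sni]}"
            for sni, port in routes.items() if sni in listeners and listeners[sni] != port]

if __name__ == "__main__":
    for line in find_mismatches(NGINX_CONF) or ["all SNI routes match their http listeners"]:
        print(line)
```

nginx -t only validates syntax, so a map entry that points at the wrong upstream passes the test and silently delivers that hostname's connections to another backend. Run it against the real file with find_mismatches(open('/usr/local/nginx/conf/nginx.conf').read()).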

Remember to allow the relevant ports, such as 22, 80 and 443, through the firewall:
ufw allow 22
ufw allow 80
ufw allow 443

Finally, when configuring the client, set the remote port to 443 and keep the other parameters consistent with the server side.

Testing shows that NaiveProxy can coexist with V2ray, Xray, Trojan and the blog website on the same VPS while sharing port 443; see point 6 here.
