NaiveProxy Installation and Configuration
Test environment for this tutorial: Ubuntu 22.04 x64
NaiveProxy, as described on the official site: NaïveProxy uses Chrome's network stack to camouflage traffic, giving it strong censorship resistance and low detectability. Reusing Chrome's stack also ensures best practices in performance and security.
I. Install Go
apt install golang
II. Install the NaiveProxy server (build Caddy)
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive
After a successful build, a file named caddy appears in the current directory. Alternatively, download it directly from here:
wget https://github.com/klzgrad/forwardproxy/releases/download/v2.7.6-naive/caddy-forwardproxy-naive.tar.xz
tar xvf caddy-forwardproxy-naive.tar.xz
III. Configure Caddy
1. Official configuration (for a fresh VPS; make sure the firewall allows ports 80 and 443)
In the same directory as the caddy binary built above, create a file named Caddyfile
nano Caddyfile
Enter the following, replacing the domain, email address, username and password with your own
{
    order forward_proxy before file_server
}

:443, mydomain.com {
    tls me@youremail.com
    forward_proxy {
        basic_auth user password
        hide_ip
        hide_via
        probe_resistance
    }
    file_server {
        root /var/www/html
    }
}
Run caddy; it will obtain a certificate automatically
./caddy run
This command runs in the foreground and prints its log, which makes troubleshooting easy. Once it runs without errors, start it in the background with
./caddy start
2. Custom configuration. The official config is minimal. To use a certificate you obtained yourself (see point 5 here), change the Caddyfile as follows
{
    order forward_proxy before route
    admin off
    auto_https off
    log {
        output file /var/log/caddy/access.log
        level ERROR
    }
}

:443 {
    tls /root/cert/cert.crt /root/cert/private.key {
        ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        alpn h2 http/1.1
    }
    forward_proxy {
        basic_auth user password
        hide_ip
        hide_via
        probe_resistance
    }
    @host {
        host mydomain.com
    }
    route @host {
        header {
            Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        }
        file_server {
            root /usr/share/nginx/html
        }
    }
}
To use your own certificate and also a port other than 443, such as 8443, use the following Caddyfile (tested OK; the log block has been removed). Remove the comments before actual use.
{
    order forward_proxy before route
    admin off
    auto_https off
    https_port 8443
}

:8443 {
    tls /root/cert/cert.crt /root/cert/private.key { # certificate paths; change to your own
        ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        alpn h2 http/1.1
    }
    forward_proxy {
        basic_auth user password # username and password; change to your own
        hide_ip
        hide_via
        probe_resistance
    }
    @host {
        host mydomain.com # restrict access to the domain (blocks reaching the site by IP); change to your own domain
    }
    route @host {
        header {
            Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # enable HSTS
        }
        file_server {
            root /usr/share/nginx/html # change to your own web root; a camouflage site can also be used, see Section IV below
        }
    }
}
3. A JSON file can be used instead; the two are equivalent. Edit config.json
{
  "admin": {
    "disabled": true
  },
  "logging": {
    "sink": {
      "writer": {
        "output": "discard"
      }
    },
    "logs": {
      "default": {
        "writer": {
          "output": "discard"
        }
      }
    }
  },
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":8443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "auth_pass_deprecated": "password",
                          "auth_user_deprecated": "user",
                          "handler": "forward_proxy",
                          "hide_ip": true,
                          "hide_via": true,
                          "probe_resistance": {}
                        }
                      ]
                    },
                    {
                      "match": [
                        {
                          "host": [
                            "mydomain.com"
                          ]
                        }
                      ],
                      "handle": [
                        {
                          "handler": "file_server",
                          "root": "/usr/share/nginx/html",
                          "index_names": [
                            "index.html"
                          ]
                        }
                      ],
                      "terminal": true
                    }
                  ]
                }
              ]
            }
          ],
          "tls_connection_policies": [
            {
              "match": {
                "sni": [
                  "mydomain.com"
                ]
              }
            }
          ],
          "automatic_https": {
            "disable": true
          }
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/root/cert/cert.crt",
            "key": "/root/cert/private.key"
          }
        ]
      }
    }
  }
}
4. Configure caddy to start on boot
mkdir -p /etc/caddy
mv caddy /usr/bin/caddy
mv Caddyfile /etc/caddy/Caddyfile
nano /etc/systemd/system/caddy.service
Enter the following
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
systemctl enable --now caddy
All of the configurations above were tested on a fresh Ubuntu 22.04 VPS.
IV. If your VPS already runs v2ray, a blog site and so on, and you already obtained a certificate yourself, as in this blog post, NaiveProxy can still be configured to coexist with them on the same VPS.
Suppose your VPS already holds certificates for mydomain.com and the wildcard *.mydomain.com, stored in /root/cert/. Run acme.sh again to obtain a certificate for a separate name such as nas.mydomain.com, dedicated to NaiveProxy, and install it into a different directory, such as /etc/caddy
acme.sh --issue --dns dns_cf -d nas.mydomain.com -k ec-256
acme.sh --installcert -d nas.mydomain.com --key-file /etc/caddy/private.key --fullchain-file /etc/caddy/cert.crt --ecc
Accordingly, change the certificate paths in the Caddyfile (tested OK; the log block has been removed)
{
    order forward_proxy before route
    admin off
    auto_https off
    https_port 8443
}

:8443 {
    tls /etc/caddy/cert.crt /etc/caddy/private.key {
        ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        alpn h2 http/1.1
    }
    forward_proxy {
        basic_auth user password
        hide_ip
        hide_via
        probe_resistance
    }
    @host {
        host nas.mydomain.com
    }
    route @host {
        header {
            Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        }
        reverse_proxy https://www.mydomain.com {
            header_up Host {upstream_hostport}
            header_up X-Forwarded-Host {host}
        }
    }
}
Nothing else needs to change.
V. Client configuration
1. Download the NaiveProxy client for your platform from the NaïveProxy website and edit its config.json. For running it at boot, see point III.1 here.
{
"listen": "socks://0.0.0.0:1080",
"proxy": "https://user:password@mydomain.com:port"
}
2. nekoray is a Qt-based cross-platform proxy configuration manager (backends: v2ray / sing-box) that currently works out of the box on Windows and Linux. It supports many protocols, such as vmess, vless, tuic, naiveproxy and trojan.
VI. Coexisting with v2ray, xray, trojan and a blog site on the same VPS, sharing port 443
If you have installed caddy following the steps above and want to share port 443 as in this blog post, a few simple settings achieve that.
Caddyfile configuration (a separate certificate must be obtained for nas.mydomain.com and installed into a directory different from the certificate paths used in the nginx configuration); see Section IV above.
{
    order forward_proxy before route
    admin off
    auto_https off
    https_port 10248
}

:10248 {
    tls /etc/caddy/cert.crt /etc/caddy/private.key {
        ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        alpn h2 http/1.1
    }
    forward_proxy {
        basic_auth user password
        hide_ip
        hide_via
        probe_resistance
    }
    @host {
        host nas.mydomain.com
    }
    route @host {
        header {
            Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        }
        reverse_proxy https://mydomain.com {
            header_up Host {upstream_hostport}
            header_up X-Forwarded-Host {host}
        }
    }
}
nginx.conf configuration
In the configuration below, mydomain.com is used for V2ray and also points to FreshRSS; bbs.mydomain.com is used for Trojan-Go; free.mydomain.com for Xray; api.mydomain.com for the full-text API; www.mydomain.com for rsshub; and hub.mydomain.com for rssbridge.
For the FreshRSS, RSS-Bridge and Readability API configuration see here; for the rsshub configuration see here.
#user www-data;
worker_processes 1;
error_log logs/error.log;
pid logs/nginx.pid;

events {
    worker_connections 2048;
}

stream {
    # SNI detection: map the requested server name to a backend name
    map $ssl_preread_server_name $backend_name {
        www.mydomain.com web;
        mydomain.com vmess;
        bbs.mydomain.com trojan;
        free.mydomain.com xtls;
        api.mydomain.com api;
        hub.mydomain.com hub;
        nas.mydomain.com caddy;
        # default when none of the names matches
        default web;
    }
    # web: forwarding target; the port must match the www.mydomain.com server block below
    upstream web {
        server 127.0.0.1:10240;
    }
    # caddy: forwarding target; the port must match the port in the Caddyfile
    upstream caddy {
        server 127.0.0.1:10248;
    }
    # vmess: forwarding target; the port must match the mydomain.com server block below
    upstream vmess {
        server 127.0.0.1:10249;
    }
    # trojan: forwarding target; the port must match the trojan config file
    upstream trojan {
        server 127.0.0.1:10241;
    }
    # xtls: forwarding target; the port must match the xray config file
    upstream xtls {
        server 127.0.0.1:10247;
    }
    # api: forwarding target
    upstream api {
        server 127.0.0.1:10246;
    }
    # hub: forwarding target
    upstream hub {
        server 127.0.0.1:10245;
    }
    # listen on 443 with ssl_preread enabled
    server {
        listen 443 reuseport;
        # listen [::]:443 reuseport;
        proxy_pass $backend_name;
        ssl_preread on;
    }
}

http {
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    access_log off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    gzip on;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    server {
        listen 80 default_server;
        server_name www.mydomain.com;
        root /usr/share/nginx/html;
        return 301 https://$server_name$request_uri;
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
    server {
        listen 10240 ssl;
        server_name www.mydomain.com;
        ssl_certificate /root/cert/cert.crt;
        ssl_certificate_key /root/cert/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location / {
            proxy_pass http://127.0.0.1:1200;
        }
    }
    server {
        listen 10249 ssl;
        server_name mydomain.com;
        ssl_certificate /root/cert/cert.crt;
        ssl_certificate_key /root/cert/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location /yourwebsocketpath {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
        }
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
    server {
        listen 10246 ssl;
        server_name api.mydomain.com;
        ssl_certificate /root/cert/cert.crt;
        ssl_certificate_key /root/cert/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://127.0.0.1:3000;
        }
    }
    server {
        listen 10245 ssl;
        server_name hub.mydomain.com;
        ssl_certificate /root/cert/cert.crt;
        ssl_certificate_key /root/cert/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://127.0.0.1:4000;
        }
    }
}
/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/sbin/nginx -s reload
Note: open the relevant ports in the firewall, for example 443.
sudo ufw allow 443