nginx sni实现443端口复用

通过nginx的sni来实现trojan、v2ray与nginx共用443端口,需要域名创建三个子域名

Trojan使用t.crosswall.online

V2ray使用v.crosswall.online

WordPress使用crosswall.online



安装mysql

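# MySQL 8.0 from the official community repo (CentOS 7 release package).
wget https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
rpm -Uvh mysql80-community-release-el7-3.noarch.rpm
# Pick the wanted series in the repo file; NOTE(review): leave gpgcheck=1 on the
# enabled sections so the packages pulled below stay signature-checked.
vi /etc/yum.repos.d/mysql-community.repo
yum install mysql-community-server -y
systemctl start mysqld.service && systemctl status mysqld.service
# The first start generates a random root password and logs it here; it is
# replaced during mysql_secure_installation.
grep 'temporary password' /var/log/mysqld.log
mysql_secure_installation
# Create the WordPress database. The page typed CREATE DATABASE inside the
# interactive mysql prompt, which is not a shell command; -e runs it directly
# (prompts for the new root password).
mysql -u root -p -e 'CREATE DATABASE wp;'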


安装nginx和php

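# Enable EPEL (nginx, certbot) and Remi (PHP 7.4) before installing from them:
# on CentOS 7 neither nginx nor python-certbot-nginx is in the base repos, so
# the page's original order (install first, add EPEL afterwards) would fail.
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
# Fetched over https; the page pulled this repo-release package over plain http.
yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
yum install yum-utils -y
yum-config-manager --enable remi-php74
yum install python-certbot-nginx nginx -y
yum install gcc gcc-c++ -y
# Drop the distro default vhosts so only the conf.d files from this page are served.
rm -rf -- /etc/nginx/sites-enabled/default /etc/nginx/conf.d/default.conf /etc/nginx/sites-available/
yum install php php-mcrypt php-devel php-cli php-gd php-pear php-curl php-fpm php-mysql php-ldap php-zip php-fileinfo php-mbstring php-imagick ImageMagick ImageMagick-devel -y
# php-fpm runs as the nginx user so the site tree can be owned by one account.
sed -i 's/user = apache/user = nginx/g' /etc/php-fpm.d/www.conf
sed -i 's/group = apache/group = nginx/g' /etc/php-fpm.d/www.conf
# Do not advertise the PHP version in the X-Powered-By header.
sed -i 's/expose_php = On/expose_php = Off/g' /etc/php.ini
sed -i 's/;date.timezone =/date.timezone = PRC/g' /etc/php.ini
systemctl start php-fpm && systemctl enable php-fpm.service && systemctl status php-fpm.service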


安装wordpress和伪装站

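# WordPress site root (served by the TLS vhost on 57003).
mkdir -p /mnt/c/www && cd /mnt/c/www
wget https://cn.wordpress.org/latest-zh_CN.tar.gz
# The localized tarball is what wget fetched, so extract that name; the page
# extracted latest.tar.gz, a file that was never downloaded.
tar -xzf latest-zh_CN.tar.gz
mv wordpress/* ./
rmdir wordpress
mkdir -p /mnt/c/www/wp-content/uploads/plugins/
# Hand the whole tree to the nginx/php-fpm user. -R on the directory also
# covers dotfiles, which "chown * -R" skipped. 664/775 lets the nginx group
# write (uploads, updates) while everyone else stays read-only.
chown -R nginx:nginx /mnt/c/www
find /mnt/c/www -type f -exec chmod 664 {} +
find /mnt/c/www -type d -exec chmod 775 {} +
# NOTE(review): presumably redundant (nginx's primary group is normally nginx);
# kept because it is harmless.
usermod -a -G nginx nginx
# Sanity check that the web user can write into uploads. This must run after
# the chown: against a root-owned 755 directory it fails and proves nothing.
sudo -u nginx touch /mnt/c/www/wp-content/uploads/plugins/test.txt
# Diagnostic: make sure no leftover Apache is competing for the ports.
pgrep -l 'apache|httpd'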

# Decoy site: a static page on the loopback-only port 82 vhost that trojan and
# v2ray hand non-proxy clients. The quoted delimiter keeps the HTML literal.
install -d /mnt/d/www
cat <<'EOF' > /mnt/d/www/index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Nexus</title>
<meta name="keywords" content="Nexus">
<meta name="description" content="Nexus the Next Generation Android,The ultimate experience">
</head>
<body>
<h2>Next Generation</h2>
</body>
</html>
EOF


安装ssl证书

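# certbot --standalone answers the HTTP-01 challenge on port 80, so that port
# must be reachable while it runs. Open 80 (and 443, which nginx needs anyway)
# instead of stopping firewalld outright: the page switched the firewall off
# and never turned it back on.
if systemctl is-active --quiet firewalld; then
  firewall-cmd --permanent --add-service=http --add-service=https
  firewall-cmd --reload
fi
# One certificate per name; the later configs reference each name's own
# /etc/letsencrypt/live/<name>/ directory, so they are not merged into one.
for d in crosswall.online v.crosswall.online t.crosswall.online; do
  certbot certonly --standalone -d "$d" --agree-tos --email admin@crosswall.online
done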


配置nginx

修改nginx配置文件

#对于禁用ipv6的系统,需要注释掉 # listen [::]:443 reuseport; 和# listen [::]:80 default_server;
vim /etc/nginx/nginx.conf       
添加  
stream {
    # SNI demultiplexing of port 443: ssl_preread inspects the ClientHello
    # without terminating TLS and routes on the requested server name.
    map $ssl_preread_server_name $backend_name {
        t.crosswall.online trojan;
        v.crosswall.online v2ray;
        crosswall.online web;
        # Missing or unknown SNI (e.g. a scan by IP) lands on the plain web
        # site, so the proxy backends are never the default answer.
        default web;
    }
    # Each backend terminates its own TLS on a loopback port.
    # NOTE(review): the mux only shields a backend if that service itself
    # binds 127.0.0.1 — verify each listen/"listen" setting; an unaddressed
    # port binds every interface.
    upstream v2ray {
        server 127.0.0.1:57001;
    }
    upstream trojan {
        server 127.0.0.1:57002;
    }
    upstream web {
        server 127.0.0.1:57003;
    }
    server {
        # reuseport: one listening socket per worker (SO_REUSEPORT).
        listen 443 reuseport;
        # Uncomment on hosts with IPv6 enabled.
        #listen [::]:443 reuseport;
        proxy_pass  $backend_name;
        ssl_preread on;
    }
}



创建站点配置文件

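# WordPress vhost (TLS on a loopback port behind the stream{} SNI mux), the
# plain-HTTP redirects, and the loopback-only decoy site used as the
# trojan/v2ray fallback target. NOTE(review): the file is named v2ray.conf but
# holds the web vhosts; the name is kept so the other steps still line up.
cat > /etc/nginx/conf.d/v2ray.conf <<"EOF"
server {
    # Loopback only: this backend must be reachable solely through the 443 mux.
    # An unaddressed "listen 57003 ssl" binds every interface.
    listen  127.0.0.1:57003 ssl;
    server_name  crosswall.online;
    root /mnt/c/www;
    index index.html index.htm index.nginx-debian.html index.php;
    server_tokens off;
    ssl_certificate       /etc/letsencrypt/live/crosswall.online/fullchain.pem;
    ssl_certificate_key   /etc/letsencrypt/live/crosswall.online/privkey.pem;
    # TLS 1.0/1.1 are deprecated; offer 1.2 and 1.3 only.
    ssl_protocols         TLSv1.2 TLSv1.3;
    ssl_ciphers           HIGH:!aNULL:!MD5;
    # "\.php" — the page's ".php" regex left the dot unescaped.
    location ~* \.php$ {
        # Only hand PHP-FPM paths that exist as files; without this, requests
        # for a non-existent .php path under an uploaded file can be executed
        # when cgi.fix_pathinfo is enabled.
        try_files       $uri =404;
        fastcgi_index   index.php;
        fastcgi_pass    127.0.0.1:9000;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
    }
}
# HTTP -> HTTPS. $request_uri preserves the requested path and query; the
# page's redirects always dropped the visitor on the front page.
server {
    listen 80;
    server_name crosswall.online;
    return 301 https://crosswall.online$request_uri;
}
server {
    listen 80;
    server_name v.crosswall.online;
    return 301 https://v.crosswall.online$request_uri;
}
server {
    listen 80;
    server_name t.crosswall.online;
    return 301 https://t.crosswall.online$request_uri;
}
# Decoy site: plain HTTP on loopback, reached only via the trojan/v2ray
# fallback (port 82), so ordinary browsers hitting t./v. see a normal page.
server {
    listen 127.0.0.1:82 default_server;
    root /mnt/d/www;
    index index.html index.htm index.nginx-debian.html index.php;
}
EOF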



启动nginx

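# Start nginx only if the configuration validates; the page ran nginx -t but
# then started the service regardless of its result.
nginx -t && systemctl start nginx && systemctl enable nginx && systemctl status nginx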


配置v2ray

下载安装

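# Fetch the upstream installer to a file so it can be read before it is run as
# root; piping curl straight into bash gives no chance to review it. A later
# step on this page already expects ./install-release.sh to exist.
curl -fsSLo install-release.sh https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
bash install-release.sh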

创建v2ray配置文件

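# v2ray VLESS inbound on loopback port 57001 (v2ray terminates TLS itself);
# anything that is not VLESS falls back to the decoy site on port 82.
# NOTE(review): "id" is the client credential. The value below is the
# tutorial's example and is shared by everyone who copied the page — replace
# it with a freshly generated UUID (e.g. from `uuidgen`) before going live.
# Fixes against the page's version: "listen" pins the inbound to 127.0.0.1 so
# it is only reachable through the 443 mux (a bare "port" binds every
# interface), and a "blocked" outbound is defined — the routing rule referenced
# that tag but no outbound carried it, so private-range traffic was not
# actually dropped.
cat > /usr/local/etc/v2ray/config.json <<'EOF'
{
    "log": {
        "loglevel": "warning"
    },
    "routing": {
        "domainStrategy": "AsIs",
        "rules": [
            {
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "blocked",
                "type": "field"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 57001,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "737f63ce-133f-11eb-adc1-0242ac120002",
                        "level": 0
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": 82
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "alpn": [
                        "http/1.1"
                    ],
                    "certificates": [
                        {
                            "certificateFile": "/etc/letsencrypt/live/v.crosswall.online/fullchain.pem",
                            "keyFile": "/etc/letsencrypt/live/v.crosswall.online/privkey.pem"
                        }
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        },
        {
            "protocol": "blackhole",
            "tag": "blocked"
        }
    ]
}
EOF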


修改服务并启动

#vi /etc/systemd/system/v2ray.service
将 User=nobody 改为 User=root

启动v2ray
# Start v2ray now and at boot, then report its state.
# NOTE(review): the preceding step runs the service as root; that is only
# needed to read the Let's Encrypt private key — granting the service user
# read access to the key is the less privileged alternative.
systemctl enable --now v2ray && systemctl status v2ray



配置trojan

下载安装

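# Fetch the quickstart script to a file and review it before running it as
# root, rather than executing the download sight unseen.
curl -fsSLo trojan-quickstart.sh https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh
bash trojan-quickstart.sh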


创建trojan配置文件

# trojan server config: TLS terminated by trojan on loopback port 57002 (the
# stream{} mux forwards t.crosswall.online here); non-trojan clients are
# relayed to the decoy site on 127.0.0.1:82.
# NOTE(review): "password" is the client credential. The value below is the
# tutorial's example and is shared by everyone who copied the page — replace
# it with a long random secret before going live.
# NOTE(review): "alpn" only advertises http/1.1, so the "h2": 81 override is
# never selected (nothing on this page listens on 81 anyway).
cat > /usr/local/etc/trojan/config.json <<'EOF'
{
  "run_type": "server",
  "local_addr": "127.0.0.1",
  "local_port": 57002,
  "remote_addr": "127.0.0.1",
  "remote_port": 82,
  "password": [
    "737f63ce"
  ],
  "log_level": 3,
  "ssl": {
    "cert": "/etc/letsencrypt/live/t.crosswall.online/fullchain.pem",
    "key": "/etc/letsencrypt/live/t.crosswall.online/privkey.pem",
    "key_password": "",
    "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
    "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
    "prefer_server_cipher": true,
    "alpn": [
      "http/1.1"
    ],
    "alpn_port_override": {
      "h2": 81
    },
    "reuse_session": true,
    "session_ticket": false,
    "session_timeout": 600,
    "plain_http_response": "",
    "curves": "",
    "dhparam": ""
  },
  "tcp": {
    "prefer_ipv4": false,
    "no_delay": true,
    "keep_alive": true,
    "reuse_port": false,
    "fast_open": false,
    "fast_open_qlen": 20
  },
  "mysql": {
    "enabled": false,
    "server_addr": "127.0.0.1",
    "server_port": 3306,
    "database": "trojan",
    "username": "trojan",
    "password": "",
    "cafile": ""
  }
}
EOF


启动

# Enable trojan at boot, restart it so the new config is loaded, and show its state.
systemctl enable trojan && systemctl restart trojan && systemctl status trojan


配置dns缓存

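# Local caching resolver: dnsmasq on 127.0.0.1, forwarding to 1.1.1.1.
yum install dnsmasq -y
# Keep the packaged config as a backup; do not clobber it on a second run.
[ -e /etc/dnsmasq.conf.bak ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
cat > /etc/dnsmasq.conf <<'EOF'
port=53
no-resolv
server=1.1.1.1#53
interface=lo
listen-address=127.0.0.1
cache-size=1000
EOF
# Point the system at the local resolver only once the config parses;
# otherwise a typo would leave the host without working DNS.
if dnsmasq --test; then
  # +i keeps NetworkManager/dhclient from rewriting resolv.conf.
  # NOTE(review): chattr fails if resolv.conf is a symlink (e.g. under
  # systemd-resolved) — check with ls -l first.
  chattr -i /etc/resolv.conf
  printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
  chattr +i /etc/resolv.conf
  systemctl enable dnsmasq && systemctl restart dnsmasq && systemctl status dnsmasq
fi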


之后升级v2ray

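# Later upgrades: re-fetch and re-run the upstream installer (to a file, so it
# can be reviewed before running as root).
curl -fsSLo install-release.sh https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
bash install-release.sh
# The installer rewrites v2ray.service, which is why the page re-edited the
# unit after every upgrade (changing User=nobody to root). A systemd drop-in
# carries the same setting and survives reinstalls.
# NOTE(review): root is only needed to read the Let's Encrypt private key;
# granting the service user read access to the key is the less privileged fix.
mkdir -p /etc/systemd/system/v2ray.service.d
cat > /etc/systemd/system/v2ray.service.d/override.conf <<'EOF'
[Service]
User=root
EOF
systemctl daemon-reload
systemctl restart v2ray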



更新日期: 2020年10月21日
文章标签: LinuxNginx
文章链接: https://www.vos.cn/os/453.html  
版权说明:如非注明,本站文章均为vOS原创,转载请注明出处和附带本文链接。