nginx sni实现443端口复用
通过 nginx stream 模块的 SNI 预读（ssl_preread，不解密 TLS）把 trojan、v2ray 与 nginx 站点分流到同一个 443 端口；需要在域名下准备三个主机名（下文另外为 www 单独签发了证书，共四个名字）：
Trojan使用t.crosswall.online
V2ray使用v.crosswall.online
WordPress使用crosswall.online
安装mysql
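# --- MySQL 8.0 from the community repo ---
wget https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
rpm -Uvh mysql80-community-release-el7-3.noarch.rpm
# Interactive step: enable the 8.0 sub-repo and disable the others.
vi /etc/yum.repos.d/mysql-community.repo
yum install mysql-community-server -y
systemctl start mysqld.service && systemctl status mysqld.service
# The generated root password is written to the log; it is rotated by
# mysql_secure_installation right after, so do not leave it in scrollback/history.
grep 'temporary password' /var/log/mysqld.log
mysql_secure_installation
# Create the WordPress database and a least-privilege user for it. The page only
# created the database, leaving root as the sole account WordPress could use;
# WordPress must not connect as root. Replace CHANGE_ME before running.
mysql -u root -p <<'SQL'
CREATE DATABASE wp;
CREATE USER 'wp'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT ALL PRIVILEGES ON wp.* TO 'wp'@'localhost';
FLUSH PRIVILEGES;
SQL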
安装nginx和php
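# --- nginx, certbot and PHP 7.4 (remi) with php-fpm ---
yum install python-certbot-nginx nginx -y
# Remove the stock default vhosts so only our conf.d files are served.
rm -rf /etc/nginx/sites-enabled/default
rm -rf /etc/nginx/conf.d/default.conf
rm -rf /etc/nginx/sites-available/
yum install gcc gcc-c++ -y
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
# Fetched over HTTPS (the page used plain http for this release package).
yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
yum install yum-utils -y
yum-config-manager --enable remi-php74
yum install php php-mcrypt php-devel php-cli php-gd php-pear php-curl php-fpm php-mysql php-ldap php-zip php-fileinfo php-mbstring php-imagick ImageMagick ImageMagick-devel -y
# php-fpm must run as the user nginx serves and owns the files as.
sed -i 's/user = apache/user = nginx/g' /etc/php-fpm.d/www.conf
sed -i 's/group = apache/group = nginx/g' /etc/php-fpm.d/www.conf
# Hardening: stop advertising the PHP version, and disable PATH_INFO fix-up so
# a request such as /upload.jpg/x.php is not executed as PHP.
sed -i 's/expose_php = On/expose_php = Off/g' /etc/php.ini
sed -i 's/^;\?cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/' /etc/php.ini
sed -i 's/;date.timezone =/date.timezone = PRC/g' /etc/php.ini
systemctl start php-fpm && systemctl enable php-fpm.service && systemctl status php-fpm.service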
安装wordpress和伪装站
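# --- WordPress (real site) plus a plain decoy page ---
mkdir -p /mnt/c/www && cd /mnt/c/www
wget https://cn.wordpress.org/latest-zh_CN.tar.gz
# Unpack the file actually downloaded (the page extracted "latest.tar.gz",
# which does not exist after the wget above).
tar -xzvf latest-zh_CN.tar.gz
mv wordpress/* ./
mkdir -p /mnt/c/www/wp-content/uploads/plugins/
# Sanity check that the web-server user can write into the tree.
sudo -u nginx touch /mnt/c/www/wp-content/uploads/plugins/test.txt
# Make sure no stray apache/httpd is running alongside nginx.
pgrep -a 'apache|httpd' || true
cd /mnt/c/www/
# "." rather than "*" so dot-files are included as well.
chown -R nginx:nginx .
# (The page's "usermod -a -G nginx nginx" was a no-op: nginx is already in its
# own primary group.)
# NOTE(review): 664/775 owned by the php-fpm user makes the whole tree writable
# by PHP, so any plugin flaw can drop a web shell anywhere. WordPress's own
# guidance is 644/755 with wp-config.php no wider than 640; kept as the page had it.
find . -type f -exec chmod 664 {} +
find . -type d -exec chmod 775 {} +
# Decoy site handed out to non-proxy traffic by trojan/v2ray.
mkdir -p /mnt/d/www
cat > /mnt/d/www/index.html <<"EOF"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Nexus</title>
<meta name="keywords" content="Nexus">
<meta name="description" content="Nexus the Next Generation Android,The ultimate experience">
</head>
<body>
<h2>Next Generation</h2>
</body>
</html>
EOF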
安装ssl证书
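# --- TLS certificates: certbot standalone, one certificate per name ---
openssl dhparam -out /etc/nginx/dhparam.pem 2048
# Standalone mode needs port 80 reachable; nginx is not running yet here.
systemctl stop firewalld
certbot certonly --standalone -d crosswall.online --agree-tos --email admin@crosswall.online
certbot certonly --standalone -d www.crosswall.online --agree-tos --email admin@crosswall.online
certbot certonly --standalone -d v.crosswall.online --agree-tos --email admin@crosswall.online
certbot certonly --standalone -d t.crosswall.online --agree-tos --email admin@crosswall.online
# Bring the host firewall back up (the page left it stopped) and open only the
# two ports the SNI proxy needs.
systemctl start firewalld
firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload
# Renewal (port 80 must be free, so nginx is stopped for the duration):
#   systemctl stop nginx
#   systemctl stop firewalld
#   certbot renew      # the page used --force-renewal, which re-issues unexpired
#                      # certificates and counts against the CA rate limits
#   fuser -k 80/tcp
#   systemctl start nginx
#   systemctl start firewalld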
配置nginx
修改nginx配置文件
# Main nginx.conf. A "stream" block owns :443 and routes each connection by the
# TLS SNI name (ssl_preread: nothing is decrypted here) to a local listener; the
# "http" block keeps a plain catch-all on :80 and pulls per-site config from
# conf.d/. On a host with IPv6 disabled, leave the "listen [::]:..." lines
# commented out or nginx fails to bind.
# NOTE(review): the stream block needs the stream module (--with-stream or the
# nginx-mod-stream package); check "nginx -V" if startup complains about "stream".
cat > /etc/nginx/nginx.conf <<"EOF"
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 65535;
}

stream {
    # Local listeners for each service; TLS terminates there, not here.
    upstream trojan { server 127.0.0.1:57002; }
    upstream v2ray  { server 127.0.0.1:57001; }
    upstream web    { server 127.0.0.1:57003; }

    # Choose the upstream from the ClientHello SNI. Any other name, and a
    # missing SNI, lands on the web site.
    map $ssl_preread_server_name $sni_upstream {
        t.crosswall.online   trojan;
        v.crosswall.online   v2ray;
        www.crosswall.online web;
        default              web;
    }

    server {
        listen 443 reuseport;
        # listen [::]:443 reuseport;
        ssl_preread on;
        # NOTE(review): backends see 127.0.0.1 as the peer, so their access
        # logs lose the real client address unless PROXY protocol is enabled
        # end to end; not changed here.
        proxy_pass $sni_upstream;
    }
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Hide the nginx version in headers and error pages.
    server_tokens off;
    client_max_body_size 16M;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    # Plain-HTTP catch-all for hosts no conf.d server claims.
    server {
        listen 80 default_server;
        # listen [::]:80 default_server;
        server_name _;
        root /usr/share/nginx/html;
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
EOF
创建站点配置文件
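# Per-site config. The file name is kept as the page had it (v2ray.conf) even
# though it holds the WordPress site, the :80 redirects and the loopback decoy.
cat > /etc/nginx/conf.d/v2ray.conf <<"EOF"
# Real site. Bound to loopback: it is only reached through the SNI proxy on :443
# (stream upstream "web" -> 127.0.0.1:57003). The page listened on every
# interface, which let a client bypass the proxy by connecting to :57003 directly.
server {
    listen 127.0.0.1:57003 ssl http2;
    # Must match the certificate below, which was issued for www.crosswall.online
    # only; the page used crosswall.online here, producing a name mismatch.
    server_name www.crosswall.online;
    root /mnt/c/www;
    index index.html index.htm index.nginx-debian.html index.php;

    ssl_certificate /etc/letsencrypt/live/www.crosswall.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.crosswall.online/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 9.9.9.9 149.112.112.112 64.6.64.6 64.6.65.6 valid=60s;
    resolver_timeout 2s;
    ssl_buffer_size 4k;
    ssl_trusted_certificate /etc/letsencrypt/live/www.crosswall.online/chain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    location ~ \.php$ {
        # Only hand existing files to php-fpm. The page's "~* .php$" had an
        # unescaped dot and no existence check, so /upload.jpg/x.php could be
        # routed to the PHP interpreter.
        try_files $uri =404;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    }
}

# Apex name over HTTPS: present the certificate issued for it and send the
# visitor on to www, keeping the requested path.
server {
    listen 127.0.0.1:57003 ssl http2;
    server_name crosswall.online;
    ssl_certificate /etc/letsencrypt/live/crosswall.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/crosswall.online/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    return 301 https://www.crosswall.online$request_uri;
}

# Plain-HTTP entry points: redirect to HTTPS, preserving the path
# ($request_uri; the page dropped it and always landed on "/").
server {
    listen 80;
    server_name crosswall.online www.crosswall.online;
    return 301 https://www.crosswall.online$request_uri;
}
server {
    listen 80;
    server_name v.crosswall.online;
    return 301 https://v.crosswall.online$request_uri;
}
server {
    listen 80;
    server_name t.crosswall.online;
    return 301 https://t.crosswall.online$request_uri;
}

# Decoy site that trojan/v2ray hand non-proxy traffic to; loopback only.
server {
    listen 127.0.0.1:82 default_server;
    root /mnt/d/www;
    index index.html index.htm index.nginx-debian.html index.php;
}
EOF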
启动nginx
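# Validate the configuration first and only start/enable nginx if it parses;
# the page ran "nginx -t" but started the service regardless of the result.
nginx -t && systemctl start nginx && systemctl enable nginx && systemctl status nginx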
配置v2ray
下载安装
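# Download the installer to a file so it can be read before it runs as root;
# piping curl straight into bash executes unreviewed remote code. The same
# script file is reused for later upgrades.
curl -fsSL -o install-release.sh https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
less install-release.sh
bash install-release.sh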
创建v2ray配置文件
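# v2ray (VLESS over TLS) behind the SNI proxy (stream upstream "v2ray" ->
# 127.0.0.1:57001). The client id is the only credential: set V2RAY_UUID to a
# freshly generated value before running (e.g. V2RAY_UUID=$(uuidgen)); a UUID
# copied from a web page must never be used.
: "${V2RAY_UUID:?set V2RAY_UUID to a freshly generated UUID}"
cat > /usr/local/etc/v2ray/config.json <<EOF
{
  "log": {
    "loglevel": "warning"
  },
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "blocked",
        "type": "field"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 57001,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "${V2RAY_UUID}",
            "level": 0
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": 82
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "alpn": [
            "http/1.1"
          ],
          "certificates": [
            {
              "certificateFile": "/etc/letsencrypt/live/v.crosswall.online/fullchain.pem",
              "keyFile": "/etc/letsencrypt/live/v.crosswall.online/privkey.pem"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}
EOF
# "listen": "127.0.0.1" is new: the page left the inbound on all interfaces, so
# :57001 was reachable directly and the SNI proxy could be bypassed. Fallback
# traffic goes to the decoy nginx listener on 127.0.0.1:82.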
修改服务并启动
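# v2ray is installed to run as "nobody", which cannot read the Let's Encrypt
# private keys referenced in config.json. The page edited
# /etc/systemd/system/v2ray.service by hand to run it as root; that edit is lost
# on every upgrade, so use a drop-in instead (drop-ins survive upgrades; if the
# installer ships its own drop-in, check "systemctl cat v2ray" for conflicts).
# Preferable to User=root: make the key files readable by a dedicated group and
# grant it with SupplementaryGroups= here — not done on this page because the
# group/mode would have to be re-applied after each certificate renewal.
mkdir -p /etc/systemd/system/v2ray.service.d
cat > /etc/systemd/system/v2ray.service.d/override.conf <<'EOF'
[Service]
User=root
EOF
systemctl daemon-reload
systemctl start v2ray && systemctl enable v2ray && systemctl status v2ray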
配置trojan
下载安装
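# Download the installer to a file so it can be read before it runs as root;
# "bash -c $(curl ...)" executes unreviewed remote code.
curl -fsSL -o trojan-quickstart.sh https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh
less trojan-quickstart.sh
bash trojan-quickstart.sh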
创建trojan配置文件
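# trojan server behind the SNI proxy (stream upstream "trojan" -> 127.0.0.1:57002).
# The password is the only client credential; set TROJAN_PASSWORD before running
# (e.g. TROJAN_PASSWORD=$(openssl rand -hex 16)) instead of the short value the
# page hard-coded. Hex output avoids characters that would break the JSON.
: "${TROJAN_PASSWORD:?set TROJAN_PASSWORD to a freshly generated secret}"
# NOTE(review): alpn_port_override sends h2 clients to port 81, but nothing on
# this page listens on 81 (the decoy is 127.0.0.1:82); point it at a real
# listener or drop the override. Left as the page had it.
cat > /usr/local/etc/trojan/config.json <<EOF
{
    "run_type": "server",
    "local_addr": "127.0.0.1",
    "local_port": 57002,
    "remote_addr": "127.0.0.1",
    "remote_port": 82,
    "password": [
        "${TROJAN_PASSWORD}"
    ],
    "log_level": 3,
    "ssl": {
        "cert": "/etc/letsencrypt/live/t.crosswall.online/fullchain.pem",
        "key": "/etc/letsencrypt/live/t.crosswall.online/privkey.pem",
        "key_password": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
        "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "prefer_server_cipher": true,
        "alpn": [
            "http/1.1"
        ],
        "alpn_port_override": {
            "h2": 81
        },
        "reuse_session": true,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": ""
    },
    "tcp": {
        "prefer_ipv4": false,
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": false,
        "fast_open_qlen": 20
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 3306,
        "database": "trojan",
        "username": "trojan",
        "password": "",
        "cafile": ""
    }
}
EOF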
启动
# Apply the trojan configuration, make the service persistent, show its state.
systemctl restart trojan \
  && systemctl enable trojan \
  && systemctl status trojan
配置dns缓存
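# --- Local caching resolver: dnsmasq on loopback only ---
yum install dnsmasq -y
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
cat > /etc/dnsmasq.conf <<'EOF'
port=53
# Ignore /etc/resolv.conf (it is pointed back at ourselves below).
no-resolv
# Upstream resolvers; the page had only 1.1.1.1, with no fallback.
server=1.1.1.1#53
server=1.0.0.1#53
# Loopback only. bind-interfaces makes dnsmasq bind lo itself rather than
# 0.0.0.0 with filtering, so it can never answer on a public interface.
interface=lo
listen-address=127.0.0.1
bind-interfaces
cache-size=1000
EOF
# Point the system resolver at the cache. The immutable bit stops
# NetworkManager/dhclient rewriting the file, but also breaks anything that
# legitimately needs to; configuring DNS through NetworkManager is cleaner.
chattr -i /etc/resolv.conf && echo "nameserver 127.0.0.1" > /etc/resolv.conf && chattr +i /etc/resolv.conf
systemctl enable dnsmasq && systemctl restart dnsmasq && systemctl status dnsmasq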
之后升级v2ray
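# --- Upgrading v2ray later ---
# Re-fetch the installer and review it before running it as root again.
curl -fsSL -o install-release.sh https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
less install-release.sh
bash install-release.sh
# The upgrade rewrites /etc/systemd/system/v2ray.service, so a User= change made
# directly in that file (nobody -> root) is lost and must be re-applied here. A
# drop-in under /etc/systemd/system/v2ray.service.d/ survives upgrades and makes
# this step unnecessary.
vi /etc/systemd/system/v2ray.service
systemctl daemon-reload
systemctl restart v2ray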
再之后又换为acme.sh生成证书
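# --- Later switch from certbot to acme.sh ---
# Do NOT delete /etc/letsencrypt yet: conf.d/v2ray.conf, the v2ray config and the
# trojan config all still reference those paths. Re-point them at
# /etc/nginx/ssl/... first (see the end of this block).
yum remove certbot -y
rm -rf /usr/bin/letsencrypt
# Download the installer to a file and read it before running it.
curl -fsSL -o get-acme.sh https://get.acme.sh
less get-acme.sh
sh get-acme.sh
# Standalone issuance needs port 80 free, so both must stop. The page wrote a
# single "&" here, which backgrounds the first command instead of sequencing.
systemctl stop firewalld && systemctl stop nginx
# NOTE(review): recent acme.sh releases default to a CA other than Let's
# Encrypt; add "--server letsencrypt" if that is the CA you want.
~/.acme.sh/acme.sh --issue -d crosswall.online --standalone
~/.acme.sh/acme.sh --issue -d www.crosswall.online --standalone
~/.acme.sh/acme.sh --issue -d t.crosswall.online --standalone
~/.acme.sh/acme.sh --issue -d v.crosswall.online --standalone
# Create the target directories BEFORE writing into them (the page ran
# "openssl dhparam" into /etc/nginx/ssl before creating it).
mkdir -p /etc/nginx/ssl/crosswall.online /etc/nginx/ssl/www.crosswall.online \
         /etc/nginx/ssl/t.crosswall.online /etc/nginx/ssl/v.crosswall.online
openssl dhparam -out /etc/nginx/ssl/ssl-dhparams.pem 2048
# --reloadcmd is remembered by acme.sh and run after every automatic renewal, so
# the services actually pick up the new certificate.
~/.acme.sh/acme.sh --installcert -d crosswall.online --key-file /etc/nginx/ssl/crosswall.online/private.key --fullchain-file /etc/nginx/ssl/crosswall.online/cert.crt --reloadcmd "systemctl reload nginx"
~/.acme.sh/acme.sh --installcert -d www.crosswall.online --key-file /etc/nginx/ssl/www.crosswall.online/private.key --fullchain-file /etc/nginx/ssl/www.crosswall.online/cert.crt --reloadcmd "systemctl reload nginx"
~/.acme.sh/acme.sh --installcert -d t.crosswall.online --key-file /etc/nginx/ssl/t.crosswall.online/private.key --fullchain-file /etc/nginx/ssl/t.crosswall.online/cert.crt --reloadcmd "systemctl restart trojan"
~/.acme.sh/acme.sh --installcert -d v.crosswall.online --key-file /etc/nginx/ssl/v.crosswall.online/private.key --fullchain-file /etc/nginx/ssl/v.crosswall.online/cert.crt --reloadcmd "systemctl restart v2ray"
# NOTE(review): check the mode of /etc/nginx/ssl/*/private.key; the keys must not
# be world-readable, and any service reading them that does not run as root
# needs explicit access.
~/.acme.sh/acme.sh --upgrade --auto-upgrade
~/.acme.sh/acme.sh --list
# Bring the services back; the page never restarted them after issuance.
systemctl start nginx && systemctl start firewalld
# Only after nginx, v2ray and trojan all point at /etc/nginx/ssl/...:
#   rm -rf /etc/letsencrypt/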