如果你要旅行,你想去哪里?

Nginx 反代 Shadowsocks+Simple-obfs、V2ray+ws+cdn 共用端口

安装 shadowsocks、obfs

shadowsocks

安装依赖环境

# apt-get install -y --no-install-recommends gettext build-essential autoconf libtool libpcre3-dev asciidoc xmlto libev-dev libc-ares-dev automake libmbedtls-dev libsodium-dev wget vim git curl

下载源码

# wget --no-check-certificate https://github.com/shadowsocks/shadowsocks-libev/releases/download/v3.2.0/shadowsocks-libev-3.2.0.tar.gz
# tar xvf shadowsocks-libev-3.2.0.tar.gz && cd shadowsocks-libev-3.2.0

编译安装

# ./configure --prefix=/usr --disable-documentation
# make && make install

配置
# vim debian/config.json

{
    "server":"127.0.0.1", // loopback only: ss-server is reachable solely through the nginx reverse proxy configured below
    "server_port":8080, // must match the nginx proxy_pass port below
    "local_port":1080,
    "password":"123456", // placeholder -- replace with a long random secret before deploying
    "timeout":300,
    "method":"chacha20", // stream cipher; NOTE(review): the project recommends an AEAD method such as "chacha20-ietf-poly1305" -- confirm it is in this ss-server build's cipher list
    "plugin":"obfs-server",
    "plugin_opts":"obfs=http"
}

复制配置文件到 /etc/shadowsocks-libev

# mkdir /etc/shadowsocks-libev
# cp debian/config.json /etc/shadowsocks-libev/config.json

配置开机自启、启动、停止、重启脚本
# vim debian/shadowsocks-libev.default

USER=nobody
GROUP=nogroup

修改为

USER=root
GROUP=root
# cp debian/shadowsocks-libev.init /etc/init.d/shadowsocks-libev
# cp debian/shadowsocks-libev.default /etc/default/shadowsocks-libev
# chmod +x /etc/init.d/shadowsocks-libev
# update-rc.d shadowsocks-libev defaults

Simple-obfs

下载源码

# git clone https://github.com/shadowsocks/simple-obfs
# cd simple-obfs && git submodule init && git submodule update

编译安装

# ./autogen.sh
# ./configure --prefix=/usr --disable-documentation
# make && make install

启动 shadowsocks

# service shadowsocks-libev start

安装 V2ray

# bash <(curl -L -s https://install.direct/go.sh)

配置 v2ray
# vim /etc/v2ray/config.json

{
    "log": {
        "access": "/var/log/v2ray/access.log",
        "error": "/var/log/v2ray/error.log",
        "loglevel": "warning"
    },
    "inbound": {
        // NOTE(review): no "listen" address is set here. If this v2ray
        // version defaults to binding all interfaces (verify), port 10086
        // is reachable directly and bypasses the nginx/TLS front; consider
        // "listen": "127.0.0.1" or a host firewall rule for this port.
        "port": 10086,    // must match the nginx proxy_pass port below
        "protocol": "vmess",
        "settings": {
            "udp": true,
            "clients": [
                {
                    "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", // placeholder UUID -- generate a fresh one per deployment
                    "level": 1,
                    "alterId": 64
                }
            ]
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": {
                "path": "/home/wwwroot/default" // must match the nginx location path below
            }
        }
    },
    "outbound": {
        "protocol": "freedom",
        "settings": {}
    },
    "outboundDetour": [
        {
            "protocol": "blackhole",
            "settings": {},
            "tag": "blocked"
        }
    ],
    "routing": {
        "strategy": "rules",
        "settings": {
            "rules": [
                {
                    // Destinations in loopback, private and reserved ranges are
                    // routed to the "blocked" blackhole outbound, so proxy
                    // clients cannot reach services on this host or its
                    // internal networks through the proxy.
                    "type": "field",
                    "ip": [
                        "0.0.0.0/8",
                        "10.0.0.0/8",
                        "100.64.0.0/10",
                        "127.0.0.0/8",
                        "169.254.0.0/16",
                        "172.16.0.0/12",
                        "192.0.0.0/24",
                        "192.0.2.0/24",
                        "192.168.0.0/16",
                        "198.18.0.0/15",
                        "198.51.100.0/24",
                        "203.0.113.0/24",
                        "::1/128",
                        "fc00::/7",
                        "fe80::/10"
                    ],
                    "outboundTag": "blocked"
                }
            ]
        }
    }
}

启动 v2ray

# service v2ray start

安装 Nginx

# wget -c http://soft.vpser.net/lnmp/lnmp1.4.tar.gz && tar zxf lnmp1.4.tar.gz && cd lnmp1.4 && ./install.sh nginx

申请 SSL 证书

# curl https://get.acme.sh | sh
# cd ~/.acme.sh
# ./acme.sh --issue -d abc.com -d *.abc.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

按照提示添加 TXT 解析记录以验证域名

# ./acme.sh --renew -d abc.com -d *.abc.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

配置 nginx conf
# vim /usr/local/nginx/conf/nginx.conf

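user  www www;

worker_processes auto;

error_log  /home/wwwlogs/nginx_error.log  crit;

pid        /usr/local/nginx/logs/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

events {
        use epoll;
        worker_connections 51200;
        multi_accept on;
}

http {
        include       mime.types;
        default_type  application/octet-stream;

        server_names_hash_bucket_size 128;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;
        client_max_body_size 50m;

        sendfile   on;
        tcp_nopush on;

        keepalive_timeout 60;

        tcp_nodelay on;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 64k;
        fastcgi_buffers 4 64k;
        fastcgi_busy_buffers_size 128k;
        fastcgi_temp_file_write_size 256k;

        gzip on;
        gzip_min_length  1k;
        gzip_buffers     4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
        gzip_vary on;
        gzip_proxied   expired no-cache no-store private auth;
        gzip_disable   "MSIE [1-6]\.";

        #limit_conn_zone $binary_remote_addr zone=perip:10m;
        ##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.

        server_tokens off;
        access_log off;

# Default server on port 80: reverse proxy for shadowsocks + simple-obfs
# (obfs=http). The upstream port must match "server_port" in the
# shadowsocks config above.
server {
        listen 80 default_server;
        server_name _;

        location = / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade "websocket";
            proxy_set_header Connection "upgrade";
            # Only requests carrying "Upgrade: websocket" are handed to
            # obfs-server. Any other request never reaches proxy_pass and is
            # served from this server's default document root instead.
            if ($http_upgrade = "websocket") {
                proxy_pass http://127.0.0.1:8080;
            }
        }

        access_log  /home/wwwlogs/access.log;
}

server {
        listen 80;
        listen 443 ssl http2;
        server_name abc.com;

        # Plain-HTTP requests for abc.com are redirected to HTTPS.
        if ( $scheme = http ){
            return 301 https://$server_name$request_uri;
        }

        index index.html index.htm index.php;
        root  /home/wwwroot/default;

# TLS settings
        # "ssl on;" is intentionally absent: it would mark every listen of
        # this server (port 80 included) as TLS and break the redirect above
        # ("plain HTTP request was sent to HTTPS port"). The ssl parameter on
        # "listen 443" already enables TLS where it belongs.
        #
        # NOTE(review): acme.sh treats ~/.acme.sh/<domain>/ as internal
        # storage; for a stable path and automatic reloads on renewal,
        # prefer "acme.sh --install-cert -d abc.com --key-file ...
        # --fullchain-file ... --reloadcmd 'service nginx reload'".
        ssl_certificate /root/.acme.sh/abc.com/fullchain.cer;
        ssl_certificate_key /root/.acme.sh/abc.com/abc.com.key;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 removed: deprecated protocol versions. Add
        # TLSv1.3 once the nginx/OpenSSL build in use supports it.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        # 3DES suites removed (64-bit block cipher). ECDHE suites are listed
        # first so forward-secret key exchange is preferred; the RSA-kx
        # suites at the end only serve old clients and can be dropped.
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:EECDH+AES256:RSA+AES128:RSA+AES256:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;

# Reverse proxy for v2ray (vmess over WebSocket). Port and path must match
# "port" and "wsSettings.path" in /etc/v2ray/config.json above.
        # Prefix match: every URI starting with this string goes upstream.
        # Unlike the "/" location in the default server there is no
        # $http_upgrade gate, so plain (non-WebSocket) requests for this
        # path are forwarded to v2ray as well instead of being served
        # from root.
        location /home/wwwroot/default {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10086;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
        }

        # stub_status reveals connection counters; keep it reachable from
        # the host only rather than from the public internet.
        location /nginx_status
        {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            deny all;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        # Regex locations are tried in file order, so this one must stay
        # above the "/\." deny below for /.well-known/ (ACME HTTP
        # challenges) to remain reachable.
        location ~ /.well-known {
            allow all;
        }

        # Deny every other dot-file / dot-directory (e.g. .git, .env).
        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/access.log;
    }

}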

重启 nginx

# /etc/init.d/nginx restart
2018/05/29