人在家中坐,祸从天上来。没想到nginx服务自己莫名其妙停掉了,考虑到之前自建的地基也是别人给搞的,可能不太牢靠,所以这次要自食其力。

先找教程,过程波折。没有梯子打不开教程,打不开教程没办法学习自建。我在痛苦的死循环中挣扎了大概10多分钟,拿出了备用梯子,紧急上网,也不敢多用,万一又炸了呢,我站子还在上面呢。

一、基本搭建

1. 配置SSL证书

yum install -y python36 && pip3 install certbot #安装Certbot
systemctl stop firewalld && systemctl disable firewalld #停止防火墙
certbot certonly --standalone --agree-tos -n -d example.com -m email #申请SSL证书
echo "0 0 1 */2 * service nginx stop; certbot renew; service nginx start;" | crontab #证书自动更新

2. 安装V2Ray & Nginx

  1. 一键安装 1
yum install -y curl && yum install -y nginx && bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

没有Nginx安装源 某些VPS商家提供的系统中,没有带nginx的安装源。因此在运行V2Ray和Nginx的一键安装命令时会出现以下错误:

Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile *base: xxxxxx *extras: xxxxxx *updates: xxxxxx No package nginx available. Error: Nothing to do

解决办法:手动添加安装源即可,根据你的系统版本,运行以下命令:

rpm -ivh https://nginx.org/packages/centos/7/x86_64/RPMS/nginx-1.18.0-1.el7.ngx.x86_64.rpm #CentOS7:(这是大多数VPS的系统版本)
rpm -ivh https://nginx.org/packages/centos/8/x86_64/RPMS/nginx-1.18.0-1.el8.ngx.x86_64.rpm #CentOS8
  1. 关闭SELinux
setsebool -P httpd_can_network_connect 1 && wetenforec 0

3. 配置V2Ray & Nginx

  1. V2Ray配置文件2

nano /usr/local/etc/v2ray/config.json

{
    "log": {
        "loglevel": "warning"
    },
    "routing": {
        "domainStrategy": "AsIs",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "block"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 8964,
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": ""/*UUID, www.uuidgenerator.net */
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {"path": "/"},/*websocket路径随机字符串*/
                "security": "tls"
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "tag": "block"
        }
    ]
}
  1. Nginx配置文件

nano /etc/nginx/conf.d/default.conf

server {
    server_name ;/*填写域名*/

    listen 80 reuseport fastopen=10;
    rewrite ^(.*) https://$server_name$1 permanent;
    if ($request_method  !~ ^(POST|GET)$) { return  501; }
    autoindex off;
    server_tokens off;
}

server {
    ssl_certificate /etc/letsencrypt/live/example/fullchain.pem;

    ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;

    location / /*v2ray配置文件中的websocket路径*/
    {
        proxy_pass http://127.0.0.1:8964;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_requests 10000;
        keepalive_timeout 2h;
        proxy_buffering off;
    }

    listen 443 ssl reuseport fastopen=10;
    server_name $server_name;
    charset utf-8;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_requests 10000;
    keepalive_timeout 2h;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:SSL:60m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    if ($request_method  !~ ^(POST|GET)$) { return 501; }
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=31536000 always;
    autoindex off;
    server_tokens off;

    access_log /var/log/nginx/nginx_access.log;
    error_log /var/log/nginx/nginx_error.log;

    index index.html index.htm index.php;
    root /usr/share/nginx/html;
    location ~ .*\.(js|jpg|JPG|jpeg|JPEG|css|bmp|gif|GIF|png)$ { access_log off; }
}

4. 验证配置3

/usr/local/bin/v2ray -test -config=/usr/local/etc/v2ray/config.json
nginx -t

5. 启动服务

service v2ray start
service nginx start

二、进一步强化

1. 加固服务器

防火墙

2. 配置CDN

cloudflare开启代理

3. 使用BBR加速

4. 自行编译Nginx

成果

结果我又失败了

  1. 伪装路径没有正确显示bad gateway

  2. v2ray显示握手失败

[Warning] failed to handler mux client connection > v2ray.com/core/proxy/vmess/outbound: failed to find an available destination > v2ray.com/core/common/retry: [v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://ip:port/path): > dial tcp ip:port: connectex: No connection could be made because the target machine actively refused it.] > v2ray.com/core/common/retry: all retry attempts failed

参考

V2Ray翻墙完全教程(WS+TLS+Web)

  1. 更新v2ray一键安装地址 ↩︎

  2. 更新v2ray配置文件存放地址 ↩︎

  3. 更具最新v2ray目录结构,更新测试命令 ↩︎