V2ray+Nginx实现WebSocket+TLS伪装代理

相比于SS，V2ray设置太麻烦了，对于移动端来说太耗电，对于硬路由来说性能开销太大。但是现在要干扰SS实在太简单，所以不得不未雨绸缪了。花了很大的功夫才利用V2ray+Nginx配置好WebSocket+TLS，同时不影响原来的网站。将V2ray藏在Nginx后面，使用 TLS 加密流量，看起来更像HTTPS。

安装V2ray和Nginx

参考以下两个链接分别安装Nginx和V2ray，其中V2ray是在客户端和服务器上都要安装的，跟SS不同，V2ray不分服务端和客户端。Nginx只需服务器安装就可以了。
V2ray官方Linux下安装指南
我之前写过编译安装和配置Nginx的博文

服务端设置

官方的教程说得已经很清楚了，Nginx的配置和V2ray的配置都提到了，可以先做个参考 V2ray官方白话文配置教程
服务器上的配置我跟官方差不多，直接贴出配置。
Nginx配置

user  root;
worker_processes  2;

pid        /var/run/nginx.pid;
error_log /var/log/nginx_error.log;

events {
	use epoll;
	worker_connections  1024;
	multi_accept on;
}


http {
	include       mime.types;
	default_type  application/octet-stream;
	charset utf-8;
	sendfile on;
	tcp_nopush     on;
	tcp_nodelay on;
	keepalive_timeout  60;
	client_header_buffer_size 4k;
	open_file_cache max=102400 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 1;
	client_header_timeout 15;
	client_body_timeout 15;
	reset_timedout_connection on;
	send_timeout 15;
	gzip on;
	gzip_disable "msie6";
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 3;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
	server_tokens off;
	access_log  /var/log/nginx_access.log;

	server {
		listen      443 ssl;
		server_name  weiyangbo.com www.weiyangbo.com; #此处填你网站的域名
		#下面两行是你的ssl证书的路径
		ssl_certificate /etc/nginx/cert/xxxxxxx.pem;
		ssl_certificate_key /etc/nginx/cert/xxxxxxx.key;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_prefer_server_ciphers on;
		ssl_session_timeout 5m;
		ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
		root /www; #此处填你的网站目录
		location / {
			expires 10h;
			fancyindex on;
			fancyindex_exact_size off;
			fancyindex_localtime on;
			fancyindex_header "/fancyindex/header.html";
			fancyindex_footer "/fancyindex/footer.html";
			fancyindex_ignore "fancyindex" "Download";  #可以自定义文件服务器中不显示的文件或文件夹
			fancyindex_name_length 500;
		}
		#这是防盗链设置
		location ~*  ^.+\.(jpg|gif|png|img|apk|tar.gz|wmv|jpeg|mp3|mp4|zip|rar)$ {
			valid_referers none blocked www.weiyangbo.com weiyangbo.com;
			if ($invalid_referer){
				return 403;
				break;
			}
			access_log off;
		}
		location /v2ray/ { #这一段就是用于V2ray的反向代理
			proxy_redirect off;
			proxy_pass http://127.0.0.1:10000;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";
			proxy_set_header Host $http_host;
		}
	}
	#重定向80端口的全部http请求去https
	server {
		listen 80;
		server_name weiyangbo.com www.weiyangbo.com; #网站域名，跟上面保持一致
		return 301 https://$server_name$request_uri;
	}
}

Nginx配置写完之后可以用nginx -t命令检查一下Nginx的配置文件有没有语法错误。然后nginx -s reload重启Nginx。
还有V2ray的服务端配置，默认在/etc/v2ray/config.json

{
  "log" : {
   "access": "/var/log/v2ray/access.log",
   "error": "/var/log/v2ray/error.log",
   "loglevel": "warning"
 },
  "inbound": {
   "port": 10000,
   "listen": "127.0.0.1",
   "protocol": "vmess",
   "settings": {
    "clients": [
     {
      "id": "8335737e-124e-4935-818a-31501e43c819",
	  "alterId": 64
	 }
   ]
  },
   "streamSettings":
  {
    "network": "ws",
    "wsSettings": {
    "path": "/v2ray/"
   }
  }
 },
  "outbound": {
   "protocol": "freedom",
   "settings": {}
 },
  "outboundDetour": [
   {
    "protocol": "blackhole",
    "settings": {
   },
    "tag": "blocked"
  }
 ],
  "routing": {
   "strategy": "rules",
   "settings": {
    "rules": [
     {
      "type": "field",
      "ip": [
       "0.0.0.0/8",
       "10.0.0.0/8",
       "100.64.0.0/10",
       "127.0.0.0/8",
       "169.254.0.0/16",
       "172.16.0.0/12",
       "192.0.0.0/24",
       "192.0.2.0/24",
       "192.168.0.0/16",
       "198.18.0.0/15",
       "198.51.100.0/24",
       "203.0.113.0/24",
       "::1/128",
       "fc00::/7",
       "fe80::/10"
     ],
      "outboundTag": "blocked"
    }
   ]
  }
 }
}

V2ray配置完之后可以用命令/usr/bin/v2ray/v2ray -test /etc/v2ray/config.json命令检查V2ray的配置文件是否有语法错误。接着用systemctl start v2ray来启动。
需要注意的是：
1、Nginx配置里面的location字段必须和V2ray中的path一模一样，连“/”也不可以省略。
2、Nginx配置里面的proxy_pass后面的端口，必须保持和V2ray中的port一致，同时注意SElinux是否允许Nginx做转发。

客户端配置

我在官方的基础上做了较大改动，参考了Kitsunebi大神的这篇帖子，在客户端实现了自动分流（绕过国内IP）和DNS防投毒。下面直接贴出我的配置

{
  "inbounds": [
    {
      "port": 1080,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "weiyangbo.com",
            "port": 443,
            "users": [
              {
                "id": "8335737e-124e-4935-818a-31501e43c819",
                "alterId": 64,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "tlsSettings": {
          "serverName": "weiyangbo.com"
        },
        "wsSettings": {
          "path": "/v2ray/"
        }
      },
      "tag": "proxy"
    },
    {
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIP"
      },
      "streamSettings": {},
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "block"
    },
    {
      "protocol": "dns",
      "tag": "dns-out"
    }
  ],
  "dns": {
    "clientIp": "115.239.211.92",
    "hosts": {
      "localhost": "127.0.0.1"
    },
    "servers": [
      "114.114.114.114",
      {
        "address": "8.8.8.8",
        "domains": [
          "google",
          "android",
          "fbcdn",
          "facebook",
          "domain:fb.com",
          "instagram",
          "whatsapp",
          "akamai",
          "domain:line-scdn.net",
          "domain:line.me",
          "domain:naver.jp"
        ],
        "port": 53
      }
    ]
  },
  "log": {
    "loglevel": "warning"
  },
  "policy": {
    "levels": {
      "0": {
        "bufferSize": 4096,
        "connIdle": 30,
        "downlinkOnly": 0,
        "handshake": 4,
        "uplinkOnly": 0
      }
    }
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "inboundTag": [
          "tun2socks"
        ],
        "network": "udp",
        "port": 53,
        "outboundTag": "dns-out",
        "type": "field"
      },
      {
        "domain": [
          "domain:setup.icloud.com"
        ],
        "outboundTag": "proxy",
        "type": "field"
      },
      {
        "ip": [
          "8.8.8.8/32",
          "8.8.4.4/32",
          "1.1.1.1/32",
          "1.0.0.1/32",
          "9.9.9.9/32",
          "149.112.112.112/32",
          "208.67.222.222/32",
          "208.67.220.220/32"
        ],
        "outboundTag": "proxy",
        "type": "field"
      },
      {
        "ip": [
          "geoip:cn",
          "geoip:private"
        ],
        "outboundTag": "direct",
        "type": "field"
      },
      {
        "outboundTag": "direct",
        "port": "123",
        "type": "field"
      },
      {
        "domain": [
          "domain:pstatp.com",
          "domain:snssdk.com",
          "domain:toutiao.com",
          "domain:ixigua.com",
          "domain:apple.com",
          "domain:crashlytics.com",
          "domain:icloud.com",
          "cctv",
          "umeng",
          "domain:weico.cc",
          "domain:jd.com",
          "domain:360buy.com",
          "domain:360buyimg.com",
          "domain:douyu.tv",
          "domain:douyu.com",
          "domain:douyucdn.cn",
          "geosite:cn"
        ],
        "outboundTag": "direct",
        "type": "field"
      },
      {
        "ip": [
          "149.154.167.0/24",
          "149.154.175.0/24",
          "91.108.56.0/24",
          "125.209.222.0/24"
        ],
        "outboundTag": "proxy",
        "type": "field"
      },
      {
        "domain": [
          "twitter",
          "domain:twimg.com",
          "domain:t.co",
          "google",
          "domain:ggpht.com",
          "domain:gstatic.com",
          "domain:youtube.com",
          "domain:ytimg.com",
          "pixiv",
          "domain:pximg.net",
          "tumblr",
          "instagram",
          "domain:line-scdn.net",
          "domain:line.me",
          "domain:naver.jp",
          "domain:facebook.com",
          "domain:fbcdn.net",
          "pinterest",
          "github",
          "dropbox",
          "netflix",
          "domain:medium.com",
          "domain:fivecdm.com"
        ],
        "outboundTag": "proxy",
        "type": "field"
      }
    ],
    "strategy": "rules"
  }
}

需要注意的是：
客户端配置需要注意在outbounds里面的protocol、settings、 streamSettings三个字段下的所有值必须和服务器端一致，不然连不上。不过有一个例外，那就是settings下的security，因为v2ray的加密算法是客户端与服务器协商的，服务器没有强制，客户端可以随意，我这里填的是auto。
V2ray配置完之后可以用命令/usr/bin/v2ray/v2ray -test /etc/v2ray/config.json命令检查是否有语法错误。接着用systemctl start v2ray来启动。

使用&测试

用ps auxw | grep v2ray分别检查服务器和客户端（本地）的v2ray是否正常运行。既可以在网络代理中设置系统代理，也可以在本地终端设置socksv5代理(仅在当前终端有效)：

export http_proxy="socks5://127.0.0.1:1080"
export https_proxy="socks5://127.0.0.1:1080"

可以用curl检测你当前的访问外网IP

curl ip.sb

根据curl返回的结果，可以判断代理是否设置正确。
1、如果返回的是本地计算机的外网IP，说明你的本地socksv5代理设置没有生效。
2、如果返回HTTP错误代码（404或者400之类的），检查Nginx与V2ray服务端的设置，也可以找找Nginx的日志找找线索。
3、当然返回服务器的外网IP是最好的情况。

总结

V2ray配置虽然麻烦，但是相较于SS优势明显
1、隐蔽性好。虽然道高一尺，魔高一丈，但是目前来说V2ray这种方法还是不容易被干扰的。
2、由于V2ray内建了DNS服务器和路由功能，不需要像SS那样配置路由表和安装额外的DNS服务器，算是一个一揽子解决方案。而且V2ray的socksv5代理支持转发DNS查询到内建的DNS服务器（明显SS并不支持转发DNS结果），可以直接将V2ray的socksv5代理设置为系统代理，上游DNS服务器不需要改动，国内域名还是国内DNS解析并且直连，国外域名用国外DNS服务器的解析结果并且走代理。