
V2ray + Nginx: a disguised proxy over WebSocket + TLS

Compared with SS (Shadowsocks), V2ray is far more troublesome to set up, drains more battery on mobile devices, and carries too much performance overhead for a hardware router. But interfering with SS has become far too easy, so it is time to prepare in advance. It took considerable effort to get WebSocket + TLS working with V2ray and Nginx without affecting the existing website. V2ray is hidden behind Nginx and the traffic is encrypted with TLS, so it looks more like ordinary HTTPS.

Installing V2ray and Nginx

Follow the two links below to install Nginx and V2ray respectively. V2ray has to be installed on both the client and the server: unlike SS, V2ray does not have separate server and client builds. Nginx only needs to be installed on the server.
V2ray official Linux installation guide
My earlier post on compiling, installing and configuring Nginx

Server-side setup

The official tutorial already explains this clearly and covers both the Nginx and the V2ray configuration, so it is a good first reference: V2ray official plain-language configuration tutorial
My server configuration is close to the official one; here it is verbatim.
Nginx configuration

```nginx
user root;  # workers run as root here; a dedicated low-privilege user (nginx/www-data) is the usual least-privilege choice
worker_processes 2;

pid /var/run/nginx.pid;
error_log /var/log/nginx_error.log;

events {
    use epoll;
    worker_connections 1024;
    multi_accept on;
}


http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    client_header_buffer_size 4k;
    open_file_cache max=102400 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    client_header_timeout 15;
    client_body_timeout 15;
    reset_timedout_connection on;
    send_timeout 15;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 3;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    server_tokens off;
    access_log /var/log/nginx_access.log;

    server {
        listen 443 ssl;
        server_name weiyangbo.com www.weiyangbo.com; # put your site's domain name here
        # the next two lines are the paths to your SSL certificate and key
        ssl_certificate /etc/nginx/cert/xxxxxxx.pem;
        ssl_certificate_key /etc/nginx/cert/xxxxxxx.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); a new deployment should keep only TLSv1.2 and TLSv1.3
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        root /www; # your web root
        location / {
            expires 10h;
            fancyindex on;
            fancyindex_exact_size off;
            fancyindex_localtime on;
            fancyindex_header "/fancyindex/header.html";
            fancyindex_footer "/fancyindex/footer.html";
            fancyindex_ignore "fancyindex" "Download"; # files or folders to hide from the file index can be customised here
            fancyindex_name_length 500;
        }
        # hotlink protection
        location ~* ^.+\.(jpg|gif|png|img|apk|tar.gz|wmv|jpeg|mp3|mp4|zip|rar)$ {
            valid_referers none blocked www.weiyangbo.com weiyangbo.com;
            if ($invalid_referer){
                return 403;
                break;
            }
            access_log off;
        }
        location /v2ray/ { # this block is the reverse proxy for V2ray
            proxy_redirect off;
            proxy_pass http://127.0.0.1:10000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
        }
    }
    # redirect all HTTP requests on port 80 to HTTPS
    server {
        listen 80;
        server_name weiyangbo.com www.weiyangbo.com; # site domain name, same as above
        return 301 https://$server_name$request_uri;
    }
}
```

After writing the Nginx configuration, run nginx -t to check the configuration file for syntax errors, then nginx -s reload to reload Nginx.
Next is the V2ray server configuration, by default at /etc/v2ray/config.json

```json
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "port": 10000,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "8335737e-124e-4935-818a-31501e43c819",
          "alterId": 64
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/v2ray/"
      }
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  },
  "outboundDetour": [
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10"
          ],
          "outboundTag": "blocked"
        }
      ]
    }
  }
}
```

Once V2ray is configured, check the configuration file for syntax errors with /usr/bin/v2ray/v2ray -test /etc/v2ray/config.json, then start it with systemctl start v2ray.
Points to note:
1. The location in the Nginx configuration must be exactly identical to the path in the V2ray configuration; even the trailing "/" must not be omitted.
2. The port after proxy_pass in the Nginx configuration must match the port in the V2ray configuration; also check whether SELinux allows Nginx to open the forwarding connection.
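Both points above (an exact path match including the trailing slash, and a proxy_pass port equal to the inbound port) can be checked mechanically before reloading anything. The script below is an added example, not code from this post or from the Nginx or V2ray projects. It extracts simple prefix `location` blocks from an Nginx config with a regular expression (regex locations and nested blocks are skipped), and reads the V2ray config in either the legacy single-`inbound` layout used above or the v4 `inbounds` list. The embedded Nginx fragment and V2ray config are constructed samples with a placeholder UUID. As a third check it flags a location that lacks `proxy_http_version 1.1` and the `Upgrade` header, without which the WebSocket handshake cannot complete.

```python
"""Cross-check Nginx reverse-proxy locations against V2ray WebSocket inbounds."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed sample: the relevant fragment of an Nginx server block.
NGINX_CONF = """
server {
    listen 443 ssl;
    location / { root /www; }
    location /v2ray/ {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}
"""

# Constructed sample V2ray server config (legacy single-"inbound" layout, placeholder UUID).
V2RAY_SERVER_CONF = json.dumps({
    "inbound": {
        "port": 10000, "listen": "127.0.0.1", "protocol": "vmess",
        "settings": {"clients": [{"id": "00000000-0000-0000-0000-000000000000", "alterId": 64}]},
        "streamSettings": {"network": "ws", "wsSettings": {"path": "/v2ray/"}},
    }
})


@dataclass
class Location:
    path: str
    upstream_host: str
    upstream_port: int
    has_upgrade: bool  # proxy_http_version 1.1 and Upgrade header both present


# Matches "location <path> { ... }" with no nested braces; regex locations such as
# "location ~* ..." do not match because the path is followed by a pattern, not "{".
LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{([^{}]*)\}", re.S)
PROXY_PASS_RE = re.compile(r"proxy_pass\s+https?://([^:/;\s]+)(?::(\d+))?")


def parse_locations(conf: str) -> list[Location]:
    """Return every simple location block that proxies to an upstream."""
    locs = []
    for m in LOCATION_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        pp = PROXY_PASS_RE.search(body)
        if not pp:
            continue  # static location, nothing to cross-check
        host, port = pp.group(1), int(pp.group(2) or 80)
        has_upgrade = (bool(re.search(r"proxy_set_header\s+Upgrade\s", body))
                       and "proxy_http_version 1.1" in body)
        locs.append(Location(path, host, port, has_upgrade))
    return locs


def ws_inbounds(cfg: dict) -> list[dict]:
    """Collect WebSocket inbounds from either the legacy or the v4 config layout."""
    inbounds = list(cfg.get("inbounds", []))          # v4: list
    if "inbound" in cfg:
        inbounds.append(cfg["inbound"])                # legacy: single object
    inbounds.extend(cfg.get("inboundDetour", []))      # legacy: extra inbounds
    return [ib for ib in inbounds if ib.get("streamSettings", {}).get("network") == "ws"]


def check(nginx_conf: str, v2ray_conf: str) -> list[str]:
    """Return a list of mismatches; an empty list means the two configs agree."""
    problems = []
    locs = {loc.path: loc for loc in parse_locations(nginx_conf)}
    for ib in ws_inbounds(json.loads(v2ray_conf)):
        path = ib["streamSettings"].get("wsSettings", {}).get("path", "/")
        loc = locs.get(path)
        if loc is None:
            # A location differing only by the trailing slash is the classic mistake.
            near = [p for p in locs if p.rstrip("/") == path.rstrip("/")]
            hint = f" (did you mean {near[0]!r}? the trailing slash must match)" if near else ""
            problems.append(f"no Nginx location exactly equal to ws path {path!r}{hint}")
            continue
        if str(loc.upstream_port) != str(ib.get("port")):
            problems.append(f"{path}: proxy_pass port {loc.upstream_port} != inbound port {ib.get('port')}")
        if "listen" in ib and loc.upstream_host != ib["listen"]:
            problems.append(f"{path}: proxy_pass host {loc.upstream_host} != inbound listen {ib['listen']}")
        if not loc.has_upgrade:
            problems.append(f"{path}: missing proxy_http_version 1.1 / Upgrade header, WebSocket handshake will fail")
    return problems


if __name__ == "__main__":
    for line in check(NGINX_CONF, V2RAY_SERVER_CONF) or ["OK: Nginx location and V2ray inbound agree"]:
        print(line)
```

Run it against the real files by replacing the two constants with the contents of nginx.conf and /etc/v2ray/config.json. The SELinux part of point 2 is not something a config parser can see: on SELinux hosts the boolean httpd_can_network_connect controls whether Nginx may open the upstream connection at all, and getsebool httpd_can_network_connect shows its current state.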

Client configuration

I made substantial changes to the official example, following this post by Kitsunebi, to get automatic traffic splitting (Chinese IPs bypass the proxy) and DNS anti-poisoning on the client. Here is my configuration.

```json
{
  "inbounds": [
    {
      "port": 1080,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "weiyangbo.com",
            "port": 443,
            "users": [
              {
                "id": "8335737e-124e-4935-818a-31501e43c819",
                "alterId": 64,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "tlsSettings": {
          "serverName": "weiyangbo.com"
        },
        "wsSettings": {
          "path": "/v2ray/"
        }
      },
      "tag": "proxy"
    },
    {
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIP"
      },
      "streamSettings": {},
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "block"
    },
    {
      "protocol": "dns",
      "tag": "dns-out"
    }
  ],
  "dns": {
    "clientIp": "115.239.211.92",
    "hosts": {
      "localhost": "127.0.0.1"
    },
    "servers": [
      "114.114.114.114",
      {
        "address": "8.8.8.8",
        "domains": [
          "google",
          "android",
          "fbcdn",
          "facebook",
          "domain:fb.com",
          "instagram",
          "whatsapp",
          "akamai",
          "domain:line-scdn.net",
          "domain:line.me",
          "domain:naver.jp"
        ],
        "port": 53
      }
    ]
  },
  "log": {
    "loglevel": "warning"
  },
  "policy": {
    "levels": {
      "0": {
        "bufferSize": 4096,
        "connIdle": 30,
        "downlinkOnly": 0,
        "handshake": 4,
        "uplinkOnly": 0
      }
    }
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "inboundTag": [
          "tun2socks"
        ],
        "network": "udp",
        "port": 53,
        "outboundTag": "dns-out",
        "type": "field"
      },
      {
        "domain": [
          "domain:setup.icloud.com"
        ],
        "outboundTag": "proxy",
        "type": "field"
      },
      {
        "ip": [
          "8.8.8.8/32",
          "8.8.4.4/32",
          "1.1.1.1/32",
          "1.0.0.1/32",
          "9.9.9.9/32",
          "149.112.112.112/32",
          "208.67.222.222/32",
          "208.67.220.220/32"
        ],
        "outboundTag": "proxy",
        "type": "field"
      },
      {
        "ip": [
          "geoip:cn",
          "geoip:private"
        ],
        "outboundTag": "direct",
        "type": "field"
      },
      {
        "outboundTag": "direct",
        "port": "123",
        "type": "field"
      },
      {
        "domain": [
          "domain:pstatp.com",
          "domain:snssdk.com",
          "domain:toutiao.com",
          "domain:ixigua.com",
          "domain:apple.com",
          "domain:crashlytics.com",
          "domain:icloud.com",
          "cctv",
          "umeng",
          "domain:weico.cc",
          "domain:jd.com",
          "domain:360buy.com",
          "domain:360buyimg.com",
          "domain:douyu.tv",
          "domain:douyu.com",
          "domain:douyucdn.cn",
          "geosite:cn"
        ],
        "outboundTag": "direct",
        "type": "field"
      },
      {
        "ip": [
          "149.154.167.0/24",
          "149.154.175.0/24",
          "91.108.56.0/24",
          "125.209.222.0/24"
        ],
        "outboundTag": "proxy",
        "type": "field"
      },
      {
        "domain": [
          "twitter",
          "domain:twimg.com",
          "domain:t.co",
          "google",
          "domain:ggpht.com",
          "domain:gstatic.com",
          "domain:youtube.com",
          "domain:ytimg.com",
          "pixiv",
          "domain:pximg.net",
          "tumblr",
          "instagram",
          "domain:line-scdn.net",
          "domain:line.me",
          "domain:naver.jp",
          "domain:facebook.com",
          "domain:fbcdn.net",
          "pinterest",
          "github",
          "dropbox",
          "netflix",
          "domain:medium.com",
          "domain:fivecdm.com"
        ],
        "outboundTag": "proxy",
        "type": "field"
      }
    ],
    "strategy": "rules"
  }
}
```

Points to note:
In the client configuration, every value under the three fields protocol, settings and streamSettings in outbounds must match the server, or the connection will fail. The one exception is security under settings: V2ray's encryption method is negotiated between client and server and the server does not enforce one, so the client may choose freely; I use auto here.
Once V2ray is configured, check for syntax errors with /usr/bin/v2ray/v2ray -test /etc/v2ray/config.json, then start it with systemctl start v2ray.
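The matching rule above (protocol, settings and streamSettings must agree with the server, with security left to negotiation) can also be verified before restarting anything. The script below is an added example, not code from this post or from the V2ray project; its server and client configurations are constructed, trimmed copies of the two layouts shown above, with a placeholder UUID and example.com in place of the real domain. One detail the check has to know about this layout: TLS is terminated by Nginx on port 443, so the client's "security": "tls" has no counterpart in the V2ray server config and is only checked for presence. The script goes slightly beyond the post in a second function that verifies every outboundTag and inboundTag referenced by the routing rules names a declared outbound or inbound; a rule like the tun2socks one above, whose inboundTag no inbound in this client config carries, is reported as inert rather than wrong.

```python
"""Check a V2ray client config against the server config it must match."""
from __future__ import annotations

# Constructed sample server config (legacy single-"inbound" layout, placeholder UUID).
SERVER = {
    "inbound": {
        "port": 10000, "listen": "127.0.0.1", "protocol": "vmess",
        "settings": {"clients": [{"id": "00000000-0000-0000-0000-000000000000", "alterId": 64}]},
        "streamSettings": {"network": "ws", "wsSettings": {"path": "/v2ray/"}},
    }
}

# Constructed sample client config (v4 "inbounds"/"outbounds" layout), trimmed to what the checks read.
CLIENT = {
    "inbounds": [{"port": 1080, "listen": "127.0.0.1", "protocol": "socks",
                  "settings": {"auth": "noauth", "udp": False}}],
    "outbounds": [
        {"protocol": "vmess", "tag": "proxy",
         "settings": {"vnext": [{"address": "example.com", "port": 443,
                                 "users": [{"id": "00000000-0000-0000-0000-000000000000",
                                            "alterId": 64, "security": "auto"}]}]},
         "streamSettings": {"network": "ws", "security": "tls",
                            "tlsSettings": {"serverName": "example.com"},
                            "wsSettings": {"path": "/v2ray/"}}},
        {"protocol": "freedom", "tag": "direct", "settings": {"domainStrategy": "UseIP"}},
        {"protocol": "blackhole", "tag": "block", "settings": {}},
        {"protocol": "dns", "tag": "dns-out"},
    ],
    "routing": {"rules": [
        {"type": "field", "inboundTag": ["tun2socks"], "network": "udp", "port": 53, "outboundTag": "dns-out"},
        {"type": "field", "ip": ["geoip:cn", "geoip:private"], "outboundTag": "direct"},
        {"type": "field", "domain": ["geosite:cn"], "outboundTag": "direct"},
    ]},
}


def server_inbounds(cfg: dict) -> list[dict]:
    """Accept both the legacy (inbound/inboundDetour) and the v4 (inbounds) layout."""
    ibs = list(cfg.get("inbounds", []))
    if "inbound" in cfg:
        ibs.append(cfg["inbound"])
    ibs.extend(cfg.get("inboundDetour", []))
    return ibs


def check_credentials(client: dict, server: dict) -> list[str]:
    """Compare every vmess outbound on the client with the server's vmess inbound."""
    vmess_in = [ib for ib in server_inbounds(server) if ib.get("protocol") == "vmess"]
    if not vmess_in:
        return ["server has no vmess inbound"]
    srv = vmess_in[0]
    srv_users = {(c["id"], c.get("alterId", 0)) for c in srv["settings"]["clients"]}
    srv_ss = srv.get("streamSettings", {})
    problems = []
    for ob in client.get("outbounds", []):
        if ob.get("protocol") != "vmess":
            continue
        tag, ss = ob.get("tag", "?"), ob.get("streamSettings", {})
        if ss.get("network") != srv_ss.get("network"):
            problems.append(f"{tag}: network {ss.get('network')!r} != server {srv_ss.get('network')!r}")
        cpath = ss.get("wsSettings", {}).get("path", "/")
        spath = srv_ss.get("wsSettings", {}).get("path", "/")
        if cpath != spath:
            problems.append(f"{tag}: ws path {cpath!r} != server {spath!r}")
        # Nginx terminates TLS, so the server config carries no TLS setting; the client
        # must still have it, otherwise VMess would be sent in clear to the HTTPS port.
        if ss.get("security") != "tls":
            problems.append(f"{tag}: client is not using TLS; traffic to port 443 would be plaintext")
        for vn in ob["settings"]["vnext"]:
            sni = ss.get("tlsSettings", {}).get("serverName", vn["address"])
            if sni != vn["address"]:
                problems.append(f"{tag}: tlsSettings.serverName {sni!r} != address {vn['address']!r}")
            for u in vn["users"]:
                if (u["id"], u.get("alterId", 0)) not in srv_users:
                    problems.append(f"{tag}: user {u['id']}/alterId {u.get('alterId', 0)} not in server clients")
    return problems


def check_routing_tags(client: dict) -> list[str]:
    """Every outboundTag/inboundTag used by a routing rule must name a declared tag."""
    out_tags = {ob.get("tag") for ob in client.get("outbounds", [])}
    in_tags = {ib.get("tag") for ib in client.get("inbounds", []) if ib.get("tag")}
    problems = []
    for i, rule in enumerate(client.get("routing", {}).get("rules", [])):
        if rule.get("outboundTag") not in out_tags:
            problems.append(f"rule {i}: outboundTag {rule.get('outboundTag')!r} is not a declared outbound")
        for t in rule.get("inboundTag", []):
            if t not in in_tags:
                problems.append(f"rule {i}: inboundTag {t!r} matches no inbound, rule is inert")
    return problems


if __name__ == "__main__":
    for line in check_credentials(CLIENT, SERVER) + check_routing_tags(CLIENT) or ["OK"]:
        print(line)
```

The serverName check matters for the disguise: the SNI the client sends must be the domain Nginx serves, or the TLS handshake is answered by a different server block, or refused, before V2ray is ever reached.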

Usage and testing

Use ps auxw | grep v2ray to check that v2ray is running on both the server and the client (local machine). You can either set the system proxy in the network settings or set a SOCKS5 proxy in the local terminal (effective only in the current shell):

```bash
export http_proxy="socks5://127.0.0.1:1080"
export https_proxy="socks5://127.0.0.1:1080"
```

You can use curl to check which public IP your traffic currently leaves from

```bash
curl ip.sb
```

From the result curl returns you can tell whether the proxy is set up correctly.
1. If it returns your local machine's public IP, the local SOCKS5 proxy setting has not taken effect.
2. If it returns an HTTP error code (404, 400 or similar), check the Nginx and V2ray server settings; the Nginx logs may also give clues.
3. Returning the server's public IP is, of course, the best outcome.

Summary

Although V2ray is troublesome to configure, it has clear advantages over SS
1. Better concealment. It is a cat-and-mouse game, but for now this V2ray setup is still hard to interfere with.
2. Because V2ray has a built-in DNS server and routing, there is no need to configure routing tables or install an extra DNS server as with SS; it is an all-in-one solution. Moreover, V2ray's SOCKS5 proxy can forward DNS queries to the built-in DNS server (SS clearly cannot forward DNS), so the V2ray SOCKS5 proxy can be set directly as the system proxy without changing the upstream DNS: domestic domains are still resolved by domestic DNS and connected directly, while foreign domains use the foreign DNS server's results and go through the proxy.

Author: Yangbo Wei
Link: http://weiyangbo.gitee.io/2019/12/08/V2ray/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.