vps

V2ray WS TLS自动续签证书+订阅

Nignx,SSL

Updated on March 11, 2021 Posted by elmagnifico on June 7, 2020

Foreword

最近v2ray爆出来了几个漏洞,引发热议.

https://github.com/v2ray/v2ray-core/issues/2542

对应的我也发现之前一直用的默认vmess协议端口一直被阻断,并且从qexw到阿里云都会被阻断,判定应该不是服务器的问题,应该是被检测到了屏蔽端口了,所以也有必要针对性的改变一下目前的协议了。

好久都没关注v2ray,没想到连仓库都要改了,现在改成v2fly了,然后v2要重构了,期待后续的新版本吧

https://github.com/v2fly/v2ray-core

VPS

之前用的qexw,真的垃圾,开始的时候还没有这么多问题,大概半年以后开始经常断流,经常莫名其妙就连不上了,日常被攻击,然后其中有一次竟然我IP还重了,然后我被强行换IP,强行换路由,换协议,原本ping只有13左右,被换以后变成45,没有任何解释。

除了这个以外,速度被限制成傻逼,说是什么2小时占满宽带会被封,尼玛我就从来都没有跑满过,测速都只能测出来30M。亏我还年付了,然后最后整体降配,说不服就退款,然后退款告诉我按9个月(无优惠)算无款可退,真没见过这样的,私自降配不通知不提醒,然后退款还按无优惠计算,真的是无良商家。

然后遇到了阿里云国际新加坡2.5刀,30M,轻松跑满,甚至超过,延迟也只有40+,非常舒服,但是由于内存不够用ttrss和v2ray同时跑,有时候就会直接内存耗尽死机了,只能重启,还是有点烦。

最后遇到了GreenCloud的日本大盘鸡,总体比较便宜,虽然ping稍微有点高,90+,但是1c1g,200g ssd,1t端口,1t流量,然后年付33.6刀,还是可以的,正好打算自己弄个图床给blog和笔记用,正好可以,后面ttrss也可以转移到这里来,然后实测速度其实也就是10-40M左右.

V2ray WS TLS

目前官方推荐的协议组合方式:

  • VMess over Websocket with TLS

  • VMess over TLS
  • VMess over HTTP/2 (使用 TLS 的 HTTP/2,并非 h2c)
  • Shadowsocks(AEAD) over Websocket with TLS

简单说都是基于TLS了,而要TLS就必须得有域名,得有个反代,这里我就用Nginx,其他反代应该也可以.

而由于必须要有证书,所以这里使用自动证书机器人Certbot,自动签发Let’s Encrypt的免费证书,只是需要三个月一续,机器人自动帮忙搞定

Certbot

https://certbot.eff.org/

下载,假如已经有了Nginx,先关闭一下

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
service nginx stop

安装,并根据提示生成证书

./certbot-auto certonly

由于我不想走提示,所以直接使用下面的命令,直接生成我的证书

./certbot-auto certonly --standalone --email xxx@xxx.com --agree-tos -d www.xxx.com
比如:
./certbot-auto certonly --standalone --email elmagnificogg@gmail.com --agree-tos -d img.elmagnifico.tech

然后这里要记录一下生成的证书所在位置

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/img.elmagnifico.tech/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/img.elmagnifico.tech/privkey.pem
   Your cert will expire on 2020-09-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

比如这里的:

/etc/letsencrypt/live/img.elmagnifico.tech/fullchain.pem 证书所在 /etc/letsencrypt/live/img.elmagnifico.tech/privkey.pem 密钥所在

然后添加定时任务,自动renew证书

crontab -e

添加如下内容:
SHELL=/bin/bash
BASH_ENV=/root/.bashrc

0 3 1 * * service nginx stop
1 3 1 * * /root/certbot-auto renew --renew-hook "sudo nginx -s reload" && service nginx start

这个表示每月1号.凌晨3点自动执行renew,自动续期,并且重新加载nginx

然后就是开始配置Nginx了

2021.3.11更新:这里把nginx启动和renew分开了,写同一行执行的时候总是hook出问题,所以分成两步走

Nginx

默认源中没有nginx,所以先添加官方源

rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

安装

yum install nginx -y

开机自动启动

systemctl enable nginx

查找配置文件所在,并修改配置文件

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
vi /etc/nginx/nginx.conf

nginx配置大概是这样的:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  你的域名;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  你的域名;
        root         /usr/share/nginx/html;

        ssl_certificate "你的证书位置";
        ssl_certificate_key "你的密钥位置";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location /v2ray {#这个位置和v2ray中的相同
        proxy_redirect off;
        proxy_pass http://127.0.0.1:43968; #此IP地址和端口需要和v2ray中监听的端口保持一致,
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

修改完成以后,启动nginx,然后通过域名登陆一下,看看http和https是否可以看到对应主页,都能看到说明nginx启动成功了

sudo systemctl start nginx

V2ray

首先这里v2ray的配置文件的json和以前其实格式上有很多不同了,这里更新一下以前的配置

{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "dns": {},
  "stats": {},
  "inbounds": [
  	  # 老配置了,不推荐使用
      {
      "port": 43969,
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "22769f07-8eda-4b14-aa6e-7ac7c476f4a2",
            "alterId": 32
          },
          {
            "id": "8ab40c50-2af9-43b1-96bb-2f48189a9f4c",
            "alterId": 32
          }
        ]
      },
      "tag": "in-0",
      "streamSettings": {
        "network": "tcp",
        "security": "none",
        "tcpSettings": {}
      }
    },
  	# 老配置了,不推荐使用    
    {
      "port": 1207,
      "protocol": "shadowsocks",
      "settings": {
        "method": "aes-256-cfb",
        "password": "password",
        "level": 0,
        "ota": false,
        "network": "tcp,udp"
      },
      "tag": "in-1",
      "streamSettings": {
        "network": "tcp",
        "security": "none",
        "tcpSettings": {}
      }
    },
    # 推荐使用
    {
      "port": 43968,##这里和nginx一样
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "4072f202-53d2-466a-9432-83ec3a219345",
            "alterId": 32
          }
        ]
      },
      "tag": "in-2",
      "streamSettings": {
        "network": "ws",
        "wsSettings":{
                "path":"/v2ray" #这里和nginx一样
        }
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "blocked",
      "protocol": "blackhole",
      "settings": {}
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "blocked"
      }
    ]
  },
  "policy": {},
  "reverse": {},
  "transport": {}
}

可以使用下面的命令来检查你写的json格式是否正确:

/usr/bin/v2ray/v2ray -test -config /etc/v2ray/config.json

没有错的情况下,重启v2ray,尝试连接

systemctl restart v2ray

然后配置好客户端以后基本就能用了

自建订阅

首先,从v2rayN中挑选需要建立的订阅的服务器

SMMS

然后要有OneDrive,这个比较简单

在OneDrive中建立一个txt,然后复制刚才的内容进去,保存,关闭

右键-在线查看,在网页端查看该文件,共享,不允许编辑,获取链接

SMMS

将得到的链接输入到下面的网址中,然后得到永久链接

https://onedrive.gimhoy.com/

这样这个永久链接就可以作为V2ran的订阅链接,日后只需要修改文件内容,就可以自动订阅了

SMMS

还是非常方便的

Summary

总体就是这些了

Quote

https://github.com/v2ray/v2ray-core/issues/2542

https://doubibackup.com/v2ray-ws-tls-nginx.html

https://www.jianshu.com/p/d88e19c8963b

https://zhuanlan.zhihu.com/p/53407930?from_voters_page=true