0. Preface

The situation this year has been very severe. Mid-year I set up 55R as a precaution, but it stopped working not long after; it is now clearly being fingerprinted by the wall: after a few minutes of use the IP can no longer be pinged, and it recovers once I stop using it. Given that the authors of 55 and then 55R have both withdrawn, dropping this software is the right choice. After looking around, V2Ray seems to be the only option still worth a look.

1. V2Ray

A few sources of information, briefly listed:

Articles:

  • V2Ray security obfuscation tutorial: the tool it uses is somewhat niche, and as a programmer you can do without it, but the topology diagram is worth a look
  • V2Ray installation and usage notes: a fairly accessible article, recommended
  • WebSocket: this is actually the officially recommended third-party tutorial referenced by the first article above, so reading this one is enough

2. Topology

The main thing to look at is this diagram: (figure: topology diagram)

In words, briefly:
Other proxies have the client connect straight through the wall to a server outside it over TCP, HTTP or a custom protocol.
V2Ray's scheme instead runs an HTTPS-enabled Nginx server outside the wall; the local client connects to that Nginx over the WebSocket protocol (which looks exactly like a real website in use), and the proxy sitting behind Nginx then fetches the content.
With this setup the wall cannot tell whether it is a proxy server or an ordinary user visiting a website over HTTPS, and HTTPS also ensures the wall cannot inspect the traffic's content.

3. Installation

3.1 V2Ray itself

The official install script can be used directly:

bash <(curl -L -s https://install.direct/go.sh)

A few locations:

bin command: /usr/bin/v2ray/v2ray
config file: /etc/v2ray/config.json
service: /lib/systemd/system/v2ray.service
The log locations are set in the config file (log.access and log.error); they usually go in /var/log/v2ray/access.log and /var/log/v2ray/error.log

3.2 Installing nginx

apt-get install nginx

A few nginx details:

config path: /etc/nginx
www path: /var/www/html
logs: /var/log/nginx

3.3 Installing a certificate

Refer to this article: Installing a free Let's Encrypt SSL certificate for Nginx with acme.sh

Install acme.sh:

curl https://get.acme.sh | sh
source ~/.bashrc

Request a certificate:

acme.sh --issue -d ${domain} -w /var/www/html

[email protected]:~/opt# acme.sh --issue -d ${domain} -w /var/www/html
[Tue Oct 24 09:00:39 UTC 2017] Registering account
[Tue Oct 24 09:00:40 UTC 2017] Registered
[Tue Oct 24 09:00:40 UTC 2017] Update account tos info success.
[Tue Oct 24 09:00:40 UTC 2017] ACCOUNT_THUMBPRINT='…'
[Tue Oct 24 09:00:40 UTC 2017] Creating domain key
[Tue Oct 24 09:00:40 UTC 2017] The domain key is here: /root/.acme.sh/${domain}/${domain}.key
[Tue Oct 24 09:00:40 UTC 2017] Single domain='${domain}'
[Tue Oct 24 09:00:40 UTC 2017] Getting domain auth token for each domain
[Tue Oct 24 09:00:40 UTC 2017] Getting webroot for domain='${domain}'
[Tue Oct 24 09:00:40 UTC 2017] Getting new-authz for domain='${domain}'
[Tue Oct 24 09:00:41 UTC 2017] The new-authz request is ok.
[Tue Oct 24 09:00:41 UTC 2017] Verifying:${domain}
[Tue Oct 24 09:00:44 UTC 2017] Success
[Tue Oct 24 09:00:44 UTC 2017] Verify finished, start to sign.
/root/.acme.sh/acme.sh: line 1819: warning: command substitution: ignored null byte in input
[Tue Oct 24 09:00:45 UTC 2017] Cert success.
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
[Tue Oct 24 09:00:45 UTC 2017] Your cert is in /root/.acme.sh/${domain}/${domain}.cer
[Tue Oct 24 09:00:45 UTC 2017] Your cert key is in /root/.acme.sh/${domain}/${domain}.key
[Tue Oct 24 09:00:45 UTC 2017] The intermediate CA cert is in /root/.acme.sh/${domain}/ca.cer
[Tue Oct 24 09:00:45 UTC 2017] And the full chain certs is there: /root/.acme.sh/${domain}/fullchain.cer

Install the certificate:

acme.sh --installcert -d ${domain} \
        --keypath       /var/www/ssl/${domain}.key  \
        --fullchainpath /var/www/ssl/${domain}.key.pem \
        --reloadcmd     "sudo service nginx force-reload"

[Tue Oct 24 09:23:54 UTC 2017] Installing key to:/var/www/ssl/${domain}.key
[Tue Oct 24 09:23:54 UTC 2017] Installing full chain to:/var/www/ssl/${domain}.key.pem
[Tue Oct 24 09:23:54 UTC 2017] Run reload cmd: sudo service nginx force-reload
[Tue Oct 24 09:23:54 UTC 2017] Reload success

Generate the dhparam.pem file:

openssl dhparam -out /var/www/ssl/dhparam.pem 2048

Modify the Nginx config:

http {
    # added
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # for ssl_ciphers settings compatible with older browsers see https://wiki.mozilla.org/Security/Server_Side_TLS

    server {
        listen 80 default_server;
        # added
        listen 443 ssl;
        ssl_certificate         /var/www/ssl/${domain}.key.pem;
        ssl_certificate_key     /var/www/ssl/${domain}.key;
        # ssl_dhparam
        ssl_dhparam             /var/www/ssl/dhparam.pem;

        # rest omitted
    }
}

Check the security rating with the testing tool: https://www.ssllabs.com/ssltest/analyze.html?d=${domain}

Use the crontab command to see the certificate renewal job that acme.sh added:

crontab -l

Then run it by hand to see the result:

[Tue Oct 24 09:47:37 UTC 2017] ===Starting cron===
[Tue Oct 24 09:47:37 UTC 2017] Renew: '${domain}'
[Tue Oct 24 09:47:37 UTC 2017] Skip, Next renewal time is: Sat Dec 23 09:00:45 UTC 2017
[Tue Oct 24 09:47:37 UTC 2017] Add '--force' to force to renew.
[Tue Oct 24 09:47:37 UTC 2017] Skipped ${domain}
[Tue Oct 24 09:47:37 UTC 2017] ===End cron===

Before the renewal time the command does not refresh the certificate; to try it anyway, add --force to force a renewal:

[Tue Oct 24 09:48:45 UTC 2017] ===Starting cron===
[Tue Oct 24 09:48:45 UTC 2017] Renew: '${domain}'
[Tue Oct 24 09:48:45 UTC 2017] Single domain='${domain}'
[Tue Oct 24 09:48:45 UTC 2017] Getting domain auth token for each domain
[Tue Oct 24 09:48:45 UTC 2017] Getting webroot for domain='${domain}'
[Tue Oct 24 09:48:45 UTC 2017] Getting new-authz for domain='${domain}'
[Tue Oct 24 09:48:46 UTC 2017] The new-authz request is ok.
[Tue Oct 24 09:48:46 UTC 2017] ${domain} is already verified, skip http-01.
[Tue Oct 24 09:48:46 UTC 2017] Verify finished, start to sign.
/root/.acme.sh/acme.sh: line 1819: warning: command substitution: ignored null byte in input
[Tue Oct 24 09:48:47 UTC 2017] Cert success.
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
[Tue Oct 24 09:48:47 UTC 2017] Your cert is in /root/.acme.sh/${domain}/${domain}.cer
[Tue Oct 24 09:48:47 UTC 2017] Your cert key is in /root/.acme.sh/${domain}/${domain}.key
[Tue Oct 24 09:48:47 UTC 2017] The intermediate CA cert is in /root/.acme.sh/${domain}/ca.cer
[Tue Oct 24 09:48:47 UTC 2017] And the full chain certs is there: /root/.acme.sh/${domain}/fullchain.cer
[Tue Oct 24 09:48:47 UTC 2017] Installing key to:/var/www/ssl/${domain}.key
[Tue Oct 24 09:48:47 UTC 2017] Installing full chain to:/var/www/ssl/${domain}.key.pem
[Tue Oct 24 09:48:47 UTC 2017] Run reload cmd: sudo service nginx force-reload
[Tue Oct 24 09:48:47 UTC 2017] Reload success
[Tue Oct 24 09:48:47 UTC 2017] ===End cron===

3.4 Configuring the V2Ray server

Edit the config file /etc/v2ray/config.json:

{
    "log": {
        "access": "/var/log/v2ray/access.log",
        "error": "/var/log/v2ray/error.log",
        "loglevel": "warning"
    },
    "inbound": {
        "port": 10000,
        "listen":"127.0.0.1",
        "protocol": "vmess",
        "settings": {
            "clients": [
                {
                    "id": "${UUID}",
                    "level": 1,
                    "alterId": 64,
                    "security": "aes-128-cfb"
                }
            ]
        },
        "streamSettings": {
            "network": "ws",
            "security": "auto",
            "wsSettings": {
                "connectionReuse": true,
                "path": "/serv/"
            }
        }
    },
    "outbound": {
        "protocol": "freedom",
        "settings": {}
    }
}

Start v2ray with:

service v2ray start

3.5 Configuring Nginx

In the nginx config modified earlier for HTTPS, add one more location:

location /serv/ {
    proxy_redirect off;
    proxy_pass http://127.0.0.1:10000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
}

Restart nginx:

service nginx restart

3.6 Configuring the local V2Ray

Again edit the config.json file:

{
    "log": {
        "access": ".../log/access.log",
        "error": ".../log/error.log",
        "loglevel": "warning"
    },
    "inbound": {
        "port": 10801,
        "listen": "127.0.0.1",
        "protocol": "socks",
        "settings": {
            "auth": "noauth",
            "udp": false
        }
    },
    "outbound": {
        "protocol": "vmess",
        "settings": {
            "vnext": [
                {
                    "address": "${domain}",
                    "port": 443,
                    "users": [
                        {
                            "id": "${UUID}",
                            "level": 1,
                            "alterId": 64,
                            "security": "aes-128-cfb"
                        }
                    ]
                }
            ]
        },
        "streamSettings": {
            "network": "ws",
            "security": "tls",
            "wsSettings": {
                "connectionReuse": true,
                "path": "/serv/"
            },
            "tlsSettings": {
                "serverName": "${domain}",
                "allowInsecure": false
            }
        }
    }
}
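The server config (3.4), the nginx location (3.5) and the client config (3.6) only work together when the UUID, alterId, cipher and WebSocket path agree on all sides, the plaintext V2Ray inbound stays on loopback behind Nginx, and the client actually verifies the server's TLS certificate. The script below is an added consistency check, not part of the original post or of V2Ray itself; it embeds the relevant parts of the two configs from this guide with constructed placeholder values for the UUID and domain.

```python
import json

# Constructed sample: the relevant parts of the server-side and client-side
# config.json from this guide, with placeholder UUID and domain values.
SERVER = json.loads('''{"inbound": {"port": 10000, "listen": "127.0.0.1",
  "protocol": "vmess", "settings": {"clients": [{"id": "PLACEHOLDER-UUID",
  "level": 1, "alterId": 64, "security": "aes-128-cfb"}]},
  "streamSettings": {"network": "ws", "security": "auto",
  "wsSettings": {"connectionReuse": true, "path": "/serv/"}}}}''')
CLIENT = json.loads('''{"outbound": {"protocol": "vmess", "settings": {"vnext": [
  {"address": "example.invalid", "port": 443, "users": [{"id": "PLACEHOLDER-UUID",
  "level": 1, "alterId": 64, "security": "aes-128-cfb"}]}]},
  "streamSettings": {"network": "ws", "security": "tls",
  "wsSettings": {"connectionReuse": true, "path": "/serv/"},
  "tlsSettings": {"serverName": "example.invalid", "allowInsecure": false}}}}''')
NGINX_LOCATION = "/serv/"  # path of the nginx location proxied to 127.0.0.1:10000


def check_pair(server, client, nginx_path):
    """Return a list of mismatches between the three configs; empty means OK."""
    problems = []
    s_in = server["inbound"]
    c_out = client["outbound"]
    s_user = s_in["settings"]["clients"][0]
    c_dest = c_out["settings"]["vnext"][0]
    c_user = c_dest["users"][0]
    # VMess identity: UUID, alterId and cipher must be identical on both ends.
    for key in ("id", "alterId", "security"):
        if s_user[key] != c_user[key]:
            problems.append(f"{key}: server={s_user[key]!r} client={c_user[key]!r}")
    # The WebSocket path must agree on the server, the client and the nginx location.
    s_path = s_in["streamSettings"]["wsSettings"]["path"]
    c_path = c_out["streamSettings"]["wsSettings"]["path"]
    if not (s_path == c_path == nginx_path):
        problems.append(f"ws path: server={s_path} client={c_path} nginx={nginx_path}")
    # Nginx terminates TLS, so the plaintext V2Ray inbound must stay on loopback.
    if s_in.get("listen") != "127.0.0.1":
        problems.append("server inbound is not bound to 127.0.0.1")
    # The client must verify the certificate of the domain it connects to.
    stream = c_out["streamSettings"]
    tls = stream.get("tlsSettings", {})
    if stream.get("security") != "tls" or tls.get("allowInsecure"):
        problems.append("client does not enforce certificate-verified TLS")
    if tls.get("serverName") != c_dest["address"]:
        problems.append("client serverName differs from the address it connects to")
    return problems
```

Run `check_pair(SERVER, CLIENT, NGINX_LOCATION)` after substituting the real configs; an empty list means the three pieces agree.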

Start the local v2ray:

v2ray -config .../config.json

3.7 Creating the macOS launch file

vim org.v2ray.macos.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>GroupName</key>
	<string>wheel</string>
	<key>KeepAlive</key>
	<dict>
		<key>SuccessfulExit</key>
		<false/>
	</dict>
	<key>Label</key>
	<string>org.v2ray.macos</string>
	<key>WorkingDirectory</key>
	<string>.../V2Ray/</string>
	<key>ProgramArguments</key>
	<array>
		<string>.../V2Ray/v2ray/v2ray</string>
		<string>-config</string>
		<string>config/config.json</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>.../V2Ray/log/error.log</string>
	<key>StandardOutPath</key>
	<string>.../V2Ray/log/access.log</string>
	<key>UserName</key>
	<string>root</string>
</dict>
</plist>

Starting on macOS:

vim /Library/LaunchDaemons/org.v2ray.macos.plist
sudo launchctl load ./org.v2ray.macos.plist