# Introduction

I recently tried the following V2Ray combinations. To give the conclusion up front: the fourth one, "websocket + TLS + nginx/caddy", is the one I ended up keeping; it resists blocking best.

  • vmess
  • vmess + http
  • TLS + http2
  • websocket + TLS + nginx/caddy

# Install V2Ray

Run the command below to download and install V2Ray. Where yum or apt-get is available, the script installs unzip and daemon automatically; both are required to install V2Ray. If your system supports neither yum nor apt-get, install unzip and daemon yourself.

bash <(curl -L -s https://install.direct/go.sh)

The script installs the following files:

  • /usr/bin/v2ray/v2ray: the V2Ray program;
  • /usr/bin/v2ray/v2ctl: the V2Ray utility;
  • /etc/v2ray/config.json: the configuration file;
  • /usr/bin/v2ray/geoip.dat: IP data file;
  • /usr/bin/v2ray/geosite.dat: domain data file.

The script also sets up a startup script that launches V2Ray automatically after a reboot. At present the startup script only supports systems with Systemd, plus the whole Debian / Ubuntu family.

The startup scripts live at:

  • /etc/systemd/system/v2ray.service: Systemd
  • /etc/init.d/v2ray: SysV

After the script finishes, you need to:

  1. Edit /etc/v2ray/config.json to configure the proxy setup you want;
  2. Run service v2ray start to launch the V2Ray process;
  3. From then on, use service v2ray start|stop|status|reload|restart|force-reload to control V2Ray.

# Install Caddy

Install Caddy first.

Step 1: Install the latest stable version of Caddy

On Linux, macOS or BSD, install the latest stable, system-specific build of Caddy with the following command.

The http.filemanager and http.forwardproxy plugins are not required:

curl https://getcaddy.com | bash -s personal http.filemanager,http.forwardproxy,http.proxyprotocol

Enter your sudo password when prompted to complete the installation.

The Caddy binary is installed into /usr/local/bin. Confirm this with:

which caddy

The output should be:

/usr/local/bin/caddy

For safety, never run the Caddy binary as root. To let Caddy bind to privileged ports (such as 80 and 443) as a non-root user, grant it the capability with setcap as shown:

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

Step 2: Configure Caddy

Create a dedicated system user, caddy, and a group of the same name:

sudo useradd -r -d /var/www -M -s /sbin/nologin caddy

Note that the caddy user created here is only for managing the Caddy service; it cannot be used to log in.

Create /var/www as the home directory for the Caddy web server and /var/www/example.com as the home directory for your site:

sudo mkdir -p /var/www/example.com
sudo chown -R caddy:caddy /var/www

Create a directory to store the SSL certificates:

sudo mkdir /etc/ssl/caddy
sudo chown -R caddy:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy

Create a dedicated directory for the Caddy configuration file, the Caddyfile:

sudo mkdir /etc/caddy
sudo chown -R root:caddy /etc/caddy

Create the Caddy configuration file, named Caddyfile:

sudo touch /etc/caddy/Caddyfile
sudo chown caddy:caddy /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile
cat <<EOF | sudo tee -a /etc/caddy/Caddyfile
xxx.xxx #(your domain)
{
    root /var/www/site #(site path)
    gzip
    tls xxx@xxx.com # e-mail address used to request the certificate
    proxy /2018 localhost:12345 { # /2018 is the path, the same as on the v2ray server; the port also matches v2ray
        websocket
        header_upstream -Origin
    }
}
EOF

Note: replace xxx.xxx with your own domain, /2018 with your own path (it need not be complex, just hard to guess), and 12345 with the internal address on which Project V's WS inbound listens.

To make operating Caddy easier, you can write a systemd unit file for it and then manage Caddy through systemd.

Create the Caddy systemd unit file with the vi editor:

sudo vi /etc/systemd/system/caddy.service

Fill the file with:

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Save and exit:

:wq!

Start the Caddy service and enable it to start automatically at boot:

sudo systemctl daemon-reload
sudo systemctl start caddy.service
sudo systemctl enable caddy.service

Step 3: Adjust the firewall rules

To allow visitors to reach your Caddy site, open ports 80 and 443, plus the V2Ray listening port:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
sudo firewall-cmd --reload

Then check what the firewall has open:

sudo firewall-cmd --list-all

Step 4: Create a test page for your site

Create a file named index.html in your Caddy site's home directory with the following command:

echo '<h1>Hello World!</h1>' | sudo tee /var/www/example.com/index.html

Restart the Caddy service to load the new content:

sudo systemctl restart caddy.service

Finally, point your web browser at http://example.com or https://example.com. You should see the expected Hello World! message.


# Configure the V2Ray server

The V2Ray server configuration file is /etc/v2ray/config.json:

{
  "inbound": {
    "port": 12345,
    "listen":"127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
          "alterId": 64
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/2018"
      }
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  },
  "outboundDetour": [
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10"
          ],
          "outboundTag": "blocked"
        }
      ]
    }
  }
}

Change the port, UUID and path to your own values.


# Configure the V2Ray client

{
  "inbound": {
    "port": 1080,
    "listen": "127.0.0.1",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": false
    }
  },
  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "xxx.xxx",
          "port": 443,
          "users": [
            {
              "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
              "alterId": 64
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {
        "serverName": "xxx.xxx"
      },
      "wsSettings": {
        "path": "/2018"
      }
    }
  },
  "outboundDetour": [
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "domainStrategy": "IPIfNonMatch",
      "rules": [
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10"
          ],
          "outboundTag": "direct"
        },
        {
          "type": "chinasites",
          "outboundTag": "direct"
        },
        {
          "type": "chinaip",
          "outboundTag": "direct"
        }
      ]
    }
  }
}
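The Caddyfile proxy stanza, the server config and the client config above only work together when the path, the upstream port, the TLS server name and the UUID agree. As an added example (not from the original post or from the V2Ray or Caddy projects), here is a small Python checker that parses the Caddy v1 proxy stanza and both V2Ray configs and reports the mismatches; the embedded configs are constructed, abridged copies of the page's, with example.com standing in for xxx.xxx.

```python
import re

# Constructed, abridged copies of the page's Caddyfile and of the two V2Ray configs:
# only the keys the consistency check needs, with example.com standing in for xxx.xxx.
CADDYFILE = """example.com {
    tls admin@example.com
    proxy /2018 localhost:12345 {
        websocket
        header_upstream -Origin
    }
}"""
SERVER = {"inbound": {"port": 12345, "listen": "127.0.0.1", "protocol": "vmess",
          "settings": {"clients": [{"id": "b831381d-6324-4d53-ad4f-8cda48b30811"}]},
          "streamSettings": {"network": "ws", "wsSettings": {"path": "/2018"}}}}
CLIENT = {"outbound": {"protocol": "vmess",
          "settings": {"vnext": [{"address": "example.com", "port": 443,
                                  "users": [{"id": "b831381d-6324-4d53-ad4f-8cda48b30811"}]}]},
          "streamSettings": {"network": "ws", "security": "tls",
                             "tlsSettings": {"serverName": "example.com"},
                             "wsSettings": {"path": "/2018"}}}}


def parse_caddyfile(text):
    """Pull the site label and the proxy stanza out of a Caddy v1 Caddyfile."""
    m = re.search(r"proxy\s+(\S+)\s+([^\s:]+):(\d+)\s*\{([^}]*)\}", text)
    return {"site": text.split()[0], "path": m.group(1), "host": m.group(2),
            "port": int(m.group(3)), "websocket": "websocket" in m.group(4)}


def check(caddy, server, client):
    """Return the mismatches between Caddy, the V2Ray server and the V2Ray client."""
    inb, outb = server["inbound"], client["outbound"]
    ss, vnext = outb["streamSettings"], outb["settings"]["vnext"][0]
    problems = []
    if inb.get("listen") not in ("127.0.0.1", "::1", "localhost"):
        problems.append("server inbound is not loopback-only: vmess reachable without TLS")
    if not (caddy["path"] == inb["streamSettings"]["wsSettings"]["path"] == ss["wsSettings"]["path"]):
        problems.append("ws path differs between Caddyfile, server and client")
    if caddy["host"] not in ("localhost", "127.0.0.1") or caddy["port"] != inb["port"]:
        problems.append("Caddy upstream does not point at the V2Ray inbound")
    if not caddy["websocket"]:
        problems.append("Caddy proxy stanza lacks the websocket directive")
    if ss.get("security") != "tls" or vnext["port"] != 443:
        problems.append("client does not talk TLS to Caddy on 443")
    if not (ss.get("tlsSettings", {}).get("serverName") == vnext["address"] == caddy["site"]):
        problems.append("client serverName/address differ from the Caddy site label")
    if vnext["users"][0]["id"] not in {c["id"] for c in inb["settings"]["clients"]}:
        problems.append("client UUID is not among the server's clients")
    return problems
```

Because the inbound binds to 127.0.0.1 and Caddy terminates TLS on 443, only 80 and 443 need to be reachable from outside; the loopback check flags a config that would expose the plain vmess listener directly.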