Introduction

I recently tried the V2Ray combinations listed below. Conclusion up front: the fourth one, "websocket + TLS + nginx/caddy", is the one I kept; it resists blocking best.

  • vmess
  • vmess + http
  • TLS + http2
  • websocket + TLS + nginx/caddy

Install V2Ray

Run the command below to download and install V2Ray. When yum or apt-get is available, the script installs unzip and daemon automatically; both are required to install V2Ray. If your system supports neither yum nor apt-get, install unzip and daemon yourself.

bash <(curl -L -s https://install.direct/go.sh)

The script installs the following files:

  • /usr/bin/v2ray/v2ray: the V2Ray program;
  • /usr/bin/v2ray/v2ctl: the V2Ray tool;
  • /etc/v2ray/config.json: configuration file;
  • /usr/bin/v2ray/geoip.dat: IP data file
  • /usr/bin/v2ray/geosite.dat: domain data file

The script also sets up an autostart script, which starts V2Ray automatically after a reboot. Currently the autostart script supports only systems with Systemd, plus the whole Debian / Ubuntu family.

The autostart script is placed at:

  • /etc/systemd/system/v2ray.service: Systemd
  • /etc/init.d/v2ray: SysV

After the script finishes, you need to:

  1. Edit /etc/v2ray/config.json to configure the proxy setup you need;
  2. Run service v2ray start to start the V2Ray process;
  3. Afterwards, use service v2ray start|stop|status|reload|restart|force-reload to control V2Ray.

Install Caddy

First install Caddy.

Step 1: Install the latest stable Caddy release

On Linux, Mac or BSD, install the latest stable, system-specific build of Caddy with the following command.

The http.filemanager and http.forwardproxy plugins are not required.

curl https://getcaddy.com | bash -s personal http.filemanager,http.forwardproxy,http.proxyprotocol

Enter your sudo password when prompted to complete the installation.

The Caddy binary is installed into /usr/local/bin. Confirm with:

which caddy

The output should be:

/usr/local/bin/caddy

For safety, never run the Caddy binary as root. To let Caddy bind to privileged ports (e.g. 80, 443) as a non-root user, grant it the capability with setcap as follows:

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

Step 2: Configure Caddy

Create a dedicated system user caddy and a group of the same name:

sudo useradd -r -d /var/www -M -s /sbin/nologin caddy

Note: the caddy user created here is only for running the Caddy service; it cannot be used to log in.

Create /var/www as the home directory of the Caddy web server and /var/www/example.com as the root of your site:

sudo mkdir -p /var/www/example.com
sudo chown -R caddy:caddy /var/www

Create a directory for the SSL certificates:

sudo mkdir /etc/ssl/caddy
sudo chown -R caddy:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy

Create a dedicated directory for the Caddy configuration file, the Caddyfile:

sudo mkdir /etc/caddy
sudo chown -R root:caddy /etc/caddy

Create the Caddy configuration file, named Caddyfile:

sudo touch /etc/caddy/Caddyfile
sudo chown caddy:caddy /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile
cat <<EOF | sudo tee -a /etc/caddy/Caddyfile
# xxx.xxx: your domain name
xxx.xxx
{
    # page path; the site directory created above is /var/www/example.com
    root /var/www/site
    gzip
    # e-mail address used when requesting the certificate
    tls xxx@xxx.com
    # /2018 is the path and 12345 the port; both must match the V2Ray server config
    proxy /2018 localhost:12345 {
        websocket
        header_upstream -Origin
    }
}
EOF

Note: replace xxx.xxx with your own domain and /2018 with your own path (it need not be elaborate, just hard to guess); replace 12345 with the internal address and port on which Project V's WS inbound listens.

To make Caddy easier to operate, you can create a systemd unit file for it and then manage Caddy with systemd.

Create the Caddy systemd unit file with the vi editor:

sudo vi /etc/systemd/system/caddy.service

Fill the file with:

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Save and exit:

:wq!

Start the Caddy service and enable it to start at boot:

sudo systemctl daemon-reload
sudo systemctl start caddy.service
sudo systemctl enable caddy.service

Step 3: Adjust the firewall rules

To let visitors reach your Caddy site, open ports 80 and 443, plus the V2Ray listening port:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
sudo firewall-cmd --reload

Then check what the firewall now allows:

sudo firewall-cmd --list-all

Step 4: Create a test page for your site

Create a file named index.html in your Caddy site root with the following command:

echo '<h1>Hello World!</h1>' | sudo tee /var/www/example.com/index.html

Restart the Caddy service to load the new content:

sudo systemctl restart caddy.service

Finally, point your web browser at http://example.com or https://example.com. You should see the expected Hello World! message.


Configure the V2Ray server

V2Ray server configuration file /etc/v2ray/config.json:

{
  "inbound": {
    "port": 12345,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
          "alterId": 64
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/2018"
      }
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  },
  "outboundDetour": [
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10"
          ],
          "outboundTag": "blocked"
        }
      ]
    }
  }
}

Change the port, the UUID (id) and the path here to your own values.


Configure the V2Ray client

{
  "inbound": {
    "port": 1080,
    "listen": "127.0.0.1",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": false
    }
  },
  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "xxx.xxx",
          "port": 443,
          "users": [
            {
              "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
              "alterId": 64
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {
        "serverName": "xxx.xxx"
      },
      "wsSettings": {
        "path": "/2018"
      }
    }
  },
  "outboundDetour": [
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "domainStrategy": "IPIfNonMatch",
      "rules": [
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10"
          ],
          "outboundTag": "direct"
        },
        {
          "type": "chinasites",
          "outboundTag": "direct"
        },
        {
          "type": "chinaip",
          "outboundTag": "direct"
        }
      ]
    }
  }
}
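As an added example (not part of the original post), here is a small Python check that the three pieces above agree with each other: the Caddyfile proxy line, the server config and the client config. It embeds constructed copies of the page's snippets (the xxx.xxx placeholders and the sample UUID kept as printed) and reports anything that would break the chain or weaken it: a server inbound not bound to 127.0.0.1, a path or port that differs between Caddy and V2Ray, a client without ws+tls, a serverName that does not match the address, or the page's sample UUID still in use.

```python
import json
import re

# Constructed samples that mirror the page's Caddyfile proxy block and both V2Ray configs.
CADDYFILE = """xxx.xxx {
proxy /2018 localhost:12345 {
websocket
}
}
"""
SAMPLE_UUID = "b831381d-6324-4d53-ad4f-8cda48b30811"  # the UUID printed on the page
SERVER = json.loads('''{"inbound": {"port": 12345, "listen": "127.0.0.1", "protocol": "vmess",
  "settings": {"clients": [{"id": "%s", "alterId": 64}]},
  "streamSettings": {"network": "ws", "wsSettings": {"path": "/2018"}}}}''' % SAMPLE_UUID)
CLIENT = json.loads('''{"outbound": {"protocol": "vmess",
  "settings": {"vnext": [{"address": "xxx.xxx", "port": 443, "users": [{"id": "%s", "alterId": 64}]}]},
  "streamSettings": {"network": "ws", "security": "tls",
    "tlsSettings": {"serverName": "xxx.xxx"}, "wsSettings": {"path": "/2018"}}}}''' % SAMPLE_UUID)
# The 'proxy <path> localhost:<port>' line is what ties Caddy to the V2Ray inbound.
PROXY_RE = re.compile(r"^\s*proxy\s+(\S+)\s+(?:localhost|127\.0\.0\.1):(\d+)", re.M)


def check_chain(caddyfile, server, client):
    """Return the mismatches between Caddyfile, server and client configs; [] means consistent."""
    m = PROXY_RE.search(caddyfile)
    if not m:
        return ["Caddyfile has no 'proxy <path> localhost:<port>' block"]
    path, port = m.group(1), int(m.group(2))
    problems = []
    inb = server["inbound"]
    ws_path = inb["streamSettings"]["wsSettings"]["path"]
    if inb.get("listen") != "127.0.0.1":
        problems.append("server inbound must listen on 127.0.0.1; only Caddy should reach it")
    if inb["port"] != port:
        problems.append(f"Caddy proxies to port {port} but the server inbound uses {inb['port']}")
    if ws_path != path:
        problems.append(f"Caddy proxies {path} but the server wsSettings.path is {ws_path}")
    out = client["outbound"]
    ss, vnext = out["streamSettings"], out["settings"]["vnext"][0]
    if ss.get("network") != "ws" or ss.get("security") != "tls":
        problems.append("client streamSettings must be network=ws with security=tls")
    if ss["wsSettings"]["path"] != path:
        problems.append("client wsSettings.path differs from the Caddy proxy path")
    if vnext["port"] != 443:
        problems.append("client must connect to Caddy on 443, not to the internal V2Ray port")
    if ss.get("tlsSettings", {}).get("serverName") != vnext["address"]:
        problems.append("client serverName must equal the address so the certificate is validated")
    shared = {u["id"] for u in vnext["users"]} & {c["id"] for c in inb["settings"]["clients"]}
    if not shared or SAMPLE_UUID in shared:
        problems.append("client and server UUIDs must match and must not be the page's sample value")
    return problems
```

Run against the page's own snippets the only finding is the sample UUID; point it at your real /etc/caddy/Caddyfile and both config.json files (json.load) to check a live deployment.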