# V2Ray Setup Notes (WS+TLS+Web)

**Published by:** [0xLin](https://paragraph.com/@0xlin/)
**Published on:** 2022-12-09
**URL:** https://paragraph.com/@0xlin/v2ray-ws-tls-web

## Domain resolution

Point a subdomain at the IP address of the VPS.

## Certificate registration

(1) Install Certbot:

```bash
yum install -y python38 && pip3 install certbot
```

If the output ends with `Successfully installed xxxx, xxxx, xxxx` (a list of package names), the installation succeeded.

(2) Stop the firewall:

```bash
systemctl stop firewalld && systemctl disable firewalld
```

Note: on CentOS 7 and later the firewall is enabled by default, and you cannot request a certificate without stopping it. On some systems firewalld is not installed and this command reports an error, which does not affect the following steps. The command succeeded if it prints:

```
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
```

(3) Request an SSL certificate. This step is a fill-in-the-blanks exercise: replace the domain (`<域名>`) and email address (`<邮箱>`) in the command with your own.

```bash
certbot certonly --standalone --agree-tos -n -d <域名> -m <邮箱>
# If you get a pyOpenSSL error, reinstall it at a pinned version:
pip3 uninstall pyOpenSSL
pip3 install pyOpenSSL==22.0.0
```

The request succeeded if the output looks like this:

```
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.hrw1rdzqa7c5a8u3ibkn.website/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.hrw1rdzqa7c5a8u3ibkn.website/privkey.pem
Your cert will expire on 2020-06-04. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run "certbot renew"
Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org
```

Note: this is the step most likely to go wrong. Common problems:

- Another proxy is occupying ports 80 and 443. Fix: stop the other proxy software, or reinstall the VPS.
- Domain resolution is not configured correctly. Fix: ping the domain and check that it resolves to the right IP. Do not enable the CDN at this point.
- The firewall is still running. Fix: go back to (2) and stop the firewall.

(4) Configure automatic certificate renewal:

```bash
echo "0 0 1 */2 * systemctl stop nginx ; certbot renew; systemctl start nginx;" | crontab
```

The certificate we requested is only valid for three months; the command above renews it automatically every two months, so it can be used indefinitely.

## Install Nginx and V2Ray

(1) V2Ray and Nginx can be installed in one step. Paste the following command into the console and run it:

```bash
yum install -y nginx && yum install -y curl && bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)
```

If the last line of output is `V2Ray vx.x.x is installed.`, the installation succeeded (if V2Ray installed successfully, Nginx did too).

(2) Disable SELinux. On some systems SELinux must be disabled, otherwise Nginx cannot forward traffic to V2Ray. Run:

```bash
setsebool -P httpd_can_network_connect 1 && setenforce 0
```

No output means it succeeded.

## Nginx configuration

`vi /etc/nginx/conf.d/xxx.conf` and fill in the lines marked `### 1:` to `### 4:` (domain, certificate paths and WebSocket path):

```nginx
server {
    ### 1:
    server_name <域名>;
    listen 80 reuseport fastopen=10;
    rewrite ^(.*) https://$server_name$1 permanent;
    if ($request_method !~ ^(POST|GET)$) { return 501; }
    autoindex off;
    server_tokens off;
}

server {
    ### 2:
    ssl_certificate /etc/letsencrypt/live/<域名>/fullchain.pem;
    ### 3:
    ssl_certificate_key /etc/letsencrypt/live/<域名>/privkey.pem;
    ### 4:
    location /<path> {
        proxy_pass http://127.0.0.1:8964;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_requests 10000;
        keepalive_timeout 2h;
        proxy_buffering off;
    }
    listen 443 ssl reuseport fastopen=10;
    server_name $server_name;
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_requests 10000;
    keepalive_timeout 2h;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:60m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;
    if ($request_method !~ ^(POST|GET)$) { return 501; }
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=31536000 always;
    autoindex off;
    server_tokens off;
    index index.html index.htm index.php;
    location ~ .*\.(js|jpg|JPG|jpeg|JPEG|css|bmp|gif|GIF|png)$ {
        access_log off;
    }
    location / {
        index index.html;
    }
}
```

Nginx commands:

```bash
systemctl restart nginx
systemctl stop nginx
systemctl start nginx
```

## V2Ray configuration

`vi /usr/local/etc/v2ray/config.json`:

```json
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "protocol": "vmess",
    "listen": "127.0.0.1",
    "port": 8964,
    "settings": {
      "clients": [
        { "id": "<uuid>", "alterId": <ID> }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": { "path": "/<nginx path>" }
    }
  },
  "outbound": {
    "protocol": "freedom"
  }
}
```

V2Ray commands:

```bash
systemctl restart v2ray
systemctl stop v2ray
systemctl start v2ray
```

Output of `v2ray help`:

```
Usage: v2ray <command> [arguments]

The commands are:
    run        run V2Ray with config
    api        call V2Ray API
    convert    convert config files
    test       test config files
    tls        TLS tools
    uuid       generate new UUID
    verify     verify if a binary is officially signed
    version    print V2Ray version

Use "v2ray help <command>" for more information about a command.

Additional help topics:
    config-merge     config merge logic
    format-loader    config formats and loading

Use "v2ray help <topic>" for more information about that topic.
```

## Verification

1. Start nginx, open `https://<域名>` and verify that the nginx home page loads.
2. Start v2ray, configure the client, and verify that it works.

## Problem encountered

```
2022/12/09 09:53:44 127.0.0.1:52970 rejected common/drain: common/drain: drained connection > proxy/vmess/encoding: invalid user: VMessAEAD is enforced and a non VMessAEAD connection is received. You can still disable this security feature with environment variable v2ray.vmess.aead.forced = false . You will not be able to enable legacy header workaround in the future.
```

How to fix it:

1. Edit the v2ray.service file: `vi /etc/systemd/system/v2ray.service`
2. Add the line `Environment="V2RAY_VMESS_AEAD_FORCED=false"`
3. Restart the service:

```bash
systemctl daemon-reload
systemctl restart v2ray
```

References:

- https://github.com/233boy/v2ray/issues/812
- https://91ai.net/thread-950258-1-1.html

## Optional configuration 1: use a CDN to hide the IP

A CDN is effectively one more proxy layer in front of the server: the firewall only sees your domain and the CDN's IP and cannot learn the real IP of the proxy server. If the camouflage website has DoH+ESNI enabled, even the domain can be hidden. v2ray+ws+tls+web+CDN is therefore in effect a double proxy, with very high stealth and security. The downside is that Cloudflare adds some latency. Unless your IP gets blocked, or in extreme situations such as the firewall being tightened around June 4, there is no need to turn on the CDN if your connection is normally stable.

## Optional configuration 2: harden the server with a firewall

If the VPS runs no other services, it is recommended to enable a firewall. Exposing only ports 80, 443 and SSH to the outside reduces the risk of the proxy server being probed. The earlier steps disabled firewalld, and not every machine has firewalld installed, so we use ufw as the replacement here.

Install ufw:

```bash
yum install -y epel-release && yum install -y ufw
```

Open the SSH, HTTP and HTTPS ports:

```bash
ufw disable && ufw allow ssh && ufw allow http && ufw allow https && ufw enable
```

If the SSH port is not 22, replace `ssh` with the port number. For example, with SSH on port 14320:

```bash
ufw disable && ufw allow 14320 && ufw allow http && ufw allow https && ufw enable
```

ufw and firewalld share the same underlying implementation, Linux iptables, so there is essentially no big difference between them.

## Optional configuration 3: BBR acceleration

BBR is a congestion control algorithm developed by Google that lowers latency and speeds up access. Enabling BBR requires a Linux kernel of version 4.10 or later, which most VPSes now satisfy; run `uname -a` to check the kernel version. If the kernel is newer than 4.10 you can use BBR; copy these three commands into the terminal and run them:

```bash
bash -c 'echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf'
bash -c 'echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf'
sysctl -p
```

Then run the following command to check whether BBR is active:

```bash
sysctl net.ipv4.tcp_congestion_control
```

If it prints `net.ipv4.tcp_congestion_control = bbr`, BBR acceleration is enabled.

## Optional configuration 4: compile Nginx

On some systems the Nginx installed via yum does not support TLS 1.3, so you need to compile it yourself. Enabling TLS 1.3 noticeably lowers VMess+WS+TLS latency (1-RTT handshake, 0-RTT session resumption). In addition, TLS 1.3 encrypts every handshake packet after the first RTT, which (possibly) reduces the TLS protocol's fingerprint. Caddy (another HTTP reverse proxy) also supports TLS 1.3, but a self-configured and self-compiled Nginx can be tuned through many parameters to reach higher performance. Compiling Nginx yourself also lets you enable features found in other reverse proxies, such as HTTP/2.

Nginx compile and install steps:

Update all packages and the system kernel (takes a while, optional):

```bash
yum -y update
```

Install build dependencies and libraries:

```bash
yum -y install wget gcc make perl pcre pcre-devel zlib zlib-devel
```

Download OpenSSL 1.1.1g (the latest version as of 2020-04-21):

```bash
wget https://github.com/openssl/openssl/archive/OpenSSL_1_1_1g.zip
unzip OpenSSL_1_1_1g.zip
rm OpenSSL_1_1_1g.zip && mv openssl-OpenSSL_1_1_1g openssl
```

Download Nginx 1.18.0:

```bash
wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzvf nginx-1.18.0.tar.gz
cd nginx-1.18.0
```

Configure the build options:

```bash
./configure --with-openssl=../openssl --with-openssl-opt='enable-tls1_3' --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module
```

This step is the key to TLS 1.3 support in Nginx: `--with-openssl-opt='enable-tls1_3'` enables TLS 1.3 and `--with-http_v2_module` enables HTTP/2. Then build and install:

```bash
make && make install
```

The compiled Nginx binary is at `/usr/local/nginx/sbin/nginx`; test it with:

```bash
/usr/local/nginx/sbin/nginx -V
```

Correspondingly, the Nginx configuration directory and web root are `/usr/local/nginx/conf` and `/usr/local/nginx/html`.

To run Nginx as a system service, a systemd unit file is also needed:

```ini
[Unit]
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

Finally, save this file as `nginx.service` under `/etc/systemd/system`, and the compiled Nginx installation is complete.
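The nginx `location` block and the V2Ray `config.json` above have to agree on the WebSocket path and the loopback port, and a non-zero `alterId` is what makes a client send the legacy (non-AEAD) header behind the "VMessAEAD is enforced" rejection in the troubleshooting section (a client configured with `alterId` 0 speaks VMessAEAD and is accepted by the default enforcement). The following Python checker is an added example, not code from the original notes or from the V2Ray project; the path `/ray`, port 8964 and UUID in it are constructed sample values.

```python
import json
import re

# Constructed sample inputs modelled on the guide's nginx location block and
# config.json; the path /ray, port 8964 and UUID are hypothetical values.
NGINX_CONF = """
location /ray { proxy_pass http://127.0.0.1:8964; proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }
"""
V2RAY_CONF = json.loads("""{
  "inbound": {"protocol": "vmess", "listen": "127.0.0.1", "port": 8964,
    "settings": {"clients": [{"id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d", "alterId": 64}]},
    "streamSettings": {"network": "ws", "wsSettings": {"path": "/ray"}}},
  "outbound": {"protocol": "freedom"}
}""")

LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{(.*?)\}", re.S)
PROXY_RE = re.compile(r"proxy_pass\s+http://([\d.]+):(\d+)\s*;")

def nginx_ws_upstreams(conf):
    """Map each location path to its (host, port) upstream, keeping only the
    locations that pass the WebSocket Upgrade header through to the backend."""
    upstreams = {}
    for path, body in LOCATION_RE.findall(conf):
        m = PROXY_RE.search(body)
        if m and "Upgrade $http_upgrade" in body:
            upstreams[path] = (m.group(1), int(m.group(2)))
    return upstreams

def check_v2ray_config(v2ray_conf, nginx_conf):
    """Return a list of findings; an empty list means nginx and V2Ray agree on
    path and port, the inbound is loopback-only and every client uses AEAD."""
    findings = []
    # accept the legacy singular "inbound" used in the guide as well as "inbounds"
    inbound = v2ray_conf.get("inbound") or v2ray_conf["inbounds"][0]
    listen = (inbound.get("listen"), inbound["port"])
    if listen[0] != "127.0.0.1":
        findings.append("inbound not bound to 127.0.0.1: reachable without nginx and TLS")
    path = inbound["streamSettings"]["wsSettings"]["path"]
    upstream = nginx_ws_upstreams(nginx_conf).get(path)
    if upstream is None:
        findings.append(f"no nginx WebSocket location proxies {path}")
    elif upstream != listen:
        findings.append(f"nginx proxies {path} to {upstream} but V2Ray listens on {listen}")
    for client in inbound["settings"]["clients"]:
        if client.get("alterId", 0) != 0:  # alterId 0 makes the client use VMessAEAD
            findings.append(f"alterId {client['alterId']}: the client will send the legacy "
                            "header that the server rejects as non-VMessAEAD by default")
    return findings
```

Run it against the real files by replacing the two constructed samples with the contents of `/etc/nginx/conf.d/xxx.conf` and `/usr/local/etc/v2ray/config.json`; an empty list means the pair is consistent.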