Caddy+WebSocket+TLS+Web
source link: https://3mile.github.io/archives/2018/07/21/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Caddy+WebSocket+TLS+Web
2018-07-21
发布在 Linux
A beautiful cover
最近试过了下列多种v2ray组合,直接给出结论,第四个”websocket + TLS + nginx/caddy”是最后留下来用的,抗封锁最好。
- vmess
- vmess + http
- TLS + http2
- websocket + TLS + nginx/caddy
#安装V2Ray
运行下面的指令下载并安装 V2Ray。当 yum 或 apt-get 可用的情况下,此脚本会自动安装 unzip 和 daemon。这两个组件是安装 V2Ray 的必要组件。如果你使用的系统不支持 yum 或 apt-get,请自行安装 unzip 和 daemon
bash <(curl -L -s https://install.direct/go.sh)
此脚本会自动安装以下文件:
/usr/bin/v2ray/v2ray:V2Ray 程序;/usr/bin/v2ray/v2ctl:V2Ray 工具;/etc/v2ray/config.json:配置文件;/usr/bin/v2ray/geoip.dat:IP 数据文件/usr/bin/v2ray/geosite.dat:域名数据文件
此脚本会配置自动运行脚本。自动运行脚本会在系统重启之后,自动运行 V2Ray。目前自动运行脚本只支持带有 Systemd 的系统,以及 Debian / Ubuntu 全系列。
运行脚本位于系统的以下位置:
/etc/systemd/system/v2ray.service: Systemd/etc/init.d/v2ray: SysV
脚本运行完成后,你需要:
- 编辑 /etc/v2ray/config.json 文件来配置你需要的代理方式;
- 运行 service v2ray start 来启动 V2Ray 进程;
- 之后可以使用 service v2ray start|stop|status|reload|restart|force-reload 控制 V2Ray 的运行。
安装Caddy
首先安装Caddy
第一步:安装球童的最新稳定版本
在Linux,Mac或BSD操作系统上,使用以下命令安装Caddy最新稳定的系统特定版本:
其中http.filemanager,http.forwardproxy不是必须安装的
curl https://getcaddy.com | bash -s personal http.filemanager,http.forwardproxy,http.proxyprotocol
出现提示时,输入您的sudo密码以完成安装。
Caddy二进制文件将被安装到该/usr/local/bin目录。使用以下命令确认:
which caddy
输出应该是:
/usr/local/bin/caddy
为了安全起见,切勿以root身份运行Caddy二进制文件。为了让Caddy能够以非root用户的身份绑定到特权端口(例如80,443),您需要setcap按如下所示运行该命令:
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
第2步:配置球童
创建一个专门的系统用户:caddy 和一组同名的Caddy:
sudo useradd -r -d /var/www -M -s /sbin/nologin caddy
注意:此处创建**的用户caddy只能用于管理Caddy服务,不能用于登录。
/var/www为Caddy Web服务器创建主目录,并/var/www/example.com为您的站点创建主目录:
sudo mkdir -p /var/www/example.com
sudo chown -R caddy:caddy /var/www
创建一个目录来存储SSL证书:
sudo mkdir /etc/ssl/caddy
sudo chown -R caddy:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy
创建专用目录来存储Caddy配置文件Caddyfile:
sudo mkdir /etc/caddy
sudo chown -R root:caddy /etc/caddy
创建名为的Caddy配置文件Caddyfile:
sudo touch /etc/caddy/Caddyfile
sudo chown caddy:caddy /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile
cat <<EOF | sudo tee -a /etc/caddy/Caddyfile
xxx.xxx #(你的域名)
{
root /var/www/site #(页面路径)
gzip
tls [email protected] #申请证书的邮箱地址
proxy /2018 localhost:12345 { #其中/2018是路径,和v2ray服务端相同,后面的端口号也与v2ray相同
websocket
header_upstream -Origin
}
}
EOF
注意:其中 xxx.xxx 改成自己的域名 /2018 改成自己的路径,(无须追求复杂,不容易猜出来即可) 12345 改成 Project V 的 WS 监听的内网地址
为了方便Caddy的操作,您可以systemd为Caddy 设置一个单元文件,然后用它systemd来管理Caddy。
使用vi编辑器创建Caddy systemd单元文件:
sudo vi /etc/systemd/system/caddy.service
填充文件:
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
; User and group the process will run as.
User=caddy
Group=caddy
; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID
; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy
; The following additional security directives only work with systemd v229 or later.
; They further retrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
保存并退出:
:wq!
启动Caddy服务并使其在系统引导时自动启动:
sudo systemctl daemon-reload
sudo systemctl start caddy.service
sudo systemctl enable caddy.service
第3步:修改防火墙规则
为了允许访问者访问您的球童网站,您需要打开端口80和443,以及V2ray监听端口:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
sudo firewall-cmd --reload
然后检查防火墙开放情况
sudo firewall-cmd --list-all
第4步:为您的网站创建一个测试页面
使用以下命令index.html在您的Caddy网站主目录中创建一个名为的文件:
echo '<h1>Hello World!</h1>' | sudo tee /var/www/example.com/index.html
重新启动Caddy服务以加载新内容:
sudo systemctl restart caddy.service
最后,将您的网页浏览器指向http://example.com或https://example.com。您应该看到Hello World!预期的消息。
配置V2ray服务器端
V2ray服务器端配置文件 /etc/v2ray/config.json
{
"inbound": {
"port": 12345,
"listen":"127.0.0.1",
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "b831381d-6324-4d53-ad4f-8cda48b30811",
"alterId": 64
}
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/2018"
}
}
},
"outbound": {
"protocol": "freedom",
"settings": {}
},
"outboundDetour": [
{
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
}
],
"routing": {
"strategy": "rules",
"settings": {
"rules": [
{
"type": "field",
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "blocked"
}
]
}
}
}
其中修改port,uuid,patch
配置V2ray客户端
{
"inbound": {
"port": 1080,
"listen": "127.0.0.1",
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": false
}
},
"outbound": {
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "xxx.xxx",
"port": 443,
"users": [
{
"id": "b831381d-6324-4d53-ad4f-8cda48b30811",
"alterId": 64
}
]
}
]
},
"streamSettings": {
"network": "ws",
"security": "tls",
"tlsSettings": {
"serverName": "xxx.xxx"
},
"wsSettings": {
"path": "/2018"
}
}
},
"outboundDetour": [
{
"protocol": "freedom",
"settings": {},
"tag": "direct"
}
],
"routing": {
"strategy": "rules",
"settings": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "direct"
},
{
"type": "chinasites",
"outboundTag": "direct"
},
{
"type": "chinaip",
"outboundTag": "direct"
}
]
}
}
}
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK