3
AlmaLinux 使用trojan+nginx自建透明代理
source link: https://apad.pro/trojan-nginx/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
AlmaLinux 使用trojan+nginx自建透明代理
前期准备
一台海外服务器、一个DNSPod账号、一个国内可以正常访问的域名,同时需要对Linux有操作基础,至少会使用ssh连接服务器。
由于DNS解析需要一定时间,建议部署前,提前在DNSPod将用于连接代理的域名指向海外服务器IP,并为该域名申请免费的SSL证书。
这里推荐DNSPod,兼顾海内外的解析速度,有专业能力的用户可以随意。
(如果你搞不定以上,建议放弃自建)
部署trojan
1.1 下载与安装sing-box
wget https://github.com/SagerNet/sing-box/releases/download/v1.1-beta9/sing-box-1.1-beta9-linux-amd64v3.tar.gz tar zxvf sing-box-1.1-beta9-linux-amd64v3.tar.gz mv sing-box-1.1-beta9-linux-amd64v3/sing-box /usr/local/bin/sing-box chmod +x /usr/local/bin/sing-box rm -rf sing-box-1.1-beta9-linux-amd64v3
- wget https://github.com/SagerNet/sing-box/releases/download/v1.1-beta9/sing-box-1.1-beta9-linux-amd64v3.tar.gz
- tar zxvf sing-box-1.1-beta9-linux-amd64v3.tar.gz
- mv sing-box-1.1-beta9-linux-amd64v3/sing-box /usr/local/bin/sing-box
- chmod +x /usr/local/bin/sing-box
- rm -rf sing-box-1.1-beta9-linux-amd64v3
wget https://github.com/SagerNet/sing-box/releases/download/v1.1-beta9/sing-box-1.1-beta9-linux-amd64v3.tar.gz tar zxvf sing-box-1.1-beta9-linux-amd64v3.tar.gz mv sing-box-1.1-beta9-linux-amd64v3/sing-box /usr/local/bin/sing-box chmod +x /usr/local/bin/sing-box rm -rf sing-box-1.1-beta9-linux-amd64v3
1.2 创建配置文件
mkdir -p /etc/sing-box mkdir -p /data/wwwlogs vi /etc/sing-box/config.json
- mkdir -p /etc/sing-box
- mkdir -p /data/wwwlogs
- vi /etc/sing-box/config.json
mkdir -p /etc/sing-box mkdir -p /data/wwwlogs vi /etc/sing-box/config.json
输入以下内容后保存
{
"log": {
"level": "error",
"output": "/data/wwwlogs/error_trojan.log",
"timestamp": true
},
"dns": {
"servers": [
{
"address": "208.67.222.222"
}
]
},
"inbounds": [
{
"type": "trojan",
"tag": "trojan-in",
"listen": "127.0.0.1",
"listen_port": 8443,
"tcp_fast_open": true,
"udp_fragment": true,
"udp_timeout": 300,
"proxy_protocol": true,
"proxy_protocol_accept_no_header": true,
"users": [
{
"name": "mytrojan",
"password": "123456"
}
],
"tls": {
"enabled": false
},
"fallback": {
"server": "127.0.0.1",
"server_port": 80
}
}
]
}
- "log": {
- "level": "error",
- "output": "/data/wwwlogs/error_trojan.log",
- "timestamp": true
- "dns": {
- "servers": [
- "address": "208.67.222.222"
- "inbounds": [
- "type": "trojan",
- "tag": "trojan-in",
- "listen": "127.0.0.1",
- "listen_port": 8443,
- "tcp_fast_open": true,
- "udp_fragment": true,
- "udp_timeout": 300,
- "proxy_protocol": true,
- "proxy_protocol_accept_no_header": true,
- "users": [
- "name": "mytrojan",
- "password": "123456"
- "tls": {
- "enabled": false
- "fallback": {
- "server": "127.0.0.1",
- "server_port": 80
{
"log": {
"level": "error",
"output": "/data/wwwlogs/error_trojan.log",
"timestamp": true
},
"dns": {
"servers": [
{
"address": "208.67.222.222"
}
]
},
"inbounds": [
{
"type": "trojan",
"tag": "trojan-in",
"listen": "127.0.0.1",
"listen_port": 8443,
"tcp_fast_open": true,
"udp_fragment": true,
"udp_timeout": 300,
"proxy_protocol": true,
"proxy_protocol_accept_no_header": true,
"users": [
{
"name": "mytrojan",
"password": "123456"
}
],
"tls": {
"enabled": false
},
"fallback": {
"server": "127.0.0.1",
"server_port": 80
}
}
]
}其中仅需要将上文”password”: “123456”中的123456修改为自己想要设置的密码即可
1.3 创建trojan服务
vi /etc/systemd/system/sing-box.service
- vi /etc/systemd/system/sing-box.service
vi /etc/systemd/system/sing-box.service
输入以下内容并保存
[Unit] Description=sing-box service Documentation=https://sing-box.sagernet.org After=network.target nss-lookup.target [Service] CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE ExecStart=/usr/local/bin/sing-box run -c /etc/sing-box/config.json Restart=on-failure RestartSec=10s LimitNOFILE=infinity [Install] WantedBy=multi-user.target
- [Unit]
- Description=sing-box service
- Documentation=https://sing-box.sagernet.org
- After=network.target nss-lookup.target
- [Service]
- CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
- AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
- ExecStart=/usr/local/bin/sing-box run -c /etc/sing-box/config.json
- Restart=on-failure
- RestartSec=10s
- LimitNOFILE=infinity
- [Install]
- WantedBy=multi-user.target
[Unit] Description=sing-box service Documentation=https://sing-box.sagernet.org After=network.target nss-lookup.target [Service] CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE ExecStart=/usr/local/bin/sing-box run -c /etc/sing-box/config.json Restart=on-failure RestartSec=10s LimitNOFILE=infinity [Install] WantedBy=multi-user.target
启动trojan服务
systemctl start sing-box.service systemctl enable sing-box.service
- systemctl start sing-box.service
- systemctl enable sing-box.service
systemctl start sing-box.service systemctl enable sing-box.service
部署nginx
2.1 使用OneinStack安装nginx
wget -c http://mirrors.linuxeye.com/oneinstack-full.tar.gz && tar xzf oneinstack-full.tar.gz && ./oneinstack/install.sh --nginx_option 1 --iptables --ssh_port 22
- wget -c http://mirrors.linuxeye.com/oneinstack-full.tar.gz && tar xzf oneinstack-full.tar.gz && ./oneinstack/install.sh --nginx_option 1 --iptables --ssh_port 22
wget -c http://mirrors.linuxeye.com/oneinstack-full.tar.gz && tar xzf oneinstack-full.tar.gz && ./oneinstack/install.sh --nginx_option 1 --iptables --ssh_port 22
等待脚本执行结束后编辑nginx配置文件
vi /usr/local/nginx/conf/nginx.conf
- vi /usr/local/nginx/conf/nginx.conf
vi /usr/local/nginx/conf/nginx.conf
在配置文件最后一行增加以下内容并保存
stream {
log_format slog '$remote_addr - [$time_local] '
'$ssl_protocol/$ssl_cipher $ssl_server_name '
'$status $bytes_sent $bytes_received';
server {
listen 443 ssl reuseport;
access_log /data/wwwlogs/trojan_nginx.log slog;
ssl_preread on;
ssl_certificate /data/ssl/trojan.pem;
ssl_certificate_key /data/ssl/trojan.key;
ssl_session_tickets off;
ssl_session_timeout 1440m;
ssl_session_cache shared:SSL:8m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
proxy_protocol on;
proxy_pass 127.0.0.1:8443;
}
}
- stream {
- log_format slog '$remote_addr - [$time_local] '
- '$ssl_protocol/$ssl_cipher $ssl_server_name '
- '$status $bytes_sent $bytes_received';
- server {
- listen 443 ssl reuseport;
- access_log /data/wwwlogs/trojan_nginx.log slog;
- ssl_preread on;
- ssl_certificate /data/ssl/trojan.pem;
- ssl_certificate_key /data/ssl/trojan.key;
- ssl_session_tickets off;
- ssl_session_timeout 1440m;
- ssl_session_cache shared:SSL:8m;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- proxy_protocol on;
- proxy_pass 127.0.0.1:8443;
stream {
log_format slog '$remote_addr - [$time_local] '
'$ssl_protocol/$ssl_cipher $ssl_server_name '
'$status $bytes_sent $bytes_received';
server {
listen 443 ssl reuseport;
access_log /data/wwwlogs/trojan_nginx.log slog;
ssl_preread on;
ssl_certificate /data/ssl/trojan.pem;
ssl_certificate_key /data/ssl/trojan.key;
ssl_session_tickets off;
ssl_session_timeout 1440m;
ssl_session_cache shared:SSL:8m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
proxy_protocol on;
proxy_pass 127.0.0.1:8443;
}
}如果不想使用443端口,可将listen 443处修改为其它未占用的端口号
2.2 配置证书
创建证书目录
mkdir -p /data/ssl
- mkdir -p /data/ssl
mkdir -p /data/ssl
将申请的证书文件与秘钥文件改名为trojan.pem、trojan.key,并放置于/data/ssl目录,如果有部署能力的话,强烈推荐使用acme.sh进行自动部署。
2.3 启动nginx服务
systemctl start nginx.service systemctl enable nginx.service
- systemctl start nginx.service
- systemctl enable nginx.service
systemctl start nginx.service systemctl enable nginx.service
系统配置
3.1 关闭FirewallD服务
systemctl stop firewalld systemctl disable firewalld
- systemctl stop firewalld
- systemctl disable firewalld
systemctl stop firewalld systemctl disable firewalld
3.2 配置iptables防火墙
vi /etc/sysconfig/iptables
- vi /etc/sysconfig/iptables
vi /etc/sysconfig/iptables
修改防火墙配置文件规则如下
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p udp -m udp --dport 443 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
- -A INPUT -p udp -m udp --dport 443 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp-host-prohibited
- -A FORWARD -j REJECT --reject-with icmp-host-prohibited
- COMMIT
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p udp -m udp --dport 443 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
开启防火墙
systemctl enable iptables systemctl restart iptables
- systemctl enable iptables
- systemctl restart iptables
systemctl enable iptables systemctl restart iptables
(注:如果你的服务器提供商在web管理页面有防火墙,应前往开启TCP的443端口)
3.3 优化内核参数
vi /etc/sysctl.conf
- vi /etc/sysctl.conf
vi /etc/sysctl.conf
在文件最下方输入以下内容后保存
fs.file-max = 65535 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 2 net.ipv4.tcp_slow_start_after_idle = 0 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_keepalive_time = 65 net.ipv4.tcp_fin_timeout = 1 net.ipv4.tcp_max_tw_buckets = 5000 net.ipv4.ip_local_port_range = 1024 65500 net.core.somaxconn = 65535 net.ipv4.tcp_max_syn_backlog = 262144 net.core.netdev_max_backlog = 262144 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_mem = 94500000 915000000 927000000 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_fastopen = 2
- fs.file-max = 65535
- net.ipv4.tcp_synack_retries = 2
- net.ipv4.tcp_syn_retries = 2
- net.ipv4.tcp_slow_start_after_idle = 0
- net.ipv4.tcp_syncookies = 1
- net.ipv4.tcp_tw_reuse = 1
- net.ipv4.tcp_keepalive_time = 65
- net.ipv4.tcp_fin_timeout = 1
- net.ipv4.tcp_max_tw_buckets = 5000
- net.ipv4.ip_local_port_range = 1024 65500
- net.core.somaxconn = 65535
- net.ipv4.tcp_max_syn_backlog = 262144
- net.core.netdev_max_backlog = 262144
- net.core.rmem_max = 16777216
- net.core.wmem_max = 16777216
- net.core.wmem_default = 8388608
- net.core.rmem_default = 8388608
- net.ipv4.tcp_timestamps = 0
- net.ipv4.tcp_mem = 94500000 915000000 927000000
- net.ipv4.tcp_max_orphans = 3276800
- net.ipv4.tcp_fastopen = 2
fs.file-max = 65535 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 2 net.ipv4.tcp_slow_start_after_idle = 0 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_keepalive_time = 65 net.ipv4.tcp_fin_timeout = 1 net.ipv4.tcp_max_tw_buckets = 5000 net.ipv4.ip_local_port_range = 1024 65500 net.core.somaxconn = 65535 net.ipv4.tcp_max_syn_backlog = 262144 net.core.netdev_max_backlog = 262144 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_mem = 94500000 915000000 927000000 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_fastopen = 2
执行 sysctl -p 使配置立即生效
至此,一台透明代理服务器搭建完成
支持trojan协议的客户端,请参考:
https://www.v2ray.com/awesome/tools.html
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK