299 lines
5.3 KiB
Markdown
299 lines
5.3 KiB
Markdown
|
---
|
||
|
title: Nginx_TLS隧道隐藏指纹
|
||
|
---
|
||
|
|
||
|
# 客户端服务端构建 Nginx 隧道隐藏指纹
|
||
|
|
||
|
网路结构:
|
||
|
|
||
|
xray_client ---tcp--- nginx_client ---tcp_TLS--- nginx_sever ---tcp--- xray_server
|
||
|
|
||
|
## 编译 nginx --with-stream
|
||
|
|
||
|
在客户端及服务端均编译
|
||
|
|
||
|
`curl -O -L http://nginx.org/download/nginx-1.22.1.tar.gz`
|
||
|
|
||
|
`tar -zxvf nginx-1.22.1.tar.gz`
|
||
|
|
||
|
`cd nginx-1.22.1`
|
||
|
|
||
|
`apt install gcc make` //编译依赖 gcc 以及 make
|
||
|
|
||
|
`./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-stream --with-stream_ssl_module` //此步需要依赖一些库,根据报错安装相应 lib
|
||
|
|
||
|
`make && make install`
|
||
|
|
||
|
编译之后 nginx 文件夹位于 `/usr/local/nginx`
|
||
|
|
||
|
## 配置 nginx
|
||
|
|
||
|
编辑 nginx 配置文件 nginx.conf
|
||
|
|
||
|
`vim /usr/local/nginx/conf/nginx.conf`
|
||
|
|
||
|
服务端加入如下配置
|
||
|
|
||
|
服务器申请证书不再赘述,参考[白话文](https://xtls.github.io/document/level-0/ch06-certificates.html)
|
||
|
|
||
|
```
|
||
|
stream {
|
||
|
server {
|
||
|
listen 443 ssl;
|
||
|
listen [::]:443 ssl;
|
||
|
ssl_protocols TLSv1.3;
|
||
|
ssl_certificate /path/to/cert/domain.crt; #crt文件位置
|
||
|
ssl_certificate_key /path/to/cert/domain.key; #key文件位置
|
||
|
proxy_pass unix:/dev/shm/vless.sock; #使用 domain socket
|
||
|
}
|
||
|
}
|
||
|
```
|
||
|
|
||
|
::: warning 注意
|
||
|
|
||
|
stream 部分与 http 模块并列,客户端可删除 http 部分,服务端可删除或搭建网页伪装回落
|
||
|
:::
|
||
|
|
||
|
客户端加入如下配置
|
||
|
|
||
|
```
|
||
|
stream {
|
||
|
server {
|
||
|
listen 6666;
|
||
|
listen [::]:6666;
|
||
|
proxy_ssl on;
|
||
|
proxy_ssl_protocols TLSv1.3;
|
||
|
proxy_ssl_server_name on;
|
||
|
proxy_ssl_name yourdomain.domain; #服务器域名
|
||
|
proxy_pass ip:443; #服务器 ip 形如 proxy_pass 6.6.6.6:443; 或 proxy_pass [2401:0:0::1]:443;
|
||
|
}
|
||
|
}
|
||
|
```
|
||
|
|
||
|
在 `/etc/systemd/system` 文件夹中创建 `nginx.service` 文件
|
||
|
|
||
|
`vim /etc/systemd/system/nginx.service`
|
||
|
|
||
|
写入如下
|
||
|
|
||
|
```
|
||
|
[Unit]
|
||
|
Description=The NGINX HTTP and reverse proxy server
|
||
|
After=syslog.target network-online.target remote-fs.target nss-lookup.target
|
||
|
After=xray.service
|
||
|
|
||
|
[Service]
|
||
|
Type=forking
|
||
|
ExecStartPre=/usr/local/nginx/sbin/nginx -t
|
||
|
ExecStart=/usr/local/nginx/sbin/nginx
|
||
|
ExecReload=/usr/local/nginx/sbin/nginx -s reload
|
||
|
ExecStop=/bin/kill -s QUIT $MAINPID
|
||
|
PrivateTmp=true
|
||
|
|
||
|
[Install]
|
||
|
WantedBy=multi-user.target
|
||
|
```
|
||
|
|
||
|
加入开机自启
|
||
|
|
||
|
`systemctl enable nginx`
|
||
|
|
||
|
## xray 配置
|
||
|
|
||
|
服务端 xray 配置
|
||
|
|
||
|
```
|
||
|
{
|
||
|
"log": {
|
||
|
"loglevel": "none"
|
||
|
},
|
||
|
"inbounds": [
|
||
|
{
|
||
|
"listen": "/dev/shm/vless.sock,0666",
|
||
|
"protocol": "vless",
|
||
|
"settings": {
|
||
|
"clients": [
|
||
|
{
|
||
|
"id": "uuid"
|
||
|
}
|
||
|
],
|
||
|
"decryption": "none"
|
||
|
},
|
||
|
"streamSettings": {
|
||
|
"network": "tcp"
|
||
|
},
|
||
|
"sniffing": {
|
||
|
"enabled": true,
|
||
|
"destOverride": [
|
||
|
"http",
|
||
|
"tls"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"outbounds": [
|
||
|
{
|
||
|
"protocol": "freedom"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
```
|
||
|
|
||
|
客户端 xray 配置,此处以旁路由透明代理为例
|
||
|
|
||
|
```
|
||
|
{
|
||
|
"log": {
|
||
|
"loglevel": "none"
|
||
|
},
|
||
|
"inbounds": [
|
||
|
{
|
||
|
"tag": "tproxy-in",
|
||
|
"port": 12345,
|
||
|
"protocol": "dokodemo-door",
|
||
|
"settings": {
|
||
|
"network": "tcp,udp",
|
||
|
"followRedirect": true
|
||
|
},
|
||
|
"sniffing": {
|
||
|
"enabled": true,
|
||
|
"destOverride": [
|
||
|
"http",
|
||
|
"tls"
|
||
|
],
|
||
|
"routeOnly": true
|
||
|
},
|
||
|
"streamSettings": {
|
||
|
"sockopt": {
|
||
|
"tproxy": "tproxy",
|
||
|
"mark": 255
|
||
|
}
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"tag": "http",
|
||
|
"port": 10808,
|
||
|
"listen": "127.0.0.1",
|
||
|
"protocol": "http",
|
||
|
"sniffing": {
|
||
|
"enabled": true,
|
||
|
"destOverride": [
|
||
|
"http",
|
||
|
"tls"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"outbounds": [
|
||
|
{
|
||
|
"tag": "nginxtls",
|
||
|
"protocol": "vless",
|
||
|
"settings": {
|
||
|
"vnext": [
|
||
|
{
|
||
|
"address": "127.0.0.1",
|
||
|
"port": 6666,
|
||
|
"users": [
|
||
|
{
|
||
|
"id": "uuid",
|
||
|
"encryption": "none"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
"streamSettings": {
|
||
|
"sockopt": {
|
||
|
"mark": 255
|
||
|
},
|
||
|
"network": "tcp"
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"tag": "direct",
|
||
|
"protocol": "freedom",
|
||
|
"streamSettings": {
|
||
|
"sockopt": {
|
||
|
"mark": 255
|
||
|
}
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"tag": "block",
|
||
|
"protocol": "blackhole",
|
||
|
"settings": {
|
||
|
"response": {
|
||
|
"type": "http"
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"routing": {
|
||
|
"domainMatcher": "mph",
|
||
|
"domainStrategy": "AsIs",
|
||
|
"rules": [
|
||
|
{
|
||
|
"type": "field",
|
||
|
"domain": [
|
||
|
"geosite:category-ads-all"
|
||
|
],
|
||
|
"outboundTag": "block"
|
||
|
},
|
||
|
{
|
||
|
"type": "field",
|
||
|
"port": 123,
|
||
|
"network": "udp",
|
||
|
"outboundTag": "direct"
|
||
|
},
|
||
|
{
|
||
|
"type": "field",
|
||
|
"domain": [
|
||
|
"geosite:cn"
|
||
|
],
|
||
|
"outboundTag": "direct"
|
||
|
},
|
||
|
{
|
||
|
"type": "field",
|
||
|
"protocol": [
|
||
|
"bittorrent"
|
||
|
],
|
||
|
"outboundTag": "direct"
|
||
|
},
|
||
|
{
|
||
|
"type": "field",
|
||
|
"ip": [
|
||
|
"geoip:private"
|
||
|
],
|
||
|
"outboundTag": "direct"
|
||
|
},
|
||
|
{
|
||
|
"type": "field",
|
||
|
"inboundTag": [
|
||
|
"tproxy-in"
|
||
|
],
|
||
|
"outboundTag": "nginxtls"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
```
|
||
|
|
||
|
如果使用透明代理需要在 iptables 或 ip6tables 配置中加入
|
||
|
|
||
|
```
|
||
|
iptables -t mangle -A XRAY_MASK -d VSP_IPv4/32 -j RETURN
|
||
|
ip6tables -t mangle -A XRAY6_MASK -d VPS_IPv6/128 -j RETURN
|
||
|
```
|
||
|
|
||
|
## 客户端及服务端启动服务
|
||
|
|
||
|
`systemctl restart xray`
|
||
|
|
||
|
`systemctl restart nginx`
|
||
|
|
||
|
## 后记
|
||
|
|
||
|
客户端应该也是可以通过 domain socket 连接提高性能,但由于 xray outbound 不支持 ds 出站,想了半天没什么好的实现方法。如果 vnext 里支持 ds 就好了 (没有别的意思)。
|
||
|
|
||
|
从客户端 nginx 开始应该可以选择 http2 grpc ws 等传输方式。
|