Create Nginx_TLS隧道隐藏指纹 (#314)

* Create Nginx_TLS隧道隐藏指纹 * Rename Nginx_TLS隧道隐藏指纹 to Nginx_TLS_tunnel.md * Update Nginx_TLS_tunnel.md * Rename Nginx_TLS_tunnel.md to nginx_tls_tunnel.md
2 years ago · 483372d84f
1 changed files with 298 additions and 0 deletions
--- a/docs/document/level-2/nginx_tls_tunnel.md
+++ b/docs/document/level-2/nginx_tls_tunnel.md
@ -0,0 +1,298 @@
+---
+title: Nginx_TLS隧道隐藏指纹
+---
+
+# 客户端服务端构建 Nginx 隧道隐藏指纹
+
+网路结构：
+
+xray_client ---tcp--- nginx_client ---tcp_TLS--- nginx_sever ---tcp--- xray_server
+
+## 编译 nginx --with-stream
+
+在客户端及服务端均编译
+
+`curl -O -L http://nginx.org/download/nginx-1.22.1.tar.gz`
+
+`tar -zxvf nginx-1.22.1.tar.gz`
+
+`cd nginx-1.22.1`
+
+`apt install gcc make` //编译依赖 gcc 以及 make
+
+`./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-stream --with-stream_ssl_module` //此步需要依赖一些库，根据报错安装相应 lib
+
+`make && make install`
+
+编译之后 nginx 文件夹位于 `/usr/local/nginx`
+
+## 配置 nginx
+
+编辑 nginx 配置文件 nginx.conf
+
+`vim /usr/local/nginx/conf/nginx.conf`
+
+服务端加入如下配置
+
+服务器申请证书不再赘述，参考[白话文](https://xtls.github.io/document/level-0/ch06-certificates.html)
+
+```
+stream {
+    server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        ssl_protocols TLSv1.3;
+        ssl_certificate /path/to/cert/domain.crt; #crt文件位置
+        ssl_certificate_key /path/to/cert/domain.key; #key文件位置
+        proxy_pass unix:/dev/shm/vless.sock; #使用 domain socket
+    }
+}
+```
+
+::: warning 注意
+
+stream 部分与 http 模块并列，客户端可删除 http 部分，服务端可删除或搭建网页伪装回落
+:::
+
+客户端加入如下配置
+
+```
+stream {
+    server {
+        listen 6666;
+        listen [::]:6666;
+        proxy_ssl on;
+        proxy_ssl_protocols TLSv1.3;
+        proxy_ssl_server_name on;
+        proxy_ssl_name yourdomain.domain; #服务器域名
+        proxy_pass ip:443; #服务器 ip 形如 proxy_pass 6.6.6.6:443; 或 proxy_pass [2401:0:0::1]:443;
+    }
+}
+```
+
+在 `/etc/systemd/system` 文件夹中创建 `nginx.service` 文件
+
+`vim /etc/systemd/system/nginx.service`
+
+写入如下
+
+```
+[Unit]
+Description=The NGINX HTTP and reverse proxy server
+After=syslog.target network-online.target remote-fs.target nss-lookup.target
+After=xray.service
+
+[Service]
+Type=forking
+ExecStartPre=/usr/local/nginx/sbin/nginx -t
+ExecStart=/usr/local/nginx/sbin/nginx
+ExecReload=/usr/local/nginx/sbin/nginx -s reload
+ExecStop=/bin/kill -s QUIT $MAINPID
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+```
+
+加入开机自启
+
+`systemctl enable nginx`
+
+## xray 配置
+
+服务端 xray 配置
+
+```
+{
+	"log": {
+		"loglevel": "none"
+	},
+	"inbounds": [
+		{
+			"listen": "/dev/shm/vless.sock,0666",
+			"protocol": "vless",
+			"settings": {
+				"clients": [
+					{
+						"id": "uuid"
+					}
+				],
+				"decryption": "none"
+			},
+			"streamSettings": {
+				"network": "tcp"
+			},
+			"sniffing": {
+				"enabled": true,
+				"destOverride": [
+					"http",
+					"tls"
+				]
+			}
+		}
+	],
+	"outbounds": [
+		{
+			"protocol": "freedom"
+		}
+	]
+}
+```
+
+客户端 xray 配置，此处以旁路由透明代理为例
+
+```
+{
+	"log": {
+		"loglevel": "none"
+	},
+	"inbounds": [
+		{
+			"tag": "tproxy-in",
+			"port": 12345,
+			"protocol": "dokodemo-door",
+			"settings": {
+				"network": "tcp,udp",
+				"followRedirect": true
+			},
+			"sniffing": {
+				"enabled": true,
+				"destOverride": [
+					"http",
+					"tls"
+				],
+				"routeOnly": true
+			},
+			"streamSettings": {
+				"sockopt": {
+					"tproxy": "tproxy",
+					"mark": 255
+				}
+			}
+		},
+		{
+			"tag": "http",
+			"port": 10808,
+			"listen": "127.0.0.1",
+			"protocol": "http",
+			"sniffing": {
+				"enabled": true,
+				"destOverride": [
+					"http",
+					"tls"
+				]
+			}
+		}
+	],
+	"outbounds": [
+		{
+			"tag": "nginxtls",
+			"protocol": "vless",
+			"settings": {
+				"vnext": [
+					{
+						"address": "127.0.0.1",
+						"port": 6666,
+						"users": [
+							{
+								"id": "uuid",
+								"encryption": "none"
+							}
+						]
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mark": 255
+				},
+				"network": "tcp"
+			}
+		},
+		{
+			"tag": "direct",
+			"protocol": "freedom",
+			"streamSettings": {
+				"sockopt": {
+					"mark": 255
+				}
+			}
+		},
+		{
+			"tag": "block",
+			"protocol": "blackhole",
+			"settings": {
+				"response": {
+					"type": "http"
+				}
+			}
+		}
+	],
+	"routing": {
+		"domainMatcher": "mph",
+		"domainStrategy": "AsIs",
+		"rules": [
+			{
+				"type": "field",
+				"domain": [
+					"geosite:category-ads-all"
+				],
+				"outboundTag": "block"
+			},
+			{
+				"type": "field",
+				"port": 123,
+				"network": "udp",
+				"outboundTag": "direct"
+			},
+			{
+				"type": "field",
+				"domain": [
+					"geosite:cn"
+				],
+				"outboundTag": "direct"
+			},
+			{
+				"type": "field",
+				"protocol": [
+					"bittorrent"
+				],
+				"outboundTag": "direct"
+			},
+			{
+				"type": "field",
+				"ip": [
+					"geoip:private"
+				],
+				"outboundTag": "direct"
+			},
+			{
+				"type": "field",
+				"inboundTag": [
+					"tproxy-in"
+				],
+				"outboundTag": "nginxtls"
+			}
+		]
+	}
+}
+```
+
+如果使用透明代理需要在 iptables 或 ip6tables 配置中加入
+
+```
+iptables -t mangle -A XRAY_MASK -d VSP_IPv4/32 -j RETURN
+ip6tables -t mangle -A XRAY6_MASK -d VPS_IPv6/128 -j RETURN
+```
+
+## 客户端及服务端启动服务
+
+`systemctl restart xray`
+
+`systemctl restart nginx`
+
+## 后记
+
+客户端应该也是可以通过 domain socket 连接提高性能，但由于 xray outbound 不支持 ds 出站，想了半天没什么好的实现方法。如果 vnext 里支持 ds 就好了 (没有别的意思)。
+
+从客户端 nginx 开始应该可以选择 http2 grpc ws 等传输方式。