5.3 KiB
| title |
|---|
| Nginx_TLS隧道隐藏指纹 |
客户端服务端构建 Nginx 隧道隐藏指纹
网路结构:
xray_client ---tcp--- nginx_client ---tcp_TLS--- nginx_sever ---tcp--- xray_server
编译 nginx --with-stream
在客户端及服务端均编译
curl -O -L http://nginx.org/download/nginx-1.22.1.tar.gz
tar -zxvf nginx-1.22.1.tar.gz
cd nginx-1.22.1
apt install gcc make //编译依赖 gcc 以及 make
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-stream --with-stream_ssl_module //此步需要依赖一些库,根据报错安装相应 lib
make && make install
编译之后 nginx 文件夹位于 /usr/local/nginx
配置 nginx
编辑 nginx 配置文件 nginx.conf
vim /usr/local/nginx/conf/nginx.conf
服务端加入如下配置
服务器申请证书不再赘述,参考白话文
stream {
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_protocols TLSv1.3;
ssl_certificate /path/to/cert/domain.crt; #crt文件位置
ssl_certificate_key /path/to/cert/domain.key; #key文件位置
proxy_pass unix:/dev/shm/vless.sock; #使用 domain socket
}
}
::: warning 注意
stream 部分与 http 模块并列,客户端可删除 http 部分,服务端可删除或搭建网页伪装回落 :::
客户端加入如下配置
stream {
server {
listen 6666;
listen [::]:6666;
proxy_ssl on;
proxy_ssl_protocols TLSv1.3;
proxy_ssl_server_name on;
proxy_ssl_name yourdomain.domain; #服务器域名
proxy_pass ip:443; #服务器 ip 形如 proxy_pass 6.6.6.6:443; 或 proxy_pass [2401:0:0::1]:443;
}
}
在 /etc/systemd/system 文件夹中创建 nginx.service 文件
vim /etc/systemd/system/nginx.service
写入如下
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
After=xray.service
[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
加入开机自启
systemctl enable nginx
xray 配置
服务端 xray 配置
{
"log": {
"loglevel": "none"
},
"inbounds": [
{
"listen": "/dev/shm/vless.sock,0666",
"protocol": "vless",
"settings": {
"clients": [
{
"id": "uuid"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp"
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"protocol": "freedom"
}
]
}
客户端 xray 配置,此处以旁路由透明代理为例
{
"log": {
"loglevel": "none"
},
"inbounds": [
{
"tag": "tproxy-in",
"port": 12345,
"protocol": "dokodemo-door",
"settings": {
"network": "tcp,udp",
"followRedirect": true
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
],
"routeOnly": true
},
"streamSettings": {
"sockopt": {
"tproxy": "tproxy",
"mark": 255
}
}
},
{
"tag": "http",
"port": 10808,
"listen": "127.0.0.1",
"protocol": "http",
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"tag": "nginxtls",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "127.0.0.1",
"port": 6666,
"users": [
{
"id": "uuid",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"sockopt": {
"mark": 255
},
"network": "tcp"
}
},
{
"tag": "direct",
"protocol": "freedom",
"streamSettings": {
"sockopt": {
"mark": 255
}
}
},
{
"tag": "block",
"protocol": "blackhole",
"settings": {
"response": {
"type": "http"
}
}
}
],
"routing": {
"domainMatcher": "mph",
"domainStrategy": "AsIs",
"rules": [
{
"type": "field",
"domain": [
"geosite:category-ads-all"
],
"outboundTag": "block"
},
{
"type": "field",
"port": 123,
"network": "udp",
"outboundTag": "direct"
},
{
"type": "field",
"domain": [
"geosite:cn"
],
"outboundTag": "direct"
},
{
"type": "field",
"protocol": [
"bittorrent"
],
"outboundTag": "direct"
},
{
"type": "field",
"ip": [
"geoip:private"
],
"outboundTag": "direct"
},
{
"type": "field",
"inboundTag": [
"tproxy-in"
],
"outboundTag": "nginxtls"
}
]
}
}
如果使用透明代理需要在 iptables 或 ip6tables 配置中加入
iptables -t mangle -A XRAY_MASK -d VSP_IPv4/32 -j RETURN
ip6tables -t mangle -A XRAY6_MASK -d VPS_IPv6/128 -j RETURN
客户端及服务端启动服务
systemctl restart xray
systemctl restart nginx
后记
客户端应该也是可以通过 domain socket 连接提高性能,但由于 xray outbound 不支持 ds 出站,想了半天没什么好的实现方法。如果 vnext 里支持 ds 就好了 (没有别的意思)。
从客户端 nginx 开始应该可以选择 http2 grpc ws 等传输方式。