From 0a911bdb93c445cfca5eb3b34cc50a82d75e23ff Mon Sep 17 00:00:00 2001 From: root Date: Tue, 6 Nov 2018 20:50:24 +0800 Subject: [PATCH] update ngnx config,add server/client config --- websocket+Nginx+TLS/Nginx.config | 146 ------------------ websocket+Nginx+TLS/config_client.json | 0 websocket+Nginx+TLS/config_client_ver4.2.json | 103 ++++++++++++ websocket+Nginx+TLS/config_server.json | 0 websocket+Nginx+TLS/config_server_ver4.2.json | 54 +++++++ websocket+Nginx+TLS/nginx_Domain.Name.conf | 131 ++++++++++++++++ 6 files changed, 288 insertions(+), 146 deletions(-) delete mode 100755 websocket+Nginx+TLS/Nginx.config mode change 100755 => 100644 websocket+Nginx+TLS/config_client.json create mode 100644 websocket+Nginx+TLS/config_client_ver4.2.json mode change 100755 => 100644 websocket+Nginx+TLS/config_server.json create mode 100644 websocket+Nginx+TLS/config_server_ver4.2.json create mode 100644 websocket+Nginx+TLS/nginx_Domain.Name.conf diff --git a/websocket+Nginx+TLS/Nginx.config b/websocket+Nginx+TLS/Nginx.config deleted file mode 100755 index 542e82f..0000000 --- a/websocket+Nginx+TLS/Nginx.config +++ /dev/null 
@@ -1,146 +0,0 @@
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# https://www.nginx.com/resources/wiki/start/
-# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
-# https://wiki.debian.org/Nginx/DirectoryStructure
-#
-# In most cases, administrators will remove this file from sites-enabled/ and
-# leave it as reference inside of sites-available where it will continue to be
-# updated by the nginx packaging team.
-#
-# This file will automatically load configuration files provided by other
-# applications, such as Drupal or Wordpress. These applications will be made
-# available underneath a path with that package name, such as /drupal8.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
-# Default server configuration
-#
-#####兼容客户端Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
-#####此文件的真身路径是 /etc/nginx/sites-available/default 如果你修改了 /etc/nginx/nginx.conf 中的内容,但
-#####/etc/nginx/sites-available/default 中的 参数 与 前者 重叠 那么 会 遵从 后者
-
-server {
- #listen 80 default_server;
- #listen [::]:80 default_server;
-
- # SSL configuration
- #
- # listen 443 ssl default_server;
- # listen [::]:443 ssl default_server;
- #
- # Note: You should disable gzip for SSL traffic.
- # See: https://bugs.debian.org/773332
- #
- # Read up on ssl_ciphers to ensure a secure configuration.
- # See: https://bugs.debian.org/765782
- #
- # Self signed certs generated by the ssl-cert package
- # Don't use them in a production server!
- #
- # include snippets/snakeoil.conf;
-
- listen 127.0.0.1:80 default_server;
- server_name domain.Name;
- return 301 https://$host/$request_uri;
-}
-
-
-server {
- #listen 443 ssl http2;
- #listen [::]:443 ssl;
- #要开启HTTP/2需要nginx版本在1.10.0以上且需要openssl版本在1.0.2以上编译
- #可以使用 nginx -V 检查
- listen 127.0.0.1:443 ssl http2;
-
- #证书配置
- ssl_certificate PATH;
- ssl_certificate_key PATH;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 5m;
- ssl_session_tickets off;
-
- #https://nginx.org/en/docs/http/ngx_http_ssl_module.html
- ssl_protocols TLSv1.2;
- ###openssl ciphers
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; #屏蔽不安全的加密方式
- ssl_prefer_server_ciphers on;
-
-
- # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
- #
- ###测试前请使用较少的时间 此处以从 15768000 >>> 15
- ###https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
- #add_header Strict-Transport-Security max-age=15;
-
- #openssl dhparam out dhparam.pem 2048
- #openssl dhparam out dhparam.pem 4096
- #ssl_dhparam /home/acme/data/dhparam.pem;
-
- # OCSP Stapling ---
- # fetch OCSP records from URL in ssl_certificate and cache them
- #有条件就开
- #ssl_stapling on;
- #ssl_stapling_verify on;
-
- root /var/www/html;
-
- # Add index.php to the list if you are using PHP
- index index.html index.htm index.nginx-debian.html index.php tail.html ;
-
- server_name _;
-
-
- location /PATH/ {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $http_host;
-
- #host判断
- if ($http_host = "domain.Name" ) {
- #v 监听端口
- proxy_pass http://127.0.0.1:10086;
- }
- }
-
- # pass PHP scripts to FastCGI server
- #
- location ~ \.php$ {
- include snippets/fastcgi-php.conf;
- #
- # # With php-fpm (or other unix sockets):
- fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
- # # With php-cgi (or other tcp sockets):
- # fastcgi_pass 127.0.0.1:9000;
- }
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
-}
-
-
-# Virtual Host configuration for example.com
-#
-# You can move that to a different file under sites-available/ and symlink that
-# to sites-enabled/ to enable it.
-#
-#server {
-# listen 80;
-# listen [::]:80;
-#
-# server_name example.com;
-#
-# root /var/www/example.com;
-# index index.html;
-#
-# location / {
-# try_files $uri $uri/ =404;
-# }
-#}
diff --git a/websocket+Nginx+TLS/config_client.json b/websocket+Nginx+TLS/config_client.json
old mode 100755
new mode 100644
diff --git a/websocket+Nginx+TLS/config_client_ver4.2.json b/websocket+Nginx+TLS/config_client_ver4.2.json
new file mode 100644
index 0000000..47ea614
--- /dev/null
+++ b/websocket+Nginx+TLS/config_client_ver4.2.json
@@ -0,0 +1,103 @@
+{
+ "log": {
+ "loglevel": "debug"
+ },
+ "inbounds": [
+ {
+ "port": 10086,
+ "listen": "0.0.0.0",
+ "tag": "socks-in",
+ "protocol": "socks",
+ "settings": {
+ "auth": "noauth",
+ "udp": false
+ }
+ },
+ {
+ "port": 1087,
+ "listen": "0.0.0.0",
+ "tag": "http-in",
+ "protocol": "http",
+ "settings": {}
+ }
+ ],
+ "outbounds": [
+ {
+ "mux": {
+ "concurrency": 32,
+ "enabled": true
+ },
+ "protocol": "vmess",
+ "settings": {
+ "vnext": [
+ {
+ "users": [
+ {
+ //注:填写uuid
+ "id": "UUID",
+ "alterId": 64,
+ "security": "auto"
+ }
+ ],
+ //注:填写域名、端口
+ "address": "domain.Name",
+ "port": 1234
+ }
+ ]
+ },
+ "streamSettings": {
+ "tlsSettings": {
+ "allowInsecure": false
+ },
+ "wsSettings": {
+ "headers": {
+ "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.4489.62 Safari/537.36",
+ //注:填写对应头部
+ "Host": "HOST",
+ "Accept-Encoding": "gzip",
+ "Pragma": "no-cache"
+ },
+ //注:ws路径
+ "path": "/PATH/"
+ },
+ "network": "ws",
+ "security": "tls"
+ },
+ "tag": "proxy"
+ },
+ {
+ "protocol": "blackhole",
+ "settings": {},
+ "tag": "blocked"
+ },
+ {
+ "protocol": "freedom",
+ "settings": {},
+ "tag": "dicert"
+ }
+ ],
+ "routing": {
+ //注:全域名规则匹配
+ "domainStrategy": "AsIs",
+ "rules": [
+ {
+ "type": "field",
+ "domain": [
+ //注:填写对应域名和host
+ "domain:domain.Name"
+ ],
+ "outboundTag": "dicert"
+ },
+ {
+ "type": "field",
+ "inboundTag": [
+ "socks-in",
+ "http-in"
+ ],
+ "outboundTag": "proxy"
+ }
+ ]
+ },
+ "other": {}
+}
+
diff --git a/websocket+Nginx+TLS/config_server.json b/websocket+Nginx+TLS/config_server.json
old mode 100755
new mode 100644
diff --git a/websocket+Nginx+TLS/config_server_ver4.2.json b/websocket+Nginx+TLS/config_server_ver4.2.json
new file mode 100644
index 0000000..c95964e
--- /dev/null
+++ b/websocket+Nginx+TLS/config_server_ver4.2.json
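Review bot: Both local inbounds bind `"listen": "0.0.0.0"`, and the socks-in entry pairs that with `"auth": "noauth"` (http-in has no settings at all), so any machine that can reach ports 10086 and 1087 gets an unauthenticated proxy through the tunnel. Unless LAN sharing is intended, change both to `"listen": "127.0.0.1"`; if sharing is intended, use `"auth": "password"` with an `accounts` list and restrict the ports at the host firewall. `"loglevel": "debug"` here and in config_server_ver4.2.json records per-connection detail, including destinations, to the log; `"warning"` is the usual setting outside troubleshooting. The outbound tag `dicert` (used twice) reads as a typo for `direct`, which the server config uses; it works because both references match, but renaming it avoids confusion when the two files are compared.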
@@ -0,0 +1,54 @@
+{
+ "log": {
+ "loglevel": "debug"
+ },
+ "inbounds": [
+ {
+ "port": 10086,
+ "listen": "127.0.0.1",
+ "tag": "vmess-in",
+ "protocol": "vmess",
+ "settings": {
+ "clients": [
+ {
+ //注:UUID
+ "id": "UUID",
+ "alterId": 64
+ }
+ ]
+ },
+ "streamSettings": {
+ "network": "ws",
+ "wsSettings": {
+ //注:ws路径
+ "path": "/PATH/",
+ "headers": { }
+ }
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom",
+ "settings": { },
+ "tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "settings": { },
+ "tag": "blocked"
+ }
+ ],
+ "routing": {
+ "domainStrategy": "AsIs",
+ "rules": [
+ {
+ "type": "field",
+ "inboundTag": [
+ "vmess-in"
+ ],
+ "outboundTag": "direct"
+ }
+ ]
+ }
+}
diff --git a/websocket+Nginx+TLS/nginx_Domain.Name.conf b/websocket+Nginx+TLS/nginx_Domain.Name.conf
new file mode 100644
index 0000000..daec2fa
--- /dev/null
+++ b/websocket+Nginx+TLS/nginx_Domain.Name.conf
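Review bot: The `//注:UUID` comment on the clients entry does not say that `"id"` must be identical to `users[].id` in config_client_ver4.2.json and that a fresh random UUID should be generated per deployment rather than reusing a sample value; a comment such as `//注:UUID — must match the client's users[].id; generate a new random UUID per deployment` would prevent the most common copy-paste failure. The same agreement requirement applies to `"alterId": 64`, which the client file also sets to 64, and is worth stating in the same comment.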
@@ -0,0 +1,131 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+#####本配置使用正常环境 debian9_x64 nginx_1.10.3 openssl_1.1.0f v2ray_4.2
+#####兼容客户端Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
+#####注:切勿修改中的内容,但<该文件>与中的<参数重叠>那么会<遵从前者>
+
+server {
+ # 禁用不需要的请求方式 以下只允许 get、post
+ if ($request_method !~ ^(POST|GET)$) {
+ return 444;
+ }
+
+ listen 127.0.0.1:80;
+ server_name domain.Name; #注:填写自己的域名
+ return 301 https://$host/;
+}
+
+upstream v2ray {
+ server 127.0.0.1:10086; #注:v2ray后端监听地址、端口
+ keepalive 2176; # 链接池空闲链接数
+}
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+
+server {
+ #要开启 HTTP/2 注意nginx版本
+ #可以使用 nginx -V 检查
+ listen 127.0.0.1:443 ssl http2 backlog=1024 so_keepalive=120s:60s:10 reuseport; # backlog是nginx 监听队列 默认是511 使用命令 ss -tnl查看(Send-Q);
+ #设置编码
+ charset utf-8;
+
+ #证书配置
+ ssl_certificate PATH; #注:填写自己证书路径
+ ssl_certificate_key PATH; #注:填写密钥路径
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ # https://nginx.org/en/docs/http/ngx_http_ssl_module.html
+ ssl_protocols TLSv1.2;
+ #openssl ciphers
+ #注:懒人配置 https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ #安全设定
+ #屏蔽请求类型
+ if ($request_method !~ ^(POST|GET)$) {
+ return 444;
+ }
+ add_header X-Frame-Options DENY;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ ###测试前请使用较少的时间
+ ### https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+ add_header Strict-Transport-Security max-age=15 always;
+
+ #openssl dhparam -out dhparam.pem 2048
+ #openssl dhparam -out dhparam.pem 4096
+ #ssl_dhparam /home/dhparam.pem;
+ #ssl_ecdh_curve secp384r1;
+
+ # OCSP Stapling ---
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ #ssl_stapling on;
+ #ssl_stapling_verify on;
+ #resolver_timeout 10s;
+ #resolver [去掉括号并将文字改成你希望的dns服务器ip地址] valid=300s;
+ #范例 resolver 2.2.2.2 valid=300s;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.php ;
+
+ server_name domain.Name; #注: 将domain.Name 替换成你的域名
+
+
+ location /GLMzpX/ { #注:修改路径
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade; #此处与对应
+ proxy_set_header Host $http_host;
+
+ # 向后端传递访客ip
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_requests 25600;
+ keepalive_timeout 300 300;
+ proxy_buffering off;
+ proxy_buffer_size 8k;
+
+ #后端错误重定向
+ proxy_intercept_errors on;
+ error_page 400 = URL; # url是一个网站地址。例如:https://www.xxxx.com/
+ if ($http_host = "domain.Name" ) { #注: 修改 domain.Name 为自己的域名
+ #v2ray 后端 查看上面"upstream"字段
+ proxy_pass http://v2ray;
+ }
+ }
+}
+
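Review bot: The redirect `return 301 https://$host/;` in the port-80 server reflects the client-supplied Host header, and since this is the only server on 127.0.0.1:80 it is also the default for that listener, so a request with any Host value is answered with a redirect to that host; `return 301 https://$server_name/;` (or the literal domain) pins the target. The WebSocket path is `location /GLMzpX/` here but `"path": "/PATH/"` in both config_client_ver4.2.json and config_server_ver4.2.json, so anyone who fills in only one placeholder gets a 404 from the static root with nothing in the v2ray log to explain it; the `#注:修改路径` comment should state that all three must be identical. `add_header Strict-Transport-Security max-age=15 always;` is the testing value the comment above it describes and should return to `max-age=15768000` once the certificate chain is confirmed. The comment `#此处与对应` on the Connection header appears to have lost the word between 与 and 对应 (presumably the `map` block above); restoring it would make the cross-reference readable.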