
v2ray + Nginx + TLS (CentOS 7)


Install v2ray

  1. Install the latest v2ray release:

bash <(curl -L -s https://install.direct/go.sh)

  2. Edit the v2ray configuration file /etc/v2ray/config.json. This configuration simply enables two transports: WebSocket on port 8081 and mKCP on port 8082. For further options see the official documentation:
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "dns": {},
  "stats": {},
  "inbounds": [{
    "tag": "in-0",
    "settings": {
      "clients": [{
        "id": "xxx",
        "alterId": 64,
        "level": 1
      }]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/ray"
      },
      "security": "none"
    },
    "listen": "127.0.0.1",
    "port": 8081,
    "protocol": "vmess"
  }, {
    "tag": "in-1",
    "settings": {
      "clients": [{
        "id": "xxx",
        "alterId": 64,
        "level": 1
      }]
    },
    "streamSettings": {
      "network": "kcp",
      "kcpSettings": {
        "header": {
          "type": "dtls"
        }
      },
      "security": "none"
    },
    "port": 8082,
    "protocol": "vmess"
  }],
  "outbounds": [{
    "tag": "direct",
    "settings": {},
    "protocol": "freedom"
  }, {
    "tag": "blocked",
    "settings": {},
    "protocol": "blackhole"
  }],
  "routing": {
    "rules": [{
      "type": "field",
      "ip": [
        "geoip:private"
      ],
      "outboundTag": "blocked"
    }],
    "domainStrategy": "AsIs"
  },
  "policy": {},
  "reverse": {},
  "transport": {}
}
  3. Enable and start the v2ray service:

systemctl enable v2ray && systemctl start v2ray

or, as a single command:

systemctl enable --now v2ray

  4. Open the v2ray mKCP port in the firewall:

firewall-cmd --zone=public --permanent --add-port=8082/tcp
firewall-cmd --zone=public --permanent --add-port=8082/udp
firewall-cmd --reload

  5. (Recommended) run v2ray in Docker:

docker run --restart=always -d -p 8082:8082/udp -p 127.0.0.1:8081:8081 -v /path/to/v2ray/config.json:/etc/v2ray/config.json -v /path/to/v2ray:/var/log/v2ray/ v2ray/officia

Notes:

  • --restart=always starts the container whenever the Docker daemon starts;
  • 127.0.0.1:8081 is the upstream address for Nginx; it is not exposed externally and is only reached through the Nginx proxy;
  • port 8082 is the UDP server port and listens on 0.0.0.0;
  • /path/to/v2ray holds the v2ray configuration file and log directory.
  6. Configure log rotation:
cat << EOF > /etc/logrotate.d/v2ray
/path/to/v2ray/*.log {
daily
rotate 5
missingok
notifempty
compress
}
EOF

Installing Nginx with yum on CentOS 7

  1. Add the repository that provides nginx (EPEL):

yum install epel-release

  2. Install nginx:

yum install nginx

  3. Configure the firewall to allow HTTP and HTTPS:

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

  4. Enable and start nginx:

systemctl enable nginx && systemctl start nginx

or, as a single command:

systemctl enable --now nginx

Generate a self-signed SSL certificate (X.509 v1)

  1. Generate an RSA private key (unencrypted):

openssl genrsa -out server.key 1024

Note: see man genrsa for the manual. The key is generated without a passphrase so that nginx can reload its SSL configuration without a manual passphrase prompt each time.

  2. Create a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr

  3. Sign the CSR with the private key generated above to produce the certificate:

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

openssl x509 -noout -text -in server.crt prints the contents of the certificate.
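The three openssl steps above are interactive (openssl req prompts for the subject fields). As an added example, not from the original post, the script below runs them non-interactively with -subj and then performs the checks worth doing before handing the files to nginx: the key and certificate share a modulus (nginx reports "key values mismatch" otherwise), the certificate is genuinely self-signed (issuer equals subject), it is currently valid, and the CN is the one requested. Two assumptions differ from the post: the key size is 2048 bits rather than 1024, because current clients and distribution OpenSSL defaults reject shorter RSA keys, and the CN example.test is a constructed value.

```shell
# Generate key, CSR and self-signed certificate in $1 with common name $2.
# Same commands as the post, with -subj supplied so nothing prompts.
make_self_signed() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# The RSA modulus of the key must equal the modulus in the certificate;
# comparing md5 digests of the two hex strings keeps the output short.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# A self-signed certificate has identical issuer and subject. The sed strips
# the "subject="/"issuer=" prefix so old and new OpenSSL output formats compare.
cert_is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# -checkend 0 exits non-zero once the certificate's notAfter has passed.
cert_is_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Print the subject CN; handles both "CN = x" and "/CN=x" output styles.
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Run every check; returns non-zero on the first failure.
verify_self_signed() {
    dir=$1
    key_matches_cert "$dir/server.key" "$dir/server.crt" &&
    cert_is_self_signed "$dir/server.crt" &&
    cert_is_valid_now "$dir/server.crt"
}
```

Usage: `make_self_signed /etc/nginx/self_cert your_server_name && verify_self_signed /etc/nginx/self_cert` (the directory is the one the next section creates; the server name is yours). Because a self-signed certificate is not chained to any CA, clients will have to pin or explicitly trust server.crt; the checks here only confirm the files are internally consistent.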

Configure Nginx to use the self-signed SSL certificate

  1. Create a directory for the private key and certificate with mkdir /etc/nginx/self_cert, and copy the server.key and server.crt files generated above into /etc/nginx/self_cert.

  2. Edit the Nginx configuration file /etc/nginx/nginx.conf:

server {
    listen 443 default ssl;
    ssl_certificate /etc/nginx/self_cert/server.crt;
    ssl_certificate_key /etc/nginx/self_cert/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    server_name your_server_name_or_ip;

    # WebSocket path proxied to the v2ray ws inbound on loopback
    location /ray {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
  3. Allow httpd to open network connections, which SELinux denies by default; otherwise the resulting permission denied error surfaces as an Nginx 502 Bad Gateway:

setsebool -P httpd_can_network_connect 1

  4. Reload Nginx: nginx -s reload