Setting up an Xray server on CentOS 7
Update At 5/9/2023
After the site migration the proxy.halfstack.net domain is no longer needed, so I re-issued a certificate for halfstack.net and found a small problem with the script: the cert and key specified in the xray config are not the ones under ~/xray_cert, so I would also have needed to add symlinks or overwrite ~/xray_cert with the installed certificate. Instead I simply changed the xray config to the path the script installs to.
The install commands also change to:
sh acme.sh --issue --server letsencrypt --test -d halfstack.net -w /home/summer/www/webpage --keylength ec-256
sh acme.sh --installcert -d halfstack.net --cert-file ~/keys/cert.crt --key-file ~/keys/cert.key --fullchain-file ~/keys/fullchain.crt --ecc
chmod +r ~/keys/cert.key
Also remember to change the client's server_name to match.
Update At 5/1/2023
Verified working
#!/bin/bash
rm -rf ~/.acme.sh
echo "Clear acme"
wget -O - https://get.acme.sh | sh
cd ~/.acme.sh/
echo "Download acme"
sh acme.sh --upgrade --auto-upgrade
echo "Set acme auto upgrade"
sh acme.sh --issue --server letsencrypt --test -d proxy.halfstack.net -w /home/summer/www/webpage --keylength ec-256
echo "Test Generate Cert"
sh acme.sh --set-default-ca --server letsencrypt
echo "Change Default CA"
sh acme.sh --issue -d proxy.halfstack.net -w /home/summer/www/webpage --keylength ec-256 --force
echo "Apply Cert"
sh acme.sh --installcert -d proxy.halfstack.net --cert-file ~/keys/cert.crt --key-file ~/keys/cert.key --fullchain-file ~/keys/fullchain.crt --ecc
echo "Install Cert"
chmod +r /home/summer/xray_cert/xray.key
echo "Read Permission Granted for Private Key"
sudo systemctl restart xray
echo "Xray Restarted"
Update At 4/25/2023
While renewing the certificate I found the automatic renewal script was useless, so I simply rewrote a script following the manual issuance steps; it reinstalls the certificate on every run. To use it, replace the domain, the website root path and the certificate install path.
But I requested too many times... and got temporarily banned, so I haven't been able to verify this script yet. I think it works though! I'll verify it next time the certificate expires.
Update At 4/23/2023
When I generated the certificate with acme I used the HTTP method, so the auto-renewal script accesses port 80 when it runs. But the final nginx configuration forces a redirect to HTTPS, and port 443 is listened on by xray, which falls back to port 8080 in the end, so the acme certificate could not be generated and the renewal failed.
For now the workaround for this is to turn off nginx's forced HTTPS redirect and let port 80 serve the webpage normally.
Background
With shadowsocks, the VPS's IP got thoroughly ganked by the GFW within a couple of days.
This is just a personal record. The VPS is a GoDaddy VPS4 running CentOS 7 in a US West datacenter.
What you need
- A domain name
- A VPS
- That's it
References
- https://xtls.github.io/document/level-0/ch07-xray-server.html#_7-1-%E5%8D%9A%E8%A7%82%E8%80%8C%E7%BA%A6%E5%8F%96-%E5%8E%9A%E7%A7%AF%E8%80%8C%E8%96%84%E5%8F%91
- https://gaozhiyuan.net/server/centos-7-bbr.html
Steps
Rebuild the VPS
Start from the cleanest possible VPS.
Enable BBR
Update the package sources
yum update
Install elrepo and upgrade the kernel
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
Update the grub configuration && reboot
[root@89 ~]# egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \'
CentOS Linux (6.1.4-1.el7.elrepo.x86_64) 7 (Core)
CentOS Linux 7 Rescue 05121276371f496993086411838f1b53 (3.10.0-1160.81.1.el7.x86_64)
CentOS Linux (3.10.0-1160.81.1.el7.x86_64) 7 (Core)
CentOS Linux (3.10.0-1160.76.1.el7.x86_64) 7 (Core)
CentOS Linux (3.10.0-1160.45.1.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-754f8a1ad2654504b10cacfb2e9d5eb0) 7 (Core)
[root@89 ~]# grub2-set-default 0 // this 0 is the index of the newest kernel in the list printed above; adjust it to your own output, usually 0
[root@89 ~]# reboot
Check the current kernel version
[root@89 ~]# uname -r
6.1.4-1.el7.elrepo.x86_64 // must be newer than 4.9
Enable BBR
[root@89 ~]# vim /etc/sysctl.conf // add the two lines printed below
[root@89 ~]# sysctl -p
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
Confirm BBR is enabled
[root@89 ~]# sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = reno cubic bbr
[root@89 ~]# lsmod | grep bbr
tcp_bbr 20480 1
Basic VPS configuration changes (optional)
Give a non-root user sudo rights (create one first if there is none)
Install sudo && grant the rights:
[root@89 ~]# yum -y install sudo
[root@89 ~]# visudo
// below root ALL=(ALL) ALL add:
// <username> ALL=(ALL) ALL
Disable SSH login for root, etc.
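The two optional steps above (sudo for a non-root user, then closing root's SSH login) are the ones that lock an admin out of a VPS when done in the wrong order. The following is an added example, not from the original post: a script that writes the sudoers entry as a drop-in under /etc/sudoers.d, validates it with visudo -c where available, and only then sets PermitRootLogin no. The user name and file paths are parameters; the directory and path arguments exist so the functions can be tried on copies before touching the real files.

```shell
#!/bin/bash
# Added example (not part of the original post): grant sudo to a non-root user
# and disable root SSH login, in the order that cannot lock you out.

# Write "<user> ALL=(ALL) ALL" as a drop-in file instead of editing /etc/sudoers by hand.
# Usage: grant_sudo USER [SUDOERS_DIR]   (SUDOERS_DIR defaults to /etc/sudoers.d)
grant_sudo() {
    local user="$1" dir="${2:-/etc/sudoers.d}" file
    file="$dir/90-$user"
    printf '%s ALL=(ALL) ALL\n' "$user" > "$file" || return 1
    chmod 0440 "$file" || return 1            # sudo ignores drop-ins with looser modes
    if command -v visudo >/dev/null 2>&1; then
        # visudo -c checks syntax; a broken drop-in would break sudo for everyone
        visudo -cf "$file" >/dev/null 2>&1 || { rm -f "$file"; return 1; }
    fi
}

# Set PermitRootLogin no in an sshd_config. sshd uses the first value it sees, so the
# directive is placed on line 1, ahead of any Match block, and every other active
# PermitRootLogin line is removed (commented lines are left alone).
# Usage: disable_root_ssh [SSHD_CONFIG]   (defaults to /etc/ssh/sshd_config)
disable_root_ssh() {
    local cfg="${1:-/etc/ssh/sshd_config}" rest
    rest=$(grep -vE '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg") || true
    printf 'PermitRootLogin no\n%s\n' "$rest" > "$cfg" || return 1
    # exactly one active directive must remain
    [ "$(grep -cE '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg")" -eq 1 ]
}

# Usage: bash harden.sh summer   (only acts when a user name is given)
if [ "$#" -ge 1 ]; then
    grant_sudo "$1" || { echo "sudoers entry for $1 failed; root SSH left enabled" >&2; exit 1; }
    disable_root_ssh || exit 1
    # validate the new sshd_config, then reload without dropping the current session
    sshd -t && systemctl reload sshd
fi
```

Keep the current SSH session open and confirm that `sudo -l` works for the new user from a second session before closing root's login; the script refuses to touch sshd_config when the sudoers drop-in fails validation for exactly that reason.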
Website setup
Configure the EPEL repo && install Nginx
[summer@89 ~]$ sudo yum install -y epel-release && sudo yum -y update && sudo yum install -y nginx
[summer@89 ~]$ mkdir -p ~/www/webpage/ && nano ~/www/webpage/index.html
Install nano
[summer@89 ~]$ sudo yum -y install nano
Set up a static page
[summer@89 ~]$ nano ~/www/webpage/index.html
Fill in the following HTML:
<html lang="">
<!-- Text between angle brackets is an HTML tag and is not displayed.
Most tags, such as the HTML and /HTML tags that surround the contents of
a page, come in pairs; some tags, like HR, for a horizontal rule, stand
alone. Comments, such as the text you're reading, are not displayed when
the Web page is shown. The information between the HEAD and /HEAD tags is
not displayed. The information between the BODY and /BODY tags is displayed.-->
<head>
<title>Enter a title, displayed at the top of the window.</title>
</head>
<!-- The information between the BODY and /BODY tags is displayed.-->
<body>
<h1>Enter the main heading, usually the same as the title.</h1>
<p>Be <b>bold</b> in stating your key points. Put them in a list:</p>
<ul>
<li>The first item in your list</li>
<li>The second item; <i>italicize</i> key words</li>
</ul>
<p>Improve your image by including an image.</p>
<p>
<img src="https://i.imgur.com/SEBww.jpg" alt="A Great HTML Resource" />
</p>
<p>
Add a link to your favorite
<a href="https://www.dummies.com/">Web site</a>. Break up your page
with a horizontal rule or two.
</p>
<hr />
<p>
Finally, link to <a href="page2.html">another page</a> in your own Web
site.
</p>
<!-- And add a copyright notice.-->
<p>© Wiley Publishing, 2011</p>
</body>
</html>
Edit the nginx configuration
[summer@89 webpage]$ sudo nano /etc/nginx/nginx.conf
Change user to the current user
Under http add:
server {
    listen 80;
    server_name proxy.halfstack.net;
    root /home/summer/www/webpage;
    index index.html;
}
Restart nginx
[summer@89 www]$ sudo systemctl restart nginx
Certificate management
Install acme
[summer@89 www]$ wget -O - https://get.acme.sh | sh
[summer@89 ~]$ . .bashrc
Enable acme auto-upgrade
[summer@89 ~]$ acme.sh --upgrade --auto-upgrade
[Wed Jan 11 14:41:28 UTC 2023] Already uptodate!
[Wed Jan 11 14:41:28 UTC 2023] Upgrade success!
Test certificate issuance
[summer@89 ~]$ acme.sh --issue --server letsencrypt --test -d proxy.halfstack.net -w /home/summer/www/webpage --keylength ec-256
If there are problems, add --debug to see the details
Issue the certificate for real
[summer@89 ~]$ acme.sh --set-default-ca --server letsencrypt
[Wed Jan 11 14:47:20 UTC 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
[summer@89 ~]$ acme.sh --issue -d proxy.halfstack.net -w /home/summer/www/webpage --keylength ec-256 --force
Install the certificate
[summer@89 ~]$ mkdir ~/keys
[summer@89 ~]$ acme.sh --installcert -d proxy.halfstack.net --cert-file ~/keys/cert.crt --key-file ~/keys/cert.key --fullchain-file ~/keys/fullchain.crt --ecc
[Wed Jan 11 14:51:09 UTC 2023] Installing cert to: /home/summer/keys/cert.crt
[Wed Jan 11 14:51:09 UTC 2023] Installing key to: /home/summer/keys/cert.key
[Wed Jan 11 14:51:09 UTC 2023] Installing full chain to: /home/summer/keys/fullchain.crt
Xray server
Install Xray
Download the install script
[summer@89 ~]$ wget https://github.com/XTLS/Xray-install/raw/main/install-release.sh
Run the install script
[summer@89 ~]$ sudo bash install-release.sh
Delete the install script
[summer@89 ~]$ rm ~/install-release.sh
Configure a TLS certificate for Xray
[summer@89 ~]$ mkdir ~/xray_cert
[summer@89 ~]$ acme.sh --install-cert -d proxy.halfstack.net --ecc \
--fullchain-file ~/xray_cert/xray.crt \
--key-file ~/xray_cert/xray.key
[Wed Jan 11 14:57:07 UTC 2023] Installing key to: /home/summer/xray_cert/xray.key
[Wed Jan 11 14:57:07 UTC 2023] Installing full chain to: /home/summer/xray_cert/xray.crt
Grant read permission to other users
[summer@89 ~]$ chmod +r ~/xray_cert/xray.key
[summer@89 ~]$ chmod +x /home/summer/
Create a cron job to renew the certificate
nano ~/xray_cert/xray-cert-renew.sh
#!/bin/bash
/home/summer/.acme.sh/acme.sh --install-cert -d proxy.halfstack.net --ecc --fullchain-file /home/summer/xray_cert/xray.crt --key-file /home/summer/xray_cert/xray.key
echo "Xray Certificates Renewed"
chmod +r /home/summer/xray_cert/xray.key
echo "Read Permission Granted for Private Key"
sudo systemctl restart xray
echo "Xray Restarted"
Add execute permission
chmod +x ~/xray_cert/xray-cert-renew.sh
Add the scheduled task
[summer@89 xray_cert]$ crontab -e
Add:
# 1:00am, 1st day each month, run `xray-cert-renew.sh`
0 1 1 * * bash /home/summer/xray_cert/xray-cert-renew.sh
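The renewal job above reinstalls the certificate and restarts Xray unconditionally. The 5/9/2023 update at the top of this page shows what goes wrong when the path acme.sh installs to and the path in Xray's config drift apart: Xray keeps serving whatever is at the old path. The following is an added example, not from the original post or from the acme.sh or Xray projects, of a renewal job that checks the certificate and key Xray will actually read before restarting it. It assumes openssl is installed; the acme.sh location, the domain and the cert/key paths are placeholders passed in as arguments.

```shell
#!/bin/bash
# Added example (not part of the original post): renew the Xray certificate and only
# restart Xray if the files it reads are consistent. Assumes openssl is installed.
# The acme.sh path, the domain and the cert/key paths are placeholders.
ACME="${ACME:-${HOME:-/root}/.acme.sh/acme.sh}"

# Return 0 if the private key in $2 belongs to the certificate in $1.
# Comparing the public keys catches a cert installed into one directory while
# the key Xray reads lives in another (the mismatch from the 5/9/2023 update).
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate's Subject Alternative Name list contains $2.
# Parses -text output rather than using -ext so it also works with OpenSSL 1.0.2 on CentOS 7.
cert_covers_name() {
    local cert="$1" name="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | tr -d ' \t' \
        | grep -qixF "DNS:${name}"
}

# Return 0 if the certificate does not expire within the next $2 seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Reinstall the cert with acme.sh, verify it, then restart Xray.
# Usage: renew_and_restart DOMAIN FULLCHAIN_PATH KEY_PATH
renew_and_restart() {
    local domain="$1" cert="$2" key="$3"
    "$ACME" --install-cert -d "$domain" --ecc \
        --fullchain-file "$cert" --key-file "$key" || return 1
    cert_matches_key "$cert" "$key" \
        || { echo "$cert and $key do not match; Xray not restarted" >&2; return 1; }
    cert_covers_name "$cert" "$domain" \
        || { echo "$cert does not cover $domain; Xray not restarted" >&2; return 1; }
    # a freshly renewed Let's Encrypt cert has ~90 days left; less than 30 means
    # acme.sh copied an old cert and the renewal itself did not happen
    cert_valid_for "$cert" $((30 * 24 * 3600)) \
        || { echo "$cert expires within 30 days; renewal did not produce a fresh cert" >&2; return 1; }
    chmod +r "$key"            # as in the post; see the note below on tightening this
    sudo systemctl restart xray
}

# Only acts when called with three arguments, e.g. from cron:
# 0 1 1 * * bash /home/summer/xray_cert/xray-cert-check.sh proxy.halfstack.net /home/summer/xray_cert/xray.crt /home/summer/xray_cert/xray.key
if [ "$#" -eq 3 ]; then
    renew_and_restart "$1" "$2" "$3"
fi
```

A non-zero exit from cron is the signal that something is off, so the job fails loudly rather than restarting Xray with a cert it cannot use. `chmod +r` on the private key, kept here to match the post, makes the key readable by every local account; giving the key to the group Xray's service user belongs to with mode 0640 grants the same access to Xray and nothing else.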
Generate a UUID
[summer@89 xray_cert]$ xray uuid
Create the log files
[summer@89 ~]$ mkdir ~/xray_log
[summer@89 ~]$ touch ~/xray_log/access.log && touch ~/xray_log/error.log
[summer@89 ~]$ chmod a+w ~/xray_log/*.log
Edit the configuration file
[summer@89 ~]$ sudo nano /usr/local/etc/xray/config.json
Add:
// REFERENCE:
// https://github.com/XTLS/Xray-examples
// https://xtls.github.io/config/
// A typical config file, server side or client side, has 5 sections. With a beginner-friendly explanation:
// ┌─ 1_log       Log settings      - what to log and where (so there is a record when something goes wrong)
// ├─ 2_dns       DNS settings      - how DNS is resolved (against DNS poisoning and snooping, and so domestic sites do not resolve to overseas servers)
// ├─ 3_routing   Routing settings  - how traffic is classified and handled (ad filtering, domestic/overseas split)
// ├─ 4_inbounds  Inbound settings  - what traffic may enter Xray
// └─ 5_outbounds Outbound settings - where traffic leaving Xray goes
{
  // 1_Log settings
  "log": {
    "loglevel": "warning", // from least to most verbose: "none", "error", "warning", "info", "debug"
    "access": "/home/summer/xray_log/access.log", // access log
    "error": "/home/summer/xray_log/error.log" // error log
  },
  // 2_DNS settings
  "dns": {
    "servers": [
      "https+local://1.1.1.1/dns-query", // prefer DoH via 1.1.1.1: slower, but prevents ISP snooping
      "localhost"
    ]
  },
  // 3_Routing settings
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      // 3.1 Prevent traffic looping back into the server's own network, e.g. the internal network being attacked or abused, or bad loopback connections
      {
        "type": "field",
        "ip": [
          "geoip:private" // match condition: the rule named "private" in the geoip file (local addresses)
        ],
        "outboundTag": "block" // action: hand to the "block" outbound (blackhole)
      },
      {
        // 3.2 Prevent the server from connecting directly to mainland China
        "type": "field",
        "ip": ["geoip:cn"],
        "outboundTag": "block"
      },
      // 3.3 Block ads
      {
        "type": "field",
        "domain": [
          "geosite:category-ads-all" // match condition: the rule named "category-ads-all" in the geosite file (ad domains of all kinds)
        ],
        "outboundTag": "block" // action: hand to the "block" outbound (blackhole)
      }
    ]
  },
  // 4_Inbound settings
  // 4.1 Only the simplest vless+xtls inbound is written here, because it is Xray's most powerful mode. If you need others, add them from the templates.
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "", // fill in your UUID
            "flow": "xtls-rprx-vision",
            "level": 0,
            "email": "summer@yourdomain.com"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "alpn": "h2",
            "dest": 8080 // default fallback to the anti-probing web backend
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificateFile": "/home/summer/xray_cert/xray.crt",
              "keyFile": "/home/summer/xray_cert/xray.key"
            }
          ],
          "serverName": "proxy.halfstack.net",
          "alpn": [
            "h2",
            "http/1.1"
          ]
        }
      }
    }
  ],
  // 5_Outbound settings
  "outbounds": [
    // 5.1 The first outbound is the default rule; freedom means direct connection (the VPS is already on the outside, so connect directly)
    {
      "tag": "direct",
      "protocol": "freedom"
    },
    // 5.2 Block rule: the blackhole protocol sends traffic into a black hole (blocked)
    {
      "tag": "block",
      "protocol": "blackhole"
    }
  ]
}
Start Xray
[summer@89 ~]$ sudo systemctl start xray
[summer@89 ~]$ sudo systemctl status xray
● xray.service - Xray Service
Loaded: loaded (/etc/systemd/system/xray.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/xray.service.d
└─10-donot_touch_single_conf.conf
Active: active (running) since Wed 2023-01-11 14:53:20 UTC; 31min ago
Docs: https://github.com/xtls
Main PID: 21082 (xray)
CGroup: /system.slice/xray.service
└─21082 /usr/local/bin/xray run -config /usr/local/etc/xray/config.json
Jan 11 14:53:20 89.202.178.68.host.secureserver.net systemd[1]: Started Xray Service.
Jan 11 14:53:20 89.202.178.68.host.secureserver.net xray[21082]: Xray 1.7.2 (Xray, Penetrates Everything.) Custom (go1.19.4 linux/amd64)
Jan 11 14:53:20 89.202.178.68.host.secureserver.net xray[21082]: A unified platform for anti-censorship.
Jan 11 14:53:20 89.202.178.68.host.secureserver.net xray[21082]: 2023/01/11 14:53:20 [Info] infra/conf/serial: Reading config: /usr/local/etc/xray/config.json
Jan 11 14:53:20 89.202.178.68.host.secureserver.net xray[21082]: 2023/01/11 14:53:20 [Warning] core: Xray 1.7.2 started
HTTPS redirect
Edit the nginx configuration
[summer@89 ~]$ sudo nano /etc/nginx/nginx.conf
Change it to this:
server {
    listen 80;
    server_name proxy.halfstack.net;
    return 301 https://$http_host$request_uri;
}
server {
    listen 8080 http2;
    root /home/summer/www/webpage;
    index index.html;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
[summer@89 ~]$ sudo systemctl restart nginx
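Redirecting every request on port 80 to HTTPS is what broke the HTTP-01 renewal described in the 4/23/2023 update: Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP, the 301 sends it to port 443 where Xray terminates TLS and falls back to 8080, and the token never comes from the webroot acme.sh wrote it to. Rather than switching the redirect off entirely, the port-80 server block can exempt just the challenge path. The following is an added example, not configuration from the original post: a script that writes such a server block and a preflight check to run before each renewal. The domain, webroot and output file are arguments; the probe path is a constructed token name that is expected to return 404 rather than a redirect.

```shell
#!/bin/bash
# Added example (not part of the original post): an nginx port-80 block that keeps the
# ACME HTTP-01 challenge path on plain HTTP while redirecting everything else to HTTPS,
# plus a check that the challenge path really is answered without a redirect.

# Write the port-80 server block. Usage: write_http_server DOMAIN WEBROOT OUTFILE
# It replaces the port-80 block from the post; the 8080 block stays as it is.
write_http_server() {
    local domain="$1" webroot="$2" out="$3"
    cat > "$out" <<EOF
server {
    listen 80;
    server_name ${domain};

    # acme.sh -w ${webroot} writes the challenge token under this path; it must be
    # served over plain HTTP, and ^~ makes this location win over the redirect below.
    location ^~ /.well-known/acme-challenge/ {
        root ${webroot};
        default_type text/plain;
    }

    location / {
        return 301 https://\$http_host\$request_uri;
    }
}
EOF
}

# Return 0 when an HTTP status means the challenge path is served directly on port 80
# (200 for an existing token, 404 for a missing one), 1 for a redirect or anything else.
challenge_status_ok() {
    case "$1" in
        200|404) return 0 ;;
        *)       return 1 ;;
    esac
}

# Preflight before renewal: request a constructed, non-existent token name and make sure
# nginx answers it itself instead of bouncing the request to HTTPS.
# Usage: check_challenge_path DOMAIN
check_challenge_path() {
    local domain="$1" code
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        "http://${domain}/.well-known/acme-challenge/preflight-probe")
    if challenge_status_ok "$code"; then
        echo "challenge path on ${domain} served directly (HTTP ${code})"
    else
        echo "challenge path on ${domain} returned HTTP ${code}; HTTP-01 renewal would fail" >&2
        return 1
    fi
}

# Usage: bash acme-http.sh proxy.halfstack.net /home/summer/www/webpage /etc/nginx/conf.d/acme-redirect.conf
# (only acts when all three arguments are given)
if [ "$#" -eq 3 ]; then
    write_http_server "$1" "$2" "$3" \
        && sudo nginx -t && sudo systemctl reload nginx \
        && check_challenge_path "$1"
fi
```

If the generated file goes into /etc/nginx/conf.d, the original port-80 server block in nginx.conf has to be removed, otherwise nginx keeps the first block it sees for that name and the exemption never applies; `nginx -t` in the script catches syntax errors but not that duplication, which is what the curl preflight is for.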
Change the xray fallback
[summer@89 ~]$ sudo nano /usr/local/etc/xray/config.json
[summer@89 ~]$ sudo systemctl restart xray