脚本与配置
目录
自动更新域名SSL证书脚本
#!/bin/bash
rm -rf ~/.acme.sh
echo "Clear acme"
wget -O - https://get.acme.sh | sh
cd ~/.acme.sh/
echo "Download acme"
sh acme.sh --upgrade --auto-upgrade
echo "Set acme auto upgrade"
sh acme.sh --issue --server letsencrypt --test -d halfstack.net -w /home/summer/www/webpage --keylength ec-256
echo "Test Generate Cert"
sh acme.sh --set-default-ca --server letsencrypt
echo "Change Default CA"
sh acme.sh --issue -d halfstack.net -w /home/summer/www/webpage --keylength ec-256 --force
echo "Apply Cert"
sh acme.sh --installcert -d halfstack.net --cert-file ~/keys/cert.crt --key-file ~/keys/cert.key --fullchain-file ~/keys/fullchain.crt --ecc
echo "Install Cert"
chmod +r /home/summer/keys/cert.key
echo "Read Permission Granted for Private Key"
sudo systemctl restart xray
echo "Xray Restarted"
Nginx配置
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user summer;
worker_processes auto;
error_log /var/log/nginx/error.log debug;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
server {
listen 8080 http2;
#root /home/summer/www/webpage;
root /home/summer/www/Oasis7311.github.io;
index index.html;
add_header Strict-Transport-Security "max-age=63072000" always;
location / {
# 重定向末尾没有斜杠的请求,指定端口号443
if ($request_uri ~ "^([^.\?]*[^/])$") {
return 301 https://$host:443$request_uri/;
}
}
}
# server {
# listen 80;
# server_name proxy.halfstack.net;
# return 301 https://$http_host$request_uri;
# }
server {
listen 80;
server_name halfstack.net;
root /home/summer/www/webpage;
index index.html;
}
server {
listen 7890;
server_name vps.halfstack.net;
root /usr/share/nginx/html;
index index.php;
location / {
index index.php index.html index.htm;
}
#添加下列信息,配置Nginx通过fastcgi方式处理您的PHP请求。
location ~ .php$ {
root /usr/share/nginx/html; #将/usr/share/nginx/html替换为您的网站根目录,本文使用/usr/share/nginx/html作为网站根目录。
fastcgi_pass 127.0.0.1:9000; #Nginx通过本机的9000端口将PHP请求转发给PHP-FPM进行处理。
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params; #Nginx调用fastcgi接口处理PHP请求。
}
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
X-Ray配置
// REFERENCE:
// https://github.com/XTLS/Xray-examples
// https://xtls.github.io/config/
// 常用的 config 文件,不论服务器端还是客户端,都有 5 个部分。外加小小白解读:
// ┌─ 1*log 日志设置 - 日志写什么,写哪里(出错时有据可查)
// ├─ 2_dns DNS-设置 - DNS 怎么查(防 DNS 污染、防偷窥、避免国内外站匹配到国外服务器等)
// ├─ 3_routing 分流设置 - 流量怎么分类处理(是否过滤广告、是否国内外分流)
// ├─ 4_inbounds 入站设置 - 什么流量可以流入 Xray
// └─ 5_outbounds 出站设置 - 流出 Xray 的流量往哪里去
{
// 1\_日志设置
"log": {
"loglevel": "warning", // 内容从少到多: "none", "error", "warning", "info", "debug"
"access": "/home/summer/xray_log/access.log", // 访问记录
"error": "/home/summer/xray_log/error.log" // 错误记录
},
// 2_DNS 设置
"dns": {
"servers": [
"https+local://1.1.1.1/dns-query", // 首选 1.1.1.1 的 DoH 查询,牺牲速度但可防止 ISP 偷窥
"localhost"
]
},
// 3*分流设置
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
// 3.1 防止服务器本地流转问题:如内网被攻击或滥用、错误的本地回环等
{
"type": "field",
"ip": [
"geoip:private" // 分流条件:geoip 文件内,名为"private"的规则(本地)
],
"outboundTag": "block" // 分流策略:交给出站"block"处理(黑洞屏蔽)
},
{
// 3.2 防止服务器直连国内
"type": "field",
"ip": ["geoip:cn"],
"outboundTag": "block"
},
// 3.3 屏蔽广告
{
"type": "field",
"domain": [
"geosite:category-ads-all" // 分流条件:geosite 文件内,名为"category-ads-all"的规则(各种广告域名)
],
"outboundTag": "block" // 分流策略:交给出站"block"处理(黑洞屏蔽)
}
]
},
// 4*入站设置
// 4.1 这里只写了一个最简单的 vless+xtls 的入站,因为这是 Xray 最强大的模式。如有其他需要,请根据模版自行添加。
"inbounds": [
{
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "xxxxxxxxxxxxxxxxxx", // 填写你的 UUID
"flow": "xtls-rprx-vision",
"level": 0,
"email": "summer@yourdomain.com"
}
],
"decryption": "none",
"fallbacks": [
{
"alpn": "h2",
"dest": 8080 // 默认回落到防探测的代理
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"certificates": [
{
"certificateFile": "/home/summer/keys/cert.crt",
"keyFile": "/home/summer/keys/cert.key"
}
],
"serverName":"halfstack.net",
"alpn" : [
"h2",
"http/1.1"
]
}
}
}
],
// 5*出站设置
"outbounds": [
// 5.1 第一个出站是默认规则,freedom 就是对外直连(vps 已经是外网,所以直连)
{
"tag": "direct",
"protocol": "freedom"
},
// 5.2 屏蔽规则,blackhole 协议就是把流量导入到黑洞里(屏蔽)
{
"tag": "block",
"protocol": "blackhole"
}
]
}