VPS搭建-2-安装caddy+trojan+v2fly,使用ws+tls

By | 2020-11-08

Previous post: VPS setup 1: enable BBR + libsodium

1. Overview

  • For easier management, the caddy, trojan and v2fly executables are all installed in one directory:

/usr/local/bin/

  • The configuration files (caddy's Caddyfile, and the config.json of trojan and v2fly) go under:

/usr/local/etc/

2. Installing and configuring caddy:

1. Download and install caddy (this article uses caddy v1.0.4):

# cd /usr/local/bin
# wget https://github.com/caddyserver/caddy/releases/download/v1.0.4/caddy_v1.0.4_linux_amd64.tar.gz
# tar -xvf caddy_v1.0.4_linux_amd64.tar.gz

2. After installing, check the install location:

which caddy # check where the binary is
caddy version # check the version to confirm the install succeeded
ulimit -n 8192 # raise the open-file limit

3. Give the binary root ownership and permissions:

chown root:root /usr/local/bin/caddy
chmod 755 /usr/local/bin/caddy

4. Allow caddy to bind privileged ports:

setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

5. Create the Caddyfile and set permissions:

mkdir /usr/local/etc/caddy # create the directory
chmod +x /usr/local/etc/caddy # set permissions
touch /usr/local/etc/caddy/Caddyfile # create the Caddyfile
chown -R root:root /usr/local/etc/caddy # give ownership to root

6. Create the directory that holds the website:

mkdir /var/www # create the web root (if it does not exist yet)
mkdir -p /var/www/xxx.yyy.zzz # create a directory named after your site
chown root:root /var/www # give the web root to root

7. Create the SSL certificate directory:

mkdir /etc/ssl/caddy
chown -R root:root /etc/ssl/caddy
chmod 0770 /etc/ssl/caddy

Note: default certificate and key locations

  • /.caddy/acme/acme-v02.api.letsencrypt.org/sites/xxx.yyy.zzz/xxx.yyy.zzz.crt
  • /.caddy/acme/acme-v02.api.letsencrypt.org/sites/xxx.yyy.zzz/xxx.yyy.zzz.key

8. Set caddy to start at boot

# curl -s https://raw.githubusercontent.com/mholt/caddy/master/dist/init/linux-systemd/caddy.service -o /etc/systemd/system/caddy.service

9. Edit the Caddyfile (with nano or vi, or edit it locally and upload it with winscp etc.)

nano /usr/local/etc/caddy/Caddyfile

***Caddyfile*** configuration:

a. Caddyfile for website + trojan + v2fly: trojan takes port 443 and forwards everything else to caddy on port 80, which then splits the traffic between the website and the websocket path

:80 {
    root /var/www/xxx.yyy.zzz # change to your own site
    gzip
    browse
    tls aaa@bbb.com # change to your own email
    log /var/log/caddy.log
    proxy /ws777 localhost:19998 localhost:19999 { # websocket path and the upstream listening ports
        websocket
        header_upstream -Origin
    }
}

b. Caddyfile for website + v2fly only:

xxx.yyy.zzz
{
    root /var/www/xxx.yyy.zzz
    gzip
    tls aaa@bbb.com
    log /var/log/caddy.log
    proxy /ws localhost:19998 localhost:19999 { # /ws is the path (choose any); 19998 is the port the v2ray server listens on
        websocket
        header_upstream -Origin
    }
}

10. Edit the Caddy systemd unit file:

nano /etc/systemd/system/caddy.service

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=root
Group=root

## change User/Group to root (same as the owner of the caddy directories)

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/usr/local/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

## note: the paths above are the location of the caddy binary and of the Caddyfile

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see man systemd.exec for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Save and exit:

:wq

11. Restart the service so the changes take effect

chmod 644 /etc/systemd/system/caddy.service # set permissions
systemctl daemon-reload # reload unit files first, so the restart below uses the edited unit
systemctl restart caddy.service # restart the service to apply the changes
systemctl enable caddy.service # enable start at boot
systemctl status caddy.service # check caddy's status

12. Open the website and confirm it is reachable. caddy installation is complete!

3. Installing Trojan

1. Stop the caddy service

service caddy stop # stop the caddy service
service caddy start # start the caddy service

2. Download and install trojan with the official one-click script:

# bash -c "$(curl -fsSL https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"
###### or #####
# bash -c "$(wget -O- https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"

Notes:

  • config file: /usr/local/etc/trojan/config.json
  • systemd service: /etc/systemd/system/trojan.service

3. Edit the config file /usr/local/etc/trojan/config.json:

{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "ppppppp1",
        "ppppppp2"
    ],
    "log_level": 1,
    "ssl": {
        "cert": "/usr/local/etc/v2ray/v2ray.crt",
        "key": "/usr/local/etc/v2ray/v2ray.key"
    }
}

Notes (trojan's JSON parser accepts no comments, so keep annotations out of the file):
1. remote_port: change to 80 so that website and v2ray traffic is forwarded to caddy
2. password: replace with your own passwords
3. cert: location of the certificate obtained for caddy/tls
4. key: location of the matching private key
The remaining fields need no changes and are omitted here.

4. Start trojan (after the caddy service is running):

systemctl enable trojan # enable start at boot
systemctl start trojan # start it
systemctl status trojan # check status
journalctl -fu trojan # follow the log for errors

5. If the client is configured from a file, edit it as follows:

{
    "run_type": "client",
    "local_addr": "127.0.0.1",
    "local_port": 1070,
    "remote_addr": "xxx.yyy.zzz",
    "remote_port": 443,
    "password": [
        "ppppppp1"
    ],
    "tcp": {
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": true,
        "fast_open_qlen": 20
    }
}

Notes:
1. local_port: the local port the client listens on
2. remote_addr: your site's address
3. password: the same password as configured on the server
4. fast_open: set to true if you enable TCP fast open

4. Installing and configuring v2fly

1. Install the program with the official script:

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

2. Install the latest released geoip.dat and geosite.dat

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-dat-release.sh)

3. Remove v2fly

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh) --remove

4. Setup: because v2fly recently had a user/group permission problem, run it as root for now by editing:

/etc/systemd/system/v2ray.service
/etc/systemd/system/v2ray@.service
and setting User=root

5. Start the v2fly service:

systemctl enable v2ray # register the systemd unit for start at boot
systemctl start v2ray # start the v2ray service
service v2ray status # check the v2ray service status

6. Configure the server's config.json from the template:

https://github.com/v2fly/v2ray-examples/blob/master/VMess-Websocket-TLS/config_server.json

https://github.com/v2fly/v2ray-examples # other templates

Items to change:

"inbounds": [
    {
        "listen": "0.0.0.0",
        "port": 12345,
        "protocol": "vmess",
        "settings": {
            "clients": [
                {
                    "id": "xxx-xxx-xxx-xxx-xxx",
                    "alterId": 0
                }
            ],
            "disableInsecureEncryption": false
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": {
                "path": "/wsxxx",
                "headers": {
                    "Host": "example.domain"
                }
            },
            "security": "tls",
            "tlsSettings": {
                "certificates": [
                    {
                        "certificateFile": "/usr/local/etc/v2ray/v2ray.crt",
                        "keyFile": "/usr/local/etc/v2ray/v2ray.key"
                    }
                ]
            }
        }
    }
]

Notes:
1. port: must match the localhost port used in the Caddyfile
2. id: a UUID; generate one yourself or reuse an existing one
3. path: must match the proxy path in the Caddyfile
4. Host: your own site address, or leave it blank

After editing config.json (the JSON must be valid!!!), upload it to

/usr/local/etc/v2ray/config.json
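The chain this article builds (trojan on 443, forwarding to caddy on 80, which proxies the websocket path to v2ray) breaks silently when one hop disagrees with the next: trojan forwarding to a port caddy does not listen on, a websocket path or upstream port that differs between the Caddyfile and v2ray's inbound, or the two daemons pointing at different certificate files. The following consistency check is an added example written for this article, not code from the original post or from caddy, trojan or v2fly; the Caddyfile and the two JSON configs are constructed placeholders using the article's values, and parse_caddyfile only understands the minimal Caddy v1 syntax used here.

```python
import json
import re

# Constructed placeholder configs (not from a live host) mirroring this article's
# chain: trojan :443 -> caddy :80 -> proxy /ws777 -> v2ray websocket inbound.
CADDYFILE = """
:80 {
    proxy /ws777 localhost:19998 localhost:19999 {
        websocket
        header_upstream -Origin
    }
}
"""
TROJAN = json.loads("""{"run_type": "server", "local_port": 443,
    "remote_addr": "127.0.0.1", "remote_port": 80,
    "password": ["ppppppp1", "ppppppp2"],
    "ssl": {"cert": "/usr/local/etc/v2ray/v2ray.crt", "key": "/usr/local/etc/v2ray/v2ray.key"}}""")
V2RAY = json.loads("""{"inbounds": [{"listen": "0.0.0.0", "port": 19998, "protocol": "vmess",
    "streamSettings": {"network": "ws", "wsSettings": {"path": "/ws777"},
        "security": "tls", "tlsSettings": {"certificates": [
            {"certificateFile": "/usr/local/etc/v2ray/v2ray.crt",
             "keyFile": "/usr/local/etc/v2ray/v2ray.key"}]}}}]}""")

def parse_caddyfile(text):
    """Listen port plus proxy path/upstream ports from a Caddy v1 Caddyfile (minimal syntax only)."""
    port = re.search(r"^\s*:(\d+)\s*\{", text, re.M)
    proxy = re.search(r"^\s*proxy\s+(\S+)\s+([^{]+)\{", text, re.M)
    upstreams = [int(u.rsplit(":", 1)[1]) for u in proxy.group(2).split()]
    return {"port": int(port.group(1)), "path": proxy.group(1), "upstreams": upstreams}

def check_chain(caddyfile, trojan, v2ray):
    """Return mismatches across the trojan -> caddy -> v2ray chain; [] means consistent."""
    caddy = parse_caddyfile(caddyfile)
    problems = []
    if trojan["remote_port"] != caddy["port"]:
        problems.append("trojan remote_port %d != caddy port %d" % (trojan["remote_port"], caddy["port"]))
    if len(set(trojan["password"])) != len(trojan["password"]) or "" in trojan["password"]:
        problems.append("trojan passwords must be non-empty and unique")
    ws = [i for i in v2ray["inbounds"] if i.get("streamSettings", {}).get("network") == "ws"]
    if not ws:
        problems.append("v2ray has no websocket inbound for caddy to proxy to")
    for inbound in ws:
        stream = inbound["streamSettings"]
        if inbound["port"] not in caddy["upstreams"]:
            problems.append("v2ray port %d not in caddy upstreams %s" % (inbound["port"], caddy["upstreams"]))
        if stream["wsSettings"].get("path") != caddy["path"]:
            problems.append("ws path %s != caddy proxy path %s" % (stream["wsSettings"].get("path"), caddy["path"]))
        for cert in stream.get("tlsSettings", {}).get("certificates", []):
            if cert.get("certificateFile") != trojan["ssl"]["cert"]:
                problems.append("v2ray and trojan reference different certificate files")
    return problems
```

On a real host, replace the three literals with the contents of /usr/local/etc/caddy/Caddyfile and the two config.json files (json.load) and run check_chain before restarting the services.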

5. Requesting a TLS certificate

1. Install acme (acme.sh, used to issue free Let's Encrypt certificates; it installs to ~/.acme.sh/ by default)

apt-get install -y socat netcat # install dependencies
curl https://get.acme.sh | sh # install the acme.sh script

2. Request the certificate

a. If no website is configured yet, use:

~/.acme.sh/acme.sh --issue -d xxx.yyy.zzz --standalone -k ec-256

b. If you have a website, use:

~/.acme.sh/acme.sh --issue -d xxx.yyy.zzz --webroot /var/www/xxx.yyy.zzz

3. Once the certificate is issued, install it into /usr/local/etc/v2ray/; create that directory first if it does not exist, otherwise the copy fails:

~/.acme.sh/acme.sh --installcert -d xxx.yyy.zzz --fullchainpath /usr/local/etc/v2ray/v2ray.crt --keypath /usr/local/etc/v2ray/v2ray.key --ecc

4. Renewal: the issue command already adds a cron job for automatic renewal; to renew manually, run:

~/.acme.sh/acme.sh --renew -d xxx.yyy.zzz --force --ecc

6. Finish: start all services

systemctl daemon-reload # reload unit files
systemctl restart caddy.service # restart caddy
systemctl status caddy.service # check caddy's status
systemctl start trojan # start the trojan service
systemctl status trojan # check trojan's status
systemctl start v2ray # start the v2fly service
service v2ray status # check v2fly's status

reboot # reboot and check that every service comes up correctly
