Saturday, September 22, 2018

HTTPS/SSL/NGINX/V2RAY

1. Generating a Private Key:
`openssl genrsa -out domainname.com.key 2048`

2. Generating a Certificate Signing Request:
`openssl req -new -key domainname.com.key -out domainname.com.csr`

3. Create a Self-signed certificate (you can share this certificate):
`openssl x509 -req -days 365 -in domainname.com.csr -signkey domainname.com.key -out domainname.com.crt`

@reference_1_tutorials.jenkov.com
OpenSSL for Web Servers

@reference_2_stackexchange.com
How do I produce a CA signed public key?

4. Nginx Configuration:

    server {
        listen 443 ssl;   # the "ssl" parameter enables TLS; the obsolete "ssl on;" directive is not needed
        server_name _;

        root /var/www/domainname.com;

        ssl_certificate     /root/certs/domainname.com.crt;
        ssl_certificate_key /root/certs/domainname.com.key;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if old clients need them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        location / {
            index Login.html index.html index.htm;
        }

        location /dir1/dir2 {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:12345;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
            # $proxy_protocol_addr is empty unless "listen" has the proxy_protocol parameter
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

@reference_3_nginx.org
Configuring HTTPS servers
@reference_4_theviper24.today
v2ray tips
@reference_5_chrad.ml
Using V2Ray for "Scientific Patriotism"
-----------------------------
V2Ray server:

    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/dir1/dir2"   // this path is arbitrary, but it must be identical in Nginx and the client
      }
    }

Nginx server:

    location /dir1/dir2 {   # must match the path above
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12345;   # port must match the one above
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }

V2Ray client:

    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {
        "serverName": "domainname.com",  // your site's domain name
        "allowInsecure": true
      },
      "wsSettings": {
        "connectionReuse": true,
        "path": "/dir1/dir2",   // must match the path above
        "headers": {
          "Host": "domainname.com",
          "User-Agent": "Mozilla/5.0 **********************************",
          "Accept-Language": "en-US,en;q=0.8",
          "Accept": "image/webp,image/apng,image/*,*/*;q=0.8"
        }
      }
    }

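Note that:
If the certificate is self-signed or a free certificate (such as Let's Encrypt), the following error appears:
x509: certificate signed by unknown authority
In that case, add this to the client's streamSettings:
"tlsSettings":{
"allowInsecure": true
}
With "allowInsecure" set to true the client no longer verifies the server certificate, so it accepts any certificate presented on the connection.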

-------------------------------------------------
V2Ray shadowsocks server:

{
  "method": "aes-256-cfb",
  "password": "***************",
  "network": "tcp"
}


V2Ray shadowsocks client:

{
        "servers": [{
              "address": "domainname.com",
              "port": 443,
              "method": "aes-256-cfb",
              "password": "***************"
        }]
 }

@reference_6_v2ray.com
Shadowsocks

VMESS Client:

  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "domainname.com",
          "port": 443,
          "users": [
            {
              "id": "23********************************",
              "alterId": 10,
              "security": "auto",
              "level": 0
            }
          ]
        }
      ]
    },
    // the "streamSettings" block shown under "V2Ray client" above goes here
  }

VMESS Server:

{
  "log" : {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "port": 8080,   // Nginx's proxy_pass must point at this port
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "23***********************************",
          "level": 1,
          "alterId": 64
        }
      ]
    },
   
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/dir1/dir2"
       }
    }

  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  },
  "outboundDetour": [
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "ip": ["geoip:private"],
          "outboundTag": "blocked"
        }
      ]
    }
  }
}
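
The WebSocket setup above only works when the path and port agree across the V2Ray inbound, the Nginx location and the client. The following check is an added example, not part of the original post: the function names are this example's own, and the sample configs are constructed from the values shown on this page.

```python
import json
import re

def load_v2ray(text):
    """Parse V2Ray JSON that carries // comments (a comment must follow whitespace)."""
    return json.loads(re.sub(r"\s//[^\n]*", "", text))

def nginx_proxy_ports(conf):
    """Map each prefix `location` path to the port of its proxy_pass upstream."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop nginx comments
    ports = {}
    for path, body in re.findall(r"location\s+(\S+)\s*\{([^{}]*)\}", conf):
        m = re.search(r"proxy_pass\s+http://[^:;\s]+:(\d+)", body)
        if m:
            ports[path] = int(m.group(1))
    return ports

def check(inbound, nginx_conf, client_stream):
    """Return a list of mismatches between the three pieces of the WS setup."""
    problems = []
    path = inbound["streamSettings"]["wsSettings"]["path"]
    ports = nginx_proxy_ports(nginx_conf)
    if path not in ports:
        problems.append(f"nginx: no proxied location for {path}")
    elif ports[path] != inbound["port"]:
        problems.append(f"nginx proxies to {ports[path]}, V2Ray listens on {inbound['port']}")
    if client_stream["wsSettings"]["path"] != path:
        problems.append(f"client path differs from server path {path}")
    if client_stream.get("tlsSettings", {}).get("allowInsecure"):
        problems.append("client: allowInsecure is true, certificate is not verified")
    return problems

# Constructed samples that mirror the values shown on this page.
INBOUND = load_v2ray("""{
  "port": 8080, "protocol": "vmess",
  "streamSettings": {"network": "ws", "wsSettings": {"path": "/dir1/dir2"}}  // same path everywhere
}""")
NGINX = """
location /dir1/dir2 {   # same path as the V2Ray inbound
    proxy_pass http://127.0.0.1:12345;
}"""
CLIENT = load_v2ray("""{
  "network": "ws", "security": "tls",
  "tlsSettings": {"serverName": "domainname.com", "allowInsecure": true},
  "wsSettings": {"path": "/dir1/dir2"}
}""")

if __name__ == "__main__":
    print("\n".join(check(INBOUND, NGINX, CLIENT)))
```

On the sample values it reports two findings: Nginx forwards to port 12345 while the inbound listens on 8080, and the client skips certificate verification.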
