v2ray + CloudFlare configuration

Posted by API Caller on March 1, 2019

v2ray behind a CDN seems quite stable: the CDN hides the real IP, so even if the VPS itself gets blocked the setup can live on. Here is a quick note of the steps.

Environment used in this post

  • Windows 10 x64
  • Ubuntu 18.04 (VPS, root user by default)

Step by step

First set the time zone to UTC+8 (Asia/Shanghai)

apt install tzdata -y
dpkg-reconfigure tzdata

# centos
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

Check the security policy and make sure port 443 is open.

Open 443 in iptables

/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -L -n

# persist the rules
# ubuntu
# iptables-save > /etc/iptables-rules
# ip6tables-save > /etc/ip6tables-rules
# iptables-restore < /etc/iptables-rules
# ip6tables-restore < /etc/ip6tables-rules
apt install iptables-persistent
dpkg-reconfigure iptables-persistent
# centos
service iptables save

Upgrade the system first

apt update
apt upgrade -y

Remove Apache

# quote the glob so the shell does not expand it against files in the current directory
apt-get --purge remove 'apache*' -y
apt-get autoremove

Dealing with Aliyun Shield (阿里云盾)

# uninstall the Aliyun Shield agent
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
chmod +x quartz_uninstall.sh
./quartz_uninstall.sh

# remove leftovers
pkill aliyun-service
rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*

# block the Shield IP ranges
iptables -I INPUT -s 140.205.201.0/28 -j DROP
iptables -I INPUT -s 140.205.201.16/29 -j DROP
iptables -I INPUT -s 140.205.201.32/28 -j DROP
iptables -I INPUT -s 140.205.225.192/29 -j DROP
iptables -I INPUT -s 140.205.225.200/30 -j DROP
iptables -I INPUT -s 140.205.225.184/29 -j DROP
iptables -I INPUT -s 140.205.225.183/32 -j DROP
iptables -I INPUT -s 140.205.225.206/32 -j DROP
iptables -I INPUT -s 140.205.225.205/32 -j DROP
iptables -I INPUT -s 140.205.225.195/32 -j DROP
iptables -I INPUT -s 140.205.225.204/32 -j DROP

Enable BBR

The steps differ between KVM and OpenVZ

  • OpenVZ

    # check the glibc version, 2.14+ is required
    ldd --version

    wget --no-check-certificate https://raw.githubusercontent.com/kuoruan/shell-scripts/master/ovz-bbr/ovz-bbr-installer.sh
    chmod +x ovz-bbr-installer.sh
    ./ovz-bbr-installer.sh

  • KVM

    Note that Aliyun Hong Kong ECS instances are KVM. Pick Ubuntu 16+ and run apt upgrade; the kernel (uname -r) was originally 4.4.0-143-generic. For BBR you cannot pick the latest 4.20.* offered by this script, but in my testing 4.20 without a minor version number works. On an Aliyun Hong Kong lightweight application server, on the other hand, the latest 5.0 installs fine, so take a snapshot before installing and bisect…

    wget --no-check-certificate https://github.com/teddysun/across/raw/master/bbr.sh
    chmod +x bbr.sh
    ./bbr.sh

  • Ubuntu 18.04

    echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf

    # apply the settings
    sysctl -p

    # check that the kernel offers BBR
    sysctl net.ipv4.tcp_available_congestion_control
    # net.ipv4.tcp_available_congestion_control = bbr cubic reno

    # check that the BBR module is loaded
    lsmod | grep bbr
    # tcp_bbr                20480  14

  • CentOS 6 (newer kernel from ELRepo)

    # update and reboot
    yum update -y
    reboot

    # check the kernel version
    uname -r

    # import the ELRepo GPG key
    wget https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
    rpm --import RPM-GPG-KEY-elrepo.org
    # install the ELRepo repository
    rpm -Uvh http://www.elrepo.org/elrepo-release-6-8.el6.elrepo.noarch.rpm
    # install the latest long-term kernel
    yum --enablerepo=elrepo-kernel install kernel-lt -y


Disable IPv6

# centos 6
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Install v2ray

# dependencies
apt-get install jq socat netcat -y

# install (-f so a missing old copy of go.sh is not an error)
rm -f go.sh
wget https://install.direct/go.sh
bash go.sh

# start
systemctl start v2ray
# stop
systemctl stop v2ray
# restart
systemctl restart v2ray

Creating /etc/init.d/v2ray on CentOS 6

CentOS 6 is not supported by the installer, so this has to be handled by hand

#!/bin/sh
#
# v2ray        Startup script for v2ray
#
# chkconfig: - 24 76
# processname: v2ray
# pidfile: /var/run/v2ray.pid
# description: V2Ray proxy services
#

### BEGIN INIT INFO
# Provides:          v2ray
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: V2Ray proxy services
# Description:       V2Ray proxy services
### END INIT INFO

DESC=v2ray
NAME=v2ray
DAEMON=/usr/bin/v2ray/v2ray
PIDFILE=/var/run/$NAME.pid
LOCKFILE=/var/lock/subsys/$NAME
SCRIPTNAME=/etc/init.d/$NAME
RETVAL=0

DAEMON_OPTS="-config /etc/v2ray/config.json"

# Exit if the package is not installed
[ -x $DAEMON ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Source function library.
. /etc/rc.d/init.d/functions

start() {
  local pids=$(pgrep -f $DAEMON)
  if [ -n "$pids" ]; then
    echo "$NAME (pid $pids) is already running"
    RETVAL=0
    return 0
  fi

  echo -n $"Starting $NAME: "

  mkdir -p /var/log/v2ray
  $DAEMON $DAEMON_OPTS 1>/dev/null 2>&1 &
  echo $! > $PIDFILE

  sleep 2
  pgrep -f $DAEMON >/dev/null 2>&1
  RETVAL=$?
  if [ $RETVAL -eq 0 ]; then
    success; echo
    touch $LOCKFILE
  else
    failure; echo
  fi
  return $RETVAL
}

stop() {
  local pids=$(pgrep -f $DAEMON)
  if [ -z "$pids" ]; then
    echo "$NAME is not running"
    RETVAL=0
    return 0
  fi

  echo -n $"Stopping $NAME: "
  killproc -p ${PIDFILE} ${NAME}
  RETVAL=$?
  echo
  [ $RETVAL = 0 ] && rm -f ${LOCKFILE} ${PIDFILE}
}

reload() {
  echo -n $"Reloading $NAME: "
  killproc -p ${PIDFILE} ${NAME} -HUP
  RETVAL=$?
  echo
}

rh_status() {
  status -p ${PIDFILE} ${DAEMON}
}

# See how we were called.
case "$1" in
  start)
    rh_status >/dev/null 2>&1 && exit 0
    start
    ;;
  stop)
    stop
    ;;
  status)
    rh_status
    RETVAL=$?
    ;;
  restart)
    stop
    start
    ;;
  reload)
    reload
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|reload|restart}" >&2
    RETVAL=2
    ;;
esac
exit $RETVAL

After saving the file, start the service

chmod a+x /etc/init.d/v2ray
chkconfig v2ray on
service v2ray start

# start
service v2ray start
# stop
service v2ray stop
# restart
service v2ray restart

Configure v2ray

The config file is /etc/v2ray/config.json; look up how to edit and save a file if you need to, and restart v2ray after changing it.

The config first, then a short explanation

{
    "log": {
        "access": "",
        "error": "",
        "loglevel": "warning"
    },
    "inbound": {
        "port": 17639,
        "protocol": "vmess",
        "settings": {
            "udp": true,
            "clients": [
                {
                    "id": "00000000-0000-4000-0000-de80df2f4dde",
                    "level": 1,
                    "alterId": 64,
                    "security": "aes-128-gcm"
                }
            ]
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": {
                "path": "/baidu/xxx"
            }
        }
    },
    "outbound": {
        "protocol": "freedom",
        "settings": {}
    },
    "outboundDetour": [
        {
            "protocol": "blackhole",
            "settings": {},
            "tag": "blocked"
        }
    ],
    "routing": {
        "strategy": "rules",
        "settings": {
            "rules": [
                {
                    "type": "field",
                    "ip": [
                        "0.0.0.0/8",
                        "10.0.0.0/8",
                        "100.64.0.0/10",
                        "127.0.0.0/8",
                        "169.254.0.0/16",
                        "172.16.0.0/12",
                        "192.0.0.0/24",
                        "192.0.2.0/24",
                        "192.168.0.0/16",
                        "198.18.0.0/15",
                        "198.51.100.0/24",
                        "203.0.113.0/24",
                        "::1/128",
                        "fc00::/7",
                        "fe80::/10"
                    ],
                    "outboundTag": "blocked"
                }
            ]
        }
    }
}

  • "port": 17639 : the port; pick anything other than common ports such as 22, 80 or 443.
  • "id": "00000000-0000-4000-0000-de80df2f4dde" : a UUID; generate one yourself at https://1024tools.com/uuid and paste it in.
  • "path": "/baidu/xxx" : the URL path; make one up, it is needed in the nginx config below.

Everything else can be left alone.
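As an added example (not part of the original post) here is a small Python checker for the config above. It embeds the post's config.json as its sample input, verifies the three values the post says to change, and answers which outbound a given destination address is routed to, which is how the routing rule sends the private and reserved ranges listed above into the blackhole outbound instead of out through freedom. One defender's caveat it also flags: the post's inbound has no "listen" address, so v2ray binds to every interface and port 17639 can be reached without passing through nginx; "listen" is a standard v2ray inbound field, the value "127.0.0.1" the check looks for is this example's recommendation, not something the post sets.

```python
import ipaddress
import json
import re

# The server config from the post, embedded so the checks run offline.
V2RAY_CONFIG = json.loads('''
{
  "log": {"access": "", "error": "", "loglevel": "warning"},
  "inbound": {
    "port": 17639,
    "protocol": "vmess",
    "settings": {
      "udp": true,
      "clients": [{"id": "00000000-0000-4000-0000-de80df2f4dde", "level": 1,
                   "alterId": 64, "security": "aes-128-gcm"}]
    },
    "streamSettings": {"network": "ws", "wsSettings": {"path": "/baidu/xxx"}}
  },
  "outbound": {"protocol": "freedom", "settings": {}},
  "outboundDetour": [{"protocol": "blackhole", "settings": {}, "tag": "blocked"}],
  "routing": {
    "strategy": "rules",
    "settings": {"rules": [{
      "type": "field",
      "ip": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
             "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
             "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
             "::1/128", "fc00::/7", "fe80::/10"],
      "outboundTag": "blocked"}]}
  }
}
''')

# v2ray only requires the 8-4-4-4-12 hex shape of a UUID; it does not check version bits.
UUID_SHAPE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

COMMON_PORTS = {22, 80, 443}


def check_inbound(cfg):
    """Return a list of findings about the inbound; an empty list means every check passed."""
    findings = []
    inbound = cfg["inbound"]
    if inbound["port"] in COMMON_PORTS:
        findings.append("inbound port collides with a common service port")
    # nginx forwards to 127.0.0.1:<port>. Unless v2ray itself binds to loopback, the
    # VMess listener is reachable from anywhere and the Cloudflare-only allowlist that
    # nginx enforces is bypassed. "listen" is a standard inbound field the post omits.
    if inbound.get("listen") not in ("127.0.0.1", "::1"):
        findings.append('inbound has no loopback "listen"; add "listen": "127.0.0.1" so only nginx can reach it')
    for client in inbound["settings"]["clients"]:
        if not UUID_SHAPE.match(client["id"]):
            findings.append("client id %r is not a UUID" % client["id"])
    path = inbound["streamSettings"]["wsSettings"]["path"]
    if not path.startswith("/"):
        findings.append("ws path must start with /")
    return findings


def route_destination(cfg, dest_ip):
    """Return the outboundTag of the first matching 'field' rule for dest_ip,
    or None when no rule matches and the default outbound (freedom) is used."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in cfg["routing"]["settings"]["rules"]:
        if rule.get("type") != "field" or "ip" not in rule:
            continue
        for cidr in rule["ip"]:
            net = ipaddress.ip_network(cidr)
            # compare only within the same address family
            if net.version == addr.version and addr in net:
                return rule["outboundTag"]
    return None


if __name__ == "__main__":
    for finding in check_inbound(V2RAY_CONFIG):
        print("finding:", finding)
    for dest in ("10.1.2.3", "127.0.0.1", "fe80::1", "1.1.1.1"):
        print(dest, "->", route_destination(V2RAY_CONFIG, dest) or "default outbound")
```

Run against the post's config, the checker reports only the missing loopback bind; a client asking the proxy for 10.1.2.3 or 127.0.0.1 is routed to "blocked" and never reaches the VPS's own network, while a public address goes out through freedom.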

Generate a certificate

Note: example.com stands for your own domain.

For example, for test.example.com, first point the A record of test.example.com at the VPS.

# install
curl https://get.acme.sh | sh

# auto-update
~/.acme.sh/acme.sh --upgrade --auto-upgrade


# ~/.acme.sh/acme.sh --issue --debug 2 -d example.com -d *.example.com --standalone -k ec-256
# request a wildcard certificate via DNS validation; on Aliyun, for example, first create a sub-user with DNS permissions, then set the environment variables
export Ali_Key="XXXX"
export Ali_Secret="XXXX"
~/.acme.sh/acme.sh --issue --debug 2 -d test.example.com -d *.test.example.com --dns dns_ali

Install nginx

apt-get install nginx -y

# centos

# disable SELinux temporarily (reverts on reboot)
setenforce 0

# disable SELinux permanently (takes effect after reboot)
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

yum install epel-release
yum install nginx
chkconfig nginx on

# stop
service nginx stop
# start
service nginx start
# restart
service nginx restart

Configure nginx

# generate dhparam.pem; this takes quite a while
mkdir -p /etc/nginx/conf/ssl/
openssl dhparam -out /etc/nginx/conf/ssl/dhparam.pem 2048

Edit /etc/nginx/nginx.conf and restart the nginx service after saving.

This step only allows requests from CloudFlare IPs, so v2ray can no longer connect to the VPS directly and must go through the CDN.

Fill in the port, domain and URL path according to the v2ray config above, and the certificate paths according to the certificate step.

worker_processes auto;
worker_rlimit_nofile 51200;
events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    sendfile   on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied   expired no-cache no-store private auth;
    gzip_disable   "MSIE [1-6]\.";
    server_tokens off;
    access_log off;

    server {
#        listen 80 default_server;
        listen 443 ssl http2;
        server_name v.test.example.com;
        index index.html index.htm index.php;
        root  /baidu/xxx;

        ssl on;
        ssl_certificate /root/.acme.sh/test.example.com/fullchain.cer;
        ssl_certificate_key /root/.acme.sh/test.example.com/test.example.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /etc/nginx/conf/ssl/dhparam.pem;

        #------------ v2ray------------
        location /baidu/xxx {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:17639;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
        }
        #------------ v2ray ------------

        #------------ cf ip ------------
        allow 103.21.244.0/22;
        allow 103.22.200.0/22;
        allow 103.31.4.0/22;
        allow 104.16.0.0/12;
        allow 108.162.192.0/18;
        allow 131.0.72.0/22;
        allow 141.101.64.0/18;
        allow 162.158.0.0/15;
        allow 172.64.0.0/13;
        allow 173.245.48.0/20;
        allow 188.114.96.0/20;
        allow 190.93.240.0/20;
        allow 197.234.240.0/22;
        allow 198.41.128.0/17;
        deny all;
        #------------ cf ip ------------


        location /nginx_status {
            stub_status on;
            access_log   off;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires      30d;
        }
        location ~ .*\.(js|css)?$ {
            expires      12h;
        }
        location ~ /.well-known {
            allow all;
        }  
        location ~ /\. {
            deny all;
        }
    }


    server {
#        listen 80 default_server;
        listen 443 ssl http2;
        server_name d.test.example.com;
        index index.html index.htm index.php;
        root  /baidu/xxx;

        ssl on;
        ssl_certificate /root/.acme.sh/test.example.com/fullchain.cer;
        ssl_certificate_key /root/.acme.sh/test.example.com/test.example.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /etc/nginx/conf/ssl/dhparam.pem;

        #------------ v2ray------------
        location /baidu/xxx {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:17639;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
        }
        #------------ v2ray ------------

        #------------ cf ip ------------
        # allow 103.21.244.0/22;
        # allow 103.22.200.0/22;
        # allow 103.31.4.0/22;
        # allow 104.16.0.0/12;
        # allow 108.162.192.0/18;
        # allow 131.0.72.0/22;
        # allow 141.101.64.0/18;
        # allow 162.158.0.0/15;
        # allow 172.64.0.0/13;
        # allow 173.245.48.0/20;
        # allow 188.114.96.0/20;
        # allow 190.93.240.0/20;
        # allow 197.234.240.0/22;
        # allow 198.41.128.0/17;
        # deny all;
        #------------ cf ip ------------


        location /nginx_status {
            stub_status on;
            access_log   off;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires      30d;
        }
        location ~ .*\.(js|css)?$ {
            expires      12h;
        }
        location ~ /.well-known {
            allow all;
        }  
        location ~ /\. {
            deny all;
        }
    }
}
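Added example, not from the post: a Python re-implementation of how ngx_http_access_module evaluates the allow/deny block above, so you can test which client addresses the first server block lets through before relying on it. It embeds the post's Cloudflare ranges as sample input. Two things it makes visible: the rules are evaluated in order and the first match wins (with no matching rule at all nginx allows), and a location with its own allow/deny, such as the post's /.well-known block, replaces the server-level rules rather than adding to them.

```python
import ipaddress
import re

# The server-level access block from the nginx config in the post (Cloudflare IPv4
# ranges as listed there, then "deny all"), used here as sample input.
SERVER_ACCESS_BLOCK = """
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 104.16.0.0/12;
allow 108.162.192.0/18;
allow 131.0.72.0/22;
allow 141.101.64.0/18;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 173.245.48.0/20;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
deny all;
"""

# The post's "location ~ /.well-known" block carries a single rule of its own.
WELL_KNOWN_BLOCK = "allow all;"

# One allow/deny directive; commented-out lines ("# allow ...") do not match.
DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+(\S+)\s*;\s*(#.*)?$")


def parse_access_rules(conf_text):
    """Extract allow/deny directives, in order, as (action, network-or-None) pairs.
    None stands for the keyword "all". Other directives and comments are skipped."""
    rules = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        action, target = m.group(1), m.group(2)
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def effective_rules(server_rules, location_rules):
    """nginx does not merge access lists: if a location defines any allow/deny of its
    own, that list replaces the server-level list entirely."""
    return location_rules if location_rules else server_rules


def access_decision(rules, client_ip):
    """First matching rule decides; "all" matches every address. When nothing
    matches, nginx permits the request."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (net.version == addr.version and addr in net):
            return action
    return "allow"


if __name__ == "__main__":
    server_rules = parse_access_rules(SERVER_ACCESS_BLOCK)
    for ip in ("104.16.1.1", "8.8.8.8", "2606:4700::1"):
        print(ip, "->", access_decision(server_rules, ip))
    rules = effective_rules(server_rules, parse_access_rules(WELL_KNOWN_BLOCK))
    print("8.8.8.8 on /.well-known ->", access_decision(rules, "8.8.8.8"))
```

Three caveats for anyone relying on this block: $remote_addr here is the Cloudflare edge, not the visitor, so the allowlist only proves the request traversed Cloudflare; the list is IPv4-only, so Cloudflare edges connecting over IPv6 would hit "deny all" unless the v6 ranges are added (the post sidesteps this by disabling IPv6), and Cloudflare's published ranges change over time and need refreshing. With access_log off, denied requests appear only in the error_log as "access forbidden by rule".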

Configure the CDN

  • First change your domain's nameservers to

      bonnie.ns.cloudflare.com
      damon.ns.cloudflare.com

  • Sign up for CloudFlare
  • Add a Site, enter your domain, choose the Free plan
  • Once added, select Full on the Crypto tab and make sure Universal SSL Status shows Active Certificate
  • On the DNS tab, enter the hostname you want behind the CDN and its IP; the yellow cloud icon means traffic goes through the CDN.
  • It usually takes effect quickly; ping the configured hostname, and if it never changes, flush the local DNS cache

      ipconfig /flushdns


Upgrading CentOS 6 to CentOS 7

  • Update and reboot

    yum update -y
    reboot

  • Add the repository

    vim /etc/yum.repos.d/upgrade.repo

There is a pitfall here: the dev.centos.org URLs found all over the web are no longer reachable: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'dev.centos.org'"

[upgrade]
name=CentOS-$releasever - Upgrade Tool
baseurl=https://buildlogs.centos.org/centos/6/upg/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

yum clean all
yum makecache

# downgrade openscap
yum erase openscap -y
yum install https://buildlogs.centos.org/centos/6/upg/x86_64/Packages/openscap-1.0.8-1.0.1.el6.centos.x86_64.rpm -y

# install the upgrade tool and its pre-upgrade assistant with yum
yum install redhat-upgrade-tool preupgrade-assistant-contents -y

# list the content available to the pre-upgrade assistant
preupg -l

# run the pre-upgrade assistant's checks before upgrading
preupg -s CentOS6_7


centos-upgrade-tool-cli --network 7 --instrepo=http://vault.centos.org/7.2.1511/os/x86_64/
