nginx proxying Trojan alongside multiple HTTPS sites

2020-10-20 11:45:11   work backup

Because v2ray's encryption makes the proxy noticeably slow, I started thinking about Trojan. The catch is that Trojan wants port 443 to itself and cannot share it with nginx, so following approaches found online I set up nginx serving several sites on 443 alongside Trojan.

1. Install Trojan

  bash -c "$(curl -fsSL https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"
  # this fetches and runs a script as root, so read it before running it
  # the default config file is /usr/local/etc/trojan/config.json; I don't much like that location
  mkdir /etc/trojan
  cp /usr/local/etc/trojan/config.json /etc/trojan/
  vim /etc/systemd/system/trojan.service
  # change the config file path; the unit should read as follows
  ------
  [Unit]
  Description=trojan
  Documentation=https://trojan-gfw.github.io/trojan/config https://trojan-gfw.github.io/trojan/
  After=network.target network-online.target nss-lookup.target mysql.service mariadb.service mysqld.service

  [Service]
  Type=simple
  StandardError=journal
  ExecStart="/usr/local/bin/trojan" "/etc/trojan/config.json"
  ExecReload=/bin/kill -HUP $MAINPID
  LimitNOFILE=51200
  Restart=on-failure
  RestartSec=1s

  [Install]
  WantedBy=multi-user.target
  ------

Since you changed the unit file, systemd has to reload it:

  systemctl daemon-reload

2. nginx: I use the BT panel (宝塔) build, version 1.18. For any other build, run nginx -V and check that
--with-stream_ssl_preread_module appears in the configure arguments. If it does not, you will have to build nginx yourself; there are plenty of guides online, so I will not repeat that here.

3. Edit the BT panel's default nginx config and add the following between the events and http blocks:

  stream {
      map $ssl_preread_server_name $name {
          # one line per site you host
          www.xxx.top   blog;
          nginx.xxx.top trojan;
      }
      # remember these ports, they are needed below
      upstream blog {
          server 127.0.0.1:3000;   # the blog site
      }
      upstream trojan {
          server 127.0.0.1:3001;   # Trojan's port
      }
      server {
          listen 443 reuseport;
          listen [::]:443 reuseport;
          proxy_pass $name;
          ssl_preread on;   # enable ssl_preread
      }
  }
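What ssl_preread does is read the client's TLS ClientHello just far enough to pull out the server_name (SNI) extension, then pick an upstream from the map, without terminating TLS. The script below is an added example, not part of this post or of nginx or Trojan; it mirrors that decision in Python against the same map, with the ClientHello bytes and the SNI_MAP table constructed for the demonstration. It also shows the failure mode: bytes that are not a TLS handshake carry no SNI, so $name stays empty and nginx drops the connection, which is exactly what happens if plaintext HTTP is sent to the stream listener.

```python
"""Mirror of the routing decision nginx makes with ssl_preread: look at the
first bytes of a connection, pull server_name (SNI) out of the ClientHello,
and pick an upstream from the map, all without terminating TLS.
Added example; not nginx's or Trojan's code."""
import struct

# Constructed routing table matching the map/upstream blocks in the post.
SNI_MAP = {
    "www.xxx.top": "127.0.0.1:3000",    # blog
    "nginx.xxx.top": "127.0.0.1:3001",  # trojan
}


def extract_sni(data: bytes):
    """Return the SNI host name from a TLS record carrying a ClientHello, else None."""
    # TLS record header: content type (0x16 = handshake), version, length
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        return None  # truncated record; nginx keeps reading until preread_timeout
    # Handshake header: msg type (0x01 = ClientHello), 3-byte length
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                      # legacy_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]             # session id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]             # compression methods
    if len(hello) < pos + 2:
        return None                   # no extensions at all, so no SNI
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x0000:        # server_name extension
            lpos = 2                  # skip the ServerNameList length
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                if name_type == 0:    # host_name
                    return name.decode("ascii", "replace")
                lpos += 3 + name_len
    return None


def route(data: bytes):
    """Upstream the stream block would proxy_pass to, or None when $name is empty
    (nginx then logs an error and closes the connection)."""
    return SNI_MAP.get(extract_sni(data))


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello carrying only an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
    sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32)          # version + random (zeros here)
             + b"\x00"                        # empty session id
             + b"\x00\x02\x13\x01"            # one cipher suite
             + b"\x01\x00"                    # compression: null only
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for sample in (build_client_hello("www.xxx.top"),
                   build_client_hello("nginx.xxx.top"),
                   b"GET / HTTP/1.1\r\nHost: nginx.xxx.top\r\n\r\n"):
        print(repr(sample[:16]), "->", extract_sni(sample), "->", route(sample))
```

The SNI is sent in the clear and is entirely client-supplied, so the stream block is routing on an unauthenticated hint: a name that is not in the map yields an empty $name and a dropped connection, and only the upstream that finally terminates TLS verifies anything.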

4. Edit the site config in the BT panel; the blog port from the stream block is needed now. (The site itself is set up the usual BT way: add the site, enter the domain, request an SSL certificate, force HTTPS and so on. I am not going to walk through that, it would take far too long; I assume you already have it configured.) This is the site you actually want to browse normally. Restart nginx and check that it is reachable.

  listen 80;
  # TLS is terminated here on the blog upstream port; 443 itself now belongs to the stream listener.
  # Connections arrive from the stream proxy, so access logs show 127.0.0.1 as the client
  # unless proxy_protocol is configured on both sides.
  listen 127.0.0.1:3000 ssl http2;
  server_name www.xxx.top;
  index index.php index.html index.htm default.php default.htm default.html;
  root /www/wwwroot/xxx.top/public;
  #SSL-START SSL settings; do not delete or modify the commented 404 rule on the next line
  #error_page 404/404.html;
  #HTTP_TO_HTTPS_START
  # BT's default test is "$server_port !~ 443"; with TLS now on port 3000 that would
  # redirect every request forever, so test the scheme instead
  if ($scheme != "https"){
      rewrite ^(/.*)$ https://$host$1 permanent;
  }

5. Trojan site config
Add a new site, set up SSL, then edit its config. Port 80 is used for certificate renewal, so leave it alone. The site must not clash with the stream block above, and above all must not clash with Trojan's port, otherwise Trojan will not start. The whole point of this site is just to make renewal convenient.

  listen 80;
  # no 443 listener here: 443 is the stream listener and 3001 is Trojan, which serves TLS for this name itself
  server_name nginx.xxx.top;
  index index.php index.html index.htm default.php default.htm default.html;
  root /www/wwwroot/nginx.xxx.top;

6. Trojan config

The file is plain JSON, so it cannot carry comments; the fields that matter are these. local_port must match the Trojan port in the stream block, because that is where the stream listener forwards the traffic. password: define your own, and make it complex. remote_addr/remote_port is where Trojan relays connections that fail authentication, with TLS already stripped, so it must be a plain-HTTP listener: 127.0.0.1:443 on this host is the nginx stream listener, which expects a TLS ClientHello, whereas port 80 of the renewal site serves plain HTTP. cert/key: remember the renewal site BT created for Trojan? Just take the certificate paths straight from that site's config.

  {
    "run_type": "server",
    "local_addr": "127.0.0.1",
    "local_port": 3001,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
      "XXXXXXX"
    ],
    "log_level": 1,
    "ssl": {
      "cert": "/www/server/panel/vhost/cert/nginx.xxx.top/fullchain.pem",
      "key": "/www/server/panel/vhost/cert/nginx.xxx.top/privkey.pem",
      "key_password": "",
      "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
      "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
      "prefer_server_cipher": true,
      "alpn": [
        "http/1.1"
      ],
      "alpn_port_override": {
        "h2": 81
      },
      "reuse_session": true,
      "session_ticket": false,
      "session_timeout": 600,
      "plain_http_response": "",
      "curves": "",
      "dhparam": ""
    },
    "tcp": {
      "prefer_ipv4": false,
      "no_delay": true,
      "keep_alive": true,
      "reuse_port": false,
      "fast_open": false,
      "fast_open_qlen": 20
    },
    "mysql": {
      "enabled": false,
      "server_addr": "127.0.0.1",
      "server_port": 3306,
      "database": "trojan",
      "username": "trojan",
      "password": "",
      "key": "",
      "cert": "",
      "ca": ""
    }
  }
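Three values in this setup have to agree: the upstream the stream map sends the Trojan host name to, Trojan's local_addr/local_port, and Trojan's remote_addr/remote_port fallback, which must not point back at the 443 stream listener. The checker below is an added example, not part of this post or of Trojan. It parses constructed copies of the two config fragments with regular expressions (a deliberately narrow parser for just these directives, not a general nginx parser) and reports mismatches; the Trojan copy intentionally keeps remote_port 443 and the placeholder password so that both checks fire.

```python
"""Consistency check between the nginx stream block and the Trojan server
config. Added example; it understands only the few directives this setup
depends on (map, upstream, listen) and a handful of Trojan JSON keys."""
import json
import re

# Constructed copy of the stream block from the post.
STREAM_CONF = """
stream {
    map $ssl_preread_server_name $name {
        www.xxx.top   blog;
        nginx.xxx.top trojan;
    }
    upstream blog   { server 127.0.0.1:3000; }
    upstream trojan { server 127.0.0.1:3001; }
    server {
        listen 443 reuseport;
        listen [::]:443 reuseport;
        proxy_pass $name;
        ssl_preread on;
    }
}
"""

# Constructed Trojan config: remote_port still points at 443 and the
# password is the placeholder, so two of the checks below should fire.
TROJAN_CONF = """{
  "run_type": "server",
  "local_addr": "127.0.0.1",
  "local_port": 3001,
  "remote_addr": "127.0.0.1",
  "remote_port": 443,
  "password": ["XXXXXXX"]
}"""

TROJAN_HOST = "nginx.xxx.top"   # the SNI the map is expected to send to Trojan


def parse_stream(conf: str):
    """Return (sni -> upstream name, upstream name -> (host, port), set of listen ports)."""
    block = re.search(r"map\s+\$ssl_preread_server_name\s+\$name\s*\{(.*?)\}", conf, re.S)
    sni_map = dict(re.findall(r"([\w.\-]+)\s+(\w+)\s*;", block.group(1))) if block else {}
    upstreams = {
        name: (host, int(port))
        for name, host, port in re.findall(
            r"upstream\s+(\w+)\s*\{[^}]*?server\s+([\d.]+):(\d+)", conf, re.S)
    }
    listens = {int(p) for p in re.findall(r"listen\s+(?:\[::\]:)?(\d+)", conf)}
    return sni_map, upstreams, listens


def check(stream_conf: str, trojan_json: str):
    """Return a list of problems; an empty list means the two files agree."""
    sni_map, upstreams, listens = parse_stream(stream_conf)
    t = json.loads(trojan_json)
    problems = []

    target = upstreams.get(sni_map.get(TROJAN_HOST, ""))
    if target is None:
        problems.append(f"stream map has no upstream for {TROJAN_HOST}")
    elif target != (t["local_addr"], t["local_port"]):
        problems.append(f"stream forwards {TROJAN_HOST} to {target} but Trojan listens on "
                        f"({t['local_addr']}, {t['local_port']})")

    # Trojan relays failed-auth connections in plaintext, so the fallback must
    # never be the TLS stream listener on the same host.
    if t["remote_addr"] in ("127.0.0.1", "::1", "localhost") and t["remote_port"] in listens:
        problems.append("remote_port is the stream TLS listener; Trojan relays plaintext there, "
                        "so non-Trojan visitors get a dropped connection instead of the decoy site")
    if t["remote_port"] == t["local_port"]:
        problems.append("remote_port equals local_port: Trojan would relay to itself")
    if any(len(p) < 12 or len(set(p)) < 4 for p in t["password"]):
        problems.append("password is short or repetitive (still the placeholder?)")
    return problems


if __name__ == "__main__":
    for problem in check(STREAM_CONF, TROJAN_CONF) or ["no problems found"]:
        print("-", problem)
```

To run it against a real host, read the stream block and /etc/trojan/config.json from disk in place of the two constructed strings; the checks themselves do not change.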

7. Next, restart Trojan:

  systemctl restart trojan

If nothing complains, you are ready to use it.