v2ray服务器配置笔记

readme.md

前言

• Nginx(反代) + Websocket + SSL 方案

一些 No Good 方案

• Caddy + tls + h2 + 阿里CDN 🚫 CDN不支持回源h2(Caddy日志记录为http1.1 遂失败) / 国内CDN需要备案域名 / Nginx不支持h2反代 / 速度不理想
  • https://www.moerats.com/archives/404/
  • v2ray/v2ray-core#1052
  • https://guide.v2fly.org/advanced/h2_tls_web.html#%E6%9C%8D%E5%8A%A1%E7%AB%AF%E9%85%8D%E7%BD%AE
• mKcp方案 🚫 端口封杀太快甚至直接封IP
• Websocket + CDN CloudFlare的试过了，速度很不理想 / 阿里云全站、又拍云 WSCDN 加速基本 ￥4/GB 还要另算 CDN 加速费

一些云厂商

• AWS 信用卡可以可以撸免费额度，选日本节点，所谓的 Global 加速也没有很理想
• GCP 谷歌云 这个可以作为备选，台湾节点理想，要注意的是，访问谷歌云需要梯子
• 阿里云 轻量服务器为首选，新加坡节点比较理想
• Azure 还没尝试，感觉大同小异，不折腾这个了

查看节点走向

• ipip.net router trace

一些常识

• 国际出口线路海底就那几条，所以高峰时期会慢是没办法的

推荐配置

• CentOS 7 x64 or whatever Ubuntu

准备工作

• 一台国际服务器，并允许SSH连接
• 开启80 443端口
• 域名
• 域名对应 SSL 证书
• 新建目录 /etc/v2ray
• 安装nginx并设置开机启动
• sudo apt update
• 注意证书的配置

开启 SSH

vi /etc/ssh/sshd_config

PermitRootLogin yes           //默认为no，需要开启root用户访问改为yes
PasswordAuthentication yes    //默认为no，改为yes开启密码登陆

service sshd restart # 重启 SSH 服务

安装 Nginx

sudo apt install nginx # 安装

sudo systemctl enable nginx # 设置开机启动 

sudo systemctl start nginx

Certbot

sudo apt install cerbot python3-certbot-nginx

sudo certbot --nginx

安装 V2ray

https://github.com/v2fly/fhs-install-v2ray

$ wget https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
$ sudo bash install-release.sh

config.json

See the other file.

sudo vim /usr/local/etc/v2ray/config.json

sudo systemctl enable v2ray # 设置开机启动 
sudo systemctl start v2ray

nginx.conf

Enable server domain first.

可能需要的命令

vim /var/log/nginx/error.log 

systemctl status nginx.service -l

问题收集

• 客户端提示 502 Bad Gateway > websocket: bad handshake

  • 从nginx入手 查看日志

  • 权限不足，选择关闭SELinux

  • 查看/usr/sbin/sestatus -v

  • 修改/etc/selinux/config 文件

    将SELINUX=enforcing改为SELINUX=disabled

    重启机器即可

• connect() failed (111: Connection refused) while connecting to upstream

  • v2ray 未启动成功

*521 connect() to 127.0.0.1:666 failed (13: Permission denied) while connecting to upstream, client: 218.85.120.242, server: brazil.emin.ink, request: "GET /emin HTTP/1.1", upstream: "http://127.0.0.1:666/emin", host: "brazil.emin.ink"

开启 BBR

• https://juejin.im/entry/6844903669830254600
• https://wiki.crowncloud.net/?How_to_enable_BBR_on_Ubuntu_20_04

Verify current algos:

$ sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = reno cubic

$ sysctl net.ipv4.tcp_congestion_control
net.ipv4.tcp_congestion_control = cubic

Update $ sudo vim /etc/sysctl.conf and append the two lines at the end:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Execute and verify:

$ sudo sysctl -p
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

$ sysctl net.ipv4.tcp_congestion_control
net.ipv4.tcp_congestion_control = bbr

client.json

{
  "policy": {
    "system": {
      "statsInboundUplink": true,
      "statsInboundDownlink": true
    }
  },
  "log": {
    "access": "",
    "error": "",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "proxy",
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": null,
        "address": null,
        "clients": null
      },
      "streamSettings": null
    },
    {
      "tag": "api",
      "port": 49417,
      "listen": "127.0.0.1",
      "protocol": "dokodemo-door",
      "sniffing": null,
      "settings": {
        "auth": null,
        "udp": false,
        "ip": null,
        "address": "127.0.0.1",
        "clients": null
      },
      "streamSettings": null
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "domain or ip",
            "port": 443,
            "users": [
              {
                "id": "uuid",
                "alterId": 64,
                "email": "email",
                "security": "auto"
              }
            ]
          }
        ],
        "servers": null,
        "response": null
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": false,
          "serverName": null
        },
        "tcpSettings": null,
        "kcpSettings": null,
        "wsSettings": {
          "connectionReuse": true,
          "path": "/study",
          "headers": null
        },
        "httpSettings": null,
        "quicSettings": null
      },
      "mux": {
        "enabled": false
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {
        "vnext": null,
        "servers": null,
        "response": null
      },
      "streamSettings": null,
      "mux": null
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "vnext": null,
        "servers": null,
        "response": {
          "type": "http"
        }
      },
      "streamSettings": null,
      "mux": null
    }
  ],
  "stats": {},
  "api": {
    "tag": "api",
    "services": [
      "StatsService"
    ]
  },
  "dns": null,
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "port": null,
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "ip": null,
        "domain": null
      }
    ]
  }
}

config.json

{
  "stats": {},
  "api": {
    "tag": "api",
    "services": [
        "StatsService"
    ]
},
  "inbounds": [
    {
    "port": 666,
    //"listen":"127.0.0.1",//只监听 127.0.0.1
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "<TODO add uuid>",
          "level": 1,
          "alterId": 64
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "tlsSettings": {
        "allowInsecure": false
      },
      "wsSettings": {
        "path": "/study"
        }
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    }
  },
  {
    "listen": "127.0.0.1",
    "port": 10085,
    "protocol": "dokodemo-door",
    "settings": {
        "address": "127.0.0.1"
    },
    "tag": "api"
  }
],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  },
  {
    "protocol": "blackhole",
    "settings": {

},
    "tag": "blocked"
  }],
  "policy":{
    "levels": {
      "0": {
        "handshake": 4,
        "connIdle": 300,
        "uplinkOnly": 2,
        "downlinkOnly": 2,
        "statsUserUplink": true,
        "statsUserDownlink": true,
        "bufferSize": 1024//1M
      },
      "1": {
        "handshake": 4,
        "connIdle": 300,
        "uplinkOnly": 2,
        "downlinkOnly": 5,
        "statsUserUplink": true,
        "statsUserDownlink": true,
        "bufferSize": 20480//20M
      }
    },
    "system": {
      "statsInboundUplink": true,
      "statsInboundDownlink": true
    }
  },
  "routing": {
    "rules": [
      {
        "inboundTag": [
          "Api"
      ],
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "api"
      },
      {
        "domaIN":[
           //"pornhub.com",
           //"app.swag.live",
           //"swag.live",
           "a.live"
           //"twitter.com",
           //"facebook.com"
         ],
         "type": "field",
         "outboundTag":"blocked"
      },
	    {
        "type": "field",
        "outboundTag": "block",
        "protocol": [
          "bittorrent"
        ]
      }
    ]
  },
  "strategy": "rules"
}

nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    use epoll;
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    proxy_connect_timeout       1800;
    proxy_send_timeout          1800;
    proxy_read_timeout          1800;
    send_timeout                1800;
    client_max_body_size 2048M;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   1800;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        #listen       80 udp;
        listen       [::]:80 default_server;
        server_name  yourServer;
	    root /usr/share/nginx/html;
	    index index.html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
                    root  /usr/share/nginx/html;
                    index index.html;
                }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }        
    # Settings for a TLS enabled server.
    #
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  yourServer;
        root         /usr/share/nginx/html;
	    index        index.html;
        ssl_certificate       /etc/v2ray/a.crt;
        ssl_certificate_key   /etc/v2ray/a.key;

        ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location /study {
            if ($http_upgrade != "websocket") { # WebSocket协商失败时返回404
                 return 404;
            }
            proxy_redirect off;
            proxy_pass http://127.0.0.1:666; # 
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            # Show real IP in v2ray access.log
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}