TaChao/a-trojan-with-nginx-stream-module.md

## a-trojan-with-nginx-stream-module.md

      
    Raw
  

              a-trojan-with-nginx-stream-module.md
            
          
    利用 NGINX 的 Stream 模塊 sni_preread 功能，可以做到讓 Trojan 和其他網站在同一台機器上共享 443 端口。

  
## default.conf
# 將 /etc/nginx/sites-available/default 的內容改成如下，可以實現全局 https 跳轉

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

## nginx.conf
# 在 /etc/nginx/nginx.conf 加入這段, 原先的內容不要刪
stream {
	map $ssl_preread_server_name $backend_name {
		trojan.example.com trojan;
		website1.example.com tls_backend;
		website2.example.com tls_backend;
		default web;
	}

	upstream web {
		server 127.0.0.1:80;
	}

	upstream trojan {
		server 127.0.0.1:8080;
	}

	upstream tls_backend {
		server 127.0.0.1:8443;
	}

	server {
		listen 443 reuseport;
		listen [::]:443 reuseport;
		proxy_pass  $backend_name;
		ssl_preread on;
	}
}

## trojan-go.conf
{
  "run_type": "server",
  "local_addr": "127.0.0.1",
  "local_port": 8080,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "log_level": 5,
  "password": [
    "your_awesome_password"
  ],
  "ssl": {
    "verify_hostname": true,
    "cert": "/etc/ssl/trojan/fullchain.crt",
    "key": "/etc/ssl/trojan/key.key",
    "sni": "trojan.example.com",
    "alpn": [
      "http/1.1"
    ]
  },
  "router": {
    "enabled": false
  }
}

## trojan.conf
# trojan 偽裝站設置
# 將此檔案放到以下三種位置之一
# 位置1 (推荐): 放到 /etc/nginx/sites-available 下, 建立軟鏈到 /etc/nginx/sites-enabled
# 位置2: 放到 /etc/nginx/conf.d
# 位置3: 放到 /etc/nginx/sites-enabled

server {
    listen 127.0.0.1:80;
    server_name trojan.example.com;

    root /var/www/html;
    index index.php index.html index.htm;
}

## web.conf
# 其他網站全部監聽 127.0.0.1:8443, 在這個端口進行 TLS 握手
# 將此檔案放到以下三種位置之一
# 位置1 (推荐): 放到 /etc/nginx/sites-available 下, 建立軟鏈到 /etc/nginx/sites-enabled
# 位置2: 放到 /etc/nginx/conf.d
# 位置3: 放到 /etc/nginx/sites-enabled

server {
    listen 127.0.0.1:8443 ssl http2;
    server_name website1.example.com;

    ssl_certificate /path/to/fullchain.crt;
    ssl_certificate_key /path/to/key.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
    }
}

server {
    listen 127.0.0.1:8443 ssl http2;
    server_name website2.example.com;

    ssl_certificate /path/to/fullchain.crt;
    ssl_certificate_key /path/to/key.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
    }
}
	# 將 /etc/nginx/sites-available/default 的內容改成如下，可以實現全局 https 跳轉

	server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
	}
	# 在 /etc/nginx/nginx.conf 加入這段, 原先的內容不要刪
	stream {
	map $ssl_preread_server_name $backend_name {
	trojan.example.com trojan;
	website1.example.com tls_backend;
	website2.example.com tls_backend;
	default web;
	}

	upstream web {
	server 127.0.0.1:80;
	}

	upstream trojan {
	server 127.0.0.1:8080;
	}

	upstream tls_backend {
	server 127.0.0.1:8443;
	}

	server {
	listen 443 reuseport;
	listen [::]:443 reuseport;
	proxy_pass $backend_name;
	ssl_preread on;
	}
	}
	{
	"run_type": "server",
	"local_addr": "127.0.0.1",
	"local_port": 8080,
	"remote_addr": "127.0.0.1",
	"remote_port": 80,
	"log_level": 5,
	"password": [
	"your_awesome_password"
	],
	"ssl": {
	"verify_hostname": true,
	"cert": "/etc/ssl/trojan/fullchain.crt",
	"key": "/etc/ssl/trojan/key.key",
	"sni": "trojan.example.com",
	"alpn": [
	"http/1.1"
	]
	},
	"router": {
	"enabled": false
	}
	}
	# trojan 偽裝站設置
	# 將此檔案放到以下三種位置之一
	# 位置1 (推荐): 放到 /etc/nginx/sites-available 下, 建立軟鏈到 /etc/nginx/sites-enabled
	# 位置2: 放到 /etc/nginx/conf.d
	# 位置3: 放到 /etc/nginx/sites-enabled

	server {
	listen 127.0.0.1:80;
	server_name trojan.example.com;

	root /var/www/html;
	index index.php index.html index.htm;
	}
	# 其他網站全部監聽 127.0.0.1:8443, 在這個端口進行 TLS 握手
	# 將此檔案放到以下三種位置之一
	# 位置1 (推荐): 放到 /etc/nginx/sites-available 下, 建立軟鏈到 /etc/nginx/sites-enabled
	# 位置2: 放到 /etc/nginx/conf.d
	# 位置3: 放到 /etc/nginx/sites-enabled

	server {
	listen 127.0.0.1:8443 ssl http2;
	server_name website1.example.com;

	ssl_certificate /path/to/fullchain.crt;
	ssl_certificate_key /path/to/key.key;
	ssl_protocols TLSv1.2 TLSv1.3;

	location / {
	}
	}

	server {
	listen 127.0.0.1:8443 ssl http2;
	server_name website2.example.com;

	ssl_certificate /path/to/fullchain.crt;
	ssl_certificate_key /path/to/key.key;
	ssl_protocols TLSv1.2 TLSv1.3;

	location / {
	}
	}