@phlinhng
Last active March 28, 2024 13:39
Trojan + NGINX: several sites sharing one server

Using the ssl_preread feature of NGINX's Stream module (ngx_stream_ssl_preread_module), Trojan and ordinary websites can share port 443 on the same machine. NGINX peeks at the SNI in the TLS ClientHello without terminating TLS and forwards the raw TCP connection to the matching upstream: Trojan terminates TLS itself on 127.0.0.1:8080, while the normal sites are terminated by a second NGINX listener on 127.0.0.1:8443.
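To make the routing decision concrete, here is a small model of what ssl_preread does, added as an example and not part of the gist or of NGINX: it builds a syntactically valid ClientHello (constructed test input), parses the SNI out of it without any TLS state, and applies the same name-to-upstream map as the stream block above, including the `default` case for unknown or absent SNI. The `BACKENDS` table, the hostnames and the function names are assumptions made for the demo.

```python
"""Model of NGINX ssl_preread: peek at the ClientHello, extract SNI, pick an upstream.
Added example, not code from the gist. All inputs below are constructed."""
import struct
from typing import Optional

# Same mapping as the gist's `map $ssl_preread_server_name $backend_name` block (assumed names).
BACKENDS = {
    "trojan.example.com": "trojan",
    "website1.example.com": "tls_backend",
    "website2.example.com": "tls_backend",
}
DEFAULT_BACKEND = "web"   # the map's `default web;`


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed test input, not a real client)."""
    body = b"\x03\x03" + bytes(32)                  # legacy_version + 32-byte client random (zeros)
    body += b"\x00"                                  # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                              # one compression method: null
    extensions = b""
    if sni is not None:
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(entry)) + entry            # server_name_list
        extensions += struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext   # extension type 0 = SNI
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record: handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if the bytes are not a
    ClientHello or carry no SNI. No certificate, key or TLS session is involved,
    which is exactly why ssl_preread can route before the handshake happens."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                              # not a TLS handshake record (e.g. plain HTTP)
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                              # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:
            return None                              # truncated; nginx would wait for more bytes
        i = 2 + 32                                   # skip legacy_version and random
        i += 1 + p[i]                                # skip session id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]  # skip cipher suites
        i += 1 + p[i]                                # skip compression methods
        if i + 2 > len(p):
            return None                              # no extensions block at all
        ext_len = struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        end = i + ext_len
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            if etype == 0x0000:                      # server_name extension
                data = p[i:i + elen]
                j = 2                                # skip server_name_list length
                while j + 3 <= len(data):
                    ntype = data[j]
                    nlen = struct.unpack("!H", data[j + 1:j + 3])[0]
                    j += 3
                    if ntype == 0:
                        return data[j:j + nlen].decode("ascii", "replace")
                    j += nlen
                return None
            i += elen
        return None
    except (IndexError, struct.error):
        return None                                  # malformed hello: treat as "no SNI"


def choose_backend(record: bytes) -> str:
    """Mirror the stream map: exact host match, otherwise the `default` upstream.
    DNS names are case-insensitive, so the lookup lower-cases the SNI."""
    sni = extract_sni(record)
    if sni is None:
        return DEFAULT_BACKEND
    return BACKENDS.get(sni.lower(), DEFAULT_BACKEND)


if __name__ == "__main__":
    for name in ["trojan.example.com", "website1.example.com", "unknown.example.org", None]:
        print(name, "->", choose_backend(build_client_hello(name)))
```

Running the script shows the property the gist relies on: only the exact names in the map reach Trojan or the HTTPS backend, and anything else, including a ClientHello with no SNI or a plain-HTTP probe, falls through to `web`.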

# Replace the contents of /etc/nginx/sites-available/default with the following
# to redirect all plain-HTTP requests to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
# Add this block to /etc/nginx/nginx.conf (at top level, next to the existing http block;
# do not delete the existing contents). It only inspects the ClientHello's SNI and forwards
# the raw TCP connection; it does not terminate TLS itself.
# Caveats:
#  - A ClientHello for any other name, or with no SNI at all, goes to the plain-HTTP listener
#    on port 80, which answers a raw TLS handshake with an HTTP 400 rather than a TLS alert.
#  - Every upstream sees the client as 127.0.0.1. If the backends need real client addresses
#    in their logs, add proxy_protocol here and configure the backends to accept it.
stream {
    map $ssl_preread_server_name $backend_name {
        trojan.example.com    trojan;
        website1.example.com  tls_backend;
        website2.example.com  tls_backend;
        default               web;
    }
    upstream web {
        server 127.0.0.1:80;
    }
    upstream trojan {
        server 127.0.0.1:8080;
    }
    upstream tls_backend {
        server 127.0.0.1:8443;
    }
    server {
        listen 443 reuseport;
        listen [::]:443 reuseport;
        proxy_pass $backend_name;
        ssl_preread on;
    }
}
Trojan server configuration. The settings that matter for this layout are local_port 8080 (where the stream block forwards the trojan.example.com connections), the certificate and key used to terminate TLS, and remote_addr/remote_port, which point at the decoy site on 127.0.0.1:80 so that any non-Trojan client reaching 8080 sees an ordinary website. verify_hostname and sni are client-side keys in Trojan's config format and are ignored by the server; log_level 5 turns logging off (0 is the most verbose).
{
    "run_type": "server",
    "local_addr": "127.0.0.1",
    "local_port": 8080,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "log_level": 5,
    "password": [
        "your_awesome_password"
    ],
    "ssl": {
        "verify_hostname": true,
        "cert": "/etc/ssl/trojan/fullchain.crt",
        "key": "/etc/ssl/trojan/key.key",
        "sni": "trojan.example.com",
        "alpn": [
            "http/1.1"
        ]
    },
    "router": {
        "enabled": false
    }
}
# Trojan decoy site.
# Put this file in one of the following three places:
# Option 1 (recommended): /etc/nginx/sites-available, with a symlink in /etc/nginx/sites-enabled
# Option 2: /etc/nginx/conf.d
# Option 3: /etc/nginx/sites-enabled
# It is the only server bound to 127.0.0.1:80, so it answers every request Trojan forwards
# from remote_addr/remote_port, whatever the Host header says, as plain HTTP (Trojan has
# already terminated TLS).
server {
    listen 127.0.0.1:80;
    server_name trojan.example.com;
    root /var/www/html;
    index index.php index.html index.htm;
}
# All other sites listen on 127.0.0.1:8443; the TLS handshake for them happens on this port,
# so each of these server blocks needs its own certificate and key.
# Put this file in one of the following three places:
# Option 1 (recommended): /etc/nginx/sites-available, with a symlink in /etc/nginx/sites-enabled
# Option 2: /etc/nginx/conf.d
# Option 3: /etc/nginx/sites-enabled
server {
    listen 127.0.0.1:8443 ssl http2;
    server_name website1.example.com;
    ssl_certificate /path/to/fullchain.crt;
    ssl_certificate_key /path/to/key.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        # site-specific configuration for website1 goes here
    }
}
server {
    listen 127.0.0.1:8443 ssl http2;
    server_name website2.example.com;
    ssl_certificate /path/to/fullchain.crt;
    ssl_certificate_key /path/to/key.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        # site-specific configuration for website2 goes here
    }
}