0. Preparation
It is recommended to request a wildcard certificate via ACME with automatic renewal; otherwise the later TLS decryption step becomes troublesome.
It is recommended to use the camouflage-site / eight-in-one coexistence script, since the uTLS fingerprint has little impact.
After installation it listens on port 443 by default.
I. Setting the camouflage site up as an HTTPS mirror
Edit /etc/nginx/conf.d/alone.conf and replace both location / blocks with the following:
    # Placeholders: 镜像网站域名 = domain of the site being mirrored; 伪装域名 = your own camouflage domain
    location / {
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        # Rewrite the upstream's own hostname in response bodies to the camouflage domain
        # (needs ngx_http_sub_module; Accept-Encoding is cleared below so the body arrives uncompressed)
        sub_filter 镜像网站域名 伪装域名;
        sub_filter_once off;
        # Note: these two headers pass the visitor's real IP on to the mirrored site
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer https://镜像网站域名/;
        proxy_set_header Host 镜像网站域名;
        proxy_pass https://镜像网站域名;
        proxy_set_header Accept-Encoding "";
        proxy_ssl_session_reuse off;
        # Uncomment if the mirrored site requires SNI (most CDN-hosted sites do);
        # without it nginx sends no SNI and proxy_ssl_name below has no effect on the handshake
        #proxy_ssl_server_name on;
        proxy_ssl_name $proxy_host;
        # TLSv1.1 is deprecated; drop it and keep TLSv1.2 TLSv1.3 unless the mirrored site still needs it
        proxy_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    }
After editing and saving, run systemctl restart nginx.
II. Deploying other functional websites
AdGuard Home is used as the example here; it is advisable to read the reference material carefully.
Reference material:
1. Certificates
① Use the wildcard certificate you requested (via ACME, with automatic renewal).
② Or configure several different certificates:
    "certificates": [
        {
            "certificateFile": "/etc/ssl/xray/cert1.pem",
            "keyFile": "/etc/ssl/xray/privkey1.key"
        },
        {
            "certificateFile": "/etc/ssl/xray/cert2.pem",
            "keyFile": "/etc/ssl/xray/privkey2.key"
        }
    ]
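With several certificates loaded, the server picks one by the SNI the client sends, and a wildcard certificate only covers one label level, so *.example.com serves the AdGuard Home subdomain but not the bare apex or a deeper name. The following is an added example (not Xray's own code) that models that selection with RFC 6125 wildcard rules; the certificate inventory, its SAN lists and the example.com / example.net names are constructed assumptions.

```python
# Constructed certificate inventory modelled on the two-certificate example above.
# The file paths mirror the page's placeholders; the SAN lists are assumptions.
CERTS = [
    {"certificateFile": "/etc/ssl/xray/cert1.pem", "keyFile": "/etc/ssl/xray/privkey1.key",
     "sans": ["example.com", "*.example.com"]},
    {"certificateFile": "/etc/ssl/xray/cert2.pem", "keyFile": "/etc/ssl/xray/privkey2.key",
     "sans": ["mirror.example.net"]},
]


def san_matches(pattern, hostname):
    """RFC 6125 style matching: a wildcard must be the entire leftmost label and
    matches exactly one label, so *.example.com covers adg.example.com but not
    example.com (apex) or a.b.example.com (two labels deep)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial (f*o.example.com) or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False  # refuse over-broad wildcards such as *.com
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def select_certificate(sni, certs):
    """Return the certificate whose SAN list covers the SNI; an exact SAN wins
    over a wildcard SAN, and None means no certificate fits (handshake fails)."""
    candidates = []
    for cert in certs:
        for san in cert["sans"]:
            if san_matches(san, sni):
                candidates.append((1 if "*" in san else 0, cert))
                break
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0])  # stable sort: exact matches first
    return candidates[0][1]


if __name__ == "__main__":
    for name in ("adg.example.com", "example.com", "a.b.example.com", "mirror.example.net"):
        chosen = select_certificate(name, CERTS)
        print(name, "->", chosen["certificateFile"] if chosen else "no matching certificate")
```

Run it to see which file would serve each name; the a.b.example.com case shows why a fallback name two labels below the wildcard needs its own certificate entry.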
2. Modifying the inbound fallbacks
The following is only an example, for reference:
    "fallbacks": [
        {"dest":31296,"xver":1}, // fall back to TCP+TLS
        {"alpn":"h2","dest":31302,"xver":0}, // fall back to gRPC
        {"path":"/路径ws","dest":31297,"xver":1}, // fall back to WebSocket
        {"path":"/路径vws","dest":31299,"xver":1}, // fall back to WebSocket
        {"name":"ADG域名","alpn":"h2","dest":端口2,"xver":1}, // replace with your domain and the two custom ports
        {"name":"ADG域名","dest":端口1,"xver":1}
    ]
The order matters: put the h2 entry before the http/1.1 entry, so that HTTP/2 is preferred while compatibility is kept; in the reverse order HTTP/2 negotiates down to HTTP/1.1 and the entry becomes ineffective.
3. Configuring nginx
Create a new configuration file dns.conf in /etc/nginx/conf.d/:
    # Placeholders: 端口1 / 端口2 = the two custom fallback ports from the Xray config; ADG域名 = the AdGuard Home domain; DOH端口 = AdGuard Home's DoH port
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
    # If nginx is to accept the PROXY protocol, set_real_ip_from must be configured in addition to proxy_protocol, otherwise problems may occur
    server {
        listen 127.0.0.1:端口1 proxy_protocol;
        # Plain-text h2c: Xray has already terminated TLS (on nginx 1.25.1+ the http2 listen parameter is deprecated in favour of "http2 on;")
        listen 127.0.0.1:端口2 proxy_protocol http2;
        server_name ADG域名;
        proxy_ssl_server_name on;
        location / {
            proxy_pass https://127.0.0.1:DOH端口;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header REMOTE-HOST $remote_addr;
            add_header X-Cache $upstream_cache_status;
        }
    }
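With xver set to 1, Xray prefixes each forwarded connection with a PROXY protocol v1 line carrying the real client address, and nginx only substitutes that address for $remote_addr when the sending peer is listed in set_real_ip_from. The following added example (not nginx or Xray code) parses a v1 header and reproduces that trust decision; the sample header bytes, the 203.0.113.7 client and the 192.0.2.9 untrusted peer are constructed values.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest legal v1 line including CRLF, per the PROXY protocol spec

# Constructed sample: what Xray (xver 1) would send ahead of a DoH request.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.1 51234 443\r\nGET /dns-query HTTP/1.1\r\n"


def parse_proxy_v1(data):
    """Parse a PROXY protocol v1 header from the start of a TCP stream.

    Returns (info, payload): info is a dict with proto/src/dst/src_port/dst_port,
    or None for "PROXY UNKNOWN"; payload is everything after the CRLF.
    Raises ValueError on malformed input, which is the case nginx drops.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 signature at start of stream")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated by CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload  # sender knows nothing about the origin; treat as direct connection
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed header fields: {fields}")
    _, proto, src, dst, sport, dport = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    want = 4 if proto == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match declared protocol")
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("ports must be decimal integers")
    sp, dp = int(sport), int(dport)
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return {"proto": proto, "src": src, "dst": dst, "src_port": sp, "dst_port": dp}, payload


def real_client_ip(peer_addr, data, trusted=("127.0.0.1",)):
    """Mimic nginx's real_ip_header proxy_protocol + set_real_ip_from behaviour:
    the PROXY source address replaces the peer address only when the peer that
    sent the header is inside one of the trusted networks."""
    info, _ = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_addr)
    if info is None or not any(peer in ipaddress.ip_network(t) for t in trusted):
        return peer_addr  # untrusted peer: its header is ignored, not believed
    return info["src"]


if __name__ == "__main__":
    header, rest = parse_proxy_v1(SAMPLE)
    print("parsed:", header)
    print("payload starts with:", rest[:20])
    print("from loopback (trusted):", real_client_ip("127.0.0.1", SAMPLE))
    print("from elsewhere (untrusted):", real_client_ip("192.0.2.9", SAMPLE))
```

The untrusted-peer branch is the point of the set_real_ip_from line in dns.conf: without it, any process that can reach the listener could assert an arbitrary client address in the header.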