Preface
Many people occasionally run into failures when using one-click scripts to set up trojan-go for reaching overseas services. You might as well try a manual setup: it only takes a few minutes and has a 100% success rate, so why not?
Differences between trojan and trojan-go
trojan-go: a complete Trojan proxy implemented in Go, compatible with the Trojan protocol and with the configuration file format of the original Trojan. Secure, efficient, lightweight and easy to use.
However, trojan-go has the following two features that trojan does not:
1. Multiplexing support to improve concurrency performance
2. CDN traffic relay support (based on WebSocket over TLS/SSL).
Prerequisites:
1. A VPS
2. A domain; blog.zhuzhirui.com and trojan.zhuzhirui.com are used as examples
blog.zhuzhirui.com is the normally accessible website
trojan.zhuzhirui.com is the domain used to reach trojan
3. The client is Clash
1. Install the Nginx module
1.1. With lnmp installed
In the lnmp installation root directory:
vim lnmp.conf
Find Nginx_Modules_Options=''
and change it to
Nginx_Modules_Options='--with-stream_ssl_preread_module'
Then upgrade nginx to version 1.18.0:
    ./upgrade.sh nginx
    Current Nginx Version:1.18.0
    You can get version number from http://nginx.org/en/download.html
    Please enter nginx version you want, (example: 1.18.0):    # type 1.18.0 and wait for the installation to finish
1.2. Without lnmp
    screen -S lnmp
    wget http://soft.vpser.net/lnmp/lnmp1.7.tar.gz -cO lnmp1.7.tar.gz && tar zxf lnmp1.7.tar.gz && cd lnmp1.7
    vim lnmp.conf
Find Nginx_Modules_Options=''
and change it to
Nginx_Modules_Options='--with-stream_ssl_preread_module'
Then install:
./install.sh lnmp
2. Bind the domains
lnmp vhost add
In the last step, remember to request an SSL certificate, otherwise you cannot proceed.
3. Modify nginx.conf
Open
vim /usr/local/nginx/conf/nginx.conf
Nginx configuration:
    user nginx;
    pid /var/run/nginx.pid;
    # keep the other settings at their defaults

    # core traffic-forwarding configuration
    stream {
        # SNI recognition: map the server name to a backend name; web is the normal site, trojan is the proxy
        map $ssl_preread_server_name $backend_name {
            blog.zhuzhirui.com   web;
            trojan.zhuzhirui.com trojan;
            # default when no domain matches
            default web;
        }
        # web: forwarding target
        upstream web {
            server 127.0.0.1:10240;
        }
        # trojan: forwarding target
        upstream trojan {
            server 127.0.0.1:10241;
        }
        # listen on 443 and enable ssl_preread
        server {
            listen 443 reuseport;
            listen [::]:443 reuseport;
            proxy_pass $backend_name;
            ssl_preread on;
        }
    }

    http {
        # leave this block unchanged
    }
A few simple lines of configuration complete the traffic dispatch. Finally, change the ports in the Trojan and web configurations so that they match the configuration above (web on 10240, trojan on 10241).
4. Modify the vhost configuration
Configuration for blog.zhuzhirui.com, the normally accessible site
    server {
        listen 80;
        #listen [::]:80;
        server_name blog.zhuzhirui.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root /home/wwwroot/blog.zhuzhirui.com;
        include rewrite/other.conf;
        #error_page 404 /404.html;
        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
        include enable-php-pathinfo.conf;
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ { expires 30d; }
        location ~ .*\.(js|css)?$ { expires 12h; }
        location ~ /.well-known { allow all; }
        location ~ /\. { deny all; }
        access_log off;
    }
    server {
        listen 10240 ssl http2;   # change the port to the web port from nginx.conf above (upstream web = 10240; 10241 belongs to trojan-go)
        #listen [::]:443 ssl http2;
        server_name blog.zhuzhirui.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root /home/wwwroot/blog.zhuzhirui.com;
        ssl_certificate /usr/local/nginx/conf/ssl/blog.zhuzhirui.com/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/blog.zhuzhirui.com/blog.zhuzhirui.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
        include rewrite/other.conf;
        #error_page 404 /404.html;
        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
        include enable-php-pathinfo.conf;
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ { expires 30d; }
        location ~ .*\.(js|css)?$ { expires 12h; }
        location ~ /.well-known { allow all; }
        location ~ /\. { deny all; }
        access_log off;
    }
Configuration for trojan.zhuzhirui.com, the proxy site
    server {
        listen 80;
        #listen [::]:80;
        server_name trojan.zhuzhirui.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root /home/wwwroot/trojan.zhuzhirui.com;
        # this block is only needed when trojan has ws mode enabled
        location /phpmyadmin {
            proxy_pass http://127.0.0.1:36402;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        access_log off;
    }
    ## delete the remaining ssl server block
5. Install trojan-go
5.1. Create directories to serve as the trojan installation directory
    mkdir /etc/trojan
    mkdir /etc/trojan/bin
    mkdir /etc/trojan/conf
5.2. Download the latest trojan-go release
Open the trojan-go release page in a browser: https://github.com/p4gefau1t/trojan-go/releases, and find the latest release, currently v0.8.1.
There are releases for many different systems; find the one that matches yours. If you are not sure, run the following to check the system architecture:
uname -m
My VPS turned out to be x86_64, which corresponds to trojan-go-linux-amd64.zip; run the following to download it:
wget --no-check-certificate -O /etc/trojan/bin/trojan-go-linux-amd64.zip "https://github.com/p4gefau1t/trojan-go/releases/download/v0.8.2/trojan-go-linux-amd64.zip"
5.3. Unzip / install trojan-go
After downloading, unzip:
unzip -o -d /etc/trojan/bin /etc/trojan/bin/trojan-go-linux-amd64.zip
If the command above reports unzip command not found, run this on Debian and Ubuntu (skip it if there was no error):
apt -y install unzip
On CentOS run:
yum -y install unzip
That completes the trojan-go installation.
5.4. Configure trojan-go
With trojan-go installed, start configuring it.
5.4.1. Server configuration
1. Create the server configuration file with ws enabled:
vim /etc/trojan/conf/server.json
    {
        "run_type": "server",
        "local_addr": "0.0.0.0",
        "local_port": 10241,
        "remote_addr": "127.0.0.1",
        "remote_port": 80,
        "password": [
            "ei202112"
        ],
        "log_level": 1,
        "log_file": "/etc/trojan/bin/test.log",
        "ssl": {
            "verify": true,
            "verify_hostname": true,
            "cert": "/usr/local/nginx/conf/ssl/trojan.zhuzhirui.com/fullchain.cer",
            "key": "/usr/local/nginx/conf/ssl/trojan.zhuzhirui.com/trojan.zhuzhirui.com.key",
            "key_password": "",
            "prefer_server_cipher": false,
            "alpn": [
                "http/1.1"
            ],
            "reuse_session": true,
            "session_ticket": false,
            "session_timeout": 600,
            "plain_http_response": "",
            "curves": "",
            "dhparam": "",
            "sni": "trojan.zhuzhirui.com",
            "fingerprint": "firefox"
        },
        "tcp": {
            "no_delay": true,
            "keep_alive": true
        },
        "mux": {
            "enabled": true,
            "concurrency": 8,
            "idle_timeout": 60
        },
        "websocket": {
            "enabled": true,
            "path": "/2a3c9839",
            "host": "trojan.zhuzhirui.com"
        },
        "mysql": {
            "enabled": false,
            "server_addr": "127.0.0.1",
            "server_port": 8088,
            "database": "trojan",
            "username": "trojan",
            "password": ""
        }
    }
Configuration explanation
    {
        "run_type": "server",
        "local_addr": "0.0.0.0",
        "local_port": 10241,                 // must match the trojan port in nginx.conf
        "remote_addr": "127.0.0.1",
        "remote_port": 80,
        "password": [
            "ei202112"                       // client connection password; special characters are not supported; several passwords can be set for multiple users
        ],
        "log_level": 1,
        "log_file": "/etc/trojan/bin/test.log",
        "ssl": {
            "verify": true,
            "verify_hostname": true,
            "cert": "/usr/local/nginx/conf/ssl/trojan.zhuzhirui.com/fullchain.cer",               // change to the path of the uploaded certificate's .pem/.crt file
            "key": "/usr/local/nginx/conf/ssl/trojan.zhuzhirui.com/trojan.zhuzhirui.com.key",   // change to the path of the certificate's .key file
            "key_password": "",
            "prefer_server_cipher": false,
            "alpn": [
                "http/1.1"
            ],
            "reuse_session": true,
            "session_ticket": false,
            "session_timeout": 600,
            "plain_http_response": "",
            "curves": "",
            "dhparam": "",
            "sni": "trojan.zhuzhirui.com",
            "fingerprint": "firefox"
        },
        "tcp": {
            "no_delay": true,
            "keep_alive": true
        },
        "mux": {
            "enabled": true,
            "concurrency": 8,
            "idle_timeout": 60
        },
        "websocket": {
            "enabled": true,                 // set to true to enable the CDN feature
            "path": "/2a3c9839",             // choose a path that is as complex as possible so it is not identified by probing
            "host": "trojan.zhuzhirui.com"   // set your own domain
        },
        "mysql": {
            "enabled": false,
            "server_addr": "127.0.0.1",
            "server_port": 8088,
            "database": "trojan",
            "username": "trojan",
            "password": ""
        }
    }
5.4.2. Start the trojan-go service
1. Create the trojan-go service file
    cat >/etc/systemd/system/trojan.service<< EOF
    [Unit]
    Description=trojan
    Documentation=https://github.com/p4gefau1t/trojan-go
    After=network.target

    [Service]
    Type=simple
    StandardError=journal
    ExecStart=/etc/trojan/bin/trojan-go -config /etc/trojan/conf/server.json
    # systemd stops the service by sending SIGTERM to the main process; no ExecStop is needed
    LimitNOFILE=51200
    Restart=on-failure
    RestartSec=1s

    [Install]
    WantedBy=multi-user.target
    EOF
2. Load the service file:
systemctl daemon-reload
3. Start the service
systemctl start trojan.service
Before starting the service, restart nginx first so the new configuration takes effect:
systemctl restart nginx.service
4. Some other commands:
    systemctl stop trojan.service      # stop trojan-go
    systemctl restart trojan.service   # restart trojan-go
Once both the server and client configuration files are done, you can start browsing through the proxy. However, this configuration file does not yet set up any of trojan-go's new features.
5.4.3. Configuring the new features
Let's look at how to set up these new features one by one:
1. Configure CDN traffic relay
Change the following 3 points in the server configuration file:
1. Change line 2 to true
2. Change line 3 to a URL path; it must begin with a slash ("/"), e.g. /my, and client and server must be identical
3. Line 4 is the domain
    "websocket": {
        "enabled": true,
        "path": "/your-websocket-path",
        "host": "example.com"
    },
- host is the hostname, normally the domain. On the client, host is optional; fill in your domain. If left empty, remote_addr is used instead.
- path is the URL path the websocket lives at and must begin with a slash ("/"). There is no special requirement for the path beyond being a valid URL path, but the client and server paths must be identical. Choose a fairly long string for path to avoid direct active probing by the GFW. The client host is included in the WebSocket handshake HTTP request sent to the CDN server and must be valid; server and client path must be the same, otherwise the WebSocket handshake cannot complete.
2. Use multiplexing to improve concurrency performance
On both server and client, simply change false to true:
    "mux": {
        "enabled": true,
        "concurrency": 8,
        "idle_timeout": 60
    },
6. Clash client configuration
6.1. Configuration with the ws protocol
    - name: "ru-105"
      type: trojan
      server: trojan.zhuzhirui.com
      port: 443
      password: ei202112       # must be one of the passwords in server.json
      ws-path: /2a3c9839       # must match websocket.path in server.json
      tls: true
      # udp: true
      # sni: example.com       # aka server name
      alpn:
        - h2
        - http/1.1
      # skip-cert-verify: true
6.2. Without ws
    - name: "ru-105"
      type: trojan
      server: trojan.zhuzhirui.com
      port: 443
      password: ei202112
      tls: true
      alpn:
        - h2
        - http/1.1
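The article requires three values to agree across files: trojan-go's local_port with the nginx upstream port (and not with the web vhost port), the websocket path with the Clash ws-path, and the client password with the server password list. The checker below is an added example, not part of the original article or of trojan-go; it reads constructed samples of the three files (the regex-based nginx and YAML readers, the example.com names and the password are assumptions for this example) and returns every mismatch it finds.

```python
import json
import re
# Constructed samples modelled on the article's three files (not taken from any live host):
# the nginx stream block, the trojan-go server.json and the Clash proxy entry.
NGINX_CONF = """
stream {
    upstream web    { server 127.0.0.1:10240; }
    upstream trojan { server 127.0.0.1:10241; }
    server { listen 443 reuseport; proxy_pass $backend_name; ssl_preread on; }
}
"""
SERVER_JSON = json.dumps({
    "run_type": "server", "local_addr": "0.0.0.0", "local_port": 10241,
    "remote_addr": "127.0.0.1", "remote_port": 80, "password": ["example-password"],
    "websocket": {"enabled": True, "path": "/2a3c9839", "host": "trojan.example.com"},
})
CLASH_PROXY = """
- name: "example"
  type: trojan
  server: trojan.example.com
  port: 443
  password: example-password
  ws-path: /2a3c9839
  tls: true
"""

def nginx_upstream_port(conf, name):
    """Port of 'upstream <name> { server ip:port; }' in the stream block, or None."""
    m = re.search(r"upstream\s+%s\s*\{[^}]*?server\s+[\d.]+:(\d+)" % re.escape(name), conf)
    return int(m.group(1)) if m else None

def clash_field(yaml_text, key):
    """Scalar value of a 'key: value' line in the Clash proxy entry (no PyYAML needed)."""
    m = re.search(r"^[\s-]*%s:\s*\"?([^\"\n]+?)\"?\s*$" % re.escape(key), yaml_text, re.M)
    return m.group(1) if m else None

def check_consistency(nginx_conf, server_json, clash_yaml):
    """Return the mismatches between the three files; an empty list means they agree."""
    srv = json.loads(server_json)
    ws = srv.get("websocket", {})
    problems = []
    if nginx_upstream_port(nginx_conf, "trojan") != srv["local_port"]:
        problems.append("trojan-go local_port does not match nginx 'upstream trojan'")
    if nginx_upstream_port(nginx_conf, "web") == srv["local_port"]:
        problems.append("web vhost and trojan-go would bind the same port")
    if ws.get("enabled") and clash_field(clash_yaml, "ws-path") != ws.get("path"):
        problems.append("websocket path differs between server.json and Clash ws-path")
    if clash_field(clash_yaml, "password") not in srv["password"]:
        problems.append("Clash password is not in the server.json password list")
    return problems
```

Run check_consistency on your own three files before starting the services; the port-clash check catches the case where the web vhost is left on trojan-go's port.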
7. Camouflage the proxy site
We must disguise trojan.zhuzhirui.com as a normally accessible website. Upload something like a scraper site to your /home/wwwroot/trojan.zhuzhirui.com directory.
8. Aside
This document is a technical test article and does not involve any other area! Please do not use it for illegal purposes! Otherwise you bear the consequences yourself!
Original link: https://blog.e9china.net/tufan/nginx-and-trojan-oexist-on-port-443.html