Preparation #
References #
https://whuwangyong.github.io/2023-03-18-v2ray-websocket-tls-web-cloudflare-guide/
https://github.com/v2fly/v2ray-examples?tab=readme-ov-file
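Domain #
- Real-name verification
- DNS resolution (do not purchase a DNS service)
  - Click "Add record".
  - Record type: A
  - Host record: v2
    - If it is @, you should ping cxxxx.top (your domain).
    - If it is www, you should ping www.cxxxx.top.
    - If you do want to use v2.xxxxx.top, you must click "Add record", enter v2 as the host record, and enter your IP as the record value.
  - Record value: xxxxxxx (IP address)
  - Click Confirm.
- Apply for an SSL certificate
  - Connect to your server: ssh root@x x x x x
  - Install socat:
    sudo apt update
    sudo apt install socat -y
  - Install acme.sh and issue the certificate:
    curl https://get.acme.sh | sh
    source ~/.bashrc
    # Register an account email (replace with your own)
    ~/.acme.sh/acme.sh --register-account -m myemail@example.com
    # Fill in the domain carefully (standalone mode listens on port 80, so that port must be free)
    ~/.acme.sh/acme.sh --issue -d xx.xxxxx.xxx --standalone -k ec-256
  - Install the certificate:
    # Create the directory that will hold the certificate
    mkdir -p /etc/v2ray_cert
    # Install (copy) the certificate into it
    ~/.acme.sh/acme.sh --install-cert -d xx.xxxxx.top --ecc \
      --fullchain-file /etc/v2ray_cert/fullchain.crt \
      --key-file /etc/v2ray_cert/private.key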
Server #
The system used is Ubuntu.
...
Personal website #
You need a personal website that can actually run.
Server side #
V2Ray installation #
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)
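The configuration file is located at /usr/local/etc/v2ray/config.json
File contents (confidential); refer to vless+tcp+tls
Be sure to change:
- ID: generate a new uuid
- Domain
- Certificate path: /etc/v2ray_cert/private.key
# Restart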
sudo systemctl restart v2ray.service
nginx installation #
sudo apt update
sudo apt install nginx -y
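Preparing the personal website #
sudo nano /var/www/html/index.html
# Site content
...
Configuring the Nginx configuration file #
File contents (confidential)
# Test whether the configuration file is correct
sudo nginx -t
Be sure to change:
- Log path
- Domain
# Restart
sudo systemctl restart nginx
# Enable start on boot
sudo systemctl enable nginx
Make sure V2Ray is also running.
Open a browser and go directly to https://<your domain>.
If the site cannot be reached:
# Grant read permission first
# (644 makes the private key readable by every local user; a tighter option is to make
# the key owned by the account the v2ray service runs as and use mode 600)
chmod 644 /etc/v2ray_cert/private.key
# Test the configuration file; it should return OK
/usr/local/bin/v2ray test -config /usr/local/etc/v2ray/config.json
# Restart
systemctl restart nginx
systemctl restart v2ray
# Check the service status
systemctl status v2ray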
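As a check on the certificate installed earlier and on the chmod step above, this added example (not from the original post) verifies that a certificate and key belong together, that the certificate is not about to expire, and that the key is not world-readable. It assumes Linux with openssl and GNU stat; the function names and the throwaway demo pair are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): sanity-check an installed
# certificate/key pair such as /etc/v2ray_cert/fullchain.crt + private.key.

# check_cert_pair CERT KEY [MIN_DAYS]: prints findings, returns 1 on any FAIL.
check_cert_pair() {
  local cert="$1" key="$2" days="${3:-14}" rc=0 cert_pub key_pub mode
  # 1. The certificate's public key must be the one derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL certificate and private key do not match"; rc=1
  fi
  # 2. The certificate must stay valid for at least MIN_DAYS more days.
  if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo "FAIL certificate expires within $days days"; rc=1
  fi
  # 3. The key must not be readable by "other" (mode 644 is).
  mode=$(stat -c '%a' "$key")
  case "$mode" in
    *[4567]) echo "FAIL private key mode $mode is world-readable"; rc=1 ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK $cert"
  return "$rc"
}

# Constructed demo: throwaway self-signed P-256 pair, key mode given as $1.
demo_pair() {
  local d; d=$(mktemp -d)
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/private.key" 2>/dev/null
  openssl req -x509 -new -key "$d/private.key" -subj "/CN=demo.invalid" \
    -days 30 -out "$d/fullchain.crt" 2>/dev/null
  chmod "${1:-644}" "$d/private.key"
  check_cert_pair "$d/fullchain.crt" "$d/private.key" "${2:-14}"; local rc=$?
  rm -rf "$d"; return "$rc"
}

demo_pair 644 14 || true
```

On the server the call would be check_cert_pair /etc/v2ray_cert/fullchain.crt /etc/v2ray_cert/private.key.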
Keeping the time consistent #
# Sync to Beijing time
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
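Client #
- Install the V2RayN client
Configuring the client #
Option 1: #
- Create a config_client.json file in a folder of your choice
  File contents (confidential). Note:
  {
    "listen": "127.0.0.1",
    "port": "10811", // this is the port shown at the bottom left of the app as Local:[mixed:xxxx]
    "protocol": "http"
  }
- Open Home -> Configurations -> Add custom configuration
  - Alias (remarks): anything
  - Address: select the path of the configuration file
  - Core type -> xray
  - Confirm
- Set it as active and test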
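Option 2: (recommended) #
Click Configurations -> Add [VLESS]
Fill in the following (leave anything not mentioned blank):
Configuration file: xray
Alias: anything
Address: your domain or server IP
Port: 443
User ID: the same uuid as in the configuration file
Encryption: none
Enable Mux multiplexing: off
Transport protocol: tcp
Transport layer security: tls
SNI: your domain
Fingerprint: chrome
ALPN: h2,http/1.1
Skip certificate verification: false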
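Disabling password login on the server #
- Generate a key
  # Generate an ED25519 key (recommended); 你的标识 means "your identifier", replace it with your own label
  ssh-keygen -t ed25519 -C "你的标识" -f ~/.ssh/server_key
  # Or generate an RSA key (better compatibility)
  ssh-keygen -t rsa -b 4096 -C "你的标识" -f ~/.ssh/server_key
  # Set the key file permissions
  chmod 600 ~/.ssh/server_key
  chmod 644 ~/.ssh/server_key.pub
- Upload the public key to the server
  ssh-copy-id -i ~/.ssh/server_key.pub root@xxxxxxx
- Test the login
  ssh -i ~/.ssh/server_key root@xxxxxx
- Disable password login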
vim /etc/ssh/sshd_config

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

# Restart to apply the configuration (keep the current session open until key login is confirmed)
sudo systemctl restart ssh
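The sshd_config changes above can be verified before ssh is restarted. This added example (not from the original post) reads a config file the way sshd does, where the first value found for a keyword wins, and reports whether password login is still possible. Function names and sample contents are constructed, Include files are not followed, and `sshd -T` remains the authoritative view of the effective settings.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit sshd_config text for the
# password-login settings this guide changes. sshd keeps the FIRST value it
# reads for a keyword, so order matters.

# effective_value KEYWORD DEFAULT < config
# Prints the first uncommented global value (lowercased), or DEFAULT if unset.
effective_value() {
  awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" -v def="$2" '
    /^[ \t]*(#|$)/          { next }                  # comment or blank line
    tolower($1) == "match"  { exit }                  # global section ends here
    tolower($1) == key      { print tolower($2); found = 1; exit }
    END { if (!found) print def }'
}

# audit_sshd FILE: prints findings; returns 1 if any FAIL was reported.
audit_sshd() {
  local f="$1" rc=0 pw kbd pam pub
  pw=$(effective_value PasswordAuthentication yes < "$f")        # OpenSSH default: yes
  kbd=$(effective_value KbdInteractiveAuthentication yes < "$f") # OpenSSH default: yes
  pam=$(effective_value UsePAM no < "$f")                        # OpenSSH default: no
  pub=$(effective_value PubkeyAuthentication yes < "$f")         # OpenSSH default: yes
  [ "$pw" = no ] || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
  [ "$pub" = yes ] || { echo "FAIL PubkeyAuthentication=$pub (key login would be refused)"; rc=1; }
  if [ "$kbd" != no ] && [ "$pam" = yes ]; then
    echo "FAIL KbdInteractiveAuthentication=$kbd with UsePAM=yes (PAM can still prompt for a password)"; rc=1
  fi
  if grep -Eiq '^[[:space:]]*Include[[:space:]]' "$f"; then
    echo "WARN Include is active: drop-in files may set a keyword first; confirm with 'sshd -T'"
  fi
  [ "$rc" -eq 0 ] && echo "OK password login disabled, key login enabled"
  return "$rc"
}

# Constructed sample: an early "yes" wins over the later "no".
demo_shadowed() {
  local tmp; tmp=$(mktemp)
  printf '%s\n' 'PasswordAuthentication yes' '#Port 22' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' 'KbdInteractiveAuthentication no' 'UsePAM no' > "$tmp"
  audit_sshd "$tmp"; local rc=$?
  rm -f "$tmp"; return "$rc"
}

demo_shadowed || true
```

On the server, run audit_sshd /etc/ssh/sshd_config from a second session while the first one stays logged in.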