时间: 分类:   字数: 1165 字 阅读: 3分钟 阅读次数:

1 前置条件

需要一个域名 需要一个 vps,安装好centos 7 或者 8

1 安装nginx

sudo yum install -y epel-release
sudo yum update -y 

sudo yum install nginx
sudo systemctl start nginx
sudo systemctl status nginx

检查nginx 版本,重点是检查 openssl是否支持1.1.1,只有1.1.1之后的版本,才能支持tls1.3

  nginx -V
  built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
  built with OpenSSL 1.1.1 FIPS  11 Sep 2018 (running with OpenSSL 1.1.1c FIPS  28 May 2019)
  TLS SNI support enabled

2 申请证书

sudo yum install epel-release
sudo yum install certbot

打开 80 443 端口

sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT

#保存防火墙配置文件
sudo service iptables save

申请证书 ,修改email地址 和 域名 参数

#申请证书前,确保nginx工作正常
sudo systemctl start nginx
sudo systemctl status nginx

# 修改下面命令中的, email地址 和 域名 
sudo certbot certonly --webroot --email your_email@xxx -w /usr/share/nginx/html -d xxx.your.site

如果看到

Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/xxx.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxx.site/privkey.pem
说明申请成功了

设定certbot自动更新证书

#执行下面的命令
SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

#检查/etc/crontab
sudo cat /etc/crontab

#如果有下面这句,说明自动更新证明任务已经注册
0 0,12 * * * root sleep 2380 && certbot renew -q

#证书更新完成后,重启nginx和trojan-go
cd /etc/letsencrypt/renewal-hooks/post
sudo touch renew_post.sh
sudo chmod +x renew_post.sh

#在renew_post.sh文件中,增加
#!/bin/bash
nginx -s reload

#!/bin/bash
systemctl restart trojan-go

#测试一下证书更新流程。 如果后面trojian-go失败,不要担心,因为还没有安装,等trojan更新成功后,再执行一遍就行了。
sudo certbot renew --dry-run

修改/etc/nginx/conf.d/defaul.conf文件 ,注意把所有xxx.site修改为你自己的域名

注意端口是4443,因为443留给了trojan-go,这里的4443是trojan-go回落后的端口

server {
  # SSL configuration
  listen 4443 ssl http2 default_server;
  listen [::]:4443 ssl http2 default_server;
   ssl_certificate    /etc/letsencrypt/live/Yoursite.com/fullchain.pem;
   ssl_certificate_key  /etc/letsencrypt/live/Yoursite.com/privkey.pem;

 ssl_protocols TLSv1.2 TLSv1.3;

 root /usr/share/nginx/html;

 # Add index.php to the list if you are using PHP
 index index.html index.htm index.nginx-debian.html;

 server_name Yoursite.com;

}

重启nginx

sudo systemctl restart nginx

如果成功,这时候可以访问https://xxx.site/

3 在centos 7上配置trojan-go

下载trojan-go,并解压

cd 
mkdir trojan-go
cd trojan-go
wget https://github.com/p4gefau1t/trojan-go/releases/download/v0.10.6/trojan-go-linux-amd64.zip
unzip trojan-go-linux-amd64.zip

sudo mkdir /etc/trojan-go
sudo cp trojan-go /etc/trojan-go
sudo cp *.dat /etc/trojan-go

服务器配置文件 /etc/trojan-go/server.json,注意修改yousite.com为你自己的站点域名

{
"run_type": "server",
"local_addr": "0.0.0.0",
"local_port": 443,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"password": [
    "修改为你的密码"
],
"ssl": {
    "cert": "/etc/letsencrypt/live/Yousite.com/fullchain.pem",
    "key": "/etc/letsencrypt/live/Yousite.com/privkey.pem",
    "sni": "Yousite.com",
    "fallback":"4443"  #注意,这里的4443和前面nginx的端口对应。
    
},
"websocket": {
"enabled": true,
"path": "/ws_path",
"hostname": "Yousite.com"
},
"router":{
    "enabled": true,
    "block": [
        "geoip:private"
    ]
}
}

建立trojan-go服务

 sudo  vi /etc/systemd/system/trojan-go.service 
 
 #文件内容如下
 [Unit]
 Description=Trojan-Go - An unidentifiable    mechanism that helps you bypass GFW
 Documentation=https://p4gefau1t.github.io/trojan-go/
 After=network.target nss-lookup.target

 [Service]
 Type=simple
 StandardError=journal
 PIDFile=/usr/src/trojan/trojan/trojan.pid
 ExecStart=/etc/trojan-go/trojan-go -config /etc/trojan-go/server.json
 ExecReload=
 ExecStop=/etc/trojan-go/trojan-go
 Restart=on-failure
 RestartSec=10s
 LimitNOFILE=infinity

 [Install]
 WantedBy=multi-user.target
 
 
 sudo systemctl daemon-reload
 sudo systemctl start trojan-go
 
 #检查trojan-go正常运行
 sudo systemctl status trojan-go
 
 #设置为启动后自动执行
 sudo systemctl enable trojan-go
 sudo systemctl enable nginx

  #此时,再执行一下证书更新测试,应该一切正常了
  sudo certbot renew --dry-run

4 客户端配置trojan-go

{ 
"run_type": "client",
"local_addr": "127.0.0.1",
"local_port": 1082,
"remote_addr": "yousite.com",
"remote_port": 443,
"password": [
    "你的密码"
],
"ssl": {
    "sni": "yousite.com"
},
"mux" :{
    "enabled": true,
    "concurrency": 8,
    "idle_timeout": 60
},
"websocket": {
#如果想用cdn加速,把下面这行改成true
"enabled": false, 
"path": "/ws_path",
"hostname": "yousite.com"
},
"router":{
    "enabled": true,
    "bypass": [
        "geoip:cn",
        "geoip:private",
        "geosite:cn",
        "geosite:geolocation-cn"
    ],
    "block": [
        "geosite:category-ads"
    ],
    "proxy": [
        "geosite:geolocation-!cn"
    ],
    "default_policy": "proxy"
}
}
0%