WaterMoon

v2ray+apache2+ssl+tls

v2ray + apache2 + SSL/TLS: proxy traffic encrypted and disguised as ordinary HTTPS

Since a certain domestic search engine is not much help with scientific literature, and to save everyone some time, here is a way to get safe, reliable access to the open web.

1. Preparation:

1. Choosing a cloud server

There are plenty of popular VPS providers; search for one that suits you. Depending on what you want it for, you can also pick a Hong Kong data centre to lower the ping, for example for playing on foreign game servers.

The author uses BandwagonHost (搬瓦工). Since its main site is blocked, here are a few mirrors reachable from mainland China: bwh81.net / bwh89.net.

2. Buying and configuring the cloud server

Register first, and make sure you enter a valid email address that you can read: BandwagonHost communicates with you by email for invoices and everything else.

Once on the home page, follow the steps below to buy the VPS.

For Google search and watching YouTube this host configuration is already sufficient, and it costs about RMB 300 a year before the coupon. If you have the budget and want lower latency, consider the Hong Kong server below.

 

 

Enter the 6.58% discount coupon code BWH3HYATVBJW to save a little; if it no longer works, search for the latest code.

 

Then wait; within about 10 minutes you will receive an email saying the machine is ready, containing your password, IP and SSH port. Treat that emailed root password as temporary: change it at first login, or better, switch to SSH key authentication and disable password logins.

Once done, go back to the Client Area and click My Services,

then click the management control panel.

 

If you are used to CentOS, you can skip the next step and simply log in over SSH.

Because the author is more comfortable with Ubuntu, the host is shut down first and a new system installed; I chose 20.04, whose kernel already ships the BBR congestion-control module (it still has to be selected via sysctl; it is not enabled by default).

After that, log in with PuTTY: enter the IP and port and open the session. If you know your way around, you can set the font size, keepalives and other options that make the session more convenient.

 

3. Buying a domain and getting a free SSL certificate

Because the author finds ICP filing (备案) too much hassle, a foreign registrar, https://www.dynadot.com/, was used. Buying the domain and downloading the SSL certificate is simple enough that it is not repeated here (the author may add it later); please search for it yourself. Whichever CA you use, you will need the certificate (with its intermediate chain) and the private key in PEM form, because that is what the Apache directives below expect.

2. Installing and configuring apache2

Install apache2 on Ubuntu:

apt install apache2

After a successful install, visiting the server's IP from a local browser shows the Apache2 default welcome page.

 

Enable the apache2 modules needed for HTTPS and for the WebSocket reverse proxy:

a2enmod ssl

a2enmod proxy

a2enmod proxy_wstunnel

a2enmod proxy_http

a2enmod rewrite

a2enmod headers

 

 

I do not recommend changing the ports: HTTP and HTTPS default to 80 and 443, and firewalls generally do not block those two. Since the whole point is to disguise the traffic as ordinary web traffic, leave them alone.

So edit the apache2 configuration files directly.

First activate the HTTPS site by creating a symlink in sites-enabled (the a2ensite helper does the same thing):

cd /etc/apache2/sites-enabled

ln -s ../sites-available/default-ssl.conf ./000-default-ssl.conf

 

Here the author assumes your domain is www.xxblog.com

and that you have the certificate file and its matching private key file (called xxcert.cert and xxid.id here; the configs below use xxxx.cert and xxxx.key as placeholders, so substitute your own paths).

Then edit the plain-HTTP site: vi 000-default.conf

 

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
# The next four lines: change them to your own domain and document root.
# Apache does not accept a trailing # comment after a directive on the
# same line, so keep comments on lines of their own or the config will
# fail to load.
ServerName xxblog.com
ServerAlias www.xxblog.com
ServerAdmin webmaster@xxblog.com
DocumentRoot /var/www/html/xxblog

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# The rewrite below redirects every plain-HTTP request to the HTTPS site,
# so that all traffic, the proxy's included, ends up inside TLS.
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

Save when done.


Next edit the 000-default-ssl.conf file:

vi 000-default-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
# The next four lines: change them to your own domain and document root
# (as in the :80 vhost, comments must stay on their own lines).
ServerName xxblog.com
ServerAlias www.xxblog.com
ServerAdmin webmaster@xxblog.com
DocumentRoot /var/www/html/xxblog

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
# Change these two paths to your own certificate and private key. If the
# CA gave you a separate intermediate chain, add it with
# SSLCertificateChainFile or append it to the certificate file.
SSLCertificateFile /root/mykey/xxxx.cert
SSLCertificateKeyFile /root/mykey/xxxx.key
# Leave only TLS 1.2 and TLS 1.3 enabled.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite HIGH:!aNULL
# TLS 1.2 cipher list (TLS 1.3 suites are not governed by this directive).
# The original list also named ECDHE-RSA-AES256-GCM-SHA512 and
# DHE-RSA-AES256-GCM-SHA512, which are not OpenSSL cipher names; OpenSSL
# silently ignores names it does not know, so they are dropped here.
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
# Use the server's preference order above rather than the client's.
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Change "/blog/ray" to a path of your own; it only has to match v2ray's
# wsSettings.path. Anything works (/a, /bb, ...), but since this path is the
# only thing that separates proxy connections from ordinary visitors, pick
# something long and random rather than something guessable.
<LocationMatch "/blog/ray">
# Forward to the loopback port v2ray listens on; the path must match.
# upgrade=WebSocket is documented for httpd 2.4.47 and later; on older
# builds drop that parameter (see Common errors below).
ProxyPass ws://127.0.0.1:9999/blog/ray upgrade=WebSocket
ProxyAddHeaders Off
ProxyPreserveHost On
RequestHeader set Host %{HTTP_HOST}s
RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
</LocationMatch>

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>


After checking the edits (apachectl's configtest mode reports syntax errors before you restart anything), restart the apache2 service:

service apache2 restart

If there is no error,

entering the domain www.xxblog.com in a local browser shows your site, with a padlock to the left of the address bar, which proves HTTPS is working. Put a real site in the DocumentRoot: a bare default page behind a freshly issued certificate is itself a tell that the host exists only to carry the proxy.

 

3. Installing v2ray

v2ray download: https://github.com/v2fly/v2ray-core/releases/tag/v4.31.0 (the current release when this was written)

Note

Be sure to install the latest version; old versions have bugs that cause all sorts of unpredictable errors.

 

Next is the server-side v2ray setup. Upload the archive to the server; I usually use pscp, the transfer tool bundled with PuTTY (it lives in PuTTY's install directory), with your SSH port:

./pscp.exe -P xxxxx ./v2ray-linux-64.zip root@xx.xx.xx.xx:/root 

unzip also needs to be installed on the Linux side:

apt install unzip

The hard part is installing and configuring the service.

After unzipping, enter the v2ray directory and edit the bundled unit file:

vi systemd/system/v2ray.service

Change the ExecStart path to wherever your v2ray files are. For example, if they were unzipped into /root/v2ray, the binary is /root/v2ray/v2ray and the line becomes

ExecStart=/root/v2ray/v2ray -config /root/v2ray/config.json

One caveat: the unit file shipped with v2ray-core 4.x runs the service as User=nobody, and that account can neither read files under /root nor write the log files configured below. Either move the files to a location that user can read and point ExecStart and the log paths there, or change User= to a dedicated account that owns them. Do not simply run the proxy as root.

Then save and exit.

Install and enable the service with the following commands:

cp systemd/system/v2ray.service /etc/systemd/system/

systemctl daemon-reload 

systemctl enable v2ray.service

enable only arms the service for boot; it is started by the restart further down, once config.json is in place. After that you can check its status with

service v2ray status

With the service set up, edit config.json in the v2ray directory.

Warning

Remember to strip my comments. v2ray's own loader tolerates // comments in its JSON, but removing them avoids surprises and keeps the file valid for any other JSON tool.

{
"log": {
// By default, V2Ray writes access log to stdout.
// Path of your access log. It must be writable by the user the service
// runs as (see the User= note on the unit file above).
"access": "/root/logfile",

// By default, V2Ray write error log to stdout.
// Path of your error log.
"error": "/root/errorfile",

// Log level, one of "debug", "info", "warning", "error", "none".
// "debug" is handy while setting up; drop it to "warning" once it works.
"loglevel": "debug"
},
// List of inbound proxy configurations.
"inbounds": [{
// Must match the port in Apache's ProxyPass line.
"port": 9999,

// Listen on loopback only, so the sole way in is through Apache's TLS
// front. Never bind this to 0.0.0.0.
"listen": "127.0.0.1",

"tag": "vmess-inbound",

"protocol": "vmess",

"settings": {

"clients":[
{
// A UUID. Generate it later with the local v2rayN client, or on the
// server with uuidgen. It is the client's credential: keep it secret.
"id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
// Matches the "0" entry under policy.levels below.
"level":0,
// 0 is recommended: with v2ray 4.28 and later it selects VMess AEAD
// authentication, which replaces the old alterId scheme.
"alterId":0
}
]
},
"streamSettings": {
"network":"ws",
"wsSettings": {
// The path you configured in Apache's <LocationMatch> and ProxyPass.
"path": "/blog/ray"
}

},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
}],
// List of outbound proxy configurations.
"outbounds": [{
// Protocol name of the outbound proxy.
"protocol": "freedom",

// Settings of the protocol. Varies based on protocol.
"settings": {},

// Tag of the outbound. May be used for routing.
"tag": "direct"
},{
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
}],

// Transport is for global transport settings. If you have multiple transports with same settings
// (say mKCP), you may put it here, instead of in each individual inbound/outbounds.
//"transport": {},

// Routing controls how traffic from inbounds are sent to outbounds.
"routing": {
"domainStrategy": "IPOnDemand",
"rules":[
{
// Blocks access to private IPs. Remove this if you want to access your router.
"type": "field",
"ip": ["geoip:private"],
"outboundTag": "blocked"
},
{
// Blocks major ads.
"type": "field",
"domain": ["geosite:category-ads"],
"outboundTag": "blocked"
}
]
},

// Dns settings for domain resolution.
"dns": {
// Static hosts, similar to hosts file.
"hosts": {
// Match v2ray.com to another domain on CloudFlare. This domain will be used when querying IPs for v2ray.com.
"domain:v2ray.com": "www.vicemc.net",

// The following settings help to eliminate DNS poisoning in mainland China.
// It is safe to comment these out if this is not the case for you.
"domain:github.io": "pages.github.com",
"domain:wikipedia.org": "www.wikimedia.org",
"domain:shadowsocks.org": "electronicsrealm.com"
},
"servers": [
"1.1.1.1",
{
"address": "114.114.114.114",
"port": 53,
// List of domains that use this DNS first.
"domains": [
"geosite:cn"
]
},
"8.8.8.8",
"localhost"
]
},

// Policy controls some internal behavior of how V2Ray handles connections.
// It may be on connection level by user levels in 'levels', or global settings in 'system.'
"policy": {
// Connection policys by user levels
"levels": {
"0": {
"uplinkOnly": 0,
"downlinkOnly": 0
}
},
"system": {
"statsInboundUplink": false,
"statsInboundDownlink": false,
"statsOutboundUplink": false,
"statsOutboundDownlink": false
}
},

// You may add other entries to the configuration, but they will not be recognized by V2Ray.
"other": {}
}
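The usual reason this setup "connects" to Apache but never reaches v2ray is that one of the values shared between the two configs drifted: the loopback port, the WebSocket path, the listen address or alterId. The script below, an added example that is not code from the original post or from the v2ray project, cross-checks the Apache <LocationMatch>/ProxyPass fragment against config.json. The two files it writes to a temporary directory are constructed samples that mirror the configs on this page; on a real box point the functions at /etc/apache2/sites-enabled/000-default-ssl.conf and /root/v2ray/config.json.

```sh
#!/bin/sh
# Added example (not from the original post): check that Apache's ProxyPass
# and v2ray's inbound agree on port, path and loopback binding.

# v2ray tolerates // comments, but plain grep does not, so strip them first.
# A value, quote or punctuation followed by // is treated as a comment; the
# // inside "https://x" is preceded by a colon and therefore survives.
strip_json_comments() {
  sed -E 's#^[[:space:]]*//.*$##; s#([],0-9{}"]|true|false|null)[[:space:]]*//.*$#\1#' "$1"
}

# First string / number value for a JSON key. The page's config has exactly
# one "listen" and one "path"; the first "port" is the inbound (DNS ports
# come later in the file).
json_str() {
  strip_json_comments "$1" | grep -oE "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 | sed -E 's/.*:[[:space:]]*"([^"]*)"$/\1/'
}
json_num() {
  strip_json_comments "$1" | grep -oE "\"$2\"[[:space:]]*:[[:space:]]*[0-9]+" \
    | head -n 1 | grep -oE '[0-9]+$'
}

# The ws:// target of the first ProxyPass line in an Apache config.
proxypass_target() {
  grep -E '^[[:space:]]*ProxyPass[[:space:]]+ws://' "$1" | awk '{print $2}' | head -n 1
}

# Returns 0 when Apache ($1) and v2ray ($2) agree; prints every mismatch and
# returns 1 otherwise.
check_ws_wiring() {
  conf=$1 json=$2 rc=0
  target=$(proxypass_target "$conf")
  [ -n "$target" ] || { echo "no 'ProxyPass ws://' directive in $conf"; return 1; }
  a_host=$(printf '%s' "$target" | sed -E 's#^ws://([^:/]+):([0-9]+)(/.*)$#\1#')
  a_port=$(printf '%s' "$target" | sed -E 's#^ws://([^:/]+):([0-9]+)(/.*)$#\2#')
  a_path=$(printf '%s' "$target" | sed -E 's#^ws://([^:/]+):([0-9]+)(/.*)$#\3#')
  v_listen=$(json_str "$json" listen)
  v_port=$(json_num "$json" port)
  v_path=$(json_str "$json" path)
  v_alter=$(json_num "$json" alterId)
  [ "$a_port" = "$v_port" ] || { echo "port mismatch: Apache -> $a_port, v2ray inbound $v_port"; rc=1; }
  [ "$a_path" = "$v_path" ] || { echo "path mismatch: Apache '$a_path', v2ray wsSettings.path '$v_path'"; rc=1; }
  # No "listen" means v2ray binds 0.0.0.0 and is reachable without the TLS front.
  [ "$v_listen" = "127.0.0.1" ] && [ "$a_host" = "127.0.0.1" ] || {
    echo "v2ray must listen on 127.0.0.1 (got '${v_listen:-0.0.0.0}') and Apache must target it (got '$a_host')"; rc=1; }
  [ "$v_alter" = "0" ] || { echo "alterId is '$v_alter'; 0 enables VMess AEAD"; rc=1; }
  return $rc
}

# Constructed samples mirroring the configs on this page.
WORK=$(mktemp -d)
cat > "$WORK/000-default-ssl.conf" <<'EOF'
<LocationMatch "/blog/ray">
ProxyPass ws://127.0.0.1:9999/blog/ray upgrade=WebSocket
ProxyPreserveHost On
</LocationMatch>
EOF
cat > "$WORK/config.json" <<'EOF'
{
  "inbounds": [{
    "port": 9999,  // must match ProxyPass
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": { "clients": [ { "id": "00000000-0000-0000-0000-000000000000", "alterId": 0 } ] },
    "streamSettings": { "network": "ws", "wsSettings": { "path": "/blog/ray" } }
  }],
  "dns": { "servers": [ { "address": "114.114.114.114", "port": 53 } ] }
}
EOF
# A deliberately broken copy: path typo and no listen restriction.
sed 's#/blog/ray#/blog/rey#; /"listen"/d' "$WORK/config.json" > "$WORK/broken.json"

check_ws_wiring "$WORK/000-default-ssl.conf" "$WORK/config.json" && echo "wiring OK"
check_ws_wiring "$WORK/000-default-ssl.conf" "$WORK/broken.json" || echo "wiring broken (expected for the sample)"
```

Run it after every edit to either file and before restarting the services; the listen check is the one that matters for security, because a v2ray inbound on 0.0.0.0 is reachable on port 9999 directly, bypassing the TLS front entirely.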

 

After the configuration is done, restart both the v2ray and apache2 services:

service apache2 restart

service v2ray restart

If something fails, first look at

journalctl -xe

for the service's error output.

 

When debugging, concentrate on four log files:

/var/log/apache2/access.log

/var/log/apache2/error.log

plus the two v2ray log files you configured.
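The Apache side of that triage can be scripted. The shell below is an added example, not code from the original post; it works on the two Apache logs named above and treats the WebSocket path as the thing to watch: a 101 response is a completed upgrade, anything else on that path is a misconfigured client, a dead backend or someone who has learned the path. The access.log lines (Apache combined format) and the error.log line (a mod_proxy AH00957 connection failure) are constructed samples using documentation IP addresses; on a real box point the functions at /var/log/apache2/access.log and /var/log/apache2/error.log.

```sh
#!/bin/sh
# Added example (not from the original post): triage Apache logs for the
# WebSocket path that fronts v2ray.
WS_PATH=/blog/ray

# Constructed sample logs.
WORK=$(mktemp -d)
cat > "$WORK/access.log" <<'EOF'
203.0.113.10 - - [10/Aug/2021:15:14:01 +0800] "GET /blog/ray HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
203.0.113.10 - - [10/Aug/2021:15:14:09 +0800] "GET /blog/ray HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
198.51.100.7 - - [10/Aug/2021:15:15:02 +0800] "GET /blog/ray HTTP/1.1" 502 417 "-" "Go-http-client/1.1"
198.51.100.7 - - [10/Aug/2021:15:15:30 +0800] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.0.2.200 - - [10/Aug/2021:15:16:00 +0800] "GET /blog/ray HTTP/1.1" 400 226 "-" "curl/7.68.0"
192.0.2.200 - - [10/Aug/2021:15:16:01 +0800] "GET /.env HTTP/1.1" 404 196 "-" "curl/7.68.0"
EOF
cat > "$WORK/error.log" <<'EOF'
[Tue Aug 10 15:15:02.123456 2021] [proxy:error] [pid 1234:tid 5678] (111)Connection refused: AH00957: ws: attempt to connect to 127.0.0.1:9999 (127.0.0.1) failed
EOF

# Requests to path $2 in log $1 that got status $3.
# Combined format: field 7 is the request path, field 9 the status.
count_status() {
  awk -v p="$2" -v s="$3" '$7 == p && $9 == s { n++ } END { print n + 0 }' "$1"
}

# Per-status breakdown for the WebSocket path: "101 N" is what you want to see.
ws_status_summary() {
  awk -v p="$2" '$7 == p { c[$9]++ } END { for (s in c) print s, c[s] }' "$1" | sort -n
}

# Unique client IPs that hit the secret path but never completed an upgrade.
# Your own client with a wrong UUID/path looks like this, and so does a scanner.
ws_failed_clients() {
  awk -v p="$2" '$7 == p && $9 != 101 { print $1 }' "$1" | sort -u
}

# AH00957 means mod_proxy could not reach v2ray on the loopback port:
# the service is down, or listening on a different port than ProxyPass targets.
backend_refused() {
  grep -c 'AH00957' "$1" || true
}

echo "status breakdown for $WS_PATH:"
ws_status_summary "$WORK/access.log" "$WS_PATH"
echo "clients that never upgraded:"
ws_failed_clients "$WORK/access.log" "$WS_PATH"
echo "backend connection failures in error.log: $(backend_refused "$WORK/error.log")"
```

A 502 on the path together with an AH00957 line points at v2ray (check journalctl and the v2ray error log); a 4xx on the path with no backend error points at the client side, the path, or a probe. If the failed-client list keeps growing with addresses you do not own, change the path.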

 

4. Configuring V2RayN locally

1. Download the latest V2RayN:

https://github.com/2dust/v2rayN/releases/tag/4.20

2. Unzip it, open v2rayN.exe and add a new server.

Mirror the server-side values: address www.xxblog.com, port 443, the same UUID as in config.json, alterId 0, transport ws with path /blog/ray, and TLS enabled. These are exactly the items marked in red in the post's screenshot; everything else can stay at its default.

3. Set up routing: the one-click rule import lets mainland sites connect directly while foreign sites go through the proxy.

Enable the automatic system proxy setting, so that the many programs that need to reach the outside also go through the proxy.

5. Common errors

apache2

Slightly older apache2 versions report a syntax error on the line

ProxyPass ws://127.0.0.1:9999/blog/ray upgrade=WebSocket

Just remove upgrade=WebSocket. The parameter is documented for httpd 2.4.47 and later; with the ws:// scheme, mod_proxy_wstunnel handles the tunnel either way.

v2ray

When the v2ray service fails to start it is almost always a syntax problem: check the JSON config carefully for missing or extra punctuation (a stray comma after the last element, an unbalanced brace).
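Both Apache-side failures above are visible before a restart. The script below is an added example (not from the original post): it takes the text that `apachectl -M` and `apache2 -v` print, reports which of the modules enabled earlier with a2enmod are actually missing from the loaded set, and picks the ProxyPass form that matches the installed version, using the documented 2.4.47 threshold for the upgrade= parameter. The module listing and version string here are constructed samples for a host where proxy_wstunnel was forgotten.

```sh
#!/bin/sh
# Added example (not from the original post): pre-restart checks for the
# Apache side of the v2ray front.

# The modules this setup needs, as enabled with a2enmod earlier on the page.
REQUIRED_MODULES="ssl proxy proxy_http proxy_wstunnel rewrite headers"

# Prints the required modules absent from an `apachectl -M` listing ($1),
# space separated; prints an empty line when nothing is missing.
missing_modules() {
  missing=""
  for m in $REQUIRED_MODULES; do
    printf '%s\n' "$1" | grep -qE "^[[:space:]]*${m}_module[[:space:]]" || missing="$missing $m"
  done
  printf '%s\n' "${missing# }"
}

# Returns 0 when the version string ($1, e.g. "Server version: Apache/2.4.41 (Ubuntu)")
# is 2.4.47 or newer, the release from which ProxyPass upgrade= is documented.
supports_upgrade_param() {
  v=$(printf '%s' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
  [ -n "$v" ] || return 1
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
  [ "$major" -gt 2 ] && return 0
  [ "$major" -eq 2 ] && [ "$minor" -gt 4 ] && return 0
  [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 47 ]
}

# The ProxyPass line to put inside <LocationMatch> for this Apache build.
proxypass_directive() {
  if supports_upgrade_param "$1"; then
    echo "ProxyPass ws://127.0.0.1:9999/blog/ray upgrade=WebSocket"
  else
    echo "ProxyPass ws://127.0.0.1:9999/blog/ray"
  fi
}

# Constructed samples: an Ubuntu 20.04 box where proxy_wstunnel was not enabled.
SAMPLE_MODULES="Loaded Modules:
 core_module (static)
 ssl_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 rewrite_module (shared)
 headers_module (shared)"
SAMPLE_VERSION="Server version: Apache/2.4.41 (Ubuntu)"

echo "missing modules: $(missing_modules "$SAMPLE_MODULES")"
echo "use: $(proxypass_directive "$SAMPLE_VERSION")"
```

On a live host feed it real output, for example `missing_modules "$(apachectl -M)"` and `proxypass_directive "$(apache2 -v)"`; an empty module list and a ProxyPass line that matches the one in 000-default-ssl.conf means the restart should not produce either of the errors above.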

 

Tags: net
Published 2021-08-10

Author: 水月大侠

A humble bookworm

    COPYRIGHT © 2021 WaterMoon. ALL RIGHTS RESERVED.