trojan + nginx + subconverter setup tutorial
Introduction

trojan
trojan is a relatively new proxy protocol. Unlike shadowsocks(R), which relies on its own strong encryption, trojan speaks TLS, so its traffic looks identical to that of an ordinary HTTPS website; the GFW takes the proxy server for an HTTPS site and does not flag it.

nginx
nginx is a high-performance HTTP and reverse-proxy web server. Since trojan evades the GFW by passing as HTTPS, the server needs to behave like a real HTTPS site toward anyone who is not a trojan client, and nginx is what answers those visitors.

subconverter
subconverter is a subscription-conversion tool. It can be downloaded and run locally or deployed on a server; see the official documentation for details and usage.
Deployment plan

- Download and run subconverter, leaving it listening on a local port
- Request and install an SSL certificate (before nginx occupies port 80)
- Download, build and install nginx
- Configure nginx so that its port 80 reverse-proxies the port subconverter runs on
- Deploy and configure trojan, which terminates TLS on 443 and hands any non-trojan traffic to nginx
Prerequisites

- A reachable overseas server (VPS) with a static IPv4 address, running Debian or Ubuntu
- A domain name
- An A record for that domain pointing at the server's IP address
Installing subconverter

# 1. Download the latest subconverter release; pick the archive that matches your system
wget https://github.com/tindy2013/subconverter/releases/latest/download/subconverter_linux64.tar.gz
# 2. Unpack it and enter the directory
tar -xvf subconverter_linux64.tar.gz
cd subconverter
# Running ./subconverter starts it; by default it listens on 0.0.0.0:25500, i.e. on every interface.
# Nothing in this design needs subconverter reachable from outside (clients reach it through trojan and nginx),
# so set `listen` in the [server] section of pref.ini to 127.0.0.1, or block 25500 in the firewall, before the box goes public.
# 3. Use pm2 to keep it running in the background and start it at boot
# > 3.1 Install pm2 (this pipes a script fetched from the network straight into a root shell; download it and read it before running it)
wget -qO- https://getpm2.com/install.sh | bash
# > 3.2 Start subconverter
pm2 start subconverter
# > 3.3 Generate the startup script and save the process list
pm2 startup
pm2 save

SSL certificate request
# 1. Refresh the apt index and install the dependency acme.sh's standalone mode needs
apt-get update && apt-get -y install socat
# 2. Install the acme.sh script and reload the shell environment (again a script fetched from the network; inspect it before running it as root)
curl https://get.acme.sh | sh
source ~/.bashrc
# 3. Issue the certificate with acme.sh. The domain must already resolve to this server, and standalone mode binds port 80 itself,
#    so do this before nginx is running. --force only matters when reissuing an existing certificate. ***Replace example.com with your own domain***
acme.sh --issue -d example.com --standalone -k ec-256 --force
# 4. Create the directory that will hold the certificate. ***Replace example.com with your own domain***
mkdir -p /data/example.com
# 5. Install the certificate. ***Replace example.com with your own domain (3 places)***
acme.sh --installcert -d example.com --fullchainpath /data/example.com/fullchain.crt --keypath /data/example.com/privkey.key --ecc --force

acme.sh installs a cron job that renews the certificate, but two things break renewal in this setup unless you plan for them: standalone mode needs port 80, which nginx occupies once it is running, and trojan does not reload a renewed certificate on its own. Either stop and restart nginx around renewal with `--pre-hook` and `--post-hook` on `--issue`, or switch to `--webroot` mode pointed at a directory nginx serves; and pass `--reloadcmd "systemctl restart trojan"` to `--installcert` so the new certificate is actually picked up. The installed private key must later be readable by whatever user trojan runs as, and by nobody else.

Downloading and building nginx
# 1. Download and install dependencies
# Download openssl 1.1.1 (gives nginx TLS 1.3 support). In this design nginx only ever serves plain HTTP behind trojan,
# so TLS 1.3 in nginx is not actually needed and the distribution's nginx package would do. If you build from source anyway,
# pick a release that is still maintained and verify the tarball against its published checksum or signature
# rather than disabling certificate checking on the download.
cd /usr/local/src
wget -nc https://www.openssl.org/source/openssl-1.1.1g.tar.gz -P /usr/local/src
tar -zxvf /usr/local/src/openssl-1.1.1g.tar.gz -C /usr/local/src
# Install the other dependencies
apt -y install build-essential libpcre3 libpcre3-dev zlib1g-dev git dbus manpages-dev aptitude g++
# 2. Download and unpack the nginx source
# Download
wget -nc https://nginx.org/download/nginx-1.18.0.tar.gz -P /usr/local/src
# Unpack
tar -zxvf /usr/local/src/nginx-1.18.0.tar.gz -C /usr/local/src
# 3. Build and install nginx
# Configure the build
cd /usr/local/src/nginx-1.18.0
mkdir /etc/nginx
./configure --prefix=/etc/nginx \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-pcre \
--with-http_realip_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_secure_link_module \
--with-http_v2_module \
--with-cc-opt='-O3' \
--with-openssl=../openssl-1.1.1g \
--with-stream \
--with-stream_ssl_preread_module
# Build and install
make && make install
# Adjust the basic configuration. The shipped nginx.conf separates these tokens with two spaces, so match on any run of whitespace,
# otherwise the substitutions silently do nothing.
# Leave the `user` line as shipped (`nobody`): the master process runs as root and is what binds the port; the workers only
# proxy to localhost and gain nothing from running as root except the loss of privilege separation.
sed -i 's/^worker_processes[[:space:]]\+1;/worker_processes 3;/' /etc/nginx/conf/nginx.conf
sed -i 's/worker_connections[[:space:]]\+1024;/worker_connections 4096;/' /etc/nginx/conf/nginx.conf
sed -i '$i include conf.d/*.conf;' /etc/nginx/conf/nginx.conf
# Remove the temporary files
rm -rf /usr/local/src/nginx-1.18.0
rm -rf /usr/local/src/nginx-1.18.0.tar.gz
rm -rf /usr/local/src/openssl-1.1.1g
rm -rf /usr/local/src/openssl-1.1.1g.tar.gz
# 4. Add the site configuration, replacing example.com with your own domain
# Create the directory for configuration files
mkdir /etc/nginx/conf/conf.d
# Create the configuration file
# Note the quoted 'EOF': with a bare EOF the shell expands $host and $remote_addr to empty strings before nginx ever sees them.
# TLS is terminated by trojan on 443; trojan hands decrypted non-trojan traffic to 127.0.0.1:80 as plain HTTP, so this server
# block is plain HTTP. A port-80 listener with ssl directives (as in earlier versions of this config) would make nginx answer
# trojan's plaintext with a 400 error instead of proxying it, and the TLS protocol and cipher settings belong in trojan's config.
# Listening on 127.0.0.1 keeps subconverter from being reachable over plaintext HTTP from the internet.
cat >/etc/nginx/conf/conf.d/default.conf <<'EOF'
server {
    listen 127.0.0.1:80;
    server_name example.com;
    location / {
        proxy_pass http://127.0.0.1:25500;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
EOF
# 5. Create the service file, then load and start nginx
# Create the service file
cat >/etc/systemd/system/nginx.service <<EOF
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/etc/nginx/logs/nginx.pid
ExecStartPre=/etc/nginx/sbin/nginx -t
ExecStart=/etc/nginx/sbin/nginx -c /etc/nginx/conf/nginx.conf
ExecReload=/etc/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT \$MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
# Reload systemd
systemctl daemon-reload
# Restart nginx
systemctl restart nginx
# Enable nginx at boot, otherwise trojan's fallback target disappears after a reboot
systemctl enable nginx
# > Note: other commands
# Start nginx
systemctl start nginx
# Stop nginx
systemctl stop nginx
# Check nginx's status
systemctl status nginx

Installing and configuring trojan
# 1. Install trojan with the official script (like the others, it runs a remote script as root; fetch it and read it before running it)
bash -c "$(curl -fsSL https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"
# 2. Write trojan's server configuration. Set your password and replace example.com with your own domain.
# Back up the unconfigured server config first
cp /usr/local/etc/trojan/config.json /usr/local/etc/trojan/config.json.bak
# Then remove the original
rm /usr/local/etc/trojan/config.json
# Write the new configuration
# JSON does not allow comments, so none go inside the file: "cert" and "key" below are the files acme.sh installed earlier.
# Every string in "password" is a credential that grants full use of the proxy. List only real passwords (one or more),
# never an empty string, and make each one long and random; the password is the only thing standing between the internet and your proxy.
cat >/usr/local/etc/trojan/config.json <<'EOF'
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "the password you chose"
    ],
    "log_level": 1,
    "ssl": {
        "cert": "/data/example.com/fullchain.crt",
        "key": "/data/example.com/privkey.key",
        "key_password": "",
        "cipher": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
        "prefer_server_cipher": true,
        "alpn": [
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": ""
    },
    "tcp": {
        "prefer_ipv4": false,
        "no_delay": true,
        "keep_alive": true,
        "fast_open": false,
        "fast_open_qlen": 20
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 3306,
        "database": "trojan",
        "username": "trojan",
        "password": ""
    }
}
EOF
# 3. Reload the unit files and allow trojan to bind port 443
# Reload systemd unit files
systemctl daemon-reload
# Give the trojan binary the capability to bind port 443 without running as root
setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/trojan
# > Note: if the setcap command above fails, install the package that provides it, then run setcap again:
apt install libcap2-bin -y
# If the installed unit runs trojan as an unprivileged user (check with `systemctl cat trojan`), that user must be able to
# read /data/example.com/privkey.key; keep the key unreadable to everyone else.
# Start trojan
systemctl start trojan
# Enable it at boot
systemctl enable trojan
# > Note: other commands
# Restart trojan
systemctl restart trojan
# Stop trojan
systemctl stop trojan
# Check trojan's status
systemctl status trojan
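Once everything is started, the three things this setup makes easiest to get wrong are a bad credential list in trojan's config (an empty or short password is a free key to the proxy, and a stray comment makes trojan's JSON parser reject the file), a world-readable private key, and a subconverter or nginx listener bound on a public address so that it can be reached without going through trojan at all. The script below is an added post-deployment check written for this page; it is not part of the tutorial nor of the trojan, nginx or subconverter projects. It assumes the tutorial's paths (/usr/local/etc/trojan/config.json and /data/example.com/privkey.key, which you replace with your domain), that `ss` from iproute2 is available for the live run, and that password entries are plain JSON strings without escaped quotes. The two embedded configs are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added post-deployment check for the trojan + nginx + subconverter setup.
# Live run on the finished box (as root): ./check.sh --live
set -eu

# Print one line per problem in trojan's server config; print nothing if it is clean.
# Assumes one plain JSON string per password entry (no escaped quotes).
trojan_config_problems() {
    local file=$1 arr
    # Strip every quoted string; any '#' that survives is a comment outside a string.
    sed 's/"[^"]*"//g' "$file" | grep -q '#' && echo "'#' comment inside JSON"
    # Grab the "password": [ ... ] array as one string; the mysql "password": "" scalar has no '[' and is skipped.
    arr=$(tr -d '\n' < "$file" | grep -o '"password":[[:space:]]*\[[^]]*\]') \
        || { echo "no password array found"; return 0; }
    printf '%s\n' "$arr" | grep -o '"[^"]*"' | sed '1d; s/^"//; s/"$//' \
    | while IFS= read -r p; do
        if [ -z "$p" ]; then
            echo "empty password entry (anyone could authenticate with it)"
        elif [ "${#p}" -lt 16 ]; then
            echo "short password: $p"
        fi
    done
}

check_trojan_config() {
    local problems
    problems=$(trojan_config_problems "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" | sed "s|^|FAIL $1: |"
        return 1
    fi
    echo "OK $1: no comments, no empty or short passwords"
}

# The key must exist and carry no permission bits for "other". Group access is
# tolerated so that root:trojan 640 works when the unit runs trojan unprivileged.
check_key_perms() {
    local key=$1 perms
    [ -f "$key" ] || { echo "FAIL $key: missing"; return 1; }
    perms=$(ls -ld "$key" | cut -c1-10)      # e.g. -rw-------
    case "$perms" in
        ???????---) echo "OK $key: $perms"; return 0 ;;
        *) echo "FAIL $key: $perms is readable by other users (chmod 600 or 640)"; return 1 ;;
    esac
}

# $1 is the output of `ss -Hltn` (State Recv-Q Send-Q Local:Port Peer:Port ...).
# 443 (trojan) and 22 (ssh) are meant to be public; 80 (nginx) and 25500 (subconverter)
# must be loopback-only, otherwise they can be reached without going through trojan.
listener_problems() {
    printf '%s\n' "$1" | while read -r _state _recvq _sendq laddr _rest; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$port" in
            443|22) ;;
            80|25500)
                case "$addr" in
                    127.0.0.1|'[::1]') ;;
                    *) echo "$laddr is reachable from outside; bind it to 127.0.0.1" ;;
                esac ;;
            *) echo "unexpected listener $laddr" ;;
        esac
    done
}

audit_listeners() {
    local problems
    problems=$(listener_problems "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" | sed 's|^|FAIL: |'
        return 1
    fi
    echo "OK: only 443 and 22 face the network"
}

# Constructed sample configs (not from any real host): the first reproduces the
# mistakes a hand-edited config invites, the second is what the array should look like.
SAMPLE_BAD='{
    "password": [
        "secret",
        ""
    ],
    "ssl": {
        "cert": "/data/example.com/fullchain.crt", # certificate path
        "key": "/data/example.com/privkey.key"
    },
    "mysql": { "enabled": false, "password": "" }
}'
SAMPLE_GOOD='{
    "password": ["correct-horse-battery-staple", "another-long-random-secret"],
    "mysql": { "enabled": false, "password": "" }
}'

if [ "${1:-}" = "--live" ]; then
    check_trojan_config /usr/local/etc/trojan/config.json
    check_key_perms /data/example.com/privkey.key      # replace example.com with your domain
    audit_listeners "$(ss -Hltn)"
fi
```

With `--live` the script stops at the first failing check because of `set -e`, which is the behaviour you want from a deploy gate; run the functions individually if you prefer to see every finding at once. Port 22 is allowed on a public address only because the tutorial manages the box over ssh; tighten the allow-list in `listener_problems` if you move ssh or add other services.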