Нужна помощь по настройке, сам не осилю уже 2 ой день, есть статья на русском одна, но она уже устарела.
Цель обфусцировать трафик и пускать его через CDN от Cloudflare так, что для DPI будет казаться, что вы подключаетесь по https к обычному сайту, пусть это будет YouTube
Вот так это будет выглядеть на схеме (здесь за основу взят оригинальный v2ray):
оригинал статьи
Установку делаю на удаленный сервер Oracle cloud, захожу по SHH в систему UBUNTU 20.04
УСТАНОВКА:[sudo apt update
sudo apt upgrade -y
sudo apt install -y shadowsocks-libev
Редактируем sudo vim /etc/shadowsocks-libev/config.json
{
"server": ["::1", "127.0.0.1"],
"server_port": 8008,
"password": "3377",
"timeout": 300,
"method": "chacha20-ietf-poly1305",
"no_delay": true,
"fast_open": true,
"reuse_port": true,
"workers": 1,
"plugin": "v2ray-plugin",
"nameserver": "1.1.1.1",
"plugin_opts": "server;loglevel=none",
"mode": "tcp_only"
}
=====================================================================================================================================
ПОЛУЧИМ КЛЮЧИ
Зарегистрируем себе доменное имя
https://www.freenom.com
Потом регистрируемся на
https://dash.cloudflare.comИдем на
https://www.freenom.com и вписываем получненные nameserver
Возвращаемся в панель управления Cloudflare и заходим во вкладку SSL/TLS
В последней карттинке какой тип выбирать пока неясно?
Получаем открытый и закрытый ключ и помещаем их в
sudo vim /etc/ssl/test1яяяя.ml.pem
sudo vim /etc/ssl/test1яяяя.ml.key
Права у них должны быть только на чтение??? Как это сделать sudo chmod
-rw-r--r-- 1 root root 1705 Mar 26 17:38 test1яяяя.ml.key
-r--r--r-- 1 root root 1668 Mar 26 17:37 test1яяя.ml.pem
Возвращаемся к cloudflare заходим в настройки Firewall и все отключаем
=====================================================================================================================================
Теперь вернитесь в консоль вашего сервера.
sudo vim /etc/sysctl.conf
вписав в конец
# Accept IPv6 advertisements when forwarding is enabled
net.ipv6.conf.all.accept_ra = 2
kernel.sysrq=0
kernel.core_uses_pid=1
kernel.randomize_va_space=1
kernel.msgmnb=65536
kernel.msgmax=65536
kernel.shmmax=68719476736
kernel.shmall=4294967296
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_notsent_lowat = 16384
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
#options for ss
fs.file-max = 262144
net.core.rmem_max = 67108864
net.core.wmem_default = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_fastopen=3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_slow_start_after_idle=0
net.ipv4.tcp_max_syn_backlog = 65536
net.ipv4.tcp_max_tw_buckets = 720000
net.ipv4.tcp_mtu_probing = 1
применить изменения
sudo sysctl -p
sudo sysctl net.ipv4.tcp_available_congestion_control
должна показывать net.ipv4.tcp_available_congestion_control = reno cubic bbr
---------------------------------------------------------------------------------------------------------------------
Скачаем v2ray
cd /usr/local/bin
sudo wget https://github.com/shadowsocks/v2ray-plugin/releases/download/v1.3.1/v2ray-plugin-linux-amd64-v1.3.1.tar.gz
sudo tar xf v2ray-plugin-linux-amd64-v1.3.1.tar.gz
sudo mv v2ray-plugin_linux_amd64 v2ray-plugin
sudo setcap 'cap_net_bind_service=+eip' v2ray-plugin
--------------------------------------------------------------------------------------------------------------------
Установим nginxsudo apt install nginx
sudo systemctl status nginx
Создадим файл поставив свои значения
test1яяяя.ml.pem test1яяяя.ml.key test1яяяя.mlsudo vim /etc/nginx/sites-available/default
server {
listen 443 ssl http2 reuseport backlog=131072 fastopen=256;
listen [::]:443 ssl http2 reuseport backlog=131072 fastopen=256;
server_name test1яяяя.ml;
add_header Allow "GET" always;
if ( $request_method !~ ^(GET)$ ) {
return 444;
}
ssl_certificate /etc/ssl/test1яяяя.ml.pem;
ssl_certificate_key /etc/ssl/test1яяяя.ml.key;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_early_data on;
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains; preload' always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
resolver localhost valid=300s;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
location / {
proxy_pass https://youtube.com;
limit_rate 1000k;
proxy_redirect off;
}
location /v2ray {
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://localhost:8008/;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Connection "upgrade";
}
}
сгенерировать параметр DH (Диффи-Хеллмана)
sudo openssl dhparam -out /etc/ssl/dhparams.pem 4096
-----------------------------------------------------------------------------------------------------------------
sudo vim /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pcre_jit on;
pid /run/nginx.pid;
worker_rlimit_nofile 131072;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 4000;
multi_accept on;
use epoll;
epoll_events 512;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 60;
client_body_timeout 12;
client_header_timeout 12;
send_timeout 30;
keepalive_requests 2000;
reset_timedout_connection on;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_max_size 4096;
client_body_buffer_size 128K;
client_header_buffer_size 3m;
client_body_in_single_buffer on;
client_max_body_size 8m;
large_client_header_buffers 4 256k;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
## Block spammers and other unwanted visitors ##
include /etc/nginx/blockips.conf;
##
# Logging Settings
##
access_log off;
error_log /var/log/nginx/error.log crit;
##
# Gzip Settings
##
gzip off;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-available/*;
}
---------------------------------------------------------------------------------------------------------
sudo vim /etc/nginx/blockips.conf
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/12;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
deny all;
-------------------------------------------------------------------------------------------------------------------------------
sudo vim /etc/security/limits.conf
добавьте в конце
* soft nofile 131072
* hard nofile 131072
------------------------------------------------------------------------------------------------
sudo vim /etc/pam.d/common-session
добавьте в конце
session required pam_limits.so
--------------------------------------------------------------------------------------------
И наконец в консоли наберите:
ulimit -n 131072
--------------------------------------------------------------------------------------------
==================================================================================================================================
Нужно отрыть порты 443 ?
В панели управления облаками ORACLE нужно открыть порты и как я понимаю настроить IPTABLES на сервере
ubuntu@ss:/etc/ssl$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8008 0.0.0.0:* LISTEN 774/v2ray-plugin
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/init
tcp 0 0 127.0.0.1:55763 0.0.0.0:* LISTEN 757/ss-server
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 690/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 797/sshd: /usr/sbin
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 828/nginx: master p
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 828/nginx: master p
tcp6 0 0 ::1:8008 :::* LISTEN 774/v2ray-plugin
tcp6 0 0 :::111 :::* LISTEN 1/init
tcp6 0 0 :::22 :::* LISTEN 797/sshd: /usr/sbin
tcp6 0 0 :::443 :::* LISTEN 828/nginx: master p
tcp6 0 0 :::443 :::* LISTEN 828/nginx: master p
udp 0 0 127.0.0.53:53 0.0.0.0:* 690/systemd-resolve
udp 0 0 10.0.0.6:68 0.0.0.0:* 688/systemd-network
udp 0 0 0.0.0.0:111 0.0.0.0:* 1/init
udp6 0 0 :::111 :::* 1/init
sudo vim /etc/iptables/rules.v4
# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# iptables configuration for Oracle Cloud Infrastructure
# See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
# documentation for security impact of modifying or removing these rule
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013]
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
COMMIT
===================================================================================================================================
Рестартуем nginx:
sudo systemctl restart nginx
sudo systemctl status nginx
Запускаем наш сервер:
sudo systemctl enable shadowsocks-libev.service
sudo systemctl restart shadowsocks-libev
sudo systemctl status shadowsocks-libev
NGINX выдает что что то с certificate
ubuntu@ss:~$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-03-26 19:38:18 UTC; 12h ago
Docs: man:nginx(8)
Process: 754 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 820 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 828 (nginx)
Tasks: 3 (limit: 1109)
Memory: 16.1M
CGroup: /system.slice/nginx.service
├─828 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─829 nginx: worker process
└─830 nginx: worker process
Mar 26 19:38:16 ss systemd[1]: Starting A high performance web server and a reverse proxy server...
Mar 26 19:38:18 ss nginx[754]: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/test1яяяя.ml.pem"
Mar 26 19:38:18 ss nginx[820]: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/test1яяяя.ml.pem"
Mar 26 19:38:18 ss systemd[1]: Started A high performance web server and a reverse proxy server.
ubuntu@ss:/etc/ssl$ sudo systemctl status shadowsocks-libev
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
Loaded: loaded (/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-03-26 19:38:16 UTC; 15h ago
Docs: man:shadowsocks-libev(8)
Main PID: 757 (ss-server)
Tasks: 8 (limit: 1109)
Memory: 15.7M
CGroup: /system.slice/shadowsocks-libev.service
├─757 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json
└─774 v2ray-plugin --fast-open
Mar 26 19:38:16 ss systemd[1]: Started Shadowsocks-libev Default Server Service.
Mar 26 19:38:17 ss ss-server[757]: 2021-03-26 19:38:17 INFO: using tcp fast open
Mar 26 19:38:17 ss ss-server[757]: 2021-03-26 19:38:17 INFO: plugin "v2ray-plugin" enabled
Mar 26 19:38:17 ss ss-server[757]: 2021-03-26 19:38:17 INFO: enable TCP no-delay
Mar 26 19:38:17 ss ss-server[757]: 2021-03-26 19:38:17 INFO: initializing ciphers... chacha20-ietf-poly1305
Mar 26 19:38:17 ss ss-server[757]: 2021-03-26 19:38:17 INFO: using nameserver: 1.1.1.1
Mar 26 19:38:17 ss ss-server[757]: 2021-03-26 19:38:17 INFO: tcp server listening at 127.0.0.1:55763
Mar 26 19:38:17 ss ss-server[757]: 2021-03-26 19:38:17 INFO: tcp port reuse enabled
Mar 26 19:38:19 ss ss-server[774]: 2021/03/26 19:38:19 V2Ray 4.23.2 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.14.3 linux/amd64)
Mar 26 19:38:19 ss ss-server[774]: 2021/03/26 19:38:19 A unified platform for anti-censorship.
===============================================================================================================================
Настройка Android-клиентаАндроид-клиент скачиваем, и скачиваем плагин v2ray
https://play.google.com/store/apps/details?id=com.github.shadowsockshttps://play.google.com/store/apps/details?id=com.github.shadowsocks.plugin.v2ray