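Chapter 13: Manual Setup Guide
Manual setup is more involved, but it gives you full control over every configuration detail and shows you how the pieces work. This chapter walks through the manual deployment process in detail.
13.1 Complete V2Ray deployment
13.1.1 Installing V2Ray-core
Download and install:
```bash
# Method 1: official install script
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

# Method 2: manual download and install
# Visit https://github.com/v2fly/v2ray-core/releases
# and download the build for your architecture

# Check the system architecture
uname -m
# x86_64  → amd64
# aarch64 → arm64

# Download and unpack (v5.2.0 as the example)
cd /tmp
wget https://github.com/v2fly/v2ray-core/releases/download/v5.2.0/v2ray-linux-64.zip
unzip v2ray-linux-64.zip
# v5 ships a single v2ray binary (v2ctl was merged into it)
sudo mv v2ray /usr/local/bin/
sudo chmod +x /usr/local/bin/v2ray
# Data files for geoip:/geosite: routing rules; v2ray looks for them beside its binary
sudo mv geoip.dat geosite.dat /usr/local/bin/

# Create the configuration and log directories
sudo mkdir -p /usr/local/etc/v2ray
sudo mkdir -p /var/log/v2ray

# Test the installation
v2ray version
```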
Create the system service:
```bash
# Create the systemd unit file
sudo vi /etc/systemd/system/v2ray.service
```
Add the following content:
```ini
[Unit]
Description=V2Ray Service
Documentation=https://www.v2fly.org/
After=network.target nss-lookup.target

[Service]
User=root
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/usr/local/bin/v2ray run -config /usr/local/etc/v2ray/config.json
Restart=on-failure
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target
```
```bash
# Reload systemd
sudo systemctl daemon-reload
# Start V2Ray and enable it at boot
sudo systemctl start v2ray
sudo systemctl enable v2ray
# Check the status
sudo systemctl status v2ray
```
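13.1.2 Configuring VMess + WebSocket + TLS
Full configuration procedure:
Step 1: Prepare the domain and certificate (see section 13.4)
Step 2: Create the V2Ray configuration (/usr/local/etc/v2ray/config.json, the path the service unit loads). The `id` value `生成UUID` ("generate a UUID") is a placeholder to replace with your own UUID.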
```json
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbounds": [{
    "port": 10000,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [{
        "id": "生成UUID",
        "alterId": 0,
        "email": "client@example.com"
      }]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/v2ray"
      }
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],
  "routing": {
    "rules": [{
      "type": "field",
      "ip": ["geoip:private"],
      "outboundTag": "blocked"
    }]
  }
}
```
Generate a UUID:
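An added example (not from the original page or the V2Ray project): it generates a random client UUID with Python's `uuid` module and audits a config shaped like the one above for the settings this step relies on (loopback-only WebSocket listener, a real UUID, `alterId` 0, private ranges blackholed). `SAMPLE`, `new_client_id`, `is_loopback` and `audit` are names made up for this illustration.

```python
import ipaddress
import json
import uuid

# Constructed sample: the page's inbound with two mistakes left in.
SAMPLE = json.loads("""
{"inbounds": [{"port": 10000, "listen": "0.0.0.0", "protocol": "vmess",
   "settings": {"clients": [{"id": "your-uuid-here", "alterId": 0}]},
   "streamSettings": {"network": "ws", "wsSettings": {"path": "/v2ray"}}}],
 "outbounds": [{"protocol": "freedom"},
               {"protocol": "blackhole", "tag": "blocked"}],
 "routing": {"rules": [{"type": "field", "ip": ["geoip:private"],
                        "outboundTag": "blocked"}]}}
""")

def new_client_id():
    """Random version-4 UUID for clients[].id."""
    return str(uuid.uuid4())

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostname or other non-IP value
        return False

def audit(cfg):
    """Return a list of findings; empty means every check passed."""
    findings = []
    for inbound in cfg.get("inbounds", []):
        port = inbound.get("port")
        network = inbound.get("streamSettings", {}).get("network")
        listen = inbound.get("listen", "0.0.0.0")
        # The ws inbound is plaintext behind Nginx: only loopback may reach it.
        if network == "ws" and not is_loopback(listen):
            findings.append(f"inbound {port}: ws listener exposed on {listen}")
        for client in inbound.get("settings", {}).get("clients", []):
            try:
                uuid.UUID(str(client.get("id", "")))
            except ValueError:
                findings.append(f"inbound {port}: client id is not a UUID")
            if client.get("alterId", 0) != 0:
                findings.append(f"inbound {port}: alterId is not 0")
    # Private address ranges must route to a blackhole outbound that exists.
    holes = {o.get("tag") for o in cfg.get("outbounds", [])
             if o.get("protocol") == "blackhole" and o.get("tag")}
    rules = cfg.get("routing", {}).get("rules", [])
    if not any("geoip:private" in r.get("ip", [])
               and r.get("outboundTag") in holes for r in rules):
        findings.append("routing: geoip:private is not sent to a blackhole")
    return findings
```

Load the deployed file with `json.load` and pass it to `audit` before restarting the service; the `geoip:private` rule is what keeps proxy clients from reaching the server's own internal addresses.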
Step 3: Configure the Nginx reverse proxy
```nginx
server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name your-domain.com;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location /v2ray {
        if ($http_upgrade != "websocket") {
            return 404;
        }
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300s;
    }
}
```
```bash
# Enable the site (the server blocks above saved as /etc/nginx/sites-available/v2ray)
sudo ln -s /etc/nginx/sites-available/v2ray /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
```
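Step 4: Test the configuration
```bash
# Restart V2Ray
sudo systemctl restart v2ray
# Watch the log
tail -f /var/log/v2ray/error.log
# Test the WebSocket handshake. --http1.1 is needed because curl does not send
# the Upgrade/Connection headers over HTTP/2, which the server block enables.
# A "101 Switching Protocols" reply means Nginx passed the upgrade to V2Ray.
curl -i --http1.1 \
  -H "Connection: Upgrade" \
  -H "Upgrade: websocket" \
  -H "Sec-WebSocket-Version: 13" \
  -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  -H "Host: your-domain.com" \
  https://your-domain.com/v2ray
```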
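13.1.3 VLESS + XTLS configuration
Configuration file (the `xtls-rprx-vision` flow is implemented by Xray-core; v2fly's V2Ray-core removed XTLS support, so this inbound needs an Xray-core binary):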
```json
{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [{
    "port": 443,
    "protocol": "vless",
    "settings": {
      "clients": [{
        "id": "your-uuid-here",
        "flow": "xtls-rprx-vision",
        "level": 0,
        "email": "user@example.com"
      }],
      "decryption": "none",
      "fallbacks": [{
        "dest": 80
      }]
    },
    "streamSettings": {
      "network": "tcp",
      "security": "tls",
      "tlsSettings": {
        "alpn": ["h2", "http/1.1"],
        "certificates": [{
          "certificateFile": "/path/to/fullchain.pem",
          "keyFile": "/path/to/privkey.pem"
        }]
      }
    }
  }],
  "outbounds": [{
    "protocol": "freedom"
  }]
}
```
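About fallbacks:
```json
// Traffic that is not VLESS is forwarded to another service
"fallbacks": [
  {
    "dest": 80,         // forward to port 80 (Nginx)
    "xver": 1           // send PROXY protocol v1 to pass the real client IP (the backend listener must accept it)
  },
  {
    "path": "/vmess",   // a specific path
    "dest": 10001,      // forward to VMess
    "xver": 1
  }
]
```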
13.2 Trojan-Go configuration in detail
13.2.1 Installing Trojan-Go
```bash
# Download the release
cd /tmp
wget https://github.com/p4gefau1t/trojan-go/releases/download/v0.10.6/trojan-go-linux-amd64.zip
unzip trojan-go-linux-amd64.zip
# Install system-wide
sudo mv trojan-go /usr/local/bin/
sudo chmod +x /usr/local/bin/trojan-go
# Create the configuration and log directories
sudo mkdir -p /etc/trojan-go
sudo mkdir -p /var/log/trojan-go
```
13.2.2 Configuring the Trojan-Go server
Configuration file (/etc/trojan-go/config.json, the path the service unit below loads):
```json
{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": [
    "your_strong_password_here"
  ],
  "log_level": 1,
  "log_file": "/var/log/trojan-go/trojan.log",
  "ssl": {
    "cert": "/path/to/fullchain.pem",
    "key": "/path/to/privkey.pem",
    "sni": "your-domain.com",
    "alpn": [
      "http/1.1"
    ],
    "reuse_session": true,
    "session_ticket": false,
    "plain_http_response": ""
  },
  "tcp": {
    "prefer_ipv4": true,
    "no_delay": true,
    "keep_alive": true
  },
  "websocket": {
    "enabled": false
  },
  "router": {
    "enabled": false
  }
}
```
Create the system service (saved as /etc/systemd/system/trojan-go.service, the unit name the commands below use):
```ini
[Unit]
Description=Trojan-Go Service
Documentation=https://p4gefau1t.github.io/trojan-go/
After=network.target nss-lookup.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/trojan-go -config /etc/trojan-go/config.json
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target
```
```bash
# Start the service
sudo systemctl daemon-reload
sudo systemctl start trojan-go
sudo systemctl enable trojan-go
# Check the status
sudo systemctl status trojan-go
```
13.2.3 Trojan + Nginx disguise
Nginx configuration:
```nginx
server {
    listen 80;
    server_name your-domain.com;
    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```
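Workflow:
```text
Client connects → Trojan-Go (port 443)
                        ↓
                 Verify password
                        ↓
              ┌─────────┴─────────┐
       Password correct     Password wrong
              ↓                   ↓
        Proxy traffic      Forward to Nginx (port 80)
              ↓                   ↓
       Target website      Serve the real website
```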
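The decision in the workflow above, sketched as an added example (not Trojan-Go's own code): the Trojan protocol opens with the hex SHA-224 digest of the password followed by CRLF, and any first packet that does not match is handed to the fallback web server at `remote_addr:remote_port`. The function names and sample bytes are constructed for illustration, and TLS is assumed to be already terminated.

```python
import hashlib
import hmac

CRLF = b"\r\n"

def password_key(password):
    """hex(SHA224(password)): the 56-byte token a Trojan client sends first."""
    return hashlib.sha224(password.encode()).hexdigest().encode()

def route_first_packet(data, passwords):
    """Return "proxy" for an authenticated client, otherwise "fallback"
    (the connection goes to remote_addr:remote_port, i.e. Nginx)."""
    if len(data) < 58 or data[56:58] != CRLF:
        return "fallback"
    token = data[:56]
    ok = False
    for pw in passwords:
        # Constant-time comparison against every configured password.
        ok |= hmac.compare_digest(token, password_key(pw))
    return "proxy" if ok else "fallback"

# Constructed inputs (not captured traffic).
PASSWORDS = ["your_strong_password_here"]   # placeholder from the config above
# Trojan request: CMD=1 (CONNECT), ATYP=3 (domain), length, name, port 443
REQUEST = b"\x01\x03\x0bexample.com\x01\xbb" + CRLF
GOOD = password_key(PASSWORDS[0]) + CRLF + REQUEST
WRONG = password_key("guess") + CRLF + REQUEST
PROBE = b"GET / HTTP/1.1\r\nHost: your-domain.com\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("wrong", WRONG), ("probe", PROBE)):
        print(name, "->", route_first_packet(pkt, PASSWORDS))
```

A browser or scanner that sends plain HTTP over the TLS session takes the fallback branch and sees only the Nginx site, which is why the site on port 80 must actually serve content.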
13.3 Setting up Shadowsocks-Rust
13.3.1 Installing SS-Rust
```bash
# Method 1: use the package manager
# Debian/Ubuntu
wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.15.3/shadowsocks-v1.15.3.x86_64-unknown-linux-gnu.tar.xz
tar xf shadowsocks-v1.15.3.x86_64-unknown-linux-gnu.tar.xz
# Install
sudo mv ss* /usr/local/bin/
sudo chmod +x /usr/local/bin/ss*
```
13.3.2 Configuration file
```json
{
  "server": "0.0.0.0",
  "server_port": 8388,
  "password": "your_strong_password",
  "method": "chacha20-ietf-poly1305",
  "mode": "tcp_and_udp",
  "fast_open": true,
  "no_delay": true
}
```
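Create the system service (saved as /etc/systemd/system/shadowsocks.service, the unit name the commands below use; the configuration above goes in /etc/shadowsocks/config.json):
```ini
[Unit]
Description=Shadowsocks-Rust Server
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks/config.json
Restart=on-failure

[Install]
WantedBy=multi-user.target
```
```bash
# Start the service
sudo systemctl daemon-reload
sudo systemctl start shadowsocks
sudo systemctl enable shadowsocks
```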
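13.4 Domain and certificate configuration
13.4.1 DNS resolution
DNS configuration:
- Log in to your domain registrar's control panel
- Add an A record:
  - Type: A
  - Name: @ (or your-subdomain)
  - Value: your-vps-ip
  - TTL: 600 (10 minutes)
- Wait for DNS to take effect (a few minutes to a few hours)
Verify:
```bash
ping your-domain.com
nslookup your-domain.com
```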
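13.4.2 Using a Let's Encrypt certificate
Install certbot:
```bash
# Debian/Ubuntu
sudo apt install certbot python3-certbot-nginx -y
# CentOS
sudo yum install certbot python3-certbot-nginx -y
```
Request the certificate:
```bash
# Use the Nginx plugin (recommended)
sudo certbot --nginx -d your-domain.com
# Or standalone mode (stop whatever service is using port 80 first)
sudo certbot certonly --standalone -d your-domain.com
# Follow the prompts:
# 1. Enter an email address
# 2. Accept the terms of service
# 3. Choose whether to receive email
# 4. Wait for validation
# Certificate locations:
# Certificate: /etc/letsencrypt/live/your-domain.com/fullchain.pem
# Private key: /etc/letsencrypt/live/your-domain.com/privkey.pem
```
Automatic renewal:
```bash
# Test renewal
sudo certbot renew --dry-run
# certbot sets up a scheduled task automatically
# List the timers
sudo systemctl list-timers | grep certbot
# Or add a cron entry manually
sudo crontab -e
# Check and renew every day at 02:00
0 2 * * * /usr/bin/certbot renew --quiet
```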
13.4.3 Requesting a certificate with acme.sh (alternative)
```bash
# Install acme.sh
curl https://get.acme.sh | sh
source ~/.bashrc
# Issue via HTTP validation
acme.sh --issue -d your-domain.com -w /var/www/html
# Issue via DNS validation (recommended)
# Requires DNS API credentials
export Ali_Key="your_ali_key"
export Ali_Secret="your_ali_secret"
acme.sh --issue --dns dns_ali -d your-domain.com
# Install the certificate
acme.sh --install-cert -d your-domain.com \
  --key-file /etc/v2ray/privkey.pem \
  --fullchain-file /etc/v2ray/fullchain.pem \
  --reloadcmd "systemctl restart v2ray"
# Automatic renewal is already configured; nothing else is needed
```
13.5 Web server disguise
13.5.1 Deploying a disguise website
Method 1: Static website
```bash
# Download a template
cd /var/www/html
sudo wget https://github.com/username/template/archive/master.zip
sudo unzip master.zip
sudo rm master.zip
# Or use a ready-made HTML template
# https://html5up.net/
# https://templated.co/
```
Method 2: WordPress blog
```bash
# Install the LAMP stack
sudo apt install apache2 mysql-server php php-mysql -y
# Download WordPress
cd /tmp
wget https://wordpress.org/latest.tar.gz
tar xzf latest.tar.gz
sudo mv wordpress/* /var/www/html/
# Configure the database
sudo mysql -u root -p
```
```sql
CREATE DATABASE wordpress;
-- 'password' is a placeholder: replace it with a strong, unique password
CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON wordpress.* TO 'wpuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```
Open the site to complete the installation: http://your-domain.com
Method 3: Mirror website
13.5.2 Nginx configuration tuning
```nginx
server {
    listen 443 ssl http2;
    server_name your-domain.com;

    # SSL configuration
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Website
    root /var/www/html;
    index index.html index.php;

    location / {
        try_files $uri $uri/ =404;
    }

    # Proxy path
    location /secret-path {
        # V2Ray/Trojan configuration
    }
}
```
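Chapter summary
This chapter covered the complete process of manually setting up proxy services:
Key points:
- V2Ray deployment:
  - Core installation and configuration
  - VMess + WebSocket + TLS
  - VLESS + XTLS
  - Nginx reverse proxy
- Trojan deployment:
  - Trojan-Go installation
  - Configuration file in detail
  - Nginx disguise website
- Shadowsocks:
  - SS-Rust installation
  - Configuration tuning
  - System service
- Domain and certificates:
  - DNS record configuration
  - Let's Encrypt issuance
  - Using acme.sh
  - Automatic renewal
- Disguise website:
  - Static website deployment
  - WordPress installation
  - Website mirroring
  - Nginx tuning
Advantages of manual setup:
Notes:
The next chapter covers multi-user management.
Practice tasks:
- Deploy a V2Ray service manually
- Configure the domain and certificate
- Deploy a disguise website
- Test the client connection
- Compare manual and scripted deployment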