Running Xray, Cloudflare and an Nginx blog side by side

  • Added 2024-03-02: after installing Nginx, check that logrotate is configured correctly

Writing this down so I can copy-paste it later.

Advantages

  • Works behind a CDN
  • Nginx owns ports 80 and 443, so there is no server-side fingerprint problem
  • Xray exposes no service to the outside

Disadvantages

Main steps:

  • Configure Cloudflare
  • Configure Nginx
  • Configure Xray

Configure Cloudflare

Move the domain to Cloudflare, turn on the proxy (orange cloud), and create an API token with the Zone.DNS permission. Details omitted.

Configure Nginx

Configuring Nginx consists of the following steps:

  • Install Nginx
  • Request and install a certificate
  • Make Nginx listen on ports 80 and 443, and proxy one specific path on 443 to Xray

Install Nginx

apt update
apt upgrade
apt install nginx

Then run nginx -V and make sure --with-http_realip_module is present; it is needed to translate the CDN's addresses into real client addresses. Create a new config file that maps Cloudflare's IPs to the real IP:

nano /etc/nginx/conf.d/cloudflare-realip.conf

Paste the following (the ranges may change over time; check Cloudflare's published list when in doubt):

set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

real_ip_header CF-Connecting-IP;
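The realip module only substitutes CF-Connecting-IP when the TCP peer itself is one of the listed Cloudflare networks; a direct connection that forges the header keeps its own address. The following is an added example, not part of the original post, that mirrors that decision in Python over a constructed subset of the ranges above:

```python
# Added example (not from the original post): simulate Nginx's realip decision
# for cloudflare-realip.conf, to show that CF-Connecting-IP is only honoured
# when the TCP peer is itself a Cloudflare address.
import ipaddress

# Constructed: a subset of the ranges from the conf above, in nginx syntax.
REALIP_CONF = """
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 2606:4700::/32;
real_ip_header CF-Connecting-IP;
"""


def parse_realip_conf(text):
    """Return (trusted networks, header name) from set_real_ip_from / real_ip_header lines."""
    trusted, header = [], None
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("set_real_ip_from "):
            trusted.append(ipaddress.ip_network(line.split()[1], strict=False))
        elif line.startswith("real_ip_header "):
            header = line.split()[1]
    return trusted, header


def client_ip(remote_addr, headers, trusted, header="CF-Connecting-IP"):
    """Mirror ngx_http_realip_module: use the header value only if the peer is
    in a trusted network and the header holds a valid address."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return remote_addr                      # untrusted peer: header ignored
    value = headers.get(header.lower())
    if value is None:
        return remote_addr
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return remote_addr                      # garbage header: keep peer address


TRUSTED, HEADER = parse_realip_conf(REALIP_CONF)

if __name__ == "__main__":
    # Constructed samples: a Cloudflare edge forwarding a visitor, and a
    # direct connection that sets the same header itself.
    print(client_ip("104.16.1.2", {"cf-connecting-ip": "203.0.113.7"}, TRUSTED, HEADER))
    print(client_ip("198.51.100.9", {"cf-connecting-ip": "203.0.113.7"}, TRUSTED, HEADER))
```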

Check the logrotate configuration:

cat /etc/logrotate.d/nginx

Request and install a certificate

Follow the acme.sh GitHub repo (a Chinese version of the README is also available).

Copy and paste to download and install the script:

curl https://get.acme.sh | sh -s [email protected]

The script lives in ~/.acme.sh/, and the cron job that renews certificates is added automatically.

After the installation, you must close the current terminal and reopen it to make the alias take effect.

Check the crontab:

root@localhost:~# crontab -l

45 14 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Then request the certificate. Behind Cloudflare only DNS validation works. Set the Cloudflare account details (CF_Key is the account's Global API Key; if you created a scoped API token in the Cloudflare step instead, acme.sh's dns_cf hook reads it from CF_Token together with CF_Account_ID):

export CF_Key="a1234567890b1234567890"  # change me
export CF_Email="[email protected]"       # change me

Request:

acme.sh --issue -d "example.me" -d "*.example.me" --dns dns_cf --reloadcmd "service nginx restart"

Command and parameter reference:

--issue                           Issue a cert.
-d, --domain <domain.tld>         Specifies a domain, used to issue, renew or revoke etc.
--dns [dns_hook]                  Use dns manual mode or dns api. Defaults to manual mode when argument is omitted.

The certificate path is printed. Next, install it into Nginx.

mkdir -p /etc/nginx/ssl/example.me
acme.sh --install-cert -d example.me \
    --key-file       /etc/nginx/ssl/example.me/key.pem \
    --fullchain-file /etc/nginx/ssl/example.me/cert.pem \
    --reloadcmd      "service nginx force-reload"

The certificate is now installed.

Make Nginx listen on ports 80 and 443, and proxy one specific path on 443 to Xray

  • The blog lives in /var/www/example.me/public
  • The Nginx config goes in /etc/nginx/conf.d/example.me.conf

cd /etc/nginx/conf.d/
touch example.me.conf

The Nginx config file. Its main functions:

  • 301-redirect the www domain to the bare domain
  • Treat traffic on one designated path as proxy traffic and hand it to Xray

server {
    listen               80;
    listen               443 ssl;
    server_name          www.example.me;
    ssl_certificate      /etc/nginx/ssl/example.me/cert.pem;
    ssl_certificate_key  /etc/nginx/ssl/example.me/key.pem;

    return 301 https://example.me$request_uri;
}

server {
    listen               80;
    server_name          example.me;

    return 301 https://example.me$request_uri;
}

server {
    listen               443 ssl;
    server_name          example.me;
    ssl_certificate      /etc/nginx/ssl/example.me/cert.pem;
    ssl_certificate_key  /etc/nginx/ssl/example.me/key.pem;

    root  /var/www/example.me/public;  # absolute path to the generated Hugo site
    index index.html;                  # Hugo generates HTML

    location / {
        try_files $uri $uri/ =404;
    }

    # Only this random path is forwarded to Xray; everything else is the blog.
    location /4173ed2c-06a2-4b32-864c-38031ca6e090 {  # change this
        proxy_redirect     off;
        proxy_pass         http://127.0.0.1:13337;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host $http_host;

        # Show the real client IP in the v2ray/Xray access.log
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Finally, remove support for TLS versions below 1.2 from the Nginx configuration under /etc/nginx/, then run service nginx restart.

Configure Xray

Official install script from GitHub:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

Config notes:

  • Listen on 127.0.0.1 rather than 0.0.0.0; otherwise the port can be probed from the Internet.
  • Do not log.

{
    "log": {
        "loglevel": "none",
        "error": "/var/log/xray/error.log",
        "access": "/var/log/xray/access.log"
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "outboundTag": "block",
                "ip": [
                    "geoip:cn",
                    "geoip:private"
                ]
            },
            {
                "type": "field",
                "outboundTag": "block",
                "domain": [
                    "geosite:category-ads-all"
                ]
            },
            {
                "type": "field",
                "outboundTag": "block",
                "protocol": [
                    "bittorrent"
                ]
            }
        ]
    },
    "inbounds": [
        {
            "port": 13337,
            "listen": "127.0.0.1",
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "84eca11e-726d-4f21-820f-e4458fa8dbd1", // change me
                        "level": 0,
                        "email": "[email protected]"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "ws",
                "security": "none",
                "wsSettings": {
                    "path": "/4173ed2c-06a2-4b32-864c-38031ca6e090" // must match the Nginx location
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "tag": "block"
        }
    ]
}
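The two configs are coupled at exactly two points (the WebSocket path and the loopback port), and the notes above insist that Xray listens on 127.0.0.1. As an added example that is not part of the original post, the following script cross-checks those three things between the Nginx location block and the Xray inbound, using constructed fragments of the configs above:

```python
# Added example (not from the original post): cross-check the Nginx location
# block and the Xray inbound above for the three coupling points that must
# agree: ws path, upstream port, and listening on 127.0.0.1 only.
import json
import re

# Constructed: the relevant fragments of the two configs above.
NGINX_CONF = """
location /4173ed2c-06a2-4b32-864c-38031ca6e090 {
    proxy_pass http://127.0.0.1:13337;
}
"""
XRAY_CONF = json.dumps({
    "inbounds": [{
        "port": 13337, "listen": "127.0.0.1", "protocol": "vless",
        "streamSettings": {"network": "ws",
                           "wsSettings": {"path": "/4173ed2c-06a2-4b32-864c-38031ca6e090"}},
    }]
})

# A location block whose body contains proxy_pass http://host:port;
LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{[^}]*?proxy_pass\s+http://([\d.]+):(\d+);", re.S)


def nginx_upstreams(conf):
    """Map each proxied location path to its (host, port) upstream."""
    return {path: (host, int(port)) for path, host, port in LOCATION_RE.findall(conf)}


def check_configs(nginx_conf, xray_json):
    """Return a list of problems; an empty list means Nginx and Xray agree."""
    problems = []
    upstreams = nginx_upstreams(nginx_conf)
    for inbound in json.loads(xray_json).get("inbounds", []):
        listen = inbound.get("listen", "0.0.0.0")   # Xray binds all interfaces by default
        if listen != "127.0.0.1":
            problems.append(f"inbound {inbound['port']} listens on {listen}, not 127.0.0.1")
        stream = inbound.get("streamSettings", {})
        if stream.get("network") != "ws":
            continue
        path = stream.get("wsSettings", {}).get("path", "/")
        if path not in upstreams:
            problems.append(f"ws path {path} has no matching nginx location")
        elif upstreams[path] != (listen, inbound["port"]):
            problems.append(f"nginx proxies {path} to {upstreams[path]}, "
                            f"xray expects ({listen}, {inbound['port']})")
    return problems


if __name__ == "__main__":
    print(check_configs(NGINX_CONF, XRAY_CONF))   # [] when the two configs match
```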

Finally, check the status of each service:

service xray restart
service xray status
service nginx status