Skip to content

Latest commit

 

History

History
380 lines (323 loc) · 10.5 KB

00-00GCP部署详细说明.md

File metadata and controls

380 lines (323 loc) · 10.5 KB

部署脚本及详细说明

1.先决条件及环境准备

GCP虚拟机使用Debian系统,已开放相应端口端口 首先使用Web页面控制台登录创建ssh登录账户(ssh用户名密码登录及添加管理员权限)

sudo -i

1.1. 修改ssh配置文件允许密码登陆

vi /etc/ssh/sshd_config

  • 查找PasswordAuthentication no 修改为 PasswordAuthentication yes

  • vi下可使用/PasswordAuthentication来查找文件

保存后,重启ssh服务 service sshd restart

1.2. 添加用户账户并赋予root权限

  • 示例以euser为例说明 adduser euser -按提示输入账户信息及密码 -添加root权限 adduser euser sudo

1.3.配置sudo用户输入sudo -i提升时候无需二次输入密码

vi /etc/sudoers

-在%sudo后一行添加 euser ALL=NOPASSWD:ALL

2.环境部署

-使用ssh客户端及账户euser登录,提升至root权限执行以下操作

2.1. 升级系统及环境准备

apt-get update && apt-get install unzip zip wget curl mc nano sudo ufw socat ntp ntpdate gcc git vim socat make build-essential cmake libboost-system-dev libboost-program-options-dev libssl-dev default-libmysqlclient-dev netcat -y

2.2. 启用BBR

wget --no-check-certificate https://github.com/teddysun/across/raw/master/bbr.sh && chmod +x bbr.sh && ./bbr.sh

-检查BBR启用情况,看到提示“[Info] TCP BBR has already been enabled. nothing to do...”证明开启正常

2.3. 使用ACME管理证书及自动续订

-先决条件:DNS解析正常,DNS API已获取,以下以godaddy为例说明,域名申请通配符*.aka.ml。

2.3.1. 创建证书存储目录

rm -rf /home/tls && mkdir -p /home/tls

2.3.2. 下载安装acme工具

curl https://get.acme.sh | sh

2.3.3. 配置并更新环境变量

source ~/.bashrc

2.3.4.缓存证书DNS API,godaddy为例说明,其他参见“https://github.com/acmesh-official/acme.sh/wiki/dnsapi”

export GD_Key="xxxx"
export GD_Secret="xxxx"

2.3.5.申请证书

~/.acme.sh/acme.sh --issue --dns dns_gd -d aka.ml -d *.aka.ml -k ec-256

2.3.6.转存证书

~/.acme.sh/acme.sh --installcert -d aka.ml -d *.aka.ml --fullchainpath /home/tls/server.crt --keypath /home/tls/server.key --ecc

2.3.7. 配置自动更新

acme.sh --upgrade --auto-upgrade

2.3.8. 配置服务器自动重启(证书维护升级后服务器重启生效)

crontab -e

  • 添加

0 3 1 * * reboot

3.服务部署

3.1.Trojan部署

  • 安装及升级脚本一样,升级是会提示配置文件存在是否覆盖,输入N即可。 bash -c "$(curl -fsSL https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"

3.1.1. 编辑Trojan配置文件

vi /usr/local/etc/trojan/config.json

#如下:----Trojan配置文件 开始----

{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
	"password": [
01		""
		],
    "log_level": 1,
    "ssl": {
        "cert": "/home/tls/server.crt",
        "key": "/home/tls/server.key",
        "fallback_port": 1234,
		"key_password": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
        "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "prefer_server_cipher": true,
        "alpn": [
            "http/1.1"
        ],
        "alpn_port_override": {
            "h2": 81
        },
        "reuse_session": true,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": ""
    },
	"websocket": {
		"enabled": true,
02		"path": "/websocketpath",
03		"hostname": ""
	},
    "tcp": {
        "prefer_ipv4": false,
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": false,
        "fast_open_qlen": 20
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 3306,
        "database": "trojan",
        "username": "trojan",
        "password": "",
        "cafile": ""
    }
}

#如上:----Trojan配置文件 以上----

  • 配置说明
    1. 01 "password": Trojan连接密码
    1. 02 "path": "/websocketpath", //path指的是Websocket使用的URL路径,必须以斜杠("/")开头,如”/websocketpath”,并且服务器和客户端必须一致。
    1. 03 "hostname": "" //配置中对应的Trojan的域名,hostWebsocket握手时,HTTP请求中使用的主机名。客户端如果留空则使用remote_addr填充。如果使用了CDN,这个选项一般填入域名。不正确的host可能导致CDN无法转发请求

3.1.2. 服务自启动配置,设定trojan服务自动启动

systemctl enable trojan

3.1.3. 启动trojan服务并查看状态

systemctl start trojan && systemctl status trojan

#客户端配制后检查服务连接情况。

3.2. V2Ray部署

  • 安装及升级脚本一样。 curl -O https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh

3.2.1. 安装及升级V2ray服务器

bash install-release.sh

3.2.2. (Vmess+Vless+WS)

  • 编辑配置文件 vi /usr/local/etc/v2ray/config.json

#如下:----V2ray配置文件VMess开始----

{
  "inbounds": [
    {
    "port":端口号, //vmess端口同nginx配置一致
      "listen": "127.0.0.1", 
      "tag": "vmess-in", 
      "protocol": "vmess", 
      "settings": {
        "clients": [
          {
	  "id":"",  // 填写UUID,可以使用/usr/local/bin/v2ctl uuid生成
	  "alterId": //额外ID,纯数字
          }
        ]
      }, 
      "streamSettings": {
        "network": "ws", 
        "wsSettings": {
	  "path":"/" //路径名称,格式前有/
        }
      }
    },
    {
    "protocol": "mtproto",
        "port": 端口, //电报代理服务端口
        "tag": "tg-in",
        "settings": {
            "users": [
                {
                "secret": "" //可使用命令head -c 16 /dev/urandom | xxd -ps生成随机数
                }
            ]
        }
    }
 ], 
  "outbounds": [
    {
      "protocol": "freedom", 
      "settings": { }, 
      "tag": "direct"
    }, 
    {
      "protocol": "blackhole", 
      "settings": { }, 
      "tag": "blocked"
    },
	{
	  "protocol": "mtproto",
	  "settings": {},
	  "tag": "tg-out"
	}
  ], 
  "routing": {
    "domainStrategy": "AsIs", 
    "rules": [
      {
        "type": "field", 
        "inboundTag": [
          "vmess-in"
        ], 
        "outboundTag": "direct"
      },
	  {
		"type": "field",
		"inboundTag": ["tg-in"],
		"outboundTag": "tg-out"
	  }
    ]
  }
}

#如上:----V2ray配置文件VMess结束----

#配置V2ray服务自动启动 systemctl enable v2ray

#4.配置伪装网站 #4.1 安装Nginx服务 apt install nginx -y

#配置Nginx服务 systemctl stop nginx

#伪装网站下载及配置 wget -O web.zip --no-check-certificate https://templated.co/hielo/download sudo unzip -o -d /usr/share/nginx/html web.zip

#编辑Nginx配置文件 vi /etc/nginx/sites-available/default

#如下:----Nginx配置文件 开始----

server { listen 127.0.0.1:80 default_server; server_name 域名; //V2ray访问DNS域名地址 location /路径 { //路径名称,格式前有/同之前Vmess配置 proxy_redirect off; proxy_pass http://127.0.0.1:端口号; //vmess端口同nginx配置一致 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; } add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; } server { listen 127.0.0.1:80; server_name 公网地址; //服务器VPN公网IP return 301 https://域名$request_uri; //服务器伪装网站DNS } server { listen 0.0.0.0:80; listen [::]:80; server_name _; return 301 https://$host$request_uri; }

#如上:----Nginx配置文件 结束----

#编译chacha20支持 apt-get install build-essential make curl --progress https://download.libsodium.org/libsodium/releases/LATEST.tar.gz | tar xz && cd libsodium-stable ./configure && make -j4 && make install ldconfig #删除编译下载文件 cd .. rm LATEST.tar.gz rm -r libsodium-stable

#重启所有配置服务 systemctl enable v2ray nginx trojan && systemctl restart v2ray nginx trojan && systemctl status v2ray nginx trojan

#3.1 (Vless配置) #编辑配置文件 vi /usr/local/etc/v2ray/config.json

#如下:----V2ray配置文件Vless开始---- { "log": { "loglevel": "info" }, "inbounds": [ { "port": 443, # 可以换成其他端口 "protocol": "vless", "settings": { "clients": [ { "id": "", // 填写UUID,可以使用/usr/local/bin/v2ctl uuid生成 "flow": "xtls-rprx-origin", # V2ray v4.32.1以上版本建议为xtls-rprx-direct,能极大提升性能 "level": 0 } ], "decryption": "none", "fallbacks": [ { "dest": 80 // 回落配置,可以直接转到其他网站,例如"www.baidu.com:443" } ] }, "streamSettings": { "network": "tcp", "security": "xtls", "xtlsSettings": { "alpn": [ "http/1.1" ], "certificates": [ { "certificateFile": "/home/tls/server.crt", 证书的绝对路径 "keyFile": "/home/tls/server.key" // 证书私钥的绝对路径 } ] } } }, { "protocol": "mtproto", "port": 端口, //电报代理服务端口 "tag": "tg-in", "settings": { "users": [ { "secret": "" //可使用命令head -c 16 /dev/urandom | xxd -ps生成随机数 } ] } } ], "outbounds": [ { "protocol": "freedom" }, { "protocol": "mtproto", "settings": {}, "tag": "tg-out" } ] }

#如上:----V2ray配置文件Vless结束----