Setting up Shadowsocks and Nginx on a VPS, in practice

Posted 01 December 2014

I recently picked up a US VPS: 128M of RAM, a 4G disk, 6 dollars a year... dirt cheap. It runs CentOS 7. Besides Shadowsocks, I also set up Nginx on it; this is a record of the whole process.

1. Setting up Shadowsocks went very smoothly...

Log in as root and run the following commands (these are three separate commands... don't paste and execute them all at once; run them one at a time):

wget --no-check-certificate https://raw.githubusercontent.com/ElvizLai/ShadowSocks/master/shadowsocks.sh

chmod +x shadowsocks.sh

./shadowsocks.sh 2>&1 | tee shadowsocks.log

When it finishes you'll see the following:

Congratulations, shadowsocks install completed!
Your Server IP:your_server_ip
Your Server Port:8989
Your Password:your_password
Your Local IP:127.0.0.1
Your Local Port:1080
Your Encryption Method:aes-256-cfb

Welcome to visit:http://teddysun.com/342.html
Enjoy it!

The config file is /etc/shadowsocks.json. Open it with vi and change it to this:

{
    "server":"your_server_ip",
    "local_address": "127.0.0.1",
    "local_port":1080,
    "port_password":{
         "8989":"password0",
         "9001":"password1",
         "9002":"password2",
         "9003":"password3",
         "9004":"password4"
    },
    "timeout":60,
    "method":"aes-256-cfb",
    "fast_open": false,
    "workers": 1
}

It should be obvious by now... The method must match the one set in the ss client. From a security standpoint you would pick 256, but for efficiency I personally switched to 128.
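To turn the points above (the method has to match, and each port carries its own password) into something you can check mechanically, here is an added example that is not code from the post or from the shadowsocks project: a small Python validator for the JSON layout shown, with the post's own config embedded as the sample input. The cipher lists, the 12-character minimum and the placeholder-password pattern are this checker's assumptions, not rules of shadowsocks itself.

```python
"""Sanity checks for a shadowsocks server config in the multi-port layout the
post uses (added example; not code from the post or the shadowsocks project)."""
import json
import re

# Constructed lists (assumption): ciphers the 2014-era Python server accepted,
# split by whether the ciphertext is authenticated.  CFB/CTR modes and RC4
# encrypt but carry no integrity tag, so a tampered packet is not detected.
STREAM_METHODS = {"aes-128-cfb", "aes-192-cfb", "aes-256-cfb",
                  "aes-128-ctr", "aes-256-ctr", "chacha20", "rc4-md5"}
AEAD_METHODS = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}
PLACEHOLDER_PW = re.compile(r"(?i)pass(word)?\d*")  # "password0" and friends
MIN_PW_LEN = 12  # assumption: a reasonable floor for a shared secret

# The config as shown in the post, embedded here as the sample input.
SAMPLE_CONFIG = """{
    "server":"your_server_ip",
    "local_address": "127.0.0.1",
    "local_port":1080,
    "port_password":{
         "8989":"password0",
         "9001":"password1",
         "9002":"password2",
         "9003":"password3",
         "9004":"password4"
    },
    "timeout":60,
    "method":"aes-256-cfb",
    "fast_open": false,
    "workers": 1
}"""


def check_config(text):
    """Return a list of human-readable findings; an empty list means the
    config passed every check."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    server = str(cfg.get("server", ""))
    if not server or server.startswith("your_"):
        findings.append("server: placeholder value, set the VPS address")

    method = cfg.get("method", "")
    if method in STREAM_METHODS:
        findings.append(f"method {method}: stream cipher, ciphertext is not authenticated")
    elif method not in AEAD_METHODS:
        findings.append(f"method {method!r}: not in this checker's cipher list")

    # Accept both the single-port form (server_port + password) and port_password.
    ports = cfg.get("port_password")
    if ports is None:
        ports = {str(cfg.get("server_port", "")): cfg.get("password", "")}
    seen = {}  # password -> first port that used it
    for port_str, password in ports.items():
        password = str(password)
        if not (port_str.isdigit() and 1 <= int(port_str) <= 65535):
            findings.append(f"port {port_str!r}: not a valid TCP port")
        if len(password) < MIN_PW_LEN:
            findings.append(f"port {port_str}: password too short ({len(password)} < {MIN_PW_LEN})")
        if PLACEHOLDER_PW.fullmatch(password):
            findings.append(f"port {port_str}: placeholder password")
        if password in seen:
            findings.append(f"port {port_str}: password reused from port {seen[password]}")
        seen.setdefault(password, port_str)

    timeout = cfg.get("timeout")
    if not isinstance(timeout, int) or timeout <= 0:
        findings.append("timeout: must be a positive number of seconds")
    workers = cfg.get("workers", 1)
    if not isinstance(workers, int) or workers < 1:
        findings.append("workers: must be at least 1")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the post's config it reports the placeholder server address, the unauthenticated cipher, and two problems (too short, placeholder) for each of the five passwords; a config with a real address, an AEAD method and a long unique password per port comes back clean.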

Commands for controlling the server:

Start: /etc/init.d/shadowsocks start
Stop: /etc/init.d/shadowsocks stop
Restart: /etc/init.d/shadowsocks restart
Status: /etc/init.d/shadowsocks status

There is also a low-memory build of the server, the libev version. Installation is the same as above; just change the URL to:

https://raw.githubusercontent.com/ElvizLai/ShadowSocks/master/shadowsocks-libev.sh

Commands you may need:

Uninstall: ./shadowsocks-libev.sh uninstall
Upgrade: pip install -U shadowsocks

That's it for the Shadowsocks server installation!

------------------------------------------------------------

2. Setting up Nginx as a reverse proxy... well, nothing about this went smoothly

Step 1. Update the packages: yum update

Step 2. Install make and the build tools: yum -y install gcc automake autoconf libtool make gcc-c++

For Ubuntu: apt-get install build-essential

Step 3. Install the PCRE library

cd /usr/local/src
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.38.tar.gz 
tar -zxvf pcre-8.38.tar.gz
cd pcre-8.38
./configure
make
make install

Step 4. Install the zlib library

cd /usr/local/src
wget http://zlib.net/zlib-1.2.8.tar.gz
tar -zxvf zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure
make
make install

Step 5. Install OpenSSL. To make the site look a bit more legitimate you can apply for a certificate from StartSSL (but that requires you to have your own domain).

cd /usr/local/src
wget http://www.openssl.org/source/openssl-1.0.2f.tar.gz
tar -zxvf openssl-1.0.2f.tar.gz

Step 6. The reverse proxy needs the http_sub_module, so install that module:

cd /usr/local/src
git clone git://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
# the Google module, you know what this is for
git clone git://github.com/cuber/ngx_http_google_filter_module
# also the echo module, used for debugging
git clone git://github.com/openresty/echo-nginx-module
# the fair load-balancing module
git clone git://github.com/gnosek/nginx-upstream-fair

Step 7. Install Nginx

cd /usr/local/src
wget http://nginx.org/download/nginx-1.9.9.tar.gz
tar -zxvf nginx-1.9.9.tar.gz
cd nginx-1.9.9

./configure --sbin-path=/usr/local/nginx/nginx \
--conf-path=/usr/local/nginx/nginx.conf \
--pid-path=/usr/local/nginx/nginx.pid \
--with-http_ssl_module \
--with-http_v2_module \
--with-pcre=/usr/local/src/pcre-8.38 \
--with-zlib=/usr/local/src/zlib-1.2.8 \
--with-openssl=/usr/local/src/openssl-1.0.2f \
--with-http_sub_module \
--add-module=/usr/local/src/ngx_http_substitutions_filter_module \
--add-module=/usr/local/src/echo-nginx-module \
--add-module=/usr/local/src/ngx_http_google_filter_module \
--add-module=/usr/local/src/nginx-upstream-fair

make
make install

Barring surprises, make will almost certainly end with an error mentioning "xx pod2man xx"... pod2man is the culprit. The quick and dirty fix is to remove it, then re-run configure (with the same options as above) and build again:

rm /usr/bin/pod2man
make clean
./configure
make
make install

Added 2014-12-11: you can also try Alibaba's Tengine

wget -c http://tengine.taobao.org/download/tengine-2.1.2.tar.gz
tar zxvf tengine-2.1.2.tar.gz
cd tengine-2.1.2
# from here on, follow the nginx section above

Step 8. One last step: configure the conf file so it actually works as a reverse proxy.

Issue a self-signed certificate, or use the one from StartSSL:
cd /usr/local/nginx/conf
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl dhparam -out dhparams.pem 4096

Set up a cache directory:

mkdir -p /var/nginx/cache
chown -R root /var/nginx

Edit nginx.conf:

worker_processes 2;
pid nginx.pid;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;

    server_tokens off;
    sendfile on;
    tcp_nopush on;

    keepalive_timeout 60;

    gzip on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_min_length 1000;

    proxy_cache_path /var/nginx/cache levels=1:2 keys_zone=cache:30m max_size=2g;
    proxy_cache_key "$host$request_uri";
    
    upstream google {
        server 74.125.224.144 max_fails=3;
        server 74.125.224.145 max_fails=3;
        server 74.125.224.146 max_fails=3;
        server 74.125.224.147 max_fails=3;
        server 74.125.224.148 max_fails=3; 
    }

    server {
        listen 80;
        add_header Strict-Transport-Security max-age=16070400;
        server_name your_domain;
        rewrite ^(.*) https://$server_name$1 permanent;
    }

    # HTTPS server
    server {
        # nginx 1.9.5+ replaced spdy with http2 (built above with --with-http_v2_module)
        listen 443 ssl http2;
        server_name your_domain;

        # the key and certificate generated with openssl above
        ssl_certificate /usr/local/nginx/conf/server.crt;
        ssl_certificate_key /usr/local/nginx/conf/server.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 10m;

        location / {
            proxy_cache cache;
            proxy_cache_valid 200 302 1h;
            proxy_cache_valid 404 1m;
            proxy_redirect https://www.google.com/ /;
            proxy_cookie_domain google.com $server_name;
            proxy_pass http://google;
            proxy_set_header Host "www.google.com";
            proxy_set_header Accept-Encoding "";
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header Accept-Language "zh-CN";
            proxy_set_header Cookie "PREF=ID=047808f19f6de346:U=0f62f33dd8549d11:FF=2:LD=zh-CN:NW=1:TM=1325338577:LM=1332142444:GM=1:SG=2:S=rE0SyJh2w1IQ-Maw";
            sub_filter www.google.com $server_name;
            sub_filter_once off;
        }
    }
}
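The config above is worth auditing before it goes live: ssl_protocols still admits TLSv1 and TLSv1.1, ssl_ciphers keeps RC4, the Strict-Transport-Security header sits in the port-80 block where browsers ignore it (HSTS is only honoured over TLS), and proxy_pass http://google hands the proxied traffic to the upstream unencrypted. The following Python script is an added example, not code from the post, that parses an nginx.conf with a minimal tokenizer and reports exactly those conditions. The embedded sample is the post's config condensed to the directives the audit looks at, with the domain as a placeholder; the finding texts and the loopback rule are this checker's own conventions.

```python
"""Static audit of an nginx.conf for TLS and proxy settings (added example;
not code from the post).  The tokenizer is deliberately small: it drops '#'
comments per line and does not handle '#' inside quoted values, which is
enough for configs shaped like the post's."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the post's nginx.conf condensed to the directives the
# audit inspects (listen/ssl/HSTS/proxy_pass), domain replaced by a placeholder.
SAMPLE_CONF = """
http {
    server_tokens off;
    upstream google {
        server 74.125.224.144 max_fails=3;
        server 74.125.224.145 max_fails=3;
    }
    server {
        listen 80;
        add_header Strict-Transport-Security max-age=16070400;
        server_name your_domain;
        rewrite ^(.*) https://$server_name$1 permanent;
    }
    # HTTPS server
    server {
        listen 443 ssl http2;
        server_name your_domain;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL;
        location / {
            proxy_pass http://google;
            proxy_set_header Host "www.google.com";
        }
    }
}
"""


def tokenize(text):
    """Split config text into words, quoted strings and the '{', '}', ';' tokens."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [t.strip("\"'") for t in TOKEN_RE.findall(no_comments)]


def is_loopback(addr):
    """Upstream addresses that never leave the host (this checker's rule)."""
    return addr.startswith(("127.", "localhost", "[::1]", "unix:"))


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, stack, servers, upstreams, args = [], [], [], {}, []
    for tok in tokenize(text):
        if tok == "{":
            block = {"name": args[0], "args": args[1:], "listen": "",
                     "ssl": False, "hsts": False, "proxy": []}
            if block["name"] == "upstream":
                upstreams[args[1]] = []
            stack.append(block)
            args = []
        elif tok == "}":
            block = stack.pop()
            if block["name"] == "server":
                servers.append(block)
        elif tok == ";":
            if not args:
                continue
            name, vals = args[0], args[1:]
            # directives inside location {} inherit from the enclosing server
            server = next((b for b in reversed(stack) if b["name"] == "server"), None)
            if name == "server" and stack and stack[-1]["name"] == "upstream":
                upstreams[stack[-1]["args"][0]].append(vals[0])
            elif name == "listen" and server:
                server["listen"] = " ".join(vals)
                server["ssl"] = server["ssl"] or "ssl" in vals
            elif name == "ssl_protocols":
                legacy = sorted(set(vals) & LEGACY_PROTOCOLS)
                if legacy:
                    findings.append(f"ssl_protocols enables legacy {', '.join(legacy)}")
            elif name == "ssl_ciphers" and vals and "RC4" in vals[0].split(":"):
                findings.append("ssl_ciphers allows RC4")
            elif name == "add_header" and vals and server \
                    and vals[0].lower() == "strict-transport-security":
                server["hsts"] = True
            elif name == "proxy_pass" and server and vals:
                server["proxy"].append(vals[0])
            args = []
        else:
            args.append(tok)

    # Per-server checks run after parsing so upstream {} order does not matter.
    for s in servers:
        label = f"server (listen {s['listen']})"
        if s["hsts"] and not s["ssl"]:
            findings.append(f"{label}: HSTS header sent over plain HTTP, browsers ignore it")
        if s["ssl"] and not s["hsts"]:
            findings.append(f"{label}: no Strict-Transport-Security header")
        for url in s["proxy"]:
            if not url.startswith("http://"):
                continue
            target = url[len("http://"):].split("/")[0]
            for addr in upstreams.get(target, [target]):
                if not is_loopback(addr):
                    findings.append(f"{label}: proxy_pass {url} sends plaintext to {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

On the sample it reports six findings: the two legacy protocols, RC4, the misplaced HSTS header on port 80, the missing HSTS header on port 443, and one plaintext-upstream line per address in the google upstream. A config with TLSv1.2/1.3 only, no RC4, HSTS on the TLS listener and a loopback upstream comes back empty.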

Commands you may need:

Check whether the config file is OK: /usr/local/nginx/nginx -t
Start nginx with a given config file: /usr/local/nginx/nginx -c path/nginx.conf

Step 9. Servers are fairly stable, but they are not infallible... What if the machine reboots or goes down? Do you have to bring nginx back by hand every time?

Add a startup script: vi /etc/init.d/nginx, then enter the following and save:

#!/bin/bash
#
# chkconfig: - 85 15
# description: Nginx is a World Wide Web server.
# processname: nginx

nginx=/usr/local/nginx/nginx
conf=/usr/local/nginx/nginx.conf
nginx_pid=/usr/local/nginx/nginx.pid

case $1 in
    start)
        echo -n "Starting Nginx"
        $nginx -c $conf
        echo " done"
        ;;
    stop)
        echo -n "Stopping Nginx"
        kill -TERM "$(cat $nginx_pid)"
        echo " done"
        ;;
    test)
        $nginx -t -c $conf
        ;;
    reload)
        # HUP to the master process makes nginx re-read the config
        echo -n "Reloading Nginx"
        kill -HUP "$(cat $nginx_pid)"
        echo " done"
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;;
    status)
        ps -aux | grep nginx
        ;;
    *)
        echo -n "Usage: $0 {start|restart|reload|stop|test|status}"
        ;;
esac

Make it executable with chmod 755 /etc/init.d/nginx, then add it to the boot services with chkconfig nginx on.

Commands you may need:

List boot services: chkconfig --list

Start the service: service nginx start
Stop the service: service nginx stop
Restart the service: service nginx restart
Reload the config: service nginx reload
Show status: service nginx status

Each of the above can also be run as /etc/init.d/nginx command

Brutally kill nginx: pkill -9 nginx

Last of all, commands you may need:

Log in to the remote host: ssh user@host -p port
Copy a local file to the VPS: scp -P port /path/file user@host:/path

References:

1、http://teddysun.com/342.html

2、http://www.nginx.cn/install

3、http://rmingwang.com/install-nginx-third-modules-http_sub_module.html

4、http://blog.linuxeye.com/399.html
