vless+grpc+tls+nginx+cdn体验 安全

zsxwz 22/05.15 11:41 3762

v2好像支持grpc有一段时间了,听说对于速度有比较明显的提升,而且和ws一样也可以使用cloudflare的cdn。

然而grpc可能会引来主动探测,所以最好还是添加一个nginx做前端。

 

简单体验了一下,好像也没有太大的感觉。无论是速度还是延迟,最主要还是看线路;线路好一点,这些协议的影响应该也不是很大。目前比较稳的方案还是ws+tls+cdn。grpc毕竟是比较新的协议,体验一下也好。

 

vless+grpc+tls+nginx+cdn:

1、服务端配置。

//注释的地方根据自己的情况修改。

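{
  // v2ray server side: a VLESS inbound carried over gRPC, meant to be reached
  // only through the nginx reverse proxy running on the same host.
  // Lines marked "adjust" must be changed for your own deployment.
  "stats": {},
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "port": 8012, // adjust: the port nginx proxies to with grpc_pass
      "tag": "tcp",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      // Bind to loopback only. nginx forwards to 127.0.0.1:8012, so nothing else
      // needs to reach this port. Listening on 0.0.0.0 would expose the
      // plaintext (no TLS) gRPC inbound directly to the Internet, bypassing the
      // nginx front end that is there to absorb active probing.
      "listen": "127.0.0.1",
      "protocol": "vless", // protocol
      "settings": {
        "clients": [
          {
            // adjust: your own randomly generated UUID. It is the only client
            // credential in this setup, so never deploy the placeholder.
            "id": "xxxxx",
            "level": 0
          }
        ],
        // VLESS adds no encryption of its own; confidentiality comes from the
        // TLS layer that nginx terminates in front of this inbound.
        "decryption": "none"
      },
      "streamSettings": {
        "network": "grpc",
        "grpcSettings": {
          // adjust: acts like a URL path; the nginx location and the client's
          // serviceName must use the same value.
          "serviceName": "zsxwz"
        }
      }
    },
    {
      // Loopback-only dokodemo-door inbound.
      // NOTE(review): presumably intended for the stats API, but no "api" or
      // "routing" section in this file refers to it - confirm before relying on it.
      "listen": "127.0.0.1",
      "port": 10085,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1"
      }
    }
  ],
  "outbounds": [
    {
      // Default outbound: connect directly to the requested destination.
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIP"
      }
    },
    {
      // Discards traffic; only used if a routing rule sends traffic to "block".
      "tag": "block",
      "protocol": "blackhole"
    }
  ]
}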

 

2、客户端配置。

{
  // v2ray client side: a local SOCKS inbound whose traffic leaves through a
  // VLESS outbound carried over gRPC + TLS.
  // Lines marked "adjust" must be changed for your own deployment.
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      // The SOCKS inbound below has no authentication ("noauth"), so keep it
      // bound to loopback; any wider bind would let other hosts use the proxy.
      "listen": "127.0.0.1",
      "port": "1080", // adjust: local port
      "protocol": "socks", // SOCKS proxy
      "settings": {
        "auth": "noauth"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "1.0.0.1", // adjust: domain, IP, or a hand-picked Cloudflare IP
            "port": 443,
            "users": [
              {
                "id": "xxxxxxxx", // adjust: your UUID, identical to the server's client id
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "grpc",
        "security": "tls",
        "tlsSettings": {
          // adjust: the domain on the server certificate. It must be set here
          // because "address" above may be a bare IP. Leave certificate
          // verification on (do not add allowInsecure).
          "serverName": "your_domain",
          "alpn": [
            "h2"
          ]
        },
        "grpcSettings": {
          // Acts like a URL path; must equal serviceName in the server config.
          "serviceName": "zsxwz"
        }
      }
    }
  ]
}

 

3、nginx配置文件。

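# Plain-HTTP listener: redirects everything to HTTPS, except a loopback-only
# status page. nginx comments start with "#"; the "//" annotations in the
# original listing are not valid nginx syntax and would stop the config loading.
server {
    listen 80;
    listen [::]:80;
    server_name v2.zsxwz.ml;  # adjust: your domain

    # Status counters, reachable from the local machine only.
    location /nginx_path {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

    # The redirect sits in a location instead of at server level: a server-level
    # "return" is evaluated before location matching and would make
    # /nginx_path above unreachable.
    location / {
        return 301 https://v2.zsxwz.ml$request_uri;  # adjust: your domain
    }
}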

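# HTTPS front end: serves an ordinary static site and forwards only gRPC
# requests on the secret path to the local v2ray inbound.
# nginx comments start with "#"; the "//" annotations in the original listing
# are not valid nginx syntax and would stop the config loading.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name v2.zsxwz.ml;  # adjust: your domain

    # Static site returned for every request that is not the gRPC path.
    # NOTE(review): the docroot is under /root; nginx worker processes normally
    # run unprivileged and may be unable to read it - confirm, or move the site
    # to a directory the worker user can read.
    root /root/wwwroot/html;
    index index.html;

    ssl_certificate       /root/.acme.sh/v2.zsxwz.ml_ecc/fullchain.cer;     # adjust: certificate chain
    ssl_certificate_key   /root/.acme.sh/v2.zsxwz.ml_ecc/v2.zsxwz.ml.key;   # adjust: private key
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # HSTS with includeSubDomains and preload applies to every subdomain of the
    # site; keep it only if all of them are served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # The Public-Key-Pins header from the original listing is dropped on purpose:
    # HPKP is deprecated and no longer honoured by current browsers, and pins
    # that do not match your own key could only lock visitors out.

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 1.1.1.1 valid=60s;
    resolver_timeout 60s;

    # adjust: the path prefix must equal serviceName in the v2ray server and
    # client configs ("zsxwz" on this page). The original "/zs123xwz" did not
    # match, so gRPC requests would never have reached grpc_pass.
    location /zsxwz {
        # Anything that is not gRPC gets the same 404 as a nonexistent page.
        if ($content_type !~ "application/grpc") {
            return 404;
        }
        # Long-lived streaming tunnel: no body size limit, very long timeouts.
        client_max_body_size 0;
        keepalive_requests 42949672;
        client_body_timeout 10719064m;
        send_timeout 10719064m;
        lingering_close always;
        grpc_read_timeout 10719064m;
        grpc_send_timeout 10719064m;
        # adjust: the v2ray inbound port. The hop is plaintext, so the inbound
        # should listen on loopback only.
        grpc_pass grpc://127.0.0.1:8012;
    }

    # Loopback-only status page. stub_status is added so that this location
    # actually serves the counters, as /nginx_path does in the port-80 server.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}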

 

4、cloudflare开启grpc。

网站——网络——开启grpc。

 

最后于 22/05.15 20:24 被zsxwz编辑 ,原因:
