update ngnx config,add server/client config

websocket+Nginx+TLS/Nginx.config

@@ -1,146 +0,0 @@
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# https://www.nginx.com/resources/wiki/start/
-# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
-# https://wiki.debian.org/Nginx/DirectoryStructure
-#
-# In most cases, administrators will remove this file from sites-enabled/ and
-# leave it as reference inside of sites-available where it will continue to be
-# updated by the nginx packaging team.
-#
-# This file will automatically load configuration files provided by other
-# applications, such as Drupal or Wordpress. These applications will be made
-# available underneath a path with that package name, such as /drupal8.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
-# Default server configuration
-#
-#####兼容客户端Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
-#####此文件的真身路径是 /etc/nginx/sites-available/default 如果你修改了 /etc/nginx/nginx.conf 中的内容，但
-#####/etc/nginx/sites-available/default 中的 参数 与 前者 重叠 那么 会 遵从 后者
-
-server {
-	#listen 80 default_server;
-	#listen [::]:80 default_server;
-
-	# SSL configuration
-	#
-	# listen 443 ssl default_server;
-	# listen [::]:443 ssl default_server;
-	#
-	# Note: You should disable gzip for SSL traffic.
-	# See: https://bugs.debian.org/773332
-	#
-	# Read up on ssl_ciphers to ensure a secure configuration.
-	# See: https://bugs.debian.org/765782
-	#
-	# Self signed certs generated by the ssl-cert package
-	# Don't use them in a production server!
-	#
-	# include snippets/snakeoil.conf;
-  
-	listen 127.0.0.1:80 default_server;
-	server_name domain.Name;
-	return 301 https://$host/$request_uri;
-}
-
-
-server {
-	#listen 443 ssl http2; 
-	#listen [::]:443 ssl;
-	#要开启HTTP/2需要nginx版本在1.10.0以上且需要openssl版本在1.0.2以上编译
-	#可以使用 nginx -V  检查
-	listen 127.0.0.1:443 ssl http2;
-	
-	#证书配置
-	ssl_certificate PATH;
-	ssl_certificate_key PATH;
-	ssl_session_cache shared:SSL:10m;
-	ssl_session_timeout  5m;
-	ssl_session_tickets off;
-	
-	#https://nginx.org/en/docs/http/ngx_http_ssl_module.html
-	ssl_protocols TLSv1.2;
-	###openssl ciphers
-	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; #屏蔽不安全的加密方式
-	ssl_prefer_server_ciphers on;
-	
-
-	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-	#
-	###测试前请使用较少的时间 此处以从 15768000 >>> 15 
-	###https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
-	#add_header Strict-Transport-Security max-age=15;
-	
-	#openssl dhparam out dhparam.pem 2048
-	#openssl dhparam out dhparam.pem 4096
-	#ssl_dhparam /home/acme/data/dhparam.pem;
-
-	# OCSP Stapling ---
-	# fetch OCSP records from URL in ssl_certificate and cache them
-	#有条件就开
-	#ssl_stapling on;
-	#ssl_stapling_verify on;
-	
-	root /var/www/html;
-
-	# Add index.php to the list if you are using PHP
-	index index.html index.htm index.nginx-debian.html index.php tail.html ;
-
-	server_name _;
-
-
-	location /PATH/ {
-		proxy_http_version 1.1;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection "upgrade";
-		proxy_set_header Host $http_host;
-		
-		#host判断
-		if ($http_host = "domain.Name" ) {
-			#v 监听端口
-			proxy_pass http://127.0.0.1:10086;
-			}
-	}
-	
-	# pass PHP scripts to FastCGI server
-	#
-	location ~ \.php$ {
-		include snippets/fastcgi-php.conf;
-	#
-	#	# With php-fpm (or other unix sockets):
-		fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
-	#	# With php-cgi (or other tcp sockets):
-	#	fastcgi_pass 127.0.0.1:9000;
-	}
-
-	# deny access to .htaccess files, if Apache's document root
-	# concurs with nginx's one
-	#
-	#location ~ /\.ht {
-	#	deny all;
-	#}
-}
-
-
-# Virtual Host configuration for example.com
-#
-# You can move that to a different file under sites-available/ and symlink that
-# to sites-enabled/ to enable it.
-#
-#server {
-#	listen 80;
-#	listen [::]:80;
-#
-#	server_name example.com;
-#
-#	root /var/www/example.com;
-#	index index.html;
-#
-#	location / {
-#		try_files $uri $uri/ =404;
-#	}
-#}

websocket+Nginx+TLS/config_client.json

@@ -0,0 +1,103 @@
+{
+  "log": {
+    "loglevel": "debug"
+  },
+  "inbounds": [
+    {
+      "port": 10086,
+      "listen": "0.0.0.0",
+      "tag": "socks-in",
+      "protocol": "socks",
+      "settings": {
+        "auth": "noauth",
+        "udp": false
+      }
+    },
+    {
+      "port": 1087,
+      "listen": "0.0.0.0",
+      "tag": "http-in",
+      "protocol": "http",
+      "settings": {}
+    }
+  ],
+  "outbounds": [
+    {
+      "mux": {
+        "concurrency": 32,
+        "enabled": true
+      },
+      "protocol": "vmess",
+      "settings": {
+        "vnext": [
+          {
+            "users": [
+              {
+                //注：填写uuid
+                "id": "UUID",
+                "alterId": 64,
+                "security": "auto"
+              }
+            ],
+            //注：填写域名、端口
+            "address": "domain.Name",
+            "port": 1234
+          }
+        ]
+      },
+      "streamSettings": {
+        "tlsSettings": {
+          "allowInsecure": false
+        },
+        "wsSettings": {
+          "headers": {
+            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.4489.62 Safari/537.36",
+            //注：填写对应头部
+            "Host": "HOST",
+            "Accept-Encoding": "gzip",
+            "Pragma": "no-cache"
+          },
+          //注：ws路径
+          "path": "/PATH/"
+        },
+        "network": "ws",
+        "security": "tls"
+      },
+      "tag": "proxy"
+    },
+    {
+      "protocol": "blackhole",
+      "settings": {},
+      "tag": "blocked"
+    },
+    {
+      "protocol": "freedom",
+      "settings": {},
+      "tag": "dicert"
+    }
+  ],
+  "routing": {
+    //注：全域名规则匹配
+    "domainStrategy": "AsIs",
+    "rules": [
+      {
+        "type": "field",
+        "domain": [
+          //注：填写对应域名和host
+          "domain:domain.Name"
+        ],
+        "outboundTag": "dicert"
+      },
+      {
+        "type": "field",
+        "inboundTag": [
+          "socks-in",
+          "http-in"
+        ],
+        "outboundTag": "proxy"
+      }
+    ]
+  },
+  "other": {}
+}
+

websocket+Nginx+TLS/config_server.json

@@ -0,0 +1,54 @@
+{
+  "log": {
+    "loglevel": "debug"
+  }, 
+  "inbounds": [
+    {
+      "port": 10086, 
+      "listen": "127.0.0.1", 
+      "tag": "vmess-in", 
+      "protocol": "vmess", 
+      "settings": {
+        "clients": [
+          {
+	//注：UUID
+            "id": "UUID", 
+            "alterId": 64
+          }
+        ]
+      }, 
+      "streamSettings": {
+        "network": "ws", 
+        "wsSettings": {
+	//注：ws路径
+          "path": "/PATH/", 
+          "headers": { }
+        }
+      }
+    }
+  ], 
+  "outbounds": [
+    {
+      "protocol": "freedom", 
+      "settings": { }, 
+      "tag": "direct"
+    }, 
+    {
+      "protocol": "blackhole", 
+      "settings": { }, 
+      "tag": "blocked"
+    }
+  ], 
+  "routing": {
+    "domainStrategy": "AsIs", 
+    "rules": [
+      {
+        "type": "field", 
+        "inboundTag": [
+          "vmess-in"
+        ], 
+        "outboundTag": "direct"
+      }
+    ]
+  }
+}

websocket+Nginx+TLS/nginx_Domain.Name.conf

@@ -0,0 +1,131 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+#####本配置使用正常环境 debian9_x64 nginx_1.10.3 openssl_1.1.0f v2ray_4.2
+#####兼容客户端Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
+#####注：切勿修改<nginx.conf>中的内容，但<该文件>与<nginx.conf>中的<参数重叠>那么会<遵从前者>
+
+server {
+	# 禁用不需要的请求方式 以下只允许 get、post
+        if ($request_method  !~ ^(POST|GET)$) {
+                return	444;
+        }
+
+	listen		127.0.0.1:80;
+	server_name	domain.Name;	#注：填写自己的域名
+	return		301 https://$host/;
+}
+
+upstream v2ray {
+        server		127.0.0.1:10086;	#注：v2ray后端监听地址、端口
+        keepalive	2176;   # 链接池空闲链接数
+}
+
+map $http_upgrade $connection_upgrade {
+        default		upgrade;
+        ''		close;
+}
+
+
+server {
+	#要开启 HTTP/2 注意nginx版本 
+	#可以使用 nginx -V 检查
+	listen	127.0.0.1:443 ssl http2 backlog=1024 so_keepalive=120s:60s:10 reuseport;	# backlog是nginx 监听队列 默认是511 使用命令 ss -tnl查看(Send-Q);
+	#设置编码
+	charset         utf-8;
+
+	#证书配置
+	ssl_certificate		PATH;	#注：填写自己证书路径
+	ssl_certificate_key	PATH;	#注：填写密钥路径
+
+	ssl_session_cache	shared:SSL:50m;
+	ssl_session_timeout	1d;
+	ssl_session_tickets	off;
+	
+	# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
+	ssl_protocols	TLSv1.2;
+	#openssl ciphers
+	#注：懒人配置	https://mozilla.github.io/server-side-tls/ssl-config-generator/
+	ssl_ciphers	'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+	ssl_prefer_server_ciphers on;
+	
+	#安全设定
+	#屏蔽请求类型
+        if ($request_method  !~ ^(POST|GET)$) {
+                return  444;
+        }
+	add_header      X-Frame-Options         DENY;
+	add_header      X-XSS-Protection        "1; mode=block";
+	add_header      X-Content-Type-Options  nosniff;
+	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+	###测试前请使用较少的时间
+	### https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+	add_header	Strict-Transport-Security max-age=15 always;
+	
+	#openssl dhparam -out dhparam.pem 2048
+	#openssl dhparam -out dhparam.pem 4096
+	#ssl_dhparam		/home/dhparam.pem;
+	#ssl_ecdh_curve		secp384r1;
+
+	# OCSP Stapling ---
+	# fetch OCSP records from URL in ssl_certificate and cache them
+	#ssl_stapling		on;
+	#ssl_stapling_verify	on;
+	#resolver_timeout	10s;
+	#resolver	[去掉括号并将文字改成你希望的dns服务器ip地址]	valid=300s;
+			#范例 resolver	2.2.2.2		valid=300s;
+	
+	root	/var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm  index.php ;
+
+	server_name	domain.Name;	#注： 将domain.Name 替换成你的域名
+
+
+	location /GLMzpX/ {	#注：修改路径
+		proxy_http_version	1.1;
+		proxy_set_header	Upgrade $http_upgrade;
+		proxy_set_header	Connection $connection_upgrade;	#此处与<map>对应
+		proxy_set_header	Host $http_host;
+		
+		# 向后端传递访客ip
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		
+		
+		sendfile                on;
+		tcp_nopush              on;
+		tcp_nodelay             on;
+		keepalive_requests      25600;
+		keepalive_timeout	300 300;
+		proxy_buffering         off;
+		proxy_buffer_size       8k;
+		
+		#后端错误重定向
+		proxy_intercept_errors on;
+                error_page 400 = URL;		# url是一个网站地址。例如:https://www.xxxx.com/
+		if ($http_host = "domain.Name" ) {	#注： 修改 domain.Name 为自己的域名
+			#v2ray 后端 查看上面"upstream"字段
+			proxy_pass      http://v2ray;
+		}
+	}
+}
+