Manually installing Xray VLESS+WS+TLS on CentOS 8 (works behind a CDN)

Preface

I started writing this last year, but CSDN censored it and it was never published. I have been cutting and patching it ever since, so it is rather messy and probably only makes sense to me. I will tidy it up the next time I do a fresh install.

Requesting a certificate

Switch to the root account.
Update all packages, and also upgrade the software and the system kernel.
Only upgrade all packages, without upgrading the software or the system kernel; both stay as they are.

sudo su
yum update -y
yum upgrade -y

Install socat.
Run the acme script. The e-mail address must be correct, since it is used for notifications; otherwise the certificate request will not go through.
Check whether port 80 is in use; if a PID shows up, end that process with kill <pid>.

yum install socat -y
curl https://get.acme.sh | sh -s email=wengeblog@hotmail.com
netstat -tlnp|grep :80

Point the domain's DNS record at the server IP, then start acme listening on port 80 to request the certificate.

~/.acme.sh/acme.sh --issue -d wengeblog.com --standalone

Installing the certificate

Install the certificate into the local root directory.
Enable automatic certificate renewal, every 60 days.

mkdir /root/cert
~/.acme.sh/acme.sh --installcert -d wengeblog.com --key-file /root/cert/xray.key --fullchain-file /root/cert/xray.crt
chmod 755 /root/cert
~/.acme.sh/acme.sh --upgrade --auto-upgrade
ls -lZ /root/cert

Installing nginx

The domain does not need to be changed. Clear the web root and put the web page files into nginx's default directory: three PNG files, one HTML file and one TXT file.

yum install nginx -y
mkdir -p /usr/share/nginx/html/
rm -rf /usr/share/nginx/html/*
wget https://github.com/wengesoft/blog/releases/download/v1.0.0/html.zip
unzip html.zip -d /usr/share/nginx/html
ls /usr/share/nginx/html/

Configure the nginx server block; change the file name and the domain in the config file to your own.

vi /etc/nginx/conf.d/wengeblog.com.conf

server {
    listen 80;
    listen [::]:80;
    server_name wengeblog.com;
    return 301 https://$server_name:443$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name wengeblog.com;
    charset utf-8;

    # SSL configuration
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_certificate /root/cert/xray.crt;
    ssl_certificate_key /root/cert/xray.key;

    root /usr/share/nginx/html;
    location / {

    }
    location = /robots.txt {}

    location /Fo2Ct {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:18750;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
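An added check, not part of the original post: the server block above still offers TLSv1.1, which is deprecated (RFC 8996), so it is worth linting the ssl_protocols directive before going live. The helper below reads a config text (the sample is the post's own directive, embedded as a constructed string), reports any deprecated versions and prints the hardened rewrite.

```shell
#!/bin/sh
# Added example, not from the original post: lint the ssl_protocols directive of an
# nginx server block and produce a hardened rewrite (TLSv1.2 and TLSv1.3 only).

# Constructed sample: the post's own ssl directives, embedded here as text.
SAMPLE_CONF='    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate /root/cert/xray.crt;'

# deprecated_tls_versions CONF_TEXT
# Prints the deprecated versions named in ssl_protocols, space-separated
# (empty when only TLSv1.2/TLSv1.3 are offered).
deprecated_tls_versions() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' \
        | tr ' ' '\n' \
        | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# hardened_ssl_protocols CONF_TEXT
# Rewrites ssl_protocols to offer TLSv1.2 and TLSv1.3 only; other lines pass through.
hardened_ssl_protocols() {
    printf '%s\n' "$1" \
        | sed 's/^\([[:space:]]*\)ssl_protocols[[:space:]].*;/\1ssl_protocols TLSv1.2 TLSv1.3;/'
}

# Stand-alone run over the constructed sample.
weak=$(deprecated_tls_versions "$SAMPLE_CONF")
if [ -n "$weak" ]; then
    echo "deprecated protocol versions offered: $weak"
    echo "hardened directive:"
    hardened_ssl_protocols "$SAMPLE_CONF" | grep ssl_protocols
else
    echo "ssl_protocols OK"
fi
```

Run `nginx -t` after applying the rewritten directive; TLSv1.3 requires nginx built against OpenSSL 1.1.1 or newer, which CentOS 8 ships.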

Test the configuration, then restart nginx.

nginx -t
systemctl start nginx
netstat -tnlp|grep :443

Installing Xray

Install the latest Xray with the online one-line installer.
Generate a random UUID (or copy one from a website such as an online UUID generator).
Edit the JSON config file, filling in the UUID on the id line and the domain on the Host line.

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
cat /proc/sys/kernel/random/uuid
vi /usr/local/etc/xray/config.json

{
    "inbounds": [{
        "port": 18750,
        "listen": "127.0.0.1",
        "protocol": "vless",
        "settings": {
            "clients": [
                {
                    "id": "",
                    "level": 0
                }
            ],
            "decryption": "none"
        },
        "streamSettings": {
            "network": "ws",
            "security": "none",
            "wsSettings": {
                "path": "/Fo2Ct",
                "headers": {
                    "Host": "wengeblog.com"
                }
            }
        }
    }],
    "outbounds": [{
        "protocol": "freedom",
        "settings": {}
    },{
        "protocol": "blackhole",
        "settings": {},
        "tag": "blocked"
    }]
}

Start Xray and check whether traffic forwarding works: the plain text "Bad Request" means success, while a web page containing "502 Bad Gateway" means failure.
Start Xray.
Check Xray's running status.
Check whether the reverse proxy works.
Show the UUID.

systemctl restart xray
systemctl status xray
curl -s https://wengeblog.com/Fo2Ct
cat /usr/local/etc/xray/config.json|grep id|cut -d\" -f4

BBR network acceleration

BBR makes the decisive difference: a speed test downloaded at 0.4M before enabling it and 5.4M afterwards.
Check whether the kernel is older than 4.9; generally anything below CentOS 8.0 needs a kernel upgrade.
The system version should be updated to 7.3 or higher.

uname -rm
cat /etc/redhat-release

Upgrading the kernel

yum -y update
yum upgrade -y

Add the repository and enable elrepo-kernel.
Update the grub configuration and reboot.

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
grub2-set-default 0
reboot

Append the settings to /etc/sysctl.conf.
View the contents of /etc/sysctl.conf.
Enable BBR.

rm -rf /etc/sysctl.conf
echo "net.core.default_qdisc=fq" >>/etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >>/etc/sysctl.conf
sysctl -p
sysctl net.ipv4.tcp_available_congestion_control
lsmod | grep bbr

If it returns tcp_bbr 16384 1, BBR is active.

systemctl start nginx
systemctl status nginx
systemctl start xray
systemctl status xray

Troubleshooting

Certificate request errors

Check the state of port 80.

curl wengeblog.com

No route to host means the Linux firewall is blocking it.

curl: (7) Failed to connect to wengeblog.com port 80: No route to host

Permanently disable the firewall.
Disable the firewall.

systemctl disable firewalld
systemctl stop firewalld

Connection refused is the normal result.

curl: (7) Failed to connect to wengeblog.com port 80: Connection refused

Uninstall acme, delete the acme folder, then reinstall.

~/.acme.sh/acme.sh --uninstall
rm -rf ~/.acme.sh/

No package nginx available

Upgrade the yum packages.
Upgrade the system.

yum install epel-release -y
yum update -y

Fixing nginx failing to start

The error looks like this:

Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

If the restart fails, check whether it is an SELinux permission problem.

Search the AVC denial records.
Check the files' security contexts.

ausearch -m avc -ts today|grep nginx
ls -lZ /root/cert/

If the context is admin_home_t as below, the security context must be changed:

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 xray.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 xray.key

Change the security context to httpd_config_t.
Check the files' contexts again.

chcon system_u:object_r:httpd_config_t:s0 /root/cert/*
ls -lZ /root/cert/

Once the context reads httpd_config_t as below, the problem is fixed:

-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 xray.crt
-rw-------. root root system_u:object_r:httpd_config_t:s0 xray.key

Restart nginx.
Check nginx's running status.

systemctl restart nginx
systemctl status nginx

Reverse proxy failure

If curl -s https://wengeblog.com/Fo2Ct returns 502 Bad Gateway, path forwarding has failed.

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>

Fix: see the reference "Fixing Xray reverse proxy failure" below.

First look at the nginx log.

rm -rf /var/log/nginx/*
systemctl restart nginx
curl -s https://wengeblog.com/Fo2Ct
cat /var/log/nginx/error.log

If (13: Permission denied) appears as below, first check whether SELinux has httpd's network access switched off:

2022/01/19 17:54:48 [crit] 5469#5469: *1 connect() to 127.0.0.1:18750 failed (13: Permission denied) while connecting to upstream, client: 40.74.77.61, server: wengeblog.com, request: "GET /Fo2Ct HTTP/1.1", upstream: "http://127.0.0.1:18750/Fo2Ct", host: "wengeblog.com"
2022/01/19 17:54:48 [crit] 5469#5469: *3 connect() to 127.0.0.1:18750 failed (13: Permission denied) while connecting to upstream, client: 175.1.127.54, server: wengeblog.com, request: "GET /Fo2Ct HTTP/1.1", upstream: "http://127.0.0.1:18750/Fo2Ct", host: "wengeblog.com"

Check the network access setting.

getsebool httpd_can_network_connect

If the output is as follows, SELinux has httpd's network access off, so the reverse proxy cannot forward traffic.

httpd_can_network_connect --> off

Enable it for httpd; this takes ten-odd seconds.
Check the network access setting again; off changing to on means it is enabled.
Check the reverse proxy result; Bad Request proves success.

setsebool -P httpd_can_network_connect 1
getsebool httpd_can_network_connect
curl -s https://wengeblog.com/Fo2Ct
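As an added example covering both SELinux cases above (the admin_home_t label on the certificate files and the denied loopback connect to the Xray inbound), and not part of the original post: a small POSIX sh helper that reads the evidence the post tells you to collect and maps each finding to the fix the post applies. The log lines, client IP, domain and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: classify the two SELinux failures from
# an nginx error.log excerpt and from `ls -lZ /root/cert/` output, then name the fix.

# Constructed nginx error.log excerpt: one EACCES on the loopback connect to the Xray
# inbound, plus an unrelated missing-file line that must not trigger a match.
SAMPLE_ERROR_LOG='2022/01/19 17:54:48 [crit] 5469#5469: *1 connect() to 127.0.0.1:18750 failed (13: Permission denied) while connecting to upstream, client: 203.0.113.5, server: example.com, request: "GET /Fo2Ct HTTP/1.1", upstream: "http://127.0.0.1:18750/Fo2Ct", host: "example.com"
2022/01/19 17:55:02 [error] 5469#5469: *5 open() "/usr/share/nginx/html/nope.png" failed (2: No such file or directory), client: 203.0.113.5, server: example.com'

# Constructed `ls -lZ /root/cert/` output before relabelling.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 xray.crt
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 xray.key'

# diagnose_upstream_log LOG_TEXT: prints selinux_network_connect when nginx was denied
# the connect() to a loopback upstream (httpd_can_network_connect=off), otherwise ok.
diagnose_upstream_log() {
    if printf '%s\n' "$1" | grep -q 'connect() to 127\.0\.0\.1:[0-9]* failed (13: Permission denied)'; then
        echo selinux_network_connect
    else
        echo ok
    fi
}

# diagnose_cert_context LS_Z_TEXT: relabel_needed when any cert file is still
# admin_home_t (unreadable from httpd_t), ok when httpd_config_t, unknown otherwise.
diagnose_cert_context() {
    if printf '%s\n' "$1" | grep -q ':admin_home_t:'; then
        echo relabel_needed
    elif printf '%s\n' "$1" | grep -q ':httpd_config_t:'; then
        echo ok
    else
        echo unknown
    fi
}

# suggest_fix CODE: the remediation the post uses for each diagnosis code.
suggest_fix() {
    case "$1" in
        selinux_network_connect) echo 'setsebool -P httpd_can_network_connect 1' ;;
        relabel_needed)          echo 'chcon system_u:object_r:httpd_config_t:s0 /root/cert/*' ;;
        ok)                      echo 'no action needed' ;;
        *)                       echo 'inspect manually (ausearch -m avc -ts today)' ;;
    esac
}

# Stand-alone run over the constructed samples.
for code in "$(diagnose_upstream_log "$SAMPLE_ERROR_LOG")" "$(diagnose_cert_context "$SAMPLE_LS_Z")"; do
    printf '%s -> %s\n' "$code" "$(suggest_fix "$code")"
done
```

On a live host, feed it `cat /var/log/nginx/error.log` and `ls -lZ /root/cert/` instead of the sample strings; the setsebool fix is the targeted alternative to disabling SELinux outright.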

Appendix

Get the server's public IP.

curl -sL -4 ip.sb

Show the kernel version and system architecture.

uname -rm

Show the OS version.

cat /etc/redhat-release

References

Checking port 80 usage on Linux (all ports)
Step-by-step SSL certificate tutorial, covering FreeSSL, the acme script and other methods
What is an SSL/TLS certificate and why do you need one? The most complete SSL certificate tutorial: fixing failed requests (single-domain, multi-domain, wildcard and shared multi-domain certificates)
The full manual Xray installation process
yum install: No package nginx available
15 SELinux chcon command examples for changing security contexts
nginx: [emerg] cannot load certificate SSL: error:0200100D:system library:fopen:Permission denied:fo
CentOS 7 BBR tutorial
Upgrading the kernel and enabling BBR on CentOS Linux 8
Fixing Xray reverse proxy failure
BBR acceleration script collection: BBR Plus, original BBR, modified BBR, enabling the built-in BBR, four-in-one script
Xray server guide, chapter 7
acme.sh documentation