Shadowsocks + v2ray-plugin + WebSocket + TLS + Nginx
The result first: Nginx serves an ordinary HTTPS site, Shadowsocks listens only on localhost, and an external port scan sees 443 open while the Shadowsocks port shows as closed. v2ray-plugin wraps Shadowsocks in a genuine WebSocket connection, so Nginx proxies it behind TLS like any other WebSocket endpoint and the only thing that distinguishes it from the rest of the site is the URL path, which is why the path should be random rather than guessable.
Shadowsocks-libev (config.json). 123456 and "password" are placeholders: a real port must be between 1 and 65535, and the password should be long and random. "server":"127.0.0.1" binds the listener to loopback only, so only Nginx (and the optional UDP redirect below) can reach it; with a SIP003 plugin configured, the plugin listens on server_port and speaks plain WebSocket to Nginx, which terminates TLS. The path in plugin_opts must match the Nginx location below.
{
    "server":"127.0.0.1",
    "mode":"tcp_and_udp",
    "server_port":123456,
    "local_port":1080,
    "password":"password",
    "timeout":180,
    "fast_open":true,
    "no_delay":true,
    "reuse_port":true,
    "plugin":"v2ray-plugin",
    "plugin_opts":"server;path=/string",
    "method":"chacha20-ietf-poly1305"
}
Nginx: register a (free) domain and obtain a certificate for it with acme.sh.
Listen on 443; keep the default server on 80 and 301-redirect it to 443.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain;
    server_tokens off;
    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/domain.key;
    location /string { # must match the path in the Shadowsocks plugin_opts
        proxy_redirect off;
        proxy_pass http://127.0.0.1:123456; # must match the Shadowsocks server_port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
The following is for UDP forwarding; skip it if you do not need UDP.
Enable IP forwarding and routing to localhost in the kernel (route_localnet is required, otherwise packets DNATed to 127.0.0.1 from an external interface are dropped as martians):
net.ipv4.ip_forward = 1
net.ipv4.conf.all.route_localnet = 1
Write these two lines to /etc/sysctl.conf and run sysctl -p.
iptables rules (${IP} is the server's public IPv4 address; the port is the Shadowsocks server_port):
iptables -t nat -I PREROUTING -p udp --dport 443 -j DNAT --to-destination 127.0.0.1:123456
iptables -t nat -I POSTROUTING -p udp --dport 123456 -j SNAT --to ${IP}
iptables -t nat -I OUTPUT -d 127.0.0.1 -p udp --dport 443 -j REDIRECT --to-ports 123456
Save the rules so they are restored at boot (iptables-save into a file that your init system loads), or put the commands in /etc/rc.local.
Note that UDP bypasses Nginx and v2ray-plugin entirely (SIP003 plugins carry only TCP), so datagrams to UDP 443 reach the Shadowsocks UDP relay directly. They are still AEAD-encrypted, but they are not wrapped in TLS/WebSocket, and UDP 443 is now reachable from outside.
Client:
Port: 443
Everything else is the same as plain Shadowsocks (password and method chacha20-ietf-poly1305 as on the server).
Plugin: v2ray-plugin
Mode: WebSocket-tls; hostname is the domain you registered; path is the value from plugin_opts, including the leading slash (/string).
If the server has the UDP forwarding above, UDP DNS can be used through the proxy.
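The steps above share values that have to agree in three places (the Shadowsocks server_port, the WebSocket path, and the public IP for the UDP rules), and the post's placeholder port 123456 is not a legal TCP/UDP port. The POSIX shell script below is an added example, not code from the original post or from the shadowsocks-libev or v2ray-plugin projects: it derives the Shadowsocks server config, the Nginx location block and the iptables commands from one set of variables and refuses invalid ports or empty paths. The port, path and IP are arguments you supply (203.0.113.5 and 12345 in the demo are made-up values); the `location =` exact match and the `if ($http_upgrade != "websocket")` guard are my additions so that plain HTTP requests to the path get a 404 like any other unknown URL instead of being forwarded to the plugin, and the generated iptables lines are guarded with `-C` so re-running them does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Shadowsocks
# config, the Nginx location and the UDP NAT rules from ONE port/path/IP
# so the three can never drift apart. Nothing is written or applied;
# redirect or pipe the output yourself.

# valid_port PORT -> success if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ws_path PATH -> prints the path with exactly one leading slash and no
# trailing slash; fails on an empty path
ws_path() {
    p=$(printf '%s' "$1" | sed 's#^/*##; s#/*$##')
    [ -n "$p" ] || return 1
    printf '/%s\n' "$p"
}

# ss_server_config PORT PASSWORD PATH -> shadowsocks-libev config.json
ss_server_config() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    path=$(ws_path "$3") || { echo "empty path" >&2; return 1; }
    cat <<EOF
{
    "server": "127.0.0.1",
    "mode": "tcp_and_udp",
    "server_port": $1,
    "password": "$2",
    "timeout": 180,
    "method": "chacha20-ietf-poly1305",
    "plugin": "v2ray-plugin",
    "plugin_opts": "server;path=$path"
}
EOF
}

# nginx_location PORT PATH -> location block that only forwards real
# WebSocket upgrades to the plugin; anything else gets the site's 404
nginx_location() {
    valid_port "$1" || return 1
    path=$(ws_path "$2") || return 1
    cat <<EOF
location = $path {
    if (\$http_upgrade != "websocket") { return 404; }
    proxy_redirect off;
    proxy_pass http://127.0.0.1:$1;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host \$http_host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
EOF
}

# udp_nat_rules PUBLIC_IP PORT -> the three iptables commands from the
# post, each guarded by "-C" (check) so re-running them is idempotent
udp_nat_rules() {
    valid_port "$2" || return 1
    for spec in \
        "PREROUTING -p udp --dport 443 -j DNAT --to-destination 127.0.0.1:$2" \
        "POSTROUTING -p udp --dport $2 -j SNAT --to $1" \
        "OUTPUT -d 127.0.0.1 -p udp --dport 443 -j REDIRECT --to-ports $2"
    do
        printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s\n' "$spec" "$spec"
    done
}

# Usage: sh ss-ws.sh demo   (random path and password; hypothetical values)
if [ "${1:-}" = "demo" ]; then
    PORT=12345                          # pick your own, 1024-65535
    WSPATH=$(openssl rand -hex 8)       # random, hard-to-guess path
    PASSWORD=$(openssl rand -base64 24)
    PUBLIC_IP=203.0.113.5               # replace with the server's IPv4
    ss_server_config "$PORT" "$PASSWORD" "$WSPATH"
    nginx_location "$PORT" "$WSPATH"
    udp_nat_rules "$PUBLIC_IP" "$PORT"  # pipe into "sh" as root to apply
fi
```

The client side then needs only the domain, port 443, the same password and method, and the path printed in plugin_opts. Because the path is the only thing that separates the tunnel from the rest of the site, generating it with openssl rand rather than choosing a word is the one choice in the script that matters for stealth.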