1.Nginx安装
# Refresh the apt package index, then install nginx only if the refresh succeeded (&&).
sudo apt update && sudo apt install nginx
启动
# Start the nginx service through systemd.
sudo systemctl start nginx
重载配置
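# Check the configuration first: `nginx -t` parses the files and reports errors,
# and the reload only runs if that check passes. Both steps need root, so both
# use sudo like the start command above.
sudo nginx -t && sudo systemctl reload nginx.service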
查看状态
# Show whether the nginx unit is active, plus its most recent log lines.
systemctl status nginx.service
2.Nginx配置修改
文件目录
/etc/nginx/nginx.conf
1.80端口
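# /etc/nginx/nginx.conf, plain-HTTP variant (port 80).
# Everything on this listener is unencrypted, including requests to /xraypath
# and /panelpath (for example panel logins), unless something in front of nginx
# terminates TLS.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    server {
        listen 80 default_server;       # listening address
        listen [::]:80 default_server;

        # Placeholder: replace with your own domain. Without a server_name
        # directive $server_name is empty, so the sub_filter below would
        # replace "www.bing.com" with an empty string.
        server_name your.domain.example;

        # No ssl_* directives here: this server has no TLS listener, so
        # ssl_protocols / ssl_ciphers / ssl_prefer_server_ciphers would have
        # no effect.

        location / {
            proxy_pass https://www.bing.com;   # decoy site
            proxy_ssl_server_name on;          # send SNI to the upstream
            proxy_redirect off;
            # Rewrite every occurrence of the upstream host name in response
            # bodies to this server's own name.
            sub_filter_once off;
            sub_filter "www.bing.com" $server_name;
            proxy_set_header Host "www.bing.com";
            proxy_set_header Referer $http_referer;
            # These two headers pass the visitor's IP address on to the
            # upstream site.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            # Ask the upstream for uncompressed responses so that sub_filter
            # can see and rewrite the body.
            proxy_set_header Accept-Encoding "";
            proxy_set_header Accept-Language "zh-CN";
        }

        location /xraypath {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:8388;   # downstream server
            # HTTP/1.1 plus the Upgrade/Connection headers allow WebSocket
            # upgrades to pass through the proxy.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /panelpath {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:9999;   # downstream server
            proxy_http_version 1.1;
            proxy_set_header Host $host;
        }
    }
}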
80端口尚未添加http2参数
2.443端口
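# /etc/nginx/nginx.conf, HTTPS variant (port 443).
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    server {
        listen 443 ssl http2 default_server;        # http2 parameter added
        listen [::]:443 ssl http2 default_server;   # http2 parameter added

        # Placeholder: replace with your own domain. Without a server_name
        # directive $server_name is empty, so the sub_filter below would
        # replace "www.bing.com" with an empty string.
        server_name your.domain.example;

        # Paths to the TLS certificate and private key. Keep the key file
        # readable by root only.
        ssl_certificate /root/x.cer;       # path to your fullchain certificate
        ssl_certificate_key /root/x.key;   # path to your private key
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        location / {
            proxy_pass https://www.bing.com;   # decoy site
            proxy_ssl_server_name on;          # send SNI to the upstream
            proxy_redirect off;
            # Rewrite every occurrence of the upstream host name in response
            # bodies to this server's own name.
            sub_filter_once off;
            sub_filter "www.bing.com" $server_name;
            proxy_set_header Host "www.bing.com";
            proxy_set_header Referer $http_referer;
            # These two headers pass the visitor's IP address on to the
            # upstream site.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header User-Agent $http_user_agent;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            # Ask the upstream for uncompressed responses so that sub_filter
            # can see and rewrite the body.
            proxy_set_header Accept-Encoding "";
            proxy_set_header Accept-Language "zh-CN";
        }

        location /xraypath {
            proxy_redirect off;
            proxy_pass https://127.0.0.1:8388;   # changed to https
            # HTTP/1.1 plus the Upgrade/Connection headers allow WebSocket
            # upgrades to pass through the proxy.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # TLS settings for the connection to the upstream.
            proxy_ssl_certificate /root/x.cer;            # client certificate path (if needed)
            proxy_ssl_certificate_key /root/x.key;        # client private key path (if needed)
            proxy_ssl_trusted_certificate /root/ca.cer;   # trusted CA certificate path
            # The trusted CA file is only consulted when verification is on;
            # the default is off, which accepts any upstream certificate.
            proxy_ssl_verify on;
            # Placeholder: the name the upstream certificate is issued for.
            # Without it the certificate is checked against the proxy_pass
            # host, 127.0.0.1.
            proxy_ssl_name your.domain.example;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256';
        }

        location /panelpath {
            proxy_redirect off;
            proxy_pass https://127.0.0.1:9999;   # note: changed to https
            proxy_http_version 1.1;
            proxy_set_header Host $host;

            # TLS settings so that nginx can verify the upstream server's
            # certificate. If the panel simply uses its own certificate, the
            # separate verification certificate can be omitted; in that case
            # drop proxy_ssl_verify and proxy_ssl_name as well, and the
            # upstream certificate is then not checked.
            proxy_ssl_certificate /root/x.cer;            # client certificate path (if needed)
            proxy_ssl_certificate_key /root/x.key;        # client private key path (if needed)
            proxy_ssl_trusted_certificate /root/ca.cer;   # trusted CA certificate path
            # The trusted CA file is only consulted when verification is on;
            # the default is off, which accepts any upstream certificate.
            proxy_ssl_verify on;
            # Placeholder: the name the upstream certificate is issued for.
            # Without it the certificate is checked against the proxy_pass
            # host, 127.0.0.1.
            proxy_ssl_name your.domain.example;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256';
        }
    }
}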
3.网站访问
1.80端口
使用http://的格式,如果使用了CF的CDN加速,则将域名对应的SSL/TLS边缘证书选项的始终使用HTTPS关闭
SSL/TLS 加密模式随意。注意:80端口是明文HTTP,面板登录信息和 /xraypath 的流量在到达本机之前不会加密,建议优先使用下面的443端口配置。
2.443端口
使用https://的格式,如果使用了CF的CDN加速,则将域名对应的SSL/TLS边缘证书选项的始终使用HTTPS打开
SSL/TLS 加密模式最好为完全或严格