V2Ray over WebSocket with Nginx TLS plus CDN


This article shows you how to set up a V2Ray server on Debian 9, with V2Ray fronted by an https website hosted on nginx. The IP address of the server is hidden behind a content distribution network (CDN). The server will act as a V2Ray server for a WebSocket stream, but will display a normal website to a regular web browser. The client machine in this tutorial is a Windows PC.

Debian 9 Server

The server will accept input on port 443. (If any traffic happens to arrive on port 80, it will be redirected to port 443.) If the traffic is a WebSocket stream, it is proxied to V2Ray, which is listening on localhost port 8388. If the traffic is a normal https request, on the other hand, the traffic is handled by nginx directly and a web page is returned.

Start by registering a domain name for your web site.

Also obtain a virtual private server (VPS).

Now go back to your domain name registrar, and add DNS A records pointing from your server host name (e.g. www.example.com) and also your naked domain name (e.g. example.com) to your server IP address.

We will enable the BBR congestion control algorithm to improve network performance. PuTTY or SSH into your server, and edit the system control configuration file:

sudo vi /etc/sysctl.conf

To prevent the vi editor from entering visual mode when you paste in commands, do:

:set mouse-=a

You can add set mouse-=a to your ~/.vimrc file or the system-wide /etc/vim/vimrc file to make this change permanent.

Add these two lines at the end of the /etc/sysctl.conf file:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Press the Esc key on your computer keyboard to escape from insert mode, and type :wq to write the file to disk and quit the editor.

Make this change effective now by issuing the command:

sudo sysctl -p

Now we are ready to install the web server. Open your firewall to allow traffic in on ports 80 and 443:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo dpkg-reconfigure iptables-persistent

Install the nginx web server:

sudo apt-get install nginx

Edit the default site configuration file to put in your domain name:

sudo vi /etc/nginx/sites-available/default

In the server_name directive, replace the underscore _ with your actual host name, e.g. www.example.com

Press the Esc key on your computer keyboard to escape from insert mode, and type :wq to write the file to disk and quit the editor.

Check the configuration file format:

sudo nginx -t

Restart nginx to pick up the new configuration:

sudo systemctl restart nginx

Now create your web site content.

When you have added some content, you can visit your website in a browser to confirm that your web server is working.

Now install the Let’s Encrypt certificate bot for nginx:

sudo apt install python-certbot-nginx

Request a certificate for your domain.

sudo certbot --authenticator webroot --webroot-path /var/www/html --installer nginx -d example.com -d www.example.com

Certbot places your certificates and key in /etc/letsencrypt/live/example.com/.

It automatically amends the default site definition to include the SSL site.

And, as long as you selected the option to force secure access, certbot also adds lines automatically to force https:

if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot

To save having to manually renew your SSL certificate every 90 days, add a line to your root user’s cron table:

sudo crontab -e

Add a line at the bottom. For example, to check for renewal, and renew if necessary, at 1:23 a.m. every Saturday (day 6), you would put:

# m h dom mon dow command
23 1 * * 6 certbot renew > /var/log/letsencrypt/renew.log

Press the Esc key on your computer keyboard to escape from insert mode, and type :wq to write the file to disk and quit the editor.

Now we are going to add your site to your content distribution network (CDN). For the sake of this article, we used Cloudflare as our CDN. We chose the free plan.

Cloudflare can usually find your existing DNS records automatically. If not, you must manually add entries for your server name and your naked domain name.

Cloudflare gives you two of its own name servers to use. They will have names such as:

alpha.ns.cloudflare.com
beta.ns.cloudflare.com

Now go back to your domain name registrar, and change your name servers to be the custom nameservers given to you by Cloudflare. Save your changes.

You will need to wait up to 24 hours for the changes to your name servers to propagate.

You can now test everything so far by visiting http://www.example.com, which will be redirected to https://www.example.com.

From this point on, your server name will resolve to an IP address belonging to your CDN. You will have to explicitly specify your server’s real IP address when you SSH into it.

To install V2Ray, PuTTY or SSH into your server, and download and execute the V2Ray installation script:

wget https://install.direct/go.sh
sudo bash go.sh

A default PORT and UUID are displayed toward the end of the install. The UUID is effectively a password, and will need to be known by the client when we set up the Windows PC in a moment. It will look something like this:

"id": "bee4f255-b5bf-4f4d-a8a5-2bc6de91e7e7",

Edit the V2Ray configuration file /etc/v2ray/config.json:

sudo vi /etc/v2ray/config.json

In the inbound specification, instead of the port number generated by go.sh, put in the port number you intend to use internally for nginx to send the stream to V2Ray, and also specify that V2Ray should listen on localhost:

"port": 8388,
"listen": "127.0.0.1",

After the end of the inbound specification’s settings section, add a new section for streamSettings:

"streamSettings": {
  "network": "ws",
  "wsSettings": {
    "path": "/websocket/"
  }
}

Press the Esc key on your computer keyboard to escape from insert mode, and type :wq to write the file to disk and quit the editor.

Start V2Ray with your revised configuration file:

sudo systemctl start v2ray

Edit the default virtual host configuration file:

sudo vi /etc/nginx/sites-available/default

Inside the main server block, but after the existing specifications, add a new location block to proxy WebSocket traffic to V2Ray, which is listening on localhost port 8388:

location /websocket/ {
  proxy_redirect off;
  proxy_pass http://127.0.0.1:8388;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header Host $http_host;
}

Press the Esc key on your computer keyboard to escape from insert mode, and type :wq to write the file to disk and quit the editor.

Restart nginx to pick up the new configuration:

sudo systemctl restart nginx

Windows 10 Client

Visit Github and identify the latest release of V2Ray:

https://github.com/v2ray/v2ray-core/releases

For a modern, 64-bit Windows PC, you will want to download and unzip v2ray-windows-64.zip.

Before launching the program, edit the config.json file inside the extracted folder.

Configure V2Ray to send its outbound traffic to port 443 of your server. Of course, you must substitute in your own values for the server and the user id in this example:

"outbound": {
  "protocol": "vmess",
  "settings": {
    "vnext": [
      {
        "address": "www.example.com",
        "port": 443,
        "users": [
          {
            "id": "bee4f255-b5bf-4f4d-a8a5-2bc6de91e7e7",
            "alterId": 64,
            "security": "aes-128-gcm"
          } 
        ]
      }
    ]
  },
  "streamSettings": {
    "network": "ws",
    "wsSettings": {
      "path": "/websocket/"
    },
    "security": "tls",
    "tlsSettings": {
      "serverName": "www.example.com",
      "allowInsecure": false
    }
  }
}
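The server-side V2Ray inbound, the nginx location block and the client outbound above have to agree with each other: the WebSocket path must be the same in all three places, nginx must forward to the address and port V2Ray actually listens on, V2Ray must listen on loopback only (so it cannot be reached directly, bypassing nginx and TLS), and the client must verify the server certificate. The following Python script is an added example, not code from the article or from the V2Ray project; it takes the three snippets as constructed sample inputs (the UUID and host name are the article's placeholder values) and reports any mismatch. The regex-based nginx parsing is a simplification that handles a single location block of the shape shown above.

```python
import json
import re

# Constructed sample inputs that mirror the article's snippets. The UUID and host
# name are the article's placeholder values, not real credentials.
SERVER_CONFIG = """{"inbound": {"port": 8388, "listen": "127.0.0.1", "protocol": "vmess",
  "settings": {"clients": [{"id": "bee4f255-b5bf-4f4d-a8a5-2bc6de91e7e7", "alterId": 64}]},
  "streamSettings": {"network": "ws", "wsSettings": {"path": "/websocket/"}}}}"""

NGINX_LOCATION = """location /websocket/ {
  proxy_redirect off;
  proxy_pass http://127.0.0.1:8388;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header Host $http_host;
}"""

CLIENT_CONFIG = """{"outbound": {"protocol": "vmess",
  "settings": {"vnext": [{"address": "www.example.com", "port": 443,
    "users": [{"id": "bee4f255-b5bf-4f4d-a8a5-2bc6de91e7e7", "alterId": 64, "security": "aes-128-gcm"}]}]},
  "streamSettings": {"network": "ws", "wsSettings": {"path": "/websocket/"},
    "security": "tls", "tlsSettings": {"serverName": "www.example.com", "allowInsecure": false}}}}"""


def parse_nginx_location(text):
    """Pull the location path, proxy_pass target and the WebSocket upgrade
    directives out of one nginx location block (regex-based, not a full parser)."""
    path = re.search(r"location\s+(\S+)\s*\{", text)
    target = re.search(r"proxy_pass\s+http://([\d.]+):(\d+)\s*;", text)
    return {
        "path": path.group(1) if path else None,
        "host": target.group(1) if target else None,
        "port": int(target.group(2)) if target else None,
        "http11": re.search(r"proxy_http_version\s+1\.1\s*;", text) is not None,
        "upgrade": re.search(r"proxy_set_header\s+Upgrade\s+\$http_upgrade\s*;", text) is not None,
        "connection": re.search(r'proxy_set_header\s+Connection\s+"upgrade"\s*;', text) is not None,
    }


def check_chain(server_json, nginx_text, client_json):
    """Return a list of mismatches between the server V2Ray inbound, the nginx
    location block and the client V2Ray outbound. Empty list means they agree."""
    problems = []
    inbound = json.loads(server_json)["inbound"]
    nginx = parse_nginx_location(nginx_text)
    outbound = json.loads(client_json)["outbound"]
    vnext = outbound["settings"]["vnext"][0]
    stream = outbound["streamSettings"]

    # V2Ray must only be reachable through nginx, i.e. bound to loopback.
    if inbound.get("listen") != "127.0.0.1":
        problems.append("server: inbound listen is not 127.0.0.1")
    if inbound.get("streamSettings", {}).get("network") != "ws":
        problems.append("server: inbound network is not ws")
    server_path = inbound.get("streamSettings", {}).get("wsSettings", {}).get("path")

    # nginx must forward exactly the path V2Ray expects, to the port it listens on.
    if nginx["path"] != server_path:
        problems.append("nginx: location path %r != server ws path %r" % (nginx["path"], server_path))
    if (nginx["host"], nginx["port"]) != (inbound.get("listen"), inbound.get("port")):
        problems.append("nginx: proxy_pass target does not match server listen address/port")
    if not (nginx["http11"] and nginx["upgrade"] and nginx["connection"]):
        problems.append("nginx: missing HTTP/1.1 or Upgrade/Connection headers for WebSocket")

    # Client must speak TLS to port 443 of the public name and verify the certificate.
    if vnext["port"] != 443:
        problems.append("client: port is not 443")
    if stream.get("security") != "tls":
        problems.append("client: security is not tls")
    tls = stream.get("tlsSettings", {})
    if tls.get("allowInsecure", False):
        problems.append("client: allowInsecure is true, certificate is not verified")
    if tls.get("serverName") != vnext["address"]:
        problems.append("client: tls serverName differs from address")
    if stream.get("wsSettings", {}).get("path") != server_path:
        problems.append("client: ws path differs from server ws path")

    # The client's user id must be one the server knows.
    server_ids = {c["id"] for c in inbound["settings"]["clients"]}
    for user in vnext["users"]:
        if user["id"] not in server_ids:
            problems.append("client: user id %s unknown to server" % user["id"])
    return problems


if __name__ == "__main__":
    for line in check_chain(SERVER_CONFIG, NGINX_LOCATION, CLIENT_CONFIG) or ["OK: configs agree"]:
        print(line)
```

To use it against a real deployment, read /etc/v2ray/config.json and the location block from /etc/nginx/sites-available/default on the server and the client's config.json, and pass their contents to check_chain; a non-empty result points at the exact place where the three disagree. The listen and allowInsecure checks are the ones worth keeping even after everything works, since loosening either silently removes the protection this setup depends on.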

Save the config file.

Double-click on v2ray.exe to launch the program.

You may get a warning to say, “Windows protected your PC,” and you will need to click on Run anyway.

A command window with messages pops up, and V2Ray starts listening on 127.0.0.1 port 1080.

Configure your browser to send traffic to the SOCKS5 proxy (i.e. V2Ray) which is now listening on localhost port 1080.

On Firefox, you can do this under Network Connection Settings:

  • Choose Manual proxy configuration
  • For SOCKS Host, put 127.0.0.1
  • For Port, put 1080
  • Select SOCKS v5
  • Check Proxy DNS when using SOCKS v5

On Chrome, you can do this by installing and configuring SwitchyOmega to send traffic to the SOCKS5 proxy on 127.0.0.1 port 1080.

Now you can open a browser and check your apparent IP address on a site such as whatismyipaddress.com.

If you turn the proxy off, or use a different browser or a different PC, you can browse to the website http://www.example.com as normal.

In the V2Ray command window on your PC, do Ctrl + c to close the V2Ray program. Also remember to set Firefox or Chrome back to their normal network settings.

Support

Github https://github.com/v2ray/v2ray-core/issues

Telegram https://telegram.me/projectv2ray

Reddit https://www.reddit.com/r/dumbclub
