Preface
Many people who use a one-click script to set up trojan-go for reaching services outside the country occasionally run into failures. In that case, try building it by hand: it only takes a few minutes and succeeds 100% of the time, so why not?
Differences between trojan and trojan-go
trojan-go: a complete Trojan proxy implemented in Go, compatible with the Trojan protocol and with the configuration file format of the original Trojan. Secure, efficient, lightweight and easy to use.
In addition, trojan-go has the following two features that trojan does not:
1. Multiplexing to improve concurrent performance
2. CDN traffic relay (based on WebSocket over TLS/SSL)
Prerequisites:
1. A VPS
2. A domain; blog.e9china.net and trojan.e9china.net are used as the examples
blog.e9china.net serves the normal website
trojan.e9china.net is the domain used to reach trojan
3. The client is Clash
1. Install the Nginx module
1.1 If lnmp is already installed
In the lnmp installation root directory:
vim lnmp.conf
Find Nginx_Modules_Options=''
and change it to
Nginx_Modules_Options='--with-stream_ssl_preread_module'
Then upgrade nginx to version 1.18.0:
./upgrade.sh nginx
Current Nginx Version:1.18.0
You can get version number from http://nginx.org/en/download.html
Please enter nginx version you want, (example: 1.18.0):
# Enter 1.18.0 and wait for the installation to finish.
1.2 If lnmp is not installed
screen -S lnmp
wget http://soft.vpser.net/lnmp/lnmp1.7.tar.gz -cO lnmp1.7.tar.gz && tar zxf lnmp1.7.tar.gz && cd lnmp1.7
vim lnmp.conf
Find Nginx_Modules_Options=''
and change it to
Nginx_Modules_Options='--with-stream_ssl_preread_module'
Then install:
./install.sh lnmp
2. Bind the domain
lnmp vhost add
At the last step, remember to request an SSL certificate, otherwise you cannot continue.
3. Edit nginx.conf
Open:
vim /usr/local/nginx/conf/nginx.conf
Nginx configuration:
user nginx;
pid /var/run/nginx.pid;
# Leave the other settings at their defaults

# Core traffic-forwarding configuration
stream {
    # This is the SNI match: map the server name to a backend name; web is the normal site, trojan is the proxy
    map $ssl_preread_server_name $backend_name {
        blog.e9china.net   web;
        trojan.e9china.net trojan;
        # Default when no name matches
        default            web;
    }
    # web: forwarding target
    upstream web {
        server 127.0.0.1:10240;
    }
    # trojan: forwarding target
    upstream trojan {
        server 127.0.0.1:10241;
    }
    # Listen on 443 and enable ssl_preread
    server {
        listen 443 reuseport;
        listen [::]:443 reuseport;
        proxy_pass $backend_name;
        ssl_preread on;
    }
}

http {
    # Leave this block unchanged
}
A few simple lines of configuration complete the traffic dispatch. Finally, change the listening ports in the Trojan and Web configurations so that they match the configuration above.
4. Edit the vhost configurations
Configuration for blog.e9china.net, the normal site:
server
{
    listen 80;
    #listen [::]:80;
    server_name blog.e9china.net ;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/blog.e9china.net;
    include rewrite/other.conf;
    #error_page 404 /404.html;
    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    include enable-php-pathinfo.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /\.
    {
        deny all;
    }
    access_log off;
}
server
{
    listen 10240 ssl http2; # This port must be the web upstream port from nginx.conf above (10240; 10241 is the trojan port)
    #listen [::]:443 ssl http2;
    server_name blog.e9china.net ;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/blog.e9china.net;
    ssl_certificate /usr/local/nginx/conf/ssl/blog.e9china.net/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/blog.e9china.net/blog.e9china.net.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 and TLSv1.3 alone are sufficient
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    include rewrite/other.conf;
    #error_page 404 /404.html;
    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    include enable-php-pathinfo.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /\.
    {
        deny all;
    }
    access_log off;
}
Configuration for trojan.e9china.net, the proxy site:
server
{
    listen 80;
    #listen [::]:80;
    server_name trojan.e9china.net ;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/trojan.e9china.net;
    # This block is only used when trojan-go is running in ws mode
    location /phpmyadmin {
        proxy_pass http://127.0.0.1:36402;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    access_log off;
}
Delete the remaining SSL server block for this vhost.
5. Install trojan-go
5.1 Create the directories used as the trojan installation directory
mkdir /etc/trojan
mkdir /etc/trojan/bin
mkdir /etc/trojan/conf
5.2 Download the latest trojan-go release
Open the trojan-go releases page in a browser: https://github.com/p4gefau1t/trojan-go/releases and find the latest release, currently v0.8.1.
There are releases for many different systems; pick the one matching your system. If you are unsure, run the following to check the system architecture:
uname -m
My VPS reports x86_64, so the matching release is trojan-go-linux-amd64.zip; download it with:
wget --no-check-certificate -O /etc/trojan/bin/trojan-go-linux-amd64.zip "https://github.com/p4gefau1t/trojan-go/releases/download/v0.8.2/trojan-go-linux-amd64.zip"
5.3 Unzip and install trojan-go
After downloading, unzip it:
unzip -o -d /etc/trojan/bin /etc/trojan/bin/trojan-go-linux-amd64.zip
If the command above reports unzip command not found, run the following on Debian and Ubuntu (not needed if there was no error):
apt -y install unzip
On CentOS run:
yum -y install unzip
That completes the trojan-go installation.
5.4 Configure trojan-go
With trojan-go installed, start configuring it.
5.4.1 Server configuration
1. Create the server configuration file (with ws):
vim /etc/trojan/conf/server.json
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 10241,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "ei202011"
    ],
    "log_level": 1,
    "log_file": "/etc/trojan/bin/test.log",
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "/usr/local/nginx/conf/ssl/trojan.e9china.net/fullchain.cer",
        "key": "/usr/local/nginx/conf/ssl/trojan.e9china.net/trojan.e9china.net.key",
        "key_password": "",
        "prefer_server_cipher": false,
        "alpn": [
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": "",
        "sni": "trojan.e9china.net",
        "fingerprint": "firefox"
    },
    "tcp": {
        "no_delay": true,
        "keep_alive": true
    },
    "mux": {
        "enabled": true,
        "concurrency": 8,
        "idle_timeout": 60
    },
    "websocket": {
        "enabled": true,
        "path": "/2a3c9839",
        "host": "trojan.e9china.net"
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 8088,
        "database": "trojan",
        "username": "trojan",
        "password": ""
    }
}
Configuration explained (the comments are annotations only; remove them from the real file, since JSON does not allow comments)
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 10241, // must match the trojan upstream port in nginx.conf
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "ei202011" // client connection password; special characters are not supported; several passwords may be listed for multi-user access
    ],
    "log_level": 1,
    "log_file": "/etc/trojan/bin/test.log",
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "/usr/local/nginx/conf/ssl/trojan.e9china.net/fullchain.cer", // change to the path of the uploaded certificate .pem/.crt file
        "key": "/usr/local/nginx/conf/ssl/trojan.e9china.net/trojan.e9china.net.key", // change to the path of the certificate .key file
        "key_password": "",
        "prefer_server_cipher": false,
        "alpn": [
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": "",
        "sni": "trojan.e9china.net",
        "fingerprint": "firefox"
    },
    "tcp": {
        "no_delay": true,
        "keep_alive": true
    },
    "mux": {
        "enabled": true,
        "concurrency": 8,
        "idle_timeout": 60
    },
    "websocket": {
        "enabled": true, // set to true to enable the CDN feature
        "path": "/2a3c9839", // make the path as complex as possible so that it is not easily identified by probing
        "host": "trojan.e9china.net" // your own domain name
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 8088,
        "database": "trojan",
        "username": "trojan",
        "password": ""
    }
}
5.4.2 Start the trojan-go service
1. Create the trojan-go service file (the original unit had a stale PIDFile path, an empty ExecReload= and an ExecStop= that would launch a second trojan-go instead of stopping it; with Type=simple none of these are needed, and systemd stops the process with SIGTERM by default):
cat >/etc/systemd/system/trojan.service<< EOF
[Unit]
Description=trojan
Documentation=https://github.com/p4gefau1t/trojan-go
After=network.target

[Service]
Type=simple
StandardError=journal
ExecStart=/etc/trojan/bin/trojan-go -config /etc/trojan/conf/server.json
LimitNOFILE=51200
Restart=on-failure
RestartSec=1s

[Install]
WantedBy=multi-user.target
EOF
2. Load the service file:
systemctl daemon-reload
3. Start the service:
systemctl start trojan.service
4. Some other commands:
systemctl stop trojan.service      # stop trojan-go
systemctl restart trojan.service   # restart trojan-go
Once the server and client configuration files are in place, you can start using the proxy. However, this configuration file does not set up any of trojan-go's new features.
5.4.3 Configuring the new features
Let's look at how to set up these new features one by one:
1. Configure CDN traffic relay
Change the following three things in the server configuration file:
1. Set line 2 to true
2. Set line 3 to a URL path that must begin with a slash ("/"), for example /my; client and server must use the same value
3. Line 4 is the domain name
"websocket": {
    "enabled": true,
    "path": "/your-websocket-path",
    "host": "example.com"
}
- host is the host name, normally the domain. On the client, host is optional; fill in your domain. If left empty, remote_addr is used instead.
- path is the URL path where the WebSocket lives; it must begin with a slash ("/"). There is no special requirement beyond being a valid URL path, but the client and server paths must be identical. Choose a fairly long string for path to avoid direct active probing by the GFW. The client's host is included in the WebSocket handshake HTTP request sent to the CDN server and must be valid; the server and client path must match, otherwise the WebSocket handshake cannot take place.
2. Use multiplexing to improve concurrent performance
On both the server and the client, simply change false to true:
"mux": {
    "enabled": true,
    "concurrency": 8,
    "idle_timeout": 60
},
6. Clash client configuration
6.1 Configuration with ws
- name: "ru-105"
  type: trojan
  server: trojan.e9china.net
  port: 443
  password: ei202011
  ws-path: /2a3c9839
  tls: true
  # udp: true
  # sni: example.com # aka server name
  alpn:
    - h2
    - http/1.1
  # skip-cert-verify: true
6.2 Configuration without ws
- name: "ru-105"
  type: trojan
  server: trojan.e9china.net
  port: 443
  password: ei202011
  tls: true
  alpn:
    - h2
    - http/1.1
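This guide requires several values to agree: the trojan upstream port in nginx.conf and local_port in server.json, the 443 stream listener and the Clash port, the password, and the WebSocket path on both sides. The following Python check, added here and not part of the original post, reads constructed fragments modelled on the configurations above and reports every mismatch before you restart the services.

```python
import json
import re
from typing import List

# Constructed fragments mirroring the nginx stream block, server.json and the Clash entry above
NGINX_STREAM = """
upstream trojan { server 127.0.0.1:10241; }
server { listen 443 reuseport; proxy_pass $backend_name; ssl_preread on; }
"""
SERVER_JSON = """{"run_type": "server", "local_port": 10241, "password": ["ei202011"],
  "websocket": {"enabled": true, "path": "/2a3c9839", "host": "trojan.e9china.net"}}"""
CLASH_ENTRY = """- name: "ru-105"
  type: trojan
  server: trojan.e9china.net
  port: 443
  password: ei202011
  ws-path: /2a3c9839
  tls: true
"""


def yaml_scalar(text: str, key: str):
    """Pull one scalar value out of the flat Clash proxy entry (no PyYAML needed)."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(\S+)", text, re.M)
    return m.group(1).strip('"') if m else None


def check_consistency(nginx_stream: str, server_json: str, clash_entry: str) -> List[str]:
    """Return human-readable mismatches; an empty list means the three files agree."""
    problems = []
    cfg = json.loads(server_json)
    upstream = re.search(r"upstream\s+trojan\s*\{[^}]*?server\s+[\d.]+:(\d+)", nginx_stream)
    listen = re.search(r"listen\s+(\d+)", nginx_stream)
    if not upstream or int(upstream.group(1)) != cfg["local_port"]:
        problems.append(f"nginx 'upstream trojan' port differs from trojan-go local_port {cfg['local_port']}")
    if not listen or yaml_scalar(clash_entry, "port") != listen.group(1):
        problems.append("Clash 'port' must be the port the nginx stream server listens on (443 here)")
    if yaml_scalar(clash_entry, "password") not in cfg["password"]:
        problems.append("Clash password is not in trojan-go's password list")
    ws = cfg.get("websocket", {})
    clash_path = yaml_scalar(clash_entry, "ws-path")
    if ws.get("enabled") and clash_path != ws.get("path"):
        problems.append("websocket is enabled but Clash ws-path differs from the server websocket.path")
    if not ws.get("enabled") and clash_path:
        problems.append("Clash sets ws-path but the server has websocket disabled")
    return problems
```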
7. Disguise the proxy site
trojan.e9china.net must be made to look like a normally accessible website.
Upload some site (for example, a content-scraping "thief" site) into the /home/wwwroot/trojan.e9china.net directory.
8. Afterword
This document is a technical test article and does not involve any other fields! Do not use it for illegal purposes! Otherwise you bear the consequences yourself!