Step by step: setting up shadowsocks with HTTPS obfuscation
1. Why HTTPS obfuscation is needed
shadowsocks by itself is just a simple SOCKS5 proxy protocol. At present the plain shadowsocks protocol can be detected with 100% reliability and is usually blocked within a few days; on top of that, shadowsocks only has very simple encryption and is easy to break. HTTPS obfuscation wraps the shadowsocks protocol inside HTTPS traffic, which gives encryption, integrity and authentication: as long as the private key does not leak, the channel is secure, and there is no need to worry about man-in-the-middle attacks, dictionary attacks and the like. HTTPS is also well supported from hardware up to software and performs well, so the overhead is not a concern.
2. Registering a domain
Log in to the AWS console -> Route 53 -> Registered domains -> Register domains
3. Creating the VPC network
The VPC that AWS creates by default does not assign IPv6 addresses automatically, so an IPv6 CIDR has to be allocated to it.
- After choosing a region there is already a default VPC: VPC -> Your VPCs -> select the VPC -> Actions -> Edit CIDRs -> IPv6 CIDRs -> Add new IPv6 CIDR -> Amazon-provided IPv6 CIDR block -> Select CIDR -> Close
4. Buying a cloud server
- Log in to the AWS console
- Launch an EC2 instance
  - Choose Ubuntu
  - AMI: Ubuntu Server 24.04 LTS
  - Architecture: 64-bit (ARM)
  - Instance type: t4g.micro (2 cores, 1 GB RAM); 1 GB of RAM is more than enough for shadowsocks + nginx. t4g.nano also works
  - Create a key pair or choose an existing one. When you create one, the private key is downloaded automatically. Keep that private key safe: if it leaks, someone else can log in to your server, and if you lose it you can no longer log in over SSH
  - Choose the VPC created in the previous step
  - Firewall: create a security group or choose an existing one
  - Configure storage: one 8 GB gp3 disk
- Edit the instance's inbound security rules
  EC2 -> Instances -> select the instance -> Security -> click the security group listed under Security groups (launch-wizard-1 by default) -> Edit inbound rules -> add the rules below -> Save rules
  - add rule -> Type: HTTPS -> Source: Anywhere-IPv4
  - add rule -> Type: HTTPS -> Source: Anywhere-IPv6
  - add rule -> Type: SSH -> Source: Anywhere-IPv4
  - add rule -> Type: SSH -> Source: Anywhere-IPv6
  - add rule -> Type: HTTP -> Source: Anywhere-IPv4
  - add rule -> Type: HTTP -> Source: Anywhere-IPv6
5. Installing the software
```sh
ssh ubuntu@xxxx
sudo su
apt update
apt remove -y --autoremove vim-tiny
apt install -y vim-nox wget nginx certbot python3-certbot-nginx net-tools
cd /etc/nginx
# Drop the distribution's default site; the whole config lives in nginx.conf below
rm -rf sites-available/*
rm -rf sites-enabled/*
```
6. Requesting an HTTPS certificate
- Start nginx
  Edit /etc/nginx/nginx.conf (sudo vi /etc/nginx/nginx.conf) so that it contains the following:
```nginx
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;

events {
    worker_connections 768;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main "$remote_addr - $remote_user [$time_local] \"$request\" "
                    "$status $body_bytes_sent \"$http_referer\" "
                    "\"$http_user_agent\" \"$http_x_forwarded_for\"";
    access_log /var/log/nginx/access.log main;
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    keepalive_timeout 650;
    types_hash_max_size 2048;
    types_hash_bucket_size 64;
    client_max_body_size 10G;
    server_names_hash_bucket_size 64;
    proxy_connect_timeout 60s;
    proxy_send_timeout 1800s;
    proxy_read_timeout 1800s;
    # Buffering
    proxy_buffering off;
    proxy_request_buffering off;
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/rss+xml application/atom+xml image/svg+xml;
    ssl_session_timeout 5m;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:128m;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve prime256v1;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=60s ipv6=on;
    resolver_timeout 2s;
    # Trusts X-Forwarded-For from every source: any client can set that header itself,
    # so the logged $remote_addr is only reliable when a trusted proxy sits in front
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        location /ip {
            default_type text/plain;
            return 200 "Client IP: $remote_addr\nX-Forwarded-For: $http_x_forwarded_for\nX-Real-IP: $http_x_real_ip\n";
        }
    }
}
```
  Then check the config and start the service:
```sh
nginx -t
sudo su
systemctl enable nginx
systemctl restart nginx
```
- Configure DNS
  - Log in to the AWS console -> Route 53 -> Hosted zones -> click the zone to configure (open it, don't just tick it) -> Edit -> Create record -> enter the EC2 instance's IPv4 address -> Create record. Two records are needed in total: one with Record name (subdomain) www, and one with an empty Record name
  - Verify that the name resolves with nslookup www.xxx.io
- Request the certificate with certbot
  Note: request all subdomains at the same time, separated by commas, e.g. xxx.io,www.xxx.io
```sh
sudo certbot --nginx
```
- Configure nginx again so that it serves HTTPS
  ssh ubuntu@ip, then edit /etc/nginx/nginx.conf (sudo vi /etc/nginx/nginx.conf) so that it contains the following:
```nginx
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;

events {
    worker_connections 768;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main "$remote_addr - $remote_user [$time_local] \"$request\" "
                    "$status $body_bytes_sent \"$http_referer\" "
                    "\"$http_user_agent\" \"$http_x_forwarded_for\"";
    access_log /var/log/nginx/access.log main;
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    keepalive_timeout 650;
    types_hash_max_size 2048;
    types_hash_bucket_size 64;
    client_max_body_size 10G;
    server_names_hash_bucket_size 64;
    proxy_connect_timeout 60s;
    proxy_send_timeout 1800s;
    proxy_read_timeout 1800s;
    # Buffering
    proxy_buffering off;
    proxy_request_buffering off;
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/rss+xml application/atom+xml image/svg+xml;
    ssl_session_timeout 5m;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:128m;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve prime256v1;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=60s ipv6=on;
    resolver_timeout 2s;
    # Trusts X-Forwarded-For from every source: any client can set that header itself,
    # so the logged $remote_addr is only reliable when a trusted proxy sits in front
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        location /ip {
            default_type text/plain;
            return 200 "Client IP: $remote_addr\nX-Forwarded-For: $http_x_forwarded_for\nX-Real-IP: $http_x_real_ip\n";
        }
    }

    # HTTPS site that carries the shadowsocks traffic
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name xxx.yyy.net;
        ssl_certificate /etc/letsencrypt/live/zzz.io/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zzz.io/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        # WebSocket path that v2ray-plugin tunnels shadowsocks through; the path and the
        # host name must match plugin_opts in shadowsocks-server.json, and only this
        # location reaches the plain shadowsocks port on 127.0.0.1
        location /sspath {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:1080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
        }
    }

    # Optional second site: reverse proxy to another backend on the same certificate
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name zzz.com www.zzz.com blog.zzz.com;
        ssl_certificate /etc/letsencrypt/live/zzz.io/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zzz.io/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        location / {
            proxy_redirect off;
            set $backend https://home.zzz.com:444;
            proxy_pass $backend;
            proxy_connect_timeout 10s;
            proxy_read_timeout 30s;
            proxy_send_timeout 30s;
            keepalive_timeout 65s;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
            set $backend https://home.zzz.com:444;
            proxy_pass $backend;
            expires 30d;
            access_log off;
        }
        location /files/ {
            set $backend https://home.zzz.com:444;
            proxy_pass $backend;
            expires 30d;
            access_log off;
        }
    }
}
```
  Then check the config and restart:
```sh
nginx -t
sudo su
systemctl enable nginx
systemctl restart nginx
```
7. Installing and configuring shadowsocks
- Log in to the server with a tool such as PuTTY or MobaXterm
```sh
ssh ubuntu@ip
```
- Download and install shadowsocks
```sh
cd /usr/local/bin
wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.23.5/shadowsocks-v1.23.5.aarch64-unknown-linux-gnu.tar.xz
wget https://github.com/teddysun/v2ray-plugin/releases/download/v5.41.0/v2ray-plugin-linux-arm64-v5.41.0.tar.gz
# Compare each archive's checksum with the one published on its release page before extracting
tar xvf shadowsocks-v1.23.5.aarch64-unknown-linux-gnu.tar.xz
rm shadowsocks-v1.23.5.aarch64-unknown-linux-gnu.tar.xz
tar zxvf v2ray-plugin-linux-arm64-v5.41.0.tar.gz
rm v2ray-plugin-linux-arm64-v5.41.0.tar.gz
# Builds for other platforms (e.g. for the client machine):
#wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.23.5/shadowsocks-v1.23.5.aarch64-apple-darwin.tar.xz
#wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.23.5/shadowsocks-v1.23.5.x86_64-apple-darwin.tar.xz
# wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.23.5/shadowsocks-v1.23.5.x86_64-unknown-linux-gnu.tar.xz
# wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.23.5/shadowsocks-v1.23.5.x86_64-pc-windows-msvc.zip
```
- Set up shadowsocks as a service that starts at boot
  Create /etc/systemd/system/shadowsocks-server.service (cd /etc/systemd/system; vi shadowsocks-server.service):
```ini
[Unit]
Description=shadowsocks-rust server
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Runs as a throwaway unprivileged user; only the bind capability is kept
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
DynamicUser=true
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks-rust/shadowsocks-server.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
```
- Configure shadowsocks
  Here host is the domain you registered. server is bound to 127.0.0.1, so the plain shadowsocks port 1080 is only reachable through nginx; loglevel=debug can be lowered once everything works.
```sh
mkdir /etc/shadowsocks-rust/
cd /etc/shadowsocks-rust/
vi shadowsocks-server.json
```
```json
{
    "servers": [
        {
            "server": "127.0.0.1",
            "server_port": 1080,
            "password": "xxxx",
            "mode": "tcp_and_udp",
            "fast_open": true,
            "no_delay": true,
            "timeout": 600,
            "method": "aes-256-gcm",
            "nofile": 10240,
            "plugin": "/usr/local/bin/v2ray-plugin_linux_arm64",
            "plugin_opts": "server;host=yyy.xxx.net;path=/sspath;loglevel=debug"
        }
    ]
}
```
- Start shadowsocks
```sh
sudo su
systemctl enable shadowsocks-server
systemctl start shadowsocks-server
```
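As an added check (example code written for this page, not part of the original tutorial or of shadowsocks-rust), the script below cross-checks the nginx 443 server block against shadowsocks-server.json: the plugin's host and path must match nginx's server_name and location, the location must forward to ssserver's port with WebSocket upgrade headers, and ssserver must stay on loopback. Both inputs are constructed inline from the page's own placeholders, so the host check fires on them (the page uses xxx.yyy.net in nginx but yyy.xxx.net in plugin_opts); pointing the script at the real files is a matter of reading them in.

```python
import json
import re

# Constructed samples mirroring the page's nginx 443 block and shadowsocks-server.json (placeholders kept).
NGINX_CONF = """
server {
    server_name xxx.yyy.net;
    location /sspath {
        proxy_pass http://127.0.0.1:1080;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""
SS_JSON = """{"servers": [{"server": "127.0.0.1", "server_port": 1080,
 "password": "xxxx", "method": "aes-256-gcm",
 "plugin": "/usr/local/bin/v2ray-plugin_linux_arm64",
 "plugin_opts": "server;host=yyy.xxx.net;path=/sspath;loglevel=debug"}]}"""

def parse_plugin_opts(opts):
    """Turn 'server;host=a;path=/p' into a dict; bare flags map to True."""
    return {k: (v or True) for k, _, v in (i.partition("=") for i in opts.split(";") if i)}

def check(nginx_conf, ss_json):
    """Cross-check the two configs; returns a list of findings (empty means consistent)."""
    srv = json.loads(ss_json)["servers"][0]
    opts = parse_plugin_opts(srv["plugin_opts"])
    findings = []
    # Plain shadowsocks must listen on loopback only, so it is reachable only through nginx.
    if srv["server"] not in ("127.0.0.1", "::1", "localhost"):
        findings.append("ssserver bound to %s, not loopback" % srv["server"])
    # The nginx location must equal the plugin's websocket path and forward to ssserver's port.
    loc = re.search(r"location\s+(\S+)\s*\{([^}]*)\}", nginx_conf)
    if not loc or loc.group(1) != opts.get("path"):
        findings.append("nginx location does not match plugin path %s" % opts.get("path"))
    else:
        port = re.search(r"proxy_pass\s+http://[^:]+:(\d+);", loc.group(2))
        if not port or int(port.group(1)) != srv["server_port"]:
            findings.append("proxy_pass port != server_port %d" % srv["server_port"])
        if "$http_upgrade" not in loc.group(2) or '"upgrade"' not in loc.group(2):
            findings.append("location lacks websocket Upgrade/Connection headers")
    # The host the client sends (SNI and Host header) must be a server_name nginx serves.
    names = {n for m in re.finditer(r"server_name\s+([^;]+);", nginx_conf) for n in m.group(1).split()}
    if opts.get("host") not in names:
        findings.append("plugin host %s not in server_name %s" % (opts.get("host"), sorted(names)))
    # Debug logging on a long-running proxy floods the journal; lower it once things work.
    if opts.get("loglevel") == "debug":
        findings.append("plugin loglevel=debug left enabled")
    return findings
```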
8. Windows client configuration
- Plugin program: D:\software\Shadowsocks-4.4.1.0\xray.exe
- Plugin options: tls;host=xxx.yyy.com;path=/sspath
- Download: https://github.com/shadowsocks/shadowsocks-windows/releases/download/4.4.1.0/Shadowsocks-4.4.1.0.zip
9. macOS client configuration
- Plugin options: tls;host=xxx.yyy.com;path=/sspath
- For the plugin, just enter v2ray-plugin: the macOS client ships with the v2ray-plugin HTTPS obfuscation plugin, and it supports both ARM and x86_64 chips. Note that even when global mode is selected in the macOS client, Chrome still needs the extension
- Download: https://github.com/shadowsocks/ShadowsocksX-NG/releases/download/v1.10.3/ShadowsocksX-NG.dmg
Chrome extension configuration
Extension download: https://github.com/zero-peak/ZeroOmega/releases/download/v3.4.5/zeroomega-3.4.5.crx
Extension settings:
auto switch:
- Rule list rules -> proxy
- Rule List URL -> https://raw.githubusercontent.com/gfwlist/gfwlist/refs/heads/master/gfwlist.txt
proxy:
- Protocol: SOCKS5
- Server: 127.0.0.1
- Port: 1086
Troubleshooting
- Lost the SSH private key
  The only way back in is through the web console: EC2 -> Instances -> Connect, then use EC2 Instance Connect or the EC2 serial console to log in to the server and set up a new SSH key pair for future logins