This article was last updated 430 days ago; the information in it may have moved on or changed since then.
1. Install and start Nginx
Install Nginx:
yum -y install epel-release
yum -y install nginx
service nginx start
# Enable start on boot
systemctl enable nginx
Browse to the server IP to check that the page is reachable. If it is not, open the firewall and the security group. BandwagonHost does not need these steps, so they are skipped in this article.
Next, configure Nginx:
cd /etc/nginx
vi nginx.conf
# nginx.conf
...
...
# ====== example.com ======
# === usa-bwg-01.example.com ===
server {
listen 80;
listen [::]:80;
server_name usa-bwg-01.example.com;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
# Let's Encrypt certificate validation (highest priority, so it goes first)
location ~ /.well-known {
root /usr/share/nginx;
allow all;
}
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
...
...
Then restart:
nginx -s reload
service nginx restart
2. Install certbot and request a certificate
Install:
yum -y install certbot
Request the certificate:
certbot certonly --webroot --agree-tos -v -t --email [email protected] -w /usr/share/nginx/ -d usa-bwg-01.example.com
I ran into two errors here:
① A certificate expiry error on BandwagonHost:
... ...
if 'timed out' in str(err) or 'did not complete (read)' in str(err): # Python 2.6
TypeError: __str__ returned non-string (type Error)
An unexpected error occurred:
TypeError: __str__ returned non-string (type Error)
Please see the logfiles in /var/log/letsencrypt for more details.
I recalled that a Let's Encrypt certificate had expired once in the first half of 2022, so I checked the root certificate version on the server:
yum list updates -q | grep ca-certificates
The version returned:
ca-certificates.noarch 2021.2.50-72.el7_9 updates
Sure enough, it was out of date, so update it:
# View the changelog
rpm -qa --changelog ca-certificates | head -n5
# Install the update
yum -y update ca-certificates
After that, requesting the certificate succeeds.
② An import error from the Python 2 script on Alibaba Cloud:
... ...
  File "/usr/lib/python2.7/site-packages/certbot/_internal/constants.py", line 6, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 10, in <module>
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 31, in <module>
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 45, in <module>
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 4, in <module>
    from .request import make_headers
  File "/usr/lib/python2.7/site-packages/urllib3/util/request.py", line 5, in <module>
    from ..exceptions import UnrewindableBodyError
ImportError: cannot import name UnrewindableBodyError
Run the following commands to reinstall the python-requests module:
sudo pip uninstall requests
sudo pip uninstall urllib3
sudo yum remove python-urllib3
sudo yum remove python-requests
sudo yum install python-urllib3
sudo yum install python-requests
Once the certificate has been issued, don't forget to add a cron job that renews it, so it does not expire after 3 months:
# Configure the cron job
crontab -e
# Renew the certificate every 12 hours
0 */12 * * * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
# Reload cron
service crond restart
3. Install Trojan-Go
Note: Trojan-Go is used here because it supports connection multiplexing, so it establishes connections faster than the plain Trojan server, although this has little effect on the download speed of the videos later on. Installing and configuring the original Trojan and the Go version is essentially the same; if you want the original, just switch the download URL of the archive.
Download and extract:
# Download
yum -y install wget
wget https://github.com/p4gefau1t/trojan-go/releases/download/v0.10.6/trojan-go-linux-amd64.zip
# Extract into the trojan-go directory
mkdir trojan-go
yum -y install unzip
unzip -d trojan-go/ trojan-go-linux-amd64.zip
Original version:
# Download
yum -y install wget
wget https://github.com/trojan-gfw/trojan/releases/download/v1.16.0/trojan-1.16.0-linux-amd64.tar.xz
# Extract the trojan directory
tar -xvf trojan-1.16.0-linux-amd64.tar.xz
# Note: in the steps that follow, replace the trojan-go directory with trojan
Then enter the directory and create the config file:
cd trojan-go
vi config.json
The config is below; just change the password and the domain to your own. My trojan-go executable is in /root/trojan-go/; if yours is elsewhere, change the paths accordingly:
{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "log_level": 1,
  "log_file": "/root/trojan-go/test.log",
  "password": [
    "YourPassword"
  ],
  "buffer_size": 32,
  "dns": [],
  "ssl": {
    "verify": true,
    "verify_hostname": true,
    "cert": "/etc/letsencrypt/live/usa-bwg-01.example.com/fullchain.pem",
    "key": "/etc/letsencrypt/live/usa-bwg-01.example.com/privkey.pem",
    "key_password": "",
    "cipher": "",
    "cipher_tls13": "",
    "curves": "",
    "prefer_server_cipher": false,
    "sni": "usa-bwg-01.example.com",
    "alpn": [
      "http/1.1"
    ],
    "session_ticket": true,
    "reuse_session": true,
    "plain_http_response": "",
    "fallback_port": 80,
    "fingerprint": "firefox",
    "serve_plain_text": false
  },
  "tcp": {
    "no_delay": true,
    "keep_alive": true,
    "reuse_port": false,
    "prefer_ipv4": false,
    "fast_open": false,
    "fast_open_qlen": 20
  },
  "mux": {
    "enabled": true,
    "concurrency": 8,
    "idle_timeout": 60
  },
  "router": {
    "enabled": false,
    "bypass": [],
    "proxy": [],
    "block": [],
    "default_policy": "proxy",
    "domain_strategy": "as_is",
    "geoip": "/root/trojan-go/geoip.dat",
    "geosite": "/root/trojan-go/geosite.dat"
  },
  "websocket": {
    "enabled": false,
    "path": "/",
    "hostname": "usa-bwg-01.example.com",
    "obfuscation_password": "",
    "double_tls": true,
    "ssl": {
      "verify": true,
      "verify_hostname": true,
      "cert": "/etc/letsencrypt/live/usa-bwg-01.example.com/fullchain.pem",
      "key": "/etc/letsencrypt/live/usa-bwg-01.example.com/privkey.pem",
      "key_password": "",
      "prefer_server_cipher": false,
      "sni": "usa-bwg-01.example.com",
      "session_ticket": true,
      "reuse_session": true,
      "plain_http_response": ""
    }
  }
}
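As an added check that is not part of the original post or of Trojan-Go itself, this Python script lints a server config.json for the two slips this setup is prone to: leaving the placeholder password in place, and pointing ssl.cert/ssl.key at a certbot directory that does not match ssl.sni. The sample config embedded in it is constructed from the one above; the 16-character password floor is an assumption.

```python
"""Sanity-check a Trojan-Go server config.json for the slips this guide is prone to
(placeholder password, certificate paths that do not match the SNI/domain).
Added example for this post; it is not part of Trojan-Go or of the original post."""
import json

# Values the guide itself uses as stand-ins; they must not survive into production.
PLACEHOLDER_PASSWORDS = {"YourPassword", "password", "123456", ""}
MIN_PASSWORD_LEN = 16  # assumption: a reasonable floor for a shared secret


def lint_trojan_config(raw: str) -> list:
    """Return a list of findings (strings). An empty list means no issue was found."""
    cfg = json.loads(raw)
    findings = []
    if cfg.get("run_type") != "server":
        findings.append("run_type must be 'server' on the VPS")
    passwords = cfg.get("password") or []
    if not passwords:
        findings.append("no password configured")
    for pw in passwords:
        if pw in PLACEHOLDER_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
            findings.append("weak or placeholder password: %r" % pw)
    ssl = cfg.get("ssl", {})
    sni = ssl.get("sni", "")
    if not sni:
        findings.append("ssl.sni is empty; set it to the certificate's domain")
    for key in ("cert", "key"):
        path = ssl.get(key, "")
        # certbot keeps the live certificate for a domain under /etc/letsencrypt/live/<domain>/
        if not path.startswith("/etc/letsencrypt/live/"):
            findings.append("ssl.%s is not a certbot live path: %r" % (key, path))
        elif sni and "/live/%s/" % sni not in path:
            findings.append("ssl.%s does not belong to sni %r" % (key, sni))
    return findings


# Constructed sample: the guide's config with its placeholder password left in place.
SAMPLE_AS_POSTED = json.dumps({
    "run_type": "server", "local_addr": "0.0.0.0", "local_port": 443,
    "remote_addr": "127.0.0.1", "remote_port": 80,
    "password": ["YourPassword"],
    "ssl": {"sni": "usa-bwg-01.example.com",
            "cert": "/etc/letsencrypt/live/usa-bwg-01.example.com/fullchain.pem",
            "key": "/etc/letsencrypt/live/usa-bwg-01.example.com/privkey.pem"},
})

if __name__ == "__main__":
    for line in lint_trojan_config(SAMPLE_AS_POSTED) or ["config passed"]:
        print(line)
```

Run it against the real file with `lint_trojan_config(open("/root/trojan-go/config.json").read())` before starting the service; the same check can be wired into the systemd unit as an ExecStartPre step.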
Try starting it:
/root/trojan-go/trojan-go -config /root/trojan-go/config.json
If it exits right away, check for a port conflict and read the log.
Check port usage:
yum -y install lsof
lsof -i:443
Log:
cat /root/trojan-go/test.log
The corresponding config snippet in Clash:
... ...
proxies:
  - {name: Trojan-搬瓦工美国, type: trojan, server: usa-bwg-01.example.com, port: 443, password: YourPassword }
... ...
4. Register Trojan-Go as a service so it starts on boot
Create the service:
cd /usr/lib/systemd/system/
vi trojan-go.service
Contents:
[Unit]
Description=trojan-go
After=network.target nss-lookup.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/root/trojan-go/trojan-go -config /root/trojan-go/config.json
Restart=on-failure
RestartSec=10
RestartPreventExitStatus=23
[Install]
WantedBy=multi-user.target
The control commands from here on are simple:
# Start
systemctl start trojan-go.service
# Stop
systemctl stop trojan-go.service
# Enable start on boot
systemctl enable trojan-go.service
Done.