
[Archived article] Setting up a Trojan server on CentOS 7 (with some special configuration for BandwagonHost machines)


A tutorial on setting up a Trojan protocol node, plus the special configuration needed on BandwagonHost (搬瓦工) machines.

Note: this article was migrated from my old blog system because I think it is still worth keeping. Given its age, it may no longer reflect best practice; treat it as a reference only.


1. Install and start Nginx

Install Nginx:

yum -y install epel-release
yum -y install nginx
service nginx start
# enable start on boot
systemctl enable nginx

Visit the server's IP to check that the page is reachable; if it is not, open the port in the firewall and the security group. BandwagonHost does not need these steps, so they are skipped in this article.
Next, configure Nginx:

cd /etc/nginx
vi nginx.conf
# nginx.conf
    ...
    ...
    # ====== example.com ======
    # === usa-bwg-01.example.com ===
    server {
        listen       80;
        listen       [::]:80;
        server_name  usa-bwg-01.example.com;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        # Let's Encrypt certificate validation (highest priority, so it goes first)
        location ~ /.well-known {
            root /usr/share/nginx;
            allow all;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
    ...
    ...

Then restart it:

nginx -s reload
service nginx restart

2. Install certbot and request a certificate

Install:

yum -y install certbot

Request the certificate:

certbot certonly --webroot --agree-tos -v -t --email xxxxxx@qq.com -w /usr/share/nginx/ -d usa-bwg-01.example.com

I ran into two errors here:
① A certificate-expiry error on BandwagonHost:

...
...
    if 'timed out' in str(err) or 'did not complete (read)' in str(err):  # Python 2.6
TypeError: __str__ returned non-string (type Error)
An unexpected error occurred:
TypeError: __str__ returned non-string (type Error)
Please see the logfiles in /var/log/letsencrypt for more details.

I remembered that a Let's Encrypt certificate had expired in the first half of 2022, so I checked the version of the server's root certificates:

yum list updates -q | grep ca-certificates

The version returned:

ca-certificates.noarch            2021.2.50-72.el7_9               updates

Sure enough, it was out of date, so update it:

# view the update changelog
rpm -qa --changelog ca-certificates | head -n5
# install the update
yum -y update ca-certificates

After that, requesting the certificate succeeds.
② A Python 2 import error from the certbot scripts, seen on Alibaba Cloud:

...
...
  File "/usr/lib/python2.7/site-packages/certbot/_internal/constants.py", line 6, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 10, in <module>
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 31, in <module>
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 45, in <module>
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 4, in <module>
    from .request import make_headers
  File "/usr/lib/python2.7/site-packages/urllib3/util/request.py", line 5, in <module>
    from ..exceptions import UnrewindableBodyError
ImportError: cannot import name UnrewindableBodyError

Reinstall the python-requests module with the following commands:

sudo pip uninstall requests
sudo pip uninstall urllib3
sudo yum remove python-urllib3
sudo yum remove python-requests
sudo yum install python-urllib3
sudo yum install python-requests

After the certificate is issued, don't forget to add a cron job that renews it, so it does not expire after 3 months:

# configure the cron job
crontab -e
# try to renew the certificate every 12 hours (certbot only actually renews when it is close to expiry)
# note: the certificate was requested with --webroot, so Nginx must stay running to serve the
# HTTP-01 challenge; stopping it in a pre-hook would make the renewal fail, so only restart
# Nginx afterwards to pick up the new certificate
0 */12 * * * certbot renew --post-hook "service nginx restart"
# reload the cron daemon
service crond restart
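Because the cron job only attempts renewal and fails silently when the challenge breaks, it is worth having an independent check of how many days the deployed certificate has left. The following is an added example, not code from the original article: it parses the `notAfter=` line that `openssl x509 -noout -enddate` prints, and warns below a threshold. The sample date and the 30-day threshold are constructed for the example; `check_cert_file` assumes the `openssl` binary is on the PATH and, when run as a script, takes the PEM path (for example the `fullchain.pem` certbot writes under `/etc/letsencrypt/live/`) as its first argument.

```python
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of what `openssl x509 -noout -enddate` prints; the date is made up.
SAMPLE_ENDDATE = "notAfter=Aug  1 12:00:00 2022 GMT"

# Let's Encrypt certificates are valid for 90 days and certbot renews them when
# 30 days remain, so anything below that means renewal is not working (assumed threshold).
WARN_DAYS = 30


def utc_date(year: int, month: int, day: int) -> datetime:
    """Helper so callers can build an aware UTC 'now' without touching datetime directly."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_not_after(line: str) -> datetime:
    """Turn an openssl 'notAfter=Aug  1 12:00:00 2022 GMT' line into an aware UTC datetime."""
    stamp = line.strip().split("=", 1)[1]
    if stamp.endswith(" GMT"):
        stamp = stamp[:-4]
    # strptime treats a space in the format as "one or more" whitespace, so the
    # double space openssl prints before single-digit days is accepted.
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_until_expiry(line: str, now: datetime) -> int:
    """Whole days between `now` and the certificate's notAfter; negative once expired."""
    return (parse_not_after(line) - now).days


def needs_attention(line: str, now: datetime, warn_days: int = WARN_DAYS) -> bool:
    """True when renewal should already have happened (or the cert has expired)."""
    return days_until_expiry(line, now) < warn_days


def check_cert_file(path: str, now: datetime = None) -> int:
    """Run openssl on a PEM file and return the number of days left (assumes openssl is installed)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate"],
        check=True, capture_output=True, text=True,
    ).stdout
    return days_until_expiry(out, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    pem = sys.argv[1] if len(sys.argv) > 1 else None
    if pem is None:
        # No file given: demonstrate on the constructed sample line.
        left = days_until_expiry(SAMPLE_ENDDATE, utc_date(2022, 7, 1))
        print(f"sample certificate: {left} days left, attention needed: {left < WARN_DAYS}")
    else:
        try:
            left = check_cert_file(pem)
        except (FileNotFoundError, subprocess.CalledProcessError) as exc:
            sys.exit(f"could not read certificate: {exc}")
        print(f"{pem}: {left} days left")
        if left < WARN_DAYS:
            sys.exit(1)
```

Running it from cron with the same schedule as `certbot renew` and mailing or logging the non-zero exit gives an early signal that the renewal hook is broken, instead of discovering it when clients start rejecting the certificate.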

3. Install Trojan-Go

Note: I use Trojan-Go here because it supports connection multiplexing, so establishing connections is faster than with the original Trojan server; it makes little difference to download speed for video afterwards. Installation and configuration are essentially the same for the original Trojan and the Go version; if you want the original, just swap the download URL of the archive.
Download and extract:

# download
yum -y install wget
wget https://github.com/p4gefau1t/trojan-go/releases/download/v0.10.6/trojan-go-linux-amd64.zip
# extract into the trojan-go directory
mkdir trojan-go
yum -y install unzip
unzip -d trojan-go/ trojan-go-linux-amd64.zip

Original version:

# download
yum -y install wget
wget https://github.com/trojan-gfw/trojan/releases/download/v1.16.0/trojan-1.16.0-linux-amd64.tar.xz
# extract; this produces the trojan directory
tar -xvf trojan-1.16.0-linux-amd64.tar.xz
# note: in the steps that follow, replace the trojan-go directory with trojan

Then enter the directory and create the config file:

cd trojan-go
vi config.json

The configuration is below; just change the password and the domain. My trojan-go executable is in /root/trojan-go/; if yours is elsewhere, change the paths accordingly:

{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "log_level": 1,
  "log_file": "/root/trojan-go/test.log",
  "password": [
       "YourPassword"
  ],
  "buffer_size": 32,
  "dns": [],
  "ssl": {
    "verify": true,
    "verify_hostname": true,
      "cert": "/etc/letsencrypt/live/usa-bwg-01.example.com/fullchain.pem",
      "key": "/etc/letsencrypt/live/usa-bwg-01.example.com/privkey.pem",
    "key_password": "",
    "cipher": "",
    "cipher_tls13": "",
    "curves": "",
    "prefer_server_cipher": false,
    "sni": "usa-bwg-01.example.com",
    "alpn": [
      "http/1.1"
    ],
    "session_ticket": true,
    "reuse_session": true,
    "plain_http_response": "",
    "fallback_port": 80,
    "fingerprint": "firefox",
    "serve_plain_text": false
  },
  "tcp": {
    "no_delay": true,
    "keep_alive": true,
    "reuse_port": false,
    "prefer_ipv4": false,
    "fast_open": false,
    "fast_open_qlen": 20
  },
  "mux": {
    "enabled": true,
    "concurrency": 8,
    "idle_timeout": 60
  },
  "router": {
    "enabled": false,
    "bypass": [],
    "proxy": [],
    "block": [],
    "default_policy": "proxy",
    "domain_strategy": "as_is",
    "geoip": "/root/trojan-go/geoip.dat",
    "geosite": "/root/trojan-go/geosite.dat"
  },
  "websocket": {
    "enabled": false,
    "path": "/",
    "hostname": "usa-bwg-01.example.com",
    "obfuscation_password": "",
    "double_tls": true,
    "ssl": {
      "verify": true,
      "verify_hostname": true,
      "cert": "/etc/letsencrypt/live/usa-bwg-01.example.com/fullchain.pem",
      "key": "/etc/letsencrypt/live/usa-bwg-01.example.com/privkey.pem",
      "key_password": "",
      "prefer_server_cipher": false,
      "sni": "usa-bwg-01.example.com",
      "session_ticket": true,
      "reuse_session": true,
      "plain_http_response": ""
    }
  }
}
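The config above ships with the placeholder password `YourPassword`, and a Trojan server that keeps a placeholder or short password, or that forwards unrecognised TLS clients to something other than the local web server, is the usual way such a node gets abused. The following is an added example, not code from the original article or from the Trojan-Go project: a small audit of a server `config.json` that flags those problems before the service is started. `SAMPLE_CONFIG` is a constructed copy of the page's config reduced to the keys the checks read; the placeholder list and the 16-character minimum are assumptions of this example.

```python
import copy
import json
import re
import sys
from typing import Any, Dict, List

# Constructed copy of the page's config.json, reduced to the fields the checks below
# look at; sample input for this example, not a file read from disk.
SAMPLE_CONFIG: Dict[str, Any] = json.loads("""
{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": ["YourPassword"],
  "ssl": {
    "cert": "/etc/letsencrypt/live/usa-bwg-01.example.com/fullchain.pem",
    "key": "/etc/letsencrypt/live/usa-bwg-01.example.com/privkey.pem",
    "sni": "usa-bwg-01.example.com",
    "fallback_port": 80
  },
  "mux": {"enabled": true}
}
""")

# Assumed list of values that are obviously copied from a tutorial rather than chosen.
PLACEHOLDER_PASSWORDS = {"YourPassword", "password", "123456"}
MIN_PASSWORD_LEN = 16  # assumed minimum; the password is the only client credential


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    if cfg.get("run_type") != "server":
        findings.append("run_type should be 'server' on the server side")

    passwords = cfg.get("password") or []
    if not passwords:
        findings.append("no password configured")
    for pw in passwords:
        if pw in PLACEHOLDER_PASSWORDS:
            findings.append(f"placeholder password in use: {pw!r}")
        elif len(pw) < MIN_PASSWORD_LEN:
            findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")

    ssl = cfg.get("ssl") or {}
    for key in ("cert", "key"):
        if not ssl.get(key):
            findings.append(f"ssl.{key} is not set")

    # certbot stores each certificate under /etc/letsencrypt/live/<domain>/, so the
    # directory name should agree with the SNI the server expects clients to send.
    sni = ssl.get("sni", "")
    match = re.search(r"/live/([^/]+)/", ssl.get("cert", ""))
    if match and sni and match.group(1) != sni:
        findings.append(f"ssl.sni {sni!r} does not match certificate directory {match.group(1)!r}")

    # Traffic that is not valid Trojan is forwarded to remote_addr:remote_port; it should
    # be the local Nginx, not an address reachable by third parties.
    remote_addr = cfg.get("remote_addr", "")
    if remote_addr not in ("127.0.0.1", "::1", "localhost"):
        findings.append(f"remote_addr {remote_addr!r} is not a loopback address")

    return findings


def with_password(cfg: Dict[str, Any], password: str) -> Dict[str, Any]:
    """Deep copy of cfg with the password list replaced (used to show a passing config)."""
    fixed = copy.deepcopy(cfg)
    fixed["password"] = [password]
    return fixed


if __name__ == "__main__":
    # Usage: python audit.py /root/trojan-go/config.json (falls back to the sample).
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = audit_config(cfg)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it against the real `/root/trojan-go/config.json` before `systemctl start`; on the page's config as written it reports exactly the placeholder password, and returns clean once a long random password is substituted.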

Try starting it:

/root/trojan-go/trojan-go -config /root/trojan-go/config.json

If it exits immediately, check for a port conflict and read the log.
Check port usage:

yum -y install lsof
lsof -i:443

Log:

cat /root/trojan-go/test.log

The corresponding section in the Clash config:

...
...
proxies:
  - {name: Trojan-搬瓦工美国, type: trojan, server: usa-bwg-01.example.com, port: 443, password: YourPassword }
...
...

4. Register Trojan-Go as a service so it starts on boot

Create the service:

cd /usr/lib/systemd/system/
vi trojan-go.service

Contents:

[Unit]
Description=trojan-go
After=network.target nss-lookup.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/root/trojan-go/trojan-go -config /root/trojan-go/config.json
Restart=on-failure
RestartSec=10
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

After that, the control commands are simple:

# start
systemctl start trojan-go.service
# stop
systemctl stop trojan-go.service
# enable start on boot
systemctl enable trojan-go.service

Done.

