The following explains how to configure Trojan-Go correctly so that your proxy node's characteristics are fully hidden.
Before you begin, you need:
a server that has not been blocked by the GFW
a domain name; free domain services such as .tk can be used
Trojan-Go, which can be downloaded from the release page
a certificate and key, which can be obtained for free from a CA such as Let's Encrypt
------ freenom no longer works; just buy a new domain instead ------
f1g1ns1.dnspod.net
f1g1ns2.dnspod.net
We use apache2 to serve the web application, bind the web page to the domain, and then use Let's Encrypt to generate the certificate and key. The steps are as follows (you can also refer to this):
Installing apache2
To install apache2 on Ubuntu 20.04, see here
1) Install apache:
sudo apt update && sudo apt install apache2
2) Firewall settings:
$ sudo ufw app list
Output:
Available applications:
Apache
Apache Full
Apache Secure
OpenSSH
$ sudo ufw allow 'Apache'
$ sudo ufw status
3) Check the apache2 status:
$ sudo systemctl status apache2
Output:
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2022-06-22 01:29:24 UTC; 4h 44min ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 20373 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 20387 (apache2)
Tasks: 55 (limit: 1083)
Memory: 8.3M
CGroup: /system.slice/apache2.service
├─20387 /usr/sbin/apache2 -k start
├─20388 /usr/sbin/apache2 -k start
└─20389 /usr/sbin/apache2 -k start
4) Manage the apache2 process:
$ sudo systemctl stop apache2
$ sudo systemctl start apache2
$ sudo systemctl restart apache2
$ sudo systemctl reload apache2
$ sudo systemctl disable apache2
$ sudo systemctl enable apache2
5) Set up a virtual host
Create a folder for your domain:
$ sudo mkdir /var/www/test
$ sudo chown -R $USER:$USER /var/www/test
$ sudo vim /var/www/test/index.html
Create a new virtual host configuration file. For now, do not modify /etc/apache2/sites-available/000-default.conf; instead create a new file, /etc/apache2/sites-available/test.conf, with the following contents:
<VirtualHost *:80>
ServerAdmin test@gmail.com
ServerName test.top
ServerAlias www.test.top
DocumentRoot /var/www/test
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Here we point DocumentRoot at our new folder /var/www/test, and ServerAdmin is an email address at which you can be contacted.
Now enable this configuration file with the a2ensite command:
sudo a2ensite /etc/apache2/sites-available/test.conf
Also disable the default site with a2dissite:
sudo a2dissite 000-default.conf
Test the configuration file for errors:
sudo apache2ctl configtest
Restart apache2:
sudo systemctl restart apache2
The site can then be reached directly at the domain name http://www.lolasap.top/.
Familiarize yourself with Apache's important files and directories:
Now that you know how to manage the Apache service itself, you should take a few minutes to familiarize yourself with a few important directories and files.
Content
/var/www/html: The actual web content, which by default only consists of the default Apache page you saw earlier, is served out of the /var/www/html directory. This can be changed by altering Apache configuration files.
Server Configuration
/etc/apache2: The Apache configuration directory. All of the Apache configuration files reside here.
/etc/apache2/apache2.conf: The main Apache configuration file. This can be modified to make changes to the Apache global configuration. This file is responsible for loading many of the other files in the configuration directory.
/etc/apache2/ports.conf: This file specifies the ports that Apache will listen on. By default, Apache listens on port 80 and additionally listens on port 443 when a module providing SSL capabilities is enabled.
/etc/apache2/sites-available/: The directory where per-site virtual hosts can be stored. Apache will not use the configuration files found in this directory unless they are linked to the sites-enabled directory. Typically, all server block configuration is done in this directory, and then enabled by linking to the other directory with the a2ensite command.
/etc/apache2/sites-enabled/: The directory where enabled per-site virtual hosts are stored. Typically, these are created by linking to configuration files found in the sites-available directory with the a2ensite command. Apache reads the configuration files and links found in this directory when it starts or reloads to compile a complete configuration.
/etc/apache2/conf-available/, /etc/apache2/conf-enabled/: These directories have the same relationship as the sites-available and sites-enabled directories, but are used to store configuration fragments that do not belong in a virtual host. Files in the conf-available directory can be enabled with the a2enconf command and disabled with the a2disconf command.
/etc/apache2/mods-available/, /etc/apache2/mods-enabled/: These directories contain the available and enabled modules, respectively. Files ending in .load contain fragments to load specific modules, while files ending in .conf contain the configuration for those modules. Modules can be enabled and disabled using the a2enmod and a2dismod commands.
Server Logs
/var/log/apache2/access.log: By default, every request to your web server is recorded in this log file unless Apache is configured to do otherwise.
/var/log/apache2/error.log: By default, all errors are recorded in this file. The LogLevel directive in the Apache configuration specifies how much detail the error logs will contain.
How to secure Apache with Let's Encrypt on Ubuntu 20.04: see here
1) First install certbot and python3-certbot-apache:
$ sudo apt install certbot python3-certbot-apache
2) Check the Apache virtual host configuration:
$ sudo vim /etc/apache2/sites-available/test.conf
$ sudo apache2ctl configtest
$ sudo systemctl reload apache2
3) Allow HTTPS through the firewall:
$ sudo ufw status
4) Obtain the SSL certificate!
$ sudo certbot --apache
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: test.top
2: www.test.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Just press Enter.
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/test-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/test-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/test-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/test-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Enter 2 to redirect all traffic to HTTPS.
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/test.conf to ssl vhost in /etc/apache2/sites-available/test-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://test.top and
https://www.test.top
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=test.top
https://www.ssllabs.com/ssltest/analyze.html?d=www.test.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/test.top-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/test.top-0002/privkey.pem
Your cert will expire on 2022-09-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now visit http://test.top again: a lock icon appears in front of the address, indicating that the site is properly protected.
5) Verify Certbot auto-renewal
$ sudo systemctl status certbot.timer
Output:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Wed 2022-06-22 07:32:00 UTC; 38s ago
Trigger: Wed 2022-06-22 12:50:16 UTC; 5h 17min left
Triggers: ● certbot.service
Jun 22 07:32:00 test.top systemd[1]: Started Run certbot twice daily.
Now for the Trojan server-side configuration. First, the server.json configuration file:
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "123456"
    ],
    "ssl": {
        "cert": "/etc/letsencrypt/live/test/cert.pem",
        "key": "/etc/letsencrypt/live/test/privkey.pem"
    }
}
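The server.json above uses the password 123456 and points ssl.cert at cert.pem rather than the fullchain.pem that certbot reported, and because the certbot installer enabled an SSL vhost, Apache itself may now hold port 443, which Trojan-Go needs for its own listener. The pre-flight checker below is an added example (not Trojan-Go's or the author's code): it lints a server config dict for those points and, given constructed `ss -ltnp` output, reports the port conflict. The WEAK_PASSWORDS deny list and the 16-character minimum are assumed thresholds.

```python
import json
import re

WEAK_PASSWORDS = {"123456", "12345678", "password", "trojan"}  # constructed deny list


def parse_ss_listeners(ss_output: str) -> list:
    """Turn `ss -ltnp` text into (port, process) pairs, skipping the header line."""
    listeners = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        match = re.search(r'\("([^"]+)"', line)
        listeners.append((port, match.group(1) if match else "?"))
    return listeners


def lint_server_config(cfg: dict, listeners=()) -> list:
    """Return human-readable problems found in a Trojan-Go server config dict."""
    problems = []
    port = cfg.get("local_port")
    if port != 443:
        problems.append(f"local_port {port}: only 443 looks like an ordinary HTTPS site")
    # Non-Trojan traffic must fall through to the real web server, Apache on 127.0.0.1:80
    if cfg.get("remote_addr") not in ("127.0.0.1", "localhost") or cfg.get("remote_port") != 80:
        problems.append("remote_addr/remote_port should point at the local Apache (127.0.0.1:80)")
    for pw in cfg.get("password", []):
        if pw in WEAK_PASSWORDS or len(pw) < 16:
            problems.append(f"password {pw!r} is weak or short; use a long random value")
    if not cfg.get("ssl", {}).get("cert", "").endswith("fullchain.pem"):
        problems.append("ssl.cert should be certbot's fullchain.pem so clients get the chain")
    # After `certbot --apache`, Apache's own SSL vhost may hold 443, so Trojan-Go cannot bind it
    for lport, proc in listeners:
        if lport == port and proc != "trojan-go":
            problems.append(f"port {port} is already bound by {proc}; move that vhost off 443")
    return problems


# Constructed copy of the page's server.json, with the closing brace it was missing
PAGE_CONFIG = json.loads('''{"run_type": "server", "local_addr": "0.0.0.0", "local_port": 443,
  "remote_addr": "127.0.0.1", "remote_port": 80, "password": ["123456"],
  "ssl": {"cert": "/etc/letsencrypt/live/test/cert.pem", "key": "/etc/letsencrypt/live/test/privkey.pem"}}''')

# Constructed `ss -ltnp` output: Apache holding 80 and, after certbot's redirect, 443 as well
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=20389,fd=4))
LISTEN 0      511                *:443             *:*     users:(("apache2",pid=20389,fd=6))"""
```

Running `lint_server_config(PAGE_CONFIG, parse_ss_listeners(SAMPLE_SS))` on the page's config reports the weak password, the non-fullchain certificate and Apache already holding 443; fix all three before starting Trojan-Go.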
Then start the server: