利用 NGINX 的 Stream 模塊 sni_preread 功能,可以做到讓 Trojan 和其他網站在同一台機器上共享 443 端口。
Forked from phlinhng/a-trojan-with-nginx-stream-module.md
Created
November 9, 2022 11:42
-
-
Save zengjiapei3000/41bfe9c6f88b88be948925e562f11f4a to your computer and use it in GitHub Desktop.
Trojan + NGINX 多網站共存
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# 將 /etc/nginx/sites-available/default 的內容改成如下,可以實現全局 https 跳轉 | |
server { | |
listen 80 default_server; | |
listen [::]:80 default_server; | |
server_name _; | |
return 301 https://$host$request_uri; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# 在 /etc/nginx/nginx.conf 加入這段, 原先的內容不要刪 | |
stream { | |
map $ssl_preread_server_name $backend_name { | |
trojan.example.com trojan; | |
website1.example.com tls_backend; | |
website2.example.com tls_backend; | |
default web; | |
} | |
upstream web { | |
server 127.0.0.1:80; | |
} | |
upstream trojan { | |
server 127.0.0.1:8080; | |
} | |
upstream tls_backend { | |
server 127.0.0.1:8443; | |
} | |
server { | |
listen 443 reuseport; | |
listen [::]:443 reuseport; | |
proxy_pass $backend_name; | |
ssl_preread on; | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"run_type": "server", | |
"local_addr": "127.0.0.1", | |
"local_port": 8080, | |
"remote_addr": "127.0.0.1", | |
"remote_port": 80, | |
"log_level": 5, | |
"password": [ | |
"your_awesome_password" | |
], | |
"ssl": { | |
"verify_hostname": true, | |
"cert": "/etc/ssl/trojan/fullchain.crt", | |
"key": "/etc/ssl/trojan/key.key", | |
"sni": "trojan.example.com", | |
"alpn": [ | |
"http/1.1" | |
] | |
}, | |
"router": { | |
"enabled": false | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# trojan 偽裝站設置 | |
# 將此檔案放到以下三種位置之一 | |
# 位置1 (推荐): 放到 /etc/nginx/sites-available 下, 建立軟鏈到 /etc/nginx/sites-enabled | |
# 位置2: 放到 /etc/nginx/conf.d | |
# 位置3: 放到 /etc/nginx/sites-enabled | |
server { | |
listen 127.0.0.1:80; | |
server_name trojan.example.com; | |
root /var/www/html; | |
index index.php index.html index.htm; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# 其他網站全部監聽 127.0.0.1:8443, 在這個端口進行 TLS 握手 | |
# 將此檔案放到以下三種位置之一 | |
# 位置1 (推荐): 放到 /etc/nginx/sites-available 下, 建立軟鏈到 /etc/nginx/sites-enabled | |
# 位置2: 放到 /etc/nginx/conf.d | |
# 位置3: 放到 /etc/nginx/sites-enabled | |
server { | |
listen 127.0.0.1:8443 ssl http2; | |
server_name website1.example.com; | |
ssl_certificate /path/to/fullchain.crt; | |
ssl_certificate_key /path/to/key.key; | |
ssl_protocols TLSv1.2 TLSv1.3; | |
location / { | |
} | |
} | |
server { | |
listen 127.0.0.1:8443 ssl http2; | |
server_name website2.example.com; | |
ssl_certificate /path/to/fullchain.crt; | |
ssl_certificate_key /path/to/key.key; | |
ssl_protocols TLSv1.2 TLSv1.3; | |
location / { | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment