常用命令

SSH密钥访问

首先设置公私钥

`ssh-keygen -t ed25519`(或 `ssh-keygen -t rsa -b 4096`)在客户端执行, 按提示两次输入 passphrase 即可生成公私钥(直接回车表示私钥无口令, 不建议), 存放于当前用户的 ~/.ssh(以 root 执行即 /root/.ssh)。私钥 id_* 只留在客户端, 只有 .pub 公钥需要上传到服务器。

在服务器上使用 `cat id_rsa.pub(your_pub_name) >> ~/.ssh/authorized_keys` 将公钥追加到已授权密钥列表, 然后 `chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys`(sshd 默认开启 StrictModes, 目录或文件权限过宽时会直接拒绝密钥登录)。

查看是否写入成功 cat authorized_keys 是否有公钥内容

在 /etc/ssh/sshd_config 中设置 `PasswordAuthentication no`(同时确认 `PubkeyAuthentication yes`, 并建议 `PermitRootLogin prohibit-password`)禁用密码登录; 更换默认 22 端口只能减少自动扫描带来的噪音, 不能替代密钥认证。修改后保持当前会话不退出, 另开一个终端确认密钥登录成功后再断开, 避免把自己锁在外面。

先用 `sshd -t` 检查配置语法, 再 `systemctl restart sshd` 使配置生效(部分 Ubuntu 版本的服务名为 ssh)。

修改主机Hostname

sudo hostnamectl set-hostname 新主机名

sudo nano /etc/hosts 更新hosts

Nginx编译安装配置正向代理HTTPS

按此配置实测无法代理 HTTPS 流量, 基本无用。一个待验证的原因: auth_basic 以 401/WWW-Authenticate 做认证, 而代理客户端发送的是 Proxy-Authorization 并期望 407, 两者并不匹配。

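# Build nginx 1.18.0 from source with ngx_http_proxy_connect_module (adds
# CONNECT-method tunnelling for an HTTPS forward proxy) and the geoip2 module
# as dynamic modules, then drop the resulting binary over the Debian-packaged
# /usr/sbin/nginx so the distro's unit file and config layout keep working.
# Runs as root. Working directory is /opt: the deploy step below and the
# `root /opt/webapps` used later in this page assume it.
#
# NOTE(review): 1.18.0 is end-of-life. The resolver bug CVE-2021-23017 (fixed
# in 1.20.1 / 1.21.0) sits in exactly the `resolver` code path a CONNECT proxy
# relies on; build a current stable release with the matching
# proxy_connect_rewrite_*.patch instead of the version pinned here.
set -euo pipefail
cd /opt
NGINX_VERSION=1.18.0
SRC_DIR="/opt/nginx-${NGINX_VERSION}"

# Refresh package lists before installing, not after.
apt-get update
apt-get upgrade -y
apt-get install -y nginx
apt-cache search libnginx   # informational: lists the distro's module packages
apt-get install -y libnginx-mod-http-geoip2 libnginx-mod-http-headers-more-filter \
  libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail \
  libnginx-mod-stream libnginx-mod-stream-geoip2
apt-get install -y build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev \
  libssl-dev curl git libmaxminddb0 libmaxminddb-dev gnupg
mkdir -p webapps

# Fetch the source over HTTPS and check the detached PGP signature nginx.org
# publishes next to it. Import the nginx signing key beforehand and compare
# its fingerprint with the one on https://nginx.org/en/pgp_keys.html out of
# band — a key fetched blindly from the same place as the tarball proves nothing.
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc"
gpg --verify "nginx-${NGINX_VERSION}.tar.gz.asc" "nginx-${NGINX_VERSION}.tar.gz"
tar -xzf "nginx-${NGINX_VERSION}.tar.gz"

# Third-party modules compiled into the server. Check out a reviewed tag or
# commit after cloning rather than building whatever HEAD is on that day.
git clone https://github.com/chobits/ngx_http_proxy_connect_module
git clone https://github.com/leev/ngx_http_geoip2_module.git

nginx -V   # shows the distro's configure arguments; the flags below mirror them
cd "${SRC_DIR}"
patch -p1 < ../ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch

# nginx's configure keeps only the LAST --with-cc-opt it sees. The original
# command passed it twice, so `-Wno-deprecated-declarations` silently replaced
# the whole hardening set (-fstack-protector-strong, -D_FORTIFY_SOURCE=2,
# -Werror=format-security). Everything now goes in a single option.
./configure \
  --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-niToSo/nginx-1.18.0=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' \
  --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -fPIC' \
  --prefix=/usr/share/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --lock-path=/var/lock/nginx.lock \
  --pid-path=/run/nginx.pid \
  --modules-path=/usr/lib/nginx/modules \
  --http-client-body-temp-path=/var/lib/nginx/body \
  --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
  --http-proxy-temp-path=/var/lib/nginx/proxy \
  --http-scgi-temp-path=/var/lib/nginx/scgi \
  --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
  --with-compat \
  --with-debug \
  --with-pcre-jit \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_auth_request_module \
  --with-http_v2_module \
  --with-http_dav_module \
  --with-http_slice_module \
  --with-threads \
  --with-http_addition_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --add-dynamic-module=../ngx_http_geoip2_module \
  --add-dynamic-module=../ngx_http_proxy_connect_module
make

# Deploy: stop the running server before replacing its binary, keep the
# distro binary as a rollback, install the freshly built .so modules where
# --modules-path points (the original never copied them, so load_module
# would fail), then config-test before starting again.
systemctl stop nginx
mv /usr/sbin/nginx /usr/sbin/nginx.bak
install -m 0755 "${SRC_DIR}/objs/nginx" /usr/sbin/nginx
install -m 0644 "${SRC_DIR}/objs/ngx_http_proxy_connect_module.so" \
  "${SRC_DIR}/objs/ngx_http_geoip2_module.so" /usr/lib/nginx/modules/
nginx -t
systemctl start nginx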
# Forward proxy: plain HTTP via proxy_pass, HTTPS via the CONNECT method
# provided by ngx_http_proxy_connect_module (load_module in the main context,
# resolver in the http context — see the note below this block).
server {
    # Listens on every interface. Unless the proxy is meant to be reachable
    # from the Internet, bind to 127.0.0.1 / a VPN address: an open proxy
    # protected only by Basic auth over plaintext is found by scanners fast,
    # and the credentials cross the wire unencrypted on every request.
    listen 8000;  # proxy listen port
    listen [::]:8000;

    # Enable the HTTPS forward proxy (CONNECT method)
    proxy_connect;
    # Only tunnel to the ports an HTTP(S) client needs; allowing arbitrary
    # ports would turn this into a generic TCP relay.
    proxy_connect_allow 443 80;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    # Basic authentication. NOTE(review): auth_basic replies 401 and reads the
    # Authorization header, whereas proxy-aware clients send
    # Proxy-Authorization and expect 407 — confirm with the intended client;
    # this mismatch is a plausible reason HTTPS proxying "does not work".
    auth_basic "Proxy Authentication Required";
    auth_basic_user_file /etc/nginx/password/https-proxy;

    location / {
        # Forward-proxy rule: the upstream comes verbatim from the client's
        # Host header, so an authenticated user can reach anything this host
        # can (loopback services, RFC 1918 ranges, cloud metadata endpoints).
        # Restrict at the network layer or deny such hosts explicitly.
        proxy_pass http://$http_host$request_uri;
        proxy_set_header Host $http_host;
    }
}

在 nginx.conf 顶层(main 上下文, events/http 块之外)加入 `load_module modules/ngx_http_proxy_connect_module.so;`, 在 http 块中加入 `resolver 8.8.8.8;`(处理 CONNECT 时需要解析目标主机名; 该查询是明文 UDP, 可改为内网或本机 DNS)。

证书签发

certbot 签发 letsencrypt 证书

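# Issue a Let's Encrypt certificate for `domain` with certbot.
apt-get install -y certbot python3-certbot-nginx
# `--manual --preferred-challenges http-01` asks you to place the challenge
# file by hand, and a certificate issued that way cannot be renewed by the
# certbot timer without a --manual-auth-hook — it silently expires after
# 90 days. The nginx plugin installed above answers the challenge itself and
# renews unattended; `certonly` still leaves nginx.conf untouched.
certbot certonly --nginx -d domain
# Rehearse the renewal now so a broken setup shows up today, not in 90 days.
certbot renew --dry-run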

搭建v2ray服务

通过v2ray代理的任何行为请遵守中华人民共和国和当地法律

在服务器上搭建v2ray服务

https://233boy.com/v2ray/v2ray-script/ (第三方一键脚本, 以 root 运行并会修改系统配置; 执行前先把脚本下载下来阅读一遍, 不要直接 `curl | bash`)

# 按照提示步骤来搭建代理。我使用 no-auto-tls, 此时 v2ray 只在本机端口上监听明文 WebSocket, TLS 由下面的 nginx 终止并伪装成普通网站, nginx 配置如下
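# Plain-HTTP listener whose only job is to redirect to HTTPS. The original
# placed `if ($scheme = http)` inside the 443-only server, where $scheme is
# always "https" and the redirect could never fire.
server {
    listen 80;
    listen [::]:80;
    server_name hk-datat-ps.site;
    return 301 https://$host$request_uri;
}

# HTTPS front: serves a static decoy site from /opt/webapps and forwards one
# WebSocket path to the local v2ray inbound.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name hk-datat-ps.site;

    # Hide the nginx version in headers and error pages
    server_tokens off;
    # Certificate issued by certbot (see the certificate section above)
    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
    # Protocols the server accepts
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: AEAD with forward secrecy only. NOTE(review): the TLS_*
    # names at the front are TLS 1.3 suites, which OpenSSL's cipher-list parser
    # does not take from ssl_ciphers — they are harmless here but have no effect.
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_ecdh_curve X25519:secp384r1;
    ssl_prefer_server_ciphers on;
    # No session tickets: avoids a long-lived ticket key that would undo
    # forward secrecy for resumed sessions.
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    # OCSP stapling. ssl_stapling_verify needs the issuer chain to validate
    # the response, and nginx needs a resolver to reach the OCSP responder;
    # without both nginx only logs a warning and staples nothing.
    # NOTE(review): Let's Encrypt is winding down its OCSP service — if
    # stapling starts failing, remove these four lines rather than fight it.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain/chain.pem;
    resolver 8.8.8.8 valid=300s;

    # Optional once HTTPS is confirmed working: tell browsers to stay on HTTPS.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    root /opt/webapps;

    # v2ray WebSocket inbound on localhost; replace the path and port.
    location /v2ray路径 {
      proxy_pass http://127.0.0.1:port; # v2ray port
      proxy_redirect off;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # Tunnels live for days; the 60s default would cut idle connections.
      proxy_read_timeout 5d;
    }

    # Decoy site: static files only
    location / {
        try_files $uri $uri/ =404;
    }

    # `return 301;` with no target sent a redirect without a Location header.
    # Answer 404 like any other unknown path so the decoy stays consistent.
    location /undefined {
        return 404;
    }
}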

使用V2ray服务

通过v2ray代理的任何行为请遵守中华人民共和国和当地法律

  • Ubuntu桌面使用 - 下载Qv2ray客户端 - 下载v2ray代码包 - 配置客户端,导入配置使用
  • 安卓使用v2rayNG - 谷歌商店
  • window使用v2rayN - https://github.com/2dust/v2rayN/releases

以下为Ubuntu桌面版使用方法

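# Desktop client setup (Ubuntu): Qv2ray GUI plus a v2ray-core binary under /opt.
# Run the client as your normal desktop user, not root — the AppImage is
# third-party code you will run every day and it needs your session anyway;
# use sudo only for the writes into /opt.
cd /opt
QV_VER=v2.7.0
V2_VER=v4.28.2
wget "https://github.com/Qv2ray/Qv2ray/releases/download/${QV_VER}/Qv2ray-${QV_VER}-linux-x64.AppImage"
chmod +x "Qv2ray-${QV_VER}-linux-x64.AppImage"

# v2ray/v2ray-core has since moved to v2fly/v2ray-core and 4.28.2 is old;
# the pinned assets are still served. Check the archive against the
# release's .dgst file (SHA256 line) before unpacking. The .dgst comes from
# the same origin as the zip, so this only catches a corrupted or swapped
# download, not a compromised release; if the asset is missing, compare
# with the checksum printed on the release page instead.
wget "https://github.com/v2ray/v2ray-core/releases/download/${V2_VER}/v2ray-linux-64.zip"
wget "https://github.com/v2ray/v2ray-core/releases/download/${V2_VER}/v2ray-linux-64.zip.dgst"
grep -i sha256 v2ray-linux-64.zip.dgst
sha256sum v2ray-linux-64.zip   # must match the line printed above
unzip v2ray-linux-64.zip -d ./v2ray

# Start the GUI. It may complain about missing libraries; install whatever
# the message names.
"./Qv2ray-${QV_VER}-linux-x64.AppImage"
# In Preferences set the v2ray executable to /opt/v2ray/v2ray and the v2ray
# assets directory to /opt/v2ray, save, import the server connection built
# above and start it.
# Point the system SOCKS proxy at the client's default listener
# 127.0.0.1:1089 to route traffic through it.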

Wireshark抓包SSL流量

首先设置环境变量将sslkeys打印到日志

设置系统环境变量 `SSLKEYLOGFILE=E:\sslkeys.log`(Windows 在 系统属性 → 环境变量 中添加, 变量名与值之间没有空格; Linux/macOS 为 `export SSLKEYLOGFILE=~/sslkeys.log`)

建议用 Firefox 访问目标 TLS 网站, 浏览器会把每个会话的密钥写入 sslkeys.log; 然后打开 Wireshark, 在 编辑 → 首选项 → Protocols → TLS (Transport Layer Security) 中把 "(Pre)-Master-Secret log filename" 设为 E:\sslkeys.log。

如果无法解密, 先确认浏览器确实在向 E:\sslkeys.log 写入密钥: 浏览器必须在设置环境变量之后重新启动(否则进程不会继承该变量), 且 Wireshark 要先于浏览器开始抓包, 以捕获到完整的 TLS 握手。注意 sslkeys.log 能解密这段时间内该浏览器的全部 TLS 会话(包括登录凭据), 分析完成后删除该文件并移除环境变量, 不要在日常使用的浏览器上长期开启。