Nginx + Trojan-Go 搭建

配置系统Nginx服务

使用 apt 进行前置软件安装

# Refresh the package index, then install nginx together with the helper
# tools (screen, curl, unzip) in a single apt transaction.
apt update
apt install \
  nginx \
  screen \
  curl \
  unzip

创建站点文件夹,并编写测试网页文件

# Create the document root for the site (-p: no error if it already exists).
mkdir -p /var/www/baoshuma.top
# Open the test page for editing; its contents are the HTML listing that follows.
vi /var/www/baoshuma.top/index.html
<!DOCTYPE html>
<html lang="en">

<head>
    <!-- Minimal test page used to check that nginx serves the site. -->
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>

<body>
    <h1>Example Page</h1>
    This is content......
</body>

</html>
# Create the nginx server block for the site; its contents are the listing that follows.
vi /etc/nginx/sites-available/baoshuma.top
# Plain-HTTP virtual host for baoshuma.top. No TLS is configured in this
# block; in this guide TLS on port 443 is terminated by trojan-go.
server {
    # Listens on port 80 on all IPv4 addresses, not only on loopback.
    listen 80;

    root /var/www/baoshuma.top;
    index index.html index.htm index.nginx-debian.html;
    server_name baoshuma.top www.baoshuma.top;

    location / {
        # Serve the matching file or directory, otherwise answer 404.
        try_files $uri $uri/ =404;
    }

    # Any client whose address is not 127.0.0.1 gets a temporary redirect to
    # the HTTPS site; only loopback clients are served content over HTTP.
    # In this guide the loopback client is trojan-go, whose remote_addr and
    # fallback_addr point at 127.0.0.1:80.
    # NOTE(review): traffic handed over by trojan-go presumably reaches nginx
    # with 127.0.0.1 as $remote_addr, so the access log below would not show
    # the real client address for it; correlate with the trojan-go log when
    # investigating requests. Confirm against observed log lines.
    if ( $remote_addr != 127.0.0.1 ) {
        rewrite ^/(.*)$ https://baoshuma.top/$1 redirect;
    } 

    # Per-site logs, kept separate from the default nginx logs.
    access_log /var/log/nginx/baoshuma.top.access.log;
    error_log /var/log/nginx/baoshuma.top.error.log;
}

创建软链接并重启 nginx 服务

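# Enable the site. Naming the link explicitly and passing -f/-n lets this
# step be re-run without failing on (or descending into) an existing link.
ln -sfn /etc/nginx/sites-available/baoshuma.top /etc/nginx/sites-enabled/baoshuma.top
# Validate the configuration before restarting: a restart with a broken
# config would leave nginx stopped, so only restart when the check passes.
nginx -t && systemctl restart nginx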

通过ACME.SH进行SSL证书自动化

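# Download the acme.sh installer to a file and read it before running it.
# Piping the download straight into sh executes whatever the server returned,
# unseen, with the privileges of the current user.
installer=$(mktemp)
curl -fsSL -o "$installer" https://get.acme.sh
less "$installer"
sh "$installer"
rm -f -- "$installer"

# The installer only sets up an alias for future shells, so call the script
# by its installed path in this session.
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt

# Cloudflare credentials for the DNS-01 challenge ("XXX" is a placeholder).
# CF_Key is the account-wide Global API Key. acme.sh's dns_cf hook also
# accepts a scoped API token (CF_Token with CF_Account_ID or CF_Zone_ID),
# which limits what a leaked value can change. acme.sh stores these values in
# its account.conf for renewals, and typed exports also land in shell history.
export CF_Key="XXX"
export CF_Email="XXX"
~/.acme.sh/acme.sh --issue --dns dns_cf -d baoshuma.top -d '*.baoshuma.top' -k ec-256

# Keep the private key in a directory that only root can enter.
mkdir -p /etc/nginx/ssl
chmod 700 /etc/nginx/ssl
# --install-cert is the current spelling of --installcert.
# NOTE(review): no --reloadcmd is registered, so after an automatic renewal
# the files are replaced but a service that already loaded the old
# certificate is not restarted. Consider re-running this command with
# --reloadcmd once the consuming service exists.
~/.acme.sh/acme.sh --install-cert -d baoshuma.top --ecc \
  --fullchain-file /etc/nginx/ssl/fullchain.cer \
  --key-file /etc/nginx/ssl/baoshuma.top.key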

配置Trojan-Go

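# Fetch the pinned v0.10.6 release archive.
wget https://github.com/p4gefau1t/trojan-go/releases/download/v0.10.6/trojan-go-linux-amd64.zip
# Print the archive's SHA-256 and compare it with a value obtained from a
# source you trust before unpacking. Nothing else in this step verifies the
# download, and the binary is later run as a system service.
sha256sum trojan-go-linux-amd64.zip
# Brace expansion (a bash feature) creates bin/, conf/ and logs/ in one call.
mkdir -p /etc/trojan-go/{bin,conf,logs}
# server.json holds the proxy password and logs/ records client activity,
# so keep both directories accessible to root only.
chmod 700 /etc/trojan-go/conf /etc/trojan-go/logs
unzip -d /etc/trojan-go/bin trojan-go-linux-amd64.zip
rm trojan-go-linux-amd64.zip
# Write the server configuration; its contents are the JSON listing that follows.
vi /etc/trojan-go/conf/server.json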
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "XXX"
    ],
    "log_level": 1,
    "log_file": "/etc/trojan-go/logs/trojan-go-access.log",
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "/etc/nginx/ssl/fullchain.cer",
        "key": "/etc/nginx/ssl/baoshuma.top.key",
        "key_password": "",
        "curves": "",
        "cipher": "", 
        "prefer_server_cipher": false,
        "sni": "baoshuma.top",
        "alpn": [
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": true,
        "plain_http_response": "",
        "fallback_addr": "127.0.0.1",
        "fallback_port": 80,    
        "fingerprint": ""
    },
    "tcp": {
        "no_delay": true,
        "keep_alive": true
    }
}

配置Trojan-Go开机自启服务

# Create the systemd unit for trojan-go; its contents are the listing that follows.
# NOTE(review): /lib/systemd/system is normally where packages install their
# units; locally written units conventionally go in /etc/systemd/system.
vi /lib/systemd/system/trojan-go.service
# systemd unit that runs trojan-go with the server.json written earlier.
[Unit]
Description=Trojan-Go - An unidentifiable mechanism that helps you bypass GFW
Documentation=https://p4gefau1t.github.io/trojan-go
# Start only after basic networking and name resolution are available.
After=network.target nss-lookup.target

[Service]
# NOTE(review): no User= is set, so systemd starts the process as root. The
# bounding set below still restricts it to the two listed capabilities, but
# root-owned files remain readable and writable by the service.
# CAP_NET_BIND_SERVICE lets the process bind the privileged port 443 set as
# local_port in server.json.
# NOTE(review): CAP_NET_ADMIN is presumably not needed for run_type "server";
# confirm and drop it if the service starts without it.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
# The process and its children cannot gain privileges through setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=true
ExecStart=/etc/trojan-go/bin/trojan-go -config /etc/trojan-go/conf/server.json
# Restart only after an unclean exit, waiting 10 seconds between attempts.
Restart=on-failure
RestartSec=10s
# Removes the per-process open-file limit.
LimitNOFILE=infinity

[Install]
# Enabling the unit starts it during normal multi-user boot.
WantedBy=multi-user.target
# Have systemd re-read unit files so it sees the new trojan-go.service,
# then register the service for boot and start it now.
systemctl daemon-reload
systemctl enable trojan-go
systemctl start trojan-go
# Check that the service is active, then follow its journal starting from
# the last 20 lines (Ctrl-C stops following).
systemctl status trojan-go
journalctl -u trojan-go -n 20 -f

BBR+cake

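# Append each setting to /etc/sysctl.conf only if that exact line is not
# already present, so re-running this step does not add duplicate entries.
for setting in 'net.core.default_qdisc=cake' 'net.ipv4.tcp_congestion_control=bbr'; do
  if ! grep -qxF -- "$setting" /etc/sysctl.conf; then
    printf '%s\n' "$setting" | tee -a /etc/sysctl.conf
  fi
done
# Apply /etc/sysctl.conf to the running kernel.
sysctl -p

# Show the values the kernel is actually using.
sysctl net.core.default_qdisc net.ipv4.tcp_congestion_control
# egrep is deprecated; plain grep is enough for this fixed word. No output
# here is not conclusive on its own, because a kernel can have BBR built in
# rather than loaded as a module; rely on the sysctl output above.
lsmod | grep bbr

reboot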
updated 2022-01-12