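Special thanks to: O, for the cryptic "heavenly book" notes and one-on-one guidance; XBB, who personally planned this and typed it up; PH, for endless tinkering; and Mike ("just read the help"), for his full support.
The following uses Ubuntu 20 as an example:
1. Update the system

```
apt update
apt upgrade -y
reboot
```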
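List the available 5.15 kernel versions. (If your kernel is already 5.8 or newer, you do not need to upgrade it: brutal requires kernel 5.8 or newer, otherwise V6 cannot be used.) The first command prints every available version; look at the last line for the version number and substitute it into the second command. At the time of writing it is 5.15.0-91. Choose either generic or lowlatency.

```
apt list linux-headers-5.15.*-*-generic linux-image-5.15.*-*-generic
sudo apt install linux-headers-5.15.0-91-generic linux-image-5.15.0-91-generic
```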
or
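
```
# headers must match the flavour of the kernel image you boot (needed to build kernel modules)
apt list linux-headers-5.15.*-*-lowlatency linux-image-5.15.*-*-lowlatency
sudo apt install linux-headers-5.15.0-91-lowlatency linux-image-5.15.0-91-lowlatency
```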
reboot
2. Install brutal

```
apt install curl
bash <(curl -fsSL https://tcp.hy2.sh/)
```
3. Install nginx
3.1 Method 1:

```
sudo apt install curl gnupg2 ca-certificates lsb-release
# this first entry is replaced by the signed-by entry written below
echo "deb http://nginx.org/packages/mainline/ubuntu $(lsb_release -sc) nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo gpg --dearmor \
    -o /usr/share/keyrings/nginx-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu $(lsb_release -sc) nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

sudo apt update
sudo apt-get install nginx
```
3.2 Method 2:

```
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
```
Check the key:

```
gpg --dry-run --quiet --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
```

Check the output it returns:

```
pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>
```

Then add the repository, pin it, and install:

```
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx
sudo apt update
sudo apt-get install nginx
```
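
The "check the key" step above compares the fingerprint by eye. The script below is an added example, not part of the original post, that automates the comparison: it parses gpg's machine-readable listing and accepts the keyring only if every primary key in it has an expected fingerprint. The function names and the sample listings are constructed for illustration; add further fingerprints to `EXPECTED_FPRS` only after verifying them out of band.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Fingerprints the keyring may contain, space separated. This one is the
# value shown in the import-show output quoted in the post.
EXPECTED_FPRS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"

# Read `gpg --with-colons` output on stdin. Print one verdict per primary key;
# succeed only if at least one primary key was seen and all are expected.
check_colon_listing() {
    awk -F: -v allowed="$EXPECTED_FPRS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "pub" || $1 == "sub" { rec = $1; next }
        $1 == "fpr" && rec == "pub" {       # fingerprint is field 10
            seen++
            if ($10 in ok) print "OK " $10
            else { print "UNEXPECTED " $10; bad++ }
            rec = ""                        # subkey fingerprints are skipped
        }
        END { exit !(seen > 0 && bad == 0) }
    '
}

# Check a real keyring file: the gpg command from the post plus --with-colons.
verify_keyring() {
    gpg --dry-run --quiet --import --import-options import-show \
        --with-colons "$1" 2>/dev/null | check_colon_listing
}

# Constructed listings (fields other than record type and fingerprint trimmed).
sample_good() {
    printf '%s\n' 'pub:-:2048:1:ABF5BD827BD9BF62:' \
        'fpr:::::::::573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62:' \
        'uid:-::::::::nginx signing key <signing-key@nginx.com>:'
}
sample_extra_key() {    # same key plus an unexpected second primary key
    sample_good
    printf '%s\n' 'pub:-:4096:1:00000000DEADBEEF:' \
        'fpr:::::::::00000000000000000000000000000000DEADBEEF:' \
        'sub:-:4096:1:0000000000000001:' \
        'fpr:::::::::0000000000000000000000000000000000000001:'
}

if [ "$#" -gt 0 ]; then
    verify_keyring "$1" && echo "keyring accepted"
else
    sample_good | check_colon_listing
    sample_extra_key | check_colon_listing || echo "keyring rejected"
fi
```

Run it with the keyring path as its argument before `apt update`; a non-zero exit status means the file holds a key you have not approved.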
nginx -v (check the version number; the latest as of today is 1.25.3)
Version number shown during installation:

```
Unpacking nginx (1.25.3-1~focal) ...
Setting up nginx (1.25.3-1~focal) ...
```
4. SSL certificate

```
apt install -y curl tar socat wget
curl https://get.acme.sh | sh
systemctl stop nginx
~/.acme.sh/acme.sh --register-account -m ***.***@gmail.com   # your own email address
~/.acme.sh/acme.sh --issue -d *******.com --standalone   # the domain already pointed at this IP
~/.acme.sh/acme.sh --installcert -d ********.com --key-file /root/private.key --fullchain-file /root/cert.crt   # the domain already pointed at this IP
~/.acme.sh/acme.sh --upgrade --auto-upgrade
```
5. Configure nginx
nano /etc/nginx/conf.d/default.conf
The contents of the conf file are below:

```
server {
    listen 443 ssl;
    http2 on;
    server_name xxxxxxx.com;  # domain
    index index.html;
    root /usr/share/nginx/html;
    ssl_certificate /root/cert.crt;
    ssl_certificate_key /root/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'";
}

server {
    listen 80;
    server_name *************.com;  # domain

    location / {
        return 301 https://$host$request_uri;
    }
}
```
Upload your prepared website to the path /usr/share/nginx/

```
systemctl enable nginx --now
systemctl status nginx
```
6. Server side: singbox

```
apt -y install curl git build-essential libssl-dev libevent-dev zlib1g-dev gcc-mingw-w64
curl -L https://go.dev/dl/go1.21.4.linux-amd64.tar.gz -o go1.21.4.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.21.4.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' > /etc/profile.d/golang.sh
source /etc/profile.d/golang.sh

go install -v -tags with_quic,with_grpc,with_wireguard,with_utls,with_reality_server github.com/sagernet/sing-box/cmd/sing-box@latest

cp $(go env GOPATH)/bin/sing-box /usr/local/bin/
mkdir -p /usr/local/etc/sing-box
nano /etc/systemd/system/sing-box.service
```
The contents of the sing-box.service file are below:

```
[Unit]
Description=sing-box service
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target

[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
Restart=on-failure
RestartSec=1800s
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target
```
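Server-side JSON
A few places need to be changed; see the comments, and delete the comments once you have made the changes.

```
sing-box generate uuid              # UUID
sing-box generate reality-keypair   # prints the client public key and the server private key
sing-box generate rand --hex 8      # short id
```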
nano /usr/local/etc/sing-box/config.json (paste the JSON here)
The contents of the JSON file are below:

```
{
  "inbounds": [
    {
      "type": "vless",
      "listen": "::",
      "listen_port": 10888,  # port, any value you like
      "sniff": true,
      "sniff_override_destination": true,
      "sniff_timeout": "300ms",
      "users": [
        {
          "uuid": "",  # UUID
          "flow": ""
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "",  # the domain you just issued the certificate for
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "",  # the domain you just issued the certificate for
            "server_port": 443
          },
          "private_key": "",  # private key
          "short_id": [
            ""  # short ID
          ]
        }
      },
      "multiplex": {
        "enabled": true,
        "padding": true,
        "brutal": {
          "enabled": true,
          "up_mbps": 500,  # your home downlink
          "down_mbps": 1000
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "geoip": {
      "path": "root/geoip.db",
      "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct"
    },
    "geosite": {
      "path": "root/geosite.db",
      "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct"
    },
    "rules": [
      {
        "geosite": [
          "cn",
          "category-games@cn"
        ],
        "outbound": "block"
      },
      {
        "geoip": [
          "cn",
          "private"
        ],
        "outbound": "block"
      }
    ],
    "final": "direct"
  }
}
```

```
systemctl enable --now sing-box
systemctl status sing-box
```
7. Client: add the configuration for this node, and make sure the selector also lists the same tag
A few places need to be changed; see the comments, and delete the comments once you have made the changes.

```
{
  "type": "vless",
  "tag": "",  # node tag; must match the entry added to the selector
  "uuid": "",  # same as the server-side uuid
  "packet_encoding": "xudp",
  "server": "",  # IP of the VPS
  "server_port": ,  # server-side port
  "flow": "",
  "tls": {
    "enabled": true,
    "server_name": "",  # domain; "steal" your own certificate
    "utls": {
      "enabled": true,
      "fingerprint": "chrome"
    },
    "reality": {
      "enabled": true,
      "public_key": "",  # client public key
      "short_id": ""  # same as on the server
    }
  },
  "multiplex": {
    "enabled": true,
    "protocol": "h2mux",
    "max_connections": 1,
    "min_streams": 4,
    "padding": true,
    "brutal": {
      "enabled": true,
      "up_mbps": 50,
      "down_mbps": 1000  # downlink of the VPS
    }
  }
},
```