shadowsocks / v2ray-plugin


Use v2ray-plugin after Nginx #48

Closed Eintler closed 5 years ago

Eintler commented 5 years ago

Question 1: I wonder whether it is possible to deploy shadowsocks-libev with v2ray-plugin behind Nginx. Question 2: What is the purpose of the certificate for TLS verification in the plugin, and how is it used?

Thanks

M3chD09 commented 5 years ago

Answer 1: Of course! Let's assume that you are using Shadowsocks over WebSocket (HTTPS). Here is an example configuration for nginx.

server {
        # TLS is terminated here; nginx talks plain HTTP to the plugin on loopback.
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  example.com;     # Your domain.
        # Effectively unused: the only location below proxies every request.
        root         /usr/share/nginx/html/;
        ssl_certificate "/path/to/cert";     # Path to certificate
        ssl_certificate_key "/path/to/key";     # Path to private key
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        # No ssl_protocols directive, so the build's default applies.
        # NOTE(review): confirm TLS 1.0/1.1 are not offered (deprecated, RFC 8996).
        # The HIGH list still admits non-PFS RSA and CBC suites; an ECDHE-only
        # list is preferable on a new deployment.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Every path is forwarded to the plugin, which matches the plugin_opts
        # below (no "path=" is set on the server side).
        location / {
            proxy_redirect off;
            proxy_http_version 1.1;     # the WebSocket upgrade needs HTTP/1.1 upstream
            proxy_pass http://localhost:8008;     # Port of v2ray-plugin
            proxy_set_header Host $http_host;
            # Pass the client's Upgrade through so the WebSocket handshake completes.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
}

The corresponding configuration for shadowsocks-libev with v2ray-plugin.

{
    "server":"localhost",
    "server_port":8008,
    "password":"password",
    "timeout":300,
    "method":"aes-256-gcm",
    "plugin":"v2ray-plugin",
    "plugin_opts":"server;loglevel=none"
}

You can run `ss-local -c config.json -p 443 --plugin v2ray-plugin --plugin-opts "tls;host=example.com"` on your client to connect.

malikshi commented 5 years ago
        proxy_set_header Connection "upgrade";

Is it better to use that method, or v2ray over Cloudflare IPs?

M3chD09 commented 5 years ago

Is it better to use that method, or v2ray over Cloudflare IPs?

This method can also be used behind a CDN like Cloudflare, which is better if you want to run a website. :)

Eintler commented 5 years ago

Nginx

server {
    server_name domain;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate ;
    ssl_certificate_key ;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

For V2ray

            location /ray { 
                          proxy_redirect off
                          proxy_pass http://127.0.0.1:10000;
                          proxy_http_version 1.1;
                          proxy_set_header Upgrade $http_upgrade;
                          proxy_set_header Connection "upgrade";
                          proxy_set_header Host $http_host;
                         }

For ss

             location /fuckGFW {
                          proxy_redirect off;
                          proxy_pass http://127.0.0.1:10001;
                          proxy_http_version 1.1;
                          proxy_set_header Upgrade $http_upgrade;
                          proxy_set_header Connection "upgrade";
                          proxy_set_header Host $http_host;
                         }
          }

ss { "server":"127.0.0.1", "server_port":10001, "password":"*", "nameserver": "8.8.8.8", "timeout":60, "method":"aes-256-gcm", "plugin":"/usr/bin/v2ray-plugin", "plugin_opts":"server", "mode": "tcp_only", "reuse_port":true, "no_delay":true }

tail -f /var/log/nginx/access.log [20/Feb/2019:08:40:53 -0500] "GET /fuckGFW HTTP/1.1" 404 0 "-" "Go-http-client/1.1"

@M3chD09 Anything wrong with configuration? Thanks :)

M3chD09 commented 5 years ago

Nginx server { server_name domain; listen 443 ssl http2; listen [::]:443 ssl http2; ssl_certificate ; ssl_certificate_key ; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;

For V2ray

location /ray { proxy_redirect off proxy_pass http://127.0.0.1:10000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; }

For ss

location /fuckGFW { proxy_redirect off; proxy_pass http://127.0.0.1:10001; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; } }

ss { "server":"127.0.0.1", "server_port":10001, "password":"*", "nameserver": "8.8.8.8", "timeout":60, "method":"aes-256-gcm", "plugin":"/usr/bin/v2ray-plugin", "plugin_opts":"server", "mode": "tcp_only", "reuse_port":true, "no_delay":true }

tail -f /var/log/nginx/access.log [20/Feb/2019:08:40:53 -0500] "GET /fuckGFW HTTP/1.1" 404 0 "-" "Go-http-client/1.1"

@M3chD09 Anything wrong with configuration? Thanks :)

Try "plugin_opts":"server;path=/fuckGFW"

Eintler commented 5 years ago

It works! Thank you so much @M3chD09

xianren78 commented 5 years ago

Here is a sample Caddyfile:

yourdomain.com {
    log /var/log/caddy.log
    root /var/www/
    proxy /v2ray localhost:10000 {
        websocket
        header_upstream -Origin
    }
    proxy /ss-v2ray-plugin localhost:10001 {
        websocket
        header_upstream -Origin
    }
}

Use "plugin_opts":"server;path=/ss-v2ray-plugin;loglevel=none"; loglevel=none is needed to ensure the service starts successfully.

70599 commented 5 years ago

I cannot get this plugin working; I get these errors from ss-server:

2019/02/27 20:09:58 http: TLS handshake error from 127.0.0.1:11728: tls: first record does not look like a TLS handshake
2019/02/27 20:09:58 http: TLS handshake error from 127.0.0.1:11730: tls: first record does not look like a TLS handshake
2019/02/27 20:09:58 http: TLS handshake error from 127.0.0.1:11732: tls: first record does not look like a TLS handshake
2019/02/27 20:09:59 http: TLS handshake error from 127.0.0.1:11734: tls: first record does not look like a TLS handshake
2019/02/27 20:09:59 http: TLS handshake error from 127.0.0.1:11736: tls: first record does not look like a TLS handshake

Errors from nginx:

2019/02/27 20:16:46 [error] 46683#46683: *444 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"
2019/02/27 20:16:46 [error] 46683#46683: *446 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"
2019/02/27 20:16:47 [error] 46683#46683: *447 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"
2019/02/27 20:16:47 [error] 46683#46683: *448 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"
2019/02/27 20:16:47 [error] 46683#46683: *453 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"

Nginx conf:

server  {
    listen  443 ssl http2;
    server_name subdomain.example.com;

    ssl_certificate "/path/to/cert";
    ssl_certificate_key "/path/to/key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    # NOTE(review): no ssl_protocols directive; confirm TLS 1.0/1.1 are disabled (RFC 8996).
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location    /path/  {
        # Disables request logging for this path; proxied traffic will not show
        # up in access.log, which also removes a troubleshooting aid.
        access_log  off;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        # Plain HTTP to the plugin on loopback. The plugin's server opts must
        # therefore not enable "tls"; with tls on, the plugin appears to reject
        # these connections ("first record does not look like a TLS handshake").
        proxy_pass http://localhost:10003;
    }
}

Server side config:

{
    "server":"localhost",
    "server_port":10003,
    "password":"password",
    "timeout":300,
    "method":"chacha20-ietf-poly1305",
    "plugin":"v2ray-plugin",
    "plugin_opts":"server;tls;host=subdomain.example.com;path=/path/;cert=/path/to/cert;key=/path/to/key;loglevel=none"
}

Client side config:

{
    "server": "subdomain.example.com",
    "server_port": 443,
    "password": "password",
    "method": "chacha20-ietf-poly1305",
    "local_address": "0.0.0.0",
    "plugin": "/usr/bin/v2ray-plugin",
    "plugin_opts": "tls;host=subdomain.example.com;path=/path/;loglevel=none",
    "timeout": 60,
    "reuse_port": true
}
M3chD09 commented 5 years ago

I cannot get this plugin working; I get these errors from ss-server:

2019/02/27 20:09:58 http: TLS handshake error from 127.0.0.1:11728: tls: first record does not look like a TLS handshake
2019/02/27 20:09:58 http: TLS handshake error from 127.0.0.1:11730: tls: first record does not look like a TLS handshake
2019/02/27 20:09:58 http: TLS handshake error from 127.0.0.1:11732: tls: first record does not look like a TLS handshake
2019/02/27 20:09:59 http: TLS handshake error from 127.0.0.1:11734: tls: first record does not look like a TLS handshake
2019/02/27 20:09:59 http: TLS handshake error from 127.0.0.1:11736: tls: first record does not look like a TLS handshake

Errors from nginx:

2019/02/27 20:16:46 [error] 46683#46683: *444 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"
2019/02/27 20:16:46 [error] 46683#46683: *446 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"
2019/02/27 20:16:47 [error] 46683#46683: *447 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"
2019/02/27 20:16:47 [error] 46683#46683: *448 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"
2019/02/27 20:16:47 [error] 46683#46683: *453 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 1.23.45.67, server: subdomain.example.com, request: "GET /path/ HTTP/1.1", upstream: "http://127.0.0.1:10003/path/", host: "subdomain.example.com"

Nginx conf:

server    {
  listen  443 ssl http2;
  server_name subdomain.example.com;

  ssl_certificate "/path/to/cert";
  ssl_certificate_key "/path/to/key";
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout  10m;
  # NOTE(review): no ssl_protocols directive; confirm TLS 1.0/1.1 are disabled (RFC 8996).
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  location    /path/  {
      # Proxied requests for this path are not written to access.log.
      access_log  off;
      proxy_redirect off;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      # Plain HTTP upstream: the plugin must run without "tls" in its server opts.
      proxy_pass http://localhost:10003;
  }
}

Server side config:

{
  "server":"localhost",
  "server_port":10003,
  "password":"password",
  "timeout":300,
  "method":"chacha20-ietf-poly1305",
  "plugin":"v2ray-plugin",
  "plugin_opts":"server;tls;host=subdomain.example.com;path=/path/;cert=/path/to/cert;key=/path/to/key;loglevel=none"
}

Client side config:

{
    "server": "subdomain.example.com",
    "server_port": 443,
    "password": "password",
    "method": "chacha20-ietf-poly1305",
    "local_address": "0.0.0.0",
    "plugin": "/usr/bin/v2ray-plugin",
    "plugin_opts": "tls;host=subdomain.example.com;path=/path/;loglevel=none",
    "timeout": 60,
    "reuse_port": true
}

I don't think you need to enable TLS on both ss-server and nginx; TLS on nginx is enough. Try `"plugin_opts":"server;path=/path/;loglevel=none"` in the config file of ss-server.

70599 commented 5 years ago

@M3chD09 Thanks! Worked!

gotexis commented 5 years ago

@M3chD09

Hey I actually saw your repository for getting v2ray which was really helpful.

My current config is that I have a website using docker-nginx.

I wonder if I could include a dockerized shadowsocks in my docker-compose so I can deploy with ease.

The reason is for consistency, like I had no idea how to proxy_pass from nginx inside docker to the host machine.

I was trying to add simple-obfs to my ss-server but I saw it had been deprecated. Not sure if it's still working.

I only found the following docker image (for simple obfs)

https://hub.docker.com/r/mritd/shadowsocks

Not sure if this will still be working, could you give some advice? If this is not working, I wonder if you are interested in dockerizing the v2ray-plugin 👍

Cheers, 谢谢

M3chD09 commented 5 years ago

@M3chD09

Hey I actually saw your repository for getting v2ray which was really helpful.

My current config is that I have a website using docker-nginx.

I wonder if I could include a dockerized shadowsocks in my docker-compose so I can deploy with ease.

The reason is for consistency, like I had no idea how to proxy_pass from nginx inside docker to the host machine.

I was trying to add simple-obfs to my ss-server but I saw it had been deprecated. Not sure if it's still working.

I only found the following docker image (for simple obfs)

https://hub.docker.com/r/mritd/shadowsocks

Not sure if this will still be working, could you give some advice? If this is not working, I wonder if you are interested in dockerizing the v2ray-plugin 👍

Cheers, 谢谢

I just created a Dockerfile in my repository and built it on Docker Hub: `docker pull m3chd09/shadowsocks-with-v2ray-plugin`. I would be very happy if you find it helps.

whoizit commented 5 years ago

Is it possible to use shadowsocks-libev + v2ray-plugin + cloudflare with own domain without nginx? Why use nginx?

whoizit commented 5 years ago

It doesn't work for me — same config as at the top, behind a CDN. loglevel=debug on the client: [Info] failed to handler mux client connection > v2ray.com/core/proxy/freedom: failed to open connection to tcp:{DOMAIN.TLD}:443 > v2ray.com/core/common/retry: [v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://{DOMAIN.TLD}/): 521 Origin Down > websocket: bad handshake] > v2ray.com/core/common/retry: all retry attempts failed

loglevel=debug on server:

 2019-04-19 03:36:38 INFO: plugin "v2ray-plugin" enabled
 2019-04-19 03:36:38 INFO: initializing ciphers... aes-256-gcm
 2019-04-19 03:36:38 INFO: tcp server listening at 127.0.0.1:35999
 2019-04-19 03:36:38 INFO: running from root user
2019/04/19 03:36:38 V2Ray 4.16 (Po) Custom
2019/04/19 03:36:38 A unified platform for anti-censorship.
2019/04/19 03:36:38 [Debug] v2ray.com/core/app/log: Logger started
2019/04/19 03:36:38 [Warning] v2ray.com/core: V2Ray 4.16 started
xianren78 commented 5 years ago

看一下nginx的日志,似乎是nginx和v2ray直接连接有问题

whoami notifications@github.com 于 2019年4月19日周五 11:43写道:

not works for me, same config as on top, behind CDN loglevel=debug on client: [Info] failed to handler mux client connection > v2ray.com/core/proxy/freedom: failed to open connection to tcp:{DOMAIN.TLD}:443 > v2ray.com/core/common/retry: [ v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://{DOMAIN.TLD}/): 521 Origin Down > websocket: bad handshake] > v2ray.com/core/common/retry: all retry attempts failed

loglevel=debug on server:

2019-04-19 03:36:38 INFO: plugin "v2ray-plugin" enabled 2019-04-19 03:36:38 INFO: initializing ciphers... aes-256-gcm 2019-04-19 03:36:38 INFO: tcp server listening at 127.0.0.1:35999 2019-04-19 03:36:38 INFO: running from root user 2019/04/19 03:36:38 V2Ray 4.16 (Po) Custom 2019/04/19 03:36:38 A unified platform for anti-censorship. 2019/04/19 03:36:38 [Debug] v2ray.com/core/app/log: Logger started 2019/04/19 03:36:38 [Warning] v2ray.com/core: V2Ray 4.16 started


whoizit commented 5 years ago

client config, works:

{
  "server": "{DIRECT_IP_TO_VPS}",
  "server_port": 443,
  "local_address": "127.0.0.1",
  "local_port": 1080,
  "password": "password",
  "method": "aes-256-gcm",
  "plugin": "v2ray-plugin",
  "plugin_opts": "tls;host={DOMAIN.TLD};loglevel=debug",
  "timeout": 300
}

Does not work (domain over Cloudflare CDN):

{
  "server": "{DOMAIN.TLD}",
  "server_port": 443,
  "local_address": "127.0.0.1",
  "local_port": 1080,
  "password": "password",
  "method": "aes-256-gcm",
  "plugin": "v2ray-plugin",
  "plugin_opts": "tls;host={DOMAIN.TLD};loglevel=debug",
  "timeout": 300
}

ss-local -c /etc/shadowsocks/config

wakou commented 5 years ago

@M3chD09 I have configured nginx according to your sample, but now it only works on port 80 and not on port 443. nginx http.conf:

server {
       # Plain-HTTP listener (no TLS); port 443 is handled in https.conf.
       listen 80;
       listen [::]:80;
       server_name proxy.example.com;

       location / {
           # root/index appear to have no effect here: proxy_pass below takes
           # over content handling for the whole location.
           root /usr/share/nginx/html;
           index index.html;
          proxy_redirect off;
          proxy_http_version 1.1;
          proxy_pass http://localhost:10000;     # v2ray-plugin (server_port in ss-server.json)
          proxy_set_header Host $http_host;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
     }
 }

nginx https.conf

server {
    # TLS listener; the plugin behind it still runs without tls (plain HTTP on loopback).
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # The client's host= option must name this domain so SNI/Host select this vhost.
    server_name proxy.example.com;

    ssl_certificate /path/cert;
    ssl_certificate_key /path/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparams.pem;     # custom DH group for DHE key exchange
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # NOTE(review): no ssl_protocols directive; confirm TLS 1.0/1.1 are off (RFC 8996).
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_redirect off;
        proxy_http_version 1.1;     # required for the WebSocket upgrade
        proxy_pass http://localhost:10000;     # v2ray-plugin (server_port in ss-server.json)
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

ss-server.json

{
    "server":"localhost",
    "server_port":10000,
    "local_port":1080,
    "password":"password",
    "timeout":60,
    "method":"chacha20-ietf-poly1305",
    "plugin":"v2ray-plugin",
    "plugin_opts":"server;loglevel=none"
}

when use port 80

[25/Apr/2019:06:20:45 +0000] "GET / HTTP/1.1" 101 1668 "-" "Go-http-client/1.1"

use port 443

[25/Apr/2019:06:22:16 +0000] "GET / HTTP/1.1" 400 280 "-" "Go-http-client/1.1"

Can you help me find out what happened? Apart from this, I find that connecting with the IP address also reaches the server — is that normal? Thanks.

x007007007 commented 5 years ago

@M3chD09

when use port 80

[25/Apr/2019:06:20:45 +0000] "GET / HTTP/1.1" 101 1668 "-" "Go-http-client/1.1"

use port 443

[25/Apr/2019:06:22:16 +0000] "GET / HTTP/1.1" 400 280 "-" "Go-http-client/1.1"

Can you help me find out what happened? Apart from this, I find that connecting with the IP address also reaches the server — is that normal? Thanks.

Add `tls` to plugin_opts in the ss-client config for port 443:

    "plugin_opts":"tls;server;loglevel=none"
wakou commented 5 years ago

@x007007007 Add tls to plugin_opts in the ss-client config? It's useless. In fact, when I use tls on the client, nginx does not receive the request at all; I can't find my IP in either "access.log" or "error.log".

If you know why, please tell me.

wakou commented 5 years ago

OK, now v2ray-plugin works fine on 443. The cause of the error was that I set a wrong plugin-opts: the "host" option has to be the same as my domain. This is my ss-client config file:

{
      "server": "my domain",
      "server_port": 443,
      "password": "password",
      "method": "aes-256-gcm",
      "plugin": "v2ray-plugin",
      "plugin_opts": "tls;path=/ss;host=mydomain",
      "plugin_args": "",
      "timeout": 5
    }

But can anyone tell me the reason why the host must be the same as my domain? This question is confusing me.

olegbliaher commented 5 years ago

@Zalasento I am not 100% sure, but I believe that the domain name is somewhere in the headers of the packets being sent, so it's basically used for verification that it should go to the correct Shadowsocks, and not, for example, to some other service. It's for authorization.

Everyone feel free to correct me if I'm wrong.

shmilyoo commented 4 years ago

can anyone provide a quic config with the ss v2ray-plugin tls

dm116 commented 4 years ago

@M3chD09 I get an error on Kali 2019 when I run shadowsocks-libev ss-local, but my other client, Shadowsocks 4.1.9.2, runs perfectly on Windows 10.

1. shadowsocks4.1.9.2 configuration on window10

"server":"mydomain.com",
"server_port":443,
"password":"mypassword",
"encryption":"aes-256-gcm",
"plugin":"v2ray-plugin",
"plugin_options":"tls;host=mydomain.com;path=/ss/;loglevel=none",
"local_port":1080

2. Configuration of client on Kali2019

2.1 local.json of shadowsocks-libev

{
    "server":"mydomain.com",
    "server_port":443,
    "local_port":1080,
    "password":"mypassword",
    "timeout":300,
    "method":"aes-256-gcm",
    "plugin":"/usr/bin/v2ray-plugin",
    "plugin_opt":"tls;host=mydomain.com;path=/ss/;loglevel=none",
    "reuse_port":true
}

2.2 error message of chrome

root@kali:~# chrome
[2097:2097:0325/184838.830074:ERROR:edid_parser.cc(102)] Too short EDID data: manufacturer id
[2126:2126:0325/184838.931405:ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process.
[2129:2134:0325/184854.258843:ERROR:ssl_client_socket_impl.cc(941)] handshake failed; returned -1, SSL error code 1, net_error -100
[2129:2134:0325/184854.259257:ERROR:ssl_client_socket_impl.cc(941)] handshake failed; returned -1, SSL error code 1, net_error -100
[2129:2134:0325/184854.276415:ERROR:ssl_client_socket_impl.cc(941)] handshake failed; returned -1, SSL error code 1, net_error -100

2.3 nginx.conf of client ()

I used nginx on the client because Chrome didn't work well on Kali, so I used nginx as a reverse proxy. I added the following to http{...}:

server {
        # NOTE(review): "listen 80" binds every interface; server_name only selects
        # the vhost by Host header and does not restrict who may connect. Use
        # "listen 127.0.0.1:80;" if the PAC file is meant for this machine only.
        listen 80;
        server_name 127.0.0.1;
        # Serves the local PAC file for the browser's proxy auto-config.
        location /autoproxy.pac {
            alias /etc/shadowsocks-libev/autoproxy.pac;
        }
}

The whole content of nginx.conf is as follows:

# Client-side nginx.conf (Debian-style layout). Its only job here is the
# plain-HTTP server block below that serves the PAC file to the browser.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##
    # NOTE(review): "listen 80" binds every interface; server_name does not
    # restrict who can connect. Prefer "listen 127.0.0.1:80;" for a PAC file
    # that is only meant for this machine.
    server {
        listen 80;
        server_name 127.0.0.1;
        location /autoproxy.pac {
            alias /etc/shadowsocks-libev/autoproxy.pac;
        }
    }

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # NOTE(review): TLS 1.0/1.1 are deprecated (RFC 8996). Nothing in this file
    # listens with ssl, but vhosts pulled in by the includes below inherit this.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    # Additional vhosts are loaded from these directories.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

# proxy chrome 

# Stock (disabled) mail-proxy example shipped with the default config.
#mail {
#   # See sample authentication script at:
#   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#   # auth_http localhost/auth.php;
#   # pop3_capabilities "TOP" "USER";
#   # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#   server {
#       listen     localhost:110;
#       protocol   pop3;
#       proxy      on;
#   }
# 
#   server {
#       listen     localhost:143;
#       protocol   imap;
#       proxy      on;
#   }
#}

3 configuration of server

By the way, my VPS has been configured with v2ray+tls+nginx+cdn (Cloudflare's CDN).

3.1 configuration of shadowsocks-libev

{
    "server":"0.0.0.0",
    "server_port":10086,
    "local_port":1080,
    "password":"mypassword",
    "timeout":300,
    "plugin":"/usr/bin/v2ray-plugin",
    "plugin_opts":"server;path=/ss/;loglevel=none",
    "method":"aes-256-gcm"
}

3.2 configuration of nginx on VPS

server {
        # default_server: this vhost also answers connections whose SNI/Host
        # matches no other server block on 443.
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        server_name mydomain.com www.mydomain.com;
        root /var/www/mydomain.com;
        index index.php index.html index.htm;

        ssl_certificate         /etc/ssl/certs/cloudflare_mydomain.com;
        ssl_certificate_key     /etc/ssl/private/cloudflare_mydomain.com;
        # NOTE(review): TLS 1.0/1.1 are deprecated (RFC 8996); TLSv1.2 alone is
        # sufficient for the CDN edge and the plugin client.
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache       shared:SSL:1m;
        ssl_session_timeout     10m;
        # HIGH still admits non-PFS RSA and CBC suites; an ECDHE-only list is preferable.
        ssl_ciphers             HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Mutual TLS: only peers presenting a certificate chaining to this CA
        # (Cloudflare Authenticated Origin Pulls, judging by the file name) complete
        # the handshake, so connections that bypass the CDN are rejected at TLS.
        ssl_client_certificate  /etc/ssl/certs/origin-pull-ca.pem;
        ssl_verify_client on;

        client_max_body_size 100M;

        autoindex off;

        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        # Prefix match: covers /ss, /ss/... and anything starting with /ss.
        # The plugin's server opts use path=/ss/, and the client the same path.
        location /ss {
                access_log off;     # proxied plugin traffic is not written to access.log
                proxy_redirect off;
                proxy_pass http://localhost:10086;     # v2ray-plugin, plain HTTP on loopback
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $http_host;
        }

        # Second WebSocket backend (v2ray) on loopback port 110.
        location /mn_v2ray {
                access_log off;
                proxy_redirect off;
                proxy_pass http://localhost:110;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $http_host;
        }

        # Regex locations are evaluated after the prefix locations above and win
        # when they match, so a URI such as /ss/x.php is handled by PHP-FPM rather
        # than forwarded. NOTE(review): this relies on snippets/fastcgi-php.conf
        # for the usual PATH_INFO split and "=404" guard — confirm its contents.
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}