
通过acme.sh 申请的非通配符证书,不能使用"allowInsecure" : false #2596

Closed t66y100 closed 4 years ago

t66y100 commented 4 years ago

问题描述:

同一服务器,相同的软件版本(最新4.25.1以及别的版本都有测试,结果一样),完全相同的配置文件,只是ssl证书不一样,两种情况下可以使用 "allowInsecure" : false ,另外一种情况不能使用 "allowInsecure" : false

ssl证书通过以下方式申请:

一种是通过acme.sh --issue --standalone -d example.com -d www.example.com -d v.example.com -d c.example.com -d t.example.com申请 (由于是ml免费域名并且托管cf,cf现在不支持ml域名api,无法能过acme自动申请通配符ssl证书)

一种是通过 freessl.cn 申请: example.com *.example.com

用pc firefox或android chrome浏览器 https方式打开 example.com www.example.com v.example.com c.example.com t.example.com 显示: 证书状态正常; acme方式申请的证书,证书主题背景的备用名称包含: example.com www.example.com v.example.com c.example.com t.example.com; freessl.cn申请的证书,证书主题背景的备用名称包含:example.com *.example.com 。

通过acme.sh申请的,不可以使用"allowInsecure" : false ,如果使用则无法建立连接; 通过freessl.cn申请的,可以使用"allowInsecure" : false ; c.example.com套cloudflare并使用acme.sh申请的证书,并且cloudflare SSL/TLS 加密模式为 完全(严格),可以使用"allowInsecure" : false 。

客户端配置:

    {
  "inbounds" : [
    {
      "protocol" : "socks",
      "streamSettings" : {

      },
      "listen" : "0.0.0.0",
      "port" : 1080,
      "settings" : {
        "allowTransparent" : true
      }
    }
  ],
  "log" : {
    "loglevel" : "none"
  },
  "dns" : {},
  "outbounds" : [
    {
      "streamSettings" : {
        "security" : "tls",
        "network" : "ws",
        "wsSettings" : {
          "path" : "/ws",
          "headers" : {
            "Host" : "v.example.com"
          }
        },
        "tlsSettings" : {
          "serverName" : "v.example.com",
          "allowInsecure" : false
        }
      },
      "protocol" : "vmess",
      "mux" : {
        "enabled" : true,
        "concurrency" : 8
      },
      "settings" : {
        "vnext" : [
          {
            "port" : 443,
            "address" : "v.example.com",
            "users" : [
              {
                "alterId" : 0,
                "security" : "none",
                "id" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
              }
            ]
          }
        ]
      },
      "tag" : "proxy"
    }
  ],
  "policy" : {
    "levels" : {
      "2018" : {
        "uplinkOnly" : 0,
        "handshake" : 4,
        "downlinkOnly" : 0,
        "connIdle" : 15
      },
      "0" : {
        "uplinkOnly" : 0,
        "handshake" : 4,
        "downlinkOnly" : 0,
        "connIdle" : 15
      }
    }
  }
}

服务器nginx配置1:

   # Front-end nginx: a plain-HTTP server on :80 plus a TLS-passthrough
   # stream server on :443 that routes by SNI. No certificate is loaded in
   # this file; TLS is terminated by whichever upstream the SNI map picks
   # (the "vmess" upstream is the `listen 10242 ssl` server shown later in
   # this issue).
   worker_processes  1;

events {
    worker_connections  1024;
}

http {
    # Extra vhosts come from conf.d/ (presumably where the 10242 TLS server
    # is defined — not visible in this block).
    include       conf.d/*.conf;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # Plain HTTP on :80 goes only to the ordinary web backend.
    server {
        listen       80;
        server_name  localhost;
        location / {
                proxy_pass http://127.0.0.1:10240;
        }
    }
}

stream {
    # Route on the SNI name read from the ClientHello (ssl_preread below).
    # SNI travels in the clear, so this routing key is visible on the wire;
    # an unknown or missing SNI falls through to the web backend, which
    # keeps unexpected probes away from the proxy upstreams.
    map $ssl_preread_server_name $backend_name {
        example.com web;
        c.example.com vmess;
        v.example.com vmess;
        t.example.com trojan;
        default web;
    }

    upstream web {
        server 127.0.0.1:10240;
    }

    upstream trojan {
        server 127.0.0.1:10241;
    }

    # TLS for c./v.example.com is terminated by this upstream, so the
    # certificate (and chain) a strict client validates is the one
    # configured there, not anything in this file.
    upstream vmess {
        server 127.0.0.1:10242;
    }

    server {
        listen 443 reuseport;
        listen [::]:443 reuseport;
        # Passthrough: bytes are forwarded unmodified to $backend_name.
        proxy_pass  $backend_name;
        # Peek at the ClientHello for SNI without decrypting anything.
        ssl_preread on;
    }
}

服务器nginx配置2:

   # TLS-terminating server behind the :443 stream passthrough: the SNI map
   # sends c./v.example.com here. The certificate served from this block is
   # what a v2ray client with "allowInsecure": false validates.
   server {
    # NOTE(review): the WebSocket upgrade below is an HTTP/1.1 mechanism;
    # the reply in this issue suggests `listen 10242 ssl;` without http2 —
    # confirm whether h2 negotiation via ALPN interferes with /ws.
    listen 10242 ssl http2;

    # Response compression on a TLS listener. If any proxied response
    # reflects request data alongside a secret, compression is a known
    # side-channel concern; the snippet suggested in this issue uses
    # `gzip off`.
    gzip on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript;

    ssl_protocols TLSv1.2 TLSv1.3;
    # Must be the full chain (leaf followed by intermediates), i.e. acme.sh's
    # fullchain.cer rather than the leaf-only xxx.com.cer. A leaf-only file
    # is what caused this issue: browsers commonly fetch missing
    # intermediates themselves and show the site as fine, while a strict
    # client cannot build the chain and refuses to connect. Shipping the
    # chain is the fix; relaxing allowInsecure is not.
    ssl_certificate      full_chain.pem;
    ssl_certificate_key  private.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    # The reply in this issue uses the stricter string
    # HIGH:!aNULL:!eNULL:!MD5:!RC4:!ADH:!AECDH together with
    # ssl_prefer_server_ciphers off and ssl_ecdh_curve P-256.
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    # WebSocket upgrade to the v2ray inbound, which listens on loopback
    # 127.0.0.1:419 with "security": "" — TLS ends at nginx and the loopback
    # hop is plaintext, which is acceptable only while it stays local.
    location /ws {
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Forwards the client's Host header (the client config sets it to
        # v.example.com).
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:419;
    }

    # Everything other than /ws is served by the ordinary web backend, so a
    # visitor to the hostname sees a normal site.
    location / {
       proxy_pass http://127.0.0.1:10240;
    }
}

服务器v2ray配置:

    {
    "outbound": {
        "tag": null,
        "protocol": "freedom",
        "settings": null,
        "streamSettings": null,
        "mux": null
    },

    "outboundDetour": [
        {
            "tag": "direct",
            "protocol": "freedom",
            "settings": null
        },
        {
            "tag": "blocked",
            "protocol": "blackhole",
            "settings": null
        }
    ],

    "inbound": {
        "port": 419,
        "listen": "127.0.0.1",
        "protocol": "vmess",
        "settings": {
            "ip": null,
            "auth": null,
            "udp": true,
            "clients": [{
                "alterId": 5,
                "id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                "security": "none"
            }]
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": { "path": "/ws" },
            "tlsSettings": {},
            "security": "",
            "tcpSettings": null,
            "kcpSettings": null
        }
    },

    "inboundDetour": null,

    "routing": {
        "settings": {
            "rules": [{
                "ip": [
                        "0.0.0.0/8",
                        "10.0.0.0/8",
                        "100.64.0.0/10",
                        "127.0.0.0/8",
                        "169.254.0.0/16",
                        "172.16.0.0/12",
                        "192.0.0.0/24",
                        "192.0.2.0/24",
                        "192.168.0.0/16",
                        "198.18.0.0/15",
                        "198.51.100.0/24",
                        "203.0.113.0/24",
                        "::1/128",
                        "fc00::/7",
                        "fe80::/10"
                ],
            "outboundTag": "blocked",
            "type": "field",
            "port": null,
            "domain": null
        }],
        "domainStrategy": null
        },
        "strategy": "rules"
    },

    "dns": null

}
okudayukiko commented 4 years ago

用FullChain证书。 /etc/nginx/nginx.conf

VMess+WS+HTTP1+TLS

listen 10242 ssl; gzip off; ssl_protocols TLSv1.2 TLSv1.3; ssl_certificate full_chain.pem; ssl_certificate_key private.key; ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!RC4:!ADH:!AECDH; ssl_prefer_server_ciphers off; ssl_ecdh_curve P-256;

t66y100 commented 4 years ago

用FullChain证书。 /etc/nginx/nginx.conf

VMess+WS+HTTP1+TLS

listen 10242 ssl; gzip off; ssl_protocols TLSv1.2 TLSv1.3; ssl_certificate full_chain.pem; ssl_certificate_key private.key; ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!RC4; ssl_prefer_server_ciphers off; ssl_ecdh_curve P-256;

感谢感谢,我直接用了xxx.com.cer,原来还有一个fullchain.cer。现在可以了,谢谢。