Linux 发行版: Debian

系统和软件包更新到最新

# Remember to change the root password
passwd root
# As root
apt update \
  && apt full-upgrade -y \
  && apt autoremove -y \
  && apt autoclean \
  && apt clean
# As a non-root user, prefix each command with sudo
# sudo apt update && sudo apt full-upgrade -y && sudo apt autoremove -y && sudo apt autoclean && sudo apt clean
reboot

创建用户

普通用户切换到 root 用户, 同时切换工作环境

# Skip this when already root; --login is the long form of "-" and gives a full root login environment
su --login root

创建用户

apt install sudo
# Create the user with a home directory, add it to the sudo (or wheel) group and give it bash as login shell
# useradd --create-home --groups wheel --shell /bin/bash user
useradd --create-home --groups sudo --shell /bin/bash user
passwd user
# Uncomment the group line (sudo/wheel) in sudoers if it is still commented out
visudo

修改 SSH 配置

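# Change the default port (add "Port 20022") and disable root logins over ssh ("PermitRootLogin no")
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
nano /etc/ssh/sshd_config
# Validate the edited config before rebooting: a syntax error would leave sshd down and lock you out.
# Keep this session open and open the new port on any firewall before relying on it.
sshd -t && reboot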

开启 bbr

# Make sure the tcp_bbr module is loaded
sudo modprobe tcp_bbr
# Persist the sysctl settings
printf '%s\n' 'net.core.default_qdisc=fq' 'net.ipv4.tcp_congestion_control=bbr' | sudo tee /etc/sysctl.d/90-bbr.conf
# Apply and verify
sudo sysctl --system
sudo sysctl net.ipv4.tcp_congestion_control
lsmod | grep bbr
sudo reboot

安装必要软件

# Editors, web server, download and VCS utilities used later in this guide
sudo apt install \
  nano vim \
  nginx \
  curl wget git unzip tree

acme.sh 申请证书

https://github.com/acmesh-official/acme.sh?tab=readme-ov-file#-usage-guide
https://github.com/acmesh-official/acme.sh/wiki/dnsapi#35-use-namesilocom-api

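# Install acme.sh. -f makes curl exit non-zero on an HTTP error so an error page is never piped into sh;
# -sS hides progress but still prints errors; -L follows redirects.
curl -fsSL https://get.acme.sh | sh -s email=your-email
# Reboot only serves to pick up the shell changes acme.sh added to ~/.bashrc
sudo reboot
# untested lighter alternative to the reboot
# source ~/.bashrc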

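# acme.sh runs as the unprivileged user below, so give that user ownership of the webroot
# instead of making it world-writable (a+w would let any local account drop files nginx serves)
sudo chown user /var/www/html/
sudo systemctl restart nginx
acme.sh --issue -d your-domain -w /var/www/html
# Use the DNS API instead when the host has no public IP
# export Namesilo_Key="<key>"
# acme.sh --issue --dns dns_namesilo -d example.com --dnssleep 1800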

# Hook script acme.sh runs after each renewal; for now it only contains the shebang
printf '#!/bin/sh\n' > /home/user/acme-reloadcmd.sh
chmod +x /home/user/acme-reloadcmd.sh

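# The private key is copied into this directory; create it readable by the owner only
mkdir -m 700 /home/user/acme-certs
acme.sh --install-cert -d your-domain \
  --cert-file /home/user/acme-certs/cert.pem \
  --key-file /home/user/acme-certs/key.pem \
  --fullchain-file /home/user/acme-certs/fullchain.pem \
  --reloadcmd "sh /home/user/acme-reloadcmd.sh"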

创建配置 Proxy 工具并运行

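mkdir -p /home/user/proxy-tools/xray
mkdir -p /home/user/proxy-tools/hysteria2
mkdir -p /home/user/proxy-tools/hysteria2/masquerade

wget https://github.com/XTLS/Xray-core/releases/latest/download/Xray-linux-64.zip -O /home/user/proxy-tools/xray/Xray-linux-64.zip
# Xray publishes a .dgst file next to each archive; compare its SHA2-256 line with the local hash before unpacking
wget https://github.com/XTLS/Xray-core/releases/latest/download/Xray-linux-64.zip.dgst -O /home/user/proxy-tools/xray/Xray-linux-64.zip.dgst
sha256sum /home/user/proxy-tools/xray/Xray-linux-64.zip
cat /home/user/proxy-tools/xray/Xray-linux-64.zip.dgst
# No digest is fetched for hysteria here; pinning a release tag instead of "latest" at least makes the download reproducible
wget https://github.com/apernet/hysteria/releases/latest/download/hysteria-linux-amd64 -O /home/user/proxy-tools/hysteria2/hysteria2
wget https://www.rfc-editor.org/rfc/rfc1178 -O /home/user/proxy-tools/hysteria2/masquerade/index.html
# Mirror for hosts with slow access to GitHub
# wget https://fastly.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat -O /home/user/proxy-tools/hysteria2/geoip.dat
# wget https://fastly.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat -O /home/user/proxy-tools/hysteria2/geosite.dat

unzip /home/user/proxy-tools/xray/Xray-linux-64.zip -d /home/user/proxy-tools/xray
rm /home/user/proxy-tools/xray/Xray-linux-64.zip /home/user/proxy-tools/xray/Xray-linux-64.zip.dgst
chmod +x /home/user/proxy-tools/xray/xray
chmod +x /home/user/proxy-tools/hysteria2/hysteria2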

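# Remember to replace the password
# Adjust the other parameters as needed
# If some sites are unreachable through the proxy, the acl rules are the first thing to check
# The nested keys must be indented: a flat file makes "tls:", "auth:" etc. empty and the settings top-level keys
cat << 'EOF' > /home/user/proxy-tools/hysteria2/config.yaml
listen: 0.0.0.0:20443

tls:
  cert: /home/user/acme-certs/fullchain.pem
  key: /home/user/acme-certs/key.pem
  sniGuard: strict

auth:
  type: password
  password: random-uuid

acl:
  inline:
    - reject(geoip:cn)
    - reject(geosite:cn)
    - reject(geosite:category-ads-all)
    - reject(geoip:private)
    - reject(geosite:private)
  # geoip: /home/user/proxy-tools/hysteria2/geoip.dat
  # geosite: /home/user/proxy-tools/hysteria2/geosite.dat
  geoUpdateInterval: 24h

masquerade:
  type: file
  file:
    dir: /home/user/proxy-tools/hysteria2/masquerade
  listenHTTPS: 0.0.0.0:20443
EOF
# The file holds the auth password; keep it readable by the owner only
chmod 600 /home/user/proxy-tools/hysteria2/config.yaml
cd /home/user/proxy-tools/hysteria2 && \
nohup ./hysteria2 server -c ./config.yaml > ./hysteria2.log 2>&1 &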

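touch /home/user/proxy-tools/xray/access.log
touch /home/user/proxy-tools/xray/error.log
# Every "run [...]" / "[...]" value below is a placeholder to replace before starting:
#   client id   -> output of `xray uuid`
#   decryption  -> output of `xray vlessenc`
#   serverNames -> output of `xray tls ping other-domain`
#   privateKey  -> output of `xray x25519`
cat << 'EOF' > /home/user/proxy-tools/xray/config.json
{
  "log": {
    "access": "/home/user/proxy-tools/xray/access.log",
    "error": "/home/user/proxy-tools/xray/error.log",
    "loglevel": "info",
    "dnsLog": true
  },
  "dns": {
    "servers": [
      "https+local://1.1.1.1/dns-query",
      "localhost"
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "ip": [
          "geoip:cn"
        ],
        "outboundTag": "block"
      },
      {
        "domain": [
          "geosite:cn"
        ],
        "outboundTag": "block"
      },
      {
        "domain": [
          "geosite:category-ads-all"
        ],
        "outboundTag": "block"
      },
      {
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "block"
      },
      {
        "domain": [
          "geosite:private"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 22443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "run [xray uuid]",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "run [xray vlessenc]"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "[your-domain]",
          "rejectUnknownSni": true,
          "minVersion": "1.3",
          "certificates": [
            {
              "certificateFile": "/home/user/acme-certs/fullchain.pem",
              "keyFile": "/home/user/acme-certs/key.pem"
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 23443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "run [xray uuid]",
            "flow": ""
          }
        ],
        "decryption": "run [xray vlessenc]"
      },
      "streamSettings": {
        "network": "xhttp",
        "xhttpSettings": {
          "path": "[/your-path]"
        },
        "security": "reality",
        "realitySettings": {
          "target": "[other-domain]:443",
          "serverNames": [
            "run [xray tls ping other-domain]"
          ],
          "privateKey": "run [xray x25519]",
          "shortIds": [
            "[random 0-f string length 16]"
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom"
    },
    {
      "tag": "block",
      "protocol": "blackhole"
    }
  ]
}
EOF
# The file holds the client ids and the REALITY private key; keep it readable by the owner only
chmod 600 /home/user/proxy-tools/xray/config.json
cd /home/user/proxy-tools/xray && \
nohup ./xray run -c ./config.json > ./xray.log 2>&1 &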

# TODO:
# 添加 xray 配置
# 添加防火墙配置
# /home/user/acme-reloadcmd.sh 添加 xray, hysteria2 重启命令
# 添加 xray, hysteria2 定期检查更新脚本
# 添加系统定期更新脚本

hysteria2 配置

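# hysteria2 server config; nested keys must be indented, otherwise "tls:", "auth:", "acl:" and
# "masquerade:" parse as empty and their settings become unknown top-level keys
listen: 0.0.0.0:20443

tls:
  cert: /home/user/acme-certs/fullchain.pem
  key: /home/user/acme-certs/key.pem
  sniGuard: strict

auth:
  type: password
  # placeholder, replace with a strong random value before use
  password: random-uuid

acl:
  inline:
    - reject(geoip:cn)
    - reject(geosite:cn)
    - reject(geosite:category-ads-all)
    - reject(geoip:private)
    - reject(geosite:private)
  # geoip: /home/user/proxy-tools/hysteria2/geoip.dat
  # geosite: /home/user/proxy-tools/hysteria2/geosite.dat
  geoUpdateInterval: 24h

masquerade:
  type: file
  file:
    dir: /home/user/proxy-tools/hysteria2/masquerade
  listenHTTPS: 0.0.0.0:20443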

xray 配置

https://github.com/XTLS/Xray-examples/blob/main/VLESS-TCP-XTLS-Vision/config_server.jsonc
https://github.com/XTLS/Xray-examples/blob/main/VLESS-XHTTP-Reality/minimal-steal_others/server-block-cn.jsonc

{
"log": {
"access": "/home/user/proxy-tools/xray/access.log",
"error": "/home/user/proxy-tools/xray/error.log",
"loglevel": "info",
"dnsLog": true
},
"dns": {
"servers": [
"https+local://1.1.1.1/dns-query",
"localhost"
]
},
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"ip": [
"geoip:cn"
],
"outboundTag": "block"
},
{
"domain": [
"geosite:cn"
],
"outboundTag": "block"
},
{
"domain": [
"geosite:category-ads-all"
],
"outboundTag": "block"
},
{
"ip": [
"geoip:private"
],
"outboundTag": "block"
},
{
"domain": [
"geosite:private"
],
"outboundTag": "block"
}
]
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 22443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "run [xray uuid]",
"flow": "xtls-rprx-vision"
}
],
"decryption": "run [xray vlessenc]"
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"serverName": "[your-domain]",
"rejectUnknownSni": true,
"minVersion": "1.3",
"certificates": [
{
"certificateFile": "/home/user/acme-certs/fullchain.pem",
"keyFile": "/home/user/acme-certs/key.pem"
}
]
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
},
{
"listen": "0.0.0.0",
"port": 23443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "run [xray uuid]",
"flow": ""
}
],
"decryption": "run [xray vlessenc]"
},
"streamSettings": {
"network": "xhttp",
"xhttpSettings": {
"path": "[/your-path]"
},
"security": "reality",
"realitySettings": {
"target": "[other-domain]:443",
"serverNames": [
"run [xray tls ping other-domain]"
],
"privateKey": "run [xray x25519]",
"shortIds": [
"[random 0-f string length 16]"
]
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls",
"quic"
]
}
}
],
"outbounds": [
{
"tag": "direct",
"protocol": "freedom"
},
{
"tag": "block",
"protocol": "blackhole"
}
]
}