Vmess + TLS + Web
How to setup VMess + TLS + Web
 
Install the latest HAProxy 1.8
# software-properties-common provides add-apt-repository; the PPA supplies
# HAProxy 1.8 packages newer than the distribution's own.
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:vbernat/haproxy-1.8
Install haproxy and nginx
# haproxy terminates TLS on 443 and splits traffic; nginx serves the plain web
# site on 127.0.0.1:80 (and the acme.sh webroot used later).
sudo apt install haproxy
sudo apt install nginx
Configure haproxy
global
	log /dev/log	local0
	log /dev/log	local1 notice
	# Worker runs inside this chroot; unix-socket paths in backends below are
	# resolved relative to it.
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon
	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private
	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# An alternative list with additional directives can be obtained from
	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
	#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	#ssl-default-bind-options no-sslv3
	# TLS 1.2 list: forward-secret AEAD suites only.
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	# TLS 1.3 suites (separate directive; needs an OpenSSL 1.1.1+ build).
    	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	# Only TLS 1.2 and 1.3 are offered.
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    	tune.ssl.default-dh-param 2048
defaults
	log	global
	# TCP mode: haproxy terminates TLS and looks at the first bytes, but does
	# not parse or rewrite HTTP.
	mode	tcp
	option	dontlognull
        timeout connect 5s
	# Long idle timeouts so tunnelled VMess sessions are not cut off.
        timeout client  300s
        timeout server  300s
# Single TLS listener on 443. After the handshake haproxy waits up to 5s for
# the first client bytes: HTTP goes to nginx, anything else (VMess) to v2ray.
frontend tls-in
    # crt is the PEM written by the acme.sh haproxy deploy hook (see below).
    bind *:443 tfo ssl crt /etc/ssl/your.domain.pem
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    use_backend web if HTTP
    default_backend vmess
backend web
    server server1 127.0.0.1:80
backend vmess
    # Relative to the chroot above, i.e. /var/lib/haproxy/v2ray/v2ray.sock —
    # must match dsSettings.path in the v2ray config.
    server server1 /v2ray/v2ray.sock
Issue a Let's Encrypt certificate
Install acme.sh, then log out and SSH in again so the new shell picks it up
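# Download the installer to a file so it can be read before it is executed,
# rather than piping an unverified remote script straight into sh.
# -f: fail on HTTP errors, -sS: quiet but show errors, -L: follow redirects.
curl -fsSL -o acme-install.sh https://get.acme.sh
# Inspect acme-install.sh, then run it.
sh ./acme-install.sh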
Issue a certificate; make sure you can write to /var/www/html, the webroot passed with -w
# Webroot validation: the challenge file is placed under /var/www/html and must
# be reachable over plain HTTP on port 80, which nginx serves directly.
acme.sh --issue -d your.domain -w /var/www/html
Deploy certificate for haproxy
Set the deploy-hook variables and deploy the certificate for haproxy
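# Directory the haproxy deploy hook writes the combined PEM into; the file
# name is <domain>.pem, which is what the haproxy bind line points at.
export DEPLOY_HAPROXY_PEM_PATH=/etc/ssl
# Run after every deploy/renewal. Use a graceful reload, not a restart: a
# restart drops every open TLS/VMess connection each time the cert renews.
export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload"
# acme.sh saves these DEPLOY_ variables so later automatic renewals reuse them.
# The PEM contains the private key — confirm it is not world-readable.
acme.sh --deploy -d your.domain --deploy-hook haproxy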
Test that haproxy serves the web site
# Should return the nginx page via haproxy; a certificate error here usually
# means the crt path in the bind line does not match the deployed PEM.
curl https://your.domain
Configure VMess
{
  "log": {
    "loglevel": "warning"
  },
  "dns": {},
  "stats": {},
  "inbounds": [
    {
      "port": <your-port>,
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": <your-guid>,
            "alterId": <your-alter-id>,
	    "security": "auto"
          }
        ]
      },
      "tag": "in-0",
      "streamSettings": {
        "network": "ds",
	"dsSettings": { "path": "/var/lib/haproxy/v2ray/v2ray.sock" }
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "blocked",
      "protocol": "blackhole",
      "settings": {}
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "blocked"
      }
    ]
  },
  "policy": {},
  "reverse": {},
  "transport": {}
}
V2Ray systemd unit, saved as /etc/systemd/system/v2ray.service
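[Unit]
Description=V2Ray - A unified platform for anti-censorship
Documentation=https://v2ray.com https://guide.v2fly.org
After=network.target nss-lookup.target
Wants=network-online.target
[Service]
# On systemd 240 or newer, uncomment Type=exec and comment out Type=simple.
#Type=exec
Type=simple
# Running as root, or granting CAP_NET_BIND_SERVICE, is what allows binding ports 1-1024.
# This service runs as root. Consider running it as a dedicated user instead.
# Uncommenting User=v2ray and commenting out User=root runs the service as user v2ray.
# More discussion at https://github.com/v2ray/v2ray-core/issues/1011
User=root
#User=v2ray
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=yes
# systemd does not expand shell globs in Exec*= lines, so "*.sock" would be
# taken literally and nothing removed. Name the socket that dsSettings.path
# creates so a stale file from a previous run is actually cleared.
ExecStartPre=/bin/rm -f /var/lib/haproxy/v2ray/v2ray.sock
ExecStart=/usr/bin/v2ray/v2ray -config /etc/v2ray/config.json
# Give v2ray a moment to create the socket before adjusting it.
ExecStartPost=/bin/sleep 1
# Only haproxy (user/group haproxy, connecting from its chroot) needs to reach
# the socket: give it to that group with 660 instead of a world-writable 777.
ExecStartPost=/bin/chgrp haproxy /var/lib/haproxy/v2ray/v2ray.sock
ExecStartPost=/bin/chmod 660 /var/lib/haproxy/v2ray/v2ray.sock
Restart=on-failure
# Don't restart in the case of a configuration error
RestartPreventExitStatus=23
[Install]
WantedBy=multi-user.target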
Reload systemd
# Pick up the new/edited unit file before starting the service.
sudo systemctl daemon-reload
Create the directory for the Unix socket
# Lives under haproxy's chroot (/var/lib/haproxy), so the vmess backend sees
# it as /v2ray; v2ray creates v2ray.sock here at startup.
sudo mkdir -p /var/lib/haproxy/v2ray
Restart V2ray
# Starts (or restarts) v2ray with the unit above. Add `sudo systemctl enable v2ray`
# if it should also come up at boot.
sudo systemctl restart v2ray
Test VMess
Modify the client config to connect to port 443 with security set to tls
{
	"streamSettings": {
		"network": "tcp",
        "security": "tls"
	}
}