Vmess + TLS + Web

How to set up VMess + TLS + Web

Vmess + TLS + Web

Install the latest haproxy 1.8

# add-apt-repository is provided by software-properties-common; the PPA below is a
# third-party archive carrying haproxy 1.8 builds, so its packages are trusted like any other apt source.
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:vbernat/haproxy-1.8

Install haproxy and nginx

# haproxy terminates TLS on 443; nginx serves the plain-HTTP site behind it
# (and, when its document root is /var/www/html, the ACME webroot used in the certificate step).
sudo apt install haproxy
sudo apt install nginx

Configure haproxy

# Process-wide settings: haproxy runs as haproxy:haproxy, chrooted into /var/lib/haproxy.
global
	log /dev/log	local0
	log /dev/log	local1 notice
	# Paths resolved after startup (e.g. the unix-socket backend) are relative to this chroot.
	chroot /var/lib/haproxy
	# Runtime API socket. 'level admin' permits runtime changes, so keep mode 660 and the socket owner restricted.
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# An alternative list with additional directives can be obtained from
	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
	#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	#ssl-default-bind-options no-sslv3
	# TLS 1.2 cipher list: ECDHE/DHE key exchange with AEAD (GCM / ChaCha20-Poly1305) only — forward secrecy, no CBC or RSA key transport.
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	# TLS 1.3 ciphersuites are configured with a separate directive (only effective when the linked OpenSSL supports TLS 1.3).
    	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	# Disable SSLv3 and TLS 1.0/1.1: TLS 1.2 and newer only.
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
	# DH parameter size used by the DHE-* suites listed above.
    	tune.ssl.default-dh-param 2048

# Defaults inherited by the frontend and backends below.
defaults
	log	global
	# TCP mode: the 443 frontend terminates TLS and forwards the decrypted byte stream unchanged.
	mode	tcp
	option	dontlognull
        timeout connect 5s
        # 300s idle timeouts on both sides apply to the web backend and to the long-lived vmess sessions alike.
        timeout client  300s
        timeout server  300s

# Single TLS listener on 443 that demultiplexes HTTP (to nginx) from everything else (to v2ray).
frontend tls-in
    # The PEM (certificate chain + private key) is the file written by the acme.sh haproxy deploy step.
    # 'tfo' enables TCP Fast Open on the listener (requires kernel support); it is optional.
    bind *:443 tfo ssl crt /etc/ssl/your.domain.pem
    # Hold up to 5s of decrypted client data so the built-in HTTP ACL can classify the stream.
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # Looks like HTTP -> nginx; anything else (the VMess stream) -> the v2ray unix socket.
    use_backend web if HTTP
    default_backend vmess

# Local nginx over plain HTTP; TLS has already been terminated in tls-in.
backend web
    server server1 127.0.0.1:80

# v2ray inbound over a unix socket.
backend vmess
    # Path is relative to the chroot (/var/lib/haproxy), i.e. /var/lib/haproxy/v2ray/v2ray.sock —
    # the same file v2ray's dsSettings.path points at. haproxy must be able to write to that socket to connect.
    server server1 /v2ray/v2ray.sock

Issue a Let's Encrypt certificate

Install acme.sh, then log out and SSH in again so that your shell picks up the changes the installer makes to your profile

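# Install acme.sh. This runs a remote script directly: '-f' makes curl fail on an HTTP error
# instead of piping the error page into sh, and '-sS' keeps output quiet except for errors.
# To review what will run, download to a file first and read it before executing it.
curl -fsS https://get.acme.sh | sh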

Issue a certificate; make sure you can write to /var/www/html

# Webroot (HTTP-01) issuance: acme.sh places the challenge file under /var/www/html and the CA
# fetches it over plain HTTP on port 80, so nginx must be serving that directory.
acme.sh --issue -d your.domain -w /var/www/html

Deploy certificate for haproxy

Deploy cert for haproxy

# The haproxy deploy hook writes <domain>.pem (chain + private key) into this directory, i.e.
# /etc/ssl/your.domain.pem — the crt path the 'tls-in' frontend binds with. The file holds the
# private key; haproxy reads it at startup before dropping privileges, so keep it root-readable only.
export DEPLOY_HAPROXY_PEM_PATH=/etc/ssl
# Command acme.sh runs after writing the PEM so haproxy picks up the new certificate.
# A restart drops in-flight connections; 'reload' is gentler if the installed unit supports it.
export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy restart"
acme.sh --deploy -d your.domain --deploy-hook haproxy

Test haproxy for the web backend

# Should return the nginx page: an HTTPS request is matched by the HTTP ACL in tls-in and routed to backend web.
curl https://your.domain

Configure VMess

{
  "log": {
    "loglevel": "warning"
  },
  "dns": {},
  "stats": {},
  "inbounds": [
    {
      "port": <your-port>,
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "<your-guid>",
            "alterId": <your-alter-id>,
	    "security": "auto"
          }
        ]
      },
      "tag": "in-0",
      "streamSettings": {
        "network": "ds",
	"dsSettings": { "path": "/var/lib/haproxy/v2ray/v2ray.sock" }
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "blocked",
      "protocol": "blackhole",
      "settings": {}
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "blocked"
      }
    ]
  },
  "policy": {},
  "reverse": {},
  "transport": {}
}

V2Ray systemd unit file, /etc/systemd/system/v2ray.service

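[Unit]
Description=V2Ray - A unified platform for anti-censorship
Documentation=https://v2ray.com https://guide.v2fly.org
After=network.target nss-lookup.target
Wants=network-online.target

[Service]
# On systemd 240 or newer, use Type=exec instead of Type=simple (uncomment Type=exec and
# comment out Type=simple): with exec, a failed execve() of the binary is reported as a start failure.
#Type=exec
Type=simple
# Running as root, or granting CAP_NET_BIND_SERVICE, is what allows binding ports below 1024.
# This service runs as root. Consider running it as a dedicated user instead:
# uncomment User=v2ray and comment out User=root.
# More discussion at https://github.com/v2ray/v2ray-core/issues/1011
User=root
#User=v2ray
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=yes
# systemd does not expand shell globs in Exec*= lines, so 'rm -rf .../*.sock' would look for a
# file literally named '*.sock' and leave a stale socket in place. Remove the exact path instead;
# the leading '-' keeps a failure here from blocking startup.
ExecStartPre=-/bin/rm -f /var/lib/haproxy/v2ray/v2ray.sock
ExecStart=/usr/bin/v2ray/v2ray -config /etc/v2ray/config.json
# v2ray creates the socket asynchronously; give it a moment before adjusting its permissions.
ExecStartPost=/bin/sleep 1
# haproxy (group haproxy) needs write access on the socket to connect to it. Granting that to the
# haproxy group only, instead of mode 777, keeps other local users from reaching the inbound directly.
ExecStartPost=/bin/chgrp haproxy /var/lib/haproxy/v2ray/v2ray.sock
ExecStartPost=/bin/chmod 660 /var/lib/haproxy/v2ray/v2ray.sock
Restart=on-failure
# Don't restart in the case of configuration error
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target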

Reload systemd

# Pick up the new or changed unit file.
sudo systemctl daemon-reload

Create the directory for the Unix socket

# The socket lives inside haproxy's chroot (/var/lib/haproxy) so the chrooted proxy can reach it
# as /v2ray/v2ray.sock; the directory must stay traversable by the haproxy user.
sudo mkdir -p /var/lib/haproxy/v2ray

Restart V2ray

# Restart v2ray so it creates the socket with the new unit; inspect the result with 'systemctl status v2ray'.
sudo systemctl restart v2ray

Test Vmess

Modify the client config to connect to port 443 with security set to tls

{
	"streamSettings": {
		"network": "tcp",
        "security": "tls"
	}
}