NaiveProxy + Caddy
NaiveProxy
Official site: https://github.com/klzgrad/naiveproxy
It mitigates the following kinds of traffic attacks:
- Website fingerprinting / traffic classification: mitigated by multiplexing traffic inside HTTP/2.
- TLS parameter fingerprinting: not identifiable, because it reuses Chrome's network stack.
- Active probing: countered by a frontend application, i.e. hiding the proxy server behind a commonly used frontend with application-layer routing, that is, a reverse proxy.
- Traffic analysis based on packet length: reduced by length padding.
1. Choose and buy a VPS server
To buy a VPS and install a system, see the tutorial:
https://allinfa.com/vultr-vps-purchase.html
2. Buy a domain and point it at the server IP
The domain is for hosting a web page: visiting the proxy server looks like visiting your website, which removes the proxy's telltale signals and improves its security.
- Buy a domain
- Apply for a free domain (unstable, not recommended)
- A few registrars:
- https://www.dynadot.com/zh/ frequent discounts, Chinese interface, stable, free domain privacy protection
- https://www.namesilo.com/ few discounts, moderate prices, stable, free domain privacy protection
- https://www.internetbs.net/ few discounts, moderate prices, stable, free domain privacy protection
- DNS settings
Example: suppose the purchased domain is abc.com and the VPS host's IP address is 123.123.123.123.
Then add DNS records pointing the domain at that IP (the DNS record screenshot is not reproduced here).
- Third-level domain resolution
One domain can in theory spawn any number of sub-domains; the screenshot above showed resolution of the top-level and second-level domain.
Top-level domain: e.g. abcdef.com
Second-level domain: a prefix added to the top-level domain, e.g. www.abcdef.com or v2.abcdef.com;
Third-level domain: a prefix added to a second-level domain, e.g. www.v2.abcdef.com or host.v2.abcdef.com;

- Check that it has taken effect
- Can you SSH into the VPS using the domain name?
You can SSH to the server by IP or by domain name.
To check whether the domain points at the IP, i.e. whether it resolves correctly to the server IP: SSH to the server using the "domain name" (not the server IP). If the connection succeeds and a prompt appears after login, the domain resolves correctly.
- Whether the DNS record has propagated can also be checked on this website:
https://www.whatsmydns.net/
3. Connect to the server over SSH
ssh root@23.94.87.136
The first time you will be asked a question; type y, then enter the password.
4. System settings
- Update the system
apt update
apt -y upgrade
- Edit sysctl.conf
vim /etc/sysctl.conf
Configure as follows:
# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096
# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
# (this key was removed in Linux 4.12+; sysctl -p then reports it as missing, which is harmless)
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
# for high-latency network
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
- Apply the configuration changes
sysctl -p
5. Install Caddy
- Install curl
apt install curl
sudo apt-get install yum
- Install caddy
wget -P /usr/local/bin "https://daofa.cyou/c1/caddy.tar"
tar -xvf /usr/local/bin/caddy.tar -C /usr/local/bin
rm /usr/local/bin/caddy.tar
- Confirm where the caddy binary was installed
- Set permissions
chmod 755 /usr/local/bin/caddy
- Allow Caddy to bind to privileged ports
setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
- The www-data group and user
cat /etc/group | grep www-data
cat /etc/passwd | grep www-data
If the output shows
www-data:x:33:
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nothing needs to be done; otherwise create them:
groupadd -g 33 www-data
useradd -g www-data --no-user-group --home-dir /var/www --no-create-home --shell /usr/sbin/nologin --system --uid 33 www-data
- Create directories for Caddy
mkdir /etc/caddy
mkdir /etc/ssl/caddy
chown -R root:root /etc/caddy
chown -R root:www-data /etc/ssl/caddy
chmod 770 /etc/ssl/caddy
# create the log file
touch /var/log/caddy.log
chown root:www-data /var/log/caddy.log
chmod 770 /var/log/caddy.log
6. Create the web page
mkdir -p /var/www/html
chown -R www-data:www-data /var/www
touch /etc/caddy/Caddyfile
To create the web page, you can find a template online and put it in the /var/www/html/ directory.
7. Set up the systemd service
touch /etc/systemd/system/caddy.service
vim /etc/systemd/system/caddy.service
Paste the following content:
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
; Do not allow the process to be restarted in a tight loop. If the
; process fails to start, something critical needs to be fixed.
StartLimitIntervalSec=14400
StartLimitBurst=10
[Service]
Restart=on-abnormal
; User and group the process will run as.
User=www-data
Group=www-data
; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -log-timestamps=false -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID
; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWritePaths=/etc/ssl/caddy
ReadWriteDirectories=/etc/ssl/caddy
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
Set permissions on caddy.service
chown root:root /etc/systemd/system/caddy.service
chmod 644 /etc/systemd/system/caddy.service
Reload systemd so it detects the newly installed Caddy service
systemctl daemon-reload
8. Configure Caddy
- Create a password
head /dev/urandom | tr -dc a-z0-9 | head -c 16 ; echo ''
- Add the Caddy configuration file
vim /etc/caddy/Caddyfile
np.abcdef.com {
    log stdout
    errors stderr
    root /var/www/html
    tls 12345@gmail.com
    forwardproxy {
        basicauth 你的用户名 你的密码
        hide_ip
        hide_via
        probe_resistance
        upstream https://127.0.0.1:8080
    }
}
Replace the "domain" and "mailbox" with your own data, i.e. np.abcdef.com and 12345@gmail.com.
- Set permissions on the Caddy configuration file
chown root:root /etc/caddy/Caddyfile
chmod 644 /etc/caddy/Caddyfile
- Start Caddy
systemctl start caddy
- Check Caddy's startup status
systemctl status caddy
- Check whether the SSL certificate is in effect, and how well it scores
- Open https://your-domain in a browser
If your website is reachable and shows the content you built, the SSL certificate has been installed successfully.
Certificate issuance can sometimes take a few minutes, so if it does not work immediately, wait a little.
- https://www.ssllabs.com/ssltest/
- Start Caddy on boot
systemctl enable caddy
- If Caddy did not start normally, view the log
journalctl --boot -u caddy.service
9. Install NaiveProxy
- Install the dependency first
apt install libnss3
- Install NaiveProxy
https://github.com/klzgrad/naiveproxy/releases
For example:
wget https://github.com/klzgrad/naiveproxy/releases/download/v81.0.4044.92-1/naiveproxy-v81.0.4044.92-1-linux-x64.tar.xz
apt install xz-utils
tar -xf naiveproxy-v81.0.4044.92-1-linux-x64.tar.xz
- Configure the systemd service file
cd naiveproxy-v81.0.4044.92-1-linux-x64
cp naive /usr/local/bin
vim /etc/systemd/system/naive.service
Content:
[Unit]
Description=NaiveProxy Server Service
After=network-online.target
[Service]
Type=simple
User=nobody
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/naive /etc/naive/config.json
[Install]
WantedBy=multi-user.target
Reload systemd
systemctl daemon-reload
10. NaiveProxy server-side configuration
mkdir /etc/naive
vim /etc/naive/config.json
Content:
{
    "listen": "https://127.0.0.1:8080",
    "padding": true
}
Explanation: this configures the NaiveProxy server to listen on port 8080 on the loopback address, which is where Caddy forwards the authenticated traffic.
Start NaiveProxy
systemctl enable naive
systemctl start naive
systemctl status naive
If the status is wrong, i.e. not a green "active", check the log:
journalctl -fu naive
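As an added consistency check (my example, not code from the NaiveProxy or Caddy projects), this script parses constructed copies of the tutorial's Caddyfile and config.json and confirms the properties the explanation above relies on: NaiveProxy bound to loopback only, Caddy's upstream pointing at exactly that address, padding on, and the basicauth placeholders replaced. `parse_forwardproxy` and `check` are hypothetical helper names.

```python
# Added check (hypothetical helper, not part of Caddy or NaiveProxy): NaiveProxy
# must listen only on loopback, Caddy's `upstream` must point at that address,
# `padding` must be on, and the basicauth placeholders must have been replaced.
import json
import re
from urllib.parse import urlparse

CADDYFILE = """np.abcdef.com {
  root /var/www/html
  tls 12345@gmail.com
  forwardproxy {
    basicauth alice k3v9q2m8x1z7b4n6
    hide_ip
    hide_via
    probe_resistance
    upstream https://127.0.0.1:8080
  }
}"""  # constructed sample mirroring the tutorial's Caddyfile
NAIVE_CONFIG = '{"listen": "https://127.0.0.1:8080", "padding": true}'  # constructed
PLACEHOLDERS = {"你的用户名", "你的密码"}

def parse_forwardproxy(caddyfile):
    """Extract basicauth, upstream and the bare flags from the forwardproxy block."""
    block = re.search(r"forwardproxy\s*\{(.*?)\}", caddyfile, re.S)
    if block is None:
        raise ValueError("no forwardproxy block in Caddyfile")
    fp = {"flags": set(), "user": "", "password": "", "upstream": ""}
    for parts in filter(None, (line.split() for line in block.group(1).splitlines())):
        if parts[0] == "basicauth" and len(parts) == 3:
            fp["user"], fp["password"] = parts[1], parts[2]
        elif parts[0] == "upstream" and len(parts) == 2:
            fp["upstream"] = parts[1]
        else:
            fp["flags"].add(parts[0])
    return fp

def check(caddyfile, naive_json):
    """Return the problems found; an empty list means the two files are consistent."""
    fp, cfg = parse_forwardproxy(caddyfile), json.loads(naive_json)
    listen, upstream = urlparse(cfg.get("listen", "")), urlparse(fp["upstream"])
    problems = []
    if listen.hostname not in ("127.0.0.1", "::1", "localhost"):
        problems.append("naive listens on a non-loopback address, reachable without Caddy's basicauth")
    if (listen.hostname, listen.port) != (upstream.hostname, upstream.port):
        problems.append("Caddy upstream does not match the naive listen address")
    if cfg.get("padding") is not True:
        problems.append("padding is off, so packet lengths are not obscured")
    if {fp["user"], fp["password"]} & PLACEHOLDERS or len(fp["password"]) < 16:
        problems.append("basicauth still uses a placeholder or a short password")
    return problems
```

Run `check(open("/etc/caddy/Caddyfile").read(), open("/etc/naive/config.json").read())` on the server to test the real files; an empty list means the pair is consistent.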
11. Enable the firewall
apt install ufw
ufw default deny incoming
ufw default allow outgoing
# allow SSH connections
# if your VPS's SSH uses a different port, you must specify that port instead
ufw allow 22
Enable UFW
ufw enable
Open the commonly used ports
ufw allow 80
ufw allow 443
Enable the firewall
ufw enable
The server configuration is complete; you can exit SSH and set up the client.