由于shadowsocks缺乏伪装手段,而v2ray又过于臃肿庞大,便选择了一种折中的方式,shadowsocks+v2ray-plugin。为了方便,使用docker-compose来部署


docker-compose.yml

version: "3"
services:
  nginx:
    build: ./nginx
    ports:
      - 80:80
      - 443:443
      - 443:443/udp //映射udp端口
    volumes:
      - ./www:/home/wwwroot
      - ./nginx/conf:/etc/nginx
      - ./nginx/logs:/home/wwwlogs
    restart: always
    container_name: nginx
  shadowsocks-libev:
    build: ./shadowsocks-libev
    volumes:
      - ./shadowsocks-libev/config:/etc/shadowsocks-libev
    restart: always
    container_name: shadowsocks-libev



shadowsocks配置文件

{
    "server": "0.0.0.0",
    "mode": "tcp_and_udp",
    "server_port": 10086,
    "password": "password",
    "method": "aes-256-gcm",
    "fast_open": true,
    "no_delay": true,
    "timeout": 60,
    "plugin": "v2ray-plugin",
    "plugin_opts": "server;path=/ss"
}



nginx配置文件(部分)

location /ss {
    proxy_redirect off;
    proxy_pass http://shadowsocks-libev:10086;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
}

nginx将请求反代给后端的ss-server

现在看起来已经可以正常使用了,但是还有一个问题,v2ray-plugin并没有处理udp流量的能力,它只能处理tcp

在启动ss-server的时候,v2ray-plugin会将处理好的流量再转发给后面的ss-server,两个之间通过一个随机端口通信,而udp流量是直接到ss-server,不会经过v2ray-plugin处理。所以为了使用方便,需要将发送到443端口的udp流量转发到ss-server,为此可以直接使用nginxstream模块

stream {
    server {
        listen 443 udp;
        proxy_pass shadowsocks-libev:10086;
    }
}

这样一来,tcpudp流量都能正确地被代理了

  • tcp => nginx => v2ray-plugin => ss-server
  • udp => nginx => ss-server