使用 HAProxy 复用 443 端口分流代理软件和 Nginx

使用 HAProxy 复用 443 端口分流代理软件和 Nginx。


安装 HAProxy 最新版

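## 添加HAProxy软件包源(Debian系统) / Add the HAProxy package source (Debian)
# -f: fail on an HTTP error instead of piping an error page into apt-key;
# -sS: no progress meter but still print errors; -L: follow redirects, which
# would otherwise yield an empty body and a confusing import failure.
# NOTE(review): `apt-key add` places this key in the global apt trust store, so
# it can then sign *any* configured repository, and apt-key is deprecated in
# newer Debian releases. Prefer saving the key under /usr/share/keyrings/ and
# pinning it with `[signed-by=...]` in the source line; either way, compare the
# key fingerprint with the one published by the repository maintainer first.
curl -fsSL https://haproxy.debian.net/bernat.debian.org.gpg | apt-key add -
# The mirror is plain HTTP; that is tolerable only because apt verifies the
# repository signature with the key imported above.
echo deb http://haproxy.debian.net buster-backports-2.2 main | tee /etc/apt/sources.list.d/haproxy.list

## 安装(Debian系统) / Install (Debian)
apt-get update
# Pin to the 2.2 branch matching the buster-backports-2.2 suite above; the
# backslash keeps the shell from globbing the '*'.
apt-get install haproxy=2.2.\*

## 查看版本 / Show the installed version
haproxy -v

## 进程管理 / Service management
systemctl status haproxy
systemctl start haproxy
systemctl restart haproxy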

配置文件路径：/etc/haproxy/haproxy.cfg


HAProxy 配置

# Process-wide settings: log to the local syslog socket, drop privileges to
# the haproxy user/group inside a chroot, and run detached.
global
log /dev/log local0
log /dev/log local1 notice
# NOTE(review): with chroot enabled, /dev/log must also exist inside
# /var/lib/haproxy (the Debian package normally arranges this) or logging
# stops silently.
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon

# Inherited by every frontend/backend below: raw TCP pass-through. TLS is
# never terminated here, so HAProxy only sees the cleartext ClientHello.
defaults
log global
mode tcp
option tcplog
option dontlognull
# 24h keeps long-lived proxy tunnels from being cut. `timeout connect` only
# bounds the TCP handshake to a loopback backend, so a few seconds would be
# enough there — TODO confirm before shortening.
timeout connect 24h
timeout client 24h
timeout server 24h

# The single public listener on 443; it routes by the SNI in the ClientHello.
frontend ssl
mode tcp
bind *:443

# Buffer client data for up to 3s so the ClientHello can be inspected, and
# accept as soon as a ClientHello (hello type 1) has been seen.
tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 }

# SNI is client-supplied and unauthenticated: it only selects a backend. Each
# backend still presents its own certificate and must validate the host name
# itself. There is no default_backend, so a connection with no or unknown SNI
# (or no ClientHello within 3s) matches nothing and is presumably closed.
# `req_ssl_sni` is the legacy spelling of `req.ssl_sni`.
use_backend trojan if { req_ssl_sni -i trojan.exp.com }
use_backend naiveproxy if { req_ssl_sni -i naive.exp.com }
use_backend v2ray if { req_ssl_sni -i v2ray.exp.com }
use_backend web1 if { req_ssl_sni -i web1.exp.com }
use_backend web2 if { req_ssl_sni -i web2.exp.com }

# Loopback backends; the ports must match the Trojan/Caddy/V2Ray/Nginx
# listeners shown later on this page. In plain TCP mode every backend sees
# 127.0.0.1 as the client address; the PROXY-protocol section below fixes that
# for the Nginx sites only.
# NOTE(review): the Trojan example binds local_addr 0.0.0.0:350, Caddy listens
# on :352, and the V2Ray VLESS inbound sets no `listen` address, so those
# services may also be reachable directly on their ports, bypassing this
# proxy. Binding them to 127.0.0.1 (or firewalling the ports) keeps 443 the
# only entry point — confirm against each service's defaults.
backend trojan
mode tcp
server trojan 127.0.0.1:350

backend naiveproxy
mode tcp
server naiveproxy 127.0.0.1:352

backend v2ray
mode tcp
server v2ray 127.0.0.1:353

backend web1
mode tcp
server web1 127.0.0.1:356

backend web2
mode tcp
server web2 127.0.0.1:357

Trojan 服务端配置

{
"run_type": "server",
"local_addr": "0.0.0.0",
"local_port": 350,
"remote_addr": "127.0.0.1",
"remote_port": 351,
"password": [
"passwd1",
"passwd2"
],
"log_level": 1,
"ssl": {
"cert": "/path/cert.pem",
"key": "/path/key.pem",
"key_password": "",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"prefer_server_cipher": true,
"alpn": [
"http/1.1"
],
"alpn_port_override": {
"h2": 81
},
"reuse_session": true,
"session_ticket": false,
"session_timeout": 600,
"plain_http_response": "",
"curves": "",
"dhparam": ""
},
"tcp": {
"prefer_ipv4": false,
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"fast_open": false,
"fast_open_qlen": 20
},
"mysql": {
"enabled": false,
"server_addr": "127.0.0.1",
"server_port": 3306,
"database": "trojan",
"username": "trojan",
"password": "",
"cafile": ""
}
}

NaiveProxy 服务端 Caddy 配置

2021-01-26：更新为新的 JSON 语法

{
"admin": {
"disabled": true
},
"logging": {
"sink": {
"writer": {
"output": "discard"
}
},
"logs": {
"default": {
"writer": {
"output": "discard"
}
}
}
},
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":352"
],
"routes": [
{
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"auth_pass_deprecated": "你的密码",
"auth_user_deprecated": "你的账户",
"handler": "forward_proxy",
"hide_ip": true,
"hide_via": true,
"probe_resistance": {
"domain": "your-secret-link.localhost"
}
}
]
},
{
"match": [
{
"host": [
"naive.exp.com"
]
}
],
"handle": [
{
"handler": "file_server",
"root": "/www/wwwroot/naive.exp.com",
"index_names": [
"404.html"
]
}
],
"terminal": true
}
]
}
]
}
],
"tls_connection_policies": [
{
"match": {
"sni": [
"naive.exp.com"
]
}
}
],
"automatic_https": {
"disable": true
}
}
}
},
"tls": {
"certificates": {
"load_files": [
{
"certificate": "/www/cert/naive.exp.com/cert.pem",
"key": "/www/cert/naive.exp.com/key.pem"
}
]
}
}
}
}


V2Ray 服务端配置

VLESS+TCP+TLS 和 VMess+WebSocket+TLS 配置

{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
"port": 353,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "你的UUID",
"level": 0
}
],
"decryption": "none",
"fallbacks": [
{
"dest": 354
},
{
"path": "/yourpath",
"dest": 355
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"alpn": [
"http/1.1"
],
"certificates": [
{
"certificateFile": "/path/to/fullchain.crt",
"keyFile": "/path/to/private.key"
}
]
}
}
},
{
"port": 355,
"listen": "127.0.0.1",
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "你的UUID",
"level": 0,
"alterId": 4
}
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/yourpath 和上面一样"
}
}
}
],
"outbounds": [
{
"protocol": "freedom"
}
]
}

Nginx 配置

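# NOTE(review): the worker processes run as root here while serving untrusted
# HTTP. A dedicated unprivileged user (e.g. the distribution's www-data) is
# the least-privilege choice — TODO confirm nothing (PHP sockets, file
# ownership under /www/wwwroot) depends on root before changing it.
user root root
...
events {
...
}
http {
...

## Trojan 伪装站点配置 / Trojan decoy site
# Port 80 only redirects to the public HTTPS name.
server {
listen 80;
listen [::]:80;
server_name trojan.exp.com;
return 301 https://trojan.exp.com$request_uri;
}
# Plain-HTTP site that Trojan forwards non-Trojan traffic to (its config
# points remote_addr/remote_port at 127.0.0.1:351). Bound to loopback so the
# unencrypted site cannot be reached directly on :351 from outside.
server {
listen 127.0.0.1:351;
server_name trojan.exp.com;
index index.php index.html;
root /www/wwwroot/trojan.exp.com;
...
}

## NaiveProxy 配置(只处理http重定向至https) / NaiveProxy: only the HTTP→HTTPS redirect
# HTTPS for this name is served by Caddy (port 352), not by Nginx.
server {
listen 80;
listen [::]:80;
server_name naive.exp.com;
return 301 https://naive.exp.com$request_uri;
}

## VLESS 回落站点配置 / VLESS fallback site
server {
listen 80;
listen [::]:80;
server_name v2ray.exp.com;
return 301 https://v2ray.exp.com$request_uri;
}
# Plain-HTTP fallback target for the VLESS inbound (fallbacks dest 354).
# V2Ray presumably connects over loopback for an integer dest, so binding to
# 127.0.0.1 keeps the unencrypted site private — confirm against the V2Ray
# version in use.
server {
listen 127.0.0.1:354;
server_name v2ray.exp.com;
index index.php index.html;
root /www/wwwroot/v2ray.exp.com;
...
}

## web1 站点配置 / web1 site
server {
listen 80;
listen [::]:80;
server_name web1.exp.com;
return 301 https://web1.exp.com$request_uri;
}
# TLS is terminated here; HAProxy forwards raw TCP from 127.0.0.1:356, so the
# listener is bound to loopback and port 443 stays the only public entry.
server {
listen 127.0.0.1:356 ssl http2;
server_name web1.exp.com;
index index.php index.html;
root /www/wwwroot/web1.exp.com;

ssl_certificate /path/to/fullchain.crt;
ssl_certificate_key /path/to/private.key;
...
}

## web2 站点配置 / web2 site
server {
listen 80;
listen [::]:80;
server_name web2.exp.com;
return 301 https://web2.exp.com$request_uri;
}
# Same pattern as web1; HAProxy reaches it at 127.0.0.1:357.
server {
listen 127.0.0.1:357 ssl http2;
server_name web2.exp.com;
index index.php index.html;
root /www/wwwroot/web2.exp.com;

ssl_certificate /path/to/fullchain.crt;
ssl_certificate_key /path/to/private.key;
...
}
...
}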

为 Nginx 启用 PROXY protocol

HAProxy 配置

...
# `send-proxy` prefixes each backend connection with a PROXY-protocol header
# carrying the real client address, which plain TCP mode otherwise hides
# (Nginx would only ever see 127.0.0.1). Only the two Nginx backends get it;
# their listeners must declare `proxy_protocol`, otherwise the header arrives
# as part of the request and the connection fails.
backend web1
mode tcp
server web1 127.0.0.1:356 send-proxy

backend web2
mode tcp
server web2 127.0.0.1:357 send-proxy
...

Nginx 配置

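...
http {
...
## web1 站点配置 / web1 site
...
# `proxy_protocol` on the listener matches `send-proxy` on the HAProxy side.
# Bound to loopback: HAProxy is the only legitimate source of PROXY headers,
# and a direct external connection to :356 could otherwise bypass 443.
server {
listen 127.0.0.1:356 ssl http2 proxy_protocol;
server_name web1.exp.com;
index index.php index.html;
root /www/wwwroot/web1.exp.com;

# Trust the client address from the PROXY header only when the connection
# comes from 127.0.0.1 (i.e. from HAProxy); never widen this to a public range.
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;

ssl_certificate /path/to/fullchain.crt;
ssl_certificate_key /path/to/private.key;
...
}

## web2 站点配置 / web2 site
...
# Same pattern as web1; HAProxy reaches it at 127.0.0.1:357.
server {
listen 127.0.0.1:357 ssl http2 proxy_protocol;
server_name web2.exp.com;
index index.php index.html;
root /www/wwwroot/web2.exp.com;

set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;

ssl_certificate /path/to/fullchain.crt;
ssl_certificate_key /path/to/private.key;
...
}
...
}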