Litao OK Blog

A little blog for my life.

Setting up your own proxy server on a VPS

How it works

The idea is simple: rent a VPS abroad, run an HTTP or SOCKS5 proxy on it, and put an encrypted stunnel channel in front of that proxy. On a local machine, install stunnel as well, using the same certificate as the server, and write a PAC script that decides which sites go through the proxy and which connect directly. Then point your computer or phone at that PAC file as its automatic proxy configuration, and all matching traffic leaves through the encrypted channel.

1. Rent a VPS abroad

Not much to say here: linode.com, oneasiahost.com, digitalocean.com, aws.amazon.com and so on. Compare price and performance yourself…

2. Set up the proxy services

1) SOCKS5 proxy

There are many SOCKS5 proxies; the one I describe here is the Python version of shadowsocks, which is the simplest to set up. Install it straight from pip:

```shell
pip install shadowsocks
```

If pip is not available, install it first:

```shell
yum install python-setuptools && easy_install pip
pip install pip --upgrade
```

Create the configuration file /etc/shadowsocks.json with the following content:

```json
{
    "server":"127.0.0.1",
    "server_port":1080,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"test",
    "timeout":30,
    "method":"rc4-md5"
}
```

Note that I set server to 127.0.0.1: clients never talk to the VPS directly, because the encrypted channel set up later connects to it on the same host, so port 1080 only has to be reachable from loopback. That port exists purely for the stunnel channel.

Then start it:

```shell
/usr/local/bin/python /usr/local/bin/ssserver -c /etc/shadowsocks.json -d start
```

2) HTTP proxy

Here I use squid-3.1.23; it installs easily and is simple to use:

```shell
yum install squid
```

Edit the configuration file /etc/squid/squid.conf; only the lines that need changing are listed below:

```
http_access allow localhost
http_port 3128 # change to whatever port you need; this is the port the stunnel channel below connects to
```

Then start the service:

```shell
/etc/init.d/squid start
```

3. Set up the encrypted channel: stunnel

1) Download and extract:

```shell
wget http://www.stunnel.org/downloads/stunnel-5.35.tar.gz
tar -zxf stunnel-5.35.tar.gz
```

2) Build and install:

```shell
yum install openssl-devel
cd stunnel-5.35
./configure
make
make install
```

3) Generate a self-signed certificate

```shell
cd /usr/local/etc/stunnel/
# -out and -keyout point at the same file, so stunnel.pem ends up holding
# both the certificate and its private key (the layout stunnel expects)
openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunnel.pem -keyout stunnel.pem
# If openssl complains that openssl.cnf cannot be found, drop -config openssl.cnf:
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
```

4) Edit the configuration files:

HTTP proxy:

/usr/local/etc/stunnel/stunnel-http.conf

```ini
cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;;;chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3

;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem

setuid = stunnel
setgid = stunnel

;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
sslVersion = TLSv1
fips=no

#debug = 7
#syslog = no
#output = /var/log/stunnel.log

[sproxy]
accept = 8686
connect = 127.0.0.1:3128
```

SOCKS5 proxy:

/usr/local/etc/stunnel/stunnel-sockd.conf

```ini
cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;;;chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3

;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem

setuid = stunnel
setgid = stunnel

;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
sslVersion = TLSv1
fips=no

#debug = 7
#syslog = no
#output = /var/log/stunnel.log

[sproxy]
accept = 8787
connect = 127.0.0.1:1080
```

5) Start both stunnel instances

```shell
/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel-http.conf
/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel-sockd.conf
```

4. Install the stunnel client on the local machine:

1) stunnel is installed exactly as above, except that the certificate file stunnel.pem generated on the server has to be copied down to the local machine

and placed in the same location: /usr/local/etc/stunnel/

2) Edit the local configuration:

HTTP proxy channel: /usr/local/etc/stunnel/stunnel-http.conf

```ini
cert = /usr/local/etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CAfile = /usr/local/etc/stunnel/stunnel.pem
client=yes
compression = zlib
ciphers = AES256-SHA
delay = no
failover = prio
sslVersion = TLSv1
fips = no

setuid = stunnel
setgid = stunnel

debug = 7
syslog = no
output = /var/log/stunnel.log

[sproxy]
accept  = 0.0.0.0:8118
connect = your_vps_ip:8686
```

SOCKS5 proxy channel: /usr/local/etc/stunnel/stunnel-sockd.conf

```ini
cert = /usr/local/etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CAfile = /usr/local/etc/stunnel/stunnel.pem
client=yes
compression = zlib
ciphers = AES256-SHA
delay = no
failover = prio
sslVersion = TLSv1
fips = no

setuid = stunnel
setgid = stunnel

debug = 7
syslog = no
output = /var/log/stunnel.log

[sproxy]
accept  = 0.0.0.0:8008
connect = your_vps_ip:8787
```

Then start them:

```shell
/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel-http.conf
/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel-sockd.conf
```
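The server-side and client-side stunnel configurations in sections 3 and 4 only form an authenticated tunnel if a few settings line up: the client runs with client=yes and verify = 2 against a CAfile, the server demands a locally installed peer certificate with verify = 3, and the port the client connects to is the port the server accepts on. The Node.js script below is an added example, not code from the post or from the stunnel project: it parses stunnel's INI-style format (global "key = value" lines followed by "[service]" sections) and reports any of those conditions that fail. The two configurations embedded in it are constructed, shortened copies of the ones above; the placeholder your_vps_ip is carried over from the post.

```javascript
// Added example: consistency check for a server/client stunnel config pair.
// The two configs below are constructed, shortened copies of the ones in the post.
const SERVER_CONF = `
cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/stunnel.pem
pid = /tmp/stunnel.pid
verify = 3
;;; client=yes
sslVersion = TLSv1

[sproxy]
accept = 8686
connect = 127.0.0.1:3128
`;

const CLIENT_CONF = `
cert = /usr/local/etc/stunnel/stunnel.pem
verify = 2
CAfile = /usr/local/etc/stunnel/stunnel.pem
client=yes
sslVersion = TLSv1

[sproxy]
accept  = 0.0.0.0:8118
connect = your_vps_ip:8686
`;

// Parse stunnel's format into { global: {...}, services: { name: {...} } }.
// Lines beginning with ';' or '#' are comments, exactly as stunnel treats them.
function parseStunnelConf(text) {
  const conf = { global: {}, services: {} };
  let current = conf.global;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line[0] === ";" || line[0] === "#") continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      current = conf.services[section[1]] = {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    // Repeated keys such as "socket" are not needed by the checks, so last one wins.
    current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return conf;
}

// Port part of "host:port" or of a bare "port".
function portOf(endpoint) {
  return parseInt(endpoint.split(":").pop(), 10);
}

// Return the list of findings; an empty list means the pair is consistent.
function checkPair(serverText, clientText, serviceName) {
  const s = parseStunnelConf(serverText);
  const c = parseStunnelConf(clientText);
  const findings = [];
  // Client: must be in client mode and must verify the server certificate
  // against CAfile, otherwise the channel is encrypted but not authenticated.
  if ((c.global.client || "").toLowerCase() !== "yes") findings.push("client: missing client=yes");
  if (parseInt(c.global.verify || "0", 10) < 2) findings.push("client: verify < 2, server certificate not checked");
  if (!c.global.CAfile) findings.push("client: no CAfile to verify the server against");
  // Server: verify = 3 requires the peer to present a locally installed
  // certificate, so only a client holding stunnel.pem can use the tunnel.
  if (parseInt(s.global.verify || "0", 10) < 3) findings.push("server: verify < 3, any TLS client could connect");
  if (!s.global.CAfile) findings.push("server: no CAfile listing the accepted client certificate");
  // Port chain: the client's connect port must be the server's accept port.
  const sv = s.services[serviceName];
  const cl = c.services[serviceName];
  if (!sv || !cl) {
    findings.push(`service [${serviceName}] missing on one side`);
  } else if (portOf(cl.connect) !== portOf(sv.accept)) {
    findings.push(`port mismatch: client connects to ${portOf(cl.connect)}, server accepts on ${portOf(sv.accept)}`);
  }
  return findings;
}

// For the real files, read them with fs.readFileSync instead of the constants.
console.log(checkPair(SERVER_CONF, CLIENT_CONF, "sproxy"));
```

Because stunnel.pem carries the private key as well as the certificate, the copy on the client is effectively a shared secret: transfer it over a trusted channel such as scp, keep it readable only by the stunnel user, and anyone who obtains it can both use the tunnel and impersonate the server. Both configs also pin sslVersion = TLSv1; current stunnel releases negotiate newer TLS versions by default, and the check above is easily extended to flag anything below TLSv1.2.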

5. Set up the PAC file locally:

1) First set up an HTTP server so that computers and phones can fetch the PAC file you write; I use nginx.

My local system is Debian, where installing nginx is easy:

```shell
apt-get install nginx
```

Edit the nginx configuration file /etc/nginx/conf.d/default.conf:

```nginx
server {
    listen   80;

    root /usr/share/nginx/www;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

Restart nginx:

```shell
/etc/init.d/nginx restart
```

2) Create the PAC file

/usr/share/nginx/www/a.pac

Contents:

```javascript
var proxy = "PROXY your_local_ip:8118;SOCKS your_local_ip:8008";
var direct = "DIRECT";
var blocked_domains = [
    ".4shared.com",
    ".9apps.com",
    ".9lessons.info",
    ".akamaihd.net",
    ".amazon.com",
    ".amazonaws.com",
    ".android.com",
    ".appannie.com",
    ".appspot.com",
    ".apkpure.com",
    ".blogspot.com",
    ".blogger.com",
    ".blogblog.com",
    ".blogspot.sg",
    ".cloudfront.net",
    ".cloudinsights.com",
    ".codespot.com",
    ".dailymotion.com",
    ".danielfett.de",
    ".dmcdn.net",
    ".dotabuff.com",
    ".dropbox.com",
    ".dropboxusercontent.com",
    ".facebook.com",
    ".facebook.net",
    ".fastly.net",
    ".fbcdn.net",
    ".findproxyforurl.com",
    ".gdaily.org",
    ".gist.github.com",
    ".gmail.com",
    ".ggpht.com",
    ".golang.org",
    ".goo.gl",
    ".google.com",
    ".google.com.sg",
    ".google.com.hk",
    ".google.com.tw",
    ".google.co.in",
    ".google.co.uk",
    ".google.co.jp",
    ".googlesource.com",
    ".googlecode.com",
    ".googleapis.com",
    ".googleusercontent.com",
    ".googlevideo.com",
    ".gstatic.com"
];
function FindProxyForURL(url, host) {
    for (var i = 0; i < blocked_domains.length; ++i) {
        if (dnsDomainIs(host, blocked_domains[i])) {
            return proxy;
        } else if (blocked_domains[i].substr(1) === host) {
            return proxy;
        }
    }
    return direct;
}
```

A single PROXY your_local_ip:8118 entry covers most situations; the browser tries the entries in order, so SOCKS your_local_ip:8008 is an optional fallback.
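Browsers evaluate FindProxyForURL silently, so a rule that is wrong only shows up as a site that unexpectedly goes direct or through the proxy. The following Node.js script is an added example, not part of a.pac or of the post: it re-implements dnsDomainIs() as the PAC specification defines it (true when the host ends with the given domain) and runs the same matching loop as a.pac over a constructed table of hosts with the decision each should get. The shortened blocked_domains list and the hosts are constructed for the example. It also shows why the second branch in the loop exists: dnsDomainIs("google.com", ".google.com") is false, because the bare name does not end with a leading dot, so the apex domain is caught by the equality check instead.

```javascript
// Added example: offline harness for the PAC matching logic used in a.pac.
// Browsers supply dnsDomainIs(); this is the specification's behaviour.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Constructed subset of the blocked_domains list from a.pac.
var proxy = "PROXY your_local_ip:8118;SOCKS your_local_ip:8008";
var direct = "DIRECT";
var blocked_domains = [".google.com", ".gist.github.com", ".dropbox.com"];

// Same loop as a.pac. dnsDomainIs() matches subdomains only
// ("www.google.com" ends with ".google.com"); the second branch
// catches the bare apex name "google.com".
function FindProxyForURL(url, host) {
  for (var i = 0; i < blocked_domains.length; ++i) {
    if (dnsDomainIs(host, blocked_domains[i])) {
      return proxy;
    } else if (blocked_domains[i].substr(1) === host) {
      return proxy;
    }
  }
  return direct;
}

// Evaluate a list of hosts; returns { host: decision }.
function evaluate(hosts) {
  var out = {};
  hosts.forEach(function (h) {
    out[h] = FindProxyForURL("http://" + h + "/", h);
  });
  return out;
}

// Constructed expectations. "notgoogle.com" must go DIRECT: it ends with
// "google.com" but not with ".google.com", and it is not the bare name.
var cases = {
  "www.google.com": proxy,
  "google.com": proxy,
  "notgoogle.com": direct,
  "gist.github.com": proxy,
  "github.com": direct,
  "example.com": direct
};

// Returns the hosts whose decision differs from the expectation.
function check(expected) {
  var actual = evaluate(Object.keys(expected));
  return Object.keys(expected).filter(function (h) {
    return actual[h] !== expected[h];
  });
}

var mismatches = check(cases);
console.log(mismatches.length === 0 ? "PAC rules behave as expected" : mismatches);
```

To test the real a.pac, paste its blocked_domains list in place of the constructed one and add the hosts you care about to cases; the lookalike case is worth keeping, since a rule written as "google.com" without the leading dot would silently start proxying every host that merely ends in those characters.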

Then configure the automatic proxy in your phone's or computer's network settings:

http://your_local_ip/a.pac

Finally, try it out and see whether some blocked sites open. If some still do not, add their domains to a.pac yourself, keeping the same format.