===== This tutorial was last updated on 2024-01-25 =====

System environment

  • OS version: 22.04.3 LTS (Jammy Jellyfish)
  • Kernel version: 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • v2ray version: v5.13.0
  • caddy version: v2.7.6 h1

Installing v2ray

1. Click here to download v2ray into the server's /usr/local/src directory:

2. Extract the downloaded v2ray zip archive into /usr/local/v2ray:

# unzip v2ray-linux-64.zip -d /usr/local/v2ray

3. Under the extraction directory, create the following subdirectories for v2ray's configuration file, logs and executable respectively (the names must match the paths used in the systemd unit further down):

# mkdir /usr/local/v2ray/{etc,logs,bin}

4. Copy config.json from the extraction directory into the etc directory created above and edit it to look like this:

// Config file of V2Ray. This file follows standard JSON format, with comments support.
// Uncomment entries below to satisfy your needs. Also read our manual for more detail at
// https://www.v2fly.org/
{
  "log": {
    // By default, V2Ray writes access log to stdout.
    // "access": "/path/to/access/log/file",

    // By default, V2Ray writes error log to stdout.
    // "error": "/path/to/error/log/file",

    // Log level, one of "debug", "info", "warning", "error", "none"
    "loglevel": "warning"
  },
  // List of inbound proxy configurations.
  "inbounds": [{
    // Port to listen on. You may need root access if the value is less than 1024.
    "port": 1425,

    // IP address to listen on. Change to "0.0.0.0" to listen on all network interfaces.
    "listen": "127.0.0.1",

    // Tag of the inbound proxy. May be used for routing.
    "tag": "socks-inbound",

    // Protocol name of inbound proxy.
    "protocol": "vmess",

    // Settings of the protocol. Varies based on protocol.
    "settings": {
      "clients": [
        {
          "id": "b5e88c22-13d4-11ee-9783-3d06e4916c03",
          // "level": 1,
          "alterId": 0
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/data/website/v2ray"
      }
    }
  }
  ],
  // List of outbound proxy configurations.
  "outbounds": [{
    // Protocol name of the outbound proxy.
    "protocol": "freedom",

    // Settings of the protocol. Varies based on protocol.
    "settings": {},

    // Tag of the outbound. May be used for routing.
    "tag": "direct"
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],

  // Transport is for global transport settings. If you have multiple transports with same settings
  // (say mKCP), you may put it here, instead of in each individual inbound/outbounds.
  //"transport": {},

  // Routing controls how traffic from inbounds are sent to outbounds.
  "routing": {
    // "domainStrategy": "IPOnDemand",
    "rules":[
      {
        // Blocks access to private IPs. Remove this if you want to access your router.
        "type": "field",
        // "ip": ["geoip:private"],
        "ip": [
          "0.0.0.0/8",
          "10.0.0.0/8",
          "100.64.0.0/10",
          "127.0.0.0/8",
          "169.254.0.0/16",
          "172.16.0.0/12",
          "192.0.0.0/24",
          "192.0.2.0/24",
          "192.168.0.0/16",
          "198.18.0.0/15",
          "198.51.100.0/24",
          "203.0.113.0/24",
          "::1/128",
          "fc00::/7",
          "fe80::/10"
        ],
        "outboundTag": "blocked"
      }
      // {
      //   // Blocks major ads.
      //   "type": "field",
      //   "domain": ["geosite:category-ads"],
      //   "outboundTag": "blocked"
      // }
    ]
  }

  // Dns settings for domain resolution.
  // "dns": {
  //   // Static hosts, similar to hosts file.
  //   "hosts": {
  //     // Match v2fly.org to another domain on CloudFlare. This domain will be used when querying IPs for v2fly.org.
  //     "domain:v2fly.org": "www.vicemc.net",

  //     // The following settings help to eliminate DNS poisoning in mainland China.
  //     // It is safe to comment these out if this is not the case for you.
  //     "domain:github.io": "pages.github.com",
  //     "domain:wikipedia.org": "www.wikimedia.org",
  //     "domain:shadowsocks.org": "electronicsrealm.com"
  //   },
  //   "servers": [
  //     "1.1.1.1",
  //     {
  //       "address": "114.114.114.114",
  //       "port": 53,
  //       // List of domains that use this DNS first.
  //       "domains": [
  //         "geosite:cn"
  //       ]
  //     },
  //     "8.8.8.8",
  //     "localhost"
  //   ]
  // },

  // // Policy controls some internal behavior of how V2Ray handles connections.
  // // It may be on connection level by user levels in 'levels', or global settings in 'system.'
  // "policy": {
  //   // Connection policies by user levels
  //   "levels": {
  //     "0": {
  //       "uplinkOnly": 0,
  //       "downlinkOnly": 0
  //     }
  //   },
  //   "system": {
  //     "statsInboundUplink": false,
  //     "statsInboundDownlink": false,
  //     "statsOutboundUplink": false,
  //     "statsOutboundDownlink": false
  //   }
  // },

  // // Stats enables internal stats counter.
  // // This setting can be used together with Policy and Api.
  // //"stats":{},

  // // Api enables gRPC APIs for external programs to communicate with V2Ray instance.
  // //"api": {
  // //  "tag": "api",
  // //  "services": [
  // //    "HandlerService",
  // //    "LoggerService",
  // //    "StatsService"
  // //  ]
  // //},

  // // You may add other entries to the configuration, but they will not be recognized by V2Ray.
  // "other": {}
}

Note: because the v2ray version we are using is 5.3, the system kernel must be newer than 5.10; otherwise v2ray reports the following error when run:

You can still disable this security feature with environment variable v2ray.vmess.aead.forced = false

The fix is described in the official issue "Cannot get online with v2ray, a security warning is shown".

Put simply: in config.json, delete "level": 1 and change "alterId": 64 to "alterId": 0.

5. Create the file v2ray.service in /lib/systemd/system/ with the following content:

[Unit]
Description=V2Ray Service
Documentation=https://www.v2fly.org/
After=network.target nss-lookup.target

[Service]
User=nobody
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/usr/local/v2ray/bin/v2ray run -config /usr/local/v2ray/etc/config.json
Restart=on-failure
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

6. Reload the unit files:

# systemctl daemon-reload

7. Start v2ray and enable it at boot:

# systemctl enable --now v2ray.service

Installing caddy

1. Create the user that caddy runs as. Be sure to create its home directory (caddy stores the certificates it obtains automatically under the home directory):

# useradd -m -s /sbin/nologin caddy

2. Create caddy's directory layout (no spaces inside the braces, or the shell will not expand them):

# mkdir -p /usr/local/caddy/{logs,etc,bin}

3. Click here to download caddy into the /usr/local/caddy/bin directory created above

4. After the download finishes, rename the caddy file:

# mv /usr/local/caddy/bin/caddy_linux_amd64 /usr/local/caddy/bin/caddy

5. Create the Caddyfile in /usr/local/caddy/etc with the following content:

your.daemon.com:443 {
  # Site root; the * is the request matcher (it matches all paths)
  #root * /data/website/india/

  # Enable compression
  #encode zstd gzip

  # Serve the current directory as a static file server
  #file_server browse

  # Define the log
  log {
    output file /usr/local/caddy/logs/caddy.log
  }

  # The reverse-proxy path here must equal "path" in the v2ray config, and the upstream port must equal "port" there:
  reverse_proxy /data/website/v2ray 127.0.0.1:1425

  # Email for automatic TLS certificates (optional in this version), with only TLS 1.2 and 1.3 allowed
  tls caddy@caddy.com {
    protocols tls1.2 tls1.3
  }

  # Enable HSTS
  header {
    #Strict-Transport-Security "max-age=31536000;"

    # With includeSubDomains added
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    X-Frame-Options SAMEORIGIN
    X-Content-Type-Options nosniff
  }
}

6. As referenced in the config, create caddy.log in /usr/local/caddy/logs:

# touch /usr/local/caddy/logs/caddy.log

7. Create the caddy unit file caddy2.service in /lib/systemd/system with the following content:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/local/caddy/bin/caddy run --environ --config /usr/local/caddy/etc/Caddyfile
ExecReload=/usr/local/caddy/bin/caddy reload --config /usr/local/caddy/etc/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
# ProtectSystem=full mounts /usr read-only; the log directory must be re-allowed for writing
ReadWritePaths=/usr/local/caddy/logs
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

8. Reload the unit files:

# systemctl daemon-reload

9. Change the owner and group of the caddy directory to caddy:

# chown -R caddy:caddy /usr/local/caddy

10. Start caddy and enable it at boot:

# systemctl enable --now caddy2.service
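The two files must agree on the WebSocket path and the upstream port, and the VMess inbound should stay on loopback so that only Caddy's TLS listener is reachable from outside. The following checker, added here as example code (not part of v2ray or Caddy), parses both files and reports any mismatch together with the alterId and "level" requirements from the note above; the sample inputs and the all-zero client id are constructed placeholders.

```python
import json
import re
import sys

# Constructed sample inputs mirroring the tutorial's two files (not the files on disk).
SAMPLE_CONFIG = """// leading comment line, as in the v2ray template
{
  "inbounds": [{
    "port": 1425, "listen": "127.0.0.1", "protocol": "vmess",
    "settings": {"clients": [{"id": "00000000-0000-4000-8000-000000000000", "alterId": 0}]},
    "streamSettings": {"network": "ws", "wsSettings": {"path": "/data/website/v2ray"}}
  }]
}"""
SAMPLE_CADDY = "your.daemon.com:443 {\n  reverse_proxy /data/website/v2ray 127.0.0.1:1425\n}\n"

def strip_jsonc(text):
    """Drop whole-line // comments, the only comment form the v2ray template uses."""
    return "\n".join(re.sub(r"^\s*//.*$", "", ln) for ln in text.splitlines())

def caddy_upstream(caddyfile):
    """Return (path matcher, upstream host, upstream port) from the reverse_proxy line."""
    m = re.search(r"^\s*reverse_proxy\s+(/\S*)\s+(\S+):(\d+)\s*$", caddyfile, re.M)
    if not m:
        raise ValueError("no 'reverse_proxy <path> <host>:<port>' line found")
    return m.group(1), m.group(2), int(m.group(3))

def check(config_json, caddyfile):
    """Return a list of findings; an empty list means the two files agree."""
    cfg = json.loads(strip_jsonc(config_json))
    ib = next(i for i in cfg["inbounds"] if i.get("protocol") == "vmess")
    path, _host, port = caddy_upstream(caddyfile)
    ws_path = ib.get("streamSettings", {}).get("wsSettings", {}).get("path")
    findings = []
    if ws_path != path:
        findings.append(f"path mismatch: Caddy proxies {path!r}, v2ray expects {ws_path!r}")
    if ib.get("port") != port:
        findings.append(f"port mismatch: Caddy upstream {port}, v2ray inbound {ib.get('port')}")
    if ib.get("listen") not in ("127.0.0.1", "::1", "localhost"):
        findings.append("inbound not bound to loopback: VMess reachable without Caddy's TLS")
    for client in ib["settings"]["clients"]:
        if client.get("alterId", 0) != 0:  # VMess AEAD needs alterId 0 (see the note above)
            findings.append(f"client {client['id']}: alterId must be 0")
        if "level" in client:
            findings.append(f"client {client['id']}: remove the \"level\" key")
    return findings

if __name__ == "__main__":  # usage: check.py /usr/local/v2ray/etc/config.json /usr/local/caddy/etc/Caddyfile
    files = [open(p, encoding="utf-8").read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [SAMPLE_CONFIG, SAMPLE_CADDY]
    print("\n".join(check(*files)) or "config.json and Caddyfile are consistent")
```

Run it with the two real file paths after every edit to either file; without arguments it checks the built-in samples.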