Deploy V2Ray on Ubuntu 20.04
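#!/usr/bin/env bash
# -e aborts on the first failing command.
# -x traces every command to stderr with variables expanded, so V2RAY_ID and
# V2RAY_PATH (the client credential and the hidden endpoint) end up in any
# captured output. Keep provisioning logs private, or drop -x once the
# script is known to work.
set -ex
#####################################
# Please run this script with ROOT! #
#####################################
# Enforce the banner above: the steps below install packages and write under
# /etc and /usr, so fail early instead of half-way through.
if [[ "${EUID}" -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi
### CONFIGS ###
# Always update domain name!!!
SERVER_DOMAIN_NAME="yourdomain.example.com" # Domain name is necessary for certbot
# Update these parameters for your first V2Ray server -- there is no need to change them when deploying more servers, unless you'd like to.
# V2RAY_ID is the only client credential. Prefer generating it locally
# (`uuidgen` or `cat /proc/sys/kernel/random/uuid`) so the value never leaves
# the machine; the original suggestion was https://www.uuidgenerator.net.
V2RAY_ID="uuid-here"
V2RAY_PATH="abcdefg" # Any URL string here and DO NOT use the default one -- Your V2Ray client will connect to ${SERVER_DOMAIN_NAME}/${V2RAY_PATH}
# Placeholder address; the value on the published page was mangled by e-mail obfuscation.
CERTBOT_EMAIL="your-email@example.com" # Use your email - this is used when applying for the free SSL certificate
FAKE_HTML_PAGE_URL="http://baidu.com" # Use this page as your Nginx's index page -- fake HTTP server (optional, but better to use another website)
SSH_KEY="your+sss/key==" # This will be added to ~/.ssh/authorized_keys (optional)
CERTBOT_CRON_SCHEDULE="0 0 1 */2 *" # The schedule for renewing the SSL certificate (no need to change)
V2RAY_PRIVATE_PORT=12345 # The port V2Ray is using (no need to change, unless there is a conflict)
# They work well for most Ubuntu 20.04 servers. Do not modify these parameters unless you know what you are doing.
NGINX_CONF_PATH=/etc/nginx/nginx.conf
NGINX_HTML_DIR=/usr/share/nginx/html
V2RAY_CONFIG_DIR=/usr/local/etc/v2ray
V2RAY_CONFIG_PATH=${V2RAY_CONFIG_DIR}/config.json
### CONFIGS END ###
# Refuse to deploy with the template values: the ID and path shown on this
# page are public, so a server left on them accepts anyone who has read it.
if [[ "${SERVER_DOMAIN_NAME}" == "yourdomain.example.com" \
  || "${V2RAY_ID}" == "uuid-here" \
  || "${V2RAY_PATH}" == "abcdefg" \
  || "${CERTBOT_EMAIL}" == "your-email@example.com" ]]; then
  echo "Edit SERVER_DOMAIN_NAME, V2RAY_ID, V2RAY_PATH and CERTBOT_EMAIL before running." >&2
  exit 1
fi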
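# SSH
# Append SSH_KEY to root's authorized_keys exactly once. The key is optional:
# an empty value or the untouched template placeholder is skipped so no junk
# line is written.
if [[ -n "${SSH_KEY:-}" && "${SSH_KEY}" != "your+sss/key==" ]]; then
  mkdir -p ~/.ssh
  # sshd (StrictModes) ignores key files reachable through loosely
  # permissioned paths, so set the conventional modes explicitly.
  chmod 700 ~/.ssh
  touch ~/.ssh/authorized_keys
  chmod 600 ~/.ssh/authorized_keys
  # The original single-quoted '${SSH_KEY}', so grep searched for that literal
  # text, never matched, and the key was appended again on every run.
  # -x: whole-line match, -F: literal string, --: key may start with '-'.
  # The key is passed as a printf argument, never as the format string.
  grep -qxF -- "${SSH_KEY}" ~/.ssh/authorized_keys \
    || printf '\n%s\n' "${SSH_KEY}" >> ~/.ssh/authorized_keys
fi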
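# Installation
apt update
apt install -y apt-transport-https ca-certificates curl software-properties-common python3-dev python3 nginx
# The two installers below are downloaded and executed as root, so their
# integrity is part of this server's trust base. Two hardening points:
#  * Download to a file first and use curl -f. Without pipefail, a failed
#    `curl | python3` or `bash <(curl ...)` feeds an empty or error body to the
#    interpreter and the script carries on as if the install had succeeded.
#  * The V2Ray URL tracks the moving `master` branch. For repeatable
#    deployments, pin it to a commit you have reviewed and compare a checksum
#    before running it.
installer_dir=$(mktemp -d)
curl -fsSL -o "${installer_dir}/get-pip.py" https://bootstrap.pypa.io/get-pip.py
python3 "${installer_dir}/get-pip.py"
curl -fsSL -o "${installer_dir}/install-release.sh" https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
bash "${installer_dir}/install-release.sh"
# :? aborts instead of expanding to "/" if the variable were ever empty.
rm -rf -- "${installer_dir:?}"
pip3 install certbot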
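# SSL
# certbot's standalone authenticator runs its own temporary web server for the
# challenge, so Nginx has to be stopped while the certificate is issued.
systemctl stop nginx
certbot certonly --standalone --agree-tos -n -d "${SERVER_DOMAIN_NAME}" -m "${CERTBOT_EMAIL}"
# Renewal job. Piping a single line into `crontab` replaced root's whole
# crontab; keep the existing entries and swap only a previous renewal line so
# re-running the script neither duplicates the job nor deletes unrelated ones.
# NOTE(review): cron runs jobs with a minimal PATH; confirm `service` and the
# pip-installed `certbot` resolve there, or switch to absolute paths.
renew_job="${CERTBOT_CRON_SCHEDULE} service nginx stop; certbot renew; service nginx start"
{
  # `crontab -l` fails when no crontab exists and grep exits 1 when nothing
  # is left after filtering; neither is an error here.
  crontab -l 2>/dev/null | grep -vF 'certbot renew' || true
  printf '%s\n' "${renew_job}"
} | crontab -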
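# Nginx (Note: port 443 had been banned starting from Oct 3, 2022. Use another port instead)
# The values below are written verbatim into nginx.conf. Reject anything that
# could change the structure of the file (spaces, ';', braces, quotes).
domain_re='^[A-Za-z0-9.-]+$'
path_re='^[A-Za-z0-9._~/-]+$'
port_re='^[0-9]+$'
if ! [[ "${SERVER_DOMAIN_NAME}" =~ ${domain_re} \
  && "${V2RAY_PATH}" =~ ${path_re} \
  && "${V2RAY_PRIVATE_PORT}" =~ ${port_re} ]]; then
  echo "SERVER_DOMAIN_NAME, V2RAY_PATH or V2RAY_PRIVATE_PORT contains unsupported characters." >&2
  exit 1
fi
# `mv ... | true` only hid the exit status by accident; test for the file instead.
if [[ -e "${NGINX_CONF_PATH}" ]]; then
  mv -- "${NGINX_CONF_PATH}" "${NGINX_CONF_PATH}.backup"
fi
# Changes from the original printf | sed template:
#  * The proxied location is /${V2RAY_PATH}. It was hard-coded to /RCFcu4b,
#    so Nginx never forwarded the path V2Ray is configured to listen on.
#  * The TLS server_name is the real domain instead of the literal
#    "$server_name".
#  * root follows NGINX_HTML_DIR instead of repeating the default path.
#  * Values are expanded by the heredoc, not spliced in with sed, so '/' or
#    '&' in a value cannot corrupt the substitution. Nginx's own variables
#    are escaped as \$name.
# NOTE(review): the port-80 server redirects to https on the default port,
# while TLS listens on 1443; confirm whether the redirect should name the port.
# NOTE(review): ssl_ciphers still lists CBC/SHA-1 and DSS suites next to the
# AEAD ones; consider trimming to ECDHE + GCM if every client is modern.
cat > "${NGINX_CONF_PATH}" <<EOF
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http{

    server {
        server_name ${SERVER_DOMAIN_NAME};

        listen 80;
        rewrite ^(.*) https://\$server_name\$1 permanent;
        if (\$request_method !~ ^(POST|GET)\$) { return 501; }
        autoindex off;
        server_tokens off;
    }

    server {
        ssl_certificate /etc/letsencrypt/live/${SERVER_DOMAIN_NAME}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/${SERVER_DOMAIN_NAME}/privkey.pem;

        location /${V2RAY_PATH} {
            proxy_pass http://127.0.0.1:${V2RAY_PRIVATE_PORT};
            proxy_redirect off;

            proxy_http_version 1.1;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host \$host;

            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;
            keepalive_requests 25600;
            keepalive_timeout 300 300;
            proxy_buffering off;
            proxy_buffer_size 8k;
        }

        listen 1443 ssl http2;
        server_name ${SERVER_DOMAIN_NAME};
        charset utf-8;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers on;

        ssl_session_cache shared:SSL:60m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 10s;

        # Security settings
        if (\$request_method !~ ^(POST|GET)\$) { return 501; }
        add_header X-Frame-Options DENY;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security max-age=31536000 always;
        autoindex off;
        server_tokens off;

        index index.html index.htm index.php;
        root ${NGINX_HTML_DIR};
        location ~ .*\.(js|jpg|JPG|jpeg|JPEG|css|bmp|gif|GIF|png)\$ { access_log off; }
    }

}
EOF
mkdir -p "${NGINX_HTML_DIR}"
if [[ -e "${NGINX_HTML_DIR}/index.html" ]]; then
  mv -- "${NGINX_HTML_DIR}/index.html" "${NGINX_HTML_DIR}/index.html.backup"
fi
# Always store the decoy page as index.html; `wget -P` named the file after
# the URL, which only yields index.html for a bare-host URL. The page is
# third-party content and the default URL is plain HTTP, so it can be altered
# in transit; prefer an https:// source you have looked at.
wget -O "${NGINX_HTML_DIR}/index.html" "${FAKE_HTML_PAGE_URL}"
# Validate the generated configuration before restarting; under `set -e` a
# syntax error stops the script here instead of leaving Nginx down silently.
nginx -t
systemctl restart nginx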
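# V2Ray
mkdir -p "${V2RAY_CONFIG_DIR}"
# `mv ... | true` only hid the exit status by accident; test for the file instead.
if [[ -e "${V2RAY_CONFIG_PATH}" ]]; then
  mv -- "${V2RAY_CONFIG_PATH}" "${V2RAY_CONFIG_PATH}.backup"
fi
# Write the config with a heredoc. The original used the whole JSON document
# as a printf format string, so a '%' or backslash in V2RAY_ID or V2RAY_PATH
# would have been interpreted by printf instead of written to the file.
# The inbound listens on 127.0.0.1 only; clients reach it through the Nginx
# WebSocket proxy at /${V2RAY_PATH}.
# NOTE(review): this file holds the client credential (V2RAY_ID). Check that
# its mode is no wider than the account the v2ray service runs as needs.
# NOTE(review): "inbound"/"outbound" are the older singular keys; confirm the
# installed V2Ray release still accepts them.
cat > "${V2RAY_CONFIG_PATH}" <<EOF
{
  "log": {
    "loglevel": "warning"
  },
  "inbound": {
    "listen": "127.0.0.1",
    "port": ${V2RAY_PRIVATE_PORT},
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "${V2RAY_ID}"
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/${V2RAY_PATH}"
      }
    }
  },
  "outbound": {
    "protocol": "freedom"
  }
}
EOF
systemctl enable v2ray
# restart, not start: on a re-run the service is already up and `start`
# would leave it running with the previous configuration.
systemctl restart v2ray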