Expose the OMV (OpenMediaVault) web UI to the internet only through an Nginx reverse proxy and a V2Ray encrypted tunnel, so that OMV itself never listens on a public address.
1. Stop OMV from listening on public interfaces
OMV's Nginx site listens on port 80 (or 443) on every interface by default.
Make it listen on loopback only:
sudo nano /etc/nginx/sites-enabled/openmediavault-webgui
Find the listen directive and change it to:
listen 127.0.0.1:80 default_server;
If the site also carries an IPv6 line such as listen [::]:80, change that one as well (to [::1]:80) or remove it; otherwise the UI stays reachable over IPv6.
Save and restart Nginx:
sudo systemctl restart nginx
OMV now accepts connections only from the host itself; nothing outside can reach it. Verify with ss -ltnp: port 80 should appear only on 127.0.0.1 (and ::1). Two caveats: OMV regenerates this site file from its own settings (for example after you change the web UI port or certificate in the UI), so re-check the listen address after such changes; and a host firewall rule that drops inbound 80/443 is a cheap second line of defence if the file is ever rewritten.
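The check a practitioner actually wants at this point is "what is still reachable from outside the box?", not just "did my edit land?". The script below is an added example (not part of the original post): it parses the output of ss -Hltn, lists every TCP listener bound to a non-loopback address, and compares the result with the ports that are supposed to be public in this setup. The SAMPLE output is constructed, so the script runs offline; the set ALLOWED = {22, 8443} (SSH plus the Nginx TLS port used later in this post) is an assumption, adjust it to your host.

```python
"""Report TCP listeners that are reachable from outside the host.

Added example, not part of the original post. After the Nginx restart,
OMV's port 80 must appear only on a loopback address; anything on
0.0.0.0, :: or * is public. Input is `ss -Hltn` output
(columns: State Recv-Q Send-Q Local:Port Peer:Port). The SAMPLE below is
constructed, not captured from a real box.
"""
import subprocess
from typing import Dict, List, Set


def parse_local(col: str):
    """Split '127.0.0.1:80', '[::1]:80' or '*:8443' into (host, port)."""
    host, _, port = col.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    return host.startswith("127.") or host == "::1"


def public_listeners(ss_output: str) -> Dict[int, List[str]]:
    """Map port -> hosts for every listener not bound to loopback.
    '0.0.0.0', '::' and '*' all mean "every interface"."""
    found: Dict[int, List[str]] = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host, port = parse_local(fields[3])
        if not is_loopback(host):
            found.setdefault(port, []).append(host)
    return found


def unexpected_ports(ss_output: str, allowed: Set[int]) -> List[int]:
    """Ports exposed on a public address that are not on the allow-list."""
    return sorted(p for p in public_listeners(ss_output) if p not in allowed)


# Constructed sample: the IPv4 listen line of the OMV site was changed to
# 127.0.0.1:80, but the IPv6 line ([::]:80) was forgotten, so OMV is still
# reachable over IPv6. 10000 is the V2Ray inbound, correctly on loopback.
SAMPLE = """\
LISTEN 0 511 127.0.0.1:80      0.0.0.0:*
LISTEN 0 511 [::]:80           [::]:*
LISTEN 0 511 0.0.0.0:8443      0.0.0.0:*
LISTEN 0 511 [::]:8443         [::]:*
LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
LISTEN 0 128 127.0.0.1:10000   0.0.0.0:*
"""

# Assumption: only SSH and the Nginx TLS port are meant to be public here.
ALLOWED = {22, 8443}


def live_check(allowed: Set[int] = ALLOWED) -> List[int]:
    """Run ss on this host (iproute2 assumed) and return ports that should not be public."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_ports(out, allowed)


if __name__ == "__main__":
    exposed = public_listeners(SAMPLE)
    for port in unexpected_ports(SAMPLE, ALLOWED):
        print(f"port {port} is exposed on {exposed[port]}")
    # On the real box replace SAMPLE with live_check().
```

On the sample the script reports port 80 on "::", which is exactly the case the IPv6 caveat above is about. Running live_check() on the real host after every OMV settings change catches the regenerated site file before anyone else does.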
2. Install and configure V2Ray
Run the official installer (read the script before piping it into root's shell):
bash <(curl -L -s https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)
Start V2Ray and check that it runs:
sudo systemctl start v2ray    # start now
sudo systemctl enable v2ray   # start at boot
sudo systemctl status v2ray   # check the service state
Configure the V2Ray server:
sudo nano /usr/local/etc/v2ray/config.json
Contents (V2Ray's config reader accepts // comments, which is what the comments below use):
{
  "log": {
    "access": "/var/log/v2ray/access.log", // access log
    "error": "/var/log/v2ray/error.log",   // error log
    "loglevel": "warning"                  // debug / info / warning / error / none
  },
  "inbounds": [
    {
      "tag": "vmess-in",     // VMess + WebSocket; TLS is terminated by Nginx. The routing rules below reference this tag, so it must match exactly
      "listen": "127.0.0.1", // loopback only; Nginx proxies to it
      "port": 10000,         // must equal the proxy_pass port in the Nginx config; not 443, which would clash with Nginx
      "protocol": "vmess",
      "settings": {"clients": [{"id": "replace-with-your-UUID", "alterId": 0}]}, // generate one with: cat /proc/sys/kernel/random/uuid
      "streamSettings": {"network": "ws", "wsSettings": {"path": "/v2ray"}}     // must match the Nginx location and the client setting
    },
    // The dokodemo-door inbounds below perform no authentication at all: whoever can
    // connect to the listen address gets the forwarded service. They must stay on
    // 127.0.0.1 (reachable only from the host itself, or from a client inside the
    // VMess tunnel), never on 0.0.0.0.
    {
      "tag": "ssh-in",
      "listen": "127.0.0.1",
      "port": 10022,
      "protocol": "dokodemo-door",
      "settings": {"address": "127.0.0.1", "port": 22, "network": "tcp"}
    },
    {
      "tag": "smb-in",
      "listen": "127.0.0.1",
      "port": 10445,
      "protocol": "dokodemo-door",
      "settings": {"address": "127.0.0.1", "port": 445, "network": "tcp"}
    },
    {
      "tag": "webdav-in",
      "listen": "127.0.0.1",
      "port": 18080,
      "protocol": "dokodemo-door",
      "settings": {"address": "127.0.0.1", "port": 8080, "network": "tcp"}
    },
    {
      "tag": "rdp-in",
      "listen": "127.0.0.1",
      "port": 13389,
      "protocol": "dokodemo-door",
      "settings": {"address": "192.168.1.101", "port": 3389, "network": "tcp"} // a Windows host on the LAN
    }
  ],
  "outbounds": [
    {
      "tag": "direct",       // direct outbound
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "proxy",        // relay through another node
      "protocol": "vmess",
      "settings": {"vnext": [{"address": "proxy-node-address", "port": 443, "users": [{"id": "replace-with-your-UUID", "alterId": 0, "security": "auto"}]}]},
      "streamSettings": {"network": "ws", "security": "tls", "wsSettings": {"path": "/v2ray/"}}
    },
    {
      "tag": "block",        // drop the connection
      "protocol": "blackhole",
      "settings": {}
    },
    {
      "tag": "local-web",    // deliver to the local OMV listener. dokodemo-door is an inbound
      "protocol": "freedom", // protocol and is not valid here; freedom's redirect option
      "settings": {"redirect": "127.0.0.1:80"} // forces the destination instead
    }
  ],
  "routing": {
    "rules": [
      {
        "type": "field",    // requests for the server's own domain go to OMV
        "inboundTag": ["vmess-in"],
        "domain": ["yourdomain.com"],
        "outboundTag": "local-web"
      },
      {
        "type": "field",    // non-China traffic goes through the relay
        "inboundTag": ["vmess-in"],
        "domain": ["geosite:geolocation-!cn"], // needs geosite.dat
        "outboundTag": "proxy"
      },
      {
        "type": "field",    // ad blocking
        "inboundTag": ["vmess-in"],
        "domain": ["geosite:category-ads-all"], // needs geosite.dat
        "outboundTag": "block"
      },
      {
        "type": "field",    // everything else goes direct
        "inboundTag": ["vmess-in"],
        "outboundTag": "direct"
      },
      {"type": "field", "inboundTag": ["ssh-in"], "outboundTag": "direct"},
      {"type": "field", "inboundTag": ["smb-in"], "outboundTag": "direct"},
      {"type": "field", "inboundTag": ["webdav-in"], "outboundTag": "direct"},
      {"type": "field", "inboundTag": ["rdp-in"], "outboundTag": "direct"}
    ]
  }
}
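A config of this size is easy to get subtly wrong: a routing rule that names a tag that does not exist never matches, an outbound declared with an inbound-only protocol fails at runtime, and a dokodemo-door inbound bound to 0.0.0.0 publishes the forwarded service with no authentication. The linter below is an added example (not part of the original post or of the V2Ray project) that checks those three things. Its SAMPLE is a constructed, trimmed config with those exact mistakes left in; the set OUTBOUND_PROTOCOLS is written from memory of the V2Ray docs and is an assumption to extend if you use other outbound types.

```python
"""Lint a V2Ray config.json before enabling it.

Added example, not part of the original post or of V2Ray. Checks:
  1. routing rules reference inbound/outbound tags that actually exist;
  2. outbounds use outbound protocols (dokodemo-door is inbound-only);
  3. dokodemo-door inbounds, which do no authentication, are bound to a
     loopback address and not to the public interfaces.
V2Ray allows // and /* */ comments in config.json; strip_comments()
removes them outside string literals so the rest parses as plain JSON.
"""
import json
from typing import List

# Assumption: protocols V2Ray accepts in "outbounds" (from memory of the docs).
OUTBOUND_PROTOCOLS = {"freedom", "blackhole", "vmess", "vless", "shadowsocks",
                      "socks", "http", "trojan", "dns", "loopback"}


def strip_comments(text: str) -> str:
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:                       # inside a string: copy verbatim
            out.append(c)
            if c == "\\" and i + 1 < len(text):
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):   # line comment: drop to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        elif text.startswith("/*", i):   # block comment: drop to closing */
            end = text.find("*/", i + 2)
            i = len(text) if end < 0 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "localhost")


def lint(cfg: dict) -> List[str]:
    findings = []
    inbounds, outbounds = cfg.get("inbounds", []), cfg.get("outbounds", [])
    in_tags = {ib.get("tag") for ib in inbounds}
    out_tags = {ob.get("tag") for ob in outbounds}
    for ib in inbounds:
        listen = ib.get("listen", "0.0.0.0")   # V2Ray's default is all interfaces
        if ib.get("protocol") == "dokodemo-door" and not is_loopback(listen):
            findings.append(f"inbound {ib.get('tag')!r}: unauthenticated "
                            f"dokodemo-door bound to {listen}")
    for ob in outbounds:
        if ob.get("protocol") not in OUTBOUND_PROTOCOLS:
            findings.append(f"outbound {ob.get('tag')!r}: "
                            f"{ob.get('protocol')!r} is not an outbound protocol")
    for n, rule in enumerate(cfg.get("routing", {}).get("rules", [])):
        for tag in rule.get("inboundTag", []):
            if tag not in in_tags:
                findings.append(f"rule {n}: unknown inboundTag {tag!r}")
        target = rule.get("outboundTag")
        if target is not None and target not in out_tags:
            findings.append(f"rule {n}: unknown outboundTag {target!r}")
    return findings


def lint_text(text: str) -> List[str]:
    return lint(json.loads(strip_comments(text)))


# Constructed sample: a trimmed config with a mistyped inbound tag, a
# dokodemo-door inbound on 0.0.0.0 and a dokodemo-door "outbound".
SAMPLE = r'''{
  "inbounds": [
    {"tag": "wmess-in", "listen": "127.0.0.1", "port": 10000, // typo: rules say vmess-in
     "protocol": "vmess",
     "settings": {"clients": [{"id": "00000000-0000-0000-0000-000000000000", "alterId": 0}]},
     "streamSettings": {"network": "ws", "wsSettings": {"path": "/v2ray"}}},
    {"tag": "ssh-in", "listen": "0.0.0.0", "port": 10022, "protocol": "dokodemo-door",
     "settings": {"address": "127.0.0.1", "port": 22, "network": "tcp"}}
  ],
  "outbounds": [
    {"tag": "direct", "protocol": "freedom", "settings": {}},
    {"tag": "local-web", "protocol": "dokodemo-door",
     "settings": {"address": "127.0.0.1", "port": 80, "network": "tcp"}}
  ],
  "routing": {"rules": [
    {"type": "field", "inboundTag": ["vmess-in"], "domain": ["yourdomain.com"], "outboundTag": "local-web"},
    {"type": "field", "inboundTag": ["ssh-in"], "outboundTag": "direct"}
  ]}
}'''

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in lint_text(text):
        print(finding)
```

Run it as python3 lint_v2ray.py /usr/local/etc/v2ray/config.json before restarting the service; on the sample it reports the public dokodemo-door inbound, the invalid local-web outbound and the dangling vmess-in reference.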
3. Configure the Nginx reverse proxy
Create a separate file so OMV's own site configuration stays untouched:
sudo nano /etc/nginx/conf.d/v2ray.conf
Contents:
server {
    listen 8443 ssl http2;        # HTTP/2 for better performance; 8443 because residential ISPs commonly block 443
    listen [::]:8443 ssl http2;   # IPv6
    server_name your-domain.com;  # your domain
    # TLS certificate (issued by Let's Encrypt)
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    # Without a certificate you can start with a self-signed one. Clients then have to
    # trust or pin that certificate explicitly; do not simply turn off certificate
    # verification in the client, or the tunnel can be intercepted.
    # openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    #   -keyout /etc/ssl/private/ssl-cert-snakeoil.key \
    #   -out /etc/ssl/certs/ssl-cert-snakeoil.pem
    # V2Ray WebSocket endpoint
    location /v2ray {
        # Anything that is not a WebSocket upgrade gets a 404, so to a scanner the path
        # looks like any other missing page
        if ($http_upgrade != "websocket") { return 404; }
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10000;   # must match the V2Ray inbound port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Decoy for direct visits from the internet
    location / {
        proxy_pass https://google.com;   # relays to the Google home page. A static page served
                                         # locally (root /var/www/html;) is simpler and avoids an
                                         # upstream fetch for every scanner hit
    }
    # WebDAV/Nextcloud file access. This location is reachable by anyone on the internet
    # without the tunnel, so it relies entirely on the WebDAV service's own authentication
    location /files {
        proxy_pass http://127.0.0.1:8080/;   # WebDAV port
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Test the configuration, then restart Nginx and V2Ray:
sudo nginx -t
sudo systemctl restart nginx
sudo systemctl restart v2ray
Afterwards confirm from outside that a plain HTTPS GET on /v2ray returns 404 and that port 80 is not reachable at all.
4. Client configuration
Address    your domain (it must match the certificate; a bare IP fails TLS verification with a Let's Encrypt certificate)
Port       8443
UUID       the same as on the server
Protocol   VMess
Transport  WebSocket
Path       /v2ray (case-sensitive; must match the Nginx location and the V2Ray wsSettings.path)
TLS        on, always: the Nginx server block only speaks TLS on 8443
5. Access through the client
Without the V2Ray client running, open in a browser:
https://yourdomain.com:8443/
You land on the decoy page configured in Nginx.
With the tunnel established in the V2Ray client (proxy on), open:
http://yourdomain.com/
and you reach the OMV web UI. The routing rule sends any request for yourdomain.com to the local-web outbound, which rewrites the destination to 127.0.0.1:80 on the server, so the plain-HTTP hop never leaves the host and everything before it travels inside the TLS-protected tunnel. (Opening https://yourdomain.com:8443 through the proxy is rewritten the same way and fails, because OMV's port 80 does not speak TLS.) SSH, SMB and RDP are reached the same way: point the client at 127.0.0.1:10022, 127.0.0.1:10445 or 127.0.0.1:13389 through the tunnel.
OMV itself exposes no public port, which takes it off the attack surface entirely; the only things reachable from the internet are Nginx on 8443 and whatever you deliberately bind elsewhere.
6. Supplement: obtaining the geosite/geoip data
Use the official data installer:
bash <(curl -L -s https://github.com/v2fly/fhs-install-v2ray/raw/master/install-dat-release.sh)
It downloads the current data files to:
/usr/local/share/v2ray/geoip.dat
/usr/local/share/v2ray/geosite.dat
Common groups:
geosite:cn (mainland-China sites)
geosite:geolocation-!cn (non-China sites)
geosite:google
geosite:youtube
geosite:facebook
geosite:telegram
geosite:netflix
Automatic updates:
sudo crontab -e
Add a line:
0 3 * * 0 /bin/bash -c 'bash <(curl -L -s https://github.com/v2fly/fhs-install-v2ray/raw/master/install-dat-release.sh)' >/dev/null 2>&1
The /bin/bash -c wrapper is required: cron runs jobs with /bin/sh, which does not understand the <( ) process substitution, so the bare bash <(curl ...) form silently fails every week. Note also that this fetches an unreviewed script into root's shell on a schedule; the safer variant is to download the script once, review it, and run that local copy from cron instead.
This updates geosite/geoip every Sunday at 03:00.