WeAir

反向代理Google

前期准备

反代Google之前要准备的各种乱七八糟的包括但不限于一台国外的VPS、一个域名、SSL证书等等,请提前准备好。

Apache反代

Apache需安装并启用proxy相关模块(mod_proxy、mod_proxy_http)以及substitute模块;下面的配置还用到了ssl、rewrite、headers和deflate模块,请一并启用。

Apache配置如下:

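# Plain-HTTP vhost: its only job is to send every request on to the HTTPS site.
<VirtualHost ip_address:80>
    ServerAdmin admin@domain.name
    ServerName domain.name
    ServerAlias *.domain.name
    # The trailing slash on the target is required. mod_alias appends whatever
    # follows the matched "/" to the target URL, so without it a request for
    # /foo is redirected to "https://domain.namefoo" -- the request path ends
    # up inside the host name and the redirect can land on a different host.
    Redirect / https://domain.name/
</VirtualHost>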
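# HTTPS vhost: terminates TLS for domain.name and reverse-proxies every request
# to https://www.google.com/, rewriting the upstream host name in text responses.
<VirtualHost ip_address:443>
    ServerAdmin admin@domain.name
    ServerName domain.name
    ServerAlias *.domain.name

    # Optional: where to send clients that receive a 403.
    # ErrorDocument 403 https://www.bing.com/

    SSLEngine on
    SSLCertificateFile /path/cert/pem.pem
    # NOTE(review): presumably this file holds the intermediate chain. The
    # directive is documented for CAs used to verify client certificates; on
    # Apache 2.4.8+ the chain can instead be appended to SSLCertificateFile.
    SSLCACertificateFile /path/cert/crt.crt
    SSLCertificateKeyFile /path/cert/key.key

    # Canonicalise the host: anything that is not exactly domain.name (for
    # example a *.domain.name alias) is redirected to it. The dot is escaped so
    # it matches a literal "." rather than any character.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^domain\.name$ [NC]
    RewriteRule ^(.*)$ https://domain.name$1 [L,R=301]

    # Restrict access by client IP. While this stays commented out, anyone who
    # learns the host name can use the proxy.
    # Apache 2.2 syntax (needs mod_access_compat on 2.4):
    # <Location />
    # Order Deny,Allow
    # Deny from all
    # Allow from 192.168.1.1
    # Allow from 192.168.1.0/24
    # </Location>
    # Apache 2.4 equivalent:
    # <Location />
    # Require ip 192.168.1.1 192.168.1.0/24
    # </Location>

    # Legacy workaround for old Internet Explorer TLS/keep-alive behaviour.
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Reverse proxy only; ProxyRequests Off keeps the forward-proxy mode disabled.
    ProxyRequests Off
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    ProxyPass / https://www.google.com/
    ProxyPassReverse / https://www.google.com/

    # Ask upstream for uncompressed bodies so SUBSTITUTE can see plain text;
    # INFLATE/DEFLATE cover the case where the body arrives compressed anyway.
    RequestHeader unset Accept-Encoding
    AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html text/xml

    # Rewrite the upstream host name in response bodies
    # (i = case-insensitive, n = fixed string, not a regex).
    Substitute s|www.google.com|domain.name|in

    Header always set Strict-Transport-Security "max-age=31536000; preload"

    # Append HttpOnly and Secure to every cookie. The replacement must include
    # $1: without it the whole Set-Cookie value is replaced by the bare
    # attributes and the cookie itself is lost. The rule is given for both
    # header tables because "always" and the default (onsuccess) table are
    # separate, and headers relayed by mod_proxy_http are normally in the
    # default one.
    Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
    Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"

    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
</VirtualHost>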

Nginx反代

Nginx需编译安装nginx_substitutions_filter模块。

Nginx配置如下:

# Plain-HTTP listener (IPv4 and IPv6): permanently redirects every request to
# the same URI on the HTTPS site.
server {
    listen 80;
    listen [::]:80;
    server_name domain.name;

    return 301 https://$server_name$request_uri;
}

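# HTTPS listener: terminates TLS for domain.name and reverse-proxies every
# request to https://www.google.com, rewriting the upstream host name in
# text responses.
server {
    # TLS is enabled with the "ssl" listen parameter. The separate "ssl on;"
    # directive is deprecated and has been removed from current nginx releases.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.name;

    # Canonicalise the host: requests that arrive under any other name are
    # redirected to domain.name.
    if ($host != 'domain.name' ) {
        rewrite ^/(.*)$ https://$server_name/$1 permanent;
    }

    # Optional: where to send clients that receive a 403.
    # error_page 403 https://www.bing.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DSS;
    ssl_prefer_server_ciphers on;
    ssl_certificate /path/cert/pem.pem;
    ssl_certificate_key /path/cert/key.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Refuse well-known crawlers so the mirror is not indexed.
    if ($http_user_agent ~* "360Spider|qihoobot|Bingbot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|YandexBot|Yisouspider|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
        return 403;
    }

    # NOTE(review): proxy_pass below uses a literal host name, which nginx
    # resolves when the configuration is loaded; this resolver is presumably
    # only consulted if the upstream is ever built from a variable.
    resolver 1.1.1.1 [2606:4700:4700::1111] valid=30s;

    location / {
        proxy_pass https://www.google.com;
        # Location headers from upstream are passed through unrewritten, so an
        # upstream redirect to www.google.com takes the browser off the proxy.
        # NOTE(review): consider "proxy_redirect https://www.google.com/ /;".
        proxy_redirect off;
        proxy_cookie_domain google.com domain.name;
        proxy_connect_timeout 60s;
        proxy_read_timeout 5400s;
        proxy_send_timeout 5400s;

        # Ask upstream for uncompressed bodies so subs_filter can see plain text.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host "www.google.com";
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer https://www.google.com;
        # These two headers forward the visitor's real IP address to upstream.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Accept-Language "zh-CN";
        # Replaces whatever Cookie the browser sent with this one fixed value:
        # every visitor presents the same cookie to upstream and per-user
        # cookies never reach it.
        # NOTE(review): the value looks like a copied real cookie -- confirm it
        # is not tied to anyone's account before reusing it.
        proxy_set_header Cookie "PREF=ID=047808f19f6de346:U=0f62f33dd8549d11:FF=2:LD=en-US:NW=1:TM=1325338577:LM=1332142444:GM=1:SG=2:S=rE0SyJh2W1IQ-Maw";

        subs_filter_types text/css text/xml text/javascript application/javascript application/json;
        # Rewrite upstream host names in response bodies. Rules are applied in
        # order, so the longer name must come first: if www.google.com were
        # replaced first, "www.google.com.hk" would already have become
        # "domain.name.hk" and the second rule would never match.
        subs_filter www.google.com.hk domain.name;
        subs_filter www.google.com domain.name;

        # "sub_filter_once" belongs to the built-in ngx_http_sub_module, not to
        # the substitutions filter used here, which already replaces every
        # occurrence by default. It is left disabled because it has no effect
        # on subs_filter and fails to parse on builds without that module.
        # sub_filter_once off;

        # Restrict access by client IP. While this stays commented out, anyone
        # who learns the host name can use the proxy.
        # allow 192.168.1.1;
        # allow 192.168.1.0/24;
        # deny all;
    }

}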

后记

请将配置中的domain.name替换成你自己的域名;建议为域名配置SSL证书,并启用配置中被注释掉的IP访问限制,只允许受信任的IP访问。