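# syntax=docker/dockerfile:1
# IKEv2 (strongSwan) + xray-core VPN image. run.sh needs CAP_NET_ADMIN at runtime
# (iptables, ipsec), so the container runs as root and no non-root USER is set.
# Pinned minor release instead of :latest so rebuilds are reproducible.
FROM alpine:3.16
WORKDIR /opt
EXPOSE 443/tcp 500/udp 4500/udp
# Runtime settings. HOST_NAME, LOGIN_USER and LOGIN_PASSWORD are mandatory and are
# validated by run.sh at start; pass them with `docker run -e`, never bake them in.
ENV HOST_NAME= \
    LOGIN_USER= \
    LOGIN_PASSWORD= \
    LOCAL_SUBNET=172.19.240.0/20 \
    V2RAY_ALTER_ID=64 \
    V2RAY_FALLBACK_PORT=80 \
    XRAY_LOCATION_ASSET=/usr/lib/xray
# curl and unzip are not part of the alpine base image but the download step below
# needs them; ca-certificates is required for the HTTPS fetches.
RUN apk --no-cache add \
        acme.sh \
        ca-certificates \
        curl \
        iptables \
        socat \
        strongswan \
        unzip \
    && mkdir -p /var/lib/acme.sh "${XRAY_LOCATION_ASSET}" /etc/xray
# Optional xray-core release tag (e.g. --build-arg XRAY_VERSION=<release-tag>).
# Empty means "resolve the latest release at build time", which is not reproducible.
ARG XRAY_VERSION=
# The whole download lives in ONE RUN: shell variables (TMP_DIR, ARCH, TAG) do not
# survive across separate RUN layers, so the split version expanded them to "" and
# fetched nothing. The tag is taken from the URL the /releases/latest redirect lands
# on, so it matches the release name exactly (no assumption about a "v" prefix).
# NOTE(review): the archive is not integrity-checked; compare it with the digest
# published alongside the release before relying on this image in production.
RUN set -eux; \
    TMP_DIR="$(mktemp -d)"; \
    case "$(uname -m)" in \
        i386|i686) ARCH='32' ;; \
        amd64|x86_64) ARCH='64' ;; \
        *) echo "error: The architecture is not supported."; rm -rf "${TMP_DIR}"; exit 1 ;; \
    esac; \
    TAG="${XRAY_VERSION}"; \
    if [ -z "${TAG}" ]; then \
        TAG="$(curl -fsSL -o /dev/null -w '%{url_effective}' https://github.com/XTLS/Xray-core/releases/latest)"; \
        TAG="${TAG##*/}"; \
    fi; \
    wget "https://github.com/XTLS/Xray-core/releases/download/${TAG}/Xray-linux-${ARCH}.zip" -P "${TMP_DIR}"; \
    unzip -o "${TMP_DIR}"/*.zip -d "${TMP_DIR}"; \
    mv "${TMP_DIR}/xray" /usr/bin/; \
    mv "${TMP_DIR}"/*.dat "${XRAY_LOCATION_ASSET}/"; \
    rm -rf "${TMP_DIR}"
# Executable bit set at copy time instead of a separate chmod layer.
COPY --chmod=0755 ./run.sh .
# Exec form: run.sh is PID 1 (and execs xray), so `docker stop` delivers SIGTERM
# to the service instead of to an intermediate /bin/sh -c.
CMD ["/opt/run.sh"]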
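#!/bin/sh
# Container entrypoint: programs the NAT/firewall rules, obtains a TLS
# certificate with acme.sh on first start, writes the strongSwan (IKEv2) and
# xray-core configuration, starts the IPsec daemon and finally execs xray as
# the container's main process.
#
# Required env:  HOST_NAME, LOGIN_USER, LOGIN_PASSWORD
# Optional env:  LOCAL_SUBNET, V2RAY_ALTER_ID, V2RAY_FALLBACK_PORT
#                (defaults below match the Dockerfile's ENV defaults)
#
# Needs CAP_NET_ADMIN (iptables / ipsec) — run with --cap-add=NET_ADMIN.
set -eu

# --- variables ---
# Abort with a non-zero status when mandatory settings are missing; the original
# `exit` returned 0, so the container looked healthy with nothing configured.
require_env() {
    # $1 = variable name (for the message), $2 = its value
    if [ -z "$2" ]; then
        echo "Please provide \"$1\" ENV variable" >&2
        exit 1
    fi
}
require_env HOST_NAME "${HOST_NAME:-}"
require_env LOGIN_USER "${LOGIN_USER:-}"
require_env LOGIN_PASSWORD "${LOGIN_PASSWORD:-}"

LOCAL_SUBNET="${LOCAL_SUBNET:-172.19.240.0/20}"
V2RAY_ALTER_ID="${V2RAY_ALTER_ID:-64}"
V2RAY_FALLBACK_PORT="${V2RAY_FALLBACK_PORT:-80}"

# Interface carrying the default route; VPN client traffic is masqueraded out of it.
DEFAULT_IFACE="$(route | grep '^default' | grep -o '[^ ]*$' || true)"
if [ -z "${DEFAULT_IFACE}" ]; then
    echo 'error: could not determine the default network interface' >&2
    exit 1
fi

# --- iptables ---
# Start from empty tables so repeated container starts do not stack duplicate rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# IKE (500) and NAT-T (4500)
iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
# Only forward traffic belonging to the VPN client pool; everything else is dropped.
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -d "${LOCAL_SUBNET}" -i "${DEFAULT_IFACE}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "${LOCAL_SUBNET}" -o "${DEFAULT_IFACE}" -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -s "${LOCAL_SUBNET}" -o "${DEFAULT_IFACE}" -j MASQUERADE
iptables -t nat -A POSTROUTING -s "${LOCAL_SUBNET}" -o "${DEFAULT_IFACE}" -m policy --dir out --pol none -j MASQUERADE

# --- acme.sh ---
# Issue the certificate only once; later starts reuse the installed key and chain.
if [ ! -f /etc/ipsec.d/private/privkey.pem ]; then
    wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/ipsec.d/cacerts/lets-encrypt-r3.pem
    acme.sh --home /var/lib/acme.sh --issue --alpn --standalone -d "${HOST_NAME}"
    acme.sh --home /var/lib/acme.sh --force --install-cert -d "${HOST_NAME}" \
        --cert-file /etc/ipsec.d/certs/cert.pem \
        --key-file /etc/ipsec.d/private/privkey.pem \
        --ca-file /etc/ipsec.d/cacerts/chain.pem \
        --fullchain-file /etc/ipsec.d/certs/fullchain.pem
fi
# Certificates and chain may be world-readable; the private key must not be.
# The original `chmod -R 755 /etc/ipsec.d` made privkey.pem readable by every user.
chmod 755 /etc/ipsec.d /etc/ipsec.d/certs /etc/ipsec.d/cacerts
chmod 700 /etc/ipsec.d/private
chmod 600 /etc/ipsec.d/private/privkey.pem

# --- ipsec ---
# ipsec.secrets carries the EAP password in clear text: keep it root-only.
cat > /etc/ipsec.secrets <<EOF
${HOST_NAME} : RSA privkey.pem
${LOGIN_USER} %any : EAP "${LOGIN_PASSWORD}"
EOF
chmod 600 /etc/ipsec.secrets

# Section parameters are indented: ipsec.conf treats a line starting in column 0
# as a new section header.
cat > /etc/ipsec.conf <<EOF
config setup
    uniqueids=never
    strictcrlpolicy=no
conn vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@${HOST_NAME}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=1.1.1.1,8.8.8.8
    rightsourceip=${LOCAL_SUBNET}
    rightsendcert=never
    eap_identity=%identity
EOF
ipsec restart

# --- xray-core ---
# Stale unix sockets from a previous run would make the listeners fail to bind.
rm -rf /run/*.sock
rm -rf /run/*.lock
# NOTE(review): "security": "xtls" and "flow": "xtls-rprx-direct" were dropped by
# later Xray-core releases; with the Dockerfile fetching the latest release, confirm
# the installed version still accepts this config. The VLESS/VMess "id" presumably
# has to be a UUID on older versions — verify LOGIN_PASSWORD meets that.
cat > /etc/xray/config.json <<EOF
{
  "log": {
    "loglevel": "none"
  },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "${LOGIN_PASSWORD}",
            "flow": "xtls-rprx-direct",
            "level": 0
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": "/run/xray-trojan.sock",
            "xver": 1
          },
          {
            "path": "/websocket",
            "dest": "/run/xray-vmess-ws.sock",
            "xver": 1
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "xtls",
        "xtlsSettings": {
          "alpn": [
            "http/1.1"
          ],
          "certificates": [
            {
              "certificateFile": "/etc/ipsec.d/certs/fullchain.pem",
              "keyFile": "/etc/ipsec.d/private/privkey.pem"
            }
          ]
        }
      }
    },
    {
      "listen": "/run/xray-trojan.sock",
      "protocol": "trojan",
      "settings": {
        "clients": [
          {
            "password": "${LOGIN_PASSWORD}",
            "level": 0
          }
        ],
        "fallbacks": [
          {
            "dest": ${V2RAY_FALLBACK_PORT}
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "none",
        "tcpSettings": {
          "acceptProxyProtocol": true
        }
      }
    },
    {
      "listen": "/run/xray-vmess-ws.sock",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "${LOGIN_PASSWORD}",
            "alterId": ${V2RAY_ALTER_ID}
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "none",
        "wsSettings": {
          "acceptProxyProtocol": true,
          "path": "/websocket"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}
EOF
# The config embeds the shared secret: root-only as well.
chmod 600 /etc/xray/config.json

# Replace the shell with xray so it becomes the container's main process and gets
# `docker stop`'s SIGTERM directly. `xray run` blocks in the foreground, so the
# original trailing `tail -f /dev/null` was never reached.
exec xray run -confdir /etc/xray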