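#!/bin/bash
# Trace every command to stderr; this is a one-shot provisioning script and
# the trace is the only progress output it gives.
set -x
# https://github.com/XTLS/Xray-install
# https://github.com/XTLS/Xray-examples
# Installation script
# Notes:
# - Caddy: installs the Caddy web server and uses Caddy's automatic TLS to
#   generate a local private certificate and rotate it; all of that is handled
#   by Caddy. If a DNS name is available Caddy obtains and renews a free
#   certificate instead. Caddy also serves a website, which is what a browser
#   sees when it opens the address.
# - A build of https://github.com/PanJiaChen/vue-element-admin.git is used as
#   that website.
# - The XTLS fallback feature of https://github.com/XTLS/Xray-install lets the
#   proxy speak XTLS, VLESS and VMess at the same time.
# - BBR congestion control is enabled.
# Caution:
# Caddy only enables automatic TLS on port 443, so Xray cannot use 443; it
# listens on XRAY_PORT (6443 below) and falls back to Caddy on port 80.
# This script has not been tested in production. Be careful with a one-shot
# run; executing the steps one at a time is recommended.
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !Do not disable the OS firewall unless you configured one at your provider!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

# Paths created by deployWebApp and referenced from the Caddyfile.
WEB_ROOT=/opt/wwwroot/default
CADDY_LOG=/var/log/caddy

# Every step below edits /etc and installs packages; there is no `set -e`,
# so without this guard an unprivileged run would continue past every failed
# command and leave a half-written configuration behind.
if (( EUID != 0 )); then
  printf 'this script must run as root\n' >&2
  exit 1
fi

# Public address of this host as reported by httpbin. Abort when the lookup
# fails or returns anything other than a single address (for example an empty
# string, or "a, b" when a proxy adds X-Forwarded-For): an empty DOMAIN would
# turn the Caddyfile sites into ":80"/":443" and the Xray certificate paths
# into ".../local//.crt".
EXTERNAL_IP=$(curl -fsS https://httpbin.org/ip | grep -oP '"origin": "\K(.*)(?=")')
if [[ ! "$EXTERNAL_IP" =~ ^[0-9A-Fa-f.:]+$ ]]; then
  printf 'could not determine the external IP address (got %q)\n' "$EXTERNAL_IP" >&2
  exit 1
fi

# Name Caddy and Xray serve. Defaults to the external IP, for which Caddy
# issues a locally-signed certificate. If you own a DNS name, export DOMAIN
# with it before running the script and point its record at ${EXTERNAL_IP}.
DOMAIN=${DOMAIN:-${EXTERNAL_IP}}
# Port Xray listens on; must not be 443 (see the caution above).
XRAY_PORT=6443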
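#######################################
# Prepare the host: SELinux off, base packages, kernel tuning, file limits.
# Globals:   none
# Arguments: none
# Outputs:   writes /etc/sysctl.d/01-sysctl.conf and
#            /etc/security/limits.d/01-limits.conf
# Returns:   status of the final sysctl load
#######################################
function initSystemEnvironment(){
  # Permissive now, disabled after the next boot.
  # NOTE(review): this removes mandatory access control for every service on
  # the host, not only Xray; the rest of the script is written on that
  # assumption, so it is kept as the author intended.
  sed -i 's/\(^SELINUX=\).*$/\1disabled/' /etc/selinux/config
  setenforce 0
  # Base packages; git and tar are needed by deployWebApp.
  dnf -y update
  dnf -y install nodejs git vim tar
  # Kernel tuning including BBR. Quoted delimiter: nothing in the file is a
  # shell expansion, so the bytes written are identical either way.
  cat > /etc/sysctl.d/01-sysctl.conf <<'EOF'
# 20230222
vm.swappiness = 10
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_syn_backlog = 1024
vm.overcommit_memory = 1
fs.inotify.max_user_instances = 4096
# enable bbr
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
  cat > /etc/security/limits.d/01-limits.conf <<'EOF'
# 20230222
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
EOF
  # `sysctl -p` without a file argument reads only /etc/sysctl.conf, so the
  # drop-in written above (and BBR with it) would not apply until reboot.
  # --system loads /etc/sysctl.d/*.conf as well.
  /sbin/sysctl --system
}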
#######################################
# Install Caddy from its COPR repository, open 80/443 in firewalld, start
# the service and trust its local CA on this host.
# Globals:   none
# Arguments: none
# Outputs:   the default site's response body (curl smoke test) on stdout
# Returns:   status of `caddy trust`
#######################################
function installWebServer() {
  local svc
  dnf -y install 'dnf-command(copr)'
  dnf -y copr enable @caddy/caddy
  dnf -y install caddy
  # Expose HTTP (80) and HTTPS (443); the rules persist across reloads.
  for svc in http https; do
    firewall-cmd --add-service="${svc}" --permanent
  done
  firewall-cmd --reload
  # Enable at boot and start right away.
  systemctl enable --now caddy
  # Smoke test of the freshly started default site.
  curl http://localhost
  # Add Caddy's local CA root to the system trust store so certificates it
  # issues for the IP-based site are trusted by tools on this host.
  caddy trust
}
# 配置 Caddy,开启 80 443 端口,使用 vue-element-admin 作为静态 Web 页面 。
# 服务域名默认为 IP 地址。Caddy 检测本地地址,会自动生成本地私有证书,并自动轮转。
# 如果有公网域名,并解析到本服务器,可以替换成公网域名,Caddy 会自动使用 ACME 生成
# 公网证书,并自动轮转。
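#######################################
# Build the vue-element-admin front-end and serve it with Caddy on 80 and 443.
# Globals:   WEB_ROOT, CADDY_LOG, DOMAIN (read); NODE_PATH, PATH,
#            NODE_OPTIONS (exported); NODE_SHA256 (optional, read)
# Arguments: none
# Outputs:   writes /etc/caddy/Caddyfile; changes the cwd to the clone
# Returns:   1 on a failed download, clone, build or Caddy restart
#######################################
function deployWebApp() {
  local node_ver=v18.16.0
  local node_dist="node-${node_ver}-linux-x64"
  mkdir -p "${WEB_ROOT}" "${CADDY_LOG}"
  chown -R caddy:caddy "${WEB_ROOT}" "${CADDY_LOG}"
  mkdir -p /opt/devtools
  # Node toolchain for the build (the distro nodejs package installed earlier
  # is not what runs the build). -f keeps an HTTP error page from being saved
  # as the tarball. The download is trusted on the strength of TLS to
  # nodejs.org alone unless NODE_SHA256 is exported with the tarball's digest
  # from the matching SHASUMS256.txt, in which case it is verified.
  curl -fsSLO "https://nodejs.org/dist/${node_ver}/${node_dist}.tar.xz" || return 1
  if [[ -n "${NODE_SHA256:-}" ]]; then
    printf '%s  %s\n' "${NODE_SHA256}" "${node_dist}.tar.xz" | sha256sum -c - || return 1
  fi
  tar -Jxvf "${node_dist}.tar.xz" -C /opt/devtools/ || return 1
  # NODE_PATH is used here as the install prefix and kept under that name for
  # compatibility; note that Node itself reads NODE_PATH as a module search
  # path, so the build also sees this directory.
  export NODE_PATH="/opt/devtools/${node_dist}/"
  export PATH="${NODE_PATH}/bin:${PATH}"
  node -v
  # The clone is not pinned, so the content served tracks upstream HEAD; pin
  # a tag or commit here if the deployment must be reproducible.
  git clone https://github.com/PanJiaChen/vue-element-admin.git || return 1
  # Works around the "digital envelope routines::unsupported" build error; see
  # https://stackoverflow.com/questions/69692842/error-message-error0308010cdigital-envelope-routinesunsupported
  export NODE_OPTIONS=--openssl-legacy-provider
  # Guarded: if the clone failed, npm would otherwise run in the caller's cwd.
  cd vue-element-admin || return 1
  npm install || return 1
  npm run build:prod || return 1
  cp -R dist/* "${WEB_ROOT}"
  # With an IP in DOMAIN Caddy issues a locally-signed certificate and rotates
  # it; with a public name it uses ACME. Both :80 and :443 serve the site:
  # the explicit :80 block is what Xray's "dest": 80 fallback lands on, and
  # presumably also suppresses Caddy's automatic HTTP-to-HTTPS redirect for it.
  cat > /etc/caddy/Caddyfile <<EOF
${DOMAIN}:80 {
  root * ${WEB_ROOT}
  file_server
  log {
    output file ${CADDY_LOG}/access.log {
      roll_size 100mb
      roll_keep 5
      roll_keep_for 15d
    }
  }
}
${DOMAIN}:443 {
  root * ${WEB_ROOT}
  file_server
  log {
    output file ${CADDY_LOG}/access.log {
      roll_size 100mb
      roll_keep 5
      roll_keep_for 15d
    }
  }
}
EOF
  systemctl restart caddy || return 1
  # Smoke test only; -k skips verification because the certificate may come
  # from Caddy's local CA.
  curl -k -I "https://${DOMAIN}"
}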
# 安装 xray ,同时配置 xray ,并配置 xray 使用 caddy 自动生成的证书。
# 安装完成后会创建 xray 的防火墙规则,并开启 caddy 防火墙
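#######################################
# Install Xray, write its server config (using Caddy's certificate) and open
# its port in firewalld.
# Globals:   XRAY_PORT, DOMAIN (read)
# Arguments: none
# Outputs:   writes /usr/local/etc/xray/config.json and
#            /etc/firewalld/services/xray.xml; edits xray.service
# Returns:   1 if the installer cannot be fetched or run, or xray fails to start
#######################################
function installXray() {
  local installer_url=https://github.com/XTLS/Xray-install/raw/main/install-release.sh
  local installer
  # The upstream installer runs as root straight from GitHub; that is the
  # trust boundary of this script. It is fetched once with -f so an HTTP
  # error page is never handed to bash, and the same bytes serve both steps.
  installer=$(curl -fsSL "${installer_url}") || return 1
  [[ -n "${installer}" ]] || return 1
  bash -c "${installer}" @ install || return 1
  bash -c "${installer}" @ install-geodata || return 1
  # Run xray as the caddy user: only caddy can read the certificate Caddy
  # generates, and the installer's default User=nobody fails to open it.
  sed -i 's/\(^User=\).*$/\1caddy/' /etc/systemd/system/xray.service
  systemctl daemon-reload
  # Server config. The client credentials (VLESS ids, Trojan password) are
  # generated by uuidgen at write time and exist only in this file; read them
  # from it when configuring a client. Xray accepts // comments in its JSON.
  # NOTE(review): the certificate paths are Caddy's storage layout for its
  # internal ("local") issuer; with a public DOMAIN Caddy stores the ACME
  # certificate under a different issuer directory — confirm the path in that
  # case. Caddy also rotates the local certificate; confirm that xray picks
  # up the rotated files without a restart.
  cat > /usr/local/etc/xray/config.json <<EOF
{
  "log": {
    "loglevel": "warning"
    // "loglevel": "debug"
  },
  "inbounds": [
    {
      "port": ${XRAY_PORT},
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "$(uuidgen)", // 使用 uuidgen 生产 ID
            "flow": "xtls-rprx-vision",
            "level": 0,
            "email": "love@example.com"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": 1310, // Fall back to Xray's Trojan protocol by default
            "xver": 1
          },
          {
            "path": "/websocket", // Must be replaced with a custom PATH
            "dest": 1234,
            "xver": 1
          },
          {
            "path": "/vmessws", // Must be replaced with a custom PATH
            "dest": 3456,
            "xver": 1
          },
          {
            "dest": 80 // or fall back to other proxies that are also probing-proof
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "${DOMAIN}",
          "rejectUnknownSni": true,
          "certificates": [
            {
              "certificateFile": "/var/lib/caddy/.local/share/caddy/certificates/local/${DOMAIN}/${DOMAIN}.crt", // Replace with your certificate, absolute path
              "keyFile": "/var/lib/caddy/.local/share/caddy/certificates/local/${DOMAIN}/${DOMAIN}.key" // Replace it with your private key, absolute path
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    },
    {
      "port": 1310,
      "listen": "127.0.0.1",
      "protocol": "trojan",
      "settings": {
        "clients": [
          {
            "password": "$(uuidgen)",
            "level": 0,
            "email": "love@example.com"
          }
        ],
        "fallbacks": [
          {
            "dest": 80
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "none",
        "tcpSettings": {
          "acceptProxyProtocol": true
        }
      }
    },
    {
      "port": 1234,
      "listen": "127.0.0.1",
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "$(uuidgen)",
            "level": 0,
            "email": "love@example.com"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "ws",
        "security": "none",
        "wsSettings": {
          "acceptProxyProtocol": true, // Reminder: If you use Nginx/Caddy to reverse generation WS, you need to delete this line
          "path": "/websocket" // It must be replaced with a custom PATH, which needs to be consistent with the shunt
        }
      }
    },
    {
      "port": 3456,
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "$(uuidgen)",
            "level": 0,
            "email": "love@example.com"
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "none",
        "wsSettings": {
          "acceptProxyProtocol": true, // Reminder: If you use Nginx/Caddy to reverse generation WS, you need to delete this line
          "path": "/vmessws" // It must be replaced with a custom PATH, which needs to be consistent with the shunt
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
    ]
  },
  "policy": {
    "levels": {
      "0": {
        "handshake": 2, // The handshake time limit when the connection is established, in seconds, the default value is 4, it is recommended to be different from the default value
        "connIdle": 120 // Connection idle time limit in seconds, the default value is 300, it is recommended to be different from the default value
      }
    }
  }
}
EOF
  # The file now holds credentials and xray reads it as caddy (User= above):
  # owned by root, readable by the caddy group only, not by other users.
  chown root:caddy /usr/local/etc/xray/config.json
  chmod 0640 /usr/local/etc/xray/config.json
  systemctl restart xray || return 1
  # firewalld service definition for the Xray port. Only TCP is opened: every
  # inbound in the config above is tcp or ws, so a UDP rule would expose a
  # port nothing listens on.
  cat > /etc/firewalld/services/xray.xml <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Xray</short>
  <description>Xray port</description>
  <port protocol="tcp" port="${XRAY_PORT}"/>
</service>
EOF
  # The first reload makes firewalld read the new service file; the second
  # applies the permanent rule.
  firewall-cmd --reload
  firewall-cmd --add-service=xray --permanent
  firewall-cmd --reload
}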
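# Orchestration. Each step depends on the previous one (Xray's config points
# at the certificate Caddy only creates once it is serving the site), so stop
# at the first failing step instead of writing configs that reference files
# that were never created.
initSystemEnvironment || exit 1
# deployWireguard   # not defined in this script
installWebServer || exit 1
deployWebApp || exit 1
installXray || exit 1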