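#!/bin/bash
# Trace every command to stderr while the script runs (the author's choice;
# the trace includes expanded values such as the detected IP, so keep that in
# mind when sharing logs).
set -x
# https://github.com/XTLS/Xray-install
# https://github.com/XTLS/Xray-examples
# Install script
# Overview:
# - Caddy: installs the Caddy web server and relies on its automatic TLS: for
#   a bare IP it issues a local private certificate and rotates it itself;
#   with a real domain it obtains and renews a free public certificate. Caddy
#   also serves a web site, so the address looks like an ordinary page.
# - The site is a build of https://github.com/PanJiaChen/vue-element-admin.git;
#   opening the address in a browser shows that page.
# - Xray (https://github.com/XTLS/Xray-install) uses XTLS fallbacks so the
#   proxy serves XTLS, VLESS and VMESS at the same time.
# - BBR is enabled.
# Notes:
# - Caddy only issues certificates for port 443, so Xray must not occupy 443;
#   it listens on XRAY_PORT (6443 below) and falls back to port 80.
# - Not yet tested in production. Prefer running the steps one at a time over
#   a one-shot run.
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# ! Do not disable the OS firewall unless a firewall is configured at your provider !
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WEB_ROOT=/opt/wwwroot/default
CADDY_LOG=/var/log/caddy
# Public IP as reported by httpbin.org — an external third-party service, so
# the value is only as trustworthy as that reply. -f makes a non-2xx response
# yield nothing instead of an HTML error page that the grep would not match.
EXTERNAL_IP=$(curl -fs https://httpbin.org/ip | grep -oP '"origin": "\K(.*)(?=")')
# To use a real domain, export DOMAIN before running (and point its DNS record
# at this IP); otherwise the detected IP is used, as before.
DOMAIN=${DOMAIN:-${EXTERNAL_IP}}
# An empty DOMAIN would silently produce a Caddyfile with ":80 {" site blocks
# and an Xray config with empty serverName/certificate paths; stop instead.
if [[ -z "${DOMAIN}" ]]; then
  printf 'error: could not detect the external IP and DOMAIN is not set\n' >&2
  exit 1
fi
XRAY_PORT=6443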
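#######################################
# Prepare the OS: disable SELinux, install base packages, write kernel and
# per-user limits, and enable BBR.
# Globals:   none
# Arguments: none
# Outputs:   package-manager and sysctl output on stdout
# Returns:   status of the final sysctl call
#######################################
initSystemEnvironment() {
  # Disable SELinux both persistently (config file) and for the running
  # kernel (setenforce). This removes a mandatory-access-control layer for
  # every service on the host; it is the author's choice, Caddy does not
  # require it.
  sed -i 's/\(^SELINUX=\).*$/\1disabled/' /etc/selinux/config
  setenforce 0
  # Base packages
  dnf -y update
  dnf -y install nodejs git vim tar
  cat > /etc/sysctl.d/01-sysctl.conf <<EOF
# 20230222
vm.swappiness = 10
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_syn_backlog = 1024
vm.overcommit_memory = 1
fs.inotify.max_user_instances = 4096
# enable bbr
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
  cat > /etc/security/limits.d/01-limits.conf <<EOF
# 20230222
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
EOF
  # `sysctl -p` without a file only reads /etc/sysctl.conf, so the settings
  # written to /etc/sysctl.d/ above (including BBR) would not apply until the
  # next reboot. `--system` loads /etc/sysctl.d/* as well.
  /sbin/sysctl --system
}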
#######################################
# Install Caddy from its official COPR repository, open http/https in
# firewalld, start Caddy, and install Caddy's local CA root into the system
# trust store.
# Globals:   none
# Arguments: none
# Outputs:   package-manager output; the default page fetched from localhost
# Returns:   status of `caddy trust`
#######################################
installWebServer() {
  local svc
  dnf -y install 'dnf-command(copr)'
  dnf -y copr enable @caddy/caddy
  dnf -y install caddy
  # Firewall: allow http (80) and https (443)
  for svc in http https; do
    firewall-cmd --add-service="${svc}" --permanent
  done
  firewall-cmd --reload
  systemctl enable caddy
  systemctl start caddy
  # Smoke test only: the response is printed, its status is not checked.
  curl http://localhost
  # Make this host trust the root CA that Caddy generates for local
  # (IP-address) certificates.
  caddy trust
}
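#######################################
# Build vue-element-admin with a pinned Node release and serve it through
# Caddy on ports 80 and 443. DOMAIN defaults to the server IP, for which Caddy
# issues and rotates a local private certificate; with a public domain that
# resolves to this server, Caddy obtains and renews a public certificate via
# ACME instead.
# Globals:   WEB_ROOT, CADDY_LOG, DOMAIN (read); NODE_PATH, PATH,
#            NODE_OPTIONS (exported)
# Arguments: none
# Outputs:   download/build output on stdout; response headers of the final
#            HTTPS smoke test
# Returns:   1 if the Node tarball cannot be verified or the checkout
#            directory cannot be entered
#######################################
deployWebApp() {
  local node_ver=v18.16.0
  local node_pkg="node-${node_ver}-linux-x64"
  mkdir -p "${WEB_ROOT}"
  chown -R caddy:caddy "${WEB_ROOT}"
  mkdir -p "${CADDY_LOG}"
  chown -R caddy:caddy "${CADDY_LOG}"
  # -p so a re-run does not fail because the directory already exists
  mkdir -p /opt/devtools
  # Pinned Node build, checked against the release's published checksum list
  # before it is unpacked. Both files come from the same origin, so this
  # catches a corrupted or truncated download, not a compromised origin.
  curl -fsSLO "https://nodejs.org/dist/${node_ver}/${node_pkg}.tar.xz"
  curl -fsSLO "https://nodejs.org/dist/${node_ver}/SHASUMS256.txt"
  # --ignore-missing: the list covers every release artifact; only the
  # tarball present here is verified (and the check fails if none was).
  sha256sum -c --ignore-missing SHASUMS256.txt || return 1
  tar -Jxvf "${node_pkg}.tar.xz" -C /opt/devtools/
  export NODE_PATH="/opt/devtools/${node_pkg}/"
  export PATH="${NODE_PATH}/bin:${PATH}"
  node -v
  # Unpinned clone of the default branch; `npm install` below then runs the
  # lifecycle scripts of every dependency as root.
  git clone https://github.com/PanJiaChen/vue-element-admin.git
  # https://stackoverflow.com/questions/69692842/error-message-error0308010cdigital-envelope-routinesunsupported
  export NODE_OPTIONS=--openssl-legacy-provider
  # Without this guard a failed clone would run npm in the current directory.
  cd vue-element-admin || return 1
  npm install
  npm run build:prod
  cp -R dist/* "${WEB_ROOT}"
  # With a public domain in DOMAIN, Caddy obtains the certificate via ACME;
  # with a bare IP it issues a local private certificate and rotates it.
  cat > /etc/caddy/Caddyfile <<EOF
${DOMAIN}:80 {
root * ${WEB_ROOT}
file_server
log {
output file ${CADDY_LOG}/access.log {
roll_size 100mb
roll_keep 5
roll_keep_for 15d
}
}
}
${DOMAIN}:443 {
root * ${WEB_ROOT}
file_server
log {
output file ${CADDY_LOG}/access.log {
roll_size 100mb
roll_keep 5
roll_keep_for 15d
}
}
}
EOF
  systemctl restart caddy
  # Reachability check only; -k skips certificate verification, which is the
  # expected situation for the locally issued IP certificate.
  curl -k -I "https://${DOMAIN}"
}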
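#######################################
# Install Xray with the upstream installer, write its configuration (VLESS +
# XTLS on XRAY_PORT, falling back to Trojan / VLESS-WS / VMess-WS inbounds on
# loopback and finally to Caddy on port 80), reuse the certificate Caddy
# generated, and open XRAY_PORT in firewalld.
# Globals:   XRAY_PORT, DOMAIN (read)
# Arguments: none
# Outputs:   installer and firewalld output on stdout. The client credentials
#            generated with uuidgen are written only to
#            /usr/local/etc/xray/config.json.
# Returns:   1 if the installer cannot be downloaded
#######################################
installXray() {
  local installer
  # Download the upstream installer once into a temp file and run it from
  # disk instead of `bash -c "$(curl ...)"`: a failed or truncated download
  # is detected (-f plus the exit status) before anything executes, and the
  # exact script that ran can be inspected. It is still remote code executed
  # as root.
  installer=$(mktemp) || return 1
  if ! curl -fsSL -o "${installer}" https://github.com/XTLS/Xray-install/raw/main/install-release.sh; then
    printf 'error: failed to download install-release.sh\n' >&2
    rm -f -- "${installer}"
    return 1
  fi
  bash "${installer}" install
  bash "${installer}" install-geodata
  rm -f -- "${installer}"
  # Run xray as the caddy user: the certificate Caddy generates is readable
  # only by caddy, and xray's default user (nobody) cannot read it, so the
  # service fails to start. Trade-off: a compromised xray process then has
  # caddy's access to Caddy's data directory, including its private keys.
  sed -i 's/\(^User=\).*$/\1caddy/' /etc/systemd/system/xray.service
  systemctl daemon-reload
  # The certificate path below is where Caddy keeps locally issued
  # (IP-address) certificates. NOTE(review): with a public DOMAIN obtained via
  # ACME, Caddy stores the files under a different issuer directory — confirm
  # the path before using a real domain.
  cat > /usr/local/etc/xray/config.json <<EOF
{
"log": {
"loglevel": "warning"
// "loglevel": "debug"
},
"inbounds": [
{
"port": ${XRAY_PORT},
"protocol": "vless",
"settings": {
"clients": [
{
"id": "$(uuidgen)", // 使用 uuidgen 生产 ID
"flow": "xtls-rprx-vision",
"level": 0,
"email": "love@example.com"
}
],
"decryption": "none",
"fallbacks": [
{
"dest": 1310, // Fall back to Xray's Trojan protocol by default
"xver": 1
},
{
"path": "/websocket", // Must be replaced with a custom PATH
"dest": 1234,
"xver": 1
},
{
"path": "/vmessws", // Must be replaced with a custom PATH
"dest": 3456,
"xver": 1
},
{
"dest": 80 // or fall back to other proxies that are also probing-proof
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"serverName": "${DOMAIN}",
"rejectUnknownSni": true,
"certificates": [
{
"certificateFile": "/var/lib/caddy/.local/share/caddy/certificates/local/${DOMAIN}/${DOMAIN}.crt", // Replace with your certificate, absolute path
"keyFile": "/var/lib/caddy/.local/share/caddy/certificates/local/${DOMAIN}/${DOMAIN}.key" // Replace it with your private key, absolute path
}
]
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
},
{
"port": 1310,
"listen": "127.0.0.1",
"protocol": "trojan",
"settings": {
"clients": [
{
"password": "$(uuidgen)",
"level": 0,
"email": "love@example.com"
}
],
"fallbacks": [
{
"dest": 80
}
]
},
"streamSettings": {
"network": "tcp",
"security": "none",
"tcpSettings": {
"acceptProxyProtocol": true
}
}
},
{
"port": 1234,
"listen": "127.0.0.1",
"protocol": "vless",
"settings": {
"clients": [
{
"id": "$(uuidgen)",
"level": 0,
"email": "love@example.com"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "ws",
"security": "none",
"wsSettings": {
"acceptProxyProtocol": true, // Reminder: If you use Nginx/Caddy to reverse generation WS, you need to delete this line
"path": "/websocket" // It must be replaced with a custom PATH, which needs to be consistent with the shunt
}
}
},
{
"port": 3456,
"listen": "127.0.0.1",
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "$(uuidgen)",
"level": 0,
"email": "love@example.com"
}
]
},
"streamSettings": {
"network": "ws",
"security": "none",
"wsSettings": {
"acceptProxyProtocol": true, // Reminder: If you use Nginx/Caddy to reverse generation WS, you need to delete this line
"path": "/vmessws" // It must be replaced with a custom PATH, which needs to be consistent with the shunt
}
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
}
],
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
]
},
"policy": {
"levels": {
"0": {
"handshake": 2, // The handshake time limit when the connection is established, in seconds, the default value is 4, it is recommended to be different from the default value
"connIdle": 120 // Connection idle time limit in seconds, the default value is 300, it is recommended to be different from the default value
}
}
}
}
EOF
  # config.json contains the generated client secrets; restrict it to root
  # and the service user (xray runs as caddy after the edit above) instead of
  # leaving it world-readable under the default umask.
  chown root:caddy /usr/local/etc/xray/config.json
  chmod 640 /usr/local/etc/xray/config.json
  systemctl restart xray
  # firewalld service definition for xray. Only TCP is opened: the public
  # inbound above is "network": "tcp", so exposing UDP on the same port would
  # open a port nothing listens on.
  cat > /etc/firewalld/services/xray.xml <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Xray</short>
<description>Xray port</description>
<port protocol="tcp" port="${XRAY_PORT}"/>
</service>
EOF
  # Reload first so firewalld picks up the new service file, then enable it.
  firewall-cmd --reload
  firewall-cmd --add-service=xray --permanent
  firewall-cmd --reload
}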
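# Every step edits /etc, installs packages and manages services, so refuse to
# run unprivileged instead of failing part-way through with half the changes
# applied.
if (( EUID != 0 )); then
  printf 'error: this script must be run as root\n' >&2
  exit 1
fi
initSystemEnvironment
# deployWireguard
installWebServer
deployWebApp
installXray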