parent
9fad566653
commit
e7e03be584
|
@ -1,34 +0,0 @@
|
||||||
## ss-openresty 白名单
|
|
||||||
|
|
||||||
> 请注意该内容依然属于测试内容,相关的技术框架已经全部说明,具体内容可以查阅相关文档
|
|
||||||
|
|
||||||
这是一个 ss 的基于 openresty(nginx) 的白名单实现
|
|
||||||
* 使用 `docker-compose` 启动
|
|
||||||
* 利用 `ngx_http_auth_basic_module` 进行访问验证
|
|
||||||
* 利用 `ngx_http_access_module` 实现IP白名单控制
|
|
||||||
* 利用 `ngx_stream_proxy_module` 实现四层反向代理
|
|
||||||
* 利用 `lua` 进行配置调整及应用
|
|
||||||
|
|
||||||
通过浏览器访问代理的IP地址,并通过用户名密码验证,即可添加当前访问IP至白名单
|
|
||||||
不需要签发证书,ss 使用 `ss-libev` 版本
|
|
||||||
|
|
||||||
无教程,具体需要的内容可以查看 docker-compose.yml 中的 volume 部分,包括 nginx 配置文件,模板也在 ss_whitelist 文件夹中,在对应文件夹需要创建一个 allow.list 空文件
|
|
||||||
## 优势
|
|
||||||
* 不再需要 tls / tls 隧道,TCP直连。
|
|
||||||
* 没有签发证书的繁琐流程
|
|
||||||
* 应该大概也许可能 能够最大程度上保证 端口/IP 不被封禁
|
|
||||||
|
|
||||||
## 原理
|
|
||||||
|
|
||||||
目前对 ss 类协议的主要探测方式为大量IP进行主动探测,并对端口进行封禁
|
|
||||||
|
|
||||||
经过 **少量** 测试发现,使用白名单限制ss端口访问来源可以很大程度上规避端口封禁
|
|
||||||
|
|
||||||
> 我们相信防火墙可以通过伪造来源IP的方式来访问服务端,并进行重放攻击,ss-AEAD 本身的抗重放应该足以应对这种情况
|
|
||||||
|
|
||||||
大部分代理使用场景都是在固定场所,在一定时间内有相对固定的 IP,因此在大部分情况下,通过白名单限制访问 ss 的 IP 来源方式相对可行
|
|
||||||
|
|
||||||
## 使用方法
|
|
||||||
|
|
||||||
* 访问 IP/域名 输入鉴权信息,添加当前 IP 地址进入白名单
|
|
||||||
* 访问 /purge 清空白名单信息
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
services:
|
||||||
|
shadowsocks:
|
||||||
|
image: vndroid/shadowsocks-libev:alpine
|
||||||
|
expose:
|
||||||
|
- 8388/tcp
|
||||||
|
- 8388/udp
|
||||||
|
environment:
|
||||||
|
- METHOD=aes-256-gcm
|
||||||
|
- PASSWORD=9MLSpPmNt
|
||||||
|
restart: always
|
||||||
|
networks:
|
||||||
|
- backend
|
||||||
|
openresty:
|
||||||
|
image: openresty/openresty:alpine
|
||||||
|
ports:
|
||||||
|
- "80:80"
|
||||||
|
- "443:443"
|
||||||
|
- "18388:18388/tcp"
|
||||||
|
- "18388:18388/udp"
|
||||||
|
volumes:
|
||||||
|
- ./nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf
|
||||||
|
- ./allow.list:/etc/openresty/allow.list
|
||||||
|
- ./htpasswd:/etc/openresty/.htpasswd
|
||||||
|
restart: always
|
||||||
|
networks:
|
||||||
|
- backend
|
||||||
|
depends_on:
|
||||||
|
- shadowsocks
|
||||||
|
networks:
|
||||||
|
backend:
|
|
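Review bot: The shadowsocks service takes its credential from the literal `- PASSWORD=9MLSpPmNt` under `environment`, so the secret is committed to the repository and readable from `docker inspect` on the host; the deleted file had the same pattern, and this rewrite is the place to stop it. Use Compose substitution with a required value, `- PASSWORD=${SS_PASSWORD:?SS_PASSWORD must be set}`, and keep the value in an untracked `.env` file. The two configuration mounts should also be read-only, `./nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf:ro` and `./htpasswd:/etc/openresty/.htpasswd:ro`, leaving only `allow.list` writable since the README says the admin endpoint appends the caller's address to it. `vndroid/shadowsocks-libev:alpine` and `openresty/openresty:alpine` are floating tags; pinning by digest would make the deployed images reproducible.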
@ -1,31 +0,0 @@
|
||||||
version: "3.9"
|
|
||||||
services:
|
|
||||||
shadowsocks:
|
|
||||||
image: shadowsocks/shadowsocks-libev:latest
|
|
||||||
expose:
|
|
||||||
- 8388
|
|
||||||
- 8388/udp
|
|
||||||
environment:
|
|
||||||
- METHOD=chacha20-ietf-poly1305
|
|
||||||
- PASSWORD=96166477-95b6-41a1-92c5-e33bce9694b0
|
|
||||||
restart: always
|
|
||||||
networks:
|
|
||||||
- backend
|
|
||||||
openresty:
|
|
||||||
image: openresty/openresty:latest
|
|
||||||
ports:
|
|
||||||
- "80:80"
|
|
||||||
- "443:443"
|
|
||||||
- "7777:7777"
|
|
||||||
- "7777:7777/udp"
|
|
||||||
volumes:
|
|
||||||
- ./nginx.conf:/etc/openresty/nginx.conf
|
|
||||||
- ./allow.list:/etc/openresty/allow.list
|
|
||||||
- ./auth:/etc/openresty/auth
|
|
||||||
restart: always
|
|
||||||
networks:
|
|
||||||
- backend
|
|
||||||
depends_on:
|
|
||||||
- shadowsocks
|
|
||||||
networks:
|
|
||||||
backend:
|
|
|
@ -1,5 +1,4 @@
|
||||||
user root;
|
user root;
|
||||||
# This number should be, at maximum, the number of CPU cores on your system.
|
|
||||||
worker_processes auto;
|
worker_processes auto;
|
||||||
worker_rlimit_nofile 655350;
|
worker_rlimit_nofile 655350;
|
||||||
|
|
||||||
|
@ -8,8 +7,6 @@ pcre_jit on;
|
||||||
error_log logs/error.log;
|
error_log logs/error.log;
|
||||||
pid logs/nginx.pid;
|
pid logs/nginx.pid;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
events {
|
events {
|
||||||
use epoll;
|
use epoll;
|
||||||
worker_connections 60000;
|
worker_connections 60000;
|
||||||
|
@ -36,9 +33,9 @@ stream {
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen [::]:7777;
|
listen 18388;
|
||||||
listen [::]:7777 udp;
|
listen 18388 udp;
|
||||||
include allow.list;
|
include /etc/openresty/allow.list;
|
||||||
deny all;
|
deny all;
|
||||||
proxy_pass ss;
|
proxy_pass ss;
|
||||||
}
|
}
|
||||||
|
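Review bot: `include /etc/openresty/allow.list;` in the stream server is evaluated when nginx loads its configuration, so an address the admin endpoint appends to the file is not honoured until a reload; the hunk does not show whether the Lua handler triggers one, so either confirm it does or record the constraint above the directive, e.g. `# allow.list is read at config load; the /admin handler must reload nginx after appending`. Replacing `listen [::]:7777;` with `listen 18388;` also drops the IPv6 wildcard, so the proxied port is reachable over IPv4 only unless that is intended. The enclosing `stream {}` block starts before this hunk.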
@ -59,7 +56,6 @@ http {
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
|
|
||||||
client_body_buffer_size 128k;
|
client_body_buffer_size 128k;
|
||||||
client_max_body_size 10m;
|
client_max_body_size 10m;
|
||||||
proxy_read_timeout 180s;
|
proxy_read_timeout 180s;
|
||||||
|
@ -74,17 +70,23 @@ http {
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
|
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
|
||||||
error_page 404 /404.html;
|
error_page 404 /404.html;
|
||||||
error_page 500 502 503 504 /50x.html;
|
error_page 500 502 503 504 /50x.html;
|
||||||
|
|
||||||
server{
|
server{
|
||||||
listen [::]:80;
|
listen 80;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
default_type 'application/json';
|
||||||
|
return 200 '{"status":"success","code":200,"server":"openresty"}';
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /admin {
|
||||||
auth_basic "";
|
auth_basic "";
|
||||||
auth_basic_user_file /etc/openresty/auth;
|
auth_basic_user_file /etc/openresty/.htpasswd;
|
||||||
add_header Content-Type text/plain;
|
add_header Content-Type text/plain;
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
set_real_ip_from 0.0.0.0/8;
|
set_real_ip_from 0.0.0.0/8;
|
||||||
|
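Review bot: The new `location /admin` keeps the pre-existing `real_ip_header proxy_protocol;` / `set_real_ip_from 0.0.0.0/8;` pair, but the changed `listen 80;` carries no `proxy_protocol` parameter, so nginx never reads a PROXY header and `$remote_addr` stays the TCP peer address; `0.0.0.0/8` also covers only 0.0.0.0–0.255.255.255, not every source. Since this endpoint whitelists whatever address nginx sees, the origin of that address should be explicit: either remove the two real_ip lines or, if a PROXY-protocol front end is intended, use `listen 80 proxy_protocol;` and restrict `set_real_ip_from` to that proxy's address. `auth_basic "";` sends an empty realm in the 401 challenge; `auth_basic "whitelist admin";` is clearer in browser prompts. The `/admin` block continues past this hunk.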
@ -112,7 +114,7 @@ http {
|
||||||
}
|
}
|
||||||
location /purge {
|
location /purge {
|
||||||
auth_basic "";
|
auth_basic "";
|
||||||
auth_basic_user_file /etc/openresty/auth;
|
auth_basic_user_file /etc/openresty/.htpasswd;
|
||||||
add_header Content-Type text/plain;
|
add_header Content-Type text/plain;
|
||||||
content_by_lua_block {
|
content_by_lua_block {
|
||||||
ngx.header.content_type = "text/plain;charset=UTF-8";
|
ngx.header.content_type = "text/plain;charset=UTF-8";
|