Closed lobstergy closed 3 years ago
...
    ports:
      - "newport:8388/tcp"
      - "newport:8388/udp"
...
Or set the container's SERVER_PORT with an environment variable in docker-compose.yaml, keeping it consistent with the yaml ports entries:
...
    ports:
      - "newport:newport/tcp"
      - "newport:newport/udp"
    volumes:
      - /home/myusername/.acme.sh:/home/myusername/.acme.sh:ro
    environment:
      # Set SERVER_PORT environment variable
      - SERVER_PORT=newport
      - METHOD=aes-256-gcm
      - DNS_ADDRS=aa.aa.aa.aa, bb.bb.bb.bb
      - PASSWORD=mypassword
      - ARGS=--plugin v2ray-plugin --plugin-opts server;tls;host=mydomain;path=/mypath;cert=/home/myusername/.acme.sh/mydomain/fullchain.cer;key=/home/myusername/.acme.sh/mydomain/mydomain.key -u
    restart: always
The first method is recommended.
Thanks for such a prompt answer. 1. TLS is enabled; I changed it to 443 and will watch it for a while before reporting back (I don't yet know how to configure a reverse proxy with the Docker version of the web server). Hoping you can post a reference configuration when convenient; I have looked at teddysun's configuration and will try it later.
2. docker-compose.yml: adding the variable as you pointed out, the change to port 443 succeeded (previously I could only change it with docker run).
When a web server such as Caddy/Nginx is used as a reverse proxy, v2ray-plugin does not need TLS mode or a mounted certificate: the web server takes over the TLS traffic, and the hop from the web server to v2ray-plugin goes in clear text.
Caddy can generate certificates automatically. Here is a Caddy 2 configuration for reference:
yourname.com {
    # These general settings need no close reading
    # Enable gzip
    encode zstd gzip
    # Add some security headers to all pages
    header {
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "SAMEORIGIN"
    }
    # Used to obtain certificates via the DNS challenge
    # Enabling the DNS Challenge
    tls {
        dns cloudflare YOUR_CLOUDFLARE_API_TOKEN
    }
    # Add HSTS header
    header Strict-Transport-Security max-age=31536000;
    file_server
    root * /usr/share/caddy/default
    # Reverse proxy section
    # v2ray-plugin
    reverse_proxy /YOUR_PATH shadowsocks-libev:8388 {
        header_up -Origin
    }
}
Wow, many thanks! I really want to try it; sorry for all the trouble, but I'm a newbie... a pile of questions.
My attempt at understanding the flow is: install Caddy 2 on my Google Cloud VM Debian instance -> run Caddy 2 with the configuration you gave (no need for acme.sh to request a certificate, install it into Caddy?) -> enable the CDN in Cloudflare DNS -> configure docker-compose.yml (not sure what to change; does server_addr stay the same? only change server: mydomain.com on the client? what about the path parameter?)
I would humbly suggest posting a reference docker-compose.yml; this is beyond my understanding orz
Also, your description of the code is simple and nice ("no TLS mode, no mounted certificate; the web server takes over the TLS traffic, then the web server to v2ray-plugin hop goes in clear text." # does this achieve the effect of TLS without a certificate? is the security the same?); compared with teddysun's usual approach, there are things I don't understand.
yourname.com {
    # These general settings need no close reading
    # Enable gzip
    encode zstd gzip
    # Add some security headers to all pages
    header {
        # Enable cross-site filter (XSS) and tell the browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "SAMEORIGIN" # **Fill this in as-is, or is something specific meant?**
    }
    # Used to obtain certificates via the DNS challenge
    # Enabling the DNS Challenge
    tls {
        dns cloudflare YOUR_CLOUDFLARE_API_TOKEN # **Adding the cloudflare_api_token here generates the certificate automatically, right? What is the certificate used for?**
    }
    # Add HSTS header
    header Strict-Transport-Security max-age=31536000;
    file_server
    root * /usr/share/caddy/default
    # Reverse proxy section
    # v2ray-plugin
    reverse_proxy /YOUR_PATH shadowsocks-libev:8388 { # **Does 8388 need to be changed to the 443 port I changed to earlier?**
        header_up -Origin
    }
}
teddysun's Caddy file (it seems traffic is shown going to baidu.com, server & port are mydomain/443, websocket points to 127.0.0.1:9000? and a certificate needs to be generated, with its directory specified)
mydomain.me:443 {
    gzip
    tls /root/caddy/caddy.crt /root/caddy/caddy.key
    log /root/caddy/caddy.log
    proxy / https://www.baidu.com
    proxy /ray 127.0.0.1:9000 {
        websocket
        header_upstream -Origin
    }
}
Attached is a complete docker-compose.yaml example:
version: "3.7"
services:
  shadowsocks-libev:
    container_name: shadowsocks-libev
    image: acrisliu/shadowsocks-libev
    environment:
      - PASSWORD=YOUR_PASSWORD
      - ARGS=--plugin v2ray-plugin --plugin-opts server;host=YOUR_DOMAIN.com;path=/YOUR_PATH -u
    restart: always
  caddy:
    container_name: caddy
    image: caddy
    ports:
      - "80:80/tcp"
      - "80:80/udp"
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      - ./caddy/config/Caddyfile:/etc/caddy/Caddyfile:ro
    restart: always
Attached is the Caddyfile configuration:
# Global
{
    email YOUR_EMAIL
}
YOUR_DOMAIN.com {
    encode zstd gzip
    file_server
    reverse_proxy / https://www.baidu.com
    reverse_proxy /YOUR_PATH shadowsocks-libev:8388 {
        header_up -Origin
    }
}
Hi Acris, two questions, thanks.
1. How do I avoid the server-side ss port being blocked? It has already happened twice, on 6/7 and today 6/28; the symptom both times was a sudden loss of connection. `docker top shadowsocks-libev` showed it running normally; then `docker logs shadowsocks-libev -f --tail 100` showed no continuing handshake output. After restarting docker, the logs only went as far as "V2Ray 4.38.3 started" and then nothing more. After changing the port/DNS, restarting docker and changing the port in the client accordingly, everything worked again. Can I conclude from this that the port was blocked (detection/interference?)? If so, how can it be avoided in future?
2. After changing the port/DNS in docker-compose, the changed DNS took effect, but the port is still 8388. How do I make the new port take effect? Posting the file, please take a look.
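A check for the mismatch behind the first answer (host port versus container port versus SERVER_PORT) and the last question (new port not taking effect), as an added Python example that is not part of this thread or of the project. It assumes only the image's default listen port of 8388 mentioned above; the compose snippets it reads are constructed.

```python
import re

DEFAULT_SERVER_PORT = 8388  # listen port of the shadowsocks-libev image unless SERVER_PORT is set
PORT_RE = re.compile(r"^(\d+):(\d+)(?:/(tcp|udp))?$")  # short syntax HOST:CONTAINER[/PROTO]


def extract_service(compose_text, service):
    """Read one service's ports/environment lists; minimal indentation reader, no PyYAML."""
    ports, env, in_service, service_indent, section = [], {}, False, 0, None
    for raw in compose_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        indent = len(raw) - len(raw.lstrip())
        if not in_service:
            in_service, service_indent = (line == service + ":"), indent
            continue
        if indent <= service_indent:
            break  # dedented out of the service block
        if line.startswith("- "):
            item = line[2:].strip().strip('"').strip()  # tolerate quotes and stray spaces
            m = PORT_RE.match(item) if section == "ports" else None
            if m:
                ports.append((int(m.group(1)), int(m.group(2)), m.group(3) or "tcp"))
            elif section == "environment" and "=" in item:
                env.update([item.split("=", 1)])
        elif line.endswith(":"):
            section = line[:-1]
    return ports, env


def check_port_consistency(compose_text, service="shadowsocks-libev"):
    """Return (listen_port, problems) for mappings whose container side misses the listener."""
    ports, env = extract_service(compose_text, service)
    listen = int(env.get("SERVER_PORT", DEFAULT_SERVER_PORT))
    problems = [f"{h}:{c}/{p}: container port {c} is not the listen port {listen}"
                for h, c, p in ports if c != listen]
    return listen, problems


# Constructed sample of the mistake in the last question: host side moved to 443, container still on 8388.
BROKEN = """\
services:
  shadowsocks-libev:
    ports:
      - "443:443/tcp"
    environment:
      - PASSWORD=YOUR_PASSWORD
"""
FIXED_MAP = BROKEN.replace("443:443", "443:8388")  # method 1: keep the container side at 8388
FIXED_ENV = BROKEN + "      - SERVER_PORT=443\n"    # method 2: move the listener with SERVER_PORT
```

Running `check_port_consistency` on a real compose file flags every mapping whose container port differs from what the server binds, which is exactly the "DNS changed but port still 8388" situation.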