Acris / docker-shadowsocks-libev

Build a docker image for shadowsocks-libev with v2ray-plugin, based on Alpine Linux.
https://hub.docker.com/r/acrisliu/shadowsocks-libev/
MIT License
303 stars 95 forks

How to avoid the ss port being blocked? Occurred twice in 1 month. How to make a modified port in the docker-compose file take effect? #27

Closed lobstergy closed 3 years ago

lobstergy commented 3 years ago

Hi Acris, two questions please, thanks.

1. How can I avoid the server-side ss port being blocked? It has already happened twice, on 6/7 and today 6/28. Both times the symptom was a sudden loss of connectivity. `docker top shadowsocks-libev` showed the container running normally; `docker logs shadowsocks-libev -f --tail 100` showed no ongoing handshake output. After restarting the container, the logs only went as far as "V2Ray 4.38.3 started" and then nothing more. After changing the port/DNS, restarting the container and changing the port on the client accordingly, everything worked again. Can I conclude from this that the port was blocked (detection/interference?)? If so, how can I avoid it in the future?

```bash
-e SERVER_PORT=newport \
-e "DNS_ADDRS=aa.aa.aa.aa,bb.bb.bb.bb" \
-p newport:newport/tcp \
-p newport:newport/udp \
```

2. After changing the port/DNS in docker-compose, the new DNS is used but the port is still 8388. How do I make the new port take effect? Here is the file, please have a look:

```yaml
version: "3.7"
services:
  shadowsocks-libev:
    container_name: shadowsocks-libev
    image: acrisliu/shadowsocks-libev:latest
    user: root
    ports:
      - "newport:newport/tcp"
      - "newport:newport/udp"
    volumes:
      - /home/myusername/.acme.sh:/home/myusername/.acme.sh:ro
    environment:
      - METHOD=aes-256-gcm
      - DNS_ADDRS=aa.aa.aa.aa,bb.bb.bb.bb
      - PASSWORD=mypassword
      - ARGS=--plugin v2ray-plugin --plugin-opts server;tls;host=mydomain;path=/mypath;cert=/home/myusername/.acme.sh/mydomain/fullchain.cer;key=/home/myusername/.acme.sh/mydomain/mydomain.key -u
    restart: always
```
Acris commented 3 years ago

1. If you have TLS enabled, I recommend using a common port such as 443. If that port conflicts with a website on the server, you can try putting it behind a web server acting as a reverse proxy.
2. The port inside the container stays 8388 and does not need to be changed. Example:

    ```yaml
    ...
    ports:
      - "newport:8388/tcp"
      - "newport:8388/udp"
    ...
    ```

    Or set the container-side SERVER_PORT with an environment variable in docker-compose.yaml, keeping it consistent with the `ports` entries in the yaml:

    ```yaml
    ...
    ports:
      - "newport:newport/tcp"
      - "newport:newport/udp"
    volumes:
      - /home/myusername/.acme.sh:/home/myusername/.acme.sh:ro
    environment:
      # Set the SERVER_PORT environment variable
      - SERVER_PORT=newport
      - METHOD=aes-256-gcm
      - DNS_ADDRS=aa.aa.aa.aa,bb.bb.bb.bb
      - PASSWORD=mypassword
      - ARGS=--plugin v2ray-plugin --plugin-opts server;tls;host=mydomain;path=/mypath;cert=/home/myusername/.acme.sh/mydomain/fullchain.cer;key=/home/myusername/.acme.sh/mydomain/mydomain.key -u
    restart: always
    ```

I recommend just using the first method.
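As an added example that is not part of this thread or of the acrisliu/shadowsocks-libev image, the check below captures the rule in Acris's answer in code: the container-side port of every `ports` entry must equal the port ss-server actually listens on, which is `SERVER_PORT`, or 8388 when the variable is unset. It takes the `ports` and `environment` lists as they appear in a compose service and reports what is inconsistent, so the `newport:newport` mapping from the question is flagged together with the two fixes Acris gave. The function names, the constructed sample lists and the two heuristics (whitespace in `DNS_ADDRS`, a `-u` in `ARGS` without a udp mapping) are my additions, not project behaviour.

```python
"""Consistency check for compose `ports` vs the shadowsocks SERVER_PORT.

Added example; not part of the acrisliu/shadowsocks-libev project.
Assumes the image behaviour described in the thread: ss-server listens
on SERVER_PORT inside the container, 8388 when the variable is not set.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_SERVER_PORT = 8388  # the image's default listening port

# short compose syntax: [host-ip:]host-port[:container-port][/proto]
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?P<host>\d+)"
    r"(?::(?P<container>\d+))?"
    r"(?:/(?P<proto>tcp|udp))?$"
)


def parse_port_spec(spec: str) -> Tuple[int, int, str]:
    """Parse one port string into (host_port, container_port, proto).

    A lone port ("8388") publishes the same number on both sides.
    Surrounding whitespace is an error rather than silently stripped:
    a quoted " newport:newport/udp" (leading space) is a typo that
    should be surfaced, not hidden.
    """
    if spec != spec.strip():
        raise ValueError(f"port spec has surrounding whitespace: {spec!r}")
    m = _PORT_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    host = int(m.group("host"))
    container = int(m.group("container") or host)
    return host, container, m.group("proto") or "tcp"


def parse_environment(env: List[str]) -> Dict[str, str]:
    """Turn compose's KEY=VALUE list form into a dict (first '=' splits)."""
    out: Dict[str, str] = {}
    for item in env:
        key, _, value = item.partition("=")
        out[key.strip()] = value
    return out


def check_service(ports: List[str], environment: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means consistent."""
    problems: List[str] = []
    env = parse_environment(environment)
    server_port = int(env.get("SERVER_PORT", DEFAULT_SERVER_PORT))
    protos = set()
    for spec in ports:
        try:
            host, container, proto = parse_port_spec(spec)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        protos.add(proto)
        if container != server_port:
            problems.append(
                f"{spec!r}: container port {container} but ss-server listens on "
                f"{server_port}; use '{host}:{server_port}/{proto}' or set "
                f"SERVER_PORT={container}"
            )
    # heuristic: ss-server's -u enables UDP relay, so a udp mapping is expected
    if "-u" in env.get("ARGS", "").split() and "udp" not in protos:
        problems.append("ARGS enables UDP relay (-u) but no udp port is published")
    # heuristic: the entrypoint expands DNS_ADDRS on a shell command line,
    # so embedded spaces are risky; keep it a comma list without spaces
    if " " in env.get("DNS_ADDRS", ""):
        problems.append("DNS_ADDRS contains whitespace; write it as a,b with no spaces")
    return problems


if __name__ == "__main__":
    # constructed sample: the question's compose file with newport = 443
    sample_ports = ["443:443/tcp", " 443:443/udp"]
    sample_env = ["METHOD=aes-256-gcm", "DNS_ADDRS=aa.aa.aa.aa, bb.bb.bb.bb",
                  "PASSWORD=mypassword", "ARGS=--plugin v2ray-plugin -u"]
    for line in check_service(sample_ports, sample_env) or ["consistent"]:
        print("-", line)
```

Run as-is it lists the four problems in the constructed sample; feed it the `ports` and `environment` lists of your own service (for example after `docker compose config`, which prints the resolved file) to confirm that either the mapping is `host:8388` or `SERVER_PORT` matches the container side.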

lobstergy commented 3 years ago

Thanks for the quick answer. 1. TLS is enabled; I've changed to 443 and will observe for a while and then report back (I don't yet know how to configure a web server reverse proxy in Docker; I hope you can give a reference config when convenient. I've seen teddysun's config and will try it later).

2. docker-compose.yml: following your advice I added the variable and the change to port 443 succeeded (previously I could only change it with docker run).

Acris commented 3 years ago

When a web server such as Caddy/Nginx is used as a reverse proxy, v2ray-plugin does not need TLS mode enabled and no certificate needs to be mounted; the web server takes over the TLS traffic, and the traffic between the web server and v2ray-plugin goes in clear text.

Caddy can generate certificates automatically. Here is a Caddy 2 config file for reference:

```caddyfile
yourname.com {
    # These generic settings can be skipped
    # Enable gzip
    encode zstd gzip

    # Add some security headers to all pages
    header {
        # Enable cross-site filter (XSS) and tell the browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "SAMEORIGIN"
    }

    # Used to obtain the certificate via the DNS challenge
    # Enabling the DNS Challenge
    tls {
        dns cloudflare YOUR_CLOUDFLARE_API_TOKEN
    }

    # Add HSTS header
    header Strict-Transport-Security max-age=31536000;

    file_server
    root * /usr/share/caddy/default

    # Reverse proxy section
    # v2ray-plugin
    reverse_proxy /YOUR_PATH shadowsocks-libev:8388 {
        header_up -Origin
    }
}
```
lobstergy commented 3 years ago

Wow, many thanks! I really want to try it. Sorry for all the trouble, but I'm a complete beginner.... lots of questions

My understanding of the process is: install caddy2 on my google cloud vm debian instance -> run caddy2 with the config you gave (no need to request a certificate with acme.sh and install it into caddy?) -> enable the CDN in cloudflare dns -> configure docker-compose.yml (I don't know what to change; server_addr unchanged? only change server:mydomain.com on the client? what about the path parameter?)

In my humble opinion, it would be best to give a reference docker-compose.yml; this is beyond me orz


Also, your description of the code is simple and nice (no TLS mode, no certificate mounted, the web server takes over the TLS traffic and then the web server to v2ray-plugin goes in clear text. # does this achieve the effect of TLS without a certificate? Is the security the same?); compared with teddysun's usual approach, there are things I don't understand:

```caddyfile
yourname.com {
    # These generic settings can be skipped
    # Enable gzip
    encode zstd gzip

    # Add some security headers to all pages
    header {
        # Enable cross-site filter (XSS) and tell the browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "SAMEORIGIN"   # **Fill this in as-is, or does it refer to something specific?**
    }

    # Used to obtain the certificate via the DNS challenge
    # Enabling the DNS Challenge
    tls {
        dns cloudflare YOUR_CLOUDFLARE_API_TOKEN # **Adding the cloudflare_api_token here generates the certificate automatically, right? What is the certificate used for?**
    }

    # Add HSTS header
    header Strict-Transport-Security max-age=31536000;

    file_server
    root * /usr/share/caddy/default

    # Reverse proxy section
    # v2ray-plugin
    reverse_proxy /YOUR_PATH shadowsocks-libev:8388 {    # **Does 8388 need to be changed to the 443 port from before?**
        header_up -Origin
    }
}
```

teddysun's Caddy file (it seems traffic shows up as going to baidu.com, server & port are mydomain/443, the websocket points to 127.0.0.1:9000? and a certificate has to be generated with its directory specified):

```caddyfile
mydomain.me:443 {
  gzip
  tls /root/caddy/caddy.crt /root/caddy/caddy.key
  log /root/caddy/caddy.log
  proxy / https://www.baidu.com
  proxy /ray 127.0.0.1:9000 {
    websocket
    header_upstream -Origin
  }
}
```
Acris commented 3 years ago

Here is a complete docker-compose.yaml example:

```yaml
version: "3.7"
services:
  shadowsocks-libev:
    container_name: shadowsocks-libev
    image: acrisliu/shadowsocks-libev
    # no ports published: only caddy reaches it, over the compose network
    environment:
      - PASSWORD=YOUR_PASSWORD
      - ARGS=--plugin v2ray-plugin --plugin-opts server;host=YOUR_DOMAIN.com;path=/YOUR_PATH -u
    restart: always

  caddy:
    container_name: caddy
    image: caddy
    ports:
      - "80:80/tcp"
      - "80:80/udp"
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      - ./caddy/config/Caddyfile:/etc/caddy/Caddyfile:ro
      # tip: also mount ./caddy/data:/data so issued certificates survive container recreation
    restart: always
```

Here is the Caddyfile:

```caddyfile
# Global
{
    email YOUR_EMAIL
}

YOUR_DOMAIN.com {
    encode zstd gzip
    file_server

    # Caddy 2 path matchers are exact unless they end in *, so this covers "/" only
    reverse_proxy / https://www.baidu.com

    reverse_proxy /YOUR_PATH shadowsocks-libev:8388 {
        header_up -Origin
    }
}
```
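Acris's two replies above describe the layout: Caddy terminates TLS on 443 and obtains the certificate itself, the shadowsocks-libev container publishes no ports, and only the request path `/YOUR_PATH` is forwarded in clear text over the compose network to v2ray-plugin as a WebSocket, while every other request gets the decoy site. The probe below is an added example (my code, not from the thread or the project) for checking that deployment from outside: it opens a verified TLS connection to the domain, fetches `/` as an ordinary client would, then sends a WebSocket upgrade to the path and expects `101 Switching Protocols`; a `502` from Caddy points at the backend container or the `8388` port, anything else at the path or the `reverse_proxy` matcher. `YOUR_DOMAIN.com` and `/YOUR_PATH` are the thread's placeholders; the function names and the classification rules are mine.

```python
"""External smoke test for the Caddy -> v2ray-plugin layout in this thread.

Added example, not from the thread or the project. Assumes Caddy listens
on 443 with a publicly trusted certificate, serves the decoy site on "/",
and forwards WebSocket upgrades on the chosen path to shadowsocks-libev:8388.
Placeholders YOUR_DOMAIN.com and /YOUR_PATH come from the thread.
Usage: python3 probe.py YOUR_DOMAIN.com /YOUR_PATH
"""
import base64
import os
import socket
import ssl
import sys
from typing import Dict, Tuple


def build_request(host: str, path: str, websocket: bool) -> bytes:
    """Minimal HTTP/1.1 GET; with websocket=True it carries the RFC 6455
    upgrade headers that v2ray-plugin expects on its path."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "User-Agent: caddy-probe/0"]
    if websocket:
        key = base64.b64encode(os.urandom(16)).decode()
        lines += ["Connection: Upgrade", "Upgrade: websocket",
                  "Sec-WebSocket-Version: 13", f"Sec-WebSocket-Key: {key}"]
    else:
        lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers with lower-cased names) from a response head."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(status: int, headers: Dict[str, str], websocket: bool) -> str:
    """Map one probe result to what the operator should look at next."""
    if websocket:
        if status == 101 and headers.get("upgrade", "").lower() == "websocket":
            return "ok: path is forwarded to the WebSocket backend"
        if status == 502:
            return "backend unreachable: check the shadowsocks-libev container and port 8388"
        return f"unexpected {status}: check the path and the reverse_proxy matcher"
    if 200 <= status < 400:
        return "ok: decoy site answers"
    return f"decoy returned {status}"


def probe(host: str, path: str, websocket: bool, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS connection, send one request, classify the reply."""
    ctx = ssl.create_default_context()  # verifies Caddy's certificate chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_request(host, path, websocket))
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 65536:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    status, headers = parse_response_head(raw)
    return classify(status, headers, websocket)


if __name__ == "__main__":
    domain, ws_path = sys.argv[1], sys.argv[2]
    print("/ ->", probe(domain, "/", websocket=False))
    print(ws_path, "->", probe(domain, ws_path, websocket=True))
```

Run it from a machine outside the server. Because `ssl.create_default_context()` validates the chain against the system trust store, the first probe also confirms that Caddy's automatic certificate issuance worked; a handshake failure there is the first thing to fix before looking at the plugin, and the `101` on the second probe is what the ss client needs to see for the v2ray-plugin transport to come up.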