From 5de264f09d33a9acfdcb4d979e2424407668a7b0 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Fri, 4 Oct 2024 21:57:13 +1000
Subject: [PATCH 1/9] Ignore Action flow updates
---
.github/workflows/docker-buildx-dev.yml | 1 +
.github/workflows/docker-buildx-latest.yml | 1 +
2 files changed, 2 insertions(+)
diff --git a/.github/workflows/docker-buildx-dev.yml b/.github/workflows/docker-buildx-dev.yml
index 2e4d9af..9751df1 100644
--- a/.github/workflows/docker-buildx-dev.yml
+++ b/.github/workflows/docker-buildx-dev.yml
@@ -7,6 +7,7 @@ on:
 - dev
 paths-ignore:
 - '**/*.md'
+ - '.github/**'
 jobs:
 multi-arch-dev:
diff --git a/.github/workflows/docker-buildx-latest.yml b/.github/workflows/docker-buildx-latest.yml
index fad3cd3..06ac0af 100644
--- a/.github/workflows/docker-buildx-latest.yml
+++ b/.github/workflows/docker-buildx-latest.yml
@@ -7,6 +7,7 @@ on:
 - master
 paths-ignore:
 - '**/*.md'
+ - '.github/**'
 jobs:
 multi-arch-latest:
From 5d6f0a07d921839b87180265b483eb4c4d1bbaf4 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Fri, 4 Oct 2024 22:48:43 +1000
Subject: [PATCH 2/9] Updated Iran proxy rules example
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 9449249..8b127df 100644
--- a/README.md
+++ b/README.md
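Review bot: With `.github/**` in `paths-ignore`, a push that touches only workflow files no longer runs these builds, so a pipeline edit — a bumped action ref, a changed secret name, the SHA pins added later in this series — is first exercised by whatever unrelated code push comes next, which on `master` is a release build. If that is the intent (the subject suggests keeping action-bump commits from pushing images), consider a `workflow_dispatch:` trigger so a workflow change can be validated by hand before the next real build; the top of the `on:` block is above the hunk, so it may already be there. Path filters apply only to `push`/`pull_request` events and do not affect a manual run.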
@@ -159,17 +159,17 @@ $ docker run --name proxy-xray --rm -it -p 1080:1080 samuelhbne/proxy-xray \
 ### 4. Connect to TCP-Trojan-TLS server
-The following instruction connect to Xray server port 443 in TCP-Trojan-TLS mode with given password; Update geosite and geoip rule dat files; All sites and IPs located in Iran will be connected directly.
+The following instruction connect to Xray server port 443 in TCP-Trojan-TLS mode with given password; Update geosite and geoip rule dat files; All sites and IPs located in Iran will be connected directly. All Iran-related domains that are blocked inside of iran will be proxied.
 ```shell
 $ mkdir -p /tmp/rules
 $ cd /tmp/rules
 $ wget -c -t3 -T30 https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
 $ wget -c -t3 -T30 https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
-$ wget -c -t3 -T30 https://github.com/SamadiPour/iran-hosted-domains/releases/download/202108210015/iran.dat
+$ wget -c -t3 -T30 https://github.com/SamadiPour/iran-hosted-domains/releases/download/202409300035/iran.dat
 $ docker run --name proxy-xray --rm -it -p 1080:1080 -v /tmp/rules:/opt/rules samuelhbne/proxy-xray \
 --ttt trojan_pass@mydomain.duckdns.org:8443 \
---rules-path /opt/rules --domain-direct ext:iran.dat:ir --ip-direct geoip:ir
+--rules-path /opt/rules --domain-direct ext:iran.dat:ir --ip-direct geoip:ir --domain-proxy ext:iran.dat:proxy
 ```
 ### 5. Start proxy-xray container in debug mode for for connection issue diagnosis
From 33d01a894653452857561e28b68b147666f34005 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Fri, 4 Oct 2024 22:53:45 +1000
Subject: [PATCH 3/9] Trivy compliant
---
.github/workflows/trivy-scan.yml | 32 +++++++++++++
Dockerfile | 77 ++++++++++++++++----------------
2 files changed, 71 insertions(+), 38 deletions(-)
create mode 100644 .github/workflows/trivy-scan.yml
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
new file mode 100644
index 0000000..c1aa9ec
--- /dev/null
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,32 @@
+name: Trivy-scanning
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - master
+ - dev
+
+jobs:
+ Trivy-Scan:
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.ref }}
+ -
+ name: Run Trivy fs vulnerability scanner in fs mode
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ #severity: 'CRITICAL'
+ -
+ name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/Dockerfile b/Dockerfile
index 6e6ac24..b282f31 100644
--- a/Dockerfile
+++ b/Dockerfile
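Review bot: The `upload-sarif` step needs `security-events: write` on the job's `GITHUB_TOKEN`, and no `permissions:` block is declared anywhere in the new file, so the job runs with the repository's default token scope — broader than it needs if the default is permissive, or failing at upload with a 403 if the default is read-only. Declare it explicitly under `Trivy-Scan:`: `permissions:` / `contents: read` / `security-events: write`. A second gap: `scan-type: 'fs'` with no `scanners:` input scans the checkout for dependency-manifest vulnerabilities and secrets; unless `scanners:` is set to include `misconfig`, the Dockerfile itself is not checked, and the built image's Alpine packages and Go modules are not covered by this job at all. There is also no `exit-code`, so findings surface only in the Security tab and never block a push to `master`/`dev` — defensible for a SARIF job, but it should be a deliberate choice rather than a default.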
@@ -10,39 +10,40 @@ RUN git clone https://github.com/XTLS/Xray-core.git . && \
 git checkout ${XRAY_VER} && \
 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
-RUN cd /tmp; \
- curl -sSLO https://fukuchi.org/works/qrencode/qrencode-${QREC_VER}.tar.gz && \
- tar xvf qrencode-${QREC_VER}.tar.gz && \
- cd qrencode-${QREC_VER} && \
- ./configure --without-png && \
- make install
+RUN curl -sSLO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
+RUN curl -sSLO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
-RUN cd /usr/local; tar zcvf /tmp/qrencode.tar.gz bin lib share
+RUN curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/apple.china.conf
+RUN curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/google.china.conf
+RUN curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/bogus-nxdomain.china.conf
+RUN curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf
-RUN cd /tmp; curl -sSLO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
-RUN cd /tmp; curl -sSLO https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
+WORKDIR /tmp
+RUN curl -sSLO https://fukuchi.org/works/qrencode/qrencode-${QREC_VER}.tar.gz && \
+ tar xvf qrencode-${QREC_VER}.tar.gz
+WORKDIR /tmp/qrencode-${QREC_VER}
+RUN ./configure --without-png && make install
-RUN cd /tmp; curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/apple.china.conf
-RUN cd /tmp; curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/google.china.conf
-RUN cd /tmp; curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/bogus-nxdomain.china.conf
-RUN cd /tmp; curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf
+WORKDIR /usr/local
+RUN tar zcvf /tmp/qrencode.tar.gz bin lib share
 FROM alpine:3.20
-COPY --from=builder /go/src/XTLS/Xray-core/xray /usr/local/bin/
-COPY --from=builder /tmp/geosite.dat /usr/local/bin/
-COPY --from=builder /tmp/geoip.dat /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/xray /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/geosite.dat /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/geoip.dat /usr/local/bin/
 RUN mkdir -p /etc/dnsmasq.disable
-COPY --from=builder /tmp/apple.china.conf /etc/dnsmasq.disable/
-COPY --from=builder /tmp/google.china.conf /etc/dnsmasq.disable/
-COPY --from=builder /tmp/bogus-nxdomain.china.conf /etc/dnsmasq.disable/
-COPY --from=builder /tmp/accelerated-domains.china.conf /etc/dnsmasq.disable/
+COPY --from=builder /go/src/XTLS/Xray-core/apple.china.conf /etc/dnsmasq.disable/
+COPY --from=builder /go/src/XTLS/Xray-core/google.china.conf /etc/dnsmasq.disable/
+COPY --from=builder /go/src/XTLS/Xray-core/bogus-nxdomain.china.conf /etc/dnsmasq.disable/
+COPY --from=builder /go/src/XTLS/Xray-core/accelerated-domains.china.conf /etc/dnsmasq.disable/
 COPY --from=builder /tmp/qrencode.tar.gz /tmp/
-RUN cd /usr/local && tar xvf /tmp/qrencode.tar.gz
+WORKDIR /usr/local
+RUN tar xvf /tmp/qrencode.tar.gz
 RUN rm /tmp/qrencode.tar.gz
 RUN apk --no-cache add bash openssl curl jq moreutils \
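Review bot: None of the `curl -sSLO` fetches in this hunk passes `-f`, so an HTTP 404 or 5xx from GitHub or fukuchi.org is saved under the artifact's name as an HTML body and the build carries on with it — for the `.dat` and `.china.conf` files nothing fails until the container tries to load them; `curl -fsSLO --retry 3 <url>` makes the RUN step fail at the download instead. The larger concern is provenance: the geosite/geoip data that decides which traffic bypasses the proxy is pulled from `releases/latest` and raw `master` of third-party repositories, and the qrencode tarball is compiled and installed from an unverified download, with no checksum or signature on any of them, so the image is neither reproducible nor protected against a substituted artifact. Pin the v2ray-rules-dat release tag and a dnsmasq-china-list commit instead of `latest`/`master`, and verify the tarball before unpacking, e.g. `RUN curl -fsSLO --retry 3 https://fukuchi.org/works/qrencode/qrencode-${QREC_VER}.tar.gz && \` / `    echo "${QREC_SHA256}  qrencode-${QREC_VER}.tar.gz" | sha256sum -c - && \` / `    tar xvf qrencode-${QREC_VER}.tar.gz`, with a new `ARG QREC_SHA256` declared alongside `QREC_VER`. The downloads now land in the Xray-core checkout directory (hence the `COPY --from=builder /go/src/XTLS/Xray-core/*.dat` lines); a dedicated `WORKDIR /tmp/rules` would keep fetched data out of the cloned source tree.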
@@ -50,29 +51,29 @@ RUN apk --no-cache add bash openssl curl jq moreutils \
 RUN sed -i "s/^socks4.*/socks5\t127.0.0.1 1080/g" /etc/proxychains/proxychains.conf
-ADD proxy-lgp.sh /proxy-lgp.sh
-ADD proxy-lgr.sh /proxy-lgr.sh
-ADD proxy-lgt.sh /proxy-lgt.sh
+COPY proxy-lgp.sh /proxy-lgp.sh
+COPY proxy-lgr.sh /proxy-lgr.sh
+COPY proxy-lgt.sh /proxy-lgt.sh
-ADD proxy-lsp.sh /proxy-lsp.sh
-ADD proxy-lst.sh /proxy-lst.sh
+COPY proxy-lsp.sh /proxy-lsp.sh
+COPY proxy-lst.sh /proxy-lst.sh
-ADD proxy-ltr.sh /proxy-ltr.sh
-ADD proxy-ltt.sh /proxy-ltt.sh
+COPY proxy-ltr.sh /proxy-ltr.sh
+COPY proxy-ltt.sh /proxy-ltt.sh
-ADD proxy-lwp.sh /proxy-lwp.sh
-ADD proxy-lwt.sh /proxy-lwt.sh
+COPY proxy-lwp.sh /proxy-lwp.sh
+COPY proxy-lwt.sh /proxy-lwt.sh
-ADD proxy-mtt.sh /proxy-mtt.sh
-ADD proxy-mwp.sh /proxy-mwp.sh
-ADD proxy-mwt.sh /proxy-mwt.sh
+COPY proxy-mtt.sh /proxy-mtt.sh
+COPY proxy-mwp.sh /proxy-mwp.sh
+COPY proxy-mwt.sh /proxy-mwt.sh
-ADD proxy-ttt.sh /proxy-ttt.sh
-ADD proxy-twp.sh /proxy-twp.sh
-ADD proxy-twt.sh /proxy-twt.sh
+COPY proxy-ttt.sh /proxy-ttt.sh
+COPY proxy-twp.sh /proxy-twp.sh
+COPY proxy-twt.sh /proxy-twt.sh
-ADD qrcode.sh /qrcode
-ADD run.sh /run.sh
+COPY qrcode.sh /qrcode
+COPY run.sh /run.sh
 RUN chmod 755 /*.sh
 RUN chmod 755 /qrcode
From f1567466b881eb881089c95f119d60b722517300 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Sat, 5 Oct 2024 09:26:02 +1000
Subject: [PATCH 4/9] Add Trivy pipeline
---
.github/workflows/docker-buildx-dev.yml | 32 ++++++++++++++++---------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/docker-buildx-dev.yml b/.github/workflows/docker-buildx-dev.yml
index 9751df1..56d2403 100644
--- a/.github/workflows/docker-buildx-dev.yml
+++ b/.github/workflows/docker-buildx-dev.yml
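Review bot: Replacing `ADD` with `COPY` is correct (ADD would also fetch URLs and auto-unpack archives), but the seventeen scripts are still copied in one layer each and then made executable in the separate `RUN chmod 755 /*.sh` and `RUN chmod 755 /qrcode` layers that close the hunk. The images are built with buildx, so BuildKit's `COPY --chmod=755` is available: `COPY --chmod=755 proxy-*.sh run.sh /` and `COPY --chmod=755 qrcode.sh /qrcode` set the mode in the same layer and let both chmod steps go. If the explicit per-file manifest is preferred over the glob, keep the individual lines but add `--chmod=755` to each.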
@@ -36,18 +36,28 @@ jobs:
 name: Login to DockerHub
 uses: docker/login-action@v1
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
 -
 name: Build and push multi-arch dev
 uses: docker/build-push-action@v2
 with:
- context: .
- file: ./Dockerfile
- platforms: |
- linux/amd64
- linux/arm64
- linux/arm/v7
- linux/arm/v6
- push: true
- tags: ${{ github.repository }}:dev
+ context: .
+ file: ./Dockerfile
+ platforms: |
+ linux/amd64
+ linux/arm64
+ linux/arm/v7
+ linux/arm/v6
+ push: true
+ tags: ${{ github.repository }}:${{ github.ref }}
+ -
+ name: Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: '${{ github.repository }}:${{ github.ref }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ #severity: 'CRITICAL,HIGH'
\ No newline at end of file
From 6b445a5ee36e3e2c674a507c09e45d8d958ce378 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Sat, 5 Oct 2024 10:17:21 +1000
Subject: [PATCH 5/9] Trivy pipeline debug
---
.github/workflows/trivy-scan.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index c1aa9ec..dd8ece0 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -21,6 +21,7 @@ jobs:
 uses: aquasecurity/trivy-action@0.20.0
 with:
 scan-type: 'fs'
+ scan-ref: '.'
 ignore-unfixed: true
 format: 'sarif'
 output: 'trivy-results.sarif'
From 2863e53b60f8f66f364e29eed8aba5e90dcab163 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Sat, 5 Oct 2024 10:27:04 +1000
Subject: [PATCH 6/9] Trivy pipeline debug
---
.github/workflows/trivy-scan.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index dd8ece0..32349e2 100644
--- a/.github/workflows/trivy-scan.yml
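Review bot: The Trivy step runs after `push: true`, so by the time `exit-code: '1'` turns the job red the vulnerable image has already been published to Docker Hub; the scan gates nothing. Because `load: true` only works for a single platform, the workable pattern is a preliminary `linux/amd64` build loaded into the local daemon, the scan against that local tag, and only then the existing multi-arch `push: true` step (the second build is largely a cache hit), as sketched below. Separately, `tags: ${{ github.repository }}:${{ github.ref }}` expands to a tag containing `refs/heads/...`, which is not a valid image tag — a later commit in this series reverts it to `:dev` but also deletes the scan step, so dev images end up unscanned rather than scanned before push.

```yaml
      -
        name: Build dev image for scanning (single platform, loaded locally)
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64
          load: true
          tags: ${{ github.repository }}:dev-scan
      -
        name: Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.20.0
        with:
          image-ref: '${{ github.repository }}:dev-scan'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
      # … unchanged: "Build and push multi-arch dev" step (platforms list, push: true), now placed after the scan …
```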
+++ b/.github/workflows/trivy-scan.yml
@@ -21,11 +21,10 @@ jobs:
 uses: aquasecurity/trivy-action@0.20.0
 with:
 scan-type: 'fs'
- scan-ref: '.'
 ignore-unfixed: true
 format: 'sarif'
 output: 'trivy-results.sarif'
- #severity: 'CRITICAL'
+ severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
 -
 name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
From 0903a3070fc1c32aa2b5e2b6d9c98d29b530543b Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Sat, 5 Oct 2024 10:46:48 +1000
Subject: [PATCH 7/9] Docker buildx pipeline debug
---
.github/workflows/docker-buildx-dev.yml | 20 +++++---------------
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/docker-buildx-dev.yml b/.github/workflows/docker-buildx-dev.yml
index 56d2403..2efb869 100644
--- a/.github/workflows/docker-buildx-dev.yml
+++ b/.github/workflows/docker-buildx-dev.yml
@@ -15,18 +15,18 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@main
 with:
 ref: ${{ github.ref }}
 -
 name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@v3
 with:
 platforms: all
 -
 name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v3
 with:
 version: latest
 -
@@ -34,13 +34,13 @@ jobs:
 run: echo ${{ steps.buildx.outputs.platforms }}
 -
 name: Login to DockerHub
- uses: docker/login-action@v1
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 -
 name: Build and push multi-arch dev
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v6
 with:
 context: .
 file: ./Dockerfile
@@ -51,13 +51,3 @@ jobs:
 linux/arm/v6
 push: true
 tags: ${{ github.repository }}:${{ github.ref }}
- -
- name: Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.20.0
- with:
- image-ref: '${{ github.repository }}:${{ github.ref }}'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: 'os,library'
- #severity: 'CRITICAL,HIGH'
\ No newline at end of file
From f267cd98939f32735530c0b1f9d2df28d105057e Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Sat, 5 Oct 2024 10:49:29 +1000
Subject: [PATCH 8/9] Docker buildx pipeline debug
---
.github/workflows/docker-buildx-dev.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-buildx-dev.yml b/.github/workflows/docker-buildx-dev.yml
index 2efb869..4be434b 100644
--- a/.github/workflows/docker-buildx-dev.yml
+++ b/.github/workflows/docker-buildx-dev.yml
@@ -50,4 +50,4 @@ jobs:
 linux/arm/v7
 linux/arm/v6
 push: true
- tags: ${{ github.repository }}:${{ github.ref }}
+ tags: ${{ github.repository }}:dev
From 117c6b3844352e06f0bb01e46ae3b51e1370da85 Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Sat, 5 Oct 2024 23:37:36 +1000
Subject: [PATCH 9/9] Trivy Compliant, Action full SHA
---
.github/workflows/docker-buildx-dev.yml | 10 +++++-----
.github/workflows/docker-buildx-latest.yml | 10 +++++-----
.github/workflows/trivy-scan.yml | 4 ++--
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/docker-buildx-dev.yml b/.github/workflows/docker-buildx-dev.yml
index 4be434b..8df5528 100644
--- a/.github/workflows/docker-buildx-dev.yml
+++ b/.github/workflows/docker-buildx-dev.yml
@@ -15,18 +15,18 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@main
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 ref: ${{ github.ref }}
 -
 name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 with:
 platforms: all
 -
 name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 with:
 version: latest
 -
@@ -34,13 +34,13 @@ jobs:
 run: echo ${{ steps.buildx.outputs.platforms }}
 -
 name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 -
 name: Build and push multi-arch dev
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 context: .
 file: ./Dockerfile
diff --git a/.github/workflows/docker-buildx-latest.yml b/.github/workflows/docker-buildx-latest.yml
index 06ac0af..5415b16 100644
--- a/.github/workflows/docker-buildx-latest.yml
+++ b/.github/workflows/docker-buildx-latest.yml
@@ -15,18 +15,18 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 ref: ${{ github.ref }}
 -
 name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 with:
 platforms: all
 -
 name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 with:
 version: latest
 -
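Review bot: The SHA pins are the right move, but `version: latest` on the `setup-buildx-action` step (context at the end of both `@@ -15` hunks) still fetches whichever buildx release is current when the job runs, so the build toolchain stays unpinned even though the action wrapping it is now fixed; set `version:` to the specific buildx release that was tested and bump it with the same process that bumps the SHAs. SHA pins also only help if something keeps them current — no `dependabot.yml` or Renovate config for the `github-actions` ecosystem appears in this series, so confirm one exists or these workflows will silently age on these commits. Neither workflow shows a `permissions:` key in the visible hunks; a Docker Hub push needs nothing from `GITHUB_TOKEN`, so `permissions:` / `contents: read` at the job would drop the token's default write scopes.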
@@ -34,13 +34,13 @@ jobs:
 run: echo ${{ steps.buildx.outputs.platforms }}
 -
 name: Login to DockerHub
- uses: docker/login-action@v1
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 -
 name: Build and push multi-arch latest
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 context: .
 file: ./Dockerfile
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index 32349e2..52c53f4 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -13,12 +13,12 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 ref: ${{ github.ref }}
 -
 name: Run Trivy fs vulnerability scanner in fs mode
- uses: aquasecurity/trivy-action@0.20.0
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 with:
 scan-type: 'fs'
 ignore-unfixed: true