diff --git a/Dockerfile b/Dockerfile
index fef063a..fdca7e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,6 +32,8 @@ COPY nginx-proxy.tpl /etc/nginx/conf.d/
 COPY nginx-grpc.tpl /etc/nginx/conf.d/
 COPY nginx-ws.tpl /etc/nginx/conf.d/
+COPY proxy-log-fmt.tpl /etc/nginx/conf.d/001-proxy-log-fmt.conf
+
 ADD server-lgp.sh /server-lgp.sh
 ADD server-lgr.sh /server-lgr.sh
 ADD server-lgt.sh /server-lgt.sh
diff --git a/nginx-stream.tpl b/nginx-stream.tpl
index f233d05..ae7db37 100644
--- a/nginx-stream.tpl
+++ b/nginx-stream.tpl
@@ -1,15 +1,15 @@
-#STSTUB
+#STREAM_TAG
 stream {
 map $ssl_preread_server_name $stream_map {
- #XMAP-TAG
+ #XMAP_TAG
 }
- #XUPSTREAM-TAG
+ #XUPSTREAM_TAG
 server {
 listen STPORT reuseport;
 proxy_pass $stream_map;
- # proxy_bind $remote_addr transparent;
+ #STPROXY_PASS_TAG
 ssl_preread on;
 }
 }
diff --git a/proxy-log-fmt.tpl b/proxy-log-fmt.tpl
new file mode 100644
index 0000000..987012d
--- /dev/null
+++ b/proxy-log-fmt.tpl
@@ -0,0 +1,3 @@
+ log_format proxy '$proxy_protocol_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
diff --git a/run.sh b/run.sh
index 4709448..20b8526 100755
--- a/run.sh
+++ b/run.sh
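Review bot: The new COPY line is the only one in this group whose destination is renamed from `.tpl` to `.conf`, and nothing says why; since a conf.d glob include picks up `.conf` files while the sibling `.tpl` files stay inert, a comment is warranted, e.g. `# Installed as .conf so nginx loads the 'proxy' log_format before the generated site configs (conf.d is read in name order)`. The `001-` prefix presumably exists for that ordering; if so, say it in the same comment so nobody "tidies" the name later.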
@@ -12,10 +12,10 @@ usage() {
 echo " --lgt p=13443,u=id1,u=id2...,s=svcname,d=domain.com"
 echo " --lsp p=14443,u=id1,u=id2...,w=/webpath"
 echo " --lst p=16443,u=id1,u=id2...,w=/webpath,d=domain.com"
- echo " --ltr p=17443,u=id1,u=id2...,d=dest.com,pub=xx,prv=yy[,shortId=ab],[xtls]"
- echo " --ltrx p=17443,u=id1,u=id2...,d=dest.com,pub=xx,prv=yy[,shortId=ab]"
- echo " --ltt p=18443,u=id1,u=id2...,d=domain.com,[xtls]"
- echo " --lttx p=18443,u=id1,u=id2...,d=domain.com"
+ echo " --ltr p=17443,u=id1,u=id2...,d=dest.com,pub=xx,prv=yy[,shortId=ab],[proxy_acpt],[xtls]"
+ echo " --ltrx p=17443,u=id1,u=id2...,d=dest.com,pub=xx,prv=yy[,shortId=ab],[proxy_acpt]"
+ echo " --ltt p=18443,u=id1,u=id2...,d=domain.com,[proxy_acpt],[xtls]"
+ echo " --lttx p=18443,u=id1,u=id2...,d=domain.com,[proxy_acpt]"
 echo " --lwp p=19443,u=id1,u=id2...,w=/wskpath"
 echo " --lwt p=22443,u=id1,u=id2...,w=/wskpath,d=domain.com"
 echo " --mtt p=23443,u=id1,u=id2...,d=domain.com"
@@ -24,9 +24,9 @@ usage() {
 echo " --ttt p=26443,u=pw1,u=pw2...,d=domain.com"
 echo " --twp p=27443,u=pw1,u=pw2...,w=/wskpath"
 echo " --twt p=28443,u=pw1,u=pw2...,w=/wskpath,d=domain.com"
- echo " --ng-server p=8443,d=domain0.com,d=domain1.com..."
+ echo " --ng-server p=8443,d=domain0.com,d=domain1.com...,[proxy_acpt]"
 echo " --ng-proxy d=domain0.com,d=domain1.com,p=port-backend,l=location,n=ws|grpc|splt"
- echo " --st-port 443"
+ echo " --st-server [p=443],[proxy_pass]"
 echo " --st-map sni=domain.com,ups=127.0.0.1:8443"
 echo " --domain-block Add a domain rule for routing-server block, like geosite:category-ads-all"
 echo " --ip-block Add a ip-addr rule for routing block, like geoip:private"
@@ -42,7 +42,7 @@ usage() {
 Jrules='{"rules":[]}'
-TEMP=`getopt -o u:k:r:c:j:di --long lgp:,lgr:,lgt:,lsp:,lst:,ltr:,ltrx:,ltt:,lttx:,lwp:,lwt:,mtt:,mwp:,mwt:,ttt:,twp:,twt:,user:,hook:,request-domain:,cert-home:,ip-block:,domain-block:,cn-block,ng-server:,ng-proxy:,st-port:,st-map:,json:,stdin,debug -n "$0" -- $@`
+TEMP=`getopt -o u:k:r:c:j:di --long lgp:,lgr:,lgt:,lsp:,lst:,ltr:,ltrx:,ltt:,lttx:,lwp:,lwt:,mtt:,mwp:,mwt:,ttt:,twp:,twt:,user:,hook:,request-domain:,cert-home:,ip-block:,domain-block:,cn-block,ng-server:,ng-proxy:,st-server:,st-map:,json:,stdin,debug -n "$0" -- $@`
 if [ $? != 0 ] ; then usage; exit 1 ; fi
 eval set -- "$TEMP"
@@ -114,8 +114,8 @@ while true ; do
 NGPROXY+=("$2")
 shift 2
 ;;
- --st-port)
- STPORT="$2"
+ --st-server)
+ STSVR="$2"
 shift 2
 ;;
 --st-map)
@@ -191,8 +191,8 @@ if [ -z "${SVCMD}" ]; then
 fi
 # Start Nginx if necessary
-if [ -n "${STPORT}" ]; then
- NGOPT="--st-port ${STPORT}"
+if [ -n "${STSVR}" ]; then
+ NGOPT="--st-server ${STSVR}"
 for mapopt in "${STMAP[@]}"
 do
 NGOPT="${NGOPT} --st-map $mapopt"
diff --git a/server-ltr.sh b/server-ltr.sh
index 4cee23f..4a2df6f 100755
--- a/server-ltr.sh
+++ b/server-ltr.sh
@@ -4,7 +4,7 @@ DIR=`dirname $0`
 usage() {
 echo "VLESS-TCP-REALITY server builder"
- echo "Usage: server-ltr ,,,[xtls],,[pub=xx,prv=yy,shortId=zz],,..."
+ echo "Usage: server-ltr ,,,[xtls],[proxy_acpt],,[pub=xx,prv=yy,shortId=zz],,..."
 }
 options=(`echo $1 |tr ',' ' '`)
@@ -27,6 +27,9 @@ do
 p|port)
 port="${kv[1]}"
 ;;
+ proxy_acpt)
+ acceptProxyProtocol=true
+ ;;
 shortId)
 shortIds+=("${kv[1]}")
 ;;
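Review bot: `-- $@` at the end of the rewritten getopt line is unquoted, so any argument containing whitespace (a `--domain-block` or `--ng-proxy` value, for example) is word-split and glob-expanded before getopt ever sees it. Since the line is being rewritten anyway, make it `-- "$@"` and prefer `$(...)` over backticks so the command substitution nests and reads cleanly. The rewritten getopt line in server-nginx.sh carries the same unquoted `$@`.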
@@ -106,6 +109,13 @@ do
 cat $XCONF |${DIR}/fallback.sh -p $port -f ${fb} | sponge $XCONF
 done
+# StreamSettings
+if [ -n "${acceptProxyProtocol}" ]; then
+ cat $XCONF |jq --arg port "${port}" \
+ '( .inbounds[] | select(.port == ($port|tonumber)) | .streamSettings ) += {"sockopt":{"acceptProxyProtocol":true}} ' \
+ |sponge $XCONF
+fi
+
 # Network settings
 cat $XCONF |jq --arg port "${port}" \
 '( .inbounds[] | select(.port == ($port|tonumber)) | .streamSettings ) += {"network":"tcp"} ' \
diff --git a/server-ltt.sh b/server-ltt.sh
index 91c0ca0..c22783c 100755
--- a/server-ltt.sh
+++ b/server-ltt.sh
@@ -4,7 +4,7 @@ DIR=`dirname $0`
 usage() {
 echo "VLESS-TCP-TLS server builder"
- echo "Usage: server-ltt ,,,[xtls],,,..."
+ echo "Usage: server-ltt ,,,[xtls],[proxy_acpt],,,..."
 }
 options=(`echo $1 |tr ',' ' '`)
@@ -27,6 +27,9 @@ do
 p|port)
 port="${kv[1]}"
 ;;
+ proxy_acpt)
+ acceptProxyProtocol=true
+ ;;
 u|user)
 xuser+=("${kv[1]}")
 ;;
@@ -106,6 +109,13 @@ do
 cat $XCONF |${DIR}/fallback.sh -p $port -f ${fb} | sponge $XCONF
 done
+# StreamSettings
+if [ -n "${acceptProxyProtocol}" ]; then
+ cat $XCONF |jq --arg port "${port}" \
+ '( .inbounds[] | select(.port == ($port|tonumber)) | .streamSettings ) += {"sockopt":{"acceptProxyProtocol":true}} ' \
+ |sponge $XCONF
+fi
+
 # Network settings
 cat $XCONF |jq --arg port "${port}" \
 '( .inbounds[] | select(.port == ($port|tonumber)) | .streamSettings ) += {"network":"tcp"} ' \
diff --git a/server-nginx.sh b/server-nginx.sh
index 1502a67..0fadb74 100755
--- a/server-nginx.sh
+++ b/server-nginx.sh
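Review bot: `.streamSettings += {"sockopt":{"acceptProxyProtocol":true}}` replaces any existing `sockopt` object wholesale rather than adding one key (jq's object `+` is a shallow merge, right side wins), so if other sockopt fields are set on the same inbound elsewhere in the script — not visible in this hunk — they are silently dropped; `'( .inbounds[] | select(.port == ($port|tonumber)) | .streamSettings.sockopt.acceptProxyProtocol ) = true'` sets only the one field. The identical block added to server-ltt.sh has the same issue. Separately, once an inbound accepts PROXY protocol the client address it reports is taken from the header rather than the socket, so this port should only be reachable from the nginx stream front-end (loopback bind or a port filter); a one-line comment above the `if` stating that assumption would help the next operator, and the `NGPROTOCOL` listen lines in site-ssl.conf.tpl rest on the same assumption.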
@@ -2,40 +2,44 @@ DIR=`dirname $0`
 DIR="$(cd $DIR; pwd)"
-TPL="site-ssl.conf.tpl"
-STPL="nginx-stream.tpl"
+SITE_TPL="site-ssl.conf.tpl"
+STREAM_TPL="nginx-stream.tpl"
 NGCONF="/etc/nginx/nginx.conf"
 usage() {
 echo "server-nginx --ng-server [,p=443] --ng-proxy [,h=127.0.0.1]"
 echo " --ng-proxy [,h=127.0.0.1][,d=host-domain]"
- echo " --ng-server [,p=443]"
+ echo " --ng-server [,p=443],[proxy_acpt]"
 echo " --st-map "
- echo " --st-port "
+ echo " --st-server [p=443],[proxy_pass]"
 }
-TEMP=`getopt -o m:p:s:x: --long ng-server:,ng-proxy:,st-map:,st-port: -n "$0" -- $@`
+TEMP=`getopt -o m:n:p:s:x: --long ng-server:,ng-proxy:,st-server:,st-map: -n "$0" -- $@`
 if [ $? != 0 ] ; then usage; exit 1 ; fi
 eval set -- "$TEMP"
 while true ; do
 case "$1" in
- -m|--st-map)
- STMAP+=("$2")
- shift 2
- ;;
- -p|--st-port)
- STPORT="$2"
- shift 2
- ;;
- -s|--ng-server)
+ # Multiple Nginx domain servers Allowed
+ -n|--ng-server)
 NGSVR+=("$2")
 shift 2
 ;;
+ # Multiple Nginx proxy locations Allowed
 -x|--ng-proxy)
 NGPROXY+=("$2")
 shift 2
 ;;
+ # Only SINGLE Stream server Allowed
+ -s|--st-server)
+ STSVR="$2"
+ shift 2
+ ;;
+ # Multiple Nginx SNI map items Allowed
+ -m|--st-map)
+ STMAP+=("$2")
+ shift 2
+ ;;
 --)
 shift
 break
@@ -49,7 +53,7 @@ while true ; do
 done
 if [ -z "${NGSVR}" ] && [ -z "${STPORT}" ]; then
- echo "No server/stream defined. Quit.";
+ echo "No Stream/Server defined. Quit.";
 usage;
 exit 1;
 fi
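Review bot: The guard on the context line `if [ -z "${NGSVR}" ] && [ -z "${STPORT}" ]; then` still tests `STPORT`, but after this commit the option parser only sets `STSVR` and `STPORT` is derived from it further down, so running the script with `--st-server` and no `--ng-server` now exits with "No Stream/Server defined"; the test should be `[ -z "${STSVR}" ]`. Related, the rewritten getopt line in the hunk above keeps `p:` in the short options although no case arm handles `-p` any more, so a stray `-p` is accepted and then ignored.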
@@ -63,16 +67,36 @@ if [ -f /etc/nginx/conf.d/default.conf ]; then
 mv default.conf default.conf.disable
 fi
-# Remove all lines generated previously after #STSTUB tag.
-sed -i '/\#STSTUB/q' /etc/nginx/nginx.conf
-# Remove #STSTUB tag
-sed -i '/\#STSTUB/d' /etc/nginx/nginx.conf
+# Remove all lines generated previously after #STREAM_TAG tag.
+sed -i '/\#STREAM_TAG/q' /etc/nginx/nginx.conf
+# Remove #STREAM_TAG tag
+sed -i '/\#STREAM_TAG/d' /etc/nginx/nginx.conf
+# Remove temp files generated previously.
+rm /tmp/stmap.conf; rm /tmp/stups.conf; rm /tmp/stproxy.conf
+
+if [ -n "${STSVR}" ]; then
+options=(`echo $STSVR |tr ',' ' '`)
+ for option in "${options[@]}"
+ do
+ kv=(`echo $option |tr '=' ' '`)
+ case "${kv[0]}" in
+ p|port)
+ STPORT="${kv[1]}"
+ ;;
+ x|proxy_pass)
+ STPROXY_PASS=1
+ ;;
+ esac
+ done
+
+ if [ -z "${STPORT}" ]; then STPORT=443; fi
+ if ! [ "${STPORT}" -eq "${STPORT}" ] 2>/dev/null; then
+ >&2 echo "Stream port number must be numeric";
+ exit 1;
+ fi
-if [ -n "${STPORT}" ]; then
- rm /tmp/map.conf
- rm /tmp/ups.conf
 # Attach the stream configuration to the tail of nginx.conf
- cat ${STPL} >> /etc/nginx/nginx.conf
+ cat ${STREAM_TPL} >> /etc/nginx/nginx.conf
 for stmap in "${STMAP[@]}"
 do
 options=(`echo $stmap |tr ',' ' '`)
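Review bot: The three fixed `/tmp/st*.conf` paths are deleted here, appended to with `>>` later and then spliced into the live nginx.conf by `sed ... r`; a fixed name in a shared, world-writable directory means anything else able to write `/tmp` can place or replace content that ends up in the running nginx configuration, and the `rm` calls without `-f` also print errors on a fresh container where nothing exists yet. Create a private scratch directory once near the top with `tmpd=$(mktemp -d) || exit 1` and `trap 'rm -rf -- "$tmpd"' EXIT`, then use `"$tmpd"/stmap.conf` and friends everywhere, which removes both problems. Also, `options=(`echo $STSVR |tr ',' ' '`)` is unquoted so a `*` in the value is glob-expanded, and the `-eq` self-comparison accepts negative or out-of-range values, so a `1..65535` range check would be tighter. The `if [ -n "${STSVR}" ]` block continues past the end of this hunk.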
@@ -88,17 +112,26 @@ if [ -n "${STPORT}" ]; then
 ;;
 esac
 done
+ # Named the upstream as yahoo_com for SNI yahoo.com
 upsname=`echo $sni|sed 's/\./_/g'`
- echo " $sni $upsname;" >>/tmp/map.conf
- echo " upstream $upsname {" >>/tmp/ups.conf
- echo " server $upstream;" >>/tmp/ups.conf
- echo " }" >>/tmp/ups.conf
+ echo " $sni $upsname;" >>/tmp/stmap.conf
+ echo " upstream $upsname {" >>/tmp/stups.conf
+ echo " server $upstream;" >>/tmp/stups.conf
+ echo " }" >>/tmp/stups.conf
 done
- # Add map.conf down to #MAPSTUB tag
- sed -i '/#XMAP-TAG/r /tmp/map.conf' /etc/nginx/nginx.conf
- # Add ups.conf down to #UPSSTUB tag
- sed -i '/#XUPSTREAM-TAG/r /tmp/ups.conf' /etc/nginx/nginx.conf
+
+ # Add map.conf down to #XMAP_TAG tag
+ sed -i '/#XMAP_TAG/r /tmp/stmap.conf' /etc/nginx/nginx.conf
+ # Add ups.conf down to #XUPSTREAM_TAG tag
+ sed -i '/#XUPSTREAM_TAG/r /tmp/stups.conf' /etc/nginx/nginx.conf
 sed -i "s/STPORT/${STPORT}/g" /etc/nginx/nginx.conf
+ # Add "proxy_protocol=on" down to #STPROXY_PASS_TAG tag
+ if [ -n "${STPROXY_PASS}" ]; then
+ echo " proxy_protocol on;" >/tmp/stproxy.conf
+ sed -i '/#STPROXY_PASS_TAG/r /tmp/stproxy.conf' /etc/nginx/nginx.conf
+ fi
+ echo "Generated /etc/nginx/nginx.conf ====>"
+ cat /etc/nginx/nginx.conf
 fi
 for ngsvr in "${NGSVR[@]}"
@@ -119,6 +152,9 @@ do
 domain="${kv[1]}"
 DOMAIN+=("${kv[1]}")
 ;;
+ proxy_acpt)
+ NGPROTOCOL="proxy_protocol"
+ ;;
 esac
 done
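Review bot: `NGPROTOCOL="proxy_protocol"` is set inside the per-`--ng-server` option loop but never reset between iterations, so once one server carries `proxy_acpt` every later `--ng-server` — and, since the `--ng-proxy` loop reads the same variable, every proxied location — is also generated with a PROXY-protocol listener and the rewritten log format. Initialise it per server with `NGPROTOCOL=` at the top of the loop body, before the option parsing, and decide explicitly how the `--ng-proxy` loop should obtain the setting for its domain. The `for ngsvr` loop begins before this hunk.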
@@ -137,12 +173,21 @@ do
 ESC_CERTFILE=$(printf '%s\n' "${fullchain}" | sed -e 's/[]\/$*.^[]/\\&/g')
 ESC_PRVKEYFILE=$(printf '%s\n' "${prvkey}" | sed -e 's/[]\/$*.^[]/\\&/g')
- cat ${TPL} \
+ cat "${SITE_TPL}" \
 | sed "s/CERTFILE/${ESC_CERTFILE}/g" \
 | sed "s/PRVKEYFILE/${ESC_PRVKEYFILE}/g" \
 | sed "s/NGDOMAIN/${domain}/g" \
 | sed "s/NGPORT/${port}/g" \
+ | sed "s/NGPROTOCOL/${NGPROTOCOL}/g" \
 >"${domain}.conf"
+ # Applying proxy log format instead of main format when --ng-server proxy_pass was set
+ if [ -n "${NGPROTOCOL}" ]; then
+ sed -i '/access_log/s/main/proxy/' "${domain}.conf"
+ sed -i 's/remote_addr/proxy_protocol_addr/g' "${domain}.conf"
+ sed -i 's/proxy_add_x_forwarded_for/proxy_protocol_addr/g' "${domain}.conf"
+ fi
+ echo "Generated /etc/nginx/conf.d/${domain}.conf ====>"
+ cat /etc/nginx/conf.d/${domain}.conf
 done
 for ngproxy in "${NGPROXY[@]}"
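Review bot: The new comment says the rewrite applies `when --ng-server proxy_pass was set`, but the option that sets `NGPROTOCOL` is `proxy_acpt` (`proxy_pass` belongs to `--st-server`), so the comment points readers at the wrong flag. The same five-line block, with the same comment, is repeated in the `--ng-proxy` hunk below; it reads better as one helper called from both places, which also keeps the two copies from drifting. The `s/remote_addr/…/g` rewrites touch every occurrence in the generated file, including whatever the ws/grpc/proxy templates inserted, which is presumably intended but worth stating in the helper's comment.
```shell
# Switch a generated site config to PROXY-protocol addressing: log with the
# 'proxy' format and use $proxy_protocol_addr wherever $remote_addr was used.
# (define once near the top of the script, before the --ng-server loop)
apply_proxy_protocol_log() {
  local conf=$1
  sed -i '/access_log/s/main/proxy/' "$conf"
  sed -i 's/remote_addr/proxy_protocol_addr/g' "$conf"
  sed -i 's/proxy_add_x_forwarded_for/proxy_protocol_addr/g' "$conf"
}
# … unchanged: template substitution into "${domain}.conf" …
if [ -n "${NGPROTOCOL}" ]; then apply_proxy_protocol_log "${domain}.conf"; fi
```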
@@ -184,19 +229,27 @@ do
 # Add tpl file content down to #LOCATION tag
 case "${xnetwork}" in
 ws|websocket)
- sed -i '/#XLOCATION-TAG/r nginx-ws.tpl' ${domain}.conf
+ sed -i '/#XLOCATION_TAG/r nginx-ws.tpl' ${domain}.conf
 ;;
 grpc)
- sed -i '/#XLOCATION-TAG/r nginx-grpc.tpl' ${domain}.conf
+ sed -i '/#XLOCATION_TAG/r nginx-grpc.tpl' ${domain}.conf
 ;;
 splt|proxy)
- sed -i '/#XLOCATION-TAG/r nginx-proxy.tpl' ${domain}.conf
+ sed -i '/#XLOCATION_TAG/r nginx-proxy.tpl' ${domain}.conf
 ;;
 esac
 ESC_LOCATION=$(printf '%s\n' "${xlocation}" | sed -e 's/[]\/$*.^[]/\\&/g')
 sed -i "s/HOST/${xhost}/g" ${domain}.conf
 sed -i "s/PORT/${xport}/g" ${domain}.conf
 sed -i "s/WEBPATH/${ESC_LOCATION}/g" ${domain}.conf
+ # Applying proxy log format instead of main format when --ng-server proxy_pass was set
+ if [ -n "${NGPROTOCOL}" ]; then
+ sed -i '/access_log/s/main/proxy/' "${domain}.conf"
+ sed -i 's/remote_addr/proxy_protocol_addr/g' "${domain}.conf"
+ sed -i 's/proxy_add_x_forwarded_for/proxy_protocol_addr/g' "${domain}.conf"
+ fi
+ echo "Generated /etc/nginx/conf.d/${domain}.conf ====>"
+ cat /etc/nginx/conf.d/${domain}.conf
 done
 done
 exit 0
diff --git a/site-ssl.conf.tpl b/site-ssl.conf.tpl
index e6cd6f2..57b49a0 100644
--- a/site-ssl.conf.tpl
+++ b/site-ssl.conf.tpl
@@ -1,7 +1,7 @@
 server {
 listen NGPORT quic;
- listen NGPORT ssl;
- listen [::]:NGPORT ssl;
+ listen NGPORT ssl NGPROTOCOL;
+ listen [::]:NGPORT ssl NGPROTOCOL;
 http2 on;
 server_name NGDOMAIN;
 ssl_certificate CERTFILE;
@@ -15,9 +15,11 @@ server {
 client_header_timeout 1071906480m;
 keepalive_timeout 1071906480m;
+ access_log /var/log/nginx/access.log main;
+
 location / { return 404; }
- #XLOCATION-TAG
+ #XLOCATION_TAG
 }
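Review bot: `listen NGPORT quic;` on the context line keeps its plain form while only the two TCP listeners gain `NGPROTOCOL`, so when `proxy_acpt` is set the server block still has one listener that carries no PROXY protocol, yet server-nginx.sh rewrites that file's access_log format and every `$remote_addr` to `$proxy_protocol_addr`; a request arriving over the QUIC listener would then be logged and forwarded with an empty client address. Either omit the quic listener when NGPROTOCOL is non-empty, or leave `$remote_addr` in place for that path and document the difference next to the listen lines. The template's server block continues past the end of this hunk.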