Geralt的Warehouse

2024年11月16日星期六

caddy反代下载文件

# 监听端口 51110，提供静态文件服务和目录浏览

:51110 {

root * /home/tls

encode gzip # 只启用 gzip 压缩

file_server {

browse

}

# 使用提供的证书和密钥

# tls /home/www/docker/nginx/wget-cert/fullchain.cer /home/www/docker/nginx/wget-cert/key.key

}

# 配置 *.dlfrp.cn:51109，提供静态文件服务和目录浏览

*.mydomain.com:51109 {

root * /home/tls

encode gzip # 只启用 gzip 压缩

file_server {

browse

}

# 使用提供的证书和密钥

tls /home/www/docker/nginx/wget-cert/fullchain.cer /home/www/docker/nginx/wget-cert/key.key

}

# 配置 mydomain2.com:6443 反向代理到 https://assets.livednow.com/epg.xml

mydomain2.com:6443 {

# 重写路径，将 /epg.xml 重定向到目标 URL

rewrite * /epg.xml

# 反向代理到目标 URL (主机部分)

reverse_proxy https://assets.livednow.com

# 使用提供的证书和密钥

tls /home/www/docker/nginx/wget-cert/fullchain.cer /home/www/docker/nginx/wget-cert/key.key

}

2024年11月1日星期五

debian12 eth0 限速脚本

debian12限速脚本

保存为limit-bandwidth.sh

chmod +x limit-bandwidth.sh

sudo ./limit-bandwidth.sh

#取消限速

sudo tc qdisc del dev eth0 root

#!/bin/bash

# 确保已安装tc工具

if ! command -v tc &> /dev/null; then

apt-get update

apt-get install -y iproute2

# 清除已有的队列规则

tc qdisc del dev eth0 root 2>/dev/null

# 添加根队列规则

tc qdisc add dev eth0 root handle 1: htb default 10

# 添加主要类别，设置最大带宽为1MB/s（8Mbit/s）

tc class add dev eth0 parent 1: classid 1:10 htb rate 8mbit burst 1mbit

# 添加过滤规则

tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip src 0.0.0.0/0 flowid 1:10

tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10

2024年10月27日星期日

转发避免网站被攻击的低成本想法

cf 我觉得是要上的，用替代方案会多花很多钱。cf 一定要把相关接口速率设置好，对于一些非受众国家的 ip 直接盾，如果可以设置 ip 白名单解高速率。此举针对 cc 有奇效。

服务器开 ip 白名单，只允许 cf 的 ip 段访问。而且很重要的是，使用 cf 给的服务器证书，不要自己去申请其他免费的证书。此举针对 fofa 之类的找源 ip 有奇效。

如果你的服务器需要出口访问，容易被对方钓真实 ip 。可以买个 ovh 的小鸡部署代理，同时只给你服务器 ip 开白名单，让你服务器走 ovh 出去（一般设置 http_proxy 之类的环境变量即可，特殊软件具体对待）。这样对方最多能获得 ovh 的地址，难打不说，打死了也对你业务影响不大。此举针对 d 有奇效。

另外如果使用了 smtp 发信，注意 smtp 服务泄露你的 ip 。用大厂的服务一般无此问题。

这一套下来，打你的代价就会非常大，收效非常小，而你几乎没有增加什么支出。

来源 https://linux.do/t/topic/242440

2024年10月22日星期二

[分享]sing-box规则分流 Netflix/Disney+/ChatGPT/Gemini/Claude

{

"outbounds": [

{

"tag": "direct",

"type": "direct",

"domain_strategy": "prefer_ipv4"

{

"type": "shadowsocks",

"tag": "unlock-netflix",

"server": "www.mydomain.com",

"server_port": 28000,

"method": "aes-128-gcm",

"password": "eebeeba9-e02b-49ef-98a4-013a806825de"

{

"type": "shadowsocks",

"tag": "unlock-disney",

"server": "www.mydomain.com",

"server_port": 27000,

"method": "aes-128-gcm",

"password": "3e9eb602-a0b0-4ffe-b996-89c5c2e28dd1"

{

"type": "shadowsocks",

"tag": "unlock-openai",

"server": "www.mydomain.com",

"server_port": 26000,

"method": "aes-128-gcm",

"password": "886b5631-732e-440a-af1e-2448922364e7"

{

"type": "block",

"tag": "block"

}

"route": {

"rules": [

{

"domain": [

"1.1.1.1"

"outbound": "direct"

{

"domain": [

"fast.com"

"outbound": "direct"

{

"domain_keyword": [

"gemini"

"outbound": "unlock-netflix"

{

"rule_set": [

"geosite-netflix"

"outbound": "unlock-netflix"

{

"rule_set": [

"geosite-disney"

"outbound": "unlock-disney"

{

"domain_keyword": [

"disney"

"outbound": "unlock-disney"

{

"rule_set": [

"geosite-anthropic"

"outbound": "unlock-disney"

{

"rule_set": [

"geosite-openai"

"outbound": "unlock-openai"

{

"domain_suffix": [

"openai.com",

"oaistatic.com",

"oaiusercontent.com"

"outbound": "unlock-netflix"

{

"package_name": "com.openai.chatgpt",

"outbound": "unlock-netflix"

{

"ip_is_private": true,

"outbound": "block"

{

"rule_set": [

"geosite-google"

"outbound": "direct"

{

"domain_keyword": [

"apple"

"outbound": "direct"

{

"rule_set": [

"geosite-cn",

"geoip-cn"

"outbound": "block"

{

"domain_regex": [

"(.?)(xunlei|sandai|Thunder|XLLiveUD)(.)",

"(.+.|^)(360).(cn|com|net)",

"(.*.||)(guanjia.qq.com|qqpcmgr|QQPCMGR)",

"(.*.||)(rising|kingsoft|duba|xindubawukong|jinshanduba).(com|net|org)",

"(.*.||)(netvigator|torproject).(com|cn|net|org)",

"(.*.||)(taobao).(com)"

"outbound": "block"

{

"outbound": "direct",

"network": [

"udp",

"tcp"

]

}

"rule_set": [

{

"tag": "geoip-cn",

"type": "remote",

"format": "binary",

"url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs",

"download_detour": "direct"

{

"tag": "geosite-cn",

"type": "remote",

"format": "binary",

"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-cn.srs",

"download_detour": "direct"

{

"tag": "geosite-netflix",

"type": "remote",

"format": "binary",

"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-netflix.srs",

"download_detour": "direct"

{

"tag": "geosite-disney",

"type": "remote",

"format": "binary",

"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-disney.srs",

"download_detour": "direct"

{

"tag": "geosite-openai",

"type": "remote",

"format": "binary",

"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-openai.srs",

"download_detour": "direct"

{

"tag": "geosite-anthropic",

"type": "remote",

"format": "binary",

"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-anthropic.srs",

"download_detour": "direct"

{

"tag": "geosite-google",

"type": "remote",

"format": "binary",

"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-google.srs",

"download_detour": "direct"

}

]

"experimental": {

"cache_file": {

"enabled": true

}

2024年10月9日星期三

Debian/ Ubuntu 安装docker ssh 后备/救援用

#假设已安装好docker

#建立docker打通网络

sudo docker network create --driver bridge --subnet 172.18.0.0/16 my_network

#拉取并创建 ssh Docker 容器

sudo docker run -d --name ssh-container \

--network my_network \

-v /:/host \

-p 2222:22 \

-e ROOT_PASSWORD=123456 \

--restart unless-stopped \

rastasheep/ubuntu-sshd:18.04

ssh连接2222 root 123456提示密码错误

重建 docker ssh 密码为 123456

sudo docker exec -it ssh-container passwd root

重新连接连接 ssh 2222 （root 123456）

进入主机的文件系统并使用 chroot：

cd /host

chroot .

现在尝试更新包列表：

apt update

您应该能够重建容器以外的 SSH 服务器：

apt purge openssh-server && apt install openssh-server

passwd root

2024年10月2日星期三

GOST WSS隧道，客户端/服务端代码

#国内机

gost -L "tcp://:10004" -L "udp://:10004" -F "relay+wss://海外vpsip.com:15000"

#海外vps

relay+wss://:15000/127.0.0.1:16000

127.0.0.1:16000端口可以是梯子服务端如ss reality等

国内机监听10004端口进入隧道-目的地-海外vps：16000

-----------------

纯TCP/UDP转发

nohup gost -L=udp://:10002/你的ip:15002 &

2024年9月28日星期六

Docker版nginx反向代理emby服务端范例

cer和key证书文件放在

/home/www/docker/nginx/

nginx.conf文件也在内

```

docker run --restart=always --name nginx -d -v /home/www/docker/nginx/:/etc/nginx/ --network=host docker.io/nginx

```

#nginx.conf

user nginx;

worker_processes auto;

error_log /var/log/nginx/error.log notice;

pid /var/run/nginx.pid;

events {

worker_connections 1024;

}

http {

include /etc/nginx/mime.types;

default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '

'$status $body_bytes_sent "$http_referer" '

'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;

#tcp_nopush on;

keepalive_timeout 65;

#gzip on;

include /etc/nginx/conf.d/*.conf;

}

#default.conf

server {

listen 34687 ssl;

server_name XXXX.XX你的emby服务器域名XX.COM;

ssl_certificate /etc/nginx/fullchain.cer;

ssl_certificate_key /etc/nginx/key.key;

# SSL 配置（建议添加以下优化）

ssl_protocols TLSv1.2 TLSv1.3;

ssl_prefer_server_ciphers on;

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

location / {

proxy_pass http://172.18.0.2:8096;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

# WebSocket 支持

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

}

# 可选：添加额外的安全头

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";

}

订阅：博文 (Atom)