NaiveFromScratch

服务器安装

TLS证书

安装certbot

# Install the Let's Encrypt client from the distribution package repository.
apt install certbot

获取证书

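# certbot certonly --standalone -d "$domain" --agree-tos --email "$email"
# --agree-tos is the full flag name (the shorter --agree-to only works as an argparse prefix).
# The standalone authenticator answers the HTTP challenge itself, so port 80 must be free while it runs.
certbot certonly --standalone -d np2.abc.com --agree-tos --email admin@email.com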

运行结果:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for np1.abc.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/np1.abc.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/np1.abc.com/privkey.pem
This certificate expires on 2023-11-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

更新证书

# Renew any certificate that is due; certbot also registered a scheduled task for this (see the output above).
certbot renew

安装Naive

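# xz-utils is needed to unpack the .tar.xz release archive.
sudo apt install xz-utils
wget https://github.com/klzgrad/naiveproxy/releases/download/v114.0.5735.91-3/naiveproxy-v114.0.5735.91-3-linux-x64.tar.xz
tar xJvf naiveproxy-v114.0.5735.91-3-linux-x64.tar.xz
# Stop here if extraction did not produce the directory; otherwise the link below would point at the wrong place.
cd naiveproxy-v114.0.5735.91-3-linux-x64 || exit 1
# Quote the substitution so a path containing spaces cannot split into two arguments.
# /usr/bin/naive stays a symlink into this directory, so the extracted tree must not be deleted afterwards.
sudo ln -snf "$(pwd)/naive" /usr/bin/naive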

编辑配置

/etc/naive/config.json

{
"listen": "http://127.0.0.1:54321",
"padding": false
}

命令行运行服务端

# Foreground run using the config.json written above; the systemd unit below is the persistent alternative.
/usr/bin/naive /etc/naive/config.json

service运行服务端

编辑/lib/systemd/system/naive.service文件:

# /lib/systemd/system/naive.service
# Runs the naive binary linked to /usr/bin/naive above with the config written to /etc/naive/config.json.
[Unit]
Description=Naive Service
After=network.target nss-lookup.target

[Service]
Type=simple
# Runs as root; NoNewPrivileges keeps the process from gaining further privileges (e.g. via setuid binaries).
User=root
NoNewPrivileges=true
ExecStart=/usr/bin/naive /etc/naive/config.json
Restart=on-failure

[Install]
WantedBy=multi-user.target
# Reload unit definitions, enable and start the unit in one step, then show its state.
systemctl daemon-reload
systemctl enable --now naive
systemctl status naive

安装Caddy

# Fetch the forwardproxy build of Caddy and unpack it in the current directory.
wget https://github.com/klzgrad/forwardproxy/releases/download/v2.7.3-caddy2-naive/caddy-forwardproxy-naive.tar.xz
tar --extract --xz --verbose --file=caddy-forwardproxy-naive.tar.xz

basicauth指令

caddy hash-password
# enter 123456 as the password when prompted; the hash shown below was produced from it

生成结果:

$2a$14$VaF5ztcQ0nKChrP0ImGmPuyyjeLdVnUO/n69r1ua8fCperXBiXmDG

# Password-protected static site. The value after "admin" is the output of `caddy hash-password`
# above (a bcrypt hash), so the cleartext password never appears in this file.
www.abc.com {
root * /var/caddy/vpn
file_server
basicauth /* {
admin $2a$14$VaF5ztcQ0nKChrP0ImGmPuyyjeLdVnUO/n69r1ua8fCperXBiXmDG
}
}

访问:

https://admin:123456@www.abc.com/

完整的Caddyfile

# Global options: run forward_proxy ahead of the other handlers so proxy requests are matched first.
{
order forward_proxy before reverse_proxy
order forward_proxy before handle_path
}
# Port 443 for every listed name; the tls argument is the ACME account e-mail.
:443, np2.abc.com, np3.abc.com, w2.abc.com {
tls admin@abc.com
forward_proxy {
basic_auth admin !Qaz2023 # username, password (stored in plaintext here: restrict read access to this file)
hide_ip
hide_via
probe_resistance
upstream http://127.0.0.1:54321
}
# Requests that are not proxy requests fall through to an ordinary upstream site.
reverse_proxy https://www.fsf.org {
header_up Host {upstream_hostport}
header_up X-Forwarded-Host {host}
}
handle_path /api {
reverse_proxy 127.0.0.1:64730
}
}

# Per-site files, such as the Caddyfile.naive the install script writes.
import sites/*

一键安装脚本

https://852us.com/naive

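#!/bin/bash
# One-shot installer for naiveproxy + the forwardproxy build of Caddy (functions below).
# Work in a fresh, unpredictable directory: a fixed /tmp/naive may already exist with contents this
# script did not create, and whatever is extracted here ends up copied into /usr/local/bin.
TEMPDIR="$(mktemp -d "${TMPDIR:-/tmp}/naive.XXXXXX")" || exit 1
trap 'rm -rf -- "${TEMPDIR:?}"' EXIT
# NOTE: USER shadows the login-name environment variable for the rest of this script.
USER="User"
# Default proxy password; it is public (it is on this page), so pass -p for a real deployment.
PASSWORD="!Qaz2023"
HOST=""
declare -a HOSTS   # every -h value, in order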
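#######################################
# Parse the command line into the globals EMAIL, HOST, HOSTS, USER and PASSWORD.
# Arguments: the script's argv ("$@")
# Outputs:   echoes each recognised option (the password value itself is not echoed)
# Returns:   0; exits 1 on an unknown option or a missing option argument
#######################################
parse_args() {
  local opt
  local OPTIND=1   # reset so the function can be called more than once
  while getopts ":h:e:u:p:" opt; do
    case "$opt" in
      e)
        echo "EMAIL: $OPTARG"
        EMAIL="$OPTARG"
        ;;
      h)
        echo "HOST: $OPTARG"
        HOST="$OPTARG"
        # Always append as an array element; the original mixed a string append and an array append.
        HOSTS+=("$OPTARG")
        echo
        ;;
      u)
        echo "USER: $OPTARG"
        USER="$OPTARG"
        ;;
      p)
        # The installer's stdout commonly ends up in a log, so do not print the secret.
        echo "PASSWORD: (set)"
        PASSWORD="$OPTARG"
        ;;
      :)
        # Leading ':' in the optstring routes a missing argument here; the original fell through silently.
        echo "缺少参数:-$OPTARG" >&2
        exit 1
        ;;
      \?)
        echo "无效参数:-$OPTARG" >&2
        exit 1
        ;;
    esac
  done
}
parse_args "$@"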

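#######################################
# Build HOST_LIST, the space-separated site list used in the generated Caddyfile, from HOSTS.
# Globals:  HOSTS (read), HOST_LIST (written)
# Outputs:  each host on its own line, then the whole list
#######################################
build_host_list() {
  local h
  HOST_LIST=""
  for h in "${HOSTS[@]}"; do
    printf '%s\n' "$h"
    HOST_LIST+=" $h"   # keeps the original's leading space; the site line is ":443, $HOST_LIST"
  done
}
build_host_list
printf '%s\n' "$HOST_LIST"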

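# All four values are required: EMAIL feeds the `tls` directive of the generated site file, HOST_LIST its
# site addresses, USER/PASSWORD its basic_auth line. The original usage text named EMAIL but never checked it.
if [[ -z "$EMAIL" || -z "$HOST_LIST" || -z "$USER" || -z "$PASSWORD" ]]; then
  echo "请设置EMAIL, HOST,USER,PASSWORD参数"
  echo " -e EMAIL"
  echo " -h HOST"
  echo " -u USER"
  echo " -p PASSWORD"
  echo
  exit 1
fi
# Everything below writes under /etc and /lib/systemd and drives systemctl, so fail early if not root.
if [[ "$EUID" -ne 0 ]]; then
  echo "this script must be run as root" >&2
  exit 1
fi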

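# Work inside TEMPDIR. Later steps use relative paths (downloads, extraction, cleanup),
# so a failed cd must abort instead of silently continuing in the wrong directory.
mkdir -p -- "${TEMPDIR:?TEMPDIR is unset}" || exit 1
cd "$TEMPDIR" || exit 1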

# Install locations written by the functions below.
BIN_DIR=/usr/local/bin
NAIVE_CONFIG_FILE=/etc/naive/config.json
NAIVE_SERVICE_FILE=/lib/systemd/system/naive.service
CADDY_SERVICE_FILE=/lib/systemd/system/caddy.service

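#######################################
# Write the naive config.json and systemd unit, then enable and start the unit.
# Globals:  NAIVE_CONFIG_FILE, NAIVE_SERVICE_FILE, BIN_DIR (read; defaults match the page)
# Returns:  status of the final `systemctl list-units | grep naive`
#######################################
install_naive_service() {
  local config_file="${NAIVE_CONFIG_FILE:-/etc/naive/config.json}"
  local service_file="${NAIVE_SERVICE_FILE:-/lib/systemd/system/naive.service}"
  local bin_dir="${BIN_DIR:-/usr/local/bin}"
  echo "安装naive.service ..."
  echo

  # config.json: naive listens on loopback only; Caddy's forward_proxy upstream points at this address.
  mkdir -p -- "${config_file%/*}"
  cat > "$config_file" <<'EOF'
{
"listen": "http://127.0.0.1:54321",
"padding": false
}
EOF

  # Unit file. ExecStart is derived from the same variables instead of a second hard-coded path.
  cat > "$service_file" <<EOF
[Unit]
Description=Naive Service
After=network.target nss-lookup.target

[Service]
Type=simple
User=root
NoNewPrivileges=true
ExecStart=$bin_dir/naive $config_file
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
  systemctl enable naive
  systemctl start naive
  systemctl list-units | grep naive
}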

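#######################################
# Write the Caddy global options, the naive site file and caddy.service, then enable and start Caddy.
# Globals:  CADDY_DIR (optional, default /etc/caddy), CADDY_SERVICE_FILE, BIN_DIR,
#           HOST_LIST, EMAIL, USER, PASSWORD (read)
# Returns:  status of the final `systemctl list-units | grep caddy`
#######################################
install_caddy_service() {
  local caddy_dir="${CADDY_DIR:-/etc/caddy}"
  local caddyfile="$caddy_dir/Caddyfile"
  local site_file="$caddy_dir/sites/Caddyfile.naive"
  local service_file="${CADDY_SERVICE_FILE:-/lib/systemd/system/caddy.service}"
  local bin_dir="${BIN_DIR:-/usr/local/bin}"
  echo "安装caddy.service ..."
  echo

  # The site file lives in sites/, which the original never created; a missing Caddyfile also made
  # the grep/cat below fail, so make sure both exist before touching them.
  mkdir -p -- "$caddy_dir/sites"
  [[ -e "$caddyfile" ]] || : > "$caddyfile"

  # Global options must be the first block of the Caddyfile; add them only once.
  if ! grep -q 'order' "$caddyfile"; then
    {
      printf '{\n'
      printf 'order forward_proxy before reverse_proxy\n'
      printf 'order forward_proxy before handle_path\n'
      printf '}\n'
      cat "$caddyfile"
    } > "$caddyfile.tmp" && mv -f -- "$caddyfile.tmp" "$caddyfile"
  fi
  # Nothing under sites/ is read unless the main Caddyfile imports it.
  if ! grep -q 'import sites/\*' "$caddyfile"; then
    printf '\nimport sites/*\n' >> "$caddyfile"
  fi

  cat > "$site_file" <<EOF
:443, $HOST_LIST {
tls $EMAIL
forward_proxy {
basic_auth $USER $PASSWORD # 用户名、密码
hide_ip
hide_via
probe_resistance
upstream http://127.0.0.1:54321
}
}
EOF
  # The site file holds the proxy credentials in plaintext; keep it readable by the owner only.
  chmod 600 "$site_file"

  # caddy.service
  # NOTE(review): the upstream unit this is modelled on runs Caddy as a dedicated user; root is kept
  # here as on the page — confirm that is intended.
  cat > "$service_file" <<EOF
# Refer to: https://github.com/caddyserver/dist/blob/master/init/caddy.service
# CADDY_SERVICE_FILE="/lib/systemd/system/caddy.service"
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=root
Group=root
ExecStart=$bin_dir/caddy run --environ --config $caddyfile
ExecReload=$bin_dir/caddy reload --config $caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target
EOF
  systemctl enable caddy
  systemctl start caddy
  systemctl list-units | grep caddy
}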

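#######################################
# Stop any installed naive unit, fetch the latest naiveproxy release and copy its binary into BIN_DIR.
# Globals:  BIN_DIR (read, default /usr/local/bin)
# Outputs:  the release tag and the wget command line
# Returns:  1 if the version lookup, download, extraction or copy fails
#######################################
download_naive() {
  local unit version archive down_url api_url
  local bin_dir="${BIN_DIR:-/usr/local/bin}"
  unit="$(systemctl list-unit-files | grep naive)"
  if [[ -n "$unit" ]]; then
    systemctl disable naive
    systemctl stop naive
  fi
  sudo apt install xz-utils
  # ?v=$RANDOM defeats caching of the release lookup.
  api_url="https://api.github.com/repos/klzgrad/naiveproxy/releases/latest?v=$RANDOM"
  version="$(curl -s "$api_url" | awk -F '"' '/"tag_name"/{print $4; exit}')"
  # The original carried on with an empty tag (e.g. an API error) and built a bogus download URL.
  if [[ -z "$version" ]]; then
    echo "could not determine the latest naiveproxy release" >&2
    return 1
  fi
  echo "$version"
  archive="naiveproxy-$version-linux-x64.tar.xz"
  down_url="https://github.com/klzgrad/naiveproxy/releases/download/$version/$archive"
  echo wget -c "$down_url"
  # NOTE(review): the archive is not checked against a checksum or signature; none is provided on this page.
  wget -c "$down_url" || return 1
  tar xJvf "$archive" || return 1
  cp -- "naiveproxy-$version-linux-x64/naive" "$bin_dir/" || return 1
}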

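#######################################
# Stop any installed caddy unit, fetch the latest forwardproxy Caddy release and copy the binary into BIN_DIR.
# Globals:  BIN_DIR (read, default /usr/local/bin)
# Outputs:  the API URL, release tag, download URL, file and directory names, and the commands run
# Returns:  1 if the release lookup, download, extraction or copy fails
#######################################
download_caddy() {
  local unit api_json api_url release_version down_url file_name path_name
  local github_user="klzgrad"
  local repo_name="forwardproxy"
  local bin_dir="${BIN_DIR:-/usr/local/bin}"
  # Fix: the original grepped for "naive" here, so an existing caddy unit was never disabled/stopped.
  unit="$(systemctl list-unit-files | grep caddy)"
  if [[ -n "$unit" ]]; then
    systemctl disable caddy
    systemctl stop caddy
  fi
  api_json="api.json"
  api_url="https://api.github.com/repos/$github_user/$repo_name/releases/latest?v=$RANDOM"
  echo "$api_url"
  curl -s "$api_url" > "$api_json" || return 1
  release_version="$(awk -F '"' '/"tag_name"/{print $4; exit}' "$api_json")"
  echo "RELEASE_VERSION=$release_version"
  # Take only the first .tar.xz asset; the original printed every asset URL, which breaks with more than one.
  down_url="$(awk -F '"' '/"browser_download_url"/ && /\.tar\.xz"/{print $4; exit}' "$api_json")"
  if [[ -z "$release_version" || -z "$down_url" ]]; then
    echo "could not determine the latest $repo_name release" >&2
    return 1
  fi
  echo "DOWN_URL=$down_url"
  file_name="${down_url##*/}"          # basename, instead of the original sed 's/.*[!/]//'
  echo "FILE_NAME=$file_name"
  path_name="${file_name%.tar.xz}"     # the archive extracts into a directory of this name
  echo "PATH_NAME=$path_name"
  echo wget -c "$down_url"
  # NOTE(review): the archive is not checked against a checksum or signature; none is provided on this page.
  wget -c "$down_url" || return 1
  echo tar xJvf "$file_name"
  tar xJvf "$file_name" || return 1
  echo cp "$path_name/caddy" "$bin_dir/"
  cp -- "$path_name/caddy" "$bin_dir/" || return 1
}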

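#######################################
# Print one client connection URI per host (the output the user copies into the client).
# Globals:  HOSTS, USER, PASSWORD (read)
# Outputs:  naive+https://USER:PASSWORD@host:443?padding=false#label, surrounded by blank lines
#######################################
show_info() {
  local host label
  echo
  for host in "${HOSTS[@]}"; do
    label="${host%%.*}"   # first DNS label, e.g. np2 for np2.abc.com
    # NOTE(review): USER/PASSWORD are not URL-encoded; values containing ':' '@' or '#' would break the URI.
    printf 'naive+https://%s:%s@%s:443?padding=false#%s\n' "$USER" "$PASSWORD" "$host" "$label"
  done
  echo
}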

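#######################################
# Delete the downloaded/extracted files from TEMPDIR and return to the previous directory.
# Globals:  TEMPDIR (read)
#######################################
remove_tmp_files() {
  # Address the files through TEMPDIR rather than the current directory, and abort via ${TEMPDIR:?}
  # if it is unset, so a failed cd earlier cannot turn this into a wildcard delete elsewhere.
  rm -f -- "${TEMPDIR:?}/api.json"
  rm -rf -- "${TEMPDIR:?}"/naive* "${TEMPDIR:?}"/caddy*
  cd -
}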

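#######################################
# Entry point: download both binaries, install both services, print the client URIs, clean up.
# A failed download previously went unnoticed and the service was installed against a missing binary.
#######################################
main() {
  download_naive || exit 1
  install_naive_service
  download_caddy || exit 1
  install_caddy_service
  show_info
  remove_tmp_files
}
main "$@"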

使用方式:

# -u/-p are optional: without them the script falls back to its built-in defaults (USER "User", PASSWORD "!Qaz2023").
./install.sh -e YOUR_EMAIL -h HOSTNAME

客户端连接方式

naive+https://user:pass@np2.abc.com:443?padding=false#np2