first-commit

99nginx.sh

@@ -0,0 +1,372 @@
+#!/bin/bash
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
+export PATH
+
+RED_COLOR="\033[0;31m"
+NO_COLOR="\033[0m"
+GREEN="\033[32m\033[01m"
+BLUE="\033[0;36m"
+FUCHSIA="\033[0;35m"
+
+nginx_v=1.25.3.1
+
+install_nginx(){
+apt update -y && apt install vim curl lsof wget -y
+apt install build-essential libpcre3 libpcre3-dev zlib1g-dev openssl libssl-dev linux-image-amd64 linux-headers-amd64 -y
+wget -N --no-check-certificate https://git.igewu.org/yanglc/tunnel/raw/branch/main/$nginx_v.tar.gz && tar -xvzf $nginx_v.tar.gz
+cd openresty-$nginx_v
+./configure \
+--prefix=/etc/nginx \
+--sbin-path=/usr/sbin/nginx \
+--conf-path=/etc/nginx/nginx.conf \
+--error-log-path=/var/log/nginx/error.log \
+--http-log-path=/var/log/nginx/access.log \
+--pid-path=/var/run/nginx.pid \
+--lock-path=/var/run/nginx.lock \
+--with-file-aio \
+--with-threads \
+--with-stream \
+--with-stream_realip_module \
+--with-stream_ssl_module \
+--with-stream_ssl_preread_module
+make && make install
+cd
+rm -rf $nginx_v.tar.gz openresty-$nginx_v
+wget -N --no-check-certificate -P /etc/nginx/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/nginx.conf"
+wget -N --no-check-certificate -P /usr/lib/systemd/system/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/nginx.service"
+systemctl enable nginx --now
+systemctl daemon-reload
+install_wireguard
+99_menu
+}
+
+install_wireguard(){
+apt install linux-image-amd64 -y && apt install wireguard -y
+systemctl enable wg-quick@wg0
+}
+
+nginx_conf(){
+echo -e "
+ ${GREEN} 1.跳板机
+ ${GREEN} 2.中转机
+ "
+read -p "输入选项:" aNum
+echo -e "
+ ${GREEN} 1.隧道1(tunnel1)
+ ${GREEN} 2.隧道2(tunnel2)
+ ${GREEN} 3.隧道3(tunnel3)
+ "
+read -p "请输入括号里的代号:" mplsdh
+if [ "$aNum" = "1" ];then
+rm -rf /etc/nginx/nginx.conf
+wget -N --no-check-certificate -P /etc/nginx/ "https://h5ai.98yys.pw/99/$mplsdh/luodi/nginx.txt"
+wget -N --no-check-certificate -P /etc/nginx/ssl "https://h5ai.98yys.pw/99/${mplsdh}/luodi/ca1.crt"
+wget -N --no-check-certificate -P /etc/nginx/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/nginx.conf"
+nginx_rows=`wc -l /etc/nginx/nginx.txt | awk '{print $1}'`
+echo -e "
+stream {" >> /etc/nginx/nginx.conf
+for((i=1;i<=$nginx_rows;i++));  
+do
+listen_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $1}'`
+listen_port=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $2}'`
+remote_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $3}'`
+remote_port=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $4}'`
+lan_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $5}'`
+echo -e "
+server {
+        listen $listen_ip:$listen_port ssl;
+        listen $lan_ip:$listen_port udp;
+        ssl_protocols TLSv1.3;
+        ssl_conf_command MinProtocol TLSv1.3;
+        ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
+        ssl_certificate /etc/nginx/ssl/server.crt;
+        ssl_certificate_key /etc/nginx/ssl/server.key;
+        ssl_client_certificate /etc/nginx/ssl/ca1.crt;
+        ssl_verify_client on;
+        ssl_session_cache shared:SSL:15m;
+        ssl_session_timeout 3h;
+        ssl_session_tickets off;
+        tcp_nodelay on;
+        proxy_pass $remote_ip:$remote_port;
+        proxy_protocol off;
+        access_log off;
+}" >> /etc/nginx/nginx.conf
+done
+elif [ "$aNum" = "2" ];then
+rm -rf /etc/nginx/nginx.conf
+wget -N --no-check-certificate -P /etc/nginx/ "https://h5ai.98yys.pw/99/$mplsdh/zhongzhuan/nginx.txt"
+wget -N --no-check-certificate -P /etc/nginx/ssl "https://h5ai.98yys.pw/99/${mplsdh}/zhongzhuan/ca1.crt"
+wget -N --no-check-certificate -P /etc/nginx/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/nginx.conf"
+nginx_rows=`wc -l /etc/nginx/nginx.txt | awk '{print $1}'`
+echo -e "
+stream {" >> /etc/nginx/nginx.conf
+for((i=1;i<=$nginx_rows;i++));  
+do
+listen_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $1}'`
+listen_port=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $2}'`
+remote_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $3}'`
+remote_port=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $4}'`
+lan_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $5}'`
+echo -e "
+server {
+        listen $listen_ip:$listen_port;
+        proxy_ssl_certificate /etc/nginx/ssl/server.crt;
+        proxy_ssl_certificate_key /etc/nginx/ssl/server.key;
+        proxy_ssl_trusted_certificate /etc/nginx/ssl/ca1.crt;
+        proxy_ssl_protocols TLSv1.3;
+        proxy_ssl_server_name on;
+        proxy_ssl_verify on;
+        proxy_ssl on;
+        ssl_session_tickets off;
+        tcp_nodelay on;
+        proxy_ssl_name $remote_ip;
+        proxy_pass $remote_ip:$remote_port;
+        proxy_protocol off;
+        access_log off;
+}
+server {
+        listen $listen_ip:$listen_port udp;
+        proxy_pass $lan_ip:$remote_port;
+        proxy_protocol off;
+        access_log off;
+}" >> /etc/nginx/nginx.conf
+done
+fi
+echo -e "
+}" >> /etc/nginx/nginx.conf
+wireguard_conf
+systemctl restart nginx
+99_menu
+}
+
+wireguard_conf(){
+if [ "$aNum" = "1" ];then
+wget -N --no-check-certificate -P /etc/wireguard "https://h5ai.98yys.pw/99/${mplsdh}/luodi/wg0.conf"
+elif [ "$aNum" = "2" ];then
+wget -N --no-check-certificate -P /etc/wireguard "https://h5ai.98yys.pw/99/${mplsdh}/zhongzhuan/wg0.conf"
+fi
+wg-quick down wg0
+wg-quick up wg0
+}
+
+delete_firewall(){
+if [[ "$EUID" -ne 0 ]]; then
+    echo "false"
+  else
+    echo "true"
+  fi
+if [[ -f /etc/redhat-release ]]; then
+		release="centos"
+	elif cat /etc/issue | grep -q -E -i "debian"; then
+		release="debian"
+	elif cat /etc/issue | grep -q -E -i "ubuntu"; then
+		release="ubuntu"
+	elif cat /etc/issue | grep -q -E -i "centos|red hat|redhat"; then
+		release="centos"
+	elif cat /proc/version | grep -q -E -i "debian"; then
+		release="debian"
+	elif cat /proc/version | grep -q -E -i "ubuntu"; then
+		release="ubuntu"
+	elif cat /proc/version | grep -q -E -i "centos|red hat|redhat"; then
+		release="centos"
+    fi
+    
+     if [[ $release = "ubuntu" || $release = "debian" ]]; then
+ufw disable
+apt-get remove ufw
+apt-get purge ufw
+  elif [[ $release = "centos" ]]; then
+  systemctl stop firewalld.service
+  systemctl disable firewalld.service 
+  else
+    exit 1
+  fi
+  99_menu
+}
+
+create_ssl(){
+mkdir -p /etc/nginx/ssl
+cd /etc/nginx/ssl
+servername=`curl -s http://ipv4.icanhazip.com`
+cat > my-openssl.cnf << EOF
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+x509_extensions = usr_cert
+[ req ]
+default_bits        = 2048
+default_md          = sha256
+default_keyfile     = privkey.pem
+distinguished_name  = req_distinguished_name
+attributes          = req_attributes
+x509_extensions     = v3_ca
+string_mask         = utf8only
+[ req_distinguished_name ]
+[ req_attributes ]
+[ usr_cert ]
+basicConstraints       = CA:FALSE
+nsComment              = "OpenSSL Generated Certificate"
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer
+[ v3_ca ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints       = CA:true
+EOF
+openssl genrsa -out ca.key 2048
+openssl req -x509 -new -nodes -key ca.key -subj "/CN=${servername}" -days 5000 -out ca.crt
+openssl genrsa -out server.key 2048
+openssl req -new -sha256 -key server.key \
+    -subj "/C=CN/ST=lj/L=lj/O=ljfxz/CN=${servername}" \
+    -reqexts SAN \
+    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:${servername},IP:${servername}")) \
+    -out server.csr
+openssl x509 -req -days 365 -sha256 \
+	-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
+	-extfile <(printf "subjectAltName=DNS:${servername},IP:${servername}") \
+	-out server.crt
+cat /etc/nginx/ssl/ca.crt
+}
+
+install_kernel(){
+wget -N --no-check-certificate "https://git.igewu.org/yanglc/tunnel/raw/branch/main/tcp.sh" && chmod +x tcp.sh && ./tcp.sh
+}
+
+install_v2ray(){
+bash <(curl -Ls https://raw.githubusercontent.com/vaxilu/soga/master/install.sh)
+rm -rf /etc/soga/soga.conf
+read -p "输入对接域名(例如www.baidu.com):" ym
+read -p "输入节点id:" nodeid
+read -p "输入mukey:" mukey
+read -p "输入soga授权码:" sogakey
+echo "
+# 基础配置
+type=sspanel-uim
+server_type=v2ray
+node_id=${nodeid}
+soga_key=${sogakey}
+
+# webapi 或 db 对接任选一个
+api=webapi
+
+# webapi 对接信息
+webapi_url=https://${ym}
+webapi_key=${mukey}
+
+# db 对接信息
+db_host=
+db_port=
+db_name=
+db_user=
+db_password=
+
+# 手动证书配置
+cert_file=
+key_file=
+
+# 自动证书配置
+cert_mode=
+cert_domain=
+cert_key_length=ec-256
+dns_provider=
+
+# dns 配置
+default_dns=
+dns_cache_time=10
+dns_strategy=ipv4_first
+
+# v2ray 特殊配置
+v2ray_reduce_memory=false
+vless=false
+vless_flow=
+
+# proxy protocol 中转配置
+proxy_protocol=false
+
+# 全局限制用户 IP 数配置
+redis_enable=false
+redis_addr=
+redis_password=
+redis_db=0
+conn_limit_expiry=60
+
+# 其它杂项
+user_conn_limit=0
+user_speed_limit=0
+node_speed_limit=0
+check_interval=60
+force_close_ssl=false
+forbidden_bit_torrent=true
+log_level=info
+
+# 更多配置项如有需要自行添加
+" > /etc/soga/soga.conf
+soga restart
+}
+
+manage_nginx(){
+echo -e "
+ ${GREEN} 1.停止隧道
+ ${GREEN} 2.启动隧道
+ ${GREEN} 3.重启隧道
+"
+read -p "请输入选项:" bNum
+if [ "$bNum" = "1" ];then
+wg-quick down wg0
+systemctl stop nginx
+elif [ "$bNum" = "2" ];then
+wg-quick up wg0
+systemctl start nginx
+elif [ "$bNum" = "3" ];then
+wg-quick down wg0
+wg-quick up wg0
+systemctl restart nginx
+fi
+99_menu
+}
+
+99_menu(){
+clear
+echo -e " 
+ ${GREEN} 1.安装隧道工具
+ ${GREEN} 2.获取隧道配置
+ ${GREEN} 3.对接v2ray
+ ${GREEN} 4.删除防火墙
+ ${GREEN} 5.管理隧道
+ ${GREEN} 6.自签ssl
+ ${GREEN} 7.安装内核
+ ${GREEN} 0.退出脚本"
+read -p " 请输入数字后[0-7] 按回车键:" num
+case "$num" in
+	1)
+	install_nginx
+	;;
+	2)
+	nginx_conf
+	;;
+	3)
+	install_v2ray
+	;;
+	4)
+	delete_firewall
+	;;
+	5)
+	manage_nginx
+	;;
+	6)
+	create_ssl
+	;;
+	7)
+	install_kernel
+	;;
+	0)
+	exit 1
+	;;
+	*)	
+	echo "请输入正确数字 [0-7] 按回车键"
+	sleep 1s
+	99_menu
+	;;
+esac
+}
+99_menu

README.md

@@ -1,3 +1,5 @@
-# tunnel
+## tunnel
+一个自用隧道
 
-自用隧道
+#server为中转机配置
+#client为落地机配置

checkmemnginx.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
+MemTotal=`free -t |grep "Mem:" | awk '{print $2}'`
+MemUsed=`free -t |grep "Mem:" | awk '{print $3}'`
+MemPercent=$((MemUsed*100/MemTotal))
+if [ $MemPercent -gt 80 ] 
+then
+ systemctl restart nginx
+else
+exit 1
+fi

nginx.conf

@@ -0,0 +1,13 @@
+worker_priority -20;
+worker_processes auto;
+worker_cpu_affinity auto;
+worker_rlimit_nofile 204800;
+worker_shutdown_timeout 120s;
+error_log /dev/null;
+
+events {
+    worker_connections  204800;
+    multi_accept on;
+    accept_mutex off;
+    use epoll;
+}

nginx.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=nginx - high performance web server
+Documentation=https://nginx.org/en/docs/
+After=wg-quick@wg0.service
+Wants=network-online.target
+[Service]
+Type=forking
+PIDFile=/var/run/nginx.pid
+ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
+ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)"
+ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)"
+[Install]
+WantedBy=multi-user.target

tunnel1/client/ca1 (1).crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIUBRGBexnWPL/hvRezaOdjdD2Kvs4wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOMjIzLjExMy4xMzAuNTEwHhcNMjMxMjAyMTExNDAyWhcN
+MzcwODEwMTExNDAyWjAZMRcwFQYDVQQDDA4yMjMuMTEzLjEzMC41MTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2REeBhYpYQLOIwqoTQY+2ojUlvp5tn
+4U1yGh3UKwKzULg2+ZpZTYp06hJzeh4UadCC17FF4wuM47pTDTG+beD00ZkvBnt+
+sqAwjRHa8g2rfu8GXga+OEK/GyRYyipQ2c2/nK8jqpATdikW3/nHBwLzKYj8GM9h
+GkB/i808UEuetmhYhcuBMpz8/iHpx3CrxKQqAgEPA33wBAcoio721ldKYMo+qKW9
+gB+UtUkbSkL8nQBTsoAJmrNXD5D4GoqBWujyqrYdYcdpKZuwT+i3lgAm8l//dQ/G
+9g07HGvhYIl4ITDcSqFr+vSbJLrflIwvvGv7vkgEApxpOTFnHems1iUCAwEAAaNT
+MFEwHQYDVR0OBBYEFENtzpA9rsHVdKT1C1GrCdxHTgSQMB8GA1UdIwQYMBaAFENt
+zpA9rsHVdKT1C1GrCdxHTgSQMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggEBADpFCRuNOgqmZjTNCy2cnuUEU3CIAwP+G1luz13PyrAGBk+SksIDloOB
+xxcIFfpkyLkMNFKC7/X5BCe1w39G7Y35TJubaeAES3uXbWDfSAkd1ex+myLSAnKx
+pxvR9gfHIAt3S2B9iOQfn/gnGA10vXQ2QsFi2DvweWE5PEMtHW8krm/sGC4bK83F
+wAsWATq3vMvqvzfJfaplzmyrSrCSieRCP4NB2ZjDi2ISYLPTaqiE9IFqe7zL9G+J
+0NOmrM58aH8/1iO4pREafYsGNWyjG2eBOXwzTopBfebBYPToEhrSHzJMBX8Mz/nm
+F3/0S2IYWyshvT+GShMLxUOKSUrUHn8=
+-----END CERTIFICATE-----

tunnel1/client/wg0.conf

@@ -0,0 +1,9 @@
+[Interface]
+PrivateKey = KBXJNg06K+ZCH9lHlqVVr71TXkmMzRZb3mE2iImnu2A= 
+Address = 10.10.7.2/32
+
+[Peer]
+PublicKey = AUeWgJQ+Kx8METeyNE1tVVwmH7yjwxW5ll/E+TkNOUQ=
+AllowedIPs = 10.10.7.1
+Endpoint = 223.113.130.51:15791
+PersistentKeepalive = 10

tunnel1/server/ca1.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIULTwbAO68zpnWEE319k+6EQTzaBswDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOMTg1LjI0NC4yMDguODQwHhcNMjMxMjE5MTM1NTQ2WhcN
+MzcwODI3MTM1NTQ2WjAZMRcwFQYDVQQDDA4xODUuMjQ0LjIwOC44NDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBANGX3ocFQtorCS0WkoI8JqYRw6i8PJ0F
+LhnRC/eSXfBWYFe3wRyPW2D9IDEKS0yoHOPRu5BVzb+G+IduAjkbizhf6hJgC5UF
+D6y0OeJJWx1/+UQRmDcdYHCB9xHQTfY1JvN3YpK90XTrohI7HmhsHLoAIVFn1Txi
+fylNmgfKqFZDswWylxY6JO8JNyvxgpOuCBHDNFSD/8HfBOKt/BlXqRCWeWKfamKO
+n2Zbp+KK59Fk2wPshEgRkVczRGbHMrPpTPQDxqew0+DHX7C5akRpaIeM+JfGD0Uj
+Z1gaVjgobibL7PHDzgSdKks0ADy60ZJsY0pSFAQsemGXG6U7Sqheq8kCAwEAAaNT
+MFEwHQYDVR0OBBYEFObh6Pgjh0DcCyL9YLHDrSW9RVo0MB8GA1UdIwQYMBaAFObh
+6Pgjh0DcCyL9YLHDrSW9RVo0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggEBAE8FKWyUM+xlomqL+KJwqR5gqVShzuFg5sQtT3j6pmGmbq0/bKlcJWhn
+Ky6x9jc/1rG9YyhuRFLB7QuNWE5bO0VMnqjaPIjBXl3verUWNhrLgPbxNBULBnZt
+BGA//sl0R8JGlt5E5LPq6sE0I/SkHWHpkbldaoubXHJQo/8boe5HN0sXekebru98
+QY7aLGuIla5gEdyh+F6IhYrdU0UBwJLMaYtXJBAY8dJn+2OVml/3auP120r0ly8M
+OG7CoY6c2DO28TOIzraIHFcBQxCtyWrCt6xEZrCFckOBeaUi+oNZwSKlA4zhgtlM
+vXUnJoaJnv4ZCQ89I3UKNY2ZWCBigqc=
+-----END CERTIFICATE-----

tunnel1/server/wg0.conf

@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.10.7.1/32
+ListenPort = 15791
+PrivateKey = 8KHcT9x0ylFVYc49US2cWjQrTMvjrXgYhGEdRMYFiUA= 
+
+[Peer]
+PublicKey = ZsCSutmxHTumEBPJaxJiZ7B8yfdSVig2DnEtBYiF7jw=
+AllowedIPs = 10.10.7.2