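#!/bin/bash
# Interactive installer for an nginx (OpenResty) stream proxy + WireGuard
# tunnel pair. Every artefact it installs (the nginx tarball, nginx.conf,
# nginx.service, per-tunnel nginx.txt / ca1.crt / wg0.conf, and tcp.sh) is
# fetched from git.igewu.org/yanglc/tunnel and used as root. That repository
# publishes no checksums or signatures for any of them, so the TLS connection
# to it is the only integrity check available: certificate verification is
# therefore kept ON (the previous --no-check-certificate made every download
# silently MITM-able) and every download is https-only.
#
# Usage: run as root; a numbered menu drives every action.

set -uo pipefail
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

# ANSI colours (as real escape bytes, so plain printf can print them).
readonly RED_COLOR=$'\033[0;31m'
readonly NO_COLOR=$'\033[0m'
readonly GREEN=$'\033[32m\033[01m'
readonly BLUE=$'\033[0;36m'
readonly FUCHSIA=$'\033[0;35m'

readonly nginx_v=1.25.3.1
readonly REPO_BASE="https://git.igewu.org/yanglc/tunnel/raw/branch/main"

# Menu answers shared between nginx_conf and wireguard_conf:
#   aNum   - "1" = 跳板机 (client side), "2" = 中转机 (relay side)
#   mplsdh - tunnel code, one of tunnel1 / tunnel2 / tunnel3
aNum=""
mplsdh=""

die() { printf '%s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# True when $1 looks like a bare IPv4 or IPv6 literal.
# Used to sanity-check network-supplied values before they are spliced
# into OpenSSL subjects / SANs.
#######################################
is_ip_address() {
  local v4='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  local v6='^[0-9A-Fa-f:]+$'
  [[ $1 =~ $v4 ]] || { [[ $1 == *:* ]] && [[ $1 =~ $v6 ]]; }
}

#######################################
# True when $1 is a decimal TCP/UDP port in 0..65535.
#######################################
is_port() {
  [[ $1 =~ ^[0-9]{1,5}$ ]] && (( 10#$1 <= 65535 ))
}

#######################################
# True when $1 is a host/IP-shaped token (letters, digits, . : _ - [ ]).
# Anything else (spaces, ';', '{', newlines...) would let a line of the
# downloaded nginx.txt inject arbitrary directives into nginx.conf.
#######################################
is_host_field() {
  local re='^[][A-Za-z0-9._:-]+$'
  [[ $1 =~ $re ]]
}

#######################################
# Download $2 into directory $1 (created if missing), replacing an older
# copy. TLS verification stays on and plain http is refused.
# Returns: wget's exit status (non-zero on any failure).
#######################################
fetch_to() {
  local dest_dir=$1 url=$2
  mkdir -p -- "$dest_dir" || return 1
  wget -N --https-only -P "$dest_dir" -- "$url"
}

#######################################
# Build and install OpenResty from the project's tarball, install the
# shipped nginx.conf and systemd unit, then install WireGuard.
# NOTE: the tarball is a repackaged copy hosted in the project repo, not an
# upstream OpenResty release; there is nothing to verify it against beyond
# the TLS connection, so treat the repo as fully trusted or don't run this.
#######################################
install_nginx() {
  local build_dir rc
  apt-get update -y && apt-get install -y vim curl lsof wget || return 1
  apt-get install -y build-essential libpcre3 libpcre3-dev zlib1g-dev openssl \
    libssl-dev linux-image-amd64 linux-headers-amd64 || return 1

  # Build in a private temp dir instead of $PWD so a failed step never
  # leaves half a source tree next to wherever the operator ran from.
  build_dir=$(mktemp -d) || return 1
  (
    cd "$build_dir" || exit 1
    fetch_to . "$REPO_BASE/$nginx_v.tar.gz" || exit 1
    tar -xzf "$nginx_v.tar.gz" || exit 1
    cd "openresty-$nginx_v" || exit 1
    ./configure \
      --prefix=/etc/nginx \
      --sbin-path=/usr/sbin/nginx \
      --conf-path=/etc/nginx/nginx.conf \
      --error-log-path=/var/log/nginx/error.log \
      --http-log-path=/var/log/nginx/access.log \
      --pid-path=/var/run/nginx.pid \
      --lock-path=/var/run/nginx.lock \
      --with-file-aio \
      --with-threads \
      --with-stream \
      --with-stream_realip_module \
      --with-stream_ssl_module \
      --with-stream_ssl_preread_module || exit 1
    make && make install
  )
  rc=$?
  rm -rf -- "${build_dir:?}"
  if (( rc != 0 )); then
    warn "nginx build/install failed"
    return 1
  fi

  fetch_to /etc/nginx "$REPO_BASE/nginx.conf" || return 1
  fetch_to /usr/lib/systemd/system "$REPO_BASE/nginx.service" || return 1
  # daemon-reload must come BEFORE enable --now, otherwise systemd starts
  # whatever unit definition it had cached, not the one just written.
  systemctl daemon-reload
  systemctl enable nginx --now
  install_wireguard
}

#######################################
# Install the WireGuard tools/kernel and enable the wg0 interface unit.
#######################################
install_wireguard() {
  apt-get install -y linux-image-amd64 && apt-get install -y wireguard || return 1
  systemctl enable wg-quick@wg0
}

#######################################
# Print one 跳板机 (client-side) stream server block for a nginx.txt row.
# Arguments: listen_ip listen_port remote_ip remote_port lan_ip
# Terminates TLS 1.3 with mutual auth (client certs checked against ca1.crt)
# and forwards the plaintext to remote_ip:remote_port; also relays UDP on
# the LAN address.
#######################################
emit_client_block() {
  local listen_ip=$1 listen_port=$2 remote_ip=$3 remote_port=$4 lan_ip=$5
  cat <<EOF
 server {
  listen $listen_ip:$listen_port ssl;
  listen $lan_ip:$listen_port udp;
  ssl_protocols TLSv1.3;
  ssl_conf_command MinProtocol TLSv1.3;
  ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
  ssl_certificate /etc/nginx/ssl/server.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;
  ssl_client_certificate /etc/nginx/ssl/ca1.crt;
  ssl_verify_client on;
  ssl_session_cache shared:SSL:15m;
  ssl_session_timeout 3h;
  ssl_session_tickets off;
  tcp_nodelay on;
  proxy_pass $remote_ip:$remote_port;
  proxy_protocol off;
  access_log off;
 }
EOF
}

#######################################
# Print the two 中转机 (relay-side) stream server blocks for a nginx.txt row.
# Arguments: listen_ip listen_port remote_ip remote_port lan_ip
# The TCP block wraps the upstream connection in TLS 1.3, presents
# server.crt as its client certificate and verifies the peer against
# ca1.crt with SNI/name check set to remote_ip; the UDP block is plain.
#######################################
emit_relay_block() {
  local listen_ip=$1 listen_port=$2 remote_ip=$3 remote_port=$4 lan_ip=$5
  cat <<EOF
 server {
  listen $listen_ip:$listen_port;
  proxy_ssl_certificate /etc/nginx/ssl/server.crt;
  proxy_ssl_certificate_key /etc/nginx/ssl/server.key;
  proxy_ssl_trusted_certificate /etc/nginx/ssl/ca1.crt;
  proxy_ssl_protocols TLSv1.3;
  proxy_ssl_server_name on;
  proxy_ssl_verify on;
  proxy_ssl on;
  ssl_session_tickets off;
  tcp_nodelay on;
  proxy_ssl_name $remote_ip;
  proxy_pass $remote_ip:$remote_port;
  proxy_protocol off;
  access_log off;
 }
 server {
  listen $listen_ip:$listen_port udp;
  proxy_pass $lan_ip:$remote_port;
  proxy_protocol off;
  access_log off;
 }
EOF
}

#######################################
# Fetch the tunnel definition for the chosen role/tunnel and regenerate
# /etc/nginx/nginx.conf from it, then apply the matching WireGuard config
# and restart nginx.
# nginx.txt format: one row per tunnel,
#   listen_ip listen_port remote_ip remote_port lan_ip
# Every field is validated before anything is written; a malformed row
# aborts without touching the running nginx.
# Globals written: aNum, mplsdh (read again by wireguard_conf).
#######################################
nginx_conf() {
  local conf=/etc/nginx/nginx.conf list=/etc/nginx/nginx.txt
  local role body="" lineno=0
  local listen_ip listen_port remote_ip remote_port lan_ip _rest

  printf '%s\n' " ${GREEN} 1.跳板机" " ${GREEN} 2.中转机 "
  read -rp "输入选项:" aNum
  printf '%s\n' " ${GREEN} 1.隧道1(tunnel1)" " ${GREEN} 2.隧道2(tunnel2)" " ${GREEN} 3.隧道3(tunnel3) "
  read -rp "请输入括号里的代号:" mplsdh

  case "$aNum" in
    1) role=client ;;
    2) role=server ;;
    *) warn "unknown option '$aNum'"; return 1 ;;
  esac
  # mplsdh becomes a URL path component; only the three advertised codes
  # are valid, so reject anything else (including ../ style input).
  if [[ ! $mplsdh =~ ^tunnel[1-3]$ ]]; then
    warn "unknown tunnel code '$mplsdh' (expected tunnel1, tunnel2 or tunnel3)"
    return 1
  fi

  fetch_to /etc/nginx "$REPO_BASE/$mplsdh/$role/nginx.txt" || return 1
  fetch_to /etc/nginx/ssl "$REPO_BASE/$mplsdh/$role/ca1.crt" || return 1

  # Validate and render every row first so a bad file cannot leave a
  # half-written config behind.
  while read -r listen_ip listen_port remote_ip remote_port lan_ip _rest \
        || [[ -n ${listen_ip:-} ]]; do
    lineno=$((lineno + 1))
    [[ -z $listen_ip ]] && continue
    if ! is_host_field "$listen_ip" || ! is_host_field "$remote_ip" \
       || ! is_host_field "$lan_ip" || ! is_port "$listen_port" \
       || ! is_port "$remote_port"; then
      warn "$list line $lineno is malformed; nginx.conf left unchanged"
      return 1
    fi
    if [[ $role == client ]]; then
      body+=$(emit_client_block "$listen_ip" "$listen_port" "$remote_ip" "$remote_port" "$lan_ip")$'\n'
    else
      body+=$(emit_relay_block "$listen_ip" "$listen_port" "$remote_ip" "$remote_port" "$lan_ip")$'\n'
    fi
  done < "$list"

  rm -f -- "$conf"
  fetch_to /etc/nginx "$REPO_BASE/nginx.conf" || return 1
  {
    printf ' stream {\n'
    printf '%s' "$body"
    printf ' }\n'
  } >> "$conf"

  wireguard_conf || return 1
  # Never restart onto a config nginx itself rejects (e.g. when create_ssl
  # has not been run yet and server.crt is missing).
  if nginx -t; then
    systemctl restart nginx
  else
    warn "nginx -t failed; nginx was not restarted"
    return 1
  fi
}

#######################################
# Fetch wg0.conf for the role/tunnel chosen in nginx_conf and (re)start wg0.
# wg0.conf carries the interface's private key, so it is only as secret as
# the repository it is served from; it is at least made root-only on disk.
# Globals read: aNum, mplsdh.
#######################################
wireguard_conf() {
  local role
  case "$aNum" in
    1) role=client ;;
    2) role=server ;;
    *) warn "wireguard_conf: role not selected"; return 1 ;;
  esac
  [[ $mplsdh =~ ^tunnel[1-3]$ ]] || { warn "wireguard_conf: bad tunnel code"; return 1; }

  fetch_to /etc/wireguard "$REPO_BASE/$mplsdh/$role/wg0.conf" || return 1
  chmod 600 /etc/wireguard/wg0.conf
  wg-quick down wg0 2>/dev/null || true   # not up yet on first run
  wg-quick up wg0
}

#######################################
# Disable and remove the host firewall (ufw on Debian/Ubuntu, firewalld on
# CentOS/RHEL). Destructive: requires root and an explicit confirmation.
#######################################
delete_firewall() {
  local release="" confirm
  if (( EUID != 0 )); then
    warn "delete_firewall must run as root"
    return 1
  fi

  if [[ -f /etc/redhat-release ]]; then
    release=centos
  elif grep -qiE 'debian' /etc/issue /proc/version 2>/dev/null; then
    release=debian
  elif grep -qiE 'ubuntu' /etc/issue /proc/version 2>/dev/null; then
    release=ubuntu
  elif grep -qiE 'centos|red hat|redhat' /etc/issue /proc/version 2>/dev/null; then
    release=centos
  fi

  read -rp "This disables and removes the host firewall ($release). Continue? [y/N]:" confirm
  [[ $confirm == [yY] ]] || return 0

  case "$release" in
    ubuntu|debian)
      ufw disable
      apt-get -y remove --purge ufw
      ;;
    centos)
      systemctl stop firewalld.service
      systemctl disable firewalld.service
      ;;
    *)
      warn "unsupported distribution; nothing changed"
      return 1
      ;;
  esac
}

#######################################
# Generate a private CA and a server certificate for this host under
# /etc/nginx/ssl, keyed on the public IP reported by ip.nekocat.cn.
#   ca.key/ca.crt      - CA, 5000 days
#   server.key/server.crt - leaf, 365 days, SAN = DNS:<ip>,IP:<ip>
# The leaf is used both as the 跳板机's server certificate and as the
# 中转机's client certificate, so it carries serverAuth + clientAuth.
# Prints ca.crt at the end: the OTHER side must install it as its ca1.crt
# (nginx_conf fetches ca1.crt from the repo, not from here).
# Private keys are created 0600.
#######################################
create_ssl() {
  local ssl_dir=/etc/nginx/ssl servername

  mkdir -p "$ssl_dir" || return 1
  servername=$(curl -fsS --max-time 10 https://ip.nekocat.cn) || {
    warn "could not determine public IP"
    return 1
  }
  servername=${servername//[$'\r\n']/}
  # The lookup response is untrusted network input that ends up inside
  # -subj and the SAN; accept only a bare IP literal (the IP: SAN entry
  # would be rejected by OpenSSL for anything else anyway).
  if ! is_ip_address "$servername"; then
    warn "unexpected public IP lookup response: '$servername'"
    return 1
  fi

  (
    umask 077   # keys (and everything else written here) start root-only
    cd "$ssl_dir" || exit 1
    cat > my-openssl.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
x509_extensions = usr_cert

[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only

[ req_distinguished_name ]

[ req_attributes ]

[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true

[ SAN ]
subjectAltName = DNS:${servername},IP:${servername}
EOF
    openssl genrsa -out ca.key 2048 &&
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=${servername}" \
      -days 5000 -config my-openssl.cnf -out ca.crt &&
    openssl genrsa -out server.key 2048 &&
    openssl req -new -sha256 -key server.key \
      -subj "/C=CN/ST=yanglc/L=yanglc/O=mymisaka/CN=${servername}" \
      -reqexts SAN -config my-openssl.cnf -out server.csr &&
    openssl x509 -req -days 365 -sha256 \
      -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile <(printf 'subjectAltName=DNS:%s,IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' \
                  "$servername" "$servername") \
      -out server.crt
  ) || { warn "certificate generation failed"; return 1; }

  # Certificates are public; only the keys need to stay 0600.
  chmod 644 "$ssl_dir/ca.crt" "$ssl_dir/server.crt"
  cat "$ssl_dir/ca.crt"
}

#######################################
# Download and run the project's tcp.sh (kernel/TCP tuning) as root.
# This executes third-party code; the TLS connection to the repository is
# the only check performed on it.
#######################################
install_kernel() {
  local tmp
  tmp=$(mktemp -d) || return 1
  if fetch_to "$tmp" "$REPO_BASE/tcp.sh"; then
    chmod +x "$tmp/tcp.sh" && "$tmp/tcp.sh"
  fi
  rm -rf -- "${tmp:?}"
}

#######################################
# Show the host's public IPv6 and IPv4 addresses (fixed: was `ehco`).
#######################################
get_ip() {
  printf '%s\n' "你的ipv6地址是:"
  curl -6 -fsS --max-time 10 https://ip.nekocat.cn; printf '\n'
  printf '%s\n' "你的ipv4地址是:"
  curl -4 -fsS --max-time 10 https://ip.nekocat.cn; printf '\n'
}

#######################################
# Stop / start / restart the tunnel (wg0 + nginx) from a sub-menu.
#######################################
manage_nginx() {
  local bNum
  printf '%s\n' " ${GREEN} 1.停止隧道" " ${GREEN} 2.启动隧道" " ${GREEN} 3.重启隧道 "
  read -rp "请输入选项:" bNum
  case "$bNum" in
    1)
      wg-quick down wg0 || true
      systemctl stop nginx
      ;;
    2)
      wg-quick up wg0
      systemctl start nginx
      ;;
    3)
      wg-quick down wg0 || true
      wg-quick up wg0
      systemctl restart nginx
      ;;
    *)
      warn "unknown option '$bNum'"
      ;;
  esac
}

#######################################
# Draw the main menu and run one selection.
# Returns to the caller afterwards (the caller loops), so the menu no
# longer recurses deeper with every action. EOF on stdin exits cleanly.
#######################################
main_menu() {
  local num
  clear 2>/dev/null || true
  printf '%s\n' \
    " ${GREEN} 1.安装隧道工具" \
    " ${GREEN} 2.获取隧道配置" \
    " ${GREEN} 3.查看当前ip" \
    " ${GREEN} 4.删除防火墙" \
    " ${GREEN} 5.管理隧道" \
    " ${GREEN} 6.自签ssl" \
    " ${GREEN} 7.安装内核" \
    " ${GREEN} 0.退出脚本"
  read -rp " 请输入数字后[0-7] 按回车键:" num || exit 0
  case "$num" in
    1) install_nginx ;;
    2) nginx_conf ;;
    3) get_ip ;;
    4) delete_firewall ;;
    5) manage_nginx ;;
    6) create_ssl ;;
    7) install_kernel ;;
    0) exit 0 ;;
    *)
      printf '%s\n' "请输入正确数字 [0-7] 按回车键"
      sleep 1s
      ;;
  esac
}

main() {
  # Every action writes under /etc or installs packages; refuse early
  # instead of failing halfway through.
  (( EUID == 0 )) || die "this script must be run as root"
  while true; do
    main_menu
  done
}

main "$@"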